cal/claude-home
1
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity
docs/ansible-controller-setup
claude-home/networking/examples/security_improvements.md
Cal Corum 4b7eca8a46
All checks were successful
Reindex Knowledge Base / reindex (push) Successful in 3s
Details
docs: add YAML frontmatter to all 151 markdown files 
Adds title, description, type, domain, and tags frontmatter to every
doc for improved KB semantic search. The description field is prepended
to every search chunk, and domain/type/tags enable filtered queries.

Type values: context, guide, runbook, reference, troubleshooting
Domain values match directory structure (networking, docker, etc.)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 09:00:44 -05:00

107 lines
3.3 KiB
Markdown
Raw Permalink Blame History

---
title: "Home Lab Security Improvements"
description: "Security audit and migration plan from password-based SSH to key-based authentication, covering risk assessment, server hardening, and phased rollout."
type: guide
domain: networking
tags: [ssh, security, authentication, hardening, migration]
---
# Home Lab Security Improvements
## Current Security Issues
### Critical Issues Found:
- **Password Authentication**: All servers using password-based SSH authentication
- **Credential Reuse**: Same password used across 7 home network servers
- **Insecure Storage**: Passwords stored in FileZilla (base64 encoded, not encrypted)
- **Root Access**: Cloud servers using root user accounts
### Risk Assessment:
- **High**: Password-based authentication vulnerable to brute force attacks
- **High**: Shared passwords create single point of failure
- **Medium**: FileZilla credentials accessible to anyone with file system access
- **Medium**: Root access increases attack surface
## Implemented Solutions
### 1. SSH Key-Based Authentication
- **Generated separate key pairs** for home lab vs cloud servers
- **4096-bit RSA keys** for strong encryption
- **Descriptive key comments** for identification
### 2. SSH Configuration Management
- **Centralized config** in `~/.ssh/config`
- **Host aliases** for easy server access
- **Port forwarding** pre-configured for common services
- **Security defaults** (ServerAliveInterval, StrictHostKeyChecking)
### 3. Network Segmentation
- **Home network** (10.10.0.0/24) uses dedicated key
- **Cloud servers** use separate key pair
- **Service-specific aliases** for different server roles
## Additional Security Recommendations
### Immediate Actions:
1. **Deploy SSH keys** using the provided script
2. **Test key-based authentication** on all servers
3. **Disable password authentication** once keys work
4. **Remove FileZilla passwords** after migration
### Server Hardening:
```bash
# On each server, edit /etc/ssh/sshd_config:
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no # (create non-root user on cloud servers first)
Port 2222 # Change default SSH port
AllowUsers cal # Restrict SSH access
```
### Monitoring:
- **SSH login monitoring** with fail2ban
- **Key rotation schedule** (annually)
- **Access logging** review
### Future Enhancements:
- **Certificate-based authentication** (SSH CA)
- **Multi-factor authentication** (TOTP)
- **VPN access** for home network
- **Bastion host** for cloud servers
## Migration Plan
### Phase 1: Key Deployment ✅
- [x] Generate SSH key pairs
- [x] Create SSH configuration
- [x] Document server inventory
### Phase 2: Authentication Migration
- [ ] Deploy public keys to all servers
- [ ] Test SSH connections with keys
- [ ] Verify all services accessible
### Phase 3: Security Lockdown
- [ ] Disable password authentication
- [ ] Change default SSH ports
- [ ] Configure fail2ban
- [ ] Remove FileZilla credentials
### Phase 4: Monitoring & Maintenance
- [ ] Set up access logging
- [ ] Schedule key rotation
- [ ] Document incident response
## Connection Examples
After setup, you'll connect using simple aliases:
```bash
# Instead of: ssh cal@10.10.0.42
ssh database-apis
# Instead of: ssh root@172.237.147.99
ssh akamai
# With automatic port forwarding:
ssh pihole # Forwards port 8080 → localhost:80
```
Reference in New Issue View Git Blame Copy Permalink