claude-home/networking/examples/security_improvements.md
Cal Corum 10c9e0d854 CLAUDE: Migrate to technology-first documentation architecture
Complete restructure from patterns/examples/reference to technology-focused directories:

• Created technology-specific directories with comprehensive documentation:
  - /tdarr/ - Transcoding automation with gaming-aware scheduling
  - /docker/ - Container management with GPU acceleration patterns
  - /vm-management/ - Virtual machine automation and cloud-init
  - /networking/ - SSH infrastructure, reverse proxy, and security
  - /monitoring/ - System health checks and Discord notifications
  - /databases/ - Database patterns and troubleshooting
  - /development/ - Programming language patterns (bash, nodejs, python, vuejs)

• Enhanced CLAUDE.md with intelligent context loading:
  - Technology-first loading rules for automatic context provision
  - Troubleshooting keyword triggers for emergency scenarios
  - Documentation maintenance protocols with automated reminders
  - Context window management for optimal documentation updates

• Preserved valuable content from .claude/tmp/:
  - SSH security improvements and server inventory
  - Tdarr CIFS troubleshooting and Docker iptables solutions
  - Operational scripts with proper technology classification

• Benefits achieved:
  - Self-contained technology directories with complete context
  - Automatic loading of relevant documentation based on keywords
  - Emergency-ready troubleshooting with comprehensive guides
  - Scalable structure for future technology additions
  - Eliminated context bloat through targeted loading

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-12 23:20:15 -05:00

# Home Lab Security Improvements
## Current Security Issues
### Critical Issues Found:
- **Password Authentication**: All servers use password-based SSH authentication
- **Credential Reuse**: Same password used across 7 home network servers
- **Insecure Storage**: Passwords stored in FileZilla (base64 encoded, not encrypted)
- **Root Access**: Cloud servers are accessed directly as the root user
### Risk Assessment:
- **High**: Password-based authentication vulnerable to brute force attacks
- **High**: Shared passwords create single point of failure
- **Medium**: FileZilla credentials accessible to anyone with file system access
- **Medium**: Root access increases attack surface
## Implemented Solutions
### 1. SSH Key-Based Authentication
- **Generated separate key pairs** for home lab vs cloud servers
- **4096-bit RSA keys** for strong encryption
- **Descriptive key comments** for identification
### 2. SSH Configuration Management
- **Centralized config** in `~/.ssh/config`
- **Host aliases** for easy server access
- **Port forwarding** pre-configured for common services
- **Security defaults** (ServerAliveInterval, StrictHostKeyChecking)
### 3. Network Segmentation
- **Home network** (10.10.0.0/24) uses dedicated key
- **Cloud servers** use separate key pair
- **Service-specific aliases** for different server roles
## Additional Security Recommendations
### Immediate Actions:
1. **Deploy SSH keys** using the provided script
2. **Test key-based authentication** on all servers
3. **Disable password authentication** once keys work
4. **Remove FileZilla passwords** after migration
### Server Hardening:
```bash
# On each server, edit /etc/ssh/sshd_config. Keep comments on their own line:
# sshd_config only treats a line that starts with '#' as a comment, and older
# OpenSSH releases reject or misread trailing text on a directive line.
PasswordAuthentication no
PubkeyAuthentication yes
# Create a non-root user on the cloud servers before setting this
PermitRootLogin no
# Change the default SSH port
Port 2222
# Restrict SSH access to this account
AllowUsers cal
```
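An added check, not part of this document or the repository's scripts, for confirming that the block above is what sshd actually ends up with: it models the first-value-wins rule and `Include` expansion from sshd_config(5) on an in-memory stand-in for the filesystem. The file layout, the `50-cloud-init.conf` drop-in and its contents are constructed sample data; only absolute `Include` patterns are handled.

```python
"""Offline audit of sshd_config against the Server Hardening lines above.
sshd_config(5): the FIRST value seen for a keyword wins and comments are lines
starting with '#', so a hardening line appended at the end of the file loses to
an Include'd drop-in (e.g. Ubuntu's sshd_config.d/50-cloud-init.conf) that set
the same keyword first."""
import fnmatch

REQUIRED = {  # hardening targets from this document, keywords lower-cased
    "passwordauthentication": ["no"],
    "pubkeyauthentication": ["yes"],
    "permitrootlogin": ["no"],
    "port": ["2222"],
    "allowusers": ["cal"],
}

def parse_sshd_config(files, path="/etc/ssh/sshd_config", effective=None):
    """First value of each global keyword. `files` maps absolute paths to text (a
    constructed filesystem stand-in); Include globs expand in sorted order like
    glob(3). Parsing stops at the first Match block: everything below it is conditional."""
    effective = {} if effective is None else effective
    for raw in files[path].splitlines():
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):  # blank or comment line
            continue
        key, rest = parts[0].lower(), parts[1].split() if len(parts) > 1 else []
        if key == "match":
            break
        if key == "include":
            for pat in rest:
                for inc in sorted(p for p in files if fnmatch.fnmatch(p, pat)):
                    parse_sshd_config(files, inc, effective)
        else:
            effective.setdefault(key, rest)  # first occurrence wins, later ones ignored
    return effective

def audit(files):  # unmet hardening targets as {keyword: (expected, effective)}
    eff = parse_sshd_config(files)
    return {k: (v, eff.get(k)) for k, v in REQUIRED.items() if eff.get(k) != v}

# Constructed sample: hardening appended to sshd_config, but the Include at the
# top pulls in a drop-in that already turned password logins back on.
SAMPLE_FILES = {
    "/etc/ssh/sshd_config": "Include /etc/ssh/sshd_config.d/*.conf\n"
        "PasswordAuthentication no\nPubkeyAuthentication yes\n"
        "PermitRootLogin no\nPort 2222\nAllowUsers cal\n",
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}
# Fix: a drop-in that sorts before 50-cloud-init.conf is read first, so it wins.
FIXED_FILES = {**SAMPLE_FILES,
               "/etc/ssh/sshd_config.d/00-hardening.conf": "PasswordAuthentication no\n"}
if __name__ == "__main__":
    print(audit(SAMPLE_FILES), audit(FIXED_FILES))  # {'passwordauthentication': (['no'], ['yes'])} {}
```

On a live server, `sudo sshd -T | grep -iE 'passwordauthentication|permitrootlogin|^port'` prints the values sshd actually uses and is the authoritative check; this script is for reviewing config files offline before a change goes out.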
### Monitoring:
- **SSH login monitoring** with fail2ban
- **Key rotation schedule** (annually)
- **Access logging** review
### Future Enhancements:
- **Certificate-based authentication** (SSH CA)
- **Multi-factor authentication** (TOTP)
- **VPN access** for home network
- **Bastion host** for cloud servers
## Migration Plan
### Phase 1: Key Deployment ✅
- [x] Generate SSH key pairs
- [x] Create SSH configuration
- [x] Document server inventory
### Phase 2: Authentication Migration
- [ ] Deploy public keys to all servers
- [ ] Test SSH connections with keys
- [ ] Verify all services accessible
### Phase 3: Security Lockdown
- [ ] Disable password authentication
- [ ] Change default SSH ports
- [ ] Configure fail2ban
- [ ] Remove FileZilla credentials
### Phase 4: Monitoring & Maintenance
- [ ] Set up access logging
- [ ] Schedule key rotation
- [ ] Document incident response
## Connection Examples
After setup, you'll connect using simple aliases:
```bash
# Instead of: ssh cal@10.10.0.42
ssh database-apis
# Instead of: ssh root@172.237.147.99
ssh akamai
# With automatic port forwarding:
ssh pihole # Forwards port 8080 → localhost:80
```