claude-home/networking/examples/security_improvements.md
Cal Corum 10c9e0d854 CLAUDE: Migrate to technology-first documentation architecture
Complete restructure from patterns/examples/reference to technology-focused directories:

• Created technology-specific directories with comprehensive documentation:
  - /tdarr/ - Transcoding automation with gaming-aware scheduling
  - /docker/ - Container management with GPU acceleration patterns
  - /vm-management/ - Virtual machine automation and cloud-init
  - /networking/ - SSH infrastructure, reverse proxy, and security
  - /monitoring/ - System health checks and Discord notifications
  - /databases/ - Database patterns and troubleshooting
  - /development/ - Programming language patterns (bash, nodejs, python, vuejs)

• Enhanced CLAUDE.md with intelligent context loading:
  - Technology-first loading rules for automatic context provision
  - Troubleshooting keyword triggers for emergency scenarios
  - Documentation maintenance protocols with automated reminders
  - Context window management for optimal documentation updates

• Preserved valuable content from .claude/tmp/:
  - SSH security improvements and server inventory
  - Tdarr CIFS troubleshooting and Docker iptables solutions
  - Operational scripts with proper technology classification

• Benefits achieved:
  - Self-contained technology directories with complete context
  - Automatic loading of relevant documentation based on keywords
  - Emergency-ready troubleshooting with comprehensive guides
  - Scalable structure for future technology additions
  - Eliminated context bloat through targeted loading

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-12 23:20:15 -05:00


Home Lab Security Improvements

Current Security Issues

Critical Issues Found:

  • Password Authentication: All servers using password-based SSH authentication
  • Credential Reuse: Same password used across 7 home network servers
  • Insecure Storage: Passwords stored in FileZilla (base64 encoded, not encrypted)
  • Root Access: Cloud servers using root user accounts

Risk Assessment:

  • High: Password-based authentication vulnerable to brute-force attacks
  • High: Shared passwords create single point of failure
  • Medium: FileZilla credentials accessible to anyone with file system access
  • Medium: Root access increases attack surface

Implemented Solutions

1. SSH Key-Based Authentication

  • Generated separate key pairs for home lab vs cloud servers
  • 4096-bit RSA keys for strong encryption
  • Descriptive key comments for identification

2. SSH Configuration Management

  • Centralized config in ~/.ssh/config
  • Host aliases for easy server access
  • Port forwarding pre-configured for common services
  • Security defaults (ServerAliveInterval, StrictHostKeyChecking)

3. Network Segmentation

  • Home network (10.10.0.0/24) uses dedicated key
  • Cloud servers use separate key pair
  • Service-specific aliases for different server roles
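The following ~/.ssh/config is an added example of how sections 2 and 3 fit together (the host aliases, addresses and the 8080 to 80 forward are the page's; the key file names and the Pi-hole address are assumptions, and the file is not the one from the original page). ssh takes the first value it finds for each option, so the per-host stanzas come first and the catch-all `Host *` defaults go last; comments sit on their own lines because older OpenSSH releases reject a comment after a directive.

```ssh_config
# Added example ~/.ssh/config (not the file from the original page).
# Key file names and the Pi-hole address are assumptions.

# --- Home network 10.10.0.0/24: one dedicated key for the whole segment ---
Host database-apis
    HostName 10.10.0.42

Host pihole
    # placeholder: the Pi-hole host's address is not given on the page
    HostName 10.10.0.XX
    # local port 8080 -> the Pi-hole web UI on the server's port 80
    LocalForward 8080 localhost:80

# Settings shared by every home-network alias (a Host line may list several)
Host database-apis pihole
    User cal
    # assumed file name for the home-lab key pair
    IdentityFile ~/.ssh/id_rsa_homelab

# --- Cloud servers: separate key pair ---
Host akamai
    HostName 172.237.147.99
    # root only until a non-root user exists (see PermitRootLogin under Server Hardening)
    User root
    # assumed file name for the cloud key pair
    IdentityFile ~/.ssh/id_rsa_cloud

# --- Security defaults for everything; last because first match wins ---
Host *
    # keep-alive every 60 s; after three missed replies the session is torn down
    ServerAliveInterval 60
    ServerAliveCountMax 3
    # refuse to connect if a host key changed; new hosts must be added to
    # known_hosts deliberately (use "accept-new" to record them on first contact)
    StrictHostKeyChecking yes
    # offer only the IdentityFile named for the host, never every key the
    # agent holds, so the home-lab key is never presented to a cloud server
    IdentitiesOnly yes
```

With `StrictHostKeyChecking yes` the first connection to a new server fails until its host key is in known_hosts, which is the intended behaviour: record the key once, out of band, rather than trusting whatever answers on first contact.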

Additional Security Recommendations

Immediate Actions:

  1. Deploy SSH keys using the provided script
  2. Test key-based authentication on all servers
  3. Disable password authentication once keys work
  4. Remove FileZilla passwords after migration

Server Hardening:

# On each server, edit /etc/ssh/sshd_config.
# Keep comments on their own lines: older sshd releases reject a comment
# placed after a directive on the same line.
PasswordAuthentication no
PubkeyAuthentication yes
# Create a non-root user on cloud servers first, then disable root login
PermitRootLogin no
# Change the default SSH port
Port 2222
# Restrict SSH access to the named user
AllowUsers cal
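As an added example that is not part of the original page, the shell script below audits a server's sshd_config against the settings above. It uses only sh and awk; the function names and the constructed sample file are its own. It adds one check the list above does not mention: `PasswordAuthentication no` on its own still leaves PAM keyboard-interactive password logins open unless `KbdInteractiveAuthentication no` (spelled `ChallengeResponseAuthentication` on older sshd) is set as well.

```shell
#!/bin/sh
# Added example (not from the original page): audit a server's sshd_config
# against the hardening settings above. Function and sample names are this
# example's own. Plain sh + awk, so it runs unchanged on any of the servers.

# sshd_value FILE KEYWORD: print the effective value of KEYWORD.
# sshd honours the FIRST occurrence of a keyword (later duplicates are ignored),
# keywords are case-insensitive, and "Keyword value" and "Keyword=value" are
# both valid. Everything after a "Match" line is conditional, so stop there.
sshd_value() {
    awk -F '[ \t=]+' -v key="$2" '
        { sub(/^[ \t]+/, "") }                  # drop indentation
        /^#/ || /^$/ { next }                    # comment or blank line
        tolower($1) == "match" { exit }          # conditional block begins
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE: print one FAIL line per non-compliant directive and
# return the number of failures (0 means the file passes every check).
check_sshd_config() {
    f=$1
    fails=0

    # "Keyword|required value|value sshd assumes when the keyword is absent"
    for rule in \
        "PasswordAuthentication|no|yes" \
        "PubkeyAuthentication|yes|yes" \
        "PermitRootLogin|no|prohibit-password"
    do
        key=${rule%%|*}; rest=${rule#*|}
        want=${rest%%|*}; dflt=${rest#*|}
        got=$(sshd_value "$f" "$key")
        [ -n "$got" ] || got=$dflt
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: have '$got', want '$want'"
            fails=$((fails + 1))
        fi
    done

    # "PasswordAuthentication no" alone is not enough: PAM keyboard-interactive
    # logins still take passwords unless this is off too (older sshd spells
    # the keyword ChallengeResponseAuthentication).
    kbd=$(sshd_value "$f" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_value "$f" ChallengeResponseAuthentication)
    if [ "${kbd:-yes}" != "no" ]; then
        echo "FAIL KbdInteractiveAuthentication: have '${kbd:-yes}', want 'no'"
        fails=$((fails + 1))
    fi

    # The port only has to differ from the default
    port=$(sshd_value "$f" Port)
    if [ "${port:-22}" = "22" ]; then
        echo "FAIL Port: still listening on the default port 22"
        fails=$((fails + 1))
    fi

    if [ -z "$(sshd_value "$f" AllowUsers)" ]; then
        echo "FAIL AllowUsers: no user restriction configured"
        fails=$((fails + 1))
    fi

    return "$fails"
}

# write_sample FILE: a constructed sshd_config that looks like a distro
# default with only the port changed; used when no file is given.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 2222
#PasswordAuthentication no
PermitRootLogin prohibit-password
ChallengeResponseAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config   (no argument: audit the sample)
if [ "$#" -gt 0 ]; then
    target=$1
else
    target=$(mktemp)
    write_sample "$target"
fi
check_sshd_config "$target" && echo "compliant" || echo "failures: $?"
[ "$#" -gt 0 ] || rm -f "$target"
```

The script reads the one file it is given and does not follow `Include` directives, so on distributions that ship `/etc/ssh/sshd_config.d/` check those drop-ins too; `sshd -T` prints the fully resolved configuration and is the authoritative answer. After editing, run `sshd -t` to validate before reloading, and keep the current session open while a second session confirms the new settings.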

Monitoring:

  • SSH login monitoring with fail2ban
  • Key rotation schedule (annually)
  • Access logging review
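The monitoring items above are about reading sshd's own authentication events. The script below is an added example, not part of the original page, that summarises those events from a syslog-style auth.log: failed password attempts per source address (the same lines fail2ban's sshd jail counts) and, more useful after the lockdown, any login that still succeeded with a password. Function names and the log lines are constructed for this example; the addresses are from the documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added example (not from the original page): summarise sshd authentication
# events in a syslog-style auth.log. Function names and the sample log lines
# are constructed for this example.

# failed_logins_by_source FILE [MIN]: "count ip" for every source address with
# at least MIN failed password attempts (default 1), busiest first.
failed_logins_by_source() {
    awk -v min="${2:-1}" '
        / sshd\[[0-9]+\]: Failed password for / {
            # the token after "from" is the source address, for both
            # "... for USER from IP" and "... for invalid user USER from IP"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' "$1" | sort -rn
}

# accepted_password_logins FILE: "user ip" for each login that succeeded with
# a password. Once PasswordAuthentication is off everywhere this must print
# nothing; any line means a server still accepts passwords.
accepted_password_logins() {
    awk '
        / sshd\[[0-9]+\]: Accepted password for / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = $(i + 1)
                if ($i == "from") { print user, $(i + 1); break }
            }
        }
    ' "$1"
}

# write_sample_log FILE: constructed auth.log excerpt (203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real hosts)
write_sample_log() {
    cat > "$1" <<'EOF'
Aug 12 23:01:02 nas sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Aug 12 23:01:05 nas sshd[1234]: Failed password for root from 203.0.113.7 port 51240 ssh2
Aug 12 23:02:10 nas sshd[1300]: Accepted publickey for cal from 10.10.0.5 port 40000 ssh2: RSA SHA256:constructed
Aug 12 23:03:00 nas sshd[1350]: Failed password for cal from 198.51.100.4 port 33001 ssh2
Aug 12 23:03:30 nas sshd[1360]: Accepted password for cal from 10.10.0.9 port 41000 ssh2
EOF
}

# Usage: sh ssh_auth_report.sh /var/log/auth.log   (no argument: use the sample)
log=${1:-}
if [ -z "$log" ]; then
    log=$(mktemp)
    write_sample_log "$log"
fi
echo "== failed password attempts per source (fail2ban bans at its default maxretry of 5) =="
failed_logins_by_source "$log"
echo "== successful password logins (should be empty after lockdown) =="
accepted_password_logins "$log"
[ -n "${1:-}" ] || rm -f "$log"
```

On hosts that log only to journald, feed it `journalctl -u ssh --no-pager -o short` instead of a file; the message text after `sshd[PID]:` is the same.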

Future Enhancements:

  • Certificate-based authentication (SSH CA)
  • Multi-factor authentication (TOTP)
  • VPN access for home network
  • Bastion host for cloud servers

Migration Plan

Phase 1: Key Deployment

  • Generate SSH key pairs
  • Create SSH configuration
  • Document server inventory

Phase 2: Authentication Migration

  • Deploy public keys to all servers
  • Test SSH connections with keys
  • Verify all services accessible

Phase 3: Security Lockdown

  • Disable password authentication
  • Change default SSH ports
  • Configure fail2ban
  • Remove FileZilla credentials

Phase 4: Monitoring & Maintenance

  • Set up access logging
  • Schedule key rotation
  • Document incident response
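The step that can lock you out is the transition from Phase 2 to Phase 3: if password authentication is disabled on a host whose key deployment silently failed, the only way back in is the console. The script below is an added example, not part of the original page, of the gate a practitioner puts between the two phases: it proves that a key-only, non-interactive login works on every host and refuses to approve the lockdown otherwise. Function names are its own; the `SSH_CMD` variable is an assumption that exists so the logic can be exercised without a network.

```shell
#!/bin/sh
# Added example (not from the original page): the gate between Phase 2 and
# Phase 3. Before PasswordAuthentication is switched off anywhere, prove that
# a key-only, non-interactive login works on every host. Function names are
# this example's own; SSH_CMD lets a stand-in replace ssh for testing.

# verify_key_auth HOST: succeed only if HOST accepts the key with no prompt.
# BatchMode forbids any password or passphrase prompt, and the two
# *Authentication=no options make sure a password fallback cannot mask a
# broken key. HOST is an alias from ~/.ssh/config or user@address.
verify_key_auth() {
    "${SSH_CMD:-ssh}" -o BatchMode=yes \
        -o PasswordAuthentication=no \
        -o KbdInteractiveAuthentication=no \
        -o ConnectTimeout=10 \
        "$1" true 2>/dev/null
}

# verify_all HOST...: print a line per host and return how many failed, so a
# caller can refuse to start the lockdown unless the result is 0.
verify_all() {
    bad=0
    for host in "$@"; do
        if verify_key_auth "$host"; then
            echo "OK   $host"
        else
            echo "FAIL $host  (fix key deployment before disabling passwords)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Usage: sh verify_keys.sh database-apis akamai pihole ...
# With no hosts given nothing is contacted.
if [ "$#" -gt 0 ]; then
    if verify_all "$@"; then
        echo "all hosts accept key-only login; safe to disable PasswordAuthentication"
    else
        echo "do not proceed: $? host(s) failed"
        exit 1
    fi
fi
```

Run it against the full server inventory from Phase 1, and re-run it after each host's sshd is reloaded in Phase 3 while the original session is still open, so a mistake in sshd_config is caught before that session is closed.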

Connection Examples

After setup, you'll connect using simple aliases:

# Instead of: ssh cal@10.10.0.42
ssh database-apis

# Instead of: ssh root@172.237.147.99
ssh akamai

# With automatic port forwarding:
ssh pihole  # Forwards port 8080 → localhost:80