root
52 lines
1.4 KiB
Markdown
52 lines
1.4 KiB
Markdown
# Sicherheit: Ubuntu LXC Standard-Setup
|
|
|
|
Standardisierter Installationsprozess fuer neue Ubuntu-LXC-Container.
|
|
|
|
Installiert und **direkt vorkonfiguriert**:
|
|
- `fail2ban`: SSH/SSHD-DDoS + Recidive-Jail, UFW-Ban-Action
|
|
- `ufw`: default deny incoming, allow outgoing, SSH-Rate-Limit, 80/443 erlaubt
|
|
- `unattended-upgrades`: taegliche Security-Updates aktiv
|
|
- `openssh-server`: Basishardening via `sshd_config.d`
|
|
- `auditd`: grundlegende Audit-Regeln fuer sensible Dateien
|
|
- `sysctl`: Kernel/Netzwerk-Hardening-Basis
|
|
- `nodejs`, `npm`, `@openai/codex`
|
|
|
|
## Standardprozess nach Download
|
|
|
|
```bash
|
|
git clone https://gitea.kanu1.duckdns.org/Kanu/Sicherheit.git
|
|
cd Sicherheit
|
|
chmod +x bin/sicherheit-install scripts/bootstrap_ubuntu_lxc_security.sh
|
|
./bin/sicherheit-install
|
|
```
|
|
|
|
Optional global verlinken:
|
|
|
|
```bash
|
|
sudo ln -sf "$(pwd)/bin/sicherheit-install" /usr/local/bin/sicherheit-install
|
|
sudo sicherheit-install
|
|
```
|
|
|
|
## Wichtige Konfigurationen
|
|
|
|
- `config/fail2ban/jail.local`
|
|
- `config/ufw/after.rules`
|
|
- `config/unattended-upgrades/20auto-upgrades`
|
|
- `config/unattended-upgrades/50unattended-upgrades`
|
|
- `config/ssh/sshd_config.d-sicherheit.conf`
|
|
- `config/sysctl/99-sicherheit.conf`
|
|
- `config/auditd/hardening.rules`
|
|
|
|
## Pruefen
|
|
|
|
```bash
|
|
fail2ban-client status
|
|
fail2ban-client status sshd
|
|
ufw status verbose
|
|
systemctl status unattended-upgrades --no-pager
|
|
sshd -t
|
|
node --version
|
|
npm --version
|
|
codex --help
|
|
```
|