diff --git a/servers/ARCHITECT.md b/servers/ARCHITECT.md index 8d6e381..ff170dd 100644 --- a/servers/ARCHITECT.md +++ b/servers/ARCHITECT.md @@ -118,7 +118,52 @@ curl -X POST "http://localhost:3000/api/v1/user/repos" \ psql -U architect -d tzzr_db ``` +## Seguridad + +### Firewall (UFW) +``` +Status: active +Default: deny incoming, allow outgoing + +Reglas: +- ALLOW from 72.62.1.113 (DECK) +- ALLOW from 92.112.181.188 (CORP) +- ALLOW from 72.62.2.84 (HST) +- ALLOW 22/tcp (SSH) +- ALLOW 80/tcp (HTTP) +- ALLOW 443/tcp (HTTPS) +- ALLOW 3000/tcp (Gitea) +- ALLOW 8082, 8090, 8100/tcp (Apps) +- ALLOW on docker0 (Docker) +- ALLOW 5432 from 172.18.0.0/16 (PostgreSQL Docker) +``` + +### SSH Hardening +``` +PermitRootLogin prohibit-password +PasswordAuthentication no +``` +Backup config: `/etc/ssh/sshd_config.bak` + +### SWAP +``` +/swapfile 2GB (persistente en /etc/fstab) +``` + +## Backups Automatizados + +### Gitea +- **Script**: `/opt/tzzr/claude-code/backup_gitea.sh` +- **Cron**: `0 2 * * *` (diario 2AM) +- **Destino**: `s3://architect/backups/gitea/` + +### PostgreSQL +- **Script**: `/home/architect/scripts/backup_postgres_all.sh` +- **Cron**: `0 3 * * *` (diario 3AM) +- **Destino**: `s3://architect/backups/postgresql/` + ## Últimas Actualizaciones +- 2025-12-30: UFW habilitado, SSH hardening, SWAP 2GB, Docker permissions - 2025-12-30: Documentación inicial - 2025-12-18: Instalación inicial de ARCHITECT diff --git a/servers/CORP.md b/servers/CORP.md index d307dea..5f583b2 100644 --- a/servers/CORP.md +++ b/servers/CORP.md 
@@ -138,6 +138,42 @@ Ambos servicios se conectan a la PostgreSQL centralizada: - **Puerto**: 5432 - **Usuario**: architect +## Seguridad + +### Firewall (UFW) +``` +Status: active +Default: deny incoming, allow outgoing + +Reglas: +- ALLOW from 69.62.126.110 (ARCHITECT) +- ALLOW from 72.62.1.113 (DECK) +- ALLOW from 72.62.2.84 (HST) +- ALLOW 22/tcp (SSH) +- ALLOW 80/tcp (HTTP) +- ALLOW 443/tcp (HTTPS) +- ALLOW 5432 on docker0 (PostgreSQL interno) + +IPs Bloqueadas: +- 185.242.226.71 +- 165.154.119.158 +- 198.235.24.103 +- 198.235.24.199 +``` + +### SSH Hardening +``` +PermitRootLogin prohibit-password +PasswordAuthentication no +``` +Backup config: `/etc/ssh/sshd_config.bak` + +### SWAP +``` +/swapfile 2GB (persistente en /etc/fstab) +``` + ## Últimas Actualizaciones +- 2025-12-30: UFW configurado, SSH hardening, SWAP 2GB - 2025-12-30: Documentación inicial diff --git a/servers/DECK.md b/servers/DECK.md index 159f4bc..15e0b27 100644 --- a/servers/DECK.md +++ b/servers/DECK.md @@ -109,6 +109,37 @@ systemctl start grace tail -f /home/logs/grace.log ``` +## Seguridad + +### Firewall (UFW) +``` +Status: active +Default: deny incoming, allow outgoing + +Reglas: +- ALLOW from 69.62.126.110 (ARCHITECT) +- ALLOW from 92.112.181.188 (CORP) +- ALLOW from 72.62.2.84 (HST) +- ALLOW 22/tcp (SSH) +- ALLOW 80/tcp (HTTP) +- ALLOW 443/tcp (HTTPS) +- ALLOW 25, 465, 587, 993, 995, 4190/tcp (Mail) +- ALLOW 53 (DNS) +``` + +### SSH Hardening +``` +PermitRootLogin prohibit-password +PasswordAuthentication no +``` +Backup config: `/etc/ssh/sshd_config.bak` + +### SWAP +``` +/swapfile 2GB (persistente en /etc/fstab) +``` + ## Últimas Actualizaciones +- 2025-12-30: UFW habilitado, SSH hardening, SWAP 2GB - 2025-12-30: Documentación inicial diff --git a/servers/HST.md b/servers/HST.md index c3ade14..0d8cd1e 100644 --- a/servers/HST.md +++ b/servers/HST.md 
@@ -134,6 +134,38 @@ PONG - Alertas basadas en métricas - Integración con Slack y otros servicios +## Seguridad + +### Firewall (UFW) +``` +Status: active +Default: deny incoming, allow outgoing + +Reglas: +- ALLOW from 69.62.126.110 (ARCHITECT) +- ALLOW from 72.62.1.113 (DECK) +- ALLOW from 92.112.181.188 (CORP) +- ALLOW 22/tcp (SSH) +- ALLOW 80/tcp (HTTP) +- ALLOW 443/tcp (HTTPS) +- ALLOW 5000/tcp (HST-API) +- ALLOW 8055/tcp (Directus) +- ALLOW 8081/tcp (Apps) +``` + +### SSH Hardening +``` +PermitRootLogin prohibit-password +PasswordAuthentication no +``` +Backup config: `/etc/ssh/sshd_config.bak` + +### SWAP +``` +/swapfile 2GB (persistente en /etc/fstab) +``` + ## Últimas Actualizaciones +- 2025-12-30: UFW habilitado, SSH hardening, SWAP 2GB - 2025-12-30: Documentación inicial
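Review bot: In the ARCHITECT.md hunk the `### Firewall (UFW)` listing shows `ALLOW 22/tcp (SSH)` with no source restriction next to the per-host `ALLOW from ... (DECK)`, `(CORP)` and `(HST)` rules, so the peer rules add nothing for SSH and the service is reachable from any address; state whether world-reachable SSH is intended, or record the rule as `22/tcp` limited to the peer IPs. The `ALLOW on docker0 (Docker)` and `ALLOW 3000/tcp (Gitea)` entries also need a sentence on how Docker-published ports interact with UFW: Docker inserts its own iptables rules for published ports, which the UFW rules listed here do not govern, so the listing can overstate what UFW actually blocks. Finally, the changelog line `- 2025-12-30: UFW habilitado, SSH hardening, SWAP 2GB, Docker permissions` mentions "Docker permissions" but no section in the hunk describes what changed; add that section or drop the phrase.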
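Review bot: The `IPs Bloqueadas:` list in the CORP.md hunk records four denied addresses but not where those rules sit relative to the `ALLOW 22/tcp`, `ALLOW 80/tcp` and `ALLOW 443/tcp` entries above them. UFW evaluates rules in order and stops at the first match, so a `deny from <ip>` appended after the allow rules does not block that address on the allowed ports; record the rule positions as shown by `ufw status numbered` and note that the denies were inserted ahead of the allows. Also record the date and reason each address was blocked so a later reader can judge whether the rule is still needed.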
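Review bot: `ALLOW 53 (DNS)` in the DECK.md hunk opens port 53 on both TCP and UDP to every source, which is only needed if DECK is an authoritative or public resolver; outbound lookups for the mail services on `25, 465, 587, 993, 995, 4190/tcp` are already covered by `Default: deny incoming, allow outgoing`. Document which service listens on 53 and whether recursion is disabled, or restrict the rule to the hosts that actually query it, since an open recursive resolver is a standing amplification risk.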
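Review bot: The HST.md hunk lists `ALLOW 5000/tcp (HST-API)`, `ALLOW 8055/tcp (Directus)` and `ALLOW 8081/tcp (Apps)` as reachable from any source while `80/tcp` and `443/tcp` are also open; if these applications are served through a reverse proxy on 443, the direct ports should be limited to localhost or to the three peer addresses listed above them, and if they are intentionally public the document should say so and note which of them enforce authentication. The `### SSH Hardening` block repeats the same two directives as the other files; add a verification line such as `sshd -T | grep -i passwordauthentication`, because an `Include`d file under `/etc/ssh/sshd_config.d/` can override `PasswordAuthentication no` set in the main file and only the effective configuration proves the hardening took effect.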