From 5e5c8cb698304862446701f9ead647aa9d94f272 Mon Sep 17 00:00:00 2001
From: ARCHITECT
Date: Tue, 30 Dec 2025 19:14:18 +0000
Subject: [PATCH] docs: Add security section to all servers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- UFW configured on 4/4 servers with the TZZR whitelist
- SSH hardening (PermitRootLogin prohibit-password, PasswordAuthentication no)
- 2GB SWAP on all servers
- Automated backups documented in ARCHITECT
- Blocked IPs documented in CORP

🤖 Generated with Claude Code
---
 servers/ARCHITECT.md | 45 ++++++++++++++++++++++++++++++++++++++++++++
 servers/CORP.md      | 36 +++++++++++++++++++++++++++++++++++
 servers/DECK.md      | 31 ++++++++++++++++++++++++++++++
 servers/HST.md       | 32 +++++++++++++++++++++++++++++++
 4 files changed, 144 insertions(+)

diff --git a/servers/ARCHITECT.md b/servers/ARCHITECT.md
index 8d6e381..ff170dd 100644
--- a/servers/ARCHITECT.md
+++ b/servers/ARCHITECT.md
@@ -118,7 +118,52 @@ curl -X POST "http://localhost:3000/api/v1/user/repos" \ psql -U architect -d tzzr_db ``` +## Seguridad + +### Firewall (UFW) +``` +Status: active +Default: deny incoming, allow outgoing + +Reglas: +- ALLOW from 72.62.1.113 (DECK) +- ALLOW from 92.112.181.188 (CORP) +- ALLOW from 72.62.2.84 (HST) +- ALLOW 22/tcp (SSH) +- ALLOW 80/tcp (HTTP) +- ALLOW 443/tcp (HTTPS) +- ALLOW 3000/tcp (Gitea) +- ALLOW 8082, 8090, 8100/tcp (Apps) +- ALLOW on docker0 (Docker) +- ALLOW 5432 from 172.18.0.0/16 (PostgreSQL Docker) +``` + +### SSH Hardening +``` +PermitRootLogin prohibit-password +PasswordAuthentication no +``` +Backup config: `/etc/ssh/sshd_config.bak` + +### SWAP +``` +/swapfile 2GB (persistente en /etc/fstab) +``` + +## Backups Automatizados + +### Gitea +- **Script**: `/opt/tzzr/claude-code/backup_gitea.sh` +- **Cron**: `0 2 * * *` (diario 2AM) +- **Destino**: `s3://architect/backups/gitea/` + +### PostgreSQL +- **Script**: `/home/architect/scripts/backup_postgres_all.sh` +- **Cron**: `0 3 * * *` (diario 3AM) +- **Destino**: `s3://architect/backups/postgresql/` + ## 脷ltimas Actualizaciones +- 2025-12-30: UFW habilitado, SSH hardening, SWAP 2GB, Docker permissions - 2025-12-30: Documentaci贸n inicial - 2025-12-18: Instalaci贸n inicial de ARCHITECT diff --git a/servers/CORP.md b/servers/CORP.md index d307dea..5f583b2 100644 --- a/servers/CORP.md +++ b/servers/CORP.md 
@@ -138,6 +138,42 @@ Ambos servicios se conectan a la PostgreSQL centralizada: - **Puerto**: 5432 - **Usuario**: architect +## Seguridad + +### Firewall (UFW) +``` +Status: active +Default: deny incoming, allow outgoing + +Reglas: +- ALLOW from 69.62.126.110 (ARCHITECT) +- ALLOW from 72.62.1.113 (DECK) +- ALLOW from 72.62.2.84 (HST) +- ALLOW 22/tcp (SSH) +- ALLOW 80/tcp (HTTP) +- ALLOW 443/tcp (HTTPS) +- ALLOW 5432 on docker0 (PostgreSQL interno) + +IPs Bloqueadas: +- 185.242.226.71 +- 165.154.119.158 +- 198.235.24.103 +- 198.235.24.199 +``` + +### SSH Hardening +``` +PermitRootLogin prohibit-password +PasswordAuthentication no +``` +Backup config: `/etc/ssh/sshd_config.bak` + +### SWAP +``` +/swapfile 2GB (persistente en /etc/fstab) +``` + ## 脷ltimas Actualizaciones +- 2025-12-30: UFW configurado, SSH hardening, SWAP 2GB - 2025-12-30: Documentaci贸n inicial diff --git a/servers/DECK.md b/servers/DECK.md index 159f4bc..15e0b27 100644 --- a/servers/DECK.md +++ b/servers/DECK.md @@ -109,6 +109,37 @@ systemctl start grace tail -f /home/logs/grace.log ``` +## Seguridad + +### Firewall (UFW) +``` +Status: active +Default: deny incoming, allow outgoing + +Reglas: +- ALLOW from 69.62.126.110 (ARCHITECT) +- ALLOW from 92.112.181.188 (CORP) +- ALLOW from 72.62.2.84 (HST) +- ALLOW 22/tcp (SSH) +- ALLOW 80/tcp (HTTP) +- ALLOW 443/tcp (HTTPS) +- ALLOW 25, 465, 587, 993, 995, 4190/tcp (Mail) +- ALLOW 53 (DNS) +``` + +### SSH Hardening +``` +PermitRootLogin prohibit-password +PasswordAuthentication no +``` +Backup config: `/etc/ssh/sshd_config.bak` + +### SWAP +``` +/swapfile 2GB (persistente en /etc/fstab) +``` + ## 脷ltimas Actualizaciones +- 2025-12-30: UFW habilitado, SSH hardening, SWAP 2GB - 2025-12-30: Documentaci贸n inicial diff --git a/servers/HST.md b/servers/HST.md index c3ade14..0d8cd1e 100644 --- a/servers/HST.md +++ b/servers/HST.md 
@@ -134,6 +134,38 @@ PONG - Alertas basadas en m茅tricas - Integraci贸n con Slack y otros servicios +## Seguridad + +### Firewall (UFW) +``` +Status: active +Default: deny incoming, allow outgoing + +Reglas: +- ALLOW from 69.62.126.110 (ARCHITECT) +- ALLOW from 72.62.1.113 (DECK) +- ALLOW from 92.112.181.188 (CORP) +- ALLOW 22/tcp (SSH) +- ALLOW 80/tcp (HTTP) +- ALLOW 443/tcp (HTTPS) +- ALLOW 5000/tcp (HST-API) +- ALLOW 8055/tcp (Directus) +- ALLOW 8081/tcp (Apps) +``` + +### SSH Hardening +``` +PermitRootLogin prohibit-password +PasswordAuthentication no +``` +Backup config: `/etc/ssh/sshd_config.bak` + +### SWAP +``` +/swapfile 2GB (persistente en /etc/fstab) +``` + ## 脷ltimas Actualizaciones +- 2025-12-30: UFW habilitado, SSH hardening, SWAP 2GB - 2025-12-30: Documentaci贸n inicial
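Review bot: in the ARCHITECT hunk the changelog line `- 2025-12-30: UFW habilitado, SSH hardening, SWAP 2GB, Docker permissions` records a "Docker permissions" change that the new `## Seguridad` section never describes; membership in the docker group is root-equivalent on the host, so state which user was granted it and why. Two more documentation gaps in the same hunk: `ALLOW on docker0 (Docker)` and `ALLOW 5432 from 172.18.0.0/16` imply containers publish ports, and Docker inserts its own iptables rules for published ports ahead of UFW's, so the page should say whether 3000/8082/8090/8100 are Docker-published (then the UFW lines do not actually restrict them) or served by host processes. The SSH block lists the two directives but not the file they live in; on systems whose default `sshd_config` begins with `Include /etc/ssh/sshd_config.d/*.conf`, the first value seen for a keyword wins, so a drop-in such as cloud-init's can silently override `PasswordAuthentication no`. Suggest recording the effective values with `sshd -T | grep -Ei 'permitrootlogin|passwordauthentication'` on each server page, and for the two backup scripts, which user's crontab runs them, where the S3 credentials come from, and the retention policy.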
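Review bot: the `IPs Bloqueadas` list in the CORP hunk is the only place deny rules appear, and it records neither reason, date, nor rule position. UFW evaluates rules in order with first match winning, so a `deny from <ip>` appended after the generic `ALLOW 22/tcp`, `ALLOW 80/tcp` and `ALLOW 443/tcp` entries does not block that address on those ports; document the position from `ufw status numbered` (or that the rules were added with `ufw insert 1 deny from ...`) and the reason and date for each entry so the next person can tell whether the block is still warranted. The commit message says blocked IPs are documented only in CORP while the peer whitelist is applied on all four hosts; if these four addresses were seen probing CORP, say whether DECK, HST and ARCHITECT received the same deny rules.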
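Review bot: `ALLOW 53 (DNS)` in the DECK hunk carries neither a protocol nor a source, so it opens UDP and TCP 53 to any address. That is fine only if DECK is authoritative; if it runs a recursive resolver for the mail stack, an open resolver is usable for amplification and should be limited to the three peer IPs whitelisted just above it (or to localhost). State which it is and, if authoritative, that recursion is disabled. The mail line bundles 25, 465, 587, 993, 995 and 4190; note which must be public and which (4190 ManageSieve, for instance) could be restricted to the peers.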
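Review bot: the HST hunk exposes `5000/tcp (HST-API)`, `8055/tcp (Directus)` and `8081/tcp (Apps)` to any source alongside 80/443. If those services sit behind a reverse proxy that terminates TLS on 443, the three rules should be narrowed to the peer whitelist or removed so the apps are reachable only through the proxy; if they are meant to be public, the page should state that they serve TLS themselves, since Directus and the API otherwise carry auth tokens in cleartext. The Redis service visible in the hunk context (`PONG`) is rightly absent from the allow list; add a line confirming it binds only to localhost or the internal interface, because a default-deny UFW policy does not cover ports published by Docker.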