15 — Server Security
SSH hardening, firewall configuration, CVE exposure tracking, and EOL OS risk per server. For SSH key management see README.
Security Status Per Server
| Server | OS / EOL | SSH root | Firewall | CVE exposure | Critical risks |
|---|---|---|---|---|---|
| vps-i1 | AlmaLinux 9.7 / 2032 | key-only | iptables + Caddy | Low | None |
| vps-h1 | Ubuntu 24.04 / 2029 | key-only | ufw + Traefik | Low | PROTECTED — no new services |
| bms-1 | Ubuntu 20.04 / EOL Apr 2025 | key-only | iptables | HIGH | EOL kernel, disk 100% full |
| bms-2 | Ubuntu 24.04 / 2029 | key-only | ufw | Low | None |
| bms-3 | Ubuntu 22.04 / 2027 | key-only | ufw | Low | MongoDB OOM risk |
| bms-4 | Ubuntu 22.04 / 2027 | key-only | ufw + Traefik | Low | None |
CRITICAL — bms-1: Ubuntu 20.04 reached EOL in April 2025. The kernel receives no security patches. This server runs Pinbox24 production. Upgrade or migration is the highest-priority security action.
Key Documents
| Document | Description |
|---|---|
| ssh-hardening-operations.md | SSH hardening procedures — sshd_config, key rotation, authorized_keys audits |
| 09-ssh-hardening.md | SSH hardening improvement proposal and checklist |
| 08-image-cve-scanning.md | Docker image CVE scanning pipeline proposal |
SSH Hardening Checklist
- Password auth disabled (`PasswordAuthentication no`) on all servers
- Root login via key only (`PermitRootLogin prohibit-password`)
- `claude-admin` passwordless sudo limited to: `docker`, `systemctl`, `mkdir`, `chown`, `cp`, `tee`
- bms-1: needs fresh security audit after disk cleanup and OS upgrade
- Automated `authorized_keys` rotation (manual currently)
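The two sshd settings and the `authorized_keys` audit from the checklist can be verified from captured data rather than by eyeballing each server. The script below is an added example, not part of this page or the linked procedures: it assumes each server's effective configuration is captured with `ssh <host> sudo sshd -T > <host>.dump` (so the audit runs offline), and the dump files, key blobs and allowlist it creates are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original page: audit a captured `sshd -T`
# dump and an authorized_keys file against the SSH hardening checklist.
# Capture a dump with `ssh <host> sudo sshd -T > <host>.dump`; the audit
# then runs offline. The sample files below are constructed placeholders.

# Print the effective value of one option from an `sshd -T` dump.
# `sshd -T` prints keys in lowercase, so the key argument is lowercase too.
sshd_setting() {
    awk -v k="$2" 'tolower($1) == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Check one dump against the checklist. Prints a FAIL line per deviation and
# returns 1 if any were found, 0 if the server is compliant.
audit_sshd_dump() {
    dump="$1"; rc=0
    pa=$(sshd_setting "$dump" passwordauthentication)
    if [ "$pa" != "no" ]; then
        echo "FAIL $dump: passwordauthentication=${pa:-unset} (want no)"; rc=1
    fi
    prl=$(sshd_setting "$dump" permitrootlogin)
    # "without-password" is the older spelling of "prohibit-password" and is
    # still printed by some OpenSSH releases, so both count as compliant.
    case "$prl" in
        prohibit-password|without-password) ;;
        *) echo "FAIL $dump: permitrootlogin=${prl:-unset} (want prohibit-password)"; rc=1 ;;
    esac
    return $rc
}

# Report entries in an authorized_keys file whose key blob is not in the
# allowlist (one approved blob per line). Returns 1 if any unknown key is
# present, which is the signal that a rotation or audit is overdue.
audit_authorized_keys() {
    keys="$1"; allow="$2"
    unknown=$(grep -v -e '^#' -e '^[[:space:]]*$' "$keys" | while read -r line; do
        # Entries may start with options (from=, command=), so locate the
        # key-type field and take the blob that follows it.
        blob=$(printf '%s\n' "$line" | awk '{ for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh|ecdsa|sk)-/) { print $(i + 1); exit } }')
        grep -qxF -- "$blob" "$allow" || printf 'UNKNOWN key: %s\n' "$line"
    done)
    [ -z "$unknown" ] && return 0
    printf '%s\n' "$unknown"
    return 1
}

# --- constructed sample inputs (placeholders, not real servers or keys) ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/compliant.dump" <<'EOF'
port 22
passwordauthentication no
permitrootlogin prohibit-password
pubkeyauthentication yes
EOF
cat > "$SAMPLE_DIR/noncompliant.dump" <<'EOF'
port 22
passwordauthentication yes
permitrootlogin yes
EOF
cat > "$SAMPLE_DIR/authorized_keys" <<'EOF'
# constructed entries; the blobs are placeholders
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEBLOB0001 ops@workstation
from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEBLOB0002 unknown@laptop
EOF
printf '%s\n' AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEBLOB0001 > "$SAMPLE_DIR/allowed_blobs"

# Run the audit over the samples when executed directly.
for d in "$SAMPLE_DIR"/*.dump; do
    audit_sshd_dump "$d" && echo "OK   $d"
done
audit_authorized_keys "$SAMPLE_DIR/authorized_keys" "$SAMPLE_DIR/allowed_blobs" && echo "OK   authorized_keys"
```

Auditing `sshd -T` output rather than `sshd_config` matters because the effective value can come from an `Include`d drop-in or a `Match` block, which a grep of the main file misses. The allowlist of approved key blobs doubles as the inventory a later automated `authorized_keys` rotation would be driven from.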
Docker / Container Security
- 08-image-cve-scanning.md — proposal for Trivy/Grype in CI
- All custom Python exporters use the `python:3.12-slim` base — review regularly for upstream CVEs
- Secrets injected via `.env.bak` at container startup — never baked into images