---
name: node-hardening
description: >
  Harden a Linux node for sovereign EU infrastructure without losing remote access.
  Implements UFW firewall, SSH hardening, fail2ban, and auditd with two-phase plan/apply
  workflow and DRY_RUN safety gates. Use when securing Node A after operator-bootstrap
  completes. Triggers: 'harden node', 'secure server', 'configure firewall', 'harden SSH',
  'set up fail2ban', 'enable auditd', 'lock down node', 'security hardening'.
version: 1.0.0
---

# Node Hardening

High-risk Tier 1 skill for securing Linux nodes. All risky operations require an explicit DRY_RUN=0 and a confirmation phrase. Designed for full Linux servers (Ubuntu/Debian) with console/IPMI/VNC fallback access.

## Quick Start

```bash
# Set required parameters (none required, but review defaults)
export NODE_NAME="node-a"
export SSH_PORT=22

# Run preflight check
./scripts/00_preflight.sh

# Plan phases (safe to run, shows what WILL happen)
./scripts/10_ufw_plan.sh
./scripts/20_ssh_plan.sh

# Apply phases (REQUIRES DRY_RUN=0 and confirmation)
export DRY_RUN=0
./scripts/11_ufw_apply.sh   # Type confirmation phrase
./scripts/21_ssh_apply.sh   # Type confirmation phrase

# Optional: fail2ban and auditd
./scripts/30_fail2ban_setup.sh
./scripts/40_auditd_setup.sh

# Verify and report
./scripts/90_verify.sh
./scripts/99_report.sh
```

## Workflow

### Phase 0: Preflight (00)

Check dependencies: sudo, systemctl, ufw, sshd, fail2ban, auditd. Detect an SSH session and warn the operator to keep a backup session open.
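The Quick Start splits each risky phase into a plan script that only prints what would happen and an apply script that refuses to run without DRY_RUN=0 and the typed confirmation phrase. The following is an added example of that pattern for the UFW phase; it is not the skill's own `10_ufw_plan.sh`/`11_ufw_apply.sh`, and the function names, the plan output format and the whitelist-before-limit ordering are assumptions. It reads the same input variables (SSH_PORT, ALLOW_HTTP, ALLOW_HTTPS, ALLOW_ICMP, DRY_RUN, REQUIRE_CONFIRM, CONFIRM_PHRASE, BACKUP_DIR) with the defaults from the Inputs table and takes the operator's client IP from the SSH_CONNECTION variable that sshd exports.

```shell
#!/usr/bin/env bash
# Added example (not the skill's own scripts): plan/apply split for the UFW
# phase with a DRY_RUN + confirmation-phrase gate. Function names are assumed.

# Inputs, with the defaults from the skill's Inputs table.
: "${SSH_PORT:=22}"
: "${ALLOW_HTTP:=true}"
: "${ALLOW_HTTPS:=true}"
: "${ALLOW_ICMP:=false}"
: "${DRY_RUN:=1}"
: "${REQUIRE_CONFIRM:=1}"
: "${CONFIRM_PHRASE:=I UNDERSTAND THIS CAN LOCK ME OUT}"
: "${BACKUP_DIR:=outputs/backups}"

# Client IP of the current SSH session. sshd sets SSH_CONNECTION to
# "client_ip client_port server_ip server_port"; it is empty on a console login.
operator_ip() {
  case "${SSH_CONNECTION:-}" in
    "") printf '' ;;
    *)  printf '%s\n' "${SSH_CONNECTION%% *}" ;;
  esac
}

# Plan phase: print the ufw commands that apply WOULD run, one per line.
# Nothing is executed here, so this is always safe to run.
ufw_plan() {
  ip=$(operator_ip)
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  # Whitelist the operator's current client IP first, so a mistake in the
  # generic SSH rule below still leaves this session reachable.
  [ -n "$ip" ] && echo "ufw allow from $ip to any port $SSH_PORT proto tcp"
  # 'limit' allows the port but rate-limits new connections per source IP.
  echo "ufw limit $SSH_PORT/tcp"
  [ "$ALLOW_HTTP" = true ] && echo "ufw allow 80/tcp"
  [ "$ALLOW_HTTPS" = true ] && echo "ufw allow 443/tcp"
  # ufw has no 'allow icmp' rule; ping policy lives in /etc/ufw/before.rules.
  echo "# ALLOW_ICMP=$ALLOW_ICMP (set in /etc/ufw/before.rules, not via 'ufw allow')"
  return 0
}

# Apply gate: returns 0 only when DRY_RUN=0 and, with REQUIRE_CONFIRM=1, the
# exact confirmation phrase was typed on stdin. Everything else is refused.
require_apply_gate() {
  if [ "$DRY_RUN" != 0 ]; then
    echo "DRY_RUN=$DRY_RUN: refusing to apply (set DRY_RUN=0 to proceed)" >&2
    return 1
  fi
  if [ "$REQUIRE_CONFIRM" = 1 ]; then
    printf 'Type "%s" to continue: ' "$CONFIRM_PHRASE" >&2
    IFS= read -r typed || typed=""
    if [ "$typed" != "$CONFIRM_PHRASE" ]; then
      echo "confirmation phrase did not match; aborting" >&2
      return 1
    fi
  fi
  return 0
}

# Apply phase: pass the gate, back up the current state, then reset UFW and
# replay exactly the commands the plan printed (comment lines are skipped).
ufw_apply() {
  require_apply_gate || return 1
  mkdir -p "$BACKUP_DIR"
  ufw status verbose > "$BACKUP_DIR/ufw_status_before.txt"
  iptables-save > "$BACKUP_DIR/iptables_rules_before.txt"
  ufw --force reset
  ufw_plan | while IFS= read -r line; do
    case "$line" in "#"*) ;; *) $line ;; esac
  done
  ufw --force enable
}
```

Running `ufw_plan` prints the rule set for review; `DRY_RUN=0 ufw_apply` then prompts for the phrase and replays the same lines, so what was reviewed is what gets applied. The operator whitelist is emitted before the generic SSH rule on purpose: UFW evaluates rules in order, and the explicit allow for the current client keeps the session reachable even if the port rule is later edited.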
### Phase 1: UFW Firewall (10-11)

**Two-phase operation with DRY_RUN gate.**

Plan phase shows:

- Default deny incoming, allow outgoing
- SSH port allowance (rate-limited if possible)
- HTTP/HTTPS ports if enabled
- Current client IP auto-whitelisted

Apply phase executes:

- Backs up current iptables state
- Resets and configures UFW
- Enables firewall

Rollback: `./scripts/rollback/undo_ufw.sh`

### Phase 2: SSH Hardening (20-21)

**Two-phase operation with DRY_RUN gate and CONFIRM_PHRASE.**

Plan phase shows:

- Proposed sshd_config changes
- PermitRootLogin, PasswordAuthentication settings
- Cipher and MAC selections

Apply phase executes:

- Backs up /etc/ssh/sshd_config
- Renders hardened config from template
- Validates with `sshd -t` before applying
- Uses `reload` (not restart) to keep current session alive
- **Auto-restores on validation failure**

Rollback: `./scripts/rollback/undo_ssh.sh`

### Phase 3: fail2ban (30)

Optional intrusion detection.

- SSH jail configuration
- UFW integration
- Operator IP whitelisting

### Phase 4: auditd (40)

Optional audit logging.

- Monitor security-relevant files
- Kernel module loading
- User/group modifications

### Phase 5: Verification (90-99)

Generate JSON status matrix and markdown audit report.
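The Phase 2 apply sequence (back up, render, validate with `sshd -t`, reload rather than restart, auto-restore on failure) and its rollback are the part of this skill that decides whether the operator keeps remote access. The following is an added example of that sequence, not the skill's own `21_ssh_apply.sh` or `undo_ssh.sh`; the function names, the minimal rendered template, the cipher/MAC lists (one common choice; the skill's own list is in references/ssh_cipher_recommendations.md) and the `validate_sshd_config`/`reload_sshd` hook names are assumptions. It keeps the first backup it makes so re-running is idempotent and never overwrites the known-good original.

```shell
#!/usr/bin/env bash
# Added example (not the skill's own scripts): SSH apply with backup,
# sshd -t validation, reload, and automatic restore on failure.

: "${BACKUP_DIR:=outputs/backups}"
: "${SSH_PORT:=22}"
: "${SSHD_CONFIG:=/etc/ssh/sshd_config}"

# Render the hardened config. Settings named by the skill plus an assumed
# cipher/MAC selection; a real template carries the full reviewed list.
render_sshd_config() {
  cat <<EOF
Port $SSH_PORT
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
EOF
}

# Hooks for the real validator and reloader, kept separate so a dry run or a
# test can substitute them. `sshd -t -f FILE` parses FILE without serving.
validate_sshd_config() { sshd -t -f "$1"; }
# Reload re-reads the config while existing sessions stay connected; the unit
# is 'ssh' on Debian/Ubuntu and 'sshd' elsewhere.
reload_sshd() { systemctl reload ssh 2>/dev/null || systemctl reload sshd; }

# Apply: $1 = live config path (defaults to SSHD_CONFIG).
apply_sshd_config() {
  target=${1:-$SSHD_CONFIG}
  backup="$BACKUP_DIR/sshd_config.before"
  mkdir -p "$BACKUP_DIR"
  # Backup before every change; keep the first one so repeated runs never
  # replace the original with an already-hardened copy.
  [ -f "$backup" ] || cp -p "$target" "$backup"
  render_sshd_config > "$target"
  if ! validate_sshd_config "$target"; then
    # Auto-restore: put the known-good config back before anything reloads it.
    echo "sshd -t rejected the rendered config; restoring $backup" >&2
    cp -p "$backup" "$target"
    return 1
  fi
  reload_sshd
}

# Rollback: restore the backup and reload. Safe from a console session too.
undo_ssh() {
  target=${1:-$SSHD_CONFIG}
  backup="$BACKUP_DIR/sshd_config.before"
  [ -f "$backup" ] || { echo "no backup at $backup" >&2; return 1; }
  cp -p "$backup" "$target" && reload_sshd
}

# Verification helper: effective value of a keyword in a config file. sshd
# uses the first value it reads, so the first match wins here as well.
sshd_setting() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}
```

A verify step can call `sshd_setting /etc/ssh/sshd_config PermitRootLogin` and `sshd_setting ... PasswordAuthentication` and expect `no` for both; anything else means the apply did not land or was rolled back, and the status matrix should say so rather than assume the phase succeeded.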
## Inputs

| Parameter | Required | Default | Description |
|-----------|----------|---------|-------------|
| NODE_NAME | No | node-a | Hostname for this node |
| SSH_PORT | No | 22 | SSH port number |
| ALLOW_HTTP | No | true | Allow port 80 in UFW |
| ALLOW_HTTPS | No | true | Allow port 443 in UFW |
| ALLOW_ICMP | No | false | Allow ICMP (ping) |
| DRY_RUN | No | 1 | Set to 0 to enable apply scripts |
| REQUIRE_CONFIRM | No | 1 | Require confirmation phrase |
| CONFIRM_PHRASE | No | I UNDERSTAND THIS CAN LOCK ME OUT | Safety phrase |
| BACKUP_DIR | No | outputs/backups | Backup location |
| FAIL2BAN_ENABLE | No | true | Enable fail2ban setup |
| AUDITD_ENABLE | No | true | Enable auditd setup |

## Outputs

| File | Description |
|------|-------------|
| `outputs/backups/ufw_status_before.txt` | Pre-change UFW state |
| `outputs/backups/iptables_rules_before.txt` | Pre-change iptables |
| `outputs/backups/sshd_config.before` | Pre-change SSH config |
| `outputs/ufw_status_after.txt` | Post-change UFW state |
| `outputs/status_matrix.json` | Verification results |
| `outputs/audit_report.md` | Human-readable audit trail |

## Safety Guarantees

1. **DRY_RUN=1 by default** - Apply scripts refuse to run without explicit DRY_RUN=0
2. **CONFIRM_PHRASE required** - Must type exact phrase to proceed
3. **SSH reload (not restart)** - Keeps current session alive
4. **sshd -t validation** - Config validated before applying
5. **Auto-restore on failure** - Invalid config automatically reverted
6. **Backups before every change** - Full state preserved
7. **Emergency restore script** - Console-safe full recovery
8. **All scripts idempotent** - Safe to run multiple times

## Emergency Recovery

If you lose SSH access:

1. Access console via IPMI/VNC/physical
2. Run: `./scripts/rollback/emergency_restore.sh`

This will:

- Disable UFW
- Restore original sshd_config from backup
- Restart SSH service

## EU Compliance

| Aspect | Value |
|--------|-------|
| Data Residency | EU (Ireland - Dublin) |
| GDPR Applicable | Yes |
| Jurisdiction | Irish Law |
| Audit Logging | auditd (local only) |

## References

- [Recovery Procedures](references/recovery_procedures.md)
- [CIS Benchmarks](references/cis_benchmarks.md)
- [SSH Cipher Recommendations](references/ssh_cipher_recommendations.md)

## Next Steps

After completing node-hardening:

1. Verify SSH access from secondary session
2. Test rollback procedure (optional but recommended)
3. Proceed to **backup-sovereign** skill
4. Document hardening in LAWCHAIN (if applicable)