vaultsovereign/vm-skills
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
009e93a80b3c58bbfaa2ceb153e3fba32a6efc3c
vm-skills/node-hardening/SKILL.md
Vault Sovereign eac77ef7b4 Initial commit: VaultMesh Skills collection 
Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00

5.2 KiB
Raw Blame History

name, description, version
name description version
node-hardening Harden a Linux node for sovereign EU infrastructure without losing remote access. Implements UFW firewall, SSH hardening, fail2ban, and auditd with two-phase plan/apply workflow and DRY_RUN safety gates. Use when securing Node A after operator-bootstrap completes. Triggers: 'harden node', 'secure server', 'configure firewall', 'harden SSH', 'set up fail2ban', 'enable auditd', 'lock down node', 'security hardening'. 1.0.0

Node Hardening

High-risk Tier 1 skill for securing Linux nodes. All risky operations require explicit DRY_RUN=0 and confirmation phrase. Designed for full Linux servers (Ubuntu/Debian) with console/IPMI/VNC fallback access.

Quick Start

# Set required parameters (none required, but review defaults)
export NODE_NAME="node-a"
export SSH_PORT=22

# Run preflight check
./scripts/00_preflight.sh

# Plan phases (safe to run, shows what WILL happen)
./scripts/10_ufw_plan.sh
./scripts/20_ssh_plan.sh

# Apply phases (REQUIRES DRY_RUN=0 and confirmation)
export DRY_RUN=0
./scripts/11_ufw_apply.sh    # Type confirmation phrase
./scripts/21_ssh_apply.sh    # Type confirmation phrase

# Optional: fail2ban and auditd
./scripts/30_fail2ban_setup.sh
./scripts/40_auditd_setup.sh

# Verify and report
./scripts/90_verify.sh
./scripts/99_report.sh

Workflow

Phase 0: Preflight (00)

Check dependencies: sudo, systemctl, ufw, sshd, fail2ban, auditd. Detect SSH session and warn about keeping backup session open.

Phase 1: UFW Firewall (10-11)

Two-phase operation with DRY_RUN gate.

Plan phase shows:

  • Default deny incoming, allow outgoing
  • SSH port allowance (rate-limited if possible)
  • HTTP/HTTPS ports if enabled
  • Current client IP auto-whitelisted

Apply phase executes:

  • Backs up current iptables state
  • Resets and configures UFW
  • Enables firewall

Rollback: ./scripts/rollback/undo_ufw.sh

Phase 2: SSH Hardening (20-21)

Two-phase operation with DRY_RUN gate and CONFIRM_PHRASE.

Plan phase shows:

  • Proposed sshd_config changes
  • PermitRootLogin, PasswordAuthentication settings
  • Cipher and MAC selections

Apply phase executes:

  • Backs up /etc/ssh/sshd_config
  • Renders hardened config from template
  • Validates with sshd -t before applying
  • Uses reload (not restart) to keep current session alive
  • Auto-restores on validation failure

Rollback: ./scripts/rollback/undo_ssh.sh

Phase 3: fail2ban (30)

Optional intrusion detection.

  • SSH jail configuration
  • UFW integration
  • Operator IP whitelisting

Phase 4: auditd (40)

Optional audit logging.

  • Monitor security-relevant files
  • Kernel module loading
  • User/group modifications

Phase 5: Verification (90-99)

Generate JSON status matrix and markdown audit report.

Inputs

Parameter Required Default Description
NODE_NAME No node-a Hostname for this node
SSH_PORT No 22 SSH port number
ALLOW_HTTP No true Allow port 80 in UFW
ALLOW_HTTPS No true Allow port 443 in UFW
ALLOW_ICMP No false Allow ICMP (ping)
DRY_RUN No 1 Set to 0 to enable apply scripts
REQUIRE_CONFIRM No 1 Require confirmation phrase
CONFIRM_PHRASE No I UNDERSTAND THIS CAN LOCK ME OUT Safety phrase
BACKUP_DIR No outputs/backups Backup location
FAIL2BAN_ENABLE No true Enable fail2ban setup
AUDITD_ENABLE No true Enable auditd setup

Outputs

File Description
outputs/backups/ufw_status_before.txt Pre-change UFW state
outputs/backups/iptables_rules_before.txt Pre-change iptables
outputs/backups/sshd_config.before Pre-change SSH config
outputs/ufw_status_after.txt Post-change UFW state
outputs/status_matrix.json Verification results
outputs/audit_report.md Human-readable audit trail

Safety Guarantees

  1. DRY_RUN=1 by default - Apply scripts refuse to run without explicit DRY_RUN=0
  2. CONFIRM_PHRASE required - Must type exact phrase to proceed
  3. SSH reload (not restart) - Keeps current session alive
  4. sshd -t validation - Config validated before applying
  5. Auto-restore on failure - Invalid config automatically reverted
  6. Backups before every change - Full state preserved
  7. Emergency restore script - Console-safe full recovery
  8. All scripts idempotent - Safe to run multiple times

Emergency Recovery

If you lose SSH access:

  1. Access console via IPMI/VNC/physical
  2. Run: ./scripts/rollback/emergency_restore.sh

This will:

  • Disable UFW
  • Restore original sshd_config from backup
  • Restart SSH service

EU Compliance

Aspect Value
Data Residency EU (Ireland - Dublin)
GDPR Applicable Yes
Jurisdiction Irish Law
Audit Logging auditd (local only)

References

Next Steps

After completing node-hardening:

  1. Verify SSH access from secondary session
  2. Test rollback procedure (optional but recommended)
  3. Proceed to backup-sovereign skill
  4. Document hardening in LAWCHAIN (if applicable)
Reference in New Issue View Git Blame Copy Permalink