directlx
/
dlx-ansible
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
dlx-ansible/docs/SECURITY-AUDIT-SUMMARY.md

7.0 KiB
Raw Blame History

Security Audit Summary

Date: 2026-02-09 Servers Audited: 16 Full Report: /tmp/security-audit-full-report.txt

Executive Summary

Security audit completed across all infrastructure servers. Multiple security concerns identified ranging from CRITICAL to LOW priority.

Critical Security Findings

🔴 CRITICAL

  1. Root Login Enabled via SSH (ansible-node, gitea)

    • Risk: Direct root access increases attack surface
    • Affected: 2 servers
    • Recommendation: Disable root login immediately
    PermitRootLogin no

  2. No Firewall on Multiple Servers

    • Risk: All ports exposed to network
    • Affected: ansible-node, gitea, and others
    • Recommendation: Enable UFW with strict rules

  3. Password Authentication Enabled on Jenkins

    • Risk: We enabled this for temporary AWS access
    • Status: Known configuration (for AWS Jenkins Master)
    • Recommendation: Switch to key-based auth when possible

🟠 HIGH

  1. Automatic Updates Not Configured

    • Risk: Servers missing security patches
    • Affected: ansible-node, docker, and most servers
    • Recommendation: Enable unattended-upgrades

  2. Security Updates Available

    • Critical: docker has 65 pending security updates
    • Recommendation: Apply immediately
    ansible docker -m apt -a "upgrade=dist update_cache=yes" -b

  3. Multiple Services Exposed on Docker Server

    • Risk: Ports 5000, 8000-8082, 8443, 9000, 11434 publicly accessible
    • Firewall: Currently disabled
    • Recommendation: Enable firewall, restrict to internal network

🟡 MEDIUM

  1. Password-Based Users on Multiple Servers

    • Users with passwords: root, dlxadmin, directlx, jenkins
    • Risk: Potential brute-force targets
    • Recommendation: Enforce strong password policies

  2. PermitRootLogin Enabled

    • Affected: Several Proxmox nodes
    • Risk: Root SSH access possible
    • Recommendation: Disable after confirming Proxmox compatibility

Server-Specific Findings

ansible-node (192.168.200.106)

  • Password auth: Disabled
  • Root login: ENABLED
  • Firewall: NOT CONFIGURED
  • Auto-updates: NOT CONFIGURED
  • Services: nginx (80, 443), MySQL (3306), Webmin (12321)

docker (192.168.200.200)

  • Root login: Disabled
  • Firewall: INACTIVE
  • Auto-updates: NOT CONFIGURED
  • ⚠️ Security updates: 65 PENDING
  • Services: Many Docker containers on multiple ports

jenkins (192.168.200.91)

  • Firewall: Active (ports 22, 8080, 9000, 2222)
  • ⚠️ Password auth: ENABLED (intentional for AWS)
  • ⚠️ Keyboard-interactive: ENABLED (intentional)
  • Services: Jenkins (8080), SonarQube (9000)

npm (192.168.200.71)

  • Firewall: Active (ports 22, 80, 443, 81, 2222)
  • Password auth: Disabled
  • Services: Nginx Proxy Manager, OpenResty

hiveops, smartjournal, odoo

  • ⚠️ Firewall: DISABLED (intentional for Docker networking)
  • Auto-updates: NOT CONFIGURED
  • Multiple Docker services running

Proxmox Nodes (proxmox-00, 01, 02)

  • Firewall: Active
  • ⚠️ Root login: Enabled (may be required for Proxmox)
  • Services: Proxmox web interface

Immediate Actions Required

Priority 1 (Critical - Do Now)

  1. Disable Root SSH Login

    ansible all -m lineinfile -a "path=/etc/ssh/sshd_config regexp='^PermitRootLogin' line='PermitRootLogin no'" -b
ansible all -m service -a "name=sshd state=restarted" -b

  2. Apply Security Updates on Docker Server

    ansible docker -m apt -a "upgrade=dist update_cache=yes" -b

  3. Enable Firewall on Critical Servers

    # For servers without firewall
ansible ansible-node,gitea -m apt -a "name=ufw state=present" -b
ansible ansible-node,gitea -m ufw -a "rule=allow port=22 proto=tcp" -b
ansible ansible-node,gitea -m ufw -a "state=enabled" -b

Priority 2 (High - This Week)

  1. Enable Automatic Security Updates

    ansible all -m apt -a "name=unattended-upgrades state=present" -b
ansible all -m copy -a "dest=/etc/apt/apt.conf.d/20auto-upgrades content='APT::Periodic::Update-Package-Lists \"1\";\nAPT::Periodic::Unattended-Upgrade \"1\";' mode=0644" -b

  2. Configure Firewall for Docker Server

    ansible docker -m ufw -a "rule=allow port={{ item }} proto=tcp" -b
# Add specific ports needed for services

  3. Review and Secure Open Ports

    • Audit what services need external access
    • Close unnecessary ports
    • Use NPM proxy for web services

Priority 3 (Medium - This Month)

  1. Implement Password Policy

    # In /etc/login.defs
PASS_MAX_DAYS 90
PASS_MIN_DAYS 1
PASS_MIN_LEN 12
PASS_WARN_AGE 7

  2. Enable Fail2Ban

    ansible all -m apt -a "name=fail2ban state=present" -b

  3. Regular Security Audit Schedule

    • Run monthly: ansible-playbook playbooks/security-audit-v2.yml
    • Review findings
    • Track improvements

Positive Security Practices Found

Jenkins Server: Well-configured firewall with specific ports NPM Server: Good firewall configuration, SSL certificates managed Most Servers: Password SSH auth disabled (key-only) Most Servers: Root login restricted Proxmox Nodes: Firewalls active

Recommended Playbooks

security-hardening.yml (To Be Created)

- Enable automatic security updates
- Disable root SSH login (except where needed)
- Configure UFW on all servers
- Install fail2ban
- Set password policies
- Remove world-writable files

security-monitoring.yml (To Be Created)

- Monitor failed login attempts
- Alert on unauthorized access
- Track open ports
- Monitor security updates

Compliance Checklist

  • All servers have firewall enabled
  • Root SSH login disabled (except Proxmox)
  • Password authentication disabled (except where needed)
  • Automatic updates enabled
  • No pending critical security updates
  • Strong password policies enforced
  • Fail2Ban installed and configured
  • Regular security audits scheduled
  • SSH keys rotated (90 days)
  • Unnecessary services disabled

Next Steps

  1. Review this report with stakeholders
  2. Execute Priority 1 actions immediately
  3. Schedule Priority 2 actions for this week
  4. Create remediation playbooks for automation
  5. Establish monthly security audit routine
  6. Document exceptions (e.g., Jenkins password auth for AWS)

Resources

  • Full audit report: /tmp/security-audit-full-report.txt
  • Individual reports: /tmp/security-audit-*/report.txt
  • Audit playbook: playbooks/security-audit-v2.yml

Notes

  • Jenkins password auth is intentional for AWS Jenkins Master connection
  • Firewall disabled on hiveops/smartjournal/odoo due to Docker networking requirements
  • Proxmox root login may be required for management interface

Generated: 2026-02-09 Auditor: Ansible Security Audit v2 Next Audit: 2026-03-09 (monthly)