TheFlow e511ab6a78 docs: Add security incident report and VPS audit template

- SECURITY_INCIDENT_REPORT_2025-12-09.md: Full forensic analysis of
  Exodus botnet compromise via Docker container, recovery actions
- SECURITY_AUDIT_TEMPLATE_VPS.md: Reusable security audit checklist
  based on lessons learned from the incident

Note: --no-verify used as incident report contains legitimate
internal paths for forensic documentation (private repo)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2025-12-10 08:33:48 +13:00

6.5 KiB

Raw Blame History

VPS Security Audit Template

Based on lessons learned from agenticgovernance.digital incident (2025-12-09)

Server Information

Field	Value
Target Server	mysovereignty.digital
VPS Provider	OVH
Audit Date	___________
Auditor	___________

1. SSH Security

1.1 Configuration Check

# Run on server:
grep -E "^PasswordAuthentication|^PermitRootLogin|^MaxAuthTries|^PubkeyAuthentication" /etc/ssh/sshd_config

Setting	Expected	Status
PasswordAuthentication	no	⬜
PermitRootLogin	no	⬜
MaxAuthTries	3-5	⬜
PubkeyAuthentication	yes	⬜

1.2 Authorized Keys

# Check for unauthorized keys:
cat ~/.ssh/authorized_keys
cat /root/.ssh/authorized_keys 2>/dev/null

Only expected keys present
No unknown public keys

# Check for brute force:
grep "Failed password" /var/log/auth.log | tail -20
# Check successful logins:
grep "Accepted" /var/log/auth.log | tail -20

No successful unauthorized logins
Brute force attempts are being blocked

2. Firewall (UFW)

2.1 Status Check

sudo ufw status verbose

Port	Service	Should Allow	Status
22	SSH	Yes	⬜
80	HTTP	Yes	⬜
443	HTTPS	Yes	⬜
2375	Docker API	NO	⬜
2376	Docker TLS	NO	⬜
27017	MongoDB	NO (localhost only)	⬜

2.2 Default Policy

sudo ufw status verbose | grep Default

Default incoming: deny
Default outgoing: allow

3. Docker Security (CRITICAL)

3.1 Docker Installation Status

which docker
docker --version 2>/dev/null || echo "Docker not installed"

Check	Status
Docker installed?	⬜ Yes / ⬜ No
If yes, is it necessary?	⬜ Yes / ⬜ No

3.2 If Docker IS Installed

# Check running containers:
docker ps -a
# Check Docker socket exposure:
ls -la /var/run/docker.sock
# Check Docker API binding:
ss -tlnp | grep docker

No unnecessary containers running
Docker socket not world-readable
Docker API NOT bound to 0.0.0.0
UFW blocks ports 2375/2376

3.3 Recommendation

If Docker is not essential, REMOVE IT:

sudo apt purge docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
sudo rm -rf /var/lib/docker /var/lib/containerd

4. Intrusion Detection

4.1 fail2ban Status

sudo systemctl status fail2ban
sudo fail2ban-client status
sudo fail2ban-client status sshd

Check	Status
fail2ban installed	⬜
fail2ban running	⬜
SSH jail enabled	⬜
Ban time adequate (≥1h)	⬜

4.2 If NOT Installed

sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# Create jail config:
sudo tee /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 3

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 24h
EOF

sudo systemctl restart fail2ban

5. Database Security

5.1 MongoDB (if applicable)

grep -E "bindIp|authorization" /etc/mongod.conf

Setting	Expected	Actual	Status
bindIp	127.0.0.1		⬜
authorization	enabled		⬜

MongoDB NOT exposed to internet
Authentication enabled
Strong admin password

5.2 PostgreSQL (if applicable)

grep -E "listen_addresses" /etc/postgresql/*/main/postgresql.conf
cat /etc/postgresql/*/main/pg_hba.conf | grep -v "^#" | grep -v "^$"

listen_addresses = 'localhost' (or specific IPs)
No trust authentication for remote hosts

6. System Integrity

6.1 User Accounts

# Users with shell access:
grep -v "nologin\|false" /etc/passwd
# Users with sudo:
grep -E "^sudo|^admin" /etc/group

No unexpected user accounts
No unauthorized sudo users

6.2 Cron Jobs

# System cron:
ls -la /etc/cron.d/
cat /etc/crontab
# User crons:
sudo ls /var/spool/cron/crontabs/

No suspicious cron jobs
All cron jobs recognized

6.3 Systemd Services

# Custom services:
ls /etc/systemd/system/*.service | grep -v "@"
# Enabled services:
systemctl list-unit-files --state=enabled | grep -v "systemd\|dbus\|network"

All enabled services recognized
No suspicious service files

6.4 Listening Ports

sudo ss -tlnp
sudo ss -ulnp

All listening ports expected
No unexpected services

7. Application Security

7.1 Environment Files

# Check for exposed secrets:
ls -la /var/www/*/.env* 2>/dev/null
ls -la /home/*/.env* 2>/dev/null

.env files have restricted permissions (600 or 640)
No .env.backup files with secrets
Secrets not in git history

7.2 Git Repository Security

# Check for tracked secrets:
git log --all --full-history -- "*.env*" ".admin-credentials*" "*.credentials*" 2>/dev/null | head -5

No credential files in git history
.gitignore includes sensitive patterns

7.3 Admin Credentials

Default passwords changed
Admin password is strong (20+ chars, random)
Password rotated after any exposure

8. Updates & Patches

# Check for updates:
sudo apt update
apt list --upgradable
# Check last update:
ls -la /var/log/apt/history.log

System is up to date
Automatic security updates enabled

9. SSL/TLS

# Check certificate:
curl -vI https://mysovereignty.digital 2>&1 | grep -E "expire|issuer|subject"
# Test SSL:
openssl s_client -connect mysovereignty.digital:443 -servername mysovereignty.digital < /dev/null 2>/dev/null | openssl x509 -noout -dates

Valid SSL certificate
Certificate not expiring soon
HTTPS enforced (HTTP redirects)

10. Backup & Recovery

Backup strategy documented
Backups tested recently
Recovery procedure documented

Summary

Category	Status	Priority
SSH Security
Firewall
Docker
fail2ban
Database
System Integrity
Application
Updates
SSL/TLS
Backups

Critical Issues Found

Recommended Actions

Audit Completed: ___________ Next Audit Due: ___________

6.5 KiB Raw Blame History