From d534aceadcf1455948b3e1cb543944a10f51ebe2 Mon Sep 17 00:00:00 2001 From: David Kiania Date: Fri, 10 Apr 2026 22:34:56 +0300 Subject: [PATCH] Add DB connection string to ops manual, add administration notes, remove stale deploy guide Co-Authored-By: Claude Sonnet 4.6 --- OPERATIONS_MANUAL.md | 3 + administration/ingest_movement_dockerps.md | 14 + deployInstance.md | 379 --------------------- 3 files changed, 17 insertions(+), 379 deletions(-) create mode 100644 administration/ingest_movement_dockerps.md delete mode 100644 deployInstance.md diff --git a/OPERATIONS_MANUAL.md b/OPERATIONS_MANUAL.md index 2d0d890..895c2eb 100644 --- a/OPERATIONS_MANUAL.md +++ b/OPERATIONS_MANUAL.md @@ -1,6 +1,9 @@ # Fireside Communications — Tracksolid Pro Telemetry Stack ## Operations Manual & Verification Guide + +connection string docker exec -it timescale_db-bo3nov2ija7g8wn9b1g2paxs-210508774107 psql -U postgres -d tracksolid_db + --- ## 1. Service Architecture diff --git a/administration/ingest_movement_dockerps.md b/administration/ingest_movement_dockerps.md new file mode 100644 index 0000000..32079c5 --- /dev/null +++ b/administration/ingest_movement_dockerps.md @@ -0,0 +1,14 @@ +docker logs -f ingest_events-bo3nov2ija7g8wn9b1g2paxs-162026778012 +docker logs -f ingest_movement-bo3nov2ija7g8wn9b1g2paxs-162026773516 + + Or to see both at once with labels, use --tail to get the last N lines: + + # Last 50 lines from each +docker logs --tail 50 ingest_events-bo3nov2ija7g8wn9b1g2paxs-162026778012 +docker logs --tail 50 ingest_movement-bo3nov2ija7g8wn9b1g2paxs-162026773516 + + To follow both simultaneously in split view: + + # Option 1: Follow both in one terminal (prefixed) +docker logs -f ingest_events-bo3nov2ija7g8wn9b1g2paxs-162026778012 2>&1 | sed 's/^/[EVENTS] /' & +docker logs -f ingest_movement-bo3nov2ija7g8wn9b1g2paxs-162026773516 2>&1 | sed 's/^/[MOVEMENT] /' \ No newline at end of file 
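Review bot: The new `connection string docker exec -it … psql -U postgres -d tracksolid_db` line in the OPERATIONS_MANUAL.md hunk is inserted as bare prose between the title and the `---` rule, with no heading, no code fence and no sentence saying what it is for, so it renders as a broken sentence rather than as a command. It also directs routine operations at the `postgres` superuser role and hard-codes a container name whose suffix looks deployment-specific, so it will over-privilege day-to-day checks and go stale on the next redeploy. Suggest moving it under a `### Database access` heading inside a fenced bash block, resolving the container at run time, e.g. `docker exec -it "$(docker ps -q --filter name=timescale_db)" psql -U postgres -d tracksolid_db`, and noting the least-privilege role operators should use for read-only checks if one exists.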
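Review bot: In the last two lines of the new administration/ingest_movement_dockerps.md the first `docker logs -f … | sed … &` is backgrounded and never reaped, so Ctrl-C on the second follower leaves the first running until the shell exits; the file also ends without a trailing newline. Since the file is a runbook of shell commands, it needs a one-line heading saying which service each container is and a fenced bash block, and the prefixed-follow form should be wrapped as `( docker logs -f … | sed 's/^/[EVENTS] /' & docker logs -f … | sed 's/^/[MOVEMENT] /'; wait )` so both followers share the foreground process group and stop together. The container names carry the same deployment-specific suffix as the connection string in OPERATIONS_MANUAL.md and will change on redeploy; if the stack is compose-managed, `docker compose logs -f ingest_events ingest_movement` already prefixes each line with the service name, otherwise `docker ps --filter name=ingest_ --format '{{.Names}}'` resolves the current names.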
diff --git a/deployInstance.md b/deployInstance.md
deleted file mode 100644
index c06a707..0000000
--- a/deployInstance.md
+++ /dev/null
@@ -1,379 +0,0 @@ -# Ubuntu Server Instance Setup Guide - -## Table of Contents - -1. [Initial System Update](#1-initial-system-update) -2. [Hostname & Timezone](#2-hostname--timezone) -3. [Create a Sudo User](#3-create-a-sudo-user) -4. [SSH Hardening](#4-ssh-hardening) -5. [Copy SSH Key](#5-copy-ssh-key) -6. [UFW Firewall](#6-ufw-firewall) -7. [CrowdSec Intrusion Detection](#7-crowdsec-intrusion-detection) -8. [Shell Setup (Zsh)](#8-shell-setup-zsh) -9. [Verify Instance Settings](#9-verify-instance-settings) - ---- - -## 1. Initial System Update - -```bash -sudo apt update && sudo apt upgrade -y -sudo apt autoremove -y -``` - ---- - -## 2. Hostname & Timezone - -```bash -# Set hostname -sudo hostnamectl set-hostname your-hostname - -# Set timezone to Nairobi -sudo timedatectl set-timezone Africa/Nairobi - -# Enable NTP time sync -sudo timedatectl set-ntp true -sudo apt install systemd-timesyncd -y -sudo systemctl enable --now systemd-timesyncd - -# Verify -hostnamectl -timedatectl status -``` - -Expected NTP output: -``` -NTP service: active -System clock synchronized: yes -``` - ---- - -## 3. Create a Sudo User - -```bash -# Create user -sudo adduser username - -# Add to sudo group -sudo usermod -aG sudo username - -# Verify -groups username -``` - ---- - -## 4. SSH Hardening - -> **Important:** Copy your SSH key (Step 5) BEFORE disabling password authentication or you will lock yourself out. 
- -```bash -sudo nano /etc/ssh/sshd_config -``` - -Set the following values: - -```bash -# Disable root login -PermitRootLogin no - -# Disable password authentication (keys only — do AFTER copying SSH key) -PasswordAuthentication no - -# Disable empty passwords -PermitEmptyPasswords no - -# Only allow specific users -AllowUsers your-username - -# Disable X11 forwarding -X11Forwarding no - -# Reduce login grace time -LoginGraceTime 30 - -# Limit authentication attempts -MaxAuthTries 3 - -# Limit simultaneous unauthenticated connections -MaxStartups 3:50:10 - -# Disable unused authentication methods -ChallengeResponseAuthentication no -KerberosAuthentication no -GSSAPIAuthentication no - -# SSH protocol 2 only -Protocol 2 - -# Idle timeout (10 minutes) -ClientAliveInterval 300 -ClientAliveCountMax 2 -``` - -Optionally change the default SSH port (reduces bot noise): - -```bash -Port 2222 -``` - -Test config and restart: - -```bash -sudo sshd -t # test for errors first -sudo systemctl restart sshd -``` - -> **Before closing your session** open a second SSH connection to confirm you can still log in. - -If you changed the port, update UFW before restarting sshd: - -```bash -sudo ufw allow 2222/tcp -sudo ufw delete allow ssh -sudo systemctl restart sshd -``` - -Connect going forward with: - -```bash -ssh -p 2222 username@server-ip -``` - ---- - -## 5. Copy SSH Key - -Run this from your **local machine**: - -```bash -ssh-copy-id username@server-ip - -# If using a non-standard port -ssh-copy-id -p 2222 username@server-ip - -# If specifying a key explicitly -ssh-copy-id -i ~/.ssh/id_rsa.pub username@server-ip -``` - -Test passwordless login: - -```bash -ssh username@server-ip -``` - ---- - -## 6. 
UFW Firewall - -```bash -# Set default rules -sudo ufw default deny incoming -sudo ufw default allow outgoing - -# Allow SSH (do this BEFORE enabling) -sudo ufw allow ssh -# Or if using custom port: -sudo ufw allow 2222/tcp - -# Allow web traffic -sudo ufw allow 80/tcp -sudo ufw allow 443/tcp - -# Enable firewall -sudo ufw enable - -# Verify -sudo ufw status verbose -``` - -Add any additional ports your services need: - -```bash -# Grafana -sudo ufw allow 3000/tcp - -# Webhook receiver -sudo ufw allow 8888/tcp - -# PostgreSQL (only if external access needed) -sudo ufw allow 5432/tcp -``` - ---- - -## 7. CrowdSec Intrusion Detection - -### Install CrowdSec - -```bash -curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash -sudo apt install crowdsec -y -``` - -### Install Firewall Bouncer - -```bash -sudo apt install crowdsec-firewall-bouncer -y -``` - -### Configure for nftables (default on Ubuntu 22+) - -```bash -sudo nano /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml -``` - -Confirm top of file: - -```yaml -mode: ${BACKEND} -``` - -Ensure nftables is enabled: - -```yaml -nftables: - ipv4: - enabled: true - ipv6: - enabled: false -``` - -Restart bouncer: - -```bash -sudo systemctl restart crowdsec-firewall-bouncer -sudo systemctl status crowdsec-firewall-bouncer -``` - -### Enroll with CrowdSec Console (Recommended) - -Register at `https://app.crowdsec.net`, grab your enroll key, then: - -```bash -sudo cscli console enroll -sudo systemctl restart crowdsec -``` - -### Update Collections - -```bash -sudo cscli hub update -sudo cscli collections upgrade --all -``` - -### Whitelist Your Own IP - -```bash -sudo nano /etc/crowdsec/parsers/s02-enrich/whitelists.yaml -``` - -```yaml -name: crowdsecurity/whitelists -description: "Whitelist trusted IPs" -whitelist: - reason: "trusted management IPs" - ip: - - "" - - "" -``` - -```bash -sudo systemctl restart crowdsec -``` - -### Test CrowdSec Is Working - -```bash -# Add a 
test ban -sudo cscli decisions add --ip 1.2.3.4 --duration 5m --reason "test" - -# Verify it registered -sudo cscli decisions list - -# Remove the test ban -sudo cscli decisions delete --ip 1.2.3.4 -``` - -### Useful CrowdSec Commands - -```bash -sudo cscli decisions list # active bans -sudo cscli alerts list # recent alerts -sudo cscli bouncers list # registered bouncers -sudo cscli collections list # installed collections -sudo cscli metrics # ingestion metrics -``` - ---- - -## 8. Shell Setup (Zsh) - -```bash -# Install zsh -sudo apt install zsh -y - -# Set as default shell -chsh -s $(which zsh) -``` - -Log out and back in, then verify: - -```bash -echo $SHELL # should return /usr/bin/zsh -``` - -Optional — install Oh My Zsh: - -```bash -sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" -``` - ---- - -## 9. Verify Instance Settings - -Run this to get a full summary of the instance: - -```bash -echo "=== HOSTNAME ===" && hostnamectl | grep -E "hostname|OS|Kernel" && \ -echo "=== CPU ===" && lscpu | grep -E "Model name|CPU\(s\):" && \ -echo "=== RAM ===" && free -h | grep Mem && \ -echo "=== DISK ===" && df -h / && \ -echo "=== IP ===" && ip addr show | grep "inet " && \ -echo "=== TIMEZONE ===" && timedatectl | grep -E "Time zone|NTP|synchronized" -``` - -Or individually: - -```bash -hostnamectl # hostname, OS, kernel -lscpu | grep -E "Model|CPU\(s\)" # CPU -free -h # RAM -df -h # disk -ip addr show # network interfaces -ss -tlnp # listening ports -timedatectl # timezone and NTP -sudo ufw status verbose # firewall rules -sudo systemctl status crowdsec # CrowdSec status -sudo systemctl status crowdsec-firewall-bouncer # bouncer status -``` - ---- - -## Quick Reference Checklist - -- [ ] System updated (`apt update && apt upgrade`) -- [ ] Hostname set -- [ ] Timezone set to `Africa/Nairobi` -- [ ] NTP enabled and syncing -- [ ] Sudo user created -- [ ] SSH key copied to server -- [ ] SSH hardened (no root login, no 
password auth) -- [ ] UFW enabled with correct ports open -- [ ] CrowdSec installed and running -- [ ] Firewall bouncer installed and running -- [ ] Own IP whitelisted in CrowdSec -- [ ] Zsh set as default shell