# Security Hardening Guide

## Overview

This guide covers security hardening for Torrent Gateway deployments, including authentication, authorization, network security, and operational security practices.
## Application Security

### Authentication & Authorization

**API Key Management:**

- Generate strong API keys with sufficient entropy
- Rotate API keys regularly (recommended: every 90 days)
- Store API keys securely (avoid environment variables in production)
- Implement API key scope limitations
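As an added Go example (not the gateway's own code), the four points above fit together like this: a 256-bit key from crypto/rand, only its SHA-256 stored, a constant-time check, a per-key scope set and a 90-day rotation cut-off. The record layout, the error names and the plain base64 key format are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"time"
)

// StoredKey is what the database keeps: the SHA-256 of the secret (never the secret), allowed scopes, issue time.
type StoredKey struct {
	Hash     [32]byte
	Scopes   map[string]bool
	IssuedAt time.Time
}
var ErrBadKey = errors.New("invalid API key")
var ErrScope = errors.New("API key lacks required scope")
var ErrRotationDue = errors.New("API key older than the 90-day rotation period")

// NewAPIKey draws 32 bytes (256 bits of entropy) from crypto/rand; returns the key to show once and the record to store.
func NewAPIKey(scopes []string, now time.Time) (string, StoredKey, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", StoredKey{}, err
	}
	rec := StoredKey{Hash: sha256.Sum256(raw), Scopes: map[string]bool{}, IssuedAt: now}
	for _, s := range scopes {
		rec.Scopes[s] = true
	}
	return base64.RawURLEncoding.EncodeToString(raw), rec, nil // plain base64 key format is an assumption
}

// Verify hashes the presented key, compares it to the stored hash in constant time, then checks scope and rotation age.
func Verify(presented string, rec StoredKey, scope string, now time.Time) error {
	raw, err := base64.RawURLEncoding.DecodeString(presented)
	if err != nil {
		return ErrBadKey
	}
	sum := sha256.Sum256(raw) // wrong length and wrong value take the same path
	if subtle.ConstantTimeCompare(sum[:], rec.Hash[:]) != 1 {
		return ErrBadKey
	}
	if !rec.Scopes[scope] {
		return ErrScope
	}
	if now.Sub(rec.IssuedAt) > 90*24*time.Hour {
		return ErrRotationDue
	}
	return nil
}
```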
**Session Security:**

```bash
# Verify session configuration
sqlite3 data/metadata.db "SELECT * FROM sessions WHERE expires_at > datetime('now');"
# Clean expired sessions
./scripts/migrate.sh # Includes session cleanup
```

**Access Control:**

- Implement role-based access control (RBAC)
- Separate admin and user permissions
- Use the principle of least privilege
- Perform regular access audits
### Input Validation

**File Upload Security:**

- File type validation (whitelist approach)
- File size limits (configurable per user/role)
- Filename sanitization
- Virus scanning integration (recommended)
**API Input Validation:**

- Validate all JSON inputs
- Sanitize file paths
- Validate authentication tokens
- Rate limiting per endpoint
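An added Go example, not code from the project, combining the upload and path checks above: filename sanitization, a size limit, an extension whitelist and a content-prefix check so that a renamed file is refused. The allowed-type table, the 50 MiB limit and the prefix bytes are assumptions for the example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
	"unicode"
)
// Whitelist: extension -> leading bytes the content must carry. Set and prefixes are assumptions
// for this example (real torrent files vary; a bencode parse is the robust check).
var allowedTypes = map[string][]byte{
	".torrent": []byte("d8:announce"),
	".png":     {0x89, 'P', 'N', 'G'},
	".pdf":     []byte("%PDF-"),
}
const maxUploadBytes = 50 << 20 // 50 MiB (assumed); a per-role limit would replace this constant
var ErrRejected = errors.New("upload rejected")

// SanitizeFilename keeps only the final path element and refuses empty, hidden, dot-only or non-printable names.
func SanitizeFilename(name string) (string, error) {
	base := filepath.Base(strings.ReplaceAll(name, "\\", "/")) // also strips Windows-style paths
	if base == "/" || strings.HasPrefix(base, ".") {
		return "", fmt.Errorf("%w: bad filename %q", ErrRejected, name)
	}
	for _, r := range base {
		if !unicode.IsPrint(r) { // control characters enable log and terminal injection
			return "", fmt.Errorf("%w: non-printable character in filename", ErrRejected)
		}
	}
	return base, nil
}

// ValidateUpload applies the name, size and content checks together; the leading bytes must match the extension.
func ValidateUpload(name string, size int64, head []byte) (string, error) {
	clean, err := SanitizeFilename(name)
	if err != nil {
		return "", err
	}
	if size <= 0 || size > maxUploadBytes {
		return "", fmt.Errorf("%w: size %d outside limit", ErrRejected, size)
	}
	magic, ok := allowedTypes[strings.ToLower(filepath.Ext(clean))]
	if !ok {
		return "", fmt.Errorf("%w: extension not whitelisted", ErrRejected)
	}
	if !bytes.HasPrefix(head, magic) {
		return "", fmt.Errorf("%w: content does not match extension", ErrRejected)
	}
	return clean, nil
}
```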
### Cryptographic Security

**Hashing:**

- Use strong hashing algorithms (SHA-256 minimum)
- Implement salt for password hashing
- Verify file integrity with checksums

**Data Encryption:**

```bash
# Encrypt sensitive data at rest
# Configure in environment variables
export ENCRYPTION_KEY=$(openssl rand -hex 32)
# In production, move the key out of the process environment (root-only file or secret manager), as for API keys above
export DB_ENCRYPTION=true
```
## Network Security

### Firewall Configuration

**UFW Setup:**

```bash
# Reset firewall rules
sudo ufw --force reset
# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow essential services
sudo ufw allow ssh
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
# Monitoring (localhost only)
sudo ufw allow from 127.0.0.1 to any port 9090 # Prometheus
sudo ufw allow from 127.0.0.1 to any port 3000 # Grafana
# Enable firewall
sudo ufw enable
```
**iptables Rules (advanced):**

```bash
# Use either ufw or raw iptables for the INPUT chain; mixing both makes the effective rule order hard to audit.
# Limit the rate of new connections (SYN packets) to the web ports; without --syn the limit would count every
# packet of established connections, and without the DROP rule that follows, excess packets would simply fall
# through to the default policy. Tune 25/minute to the expected load.
iptables -A INPUT -p tcp --dport 80 --syn -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 --syn -j DROP
iptables -A INPUT -p tcp --dport 443 --syn -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 --syn -j DROP
# Block brute force attempts: the fourth new SSH connection from one address within 60 s is dropped
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
```
### SSL/TLS Configuration

**Nginx SSL Setup:**

```nginx
server {
    listen 443 ssl http2;
    server_name yourdomain.com;

    # SSL certificates
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # SSL configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # Security headers
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
    # Legacy header: current browsers ignore it; the CSP below is the effective XSS control
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "strict-origin-when-cross-origin";

    # CSP header ('unsafe-inline' weakens script-src; drop it once inline scripts are moved to files or nonces)
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";

    location / {
        proxy_pass http://127.0.0.1:9876;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$server_name$request_uri;
}
```
### Rate Limiting

**Nginx Rate Limiting:**

```nginx
http {
    # Define rate limiting zones (keyed on the client address; behind another proxy, key on the forwarded address instead)
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
    limit_req_zone $binary_remote_addr zone=upload:10m rate=1r/s;
    limit_req_zone $binary_remote_addr zone=download:10m rate=5r/s;

    # The torrent_gateway upstream is assumed to be defined elsewhere, e.g. upstream torrent_gateway { server 127.0.0.1:9876; }
    server {
        # Apply rate limits (nginx picks the longest matching prefix, so /api/upload wins over /api/)
        location /api/upload {
            limit_req zone=upload burst=5 nodelay;
            proxy_pass http://torrent_gateway;
        }
        location /api/download {
            limit_req zone=download burst=10 nodelay;
            proxy_pass http://torrent_gateway;
        }
        location /api/ {
            limit_req zone=api burst=20 nodelay;
            proxy_pass http://torrent_gateway;
        }
    }
}
```

**Application-Level Rate Limiting:** Configure in the gateway environment:

```bash
export RATE_LIMIT_UPLOAD=10/minute
export RATE_LIMIT_DOWNLOAD=100/minute
export RATE_LIMIT_API=1000/minute
```
## System Security

### User and Permission Security

**Service Account Security:**

```bash
# Verify service user configuration
id torrent-gateway
groups torrent-gateway
# Check file permissions
ls -la /opt/torrent-gateway/
ls -la /opt/torrent-gateway/data/
# Verify no shell access (the shell field should be /usr/sbin/nologin or /bin/false)
grep torrent-gateway /etc/passwd
```

**File System Permissions:**

```bash
# Secure sensitive files
chmod 600 /opt/torrent-gateway/configs/*.yml
chmod 700 /opt/torrent-gateway/data/
chmod 755 /opt/torrent-gateway/scripts/*.sh
# Regular permission audit: list any world-writable file
find /opt/torrent-gateway/ -type f -perm /o+w -ls
```
### Log Security

**Secure Log Configuration:**

```bash
# Configure logrotate for security
# copytruncate keeps the running gateway writing to the same file; with it logrotate ignores "create",
# so the 640 mode must also be set when the service creates the log file
cat > /etc/logrotate.d/torrent-gateway << 'EOF'
/opt/torrent-gateway/logs/*.log {
    daily
    missingok
    rotate 90
    compress
    delaycompress
    notifempty
    copytruncate
    su torrent-gateway torrent-gateway
    create 640 torrent-gateway torrent-gateway
}
EOF
```
**Log Monitoring:**

```bash
# Monitor for security events
journalctl -u torrent-gateway | grep -E "(failed|error|denied|unauthorized)"
# Setup log monitoring alerts
# Add to monitoring configuration
```
### System Hardening

**SSH Security:**

```bash
# Disable root login (the stock sshd_config ships the directive commented out, so match both forms)
sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
# Disable password authentication (use keys only)
sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Change default SSH port; open the new port in the firewall (ufw allow 2222/tcp) before restarting,
# because the "ufw allow ssh" rule above covers port 22 only
sed -i 's/^#\?Port .*/Port 2222/' /etc/ssh/sshd_config
# Validate the configuration before restarting so a typo cannot lock you out
sshd -t && systemctl restart ssh
```
**Kernel Security:**

```bash
# Enable kernel security features
cat >> /etc/sysctl.conf << 'EOF'
# Network security
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
# Memory protection
# kernel.exec-shield exists only on old Red Hat kernels; on current kernels the key is absent and
# sysctl -p reports an error for it, so it is left commented out here
# kernel.exec-shield = 1
kernel.randomize_va_space = 2
EOF
sysctl -p
```
## Monitoring and Alerting

### Security Monitoring

**Failed Authentication Attempts:**

```bash
# Monitor auth failures
journalctl -u torrent-gateway | grep "authentication failed"
# Setup alert for repeated failures
# Add to Prometheus alerting rules
```
**Suspicious Activity Detection:**

```promql
# High error rates
rate(http_requests_total{status=~"4.."}[5m]) > 0.1
# Unusual upload patterns
rate(upload_requests_total[1h]) > 100
# Large file downloads
rate(download_bytes_total[5m]) > 100000000 # 100MB/s
```
### Security Alerts

**Critical Security Events:**

- Multiple authentication failures
- Unusual traffic patterns
- File system permission changes
- Service account login attempts
- Database integrity check failures

**AlertManager Configuration:**

```yaml
# In configs/alertmanager.yml (fragment: the top-level route still needs its default receiver)
route:
  routes:
    # Alerting rules must carry the labels severity=critical and team=security for this route to match
    - match:
        severity: critical
        team: security
      receiver: 'security-team'
receivers:
  - name: 'security-team'
    slack_configs:
      - api_url: 'YOUR_SLACK_WEBHOOK'
        channel: '#security-alerts'
        title: 'Security Alert'
        text: '{{ range .Alerts }}{{ .Annotations.summary }}{{ end }}'
```
## Vulnerability Management

### Regular Security Updates

**System Updates:**

```bash
# Automated security updates
apt-get install unattended-upgrades
dpkg-reconfigure unattended-upgrades
# Manual update process
apt-get update
apt-get upgrade
apt-get autoremove
```

**Application Dependencies:**

```bash
# Go module security scanning
go list -m all | nancy sleuth
# Check for known vulnerabilities
go mod download
govulncheck ./...
```
### Security Scanning

**Static Analysis:**

```bash
# Run security scanner
gosec ./...
# Check for hardcoded secrets
git secrets --scan
# Dependency vulnerability scan
snyk test
```

**Container Security (if using Docker):**

```bash
# Scan Docker images
# (docker scan was removed from recent Docker releases; docker scout cves is its replacement)
docker scan torrent-gateway:latest
# Check container configuration
docker-bench-security
```
## Incident Response

### Security Incident Procedures

**Immediate Response:**

- Isolate affected systems
- Preserve evidence
- Assess damage scope
- Implement containment
- Begin recovery

**Evidence Collection:**

```bash
# Collect system state
ps aux > incident_processes.txt
netstat -tulpn > incident_network.txt # use ss -tulpn on systems without net-tools
ls -la /opt/torrent-gateway/ > incident_files.txt
# Collect logs
journalctl -u torrent-gateway --since "1 hour ago" > incident_app_logs.txt
tail -1000 /var/log/auth.log > incident_auth_logs.txt
tail -1000 /var/log/nginx/access.log > incident_access_logs.txt
# Record sha256sum of the incident_*.txt files and copy them off the host so their integrity can be shown later
```
### Forensic Analysis

**Database Forensics:**

```bash
# Check for unauthorized data access
sqlite3 data/metadata.db "
SELECT * FROM files
WHERE last_access > datetime('now', '-1 hour')
ORDER BY last_access DESC;
"
# Check for unauthorized user creation
sqlite3 data/metadata.db "
SELECT * FROM users
WHERE created_at > datetime('now', '-1 day')
ORDER BY created_at DESC;
"
```

**File System Analysis:**

```bash
# Check for recently modified files
find /opt/torrent-gateway/ -type f -mtime -1 -ls
# Check for unauthorized executables
find /opt/torrent-gateway/ -type f -executable -ls
```
## Compliance and Auditing

### Audit Logging

**Enable comprehensive logging:**

```bash
# Application audit logs
export AUDIT_LOG_ENABLED=true
export AUDIT_LOG_LEVEL=detailed
# System audit logs (auditd)
apt-get install auditd
systemctl enable auditd
systemctl start auditd
```

**Log Analysis:**

```bash
# Search for security events
journalctl -u torrent-gateway | grep -E "(authentication|authorization|failed|denied)"
# Generate audit reports
./scripts/generate_audit_report.sh
```
## Security Checklist

**Daily:**

- Review security alerts
- Check authentication logs
- Verify backup completion
- Monitor resource usage

**Weekly:**

- Review access logs
- Check for failed login attempts
- Verify firewall rules
- Update security patches

**Monthly:**

- Rotate API keys
- Review user access
- Security scan
- Backup restoration test
- Vulnerability assessment

**Quarterly:**

- Security architecture review
- Penetration testing
- Incident response drill
- Security training update
## Emergency Security Procedures

### Suspected Breach

**Immediate Actions:**

```bash
# 1. Isolate system: block the public services while keeping SSH for the responder.
#    ("ufw deny incoming" is not a valid rule; the default policy is set with "default deny", and the
#    deny rules are inserted at position 1 so they take precedence over the earlier allow rules)
sudo ufw default deny incoming
sudo ufw insert 1 deny 80/tcp
sudo ufw insert 1 deny 443/tcp
# 2. Stop services (run the Evidence Collection commands above first; stopping the service loses process and socket state)
sudo systemctl stop torrent-gateway
sudo systemctl stop nginx
# 3. Create forensic backup
sudo ./scripts/backup.sh forensic_$(date +%Y%m%d_%H%M%S)
# 4. Preserve logs (-a keeps ownership and timestamps; /tmp is cleared at boot, so move the copy off the host)
sudo cp -a /var/log /tmp/incident_logs_$(date +%Y%m%d_%H%M%S)
```
### Compromised Credentials

**API Key Compromise:**

```bash
# 1. Revoke compromised keys
# (Implement key revocation in application)
# 2. Force re-authentication
sqlite3 data/metadata.db "DELETE FROM sessions;"
# 3. Generate new keys
# (Application-specific procedure)
# 4. Notify affected users
# (Implement notification system)
```
### System Recovery After Incident

**Clean Recovery Process:**

- Verify threat elimination
- Restore from clean backup
- Apply security patches
- Implement additional controls
- Monitor for recurring issues

```bash
# Recovery script
sudo ./scripts/restore.sh <pre_incident_backup>
sudo ./scripts/install_native.sh --skip-build
sudo ./scripts/health_check.sh
```