feat: add security audit

2025-06-26 18:27:59 +00:00 · 2024-12-15 21:13:37 -06:00
parent c0acdc5df1
commit 58c2ceb355
5 changed files with 182 additions and 52 deletions
--- a/apps/dokploy/components/dashboard/settings/servers/security-setup.tsx
+++ b/apps/dokploy/components/dashboard/settings/servers/security-setup.tsx
@@ -8,7 +8,7 @@ import {
 	CardTitle,
 } from "@/components/ui/card";
 import { api } from "@/utils/api";
-import { Loader2, PcCase, RefreshCw } from "lucide-react";
+import { Loader2, LockKeyhole, PcCase, RefreshCw } from "lucide-react";
 import { useState } from "react";
 import { StatusRow } from "./gpu-support";

@@ -34,7 +34,7 @@ export const SecuritySetup = ({ serverId }: Props) => {
 						<div className="flex flex-row gap-2 justify-between w-full  max-sm:flex-col">
 							<div className="flex flex-col gap-1">
 								<div className="flex items-center gap-2">
-									<PcCase className="size-5" />
+									<LockKeyhole className="size-5" />
 									<CardTitle className="text-xl">
 										Setup Security Sugestions
 									</CardTitle>
@@ -42,11 +42,11 @@ export const SecuritySetup = ({ serverId }: Props) => {
 								<CardDescription>Check the security sugestions</CardDescription>
 							</div>
 							<Button
-								// isLoading={isRefreshing}
+								isLoading={isRefreshing}
 								onClick={async () => {
-									// setIsRefreshing(true);
+									setIsRefreshing(true);
 									await refetch();
-									// setIsRefreshing(false);
+									setIsRefreshing(false);
 								}}
 							>
 								<RefreshCw className="size-4" />
@@ -71,72 +71,149 @@ export const SecuritySetup = ({ serverId }: Props) => {
 						) : (
 							<div className="grid w-full gap-4">
 								<div className="border rounded-lg p-4">
-									<h3 className="text-lg font-semibold mb-1">Status</h3>
+									<h3 className="text-lg font-semibold mb-1">UFW</h3>
 									<p className="text-sm text-muted-foreground mb-4">
-										Shows the server configuration status
+										UFW (Uncomplicated Firewall) is a simple firewall that can
+										be used to block incoming and outgoing traffic from your
+										server.
 									</p>
 									<div className="grid gap-2.5">
 										<StatusRow
-											label="Docker Installed"
-											isEnabled={data?.docker?.enabled}
+											label="UFW Installed"
+											isEnabled={data?.ufw?.installed}
 											description={
-												data?.docker?.enabled
-													? `Installed: ${data?.docker?.version}`
-													: undefined
+												data?.ufw?.installed 
+													? "Installed (Recommended)" 
+													: "Not Installed (UFW should be installed for security)"
 											}
 										/>
 										<StatusRow
-											label="RClone Installed"
-											isEnabled={data?.rclone?.enabled}
+											label="Status"
+											isEnabled={data?.ufw?.active}
 											description={
-												data?.rclone?.enabled
-													? `Installed: ${data?.rclone?.version}`
-													: undefined
+												data?.ufw?.active 
+													? "Active (Recommended)" 
+													: "Not Active (UFW should be enabled for security)"
 											}
 										/>
 										<StatusRow
-											label="Nixpacks Installed"
-											isEnabled={data?.nixpacks?.enabled}
+											label="Default Incoming"
+											isEnabled={data?.ufw?.defaultIncoming === "deny"}
 											description={
-												data?.nixpacks?.enabled
-													? `Installed: ${data?.nixpacks?.version}`
-													: undefined
+												data?.ufw?.defaultIncoming === "deny"
+													? "Default: Deny (Recommended)"
+													: `Default: ${data?.ufw?.defaultIncoming} (Should be set to 'deny' for security)`
+											}
+										/>
+									</div>
+								</div>
+
+								<div className="border rounded-lg p-4">
+									<h3 className="text-lg font-semibold mb-1">SSH</h3>
+									<p className="text-sm text-muted-foreground mb-4">
+										SSH (Secure Shell) is a protocol that allows you to securely
+										connect to a server and execute commands on it.
+									</p>
+									<div className="grid gap-2.5">
+										<StatusRow
+											label="Enabled"
+											isEnabled={data?.ssh.enabled}
+											description={
+												data?.ssh.enabled ? "Enabled" : "Not Enabled (SSH should be enabled)"
 											}
 										/>
 										<StatusRow
-											label="Buildpacks Installed"
-											isEnabled={data?.buildpacks?.enabled}
+											label="Key Auth"
+											isEnabled={data?.ssh.keyAuth}
 											description={
-												data?.buildpacks?.enabled
-													? `Installed: ${data?.buildpacks?.version}`
-													: undefined
+												data?.ssh.keyAuth
+													? "Enabled (Recommended)"
+													: "Not Enabled (Key Authentication should be enabled)"
 											}
 										/>
 										<StatusRow
-											label="Docker Swarm Initialized"
-											isEnabled={data?.isSwarmInstalled}
+											label="Password Auth"
+											isEnabled={data?.ssh.passwordAuth === "no"}
 											description={
-												data?.isSwarmInstalled
-													? "Initialized"
-													: "Not Initialized"
+												data?.ssh.passwordAuth === "no"
+													? "Disabled (Recommended)"
+													: "Enabled (Password Authentication should be disabled)"
 											}
 										/>
 										<StatusRow
-											label="Dokploy Network Created"
-											isEnabled={data?.isDokployNetworkInstalled}
+											label="Permit Root Login"
+											isEnabled={data?.ssh.permitRootLogin === "no"}
 											description={
-												data?.isDokployNetworkInstalled
-													? "Created"
-													: "Not Created"
+												data?.ssh.permitRootLogin === "no"
+													? "Disabled (Recommended)"
+													: `Enabled: ${data?.ssh.permitRootLogin} (Root Login should be disabled)`
 											}
 										/>
 										<StatusRow
-											label="Main Directory Created"
-											isEnabled={data?.isMainDirectoryInstalled}
+											label="Use PAM"
+											isEnabled={data?.ssh.usePam === "no"}
 											description={
-												data?.isMainDirectoryInstalled
-													? "Created"
-													: "Not Created"
+												data?.ssh.usePam === "no"
+													? "Disabled (Recommended for key-based auth)"
+													: "Enabled (Should be disabled when using key-based auth)"
+											}
+										/>
+									</div>
+								</div>
+
+								<div className="border rounded-lg p-4">
+									<h3 className="text-lg font-semibold mb-1">Fail2Ban</h3>
+									<p className="text-sm text-muted-foreground mb-4">
+										Fail2Ban (Fail2Ban) is a service that can be used to prevent
+										brute force attacks on your server.
+									</p>
+									<div className="grid gap-2.5">
+										<StatusRow
+											label="Installed"
+											isEnabled={data?.fail2ban.installed}
+											description={
+												data?.fail2ban.installed 
+													? "Installed (Recommended)" 
+													: "Not Installed (Fail2Ban should be installed for protection against brute force attacks)"
+											}
+										/>
+
+										<StatusRow
+											label="Enabled"
+											isEnabled={data?.fail2ban.enabled}
+											description={
+												data?.fail2ban.enabled 
+													? "Enabled (Recommended)" 
+													: "Not Enabled (Fail2Ban service should be enabled)"
+											}
+										/>
+										<StatusRow
+											label="Active"
+											isEnabled={data?.fail2ban.active}
+											description={
+												data?.fail2ban.active 
+													? "Active (Recommended)" 
+													: "Not Active (Fail2Ban service should be running)"
+											}
+										/>
+
+										<StatusRow
+											label="SSH Protection"
+											isEnabled={data?.fail2ban.sshEnabled === "true"}
+											description={
+												data?.fail2ban.sshEnabled === "true"
+													? "Enabled (Recommended)"
+													: "Not Enabled (SSH protection should be enabled to prevent brute force attacks)"
+											}
+										/>
+
+										<StatusRow
+											label="SSH Mode"
+											isEnabled={data?.fail2ban.sshMode === "aggressive"}
+											description={
+												data?.fail2ban.sshMode === "aggressive"
+													? "Aggressive Mode (Recommended)"
+													: `Mode: ${data?.fail2ban.sshMode || "Not Set"} (Aggressive mode recommended for better protection)`
 											}
 										/>
 									</div>
--- a/apps/dokploy/server/api/routers/server.ts
+++ b/apps/dokploy/server/api/routers/server.ts
@@ -26,6 +26,7 @@ import {
 	getPublicIpWithFallback,
 	haveActiveServices,
 	removeDeploymentsByServerId,
+	serverAudit,
 	serverSecurity,
 	serverSetup,
 	serverValidate,
@@ -179,11 +180,36 @@ export const serverRouter = createTRPCRouter({
 						message: "You are not authorized to validate this server",
 					});
 				}
-				const response = await serverSecurity(input.serverId);
-				return {} as unknown as {
-					docker: {
+				const response = await serverAudit(input.serverId);
+				console.log(response);
+				return response as unknown as {
+					ufw: {
+						installed: boolean;
+						active: boolean;
+						defaultIncoming: string;
+					};
+					ssh: {
 						enabled: boolean;
-						version: string;
+						keyAuth: boolean;
+						permitRootLogin: string;
+						passwordAuth: string;
+						usePam: string;
+					};
+					nonRootUser: {
+						hasValidSudoUser: boolean;
+					};
+					unattendedUpgrades: {
+						installed: boolean;
+						active: boolean;
+						updateEnabled: number;
+						upgradeEnabled: number;
+					};
+					fail2ban: {
+						installed: boolean;
+						enabled: boolean;
+						active: boolean;
+						sshEnabled: string;
+						sshMode: string;
 					};
 				};
 			} catch (error) {