faycel edited this page 2026-02-26 21:41:55 +00:00

16 — Security Checklist

This page provides a consolidated security verification checklist for the production infrastructure.

Snapshot date: 2026-02
Environment: Ubuntu + Docker Swarm

This checklist must be reviewed:

  • After initial deployment
  • After major updates
  • Quarterly (recommended)
  • After any security incident

1. Server Hardening

SSH

  • Root login disabled
  • Password authentication disabled
  • ed25519 key-based authentication enforced
  • SSH configuration validated against the effective daemon configuration, not just the file: sshd -T resolves Include directives and drop-ins under /etc/ssh/sshd_config.d/ (on cloud images a drop-in can re-enable password authentication even though sshd_config says no):
    sudo sshd -T | grep passwordauthentication
    sudo sshd -T | grep permitrootlogin
    
  • Fail2ban active and monitoring sshd
  • UFW enabled
  • Only required ports open
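The two grep lines above only show the values; the script below, an added example that is not part of this page or of the project's own tooling, turns the same sshd -T output into a pass/fail check for every setting in this section. It reads the output on stdin so it can be driven by the real daemon or by a captured sample; the expected values, the rule that "ed25519 enforced" means PubkeyAcceptedAlgorithms lists only ed25519 variants, and the two sample outputs are assumptions made for the example.

```shell
#!/bin/sh
# Added example: verify the effective sshd configuration from `sshd -T` output.
# Not part of the wiki. Expected values and the ed25519 rule are assumptions.
#
# On the server (after sourcing this file):  sudo sshd -T | check_sshd

# Expected effective values, as `sshd -T` prints them (lowercase keywords).
SSHD_EXPECTED="permitrootlogin=no
passwordauthentication=no
pubkeyauthentication=yes
permitemptypasswords=no"

# check_sshd: reads `sshd -T` output on stdin, prints OK/FAIL per setting,
# returns 0 only if everything matches.
check_sshd() {
    out=$(cat)
    rc=0
    for pair in $SSHD_EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        # sshd -T prints "keyword value"; take the value of the first match
        got=$(printf '%s\n' "$out" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key ${got:-<unset>} (expected $want)"
            rc=1
        fi
    done
    # Assumption: "ed25519 enforced" means PubkeyAcceptedAlgorithms lists only
    # ed25519 variants, so a stray RSA/ECDSA authorized key cannot be used.
    algos=$(printf '%s\n' "$out" | awk '$1 == "pubkeyacceptedalgorithms" { print $2; exit }')
    for a in $(printf '%s\n' "$algos" | tr ',' ' '); do
        case $a in
            *ed25519*) ;;
            *) echo "FAIL pubkeyacceptedalgorithms permits $a"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample outputs (not captured from a real host).
HARDENED_SAMPLE='port 22
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
permitemptypasswords no
pubkeyacceptedalgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com'

DEFAULT_SAMPLE='port 22
permitrootlogin prohibit-password
passwordauthentication yes
pubkeyauthentication yes
permitemptypasswords no
pubkeyacceptedalgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512'

echo "== hardened sample =="; printf '%s\n' "$HARDENED_SAMPLE" | check_sshd
echo "== default sample ==";  printf '%s\n' "$DEFAULT_SAMPLE"  | check_sshd || echo "(not compliant)"
```

Run it as a cron job or in the quarterly review; a non-zero exit is the signal to look at the sshd_config.d drop-ins before anything else.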

2. Firewall

Verify open ports:

sudo ufw status

Allowed ports must be limited to:

Port              Purpose
22/tcp            SSH
80/tcp            HTTP (Certbot only)
443/tcp           HTTPS
3478/udp          TURN
49160-49200/udp   TURN relay

No database port exposed publicly. Keep in mind that Docker installs its own iptables rules ahead of UFW's chains, so a port published by a Swarm service is reachable from outside even when ufw status does not list it; confirm with ss -tulpn (section 4) rather than with ufw alone.


3. Docker Security

General

  • Docker installed from official repository
  • Docker daemon configuration reviewed
  • No unnecessary published ports
  • Services attached only to required networks
  • Secrets used instead of environment passwords

Verify:

sudo docker service ls
sudo docker service inspect <service>

Secrets

  • Secrets stored outside Git repository
  • Secrets backed up securely
  • No hardcoded passwords in stack files
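Checking "no hardcoded passwords in stack files" by eye does not scale once there are several stacks. The script below is an added example, not part of this page or of the project's deployment scripts: it scans a stack file for environment entries whose key looks like a credential and carries a value inline (as opposed to the *_FILE convention pointing at /run/secrets/...), and separately for connection URLs with user:password@ embedded, which a key-name check alone would miss. The key-name patterns and the two constructed stack files are assumptions for the example.

```shell
#!/bin/sh
# Added example: scan a Swarm stack file for credentials passed as environment
# variables instead of Docker secrets. Not from the wiki. The key-name patterns
# and the constructed stack files below are assumptions.
#
# On the server:  scan_stack_file /path/to/stack.yml

# scan_stack_file FILE: flags (a) environment entries whose key contains
# PASSWORD/SECRET/TOKEN and carries a value inline, unless the key ends in
# _FILE (Docker secrets convention: the value is a /run/secrets/... path), and
# (b) connection URLs with user:password@ embedded. Returns 1 on any hit.
scan_stack_file() {
    f=$1
    env_hits=$(grep -nE '^[[:space:]]*-?[[:space:]]*[A-Za-z0-9_]*(PASSWORD|SECRET|TOKEN)[A-Za-z0-9_]*[=:][[:space:]]*[^[:space:]]' "$f" \
               | grep -vE '_FILE[=:]' || true)
    url_hits=$(grep -nE '://[^/:[:space:]]+:[^@[:space:]]+@' "$f" || true)
    if [ -z "$env_hits" ] && [ -z "$url_hits" ]; then
        echo "OK   $f: no inline credentials"
        return 0
    fi
    echo "FAIL $f: inline credentials (line:content)"
    printf '%s\n' "$env_hits" "$url_hits" | sed -n '/./s/^/  /p'
    return 1
}

# Constructed sample stack files in a temp dir (not the project's real stacks).
STK=$(mktemp -d)
trap 'rm -rf "$STK"' EXIT
cat > "$STK/bad-stack.yml" <<'EOF'
version: "3.8"
services:
  db:
    image: postgres:16
    environment:
      - POSTGRES_USER=mattermost
      - POSTGRES_PASSWORD=hunter2
    networks: [internal]
  mattermost:
    image: mattermost/mattermost-team-edition:9
    environment:
      MM_SQLSETTINGS_DATASOURCE: "postgres://mattermost:hunter2@db:5432/mattermost?sslmode=disable"
      MM_FILESETTINGS_AMAZONS3SECRETACCESSKEY: minio-secret-key
    networks: [internal, proxy]
networks:
  internal:
  proxy:
EOF
cat > "$STK/good-stack.yml" <<'EOF'
version: "3.8"
services:
  db:
    image: postgres:16
    environment:
      POSTGRES_USER: mattermost
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password
    networks: [internal]
secrets:
  db_password:
    external: true
networks:
  internal:
EOF

for s in "$STK/bad-stack.yml" "$STK/good-stack.yml"; do
    scan_stack_file "$s" || true
done
```

The bad sample produces three hits: the Postgres password, the S3 secret key, and the password inside the datasource URL. Note that a datasource URL with an embedded password has no *_FILE equivalent in most applications, so the fix there is usually the application's own secret-file or environment-indirection mechanism, not just a rename.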

4. Network Isolation

  • PostgreSQL accessible only from internal network
  • MinIO not exposed publicly
  • Internal overlay networks properly configured
  • Reverse proxy is the only public entry point

Verify exposed ports:

sudo ss -tulpn
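Reading ss -tulpn by hand is error-prone, and ufw status (section 2) does not show ports that Docker published with its own iptables rules. The script below, an added example rather than part of this page or the project's tooling, parses ss -tulpn output, ignores sockets bound to loopback, and flags every other listener that is not in the section 2 allowlist or the TURN relay range. It serves both the firewall check of section 2 and the exposure check of this section; the allowlist and the two sample outputs are assumptions for the example.

```shell
#!/bin/sh
# Added example: compare what is actually listening (from `ss -tulpn`) against
# the allowlist in section 2. Not from the wiki. Docker publishes ports with
# its own iptables rules, so a port can be reachable even though `ufw status`
# does not list it; reading ss catches that.
#
# On the server (after sourcing this file):  sudo ss -tulpn | check_listeners

ALLOWED_PORTS="tcp/22 tcp/80 tcp/443 udp/3478"   # from the section 2 table
RELAY_MIN=49160
RELAY_MAX=49200

# check_listeners: reads `ss -tulpn` output on stdin; loopback-only sockets are
# ignored, everything else must be in ALLOWED_PORTS or the UDP relay range.
# Returns 1 if any listener is outside the allowlist.
check_listeners() {
    rc=0
    while read -r proto _state _recvq _sendq laddr _rest; do
        [ "$proto" = "tcp" ] || [ "$proto" = "udp" ] || continue   # skips the header
        port=${laddr##*:}
        addr=${laddr%:*}
        case $addr in
            127.*|"[::1]") continue ;;      # bound to loopback, not reachable remotely
        esac
        allowed=no
        for ap in $ALLOWED_PORTS; do
            [ "$ap" = "$proto/$port" ] && allowed=yes
        done
        case $port in
            *[!0-9]*) ;;                    # non-numeric port, no range check
            *)
                if [ "$proto" = "udp" ] && [ "$port" -ge "$RELAY_MIN" ] && [ "$port" -le "$RELAY_MAX" ]; then
                    allowed=yes
                fi ;;
        esac
        if [ "$allowed" = "yes" ]; then
            echo "OK   $proto/$port on $addr"
        else
            echo "FAIL $proto/$port on $addr is not in the allowlist"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample outputs in `ss -tulpn` layout (not captured from a host).
CLEAN_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    [::]:22           [::]:*        users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      4096   *:443             *:*           users:(("dockerd",pid=1201,fd=30))
tcp   LISTEN 0      4096   *:80              *:*           users:(("dockerd",pid=1201,fd=28))
udp   UNCONN 0      0      0.0.0.0:3478      0.0.0.0:*     users:(("turnserver",pid=1410,fd=20))
udp   UNCONN 0      0      0.0.0.0:49171     0.0.0.0:*     users:(("turnserver",pid=1410,fd=33))
tcp   LISTEN 0      244    127.0.0.1:5432    0.0.0.0:*     users:(("postgres",pid=1500,fd=6))'

# Same host, but MinIO published on 9000 and PostgreSQL bound to all interfaces.
LEAKY_SAMPLE="$CLEAN_SAMPLE
tcp   LISTEN 0      4096   *:9000            *:*           users:((\"dockerd\",pid=1201,fd=41))
tcp   LISTEN 0      244    0.0.0.0:5432      0.0.0.0:*     users:((\"postgres\",pid=1500,fd=6))"

echo "== clean sample =="; printf '%s\n' "$CLEAN_SAMPLE" | check_listeners
echo "== leaky sample =="; printf '%s\n' "$LEAKY_SAMPLE" | check_listeners || echo "(exposed services found)"
```

A listener reported by dockerd on a port that is not in the table means a stack file has a ports: entry that should have been dropped in favour of the reverse proxy's internal network.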

5. TLS & Certificates

  • Certificates issued via Let's Encrypt
  • Automatic renewal configured
  • Certbot logs monitored
  • No expired certificates

Verify:

sudo certbot certificates
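certbot certificates prints the expiry date, but "no expired certificates" is only half the check: a certificate with fewer than 30 days left means the renewal timer has already missed a run, because certbot renews once a certificate is inside that window. The script below is an added example, not part of this page or of certbot: it turns the notAfter date printed by openssl x509 -noout -enddate into days remaining and classifies it as OK, RENEW or EXPIRED with a matching exit status. It assumes GNU date (as on Ubuntu) and certbot's default 30-day renewal window; the reference time and date in the demo are constructed values.

```shell
#!/bin/sh
# Added example: compute certificate time-to-expiry from the notAfter date that
# `openssl x509 -noout -enddate` prints, and classify it. Not from the wiki.
# Assumptions: GNU date (Ubuntu) and certbot's default renewal window.
#
# On the server (after sourcing this file):
#   cert_file_status /etc/letsencrypt/live/<domain>/fullchain.pem

RENEW_DAYS=30   # certbot renews below this; being under it means the timer failed

# cert_days_left "NOTAFTER" [NOW_EPOCH]
# NOTAFTER like "Mar  3 10:15:00 2026 GMT"; NOW_EPOCH defaults to now.
# Prints whole days remaining, rounded down (negative once expired).
cert_days_left() {
    end=$(date -u -d "$1" +%s)
    now=${2:-$(date +%s)}
    diff=$((end - now))
    if [ "$diff" -ge 0 ]; then
        echo $((diff / 86400))
    else
        echo $(( 0 - (86399 - diff) / 86400 ))   # floor for negative values
    fi
}

# cert_status "NOTAFTER" [NOW_EPOCH]: prints OK / RENEW / EXPIRED and returns
# 0 / 1 / 2 so it can drive an alert from cron.
cert_status() {
    d=$(cert_days_left "$1" "$2")
    if [ "$d" -lt 0 ]; then
        echo "EXPIRED $(( 0 - d )) day(s) ago"
        return 2
    elif [ "$d" -lt "$RENEW_DAYS" ]; then
        echo "RENEW ($d days left, inside the ${RENEW_DAYS}-day renewal window: check the certbot timer)"
        return 1
    fi
    echo "OK ($d days left)"
}

# cert_file_status FILE: same check for a certificate on disk.
cert_file_status() {
    notafter=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    if status=$(cert_status "$notafter"); then rc=0; else rc=$?; fi
    echo "$1: $status"
    return $rc
}

# Constructed demo values: reference time 2029-12-02 00:00:00 UTC and a
# certificate expiring 30 days later.
SAMPLE_NOW=1890864000
SAMPLE_NOTAFTER='Jan  1 00:00:00 2030 GMT'
echo "sample cert: $(cert_status "$SAMPLE_NOTAFTER" "$SAMPLE_NOW")"
```

Pair this with sudo certbot renew --dry-run, which exercises the whole renewal path (HTTP-01 challenge over port 80 included) without issuing a certificate.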

6. TURN Security

  • use-auth-secret enabled, with static-auth-secret set to a long random value and the same secret configured on the application side
  • No anonymous relay allowed (no-auth must not be set)
  • Restricted port range
  • Firewall rules applied
  • coturn service enabled at boot

Verify:

sudo systemctl status coturn
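systemctl status only tells you that coturn is running, not that it is running with the settings in this list. The script below is an added example (not part of this page or of coturn) that reads a turnserver.conf and checks each item: no-auth absent, use-auth-secret present, a static-auth-secret of reasonable length, and a min-port/max-port range that matches the firewall table. The 32-character minimum, the relay range and the two sample configurations are assumptions for the example; the secret in the sample is a placeholder.

```shell
#!/bin/sh
# Added example: check a turnserver.conf against the TURN items in section 6.
# Not from the wiki; the relay range, the 32-character minimum for the secret
# and the sample files are assumptions.
#
# On the server (after sourcing this file):  check_turn_conf /etc/turnserver.conf

RELAY_MIN=49160
RELAY_MAX=49200

# conf_has FILE KEY: true if KEY appears as an uncommented option (with or
# without a value). conf_get FILE KEY: print the value of the first KEY=value.
conf_has() { grep -qE '^[[:space:]]*'"$2"'([[:space:]]*=|[[:space:]]*$)' "$1"; }
conf_get() { sed -nE 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1; }

# check_turn_conf FILE: prints OK/FAIL per item, returns 1 on any FAIL.
check_turn_conf() {
    f=$1
    rc=0
    if conf_has "$f" no-auth; then
        echo "FAIL no-auth is set: anyone can relay traffic through this server"; rc=1
    else
        echo "OK   anonymous relay disabled"
    fi
    if conf_has "$f" use-auth-secret; then
        echo "OK   use-auth-secret (time-limited credentials)"
    else
        echo "FAIL use-auth-secret missing"; rc=1
    fi
    secret=$(conf_get "$f" static-auth-secret)
    if [ "${#secret}" -ge 32 ]; then
        echo "OK   static-auth-secret set (${#secret} chars)"
    else
        echo "FAIL static-auth-secret missing or shorter than 32 chars"; rc=1
    fi
    minp=$(conf_get "$f" min-port)
    maxp=$(conf_get "$f" max-port)
    if [ "$minp" = "$RELAY_MIN" ] && [ "$maxp" = "$RELAY_MAX" ]; then
        echo "OK   relay range $minp-$maxp matches the firewall rule"
    else
        echo "FAIL relay range ${minp:-unset}-${maxp:-unset} does not match firewall ${RELAY_MIN}-${RELAY_MAX}"; rc=1
    fi
    return $rc
}

# Constructed sample configurations in a temp dir (not the project's file).
TC=$(mktemp -d)
trap 'rm -rf "$TC"' EXIT
cat > "$TC/good.conf" <<'EOF'
# constructed sample; the secret is a placeholder (generate one with: openssl rand -hex 32)
listening-port=3478
realm=turn.example.com
use-auth-secret
static-auth-secret=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
min-port=49160
max-port=49200
fingerprint
no-tcp-relay
no-cli
EOF
cat > "$TC/bad.conf" <<'EOF'
# constructed sample: anonymous relay left enabled, port range not the firewalled one
listening-port=3478
realm=turn.example.com
no-auth
min-port=10000
max-port=20000
EOF

for c in "$TC/good.conf" "$TC/bad.conf"; do
    echo "== $(basename "$c") =="
    check_turn_conf "$c" || echo "(not compliant)"
done
```

A relay range that does not match the firewall rule fails in a quiet way: calls connect but media is dropped for some users, which looks like a network problem rather than a configuration one.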

7. Application Security

Forgejo

  • Open registration disabled (DISABLE_REGISTRATION = true in the [service] section of app.ini)
  • Admin accounts limited
  • Repository visibility reviewed

Mattermost

  • Open registration disabled (TeamSettings.EnableOpenServer set to false)
  • File storage secured
  • TURN properly configured

8. Backup Integrity

  • PostgreSQL backups tested
  • Volume backups tested
  • Secrets backed up
  • Offsite storage confirmed
  • Restore procedure documented and tested

Test restore at least once per quarter.

Backups not tested are not valid backups.
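A restore test into a scratch database is the only real proof, but it is run quarterly; in between, a cheap daily check catches the common silent failures (the job stopped running, the file is empty or not a pg_dump archive, the bytes changed since they were written). The script below is an added example, not part of this page or of the project's backup scripts. It assumes pg_dump custom-format archives (-Fc, which begin with the bytes PGDMP), a sha256 sidecar written with sha256sum FILE > FILE.sha256 at backup time, and GNU coreutils/find; the three sample archives are constructed fakes.

```shell
#!/bin/sh
# Added example: sanity-check a PostgreSQL dump before trusting it. Not from
# the wiki. Assumptions: pg_dump custom-format archives (-Fc, start with
# "PGDMP"), a sha256 sidecar produced at backup time, GNU coreutils/find.
#
# On the server (after sourcing this file):
#   verify_backup /var/backups/pg/forgejo-$(date +%F).dump 26

# verify_backup FILE [MAX_AGE_HOURS]: checks presence, format, freshness and
# checksum; prints OK/FAIL lines and returns 1 if anything fails.
verify_backup() {
    f=$1
    max_h=${2:-26}                     # daily job plus slack
    rc=0
    if [ ! -s "$f" ]; then
        echo "FAIL $f is missing or empty"
        return 1
    fi
    if [ "$(head -c 5 "$f")" = "PGDMP" ]; then
        echo "OK   pg_dump custom-format archive"
    else
        echo "FAIL $f is not a pg_dump custom-format archive"
        rc=1
    fi
    if [ -n "$(find "$f" -mmin "-$((max_h * 60))")" ]; then
        echo "OK   written within the last ${max_h}h"
    else
        echo "FAIL older than ${max_h}h: the backup job is not running"
        rc=1
    fi
    if [ -f "$f.sha256" ] && (cd "$(dirname "$f")" && sha256sum -c --status "$(basename "$f").sha256"); then
        echo "OK   checksum matches sidecar"
    else
        echo "FAIL checksum missing or mismatched (corrupted or tampered)"
        rc=1
    fi
    return $rc
}

# Constructed sample archives in a temp dir: fake bodies, real checksums.
BK=$(mktemp -d)
trap 'rm -rf "$BK"' EXIT
make_dump() {   # make_dump PATH BODY: write the file and its sha256 sidecar
    printf '%s' "$2" > "$1"
    (cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sha256")
}
GOOD_DUMP=$BK/forgejo-2026-02-26.dump
make_dump "$GOOD_DUMP" 'PGDMP fake archive body'
TAMPERED_DUMP=$BK/mattermost-2026-02-26.dump
make_dump "$TAMPERED_DUMP" 'PGDMP original body'
printf '%s' 'PGDMP modified body' > "$TAMPERED_DUMP"     # changed after the checksum
STALE_DUMP=$BK/forgejo-2025-01-01.dump
make_dump "$STALE_DUMP" 'PGDMP old archive body'
touch -t 202501010300 "$STALE_DUMP"                       # backdate the mtime

for d in "$GOOD_DUMP" "$TAMPERED_DUMP" "$STALE_DUMP"; do
    echo "== $(basename "$d") =="
    verify_backup "$d" || echo "(not a valid backup)"
done
```

The checksum step only proves the file is what the backup job wrote; it says nothing about whether pg_dump produced a complete archive, which is what the quarterly restore test is for.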


9. System Updates

  • Ubuntu updated
  • Docker updated
  • Images updated regularly
  • Unused images removed
  • Old containers cleaned

Verify:

sudo apt update && sudo apt list --upgradable
sudo docker image ls

10. Monitoring & Logs

  • Docker logs not growing indefinitely
  • Log rotation configured (for the json-file driver: max-size and max-file under log-opts in /etc/docker/daemon.json; the setting only applies to containers created after the daemon is restarted)
  • Disk usage monitored
  • Fail2ban banning malicious IPs
  • Journal logs reviewed periodically

Check disk usage:

df -h

11. Final Production Validation

Before considering the server production-ready:

  • SSH hardened
  • Swarm initialized
  • Secrets configured
  • Stacks deployed
  • Reverse proxy functional
  • HTTPS enforced
  • TURN operational
  • Backups configured
  • Recovery tested

Infrastructure security status:
☐ Needs review
☐ Partially compliant
☐ Production-ready