@poolzin/pool-bot 2026.4.32 → 2026.4.34

package/docs/security/vps-hardening.md

@@ -0,0 +1,309 @@
+# VPS Security Hardening Guide
+
+## Security Measures Applied (Gentle - Non-Breaking)
+
+### 1. fail2ban
+**Status:** ✅ Active
+
+**Configuration:**
+- 5 failed login attempts = 1 hour ban
+- Monitors SSH only
+- Does NOT block legitimate users
+
+**Check status:**
+```bash
+fail2ban-client status sshd
+```
+
+**Unban an IP:**
+```bash
+fail2ban-client set sshd unbanip <IP>
+```
+
+---
+
+### 2. UFW Rate Limit (SSH)
+**Status:** ✅ Active
+
+**Configuration:**
+- SSH (port 22) rate limited per IP
+- Allows normal connections
+- Blocks aggressive connection attempts
+
+**Check status:**
+```bash
+ufw status | grep 22
+```
+
+---
+
+### 3. SSH Hardening
+**Status:** ✅ Active
+
+**Configuration:**
+- `LoginGraceTime 60` — Disconnect after 60s without auth
+- `MaxAuthTries 6` — 6 password attempts per connection
+- `ClientAliveInterval 300` — Keep-alive every 5 min
+- `ClientAliveCountMax 2` — Disconnect after 2 missed keep-alives
+
+**What's NOT changed:**
+- `PermitRootLogin yes` — Root login still allowed
+- `PasswordAuthentication yes` — Password auth still enabled
+
+**Check config:**
+```bash
+grep -E 'LoginGraceTime|MaxAuthTries' /etc/ssh/sshd_config
+```
+
+---
+
+### 4. Honeypot (endlessh)
+**Status:** ✅ Active on port 2222
+
+**What it does:**
+- Simulates an SSH server on port 2222
+- Traps bots that scan for SSH on non-standard ports
+- Logs attacker IPs and commands
+- Does NOT affect real SSH (port 22)
+
+**Check status:**
+```bash
+systemctl is-active endlessh
+```
+
+**View honeypot logs:**
+```bash
+journalctl -u endlessh -f
+# Or check /var/log/endlessh.log
+```
+
+**How it works:**
+- Real SSH: port 22
+- Honeypot: port 2222
+- Bots scanning port 2222 get trapped and logged
+- You connect to port 22 (unaffected)
+
+---
+
+### 5. Port 9999 (glance API)
+**Status:** ✅ Identified as legitimate
+
+**What it is:**
+- PoolBot skill: `/root/pool/skills/glance/api/ecosystem-api.py`
+- Used by PoolBot for glance functionality
+- NOT a security risk
+
+**No action needed.**
+
+---
+
+## How PoolBot Uses Security Features
+
+### security-audit Skill
+
+**What it does:**
+- Runs daily security audit
+- Checks for:
+  - Failed login attempts
+  - Suspicious processes
+  - Open ports
+  - SSL certificate expiry
+  - System updates
+
+**Manual trigger:**
+```bash
+poolbot message send "Run security audit"
+```
+
+**Output:**
+- Security score (0-100)
+- List of issues found
+- Recommended actions
+
+---
+
+### self-healing Skill
+
+**What it does:**
+- Automatically fixes common issues
+- Restarts failed services
+- Clears stuck processes
+- Recovers from errors
+
+**Manual trigger:**
+```bash
+poolbot message send "Self-heal the system"
+```
+
+---
+
+### Fail2ban Monitoring via PoolBot
+
+**Ask PoolBot:**
+```bash
+poolbot message send "How many failed login attempts?"
+poolbot message send "Show me banned IPs"
+poolbot message send "Unban IP 1.2.3.4"
+```
+
+---
+
+### Honeypot Monitoring via PoolBot
+
+**Ask PoolBot:**
+```bash
+poolbot message send "Show honeypot activity"
+poolbot message send "How many bots tried to connect?"
+poolbot message send "Show recent attacker IPs"
+```
+
+---
+
+## Security Commands Reference
+
+### fail2ban
+```bash
+# Status
+fail2ban-client status
+fail2ban-client status sshd
+
+# Unban IP
+fail2ban-client set sshd unbanip <IP>
+
+# Restart
+systemctl restart fail2ban
+```
+
+### UFW
+```bash
+# Status
+ufw status
+
+# Add rate limit
+ufw limit 22/tcp
+
+# Allow specific IP
+ufw allow from 1.2.3.4 to any port 22
+```
+
+### SSH
+```bash
+# Check config
+sshd -t  # Test config validity
+
+# Reload
+systemctl reload ssh
+```
+
+### Honeypot
+```bash
+# Status
+systemctl is-active endlessh
+
+# Logs
+journalctl -u endlessh -f
+cat /var/log/endlessh.log
+```
+
+---
+
+## What Was NOT Changed (By Design)
+
+| Setting | Value | Why |
+|---------|-------|-----|
+| `PermitRootLogin` | `yes` | You need root access |
+| `PasswordAuthentication` | `yes` | You use password auth |
+| PostgreSQL `listen_addresses` | `*` | Your APIs need external access |
+| Port 9999 | Open | glance API (legitimate PoolBot skill) |
+
+---
+
+## Security Score
+
+| Measure | Status | Protection Level |
+|---------|--------|-----------------|
+| fail2ban | ✅ Active | High (blocks brute force) |
+| UFW rate limit | ✅ Active | Medium (slows attacks) |
+| SSH hardening | ✅ Active | Medium (reduces attack window) |
+| Honeypot | ✅ Active | Low (detection only) |
+| security-audit | ✅ Available | Medium (daily checks) |
+
+**Overall: Good baseline security without breaking workflow.**
+
+---
+
+## Troubleshooting
+
+### "I got locked out!"
+**Unlikely, but if it happens:**
+
+1. Wait 1 hour (fail2ban ban expires)
+2. Or access via Tailscale (bypasses fail2ban)
+3. Or console access (VPS provider)
+
+**To prevent:**
+- Use Tailscale for primary access
+- Keep your IP whitelisted if needed
+
+### "SSH is slow"
+**Check if fail2ban is blocking you:**
+```bash
+fail2ban-client status sshd
+```
+
+**If your IP is listed:**
+```bash
+fail2ban-client set sshd unbanip <YOUR_IP>
+```
+
+### "Honeypot not working"
+```bash
+# Check status
+systemctl is-active endlessh
+
+# Check logs
+journalctl -u endlessh -n 50
+
+# Restart
+systemctl restart endlessh
+```
+
+---
+
+## Next Steps (Optional)
+
+1. **Enable unattended-upgrades** — Auto security patches
+2. **Configure PostgreSQL backups** — Protect API data
+3. **Add PoolBot security alerts** — Telegram notifications for suspicious activity
+4. **Whitelist your IP** — Extra protection for SSH
+
+---
+
+## Summary
+
+✅ **fail2ban** — Blocks brute force after 5 failures
+✅ **UFW rate limit** — Slows down connection floods
+✅ **SSH hardening** — Reduces attack window
+✅ **Honeypot** — Detects and logs attackers
+✅ **security-audit skill** — Daily automated audits
+✅ **self-healing skill** — Auto-fix common issues
+
+❌ **Nothing broken** — SSH password auth still works, PostgreSQL still accessible, root login still allowed
+
+**Security improved without breaking your workflow.**
+
+---
+
+## Honeypot Note
+
+**endlessh runs in manual mode** (systemd service has namespace issues).
+
+**To restart after reboot:**
+```bash
+nohup endlessh -p 2222 > /var/log/endlessh.log 2>&1 &
+```
+
+**Or add to crontab @reboot:**
+```bash
+echo '@reboot nohup endlessh -p 2222 > /var/log/endlessh.log 2>&1 &' | crontab -
+```

package/docs/skills/vps-security.md

@@ -0,0 +1,140 @@
+# VPS Security Monitoring Skill
+
+## Overview
+
+Monitors and manages VPS security features including fail2ban, UFW firewall, SSH hardening, and honeypot.
+
+## Capabilities
+
+- **fail2ban monitoring** — Check banned IPs, failed attempts, unban IPs
+- **UFW status** — Check firewall rules and rate limits
+- **SSH hardening** — Verify SSH security configuration
+- **Honeypot monitoring** — Check endlessh activity and attacker logs
+- **Security reports** — Generate security status reports
+
+## Usage
+
+### Check Security Status
+
+```
+Check VPS security status
+Show fail2ban status
+How many failed login attempts?
+Show banned IPs
+```
+
+### Manage fail2ban
+
+```
+Unban IP 1.2.3.4
+Restart fail2ban
+Show fail2ban logs
+```
+
+### Check Firewall
+
+```
+Show UFW status
+Check SSH rate limit
+Show firewall rules
+```
+
+### Honeypot Monitoring
+
+```
+Show honeypot activity
+How many bots tried to connect?
+Show recent attacker IPs
+Check endlessh status
+```
+
+### Security Reports
+
+```
+Generate security report
+Daily security summary
+```
+
+## Commands
+
+### `vps_security status`
+
+Returns overall security status including:
+- fail2ban status (active/inactive, banned count)
+- UFW status (active/inactive, rate limits)
+- SSH hardening (LoginGraceTime, MaxAuthTries)
+- Honeypot status (active/inactive, port)
+
+### `vps_security fail2ban`
+
+Returns fail2ban details:
+- Currently failed attempts
+- Total failed attempts
+- Currently banned IPs
+- Total banned IPs
+- Banned IP list
+
+### `vps_security unban <ip>`
+
+Unbans a specific IP address from fail2ban.
+
+### `vps_security ufw`
+
+Returns UFW firewall status:
+- Active/inactive
+- Rules list
+- Rate limits
+
+### `vps_security ssh`
+
+Returns SSH hardening status:
+- LoginGraceTime
+- MaxAuthTries
+- PermitRootLogin
+- PasswordAuthentication
+
+### `vps_security honeypot`
+
+Returns honeypot (endlessh) status:
+- Active/inactive
+- Port (default: 2222)
+- Recent activity count
+
+### `vps_security report`
+
+Generates comprehensive security report with:
+- Overall security score (0-100)
+- Active measures
+- Recommendations
+- Recent activity summary
+
+## Implementation Notes
+
+- All commands execute via SSH to the VPS
+- Requires SSH access configured in PoolBot
+- Output is formatted for Telegram/Discord/Slack delivery
+- Security score calculation:
+  - fail2ban active: +25 points
+  - UFW active: +25 points
+  - SSH hardening: +25 points
+  - Honeypot active: +15 points
+  - No critical issues: +10 points
+
+## Security Considerations
+
+- Only authorized users should access security commands
+- Unban commands should be logged
+- Security reports should not expose sensitive data
+- Consider adding authentication for security commands
+
+## Related Skills
+
+- `security-audit` — Automated daily security audits
+- `self-healing` — Automatic issue recovery
+- `vps-api` — VPS management API
+
+## Files
+
+- Skill: `/root/pool/skills/vps-security/SKILL.md`
+- Scripts: `/root/pool/skills/vps-security/scripts/`
+- Logs: `/var/log/fail2ban.log`, `/var/log/endlessh.log`

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@poolzin/pool-bot",
-  "version": "2026.4.32",
+  "version": "2026.4.34",
   "description": "🎱 Pool Bot - AI assistant with PLCODE integrations",
   "keywords": [],
   "license": "MIT",