{"id":2583,"date":"2026-03-25T15:28:37","date_gmt":"2026-03-25T15:28:37","guid":{"rendered":"https:\/\/www.mayit.eu\/?page_id=2583"},"modified":"2026-03-28T23:00:36","modified_gmt":"2026-03-28T23:00:36","slug":"debian12hard","status":"publish","type":"page","link":"https:\/\/www.mayit.eu\/en\/debian12hard\/","title":{"rendered":"Debian12Hard"},"content":{"rendered":"\n<!DOCTYPE html>\n\n<html lang=\"de\">\n<head>\n<meta charset=\"utf-8\"\/>\n<meta content=\"width=device-width,initial-scale=1\" name=\"viewport\"\/>\n<title>Projektdokumentation \u2013 Debian 12 YunoHost H\u00e4rtung, Monitoring, Backup &amp; MaxSecurity<\/title>\n<meta content=\"MayIT\" name=\"author\"\/>\n<meta content=\"Projektdokumentation der Debian-12\/YunoHost-Serverh\u00e4rtung mit Monitoring, Backup, Restore, Hardening, Security und Betriebsdokumentation.\" name=\"description\"\/>\n<style>\n    :root{\n      --bg:#0b0f14; --panel:#111827; --panel2:#0f172a;\n      --text:#e5e7eb; --muted:#9ca3af;\n      --accent:#60a5fa; --accent2:#34d399; --warn:#f59e0b; --danger:#fb7185; --ok:#22c55e;\n      --border:#1f2937; --codeborder:#1d2a3a;\n      --shadow: 0 10px 30px rgba(0,0,0,.35);\n      --radius: 16px;\n      --mono: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, \"Liberation Mono\", \"Courier New\", monospace;\n      --sans: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Ubuntu, Cantarell, Noto Sans, Arial, \"Apple Color Emoji\",\"Segoe UI Emoji\";\n    }\n    *{box-sizing:border-box}\n    html{scroll-behavior:smooth}\n    body{\n      margin:0; font-family:var(--sans);\n      background:\n        radial-gradient(1200px 600px at 10% -10%, rgba(96,165,250,.18), transparent 55%),\n        radial-gradient(900px 500px at 80% 0%, rgba(52,211,153,.10), transparent 50%),\n        var(--bg);\n      color:var(--text);\n    }\n    a{color:var(--accent); text-decoration:none}\n    a:hover{text-decoration:underline}\n    .layout{display:flex; min-height:100vh}\n    .toc{\n      
position:sticky; top:0; height:100vh; width:360px; min-width:300px;\n      padding:22px 18px;\n      background:linear-gradient(180deg, rgba(17,24,39,.92), rgba(15,23,42,.92));\n      border-right:1px solid var(--border); overflow:auto; backdrop-filter: blur(8px);\n    }\n    .brand{\n      display:flex; gap:10px; align-items:center;\n      padding:10px 10px 14px; border:1px solid var(--border);\n      border-radius:14px; background:rgba(11,18,32,.65); box-shadow:var(--shadow);\n      margin-bottom:14px;\n    }\n    .logo{\n      width:38px; height:38px; border-radius:12px;\n      background:linear-gradient(135deg, rgba(96,165,250,.95), rgba(52,211,153,.95));\n      display:flex; align-items:center; justify-content:center;\n      color:#06101c; font-weight:900;\n    }\n    .brand h1{font-size:14px; margin:0}\n    .brand .sub{font-size:12px; color:var(--muted); margin-top:2px}\n    .pill{\n      display:inline-flex; align-items:center; gap:8px;\n      font-size:12px; color:var(--muted);\n      padding:10px 12px; border:1px solid var(--border);\n      border-radius:999px; background:rgba(11,18,32,.55);\n      margin:10px 8px 0;\n    }\n    .pill b{color:var(--text)}\n    .toc h2{font-size:12px; margin:14px 10px 8px; color:var(--muted); letter-spacing:.08em; text-transform:uppercase}\n    .toc ul{list-style:none; margin:0; padding:0 6px 14px}\n    .toc li{margin:6px 0}\n    .toc a{\n      display:block; padding:8px 10px; border-radius:12px;\n      color:var(--text); border:1px solid transparent;\n    }\n    .toc a:hover{border-color:rgba(96,165,250,.35); background:rgba(96,165,250,.10); text-decoration:none}\n    .main{flex:1; padding:28px 26px 80px}\n    .container{max-width:1120px; margin:0 auto}\n    .hero{\n      padding:22px; border-radius: var(--radius);\n      background: linear-gradient(180deg, rgba(17,24,39,.55), rgba(15,23,42,.35));\n      border:1px solid var(--border); box-shadow: var(--shadow);\n    }\n    .hero h1{font-size:28px; margin:0 0 8px}\n    
.hero .meta{display:flex; flex-wrap:wrap; gap:10px; margin-top:12px}\n    .tag{\n      font-size:12px; color:var(--text);\n      padding:8px 12px; border-radius:999px;\n      border:1px solid var(--border); background:rgba(11,18,32,.55);\n    }\n    section{margin-top:18px}\n    .card{\n      padding:18px; border-radius: var(--radius);\n      border:1px solid var(--border);\n      background: rgba(11,18,32,.55);\n      box-shadow: var(--shadow);\n    }\n    .card h3{margin:0 0 10px; font-size:18px}\n    .muted{color:var(--muted)}\n    .small{font-size:12px}\n    .note, .warn, .danger, .ok{\n      border-radius:14px; padding:12px 14px; border:1px solid var(--border);\n      background: rgba(96,165,250,.08);\n    }\n    .warn{background: rgba(245,158,11,.10); border-color: rgba(245,158,11,.25)}\n    .danger{background: rgba(251,113,133,.10); border-color: rgba(251,113,133,.25)}\n    .ok{background: rgba(34,197,94,.10); border-color: rgba(34,197,94,.25)}\n    .hr{height:1px; background:var(--border); margin:14px 0}\n    .grid{display:grid; gap:14px}\n    @media (min-width: 980px){\n      .grid.cols2{grid-template-columns: 1fr 1fr}\n      .grid.cols3{grid-template-columns: 1fr 1fr 1fr}\n    }\n    table{width:100%; border-collapse:separate; border-spacing:0; overflow:hidden; border-radius:14px; border:1px solid var(--border)}\n    th, td{padding:10px; border-bottom:1px solid var(--border); vertical-align:top}\n    th{background:rgba(17,24,39,.55); text-align:left; font-size:12px; text-transform:uppercase; letter-spacing:.08em; color:var(--muted)}\n    tr:last-child td{border-bottom:none}\n    .codewrap{position:relative; margin-top:10px}\n    pre{\n      margin:0; padding:14px; overflow:auto; border-radius:14px;\n      background:linear-gradient(180deg, rgba(10,15,26,.95), rgba(10,15,26,.85));\n      border:1px solid var(--codeborder); color:var(--text);\n      font-family: var(--mono); font-size:12.8px; line-height:1.45;\n    }\n    .copybtn{\n      position:absolute; 
top:10px; right:10px;\n      border:1px solid var(--border); background:rgba(15,23,42,.70);\n      color:var(--text); padding:8px 10px; border-radius:12px;\n      cursor:pointer; font-size:12px; display:flex; align-items:center; gap:8px;\n    }\n    .copybtn:hover{border-color:rgba(96,165,250,.40); background:rgba(96,165,250,.12)}\n    .copybtn .dot{width:8px; height:8px; border-radius:99px; background:var(--accent)}\n    .kbd{display:inline-block; padding:2px 8px; border-radius:10px; border:1px solid var(--border); background:rgba(15,23,42,.55); font-family:var(--mono); font-size:12px}\n    .badge{display:inline-flex; align-items:center; gap:8px; padding:8px 10px; border-radius:999px; border:1px solid var(--border); background:rgba(15,23,42,.35); font-size:12px}\n    .badge .b{width:8px;height:8px;border-radius:99px;background:var(--accent2)}\n    .footer{\n      margin-top:18px; padding:16px 18px; border-radius: var(--radius);\n      border:1px solid var(--border); background:rgba(11,18,32,.45); color:var(--muted)\n    }\n    .footer b{color:var(--text)}\n    details{\n      border:1px solid var(--border); border-radius:14px; padding:10px 12px; background:rgba(15,23,42,.25)\n    }\n    summary{cursor:pointer; color:var(--text); font-weight:700}\n    details p, details ul{color:var(--muted)}\n    .print-only{display:none}\n    @media print{\n      body{background:#fff; color:#000}\n      .layout{display:block}\n      .toc{display:none}\n      .hero, .card, .footer, details{box-shadow:none; background:#fff; border:1px solid #ddd}\n      pre{background:#f7f7f7; color:#000; border:1px solid #ddd}\n      .copybtn{display:none}\n      a{color:#000; text-decoration:underline}\n      .print-only{display:block}\n    }\n  \n.grid.cols2 > .note, .grid.cols2 > div{min-width:0}\nsection.card h4{margin:12px 0 8px;font-size:15px}\nsection.card h3 + .muted{margin-top:6px}\nsection.card ul, section.card ol{color:var(--muted)}\nsection.card li{margin:4px 0}\nsection.card 
code{display:inline-block; padding:2px 6px; border-radius:8px; border:1px solid var(--border); background:rgba(15,23,42,.55); font-family:var(--mono); font-size:12px}\n<\/style>\n<\/head>\n<body>\n<div class=\"layout\">\n<aside class=\"toc\">\n<div class=\"brand\">\n<div class=\"logo\">M<\/div>\n<div>\n<h1>Projektdokumentation<\/h1>\n<div class=\"sub\">Hardening \u2022 Monitoring \u2022 Backup \u2022 Autor: <b>MayIT<\/b><\/div>\n<\/div>\n<\/div>\n<div class=\"pill\"><b>Ziel:<\/b> Vollst\u00e4ndige Dokumentation der Debian 12 \/ YunoHost H\u00e4rtung<\/div>\n<h2>Navigation<\/h2>\n<ul><li><a href=\"#scope\">1. Scope, Annahmen, Grundregeln<\/a><\/li><li><a href=\"#baseline\">2. Baseline-Checks (vor jeder \u00c4nderung)<\/a><\/li><li><a href=\"#hardening-start\">3. Beginn der H\u00e4rtungsphase (Kontext &amp; Ausl\u00f6ser)<\/a><\/li><li><a href=\"#storage\">4. Speicher &amp; I\/O stabilisieren (Root-FS, WordPress Backups)<\/a><\/li><li><a href=\"#swap\">5. Swap aktivieren (Stabilit\u00e4t bei Lastspitzen)<\/a><\/li><li><a href=\"#repos\">6. APT\/Repository-H\u00e4rtung (Stabilit\u00e4t statt Paketmix)<\/a><\/li><li><a href=\"#redis\">7. Redis (Cache + Locking) \u2013 Nextcloud stabilisieren<\/a><\/li><li><a href=\"#db\">8. MariaDB \u2013 Performance &amp; I\/O reduzieren<\/a><\/li><li><a href=\"#phpfpm\">9. PHP-FPM \u2013 Prozesslimits f\u00fcr 2 GB RAM<\/a><\/li><li><a href=\"#fail2ban\">10. Fail2Ban \u2013 Bruteforce &amp; App-Schutz<\/a><\/li><li><a href=\"#nginx\">11. Nginx \u2013 Rate Limiting (DoS\/Bot-Schutz) &amp; Best Practices<\/a><\/li><li><a href=\"#kernel\">12. Kernel Hardening (sysctl)<\/a><\/li><li><a href=\"#monitoring\">13. Monitoring mit E-Mail Alarmierung<\/a><\/li><li><a href=\"#backup\">14. Backup-Konzept (professionell) + Restore-Plan<\/a><\/li><li><a href=\"#architecture\">15. Architektur-Upgrade-Plan (Roadmap)<\/a><\/li><li><a href=\"#maxsecurity\">16. Max-Security Checkliste<\/a><\/li><li><a href=\"#operations\">17. 
Betriebsprozesse (Wartung, Updates, Notfall)<\/a><\/li><li><a href=\"#rollback\">18. Rollback-Strategie<\/a><\/li><li><a href=\"#appendix\">19. Appendix \u2013 N\u00fctzliche Befehle<\/a><\/li><\/ul>\n<h2>Quick Links<\/h2>\n<ul><li><a href=\"#baseline\">2. Baseline-Checks (vor jeder \u00c4nderung)<\/a><\/li><li><a href=\"#monitoring\">13. Monitoring mit E-Mail Alarmierung<\/a><\/li><li><a href=\"#backup\">14. Backup-Konzept (professionell) + Restore-Plan<\/a><\/li><li><a href=\"#appendix\">19. Appendix \u2013 N\u00fctzliche Befehle<\/a><\/li><\/ul>\n<div class=\"footer small\">\n<div><b>Stand:<\/b> 2026-03-23<\/div>\n<div class=\"hr\"><\/div>\n<div>Dokument: HTML \u2022 Enterprise Layout \u2022 MayIT Style<\/div>\n<\/div>\n<\/aside>\n<main class=\"main\">\n<div class=\"container\"><div class=\"hero\"><h1>Server-H\u00e4rtung &amp; Betrieb (Max-Security): Debian 12 + YunoHost + Nextcloud + WordPress + Mail<\/h1><div class=\"muted\">Ziel: Dieser Leitfaden dokumentiert die vollst\u00e4ndige H\u00e4rtung und den professionellen Betrieb ab Beginn der H\u00e4rtungsphase (inkl. 
Monitoring, Architektur, Backup und Max-Security).\n      Alle Ma\u00dfnahmen sind f\u00fcr ein produktives VPS-Setup optimiert und bewusst ressourcenschonend gehalten.<\/div><div class=\"meta\"><span class=\"tag\">\ud83e\uddf1 Max-Security Hardening<\/span><span class=\"tag\">\ud83d\udcc8 Monitoring + E-Mail Alerts<\/span><span class=\"tag\">\ud83d\udcbe Backup-Konzept + Restore-Plan<\/span><span class=\"tag\">\ud83c\udfd7\ufe0f Architektur-Upgrade-Plan<\/span><\/div><\/div><section class=\"card\" id=\"overview\"><h3>Projekt\u00fcberblick<\/h3><div class=\"grid cols2\"><div class=\"note\"><b>Was wurde stabilisiert<\/b><br\/>I\/O-Spitzen durch lokale WordPress-Backups beseitigt, Swap aktiviert, Repos konsolidiert, Redis + DB-Tuning, Rate-Limits, Kernel-Hardening, Alarmierung.<\/div><div class=\"note\"><b>Was dieses Runbook liefert<\/b><br\/>Schritt-f\u00fcr-Schritt Hardening, wiederholbare Checks, Rollback, Wartungsplan, Restore-Plan und eine saubere Ziel-Architektur inkl. Migrationspfad.<\/div><\/div><\/section><section class=\"card\" id=\"scope\"><h3>1. Scope, Annahmen, Grundregeln<\/h3><ul>\n<li><b>System:<\/b> Debian 12 (Bookworm), YunoHost 12.x, nginx, php-fpm (8.3), MariaDB, Redis, Fail2Ban<\/li>\n<li><b>Apps:<\/b> Nextcloud (Hub), WordPress, Mail-Stack (Postfix\/Dovecot)<\/li>\n<li><b>Pr\u00e4misse:<\/b> Stabilit\u00e4t auf 2-GB-VPS (keine \u201eHeavy-Suites\u201c, kein Overkill, aber maximale H\u00e4rtung mit vertretbarem Risiko)<\/li>\n<li><b>Grundregel:<\/b> \u00c4nderungen immer mit <code>nginx -t<\/code>\/<code>php-fpm8.3 -t<\/code> pr\u00fcfen, dann erst reload\/restart.<\/li>\n<\/ul><div class=\"warn\">\n<strong>Hinweis (YunoHost-Kompatibilit\u00e4t):<\/strong> Nginx\/SSOwat\/Nextcloud-Header und CSP nur YunoHost-konform anpassen. Zu aggressive CSP kann Nextcloud-Apps brechen.\n    <\/div><\/section><section class=\"card\" id=\"baseline\"><h3>2. 
Baseline-Checks (vor jeder \u00c4nderung)<\/h3><p class=\"muted\">Diese Checks geben dir in 60 Sekunden Klarheit, ob das System gesund ist.<\/p><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code1\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code1\">uptime\nfree -h\ndf -h\nsudo ss -tulpen | egrep ':22|:80|:443|:25|:587|:993|:53' || true\nsudo systemctl status nginx --no-pager\nsudo systemctl status php8.3-fpm --no-pager\nsudo systemctl status mariadb --no-pager\nsudo systemctl status redis-server --no-pager\nsudo fail2ban-client status<\/pre><\/div><\/section><section class=\"card\" id=\"hardening-start\"><h3>3. Beginn der H\u00e4rtungsphase (Kontext &amp; Ausl\u00f6ser)<\/h3><div class=\"note\">\n<strong>Ausl\u00f6ser:<\/strong> Instabilit\u00e4t\/Timeouts (Nextcloud\/YunoHost), \u201eZu viele Anfragen\u201c, sporadische Verbindungsabbr\u00fcche. Haupttreiber: lokale WordPress-Backups (BackWPup) erzeugten I\/O- und CPU-Spitzen, bei 2 GB RAM ohne Swap.\n    <\/div><ul>\n<li>Disk-Analyse zeigte gro\u00dfe Backup-Archive in <code>\/var\/www\/wordpress\/wp-content\/uploads\/backwpup<\/code>.<\/li>\n<li>Swap wurde eingef\u00fchrt, um Lastspitzen abzufedern.<\/li>\n<li>APT-Repo-Mix (Sury\/Yarn) wurde bereinigt, um Paketkonflikte zu verhindern.<\/li>\n<\/ul><\/section><section class=\"card\" id=\"storage\"><h3>4. 
Speicher &amp; I\/O stabilisieren (Root-FS, WordPress Backups)<\/h3><h3>4.1 Schnellanalyse: Wo liegt das Volumen?<\/h3><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code2\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code2\">sudo du -h --max-depth=1 \/var | sort -hr\nsudo du -h --max-depth=1 \/var\/www | sort -hr\nsudo du -h --max-depth=2 \/var\/www\/wordpress\/wp-content\/uploads | sort -hr | head -20<\/pre><\/div><h3>4.2 Ma\u00dfnahme: lokale WP-Backups vermeiden<\/h3><ul>\n<li><b>Ziel:<\/b> Keine Multi-GB ZIP-Backups lokal auf dem VPS behalten.<\/li>\n<li><b>Empfehlung:<\/b> BackWPup so konfigurieren, dass Backups <b>offsite<\/b> (S3\/FTP\/Storage) gehen und lokal nur 0\u20132 Rotationen verbleiben.<\/li>\n<\/ul><div class=\"warn\">\n<strong>Regel:<\/strong> Auf 2 GB RAM niemals \u201et\u00e4gliches Vollbackup lokal als ZIP\u201c dauerhaft laufen lassen. Das erzeugt exakt die beobachteten Timeouts\/Abbr\u00fcche.\n    <\/div><\/section><section class=\"card\" id=\"swap\"><h3>5. Swap aktivieren (Stabilit\u00e4t bei Lastspitzen)<\/h3><div class=\"ok\">\n<strong>Status:<\/strong> Swapfile 2 GB ist aktiv. Leichte Swap-Nutzung ist normal und erh\u00f6ht Stabilit\u00e4t.\n    <\/div><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code3\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code3\">sudo swapon --show\nfree -h\nls -lh \/swapfile\ngrep -n swapfile \/etc\/fstab || true<\/pre><\/div><h3>5.1 (Optional) Swappiness konservativ setzen<\/h3><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code4\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code4\">echo \"vm.swappiness=20\" | sudo tee -a \/etc\/sysctl.conf\nsudo sysctl -p | tail -n 20<\/pre><\/div><\/section><section class=\"card\" id=\"repos\"><h3>6. APT\/Repository-H\u00e4rtung (Stabilit\u00e4t statt Paketmix)<\/h3><div class=\"note\">\n<strong>Ziel:<\/strong> Repos so minimal wie m\u00f6glich halten. 
Jede zus\u00e4tzliche Quelle erh\u00f6ht das Risiko von Dependency-Br\u00fcchen.\n    <\/div><h3>6.1 Sury\/Yarn entfernt bzw. deaktiviert<\/h3><ul>\n<li>Sury-Repo: deaktiviert (404-Fehler, Versionsmix).<\/li>\n<li>Yarn-Repo: entfernt (NO_PUBKEY). Nicht notwendig f\u00fcr Betrieb.<\/li>\n<\/ul><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code5\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code5\">grep -R \"sury\" -n \/etc\/apt\/sources.list \/etc\/apt\/sources.list.d\/* || true\nls -1 \/etc\/apt\/sources.list.d\nsudo apt update\nsudo apt -f install -y\nsudo apt autoremove --purge -y\nsudo apt autoclean<\/pre><\/div><\/section><section class=\"card\" id=\"redis\"><h3>7. Redis (Cache + Locking) \u2013 Nextcloud stabilisieren<\/h3><div class=\"ok\">\n<strong>Status:<\/strong> Redis l\u00e4uft stabil (localhost), PHP-Modul geladen, Verbindung ok (<code>redis-cli ping<\/code> \u2192 PONG).\n    <\/div><h3>7.1 Verifikation<\/h3><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code6\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code6\">php -m | grep -i redis\nredis-cli ping\nsudo systemctl status redis-server --no-pager<\/pre><\/div><h3>7.2 Nextcloud auf Redis setzen (TCP localhost)<\/h3><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code7\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code7\">sudo yunohost app shell nextcloud\nphp occ config:system:set redis host --value=\"127.0.0.1\"\nphp occ config:system:set redis port --value=6379 --type=integer\nphp occ config:system:set memcache.locking --value=\"\\OC\\Memcache\\Redis\"\nphp occ config:system:set memcache.distributed --value=\"\\OC\\Memcache\\Redis\"\nphp occ config:system:get redis\nphp occ config:system:get memcache.locking\nexit<\/pre><\/div><\/section><section class=\"card\" id=\"db\"><h3>8. 
MariaDB \u2013 Performance &amp; I\/O reduzieren<\/h3><div class=\"ok\">\n<strong>Status:<\/strong> <code>innodb_buffer_pool_size = 768M<\/code> (805306368 Bytes) gesetzt \u2013 optimal f\u00fcr 2 GB RAM.\n    <\/div><h3>8.1 Verifikation<\/h3><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code8\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code8\">sudo mysql -e \"SHOW VARIABLES LIKE 'innodb_buffer_pool_size';\"\nsudo mysql -e \"SHOW VARIABLES LIKE 'max_connections';\"\nsudo systemctl status mariadb --no-pager<\/pre><\/div><h3>8.2 Empfohlene MariaDB-Parameter (2 GB RAM)<\/h3><p class=\"muted\">In <code>\/etc\/mysql\/mariadb.conf.d\/50-server.cnf<\/code> unter <code>[mysqld]<\/code> (nur, wenn nicht bereits gesetzt; <code>innodb_flush_log_at_trx_commit = 2<\/code> senkt die Schreiblast, kann bei einem Absturz des Betriebssystems oder Stromausfall aber die Transaktionen der letzten etwa einen Sekunde kosten):<\/p><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code9\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code9\"># \/etc\/mysql\/mariadb.conf.d\/50-server.cnf  (unter [mysqld])\ninnodb_buffer_pool_size = 768M\ninnodb_log_file_size = 256M\ninnodb_flush_method = O_DIRECT\ninnodb_flush_log_at_trx_commit = 2\nmax_connections = 60\ntmp_table_size = 64M\nmax_heap_table_size = 64M<\/pre><\/div><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code10\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code10\">sudo systemctl restart mariadb\nsudo mysql -e \"SHOW VARIABLES LIKE 'innodb_buffer_pool_size';\"<\/pre><\/div><\/section><section class=\"card\" id=\"phpfpm\"><h3>9. 
PHP-FPM \u2013 Prozesslimits f\u00fcr 2 GB RAM<\/h3><div class=\"note\">\n<strong>Ziel:<\/strong> Verhindern, dass PHP-FPM durch zu viele Worker RAM frisst und das System in Swap- oder Timeout-Szenarien l\u00e4uft.\n    <\/div><h3>9.1 Konfigurationspfad<\/h3><ul>\n<li>Aktiv: <code>php8.3-fpm<\/code><\/li>\n<li>Pool: <code>\/etc\/php\/8.3\/fpm\/pool.d\/www.conf<\/code><\/li>\n<\/ul><h3>9.2 Empfohlene Werte<\/h3><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code11\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code11\"># \/etc\/php\/8.3\/fpm\/pool.d\/www.conf\npm = dynamic\npm.max_children = 18\npm.start_servers = 4\npm.min_spare_servers = 2\npm.max_spare_servers = 6\npm.max_requests = 500<\/pre><\/div><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code12\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code12\">sudo php-fpm8.3 -t\nsudo systemctl restart php8.3-fpm\nsudo systemctl status php8.3-fpm --no-pager<\/pre><\/div><\/section><section class=\"card\" id=\"fail2ban\"><h3>10. Fail2Ban \u2013 Bruteforce &amp; App-Schutz<\/h3><div class=\"ok\">\n<strong>Status:<\/strong> 11 Jails aktiv (u.a. nextcloud, wordpress, sshd, yunohost-portal). 
Das ist ein sehr guter Schutzgrad.\n    <\/div><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code13\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code13\">sudo fail2ban-client status\nsudo fail2ban-client status sshd\nsudo fail2ban-client status nextcloud\nsudo fail2ban-client status wordpress<\/pre><\/div><h3>10.1 Default-H\u00e4rtung (konservativ, produktionssicher)<\/h3><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code14\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code14\"># \/etc\/fail2ban\/jail.local\n[DEFAULT]\nbantime = 24h\nfindtime = 10m\nmaxretry = 3<\/pre><\/div><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code15\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code15\">sudo systemctl restart fail2ban\nsudo fail2ban-client status<\/pre><\/div><\/section><section class=\"card\" id=\"nginx\"><h3>11. Nginx \u2013 Rate Limiting (DoS\/Bot-Schutz) &amp; Best Practices<\/h3><h3>11.1 Global Zone in nginx.conf (http{} Block)<\/h3><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code16\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code16\"># \/etc\/nginx\/nginx.conf  (innerhalb http { ... })\nlimit_req_zone $binary_remote_addr zone=global_limit:10m rate=10r\/s;<\/pre><\/div><h3>11.2 Anwendung im HTTPS server{} Block (443)<\/h3><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code17\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code17\"># innerhalb server { listen 443 ssl http2; ... } f\u00fcr mitcloud.mayit.eu\nlimit_req zone=global_limit burst=20 nodelay;<\/pre><\/div><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code18\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code18\">sudo nginx -t\nsudo systemctl reload nginx<\/pre><\/div><div class=\"warn\">\n<strong>Wichtig:<\/strong> Zu strikte Limits k\u00f6nnen echte Nutzer (z.B. WebDAV Sync) beeintr\u00e4chtigen. 
Bei Problemen: <code>rate<\/code> erh\u00f6hen oder <code>burst<\/code> anpassen.\n    <\/div><\/section><section class=\"card\" id=\"kernel\"><h3>12. Kernel Hardening (sysctl)<\/h3><p class=\"muted\">Empfohlene Baseline (produktionssicher). Block ans Ende von <code>\/etc\/sysctl.conf<\/code>:<\/p><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code19\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code19\"># IP Spoofing Protection\nnet.ipv4.conf.all.rp_filter=1\nnet.ipv4.conf.default.rp_filter=1\n\n# Disable IP forwarding\nnet.ipv4.ip_forward=0\n\n# SYN Flood Protection\nnet.ipv4.tcp_syncookies=1\n\n# Disable source routing\nnet.ipv4.conf.all.accept_source_route=0\nnet.ipv6.conf.all.accept_source_route=0\n\n# Ignore ICMP broadcast\nnet.ipv4.icmp_echo_ignore_broadcasts=1\n\n# Log suspicious packets\nnet.ipv4.conf.all.log_martians=1<\/pre><\/div><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code20\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code20\">sudo sysctl -p\nsudo sysctl net.ipv4.ip_forward\nsudo sysctl net.ipv4.tcp_syncookies<\/pre><\/div><\/section><section class=\"card\" id=\"monitoring\"><h3>13. Monitoring mit E-Mail Alarmierung<\/h3><div class=\"ok\">\n<strong>Status:<\/strong> Testmail erfolgreich. 
Monitoring l\u00e4uft leichtgewichtig \u00fcber ein Health-Check Script + Cron (alle 5 Minuten).\n    <\/div><h3>13.1 Mailutils (falls erforderlich)<\/h3><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code21\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code21\">sudo apt install -y mailutils\necho \"Testmail Monitoring OK\" | mail -s \"Server Test\" DEINE-MAIL@DOMAIN.DE<\/pre><\/div><h3>13.2 Health-Check Script<\/h3><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code22\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code22\">sudo nano \/usr\/local\/sbin\/server-health-check.sh<\/pre><\/div><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code23\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code23\">#!\/bin\/bash\nMAIL=\"DEINE-MAIL@DOMAIN.DE\"\nHOSTNAME=$(hostname)\n\n# RAM Check\nRAM_USED=$(free | awk '\/Mem:\/ {printf(\"%.0f\"), $3\/$2*100}')\nif [ \"$RAM_USED\" -gt 85 ]; then\n  echo \"RAM usage is ${RAM_USED}% on ${HOSTNAME}\" | mail -s \"ALERT: High RAM on ${HOSTNAME}\" \"$MAIL\"\nfi\n\n# Disk Check\nDISK_USED=$(df \/ | awk 'END{print $5}' | sed 's\/%\/\/')\nif [ \"$DISK_USED\" -gt 85 ]; then\n  echo \"Disk usage is ${DISK_USED}% on ${HOSTNAME}\" | mail -s \"ALERT: High Disk on ${HOSTNAME}\" \"$MAIL\"\nfi\n\n# Load Check\nLOAD=$(uptime | awk -F'load average:' '{ print $2 }' | cut -d, -f1 | tr -d ' ')\nLOAD_INT=${LOAD%.*}\nif [ \"$LOAD_INT\" -gt 2 ]; then\n  echo \"Load average is ${LOAD} on ${HOSTNAME}\" | mail -s \"ALERT: High Load on ${HOSTNAME}\" \"$MAIL\"\nfi\n\n# Service Check\nfor SERVICE in nginx php8.3-fpm mariadb redis-server\ndo\n  if ! 
systemctl is-active --quiet \"$SERVICE\"; then\n    echo \"Service $SERVICE is NOT running on ${HOSTNAME}\" | mail -s \"ALERT: Service down on ${HOSTNAME}\" \"$MAIL\"\n  fi\ndone<\/pre><\/div><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code24\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code24\">sudo chmod +x \/usr\/local\/sbin\/server-health-check.sh\nsudo \/usr\/local\/sbin\/server-health-check.sh<\/pre><\/div><h3>13.3 Cron (alle 5 Minuten)<\/h3><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code25\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code25\">sudo crontab -e\n# hinzuf\u00fcgen:\n*\/5 * * * * \/usr\/local\/sbin\/server-health-check.sh<\/pre><\/div><h3>13.4 (Optional) T\u00e4glicher Statusreport<\/h3><p class=\"muted\">Empfehlung: ein kompakter Tagesreport (z.B. 08:00). Vorteil: du bemerkst Trends fr\u00fch.<\/p><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code26\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code26\"># \/usr\/local\/sbin\/server-daily-report.sh (Beispiel \u2013 optional)\n# Sammle: uptime, df -h, free -h, fail2ban status, top 5 processes by mem\/cpu, last 100 auth.log lines\n# Versand per mail -s \"Daily Report ${HOSTNAME}\" \"$MAIL\"<\/pre><\/div><\/section><section class=\"card\" id=\"backup\"><h3>14. Backup-Konzept (professionell) + Restore-Plan<\/h3><div class=\"warn\">\n<strong>Prinzip:<\/strong> Backups sind nur so gut wie der getestete Restore. 
Mindestens 1\u00d7 pro Quartal Restore-Test durchf\u00fchren und dokumentieren.\n    <\/div><h3>14.1 Backup-Ziele (Empfehlung)<\/h3><table>\n<thead><tr><th>Komponente<\/th><th>Was sichern?<\/th><th>Ziel<\/th><th>Rotation<\/th><\/tr><\/thead>\n<tbody>\n<tr><td><b>YunoHost<\/b><\/td><td>Konfiguration + Apps + Daten (YunoHost Backup)<\/td><td>Offsite Storage (S3\/FTP\/Remote)<\/td><td>t\u00e4glich inkrementell \/ w\u00f6chentlich voll<\/td><\/tr>\n<tr><td><b>Nextcloud<\/b><\/td><td>Data Dir + DB Dump + config.php + custom apps<\/td><td>Offsite + ggf. Snapshot<\/td><td>t\u00e4glich<\/td><\/tr>\n<tr><td><b>WordPress<\/b><\/td><td>DB + wp-content<\/td><td>Offsite (keine ZIP lokal)<\/td><td>t\u00e4glich\/2-t\u00e4glich<\/td><\/tr>\n<tr><td><b>Mail<\/b><\/td><td>Maildirs + DB\/Configs (je nach Setup)<\/td><td>Offsite<\/td><td>t\u00e4glich<\/td><\/tr>\n<\/tbody>\n<\/table><h3>14.2 YunoHost Backup (Standardweg)<\/h3><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code27\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code27\">sudo yunohost backup create --system --apps nextcloud,wordpress --name \"daily-$(date +%F)\"\nsudo yunohost backup list\n# Speicherorte pr\u00fcfen (je nach YunoHost-Konfiguration): \/home\/yunohost.backup\/ oder konfiguriertes Storage<\/pre><\/div><h3>14.3 Nextcloud konsistent sichern (App Maintenance Mode)<\/h3><div class=\"note\">\n<strong>Strategie:<\/strong> F\u00fcr konsistente Backups: Maintenance Mode + DB Dump + Files sichern. 
Bei gro\u00dfen Instanzen alternativ Snapshots mit kurzer Downtime.\n    <\/div><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code28\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code28\">sudo yunohost app shell nextcloud\nphp occ maintenance:mode --on\n\n# DB Dump (lokal \u2013 danach offsite kopieren)\nmysqldump --single-transaction -h localhost -u nextcloud -p\"$(php -r 'include(\\\"\/var\/www\/nextcloud\/config\/config.php\\\"); echo $CONFIG[\\\"dbpassword\\\"];')\" nextcloud \\\n  &gt; \/home\/yunohost.app\/nextcloud\/data\/backup-nextcloud-db-$(date +%F).sql\n\nphp occ maintenance:mode --off\nexit<\/pre><\/div><div class=\"warn\">\n<strong>Wichtig:<\/strong> Das DB-Passwort aus config.php ist sensitiv. Im Befehl oben wird es per <code>-p<\/code> als Kommandozeilenargument \u00fcbergeben und kann w\u00e4hrenddessen f\u00fcr andere lokale Benutzer in der Prozessliste sichtbar sein; eine nur f\u00fcr den ausf\u00fchrenden Benutzer lesbare Optionsdatei (<code>--defaults-extra-file<\/code>) vermeidet das. Der Dump enth\u00e4lt den vollst\u00e4ndigen Datenbankinhalt: Sorge f\u00fcr sichere Dateirechte (z.B. <code>umask 077<\/code> vor dem Dump), \u00fcbertrage ihn offsite nur \u00fcber einen verschl\u00fcsselten Kanal und l\u00f6sche die lokale Kopie danach.\n    <\/div><h3>14.4 Restore-Plan (Kurzform)<\/h3><ul>\n<li><b>RTO\/RPO definieren:<\/b> z.B. RTO 4h, RPO 24h (je nach Anspruch)<\/li>\n<li><b>Restore-Test:<\/b> 1\u00d7\/Quartal auf Test-VPS oder Snapshot<\/li>\n<li><b>Reihenfolge:<\/b> System \u2192 DB \u2192 App \u2192 Daten \u2192 Checks<\/li>\n<\/ul><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code29\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code29\"># 1) System-Stand pr\u00fcfen (Debian\/YunoHost Version)\n# 2) YunoHost Backup restore (system + apps)\n# 3) Nextcloud: maintenance:mode on \u2192 DB import \u2192 files restore \u2192 files:scan \u2192 maintenance off\n# 4) WordPress: DB import + wp-content restore\n# 5) Smoke Tests: HTTP(S), login, webdav, cron, mail flow<\/pre><\/div><\/section><section class=\"card\" id=\"architecture\"><h3>15. Architektur-Upgrade-Plan (Roadmap)<\/h3><div class=\"note\">\n<strong>Ist-Architektur:<\/strong> Alles auf einem 2-GB-VPS. Vorteil: einfach. 
Risiko: Resource-Contention (Backups, Updates, Peaks).\n    <\/div><h3>15.1 Ziel-Architektur (empfohlen)<\/h3><table>\n<thead><tr><th>Variante<\/th><th>Beschreibung<\/th><th>Vorteile<\/th><th>Risiken\/Notes<\/th><\/tr><\/thead>\n<tbody>\n<tr>\n<td><b>A (Minimal)<\/b><\/td>\n<td>VPS auf 4 GB RAM upgraden<\/td>\n<td>Einfachster Stabilit\u00e4tsgewinn<\/td>\n<td>Kosten \u2191, aber geringes Risiko<\/td>\n<\/tr>\n<tr>\n<td><b>B (Empfohlen)<\/b><\/td>\n<td>WordPress auslagern (eigener VPS\/Managed)<\/td>\n<td>Nextcloud erh\u00e4lt Ressourcen, weniger I\/O-Spitzen<\/td>\n<td>DNS\/SSL\/Backup getrennt<\/td>\n<\/tr>\n<tr>\n<td><b>C (Professionell)<\/b><\/td>\n<td>Mail separieren (oder managed), NC + WP getrennt<\/td>\n<td>Security-Isolation, bessere Wartbarkeit<\/td>\n<td>Komplexit\u00e4t \u2191, aber best practice<\/td>\n<\/tr>\n<\/tbody>\n<\/table><h3>15.2 Migrationspfad (Kurz)<\/h3><ul>\n<li><b>WordPress Move:<\/b> DNS TTL senken \u2192 Backup \u2192 Restore auf Ziel \u2192 Test \u2192 DNS Switch \u2192 Monitoring<\/li>\n<li><b>Nextcloud bleibt:<\/b> Redis\/DB\/Swap\/Rate-Limits bleiben wie dokumentiert.<\/li>\n<li><b>Mail:<\/b> nur migrieren, wenn klare Notwendigkeit und saubere Restore-Tests m\u00f6glich sind.<\/li>\n<\/ul><\/section><section class=\"card\" id=\"maxsecurity\"><h3>16. 
Max-Security Checkliste<\/h3><table>\n<thead><tr><th>Bereich<\/th><th>Ma\u00dfnahme<\/th><th>Status<\/th><th>Verifikation<\/th><\/tr><\/thead>\n<tbody>\n<tr><td>SSH<\/td><td>Key-only, Root-Login aus, max tries reduziert<\/td><td class=\"tag-ok\">OK<\/td><td><code>sshd_config<\/code> + Login-Test<\/td><\/tr>\n<tr><td>Fail2Ban<\/td><td>sshd, nextcloud, wordpress, portal + recidive<\/td><td class=\"tag-ok\">OK<\/td><td><code>fail2ban-client status<\/code><\/td><\/tr>\n<tr><td>Nginx<\/td><td>Rate limiting aktiv<\/td><td class=\"tag-ok\">OK<\/td><td><code>nginx -T | grep limit_req<\/code><\/td><\/tr>\n<tr><td>Kernel<\/td><td>sysctl baseline hardening<\/td><td class=\"tag-ok\">OK<\/td><td><code>sysctl \u2026<\/code><\/td><\/tr>\n<tr><td>PHP-FPM<\/td><td>max_children begrenzt + max_requests<\/td><td class=\"tag-ok\">OK<\/td><td><code>php-fpm8.3 -t<\/code> + Prozessz\u00e4hlung<\/td><\/tr>\n<tr><td>DB<\/td><td>Buffer Pool 768M + flush optimiert<\/td><td class=\"tag-ok\">OK<\/td><td><code>SHOW VARIABLES<\/code><\/td><\/tr>\n<tr><td>Redis<\/td><td>Cache + Locking (localhost)<\/td><td class=\"tag-ok\">OK<\/td><td><code>redis-cli ping<\/code><\/td><\/tr>\n<tr><td>Repos<\/td><td>Keine unsicheren\/kaputten Repos<\/td><td class=\"tag-ok\">OK<\/td><td><code>apt update<\/code><\/td><\/tr>\n<tr><td>Monitoring<\/td><td>Healthcheck + Mail Alerts<\/td><td class=\"tag-ok\">OK<\/td><td>Testmail + Cron<\/td><\/tr>\n<\/tbody>\n<\/table><\/section><section class=\"card\" id=\"operations\"><h3>17. 
Betriebsprozesse (Wartung, Updates, Notfall)<\/h3><h3>17.1 Regelm\u00e4\u00dfige Wartung (monatlich)<\/h3><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code30\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code30\">sudo apt update\nsudo apt upgrade -y\nsudo apt autoremove --purge -y\nsudo yunohost diagnosis run\nsudo fail2ban-client status\nsudo journalctl -p 3 -xb --no-pager | tail -n 200<\/pre><\/div><h3>17.2 Nextcloud Wartung (monatlich\/quartalsweise)<\/h3><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code31\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code31\">sudo yunohost app shell nextcloud\nphp occ status\nphp occ db:add-missing-indices\nphp occ maintenance:repair\nexit<\/pre><\/div><h3>17.3 Incident Quick Response<\/h3><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code32\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code32\"># 1) Ressourcen\nuptime\nfree -h\ndf -h\nsudo iotop -oPa  # falls installiert\n\n# 2) Web\/DB\/PHP\nsudo systemctl status nginx php8.3-fpm mariadb redis-server --no-pager\n\n# 3) Logs (kurz)\nsudo tail -n 200 \/var\/log\/nginx\/error.log\nsudo journalctl -u php8.3-fpm --since \"30 min ago\" --no-pager | tail -n 200\nsudo journalctl -u mariadb --since \"30 min ago\" --no-pager | tail -n 200\n\n# 4) Fail2Ban \/ Bruteforce\nsudo fail2ban-client status nextcloud\nsudo fail2ban-client status sshd<\/pre><\/div><\/section><section class=\"card\" id=\"rollback\"><h3>18. Rollback-Strategie<\/h3><ul>\n<li><b>Nginx:<\/b> \u00c4nderungen r\u00fcckg\u00e4ngig \u2192 <code>nginx -t<\/code> \u2192 reload<\/li>\n<li><b>PHP-FPM:<\/b> <code>www.conf<\/code> zur\u00fcck \u2192 <code>php-fpm8.3 -t<\/code> \u2192 restart<\/li>\n<li><b>DB:<\/b> Parameter zur\u00fcck \u2192 restart \u2192 Buffer Pool ggf. 
reduzieren<\/li>\n<li><b>sysctl:<\/b> Werte entfernen \u2192 <code>sysctl -p<\/code> (Hinweis: entfernte Werte bleiben zur Laufzeit gesetzt, bis sie explizit zur\u00fcckgesetzt werden oder das System neu startet; Dateien unter <code>\/etc\/sysctl.d\/<\/code> l\u00e4dt nur <code>sysctl --system<\/code>)<\/li>\n<li><b>Nextcloud:<\/b> config.php Eintr\u00e4ge (Redis) zur\u00fccksetzen, falls n\u00f6tig<\/li>\n<\/ul><\/section><section class=\"card\" id=\"appendix\"><h3>19. Appendix \u2013 N\u00fctzliche Befehle<\/h3><div class=\"codewrap\"><button class=\"copybtn\" data-copy=\"#code33\"><span class=\"dot\"><\/span>Copy<\/button><pre id=\"code33\"># Welche Dienste laufen?\nsudo systemctl list-units --type=service --state=running\n\n# Welche PHP-FPM Units existieren?\nsudo systemctl list-units | grep fpm\n\n# Nginx Konfiguration komplett anzeigen (vorsichtig, sehr lang)\nsudo nginx -T | head -n 120\n\n# Nextcloud config Werte pr\u00fcfen\nsudo yunohost app shell nextcloud\nphp occ config:system:get trusted_domains\nphp occ config:system:get overwrite.cli.url\nexit<\/pre><\/div><div class=\"foot\">\n<div class=\"hr\"><\/div>\n<div><b>Dokument-Standard:<\/b> Dark\/YunoHost-Style V2 (TOC fixiert, Copy-Buttons inkl. 
Fallback, Print-CSS).<\/div>\n<div><b>Autor:<\/b> MayIT<\/div>\n<div><b>Hinweis:<\/b> Bei jeder gr\u00f6\u00dferen \u00c4nderung: Backup + kurzer Smoke-Test (Login, WebDAV, Admin-Panel, Mailflow).<\/div>\n<\/div><\/section><div class=\"footer\"><b>Autor:<\/b> MayIT \u2022 <b>Dokumenttyp:<\/b> Projektdokumentation \u2022 <b>System:<\/b> Debian 12 + YunoHost Hardening, Monitoring, Backup &amp; MaxSecurity<\/div><div class=\"print-only\">Autor: MayIT \u2013 Projektdokumentation Debian 12 YunoHost H\u00e4rtung, Monitoring, Backup &amp; MaxSecurity<\/div><\/div>\n<\/main>\n<\/div>\n<script>\n    function copyText(text){\n      if(navigator.clipboard && window.isSecureContext){\n        return navigator.clipboard.writeText(text);\n      }\n      return new Promise((resolve, reject)=>{\n        try{\n          const ta = document.createElement('textarea');\n          ta.value = text;\n          ta.style.position = 'fixed';\n          ta.style.left = '-9999px';\n          ta.style.top = '0';\n          document.body.appendChild(ta);\n          ta.focus();\n          ta.select();\n          const ok = document.execCommand('copy');\n          document.body.removeChild(ta);\n          ok ? 
resolve() : reject();\n        } catch(e){ reject(e); }\n      });\n    }\n    document.querySelectorAll('.copybtn').forEach(btn=>{\n      btn.addEventListener('click', async ()=>{\n        const sel = btn.getAttribute('data-copy');\n        const pre = document.querySelector(sel);\n        if(!pre) return;\n        const text = pre.innerText.replace(\/\\u00a0\/g,' ');\n        const old = btn.innerHTML;\n        try{\n          await copyText(text);\n          btn.innerHTML = '<span class=\"dot\" style=\"background: var(--accent2)\"><\/span>Copied';\n          setTimeout(()=>btn.innerHTML = old, 1100);\n        } catch(e){\n          btn.innerHTML = '<span class=\"dot\" style=\"background: var(--warn)\"><\/span>Copy failed';\n          setTimeout(()=>btn.innerHTML = old, 1400);\n        }\n      });\n    });\n  <\/script>\n<\/body>\n<\/html>\n\n","protected":false},"excerpt":{"rendered":"<p>Projektdokumentation \u2013 Debian 12 YunoHost H\u00e4rtung, Monitoring, Backup &amp; MaxSecurity M Projektdokumentation Hardening \u2022 Monitoring \u2022 Backup \u2022 Autor: MayIT Ziel: Vollst\u00e4ndige Dokumentation der Debian 12 \/ YunoHost H\u00e4rtung Navigation 1. Scope, Annahmen, Grundregeln 2. Baseline-Checks (vor jeder \u00c4nderung) 3. Beginn der H\u00e4rtungsphase (Kontext &amp; Ausl\u00f6ser) 4. Speicher &amp; I\/O stabilisieren (Root-FS, WordPress Backups) 5. 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","_uag_custom_page_level_css":"","site-sidebar-layout":"no-sidebar","site-content-layout":"","ast-site-content-layout":"normal-width-container","site-content-style":"unboxed","site-sidebar-style":"boxed","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"disabled","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"class_list":["post-2583","page","type-page","status-publish","hentry"],"uagb_featured_image_src":{"full":false,"thumbnail":false,"medium":false,"medium_large":false,"large":false,"1536x1536":false,"2048x2048":false,"trp-custom-language-flag":false},"uagb_author_info":{"display_name":"MIT","author_link":"https:\/\/www.mayit.eu\/en\/author\/markus_\/"},"uagb_comment_info":0,"uagb_excerpt":"Projektdokumentation \u2013 Debian 12 YunoHost H\u00e4rtung, Monitoring, Backup &amp; MaxSecurity M Projektdokumentation Hardening \u2022 Monitoring \u2022 Backup \u2022 Autor: MayIT Ziel: Vollst\u00e4ndige Dokumentation der Debian 12 \/ YunoHost H\u00e4rtung Navigation 1. Scope, Annahmen, Grundregeln 2. Baseline-Checks (vor jeder \u00c4nderung) 3. 
Beginn der H\u00e4rtungsphase (Kontext &amp; Ausl\u00f6ser) 4. Speicher &amp; I\/O stabilisieren (Root-FS, WordPress Backups) 5.&hellip;","_links":{"self":[{"href":"https:\/\/www.mayit.eu\/en\/wp-json\/wp\/v2\/pages\/2583","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mayit.eu\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.mayit.eu\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.mayit.eu\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mayit.eu\/en\/wp-json\/wp\/v2\/comments?post=2583"}],"version-history":[{"count":1,"href":"https:\/\/www.mayit.eu\/en\/wp-json\/wp\/v2\/pages\/2583\/revisions"}],"predecessor-version":[{"id":2584,"href":"https:\/\/www.mayit.eu\/en\/wp-json\/wp\/v2\/pages\/2583\/revisions\/2584"}],"wp:attachment":[{"href":"https:\/\/www.mayit.eu\/en\/wp-json\/wp\/v2\/media?parent=2583"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}