Add back steps to secure ssh daemon

CI_CD_PIPELINE_SETUP_GUIDE.md

@@ -357,6 +357,159 @@ ssh ci-cd-dev
 ssh production-dev
 ```
 
+##### 0.4.8 Secure SSH Configuration
+
+**Critical Security Step**: After setting up SSH key authentication, you must disable password authentication and root login to secure your servers.
+
+**For Both CI/CD and Production Linodes:**
+
+**Step 1: Edit SSH Configuration File**
+
+```bash
+# Open the SSH configuration file using nano
+sudo nano /etc/ssh/sshd_config
+```
+
+**Step 2: Disallow Root Logins**
+
+Find the line that says:
+```
+#PermitRootLogin prohibit-password
+```
+
+Change it to:
+```
+PermitRootLogin no
+```
+
+**Step 3: Disable Password Authentication**
+
+Find the line that says:
+```
+#PasswordAuthentication yes
+```
+
+Change it to:
+```
+PasswordAuthentication no
+```
+
+**Step 4: Configure Protocol Family (Optional)**
+
+If you only need IPv4 connections, find or add:
+```
+#AddressFamily any
+```
+
+Change it to:
+```
+AddressFamily inet
+```
+
+**Step 5: Save and Exit**
+
+- Press `Ctrl + X` to exit
+- Press `Y` to confirm saving
+- Press `Enter` to confirm the filename
+
+**Step 6: Test SSH Configuration**
+
+```bash
+# Test the SSH configuration for syntax errors
+sudo sshd -t
+```
+
+**Step 7: Restart SSH Service**
+
+For Ubuntu 22.10+ (socket-based activation):
+```bash
+sudo systemctl enable --now ssh.service
+```
+
+For other distributions:
+```bash
+sudo systemctl restart sshd
+```
+
+**Step 8: Verify SSH Access**
+
+**IMPORTANT**: Test SSH access from a new terminal window before closing your current session:
+
+```bash
+# Test CI/CD Linode
+ssh CI_DEPLOY_USER@YOUR_CI_CD_IP 'echo "SSH configuration test successful"'
+
+# Test Production Linode
+ssh PROD_DEPLOY_USER@YOUR_PRODUCTION_IP 'echo "SSH configuration test successful"'
+```
+
+**What these changes do:**
+
+- **`PermitRootLogin no`**: Completely disables root SSH access
+- **`PasswordAuthentication no`**: Disables password-based authentication
+- **`AddressFamily inet`**: Listens only on IPv4 (optional, for additional security)
+
+**Security Benefits:**
+
+- **No root access**: Eliminates the most common attack vector
+- **Key-only authentication**: Prevents brute force password attacks
+- **Protocol restriction**: Limits SSH to IPv4 only (if configured)
+
+**Emergency Access:**
+
+If you lose SSH access, you can still access the server through:
+- **Linode Console**: Use the Linode dashboard's console access
+- **Emergency mode**: Boot into single-user mode if needed
+
+**Verification Commands:**
+
+```bash
+# Check SSH configuration
+sudo grep -E "(PermitRootLogin|PasswordAuthentication|AddressFamily)" /etc/ssh/sshd_config
+
+# Check SSH service status
+sudo systemctl status ssh
+
+# Check SSH logs for any issues
+sudo journalctl -u ssh -f
+
+# Test SSH access from a new session
+ssh CI_DEPLOY_USER@YOUR_CI_CD_IP 'whoami'
+ssh PROD_DEPLOY_USER@YOUR_PRODUCTION_IP 'whoami'
+```
+
+**Expected Output:**
+- `PermitRootLogin no`
+- `PasswordAuthentication no` 
+- `AddressFamily inet` (if configured)
+- SSH service should be "active (running)"
+- Test commands should return the deployment user names
+
+**Important Security Notes:**
+
+1. **Test before closing**: Always test SSH access from a new session before closing your current SSH connection
+2. **Keep backup**: You can restore the original configuration if needed
+3. **Monitor logs**: Check `/var/log/auth.log` for SSH activity and potential attacks
+4. **Regular updates**: Keep SSH and system packages updated for security patches
+
+**Alternative: Manual Configuration with Backup**
+
+If you prefer to manually edit the file with a backup:
+
+```bash
+# Create backup
+sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
+
+# Edit the file
+sudo nano /etc/ssh/sshd_config
+
+# Test configuration
+sudo sshd -t
+
+# Restart service
+sudo systemctl restart ssh
+```
+
 ---
 
 ## Part 1: CI/CD Linode Setup
@@ -1604,7 +1757,154 @@ The `docker-compose.prod.yml` file is specifically designed for production deplo
 
 ### Step 15: Configure Security
 
-#### 15.1 Configure Firewall
+#### 15.1 Secure SSH Configuration
+
+**Critical Security Step**: After setting up SSH key authentication, you must disable password authentication and root login to secure your Production server.
+
+**Step 1: Edit SSH Configuration File**
+
+```bash
+# Open the SSH configuration file using nano
+sudo nano /etc/ssh/sshd_config
+```
+
+**Step 2: Disallow Root Logins**
+
+Find the line that says:
+```
+#PermitRootLogin prohibit-password
+```
+
+Change it to:
+```
+PermitRootLogin no
+```
+
+**Step 3: Disable Password Authentication**
+
+Find the line that says:
+```
+#PasswordAuthentication yes
+```
+
+Change it to:
+```
+PasswordAuthentication no
+```
+
+**Step 4: Configure Protocol Family (Optional)**
+
+If you only need IPv4 connections, find or add:
+```
+#AddressFamily any
+```
+
+Change it to:
+```
+AddressFamily inet
+```
+
+**Step 5: Save and Exit**
+
+- Press `Ctrl + X` to exit
+- Press `Y` to confirm saving
+- Press `Enter` to confirm the filename
+
+**Step 6: Test SSH Configuration**
+
+```bash
+# Test the SSH configuration for syntax errors
+sudo sshd -t
+```
+
+**Step 7: Restart SSH Service**
+
+For Ubuntu 22.10+ (socket-based activation):
+```bash
+sudo systemctl enable --now ssh.service
+```
+
+For other distributions:
+```bash
+sudo systemctl restart sshd
+```
+
+**Step 8: Verify SSH Access**
+
+**IMPORTANT**: Test SSH access from a new terminal window before closing your current session:
+
+```bash
+# Test Production Linode
+ssh PROD_DEPLOY_USER@YOUR_PRODUCTION_IP 'echo "SSH configuration test successful"'
+```
+
+**What these changes do:**
+
+- **`PermitRootLogin no`**: Completely disables root SSH access
+- **`PasswordAuthentication no`**: Disables password-based authentication
+- **`AddressFamily inet`**: Listens only on IPv4 (optional, for additional security)
+
+**Security Benefits:**
+
+- **No root access**: Eliminates the most common attack vector
+- **Key-only authentication**: Prevents brute force password attacks
+- **Protocol restriction**: Limits SSH to IPv4 only (if configured)
+
+**Emergency Access:**
+
+If you lose SSH access, you can still access the server through:
+- **Linode Console**: Use the Linode dashboard's console access
+- **Emergency mode**: Boot into single-user mode if needed
+
+**Verification Commands:**
+
+```bash
+# Check SSH configuration
+sudo grep -E "(PermitRootLogin|PasswordAuthentication|AddressFamily)" /etc/ssh/sshd_config
+
+# Check SSH service status
+sudo systemctl status ssh
+
+# Check SSH logs for any issues
+sudo journalctl -u ssh -f
+
+# Test SSH access from a new session
+ssh PROD_DEPLOY_USER@YOUR_PRODUCTION_IP 'whoami'
+```
+
+**Expected Output:**
+- `PermitRootLogin no`
+- `PasswordAuthentication no` 
+- `AddressFamily inet` (if configured)
+- SSH service should be "active (running)"
+- Test commands should return the deployment user name
+
+**Important Security Notes:**
+
+1. **Test before closing**: Always test SSH access from a new session before closing your current SSH connection
+2. **Keep backup**: You can restore the original configuration if needed
+3. **Monitor logs**: Check `/var/log/auth.log` for SSH activity and potential attacks
+4. **Regular updates**: Keep SSH and system packages updated for security patches
+
+**Alternative: Manual Configuration with Backup**
+
+If you prefer to manually edit the file with a backup:
+
+```bash
+# Create backup
+sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
+
+# Edit the file
+sudo nano /etc/ssh/sshd_config
+
+# Test configuration
+sudo sshd -t
+
+# Restart service
+sudo systemctl restart ssh
+```
+
+#### 15.2 Configure Firewall
 
 ```bash
 sudo ufw --force enable
@@ -1691,7 +1991,6 @@ sudo tail -f /var/log/fail2ban.log
 
 # Check all active jails
 sudo fail2ban-client status
-```
 
 **Why This Matters for Production**:
 - **Your server is exposed**: The Production Linode is accessible from the internet