This runbook covers immediate containment and fast recovery when HomeDir suffers attack traffic or denial-of-service symptoms.
Goals:
- Protect availability and data integrity.
- Reduce blast radius quickly.
- Recover to a stable version with minimum operational steps.
Run this procedure when one or more are true:
- sustained 5xx spikes
- response latency collapse
- nginx/podman saturation
- abnormal traffic bursts with service degradation
All commands are provided by:
platform/scripts/homedir-ir-first-level.sh
(installed as /usr/local/bin/homedir-ir-first-level.sh)
Check current state:
/usr/local/bin/homedir-ir-first-level.sh status
Shield public traffic:
/usr/local/bin/homedir-ir-first-level.sh shield-on
This activates the lock-file shield: it creates /etc/homedir.incident.lock, which the nginx snippet keys on to serve a maintenance page to public traffic while keeping local health checks available.
Capture evidence:
/usr/local/bin/homedir-ir-first-level.sh snapshot
Artifacts are stored under /var/log/homedir-incident/<timestamp>.
Recover to the last known-good release tag (vX.Y.Z below).
Preferred:
/usr/local/bin/homedir-ir-first-level.sh recover vX.Y.Z
Alternative:
/usr/local/bin/homedir-ir-first-level.sh deploy-tag vX.Y.Z
Remove the shield once the recovered version is serving:
/usr/local/bin/homedir-ir-first-level.sh shield-off
Verify before moving on:
- /q/health returns 200
- /, /comunidad, /eventos, /proyectos return 200
- error rate back to baseline
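As an added example, not part of homedir-ir-first-level.sh or the HomeDir project, the following shell gate checks the verification criteria above in one call: the lock file is gone (shield off), every listed path answers 200, and the share of 5xx responses in recent nginx access-log lines is at or under a baseline. BASE_URL, the 1% baseline, the log file location and the sample log lines are assumptions; http_code is a thin curl wrapper that can be overridden for offline runs.

```shell
#!/usr/bin/env bash
# Added example: post-recovery verification gate for the HomeDir first-level IR runbook.
# Not part of homedir-ir-first-level.sh. BASE_URL, MAX_5XX_PCT and the sample log
# are assumptions for illustration; LOCK_FILE and the paths come from the runbook.
set -euo pipefail

BASE_URL="${BASE_URL:-http://127.0.0.1}"              # assumed: run on the host against the local vhost
LOCK_FILE="${LOCK_FILE:-/etc/homedir.incident.lock}"  # lock file the nginx shield snippet keys on
REQUIRED_PATHS="/q/health / /comunidad /eventos /proyectos"  # closure criteria from the runbook
MAX_5XX_PCT="${MAX_5XX_PCT:-1}"                       # assumed baseline: at most 1% 5xx responses

# HTTP status code for a path. Defined as a function so it can be overridden
# (e.g. stubbed) when running without a live HomeDir instance.
http_code() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 5 "${BASE_URL}$1"
}

# Returns 0 when every required path answers 200; lists failing paths on stderr otherwise.
check_paths() {
  local p code rc=0
  for p in $REQUIRED_PATHS; do
    code="$(http_code "$p")"
    if [ "$code" != "200" ]; then
      echo "FAIL $p -> $code" >&2
      rc=1
    fi
  done
  return $rc
}

# Integer percentage (rounded down) of 5xx responses in nginx combined-format
# access-log lines read from stdin; the status code is field 9 in that format.
pct_5xx() {
  awk '{ total++; if ($9 ~ /^5[0-9][0-9]$/) bad++ }
       END { if (total == 0) print 0; else printf "%d\n", (bad * 100) / total }'
}

# The shield must be off before closure: the lock file is exactly what keeps
# public traffic on the maintenance page.
shield_is_off() {
  [ ! -e "$LOCK_FILE" ]
}

# Overall gate: shield off, all paths 200, recent 5xx rate at or under the baseline.
verify_recovery() {
  local log_file="$1" rate
  shield_is_off || { echo "FAIL shield still on: $LOCK_FILE exists" >&2; return 1; }
  check_paths || return 1
  rate="$(pct_5xx < "$log_file")"
  if [ "$rate" -gt "$MAX_5XX_PCT" ]; then
    echo "FAIL 5xx rate ${rate}% above baseline ${MAX_5XX_PCT}%" >&2
    return 1
  fi
  echo "OK shield off, all paths 200, 5xx rate ${rate}%"
}

# Constructed sample log (not real HomeDir traffic) so the rate check can run offline:
# four requests, one of them a 502, i.e. a 25% 5xx rate.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Oct/2000:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2000:13:55:37 +0000] "GET /eventos HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2000:13:55:38 +0000] "GET /proyectos HTTP/1.1" 502 0 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2000:13:55:39 +0000] "GET /comunidad HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF

# Usage on the host (assumed nginx log path): ./verify.sh run /var/log/nginx/access.log
if [ "${1:-}" = "run" ]; then
  verify_recovery "${2:-$SAMPLE_LOG}"
fi
```

The three checks are deliberately separate functions so the gate fails closed on the first problem and the reason is printed; a 5xx rate computed over the whole access log would hide a recent spike, so point it at a log slice covering only the period after shield-off.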
Operational security during the incident:
- Do not export /etc/homedir.env in incident evidence.
- Keep incident snapshots in restricted directories (the script sets umask 077).
- Keep backup/env artifacts encrypted at rest and in transit (age recommended).
- Keep webhook requests signed, and do not expose the webhook status endpoint without token protection.
Post-incident:
- Preserve incident snapshot folder.
- Document attack indicators and timeline.
- Rotate sensitive tokens if compromise is suspected.
- Execute DR drill if root cause indicates host compromise risk.
Closure checks:
- Run /usr/local/bin/homedir-cfp-traffic-guard.sh check and confirm thresholds are healthy.
- Run /usr/local/bin/homedir-security-hardening.sh audit before declaring incident closure.