Initial commit — SETEC LABS Manager (Setec_CDM)

Flask-based VPS management panel with SSH remote command execution.
Includes E2E encrypted SSH tunnel (AES-256-GCM + Go agent), setup wizard,
security hardening tools, DNS management, firewall configs, monitoring,
backup, and .sec patch update system.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

updates/sec/debian12_0326.sec

@@ -0,0 +1,55 @@
+# Setec Labs Security Update — Debian 12 Bookworm
+# Release: 2026-03
+# Target: Debian 12 (Bookworm)
+# Author: seteclabs.io
+# Applied via: sec_updates.py parse_and_apply_cmd()
+
+[packages]
+# Critical security patches for March 2026
+apt-get update -qq
+apt-get install -y --only-upgrade openssl libssl3
+apt-get install -y --only-upgrade libgnutls30
+apt-get install -y --only-upgrade openssh-server openssh-client
+apt-get install -y --only-upgrade curl libcurl4
+apt-get install -y --only-upgrade sudo
+apt-get install -y --only-upgrade systemd libsystemd0
+apt-get install -y --only-upgrade linux-image-amd64
+apt-get install -y --only-upgrade bind9-dnsutils bind9-host
+apt-get install -y --only-upgrade nginx
+apt-get install -y --only-upgrade python3 libpython3-stdlib
+apt-get install -y --only-upgrade git
+apt-get install -y --only-upgrade vim-common xxd
+
+[sysctl]
+# Harden network stack
+net.ipv4.tcp_syncookies = 1
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+kernel.randomize_va_space = 2
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+kernel.kptr_restrict = 1
+kernel.dmesg_restrict = 1
+
+[services]
+systemctl restart ssh
+systemctl restart nginx
+systemctl daemon-reexec
+
+[files]
+chmod 600 /etc/ssh/sshd_config
+chmod 700 /root/.ssh
+chmod 644 /etc/sysctl.d/99-setec-update.conf
+chown root:root /etc/sysctl.d/99-setec-update.conf
+
+[custom]
+# Cleanup old kernels
+bash:-:apt-get autoremove -y --purge 2>&1
+# Verify no known vulnerable packages remain
+bash:-:apt-get -s upgrade 2>&1 | grep -c 'upgraded' || echo '0 remaining upgrades'

updates/sec/debian13_0326.sec

@@ -0,0 +1,53 @@
+# Setec Labs Security Update — Debian 13 Trixie
+# Release: 2026-03
+# Target: Debian 13 (Trixie)
+# Author: seteclabs.io
+# Note: Trixie is the current testing/stable release
+
+[packages]
+apt-get update -qq
+apt-get install -y --only-upgrade openssl libssl3t64
+apt-get install -y --only-upgrade libgnutls30t64
+apt-get install -y --only-upgrade openssh-server openssh-client
+apt-get install -y --only-upgrade curl libcurl4t64
+apt-get install -y --only-upgrade sudo
+apt-get install -y --only-upgrade systemd libsystemd0
+apt-get install -y --only-upgrade linux-image-amd64
+apt-get install -y --only-upgrade nginx
+apt-get install -y --only-upgrade python3 python3-minimal
+apt-get install -y --only-upgrade git
+apt-get install -y --only-upgrade vim-common xxd
+apt-get install -y --only-upgrade libc6
+
+[sysctl]
+net.ipv4.tcp_syncookies = 1
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+kernel.randomize_va_space = 2
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+kernel.kptr_restrict = 1
+kernel.dmesg_restrict = 1
+# Trixie supports unprivileged userns restrictions
+kernel.unprivileged_userns_clone = 0
+
+[services]
+systemctl restart ssh
+systemctl restart nginx
+systemctl daemon-reexec
+
+[files]
+chmod 600 /etc/ssh/sshd_config
+chmod 700 /root/.ssh
+chmod 644 /etc/sysctl.d/99-setec-update.conf
+chown root:root /etc/sysctl.d/99-setec-update.conf
+
+[custom]
+bash:-:apt-get autoremove -y --purge 2>&1
+bash:-:apt-get -s upgrade 2>&1 | grep -c 'upgraded' || echo '0 remaining upgrades'

updates/sec/ubuntu2204_0326.sec

@@ -0,0 +1,55 @@
+# Setec Labs Security Update — Ubuntu 22.04 LTS Jammy
+# Release: 2026-03
+# Target: Ubuntu 22.04 (Jammy Jellyfish)
+# Author: seteclabs.io
+# EOL: April 2027 (standard), April 2032 (ESM)
+
+[packages]
+apt-get update -qq
+apt-get install -y --only-upgrade openssl libssl3
+apt-get install -y --only-upgrade libgnutls30
+apt-get install -y --only-upgrade openssh-server openssh-client
+apt-get install -y --only-upgrade curl libcurl4
+apt-get install -y --only-upgrade sudo
+apt-get install -y --only-upgrade systemd libsystemd0
+apt-get install -y --only-upgrade linux-image-generic
+apt-get install -y --only-upgrade nginx
+apt-get install -y --only-upgrade python3 python3-minimal
+apt-get install -y --only-upgrade git
+apt-get install -y --only-upgrade vim-common xxd
+apt-get install -y --only-upgrade ca-certificates
+apt-get install -y --only-upgrade apparmor
+
+[sysctl]
+net.ipv4.tcp_syncookies = 1
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+kernel.randomize_va_space = 2
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+kernel.kptr_restrict = 1
+kernel.dmesg_restrict = 1
+
+[services]
+systemctl restart ssh
+systemctl restart nginx
+systemctl restart apparmor
+systemctl daemon-reexec
+
+[files]
+chmod 600 /etc/ssh/sshd_config
+chmod 700 /root/.ssh
+chmod 644 /etc/sysctl.d/99-setec-update.conf
+chown root:root /etc/sysctl.d/99-setec-update.conf
+
+[custom]
+bash:-:apt-get autoremove -y --purge 2>&1
+bash:-:apt-get -s upgrade 2>&1 | grep -c 'upgraded' || echo '0 remaining upgrades'
+# Check Ubuntu Pro/ESM status
+bash:-:pro status 2>/dev/null || echo 'Ubuntu Pro not configured'

updates/sec/ubuntu2210_0326.sec

@@ -0,0 +1,49 @@
+# Setec Labs Security Update — Ubuntu 22.10 Kinetic
+# Release: 2026-03
+# Target: Ubuntu 22.10 (Kinetic Kudu)
+# Author: seteclabs.io
+#
+# !! WARNING: Ubuntu 22.10 reached End of Life on July 20, 2023 !!
+# No further security patches are available from Canonical.
+# This .sec file provides upgrade guidance only.
+
+[packages]
+# IMPORTANT: 22.10 repos are archived. Update sources first if needed.
+# sed -i 's|archive.ubuntu.com|old-releases.ubuntu.com|g' /etc/apt/sources.list
+# sed -i 's|security.ubuntu.com|old-releases.ubuntu.com|g' /etc/apt/sources.list
+apt-get update -qq
+apt-get install -y --only-upgrade openssl libssl3
+apt-get install -y --only-upgrade openssh-server openssh-client
+apt-get install -y --only-upgrade curl libcurl4
+apt-get install -y --only-upgrade sudo
+
+[sysctl]
+# Minimal hardening — upgrade ASAP
+net.ipv4.tcp_syncookies = 1
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+kernel.randomize_va_space = 2
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+
+[services]
+systemctl restart ssh
+
+[files]
+chmod 600 /etc/ssh/sshd_config
+
+[custom]
+# Display EOL warning prominently
+bash:-:echo '=========================================='
+bash:-:echo 'WARNING: Ubuntu 22.10 is END OF LIFE'
+bash:-:echo 'No security patches since July 2023!'
+bash:-:echo '=========================================='
+bash:-:echo ''
+bash:-:echo 'Recommended upgrade path:'
+bash:-:echo '  22.10 -> 23.04 -> 23.10 -> 24.04 LTS'
+bash:-:echo ''
+bash:-:echo 'Or fresh install Ubuntu 24.04 LTS (recommended)'
+bash:-:echo ''
+bash:-:echo 'To begin upgrade: do-release-upgrade'
+bash:-:echo '=========================================='

updates/sec/ubuntu2404_0326.sec

@@ -0,0 +1,57 @@
+# Setec Labs Security Update — Ubuntu 24.04 LTS Noble
+# Release: 2026-03
+# Target: Ubuntu 24.04 (Noble Numbat)
+# Author: seteclabs.io
+# EOL: April 2029 (standard), April 2034 (ESM)
+
+[packages]
+apt-get update -qq
+apt-get install -y --only-upgrade openssl libssl3t64
+apt-get install -y --only-upgrade libgnutls30t64
+apt-get install -y --only-upgrade openssh-server openssh-client
+apt-get install -y --only-upgrade curl libcurl4t64
+apt-get install -y --only-upgrade sudo
+apt-get install -y --only-upgrade systemd libsystemd0
+apt-get install -y --only-upgrade linux-image-generic
+apt-get install -y --only-upgrade nginx
+apt-get install -y --only-upgrade python3 python3-minimal
+apt-get install -y --only-upgrade git
+apt-get install -y --only-upgrade vim-common xxd
+apt-get install -y --only-upgrade ca-certificates
+apt-get install -y --only-upgrade apparmor
+apt-get install -y --only-upgrade libc6
+
+[sysctl]
+net.ipv4.tcp_syncookies = 1
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+kernel.randomize_va_space = 2
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+kernel.kptr_restrict = 1
+kernel.dmesg_restrict = 1
+# Noble supports unprivileged userns restrictions
+kernel.apparmor_restrict_unprivileged_userns = 1
+
+[services]
+systemctl restart ssh
+systemctl restart nginx
+systemctl restart apparmor
+systemctl daemon-reexec
+
+[files]
+chmod 600 /etc/ssh/sshd_config
+chmod 700 /root/.ssh
+chmod 644 /etc/sysctl.d/99-setec-update.conf
+chown root:root /etc/sysctl.d/99-setec-update.conf
+
+[custom]
+bash:-:apt-get autoremove -y --purge 2>&1
+bash:-:apt-get -s upgrade 2>&1 | grep -c 'upgraded' || echo '0 remaining upgrades'
+bash:-:pro status 2>/dev/null || echo 'Ubuntu Pro not configured'

updates/sec/ubuntu2410_0326.sec

@@ -0,0 +1,57 @@
+# Setec Labs Security Update — Ubuntu 24.10 Oracular
+# Release: 2026-03
+# Target: Ubuntu 24.10 (Oracular Oriole)
+# Author: seteclabs.io
+# EOL: July 2025 — approaching end of life, plan upgrade to 25.04 or 24.04 LTS
+
+[packages]
+apt-get update -qq
+apt-get install -y --only-upgrade openssl libssl3t64
+apt-get install -y --only-upgrade libgnutls30t64
+apt-get install -y --only-upgrade openssh-server openssh-client
+apt-get install -y --only-upgrade curl libcurl4t64
+apt-get install -y --only-upgrade sudo
+apt-get install -y --only-upgrade systemd libsystemd0
+apt-get install -y --only-upgrade linux-image-generic
+apt-get install -y --only-upgrade nginx
+apt-get install -y --only-upgrade python3 python3-minimal
+apt-get install -y --only-upgrade git
+apt-get install -y --only-upgrade vim-common xxd
+apt-get install -y --only-upgrade ca-certificates
+apt-get install -y --only-upgrade apparmor
+apt-get install -y --only-upgrade libc6
+
+[sysctl]
+net.ipv4.tcp_syncookies = 1
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+kernel.randomize_va_space = 2
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+kernel.kptr_restrict = 1
+kernel.dmesg_restrict = 1
+kernel.apparmor_restrict_unprivileged_userns = 1
+
+[services]
+systemctl restart ssh
+systemctl restart nginx
+systemctl restart apparmor
+systemctl daemon-reexec
+
+[files]
+chmod 600 /etc/ssh/sshd_config
+chmod 700 /root/.ssh
+chmod 644 /etc/sysctl.d/99-setec-update.conf
+chown root:root /etc/sysctl.d/99-setec-update.conf
+
+[custom]
+bash:-:apt-get autoremove -y --purge 2>&1
+bash:-:apt-get -s upgrade 2>&1 | grep -c 'upgraded' || echo '0 remaining upgrades'
+# Reminder: 24.10 is a short-term release
+bash:-:echo 'NOTE: Ubuntu 24.10 support ends July 2025. Consider upgrading to 25.04 or 24.04 LTS.'