Demo mode — data is read-only. No account required.
Log Change

Changes

12 total changes

Block inbound traffic on port 8080 from public internet

MediumCompleted

Discovered several unauthorized scan attempts hitting port 8080. Blocking at perimeter firewall. Internal access via proxy still functional.

Firewall (pfsense)firewall, security, prodApr 4, 2026

Add 14 new user accounts for Q2 contractor onboarding

LowCompleted

Provisioned AD accounts for the new contractor cohort starting Monday. Accounts placed in OU=Contractors, added to security group SG-VPN-Limited.

AD-SERVER-01active-directory, user-management, onboardingApr 4, 2026

Scheduled PostgreSQL minor version upgrade 16.1 → 16.4

HighPlanned

Upgrading production DB cluster to PostgreSQL 16.4. Includes security patches CVE-2024-10978 and CVE-2024-10979. Replica promoted first, then primary.

DB-CLUSTER-PRODApr 13, 2026, 11:32 AMdatabase, maintenance, security-patchApr 3, 2026

Rotate WireGuard pre-shared keys for all remote clients

MediumCompleted

Annual key rotation per security policy SEC-007. Generated new PSKs, distributed via encrypted email. Old keys invalidated at rotation time.

VPN Gatewayvpn, security, key-rotationApr 3, 2026

Update NGINX to 1.26.2 — patch CVE-2024-7347

MediumCompleted

NGINX 1.26.2 addresses a buffer overflow in the ngx_http_mp4_module. Rolling update across load balancer cluster. No configuration changes.

NGINX Load Balancernginx, security-patch, load-balancerApr 2, 2026

Add geo-blocking rule: CN, RU, KP traffic blocked on all external ports

LowCompleted

Following threat intelligence report, implemented geo-blocking for high-risk country codes. Allowlist in place for known partner IPs.

Firewall (pfsense)firewall, security, geo-blockingApr 1, 2026

Enable audit logging for privileged group membership changes

LowCompleted

Configured Windows audit policy to log all changes to Domain Admins, Enterprise Admins, and Schema Admins groups. Logs forwarding to SIEM.

AD-SERVER-01active-directory, audit, compliance +1Mar 31, 2026

Expand backup retention: 30-day → 90-day for production databases

LowCompleted

Updated Veeam backup job schedule to retain production DB backups for 90 days instead of 30. Additional 2TB storage provisioned on NAS-02.

Backup Systembackup, storage, database +1Mar 28, 2026

Revoke read permissions for deprecated service account svc_reporting_v1

LowCompleted

Removed DB permissions for deprecated service account following decommission of legacy reporting app. Account left disabled per offboarding SOP.

DB-CLUSTER-PRODdatabase, permissions, cleanupMar 25, 2026

NGINX rate limiting: 100 req/s per IP on /api/* endpoints

MediumRolled Back

Implemented rate limiting to protect API endpoints from abuse. Configured zone with 10MB memory, burst=20 nodelay. Returns 429 on excess.

NGINX Load Balancernginx, rate-limiting, api +1Mar 22, 2026

VPN split tunneling: route only corp subnets through VPN

MediumCompleted

Updated WireGuard config to only tunnel 10.0.0.0/8 and 172.16.0.0/12 through VPN. Public internet goes direct. Reduces bandwidth on VPN gateway.

VPN Gatewayvpn, networking, split-tunnelingMar 20, 2026

Full database maintenance window — VACUUM ANALYZE + index rebuild

HighPlanned

Monthly maintenance window. Running VACUUM ANALYZE on all tables, rebuilding fragmented indexes. Estimated 45 min. Standby promoted during window.

DB-CLUSTER-PRODApr 16, 2026, 11:32 AMdatabase, maintenance, planned-downtimeApr 3, 2026