docs: security incident resolution & firewall implementation

- Document network scanning incident (Dec 6 2025 - Jan 8 2026)
- Add firewall rules to prevent internal network access
- Deploy monitoring script for scanning attempts
- Update INFRASTRUCTURE.md v2.2.0 with Security section
- Update infrastructure_quick_ref.ipynb v2.1.0
- Root cause: compromised daarion-web container with crypto miner
- Resolution: container removed, firewall applied, monitoring deployed

Co-Authored-By: Warp <agent@warp.dev>

docs/infrastructure_quick_ref.ipynb

@@ -6,12 +6,16 @@
    "source": [
     "# 🚀 Infrastructure Quick Reference — DAARION & MicroDAO\n",
     "\n",
-    "**Версія:** 2.0.0  \n",
-    "**Останнє оновлення:** 2025-11-23  \n",
+    "Версія:** 2.1.0  \n",
+    "Останнє оновлення:** 2026-01-08  \n",
     "\n",
     "Цей notebook містить швидкий довідник по серверах, репозиторіях та endpoints для DAGI Stack.\n",
     "\n",
-    "**NEW (v2.0.0):** \n",
+    "**NEW (v2.1.0):** \n",
+    "- 🔒 **Security Incident Resolved** (Dec 2025 - Jan 2026)\n",
+    "- ✅ Firewall rules + monitoring deployed\n",
+    "\n",
+    "**v2.0.0:** \n",
     "- ✅ Мультимодальні сервіси (STT, OCR, Web Search, Vector DB) на НОДА2\n",
     "- ✅ Router Multimodal Support (інтеграція в процесі)\n",
     "- ✅ Telegram Gateway Enhanced (STT + Vision)\n",
@@ -465,6 +469,64 @@
     "pd.DataFrame(multimodal_capabilities).T\n"
    ]
   },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "## 🔒 Security & Incident Response\n",
+    "\n",
+    "### Incident #1: Network Scanning & Lockdown (Dec 6, 2025 - Jan 8, 2026)\n",
+    "\n",
+    "**Root Cause:** Compromised `daarion-web` container with cryptocurrency miner\n",
+    "**Impact:** Server locked by Hetzner for 33 days due to internal network scanning\n",
+    "**Resolution:** Container removed, firewall rules implemented, monitoring deployed\n",
+    "\n",
+    "### Security Measures\n",
+    "\n",
+    "1. **Egress Firewall Rules** (блокування внутрішніх мереж Hetzner)\n",
+    "2. **Monitoring Script** (`/root/monitor_scanning.sh`, runs every 15 min)\n",
+    "3. **Security Checklist:**\n",
+    "   - [ ] Container vulnerability scanning\n",
+    "   - [ ] Docker Content Trust\n",
+    "   - [ ] Resource limits (CPU/memory)\n",
+    "   - [ ] Network segmentation\n",
+    "   - [ ] Regular security audits\n",
+    "\n",
+    "**Full details:** See `INFRASTRUCTURE.md` → Security & Incident Response section\n"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "# Security Configuration\n",
+    "security_config = {\n",
+    "    \"Firewall Rules\": {\n",
+    "        \"script\": \"/root/prevent_scanning.sh\",\n",
+    "        \"status\": \"✅ Active\",\n",
+    "        \"blocks\": [\"10.0.0.0/8\", \"172.16.0.0/12\"],\n",
+    "        \"allows\": [\"80/tcp\", \"443/tcp\"]\n",
+    "    },\n",
+    "    \"Monitoring\": {\n",
+    "        \"script\": \"/root/monitor_scanning.sh\",\n",
+    "        \"status\": \"✅ Active\",\n",
+    "        \"interval\": \"15 minutes\",\n",
+    "        \"log\": \"/var/log/scan_attempts.log\"\n",
+    "    },\n",
+    "    \"Incident Response\": {\n",
+    "        \"last_incident\": \"2025-12-06\",\n",
+    "        \"recovery_time\": \"33 days\",\n",
+    "        \"status\": \"✅ Resolved\",\n",
+    "        \"prevention\": \"Firewall + Monitoring\"\n",
+    "    }\n",
+    "}\n",
+    "\n",
+    "import pandas as pd\n",
+    "pd.DataFrame(security_config).T\n"
+   ]
+  },
   {
    "cell_type": "markdown",
    "metadata": {},
@@ -499,7 +561,7 @@
     "\n",
     "---\n",
     "\n",
-    "**Last Updated:** 2025-11-23 by Auto AI  \n",
+    "**Last Updated:** 2026-01-08 (Security incident resolution & firewall implementation)  \n",
     "**Maintained by:** Ivan Tytar & DAARION Team"
    ]
   }