derp, helper method rename
This commit is contained in:
79
harden
79
harden
@@ -369,28 +369,19 @@ EOF
|
||||
done
|
||||
}
|
||||
|
||||
# The selinuxConfig function will set up and configure selinux with sane defaults.
|
||||
# function selinuxConfig {
|
||||
# # Set the selinux boolean to allow docker to use the network
|
||||
# sudo setsebool -P docker_connect_any 1
|
||||
# }
|
||||
|
||||
# Fix banaction ufw with iptables
|
||||
# Does not always persist after reboot.
|
||||
function configureFail2ban {
|
||||
FAIL2BAN_LOCAL=$(cat <<'EOF'
|
||||
[Definition]
|
||||
logtarget = /var/log/fail2ban/fail2ban.log
|
||||
allowipv6 = auto
|
||||
EOF
|
||||
)
|
||||
printf "%s" "$FAIL2BAN_LOCAL" | sudo tee /etc/fail2ban/fail2ban.local
|
||||
printf "%s\n" "$FAIL2BAN_LOCAL" | sudo tee /etc/fail2ban/fail2ban.local
|
||||
FAIL2BAN_SSH_JAIL_LOCAL=$(cat <<'EOF'
|
||||
[sshd]
|
||||
backend = systemd
|
||||
enabled = true
|
||||
filter = sshd
|
||||
banaction = ufw
|
||||
banaction = iptables
|
||||
backend = systemd
|
||||
maxretry = 3
|
||||
# 3 failed attempts in 600 seconds = 10 minutes
|
||||
findtime = 1d
|
||||
@@ -400,38 +391,21 @@ EOF
|
||||
)
|
||||
FAIL2BAN_JAIL_LOCAL=$(cat <<'EOF'
|
||||
[DEFAULT]
|
||||
backend = systemd
|
||||
bantime = 1d
|
||||
EOF
|
||||
)
|
||||
printf "%s" "$FAIL2BAN_JAIL_LOCAL" | sudo tee /etc/fail2ban/jail.local
|
||||
printf "%s" "$FAIL2BAN_SSH_JAIL_LOCAL" | sudo tee /etc/fail2ban/jail.d/sshd.local
|
||||
printf "%s\n" "$FAIL2BAN_JAIL_LOCAL" | sudo tee /etc/fail2ban/jail.local
|
||||
sudo rm -f /etc/fail2ban/jail.d/*
|
||||
printf "%s\n" "$FAIL2BAN_SSH_JAIL_LOCAL" | sudo tee /etc/fail2ban/jail.d/sshd.local
|
||||
FAIL2BAN_FILTER=$(cat <<'EOF'
|
||||
[Definition]
|
||||
failregex = ^.*DROP_.*SRC=<ADDR> DST=.*$
|
||||
journalmatch = _TRANSPORT=kernel
|
||||
EOF
|
||||
)
|
||||
printf "%s" "$FAIL2BAN_FILTER" | sudo tee /etc/fail2ban/filter.d/fwdrop.local
|
||||
HARDEN_FAIL2BAN_SERVICE=$(cat <<'EOF'
|
||||
[Service]
|
||||
PrivateDevices=yes
|
||||
PrivateTmp=yes
|
||||
ProtectHome=read-only
|
||||
ProtectSystem=strict
|
||||
ReadWritePaths=-/var/run/fail2ban
|
||||
ReadWritePaths=-/var/lib/fail2ban
|
||||
ReadWritePaths=-/var/log/fail2ban
|
||||
ReadWritePaths=-/var/spool/postfix/maildrop
|
||||
ReadWritePaths=/run/xtables.lock
|
||||
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
|
||||
EOF
|
||||
)
|
||||
sudo mkdir -p /etc/systemd/system/fail2ban.service.d
|
||||
printf "%s" "$HARDEN_FAIL2BAN_SERVICE" | sudo tee /etc/systemd/system/fail2ban.service.d/override.conf
|
||||
sudo systemctl daemon-reload
|
||||
printf "%s\n" "$FAIL2BAN_FILTER" | sudo tee /etc/fail2ban/filter.d/fwdrop.local
|
||||
sudo systemctl enable --now fail2ban
|
||||
printf "%s" "LogLevel VERBOSE" | sudo tee -a /etc/ssh/sshd_config
|
||||
printf "%s\n" "LogLevel VERBOSE" | sudo tee -a /etc/ssh/sshd_config
|
||||
}
|
||||
|
||||
function enableServices {
|
||||
@@ -473,6 +447,28 @@ EOF
|
||||
sudo at now + 1 minute <<< "bash /root/delete_users.sh"
|
||||
}
|
||||
|
||||
function gVisorInit {
|
||||
# Install gVisor
|
||||
(
|
||||
set -e
|
||||
ARCH=$(uname -m)
|
||||
URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}
|
||||
wget "${URL}"/runsc "${URL}"/runsc.sha512 \
|
||||
"${URL}"/containerd-shim-runsc-v1 "${URL}"/containerd-shim-runsc-v1.sha512
|
||||
sha512sum -c runsc.sha512 \
|
||||
-c containerd-shim-runsc-v1.sha512
|
||||
rm -f -- *.sha512
|
||||
chmod a+rx runsc containerd-shim-runsc-v1
|
||||
sudo mv runsc containerd-shim-runsc-v1 /home/secdep/bin
|
||||
)
|
||||
# Enable gVisor for docker by default
|
||||
}
|
||||
|
||||
function finishingTouches {
|
||||
# Set the correct timezone for Greece
|
||||
sudo timedatectl set-timezone Europe/Athens
|
||||
}
|
||||
|
||||
# The main function will call the declared functions in order and exit if any of them fails.
|
||||
# It will also pass any arguments passed to the script to the dockerInit function.
|
||||
# Then it will output a message to the user and reboot the system in 2 minutes.
|
||||
@@ -488,14 +484,21 @@ function main {
|
||||
printf "%s" "Kernel security module initialized"
|
||||
configureFail2ban || exit 1 # Initialize fail2ban and exit if it fails
|
||||
printf "%s" "Fail2ban configured"
|
||||
# selinuxConfig # Configure selinux
|
||||
# Call the dockerInit function with the arguments passed to the script
|
||||
dockerInit "$@" || exit 1 # Initialize docker and exit if it fails
|
||||
enableServices || exit 1
|
||||
deleteRemainingUsers || exit 1
|
||||
printf "%s" "Docker Rootless and docker-compose installed"
|
||||
printf "%s" "Portainer along with any specified docker images from the command line or a docker-compose.yml file installed"
|
||||
gVisorInit || exit 1 # Initialize gVisor and exit if it fails
|
||||
printf "%s" "gVisor installed"
|
||||
enableServices || exit 1 # Enable the services that need to be restarted and the firewall
|
||||
printf "%s" "Services restarted and firewall enabled"
|
||||
deleteRemainingUsers || exit 1 # Delete possible remaining users
|
||||
printf "%s" "Any unnecessary users deleted"
|
||||
finishingTouches || exit 1 # Last finishing touches
|
||||
printf "%s" "System almost ready"
|
||||
printf "%s" "$SCRIPT_NAME script finished" # Output message to the user
|
||||
printf "%s" "System will reboot momentarily" # Output message to the user
|
||||
# Reboot the system in 2 minutes
|
||||
# Reboot the system in 2 minutes with the shutdown command so that login before the reboot is not possible
|
||||
sudo shutdown -r +2
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user