From 42cf19a5872724439d6ddc3879379fb1afd11786 Mon Sep 17 00:00:00 2001
From: konsthol
Date: Thu, 31 Aug 2023 15:14:58 +0300
Subject: [PATCH] Moved something to somewhere... goodnight...

---
 harden | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 53 insertions(+), 7 deletions(-)

diff --git a/harden b/harden
index e177ba2..5d2da1b 100755
--- a/harden
+++ b/harden
@@ -103,7 +103,7 @@ function install_packages {
 # and store the ones that are indeed absent in another local array.
 # Then it will install the packages that are missing by invoking the install_packages function.
 function check_dependencies { # systemd-container is for machinectl
- local dependencies=(fuse-overlayfs dbus-user-session uidmap slirp4netns systemd-container htop curl git sudo vim ssh wget fail2ban) # Declare dependencies as a local array
+ local dependencies=(fuse-overlayfs dbus-user-session uidmap slirp4netns systemd-container at htop curl git sudo vim ssh wget fail2ban) # Declare dependencies as a local array
 # local dependencies=(fuse-overlayfs dbus-user-session uidmap slirp4netns docker-compose systemd-container htop curl git sudo vim ssh wget fail2ban) # Declare dependencies as a local array
 # local dependencies=(fuse-overlayfs dbus-user-session uidmap slirp4netns docker-compose dnsutils htop curl git sudo vim ssh wget fail2ban) # Declare dependencies as a local array
 #> see what to do with name differences between distros if any <#
@@ -296,6 +296,7 @@ function dockerInit {
 printf "%s\n" "export PATH=/home/$USER/bin:$PATH" >> "$HOME/.bashrc"
 printf "%s\n" "export DOCKER_HOST=unix:///run/user/$UID/docker.sock" >> "$HOME/.bashrc"
 EOF
+ # printf "%s\n" "alias docker=\"docker --restart always --security-opt=no-new-privileges --cap-drop all --cap-add NET_BIND_SERVICE --read-only --tmpfs /home/$USER/opt -v /:/host\"" >> "$HOME/.bashrc"
 # Enable the user to bind to ports below 1024
 sudo setcap cap_net_bind_service=ep /home/secdep/bin/rootlesskit
 # Restart docker
@@ -328,6 +329,30 @@ EOF
 sudo machinectl shell secdep@ /bin/bash -c 'chmod +x /home/secdep/bin/docker-compose'
 # Check if there is a docker-compose.yml file in the user's home directory and run it if there is
 sudo machinectl shell secdep@ "$(which bash)" -c 'DOCKER_HOST=unix:///run/user/$UID/docker.sock /home/secdep/bin/docker-compose -f /home/secdep/docker-compose.yml up -d'
+ # Read the docker-compose.yml file for port mappings to add to the firewall
+ ## Check if we can use docker-compose config for that unless we have no access to the output
+ # sudo machinectl shell secdep@ "$(which bash)" -c 'DOCKER_HOST=unix:///run/user/$UID/docker.sock /home/secdep/bin/docker-compose -f /home/secdep/docker-compose.yml config'
+ # [[ -f /home/secdep/docker-compose.yml ]] && sudo PORTS="$(grep '[0-9]:[0-9]' /home/secdep/docker-compose.yml | rev | cut -d':' -f1 | rev | grep -Eow '[[:digit:]]+' | tr '\n' ' ')" || PORTS=""
+ CMD_PORTS="grep '[0-9]:[0-9]' /home/secdep/docker-compose.yml | rev | cut -d':' -f1 | rev | grep -Eow '[[:digit:]]+' | tr '\n' ' '"
+ sudo -E runuser - secdep -c "$CMD_PORTS" > /dev/null 2>&1 && PORTS="$(sudo -E runuser - secdep -c "$CMD_PORTS")" || PORTS=""
+ # Loop through the ports in the PORTS variable
+ if [[ -n "$PORTS" ]]; then
+ for port in $PORTS; do
+ # Allow the port in the firewall
+ case "$currentFirewall" in
+ ufw)
+ sudo ufw allow "$port"/tcp
+ ;;
+ firewalld)
+ sudo firewall-cmd --permanent --add-port="$port"/tcp
+ ;;
+ *)
+ printf "%s" "Unsupported firewall"
+ exit 1
+ ;;
+ esac
+ done
+ fi
 # sudo machinectl shell secdep@ /bin/bash -c 'DOCKER_HOST=unix:///run/user/$UID/docker.sock docker-compose -f /home/secdep/docker-compose.yml up -d'
 # sudo machinectl shell secdep@ /bin/bash -c '[[ -f "$HOME/docker-compose.yml" ]] && docker-compose -f "$HOME/docker-compose.yml" up -d'
 # sudo -u secdep bash -c '[[ -f "$HOME/docker-compose.yml" ]] && docker-compose -f "$HOME/docker-compose.yml" up -d'
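Review bot: The new `CMD_PORTS` pipeline keeps the field after the last colon (`rev | cut -d':' -f1 | rev`), which in compose `HOST:CONTAINER` or `IP:HOST:CONTAINER` mappings is the container port, so `ufw allow`/`firewall-cmd --add-port` opens the wrong port on the host whenever the two differ (`8080:80` yields `80`). The `'[0-9]:[0-9]'` selector also matches any digit:digit token outside `ports:`, for example a `user: 1000:1000` entry, and would open that number as a TCP port. Restricting the first grep to list items (`grep -E '^[[:space:]]*-'` on the matched lines) and using `cut -d':' -f2` after the `rev` narrows both, and the commented-out `docker-compose config` route or a YAML-aware tool would be more reliable than grepping the raw file. The command is also executed twice, once discarded and once captured; `PORTS=$(sudo -E runuser - secdep -c "$CMD_PORTS") || PORTS=""` captures once and tests the status in one step. dockerInit continues outside the hunk.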
@@ -361,7 +386,8 @@ EOF
 # The -v /:/host option will enable the docker rootless mode
 # # The --user secdep option will run the docker image as the secdep user to prevent privilege escalation
 sudo -u secdep bash -c 'mkdir -p /home/secdep/opt'
- CMD="docker run -d --restart always --name $dockerImageName --security-opt=no-new-privileges --cap-drop all --cap-add NET_BIND_SERVICE --tmpfs /home/secdep/opt -v /:/host $dockerImage"
+ CMD="docker pull $dockerImage"
+ # CMD="docker run -d --restart always --name $dockerImageName --security-opt=no-new-privileges --cap-drop all --cap-add NET_BIND_SERVICE --tmpfs /home/secdep/opt -v /:/host $dockerImage"
 # CMD="docker run -d --restart always --name $dockerImageName --security-opt=no-new-privileges --cap-drop all --cap-add NET_BIND_SERVICE --read-only --tmpfs /home/secdep/opt -v /:/host $dockerImage"
 sudo -E runuser - secdep -c "$CMD"
 done
@@ -420,8 +446,13 @@ bantime = 1d
 ignoreip = 127.0.0.1/8
 EOF
 )
-sudo mkdir -p /etc/fail2ban/jail.local
-printf "%s" "$FAIL2BAN_SSH_JAIL_LOCAL" | sudo tee /etc/fail2ban/jail.local/sshd.local
+FAIL2BAN_JAIL_LOCAL=$(cat <<'EOF'
+[DEFAULT]
+bantime = 1d
+EOF
+)
+printf "%s" "$FAIL2BAN_JAIL_LOCAL" | sudo tee /etc/fail2ban/jail.local
+printf "%s" "$FAIL2BAN_SSH_JAIL_LOCAL" | sudo tee /etc/fail2ban/jail.d/sshd.local
 FAIL2BAN_FILTER=$(cat <<'EOF'
 [Definition]
 failregex = ^.*DROP_.*SRC= DST=.*$
@@ -445,9 +476,10 @@ EOF
 )
 sudo mkdir -p /etc/systemd/system/fail2ban.service.d
 printf "%s" "$HARDEN_FAIL2BAN_SERVICE" | sudo tee /etc/systemd/system/fail2ban.service.d/override.conf
-sudo systemctl enable fail2ban
-services+=("fail2ban") # Add fail2ban to the services array
-# sudo systemctl enable --now fail2ban
+sudo systemctl daemon-reload
+# sudo systemctl enable fail2ban
+# services+=("fail2ban") # Add fail2ban to the services array
+sudo systemctl enable --now fail2ban
 printf "%s" "LogLevel VERBOSE" | sudo tee -a /etc/ssh/sshd_config
 #sudo systemctl restart sshd
 }
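Review bot: The new `CMD="docker pull $dockerImage"` is executed through `sudo -E runuser - secdep -c "$CMD"` with no status check, so a failed pull (typo, registry unreachable, no network yet) leaves the loop running and the script reporting success. `sudo -E runuser - secdep -c "$CMD" || return 1` would surface it, and pulling by digest (`name@sha256:...`) rather than a mutable tag where the caller can supply one makes the image that is later run deterministic. Because `$dockerImage` is spliced into a command string that a shell evaluates, an image name taken from the script's arguments is interpreted as shell syntax; validating it against the image-reference grammar before use, or handing it to the `-c` script as a positional argument, keeps it data rather than code. The surrounding `for ... done` loop starts outside the hunk.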
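Review bot: With the old `mkdir -p` dropped, nothing in the new lines ensures `/etc/fail2ban/jail.d` exists before `tee /etc/fail2ban/jail.d/sshd.local`, and neither `tee` has its status checked, so a missing directory or failed write is only visible as a tee error in the scroll-back while fail2ban later starts without the sshd jail. An explicit `sudo mkdir -p /etc/fail2ban/jail.d` ahead of the write, and `>/dev/null` on both `tee` calls so the jail contents are not echoed to the terminal, would make the intent clear. The `[DEFAULT]` `bantime = 1d` now applies to every jail, including the custom `failregex` filter defined just below; a comment on the heredoc such as `# Applies to all jails unless a jail overrides it` would record that. The function enclosing this block starts outside the hunk.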
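Review bot: `sudo systemctl enable --now fail2ban` now starts the service here, but its exit status is not checked, so a jail or filter file written just above that fail2ban rejects at startup goes unnoticed while the script continues; `sudo systemctl enable --now fail2ban || return 1` would catch it. The commit also drops `services+=("fail2ban")`; if that array drives a later enable or restart in enableServices (outside this hunk), confirm nothing else still expects fail2ban in it and that starting the service before enableServices has configured the firewall is intended. A short comment next to the `daemon-reload`, e.g. `# Pick up the override.conf written above before (re)starting`, would explain why it precedes the enable.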
@@ -469,6 +501,7 @@ function enableServices {
 printf "%s" "Unsupported firewall"
 exit 1
 fi
+ # sudo fail2ban-client start
 # With the if block it doesn't error out at firewalld check
 # For ufw
 # Enable the firewall
@@ -488,6 +521,18 @@ function enableServices {
 # only rootless docker is used
 }
 
+function deleteRemainingUsers {
+ # Delete possible remaining users
+ sudo systemctl enable --now atd
+ at now + 1 minute << 'EOF'
+ [[ -d /home/admin ]] && sudo userdel -r admin && sudo groupdel admin
+ [[ -d /home/ec2-user ]] && sudo userdel -r ec2-user && sudo groupdel ec2-user
+ [[ -d /home/centos ]] && sudo userdel -r centos && sudo groupdel centos
+ [[ -d /home/fedora ]] && sudo userdel -r fedora && sudo groupdel fedora
+ [[ -d /home/ubuntu ]] && sudo userdel -r ubuntu && sudo groupdel ubuntu
+EOF
+}
+
 # The main function will call the check_dependencies function and exit if it fails.
 # It will also output a message to the user to let them know that the script has finished.
 function main {
@@ -506,6 +551,7 @@ function main {
 ## [[ $# -gt 0 ]] && dockerInit "$@" || exit 1
 dockerInit "$@" || exit 1
 enableServices || exit 1
+ deleteRemainingUsers || exit 1
 printf "%s" "Script finished" # Output message to the user
 printf "%s" "You should reboot" # Output message to the user
 # printf "%s" "Now rebooting" # Output message to the user
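Review bot: The `at` job in the new `deleteRemainingUsers` runs without a terminal, so each `sudo userdel`/`sudo groupdel` inside it fails on a password prompt unless the submitting account has passwordless sudo, and the only trace is local mail from atd; `sudo -n` makes the no-prompt assumption explicit and piping the job's output through `logger` leaves a syslog record of which accounts were actually removed. The heredoc is executed by the shell named in `$SHELL` at submission time, which is not guaranteed to be bash, so `[[ ... ]]` should become `[ ... ]` or, better, an `id "$u"` test that also catches accounts whose home is not under `/home`. `groupdel` after `userdel -r` commonly fails because userdel already removed a same-named private group, so it should not sit in the `&&` chain. `sudo systemctl enable --now atd` is also unchecked; if atd cannot start, the job is never run. The rewrite below folds these into one loop.
```shell
function deleteRemainingUsers {
  # Delete possible remaining users; deferred through at(1) so the account
  # that is running this script can itself be removed after it exits.
  sudo systemctl enable --now atd || return 1
  at now + 1 minute << 'EOF'
{
  for u in admin ec2-user centos fedora ubuntu; do
    id "$u" >/dev/null 2>&1 || continue
    # -n: never prompt; an at job has no terminal to answer a password prompt
    sudo -n userdel -r "$u" || { echo "userdel $u failed"; continue; }
    # userdel may already have removed a same-named private group; not fatal
    sudo -n groupdel "$u" 2>/dev/null || true
  done
} 2>&1 | logger -t harden-userdel
EOF
}
```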
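Review bot: `deleteRemainingUsers || exit 1` schedules an irreversible removal of the cloud default accounts one minute later, but the "Script finished" and "You should reboot" messages printed right after say nothing about it, so an operator logged in as one of those users can be locked out before confirming that the replacement account (secdep, by the paths used elsewhere in the script) accepts logins. Adding `printf '%s\n' "Default cloud accounts will be removed in one minute; confirm you can log in as secdep before disconnecting"` beside the existing messages makes the consequence visible. main starts outside the hunk.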