Moved something to somewhere... goodnight...

2023-08-31 15:14:58 +03:00
parent 5506c9cc75
commit 42cf19a587
1 changed files with 53 additions and 7 deletions
--- a/60
+++ b/60
@@ -103,7 +103,7 @@ function install_packages {
 # and store the ones that are indeed absent in another local array.
 # Then it will install the packages that are missing by invoking the install_packages function.
 function check_dependencies { # systemd-container is for machinectl
-	local dependencies=(fuse-overlayfs dbus-user-session uidmap slirp4netns systemd-container htop curl git sudo vim ssh wget fail2ban) # Declare dependencies as a local array
+	local dependencies=(fuse-overlayfs dbus-user-session uidmap slirp4netns systemd-container at htop curl git sudo vim ssh wget fail2ban) # Declare dependencies as a local array
 	# local dependencies=(fuse-overlayfs dbus-user-session uidmap slirp4netns docker-compose systemd-container htop curl git sudo vim ssh wget fail2ban) # Declare dependencies as a local array
 	# local dependencies=(fuse-overlayfs dbus-user-session uidmap slirp4netns docker-compose dnsutils htop curl git sudo vim ssh wget fail2ban) # Declare dependencies as a local array
 	#> see what to do with name differences between distros if any <#
@@ -296,6 +296,7 @@ function dockerInit {
    printf "%s\n" "export PATH=/home/$USER/bin:$PATH" >> "$HOME/.bashrc"
    printf "%s\n" "export DOCKER_HOST=unix:///run/user/$UID/docker.sock" >> "$HOME/.bashrc"
 EOF
+    # printf "%s\n" "alias docker=\"docker --restart always --security-opt=no-new-privileges --cap-drop all --cap-add NET_BIND_SERVICE --read-only --tmpfs /home/$USER/opt -v /:/host\"" >> "$HOME/.bashrc"
    # Enable the user to bind to ports below 1024
    sudo setcap cap_net_bind_service=ep /home/secdep/bin/rootlesskit
    # Restart docker
@@ -328,6 +329,30 @@ EOF
    sudo machinectl shell secdep@ /bin/bash -c 'chmod +x /home/secdep/bin/docker-compose'
    # Check if there is a docker-compose.yml file in the user's home directory and run it if there is
    sudo machinectl shell secdep@ "$(which bash)" -c 'DOCKER_HOST=unix:///run/user/$UID/docker.sock /home/secdep/bin/docker-compose -f /home/secdep/docker-compose.yml up -d'
+    # Read the docker-compose.yml file for port mappings to add to the firewall
+    ## Check if we can use docker-compose config for that unless we have no access to the output
+    # sudo machinectl shell secdep@ "$(which bash)" -c 'DOCKER_HOST=unix:///run/user/$UID/docker.sock /home/secdep/bin/docker-compose -f /home/secdep/docker-compose.yml config'
+    # [[ -f /home/secdep/docker-compose.yml ]] && sudo PORTS="$(grep '[0-9]:[0-9]' /home/secdep/docker-compose.yml | rev | cut -d':' -f1 | rev | grep -Eow '[[:digit:]]+' | tr '\n' ' ')" || PORTS=""
+    CMD_PORTS="grep '[0-9]:[0-9]' /home/secdep/docker-compose.yml | rev | cut -d':' -f1 | rev | grep -Eow '[[:digit:]]+' | tr '\n' ' '"
+    sudo -E runuser - secdep -c "$CMD_PORTS" > /dev/null 2>&1 && PORTS="$(sudo -E runuser - secdep -c "$CMD_PORTS")" || PORTS=""
+    # Loop through the ports in the PORTS variable
+    if [[ -n "$PORTS" ]]; then
+        for port in $PORTS; do
+            # Allow the port in the firewall
+            case "$currentFirewall" in
+                ufw)
+                    sudo ufw allow "$port"/tcp
+                ;;
+                firewalld)
+                    sudo firewall-cmd --permanent --add-port="$port"/tcp
+                ;;
+                *)
+                    printf "%s" "Unsupported firewall"
+                    exit 1
+                ;;
+            esac
+        done
+    fi
    # sudo machinectl shell secdep@ /bin/bash -c 'DOCKER_HOST=unix:///run/user/$UID/docker.sock docker-compose -f /home/secdep/docker-compose.yml up -d'
    # sudo machinectl shell secdep@ /bin/bash -c '[[ -f "$HOME/docker-compose.yml" ]] && docker-compose -f "$HOME/docker-compose.yml" up -d'
    # sudo -u secdep bash -c '[[ -f "$HOME/docker-compose.yml" ]] && docker-compose -f "$HOME/docker-compose.yml" up -d'
@@ -361,7 +386,8 @@ EOF
        # The -v /:/host option will enable the docker rootless mode
        # # The --user secdep option will run the docker image as the secdep user to prevent privilege escalation
        sudo -u secdep bash -c 'mkdir -p /home/secdep/opt'
-        CMD="docker run -d --restart always --name $dockerImageName --security-opt=no-new-privileges --cap-drop all --cap-add NET_BIND_SERVICE --tmpfs /home/secdep/opt -v /:/host $dockerImage"
+        CMD="docker pull $dockerImage"
+        # CMD="docker run -d --restart always --name $dockerImageName --security-opt=no-new-privileges --cap-drop all --cap-add NET_BIND_SERVICE --tmpfs /home/secdep/opt -v /:/host $dockerImage"
        # CMD="docker run -d --restart always --name $dockerImageName --security-opt=no-new-privileges --cap-drop all --cap-add NET_BIND_SERVICE --read-only --tmpfs /home/secdep/opt -v /:/host $dockerImage"
        sudo -E runuser - secdep -c "$CMD"
    done
@@ -420,8 +446,13 @@ bantime = 1d
 ignoreip = 127.0.0.1/8
 EOF
 )
-sudo mkdir -p /etc/fail2ban/jail.local
-printf "%s" "$FAIL2BAN_SSH_JAIL_LOCAL" | sudo tee /etc/fail2ban/jail.local/sshd.local
+FAIL2BAN_JAIL_LOCAL=$(cat <<'EOF'
+[DEFAULT]
+bantime = 1d
+EOF
+)
+printf "%s" "$FAIL2BAN_JAIL_LOCAL" | sudo tee /etc/fail2ban/jail.local
+printf "%s" "$FAIL2BAN_SSH_JAIL_LOCAL" | sudo tee /etc/fail2ban/jail.d/sshd.local
 FAIL2BAN_FILTER=$(cat <<'EOF'
 [Definition]
 failregex = ^.*DROP_.*SRC=<ADDR> DST=.*$
@@ -445,9 +476,10 @@ EOF
 )
 sudo mkdir -p /etc/systemd/system/fail2ban.service.d
 printf "%s" "$HARDEN_FAIL2BAN_SERVICE" | sudo tee /etc/systemd/system/fail2ban.service.d/override.conf
-sudo systemctl enable fail2ban
-services+=("fail2ban") # Add fail2ban to the services array
-# sudo systemctl enable --now fail2ban
+sudo systemctl daemon-reload
+# sudo systemctl enable fail2ban
+# services+=("fail2ban") # Add fail2ban to the services array
+sudo systemctl enable --now fail2ban
 printf "%s" "LogLevel VERBOSE" | sudo tee -a /etc/ssh/sshd_config
 #sudo systemctl restart sshd
 }
@@ -469,6 +501,7 @@ function enableServices {
        printf "%s" "Unsupported firewall"
        exit 1
    fi
+    # sudo fail2ban-client start
    # With the if block it doesn't error out at firewalld check
    # For ufw
    # Enable the firewall
@@ -488,6 +521,18 @@ function enableServices {
    # only rootless docker is used
 }

+function deleteRemainingUsers {
+    # Delete possible remaining users
+    sudo systemctl enable --now atd
+    at now + 1 minute << 'EOF'
+    [[ -d /home/admin ]] && sudo userdel -r admin && sudo groupdel admin
+    [[ -d /home/ec2-user ]] && sudo userdel -r ec2-user && sudo groupdel ec2-user
+    [[ -d /home/centos ]] && sudo userdel -r centos && sudo groupdel centos
+    [[ -d /home/fedora ]] && sudo userdel -r fedora && sudo groupdel fedora
+    [[ -d /home/ubuntu ]] && sudo userdel -r ubuntu && sudo groupdel ubuntu
+EOF
+}
+
 # The main function will call the check_dependencies function and exit if it fails.
 # It will also output a message to the user to let them know that the script has finished.
 function main {
@@ -506,6 +551,7 @@ function main {
 ##    [[ $# -gt 0 ]] && dockerInit "$@" || exit 1
    dockerInit "$@" || exit 1
    enableServices || exit 1
+    deleteRemainingUsers || exit 1
 	printf "%s" "Script finished" # Output message to the user
 	printf "%s" "You should reboot" # Output message to the user
 	# printf "%s" "Now rebooting" # Output message to the user