Committing fixes in the dark, seriously, who killed my power!?
12
harden
12
harden
@@ -323,7 +323,7 @@ EOF
|
|||||||
# Make sure docker is disabled after
|
# Make sure docker is disabled after
|
||||||
# having installed docker-compose, to make sure
|
# having installed docker-compose, to make sure
|
||||||
# only rootless docker is used
|
# only rootless docker is used
|
||||||
sudo systemctl disable --now docker.service docker.socket
|
# sudo systemctl disable --now docker.service docker.socket
|
||||||
sudo machinectl shell secdep@ /bin/bash -c 'curl -SL https://github.com/docker/compose/releases/download/v2.20.3/docker-compose-linux-x86_64 -o /home/secdep/bin/docker-compose'
|
sudo machinectl shell secdep@ /bin/bash -c 'curl -SL https://github.com/docker/compose/releases/download/v2.20.3/docker-compose-linux-x86_64 -o /home/secdep/bin/docker-compose'
|
||||||
sudo machinectl shell secdep@ /bin/bash -c 'chmod +x /home/secdep/bin/docker-compose'
|
sudo machinectl shell secdep@ /bin/bash -c 'chmod +x /home/secdep/bin/docker-compose'
|
||||||
# Check if there is a docker-compose.yml file in the user's home directory and run it if there is
|
# Check if there is a docker-compose.yml file in the user's home directory and run it if there is
|
||||||
@@ -398,6 +398,7 @@ EOF
|
|||||||
# sudo systemctl reload apparmor
|
# sudo systemctl reload apparmor
|
||||||
# }
|
# }
|
||||||
|
|
||||||
|
# Fix banaction ufw with iptables
|
||||||
function configureFail2ban {
|
function configureFail2ban {
|
||||||
FAIL2BAN_LOCAL=$(cat <<'EOF'
|
FAIL2BAN_LOCAL=$(cat <<'EOF'
|
||||||
[Definition]
|
[Definition]
|
||||||
@@ -419,6 +420,7 @@ bantime = 1d
|
|||||||
ignoreip = 127.0.0.1/8
|
ignoreip = 127.0.0.1/8
|
||||||
EOF
|
EOF
|
||||||
)
|
)
|
||||||
|
sudo mkdir -p /etc/fail2ban/jail.local
|
||||||
printf "%s" "$FAIL2BAN_SSH_JAIL_LOCAL" | sudo tee /etc/fail2ban/jail.local/sshd.local
|
printf "%s" "$FAIL2BAN_SSH_JAIL_LOCAL" | sudo tee /etc/fail2ban/jail.local/sshd.local
|
||||||
FAIL2BAN_FILTER=$(cat <<'EOF'
|
FAIL2BAN_FILTER=$(cat <<'EOF'
|
||||||
[Definition]
|
[Definition]
|
||||||
@@ -441,8 +443,10 @@ ReadWritePaths=/run/xtables.lock
|
|||||||
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
|
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
|
||||||
EOF
|
EOF
|
||||||
)
|
)
|
||||||
|
sudo mkdir -p /etc/systemd/system/fail2ban.service.d
|
||||||
printf "%s" "$HARDEN_FAIL2BAN_SERVICE" | sudo tee /etc/systemd/system/fail2ban.service.d/override.conf
|
printf "%s" "$HARDEN_FAIL2BAN_SERVICE" | sudo tee /etc/systemd/system/fail2ban.service.d/override.conf
|
||||||
sudo systemctl enable fail2ban
|
sudo systemctl enable fail2ban
|
||||||
|
services+=("fail2ban") # Add fail2ban to the services array
|
||||||
# sudo systemctl enable --now fail2ban
|
# sudo systemctl enable --now fail2ban
|
||||||
printf "%s" "LogLevel VERBOSE" | sudo tee -a /etc/ssh/sshd_config
|
printf "%s" "LogLevel VERBOSE" | sudo tee -a /etc/ssh/sshd_config
|
||||||
#sudo systemctl restart sshd
|
#sudo systemctl restart sshd
|
||||||
@@ -456,9 +460,9 @@ function enableServices {
|
|||||||
whereis ufw | grep -q /ufw && currentFirewall="ufw" || currentFirewall="firewalld"
|
whereis ufw | grep -q /ufw && currentFirewall="ufw" || currentFirewall="firewalld"
|
||||||
|
|
||||||
if [[ "$currentFirewall" == "ufw" ]]; then
|
if [[ "$currentFirewall" == "ufw" ]]; then
|
||||||
echo "You should enable ufw"
|
# echo "You should enable ufw"
|
||||||
# sudo ufw enable
|
sudo ufw --force enable
|
||||||
# sudo systemctl enable --now ufw
|
sudo systemctl enable --now ufw
|
||||||
elif [[ "$currentFirewall" == "firewalld" ]]; then
|
elif [[ "$currentFirewall" == "firewalld" ]]; then
|
||||||
sudo firewall-cmd --reload
|
sudo firewall-cmd --reload
|
||||||
else
|
else
|
||||||
|
|||||||
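Review bot: The added `sudo mkdir -p /etc/fail2ban/jail.local` in the @@ -419 hunk creates a directory at a path where fail2ban expects a file; as far as I can tell fail2ban reads jail overrides from the file `jail.local` and from drop-ins under `jail.d/`, so the `jail.local/sshd.local` written by the following tee is likely never loaded, the sshd jail silently stays inactive, and the directory may shadow a real jail.local. Both lines should target the drop-in directory instead: `sudo mkdir -p /etc/fail2ban/jail.d` and `printf "%s\n" "$FAIL2BAN_SSH_JAIL_LOCAL" | sudo tee /etc/fail2ban/jail.d/sshd.local`. A check after the service is enabled, e.g. `sudo fail2ban-client status sshd`, would confirm the jail is actually loaded rather than assumed. configureFail2ban begins and ends outside this hunk.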