From 7d107bca67893acea453c449eae9b47224213293 Mon Sep 17 00:00:00 2001
From: konsthol
Date: Thu, 7 Sep 2023 07:09:20 +0300
Subject: [PATCH] Version control is awful
---
 assets/pages/demo/demo.md | 4 +++-
 harden | 32 ++++++++++++++++----------------
 2 files changed, 19 insertions(+), 17 deletions(-)
diff --git a/assets/pages/demo/demo.md b/assets/pages/demo/demo.md
index 4325ef9..22f2bb4 100644
--- a/assets/pages/demo/demo.md
+++ b/assets/pages/demo/demo.md
@@ -64,4 +64,6 @@ You can also specify a port with the `--port` flag.
 Note: The docker-compose.yml file has to be in the same directory as the script and be named as `docker-compose.yml`. Also if it contains a volumes section, make sure that the left side path before the ":" corresponting to the host path is not owned by root but by your user and if using portainer make sure to enter the full path in the web editor
-Additional Note: By deploying a docker-compose.yml file using the --docker_compose flag, the needed ports will be allowed by the firewall for usage. But by deploying a docker image or docker-compose.yml file through portainer one should then `sudo ufw allow needed_port` and `sudo ufw reload` for them to be usable or `firewall-cmd --permanent --add-port=needed_port` and `sudo firewall-cmd --reload` depending on the distribution
+Additional Note: By deploying a docker-compose.yml file using the --docker_compose flag, the needed ports will be allowed by the firewall for usage. But by deploying a docker image or docker-compose.yml file through portainer one should then `sudo ufw allow needed_port` and `sudo ufw reload` for them to be usable or `firewall-cmd --permanent --add-port=needed_port` and `sudo firewall-cmd --reload` depending on the distribution.
+
+For convenience, the scirpt will also create another script that checks which ports are to be opened or closed and assign it to a cronjob that will execute it every 20 minutes so one can just wait. 
diff --git a/harden b/harden
index 8bd6eab..aa56ee4 100755
--- a/harden
+++ b/harden
@@ -607,9 +607,9 @@ else
 sudo ufw reload
 fi
 TOHERE
-# Every 30 minutes check if there are any new ports used by docker and allow them in the firewall
+# Every 20 minutes check if there are any new ports used by docker and allow them in the firewall
 cat << TOHERE | sudo tee -a /var/spool/cron/crontabs/root > /dev/null 2>&1
-*/30 * * * * /root/bin/dynamic_docker_ports_cronjob.sh
+*/20 * * * * /root/bin/dynamic_docker_ports_cronjob.sh
 TOHERE
 sudo chmod +x /root/bin/dynamic_docker_ports_cronjob.sh
 sudo systemctl restart cron
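Review bot: The `cat << TOHERE | sudo tee -a /var/spool/cron/crontabs/root` line appends a fresh `*/20 * * * * /root/bin/dynamic_docker_ports_cronjob.sh` entry on every run, so re-running harden (or this function) stacks duplicate cron entries, and writing the spool file directly also bypasses the validation `crontab` would perform. A drop-in that is overwritten rather than appended is idempotent: `printf '*/20 * * * * root /root/bin/dynamic_docker_ports_cronjob.sh\n' | sudo tee /etc/cron.d/dynamic_docker_ports > /dev/null` followed by `sudo chmod 644 /etc/cron.d/dynamic_docker_ports` (cron.d entries carry the user field and must be root-owned, mode 0644). The comment above the heredoc describes a job that allows whatever ports docker starts using; it would be worth stating in that comment that this makes the firewall follow container port publishing rather than constrain it, e.g. `# NOTE: any port a container publishes is opened automatically; the firewall no longer restricts docker-exposed services`. The heredoc that produces the cron script, and the enclosing function, begin before this hunk.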
@@ -700,32 +700,32 @@ sudo systemctl restart cron
 # It will also pass any arguments passed to the script to the dockerInit function.
 # Then it will output a message to the user and reboot the system in 2 minutes.
 function main {
- printf "%s\n" "$SCRIPT_NAME script started"
+ printf "%s\n" "=> $SCRIPT_NAME script started <="
 check_dependencies || exit 1 # Check dependencies and exit if it fails
- printf "%s\n" "Dependencies installed"
+ printf "%s\n" "=> Dependencies installed <="
 hardenSSH || exit 1 # Harden ssh and exit if it fails
- printf "%s\n" "SSH hardened"
+ printf "%s\n" "=> SSH hardened <="
 firewallInit || exit 1 # Initialize the firewall and exit if it fails
- printf "%s\n" "Firewall initialized"
+ printf "%s\n" "=> Firewall initialized <="
 kernelSecurityModuleInit || exit 1 # Initialize the kernel security module and exit if it fails
- printf "%s\n" "Kernel security module initialized"
+ printf "%s\n" "=> Kernel security module initialized <="
 configureFail2ban || exit 1 # Initialize fail2ban and exit if it fails
- printf "%s\n" "Fail2ban configured"
+ printf "%s\n" "=> Fail2ban configured <="
 # Call the dockerInit function with the arguments passed to the script
 dockerInit "$@" || exit 1 # Initialize docker and exit if it fails
- printf "%s\n" "Docker Rootless, docker-compose and gVisor installed and configured"
- printf "%s\n" "Portainer and Watchtower along with any specified docker images from the command line or a docker-compose.yml file installed"
+ printf "%s\n" "=> Docker Rootless, docker-compose and gVisor installed and configured <="
+ printf "%s\n" "=> Portainer and Watchtower along with any specified docker images from the command line or a docker-compose.yml file installed <="
 enableServices || exit 1 # Enable the services that need to be restarted and the firewall
- printf "%s\n" "Services restarted and firewall enabled"
+ printf "%s\n" "=> Services restarted and firewall enabled <="
 dynamicDockerPortsCronjob || exit 1 # Allow the ports
used by docker in the firewall
- printf "%s\n" "CronJob to adjust the ports used by docker and the firewall installed"
+ printf "%s\n" "=> CronJob to adjust the ports used by docker and the firewall installed <="
 automaticUpdatesCronjob || exit 1 # Install a cronjob to update the system periodically
- printf "%s\n" "CronJob to update the system installed"
+ printf "%s\n" "=> CronJob to update the system installed <="
 # If the username is not secdep, delete the remaining users
 [[ "$USER" != "secdep" ]] && deleteRemainingUsers || exit 1 # Delete possible remaining users
- printf "%s\n" "Any unnecessary users deleted"
- printf "%s\n" "$SCRIPT_NAME script finished" # Output message to the user
- printf "%s\n" "System will reboot momentarily" # Output message to the user
+ printf "%s\n" "=> Any unnecessary users deleted <="
+ printf "%s\n" "=> $SCRIPT_NAME script finished <=" # Output message to the user
+ printf "%s\n" "=> System will reboot momentarily <=" # Output message to the user
 # Reboot the system in 3 minutes with the shutdown command so that login before the reboot is not possible
 # If the username is not secdep, reboot the system in 1 minute
 # We reboot just in case there are any updates that need to be applied
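Review bot: The line `[[ "$USER" != "secdep" ]] && deleteRemainingUsers || exit 1` aborts main with status 1 whenever the user is secdep, because the short-circuited `&&` yields a false status that the trailing `|| exit 1` then acts on, so the "finished"/"reboot" messages and the shutdown that follows are skipped in exactly the case the comment says should merely skip user deletion. Writing it as `if [[ "$USER" != "secdep" ]]; then deleteRemainingUsers || exit 1; fi` keeps the intended semantics (skip for secdep, abort only if deletion fails). `$USER` is inherited from the environment and, when the script is run via sudo, presumably reports `root` rather than the invoking account, so `"$(id -un)"` or `${SUDO_USER:-$USER}` may be what is intended here — worth confirming against how the script is launched. The header comment says the system reboots "in 2 minutes" while the trailing comments say 3 minutes (or 1 for non-secdep); one of them should be corrected. main continues past the end of this hunk.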