Version control is awful
@@ -64,4 +64,6 @@ You can also specify a port with the `--port` flag.
|
|||||||
|
|
||||||
Note: The docker-compose.yml file has to be in the same directory as the script and be named as `docker-compose.yml`. Also if it contains a volumes section, make sure that the left side path before the ":" corresponting to the host path is not owned by root but by your user and if using portainer make sure to enter the full path in the web editor
|
Note: The docker-compose.yml file has to be in the same directory as the script and be named as `docker-compose.yml`. Also if it contains a volumes section, make sure that the left side path before the ":" corresponting to the host path is not owned by root but by your user and if using portainer make sure to enter the full path in the web editor
|
||||||
|
|
||||||
Additional Note: By deploying a docker-compose.yml file using the --docker_compose flag, the needed ports will be allowed by the firewall for usage. But by deploying a docker image or docker-compose.yml file through portainer one should then `sudo ufw allow needed_port` and `sudo ufw reload` for them to be usable or `firewall-cmd --permanent --add-port=needed_port` and `sudo firewall-cmd --reload` depending on the distribution
|
Additional Note: By deploying a docker-compose.yml file using the --docker_compose flag, the needed ports will be allowed by the firewall for usage. But by deploying a docker image or docker-compose.yml file through portainer one should then `sudo ufw allow needed_port` and `sudo ufw reload` for them to be usable or `firewall-cmd --permanent --add-port=needed_port` and `sudo firewall-cmd --reload` depending on the distribution.
|
||||||
|
|
||||||
|
For convenience, the scirpt will also create another script that checks which ports are to be opened or closed and assign it to a cronjob that will execute it every 20 minutes so one can just wait.
|
||||||
|
|||||||
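Review bot: the added line has a typo, "scirpt" for "script", and the unchanged Note line above it still reads "corresponting"; both are worth fixing in this README pass. The firewalld example in the Additional Note is also incomplete: `firewall-cmd --permanent --add-port=needed_port` needs the protocol suffix that firewalld requires (for example `needed_port/tcp`) and, unlike the paired `sudo firewall-cmd --reload` and the ufw lines, is missing `sudo`. Since the new paragraph says the cron job will open whichever ports Docker is using every 20 minutes, the README should also state plainly that any port a container publishes is thereby opened in the firewall automatically, so the firewall no longer gates container exposure; readers deciding which images to deploy should know that before relying on it.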
32
harden
@@ -607,9 +607,9 @@ else
|
|||||||
sudo ufw reload
|
sudo ufw reload
|
||||||
fi
|
fi
|
||||||
TOHERE
|
TOHERE
|
||||||
# Every 30 minutes check if there are any new ports used by docker and allow them in the firewall
|
# Every 20 minutes check if there are any new ports used by docker and allow them in the firewall
|
||||||
cat << TOHERE | sudo tee -a /var/spool/cron/crontabs/root > /dev/null 2>&1
|
cat << TOHERE | sudo tee -a /var/spool/cron/crontabs/root > /dev/null 2>&1
|
||||||
*/30 * * * * /root/bin/dynamic_docker_ports_cronjob.sh
|
*/20 * * * * /root/bin/dynamic_docker_ports_cronjob.sh
|
||||||
TOHERE
|
TOHERE
|
||||||
sudo chmod +x /root/bin/dynamic_docker_ports_cronjob.sh
|
sudo chmod +x /root/bin/dynamic_docker_ports_cronjob.sh
|
||||||
sudo systemctl restart cron
|
sudo systemctl restart cron
|
||||||
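Review bot: beyond the 30 to 20 minute change, `cat << TOHERE | sudo tee -a /var/spool/cron/crontabs/root` appends a new line on every run, so re-running the script installs duplicate `*/20` entries and bypasses the syntax check that `crontab` performs; prefer installing the entry through `sudo crontab -` (or a file under /etc/cron.d) and make the step idempotent by checking for an existing entry first. The spool path and `sudo systemctl restart cron` are Debian and Ubuntu specific (other distributions use /var/spool/cron and the `crond` service), whereas the README hunk documents both ufw and firewalld, so either branch on the distribution here or document that the cron installation assumes Debian or Ubuntu.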
@@ -700,32 +700,32 @@ sudo systemctl restart cron
|
|||||||
# It will also pass any arguments passed to the script to the dockerInit function.
|
# It will also pass any arguments passed to the script to the dockerInit function.
|
||||||
# Then it will output a message to the user and reboot the system in 2 minutes.
|
# Then it will output a message to the user and reboot the system in 2 minutes.
|
||||||
function main {
|
function main {
|
||||||
printf "%s\n" "$SCRIPT_NAME script started"
|
printf "%s\n" "=> $SCRIPT_NAME script started <="
|
||||||
check_dependencies || exit 1 # Check dependencies and exit if it fails
|
check_dependencies || exit 1 # Check dependencies and exit if it fails
|
||||||
printf "%s\n" "Dependencies installed"
|
printf "%s\n" "=> Dependencies installed <="
|
||||||
hardenSSH || exit 1 # Harden ssh and exit if it fails
|
hardenSSH || exit 1 # Harden ssh and exit if it fails
|
||||||
printf "%s\n" "SSH hardened"
|
printf "%s\n" "=> SSH hardened <="
|
||||||
firewallInit || exit 1 # Initialize the firewall and exit if it fails
|
firewallInit || exit 1 # Initialize the firewall and exit if it fails
|
||||||
printf "%s\n" "Firewall initialized"
|
printf "%s\n" "=> Firewall initialized <="
|
||||||
kernelSecurityModuleInit || exit 1 # Initialize the kernel security module and exit if it fails
|
kernelSecurityModuleInit || exit 1 # Initialize the kernel security module and exit if it fails
|
||||||
printf "%s\n" "Kernel security module initialized"
|
printf "%s\n" "=> Kernel security module initialized <="
|
||||||
configureFail2ban || exit 1 # Initialize fail2ban and exit if it fails
|
configureFail2ban || exit 1 # Initialize fail2ban and exit if it fails
|
||||||
printf "%s\n" "Fail2ban configured"
|
printf "%s\n" "=> Fail2ban configured <="
|
||||||
# Call the dockerInit function with the arguments passed to the script
|
# Call the dockerInit function with the arguments passed to the script
|
||||||
dockerInit "$@" || exit 1 # Initialize docker and exit if it fails
|
dockerInit "$@" || exit 1 # Initialize docker and exit if it fails
|
||||||
printf "%s\n" "Docker Rootless, docker-compose and gVisor installed and configured"
|
printf "%s\n" "=> Docker Rootless, docker-compose and gVisor installed and configured <="
|
||||||
printf "%s\n" "Portainer and Watchtower along with any specified docker images from the command line or a docker-compose.yml file installed"
|
printf "%s\n" "=> Portainer and Watchtower along with any specified docker images from the command line or a docker-compose.yml file installed <="
|
||||||
enableServices || exit 1 # Enable the services that need to be restarted and the firewall
|
enableServices || exit 1 # Enable the services that need to be restarted and the firewall
|
||||||
printf "%s\n" "Services restarted and firewall enabled"
|
printf "%s\n" "=> Services restarted and firewall enabled <="
|
||||||
dynamicDockerPortsCronjob || exit 1 # Allow the ports used by docker in the firewall
|
dynamicDockerPortsCronjob || exit 1 # Allow the ports used by docker in the firewall
|
||||||
printf "%s\n" "CronJob to adjust the ports used by docker and the firewall installed"
|
printf "%s\n" "=> CronJob to adjust the ports used by docker and the firewall installed <="
|
||||||
automaticUpdatesCronjob || exit 1 # Install a cronjob to update the system periodically
|
automaticUpdatesCronjob || exit 1 # Install a cronjob to update the system periodically
|
||||||
printf "%s\n" "CronJob to update the system installed"
|
printf "%s\n" "=> CronJob to update the system installed <="
|
||||||
# If the username is not secdep, delete the remaining users
|
# If the username is not secdep, delete the remaining users
|
||||||
[[ "$USER" != "secdep" ]] && deleteRemainingUsers || exit 1 # Delete possible remaining users
|
[[ "$USER" != "secdep" ]] && deleteRemainingUsers || exit 1 # Delete possible remaining users
|
||||||
printf "%s\n" "Any unnecessary users deleted"
|
printf "%s\n" "=> Any unnecessary users deleted <="
|
||||||
printf "%s\n" "$SCRIPT_NAME script finished" # Output message to the user
|
printf "%s\n" "=> $SCRIPT_NAME script finished <=" # Output message to the user
|
||||||
printf "%s\n" "System will reboot momentarily" # Output message to the user
|
printf "%s\n" "=> System will reboot momentarily <=" # Output message to the user
|
||||||
# Reboot the system in 3 minutes with the shutdown command so that login before the reboot is not possible
|
# Reboot the system in 3 minutes with the shutdown command so that login before the reboot is not possible
|
||||||
# If the username is not secdep, reboot the system in 1 minute
|
# If the username is not secdep, reboot the system in 1 minute
|
||||||
# We reboot just in case there are any updates that need to be applied
|
# We reboot just in case there are any updates that need to be applied
|
||||||
|
|||||||
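Review bot: the line `[[ "$USER" != "secdep" ]] && deleteRemainingUsers || exit 1` exits the script whenever the user is secdep, because a false test short-circuits straight to `|| exit 1`, so in that case the finish message and reboot never run; an explicit `if [[ "$USER" != "secdep" ]]; then deleteRemainingUsers || exit 1; fi` gives the intended behaviour (skip the deletion, continue to the reboot). The comments also disagree on the reboot delay: the function header says 2 minutes, the block at the end says 3 minutes and then 1 minute; keep the value the shutdown command actually uses and drop the others. The `=> ... <=` wrapping of the status messages is purely cosmetic and fine as is.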