I expected something different.
@@ -231,10 +231,14 @@ function firewallInit {
|
||||
sudo ufw default allow outgoing # Allow outgoing connections
|
||||
sudo ufw default deny incoming # Deny incoming connections
|
||||
sudo ufw allow 22100/tcp # Allow ssh connections on port 22100
|
||||
sudo ufw allow 8000/tcp # Allow portainer connections on port 8000
|
||||
sudo ufw allow 9443/tcp # Allow portainer connections on port 9443
|
||||
;;
|
||||
firewalld)
|
||||
sudo systemctl enable firewalld # Enable the firewall on boot
|
||||
sudo firewall-cmd --permanent --add-port=22100/tcp # Allow ssh connections on port 22100
|
||||
sudo firewall-cmd --permanent --add-port=8000/tcp # Allow portainer connections on port 8000
|
||||
sudo firewall-cmd --permanent --add-port=9443/tcp # Allow portainer connections on port 9443
|
||||
;;
|
||||
*)
|
||||
printf "%s" "Unsupported firewall"
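Review bot: The firewalld arm adds the three ports with `--permanent` only and then falls straight into `;;`, so the running firewall is not changed until a reload; add `sudo firewall-cmd --reload` before the `;;` (or repeat each `--add-port` without `--permanent`), unless a reload is done later outside this hunk. Separately, 8000/tcp is Portainer's Edge-agent tunnel port and is only needed when Edge agents are deployed, so if this host does not use them the two `8000/tcp` rules (ufw and firewalld) can be dropped and the exposed surface stays at 22100 and 9443. Limiting the Portainer rules to a management source, e.g. `sudo ufw allow from <ADMIN_CIDR> to any port 9443 proto tcp`, would be stronger than an any-source allow. firewallInit starts before the hunk.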
|
||||
@@ -278,8 +282,8 @@ function dockerInit {
|
||||
sudo machinectl shell secdep@ /bin/bash -c "curl -fsSL https://get.docker.com/rootless | sh"
|
||||
# Add important environment variables to the secdep user's .bashrc
|
||||
sudo su secdep << 'EOF'
|
||||
printf "%s\n" "export PATH=/home/$USER/bin:$PATH" >> "$HOME/.bashrc"
|
||||
printf "%s\n" "export DOCKER_HOST=unix:///run/user/$UID/docker.sock" >> "$HOME/.bashrc"
|
||||
printf "%s\n" "export PATH=/home/$USER/bin:$PATH" >> "$HOME/.bashrc"
|
||||
printf "%s\n" "export DOCKER_HOST=unix:///run/user/$UID/docker.sock" >> "$HOME/.bashrc"
|
||||
EOF
|
||||
# Enable the user to bind to ports below 1024
|
||||
sudo setcap cap_net_bind_service=ep /home/secdep/bin/rootlesskit
|
||||
@@ -332,13 +336,10 @@ EOF
|
||||
done
|
||||
fi
|
||||
# Portainer is a docker image that provides a web interface for docker
|
||||
# which will be installed and run on port 9000 by default to make it easier to manage docker
|
||||
# CMD1="docker volume create portainer_data # Create a docker volume for portainer"
|
||||
# CMD2="docker run -d -p 9000:9000 --name=portainer --restart=unless-stopped -v /home/secdep/.docker/run/docker.sock:/home/secdep/.docker/run/docker.sock -v portainer_data:/data portainer/portainer-ce"
|
||||
# CMD2="docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=always -v /$XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock -v ~/.local/share/docker/volumes:/var/lib/docker/volumes -v portainer_data:/data portainer/portainer-ce"
|
||||
# sudo -u secdep bash -c "$CMD1" # Create a docker volume for portainer
|
||||
# sudo -u secdep bash -c "$CMD2" # Run portainer
|
||||
# sudo machinectl shell secdep@ /bin/bash -c "docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=always -v /$XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock -v ~/.local/share/docker/volumes:/var/lib/docker/volumes -v portainer_data:/data portainer/portainer-ce"
|
||||
# which will be installed and run on port 9443 by default to make it easier to manage docker
|
||||
# url to follow after the installation is complete: https://vps_ip:9443
|
||||
# the https:// part is important as portainer will not work without it
|
||||
sudo -E runuser - secdep -c 'docker run -d -p 8000:8000 -p 9443:9443 --name=portainer --restart=always -v /run/user/$UID/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce'
|
||||
# Check if the dockerImages array is empty and return 0 if it is
|
||||
[[ "${#dockerImages[@]}" -eq 0 ]] && return 0
|
||||
# Loop through the dockerImages array
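Review bot: The new `runuser` line publishes Portainer on all interfaces (`-p 8000:8000 -p 9443:9443`) with no initial admin credential, and firewallInit opens the same ports, so the first-run admin-creation page is reachable from any network until someone claims it; pass `--admin-password-file <PATH_TO_SECRET>` to the container, or bind to loopback with `-p 127.0.0.1:9443:9443` and reach it over an SSH tunnel, so the instance is never unowned on the wire. The image is also unpinned (`portainer/portainer-ce` resolves to `latest`), so each run pulls whatever is current; pinning a tag or digest keeps the deployment reproducible. `$UID` sits inside single quotes and relies on secdep's login shell to expand it, which deserves a comment: `# $UID is expanded by secdep's login shell, not by root`. The enclosing function starts and ends outside the hunk.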
|
||||
@@ -375,7 +376,7 @@ EOF
|
||||
# }
|
||||
|
||||
# Fix banaction ufw with iptables
|
||||
# Does not always persist after reboot
|
||||
# Does not always persist after reboot.
|
||||
function configureFail2ban {
|
||||
FAIL2BAN_LOCAL=$(cat <<'EOF'
|
||||
[Definition]
|
||||
@@ -471,8 +472,9 @@ EOF
|
||||
sudo at now + 1 minute <<< "bash /root/delete_users.sh"
|
||||
}
|
||||
|
||||
# The main function will call the check_dependencies function and exit if it fails.
|
||||
# It will also output a message to the user to let them know that the script has finished.
|
||||
# The main function will call the declared functions in order and exit if any of them fails.
|
||||
# It will also pass any arguments passed to the script to the dockerInit function.
|
||||
# Then it will output a message to the user and reboot the system in 2 minutes.
|
||||
function main {
|
||||
printf "%s" "$SCRIPT_NAME script started"
|
||||
check_dependencies || exit 1 # Check dependencies and exit if it fails
|
||||
@@ -492,7 +494,8 @@ function main {
|
||||
deleteRemainingUsers || exit 1
|
||||
printf "%s" "$SCRIPT_NAME script finished" # Output message to the user
|
||||
printf "%s" "System will reboot momentarily" # Output message to the user
|
||||
sudo at now + 2 minute <<< "reboot"
|
||||
# Reboot the system in 2 minutes
|
||||
sudo shutdown -r +2
|
||||
}
|
||||
|
||||
# Call the main function
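Review bot: `sudo shutdown -r +2` no longer depends on atd, but deleteRemainingUsers (context in the -471,8 hunk) still schedules `/root/delete_users.sh` via `sudo at now + 1 minute`; if atd is missing or not running that job is silently lost while the reboot now proceeds regardless, so either both should use the same mechanism or the user cleanup should run synchronously before the reboot is scheduled. The two status messages use `printf "%s"` with no trailing newline, so they run together with the shutdown notice on the terminal; `printf '%s\n' "$SCRIPT_NAME script finished"` (and likewise for the reboot line) fixes that. The new comment could also name the escape hatch, `# Reboot in 2 minutes; cancel with: sudo shutdown -c`.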
|
||||
|
||||