From d517e94fad7eaaffcf14f01d12667281923ca0a1 Mon Sep 17 00:00:00 2001 From: konsthol Date: Wed, 6 Sep 2023 22:30:58 +0300 Subject: [PATCH] [no message] --- harden | 46 +++++++++++++++++++++++++++++++++++++--------- 1 file changed, 37 insertions(+), 9 deletions(-) diff --git a/harden b/harden index ca1c535..ecfee74 100755 --- a/harden +++ b/harden @@ -103,7 +103,7 @@ function install_packages { # Then it will install the packages that are missing by invoking the install_packages function. function check_dependencies { # systemd-container is for machinectl local dependencies=(fuse-overlayfs dbus-user-session uidmap slirp4netns systemd-container at cron htop curl git sudo vim ssh wget fail2ban) # Declare dependencies as a local array - #> see what to do with name differences between distros if any <# + #> in the future we should see what to do with name differences between distros if any <# local missing_dependencies=() # Declare missing_dependencies as a local array for dependency in "${dependencies[@]}"; do # Loop through the dependencies array # If the dependency is not installed, add it to the missing_dependencies array @@ -222,6 +222,7 @@ function getCorrectKernelSecurityModule { function firewallInit { getCorrectFirewall # Get the correct firewall installed # Determine if ufw or firewalld is installed + # We are not using command -v because we may be checking from a user that doesn't have the command in his path whereis ufw | grep -q /ufw && currentFirewall="ufw" || currentFirewall="firewalld" case "$currentFirewall" in ufw) @@ -307,7 +308,7 @@ EOF sudo machinectl shell secdep@ /bin/bash -c 'curl -SL https://github.com/docker/compose/releases/download/v2.20.3/docker-compose-linux-x86_64 -o /home/secdep/bin/docker-compose' sudo machinectl shell secdep@ /bin/bash -c 'chmod +x /home/secdep/bin/docker-compose' - # Install gVisor + # Install gVisor (runsc) and containerd-shim-runsc-v1 ( set -e ARCH=$(uname -m) 
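Review bot: The detection line right after the new comment, `whereis ufw | grep -q /ufw`, can pick ufw when only its leftovers are present, because whereis also lists configuration, library and manual-page locations (for example /etc/ufw or a ufw man page), so a host where the package was removed but its directories remain would have every later rule written for ufw while firewalld is the tool actually running. Restricting the search to binaries and anchoring the match avoids that without depending on the caller's PATH: `whereis -b ufw | grep -qE '/s?bin/ufw( |$)' && currentFirewall="ufw" || currentFirewall="firewalld"`. Since this single test decides which firewall receives all subsequent rules, also confirming the chosen service is active (`systemctl is-active --quiet ufw`) would be a cheap extra check. firewallInit's body continues past the hunk.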
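Review bot: The docker-compose download at the top of the hunk hard-codes `docker-compose-linux-x86_64` while the gVisor block introduced right after the renamed comment derives `ARCH=$(uname -m)`, and the file is marked executable with no integrity check, so a non-x86_64 host receives the wrong binary and a truncated or altered download is accepted as-is. `curl -SL` without `-f` additionally saves an HTML error body on a 404, which the following chmod then turns into an executable. Use `curl -fSL ... -o /home/secdep/bin/docker-compose` and compare against a pinned digest before the chmod, e.g. `echo '<EXPECTED_SHA256_PLACEHOLDER>  /home/secdep/bin/docker-compose' | sha256sum -c -` taken from the release's checksums file. The subshell that installs runsc opens at the end of this hunk and continues outside it.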
@@ -365,7 +366,7 @@ EOF sudo -E runuser - secdep -c "$CMD_PORTS" > /dev/null 2>&1 && PORTS="$(sudo -E runuser - secdep -c "$CMD_PORTS")" || PORTS="" # Loop through the ports in the PORTS variable if [[ -n "$PORTS" ]]; then - for port in "${PORTS[@]}"; do + for port in "${PORTS[@]}"; do # Using "${PORTS[@]}" instead of "$PORTS" as the latter will only return the first port # Allow the port in the firewall case "$currentFirewall" in ufw) @@ -408,6 +409,7 @@ EOF done } +# The configureFail2ban function will configure fail2ban to ban ip addresses that try to brute force the ssh port (22100) function configureFail2ban { FAIL2BAN_LOCAL=$(cat <<'EOF' [Definition] @@ -448,6 +450,7 @@ printf "%s\n" "LogLevel VERBOSE" | sudo tee -a /etc/ssh/sshd_config > /dev/null } function enableServices { + # Loop through the services array which in the future could contain more services for service in "${services[@]}"; do sudo systemctl restart "$service" done @@ -470,7 +473,11 @@ function enableServices { fi } -# Sometimes the user is not deleted after the script is run +# If we are using aws to make the vps there is a default user different from the one we want to use. +# Also for the same reason, this script could be run by one of those users so we are using at to delete them +# after 2 minutes. If it was 1 minute it could fail if its xx:59 because at doesn't actually wait for 60 seconds +# but it waits for the next minute to come. Also the user would not be deleted without at because the script would +# be running as the user that we want to delete. function deleteRemainingUsers { # In case atd wasn't running sudo systemctl enable --now atd 
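Review bot: PORTS is assigned as a plain string on the first line of the hunk (`PORTS="$(sudo -E runuser - secdep -c "$CMD_PORTS")"`), so the new comment on the `for` line has it backwards: for a scalar variable `"${PORTS[@]}"` and `"$PORTS"` both expand to one word holding the entire output, and the loop hands that whole string to the firewall as a single port (unless CMD_PORTS only ever prints one port, which is not visible here). Reading the output into a real array fixes the iteration and removes the second runuser invocation: `mapfile -t PORTS < <(sudo -E runuser - secdep -c "$CMD_PORTS")` followed by `if (( ${#PORTS[@]} > 0 )); then`. Because these values originate from a command run as the secdep user and go straight into firewall rules, each element should also be validated before the ufw/firewalld call, e.g. `[[ "$port" =~ ^[0-9]{1,5}(/(tcp|udp))?$ ]] || continue`. The `case` body continues past the hunk.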
@@ -491,6 +498,9 @@ EOF sudo at now + 2 minute <<< "bash /root/delete_users.sh" } +# It is not entirely possible to dynamically add and remove firewall rules for docker ports, +# especially when using portainer so we will use a cronjob to check every 30 minutes if there are +# any changes to be made to the firewall rules. function dynamicDockerPortsCronjob { # Part of the code responsible for the comparison # of the arrays was taken from: @@ -602,6 +612,8 @@ sudo chmod +x /root/bin/dynamic_docker_ports_cronjob.sh sudo systemctl restart cron } +# Even though there is a package called cron-apt, it is only available for debian and ubuntu +# while this script is supposed to work on all the major server distros function automaticUpdatesCronjob { sudo mkdir -p /root/bin cat << 'TOHERE' | sudo tee /root/bin/automatic_updates_cronjob.sh > /dev/null 2>&1 
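Review bot: `cat << 'TOHERE' | sudo tee /root/bin/automatic_updates_cronjob.sh > /dev/null 2>&1` on the last line of the hunk discards tee's error output, so a failure to write the script that root's cron will later execute leaves no diagnostic; dropping the `2>&1` keeps stdout quiet while still surfacing the error, `| sudo tee /root/bin/automatic_updates_cronjob.sh > /dev/null`. Since this file is executed by root on a schedule, it is also worth restricting it to the owner once written, `sudo chmod 700 /root/bin/automatic_updates_cronjob.sh`, if that is not already done further down the function, whose body continues outside the hunk.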
@@ -703,18 +715,34 @@ function main { enableServices || exit 1 # Enable the services that need to be restarted and the firewall printf "%s\n" "Services restarted and firewall enabled" dynamicDockerPortsCronjob || exit 1 # Allow the ports used by docker in the firewall - printf "%s\n" "CronJob to allow the ports used by docker in the firewall installed" + printf "%s\n" "CronJob to adjust the ports used by docker and the firewall installed" automaticUpdatesCronjob || exit 1 # Install a cronjob to update the system periodically printf "%s\n" "CronJob to update the system installed" - deleteRemainingUsers || exit 1 # Delete possible remaining users + # If the username is not secdep, delete the remaining users + [[ "$USERNAME" != "secdep" ]] && deleteRemainingUsers || exit 1 # Delete possible remaining users printf "%s\n" "Any unnecessary users deleted" printf "%s\n" "$SCRIPT_NAME script finished" # Output message to the user printf "%s\n" "System will reboot momentarily" # Output message to the user # Reboot the system in 3 minutes with the shutdown command so that login before the reboot is not possible - sudo shutdown -r +3 + # If the username is not secdep, reboot the system in 1 minute + # We reboot just in case there are any updates that need to be applied + # It was not the original intention of the script to reboot the system but it is better to be safe than sorry + # We also wait (for 1 or 3 minutes depending on the user running it) so that the script can finish as we + # want to see the exit code. + if [[ "$USERNAME" != "secdep" ]]; then + sudo shutdown -r +3 + else + sudo shutdown -r +1 + fi } -# Call the main function -main "$@" +# Check if the user is root +if [[ "$EUID" -eq 0 ]]; then + printf "%s\n" "Which distro let you login as root?" + exit 1 +else + # Call the main function + main "$@" +fi exit 0 # The right and proper way to exit a script
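Review bot: The new line `[[ "$USERNAME" != "secdep" ]] && deleteRemainingUsers || exit 1` makes main exit with status 1 whenever USERNAME is secdep, because a false test falls through to the `||` branch; the intent stated in the comment above it (skip deletion for secdep) needs an explicit conditional: `if [[ "$USERNAME" != "secdep" ]]; then` / `  deleteRemainingUsers || exit 1` / `fi`. The comment block before the new shutdown branch is inverted relative to the code: it says the non-secdep case reboots in 1 minute, while the `!= "secdep"` branch runs `shutdown -r +3`; a comment that matches the code would be `# Reboot in 3 minutes when run as another user, 1 minute when run as secdep`. At the bottom, the unconditional `exit 0` after `main "$@"` reports success even when main returned non-zero; a bare `exit` (or `exit $?`) preserves main's status. USERNAME is not a variable bash sets on its own, so presumably the script assigns it earlier from its prompt or arguments — if it is meant to be the invoking user, `id -un` is the reliable source; verify.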