[no message]
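--- a/FILE_PATH_NOT_SHOWN
+++ b/FILE_PATH_NOT_SHOWN
@@ -103,7 +103,7 @@ function install_packages {
 # Then it will install the packages that are missing by invoking the install_packages function.
 function check_dependencies { # systemd-container is for machinectl
 local dependencies=(fuse-overlayfs dbus-user-session uidmap slirp4netns systemd-container at cron htop curl git sudo vim ssh wget fail2ban) # Declare dependencies as a local array
-#> see what to do with name differences between distros if any <#
+#> in the future we should see what to do with name differences between distros if any <#
 local missing_dependencies=() # Declare missing_dependencies as a local array
 for dependency in "${dependencies[@]}"; do # Loop through the dependencies array
 # If the dependency is not installed, add it to the missing_dependencies array
@@ -222,6 +222,7 @@ function getCorrectKernelSecurityModule {
 function firewallInit {
 getCorrectFirewall # Get the correct firewall installed
 # Determine if ufw or firewalld is installed
+# We are not using command -v because we may be checking from a user that doesn't have the command in his path
 whereis ufw | grep -q /ufw && currentFirewall="ufw" || currentFirewall="firewalld"
 case "$currentFirewall" in
 ufw)
@@ -307,7 +308,7 @@ EOF
 sudo machinectl shell secdep@ /bin/bash -c 'curl -SL https://github.com/docker/compose/releases/download/v2.20.3/docker-compose-linux-x86_64 -o /home/secdep/bin/docker-compose'
 sudo machinectl shell secdep@ /bin/bash -c 'chmod +x /home/secdep/bin/docker-compose'
 
-# Install gVisor
+# Install gVisor (runsc) and containerd-shim-runsc-v1
 (
 set -e
 ARCH=$(uname -m)
@@ -365,7 +366,7 @@ EOF
 sudo -E runuser - secdep -c "$CMD_PORTS" > /dev/null 2>&1 && PORTS="$(sudo -E runuser - secdep -c "$CMD_PORTS")" || PORTS=""
 # Loop through the ports in the PORTS variable
 if [[ -n "$PORTS" ]]; then
-for port in "${PORTS[@]}"; do
+for port in "${PORTS[@]}"; do # Using "${PORTS[@]}" instead of "$PORTS" as the latter will only return the first port
 # Allow the port in the firewall
 case "$currentFirewall" in
 ufw)
@@ -408,6 +409,7 @@ EOF
 done
 }
 
+# The configureFail2ban function will configure fail2ban to ban ip addresses that try to brute force the ssh port (22100)
 function configureFail2ban {
 FAIL2BAN_LOCAL=$(cat <<'EOF'
 [Definition]
@@ -448,6 +450,7 @@ printf "%s\n" "LogLevel VERBOSE" | sudo tee -a /etc/ssh/sshd_config > /dev/null
 }
 
 function enableServices {
+# Loop through the services array which in the future could contain more services
 for service in "${services[@]}"; do
 sudo systemctl restart "$service"
 done
@@ -470,7 +473,11 @@ function enableServices {
 fi
 }
 
-# Sometimes the user is not deleted after the script is run
+# If we are using aws to make the vps there is a default user different from the one we want to use.
+# Also for the same reason, this script could be run by one of those users so we are using at to delete them
+# after 2 minutes. If it was 1 minute it could fail if its xx:59 because at doesn't actually wait for 60 seconds
+# but it waits for the next minute to come. Also the user would not be deleted without at because the script would
+# be running as the user that we want to delete.
 function deleteRemainingUsers {
 # In case atd wasn't running
 sudo systemctl enable --now atd
@@ -491,6 +498,9 @@ EOF
 sudo at now + 2 minute <<< "bash /root/delete_users.sh"
 }
 
+# It is not entirely possible to dynamically add and remove firewall rules for docker ports,
+# especially when using portainer so we will use a cronjob to check every 30 minutes if there are
+# any changes to be made to the firewall rules.
 function dynamicDockerPortsCronjob {
 # Part of the code responsible for the comparison
 # of the arrays was taken from:
@@ -602,6 +612,8 @@ sudo chmod +x /root/bin/dynamic_docker_ports_cronjob.sh
 sudo systemctl restart cron
 }
 
+# Even though there is a package called cron-apt, it is only available for debian and ubuntu
+# while this script is supposed to work on all the major server distros
 function automaticUpdatesCronjob {
 sudo mkdir -p /root/bin
 cat << 'TOHERE' | sudo tee /root/bin/automatic_updates_cronjob.sh > /dev/null 2>&1
@@ -703,18 +715,34 @@ function main {
 enableServices || exit 1 # Enable the services that need to be restarted and the firewall
 printf "%s\n" "Services restarted and firewall enabled"
 dynamicDockerPortsCronjob || exit 1 # Allow the ports used by docker in the firewall
-printf "%s\n" "CronJob to allow the ports used by docker in the firewall installed"
+printf "%s\n" "CronJob to adjust the ports used by docker and the firewall installed"
 automaticUpdatesCronjob || exit 1 # Install a cronjob to update the system periodically
 printf "%s\n" "CronJob to update the system installed"
-deleteRemainingUsers || exit 1 # Delete possible remaining users
+# If the username is not secdep, delete the remaining users
+[[ "$USERNAME" != "secdep" ]] && deleteRemainingUsers || exit 1 # Delete possible remaining users
 printf "%s\n" "Any unnecessary users deleted"
 printf "%s\n" "$SCRIPT_NAME script finished" # Output message to the user
 printf "%s\n" "System will reboot momentarily" # Output message to the user
 # Reboot the system in 3 minutes with the shutdown command so that login before the reboot is not possible
-sudo shutdown -r +3
+# If the username is not secdep, reboot the system in 1 minute
+# We reboot just in case there are any updates that need to be applied
+# It was not the original intention of the script to reboot the system but it is better to be safe than sorry
+# We also wait (for 1 or 3 minutes depending on the user running it) so that the script can finish as we
+# want to see the exit code.
+if [[ "$USERNAME" != "secdep" ]]; then
+sudo shutdown -r +3
+else
+sudo shutdown -r +1
+fi
 }
 
-# Call the main function
-main "$@"
+# Check if the user is root
+if [[ "$EUID" -eq 0 ]]; then
+printf "%s\n" "Which distro let you login as root?"
+exit 1
+else
+# Call the main function
+main "$@"
+fi
 
 exit 0 # The right and proper way to exit a script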
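Review bot: `[[ "$USERNAME" != "secdep" ]] && deleteRemainingUsers || exit 1` in main aborts the secdep run: when the test is false the `&&` short-circuits and `|| exit 1` fires, so a secdep user exits with status 1 before the "Any unnecessary users deleted" message and the reboot branch are reached. Write it as `if [[ "$USERNAME" != "secdep" ]]; then deleteRemainingUsers || exit 1; fi`. The new comment `# If the username is not secdep, reboot the system in 1 minute` also contradicts the code under it, which gives non-secdep users `+3` and secdep `+1`. In the ports hunk, the comment added to `for port in "${PORTS[@]}"` is misleading: PORTS is assigned as a scalar (`PORTS="$(...)"`), so `"${PORTS[@]}"` yields one element holding the whole output and the loop runs once unless PORTS is declared an array elsewhere; filling it with `mapfile -t PORTS < <(...)` or `read -ra` would make the comment true. main's opening and the enclosing function of the ports loop both start outside their hunks.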