[no message]
@@ -103,7 +103,7 @@ function install_packages {
|
||||
# Then it will install the packages that are missing by invoking the install_packages function.
|
||||
function check_dependencies { # systemd-container is for machinectl
|
||||
local dependencies=(fuse-overlayfs dbus-user-session uidmap slirp4netns systemd-container at cron htop curl git sudo vim ssh wget fail2ban) # Declare dependencies as a local array
|
||||
#> see what to do with name differences between distros if any <#
|
||||
#> in the future we should see what to do with name differences between distros if any <#
|
||||
local missing_dependencies=() # Declare missing_dependencies as a local array
|
||||
for dependency in "${dependencies[@]}"; do # Loop through the dependencies array
|
||||
# If the dependency is not installed, add it to the missing_dependencies array
|
||||
@@ -222,6 +222,7 @@ function getCorrectKernelSecurityModule {
|
||||
function firewallInit {
|
||||
getCorrectFirewall # Get the correct firewall installed
|
||||
# Determine if ufw or firewalld is installed
|
||||
# We are not using command -v because we may be checking from a user that doesn't have the command in his path
|
||||
whereis ufw | grep -q /ufw && currentFirewall="ufw" || currentFirewall="firewalld"
|
||||
case "$currentFirewall" in
|
||||
ufw)
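Review bot: `whereis ufw | grep -q /ufw`, the line right after the new comment, matches any path whereis reports that contains `/ufw` (man pages, doc or config directories), not just the executable, so a host where ufw was removed without purging could still be classified as ufw — whether leftovers survive depends on the distro's default whereis search list, worth confirming. Since the comment's reason for avoiding `command -v` is PATH, test the binary location directly: `[[ -x /usr/sbin/ufw || -x /usr/bin/ufw ]] && currentFirewall="ufw" || currentFirewall="firewalld"`, or at least restrict whereis to binaries with `whereis -b ufw | grep -qE '/s?bin/ufw( |$)'`. The `||` fallback also selects firewalld without checking it is present; unless `getCorrectFirewall` guarantees that, a third branch that fails loudly would be safer than configuring a firewall that may not exist. firewallInit continues past the end of the hunk.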
|
||||
@@ -307,7 +308,7 @@ EOF
|
||||
sudo machinectl shell secdep@ /bin/bash -c 'curl -SL https://github.com/docker/compose/releases/download/v2.20.3/docker-compose-linux-x86_64 -o /home/secdep/bin/docker-compose'
|
||||
sudo machinectl shell secdep@ /bin/bash -c 'chmod +x /home/secdep/bin/docker-compose'
|
||||
|
||||
# Install gVisor
|
||||
# Install gVisor (runsc) and containerd-shim-runsc-v1
|
||||
(
|
||||
set -e
|
||||
ARCH=$(uname -m)
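Review bot: The docker-compose download on the first line of the hunk uses `curl -SL` without `-f`, so an HTTP error page would be written to `/home/secdep/bin/docker-compose` and then made executable by the next line, and nothing checks what was fetched before it becomes a binary run as secdep. Use `curl -fsSL` and verify the file's sha256 against the checksum GitHub publishes alongside that release before the `chmod +x`, e.g. `sha256sum -c docker-compose-linux-x86_64.sha256` in the same directory (confirm the checksum file name for v2.20.3). The URL also hard-codes `x86_64` while the gVisor block just below derives `ARCH=$(uname -m)`, so on an aarch64 host compose would be installed but not runnable; derive the compose artifact name from the same variable. The enclosing function starts before the hunk.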
|
||||
@@ -365,7 +366,7 @@ EOF
|
||||
sudo -E runuser - secdep -c "$CMD_PORTS" > /dev/null 2>&1 && PORTS="$(sudo -E runuser - secdep -c "$CMD_PORTS")" || PORTS=""
|
||||
# Loop through the ports in the PORTS variable
|
||||
if [[ -n "$PORTS" ]]; then
|
||||
for port in "${PORTS[@]}"; do
|
||||
for port in "${PORTS[@]}"; do # Using "${PORTS[@]}" instead of "$PORTS" as the latter will only return the first port
|
||||
# Allow the port in the firewall
|
||||
case "$currentFirewall" in
|
||||
ufw)
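Review bot: The comment added to the `for` line is wrong: `PORTS` is assigned as a plain string by `PORTS="$(sudo -E runuser - secdep -c "$CMD_PORTS")"` at the top of the hunk, so `"${PORTS[@]}"` expands to that single string and the loop body runs once with every port in one element; `"$PORTS"` would behave the same, not "only return the first port", and the firewall rule would be built from the whole string. Read the output into a real array instead, `mapfile -t PORTS < <(sudo -E runuser - secdep -c "$CMD_PORTS" 2>/dev/null)`, and guard with `if (( ${#PORTS[@]} > 0 )); then` — this assumes `$CMD_PORTS`, defined outside the hunk, prints one port per line, which should be confirmed. That also removes the double invocation of the command on the first line of the hunk. The enclosing function starts and ends outside the hunk.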
|
||||
@@ -408,6 +409,7 @@ EOF
|
||||
done
|
||||
}
|
||||
|
||||
# The configureFail2ban function will configure fail2ban to ban ip addresses that try to brute force the ssh port (22100)
|
||||
function configureFail2ban {
|
||||
FAIL2BAN_LOCAL=$(cat <<'EOF'
|
||||
[Definition]
|
||||
@@ -448,6 +450,7 @@ printf "%s\n" "LogLevel VERBOSE" | sudo tee -a /etc/ssh/sshd_config > /dev/null
|
||||
}
|
||||
|
||||
function enableServices {
|
||||
# Loop through the services array which in the future could contain more services
|
||||
for service in "${services[@]}"; do
|
||||
sudo systemctl restart "$service"
|
||||
done
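Review bot: `sudo systemctl restart "$service"` runs right after the hunk header's `tee -a /etc/ssh/sshd_config`, so if the ssh daemon is among `services` (the array is defined outside the hunk), a malformed sshd_config would be restarted into and could lock you out of a remote VPS with no console. Validate before restarting, e.g. `[[ "$service" == ssh* ]] && { sudo sshd -t || return 1; }` ahead of the restart line, or a single `sudo sshd -t || return 1` at the top of the function. enableServices continues past the end of the hunk.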
|
||||
@@ -470,7 +473,11 @@ function enableServices {
|
||||
fi
|
||||
}
|
||||
|
||||
# Sometimes the user is not deleted after the script is run
|
||||
# If we are using aws to make the vps there is a default user different from the one we want to use.
|
||||
# Also for the same reason, this script could be run by one of those users so we are using at to delete them
|
||||
# after 2 minutes. If it was 1 minute it could fail if its xx:59 because at doesn't actually wait for 60 seconds
|
||||
# but it waits for the next minute to come. Also the user would not be deleted without at because the script would
|
||||
# be running as the user that we want to delete.
|
||||
function deleteRemainingUsers {
|
||||
# In case atd wasn't running
|
||||
sudo systemctl enable --now atd
|
||||
@@ -491,6 +498,9 @@ EOF
|
||||
sudo at now + 2 minute <<< "bash /root/delete_users.sh"
|
||||
}
|
||||
|
||||
# It is not entirely possible to dynamically add and remove firewall rules for docker ports,
|
||||
# especially when using portainer so we will use a cronjob to check every 30 minutes if there are
|
||||
# any changes to be made to the firewall rules.
|
||||
function dynamicDockerPortsCronjob {
|
||||
# Part of the code responsible for the comparison
|
||||
# of the arrays was taken from:
|
||||
@@ -602,6 +612,8 @@ sudo chmod +x /root/bin/dynamic_docker_ports_cronjob.sh
|
||||
sudo systemctl restart cron
|
||||
}
|
||||
|
||||
# Even though there is a package called cron-apt, it is only available for debian and ubuntu
|
||||
# while this script is supposed to work on all the major server distros
|
||||
function automaticUpdatesCronjob {
|
||||
sudo mkdir -p /root/bin
|
||||
cat << 'TOHERE' | sudo tee /root/bin/automatic_updates_cronjob.sh > /dev/null 2>&1
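Review bot: `cat << 'TOHERE' | sudo tee /root/bin/automatic_updates_cronjob.sh > /dev/null 2>&1` on the last line of the hunk silences tee's stderr, and no `set -o pipefail` is visible, so a failed write of a script that root's cron will later execute is only noticed if the function's final command happens to fail. Drop the `2>&1` and check the write explicitly: `cat << 'TOHERE' | sudo tee /root/bin/automatic_updates_cronjob.sh > /dev/null || return 1`. The heredoc and the rest of automaticUpdatesCronjob lie outside the hunk.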
|
||||
@@ -703,18 +715,34 @@ function main {
|
||||
enableServices || exit 1 # Enable the services that need to be restarted and the firewall
|
||||
printf "%s\n" "Services restarted and firewall enabled"
|
||||
dynamicDockerPortsCronjob || exit 1 # Allow the ports used by docker in the firewall
|
||||
printf "%s\n" "CronJob to allow the ports used by docker in the firewall installed"
|
||||
printf "%s\n" "CronJob to adjust the ports used by docker and the firewall installed"
|
||||
automaticUpdatesCronjob || exit 1 # Install a cronjob to update the system periodically
|
||||
printf "%s\n" "CronJob to update the system installed"
|
||||
deleteRemainingUsers || exit 1 # Delete possible remaining users
|
||||
# If the username is not secdep, delete the remaining users
|
||||
[[ "$USERNAME" != "secdep" ]] && deleteRemainingUsers || exit 1 # Delete possible remaining users
|
||||
printf "%s\n" "Any unnecessary users deleted"
|
||||
printf "%s\n" "$SCRIPT_NAME script finished" # Output message to the user
|
||||
printf "%s\n" "System will reboot momentarily" # Output message to the user
|
||||
# Reboot the system in 3 minutes with the shutdown command so that login before the reboot is not possible
|
||||
# If the username is not secdep, reboot the system in 1 minute
|
||||
# We reboot just in case there are any updates that need to be applied
|
||||
# It was not the original intention of the script to reboot the system but it is better to be safe than sorry
|
||||
# We also wait (for 1 or 3 minutes depending on the user running it) so that the script can finish as we
|
||||
# want to see the exit code.
|
||||
if [[ "$USERNAME" != "secdep" ]]; then
|
||||
sudo shutdown -r +3
|
||||
else
|
||||
sudo shutdown -r +1
|
||||
fi
|
||||
}
|
||||
|
||||
# Check if the user is root
|
||||
if [[ "$EUID" -eq 0 ]]; then
|
||||
printf "%s\n" "Which distro let you login as root?"
|
||||
exit 1
|
||||
else
|
||||
# Call the main function
|
||||
main "$@"
|
||||
fi
|
||||
|
||||
exit 0 # The right and proper way to exit a script
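Review bot: `[[ "$USERNAME" != "secdep" ]] && deleteRemainingUsers || exit 1` does the opposite of what the comment above it says for the common case: when `$USERNAME` is `secdep` the test fails, `deleteRemainingUsers` is skipped, and the `||` branch runs `exit 1`, so the script aborts before the reboot for exactly the user it is written for. Write it as an explicit conditional: `if [[ "$USERNAME" != "secdep" ]]; then deleteRemainingUsers || exit 1; fi`. Note also that `USERNAME` is not a variable bash provides (unlike `USER`/`LOGNAME`); it is presumably set earlier in the script, which should be confirmed, because if it is ever unset both this check and the reboot-delay `if` below take the "not secdep" path and the `at`-scheduled user deletion runs on a host where nothing was verified about it.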
|
||||
|
||||