feat: Add backup and security hardening
163
scripts/security-setup/INSTALL.sh
Executable file
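--- /dev/null
+++ b/scripts/security-setup/INSTALL.sh
@@ -0,0 +1,163 @@
+#!/bin/sh
+# Installation script for security hardening components
+# Run with: sudo ./INSTALL.sh
+
+set -e
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+info() {
+printf "${BLUE}ℹ${NC} %s\n" "$1"
+}
+
+success() {
+printf "${GREEN}✓${NC} %s\n" "$1"
+}
+
+warning() {
+printf "${YELLOW}⚠${NC} %s\n" "$1"
+}
+
+error() {
+printf "${RED}✖${NC} %s\n" "$1"
+}
+
+# Check if running as root
+if [ "$(id -u)" -ne 0 ]; then
+error "This script must be run as root (use sudo)"
+exit 1
+fi
+
+info "Installing security hardening components..."
+echo ""
+
+# 1. nftables firewall
+info "Installing nftables configuration..."
+if [ ! -f /etc/nftables.conf ]; then
+warning "No existing /etc/nftables.conf found"
+fi
+
+# Backup existing config
+if [ -f /etc/nftables.conf ]; then
+info "Backing up existing nftables.conf..."
+cp /etc/nftables.conf "/etc/nftables.conf.backup.$(date +%Y%m%d-%H%M%S)"
+success "Backup created"
+fi
+
+# Copy new config
+cp nftables.conf /etc/nftables.conf
+chmod 644 /etc/nftables.conf
+success "nftables configuration installed"
+
+# Enable nftables service
+info "Enabling nftables service..."
+if command -v rc-update >/dev/null 2>&1; then
+rc-update add nftables default
+success "nftables service enabled"
+else
+warning "OpenRC not found - please enable nftables manually"
+fi
+
+echo ""
+
+# 2. fail2ban
+info "Installing fail2ban configuration..."
+
+# Check if fail2ban is installed
+if ! command -v fail2ban-server >/dev/null 2>&1; then
+warning "fail2ban is not installed"
+info "Install with: emerge -av net-analyzer/fail2ban"
+info "jail.local will be copied but not activated"
+fi
+
+# Create fail2ban directory if needed
+mkdir -p /etc/fail2ban
+
+# Backup existing jail.local
+if [ -f /etc/fail2ban/jail.local ]; then
+info "Backing up existing jail.local..."
+cp /etc/fail2ban/jail.local \
+"/etc/fail2ban/jail.local.backup.$(date +%Y%m%d-%H%M%S)"
+success "Backup created"
+fi
+
+# Copy new config
+cp jail.local /etc/fail2ban/jail.local
+chmod 644 /etc/fail2ban/jail.local
+success "fail2ban configuration installed"
+
+# Enable fail2ban service (if installed)
+if command -v fail2ban-server >/dev/null 2>&1; then
+info "Enabling fail2ban service..."
+if command -v rc-update >/dev/null 2>&1; then
+rc-update add fail2ban default
+success "fail2ban service enabled"
+fi
+fi
+
+echo ""
+
+# 3. SSH hardening
+info "Installing SSH hardening configuration..."
+
+# Check if SSH is installed
+if [ ! -d /etc/ssh ]; then
+warning "SSH directory not found - skipping SSH hardening"
+else
+# Create sshd_config.d directory (modern SSH)
+mkdir -p /etc/ssh/sshd_config.d
+
+# Backup existing config
+if [ -f /etc/ssh/sshd_config ]; then
+info "Backing up existing sshd_config..."
+cp /etc/ssh/sshd_config \
+"/etc/ssh/sshd_config.backup.$(date +%Y%m%d-%H%M%S)"
+success "Backup created"
+fi
+
+# Copy hardened config
+cp sshd_config.hardened /etc/ssh/sshd_config.d/hardening.conf
+chmod 644 /etc/ssh/sshd_config.d/hardening.conf
+success "SSH hardening configuration installed"
+
+warning "SSH config updated - TEST BEFORE CLOSING THIS SESSION!"
+info "Test with: sshd -t"
+info "Apply with: rc-service sshd restart"
+fi
+
+echo ""
+
+# Summary
+info "Installation complete!"
+echo ""
+warning "IMPORTANT NEXT STEPS:"
+echo ""
+echo "1. Review nftables configuration:"
+echo " cat /etc/nftables.conf"
+echo ""
+echo "2. Test nftables rules (DRY RUN):"
+echo " nft -f /etc/nftables.conf"
+echo ""
+echo "3. Start nftables:"
+echo " rc-service nftables start"
+echo ""
+echo "4. Verify firewall is working:"
+echo " nft list ruleset"
+echo ""
+echo "5. Test SSH configuration:"
+echo " sshd -t"
+echo ""
+echo "6. If SSH test passes, restart SSH:"
+echo " rc-service sshd restart"
+echo ""
+echo "7. If fail2ban is installed and SSH server is running, start it:"
+echo " rc-service fail2ban start"
+echo ""
+warning "NOTE: SSH hardening only applies if you're running SSH server"
+warning "For a workstation, SSH server is typically not needed"
+echo ""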
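Review bot: Step 2 of the printed summary labels `nft -f /etc/nftables.conf` a dry run, but without `-c` that command loads the ruleset immediately, so a user following the steps applies an unchecked firewall (and can lock the current session out) before step 3 ever runs; the check-only form is `nft -c -f`, so change the two lines to `echo "2. Check nftables rules (DRY RUN, nothing is loaded):"` and `echo "   nft -c -f /etc/nftables.conf"`. The copies `cp nftables.conf /etc/nftables.conf`, `cp jail.local /etc/fail2ban/jail.local` and `cp sshd_config.hardened ...` resolve against the caller's working directory, so `sudo /path/to/INSTALL.sh` run from elsewhere aborts under `set -e` after the backup has already been written; anchoring on the script's own location, e.g. `cd "$(dirname "$0")" || exit 1` right after the root check, avoids that half-applied state. The sshd drop-in written to `/etc/ssh/sshd_config.d/hardening.conf` only takes effect if the installed `sshd_config` contains an `Include` for that directory, which the script never verifies — presumably worth a warning when `grep -q '^Include /etc/ssh/sshd_config.d' /etc/ssh/sshd_config` fails, since sshd keeps the first value it sees for each option and a late or missing Include silently leaves the hardening inactive.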