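#!/bin/sh
# Installation script for security hardening components.
#
# Installs three configuration files shipped next to this script:
#   nftables.conf        -> /etc/nftables.conf
#   jail.local           -> /etc/fail2ban/jail.local
#   sshd_config.hardened -> /etc/ssh/sshd_config.d/hardening.conf
# Existing destination files are backed up with a timestamped suffix before
# being replaced. Services are registered with OpenRC (rc-update) when it is
# available but are never started here; the operator does that after review.
#
# Run with: sudo ./INSTALL.sh
# Requires: root and a POSIX sh with cp/chmod/date/grep. nft, rc-update and
#           fail2ban are optional and only used when present.

set -eu

# Colors (ANSI escapes; NC resets to the terminal default)
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

# Message helpers: colored marker followed by $1. Colors are passed as %b
# arguments instead of being spliced into the format string (ShellCheck
# SC2059). error() goes to stderr so it is not lost when stdout is captured.
info()    { printf '%bℹ%b %s\n' "$BLUE" "$NC" "$1"; }
success() { printf '%b✓%b %s\n' "$GREEN" "$NC" "$1"; }
warning() { printf '%b⚠%b %s\n' "$YELLOW" "$NC" "$1"; }
error()   { printf '%b✖%b %s\n' "$RED" "$NC" "$1" >&2; }

# backup_file PATH
# Copy PATH to "PATH.backup.<YYYYmmdd-HHMMSS>" when PATH exists; no-op otherwise.
backup_file() {
  if [ -f "$1" ]; then
    info "Backing up existing ${1##*/}..."
    cp "$1" "$1.backup.$(date +%Y%m%d-%H%M%S)"
    success "Backup created"
  fi
}

# install_file SRC DST
# Copy SRC to DST and set mode 0644 (world-readable, root-writable).
install_file() {
  cp "$1" "$2"
  chmod 644 "$2"
}

# Check if running as root
if [ "$(id -u)" -ne 0 ]; then
  error "This script must be run as root (use sudo)"
  exit 1
fi

# Resolve source files relative to the script rather than the caller's cwd,
# and fail before anything under /etc is touched if one of them is missing.
SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)
for f in nftables.conf jail.local sshd_config.hardened; do
  if [ ! -f "$SCRIPT_DIR/$f" ]; then
    error "Required file not found: $SCRIPT_DIR/$f"
    exit 1
  fi
done

info "Installing security hardening components..."
echo ""

# 1. nftables firewall
info "Installing nftables configuration..."
if [ ! -f /etc/nftables.conf ]; then
  warning "No existing /etc/nftables.conf found"
fi

# Validate the new ruleset before it replaces the live file and is enabled
# at boot: `nft -c` parses and checks without applying. Skipped when nft is
# not installed, in which case the operator must check it by hand.
if command -v nft >/dev/null 2>&1; then
  if ! nft -c -f "$SCRIPT_DIR/nftables.conf"; then
    error "nftables.conf failed validation (nft -c) - not installed"
    exit 1
  fi
else
  warning "nft not found - nftables.conf could not be validated"
fi

backup_file /etc/nftables.conf
install_file "$SCRIPT_DIR/nftables.conf" /etc/nftables.conf
success "nftables configuration installed"

# Enable nftables service
info "Enabling nftables service..."
if command -v rc-update >/dev/null 2>&1; then
  rc-update add nftables default
  success "nftables service enabled"
else
  warning "OpenRC not found - please enable nftables manually"
fi
echo ""

# 2. fail2ban
info "Installing fail2ban configuration..."

# Probe for fail2ban once; the result is reused when enabling the service.
have_fail2ban=0
if command -v fail2ban-server >/dev/null 2>&1; then
  have_fail2ban=1
else
  warning "fail2ban is not installed"
  info "Install with: emerge -av net-analyzer/fail2ban"
  info "jail.local will be copied but not activated"
fi

# Create fail2ban directory if needed
mkdir -p /etc/fail2ban

backup_file /etc/fail2ban/jail.local
install_file "$SCRIPT_DIR/jail.local" /etc/fail2ban/jail.local
success "fail2ban configuration installed"

# Enable fail2ban service (only if installed)
if [ "$have_fail2ban" -eq 1 ]; then
  info "Enabling fail2ban service..."
  if command -v rc-update >/dev/null 2>&1; then
    rc-update add fail2ban default
    success "fail2ban service enabled"
  fi
fi
echo ""

# 3. SSH hardening
info "Installing SSH hardening configuration..."

# Check if SSH is installed
if [ ! -d /etc/ssh ]; then
  warning "SSH directory not found - skipping SSH hardening"
else
  # Drop-in directory (modern SSH); sshd only reads it when sshd_config
  # carries a matching Include directive.
  mkdir -p /etc/ssh/sshd_config.d

  # sshd_config itself is not modified, but keep a copy of what was in place.
  backup_file /etc/ssh/sshd_config

  # Copy hardened config
  install_file "$SCRIPT_DIR/sshd_config.hardened" /etc/ssh/sshd_config.d/hardening.conf
  success "SSH hardening configuration installed"

  # A drop-in that is never included is a silent no-op, so check for the
  # Include line (sshd_config keywords are case-insensitive; -s silences a
  # missing sshd_config).
  if ! grep -Eiqs '^[[:space:]]*Include[[:space:]]+.*sshd_config\.d' /etc/ssh/sshd_config; then
    warning "/etc/ssh/sshd_config has no 'Include /etc/ssh/sshd_config.d/*.conf' line"
    warning "hardening.conf will be ignored until that Include is added"
  fi

  warning "SSH config updated - TEST BEFORE CLOSING THIS SESSION!"
  info "Test with: sshd -t"
  info "Apply with: rc-service sshd restart"
fi
echo ""

# Summary
info "Installation complete!"
echo ""
warning "IMPORTANT NEXT STEPS:"
echo ""
echo "1. Review nftables configuration:"
echo "   cat /etc/nftables.conf"
echo ""
# `nft -f` alone would load the ruleset; `-c` only checks it, which is what a
# dry run means here.
echo "2. Test nftables rules (DRY RUN):"
echo "   nft -c -f /etc/nftables.conf"
echo ""
echo "3. Start nftables:"
echo "   rc-service nftables start"
echo ""
echo "4. Verify firewall is working:"
echo "   nft list ruleset"
echo ""
echo "5. Test SSH configuration:"
echo "   sshd -t"
echo ""
echo "6. If SSH test passes, restart SSH:"
echo "   rc-service sshd restart"
echo ""
echo "7. If fail2ban is installed and SSH server is running, start it:"
echo "   rc-service fail2ban start"
echo ""
warning "NOTE: SSH hardening only applies if you're running SSH server"
warning "For a workstation, SSH server is typically not needed"
echo ""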