lenovo-gentoo/scripts/security-setup/INSTALL.sh

#!/bin/sh
# Installation script for security hardening components
# Run with: sudo ./INSTALL.sh

set -e

# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

info() {
  printf "${BLUE}ℹ${NC} %s\n" "$1"
}

success() {
  printf "${GREEN}✓${NC} %s\n" "$1"
}

warning() {
  printf "${YELLOW}⚠${NC} %s\n" "$1"
}

error() {
  printf "${RED}✖${NC} %s\n" "$1"
}

# Check if running as root
if [ "$(id -u)" -ne 0 ]; then
  error "This script must be run as root (use sudo)"
  exit 1
fi

info "Installing security hardening components..."
echo ""

# 1. nftables firewall
info "Installing nftables configuration..."
if [ ! -f /etc/nftables.conf ]; then
  warning "No existing /etc/nftables.conf found"
fi

# Backup existing config
if [ -f /etc/nftables.conf ]; then
  info "Backing up existing nftables.conf..."
  cp /etc/nftables.conf "/etc/nftables.conf.backup.$(date +%Y%m%d-%H%M%S)"
  success "Backup created"
fi

# Copy new config
cp nftables.conf /etc/nftables.conf
chmod 644 /etc/nftables.conf
success "nftables configuration installed"

# Enable nftables service
info "Enabling nftables service..."
if command -v rc-update >/dev/null 2>&1; then
  rc-update add nftables default
  success "nftables service enabled"
else
  warning "OpenRC not found - please enable nftables manually"
fi

echo ""

# 2. fail2ban
info "Installing fail2ban configuration..."

# Check if fail2ban is installed
if ! command -v fail2ban-server >/dev/null 2>&1; then
  warning "fail2ban is not installed"
  info "Install with: emerge -av net-analyzer/fail2ban"
  info "jail.local will be copied but not activated"
fi

# Create fail2ban directory if needed
mkdir -p /etc/fail2ban

# Backup existing jail.local
if [ -f /etc/fail2ban/jail.local ]; then
  info "Backing up existing jail.local..."
  cp /etc/fail2ban/jail.local \
    "/etc/fail2ban/jail.local.backup.$(date +%Y%m%d-%H%M%S)"
  success "Backup created"
fi

# Copy new config
cp jail.local /etc/fail2ban/jail.local
chmod 644 /etc/fail2ban/jail.local
success "fail2ban configuration installed"

# Enable fail2ban service (if installed)
if command -v fail2ban-server >/dev/null 2>&1; then
  info "Enabling fail2ban service..."
  if command -v rc-update >/dev/null 2>&1; then
    rc-update add fail2ban default
    success "fail2ban service enabled"
  fi
fi

echo ""

# 3. SSH hardening
info "Installing SSH hardening configuration..."

# Check if SSH is installed
if [ ! -d /etc/ssh ]; then
  warning "SSH directory not found - skipping SSH hardening"
else
  # Create sshd_config.d directory (modern SSH)
  mkdir -p /etc/ssh/sshd_config.d

  # Backup existing config
  if [ -f /etc/ssh/sshd_config ]; then
    info "Backing up existing sshd_config..."
    cp /etc/ssh/sshd_config \
      "/etc/ssh/sshd_config.backup.$(date +%Y%m%d-%H%M%S)"
    success "Backup created"
  fi

  # Copy hardened config
  cp sshd_config.hardened /etc/ssh/sshd_config.d/hardening.conf
  chmod 644 /etc/ssh/sshd_config.d/hardening.conf
  success "SSH hardening configuration installed"

  warning "SSH config updated - TEST BEFORE CLOSING THIS SESSION!"
  info "Test with: sshd -t"
  info "Apply with: rc-service sshd restart"
fi

echo ""

# Summary
info "Installation complete!"
echo ""
warning "IMPORTANT NEXT STEPS:"
echo ""
echo "1. Review nftables configuration:"
echo "   cat /etc/nftables.conf"
echo ""
echo "2. Test nftables rules (DRY RUN):"
echo "   nft -f /etc/nftables.conf"
echo ""
echo "3. Start nftables:"
echo "   rc-service nftables start"
echo ""
echo "4. Verify firewall is working:"
echo "   nft list ruleset"
echo ""
echo "5. Test SSH configuration:"
echo "   sshd -t"
echo ""
echo "6. If SSH test passes, restart SSH:"
echo "   rc-service sshd restart"
echo ""
echo "7. If fail2ban is installed and SSH server is running, start it:"
echo "   rc-service fail2ban start"
echo ""
warning "NOTE: SSH hardening only applies if you're running SSH server"
warning "For a workstation, SSH server is typically not needed"
echo ""