Add automated security hardening setup script

- scripts/setup-security-hardening.sh: One-command deployment of all security configurations
- Includes SSH hardening, kernel parameters, Docker security, fail2ban, and nginx rate limiting
- Provides status output and next steps for verification

scripts/setup-security-hardening.sh

@@ -0,0 +1,112 @@
+#!/bin/bash
+# Security Hardening Setup Script
+# Run with: sudo -A ./scripts/setup-security-hardening.sh
+
+set -euo pipefail
+
+echo "=== Security Hardening Setup ==="
+echo "Deploying security configurations from config/ directory"
+echo
+
+# Colors for output  
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+log_info() {
+    echo -e "${GREEN}[INFO]${NC} $1"
+}
+
+log_warn() {
+    echo -e "${YELLOW}[WARN]${NC} $1"
+}
+
+# Check if running as root
+if [ "$EUID" -ne 0 ]; then
+    echo "This script must be run as root (use sudo -A)"
+    exit 1
+fi
+
+REPO_DIR="/home/hoborg/homelab"
+
+# 1. Deploy SSH hardening
+log_info "Deploying SSH security configuration..."
+if [ -f "$REPO_DIR/config/ssh/sshd_config_hardening" ]; then
+    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup || true
+    cat "$REPO_DIR/config/ssh/sshd_config_hardening" >> /etc/ssh/sshd_config
+    cp "$REPO_DIR/config/ssh/banner" /etc/ssh/banner
+    chmod 644 /etc/ssh/banner
+    log_info "SSH hardening applied"
+else
+    log_warn "SSH hardening config not found"
+fi
+
+# 2. Deploy kernel security parameters
+log_info "Deploying kernel security parameters..."
+if [ -f "$REPO_DIR/config/sysctl/99-security.conf" ]; then
+    cp "$REPO_DIR/config/sysctl/99-security.conf" /etc/sysctl.d/
+    sysctl -p /etc/sysctl.d/99-security.conf
+    log_info "Kernel security parameters applied"
+else
+    log_warn "Sysctl security config not found"
+fi
+
+# 3. Deploy Docker security configuration
+log_info "Deploying Docker security configuration..."
+if [ -f "$REPO_DIR/config/docker/daemon.json" ]; then
+    mkdir -p /etc/docker
+    cp "$REPO_DIR/config/docker/daemon.json" /etc/docker/
+    systemctl restart docker
+    log_info "Docker security configuration applied"
+else
+    log_warn "Docker daemon config not found"
+fi
+
+# 4. Deploy fail2ban configuration
+log_info "Deploying fail2ban configuration..."
+if [ -f "$REPO_DIR/config/fail2ban/jail.local" ]; then
+    # Install fail2ban if needed
+    if ! command -v fail2ban-server >/dev/null; then
+        log_info "Installing fail2ban..."
+        pacman -S --noconfirm fail2ban
+    fi
+    
+    # Deploy config files
+    cp "$REPO_DIR/config/fail2ban/jail.local" /etc/fail2ban/
+    cp "$REPO_DIR/config/fail2ban/filter.d/"*.conf /etc/fail2ban/filter.d/
+    
+    # Enable and restart
+    systemctl enable fail2ban
+    systemctl restart fail2ban
+    
+    log_info "fail2ban configuration applied"
+else
+    log_warn "fail2ban config not found"
+fi
+
+# 5. Deploy nginx rate limiting
+log_info "Deploying nginx rate limiting..."
+if [ -f "$REPO_DIR/config/systemd/nginx.service.d/rate-limit.conf" ]; then
+    mkdir -p /etc/systemd/system/nginx.service.d
+    cp "$REPO_DIR/config/systemd/nginx.service.d/rate-limit.conf" /etc/systemd/system/nginx.service.d/
+    systemctl daemon-reload
+    log_info "Nginx rate limiting applied"
+else
+    log_warn "Nginx rate limiting config not found"
+fi
+
+echo
+echo "=== Security Hardening Complete ==="
+echo
+echo "Applied configurations:"
+echo "  ✓ SSH hardening and banner"
+echo "  ✓ Kernel security parameters"  
+echo "  ✓ Docker security configuration"
+echo "  ✓ fail2ban intrusion prevention"
+echo "  ✓ Nginx rate limiting"
+echo
+echo "Next steps:"
+echo "  1. Test SSH connections: ssh -p 2222 user@localhost"
+echo "  2. Check fail2ban status: fail2ban-client status"
+echo "  3. Verify services: systemctl status sshd nginx docker"
+echo "  4. Monitor logs: tail -f /var/log/honeypot.log"