From 5a4eb2fd7217be536350d17f660e00615c077345 Mon Sep 17 00:00:00 2001
From: Arpad Krejczinger
Date: Fri, 12 Sep 2025 20:39:02 +0200
Subject: [PATCH] Add automated security hardening setup script

- scripts/setup-security-hardening.sh: One-command deployment of all security configurations
- Includes SSH hardening, kernel parameters, Docker security, fail2ban, and nginx rate limiting
- Provides status output and next steps for verification

---
 scripts/setup-security-hardening.sh | 112 ++++++++++++++++++++++++++++
 1 file changed, 112 insertions(+)
 create mode 100755 scripts/setup-security-hardening.sh

diff --git a/scripts/setup-security-hardening.sh b/scripts/setup-security-hardening.sh
new file mode 100755
index 0000000..b8f34d8
--- /dev/null
+++ b/scripts/setup-security-hardening.sh
@@ -0,0 +1,112 @@
+#!/bin/bash
+# Security Hardening Setup Script
+# Run with: sudo -A ./scripts/setup-security-hardening.sh
+
+set -euo pipefail
+
+echo "=== Security Hardening Setup ==="
+echo "Deploying security configurations from config/ directory"
+echo
+
+# Colors for output
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+log_info() {
+ echo -e "${GREEN}[INFO]${NC} $1"
+}
+
+log_warn() {
+ echo -e "${YELLOW}[WARN]${NC} $1"
+}
+
+# Check if running as root
+if [ "$EUID" -ne 0 ]; then
+ echo "This script must be run as root (use sudo -A)"
+ exit 1
+fi
+
+REPO_DIR="/home/hoborg/homelab"
+
+# 1. Deploy SSH hardening
+log_info "Deploying SSH security configuration..."
+if [ -f "$REPO_DIR/config/ssh/sshd_config_hardening" ]; then
+ cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup || true
+ cat "$REPO_DIR/config/ssh/sshd_config_hardening" >> /etc/ssh/sshd_config
+ cp "$REPO_DIR/config/ssh/banner" /etc/ssh/banner
+ chmod 644 /etc/ssh/banner
+ log_info "SSH hardening applied"
+else
+ log_warn "SSH hardening config not found"
+fi
+
+# 2. Deploy kernel security parameters
+log_info "Deploying kernel security parameters..."
+if [ -f "$REPO_DIR/config/sysctl/99-security.conf" ]; then
+ cp "$REPO_DIR/config/sysctl/99-security.conf" /etc/sysctl.d/
+ sysctl -p /etc/sysctl.d/99-security.conf
+ log_info "Kernel security parameters applied"
+else
+ log_warn "Sysctl security config not found"
+fi
+
+# 3. Deploy Docker security configuration
+log_info "Deploying Docker security configuration..."
+if [ -f "$REPO_DIR/config/docker/daemon.json" ]; then
+ mkdir -p /etc/docker
+ cp "$REPO_DIR/config/docker/daemon.json" /etc/docker/
+ systemctl restart docker
+ log_info "Docker security configuration applied"
+else
+ log_warn "Docker daemon config not found"
+fi
+
+# 4. Deploy fail2ban configuration
+log_info "Deploying fail2ban configuration..."
+if [ -f "$REPO_DIR/config/fail2ban/jail.local" ]; then
+ # Install fail2ban if needed
+ if ! command -v fail2ban-server >/dev/null; then
+ log_info "Installing fail2ban..."
+ pacman -S --noconfirm fail2ban
+ fi
+
+ # Deploy config files
+ cp "$REPO_DIR/config/fail2ban/jail.local" /etc/fail2ban/
+ cp "$REPO_DIR/config/fail2ban/filter.d/"*.conf /etc/fail2ban/filter.d/
+
+ # Enable and restart
+ systemctl enable fail2ban
+ systemctl restart fail2ban
+
+ log_info "fail2ban configuration applied"
+else
+ log_warn "fail2ban config not found"
+fi
+
+# 5. Deploy nginx rate limiting
+log_info "Deploying nginx rate limiting..."
+if [ -f "$REPO_DIR/config/systemd/nginx.service.d/rate-limit.conf" ]; then
+ mkdir -p /etc/systemd/system/nginx.service.d
+ cp "$REPO_DIR/config/systemd/nginx.service.d/rate-limit.conf" /etc/systemd/system/nginx.service.d/
+ systemctl daemon-reload
+ log_info "Nginx rate limiting applied"
+else
+ log_warn "Nginx rate limiting config not found"
+fi
+
+echo
+echo "=== Security Hardening Complete ==="
+echo
+echo "Applied configurations:"
+echo " ✓ SSH hardening and banner"
+echo " ✓ Kernel security parameters"
+echo " ✓ Docker security configuration"
+echo " ✓ fail2ban intrusion prevention"
+echo " ✓ Nginx rate limiting"
+echo
+echo "Next steps:"
+echo " 1. Test SSH connections: ssh -p 2222 user@localhost"
+echo " 2. Check fail2ban status: fail2ban-client status"
+echo " 3. Verify services: systemctl status sshd nginx docker"
+echo " 4. Monitor logs: tail -f /var/log/honeypot.log"
\ No newline at end of file
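Review bot: The SSH step (`cat "$REPO_DIR/config/ssh/sshd_config_hardening" >> /etc/ssh/sshd_config`) appends the fragment without validating the merged file and without any idempotency guard, so a second run duplicates every directive and a typo in the fragment is only discovered when sshd next restarts and refuses to start, which on a remote host means lockout. After the append add `sshd -t || { cp /etc/ssh/sshd_config.backup /etc/ssh/sshd_config; exit 1; }`, drop the `|| true` on the backup `cp` since the rollback depends on that file existing, and skip the append when `grep -q` already finds a line the fragment is known to contain (or ship it as a drop-in under /etc/ssh/sshd_config.d/ where the installed OpenSSH supports that). Separately, `REPO_DIR="/home/hoborg/homelab"` means a root-privileged script copies sshd, Docker daemon and fail2ban configuration out of a user-owned home directory into /etc, so anyone who can write that tree can change root-owned configuration; deriving the path from the script's own location, e.g. `REPO_DIR=$(cd "$(dirname "$0")/.." && pwd)`, and checking the source files are root-owned before copying would narrow that. The Docker step's `systemctl restart docker` also restarts every running container, which is worth stating in the preceding log line so an operator is not surprised by the outage.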