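#!/bin/bash
# Security Hardening Setup Script
#
# Copies the hardening configuration kept under config/ in the homelab checkout
# into the live system (sshd, sysctl, Docker, fail2ban, nginx systemd drop-in)
# and (re)starts the affected services where the original did so.
#
# Run with: sudo -A ./scripts/setup-security-hardening.sh
#
# Environment:
#   REPO_DIR  root of the homelab checkout (default: /home/hoborg/homelab).
#
# Exit status: 0 when every step was either applied or skipped because its
# config file is absent; non-zero when a step fails to copy or the merged
# configuration fails the tool's own validation (sshd -t, dockerd --validate,
# fail2ban-client -t).
set -euo pipefail

# Colors for output (ANSI escapes; passed through printf '%s' unchanged)
readonly GREEN=$'\033[0;32m'
readonly YELLOW=$'\033[1;33m'
readonly RED=$'\033[0;31m'
readonly NC=$'\033[0m'

# Repo location is overridable so the script also works from another checkout.
REPO_DIR="${REPO_DIR:-/home/hoborg/homelab}"
readonly REPO_DIR

# Filled in by the deploy_* steps; print_summary reports them so the final
# "Applied configurations" list reflects what actually happened.
declare -a applied=() skipped=()

log_info() { printf '%s[INFO]%s %s\n' "$GREEN" "$NC" "$*"; }
log_warn() { printf '%s[WARN]%s %s\n' "$YELLOW" "$NC" "$*" >&2; }
log_error() { printf '%s[ERROR]%s %s\n' "$RED" "$NC" "$*" >&2; }

# Print an error to stderr and exit 1.
die() { log_error "$@"; exit 1; }

#######################################
# 1. Append the SSH hardening snippet to sshd_config (once) and install the
#    login banner. The merged file is checked with `sshd -t`; on failure the
#    backup is restored so a broken sshd_config cannot lock out remote access
#    on the next sshd restart. sshd itself is not reloaded here (unchanged):
#    test from a second session, then reload it.
# Globals:   REPO_DIR (read), applied/skipped (appended)
# Returns:   0 on success or skip; exits via die on validation failure
#######################################
deploy_ssh() {
  local src="$REPO_DIR/config/ssh/sshd_config_hardening"
  local banner_src="$REPO_DIR/config/ssh/banner"
  local cfg=/etc/ssh/sshd_config
  local backup="$cfg.backup"
  local marker='# BEGIN homelab security hardening (setup-security-hardening.sh)'

  log_info "Deploying SSH security configuration..."
  if [[ ! -f "$src" ]]; then
    log_warn "SSH hardening config not found"
    skipped+=("SSH hardening and banner")
    return 0
  fi

  # Guard against re-running: appending the snippet twice leaves duplicate
  # directives, and sshd honours the first occurrence of each keyword.
  if grep -qF -- "$marker" "$cfg" 2>/dev/null; then
    log_warn "SSH hardening already present in $cfg; not appending again"
  else
    # Refuse to edit the file that controls remote access without a copy to
    # roll back to.
    cp -- "$cfg" "$backup" || die "cannot back up $cfg to $backup"
    {
      # Leading newline: the snippet must not fuse with an unterminated last line.
      printf '\n%s\n' "$marker"
      cat -- "$src"
      printf '# END homelab security hardening\n'
    } >> "$cfg"
    if ! sshd -t -f "$cfg"; then
      cp -- "$backup" "$cfg"
      die "merged $cfg failed 'sshd -t'; backup restored from $backup"
    fi
  fi

  if [[ -f "$banner_src" ]]; then
    cp -- "$banner_src" /etc/ssh/banner
    chmod 644 /etc/ssh/banner
  else
    log_warn "SSH banner not found at $banner_src; banner not installed"
  fi
  log_info "SSH hardening applied"
  applied+=("SSH hardening and banner")
}

#######################################
# 2. Install the sysctl drop-in and apply it immediately.
# Globals:   REPO_DIR (read), applied/skipped (appended)
#######################################
deploy_sysctl() {
  local src="$REPO_DIR/config/sysctl/99-security.conf"
  local dst=/etc/sysctl.d/99-security.conf

  log_info "Deploying kernel security parameters..."
  if [[ ! -f "$src" ]]; then
    log_warn "Sysctl security config not found"
    skipped+=("Kernel security parameters")
    return 0
  fi
  mkdir -p /etc/sysctl.d
  cp -- "$src" "$dst"
  # The file persists across reboots; sysctl -p loads it into the running kernel now.
  sysctl -p "$dst"
  log_info "Kernel security parameters applied"
  applied+=("Kernel security parameters")
}

#######################################
# 3. Install daemon.json and restart Docker. Where dockerd supports
#    --validate the file is checked first, because a malformed daemon.json
#    would otherwise leave the daemon down after the restart.
# Globals:   REPO_DIR (read), applied/skipped (appended)
#######################################
deploy_docker() {
  local src="$REPO_DIR/config/docker/daemon.json"
  local dst=/etc/docker/daemon.json
  local backup="$dst.backup"

  log_info "Deploying Docker security configuration..."
  if [[ ! -f "$src" ]]; then
    log_warn "Docker daemon config not found"
    skipped+=("Docker security configuration")
    return 0
  fi
  mkdir -p /etc/docker
  if [[ -f "$dst" ]]; then
    cp -- "$dst" "$backup"
  fi
  cp -- "$src" "$dst"
  # Only newer dockerd knows --validate; on older versions fall through to the
  # restart as before.
  if dockerd --help 2>/dev/null | grep -q -- '--validate'; then
    if ! dockerd --validate --config-file "$dst"; then
      if [[ -f "$backup" ]]; then
        cp -- "$backup" "$dst"
      fi
      die "$dst failed 'dockerd --validate'; previous config restored where present"
    fi
  fi
  systemctl restart docker
  log_info "Docker security configuration applied"
  applied+=("Docker security configuration")
}

#######################################
# 4. Install fail2ban (pacman) if missing, copy jail.local and filter
#    definitions, test the configuration, then enable and restart the service.
# Globals:   REPO_DIR (read), applied/skipped (appended)
#######################################
deploy_fail2ban() {
  local src_dir="$REPO_DIR/config/fail2ban"
  local filters=()

  log_info "Deploying fail2ban configuration..."
  if [[ ! -f "$src_dir/jail.local" ]]; then
    log_warn "fail2ban config not found"
    skipped+=("fail2ban intrusion prevention")
    return 0
  fi

  if ! command -v fail2ban-server >/dev/null; then
    log_info "Installing fail2ban..."
    pacman -S --noconfirm fail2ban
  fi

  mkdir -p /etc/fail2ban/filter.d
  cp -- "$src_dir/jail.local" /etc/fail2ban/

  # nullglob: with no filter files the literal '*.conf' must not reach cp
  # (which would abort the script under set -e).
  shopt -s nullglob
  filters=("$src_dir"/filter.d/*.conf)
  shopt -u nullglob
  if (( ${#filters[@]} > 0 )); then
    cp -- "${filters[@]}" /etc/fail2ban/filter.d/
  else
    log_warn "no filter definitions in $src_dir/filter.d; jails using custom filters will not start"
  fi

  # Parse the merged config before restarting so a bad file is reported here
  # rather than as a failed unit.
  if command -v fail2ban-client >/dev/null && ! fail2ban-client -t >/dev/null; then
    die "fail2ban configuration failed 'fail2ban-client -t'"
  fi

  systemctl enable fail2ban
  systemctl restart fail2ban
  log_info "fail2ban configuration applied"
  applied+=("fail2ban intrusion prevention")
}

#######################################
# 5. Install the nginx systemd drop-in and reload unit definitions. nginx is
#    not restarted here (unchanged); see "Next steps".
# Globals:   REPO_DIR (read), applied/skipped (appended)
#######################################
deploy_nginx_rate_limit() {
  local src="$REPO_DIR/config/systemd/nginx.service.d/rate-limit.conf"
  local dst_dir=/etc/systemd/system/nginx.service.d

  log_info "Deploying nginx rate limiting..."
  if [[ ! -f "$src" ]]; then
    log_warn "Nginx rate limiting config not found"
    skipped+=("Nginx rate limiting")
    return 0
  fi
  mkdir -p "$dst_dir"
  cp -- "$src" "$dst_dir/"
  # The drop-in is only picked up once systemd re-reads unit files.
  systemctl daemon-reload
  log_info "Nginx rate limiting applied"
  applied+=("Nginx rate limiting")
}

#######################################
# Print what was applied, what was skipped, and the manual follow-up checks.
# Globals:   applied, skipped (read)
#######################################
print_summary() {
  local item
  echo
  echo "=== Security Hardening Complete ==="
  echo
  if (( ${#applied[@]} > 0 )); then
    echo "Applied configurations:"
    for item in "${applied[@]}"; do
      printf ' ✓ %s\n' "$item"
    done
  fi
  if (( ${#skipped[@]} > 0 )); then
    echo "Skipped (config file not found):"
    for item in "${skipped[@]}"; do
      printf ' - %s\n' "$item"
    done
  fi
  echo
  echo "Next steps:"
  echo " 1. Test SSH connections: ssh -p 2222 user@localhost"
  echo " 2. Check fail2ban status: fail2ban-client status"
  echo " 3. Verify services: systemctl status sshd nginx docker"
  echo " 4. Monitor logs: tail -f /var/log/honeypot.log"
}

#######################################
# Entry point: require root, sanity-check REPO_DIR, run the five steps in order.
#######################################
main() {
  echo "=== Security Hardening Setup ==="
  echo "Deploying security configurations from config/ directory"
  echo

  # Check if running as root
  if (( EUID != 0 )); then
    echo "This script must be run as root (use sudo -A)" >&2
    exit 1
  fi
  [[ -d "$REPO_DIR" ]] || die "REPO_DIR=$REPO_DIR is not a directory"

  deploy_ssh
  deploy_sysctl
  deploy_docker
  deploy_fail2ban
  deploy_nginx_rate_limit
  print_summary
}

main "$@"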