hoborg/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
acc30e7c3d9c014d5eccd64ebfa4ed5270f58fb2
homelab/scripts/setup-security-hardening.sh
Arpad Krejczinger 5a4eb2fd72 Add automated security hardening setup script 
- scripts/setup-security-hardening.sh: One-command deployment of all security configurations
- Includes SSH hardening, kernel parameters, Docker security, fail2ban, and nginx rate limiting
- Provides status output and next steps for verification
2025-09-12 20:39:02 +02:00

112 lines
3.3 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Security Hardening Setup Script
# Run with: sudo -A ./scripts/setup-security-hardening.sh
set -euo pipefail
echo "=== Security Hardening Setup ==="
echo "Deploying security configurations from config/ directory"
echo
# Colors for output
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
log_info() {
echo -e "${GREEN}[INFO]${NC} $1"
}
log_warn() {
echo -e "${YELLOW}[WARN]${NC} $1"
}
# Check if running as root
if [ "$EUID" -ne 0 ]; then
echo "This script must be run as root (use sudo -A)"
exit 1
fi
REPO_DIR="/home/hoborg/homelab"
# 1. Deploy SSH hardening
log_info "Deploying SSH security configuration..."
if [ -f "$REPO_DIR/config/ssh/sshd_config_hardening" ]; then
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup || true
cat "$REPO_DIR/config/ssh/sshd_config_hardening" >> /etc/ssh/sshd_config
cp "$REPO_DIR/config/ssh/banner" /etc/ssh/banner
chmod 644 /etc/ssh/banner
log_info "SSH hardening applied"
else
log_warn "SSH hardening config not found"
fi
# 2. Deploy kernel security parameters
log_info "Deploying kernel security parameters..."
if [ -f "$REPO_DIR/config/sysctl/99-security.conf" ]; then
cp "$REPO_DIR/config/sysctl/99-security.conf" /etc/sysctl.d/
sysctl -p /etc/sysctl.d/99-security.conf
log_info "Kernel security parameters applied"
else
log_warn "Sysctl security config not found"
fi
# 3. Deploy Docker security configuration
log_info "Deploying Docker security configuration..."
if [ -f "$REPO_DIR/config/docker/daemon.json" ]; then
mkdir -p /etc/docker
cp "$REPO_DIR/config/docker/daemon.json" /etc/docker/
systemctl restart docker
log_info "Docker security configuration applied"
else
log_warn "Docker daemon config not found"
fi
# 4. Deploy fail2ban configuration
log_info "Deploying fail2ban configuration..."
if [ -f "$REPO_DIR/config/fail2ban/jail.local" ]; then
# Install fail2ban if needed
if ! command -v fail2ban-server >/dev/null; then
log_info "Installing fail2ban..."
pacman -S --noconfirm fail2ban
fi
# Deploy config files
cp "$REPO_DIR/config/fail2ban/jail.local" /etc/fail2ban/
cp "$REPO_DIR/config/fail2ban/filter.d/"*.conf /etc/fail2ban/filter.d/
# Enable and restart
systemctl enable fail2ban
systemctl restart fail2ban
log_info "fail2ban configuration applied"
else
log_warn "fail2ban config not found"
fi
# 5. Deploy nginx rate limiting
log_info "Deploying nginx rate limiting..."
if [ -f "$REPO_DIR/config/systemd/nginx.service.d/rate-limit.conf" ]; then
mkdir -p /etc/systemd/system/nginx.service.d
cp "$REPO_DIR/config/systemd/nginx.service.d/rate-limit.conf" /etc/systemd/system/nginx.service.d/
systemctl daemon-reload
log_info "Nginx rate limiting applied"
else
log_warn "Nginx rate limiting config not found"
fi
echo
echo "=== Security Hardening Complete ==="
echo
echo "Applied configurations:"
echo " ✓ SSH hardening and banner"
echo " ✓ Kernel security parameters"
echo " ✓ Docker security configuration"
echo " ✓ fail2ban intrusion prevention"
echo " ✓ Nginx rate limiting"
echo
echo "Next steps:"
echo " 1. Test SSH connections: ssh -p 2222 user@localhost"
echo " 2. Check fail2ban status: fail2ban-client status"
echo " 3. Verify services: systemctl status sshd nginx docker"
echo " 4. Monitor logs: tail -f /var/log/honeypot.log"
Reference in New Issue View Git Blame Copy Permalink