Preconfigure fail2ban and core security services by default

README.md

@@ -2,11 +2,14 @@
 
 Standardisierter Installationsprozess fuer neue Ubuntu-LXC-Container.
 
-Installiert unter anderem:
-- Security-Basis: `ufw`, `fail2ban`, `unattended-upgrades`, `auditd`
-- Admin-Tools: `git`, `curl`, `jq`, `tmux`, `htop`
-- Runtime: `nodejs`, `npm`
-- CLI: `@openai/codex`
+Installiert und **direkt vorkonfiguriert**:
+- `fail2ban`: SSH/SSHD-DDoS + Recidive-Jail, UFW-Ban-Action
+- `ufw`: default deny incoming, allow outgoing, SSH-Rate-Limit, 80/443 erlaubt
+- `unattended-upgrades`: taegliche Security-Updates aktiv
+- `openssh-server`: Basishardening via `sshd_config.d`
+- `auditd`: grundlegende Audit-Regeln fuer sensible Dateien
+- `sysctl`: Kernel/Netzwerk-Hardening-Basis
+- `nodejs`, `npm`, `@openai/codex`
 
 ## Standardprozess nach Download
 
@@ -24,12 +27,24 @@ sudo ln -sf "$(pwd)/bin/sicherheit-install" /usr/local/bin/sicherheit-install
 sudo sicherheit-install
 ```
 
+## Wichtige Konfigurationen
+
+- `config/fail2ban/jail.local`
+- `config/ufw/after.rules`
+- `config/unattended-upgrades/20auto-upgrades`
+- `config/unattended-upgrades/50unattended-upgrades`
+- `config/ssh/sshd_config.d-sicherheit.conf`
+- `config/sysctl/99-sicherheit.conf`
+- `config/auditd/hardening.rules`
+
 ## Pruefen
 
 ```bash
 fail2ban-client status
+fail2ban-client status sshd
 ufw status verbose
 systemctl status unattended-upgrades --no-pager
+sshd -t
 node --version
 npm --version
 codex --help

config/auditd/hardening.rules

@@ -0,0 +1,6 @@
+## Managed by sicherheit-install
+-w /etc/passwd -p wa -k identity
+-w /etc/group -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/sudoers -p wa -k scope
+-w /var/log/auth.log -p wa -k authlog

config/fail2ban/jail.local

@@ -1,18 +1,35 @@
 [DEFAULT]
 ignoreip = 127.0.0.1/8 ::1
-bantime  = 1h
+bantime = 1h
 findtime = 10m
 maxretry = 5
-backend  = systemd
+backend = systemd
+banaction = ufw
+banaction_allports = ufw
+
+action = %(action_mwl)s
 
 [sshd]
-enabled  = true
-port     = ssh
-logpath  = %(sshd_log)s
-maxretry = 5
+enabled = true
+mode = aggressive
+port = ssh
+logpath = %(sshd_log)s
+maxretry = 4
+findtime = 10m
+bantime = 4h
 
 [sshd-ddos]
-enabled  = true
-port     = ssh
-logpath  = %(sshd_log)s
+enabled = true
+port = ssh
+logpath = %(sshd_log)s
 maxretry = 3
+findtime = 10m
+bantime = 8h
+
+[recidive]
+enabled = true
+logpath = /var/log/fail2ban.log
+banaction = ufw-allports
+findtime = 1d
+bantime = 7d
+maxretry = 5

config/ssh/sshd_config.d-sicherheit.conf

@@ -0,0 +1,13 @@
+# Managed by sicherheit-install
+Protocol 2
+PermitRootLogin prohibit-password
+PasswordAuthentication no
+PubkeyAuthentication yes
+PermitEmptyPasswords no
+X11Forwarding no
+ClientAliveInterval 300
+ClientAliveCountMax 2
+MaxAuthTries 4
+MaxSessions 10
+LoginGraceTime 30
+AllowTcpForwarding no

config/sysctl/99-sicherheit.conf

@@ -0,0 +1,10 @@
+# Managed by sicherheit-install
+net.ipv4.tcp_syncookies = 1
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+kernel.randomize_va_space = 2

config/ufw/after.rules

@@ -0,0 +1,10 @@
+# Managed by sicherheit-install
+*filter
+:ufw-after-input - [0:0]
+:ufw-after-output - [0:0]
+:ufw-after-forward - [0:0]
+
+# Drop invalid packets early
+-A ufw-after-input -m conntrack --ctstate INVALID -j DROP
+
+COMMIT

config/unattended-upgrades/20auto-upgrades

@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";

config/unattended-upgrades/50unattended-upgrades

@@ -0,0 +1,9 @@
+Unattended-Upgrade::Allowed-Origins {
+        "${distro_id}:${distro_codename}";
+        "${distro_id}:${distro_codename}-security";
+        "${distro_id}ESMApps:${distro_codename}-apps-security";
+        "${distro_id}ESM:${distro_codename}-infra-security";
+};
+
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+Unattended-Upgrade::Automatic-Reboot "false";

scripts/bootstrap_ubuntu_lxc_security.sh

@@ -30,45 +30,67 @@ APT_PACKAGES=(
   auditd
   rsyslog
   logrotate
+  openssh-server
 )
 
 NODE_MAJOR="20"
 CODEX_NPM_PACKAGE="@openai/codex"
+SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
+CONFIG_DIR="${SCRIPT_DIR}/../config"
 
 log() {
   echo "[sicherheit-install] $*"
 }
 
-log "1/8 Paketindex aktualisieren"
+copy_cfg() {
+  local src="$1"
+  local dst="$2"
+  if [[ -f "${src}" ]]; then
+    install -D -m 0644 "${src}" "${dst}"
+  fi
+}
+
+log "1/10 Paketindex aktualisieren"
 apt-get update -y
 
-log "2/8 Basispakete installieren"
+log "2/10 Basispakete installieren"
 apt-get install -y "${APT_PACKAGES[@]}"
 
-log "3/8 Automatische Sicherheitsupdates aktivieren"
+log "3/10 Unattended-Upgrades konfigurieren"
+copy_cfg "${CONFIG_DIR}/unattended-upgrades/20auto-upgrades" "/etc/apt/apt.conf.d/20auto-upgrades"
+copy_cfg "${CONFIG_DIR}/unattended-upgrades/50unattended-upgrades" "/etc/apt/apt.conf.d/50unattended-upgrades"
 dpkg-reconfigure -f noninteractive unattended-upgrades || true
-cat > /etc/apt/apt.conf.d/20auto-upgrades <<'AUTOU'
-APT::Periodic::Update-Package-Lists "1";
-APT::Periodic::Download-Upgradeable-Packages "1";
-APT::Periodic::AutocleanInterval "7";
-APT::Periodic::Unattended-Upgrade "1";
-AUTOU
 
-log "4/8 fail2ban konfigurieren"
-SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
-if [[ -f "${SCRIPT_DIR}/../config/fail2ban/jail.local" ]]; then
-  install -m 0644 "${SCRIPT_DIR}/../config/fail2ban/jail.local" /etc/fail2ban/jail.local
-fi
+log "4/10 fail2ban vorkonfigurieren"
+copy_cfg "${CONFIG_DIR}/fail2ban/jail.local" "/etc/fail2ban/jail.local"
 systemctl enable fail2ban || true
 systemctl restart fail2ban || true
 
-log "5/8 UFW Basisregeln setzen"
-ufw allow OpenSSH || true
+log "5/10 UFW vorkonfigurieren"
+copy_cfg "${CONFIG_DIR}/ufw/after.rules" "/etc/ufw/after.rules"
+ufw default deny incoming || true
+ufw default allow outgoing || true
+ufw logging medium || true
+ufw limit OpenSSH || true
 ufw allow 80/tcp || true
 ufw allow 443/tcp || true
 ufw --force enable || true
 
-log "6/8 Node.js ${NODE_MAJOR} installieren"
+log "6/10 SSH-Basishardening setzen"
+copy_cfg "${CONFIG_DIR}/ssh/sshd_config.d-sicherheit.conf" "/etc/ssh/sshd_config.d/99-sicherheit.conf"
+sshd -t && systemctl restart ssh || true
+
+log "7/10 sysctl Hardening setzen"
+copy_cfg "${CONFIG_DIR}/sysctl/99-sicherheit.conf" "/etc/sysctl.d/99-sicherheit.conf"
+sysctl --system || true
+
+log "8/10 auditd Regeln setzen"
+copy_cfg "${CONFIG_DIR}/auditd/hardening.rules" "/etc/audit/rules.d/hardening.rules"
+augenrules --load || true
+systemctl enable auditd || true
+systemctl restart auditd || true
+
+log "9/10 Node.js ${NODE_MAJOR} installieren"
 if ! command -v node >/dev/null 2>&1; then
   mkdir -p /etc/apt/keyrings
   curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg
@@ -77,17 +99,15 @@ if ! command -v node >/dev/null 2>&1; then
   apt-get install -y nodejs
 fi
 
-log "7/8 npm aktualisieren und Codex installieren"
+log "10/10 npm aktualisieren und Codex installieren"
 npm install -g npm@latest
 npm install -g "${CODEX_NPM_PACKAGE}"
 
-log "8/8 Dienste aktivieren"
 systemctl enable unattended-upgrades || true
 systemctl restart unattended-upgrades || true
-systemctl enable auditd || true
-systemctl restart auditd || true
 
 log "Install abgeschlossen"
 node --version || true
 npm --version || true
 fail2ban-client status || true
+ufw status verbose || true