From 43734fe1b19d8f7a8cc8c93638dc83f6da116f89 Mon Sep 17 00:00:00 2001 From: root Date: Sun, 10 May 2026 20:13:30 +0000 Subject: [PATCH] Preconfigure fail2ban and core security services by default --- README.md | 25 ++++++-- config/auditd/hardening.rules | 6 ++ config/fail2ban/jail.local | 35 ++++++++--- config/ssh/sshd_config.d-sicherheit.conf | 13 ++++ config/sysctl/99-sicherheit.conf | 10 +++ config/ufw/after.rules | 10 +++ config/unattended-upgrades/20auto-upgrades | 4 ++ .../unattended-upgrades/50unattended-upgrades | 9 +++ scripts/bootstrap_ubuntu_lxc_security.sh | 62 ++++++++++++------- 9 files changed, 139 insertions(+), 35 deletions(-) create mode 100644 config/auditd/hardening.rules create mode 100644 config/ssh/sshd_config.d-sicherheit.conf create mode 100644 config/sysctl/99-sicherheit.conf create mode 100644 config/ufw/after.rules create mode 100644 config/unattended-upgrades/20auto-upgrades create mode 100644 config/unattended-upgrades/50unattended-upgrades diff --git a/README.md b/README.md index 4dc3e8c..a2bb088 100644 --- a/README.md +++ b/README.md @@ -2,11 +2,14 @@ Standardisierter Installationsprozess fuer neue Ubuntu-LXC-Container. -Installiert unter anderem: -- Security-Basis: `ufw`, `fail2ban`, `unattended-upgrades`, `auditd` -- Admin-Tools: `git`, `curl`, `jq`, `tmux`, `htop` -- Runtime: `nodejs`, `npm` -- CLI: `@openai/codex` +Installiert und **direkt vorkonfiguriert**: +- `fail2ban`: SSH/SSHD-DDoS + Recidive-Jail, UFW-Ban-Action +- `ufw`: default deny incoming, allow outgoing, SSH-Rate-Limit, 80/443 erlaubt +- `unattended-upgrades`: taegliche Security-Updates aktiv +- `openssh-server`: Basishardening via `sshd_config.d` +- `auditd`: grundlegende Audit-Regeln fuer sensible Dateien +- `sysctl`: Kernel/Netzwerk-Hardening-Basis +- `nodejs`, `npm`, `@openai/codex` ## Standardprozess nach Download 
@@ -24,12 +27,24 @@ sudo ln -sf "$(pwd)/bin/sicherheit-install" /usr/local/bin/sicherheit-install sudo sicherheit-install ``` +## Wichtige Konfigurationen + +- `config/fail2ban/jail.local` +- `config/ufw/after.rules` +- `config/unattended-upgrades/20auto-upgrades` +- `config/unattended-upgrades/50unattended-upgrades` +- `config/ssh/sshd_config.d-sicherheit.conf` +- `config/sysctl/99-sicherheit.conf` +- `config/auditd/hardening.rules` + ## Pruefen ```bash fail2ban-client status +fail2ban-client status sshd ufw status verbose systemctl status unattended-upgrades --no-pager +sshd -t node --version npm --version codex --help diff --git a/config/auditd/hardening.rules b/config/auditd/hardening.rules new file mode 100644 index 0000000..9537757 --- /dev/null +++ b/config/auditd/hardening.rules @@ -0,0 +1,6 @@ +## Managed by sicherheit-install +-w /etc/passwd -p wa -k identity +-w /etc/group -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/sudoers -p wa -k scope +-w /var/log/auth.log -p wa -k authlog diff --git a/config/fail2ban/jail.local b/config/fail2ban/jail.local index 203df17..a8f1228 100644 --- a/config/fail2ban/jail.local +++ b/config/fail2ban/jail.local @@ -1,18 +1,35 @@ [DEFAULT] ignoreip = 127.0.0.1/8 ::1 -bantime = 1h +bantime = 1h findtime = 10m maxretry = 5 -backend = systemd +backend = systemd +banaction = ufw +banaction_allports = ufw + +action = %(action_mwl)s [sshd] -enabled = true -port = ssh -logpath = %(sshd_log)s -maxretry = 5 +enabled = true +mode = aggressive +port = ssh +logpath = %(sshd_log)s +maxretry = 4 +findtime = 10m +bantime = 4h [sshd-ddos] -enabled = true -port = ssh -logpath = %(sshd_log)s +enabled = true +port = ssh +logpath = %(sshd_log)s maxretry = 3 +findtime = 10m +bantime = 8h + +[recidive] +enabled = true +logpath = /var/log/fail2ban.log +banaction = ufw-allports +findtime = 1d +bantime = 7d +maxretry = 5 
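Review bot: The new hardening.rules watches `/etc/sudoers` but not `/etc/sudoers.d/`, although on Ubuntu that directory is where sudo privileges are normally granted, so a privilege grant dropped there never produces a `scope` event; the usual companion rule is `-w /etc/sudoers.d/ -p wa -k scope`. The `authlog` watch on `/var/log/auth.log` will fire on every write rsyslog makes to that file, which is a lot of records for little signal; if the intent is to detect tampering, a watch on `/etc/rsyslog.d/` or on the log's attributes (`-p a`) is quieter. A header comment should also state that these rules only take effect where the container may talk to the kernel audit subsystem, which an unprivileged LXC usually may not, so `augenrules --load` in the bootstrap script (guarded with `|| true`) will most likely fail silently there.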
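Review bot: The `[sshd-ddos]` jail that this hunk keeps enabled refers to a filter that, as far as I know, no longer ships with fail2ban 0.10 and later (its patterns were merged into the `sshd` filter as `mode = ddos`/`aggressive`), so on a current Ubuntu the jail fails to load and the restart in the bootstrap script can fail as a whole; since `[sshd]` now sets `mode = aggressive` the section is redundant anyway and should be dropped. In `[recidive]`, `banaction = ufw-allports` names an action file I cannot find in fail2ban's action.d (there is `iptables-allports`, but the ufw action has no allports variant), unless this repository ships a custom one; the `banaction_allports = ufw` added to `[DEFAULT]` already covers it, so `banaction = %(banaction_allports)s` or omitting the line is the safer choice. `action = %(action_mwl)s` in `[DEFAULT]` sends a mail with whois output on every ban and on each jail start, which requires a working MTA and the `whois` package that the script does not install; `%(action_)s` keeps the ban without the mail. A short comment on each jail stating why its `bantime`/`maxretry` differ from the defaults would make the tuning reviewable later.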
diff --git a/config/ssh/sshd_config.d-sicherheit.conf b/config/ssh/sshd_config.d-sicherheit.conf
new file mode 100644
index 0000000..e458aac
--- /dev/null
+++ b/config/ssh/sshd_config.d-sicherheit.conf
@@ -0,0 +1,13 @@
+# Managed by sicherheit-install
+Protocol 2
+PermitRootLogin prohibit-password
+PasswordAuthentication no
+PubkeyAuthentication yes
+PermitEmptyPasswords no
+X11Forwarding no
+ClientAliveInterval 300
+ClientAliveCountMax 2
+MaxAuthTries 4
+MaxSessions 10
+LoginGraceTime 30
+AllowTcpForwarding no
diff --git a/config/sysctl/99-sicherheit.conf b/config/sysctl/99-sicherheit.conf
new file mode 100644
index 0000000..7d10091
--- /dev/null
+++ b/config/sysctl/99-sicherheit.conf
@@ -0,0 +1,10 @@
+# Managed by sicherheit-install
+net.ipv4.tcp_syncookies = 1
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+kernel.randomize_va_space = 2
diff --git a/config/ufw/after.rules b/config/ufw/after.rules
new file mode 100644
index 0000000..8a84e22
--- /dev/null
+++ b/config/ufw/after.rules
@@ -0,0 +1,10 @@
+# Managed by sicherheit-install
+*filter
+:ufw-after-input - [0:0]
+:ufw-after-output - [0:0]
+:ufw-after-forward - [0:0]
+
+# Drop invalid packets early
+-A ufw-after-input -m conntrack --ctstate INVALID -j DROP
+
+COMMIT
diff --git a/config/unattended-upgrades/20auto-upgrades b/config/unattended-upgrades/20auto-upgrades
new file mode 100644
index 0000000..5d37e9f
--- /dev/null
+++ b/config/unattended-upgrades/20auto-upgrades
@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";
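Review bot: `Protocol 2` on the second line of sshd_config.d-sicherheit.conf is a deprecated keyword on every OpenSSH that Ubuntu still ships (protocol 1 server support was removed in 7.4), so it adds nothing and, depending on version, makes `sshd -t` print a deprecation warning; drop it. A header comment should state that sshd keeps the first value it reads for each keyword, so this drop-in only takes effect for keywords not already set in `sshd_config` or in an earlier-sorted file under `sshd_config.d`, and that `sshd -T | grep -i passwordauthentication` is the way to confirm the effective value after installation.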
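Review bot: The redirect settings in 99-sicherheit.conf are IPv4-only; the IPv6 counterparts `net.ipv6.conf.all.accept_redirects = 0` and `net.ipv6.conf.default.accept_redirects = 0` are missing, so a container with a global IPv6 address still accepts ICMPv6 redirects. Source-routed packets are not covered either (`net.ipv4.conf.all.accept_source_route = 0` plus the `default` and `ipv6` variants). Some of these keys, `kernel.randomize_va_space` in particular, are not namespaced and are probably read-only inside an unprivileged LXC, which is presumably why the bootstrap script runs `sysctl --system` with `|| true`; a header comment naming the keys expected to fail in that case would make the silent failure deliberate rather than surprising.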
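Review bot: after.rules replaces Ubuntu's stock `/etc/ufw/after.rules` wholesale instead of extending it, and as far as I recall the stock file carries the `ufw-skip-to-policy-input` rules that keep NetBIOS/DHCP/broadcast noise out of the log; those are lost here, which together with `ufw logging medium` in the bootstrap script means noisier logs. The single rule that is added, dropping `--ctstate INVALID` in `ufw-after-input`, duplicates the INVALID drop that ufw's `before.rules` already applies in `ufw-before-input`, so it is never reached. There is also no matching `after6.rules`, so whatever the file intends does not apply to IPv6. Either derive the file from the distribution copy with the extra rule appended, or drop it and rely on `before.rules`.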
diff --git a/config/unattended-upgrades/50unattended-upgrades b/config/unattended-upgrades/50unattended-upgrades
new file mode 100644
index 0000000..b760f19
--- /dev/null
+++ b/config/unattended-upgrades/50unattended-upgrades
@@ -0,0 +1,9 @@
+Unattended-Upgrade::Allowed-Origins {
+ "${distro_id}:${distro_codename}";
+ "${distro_id}:${distro_codename}-security";
+ "${distro_id}ESMApps:${distro_codename}-apps-security";
+ "${distro_id}ESM:${distro_codename}-infra-security";
+};
+
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+Unattended-Upgrade::Automatic-Reboot "false";
diff --git a/scripts/bootstrap_ubuntu_lxc_security.sh b/scripts/bootstrap_ubuntu_lxc_security.sh
index c5fcf3d..5781e25 100755
--- a/scripts/bootstrap_ubuntu_lxc_security.sh
+++ b/scripts/bootstrap_ubuntu_lxc_security.sh
@@ -30,45 +30,67 @@ APT_PACKAGES=( auditd rsyslog logrotate + openssh-server ) NODE_MAJOR="20" CODEX_NPM_PACKAGE="@openai/codex" +SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)" +CONFIG_DIR="${SCRIPT_DIR}/../config" log() { echo "[sicherheit-install] $*" } -log "1/8 Paketindex aktualisieren" +copy_cfg() { + local src="$1" + local dst="$2" + if [[ -f "${src}" ]]; then + install -D -m 0644 "${src}" "${dst}" + fi +} + +log "1/10 Paketindex aktualisieren" apt-get update -y -log "2/8 Basispakete installieren" +log "2/10 Basispakete installieren" apt-get install -y "${APT_PACKAGES[@]}" -log "3/8 Automatische Sicherheitsupdates aktivieren" +log "3/10 Unattended-Upgrades konfigurieren" +copy_cfg "${CONFIG_DIR}/unattended-upgrades/20auto-upgrades" "/etc/apt/apt.conf.d/20auto-upgrades" +copy_cfg "${CONFIG_DIR}/unattended-upgrades/50unattended-upgrades" "/etc/apt/apt.conf.d/50unattended-upgrades" dpkg-reconfigure -f noninteractive unattended-upgrades || true -cat > /etc/apt/apt.conf.d/20auto-upgrades <<'AUTOU' -APT::Periodic::Update-Package-Lists "1"; -APT::Periodic::Download-Upgradeable-Packages "1"; -APT::Periodic::AutocleanInterval "7"; -APT::Periodic::Unattended-Upgrade "1"; -AUTOU -log "4/8 fail2ban konfigurieren" -SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)" -if [[ -f "${SCRIPT_DIR}/../config/fail2ban/jail.local" ]]; then - install -m 0644 "${SCRIPT_DIR}/../config/fail2ban/jail.local" /etc/fail2ban/jail.local -fi +log "4/10 fail2ban vorkonfigurieren" +copy_cfg "${CONFIG_DIR}/fail2ban/jail.local" "/etc/fail2ban/jail.local" systemctl enable fail2ban || true systemctl restart fail2ban || true -log "5/8 UFW Basisregeln setzen" -ufw allow OpenSSH || true +log "5/10 UFW vorkonfigurieren" +copy_cfg "${CONFIG_DIR}/ufw/after.rules" "/etc/ufw/after.rules" +ufw default deny incoming || true +ufw default allow outgoing || true +ufw logging medium || true +ufw limit OpenSSH || true ufw allow 80/tcp || true ufw allow 443/tcp || true ufw --force 
enable || true -log "6/8 Node.js ${NODE_MAJOR} installieren" +log "6/10 SSH-Basishardening setzen" +copy_cfg "${CONFIG_DIR}/ssh/sshd_config.d-sicherheit.conf" "/etc/ssh/sshd_config.d/99-sicherheit.conf" +sshd -t && systemctl restart ssh || true + +log "7/10 sysctl Hardening setzen" +copy_cfg "${CONFIG_DIR}/sysctl/99-sicherheit.conf" "/etc/sysctl.d/99-sicherheit.conf" +sysctl --system || true + +log "8/10 auditd Regeln setzen" +copy_cfg "${CONFIG_DIR}/auditd/hardening.rules" "/etc/audit/rules.d/hardening.rules" +augenrules --load || true +systemctl enable auditd || true +systemctl restart auditd || true + +log "9/10 Node.js ${NODE_MAJOR} installieren" if ! command -v node >/dev/null 2>&1; then mkdir -p /etc/apt/keyrings curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg @@ -77,17 +99,15 @@ if ! command -v node >/dev/null 2>&1; then apt-get install -y nodejs fi -log "7/8 npm aktualisieren und Codex installieren" +log "10/10 npm aktualisieren und Codex installieren" npm install -g npm@latest npm install -g "${CODEX_NPM_PACKAGE}" -log "8/8 Dienste aktivieren" systemctl enable unattended-upgrades || true systemctl restart unattended-upgrades || true -systemctl enable auditd || true -systemctl restart auditd || true log "Install abgeschlossen" node --version || true npm --version || true fail2ban-client status || true +ufw status verbose || true
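Review bot: In step 6 `sshd -t && systemctl restart ssh || true` leaves the drop-in installed when `sshd -t` fails, so the error is swallowed now and sshd refuses to start at the next reboot or restart, which on a container reached only over SSH is a lockout; the drop-in should be removed again when the test fails. The destination name `99-sicherheit.conf` sorts after other drop-ins and, because sshd keeps the first value it reads per keyword, any earlier-sorted file that sets `PasswordAuthentication yes` (cloud images commonly ship one) silently wins over this one; a name such as `00-sicherheit.conf` and a check of `sshd -T` after the restart avoid that. Since the drop-in sets `PasswordAuthentication no` together with `PermitRootLogin prohibit-password`, the step should refuse to install it when no `authorized_keys` exists for the login account, otherwise a password-only container is locked out on the spot. `copy_cfg` quietly does nothing for a missing source, so a wrong `CONFIG_DIR` still logs every step as configured; a `log` line in the skip branch would expose that. `augenrules --load`, `sysctl --system` and the auditd restart are all expected to fail inside an unprivileged LXC, so a comment saying that the `|| true` guards are there for that reason would help the next reader.
```shell
log "6/10 SSH-Basishardening setzen"
SSHD_DROPIN="/etc/ssh/sshd_config.d/00-sicherheit.conf"
copy_cfg "${CONFIG_DIR}/ssh/sshd_config.d-sicherheit.conf" "${SSHD_DROPIN}"
if sshd -t; then
  systemctl restart ssh || true
else
  log "sshd -t fehlgeschlagen, Drop-in ${SSHD_DROPIN} wird wieder entfernt"
  rm -f "${SSHD_DROPIN}"
fi
# … unchanged: sysctl, auditd, Node.js steps …
```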