commit be6ddf1416feb665dc76c0ee36d1b4c12179d1a9 Author: root Date: Sun May 10 20:08:47 2026 +0000 Add standardized Ubuntu LXC security install process with npm and codex
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..4dc3e8c
--- /dev/null
+++ b/README.md
@@ -0,0 +1,36 @@
+# Sicherheit: Ubuntu LXC Standard-Setup
+
+Standardisierter Installationsprozess fuer neue Ubuntu-LXC-Container.
+
+Installiert unter anderem:
+- Security-Basis: `ufw`, `fail2ban`, `unattended-upgrades`, `auditd`
+- Admin-Tools: `git`, `curl`, `jq`, `tmux`, `htop`
+- Runtime: `nodejs`, `npm`
+- CLI: `@openai/codex`
+
+## Standardprozess nach Download
+
+```bash
+git clone https://gitea.kanu1.duckdns.org/Kanu/Sicherheit.git
+cd Sicherheit
+chmod +x bin/sicherheit-install scripts/bootstrap_ubuntu_lxc_security.sh
+./bin/sicherheit-install
+```
+
+Optional global verlinken:
+
+```bash
+sudo ln -sf "$(pwd)/bin/sicherheit-install" /usr/local/bin/sicherheit-install
+sudo sicherheit-install
+```
+
+## Pruefen
+
+```bash
+fail2ban-client status
+ufw status verbose
+systemctl status unattended-upgrades --no-pager
+node --version
+npm --version
+codex --help
+```
diff --git a/bin/sicherheit-install b/bin/sicherheit-install
new file mode 100755
index 0000000..a12697d
--- /dev/null
+++ b/bin/sicherheit-install
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd -- "${SCRIPT_DIR}/.." && pwd)"
+
+if [[ "${EUID}" -ne 0 ]]; then
+  exec sudo "${REPO_ROOT}/scripts/bootstrap_ubuntu_lxc_security.sh" "$@"
+fi
+
+exec "${REPO_ROOT}/scripts/bootstrap_ubuntu_lxc_security.sh" "$@"
diff --git a/config/fail2ban/jail.local b/config/fail2ban/jail.local
new file mode 100644
index 0000000..203df17
--- /dev/null
+++ b/config/fail2ban/jail.local
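Review bot: REPO_ROOT in bin/sicherheit-install is derived from `dirname -- "${BASH_SOURCE[0]}"`, so after the `ln -sf ... /usr/local/bin/sicherheit-install` step the README recommends, SCRIPT_DIR becomes /usr/local/bin, REPO_ROOT becomes /usr/local, and both `exec` lines point at a non-existent `/usr/local/scripts/bootstrap_ubuntu_lxc_security.sh`. Resolve the symlink before taking the directory: `SCRIPT_DIR="$(cd -- "$(dirname -- "$(readlink -f -- "${BASH_SOURCE[0]}")")" && pwd)"`. Since the resulting path is handed to `sudo` and run as root, it is also worth failing early with a clear message when the target is missing, e.g. `target="${REPO_ROOT}/scripts/bootstrap_ubuntu_lxc_security.sh"; [[ -f "${target}" ]] || { echo "missing: ${target}" >&2; exit 1; }`, rather than letting sudo report "command not found".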
@@ -0,0 +1,18 @@
+[DEFAULT]
+ignoreip = 127.0.0.1/8 ::1
+bantime = 1h
+findtime = 10m
+maxretry = 5
+backend = systemd
+
+[sshd]
+enabled = true
+port = ssh
+logpath = %(sshd_log)s
+maxretry = 5
+
+[sshd-ddos]
+enabled = true
+port = ssh
+logpath = %(sshd_log)s
+maxretry = 3
diff --git a/scripts/bootstrap_ubuntu_lxc_security.sh b/scripts/bootstrap_ubuntu_lxc_security.sh
new file mode 100755
index 0000000..c5fcf3d
--- /dev/null
+++ b/scripts/bootstrap_ubuntu_lxc_security.sh
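Review bot: The `[sshd-ddos]` jail at the end of the hunk refers to a filter that, as far as I recall, no longer ships with fail2ban 0.10 and later (the versions packaged for current Ubuntu releases) — its patterns were folded into the `sshd` filter behind a `mode` parameter. An enabled jail whose filter cannot be found makes fail2ban reject the whole configuration, and because the bootstrap script runs `systemctl restart fail2ban || true`, that failure would be silent and the container would end up with no SSH brute-force protection at all. Drop the `[sshd-ddos]` section and instead add `mode = aggressive` under `[sshd]`, then verify with `fail2ban-client status sshd` after install. The `maxretry = 5` under `[sshd]` duplicates the `[DEFAULT]` value, and `logpath` is not consulted when `backend = systemd`, so both lines could go as well.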
@@ -0,0 +1,93 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ "${EUID}" -ne 0 ]]; then
+  echo "Bitte als root ausfuehren (z. B. mit sudo)."
+  exit 1
+fi
+
+export DEBIAN_FRONTEND=noninteractive
+
+APT_PACKAGES=(
+  apt-transport-https
+  ca-certificates
+  curl
+  wget
+  gnupg
+  lsb-release
+  software-properties-common
+  jq
+  unzip
+  git
+  vim
+  htop
+  tmux
+  ufw
+  fail2ban
+  unattended-upgrades
+  apt-listchanges
+  needrestart
+  auditd
+  rsyslog
+  logrotate
+)
+
+NODE_MAJOR="20"
+CODEX_NPM_PACKAGE="@openai/codex"
+
+log() {
+  echo "[sicherheit-install] $*"
+}
+
+log "1/8 Paketindex aktualisieren"
+apt-get update -y
+
+log "2/8 Basispakete installieren"
+apt-get install -y "${APT_PACKAGES[@]}"
+
+log "3/8 Automatische Sicherheitsupdates aktivieren"
+dpkg-reconfigure -f noninteractive unattended-upgrades || true
+cat > /etc/apt/apt.conf.d/20auto-upgrades <<'AUTOU'
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";
+AUTOU
+
+log "4/8 fail2ban konfigurieren"
+SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
+if [[ -f "${SCRIPT_DIR}/../config/fail2ban/jail.local" ]]; then
+  install -m 0644 "${SCRIPT_DIR}/../config/fail2ban/jail.local" /etc/fail2ban/jail.local
+fi
+systemctl enable fail2ban || true
+systemctl restart fail2ban || true
+
+log "5/8 UFW Basisregeln setzen"
+ufw allow OpenSSH || true
+ufw allow 80/tcp || true
+ufw allow 443/tcp || true
+ufw --force enable || true
+
+log "6/8 Node.js ${NODE_MAJOR} installieren"
+if ! command -v node >/dev/null 2>&1; then
+  mkdir -p /etc/apt/keyrings
+  curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg
+  echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" > /etc/apt/sources.list.d/nodesource.list
+  apt-get update -y
+  apt-get install -y nodejs
+fi
+
+log "7/8 npm aktualisieren und Codex installieren"
+npm install -g npm@latest
+npm install -g "${CODEX_NPM_PACKAGE}"
+
+log "8/8 Dienste aktivieren"
+systemctl enable unattended-upgrades || true
+systemctl restart unattended-upgrades || true
+systemctl enable auditd || true
+systemctl restart auditd || true
+
+log "Install abgeschlossen"
+node --version || true
+npm --version || true
+fail2ban-client status || true
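Review bot: Step 6/8 pipes the NodeSource key straight from `curl` into `gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg`, so whatever key the download returns becomes trusted for an apt repository, and step 7/8 then installs `npm@latest` and `"${CODEX_NPM_PACKAGE}"` without any version pin — a host-hardening script that has no integrity anchor for any of its third-party installs. Download the key to a `mktemp` file, compare its fingerprint against a value pinned in the script, and only then dearmor it into the keyring; pin the CLI as `CODEX_NPM_PACKAGE="@openai/codex@<pinned-version>"` and either drop the npm self-upgrade or pin it the same way. Two smaller points in the same hunk: `ufw allow 80/tcp` and `ufw allow 443/tcp` open web ports on every container regardless of what it runs, which for a baseline should be opt-in (for example behind an environment variable the script checks), and `auditd` typically cannot attach to the kernel audit socket inside an unprivileged LXC, so `systemctl restart auditd || true` is likely to fail silently — a `log` line on that path would make the gap visible instead of hiding it.
```bash
NODE_MAJOR="20"
# Placeholder: fill in the verified NodeSource signing-key fingerprint (40 hex chars, no spaces).
NODESOURCE_KEY_FPR="<EXPECTED_NODESOURCE_KEY_FINGERPRINT>"
CODEX_NPM_PACKAGE="@openai/codex@<pinned-version>"

# … unchanged: log(), steps 1/8 to 5/8 …

log "6/8 Node.js ${NODE_MAJOR} installieren"
if ! command -v node >/dev/null 2>&1; then
  mkdir -p /etc/apt/keyrings
  keyfile="$(mktemp)"
  curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key -o "${keyfile}"
  # Verify the publisher key before it enters the apt trust store.
  actual_fpr="$(gpg --show-keys --with-colons "${keyfile}" | awk -F: '/^fpr:/ {print $10; exit}')"
  if [[ "${actual_fpr}" != "${NODESOURCE_KEY_FPR}" ]]; then
    echo "NodeSource key fingerprint mismatch: ${actual_fpr}" >&2
    rm -f -- "${keyfile}"
    exit 1
  fi
  gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg "${keyfile}"
  rm -f -- "${keyfile}"
  echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" > /etc/apt/sources.list.d/nodesource.list
  apt-get update -y
  apt-get install -y nodejs
fi

log "7/8 Codex installieren"
npm install -g "${CODEX_NPM_PACKAGE}"

# … unchanged: 8/8 service enablement and version output …
```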