Kanu/Sicherheit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4f578eea52f0ac79106d0ebb7e49afb0be7392b9
Sicherheit/scripts/bootstrap_ubuntu_lxc_security.sh
T

126 lines
3.2 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
if [[ "${EUID}" -ne 0 ]]; then
echo "Bitte als root ausfuehren (z. B. mit sudo)."
exit 1
fi
export DEBIAN_FRONTEND=noninteractive
APT_PACKAGES=(
apt-transport-https
ca-certificates
curl
wget
gnupg
lsb-release
software-properties-common
jq
unzip
git
vim
htop
tmux
ufw
fail2ban
unattended-upgrades
apt-listchanges
needrestart
auditd
rsyslog
logrotate
openssh-server
)
NODE_MAJOR="20"
CODEX_NPM_PACKAGE="@openai/codex"
SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
CONFIG_DIR="${SCRIPT_DIR}/../config"
log() {
echo "[sicherheit-install] $*"
}
is_container() {
systemd-detect-virt --quiet --container
}
copy_cfg() {
local src="$1"
local dst="$2"
if [[ -f "${src}" ]]; then
install -D -m 0644 "${src}" "${dst}"
fi
}
log "1/10 Paketindex aktualisieren"
apt-get update -y
log "2/10 Basispakete installieren"
apt-get install -y "${APT_PACKAGES[@]}"
log "3/10 Unattended-Upgrades konfigurieren"
copy_cfg "${CONFIG_DIR}/unattended-upgrades/20auto-upgrades" "/etc/apt/apt.conf.d/20auto-upgrades"
copy_cfg "${CONFIG_DIR}/unattended-upgrades/50unattended-upgrades" "/etc/apt/apt.conf.d/50unattended-upgrades"
dpkg-reconfigure -f noninteractive unattended-upgrades || true
log "4/10 fail2ban vorkonfigurieren"
copy_cfg "${CONFIG_DIR}/fail2ban/jail.local" "/etc/fail2ban/jail.local"
systemctl enable fail2ban || true
systemctl restart fail2ban || true
log "5/10 UFW vorkonfigurieren"
copy_cfg "${CONFIG_DIR}/ufw/after.rules" "/etc/ufw/after.rules"
ufw default deny incoming || true
ufw default allow outgoing || true
ufw logging medium || true
ufw allow ssh || true
ufw allow 80/tcp || true
ufw allow 443/tcp || true
ufw --force enable || true
log "6/10 SSH-Basishardening setzen"
copy_cfg "${CONFIG_DIR}/ssh/sshd_config.d-sicherheit.conf" "/etc/ssh/sshd_config.d/99-sicherheit.conf"
sshd -t && systemctl restart ssh || true
log "7/10 sysctl Hardening setzen"
copy_cfg "${CONFIG_DIR}/sysctl/99-sicherheit.conf" "/etc/sysctl.d/99-sicherheit.conf"
if is_container; then
log "Container erkannt: sysctl --system wird uebersprungen (teilweise read-only in LXC)"
else
sysctl --system || true
fi
log "8/10 auditd Regeln setzen"
copy_cfg "${CONFIG_DIR}/auditd/hardening.rules" "/etc/audit/rules.d/hardening.rules"
if is_container; then
log "Container erkannt: auditd service/augenrules wird uebersprungen"
else
augenrules --load || true
systemctl enable auditd || true
systemctl restart auditd || true
fi
log "9/10 Node.js ${NODE_MAJOR} installieren"
if ! command -v node >/dev/null 2>&1; then
mkdir -p /etc/apt/keyrings
curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg
echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" > /etc/apt/sources.list.d/nodesource.list
apt-get update -y
apt-get install -y nodejs
fi
log "10/10 npm aktualisieren und Codex installieren"
npm install -g npm@latest
npm install -g "${CODEX_NPM_PACKAGE}"
systemctl enable unattended-upgrades || true
systemctl restart unattended-upgrades || true
log "Install abgeschlossen"
node --version || true
npm --version || true
fail2ban-client status || true
ufw status verbose || true
Reference in New Issue View Git Blame Copy Permalink