Add Ubuntu LXC security baseline bootstrap with fail2ban, npm and codex
@@ -0,0 +1,44 @@
# Ubuntu LXC Security Baseline
Standard-Setup fuer neue Ubuntu-LXC-Container mit Security-Basis und Must-haves:
- System- und Security-Updates (`unattended-upgrades`)
- Host-Firewall (`ufw`)
- Brute-Force-Schutz (`fail2ban`)
- Logging/Auditing (`rsyslog`, `auditd`, `logrotate`)
- Tooling (`git`, `curl`, `jq`, `tmux`, `htop`, ...)
- Node.js + npm
- OpenAI Codex CLI via npm
## Inhalt
- `scripts/bootstrap_ubuntu_lxc_security.sh`
- `config/fail2ban/jail.local`
## Verwendung
1. Repo in den Container kopieren/klonen.
2. Als `root` ausfuehren:
```bash
chmod +x scripts/bootstrap_ubuntu_lxc_security.sh
sudo ./scripts/bootstrap_ubuntu_lxc_security.sh
```
## Hinweise
- Das Skript ist auf Ubuntu (LXC) ausgelegt.
- Fuer produktive Systeme sollten erlaubte Ports in `ufw` an den Dienst angepasst werden.
- Falls `@openai/codex` abweicht, kann im Skript `CODEx_NPM_PACKAGE` angepasst werden.
- Fuer SSH-Zugriff wird standardmaessig `OpenSSH` freigegeben.
## Nach dem Setup pruefen
```bash
fail2ban-client status
ufw status verbose
systemctl status unattended-upgrades --no-pager
node --version
npm --version
codex --help
```
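
Review bot: The "Nach dem Setup pruefen" block checks fail2ban, ufw, unattended-upgrades, node, npm and codex, but has no check for the logging/auditing components (`rsyslog`, `auditd`) that the feature list advertises; adding something like `systemctl status auditd rsyslog --no-pager` would make a failed audit or log daemon in the container visible. In the "Hinweise" list, `CODEx_NPM_PACKAGE` is written with a lowercase `x`; please confirm it matches the variable name in `scripts/bootstrap_ubuntu_lxc_security.sh`, otherwise the documented override will silently have no effect. The usage step says to run as `root` while the command uses `sudo`, so one of the two should be dropped. Since the script is run as root and installs `@openai/codex` from npm, the README should also state whether the package version is pinned.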