Add Ubuntu LXC security baseline bootstrap with fail2ban, npm and codex

README.md

@@ -0,0 +1,44 @@
+# Ubuntu LXC Security Baseline
+
+Standard-Setup fuer neue Ubuntu-LXC-Container mit Security-Basis und Must-haves:
+
+- System- und Security-Updates (`unattended-upgrades`)
+- Host-Firewall (`ufw`)
+- Brute-Force-Schutz (`fail2ban`)
+- Logging/Auditing (`rsyslog`, `auditd`, `logrotate`)
+- Tooling (`git`, `curl`, `jq`, `tmux`, `htop`, ...)
+- Node.js + npm
+- OpenAI Codex CLI via npm
+
+## Inhalt
+
+- `scripts/bootstrap_ubuntu_lxc_security.sh`
+- `config/fail2ban/jail.local`
+
+## Verwendung
+
+1. Repo in den Container kopieren/klonen.
+2. Als `root` ausfuehren:
+
+```bash
+chmod +x scripts/bootstrap_ubuntu_lxc_security.sh
+sudo ./scripts/bootstrap_ubuntu_lxc_security.sh
+```
+
+## Hinweise
+
+- Das Skript ist auf Ubuntu (LXC) ausgelegt.
+- Fuer produktive Systeme sollten erlaubte Ports in `ufw` an den Dienst angepasst werden.
+- Falls `@openai/codex` abweicht, kann im Skript `CODEx_NPM_PACKAGE` angepasst werden.
+- Fuer SSH-Zugriff wird standardmaessig `OpenSSH` freigegeben.
+
+## Nach dem Setup pruefen
+
+```bash
+fail2ban-client status
+ufw status verbose
+systemctl status unattended-upgrades --no-pager
+node --version
+npm --version
+codex --help
+```

config/fail2ban/jail.local

@@ -0,0 +1,18 @@
+[DEFAULT]
+ignoreip = 127.0.0.1/8 ::1
+bantime  = 1h
+findtime = 10m
+maxretry = 5
+backend  = systemd
+
+[sshd]
+enabled  = true
+port     = ssh
+logpath  = %(sshd_log)s
+maxretry = 5
+
+[sshd-ddos]
+enabled  = true
+port     = ssh
+logpath  = %(sshd_log)s
+maxretry = 3

scripts/bootstrap_ubuntu_lxc_security.sh

@@ -0,0 +1,94 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ "${EUID}" -ne 0 ]]; then
+  echo "Bitte als root ausführen (z. B. mit sudo)."
+  exit 1
+fi
+
+export DEBIAN_FRONTEND=noninteractive
+
+APT_PACKAGES=(
+  apt-transport-https
+  ca-certificates
+  curl
+  wget
+  gnupg
+  lsb-release
+  software-properties-common
+  jq
+  unzip
+  git
+  vim
+  htop
+  tmux
+  ufw
+  fail2ban
+  unattended-upgrades
+  apt-listchanges
+  needrestart
+  auditd
+  rsyslog
+  logrotate
+)
+
+NODE_MAJOR="20"
+CODEx_NPM_PACKAGE="@openai/codex"
+
+echo "[1/8] Paketindex aktualisieren..."
+apt-get update -y
+
+echo "[2/8] Basispakete installieren..."
+apt-get install -y "${APT_PACKAGES[@]}"
+
+echo "[3/8] Automatische Sicherheitsupdates aktivieren..."
+dpkg-reconfigure -f noninteractive unattended-upgrades || true
+
+cat > /etc/apt/apt.conf.d/20auto-upgrades <<'AUTOU'
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";
+AUTOU
+
+echo "[4/8] Fail2ban konfigurieren..."
+if [[ -f /opt/bootstrap/config/fail2ban/jail.local ]]; then
+  install -m 0644 /opt/bootstrap/config/fail2ban/jail.local /etc/fail2ban/jail.local
+elif [[ -f "$(dirname "$0")/../config/fail2ban/jail.local" ]]; then
+  install -m 0644 "$(dirname "$0")/../config/fail2ban/jail.local" /etc/fail2ban/jail.local
+fi
+
+systemctl enable fail2ban || true
+systemctl restart fail2ban || true
+
+echo "[5/8] UFW Basisregeln setzen (SSH, HTTP, HTTPS)..."
+ufw allow OpenSSH || true
+ufw allow 80/tcp || true
+ufw allow 443/tcp || true
+ufw --force enable || true
+
+echo "[6/8] Node.js ${NODE_MAJOR} installieren..."
+if ! command -v node >/dev/null 2>&1; then
+  mkdir -p /etc/apt/keyrings
+  curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg
+  echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" > /etc/apt/sources.list.d/nodesource.list
+  apt-get update -y
+  apt-get install -y nodejs
+fi
+
+echo "[7/8] npm aktualisieren und Codex CLI installieren..."
+npm install -g npm@latest
+npm install -g "${CODEx_NPM_PACKAGE}"
+
+echo "[8/8] Dienste prüfen..."
+systemctl enable unattended-upgrades || true
+systemctl restart unattended-upgrades || true
+systemctl enable auditd || true
+systemctl restart auditd || true
+
+echo
+node --version || true
+npm --version || true
+fail2ban-client status || true
+
+echo "Fertig. Empfohlen: SSH-Härtung und Benutzerrechte zusätzlich prüfen."