Add Ubuntu LXC security baseline bootstrap with fail2ban, npm and codex
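--- /dev/null
+++ b/<README-PATH-PLACEHOLDER>
@@ -0,0 +1,44 @@
+# Ubuntu LXC Security Baseline
+
+Standard-Setup fuer neue Ubuntu-LXC-Container mit Security-Basis und Must-haves:
+
+- System- und Security-Updates (`unattended-upgrades`)
+- Host-Firewall (`ufw`)
+- Brute-Force-Schutz (`fail2ban`)
+- Logging/Auditing (`rsyslog`, `auditd`, `logrotate`)
+- Tooling (`git`, `curl`, `jq`, `tmux`, `htop`, ...)
+- Node.js + npm
+- OpenAI Codex CLI via npm
+
+## Inhalt
+
+- `scripts/bootstrap_ubuntu_lxc_security.sh`
+- `config/fail2ban/jail.local`
+
+## Verwendung
+
+1. Repo in den Container kopieren/klonen.
+2. Als `root` ausfuehren:
+
+```bash
+chmod +x scripts/bootstrap_ubuntu_lxc_security.sh
+sudo ./scripts/bootstrap_ubuntu_lxc_security.sh
+```
+
+## Hinweise
+
+- Das Skript ist auf Ubuntu (LXC) ausgelegt.
+- Fuer produktive Systeme sollten erlaubte Ports in `ufw` an den Dienst angepasst werden.
+- Falls `@openai/codex` abweicht, kann im Skript `CODEx_NPM_PACKAGE` angepasst werden.
+- Fuer SSH-Zugriff wird standardmaessig `OpenSSH` freigegeben.
+
+## Nach dem Setup pruefen
+
+```bash
+fail2ban-client status
+ufw status verbose
+systemctl status unattended-upgrades --no-pager
+node --version
+npm --version
+codex --help
+```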
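--- /dev/null
+++ b/config/fail2ban/jail.local
@@ -0,0 +1,18 @@
+[DEFAULT]
+ignoreip = 127.0.0.1/8 ::1
+bantime = 1h
+findtime = 10m
+maxretry = 5
+backend = systemd
+
+[sshd]
+enabled = true
+port = ssh
+logpath = %(sshd_log)s
+maxretry = 5
+
+[sshd-ddos]
+enabled = true
+port = ssh
+logpath = %(sshd_log)s
+maxretry = 3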
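Review bot: The `[sshd-ddos]` jail at the end of the file has no `filter =` line, so fail2ban will look for a filter named `sshd-ddos`; in fail2ban 0.10 and later that filter was folded into `sshd` (selected with `mode = ddos` or `mode = aggressive`), so on current Ubuntu releases this jail most likely fails to load, and the bootstrap script's `systemctl restart fail2ban || true` would hide exactly that. Either drop the jail and set `mode = aggressive` under `[sshd]`, or give it an explicit `filter = sshd[mode=ddos]`, after confirming the filter set of the fail2ban version the container installs. The `logpath = %(sshd_log)s` lines are ignored once `backend = systemd` is set in `[DEFAULT]`, which deserves a comment such as `# backend = systemd reads the journal; logpath is unused` so nobody expects the file path to matter. `maxretry = 5` under `[sshd]` only repeats the `[DEFAULT]` value.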
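--- /dev/null
+++ b/scripts/bootstrap_ubuntu_lxc_security.sh
@@ -0,0 +1,94 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ "${EUID}" -ne 0 ]]; then
+echo "Bitte als root ausführen (z. B. mit sudo)."
+exit 1
+fi
+
+export DEBIAN_FRONTEND=noninteractive
+
+APT_PACKAGES=(
+apt-transport-https
+ca-certificates
+curl
+wget
+gnupg
+lsb-release
+software-properties-common
+jq
+unzip
+git
+vim
+htop
+tmux
+ufw
+fail2ban
+unattended-upgrades
+apt-listchanges
+needrestart
+auditd
+rsyslog
+logrotate
+)
+
+NODE_MAJOR="20"
+CODEx_NPM_PACKAGE="@openai/codex"
+
+echo "[1/8] Paketindex aktualisieren..."
+apt-get update -y
+
+echo "[2/8] Basispakete installieren..."
+apt-get install -y "${APT_PACKAGES[@]}"
+
+echo "[3/8] Automatische Sicherheitsupdates aktivieren..."
+dpkg-reconfigure -f noninteractive unattended-upgrades || true
+
+cat > /etc/apt/apt.conf.d/20auto-upgrades <<'AUTOU'
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";
+AUTOU
+
+echo "[4/8] Fail2ban konfigurieren..."
+if [[ -f /opt/bootstrap/config/fail2ban/jail.local ]]; then
+install -m 0644 /opt/bootstrap/config/fail2ban/jail.local /etc/fail2ban/jail.local
+elif [[ -f "$(dirname "$0")/../config/fail2ban/jail.local" ]]; then
+install -m 0644 "$(dirname "$0")/../config/fail2ban/jail.local" /etc/fail2ban/jail.local
+fi
+
+systemctl enable fail2ban || true
+systemctl restart fail2ban || true
+
+echo "[5/8] UFW Basisregeln setzen (SSH, HTTP, HTTPS)..."
+ufw allow OpenSSH || true
+ufw allow 80/tcp || true
+ufw allow 443/tcp || true
+ufw --force enable || true
+
+echo "[6/8] Node.js ${NODE_MAJOR} installieren..."
+if ! command -v node >/dev/null 2>&1; then
+mkdir -p /etc/apt/keyrings
+curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg
+echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" > /etc/apt/sources.list.d/nodesource.list
+apt-get update -y
+apt-get install -y nodejs
+fi
+
+echo "[7/8] npm aktualisieren und Codex CLI installieren..."
+npm install -g npm@latest
+npm install -g "${CODEx_NPM_PACKAGE}"
+
+echo "[8/8] Dienste prüfen..."
+systemctl enable unattended-upgrades || true
+systemctl restart unattended-upgrades || true
+systemctl enable auditd || true
+systemctl restart auditd || true
+
+echo
+node --version || true
+npm --version || true
+fail2ban-client status || true
+
+echo "Fertig. Empfohlen: SSH-Härtung und Benutzerrechte zusätzlich prüfen."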
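Review bot: Every security control the script establishes is wrapped in `|| true` — `systemctl restart fail2ban`, `ufw --force enable`, `systemctl restart auditd` — so a broken jail.local or a failed firewall enable leaves the container without the baseline while the script still exits 0 and prints "Fertig"; `set -e` on line 2 buys nothing for these steps. Validate before restarting and let failure propagate, e.g. `fail2ban-client -t` followed by `systemctl restart fail2ban` without the `|| true`, and treat the ufw and auditd steps the same way (the final `fail2ban-client status || true` would otherwise also pass over a dead service). Separately, `npm install -g npm@latest` and `npm install -g "${CODEx_NPM_PACKAGE}"` pull whatever is current at run time with no version pin, so two runs of the baseline do not produce the same image; a pinned version (for example via a constructed `CODEX_NPM_VERSION` variable appended as `@${CODEX_NPM_VERSION}`) makes the result reproducible and reviewable. The `ufw allow 80/tcp` / `ufw allow 443/tcp` rules open two service ports on every container regardless of whether it runs a web service; the README already tells operators to adjust them, which argues for making them opt-in rather than the default.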