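#!/usr/bin/env bash
# ============================================================
# setup-node1-security.sh — NODE1 security setup
# ============================================================
# Run on NODE1 after a rebuild:
#   ssh root@144.76.224.179
#   bash < <(curl -s https://raw.githubusercontent.com/.../setup-node1-security.sh)
#
# Piping the script straight from the network executes whatever the URL
# serves at that moment; copying a reviewed copy over scp and running it
# from disk keeps the host from trusting an unverified download.
#
# Must run as root. Installs fail2ban, UFW, auditd, rkhunter, chkrootkit,
# lynis, AIDE, unattended-upgrades and Trivy, configures each, writes an
# hourly check script to /opt/scripts and schedules it in /etc/cron.d.
# ============================================================
set -euo pipefail

# Terminal colours for the step banners.
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m'

# Print a message to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print a yellow "[n/10] text" banner for one setup step.
step() {
  printf '%b[%s] %s%b\n' "$YELLOW" "$1" "$2" "$NC"
}

# 1. System update. DEBIAN_FRONTEND keeps dpkg from opening prompts that
#    would hang a non-interactive (piped) run.
update_system() {
  step 1/10 "Оновлення системи..."
  export DEBIAN_FRONTEND=noninteractive
  apt-get update
  apt-get upgrade -y
}

# 2. Install the security tooling and switch on the periodic apt hooks,
#    without which unattended-upgrades is installed but never runs.
install_tools() {
  step 2/10 "Встановлення security tools..."
  apt-get install -y \
    fail2ban \
    ufw \
    auditd \
    rkhunter \
    chkrootkit \
    lynis \
    aide \
    unattended-upgrades \
    apt-listchanges
  cat > /etc/apt/apt.conf.d/20auto-upgrades << 'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
  # NOTE: AIDE has no baseline database yet; run `aideinit` once the host
  # reaches its final state, otherwise it cannot report any change.
}

# 3. Install Trivy via the upstream installer. The installer is fetched
#    unauthenticated, so download it to a file first (a truncated transfer
#    is then not half-executed) and allow a pinned release tag through
#    TRIVY_VERSION (e.g. vX.Y.Z) instead of always taking the latest.
install_trivy() {
  step 3/10 "Встановлення Trivy..."
  local installer
  installer=$(mktemp) || die "mktemp failed"
  curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
    -o "$installer"
  sh "$installer" -b /usr/local/bin ${TRIVY_VERSION:+"$TRIVY_VERSION"}
  rm -f -- "$installer"
  trivy --version
}

# 4. fail2ban: protect sshd. Events are read from the journal because
#    /var/log/auth.log only exists when rsyslog is installed, and fail2ban
#    refuses to start a jail whose logpath is missing.
configure_fail2ban() {
  step 4/10 "Налаштування fail2ban..."
  cat > /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
bantime  = 3600
findtime = 600
maxretry = 3
backend  = systemd

[sshd]
enabled  = true
port     = ssh
filter   = sshd
maxretry = 3
bantime  = 3600
EOF
  systemctl enable fail2ban
  systemctl restart fail2ban
}

# 5. UFW with egress filtering. ufw evaluates rules in insertion order, so
#    the private-range denies must precede the 'allow out' rules; placed
#    after them (as before) they never matched traffic on those ports.
#    A resolver inside 10/8 or 172.16/12 needs an explicit allow above
#    the deny lines.
configure_firewall() {
  step 5/10 "Налаштування UFW..."
  ufw default deny incoming
  ufw default deny outgoing
  ufw allow 22/tcp comment 'SSH'
  ufw allow 80/tcp comment 'HTTP'
  ufw allow 443/tcp comment 'HTTPS'
  # Block internal networks
  ufw deny out to 10.0.0.0/8
  ufw deny out to 172.16.0.0/12
  ufw allow out 53/udp comment 'DNS'
  # Large DNS answers fall back to TCP; without this they fail under deny-out.
  ufw allow out 53/tcp comment 'DNS over TCP'
  ufw allow out 443/tcp comment 'HTTPS out'
  ufw allow out 80/tcp comment 'HTTP out'
  ufw allow out 123/udp comment 'NTP'
  # NOTE: Docker programs iptables directly, so container traffic and
  # published ports are not governed by these rules.
  ufw --force enable
}

# 6. Kernel hardening. Written to a dedicated drop-in rather than appended
#    to /etc/sysctl.conf, so re-running the script does not stack
#    duplicate entries.
harden_kernel() {
  step 6/10 "Kernel hardening..."
  cat > /etc/sysctl.d/99-security.conf << 'EOF'
# Security hardening
# NOTE(review): Docker enables net.ipv4.ip_forward at daemon start; every
# sysctl reload of this file switches it back off and breaks container
# networking until dockerd restarts. Confirm this is intended on a Docker host.
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
kernel.randomize_va_space = 2
EOF
  sysctl --system
}

# 7. auditd watch rules. auditd.service refuses manual stop/restart under
#    systemd, so the rules.d set is loaded into the running daemon with
#    augenrules instead of a restart.
configure_auditd() {
  step 7/10 "Налаштування auditd..."
  cat > /etc/audit/rules.d/security.rules << 'EOF'
# Monitor Docker
# NOTE: rwxa on the whole data dir logs every layer read; expect volume.
-w /usr/bin/docker -p rwxa -k docker
-w /var/lib/docker -p rwxa -k docker
-w /etc/docker -p rwxa -k docker

# Monitor /tmp for executables
-w /tmp -p x -k tmp_exec

# Monitor cron
-w /etc/crontab -p wa -k cron
-w /etc/cron.d -p wa -k cron

# Monitor passwd/shadow
-w /etc/passwd -p wa -k passwd
-w /etc/shadow -p wa -k shadow

# Monitor network config
-w /etc/hosts -p wa -k hosts
-w /etc/network -p wa -k network
EOF
  systemctl enable auditd
  systemctl start auditd
  augenrules --load
}

# 8. Working directories for scripts, config, backups and logs.
create_dirs() {
  step 8/10 "Створення директорій..."
  mkdir -p /opt/scripts /opt/config /opt/backups /var/log/security
}

# 9. Hourly security check script. Quoted heredoc: nothing expands here.
write_check_script() {
  step 9/10 "Створення security check script..."
  cat > /opt/scripts/security-check.sh << 'SCRIPT'
#!/usr/bin/env bash
# Security check script - runs every hour from /etc/cron.d/security.
# Appends findings to /var/log/security/check-YYYYMMDD.log.
set -u

LOG="/var/log/security/check-$(date +%Y%m%d).log"
PATTERN='xmrig|kdevtmp|kinsing|perfctl|httpd.*tmp|softirq|vrarhpb'

# Append one line to today's log.
log() { printf '%s\n' "$*" >> "$LOG"; }

log "$(date) - Starting security check"

# Check for suspicious processes. pgrep never matches itself, so the old
# 'grep -v grep' filter is not needed.
SUSPICIOUS=$(pgrep -af "$PATTERN" || true)
if [ -n "$SUSPICIOUS" ]; then
  log "🚨 ALERT: Suspicious process found!"
  log "$SUSPICIOUS"
  # '-f' matches the full command line, so any process that merely
  # mentions one of these names (an editor, a shell history grep) dies too.
  pkill -9 -f 'xmrig|kdevtmp|kinsing|perfctl' || true
fi

# Check /tmp for executable files. NUL-delimited so names with spaces or
# newlines cannot split into several arguments.
mapfile -d '' -t TMP_EXEC < <(find /tmp -type f -executable -print0 2>/dev/null)
if [ "${#TMP_EXEC[@]}" -gt 0 ]; then
  log "🚨 ALERT: Executable in /tmp!"
  printf '%s\n' "${TMP_EXEC[@]}" >> "$LOG"
  # Deleting on sight can break a legitimate installer mid-run; moving the
  # files to /opt/backups for inspection would keep the evidence.
  rm -f -- "${TMP_EXEC[@]}"
fi

# Check CPU load. bc is not installed by the setup script, so the float
# comparison of the 1-minute average is done in awk.
read -r LOAD _ < /proc/loadavg
if awk -v l="$LOAD" 'BEGIN { exit !(l > 5) }'; then
  log "⚠️ WARNING: High CPU load: $LOAD"
  ps aux --sort=-%cpu | head -10 >> "$LOG"
fi

# Check for unknown containers (grep exits 1 when everything is known).
UNKNOWN=$(docker ps --format '{{.Names}}' 2>/dev/null \
  | grep -v -E '^(dagi-|postgres|redis|neo4j|qdrant|grafana|prometheus)' || true)
if [ -n "$UNKNOWN" ]; then
  log "⚠️ WARNING: Unknown containers: $UNKNOWN"
fi

log "$(date) - Security check complete"
SCRIPT
  chmod 0755 /opt/scripts/security-check.sh
}

# 10. Cron schedule. cron silently ignores /etc/cron.d files that are
#     group- or world-writable, hence the explicit mode.
configure_cron() {
  step 10/10 "Налаштування cron..."
  cat > /etc/cron.d/security << 'EOF'
# Security checks
0 * * * * root /opt/scripts/security-check.sh
0 3 * * * root rkhunter --update && rkhunter --check --skip-keypress > /var/log/security/rkhunter.log 2>&1
0 4 * * * root chkrootkit > /var/log/security/chkrootkit.log 2>&1
EOF
  chmod 0644 /etc/cron.d/security
}

# Final summary of what was installed and how to verify it.
print_summary() {
  printf '\n%b✅ Security setup complete!%b\n\n' "$GREEN" "$NC"
  cat << 'EOF'
Встановлено:
  ✓ fail2ban (SSH protection)
  ✓ UFW (firewall with egress filtering)
  ✓ Trivy (image scanner)
  ✓ auditd (system auditing)
  ✓ rkhunter + chkrootkit (rootkit detection)
  ✓ Security check script (hourly)

Перевірка:
  ufw status
  fail2ban-client status
  trivy --version
  /opt/scripts/security-check.sh
EOF
}

main() {
  (( EUID == 0 )) || die "this script must run as root"
  printf '🛡️ NODE1 Security Setup\n'
  printf '========================\n'
  date
  printf '\n'
  update_system
  install_tools
  install_trivy
  configure_fail2ban
  configure_firewall
  harden_kernel
  configure_auditd
  create_dirs
  write_check_script
  configure_cron
  print_summary
}

main "$@"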