microdao-daarion/scripts/security/setup-node1-security.sh
Apple 1231647f94 🛡️ Add comprehensive Security Hardening Plan
- Created SECURITY-HARDENING-PLAN.md with 6 security levels
- Added setup-node1-security.sh for automated hardening
- Added scan-image.sh for pre-deployment image scanning
- Created docker-compose.secure.yml template
- Includes: Trivy, fail2ban, UFW, auditd, rkhunter, chkrootkit
- Network isolation, egress filtering, process monitoring
- Incident response procedures and recovery playbook
2026-01-10 05:05:21 -08:00


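#!/bin/bash
# ============================================================
# setup-node1-security.sh — NODE1 security hardening
# ============================================================
# Run on NODE1 after a rebuild, as root:
#   ssh root@144.76.224.179
#   bash < <(curl -s https://raw.githubusercontent.com/.../setup-node1-security.sh)
#
# Steps (one function each, run in order by main):
#   1. system update              6. kernel sysctl hardening
#   2. security packages          7. auditd rules
#   3. Trivy image scanner        8. working directories
#   4. fail2ban (sshd jail)       9. hourly security-check script
#   5. UFW with egress filtering 10. cron schedule
#
# Requirements: root on a Debian/Ubuntu host (apt), outbound 80/443 for
# package and installer downloads. Re-running is safe: every config file is
# rewritten rather than appended to.
# ============================================================
set -euo pipefail
export DEBIAN_FRONTEND=noninteractive

# ANSI colours for progress output.
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m'

# die MESSAGE... — print MESSAGE in red to stderr and exit 1.
die() { printf '%b%s%b\n' "$RED" "$*" "$NC" >&2; exit 1; }

# step MESSAGE... — print a yellow step banner to stdout.
step() { printf '%b\n' "${YELLOW}$*${NC}"; }

#######################################
# 1. Refresh package lists and upgrade the system.
# apt-get has a stable scripting CLI (apt warns about this); the
# noninteractive frontend avoids config-file / service-restart prompts.
#######################################
update_system() {
  step "[1/10] Оновлення системи..."
  apt-get update
  apt-get upgrade -y
}

#######################################
# 2. Install the security tooling and enable unattended upgrades.
# Outputs: writes /etc/apt/apt.conf.d/20auto-upgrades
#######################################
install_tools() {
  step "[2/10] Встановлення security tools..."
  local -a pkgs=(
    fail2ban
    ufw
    auditd
    rkhunter
    chkrootkit
    lynis
    aide
    unattended-upgrades
    apt-listchanges
  )
  apt-get install -y "${pkgs[@]}"
  # Installing unattended-upgrades alone does not schedule it; this file
  # turns on the daily list refresh and upgrade run.
  cat > /etc/apt/apt.conf.d/20auto-upgrades << 'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
  # NOTE: aide is installed but its database is not initialised here
  # (aideinit is slow); run it once the host's file layout is final.
}

#######################################
# 3. Install Trivy (container image scanner) from the upstream installer.
# The installer is downloaded to a temp file and checked to be non-empty
# before execution instead of being piped straight into sh.
# Supply-chain caveat: this still trusts the unpinned `main` branch of the
# installer script; prefer pinning a release version and verifying its
# published checksum.
#######################################
install_trivy() {
  step "[3/10] Встановлення Trivy..."
  local installer
  installer=$(mktemp) || die "mktemp failed"
  curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
    -o "$installer" || die "failed to download Trivy installer"
  [[ -s "$installer" ]] || die "Trivy installer is empty"
  sh "$installer" -b /usr/local/bin || { rm -f -- "$installer"; die "Trivy install failed"; }
  rm -f -- "$installer"
  trivy --version
}

#######################################
# 4. Configure fail2ban with an sshd jail (3 failures in 10 min → 1 h ban).
# Outputs: writes /etc/fail2ban/jail.local
#######################################
configure_fail2ban() {
  step "[4/10] Налаштування fail2ban..."
  cat > /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
bantime  = 3600
findtime = 600
maxretry = 3

[sshd]
enabled  = true
port     = ssh
filter   = sshd
# NOTE(review): on hosts without rsyslog this file may not exist and the
# jail will fail to start; switch to `backend = systemd` in that case.
logpath  = /var/log/auth.log
maxretry = 3
bantime  = 3600
EOF
  systemctl enable fail2ban
  systemctl restart fail2ban
}

#######################################
# 5. Configure UFW: default deny in/out, explicit service allows, and no
# egress to private address ranges. SSH is allowed before the firewall is
# enabled so the current session survives.
#######################################
configure_ufw() {
  step "[5/10] Налаштування UFW..."
  ufw default deny incoming
  ufw default deny outgoing
  ufw allow 22/tcp comment 'SSH'
  ufw allow 80/tcp comment 'HTTP'
  ufw allow 443/tcp comment 'HTTPS'
  # UFW is first-match: the private-range denies must precede the egress
  # allows, otherwise "allow out 443/tcp" already matches traffic to
  # 10.x / 172.16.x and the deny rules never fire.
  # NOTE(review): Docker's default bridge 172.17.0.0/16 lies inside
  # 172.16.0.0/12; if the host itself must reach containers, allow those
  # subnets before these two rules.
  ufw deny out to 10.0.0.0/8 comment 'no egress to private nets'
  ufw deny out to 172.16.0.0/12 comment 'no egress to private nets'
  ufw allow out 53/udp comment 'DNS'
  ufw allow out 443/tcp comment 'HTTPS out'
  ufw allow out 80/tcp comment 'HTTP out'
  ufw allow out 123/udp comment 'NTP'
  # Ports published by Docker bypass UFW's INPUT chain (Docker programs
  # iptables directly); bind them to 127.0.0.1 or filter in DOCKER-USER too.
  ufw --force enable
}

#######################################
# 6. Kernel network/memory hardening via sysctl.
# A dedicated sysctl.d file is idempotent; appending to /etc/sysctl.conf on
# every run accumulates duplicate lines.
# Outputs: writes /etc/sysctl.d/99-security.conf
#######################################
harden_kernel() {
  step "[6/10] Kernel hardening..."
  cat > /etc/sysctl.d/99-security.conf << 'EOF'
# Security hardening (managed by setup-node1-security.sh)
# net.ipv4.ip_forward is intentionally not forced to 0: Docker's bridge
# networking needs forwarding, and the daemon re-enables it on start anyway.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
kernel.randomize_va_space = 2
EOF
  # --system loads sysctl.d as well as /etc/sysctl.conf (-p reads only the latter).
  sysctl --system
}

#######################################
# 7. Install auditd watch rules for Docker, /tmp, cron, accounts, sudo,
# sshd and network configuration.
# Outputs: writes /etc/audit/rules.d/security.rules
#######################################
configure_auditd() {
  step "[7/10] Налаштування auditd..."
  cat > /etc/audit/rules.d/security.rules << 'EOF'
# Monitor Docker
-w /usr/bin/docker -p rwxa -k docker
-w /etc/docker -p rwxa -k docker
# Writes/attribute changes only on the data dir: watching reads and executes
# under /var/lib/docker would log every file access inside every container.
-w /var/lib/docker -p wa -k docker
# Monitor /tmp for executables
-w /tmp -p x -k tmp_exec
# Monitor cron
-w /etc/crontab -p wa -k cron
-w /etc/cron.d -p wa -k cron
# Monitor passwd/shadow/sudoers
-w /etc/passwd -p wa -k passwd
-w /etc/shadow -p wa -k shadow
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d -p wa -k sudoers
# Monitor SSH daemon config
-w /etc/ssh/sshd_config -p wa -k sshd
# Monitor network config
-w /etc/hosts -p wa -k hosts
-w /etc/network -p wa -k network
EOF
  systemctl enable --now auditd
  # Rules under rules.d are compiled and loaded by augenrules. auditd.service
  # may refuse a plain `systemctl restart` (RefuseManualStop), so load the
  # rules directly and fall back to the SysV-style restart.
  augenrules --load || service auditd restart
}

#######################################
# 8. Create working directories for scripts, config, backups and logs.
#######################################
create_dirs() {
  step "[8/10] Створення директорій..."
  mkdir -p /opt/scripts /opt/config /opt/backups /var/log/security
  # Check logs can contain process lists and file hashes; keep them root-only.
  chmod 750 /var/log/security
}

#######################################
# 9. Write the hourly security-check script.
# Outputs: writes /opt/scripts/security-check.sh (root-only, executable)
#######################################
install_check_script() {
  step "[9/10] Створення security check script..."
  cat > /opt/scripts/security-check.sh << 'SCRIPT'
#!/bin/bash
# Security check script - runs every hour from /etc/cron.d/security.
# Appends to /var/log/security/check-YYYYMMDD.log and always exits 0 so
# cron keeps scheduling it even after an alert.
set -u

LOG="/var/log/security/check-$(date +%Y%m%d).log"

# log MESSAGE... — append one line to the daily log.
log() { printf '%s\n' "$*" >> "$LOG"; }

log "$(date) - Starting security check"

# Check for suspicious processes (known miner / backdoor names).
# Kernel threads (children of kthreadd, pid 2) are excluded first: otherwise
# ksoftirqd/N matches "softirq" and raises an alert on every run.
# The [x]mrig bracket form keeps grep's own argv from matching the pattern,
# which replaces the usual "| grep -v grep".
PATTERN='[x]mrig|[k]devtmp|[k]insing|[p]erfctl|[h]ttpd.*tmp|[s]oftirq|[v]rarhpb'
SUSPICIOUS=$(ps -eo pid=,ppid=,user=,args= | awk '$1 != 2 && $2 != 2' | grep -E "$PATTERN" || true)
if [ -n "$SUSPICIOUS" ]; then
  log "🚨 ALERT: Suspicious process found!"
  log "$SUSPICIOUS"
  # Record exactly what is about to be killed. -f matches the full command
  # line, so any process whose argv contains one of these names is affected.
  pgrep -a -f 'xmrig|kdevtmp|kinsing|perfctl' >> "$LOG" 2>&1 || true
  pkill -9 -f 'xmrig|kdevtmp|kinsing|perfctl' || true
fi

# Check /tmp for executables. Names with spaces/newlines are handled via
# -print0; ls -l and sha256sum keep a forensic record before deletion.
TMP_EXEC=$(find /tmp -type f -executable 2>/dev/null || true)
if [ -n "$TMP_EXEC" ]; then
  log "🚨 ALERT: Executable in /tmp!"
  log "$TMP_EXEC"
  find /tmp -type f -executable -print0 2>/dev/null \
    | xargs -0 -r sh -c 'ls -l -- "$@"; sha256sum -- "$@"; rm -f -- "$@"' _ >> "$LOG" 2>&1
fi

# Check CPU load (1-minute average). awk does the float comparison; bc is
# not installed by default, and its absence silently disabled this check.
read -r LOAD _ < /proc/loadavg
if awk -v l="$LOAD" 'BEGIN { exit !(l > 5) }'; then
  log "⚠️ WARNING: High CPU load: $LOAD"
  ps aux --sort=-%cpu | head -10 >> "$LOG"
fi

# Check for containers outside the expected name set.
UNKNOWN=$(docker ps --format '{{.Names}}' 2>/dev/null | grep -v -E "^(dagi-|postgres|redis|neo4j|qdrant|grafana|prometheus)" || true)
if [ -n "$UNKNOWN" ]; then
  log "⚠️ WARNING: Unknown containers: $UNKNOWN"
fi

log "$(date) - Security check complete"
SCRIPT
  # Runs as root from cron; nobody else needs to read or run it.
  chmod 700 /opt/scripts/security-check.sh
}

#######################################
# 10. Schedule the hourly check and the nightly rootkit scans.
# Outputs: writes /etc/cron.d/security
#######################################
configure_cron() {
  step "[10/10] Налаштування cron..."
  # cron's default PATH is /usr/bin:/bin, which does not include /usr/sbin
  # (chkrootkit) or /usr/local/bin; set it explicitly.
  # rkhunter --update is deliberately not chained with &&: on Debian/Ubuntu
  # the packaged rkhunter.conf disables web updates (WEB_CMD=/bin/false), so
  # the update step fails and && would silently skip the nightly check.
  cat > /etc/cron.d/security << 'EOF'
# Security checks
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
0 * * * * root /opt/scripts/security-check.sh
0 3 * * * root rkhunter --update >/dev/null 2>&1; rkhunter --check --skip-keypress > /var/log/security/rkhunter.log 2>&1
0 4 * * * root chkrootkit > /var/log/security/chkrootkit.log 2>&1
EOF
  # cron ignores cron.d files that are group- or world-writable.
  chmod 644 /etc/cron.d/security
}

#######################################
# Final summary of what was installed and how to verify it.
#######################################
print_summary() {
  echo ""
  printf '%b\n' "${GREEN}✅ Security setup complete!${NC}"
  echo ""
  echo "Встановлено:"
  echo " ✓ fail2ban (SSH protection)"
  echo " ✓ UFW (firewall with egress filtering)"
  echo " ✓ Trivy (image scanner)"
  echo " ✓ auditd (system auditing)"
  echo " ✓ rkhunter + chkrootkit (rootkit detection)"
  echo " ✓ Security check script (hourly)"
  echo ""
  echo "Перевірка:"
  echo " ufw status"
  echo " fail2ban-client status"
  echo " trivy --version"
  echo " /opt/scripts/security-check.sh"
}

main() {
  [[ $EUID -eq 0 ]] || die "this script must run as root"
  echo "🛡️ NODE1 Security Setup"
  echo "========================"
  date
  echo ""
  update_system
  install_tools
  install_trivy
  configure_fail2ban
  configure_ufw
  harden_kernel
  configure_auditd
  create_dirs
  install_check_script
  configure_cron
  print_summary
}

main "$@"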