+61
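--- /dev/null
+++ b/08-security-baseline.sh
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+set -o errexit
+set -o nounset
+set -o pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# shellcheck source=00-platform-guard.inc
+source "$SCRIPT_DIR/00-platform-guard.inc"
+
+enable_ufw=0
+
+usage() {
+cat <<'EOF'
+Usage: sudo ./08-security-baseline.sh [--enable-ufw]
+
+Installs fail2ban and UFW. UFW is enabled only with the explicit flag.
+EOF
+}
+
+while (($# > 0)); do
+case "$1" in
+--enable-ufw)
+enable_ufw=1
+;;
+-h|--help)
+usage
+exit 0
+;;
+*)
+printf 'CRITICAL: unknown option: %s\n' "$1" >&2
+exit 2
+;;
+esac
+shift
+done
+
+if ((EUID != 0)); then
+printf 'CRITICAL: security baseline setup must run as root\n' >&2
+exit 2
+fi
+require_supported_ubuntu
+if ! command -v apt-get >/dev/null 2>&1; then
+printf 'CRITICAL: apt-get is required\n' >&2
+exit 2
+fi
+
+apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get install -y fail2ban ufw
+systemctl enable --now fail2ban
+
+if ((enable_ufw == 1)); then
+printf 'WARNING: UFW was explicitly requested; SSH and Cockpit rules will be added before enablement\n'
+ufw allow OpenSSH
+ufw allow 9090/tcp comment 'Cockpit'
+ufw --force enable
+else
+printf 'WARNING: UFW is installed but was not enabled; use --enable-ufw after reviewing access requirements\n'
+fi
+
+ufw status verbose || printf 'WARNING: unable to read UFW status\n'
+printf 'OK: security baseline completed\n'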
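Review bot: The UFW branch (`ufw allow OpenSSH` immediately followed by `ufw --force enable`) can cut off the session running the script, because the OpenSSH application profile is presumably tied to sshd's packaged port and nothing here checks which port sshd actually listens on, so a host with a relocated SSH port goes live with no SSH rule. Consider deriving the rule from the effective config before enabling, e.g. `ssh_port=$(sshd -T 2>/dev/null | awk '$1 == "port" { print $2; exit }')` and `ufw allow "${ssh_port:-22}/tcp" comment 'SSH'`, or at minimum add a comment above the allow line recording the port-22 assumption. The same branch never pins the default policy (`ufw default deny incoming` / `ufw default allow outgoing`), so the baseline silently depends on the distribution's shipped defaults instead of stating them. A smaller style point: the two WARNING printf calls in that if/else go to stdout while every other diagnostic in the file is sent to stderr with `>&2`.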