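#!/bin/bash
# Vault1984 POP Hardening Script — idempotent, run via SSM
# Usage: bash harden-pop.sh
# Can be re-run safely at any time to re-apply hardening.
#
# Every step re-asserts a desired end state (package present, unit enabled,
# file contents, firewall rule) rather than toggling anything, so a re-run
# only re-applies.
set -euo pipefail

# Fail up front instead of half-applying: every step below writes under /etc
# or drives systemd/firewalld, all of which require root.
if (( EUID != 0 )); then
  echo "harden-pop.sh must be run as root" >&2
  exit 1
fi

echo "=== Vault1984 POP Hardening ==="

# 1. Update system
echo "[1/8] Updating system..."
yum update -y -q

# 2. Install fail2ban (via EPEL)
echo "[2/8] Installing fail2ban..."
# EPEL may already be enabled from a previous run; that is not an error.
amazon-linux-extras install epel -y -q 2>/dev/null || true
yum install -y -q fail2ban
systemctl enable fail2ban

# 3. Configure fail2ban — sshd jail
# NOTE: jail section must be [sshd] (lowercase), not [ssHD]
# The jail is kept even though sshd is disabled in step 8, so that any
# break-glass re-enable of sshd is covered without touching this file.
echo "[3/8] Configuring fail2ban..."
cat > /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
bantime = 86400
findtime = 600
maxretry = 3
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
maxretry = 3
bantime = 86400
EOF
systemctl restart fail2ban
sleep 2
# Intentionally not "|| true": under set -e a jail that failed to load
# aborts the run here rather than reporting success.
fail2ban-client status sshd

# 4. NTP / timezone
echo "[4/8] Configuring NTP..."
timedatectl set-timezone UTC
yum install -y -q chrony
# enable/start kept separate on purpose: "systemctl enable --now" needs a
# newer systemd than some target images ship.
systemctl enable chronyd
systemctl start chronyd

# 5. Disable unnecessary services (sshd is handled in step 8)
echo "[5/8] Disabling unnecessary services..."
for svc in postfix rpcbind rpcbind.socket; do
  # A unit that is absent or already stopped is the desired state, not a failure.
  systemctl stop "$svc" 2>/dev/null || true
  systemctl disable "$svc" 2>/dev/null || true
done

# 6. Kernel hardening
echo "[6/8] Kernel hardening..."
cat > /etc/sysctl.d/99-vault1984.conf << 'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
EOF
sysctl --system -q

# 7. Firewall — allow only vault1984 port (SSM doesn't need port 22)
echo "[7/8] Configuring firewall..."
systemctl enable firewalld
systemctl start firewalld
# Removing a service that is already absent from the zone exits non-zero;
# that is the desired state on a re-run.
firewall-cmd --permanent --remove-service=ssh 2>/dev/null || true
firewall-cmd --permanent --remove-service=dhcpv6-client 2>/dev/null || true
firewall-cmd --permanent --add-port=1984/tcp
firewall-cmd --reload
firewall-cmd --list-all

# 8. sshd disabled — POPs are managed exclusively via AWS SSM
echo "[8/8] Disabling sshd (SSM-managed, no SSH needed)..."
systemctl stop sshd 2>/dev/null || true
systemctl disable sshd 2>/dev/null || true

# Summary. Capture is-active into a variable: it already prints "inactive"
# while exiting non-zero, so an "|| echo inactive" fallback would print the
# word twice.
rpc_state=$(systemctl is-active rpcbind 2>/dev/null) || true
echo
echo "=== Hardening complete ==="
echo " fail2ban: $(fail2ban-client status | grep 'Jail list' | sed 's/.*Jail list:\s*//')"
echo " firewall: $(firewall-cmd --list-ports)"
echo " rpcbind: ${rpc_state:-inactive}"
echo " timezone: $(timedatectl | grep 'Time zone')"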