vault1984-dashboard/scripts/harden-pop.sh


#!/bin/bash
# Vault1984 POP Hardening Script — idempotent, run via SSM
# Usage: bash harden-pop.sh
# Can be re-run safely at any time to re-apply hardening.
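set -euo pipefail

# Only inbound port left open once hardening finishes.
readonly VAULT_PORT=1984

#######################################
# Print an error to stderr and abort the run.
# Arguments: message words
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Preflight checks. The script rewrites files under /etc and drives systemd,
# so it must run as root. It also removes every remote path other than SSM
# (port 22 leaves the firewall, sshd is disabled), so refuse to continue when
# the SSM agent is not active — otherwise the host ends up unreachable.
#######################################
preflight() {
  (( EUID == 0 )) || die "must run as root"
  systemctl is-active --quiet amazon-ssm-agent \
    || die "amazon-ssm-agent is not active; refusing to remove SSH access"
}

# 1. Update system
update_system() {
  echo "[1/8] Updating system..."
  yum update -y -q
}

# 2. Install fail2ban (via EPEL)
install_fail2ban() {
  echo "[2/8] Installing fail2ban..."
  # Best-effort: EPEL is already enabled on re-runs.
  amazon-linux-extras install epel -y -q 2>/dev/null || true
  yum install -y -q fail2ban
  systemctl enable fail2ban
}

#######################################
# Wait (bounded) until the fail2ban server answers, so the status query that
# follows a restart does not race the daemon start-up.
# Returns: 0 once the server replies; aborts after 15 attempts.
#######################################
wait_for_fail2ban() {
  local attempt
  for attempt in {1..15}; do
    if fail2ban-client ping >/dev/null 2>&1; then
      return 0
    fi
    sleep 1
  done
  die "fail2ban server did not respond after restart"
}

# 3. Configure fail2ban — sshd jail
configure_fail2ban() {
  echo "[3/8] Configuring fail2ban..."
  # NOTE: jail section must be [sshd] (lowercase), not [ssHD]
  cat > /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
bantime = 86400
findtime = 600
maxretry = 3
ignoreip = 127.0.0.1/8 ::1
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
maxretry = 3
bantime = 86400
EOF
  systemctl restart fail2ban
  wait_for_fail2ban
  # Exits non-zero if the jail failed to load; under set -e that aborts the run.
  fail2ban-client status sshd
}

# 4. NTP / timezone
configure_time() {
  echo "[4/8] Configuring NTP..."
  timedatectl set-timezone UTC
  yum install -y -q chrony
  systemctl enable chronyd
  systemctl start chronyd
}

# 5. Disable unnecessary services (sshd is handled once, in step 8)
disable_services() {
  echo "[5/8] Disabling unnecessary services..."
  local svc
  for svc in postfix rpcbind rpcbind.socket; do
    # Best-effort: units may be absent or already stopped on re-runs.
    systemctl stop "$svc" 2>/dev/null || true
    systemctl disable "$svc" 2>/dev/null || true
  done
}

# 6. Kernel hardening
harden_kernel() {
  echo "[6/8] Kernel hardening..."
  cat > /etc/sysctl.d/99-vault1984.conf << 'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
EOF
  sysctl --system -q
}

# 7. Firewall — allow only the vault1984 port (SSM doesn't need port 22)
configure_firewall() {
  echo "[7/8] Configuring firewall..."
  systemctl enable firewalld
  systemctl start firewalld
  # Best-effort: on re-runs these services are already gone from the zone.
  firewall-cmd --permanent --remove-service=ssh 2>/dev/null || true
  firewall-cmd --permanent --remove-service=dhcpv6-client 2>/dev/null || true
  firewall-cmd --permanent --add-port="${VAULT_PORT}/tcp"
  firewall-cmd --reload
  firewall-cmd --list-all
}

# 8. sshd disabled — POPs are managed exclusively via AWS SSM
disable_sshd() {
  echo "[8/8] Disabling sshd (SSM-managed, no SSH needed)..."
  systemctl stop sshd 2>/dev/null || true
  systemctl disable sshd 2>/dev/null || true
}

# Final state report for the SSM command output.
print_summary() {
  echo ""
  echo "=== Hardening complete ==="
  echo " fail2ban: $(fail2ban-client status | grep 'Jail list' | sed 's/.*Jail list:\s*//')"
  echo " firewall: $(firewall-cmd --list-ports)"
  # is-active already prints the state ("inactive"/"unknown") and exits
  # non-zero; '|| true' keeps set -e quiet without printing the word twice.
  echo " rpcbind: $(systemctl is-active rpcbind 2>/dev/null || true)"
  echo " timezone: $(timedatectl | grep 'Time zone')"
}

#######################################
# Entry point. Requires root and an active SSM agent (see preflight); safe
# to re-run, every step overwrites or re-applies its own state.
#######################################
main() {
  echo "=== Vault1984 POP Hardening ==="
  preflight
  update_system
  install_fail2ban
  configure_fail2ban
  configure_time
  disable_services
  harden_kernel
  configure_firewall
  disable_sshd
  print_summary
}

main "$@"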