#!/bin/bash
echo_rgb() {
  # Print a string to stdout in a 24-bit (truecolor) foreground colour and
  # reset the terminal colour afterwards.
  #
  # Positional Arguments:
  #   message <type: string> <position: 1> <required: true>
  #     - Text to print
  #   red <type: int> <position: 2> <required: true>
  #     - Red channel, 0 to 255
  #   green <type: int> <position: 3> <required: true>
  #     - Green channel, 0 to 255
  #   blue <type: int> <position: 4> <required: true>
  #     - Blue channel, 0 to 255
  #
  # Usage:
  #   echo_rgb "Yep" 10 8 30
  #
  # POSIX Compliant:
  #   N/A (relies on bash's $'\e' quoting and builtin printf)
  local text="${1}"
  local r="${2}" g="${3}" b="${4}"
  # ESC[0;38;2;R;G;Bm selects the colour, ESC[m resets it. The message is
  # passed as a %s argument so a '%' inside it is never read as a directive.
  local esc=$'\e'
  printf '%s[0;38;2;%s;%s;%sm%s%s[m\n' "${esc}" "${r}" "${g}" "${b}" "${text}" "${esc}"
}
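log() {
  # Print a timestamped, colour-coded log line.
  #
  # INFO, WARNING and DEBUG lines go to stdout, ERROR lines go to stderr.
  # DEBUG lines are suppressed unless the global DEBUG is set to a value
  # other than "" or 0.
  #
  # Globals:
  #   DEBUG (read) - unset, empty or 0 silences DEBUG-level messages
  #
  # Positional Arguments:
  #   level <type: string> <position: 1> <required: true>
  #     - One of info, warn, warning, debug, error (case-insensitive)
  #   message <type: string> <position: 2> <required: true>
  #     - The text to print
  #   line_number <type: int> <position: 3> <required: false>
  #     - Line number of the caller (pass "${LINENO}"); appended to the
  #       message as "(line N)" when given
  #
  # Usage:
  #   log "info" "Could not find that directory"
  #   log "debug" "Entering fail2ban setup" "${LINENO}"
  #
  # Returns:
  #   0 on success, 1 when an unknown level is passed (pairs with `set -e`)
  #
  # POSIX Compliant:
  #   No (uses local, [[ ]] and bash fd redirection)

  # Debug output is enabled by any non-empty DEBUG value other than 0.
  local debug
  debug="${DEBUG:-0}"

  # Timestamp prefix, computed once so every branch prints the same instant.
  local timestamp
  timestamp="[$(echo_rgb "$(date +%Y-%m-%dT%H:%M:%S)" 180 140 255)]"

  # Normalise the level to uppercase; printf rather than echo so a level
  # such as "-n" cannot be swallowed as an echo option.
  local level
  level=$(printf '%s' "${1:-}" | tr '[:lower:]' '[:upper:]')

  local message
  message="${2:-}"
  # Optional caller line number, only appended when supplied.
  if [[ -n "${3:-}" ]]; then
    message="${message} (line ${3})"
  fi

  # tag is the coloured level label, fd the stream it is written to.
  local tag fd=1
  case "${level}" in
    INFO)
      tag=$(echo_rgb "INFO" 0 140 255)
      ;;
    WARN | WARNING)
      tag=$(echo_rgb "WARNING" 255 255 0)
      ;;
    DEBUG)
      # Silently drop debug lines unless debugging is switched on.
      [[ "${debug}" == 0 ]] && return 0
      tag=$(echo_rgb "DEBUG" 0 160 110)
      ;;
    ERROR)
      tag=$(echo_rgb "ERROR" 255 0 0)
      fd=2
      ;;
    # Further log levels can be added as extra arms of this case statement.
    *)
      # Unknown level: report it and return non-zero so `set -e` callers stop.
      printf '%s[ERROR] %s\n' "${timestamp}" "Invalid log level passed, received level \"${level}\" with message \"${message}\"" >&2
      return 1
      ;;
  esac

  # Everything is passed as %s arguments: neither the timestamp (which
  # carries ANSI escapes) nor the message is used as a printf format string.
  printf '%s[%s] %s\n' "${timestamp}" "${tag}" "${message}" >&"${fd}"
  return 0
}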
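#######################################
# Log an error and stop the run.
# Used so that a failed step (package install, config backup) never falls
# through silently into the steps that depend on it.
# Arguments: $1 - message to log at error level
# Returns:   does not return; exits the script with status 1
#######################################
abort_setup() {
  log "error" "${1}"
  exit 1
}

# Install Extra Packages for Enterprise Linux if Missing
log "info" "Installing extra packages for enterprise linux if they are missing..."
sudo dnf install epel-release -y \
  || abort_setup "Failed to install epel-release"
log "info" "Successfully installed extra packages for enterprise linux"

## Fail2ban Setup
# Install Fail2ban
log "info" "Installing fail2ban..."
sudo dnf install fail2ban -y \
  || abort_setup "Failed to install fail2ban"
log "info" "Successfully installed fail2ban"

# Enable and run Fail2ban
log "info" "Enabling and starting fail2ban"
sudo systemctl enable --now fail2ban \
  || abort_setup "Failed to enable and start fail2ban"
log "info" "Successfully enabled and started fail2ban"

# Write config files to jail.d
JAIL_D_PATH="/etc/fail2ban/jail.d"
log "info" "Writing fail2ban local configurations to ${JAIL_D_PATH}"

log "info" "Writing SSHD Configuration"
# Quoted delimiter: the jail file is written verbatim, so the %(...)s
# references below are left for fail2ban to expand, not the shell.
# NOTE(review): "bantime = 15mm" is probably meant to be "15m"; fail2ban's
# time parser appears to accept "mm" as minutes, so it is left as written -
# confirm against the installed fail2ban version.
cat << '__EOF__' | sudo tee "${JAIL_D_PATH}/sshd.local" || abort_setup "Failed to write ${JAIL_D_PATH}/sshd.local"
[sshd]
enabled = true
port = ssh
ignoreip = 127.0.0.1/8
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3
findtime = 1d
bantime = 15mm
usedns = warn
__EOF__

log "info" "Finished writing fail2ban local configurations to ${JAIL_D_PATH}"

# A failed fail2ban restart is reported but does not stop the SSH hardening
# below, which does not depend on it.
if sudo systemctl restart fail2ban; then
  log "info" "Restarted fail2ban"
else
  log "warn" "Failed to restart fail2ban; check its configuration with journalctl -u fail2ban"
fi


## SSH Configuration
log "info" "Installing SSHD configuration..."

SSHD_CONFIG_PATH="/etc/ssh/sshd_config"
SSHD_CONFIG_BACKUP_PATH="/etc/ssh/sshd_config.back"
# Keep the first backup: on a re-run the live file is already this script's
# own configuration, and overwriting the backup would lose the original.
# The backup must exist before sshd_config is replaced, as it is what gets
# restored if the new configuration fails validation.
if sudo test -e "${SSHD_CONFIG_BACKUP_PATH}"; then
  log "warn" "Backup ${SSHD_CONFIG_BACKUP_PATH} already exists, leaving it untouched"
else
  sudo cp "${SSHD_CONFIG_PATH}" "${SSHD_CONFIG_BACKUP_PATH}" \
    || abort_setup "Could not back up ${SSHD_CONFIG_PATH}; refusing to overwrite it"
  log "info" "Made a backup of sshd_config located at ${SSHD_CONFIG_BACKUP_PATH}"
fi

log "info" "Creating SSH banner..."
cat << '__EOF__' | sudo tee "/etc/ssh/banner" || abort_setup "Failed to write /etc/ssh/banner"

┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Orion Technologies - Security Notice ┃
┃ ------------------------------------ ┃
┃ The following source file(s) contains confidential, ┃
┃ proprietary information. Unauthorized use is strictly ┃
┃ prohibited. No portions may be copied, reproduced, ┃
┃ or incorporated outside of this domain without ┃
┃ Price Hiller's prior written consent. ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛

__EOF__
log "info" "Created SSH banner"

log "info" "Writing new SSHD configuration..."
# NOTE(review): this replaces the whole file, so any distro-provided
# directives in the original (for example an Include of drop-in configs)
# are gone afterwards - confirm that is intended.
# NOTE(review): PermitRootLogin yes, X11Forwarding yes, AllowTcpForwarding
# yes and AllowAgentForwarding yes each widen what a compromised account or
# stolen key can do. Password logins are off, so root is key-only, but a
# hardening baseline would normally use PermitRootLogin prohibit-password
# (or no) and leave the forwarding options off unless needed - confirm.
# NOTE(review): UsePrivilegeSeparation is a deprecated option on current
# OpenSSH releases and appears to be ignored with a warning; the `sshd -t`
# run below will show whether the installed version still accepts it.
# Quoted delimiter: nothing in the file is meant to be expanded by the shell.
cat << '__EOF__' | sudo tee "${SSHD_CONFIG_PATH}" || abort_setup "Failed to write ${SSHD_CONFIG_PATH}"
UsePAM yes
UsePrivilegeSeparation yes
X11Forwarding yes
PermitRootLogin yes
LogLevel VERBOSE
SyslogFacility AUTH
AllowAgentForwarding yes
AllowTcpForwarding yes
PrintMotd no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Banner /etc/ssh/banner
AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp /usr/libexec/openssh/sftp-server
Compression delayed
__EOF__

log "info" "Wrote new SSHD configuration"

# Validate before restarting: restarting sshd on a broken configuration
# takes the daemon down and locks out remote access. On failure put the
# backup back and stop without touching the running service.
if ! sudo sshd -t; then
  log "error" "New sshd configuration failed validation, restoring ${SSHD_CONFIG_BACKUP_PATH}"
  sudo cp "${SSHD_CONFIG_BACKUP_PATH}" "${SSHD_CONFIG_PATH}" \
    || abort_setup "Could not restore ${SSHD_CONFIG_BACKUP_PATH} to ${SSHD_CONFIG_PATH}; sshd NOT restarted"
  abort_setup "Restored previous sshd configuration; sshd NOT restarted"
fi

sudo systemctl restart sshd.service \
  || abort_setup "Failed to restart sshd"
log "info" "Restarted SSHD"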