Files
apf_portal/docs/setup/scripts/70-hardening.sh
T
julien d99254a280
CI / commits (push) Has been skipped
CI / check (push) Successful in 3m14s
CI / scan (push) Successful in 3m19s
CI / a11y (push) Successful in 3m59s
CI / perf (push) Successful in 5m48s
Docs site / build (push) Successful in 5m57s
docs(setup): make fail2ban opt-in in 70-hardening.sh (#222)
## Summary

Follow-up on [#220](#220) / [#221](#221). Makes fail2ban **opt-in** in [`70-hardening.sh`](docs/setup/scripts/70-hardening.sh) instead of installing it unconditionally.

Reasoning: some corp environments already ship brute-force protection at the network layer (ACL / corp firewall / appliance) — fail2ban on the host then becomes redundant and can be the wrong layer to debug from when a rule misfires. The other three hardening steps (UFW enable, sshd lockdown) were already prompt-gated; fail2ban was the odd one out.

## What lands

| File | Change |
| --- | --- |
| `docs/setup/scripts/70-hardening.sh` | fail2ban block restructured into three branches: (1) already running → skip; (2) installed but stopped → prompt to enable+start; (3) not installed → prompt to install+enable+start. Each "no" path logs `↪ skip (user choice)` so re-runs don't repeatedly nag if the dev has already declined. |
| `docs/setup/01-dev-debian-vm-setup.md` | Table row for `70-hardening.sh` clarified — each sub-step's prompt posture is now visible: UFW prompts before enabling, fail2ban prompts before installing, sshd hardening prompts before applying. `unattended-upgrades` is the only one applied unconditionally. |
| `docs/setup/README.md` | Same descriptor adjustment. |

## Test plan

- [ ] On a fresh Debian VM with no fail2ban installed, run `70-hardening.sh`, decline the fail2ban prompt → script continues, fail2ban not installed, no service started.
- [ ] On the same VM, re-run `70-hardening.sh` → the fail2ban branch prompts again (the dev may have changed their mind); declining again produces the same `↪ skip (user choice)` result.
- [ ] On a VM where fail2ban is pre-installed but stopped (rare, but possible if infra rolled it back), the script offers to start it without re-installing.
- [x] `pnpm exec prettier --check` clean on the touched files.
- [x] `bash -n docs/setup/scripts/70-hardening.sh` (syntax check) clean.

---------

Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #222
2026-05-24 20:04:16 +02:00

109 lines
4.3 KiB
Bash
Executable File

#!/usr/bin/env bash
# Best-effort VM hardening — probes current state, only applies what's missing.
# Skips cleanly when infra has already configured a step.
# - UFW (allow SSH only)
# - unattended-upgrades (security channel)
# - fail2ban
# - sshd: disable root login + password auth (always validates first)
set -euo pipefail
# shellcheck source=./lib.sh
source "$(cd "$(dirname "$0")" && pwd)/lib.sh"
require_debian
require_not_root
log "Hardening pass — each section probes and skips if already done."
# ─── 1. UFW ────────────────────────────────────────────────────────────
if ! command -v ufw >/dev/null; then
apt_install ufw
fi
if sudo ufw status | head -1 | grep -q 'Status: active'; then
skip "UFW already active. Current rules:"
sudo ufw status numbered | sed 's/^/ /'
else
if confirm "Enable UFW with 'deny incoming, allow SSH'?"; then
sudo ufw default deny incoming >/dev/null
sudo ufw default allow outgoing >/dev/null
sudo ufw allow OpenSSH >/dev/null
sudo ufw --force enable
ok "UFW enabled (SSH-only ingress)."
else
skip "UFW left disabled."
fi
fi
# ─── 2. unattended-upgrades ────────────────────────────────────────────
apt_install unattended-upgrades
AUTO_UP="/etc/apt/apt.conf.d/20auto-upgrades"
if [[ -f "$AUTO_UP" ]] \
&& sudo grep -q 'APT::Periodic::Update-Package-Lists "1"' "$AUTO_UP" \
&& sudo grep -q 'APT::Periodic::Unattended-Upgrade "1"' "$AUTO_UP"; then
skip "unattended-upgrades already enabled."
else
cat <<'EOF' | sudo tee "$AUTO_UP" >/dev/null
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
ok "unattended-upgrades enabled."
fi
# ─── 3. fail2ban (opt-in) ──────────────────────────────────────────────
# Some VMs already ship with infra-managed brute-force protection at the
# network layer (corp firewall, ACLs, etc.). In that case fail2ban on the
# host is redundant — and its presence can be the wrong layer to debug
# from when a rule misfires. Make it a deliberate choice instead of
# imposing it.
if systemctl is-active fail2ban.service >/dev/null 2>&1; then
skip "fail2ban already running."
elif dpkg -s fail2ban >/dev/null 2>&1; then
if confirm "fail2ban is installed but not running. Enable + start it now?"; then
sudo systemctl enable --now fail2ban.service
ok "fail2ban started + enabled at boot."
else
skip "fail2ban left stopped (user choice)."
fi
else
if confirm "Install + enable fail2ban (SSH brute-force protection)?"; then
apt_install fail2ban
sudo systemctl enable --now fail2ban.service
ok "fail2ban installed + started + enabled at boot."
else
skip "fail2ban not installed (user choice)."
fi
fi
# ─── 4. sshd hardening ────────────────────────────────────────────────
# Drop-in file rather than editing /etc/ssh/sshd_config directly.
# We always validate with `sshd -t` before reloading the daemon.
SSHD_DROPIN="/etc/ssh/sshd_config.d/99-apf-portal-hardening.conf"
if sudo test -f "$SSHD_DROPIN"; then
skip "sshd hardening drop-in already at $SSHD_DROPIN."
else
warn "About to disable password auth + root login on SSH."
warn "Make sure your SSH key already works from your workstation."
if confirm "Continue?"; then
cat <<'EOF' | sudo tee "$SSHD_DROPIN" >/dev/null
# Managed by docs/setup/scripts/70-hardening.sh.
# To override or extend, drop another file in /etc/ssh/sshd_config.d/.
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
AllowAgentForwarding yes
EOF
if sudo sshd -t 2>/dev/null; then
sudo systemctl reload ssh.service 2>/dev/null || sudo systemctl reload sshd.service
ok "sshd reloaded with hardened config."
else
err "sshd config validation failed — removing $SSHD_DROPIN."
sudo rm -f "$SSHD_DROPIN"
exit 1
fi
else
skip "sshd hardening declined."
fi
fi
ok "Hardening pass complete."