archy/image-recipe/scripts/harden-alpine.sh

#!/bin/bash
# Alpine Linux Hardening Script for Archipelago Bitcoin Node OS
# This script applies security hardening to the Alpine base image

set -e

echo "🔒 Starting Alpine Linux hardening..."

# Disable unnecessary services
systemctl disable bluetooth || true
systemctl disable avahi-daemon || true

# Configure kernel parameters for security
cat >> /etc/sysctl.conf <<EOF

# Archipelago Security Hardening
# Disable IP forwarding
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

# Enable SYN flood protection
net.ipv4.tcp_syncookies = 1

# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Disable ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Disable send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Log martian packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Ignore ICMP ping requests (can be enabled if needed)
# net.ipv4.icmp_echo_ignore_all = 1

# Ignore ICMP ping broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bogus ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Enable RFC-recommended source validation
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable IPv6 if not needed (uncomment if IPv6 not required)
# net.ipv6.conf.all.disable_ipv6 = 1
# net.ipv6.conf.default.disable_ipv6 = 1
EOF

# Configure SSH (if installed)
if [ -f /etc/ssh/sshd_config ]; then
    sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config || true
    sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config || true
    sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config || true
fi

# Set up fail2ban basic configuration
if [ -f /etc/fail2ban/jail.conf ]; then
    cat > /etc/fail2ban/jail.local <<EOF
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
destemail = root@localhost
sendername = Fail2Ban
action = %(action_)s

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
EOF
fi

# Configure automatic security updates
cat > /etc/periodic/daily/archipelago-security-updates <<'EOF'
#!/bin/sh
# Automatic security updates for Archipelago
apk update && apk upgrade -u || true
EOF
chmod +x /etc/periodic/daily/archipelago-security-updates

# Set restrictive file permissions
chmod 700 /var/lib/archipelago/secrets
chmod 755 /var/lib/archipelago/apps
chmod 755 /var/lib/archipelago/logs

# Create log directory with proper permissions
mkdir -p /var/log/archipelago
chmod 755 /var/log/archipelago

# Configure log rotation for archipelago logs
cat > /etc/logrotate.d/archipelago <<EOF
/var/log/archipelago/*.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    create 0644 root root
}
EOF

echo "✅ Alpine Linux hardening complete!"
Initial commit 2026-01-24 22:01:51 +00:00			`#!/bin/bash`
			`# Alpine Linux Hardening Script for Archipelago Bitcoin Node OS`
			`# This script applies security hardening to the Alpine base image`

			`set -e`

			`echo "🔒 Starting Alpine Linux hardening..."`

			`# Disable unnecessary services`
			`systemctl disable bluetooth \|\| true`
			`systemctl disable avahi-daemon \|\| true`

			`# Configure kernel parameters for security`
			`cat >> /etc/sysctl.conf <<EOF`

			`# Archipelago Security Hardening`
			`# Disable IP forwarding`
			`net.ipv4.ip_forward = 0`
			`net.ipv6.conf.all.forwarding = 0`

			`# Enable SYN flood protection`
			`net.ipv4.tcp_syncookies = 1`

			`# Disable source routing`
			`net.ipv4.conf.all.accept_source_route = 0`
			`net.ipv4.conf.default.accept_source_route = 0`
			`net.ipv6.conf.all.accept_source_route = 0`
			`net.ipv6.conf.default.accept_source_route = 0`

			`# Disable ICMP redirects`
			`net.ipv4.conf.all.accept_redirects = 0`
			`net.ipv4.conf.default.accept_redirects = 0`
			`net.ipv6.conf.all.accept_redirects = 0`
			`net.ipv6.conf.default.accept_redirects = 0`

			`# Disable send redirects`
			`net.ipv4.conf.all.send_redirects = 0`
			`net.ipv4.conf.default.send_redirects = 0`

			`# Log martian packets`
			`net.ipv4.conf.all.log_martians = 1`
			`net.ipv4.conf.default.log_martians = 1`

			`# Ignore ICMP ping requests (can be enabled if needed)`
			`# net.ipv4.icmp_echo_ignore_all = 1`

			`# Ignore ICMP ping broadcasts`
			`net.ipv4.icmp_echo_ignore_broadcasts = 1`

			`# Ignore bogus ICMP errors`
			`net.ipv4.icmp_ignore_bogus_error_responses = 1`

			`# Enable RFC-recommended source validation`
			`net.ipv4.conf.all.rp_filter = 1`
			`net.ipv4.conf.default.rp_filter = 1`

			`# Disable IPv6 if not needed (uncomment if IPv6 not required)`
			`# net.ipv6.conf.all.disable_ipv6 = 1`
			`# net.ipv6.conf.default.disable_ipv6 = 1`
			`EOF`

			`# Configure SSH (if installed)`
			`if [ -f /etc/ssh/sshd_config ]; then`
			`sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config \|\| true`
			`sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config \|\| true`
			`sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config \|\| true`
			`fi`

			`# Set up fail2ban basic configuration`
			`if [ -f /etc/fail2ban/jail.conf ]; then`
			`cat > /etc/fail2ban/jail.local <<EOF`
			`[DEFAULT]`
			`bantime = 3600`
			`findtime = 600`
			`maxretry = 5`
			`destemail = root@localhost`
			`sendername = Fail2Ban`
			`action = %(action_)s`

			`[sshd]`
			`enabled = true`
			`port = ssh`
			`logpath = %(sshd_log)s`
			`backend = %(sshd_backend)s`
			`EOF`
			`fi`

			`# Configure automatic security updates`
			`cat > /etc/periodic/daily/archipelago-security-updates <<'EOF'`
			`#!/bin/sh`
			`# Automatic security updates for Archipelago`
			`apk update && apk upgrade -u \|\| true`
			`EOF`
			`chmod +x /etc/periodic/daily/archipelago-security-updates`

			`# Set restrictive file permissions`
			`chmod 700 /var/lib/archipelago/secrets`
			`chmod 755 /var/lib/archipelago/apps`
			`chmod 755 /var/lib/archipelago/logs`

			`# Create log directory with proper permissions`
			`mkdir -p /var/log/archipelago`
			`chmod 755 /var/log/archipelago`

			`# Configure log rotation for archipelago logs`
			`cat > /etc/logrotate.d/archipelago <<EOF`
			`/var/log/archipelago/*.log {`
			`daily`
			`rotate 30`
			`compress`
			`delaycompress`
			`missingok`
			`notifempty`
			`create 0644 root root`
			`}`
			`EOF`

			`echo "✅ Alpine Linux hardening complete!"`