119 lines
3.0 KiB
Bash
Executable File
119 lines
3.0 KiB
Bash
Executable File
#!/bin/bash
|
|
# Alpine Linux Hardening Script for Archipelago Bitcoin Node OS
|
|
# This script applies security hardening to the Alpine base image
|
|
|
|
set -e
|
|
|
|
echo "🔒 Starting Alpine Linux hardening..."
|
|
|
|
# Disable unnecessary services
|
|
systemctl disable bluetooth || true
|
|
systemctl disable avahi-daemon || true
|
|
|
|
# Configure kernel parameters for security
|
|
cat >> /etc/sysctl.conf <<EOF
|
|
|
|
# Archipelago Security Hardening
|
|
# Disable IP forwarding
|
|
net.ipv4.ip_forward = 0
|
|
net.ipv6.conf.all.forwarding = 0
|
|
|
|
# Enable SYN flood protection
|
|
net.ipv4.tcp_syncookies = 1
|
|
|
|
# Disable source routing
|
|
net.ipv4.conf.all.accept_source_route = 0
|
|
net.ipv4.conf.default.accept_source_route = 0
|
|
net.ipv6.conf.all.accept_source_route = 0
|
|
net.ipv6.conf.default.accept_source_route = 0
|
|
|
|
# Disable ICMP redirects
|
|
net.ipv4.conf.all.accept_redirects = 0
|
|
net.ipv4.conf.default.accept_redirects = 0
|
|
net.ipv6.conf.all.accept_redirects = 0
|
|
net.ipv6.conf.default.accept_redirects = 0
|
|
|
|
# Disable send redirects
|
|
net.ipv4.conf.all.send_redirects = 0
|
|
net.ipv4.conf.default.send_redirects = 0
|
|
|
|
# Log martian packets
|
|
net.ipv4.conf.all.log_martians = 1
|
|
net.ipv4.conf.default.log_martians = 1
|
|
|
|
# Ignore ICMP ping requests (can be enabled if needed)
|
|
# net.ipv4.icmp_echo_ignore_all = 1
|
|
|
|
# Ignore ICMP ping broadcasts
|
|
net.ipv4.icmp_echo_ignore_broadcasts = 1
|
|
|
|
# Ignore bogus ICMP errors
|
|
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
|
|
|
# Enable RFC-recommended source validation
|
|
net.ipv4.conf.all.rp_filter = 1
|
|
net.ipv4.conf.default.rp_filter = 1
|
|
|
|
# Disable IPv6 if not needed (uncomment if IPv6 not required)
|
|
# net.ipv6.conf.all.disable_ipv6 = 1
|
|
# net.ipv6.conf.default.disable_ipv6 = 1
|
|
EOF
|
|
|
|
# Configure SSH (if installed)
|
|
if [ -f /etc/ssh/sshd_config ]; then
|
|
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config || true
|
|
sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config || true
|
|
sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config || true
|
|
fi
|
|
|
|
# Set up fail2ban basic configuration
|
|
if [ -f /etc/fail2ban/jail.conf ]; then
|
|
cat > /etc/fail2ban/jail.local <<EOF
|
|
[DEFAULT]
|
|
bantime = 3600
|
|
findtime = 600
|
|
maxretry = 5
|
|
destemail = root@localhost
|
|
sendername = Fail2Ban
|
|
action = %(action_)s
|
|
|
|
[sshd]
|
|
enabled = true
|
|
port = ssh
|
|
logpath = %(sshd_log)s
|
|
backend = %(sshd_backend)s
|
|
EOF
|
|
fi
|
|
|
|
# Configure automatic security updates
|
|
cat > /etc/periodic/daily/archipelago-security-updates <<'EOF'
|
|
#!/bin/sh
|
|
# Automatic security updates for Archipelago
|
|
apk update && apk upgrade -u || true
|
|
EOF
|
|
chmod +x /etc/periodic/daily/archipelago-security-updates
|
|
|
|
# Set restrictive file permissions
|
|
chmod 700 /var/lib/archipelago/secrets
|
|
chmod 755 /var/lib/archipelago/apps
|
|
chmod 755 /var/lib/archipelago/logs
|
|
|
|
# Create log directory with proper permissions
|
|
mkdir -p /var/log/archipelago
|
|
chmod 755 /var/log/archipelago
|
|
|
|
# Configure log rotation for archipelago logs
|
|
cat > /etc/logrotate.d/archipelago <<EOF
|
|
/var/log/archipelago/*.log {
|
|
daily
|
|
rotate 30
|
|
compress
|
|
delaycompress
|
|
missingok
|
|
notifempty
|
|
create 0644 root root
|
|
}
|
|
EOF
|
|
|
|
echo "✅ Alpine Linux hardening complete!"
|