#!/bin/bash
# SPDX-FileCopyrightText: 2025 Juan Manuel Méndez Rey
# SPDX-License-Identifier: GPL-3.0-or-later
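# Abort on any failing command, unset variable, or failing pipeline stage.
set -euo pipefail

echo "🛡️ Conquer Web Security Enhancement Setup"
echo "========================================"
echo ""

# Everything below writes under /etc and restarts services, so require root.
if [[ "$EUID" -ne 0 ]]; then
  echo "❌ This script must be run as root" >&2
  echo " Run with: sudo $0" >&2
  exit 1
fi

# Read the site's domain from the production config if it exists.
#
# The config lives in the unprivileged project tree (this script later chowns
# files in it to conquer:conquer), so it must NOT be `source`d while running
# as root: any command placed in that file would execute with root privileges.
# Only the single DOMAIN value is needed, so extract it as data instead.
PROJECT_DIR="/home/conquer/conquer-web"
ENV_FILE="$PROJECT_DIR/config/production.env"
DOMAIN_NAME=""
if [[ -f "$ENV_FILE" ]]; then
  # Last `DOMAIN=value` (optionally `export`ed) wins, as it would when sourced;
  # `|| true` keeps a missing key from tripping `set -e`/pipefail.
  domain_line=$(grep -E '^(export[[:space:]]+)?DOMAIN=' "$ENV_FILE" | tail -n 1) || true
  DOMAIN_NAME=${domain_line#*DOMAIN=}
  # Strip surrounding single/double quotes the env file may use.
  DOMAIN_NAME=${DOMAIN_NAME//[\"\']/}
  if [[ -z "$DOMAIN_NAME" ]]; then
    echo "⚠️ DOMAIN is not set in $ENV_FILE. Using generic configuration."
    DOMAIN_NAME="your-domain"
  fi
else
  echo "⚠️ Production environment not found. Using generic configuration."
  DOMAIN_NAME="your-domain"
fi
# DOMAIN_NAME is informational only; none of the generated files below use it.
echo "🔍 Configuring security for domain: $DOMAIN_NAME"
echo ""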
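# Install fail2ban
echo "📦 Installing fail2ban..."
apt update
apt install -y fail2ban

# The jails below watch the per-site Apache logs. fail2ban refuses to start a
# jail whose logpath matches no file, so warn early if the vhost has not
# produced any logs yet (the generic fallback above suggests this can happen).
if ! compgen -G "/var/log/apache2/conquer_*_error.log" >/dev/null; then
  echo "⚠️ No /var/log/apache2/conquer_*_error.log found yet; the jails below will not start until Apache has logged for this site." >&2
fi

# Create fail2ban configuration
echo "🔧 Configuring fail2ban for Conquer Web..."
# Quoted heredoc: nothing in the jail file needs shell expansion.
cat > /etc/fail2ban/jail.d/conquer-web.conf << 'EOF'
# Conquer Web fail2ban configuration
# Auto-generated by setup-security.sh
#
# All three jails ban at the firewall on both HTTP ports via the iptables
# action (the `iptables` binary must exist; iptables-nft is fine). ignoreip
# keeps the host from banning itself (local health checks, loopback proxying);
# add your own admin IP/CIDR here if you manage the box over the same path,
# because apache-dos-conquer is a pure rate limit that cannot tell a legitimate
# heavy user from a flood.

# Stock apache-auth filter: failed HTTP auth and "client denied" entries in the
# error log.
[apache-auth-conquer]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/conquer_*_error.log
ignoreip = 127.0.0.1/8 ::1
maxretry = 3
bantime = 3600
findtime = 600
action = iptables-multiport[name=apache-auth-conquer, port="http,https", protocol=tcp]

# Rate limit: more than 200 successful/redirected GET/POST hits from one
# address within 5 minutes. NOTE: if this site is served through a reverse
# proxy or CDN, the access-log client field is the proxy's address and this
# jail would ban the proxy itself; disable it or log the forwarded client
# address in that setup.
[apache-dos-conquer]
enabled = true
port = http,https
filter = apache-dos-conquer
logpath = /var/log/apache2/conquer_*_access.log
ignoreip = 127.0.0.1/8 ::1
maxretry = 200
bantime = 1800
findtime = 300
action = iptables-multiport[name=apache-dos-conquer, port="http,https", protocol=tcp]

# Custom filter (filter.d/ttyd-auth.conf). Its AH01797/AH01630 patterns are the
# "client denied by server configuration" lines produced by `Require all denied`
# blocks, which recent stock apache-auth filters also match, so one log line
# can count against both this jail and apache-auth-conquer.
[ttyd-auth]
enabled = true
port = http,https
filter = ttyd-auth
logpath = /var/log/apache2/conquer_*_error.log
ignoreip = 127.0.0.1/8 ::1
maxretry = 5
bantime = 7200
findtime = 900
action = iptables-multiport[name=ttyd-auth, port="http,https", protocol=tcp]
EOF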
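# Create custom ttyd filter
echo "🎯 Creating custom ttyd authentication filter..."
# Continuation lines of a multi-line failregex MUST be indented: fail2ban's
# parser treats an unindented line as a new key and the jail fails to load.
cat > /etc/fail2ban/filter.d/ttyd-auth.conf << 'EOF'
# fail2ban filter for ttyd authentication failures
# Matches Apache error log entries for HTTP 401 responses
#
# NOTE(review): the first pattern ("client sent HTTP code 401") does not match
# any stock Apache error-log message this reviewer could identify; a 401
# returned by a proxied backend shows up in the *access* log as a status code,
# not in the error log. The AH01797/AH01630 patterns match requests rejected by
# a `Require all denied` block (e.g. the path blocklist in conquer-security.conf)
# and are also covered by the stock apache-auth filter, so they may double-count
# with the [apache-auth-conquer] jail. Check /etc/fail2ban/filter.d/apache-auth.conf
# on this host before relying on this jail for anything auth-specific.
[Definition]
failregex = ^.* \[client <HOST>:\d+\] client sent HTTP code 401.*
            ^.* \[client <HOST>:\d+\] AH01797: client denied by server configuration.*
            ^.* \[client <HOST>:\d+\] AH01630: client denied by server configuration.*
ignoreregex =
EOF

# Create custom DoS filter for Apache access logs
echo "🎯 Creating custom DoS protection filter..."
cat > /etc/fail2ban/filter.d/apache-dos-conquer.conf << 'EOF'
# fail2ban filter for DoS attacks via Apache access logs
# Detects excessive requests from single IP
#
# Assumes the common/combined LogFormat, where the client address is the first
# field. Behind a reverse proxy or CDN that field is the proxy's own address,
# so the jail would ban the proxy; log the forwarded client address and adapt
# this pattern before using it there. Because 200/206/301/302 responses are
# counted, ordinary page loads (every asset) count toward the limit.
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*" (200|206|301|302) .*$
ignoreregex =
EOF

# Enable and start fail2ban.
# The jail file above references the two filters just written, so this must
# stay after both heredocs.
echo "🚀 Starting fail2ban service..."
systemctl enable fail2ban
systemctl restart fail2ban

# Install logwatch for log monitoring
echo "📊 Installing logwatch for log monitoring..."
apt install -y logwatch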
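# Create additional Apache security configuration
echo "🔒 Adding enhanced Apache security headers..."
# The directives below need mod_headers and mod_rewrite; enabling them here
# keeps `apache2ctl configtest` from failing with "Invalid command 'Header'"
# on a host where they were never turned on. a2enmod is idempotent.
a2enmod headers rewrite
# Quoted heredoc: `%{QUERY_STRING}` etc. must reach Apache untouched.
cat > /etc/apache2/conf-available/conquer-security.conf << 'EOF'
# Enhanced security configuration for Conquer Web
# Auto-generated by setup-security.sh

# Additional security headers.
# COEP/COOP/CORP lock the site to its own origin; any cross-origin asset or
# embed the app relies on must itself send CORP/CORS headers or the browser
# will refuse to load it.
Header always set X-Robots-Tag "noindex, nofollow"
Header always set X-Permitted-Cross-Domain-Policies "none"
Header always set Cross-Origin-Embedder-Policy "require-corp"
Header always set Cross-Origin-Opener-Policy "same-origin"
Header always set Cross-Origin-Resource-Policy "same-origin"

# Hide server information.
# mod_headers generally cannot remove Apache's own Server header (it is added
# after the headers phase); ServerTokens Prod is what actually reduces it.
Header always unset X-Powered-By
Header always unset Server
ServerTokens Prod

# Block suspicious request patterns.
# The regex is unanchored, so it rejects any URL path *containing* one of these
# substrings (e.g. /static/app-config.js). Tighten it if the app serves such paths.
<LocationMatch "(\.php|\.asp|\.jsp|wp-admin|phpmyadmin|\.git|\.env|config)">
    Require all denied
</LocationMatch>

# Request filtering.
# Rewrite rules in server context are not applied inside a <VirtualHost>
# unless inherited; InheritDownBefore (Apache 2.4.8+) pushes them into every
# vhost ahead of the vhost's own rules. Verify with a probe request
# (e.g. `?q=<script`) after enabling.
RewriteEngine On
RewriteOptions InheritDownBefore

# Limit request methods (applied globally).
# Done with mod_rewrite rather than `Require method` inside <Location />: a
# Require in a global <Location /> is an authorization section, and with the
# default AuthMerging Off it can replace, not extend, authorization the vhost
# configured in <Directory>/<Proxy> sections, which could silently drop the
# site's own `Require valid-user` depending on where that vhost puts it.
# A rewrite rule has no interaction with authorization merging.
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD|OPTIONS)$
RewriteRule ^ - [F,L]

# Coarse blocklist on the raw (still percent-encoded) query string. It stops
# trivial scanner payloads, not a determined attacker, and it also rejects
# benign queries containing words like "onload". Do not treat it as a WAF.
RewriteCond %{QUERY_STRING} (union.*select|concat.*\(|script.*>) [NC,OR]
RewriteCond %{QUERY_STRING} (\.\.\/|\.\.\\|etc\/passwd|boot\.ini) [NC,OR]
RewriteCond %{QUERY_STRING} (<script|javascript:|vbscript:|onload|onerror) [NC]
RewriteRule .* - [F,L]
EOF

# Enable the new security configuration
a2enconf conquer-security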
# Test configurations
echo "🧪 Testing configurations..."

# Validate the fail2ban configuration.
# NOTE(review): fail2ban was already restarted above with the new jails, so a
# failure here means the service is currently running without them (or not at
# all); the journal excerpt is the first place to look.
echo "Testing fail2ban configuration..."
if ! fail2ban-client -t; then
  echo "❌ fail2ban configuration has errors"
  echo "Checking fail2ban logs for details:"
  journalctl -u fail2ban --no-pager -n 20
  echo ""
  echo "You can check the configuration manually with:"
  echo "sudo fail2ban-client -t"
  echo "sudo fail2ban-client -d"
  exit 1
fi
echo "✅ fail2ban configuration is valid"

# Validate Apache and reload only once the syntax check has passed.
if ! apache2ctl configtest; then
  echo "❌ Apache configuration has errors"
  exit 1
fi
echo "✅ Apache configuration is valid"
systemctl reload apache2
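# Create monitoring script
echo "📝 Creating security monitoring script..."
# Quoted heredoc: nothing in the generated script is expanded at install time.
cat > "$PROJECT_DIR/check-security.sh" << 'EOF'
#!/bin/bash
# SPDX-FileCopyrightText: 2025 Juan Manuel Méndez Rey
# SPDX-License-Identifier: GPL-3.0-or-later
#
# Prints fail2ban state, recent Apache auth failures and basic host resources.
# Read-only. Needs root: the fail2ban control socket and /var/log/apache2 are
# not readable by the unprivileged project user.

if [[ "$EUID" -ne 0 ]]; then
  echo "❌ This script must be run as root" >&2
  exit 1
fi

echo "🛡️ Conquer Web Security Status Check"
echo "===================================="
echo ""

# Check fail2ban status
echo "📊 fail2ban Status:"
fail2ban-client status
echo ""

echo "🚫 Currently Banned IPs:"
# "Jail list:" is a comma-separated line of the status output; jail names
# contain no whitespace, so splitting on ", " is safe.
IFS=', ' read -r -a jails <<<"$(fail2ban-client status | sed -n 's/^.*Jail list:[[:space:]]*//p')"
for jail in "${jails[@]}"; do
  echo "Jail: $jail"
  fail2ban-client status "$jail" | grep "Banned IP list"
done
echo ""

# `tail` exits 0 whatever grep found, so a `grep ... | tail || echo "none"`
# fallback can never fire; capture the output and test it instead.
echo "📈 Recent Authentication Failures (last 10):"
# Match the status field of common/combined log lines (`" 401 `) rather than
# any "401" substring, which also occurs in byte counts and URLs.
failures=$(grep '" 401 ' /var/log/apache2/conquer_*_access.log 2>/dev/null | tail -n 10)
if [[ -n "$failures" ]]; then
  printf '%s\n' "$failures"
else
  echo "No recent failures found"
fi
echo ""

echo "🔍 Suspicious Activity Check:"
suspicious=$(grep -iE 'attack|hack|exploit|scan' /var/log/apache2/conquer_*_error.log 2>/dev/null | tail -n 5)
if [[ -n "$suspicious" ]]; then
  printf '%s\n' "$suspicious"
else
  echo "No suspicious activity detected"
fi
echo ""

echo "💾 System Resources:"
df -h / | tail -1
free -h | grep Mem
EOF
chmod +x "$PROJECT_DIR/check-security.sh"
# NOTE(review): the script needs root but is left writable by the conquer user
# inside its own tree. If admins run it with sudo from here, a compromise of
# that account can turn into root by editing the file. Prefer installing a
# root-owned copy under /usr/local/sbin for privileged use.
chown conquer:conquer "$PROJECT_DIR/check-security.sh"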
# Final summary for the operator. Unquoted heredoc so $PROJECT_DIR expands;
# nothing else in the text is subject to expansion.
# NOTE(review): the "DoS and DDoS" line is optimistic: the DoS jail is a
# per-source-address rate limit and does nothing against distributed floods.
cat << EOF

🎉 Security enhancements installed successfully!

📋 What was configured:
 ✅ fail2ban with custom Conquer Web rules
 ✅ Enhanced Apache security headers
 ✅ Request filtering and attack protection
 ✅ Log monitoring with logwatch
 ✅ Security monitoring script created

🔧 Management Commands:
 sudo fail2ban-client status # Check fail2ban status
 sudo fail2ban-client status apache-auth-conquer # Check banned IPs
 cd $PROJECT_DIR && ./check-security.sh # Run security check
 sudo tail -f /var/log/fail2ban.log # Monitor bans in real-time

📚 Documentation:
 See SECURITY.md for detailed configuration and maintenance guide

🔒 Your Conquer Web installation now has enhanced protection against:
 - Brute force authentication attacks
 - DoS and DDoS attempts
 - Common web application attacks
 - Automated scanning and bot activity

🛡️ Security enhancement complete!
EOF