#!/bin/bash
# 5/29: Initial Test Deployment.
# 5/30: Bug Fixes.
# - Added epel-release installation for Fail2Ban package availability.
# - Created /etc/fail2ban directory if it doesn't exist.
# - Ensured the fail2ban service was enabled and started.
# - Ensured honeypot-probe service is enabled and started after installation.
# - Added checks for RPM file existence before installation.
# - Fixed RPM file path to include version.
# - Auto-determined the RPM version.
# Function to display help message
# Print the usage text to stdout; $0 is the path the script was invoked as.
show_help() {
  cat <<EOF
Usage: $0 [--probe | --client]

Options:
 --help Show this help message and exit
 --probe Setup probe environment
 --client Setup client environment
EOF
}
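# Refuse to run without root: the package installs, /etc/fail2ban and
# systemctl calls below all need it. Run as root or via sudo; note that the
# ~/.ssh and git settings written later land in the effective user's home
# (typically /root under sudo), not the invoking user's.
if [[ "$(id -u)" -ne 0 ]]; then
  # Diagnostics go to stderr so they are not captured by callers that
  # wrap this script in a command substitution.
  echo "This script must be run as root." >&2
  exit 1
fi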
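#######################################
# Map the running OS to the RPM dist tag used by this repo's package names.
# Arguments:
#   $1 - optional os-release file to read (default /etc/os-release); the
#        parameter exists so the mapping can be tested without touching the host
# Outputs:
#   "el8" or "el9" on stdout; diagnostics on stderr only
# Returns:
#   0 on success, 1 when the file is missing or the OS/version is unsupported
#
# Errors used to be printed on stdout and `exit 1` ran inside the caller's
# command substitution, so the caller captured the error text as the OS
# version and carried on. Errors now go to stderr and the status is returned,
# so callers must check `$?` (or use `os_version=$(determine_os_version) || exit 1`).
#######################################
determine_os_version() {
  local release_file=${1:-/etc/os-release}
  if [[ ! -f "$release_file" ]]; then
    echo "Cannot determine OS version." >&2
    return 1
  fi
  # Source in a subshell so ID, VERSION_ID, NAME, PRETTY_NAME, ... from the
  # os-release file do not leak into the caller's namespace.
  (
    # shellcheck disable=SC1090
    . "$release_file"
    case "${ID:-}" in
      centos|rhel|fedora|almalinux|rocky) ;;
      *)
        echo "Unsupported OS: ${ID:-}" >&2
        exit 1
        ;;
    esac
    # Only major versions 8 and 9 have RPMs in this repo. Fedora passes the ID
    # check above, but its VERSION_ID values are unlikely to start with 8 or 9,
    # so in practice it is rejected here — confirm that is intended.
    case "${VERSION_ID:-}" in
      8*) echo "el8" ;;
      9*) echo "el9" ;;
      *)
        echo "Unsupported OS version: ${VERSION_ID:-}" >&2
        exit 1
        ;;
    esac
  )
}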
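#######################################
# Extract the "<version>-<release>" string from the first RPM under
# ./RPMS/x86_64/ that matches a glob pattern.
# Arguments:
#   $1 - glob pattern relative to ./RPMS/x86_64/,
#        e.g. "honeypot-blocklist-probe-*.el9.x86_64.rpm"
# Outputs:
#   the version-release (e.g. "1.0-1" or "2.10.3-4") on stdout
# Returns:
#   0 when found; 1 (and no output) when nothing matches or the name has no
#   recognisable version — so $(...) still yields "" for the -z check callers do
#
# Uses a glob instead of parsing `ls`, and accepts any number of dotted
# version components (the old regex only matched X.Y-R).
#######################################
determine_rpm_version() {
  local rpm_pattern=$1
  local candidate name
  # Intentionally unquoted so the pattern expands. Globs expand sorted, so
  # this picks the same "first" file the old `ls | head -n 1` did.
  for candidate in ./RPMS/x86_64/$rpm_pattern; do
    # No match leaves the literal pattern behind; treat that as "not found".
    [[ -f "$candidate" ]] || break
    name=${candidate##*/}
    if [[ "$name" =~ -([0-9]+(\.[0-9]+)*-[0-9]+)\. ]]; then
      printf '%s\n' "${BASH_REMATCH[1]}"
      return 0
    fi
    break
  done
  return 1
}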
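#######################################
# Install packages with whichever of yum/dnf is present.
# Arguments: package names or local RPM paths
# Returns:   the package manager's status; exits 1 if neither tool exists
#######################################
_probe_pkg_install() {
  if command -v yum &> /dev/null; then
    yum install -y "$@"
  elif command -v dnf &> /dev/null; then
    dnf install -y "$@"
  else
    echo "Neither yum nor dnf is available for package installation." >&2
    exit 1
  fi
}

#######################################
# Set up a probe host: fail2ban on sshd, an SSH deploy key + alias for
# pushing to the user's GitHub fork, git identity, and the probe RPM/service.
# Globals:   HOME (via ~) for ~/.ssh
# Arguments: none; prompts interactively for git name/email and GitHub username
# Outputs:   progress messages on stdout, diagnostics on stderr
# Returns:   exits 1 on any failed prerequisite or install step
#
# Must run from inside the honeypot-blocklist clone (git remote/config are
# repo-local). Prerequisite checks (OS, RPM present, git checkout) now run
# before anything is modified so a failure leaves no half-configured host.
#######################################
setup_probe() {
  local os_version rpm_version rpm_file
  local git_name git_email github_username

  # Declare and assign separately so a failing helper is not masked by `local`.
  os_version=$(determine_os_version) || exit 1
  rpm_version=$(determine_rpm_version "honeypot-blocklist-probe-*.${os_version}.x86_64.rpm")
  if [[ -z "$rpm_version" ]]; then
    echo "Could not determine RPM version for probe." >&2
    exit 1
  fi
  rpm_file="./RPMS/x86_64/honeypot-blocklist-probe-${rpm_version}.${os_version}.x86_64.rpm"
  if [[ ! -f "$rpm_file" ]]; then
    echo "RPM file not found: $rpm_file" >&2
    exit 1
  fi
  # `git remote set-url` / `git config` below are repo-local; fail now rather
  # than after fail2ban and SSH have been changed. (As root, git may also refuse
  # a checkout owned by another user as "dubious ownership" — run from a clone
  # root owns, or add a safe.directory entry.)
  if ! git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    echo "Not inside a git checkout; run this script from the honeypot-blocklist clone." >&2
    exit 1
  fi

  # Prompt for Git user details (-r keeps backslashes literal).
  read -r -p "Enter your Git name: " git_name
  read -r -p "Enter your Git email: " git_email
  read -r -p "Enter your GitHub username: " github_username
  # The username is spliced into the remote URL; restrict it to the characters
  # GitHub accounts use (alphanumerics and hyphens, up to 39) so nothing else
  # can end up in the URL.
  if [[ ! "$github_username" =~ ^[A-Za-z0-9][A-Za-z0-9-]{0,38}$ ]]; then
    echo "Invalid GitHub username: $github_username" >&2
    exit 1
  fi

  # Check and install Fail2Ban if not installed. epel-release is installed in
  # its own step because fail2ban lives in EPEL on EL8/EL9; its failure is
  # tolerated (e.g. distros that ship fail2ban natively) and the real check is
  # whether fail2ban-server exists afterwards.
  if ! command -v fail2ban-server &> /dev/null; then
    echo "Fail2Ban is not installed. Installing..."
    _probe_pkg_install epel-release
    _probe_pkg_install fail2ban
    if ! command -v fail2ban-server &> /dev/null; then
      echo "Fail2Ban installation failed." >&2
      exit 1
    fi
  fi

  # Configure Fail2Ban. This overwrites any existing jail.local on purpose —
  # the probe's sshd jail is the only one managed here.
  echo "Configuring Fail2Ban..."
  mkdir -p /etc/fail2ban
  cat <<EOL > /etc/fail2ban/jail.local
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 2
bantime = 2h
EOL
  systemctl enable --now fail2ban || exit 1

  # ~/.ssh must exist before ssh-keygen can write into it (the old order
  # created it afterwards, so first runs failed on a fresh root account).
  mkdir -p ~/.ssh
  chmod 700 ~/.ssh
  if [[ ! -f ~/.ssh/id_rsa_probe ]]; then
    echo "Creating SSH key for probe..."
    # Passphrase-less by design: the probe pushes unattended. Treat the key as
    # a single-purpose deploy credential (scope it to the fork on GitHub) and
    # keep it out of backups and shared images.
    ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_probe -N "" || exit 1
    echo "Public key to add to GitHub:"
    cat ~/.ssh/id_rsa_probe.pub
  fi

  # Create SSH config. Append the stanza only once; re-running used to
  # duplicate it. StrictHostKeyChecking is no longer disabled: `accept-new`
  # (OpenSSH 7.6+) records github.com's key on first contact and rejects any
  # later change, instead of silently trusting whoever answers. Compare the
  # recorded key against GitHub's published fingerprints after the first push.
  echo "Creating SSH config..."
  if ! grep -qs '^Host github.com-honeypot-probe$' ~/.ssh/config; then
    cat <<EOL >> ~/.ssh/config
Host github.com-honeypot-probe
HostName github.com
IdentityFile ~/.ssh/id_rsa_probe
IdentitiesOnly yes
StrictHostKeyChecking accept-new
EOL
  fi
  chmod 600 ~/.ssh/config

  # Set git remote URL to user's fork and the repo-local identity.
  echo "Configuring git remote URL..."
  git remote set-url origin "git@github.com-honeypot-probe:${github_username}/honeypot-blocklist.git" || exit 1
  git config user.name "$git_name"
  git config user.email "$git_email"

  # Install the probe RPM and start its service.
  # NOTE(review): installing from a local path skips repo GPG verification
  # unless localpkg_gpgcheck=1 is set in yum/dnf.conf; consider signing the
  # RPMs and enabling that check.
  echo "Installing honeypot-blocklist-probe RPM..."
  _probe_pkg_install "$rpm_file" || exit 1
  systemctl enable --now honeypot-probe || exit 1
}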
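#######################################
# Install packages with whichever of yum/dnf is present.
# Arguments: package names or local RPM paths
# Returns:   the package manager's status; exits 1 if neither tool exists
#######################################
_client_pkg_install() {
  if command -v yum &> /dev/null; then
    yum install -y "$@"
  elif command -v dnf &> /dev/null; then
    dnf install -y "$@"
  else
    echo "Neither yum nor dnf is available for package installation." >&2
    exit 1
  fi
}

#######################################
# Set up a client host: make sure firewalld is installed and running, then
# install the client RPM for this OS.
# Arguments: none
# Outputs:   progress on stdout, diagnostics on stderr
# Returns:   exits 1 on any failed prerequisite or install step
#
# The RPM is located before firewalld is touched so a missing package does not
# leave the firewall state changed for nothing. No client service is enabled
# here — presumably the RPM's scriptlets handle that; confirm against the spec.
#######################################
setup_client() {
  local os_version rpm_version rpm_file

  # Declare and assign separately so a failing helper is not masked by `local`.
  os_version=$(determine_os_version) || exit 1
  rpm_version=$(determine_rpm_version "honeypot-blocklist-client-*.${os_version}.x86_64.rpm")
  if [[ -z "$rpm_version" ]]; then
    echo "Could not determine RPM version for client." >&2
    exit 1
  fi
  rpm_file="./RPMS/x86_64/honeypot-blocklist-client-${rpm_version}.${os_version}.x86_64.rpm"
  if [[ ! -f "$rpm_file" ]]; then
    echo "RPM file not found: $rpm_file" >&2
    exit 1
  fi

  # Ensure firewalld is installed and active; the client needs it to apply the
  # blocklist, so a failure here is fatal rather than ignored.
  echo "Ensuring firewall is installed and active..."
  if ! command -v firewall-cmd &> /dev/null; then
    _client_pkg_install firewalld || exit 1
  fi
  systemctl enable --now firewalld || exit 1

  # NOTE(review): installing from a local path skips repo GPG verification
  # unless localpkg_gpgcheck=1 is set in yum/dnf.conf; consider signing the
  # RPMs and enabling that check.
  echo "Installing honeypot-blocklist-client RPM..."
  _client_pkg_install "$rpm_file" || exit 1
}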
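# Main script logic: exactly one mode flag is expected; extra arguments are
# ignored. Errors go to stderr so they are not mistaken for usage output.
case "${1-}" in
  --help)
    show_help
    ;;
  --probe)
    setup_probe
    ;;
  --client)
    setup_client
    ;;
  "")
    # No argument used to be reported as an empty "Invalid option: ".
    echo "Missing option." >&2
    show_help >&2
    exit 1
    ;;
  *)
    echo "Invalid option: $1" >&2
    show_help >&2
    exit 1
    ;;
esac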