ld-install

#!/bin/bash
#ld-install

#===============================================================================
#
# FILE: 
#   ld-install
#
# REVISION:  
#   001
#
# WHEN TO USE:  
#   When you are very sure you want to boot up the full Lockdown suite of
#   utilities using the configuration files in the conf/ directory where
#   ld-install is located.
#
# USAGE: 
#   ld-install [-d] [-n] [-s] [-v] [-y]
#   ld-install [--dry-run] [--no-download] [--silent] [--verbose] [--yes]
#
# DESCRIPTION:
#   This script will try to do all of the following things, 
#    once it starts running, and in the order specified:
#     * Install extra packages for Enterprise Linux if required
#     * Install iptables, ipset and fail2ban if required
#     * Stop each of the three above services if running
#     * Copy default configuration files into place
#     * Start each of the three services
#     * Enable each of the three services to run at boot
#     * Stop nftables or firewalld
#     * Disable nftables or firewalld from running at boot
#
# OPTIONS:
#   -d | --dry-run
#      Echos the commands that would be executed rather than executing them
#   -h | --help
#      Run help function and exit
#   -n | --no-download
#      Do not run commands to download latest blacklist & country CIDR lists
#   -o | --out
#      Output directory to save backup tarball
#   -s | --silent
#      Silent will attempt to prevent any and all output except in the event
#      of failure.  Silent operation implies --yes and will not ask permission
#      for anything, you have been warned!
#      Currently, any output from external programs will not be suppressed.
#   -v | --verbose
#      Output each line of the script after validations are parsed
#   -x | --no-backup
#      Do not back up any potentially pre-existing files
#   -y | --yes
#      Automatically say yes to everything
#
# TODO:
#  Add -p|--ports option to open custom ports
#  Add -s|--silent option
#  Integrate pre/post processing rules
#
# AUTHOR: Jason (@iDoMeteor)
#===============================================================================

# Strict mode
set -euo pipefail
IFS=$'\n\t'

# Load configuration file
SRCDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
if [ ! -f "$SRCDIR/conf/lockdown-default.conf" ] \
  && [ ! -f "$SRCDIR/conf/lockdown.conf" ]
then
  echo "Lockdown installation configuration file not found, cannot continue."
  exit 1
fi
if [ -f "$SRCDIR/conf/lockdown-default.conf" ]
then
  . "$SRCDIR/conf/lockdown-default.conf"
fi
if [ -f "$SRCDIR/conf/lockdown.conf" ]
then
  . "$SRCDIR/conf/lockdown.conf"
fi

# Instantiate Variables
BACKUP=1
DATE=`date +%s`
DISTRO=''
DOWNLOAD=$update_lists
DRY_RUN=''
EPEL='epel-release'
FAIL2BAN='fail2ban'
GAMIN='gamin'
IPSET='ipset'
IPTABLES='iptables'
PACKAGE_MANAGER='yum'
SAVE_PATH=`pwd`
SILENT=0
YES=''

# Save origin
ORIGIN=`pwd`


# Help function
help () { 
  echo "Description:"
  echo "  Running this program will install Lockdown and all related services,"
  echo "  configuration files and lists."
  echo "Usage:"
  echo "  `basename $0` [-d] [-n] [-s] [-v] [-y]"
  echo "  `basename $0` [--dry-run] [--no-download] [--silent] [--verbose] [--yes]"
  exit 0
}

# Load libraries
. "$SRCDIR/lib/determine_linux_distro"
. "$SRCDIR/lib/lockdown_init"
. "$SRCDIR/lib/lockdown_installation_report"

# Parse command line arguments into variables
while :
do
    case ${1:-} in
      -d | --dry-run)
      DRY_RUN='echo'
      shift 1
    ;;
      -h | --help)
      help
      shift 1
    ;;
      -n | --no-download)
      DOWNLOAD=0
      shift 1
    ;;
      -s | --silent)
      SILENT=1
      YES='-y'
      shift 1
    ;;
      -o | --out)
      SAVE_PATH=$2
      shift 2
    ;;
      -v | --verbose)
      VERBOSE=true
      shift 1
    ;;
      -x | --no-backup)
      BACKUP=0
      shift 1
    ;;
      -y | --yes)
      YES='-y'
      shift 1
    ;;
      -*)
      echo "Error: Unknown option: $1" >&2
      exit 1
    ;;
      *)  # No more options
      break
    ;;
    esac
done

# Ensure distro is supported
determine_distro
if [ -z "$DISTRO" ]
then
  echo "Could not determine distro, cannot continue."
  echo "Please report this as a bug on Github, thanks!"
  exit 1
elif (( ! SILENT ))
then
  echo "$DISTRO discovered, proceeding with $PACKAGE_MANAGER"
  echo
fi

# Warn user unless they've agreed to everything
if [ -z $YES ]
then
  echo "Lockdown is a sophisticated control system for a suite of sophisticated software."
  echo "It's misuse or breakage can cause your system to become unusable or unable to"
  echo "accept incoming traffic or send any out.  In the case of failures, you must be"
  echo "capable of diagnosing and repairing any problems.  Lockdown is free software"
  echo "provided as is and you are responsible for any effects or side-effects of it's"
  echo "existence on your systems."
  echo
  echo "You are about to perform this installation on `hostname` with"
  echo "IP `curl -s whatip.gzo.com`."
  echo
  read -p "Proceed with installation and configuration of Lockdown and all related services? [y/N] " -n 1 -r REPLY
  if [[ $REPLY =~ ^[Yy]$ ]] ; then
    echo
    echo "Locking down `hostname`!"
  else
    echo "Exiting without making any changes."
    exit 2
  fi
fi

# Check verbosity
if [ -v VERBOSE ]
then
  set -v
fi

# Attempt to back up pre-existing configuration files, this is similar
# to what ld-export does but does not attempt to save a running configuration.
if [ ! -d /etc/fail2ban ] && \
   [ ! -f /etc/ipset.conf ] && \
   [ ! -d /etc/lockdown ] && \
   [ ! -f /etc/sysconfig/iptables.* ]
   [ ! -f /etc/sysconfig/ip6tables.* ]
then
  BACKUP=0
fi
if (( BACKUP ))
then
  # Check temp location
  if [ ! -d "$SAVE_PATH" ]
  then
    if (( ! SILENT )) ; then echo "Output location $SAVE_PATH does not exist, creating"; fi
    mkdir -p "$SAVE_PATH"
  fi
  BACKUP_FILES=()
  if [ -d "/etc/fail2ban" ]
  then
    BACKUP_FILES+=('/etc/fail2ban*')
  fi
  if [ -f "/etc/ipset.conf" ]
  then
    BACKUP_FILES+=('/etc/ipset*')
  fi
  if [ -d "/etc/lockdown" ]
  then
    BACKUP_FILES+=('/etc/lockdown*')
  fi
  if [ -f "/etc/sysconfig/iptables.conf" ]
  then
    BACKUP_FILES+=('/etc/sysconfig/ip?tables*')
  fi
  $DRY_RUN tar czf "$SAVE_PATH/ld-pre-install-backup-$DATE.tar.gz" $BACKUP_FILES
fi

## Begin Installations!!
if [ 'Amazon Linux 2' != $DISTRO ] \
  && [ 'yum' = $PACKAGE_MANAGER ] \
  || [ 'dnf' = $PACKAGE_MANAGER ]
then
  $DRY_RUN $PACKAGE_MANAGER install $YES $EPEL
fi
if [ ! -f /usr/bin/iptables ]
then
  $DRY_RUN $PACKAGE_MANAGER install $YES $IPTABLES
fi
if [ 'dnf' = $PACKAGE_MANAGER ]
then
  $DRY_RUN $PACKAGE_MANAGER install $YES iptables-services iptables-utils
fi
if [ ! -f /usr/sbin/ipset ]
then
  $DRY_RUN $PACKAGE_MANAGER install $YES $IPSET
fi
if [ 'dnf' = $PACKAGE_MANAGER ]
then
  $DRY_RUN $PACKAGE_MANAGER install $YES ipset-service
fi
if [ ! -f /usr/bin/fail2ban-server ]
then
  if [ 'Amazon Linux 2' = $DISTRO ]
  then
    wget https://github.com/fail2ban/fail2ban/archive/0.9.4.tar.gz
    mv 0.9.4.tar.gz fail2ban-0.9.4.tar.gz
    tar xzf fail2ban-0.9.4.tar.gz 
    cd fail2ban-0.9.4/
    ./setup.py build 
    ./setup.py install
  else
    $DRY_RUN $PACKAGE_MANAGER install $YES $FAIL2BAN
  fi
fi
if [ ! -f /usr/lib64/libgamin-1.so.0 ]
then
  $DRY_RUN $PACKAGE_MANAGER install $YES $GAMIN
fi
$DRY_RUN lockdown_init $YES

## Manipulate system daemons!!
# This is done in the following order for maximum safety
# Start required services
# Stop conflicting services
# Enable required services
# Disable conflicting services
##
if (( ! SILENT )) ; then echo; fi
case $DISTRO in
  "Amazon Linux"|"CentOS6")
    #   Amazon Linux, CentOS
    #     service x start|stop|etc
    #     chkconfig x on|off
    # Begin starting services
    if (( ! SILENT )) ; then echo "Starting services for $DISTRO"; fi
    $DRY_RUN service fail2ban start
    if [ 0 -ne $? ] && [ -z $DRY_RUN ]
    then
        echo "Failed to start fail2ban, exiting."
        exit 1
    else
      echo "Started fail2ban"
    fi
    $DRY_RUN service ipset start
    if [ 0 -ne $? ] && [ -z $DRY_RUN ]
    then
        echo "Failed to start ipset, exiting."
        exit 1
    else
      echo "Started ipset"
    fi
    $DRY_RUN service iptables start && echo
    if [ 1 -eq $? ] && [ -z $DRY_RUN ]
    then
        echo "Failed to start iptables, exiting."
        exit 1
    else
      echo "Started iptables"
    fi
    # Begin stopping & disabling conflicting services
    if [ `pidof nftables` ]
    then
      if (( ! SILENT )) ; then echo "Stopping & disabling nftables"; fi
      $DRY_RUN service nftables stop
      $DRY_RUN chkconfig nftables off
    fi
    if [ `pidof firewalld` ]
    then
      if (( ! SILENT )) ; then echo "Stopping & disabling firewalld"; fi
      $DRY_RUN service firewalld stop
      $DRY_RUN chkconfig firewalld off
    fi
    # Begin enabling services
    if (( ! SILENT )) ; then echo "Enabling services for $DISTRO"; fi
    $DRY_RUN chkconfig fail2ban on
    if [ 0 -ne $? ] && [ -z $DRY_RUN ]
    then
        echo "Failed to enable fail2ban, exiting."
    fi
    $DRY_RUN chkconfig ipset on
    if [ 0 -ne $? ] && [ -z $DRY_RUN ]
    then
        echo "Failed to enable ipset, exiting."
    fi
    $DRY_RUN chkconfig iptables on
    if [ 0 -ne $? ] && [ -z $DRY_RUN ]
    then
        echo "Failed to enable iptables, exiting."
    fi
    if (( ! SILENT )) ; then echo "Service configuration completed successfully!"; fi
  ;;
  "Amazon Linux 2"|"CentOS7"|"Fedora"|"RHEL"|"Ubuntu")
    #   Fedora, RHEL, Ubuntu
    #     systemctl start|stop|etc x
    #     systemctl enable|disable x
    # Begin starting services
    if (( ! SILENT )) ; then echo "Starting systemctl starts for $DISTRO"; fi
    $DRY_RUN systemctl daemon-reload
    $DRY_RUN systemctl start fail2ban
    if [ 0 -ne $? ] && [ -z $DRY_RUN ]
    then
        echo "Failed to start fail2ban, exiting."
        exit 1
    fi
    $DRY_RUN systemctl start ipset
    if [ 0 -ne $? ] && [ -z $DRY_RUN ]
    then
        echo "Failed to start ipset, exiting."
        exit 1
    fi
    $DRY_RUN systemctl start iptables
    if [ 0 -ne $? ] && [ -z $DRY_RUN ]
    then
        echo "Failed to start iptables, exiting."
        exit 1
    fi
    # Begin stopping & disabling conflicting services
    if [ `pidof nftables` ]
    then
      if (( ! SILENT )) ; then echo "Stopping & disabling nftables"; fi
      $DRY_RUN systemctl stop nftables
      $DRY_RUN systemctl disable nftables
    fi
    if [ `pidof firewalld` ]
    then
      if (( ! SILENT )) ; then echo "Stopping & disabling firewalld"; fi
      $DRY_RUN systemctl stop nftables
      $DRY_RUN systemctl disable nftables
    fi
    # Begin enabling services
    if (( ! SILENT )) ; then echo "Enabling services for $DISTRO"; fi
    $DRY_RUN systemctl enable fail2ban
    test=$(systemctl is-enabled fail2ban)
    if [ 'enabled' != "$test" ] && [ -z $DRY_RUN ]
    then
        echo "Failed to enable fail2ban, exiting."
	exit 1
    fi
    $DRY_RUN systemctl enable ipset
    test=$(systemctl is-enabled ipset)
    if [ 'enabled' != "$test" ] && [ -z $DRY_RUN ]
    then
        echo "Failed to enable ipset, exiting."
	exit 1
    fi
    $DRY_RUN systemctl enable iptables
    test=$(systemctl is-enabled iptables)
    if [ 'enabled' != "$test" ] && [ -z $DRY_RUN ]
    then
        echo "Failed to enable iptables, exiting."
	exit 1
    fi
    if (( ! SILENT )) ; then echo "Service configuration completed successfully!"; fi
  ;;
  *)  # No more options
    echo "Unsupported distro, exiting."
    exit 1
  ;;
esac
if (( ! SILENT )) ; then echo; fi

# Download latest lists
if (( DOWNLOAD ))
then
  if (( ! SILENT ))
  then
    echo "Downloading latest blacklists & country CIDRs."
  fi
  $DRY_RUN $SRCDIR/bin/ld-update-lists -f
fi
if (( ! SILENT )) ; then echo; fi

# Flush nat, mangle, all chains
$DRY_RUN iptables -F
# Delete non-default chains
$DRY_RUN iptables -X

# Clear IP set
$DRY_RUN service iptables stop && echo
$DRY_RUN ipset -F
$DRY_RUN ipset -X
$DRY_RUN service iptables start && echo

# Process IP Set pre-process rules
if [ -f "$SRCDIR/pre-process/ipset.rules" ]
then
  . "$SRCDIR/pre-process/ipset.rules" $SILENT
elif (( ! SILENT ))
then
  echo "Rules file $1 not found, skipping"
fi

# Create sets
$DRY_RUN ipset create blacklist-f2b hash:net
$DRY_RUN ipset create blacklist-ips hash:net
$DRY_RUN ipset create blacklist-net hash:net
$DRY_RUN ipset create whitelist-ips hash:net
$DRY_RUN ipset create whitelist-net hash:net
$DRY_RUN ipset create blacklist-countries hash:net
$DRY_RUN ipset create whitelist-countries hash:net

# Load list data into sets
$DRY_RUN $SRCDIR/bin/ld-load-lists -y

# Process IP Set post-process rules
if [ -f "$SRCDIR/post-process/ipset.rules" ]
then
  . "$SRCDIR/post-process/ipset.rules" $SILENT
elif (( ! SILENT ))
then
  echo "Rules file $1 not found, skipping"
fi

# Process IP Tables pre-process rules
if [ -f "$SRCDIR/pre-process/iptables.rules" ]
then
  . "$SRCDIR/pre-process/iptables.rules" $SILENT
elif (( ! SILENT ))
then
  echo "Rules file $1 not found, skipping"
fi

# Drop invalid packets
$DRY_RUN iptables -I INPUT 1 -m conntrack --ctstate INVALID -j DROP
# Allow all to/from loopback (lo)
$DRY_RUN iptables -I INPUT 2 -i lo -j ACCEPT
# Allow established & related incoming, for outgoing 
# connections initiated from server
$DRY_RUN iptables -I INPUT 3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Create set matching rules
$DRY_RUN iptables -I INPUT 4 -m set --match-set whitelist-ips src -j ACCEPT
$DRY_RUN iptables -I INPUT 5 -m set --match-set blacklist-ips src -j DROP
$DRY_RUN iptables -I INPUT 6 -m set --match-set whitelist-net src -j ACCEPT
$DRY_RUN iptables -I INPUT 7 -m set --match-set blacklist-net src -j DROP
$DRY_RUN iptables -I INPUT 8 -m set --match-set whitelist-countries src -j ACCEPT
$DRY_RUN iptables -I INPUT 9 -m set --match-set blacklist-countries src -j DROP
# Create global inlets
for port in ${ports[@]}
do
  # This rule avoids connection tracking in favor of optimal processing 
  # speed which is the same reason we allow all outgoing traffic rather 
  # than just related - at small scale this would be a non-issue but at
  # scale would definitely add a lot of extra cpu cycles in the long term
  $DRY_RUN iptables -A INPUT -p tcp --dport $port -j ACCEPT
  # If you were to use a drop target in the default outgoing policy, then
  # you would want to add an established/related output rule here as well.
done

# Set default drop policies
$DRY_RUN iptables -P INPUT DROP
$DRY_RUN iptables -P FORWARD DROP
$DRY_RUN iptables -P OUTPUT ACCEPT

# Process IP Tables post-process rules
if [ -f "$SRCDIR/post-process/iptables.rules" ]
then
  . "$SRCDIR/post-process/iptables.rules" $SILENT
elif (( ! SILENT ))
then
  echo "Rules file $1 not found, skipping"
fi

# Add cron job
echo "Adding daily list cron job to update lists under root user's cron tables via /etc/crontab."
echo "17 1 * * * root /usr/sbin/ld-cron-job 2>&1 # Lockdown daily list updater" >> /etc/crontab

# Installation complete, present results to user if applicable
if [ $DRY_RUN ]
then
  # Dry run notification
  echo
  echo "*Notice*"
  echo "You have run ld-install in dry run mode."
  echo "If you run the same command line without -d or --dry-run again,"
  echo "the commands above will be executed and permanent changes will be made."
  echo
  echo "Lockdown has *not* been installed and your system has not been altered!"
elif (( ! SILENT ))
then
  # Checking installation
  installation_report
fi

## w00t!
exit 0