Added sysadm docker & docker-compose scripts

2021-05-06 12:18:42 +02:00 · 2021-05-06 12:18:42 +02:00 · 4cc05f5eac
parent 432e61f54a
commit 4cc05f5eac
3 changed files with 73 additions and 0 deletions
--- a/sysadm/01-sshd.conf
+++ b/sysadm/01-sshd.conf
@ -0,0 +1,20 @@
+[DEFAULT]
+# Ban IP/hosts for 24 hour ( 24h*3600s = 86400s):
+bantime = 600
+ 
+# An ip address/host is banned if it has generated "maxretry" during the last "findtime" seconds.
+findtime = 60
+maxretry = 3
+ 
+# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
+# will not ban a host which matches an address in this list. Several addresses
+# can be defined using space (and/or comma) separator. For example, add your 
+# static IP address that you always use for login such as 103.1.2.3
+#ignoreip = 127.0.0.1/8 ::1 103.1.2.3
+ 
+# Call iptables to ban IP address
+#banaction = iptables-multiport
+ 
+# Enable sshd protection
+[sshd]
+enabled = true
--- a/sysadm/debian_docker_and_compose.sh
+++ b/sysadm/debian_docker_and_compose.sh
@ -0,0 +1,18 @@
+apt-get remove docker docker-engine docker.io containerd runc
+apt-get install -y \
+    apt-transport-https \
+    ca-certificates \
+    curl \
+    gnupg-agent \
+    software-properties-common
+curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
+add-apt-repository \
+   "deb [arch=amd64] https://download.docker.com/linux/debian \
+   buster \
+   stable"
+apt-get update -y
+apt-get install -y docker-ce docker-ce-cli containerd.io   
+
+apt install python3-pip -y
+pip3 install docker-compose
+
--- a/sysadm/debian_firewall.sh
+++ b/sysadm/debian_firewall.sh
@ -0,0 +1,35 @@
+apt install firewalld fail2ban -y
+# Fixes bug in iptables 1.8
+echo "deb http://deb.debian.org/debian buster-backports main" > /etc/apt/sources.list.d/buster-backports.list
+apt update
+apt install -y iptables -t buster-backports
+
+#echo "Setting iptables to not use nf_tables"
+update-alternatives --set iptables /usr/sbin/iptables-legacy
+update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+#update-alternatives --set iptables /usr/sbin/iptables-legacy
+
+echo "Setting docker to not open ports automatically..."
+echo '{ "iptables": false }' > /etc/docker/daemon.json
+
+cp 01* /etc/fail2ban/fail2ban.d/
+
+echo "Setting firewalld to use iptables..."
+sed -i 's/FirewallBackend=nftables/FirewallBackend=iptables/g' /etc/firewalld/firewalld.conf
+
+rm -rf /etc/firewalld/zones/*
+firewall-cmd --permanent --zone=public --change-interface=docker0 
+firewall-cmd --permanent --zone=public --add-masquerade
+# This assumes a typical port 22 for ssh. If not just set it here with --add-port
+firewall-cmd --permanent --zone=public --add-service=ssh
+
+## OUTSIDE WORLD NEEDED PORTS FOR ISARDVDI WEB and VIEWERS
+firewall-cmd --permanent --zone=public --add-port=443/tcp
+firewall-cmd --permanent --zone=public --add-port=80/tcp
+
+## LETS RESTART EVERYTHING.
+systemctl restart firewalld
+systemctl stop docker
+systemctl start docker
+systemctl restart fail2ban
+