Added sysadm docker & docker-compose scripts
parent
432e61f54a
commit
4cc05f5eac
|
@ -0,0 +1,20 @@
|
|||
[DEFAULT]
|
||||
# Ban IP/hosts for 24 hour ( 24h*3600s = 86400s):
|
||||
bantime = 600
|
||||
|
||||
# An ip address/host is banned if it has generated "maxretry" during the last "findtime" seconds.
|
||||
findtime = 60
|
||||
maxretry = 3
|
||||
|
||||
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
|
||||
# will not ban a host which matches an address in this list. Several addresses
|
||||
# can be defined using space (and/or comma) separator. For example, add your
|
||||
# static IP address that you always use for login such as 103.1.2.3
|
||||
#ignoreip = 127.0.0.1/8 ::1 103.1.2.3
|
||||
|
||||
# Call iptables to ban IP address
|
||||
#banaction = iptables-multiport
|
||||
|
||||
# Enable sshd protection
|
||||
[sshd]
|
||||
enabled = true
|
|
@ -0,0 +1,18 @@
|
|||
apt-get remove docker docker-engine docker.io containerd runc
|
||||
apt-get install -y \
|
||||
apt-transport-https \
|
||||
ca-certificates \
|
||||
curl \
|
||||
gnupg-agent \
|
||||
software-properties-common
|
||||
curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
|
||||
add-apt-repository \
|
||||
"deb [arch=amd64] https://download.docker.com/linux/debian \
|
||||
buster \
|
||||
stable"
|
||||
apt-get update -y
|
||||
apt-get install -y docker-ce docker-ce-cli containerd.io
|
||||
|
||||
apt install python3-pip -y
|
||||
pip3 install docker-compose
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
apt install firewalld fail2ban -y
|
||||
# Fixes bug in iptables 1.8
|
||||
echo "deb http://deb.debian.org/debian buster-backports main" > /etc/apt/sources.list.d/buster-backports.list
|
||||
apt update
|
||||
apt install -y iptables -t buster-backports
|
||||
|
||||
#echo "Setting iptables to not use nf_tables"
|
||||
update-alternatives --set iptables /usr/sbin/iptables-legacy
|
||||
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
|
||||
#update-alternatives --set iptables /usr/sbin/iptables-legacy
|
||||
|
||||
echo "Setting docker to not open ports automatically..."
|
||||
echo '{ "iptables": false }' > /etc/docker/daemon.json
|
||||
|
||||
cp 01* /etc/fail2ban/fail2ban.d/
|
||||
|
||||
echo "Setting firewalld to use iptables..."
|
||||
sed -i 's/FirewallBackend=nftables/FirewallBackend=iptables/g' /etc/firewalld/firewalld.conf
|
||||
|
||||
rm -rf /etc/firewalld/zones/*
|
||||
firewall-cmd --permanent --zone=public --change-interface=docker0
|
||||
firewall-cmd --permanent --zone=public --add-masquerade
|
||||
# This assumes a typical port 22 for ssh. If not just set it here with --add-port
|
||||
firewall-cmd --permanent --zone=public --add-service=ssh
|
||||
|
||||
## OUTSIDE WORLD NEEDED PORTS FOR ISARDVDI WEB and VIEWERS
|
||||
firewall-cmd --permanent --zone=public --add-port=443/tcp
|
||||
firewall-cmd --permanent --zone=public --add-port=80/tcp
|
||||
|
||||
## LETS RESTART EVERYTHING.
|
||||
systemctl restart firewalld
|
||||
systemctl stop docker
|
||||
systemctl start docker
|
||||
systemctl restart fail2ban
|
||||
|
Loading…
Reference in New Issue