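#!/bin/bash
# Post-installation hardening script for football system
# This script configures strict firewall with WireGuard-only access
# All traffic must go through WireGuard tunnel
#
# Must run as root on a local console: once the DROP policies are installed
# every connection that is not the WireGuard handshake (or loopback) is cut,
# including any session this script might be run from.
#
# Optional environment (defaults in parentheses):
#   WG_ENDPOINT_IP    IPv4 address of the WireGuard peer        (192.0.2.1)
#   WG_ENDPOINT_PORT  UDP port of the WireGuard peer            (51820)
#   WG_PHYS_IFACE     physical uplink that carries the tunnel   (eth0)
#   WG_IFACE          WireGuard tunnel interface                (wg0)
set -euo pipefail

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Check that $1 is a dotted-quad IPv4 address with every octet in 0..255.
# The value is later interpolated into iptables arguments, so anything that
# is not a plain address is rejected up front.
# Returns: 0 when valid, 1 otherwise
#######################################
is_ipv4() {
  local addr=$1 octet
  local -a octets
  local re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  [[ "$addr" =~ $re ]] || return 1
  IFS=. read -r -a octets <<<"$addr"
  for octet in "${octets[@]}"; do
    # 10# forces base 10 so a leading zero is not read as octal
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# Check that $1 is an integer UDP port in 1..65535.
# Returns: 0 when valid, 1 otherwise
#######################################
is_port() {
  local port=$1
  local re='^[0-9]{1,5}$'
  [[ "$port" =~ $re ]] || return 1
  (( 10#$port >= 1 && 10#$port <= 65535 ))
}

#######################################
# Append a line to a file unless that exact line is already present,
# so re-running the script does not pile up duplicate entries.
# Arguments: $1 - line, $2 - file
#######################################
append_once() {
  local line=$1 file=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

#######################################
# Write a modprobe drop-in that blocks auto-loading of the given modules.
# "install <mod> /bin/true" makes modprobe run /bin/true instead of loading
# the module; it does not unload a module that is already loaded.
# The first line is written as a comment — modprobe.d files only understand
# directives, so the free-text description must be commented out.
# Arguments: $1 - target file, $2 - description, $3.. - module names
#######################################
write_modprobe_blacklist() {
  local file=$1 desc=$2
  shift 2
  local mod
  {
    printf '# %s\n' "$desc"
    for mod in "$@"; do
      printf 'install %s /bin/true\n' "$mod"
    done
  } > "$file"
}

#######################################
# Disable, mask and purge every remote-login service.
# Masking prevents the unit from being started even by a dependency;
# purge runs before the firewall is applied because apt needs no network
# for removal but would be cut off afterwards.
#######################################
disable_remote_access() {
  local svc
  for svc in ssh sshd telnet rsh; do
    systemctl disable "$svc" 2>/dev/null || true
    # Mask services to prevent them from being started
    systemctl mask "$svc" 2>/dev/null || true
  done
  # Remove remote access packages if any were installed
  DEBIAN_FRONTEND=noninteractive apt-get purge -y openssh-server telnetd rsh-server \
    2>/dev/null || true
}

#######################################
# STRICT FIREWALL RULES - WireGuard ONLY (IPv4).
# Globals: WG_ENDPOINT_IP, WG_ENDPOINT_PORT, WG_PHYS_IFACE, WG_IFACE (read)
# Outputs: /etc/iptables/rules.v4
#######################################
configure_ipv4_firewall() {
  echo "Configuring strict firewall: only WireGuard to $WG_ENDPOINT_IP:$WG_ENDPOINT_PORT allowed on $WG_PHYS_IFACE"

  # Flush all existing rules
  iptables -F
  iptables -X
  iptables -t nat -F
  iptables -t nat -X
  iptables -t mangle -F
  iptables -t mangle -X

  # Default policies - DROP everything.  From this point until the ACCEPT
  # rules below are in place the host has no connectivity at all; a failure
  # here (set -e) leaves it in that state, which is the safe direction.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP

  # Allow loopback
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  # Allow ONLY WireGuard on the physical interface.
  # Only UDP to the WireGuard endpoint is allowed outbound; inbound is
  # restricted to replies that conntrack already associates with it.
  iptables -A OUTPUT -o "$WG_PHYS_IFACE" -d "$WG_ENDPOINT_IP" -p udp --dport "$WG_ENDPOINT_PORT" \
    -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  iptables -A INPUT -i "$WG_PHYS_IFACE" -s "$WG_ENDPOINT_IP" -p udp --sport "$WG_ENDPOINT_PORT" \
    -m conntrack --ctstate ESTABLISHED -j ACCEPT

  # Allow all traffic through the WireGuard interface.
  # Every peer inside the tunnel can reach every local service; tighten
  # this per service if the tunnel is shared with untrusted peers.
  iptables -A INPUT -i "$WG_IFACE" -j ACCEPT
  iptables -A OUTPUT -o "$WG_IFACE" -j ACCEPT

  # Allow DHCP on the physical interface to get initial IP.
  # NOTE(review): a broadcast DHCP reply may not match ESTABLISHED; the
  # client usually bypasses netfilter with a raw socket, but confirm on the
  # target that a lease is still obtained after reboot.
  iptables -A OUTPUT -o "$WG_PHYS_IFACE" -p udp --dport 67 \
    -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  iptables -A INPUT -i "$WG_PHYS_IFACE" -p udp --sport 67 \
    -m conntrack --ctstate ESTABLISHED -j ACCEPT

  # Save rules.  The file is only reloaded at boot when a restore mechanism
  # (e.g. the iptables-persistent/netfilter-persistent package) is installed;
  # without one the host reboots with open ACCEPT policies — confirm.
  mkdir -p /etc/iptables
  iptables-save > /etc/iptables/rules.v4
}

#######################################
# Same strict rules for IPv6: drop everything except loopback.
# If ip6tables is missing or IPv6 is unsupported the step is skipped with a
# warning rather than silently, because IPv6 is then NOT filtered.
# Outputs: /etc/iptables/rules.v6
#######################################
configure_ipv6_firewall() {
  if ! command -v ip6tables >/dev/null 2>&1 || ! ip6tables -L -n >/dev/null 2>&1; then
    printf 'warning: ip6tables unavailable; IPv6 traffic is NOT filtered\n' >&2
    return 0
  fi
  ip6tables -F
  ip6tables -X
  ip6tables -P INPUT DROP
  ip6tables -P FORWARD DROP
  ip6tables -P OUTPUT DROP
  ip6tables -A INPUT -i lo -j ACCEPT
  ip6tables -A OUTPUT -o lo -j ACCEPT
  mkdir -p /etc/iptables
  ip6tables-save > /etc/iptables/rules.v6
}

#######################################
# Login banner stating that only console access is permitted.
#######################################
write_issue_banner() {
  cat > /etc/issue <<'EOF'
hardening football - disable remote access

No remote access is permitted on this system.
Local console access only.
EOF
}

#######################################
# Block network filesystems, bluetooth and wireless from auto-loading.
#######################################
restrict_kernel_modules() {
  mkdir -p /etc/modprobe.d
  # Disable all network filesystem mounts
  write_modprobe_blacklist /etc/modprobe.d/no-network-fs.conf \
    "disable network filesystem mounts" nfs nfs4 cifs smbfs
  # Disable unnecessary kernel modules
  write_modprobe_blacklist /etc/modprobe.d/disable-bluetooth.conf \
    "disable bluetooth" bluetooth btusb
  # Disable wireless if on wired-only system
  write_modprobe_blacklist /etc/modprobe.d/disable-wireless.conf \
    "disable wireless" cfg80211 mac80211
}

#######################################
# Secure SSH configuration (even though service is disabled).
# The drop-in directory is created explicitly: after purging openssh-server
# it may not exist, and the redirect would abort the script under set -e.
# NOTE(review): drop-ins are only read when sshd_config carries an Include
# for sshd_config.d — confirm should the service ever be re-enabled.
#######################################
harden_sshd_config() {
  mkdir -p /etc/ssh/sshd_config.d
  cat > /etc/ssh/sshd_config.d/99-hardening.conf <<'EOF'
PasswordAuthentication no
PermitRootLogin no
X11Forwarding no
AllowTcpForwarding no
GatewayPorts no
EOF
}

#######################################
# Configure AppArmor to enforce.
# NOTE(review): the original wrote free text into this tunables file, which
# is not valid tunables syntax and could break profile parsing if the
# directory is included; a comment is harmless.  Forcing enforce mode is
# done per profile (e.g. aa-enforce from apparmor-utils) — confirm on target.
#######################################
configure_apparmor() {
  mkdir -p /etc/apparmor.d/tunables/global.d
  printf '# Enforce AppArmor profiles\n' > /etc/apparmor.d/tunables/global.d/force_enforce
}

#######################################
# Remaining local hardening: services, umask, core dumps, auditing.
#######################################
harden_local_system() {
  # Disable unnecessary services
  systemctl disable bluetooth 2>/dev/null || true
  systemctl mask bluetooth 2>/dev/null || true

  # Set secure umask (once, even on repeated runs)
  append_once "umask 077" /etc/profile
  append_once "umask 077" /etc/bash.bashrc

  # Disable core dumps
  append_once "* hard core 0" /etc/security/limits.conf
  append_once "* soft core 0" /etc/security/limits.conf

  # Enable auditd (takes effect at next boot; it is not started here)
  systemctl enable auditd 2>/dev/null || true
}

#######################################
# Entry point.
# Globals: WG_ENDPOINT_IP, WG_ENDPOINT_PORT, WG_PHYS_IFACE, WG_IFACE (set from env)
#######################################
main() {
  (( EUID == 0 )) || die "this script must be run as root"

  # Read WireGuard endpoint configuration and validate it before it reaches
  # iptables — these values come from the environment.
  WG_ENDPOINT_IP="${WG_ENDPOINT_IP:-192.0.2.1}"
  WG_ENDPOINT_PORT="${WG_ENDPOINT_PORT:-51820}"
  WG_PHYS_IFACE="${WG_PHYS_IFACE:-eth0}"
  WG_IFACE="${WG_IFACE:-wg0}"
  is_ipv4 "$WG_ENDPOINT_IP" || die "WG_ENDPOINT_IP is not a valid IPv4 address: $WG_ENDPOINT_IP"
  is_port "$WG_ENDPOINT_PORT" || die "WG_ENDPOINT_PORT is not a valid port: $WG_ENDPOINT_PORT"
  readonly WG_ENDPOINT_IP WG_ENDPOINT_PORT WG_PHYS_IFACE WG_IFACE

  echo "Hardening football system with WireGuard-only access..."

  disable_remote_access
  configure_ipv4_firewall
  configure_ipv6_firewall
  write_issue_banner
  restrict_kernel_modules
  harden_sshd_config
  configure_apparmor
  harden_local_system

  echo "Hardening complete - remote access disabled"
}

main "$@"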