KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
17dcee7e526f3b288fd5d7d55165d1cc06ba92fc
football/config/harden.sh
Charles N Wyble 17dcee7e52 feat: add minimal Debian image build system with WireGuard-only networking 
Add complete build infrastructure for football secure access system:
- Minimal Debian base with only IceWM and Remmina
- WireGuard-only networking with strict firewall (eth0 allows only WireGuard)
- All network traffic routed through mandatory VPN tunnel
- Secure Boot enforced for physical deployments
- Zero remote access - SSH, telnet disabled and blocked
- AppArmor, auditd, and fail2ban for security hardening

Build system generates both VM (qcow2) and physical (raw) images.
WireGuard endpoint IP and port configurable via build script variables.

Includes:
- Package list with minimal dependencies
- System hardening scripts
- WireGuard client and server configuration tools
- Comprehensive documentation (README.md, QUICKSTART.md)
- systemd services for firewall enforcement
- User environment with automatic IceWM startup

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-13 12:11:18 -05:00

128 lines
4.4 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Post-installation hardening script for football system
# This script configures strict firewall with WireGuard-only access
# All traffic must go through WireGuard tunnel
set -e
echo "Hardening football system with WireGuard-only access..."
# Disable and remove all remote access services
systemctl disable ssh 2>/dev/null || true
systemctl disable sshd 2>/dev/null || true
systemctl disable telnet 2>/dev/null || true
systemctl disable rsh 2>/dev/null || true
# Mask services to prevent them from being started
systemctl mask ssh 2>/dev/null || true
systemctl mask sshd 2>/dev/null || true
systemctl mask telnet 2>/dev/null || true
systemctl mask rsh 2>/dev/null || true
# Remove remote access packages if any were installed
apt-get purge -y openssh-server telnetd rsh-server 2>/dev/null || true
# STRICT FIREWALL RULES - WireGuard ONLY
# Read WireGuard endpoint configuration
WG_ENDPOINT_IP="${WG_ENDPOINT_IP:-192.0.2.1}"
WG_ENDPOINT_PORT="${WG_ENDPOINT_PORT:-51820}"
echo "Configuring strict firewall: only WireGuard to $WG_ENDPOINT_IP:$WG_ENDPOINT_PORT allowed on eth0"
# Flush all existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Default policies - DROP everything
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow ONLY WireGuard on physical interface (eth0)
# Only UDP to WireGuard endpoint allowed
iptables -A OUTPUT -o eth0 -d $WG_ENDPOINT_IP -p udp --dport $WG_ENDPOINT_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s $WG_ENDPOINT_IP -p udp --sport $WG_ENDPOINT_PORT -m state --state ESTABLISHED -j ACCEPT
# Allow all traffic through WireGuard interface (wg0)
iptables -A INPUT -i wg0 -j ACCEPT
iptables -A OUTPUT -o wg0 -j ACCEPT
# Allow DHCP on eth0 to get initial IP
iptables -A OUTPUT -o eth0 -p udp --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 67 -m state --state ESTABLISHED -j ACCEPT
# Save rules
mkdir -p /etc/iptables
iptables-save > /etc/iptables/rules.v4
# Same strict rules for IPv6
ip6tables -F 2>/dev/null || true
ip6tables -X 2>/dev/null || true
ip6tables -P INPUT DROP 2>/dev/null || true
ip6tables -P FORWARD DROP 2>/dev/null || true
ip6tables -P OUTPUT DROP 2>/dev/null || true
ip6tables -A INPUT -i lo -j ACCEPT 2>/dev/null || true
ip6tables -A OUTPUT -o lo -j ACCEPT 2>/dev/null || true
ip6tables-save > /etc/iptables/rules.v6 2>/dev/null || true
# Configure network to reject incoming connections
echo "hardening football - disable remote access" > /etc/issue
echo "" >> /etc/issue
echo "No remote access is permitted on this system." >> /etc/issue
echo "Local console access only." >> /etc/issue
# Disable all network filesystem mounts
echo "disable network filesystem mounts" > /etc/modprobe.d/no-network-fs.conf
echo "install nfs /bin/true" >> /etc/modprobe.d/no-network-fs.conf
echo "install nfs4 /bin/true" >> /etc/modprobe.d/no-network-fs.conf
echo "install cifs /bin/true" >> /etc/modprobe.d/no-network-fs.conf
echo "install smbfs /bin/true" >> /etc/modprobe.d/no-network-fs.conf
# Secure SSH configuration (even though service is disabled)
mkdir -p /etc/ssh
cat > /etc/ssh/sshd_config.d/99-hardening.conf << 'EOF'
PasswordAuthentication no
PermitRootLogin no
X11Forwarding no
AllowTcpForwarding no
GatewayPorts no
EOF
# Configure AppArmor to enforce
echo "Enforce AppArmor profiles" > /etc/apparmor.d/tunables/global.d/force_enforce
# Disable unnecessary kernel modules
echo "disable bluetooth" > /etc/modprobe.d/disable-bluetooth.conf
echo "install bluetooth /bin/true" >> /etc/modprobe.d/disable-bluetooth.conf
echo "install btusb /bin/true" >> /etc/modprobe.d/disable-bluetooth.conf
# Disable wireless if on wired-only system
echo "disable wireless" > /etc/modprobe.d/disable-wireless.conf
echo "install cfg80211 /bin/true" >> /etc/modprobe.d/disable-wireless.conf
echo "install mac80211 /bin/true" >> /etc/modprobe.d/disable-wireless.conf
# Disable unnecessary services
systemctl disable bluetooth 2>/dev/null || true
systemctl mask bluetooth 2>/dev/null || true
# Set secure umask
echo "umask 077" >> /etc/profile
echo "umask 077" >> /etc/bash.bashrc
# Disable core dumps
echo "* hard core 0" >> /etc/security/limits.conf
echo "* soft core 0" >> /etc/security/limits.conf
# Enable auditd
systemctl enable auditd 2>/dev/null || true
echo "Hardening complete - remote access disabled"
Reference in New Issue View Git Blame Copy Permalink