175 lines
No EOL
5.2 KiB
Bash
175 lines
No EOL
5.2 KiB
Bash
#!/bin/bash
|
|
|
|
# Exit on any error
|
|
set -e
|
|
|
|
# Function to log messages
|
|
log_message() {
|
|
echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1"
|
|
}
|
|
|
|
# Check if script is run as root
|
|
if [ "$EUID" -ne 0 ]; then
|
|
echo "Please run as root"
|
|
exit 1
|
|
fi
|
|
|
|
# Update system
|
|
log_message "Updating system packages..."
|
|
apt-get update && apt-get upgrade -y
|
|
|
|
# Install essential packages
|
|
log_message "Installing essential packages..."
|
|
apt-get install -y \
|
|
ca-certificates \
|
|
curl \
|
|
gnupg \
|
|
ufw \
|
|
fail2ban \
|
|
git \
|
|
sudo
|
|
|
|
# Install Docker
|
|
log_message "Installing Docker..."
|
|
install -m 0755 -d /etc/apt/keyrings
|
|
curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
|
|
chmod a+r /etc/apt/keyrings/docker.asc
|
|
|
|
# Add Docker repository
|
|
echo \
|
|
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
|
|
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
|
|
tee /etc/apt/sources.list.d/docker.list > /dev/null
|
|
|
|
apt-get update
|
|
apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
|
|
|
|
# Create docker user and set up permissions
|
|
log_message "Creating docker user and setting up permissions..."
|
|
useradd -m -s /bin/bash dockeruser
|
|
usermod -aG docker dockeruser
|
|
echo "dockeruser ALL=(ALL) NOPASSWD: /usr/bin/docker, /usr/bin/docker-compose" | sudo tee /etc/sudoers.d/dockeruser
|
|
|
|
# Configure UFW
|
|
log_message "Configuring firewall..."
|
|
ufw default deny incoming
|
|
ufw default allow outgoing
|
|
ufw allow 22/tcp
|
|
ufw allow 25/tcp
|
|
ufw allow 80/tcp
|
|
ufw allow 110/tcp
|
|
ufw allow 143/tcp
|
|
ufw allow 443/tcp
|
|
ufw allow 465/tcp
|
|
ufw allow 587/tcp
|
|
ufw allow 993/tcp
|
|
ufw allow 995/tcp
|
|
ufw allow 4190/tcp
|
|
ufw --force enable
|
|
|
|
# Configure fail2ban with SSH honeypot
|
|
log_message "Configuring fail2ban and SSH honeypot..."
|
|
cat > /etc/fail2ban/jail.local << EOL
|
|
[DEFAULT]
|
|
bantime = 1h
|
|
findtime = 10m
|
|
maxretry = 3
|
|
banaction = ufw
|
|
backend = systemd
|
|
|
|
ignoreip = 127.0.0.1/8 ::1
|
|
findtime = 10m
|
|
bantime = 1h
|
|
maxretry = 3
|
|
|
|
[sshd]
|
|
enabled = true
|
|
port = ssh
|
|
filter = sshd
|
|
logpath = %(sshd_log)s
|
|
maxretry = 3
|
|
bantime = 1d
|
|
|
|
[ssh-honeypot]
|
|
enabled = true
|
|
filter = sshd
|
|
logpath = %(sshd_log)s
|
|
maxretry = 1
|
|
bantime = 1d
|
|
findtime = 1d
|
|
EOL
|
|
|
|
# Configure fail2ban filter
|
|
cat > /etc/fail2ban/filter.d/sshd.local << EOL
|
|
[Definition]
|
|
failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
|
|
^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
|
|
^%(__prefix_line)sFailed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s))?\s*$
|
|
^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
|
|
^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
|
|
^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
|
|
^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
|
|
^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
|
|
^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
|
|
^%(__prefix_line)sReceived disconnect from <HOST>: 3: .*: Auth fail$
|
|
^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
|
|
^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
|
|
^%(__prefix_line)s[aA]uthentication (?:failure|error) for .* from <HOST>(?:\s+\[preauth\])?\s*$
|
|
ignoreregex =
|
|
EOL
|
|
|
|
# Create fail2ban systemd override directory
|
|
mkdir -p /etc/systemd/system/fail2ban.service.d/
|
|
|
|
# Create override file
|
|
cat > /etc/systemd/system/fail2ban.service.d/override.conf << EOL
|
|
[Service]
|
|
ExecStart=
|
|
ExecStart=/usr/bin/fail2ban-server -xf start
|
|
EOL
|
|
|
|
# Reload systemd daemon
|
|
systemctl daemon-reload
|
|
|
|
# Restart fail2ban
|
|
systemctl restart fail2ban
|
|
|
|
# Set up Mailcow directory and permissions
|
|
log_message "Setting up Mailcow directory..."
|
|
mkdir -p /opt/mailcow-dockerized
|
|
chown dockeruser:dockeruser /opt/mailcow-dockerized
|
|
|
|
# Switch to dockeruser and install Mailcow
|
|
log_message "Installing Mailcow as dockeruser..."
|
|
su - dockeruser << 'EOF'
|
|
cd /opt
|
|
git clone https://github.com/mailcow/mailcow-dockerized
|
|
cd mailcow-dockerized
|
|
./generate_config.sh
|
|
|
|
# Start Mailcow
|
|
docker compose pull
|
|
docker compose up -d
|
|
EOF
|
|
|
|
# Final security checks
|
|
log_message "Performing final security checks..."
|
|
su - dockeruser -c "cd /opt/mailcow-dockerized && docker compose ps"
|
|
ufw status
|
|
systemctl status fail2ban
|
|
|
|
log_message "Installation complete! Please check the logs above for any errors."
|
|
log_message "Remember to:"
|
|
log_message "1. Change the default passwords"
|
|
log_message "2. Configure your DNS records"
|
|
log_message "3. Set up SSL certificates"
|
|
log_message "4. Regular backup your configuration"
|
|
|
|
# Print access information
|
|
echo "================================================================"
|
|
echo "Mailcow web interface: https://$(hostname)"
|
|
echo "Docker user: dockeruser"
|
|
echo "Mailcow location: /opt/mailcow-dockerized"
|
|
echo "Firewall status:"
|
|
ufw status numbered
|
|
echo "================================================================" |