Primo caricamento

2025-12-29 16:00:23 +01:00
commit 87d6ffe8a0
3 changed files with 227 additions and 0 deletions
--- a/48
+++ b/48
@@ -0,0 +1,48 @@
+.PHONY: postinstall utils hardening sys-tune
+
+postinstall: utils hardening sys-tune
+	@echo "[INFO] Post-installazione completata."
+
+utils:
+	@echo "[INFO] Installo utilità post-installazione..."
+	@apt-get update
+	@DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+		vim tmux net-tools wget jq tree fail2ban software-properties-common \
+		htop lsof
+
+hardening:
+	@echo "[INFO] Configuro auto-aggiornamenti di sicurezza, sysctl e Docker..."
+	@DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends unattended-upgrades
+	@printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' | tee /etc/apt/apt.conf.d/20auto-upgrades >/dev/null
+	@mkdir -p /etc/sysctl.d
+	@tee /etc/sysctl.d/99-hardening.conf >/dev/null <<'EOF'
+net.ipv4.conf.all.rp_filter=1
+net.ipv4.tcp_syncookies=1
+net.ipv4.icmp_echo_ignore_broadcasts=1
+kernel.kptr_restrict=2
+kernel.randomize_va_space=2
+EOF
+	@sysctl --system || true
+	@mkdir -p /etc/docker
+	@tee /etc/docker/daemon.json >/dev/null <<'EOF'
+{
+  "log-driver": "json-file",
+  "log-opts": { "max-size": "10m", "max-file": "3" },
+  "live-restore": true
+}
+EOF
+	@systemctl reload docker || systemctl restart docker || true
+	@mkdir -p /etc/fail2ban/jail.d
+	@tee /etc/fail2ban/jail.d/sshd-local.conf >/dev/null <<'EOF'
+[sshd]
+enabled = true
+bantime = 1h
+findtime = 10m
+maxretry = 5
+EOF
+	@systemctl restart fail2ban || true
+
+sys-tune:
+	@echo "[INFO] Configuro Fail2ban..."
+	@systemctl enable fail2ban || true
+	@systemctl restart fail2ban || true