# None of these targets produces a file of the same name. Declaring them phony
# makes make run their recipes even if such a file exists in the directory.
.PHONY: postinstall utils hardening sys-tune
# Aggregate entry point: builds utils, hardening and sys-tune, then reports
# completion. A serial make processes the prerequisites left to right; that
# order is not declared anywhere else in this file.
postinstall: utils hardening sys-tune
	@printf '%s\n' "[INFO] Post-installazione completata."
# Refresh the apt package lists, then install the administration tools
# (fail2ban included) non-interactively and without recommended packages.
utils:
	@printf '%s\n' "[INFO] Installo utilità post-installazione..."
	@apt-get update
	@DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
		vim tmux net-tools wget jq tree \
		fail2ban software-properties-common htop lsof
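# hardening: enable unattended security upgrades, write a sysctl drop-in, set
# the Docker daemon logging options and add a local fail2ban jail for sshd.
#
# Every step writes under /etc or drives systemd, so the target has to run with
# root privileges. It relies on `utils` having run first (fresh apt lists,
# fail2ban installed); only the serial prerequisite order of `postinstall`
# provides that, `make -j` or a bare `make hardening` does not.
#
# File bodies are produced with printf piped into tee instead of here-documents:
# make hands each recipe line to its own shell, so a here-document spread over
# several recipe lines never reaches tee and its body lines are run as commands.
hardening:
	@echo "[INFO] Configuro auto-aggiornamenti di sicurezza, sysctl e Docker..."
	@DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends unattended-upgrades
	@printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' | tee /etc/apt/apt.conf.d/20auto-upgrades >/dev/null
	@mkdir -p /etc/sysctl.d
# Kernel/network settings: reverse-path filtering, SYN cookies, ignore
# broadcast ICMP echo, hide kernel pointers, full ASLR.
	@printf '%s\n' \
		'net.ipv4.conf.all.rp_filter=1' \
		'net.ipv4.tcp_syncookies=1' \
		'net.ipv4.icmp_echo_ignore_broadcasts=1' \
		'kernel.kptr_restrict=2' \
		'kernel.randomize_va_space=2' \
		| tee /etc/sysctl.d/99-hardening.conf >/dev/null
# Still best-effort, but a failure is reported so that a hardening step that
# did not take effect does not go unnoticed.
	@sysctl --system || echo "[WARN] sysctl --system ha restituito un errore: verificare i parametri applicati" >&2
	@mkdir -p /etc/docker
# NOTE(review): tee truncates the file, so any setting already present in
# /etc/docker/daemon.json is lost - confirm nothing else manages this file.
	@printf '%s\n' \
		'{' \
		'  "log-driver": "json-file",' \
		'  "log-opts": { "max-size": "10m", "max-file": "3" },' \
		'  "live-restore": true' \
		'}' \
		| tee /etc/docker/daemon.json >/dev/null
# Docker is not installed by this Makefile, so a failure here is tolerated.
# NOTE(review): a successful reload may not apply every daemon.json key
# (log-driver changes presumably need a restart) - verify on the target host.
	@systemctl reload docker || systemctl restart docker || echo "[WARN] Docker non ricaricato: daemon.json non ancora attivo" >&2
	@mkdir -p /etc/fail2ban/jail.d
# sshd jail: 5 failures within 10 minutes ban the source for 1 hour.
	@printf '%s\n' \
		'[sshd]' \
		'enabled = true' \
		'bantime = 1h' \
		'findtime = 10m' \
		'maxretry = 5' \
		| tee /etc/fail2ban/jail.d/sshd-local.conf >/dev/null
	@systemctl restart fail2ban || echo "[WARN] riavvio di fail2ban non riuscito: jail sshd non attiva" >&2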
# Enable the fail2ban unit and restart it. Both systemctl calls are
# best-effort: a failure is swallowed and the target still succeeds.
sys-tune:
	@printf '%s\n' "[INFO] Configuro Fail2ban..."
	@systemctl enable fail2ban || :
	@systemctl restart fail2ban || :