core/Projektarbeit-MYP
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Major updates to backend structure and security enhancements

Browse Source 
- Removed `COMMON_ERRORS.md` file to streamline documentation.
- Added `Flask-Limiter` for rate limiting and `redis` for session management in `requirements.txt`.
- Expanded `ROADMAP.md` to include completed security features and planned enhancements for version 2.2.
- Enhanced `setup_myp.sh` for ultra-secure kiosk installation, including system hardening and security configurations.
- Updated `app.py` to integrate CSRF protection and improved logging setup.
- Refactored user model to include username and active status for better user management.
- Improved job scheduler with uptime tracking and task management features.
- Updated various templates for a more cohesive user interface and experience.
This commit is contained in:
Till Tomczak
2025-05-25 20:33:38 +02:00
parent e21104611f
commit 2d33753b94
1288 changed files with 247388 additions and 3249 deletions
Download Patch File Download Diff File Expand all files Collapse all files

924
backend/setup_myp.sh
View File

@@ -189,24 +189,238 @@ standard_installation() {
# 2) MYP V2 Kiosk-Modus Installation
kiosk_installation() {
print_header
echo -e "${GREEN}MYP V2 Kiosk-Modus Installation${NC}"
echo -e "${GREEN}MYP V2 Kiosk-Modus Installation (Ultra-Sicher)${NC}"
echo ""
echo -e "${RED}WARNUNG: Diese Installation erstellt einen gehärteten Kiosk-Modus!${NC}"
echo -e "${YELLOW}Deaktivierung nur mit Passwort möglich: 744563017196A${NC}"
echo ""
# Benötigte Pakete installieren
echo "Installiere benötigte Pakete..."
apt update
read -p "Möchten Sie fortfahren? (j/n): " confirm
if [[ "$confirm" != "j" && "$confirm" != "J" ]]; then
show_main_menu
return
fi
# Cleanup vorheriger Installationen
echo -e "${YELLOW}Bereinige vorherige Installationen...${NC}"
cleanup_previous_installation
# System-Updates und Sicherheits-Patches
echo -e "${YELLOW}Installiere System-Updates und Sicherheits-Patches...${NC}"
apt update && apt upgrade -y
# Benötigte Pakete installieren (Debian-kompatibel)
echo -e "${YELLOW}Installiere benötigte Pakete...${NC}"
apt install -y python3.11 python3.11-pip python3.11-venv python3.11-dev \
build-essential chromium-browser unclutter xdotool \
xscreensaver git curl nginx
# Verzeichnis für MYP erstellen und Projekt kopieren
echo "Kopiere MYP V2 nach /opt/myp..."
build-essential chromium unclutter xdotool \
xscreensaver git curl nginx fail2ban ufw \
sudo openssh-server iptables-persistent \
apparmor apparmor-utils auditd \
clamav clamav-daemon rkhunter chkrootkit \
psmisc procps net-tools
# Sicherheits-Konfiguration
echo -e "${YELLOW}Konfiguriere Sicherheitsmaßnahmen...${NC}"
configure_security_hardening
# MYP Installation
echo -e "${YELLOW}Installiere MYP V2...${NC}"
install_myp_secure
# Kiosk-Benutzer erstellen (isoliert)
echo -e "${YELLOW}Erstelle sicheren Kiosk-Benutzer...${NC}"
create_secure_kiosk_user
# Kiosk-Umgebung härten
echo -e "${YELLOW}Härte Kiosk-Umgebung...${NC}"
harden_kiosk_environment
# Überwachung und Logging einrichten
echo -e "${YELLOW}Richte Sicherheitsüberwachung ein...${NC}"
setup_security_monitoring
# Passwort-basierte Deaktivierung einrichten
echo -e "${YELLOW}Richte Passwort-Deaktivierung ein...${NC}"
setup_password_deactivation
# Firewall konfigurieren
echo -e "${YELLOW}Konfiguriere Firewall...${NC}"
configure_firewall
# Autostart und Services
echo -e "${YELLOW}Konfiguriere Autostart...${NC}"
configure_secure_autostart
echo -e "${GREEN}Ultra-sichere Kiosk-Installation abgeschlossen!${NC}"
echo ""
echo -e "${RED}WICHTIGE SICHERHEITSHINWEISE:${NC}"
echo -e "${YELLOW}1. Kiosk-Deaktivierung: Strg+Alt+F1, dann 'sudo /opt/myp/deactivate_kiosk.sh'${NC}"
echo -e "${YELLOW}2. Passwort für Deaktivierung: 744563017196A${NC}"
echo -e "${YELLOW}3. SSH-Zugang nur mit Key-Authentifizierung${NC}"
echo -e "${YELLOW}4. Alle Aktivitäten werden geloggt und überwacht${NC}"
echo -e "${YELLOW}5. System startet automatisch im Kiosk-Modus${NC}"
echo ""
echo -e "${BLUE}MYP V2 ist unter http://localhost erreichbar${NC}"
read -p "System jetzt neu starten? (j/n): " reboot_confirm
if [[ "$reboot_confirm" == "j" || "$reboot_confirm" == "J" ]]; then
echo -e "${GREEN}System wird neu gestartet...${NC}"
sleep 3
reboot
fi
show_main_menu
}
# Cleanup vorheriger Installationen
cleanup_previous_installation() {
echo "Stoppe alle MYP-Services..."
systemctl stop myp.service 2>/dev/null || true
systemctl stop myp-kiosk.service 2>/dev/null || true
systemctl disable myp.service 2>/dev/null || true
systemctl disable myp-kiosk.service 2>/dev/null || true
echo "Entferne alte Service-Dateien..."
rm -f /etc/systemd/system/myp*.service
systemctl daemon-reload
echo "Entferne alte Kiosk-Konfigurationen..."
rm -rf /home/*/kiosk.sh
rm -rf /home/*/.config/autostart/myp*.desktop
rm -rf /opt/myp/kiosk*
echo "Entferne alte Benutzer..."
userdel -r kiosk 2>/dev/null || true
userdel -r myp-kiosk 2>/dev/null || true
echo "Bereinige Netzwerk-Konfiguration..."
rm -f /etc/nginx/sites-enabled/myp*
rm -f /etc/nginx/sites-available/myp*
echo "Cleanup abgeschlossen."
}
# Sicherheits-Härtung konfigurieren
configure_security_hardening() {
echo "Konfiguriere Kernel-Sicherheitsparameter..."
cat > /etc/sysctl.d/99-myp-security.conf << 'EOF'
# Netzwerk-Sicherheit
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
# Speicher-Schutz
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
kernel.yama.ptrace_scope = 1
kernel.core_uses_pid = 1
fs.suid_dumpable = 0
EOF
sysctl -p /etc/sysctl.d/99-myp-security.conf
echo "Konfiguriere SSH-Härtung..."
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
cat > /etc/ssh/sshd_config << 'EOF'
# MYP Secure SSH Configuration
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Authentifizierung
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
# Sicherheitseinstellungen
X11Forwarding no
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
UsePrivilegeSeparation yes
StrictModes yes
MaxAuthTries 3
MaxSessions 2
ClientAliveInterval 300
ClientAliveCountMax 2
# Logging
SyslogFacility AUTH
LogLevel VERBOSE
# Nur bestimmte Benutzer erlauben
AllowUsers root admin
EOF
systemctl restart ssh
echo "Konfiguriere Fail2Ban..."
cat > /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3
backend = systemd
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 3
[myp-auth]
enabled = true
filter = myp-auth
port = http,https
logpath = /opt/myp/logs/auth/auth.log
maxretry = 5
EOF
# Custom Fail2Ban Filter für MYP
cat > /etc/fail2ban/filter.d/myp-auth.conf << 'EOF'
[Definition]
failregex = ^.*Authentication failed.*<HOST>.*$
^.*Invalid login attempt.*<HOST>.*$
^.*Unauthorized access attempt.*<HOST>.*$
ignoreregex =
EOF
systemctl enable fail2ban
systemctl restart fail2ban
}
# Sichere MYP Installation
install_myp_secure() {
# Verzeichnis für MYP erstellen
mkdir -p /opt/myp
# Basispfad ermitteln
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
# Komplette Projektstruktur kopieren
echo "Kopiere Projektdateien..."
cp -r "$SCRIPT_DIR/app" /opt/myp/
cp -r "$SCRIPT_DIR/docs" /opt/myp/
cp -r "$SCRIPT_DIR/install" /opt/myp/
@@ -215,29 +429,58 @@ kiosk_installation() {
cp "$SCRIPT_DIR/ROADMAP.md" /opt/myp/
cp "$SCRIPT_DIR/COMMON_ERRORS.md" /opt/myp/
# Log-Verzeichnisse erstellen
mkdir -p /opt/myp/logs/{app,auth,jobs,printers,scheduler}
# Datenbank-Verzeichnis erstellen
# Sichere Log-Verzeichnisse erstellen
mkdir -p /opt/myp/logs/{app,auth,jobs,printers,scheduler,security}
mkdir -p /opt/myp/data
mkdir -p /opt/myp/security
# Python-Umgebung und Abhängigkeiten einrichten
echo "Richte Python-Umgebung ein..."
# Python-Umgebung einrichten
cd /opt/myp
python3.11 -m venv .venv
source .venv/bin/activate
pip install --upgrade pip
pip install -r requirements.txt
pip install gunicorn # Für Produktionsserver
pip install gunicorn psutil
# Sicherheits-Konfiguration für Flask
cat > /opt/myp/app/config/security.py << 'EOF'
# MYP Security Configuration
import os
import secrets
# Sichere Session-Konfiguration
SECRET_KEY = os.environ.get('MYP_SECRET_KEY', secrets.token_hex(32))
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SAMESITE = 'Lax'
PERMANENT_SESSION_LIFETIME = 1800 # 30 Minuten
# Sicherheits-Headers
SECURITY_HEADERS = {
'X-Content-Type-Options': 'nosniff',
'X-Frame-Options': 'DENY',
'X-XSS-Protection': '1; mode=block',
'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'",
'Referrer-Policy': 'strict-origin-when-cross-origin'
}
# Rate Limiting
RATELIMIT_STORAGE_URL = 'memory://'
RATELIMIT_DEFAULT = "100 per hour"
RATELIMIT_LOGIN = "5 per minute"
# Kiosk-Modus Konfiguration
KIOSK_MODE = True
KIOSK_PASSWORD_HASH = 'pbkdf2:sha256:260000$salt$hash' # Wird später gesetzt
EOF
# Systemd-Dienst für Flask-Backend einrichten
echo "Richte Flask-Backend-Dienst ein..."
# Service-File erstellen
cat > /etc/systemd/system/myp.service << EOF
cat > /etc/systemd/system/myp.service << 'EOF'
[Unit]
Description=MYP V2 Flask Application
Description=MYP V2 Flask Application (Secure)
After=network.target
Wants=network.target
[Service]
Type=simple
@@ -245,7 +488,391 @@ User=www-data
Group=www-data
WorkingDirectory=/opt/myp
Environment=PATH=/opt/myp/.venv/bin
ExecStart=/opt/myp/.venv/bin/python3.11 /opt/myp/app/app.py
Environment=FLASK_ENV=production
Environment=MYP_SECRET_KEY=SECURE_RANDOM_KEY_WILL_BE_GENERATED
ExecStart=/opt/myp/.venv/bin/gunicorn --bind 127.0.0.1:5000 --workers 2 --timeout 30 app.app:app
Restart=always
RestartSec=10
StandardOutput=journal
StandardError=journal
# Sicherheits-Einschränkungen
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/opt/myp/logs /opt/myp/data
CapabilityBoundingSet=
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
[Install]
WantedBy=multi-user.target
EOF
# Nginx-Konfiguration mit Sicherheits-Headers
cat > /etc/nginx/sites-available/myp << 'EOF'
server {
listen 80;
server_name _;
# Sicherheits-Headers
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self';" always;
# Rate Limiting
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
limit_req_zone $binary_remote_addr zone=api:10m rate=30r/m;
location / {
proxy_pass http://127.0.0.1:5000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Timeout-Einstellungen
proxy_connect_timeout 30s;
proxy_send_timeout 30s;
proxy_read_timeout 30s;
}
location /auth/login {
limit_req zone=login burst=3 nodelay;
proxy_pass http://127.0.0.1:5000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /api/ {
limit_req zone=api burst=10 nodelay;
proxy_pass http://127.0.0.1:5000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /static {
alias /opt/myp/app/static;
expires 1y;
add_header Cache-Control "public, immutable";
# Verhindere Ausführung von Skripten
location ~* \.(php|pl|py|jsp|asp|sh|cgi)$ {
deny all;
}
}
# Verstecke Nginx-Version
server_tokens off;
# Blockiere verdächtige Anfragen
location ~* \.(git|svn|env|htaccess|htpasswd)$ {
deny all;
return 404;
}
}
EOF
ln -sf /etc/nginx/sites-available/myp /etc/nginx/sites-enabled/
rm -f /etc/nginx/sites-enabled/default
# Berechtigungen setzen (restriktiv)
chown -R www-data:www-data /opt/myp
chmod -R 750 /opt/myp
chmod -R 770 /opt/myp/logs
chmod -R 770 /opt/myp/data
chmod 600 /opt/myp/app/config/security.py
systemctl daemon-reload
systemctl enable myp.service
systemctl restart nginx
systemctl start myp.service
}
# Sicheren Kiosk-Benutzer erstellen
create_secure_kiosk_user() {
# Kiosk-Benutzer erstellen (ohne Shell-Zugang)
useradd -m -s /bin/false -G audio,video myp-kiosk 2>/dev/null || true
# Home-Verzeichnis sichern
chmod 750 /home/myp-kiosk
# Minimale Desktop-Umgebung für Kiosk
mkdir -p /home/myp-kiosk/.config/autostart
mkdir -p /home/myp-kiosk/.local/share/applications
# Kiosk-Desktop-Session erstellen
cat > /usr/share/xsessions/myp-kiosk.desktop << 'EOF'
[Desktop Entry]
Name=MYP Kiosk
Comment=MYP Secure Kiosk Mode
Exec=/opt/myp/security/start_kiosk.sh
Type=Application
DesktopNames=MYP-Kiosk
EOF
chown -R myp-kiosk:myp-kiosk /home/myp-kiosk
}
# Kiosk-Umgebung härten
harden_kiosk_environment() {
# Sicheres Kiosk-Start-Script
mkdir -p /opt/myp/security
cat > /opt/myp/security/start_kiosk.sh << 'EOF'
#!/bin/bash
# MYP Ultra-Secure Kiosk Startup Script
# Logging aktivieren
exec > >(tee -a /opt/myp/logs/security/kiosk.log) 2>&1
echo "$(date): Kiosk-Modus wird gestartet..."
# Umgebungsvariablen setzen
export DISPLAY=:0
export HOME=/home/myp-kiosk
# Sicherheits-Checks
if [ "$USER" != "myp-kiosk" ]; then
echo "$(date): SECURITY ALERT - Unauthorized user attempted kiosk start: $USER"
exit 1
fi
# Bildschirmschoner und Energieverwaltung deaktivieren
xset s off
xset -dpms
xset s noblank
# Mauszeiger verstecken
unclutter -idle 1 -root &
# Tastatur-Shortcuts blockieren (außer Escape-Sequenz)
xmodmap -e "clear mod1"
xmodmap -e "clear mod4"
# Chromium im Ultra-Secure Kiosk-Modus starten
chromium \
--kiosk \
--noerrdialogs \
--disable-infobars \
--disable-session-crashed-bubble \
--disable-restore-session-state \
--disable-background-timer-throttling \
--disable-backgrounding-occluded-windows \
--disable-renderer-backgrounding \
--disable-features=TranslateUI,VizDisplayCompositor \
--disable-ipc-flooding-protection \
--disable-background-networking \
--disable-sync \
--disable-default-apps \
--disable-extensions \
--disable-plugins \
--disable-java \
--disable-javascript-harmony-shipping \
--disable-webgl \
--disable-3d-apis \
--disable-accelerated-2d-canvas \
--disable-accelerated-jpeg-decoding \
--disable-accelerated-mjpeg-decode \
--disable-accelerated-video-decode \
--disable-dev-tools \
--disable-file-system \
--disable-notifications \
--disable-speech-api \
--disable-usb-keyboard-detect \
--no-first-run \
--no-default-browser-check \
--no-sandbox \
--disable-gpu \
--disable-software-rasterizer \
--disable-background-mode \
--disable-component-extensions-with-background-pages \
--disable-client-side-phishing-detection \
--disable-datasaver-prompt \
--disable-desktop-notifications \
--disable-domain-reliability \
--disable-features=AudioServiceOutOfProcess \
--user-data-dir=/tmp/chromium-kiosk \
--app=http://localhost/ &
CHROMIUM_PID=$!
# Überwachung des Chromium-Prozesses
while kill -0 $CHROMIUM_PID 2>/dev/null; do
sleep 5
# Prüfe auf verdächtige Prozesse
if pgrep -f "bash|sh|zsh|fish|tcsh|csh" | grep -v $$ | grep -v $(pgrep -f start_kiosk.sh); then
echo "$(date): SECURITY ALERT - Unauthorized shell detected!"
pkill -f "bash|sh|zsh|fish|tcsh|csh"
fi
# Prüfe auf Entwicklertools
if pgrep -f "devtools|inspector|debugger"; then
echo "$(date): SECURITY ALERT - Developer tools detected!"
pkill -f "devtools|inspector|debugger"
fi
done
echo "$(date): Chromium beendet, Kiosk-Modus wird neu gestartet..."
sleep 2
exec $0
EOF
chmod +x /opt/myp/security/start_kiosk.sh
# Kiosk-Deaktivierungs-Script
cat > /opt/myp/security/deactivate_kiosk.sh << 'EOF'
#!/bin/bash
# MYP Kiosk Deactivation Script
echo "MYP Kiosk-Modus Deaktivierung"
echo "=============================="
echo ""
# Passwort-Eingabe
read -s -p "Deaktivierungs-Passwort eingeben: " password
echo ""
# Passwort-Hash prüfen (744563017196A)
expected_hash="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
input_hash=$(echo -n "$password" | sha256sum | cut -d' ' -f1)
if [ "$password" != "744563017196A" ]; then
echo "FEHLER: Falsches Passwort!"
logger "MYP SECURITY: Failed kiosk deactivation attempt from $(who am i)"
exit 1
fi
echo "Passwort korrekt. Deaktiere Kiosk-Modus..."
logger "MYP SECURITY: Kiosk mode deactivated by $(who am i)"
# Kiosk-Prozesse beenden
pkill -f chromium
pkill -f start_kiosk.sh
pkill -f unclutter
# Autostart deaktivieren
systemctl disable myp-kiosk.service 2>/dev/null || true
# Desktop-Session wiederherstellen
export DISPLAY=:0
startx &
echo "Kiosk-Modus deaktiviert. Desktop-Umgebung wird gestartet..."
EOF
chmod +x /opt/myp/security/deactivate_kiosk.sh
# Passwort-Hash für Flask-App generieren
python3.11 -c "
from werkzeug.security import generate_password_hash
hash_value = generate_password_hash('744563017196A')
print(f'KIOSK_PASSWORD_HASH = \"{hash_value}\"')
" >> /opt/myp/app/config/security.py
}
# Sicherheitsüberwachung einrichten
setup_security_monitoring() {
# Audit-Regeln für MYP
cat > /etc/audit/rules.d/myp-security.rules << 'EOF'
# MYP Security Audit Rules
-w /opt/myp/ -p wa -k myp_access
-w /etc/nginx/sites-enabled/myp -p wa -k myp_config
-w /etc/systemd/system/myp.service -p wa -k myp_service
-w /home/myp-kiosk/ -p wa -k kiosk_access
-w /opt/myp/security/ -p wa -k security_scripts
EOF
systemctl restart auditd
# Sicherheits-Monitoring Script
cat > /opt/myp/security/monitor.sh << 'EOF'
#!/bin/bash
# MYP Security Monitoring
LOG_FILE="/opt/myp/logs/security/monitor.log"
ALERT_FILE="/opt/myp/logs/security/alerts.log"
log_event() {
echo "$(date): $1" >> "$LOG_FILE"
}
alert() {
echo "$(date): ALERT - $1" >> "$ALERT_FILE"
logger "MYP SECURITY ALERT: $1"
}
# Prüfe auf verdächtige Prozesse
check_processes() {
# Entwicklertools
if pgrep -f "devtools|inspector|debugger|firebug"; then
alert "Developer tools detected and terminated"
pkill -f "devtools|inspector|debugger|firebug"
fi
# Unerlaubte Shells außerhalb SSH
suspicious_shells=$(pgrep -f "bash|sh|zsh|fish" | while read pid; do
if ! ps -p $pid -o ppid= | xargs ps -p 2>/dev/null | grep -q "sshd"; then
echo $pid
fi
done)
if [ -n "$suspicious_shells" ]; then
alert "Unauthorized shell processes detected: $suspicious_shells"
echo $suspicious_shells | xargs kill -9 2>/dev/null
fi
}
# Prüfe Dateisystem-Integrität
check_filesystem() {
# Prüfe kritische Dateien
if [ ! -f "/opt/myp/security/start_kiosk.sh" ]; then
alert "Critical kiosk script missing!"
fi
# Prüfe Berechtigungen
if [ "$(stat -c %a /opt/myp/security/deactivate_kiosk.sh)" != "755" ]; then
alert "Deactivation script permissions changed!"
chmod 755 /opt/myp/security/deactivate_kiosk.sh
fi
}
# Prüfe Netzwerk-Verbindungen
check_network() {
# Prüfe auf unerlaubte ausgehende Verbindungen
suspicious_connections=$(netstat -tnp 2>/dev/null | grep -E ":22|:80|:443" | grep -v "127.0.0.1\|localhost")
if [ -n "$suspicious_connections" ]; then
log_event "Network connections detected: $suspicious_connections"
fi
}
# Hauptschleife
while true; do
check_processes
check_filesystem
check_network
sleep 30
done
EOF
chmod +x /opt/myp/security/monitor.sh
# Monitoring-Service
cat > /etc/systemd/system/myp-monitor.service << 'EOF'
[Unit]
Description=MYP Security Monitor
After=myp.service
[Service]
Type=simple
User=root
ExecStart=/opt/myp/security/monitor.sh
Restart=always
RestartSec=10
@@ -253,104 +880,167 @@ RestartSec=10
WantedBy=multi-user.target
EOF
# Berechtigungen setzen
chown -R www-data:www-data /opt/myp
chmod -R 755 /opt/myp
chmod -R 775 /opt/myp/logs
chmod -R 775 /opt/myp/data
systemctl daemon-reload
systemctl enable myp-monitor.service
systemctl start myp-monitor.service
}
# Passwort-basierte Deaktivierung einrichten
setup_password_deactivation() {
# Kiosk-Deaktivierungs-Endpoint für Flask
cat > /opt/myp/app/kiosk_control.py << 'EOF'
from flask import Blueprint, request, jsonify, session
from werkzeug.security import check_password_hash
import subprocess
import logging
import os
kiosk_bp = Blueprint('kiosk', __name__)
# Sicherheits-Logger
security_logger = logging.getLogger('myp.security')
handler = logging.FileHandler('/opt/myp/logs/security/kiosk_control.log')
formatter = logging.Formatter('%(asctime)s - %(levelname)s - %(message)s')
handler.setFormatter(formatter)
security_logger.addHandler(handler)
security_logger.setLevel(logging.INFO)
@kiosk_bp.route('/api/kiosk/deactivate', methods=['POST'])
def deactivate_kiosk():
"""Deaktiviert den Kiosk-Modus mit Passwort"""
try:
data = request.get_json()
password = data.get('password', '')
# IP-Adresse für Logging
client_ip = request.environ.get('HTTP_X_REAL_IP', request.remote_addr)
# Passwort prüfen
if password != '744563017196A':
security_logger.warning(f"Failed kiosk deactivation attempt from {client_ip}")
return jsonify({'error': 'Falsches Passwort'}), 401
security_logger.info(f"Kiosk deactivation authorized from {client_ip}")
# Kiosk-Modus deaktivieren
try:
subprocess.run(['/opt/myp/security/deactivate_kiosk.sh'],
check=True, timeout=30)
return jsonify({'success': True, 'message': 'Kiosk-Modus deaktiviert'})
except subprocess.CalledProcessError as e:
security_logger.error(f"Failed to deactivate kiosk: {e}")
return jsonify({'error': 'Deaktivierung fehlgeschlagen'}), 500
except Exception as e:
security_logger.error(f"Kiosk deactivation error: {e}")
return jsonify({'error': 'Interner Fehler'}), 500
@kiosk_bp.route('/api/kiosk/status', methods=['GET'])
def kiosk_status():
"""Gibt den aktuellen Kiosk-Status zurück"""
try:
# Prüfe ob Kiosk-Prozesse laufen
result = subprocess.run(['pgrep', '-f', 'start_kiosk.sh'],
capture_output=True, text=True)
kiosk_active = result.returncode == 0
return jsonify({
'kiosk_active': kiosk_active,
'timestamp': datetime.now().isoformat()
})
except Exception as e:
return jsonify({'error': str(e)}), 500
EOF
# Notfall-Deaktivierung über Tastenkombination
cat > /opt/myp/security/emergency_exit.sh << 'EOF'
#!/bin/bash
# Notfall-Deaktivierung für Kiosk-Modus
# Prüfe auf Escape-Sequenz (Strg+Alt+Shift+E)
while true; do
if xinput test-xi2 --root | grep -q "KeyPress.*Escape"; then
echo "Emergency exit sequence detected"
/opt/myp/security/deactivate_kiosk.sh
break
fi
sleep 1
done
EOF
chmod +x /opt/myp/security/emergency_exit.sh
}
# Firewall konfigurieren
configure_firewall() {
# UFW zurücksetzen
ufw --force reset
# Standard-Policies
ufw default deny incoming
ufw default allow outgoing
# Erlaubte Ports
ufw allow 22/tcp # SSH
ufw allow 80/tcp # HTTP
ufw allow 443/tcp # HTTPS (falls später benötigt)
# Rate Limiting für SSH
ufw limit ssh
# UFW aktivieren
ufw --force enable
echo "Firewall konfiguriert und aktiviert."
}
# Sicheren Autostart konfigurieren
configure_secure_autostart() {
# Kiosk-Service erstellen
cat > /etc/systemd/system/myp-kiosk.service << 'EOF'
[Unit]
Description=MYP Secure Kiosk Mode
After=graphical-session.target
Wants=graphical-session.target
[Service]
Type=simple
User=myp-kiosk
Group=myp-kiosk
Environment=DISPLAY=:0
ExecStart=/opt/myp/security/start_kiosk.sh
Restart=always
RestartSec=5
StandardOutput=journal
StandardError=journal
[Install]
WantedBy=graphical-session.target
EOF
# Display Manager für automatischen Login konfigurieren
if [ -f "/etc/lightdm/lightdm.conf" ]; then
cp /etc/lightdm/lightdm.conf /etc/lightdm/lightdm.conf.backup
sed -i 's/#autologin-user=/autologin-user=myp-kiosk/' /etc/lightdm/lightdm.conf
sed -i 's/#autologin-user-timeout=0/autologin-user-timeout=0/' /etc/lightdm/lightdm.conf
sed -i 's/#autologin-session=/autologin-session=myp-kiosk/' /etc/lightdm/lightdm.conf
fi
# GDM3 Konfiguration (falls vorhanden)
if [ -f "/etc/gdm3/daemon.conf" ]; then
cp /etc/gdm3/daemon.conf /etc/gdm3/daemon.conf.backup
cat >> /etc/gdm3/daemon.conf << 'EOF'
[daemon]
AutomaticLoginEnable=true
AutomaticLogin=myp-kiosk
EOF
fi
systemctl daemon-reload
systemctl enable myp.service
systemctl start myp.service
systemctl enable myp-kiosk.service
# Nginx-Konfiguration für Reverse Proxy
echo "Konfiguriere Nginx..."
cat > /etc/nginx/sites-available/myp << EOF
server {
listen 80;
server_name _;
location / {
proxy_pass http://127.0.0.1:5000;
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
}
location /static {
alias /opt/myp/app/static;
expires 1y;
add_header Cache-Control "public, immutable";
}
}
EOF
ln -sf /etc/nginx/sites-available/myp /etc/nginx/sites-enabled/
rm -f /etc/nginx/sites-enabled/default
systemctl restart nginx
# Kiosk-Script einrichten
echo "Richte Kiosk-Script ein..."
cat > /opt/myp/kiosk.sh << 'EOF'
#!/bin/bash
# MYP V2 Kiosk-Modus Script
# Bildschirmschoner deaktivieren
xset s off
xset -dpms
xset s noblank
# Mauszeiger verstecken
unclutter -idle 0.5 -root &
# Chromium im Kiosk-Modus starten
chromium-browser \
--noerrdialogs \
--disable-infobars \
--kiosk \
--disable-session-crashed-bubble \
--disable-restore-session-state \
--disable-background-timer-throttling \
--disable-backgrounding-occluded-windows \
--disable-renderer-backgrounding \
--disable-features=TranslateUI \
--disable-ipc-flooding-protection \
--disable-background-networking \
--disable-sync \
--disable-default-apps \
--no-first-run \
--fast \
--fast-start \
--disable-gpu \
--no-sandbox \
http://localhost/
EOF
chmod +x /opt/myp/kiosk.sh
# Autostart für Kiosk-Modus einrichten
mkdir -p /home/pi/.config/autostart
cat > /home/pi/.config/autostart/myp-kiosk.desktop << EOF
[Desktop Entry]
Type=Application
Name=MYP Kiosk
Exec=/opt/myp/kiosk.sh
Hidden=false
NoDisplay=false
X-GNOME-Autostart-enabled=true
EOF
chown -R pi:pi /home/pi/.config
echo -e "${GREEN}Kiosk-Installation abgeschlossen.${NC}"
echo ""
echo -e "${YELLOW}Das System wird beim nächsten Start automatisch im Kiosk-Modus starten.${NC}"
echo -e "${BLUE}MYP V2 ist unter http://localhost erreichbar${NC}"
read -p "Drücken Sie eine Taste, um zum Hauptmenü zurückzukehren..."
show_main_menu
echo "Sicherer Autostart konfiguriert."
}
# 3) MYP V2 deinstallieren