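#!/bin/bash
#######################################################################
# MYP AIO-Installer - Firewall & Network Security Module
#
# This module handles:
# - UFW (Uncomplicated Firewall) configuration
# - network security zones
# - port management for the MYP services
# - basic intrusion detection (Fail2Ban)
# - network monitoring
# - SSH hardening
#
# The module is sourced by the installer and runs as root. It relies on a
# `log LEVEL MESSAGE` function supplied by the caller (not defined here).
#
# Optional tunables (environment variables):
#   MYP_LAN_NETWORKS              space-separated CIDRs treated as "local"
#                                 (default: the three RFC1918 ranges)
#   MYP_OPEN_DEV_PORT             "1" (default) opens port 5000 to the LAN;
#                                 set "0" on production systems
#   MYP_SSH_PASSWORD_AUTH         "yes" (default) / "no"; switch to "no"
#                                 once SSH keys are deployed
#   MYP_REGENERATE_SSH_HOST_KEYS  "1" wipes and regenerates the host keys
#                                 (default "0": only missing keys are created)
#   MYP_FAIL2BAN_IGNOREIP         extra CIDRs Fail2Ban must never ban
#                                 (loopback is always ignored)
#   MYP_CONNECTIVITY_CHECK_HOST   host pinged by verify_firewall
#                                 (default 8.8.8.8)
#######################################################################

# Print the CIDRs considered "local", one per line. Overridable through
# MYP_LAN_NETWORKS so a site can restrict SSH/dev ports to its real
# management ranges instead of all of RFC1918.
myp_lan_networks() {
  local nets="${MYP_LAN_NETWORKS:-192.168.0.0/16 10.0.0.0/8 172.16.0.0/12}"
  local net
  # word-splitting on whitespace is intended here
  for net in $nets; do
    printf '%s\n' "$net"
  done
}

# Add one inbound ufw allow rule per LAN network.
# Arguments: $1 - port, $2 - protocol (tcp|udp), $3 - rule comment
myp_allow_from_lan() {
  local port="$1" proto="$2" comment="$3" net
  while IFS= read -r net; do
    ufw allow from "$net" to any port "$port" proto "$proto" comment "$comment"
  done < <(myp_lan_networks)
}

# Create the log directory used by the monitor, backup and report writers.
# Root-owned, not world-readable (firewall state and connection lists are
# useful reconnaissance material).
myp_ensure_log_dir() {
  install -d -m 0750 /var/log/myp
}

# Entry point of this module: installs and configures ufw, the MYP port
# rules, SSH hardening, the network monitor, Fail2Ban and the rule backups.
# Note: ufw is NOT enabled here; the installer calls activate_firewall and
# verify_firewall separately. configure_network_zones is provided but is
# not part of this sequence.
configure_firewall() {
  log "INFO" "=== FIREWALL & NETZWERK-SICHERHEIT KONFIGURIEREN ==="

  myp_ensure_log_dir

  setup_ufw
  configure_base_firewall_rules
  configure_myp_firewall_rules
  secure_ssh
  setup_network_monitoring
  setup_fail2ban
  create_iptables_backup

  log "INFO" "Firewall & Netzwerk-Sicherheit Konfiguration abgeschlossen"
}

# Install ufw if needed and set the default policies.
# Returns 1 if the package cannot be installed.
setup_ufw() {
  log "INFO" "Installiere und konfiguriere UFW..."

  if ! command -v ufw >/dev/null 2>&1; then
    if ! DEBIAN_FRONTEND=noninteractive apt-get install -y ufw; then
      log "ERROR" "UFW konnte nicht installiert werden"
      return 1
    fi
  fi

  # NOTE: `reset` disables ufw and discards every existing rule, including
  # rules added by other tooling on this host. ufw keeps timestamped copies
  # of the previous rule files next to them under /etc/ufw/.
  ufw --force reset

  ufw default deny incoming
  ufw default allow outgoing
  # 'routed' is ufw's name for the FORWARD chain; 'forward' is not an
  # accepted direction and the old command failed with a syntax error.
  ufw default deny routed

  # `ufw logging` takes a single argument (off|on|low|medium|high|full);
  # "on medium" was rejected, leaving logging at the default level.
  ufw logging medium

  log "INFO" "UFW grundlegend konfiguriert"
}

# Loopback and outbound baseline rules. No inbound service ports are opened
# here; those are owned by configure_myp_firewall_rules.
configure_base_firewall_rules() {
  log "INFO" "Konfiguriere Basis-Firewall-Regeln..."

  ufw allow in on lo
  ufw allow out on lo

  # Inbound 22/80/443 used to be opened world-wide here, and the later
  # `ufw delete allow 22/tcp` never matched that rule's spelling, so SSH
  # stayed reachable from the internet. The rules now live in one place.

  # ICMP: ufw does not accept `proto icmp` in user rules; echo-request and
  # the ICMP error types are already permitted by /etc/ufw/before.rules.

  # Outbound is allow-by-default; these explicit rules keep DNS, NTP and
  # package updates working if the outgoing default is tightened later.
  ufw allow out 53
  ufw allow out 123/udp
  ufw allow out 80/tcp
  ufw allow out 443/tcp

  log "INFO" "Basis-Firewall-Regeln konfiguriert"
}

# Inbound rules for the MYP service and the printer-side helpers.
configure_myp_firewall_rules() {
  log "INFO" "Konfiguriere MYP-spezifische Firewall-Regeln..."

  # Public web service: HTTPS plus the HTTP -> HTTPS redirect.
  ufw allow in 443/tcp comment "MYP HTTPS Service"
  ufw allow in 80/tcp comment "MYP HTTP Redirect"

  # Development port (5000). Reachable from the whole LAN, which on a
  # corporate network is a lot of clients; disable with MYP_OPEN_DEV_PORT=0
  # on production hosts.
  if [[ "${MYP_OPEN_DEV_PORT:-1}" == "1" ]]; then
    myp_allow_from_lan 5000 tcp "MYP Development"
  fi

  # SSH: LAN only. `proto tcp` also makes `ufw status` print "22/tcp",
  # which is what verify_firewall looks for.
  myp_allow_from_lan 22 tcp "SSH Local Network"

  # Printer-side services, only needed if the host talks to printers
  # directly. Port numbers are taken over from the previous revision —
  # TODO(review): confirm 5001 (OctoPrint) and 7125 (Klipper/Moonraker API)
  # against the deployed printer controllers.
  myp_allow_from_lan 5001 tcp "OctoPrint Web Interface"
  myp_allow_from_lan 7125 tcp "Klipper API"
  # Marlin/RepRap speak serial over USB; no network rule is needed.

  # SSDP/UPnP discovery (UDP).
  myp_allow_from_lan 1900 udp "UPnP Discovery"

  log "INFO" "MYP-spezifische Firewall-Regeln konfiguriert"
}

# Harden sshd via a drop-in, validate the result with `sshd -t` before
# restarting (a broken config would otherwise cut off remote access), and
# make sure all host key types exist.
# Returns 1 on invalid settings, invalid resulting config or restart failure.
secure_ssh() {
  log "INFO" "Sichere SSH-Konfiguration..."

  local ssh_config="/etc/ssh/sshd_config"
  local dropin_dir="/etc/ssh/sshd_config.d"
  local dropin="${dropin_dir}/myp-security.conf"
  local backup="${ssh_config}.backup.$(date +%Y%m%d)"
  local password_auth="${MYP_SSH_PASSWORD_AUTH:-yes}"

  if [[ "$password_auth" != "yes" && "$password_auth" != "no" ]]; then
    log "ERROR" "MYP_SSH_PASSWORD_AUTH muss 'yes' oder 'no' sein"
    return 1
  fi

  cp "$ssh_config" "$backup" || return 1

  # Drop-ins are only honoured if sshd_config includes the directory
  # (Debian/Ubuntu ship that Include). If it is missing, add it at the top:
  # sshd uses the first value it sees, so the drop-in must come first.
  install -d -m 0755 "$dropin_dir"
  if ! grep -Eq '^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config\.d/' "$ssh_config"; then
    local tmp
    tmp=$(mktemp "${ssh_config}.XXXXXX") || return 1
    { printf 'Include /etc/ssh/sshd_config.d/*.conf\n'; cat "$ssh_config"; } > "$tmp" \
      && chmod 0644 "$tmp" && mv "$tmp" "$ssh_config"
  fi

  # Unquoted heredoc: only ${password_auth} is expanded, the rest is literal.
  cat > "$dropin" <<EOF
# MYP SSH Security Configuration (managed by the MYP installer)

# Authentication
PermitRootLogin no
# Password logins stay enabled by default so the installer cannot lock an
# operator out before keys are deployed; set MYP_SSH_PASSWORD_AUTH=no later.
PasswordAuthentication ${password_auth}
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes

# Sessions
ClientAliveInterval 300
ClientAliveCountMax 2
LoginGraceTime 60
MaxAuthTries 3
MaxSessions 2
# Only two unauthenticated connections at a time: cheap brute-force
# protection, but an aggressive scanner can briefly crowd out real logins.
MaxStartups 2

# Host keys ("Protocol 2" is intentionally not set: the keyword is obsolete
# and only produces a deprecation warning on current OpenSSH)
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Cryptography
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512

# Login banner
Banner /etc/ssh/ssh_banner
EOF
  chmod 0644 "$dropin"

  cat > "/etc/ssh/ssh_banner" << 'EOF'
================================================================================
                    MYP SYSTEM - AUTORISIERTER ZUGANG
================================================================================

WARNUNG: Dieses System ist nur für autorisierte Benutzer bestimmt.
Alle Aktivitäten werden überwacht und protokolliert.
Unbefugter Zugang ist strengstens untersagt und wird strafrechtlich verfolgt.

Mercedes-Benz 3D-Drucker-Management-System
================================================================================
EOF

  if [[ "${MYP_REGENERATE_SSH_HOST_KEYS:-0}" == "1" ]]; then
    # Rotating host keys invalidates every client's known_hosts entry for
    # this host (and trains users to accept changed keys); only do it on
    # purpose, e.g. on a cloned image that shares keys with its template.
    log "INFO" "Regeneriere SSH-Host-Keys..."
    rm -f /etc/ssh/ssh_host_*
  fi
  # Generates any host key type that is missing and leaves existing ones alone.
  ssh-keygen -A

  # Never restart sshd with an unvalidated config: roll back instead.
  local check_err
  if ! check_err=$(sshd -t 2>&1); then
    log "ERROR" "sshd-Konfiguration ungültig, Änderungen werden zurückgenommen: ${check_err}"
    rm -f "$dropin"
    cp "$backup" "$ssh_config"
    return 1
  fi

  systemctl restart ssh

  if systemctl is-active --quiet ssh; then
    log "INFO" "SSH erfolgreich gesichert und neu gestartet"
  else
    log "ERROR" "SSH-Service konnte nicht neu gestartet werden"
    return 1
  fi

  log "INFO" "SSH-Sicherheit konfiguriert"
}

# Install the periodic network monitor script plus its systemd service/timer.
setup_network_monitoring() {
  log "INFO" "Richte Netzwerk-Monitoring ein..."

  myp_ensure_log_dir

  cat > "/usr/local/bin/myp-netmon.sh" << 'EOF'
#!/bin/bash
# MYP Network Monitor (run by myp-netmon.timer every 10 minutes):
# snapshot of listening sockets, busiest peers and the ufw state, plus a
# crude SSH brute-force alert derived from the journal.
set -u

LOG_FILE="/var/log/myp/network-monitor.log"
ALERT_FILE="/var/log/myp/network-alerts.log"
# Look back over the same interval the timer uses; a window shorter than
# the timer period leaves gaps in which an attack goes unnoticed.
WINDOW="10 minutes ago"
SSH_FAIL_THRESHOLD=10

mkdir -p "$(dirname "$LOG_FILE")"
exec >> "$LOG_FILE" 2>&1

echo "$(date): Network Monitor Scan gestartet"

echo "Offene Ports:"
ss -tlnp | grep LISTEN

# Ten busiest non-loopback peers (count, local, remote) - informational.
TOP_CONNECTIONS=$(ss -tn | awk '$1=="ESTAB" {print $4, $5}' \
  | grep -v "127.0.0.1\|::1" | sort | uniq -c | sort -nr | head -10)
if [[ -n "$TOP_CONNECTIONS" ]]; then
  echo "Top-Verbindungen:"
  echo "$TOP_CONNECTIONS"
fi

echo "Firewall-Status:"
ufw status

# Failed / invalid-user SSH attempts in the window (grep -c prints 0 when
# nothing matches, so the comparison below is always numeric).
RECENT_FAILURES=$(journalctl --since="$WINDOW" -u ssh --no-pager 2>/dev/null \
  | grep -c -E 'Failed|Invalid')
if (( RECENT_FAILURES > SSH_FAIL_THRESHOLD )); then
  echo "$(date): ALERT - Möglicher SSH-Angriff erkannt ($RECENT_FAILURES Fehlversuche)" >> "$ALERT_FILE"
fi

echo "$(date): Network Monitor Scan abgeschlossen"
echo "----------------------------------------"
EOF
  chmod +x "/usr/local/bin/myp-netmon.sh"

  cat > "/etc/systemd/system/myp-netmon.service" << 'EOF'
[Unit]
Description=MYP Network Monitor
Documentation=https://github.com/mercedes-benz/myp

[Service]
Type=oneshot
ExecStart=/usr/local/bin/myp-netmon.sh
EOF

  cat > "/etc/systemd/system/myp-netmon.timer" << 'EOF'
[Unit]
Description=MYP Network Monitor Timer
Documentation=https://github.com/mercedes-benz/myp

[Timer]
OnCalendar=*:0/10
Persistent=true

[Install]
WantedBy=timers.target
EOF

  # New unit files must be picked up before they can be enabled/started.
  systemctl daemon-reload
  systemctl enable myp-netmon.timer
  # Start now as well; `enable` alone would only arm the timer after a reboot.
  systemctl start myp-netmon.timer \
    || log "WARN" "myp-netmon.timer konnte nicht gestartet werden"

  log "INFO" "Netzwerk-Monitoring eingerichtet"
}

# Install and configure Fail2Ban for sshd and the MYP HTTPS service.
setup_fail2ban() {
  log "INFO" "Installiere und konfiguriere Fail2Ban..."

  if ! command -v fail2ban-server >/dev/null 2>&1; then
    DEBIAN_FRONTEND=noninteractive apt-get install -y fail2ban
  fi

  # The previous ignoreip whitelisted all of RFC1918 - exactly the networks
  # that are the only ones allowed to reach SSH - so the sshd jail could
  # never ban anyone. Only loopback is ignored now; sites can add trusted
  # admin hosts via MYP_FAIL2BAN_IGNOREIP.
  local ignoreip="127.0.0.1/8 ::1${MYP_FAIL2BAN_IGNOREIP:+ ${MYP_FAIL2BAN_IGNOREIP}}"

  # Unquoted heredoc: only ${ignoreip} is expanded (the file contains no
  # other $ or backtick sequences).
  cat > "/etc/fail2ban/jail.local" <<EOF
[DEFAULT]
# Basis-Konfiguration
ignoreip = ${ignoreip}
bantime = 3600
findtime = 600
maxretry = 3
# Reads the journal; the per-jail logpath values below are then unused,
# which also avoids a hard dependency on /var/log/auth.log.
backend = systemd

# E-Mail-Benachrichtigungen (optional)
# destemail = admin@example.com
# sendername = Fail2Ban
# mta = sendmail

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 7200

[nginx-http-auth]
enabled = false
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log

[nginx-noscript]
enabled = false
port = http,https
filter = nginx-noscript
logpath = /var/log/nginx/access.log

[nginx-badbots]
enabled = false
port = http,https
filter = nginx-badbots
logpath = /var/log/nginx/access.log

[apache-auth]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log

[myp-https]
enabled = true
port = https
filter = myp-https
logpath = /var/log/myp/app.log
maxretry = 5
bantime = 1800
EOF

  # Every failregex must contain <HOST>: fail2ban refuses to load a filter
  # without it, and the previous patterns had none, which kept the whole
  # service from starting. The patterns assume either a combined-log style
  # line starting with the client address or an application message that
  # names the client after "from".
  # TODO(review): confirm against the real log lines of myp-https.service.
  cat > "/etc/fail2ban/filter.d/myp-https.conf" << 'EOF'
# MYP HTTPS Fail2Ban Filter
[Definition]
failregex = ^<HOST> \S+ \S+ \[[^]]*\] "[^"]*" 401 .*$
            ^<HOST> \S+ \S+ \[[^]]*\] "[^"]*" 403 .*$
            ^.*Authentication failed.* from <HOST>.*$
            ^.*Invalid login attempt.* from <HOST>.*$
ignoreregex =

[Init]
# With backend=systemd the jail reads this unit's journal entries; the
# jail's logpath is not consulted.
journalmatch = _SYSTEMD_UNIT=myp-https.service
EOF

  systemctl enable fail2ban
  systemctl restart fail2ban

  if systemctl is-active --quiet fail2ban; then
    log "INFO" "Fail2Ban erfolgreich konfiguriert und gestartet"
    # A jail with a broken filter is dropped silently at load time; check
    # both jails are actually running.
    local jail
    for jail in sshd myp-https; do
      if ! fail2ban-client status "$jail" >/dev/null 2>&1; then
        log "WARN" "Fail2Ban-Jail '$jail' ist nicht geladen"
      fi
    done
  else
    log "WARN" "Fail2Ban konnte nicht gestartet werden"
  fi

  log "INFO" "Fail2Ban konfiguriert"
}

# Create an initial rule backup and install the daily backup job.
create_iptables_backup() {
  log "INFO" "Erstelle IPTables-Backup..."

  myp_ensure_log_dir
  install -d -m 0700 "/etc/myp/firewall-backups"

  cat > "/usr/local/bin/myp-firewall-backup.sh" << 'EOF'
#!/bin/bash
# MYP Firewall Backup Script (run daily by myp-firewall-backup.timer)
set -u

BACKUP_DIR="/etc/myp/firewall-backups"
RETENTION_DAYS=30
DATE=$(date +%Y%m%d-%H%M%S)

install -d -m 0700 "$BACKUP_DIR"

iptables-save > "$BACKUP_DIR/iptables-$DATE.rules"
if command -v ip6tables-save >/dev/null 2>&1; then
  ip6tables-save > "$BACKUP_DIR/ip6tables-$DATE.rules"
fi
ufw status verbose > "$BACKUP_DIR/ufw-status-$DATE.txt"

# Prune by age: files older than RETENTION_DAYS days are removed. This is
# a time window, not "keep the newest 30 files".
find "$BACKUP_DIR" -name "*.rules" -mtime +"$RETENTION_DAYS" -delete
find "$BACKUP_DIR" -name "*.txt" -mtime +"$RETENTION_DAYS" -delete

echo "$(date): Firewall-Backup erstellt: $DATE"
EOF
  chmod +x "/usr/local/bin/myp-firewall-backup.sh"

  # Initial backup through the same script so the two code paths cannot drift.
  /usr/local/bin/myp-firewall-backup.sh \
    || log "WARN" "Initiales Firewall-Backup fehlgeschlagen"

  cat > "/etc/systemd/system/myp-firewall-backup.service" << 'EOF'
[Unit]
Description=MYP Firewall Backup
Documentation=https://github.com/mercedes-benz/myp

[Service]
Type=oneshot
ExecStart=/usr/local/bin/myp-firewall-backup.sh
StandardOutput=append:/var/log/myp/firewall-backup.log
StandardError=append:/var/log/myp/firewall-backup.log
EOF

  cat > "/etc/systemd/system/myp-firewall-backup.timer" << 'EOF'
[Unit]
Description=MYP Firewall Backup Timer
Documentation=https://github.com/mercedes-benz/myp

[Timer]
OnCalendar=daily
Persistent=true
RandomizedDelaySec=30m

[Install]
WantedBy=timers.target
EOF

  systemctl daemon-reload
  systemctl enable myp-firewall-backup.timer
  systemctl start myp-firewall-backup.timer \
    || log "WARN" "myp-firewall-backup.timer konnte nicht gestartet werden"

  log "INFO" "IPTables-Backup erstellt und Backup-System eingerichtet"
}

# Write the zone definition file and the zone management script.
# Not called by configure_firewall; the installer invokes it separately.
configure_network_zones() {
  log "INFO" "Konfiguriere Netzwerk-Sicherheitszonen..."

  install -d -m 0755 /etc/myp

  # Sourced as shell code by myp-zones.sh, hence root-owned and not
  # world-writable (the script checks both before sourcing).
  cat > "/etc/myp/network-zones.conf" << 'EOF'
# MYP Network Security Zones Configuration

# Trusted Networks (Management, Admin-Zugang)
TRUSTED_NETWORKS=(
    "192.168.1.0/24"    # Management-Netz
    "10.10.0.0/16"      # Admin-Netz
)

# Production Networks (Standard-Benutzer)
PRODUCTION_NETWORKS=(
    "192.168.0.0/16"    # Produktions-Netz
    "10.0.0.0/8"        # Firmen-Netz
    "172.16.0.0/12"     # DMZ
)

# Restricted Networks (Gäste, IoT)
RESTRICTED_NETWORKS=(
    "192.168.100.0/24"  # Gäste-Netz
    "10.99.0.0/16"      # IoT-Netz
)

# Blocked Networks
BLOCKED_NETWORKS=(
    "0.0.0.0/8"         # Invalid
    "169.254.0.0/16"    # Link-local
    "224.0.0.0/4"       # Multicast
)
EOF
  chmod 0644 "/etc/myp/network-zones.conf"

  cat > "/usr/local/bin/myp-zones.sh" << 'EOF'
#!/bin/bash
# MYP Network Zones Management: turns the zone lists in
# /etc/myp/network-zones.conf into ufw rules.
# Usage: myp-zones.sh {apply|status|reset}
set -e

CONF="/etc/myp/network-zones.conf"

die() { printf '%s\n' "$*" >&2; exit 1; }

[[ $EUID -eq 0 ]] || die "Dieses Script muss als root laufen"
[[ -f "$CONF" ]] || die "Konfiguration fehlt: $CONF"
# The file is executed as shell code: refuse it unless root owns it and
# nobody else can write to it.
[[ "$(stat -c '%u' "$CONF")" == "0" ]] || die "$CONF gehört nicht root"
[[ -z "$(find "$CONF" -perm -o+w)" ]] || die "$CONF ist für andere schreibbar"
# shellcheck source=/dev/null
source "$CONF"

case "${1:-}" in
  apply)
    echo "Wende Netzwerk-Zonen an..."
    # ufw evaluates rules in insertion order (first match wins), so the
    # broad trusted-zone allows must be inserted before the narrower zones.
    for network in "${TRUSTED_NETWORKS[@]}"; do
      ufw allow from "$network" comment "Trusted Zone"
    done
    for network in "${PRODUCTION_NETWORKS[@]}"; do
      ufw allow from "$network" to any port 443 comment "Production Zone HTTPS"
      ufw allow from "$network" to any port 80 comment "Production Zone HTTP"
    done
    for network in "${RESTRICTED_NETWORKS[@]}"; do
      ufw allow from "$network" to any port 443 comment "Restricted Zone HTTPS"
    done
    for network in "${BLOCKED_NETWORKS[@]}"; do
      ufw deny from "$network" comment "Blocked Zone"
    done
    ;;
  status)
    echo "Netzwerk-Zonen Status:"
    ufw status numbered
    ;;
  reset)
    # WARNING: this disables ufw and drops ALL rules, not only the zone
    # rules; the host stays unfiltered until the installer re-applies them.
    echo "Setze Netzwerk-Zonen zurück..."
    ufw --force reset
    ;;
  *)
    echo "Verwendung: $0 {apply|status|reset}"
    exit 1
    ;;
esac
EOF
  chmod +x "/usr/local/bin/myp-zones.sh"

  log "INFO" "Netzwerk-Sicherheitszonen konfiguriert"
}

# Enable ufw and record its status. Returns 1 if ufw is not active afterwards.
activate_firewall() {
  log "INFO" "Aktiviere Firewall..."

  myp_ensure_log_dir

  # --force answers the interactive "may disrupt existing ssh connections"
  # prompt; the SSH allow rules are already in place at this point.
  ufw --force enable

  if ufw status | grep -q "Status: active"; then
    log "INFO" "UFW erfolgreich aktiviert"
  else
    log "ERROR" "UFW konnte nicht aktiviert werden"
    return 1
  fi

  ufw status verbose > "/var/log/myp/firewall-status.log"

  log "INFO" "Firewall aktiviert"
}

# Check that ufw is active with the expected port rules and that sshd runs.
# Returns 0 (and writes a report) when no error was found, 1 otherwise.
# Fail2Ban problems and missing external connectivity are warnings only.
verify_firewall() {
  log "INFO" "Überprüfe Firewall-Konfiguration..."

  local errors=0
  local status
  status=$(ufw status)

  if ! grep -q "Status: active" <<<"$status"; then
    log "ERROR" "UFW ist nicht aktiv"
    errors=$((errors + 1))
  fi

  # "22/tcp" is printed only for rules created with `proto tcp`, which
  # configure_myp_firewall_rules uses for the LAN-only SSH rules.
  local required_ports=("443/tcp" "80/tcp" "22/tcp")
  local port
  for port in "${required_ports[@]}"; do
    if ! grep -q -F -- "$port" <<<"$status"; then
      log "ERROR" "Port-Regel fehlt: $port"
      errors=$((errors + 1))
    fi
  done

  if ! systemctl is-active --quiet ssh; then
    log "ERROR" "SSH-Service nicht aktiv"
    errors=$((errors + 1))
  fi

  if command -v fail2ban-server >/dev/null 2>&1; then
    if ! systemctl is-active --quiet fail2ban; then
      log "WARN" "Fail2Ban nicht aktiv"
    fi
  fi

  # Connectivity is reported but not counted as a firewall error: sites
  # without direct internet egress (proxy-only, air-gapped) would otherwise
  # never pass verification although the firewall is correct.
  local check_host="${MYP_CONNECTIVITY_CHECK_HOST:-8.8.8.8}"
  if ! ping -c 1 -W 3 "$check_host" >/dev/null 2>&1; then
    log "WARN" "Externe Netzwerk-Konnektivität zu ${check_host} fehlgeschlagen"
  fi

  if [[ $errors -eq 0 ]]; then
    log "INFO" "Firewall-Verifikation erfolgreich"
    create_firewall_report
    return 0
  fi

  log "ERROR" "Firewall-Verifikation fehlgeschlagen ($errors Fehler)"
  return 1
}

# Write a snapshot of the firewall, socket, SSH, Fail2Ban and network state
# to /var/log/myp (mode 0600: the content is a map of the host).
create_firewall_report() {
  log "INFO" "Erstelle Firewall-Status-Report..."

  myp_ensure_log_dir
  local report_file="/var/log/myp/firewall-report-$(date +%Y%m%d-%H%M%S).txt"

  # Create the file with restrictive permissions first; `cat >` below keeps them.
  install -m 0600 /dev/null "$report_file"

  cat > "$report_file" << EOF
================================================================================
                    MYP FIREWALL-KONFIGURATION REPORT
================================================================================
Erstellt: $(date)
System: $(uname -a)
Hostname: $(hostname)

=== UFW STATUS ===
$(ufw status verbose)

=== IPTABLES RULES ===
$(iptables -L -n)

=== OPEN PORTS ===
$(ss -tlnp)

=== SSH CONFIGURATION ===
SSH-Service: $(systemctl is-active ssh)
SSH-Port: $(sshd -T 2>/dev/null | awk '$1 == "port" {printf "%s ", $2}')

=== FAIL2BAN STATUS ===
$(if command -v fail2ban-client >/dev/null 2>&1; then fail2ban-client status; else echo "Fail2Ban nicht installiert"; fi)

=== NETWORK INTERFACES ===
$(ip addr show)

=== ROUTING TABLE ===
$(ip route show)

=== DNS CONFIGURATION ===
$(cat /etc/resolv.conf)

================================================================================
                           ENDE REPORT
================================================================================
EOF

  log "INFO" "Firewall-Report erstellt: $report_file"
}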