Projektarbeit-MYP/backend/setup/modules/firewall.sh

#!/bin/bash

#######################################################################
# MYP AIO-Installer - Firewall & Network Security Module
# 
# Dieses Modul behandelt:
# - UFW (Uncomplicated Firewall) Konfiguration
# - Netzwerk-Sicherheitszonen
# - Port-Management für MYP-Services
# - Intrusion Detection Grundlagen
# - Netzwerk-Monitoring
# - SSH-Absicherung
#######################################################################

# Funktionsdeklarationen für Firewall & Network Setup

configure_firewall() {
    log "INFO" "=== FIREWALL & NETZWERK-SICHERHEIT KONFIGURIEREN ==="
    
    # UFW installieren und konfigurieren
    setup_ufw
    
    # Basis-Firewall-Regeln erstellen
    configure_base_firewall_rules
    
    # MYP-spezifische Regeln
    configure_myp_firewall_rules
    
    # SSH absichern
    secure_ssh
    
    # Netzwerk-Monitoring einrichten
    setup_network_monitoring
    
    # Fail2Ban für Intrusion Detection
    setup_fail2ban
    
    # IP-Tables Backup erstellen
    create_iptables_backup
    
    log "INFO" "Firewall & Netzwerk-Sicherheit Konfiguration abgeschlossen"
}

setup_ufw() {
    log "INFO" "Installiere und konfiguriere UFW..."
    
    # UFW installieren falls nicht vorhanden
    if ! command -v ufw >/dev/null 2>&1; then
        DEBIAN_FRONTEND=noninteractive apt-get install -y ufw
    fi
    
    # UFW zurücksetzen für saubere Konfiguration
    ufw --force reset
    
    # Standard-Policies setzen
    ufw default deny incoming
    ufw default allow outgoing
    ufw default deny forward
    
    # Logging aktivieren
    ufw logging on medium
    
    log "INFO" "UFW grundlegend konfiguriert"
}

configure_base_firewall_rules() {
    log "INFO" "Konfiguriere Basis-Firewall-Regeln..."
    
    # Loopback-Interface erlauben
    ufw allow in on lo
    ufw allow out on lo
    
    # Bereits etablierte Verbindungen erlauben
    ufw allow in on any to any port 22 proto tcp
    ufw allow in on any to any port 80 proto tcp
    ufw allow in on any to any port 443 proto tcp
    
    # ICMP (Ping) teilweise erlauben
    ufw allow in proto icmp
    
    # DNS-Abfragen erlauben (ausgehend)
    ufw allow out 53
    
    # NTP für Zeitynchronisation
    ufw allow out 123/udp
    
    # HTTP/HTTPS für Updates (ausgehend)
    ufw allow out 80/tcp
    ufw allow out 443/tcp
    
    log "INFO" "Basis-Firewall-Regeln konfiguriert"
}

configure_myp_firewall_rules() {
    log "INFO" "Konfiguriere MYP-spezifische Firewall-Regeln..."
    
    # MYP HTTPS-Service (Port 443)
    ufw allow in 443/tcp comment "MYP HTTPS Service"
    
    # MYP HTTP-Redirect (Port 80)
    ufw allow in 80/tcp comment "MYP HTTP Redirect"
    
    # Entwicklungs-Port (nur für lokale Netzwerke)
    ufw allow from 192.168.0.0/16 to any port 5000 comment "MYP Development"
    ufw allow from 10.0.0.0/8 to any port 5000 comment "MYP Development"
    ufw allow from 172.16.0.0/12 to any port 5000 comment "MYP Development"
    
    # SSH nur für lokale Netzwerke beschränken
    ufw delete allow 22/tcp 2>/dev/null || true
    ufw allow from 192.168.0.0/16 to any port 22 comment "SSH Local Network"
    ufw allow from 10.0.0.0/8 to any port 22 comment "SSH Local Network"
    ufw allow from 172.16.0.0/12 to any port 22 comment "SSH Local Network"
    
    # Printer-spezifische Ports (falls direkte Printer-Kommunikation benötigt)
    # OctoPrint-Standard-Ports
    ufw allow from 192.168.0.0/16 to any port 5001 comment "OctoPrint Web Interface"
    ufw allow from 10.0.0.0/8 to any port 5001 comment "OctoPrint Web Interface"
    
    # 3D-Printer-spezifische Ports
    # Marlin/RepRap (seriell über USB, normalerweise nicht nötig)
    # Klipper API (falls verwendet)
    ufw allow from 192.168.0.0/16 to any port 7125 comment "Klipper API"
    ufw allow from 10.0.0.0/8 to any port 7125 comment "Klipper API"
    
    # UPnP für Netzwerk-Discovery (begrenzt)
    ufw allow from 192.168.0.0/16 to any port 1900/udp comment "UPnP Discovery"
    ufw allow from 10.0.0.0/8 to any port 1900/udp comment "UPnP Discovery"
    
    log "INFO" "MYP-spezifische Firewall-Regeln konfiguriert"
}

secure_ssh() {
    log "INFO" "Sichere SSH-Konfiguration..."
    
    # SSH-Konfiguration sichern
    local ssh_config="/etc/ssh/sshd_config"
    
    # Backup der SSH-Konfiguration
    cp "$ssh_config" "${ssh_config}.backup.$(date +%Y%m%d)"
    
    # SSH-Sicherheitseinstellungen
    cat > "/etc/ssh/sshd_config.d/myp-security.conf" << 'EOF'
# MYP SSH Security Configuration

# Basis-Sicherheit
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes

# Session-Einstellungen
ClientAliveInterval 300
ClientAliveCountMax 2
LoginGraceTime 60
MaxAuthTries 3
MaxSessions 2
MaxStartups 2

# Protokoll-Einstellungen
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Verschlüsselung
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512

# Banner
Banner /etc/ssh/ssh_banner
EOF
    
    # SSH-Banner erstellen
    cat > "/etc/ssh/ssh_banner" << 'EOF'
================================================================================
                        MYP SYSTEM - AUTORISIERTER ZUGANG
================================================================================

WARNUNG: Dieses System ist nur für autorisierte Benutzer bestimmt.
Alle Aktivitäten werden überwacht und protokolliert.

Unbefugter Zugang ist strengstens untersagt und wird strafrechtlich verfolgt.

Mercedes-Benz 3D-Drucker-Management-System
================================================================================
EOF
    
    # SSH-Host-Keys regenerieren für bessere Sicherheit
    log "INFO" "Regeneriere SSH-Host-Keys..."
    rm -f /etc/ssh/ssh_host_*
    ssh-keygen -A
    
    # SSH-Service neu starten
    systemctl restart ssh
    
    # SSH-Service Status prüfen
    if systemctl is-active --quiet ssh; then
        log "INFO" "SSH erfolgreich gesichert und neu gestartet"
    else
        log "ERROR" "SSH-Service konnte nicht neu gestartet werden"
        return 1
    fi
    
    log "INFO" "SSH-Sicherheit konfiguriert"
}

setup_network_monitoring() {
    log "INFO" "Richte Netzwerk-Monitoring ein..."
    
    # Netstat-Monitoring-Script
    cat > "/usr/local/bin/myp-netmon.sh" << 'EOF'
#!/bin/bash
# MYP Network Monitor

LOG_FILE="/var/log/myp/network-monitor.log"
ALERT_FILE="/var/log/myp/network-alerts.log"

exec >> "$LOG_FILE" 2>&1

echo "$(date): Network Monitor Scan gestartet"

# Prüfe offene Ports
OPEN_PORTS=$(ss -tlnp | grep LISTEN)
echo "Offene Ports:"
echo "$OPEN_PORTS"

# Prüfe verdächtige Verbindungen
SUSPICIOUS_CONNECTIONS=$(ss -tn | awk '$1=="ESTAB" {print $4, $5}' | grep -v "127.0.0.1\|::1" | sort | uniq -c | sort -nr | head -10)
if [[ -n "$SUSPICIOUS_CONNECTIONS" ]]; then
    echo "Top-Verbindungen:"
    echo "$SUSPICIOUS_CONNECTIONS"
fi

# Prüfe Firewall-Status
UFW_STATUS=$(ufw status)
echo "Firewall-Status:"
echo "$UFW_STATUS"

# Prüfe auf Port-Scans (einfache Heuristik)
RECENT_CONNECTIONS=$(journalctl --since="5 minutes ago" -u ssh | grep "Failed\|Invalid" | wc -l)
if [[ $RECENT_CONNECTIONS -gt 10 ]]; then
    echo "$(date): ALERT - Möglicher SSH-Angriff erkannt ($RECENT_CONNECTIONS Fehlversuche)" >> "$ALERT_FILE"
fi

echo "$(date): Network Monitor Scan abgeschlossen"
echo "----------------------------------------"
EOF
    
    chmod +x "/usr/local/bin/myp-netmon.sh"
    
    # Network Monitor Service
    cat > "/etc/systemd/system/myp-netmon.service" << 'EOF'
[Unit]
Description=MYP Network Monitor
Documentation=https://github.com/mercedes-benz/myp

[Service]
Type=oneshot
ExecStart=/usr/local/bin/myp-netmon.sh
EOF
    
    # Network Monitor Timer
    cat > "/etc/systemd/system/myp-netmon.timer" << 'EOF'
[Unit]
Description=MYP Network Monitor Timer
Documentation=https://github.com/mercedes-benz/myp

[Timer]
OnCalendar=*:0/10
Persistent=true

[Install]
WantedBy=timers.target
EOF
    
    systemctl enable myp-netmon.timer
    
    log "INFO" "Netzwerk-Monitoring eingerichtet"
}

setup_fail2ban() {
    log "INFO" "Installiere und konfiguriere Fail2Ban..."
    
    # Fail2Ban installieren
    if ! command -v fail2ban-server >/dev/null 2>&1; then
        DEBIAN_FRONTEND=noninteractive apt-get install -y fail2ban
    fi
    
    # Fail2Ban lokale Konfiguration
    cat > "/etc/fail2ban/jail.local" << 'EOF'
[DEFAULT]
# Basis-Konfiguration
ignoreip = 127.0.0.1/8 ::1 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12
bantime = 3600
findtime = 600
maxretry = 3
backend = systemd

# E-Mail-Benachrichtigungen (optional)
# destemail = admin@example.com
# sendername = Fail2Ban
# mta = sendmail

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 7200

[nginx-http-auth]
enabled = false
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log

[nginx-noscript]
enabled = false
port = http,https
filter = nginx-noscript
logpath = /var/log/nginx/access.log

[nginx-badbots]
enabled = false
port = http,https
filter = nginx-badbots
logpath = /var/log/nginx/access.log

[apache-auth]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log

[myp-https]
enabled = true
port = https
filter = myp-https
logpath = /var/log/myp/app.log
maxretry = 5
bantime = 1800
EOF
    
    # MYP-spezifischer Fail2Ban-Filter
    cat > "/etc/fail2ban/filter.d/myp-https.conf" << 'EOF'
# MYP HTTPS Fail2Ban Filter

[Definition]
failregex = ^.*\[.*\] ".*" 401 .* ".*" ".*" "<HOST>".*$
            ^.*\[.*\] ".*" 403 .* ".*" ".*" "<HOST>".*$
            ^.*Authentication failed.*<HOST>.*$
            ^.*Invalid login attempt.*<HOST>.*$

ignoreregex =

[Init]
journalmatch = _SYSTEMD_UNIT=myp-https.service
EOF
    
    # Fail2Ban aktivieren und starten
    systemctl enable fail2ban
    systemctl restart fail2ban
    
    # Status prüfen
    if systemctl is-active --quiet fail2ban; then
        log "INFO" "Fail2Ban erfolgreich konfiguriert und gestartet"
    else
        log "WARN" "Fail2Ban konnte nicht gestartet werden"
    fi
    
    log "INFO" "Fail2Ban konfiguriert"
}

create_iptables_backup() {
    log "INFO" "Erstelle IPTables-Backup..."
    
    # Backup-Verzeichnis erstellen
    mkdir -p "/etc/myp/firewall-backups"
    
    # IPTables-Regeln sichern
    iptables-save > "/etc/myp/firewall-backups/iptables-$(date +%Y%m%d-%H%M%S).rules"
    ip6tables-save > "/etc/myp/firewall-backups/ip6tables-$(date +%Y%m%d-%H%M%S).rules"
    
    # UFW-Status sichern
    ufw status verbose > "/etc/myp/firewall-backups/ufw-status-$(date +%Y%m%d-%H%M%S).txt"
    
    # Backup-Script für regelmäßige Sicherungen
    cat > "/usr/local/bin/myp-firewall-backup.sh" << 'EOF'
#!/bin/bash
# MYP Firewall Backup Script

BACKUP_DIR="/etc/myp/firewall-backups"
DATE=$(date +%Y%m%d-%H%M%S)

# Aktuelle Regeln sichern
iptables-save > "$BACKUP_DIR/iptables-$DATE.rules"
ip6tables-save > "$BACKUP_DIR/ip6tables-$DATE.rules"
ufw status verbose > "$BACKUP_DIR/ufw-status-$DATE.txt"

# Alte Backups bereinigen (behalte nur die letzten 30)
find "$BACKUP_DIR" -name "*.rules" -mtime +30 -delete
find "$BACKUP_DIR" -name "*.txt" -mtime +30 -delete

echo "$(date): Firewall-Backup erstellt: $DATE"
EOF
    
    chmod +x "/usr/local/bin/myp-firewall-backup.sh"
    
    # Backup-Service
    cat > "/etc/systemd/system/myp-firewall-backup.service" << 'EOF'
[Unit]
Description=MYP Firewall Backup
Documentation=https://github.com/mercedes-benz/myp

[Service]
Type=oneshot
ExecStart=/usr/local/bin/myp-firewall-backup.sh
StandardOutput=append:/var/log/myp/firewall-backup.log
StandardError=append:/var/log/myp/firewall-backup.log
EOF
    
    # Backup-Timer
    cat > "/etc/systemd/system/myp-firewall-backup.timer" << 'EOF'
[Unit]
Description=MYP Firewall Backup Timer
Documentation=https://github.com/mercedes-benz/myp

[Timer]
OnCalendar=daily
Persistent=true
RandomizedDelaySec=30m

[Install]
WantedBy=timers.target
EOF
    
    systemctl enable myp-firewall-backup.timer
    
    log "INFO" "IPTables-Backup erstellt und Backup-System eingerichtet"
}

configure_network_zones() {
    log "INFO" "Konfiguriere Netzwerk-Sicherheitszonen..."
    
    # Erstelle Netzwerk-Zonen-Konfiguration
    cat > "/etc/myp/network-zones.conf" << 'EOF'
# MYP Network Security Zones Configuration

# Trusted Networks (Management, Admin-Zugang)
TRUSTED_NETWORKS=(
    "192.168.1.0/24"    # Management-Netz
    "10.10.0.0/16"      # Admin-Netz
)

# Production Networks (Standard-Benutzer)
PRODUCTION_NETWORKS=(
    "192.168.0.0/16"    # Produktions-Netz
    "10.0.0.0/8"        # Firmen-Netz
    "172.16.0.0/12"     # DMZ
)

# Restricted Networks (Gäste, IoT)
RESTRICTED_NETWORKS=(
    "192.168.100.0/24"  # Gäste-Netz
    "10.99.0.0/16"      # IoT-Netz
)

# Blocked Networks
BLOCKED_NETWORKS=(
    "0.0.0.0/8"         # Invalid
    "169.254.0.0/16"    # Link-local
    "224.0.0.0/4"       # Multicast
)
EOF
    
    # Zonen-Management-Script
    cat > "/usr/local/bin/myp-zones.sh" << 'EOF'
#!/bin/bash
# MYP Network Zones Management

source /etc/myp/network-zones.conf

case "$1" in
    "apply")
        echo "Wende Netzwerk-Zonen an..."
        
        # Trusted Networks - Vollzugriff
        for network in "${TRUSTED_NETWORKS[@]}"; do
            ufw allow from "$network" comment "Trusted Zone"
        done
        
        # Production Networks - Limitierter Zugriff
        for network in "${PRODUCTION_NETWORKS[@]}"; do
            ufw allow from "$network" to any port 443 comment "Production Zone HTTPS"
            ufw allow from "$network" to any port 80 comment "Production Zone HTTP"
        done
        
        # Restricted Networks - Sehr limitiert
        for network in "${RESTRICTED_NETWORKS[@]}"; do
            ufw allow from "$network" to any port 443 comment "Restricted Zone HTTPS"
        done
        
        # Blocked Networks
        for network in "${BLOCKED_NETWORKS[@]}"; do
            ufw deny from "$network" comment "Blocked Zone"
        done
        ;;
    "status")
        echo "Netzwerk-Zonen Status:"
        ufw status numbered
        ;;
    "reset")
        echo "Setze Netzwerk-Zonen zurück..."
        ufw --force reset
        ;;
    *)
        echo "Verwendung: $0 {apply|status|reset}"
        exit 1
        ;;
esac
EOF
    
    chmod +x "/usr/local/bin/myp-zones.sh"
    
    log "INFO" "Netzwerk-Sicherheitszonen konfiguriert"
}

activate_firewall() {
    log "INFO" "Aktiviere Firewall..."
    
    # UFW aktivieren
    echo "y" | ufw enable
    
    # Status prüfen
    if ufw status | grep -q "Status: active"; then
        log "INFO" "UFW erfolgreich aktiviert"
    else
        log "ERROR" "UFW konnte nicht aktiviert werden"
        return 1
    fi
    
    # Firewall-Status loggen
    ufw status verbose > "/var/log/myp/firewall-status.log"
    
    log "INFO" "Firewall aktiviert"
}

verify_firewall() {
    log "INFO" "Überprüfe Firewall-Konfiguration..."
    
    local errors=0
    
    # UFW Status prüfen
    if ! ufw status | grep -q "Status: active"; then
        log "ERROR" "UFW ist nicht aktiv"
        errors=$((errors + 1))
    fi
    
    # Wichtige Ports prüfen
    local required_ports=("443/tcp" "80/tcp" "22/tcp")
    for port in "${required_ports[@]}"; do
        if ! ufw status | grep -q "$port"; then
            log "ERROR" "Port-Regel fehlt: $port"
            errors=$((errors + 1))
        fi
    done
    
    # SSH-Service prüfen
    if ! systemctl is-active --quiet ssh; then
        log "ERROR" "SSH-Service nicht aktiv"
        errors=$((errors + 1))
    fi
    
    # Fail2Ban prüfen
    if command -v fail2ban-server >/dev/null 2>&1; then
        if ! systemctl is-active --quiet fail2ban; then
            log "WARN" "Fail2Ban nicht aktiv"
        fi
    fi
    
    # Netzwerk-Konnektivität testen
    if ! ping -c 1 8.8.8.8 >/dev/null 2>&1; then
        log "ERROR" "Externe Netzwerk-Konnektivität fehlgeschlagen"
        errors=$((errors + 1))
    fi
    
    if [[ $errors -eq 0 ]]; then
        log "INFO" "Firewall-Verifikation erfolgreich"
        
        # Firewall-Status-Report erstellen
        create_firewall_report
        
        return 0
    else
        log "ERROR" "Firewall-Verifikation fehlgeschlagen ($errors Fehler)"
        return 1
    fi
}

create_firewall_report() {
    log "INFO" "Erstelle Firewall-Status-Report..."
    
    local report_file="/var/log/myp/firewall-report-$(date +%Y%m%d-%H%M%S).txt"
    
    cat > "$report_file" << EOF
================================================================================
MYP FIREWALL-KONFIGURATION REPORT
================================================================================
Erstellt: $(date)
System: $(uname -a)
Hostname: $(hostname)

=== UFW STATUS ===
$(ufw status verbose)

=== IPTABLES RULES ===
$(iptables -L -n)

=== OPEN PORTS ===
$(ss -tlnp)

=== SSH CONFIGURATION ===
SSH-Service: $(systemctl is-active ssh)
SSH-Port: $(grep -E "^Port|^#Port" /etc/ssh/sshd_config | head -1)

=== FAIL2BAN STATUS ===
$(if command -v fail2ban-client >/dev/null 2>&1; then fail2ban-client status; else echo "Fail2Ban nicht installiert"; fi)

=== NETWORK INTERFACES ===
$(ip addr show)

=== ROUTING TABLE ===
$(ip route show)

=== DNS CONFIGURATION ===
$(cat /etc/resolv.conf)

================================================================================
ENDE REPORT
================================================================================
EOF
    
    log "INFO" "Firewall-Report erstellt: $report_file"
}