From 4910983400401a4f1b76c4b0fd7830ee6751a4b5 Mon Sep 17 00:00:00 2001
From: Martin Goik <goik@hdm-stuttgart.de>
Date: Sun, 5 May 2024 17:57:00 +0200
Subject: [PATCH] Fail2ban ssh login limit, mlocate and vim

---
 .../Terra/060SshKnownHosts/Readme.md          |  5 +-
 .../Terra/060SshKnownHosts/tpl/userData.yml   |  1 +
 .../CloudProvider/Terra/070Upgrade/Readme.md  |  7 +++
 .../Terra/070Upgrade/bin/.gitignore           |  2 +
 .../Terra/070Upgrade/gen/.gitignore           |  2 +
 .../CloudProvider/Terra/070Upgrade/main.tf    | 48 +++++++++++++++++++
 .../CloudProvider/Terra/070Upgrade/network.tf | 12 +++++
 .../CloudProvider/Terra/070Upgrade/outputs.tf |  9 ++++
 .../070Upgrade/secrets.auto.tfvars.template   |  1 +
 .../CloudProvider/Terra/070Upgrade/tpl/ssh.sh |  5 ++
 .../Terra/070Upgrade/tpl/userData.yml         | 37 ++++++++++++++
 .../Terra/070Upgrade/variables.tf             |  4 ++
 12 files changed, 132 insertions(+), 1 deletion(-)
 create mode 100644 Doc/Sdi/CloudProvider/Terra/070Upgrade/Readme.md
 create mode 100644 Doc/Sdi/CloudProvider/Terra/070Upgrade/bin/.gitignore
 create mode 100644 Doc/Sdi/CloudProvider/Terra/070Upgrade/gen/.gitignore
 create mode 100644 Doc/Sdi/CloudProvider/Terra/070Upgrade/main.tf
 create mode 100644 Doc/Sdi/CloudProvider/Terra/070Upgrade/network.tf
 create mode 100644 Doc/Sdi/CloudProvider/Terra/070Upgrade/outputs.tf
 create mode 100644 Doc/Sdi/CloudProvider/Terra/070Upgrade/secrets.auto.tfvars.template
 create mode 100644 Doc/Sdi/CloudProvider/Terra/070Upgrade/tpl/ssh.sh
 create mode 100644 Doc/Sdi/CloudProvider/Terra/070Upgrade/tpl/userData.yml
 create mode 100644 Doc/Sdi/CloudProvider/Terra/070Upgrade/variables.tf

diff --git a/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/Readme.md b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/Readme.md
index 8893e3ebf..112c9318d 100644
--- a/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/Readme.md
+++ b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/Readme.md
@@ -1,5 +1,8 @@
 # Improving ssh handling and security
 
 - Creating local `bin/ssh` and related `gen/known_hosts` file from templates
-- Enhancing `sshd` security settings
+- Enhancing `sshd` security settings:
+    - Disallow password based logins 
+    - Disallow `root` login
+    - Allow `devops` private key based login
 
diff --git a/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/tpl/userData.yml b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/tpl/userData.yml
index cd61df8f3..deae75e27 100644
--- a/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/tpl/userData.yml
+++ b/Doc/Sdi/CloudProvider/Terra/060SshKnownHosts/tpl/userData.yml
@@ -13,6 +13,7 @@ users:
       - ${devopsSshPublicKey}
 
 runcmd:
+  # ssh daemon defaults
   - sed -ie '/^PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
   - sed -ie '/^PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
   - sed -ie '/^#AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh/authorized_keys/' /etc/ssh/sshd_config
diff --git a/Doc/Sdi/CloudProvider/Terra/070Upgrade/Readme.md b/Doc/Sdi/CloudProvider/Terra/070Upgrade/Readme.md
new file mode 100644
index 000000000..1fe6603e4
--- /dev/null
+++ b/Doc/Sdi/CloudProvider/Terra/070Upgrade/Readme.md
@@ -0,0 +1,7 @@
+# System update, enhanced security and useful helpers
+
+- Package upgrade and reboot if so required
+- Installing and configuring `fail2ban` limiting ssh connection attempts.
+- Installing enhanced vim
+- Installing mlocate file indexer 
+
diff --git a/Doc/Sdi/CloudProvider/Terra/070Upgrade/bin/.gitignore b/Doc/Sdi/CloudProvider/Terra/070Upgrade/bin/.gitignore
new file mode 100644
index 000000000..c96a04f00
--- /dev/null
+++ b/Doc/Sdi/CloudProvider/Terra/070Upgrade/bin/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
\ No newline at end of file
diff --git a/Doc/Sdi/CloudProvider/Terra/070Upgrade/gen/.gitignore b/Doc/Sdi/CloudProvider/Terra/070Upgrade/gen/.gitignore
new file mode 100644
index 000000000..c96a04f00
--- /dev/null
+++ b/Doc/Sdi/CloudProvider/Terra/070Upgrade/gen/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
\ No newline at end of file
diff --git a/Doc/Sdi/CloudProvider/Terra/070Upgrade/main.tf b/Doc/Sdi/CloudProvider/Terra/070Upgrade/main.tf
new file mode 100644
index 000000000..52c074a63
--- /dev/null
+++ b/Doc/Sdi/CloudProvider/Terra/070Upgrade/main.tf
@@ -0,0 +1,48 @@
+terraform {
+  required_providers {
+    hcloud = {
+      source = "hetznercloud/hcloud"
+    }
+  }
+  required_version = ">= 0.13"
+}
+
+provider "hcloud" {
+  token = var.hcloud_token
+}
+resource "tls_private_key" "host" {
+  algorithm   = "ED25519"
+}
+
+resource "hcloud_ssh_key" "loginUser" {
+  name       = "goik@hdm-stuttgart.de"
+  public_key = file("~/.ssh/id_ed25519.pub")
+}
+
+resource "hcloud_server" "helloServer" {
+  name         = "hello"
+  image        =  "debian-12"
+  server_type  =  "cx11"
+  user_data    = templatefile("tpl/userData.yml", {
+    host_ed25519_private = indent(4, tls_private_key.host.private_key_openssh) # yaml format parsing quirk, sigh!
+    host_ed25519_public  = tls_private_key.host.public_key_openssh
+    devopsSshPublicKey  = hcloud_ssh_key.loginUser.public_key
+  })
+  ssh_keys     = [hcloud_ssh_key.loginUser.id]
+  firewall_ids = [hcloud_firewall.sshFw.id]
+}
+
+resource "local_file" "known_hosts" {
+  content         = "${hcloud_server.helloServer.ipv4_address} ${tls_private_key.host.public_key_openssh}"
+  filename        = "gen/known_hosts"
+  file_permission = "644"
+}
+
+resource "local_file" "ssh_script" {
+  content = templatefile("tpl/ssh.sh", {
+    ip = hcloud_server.helloServer.ipv4_address
+  })
+  filename        = "bin/ssh"
+  file_permission = "700"
+  depends_on      = [local_file.known_hosts]
+}
diff --git a/Doc/Sdi/CloudProvider/Terra/070Upgrade/network.tf b/Doc/Sdi/CloudProvider/Terra/070Upgrade/network.tf
new file mode 100644
index 000000000..0a58ea664
--- /dev/null
+++ b/Doc/Sdi/CloudProvider/Terra/070Upgrade/network.tf
@@ -0,0 +1,12 @@
+resource "hcloud_firewall" "sshFw" {
+  name = "www-firewall"
+  rule {
+    direction = "in"
+    protocol  = "tcp"
+    port      = "22"
+    source_ips = [
+      "0.0.0.0/0",
+      "::/0"
+    ]
+  }
+}
diff --git a/Doc/Sdi/CloudProvider/Terra/070Upgrade/outputs.tf b/Doc/Sdi/CloudProvider/Terra/070Upgrade/outputs.tf
new file mode 100644
index 000000000..a63f85e52
--- /dev/null
+++ b/Doc/Sdi/CloudProvider/Terra/070Upgrade/outputs.tf
@@ -0,0 +1,9 @@
+output "hello_ip_addr" {
+  value       = hcloud_server.helloServer.ipv4_address
+  description = "The server's IPv4 address"
+}
+
+output "hello_datacenter" {
+  value       = hcloud_server.helloServer.datacenter
+  description = "The server's datacenter"
+}
diff --git a/Doc/Sdi/CloudProvider/Terra/070Upgrade/secrets.auto.tfvars.template b/Doc/Sdi/CloudProvider/Terra/070Upgrade/secrets.auto.tfvars.template
new file mode 100644
index 000000000..5929da087
--- /dev/null
+++ b/Doc/Sdi/CloudProvider/Terra/070Upgrade/secrets.auto.tfvars.template
@@ -0,0 +1 @@
+hcloud_token="your_api_token_goes_here"
diff --git a/Doc/Sdi/CloudProvider/Terra/070Upgrade/tpl/ssh.sh b/Doc/Sdi/CloudProvider/Terra/070Upgrade/tpl/ssh.sh
new file mode 100644
index 000000000..5de61bbbf
--- /dev/null
+++ b/Doc/Sdi/CloudProvider/Terra/070Upgrade/tpl/ssh.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+GEN_DIR=$(dirname "$0")/../gen
+
+ssh -o UserKnownHostsFile="$GEN_DIR/known_hosts" devops@${ip} "$@"
diff --git a/Doc/Sdi/CloudProvider/Terra/070Upgrade/tpl/userData.yml b/Doc/Sdi/CloudProvider/Terra/070Upgrade/tpl/userData.yml
new file mode 100644
index 000000000..e9d65aaed
--- /dev/null
+++ b/Doc/Sdi/CloudProvider/Terra/070Upgrade/tpl/userData.yml
@@ -0,0 +1,37 @@
+#cloud-config
+
+ssh_keys:
+  ed25519_private: |
+    ${host_ed25519_private}
+  ed25519_public: ${host_ed25519_public}
+users:
+  - name: devops
+    groups: users, admin
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    shell: /bin/bash
+    ssh_authorized_keys:
+      - ${devopsSshPublicKey}
+
+package_update: true
+package_upgrade: true
+package_reboot_if_required: true
+
+packages:
+  - fail2ban
+  - vim # Enhanced vi command
+  - mlocate
+runcmd:
+  # Fail2ban activation
+  - printf "[sshd]\nenabled = true\nbanaction = iptables-multiport" > /etc/fail2ban/jail.local
+  - systemctl enable fail2ban
+  - systemctl start fail2ban
+  # ssh daemon defaults
+  - sed -ie '/^PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
+  - sed -ie '/^PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
+  - sed -ie '/^#AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh/authorized_keys/' /etc/ssh/sshd_config
+  - sed -i '$a AllowUsers devops' /etc/ssh/sshd_config
+  - systemctl restart ssh
+  # Generation mlocate index
+  - updatedb
+
+
diff --git a/Doc/Sdi/CloudProvider/Terra/070Upgrade/variables.tf b/Doc/Sdi/CloudProvider/Terra/070Upgrade/variables.tf
new file mode 100644
index 000000000..3eefa6804
--- /dev/null
+++ b/Doc/Sdi/CloudProvider/Terra/070Upgrade/variables.tf
@@ -0,0 +1,4 @@
+variable "hcloud_token" {  # See secret.auto.tfvars
+  nullable = false
+  sensitive = true
+}
\ No newline at end of file
-- 
GitLab