feat: initial setup for PVE security scanner VM

Scripts for deploying a hardened internal network security scanner on Proxmox VE: - PVE-level firewall and VM creation - System hardening (sysctl, auditd, AIDE) - nftables firewall with dynamic IP blocking - SSH hardening with fail2ban - Security tools (OpenVAS, Nmap, Nuclei, httpx, Nikto, testssl, NetExec) - Monitoring, logging, and Docker autostart
2026-03-08 20:21:29 +01:00
commit 5e49b977ab
10 changed files with 1511 additions and 0 deletions
--- a/vm/setup.sh
+++ b/vm/setup.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+# =============================================================================
+# Security Scanner VM - Full Setup
+# Run this inside the VM as root to execute all scripts in order
+# =============================================================================
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# --- Pre-flight checks ---
+if [[ "$(id -u)" -ne 0 ]]; then
+    echo "[ERROR] This script must be run as root." >&2
+    exit 1
+fi
+
+if [[ -z "${SCANNER_ADMIN_IPS:-}" ]]; then
+    echo "[ERROR] Set SCANNER_ADMIN_IPS before running." >&2
+    echo "  Example: export SCANNER_ADMIN_IPS='192.168.68.100, 192.168.68.101'" >&2
+    exit 1
+fi
+
+echo "============================================"
+echo " Security Scanner VM - Full Setup"
+echo "============================================"
+echo ""
+echo " ADMIN_IPS:     ${SCANNER_ADMIN_IPS}"
+echo " INTERNAL_NETS: ${SCANNER_INTERNAL_NETS:-10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16}"
+echo " DNS_SERVERS:   ${SCANNER_DNS_SERVERS:-192.168.68.1}"
+echo ""
+
+SCRIPTS=(
+    "01-system-harden.sh"
+    "02-firewall.sh"
+    "03-ssh-harden.sh"
+    "04-install-tools.sh"
+    "05-monitoring.sh"
+)
+
+for script in "${SCRIPTS[@]}"; do
+    SCRIPT_PATH="${SCRIPT_DIR}/${script}"
+    if [[ ! -f "${SCRIPT_PATH}" ]]; then
+        echo "[ERROR] Script not found: ${SCRIPT_PATH}" >&2
+        exit 1
+    fi
+    echo ""
+    echo ">>> Running ${script}..."
+    bash "${SCRIPT_PATH}"
+    echo ">>> ${script} completed."
+done
+
+echo ""
+echo "============================================"
+echo " Setup complete!"
+echo "============================================"
+echo ""
+echo " Next steps:"
+echo "   1. Add SSH key: /home/scanner-admin/.ssh/authorized_keys"
+echo "   2. Start OpenVAS: cd /opt/greenbone && docker compose up -d"
+echo "   3. Set OpenVAS password:"
+echo "      docker compose exec -u gvmd gvmd gvmd --user=admin --new-password=<PASSWORD>"
+echo "   4. Reboot: shutdown -r now"