Scripts for deploying a hardened internal network security scanner on Proxmox VE:
- PVE-level firewall and VM creation
- System hardening (sysctl, auditd, AIDE)
- nftables firewall with dynamic IP blocking
- SSH hardening with fail2ban
- Security tools (OpenVAS, Nmap, Nuclei, httpx, Nikto, testssl, NetExec)
- Monitoring, logging, and Docker autostart
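#!/bin/bash
# =============================================================================
# Security Scanner VM - Full Setup
# Run this inside the VM as root to execute all scripts in order
#
# Required env:  SCANNER_ADMIN_IPS      admin source IPs (comma-separated list)
# Optional env:  SCANNER_INTERNAL_NETS  internal networks (comma-separated CIDRs)
#                SCANNER_DNS_SERVERS    DNS servers (comma-separated)
#
# The optional values are only echoed by this wrapper; the defaults printed
# below are informational, and each stage script applies its own default
# (keep them in sync if one of them changes).
# =============================================================================
set -euo pipefail

readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# Stage scripts, executed in this order from SCRIPT_DIR.
readonly SCRIPTS=(
  "01-system-harden.sh"
  "02-firewall.sh"
  "03-ssh-harden.sh"
  "04-install-tools.sh"
  "05-monitoring.sh"
)

#######################################
# Print each argument as a line on stderr and exit with status 1.
# Arguments: message lines
#######################################
die() {
  printf '%s\n' "$@" >&2
  exit 1
}

#######################################
# Abort before touching the system if a prerequisite is missing:
# root privileges, SCANNER_ADMIN_IPS, and every stage script.
# Globals:   SCANNER_ADMIN_IPS, SCRIPT_DIR, SCRIPTS (read)
# Returns:   0 when all checks pass; exits 1 otherwise
#######################################
preflight() {
  [[ "$(id -u)" -eq 0 ]] || die "[ERROR] This script must be run as root."

  if [[ -z "${SCANNER_ADMIN_IPS:-}" ]]; then
    die "[ERROR] Set SCANNER_ADMIN_IPS before running." \
      " Example: export SCANNER_ADMIN_IPS='192.168.68.100, 192.168.68.101'"
  fi

  # Validate every stage up front: discovering a missing script only when
  # its turn comes would leave the host half-hardened.
  local script
  for script in "${SCRIPTS[@]}"; do
    [[ -f "${SCRIPT_DIR}/${script}" ]] \
      || die "[ERROR] Script not found: ${SCRIPT_DIR}/${script}"
  done
}

#######################################
# Show the effective configuration before any stage runs.
# Globals:   SCANNER_ADMIN_IPS, SCANNER_INTERNAL_NETS, SCANNER_DNS_SERVERS (read)
#######################################
print_banner() {
  echo "============================================"
  echo " Security Scanner VM - Full Setup"
  echo "============================================"
  echo ""
  echo " ADMIN_IPS: ${SCANNER_ADMIN_IPS}"
  echo " INTERNAL_NETS: ${SCANNER_INTERNAL_NETS:-10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16}"
  echo " DNS_SERVERS: ${SCANNER_DNS_SERVERS:-192.168.68.1}"
  echo ""
}

#######################################
# Run each stage script in order, stopping at the first failure.
# Globals:   SCRIPT_DIR, SCRIPTS (read)
# Returns:   0 when every stage succeeds; exits with the failing stage's
#            status otherwise
#######################################
run_stages() {
  local script rc
  for script in "${SCRIPTS[@]}"; do
    echo ""
    echo ">>> Running ${script}..."
    # Capture the status explicitly: under set -e a failing stage would exit
    # the wrapper without saying which stage failed or with what status.
    rc=0
    bash "${SCRIPT_DIR}/${script}" || rc=$?
    if (( rc != 0 )); then
      echo "[ERROR] ${script} failed with exit code ${rc}; remaining stages were not run." >&2
      exit "${rc}"
    fi
    echo ">>> ${script} completed."
  done
}

#######################################
# Print the manual steps that remain after the scripted stages.
#######################################
print_next_steps() {
  echo ""
  echo "============================================"
  echo " Setup complete!"
  echo "============================================"
  echo ""
  echo " Next steps:"
  echo " 1. Add SSH key: /home/scanner-admin/.ssh/authorized_keys"
  echo " 2. Start OpenVAS: cd /opt/greenbone && docker compose up -d"
  echo " 3. Set OpenVAS password:"
  # NOTE(review): a password given on the command line ends up in shell
  # history and is visible in process listings while the command runs; clear
  # the history entry afterwards or use an interactive prompt if gvmd offers one.
  echo " docker compose exec -u gvmd gvmd gvmd --user=admin --new-password=<PASSWORD>"
  echo " 4. Reboot: shutdown -r now"
}

main() {
  preflight
  print_banner
  run_stages
  print_next_steps
}

main "$@"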