Scripts for deploying a hardened internal network security scanner on Proxmox VE: - PVE-level firewall and VM creation - System hardening (sysctl, auditd, AIDE) - nftables firewall with dynamic IP blocking - SSH hardening with fail2ban - Security tools (OpenVAS, Nmap, Nuclei, httpx, Nikto, testssl, NetExec) - Monitoring, logging, and Docker autostart
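#!/bin/bash
# =============================================================================
# PVE Security Scanner VM - Creation Script
# Run this on the Proxmox host, as root (qm writes the cluster config).
#
# Creates an empty Debian 12 VM attached to the installer ISO. Installing the
# OS and running the in-guest hardening (the vm/ scripts) are manual follow-ups.
# Idempotent: if VMID already exists on this node the script exits 0 untouched.
# =============================================================================

set -euo pipefail

# --- Configuration (modify these) ---
VMID=200
VM_NAME="security-scanner"
STORAGE="local-lvm"                               # PVE storage pool for the root disk
ISO_PATH="local:iso/debian-12-amd64-netinst.iso"  # Debian 12 ISO (must already be uploaded)
BRIDGE="vmbr0"                                    # Network bridge
CORES=4
MEMORY=8192                                       # MB
DISK_SIZE="80"                                    # GiB, bare number; a trailing "G" is tolerated and stripped
VLAN_TAG=""                                       # Set VLAN tag if needed, e.g., "10"
NET_FIREWALL=1                                    # 1 = attach net0 to the PVE firewall. Per-VM firewall
                                                  #     rules only apply to NICs that carry firewall=1;
                                                  #     the rules themselves are configured separately.
PROTECTION=0                                      # 1 = refuse `qm destroy` / disk removal until cleared

# Print a diagnostic to stderr and abort.
die() { printf '[!] %s\n' "$*" >&2; exit 1; }

# --- Preconditions ---
[[ ${EUID} -eq 0 ]] || die "must run as root on the Proxmox host"
command -v qm >/dev/null 2>&1 || die "qm not found; is this a Proxmox VE host?"

# qm's "STORAGE:SIZE" allocation syntax expects the size in GiB as a bare
# number (no unit suffix). Normalize "80G" -> "80" and reject anything else so
# the failure is a clear message here rather than an opaque qm error.
DISK_SIZE_GIB="${DISK_SIZE%[Gg]}"
[[ "${DISK_SIZE_GIB}" =~ ^[0-9]+(\.[0-9]+)?$ ]] \
  || die "DISK_SIZE must be a number of GiB (optionally suffixed G), got '${DISK_SIZE}'"

# --- Guard: check if VM already exists ---
# NOTE(review): `qm status` only sees VMs on this node. In a cluster, a VMID in
# use on another node passes this guard and `qm create` fails instead.
if qm status "${VMID}" &>/dev/null; then
  echo "[!] VM ${VMID} already exists. Skipping creation."
  exit 0
fi

# --- Create VM ---
echo "[+] Creating VM ${VMID} (${VM_NAME})..."

# net0 spec: ",tag=<N>" is appended only when VLAN_TAG is set, ",firewall=1"
# only when NET_FIREWALL=1. The VM description below promises "restricted
# network access"; without the firewall flag no per-VM rule can enforce that.
NET0="virtio,bridge=${BRIDGE}${VLAN_TAG:+,tag=${VLAN_TAG}}"
if [[ "${NET_FIREWALL}" == "1" ]]; then
  NET0+=",firewall=1"
fi

# cputype=host exposes the host's CPU flags to the guest (fast, but the VM is
# then tied to this CPU model for live migration).
# Boot order puts the ISO first so the installer starts; once Debian is
# installed, detach the ISO or the VM comes back up in the installer again.
qm create "${VMID}" \
  --name "${VM_NAME}" \
  --ostype l26 \
  --cores "${CORES}" \
  --memory "${MEMORY}" \
  --cpu cputype=host \
  --scsihw virtio-scsi-single \
  --scsi0 "${STORAGE}:${DISK_SIZE_GIB}" \
  --ide2 "${ISO_PATH},media=cdrom" \
  --net0 "${NET0}" \
  --boot "order=ide2;scsi0" \
  --agent enabled=1 \
  --onboot 1 \
  --protection "${PROTECTION}" \
  --description "Internal network security scanner. Restricted network access."

echo "[+] VM ${VMID} created successfully."
echo "[+] Start the VM and install Debian 12, then run the vm/ scripts."
echo ""
echo "  qm start ${VMID}"
echo "  # after the install finishes, drop the ISO and boot from disk:"
echo "  qm set ${VMID} --ide2 none,media=cdrom --boot order=scsi0"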