

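#!/bin/bash
# Host hardening for a Debian/Astra-family system:
#   1a. pam_faillock lockout wired into common-auth / common-account
#   1b. pam_pwquality policy plus an extra pam_exec password check
#   1c. user franzliszt (intended 6-attempt limit), 1d. its sudoers rule
#   2.  UFW: UDP 9000-9100, the MyApp profile, deny port 2333
#   3.  user testuser with NOPASSWD sudo restricted to journalctl
#
# Must run as root. `passwd franzliszt` is interactive (prompts on the
# terminal); everything else is unattended. Re-running is safe: PAM lines
# are de-duplicated first, users/groups are created only when missing.
set -euo pipefail

readonly FAILLOCK_OPTS='deny=2 fail_interval=10 unlock_time=900'
readonly CHECK_SCRIPT=/usr/local/bin/check_extra.sh

# Print a message to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Create a login user with a home directory unless it already exists
# (useradd exits non-zero for an existing account, which would trip set -e).
ensure_user() {
  local name=$1
  id -u "$name" >/dev/null 2>&1 || useradd -m -s /bin/bash "$name"
}

# Write a sudoers drop-in and keep it only if visudo accepts it: a syntax
# error in any file under /etc/sudoers.d makes sudo refuse every invocation.
install_sudoers() {
  local name=$1 rule=$2
  local file="/etc/sudoers.d/$name"
  printf '%s\n' "$rule" > "$file"
  chmod 440 "$file"
  if ! visudo -cf "$file" >/dev/null; then
    rm -f -- "$file"
    die "sudoers rule for $name rejected by visudo"
  fi
}

[[ $EUID -eq 0 ]] || die "must be run as root"

# Required packages
apt update
apt install -y libpam-modules libpam-pwquality ufw

# ============================================
# 1a. Lockout via pam_faillock (with fail_interval)
# ============================================

# Remove earlier faillock/tally lines so the block below is the only one
# (also keeps re-runs from accumulating duplicates).
sed -i '/pam_faillock.so/d' /etc/pam.d/common-auth
sed -i '/pam_tally/d' /etc/pam.d/common-auth
sed -i '/pam_tally/d' /etc/pam.d/common-account
sed -i '/pam_faillock.so/d' /etc/pam.d/common-account

# Placement relative to pam_unix matters. Debian/Astra ship
#   auth [success=1 default=ignore] pam_unix.so ...
# so preauth goes before it and authfail/authsucc after it: a correct password
# skips one module (authfail) and reaches authsucc, a wrong one falls through
# to authfail. Inserting all three at lines 1-3, ahead of pam_unix, puts
# `[default=die] authfail` in front of the password check, which records a
# failure and terminates the stack on every login, correct password or not.
# NOTE(review): assumes a single `auth ... pam_unix.so` line carrying
# success=1 — verify on the target (Astra may differ) before rolling out.
grep -q '^auth.*pam_unix\.so' /etc/pam.d/common-auth \
  || die "common-auth: no pam_unix auth line to anchor pam_faillock on"
sed -i "/^auth.*pam_unix\.so/i auth required pam_faillock.so preauth ${FAILLOCK_OPTS}" /etc/pam.d/common-auth
# Appended in reverse order so authfail lands directly after pam_unix.
sed -i "/^auth.*pam_unix\.so/a auth sufficient pam_faillock.so authsucc ${FAILLOCK_OPTS}" /etc/pam.d/common-auth
sed -i "/^auth.*pam_unix\.so/a auth [default=die] pam_faillock.so authfail ${FAILLOCK_OPTS}" /etc/pam.d/common-auth

# Account-phase check. It goes *before* pam_unix: the Debian line
#   account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# skips the module right after it on success, so appending there would make a
# good password land on the following pam_deny and fail the account phase.
grep -q '^account.*pam_unix\.so' /etc/pam.d/common-account \
  || die "common-account: no pam_unix account line to anchor pam_faillock on"
sed -i '/^account.*pam_unix\.so/i account required pam_faillock.so' /etc/pam.d/common-account

# ============================================
# 1b. Password requirements
# ============================================

cat > /etc/security/pwquality.conf << 'EOF'
minlen = 9
lcredit = -3
ucredit = -3
dcredit = -1
ocredit = -2
usercheck = 1
EOF

# Extra check run by pam_exec. With expose_authtok the candidate password is
# delivered on stdin, never in argv (the previous version read "$1"/"$2",
# which pam_exec does not populate, so it accepted everything); the account
# name is available as $PAM_USER should the check ever need it.
cat > "$CHECK_SCRIPT" << 'EOF'
#!/bin/bash
# Reject passwords containing runs of digits. Exit 1 = reject, 0 = accept.
# pam_exec may deliver the token without a trailing newline, so tolerate EOF.
IFS= read -r password || true
# phone-number-like run of 7-11 digits
if grep -qE '[0-9]{7,11}' <<<"$password"; then
  exit 1
fi
# any run of 2+ digits (this already covers the pattern above; kept as the
# author wrote it — together with dcredit=-1 it means digits are required but
# may never be adjacent)
if grep -qE '[0-9]{2,4}' <<<"$password"; then
  exit 1
fi
exit 0
EOF
chmod +x "$CHECK_SCRIPT"

# `requisite`, not `optional`: an optional module's verdict is ignored unless
# it is the only module in the stack, so the check could never reject anything.
# Any earlier line for this script is dropped first so re-runs stay clean.
sed -i "\\#${CHECK_SCRIPT}#d" /etc/pam.d/common-password
sed -i "/pam_pwquality.so/a password requisite pam_exec.so seteuid expose_authtok ${CHECK_SCRIPT}" /etc/pam.d/common-password

# ============================================
# 1c. User franzliszt (6 attempts)
# ============================================

ensure_user franzliszt
passwd franzliszt   # interactive: prompts for the new password on the terminal

# Intended per-user override of the lockout limit.
# NOTE(review): pam_faillock documents one config file (/etc/security/faillock.conf
# or the `conf=` option), and options on the pam line — deny=2 above — take
# precedence over it; a per-user file under faillock.d is not a documented
# mechanism, so this limit likely never applies. Verify after a test login
# with `faillock --user franzliszt`.
mkdir -p /etc/security/faillock.d/
cat > /etc/security/faillock.d/franzliszt.conf << 'EOF'
deny=6
fail_interval=10
unlock_time=900
EOF

# ============================================
# 1d. Sudo for franzliszt (password required)
# ============================================

install_sudoers franzliszt 'franzliszt ALL=(ALL:ALL) ALL'

# ============================================
# 2. UFW
# ============================================

# Enabling ufw applies its default incoming policy (deny) immediately.
# NOTE(review): if this script is run over SSH, allow the admin port before
# this point or the session is cut off.
ufw --force disable
ufw --force enable

ufw allow 9000:9100/udp

mkdir -p /etc/ufw/applications.d
cat > /etc/ufw/applications.d/myapp << 'EOF'
[MyApp]
title=My Application
description=Килейкин Андрей
ports=8080/tcp|8080/udp|4799/tcp|4799/udp
EOF

ufw app update MyApp
ufw allow MyApp

ufw deny 2333

ufw reload

# ============================================
# 3. User testuser
# ============================================

ensure_user testuser

# Maximum integrity level (Astra Linux only; pdpl-user is absent elsewhere).
# Best-effort as in the original, but the failure is reported rather than hidden.
if command -v pdpl-user >/dev/null 2>&1; then
  pdpl-user -v 63 testuser 2>/dev/null \
    || printf 'warning: pdpl-user -v 63 testuser failed\n' >&2
fi

# Membership in astra-admin
getent group astra-admin >/dev/null || groupadd astra-admin
usermod -aG astra-admin testuser

# Passwordless sudo restricted to journalctl
install_sudoers testuser-journalctl 'testuser ALL=(ALL) NOPASSWD: /usr/bin/journalctl'

printf '%s\n' "Готово. pam_faillock настроен: ${FAILLOCK_OPTS}"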