diff --git a/install-10.99.0.1.md b/install-10.99.0.1.md new file mode 100644 index 0000000..36257cc --- /dev/null +++ b/install-10.99.0.1.md @@ -0,0 +1,283 @@ +#!/bin/bash +# ============================================================================== +# NOTA DE SEGURANÇA E ARQUITETURA REAL (CONVENÇÃO ATUAL): +# 10.99.0.1 -> AMBIENTE DE PRODUÇÃO (Runtime Puro, Traefik, Monitoramento SOC) +# 10.99.0.3 -> BANCO DE DADOS DE PRODUÇÃO DEDICADO (PostgreSQL Bare-metal Appliance) +# 10.99.0.4 -> AMBIENTE DE DESENVOLVIMENTO, HOMOLOGAÇÃO & BUILDER DEPLOYS (GitOps) +# ============================================================================== +# V8 BUNKER EXTREMO FINAL SUPREMA (VERSÃO PRODUÇÃO 10.99.0.1) +# HUB DE MONITORAMENTO CENTRALIZADO (RECEBE LOGS E MÉTRICAS DE TODAS AS VPSs) +# ========================================================= +set -eo pipefail + +echo "🚀 INICIANDO V8 BUNKER EXTREMO FINAL SUPREMA NA VPS 1 (PRODUÇÃO)..." + +# ========================= +# 1. VARIÁVEIS DA INFRA +# ========================= +USER_NAME="deploy" +PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOnD6GW6oVuY1DcfCQSUQV/JNHa35A2Or1K3X1gEC8D/ rui@DESKTOP-K5Q17QK" +WG_PORT="52830" +VPN_SUBNET="10.99.0.0/24" +SERVER_VPN_IP="10.99.0.1" +DOMAIN_APP="clube67.com" +EMAIL="ruibto@gmail.com" +VPS2_DEV_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKm085+8paXXj9AzUa00dhuB1IH2/Y4uTStU1zm2I7QZ deploy@vmi2797860" + +# ========================= +# 2. BASE & PACOTES +# ========================= +echo "🚀 Atualizando sistema e instalando pacotes base..." +apt update && apt upgrade -y +apt install -y curl ufw fail2ban auditd apparmor apparmor-utils \ + ca-certificates gnupg lsb-release htop jq acl + +systemctl enable auditd || true +systemctl enable fail2ban || true + +# ========================= +# 3. USUÁRIO + SSH HARDEN + SUDO (NOPASSWD) +# ========================= +echo "🚀 Criando usuário deploy e blindando SSH..." +id -u $USER_NAME &>/dev/null || adduser --disabled-password --gecos "" $USER_NAME +usermod -aG sudo,adm $USER_NAME + +echo "$USER_NAME ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/$USER_NAME +chmod 0440 /etc/sudoers.d/$USER_NAME + +mkdir -p /home/$USER_NAME/.ssh +echo "$PUBKEY" > /home/$USER_NAME/.ssh/authorized_keys +[[ -n "$VPS2_DEV_PUBKEY" ]] && grep -q "$VPS2_DEV_PUBKEY" /home/$USER_NAME/.ssh/authorized_keys || echo "$VPS2_DEV_PUBKEY" >> /home/$USER_NAME/.ssh/authorized_keys +chmod 700 /home/$USER_NAME/.ssh +chmod 600 /home/$USER_NAME/.ssh/authorized_keys +chown -R $USER_NAME:$USER_NAME /home/$USER_NAME/.ssh + +su - $USER_NAME -c "[[ -f ~/.ssh/id_ed25519 ]] || ssh-keygen -t ed25519 -N '' -f ~/.ssh/id_ed25519" + +sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config +sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config +grep -q "^AllowUsers" /etc/ssh/sshd_config || echo "AllowUsers $USER_NAME" >> /etc/ssh/sshd_config + +# ========================= +# 4. FIREWALL (UFW) +# ========================= +echo "🚀 Configurando regras do Firewall (UFW)..." +ufw default deny incoming +ufw default allow outgoing +ufw allow 80/tcp +ufw allow 443/tcp +ufw allow $WG_PORT/udp +ufw allow from $VPN_SUBNET + +# ========================= +# 5. SYSCTL HARDENING & NOEXEC +# ========================= +echo "🚀 Aplicando Hardening no Kernel..." +grep -q "net.ipv4.ip_unprivileged_port_start" /etc/sysctl.conf || cat >> /etc/sysctl.conf <> /etc/fstab +grep -q "/dev/shm tmpfs" /etc/fstab || echo "tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0" >> /etc/fstab +grep -q "/var/tmp tmpfs" /etc/fstab || echo "tmpfs /var/tmp tmpfs defaults,noexec,nosuid 0 0" >> /etc/fstab + +# ========================= +# 6. QUARENTENA INTELIGENTE & EDR +# ========================= +# (Mesma lógica do script anterior, mantida para proteção local da VPS 1) +cat > /usr/local/bin/quarantine-guard.sh <<'EOF' +#!/bin/bash +LOG="/var/log/quarantine.log" +FORENSIC="/var/log/quarantine_forensic.log" +THRESHOLD=80 +MEM=$(free | awk '/Mem:/ {printf("%.0f", $3/$2 * 100)}') +if [ "$MEM" -lt "$THRESHOLD" ]; then exit 0; fi +echo "[$(date)] MEMORIA CRITICA: $MEM%" >> $LOG +ps -eo pid,%mem,user,cmd --sort=-%mem | head -n 15 | tail -n +2 | while read -r PID MEM_USAGE USER CMD +do + NAME=$(echo "$CMD" | awk '{print $1}' | xargs basename) + BIN_PATH=$(readlink -f /proc/$PID/exe 2>/dev/null || echo "") + CWD=$(readlink -f /proc/$PID/cwd 2>/dev/null || echo "") + if [[ "$CWD" == /tmp* ]] || [[ "$BIN_PATH" == /tmp* ]] || [[ "$NAME" =~ (xmrig|kinsing|kdevtmpfsi) ]]; then + kill -9 $PID 2>/dev/null + echo "[$(date)] PROCESSO ELIMINADO: $NAME ($PID)" >> $LOG + fi +done +EOF +chmod +x /usr/local/bin/quarantine-guard.sh +grep -q "quarantine-guard" /etc/crontab || echo "*/1 * * * * root /usr/local/bin/quarantine-guard.sh" >> /etc/crontab + +# ========================= +# 7. CROWDSEC & FALCO (EDR) +# ========================= +curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | bash +apt install -y crowdsec crowdsec-firewall-bouncer-nftables +curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - +echo "deb https://download.falco.org/packages/deb stable main" > /etc/apt/sources.list.d/falco.list +apt update && apt install -y falco + +mkdir -p /var/log +touch /var/log/falco.log +chmod 644 /var/log/falco.log +setfacl -R -m u:$USER_NAME:rx /var/log || true + +# ========================= +# 8. CONFIGURAÇÃO MONITORAMENTO CENTRAL (HUB) +# ========================= +echo "🚀 Preparando HUB de Monitoramento Central..." +SOC_DIR="/opt/soc" +mkdir -p $SOC_DIR/{grafana/provisioning/datasources,grafana/provisioning/dashboards,grafana/provisioning/alerting,grafana/dashboards,prometheus,promtail} + +# Prometheus configurado para monitorar Produção (10.99.0.1), Desenvolvimento (10.99.0.3) e WhatsApp (10.99.0.4) +cat > $SOC_DIR/prometheus/prometheus.yml < $SOC_DIR/promtail/config.yml < $SOC_DIR/grafana/provisioning/datasources/datasources.yml < $SOC_DIR/grafana/dashboards/soc.json <<'EOF' +{ + "title": "SOC GLOBAL OVERVIEW", + "panels": [ + { + "type": "stat", + "title": "CPU Produção", + "targets": [ { "expr": "100 - (avg(rate(node_cpu_seconds_total{job=\"producao\",mode=\"idle\"}[5m])) * 100)" } ] + }, + { + "type": "stat", + "title": "CPU Desenvolvimento", + "gridPos": { "x": 12, "y": 0, "h": 5, "w": 12 }, + "targets": [ { "expr": "100 - (avg(rate(node_cpu_seconds_total{job=\"desenvolvimento\",mode=\"idle\"}[5m])) * 100)" } ] + } + ], + "schemaVersion": 36, + "version": 1 +} +EOF + +chown -R $USER_NAME:$USER_NAME $SOC_DIR + +# ========================= +# 9. APPARMOR FIX & DOCKER ROOTLESS +# ========================= +apt install -y uidmap dbus-user-session docker-compose-plugin +su - $USER_NAME -c "[[ -f ~/bin/dockerd ]] || curl -fsSL https://get.docker.com/rootless | sh" +loginctl enable-linger $USER_NAME +DEPLOY_UID=$(id -u $USER_NAME) + +# ========================= +# 10. STACKS DE PRODUÇÃO +# ========================= +mkdir -p /home/$USER_NAME/stack/{traefik/letsencrypt,soc,portainer/data} +touch /home/$USER_NAME/stack/traefik/letsencrypt/acme.json +chmod 600 /home/$USER_NAME/stack/traefik/letsencrypt/acme.json + +cat > /home/$USER_NAME/stack/soc/docker-compose.yml < AMBIENTE DE PRODUÇÃO (Runtime Puro, Traefik, Monitoramento SOC) +# 10.99.0.3 -> BANCO DE DADOS DE PRODUÇÃO DEDICADO (PostgreSQL Bare-metal Appliance) +# 10.99.0.4 -> AMBIENTE DE DESENVOLVIMENTO, HOMOLOGAÇÃO & BUILDER DEPLOYS (GitOps) +# ============================================================================== +# ⚠️ CAUTION: ESTE SCRIPT REPLICA AS CONFIGURAÇÕES DE SEGURANÇA DA VPS 1. +# CERTIFIQUE-SE DE QUE A "PRIVATEKEY" DO WIREGUARD DA VPS 10.99.0.3 ESTEJA DISPONÍVEL. +# AS CHAVES SSH E AS CONFIGURAÇÕES DO WIREGUARD SÓ SERÃO CRIADAS SE NÃO EXISTIREM. +# ============================================================================== +# V8 BUNKER EXTREMO FINAL SUPREMA (VERSÃO BANCO DE DADOS DE PRODUÇÃO DEDICADO 10.99.0.3) +# AGENTE DE MONITORAMENTO (MÉTRICAS E LOGS ENVIADOS PARA A VPS 1) +# ========================================================= +set -eo pipefail + +echo "🚀 INICIANDO V8 BUNKER EXTREMO FINAL SUPREMA NA VPS 3 (BANCO DE DADOS DEDICADO)..." + +# ========================= +# 1. VARIÁVEIS DA INFRA +# ========================= +USER_NAME="deploy" +PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMzqvHpWO69vdujhyeFaKmOssT5leqIUQsknJiFzHKlK rui@DESKTOP-K5Q17QK" +SERVER_VPN_IP="10.99.0.3" # IP desta VPS na WireGuard +SERVER_GATEWAY_IP="10.99.0.1" # IP da VPS 1 (Hub do Monitoramento) +VPN_SUBNET="10.99.0.0/24" +WG_SERVER_PUBKEY="jUWnuc+82vQ6kLMSI7W1i7hBRBgQKcaSZ8yJy56QSUw=" +WG_SERVER_ENDPOINT="158.220.109.237:51820" # IP Público da VPS 1 +DOMAIN_APP="dev.clube67.com" # Domínio de Desenvolvimento +EMAIL="ruibto@gmail.com" +VPS2_DEV_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKm085+8paXXj9AzUa00dhuB1IH2/Y4uTStU1zm2I7QZ deploy@vmi2797860" +VPS1_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOm8XdsuqpRMM+1y4w4onc+VhPTtqR4iEFJYnA7SRNXS deploy@vmi2849674" + +# ========================= +# 2. BASE & PACOTES +# ========================= +echo "🚀 Atualizando sistema e instalando pacotes base..." +apt update && apt upgrade -y +apt install -y curl ufw fail2ban auditd apparmor apparmor-utils \ + ca-certificates gnupg lsb-release htop jq acl wireguard + +systemctl enable auditd || true +systemctl enable fail2ban || true + +# ========================= +# 3. USUÁRIO + SSH HARDEN + SUDO (NOPASSWD) +# ========================= +echo "🚀 Criando usuário deploy e blindando SSH..." +id -u $USER_NAME &>/dev/null || adduser --disabled-password --gecos "" $USER_NAME +usermod -aG sudo,adm $USER_NAME + +echo "$USER_NAME ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/$USER_NAME +chmod 0440 /etc/sudoers.d/$USER_NAME + +mkdir -p /home/$USER_NAME/.ssh +echo "$PUBKEY" > /home/$USER_NAME/.ssh/authorized_keys +[[ -n "$VPS2_DEV_PUBKEY" ]] && grep -q "$VPS2_DEV_PUBKEY" /home/$USER_NAME/.ssh/authorized_keys || echo "$VPS2_DEV_PUBKEY" >> /home/$USER_NAME/.ssh/authorized_keys +[[ -n "$VPS1_PUBKEY" ]] && grep -q "$VPS1_PUBKEY" /home/$USER_NAME/.ssh/authorized_keys || echo "$VPS1_PUBKEY" >> /home/$USER_NAME/.ssh/authorized_keys +chmod 700 /home/$USER_NAME/.ssh +chmod 600 /home/$USER_NAME/.ssh/authorized_keys + +# 👉 Proteção: Só cria a chave se ela não existir +if [[ ! -f /home/$USER_NAME/.ssh/id_ed25519 ]]; then + echo "🚀 Replicando chave SSH privada..." + cat < /home/$USER_NAME/.ssh/id_ed25519 +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACA7022Ve09QNg3CELPHbj6psUsufcuLBwJqm7i8mWgWXAAAAJglHptaJR6b +WgAAAAtzc2gtZWQyNTUxOQAAACA7022Ve09QNg3CELPHbj6psUsufcuLBwJqm7i8mWgWXA +AAAEASb797x5GRsuKmM3DpBPiY8iPiyyPdrlnn9FmLTmn7BTvTbZV7T1A2DcIQs8duPqmx +Sy59y4sHAmqbuLyZaBZcAAAAEWRlcGxveUB2bWkyODQ5Njc0AQIDBA== +-----END OPENSSH PRIVATE KEY----- +EOF + chmod 600 /home/$USER_NAME/.ssh/id_ed25519 + chown -R $USER_NAME:$USER_NAME /home/$USER_NAME/.ssh +else + echo "⚠️ Chave SSH id_ed25519 já existe. Pulando criação." +fi + +su - $USER_NAME -c "[[ -f ~/.ssh/id_ed25519.pub ]] || ssh-keygen -y -f ~/.ssh/id_ed25519 > ~/.ssh/id_ed25519.pub" + +sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config +sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config +grep -q "^AllowUsers" /etc/ssh/sshd_config || echo "AllowUsers $USER_NAME" >> /etc/ssh/sshd_config + +# ========================= +# 4. FIREWALL (UFW) +# ========================= +echo "🚀 Configurando regras do Firewall (UFW)..." +ufw default deny incoming +ufw default allow outgoing +ufw allow 80/tcp +ufw allow 443/tcp +ufw allow 52830/udp # Porta local do WG neste Peer +ufw allow from $VPN_SUBNET + +# ========================= +# 5. CONFIGURAÇÃO WIREGUARD (PEER) +# ========================= +if [[ ! -f /etc/wireguard/wg0.conf ]]; then + echo "🚀 Criando configuração do WireGuard (Peer)..." + mkdir -p /etc/wireguard + cat < /etc/wireguard/wg0.conf +[Interface] +Address = $SERVER_VPN_IP/24 +PrivateKey = 8Ck983MKEOVnskrvglzSOxWzR1ybZjQldl5VY2vctWc= +ListenPort = 52830 + +[Peer] +PublicKey = $WG_SERVER_PUBKEY +AllowedIPs = $VPN_SUBNET +Endpoint = $WG_SERVER_ENDPOINT +PersistentKeepalive = 25 +EOF + chmod 600 /etc/wireguard/wg0.conf +else + echo "⚠️ Configuração do WireGuard (/etc/wireguard/wg0.conf) já existe. Pulando criação." +fi +systemctl enable wg-quick@wg0 || true + +# ========================= +# 6. SYSCTL HARDENING & NOEXEC +# ========================= +echo "🚀 Aplicando Hardening no Kernel..." +grep -q "net.ipv4.ip_unprivileged_port_start" /etc/sysctl.conf || cat >> /etc/sysctl.conf < $SOC_DIR/promtail/config.yml < /etc/apt/sources.list.d/falco.list +apt update && apt install -y falco + +mkdir -p /var/log +touch /var/log/falco.log +chmod 644 /var/log/falco.log +setfacl -R -m u:$USER_NAME:rx /var/log || true + +# Script para enviar alertas para o Hub Central via CrowdSec local (opcional) ou logs +cat > /usr/local/bin/falco-active-response.sh <<'EOF' +#!/bin/bash +LOG="/var/log/falco-response.log" +while read -r INPUT; do + echo "[$(date)] EVENTO LIDO: $INPUT" >> $LOG + PID=$(echo "$INPUT" | grep -oP 'pid=\K[0-9]+' | head -n1) + if [[ -n "$PID" ]]; then + kill -9 "$PID" 2>/dev/null + echo "[$(date)] PROCESSO MORTO PELO FALCO: $PID" >> $LOG + fi +done +EOF +chmod +x /usr/local/bin/falco-active-response.sh + +sed -i 's/^#file_output:/file_output:/g' /etc/falco/falco.yaml || true +grep -q "falco-active-response" /etc/falco/falco.yaml || cat >> /etc/falco/falco.yaml < /home/$USER_NAME/stack/soc/docker-compose.yml < AMBIENTE DE PRODUÇÃO (Runtime Puro, Traefik, Monitoramento SOC) +# 10.99.0.3 -> BANCO DE DADOS DE PRODUÇÃO DEDICADO (PostgreSQL Bare-metal Appliance) +# 10.99.0.4 -> AMBIENTE DE DESENVOLVIMENTO, HOMOLOGAÇÃO & BUILDER DEPLOYS (GitOps) +# ============================================================================== +# ⚠️ CAUTION: ESTE SCRIPT REPLICA AS CONFIGURAÇÕES DE SEGURANÇA DA VPS 1 (HUB). +# CERTIFIQUE-SE DE QUE A "PRIVATEKEY" DO WIREGUARD DA VPS 10.99.0.4 ESTEJA DISPONÍVEL. +# ============================================================================== +# V8 BUNKER EXTREMO FINAL SUPREMA (VERSÃO DESENVOLVIMENTO, HOMOLOGAÇÃO & BUILDER DEPLOYS 10.99.0.4) +# AGENTE DE MONITORAMENTO (MÉTRICAS E LOGS ENVIADOS PARA A VPS 1) +# ========================================================= +set -eo pipefail + +echo "🚀 INICIANDO V8 BUNKER EXTREMO FINAL SUPREMA NA VPS 4 (DESENVOLVIMENTO & BUILDER)..." + +# ========================= +# 1. VARIÁVEIS DA INFRA +# ========================= +USER_NAME="deploy" +PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMzqvHpWO69vdujhyeFaKmOssT5leqIUQsknJiFzHKlK rui@DESKTOP-K5Q17QK" +SERVER_VPN_IP="10.99.0.4" # IP desta VPS na WireGuard +SERVER_GATEWAY_IP="10.99.0.1" # IP da VPS 1 (Hub do Monitoramento) +VPN_SUBNET="10.99.0.0/24" +WG_SERVER_PUBKEY="jUWnuc+82vQ6kLMSI7W1i7hBRBgQKcaSZ8yJy56QSUw=" +WG_SERVER_ENDPOINT="158.220.109.237:51820" # IP Público da VPS 1 +DOMAIN_APP="wa.clube67.com" # Domínio sugerido para gestão do WhatsApp +EMAIL="ruibto@gmail.com" +VPS2_DEV_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKm085+8paXXj9AzUa00dhuB1IH2/Y4uTStU1zm2I7QZ deploy@vmi2797860" + +# ========================= +# 2. BASE & PACOTES +# ========================= +echo "🚀 Atualizando sistema e instalando pacotes base..." +apt update && apt upgrade -y +apt install -y curl ufw fail2ban auditd apparmor apparmor-utils \ + ca-certificates gnupg lsb-release htop jq acl wireguard + +systemctl enable auditd || true +systemctl enable fail2ban || true + +# ========================= +# 3. USUÁRIO + SSH HARDEN + SUDO (NOPASSWD) +# ========================= +echo "🚀 Criando usuário deploy e blindando SSH..." +id -u $USER_NAME &>/dev/null || adduser --disabled-password --gecos "" $USER_NAME +usermod -aG sudo,adm $USER_NAME + +echo "$USER_NAME ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/$USER_NAME +chmod 0440 /etc/sudoers.d/$USER_NAME + +mkdir -p /home/$USER_NAME/.ssh +echo "$PUBKEY" > /home/$USER_NAME/.ssh/authorized_keys +[[ -n "$VPS2_DEV_PUBKEY" ]] && grep -q "$VPS2_DEV_PUBKEY" /home/$USER_NAME/.ssh/authorized_keys || echo "$VPS2_DEV_PUBKEY" >> /home/$USER_NAME/.ssh/authorized_keys +chmod 700 /home/$USER_NAME/.ssh +chmod 600 /home/$USER_NAME/.ssh/authorized_keys + +# 👉 Proteção: Só cria a chave se ela não existir +if [[ ! -f /home/$USER_NAME/.ssh/id_ed25519 ]]; then + echo "🚀 Replicando chave SSH privada..." + cat < /home/$USER_NAME/.ssh/id_ed25519 +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACBwG0DcQ412wn2+/xm3K2AETCU4o4wao+T5aDMwkN53LgAAAJhUF47tVBeO +7QAAAAtzc2gtZWQyNTUxOQAAACBwG0DcQ412wn2+/xm3K2AETCU4o4wao+T5aDMwkN53Lg +AAAEAZh+6LoVaBZldCRv+wXl+L2gUJqm9x65rTGiTm7I/WTXAbQNxDjXbCfb7/GbcrYARM +JTijjBqj5PloMzCQ3ncuAAAAEWRlcGxveUB2bWkyODQ5Njc0AQIDBA== +-----END OPENSSH PRIVATE KEY----- +EOF + chmod 600 /home/$USER_NAME/.ssh/id_ed25519 + chown -R $USER_NAME:$USER_NAME /home/$USER_NAME/.ssh +fi + +su - $USER_NAME -c "[[ -f ~/.ssh/id_ed25519.pub ]] || ssh-keygen -y -f ~/.ssh/id_ed25519 > ~/.ssh/id_ed25519.pub" + +sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config +sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config +grep -q "^AllowUsers" /etc/ssh/sshd_config || echo "AllowUsers $USER_NAME" >> /etc/ssh/sshd_config + +# ========================= +# 4. FIREWALL (UFW) +# ========================= +echo "🚀 Configurando regras do Firewall (UFW)..." +ufw default deny incoming +ufw default allow outgoing +# O Baileys geralmente se comunica via portas variáveis, mas o container estará isolado. +# Expomos apenas o Dashboard/API se necessário (VPN ONLY). +ufw allow 80/tcp +ufw allow 443/tcp +ufw allow 52830/udp # Porta local do WG neste Peer +ufw allow from $VPN_SUBNET + +# ========================= +# 5. CONFIGURAÇÃO WIREGUARD (PEER) +# ========================= +if [[ ! -f /etc/wireguard/wg0.conf ]]; then + echo "🚀 Criando configuração do WireGuard (Peer)..." + mkdir -p /etc/wireguard + cat < /etc/wireguard/wg0.conf +[Interface] +Address = $SERVER_VPN_IP/24 +PrivateKey = [COLOQUE_A_PRIVATE_KEY_DA_VPS4_AQUI] +ListenPort = 52830 + +[Peer] +PublicKey = $WG_SERVER_PUBKEY +AllowedIPs = $VPN_SUBNET +Endpoint = $WG_SERVER_ENDPOINT +PersistentKeepalive = 25 +EOF + chmod 600 /etc/wireguard/wg0.conf +fi +systemctl enable wg-quick@wg0 || true + +# ========================= +# 6. SYSCTL HARDENING & NOEXEC +# ========================= +echo "🚀 Aplicando Hardening no Kernel..." +grep -q "net.ipv4.ip_unprivileged_port_start" /etc/sysctl.conf || cat >> /etc/sysctl.conf < $SOC_DIR/promtail/config.yml < /etc/apt/sources.list.d/falco.list +apt update && apt install -y falco + +mkdir -p /var/log +touch /var/log/falco.log +chmod 644 /var/log/falco.log +setfacl -R -m u:$USER_NAME:rx /var/log || true + +# Script para enviar alertas para o Hub Central +cat > /usr/local/bin/falco-active-response.sh <<'EOF' +#!/bin/bash +LOG="/var/log/falco-response.log" +while read -r INPUT; do + PID=$(echo "$INPUT" | grep -oP 'pid=\K[0-9]+' | head -n1) + if [[ -n "$PID" ]]; then + kill -9 "$PID" 2>/dev/null + echo "[$(date)] PROCESSO MORTO PELO FALCO NA VPS 4: $PID" >> $LOG + fi +done +EOF +chmod +x /usr/local/bin/falco-active-response.sh + +sed -i 's/^#file_output:/file_output:/g' /etc/falco/falco.yaml || true +grep -q "falco-active-response" /etc/falco/falco.yaml || cat >> /etc/falco/falco.yaml < /home/$USER_NAME/stack/soc/docker-compose.yml <