From 58c2ceb3556f17121843e0e685997a3bd2557212 Mon Sep 17 00:00:00 2001
From: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com>
Date: Sun, 15 Dec 2024 21:13:37 -0600
Subject: [PATCH] feat: add security audit

---
 .../settings/servers/security-setup.tsx       | 161 +++++++++++++-----
 apps/dokploy/server/api/routers/server.ts     |  34 +++-
 packages/server/src/index.ts                  |   1 +
 packages/server/src/setup/server-audit.ts     |  12 +-
 packages/server/src/setup/server-security.ts  |  26 +++
 5 files changed, 182 insertions(+), 52 deletions(-)

diff --git a/apps/dokploy/components/dashboard/settings/servers/security-setup.tsx b/apps/dokploy/components/dashboard/settings/servers/security-setup.tsx
index 5026892e..c908a01a 100644
--- a/apps/dokploy/components/dashboard/settings/servers/security-setup.tsx
+++ b/apps/dokploy/components/dashboard/settings/servers/security-setup.tsx
@@ -8,7 +8,7 @@ import {
 	CardTitle,
 } from "@/components/ui/card";
 import { api } from "@/utils/api";
-import { Loader2, PcCase, RefreshCw } from "lucide-react";
+import { Loader2, LockKeyhole, PcCase, RefreshCw } from "lucide-react";
 import { useState } from "react";
 import { StatusRow } from "./gpu-support";
 
@@ -34,7 +34,7 @@ export const SecuritySetup = ({ serverId }: Props) => {
 						<div className="flex flex-row gap-2 justify-between w-full  max-sm:flex-col">
 							<div className="flex flex-col gap-1">
 								<div className="flex items-center gap-2">
-									<PcCase className="size-5" />
+									<LockKeyhole className="size-5" />
 									<CardTitle className="text-xl">
 										Setup Security Sugestions
 									</CardTitle>
@@ -42,11 +42,11 @@ export const SecuritySetup = ({ serverId }: Props) => {
 								<CardDescription>Check the security sugestions</CardDescription>
 							</div>
 							<Button
-								// isLoading={isRefreshing}
+								isLoading={isRefreshing}
 								onClick={async () => {
-									// setIsRefreshing(true);
+									setIsRefreshing(true);
 									await refetch();
-									// setIsRefreshing(false);
+									setIsRefreshing(false);
 								}}
 							>
 								<RefreshCw className="size-4" />
@@ -71,72 +71,149 @@ export const SecuritySetup = ({ serverId }: Props) => {
 						) : (
 							<div className="grid w-full gap-4">
 								<div className="border rounded-lg p-4">
-									<h3 className="text-lg font-semibold mb-1">Status</h3>
+									<h3 className="text-lg font-semibold mb-1">UFW</h3>
 									<p className="text-sm text-muted-foreground mb-4">
-										Shows the server configuration status
+										UFW (Uncomplicated Firewall) is a simple firewall that can
+										be used to block incoming and outgoing traffic from your
+										server.
 									</p>
 									<div className="grid gap-2.5">
 										<StatusRow
-											label="Docker Installed"
-											isEnabled={data?.docker?.enabled}
+											label="UFW Installed"
+											isEnabled={data?.ufw?.installed}
 											description={
-												data?.docker?.enabled
-													? `Installed: ${data?.docker?.version}`
-													: undefined
+												data?.ufw?.installed 
+													? "Installed (Recommended)" 
+													: "Not Installed (UFW should be installed for security)"
 											}
 										/>
 										<StatusRow
-											label="RClone Installed"
-											isEnabled={data?.rclone?.enabled}
+											label="Status"
+											isEnabled={data?.ufw?.active}
 											description={
-												data?.rclone?.enabled
-													? `Installed: ${data?.rclone?.version}`
-													: undefined
+												data?.ufw?.active 
+													? "Active (Recommended)" 
+													: "Not Active (UFW should be enabled for security)"
 											}
 										/>
 										<StatusRow
-											label="Nixpacks Installed"
-											isEnabled={data?.nixpacks?.enabled}
+											label="Default Incoming"
+											isEnabled={data?.ufw?.defaultIncoming === "deny"}
 											description={
-												data?.nixpacks?.enabled
-													? `Installed: ${data?.nixpacks?.version}`
-													: undefined
+												data?.ufw?.defaultIncoming === "deny"
+													? "Default: Deny (Recommended)"
+													: `Default: ${data?.ufw?.defaultIncoming} (Should be set to 'deny' for security)`
+											}
+										/>
+									</div>
+								</div>
+
+								<div className="border rounded-lg p-4">
+									<h3 className="text-lg font-semibold mb-1">SSH</h3>
+									<p className="text-sm text-muted-foreground mb-4">
+										SSH (Secure Shell) is a protocol that allows you to securely
+										connect to a server and execute commands on it.
+									</p>
+									<div className="grid gap-2.5">
+										<StatusRow
+											label="Enabled"
+											isEnabled={data?.ssh.enabled}
+											description={
+												data?.ssh.enabled ? "Enabled" : "Not Enabled (SSH should be enabled)"
 											}
 										/>
 										<StatusRow
-											label="Buildpacks Installed"
-											isEnabled={data?.buildpacks?.enabled}
+											label="Key Auth"
+											isEnabled={data?.ssh.keyAuth}
 											description={
-												data?.buildpacks?.enabled
-													? `Installed: ${data?.buildpacks?.version}`
-													: undefined
+												data?.ssh.keyAuth
+													? "Enabled (Recommended)"
+													: "Not Enabled (Key Authentication should be enabled)"
 											}
 										/>
 										<StatusRow
-											label="Docker Swarm Initialized"
-											isEnabled={data?.isSwarmInstalled}
+											label="Password Auth"
+											isEnabled={data?.ssh.passwordAuth === "no"}
 											description={
-												data?.isSwarmInstalled
-													? "Initialized"
-													: "Not Initialized"
+												data?.ssh.passwordAuth === "no"
+													? "Disabled (Recommended)"
+													: "Enabled (Password Authentication should be disabled)"
 											}
 										/>
 										<StatusRow
-											label="Dokploy Network Created"
-											isEnabled={data?.isDokployNetworkInstalled}
+											label="Permit Root Login"
+											isEnabled={data?.ssh.permitRootLogin === "no"}
 											description={
-												data?.isDokployNetworkInstalled
-													? "Created"
-													: "Not Created"
+												data?.ssh.permitRootLogin === "no"
+													? "Disabled (Recommended)"
+													: `Enabled: ${data?.ssh.permitRootLogin} (Root Login should be disabled)`
 											}
 										/>
 										<StatusRow
-											label="Main Directory Created"
-											isEnabled={data?.isMainDirectoryInstalled}
+											label="Use PAM"
+											isEnabled={data?.ssh.usePam === "no"}
 											description={
-												data?.isMainDirectoryInstalled
-													? "Created"
-													: "Not Created"
+												data?.ssh.usePam === "no"
+													? "Disabled (Recommended for key-based auth)"
+													: "Enabled (Should be disabled when using key-based auth)"
+											}
+										/>
+									</div>
+								</div>
+
+								<div className="border rounded-lg p-4">
+									<h3 className="text-lg font-semibold mb-1">Fail2Ban</h3>
+									<p className="text-sm text-muted-foreground mb-4">
+										Fail2Ban (Fail2Ban) is a service that can be used to prevent
+										brute force attacks on your server.
+									</p>
+									<div className="grid gap-2.5">
+										<StatusRow
+											label="Installed"
+											isEnabled={data?.fail2ban.installed}
+											description={
+												data?.fail2ban.installed 
+													? "Installed (Recommended)" 
+													: "Not Installed (Fail2Ban should be installed for protection against brute force attacks)"
+											}
+										/>
+
+										<StatusRow
+											label="Enabled"
+											isEnabled={data?.fail2ban.enabled}
+											description={
+												data?.fail2ban.enabled 
+													? "Enabled (Recommended)" 
+													: "Not Enabled (Fail2Ban service should be enabled)"
+											}
+										/>
+										<StatusRow
+											label="Active"
+											isEnabled={data?.fail2ban.active}
+											description={
+												data?.fail2ban.active 
+													? "Active (Recommended)" 
+													: "Not Active (Fail2Ban service should be running)"
+											}
+										/>
+
+										<StatusRow
+											label="SSH Protection"
+											isEnabled={data?.fail2ban.sshEnabled === "true"}
+											description={
+												data?.fail2ban.sshEnabled === "true"
+													? "Enabled (Recommended)"
+													: "Not Enabled (SSH protection should be enabled to prevent brute force attacks)"
+											}
+										/>
+
+										<StatusRow
+											label="SSH Mode"
+											isEnabled={data?.fail2ban.sshMode === "aggressive"}
+											description={
+												data?.fail2ban.sshMode === "aggressive"
+													? "Aggressive Mode (Recommended)"
+													: `Mode: ${data?.fail2ban.sshMode || "Not Set"} (Aggressive mode recommended for better protection)`
 											}
 										/>
 									</div>
diff --git a/apps/dokploy/server/api/routers/server.ts b/apps/dokploy/server/api/routers/server.ts
index 725fbbaa..51212fc2 100644
--- a/apps/dokploy/server/api/routers/server.ts
+++ b/apps/dokploy/server/api/routers/server.ts
@@ -26,6 +26,7 @@ import {
 	getPublicIpWithFallback,
 	haveActiveServices,
 	removeDeploymentsByServerId,
+	serverAudit,
 	serverSecurity,
 	serverSetup,
 	serverValidate,
@@ -179,11 +180,36 @@ export const serverRouter = createTRPCRouter({
 						message: "You are not authorized to validate this server",
 					});
 				}
-				const response = await serverSecurity(input.serverId);
-				return {} as unknown as {
-					docker: {
+				const response = await serverAudit(input.serverId);
+				console.log(response);
+				return response as unknown as {
+					ufw: {
+						installed: boolean;
+						active: boolean;
+						defaultIncoming: string;
+					};
+					ssh: {
 						enabled: boolean;
-						version: string;
+						keyAuth: boolean;
+						permitRootLogin: string;
+						passwordAuth: string;
+						usePam: string;
+					};
+					nonRootUser: {
+						hasValidSudoUser: boolean;
+					};
+					unattendedUpgrades: {
+						installed: boolean;
+						active: boolean;
+						updateEnabled: number;
+						upgradeEnabled: number;
+					};
+					fail2ban: {
+						installed: boolean;
+						enabled: boolean;
+						active: boolean;
+						sshEnabled: string;
+						sshMode: string;
 					};
 				};
 			} catch (error) {
diff --git a/packages/server/src/index.ts b/packages/server/src/index.ts
index 8f2b8f76..36028993 100644
--- a/packages/server/src/index.ts
+++ b/packages/server/src/index.ts
@@ -43,6 +43,7 @@ export * from "./setup/server-security";
 export * from "./setup/setup";
 export * from "./setup/traefik-setup";
 export * from "./setup/server-validate";
+export * from "./setup/server-audit";
 
 export * from "./utils/backups/index";
 export * from "./utils/backups/mariadb";
diff --git a/packages/server/src/setup/server-audit.ts b/packages/server/src/setup/server-audit.ts
index c3da6887..3bb894d5 100644
--- a/packages/server/src/setup/server-audit.ts
+++ b/packages/server/src/setup/server-audit.ts
@@ -26,18 +26,18 @@ const validateSsh = () => `
 `;
 
 const validateNonRootUser = () => `
-  sudoUsers=$(grep -Po '^sudo:.*:\\K.*$' /etc/group | tr ',' '\\n' | grep -v root)
-  adminUsers=$(grep -Po '^admin:.*:\\K.*$' /etc/group | tr ',' '\\n' | grep -v root)
-  privilegedUsers=$(echo -e "${sudoUsers}\\n${adminUsers}" | sort -u | grep -v '^$')
+  sudoUsers=\$(grep -Po '^sudo:.*:\\K.*$' /etc/group | tr ',' '\\n' | grep -v root)
+  adminUsers=\$(grep -Po '^admin:.*:\\K.*$' /etc/group | tr ',' '\\n' | grep -v root)
+  privilegedUsers=\$(echo -e "\${sudoUsers}\\n\${adminUsers}" | sort -u | grep -v '^$')
   validUserFound=false
 
   while IFS= read -r user; do
-    userShell=$(getent passwd "$user" | cut -d: -f7)
-    if [[ "$userShell" != "/usr/sbin/nologin" && "$userShell" != "/bin/false" ]]; then
+    userShell=\$(getent passwd "\$user" | cut -d: -f7)
+    if [[ "\$userShell" != "/usr/sbin/nologin" && "\$userShell" != "/bin/false" ]]; then
       validUserFound=true
       break
     fi
-  done <<< "$privilegedUsers"
+  done <<< "\$privilegedUsers"
 
   echo "{\\"hasValidSudoUser\\": $validUserFound}"
 `;
diff --git a/packages/server/src/setup/server-security.ts b/packages/server/src/setup/server-security.ts
index 5e4bc499..718efe9a 100644
--- a/packages/server/src/setup/server-security.ts
+++ b/packages/server/src/setup/server-security.ts
@@ -89,6 +89,32 @@ export const serverSecurity = async (serverId: string) => {
             fi
           }
 
+		  check_dependencies() {
+			echo -e "Checking required dependencies..."
+			
+			local required_commands=("curl" "jq" "systemctl" "apt-get")
+			local missing_commands=()
+
+			for cmd in "\${required_commands[@]}"; do
+				if ! command -v "\$cmd" >/dev/null 2>&1; then
+					missing_commands+=("\$cmd")
+				fi
+			done
+
+		if [ \${#missing_commands[@]} -ne 0 ]; then
+				echo -e "\${RED}The following required commands are missing:\${NC}"
+				for cmd in "\${missing_commands[@]}"; do
+					echo "  - \$cmd"
+				done
+				echo
+				echo -e "\${YELLOW}Please install these commands before running this script.\${NC}"
+				exit 1
+		fi
+
+			echo -e "All required dependencies are installed\n"
+			return 0
+		}
+
 
           os=$(check_os)