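#!/bin/bash
# Baseline hardening for a dnf-based Enterprise Linux host: installs EPEL and
# fail2ban, drops an sshd jail into jail.d, then replaces sshd_config with a
# key-only configuration (a backup of the pre-existing config is kept).
#
# Requirements: run as a user with sudo rights. An authorized_keys entry for
# the administrative account must already exist, because the new sshd_config
# disables password authentication.
#
# There is no `set -e`: each step logs success on completion and the script
# continues past failures, so read the log output rather than the exit code.

echo_rgb() {
  # Echo a colored string to the terminal using a 24-bit SGR escape sequence.
  #
  # Positional Arguments:
  #   message - The message to be printed to stdout
  #   red     - The red value from 0 to 255
  #   green   - The green value from 0 to 255
  #   blue    - The blue value from 0 to 255
  #
  # Usage:
  #   echo_rgb "Yep" 10 8 30
  #
  # POSIX Compliant:
  #   N/A (\e in the printf format is a bash extension)
  local input="${1}"
  local red="${2}"
  local green="${3}"
  local blue="${4}"
  # The message is passed through %s so it is never interpreted as a format.
  printf '\e[0;38;2;%s;%s;%sm%s\e[m\n' "${red}" "${green}" "${blue}" "${input}"
}

log() {
  # Print a timestamped, level-tagged message to stdout (INFO/WARN/DEBUG) or
  # stderr (ERROR). DEBUG messages are emitted only when the global DEBUG is
  # set to something other than 0.
  #
  # Arguments:
  #   level   - One of info, warn|warning, debug, error (case-insensitive)
  #   message - The message text
  #
  # Usage:
  #   log "info" "Could not find that directory"
  #
  # Returns:
  #   0 on success; 1 when an unknown level is passed, so `set -e` callers abort.
  #
  # POSIX Compliant:
  #   No (uses [[ ]] and ${var^^})

  # ${DEBUG:-0} stays safe under `set -u` and never word-splits, unlike the
  # unquoted `[ ${DEBUG} ]` test it replaces.
  local debug="${DEBUG:-0}"
  # Uppercase via bash 4 case conversion instead of an echo | tr subshell.
  local level="${1^^}"
  local message="${2}"
  local stamp
  stamp="[$(echo_rgb "$(date +%Y-%m-%dT%H:%M:%S)" 180 140 255)]"

  # Every caller-supplied string is a %s argument, never part of the format.
  case "${level}" in
    INFO)
      printf '%s[%s] %s\n' "${stamp}" "$(echo_rgb "INFO" 0 140 255)" "${message}"
      ;;
    WARN | WARNING)
      printf '%s[%s] %s\n' "${stamp}" "$(echo_rgb "WARNING" 255 255 0)" "${message}"
      ;;
    DEBUG)
      if [[ "${debug}" != 0 ]]; then
        printf '%s[%s] %s\n' "${stamp}" "$(echo_rgb "DEBUG" 0 160 110)" "${message}"
      fi
      ;;
    ERROR)
      # Errors go to stderr so they survive `script >log` redirection.
      printf '%s[%s] %s\n' "${stamp}" "$(echo_rgb "ERROR" 255 0 0)" "${message}" >&2
      ;;
    # Further log levels can be added by extending this case statement.
    *)
      # Unknown level: report it and return non-zero so `set -e` users notice.
      printf '%s[ERROR] %s\n' "${stamp}" \
        "Invalid log level passed, received level \"${level}\" with message \"${message}\"" >&2
      return 1
      ;;
  esac
  return 0
}

# --- Extra Packages for Enterprise Linux -------------------------------------
log "info" "Installing extra packages for enterprise linux if they are missing..."
sudo dnf install epel-release -y \
  && log "info" "Successfully installed extra packages for enterprise linux"

# --- Fail2ban ----------------------------------------------------------------
log "info" "Installing fail2ban..."
sudo dnf install fail2ban -y \
  && log "info" "Successfully installed fail2ban"

log "info" "Enabling and starting fail2ban"
sudo systemctl enable --now fail2ban \
  && log "info" "Successfully enabled and started fail2ban"

# Drop-in jail configuration; files in jail.d override jail.conf without
# editing the packaged file.
JAIL_D_PATH="/etc/fail2ban/jail.d/"
log "info" "Writing fail2ban local configurations to ${JAIL_D_PATH}"
log "info" "Writing SSHD Configuration"
# Quoted delimiter: the %(...)s interpolations belong to fail2ban, not the shell.
# NOTE(review): "15mm" looks like a typo for "15m"; fail2ban's time parser
# treats "mm" as minutes, so it should still mean 15 minutes — confirm with
# `fail2ban-client get sshd bantime` after the restart.
sudo tee "${JAIL_D_PATH}/sshd.local" << '__EOF__'
[sshd]
enabled = true
port = ssh
ignoreip = 127.0.0.1/8
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3
findtime = 1d
bantime = 15mm
usedns = warn
__EOF__
log "info" "Finished writing fail2ban local configurations to ${JAIL_D_PATH}"
sudo systemctl restart fail2ban \
  && log "info" "Restarted fail2ban"

# --- SSH ---------------------------------------------------------------------
log "info" "Installing SSHD configuration..."
SSHD_CONFIG_BACKUP_PATH="/etc/ssh/sshd_config.back"
# Back up only once: on a re-run the "backup" would otherwise be overwritten
# with the config this script itself wrote, losing the original.
if [[ -e "${SSHD_CONFIG_BACKUP_PATH}" ]]; then
  log "warn" "Backup ${SSHD_CONFIG_BACKUP_PATH} already exists, leaving it untouched"
else
  sudo cp /etc/ssh/sshd_config "${SSHD_CONFIG_BACKUP_PATH}" \
    && log "info" "Made a backup of sshd_config located at ${SSHD_CONFIG_BACKUP_PATH}"
fi

log "info" "Creating SSH banner..."
# Shown by sshd before authentication (Banner directive below).
sudo tee /etc/ssh/banner << '__EOF__'
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Orion Technologies - Security Notice                    ┃
┃ ------------------------------------                    ┃
┃ The following source file(s) contains confidential,     ┃
┃ proprietary information. Unauthorized use is strictly   ┃
┃ prohibited. No portions may be copied, reproduced,      ┃
┃ or incorporated outside of this domain without          ┃
┃ Price Hiller's prior written consent.                   ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
__EOF__
log "info" "Created SSH banner"

log "info" "Writing new SSHD configuration..."
# This replaces the distro-shipped sshd_config wholesale, including any
# Include directive for sshd_config.d that newer EL releases ship — confirm
# nothing required lives there before relying on this file alone.
# PasswordAuthentication no + PubkeyAuthentication yes makes access key-only;
# the admin account needs a working authorized_keys entry beforehand.
# NOTE(review): PermitRootLogin yes still permits direct root login with a key;
# "prohibit-password" (or "no") is the usual hardening choice and also holds
# if password authentication is ever re-enabled.
# NOTE(review): UsePrivilegeSeparation is a deprecated no-op in current OpenSSH
# and only produces a startup warning; it can presumably be dropped.
# Quoted delimiter: nothing here should be expanded by the shell.
sudo tee /etc/ssh/sshd_config << '__EOF__'
UsePAM yes
UsePrivilegeSeparation yes
X11Forwarding yes
PermitRootLogin yes
LogLevel VERBOSE
SyslogFacility AUTH
AllowAgentForwarding yes
AllowTcpForwarding yes
PrintMotd no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Banner /etc/ssh/banner
AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp /usr/libexec/openssh/sftp-server
Compression delayed
__EOF__
log "info" "Wrote new SSHD configuration"

# Validate before restarting: restarting sshd on a broken config would leave
# the host without a working SSH daemon (remote lockout).
if sudo sshd -t; then
  sudo systemctl restart sshd.service \
    && log "info" "Restarted SSHD"
else
  log "error" "New sshd_config failed validation (sshd -t); sshd was NOT restarted. Previous config is at ${SSHD_CONFIG_BACKUP_PATH}"
fi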