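#!/bin/bash
# ═══════════════════════════════════════════════════════════════
# HOOK 0165: Alfred Linux — Network Hardening
#
# Defense-in-depth at the network layer. What this hook actually writes:
#   - NetworkManager MAC randomization defaults (WiFi + Ethernet)
#   - nftables default-deny baseline, persisted in /etc/nftables.conf
#   - TCP wrapper defaults (hosts.allow / hosts.deny, if present)
#   - Anti-scan / anti-spoof sysctl tuning
#   - Wireless security defaults (WPS off, 5GHz preference)
#   - Additional sshd hardening drop-in
#   - alfred-network-status reporting tool
#
# BUILD: v4.0+ (RC8+)
#
# Must run as root. Package installation and unit enablement are
# best-effort (presumably so the hook also works inside an image-build
# chroot — confirm). Nothing is applied to the running kernel or
# services here; the written files take effect at boot / service start.
# ═══════════════════════════════════════════════════════════════
set -euo pipefail

# TCP port opened for SSH by the nftables baseline. sshd is left on its
# default port below, so only override this if Port is changed elsewhere.
readonly SSH_PORT="${ALFRED_SSH_PORT:-22}"

die()  { printf '[0165] error: %s\n' "$*" >&2; exit 1; }
warn() { printf '[0165] warn: %s\n' "$*" >&2; }
# Progress line in the hook's "[NET-NN] message" format.
step() { printf '[NET-%02d] %s\n' "$1" "$2"; }

#######################################
# Append a line to a file unless a matching, non-comment entry exists.
# Arguments: $1 - file (silently skipped if it does not exist)
#            $2 - ERE identifying an existing entry (anchored, so commented
#                 examples such as "# ALL: ALL" do not count)
#            $3 - line to append
#######################################
append_line_once() {
  local file=$1 pattern=$2 line=$3
  [[ -f "$file" ]] || return 0
  if grep -qE -- "$pattern" "$file"; then
    return 0
  fi
  # Don't glue our entry onto a final line that lacks its newline.
  if [[ -s "$file" && -n "$(tail -c1 -- "$file")" ]]; then
    printf '\n' >> "$file"
  fi
  printf '%s\n' "$line" >> "$file"
}

print_banner() {
  printf '%s\n' \
    "╔═══════════════════════════════════════════════════════════╗" \
    "║   [0165] Alfred Linux — Network Hardening                 ║" \
    "╚═══════════════════════════════════════════════════════════╝"
}

#######################################
# 1. MAC ADDRESS RANDOMIZATION — NetworkManager drop-in.
#######################################
configure_mac_randomization() {
  step 1 "Configuring MAC address randomization..."
  mkdir -p /etc/NetworkManager/conf.d/
  cat > /etc/NetworkManager/conf.d/99-alfred-privacy.conf << 'NMRANDOM'
[device]
# Use a random MAC while scanning, before any connection is made
wifi.scan-rand-mac-address=yes

[connection]
# Fresh random MAC for every connection ("stable" would give a per-network one)
wifi.cloned-mac-address=random
ethernet.cloned-mac-address=random

[connectivity]
# Empty URI disables NetworkManager's periodic connectivity probe
uri=
NMRANDOM
}

#######################################
# 2. NFTABLES BASELINE RULES — default-deny input, persisted for boot.
# Globals: SSH_PORT (read)
#######################################
install_nftables_baseline() {
  step 2 "Installing nftables baseline firewall rules..."
  # Best-effort install (no network in some build environments); warn
  # rather than abort so the rest of the hook still runs.
  apt-get install -y --no-install-recommends nftables 2>/dev/null || true
  command -v nft >/dev/null 2>&1 \
    || warn "nft not found after install; /etc/nftables.conf is written but will not load"

  # Unquoted heredoc so ${SSH_PORT} expands; the nft syntax below contains
  # no other $, backtick or backslash.
  cat > /etc/nftables.conf << NFTABLES
#!/usr/sbin/nft -f
flush ruleset
table inet alfred_firewall {
  chain input {
    type filter hook input priority 0; policy drop;

    # Allow loopback
    iifname "lo" accept

    # Drop what conntrack cannot classify (malformed or out-of-window packets)
    ct state invalid drop

    # Allow established/related connections
    ct state established,related accept

    # Allow ICMP echo (ping), rate-limited; ICMPv6 stays open (needed for NDP)
    ip protocol icmp icmp type echo-request limit rate 5/second accept
    ip6 nexthdr ipv6-icmp accept

    # Allow SSH, rate-limiting new connections
    tcp dport ${SSH_PORT} ct state new limit rate 15/minute accept

    # Log and drop everything else
    log prefix "[ALFRED-FW-DROP] " flags all counter drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
NFTABLES
  # Only root needs to read it (nft -f runs as root).
  chmod 600 /etc/nftables.conf
  systemctl enable nftables 2>/dev/null || true
}

#######################################
# 3. TCP WRAPPER DEFAULTS — only touches files that already exist.
#######################################
configure_tcp_wrappers() {
  step 3 "Configuring TCP wrappers..."
  # NOTE(review): upstream OpenSSH removed libwrap support in 6.7, so on
  # current builds these files do not gate sshd (distribution patches may
  # differ) — the nftables rules above are the effective SSH control. The
  # entries still apply to any other libwrap-aware service.
  append_line_once /etc/hosts.deny  '^[[:space:]]*ALL:[[:space:]]*ALL'  'ALL: ALL'
  append_line_once /etc/hosts.allow '^[[:space:]]*sshd:[[:space:]]*ALL' 'sshd: ALL'
}

#######################################
# 4. PORT SCAN DEFENSE — sysctl.d drop-in, applied by systemd-sysctl at boot.
#######################################
configure_antiscan_sysctl() {
  step 4 "Configuring port scan defense..."
  cat > /etc/sysctl.d/98-alfred-antiscan.conf << 'ANTISCAN'
# Alfred Linux — anti-scan / anti-spoof kernel tuning

# Disable TCP ECN negotiation (ECN behaviour is one OS-fingerprinting signal)
net.ipv4.tcp_ecn = 0

# Reclaim half-closed (FIN-WAIT-2) sockets sooner
net.ipv4.tcp_fin_timeout = 10

# Don't respond to broadcast pings (amplification target)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# SYN cookies keep the listen queue usable under SYN floods
net.ipv4.tcp_syncookies = 1

# Strict reverse-path filtering: drop packets whose source address is not
# routable back out the interface they arrived on (anti-spoofing)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP redirects and never send them (this host is not a router)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Refuse source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
ANTISCAN
}

#######################################
# 5. WIRELESS SECURITY — NetworkManager drop-in.
#######################################
harden_wireless_defaults() {
  step 5 "Hardening wireless defaults..."
  mkdir -p /etc/NetworkManager/conf.d/
  # NOTE(review): "band-preference" under [wifi] is not a NetworkManager.conf
  # key this reviewer can confirm; the documented per-connection property is
  # wifi.band. Verify this file has the intended effect before relying on it.
  cat > /etc/NetworkManager/conf.d/99-alfred-wifi-security.conf << 'WIFISEC'
[connection]
# Disable WPS by default — a well-known weak point in Wi-Fi onboarding
wifi-sec.wps-method=disabled

[wifi]
# Prefer 5GHz band to reduce range-based attacks
band-preference=a
WIFISEC
}

#######################################
# 6. SSH ADDITIONAL HARDENING — sshd_config.d drop-in.
# Relies on sshd_config containing "Include /etc/ssh/sshd_config.d/*.conf"
# (shipped by Debian-based releases since bullseye — confirm for this build).
#######################################
harden_sshd() {
  step 6 "Applying additional SSH hardening..."
  mkdir -p /etc/ssh/sshd_config.d/
  cat > /etc/ssh/sshd_config.d/alfred-hardening.conf << 'SSHHARDEN'
# Alfred Linux — SSH Hardening

# No-op on current OpenSSH (SSHv1 is gone); kept for older builds
Protocol 2
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 30
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no
PermitEmptyPasswords no
ClientAliveInterval 300
ClientAliveCountMax 2
MaxSessions 3
PermitUserEnvironment no
Banner /etc/issue.net
DebianBanner no

# Strong ciphers only. The sntrup761x25519 KEX needs OpenSSH 8.5 or newer;
# an unknown algorithm name makes sshd refuse to start.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256@libssh.org,curve25519-sha256,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
SSHHARDEN
  # Syntax-check when possible. Inside a build chroot this can fail simply
  # because host keys do not exist yet, so it is a warning, not an error.
  if command -v sshd >/dev/null 2>&1 && ! sshd -t 2>/dev/null; then
    warn "sshd -t rejected the configuration (missing host keys in a build chroot, or an unsupported directive)"
  fi
}

#######################################
# 7. NETWORK MONITORING TOOL — read-only status reporter.
#######################################
install_network_status_tool() {
  step 7 "Installing network monitor tool..."
  cat > /usr/local/bin/alfred-network-status << 'NETSTATUS'
#!/bin/bash
# alfred-network-status — summarise the network-security posture this host
# was built with. Read-only. Run as root for complete output: nft needs
# privileges to list the ruleset and ss to show socket owners.

section() { printf '\n── %s ──\n' "$1"; }

echo ""
echo "╔════════════════════════════════════════════════════╗"
echo "║   Alfred Linux — Network Security Status           ║"
echo "╚════════════════════════════════════════════════════╝"

section "Firewall"
if command -v nft >/dev/null 2>&1; then
  # Count accept/drop/reject lines in the live ruleset. grep -c prints 0
  # (and exits 1) for no matches, so an empty or unreadable ruleset is
  # reported as "not loaded" instead of claiming the firewall is active.
  rules=$(nft list ruleset 2>/dev/null | grep -cE 'accept|drop|reject' || true)
  if [ "${rules:-0}" -gt 0 ]; then
    echo "  nftables: ruleset loaded (${rules} accept/drop/reject lines)"
  else
    echo "  nftables: installed, no ruleset loaded (or not readable as this user)"
  fi
else
  echo "  nftables: not installed"
fi
ufw status 2>/dev/null | head -3 | sed 's/^/  /' || true

section "Listening Services"
ss -tlnp 2>/dev/null | awk '/LISTEN/ { print "  " $4 " → " $6 }' | head -10

section "MAC Randomization"
nm_rand=$(grep -m1 -- 'cloned-mac-address' /etc/NetworkManager/conf.d/99-alfred-privacy.conf 2>/dev/null || true)
echo "  ${nm_rand:-not configured}"

section "SSH Ciphers"
# Default only when the file was unreadable and grep printed nothing;
# a count of 0 is already printed by grep -c.
ciphers=$(grep -cE '^(Ciphers|MACs|KexAlgorithms)' /etc/ssh/sshd_config.d/alfred-hardening.conf 2>/dev/null || true)
echo "  Hardened cipher config: ${ciphers:-0} directives"

section "Fail2ban"
# Branch on grep's status: a trailing "|| echo" after sed would never fire,
# because sed exits 0 even when fail2ban-client is absent.
if jails=$(fail2ban-client status 2>/dev/null | grep 'jail list'); then
  printf '%s\n' "$jails" | sed 's/^/  /'
else
  echo "  not running"
fi
echo ""
NETSTATUS
  chmod +x /usr/local/bin/alfred-network-status
}

print_summary() {
  printf '%s\n' \
    "╔═══════════════════════════════════════════════════════════╗" \
    "║   [0165] Network Hardening — COMPLETE                     ║" \
    "║   ✓ MAC randomization (WiFi + Ethernet)                   ║" \
    "║   ✓ nftables default-deny firewall                        ║" \
    "║   ✓ TCP wrappers (default deny)                           ║" \
    "║   ✓ Port scan defense (sysctl tuning)                     ║" \
    "║   ✓ Wireless security (WPS disabled, 5GHz pref)           ║" \
    "║   ✓ SSH: strong ciphers only, no forwarding               ║" \
    "║   ✓ alfred-network-status monitoring tool                 ║" \
    "╚═══════════════════════════════════════════════════════════╝"
}

main() {
  (( EUID == 0 )) || die "must run as root"
  print_banner
  configure_mac_randomization
  install_nftables_baseline
  configure_tcp_wrappers
  configure_antiscan_sysctl
  harden_wireless_defaults
  harden_sshd
  install_network_status_tool
  print_summary
}

main "$@"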