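#!/bin/bash
#
# Port-hardening helper for a Fedora host.
#
# Steps, in order: enable firewalld with the "public" zone and allow SSH,
# stop running Docker containers, disable the Docker unit, disable a few
# network-facing services, terminate listening Node processes, terminate
# processes listening on every interface (sshd excluded), turn IPv4
# forwarding off, and print the remaining listeners.
#
# Requirements: bash 4+, sudo rights for systemctl / firewall-cmd / sysctl,
# and ss from iproute2.
#
# Scope notes for whoever runs or reviews this:
#   * ss and kill are invoked WITHOUT sudo, so the two "kill" steps only see
#     and signal processes the invoking user owns (ss -p hides owners of
#     other users' sockets). Run as root, step 6 reaches every wildcard
#     listener on the machine.
#   * Killing a process does not persist: anything managed by systemd with a
#     restart policy or a .socket unit can come back. The firewall is the
#     control that actually survives.

# Fail loudly on typos in variable names. 'set -e' is deliberately not used:
# most steps below are best-effort and must not abort the run.
set -u

#######################################
# Print the PIDs (one per line, unique) that own TCP sockets in LISTEN state.
# Arguments:
#   $1 - "node":     owners whose process name is exactly "node", any address
#        "wildcard": owners of sockets bound to all interfaces
#                    (0.0.0.0, [::] or *), lines mentioning sshd excluded
# Outputs:
#   PIDs on stdout; nothing when ss shows no owner information.
#######################################
listening_pids() {
  local mode=$1
  ss -tulnp 2>/dev/null | awk -v mode="$mode" '
    {
      # Locate the state column instead of hard-coding a field number, so
      # the parse works whether or not ss prints the leading Netid column.
      # Layout after State: Recv-Q, Send-Q, Local Address:Port, Peer, Process.
      local_addr = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "LISTEN") { local_addr = $(i + 3); break }
      }
      if (local_addr == "") next

      if (mode == "node") {
        # Match the quoted process name, not any line containing "node".
        if ($0 !~ /"node",pid=/) next
      } else {
        # Test the LOCAL address only. The peer column of every IPv4
        # listener reads 0.0.0.0:*, so matching "0.0.0.0" on the whole line
        # also selects loopback-only listeners. IPv6 and dual-stack
        # wildcard binds are shown as [::] and *.
        if (local_addr !~ /^(0\.0\.0\.0|\[::\]|\*)(%[^:]*)?:/) next
        # Keep the broad sshd exclusion so the remote session survives.
        if ($0 ~ /sshd/) next
      }

      # A socket shared by several processes lists several pid= entries.
      rest = $0
      while (match(rest, /pid=[0-9]+/)) {
        print substr(rest, RSTART + 4, RLENGTH - 4)
        rest = substr(rest, RSTART + RLENGTH)
      }
    }' | sort -un
}

#######################################
# Stop one process: SIGTERM first, SIGKILL only if it is still there ~1s later.
# Arguments:
#   $1 - PID
#   $2 - message prefix printed before the PID
# Returns:
#   0 always (best-effort, like the rest of the script).
#######################################
terminate_pid() {
  local pid=$1 label=$2 attempt

  # Only act on a plain decimal PID; never signal init (socket-activated
  # services show PID 1 as the listener) or this script itself.
  [[ "$pid" =~ ^[0-9]+$ ]] || return 0
  if ((pid <= 1 || pid == $$)); then
    return 0
  fi

  echo "$label $pid"
  # Not permitted / already gone: nothing more to do.
  kill -TERM "$pid" 2>/dev/null || return 0

  for attempt in 1 2 3 4 5; do
    kill -0 "$pid" 2>/dev/null || return 0
    sleep 0.2
  done
  kill -KILL "$pid" 2>/dev/null
  return 0
}

main() {
  local -a running=()
  local unit pid

  echo "=== 🔥 HARDENING PORTS FEDORA ==="

  # 1. Firewall on. Nothing is reset here: permanent rules that already
  #    exist in the zone (other services, ports, rich rules) are kept.
  #    Review them with 'firewall-cmd --list-all'.
  echo "[+] Configuration firewall..."
  sudo systemctl enable --now firewalld
  sudo firewall-cmd --set-default-zone=public
  sudo firewall-cmd --permanent --add-service=ssh
  sudo firewall-cmd --reload

  # 2. Stop running Docker containers (frees their published ports).
  echo "[+] Arrêt des containers Docker..."
  if command -v docker &>/dev/null; then
    mapfile -t running < <(docker ps -q 2>/dev/null)
    # 'docker stop' with no container ID is an error; skip when none run.
    if ((${#running[@]} > 0)); then
      docker stop "${running[@]}" 2>/dev/null
    fi
  fi

  # 3. Disable Docker at boot (optional). NOTE(review): where a
  #    docker.socket unit is installed and enabled, socket activation can
  #    start the daemon again; confirm with 'systemctl status docker.socket'.
  echo "[+] Désactivation Docker au boot..."
  sudo systemctl disable docker --now

  # 4. Disable network services that are not needed. Errors are silenced on
  #    purpose because a unit may simply not be installed; the same
  #    redirection also hides a sudo or systemctl failure.
  echo "[+] Désactivation services inutiles..."
  for unit in wsdd avahi-daemon cups passim; do
    sudo systemctl disable --now "$unit" 2>/dev/null
  done

  # 5. Terminate listening Node servers. No address filter is applied, so
  #    loopback-only Node listeners are included as well.
  echo "[+] Nettoyage des serveurs Node exposés..."
  while IFS= read -r pid; do
    terminate_pid "$pid" "Killing Node PID"
  done < <(listening_pids node)

  # 6. Terminate whatever listens on all interfaces, sshd excluded.
  echo "[+] Fermeture des ports publics suspects..."
  while IFS= read -r pid; do
    terminate_pid "$pid" "Killing PID"
  done < <(listening_pids wildcard)

  # 7. Disable IPv4 forwarding. 'sysctl -w' changes the running kernel only;
  #    the value is lost at reboot unless it is also set in a sysctl.d
  #    drop-in. IPv6 forwarding (net.ipv6.conf.all.forwarding) is untouched.
  echo "[+] Désactivation IP forwarding..."
  sudo sysctl -w net.ipv4.ip_forward=0

  # 8. Summary of what is still listening.
  echo ""
  echo "=== ✅ ETAT FINAL ==="
  ss -tulnp | grep LISTEN
  echo ""
  echo "🔥 Nettoyage terminé"
}

main "$@"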