#!/bin/bash

  

################################################################################

# 服务器自动化加固脚本

# 作者: Mercas

# 日期: 2025-11-09

# 说明: 本脚本用于自动化加固Ubuntu 22.04服务器安全配置

# 版本: v1.4 (多选项菜单版 - 简化交互流程)

# 新增功能:

# - 全菜单式操作界面

# - 模块化选择加固项目

# - 预设配置选项

# - 一键快速加固

################################################################################

  

# 终端类型兼容性处理

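# Terminal compatibility. The log_* helpers are defined further down the file,
# so this early block can only report through stderr (calling log_info here
# used to fail with "command not found").
if [[ "$TERM" == "xterm-kitty" ]]; then
  export TERM=xterm-color
  printf '[INFO] 检测到xterm-kitty终端，已自动切换到xterm-color\n' >&2
elif [[ -z "$TERM" ]] || [[ "$TERM" == "unknown" ]]; then
  export TERM=xterm-color
  printf '[INFO] 检测到未知终端类型，已设置为xterm-color\n' >&2
fi

# Base terminal type for the whole run (avoids colour problems). Applied
# unconditionally, so the branch above only decides which notice is printed.
export TERM=xterm-color

# Disable options that can cause terminal trouble
set +H # no history expansion ("!" in messages stays literal)

# Exit on the first unhandled error. -E makes the ERR trap below fire inside
# functions as well; without it the trap only covers top-level statements,
# and nearly all of this script runs inside functions.
set -e
set -E
# Diagnostics go to stderr so they never pollute values captured with $(...).
trap 'echo "错误发生在第 $LINENO 行" >&2' ERR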

  

# 颜色定义（使用更兼容的方式）

# Colour definitions. Prefer terminfo sequences from tput; when tput is
# missing (or a single lookup fails) fall back to raw ANSI escapes written as
# literal "\033[...]" text, which the log helpers interpret when printing.
if command -v tput &> /dev/null && [[ -n "$TERM" ]]; then
  RED=$(tput setaf 1 2>/dev/null || echo '\033[0;31m')
  GREEN=$(tput setaf 2 2>/dev/null || echo '\033[0;32m')
  YELLOW=$(tput setaf 3 2>/dev/null || echo '\033[1;33m')
  BLUE=$(tput setaf 4 2>/dev/null || echo '\033[0;34m')
  PURPLE=$(tput setaf 5 2>/dev/null || echo '\033[0;35m')
  CYAN=$(tput setaf 6 2>/dev/null || echo '\033[0;36m')
  NC=$(tput sgr0 2>/dev/null || echo '\033[0m')
else
  # Plain escape sequences only
  RED='\033[0;31m'    GREEN='\033[0;32m'  YELLOW='\033[1;33m'
  BLUE='\033[0;34m'   PURPLE='\033[0;35m' CYAN='\033[0;36m'
  NC='\033[0m'
fi

  

# 日志文件

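# Log file and backup directory. One timestamp is taken for both so they always
# pair up (two separate date calls could straddle a second boundary).
HARDENING_STAMP=$(date +%Y%m%d_%H%M%S)
LOG_FILE="/var/log/server_hardening_${HARDENING_STAMP}.log"
BACKUP_DIR="/root/security_backup_${HARDENING_STAMP}"
readonly HARDENING_STAMP LOG_FILE BACKUP_DIR
# Create the log up front with owner-only permissions: it later receives command
# output (package lists, the SUID/SGID inventory) that should not be world-readable.
# Best effort: without root this fails silently and check_root reports the cause.
( umask 077 && : >> "$LOG_FILE" ) 2>/dev/null || true

# Configuration variables
SSH_PORT=22               # may be changed by show_ssh_config_menu
ADMIN_USERNAME="admin"    # may be changed by show_user_config_menu
ENABLE_AUTO_REBOOT=true   # show_completion_message offers a reboot when true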

  

################################################################################

# 工具函数

################################################################################

  

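#######################################
# Timestamped log line to stdout and $LOG_FILE.
# Globals:   GREEN, NC (colour codes), LOG_FILE (appended)
# Arguments: $1 - message, printed verbatim. %s is used for it so backslashes
#            in messages (paths, regexes) are no longer interpreted as escapes
#            the way `echo -e` did; %b is kept for the colour codes because the
#            fallback values are literal "\033[..." sequences.
#######################################
log() {
  printf '%b[%s]%b %s\n' "$GREEN" "$(date +'%Y-%m-%d %H:%M:%S')" "$NC" "$1" | tee -a "$LOG_FILE"
}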

  

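#######################################
# Informational line to stdout and $LOG_FILE.
# Globals:   BLUE, NC (colour codes), LOG_FILE (appended)
# Arguments: $1 - message, printed verbatim (%s: backslashes are not interpreted)
#######################################
log_info() {
  printf '%b[INFO]%b %s\n' "$BLUE" "$NC" "$1" | tee -a "$LOG_FILE"
}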

  

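#######################################
# Warning line to stdout and $LOG_FILE.
# Globals:   YELLOW, NC (colour codes), LOG_FILE (appended)
# Arguments: $1 - message, printed verbatim (%s: backslashes are not interpreted)
#######################################
log_warning() {
  printf '%b[WARNING]%b %s\n' "$YELLOW" "$NC" "$1" | tee -a "$LOG_FILE"
}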

  

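#######################################
# Error line to stdout and $LOG_FILE.
# Globals:   RED, NC (colour codes), LOG_FILE (appended)
# Arguments: $1 - message, printed verbatim (%s: backslashes are not interpreted)
#######################################
log_error() {
  printf '%b[ERROR]%b %s\n' "$RED" "$NC" "$1" | tee -a "$LOG_FILE"
}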

  

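#######################################
# Success line to stdout and $LOG_FILE.
# Globals:   GREEN, NC (colour codes), LOG_FILE (appended)
# Arguments: $1 - message, printed verbatim (%s: backslashes are not interpreted)
#######################################
log_success() {
  printf '%b[SUCCESS]%b %s\n' "$GREEN" "$NC" "$1" | tee -a "$LOG_FILE"
}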

  

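#######################################
# Section banner (title between two rules) to stdout and $LOG_FILE.
# Globals:   BLUE, NC (colour codes), LOG_FILE (appended)
# Arguments: $1 - section title, printed verbatim
#######################################
log_section() {
  {
    printf '\n%b========================================%b\n' "$BLUE" "$NC"
    printf '%b%s%b\n' "$BLUE" "$1" "$NC"
    printf '%b========================================%b\n\n' "$BLUE" "$NC"
  } | tee -a "$LOG_FILE"
}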

  

#######################################
# Abort unless running as root; everything else edits /etc or installs packages.
# Returns: 0 when EUID is 0; otherwise logs an error and exits the script with 1
#######################################
check_root() {
  [[ $EUID -eq 0 ]] && return 0
  log_error "此脚本必须以root权限运行"
  exit 1
}

  

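#######################################
# Copy a file into $BACKUP_DIR (created on demand) before it is modified.
# Globals:   BACKUP_DIR (created), LOG_FILE (via log_*)
# Arguments: $1 - path of the file to back up; a missing file is not an error
# Returns:   0 when there was nothing to do or the copy succeeded, 1 if it failed
#######################################
backup_file() {
  local file=$1
  [[ -f "$file" ]] || return 0
  local dest="$BACKUP_DIR/${file##*/}.bak"
  mkdir -p "$BACKUP_DIR"
  # Do not hide cp's error: with "2>/dev/null" a failed backup aborted the run
  # (set -e) without any hint, and a missing backup is precisely what the
  # operator needs to hear about before a config file gets rewritten.
  if cp -p -- "$file" "$dest"; then
    log_info "备份文件: $file -> $dest"
    return 0
  fi
  log_error "备份失败: $file -> $dest"
  return 1
}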

  

#######################################
# Run a command string through eval and record the outcome in the log.
# Arguments: $1 - command line; it is passed to eval, so callers must only
#                 splice trusted, validated values (port numbers, user names)
#                 into it
#            $2 - human-readable description for the log
# Outputs:   the command's stdout/stderr go to $LOG_FILE, not the terminal
# Returns:   the command's exit status. NOTE: the script runs under set -e, so a
#            non-zero return aborts the caller unless the call is in an if/||
#            context.
#######################################
safe_execute() {
  local cmd="$1" description="$2" rc=0
  log_info "执行: $description"
  eval "$cmd" >> "$LOG_FILE" 2>&1 || rc=$?
  if (( rc == 0 )); then
    log_info "成功: $description"
  else
    log_warning "警告: $description 失败 (退出码: $rc)"
  fi
  return "$rc"
}

  

# 菜单选择函数

#######################################
# Clear the screen and print the banner in $BLUE (colour reset afterwards).
# Globals: BLUE, NC
#######################################
show_menu() {
  clear
  printf '%b\n' "$BLUE"
  cat << "EOF"
╔══════════════════════════════════════════════════════════════╗
║ Ubuntu 22.04 服务器安全加固脚本 ║
║ 多选项菜单版 (v1.4) ║
║ 简化操作 • 模块选择 • 快速加固 ║
╚══════════════════════════════════════════════════════════════╝
EOF
  printf '%b\n' "$NC"
}

  

#######################################
# Draw the top-level menu and leave the cursor on the prompt line (no newline).
# Globals: CYAN, GREEN, YELLOW, NC
#######################################
show_main_menu() {
  show_menu
  printf '%b请选择加固模式:%b\n\n' "$CYAN" "$NC"
  local -a items=(
    "快速加固 (推荐) - 关键安全工具 + 核心加固"
    "自定义加固 - 逐项选择要应用的设置"
    "系统更新 - 仅更新系统包"
    "查看当前安全状态"
    "退出"
  )
  local item n=1
  for item in "${items[@]}"; do
    printf '%b%d)%b %s\n' "$GREEN" "$n" "$NC" "$item"
    n=$((n + 1))
  done
  printf '\n%b请输入选择 [1-5]: %b' "$YELLOW" "$NC"
}

  

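#######################################
# Read a menu selection from stdin until it is an integer in [min, max].
# Arguments: $1 - smallest accepted value; $2 - largest accepted value
# Outputs:   the accepted number on stdout (callers capture it with $(...)); the
#            retry prompt therefore goes to stderr — on stdout it was captured
#            together with the number and made the caller's case statement miss.
# Returns:   0 with the choice printed, 1 on EOF (previously an exhausted stdin
#            re-printed the error forever because read's failure was ignored)
#######################################
get_menu_choice() {
  local min_choice=$1 max_choice=$2 choice
  while true; do
    IFS= read -r choice || return 1
    # 10# forces decimal so "08" is neither rejected as bad octal nor echoed
    # with its leading zero (which no case label would match).
    if [[ "$choice" =~ ^[0-9]+$ ]] && (( 10#$choice >= min_choice && 10#$choice <= max_choice )); then
      printf '%s\n' "$((10#$choice))"
      return 0
    fi
    printf '%b无效选择，请输入 %s-%s 之间的数字: %b' "$RED" "$min_choice" "$max_choice" "$NC" >&2
  done
}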

  

#######################################
# Draw the per-module menu and leave the cursor on the prompt line (no newline).
# Globals: CYAN, GREEN, YELLOW, NC
#######################################
show_custom_menu() {
  show_menu
  printf '%b自定义加固选项 (可多选):%b\n\n' "$CYAN" "$NC"
  local -a items=(
    "系统更新和包管理"
    "SSH安全加固"
    "创建管理用户和SSH密钥"
    "配置防火墙 (UFW)"
    "安装和配置Fail2ban"
    "用户和权限管理"
    "禁用不必要服务"
    "内核参数安全配置"
    "文件系统权限加固"
    "配置自动安全更新"
    "安装完整安全工具套件 (AIDE+Rkhunter+Logwatch+Auditd+Chkrootkit)"
    "生成安全加固报告"
    "返回主菜单"
  )
  local item n=1
  for item in "${items[@]}"; do
    printf '%b%d)%b %s\n' "$GREEN" "$n" "$NC" "$item"
    n=$((n + 1))
  done
  printf '\n%b请输入要执行的项目编号 (多个用逗号分隔，如: 1,2,3): %b' "$YELLOW" "$NC"
}

  

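#######################################
# Read-only overview of sshd settings, UFW, fail2ban and admin-group members.
# Globals: colour codes; reads /etc/ssh/sshd_config and /etc/group
#######################################
show_security_status() {
  show_menu
  printf '%b当前系统安全状态检查:%b\n\n' "$CYAN" "$NC"

  # --- sshd ---
  printf '%bSSH配置状态:%b\n' "$YELLOW" "$NC"
  local sshd_config="/etc/ssh/sshd_config"
  if [[ -f "$sshd_config" ]]; then
    printf '%b✓%b SSH配置文件存在\n' "$GREEN" "$NC"
    # awk exits 0 even when nothing matched, so "| awk ... || echo default"
    # never produced the default; use ${var:-default} instead. Only the main
    # file is read: drop-ins under sshd_config.d may override these values.
    local port root_login pw_auth
    port=$(awk '$1 == "Port" {print $2; exit}' "$sshd_config")
    root_login=$(awk '$1 == "PermitRootLogin" {print $2; exit}' "$sshd_config")
    pw_auth=$(awk '$1 == "PasswordAuthentication" {print $2; exit}' "$sshd_config")
    printf ' 端口: %s\n' "${port:-22 (默认)}"
    printf ' Root登录: %s\n' "${root_login:-未明确配置}"
    printf ' 密码认证: %s\n' "${pw_auth:-未明确配置}"
  else
    printf '%b✗%b SSH配置文件不存在\n' "$RED" "$NC"
  fi
  echo ""

  # --- UFW ---
  printf '%b防火墙状态:%b\n' "$YELLOW" "$NC"
  if ! command -v ufw &> /dev/null; then
    printf '%b✗%b UFW防火墙未安装\n' "$RED" "$NC"
  elif ufw status 2>/dev/null | grep -q "^Status: active"; then
    printf '%b✓%b UFW防火墙已启用\n' "$GREEN" "$NC"
    ufw status | head -10
  else
    printf '%b!%b UFW防火墙已安装但未启用\n' "$YELLOW" "$NC"
  fi
  echo ""

  # --- fail2ban ---
  printf '%bFail2ban状态:%b\n' "$YELLOW" "$NC"
  if ! command -v fail2ban-client &> /dev/null; then
    printf '%b✗%b Fail2ban未安装\n' "$RED" "$NC"
  elif systemctl is-active --quiet fail2ban; then
    printf '%b✓%b Fail2ban服务正在运行\n' "$GREEN" "$NC"
    fail2ban-client status 2>/dev/null | head -5
  else
    printf '%b!%b Fail2ban已安装但未运行\n' "$YELLOW" "$NC"
  fi
  echo ""

  # --- admin groups ---
  printf '%b系统用户管理:%b\n' "$YELLOW" "$NC"
  # Match the group *name* field. The previous pattern ":(sudo|admin)" needed a
  # colon before the word, i.e. it matched member lists, never the sudo group itself.
  local admin_users
  admin_users=$(awk -F: '$1 == "sudo" || $1 == "admin" {print $4}' /etc/group 2>/dev/null | head -5)
  if [[ -n "$admin_users" ]]; then
    printf '%b✓%b 管理员用户: %s\n' "$GREEN" "$NC" "$admin_users"
  else
    printf '%b!%b 未检测到管理用户组\n' "$YELLOW" "$NC"
  fi
  echo ""
  printf '%b按回车键返回主菜单...%b\n' "$CYAN" "$NC"
  read -r _ || true
}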

  

################################################################################

# 主要加固功能

################################################################################

  

# 1. 系统信息收集

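#######################################
# 1. Log basic host facts (OS, kernel, hostname, first IP, start time).
# Globals: LOG_FILE (appended)
#######################################
collect_system_info() {
  log_section "收集系统信息"
  local os kernel host ip
  # "... | cut || echo default" only guarded cut/awk, which succeed on empty
  # input, so the defaults never applied; ${var:-default} does what was meant.
  os=$(lsb_release -d 2>/dev/null | cut -f2)
  kernel=$(uname -r)
  host=$(hostname)
  ip=$(hostname -I 2>/dev/null | awk '{print $1}')
  log_info "操作系统: ${os:-Unknown}"
  log_info "内核版本: $kernel"
  log_info "主机名: $host"
  log_info "IP地址: ${ip:-无法获取}"
  log_info "开始加固时间: $(date)"
  echo "系统信息收集完成" >> "$LOG_FILE"
}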

  

# 2. 系统更新

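#######################################
# 2. Refresh package lists and apply all pending upgrades.
# apt-get is used instead of apt: apt has no stable CLI for scripts (it says so
# on stderr), and DEBIAN_FRONTEND=noninteractive keeps dpkg prompts from
# hanging an unattended run.
#######################################
update_system() {
  log_section "系统更新与安全补丁"
  log_info "开始系统更新..."
  local apt="DEBIAN_FRONTEND=noninteractive apt-get"
  safe_execute "apt-get update" "更新软件包列表"
  safe_execute "$apt upgrade -y" "升级已安装的软件包"
  safe_execute "$apt dist-upgrade -y" "安装安全更新"
  safe_execute "$apt autoremove -y" "清理不需要的软件包"
  safe_execute "apt-get autoclean -y" "清理缓存"
  log_success "系统更新完成"
}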

  

# 3. SSH安全加固

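#######################################
# 3. sshd hardening: no root login, no password auth, listen on $SSH_PORT, plus a
# fixed block of extra options. The result is syntax-checked with `sshd -t`
# before the service restarts; on failure the backup is restored and sshd is
# left untouched, since a broken sshd_config means no way back onto the host.
# Globals:   SSH_PORT (read), BACKUP_DIR (read for rollback), LOG_FILE
# Returns:   1 if sshd_config is missing or the new config fails validation
#######################################
harden_ssh() {
  log_section "SSH安全加固"
  local ssh_config="/etc/ssh/sshd_config"
  local marker="# 安全加固配置"
  if [[ ! -f "$ssh_config" ]]; then
    log_error "SSH配置文件不存在: $ssh_config"
    return 1
  fi
  backup_file "$ssh_config"
  log_info "配置SSH安全参数..."
  # Preset values: rewrite the keyword whether it is active or commented out.
  safe_execute "sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' '$ssh_config'" "禁用root登录"
  safe_execute "sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' '$ssh_config'" "禁用密码认证"
  safe_execute "sed -i 's/^#*Port.*/Port $SSH_PORT/' '$ssh_config'" "设置SSH端口为$SSH_PORT"
  # sed is a silent no-op when the keyword is absent altogether; append it then.
  local kv
  for kv in "PermitRootLogin no" "PasswordAuthentication no" "Port $SSH_PORT"; do
    grep -qE "^${kv%% *}[[:space:]]+${kv#* }\$" "$ssh_config" || printf '%s\n' "$kv" >> "$ssh_config"
  done
  # Extra options, appended once: the marker line stops repeated runs from
  # stacking another copy of the block at the end of the file.
  if ! grep -qxF -- "$marker" "$ssh_config"; then
    cat >> "$ssh_config" << EOF

$marker
Protocol 2
MaxAuthTries 3
MaxSessions 2
LoginGraceTime 60
ClientAliveInterval 300
ClientAliveCountMax 2
PermitEmptyPasswords no
X11Forwarding no
UseDNS no

EOF
  fi
  # Ubuntu 22.04's sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf"
  # and sshd keeps the first value it reads, so a drop-in (cloud-init writes one
  # on many images) may silently keep password logins enabled. Warn; files this
  # script does not own are not edited.
  if grep -rqsiE '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' /etc/ssh/sshd_config.d/; then
    log_warning "/etc/ssh/sshd_config.d/ 中存在 PasswordAuthentication yes，可能覆盖此处的设置，请手动检查"
  fi
  local sshd_bin
  sshd_bin=$(command -v sshd || echo /usr/sbin/sshd)
  if "$sshd_bin" -t -f "$ssh_config" >> "$LOG_FILE" 2>&1; then
    safe_execute "systemctl restart sshd" "重启SSH服务"
    log_success "SSH加固完成 - 端口: $SSH_PORT, Root登录: 禁用, 密码认证: 禁用"
    log_warning "请确保已在防火墙中开放端口 $SSH_PORT"
    log_warning "请确保已配置SSH密钥认证"
  else
    local backup="$BACKUP_DIR/${ssh_config##*/}.bak"
    log_error "sshd 配置校验失败，未重启服务"
    if [[ -f "$backup" ]]; then
      cp -p -- "$backup" "$ssh_config"
      log_info "已从备份恢复: $backup"
    fi
    return 1
  fi
}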

  

# 4. 用户管理和SSH密钥配置

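#######################################
# 4. Create the admin account (if needed), add it to sudo, generate an SSH key
# pair in its home and trust the public key through authorized_keys.
# Globals:   ADMIN_USERNAME (read), BLUE/NC (colours), LOG_FILE, BACKUP_DIR
# Returns:   1 on an invalid user name, failed account creation, unresolvable
#            home directory or key generation failure
# Notes:     - The private key is generated on the server itself; the operator
#              must copy it to a workstation and delete it here afterwards.
#            - The sudoers entry is NOPASSWD:ALL as in the original design; that
#              removes the password prompt as a second check before privileged
#              commands, so anyone holding the key has unconditional root.
#######################################
manage_users() {
  log_section "创建管理用户和配置SSH密钥"
  local username=$ADMIN_USERNAME
  # The name is spliced into eval'd command strings and a sudoers fragment, so
  # accept only a plain lowercase POSIX user name (at most 32 characters).
  if [[ ! "$username" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]]; then
    log_error "无效的用户名: $username"
    return 1
  fi
  if id "$username" &>/dev/null; then
    log_info "用户 $username 已存在，跳过创建"
  else
    log_info "创建用户: $username"
    safe_execute "useradd -m -s /bin/bash '$username'" "创建用户 $username" || return 1
    local temp_password
    temp_password=$(openssl rand -base64 32)
    printf '%s:%s\n' "$username" "$temp_password" | chpasswd
    log_success "用户 $username 创建成功"
    # Terminal only: the password must not be appended to $LOG_FILE, which
    # outlives this session (log_info would tee it into the log).
    printf '%b[INFO]%b 临时密码: %s (建议首次登录后修改；此密码不写入日志)\n' "$BLUE" "$NC" "$temp_password"
    safe_execute "usermod -aG sudo '$username'" "将 $username 添加到sudo组"
  fi
  # Resolve the home from the account database. `eval echo "~$user"` returned the
  # literal string "~admin" when the account did not exist yet, and the script
  # then created a directory of that name in the current working directory.
  local user_home
  user_home=$(getent passwd "$username" | cut -d: -f6)
  if [[ -z "$user_home" || ! -d "$user_home" ]]; then
    log_error "无法确定用户 $username 的主目录"
    return 1
  fi
  local ssh_dir="$user_home/.ssh"
  local authorized_keys="$ssh_dir/authorized_keys"
  local private_key="$ssh_dir/id_rsa"
  mkdir -p "$ssh_dir"
  chown "$username:$username" "$ssh_dir"
  chmod 700 "$ssh_dir"
  # Generate the key pair as the user. runuser takes an argument vector, so the
  # path and comment are not re-parsed by a shell (su -c "... $var ..." was).
  log_info "生成SSH密钥对..."
  if [[ ! -f "$private_key" ]]; then
    runuser -u "$username" -- ssh-keygen -t rsa -b 4096 -f "$private_key" -N '' -C "$username@$(hostname)" >> "$LOG_FILE" 2>&1 || true
    if [[ ! -f "$private_key" ]]; then
      log_error "SSH密钥生成失败"
      return 1
    fi
    log_success "SSH密钥对生成成功"
    log_info "私钥文件: $private_key"
    log_info "公钥文件: $private_key.pub"
    log_warning "请妥善保管私钥文件，不要上传到公共服务器"
  else
    log_info "SSH密钥已存在"
  fi
  # Trust the key without discarding keys that were already authorized
  # (the previous version overwrote authorized_keys).
  if [[ -f "$private_key.pub" ]]; then
    touch "$authorized_keys"
    grep -qxF -- "$(< "$private_key.pub")" "$authorized_keys" || cat "$private_key.pub" >> "$authorized_keys"
  else
    log_warning "未找到公钥 $private_key.pub，未更新 authorized_keys"
  fi
  # Passwordless sudo. Validate the fragment with visudo before installing it:
  # a malformed file under /etc/sudoers.d breaks sudo for every account.
  local sudoers_file="/etc/sudoers.d/$username"
  local sudoers_tmp
  sudoers_tmp=$(mktemp)
  printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$username" > "$sudoers_tmp"
  if visudo -cf "$sudoers_tmp" >> "$LOG_FILE" 2>&1; then
    install -m 440 -o root -g root "$sudoers_tmp" "$sudoers_file"
    log_success "已配置 $username sudo无密码权限"
  else
    log_error "sudoers 片段校验失败，未写入 $sudoers_file"
  fi
  rm -f -- "$sudoers_tmp"
  # Ownership and permissions on the key material
  safe_execute "chown -R '$username:$username' '$ssh_dir'" "设置SSH目录权限"
  safe_execute "chmod 700 '$ssh_dir'" "设置SSH目录权限为700"
  if [[ -f "$authorized_keys" ]]; then
    safe_execute "chmod 600 '$authorized_keys'" "设置公钥文件权限为600"
  fi
  log_success "用户管理完成 - 用户: $username"
}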

  

# 5. 防火墙配置

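#######################################
# 5. Install UFW if needed, set deny-in/allow-out defaults, allow SSH and the
# web/DNS/NTP ports, then enable the firewall.
# Globals:   SSH_PORT (read)
# NOTE(review): 53/udp and 123/udp are opened unconditionally; they only make
# sense on a host that actually serves DNS/NTP — trim the list for other roles.
#######################################
configure_firewall() {
  log_section "配置UFW防火墙"
  if ! command -v ufw &> /dev/null; then
    safe_execute "DEBIAN_FRONTEND=noninteractive apt-get install -y ufw" "安装UFW"
  fi
  log_info "配置UFW规则..."
  safe_execute "ufw default deny incoming" "设置默认入站策略：拒绝"
  safe_execute "ufw default allow outgoing" "设置默认出站策略：允许"
  # SSH is allowed before enabling so a remote session is never cut off.
  safe_execute "ufw allow $SSH_PORT/tcp comment 'SSH'" "允许SSH端口: $SSH_PORT"
  local -a common_ports=("80/tcp" "443/tcp" "53/udp" "123/udp")
  local -a port_comments=("HTTP" "HTTPS" "DNS" "NTP")
  local i   # was an implicit global in the original loop
  for i in "${!common_ports[@]}"; do
    log_info "开放端口 ${common_ports[$i]} (${port_comments[$i]})"
    safe_execute "ufw allow ${common_ports[$i]} comment '${port_comments[$i]}'" "开放${port_comments[$i]}端口"
  done
  log_info "启用UFW防火墙..."
  safe_execute "ufw --force enable" "强制启用UFW"
  log_success "防火墙配置完成"
  ufw status | head -15
}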

  

# 6. 安装和配置Fail2ban

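#######################################
# 6. Install fail2ban and write /etc/fail2ban/jail.local with an sshd jail.
# Globals:   SSH_PORT (read), BACKUP_DIR (rollback), LOG_FILE
# Returns:   1 if the new configuration fails `fail2ban-client -t` or the
#            service is not running after the restart
#######################################
install_fail2ban() {
  log_section "安装和配置Fail2ban"
  if ! command -v fail2ban-client &> /dev/null; then
    safe_execute "DEBIAN_FRONTEND=noninteractive apt-get install -y fail2ban" "安装Fail2ban"
  else
    log_info "Fail2ban已安装"
  fi
  local jail_local="/etc/fail2ban/jail.local"
  local jail_backup="$BACKUP_DIR/${jail_local##*/}.bak"
  backup_file "$jail_local" 2>/dev/null || true
  log_info "创建Fail2ban配置..."
  # The previous [sshd-ddos] jail used filter "sshd-ddos", which fail2ban 0.10+
  # folded into the sshd filter as "mode = aggressive"; with the filter file
  # absent (Ubuntu 22.04 ships 0.11) the service refuses to load its config.
  # One sshd jail in aggressive mode covers both the brute-force and the
  # connection-flood patterns.
  cat > "$jail_local" << EOF
[DEFAULT]
# 封禁时间（秒）
bantime = 3600

# 查找时间窗口（秒）
findtime = 600

# 最大尝试次数
maxretry = 5

[sshd]
enabled = true
port = $SSH_PORT
filter = sshd
mode = aggressive
logpath = /var/log/auth.log
maxretry = 3
bantime = 7200
EOF
  # Dry-run the configuration before restarting so a bad jail.local cannot take
  # the service down; restore the backup if the check fails.
  if ! fail2ban-client -t >> "$LOG_FILE" 2>&1; then
    log_error "Fail2ban 配置校验失败，未重启服务"
    if [[ -f "$jail_backup" ]]; then
      cp -p -- "$jail_backup" "$jail_local"
      log_info "已恢复原配置: $jail_backup"
    fi
    return 1
  fi
  safe_execute "systemctl enable fail2ban" "启用Fail2ban服务"
  safe_execute "systemctl restart fail2ban" "重启Fail2ban服务"
  # Check the service state rather than merely that the client binary exists.
  if systemctl is-active --quiet fail2ban; then
    log_success "Fail2ban配置完成"
    fail2ban-client status 2>/dev/null | head -5
  else
    log_error "Fail2ban 服务未在运行，请检查 journalctl -u fail2ban"
    return 1
  fi
}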

  

# 7. 用户和权限管理

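#######################################
# 7. Password quality/ageing policy and locking of legacy service accounts.
# Globals:   ADMIN_USERNAME (read: the admin account is never locked)
# Notes:     the PASS_* values in login.defs only apply to accounts created
#            afterwards; existing users keep their current chage settings.
#######################################
harden_users() {
  log_section "用户和权限加固"
  log_info "配置密码策略..."
  # dpkg-query's Status field is checked instead of grepping `dpkg -l`, which
  # also matched removed packages and substrings of other package names.
  if ! dpkg-query -W -f='${Status}' libpam-pwquality 2>/dev/null | grep -q 'install ok installed'; then
    safe_execute "DEBIAN_FRONTEND=noninteractive apt-get install -y libpam-pwquality" "安装密码质量检查工具"
  fi
  local pwquality_file="/etc/security/pwquality.conf"
  local marker="# 密码安全策略"
  backup_file "$pwquality_file"
  # Append the policy once; every re-run used to add another copy of the block.
  if ! grep -qxF -- "$marker" "$pwquality_file" 2>/dev/null; then
    cat >> "$pwquality_file" << 'EOF'

# 密码安全策略
minlen = 12
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
maxrepeat = 3
EOF
  fi
  local login_defs="/etc/login.defs"
  if [[ -f "$login_defs" ]]; then
    backup_file "$login_defs"
    safe_execute "sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' '$login_defs'" "设置密码最大有效期"
    safe_execute "sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 1/' '$login_defs'" "设置密码最小间隔"
    safe_execute "sed -i 's/^PASS_WARN_AGE.*/PASS_WARN_AGE 14/' '$login_defs'" "设置密码警告时间"
  fi
  log_success "密码策略配置完成"
  log_info "锁定系统账户..."
  local user
  local -a system_users=(bin daemon adm lp sync shutdown halt mail news uucp operator games gopher ftp)
  for user in "${system_users[@]}"; do
    # "operator" is also offered as an admin user name by show_user_config_menu;
    # never lock the account this script manages.
    [[ "$user" == "$ADMIN_USERNAME" ]] && continue
    id "$user" &>/dev/null || continue
    # Lock the password and drop the shell; accounts that reject this are skipped.
    usermod -L -s /usr/sbin/nologin "$user" 2>/dev/null || true
  done
  log_success "用户加固完成"
}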

  

# 8. 禁用不必要的服务

#######################################
# 8. Stop and disable a fixed list of services that a server rarely needs.
# Units that are not enabled (or not installed) are skipped silently.
#######################################
disable_services() {
  log_section "禁用不必要的服务"
  local svc
  for svc in avahi-daemon cups isc-dhcp-server isc-dhcp-server6 bluetooth; do
    systemctl is-enabled "$svc" &>/dev/null || continue
    safe_execute "systemctl stop '$svc'" "停止服务: $svc"
    safe_execute "systemctl disable '$svc'" "禁用服务: $svc"
    log_info "已禁用服务: $svc"
  done
  log_success "不必要服务禁用完成"
}

  

# 9. 内核参数安全配置

#######################################
# 9. Write the network sysctl drop-in and load it.
# Globals:   BACKUP_DIR (via backup_file)
# NOTE: icmp_echo_ignore_broadcasts only drops broadcast/multicast echo
# requests; unicast ping is still answered, whatever the data file's comment says.
#######################################
harden_kernel() {
  log_section "内核参数安全配置"
  local sysctl_conf="/etc/sysctl.d/99-security.conf"
  # The drop-in usually does not exist on a fresh host; ignore backup noise then.
  backup_file "$sysctl_conf" 2>/dev/null || true
  log_info "配置内核安全参数..."
  cat > "$sysctl_conf" << 'EOF'
# IP转发禁用
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

# SYN cookies保护
net.ipv4.tcp_syncookies = 1

# 忽略ICMP重定向
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# 忽略安全ICMP重定向
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# 禁用源路由
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# 记录可疑包
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# 忽略ICMP ping请求
net.ipv4.icmp_echo_ignore_broadcasts = 1

# 反向路径过滤
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# 保护系统免受SYN flood攻击
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
EOF
  # Only this file is loaded, so settings from other drop-ins are left alone.
  command -v sysctl &> /dev/null && safe_execute "sysctl -p '$sysctl_conf'" "应用内核参数配置"
  log_success "内核参数配置完成"
}

  

# 10. 文件系统和权限加固

#######################################
# 10. Tighten modes on the account database and sshd config, then inventory
# setuid/setgid files into the log (listed only, never changed).
# Globals:   LOG_FILE (appended)
#######################################
harden_filesystem() {
  log_section "文件系统权限加固"
  log_info "设置重要文件权限..."
  local entry path mode
  for entry in "/etc/ssh/sshd_config:600" "/etc/passwd:644" "/etc/shadow:640" "/etc/group:644" "/etc/gshadow:600"; do
    IFS=: read -r path mode <<< "$entry"
    [[ -f "$path" ]] || continue
    safe_execute "chmod $mode '$path'" "设置文件权限: $path -> $mode"
  done
  log_success "重要文件权限已加固"
  log_info "查找具有SUID/SGID权限的文件（记录到日志）..."
  if command -v find &> /dev/null; then
    # Unreadable paths are skipped; the inventory is for later review.
    find / -perm /6000 -type f 2>/dev/null >> "$LOG_FILE" || true
  fi
}

  

# 11. 配置自动安全更新

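#######################################
# 11. Install unattended-upgrades and switch automatic updates on.
# debconf-set-selections only stores the answer; dpkg-reconfigure is what
# turns it into /etc/apt/apt.conf.d/20auto-upgrades. The original ran
# debconf-show instead, so the setting was never actually applied.
#######################################
configure_auto_updates() {
  log_section "配置自动安全更新"
  if ! dpkg-query -W -f='${Status}' unattended-upgrades 2>/dev/null | grep -q 'install ok installed'; then
    safe_execute "DEBIAN_FRONTEND=noninteractive apt-get install -y unattended-upgrades apt-listchanges" "安装自动更新工具"
  fi
  if command -v dpkg-reconfigure &> /dev/null; then
    safe_execute "echo 'unattended-upgrades unattended-upgrades/enable_auto_updates boolean true' | debconf-set-selections && dpkg-reconfigure -f noninteractive unattended-upgrades" "配置自动更新"
  fi
  # Verify the effect instead of assuming it.
  if grep -qs 'Unattended-Upgrade "1"' /etc/apt/apt.conf.d/20auto-upgrades; then
    log_success "自动安全更新已启用"
  else
    log_warning "未能确认自动更新已启用，请检查 /etc/apt/apt.conf.d/20auto-upgrades"
  fi
}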

  

# 12. 安装其他安全工具

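#######################################
# 12. Install the selected security packages and run their post-install steps.
# Globals:   INSTALL_MODE (read; "priority" installs only aide+rkhunter,
#            anything else installs the full list)
# Notes:     a failed install of one package is logged and skipped, not fatal.
#######################################
install_security_tools() {
  log_section "安装额外安全工具"
  local -a priority_tools=("aide" "rkhunter")
  local -a all_tools=("aide" "rkhunter" "logwatch" "auditd" "chkrootkit")
  local -a tools=()
  if [[ "${INSTALL_MODE:-full}" == "priority" ]]; then
    tools=("${priority_tools[@]}")
    log_info "快速加固模式: 安装关键安全工具"
  else
    tools=("${all_tools[@]}")
    log_info "完整安装模式: 安装所有推荐安全工具"
  fi
  local tool
  for tool in "${tools[@]}"; do
    if dpkg-query -W -f='${Status}' "$tool" 2>/dev/null | grep -q 'install ok installed'; then
      log_info "$tool 已安装"
      continue
    fi
    # The call sits in a condition, so its non-zero status does not trip set -e
    # and an unavailable package does not abort the whole run.
    if ! safe_execute "DEBIAN_FRONTEND=noninteractive apt-get install -y '$tool'" "安装安全工具: $tool"; then
      log_warning "跳过 $tool 安装"
      continue
    fi
    case "$tool" in
      auditd)
        safe_execute "systemctl enable auditd" "启用auditd服务"
        safe_execute "systemctl start auditd" "启动auditd服务"
        log_success "已安装并启用: $tool"
        ;;
      rkhunter)
        # rkhunter can return non-zero even when it did its job (e.g. after
        # applying updates, or when the distribution config disables WEB_CMD),
        # so these steps are logged but never fatal. --propupd records the
        # current file properties as the baseline, which presumes the host is
        # clean at this point.
        if command -v rkhunter &> /dev/null; then
          safe_execute "rkhunter --update" "更新rkhunter数据库" || true
          safe_execute "rkhunter --propupd" "更新rkhunter属性" || true
        fi
        log_success "已安装: $tool"
        ;;
      *)
        log_success "已安装: $tool"
        ;;
    esac
  done
  log_info "安全工具安装总结:"
  for tool in "${tools[@]}"; do
    if command -v "$tool" &>/dev/null; then
      log_success "✓ $tool - 已安装"
    else
      log_info "- $tool - 跳过或安装失败"
    fi
  done
}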

  

# 13. 生成加固报告

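#######################################
# 13. Write a plain-text summary of the host's security posture to /root.
# Globals:   SSH_PORT, ADMIN_USERNAME, BACKUP_DIR, LOG_FILE (read)
# Notes:     the report lists listening sockets and admin accounts, so it is
#            created owner-readable only.
#######################################
generate_report() {
  log_section "生成安全加固报告"
  local report_file="/root/security_hardening_report_$(date +%Y%m%d_%H%M%S).txt"
  # Every section is collected first. "cmd | filter || echo default" only
  # guards the filter stage, so defaults are applied with ${var:-default}.
  local os_info kernel_info hostname_info ssh_info fw_info f2b_info pkg_info port_info admin_info
  os_info=$(lsb_release -d 2>/dev/null | cut -f2)
  kernel_info=$(uname -r)
  hostname_info=$(hostname)
  ssh_info=$(grep -E "^(Port|PermitRootLogin|PasswordAuthentication)" /etc/ssh/sshd_config 2>/dev/null || true)
  fw_info=$(ufw status verbose 2>/dev/null || true)
  f2b_info=$(fail2ban-client status 2>/dev/null || true)
  pkg_info=$(dpkg -l 2>/dev/null | grep -E "fail2ban|ufw|aide|rkhunter|logwatch|unattended-upgrades" | awk '{print $2 " " $3}' | column -t 2>/dev/null || true)
  port_info=$(ss -tunlp 2>/dev/null || netstat -tunlp 2>/dev/null || true)
  # Group *names* sudo/admin; the previous ":(sudo|admin)" matched member lists only.
  admin_info=$(awk -F: '$1 == "sudo" || $1 == "admin"' /etc/group 2>/dev/null | head -5)
  ( umask 077 && : > "$report_file" )
  cat > "$report_file" << EOF
================================================================================
服务器安全加固报告
================================================================================
生成时间: $(date)
主机名: $hostname_info
操作系统: ${os_info:-Unknown}
内核版本: $kernel_info

--------------------------------------------------------------------------------
1. SSH配置
--------------------------------------------------------------------------------
${ssh_info:-SSH配置不可读}

--------------------------------------------------------------------------------
2. 防火墙状态
--------------------------------------------------------------------------------
${fw_info:-UFW不可用}

--------------------------------------------------------------------------------
3. Fail2ban状态
--------------------------------------------------------------------------------
${f2b_info:-Fail2ban未运行}

--------------------------------------------------------------------------------
4. 已安装的安全工具
--------------------------------------------------------------------------------
${pkg_info:-无法获取包信息}

--------------------------------------------------------------------------------
5. 活动监听端口
--------------------------------------------------------------------------------
${port_info:-端口信息不可用}

--------------------------------------------------------------------------------
6. 管理用户
--------------------------------------------------------------------------------
${admin_info:-无管理用户组}

--------------------------------------------------------------------------------
备份目录: $BACKUP_DIR
日志文件: $LOG_FILE
配置完成时间: $(date)
--------------------------------------------------------------------------------
EOF
  log_success "安全加固报告已生成: $report_file"
  printf '%b报告摘要:%b\n' "$CYAN" "$NC"
  echo "- 操作系统: ${os_info:-Unknown}"
  echo "- SSH端口: $SSH_PORT"
  echo "- 管理员用户: $ADMIN_USERNAME"
  # Anchor on the status line: a bare "active" also matched "Status: inactive".
  echo "- 防火墙: $(ufw status 2>/dev/null | grep -q "^Status: active" && echo "已启用" || echo "未启用")"
  echo "- Fail2ban: $(systemctl is-active fail2ban 2>/dev/null || echo "未运行")"
  echo ""
  printf '%b完整报告请查看: %s%b\n' "$YELLOW" "$report_file" "$NC"
}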

  

################################################################################

# 快速加固流程

################################################################################

  

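#######################################
# One-shot run of every module with the priority tool set.
# Globals:   INSTALL_MODE (exported, read by install_security_tools)
# Ordering:  the admin account with its key and the UFW rule for SSH_PORT are
#            put in place *before* harden_ssh disables password logins and moves
#            sshd to SSH_PORT. In the previous order (ssh first) a fresh host
#            could be left with no key-based login and a port the firewall had
#            not yet opened, locking the operator out.
#######################################
quick_hardening() {
  log_section "开始快速加固"
  log_warning "这将应用所有推荐的安全设置"
  export INSTALL_MODE="priority"
  collect_system_info
  update_system
  manage_users
  configure_firewall
  harden_ssh
  install_fail2ban
  harden_users
  disable_services
  harden_kernel
  harden_filesystem
  configure_auto_updates
  install_security_tools
  generate_report
  log_section "快速加固完成"
  show_completion_message
}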

  

################################################################################

# 自定义加固流程

################################################################################

  

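#######################################
# Validate a "1,2,3"-style menu selection against [1, max].
# Arguments: $1 - raw input line; $2 - largest accepted number
# Outputs:   the numbers, space-separated and with leading zeros stripped
# Returns:   1 if the line is empty or any entry is not a number in range
#######################################
_parse_menu_list() {
  local line=${1//[[:space:]]/} max=$2
  local -a items=() out=()
  local item
  IFS=',' read -r -a items <<< "$line"
  (( ${#items[@]} > 0 )) || return 1
  for item in "${items[@]}"; do
    [[ "$item" =~ ^[0-9]+$ ]] || return 1
    (( 10#$item >= 1 && 10#$item <= max )) || return 1
    out+=("$((10#$item))")
  done
  printf '%s\n' "${out[*]}"
}

#######################################
# Interactive per-module loop. The prompt advertises comma-separated input
# ("1,2,3"), but the previous code routed it through get_menu_choice, which
# accepts a single number only; selections are now parsed and run in order.
# Returns: 0 when the user picks 13 (back) or stdin is exhausted
#######################################
custom_hardening() {
  local line selection choice
  while true; do
    show_custom_menu
    while true; do
      IFS= read -r line || return 0
      if selection=$(_parse_menu_list "$line" 13); then break; fi
      printf '%b无效选择，请输入 1-13 之间的数字 (多个用逗号分隔): %b' "$RED" "$NC" >&2
    done
    # shellcheck disable=SC2086 — $selection is a validated, space-separated list
    for choice in $selection; do
      case $choice in
        1) collect_system_info; update_system ;;
        2) show_ssh_config_menu ;;
        3) show_user_config_menu ;;
        4) configure_firewall ;;
        5) install_fail2ban ;;
        6) harden_users ;;
        7) disable_services ;;
        8) harden_kernel ;;
        9) harden_filesystem ;;
        10) configure_auto_updates ;;
        11) export INSTALL_MODE="full"; install_security_tools ;;
        12) generate_report ;;
        13) return 0 ;;
      esac
    done
    echo ""
    printf '%b按回车键继续...%b\n' "$YELLOW" "$NC"
    read -r _ || return 0
  done
}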

  

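#######################################
# Choose the sshd preset (port 2222 / port 22 / custom port) and run harden_ssh.
# Globals:   SSH_PORT (written), colour codes
# Returns:   1 if no selection could be read from stdin
#######################################
show_ssh_config_menu() {
  show_menu
  printf '%bSSH配置选项:%b\n\n' "$CYAN" "$NC"
  printf '%b1)%b 标准配置 (端口2222, 禁用root, 禁用密码)\n' "$GREEN" "$NC"
  printf '%b2)%b 安全配置 (端口22, 禁用root, 禁用密码)\n' "$GREEN" "$NC"
  printf '%b3)%b 自定义端口 (输入端口号)\n' "$GREEN" "$NC"
  printf '%b4)%b 返回\n\n' "$GREEN" "$NC"
  printf '%b请选择SSH配置 [1-4]: %b' "$YELLOW" "$NC"
  local ssh_choice custom_port
  ssh_choice=$(get_menu_choice 1 4) || return 1
  case $ssh_choice in
    1) SSH_PORT=2222; harden_ssh ;;
    2) SSH_PORT=22; harden_ssh ;;
    3)
      printf '%b请输入SSH端口号 (1024-65535): %b' "$YELLOW" "$NC"
      IFS= read -r custom_port || custom_port=
      # Inclusive range, as the prompt states (the old test rejected 1024);
      # 10# keeps a leading zero from being read as octal.
      if [[ "$custom_port" =~ ^[0-9]+$ ]] && (( 10#$custom_port >= 1024 && 10#$custom_port <= 65535 )); then
        SSH_PORT=$((10#$custom_port))
        harden_ssh
      else
        log_error "无效的端口号"
      fi
      ;;
    4) return 0 ;;
  esac
}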

  

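#######################################
# Choose the admin account name (admin / operator / custom / skip) and run
# manage_users for it.
# Globals:   ADMIN_USERNAME (written only when the chosen name is valid, so a
#            rejected entry no longer leaks into later messages and the report)
# Returns:   1 if no selection could be read from stdin
#######################################
show_user_config_menu() {
  show_menu
  printf '%b用户管理配置选项:%b\n\n' "$CYAN" "$NC"
  printf '%b1)%b 创建admin用户 (推荐)\n' "$GREEN" "$NC"
  printf '%b2)%b 创建operator用户\n' "$GREEN" "$NC"
  printf '%b3)%b 自定义用户名\n' "$GREEN" "$NC"
  printf '%b4)%b 跳过用户创建\n\n' "$GREEN" "$NC"
  printf '%b请选择用户配置 [1-4]: %b' "$YELLOW" "$NC"
  local user_choice candidate
  user_choice=$(get_menu_choice 1 4) || return 1
  case $user_choice in
    1) ADMIN_USERNAME="admin"; manage_users ;;
    2) ADMIN_USERNAME="operator"; manage_users ;;
    3)
      printf '%b请输入用户名: %b' "$YELLOW" "$NC"
      IFS= read -r candidate || candidate=
      # Plain lowercase POSIX name, at most 32 characters: it ends up in
      # eval'd command strings and a sudoers fragment.
      if [[ "$candidate" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]]; then
        ADMIN_USERNAME=$candidate
        manage_users
      else
        log_error "无效的用户名"
      fi
      ;;
    4) log_info "跳过用户创建" ;;
  esac
}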

  

################################################################################

# 完成消息

################################################################################

  

#######################################
# Final summary (SSH access details, file locations, follow-up steps) and the
# optional reboot prompt.
# Globals:   SSH_PORT, ADMIN_USERNAME, BACKUP_DIR, LOG_FILE, ENABLE_AUTO_REBOOT
#######################################
show_completion_message() {
  printf '%b\n' "$GREEN"
  cat << EOF
╔══════════════════════════════════════════════════════════════╗
║ 安全加固已完成！ ║
╚══════════════════════════════════════════════════════════════╝

重要提醒:
1. SSH访问信息:
- 端口: $SSH_PORT
- 用户: $ADMIN_USERNAME
- 认证方式: SSH密钥 (推荐)
2. 文件位置:
- 配置备份: $BACKUP_DIR
- 详细日志: $LOG_FILE
- 安全报告: /root/security_hardening_report_*.txt

3. 后续步骤:
- 使用SSH密钥登录新用户账户
- 验证防火墙规则: ufw status
- 检查Fail2ban状态: fail2ban-client status
- 重启服务器以确保所有更改生效

4. 安全检查:
- 定期检查 /var/log/auth.log
- 运行: rkhunter --check (如已安装)
- 监控fail2ban日志: tail -f /var/log/fail2ban.log

EOF
  printf '%b\n' "$NC"
  [[ "$ENABLE_AUTO_REBOOT" == "true" ]] || return 0
  printf '%b是否重启服务器以确保所有更改生效？%b\n' "$YELLOW" "$NC"
  printf '%b1)%b 是，立即重启\n' "$GREEN" "$NC"
  printf '%b2)%b 否，稍后手动重启\n\n' "$GREEN" "$NC"
  printf '%b请选择 [1-2]: %b' "$YELLOW" "$NC"
  local answer
  answer=$(get_menu_choice 1 2) || true
  if [[ "$answer" == "1" ]]; then
    log "系统将在10秒后重启..."
    sleep 10
    if command -v reboot &> /dev/null; then reboot; else shutdown -r now; fi
  elif [[ "$answer" == "2" ]]; then
    log_info "请记得稍后手动重启服务器"
  fi
}

  

################################################################################

# 主程序

################################################################################

  

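#######################################
# Entry point: root check, then the main menu loop.
# Option 1 (quick) runs once and leaves the loop; the others return to the menu.
#######################################
main() {
  check_root
  local choice
  while true; do
    show_main_menu
    # Stop when no selection can be read (stdin exhausted, e.g. a piped run)
    # instead of redrawing the menu forever.
    if ! choice=$(get_menu_choice 1 5); then
      log_error "未读取到有效输入，退出脚本"
      exit 1
    fi
    case $choice in
      1) log "开始快速加固流程..."; quick_hardening; break ;;
      2) log "开始自定义加固流程..."; custom_hardening ;;
      3)
        log "开始系统更新..."
        collect_system_info
        update_system
        echo ""
        printf '%b按回车键返回主菜单...%b\n' "$YELLOW" "$NC"
        read -r _ || true
        ;;
      4) show_security_status ;;
      5) log "退出脚本"; exit 0 ;;
    esac
  done
}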

  

# 运行主程序

main "$@" # entry point; all positional arguments are handed to main unchanged
