
passive a révisé ce gist 7 months ago.

Aucun changement

passive a révisé ce gist 7 months ago.

1 file changed

gistfile1.txt renommé en server_harden.sh

Fichier renommé sans modifications

passive a révisé ce gist 7 months ago.

1 file changed, 1939 insertions

gistfile1.txt(fichier créé)

@@ -0,0 +1,1939 @@
1 + #!/bin/bash
2 +
3 +
4 +
5 + ################################################################################
6 +
7 + # 服务器自动化加固脚本
8 +
9 + # 作者: Mercas
10 +
11 + # 日期: 2025-11-09
12 +
13 + # 说明: 本脚本用于自动化加固Ubuntu 22.04服务器安全配置
14 +
15 + # 版本: v1.4 (多选项菜单版 - 简化交互流程)
16 +
17 + # 新增功能:
18 +
19 + # - 全菜单式操作界面
20 +
21 + # - 模块化选择加固项目
22 +
23 + # - 预设配置选项
24 +
25 + # - 一键快速加固
26 +
27 + ################################################################################
28 +
29 +
30 +
31 + # 终端类型兼容性处理
32 +
33 + if [[ "$TERM" == "xterm-kitty" ]]; then
34 +
35 + export TERM=xterm-color
36 +
37 + log_info "检测到xterm-kitty终端,已自动切换到xterm-color"
38 +
39 + elif [[ -z "$TERM" ]] || [[ "$TERM" == "unknown" ]]; then
40 +
41 + export TERM=xterm-color
42 +
43 + log_info "检测到未知终端类型,已设置为xterm-color"
44 +
45 + fi
46 +
47 +
48 +
49 + # 设置脚本使用的基本终端类型(避免颜色问题)
50 +
51 + export TERM=xterm-color
52 +
53 +
54 +
55 + # 禁用一些可能引起终端问题的选项
56 +
57 + set +H # 禁用历史扩展
58 +
59 + set +e # 暂时禁用错误退出
60 +
61 +
62 +
63 + set -e # 遇到错误立即退出
64 +
65 + trap 'echo "错误发生在第 $LINENO 行"' ERR
66 +
67 +
68 +
69 + # 颜色定义(使用更兼容的方式)
70 +
71 + if command -v tput &> /dev/null && [[ -n "$TERM" ]]; then
72 +
73 + RED=$(tput setaf 1 2>/dev/null || echo '\033[0;31m')
74 +
75 + GREEN=$(tput setaf 2 2>/dev/null || echo '\033[0;32m')
76 +
77 + YELLOW=$(tput setaf 3 2>/dev/null || echo '\033[1;33m')
78 +
79 + BLUE=$(tput setaf 4 2>/dev/null || echo '\033[0;34m')
80 +
81 + PURPLE=$(tput setaf 5 2>/dev/null || echo '\033[0;35m')
82 +
83 + CYAN=$(tput setaf 6 2>/dev/null || echo '\033[0;36m')
84 +
85 + NC=$(tput sgr0 2>/dev/null || echo '\033[0m')
86 +
87 + else
88 +
89 + # 回退到简单颜色
90 +
91 + RED='\033[0;31m'
92 +
93 + GREEN='\033[0;32m'
94 +
95 + YELLOW='\033[1;33m'
96 +
97 + BLUE='\033[0;34m'
98 +
99 + PURPLE='\033[0;35m'
100 +
101 + CYAN='\033[0;36m'
102 +
103 + NC='\033[0m'
104 +
105 + fi
106 +
107 +
108 +
109 + # 日志文件
110 +
111 + LOG_FILE="/var/log/server_hardening_$(date +%Y%m%d_%H%M%S).log"
112 +
113 + BACKUP_DIR="/root/security_backup_$(date +%Y%m%d_%H%M%S)"
114 +
115 +
116 +
117 + # 配置变量
118 +
119 + SSH_PORT=22
120 +
121 + ADMIN_USERNAME="admin"
122 +
123 + ENABLE_AUTO_REBOOT=true
124 +
125 +
126 +
127 + ################################################################################
128 +
129 + # 工具函数
130 +
131 + ################################################################################
132 +
133 +
134 +
135 + log() {
136 +
137 + echo -e "${GREEN}[$(date +'%Y-%m-%d %H:%M:%S')]${NC} $1" | tee -a "$LOG_FILE"
138 +
139 + }
140 +
141 +
142 +
143 + log_info() {
144 +
145 + echo -e "${BLUE}[INFO]${NC} $1" | tee -a "$LOG_FILE"
146 +
147 + }
148 +
149 +
150 +
151 + log_warning() {
152 +
153 + echo -e "${YELLOW}[WARNING]${NC} $1" | tee -a "$LOG_FILE"
154 +
155 + }
156 +
157 +
158 +
159 + log_error() {
160 +
161 + echo -e "${RED}[ERROR]${NC} $1" | tee -a "$LOG_FILE"
162 +
163 + }
164 +
165 +
166 +
167 + log_success() {
168 +
169 + echo -e "${GREEN}[SUCCESS]${NC} $1" | tee -a "$LOG_FILE"
170 +
171 + }
172 +
173 +
174 +
175 + log_section() {
176 +
177 + echo -e "\n${BLUE}========================================${NC}" | tee -a "$LOG_FILE"
178 +
179 + echo -e "${BLUE}$1${NC}" | tee -a "$LOG_FILE"
180 +
181 + echo -e "${BLUE}========================================${NC}\n" | tee -a "$LOG_FILE"
182 +
183 + }
184 +
185 +
186 +
187 + check_root() {
188 +
189 + if [[ $EUID -ne 0 ]]; then
190 +
191 + log_error "此脚本必须以root权限运行"
192 +
193 + exit 1
194 +
195 + fi
196 +
197 + }
198 +
199 +
200 +
201 + backup_file() {
202 +
203 + local file=$1
204 +
205 + if [[ -f "$file" ]]; then
206 +
207 + mkdir -p "$BACKUP_DIR"
208 +
209 + cp -p "$file" "$BACKUP_DIR/$(basename $file).bak" 2>/dev/null
210 +
211 + log_info "备份文件: $file -> $BACKUP_DIR/$(basename $file).bak"
212 +
213 + fi
214 +
215 + }
216 +
217 +
218 +
219 + safe_execute() {
220 +
221 + local cmd="$1"
222 +
223 + local description="$2"
224 +
225 + log_info "执行: $description"
226 +
227 + if eval "$cmd" >> "$LOG_FILE" 2>&1; then
228 +
229 + log_info "成功: $description"
230 +
231 + return 0
232 +
233 + else
234 +
235 + local exit_code=$?
236 +
237 + log_warning "警告: $description 失败 (退出码: $exit_code)"
238 +
239 + return $exit_code
240 +
241 + fi
242 +
243 + }
244 +
245 +
246 +
247 + # 菜单选择函数
248 +
249 + show_menu() {
250 +
251 + clear
252 +
253 + echo -e "${BLUE}"
254 +
255 + cat << "EOF"
256 +
257 + ╔══════════════════════════════════════════════════════════════╗
258 +
259 + ║ Ubuntu 22.04 服务器安全加固脚本 ║
260 +
261 + ║ 多选项菜单版 (v1.4) ║
262 +
263 + ║ 简化操作 • 模块选择 • 快速加固 ║
264 +
265 + ╚══════════════════════════════════════════════════════════════╝
266 +
267 + EOF
268 +
269 + echo -e "${NC}"
270 +
271 + }
272 +
273 +
274 +
275 + show_main_menu() {
276 +
277 + show_menu
278 +
279 + echo -e "${CYAN}请选择加固模式:${NC}"
280 +
281 + echo ""
282 +
283 + echo -e "${GREEN}1)${NC} 快速加固 (推荐) - 关键安全工具 + 核心加固"
284 +
285 + echo -e "${GREEN}2)${NC} 自定义加固 - 逐项选择要应用的设置"
286 +
287 + echo -e "${GREEN}3)${NC} 系统更新 - 仅更新系统包"
288 +
289 + echo -e "${GREEN}4)${NC} 查看当前安全状态"
290 +
291 + echo -e "${GREEN}5)${NC} 退出"
292 +
293 + echo ""
294 +
295 + echo -e "${YELLOW}请输入选择 [1-5]: ${NC}\c"
296 +
297 + }
298 +
299 +
300 +
301 + get_menu_choice() {
302 +
303 + local min_choice=$1
304 +
305 + local max_choice=$2
306 +
307 + local choice
308 +
309 + while true; do
310 +
311 + read -p "" choice
312 +
313 + if [[ "$choice" =~ ^[0-9]+$ ]] && [[ "$choice" -ge "$min_choice" ]] && [[ "$choice" -le "$max_choice" ]]; then
314 +
315 + echo "$choice"
316 +
317 + return 0
318 +
319 + else
320 +
321 + echo -e "${RED}无效选择,请输入 $min_choice-$max_choice 之间的数字: ${NC}\c"
322 +
323 + fi
324 +
325 + done
326 +
327 + }
328 +
329 +
330 +
331 + show_custom_menu() {
332 +
333 + show_menu
334 +
335 + echo -e "${CYAN}自定义加固选项 (可多选):${NC}"
336 +
337 + echo ""
338 +
339 + echo -e "${GREEN}1)${NC} 系统更新和包管理"
340 +
341 + echo -e "${GREEN}2)${NC} SSH安全加固"
342 +
343 + echo -e "${GREEN}3)${NC} 创建管理用户和SSH密钥"
344 +
345 + echo -e "${GREEN}4)${NC} 配置防火墙 (UFW)"
346 +
347 + echo -e "${GREEN}5)${NC} 安装和配置Fail2ban"
348 +
349 + echo -e "${GREEN}6)${NC} 用户和权限管理"
350 +
351 + echo -e "${GREEN}7)${NC} 禁用不必要服务"
352 +
353 + echo -e "${GREEN}8)${NC} 内核参数安全配置"
354 +
355 + echo -e "${GREEN}9)${NC} 文件系统权限加固"
356 +
357 + echo -e "${GREEN}10)${NC} 配置自动安全更新"
358 +
359 + echo -e "${GREEN}11)${NC} 安装完整安全工具套件 (AIDE+Rkhunter+Logwatch+Auditd+Chkrootkit)"
360 +
361 + echo -e "${GREEN}12)${NC} 生成安全加固报告"
362 +
363 + echo -e "${GREEN}13)${NC} 返回主菜单"
364 +
365 + echo ""
366 +
367 + echo -e "${YELLOW}请输入要执行的项目编号 (多个用逗号分隔,如: 1,2,3): ${NC}\c"
368 +
369 + }
370 +
371 +
372 +
373 + show_security_status() {
374 +
375 + show_menu
376 +
377 + echo -e "${CYAN}当前系统安全状态检查:${NC}"
378 +
379 + echo ""
380 +
381 + # SSH状态
382 +
383 + echo -e "${YELLOW}SSH配置状态:${NC}"
384 +
385 + if [[ -f "/etc/ssh/sshd_config" ]]; then
386 +
387 + echo -e "${GREEN}✓${NC} SSH配置文件存在"
388 +
389 + echo " 端口: $(grep "^Port" /etc/ssh/sshd_config | awk '{print $2}' || echo "22 (默认)")"
390 +
391 + echo " Root登录: $(grep "^PermitRootLogin" /etc/ssh/sshd_config | awk '{print $2}' || echo "未明确配置")"
392 +
393 + echo " 密码认证: $(grep "^PasswordAuthentication" /etc/ssh/sshd_config | awk '{print $2}' || echo "未明确配置")"
394 +
395 + else
396 +
397 + echo -e "${RED}✗${NC} SSH配置文件不存在"
398 +
399 + fi
400 +
401 + echo ""
402 +
403 + # 防火墙状态
404 +
405 + echo -e "${YELLOW}防火墙状态:${NC}"
406 +
407 + if command -v ufw &> /dev/null; then
408 +
409 + if ufw status | grep -q "Status: active"; then
410 +
411 + echo -e "${GREEN}✓${NC} UFW防火墙已启用"
412 +
413 + ufw status | head -10
414 +
415 + else
416 +
417 + echo -e "${YELLOW}!${NC} UFW防火墙已安装但未启用"
418 +
419 + fi
420 +
421 + else
422 +
423 + echo -e "${RED}✗${NC} UFW防火墙未安装"
424 +
425 + fi
426 +
427 + echo ""
428 +
429 + # Fail2ban状态
430 +
431 + echo -e "${YELLOW}Fail2ban状态:${NC}"
432 +
433 + if command -v fail2ban-client &> /dev/null; then
434 +
435 + if systemctl is-active --quiet fail2ban; then
436 +
437 + echo -e "${GREEN}✓${NC} Fail2ban服务正在运行"
438 +
439 + fail2ban-client status 2>/dev/null | head -5
440 +
441 + else
442 +
443 + echo -e "${YELLOW}!${NC} Fail2ban已安装但未运行"
444 +
445 + fi
446 +
447 + else
448 +
449 + echo -e "${RED}✗${NC} Fail2ban未安装"
450 +
451 + fi
452 +
453 + echo ""
454 +
455 + # 系统用户
456 +
457 + echo -e "${YELLOW}系统用户管理:${NC}"
458 +
459 + local admin_users=$(grep -E ":(sudo|admin)" /etc/group | cut -d: -f4 | head -5)
460 +
461 + if [[ -n "$admin_users" ]]; then
462 +
463 + echo -e "${GREEN}✓${NC} 管理员用户: $admin_users"
464 +
465 + else
466 +
467 + echo -e "${YELLOW}!${NC} 未检测到管理用户组"
468 +
469 + fi
470 +
471 + echo ""
472 +
473 + echo -e "${CYAN}按回车键返回主菜单...${NC}"
474 +
475 + read
476 +
477 + }
478 +
479 +
480 +
481 + ################################################################################
482 +
483 + # 主要加固功能
484 +
485 + ################################################################################
486 +
487 +
488 +
489 + # 1. 系统信息收集
490 +
491 + collect_system_info() {
492 +
493 + log_section "收集系统信息"
494 +
495 + log_info "操作系统: $(lsb_release -d 2>/dev/null | cut -f2 || echo "Unknown")"
496 +
497 + log_info "内核版本: $(uname -r)"
498 +
499 + log_info "主机名: $(hostname)"
500 +
501 + # 安全获取IP地址
502 +
503 + local ip=$(hostname -I 2>/dev/null | awk '{print $1}' || echo "无法获取")
504 +
505 + log_info "IP地址: $ip"
506 +
507 + log_info "开始加固时间: $(date)"
508 +
509 + echo "系统信息收集完成" >> "$LOG_FILE"
510 +
511 + }
512 +
513 +
514 +
515 + # 2. 系统更新
516 +
517 + update_system() {
518 +
519 + log_section "系统更新与安全补丁"
520 +
521 + log_info "开始系统更新..."
522 +
523 + safe_execute "apt update -y" "更新软件包列表"
524 +
525 + safe_execute "apt upgrade -y" "升级已安装的软件包"
526 +
527 + safe_execute "apt dist-upgrade -y" "安装安全更新"
528 +
529 + safe_execute "apt autoremove -y" "清理不需要的软件包"
530 +
531 + safe_execute "apt autoclean -y" "清理缓存"
532 +
533 + log_success "系统更新完成"
534 +
535 + }
536 +
537 +
538 +
539 + # 3. SSH安全加固
540 +
541 + harden_ssh() {
542 +
543 + log_section "SSH安全加固"
544 +
545 + local ssh_config="/etc/ssh/sshd_config"
546 +
547 + if [[ -f "$ssh_config" ]]; then
548 +
549 + backup_file "$ssh_config"
550 +
551 + log_info "配置SSH安全参数..."
552 +
553 + # 应用预设配置
554 +
555 + safe_execute "sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' '$ssh_config'" "禁用root登录"
556 +
557 + safe_execute "sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' '$ssh_config'" "禁用密码认证"
558 +
559 + safe_execute "sed -i 's/^#*Port.*/Port $SSH_PORT/' '$ssh_config'" "设置SSH端口为$SSH_PORT"
560 +
561 + # 其他SSH安全配置
562 +
563 + local ssh_config_addition='
564 +
565 + # 安全加固配置
566 +
567 + Protocol 2
568 +
569 + MaxAuthTries 3
570 +
571 + MaxSessions 2
572 +
573 + LoginGraceTime 60
574 +
575 + ClientAliveInterval 300
576 +
577 + ClientAliveCountMax 2
578 +
579 + PermitEmptyPasswords no
580 +
581 + X11Forwarding no
582 +
583 + UseDNS no
584 +
585 + '
586 +
587 + echo "$ssh_config_addition" >> "$ssh_config"
588 +
589 + # 重启SSH服务
590 +
591 + safe_execute "systemctl restart sshd" "重启SSH服务"
592 +
593 + log_success "SSH加固完成 - 端口: $SSH_PORT, Root登录: 禁用, 密码认证: 禁用"
594 +
595 + log_warning "请确保已在防火墙中开放端口 $SSH_PORT"
596 +
597 + log_warning "请确保已配置SSH密钥认证"
598 +
599 + else
600 +
601 + log_error "SSH配置文件不存在: $ssh_config"
602 +
603 + fi
604 +
605 + }
606 +
607 +
608 +
609 + # 4. 用户管理和SSH密钥配置
610 +
611 + manage_users() {
612 +
613 + log_section "创建管理用户和配置SSH密钥"
614 +
615 + local username=$ADMIN_USERNAME
616 +
617 + local user_home=$(eval echo "~$username")
618 +
619 + # 检查用户是否已存在
620 +
621 + if id "$username" &>/dev/null 2>&1; then
622 +
623 + log_info "用户 $username 已存在,跳过创建"
624 +
625 + else
626 +
627 + # 创建用户
628 +
629 + log_info "创建用户: $username"
630 +
631 + safe_execute "useradd -m -s /bin/bash '$username'" "创建用户 $username"
632 +
633 + # 设置随机密码
634 +
635 + local temp_password=$(openssl rand -base64 32)
636 +
637 + echo "$username:$temp_password" | chpasswd
638 +
639 + log_success "用户 $username 创建成功"
640 +
641 + log_info "临时密码: $temp_password (建议首次登录后修改)"
642 +
643 + # 将用户添加到sudo组
644 +
645 + safe_execute "usermod -aG sudo '$username'" "将 $username 添加到sudo组"
646 +
647 + fi
648 +
649 + # 配置SSH密钥
650 +
651 + local ssh_dir="$user_home/.ssh"
652 +
653 + local authorized_keys="$ssh_dir/authorized_keys"
654 +
655 + # 确保用户有.ssh目录
656 +
657 + mkdir -p "$ssh_dir"
658 +
659 + chown "$username:$username" "$ssh_dir"
660 +
661 + # 生成SSH密钥对
662 +
663 + log_info "生成SSH密钥对..."
664 +
665 + cd "$user_home"
666 +
667 + if [[ ! -f "$ssh_dir/id_rsa" ]]; then
668 +
669 + su - "$username" -c "ssh-keygen -t rsa -b 4096 -f $ssh_dir/id_rsa -N '' -C '$username@$(hostname)'"
670 +
671 + if [[ -f "$ssh_dir/id_rsa" ]]; then
672 +
673 + log_success "SSH密钥对生成成功"
674 +
675 + log_info "私钥文件: $ssh_dir/id_rsa"
676 +
677 + log_info "公钥文件: $ssh_dir/id_rsa.pub"
678 +
679 + log_warning "请妥善保管私钥文件,不要上传到公共服务器"
680 +
681 + # 设置公钥到authorized_keys
682 +
683 + cat "$ssh_dir/id_rsa.pub" > "$authorized_keys"
684 +
685 + else
686 +
687 + log_error "SSH密钥生成失败"
688 +
689 + return 1
690 +
691 + fi
692 +
693 + else
694 +
695 + log_info "SSH密钥已存在"
696 +
697 + fi
698 +
699 + # 设置sudo无密码
700 +
701 + local sudoers_file="/etc/sudoers.d/$username"
702 +
703 + echo "$username ALL=(ALL) NOPASSWD:ALL" > "$sudoers_file"
704 +
705 + chmod 440 "$sudoers_file"
706 +
707 + log_success "已配置 $username sudo无密码权限"
708 +
709 + # 设置文件权限
710 +
711 + safe_execute "chown -R $username:$username '$ssh_dir'" "设置SSH目录权限"
712 +
713 + safe_execute "chmod 700 '$ssh_dir'" "设置SSH目录权限为700"
714 +
715 + safe_execute "chmod 600 '$authorized_keys'" "设置公钥文件权限为600"
716 +
717 + log_success "用户管理完成 - 用户: $username"
718 +
719 + }
720 +
721 +
722 +
723 + # 5. 防火墙配置
724 +
725 + configure_firewall() {
726 +
727 + log_section "配置UFW防火墙"
728 +
729 + if ! command -v ufw &> /dev/null; then
730 +
731 + safe_execute "apt install ufw -y" "安装UFW"
732 +
733 + fi
734 +
735 + log_info "配置UFW规则..."
736 +
737 + # 默认策略
738 +
739 + safe_execute "ufw default deny incoming" "设置默认入站策略:拒绝"
740 +
741 + safe_execute "ufw default allow outgoing" "设置默认出站策略:允许"
742 +
743 + # 允许SSH
744 +
745 + safe_execute "ufw allow $SSH_PORT/tcp comment 'SSH'" "允许SSH端口: $SSH_PORT"
746 +
747 + # 允许常用端口
748 +
749 + local common_ports=("80/tcp" "443/tcp" "53/udp" "123/udp")
750 +
751 + local port_comments=("HTTP" "HTTPS" "DNS" "NTP")
752 +
753 + for i in "${!common_ports[@]}"; do
754 +
755 + log_info "开放端口 ${common_ports[$i]} (${port_comments[$i]})"
756 +
757 + safe_execute "ufw allow ${common_ports[$i]} comment '${port_comments[$i]}'" "开放${port_comments[$i]}端口"
758 +
759 + done
760 +
761 + # 启用UFW
762 +
763 + log_info "启用UFW防火墙..."
764 +
765 + safe_execute "ufw --force enable" "强制启用UFW"
766 +
767 + # 显示状态
768 +
769 + log_success "防火墙配置完成"
770 +
771 + ufw status | head -15
772 +
773 + }
774 +
775 +
776 +
777 + # 6. 安装和配置Fail2ban
778 +
779 + install_fail2ban() {
780 +
781 + log_section "安装和配置Fail2ban"
782 +
783 + if ! command -v fail2ban-client &> /dev/null; then
784 +
785 + safe_execute "apt install fail2ban -y" "安装Fail2ban"
786 +
787 + else
788 +
789 + log_info "Fail2ban已安装"
790 +
791 + fi
792 +
793 + # 配置fail2ban
794 +
795 + local jail_local="/etc/fail2ban/jail.local"
796 +
797 + backup_file "$jail_local" 2>/dev/null || true
798 +
799 + log_info "创建Fail2ban配置..."
800 +
801 + cat > "$jail_local" << EOF
802 +
803 + [DEFAULT]
804 +
805 + # 封禁时间(秒)
806 +
807 + bantime = 3600
808 +
809 +
810 +
811 + # 查找时间窗口(秒)
812 +
813 + findtime = 600
814 +
815 +
816 +
817 + # 最大尝试次数
818 +
819 + maxretry = 5
820 +
821 +
822 +
823 + [sshd]
824 +
825 + enabled = true
826 +
827 + port = $SSH_PORT
828 +
829 + filter = sshd
830 +
831 + logpath = /var/log/auth.log
832 +
833 + maxretry = 3
834 +
835 + bantime = 7200
836 +
837 +
838 +
839 + [sshd-ddos]
840 +
841 + enabled = true
842 +
843 + port = $SSH_PORT
844 +
845 + filter = sshd-ddos
846 +
847 + logpath = /var/log/auth.log
848 +
849 + maxretry = 2
850 +
851 + bantime = 7200
852 +
853 + EOF
854 +
855 + safe_execute "systemctl enable fail2ban" "启用Fail2ban服务"
856 +
857 + safe_execute "systemctl restart fail2ban" "重启Fail2ban服务"
858 +
859 + sleep 2
860 +
861 + if command -v fail2ban-client &> /dev/null; then
862 +
863 + log_success "Fail2ban配置完成"
864 +
865 + fail2ban-client status 2>/dev/null | head -5
866 +
867 + fi
868 +
869 + }
870 +
871 +
872 +
873 + # 7. 用户和权限管理
874 +
875 + harden_users() {
876 +
877 + log_section "用户和权限加固"
878 +
879 + # 密码策略
880 +
881 + log_info "配置密码策略..."
882 +
883 + if ! dpkg -l | grep -q libpam-pwquality; then
884 +
885 + safe_execute "apt install libpam-pwquality -y" "安装密码质量检查工具"
886 +
887 + fi
888 +
889 + local pwquality_file="/etc/security/pwquality.conf"
890 +
891 + backup_file "$pwquality_file"
892 +
893 + cat >> "$pwquality_file" << 'EOF'
894 +
895 +
896 +
897 + # 密码安全策略
898 +
899 + minlen = 12
900 +
901 + dcredit = -1
902 +
903 + ucredit = -1
904 +
905 + lcredit = -1
906 +
907 + ocredit = -1
908 +
909 + maxrepeat = 3
910 +
911 + EOF
912 +
913 + # 密码过期策略
914 +
915 + local login_defs="/etc/login.defs"
916 +
917 + if [[ -f "$login_defs" ]]; then
918 +
919 + backup_file "$login_defs"
920 +
921 + safe_execute "sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' '$login_defs'" "设置密码最大有效期"
922 +
923 + safe_execute "sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 1/' '$login_defs'" "设置密码最小间隔"
924 +
925 + safe_execute "sed -i 's/^PASS_WARN_AGE.*/PASS_WARN_AGE 14/' '$login_defs'" "设置密码警告时间"
926 +
927 + fi
928 +
929 + log_success "密码策略配置完成"
930 +
931 + # 锁定不必要的系统账户
932 +
933 + log_info "锁定系统账户..."
934 +
935 + local system_users=("bin" "daemon" "adm" "lp" "sync" "shutdown" "halt" "mail" "news" "uucp" "operator" "games" "gopher" "ftp")
936 +
937 + for user in "${system_users[@]}"; do
938 +
939 + if id "$user" &>/dev/null 2>&1; then
940 +
941 + usermod -L -s /usr/sbin/nologin "$user" 2>/dev/null || true
942 +
943 + fi
944 +
945 + done
946 +
947 + log_success "用户加固完成"
948 +
949 + }
950 +
951 +
952 +
953 + # 8. 禁用不必要的服务
954 +
955 + disable_services() {
956 +
957 + log_section "禁用不必要的服务"
958 +
959 + local services_to_disable=("avahi-daemon" "cups" "isc-dhcp-server" "isc-dhcp-server6" "bluetooth")
960 +
961 + for service in "${services_to_disable[@]}"; do
962 +
963 + if systemctl is-enabled "$service" &>/dev/null 2>&1; then
964 +
965 + safe_execute "systemctl stop '$service'" "停止服务: $service"
966 +
967 + safe_execute "systemctl disable '$service'" "禁用服务: $service"
968 +
969 + log_info "已禁用服务: $service"
970 +
971 + fi
972 +
973 + done
974 +
975 + log_success "不必要服务禁用完成"
976 +
977 + }
978 +
979 +
980 +
981 + # 9. 内核参数安全配置
982 +
983 + harden_kernel() {
984 +
985 + log_section "内核参数安全配置"
986 +
987 + local sysctl_conf="/etc/sysctl.d/99-security.conf"
988 +
989 + backup_file "$sysctl_conf" 2>/dev/null || true
990 +
991 + log_info "配置内核安全参数..."
992 +
993 + cat > "$sysctl_conf" << 'EOF'
994 +
995 + # IP转发禁用
996 +
997 + net.ipv4.ip_forward = 0
998 +
999 + net.ipv6.conf.all.forwarding = 0
1000 +
1001 +
1002 +
1003 + # SYN cookies保护
1004 +
1005 + net.ipv4.tcp_syncookies = 1
1006 +
1007 +
1008 +
1009 + # 忽略ICMP重定向
1010 +
1011 + net.ipv4.conf.all.accept_redirects = 0
1012 +
1013 + net.ipv6.conf.all.accept_redirects = 0
1014 +
1015 + net.ipv4.conf.default.accept_redirects = 0
1016 +
1017 + net.ipv6.conf.default.accept_redirects = 0
1018 +
1019 +
1020 +
1021 + # 忽略安全ICMP重定向
1022 +
1023 + net.ipv4.conf.all.secure_redirects = 0
1024 +
1025 + net.ipv4.conf.default.secure_redirects = 0
1026 +
1027 +
1028 +
1029 + # 禁用源路由
1030 +
1031 + net.ipv4.conf.all.accept_source_route = 0
1032 +
1033 + net.ipv6.conf.all.accept_source_route = 0
1034 +
1035 + net.ipv4.conf.default.accept_source_route = 0
1036 +
1037 + net.ipv6.conf.default.accept_source_route = 0
1038 +
1039 +
1040 +
1041 + # 记录可疑包
1042 +
1043 + net.ipv4.conf.all.log_martians = 1
1044 +
1045 + net.ipv4.conf.default.log_martians = 1
1046 +
1047 +
1048 +
1049 + # 忽略ICMP ping请求
1050 +
1051 + net.ipv4.icmp_echo_ignore_broadcasts = 1
1052 +
1053 +
1054 +
1055 + # 反向路径过滤
1056 +
1057 + net.ipv4.conf.all.rp_filter = 1
1058 +
1059 + net.ipv4.conf.default.rp_filter = 1
1060 +
1061 +
1062 +
1063 + # 保护系统免受SYN flood攻击
1064 +
1065 + net.ipv4.tcp_max_syn_backlog = 2048
1066 +
1067 + net.ipv4.tcp_synack_retries = 2
1068 +
1069 + net.ipv4.tcp_syn_retries = 5
1070 +
1071 + EOF
1072 +
1073 + if command -v sysctl &> /dev/null; then
1074 +
1075 + safe_execute "sysctl -p '$sysctl_conf'" "应用内核参数配置"
1076 +
1077 + fi
1078 +
1079 + log_success "内核参数配置完成"
1080 +
1081 + }
1082 +
1083 +
1084 +
1085 + # 10. 文件系统和权限加固
1086 +
1087 + harden_filesystem() {
1088 +
1089 + log_section "文件系统权限加固"
1090 +
1091 + log_info "设置重要文件权限..."
1092 +
1093 + # 关键配置文件权限
1094 +
1095 + local files_to_protect=(
1096 +
1097 + "/etc/ssh/sshd_config:600"
1098 +
1099 + "/etc/passwd:644"
1100 +
1101 + "/etc/shadow:640"
1102 +
1103 + "/etc/group:644"
1104 +
1105 + "/etc/gshadow:600"
1106 +
1107 + )
1108 +
1109 + for file_perm in "${files_to_protect[@]}"; do
1110 +
1111 + local file="${file_perm%:*}"
1112 +
1113 + local perm="${file_perm#*:}"
1114 +
1115 + if [[ -f "$file" ]]; then
1116 +
1117 + safe_execute "chmod $perm '$file'" "设置文件权限: $file -> $perm"
1118 +
1119 + fi
1120 +
1121 + done
1122 +
1123 + log_success "重要文件权限已加固"
1124 +
1125 + # 查找并报告可疑权限文件
1126 +
1127 + log_info "查找具有SUID/SGID权限的文件(记录到日志)..."
1128 +
1129 + if command -v find &> /dev/null; then
1130 +
1131 + find / -perm /6000 -type f 2>/dev/null >> "$LOG_FILE" || true
1132 +
1133 + fi
1134 +
1135 + }
1136 +
1137 +
1138 +
1139 + # 11. 配置自动安全更新
1140 +
1141 + configure_auto_updates() {
1142 +
1143 + log_section "配置自动安全更新"
1144 +
1145 + if ! dpkg -l | grep -q unattended-upgrades; then
1146 +
1147 + safe_execute "apt install unattended-upgrades apt-listchanges -y" "安装自动更新工具"
1148 +
1149 + fi
1150 +
1151 + if command -v dpkg-reconfigure &> /dev/null; then
1152 +
1153 + safe_execute "echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | debconf-set-selections && debconf-show unattended-upgrades" "配置自动更新"
1154 +
1155 + fi
1156 +
1157 + log_success "自动安全更新已启用"
1158 +
1159 + }
1160 +
1161 +
1162 +
1163 + # 12. 安装其他安全工具
1164 +
1165 + install_security_tools() {
1166 +
1167 + log_section "安装额外安全工具"
1168 +
1169 + # 优先级安全工具 - 快速加固中最重要的
1170 +
1171 + local priority_tools=("aide" "rkhunter")
1172 +
1173 + # 完整的工具列表 - 自定义模式中可选择
1174 +
1175 + local all_tools=("aide" "rkhunter" "logwatch" "auditd" "chkrootkit")
1176 +
1177 + # 智能选择 - 根据加固模式选择工具
1178 +
1179 + local tools=()
1180 +
1181 + if [[ "${INSTALL_MODE:-full}" == "priority" ]]; then
1182 +
1183 + tools=("${priority_tools[@]}")
1184 +
1185 + log_info "快速加固模式: 安装关键安全工具"
1186 +
1187 + else
1188 +
1189 + tools=("${all_tools[@]}")
1190 +
1191 + log_info "完整安装模式: 安装所有推荐安全工具"
1192 +
1193 + fi
1194 +
1195 + for tool in "${tools[@]}"; do
1196 +
1197 + if apt list --installed 2>/dev/null | grep -q "^$tool/"; then
1198 +
1199 + log_info "$tool 已安装"
1200 +
1201 + continue
1202 +
1203 + fi
1204 +
1205 + # 智能安装 - 跳过可能的不可用工具
1206 +
1207 + case "$tool" in
1208 +
1209 + "auditd")
1210 +
1211 + if ! dpkg -l | grep -q "auditd"; then
1212 +
1213 + if safe_execute "apt install '$tool' -y" "安装安全工具: $tool"; then
1214 +
1215 + safe_execute "systemctl enable auditd" "启用auditd服务"
1216 +
1217 + safe_execute "systemctl start auditd" "启动auditd服务"
1218 +
1219 + log_success "已安装并启用: $tool"
1220 +
1221 + else
1222 +
1223 + log_warning "跳过 $tool 安装"
1224 +
1225 + fi
1226 +
1227 + fi
1228 +
1229 + ;;
1230 +
1231 + "chkrootkit")
1232 +
1233 + if safe_execute "apt install '$tool' -y" "安装安全工具: $tool"; then
1234 +
1235 + log_success "已安装: $tool"
1236 +
1237 + else
1238 +
1239 + log_warning "跳过 $tool 安装"
1240 +
1241 + fi
1242 +
1243 + ;;
1244 +
1245 + *)
1246 +
1247 + if safe_execute "apt install '$tool' -y" "安装安全工具: $tool"; then
1248 +
1249 + # 特殊配置
1250 +
1251 + case "$tool" in
1252 +
1253 + "rkhunter")
1254 +
1255 + if command -v rkhunter &> /dev/null; then
1256 +
1257 + safe_execute "rkhunter --update" "更新rkhunter数据库"
1258 +
1259 + safe_execute "rkhunter --propupd" "更新rkhunter属性"
1260 +
1261 + fi
1262 +
1263 + ;;
1264 +
1265 + esac
1266 +
1267 + log_success "已安装: $tool"
1268 +
1269 + else
1270 +
1271 + log_warning "跳过 $tool 安装"
1272 +
1273 + fi
1274 +
1275 + ;;
1276 +
1277 + esac
1278 +
1279 + done
1280 +
1281 + # 显示安装总结
1282 +
1283 + log_info "安全工具安装总结:"
1284 +
1285 + for tool in "${tools[@]}"; do
1286 +
1287 + if command -v "$tool" &>/dev/null; then
1288 +
1289 + log_success "✓ $tool - 已安装"
1290 +
1291 + else
1292 +
1293 + log_info "- $tool - 跳过或安装失败"
1294 +
1295 + fi
1296 +
1297 + done
1298 +
1299 + }
1300 +
1301 +
1302 +
1303 + # 13. 生成加固报告
1304 +
1305 + generate_report() {
1306 +
1307 + log_section "生成安全加固报告"
1308 +
1309 + local report_file="/root/security_hardening_report_$(date +%Y%m%d_%H%M%S).txt"
1310 +
1311 + # 安全获取系统信息
1312 +
1313 + local os_info=$(lsb_release -d 2>/dev/null | cut -f2 || echo "Unknown")
1314 +
1315 + local kernel_info=$(uname -r)
1316 +
1317 + local hostname_info=$(hostname)
1318 +
1319 + cat > "$report_file" << EOF
1320 +
1321 + ================================================================================
1322 +
1323 + 服务器安全加固报告
1324 +
1325 + ================================================================================
1326 +
1327 + 生成时间: $(date)
1328 +
1329 + 主机名: $hostname_info
1330 +
1331 + 操作系统: $os_info
1332 +
1333 + 内核版本: $kernel_info
1334 +
1335 +
1336 +
1337 + --------------------------------------------------------------------------------
1338 +
1339 + 1. SSH配置
1340 +
1341 + --------------------------------------------------------------------------------
1342 +
1343 + $(grep -E "^(Port|PermitRootLogin|PasswordAuthentication)" /etc/ssh/sshd_config 2>/dev/null || echo "SSH配置不可读")
1344 +
1345 +
1346 +
1347 + --------------------------------------------------------------------------------
1348 +
1349 + 2. 防火墙状态
1350 +
1351 + --------------------------------------------------------------------------------
1352 +
1353 + $(ufw status verbose 2>/dev/null || echo "UFW不可用")
1354 +
1355 +
1356 +
1357 + --------------------------------------------------------------------------------
1358 +
1359 + 3. Fail2ban状态
1360 +
1361 + --------------------------------------------------------------------------------
1362 +
1363 + $(fail2ban-client status 2>/dev/null || echo "Fail2ban未运行")
1364 +
1365 +
1366 +
1367 + --------------------------------------------------------------------------------
1368 +
1369 + 4. 已安装的安全工具
1370 +
1371 + --------------------------------------------------------------------------------
1372 +
1373 + $(dpkg -l 2>/dev/null | grep -E "fail2ban|ufw|aide|rkhunter|logwatch|unattended-upgrades" | awk '{print $2 " " $3}' | column -t || echo "无法获取包信息")
1374 +
1375 +
1376 +
1377 + --------------------------------------------------------------------------------
1378 +
1379 + 5. 活动监听端口
1380 +
1381 + --------------------------------------------------------------------------------
1382 +
1383 + $(ss -tunlp 2>/dev/null || netstat -tunlp 2>/dev/null || echo "端口信息不可用")
1384 +
1385 +
1386 +
1387 + --------------------------------------------------------------------------------
1388 +
1389 + 6. 管理用户
1390 +
1391 + --------------------------------------------------------------------------------
1392 +
1393 + $(grep -E ":(sudo|admin)" /etc/group 2>/dev/null | head -5 || echo "无管理用户组")
1394 +
1395 +
1396 +
1397 + --------------------------------------------------------------------------------
1398 +
1399 + 备份目录: $BACKUP_DIR
1400 +
1401 + 日志文件: $LOG_FILE
1402 +
1403 + 配置完成时间: $(date)
1404 +
1405 + --------------------------------------------------------------------------------
1406 +
1407 + EOF
1408 +
1409 + log_success "安全加固报告已生成: $report_file"
1410 +
1411 + # 显示报告摘要
1412 +
1413 + echo -e "${CYAN}报告摘要:${NC}"
1414 +
1415 + echo "- 操作系统: $os_info"
1416 +
1417 + echo "- SSH端口: $SSH_PORT"
1418 +
1419 + echo "- 管理员用户: $ADMIN_USERNAME"
1420 +
1421 + echo "- 防火墙: $(ufw status 2>/dev/null | grep -q "active" && echo "已启用" || echo "未启用")"
1422 +
1423 + echo "- Fail2ban: $(systemctl is-active fail2ban 2>/dev/null || echo "未运行")"
1424 +
1425 + echo ""
1426 +
1427 + echo -e "${YELLOW}完整报告请查看: $report_file${NC}"
1428 +
1429 + }
1430 +
1431 +
1432 +
1433 + ################################################################################
1434 +
1435 + # 快速加固流程
1436 +
1437 + ################################################################################
1438 +
1439 +
1440 +
1441 + quick_hardening() {
1442 +
1443 + log_section "开始快速加固"
1444 +
1445 + log_warning "这将应用所有推荐的安全设置"
1446 +
1447 + # 设置快速加固模式 - 优先安装关键安全工具
1448 +
1449 + export INSTALL_MODE="priority"
1450 +
1451 + # 执行所有加固步骤
1452 +
1453 + collect_system_info
1454 +
1455 + update_system
1456 +
1457 + harden_ssh
1458 +
1459 + manage_users
1460 +
1461 + configure_firewall
1462 +
1463 + install_fail2ban
1464 +
1465 + harden_users
1466 +
1467 + disable_services
1468 +
1469 + harden_kernel
1470 +
1471 + harden_filesystem
1472 +
1473 + configure_auto_updates
1474 +
1475 + install_security_tools
1476 +
1477 + generate_report
1478 +
1479 + log_section "快速加固完成"
1480 +
1481 + show_completion_message
1482 +
1483 + }
1484 +
1485 +
1486 +
1487 + ################################################################################
1488 +
1489 + # 自定义加固流程
1490 +
1491 + ################################################################################
1492 +
1493 +
1494 +
1495 + custom_hardening() {
1496 +
1497 + while true; do
1498 +
1499 + show_custom_menu
1500 +
1501 + local choice=$(get_menu_choice 1 13)
1502 +
1503 + case $choice in
1504 +
1505 + 1)
1506 +
1507 + collect_system_info
1508 +
1509 + update_system
1510 +
1511 + ;;
1512 +
1513 + 2)
1514 +
1515 + show_ssh_config_menu
1516 +
1517 + ;;
1518 +
1519 + 3)
1520 +
1521 + show_user_config_menu
1522 +
1523 + ;;
1524 +
1525 + 4)
1526 +
1527 + configure_firewall
1528 +
1529 + ;;
1530 +
1531 + 5)
1532 +
1533 + install_fail2ban
1534 +
1535 + ;;
1536 +
1537 + 6)
1538 +
1539 + harden_users
1540 +
1541 + ;;
1542 +
1543 + 7)
1544 +
1545 + disable_services
1546 +
1547 + ;;
1548 +
1549 + 8)
1550 +
1551 + harden_kernel
1552 +
1553 + ;;
1554 +
1555 + 9)
1556 +
1557 + harden_filesystem
1558 +
1559 + ;;
1560 +
1561 + 10)
1562 +
1563 + configure_auto_updates
1564 +
1565 + ;;
1566 +
1567 + 11)
1568 +
1569 + export INSTALL_MODE="full"
1570 +
1571 + install_security_tools
1572 +
1573 + ;;
1574 +
1575 + 12)
1576 +
1577 + generate_report
1578 +
1579 + ;;
1580 +
1581 + 13)
1582 +
1583 + return 0
1584 +
1585 + ;;
1586 +
1587 + esac
1588 +
1589 + echo ""
1590 +
1591 + echo -e "${YELLOW}按回车键继续...${NC}"
1592 +
1593 + read
1594 +
1595 + done
1596 +
1597 + }
1598 +
1599 +
1600 +
1601 + show_ssh_config_menu() {
1602 +
1603 + show_menu
1604 +
1605 + echo -e "${CYAN}SSH配置选项:${NC}"
1606 +
1607 + echo ""
1608 +
1609 + echo -e "${GREEN}1)${NC} 标准配置 (端口2222, 禁用root, 禁用密码)"
1610 +
1611 + echo -e "${GREEN}2)${NC} 安全配置 (端口22, 禁用root, 禁用密码)"
1612 +
1613 + echo -e "${GREEN}3)${NC} 自定义端口 (输入端口号)"
1614 +
1615 + echo -e "${GREEN}4)${NC} 返回"
1616 +
1617 + echo ""
1618 +
1619 + echo -e "${YELLOW}请选择SSH配置 [1-4]: ${NC}\c"
1620 +
1621 + local ssh_choice=$(get_menu_choice 1 4)
1622 +
1623 + case $ssh_choice in
1624 +
1625 + 1)
1626 +
1627 + SSH_PORT=2222
1628 +
1629 + harden_ssh
1630 +
1631 + ;;
1632 +
1633 + 2)
1634 +
1635 + SSH_PORT=22
1636 +
1637 + harden_ssh
1638 +
1639 + ;;
1640 +
1641 + 3)
1642 +
1643 + echo -e "${YELLOW}请输入SSH端口号 (1024-65535): ${NC}\c"
1644 +
1645 + read -p "" custom_port
1646 +
1647 + if [[ "$custom_port" =~ ^[0-9]+$ ]] && [[ "$custom_port" -gt 1024 ]] && [[ "$custom_port" -lt 65536 ]]; then
1648 +
1649 + SSH_PORT=$custom_port
1650 +
1651 + harden_ssh
1652 +
1653 + else
1654 +
1655 + log_error "无效的端口号"
1656 +
1657 + fi
1658 +
1659 + ;;
1660 +
1661 + 4)
1662 +
1663 + return 0
1664 +
1665 + ;;
1666 +
1667 + esac
1668 +
1669 + }
1670 +
1671 +
1672 +
1673 + show_user_config_menu() {
1674 +
1675 + show_menu
1676 +
1677 + echo -e "${CYAN}用户管理配置选项:${NC}"
1678 +
1679 + echo ""
1680 +
1681 + echo -e "${GREEN}1)${NC} 创建admin用户 (推荐)"
1682 +
1683 + echo -e "${GREEN}2)${NC} 创建operator用户"
1684 +
1685 + echo -e "${GREEN}3)${NC} 自定义用户名"
1686 +
1687 + echo -e "${GREEN}4)${NC} 跳过用户创建"
1688 +
1689 + echo ""
1690 +
1691 + echo -e "${YELLOW}请选择用户配置 [1-4]: ${NC}\c"
1692 +
1693 + local user_choice=$(get_menu_choice 1 4)
1694 +
1695 + case $user_choice in
1696 +
1697 + 1)
1698 +
1699 + ADMIN_USERNAME="admin"
1700 +
1701 + manage_users
1702 +
1703 + ;;
1704 +
1705 + 2)
1706 +
1707 + ADMIN_USERNAME="operator"
1708 +
1709 + manage_users
1710 +
1711 + ;;
1712 +
1713 + 3)
1714 +
1715 + echo -e "${YELLOW}请输入用户名: ${NC}\c"
1716 +
1717 + read -p "" ADMIN_USERNAME
1718 +
1719 + if [[ -n "$ADMIN_USERNAME" ]] && [[ "$ADMIN_USERNAME" =~ ^[a-z_][a-z0-9_-]*$ ]]; then
1720 +
1721 + manage_users
1722 +
1723 + else
1724 +
1725 + log_error "无效的用户名"
1726 +
1727 + fi
1728 +
1729 + ;;
1730 +
1731 + 4)
1732 +
1733 + log_info "跳过用户创建"
1734 +
1735 + ;;
1736 +
1737 + esac
1738 +
1739 + }
1740 +
1741 +
1742 +
1743 + ################################################################################
1744 +
1745 + # 完成消息
1746 +
1747 + ################################################################################
1748 +
1749 +
1750 +
1751 + show_completion_message() {
1752 +
1753 + echo -e "${GREEN}"
1754 +
1755 + cat << EOF
1756 +
1757 + ╔══════════════════════════════════════════════════════════════╗
1758 +
1759 + ║ 安全加固已完成! ║
1760 +
1761 + ╚══════════════════════════════════════════════════════════════╝
1762 +
1763 +
1764 +
1765 + 重要提醒:
1766 +
1767 + 1. SSH访问信息:
1768 +
1769 + - 端口: $SSH_PORT
1770 +
1771 + - 用户: $ADMIN_USERNAME
1772 +
1773 + - 认证方式: SSH密钥 (推荐)
1774 +
1775 + 2. 文件位置:
1776 +
1777 + - 配置备份: $BACKUP_DIR
1778 +
1779 + - 详细日志: $LOG_FILE
1780 +
1781 + - 安全报告: /root/security_hardening_report_*.txt
1782 +
1783 +
1784 +
1785 + 3. 后续步骤:
1786 +
1787 + - 使用SSH密钥登录新用户账户
1788 +
1789 + - 验证防火墙规则: ufw status
1790 +
1791 + - 检查Fail2ban状态: fail2ban-client status
1792 +
1793 + - 重启服务器以确保所有更改生效
1794 +
1795 +
1796 +
1797 + 4. 安全检查:
1798 +
1799 + - 定期检查 /var/log/auth.log
1800 +
1801 + - 运行: rkhunter --check (如已安装)
1802 +
1803 + - 监控fail2ban日志: tail -f /var/log/fail2ban.log
1804 +
1805 +
1806 +
1807 + EOF
1808 +
1809 + echo -e "${NC}"
1810 +
1811 + if [[ "$ENABLE_AUTO_REBOOT" == "true" ]]; then
1812 +
1813 + echo -e "${YELLOW}是否重启服务器以确保所有更改生效?${NC}"
1814 +
1815 + echo -e "${GREEN}1)${NC} 是,立即重启"
1816 +
1817 + echo -e "${GREEN}2)${NC} 否,稍后手动重启"
1818 +
1819 + echo ""
1820 +
1821 + echo -e "${YELLOW}请选择 [1-2]: ${NC}\c"
1822 +
1823 + local reboot_choice=$(get_menu_choice 1 2)
1824 +
1825 + case $reboot_choice in
1826 +
1827 + 1)
1828 +
1829 + log "系统将在10秒后重启..."
1830 +
1831 + sleep 10
1832 +
1833 + if command -v reboot &> /dev/null; then
1834 +
1835 + reboot
1836 +
1837 + else
1838 +
1839 + shutdown -r now
1840 +
1841 + fi
1842 +
1843 + ;;
1844 +
1845 + 2)
1846 +
1847 + log_info "请记得稍后手动重启服务器"
1848 +
1849 + ;;
1850 +
1851 + esac
1852 +
1853 + fi
1854 +
1855 + }
1856 +
1857 +
1858 +
1859 + ################################################################################
1860 +
1861 + # 主程序
1862 +
1863 + ################################################################################
1864 +
1865 +
1866 +
1867 + main() {
1868 +
1869 + # 检查root权限
1870 +
1871 + check_root
1872 +
1873 + while true; do
1874 +
1875 + show_main_menu
1876 +
1877 + local choice=$(get_menu_choice 1 5)
1878 +
1879 + case $choice in
1880 +
1881 + 1)
1882 +
1883 + log "开始快速加固流程..."
1884 +
1885 + quick_hardening
1886 +
1887 + break
1888 +
1889 + ;;
1890 +
1891 + 2)
1892 +
1893 + log "开始自定义加固流程..."
1894 +
1895 + custom_hardening
1896 +
1897 + ;;
1898 +
1899 + 3)
1900 +
1901 + log "开始系统更新..."
1902 +
1903 + collect_system_info
1904 +
1905 + update_system
1906 +
1907 + echo ""
1908 +
1909 + echo -e "${YELLOW}按回车键返回主菜单...${NC}"
1910 +
1911 + read
1912 +
1913 + ;;
1914 +
1915 + 4)
1916 +
1917 + show_security_status
1918 +
1919 + ;;
1920 +
1921 + 5)
1922 +
1923 + log "退出脚本"
1924 +
1925 + exit 0
1926 +
1927 + ;;
1928 +
1929 + esac
1930 +
1931 + done
1932 +
1933 + }
1934 +
1935 +
1936 +
1937 + # 运行主程序
1938 +
1939 + main "$@"