server_harden.sh - Opengist

server_harden.sh · 29 KiB · Bash Surowy

#!/bin/bash ################################################################################ # 服务器自动化加固脚本 # 作者: Mercas # 日期: 2025-11-09 # 说明: 本脚本用于自动化加固Ubuntu 22.04服务器安全配置 # 版本: v1.4 (多选项菜单版 - 简化交互流程) # 新增功能: # - 全菜单式操作界面 # - 模块化选择加固项目 # - 预设配置选项 # - 一键快速加固 ################################################################################ # 终端类型兼容性处理 if [[ "$TERM" == "xterm-kitty" ]]; then export TERM=xterm-color log_info "检测到xterm-kitty终端，已自动切换到xterm-color" elif [[ -z "$TERM" ]] || [[ "$TERM" == "unknown" ]]; then export TERM=xterm-color log_info "检测到未知终端类型，已设置为xterm-color" fi # 设置脚本使用的基本终端类型（避免颜色问题） export TERM=xterm-color # 禁用一些可能引起终端问题的选项 set +H # 禁用历史扩展 set +e # 暂时禁用错误退出 set -e # 遇到错误立即退出 trap 'echo "错误发生在第 $LINENO 行"' ERR # 颜色定义（使用更兼容的方式） if command -v tput &> /dev/null && [[ -n "$TERM" ]]; then RED=$(tput setaf 1 2>/dev/null || echo '\033[0;31m') GREEN=$(tput setaf 2 2>/dev/null || echo '\033[0;32m') YELLOW=$(tput setaf 3 2>/dev/null || echo '\033[1;33m') BLUE=$(tput setaf 4 2>/dev/null || echo '\033[0;34m') PURPLE=$(tput setaf 5 2>/dev/null || echo '\033[0;35m') CYAN=$(tput setaf 6 2>/dev/null || echo '\033[0;36m') NC=$(tput sgr0 2>/dev/null || echo '\033[0m') else # 回退到简单颜色 RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m' BLUE='\033[0;34m' PURPLE='\033[0;35m' CYAN='\033[0;36m' NC='\033[0m' fi # 日志文件 LOG_FILE="/var/log/server_hardening_$(date +%Y%m%d_%H%M%S).log" BACKUP_DIR="/root/security_backup_$(date +%Y%m%d_%H%M%S)" # 配置变量 SSH_PORT=22 ADMIN_USERNAME="admin" ENABLE_AUTO_REBOOT=true ################################################################################ # 工具函数 ################################################################################ log() { echo -e "${GREEN}[$(date +'%Y-%m-%d %H:%M:%S')]${NC} $1" | tee -a "$LOG_FILE" } log_info() { echo -e "${BLUE}[INFO]${NC} $1" | tee -a "$LOG_FILE" } log_warning() { echo -e "${YELLOW}[WARNING]${NC} $1" | tee -a "$LOG_FILE" } log_error() { echo -e "${RED}[ERROR]${NC} $1" | tee -a "$LOG_FILE" } log_success() { echo -e "${GREEN}[SUCCESS]${NC} $1" | tee -a "$LOG_FILE" } log_section() { echo -e "\n${BLUE}========================================${NC}" | tee -a "$LOG_FILE" echo -e "${BLUE}$1${NC}" | tee -a "$LOG_FILE" echo -e "${BLUE}========================================${NC}\n" | tee -a "$LOG_FILE" } check_root() { if [[ $EUID -ne 0 ]]; then log_error "此脚本必须以root权限运行" exit 1 fi } backup_file() { local file=$1 if [[ -f "$file" ]]; then mkdir -p "$BACKUP_DIR" cp -p "$file" "$BACKUP_DIR/$(basename $file).bak" 2>/dev/null log_info "备份文件: $file -> $BACKUP_DIR/$(basename $file).bak" fi } safe_execute() { local cmd="$1" local description="$2" log_info "执行: $description" if eval "$cmd" >> "$LOG_FILE" 2>&1; then log_info "成功: $description" return 0 else local exit_code=$? log_warning "警告: $description 失败 (退出码: $exit_code)" return $exit_code fi } # 菜单选择函数 show_menu() { clear echo -e "${BLUE}" cat << "EOF" ╔══════════════════════════════════════════════════════════════╗ ║ Ubuntu 22.04 服务器安全加固脚本 ║ ║ 多选项菜单版 (v1.4) ║ ║ 简化操作 • 模块选择 • 快速加固 ║ ╚══════════════════════════════════════════════════════════════╝ EOF echo -e "${NC}" } show_main_menu() { show_menu echo -e "${CYAN}请选择加固模式:${NC}" echo "" echo -e "${GREEN}1)${NC} 快速加固 (推荐) - 关键安全工具 + 核心加固" echo -e "${GREEN}2)${NC} 自定义加固 - 逐项选择要应用的设置" echo -e "${GREEN}3)${NC} 系统更新 - 仅更新系统包" echo -e "${GREEN}4)${NC} 查看当前安全状态" echo -e "${GREEN}5)${NC} 退出" echo "" echo -e "${YELLOW}请输入选择 [1-5]: ${NC}\c" } get_menu_choice() { local min_choice=$1 local max_choice=$2 local choice while true; do read -p "" choice if [[ "$choice" =~ ^[0-9]+$ ]] && [[ "$choice" -ge "$min_choice" ]] && [[ "$choice" -le "$max_choice" ]]; then echo "$choice" return 0 else echo -e "${RED}无效选择，请输入 $min_choice-$max_choice 之间的数字: ${NC}\c" fi done } show_custom_menu() { show_menu echo -e "${CYAN}自定义加固选项 (可多选):${NC}" echo "" echo -e "${GREEN}1)${NC} 系统更新和包管理" echo -e "${GREEN}2)${NC} SSH安全加固" echo -e "${GREEN}3)${NC} 创建管理用户和SSH密钥" echo -e "${GREEN}4)${NC} 配置防火墙 (UFW)" echo -e "${GREEN}5)${NC} 安装和配置Fail2ban" echo -e "${GREEN}6)${NC} 用户和权限管理" echo -e "${GREEN}7)${NC} 禁用不必要服务" echo -e "${GREEN}8)${NC} 内核参数安全配置" echo -e "${GREEN}9)${NC} 文件系统权限加固" echo -e "${GREEN}10)${NC} 配置自动安全更新" echo -e "${GREEN}11)${NC} 安装完整安全工具套件 (AIDE+Rkhunter+Logwatch+Auditd+Chkrootkit)" echo -e "${GREEN}12)${NC} 生成安全加固报告" echo -e "${GREEN}13)${NC} 返回主菜单" echo "" echo -e "${YELLOW}请输入要执行的项目编号 (多个用逗号分隔，如: 1,2,3): ${NC}\c" } show_security_status() { show_menu echo -e "${CYAN}当前系统安全状态检查:${NC}" echo "" # SSH状态 echo -e "${YELLOW}SSH配置状态:${NC}" if [[ -f "/etc/ssh/sshd_config" ]]; then echo -e "${GREEN}✓${NC} SSH配置文件存在" echo " 端口: $(grep "^Port" /etc/ssh/sshd_config | awk '{print $2}' || echo "22 (默认)")" echo " Root登录: $(grep "^PermitRootLogin" /etc/ssh/sshd_config | awk '{print $2}' || echo "未明确配置")" echo " 密码认证: $(grep "^PasswordAuthentication" /etc/ssh/sshd_config | awk '{print $2}' || echo "未明确配置")" else echo -e "${RED}✗${NC} SSH配置文件不存在" fi echo "" # 防火墙状态 echo -e "${YELLOW}防火墙状态:${NC}" if command -v ufw &> /dev/null; then if ufw status | grep -q "Status: active"; then echo -e "${GREEN}✓${NC} UFW防火墙已启用" ufw status | head -10 else echo -e "${YELLOW}!${NC} UFW防火墙已安装但未启用" fi else echo -e "${RED}✗${NC} UFW防火墙未安装" fi echo "" # Fail2ban状态 echo -e "${YELLOW}Fail2ban状态:${NC}" if command -v fail2ban-client &> /dev/null; then if systemctl is-active --quiet fail2ban; then echo -e "${GREEN}✓${NC} Fail2ban服务正在运行" fail2ban-client status 2>/dev/null | head -5 else echo -e "${YELLOW}!${NC} Fail2ban已安装但未运行" fi else echo -e "${RED}✗${NC} Fail2ban未安装" fi echo "" # 系统用户 echo -e "${YELLOW}系统用户管理:${NC}" local admin_users=$(grep -E ":(sudo|admin)" /etc/group | cut -d: -f4 | head -5) if [[ -n "$admin_users" ]]; then echo -e "${GREEN}✓${NC} 管理员用户: $admin_users" else echo -e "${YELLOW}!${NC} 未检测到管理用户组" fi echo "" echo -e "${CYAN}按回车键返回主菜单...${NC}" read } ################################################################################ # 主要加固功能 ################################################################################ # 1. 系统信息收集 collect_system_info() { log_section "收集系统信息" log_info "操作系统: $(lsb_release -d 2>/dev/null | cut -f2 || echo "Unknown")" log_info "内核版本: $(uname -r)" log_info "主机名: $(hostname)" # 安全获取IP地址 local ip=$(hostname -I 2>/dev/null | awk '{print $1}' || echo "无法获取") log_info "IP地址: $ip" log_info "开始加固时间: $(date)" echo "系统信息收集完成" >> "$LOG_FILE" } # 2. 系统更新 update_system() { log_section "系统更新与安全补丁" log_info "开始系统更新..." safe_execute "apt update -y" "更新软件包列表" safe_execute "apt upgrade -y" "升级已安装的软件包" safe_execute "apt dist-upgrade -y" "安装安全更新" safe_execute "apt autoremove -y" "清理不需要的软件包" safe_execute "apt autoclean -y" "清理缓存" log_success "系统更新完成" } # 3. SSH安全加固 harden_ssh() { log_section "SSH安全加固" local ssh_config="/etc/ssh/sshd_config" if [[ -f "$ssh_config" ]]; then backup_file "$ssh_config" log_info "配置SSH安全参数..." # 应用预设配置 safe_execute "sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' '$ssh_config'" "禁用root登录" safe_execute "sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' '$ssh_config'" "禁用密码认证" safe_execute "sed -i 's/^#*Port.*/Port $SSH_PORT/' '$ssh_config'" "设置SSH端口为$SSH_PORT" # 其他SSH安全配置 local ssh_config_addition=' # 安全加固配置 Protocol 2 MaxAuthTries 3 MaxSessions 2 LoginGraceTime 60 ClientAliveInterval 300 ClientAliveCountMax 2 PermitEmptyPasswords no X11Forwarding no UseDNS no ' echo "$ssh_config_addition" >> "$ssh_config" # 重启SSH服务 safe_execute "systemctl restart sshd" "重启SSH服务" log_success "SSH加固完成 - 端口: $SSH_PORT, Root登录: 禁用, 密码认证: 禁用" log_warning "请确保已在防火墙中开放端口 $SSH_PORT" log_warning "请确保已配置SSH密钥认证" else log_error "SSH配置文件不存在: $ssh_config" fi } # 4. 用户管理和SSH密钥配置 manage_users() { log_section "创建管理用户和配置SSH密钥" local username=$ADMIN_USERNAME local user_home=$(eval echo "~$username") # 检查用户是否已存在 if id "$username" &>/dev/null 2>&1; then log_info "用户 $username 已存在，跳过创建" else # 创建用户 log_info "创建用户: $username" safe_execute "useradd -m -s /bin/bash '$username'" "创建用户 $username" # 设置随机密码 local temp_password=$(openssl rand -base64 32) echo "$username:$temp_password" | chpasswd log_success "用户 $username 创建成功" log_info "临时密码: $temp_password (建议首次登录后修改)" # 将用户添加到sudo组 safe_execute "usermod -aG sudo '$username'" "将 $username 添加到sudo组" fi # 配置SSH密钥 local ssh_dir="$user_home/.ssh" local authorized_keys="$ssh_dir/authorized_keys" # 确保用户有.ssh目录 mkdir -p "$ssh_dir" chown "$username:$username" "$ssh_dir" # 生成SSH密钥对 log_info "生成SSH密钥对..." cd "$user_home" if [[ ! -f "$ssh_dir/id_rsa" ]]; then su - "$username" -c "ssh-keygen -t rsa -b 4096 -f $ssh_dir/id_rsa -N '' -C '$username@$(hostname)'" if [[ -f "$ssh_dir/id_rsa" ]]; then log_success "SSH密钥对生成成功" log_info "私钥文件: $ssh_dir/id_rsa" log_info "公钥文件: $ssh_dir/id_rsa.pub" log_warning "请妥善保管私钥文件，不要上传到公共服务器" # 设置公钥到authorized_keys cat "$ssh_dir/id_rsa.pub" > "$authorized_keys" else log_error "SSH密钥生成失败" return 1 fi else log_info "SSH密钥已存在" fi # 设置sudo无密码 local sudoers_file="/etc/sudoers.d/$username" echo "$username ALL=(ALL) NOPASSWD:ALL" > "$sudoers_file" chmod 440 "$sudoers_file" log_success "已配置 $username sudo无密码权限" # 设置文件权限 safe_execute "chown -R $username:$username '$ssh_dir'" "设置SSH目录权限" safe_execute "chmod 700 '$ssh_dir'" "设置SSH目录权限为700" safe_execute "chmod 600 '$authorized_keys'" "设置公钥文件权限为600" log_success "用户管理完成 - 用户: $username" } # 5. 防火墙配置 configure_firewall() { log_section "配置UFW防火墙" if ! command -v ufw &> /dev/null; then safe_execute "apt install ufw -y" "安装UFW" fi log_info "配置UFW规则..." # 默认策略 safe_execute "ufw default deny incoming" "设置默认入站策略：拒绝" safe_execute "ufw default allow outgoing" "设置默认出站策略：允许" # 允许SSH safe_execute "ufw allow $SSH_PORT/tcp comment 'SSH'" "允许SSH端口: $SSH_PORT" # 允许常用端口 local common_ports=("80/tcp" "443/tcp" "53/udp" "123/udp") local port_comments=("HTTP" "HTTPS" "DNS" "NTP") for i in "${!common_ports[@]}"; do log_info "开放端口 ${common_ports[$i]} (${port_comments[$i]})" safe_execute "ufw allow ${common_ports[$i]} comment '${port_comments[$i]}'" "开放${port_comments[$i]}端口" done # 启用UFW log_info "启用UFW防火墙..." safe_execute "ufw --force enable" "强制启用UFW" # 显示状态 log_success "防火墙配置完成" ufw status | head -15 } # 6. 安装和配置Fail2ban install_fail2ban() { log_section "安装和配置Fail2ban" if ! command -v fail2ban-client &> /dev/null; then safe_execute "apt install fail2ban -y" "安装Fail2ban" else log_info "Fail2ban已安装" fi # 配置fail2ban local jail_local="/etc/fail2ban/jail.local" backup_file "$jail_local" 2>/dev/null || true log_info "创建Fail2ban配置..." cat > "$jail_local" << EOF [DEFAULT] # 封禁时间（秒） bantime = 3600 # 查找时间窗口（秒） findtime = 600 # 最大尝试次数 maxretry = 5 [sshd] enabled = true port = $SSH_PORT filter = sshd logpath = /var/log/auth.log maxretry = 3 bantime = 7200 [sshd-ddos] enabled = true port = $SSH_PORT filter = sshd-ddos logpath = /var/log/auth.log maxretry = 2 bantime = 7200 EOF safe_execute "systemctl enable fail2ban" "启用Fail2ban服务" safe_execute "systemctl restart fail2ban" "重启Fail2ban服务" sleep 2 if command -v fail2ban-client &> /dev/null; then log_success "Fail2ban配置完成" fail2ban-client status 2>/dev/null | head -5 fi } # 7. 用户和权限管理 harden_users() { log_section "用户和权限加固" # 密码策略 log_info "配置密码策略..." if ! dpkg -l | grep -q libpam-pwquality; then safe_execute "apt install libpam-pwquality -y" "安装密码质量检查工具" fi local pwquality_file="/etc/security/pwquality.conf" backup_file "$pwquality_file" cat >> "$pwquality_file" << 'EOF' # 密码安全策略 minlen = 12 dcredit = -1 ucredit = -1 lcredit = -1 ocredit = -1 maxrepeat = 3 EOF # 密码过期策略 local login_defs="/etc/login.defs" if [[ -f "$login_defs" ]]; then backup_file "$login_defs" safe_execute "sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' '$login_defs'" "设置密码最大有效期" safe_execute "sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 1/' '$login_defs'" "设置密码最小间隔" safe_execute "sed -i 's/^PASS_WARN_AGE.*/PASS_WARN_AGE 14/' '$login_defs'" "设置密码警告时间" fi log_success "密码策略配置完成" # 锁定不必要的系统账户 log_info "锁定系统账户..." local system_users=("bin" "daemon" "adm" "lp" "sync" "shutdown" "halt" "mail" "news" "uucp" "operator" "games" "gopher" "ftp") for user in "${system_users[@]}"; do if id "$user" &>/dev/null 2>&1; then usermod -L -s /usr/sbin/nologin "$user" 2>/dev/null || true fi done log_success "用户加固完成" } # 8. 禁用不必要的服务 disable_services() { log_section "禁用不必要的服务" local services_to_disable=("avahi-daemon" "cups" "isc-dhcp-server" "isc-dhcp-server6" "bluetooth") for service in "${services_to_disable[@]}"; do if systemctl is-enabled "$service" &>/dev/null 2>&1; then safe_execute "systemctl stop '$service'" "停止服务: $service" safe_execute "systemctl disable '$service'" "禁用服务: $service" log_info "已禁用服务: $service" fi done log_success "不必要服务禁用完成" } # 9. 内核参数安全配置 harden_kernel() { log_section "内核参数安全配置" local sysctl_conf="/etc/sysctl.d/99-security.conf" backup_file "$sysctl_conf" 2>/dev/null || true log_info "配置内核安全参数..." cat > "$sysctl_conf" << 'EOF' # IP转发禁用 net.ipv4.ip_forward = 0 net.ipv6.conf.all.forwarding = 0 # SYN cookies保护 net.ipv4.tcp_syncookies = 1 # 忽略ICMP重定向 net.ipv4.conf.all.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 # 忽略安全ICMP重定向 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 # 禁用源路由 net.ipv4.conf.all.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 # 记录可疑包 net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 # 忽略ICMP ping请求 net.ipv4.icmp_echo_ignore_broadcasts = 1 # 反向路径过滤 net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 # 保护系统免受SYN flood攻击 net.ipv4.tcp_max_syn_backlog = 2048 net.ipv4.tcp_synack_retries = 2 net.ipv4.tcp_syn_retries = 5 EOF if command -v sysctl &> /dev/null; then safe_execute "sysctl -p '$sysctl_conf'" "应用内核参数配置" fi log_success "内核参数配置完成" } # 10. 文件系统和权限加固 harden_filesystem() { log_section "文件系统权限加固" log_info "设置重要文件权限..." # 关键配置文件权限 local files_to_protect=( "/etc/ssh/sshd_config:600" "/etc/passwd:644" "/etc/shadow:640" "/etc/group:644" "/etc/gshadow:600" ) for file_perm in "${files_to_protect[@]}"; do local file="${file_perm%:*}" local perm="${file_perm#*:}" if [[ -f "$file" ]]; then safe_execute "chmod $perm '$file'" "设置文件权限: $file -> $perm" fi done log_success "重要文件权限已加固" # 查找并报告可疑权限文件 log_info "查找具有SUID/SGID权限的文件（记录到日志）..." if command -v find &> /dev/null; then find / -perm /6000 -type f 2>/dev/null >> "$LOG_FILE" || true fi } # 11. 配置自动安全更新 configure_auto_updates() { log_section "配置自动安全更新" if ! dpkg -l | grep -q unattended-upgrades; then safe_execute "apt install unattended-upgrades apt-listchanges -y" "安装自动更新工具" fi if command -v dpkg-reconfigure &> /dev/null; then safe_execute "echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | debconf-set-selections && debconf-show unattended-upgrades" "配置自动更新" fi log_success "自动安全更新已启用" } # 12. 安装其他安全工具 install_security_tools() { log_section "安装额外安全工具" # 优先级安全工具 - 快速加固中最重要的 local priority_tools=("aide" "rkhunter") # 完整的工具列表 - 自定义模式中可选择 local all_tools=("aide" "rkhunter" "logwatch" "auditd" "chkrootkit") # 智能选择 - 根据加固模式选择工具 local tools=() if [[ "${INSTALL_MODE:-full}" == "priority" ]]; then tools=("${priority_tools[@]}") log_info "快速加固模式: 安装关键安全工具" else tools=("${all_tools[@]}") log_info "完整安装模式: 安装所有推荐安全工具" fi for tool in "${tools[@]}"; do if apt list --installed 2>/dev/null | grep -q "^$tool/"; then log_info "$tool 已安装" continue fi # 智能安装 - 跳过可能的不可用工具 case "$tool" in "auditd") if ! dpkg -l | grep -q "auditd"; then if safe_execute "apt install '$tool' -y" "安装安全工具: $tool"; then safe_execute "systemctl enable auditd" "启用auditd服务" safe_execute "systemctl start auditd" "启动auditd服务" log_success "已安装并启用: $tool" else log_warning "跳过 $tool 安装" fi fi ;; "chkrootkit") if safe_execute "apt install '$tool' -y" "安装安全工具: $tool"; then log_success "已安装: $tool" else log_warning "跳过 $tool 安装" fi ;; *) if safe_execute "apt install '$tool' -y" "安装安全工具: $tool"; then # 特殊配置 case "$tool" in "rkhunter") if command -v rkhunter &> /dev/null; then safe_execute "rkhunter --update" "更新rkhunter数据库" safe_execute "rkhunter --propupd" "更新rkhunter属性" fi ;; esac log_success "已安装: $tool" else log_warning "跳过 $tool 安装" fi ;; esac done # 显示安装总结 log_info "安全工具安装总结:" for tool in "${tools[@]}"; do if command -v "$tool" &>/dev/null; then log_success "✓ $tool - 已安装" else log_info "- $tool - 跳过或安装失败" fi done } # 13. 生成加固报告 generate_report() { log_section "生成安全加固报告" local report_file="/root/security_hardening_report_$(date +%Y%m%d_%H%M%S).txt" # 安全获取系统信息 local os_info=$(lsb_release -d 2>/dev/null | cut -f2 || echo "Unknown") local kernel_info=$(uname -r) local hostname_info=$(hostname) cat > "$report_file" << EOF ================================================================================ 服务器安全加固报告 ================================================================================ 生成时间: $(date) 主机名: $hostname_info 操作系统: $os_info 内核版本: $kernel_info -------------------------------------------------------------------------------- 1. SSH配置 -------------------------------------------------------------------------------- $(grep -E "^(Port|PermitRootLogin|PasswordAuthentication)" /etc/ssh/sshd_config 2>/dev/null || echo "SSH配置不可读") -------------------------------------------------------------------------------- 2. 防火墙状态 -------------------------------------------------------------------------------- $(ufw status verbose 2>/dev/null || echo "UFW不可用") -------------------------------------------------------------------------------- 3. Fail2ban状态 -------------------------------------------------------------------------------- $(fail2ban-client status 2>/dev/null || echo "Fail2ban未运行") -------------------------------------------------------------------------------- 4. 已安装的安全工具 -------------------------------------------------------------------------------- $(dpkg -l 2>/dev/null | grep -E "fail2ban|ufw|aide|rkhunter|logwatch|unattended-upgrades" | awk '{print $2 " " $3}' | column -t || echo "无法获取包信息") -------------------------------------------------------------------------------- 5. 活动监听端口 -------------------------------------------------------------------------------- $(ss -tunlp 2>/dev/null || netstat -tunlp 2>/dev/null || echo "端口信息不可用") -------------------------------------------------------------------------------- 6. 管理用户 -------------------------------------------------------------------------------- $(grep -E ":(sudo|admin)" /etc/group 2>/dev/null | head -5 || echo "无管理用户组") -------------------------------------------------------------------------------- 备份目录: $BACKUP_DIR 日志文件: $LOG_FILE 配置完成时间: $(date) -------------------------------------------------------------------------------- EOF log_success "安全加固报告已生成: $report_file" # 显示报告摘要 echo -e "${CYAN}报告摘要:${NC}" echo "- 操作系统: $os_info" echo "- SSH端口: $SSH_PORT" echo "- 管理员用户: $ADMIN_USERNAME" echo "- 防火墙: $(ufw status 2>/dev/null | grep -q "active" && echo "已启用" || echo "未启用")" echo "- Fail2ban: $(systemctl is-active fail2ban 2>/dev/null || echo "未运行")" echo "" echo -e "${YELLOW}完整报告请查看: $report_file${NC}" } ################################################################################ # 快速加固流程 ################################################################################ quick_hardening() { log_section "开始快速加固" log_warning "这将应用所有推荐的安全设置" # 设置快速加固模式 - 优先安装关键安全工具 export INSTALL_MODE="priority" # 执行所有加固步骤 collect_system_info update_system harden_ssh manage_users configure_firewall install_fail2ban harden_users disable_services harden_kernel harden_filesystem configure_auto_updates install_security_tools generate_report log_section "快速加固完成" show_completion_message } ################################################################################ # 自定义加固流程 ################################################################################ custom_hardening() { while true; do show_custom_menu local choice=$(get_menu_choice 1 13) case $choice in 1) collect_system_info update_system ;; 2) show_ssh_config_menu ;; 3) show_user_config_menu ;; 4) configure_firewall ;; 5) install_fail2ban ;; 6) harden_users ;; 7) disable_services ;; 8) harden_kernel ;; 9) harden_filesystem ;; 10) configure_auto_updates ;; 11) export INSTALL_MODE="full" install_security_tools ;; 12) generate_report ;; 13) return 0 ;; esac echo "" echo -e "${YELLOW}按回车键继续...${NC}" read done } show_ssh_config_menu() { show_menu echo -e "${CYAN}SSH配置选项:${NC}" echo "" echo -e "${GREEN}1)${NC} 标准配置 (端口2222, 禁用root, 禁用密码)" echo -e "${GREEN}2)${NC} 安全配置 (端口22, 禁用root, 禁用密码)" echo -e "${GREEN}3)${NC} 自定义端口 (输入端口号)" echo -e "${GREEN}4)${NC} 返回" echo "" echo -e "${YELLOW}请选择SSH配置 [1-4]: ${NC}\c" local ssh_choice=$(get_menu_choice 1 4) case $ssh_choice in 1) SSH_PORT=2222 harden_ssh ;; 2) SSH_PORT=22 harden_ssh ;; 3) echo -e "${YELLOW}请输入SSH端口号 (1024-65535): ${NC}\c" read -p "" custom_port if [[ "$custom_port" =~ ^[0-9]+$ ]] && [[ "$custom_port" -gt 1024 ]] && [[ "$custom_port" -lt 65536 ]]; then SSH_PORT=$custom_port harden_ssh else log_error "无效的端口号" fi ;; 4) return 0 ;; esac } show_user_config_menu() { show_menu echo -e "${CYAN}用户管理配置选项:${NC}" echo "" echo -e "${GREEN}1)${NC} 创建admin用户 (推荐)" echo -e "${GREEN}2)${NC} 创建operator用户" echo -e "${GREEN}3)${NC} 自定义用户名" echo -e "${GREEN}4)${NC} 跳过用户创建" echo "" echo -e "${YELLOW}请选择用户配置 [1-4]: ${NC}\c" local user_choice=$(get_menu_choice 1 4) case $user_choice in 1) ADMIN_USERNAME="admin" manage_users ;; 2) ADMIN_USERNAME="operator" manage_users ;; 3) echo -e "${YELLOW}请输入用户名: ${NC}\c" read -p "" ADMIN_USERNAME if [[ -n "$ADMIN_USERNAME" ]] && [[ "$ADMIN_USERNAME" =~ ^[a-z_][a-z0-9_-]*$ ]]; then manage_users else log_error "无效的用户名" fi ;; 4) log_info "跳过用户创建" ;; esac } ################################################################################ # 完成消息 ################################################################################ show_completion_message() { echo -e "${GREEN}" cat << EOF ╔══════════════════════════════════════════════════════════════╗ ║ 安全加固已完成！ ║ ╚══════════════════════════════════════════════════════════════╝ 重要提醒: 1. SSH访问信息: - 端口: $SSH_PORT - 用户: $ADMIN_USERNAME - 认证方式: SSH密钥 (推荐) 2. 文件位置: - 配置备份: $BACKUP_DIR - 详细日志: $LOG_FILE - 安全报告: /root/security_hardening_report_*.txt 3. 后续步骤: - 使用SSH密钥登录新用户账户 - 验证防火墙规则: ufw status - 检查Fail2ban状态: fail2ban-client status - 重启服务器以确保所有更改生效 4. 安全检查: - 定期检查 /var/log/auth.log - 运行: rkhunter --check (如已安装) - 监控fail2ban日志: tail -f /var/log/fail2ban.log EOF echo -e "${NC}" if [[ "$ENABLE_AUTO_REBOOT" == "true" ]]; then echo -e "${YELLOW}是否重启服务器以确保所有更改生效？${NC}" echo -e "${GREEN}1)${NC} 是，立即重启" echo -e "${GREEN}2)${NC} 否，稍后手动重启" echo "" echo -e "${YELLOW}请选择 [1-2]: ${NC}\c" local reboot_choice=$(get_menu_choice 1 2) case $reboot_choice in 1) log "系统将在10秒后重启..." sleep 10 if command -v reboot &> /dev/null; then reboot else shutdown -r now fi ;; 2) log_info "请记得稍后手动重启服务器" ;; esac fi } ################################################################################ # 主程序 ################################################################################ main() { # 检查root权限 check_root while true; do show_main_menu local choice=$(get_menu_choice 1 5) case $choice in 1) log "开始快速加固流程..." quick_hardening break ;; 2) log "开始自定义加固流程..." custom_hardening ;; 3) log "开始系统更新..." collect_system_info update_system echo "" echo -e "${YELLOW}按回车键返回主菜单...${NC}" read ;; 4) show_security_status ;; 5) log "退出脚本" exit 0 ;; esac done } # 运行主程序 main "$@"

1	#!/bin/bash
2
3
4
5	################################################################################
6
7	# 服务器自动化加固脚本
8
9	# 作者: Mercas
10
11	# 日期: 2025-11-09
12
13	# 说明: 本脚本用于自动化加固Ubuntu 22.04服务器安全配置
14
15	# 版本: v1.4 (多选项菜单版 - 简化交互流程)
16
17	# 新增功能:
18
19	# - 全菜单式操作界面
20
21	# - 模块化选择加固项目
22
23	# - 预设配置选项
24
25	# - 一键快速加固
26
27	################################################################################
28
29
30
31	# 终端类型兼容性处理
32
33	if [[ "$TERM" == "xterm-kitty" ]]; then
34
35	export TERM=xterm-color
36
37	log_info "检测到xterm-kitty终端，已自动切换到xterm-color"
38
39	elif [[ -z "$TERM" ]] \|\| [[ "$TERM" == "unknown" ]]; then
40
41	export TERM=xterm-color
42
43	log_info "检测到未知终端类型，已设置为xterm-color"
44
45	fi
46
47
48
49	# 设置脚本使用的基本终端类型（避免颜色问题）
50
51	export TERM=xterm-color
52
53
54
55	# 禁用一些可能引起终端问题的选项
56
57	set +H # 禁用历史扩展
58
59	set +e # 暂时禁用错误退出
60
61
62
63	set -e # 遇到错误立即退出
64
65	trap 'echo "错误发生在第 $LINENO 行"' ERR
66
67
68
69	# 颜色定义（使用更兼容的方式）
70
71	if command -v tput &> /dev/null && [[ -n "$TERM" ]]; then
72
73	RED=$(tput setaf 1 2>/dev/null \|\| echo '\033[0;31m')
74
75	GREEN=$(tput setaf 2 2>/dev/null \|\| echo '\033[0;32m')
76
77	YELLOW=$(tput setaf 3 2>/dev/null \|\| echo '\033[1;33m')
78
79	BLUE=$(tput setaf 4 2>/dev/null \|\| echo '\033[0;34m')
80
81	PURPLE=$(tput setaf 5 2>/dev/null \|\| echo '\033[0;35m')
82
83	CYAN=$(tput setaf 6 2>/dev/null \|\| echo '\033[0;36m')
84
85	NC=$(tput sgr0 2>/dev/null \|\| echo '\033[0m')
86
87	else
88
89	# 回退到简单颜色
90
91	RED='\033[0;31m'
92
93	GREEN='\033[0;32m'
94
95	YELLOW='\033[1;33m'
96
97	BLUE='\033[0;34m'
98
99	PURPLE='\033[0;35m'
100
101	CYAN='\033[0;36m'
102
103	NC='\033[0m'
104
105	fi
106
107
108
109	# 日志文件
110
111	LOG_FILE="/var/log/server_hardening_$(date +%Y%m%d_%H%M%S).log"
112
113	BACKUP_DIR="/root/security_backup_$(date +%Y%m%d_%H%M%S)"
114
115
116
117	# 配置变量
118
119	SSH_PORT=22
120
121	ADMIN_USERNAME="admin"
122
123	ENABLE_AUTO_REBOOT=true
124
125
126
127	################################################################################
128
129	# 工具函数
130
131	################################################################################
132
133
134
135	log() {
136
137	echo -e "${GREEN}[$(date +'%Y-%m-%d %H:%M:%S')]${NC} $1" \| tee -a "$LOG_FILE"
138
139	}
140
141
142
143	log_info() {
144
145	echo -e "${BLUE}[INFO]${NC} $1" \| tee -a "$LOG_FILE"
146
147	}
148
149
150
151	log_warning() {
152
153	echo -e "${YELLOW}[WARNING]${NC} $1" \| tee -a "$LOG_FILE"
154
155	}
156
157
158
159	log_error() {
160
161	echo -e "${RED}[ERROR]${NC} $1" \| tee -a "$LOG_FILE"
162
163	}
164
165
166
167	log_success() {
168
169	echo -e "${GREEN}[SUCCESS]${NC} $1" \| tee -a "$LOG_FILE"
170
171	}
172
173
174
175	log_section() {
176
177	echo -e "\n${BLUE}========================================${NC}" \| tee -a "$LOG_FILE"
178
179	echo -e "${BLUE}$1${NC}" \| tee -a "$LOG_FILE"
180
181	echo -e "${BLUE}========================================${NC}\n" \| tee -a "$LOG_FILE"
182
183	}
184
185
186
187	check_root() {
188
189	if [[ $EUID -ne 0 ]]; then
190
191	log_error "此脚本必须以root权限运行"
192
193	exit 1
194
195	fi
196
197	}
198
199
200
201	backup_file() {
202
203	local file=$1
204
205	if [[ -f "$file" ]]; then
206
207	mkdir -p "$BACKUP_DIR"
208
209	cp -p "$file" "$BACKUP_DIR/$(basename $file).bak" 2>/dev/null
210
211	log_info "备份文件: $file -> $BACKUP_DIR/$(basename $file).bak"
212
213	fi
214
215	}
216
217
218
219	safe_execute() {
220
221	local cmd="$1"
222
223	local description="$2"
224
225	log_info "执行: $description"
226
227	if eval "$cmd" >> "$LOG_FILE" 2>&1; then
228
229	log_info "成功: $description"
230
231	return 0
232
233	else
234
235	local exit_code=$?
236
237	log_warning "警告: $description 失败 (退出码: $exit_code)"
238
239	return $exit_code
240
241	fi
242
243	}
244
245
246
247	# 菜单选择函数
248
249	show_menu() {
250
251	clear
252
253	echo -e "${BLUE}"
254
255	cat << "EOF"
256
257	╔══════════════════════════════════════════════════════════════╗
258
259	║ Ubuntu 22.04 服务器安全加固脚本 ║
260
261	║ 多选项菜单版 (v1.4) ║
262
263	║ 简化操作 • 模块选择 • 快速加固 ║
264
265	╚══════════════════════════════════════════════════════════════╝
266
267	EOF
268
269	echo -e "${NC}"
270
271	}
272
273
274
275	show_main_menu() {
276
277	show_menu
278
279	echo -e "${CYAN}请选择加固模式:${NC}"
280
281	echo ""
282
283	echo -e "${GREEN}1)${NC} 快速加固 (推荐) - 关键安全工具 + 核心加固"
284
285	echo -e "${GREEN}2)${NC} 自定义加固 - 逐项选择要应用的设置"
286
287	echo -e "${GREEN}3)${NC} 系统更新 - 仅更新系统包"
288
289	echo -e "${GREEN}4)${NC} 查看当前安全状态"
290
291	echo -e "${GREEN}5)${NC} 退出"
292
293	echo ""
294
295	echo -e "${YELLOW}请输入选择 [1-5]: ${NC}\c"
296
297	}
298
299
300
301	get_menu_choice() {
302
303	local min_choice=$1
304
305	local max_choice=$2
306
307	local choice
308
309	while true; do
310
311	read -p "" choice
312
313	if [[ "$choice" =~ ^[0-9]+$ ]] && [[ "$choice" -ge "$min_choice" ]] && [[ "$choice" -le "$max_choice" ]]; then
314
315	echo "$choice"
316
317	return 0
318
319	else
320
321	echo -e "${RED}无效选择，请输入 $min_choice-$max_choice 之间的数字: ${NC}\c"
322
323	fi
324
325	done
326
327	}
328
329
330
331	show_custom_menu() {
332
333	show_menu
334
335	echo -e "${CYAN}自定义加固选项 (可多选):${NC}"
336
337	echo ""
338
339	echo -e "${GREEN}1)${NC} 系统更新和包管理"
340
341	echo -e "${GREEN}2)${NC} SSH安全加固"
342
343	echo -e "${GREEN}3)${NC} 创建管理用户和SSH密钥"
344
345	echo -e "${GREEN}4)${NC} 配置防火墙 (UFW)"
346
347	echo -e "${GREEN}5)${NC} 安装和配置Fail2ban"
348
349	echo -e "${GREEN}6)${NC} 用户和权限管理"
350
351	echo -e "${GREEN}7)${NC} 禁用不必要服务"
352
353	echo -e "${GREEN}8)${NC} 内核参数安全配置"
354
355	echo -e "${GREEN}9)${NC} 文件系统权限加固"
356
357	echo -e "${GREEN}10)${NC} 配置自动安全更新"
358
359	echo -e "${GREEN}11)${NC} 安装完整安全工具套件 (AIDE+Rkhunter+Logwatch+Auditd+Chkrootkit)"
360
361	echo -e "${GREEN}12)${NC} 生成安全加固报告"
362
363	echo -e "${GREEN}13)${NC} 返回主菜单"
364
365	echo ""
366
367	echo -e "${YELLOW}请输入要执行的项目编号 (多个用逗号分隔，如: 1,2,3): ${NC}\c"
368
369	}
370
371
372
373	show_security_status() {
374
375	show_menu
376
377	echo -e "${CYAN}当前系统安全状态检查:${NC}"
378
379	echo ""
380
381	# SSH状态
382
383	echo -e "${YELLOW}SSH配置状态:${NC}"
384
385	if [[ -f "/etc/ssh/sshd_config" ]]; then
386
387	echo -e "${GREEN}✓${NC} SSH配置文件存在"
388
389	echo " 端口: $(grep "^Port" /etc/ssh/sshd_config \| awk '{print $2}' \|\| echo "22 (默认)")"
390
391	echo " Root登录: $(grep "^PermitRootLogin" /etc/ssh/sshd_config \| awk '{print $2}' \|\| echo "未明确配置")"
392
393	echo " 密码认证: $(grep "^PasswordAuthentication" /etc/ssh/sshd_config \| awk '{print $2}' \|\| echo "未明确配置")"
394
395	else
396
397	echo -e "${RED}✗${NC} SSH配置文件不存在"
398
399	fi
400
401	echo ""
402
403	# 防火墙状态
404
405	echo -e "${YELLOW}防火墙状态:${NC}"
406
407	if command -v ufw &> /dev/null; then
408
409	if ufw status \| grep -q "Status: active"; then
410
411	echo -e "${GREEN}✓${NC} UFW防火墙已启用"
412
413	ufw status \| head -10
414
415	else
416
417	echo -e "${YELLOW}!${NC} UFW防火墙已安装但未启用"
418
419	fi
420
421	else
422
423	echo -e "${RED}✗${NC} UFW防火墙未安装"
424
425	fi
426
427	echo ""
428
429	# Fail2ban状态
430
431	echo -e "${YELLOW}Fail2ban状态:${NC}"
432
433	if command -v fail2ban-client &> /dev/null; then
434
435	if systemctl is-active --quiet fail2ban; then
436
437	echo -e "${GREEN}✓${NC} Fail2ban服务正在运行"
438
439	fail2ban-client status 2>/dev/null \| head -5
440
441	else
442
443	echo -e "${YELLOW}!${NC} Fail2ban已安装但未运行"
444
445	fi
446
447	else
448
449	echo -e "${RED}✗${NC} Fail2ban未安装"
450
451	fi
452
453	echo ""
454
455	# 系统用户
456
457	echo -e "${YELLOW}系统用户管理:${NC}"
458
459	local admin_users=$(grep -E ":(sudo\|admin)" /etc/group \| cut -d: -f4 \| head -5)
460
461	if [[ -n "$admin_users" ]]; then
462
463	echo -e "${GREEN}✓${NC} 管理员用户: $admin_users"
464
465	else
466
467	echo -e "${YELLOW}!${NC} 未检测到管理用户组"
468
469	fi
470
471	echo ""
472
473	echo -e "${CYAN}按回车键返回主菜单...${NC}"
474
475	read
476
477	}
478
479
480
481	################################################################################
482
483	# 主要加固功能
484
485	################################################################################
486
487
488
489	# 1. 系统信息收集
490
491	collect_system_info() {
492
493	log_section "收集系统信息"
494
495	log_info "操作系统: $(lsb_release -d 2>/dev/null \| cut -f2 \|\| echo "Unknown")"
496
497	log_info "内核版本: $(uname -r)"
498
499	log_info "主机名: $(hostname)"
500
501	# 安全获取IP地址
502
503	local ip=$(hostname -I 2>/dev/null \| awk '{print $1}' \|\| echo "无法获取")
504
505	log_info "IP地址: $ip"
506
507	log_info "开始加固时间: $(date)"
508
509	echo "系统信息收集完成" >> "$LOG_FILE"
510
511	}
512
513
514
515	# 2. 系统更新
516
517	update_system() {
518
519	log_section "系统更新与安全补丁"
520
521	log_info "开始系统更新..."
522
523	safe_execute "apt update -y" "更新软件包列表"
524
525	safe_execute "apt upgrade -y" "升级已安装的软件包"
526
527	safe_execute "apt dist-upgrade -y" "安装安全更新"
528
529	safe_execute "apt autoremove -y" "清理不需要的软件包"
530
531	safe_execute "apt autoclean -y" "清理缓存"
532
533	log_success "系统更新完成"
534
535	}
536
537
538
539	# 3. SSH安全加固
540
541	harden_ssh() {
542
543	log_section "SSH安全加固"
544
545	local ssh_config="/etc/ssh/sshd_config"
546
547	if [[ -f "$ssh_config" ]]; then
548
549	backup_file "$ssh_config"
550
551	log_info "配置SSH安全参数..."
552
553	# 应用预设配置
554
555	safe_execute "sed -i 's/^#PermitRootLogin./PermitRootLogin no/' '$ssh_config'" "禁用root登录"
556
557	safe_execute "sed -i 's/^#PasswordAuthentication./PasswordAuthentication no/' '$ssh_config'" "禁用密码认证"
558
559	safe_execute "sed -i 's/^#Port./Port $SSH_PORT/' '$ssh_config'" "设置SSH端口为$SSH_PORT"
560
561	# 其他SSH安全配置
562
563	local ssh_config_addition='
564
565	# 安全加固配置
566
567	Protocol 2
568
569	MaxAuthTries 3
570
571	MaxSessions 2
572
573	LoginGraceTime 60
574
575	ClientAliveInterval 300
576
577	ClientAliveCountMax 2
578
579	PermitEmptyPasswords no
580
581	X11Forwarding no
582
583	UseDNS no
584
585	'
586
587	echo "$ssh_config_addition" >> "$ssh_config"
588
589	# 重启SSH服务
590
591	safe_execute "systemctl restart sshd" "重启SSH服务"
592
593	log_success "SSH加固完成 - 端口: $SSH_PORT, Root登录: 禁用, 密码认证: 禁用"
594
595	log_warning "请确保已在防火墙中开放端口 $SSH_PORT"
596
597	log_warning "请确保已配置SSH密钥认证"
598
599	else
600
601	log_error "SSH配置文件不存在: $ssh_config"
602
603	fi
604
605	}
606
607
608
609	# 4. 用户管理和SSH密钥配置
610
611	manage_users() {
612
613	log_section "创建管理用户和配置SSH密钥"
614
615	local username=$ADMIN_USERNAME
616
617	local user_home=$(eval echo "~$username")
618
619	# 检查用户是否已存在
620
621	if id "$username" &>/dev/null 2>&1; then
622
623	log_info "用户 $username 已存在，跳过创建"
624
625	else
626
627	# 创建用户
628
629	log_info "创建用户: $username"
630
631	safe_execute "useradd -m -s /bin/bash '$username'" "创建用户 $username"
632
633	# 设置随机密码
634
635	local temp_password=$(openssl rand -base64 32)
636
637	echo "$username:$temp_password" \| chpasswd
638
639	log_success "用户 $username 创建成功"
640
641	log_info "临时密码: $temp_password (建议首次登录后修改)"
642
643	# 将用户添加到sudo组
644
645	safe_execute "usermod -aG sudo '$username'" "将 $username 添加到sudo组"
646
647	fi
648
649	# 配置SSH密钥
650
651	local ssh_dir="$user_home/.ssh"
652
653	local authorized_keys="$ssh_dir/authorized_keys"
654
655	# 确保用户有.ssh目录
656
657	mkdir -p "$ssh_dir"
658
659	chown "$username:$username" "$ssh_dir"
660
661	# 生成SSH密钥对
662
663	log_info "生成SSH密钥对..."
664
665	cd "$user_home"
666
667	if [[ ! -f "$ssh_dir/id_rsa" ]]; then
668
669	su - "$username" -c "ssh-keygen -t rsa -b 4096 -f $ssh_dir/id_rsa -N '' -C '$username@$(hostname)'"
670
671	if [[ -f "$ssh_dir/id_rsa" ]]; then
672
673	log_success "SSH密钥对生成成功"
674
675	log_info "私钥文件: $ssh_dir/id_rsa"
676
677	log_info "公钥文件: $ssh_dir/id_rsa.pub"
678
679	log_warning "请妥善保管私钥文件，不要上传到公共服务器"
680
681	# 设置公钥到authorized_keys
682
683	cat "$ssh_dir/id_rsa.pub" > "$authorized_keys"
684
685	else
686
687	log_error "SSH密钥生成失败"
688
689	return 1
690
691	fi
692
693	else
694
695	log_info "SSH密钥已存在"
696
697	fi
698
699	# 设置sudo无密码
700
701	local sudoers_file="/etc/sudoers.d/$username"
702
703	echo "$username ALL=(ALL) NOPASSWD:ALL" > "$sudoers_file"
704
705	chmod 440 "$sudoers_file"
706
707	log_success "已配置 $username sudo无密码权限"
708
709	# 设置文件权限
710
711	safe_execute "chown -R $username:$username '$ssh_dir'" "设置SSH目录权限"
712
713	safe_execute "chmod 700 '$ssh_dir'" "设置SSH目录权限为700"
714
715	safe_execute "chmod 600 '$authorized_keys'" "设置公钥文件权限为600"
716
717	log_success "用户管理完成 - 用户: $username"
718
719	}
720
721
722
723	# 5. 防火墙配置
724
725	configure_firewall() {
726
727	log_section "配置UFW防火墙"
728
729	if ! command -v ufw &> /dev/null; then
730
731	safe_execute "apt install ufw -y" "安装UFW"
732
733	fi
734
735	log_info "配置UFW规则..."
736
737	# 默认策略
738
739	safe_execute "ufw default deny incoming" "设置默认入站策略：拒绝"
740
741	safe_execute "ufw default allow outgoing" "设置默认出站策略：允许"
742
743	# 允许SSH
744
745	safe_execute "ufw allow $SSH_PORT/tcp comment 'SSH'" "允许SSH端口: $SSH_PORT"
746
747	# 允许常用端口
748
749	local common_ports=("80/tcp" "443/tcp" "53/udp" "123/udp")
750
751	local port_comments=("HTTP" "HTTPS" "DNS" "NTP")
752
753	for i in "${!common_ports[@]}"; do
754
755	log_info "开放端口 ${common_ports[$i]} (${port_comments[$i]})"
756
757	safe_execute "ufw allow ${common_ports[$i]} comment '${port_comments[$i]}'" "开放${port_comments[$i]}端口"
758
759	done
760
761	# 启用UFW
762
763	log_info "启用UFW防火墙..."
764
765	safe_execute "ufw --force enable" "强制启用UFW"
766
767	# 显示状态
768
769	log_success "防火墙配置完成"
770
771	ufw status \| head -15
772
773	}
774
775
776
777	# 6. 安装和配置Fail2ban
778
779	install_fail2ban() {
780
781	log_section "安装和配置Fail2ban"
782
783	if ! command -v fail2ban-client &> /dev/null; then
784
785	safe_execute "apt install fail2ban -y" "安装Fail2ban"
786
787	else
788
789	log_info "Fail2ban已安装"
790
791	fi
792
793	# 配置fail2ban
794
795	local jail_local="/etc/fail2ban/jail.local"
796
797	backup_file "$jail_local" 2>/dev/null \|\| true
798
799	log_info "创建Fail2ban配置..."
800
801	cat > "$jail_local" << EOF
802
803	[DEFAULT]
804
805	# 封禁时间（秒）
806
807	bantime = 3600
808
809
810
811	# 查找时间窗口（秒）
812
813	findtime = 600
814
815
816
817	# 最大尝试次数
818
819	maxretry = 5
820
821
822
823	[sshd]
824
825	enabled = true
826
827	port = $SSH_PORT
828
829	filter = sshd
830
831	logpath = /var/log/auth.log
832
833	maxretry = 3
834
835	bantime = 7200
836
837
838
839	[sshd-ddos]
840
841	enabled = true
842
843	port = $SSH_PORT
844
845	filter = sshd-ddos
846
847	logpath = /var/log/auth.log
848
849	maxretry = 2
850
851	bantime = 7200
852
853	EOF
854
855	safe_execute "systemctl enable fail2ban" "启用Fail2ban服务"
856
857	safe_execute "systemctl restart fail2ban" "重启Fail2ban服务"
858
859	sleep 2
860
861	if command -v fail2ban-client &> /dev/null; then
862
863	log_success "Fail2ban配置完成"
864
865	fail2ban-client status 2>/dev/null \| head -5
866
867	fi
868
869	}
870
871
872
873	# 7. 用户和权限管理
874
875	harden_users() {
876
877	log_section "用户和权限加固"
878
879	# 密码策略
880
881	log_info "配置密码策略..."
882
883	if ! dpkg -l \| grep -q libpam-pwquality; then
884
885	safe_execute "apt install libpam-pwquality -y" "安装密码质量检查工具"
886
887	fi
888
889	local pwquality_file="/etc/security/pwquality.conf"
890
891	backup_file "$pwquality_file"
892
893	cat >> "$pwquality_file" << 'EOF'
894
895
896
897	# 密码安全策略
898
899	minlen = 12
900
901	dcredit = -1
902
903	ucredit = -1
904
905	lcredit = -1
906
907	ocredit = -1
908
909	maxrepeat = 3
910
911	EOF
912
913	# 密码过期策略
914
915	local login_defs="/etc/login.defs"
916
917	if [[ -f "$login_defs" ]]; then
918
919	backup_file "$login_defs"
920
921	safe_execute "sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' '$login_defs'" "设置密码最大有效期"
922
923	safe_execute "sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 1/' '$login_defs'" "设置密码最小间隔"
924
925	safe_execute "sed -i 's/^PASS_WARN_AGE.*/PASS_WARN_AGE 14/' '$login_defs'" "设置密码警告时间"
926
927	fi
928
929	log_success "密码策略配置完成"
930
931	# 锁定不必要的系统账户
932
933	log_info "锁定系统账户..."
934
935	local system_users=("bin" "daemon" "adm" "lp" "sync" "shutdown" "halt" "mail" "news" "uucp" "operator" "games" "gopher" "ftp")
936
937	for user in "${system_users[@]}"; do
938
939	if id "$user" &>/dev/null 2>&1; then
940
941	usermod -L -s /usr/sbin/nologin "$user" 2>/dev/null \|\| true
942
943	fi
944
945	done
946
947	log_success "用户加固完成"
948
949	}
950
951
952
953	# 8. 禁用不必要的服务
954
955	disable_services() {
956
957	log_section "禁用不必要的服务"
958
959	local services_to_disable=("avahi-daemon" "cups" "isc-dhcp-server" "isc-dhcp-server6" "bluetooth")
960
961	for service in "${services_to_disable[@]}"; do
962
963	if systemctl is-enabled "$service" &>/dev/null 2>&1; then
964
965	safe_execute "systemctl stop '$service'" "停止服务: $service"
966
967	safe_execute "systemctl disable '$service'" "禁用服务: $service"
968
969	log_info "已禁用服务: $service"
970
971	fi
972
973	done
974
975	log_success "不必要服务禁用完成"
976
977	}
978
979
980
981	# 9. 内核参数安全配置
982
983	harden_kernel() {
984
985	log_section "内核参数安全配置"
986
987	local sysctl_conf="/etc/sysctl.d/99-security.conf"
988
989	backup_file "$sysctl_conf" 2>/dev/null \|\| true
990
991	log_info "配置内核安全参数..."
992
993	cat > "$sysctl_conf" << 'EOF'
994
995	# IP转发禁用
996
997	net.ipv4.ip_forward = 0
998
999	net.ipv6.conf.all.forwarding = 0
1000
1001
1002
1003	# SYN cookies保护
1004
1005	net.ipv4.tcp_syncookies = 1
1006
1007
1008
1009	# 忽略ICMP重定向
1010
1011	net.ipv4.conf.all.accept_redirects = 0
1012
1013	net.ipv6.conf.all.accept_redirects = 0
1014
1015	net.ipv4.conf.default.accept_redirects = 0
1016
1017	net.ipv6.conf.default.accept_redirects = 0
1018
1019
1020
1021	# 忽略安全ICMP重定向
1022
1023	net.ipv4.conf.all.secure_redirects = 0
1024
1025	net.ipv4.conf.default.secure_redirects = 0
1026
1027
1028
1029	# 禁用源路由
1030
1031	net.ipv4.conf.all.accept_source_route = 0
1032
1033	net.ipv6.conf.all.accept_source_route = 0
1034
1035	net.ipv4.conf.default.accept_source_route = 0
1036
1037	net.ipv6.conf.default.accept_source_route = 0
1038
1039
1040
1041	# 记录可疑包
1042
1043	net.ipv4.conf.all.log_martians = 1
1044
1045	net.ipv4.conf.default.log_martians = 1
1046
1047
1048
1049	# 忽略ICMP ping请求
1050
1051	net.ipv4.icmp_echo_ignore_broadcasts = 1
1052
1053
1054
1055	# 反向路径过滤
1056
1057	net.ipv4.conf.all.rp_filter = 1
1058
1059	net.ipv4.conf.default.rp_filter = 1
1060
1061
1062
1063	# 保护系统免受SYN flood攻击
1064
1065	net.ipv4.tcp_max_syn_backlog = 2048
1066
1067	net.ipv4.tcp_synack_retries = 2
1068
1069	net.ipv4.tcp_syn_retries = 5
1070
1071	EOF
1072
1073	if command -v sysctl &> /dev/null; then
1074
1075	safe_execute "sysctl -p '$sysctl_conf'" "应用内核参数配置"
1076
1077	fi
1078
1079	log_success "内核参数配置完成"
1080
1081	}
1082
1083
1084
1085	# 10. 文件系统和权限加固
1086
1087	harden_filesystem() {
1088
1089	log_section "文件系统权限加固"
1090
1091	log_info "设置重要文件权限..."
1092
1093	# 关键配置文件权限
1094
1095	local files_to_protect=(
1096
1097	"/etc/ssh/sshd_config:600"
1098
1099	"/etc/passwd:644"
1100
1101	"/etc/shadow:640"
1102
1103	"/etc/group:644"
1104
1105	"/etc/gshadow:600"
1106
1107	)
1108
1109	for file_perm in "${files_to_protect[@]}"; do
1110
1111	local file="${file_perm%:*}"
1112
1113	local perm="${file_perm#*:}"
1114
1115	if [[ -f "$file" ]]; then
1116
1117	safe_execute "chmod $perm '$file'" "设置文件权限: $file -> $perm"
1118
1119	fi
1120
1121	done
1122
1123	log_success "重要文件权限已加固"
1124
1125	# 查找并报告可疑权限文件
1126
1127	log_info "查找具有SUID/SGID权限的文件（记录到日志）..."
1128
1129	if command -v find &> /dev/null; then
1130
1131	find / -perm /6000 -type f 2>/dev/null >> "$LOG_FILE" \|\| true
1132
1133	fi
1134
1135	}
1136
1137
1138
1139	# 11. 配置自动安全更新
1140
1141	configure_auto_updates() {
1142
1143	log_section "配置自动安全更新"
1144
1145	if ! dpkg -l \| grep -q unattended-upgrades; then
1146
1147	safe_execute "apt install unattended-upgrades apt-listchanges -y" "安装自动更新工具"
1148
1149	fi
1150
1151	if command -v dpkg-reconfigure &> /dev/null; then
1152
1153	safe_execute "echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true \| debconf-set-selections && debconf-show unattended-upgrades" "配置自动更新"
1154
1155	fi
1156
1157	log_success "自动安全更新已启用"
1158
1159	}
1160
1161
1162
1163	# 12. 安装其他安全工具
1164
1165	install_security_tools() {
1166
1167	log_section "安装额外安全工具"
1168
1169	# 优先级安全工具 - 快速加固中最重要的
1170
1171	local priority_tools=("aide" "rkhunter")
1172
1173	# 完整的工具列表 - 自定义模式中可选择
1174
1175	local all_tools=("aide" "rkhunter" "logwatch" "auditd" "chkrootkit")
1176
1177	# 智能选择 - 根据加固模式选择工具
1178
1179	local tools=()
1180
1181	if [[ "${INSTALL_MODE:-full}" == "priority" ]]; then
1182
1183	tools=("${priority_tools[@]}")
1184
1185	log_info "快速加固模式: 安装关键安全工具"
1186
1187	else
1188
1189	tools=("${all_tools[@]}")
1190
1191	log_info "完整安装模式: 安装所有推荐安全工具"
1192
1193	fi
1194
1195	for tool in "${tools[@]}"; do
1196
1197	if apt list --installed 2>/dev/null \| grep -q "^$tool/"; then
1198
1199	log_info "$tool 已安装"
1200
1201	continue
1202
1203	fi
1204
1205	# 智能安装 - 跳过可能的不可用工具
1206
1207	case "$tool" in
1208
1209	"auditd")
1210
1211	if ! dpkg -l \| grep -q "auditd"; then
1212
1213	if safe_execute "apt install '$tool' -y" "安装安全工具: $tool"; then
1214
1215	safe_execute "systemctl enable auditd" "启用auditd服务"
1216
1217	safe_execute "systemctl start auditd" "启动auditd服务"
1218
1219	log_success "已安装并启用: $tool"
1220
1221	else
1222
1223	log_warning "跳过 $tool 安装"
1224
1225	fi
1226
1227	fi
1228
1229	;;
1230
1231	"chkrootkit")
1232
1233	if safe_execute "apt install '$tool' -y" "安装安全工具: $tool"; then
1234
1235	log_success "已安装: $tool"
1236
1237	else
1238
1239	log_warning "跳过 $tool 安装"
1240
1241	fi
1242
1243	;;
1244
1245	*)
1246
1247	if safe_execute "apt install '$tool' -y" "安装安全工具: $tool"; then
1248
1249	# 特殊配置
1250
1251	case "$tool" in
1252
1253	"rkhunter")
1254
1255	if command -v rkhunter &> /dev/null; then
1256
1257	safe_execute "rkhunter --update" "更新rkhunter数据库"
1258
1259	safe_execute "rkhunter --propupd" "更新rkhunter属性"
1260
1261	fi
1262
1263	;;
1264
1265	esac
1266
1267	log_success "已安装: $tool"
1268
1269	else
1270
1271	log_warning "跳过 $tool 安装"
1272
1273	fi
1274
1275	;;
1276
1277	esac
1278
1279	done
1280
1281	# 显示安装总结
1282
1283	log_info "安全工具安装总结:"
1284
1285	for tool in "${tools[@]}"; do
1286
1287	if command -v "$tool" &>/dev/null; then
1288
1289	log_success "✓ $tool - 已安装"
1290
1291	else
1292
1293	log_info "- $tool - 跳过或安装失败"
1294
1295	fi
1296
1297	done
1298
1299	}
1300
1301
1302
1303	# 13. 生成加固报告
1304
1305	generate_report() {
1306
1307	log_section "生成安全加固报告"
1308
1309	local report_file="/root/security_hardening_report_$(date +%Y%m%d_%H%M%S).txt"
1310
1311	# 安全获取系统信息
1312
1313	local os_info=$(lsb_release -d 2>/dev/null \| cut -f2 \|\| echo "Unknown")
1314
1315	local kernel_info=$(uname -r)
1316
1317	local hostname_info=$(hostname)
1318
1319	cat > "$report_file" << EOF
1320
1321	================================================================================
1322
1323	服务器安全加固报告
1324
1325	================================================================================
1326
1327	生成时间: $(date)
1328
1329	主机名: $hostname_info
1330
1331	操作系统: $os_info
1332
1333	内核版本: $kernel_info
1334
1335
1336
1337	--------------------------------------------------------------------------------
1338
1339	1. SSH配置
1340
1341	--------------------------------------------------------------------------------
1342
1343	$(grep -E "^(Port\|PermitRootLogin\|PasswordAuthentication)" /etc/ssh/sshd_config 2>/dev/null \|\| echo "SSH配置不可读")
1344
1345
1346
1347	--------------------------------------------------------------------------------
1348
1349	2. 防火墙状态
1350
1351	--------------------------------------------------------------------------------
1352
1353	$(ufw status verbose 2>/dev/null \|\| echo "UFW不可用")
1354
1355
1356
1357	--------------------------------------------------------------------------------
1358
1359	3. Fail2ban状态
1360
1361	--------------------------------------------------------------------------------
1362
1363	$(fail2ban-client status 2>/dev/null \|\| echo "Fail2ban未运行")
1364
1365
1366
1367	--------------------------------------------------------------------------------
1368
1369	4. 已安装的安全工具
1370
1371	--------------------------------------------------------------------------------
1372
1373	$(dpkg -l 2>/dev/null \| grep -E "fail2ban\|ufw\|aide\|rkhunter\|logwatch\|unattended-upgrades" \| awk '{print $2 " " $3}' \| column -t \|\| echo "无法获取包信息")
1374
1375
1376
1377	--------------------------------------------------------------------------------
1378
1379	5. 活动监听端口
1380
1381	--------------------------------------------------------------------------------
1382
1383	$(ss -tunlp 2>/dev/null \|\| netstat -tunlp 2>/dev/null \|\| echo "端口信息不可用")
1384
1385
1386
1387	--------------------------------------------------------------------------------
1388
1389	6. 管理用户
1390
1391	--------------------------------------------------------------------------------
1392
1393	$(grep -E ":(sudo\|admin)" /etc/group 2>/dev/null \| head -5 \|\| echo "无管理用户组")
1394
1395
1396
1397	--------------------------------------------------------------------------------
1398
1399	备份目录: $BACKUP_DIR
1400
1401	日志文件: $LOG_FILE
1402
1403	配置完成时间: $(date)
1404
1405	--------------------------------------------------------------------------------
1406
1407	EOF
1408
1409	log_success "安全加固报告已生成: $report_file"
1410
1411	# 显示报告摘要
1412
1413	echo -e "${CYAN}报告摘要:${NC}"
1414
1415	echo "- 操作系统: $os_info"
1416
1417	echo "- SSH端口: $SSH_PORT"
1418
1419	echo "- 管理员用户: $ADMIN_USERNAME"
1420
1421	echo "- 防火墙: $(ufw status 2>/dev/null \| grep -q "active" && echo "已启用" \|\| echo "未启用")"
1422
1423	echo "- Fail2ban: $(systemctl is-active fail2ban 2>/dev/null \|\| echo "未运行")"
1424
1425	echo ""
1426
1427	echo -e "${YELLOW}完整报告请查看: $report_file${NC}"
1428
1429	}
1430
1431
1432
1433	################################################################################
1434
1435	# 快速加固流程
1436
1437	################################################################################
1438
1439
1440
1441	quick_hardening() {
1442
1443	log_section "开始快速加固"
1444
1445	log_warning "这将应用所有推荐的安全设置"
1446
1447	# 设置快速加固模式 - 优先安装关键安全工具
1448
1449	export INSTALL_MODE="priority"
1450
1451	# 执行所有加固步骤
1452
1453	collect_system_info
1454
1455	update_system
1456
1457	harden_ssh
1458
1459	manage_users
1460
1461	configure_firewall
1462
1463	install_fail2ban
1464
1465	harden_users
1466
1467	disable_services
1468
1469	harden_kernel
1470
1471	harden_filesystem
1472
1473	configure_auto_updates
1474
1475	install_security_tools
1476
1477	generate_report
1478
1479	log_section "快速加固完成"
1480
1481	show_completion_message
1482
1483	}
1484
1485
1486
1487	################################################################################
1488
1489	# 自定义加固流程
1490
1491	################################################################################
1492
1493
1494
1495	custom_hardening() {
1496
1497	while true; do
1498
1499	show_custom_menu
1500
1501	local choice=$(get_menu_choice 1 13)
1502
1503	case $choice in
1504
1505	1)
1506
1507	collect_system_info
1508
1509	update_system
1510
1511	;;
1512
1513	2)
1514
1515	show_ssh_config_menu
1516
1517	;;
1518
1519	3)
1520
1521	show_user_config_menu
1522
1523	;;
1524
1525	4)
1526
1527	configure_firewall
1528
1529	;;
1530
1531	5)
1532
1533	install_fail2ban
1534
1535	;;
1536
1537	6)
1538
1539	harden_users
1540
1541	;;
1542
1543	7)
1544
1545	disable_services
1546
1547	;;
1548
1549	8)
1550
1551	harden_kernel
1552
1553	;;
1554
1555	9)
1556
1557	harden_filesystem
1558
1559	;;
1560
1561	10)
1562
1563	configure_auto_updates
1564
1565	;;
1566
1567	11)
1568
1569	export INSTALL_MODE="full"
1570
1571	install_security_tools
1572
1573	;;
1574
1575	12)
1576
1577	generate_report
1578
1579	;;
1580
1581	13)
1582
1583	return 0
1584
1585	;;
1586
1587	esac
1588
1589	echo ""
1590
1591	echo -e "${YELLOW}按回车键继续...${NC}"
1592
1593	read
1594
1595	done
1596
1597	}
1598
1599
1600
1601	show_ssh_config_menu() {
1602
1603	show_menu
1604
1605	echo -e "${CYAN}SSH配置选项:${NC}"
1606
1607	echo ""
1608
1609	echo -e "${GREEN}1)${NC} 标准配置 (端口2222, 禁用root, 禁用密码)"
1610
1611	echo -e "${GREEN}2)${NC} 安全配置 (端口22, 禁用root, 禁用密码)"
1612
1613	echo -e "${GREEN}3)${NC} 自定义端口 (输入端口号)"
1614
1615	echo -e "${GREEN}4)${NC} 返回"
1616
1617	echo ""
1618
1619	echo -e "${YELLOW}请选择SSH配置 [1-4]: ${NC}\c"
1620
1621	local ssh_choice=$(get_menu_choice 1 4)
1622
1623	case $ssh_choice in
1624
1625	1)
1626
1627	SSH_PORT=2222
1628
1629	harden_ssh
1630
1631	;;
1632
1633	2)
1634
1635	SSH_PORT=22
1636
1637	harden_ssh
1638
1639	;;
1640
1641	3)
1642
1643	echo -e "${YELLOW}请输入SSH端口号 (1024-65535): ${NC}\c"
1644
1645	read -p "" custom_port
1646
1647	if [[ "$custom_port" =~ ^[0-9]+$ ]] && [[ "$custom_port" -gt 1024 ]] && [[ "$custom_port" -lt 65536 ]]; then
1648
1649	SSH_PORT=$custom_port
1650
1651	harden_ssh
1652
1653	else
1654
1655	log_error "无效的端口号"
1656
1657	fi
1658
1659	;;
1660
1661	4)
1662
1663	return 0
1664
1665	;;
1666
1667	esac
1668
1669	}
1670
1671
1672
1673	show_user_config_menu() {
1674
1675	show_menu
1676
1677	echo -e "${CYAN}用户管理配置选项:${NC}"
1678
1679	echo ""
1680
1681	echo -e "${GREEN}1)${NC} 创建admin用户 (推荐)"
1682
1683	echo -e "${GREEN}2)${NC} 创建operator用户"
1684
1685	echo -e "${GREEN}3)${NC} 自定义用户名"
1686
1687	echo -e "${GREEN}4)${NC} 跳过用户创建"
1688
1689	echo ""
1690
1691	echo -e "${YELLOW}请选择用户配置 [1-4]: ${NC}\c"
1692
1693	local user_choice=$(get_menu_choice 1 4)
1694
1695	case $user_choice in
1696
1697	1)
1698
1699	ADMIN_USERNAME="admin"
1700
1701	manage_users
1702
1703	;;
1704
1705	2)
1706
1707	ADMIN_USERNAME="operator"
1708
1709	manage_users
1710
1711	;;
1712
1713	3)
1714
1715	echo -e "${YELLOW}请输入用户名: ${NC}\c"
1716
1717	read -p "" ADMIN_USERNAME
1718
1719	if [[ -n "$ADMIN_USERNAME" ]] && [[ "$ADMIN_USERNAME" =~ ^[a-z_][a-z0-9_-]*$ ]]; then
1720
1721	manage_users
1722
1723	else
1724
1725	log_error "无效的用户名"
1726
1727	fi
1728
1729	;;
1730
1731	4)
1732
1733	log_info "跳过用户创建"
1734
1735	;;
1736
1737	esac
1738
1739	}
1740
1741
1742
1743	################################################################################
1744
1745	# 完成消息
1746
1747	################################################################################
1748
1749
1750
1751	show_completion_message() {
1752
1753	echo -e "${GREEN}"
1754
1755	cat << EOF
1756
1757	╔══════════════════════════════════════════════════════════════╗
1758
1759	║ 安全加固已完成！ ║
1760
1761	╚══════════════════════════════════════════════════════════════╝
1762
1763
1764
1765	重要提醒:
1766
1767	1. SSH访问信息:
1768
1769	- 端口: $SSH_PORT
1770
1771	- 用户: $ADMIN_USERNAME
1772
1773	- 认证方式: SSH密钥 (推荐)
1774
1775	2. 文件位置:
1776
1777	- 配置备份: $BACKUP_DIR
1778
1779	- 详细日志: $LOG_FILE
1780
1781	- 安全报告: /root/security_hardening_report_*.txt
1782
1783
1784
1785	3. 后续步骤:
1786
1787	- 使用SSH密钥登录新用户账户
1788
1789	- 验证防火墙规则: ufw status
1790
1791	- 检查Fail2ban状态: fail2ban-client status
1792
1793	- 重启服务器以确保所有更改生效
1794
1795
1796
1797	4. 安全检查:
1798
1799	- 定期检查 /var/log/auth.log
1800
1801	- 运行: rkhunter --check (如已安装)
1802
1803	- 监控fail2ban日志: tail -f /var/log/fail2ban.log
1804
1805
1806
1807	EOF
1808
1809	echo -e "${NC}"
1810
1811	if [[ "$ENABLE_AUTO_REBOOT" == "true" ]]; then
1812
1813	echo -e "${YELLOW}是否重启服务器以确保所有更改生效？${NC}"
1814
1815	echo -e "${GREEN}1)${NC} 是，立即重启"
1816
1817	echo -e "${GREEN}2)${NC} 否，稍后手动重启"
1818
1819	echo ""
1820
1821	echo -e "${YELLOW}请选择 [1-2]: ${NC}\c"
1822
1823	local reboot_choice=$(get_menu_choice 1 2)
1824
1825	case $reboot_choice in
1826
1827	1)
1828
1829	log "系统将在10秒后重启..."
1830
1831	sleep 10
1832
1833	if command -v reboot &> /dev/null; then
1834
1835	reboot
1836
1837	else
1838
1839	shutdown -r now
1840
1841	fi
1842
1843	;;
1844
1845	2)
1846
1847	log_info "请记得稍后手动重启服务器"
1848
1849	;;
1850
1851	esac
1852
1853	fi
1854
1855	}
1856
1857
1858
1859	################################################################################
1860
1861	# 主程序
1862
1863	################################################################################
1864
1865
1866
1867	main() {
1868
1869	# 检查root权限
1870
1871	check_root
1872
1873	while true; do
1874
1875	show_main_menu
1876
1877	local choice=$(get_menu_choice 1 5)
1878
1879	case $choice in
1880
1881	1)
1882
1883	log "开始快速加固流程..."
1884
1885	quick_hardening
1886
1887	break
1888
1889	;;
1890
1891	2)
1892
1893	log "开始自定义加固流程..."
1894
1895	custom_hardening
1896
1897	;;
1898
1899	3)
1900
1901	log "开始系统更新..."
1902
1903	collect_system_info
1904
1905	update_system
1906
1907	echo ""
1908
1909	echo -e "${YELLOW}按回车键返回主菜单...${NC}"
1910
1911	read
1912
1913	;;
1914
1915	4)
1916
1917	show_security_status
1918
1919	;;
1920
1921	5)
1922
1923	log "退出脚本"
1924
1925	exit 0
1926
1927	;;
1928
1929	esac
1930
1931	done
1932
1933	}
1934
1935
1936
1937	# 运行主程序
1938
1939	main "$@"
1940