arch_hardening_script.sh

arch_hardening_script.sh · 3.9 KiB · Bash 原始文件

#!/usr/bin/env bash set -euo pipefail # ========================= # Config # ========================= NEW_USER="${1:-dev}" SSH_PORT="${2:-22}" DISABLE_PASSWORD_LOGIN="${3:-false}" PUBKEY="${4:-}" # optional public key # ========================= # UI # ========================= log(){ echo -e "\033[1;32m[INFO]\033[0m $1"; } warn(){ echo -e "\033[1;33m[WARN]\033[0m $1"; } err(){ echo -e "\033[1;31m[ERROR]\033[0m $1"; } confirm(){ read -rp "$1 [y/N]: " ans [[ "$ans" == "y" || "$ans" == "Y" ]] } pause(){ read -rp "Press Enter to continue..." } # ========================= # System Detect # ========================= detect_os(){ if [[ -f /etc/arch-release ]]; then OS="arch" elif grep -qi "debian\|ubuntu" /etc/os-release; then OS="debian" else err "Unsupported OS" exit 1 fi log "Detected OS: $OS" } pkg_install(){ case "$OS" in arch) pacman -Sy --noconfirm "$@" ;; debian) apt-get update && apt-get install -y "$@" ;; esac } # ========================= # User # ========================= create_user(){ if id "$NEW_USER" &>/dev/null; then warn "User exists" else useradd -m -s /bin/bash "$NEW_USER" passwd "$NEW_USER" fi usermod -aG sudo "$NEW_USER" 2>/dev/null || usermod -aG wheel "$NEW_USER" } setup_ssh_key(){ mkdir -p /home/$NEW_USER/.ssh chmod 700 /home/$NEW_USER/.ssh if [[ -n "$PUBKEY" ]]; then log "Adding provided public key" echo "$PUBKEY" > /home/$NEW_USER/.ssh/authorized_keys else warn "No public key provided, please paste one" read -rp "Paste your SSH public key: " key echo "$key" > /home/$NEW_USER/.ssh/authorized_keys fi chmod 600 /home/$NEW_USER/.ssh/authorized_keys chown -R $NEW_USER:$NEW_USER /home/$NEW_USER/.ssh } # ========================= # SSH Hardening # ========================= set_ssh(){ local key="$1" local val="$2" if grep -q "^#\?$key" /etc/ssh/sshd_config; then sed -i "s/^#\?$key.*/$key $val/" /etc/ssh/sshd_config else echo "$key $val" >> /etc/ssh/sshd_config fi } config_ssh(){ cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak.$(date +%s) set_ssh "PermitRootLogin" "no" set_ssh "PubkeyAuthentication" "yes" set_ssh "Port" "$SSH_PORT" if [[ "$DISABLE_PASSWORD_LOGIN" == "true" ]]; then warn "Disabling password login" confirm "Are you sure?" && set_ssh "PasswordAuthentication" "no" else set_ssh "PasswordAuthentication" "yes" fi } restart_ssh(){ systemctl restart ssh 2>/dev/null || systemctl restart sshd } # ========================= # Firewall (UFW) # ========================= setup_ufw(){ log "Setting up UFW firewall" pkg_install ufw ufw allow "$SSH_PORT"/tcp ufw allow 80/tcp ufw allow 443/tcp ufw --force enable } # ========================= # Fail2ban # ========================= setup_fail2ban(){ log "Installing fail2ban" pkg_install fail2ban cat > /etc/fail2ban/jail.local <<EOF [sshd] enabled = true port = $SSH_PORT maxretry = 5 bantime = 1h EOF systemctl enable fail2ban systemctl restart fail2ban } # ========================= # Main # ========================= main(){ if [[ $EUID -ne 0 ]]; then err "Run as root" exit 1 fi detect_os echo "=================================" echo "User: $NEW_USER" echo "Port: $SSH_PORT" echo "Disable Password: $DISABLE_PASSWORD_LOGIN" echo "=================================" confirm "Start?" || exit 0 pause log "Create user" create_user setup_ssh_key pause log "Configure SSH" config_ssh pause log "Setup Firewall" setup_ufw pause log "Setup Fail2ban" setup_fail2ban pause log "Restart SSH" restart_ssh echo "=================================" log "DONE" echo "Test SSH BEFORE exit!" } main "$@"

1	#!/usr/bin/env bash
2	set -euo pipefail
3
4	# =========================
5	# Config
6	# =========================
7	NEW_USER="${1:-dev}"
8	SSH_PORT="${2:-22}"
9	DISABLE_PASSWORD_LOGIN="${3:-false}"
10	PUBKEY="${4:-}" # optional public key
11
12	# =========================
13	# UI
14	# =========================
15
16	log(){ echo -e "\033[1;32m[INFO]\033[0m $1"; }
17	warn(){ echo -e "\033[1;33m[WARN]\033[0m $1"; }
18	err(){ echo -e "\033[1;31m[ERROR]\033[0m $1"; }
19
20	confirm(){
21	read -rp "$1 [y/N]: " ans
22	[[ "$ans" == "y" \|\| "$ans" == "Y" ]]
23	}
24
25	pause(){
26	read -rp "Press Enter to continue..."
27	}
28
29	# =========================
30	# System Detect
31	# =========================
32
33	detect_os(){
34	if [[ -f /etc/arch-release ]]; then
35	OS="arch"
36	elif grep -qi "debian\\|ubuntu" /etc/os-release; then
37	OS="debian"
38	else
39	err "Unsupported OS"
40	exit 1
41	fi
42	log "Detected OS: $OS"
43	}
44
45	pkg_install(){
46	case "$OS" in
47	arch) pacman -Sy --noconfirm "$@" ;;
48	debian) apt-get update && apt-get install -y "$@" ;;
49	esac
50	}
51
52	# =========================
53	# User
54	# =========================
55
56	create_user(){
57	if id "$NEW_USER" &>/dev/null; then
58	warn "User exists"
59	else
60	useradd -m -s /bin/bash "$NEW_USER"
61	passwd "$NEW_USER"
62	fi
63	usermod -aG sudo "$NEW_USER" 2>/dev/null \|\| usermod -aG wheel "$NEW_USER"
64	}
65
66	setup_ssh_key(){
67	mkdir -p /home/$NEW_USER/.ssh
68	chmod 700 /home/$NEW_USER/.ssh
69
70	if [[ -n "$PUBKEY" ]]; then
71	log "Adding provided public key"
72	echo "$PUBKEY" > /home/$NEW_USER/.ssh/authorized_keys
73	else
74	warn "No public key provided, please paste one"
75	read -rp "Paste your SSH public key: " key
76	echo "$key" > /home/$NEW_USER/.ssh/authorized_keys
77	fi
78
79	chmod 600 /home/$NEW_USER/.ssh/authorized_keys
80	chown -R $NEW_USER:$NEW_USER /home/$NEW_USER/.ssh
81	}
82
83	# =========================
84	# SSH Hardening
85	# =========================
86
87	set_ssh(){
88	local key="$1"
89	local val="$2"
90
91	if grep -q "^#\?$key" /etc/ssh/sshd_config; then
92	sed -i "s/^#\?$key.*/$key $val/" /etc/ssh/sshd_config
93	else
94	echo "$key $val" >> /etc/ssh/sshd_config
95	fi
96	}
97
98	config_ssh(){
99	cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak.$(date +%s)
100
101	set_ssh "PermitRootLogin" "no"
102	set_ssh "PubkeyAuthentication" "yes"
103	set_ssh "Port" "$SSH_PORT"
104
105	if [[ "$DISABLE_PASSWORD_LOGIN" == "true" ]]; then
106	warn "Disabling password login"
107	confirm "Are you sure?" && set_ssh "PasswordAuthentication" "no"
108	else
109	set_ssh "PasswordAuthentication" "yes"
110	fi
111	}
112
113	restart_ssh(){
114	systemctl restart ssh 2>/dev/null \|\| systemctl restart sshd
115	}
116
117	# =========================
118	# Firewall (UFW)
119	# =========================
120
121	setup_ufw(){
122	log "Setting up UFW firewall"
123
124	pkg_install ufw
125
126	ufw allow "$SSH_PORT"/tcp
127	ufw allow 80/tcp
128	ufw allow 443/tcp
129
130	ufw --force enable
131	}
132
133	# =========================
134	# Fail2ban
135	# =========================
136
137	setup_fail2ban(){
138	log "Installing fail2ban"
139
140	pkg_install fail2ban
141
142	cat > /etc/fail2ban/jail.local <<EOF
143	[sshd]
144	enabled = true
145	port = $SSH_PORT
146	maxretry = 5
147	bantime = 1h
148	EOF
149
150	systemctl enable fail2ban
151	systemctl restart fail2ban
152	}
153
154	# =========================
155	# Main
156	# =========================
157
158	main(){
159	if [[ $EUID -ne 0 ]]; then
160	err "Run as root"
161	exit 1
162	fi
163
164	detect_os
165
166	echo "================================="
167	echo "User: $NEW_USER"
168	echo "Port: $SSH_PORT"
169	echo "Disable Password: $DISABLE_PASSWORD_LOGIN"
170	echo "================================="
171
172	confirm "Start?" \|\| exit 0
173
174	pause
175	log "Create user"
176	create_user
177	setup_ssh_key
178
179	pause
180	log "Configure SSH"
181	config_ssh
182
183	pause
184	log "Setup Firewall"
185	setup_ufw
186
187	pause
188	log "Setup Fail2ban"
189	setup_fail2ban
190
191	pause
192	log "Restart SSH"
193	restart_ssh
194
195	echo "================================="
196	log "DONE"
197	echo "Test SSH BEFORE exit!"
198	}
199
200	main "$@"
201