#!/bin/bash
# Debian 12 security configuration script
# System security hardening and configuration
set -e

# Colour definitions
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

# Logging helpers
log_info()    { echo -e "${BLUE}[INFO]${NC} $1"; }
log_success() { echo -e "${GREEN}[SUCCESS]${NC} $1"; }
log_warning() { echo -e "${YELLOW}[WARNING]${NC} $1"; }
log_error()   { echo -e "${RED}[ERROR]${NC} $1"; }

# Every action except "status" and help rewrites system files, so insist on root
require_root() {
    if [[ $EUID -ne 0 ]]; then
        log_error "This script must be run as root"
        exit 1
    fi
}

# Configure fail2ban
configure_fail2ban() {
    log_info "配置 fail2ban..."

    apt update
    # "banaction = ufw" below needs the ufw binary installed
    apt install -y fail2ban ufw

    # Local jail override. Only the jails that are switched on are listed;
    # every other jail keeps its default (disabled) state from jail.conf, so the
    # long list of "enabled = false" sections is not needed.
    cat > /etc/fail2ban/jail.local << 'EOF'
# EM Script Library - Fail2Ban Configuration
[DEFAULT]
# Ban hosts for one hour:
bantime = 3600

# Override the Debian default banaction (see /etc/fail2ban/jail.d/defaults-debian.conf):
banaction = ufw

# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
findtime = 600
maxretry = 5

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
port = ssh
filter = sshd
# Debian's jail.conf already reads sshd events from the systemd journal, which
# is what a minimal Debian 12 install has (there is no rsyslog and therefore no
# /var/log/auth.log), so no logpath is set here.
# The separate "sshd-ddos" filter no longer exists in current fail2ban; the
# aggressive mode of the sshd filter covers the same pre-auth disconnects.
mode = aggressive
maxretry = 3
bantime = 86400

[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = ufw
bantime = 604800
findtime = 86400
maxretry = 5
EOF

    systemctl restart fail2ban
    systemctl enable fail2ban

    # ufw bans only take effect once the firewall itself is active
    if ! ufw status 2>/dev/null | grep -q '^Status: active'; then
        log_warning "ufw is installed but not active; bans via 'banaction = ufw' will not be enforced until 'ufw enable' is run"
    fi
    log_success "fail2ban 配置完成"
}

# Configure automatic security updates
configure_auto_updates() {
    log_info "配置自动安全更新..."

    apt install -y unattended-upgrades apt-listchanges

    # Unattended-upgrades policy
    cat > /etc/apt/apt.conf.d/50unattended-upgrades << 'EOF'
// EM Script Library - Unattended Upgrades Configuration
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";
    // The entries below match nothing on Debian 12: the ESM origin exists only
    // on Ubuntu, Debian's proposed suite is named "-proposed-updates", and the
    // backports archive uses the origin "Debian Backports". They are kept here
    // commented out so they are not mistaken for an active policy.
    // "${distro_id}ESM:${distro_codename}";
    // "${distro_id}:${distro_codename}-proposed";
    // "${distro_id}:${distro_codename}-backports";
};
Unattended-Upgrade::Package-Blacklist {
};
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::InstallOnShutdown "false";
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::MailOnlyOnError "true";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
Unattended-Upgrade::SyslogEnable "true";
Unattended-Upgrade::SyslogFacility "daemon";
EOF

    # Enable the periodic APT run that triggers unattended-upgrades
    cat > /etc/apt/apt.conf.d/20auto-upgrades << 'EOF'
// EM Script Library - Auto Upgrades Configuration
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF

    systemctl restart unattended-upgrades
    systemctl enable unattended-upgrades
    log_success "自动安全更新配置完成"
}

# Harden the SSH configuration
harden_ssh() {
    log_info "强化 SSH 配置..."

    local cfg=/etc/ssh/sshd_config
    local backup="${cfg}.backup.$(date +%Y%m%d_%H%M%S)"

    # Back up the original configuration (the exact path is kept so the restore
    # below cannot pick up several backups at once)
    cp "$cfg" "$backup"

    # Set each directive whether it is currently commented out or already set.
    # Debian 12 ships e.g. "#PermitRootLogin prohibit-password", which a literal
    # "#PermitRootLogin yes" pattern would never match.
    sed -i -E 's/^#?PermitRootLogin[[:space:]].*/PermitRootLogin without-password/' "$cfg"
    sed -i -E 's/^#?PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' "$cfg"
    sed -i -E 's/^#?PermitEmptyPasswords[[:space:]].*/PermitEmptyPasswords no/' "$cfg"
    sed -i -E 's/^#?MaxAuthTries[[:space:]].*/MaxAuthTries 3/' "$cfg"
    sed -i -E 's/^#?MaxSessions[[:space:]].*/MaxSessions 5/' "$cfg"
    sed -i -E 's/^#?ClientAliveInterval[[:space:]].*/ClientAliveInterval 300/' "$cfg"
    sed -i -E 's/^#?ClientAliveCountMax[[:space:]].*/ClientAliveCountMax 2/' "$cfg"
    # (The old "Protocol 2" edit is dropped: current OpenSSH only speaks protocol 2
    # and no longer accepts the directive.)

    # Additional hardening. Note that sshd uses the first value it reads for a
    # directive and Debian 12's sshd_config starts with
    # "Include /etc/ssh/sshd_config.d/*.conf", so any drop-in that sets one of
    # these directives wins over the lines appended here; "sshd -T" shows the
    # effective values.
    cat >> "$cfg" << 'EOF'

# EM Script Library - SSH Hardening
# Disable TCP and X11 forwarding
AllowTcpForwarding no
X11Forwarding no

# Disable user-supplied environment
PermitUserEnvironment no

# Restrict which users may log in (uncomment and set to the allowed users)
# AllowUsers yourusername

# Strong algorithms only
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

# Log level
LogLevel VERBOSE
EOF

    # Validate before restarting; roll back to the backup on failure
    if sshd -t; then
        systemctl restart ssh
        log_success "SSH 配置强化完成"
    else
        log_error "SSH 配置测试失败,已恢复原始配置"
        cp "$backup" "$cfg"
        systemctl restart ssh
        exit 1
    fi
}

# Configure AppArmor
configure_apparmor() {
    log_info "配置 AppArmor..."

    apt install -y apparmor apparmor-utils apparmor-profiles

    # Enable AppArmor
    systemctl enable apparmor
    systemctl start apparmor

    # Check status
    if aa-status >/dev/null 2>&1; then
        log_success "AppArmor 配置完成"
        aa-status | head -10
    else
        log_warning "AppArmor 可能未正确启用"
    fi
}

# Configure kernel security parameters
configure_kernel_security() {
    log_info "配置内核安全参数..."

    cat > /etc/sysctl.d/99-security.conf << 'EOF'
# EM Script Library - Kernel Security Configuration

# Network security
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# IPv6 security
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# TCP security
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_max_syn_backlog = 2048

# ICMP security
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# File system security
fs.suid_dumpable = 0
kernel.randomize_va_space = 2

# Process security (note: panic_on_oops turns any kernel oops into a reboot
# after 10 seconds; this trades availability for a clean fail-stop)
kernel.panic = 10
kernel.panic_on_oops = 1
EOF

    sysctl -p /etc/sysctl.d/99-security.conf
    log_success "内核安全参数配置完成"
}

# Install and configure the ClamAV antivirus
configure_clamav() {
    log_info "安装和配置 ClamAV..."

    apt install -y clamav clamav-daemon

    # Update the signature database (freshclam refuses to run while the service holds its lock)
    systemctl stop clamav-freshclam
    freshclam
    systemctl start clamav-freshclam
    systemctl enable clamav-freshclam

    # Daily scheduled scan
    cat > /etc/cron.daily/clamav-scan << 'EOF'
#!/bin/bash
# EM Script Library - ClamAV Daily Scan
SCAN_DIRS=(/home /tmp /var/tmp /var/www)
LOG_DIR=/var/log/clamav
# One log per day: clamscan --log appends, so reusing a single file would
# re-trigger the alert every day after the first detection
LOG_FILE="$LOG_DIR/daily-scan-$(date +%Y%m%d).log"

mkdir -p "$LOG_DIR"
# clamscan exits 1 when something was found and 2 on errors (e.g. a missing
# directory); both are expected here and must not stop the report
clamscan -r --log="$LOG_FILE" --quiet "${SCAN_DIRS[@]}"

# Send a report if anything was found ("mail" needs an MTA such as mailutils;
# fall back to syslog when it is absent)
if grep -q "FOUND" "$LOG_FILE"; then
    if command -v mail >/dev/null 2>&1; then
        mail -s "ClamAV Virus Alert" root < "$LOG_FILE"
    else
        logger -t clamav-scan "infected files found, see $LOG_FILE"
    fi
fi
EOF

    chmod +x /etc/cron.daily/clamav-scan
    log_success "ClamAV 配置完成"
}

# Configure sudo
configure_sudo() {
    log_info "配置 sudo 安全策略..."

    # Write to a temporary file and only install it once visudo accepts it, so a
    # syntax error can never leave a broken file in /etc/sudoers.d
    local tmp
    tmp=$(mktemp)
    cat > "$tmp" << 'EOF'
# EM Script Library - Sudo Security Configuration

# Require password authentication and a sane environment
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Log sudo commands
Defaults log_host, log_year, logfile="/var/log/sudo.log"

# Restrict environment variables
Defaults env_check+="HOME EDITOR"
Defaults env_delete+="HOME EDITOR"

# Credential cache timeout (minutes)
Defaults timestamp_timeout=15

# Allow a specific group to use sudo
#%sudo ALL=(ALL:ALL) ALL
EOF

    # sudoers.d files must be root-owned, mode 0440
    chmod 0440 "$tmp"
    if visudo -c -f "$tmp"; then
        install -o root -g root -m 0440 "$tmp" /etc/sudoers.d/em-security
        rm -f "$tmp"
        log_success "sudo 安全配置完成"
    else
        rm -f "$tmp"
        log_error "sudoers file failed validation; nothing was installed"
        exit 1
    fi
}

# Show security status
show_security_status() {
    log_info "系统安全状态检查:"

    echo "=== SSH 配置 ==="
    sshd -T | grep -E "(permitrootlogin|passwordauthentication|maxauthtries)" | head -5
    echo ""

    echo "=== 防火墙状态 ==="
    ufw status 2>/dev/null | head -10 || echo "ufw 未安装"
    echo ""

    echo "=== Fail2Ban 状态 ==="
    fail2ban-client status 2>/dev/null || echo "Fail2Ban 未运行"
    echo ""

    echo "=== 自动更新状态 ==="
    systemctl is-active unattended-upgrades 2>/dev/null || echo "自动更新未启用"
    echo ""

    echo "=== 内核安全参数 ==="
    sysctl -a 2>/dev/null | grep -E "(rp_filter|accept_redirects|tcp_syncookies)" | head -5
    echo ""

    echo "=== 开放端口 ==="
    ss -tuln | grep LISTEN | head -10
}

# Show help
show_help() {
    cat << EOF
Debian 12 安全配置工具

用法: $0 [选项] [操作]

操作:
    fail2ban        配置 fail2ban 入侵检测
    auto-updates    配置自动安全更新
    ssh-harden      强化 SSH 配置
    apparmor        配置 AppArmor
    kernel-sec      配置内核安全参数
    clamav          安装和配置 ClamAV 杀毒软件
    sudo-config     配置 sudo 安全策略
    status          显示安全状态
    all             执行所有安全配置

选项:
    -h, --help      显示此帮助信息

示例:
    $0 fail2ban       # 配置 fail2ban
    $0 ssh-harden     # 强化 SSH
    $0 status         # 查看安全状态
    $0 all            # 执行所有配置
EOF
}

# Main function
main() {
    local action="$1"

    case "$action" in
        fail2ban)
            require_root
            configure_fail2ban
            ;;
        auto-updates)
            require_root
            configure_auto_updates
            ;;
        ssh-harden)
            require_root
            harden_ssh
            ;;
        apparmor)
            require_root
            configure_apparmor
            ;;
        kernel-sec)
            require_root
            configure_kernel_security
            ;;
        clamav)
            require_root
            configure_clamav
            ;;
        sudo-config)
            require_root
            configure_sudo
            ;;
        status)
            show_security_status
            exit 0
            ;;
        all)
            require_root
            configure_fail2ban
            configure_auto_updates
            harden_ssh
            configure_apparmor
            configure_kernel_security
            configure_clamav
            configure_sudo
            ;;
        ""|-h|--help)
            show_help
            exit 0
            ;;
        *)
            log_error "未知操作: $action"
            show_help
            exit 1
            ;;
    esac

    log_success "安全配置完成!"
}

# Run main
main "$@"
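The SSH hardening above edits `sshd_config` with `sed` and appends directives at the end of the file, which only works if nothing earlier in the file (including a drop-in pulled in by Debian 12's leading `Include /etc/ssh/sshd_config.d/*.conf`) already sets the same directive, because sshd keeps the first value it reads. The following POSIX sh helper, added here as an example and not part of the original script, reproduces that first-value-wins rule over the text of a single config file and audits the directives the script intends to set. The file content, the directive list and the function names are constructed for the example; on a live host `sshd -T`, which the script's `status` action already uses, remains the authoritative check because it also follows `Include`.

```shell
#!/bin/sh
# Added example (not from the original script). Mirrors sshd's "first value
# wins" lookup for one directive in one file; it does not follow Include lines.
# Assumes the common "Directive value" form (sshd also accepts "Directive=value").

# effective_sshd_value <config-file> <Directive>
# Prints the value of the first non-comment line that sets the directive
# (case-insensitive), or nothing if the file never sets it.
effective_sshd_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        tolower($1) == key { print $2; exit }  # first match wins, like sshd
    ' "$1"
}

# audit_sshd_config <config-file>
# Compares the effective values against the settings the hardening script
# intends. Prints one line per directive; returns 1 if any value differs.
audit_sshd_config() {
    cfg="$1"
    rc=0
    while read -r directive expected; do
        actual=$(effective_sshd_value "$cfg" "$directive")
        if [ "$actual" = "$expected" ]; then
            printf 'OK   %s = %s\n' "$directive" "$actual"
        else
            printf 'FAIL %s = %s (expected %s)\n' "$directive" "${actual:-<unset>}" "$expected"
            rc=1
        fi
    done << 'EOF'
PasswordAuthentication no
PermitRootLogin without-password
MaxAuthTries 3
EOF
    return "$rc"
}

# make_sample_config
# Writes a constructed sample (not a real sshd_config) to a temp file and prints
# its path. An earlier line, as a drop-in would provide, sets
# PasswordAuthentication yes; the "hardening" lines are appended afterwards,
# exactly the situation the cat >> approach cannot detect.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" << 'EOF'
# constructed sample for the example
PasswordAuthentication yes
#PermitRootLogin prohibit-password
MaxAuthTries 3

# appended hardening block
PasswordAuthentication no
PermitRootLogin without-password
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: build the sample, audit it, clean up.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    sample=$(make_sample_config)
    audit_sshd_config "$sample" || echo "audit found overridden directives"
    rm -f "$sample"
fi
```

Running the block prints `OK` for `PermitRootLogin` and `MaxAuthTries` but `FAIL PasswordAuthentication = yes (expected no)`, because the earlier `yes` is the value sshd would actually use; the appended `no` never takes effect. The same helper can be pointed at a real `/etc/ssh/sshd_config` to spot such overrides before relying on the status output.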