
#!/bin/bash
# Debian 12 security configuration script: a set of hardening helpers
# (fail2ban, unattended upgrades, sshd, AppArmor, sysctl, ClamAV, sudo)
# dispatched by main() from the first positional argument.
# Stop at the first failing command.  Note that errexit does not cover
# commands inside `if`/`&&`/`||` conditions or non-final pipeline stages.
set -o errexit
# ANSI colour sequences used by the log_* helpers.  The values are the literal
# text `\033[...]` (single-quoted); the helpers expand the escapes when printing.
declare RED='\033[0;31m'
declare GREEN='\033[0;32m'
declare YELLOW='\033[1;33m'
declare BLUE='\033[0;34m'
declare NC='\033[0m'
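# Logging helpers.  Each prints a coloured tag followed by the message.
# All arguments are joined with spaces (the original used only $1, so a
# multi-word call such as `log_info "a" "b"` silently dropped "b").
# `printf '%b'` expands the colour escapes the way `echo -e` did.

# Informational progress message on stdout.
# Arguments: message words
log_info() {
  printf '%b\n' "${BLUE}[INFO]${NC} $*"
}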
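# Success message on stdout; all arguments are joined with spaces.
# Arguments: message words
log_success() {
  printf '%b\n' "${GREEN}[SUCCESS]${NC} $*"
}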
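# Warning message.  Diagnostics go to stderr so they do not mix with the
# status output this script prints on stdout.
# Arguments: message words (joined with spaces)
log_warning() {
  printf '%b\n' "${YELLOW}[WARNING]${NC} $*" >&2
}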
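# Error message on stderr (keeps stdout clean for status output).
# Arguments: message words (joined with spaces)
log_error() {
  printf '%b\n' "${RED}[ERROR]${NC} $*" >&2
}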
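#######################################
# Install fail2ban and write /etc/fail2ban/jail.local (sshd + recidive jails).
# Arguments: none
# Outputs:   progress via the log_* helpers
# Returns:   0 on success; 1 if the generated jail configuration fails
#            fail2ban's own self-test (the service is then left untouched)
#######################################
configure_fail2ban() {
  log_info "配置 fail2ban..."
  apt update
  # ufw is a hard dependency of `banaction = ufw` below (the action shells out
  # to the ufw binary); it is installed but NOT enabled here -- NOTE(review):
  # confirm the firewall script enables it, otherwise bans are never enforced.
  # python3-systemd is what lets fail2ban read the journal (backend = systemd).
  apt install -y fail2ban python3-systemd ufw
  # Debian 12 does not ship rsyslog by default, so /var/log/auth.log is usually
  # absent and a jail pointing at it fails to start; the sshd jail therefore
  # reads the journal.  The separate sshd-ddos filter no longer exists in
  # fail2ban >= 0.10 -- `mode = aggressive` on the sshd filter covers those
  # patterns.  Jails not mentioned here inherit jail.conf's `enabled = false`,
  # so the former long opt-out list was redundant.
  cat > /etc/fail2ban/jail.local << 'EOF'
# EM Script Library - Fail2Ban Configuration
[DEFAULT]
# Ban hosts for one hour:
bantime = 3600
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = ufw
# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
findtime = 600
maxretry = 5
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
port = ssh
# Read sshd messages from the systemd journal instead of /var/log/auth.log.
backend = systemd
# Also match pre-auth disconnects / probing (what the old sshd-ddos filter did).
mode = aggressive
maxretry = 3
bantime = 86400

[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = ufw
bantime = 604800
findtime = 86400
maxretry = 5
EOF
  # Validate before restarting so a broken jail file never takes the
  # running service down.
  if ! fail2ban-client -t >/dev/null; then
    log_error "fail2ban 配置测试失败,未重启服务"
    return 1
  fi
  systemctl restart fail2ban
  systemctl enable fail2ban
  log_success "fail2ban 配置完成"
}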
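#######################################
# Install unattended-upgrades and write its APT configuration.
# Arguments: none
# Outputs:   progress via the log_* helpers
# Returns:   0 on success (apt/systemctl failures abort via `set -e`)
#######################################
configure_auto_updates() {
  log_info "配置自动安全更新..."
  apt install -y unattended-upgrades apt-listchanges
  # Allowed-Origins is limited to the release, its -security and -updates
  # suites.  The former list also pulled -proposed and -backports, which
  # installs untested or newer-than-stable packages unattended, and an
  # "ESM" origin that only exists on Ubuntu.  The heredoc is quoted on purpose:
  # ${distro_id}/${distro_codename} are APT macros, not shell variables.
  cat > /etc/apt/apt.conf.d/50unattended-upgrades << 'EOF'
// EM Script Library - Unattended Upgrades Configuration
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
"${distro_id}:${distro_codename}-updates";
};
Unattended-Upgrade::Package-Blacklist {
};
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::InstallOnShutdown "false";
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::MailOnlyOnError "true";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
Unattended-Upgrade::SyslogEnable "true";
Unattended-Upgrade::SyslogFacility "daemon";
EOF
  # Periodic switches read by the apt-daily / apt-daily-upgrade timers.
  cat > /etc/apt/apt.conf.d/20auto-upgrades << 'EOF'
// EM Script Library - Auto Upgrades Configuration
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF
  # Mail "root" above needs a local MTA -- NOTE(review): confirm one is installed.
  systemctl restart unattended-upgrades
  systemctl enable unattended-upgrades
  log_success "自动安全更新配置完成"
}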
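#######################################
# Harden sshd via a drop-in under /etc/ssh/sshd_config.d/.
#
# Why a drop-in instead of sed + append on sshd_config:
#  * the old sed patterns only matched commented-out lines such as
#    `#PermitRootLogin yes`; Debian 12 ships `#PermitRootLogin prohibit-password`,
#    so most of them never matched and the settings were not applied;
#  * `cat >>` appended the same block on every run;
#  * sshd keeps the FIRST value of a directive, and Debian 12's sshd_config
#    starts with `Include /etc/ssh/sshd_config.d/*.conf`, so a drop-in wins
#    over anything later in the main file.
#  * `Protocol 2` was dropped: SSH-1 no longer exists in OpenSSH.
#
# Arguments: none
# Outputs:   progress via the log_* helpers
# Returns:   1 (without touching sshd) when no authorized_keys file exists,
#            since disabling password login would then lock everyone out;
#            exits 1 if the new configuration fails `sshd -t` (after restore)
#######################################
harden_ssh() {
  log_info "强化 SSH 配置..."
  local -r main_cfg=/etc/ssh/sshd_config
  local -r dropin_dir=/etc/ssh/sshd_config.d
  local -r dropin="${dropin_dir}/99-em-hardening.conf"
  local backup
  backup="${main_cfg}.backup.$(date +%Y%m%d_%H%M%S)"
  # Lock-out guard: PasswordAuthentication no + PermitRootLogin prohibit-password
  # means key-only login; refuse when no key is installed for root or any user.
  if ! compgen -G '/root/.ssh/authorized_keys' >/dev/null \
      && ! compgen -G '/home/*/.ssh/authorized_keys' >/dev/null; then
    log_error "未找到任何 authorized_keys,禁用密码登录会导致无法登录,已中止 SSH 强化"
    return 1
  fi
  cp -- "$main_cfg" "$backup"
  mkdir -p -- "$dropin_dir"
  # Make sure the drop-in is actually read, and read first.
  if ! grep -qE '^\s*Include\s+/etc/ssh/sshd_config\.d/\*\.conf' "$main_cfg"; then
    sed -i '1i Include /etc/ssh/sshd_config.d/*.conf' "$main_cfg"
  fi
  cat > "$dropin" << 'EOF'
# EM Script Library - SSH Hardening
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
MaxSessions 5
ClientAliveInterval 300
ClientAliveCountMax 2
# 禁用 TCP 转发
AllowTcpForwarding no
X11Forwarding no
# 禁用用户环境设置
PermitUserEnvironment no
# 限制登录用户(取消注释并修改为允许的用户)
# AllowUsers yourusername
# 使用强加密算法
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# 日志级别
LogLevel VERBOSE
EOF
  # Validate the effective configuration before restarting the daemon.
  if sshd -t; then
    systemctl restart ssh
    log_success "SSH 配置强化完成"
  else
    log_error "SSH 配置测试失败,已恢复原始配置"
    # Restore exactly this run's backup (a glob could match several old ones).
    rm -f -- "$dropin"
    cp -- "$backup" "$main_cfg"
    systemctl restart ssh
    exit 1
  fi
}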
#######################################
# Install AppArmor with its utilities and default profiles, enable and start
# the service, then report its status.
# Arguments: none
# Outputs:   progress via the log_* helpers; first 10 lines of `aa-status`
# Returns:   0 (a non-working aa-status is only warned about)
#######################################
configure_apparmor() {
  log_info "配置 AppArmor..."
  local -a pkgs=(apparmor apparmor-utils apparmor-profiles)
  apt install -y "${pkgs[@]}"
  systemctl enable apparmor
  systemctl start apparmor
  # aa-status exits non-zero when the module is not loaded or not enabled.
  if ! aa-status >/dev/null 2>&1; then
    log_warning "AppArmor 可能未正确启用"
    return 0
  fi
  log_success "AppArmor 配置完成"
  aa-status | head -10
}
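#######################################
# Write /etc/sysctl.d/99-security.conf and apply it.
# Arguments: none
# Outputs:   progress via the log_* helpers; sysctl echoes each applied key
# Returns:   0 on success
#######################################
configure_kernel_security() {
  log_info "配置内核安全参数..."
  cat > /etc/sysctl.d/99-security.conf << 'EOF'
# EM Script Library - Kernel Security Configuration
# 网络安全
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# IPv6 安全
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# TCP 安全
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_max_syn_backlog = 2048
# Ignore RST for sockets in TIME_WAIT (RFC 1337 TIME-WAIT assassination)
net.ipv4.tcp_rfc1337 = 1
# ICMP 安全
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# 文件系统安全
fs.suid_dumpable = 0
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
kernel.randomize_va_space = 2
# Kernel information disclosure: hide kernel pointers, restrict dmesg to root
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
# 进程安全
kernel.panic = 10
kernel.panic_on_oops = 1
EOF
  # -e: a key that does not exist on this kernel (e.g. net.ipv6.* when IPv6 is
  # disabled) is skipped instead of failing the whole run under `set -e` after
  # only part of the file was applied.
  sysctl -e -p /etc/sysctl.d/99-security.conf
  log_success "内核安全参数配置完成"
}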
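#######################################
# Install ClamAV, fetch the signature database and install a daily cron scan.
# Arguments: none
# Outputs:   progress via the log_* helpers
# Returns:   0 (a failed signature download is only warned about)
#######################################
configure_clamav() {
  log_info "安装和配置 ClamAV..."
  apt install -y clamav clamav-daemon
  # The freshclam service is stopped for the manual run (a concurrent instance
  # locks the database directory).  A download failure -- no network yet, mirror
  # down -- must neither abort the whole script under `set -e` nor leave the
  # service stopped, as the previous unguarded `freshclam` call did.
  systemctl stop clamav-freshclam
  if ! freshclam; then
    log_warning "病毒库更新失败,clamav-freshclam 服务将在后台重试"
  fi
  systemctl start clamav-freshclam
  systemctl enable clamav-freshclam
  # Daily scan.  Changes from the previous version: directories are kept in an
  # array and only existing ones are scanned; the log is truncated per run
  # (`--log` appends, so a single old FOUND line re-triggered the alert every
  # day); the verdict comes from clamscan's exit status, not from grepping.
  cat > /etc/cron.daily/clamav-scan << 'EOF'
#!/bin/bash
# EM Script Library - ClamAV Daily Scan
SCAN_DIRS=(/home /tmp /var/tmp /var/www)
LOG_FILE="/var/log/clamav/daily-scan.log"
mkdir -p /var/log/clamav
targets=()
for d in "${SCAN_DIRS[@]}"; do
  [[ -d "$d" ]] && targets+=("$d")
done
(( ${#targets[@]} > 0 )) || exit 0
: > "$LOG_FILE"
clamscan -r --infected --quiet --log="$LOG_FILE" "${targets[@]}"
rc=$?
# clamscan exit status: 0 = clean, 1 = infected file(s) found, 2 = error
if (( rc == 1 )); then
  if command -v mail >/dev/null 2>&1; then
    mail -s "ClamAV Virus Alert" root < "$LOG_FILE"
  fi
elif (( rc == 2 )); then
  echo "clamscan reported errors, see $LOG_FILE" >&2
  exit 2
fi
EOF
  chmod +x /etc/cron.daily/clamav-scan
  log_success "ClamAV 配置完成"
}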
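#######################################
# Install a sudoers drop-in at /etc/sudoers.d/em-security.
#
# The file is written to a temporary path, checked with `visudo -c`, and only
# then installed with mode 0440.  The previous version wrote straight into
# /etc/sudoers.d and validated afterwards, so a syntax error would already have
# broken sudo system-wide; it also left the file at the umask default (0644),
# which sudo rejects ("should be 0440") and then ignores.
#
# Arguments: none
# Outputs:   progress via the log_* helpers; visudo diagnostics on failure
# Returns:   0 on success, 1 if mktemp fails or the file does not validate
#######################################
configure_sudo() {
  log_info "配置 sudo 安全策略..."
  local -r target=/etc/sudoers.d/em-security
  local tmp
  tmp=$(mktemp) || {
    log_error "无法创建临时文件"
    return 1
  }
  cat > "$tmp" << 'EOF'
# EM Script Library - Sudo Security Configuration
# 要求密码验证
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# 记录 sudo 命令
Defaults log_host, log_year, logfile="/var/log/sudo.log"
# 限制环境变量
Defaults env_check+="HOME EDITOR"
Defaults env_delete+="HOME EDITOR"
# 超时设置
Defaults timestamp_timeout=15
# 允许特定用户组使用 sudo
#%sudo ALL=(ALL:ALL) ALL
EOF
  # Validate first; install atomically with the ownership and mode sudo requires.
  if ! visudo -c -f "$tmp"; then
    rm -f -- "$tmp"
    log_error "sudoers 配置语法错误,未安装"
    return 1
  fi
  install -o root -g root -m 0440 -- "$tmp" "$target"
  rm -f -- "$tmp"
  log_success "sudo 安全配置完成"
}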
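#######################################
# Print a short security status summary to stdout.
# Arguments: none
# Outputs:   sshd effective settings, ufw, fail2ban, unattended-upgrades,
#            selected sysctl values and listening sockets
# Returns:   0 (every probe is best-effort; pipelines end in `head`)
#######################################
show_security_status() {
  log_info "系统安全状态检查:"
  echo "=== SSH 配置 ==="
  # sshd -T prints the effective configuration (Include files resolved).
  sshd -T 2>/dev/null | grep -E "(permitrootlogin|passwordauthentication|maxauthtries)" | head -5
  echo ""
  echo "=== 防火墙状态 ==="
  if command -v ufw >/dev/null 2>&1; then
    ufw status | head -10
  else
    echo "ufw 未安装"
  fi
  echo ""
  echo "=== Fail2Ban 状态 ==="
  fail2ban-client status 2>/dev/null || echo "Fail2Ban 未运行"
  echo ""
  echo "=== 自动更新状态 ==="
  systemctl is-active unattended-upgrades 2>/dev/null || echo "自动更新未启用"
  echo ""
  echo "=== 内核安全参数 ==="
  sysctl -a 2>/dev/null | grep -E "(rp_filter|accept_redirects|tcp_syncookies)" | head -5
  echo ""
  echo "=== 开放端口 ==="
  # -H drops the header.  Both TCP (LISTEN) and UDP (UNCONN) sockets are shown;
  # the previous `grep LISTEN` hid every UDP listener.
  ss -tulnH | head -10
}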
#######################################
# Print the usage text to stdout.
# Arguments: none
# Outputs:   help text; the program name is taken from $0 as invoked
#######################################
show_help() {
  local -r prog=$0
  cat <<EOF
Debian 12 安全配置工具
用法: ${prog} [选项] [操作]
操作:
fail2ban 配置 fail2ban 入侵检测
auto-updates 配置自动安全更新
ssh-harden 强化 SSH 配置
apparmor 配置 AppArmor
kernel-sec 配置内核安全参数
clamav 安装和配置 ClamAV 杀毒软件
sudo-config 配置 sudo 安全策略
status 显示安全状态
all 执行所有安全配置
选项:
-h, --help 显示此帮助信息
示例:
${prog} fail2ban # 配置 fail2ban
${prog} ssh-harden # 强化 SSH
${prog} status # 查看安全状态
${prog} all # 执行所有配置
EOF
}
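#######################################
# Entry point: dispatch on the first positional argument.
# Globals:   EUID (read) - every action except the help text needs root,
#            since they write under /etc and call apt/systemctl
# Arguments: $1 - action name (see show_help); empty, -h or --help prints usage
# Outputs:   progress via the log_* helpers
# Returns:   0 on success; exits 1 on an unknown action or when not root
#######################################
main() {
  # ${1-} keeps this safe if `set -u` is ever enabled.
  local action=${1-}
  if [[ -n "$action" && "$action" != -h && "$action" != --help && $EUID -ne 0 ]]; then
    log_error "请以 root 身份运行此脚本"
    exit 1
  fi
  case "$action" in
    fail2ban)
      configure_fail2ban
      ;;
    auto-updates)
      configure_auto_updates
      ;;
    ssh-harden)
      harden_ssh
      ;;
    apparmor)
      configure_apparmor
      ;;
    kernel-sec)
      configure_kernel_security
      ;;
    clamav)
      configure_clamav
      ;;
    sudo-config)
      configure_sudo
      ;;
    status)
      # Read-only report: no "configuration complete" banner afterwards.
      show_security_status
      return 0
      ;;
    all)
      configure_fail2ban
      configure_auto_updates
      harden_ssh
      configure_apparmor
      configure_kernel_security
      configure_clamav
      configure_sudo
      ;;
    ""|-h|--help)
      show_help
      return 0
      ;;
    *)
      log_error "未知操作: $action"
      show_help
      exit 1
      ;;
  esac
  log_success "安全配置完成!"
}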
# Run the dispatcher with all command-line arguments passed through unchanged.
main "${@}"