#!/bin/bash
# =========================================
# Linux 生产环境一键加固脚本
# 适用: CentOS 7/8、RHEL 7/8
# 作者: 运维老司机
# =========================================
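set -euo pipefail

# ---------------------------------------------------------------------------
# Tunables. Every value is overridable from the environment; the defaults are
# the ones the script originally hard-coded, so existing invocations behave
# the same.
# ---------------------------------------------------------------------------
SSH_PORT=${SSH_PORT:-2233}
ADMIN_USER=${ADMIN_USER:-opsadmin}
# Public key for ADMIN_USER: either the key text (ADMIN_PUBKEY) or a path to a
# file holding one key line (ADMIN_PUBKEY_FILE). Without a key on file the
# script keeps PasswordAuthentication enabled rather than lock everyone out
# (ssh-copy-id cannot be used once password logins are refused).
ADMIN_PUBKEY=${ADMIN_PUBKEY:-}
ADMIN_PUBKEY_FILE=${ADMIN_PUBKEY_FILE:-}
# Source range placed in firewalld's "trusted" zone. Note that "trusted" accepts
# ALL traffic from the range, not only SSH — keep it as narrow as possible.
TRUSTED_NET=${TRUSTED_NET:-10.0.0.0/16}
BACKUP_DIR=${BACKUP_DIR:-/root/security-backup-$(date +%F)}
readonly SSH_PORT ADMIN_USER TRUSTED_NET BACKUP_DIR

# sshd keywords managed by this script; pre-existing values for them are
# stripped when sshd_config has to be edited in place (see harden_sshd).
readonly -a SSHD_KEYS=(Port PermitRootLogin PasswordAuthentication
  PubkeyAuthentication MaxAuthTries ClientAliveInterval ClientAliveCountMax
  X11Forwarding AllowUsers)

# Set by install_admin_pubkey: 1 when authorized_keys holds at least one key.
KEY_INSTALLED=0

die()  { printf 'ERROR: %s\n' "$*" >&2; exit 1; }
warn() { printf 'WARN: %s\n' "$*" >&2; }
step() { printf '%s\n' "$*"; }

#######################################
# Install packages with yum. stdout is silenced, stderr is kept so a failure
# (missing repo, unknown package) is diagnosable instead of vanishing.
# Arguments: package names
# Returns:   yum's exit status
#######################################
pkg_install() {
  yum install -y "$@" >/dev/null
}

#######################################
# Step 1: copy the configuration this script is about to change.
# Globals:  BACKUP_DIR (read)
#######################################
backup_configs() {
  step "[1/8] 备份关键配置..."
  # 0700: the backup contains sshd_config, sudoers drop-ins, firewall rules.
  mkdir -p -m 0700 -- "$BACKUP_DIR"
  chmod 0700 -- "$BACKUP_DIR"
  local path
  for path in /etc/ssh/sshd_config /etc/ssh/sshd_config.d /etc/firewalld \
              /etc/sysctl.conf /etc/sysctl.d /etc/security/pwquality.conf \
              /etc/sudoers.d /etc/fail2ban /etc/audit/rules.d; do
    [[ -e "$path" ]] || continue   # not every release ships every path
    cp -a -- "$path" "$BACKUP_DIR"/
  done
}

#######################################
# Install the operator's public key into ADMIN_USER's authorized_keys.
# Arguments: $1 - home directory of ADMIN_USER
# Globals:   ADMIN_PUBKEY, ADMIN_PUBKEY_FILE (read); KEY_INSTALLED (written)
# Exits via die when a key was supplied but is unreadable or not a public key.
#######################################
install_admin_pubkey() {
  local home=$1
  local key=$ADMIN_PUBKEY
  if [[ -z "$key" && -n "$ADMIN_PUBKEY_FILE" ]]; then
    [[ -r "$ADMIN_PUBKEY_FILE" ]] || die "cannot read ADMIN_PUBKEY_FILE=$ADMIN_PUBKEY_FILE"
    key=$(<"$ADMIN_PUBKEY_FILE")
  fi

  local auth_keys=$home/.ssh/authorized_keys
  local grp
  grp=$(id -gn "$ADMIN_USER")

  if [[ -n "$key" ]]; then
    # One key per invocation; a multi-line value is almost certainly a mistake.
    [[ "$key" != *$'\n'* ]] || die "ADMIN_PUBKEY must contain exactly one key line"
    # ssh-keygen -l refuses anything it cannot parse as a key.
    local probe
    probe=$(mktemp)
    printf '%s\n' "$key" > "$probe"
    if ! ssh-keygen -lf "$probe" >/dev/null; then
      rm -f -- "$probe"
      die "ADMIN_PUBKEY is not a valid OpenSSH public key"
    fi
    rm -f -- "$probe"

    touch -- "$auth_keys"
    # -x -F: whole-line fixed-string match, so re-runs do not duplicate the key.
    grep -qxF -- "$key" "$auth_keys" || printf '%s\n' "$key" >> "$auth_keys"
    chown -- "$ADMIN_USER:$grp" "$auth_keys"
    chmod 0600 -- "$auth_keys"
  fi

  if [[ -s "$auth_keys" ]]; then KEY_INSTALLED=1; else KEY_INSTALLED=0; fi
}

#######################################
# Step 2: create the operations account with passwordless sudo and an
# ~/.ssh directory, then install the public key if one was supplied.
# Globals:  ADMIN_USER (read)
#######################################
create_admin_user() {
  step "[2/8] 创建运维账号..."
  if ! id "$ADMIN_USER" &>/dev/null; then
    useradd -m -s /bin/bash -- "$ADMIN_USER"
  fi
  local home
  home=$(getent passwd "$ADMIN_USER" | cut -d: -f6)
  [[ -n "$home" ]] || die "cannot resolve home directory of $ADMIN_USER"

  # NOPASSWD is a deliberate choice inherited from the original script. What the
  # original missed: sudo only honours a root-owned drop-in that is not
  # group/world-writable and whose name has no '.' in it, and an unvalidated
  # drop-in with a syntax error disables sudo for every user on the host.
  local sudoers_file=/etc/sudoers.d/${ADMIN_USER//./_}
  local tmp
  tmp=$(mktemp)
  printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$ADMIN_USER" > "$tmp"
  chmod 0440 -- "$tmp"
  if ! visudo -cf "$tmp" >/dev/null; then
    rm -f -- "$tmp"
    die "generated sudoers entry failed visudo validation"
  fi
  install -o root -g root -m 0440 -- "$tmp" "$sudoers_file"
  rm -f -- "$tmp"

  local grp
  grp=$(id -gn "$ADMIN_USER")
  install -d -o "$ADMIN_USER" -g "$grp" -m 0700 -- "$home/.ssh"
  install_admin_pubkey "$home"
}

#######################################
# Step 3: password quality policy.
#######################################
configure_password_policy() {
  step "[3/8] 配置密码策略..."
  pkg_install libpwquality || warn "libpwquality install failed; existing policy kept"
  # NOTE(review): the original file also set "remember = 5". That is a
  # pam_pwhistory/pam_unix option, not a pwquality one, and libpwquality may
  # reject the whole file on an unknown key. Password history belongs in the
  # PAM stack (authselect/authconfig), which this script does not modify.
  cat > /etc/security/pwquality.conf <<'EOF'
minlen = 12
dcredit = -1
lcredit = -1
ucredit = -1
ocredit = -1
EOF
}

#######################################
# Let sshd bind SSH_PORT under SELinux. Without the port label an enforcing
# host silently fails to listen on the new port and the later firewall step
# (which closes 22) would cut off all remote access.
# Globals:  SSH_PORT (read)
#######################################
allow_selinux_ssh_port() {
  command -v getenforce >/dev/null || return 0
  [[ "$(getenforce)" == Disabled ]] && return 0
  if ! command -v semanage >/dev/null; then
    # EL8 ships semanage in policycoreutils-python-utils, EL7 in policycoreutils-python.
    pkg_install policycoreutils-python-utils 2>/dev/null \
      || pkg_install policycoreutils-python 2>/dev/null || true
  fi
  command -v semanage >/dev/null \
    || die "SELinux is $(getenforce) but semanage is unavailable; cannot label port $SSH_PORT"
  if ! semanage port -l | grep -Eq "^ssh_port_t[[:space:]]+tcp[[:space:]].*\b${SSH_PORT}\b"; then
    # -a fails when the port is already defined for another type; -m re-labels it.
    semanage port -a -t ssh_port_t -p tcp "$SSH_PORT" 2>/dev/null \
      || semanage port -m -t ssh_port_t -p tcp "$SSH_PORT"
  fi
}

#######################################
# True when some process listens on TCP port $1 (IPv4 or IPv6).
#######################################
tcp_port_listening() {
  ss -ltn | awk 'NR > 1 { print $4 }' | grep -Eq "[:.]${1}\$"
}

#######################################
# Step 4: apply the sshd hardening and make sure sshd really serves the new
# port before anything else depends on it.
# Globals:  SSH_PORT, ADMIN_USER, KEY_INSTALLED, SSHD_KEYS (read)
#######################################
harden_sshd() {
  step "[4/8] SSH 加固..."
  local pw_auth=no
  if (( KEY_INSTALLED == 0 )); then
    warn "no public key on file for $ADMIN_USER; keeping PasswordAuthentication yes (set ADMIN_PUBKEY or ADMIN_PUBKEY_FILE, or add the key and disable it by hand)"
    pw_auth=yes
  fi
  allow_selinux_ssh_port

  local -a directives=(
    "Port $SSH_PORT"
    "PermitRootLogin no"
    "PasswordAuthentication $pw_auth"
    "PubkeyAuthentication yes"
    "MaxAuthTries 3"
    "ClientAliveInterval 300"
    "ClientAliveCountMax 2"
    "X11Forwarding no"
    "AllowUsers $ADMIN_USER"
  )
  local main_cfg=/etc/ssh/sshd_config
  local dropin=/etc/ssh/sshd_config.d/00-hardening.conf

  if grep -Eiq '^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config\.d/' "$main_cfg"; then
    # The drop-in directory is honoured. sshd keeps the FIRST value it sees for a
    # keyword, and the Include precedes the rest of the file, so these win.
    mkdir -p /etc/ssh/sshd_config.d
    printf '%s\n' "${directives[@]}" > "$dropin"
    if ! sshd -t; then
      rm -f -- "$dropin"
      die "sshd rejected the hardening drop-in; removed it, sshd_config left as before"
    fi
  else
    # OpenSSH on EL7/EL8 predates the Include directive, so a drop-in there is
    # never read (the original script only appeared to harden sshd on those
    # releases). Edit sshd_config itself: our block goes first (first value
    # wins) and existing lines for the same keywords are dropped, including
    # ones inside Match blocks and our own block from a previous run.
    local key_pattern tmp
    key_pattern=$(IFS='|'; printf '%s' "${SSHD_KEYS[*]}")
    tmp=$(mktemp)
    {
      printf '# --- managed by hardening script ---\n'
      printf '%s\n' "${directives[@]}"
      printf '# --- end managed block ---\n'
      grep -Eiv -e "^[[:space:]]*(${key_pattern})([[:space:]]|\$)" \
                -e '^# --- (managed by hardening script|end managed block) ---$' \
                "$main_cfg" || true   # grep -v exits 1 if nothing is left to print
    } > "$tmp"
    if ! sshd -t -f "$tmp"; then
      rm -f -- "$tmp"
      die "generated sshd_config failed 'sshd -t'; $main_cfg left untouched"
    fi
    install -o root -g root -m 0600 -- "$tmp" "$main_cfg"
    rm -f -- "$tmp"
  fi

  # If firewalld is already active, open the new port in the runtime config now
  # so a failure between here and step 5 cannot leave the host unreachable.
  if systemctl is-active --quiet firewalld; then
    firewall-cmd --add-port="$SSH_PORT/tcp" >/dev/null || true
  fi

  systemctl reload sshd
  # Re-exec after SIGHUP is not instantaneous; give it a few seconds.
  local attempt
  for attempt in 1 2 3 4 5; do
    tcp_port_listening "$SSH_PORT" && return 0
    sleep 1
  done
  die "sshd is not listening on port $SSH_PORT after reload; stopping before the firewall closes port 22"
}

#######################################
# Step 5: firewalld zones. Port 22 is closed only after harden_sshd has proven
# the new port answers.
# Globals:  SSH_PORT, TRUSTED_NET (read)
#######################################
configure_firewall() {
  step "[5/8] 配置防火墙..."
  systemctl enable --now firewalld >/dev/null || die "firewalld could not be started"
  firewall-cmd --permanent --zone=trusted --add-source="$TRUSTED_NET" >/dev/null
  firewall-cmd --permanent --zone=public --add-port="$SSH_PORT/tcp" >/dev/null
  firewall-cmd --permanent --zone=public --add-service=http >/dev/null
  firewall-cmd --permanent --zone=public --add-service=https >/dev/null
  firewall-cmd --permanent --zone=public --remove-service=ssh >/dev/null
  firewall-cmd --reload >/dev/null
}

#######################################
# Step 6: kernel network hardening. "all" covers interfaces that exist now,
# "default" covers ones created later (hot-plug, containers, VPN); both are
# needed or new interfaces come up with kernel defaults.
#######################################
apply_sysctl() {
  step "[6/8] 应用内核安全参数..."
  cat > /etc/sysctl.d/99-security.conf <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
EOF
  sysctl --system >/dev/null
}

#######################################
# Step 7: fail2ban, AIDE and ClamAV. Installing alone achieves nothing: the
# EPEL fail2ban enables no jail, AIDE has no baseline database, and freshclam
# is not scheduled — the original script left all three idle.
# Globals:  SSH_PORT (read)
#######################################
deploy_ids() {
  step "[7/8] 部署 fail2ban + AIDE..."
  pkg_install epel-release \
    || warn "epel-release not installed (RHEL: enable EPEL manually); fail2ban/clamav may be unavailable"
  if ! pkg_install fail2ban aide clamav clamav-update; then
    warn "fail2ban/aide/clamav could not be installed; skipping step 7"
    return 0
  fi

  # The sshd jail must be enabled explicitly and told about the non-default port.
  mkdir -p /etc/fail2ban/jail.d
  cat > /etc/fail2ban/jail.d/sshd.local <<EOF
[sshd]
enabled = true
port = $SSH_PORT
EOF
  systemctl enable --now fail2ban

  # AIDE baseline (paths per EL's default aide.conf). --init walks the whole
  # filesystem once and can take several minutes.
  if [[ ! -s /var/lib/aide/aide.db.gz ]]; then
    if aide --init >/dev/null; then
      mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
    else
      warn "aide --init failed; no integrity baseline was created"
    fi
  fi
  # Some builds ship a timer unit; otherwise fall back to a daily cron check.
  if ! systemctl enable --now aide-check.timer &>/dev/null; then
    printf '0 3 * * * root %s --check 2>&1 | /usr/bin/logger -t aide\n' \
      "$(command -v aide)" > /etc/cron.d/aide-check
    chmod 0644 /etc/cron.d/aide-check
  fi

  systemctl enable --now clamav-freshclam 2>/dev/null \
    || warn "clamav-freshclam unit not present; schedule freshclam manually"
}

#######################################
# Step 8: auditd with a minimal rule set covering the files this script
# itself makes security-relevant.
#######################################
configure_auditd() {
  step "[8/8] 配置审计日志..."
  # The EL package is "audit" (auditd is the daemon inside it). "yum install
  # auditd" is not resolvable on EL7/8 and, with stderr discarded, used to
  # abort the original script at this point without a word.
  pkg_install audit || die "failed to install the audit package"
  mkdir -p /etc/audit/rules.d
  cat > /etc/audit/rules.d/99-hardening.rules <<'EOF'
## Changes to privilege and remote-access configuration
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
-w /etc/ssh/sshd_config -p wa -k sshd
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
EOF
  systemctl enable --now auditd
  augenrules --load >/dev/null \
    || warn "augenrules --load failed; rules take effect at next auditd start"
}

#######################################
# Final operator instructions. They differ depending on whether a key was
# installed, because ssh-copy-id is impossible once passwords are refused.
# Globals:  SSH_PORT, ADMIN_USER, BACKUP_DIR, KEY_INSTALLED (read)
#######################################
print_summary() {
  printf '========================================\n'
  printf ' 加固完成!请做以下事项:\n'
  if (( KEY_INSTALLED )); then
    printf ' 1. 在新窗口用密钥验证登录: ssh -p %s %s@本机IP\n' "$SSH_PORT" "$ADMIN_USER"
  else
    printf ' 1. 尚未安装公钥, 密码登录仍然开启: 先执行 ssh-copy-id -p %s %s@本机IP,\n' "$SSH_PORT" "$ADMIN_USER"
    printf '    再把 sshd 配置中的 PasswordAuthentication 改为 no 并 systemctl reload sshd\n'
  fi
  printf ' 2. 验证新端口可以登录后再退出当前会话\n'
  printf ' 3. 备份目录: %s\n' "$BACKUP_DIR"
  printf '========================================\n'
}

#######################################
# Entry point: preconditions, then the eight steps in order.
#######################################
main() {
  (( EUID == 0 )) || die "this script must run as root"
  command -v yum >/dev/null || die "yum not found; this script targets CentOS/RHEL 7/8"
  backup_configs
  create_admin_user
  configure_password_policy
  harden_sshd
  configure_firewall
  apply_sysctl
  deploy_ids
  configure_auditd
  print_summary
}

main "$@"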