From 0ea0d34c2cb3c7ce5488fc666598a18b8a96d574 Mon Sep 17 00:00:00 2001 
From: vboxuser Date: Thu, 22 Jan 2026 20:37:34 +0300 Subject: [PATCH] Initial commit: saikyo-server-security --- bin/saikyo-harden | 287 ++++++++++++++++++ bin/saikyo-security-audit | 230 ++++++++++++++ .../dh_installchangelogs.dch.trimmed | 6 + .../installed-by-dh_install | 3 + .../installed-by-dh_installdocs | 0 debian/changelog | 6 + debian/control | 19 ++ debian/debhelper-build-stamp | 1 + debian/files | 2 + debian/install | 3 + debian/postinst | 17 ++ debian/rules | 10 + debian/saikyo-server-security.substvars | 2 + .../saikyo-server-security/DEBIAN/conffiles | 3 + debian/saikyo-server-security/DEBIAN/control | 16 + debian/saikyo-server-security/DEBIAN/md5sums | 3 + debian/saikyo-server-security/DEBIAN/postinst | 17 ++ .../etc/audit/rules.d/99-saikyo-audit.rules | 58 ++++ .../sshd_config.d/99-saikyo-hardening.conf | 41 +++ .../etc/sysctl.d/99-saikyo-security.conf | 51 ++++ .../usr/bin/saikyo-harden | 287 ++++++++++++++++++ .../usr/bin/saikyo-security-audit | 230 ++++++++++++++ .../doc/saikyo-server-security/changelog.gz | Bin 0 -> 171 bytes etc/audit/rules.d/99-saikyo-audit.rules | 58 ++++ .../sshd_config.d/99-saikyo-hardening.conf | 41 +++ etc/sysctl.d/99-saikyo-security.conf | 51 ++++ 26 files changed, 1442 insertions(+) create mode 100644 bin/saikyo-harden create mode 100644 bin/saikyo-security-audit create mode 100644 debian/.debhelper/generated/saikyo-server-security/dh_installchangelogs.dch.trimmed create mode 100644 debian/.debhelper/generated/saikyo-server-security/installed-by-dh_install create mode 100644 debian/.debhelper/generated/saikyo-server-security/installed-by-dh_installdocs create mode 100644 debian/changelog create mode 100644 debian/control create mode 100644 debian/debhelper-build-stamp create mode 100644 debian/files create mode 100644 debian/install create mode 100755 debian/postinst create mode 100755 debian/rules create mode 100644 debian/saikyo-server-security.substvars create mode 100644 
debian/saikyo-server-security/DEBIAN/conffiles create mode 100644 debian/saikyo-server-security/DEBIAN/control create mode 100644 debian/saikyo-server-security/DEBIAN/md5sums create mode 100755 debian/saikyo-server-security/DEBIAN/postinst create mode 100644 debian/saikyo-server-security/etc/audit/rules.d/99-saikyo-audit.rules create mode 100644 debian/saikyo-server-security/etc/ssh/sshd_config.d/99-saikyo-hardening.conf create mode 100644 debian/saikyo-server-security/etc/sysctl.d/99-saikyo-security.conf create mode 100755 debian/saikyo-server-security/usr/bin/saikyo-harden create mode 100755 debian/saikyo-server-security/usr/bin/saikyo-security-audit create mode 100644 debian/saikyo-server-security/usr/share/doc/saikyo-server-security/changelog.gz create mode 100644 etc/audit/rules.d/99-saikyo-audit.rules create mode 100644 etc/ssh/sshd_config.d/99-saikyo-hardening.conf create mode 100644 etc/sysctl.d/99-saikyo-security.conf diff --git a/bin/saikyo-harden b/bin/saikyo-harden new file mode 100644 index 0000000..536baae --- /dev/null +++ b/bin/saikyo-harden 
@@ -0,0 +1,287 @@
+#!/bin/bash
+# Saikyo OS Server Hardening Script
+# Copyright (c) 2025-2026 OOO "SAIKO"
+# License: GPL-3.0
+
+set -e
+
+VERSION="1.0.0"
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+log_info() { echo -e "[${BLUE}INFO${NC}] $1"; }
+log_ok() { echo -e "[${GREEN}OK${NC}] $1"; }
+log_warn() { echo -e "[${YELLOW}WARN${NC}] $1"; }
+log_error() { echo -e "[${RED}ERROR${NC}] $1"; }
+
+check_root() {
+ if [ "$(id -u)" -ne 0 ]; then
+ log_error "Требуются права root. Используйте sudo."
+ exit 1
+ fi
+}
+
+harden_ssh() {
+ log_info "Настройка SSH..."
+
+ SSH_CONFIG="/etc/ssh/sshd_config"
+ SSH_BACKUP="/etc/ssh/sshd_config.bak.$(date +%Y%m%d)"
+
+ cp "$SSH_CONFIG" "$SSH_BACKUP"
+
+ # Disable root login
+ sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' "$SSH_CONFIG"
+
+ # Disable password auth
+ sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' "$SSH_CONFIG"
+
+ # Enable pubkey auth
+ sed -i 's/^#*PubkeyAuthentication.*/PubkeyAuthentication yes/' "$SSH_CONFIG"
+
+ # Disable empty passwords
+ sed -i 's/^#*PermitEmptyPasswords.*/PermitEmptyPasswords no/' "$SSH_CONFIG"
+
+ # Set max auth tries
+ sed -i 's/^#*MaxAuthTries.*/MaxAuthTries 3/' "$SSH_CONFIG"
+
+ # Set login grace time
+ sed -i 's/^#*LoginGraceTime.*/LoginGraceTime 60/' "$SSH_CONFIG"
+
+ systemctl reload sshd 2>/dev/null || systemctl reload ssh 2>/dev/null || true
+
+ log_ok "SSH настроен"
+}
+
+harden_passwords() {
+ log_info "Настройка политики паролей..."
+
+ PWQUALITY="/etc/security/pwquality.conf"
+
+ cat > "$PWQUALITY" << 'EOF'
+# Saikyo OS Server Password Policy
+# Соответствует требованиям ПП РФ №1236
+
+minlen = 12
+minclass = 3
+maxrepeat = 3
+maxclassrepeat = 4
+lcredit = -1
+ucredit = -1
+dcredit = -1
+ocredit = -1
+dictcheck = 1
+usercheck = 1
+enforcing = 1
+EOF
+
+ log_ok "Политика паролей настроена"
+}
+
+harden_kernel() {
+ log_info "Настройка параметров ядра..."
+
+ SYSCTL_CONF="/etc/sysctl.d/99-saikyo-security.conf"
+
+ cat > "$SYSCTL_CONF" << 'EOF'
+# Saikyo OS Server Kernel Security Settings
+# Соответствует требованиям ПП РФ №1236
+
+# Disable IP forwarding
+net.ipv4.ip_forward = 0
+net.ipv6.conf.all.forwarding = 0
+
+# Ignore ICMP redirects
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
+# Ignore source-routed packets
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv6.conf.all.accept_source_route = 0
+
+# Enable TCP SYN cookies
+net.ipv4.tcp_syncookies = 1
+
+# Ignore ICMP broadcasts
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# Enable reverse path filtering
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# Log martian packets
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+
+# Restrict core dumps
+fs.suid_dumpable = 0
+
+# Randomize virtual address space
+kernel.randomize_va_space = 2
+
+# Restrict dmesg access
+kernel.dmesg_restrict = 1
+
+# Restrict kernel pointers
+kernel.kptr_restrict = 2
+EOF
+
+ sysctl -p "$SYSCTL_CONF" > /dev/null 2>&1
+
+ log_ok "Параметры ядра настроены"
+}
+
+enable_firewall() {
+ log_info "Настройка firewall..."
+
+ if command -v firewall-cmd &>/dev/null; then
+ systemctl enable --now firewalld 2>/dev/null || true
+ firewall-cmd --set-default-zone=drop 2>/dev/null || true
+ firewall-cmd --permanent --add-service=ssh 2>/dev/null || true
+ firewall-cmd --reload 2>/dev/null || true
+ log_ok "Firewalld настроен"
+ elif command -v ufw &>/dev/null; then
+ ufw default deny incoming 2>/dev/null || true
+ ufw default allow outgoing 2>/dev/null || true
+ ufw allow ssh 2>/dev/null || true
+ ufw --force enable 2>/dev/null || true
+ log_ok "UFW настроен"
+ else
+ log_warn "Firewall не найден"
+ fi
+}
+
+enable_fail2ban() {
+ log_info "Настройка Fail2ban..."
+
+ if command -v fail2ban-client &>/dev/null; then
+ JAIL_LOCAL="/etc/fail2ban/jail.local"
+
+ cat > "$JAIL_LOCAL" << 'EOF'
+# Saikyo OS Server Fail2ban Configuration
+
+[DEFAULT]
+bantime = 3600
+findtime = 600
+maxretry = 5
+backend = systemd
+
+[sshd]
+enabled = true
+port = ssh
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = 3
+bantime = 7200
+EOF
+
+ systemctl enable --now fail2ban 2>/dev/null || true
+ log_ok "Fail2ban настроен"
+ else
+ log_warn "Fail2ban не установлен"
+ fi
+}
+
+enable_auditd() {
+ log_info "Настройка Auditd..."
+
+ if command -v auditctl &>/dev/null; then
+ AUDIT_RULES="/etc/audit/rules.d/saikyo-security.rules"
+
+ cat > "$AUDIT_RULES" << 'EOF'
+# Saikyo OS Server Audit Rules
+# Соответствует требованиям ПП РФ №1236
+
+# Delete all existing rules
+-D
+
+# Set buffer size
+-b 8192
+
+# Monitor authentication
+-w /etc/passwd -p wa -k identity
+-w /etc/group -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+
+# Monitor sudo
+-w /etc/sudoers -p wa -k sudoers
+-w /etc/sudoers.d/ -p wa -k sudoers
+
+# Monitor SSH
+-w /etc/ssh/sshd_config -p wa -k sshd
+
+# Monitor system calls
+-a always,exit -F arch=b64 -S execve -k exec
+
+# Monitor kernel modules
+-w /sbin/insmod -p x -k modules
+-w /sbin/rmmod -p x -k modules
+-w /sbin/modprobe -p x -k modules
+EOF
+
+ systemctl enable --now auditd 2>/dev/null || true
+ augenrules --load 2>/dev/null || true
+ log_ok "Auditd настроен"
+ else
+ log_warn "Auditd не установлен"
+ fi
+}
+
+enable_apparmor() {
+ log_info "Настройка AppArmor..."
+
+ if command -v apparmor_status &>/dev/null; then
+ systemctl enable --now apparmor 2>/dev/null || true
+ log_ok "AppArmor включён"
+ else
+ log_warn "AppArmor не установлен"
+ fi
+}
+
+main() {
+ echo -e "${BLUE}================================================${NC}"
+ echo -e "${BLUE} Saikyo OS Server Hardening Script v${VERSION}${NC}"
+ echo -e "${BLUE} Разработка: ООО «САЙКО»${NC}"
+ echo -e "${BLUE}================================================${NC}"
+ echo ""
+
+ check_root
+
+ log_info "Начало усиления безопасности..."
+
+ harden_ssh
+ harden_passwords
+ harden_kernel
+ enable_firewall
+ enable_fail2ban
+ enable_auditd
+ enable_apparmor
+
+ echo ""
+ log_ok "Усиление безопасности завершено!"
+ log_info "Рекомендуется перезагрузить систему."
+}
+
+case "$1" in
+ --version|-v)
+ echo "saikyo-harden version $VERSION"
+ ;;
+ --help|-h)
+ echo "Usage: saikyo-harden [OPTIONS]"
+ echo ""
+ echo "Saikyo OS Server Hardening Script"
+ echo ""
+ echo "Options:"
+ echo " -h, --help Show this help"
+ echo " -v, --version Show version"
+ ;;
+ *)
+ main
+ ;;
+esac
diff --git a/bin/saikyo-security-audit b/bin/saikyo-security-audit
new file mode 100644
index 0000000..0c0a4d9
--- /dev/null
+++ b/bin/saikyo-security-audit
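Review bot: harden_ssh switches PasswordAuthentication off without first confirming that any account has an authorized_keys entry, so a run over an SSH session on a password-only host disconnects every administrator for good; skip that sed (and log a warning) when no `authorized_keys` exists under /root/.ssh or /home/*/.ssh. The sed edits are also reloaded unvalidated, and on a stock Debian/Ubuntu sshd_config that opens with `Include /etc/ssh/sshd_config.d/*.conf` the package's own drop-in (`PermitRootLogin prohibit-password`) wins over the `PermitRootLogin no` written here, because sshd keeps the first value it reads for each keyword; run `sshd -t || { cp "$SSH_BACKUP" "$SSH_CONFIG"; log_error "sshd config invalid, backup restored"; return 1; }` before the reload and decide which file owns the directive. harden_kernel overwrites /etc/sysctl.d/99-saikyo-security.conf, the same path the package ships as a conffile, with a smaller set that drops send_redirects and the fs.protected_* keys, and its `sysctl -p` has no `|| true`, so under `set -e` one rejected key aborts the whole run silently; write the script's variant to a different file or simply re-apply the packaged one with `sysctl --system`. In enable_auditd the `-S execve` rule covers only arch=b64, so 32-bit executables are never logged; add the `-F arch=b32` twin if that coverage is intended, and note the same rules file is written beside the packaged 99-saikyo-audit.rules rather than replacing it.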
@@ -0,0 +1,230 @@
+#!/bin/bash
+# Saikyo OS Server Security Audit Tool
+# Copyright (c) 2025-2026 OOO "SAIKO"
+# License: GPL-3.0
+
+set -e
+
+VERSION="1.0.0"
+SCRIPT_NAME=$(basename "$0")
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+print_header() {
+ echo -e "${BLUE}================================================${NC}"
+ echo -e "${BLUE} Saikyo OS Server - Security Audit Tool v${VERSION}${NC}"
+ echo -e "${BLUE} Разработка: ООО «САЙКО»${NC}"
+ echo -e "${BLUE} https://saikyo-server.ru${NC}"
+ echo -e "${BLUE}================================================${NC}"
+ echo ""
+}
+
+check_passed() {
+ echo -e "[${GREEN}PASS${NC}] $1"
+}
+
+check_failed() {
+ echo -e "[${RED}FAIL${NC}] $1"
+}
+
+check_warning() {
+ echo -e "[${YELLOW}WARN${NC}] $1"
+}
+
+check_info() {
+ echo -e "[${BLUE}INFO${NC}] $1"
+}
+
+audit_ssh() {
+ echo -e "\n${BLUE}=== Проверка SSH ===${NC}"
+
+ if grep -q "^PermitRootLogin no" /etc/ssh/sshd_config 2>/dev/null; then
+ check_passed "Root-логин через SSH отключён"
+ else
+ check_failed "Root-логин через SSH разрешён"
+ fi
+
+ if grep -q "^PasswordAuthentication no" /etc/ssh/sshd_config 2>/dev/null; then
+ check_passed "Аутентификация по паролю отключена"
+ else
+ check_warning "Аутентификация по паролю включена"
+ fi
+
+ if grep -q "^PubkeyAuthentication yes" /etc/ssh/sshd_config 2>/dev/null; then
+ check_passed "Аутентификация по ключам включена"
+ else
+ check_failed "Аутентификация по ключам отключена"
+ fi
+}
+
+audit_firewall() {
+ echo -e "\n${BLUE}=== Проверка Firewall ===${NC}"
+
+ if systemctl is-active --quiet firewalld; then
+ check_passed "Firewalld активен"
+ elif systemctl is-active --quiet ufw; then
+ check_passed "UFW активен"
+ elif systemctl is-active --quiet nftables; then
+ check_passed "nftables активен"
+ else
+ check_failed "Firewall не активен"
+ fi
+}
+
+audit_apparmor() {
+ echo -e "\n${BLUE}=== Проверка AppArmor ===${NC}"
+
+ if systemctl is-active --quiet apparmor; then
+ check_passed "AppArmor активен"
+
+ if command -v aa-status &>/dev/null; then
+ PROFILES=$(aa-status --profiled 2>/dev/null || echo "0")
+ check_info "Загружено профилей: ${PROFILES}"
+ fi
+ else
+ check_failed "AppArmor не активен"
+ fi
+}
+
+audit_fail2ban() {
+ echo -e "\n${BLUE}=== Проверка Fail2ban ===${NC}"
+
+ if systemctl is-active --quiet fail2ban; then
+ check_passed "Fail2ban активен"
+
+ if command -v fail2ban-client &>/dev/null; then
+ JAILS=$(fail2ban-client status 2>/dev/null | grep "Jail list" | cut -d: -f2 | tr -d ' ')
+ check_info "Активные jail: ${JAILS:-нет}"
+ fi
+ else
+ check_warning "Fail2ban не активен"
+ fi
+}
+
+audit_auditd() {
+ echo -e "\n${BLUE}=== Проверка Auditd ===${NC}"
+
+ if systemctl is-active --quiet auditd; then
+ check_passed "Auditd активен"
+
+ RULES=$(auditctl -l 2>/dev/null | wc -l)
+ check_info "Загружено правил аудита: ${RULES}"
+ else
+ check_warning "Auditd не активен"
+ fi
+}
+
+audit_updates() {
+ echo -e "\n${BLUE}=== Проверка обновлений ===${NC}"
+
+ if dpkg -l | grep -q unattended-upgrades; then
+ check_passed "unattended-upgrades установлен"
+ else
+ check_warning "unattended-upgrades не установлен"
+ fi
+
+ if systemctl is-active --quiet unattended-upgrades; then
+ check_passed "Автообновления активны"
+ else
+ check_warning "Автообновления не активны"
+ fi
+}
+
+audit_passwords() {
+ echo -e "\n${BLUE}=== Проверка политики паролей ===${NC}"
+
+ if [ -f /etc/security/pwquality.conf ]; then
+ check_passed "pwquality.conf настроен"
+
+ if grep -q "minlen" /etc/security/pwquality.conf; then
+ MINLEN=$(grep "minlen" /etc/security/pwquality.conf | grep -v "^#" | cut -d= -f2 | tr -d ' ')
+ check_info "Минимальная длина пароля: ${MINLEN:-не задана}"
+ fi
+ else
+ check_warning "pwquality.conf не найден"
+ fi
+}
+
+audit_integrity() {
+ echo -e "\n${BLUE}=== Проверка контроля целостности ===${NC}"
+
+ if command -v aide &>/dev/null; then
+ check_passed "AIDE установлен"
+ else
+ check_warning "AIDE не установлен"
+ fi
+
+ if command -v rkhunter &>/dev/null; then
+ check_passed "rkhunter установлен"
+ else
+ check_warning "rkhunter не установлен"
+ fi
+}
+
+generate_report() {
+ echo -e "\n${BLUE}=== Генерация отчёта ===${NC}"
+
+ REPORT_FILE="/var/log/saikyo-security-audit-$(date +%Y%m%d-%H%M%S).log"
+
+ {
+ echo "Saikyo OS Server Security Audit Report"
+ echo "Date: $(date)"
+ echo "Hostname: $(hostname)"
+ echo "OS: $(cat /etc/os-release | grep PRETTY_NAME | cut -d= -f2 | tr -d '"')"
+ echo ""
+ echo "=== Summary ==="
+ } > "$REPORT_FILE" 2>/dev/null || {
+ REPORT_FILE="/tmp/saikyo-security-audit-$(date +%Y%m%d-%H%M%S).log"
+ echo "Saikyo OS Server Security Audit Report" > "$REPORT_FILE"
+ }
+
+ check_info "Отчёт сохранён: ${REPORT_FILE}"
+}
+
+main() {
+ print_header
+
+ check_info "Начало аудита безопасности..."
+ check_info "Хост: $(hostname)"
+ check_info "Дата: $(date)"
+
+ audit_ssh
+ audit_firewall
+ audit_apparmor
+ audit_fail2ban
+ audit_auditd
+ audit_updates
+ audit_passwords
+ audit_integrity
+
+ generate_report
+
+ echo -e "\n${GREEN}Аудит завершён.${NC}"
+}
+
+case "$1" in
+ --version|-v)
+ echo "$SCRIPT_NAME version $VERSION"
+ echo "Copyright (c) 2025-2026 OOO SAIKO"
+ ;;
+ --help|-h)
+ echo "Usage: $SCRIPT_NAME [OPTIONS]"
+ echo ""
+ echo "Saikyo OS Server Security Audit Tool"
+ echo ""
+ echo "Options:"
+ echo " -h, --help Show this help"
+ echo " -v, --version Show version"
+ echo ""
+ echo "Website: https://saikyo-server.ru"
+ echo "Support: support@saikyo-os.ru"
+ ;;
+ *)
+ main
+ ;;
+esac
diff --git a/debian/.debhelper/generated/saikyo-server-security/dh_installchangelogs.dch.trimmed b/debian/.debhelper/generated/saikyo-server-security/dh_installchangelogs.dch.trimmed
new file mode 100644
index 0000000..14459b7
--- /dev/null
+++ b/debian/.debhelper/generated/saikyo-server-security/dh_installchangelogs.dch.trimmed
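Review bot: audit_ssh greps only /etc/ssh/sshd_config, so directives that come from /etc/ssh/sshd_config.d/ drop-ins — including this package's own 99-saikyo-hardening.conf, which sets `PermitRootLogin prohibit-password` — are never seen and the PASS/FAIL verdict can be the reverse of what sshd actually enforces; query the effective configuration instead, `sshd -T 2>/dev/null | grep -qi '^permitrootlogin no'`, which requires root (the script has no root check, so add one or fall back to the grep with a warning). `dpkg -l | grep -q unattended-upgrades` in audit_updates also matches removed-but-not-purged (`rc`) entries and any package whose name contains that substring; use `dpkg-query -W -f='${Status}' unattended-upgrades 2>/dev/null | grep -q 'install ok installed'`. generate_report writes only a header with an empty "=== Summary ===" — none of the check results reach the file, so the log under /var/log carries no audit evidence; collect the audit_* output (e.g. through `tee`) or append each verdict inside the check_* helpers. The /tmp fallback uses a predictable timestamp-based name; `mktemp /tmp/saikyo-security-audit-XXXXXX` avoids writing through a file another user pre-created at that path.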
@@ -0,0 +1,6 @@
+saikyo-server-security (1.0.0) stable; urgency=medium
+
+ * Initial release
+ * Security hardening for Saikyo OS Server
+
+ -- Saikyo OS Team Tue, 21 Jan 2026 23:30:00 +0300
diff --git a/debian/.debhelper/generated/saikyo-server-security/installed-by-dh_install b/debian/.debhelper/generated/saikyo-server-security/installed-by-dh_install
new file mode 100644
index 0000000..c832e3e
--- /dev/null
+++ b/debian/.debhelper/generated/saikyo-server-security/installed-by-dh_install
@@ -0,0 +1,3 @@
+./etc/ssh/sshd_config.d/99-saikyo-hardening.conf
+./etc/sysctl.d/99-saikyo-security.conf
+./etc/audit/rules.d/99-saikyo-audit.rules
diff --git a/debian/.debhelper/generated/saikyo-server-security/installed-by-dh_installdocs b/debian/.debhelper/generated/saikyo-server-security/installed-by-dh_installdocs
new file mode 100644
index 0000000..e69de29
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..14459b7
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,6 @@
+saikyo-server-security (1.0.0) stable; urgency=medium
+
+ * Initial release
+ * Security hardening for Saikyo OS Server
+
+ -- Saikyo OS Team Tue, 21 Jan 2026 23:30:00 +0300
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..d24a909
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,19 @@
+Source: saikyo-server-security
+Section: admin
+Priority: optional
+Maintainer: Saikyo OS Team
+Build-Depends: debhelper-compat (= 13)
+Standards-Version: 4.6.2
+
+Package: saikyo-server-security
+Architecture: all
+Depends: ${misc:Depends}
+Description: Saikyo OS Server - профиль безопасности
+ Настройки безопасности для Saikyo OS Server:
+ - Усиленные политики паролей
+ - Настройки SSH (только ключи, без root)
+ - Политики AppArmor
+ - Правила Firewall
+ - Настройки аудита
+ .
+ Соответствует требованиям ПП РФ №1236 и №325.
diff --git a/debian/debhelper-build-stamp b/debian/debhelper-build-stamp
new file mode 100644
index 0000000..553dbff
--- /dev/null
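Review bot: Depends in the debian/control hunk lists only ${misc:Depends}, yet the package ships an sshd_config.d drop-in, an audit rules file and two scripts that drive sshd, auditd, pam_pwquality and fail2ban/ufw/firewalld; on a minimal system those conffiles install as dead files and the audit tool reports FAIL across the board, so declare at least `Depends: ${misc:Depends}, openssh-server, auditd` and `Recommends: libpam-pwquality, fail2ban`. The Maintainer field carries no e-mail address, which dpkg-buildpackage and lintian treat as malformed; the changelog trailer in the same hunk shows the same gap, though both may be an artefact of how this patch was extracted.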
+++ b/debian/debhelper-build-stamp
@@ -0,0 +1 @@
+saikyo-server-security
diff --git a/debian/files b/debian/files
new file mode 100644
index 0000000..707c298
--- /dev/null
+++ b/debian/files
@@ -0,0 +1,2 @@
+saikyo-server-security_1.0.0_all.deb admin optional
+saikyo-server-security_1.0.0_amd64.buildinfo admin optional
diff --git a/debian/install b/debian/install
new file mode 100644
index 0000000..a4c7622
--- /dev/null
+++ b/debian/install
@@ -0,0 +1,3 @@
+etc/ssh/sshd_config.d/99-saikyo-hardening.conf
+etc/sysctl.d/99-saikyo-security.conf
+etc/audit/rules.d/99-saikyo-audit.rules
diff --git a/debian/postinst b/debian/postinst
new file mode 100755
index 0000000..e384ec3
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,17 @@
+#!/bin/bash
+set -e
+
+# Применить sysctl настройки
+sysctl --system > /dev/null 2>&1 || true
+
+# Перезагрузить auditd
+systemctl restart auditd > /dev/null 2>&1 || true
+
+# Перезагрузить sshd
+systemctl reload sshd > /dev/null 2>&1 || true
+
+echo "Saikyo Server Security profile applied"
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..6247c2c
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,10 @@
+#!/usr/bin/make -f
+
+%:
+ dh $@
+
+override_dh_auto_install:
+ install -d $(CURDIR)/debian/saikyo-server-security/usr/bin
+ install -d $(CURDIR)/debian/saikyo-server-security/usr/share/saikyo-server-security
+ install -m 755 bin/saikyo-security-audit $(CURDIR)/debian/saikyo-server-security/usr/bin/
+ install -m 755 bin/saikyo-harden $(CURDIR)/debian/saikyo-server-security/usr/bin/
diff --git a/debian/saikyo-server-security.substvars b/debian/saikyo-server-security.substvars
new file mode 100644
index 0000000..978fc8b
--- /dev/null
+++ b/debian/saikyo-server-security.substvars
@@ -0,0 +1,2 @@
+misc:Depends=
+misc:Pre-Depends=
diff --git a/debian/saikyo-server-security/DEBIAN/conffiles b/debian/saikyo-server-security/DEBIAN/conffiles
new file mode 100644
index 0000000..9fbab18
--- /dev/null
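Review bot: In debian/postinst, `systemctl restart auditd` is the wrong way to load the new rules: on systemd-based Debian derivatives the auditd unit is commonly marked RefuseManualStop, so the restart is refused, the failure disappears into `|| true`, and the shipped 99-saikyo-audit.rules stays unloaded until the next boot; use `augenrules --load > /dev/null 2>&1 || true` instead (once the rules carry `-e 2`, any later load is refused until reboot, which is expected after the first successful one). `systemctl reload sshd` should mirror saikyo-harden's fallback, `|| systemctl reload ssh`, because the unit is ssh.service on Debian and the sshd alias is not present on every release. A `sshd -t` check before the reload would surface a drop-in that sshd rejects rather than hiding it behind `|| true`.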
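Review bot: override_dh_auto_install in debian/rules creates usr/share/saikyo-server-security but installs nothing into it, so the package ships an empty directory; drop the second `install -d` or put the profile files there. The commit also adds dh's own outputs — debian/.debhelper/, debian/files, debian/debhelper-build-stamp, debian/saikyo-server-security.substvars and the whole debian/saikyo-server-security/ staging tree with its DEBIAN/md5sums — which this rules file regenerates on every build; they will drift from bin/ and etc/ and should be removed from version control and ignored rather than committed.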
+++ b/debian/saikyo-server-security/DEBIAN/conffiles
@@ -0,0 +1,3 @@
+/etc/audit/rules.d/99-saikyo-audit.rules
+/etc/ssh/sshd_config.d/99-saikyo-hardening.conf
+/etc/sysctl.d/99-saikyo-security.conf
diff --git a/debian/saikyo-server-security/DEBIAN/control b/debian/saikyo-server-security/DEBIAN/control
new file mode 100644
index 0000000..aba61b7
--- /dev/null
+++ b/debian/saikyo-server-security/DEBIAN/control
@@ -0,0 +1,16 @@
+Package: saikyo-server-security
+Version: 1.0.0
+Architecture: all
+Maintainer: Saikyo OS Team
+Installed-Size: 38
+Section: admin
+Priority: optional
+Description: Saikyo OS Server - профиль безопасности
+ Настройки безопасности для Saikyo OS Server:
+ - Усиленные политики паролей
+ - Настройки SSH (только ключи, без root)
+ - Политики AppArmor
+ - Правила Firewall
+ - Настройки аудита
+ .
+ Соответствует требованиям ПП РФ №1236 и №325.
diff --git a/debian/saikyo-server-security/DEBIAN/md5sums b/debian/saikyo-server-security/DEBIAN/md5sums
new file mode 100644
index 0000000..09a3fe1
--- /dev/null
+++ b/debian/saikyo-server-security/DEBIAN/md5sums
@@ -0,0 +1,3 @@
+15a0d62376d7f57aff78e2c8c74f197f usr/bin/saikyo-harden
+46ed56d9851855129c370f177a38489f usr/bin/saikyo-security-audit
+76bf834098cb2eb26e09daa040959a9c usr/share/doc/saikyo-server-security/changelog.gz
diff --git a/debian/saikyo-server-security/DEBIAN/postinst b/debian/saikyo-server-security/DEBIAN/postinst
new file mode 100755
index 0000000..84f09f0
--- /dev/null
+++ b/debian/saikyo-server-security/DEBIAN/postinst
@@ -0,0 +1,17 @@
+#!/bin/bash
+set -e
+
+# Применить sysctl настройки
+sysctl --system > /dev/null 2>&1 || true
+
+# Перезагрузить auditd
+systemctl restart auditd > /dev/null 2>&1 || true
+
+# Перезагрузить sshd
+systemctl reload sshd > /dev/null 2>&1 || true
+
+echo "Saikyo Server Security profile applied"
+
+
+
+exit 0
diff --git a/debian/saikyo-server-security/etc/audit/rules.d/99-saikyo-audit.rules b/debian/saikyo-server-security/etc/audit/rules.d/99-saikyo-audit.rules
new file mode 100644
index 0000000..85041de
--- /dev/null
+++ b/debian/saikyo-server-security/etc/audit/rules.d/99-saikyo-audit.rules
@@ -0,0 +1,58 @@
+# Saikyo OS Server - Audit Rules
+# Соответствует требованиям безопасности Минцифры
+
+# Удаление всех правил
+-D
+
+# Буфер
+-b 8192
+
+# Аудит изменений времени
+-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
+-a always,exit -F arch=b64 -S clock_settime -k time-change
+-w /etc/localtime -p wa -k time-change
+
+# Аудит пользователей и групп
+-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity
+
+# Аудит сети
+-w /etc/hosts -p wa -k system-network
+-w /etc/network/ -p wa -k system-network
+-w /etc/sysconfig/network -p wa -k system-network
+
+# Аудит SELinux/AppArmor
+-w /etc/apparmor/ -p wa -k MAC-policy
+-w /etc/apparmor.d/ -p wa -k MAC-policy
+
+# Аудит входа
+-w /var/log/faillog -p wa -k logins
+-w /var/log/lastlog -p wa -k logins
+-w /var/log/tallylog -p wa -k logins
+
+# Аудит сессий
+-w /var/run/utmp -p wa -k session
+-w /var/log/wtmp -p wa -k logins
+-w /var/log/btmp -p wa -k logins
+
+# Аудит sudo
+-w /etc/sudoers -p wa -k scope
+-w /etc/sudoers.d/ -p wa -k scope
+
+# Аудит монтирования
+-a always,exit -F arch=b64 -S mount -S umount2 -F auid>=1000 -F auid!=4294967295 -k mounts
+
+# Аудит удаления файлов
+-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
+
+# Аудит загрузки модулей
+-w /sbin/insmod -p x -k modules
+-w /sbin/rmmod -p x -k modules
+-w /sbin/modprobe -p x -k modules
+-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
+
+# Сделать конфигурацию неизменяемой
+-e 2
diff --git a/debian/saikyo-server-security/etc/ssh/sshd_config.d/99-saikyo-hardening.conf b/debian/saikyo-server-security/etc/ssh/sshd_config.d/99-saikyo-hardening.conf
new file mode 100644
index 0000000..8e6dc8f
--- /dev/null
+++ b/debian/saikyo-server-security/etc/ssh/sshd_config.d/99-saikyo-hardening.conf
@@ -0,0 +1,41 @@
+# Saikyo OS Server SSH Hardening
+# Соответствует требованиям безопасности Минцифры
+
+# Отключить root login
+PermitRootLogin prohibit-password
+
+# Только ключи
+PubkeyAuthentication yes
+PasswordAuthentication no
+
+# Отключить пустые пароли
+PermitEmptyPasswords no
+
+# Протокол 2 только
+Protocol 2
+
+# Алгоритмы шифрования (ГОСТ-совместимые + современные)
+Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+
+# Таймауты
+ClientAliveInterval 300
+ClientAliveCountMax 2
+LoginGraceTime 60
+
+# Логирование
+LogLevel VERBOSE
+
+# Ограничения
+MaxAuthTries 3
+MaxSessions 10
+MaxStartups 10:30:60
+
+# Отключить forwarding по умолчанию
+AllowTcpForwarding no
+X11Forwarding no
+AllowAgentForwarding no
+
+# Banner
+Banner /etc/issue.net
diff --git a/debian/saikyo-server-security/etc/sysctl.d/99-saikyo-security.conf b/debian/saikyo-server-security/etc/sysctl.d/99-saikyo-security.conf
new file mode 100644
index 0000000..81531ea
--- /dev/null
+++ b/debian/saikyo-server-security/etc/sysctl.d/99-saikyo-security.conf
@@ -0,0 +1,51 @@
+# Saikyo OS Server - Kernel Security Hardening
+# Соответствует требованиям безопасности Минцифры
+
+# Защита от IP spoofing
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# Отключить ICMP redirect
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
+# Отключить source routing
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv6.conf.all.accept_source_route = 0
+net.ipv6.conf.default.accept_source_route = 0
+
+# Защита от SYN flood
+net.ipv4.tcp_syncookies = 1
+net.ipv4.tcp_max_syn_backlog = 2048
+net.ipv4.tcp_synack_retries = 2
+
+# Игнорировать ICMP broadcast
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# Логировать martian пакеты
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+
+# Защита памяти
+kernel.randomize_va_space = 2
+kernel.kptr_restrict = 2
+kernel.dmesg_restrict = 1
+kernel.perf_event_paranoid = 3
+
+# Ограничение core dumps
+fs.suid_dumpable = 0
+
+# Защита от symlink/hardlink атак
+fs.protected_symlinks = 1
+fs.protected_hardlinks = 1
+fs.protected_fifos = 2
+fs.protected_regular = 2
+
+# IPv6 (отключить если не используется)
+# net.ipv6.conf.all.disable_ipv6 = 1
+# net.ipv6.conf.default.disable_ipv6 = 1
diff --git a/debian/saikyo-server-security/usr/bin/saikyo-harden b/debian/saikyo-server-security/usr/bin/saikyo-harden
new file mode 100755
index 0000000..536baae
--- /dev/null
+++ b/debian/saikyo-server-security/usr/bin/saikyo-harden
@@ -0,0 +1,287 @@ +#!/bin/bash +# Saikyo OS Server Hardening Script +# Copyright (c) 2025-2026 OOO "SAIKO" +# License: GPL-3.0 + +set -e + +VERSION="1.0.0" + +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +BLUE='\033[0;34m' +NC='\033[0m' + +log_info() { echo -e "[${BLUE}INFO${NC}] $1"; } +log_ok() { echo -e "[${GREEN}OK${NC}] $1"; } +log_warn() { echo -e "[${YELLOW}WARN${NC}] $1"; } +log_error() { echo -e "[${RED}ERROR${NC}] $1"; } + +check_root() { + if [ "$(id -u)" -ne 0 ]; then + log_error "Требуются права root. Используйте sudo." + exit 1 + fi +} + +harden_ssh() { + log_info "Настройка SSH..." + + SSH_CONFIG="/etc/ssh/sshd_config" + SSH_BACKUP="/etc/ssh/sshd_config.bak.$(date +%Y%m%d)" + + cp "$SSH_CONFIG" "$SSH_BACKUP" + + # Disable root login + sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' "$SSH_CONFIG" + + # Disable password auth + sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' "$SSH_CONFIG" + + # Enable pubkey auth + sed -i 's/^#*PubkeyAuthentication.*/PubkeyAuthentication yes/' "$SSH_CONFIG" + + # Disable empty passwords + sed -i 's/^#*PermitEmptyPasswords.*/PermitEmptyPasswords no/' "$SSH_CONFIG" + + # Set max auth tries + sed -i 's/^#*MaxAuthTries.*/MaxAuthTries 3/' "$SSH_CONFIG" + + # Set login grace time + sed -i 's/^#*LoginGraceTime.*/LoginGraceTime 60/' "$SSH_CONFIG" + + systemctl reload sshd 2>/dev/null || systemctl reload ssh 2>/dev/null || true + + log_ok "SSH настроен" +} + +harden_passwords() { + log_info "Настройка политики паролей..." + + PWQUALITY="/etc/security/pwquality.conf" + + cat > "$PWQUALITY" << 'EOF' +# Saikyo OS Server Password Policy +# Соответствует требованиям ПП РФ №1236 + +minlen = 12 +minclass = 3 +maxrepeat = 3 +maxclassrepeat = 4 +lcredit = -1 +ucredit = -1 +dcredit = -1 +ocredit = -1 +dictcheck = 1 +usercheck = 1 +enforcing = 1 +EOF + + log_ok "Политика паролей настроена" +} + +harden_kernel() { + log_info "Настройка параметров ядра..." 
+ + SYSCTL_CONF="/etc/sysctl.d/99-saikyo-security.conf" + + cat > "$SYSCTL_CONF" << 'EOF' +# Saikyo OS Server Kernel Security Settings +# Соответствует требованиям ПП РФ №1236 + +# Disable IP forwarding +net.ipv4.ip_forward = 0 +net.ipv6.conf.all.forwarding = 0 + +# Ignore ICMP redirects +net.ipv4.conf.all.accept_redirects = 0 +net.ipv6.conf.all.accept_redirects = 0 +net.ipv4.conf.default.accept_redirects = 0 +net.ipv6.conf.default.accept_redirects = 0 + +# Ignore source-routed packets +net.ipv4.conf.all.accept_source_route = 0 +net.ipv6.conf.all.accept_source_route = 0 + +# Enable TCP SYN cookies +net.ipv4.tcp_syncookies = 1 + +# Ignore ICMP broadcasts +net.ipv4.icmp_echo_ignore_broadcasts = 1 + +# Enable reverse path filtering +net.ipv4.conf.all.rp_filter = 1 +net.ipv4.conf.default.rp_filter = 1 + +# Log martian packets +net.ipv4.conf.all.log_martians = 1 +net.ipv4.conf.default.log_martians = 1 + +# Restrict core dumps +fs.suid_dumpable = 0 + +# Randomize virtual address space +kernel.randomize_va_space = 2 + +# Restrict dmesg access +kernel.dmesg_restrict = 1 + +# Restrict kernel pointers +kernel.kptr_restrict = 2 +EOF + + sysctl -p "$SYSCTL_CONF" > /dev/null 2>&1 + + log_ok "Параметры ядра настроены" +} + +enable_firewall() { + log_info "Настройка firewall..." + + if command -v firewall-cmd &>/dev/null; then + systemctl enable --now firewalld 2>/dev/null || true + firewall-cmd --set-default-zone=drop 2>/dev/null || true + firewall-cmd --permanent --add-service=ssh 2>/dev/null || true + firewall-cmd --reload 2>/dev/null || true + log_ok "Firewalld настроен" + elif command -v ufw &>/dev/null; then + ufw default deny incoming 2>/dev/null || true + ufw default allow outgoing 2>/dev/null || true + ufw allow ssh 2>/dev/null || true + ufw --force enable 2>/dev/null || true + log_ok "UFW настроен" + else + log_warn "Firewall не найден" + fi +} + +enable_fail2ban() { + log_info "Настройка Fail2ban..." 
+ + if command -v fail2ban-client &>/dev/null; then + JAIL_LOCAL="/etc/fail2ban/jail.local" + + cat > "$JAIL_LOCAL" << 'EOF' +# Saikyo OS Server Fail2ban Configuration + +[DEFAULT] +bantime = 3600 +findtime = 600 +maxretry = 5 +backend = systemd + +[sshd] +enabled = true +port = ssh +filter = sshd +logpath = /var/log/auth.log +maxretry = 3 +bantime = 7200 +EOF + + systemctl enable --now fail2ban 2>/dev/null || true + log_ok "Fail2ban настроен" + else + log_warn "Fail2ban не установлен" + fi +} + +enable_auditd() { + log_info "Настройка Auditd..." + + if command -v auditctl &>/dev/null; then + AUDIT_RULES="/etc/audit/rules.d/saikyo-security.rules" + + cat > "$AUDIT_RULES" << 'EOF' +# Saikyo OS Server Audit Rules +# Соответствует требованиям ПП РФ №1236 + +# Delete all existing rules +-D + +# Set buffer size +-b 8192 + +# Monitor authentication +-w /etc/passwd -p wa -k identity +-w /etc/group -p wa -k identity +-w /etc/shadow -p wa -k identity +-w /etc/gshadow -p wa -k identity + +# Monitor sudo +-w /etc/sudoers -p wa -k sudoers +-w /etc/sudoers.d/ -p wa -k sudoers + +# Monitor SSH +-w /etc/ssh/sshd_config -p wa -k sshd + +# Monitor system calls +-a always,exit -F arch=b64 -S execve -k exec + +# Monitor kernel modules +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +EOF + + systemctl enable --now auditd 2>/dev/null || true + augenrules --load 2>/dev/null || true + log_ok "Auditd настроен" + else + log_warn "Auditd не установлен" + fi +} + +enable_apparmor() { + log_info "Настройка AppArmor..." 
+ + if command -v apparmor_status &>/dev/null; then + systemctl enable --now apparmor 2>/dev/null || true + log_ok "AppArmor включён" + else + log_warn "AppArmor не установлен" + fi +} + +main() { + echo -e "${BLUE}================================================${NC}" + echo -e "${BLUE} Saikyo OS Server Hardening Script v${VERSION}${NC}" + echo -e "${BLUE} Разработка: ООО «САЙКО»${NC}" + echo -e "${BLUE}================================================${NC}" + echo "" + + check_root + + log_info "Начало усиления безопасности..." + + harden_ssh + harden_passwords + harden_kernel + enable_firewall + enable_fail2ban + enable_auditd + enable_apparmor + + echo "" + log_ok "Усиление безопасности завершено!" + log_info "Рекомендуется перезагрузить систему." +} + +case "$1" in + --version|-v) + echo "saikyo-harden version $VERSION" + ;; + --help|-h) + echo "Usage: saikyo-harden [OPTIONS]" + echo "" + echo "Saikyo OS Server Hardening Script" + echo "" + echo "Options:" + echo " -h, --help Show this help" + echo " -v, --version Show version" + ;; + *) + main + ;; +esac diff --git a/debian/saikyo-server-security/usr/bin/saikyo-security-audit b/debian/saikyo-server-security/usr/bin/saikyo-security-audit new file mode 100755 index 0000000..0c0a4d9 --- /dev/null +++ b/debian/saikyo-server-security/usr/bin/saikyo-security-audit 
@@ -0,0 +1,230 @@
+#!/bin/bash
+# Saikyo OS Server Security Audit Tool
+# Copyright (c) 2025-2026 OOO "SAIKO"
+# License: GPL-3.0
+
+set -e
+
+VERSION="1.0.0"
+SCRIPT_NAME=$(basename "$0")
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+print_header() {
+ echo -e "${BLUE}================================================${NC}"
+ echo -e "${BLUE} Saikyo OS Server - Security Audit Tool v${VERSION}${NC}"
+ echo -e "${BLUE} Разработка: ООО «САЙКО»${NC}"
+ echo -e "${BLUE} https://saikyo-server.ru${NC}"
+ echo -e "${BLUE}================================================${NC}"
+ echo ""
+}
+
+check_passed() {
+ echo -e "[${GREEN}PASS${NC}] $1"
+}
+
+check_failed() {
+ echo -e "[${RED}FAIL${NC}] $1"
+}
+
+check_warning() {
+ echo -e "[${YELLOW}WARN${NC}] $1"
+}
+
+check_info() {
+ echo -e "[${BLUE}INFO${NC}] $1"
+}
+
+audit_ssh() {
+ echo -e "\n${BLUE}=== Проверка SSH ===${NC}"
+
+ if grep -q "^PermitRootLogin no" /etc/ssh/sshd_config 2>/dev/null; then
+ check_passed "Root-логин через SSH отключён"
+ else
+ check_failed "Root-логин через SSH разрешён"
+ fi
+
+ if grep -q "^PasswordAuthentication no" /etc/ssh/sshd_config 2>/dev/null; then
+ check_passed "Аутентификация по паролю отключена"
+ else
+ check_warning "Аутентификация по паролю включена"
+ fi
+
+ if grep -q "^PubkeyAuthentication yes" /etc/ssh/sshd_config 2>/dev/null; then
+ check_passed "Аутентификация по ключам включена"
+ else
+ check_failed "Аутентификация по ключам отключена"
+ fi
+}
+
+audit_firewall() {
+ echo -e "\n${BLUE}=== Проверка Firewall ===${NC}"
+
+ if systemctl is-active --quiet firewalld; then
+ check_passed "Firewalld активен"
+ elif systemctl is-active --quiet ufw; then
+ check_passed "UFW активен"
+ elif systemctl is-active --quiet nftables; then
+ check_passed "nftables активен"
+ else
+ check_failed "Firewall не активен"
+ fi
+}
+
+audit_apparmor() {
+ echo -e "\n${BLUE}=== Проверка AppArmor ===${NC}"
+
+ if systemctl is-active --quiet apparmor; then
+ check_passed "AppArmor активен"
+
+ if command -v aa-status &>/dev/null; then
+ PROFILES=$(aa-status --profiled 2>/dev/null || echo "0")
+ check_info "Загружено профилей: ${PROFILES}"
+ fi
+ else
+ check_failed "AppArmor не активен"
+ fi
+}
+
+audit_fail2ban() {
+ echo -e "\n${BLUE}=== Проверка Fail2ban ===${NC}"
+
+ if systemctl is-active --quiet fail2ban; then
+ check_passed "Fail2ban активен"
+
+ if command -v fail2ban-client &>/dev/null; then
+ JAILS=$(fail2ban-client status 2>/dev/null | grep "Jail list" | cut -d: -f2 | tr -d ' ')
+ check_info "Активные jail: ${JAILS:-нет}"
+ fi
+ else
+ check_warning "Fail2ban не активен"
+ fi
+}
+
+audit_auditd() {
+ echo -e "\n${BLUE}=== Проверка Auditd ===${NC}"
+
+ if systemctl is-active --quiet auditd; then
+ check_passed "Auditd активен"
+
+ RULES=$(auditctl -l 2>/dev/null | wc -l)
+ check_info "Загружено правил аудита: ${RULES}"
+ else
+ check_warning "Auditd не активен"
+ fi
+}
+
+audit_updates() {
+ echo -e "\n${BLUE}=== Проверка обновлений ===${NC}"
+
+ if dpkg -l | grep -q unattended-upgrades; then
+ check_passed "unattended-upgrades установлен"
+ else
+ check_warning "unattended-upgrades не установлен"
+ fi
+
+ if systemctl is-active --quiet unattended-upgrades; then
+ check_passed "Автообновления активны"
+ else
+ check_warning "Автообновления не активны"
+ fi
+}
+
+audit_passwords() {
+ echo -e "\n${BLUE}=== Проверка политики паролей ===${NC}"
+
+ if [ -f /etc/security/pwquality.conf ]; then
+ check_passed "pwquality.conf настроен"
+
+ if grep -q "minlen" /etc/security/pwquality.conf; then
+ MINLEN=$(grep "minlen" /etc/security/pwquality.conf | grep -v "^#" | cut -d= -f2 | tr -d ' ')
+ check_info "Минимальная длина пароля: ${MINLEN:-не задана}"
+ fi
+ else
+ check_warning "pwquality.conf не найден"
+ fi
+}
+
+audit_integrity() {
+ echo -e "\n${BLUE}=== Проверка контроля целостности ===${NC}"
+
+ if command -v aide &>/dev/null; then
+ check_passed "AIDE установлен"
+ else
+ check_warning "AIDE не установлен"
+ fi
+
+ if command -v rkhunter &>/dev/null; then
+ check_passed "rkhunter установлен"
+ else
+ check_warning "rkhunter не установлен"
+ fi
+}
+
+generate_report() {
+ echo -e "\n${BLUE}=== Генерация отчёта ===${NC}"
+
+ REPORT_FILE="/var/log/saikyo-security-audit-$(date +%Y%m%d-%H%M%S).log"
+
+ {
+ echo "Saikyo OS Server Security Audit Report"
+ echo "Date: $(date)"
+ echo "Hostname: $(hostname)"
+ echo "OS: $(cat /etc/os-release | grep PRETTY_NAME | cut -d= -f2 | tr -d '"')"
+ echo ""
+ echo "=== Summary ==="
+ } > "$REPORT_FILE" 2>/dev/null || {
+ REPORT_FILE="/tmp/saikyo-security-audit-$(date +%Y%m%d-%H%M%S).log"
+ echo "Saikyo OS Server Security Audit Report" > "$REPORT_FILE"
+ }
+
+ check_info "Отчёт сохранён: ${REPORT_FILE}"
+}
+
+main() {
+ print_header
+
+ check_info "Начало аудита безопасности..."
+ check_info "Хост: $(hostname)"
+ check_info "Дата: $(date)"
+
+ audit_ssh
+ audit_firewall
+ audit_apparmor
+ audit_fail2ban
+ audit_auditd
+ audit_updates
+ audit_passwords
+ audit_integrity
+
+ generate_report
+
+ echo -e "\n${GREEN}Аудит завершён.${NC}"
+}
+
+case "$1" in
+ --version|-v)
+ echo "$SCRIPT_NAME version $VERSION"
+ echo "Copyright (c) 2025-2026 OOO SAIKO"
+ ;;
+ --help|-h)
+ echo "Usage: $SCRIPT_NAME [OPTIONS]"
+ echo ""
+ echo "Saikyo OS Server Security Audit Tool"
+ echo ""
+ echo "Options:"
+ echo " -h, --help Show this help"
+ echo " -v, --version Show version"
+ echo ""
+ echo "Website: https://saikyo-server.ru"
+ echo "Support: support@saikyo-os.ru"
+ ;;
+ *)
+ main
+ ;;
+esac
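Review bot: audit_ssh greps only `/etc/ssh/sshd_config` for `^PermitRootLogin no`, so it never sees drop-ins under `/etc/ssh/sshd_config.d/` and reports FAIL on a host hardened by this very package, whose `99-saikyo-hardening.conf` sets `PermitRootLogin prohibit-password` — a value that also blocks password logins as root but is not matched. Query the effective configuration instead: `if sshd -T 2>/dev/null | grep -Eq '^permitrootlogin (no|prohibit-password)$'; then`, and use the same `sshd -T` output (keywords are lowercased there) for the PasswordAuthentication and PubkeyAuthentication checks, falling back to the old grep when `sshd -T` fails because the tool is not running as root. In audit_updates, `dpkg -l | grep -q unattended-upgrades` also matches a removed-but-not-purged (`rc`) entry and any package whose description mentions it; `dpkg -s unattended-upgrades >/dev/null 2>&1` is the right test. generate_report writes only a header and an empty "=== Summary ===" to the report file while every PASS/FAIL line goes to stdout, so the saved report carries no findings; tee the check output into `$REPORT_FILE` or collect results in an array and print them there. The fallback to a predictable `/tmp/saikyo-security-audit-<timestamp>.log` should be `mktemp` instead.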
diff --git a/debian/saikyo-server-security/usr/share/doc/saikyo-server-security/changelog.gz b/debian/saikyo-server-security/usr/share/doc/saikyo-server-security/changelog.gz new file mode 100644 index 0000000000000000000000000000000000000000..3fba295d565ff5ef54a5c854a0afef36406ea2ca GIT binary patch literal 171 zcmV;c095}UiwFP!0000215J**4uU`wM0>tsN?(u*Bo_FHtu_|$11nr{BkYp9yC(d- zh%vF6=1000 -F auid!=4294967295 -k mounts + +# Аудит удаления файлов +-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + +# Аудит загрузки модулей +-w /sbin/insmod -p x -k modules +-w /sbin/rmmod -p x -k modules +-w /sbin/modprobe -p x -k modules +-a always,exit -F arch=b64 -S init_module -S delete_module -k modules + +# Сделать конфигурацию неизменяемой +-e 2 diff --git a/etc/ssh/sshd_config.d/99-saikyo-hardening.conf b/etc/ssh/sshd_config.d/99-saikyo-hardening.conf new file mode 100644 index 0000000..8e6dc8f --- /dev/null +++ b/etc/ssh/sshd_config.d/99-saikyo-hardening.conf 
@@ -0,0 +1,41 @@
+# Saikyo OS Server SSH Hardening
+# Соответствует требованиям безопасности Минцифры
+
+# Отключить root login
+PermitRootLogin prohibit-password
+
+# Только ключи
+PubkeyAuthentication yes
+PasswordAuthentication no
+
+# Отключить пустые пароли
+PermitEmptyPasswords no
+
+# Протокол 2 только
+Protocol 2
+
+# Алгоритмы шифрования (ГОСТ-совместимые + современные)
+Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+
+# Таймауты
+ClientAliveInterval 300
+ClientAliveCountMax 2
+LoginGraceTime 60
+
+# Логирование
+LogLevel VERBOSE
+
+# Ограничения
+MaxAuthTries 3
+MaxSessions 10
+MaxStartups 10:30:60
+
+# Отключить forwarding по умолчанию
+AllowTcpForwarding no
+X11Forwarding no
+AllowAgentForwarding no
+
+# Banner
+Banner /etc/issue.net
diff --git a/etc/sysctl.d/99-saikyo-security.conf b/etc/sysctl.d/99-saikyo-security.conf
new file mode 100644
index 0000000..81531ea
--- /dev/null
+++ b/etc/sysctl.d/99-saikyo-security.conf
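Review bot: The `99-` prefix makes this drop-in lose to every other file in `/etc/ssh/sshd_config.d/`: sshd keeps the first value it reads for a keyword, and if the main sshd_config carries the usual `Include /etc/ssh/sshd_config.d/*.conf` at its top (as Debian's stock file does — this is a Debian package), a `50-cloud-init.conf` setting `PasswordAuthentication yes` silently re-enables passwords while this file still says `no`. Name it so it sorts first, e.g. `00-saikyo-hardening.conf`, and update the path wherever the package lists it (install list, conffiles). `Protocol 2` is a deprecated keyword on current OpenSSH (protocol 1 server support was removed years ago), so it only produces a warning on every start and can be dropped. The comment `# Алгоритмы шифрования (ГОСТ-совместимые + современные)` is inaccurate — the lists below are AES-GCM/CTR, HMAC-SHA2 and curve25519/DH-group16/18, none of which are GOST algorithms — so it should read `# Алгоритмы шифрования (современные, без CBC и SHA-1)` or drop the GOST claim, since a compliance reviewer will read it literally.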
@@ -0,0 +1,51 @@
+# Saikyo OS Server - Kernel Security Hardening
+# Соответствует требованиям безопасности Минцифры
+
+# Защита от IP spoofing
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# Отключить ICMP redirect
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
+# Отключить source routing
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv6.conf.all.accept_source_route = 0
+net.ipv6.conf.default.accept_source_route = 0
+
+# Защита от SYN flood
+net.ipv4.tcp_syncookies = 1
+net.ipv4.tcp_max_syn_backlog = 2048
+net.ipv4.tcp_synack_retries = 2
+
+# Игнорировать ICMP broadcast
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# Логировать martian пакеты
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+
+# Защита памяти
+kernel.randomize_va_space = 2
+kernel.kptr_restrict = 2
+kernel.dmesg_restrict = 1
+kernel.perf_event_paranoid = 3
+
+# Ограничение core dumps
+fs.suid_dumpable = 0
+
+# Защита от symlink/hardlink атак
+fs.protected_symlinks = 1
+fs.protected_hardlinks = 1
+fs.protected_fifos = 2
+fs.protected_regular = 2
+
+# IPv6 (отключить если не используется)
+# net.ipv6.conf.all.disable_ipv6 = 1
+# net.ipv6.conf.default.disable_ipv6 = 1
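Review bot: The "Защита памяти" group sets `kptr_restrict`, `dmesg_restrict` and `perf_event_paranoid` but leaves out the knobs that normally accompany them in a server baseline: `kernel.yama.ptrace_scope = 1` (without it any process can ptrace another process of the same uid and read its memory and secrets, where Yama is built in as on Debian kernels), `kernel.unprivileged_bpf_disabled = 1` and `kernel.kexec_load_disabled = 1` (blocks unprivileged BPF program loading and runtime kernel replacement; the latter is one-way until reboot). `kernel.perf_event_paranoid = 3` deserves a comment, since upstream kernels define only -1..2 and treat higher values as 2 — level 3 is meaningful only with the Debian/Ubuntu restriction patch — e.g. `# 3 = no unprivileged perf at all (Debian/Ubuntu patch); upstream treats it as 2`. `rp_filter = 1` is strict mode and drops legitimate traffic on multi-homed or policy-routed hosts, so a note such as `# strict mode; use 2 (loose) on multi-homed hosts` would save an operator a debugging session. `fs.protected_fifos`/`fs.protected_regular` need kernel 4.19+; on older kernels `sysctl --system` logs an error for those two keys but still applies the rest, which is worth stating in the header comment.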