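#!/bin/bash
# Saikyo OS Server Hardening Script
# Copyright (c) 2025-2026 OOO "SAIKO"
# License: GPL-3.0
#
# Applies a baseline hardening profile to a server: sshd directives, PAM
# password quality, kernel sysctl settings, a default-deny firewall, fail2ban,
# auditd rules and AppArmor. Every step writes its own config file; the SSH
# step keeps a dated backup and is validated with `sshd -t` before reload.
#
# Usage: saikyo-harden [-h|--help] [-v|--version]
# Must run as root.

set -euo pipefail

VERSION="1.0.0"

RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

# Logging helpers. The colour codes are passed through %b so that the message
# itself ($1) is printed literally and never interpreted as escape sequences.
log_info()  { printf '[%bINFO%b] %s\n'  "$BLUE"   "$NC" "$1"; }
log_ok()    { printf '[%bOK%b] %s\n'    "$GREEN"  "$NC" "$1"; }
log_warn()  { printf '[%bWARN%b] %s\n'  "$YELLOW" "$NC" "$1" >&2; }
log_error() { printf '[%bERROR%b] %s\n' "$RED"    "$NC" "$1" >&2; }

#######################################
# Abort unless running with effective uid 0.
# Returns: exits 1 when not root.
#######################################
check_root() {
  if [[ "$(id -u)" -ne 0 ]]; then
    log_error "Требуются права root. Используйте sudo."
    exit 1
  fi
}

#######################################
# Set one sshd_config directive to a value.
# Existing (possibly commented) lines for the directive are rewritten in
# place; if the directive is absent it is inserted at the top of the file.
# sshd uses the first value it obtains, so a line 1 entry also wins over
# anything pulled in by a later `Include` of sshd_config.d/*.conf.
# Arguments: $1 - directive name, $2 - value, $3 - config file path
# Returns: non-zero if sed fails.
#######################################
set_sshd_option() {
  local key=$1 value=$2 file=$3
  # Match "Key", "#Key", "# Key" at line start, followed by whitespace or EOL,
  # so that e.g. PermitRootLogin does not also match a hypothetical
  # PermitRootLoginExtra directive.
  if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)" "$file"; then
    sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?\$|${key} ${value}|" "$file"
  else
    sed -i "1i ${key} ${value}" "$file"
  fi
}

#######################################
# Report when the effective sshd value for a directive differs from what we
# just configured (typically because a drop-in in sshd_config.d overrides it).
# Arguments: $1 - directive name, $2 - expected value (lower-case as sshd -T prints it)
# Outputs: warning on stderr when values differ; silent when sshd -T is unavailable.
#######################################
verify_sshd_option() {
  local key=$1 expected=$2 actual
  actual=$(sshd -T 2>/dev/null | awk -v k="$key" 'tolower($1)==tolower(k){print $2; exit}') || true
  if [[ -n "$actual" && "$actual" != "$expected" ]]; then
    log_warn "SSH: действующее значение ${key} = '${actual}', ожидалось '${expected}' (проверьте /etc/ssh/sshd_config.d/*.conf)"
  fi
}

#######################################
# Check whether at least one non-empty authorized_keys file exists for root
# or a user under /home. Used to warn before password auth is disabled.
# Returns: 0 if a key file was found, 1 otherwise.
#######################################
ssh_keys_present() {
  local f
  for f in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
    [[ -s "$f" ]] && return 0
  done
  return 1
}

#######################################
# Harden sshd_config: no root login, key-only auth, tighter retry limits.
# Globals: none written
# Outputs: dated backup next to sshd_config.
# Returns: 1 (after restoring the backup) if the edited config fails sshd -t.
#######################################
harden_ssh() {
  log_info "Настройка SSH..."

  local ssh_config="/etc/ssh/sshd_config"
  local ssh_backup="/etc/ssh/sshd_config.bak.$(date +%Y%m%d)"

  cp -- "$ssh_config" "$ssh_backup"

  # Disabling password authentication on a host with no authorized keys
  # locks the administrator out; say so before it happens.
  if ! ssh_keys_present; then
    log_warn "Не найдено ни одного authorized_keys: после отключения парольной аутентификации вход по SSH может стать невозможен"
  fi

  set_sshd_option PermitRootLogin no "$ssh_config"
  set_sshd_option PasswordAuthentication no "$ssh_config"
  set_sshd_option PubkeyAuthentication yes "$ssh_config"
  set_sshd_option PermitEmptyPasswords no "$ssh_config"
  set_sshd_option MaxAuthTries 3 "$ssh_config"
  set_sshd_option LoginGraceTime 60 "$ssh_config"

  # Never hand sshd a broken config: a failed reload is silent, but the next
  # restart would then refuse to start and cut off remote access.
  if ! sshd -t 2>/dev/null; then
    cp -- "$ssh_backup" "$ssh_config"
    log_error "Конфигурация SSH некорректна, восстановлена резервная копия ${ssh_backup}"
    return 1
  fi

  verify_sshd_option PermitRootLogin no
  verify_sshd_option PasswordAuthentication no

  systemctl reload sshd 2>/dev/null || systemctl reload ssh 2>/dev/null || true

  log_ok "SSH настроен"
}

#######################################
# Write the pam_pwquality password policy.
#######################################
harden_passwords() {
  log_info "Настройка политики паролей..."

  local pwquality="/etc/security/pwquality.conf"

  cat > "$pwquality" << 'EOF'
# Saikyo OS Server Password Policy
# Соответствует требованиям ПП РФ №1236

minlen = 12
minclass = 3
maxrepeat = 3
maxclassrepeat = 4
lcredit = -1
ucredit = -1
dcredit = -1
ocredit = -1
dictcheck = 1
usercheck = 1
enforcing = 1
EOF

  log_ok "Политика паролей настроена"
}

#######################################
# Write and apply network/kernel sysctl hardening.
# A partial apply (e.g. IPv6 keys missing on a host with IPv6 disabled) is
# reported as a warning rather than aborting the remaining steps.
#######################################
harden_kernel() {
  log_info "Настройка параметров ядра..."

  local sysctl_conf="/etc/sysctl.d/99-saikyo-security.conf"

  cat > "$sysctl_conf" << 'EOF'
# Saikyo OS Server Kernel Security Settings
# Соответствует требованиям ПП РФ №1236

# Disable IP forwarding
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

# Enable TCP SYN cookies
net.ipv4.tcp_syncookies = 1

# Ignore ICMP broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Log martian packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Restrict core dumps
fs.suid_dumpable = 0

# Randomize virtual address space
kernel.randomize_va_space = 2

# Restrict dmesg access
kernel.dmesg_restrict = 1

# Restrict kernel pointers
kernel.kptr_restrict = 2
EOF

  # sysctl -p exits non-zero if any single key is unknown; under set -e that
  # used to abort the whole script before the firewall was configured.
  if ! sysctl -p "$sysctl_conf" > /dev/null 2>&1; then
    log_warn "Не все параметры ядра применены (проверьте: sysctl -p ${sysctl_conf})"
  fi

  log_ok "Параметры ядра настроены"
}

#######################################
# Enable a default-deny inbound firewall with SSH allowed, using whichever of
# firewalld or ufw is installed.
#######################################
enable_firewall() {
  log_info "Настройка firewall..."

  if command -v firewall-cmd &>/dev/null; then
    systemctl enable --now firewalld 2>/dev/null || true
    firewall-cmd --set-default-zone=drop 2>/dev/null || true
    firewall-cmd --permanent --add-service=ssh 2>/dev/null || true
    firewall-cmd --reload 2>/dev/null || true
    log_ok "Firewalld настроен"
  elif command -v ufw &>/dev/null; then
    ufw default deny incoming 2>/dev/null || true
    ufw default allow outgoing 2>/dev/null || true
    ufw allow ssh 2>/dev/null || true
    ufw --force enable 2>/dev/null || true
    log_ok "UFW настроен"
  else
    log_warn "Firewall не найден"
  fi
}

#######################################
# Write a fail2ban jail.local with an sshd jail and start the service.
#######################################
enable_fail2ban() {
  log_info "Настройка Fail2ban..."

  if command -v fail2ban-client &>/dev/null; then
    local jail_local="/etc/fail2ban/jail.local"

    cat > "$jail_local" << 'EOF'
# Saikyo OS Server Fail2ban Configuration

[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
backend = systemd

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 7200
EOF

    systemctl enable --now fail2ban 2>/dev/null || true
    log_ok "Fail2ban настроен"
  else
    log_warn "Fail2ban не установлен"
  fi
}

#######################################
# Install audit rules for identity files, sudoers, sshd_config, execve and
# kernel module tooling, then load them.
#######################################
enable_auditd() {
  log_info "Настройка Auditd..."

  if command -v auditctl &>/dev/null; then
    local audit_rules="/etc/audit/rules.d/saikyo-security.rules"

    cat > "$audit_rules" << 'EOF'
# Saikyo OS Server Audit Rules
# Соответствует требованиям ПП РФ №1236

# Delete all existing rules
-D

# Set buffer size
-b 8192

# Monitor authentication
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/gshadow -p wa -k identity

# Monitor sudo
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers

# Monitor SSH
-w /etc/ssh/sshd_config -p wa -k sshd

# Monitor system calls
-a always,exit -F arch=b64 -S execve -k exec

# Monitor kernel modules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
EOF

    systemctl enable --now auditd 2>/dev/null || true
    augenrules --load 2>/dev/null || true
    log_ok "Auditd настроен"
  else
    log_warn "Auditd не установлен"
  fi
}

#######################################
# Enable the AppArmor service when the userspace tools are present.
#######################################
enable_apparmor() {
  log_info "Настройка AppArmor..."

  if command -v apparmor_status &>/dev/null; then
    systemctl enable --now apparmor 2>/dev/null || true
    log_ok "AppArmor включён"
  else
    log_warn "AppArmor не установлен"
  fi
}

#######################################
# Print the banner and run every hardening step in order.
# Under set -e a step that returns non-zero (currently only harden_ssh on an
# invalid config) stops the run; the remaining steps are independent of it.
#######################################
main() {
  printf '%b\n' "${BLUE}================================================${NC}"
  printf '%b\n' "${BLUE} Saikyo OS Server Hardening Script v${VERSION}${NC}"
  printf '%b\n' "${BLUE} Разработка: ООО «САЙКО»${NC}"
  printf '%b\n' "${BLUE}================================================${NC}"
  echo ""

  check_root

  log_info "Начало усиления безопасности..."

  harden_ssh
  harden_passwords
  harden_kernel
  enable_firewall
  enable_fail2ban
  enable_auditd
  enable_apparmor

  echo ""
  log_ok "Усиление безопасности завершено!"
  log_info "Рекомендуется перезагрузить систему."
}

# ${1:-} keeps `set -u` from tripping when the script is run without arguments.
case "${1:-}" in
  --version|-v)
    echo "saikyo-harden version $VERSION"
    ;;
  --help|-h)
    echo "Usage: saikyo-harden [OPTIONS]"
    echo ""
    echo "Saikyo OS Server Hardening Script"
    echo ""
    echo "Options:"
    echo " -h, --help Show this help"
    echo " -v, --version Show version"
    ;;
  *)
    main
    ;;
esac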