saikyo-server-security/bin/saikyo-harden


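#!/bin/bash
# Saikyo OS Server Hardening Script
# Copyright (c) 2025-2026 OOO "SAIKO"
# License: GPL-3.0
#
# Applies a fixed set of hardening steps (sshd, password policy, sysctl,
# firewall, fail2ban, auditd, AppArmor) to the local host. Must run as root.
set -e

# Script version, printed by --version and in the main() banner.
readonly VERSION="1.0.0"

# ANSI colour escapes used by the log_* helpers; NC resets the colour.
# Kept as literal backslash sequences so `echo -e` / printf '%b' expand them.
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'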
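# Print an informational message to stdout with a blue INFO tag.
# Arguments: message words (joined by spaces). Only the colour codes are
# escape-expanded; backslashes in the message itself are printed literally.
log_info() { printf '[%bINFO%b] %s\n' "$BLUE" "$NC" "$*"; }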
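# Print a success message to stdout with a green OK tag.
# Arguments: message words (joined by spaces). Only the colour codes are
# escape-expanded; backslashes in the message itself are printed literally.
log_ok() { printf '[%bOK%b] %s\n' "$GREEN" "$NC" "$*"; }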
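# Print a warning to stderr with a yellow WARN tag, so that diagnostics do not
# mix with the stdout report when the script output is captured.
# Arguments: message words (joined by spaces). Only the colour codes are
# escape-expanded; backslashes in the message itself are printed literally.
log_warn() { printf '[%bWARN%b] %s\n' "$YELLOW" "$NC" "$*" >&2; }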
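# Print an error to stderr with a red ERROR tag, so that diagnostics do not
# mix with the stdout report when the script output is captured.
# Arguments: message words (joined by spaces). Only the colour codes are
# escape-expanded; backslashes in the message itself are printed literally.
log_error() { printf '[%bERROR%b] %s\n' "$RED" "$NC" "$*" >&2; }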
# Abort unless the effective UID is 0: every hardening step writes under
# /etc and drives systemctl, so nothing below works unprivileged.
# Returns: 0 when running as root; otherwise exits the script with status 1.
check_root() {
  local uid
  uid=$(id -u)
  if [ "$uid" -eq 0 ]; then
    return 0
  fi
  log_error "Требуются права root. Используйте sudo."
  exit 1
}
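#######################################
# Harden sshd_config: no root login, no password or empty-password auth,
# public-key auth on, MaxAuthTries 3, LoginGraceTime 60.
# Each directive is rewritten wherever it appears (commented or not, also
# inside Match blocks, as before) and appended when absent, so a minimal
# config still ends up with the setting. The result is syntax-checked with
# `sshd -t` before sshd is reloaded; on failure the backup is restored and
# the function returns 1 (fatal under set -e, which is intended).
# NOTE(review): on distributions whose sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf" a drop-in wins, because sshd keeps
# the first value it reads for a keyword — confirm no drop-in overrides these.
# NOTE(review): PasswordAuthentication no locks out any admin account that
# has no authorized key installed yet — verify key access before running.
# Globals:  none written (paths are local)
# Outputs:  log lines; backup at /etc/ssh/sshd_config.bak.YYYYMMDD
# Returns:  0 on success, 1 when the rewritten config fails validation
#######################################
harden_ssh() {
  log_info "Настройка SSH..."
  local ssh_config="/etc/ssh/sshd_config"
  local ssh_backup
  ssh_backup="${ssh_config}.bak.$(date +%Y%m%d)"
  # Keep the first backup of the day: a re-run must not overwrite the
  # pristine copy with an already-hardened one.
  [ -e "$ssh_backup" ] || cp -- "$ssh_config" "$ssh_backup"
  local key value
  while read -r key value; do
    if grep -Eq "^#*[[:space:]]*${key}([[:space:]]|$)" "$ssh_config"; then
      sed -i -E "s/^#*[[:space:]]*${key}([[:space:]].*)?$/${key} ${value}/" "$ssh_config"
    else
      printf '%s %s\n' "$key" "$value" >> "$ssh_config"
    fi
  done <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 60
EOF
  # Validate before reloading: a broken config would refuse every new session
  # while the current one stays up. sshd's own diagnostics go to stderr.
  if command -v sshd >/dev/null 2>&1 && ! sshd -t -f "$ssh_config"; then
    log_error "sshd_config не прошёл проверку (sshd -t); восстанавливается резервная копия"
    cp -- "$ssh_backup" "$ssh_config"
    return 1
  fi
  systemctl reload sshd 2>/dev/null || systemctl reload ssh 2>/dev/null || true
  log_ok "SSH настроен"
}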
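#######################################
# Replace /etc/security/pwquality.conf with the project's password policy.
# The existing file is copied to pwquality.conf.bak once (first run only)
# because the overwrite is otherwise lossy for admin-tuned settings.
# NOTE(review): these values only take effect if pam_pwquality is in the
# PAM password stack; this script does not touch PAM — confirm on the target.
# Globals:  none written
# Outputs:  log lines; rewrites /etc/security/pwquality.conf
# Returns:  0 (cp/cat failures abort under set -e)
#######################################
harden_passwords() {
  log_info "Настройка политики паролей..."
  local pwquality="/etc/security/pwquality.conf"
  if [ -e "$pwquality" ] && [ ! -e "${pwquality}.bak" ]; then
    cp -- "$pwquality" "${pwquality}.bak"
  fi
  cat > "$pwquality" << 'EOF'
# Saikyo OS Server Password Policy
# Соответствует требованиям ПП РФ №1236
minlen = 12
minclass = 3
maxrepeat = 3
maxclassrepeat = 4
lcredit = -1
ucredit = -1
dcredit = -1
ocredit = -1
dictcheck = 1
usercheck = 1
enforcing = 1
EOF
  log_ok "Политика паролей настроена"
}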
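#######################################
# Write the sysctl hardening drop-in and apply it immediately.
# A failing `sysctl -p` (e.g. a key the running kernel does not expose) no
# longer aborts the whole script silently under set -e: the error is left on
# stderr and a warning is logged, while the drop-in stays in place for
# the sysctl service to apply at the next boot.
# Globals:  none written
# Outputs:  log lines; writes /etc/sysctl.d/99-saikyo-security.conf
# Returns:  0
#######################################
harden_kernel() {
  log_info "Настройка параметров ядра..."
  local sysctl_conf="/etc/sysctl.d/99-saikyo-security.conf"
  cat > "$sysctl_conf" << 'EOF'
# Saikyo OS Server Kernel Security Settings
# Соответствует требованиям ПП РФ №1236
# Disable IP forwarding
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# Enable TCP SYN cookies
net.ipv4.tcp_syncookies = 1
# Ignore ICMP broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Log martian packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Restrict core dumps
fs.suid_dumpable = 0
# Randomize virtual address space
kernel.randomize_va_space = 2
# Restrict dmesg access
kernel.dmesg_restrict = 1
# Restrict kernel pointers
kernel.kptr_restrict = 2
EOF
  # stdout (the echoed key=value lines) is noise; stderr names the failing key.
  if ! sysctl -p "$sysctl_conf" > /dev/null; then
    log_warn "sysctl -p завершился с ошибкой, проверьте ${sysctl_conf}"
  fi
  log_ok "Параметры ядра настроены"
}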
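#######################################
# Configure whichever host firewall is installed (firewalld, else ufw) to
# deny inbound traffic except SSH. Each command's result is tracked so a
# partial failure is reported instead of being masked by `|| true`.
# With firewalld, SSH is allowed in the drop zone (runtime and permanent)
# BEFORE drop becomes the default zone, so no window exists in which new
# SSH sessions are refused.
# NOTE(review): the "ssh" service definition covers port 22 only; an sshd on
# a non-standard port needs an explicit port rule — confirm sshd's Port.
# Globals:  none written
# Outputs:  log lines
# Returns:  0 (failures are logged as warnings)
#######################################
enable_firewall() {
  log_info "Настройка firewall..."
  local fw_ok=1
  if command -v firewall-cmd >/dev/null 2>&1; then
    systemctl enable --now firewalld 2>/dev/null || fw_ok=0
    firewall-cmd --zone=drop --add-service=ssh >/dev/null 2>&1 || fw_ok=0
    firewall-cmd --permanent --zone=drop --add-service=ssh >/dev/null 2>&1 || fw_ok=0
    firewall-cmd --set-default-zone=drop >/dev/null 2>&1 || fw_ok=0
    firewall-cmd --reload >/dev/null 2>&1 || fw_ok=0
    if [ "$fw_ok" -eq 1 ]; then
      log_ok "Firewalld настроен"
    else
      log_warn "Firewalld: часть команд завершилась с ошибкой, проверьте конфигурацию"
    fi
  elif command -v ufw >/dev/null 2>&1; then
    # Allow SSH before enabling so the active rule set never lacks it.
    ufw default deny incoming >/dev/null 2>&1 || fw_ok=0
    ufw default allow outgoing >/dev/null 2>&1 || fw_ok=0
    ufw allow ssh >/dev/null 2>&1 || fw_ok=0
    ufw --force enable >/dev/null 2>&1 || fw_ok=0
    if [ "$fw_ok" -eq 1 ]; then
      log_ok "UFW настроен"
    else
      log_warn "UFW: часть команд завершилась с ошибкой, проверьте конфигурацию"
    fi
  else
    log_warn "Firewall не найден"
  fi
}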
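#######################################
# Install the project's fail2ban jail.local and enable the service.
# An existing jail.local is copied to jail.local.bak once (first run only),
# since the overwrite below discards any admin-written jails. A service that
# fails to start is now reported as a warning instead of "configured".
# NOTE(review): with `backend = systemd` fail2ban reads the journal, so the
# logpath below is presumably unused, and /var/log/auth.log does not exist
# on every distribution — confirm against the target's fail2ban version.
# Globals:  none written
# Outputs:  log lines; writes /etc/fail2ban/jail.local
# Returns:  0
#######################################
enable_fail2ban() {
  log_info "Настройка Fail2ban..."
  if ! command -v fail2ban-client >/dev/null 2>&1; then
    log_warn "Fail2ban не установлен"
    return 0
  fi
  local jail_local="/etc/fail2ban/jail.local"
  if [ -e "$jail_local" ] && [ ! -e "${jail_local}.bak" ]; then
    cp -- "$jail_local" "${jail_local}.bak"
  fi
  cat > "$jail_local" << 'EOF'
# Saikyo OS Server Fail2ban Configuration
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
backend = systemd
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 7200
EOF
  if systemctl enable --now fail2ban 2>/dev/null; then
    log_ok "Fail2ban настроен"
  else
    log_warn "Fail2ban: не удалось включить службу"
  fi
}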
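#######################################
# Install the project's audit rules and load them with augenrules.
# An existing rules file is copied to .bak once (first run only); a failed
# service start or rule load is reported as a warning rather than masked.
# NOTE(review): augenrules merges rules.d/*.rules in name order, so the
# leading "-D" here also flushes rules from any file that sorts before it —
# confirm this is the only rules file or that this ordering is intended.
# NOTE(review): only arch=b64 execve is watched; 32-bit compat binaries are
# not logged by this rule — consider a matching arch=b32 rule on x86_64.
# Globals:  none written
# Outputs:  log lines; writes /etc/audit/rules.d/saikyo-security.rules
# Returns:  0
#######################################
enable_auditd() {
  log_info "Настройка Auditd..."
  if ! command -v auditctl >/dev/null 2>&1; then
    log_warn "Auditd не установлен"
    return 0
  fi
  local audit_rules="/etc/audit/rules.d/saikyo-security.rules"
  if [ -e "$audit_rules" ] && [ ! -e "${audit_rules}.bak" ]; then
    cp -- "$audit_rules" "${audit_rules}.bak"
  fi
  cat > "$audit_rules" << 'EOF'
# Saikyo OS Server Audit Rules
# Соответствует требованиям ПП РФ №1236
# Delete all existing rules
-D
# Set buffer size
-b 8192
# Monitor authentication
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/gshadow -p wa -k identity
# Monitor sudo
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers
# Monitor SSH
-w /etc/ssh/sshd_config -p wa -k sshd
# Monitor system calls
-a always,exit -F arch=b64 -S execve -k exec
# Monitor kernel modules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
EOF
  local audit_ok=1
  systemctl enable --now auditd 2>/dev/null || audit_ok=0
  augenrules --load 2>/dev/null || audit_ok=0
  if [ "$audit_ok" -eq 1 ]; then
    log_ok "Auditd настроен"
  else
    log_warn "Auditd: служба или правила не загрузились, проверьте ${audit_rules}"
  fi
}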
# Enable and start the AppArmor service when its userspace tools are present.
# Globals:  none written
# Outputs:  log lines
# Returns:  0 always; a missing apparmor_status only produces a warning
enable_apparmor() {
  log_info "Настройка AppArmor..."
  if ! command -v apparmor_status >/dev/null 2>&1; then
    log_warn "AppArmor не установлен"
    return 0
  fi
  # Best-effort, as before: a start failure is deliberately not fatal.
  systemctl enable --now apparmor 2>/dev/null || true
  log_ok "AppArmor включён"
}
#######################################
# Full run: print the banner, require root, apply every hardening step in
# order, then recommend a reboot.
# Globals:   BLUE, NC, VERSION (read)
# Arguments: none
# Outputs:   banner and log lines on stdout
#######################################
main() {
  local rule='================================================'
  printf '%b\n' "${BLUE}${rule}${NC}"
  printf '%b\n' "${BLUE} Saikyo OS Server Hardening Script v${VERSION}${NC}"
  printf '%b\n' "${BLUE} Разработка: ООО «САЙКО»${NC}"
  printf '%b\n' "${BLUE}${rule}${NC}"
  printf '\n'
  check_root
  log_info "Начало усиления безопасности..."
  local step
  for step in harden_ssh harden_passwords harden_kernel \
              enable_firewall enable_fail2ban enable_auditd enable_apparmor; do
    "$step"
  done
  printf '\n'
  log_ok "Усиление безопасности завершено!"
  log_info "Рекомендуется перезагрузить систему."
}
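# Command-line dispatch: -h/--help and -v/--version are informational, an
# unrecognised option is rejected with status 2 (previously any unknown flag
# fell through and silently hardened the host), and no argument runs main.
case "${1:-}" in
  --version|-v)
    echo "saikyo-harden version $VERSION"
    ;;
  --help|-h)
    cat <<'EOF'
Usage: saikyo-harden [OPTIONS]

Saikyo OS Server Hardening Script

Options:
 -h, --help Show this help
 -v, --version Show version
EOF
    ;;
  -*)
    printf 'saikyo-harden: неизвестная опция: %s\n' "$1" >&2
    echo "Usage: saikyo-harden [-h|--help] [-v|--version]" >&2
    exit 2
    ;;
  *)
    main
    ;;
esac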