ubuntu服务器初始化安全设置

用于初始化 Ubuntu 20.04 安全设置的 shell 脚本，同时将 Cloudflare IP 段添加到特定端口的白名单。

初始化脚本

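#!/bin/bash
#
# Ubuntu 20.04 LTS x64 Server Setup Script
#
# Hardens a fresh server: moves SSH to a non-default port, disables password
# and root logins, creates a sudo-capable user with key-only access, enables
# UFW with default-deny inbound, then installs Fail2Ban and nginx.
#
# Usage: edit the variables below, then run as root:  bash setup.sh
#
# Safety: the script refuses to run with an empty public_key, because turning
# off PasswordAuthentication without an installed key would lock you out.
# The firewall rule for the new port is added BEFORE sshd is restarted, and
# sshd_config is validated with `sshd -t` before the restart.

set -euo pipefail

# --- Variables -------------------------------------------------------------
new_ssh_port=1222   # Replace with your desired SSH port
new_user="newuser"  # Replace with your desired username
public_key=""       # Replace with your public SSH key (one line, "ssh-ed25519 AAAA... comment")

readonly sshd_config=/etc/ssh/sshd_config

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Set a directive in sshd_config. Replaces an existing line whether it is
# commented ("#Port 22") or explicit ("Port 22"); appends when absent.
# Globals:   sshd_config (read)
# Arguments: $1 - directive name, $2 - value
#######################################
set_sshd_option() {
  local key=$1 value=$2
  if grep -qE "^#?${key}[[:space:]]" "$sshd_config"; then
    sed -i -E "s|^#?${key}[[:space:]].*|${key} ${value}|" "$sshd_config"
  else
    printf '%s %s\n' "$key" "$value" >> "$sshd_config"
  fi
}

# --- Pre-flight checks -----------------------------------------------------
# Ensure the script is run as root
[[ "$(id -u)" == "0" ]] || die "This script must be run as root"

# Refuse settings that would leave no working login path or break later steps.
[[ -n "$public_key" ]] \
  || die "public_key is empty; set it before running (password login will be disabled)"
[[ "$new_ssh_port" =~ ^[0-9]+$ ]] && (( new_ssh_port >= 1 && new_ssh_port <= 65535 )) \
  || die "new_ssh_port must be a number between 1 and 65535"
[[ "$new_user" =~ ^[a-z_][a-z0-9_-]*$ ]] \
  || die "new_user '${new_user}' is not a valid Linux username"
getent group sudo >/dev/null || die "group 'sudo' does not exist on this system"

export DEBIAN_FRONTEND=noninteractive

# --- 1. Configure SSH (file only; restarted after the firewall is open) -----
echo "Configuring SSH..."
cp -a -- "$sshd_config" "${sshd_config}.bak.$(date +%Y%m%d%H%M%S)"
set_sshd_option Port "$new_ssh_port"
set_sshd_option PasswordAuthentication no
set_sshd_option PermitRootLogin no
# NOTE: sshd uses the first value it reads. If /etc/ssh/sshd_config.d/*.conf
# drop-ins are Included at the top of sshd_config, they take precedence over
# the lines edited above; check them if a setting does not take effect.
sshd -t || die "sshd_config failed validation; sshd was not restarted"

# --- 2. Create new user with sudo privileges -------------------------------
echo "Creating new user '${new_user}' with sudo privileges..."
# adduser prompts interactively for the account password (needed for sudo).
if id -- "$new_user" >/dev/null 2>&1; then
  echo "User '${new_user}' already exists; skipping creation."
else
  adduser --gecos "" "$new_user"
fi
# Membership in the 'sudo' group grants sudo on Ubuntu; this avoids editing
# /etc/sudoers directly, where a typo can break sudo for every user.
usermod -aG sudo "$new_user"

# Add public key for new user
echo "Adding public key for new user..."
home_dir=$(getent passwd "$new_user" | cut -d: -f6)
[[ -n "$home_dir" && -d "$home_dir" ]] || die "cannot determine home directory of ${new_user}"
ssh_dir="${home_dir}/.ssh"
auth_keys="${ssh_dir}/authorized_keys"
install -d -m 700 -o "$new_user" -g "$new_user" -- "$ssh_dir"
touch -- "$auth_keys"
# Append only when the key is not already present, so re-runs stay idempotent.
grep -qxF -- "$public_key" "$auth_keys" || printf '%s\n' "$public_key" >> "$auth_keys"
chown "${new_user}:${new_user}" -- "$auth_keys"
chmod 600 -- "$auth_keys"

# --- 3. Configure UFW Firewall ---------------------------------------------
echo "Configuring UFW Firewall..."
ufw default deny incoming
ufw default allow outgoing
ufw allow "${new_ssh_port}/tcp"
# --force skips the interactive "may disrupt existing ssh connections" prompt.
ufw --force enable
ufw status verbose

# Firewall now admits the new port, so the restart cannot strand the host.
systemctl restart sshd

# --- 4. Install Fail2Ban and configure -------------------------------------
echo "Installing Fail2Ban..."
apt-get update -y
apt-get install -y fail2ban
# Override only what we change (jail.local is read after jail.conf). The
# sshd jail is pointed at the new port; by default it would watch port 22.
cat > /etc/fail2ban/jail.local <<EOF
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 3

[sshd]
enabled = true
port = ${new_ssh_port}
EOF
systemctl restart fail2ban

# --- 5. Install nginx ------------------------------------------------------
echo "Installing nginx..."
apt-get install -y nginx
# No HTTP/HTTPS ports are opened in UFW here; add them deliberately
# (e.g. per-source allow rules) once the site is ready to serve.

echo "Configuration complete. Please remember to test SSH login before closing your current session."
echo "  e.g.  ssh -p ${new_ssh_port} ${new_user}@<server-address>"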

添加cf白名单

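#!/bin/bash
#
# Allow Cloudflare's published IP ranges to reach a local port (default 8443)
# through UFW, replacing any rules previously created for that port.
#
# Flow: fetch the current ranges from the Cloudflare API FIRST; only when the
# fetch succeeds and yields at least one valid range are the old rules for the
# port deleted and the fresh set installed. This way an API failure leaves the
# existing rules untouched instead of leaving the port with no allow rules.
#
# Usage: run as root (ufw requires it):  bash cf-whitelist.sh
# Requires: curl, ufw; jq is installed via apt-get when missing.

set -euo pipefail

readonly port=8443                                          # Port exposed to Cloudflare
readonly cf_ips_url="https://api.cloudflare.com/client/v4/ips"

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# --- Pre-flight checks -----------------------------------------------------
[[ "$(id -u)" == "0" ]] || die "This script must be run as root (ufw needs it)"
command -v ufw >/dev/null 2>&1 || die "ufw is not installed"
command -v curl >/dev/null 2>&1 || die "curl is not installed"

# Check if jq is installed
if ! command -v jq >/dev/null 2>&1; then
  echo "jq could not be found, attempting to install..."
  DEBIAN_FRONTEND=noninteractive apt-get update -y
  DEBIAN_FRONTEND=noninteractive apt-get install -y jq
else
  echo "jq is already installed"
fi

# Only add IPv6 ranges when UFW has IPv6 enabled; otherwise `ufw allow` on an
# IPv6 source fails and would abort the script part-way.
include_ipv6=0
grep -qE '^IPV6=yes' /etc/default/ufw 2>/dev/null && include_ipv6=1

# --- 1. Fetch the current Cloudflare ranges --------------------------------
# The /client/v4/ips endpoint is public and needs no credentials, so no
# Authorization header (and no token in this file) is required. -f turns HTTP
# errors into a non-zero exit, -sS hides progress but keeps error text, and
# --max-time bounds a hung request.
echo "Fetching Cloudflare IP ranges..."
json_data=$(curl -fsS --max-time 30 \
  --header 'Accept: application/json' \
  --url "$cf_ips_url") || die "Failed to fetch data from API."

# Refuse to act on a response the API itself marks as unsuccessful
# (or on a body that is not JSON at all, which makes jq print nothing).
[[ "$(jq -r '.success' <<<"$json_data" 2>/dev/null)" == "true" ]] \
  || die "API response did not report success; leaving existing rules in place."

# Extract the CIDR lists into a Bash array.
if (( include_ipv6 )); then
  jq_filter='.result.ipv4_cidrs[], (.result.ipv6_cidrs // [])[]'
else
  jq_filter='.result.ipv4_cidrs[]'
fi
readarray -t ip_ranges < <(jq -r "$jq_filter" <<<"$json_data")
(( ${#ip_ranges[@]} > 0 )) \
  || die "API returned no IP ranges; leaving existing rules in place."

# Validate every entry as an IPv4 or IPv6 CIDR before it becomes a ufw
# argument: the values come from a remote service, not from this file.
cidr_re='^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$|^[0-9a-fA-F:]+/[0-9]{1,3}$'
for ip in "${ip_ranges[@]}"; do
  [[ "$ip" =~ $cidr_re ]] || die "Unexpected value in API response: '${ip}'"
done

# --- 2. Remove the rules previously created for the port -------------------
# `ufw status numbered` lines look like "[ 3] 8443/tcp  ALLOW IN  1.2.3.0/24".
# Anchor on the rule column so rules for other ports or addresses that merely
# contain the digits (e.g. 18443, 10.84.43.0/24) are left alone. Numbers are
# sorted descending so earlier deletions do not renumber later ones.
readarray -t old_rules < <(ufw status numbered \
  | grep -E "^\[ *[0-9]+\] +${port}(/tcp|/udp)? " \
  | sed -E 's/^\[ *([0-9]+)\].*/\1/' \
  | sort -rn)

if (( ${#old_rules[@]} == 0 )); then
  echo "No UFW rules found for port ${port}."
else
  for rule in "${old_rules[@]}"; do
    echo "Deleting rule ${rule} for port ${port}..."
    # --force answers the "Proceed with operation" prompt non-interactively.
    ufw --force delete "$rule"
  done

  echo "UFW rules deletion complete."
  # Show current status
  ufw status verbose

  printf '\n\n----------- update to new ip ranges ---------\n\n'
fi

# --- 3. Add UFW rules for each IP range ------------------------------------
# Restricted to TCP: the port carries HTTPS, so UDP never needs to be open.
for ip in "${ip_ranges[@]}"; do
  echo "Allowing IP range ${ip} on port ${port}"
  ufw allow proto tcp from "$ip" to any port "$port"
done

ufw reload
ufw status verbose

echo "UFW rules added successfully."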