Hamza/servers_security_sys
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

2026-02-05/1

Browse Source
This commit is contained in:
Hamza-Ayed
2026-02-05 13:22:27 +03:00
parent 3d441cfea3
commit d0b3e624cc
7 changed files with 4399 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

952
tripz_fortress_v8.2_generator.sh Normal file
View File

@@ -0,0 +1,952 @@
#!/bin/bash
# ════════════════════════════════════════════════════════════════
# 🛡️ TRIPZ FORTRESS v8.2 - PRODUCTION-SAFE DYNAMIC GENERATOR
# ════════════════════════════════════════════════════════════════
# الإصدار: 8.2
# التاريخ: 2025-02-05
# المطوّر: TRIPZ TEAM
# الترخيص: Proprietary
# ════════════════════════════════════════════════════════════════
set -euo pipefail # Exit on error, undefined vars, pipe failures
IFS=$'\n\t' # Safe word splitting
# ════════════════════════════════════════════════════════════════
# ⚙️ CONFIGURATION SECTION - يتم ملؤها ديناميكياً
# ════════════════════════════════════════════════════════════════
# معلومات السيرفر (REQUIRED)
SERVER_IP="${SERVER_IP:-}"
ADMIN_USER="${ADMIN_USER:-tripzadmin}"
SSH_PORT="${SSH_PORT:-2200}"
SSH_PUBLIC_KEY="${SSH_PUBLIC_KEY:-}"
# Port Knocking Sequence (3 منافذ عشوائية)
KNOCK_PORT_1="${KNOCK_PORT_1:-$(shuf -i 7000-9000 -n 1)}"
KNOCK_PORT_2="${KNOCK_PORT_2:-$(shuf -i 7000-9000 -n 1)}"
KNOCK_PORT_3="${KNOCK_PORT_3:-$(shuf -i 7000-9000 -n 1)}"
# Telegram Integration (OPTIONAL)
TELEGRAM_BOT_TOKEN="${TELEGRAM_BOT_TOKEN:-}"
TELEGRAM_CHAT_ID="${TELEGRAM_CHAT_ID:-}"
# Security Features (TOGGLES)
ENABLE_HONEYPOT="${ENABLE_HONEYPOT:-true}"
ENABLE_FAKE_SERVICES="${ENABLE_FAKE_SERVICES:-true}"
ENABLE_PORT_KNOCKING="${ENABLE_PORT_KNOCKING:-true}"
ENABLE_WIREGUARD="${ENABLE_WIREGUARD:-false}"
ENABLE_FAIL2BAN="${ENABLE_FAIL2BAN:-true}"
ENABLE_AUTO_BACKUP="${ENABLE_AUTO_BACKUP:-true}"
# WireGuard Configuration (if enabled)
VPN_NETWORK="${VPN_NETWORK:-10.8.0.0/24}"
VPN_SERVER_IP="${VPN_SERVER_IP:-10.8.0.1}"
# ════════════════════════════════════════════════════════════════
# 🎨 COLORS & STYLING
# ════════════════════════════════════════════════════════════════
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
PURPLE='\033[0;35m'
CYAN='\033[0;36m'
NC='\033[0m' # No Color
BOLD='\033[1m'
# ════════════════════════════════════════════════════════════════
# 📝 LOGGING FUNCTIONS
# ════════════════════════════════════════════════════════════════
LOG_DIR="/var/log/fortress"
LOG_FILE="${LOG_DIR}/install_$(date +%Y%m%d_%H%M%S).log"
log() {
echo -e "${BLUE}[$(date '+%Y-%m-%d %H:%M:%S')]${NC} $*" | tee -a "$LOG_FILE"
}
info() {
echo -e "${CYAN} $*${NC}" | tee -a "$LOG_FILE"
}
success() {
echo -e "${GREEN}$*${NC}" | tee -a "$LOG_FILE"
}
warning() {
echo -e "${YELLOW}⚠️ $*${NC}" | tee -a "$LOG_FILE"
}
error() {
echo -e "${RED}❌ ERROR: $*${NC}" | tee -a "$LOG_FILE"
return 1
}
# ════════════════════════════════════════════════════════════════
# 🔍 PRE-FLIGHT CHECKS
# ════════════════════════════════════════════════════════════════
preflight_checks() {
log "\n🔍 تشغيل الفحوصات الأولية..."
# 1. التحقق من root
if [ "$EUID" -ne 0 ]; then
error "يجب تشغيل هذا السكريبت كـ root أو باستخدام sudo"
exit 1
fi
# 2. التحقق من النظام
if ! [ -f /etc/debian_version ] && ! [ -f /etc/redhat-release ]; then
warning "نظام غير مدعوم رسمياً - قد تحدث مشاكل"
fi
# 3. التحقق من الاتصال
if ! ping -c 2 8.8.8.8 &>/dev/null; then
error "لا يوجد اتصال بالإنترنت"
exit 1
fi
# 4. التحقق من المتطلبات الأساسية
local required_vars=("SERVER_IP" "SSH_PUBLIC_KEY")
for var in "${required_vars[@]}"; do
if [ -z "${!var}" ]; then
error "المتغير $var مطلوب ولكنه فارغ!"
exit 1
fi
done
# 5. التحقق من صلاحية IP
if ! [[ $SERVER_IP =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
error "عنوان IP غير صالح: $SERVER_IP"
exit 1
fi
# 6. التحقق من SSH Key format
if ! echo "$SSH_PUBLIC_KEY" | grep -qE '^(ssh-rsa|ssh-ed25519|ecdsa-sha2)'; then
error "تنسيق SSH Key غير صالح"
exit 1
fi
# 7. إنشاء مجلد السجلات
mkdir -p "$LOG_DIR"
# 8. نسخة احتياطية سريعة
log "إنشاء نسخة احتياطية للملفات الحساسة..."
mkdir -p /root/backup_before_fortress_$(date +%Y%m%d)
cp -r /etc/ssh /root/backup_before_fortress_$(date +%Y%m%d)/ 2>/dev/null || true
success "✓ الفحوصات الأولية مكتملة"
}
# ════════════════════════════════════════════════════════════════
# 📦 SYSTEM PREPARATION
# ════════════════════════════════════════════════════════════════
system_preparation() {
log "\n📦 تحضير النظام..."
# تحديث النظام
info "تحديث قوائم الحزم..."
export DEBIAN_FRONTEND=noninteractive
apt-get update -qq
# تثبيت الأدوات الأساسية
info "تثبيت الأدوات الأساسية..."
apt-get install -y -qq \
curl \
wget \
git \
ufw \
fail2ban \
openssh-server \
sudo \
htop \
net-tools \
knockd \
openssl \
cron \
bc \
jq \
netcat-openbsd
success "✓ تحضير النظام مكتمل"
}
# ════════════════════════════════════════════════════════════════
# 👤 USER MANAGEMENT
# ════════════════════════════════════════════════════════════════
create_admin_user() {
log "\n👤 إنشاء المستخدم الإداري..."
# التحقق من وجود المستخدم
if id "$ADMIN_USER" &>/dev/null; then
warning "المستخدم $ADMIN_USER موجود بالفعل - سيتم تحديثه"
else
info "إنشاء المستخدم $ADMIN_USER..."
useradd -m -s /bin/bash -G sudo "$ADMIN_USER"
fi
# تعطيل كلمة المرور (سنستخدم المفاتيح فقط)
passwd -l "$ADMIN_USER"
# إعداد SSH
mkdir -p "/home/$ADMIN_USER/.ssh"
echo "$SSH_PUBLIC_KEY" > "/home/$ADMIN_USER/.ssh/authorized_keys"
chmod 700 "/home/$ADMIN_USER/.ssh"
chmod 600 "/home/$ADMIN_USER/.ssh/authorized_keys"
chown -R "$ADMIN_USER:$ADMIN_USER" "/home/$ADMIN_USER/.ssh"
# صلاحيات sudo بدون كلمة مرور
cat > /etc/sudoers.d/"$ADMIN_USER" <<EOF
# TRIPZ FORTRESS - Admin User
$ADMIN_USER ALL=(ALL) NOPASSWD:ALL
EOF
chmod 440 /etc/sudoers.d/"$ADMIN_USER"
# التحقق من صحة sudoers
visudo -c || error "خطأ في ملف sudoers!"
success "✓ المستخدم $ADMIN_USER جاهز"
}
# ════════════════════════════════════════════════════════════════
# 🔐 SSH HARDENING
# ════════════════════════════════════════════════════════════════
harden_ssh() {
log "\n🔐 تأمين SSH..."
# نسخة احتياطية
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup.$(date +%Y%m%d)
# التكوين الآمن
cat > /etc/ssh/sshd_config <<SSHEOF
# ════════════════════════════════════════
# TRIPZ FORTRESS v8.2 - SSH Configuration
# ════════════════════════════════════════
# الأساسيات
Port $SSH_PORT
Protocol 2
AddressFamily inet
ListenAddress 0.0.0.0
# المصادقة
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
# تعطيل root login
PermitRootLogin no
# المستخدمون المسموح لهم
AllowUsers $ADMIN_USER
# الأمان
X11Forwarding no
PermitUserEnvironment no
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
GatewayPorts no
# الجلسات
MaxAuthTries 3
MaxSessions 2
ClientAliveInterval 300
ClientAliveCountMax 2
LoginGraceTime 30
# التشفير القوي (Modern Algorithms)
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
# السجلات
SyslogFacility AUTH
LogLevel VERBOSE
# Banner
Banner /etc/ssh/banner.txt
SSHEOF
# إنشاء Banner
cat > /etc/ssh/banner.txt <<'BANNEREOF'
════════════════════════════════════════════════════════
⚠️ AUTHORIZED ACCESS ONLY ⚠️
This system is protected by TRIPZ FORTRESS v8.2
All connections are monitored and logged.
Unauthorized access attempts will be prosecuted.
🛡️ Protected by 9-Layer Security System
════════════════════════════════════════════════════════
BANNEREOF
# اختبار التكوين
info "اختبار تكوين SSH..."
if ! sshd -t; then
error "تكوين SSH غير صالح!"
cp /etc/ssh/sshd_config.backup.$(date +%Y%m%d) /etc/ssh/sshd_config
exit 1
fi
# إعادة تحميل SSH (بدون قطع الاتصال!)
systemctl reload sshd
success "✓ SSH محمي (Port: $SSH_PORT)"
}
# ════════════════════════════════════════════════════════════════
# 🔥 FIREWALL CONFIGURATION
# ════════════════════════════════════════════════════════════════
configure_firewall() {
log "\n🔥 تكوين جدار الحماية..."
# السياسة الافتراضية
ufw default deny incoming
ufw default allow outgoing
# السماح بالمنافذ الأساسية
info "السماح بـ HTTP/HTTPS..."
ufw allow 80/tcp comment 'HTTP'
ufw allow 443/tcp comment 'HTTPS'
# SSH: سيتم إدارته بواسطة Port Knocking
if [ "$ENABLE_PORT_KNOCKING" == "true" ]; then
info "Port Knocking مفعّل - SSH سيُفتح عبر الطرق فقط"
else
ufw allow "$SSH_PORT/tcp" comment 'SSH Direct Access'
fi
# WireGuard VPN
if [ "$ENABLE_WIREGUARD" == "true" ]; then
ufw allow 51820/udp comment 'WireGuard VPN'
fi
# Honeypot (Port 22 للخداع)
if [ "$ENABLE_HONEYPOT" == "true" ]; then
ufw allow 22/tcp comment 'Endlessh Honeypot'
fi
# Fake Services
if [ "$ENABLE_FAKE_SERVICES" == "true" ]; then
ufw allow 3306/tcp comment 'Fake MySQL Trap'
fi
# تفعيل UFW
info "تفعيل جدار الحماية..."
echo "y" | ufw enable
# عرض الحالة
ufw status verbose | head -20
success "✓ جدار الحماية نشط"
}
# ════════════════════════════════════════════════════════════════
# 🚫 FAIL2BAN SETUP
# ════════════════════════════════════════════════════════════════
setup_fail2ban() {
if [ "$ENABLE_FAIL2BAN" != "true" ]; then
warning "Fail2Ban معطّل - تخطي..."
return 0
fi
log "\n🚫 تكوين Fail2Ban..."
# التكوين الرئيسي
cat > /etc/fail2ban/jail.local <<F2BEOF
[DEFAULT]
# الإعدادات العامة
bantime = 3600
findtime = 600
maxretry = 3
destemail = root@localhost
sendername = TRIPZ-FORTRESS
action = %(action_mwl)s
# Whitelist
ignoreip = 127.0.0.1/8 ::1
# ══════════════════════════════════════
# SSH Protection (Progressive)
# ══════════════════════════════════════
[sshd]
enabled = true
port = $SSH_PORT
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 7200
findtime = 600
[sshd-aggressive]
enabled = true
port = $SSH_PORT
filter = sshd
logpath = /var/log/auth.log
maxretry = 2
bantime = 86400
findtime = 300
# ══════════════════════════════════════
# Nginx Protection
# ══════════════════════════════════════
[nginx-http-auth]
enabled = true
port = 80,443
logpath = /var/log/nginx/error.log
[nginx-noscript]
enabled = true
port = 80,443
logpath = /var/log/nginx/access.log
[nginx-badbots]
enabled = true
port = 80,443
logpath = /var/log/nginx/access.log
F2BEOF
# تفعيل وبدء
systemctl enable fail2ban
systemctl restart fail2ban
# التحقق
sleep 2
if systemctl is-active --quiet fail2ban; then
success "✓ Fail2Ban نشط"
else
warning "Fail2Ban لم يبدأ - راجع السجلات"
fi
}
# ════════════════════════════════════════════════════════════════
# 🚪 PORT KNOCKING
# ════════════════════════════════════════════════════════════════
setup_port_knocking() {
if [ "$ENABLE_PORT_KNOCKING" != "true" ]; then
warning "Port Knocking معطّل - تخطي..."
return 0
fi
log "\n🚪 إعداد Port Knocking..."
info "تسلسل الطرق: $KNOCK_PORT_1, $KNOCK_PORT_2, $KNOCK_PORT_3"
# تكوين knockd
cat > /etc/knockd.conf <<KNOCKEOF
[options]
UseSyslog
LogFile = /var/log/knockd.log
[openSSH]
sequence = $KNOCK_PORT_1,$KNOCK_PORT_2,$KNOCK_PORT_3
seq_timeout = 15
command = /usr/sbin/ufw allow from %IP% to any port $SSH_PORT proto tcp
tcpflags = syn
[closeSSH]
sequence = $KNOCK_PORT_3,$KNOCK_PORT_2,$KNOCK_PORT_1
seq_timeout = 15
command = /usr/sbin/ufw delete allow from %IP% to any port $SSH_PORT proto tcp
tcpflags = syn
KNOCKEOF
# تفعيل knockd
sed -i 's/START_KNOCKD=0/START_KNOCKD=1/' /etc/default/knockd
systemctl enable knockd
systemctl restart knockd
# التحقق
if systemctl is-active --quiet knockd; then
success "✓ Port Knocking نشط"
else
error "فشل بدء knockd!"
fi
}
# ════════════════════════════════════════════════════════════════
# 🎣 HONEYPOT (Endlessh)
# ════════════════════════════════════════════════════════════════
setup_honeypot() {
if [ "$ENABLE_HONEYPOT" != "true" ]; then
warning "Honeypot معطّل - تخطي..."
return 0
fi
log "\n🎣 إعداد Honeypot (Endlessh)..."
# التثبيت من المصدر
cd /opt
if [ ! -d "endlessh" ]; then
git clone --depth=1 https://github.com/skeeto/endlessh
fi
cd endlessh
make
cp endlessh /usr/local/bin/
# التكوين
mkdir -p /etc/endlessh
cat > /etc/endlessh/config <<'ENDLESSHEOF'
Port 22
Delay 10000
MaxLineLength 32
MaxClients 4096
LogLevel 1
ENDLESSHEOF
# Systemd service
cat > /etc/systemd/system/endlessh.service <<'SERVICEEOF'
[Unit]
Description=Endlessh SSH Tarpit
After=network.target
[Service]
Type=simple
User=nobody
ExecStart=/usr/local/bin/endlessh -c /etc/endlessh/config
Restart=always
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
SERVICEEOF
systemctl daemon-reload
systemctl enable endlessh
systemctl start endlessh
success "✓ Endlessh Honeypot نشط (Port 22)"
}
# ════════════════════════════════════════════════════════════════
# 🎭 FAKE SERVICES
# ════════════════════════════════════════════════════════════════
setup_fake_services() {
if [ "$ENABLE_FAKE_SERVICES" != "true" ]; then
warning "Fake Services معطّل - تخطي..."
return 0
fi
log "\n🎭 إعداد Fake MySQL..."
# سكريبت Fake MySQL
cat > /usr/local/bin/fake-mysql.sh <<'FAKEMYSQLEOF'
#!/bin/bash
LOG_FILE="/var/log/fortress/fake-mysql.log"
PORT=3306
mkdir -p /var/log/fortress
while true; do
nc -l -p $PORT -k 2>&1 | while read line; do
echo "$(date '+%Y-%m-%d %H:%M:%S') - MySQL probe: ${line:0:100}" >> "$LOG_FILE"
echo -e "\x4a\x00\x00\x00\x0a\x35\x2e\x37\x2e\x33\x33"
sleep 2
done
done
FAKEMYSQLEOF
chmod +x /usr/local/bin/fake-mysql.sh
# Systemd service
cat > /etc/systemd/system/fake-mysql.service <<'EOF'
[Unit]
Description=Fake MySQL Honeypot
After=network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/fake-mysql.sh
Restart=always
User=nobody
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable fake-mysql
systemctl start fake-mysql
success "✓ Fake MySQL نشط (Port 3306)"
}
# ════════════════════════════════════════════════════════════════
# ⚡ SYSTEM OPTIMIZATION
# ════════════════════════════════════════════════════════════════
optimize_system() {
log "\n⚡ تحسينات النظام..."
# Kernel hardening
cat >> /etc/sysctl.conf <<'SYSCTLEOF'
# ════════════════════════════════════════
# TRIPZ FORTRESS v8.2 - Kernel Hardening
# ════════════════════════════════════════
# SYN flood protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
# TCP hardening
net.ipv4.tcp_rfc1337 = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# IP spoofing protection
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# ICMP protection
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Performance
net.core.netdev_max_backlog = 2048
net.core.somaxconn = 1024
# TCP BBR
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
# Security
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
SYSCTLEOF
# تطبيق التعديلات
sysctl -p || warning "بعض إعدادات sysctl غير مدعومة"
success "✓ تحسينات النظام مطبّقة"
}
# ════════════════════════════════════════════════════════════════
# 💾 AUTO BACKUP SYSTEM
# ════════════════════════════════════════════════════════════════
setup_auto_backup() {
if [ "$ENABLE_AUTO_BACKUP" != "true" ]; then
warning "Auto Backup معطّل - تخطي..."
return 0
fi
log "\n💾 إعداد النسخ الاحتياطي التلقائي..."
mkdir -p /usr/local/bin/fortress
mkdir -p /backup/fortress
# سكريبت النسخ الاحتياطي
cat > /usr/local/bin/fortress/backup.sh <<'BACKUPEOF'
#!/bin/bash
BACKUP_DIR="/backup/fortress"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
TEMP_DIR="/tmp/fortress_backup_$TIMESTAMP"
BACKUP_FILE="${BACKUP_DIR}/fortress_${TIMESTAMP}.tar.gz"
ENCRYPTED_FILE="${BACKUP_FILE}.enc"
RETENTION_DAYS=30
mkdir -p "$TEMP_DIR"
# نسخ الملفات المهمة
cp -r /etc/ssh "$TEMP_DIR/" 2>/dev/null
cp -r /etc/fail2ban "$TEMP_DIR/" 2>/dev/null
cp -r /etc/ufw "$TEMP_DIR/" 2>/dev/null
cp /etc/knockd.conf "$TEMP_DIR/" 2>/dev/null
# ضغط
tar -czf "$BACKUP_FILE" -C /tmp "$(basename $TEMP_DIR)"
# تشفير AES-256
BACKUP_PASSWORD="TRIPZ_$(hostname)_$(date +%Y)"
openssl enc -aes-256-cbc -salt -pbkdf2 -in "$BACKUP_FILE" -out "$ENCRYPTED_FILE" -k "$BACKUP_PASSWORD"
# حذف غير المشفر
rm -f "$BACKUP_FILE"
rm -rf "$TEMP_DIR"
# تطبيق سياسة الاحتفاظ
find "$BACKUP_DIR" -name "fortress_*.tar.gz.enc" -mtime +$RETENTION_DAYS -delete
echo "✅ نسخة احتياطية: $ENCRYPTED_FILE"
echo "🔑 كلمة فك التشفير: $BACKUP_PASSWORD"
BACKUPEOF
chmod +x /usr/local/bin/fortress/backup.sh
# جدولة cron (يومياً 2 صباحاً)
(crontab -l 2>/dev/null; echo "0 2 * * * /usr/local/bin/fortress/backup.sh >> ${LOG_DIR}/backup.log 2>&1") | crontab -
success "✓ النسخ الاحتياطي التلقائي مجدول"
}
# ════════════════════════════════════════════════════════════════
# 📱 TELEGRAM NOTIFICATIONS
# ════════════════════════════════════════════════════════════════
setup_telegram_alerts() {
if [ -z "$TELEGRAM_BOT_TOKEN" ] || [ -z "$TELEGRAM_CHAT_ID" ]; then
warning "Telegram غير مكوّن - تخطي التنبيهات..."
return 0
fi
log "\n📱 إعداد تنبيهات Telegram..."
# سكريبت الإرسال
cat > /usr/local/bin/fortress/telegram_notify.sh <<TELEGRAMEOF
#!/bin/bash
TELEGRAM_BOT_TOKEN="$TELEGRAM_BOT_TOKEN"
TELEGRAM_CHAT_ID="$TELEGRAM_CHAT_ID"
MESSAGE=\$1
if [ -z "\$MESSAGE" ]; then
echo "Usage: \$0 'message'"
exit 1
fi
curl -s -X POST "https://api.telegram.org/bot\${TELEGRAM_BOT_TOKEN}/sendMessage" \\
-d chat_id="\${TELEGRAM_CHAT_ID}" \\
-d text="🛡️ FORTRESS ALERT
🖥️ Server: \$(hostname)
📍 IP: \$(curl -s ifconfig.me)
🕐 Time: \$(date '+%Y-%m-%d %H:%M:%S')
📨 \$MESSAGE" \\
-d parse_mode="HTML" > /dev/null
echo "✅ تم إرسال التنبيه"
TELEGRAMEOF
chmod +x /usr/local/bin/fortress/telegram_notify.sh
# اختبار
/usr/local/bin/fortress/telegram_notify.sh "✅ تم تثبيت TRIPZ FORTRESS v8.2 بنجاح!"
success "✓ تنبيهات Telegram جاهزة"
}
# ════════════════════════════════════════════════════════════════
# ✅ FINAL VERIFICATION
# ════════════════════════════════════════════════════════════════
final_verification() {
log "\n✅ التحقق النهائي..."
SERVICES_OK=0
SERVICES_FAILED=0
check_service() {
if systemctl is-active --quiet "$1"; then
success "$1"
((SERVICES_OK++))
else
warning "$1"
((SERVICES_FAILED++))
fi
}
info "فحص الخدمات..."
check_service "sshd"
check_service "ufw"
[ "$ENABLE_FAIL2BAN" == "true" ] && check_service "fail2ban"
[ "$ENABLE_PORT_KNOCKING" == "true" ] && check_service "knockd"
[ "$ENABLE_HONEYPOT" == "true" ] && check_service "endlessh"
[ "$ENABLE_FAKE_SERVICES" == "true" ] && check_service "fake-mysql"
log "\nالخدمات النشطة: $SERVICES_OK"
log "الخدمات الفاشلة: $SERVICES_FAILED"
}
# ════════════════════════════════════════════════════════════════
# 📝 GENERATE INFO FILE
# ════════════════════════════════════════════════════════════════
generate_info_file() {
log "\n📝 إنشاء ملف المعلومات..."
cat > /root/FORTRESS_INFO.txt <<INFOEOF
════════════════════════════════════════════════════════
🛡️ TRIPZ FORTRESS v8.2 - معلومات السيرفر
════════════════════════════════════════════════════════
تاريخ التثبيت: $(date '+%Y-%m-%d %H:%M:%S')
السيرفر: $(hostname)
IP: $(curl -s ifconfig.me 2>/dev/null || echo "غير متاح")
🔐 معلومات الأمان:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
المستخدم الإداري: $ADMIN_USER
منفذ SSH: $SSH_PORT
Port Knocking: $KNOCK_PORT_1, $KNOCK_PORT_2, $KNOCK_PORT_3
🛡️ الطبقات الأمنية النشطة:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ SSH Key-Only Authentication
✅ UFW Firewall
$([ "$ENABLE_FAIL2BAN" == "true" ] && echo "✅ Fail2Ban Progressive Blocking" || echo "⊘ Fail2Ban (معطّل)")
$([ "$ENABLE_PORT_KNOCKING" == "true" ] && echo "✅ Port Knocking" || echo "⊘ Port Knocking (معطّل)")
$([ "$ENABLE_HONEYPOT" == "true" ] && echo "✅ Endlessh Honeypot (Port 22)" || echo "⊘ Honeypot (معطّل)")
$([ "$ENABLE_FAKE_SERVICES" == "true" ] && echo "✅ Fake MySQL (Port 3306)" || echo "⊘ Fake Services (معطّل)")
✅ Kernel Hardening
$([ "$ENABLE_AUTO_BACKUP" == "true" ] && echo "✅ Encrypted Auto Backups" || echo "⊘ Auto Backup (معطّل)")
$([ -n "$TELEGRAM_BOT_TOKEN" ] && echo "✅ Telegram Alerts" || echo "⊘ Telegram (غير مكوّن)")
🔧 أوامر مفيدة:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
• فحص UFW: sudo ufw status verbose
• فحص Fail2Ban: sudo fail2ban-client status
• سجل Knockd: sudo tail -f /var/log/knockd.log
• نسخة احتياطية يدوية: sudo /usr/local/bin/fortress/backup.sh
📁 الملفات المهمة:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
• السجلات: $LOG_DIR/
• النسخ الاحتياطية: /backup/fortress/
• التكوينات: /etc/ssh/, /etc/fail2ban/
⚠️ للاتصال بالسيرفر:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
$(if [ "$ENABLE_PORT_KNOCKING" == "true" ]; then
echo "1. knock $SERVER_IP $KNOCK_PORT_1 $KNOCK_PORT_2 $KNOCK_PORT_3"
echo "2. ssh -p $SSH_PORT $ADMIN_USER@$SERVER_IP"
else
echo "ssh -p $SSH_PORT $ADMIN_USER@$SERVER_IP"
fi)
📞 الدعم:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
https://tripz-egypt.com
[email protected]
════════════════════════════════════════════════════════
✅ السيرفر محمي بالكامل!
════════════════════════════════════════════════════════
INFOEOF
chmod 600 /root/FORTRESS_INFO.txt
success "✓ ملف المعلومات: /root/FORTRESS_INFO.txt"
}
# ════════════════════════════════════════════════════════════════
# 🎯 MAIN INSTALLATION FLOW
# ════════════════════════════════════════════════════════════════
main() {
clear
cat <<'BANNER'
════════════════════════════════════════════════════════════════
████████╗██████╗ ██╗██████╗ ███████╗
╚══██╔══╝██╔══██╗██║██╔══██╗╚══███╔╝
██║ ██████╔╝██║██████╔╝ ███╔╝
██║ ██╔══██╗██║██╔═══╝ ███╔╝
██║ ██║ ██║██║██║ ███████╗
╚═╝ ╚═╝ ╚═╝╚═╝╚═╝ ╚══════╝
███████╗ ██████╗ ██████╗ ████████╗██████╗ ███████╗███████╗
██╔════╝██╔═══██╗██╔══██╗╚══██╔══╝██╔══██╗██╔════╝██╔════╝
█████╗ ██║ ██║██████╔╝ ██║ ██████╔╝█████╗ ███████╗
██╔══╝ ██║ ██║██╔══██╗ ██║ ██╔══██╗██╔══╝ ╚════██║
██║ ╚██████╔╝██║ ██║ ██║ ██║ ██║███████╗███████║
╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝╚══════╝╚══════╝
🛡️ v8.2 - PRODUCTION-SAFE EDITION
9-Layer Security System | Enterprise Ready
════════════════════════════════════════════════════════════════
BANNER
log "\n🚀 بدء التثبيت..."
log "الإصدار: 8.2"
log "التاريخ: $(date '+%Y-%m-%d %H:%M:%S')"
log "════════════════════════════════════════════════════════════════\n"
# تنفيذ المراحل
preflight_checks
system_preparation
create_admin_user
harden_ssh
configure_firewall
setup_fail2ban
setup_port_knocking
setup_honeypot
setup_fake_services
optimize_system
setup_auto_backup
setup_telegram_alerts
final_verification
generate_info_file
# النتيجة النهائية
log "\n════════════════════════════════════════════════════════════════"
success "🎉 اكتمل تثبيت TRIPZ FORTRESS v8.2!"
log "════════════════════════════════════════════════════════════════\n"
cat <<FINALEOF
╔══════════════════════════════════════════════════════════════════╗
║ 🔐 TRIPZ FORTRESS v8.2 🔐 ║
║ PRODUCTION-SAFE EDITION ║
╠══════════════════════════════════════════════════════════════════╣
║ ║
║ ✅ التثبيت مكتمل بنجاح! ║
║ ║
║ 📊 معلومات الاتصال: ║
║ • السيرفر: $SERVER_IP ║
║ • المستخدم: $ADMIN_USER ║
║ • منفذ SSH: $SSH_PORT ║
║ ║
$(if [ "$ENABLE_PORT_KNOCKING" == "true" ]; then
cat <<KNOCKEOF
║ 🚪 Port Knocking مفعّل: ║
║ • knock $SERVER_IP $KNOCK_PORT_1 $KNOCK_PORT_2 $KNOCK_PORT_3 ║
KNOCKEOF
fi)
║ ║
║ ⚠️ التحذيرات المهمة: ║
║ 1. اختبر الاتصال قبل قطع الجلسة الحالية! ║
║ 2. احفظ معلومات Port Knocking في مكان آمن ║
║ 3. راجع: /root/FORTRESS_INFO.txt ║
║ 4. السجلات: $LOG_FILE ║
║ ║
╚══════════════════════════════════════════════════════════════════╝
FINALEOF
warning "\n⚠ لاختبار الاتصال، افتح terminal جديد وجرّب:"
if [ "$ENABLE_PORT_KNOCKING" == "true" ]; then
echo "knock $SERVER_IP $KNOCK_PORT_1 $KNOCK_PORT_2 $KNOCK_PORT_3"
fi
echo "ssh -p $SSH_PORT $ADMIN_USER@$SERVER_IP"
log "\n✅ التثبيت مكتمل - السيرفر الآن محمي!"
}
# ════════════════════════════════════════════════════════════════
# 🚀 RUN
# ════════════════════════════════════════════════════════════════
main "$@"