#!/bin/bash
# ════════════════════════════════════════════════════════════════
# 🛡️ TRIPZ FORTRESS v9.0 - PRODUCTION-SAFE EDITION
# ════════════════════════════════════════════════════════════════
# الإصدار: 9.0 (Advanced Hardening)
# التاريخ: 2025-02-05
# التحديثات: Safety Net, Sandboxing, Key Management
# ════════════════════════════════════════════════════════════════
# Strict mode: abort on a failing command, on an unset variable, and on any
# failing stage of a pipeline.
set -o errexit -o nounset -o pipefail
# Word-split expansions only on newline and tab, never on spaces.
IFS=$'\n\t'
# ════════════════════════════════════════════════════════════════
# ⚙️ CONFIGURATION SECTION - يتم ملؤها ديناميكياً
# ════════════════════════════════════════════════════════════════
# معلومات السيرفر (REQUIRED)
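# Server identity (REQUIRED: SERVER_IP and SSH_PUBLIC_KEY come from the
# environment; preflight_checks aborts when either is empty)
SERVER_IP="${SERVER_IP:-}"
ADMIN_USER="${ADMIN_USER:-tripzadmin}"
SSH_PORT="${SSH_PORT:-2200}"
SSH_PUBLIC_KEY="${SSH_PUBLIC_KEY:-}"
# Port-knocking sequence: three ports in 7000-9000. The defaults are drawn
# with a single shuf call so they are guaranteed pairwise distinct (three
# independent draws could repeat a port); any of them may still be pinned
# through the environment.
mapfile -t knock_defaults < <(shuf -i 7000-9000 -n 3)
if (( ${#knock_defaults[@]} != 3 )); then
  printf 'ERROR: could not generate knock ports (shuf failed)\n' >&2
  exit 1
fi
KNOCK_PORT_1="${KNOCK_PORT_1:-${knock_defaults[0]}}"
KNOCK_PORT_2="${KNOCK_PORT_2:-${knock_defaults[1]}}"
KNOCK_PORT_3="${KNOCK_PORT_3:-${knock_defaults[2]}}"
unset knock_defaults
# Telegram integration (OPTIONAL; setup_telegram_alerts is skipped when the
# token is empty)
TELEGRAM_BOT_TOKEN="${TELEGRAM_BOT_TOKEN:-}"
TELEGRAM_CHAT_ID="${TELEGRAM_CHAT_ID:-}"
# Feature toggles: exactly the string "true" enables a feature
ENABLE_HONEYPOT="${ENABLE_HONEYPOT:-true}"
ENABLE_FAKE_SERVICES="${ENABLE_FAKE_SERVICES:-true}"
ENABLE_PORT_KNOCKING="${ENABLE_PORT_KNOCKING:-true}"
ENABLE_WIREGUARD="${ENABLE_WIREGUARD:-false}"
ENABLE_FAIL2BAN="${ENABLE_FAIL2BAN:-true}"
ENABLE_AUTO_BACKUP="${ENABLE_AUTO_BACKUP:-true}"
# WireGuard settings. NOTE(review): no function in this file reads
# ENABLE_WIREGUARD or the VPN_* values; they are reserved for a later stage.
VPN_NETWORK="${VPN_NETWORK:-10.8.0.0/24}"
VPN_SERVER_IP="${VPN_SERVER_IP:-10.8.0.1}"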
# ════════════════════════════════════════════════════════════════
# 🎨 COLORS & STYLING
# ════════════════════════════════════════════════════════════════
# ANSI colour prefixes used by the logging helpers. They are stored as the
# literal backslash text, so they only take effect through echo -e / printf %b.
declare RED='\033[0;31m'     # errors
declare GREEN='\033[0;32m'   # success
declare YELLOW='\033[1;33m'  # warnings
declare BLUE='\033[0;34m'    # timestamps
declare CYAN='\033[0;36m'    # informational
declare NC='\033[0m'         # reset ("No Color")
# ════════════════════════════════════════════════════════════════
# 📝 LOGGING FUNCTIONS
# ════════════════════════════════════════════════════════════════
# Install log: one file per run under LOG_DIR (the directory itself is created
# later by preflight_checks).
LOG_DIR=/var/log/fortress
printf -v LOG_FILE '%s/install_%s.log' "$LOG_DIR" "$(date +%Y%m%d_%H%M%S)"
log() { echo -e "${BLUE}[$(date '+%Y-%m-%d %H:%M:%S')]${NC} $*" | tee -a "$LOG_FILE"; }
info() { echo -e "${CYAN} $*${NC}" | tee -a "$LOG_FILE"; }
success() { echo -e "${GREEN}$*${NC}" | tee -a "$LOG_FILE"; }
warning() { echo -e "${YELLOW}⚠️ $*${NC}" | tee -a "$LOG_FILE"; }
error() { echo -e "${RED}❌ ERROR: $*${NC}" | tee -a "$LOG_FILE"; return 1; }
# ════════════════════════════════════════════════════════════════
# 🔍 PRE-FLIGHT CHECKS
# ════════════════════════════════════════════════════════════════
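#######################################
# Validate privileges, connectivity and the required inputs before anything on
# the host is modified, then snapshot /etc/ssh for the rollback paths.
# Globals:   EUID, SERVER_IP, SSH_PUBLIC_KEY, SSH_PORT (read); LOG_DIR (created)
# Outputs:   /root/backup_before_fortress_<YYYYMMDD>/ssh (copy of /etc/ssh)
# Returns:   exits 1 on any failed check
#######################################
preflight_checks() {
  # Root is checked with a plain stderr write: the log helpers need LOG_DIR,
  # which only root can create under /var/log.
  if [[ "$EUID" -ne 0 ]]; then
    printf 'ERROR: يجب تشغيل هذا السكريبت كـ root\n' >&2
    exit 1
  fi
  # Must precede the first log() call: the helpers append to LOG_FILE.
  mkdir -p "$LOG_DIR"
  log "\n🔍 تشغيل الفحوصات الأولية..."
  if ! ping -c 2 -W 3 8.8.8.8 &>/dev/null; then
    error "لا يوجد اتصال بالإنترنت" || exit 1
  fi
  local var
  for var in SERVER_IP SSH_PUBLIC_KEY; do
    if [[ -z "${!var}" ]]; then
      error "المتغير $var مطلوب ولكنه فارغ!" || exit 1
    fi
  done
  # SSH_PORT is written into sshd_config, ufw and knockd; a non-numeric or
  # out-of-range value would leave sshd unable to start.
  if ! [[ "$SSH_PORT" =~ ^[0-9]+$ ]] || (( SSH_PORT < 1 || SSH_PORT > 65535 )); then
    error "SSH_PORT غير صالح: $SSH_PORT" || exit 1
  fi
  # Password login is disabled later, so a malformed key means a lock-out.
  # ssh-keygen ships with the client package; skip the check if it is absent.
  if command -v ssh-keygen &>/dev/null; then
    if ! ssh-keygen -l -f <(printf '%s\n' "$SSH_PUBLIC_KEY") &>/dev/null; then
      error "SSH_PUBLIC_KEY ليس مفتاحاً عاماً صالحاً" || exit 1
    fi
  fi
  # Same path convention is used by setup_safety_net and harden_ssh to restore
  # <backup_dir>/ssh/sshd_config.
  local backup_dir="/root/backup_before_fortress_$(date +%Y%m%d)"
  mkdir -p "$backup_dir"
  cp -r /etc/ssh "$backup_dir/" 2>/dev/null || true
  success "✓ الفحوصات الأولية مكتملة"
}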
# ════════════════════════════════════════════════════════════════
# 📦 SYSTEM PREPARATION
# ════════════════════════════════════════════════════════════════
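#######################################
# Install every package the later stages rely on.
# Globals:   DEBIAN_FRONTEND (exported for apt)
# Returns:   non-zero (aborting under set -e) if apt-get fails
#######################################
system_preparation() {
  log "\n📦 تحضير النظام..."
  export DEBIAN_FRONTEND=noninteractive
  # build-essential: setup_honeypot compiles endlessh with make, and none of
  # the other packages pull in a compiler.
  local -a packages=(
    curl wget git ufw fail2ban openssh-server sudo htop net-tools knockd
    openssl cron bc jq netcat-openbsd at build-essential
  )
  apt-get update -qq
  apt-get install -y -qq "${packages[@]}"
  success "✓ تحضير النظام مكتمل"
}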
# ════════════════════════════════════════════════════════════════
# 🛟 SAFETY NET (NEW in v9.0)
# ════════════════════════════════════════════════════════════════
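#######################################
# Arm a one-shot rollback in case the hardening cuts the operator off: after
# 15 minutes the firewall is disabled, knockd stopped and the pre-install
# sshd_config restored, unless remove_safety_net runs first.
# Globals:   LOG_DIR (read)
# Outputs:   /usr/local/bin/fortress_emergency_reset.sh; the queued at job id
#            in ${LOG_DIR}/safety_net.job so remove_safety_net cancels exactly
#            that job (the old code removed every at job on the host)
# Returns:   0
#######################################
setup_safety_net() {
  log "\n🛟 إعداد شبكة الأمان (Safety Net)..."
  # Resolved now, on purpose: the reset script must restore the backup taken
  # today even if it fires after midnight.
  local backup_dir="/root/backup_before_fortress_$(date +%Y%m%d)"
  cat > /usr/local/bin/fortress_emergency_reset.sh <<EOF
#!/bin/bash
# 🆘 EMERGENCY RESET triggered by Safety Net
mkdir -p /var/log/fortress
ufw disable
iptables -F
systemctl stop knockd 2>/dev/null
# Temporarily put SSH back to its pre-install configuration
if [ -f "${backup_dir}/ssh/sshd_config" ]; then
  cp "${backup_dir}/ssh/sshd_config" /etc/ssh/sshd_config 2>/dev/null
  systemctl restart sshd
fi
echo "⚠️ تم تفعيل استعادة الطوارئ بسبب فقدان الاتصال!" >> /var/log/fortress/emergency.log
EOF
  chmod 700 /usr/local/bin/fortress_emergency_reset.sh
  if command -v at &>/dev/null; then
    # at reports "job N at <date>" on stderr; keep N for a targeted atrm.
    local at_output job_id
    if at_output=$(printf '%s\n' /usr/local/bin/fortress_emergency_reset.sh | at now + 15 minutes 2>&1); then
      job_id=$(printf '%s\n' "$at_output" | awk '/^job [0-9]+/ { print $2; exit }')
      if [[ -n "$job_id" ]]; then
        printf '%s\n' "$job_id" > "${LOG_DIR}/safety_net.job"
      fi
      info "تم ضبط مؤقت طوارئ (15 دقيقة). سيتم إلغاؤه عند نجاح التثبيت."
    else
      warning "at scheduling failed, no safety net is armed: $at_output"
    fi
  else
    # Cron fallback: the SAFETY_NET tag is what remove_safety_net greps for.
    {
      crontab -l 2>/dev/null || true
      printf '%s\n' "*/15 * * * * /usr/local/bin/fortress_emergency_reset.sh # SAFETY_NET"
    } | crontab -
    warning "تم استخدام Cron للطوارئ. سيتم إلغاؤه عند النجاح."
  fi
}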
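#######################################
# Disarm the rollback scheduled by setup_safety_net.
# Globals:   LOG_DIR (read)
# Returns:   0
#######################################
remove_safety_net() {
  log "\n✅ إلغاء شبكة الأمان (نجح التثبيت)..."
  local job_file="${LOG_DIR}/safety_net.job" job_id
  if command -v atrm &>/dev/null; then
    if [[ -s "$job_file" ]] && job_id=$(<"$job_file") && [[ "$job_id" =~ ^[0-9]+$ ]]; then
      # Cancel only the job we queued; other at jobs on the host are untouched.
      atrm "$job_id" 2>/dev/null || true
      rm -f -- "$job_file"
    else
      # No recorded id (job file missing): fall back to clearing the queue.
      local job
      for job in $(atq | awk '{print $1}'); do atrm "$job"; done
    fi
  fi
  # Drop the cron fallback line. Done in two steps so an empty crontab
  # (crontab -l exits 1) or a grep -v that keeps nothing cannot trip pipefail
  # and abort the script right before the success message.
  local current
  current=$(crontab -l 2>/dev/null || true)
  if [[ -n "$current" ]]; then
    printf '%s\n' "$current" | { grep -v 'SAFETY_NET' || true; } | crontab -
  fi
  success "✓ تم تعطيل مؤقت الطوارئ."
}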
# ════════════════════════════════════════════════════════════════
# 👤 USER MANAGEMENT
# ════════════════════════════════════════════════════════════════
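#######################################
# Create the administrative account that will be the only SSH login.
# Globals:   ADMIN_USER, SSH_PUBLIC_KEY (read)
# Outputs:   ~ADMIN_USER/.ssh/authorized_keys (overwritten),
#            /etc/sudoers.d/ADMIN_USER
# Returns:   exits 1 if the generated sudoers fragment does not validate
#######################################
create_admin_user() {
  log "\n👤 إنشاء المستخدم الإداري..."
  if ! id "$ADMIN_USER" &>/dev/null; then
    useradd -m -s /bin/bash -G sudo "$ADMIN_USER"
  fi
  # Lock the password: the account is reachable with the key only.
  passwd -l "$ADMIN_USER"
  local home
  home=$(getent passwd "$ADMIN_USER" | cut -d: -f6)
  home=${home:-/home/$ADMIN_USER}
  install -d -m 700 -o "$ADMIN_USER" -g "$ADMIN_USER" "$home/.ssh"
  # Overwrite rather than append so a re-run never leaves stale keys behind.
  printf '%s\n' "$SSH_PUBLIC_KEY" > "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  chown -R "$ADMIN_USER:$ADMIN_USER" "$home/.ssh"
  # Passwordless sudo is deliberate (the password is locked). Validate the
  # fragment with visudo before installing it: a syntax error in sudoers.d
  # would break sudo for everyone.
  local sudoers_tmp
  sudoers_tmp=$(mktemp)
  printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$ADMIN_USER" > "$sudoers_tmp"
  if ! visudo -cf "$sudoers_tmp" >/dev/null; then
    rm -f -- "$sudoers_tmp"
    error "ملف sudoers غير صالح للمستخدم $ADMIN_USER" || exit 1
  fi
  install -m 440 -o root -g root "$sudoers_tmp" "/etc/sudoers.d/$ADMIN_USER"
  rm -f -- "$sudoers_tmp"
  success "✓ المستخدم $ADMIN_USER جاهز"
}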
# ════════════════════════════════════════════════════════════════
# 🔐 SSH HARDENING
# ════════════════════════════════════════════════════════════════
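#######################################
# Replace sshd_config with a key-only, cipher-restricted profile.
# Globals:   SSH_PORT, ADMIN_USER (read)
# Outputs:   /etc/ssh/sshd_config, /etc/ssh/banner.txt
# Returns:   exits 1 if the candidate config fails `sshd -t`; the live config
#            is then left untouched
#######################################
harden_ssh() {
  log "\n🔐 تأمين SSH..."
  # Validate a candidate file first and only then install it. The old flow
  # overwrote the live file, and because error() returns 1, set -e ended the
  # script before the restore line could run.
  local candidate
  candidate=$(mktemp /etc/ssh/sshd_config.fortress.XXXXXX)
  printf '%s\n' "⚠️ AUTHORIZED ACCESS ONLY - TRIPZ FORTRESS v9.0 PROTECTED" > /etc/ssh/banner.txt
  cat > "$candidate" <<SSHEOF
Port $SSH_PORT
Protocol 2
AddressFamily inet
ListenAddress 0.0.0.0
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
PermitRootLogin no
AllowUsers $ADMIN_USER
X11Forwarding no
PermitUserEnvironment no
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
GatewayPorts no
MaxAuthTries 3
MaxSessions 2
ClientAliveInterval 300
ClientAliveCountMax 2
LoginGraceTime 30
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
SyslogFacility AUTH
LogLevel VERBOSE
Banner /etc/ssh/banner.txt
SSHEOF
  if ! sshd -t -f "$candidate"; then
    rm -f -- "$candidate"
    error "تكوين SSH غير صالح!" || exit 1
  fi
  install -m 600 -o root -g root "$candidate" /etc/ssh/sshd_config
  rm -f -- "$candidate"
  # NOTE(review): on distributions that socket-activate sshd (ssh.socket) the
  # listen port comes from the socket unit, not sshd_config; confirm the new
  # port is really bound after the reload on such systems.
  systemctl reload sshd
  success "✓ SSH محمي (Port: $SSH_PORT)"
}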
# ════════════════════════════════════════════════════════════════
# 🔥 FIREWALL & FAIL2BAN
# ════════════════════════════════════════════════════════════════
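#######################################
# Apply the ufw policy: deny inbound by default and expose only the web
# ports, SSH (unless knockd opens it per client) and the decoy ports.
# Globals:   SSH_PORT, ENABLE_PORT_KNOCKING, ENABLE_HONEYPOT,
#            ENABLE_FAKE_SERVICES (read)
# Returns:   0
#######################################
configure_firewall() {
  log "\n🔥 تكوين جدار الحماية..."
  ufw default deny incoming
  ufw default allow outgoing
  ufw allow 80/tcp
  ufw allow 443/tcp
  if [[ "$ENABLE_PORT_KNOCKING" != "true" ]]; then
    # With knocking on, knockd's [openSSH] rule adds a per-source allow for
    # SSH_PORT instead of a global one.
    ufw allow "${SSH_PORT}/tcp"
  fi
  if [[ "$ENABLE_HONEYPOT" == "true" ]]; then
    ufw allow 22/tcp # endlessh tarpit
  fi
  if [[ "$ENABLE_FAKE_SERVICES" == "true" ]]; then
    ufw allow 3306/tcp # fake MySQL listener
  fi
  # --force answers the "may disrupt existing ssh connections" prompt; piping
  # "y" relied on ufw reading its confirmation from stdin.
  ufw --force enable
  success "✓ جدار الحماية نشط"
}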
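#######################################
# Write jail.local with two sshd jails (standard and aggressive) and restart
# fail2ban.
# Globals:   ENABLE_FAIL2BAN, SSH_PORT (read)
# Outputs:   /etc/fail2ban/jail.local
# Returns:   0 (also when the feature is disabled)
#######################################
setup_fail2ban() {
  if [[ "$ENABLE_FAIL2BAN" != "true" ]]; then return 0; fi
  log "\n🚫 تكوين Fail2Ban..."
  # Hosts without a syslog daemon have no /var/log/auth.log, and the sshd jail
  # then refuses to start; read the journal directly in that case.
  local backend=auto
  if [[ ! -r /var/log/auth.log ]]; then backend=systemd; fi
  cat > /etc/fail2ban/jail.local <<F2BEOF
[DEFAULT]
backend = $backend
bantime = 3600
findtime = 600
maxretry = 3
ignoreip = 127.0.0.1/8 ::1
[sshd]
enabled = true
port = $SSH_PORT
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 7200
[sshd-aggressive]
enabled = true
port = $SSH_PORT
# mode=aggressive also matches pre-auth disconnects and probes; with the plain
# filter this jail was a duplicate of [sshd] with lower thresholds.
filter = sshd[mode=aggressive]
logpath = /var/log/auth.log
maxretry = 2
bantime = 86400
findtime = 300
F2BEOF
  systemctl enable fail2ban
  systemctl restart fail2ban
  # Report a jail that failed to load instead of claiming success blindly.
  if ! fail2ban-client status sshd &>/dev/null; then
    warning "fail2ban jail 'sshd' is not active; check: fail2ban-client status"
  fi
  success "✓ Fail2Ban نشط"
}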
# ════════════════════════════════════════════════════════════════
# 🚪 PORT KNOCKING (HARDENED v9.0)
# ════════════════════════════════════════════════════════════════
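#######################################
# Configure knockd so SSH_PORT is opened per source address only after the
# three-port sequence (and closed again on the reverse sequence).
# Globals:   ENABLE_PORT_KNOCKING, KNOCK_PORT_1..3, SSH_PORT (read)
# Outputs:   /etc/knockd.conf (mode 600), /etc/default/knockd
# Returns:   0; exits 1 if no default-route interface can be found
#######################################
setup_port_knocking() {
  if [[ "$ENABLE_PORT_KNOCKING" != "true" ]]; then return 0; fi
  log "\n🚪 إعداد Port Knocking (Hardened)..."
  # knockd needs an explicit interface; use the one carrying the default route.
  local net_interface
  net_interface=$(ip -o route show default | awk '{print $5; exit}')
  if [[ -z "$net_interface" ]]; then
    error "No default route found; cannot choose an interface for knockd" || exit 1
  fi
  # The allow rule added by [openSSH] stays until [closeSSH] is knocked.
  cat > /etc/knockd.conf <<KNOCKEOF
[options]
UseSyslog
LogFile = /var/log/knockd.log
Interface = $net_interface
[openSSH]
sequence = $KNOCK_PORT_1,$KNOCK_PORT_2,$KNOCK_PORT_3
seq_timeout = 5
command = /usr/sbin/ufw allow from %IP% to any port $SSH_PORT proto tcp
tcpflags = syn
[closeSSH]
sequence = $KNOCK_PORT_3,$KNOCK_PORT_2,$KNOCK_PORT_1
seq_timeout = 5
command = /usr/sbin/ufw delete allow from %IP% to any port $SSH_PORT proto tcp
tcpflags = syn
KNOCKEOF
  # The sequence is the secret; keep it from unprivileged local users.
  chmod 600 /etc/knockd.conf
  sed -i 's/START_KNOCKD=0/START_KNOCKD=1/' /etc/default/knockd
  systemctl enable knockd
  systemctl restart knockd
  success "✓ Port Knocking نشط (Timeout: 5s)"
}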
# ════════════════════════════════════════════════════════════════
# 🎣 HONEYPOT (SANDBOXED v9.0)
# ════════════════════════════════════════════════════════════════
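#######################################
# Build and install endlessh as a sandboxed SSH tarpit on port 22.
# Globals:   ENABLE_HONEYPOT (read); ENDLESSH_REF (optional, read)
# Outputs:   /opt/endlessh (source), /usr/local/bin/endlessh,
#            /etc/endlessh/config, endlessh.service
# Returns:   0 (also when the feature is disabled)
#######################################
setup_honeypot() {
  if [[ "$ENABLE_HONEYPOT" != "true" ]]; then return 0; fi
  log "\n🎣 إعداد Honeypot (Sandboxed)..."
  # endlessh is compiled from source; make/cc are not in the base package
  # list, so install them here if system_preparation did not.
  if ! command -v make &>/dev/null || ! command -v cc &>/dev/null; then
    apt-get install -y -qq build-essential
  fi
  local src=/opt/endlessh
  if [[ ! -d "$src" ]]; then
    git clone --depth=1 https://github.com/skeeto/endlessh "$src"
  fi
  # Supply-chain note: the clone tracks whatever the upstream default branch
  # points at. Set ENDLESSH_REF to a reviewed commit or tag to build a known
  # revision instead.
  if [[ -n "${ENDLESSH_REF:-}" ]]; then
    git -C "$src" fetch --depth=1 origin "$ENDLESSH_REF"
    git -C "$src" checkout --quiet FETCH_HEAD
  fi
  # Build in a subshell so the installer's working directory is unchanged.
  (cd "$src" && make)
  install -m 755 -o root -g root "$src/endlessh" /usr/local/bin/endlessh
  mkdir -p /etc/endlessh
  printf '%s\n' 'Port 22' 'Delay 10000' 'MaxLineLength 32' 'MaxClients 4096' 'LogLevel 1' > /etc/endlessh/config
  # Systemd unit: unprivileged user, only CAP_NET_BIND_SERVICE for port 22.
  cat > /etc/systemd/system/endlessh.service <<'SERVICEEOF'
[Unit]
Description=Endlessh SSH Tarpit
After=network.target
[Service]
Type=simple
User=nobody
Group=nogroup
ExecStart=/usr/local/bin/endlessh -c /etc/endlessh/config
Restart=always
# 🛡️ Security Sandboxing
PrivateTmp=true
PrivateDevices=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectControlGroups=true
NoNewPrivileges=true
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
[Install]
WantedBy=multi-user.target
SERVICEEOF
  systemctl daemon-reload
  systemctl enable endlessh
  # restart (not start) so a re-run picks up a freshly built binary
  systemctl restart endlessh
  success "✓ Endlessh Honeypot معزول (Sandboxed)"
}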
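#######################################
# Decoy MySQL listener on TCP/3306. It records what connects and what the
# client sends; it does not speak the MySQL protocol. (The previous script
# echoed a greeting to the read loop's stdout, which is not connected to the
# socket, so clients never received it; and running as nobody it could not
# write to root-owned /var/log/fortress, so probes were silently lost.)
# Globals:   ENABLE_FAKE_SERVICES (read)
# Outputs:   /usr/local/bin/fake-mysql.sh, fake-mysql.service; probes appended
#            by systemd to /var/log/fortress/fake-mysql.log
# Returns:   0 (also when the feature is disabled)
#######################################
setup_fake_services() {
  if [[ "$ENABLE_FAKE_SERVICES" != "true" ]]; then return 0; fi
  log "\n🎭 إعداد Fake MySQL..."
  mkdir -p /var/log/fortress
  # Quoted delimiter: nothing in the script is expanded at install time.
  cat > /usr/local/bin/fake-mysql.sh <<'FAKEMYSQLEOF'
#!/bin/bash
# Probe logger for TCP/3306. Runs as nobody; output goes to stdout, which the
# unit redirects to the log file, so no write access to /var/log is needed.
while true; do
  nc -l -p 3306 -k 2>&1 | while IFS= read -r line; do
    printf '%s - Probe: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "${line:0:50}"
  done
  # Pause before re-listening so a failing nc (e.g. port in use) cannot spin.
  sleep 2
done
FAKEMYSQLEOF
  chmod 755 /usr/local/bin/fake-mysql.sh
  cat > /etc/systemd/system/fake-mysql.service <<'EOF'
[Unit]
Description=Fake MySQL Honeypot
After=network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/fake-mysql.sh
Restart=always
RestartSec=5
User=nobody
Group=nogroup
StandardOutput=append:/var/log/fortress/fake-mysql.log
StandardError=journal
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
ProtectKernelTunables=true
ProtectControlGroups=true
[Install]
WantedBy=multi-user.target
EOF
  systemctl daemon-reload
  systemctl enable fake-mysql
  systemctl restart fake-mysql
  success "✓ Fake MySQL نشط"
}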
# ════════════════════════════════════════════════════════════════
# ⚡ KERNEL HARDENING (ADVANCED v9.0)
# ════════════════════════════════════════════════════════════════
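#######################################
# Apply the kernel/network hardening profile via sysctl.
# Outputs:   /etc/sysctl.d/99-fortress.conf (rewritten on every run; the old
#            code appended the same block to /etc/sysctl.conf each time)
# Returns:   0; keys that cannot be applied only produce a warning
#######################################
optimize_system() {
  log "\n⚡ تحسين وتصليب النواة (Kernel Hardening)..."
  local conf=/etc/sysctl.d/99-fortress.conf
  cat > "$conf" <<'SYSCTLEOF'
# TRIPZ FORTRESS kernel hardening - managed file, rewritten by the installer
# Network Security
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirects (MITM Protection)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Log Martian Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Ignore ICMP Broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Memory & Process Security
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.sysrq = 0
kernel.yama.ptrace_scope = 1
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
# TCP/IP Stack Tuning
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
SYSCTLEOF
  # -e skips keys this kernel does not expose (e.g. kernel.yama.* without the
  # Yama LSM) instead of failing; any remaining error is reported, not fatal,
  # so one rejected value cannot abort the whole hardening run under set -e.
  if ! sysctl -e -q -p "$conf"; then
    warning "Some sysctl settings were not applied; review with: sysctl -p $conf"
  fi
  success "✓ Kernel Hardening: Advanced Profile Applied"
}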
# ════════════════════════════════════════════════════════════════
# 💾 AUTO BACKUP (KEY MANAGEMENT v9.0)
# ════════════════════════════════════════════════════════════════
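#######################################
# Install a nightly encrypted backup of the security configuration.
# Globals:   ENABLE_AUTO_BACKUP, LOG_DIR (read)
# Outputs:   /root/BACKUP_DECRYPTION_KEY.txt (created once, mode 600),
#            /usr/local/bin/fortress/backup.sh, a 02:00 crontab entry
# Returns:   0 (also when the feature is disabled)
#######################################
setup_auto_backup() {
  if [[ "$ENABLE_AUTO_BACKUP" != "true" ]]; then return 0; fi
  log "\n💾 إعداد النسخ الاحتياطي التلقائي..."
  local key_file=/root/BACKUP_DECRYPTION_KEY.txt
  local backup_script=/usr/local/bin/fortress/backup.sh
  mkdir -p /usr/local/bin/fortress
  install -d -m 700 /backup/fortress
  # Generate the key only once: regenerating it on a re-run would make every
  # existing archive undecryptable. umask keeps it root-only from creation.
  if [[ ! -s "$key_file" ]]; then
    (umask 077; printf 'TRIPZ_%s\n' "$(openssl rand -hex 12)" > "$key_file")
  fi
  chmod 600 "$key_file"
  # Quoted delimiter: the backup script resolves everything at run time.
  cat > "$backup_script" <<'BACKUPEOF'
#!/bin/bash
set -euo pipefail
BACKUP_DIR="/backup/fortress"
KEY_FILE="/root/BACKUP_DECRYPTION_KEY.txt"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
BACKUP_FILE="${BACKUP_DIR}/fortress_${TIMESTAMP}.tar.gz"
ENCRYPTED_FILE="${BACKUP_FILE}.enc"
umask 077
# knockd.conf is absent when port knocking is off; tar still archives the rest.
tar -czf "$BACKUP_FILE" -C /etc ssh fail2ban ufw knockd.conf 2>/dev/null || true
# -pass file: keeps the passphrase off the command line, where -k exposed it
# to every local user via ps.
openssl enc -aes-256-cbc -salt -pbkdf2 -in "$BACKUP_FILE" -out "$ENCRYPTED_FILE" -pass "file:${KEY_FILE}"
rm -f "$BACKUP_FILE"
find "$BACKUP_DIR" -name "*.enc" -mtime +30 -delete
echo "✅ Backup: $ENCRYPTED_FILE"
BACKUPEOF
  chmod 700 "$backup_script"
  # Add the cron entry only once (the old code appended a new line per run).
  local cron_line="0 2 * * * ${backup_script} >> ${LOG_DIR}/backup.log 2>&1"
  local current
  current=$(crontab -l 2>/dev/null || true)
  if ! grep -qF -- "$backup_script" <<<"$current"; then
    {
      if [[ -n "$current" ]]; then printf '%s\n' "$current"; fi
      printf '%s\n' "$cron_line"
    } | crontab -
  fi
  success "✓ النسخ الاحتياطي مجدول"
  # The key lives on the same host as the archives; its only protection there
  # is file mode, hence the advice to copy it off-host and delete it.
  warning "🔑 مفتاح التشفير محفوظ في: /root/BACKUP_DECRYPTION_KEY.txt (قم بتنزيله واحذفه!)"
}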
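#######################################
# Install a Telegram notifier and send an install-complete test message.
# Globals:   TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID (read)
# Outputs:   /usr/local/bin/fortress/telegram_notify.sh (mode 700: it embeds
#            the bot token, which the old chmod +x left world-readable)
# Returns:   0 (also when no token is configured)
#######################################
setup_telegram_alerts() {
  if [[ -z "$TELEGRAM_BOT_TOKEN" ]]; then return 0; fi
  log "\n📱 إعداد تنبيهات Telegram..."
  if [[ -z "$TELEGRAM_CHAT_ID" ]]; then
    warning "TELEGRAM_CHAT_ID is empty; alerts cannot be delivered"
  fi
  local notify=/usr/local/bin/fortress/telegram_notify.sh
  # Only setup_auto_backup creates this directory, and it may be disabled.
  mkdir -p /usr/local/bin/fortress
  # umask 077: never let the token-bearing file exist world-readable, even
  # briefly before the chmod below. Unquoted delimiter on purpose: the token
  # and chat id are baked in; run-time values are escaped with \$.
  (umask 077; cat > "$notify" <<TELEGRAMEOF
#!/bin/bash
# Sends one alert to the configured Telegram chat. Argument: message text.
TELEGRAM_BOT_TOKEN="$TELEGRAM_BOT_TOKEN"
TELEGRAM_CHAT_ID="$TELEGRAM_CHAT_ID"
MESSAGE=\${1:-}
# --data-urlencode: a message containing &, % or + would otherwise corrupt the
# form body. -fsS: fail on HTTP errors but still print them on stderr.
curl -fsS --max-time 15 -X POST "https://api.telegram.org/bot\${TELEGRAM_BOT_TOKEN}/sendMessage" \\
  --data-urlencode "chat_id=\${TELEGRAM_CHAT_ID}" \\
  --data-urlencode "text=🛡️ ALERT: \$MESSAGE" > /dev/null
TELEGRAMEOF
  )
  chmod 700 "$notify"
  if ! "$notify" "TRIPZ FORTRESS v9.0 Installed Successfully"; then
    warning "Telegram test message failed; check the bot token and chat id"
  fi
  success "✓ تنبيهات Telegram جاهزة"
}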
# ════════════════════════════════════════════════════════════════
# 🎯 MAIN EXECUTION
# ════════════════════════════════════════════════════════════════
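#######################################
# Write the operator hand-over sheet (access steps, key location).
# Globals:   ADMIN_USER, SSH_PORT, SERVER_IP, KNOCK_PORT_1..3,
#            ENABLE_PORT_KNOCKING (read)
# Outputs:   /root/FORTRESS_INFO.txt (mode 600)
# Returns:   0
#######################################
generate_info_file() {
  log "\n📝 إنشاء ملف المعلومات..."
  local info_file=/root/FORTRESS_INFO.txt
  # Show the knock step only when knockd is actually configured; otherwise the
  # sheet told the operator to knock ports nothing listens for.
  local knock_step="(Port Knocking disabled - connect directly)"
  if [[ "$ENABLE_PORT_KNOCKING" == "true" ]]; then
    knock_step="knock $SERVER_IP $KNOCK_PORT_1 $KNOCK_PORT_2 $KNOCK_PORT_3"
  fi
  # umask first: the file holds the knock sequence, so it must not exist
  # world-readable even briefly before the chmod.
  (umask 077; cat > "$info_file" <<INFOEOF
════════════════════════════════════════════════════════
🛡️ TRIPZ FORTRESS v9.0 - Server Information
════════════════════════════════════════════════════════
تاريخ التثبيت: $(date '+%Y-%m-%d %H:%M:%S')
السيرفر: $(hostname)
المستخدم الإداري: $ADMIN_USER
منفذ SSH: $SSH_PORT
🔐 الوصول (Port Knocking):
1. $knock_step
2. ssh -p $SSH_PORT $ADMIN_USER@$SERVER_IP
🔑 النسخ الاحتياطي:
مفتاح فك التشفير: /root/BACKUP_DECRYPTION_KEY.txt
⚠️ هام: تم تفعيل Safety Net. تأكد من الاتصال بنجاح!
════════════════════════════════════════════════════════
INFOEOF
  )
  chmod 600 "$info_file"
}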
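#######################################
# Run every stage in order, then verify sshd before disarming the safety net.
# Globals:   SSH_PORT, SERVER_IP, ADMIN_USER, KNOCK_PORT_1..3,
#            ENABLE_PORT_KNOCKING (read)
# Arguments: none used
# Returns:   0; a failed final check leaves the safety net armed and is
#            reported via error() without cutting the hints short
#######################################
main() {
  # Without a terminal (e.g. piped through ssh) clear exits non-zero, which
  # set -e would turn into an abort before anything ran.
  clear 2>/dev/null || true
  log "🚀 TRIPZ FORTRESS v9.0 - Starting Installation..."
  preflight_checks
  system_preparation
  create_admin_user
  setup_safety_net # armed before the first change that can drop the session
  harden_ssh
  configure_firewall
  setup_fail2ban
  setup_port_knocking
  setup_honeypot
  setup_fake_services
  optimize_system
  setup_auto_backup
  setup_telegram_alerts
  generate_info_file
  log "\n🧪 التحقق النهائي..."
  # Require both: the unit is up AND something listens on the new port. A
  # reload that silently kept the old port would otherwise look healthy.
  # (The listing is captured first so a closed grep pipe cannot trip pipefail.)
  local listening
  listening=$(ss -ltn 2>/dev/null || true)
  if systemctl is-active --quiet sshd && [[ "$listening" == *":${SSH_PORT} "* ]]; then
    remove_safety_net # disarm only once the new configuration is serving
    success "🎉 اكتمل التثبيت بنجاح!"
  else
    # error() returns 1; without || true, set -e would skip the hints below.
    error "فشل في خدمة SSH - تم الإبقاء على Safety Net لاستعادة الوصول بعد 15 دقيقة." || true
  fi
  echo ""
  warning "⚠️ لا تغلق هذه الجلسة! افتح نافذة جديدة واختبر الاتصال:"
  if [[ "$ENABLE_PORT_KNOCKING" == "true" ]]; then
    echo "knock $SERVER_IP $KNOCK_PORT_1 $KNOCK_PORT_2 $KNOCK_PORT_3"
  fi
  echo "ssh -p $SSH_PORT $ADMIN_USER@$SERVER_IP"
}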
main "$@" # entry point; the arguments are forwarded but main() reads none of them