#!/bin/bash
# ════════════════════════════════════════════════════════════════
# 🛡️ TRIPZ FORTRESS v8.2 - PRODUCTION-SAFE DYNAMIC GENERATOR
# ════════════════════════════════════════════════════════════════
# الإصدار: 8.2
# التاريخ: 2025-02-05
# المطوّر: TRIPZ TEAM
# الترخيص: Proprietary
# ════════════════════════════════════════════════════════════════
# Strict mode: abort on error (errexit), on unset variables (nounset) and on a
# failing stage anywhere in a pipeline (pipefail).
set -o errexit -o nounset -o pipefail
# Word-split only on newline and tab, never on spaces inside values
IFS=$'\n\t'
# ════════════════════════════════════════════════════════════════
# ⚙️ CONFIGURATION SECTION - يتم ملؤها ديناميكياً
# ════════════════════════════════════════════════════════════════
# معلومات السيرفر (REQUIRED)
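# Server information (REQUIRED; supplied through the environment)
SERVER_IP="${SERVER_IP:-}"
ADMIN_USER="${ADMIN_USER:-tripzadmin}"
SSH_PORT="${SSH_PORT:-2200}"
SSH_PUBLIC_KEY="${SSH_PUBLIC_KEY:-}"
# Port-knocking sequence: three *distinct* random ports in 7000-9000.
# A single `shuf -n 3` cannot repeat a value; one independent draw per
# variable could, and a repeated port shortens the effective sequence.
# A KNOCK_PORT_n already set in the environment is kept as given (it is not
# checked against the generated ones).
_knock_pool=()
mapfile -t _knock_pool < <(shuf -i 7000-9000 -n 3)
KNOCK_PORT_1="${KNOCK_PORT_1:-${_knock_pool[0]:-}}"
KNOCK_PORT_2="${KNOCK_PORT_2:-${_knock_pool[1]:-}}"
KNOCK_PORT_3="${KNOCK_PORT_3:-${_knock_pool[2]:-}}"
unset _knock_pool
# Telegram integration (OPTIONAL; both values must be set to enable alerts)
TELEGRAM_BOT_TOKEN="${TELEGRAM_BOT_TOKEN:-}"
TELEGRAM_CHAT_ID="${TELEGRAM_CHAT_ID:-}"
# Security feature toggles: the literal string "true" enables a feature
ENABLE_HONEYPOT="${ENABLE_HONEYPOT:-true}"
ENABLE_FAKE_SERVICES="${ENABLE_FAKE_SERVICES:-true}"
ENABLE_PORT_KNOCKING="${ENABLE_PORT_KNOCKING:-true}"
# NOTE(review): in this file ENABLE_WIREGUARD only opens 51820/udp in
# configure_firewall(); no WireGuard installation step is present here.
ENABLE_WIREGUARD="${ENABLE_WIREGUARD:-false}"
ENABLE_FAIL2BAN="${ENABLE_FAIL2BAN:-true}"
ENABLE_AUTO_BACKUP="${ENABLE_AUTO_BACKUP:-true}"
# WireGuard addressing (only meaningful when ENABLE_WIREGUARD=true)
VPN_NETWORK="${VPN_NETWORK:-10.8.0.0/24}"
VPN_SERVER_IP="${VPN_SERVER_IP:-10.8.0.1}"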
# ════════════════════════════════════════════════════════════════
# 🎨 COLORS & STYLING
# ════════════════════════════════════════════════════════════════
# ANSI colour escapes, stored as the literal text "\033[...": every consumer
# prints them through `echo -e`, which is what turns them into real escapes.
declare RED='\033[0;31m'
declare GREEN='\033[0;32m'
declare YELLOW='\033[1;33m'
declare BLUE='\033[0;34m'
declare PURPLE='\033[0;35m'
declare CYAN='\033[0;36m'
declare NC='\033[0m' # reset to the terminal default
declare BOLD='\033[1m'
# ════════════════════════════════════════════════════════════════
# 📝 LOGGING FUNCTIONS
# ════════════════════════════════════════════════════════════════
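LOG_DIR="/var/log/fortress"
# The logging helpers `tee -a` into $LOG_FILE from the very first message,
# which is emitted before preflight_checks() creates $LOG_DIR. Under
# `set -eo pipefail` a tee that cannot open its file fails the pipeline and
# the script dies on its first log line, so the directory is created here.
# When it cannot be created (typically: not running as root, which
# preflight_checks() will refuse anyway) fall back to a private temp
# directory so the refusal itself is still logged.
if ! mkdir -p -- "$LOG_DIR" 2>/dev/null; then
  LOG_DIR="$(mktemp -d "${TMPDIR:-/tmp}/fortress_log.XXXXXX")"
fi
LOG_FILE="${LOG_DIR}/install_$(date +%Y%m%d_%H%M%S).log"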
#######################################
# Timestamped log line, shown on stdout and appended to $LOG_FILE.
# Globals: BLUE, NC, LOG_FILE (read)
# Arguments: message words (joined with spaces; `\n` etc. are interpreted)
#######################################
log() {
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '%b\n' "${BLUE}[${stamp}]${NC} $*" | tee -a "$LOG_FILE"
}
#######################################
# Informational line (cyan, preceded by one space), also appended to $LOG_FILE.
# Globals: CYAN, NC, LOG_FILE (read)
#######################################
info() {
  local text="${CYAN} $*${NC}"
  printf '%b\n' "$text" | tee -a "$LOG_FILE"
}
#######################################
# Success line (green), also appended to $LOG_FILE.
# Globals: GREEN, NC, LOG_FILE (read)
#######################################
success() {
  local text="${GREEN}$*${NC}"
  printf '%b\n' "$text" | tee -a "$LOG_FILE"
}
#######################################
# Warning line (yellow, prefixed with a warning sign), also appended to $LOG_FILE.
# Globals: YELLOW, NC, LOG_FILE (read)
#######################################
warning() {
  local text="${YELLOW}⚠️ $*${NC}"
  printf '%b\n' "$text" | tee -a "$LOG_FILE"
}
#######################################
# Error line (red, "ERROR:" prefix), also appended to $LOG_FILE.
# Globals: RED, NC, LOG_FILE (read)
# Returns: 1 always — under `set -e` a bare `error "..."` therefore ends the
#          script; append `|| true` where the caller intends to carry on.
#######################################
error() {
  local text="${RED}❌ ERROR: $*${NC}"
  printf '%b\n' "$text" | tee -a "$LOG_FILE"
  return 1
}
# ════════════════════════════════════════════════════════════════
# 🔍 PRE-FLIGHT CHECKS
# ════════════════════════════════════════════════════════════════
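#######################################
# Returns 0 when $1 is a dotted-quad IPv4 address whose four octets are all
# in 0-255 (the regex on its own also accepts e.g. 999.1.1.1).
# Arguments: $1 - candidate address
#######################################
_is_valid_ipv4() {
  local candidate=$1 octet
  [[ $candidate =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] || return 1
  local IFS=.
  for octet in $candidate; do
    # 10# forces decimal so a leading zero is not read as octal
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}
#######################################
# Pre-flight checks: root, network, required configuration, then a snapshot
# of /etc/ssh before anything is modified.
# Globals:  EUID, SERVER_IP, SSH_PUBLIC_KEY, LOG_DIR (read)
# Exits:    1 on any failed check (error() returns 1, `|| exit 1` makes the
#           exit explicit rather than relying on `set -e`)
#######################################
preflight_checks() {
  log "\n🔍 تشغيل الفحوصات الأولية..."
  # 1. must be root
  if (( EUID != 0 )); then
    error "يجب تشغيل هذا السكريبت كـ root أو باستخدام sudo" || exit 1
  fi
  # 2. distribution (later steps use apt-get, so a Debian family is expected)
  if ! [ -f /etc/debian_version ] && ! [ -f /etc/redhat-release ]; then
    warning "نظام غير مدعوم رسمياً - قد تحدث مشاكل"
  fi
  # 3. connectivity via ICMP to 8.8.8.8 — networks that drop ICMP fail here
  if ! ping -c 2 8.8.8.8 &>/dev/null; then
    error "لا يوجد اتصال بالإنترنت" || exit 1
  fi
  # 4. required configuration
  local var
  for var in SERVER_IP SSH_PUBLIC_KEY; do
    if [ -z "${!var:-}" ]; then
      error "المتغير $var مطلوب ولكنه فارغ!" || exit 1
    fi
  done
  # 5. server address must be a valid IPv4 (octet range checked, not just shape)
  if ! _is_valid_ipv4 "$SERVER_IP"; then
    error "عنوان IP غير صالح: $SERVER_IP" || exit 1
  fi
  # 6. public key must carry a recognised key-type prefix
  if ! [[ $SSH_PUBLIC_KEY =~ ^(ssh-rsa|ssh-ed25519|ecdsa-sha2) ]]; then
    error "تنسيق SSH Key غير صالح" || exit 1
  fi
  # 7. log directory
  mkdir -p "$LOG_DIR"
  # 8. snapshot of /etc/ssh (best effort — the copy failing is not fatal)
  log "إنشاء نسخة احتياطية للملفات الحساسة..."
  local backup_dir
  backup_dir="/root/backup_before_fortress_$(date +%Y%m%d)"
  mkdir -p "$backup_dir"
  cp -r /etc/ssh "$backup_dir"/ 2>/dev/null || true
  success "✓ الفحوصات الأولية مكتملة"
}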
# ════════════════════════════════════════════════════════════════
# 📦 SYSTEM PREPARATION
# ════════════════════════════════════════════════════════════════
#######################################
# Refreshes the apt index and installs the base tool set the later steps rely
# on (ufw, fail2ban, knockd, openssl, netcat-openbsd, ...).
# Globals: DEBIAN_FRONTEND (exported)
#######################################
system_preparation() {
  log "\n📦 تحضير النظام..."
  info "تحديث قوائم الحزم..."
  # Never block on debconf prompts during an unattended install
  export DEBIAN_FRONTEND=noninteractive
  apt-get update -qq
  info "تثبيت الأدوات الأساسية..."
  local -a base_packages=(
    curl wget git ufw fail2ban openssh-server sudo htop
    net-tools knockd openssl cron bc jq netcat-openbsd
  )
  apt-get install -y -qq "${base_packages[@]}"
  success "✓ تحضير النظام مكتمل"
}
# ════════════════════════════════════════════════════════════════
# 👤 USER MANAGEMENT
# ════════════════════════════════════════════════════════════════
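#######################################
# Creates (or refreshes) the key-only admin account and its passwordless sudo
# entry.
# Globals: ADMIN_USER, SSH_PUBLIC_KEY (read)
# Exits:   1 when the generated sudoers fragment does not pass visudo
#######################################
create_admin_user() {
  log "\n👤 إنشاء المستخدم الإداري..."
  if id "$ADMIN_USER" &>/dev/null; then
    warning "المستخدم $ADMIN_USER موجود بالفعل - سيتم تحديثه"
  else
    info "إنشاء المستخدم $ADMIN_USER..."
    # "sudo" is the Debian/Ubuntu admin group (RHEL-family would use wheel)
    useradd -m -s /bin/bash -G sudo "$ADMIN_USER"
  fi
  # Lock the password: only the key installed below can open a session
  passwd -l "$ADMIN_USER"
  # Resolve the real home directory instead of assuming /home/$ADMIN_USER
  local home_dir
  home_dir=$(getent passwd "$ADMIN_USER" | cut -d: -f6)
  if [ -z "$home_dir" ]; then
    error "cannot determine home directory of $ADMIN_USER" || exit 1
  fi
  local ssh_dir="$home_dir/.ssh"
  mkdir -p "$ssh_dir"
  printf '%s\n' "$SSH_PUBLIC_KEY" > "$ssh_dir/authorized_keys"
  chmod 700 "$ssh_dir"
  chmod 600 "$ssh_dir/authorized_keys"
  chown -R "$ADMIN_USER:$ADMIN_USER" "$ssh_dir"
  # sudo skips files under sudoers.d whose name contains '.' or '~'; map those
  # characters so the fragment is never silently ignored.
  local sudoers_name=${ADMIN_USER//[.~]/_}
  # Validate in a scratch file first: writing straight into /etc/sudoers.d and
  # only then running `visudo -c` would leave a broken fragment in place on error.
  local sudoers_tmp
  sudoers_tmp=$(mktemp)
  cat > "$sudoers_tmp" <<EOF
# TRIPZ FORTRESS - Admin User
$ADMIN_USER ALL=(ALL) NOPASSWD:ALL
EOF
  chmod 440 "$sudoers_tmp"
  if ! visudo -cf "$sudoers_tmp"; then
    rm -f -- "$sudoers_tmp"
    error "خطأ في ملف sudoers!" || exit 1
  fi
  install -m 440 -o root -g root "$sudoers_tmp" /etc/sudoers.d/"$sudoers_name"
  rm -f -- "$sudoers_tmp"
  success "✓ المستخدم $ADMIN_USER جاهز"
}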
# ════════════════════════════════════════════════════════════════
# 🔐 SSH HARDENING
# ════════════════════════════════════════════════════════════════
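#######################################
# Replaces /etc/ssh/sshd_config with a key-only, admin-only configuration on
# $SSH_PORT, validates it with `sshd -t` and reloads the daemon.
# Globals: SSH_PORT, ADMIN_USER (read)
# Exits:   1 on an invalid config — after restoring the previous file.
#######################################
harden_ssh() {
  log "\n🔐 تأمين SSH..."
  # Timestamp to the second so a re-run on the same day cannot overwrite the
  # backup of the *original* config with an already-hardened one.
  local backup
  backup="/etc/ssh/sshd_config.backup.$(date +%Y%m%d_%H%M%S)"
  cp /etc/ssh/sshd_config "$backup"
  # Whole-file replacement: any Include'd drop-ins of the distribution
  # default config no longer apply.
  cat > /etc/ssh/sshd_config <<SSHEOF
# ════════════════════════════════════════
# TRIPZ FORTRESS v8.2 - SSH Configuration
# ════════════════════════════════════════
# الأساسيات
Port $SSH_PORT
Protocol 2
AddressFamily inet
ListenAddress 0.0.0.0
# المصادقة
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
# تعطيل root login
PermitRootLogin no
# المستخدمون المسموح لهم
AllowUsers $ADMIN_USER
# الأمان
X11Forwarding no
PermitUserEnvironment no
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
GatewayPorts no
# الجلسات
MaxAuthTries 3
MaxSessions 2
ClientAliveInterval 300
ClientAliveCountMax 2
LoginGraceTime 30
# التشفير القوي (Modern Algorithms)
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
# السجلات
SyslogFacility AUTH
LogLevel VERBOSE
# Banner
Banner /etc/ssh/banner.txt
SSHEOF
  cat > /etc/ssh/banner.txt <<'BANNEREOF'
════════════════════════════════════════════════════════
⚠️ AUTHORIZED ACCESS ONLY ⚠️
This system is protected by TRIPZ FORTRESS v8.2
All connections are monitored and logged.
Unauthorized access attempts will be prosecuted.
🛡️ Protected by 9-Layer Security System
════════════════════════════════════════════════════════
BANNEREOF
  info "اختبار تكوين SSH..."
  if ! sshd -t; then
    # Restore FIRST: error() returns 1 and `set -e` then ends the script, so
    # an error() call placed before the cp would never reach the restore.
    cp "$backup" /etc/ssh/sshd_config
    error "تكوين SSH غير صالح!" || exit 1
  fi
  # Reload (not restart) so the current session survives. Debian names the
  # unit ssh.service with sshd as an alias; try both.
  systemctl reload sshd 2>/dev/null || systemctl reload ssh
  success "✓ SSH محمي (Port: $SSH_PORT)"
}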
# ════════════════════════════════════════════════════════════════
# 🔥 FIREWALL CONFIGURATION
# ════════════════════════════════════════════════════════════════
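#######################################
# Default-deny UFW policy with the web, honeypot/trap and (optionally) direct
# SSH and WireGuard ports opened, then enables the firewall.
# Globals: ENABLE_PORT_KNOCKING, ENABLE_WIREGUARD, ENABLE_HONEYPOT,
#          ENABLE_FAKE_SERVICES, SSH_PORT (read)
#######################################
configure_firewall() {
  log "\n🔥 تكوين جدار الحماية..."
  ufw default deny incoming
  ufw default allow outgoing
  info "السماح بـ HTTP/HTTPS..."
  ufw allow 80/tcp comment 'HTTP'
  ufw allow 443/tcp comment 'HTTPS'
  # SSH is either knock-gated (knockd adds per-source rules) or opened directly
  if [ "$ENABLE_PORT_KNOCKING" == "true" ]; then
    info "Port Knocking مفعّل - SSH سيُفتح عبر الطرق فقط"
  else
    ufw allow "$SSH_PORT/tcp" comment 'SSH Direct Access'
  fi
  if [ "$ENABLE_WIREGUARD" == "true" ]; then
    ufw allow 51820/udp comment 'WireGuard VPN'
  fi
  # Port 22 is reserved for the tarpit; real SSH listens on $SSH_PORT
  if [ "$ENABLE_HONEYPOT" == "true" ]; then
    ufw allow 22/tcp comment 'Endlessh Honeypot'
  fi
  if [ "$ENABLE_FAKE_SERVICES" == "true" ]; then
    ufw allow 3306/tcp comment 'Fake MySQL Trap'
  fi
  info "تفعيل جدار الحماية..."
  # --force is ufw's own non-interactive switch for the "may disrupt existing
  # ssh connections" prompt, instead of piping "y" into it.
  ufw --force enable
  # Capture first and truncate with a here-string: `ufw status | head` lets
  # head close the pipe early, and with pipefail the resulting SIGPIPE would
  # abort the installer.
  local status
  status=$(ufw status verbose)
  head -n 20 <<<"$status"
  success "✓ جدار الحماية نشط"
}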
# ════════════════════════════════════════════════════════════════
# 🚫 FAIL2BAN SETUP
# ════════════════════════════════════════════════════════════════
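#######################################
# Writes /etc/fail2ban/jail.local (two progressive sshd jails, nginx jails
# only when nginx logs exist) and (re)starts fail2ban.
# Globals: ENABLE_FAIL2BAN, SSH_PORT (read)
# Returns: 0 (a fail2ban that does not come up is reported, not fatal)
#######################################
setup_fail2ban() {
  if [ "$ENABLE_FAIL2BAN" != "true" ]; then
    warning "Fail2Ban معطّل - تخطي..."
    return 0
  fi
  log "\n🚫 تكوين Fail2Ban..."
  # Hosts without rsyslog have no /var/log/auth.log; a jail whose logpath is
  # missing stops fail2ban from starting. Read the journal in that case.
  local sshd_backend=auto
  [ -r /var/log/auth.log ] || sshd_backend=systemd
  # NOTE(review): action_mwl mails a report with whois/log lines — it needs a
  # working MTA and whois, neither of which this script installs.
  cat > /etc/fail2ban/jail.local <<F2BEOF
[DEFAULT]
# الإعدادات العامة
bantime = 3600
findtime = 600
maxretry = 3
destemail = root@localhost
sendername = TRIPZ-FORTRESS
action = %(action_mwl)s
# Whitelist
ignoreip = 127.0.0.1/8 ::1
# ══════════════════════════════════════
# SSH Protection (Progressive)
# ══════════════════════════════════════
[sshd]
enabled = true
port = $SSH_PORT
filter = sshd
backend = $sshd_backend
logpath = /var/log/auth.log
maxretry = 3
bantime = 7200
findtime = 600
[sshd-aggressive]
enabled = true
port = $SSH_PORT
filter = sshd
backend = $sshd_backend
logpath = /var/log/auth.log
maxretry = 2
bantime = 86400
findtime = 300
F2BEOF
  # This script installs no nginx; only add its jails when the log directory
  # exists, otherwise their missing logpath keeps fail2ban from starting.
  if [ -d /var/log/nginx ]; then
    cat >> /etc/fail2ban/jail.local <<F2BEOF
# ══════════════════════════════════════
# Nginx Protection
# ══════════════════════════════════════
[nginx-http-auth]
enabled = true
port = 80,443
logpath = /var/log/nginx/error.log
[nginx-noscript]
enabled = true
port = 80,443
logpath = /var/log/nginx/access.log
[nginx-badbots]
enabled = true
port = 80,443
logpath = /var/log/nginx/access.log
F2BEOF
  fi
  systemctl enable fail2ban
  systemctl restart fail2ban
  # Give the server a moment to parse the jails before asking for its state
  sleep 2
  if systemctl is-active --quiet fail2ban; then
    success "✓ Fail2Ban نشط"
  else
    warning "Fail2Ban لم يبدأ - راجع السجلات"
  fi
}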
# ════════════════════════════════════════════════════════════════
# 🚪 PORT KNOCKING
# ════════════════════════════════════════════════════════════════
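#######################################
# Configures knockd so that the knock sequence opens/closes $SSH_PORT for the
# knocking source address. If knockd fails to start, the port is opened
# directly instead of leaving the host unreachable.
# Globals: ENABLE_PORT_KNOCKING, KNOCK_PORT_1..3, SSH_PORT (read)
#######################################
setup_port_knocking() {
  if [ "$ENABLE_PORT_KNOCKING" != "true" ]; then
    warning "Port Knocking معطّل - تخطي..."
    return 0
  fi
  log "\n🚪 إعداد Port Knocking..."
  info "تسلسل الطرق: $KNOCK_PORT_1, $KNOCK_PORT_2, $KNOCK_PORT_3"
  cat > /etc/knockd.conf <<KNOCKEOF
[options]
UseSyslog
LogFile = /var/log/knockd.log
[openSSH]
sequence = $KNOCK_PORT_1,$KNOCK_PORT_2,$KNOCK_PORT_3
seq_timeout = 15
command = /usr/sbin/ufw allow from %IP% to any port $SSH_PORT proto tcp
tcpflags = syn
[closeSSH]
sequence = $KNOCK_PORT_3,$KNOCK_PORT_2,$KNOCK_PORT_1
seq_timeout = 15
command = /usr/sbin/ufw delete allow from %IP% to any port $SSH_PORT proto tcp
tcpflags = syn
KNOCKEOF
  # The sequence is a secret; knockd runs as root, nobody else needs to read it
  chmod 600 /etc/knockd.conf
  sed -i 's/START_KNOCKD=0/START_KNOCKD=1/' /etc/default/knockd
  # knockd listens on eth0 unless told otherwise and exits at start-up when
  # that interface does not exist. Point it at the default-route interface.
  local iface
  iface=$(ip route show default 2>/dev/null \
    | awk '{for (i = 1; i <= NF; i++) if ($i == "dev") {print $(i + 1); exit}}') || true
  if [ -n "$iface" ]; then
    if grep -q '^#\?KNOCKD_OPTS=' /etc/default/knockd; then
      sed -i "s|^#\?KNOCKD_OPTS=.*|KNOCKD_OPTS=\"-i $iface\"|" /etc/default/knockd
    else
      printf 'KNOCKD_OPTS="-i %s"\n' "$iface" >> /etc/default/knockd
    fi
  fi
  systemctl enable knockd
  systemctl restart knockd
  if systemctl is-active --quiet knockd; then
    success "✓ Port Knocking نشط"
  else
    # Fail-safe: configure_firewall() already hid $SSH_PORT behind the knock
    # sequence, so aborting here would leave no way into the host once the
    # current session ends. Open the port directly and say so loudly.
    warning "knockd failed to start - opening SSH port $SSH_PORT directly instead"
    ufw allow "$SSH_PORT/tcp" comment 'SSH Direct Access (knockd failed)'
  fi
}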
# ════════════════════════════════════════════════════════════════
# 🎣 HONEYPOT (Endlessh)
# ════════════════════════════════════════════════════════════════
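#######################################
# Builds and installs the Endlessh SSH tarpit on port 22 as a systemd unit
# running as "nobody".
# Globals: ENABLE_HONEYPOT (read)
#######################################
setup_honeypot() {
  if [ "$ENABLE_HONEYPOT" != "true" ]; then
    warning "Honeypot معطّل - تخطي..."
    return 0
  fi
  log "\n🎣 إعداد Honeypot (Endlessh)..."
  # Built from source, but make/gcc are not in system_preparation()'s package
  # list — install them when missing instead of dying on `make`.
  if ! command -v make >/dev/null || ! command -v cc >/dev/null; then
    info "Installing build tools (build-essential)..."
    apt-get install -y -qq build-essential
  fi
  # Subshell: the cd must not change the working directory of the installer
  (
    cd /opt || exit 1
    if [ ! -d endlessh ]; then
      # TODO(review): pin a release tag or commit (e.g. `--branch <TAG>`) so
      # the tarpit binary is reproducible rather than "whatever is current".
      git clone --depth=1 https://github.com/skeeto/endlessh
    fi
    cd endlessh || exit 1
    make
    install -m 755 endlessh /usr/local/bin/endlessh
  )
  mkdir -p /etc/endlessh
  cat > /etc/endlessh/config <<'ENDLESSHEOF'
Port 22
Delay 10000
MaxLineLength 32
MaxClients 4096
LogLevel 1
ENDLESSHEOF
  cat > /etc/systemd/system/endlessh.service <<'SERVICEEOF'
[Unit]
Description=Endlessh SSH Tarpit
After=network.target
[Service]
Type=simple
User=nobody
ExecStart=/usr/local/bin/endlessh -c /etc/endlessh/config
Restart=always
# Port 22 is privileged: an unprivileged user needs this capability to bind it
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
SERVICEEOF
  systemctl daemon-reload
  systemctl enable endlessh
  systemctl start endlessh
  success "✓ Endlessh Honeypot نشط (Port 22)"
}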
# ════════════════════════════════════════════════════════════════
# 🎭 FAKE SERVICES
# ════════════════════════════════════════════════════════════════
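#######################################
# Installs a listener on TCP/3306 that records whatever clients send, run as
# "nobody" by systemd.
# Globals: ENABLE_FAKE_SERVICES (read)
#######################################
setup_fake_services() {
  if [ "$ENABLE_FAKE_SERVICES" != "true" ]; then
    warning "Fake Services معطّل - تخطي..."
    return 0
  fi
  log "\n🎭 إعداد Fake MySQL..."
  # The unit runs as "nobody", which can neither create /var/log/fortress nor
  # a file inside it; pre-create the log with that owner so probes are
  # actually recorded instead of every write failing.
  local probe_log=/var/log/fortress/fake-mysql.log
  mkdir -p /var/log/fortress
  touch "$probe_log"
  chown nobody "$probe_log"
  chmod 640 "$probe_log"
  cat > /usr/local/bin/fake-mysql.sh <<'FAKEMYSQLEOF'
#!/bin/bash
# TRIPZ FORTRESS - records anything sent to TCP/3306 (runs as "nobody").
LOG_FILE="/var/log/fortress/fake-mysql.log"
PORT=3306
while true; do
# NOTE(review): "-l -p PORT -k" is the Debian netcat-openbsd form; confirm on other nc builds.
nc -l -p "$PORT" -k 2>&1 | while IFS= read -r line; do
echo "$(date '+%Y-%m-%d %H:%M:%S') - MySQL probe: ${line:0:100}" >> "$LOG_FILE"
# NOTE(review): this banner is written to the service's stdout (the journal),
# not to the client — nothing here feeds data back into the nc socket.
echo -e "\x4a\x00\x00\x00\x0a\x35\x2e\x37\x2e\x33\x33"
sleep 2
done
done
FAKEMYSQLEOF
  chmod +x /usr/local/bin/fake-mysql.sh
  cat > /etc/systemd/system/fake-mysql.service <<'EOF'
[Unit]
Description=Fake MySQL Honeypot
After=network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/fake-mysql.sh
Restart=always
User=nobody
[Install]
WantedBy=multi-user.target
EOF
  systemctl daemon-reload
  systemctl enable fake-mysql
  systemctl start fake-mysql
  success "✓ Fake MySQL نشط (Port 3306)"
}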
# ════════════════════════════════════════════════════════════════
# ⚡ SYSTEM OPTIMIZATION
# ════════════════════════════════════════════════════════════════
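#######################################
# Installs the kernel hardening / TCP tuning sysctl set as a drop-in and
# loads it.
#######################################
optimize_system() {
  log "\n⚡ تحسينات النظام..."
  # A dedicated drop-in instead of `>> /etc/sysctl.conf`: re-running the
  # installer overwrites one file rather than stacking duplicate blocks.
  local sysctl_file=/etc/sysctl.d/99-tripz-fortress.conf
  cat > "$sysctl_file" <<'SYSCTLEOF'
# ════════════════════════════════════════
# TRIPZ FORTRESS v8.2 - Kernel Hardening
# ════════════════════════════════════════
# SYN flood protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
# TCP hardening
net.ipv4.tcp_rfc1337 = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# IP spoofing protection
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# ICMP protection
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Performance
net.core.netdev_max_backlog = 2048
net.core.somaxconn = 1024
# TCP BBR
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
# Security
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
SYSCTLEOF
  # --system loads every drop-in (ours included); keys the running kernel
  # does not support (e.g. bbr without its module) are reported as a warning
  sysctl --system || warning "بعض إعدادات sysctl غير مدعومة"
  success "✓ تحسينات النظام مطبّقة"
}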
# ════════════════════════════════════════════════════════════════
# 💾 AUTO BACKUP SYSTEM
# ════════════════════════════════════════════════════════════════
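#######################################
# Installs a daily encrypted backup of the security configuration.
# The encryption key is a random value generated once and kept root-only in
# /root/.fortress_backup.key — the previous scheme derived the password from
# hostname + year (guessable) and printed it into the log on every run.
# Globals: ENABLE_AUTO_BACKUP, LOG_DIR (read)
#######################################
setup_auto_backup() {
  if [ "$ENABLE_AUTO_BACKUP" != "true" ]; then
    warning "Auto Backup معطّل - تخطي..."
    return 0
  fi
  log "\n💾 إعداد النسخ الاحتياطي التلقائي..."
  mkdir -p /usr/local/bin/fortress
  mkdir -p /backup/fortress
  chmod 700 /backup/fortress
  # One-time key; never regenerated so older archives stay decryptable
  local key_file=/root/.fortress_backup.key
  if [ ! -s "$key_file" ]; then
    (umask 077; openssl rand -hex 32 > "$key_file")
  fi
  chmod 600 "$key_file"
  cat > /usr/local/bin/fortress/backup.sh <<'BACKUPEOF'
#!/bin/bash
# TRIPZ FORTRESS - encrypted configuration backup (run daily from root's crontab)
set -euo pipefail
BACKUP_DIR="/backup/fortress"
KEY_FILE="/root/.fortress_backup.key"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
BACKUP_FILE="${BACKUP_DIR}/fortress_${TIMESTAMP}.tar.gz"
ENCRYPTED_FILE="${BACKUP_FILE}.enc"
RETENTION_DAYS=30
# Unpredictable staging directory instead of a fixed name under /tmp
TEMP_DIR=$(mktemp -d /tmp/fortress_backup.XXXXXX)
# Plaintext archive and staging dir are removed on every exit path
trap 'rm -rf -- "$TEMP_DIR" "$BACKUP_FILE"' EXIT
mkdir -p "$BACKUP_DIR"
for src in /etc/ssh /etc/fail2ban /etc/ufw /etc/knockd.conf; do
[ -e "$src" ] && cp -r -- "$src" "$TEMP_DIR/"
done
tar -czf "$BACKUP_FILE" -C "${TEMP_DIR%/*}" "${TEMP_DIR##*/}"
# AES-256-CBC; the key is read from a root-only file so it never appears on a
# command line (and therefore never in `ps` or shell history)
openssl enc -aes-256-cbc -salt -pbkdf2 -in "$BACKUP_FILE" -out "$ENCRYPTED_FILE" -pass file:"$KEY_FILE"
chmod 600 "$ENCRYPTED_FILE"
find "$BACKUP_DIR" -name "fortress_*.tar.gz.enc" -mtime +"$RETENTION_DAYS" -delete
echo "✅ نسخة احتياطية: $ENCRYPTED_FILE"
echo "🔑 Decryption key file: $KEY_FILE"
BACKUPEOF
  chmod 700 /usr/local/bin/fortress/backup.sh
  # Schedule daily at 02:00; add the entry only once so re-runs do not stack it
  local cron_line="0 2 * * * /usr/local/bin/fortress/backup.sh >> ${LOG_DIR}/backup.log 2>&1"
  if ! crontab -l 2>/dev/null | grep -qF -- "$cron_line"; then
    (crontab -l 2>/dev/null; printf '%s\n' "$cron_line") | crontab -
  fi
  info "Backup key: $key_file (decrypt: openssl enc -d -aes-256-cbc -pbkdf2 -pass file:$key_file -in <archive>.enc -out <archive>)"
  success "✓ النسخ الاحتياطي التلقائي مجدول"
}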
# ════════════════════════════════════════════════════════════════
# 📱 TELEGRAM NOTIFICATIONS
# ════════════════════════════════════════════════════════════════
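#######################################
# Installs a small notifier script that posts a message to a Telegram chat
# and sends a test message. The generated script embeds the bot token, so it
# is created root-only (mode 700).
# Globals: TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID (read)
#######################################
setup_telegram_alerts() {
  if [ -z "$TELEGRAM_BOT_TOKEN" ] || [ -z "$TELEGRAM_CHAT_ID" ]; then
    warning "Telegram غير مكوّن - تخطي التنبيهات..."
    return 0
  fi
  log "\n📱 إعداد تنبيهات Telegram..."
  # setup_auto_backup() creates this directory only when backups are enabled
  mkdir -p /usr/local/bin/fortress
  local notify=/usr/local/bin/fortress/telegram_notify.sh
  # Create and lock down before writing so the token is never world-readable
  touch "$notify"
  chown root:root "$notify"
  chmod 700 "$notify"
  cat > "$notify" <<TELEGRAMEOF
#!/bin/bash
# TRIPZ FORTRESS - Telegram notifier. Embeds the bot token: keep mode 700, root-only.
TELEGRAM_BOT_TOKEN="$TELEGRAM_BOT_TOKEN"
TELEGRAM_CHAT_ID="$TELEGRAM_CHAT_ID"
MESSAGE=\${1:-}
if [ -z "\$MESSAGE" ]; then
echo "Usage: \$0 'message'"
exit 1
fi
# Public IP lookup is best effort: external service, short timeout
PUBLIC_IP=\$(curl -s --max-time 5 ifconfig.me 2>/dev/null || echo "unknown")
TEXT="🛡️ FORTRESS ALERT
🖥️ Server: \$(hostname)
📍 IP: \$PUBLIC_IP
🕐 Time: \$(date '+%Y-%m-%d %H:%M:%S')
📨 \$MESSAGE"
# --data-urlencode keeps '&', '+' and non-ASCII intact; -f turns an API error
# into a non-zero exit instead of a silent "sent". Plain text, no parse_mode,
# so unescaped '<' or '&' in a message cannot be rejected as bad HTML.
if curl -fsS --max-time 15 -X POST "https://api.telegram.org/bot\${TELEGRAM_BOT_TOKEN}/sendMessage" \\
--data-urlencode chat_id="\${TELEGRAM_CHAT_ID}" \\
--data-urlencode text="\$TEXT" > /dev/null; then
echo "✅ تم إرسال التنبيه"
else
echo "❌ Telegram API call failed" >&2
exit 1
fi
TELEGRAMEOF
  # A failed test message must not abort the installer
  "$notify" "✅ تم تثبيت TRIPZ FORTRESS v8.2 بنجاح!" \
    || warning "Telegram test message failed - check the bot token and chat id"
  success "✓ تنبيهات Telegram جاهزة"
}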
# ════════════════════════════════════════════════════════════════
# ✅ FINAL VERIFICATION
# ════════════════════════════════════════════════════════════════
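#######################################
# Reports one systemd unit as active or not and updates the counters.
# Globals:   SERVICES_OK, SERVICES_FAILED (written)
# Arguments: $1 - unit name
#######################################
check_service() {
  if systemctl is-active --quiet "$1"; then
    success "$1"
    # Plain assignment rather than `((SERVICES_OK++))`: the post-increment
    # evaluates to the OLD value, so the first increment from 0 has exit
    # status 1 and `set -e` aborted the run at the first active service.
    SERVICES_OK=$((SERVICES_OK + 1))
  else
    warning "$1"
    SERVICES_FAILED=$((SERVICES_FAILED + 1))
  fi
}
#######################################
# Checks that every configured unit is running and prints the tally.
# Globals: ENABLE_FAIL2BAN, ENABLE_PORT_KNOCKING, ENABLE_HONEYPOT,
#          ENABLE_FAKE_SERVICES (read); SERVICES_OK, SERVICES_FAILED (written)
#######################################
final_verification() {
  log "\n✅ التحقق النهائي..."
  SERVICES_OK=0
  SERVICES_FAILED=0
  info "فحص الخدمات..."
  check_service "sshd"
  check_service "ufw"
  if [ "$ENABLE_FAIL2BAN" == "true" ]; then check_service "fail2ban"; fi
  if [ "$ENABLE_PORT_KNOCKING" == "true" ]; then check_service "knockd"; fi
  if [ "$ENABLE_HONEYPOT" == "true" ]; then check_service "endlessh"; fi
  if [ "$ENABLE_FAKE_SERVICES" == "true" ]; then check_service "fake-mysql"; fi
  log "\nالخدمات النشطة: $SERVICES_OK"
  log "الخدمات الفاشلة: $SERVICES_FAILED"
}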
# ════════════════════════════════════════════════════════════════
# 📝 GENERATE INFO FILE
# ════════════════════════════════════════════════════════════════
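#######################################
# Writes /root/FORTRESS_INFO.txt with the connection details (admin user, SSH
# port, knock sequence) and the enabled layers. The file is created root-only
# from the start — it holds the knock sequence.
# Globals: ADMIN_USER, SSH_PORT, SERVER_IP, KNOCK_PORT_1..3, ENABLE_*,
#          TELEGRAM_BOT_TOKEN, LOG_DIR (read)
#######################################
generate_info_file() {
  log "\n📝 إنشاء ملف المعلومات..."
  local info_file=/root/FORTRESS_INFO.txt
  # umask 077 while writing: with `cat >` followed by chmod the file would be
  # readable by others for the instant in between.
  local old_umask
  old_umask=$(umask)
  umask 077
  cat > "$info_file" <<INFOEOF
════════════════════════════════════════════════════════
🛡️ TRIPZ FORTRESS v8.2 - معلومات السيرفر
════════════════════════════════════════════════════════
تاريخ التثبيت: $(date '+%Y-%m-%d %H:%M:%S')
السيرفر: $(hostname)
IP: $(curl -s --max-time 5 ifconfig.me 2>/dev/null || echo "غير متاح")
🔐 معلومات الأمان:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
المستخدم الإداري: $ADMIN_USER
منفذ SSH: $SSH_PORT
Port Knocking: $KNOCK_PORT_1, $KNOCK_PORT_2, $KNOCK_PORT_3
🛡️ الطبقات الأمنية النشطة:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ SSH Key-Only Authentication
✅ UFW Firewall
$([ "$ENABLE_FAIL2BAN" == "true" ] && echo "✅ Fail2Ban Progressive Blocking" || echo "⊘ Fail2Ban (معطّل)")
$([ "$ENABLE_PORT_KNOCKING" == "true" ] && echo "✅ Port Knocking" || echo "⊘ Port Knocking (معطّل)")
$([ "$ENABLE_HONEYPOT" == "true" ] && echo "✅ Endlessh Honeypot (Port 22)" || echo "⊘ Honeypot (معطّل)")
$([ "$ENABLE_FAKE_SERVICES" == "true" ] && echo "✅ Fake MySQL (Port 3306)" || echo "⊘ Fake Services (معطّل)")
✅ Kernel Hardening
$([ "$ENABLE_AUTO_BACKUP" == "true" ] && echo "✅ Encrypted Auto Backups" || echo "⊘ Auto Backup (معطّل)")
$([ -n "$TELEGRAM_BOT_TOKEN" ] && echo "✅ Telegram Alerts" || echo "⊘ Telegram (غير مكوّن)")
🔧 أوامر مفيدة:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
• فحص UFW: sudo ufw status verbose
• فحص Fail2Ban: sudo fail2ban-client status
• سجل Knockd: sudo tail -f /var/log/knockd.log
• نسخة احتياطية يدوية: sudo /usr/local/bin/fortress/backup.sh
📁 الملفات المهمة:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
• السجلات: $LOG_DIR/
• النسخ الاحتياطية: /backup/fortress/
• التكوينات: /etc/ssh/, /etc/fail2ban/
⚠️ للاتصال بالسيرفر:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
$(if [ "$ENABLE_PORT_KNOCKING" == "true" ]; then
echo "1. knock $SERVER_IP $KNOCK_PORT_1 $KNOCK_PORT_2 $KNOCK_PORT_3"
echo "2. ssh -p $SSH_PORT $ADMIN_USER@$SERVER_IP"
else
echo "ssh -p $SSH_PORT $ADMIN_USER@$SERVER_IP"
fi)
📞 الدعم:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
https://tripz-egypt.com
[email protected]
════════════════════════════════════════════════════════
✅ السيرفر محمي بالكامل!
════════════════════════════════════════════════════════
INFOEOF
  umask "$old_umask"
  chmod 600 "$info_file"
  success "✓ ملف المعلومات: /root/FORTRESS_INFO.txt"
}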
# ════════════════════════════════════════════════════════════════
# 🎯 MAIN INSTALLATION FLOW
# ════════════════════════════════════════════════════════════════
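#######################################
# Installation flow: banner, every hardening step in order, final summary.
# Arguments: CLI arguments are accepted but not used.
#######################################
main() {
  # `clear` exits non-zero when TERM is unset (cron, `ssh host bash script`);
  # under `set -e` that aborted the whole install before it started.
  clear 2>/dev/null || true
  cat <<'BANNER'
════════════════════════════════════════════════════════════════
████████╗██████╗ ██╗██████╗ ███████╗
╚══██╔══╝██╔══██╗██║██╔══██╗╚══███╔╝
██║ ██████╔╝██║██████╔╝ ███╔╝
██║ ██╔══██╗██║██╔═══╝ ███╔╝
██║ ██║ ██║██║██║ ███████╗
╚═╝ ╚═╝ ╚═╝╚═╝╚═╝ ╚══════╝
███████╗ ██████╗ ██████╗ ████████╗██████╗ ███████╗███████╗
██╔════╝██╔═══██╗██╔══██╗╚══██╔══╝██╔══██╗██╔════╝██╔════╝
█████╗ ██║ ██║██████╔╝ ██║ ██████╔╝█████╗ ███████╗
██╔══╝ ██║ ██║██╔══██╗ ██║ ██╔══██╗██╔══╝ ╚════██║
██║ ╚██████╔╝██║ ██║ ██║ ██║ ██║███████╗███████║
╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝╚══════╝╚══════╝
🛡️ v8.2 - PRODUCTION-SAFE EDITION
9-Layer Security System | Enterprise Ready
════════════════════════════════════════════════════════════════
BANNER
  log "\n🚀 بدء التثبيت..."
  log "الإصدار: 8.2"
  log "التاريخ: $(date '+%Y-%m-%d %H:%M:%S')"
  log "════════════════════════════════════════════════════════════════\n"
  # Order matters: SSH is moved to $SSH_PORT (harden_ssh) before the firewall
  # is enabled, and knockd is set up after the firewall has hidden that port.
  preflight_checks
  system_preparation
  create_admin_user
  harden_ssh
  configure_firewall
  setup_fail2ban
  setup_port_knocking
  setup_honeypot
  setup_fake_services
  optimize_system
  setup_auto_backup
  setup_telegram_alerts
  final_verification
  generate_info_file
  log "\n════════════════════════════════════════════════════════════════"
  success "🎉 اكتمل تثبيت TRIPZ FORTRESS v8.2!"
  log "════════════════════════════════════════════════════════════════\n"
  cat <<FINALEOF
╔══════════════════════════════════════════════════════════════════╗
║ 🔐 TRIPZ FORTRESS v8.2 🔐 ║
║ PRODUCTION-SAFE EDITION ║
╠══════════════════════════════════════════════════════════════════╣
║ ║
║ ✅ التثبيت مكتمل بنجاح! ║
║ ║
║ 📊 معلومات الاتصال: ║
║ • السيرفر: $SERVER_IP ║
║ • المستخدم: $ADMIN_USER ║
║ • منفذ SSH: $SSH_PORT ║
║ ║
$(if [ "$ENABLE_PORT_KNOCKING" == "true" ]; then
cat <<KNOCKEOF
║ 🚪 Port Knocking مفعّل: ║
║ • knock $SERVER_IP $KNOCK_PORT_1 $KNOCK_PORT_2 $KNOCK_PORT_3 ║
KNOCKEOF
fi)
║ ║
║ ⚠️ التحذيرات المهمة: ║
║ 1. اختبر الاتصال قبل قطع الجلسة الحالية! ║
║ 2. احفظ معلومات Port Knocking في مكان آمن ║
║ 3. راجع: /root/FORTRESS_INFO.txt ║
║ 4. السجلات: $LOG_FILE ║
║ ║
╚══════════════════════════════════════════════════════════════════╝
FINALEOF
  # Keep this session open until a second session has been verified
  warning "\n⚠ لاختبار الاتصال، افتح terminal جديد وجرّب:"
  if [ "$ENABLE_PORT_KNOCKING" == "true" ]; then
    echo "knock $SERVER_IP $KNOCK_PORT_1 $KNOCK_PORT_2 $KNOCK_PORT_3"
  fi
  echo "ssh -p $SSH_PORT $ADMIN_USER@$SERVER_IP"
  log "\n✅ التثبيت مكتمل - السيرفر الآن محمي!"
}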
# ════════════════════════════════════════════════════════════════
# 🚀 RUN
# ════════════════════════════════════════════════════════════════
main "$@"