#!/usr/bin/env bash # ============================================================================ # MAX SecurityScan — 安全基线快速扫描 # 原创脚本,受 lynis 安全审计理念启发但更精简聚焦 # 检查 SSH 配置 / 防火墙 / 开放端口 / 异常登录 / 更新 # # 风险等级: 🟢 只读 — 不修改任何系统设置 # 用法: bash <(curl -fsSL https://dl.unvmax.com/linux/scripts/max-tools/max-security-scan.sh) # ============================================================================ set -e R='\033[1;31m' G='\033[1;32m' Y='\033[1;33m' B='\033[1;34m' C='\033[1;36m' M='\033[1;35m' W='\033[1;37m' N='\033[0m' GR='\033[90m' PASS=0 WARN=0 FAIL=0 check() { local status="$1" msg="$2" case "$status" in pass) echo -e " ${G}✔ $msg${N}"; PASS=$((PASS+1)) ;; warn) echo -e " ${Y}⚠ $msg${N}"; WARN=$((WARN+1)) ;; fail) echo -e " ${R}✘ $msg${N}"; FAIL=$((FAIL+1)) ;; esac } echo -e "${B}┌─────────────────────────────────────────────┐${N}" echo -e "${B}│${N} ${G}MAX 安全基线扫描${N} ${GR}(只读)${N}" echo -e "${B}└─────────────────────────────────────────────┘${N}" echo echo -e " ${GR}扫描时间: $(date '+%Y-%m-%d %H:%M:%S')${N}" echo -e " ${GR}主机: $(hostname)${N}" echo # 1. SSH 安全配置 echo -e " ${M}1. SSH 安全配置${N}" echo -e " ${GR}───${N}" if [ -f /etc/ssh/sshd_config ]; then root_login=$(grep -Ei '^PermitRootLogin\s+' /etc/ssh/sshd_config 2>/dev/null | awk '{print $2}') pass_auth=$(grep -Ei '^PasswordAuthentication\s+' /etc/ssh/sshd_config 2>/dev/null | awk '{print $2}') port=$(grep -Ei '^Port\s+' /etc/ssh/sshd_config 2>/dev/null | awk '{print $2}') [ "$root_login" = "prohibit-password" ] || [ "$root_login" = "no" ] && check pass "Root 登录: $root_login" || check warn "Root 登录: ${root_login:-默认允许}" [ "$pass_auth" = "no" ] && check pass "密码认证: 已禁用" || check warn "密码认证: ${pass_auth:-启用}" [ -n "$port" ] && [ "$port" != "22" ] && check pass "SSH 端口: $port (非默认)" || check warn "SSH 端口: ${port:-22} (默认)" else check warn "sshd_config 未找到" fi # 2. 防火墙状态 echo -e "\n ${M}2. 防火墙${N}" echo -e " ${GR}───${N}" if command -v ufw &>/dev/null; then ufw_active=$(ufw status 2>/dev/null | grep -c active || true) [ "$ufw_active" -gt 0 ] && check pass "UFW: 已启用" || check fail "UFW: 未启用" fi if command -v iptables &>/dev/null; then rules=$(iptables -L INPUT -n 2>/dev/null | wc -l) [ "$rules" -gt 10 ] && check pass "iptables: 有规则 ($rules 条)" || check warn "iptables: 规则较少 ($rules 条)" fi # 3. 公网开放端口 echo -e "\n ${M}3. 公网开放端口${N}" echo -e " ${GR}───${N}" open_ports=$(ss -tlnp 2>/dev/null | awk 'NR>1{print $4}' | grep -v '127.0.0.1\|::1\|\[::1\]' | grep -oP ':\K\d+' | sort -n | uniq | tr '\n' ' ') [ -n "$open_ports" ] && check warn "公网端口: $open_ports" || check pass "无公网监听端口" echo -e " ${GR} 建议仅开放必要端口并搭配防火墙白名单${N}" # 4. 系统更新 echo -e "\n ${M}4. 系统更新${N}" echo -e " ${GR}───${N}" if command -v apt-get &>/dev/null; then updates=$(apt list --upgradable 2>/dev/null | grep -c upgradable || true) security_updates=$(apt list --upgradable 2>/dev/null | grep -ci security || true) [ "$updates" -eq 0 ] && check pass "所有包已更新" || check warn "$updates 个包可升级 (含 $security_updates 个安全更新)" fi # 5. 无人值守更新 echo -e "\n ${M}5. 自动安全更新${N}" echo -e " ${GR}───${N}" if dpkg -l | grep -q unattended-upgrades 2>/dev/null; then uu_active=$(systemctl is-active unattended-upgrades 2>/dev/null || echo "inactive") [ "$uu_active" = "active" ] && check pass "unattended-upgrades: 运行中" || check fail "unattended-upgrades: 未运行" else check warn "unattended-upgrades 未安装" fi # 6. 最近失败登录 echo -e "\n ${M}6. 异常登录检查${N}" echo -e " ${GR}───${N}" failed=$(grep 'Failed password' /var/log/auth.log 2>/dev/null | tail -1 || echo "无日志") echo -e " ${GR}最近失败登录: $failed${N}" lastb 2>/dev/null | head -5 | while read -r line; do echo -e " ${Y}$line${N}" done # 7. 可疑 SUID 文件 echo -e "\n ${M}7. SUID 文件检查${N}" echo -e " ${GR}───${N}" suid_count=$(find / -perm -4000 -type f 2>/dev/null | wc -l) echo -e " SUID 文件数: ${W}$suid_count${N}" echo -e " ${GR}(超过 50 可能有问题,可查看: find / -perm -4000 -type f 2>/dev/null)${N}" # 总结 echo -e "\n ${B}──────────────────────────────${N}" echo -e " ${M}扫描结果汇总${N}" echo -e " ${G}通过: $PASS${N} ${Y}警告: $WARN${N} ${R}失败: $FAIL${N}" [ "$FAIL" -gt 0 ] && echo -e " ${R}⚠ 建议修复上述失败项${N}" echo echo -e "${GR}👉 完整审计建议: CISOfy/lynis (https://github.com/CISOfy/lynis)${N}"