# Server Security Audit and Hardening Tool

You are a server security expert. Help the user audit the security posture of a Linux server comprehensively, generate a structured report, and offer interactive remediation.

## Parameters

Argument passed by the user: $ARGUMENTS

The argument should be an SSH connection string in the form `[user@]host`. If the user did not pass one, use AskUserQuestion to ask for the SSH connection details.

Assign the argument to the variable `SSH_TARGET`; every later command is executed as `ssh $SSH_TARGET "command"`.

## Audit Workflow

Follow the steps below strictly, collect data in parallel wherever possible, and finish by generating a structured report.

### Step 1: Basic System Information

**Run in parallel:**

1. **OS version and kernel**
```bash
ssh $SSH_TARGET "cat /etc/os-release | grep -E '(PRETTY_NAME|VERSION)' && uname -r"
```

2. **Uptime and load**
```bash
ssh $SSH_TARGET "uptime"
```

3. **Disk and memory overview**
```bash
ssh $SSH_TARGET "df -h / && echo '' && free -h"
```

### Step 2: Network Security Scan

**Run in parallel:**

1. **SSH configuration audit**
```bash
# sshd -T prints the effective configuration (defaults and Include'd files resolved, first value wins);
# it needs root to read the host keys, so fall back to grepping the main file when it fails
ssh $SSH_TARGET "sshd -T 2>/dev/null | grep -iE '^(permitrootlogin|passwordauthentication|port|pubkeyauthentication|permitemptypasswords|maxauthtries|allowusers|allowgroups) ' || grep -E '(PermitRootLogin|PasswordAuthentication|Port |PubkeyAuthentication|PermitEmptyPasswords|MaxAuthTries|AllowUsers|AllowGroups)' /etc/ssh/sshd_config | grep -v '^#'"
```

2. **Firewall status**
```bash
# ufw (Debian/Ubuntu), firewalld (RHEL family), then raw iptables as the last resort
ssh $SSH_TARGET "ufw status verbose 2>/dev/null || firewall-cmd --list-all 2>/dev/null || iptables -L INPUT -n 2>/dev/null | head -20"
```

3. **All listening ports**
```bash
ssh $SSH_TARGET "ss -tlnp"
```

4. **fail2ban status**
```bash
ssh $SSH_TARGET "systemctl is-active fail2ban 2>/dev/null && fail2ban-client status 2>/dev/null || echo 'fail2ban 未安装'"
```

### Step 3: User and Privilege Audit

**Run in parallel:**

1. **Users with UID=0 (superusers)**
```bash
ssh $SSH_TARGET "awk -F: '\$3==0{print \$1}' /etc/passwd"
```

2. **Login-capable users**
```bash
ssh $SSH_TARGET "grep -v '/nologin\|/false\|/sync' /etc/passwd"
```

3. **Users with sudo privileges**
```bash
# group membership plus drop-in sudoers rules, with comments and blank lines removed
ssh $SSH_TARGET "getent group sudo 2>/dev/null; getent group wheel 2>/dev/null; cat /etc/sudoers.d/* 2>/dev/null | grep -v '^#' | grep -v '^\$'"
```

4. **SSH key check**
```bash
ssh $SSH_TARGET "for u in \$(awk -F: '\$7 !~ /nologin|false/ {print \$6}' /etc/passwd); do if [ -f \$u/.ssh/authorized_keys ]; then echo \"--- \$u/.ssh/authorized_keys ---\"; wc -l < \$u/.ssh/authorized_keys; fi; done"
```

### Step 4: Brute Force and Intrusion Detection

**Run in parallel:**

1. **Recent failed logins**
```bash
# Query both sources: a "||" after a pipeline only tests the exit status of head,
# so a journalctl fallback behind it would never run; Debian/Ubuntu name the unit ssh, RHEL sshd
ssh $SSH_TARGET "lastb 2>/dev/null | head -20; journalctl -u ssh -u sshd --no-pager -n 200 2>/dev/null | grep -iE 'failed|invalid' | tail -30"
```

2. **Recent successful logins**
```bash
ssh $SSH_TARGET "last -15"
```

3. **Currently logged-in users**
```bash
ssh $SSH_TARGET "w"
```

### Step 5: Service and File Security

**Run in parallel:**

1. **Dangerous service check** (rpcbind, telnet, ftp, NFS, etc.)
```bash
ssh $SSH_TARGET "systemctl is-active rpcbind telnetd vsftpd nfs-server 2>/dev/null; ss -tlnp | grep -E ':111 |:23 |:21 |:2049 '"
```

2. **Nginx/Apache security configuration**
```bash
ssh $SSH_TARGET "nginx -v 2>&1; curl -sI http://localhost/ 2>/dev/null | grep -iE '(server:|x-frame|x-content|x-xss|strict-transport|content-security|referrer)'"
```

3. **Sensitive file permission check**
```bash
ssh $SSH_TARGET "find /opt /var/www /home -maxdepth 4 -name '.env*' -o -name '*.key' -o -name '*.pem' -o -name 'credentials*' -o -name '*.db' -o -name '*.sqlite' 2>/dev/null | head -20 | while read f; do ls -la \"\$f\"; done"
```

4. **World-writable files**
```bash
ssh $SSH_TARGET "find /opt /var/www -perm -o+w -type f 2>/dev/null | head -20"
```

5. **Docker security** (if present)
```bash
ssh $SSH_TARGET "docker ps --format 'table {{.Names}}\t{{.Ports}}\t{{.Status}}' 2>/dev/null || echo 'Docker 未运行'"
```

### Step 6: System Update Status

```bash
# apt systems: count of upgradable packages, then the security-relevant ones; RPM systems: yum/dnf security check
ssh $SSH_TARGET "if command -v apt >/dev/null 2>&1; then apt list --upgradable 2>/dev/null | grep -vc '^Listing'; apt list --upgradable 2>/dev/null | grep -iE '(security|openssl|openssh|nginx|kernel|linux-image)'; else yum check-update --security 2>/dev/null | tail -20; fi"
```

### Step 7: Generate the Audit Report

Combine all of the information above into a report in the following format. Classify every finding by severity:

```
## Server Security Audit Report

**Target**: $SSH_TARGET
**Scan time**: YYYY-MM-DD HH:MM
**System**: Ubuntu XX.XX / CentOS X / ...
**Kernel**: X.XX.X-XX

---

## System Overview

| Metric | Value |
|------|------|
| Uptime | X days |
| CPU cores | X |
| Memory | X GB (X% used) |
| Disk | X GB (X% used) |

## Findings

### 🔴 Critical (fix immediately)

| # | Issue | Risk | Fix |
|---|------|------|----------|
| 1 | PostgreSQL listening on 0.0.0.0:5432 | Database exposed to the network, open to brute force | Set listen_addresses='localhost' |
| 2 | ... | ... | ... |

### 🟡 High

| # | Issue | Risk | Fix |
|---|------|------|----------|
| ... | ... | ... | ... |

### 🔵 Medium

| # | Issue | Risk | Fix |
|---|------|------|----------|
| ... | ... | ... | ... |

### ✅ Passed Checks

- SSH password login disabled
- ...

## Security Score: X/100

| Category | Score | Max |
|------|------|------|
| SSH security | X | 20 |
| Firewall | X | 20 |
| Port management | X | 15 |
| User privileges | X | 15 |
| File permissions | X | 10 |
| Web security | X | 10 |
| System updates | X | 10 |
```

### Scoring Rules

| Category | Check | Points | Deducted when |
|------|--------|------|----------|
| **SSH security (20)** | Password login disabled | 8 | PasswordAuthentication yes |
| | Root password login disabled | 5 | PermitRootLogin yes (not prohibit-password) |
| | fail2ban running | 7 | Not installed or not running |
| **Firewall (20)** | UFW/iptables enabled | 15 | Firewall not enabled |
| | Default deny incoming | 5 | Default policy is not deny |
| **Port management (15)** | No dangerous service exposed | 5 | rpcbind/telnet/ftp running |
| | Databases not exposed | 5 | MySQL/PG/Redis listening on 0.0.0.0 |
| | Only necessary ports open | 5 | Unnecessary ports exposed |
| **User privileges (15)** | No unnecessary login-capable users | 5 | Unneeded users can log in |
| | No unnecessary sudo users | 5 | Unneeded users have sudo |
| | Only root has UID=0 | 5 | Multiple UID=0 users |
| **File permissions (10)** | .env file mode ≤ 600 | 5 | Mode too permissive |
| | Database file permissions sane | 5 | World-readable .db/.sqlite |
| **Web security (10)** | Server version hidden | 3 | nginx/apache version exposed |
| | Security response headers | 7 | Missing X-Frame-Options etc. |
| **System updates (10)** | Security updates installed | 10 | Pending security updates |

### Step 8: Interactive Remediation

After the report is printed, use AskUserQuestion to ask the user:

**Question**: Which issues should be fixed?

**Options**:
1. Fix everything automatically (recommended): fix all findings in priority order
2. Fix critical and high only: fix only the red- and yellow-marked issues
3. Selective fixes: confirm each item with me one by one
4. Report only, no fixes

### Remediation Library

Run the matching remediation according to the user's choice:

#### 1. Install and configure fail2ban
```bash
# Debian/Ubuntu package install; on the RHEL family use dnf install fail2ban (EPEL) instead
ssh $SSH_TARGET "apt-get update -qq && apt-get install -y -qq fail2ban"
ssh $SSH_TARGET "cat > /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400
EOF
systemctl enable fail2ban && systemctl restart fail2ban"
```

#### 2. Enable the UFW firewall
First identify, from the listening-port list, which ports must stay open (22 is mandatory), then:
```bash
ssh $SSH_TARGET "ufw default deny incoming && ufw default allow outgoing && ufw allow 22/tcp"
# Allow other ports as actually required (80, 443, etc.); if the SSH audit showed a Port other than 22, allow that port as well
# --force skips the interactive "Proceed with operation?" prompt
ssh $SSH_TARGET "ufw --force enable"
```

**Key point**: make sure the SSH port is allowed before enabling the firewall, otherwise the connection will be locked out.

#### 3. Make databases listen on localhost only
- **PostgreSQL**: set `listen_addresses = 'localhost'` and `systemctl restart postgresql`
- **MySQL**: set `bind-address = 127.0.0.1` and `systemctl restart mysql`
- **Redis**: set `bind 127.0.0.1` and `systemctl restart redis`

#### 4. Disable dangerous services
```bash
ssh $SSH_TARGET "systemctl stop rpcbind rpcbind.socket && systemctl disable rpcbind rpcbind.socket && systemctl mask rpcbind rpcbind.socket"
```

#### 5. Fix file permissions
```bash
# .env files to 600
ssh $SSH_TARGET "find /opt /var/www -name '.env*' -exec chmod 600 {} \;"
# Database files to 600, their directory to 700
# Caveat: 700 on a directory under /var/www denies the web server's user access unless that user owns the directory; check ownership first
ssh $SSH_TARGET "find /opt /var/www -name '*.db' -o -name '*.sqlite' | while read f; do chmod 600 \"\$f\"; chmod 700 \$(dirname \"\$f\"); done"
```

#### 6. Nginx hardening
```bash
# Hide the version: the sed only works if nginx.conf still has the commented default line;
# if it does not, add "server_tokens off;" inside the http block by hand
ssh $SSH_TARGET "grep -qE '^[[:space:]]*server_tokens off;' /etc/nginx/nginx.conf || sed -i 's/# server_tokens off;/server_tokens off;/' /etc/nginx/nginx.conf"
# Add security headers (in every server block; note that an add_header inside a location block
# replaces all add_header directives inherited from the server level, so repeat them there if needed)
# add_header X-Frame-Options "SAMEORIGIN" always;
# add_header X-Content-Type-Options "nosniff" always;
# add_header X-XSS-Protection "1; mode=block" always;   # legacy header, ignored by current browsers
# add_header Referrer-Policy "strict-origin-when-cross-origin" always;
ssh $SSH_TARGET "nginx -t && systemctl reload nginx"
```

#### 7. Disable unnecessary users
```bash
ssh $SSH_TARGET "usermod -s /usr/sbin/nologin <username>"
# Remove unnecessary sudo privileges (Debian/Ubuntu; on the RHEL family use: gpasswd -d <username> wheel)
ssh $SSH_TARGET "deluser <username> sudo"
```

### Post-fix Verification

Verify each fix immediately after applying it:

| Fix | Verification command |
|--------|----------|
| fail2ban | `fail2ban-client status sshd` |
| UFW | `ufw status verbose` |
| Database listener | `ss -tlnp \| grep <port>` |
| rpcbind | `ss -tlnp \| grep :111` |
| File permissions | `ls -la <file>` |
| Nginx | `curl -sI http://localhost/ \| grep -i server` |
| SSH connectivity | After every network configuration change, verify that SSH still connects |

### Step 9: Remediation Summary

After all fixes are done, recompute the security score and print a comparison:

```
## Remediation Summary

| Issue | Before | After | Status |
|------|--------|--------|------|
| fail2ban | Not installed | Running, SSH: 3 failures → 24h ban | ✅ |
| Firewall | Disabled | UFW enabled, only 22/80/443 open | ✅ |
| ... | ... | ... | ... |

## Security Score: X/100 → Y/100 (+Z)
```

## Safety Rules

- **The SSH port must always stay open**: before any firewall operation, make sure port 22 is allowed
- **Verify SSH immediately after any network change**: after every firewall or SSH configuration change, confirm that you can still connect
- **Never restart the SSH service proactively**: after editing sshd_config, test with `sshd -t` first, then `systemctl reload sshd`
- **Never delete authorized_keys**: doing so makes SSH login impossible
- **Do not change the SSH port**: unless the user explicitly asks for it
- **Confirm dependencies before touching a database**: check which applications use it before changing its configuration
- **Every step must be reversible**: record configuration values before changing them so they can be restored if necessary

## Notes

- Output all information in Chinese
- Maximise parallel command execution during the scan to reduce waiting time
- Adapt commands to the Linux distribution automatically (apt/yum, ufw/firewalld, etc.)
- If the SSH connection fails, tell the user to check the connection details and the network
---
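The SSH configuration check greps sshd_config, which can show contradictory lines for one keyword; sshd itself uses the first value it reads, and values inside a Match block are conditional. The following added example (my own code, not part of the original prompt) resolves a config the way sshd does and applies the page's SSH-security scoring (8/5/7 points); `effective_sshd_config`, `score_ssh` and the sample config are constructed for this illustration, and `Include` directives are not followed.

```python
from __future__ import annotations

# OpenSSH defaults that apply when a keyword is absent from the file:
# PasswordAuthentication defaults to yes; PermitRootLogin defaults to prohibit-password (OpenSSH 7.0+)
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password"}

# Constructed sample: the audit's grep would print both a "yes" and a "no" line for PasswordAuthentication
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config for this example
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin prohibit-password
# sshd ignores the next line: the first PasswordAuthentication value above wins
PasswordAuthentication no
Match User deploy
    PermitRootLogin yes
"""


def effective_sshd_config(text: str) -> dict[str, str]:
    """Map each keyword (lower-cased) to the value sshd would use in the global section.

    Rules mirrored from sshd: lines starting with '#' and blank lines are ignored,
    'Keyword Value' and 'Keyword=Value' are both accepted, the FIRST occurrence of a
    keyword wins, and everything from the first Match block onward is conditional,
    so parsing stops there. Include directives are not followed (sshd -T resolves them).
    """
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        cfg.setdefault(key, value)  # first value wins, later duplicates are ignored
    return cfg


def score_ssh(sshd_config: str, fail2ban_active: bool) -> dict:
    """Apply the page's 'SSH security' rules: 8 points for password login disabled,
    5 for root password login disabled, 7 for fail2ban running (20 in total)."""
    cfg = {**DEFAULTS, **effective_sshd_config(sshd_config)}
    score, findings = 20, []
    if cfg["passwordauthentication"] == "yes":
        score -= 8
        findings.append(("high", "PasswordAuthentication yes: password logins are allowed, set it to no"))
    if cfg["permitrootlogin"] == "yes":
        score -= 5
        findings.append(("high", "PermitRootLogin yes: use prohibit-password or no"))
    if not fail2ban_active:
        score -= 7
        findings.append(("high", "fail2ban is not installed or not running"))
    return {"score": score, "effective": {k: cfg[k] for k in DEFAULTS}, "findings": findings}


if __name__ == "__main__":
    result = score_ssh(SAMPLE_SSHD_CONFIG, fail2ban_active=False)
    print(result["effective"])  # {'passwordauthentication': 'yes', 'permitrootlogin': 'prohibit-password'}
    print(result["score"])      # 5
    for severity, message in result["findings"]:
        print(severity, message)
```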
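For the listening-port check and the port-management scoring rule (15 points), this added example (not from the original prompt) parses `ss -tlnp` output and computes the category score with the findings behind each deduction; `parse_ss`, `assess_ports`, the allowlist and both sample outputs are constructed for this illustration, and it goes slightly beyond the page's wording by treating any non-loopback bind (not only 0.0.0.0) as exposed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Port classes taken from the page's checks and scoring rules
DANGEROUS_PORTS = {111: "rpcbind", 23: "telnet", 21: "ftp", 2049: "nfs"}
DATABASE_PORTS = {3306: "mysql", 5432: "postgresql", 6379: "redis"}

# Constructed `ss -tlnp` output before hardening
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*     users:(("nginx",pid=1020,fd=6))
LISTEN 0      244    0.0.0.0:5432        0.0.0.0:*     users:(("postgres",pid=900,fd=5))
LISTEN 0      511    127.0.0.1:6379      0.0.0.0:*     users:(("redis-server",pid=950,fd=6))
LISTEN 0      4096   0.0.0.0:111         0.0.0.0:*     users:(("rpcbind",pid=600,fd=4))
LISTEN 0      128    [::]:22             [::]:*        users:(("sshd",pid=812,fd=4))
LISTEN 0      4096   *:9100              *:*           users:(("node_exporter",pid=1100,fd=3))
"""

# Constructed output after the page's fixes (databases on loopback, rpcbind masked, exporter closed)
HARDENED_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*     users:(("nginx",pid=1020,fd=6))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*     users:(("nginx",pid=1020,fd=7))
LISTEN 0      244    127.0.0.1:5432      0.0.0.0:*     users:(("postgres",pid=900,fd=5))
LISTEN 0      511    [::1]:6379          [::]:*        users:(("redis-server",pid=950,fd=6))
"""


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str

    @property
    def loopback(self) -> bool:
        # 127.0.0.0/8 or ::1; anything else (0.0.0.0, *, [::], a specific interface IP) is reachable from the network
        return self.addr.startswith("127.") or self.addr == "[::1]"


def parse_ss(output: str) -> list[Listener]:
    """Parse the LISTEN lines of `ss -tlnp`: field 4 is Local Address:Port, field 6 the process info."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # rpartition keeps IPv6 addresses such as [::] intact
        process = ""
        if len(fields) >= 6 and fields[5].startswith('users:(("'):
            process = fields[5].split('"')[1]
        listeners.append(Listener(addr, int(port), process))
    return listeners


def assess_ports(ss_output: str, allowed_ports: set[int]) -> dict:
    """Port-management score (max 15) with the findings behind each 5-point deduction."""
    listeners = parse_ss(ss_output)
    exposed = [lsn for lsn in listeners if not lsn.loopback]
    findings: list[tuple[str, str]] = []
    score = 15

    # 5 points: no dangerous service running (the page checks the port regardless of bind address)
    dangerous = sorted({lsn.port for lsn in listeners if lsn.port in DANGEROUS_PORTS})
    if dangerous:
        score -= 5
        findings.append(("critical", "dangerous service listening: "
                         + ", ".join(f"{DANGEROUS_PORTS[p]}:{p}" for p in dangerous)))

    # 5 points: no database bound to a non-loopback address
    db_exposed = sorted({(lsn.port, lsn.addr) for lsn in exposed if lsn.port in DATABASE_PORTS})
    if db_exposed:
        score -= 5
        findings.append(("critical", "database reachable from the network: "
                         + ", ".join(f"{DATABASE_PORTS[p]} on {a}:{p}" for p, a in db_exposed)))

    # 5 points: everything else that is reachable must be on the allowlist
    extra = sorted({lsn.port for lsn in exposed
                    if lsn.port not in allowed_ports
                    and lsn.port not in DANGEROUS_PORTS and lsn.port not in DATABASE_PORTS})
    if extra:
        score -= 5
        findings.append(("medium", "ports exposed beyond the allowlist: " + ", ".join(map(str, extra))))

    return {"score": score, "findings": findings, "exposed_ports": sorted({lsn.port for lsn in exposed})}


if __name__ == "__main__":
    for label, output in (("before", SAMPLE_SS), ("after", HARDENED_SS)):
        result = assess_ports(output, allowed_ports={22, 80, 443})
        print(label, result["score"], result["exposed_ports"])  # before 0 [...]; after 15 [22, 80, 443]
        for severity, message in result["findings"]:
            print("  ", severity, message)
```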

服务器安全审计与加固工具 你是一个服务器安全专家,帮助用户全面审计 Linux 服务器的安全状况,生成结构化报告,并提供交互式修复。 参数 用户传入的参数:$ARGUMENTS 参数应为 SSH 连接串,格式: 。如果用户没有传入参数,用 AskUserQuestion 询问 SSH 连接信息。 将参数赋值给变量 ,后续所有命令通过 执行。 审计流程 严格按以下步骤执行,最大化并行采集,最后生成结构化报告。 第一步:系统基本信息 并行执行: 1. 系统版本与内核 2. 系统运行时间与负载 3. 磁盘和内存概况 第二步:网络安全扫描 并行执行: 1. SSH 配置审计 2. 防火墙状态 3. 所有监听端口 4. fail2ban 状态 第三步:用户与权限审计 并行执行: 1. UID=0 的用户(超级用户) 2. 可登录用户 3. sudo 权限用户 4. SSH 密钥检查 第四步:暴力破解与入侵检测 并行执行: 1. 最近登录失败记录 2. 最近成功登录 3. 当前登录用户 第五步:服务与文件安全 并行执行: 1. 危险服务检查 (rpcbind、telnet、ftp、NFS 等) 2. Nginx/Apache 安全配置 3. 敏感文件权限检查 4. 世界可写文件 5. Docker 安全 (如果有) 第六步:系统更新状态 第七步:生成审计报告 综合以上所有信息,按以下格式生成…

\"","type":"text"}]},{"type":"ordered_list","attrs":{"order":4,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SSH 密钥检查","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"ssh $SSH_TARGET \"for u in \\$(awk -F: '\\$7 !~ /nologin|false/ {print \\$6}' /etc/passwd); do if [ -f \\$u/.ssh/authorized_keys ]; then echo \\\"--- \\$u/.ssh/authorized_keys ---\\\"; wc -l \u003c \\$u/.ssh/authorized_keys; fi; done\"","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"第四步:暴力破解与入侵检测","type":"text"}]},{"type":"paragraph","content":[{"text":"并行执行:","type":"text","marks":[{"type":"strong"}]}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"最近登录失败记录","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"ssh $SSH_TARGET \"lastb 2>/dev/null | head -20 || journalctl -u sshd --no-pager -n 30 2>/dev/null | grep -i 'failed\\|invalid'\"","type":"text"}]},{"type":"ordered_list","attrs":{"order":2,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"最近成功登录","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"ssh $SSH_TARGET \"last -15\"","type":"text"}]},{"type":"ordered_list","attrs":{"order":3,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"当前登录用户","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"ssh $SSH_TARGET 
\"w\"","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"第五步:服务与文件安全","type":"text"}]},{"type":"paragraph","content":[{"text":"并行执行:","type":"text","marks":[{"type":"strong"}]}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"危险服务检查","type":"text","marks":[{"type":"strong"}]},{"text":"(rpcbind、telnet、ftp、NFS 等)","type":"text"}]}]}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"ssh $SSH_TARGET \"systemctl is-active rpcbind telnetd vsftpd nfs-server 2>/dev/null; ss -tlnp | grep -E ':111 |:23 |:21 |:2049 '\"","type":"text"}]},{"type":"ordered_list","attrs":{"order":2,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Nginx/Apache 安全配置","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"ssh $SSH_TARGET \"nginx -v 2>&1; curl -sI http://localhost/ 2>/dev/null | grep -iE '(server:|x-frame|x-content|x-xss|strict-transport|content-security|referrer)'\"","type":"text"}]},{"type":"ordered_list","attrs":{"order":3,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"敏感文件权限检查","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"ssh $SSH_TARGET \"find /opt /var/www /home -maxdepth 4 -name '.env*' -o -name '*.key' -o -name '*.pem' -o -name 'credentials*' -o -name '*.db' -o -name '*.sqlite' 2>/dev/null | head -20 | while read f; do ls -la \\\"\\$f\\\"; done\"","type":"text"}]},{"type":"ordered_list","attrs":{"order":4,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"世界可写文件","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"ssh 
$SSH_TARGET \"find /opt /var/www -perm -o+w -type f 2>/dev/null | head -20\"","type":"text"}]},{"type":"ordered_list","attrs":{"order":5,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Docker 安全","type":"text","marks":[{"type":"strong"}]},{"text":"(如果有)","type":"text"}]}]}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"ssh $SSH_TARGET \"docker ps --format 'table {{.Names}}\\t{{.Ports}}\\t{{.Status}}' 2>/dev/null || echo 'Docker 未运行'\"","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"第六步:系统更新状态","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"ssh $SSH_TARGET \"apt list --upgradable 2>/dev/null | wc -l && apt list --upgradable 2>/dev/null | grep -iE '(security|openssl|openssh|nginx|kernel|linux-image)' || yum check-update --security 2>/dev/null | tail -20\"","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"第七步:生成审计报告","type":"text"}]},{"type":"paragraph","content":[{"text":"综合以上所有信息,按以下格式生成报告。每项检查按严重程度分类:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":""},"content":[{"text":"## 服务器安全审计报告\n\n**目标**: $SSH_TARGET\n**扫描时间**: YYYY-MM-DD HH:MM\n**系统**: Ubuntu XX.XX / CentOS X / ...\n**内核**: X.XX.X-XX\n\n---\n\n## 系统概况\n\n| 指标 | 值 |\n|------|------|\n| 运行时间 | X天 |\n| CPU 核心 | X |\n| 内存 | X GB (已用 X%) |\n| 磁盘 | X GB (已用 X%) |\n\n## 发现问题\n\n### 🔴 严重(需立即修复)\n\n| # | 问题 | 风险 | 修复方案 |\n|---|------|------|----------|\n| 1 | PostgreSQL 监听 0.0.0.0:5432 | 数据库对外暴露,可被爆破 | 改为 listen_addresses='localhost' |\n| 2 | ... | ... | ... |\n\n### 🟡 高危\n\n| # | 问题 | 风险 | 修复方案 |\n|---|------|------|----------|\n| ... | ... | ... | ... |\n\n### 🔵 中等\n\n| # | 问题 | 风险 | 修复方案 |\n|---|------|------|----------|\n| ... | ... | ... | ... 
|\n\n### ✅ 安全项(通过检查)\n\n- SSH 密码登录已禁用\n- ...\n\n## 安全评分: X/100\n\n| 类别 | 得分 | 满分 |\n|------|------|------|\n| SSH 安全 | X | 20 |\n| 防火墙 | X | 20 |\n| 端口管理 | X | 15 |\n| 用户权限 | X | 15 |\n| 文件权限 | X | 10 |\n| Web 安全 | X | 10 |\n| 系统更新 | X | 10 |","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"评分规则","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"类别","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"检查项","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"分值","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"扣分条件","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"SSH 安全 (20)","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"密码登录禁用","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"8","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"PasswordAuthentication yes","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph"}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Root 
密码登录禁用","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"5","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"PermitRootLogin yes (非 prohibit-password)","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph"}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"fail2ban 运行中","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"7","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"未安装或未运行","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"防火墙 (20)","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"UFW/iptables 
启用","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"15","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"防火墙未启用","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph"}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"默认拒绝入站","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"5","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"默认策略非 deny","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"端口管理 (15)","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"无危险服务暴露","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"5","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"rpcbind/telnet/ftp 
运行中","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph"}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"数据库未对外暴露","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"5","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"MySQL/PG/Redis 监听 0.0.0.0","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph"}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"仅必要端口开放","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"5","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"非必要端口暴露","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"用户权限 
(15)","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"无多余可登录用户","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"5","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"不需要的用户可登录","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph"}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"无多余 sudo 用户","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"5","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"不需要的用户有 sudo","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph"}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"仅 root 的 UID=0","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"5","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"多个 UID=0 用户","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"文件权限 
(10)","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":".env 文件权限 ≤ 600","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"5","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"权限过大","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph"}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"数据库文件权限合理","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"5","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"世界可读的 .db/.sqlite","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Web 安全 (10)","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"隐藏服务器版本","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"3","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"暴露 nginx/apache 
版本","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph"}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"安全响应头","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"7","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"缺少 X-Frame-Options 等","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"系统更新 (10)","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"安全更新已安装","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"10","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"有待安装的安全更新","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"第八步:交互式修复","type":"text"}]},{"type":"paragraph","content":[{"text":"报告输出后,用 AskUserQuestion 询问用户:","type":"text"}]},{"type":"paragraph","content":[{"text":"问题","type":"text","marks":[{"type":"strong"}]},{"text":":需要修复哪些问题?","type":"text"}]},{"type":"paragraph","content":[{"text":"选项","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"全部自动修复(推荐)— 
按优先级依次修复所有发现的问题","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"仅修复严重和高危 — 只修复红色和黄色标记的问题","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"选择性修复 — 让我逐项确认","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"仅生成报告,不修复","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"修复操作库","type":"text"}]},{"type":"paragraph","content":[{"text":"根据用户选择,执行对应的修复操作:","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"1. 安装配置 fail2ban","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"ssh $SSH_TARGET \"apt-get update -qq && apt-get install -y -qq fail2ban\"\nssh $SSH_TARGET \"cat > /etc/fail2ban/jail.local \u003c\u003c 'EOF'\n[DEFAULT]\nbantime = 3600\nfindtime = 600\nmaxretry = 5\n\n[sshd]\nenabled = true\nport = ssh\nfilter = sshd\nlogpath = /var/log/auth.log\nmaxretry = 3\nbantime = 86400\nEOF\nsystemctl enable fail2ban && systemctl restart fail2ban\"","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"2. 启用 UFW 防火墙","type":"text"}]},{"type":"paragraph","content":[{"text":"先从监听端口列表中识别需要放通的端口(22 必须),然后:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"ssh $SSH_TARGET \"ufw default deny incoming && ufw default allow outgoing && ufw allow 22/tcp\"\n# 根据实际需要放通其他端口(80, 443 等)\nssh $SSH_TARGET \"echo 'y' | ufw enable\"","type":"text"}]},{"type":"paragraph","content":[{"text":"关键","type":"text","marks":[{"type":"strong"}]},{"text":":启用前必须确保 SSH 端口已放通,否则会锁死连接。","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"3. 
Databases listen on localhost only","type":"text"}]},{"type":"paragraph","content":[{"text":"Back up the configuration file first and confirm that no application connects from another host; the restart drops every open connection.","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"PostgreSQL","type":"text","marks":[{"type":"strong"}]},{"text":": set ","type":"text"},{"text":"listen_addresses = 'localhost'","type":"text","marks":[{"type":"code_inline"}]},{"text":" and ","type":"text"},{"text":"systemctl restart postgresql","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"MySQL","type":"text","marks":[{"type":"strong"}]},{"text":": set ","type":"text"},{"text":"bind-address = 127.0.0.1","type":"text","marks":[{"type":"code_inline"}]},{"text":" and ","type":"text"},{"text":"systemctl restart mysql","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Redis","type":"text","marks":[{"type":"strong"}]},{"text":": set ","type":"text"},{"text":"bind 127.0.0.1","type":"text","marks":[{"type":"code_inline"}]},{"text":" (keep ","type":"text"},{"text":"protected-mode yes","type":"text","marks":[{"type":"code_inline"}]},{"text":") and ","type":"text"},{"text":"systemctl restart redis","type":"text","marks":[{"type":"code_inline"}]}]}]}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"4. Disable dangerous services","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# rpcbind is required by NFS; skip this when the host exports or mounts NFS shares\nssh $SSH_TARGET \"systemctl stop rpcbind rpcbind.socket && systemctl disable rpcbind rpcbind.socket && systemctl mask rpcbind rpcbind.socket\"","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"5. Fix file permissions","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# .env files to 600\nssh $SSH_TARGET \"find /opt /var/www -type f -name '.env*' -exec chmod 600 {} \\;\"\n# database files to 600 and their directory to 700; the owner must be the account the\n# application runs as (check with ls -l), otherwise the application loses access\nssh $SSH_TARGET \"find /opt /var/www -type f \\( -name '*.db' -o -name '*.sqlite' \\) | while read -r f; do chmod 600 \\\"\\$f\\\"; chmod 700 \\$(dirname \\\"\\$f\\\"); done\"","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"6. 
Nginx hardening","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# hide the version; this sed only works when nginx.conf still carries the commented-out default,\n# otherwise add server_tokens off; to the http block by hand\nssh $SSH_TARGET \"sed -i 's/# server_tokens off;/server_tokens off;/' /etc/nginx/nginx.conf\"\n# add security headers in every server block; add_header is inherited only when the current\n# level defines none, so repeat the full set in any location block that adds its own header\n# add_header X-Frame-Options \"SAMEORIGIN\" always;\n# add_header X-Content-Type-Options \"nosniff\" always;\n# add_header Referrer-Policy \"strict-origin-when-cross-origin\" always;\n# X-XSS-Protection \"1; mode=block\" is obsolete: current browsers ignore it and the old filter\n# could itself be abused for cross-site leaks, so omit it or send \"0\"\n# test before reloading; on a failed test the running configuration stays untouched\nssh $SSH_TARGET \"nginx -t && systemctl reload nginx\"","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"7. Disable surplus users","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# nologin refuses an interactive shell; -L also locks the password so su and console logins fail\nssh $SSH_TARGET \"usermod -L -s /usr/sbin/nologin \u003cusername>\"\n# remove unnecessary sudo membership (Debian/Ubuntu; on RHEL-family: gpasswd -d \u003cusername> wheel)\nssh $SSH_TARGET \"deluser \u003cusername> sudo\"","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Post-fix verification","type":"text"}]},{"type":"paragraph","content":[{"text":"Verify immediately after each fix:","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Fix item","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Verification command","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"fail2ban","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"fail2ban-client status 
sshd","type":"text","marks":[{"type":"code_inline"}]}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"UFW","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"ufw status verbose","type":"text","marks":[{"type":"code_inline"}]}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Database listeners","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"ss -tlnp | grep ':\u003cport> '","type":"text","marks":[{"type":"code_inline"}]},{"text":" (only 127.0.0.1 or [::1] should appear)","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"rpcbind","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"ss -tulnp | grep ':111 '","type":"text","marks":[{"type":"code_inline"}]},{"text":" (rpcbind binds TCP and UDP 111; both must be gone)","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"File permissions","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"ls -la \u003cfile>","type":"text","marks":[{"type":"code_inline"}]}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Nginx","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"curl -sI http://localhost/ | grep -i 
server","type":"text","marks":[{"type":"code_inline"}]}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"SSH connectivity","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"After every network-configuration change, confirm SSH still connects from a new session before closing the current one","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 9: Remediation summary","type":"text"}]},{"type":"paragraph","content":[{"text":"After all fixes are done, recompute the security score and output the before/after comparison:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":""},"content":[{"text":"## Remediation summary\n\n| Issue | Before | After | Status |\n|------|--------|--------|------|\n| fail2ban | not installed | running, SSH: 3 failures → 24h ban | ✅ |\n| Firewall | disabled | UFW enabled, only 22/80/443 open | ✅ |\n| ... | ... | ... | ... |\n\n## Security score: X/100 → Y/100 (+Z)","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Safety rules","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"The SSH port must always stay allowed","type":"text","marks":[{"type":"strong"}]},{"text":": before any firewall operation, make sure port 22 is allowed","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Verify SSH immediately after any network change","type":"text","marks":[{"type":"strong"}]},{"text":": after every firewall or SSH configuration change, confirm you can still connect","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Never restart the SSH service on your own","type":"text","marks":[{"type":"strong"}]},{"text":": after editing sshd_config, test with ","type":"text"},{"text":"sshd -t","type":"text","marks":[{"type":"code_inline"}]},{"text":" first, then ","type":"text"},{"text":"systemctl reload sshd","type":"text","marks":[{"type":"code_inline"}]},{"text":" (the unit is called ","type":"text"},{"text":"ssh","type":"text","marks":[{"type":"code_inline"}]},{"text":" on Debian/Ubuntu)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Never delete authorized_keys","type":"text","marks":[{"type":"strong"}]},{"text":": that makes SSH login impossible","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Never change the SSH 
port","type":"text","marks":[{"type":"strong"}]},{"text":": unless the user explicitly asks for it","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Confirm dependencies before database changes","type":"text","marks":[{"type":"strong"}]},{"text":": before changing a database configuration, check which applications use it","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Every step must be reversible","type":"text","marks":[{"type":"strong"}]},{"text":": record the pre-change configuration value so it can be restored when needed","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Notes","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Output all information in Chinese","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Run scan commands with maximum parallelism to cut waiting time","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Adapt commands automatically to the Linux distribution (apt/yum, ufw/firewalld, etc.)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"If the SSH connection fails, prompt the user to check the connection details and the network","type":"text"}]}]}]},{"type":"hr","attrs":{"markup":"---"}}]},"metadata":{"date":"2026-06-05","name":"server-security","author":"@skillopedia","source":{"stars":148,"repo_name":"claude-arsenal","origin_url":"https://github.com/majiayu000/claude-arsenal/blob/HEAD/skills/server-security/SKILL.md","repo_owner":"majiayu000","body_sha256":"e40ba16ee77742996d7b215cfcc0e1e4c93d91efeb73db3f21fce8ceec80de7a","cluster_key":"6c361d9a6f750cfe4ea7b736db9552917c3774e221617449f9dd8cc2b73b01d7","clean_bundle":{"format":"clean-skill-bundle-v1","source":"majiayu000/claude-arsenal/skills/server-security/SKILL.md","bundle_sha256":"19b4981b391695711dc4eca973e011bd16a47a15a7913afaac0107fdeba589d6","attachment_count":0,"text_attachments":0,"binary_attachments":0},"cluster_size":1,"skill_md_path":"skills/server-security/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"security","category_label":"Security"},"exact_dupes_collapsed_into_this":0},"version":"v1","categ
ory":"security","metadata":{"argument-hint":"\u003cssh connection string> e.g. [email protected]"},"import_tag":"clean-skills-v1","description":"Server security audit and hardening. Scans for SSH, firewall, port-exposure, file-permission and brute-force issues, generates a report and offers one-click remediation. Use when the user mentions server security, security audit, security check or security hardening","allowed-tools":"Bash, AskUserQuestion"}},"renderedAt":1782986372517}
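The firewall step above tells the operator to derive the UFW allow-list from the listening-port list with 22 mandatory, and the database step to re-bind exposed databases rather than open them. The snippet below is an added example written for this page, not code from the claude-arsenal skill: it reads `ss -tlnp` output, emits the `ufw allow` commands, and flags database ports bound beyond loopback. The function names, the constructed `ss` listing and the port list 5432/3306/6379 (PostgreSQL/MySQL/Redis) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original skill: turn `ss -tlnp` output into the UFW
# allow-list the firewall step needs, and flag database ports that the "listen on
# localhost only" step must re-bind instead of opening. The listing below is a
# constructed sample; in a real run feed it with:  ssh "$SSH_TARGET" ss -tlnp | ufw_plan
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*     users:(("sshd",pid=700,fd=3))
LISTEN 0      511    0.0.0.0:80           0.0.0.0:*     users:(("nginx",pid=900,fd=6))
LISTEN 0      511    [::]:443             [::]:*        users:(("nginx",pid=900,fd=7))
LISTEN 0      244    0.0.0.0:5432         0.0.0.0:*     users:(("postgres",pid=1200,fd=5))
LISTEN 0      511    127.0.0.1:6379       0.0.0.0:*     users:(("redis-server",pid=1300,fd=6))
LISTEN 0      80     *:3306               *:*           users:(("mysqld",pid=1400,fd=20))
LISTEN 0      128    [::1]:9000           [::]:*        users:(("php-fpm",pid=1500,fd=8))'

# Ports that must never be opened to the network (assumed set: PostgreSQL, MySQL, Redis).
DB_PORTS='5432|3306|6379'

# Read ss output on stdin; print each TCP port bound to a wildcard address
# (0.0.0.0, [::] or *), sorted and de-duplicated. Loopback-only sockets are skipped.
public_ports() {
  awk '$1 == "LISTEN" {
         n = split($4, a, ":"); port = a[n]
         addr = substr($4, 1, length($4) - length(port) - 1)
         if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") print port
       }' | sort -n | uniq
}

# Database ports reachable beyond loopback. Exit status 0 means at least one is exposed.
exposed_db_ports() {
  public_ports | grep -xE "$DB_PORTS"
}

# Emit the `ufw allow` commands to run before `ufw enable`: every exposed port except the
# database ones, with 22 always present so enabling the firewall cannot lock out the session.
ufw_plan() {
  { echo 22; public_ports | grep -vxE "$DB_PORTS" || true; } | sort -n | uniq | sed 's|^|ufw allow |; s|$|/tcp|'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SS" | ufw_plan
if printf '%s\n' "$SAMPLE_SS" | exposed_db_ports; then
  echo 'database ports above are exposed: re-bind them to 127.0.0.1 before enabling the firewall'
fi
```

Run the emitted rules first and `ufw enable` only afterwards. Because the safety rules require every step to be reversible, start a watchdog such as `nohup sh -c 'sleep 120 && ufw disable' &` on the host before enabling, then kill it once a fresh SSH session succeeds; if the session is lost, the firewall switches itself off again.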

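The verification table only greps the Server header after the Nginx fix. As an added example (not from the original skill), the snippet below checks the full `curl -sI` output for the headers the Nginx hardening step adds and for a version-disclosing Server header; both header blocks are constructed samples and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original skill: check a raw response-header block
# (what `curl -sI http://localhost/` returns) for the headers the Nginx hardening step
# adds and for a version-disclosing Server header. Both samples are constructed.
DEFAULT_NGINX='HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html
Content-Length: 612
Connection: keep-alive
X-Frame-Options: SAMEORIGIN'

HARDENED_NGINX='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin'

# Headers the hardening step adds to every server block (names compared case-insensitively).
# Add strict-transport-security here only when probing the https listener; it is meaningless over plain http.
REQUIRED='x-frame-options x-content-type-options referrer-policy'

# Print the required headers missing from the block on stdin, one per line; exit 0 only when none are missing.
missing_headers() {
  names=$(tr -d '\r' | awk -F: 'NF > 1 {print tolower($1)}')
  rc=0
  for h in $REQUIRED; do
    if ! printf '%s\n' "$names" | grep -qx "$h"; then
      echo "$h"; rc=1
    fi
  done
  return $rc
}

# Print the Server value and exit 0 when it carries a version number, i.e. server_tokens is still on.
server_version_leaks() {
  tr -d '\r' | awk -F': ' 'tolower($1) == "server" {print $2}' | grep -E '[0-9]'
}

# Demonstration on the un-hardened sample.
if ! printf '%s\n' "$DEFAULT_NGINX" | missing_headers; then
  echo 'headers listed above are missing'
fi
if printf '%s\n' "$DEFAULT_NGINX" | server_version_leaks; then
  echo 'server_tokens is still on'
fi
```

Use it as `curl -sI http://localhost/ | missing_headers` on the host; a non-zero exit from either function means the corresponding fix has not taken effect, which is what the verification table asks the operator to confirm before moving on.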