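#!/bin/bash
# SSH hardening helper.
#
# 1. Writes a small marker file with the run date.
# 2. Fetches public key(s) from REMOTE_KEY_URL and appends each well-formed
#    entry to the invoking account's authorized_keys.
# 3. Sets Port/PubkeyAuthentication in sshd_config (backing it up first).
# 4. Only if a valid key is in place: disables password authentication,
#    validates the config with `sshd -t` and restarts sshd. Otherwise stops so
#    the operator is not locked out.
#
# Must run as root (edits /etc/ssh/sshd_config and restarts sshd).
set -euo pipefail

# Colour definitions
RED='\033[0;31m'
GREEN='\033[0;32m'
NC='\033[0m' # no colour

# Tunables
NEW_PORT="2233"
REMOTE_KEY_URL="https://f.2ha.me/mek" # replace with the real public-key URL
CONFIG="/etc/ssh/sshd_config"
SETUP_LOG="/tmp/custom_setup.log"
# NOTE(review): $HOME is the home of the account running the script; under sudo
# that is normally root, so the key lands in /root/.ssh — confirm this is the
# account you intend to log in as before password auth is disabled.
SSH_DIR="$HOME/.ssh"
AUTH_KEYS="$SSH_DIR/authorized_keys"

# Shape of an acceptable authorized_keys line: key type, base64 blob, optional
# comment. Entries with a leading options field (command=..., from=...) are
# deliberately not accepted here.
readonly KEY_RE='^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'

log() { echo -e "${GREEN}[$(date +'%H:%M:%S')] $1${NC}"; }
# Diagnostics go to stderr so they are never mixed into captured stdout.
error() { echo -e "${RED}[$(date +'%H:%M:%S')] ERROR: $1${NC}" >&2; }

#######################################
# 1. Write a short marker file recording when the script ran.
# Globals:  SETUP_LOG (read)
# NOTE(review): this is a fixed, predictable path under /tmp; as root, '>'
# follows a pre-planted symlink there — a root-owned directory would be safer.
#######################################
write_setup_log() {
  log "正在初始化本地配置文件..."
  cat <<EOF > "$SETUP_LOG"
Setup Date: $(date)
Target: SSH Hardening
EOF
}

#######################################
# 2. Fetch public key(s) from REMOTE_KEY_URL and append each valid one to
#    AUTH_KEYS, skipping entries that are already present.
# Globals:  REMOTE_KEY_URL, SSH_DIR, AUTH_KEYS, KEY_RE (read)
# Returns:  0 if at least one valid key is now in AUTH_KEYS, 1 otherwise
#######################################
install_pubkey() {
  local fetched line
  local added=0 present=0 rejected=0

  mkdir -p "$SSH_DIR" && chmod 700 "$SSH_DIR"
  log "正在尝试获取远程公钥..."

  # -f: an HTTP error (404, 5xx) is a failure instead of an error page that
  # would otherwise be written into authorized_keys as if it were a key.
  if ! fetched=$(curl -fsSL --max-time 30 "$REMOTE_KEY_URL"); then
    error "无法从 $REMOTE_KEY_URL 获取公钥!"
    return 1
  fi

  # Make sure an existing file ends with a newline so appends start a fresh line.
  if [[ -s "$AUTH_KEYS" && -n "$(tail -c1 -- "$AUTH_KEYS")" ]]; then
    printf '\n' >> "$AUTH_KEYS"
  fi

  # Validate line by line: only well-formed authorized_keys entries are written,
  # so HTML, a truncated download or a stray comment can never end up in the
  # file. Rejected content is counted, not echoed (it is untrusted).
  while IFS= read -r line || [[ -n "$line" ]]; do
    if [[ -z "$line" || "$line" == \#* ]]; then
      continue
    fi
    if [[ ! "$line" =~ $KEY_RE ]]; then
      rejected=$((rejected + 1))
      continue
    fi
    if [[ -f "$AUTH_KEYS" ]] && grep -qF -- "$line" "$AUTH_KEYS"; then
      present=$((present + 1))
      continue
    fi
    printf '%s\n' "$line" >> "$AUTH_KEYS"
    added=$((added + 1))
  done <<<"$fetched"

  if (( rejected > 0 )); then
    error "已忽略 ${rejected} 行无法识别的内容。"
  fi
  if (( added > 0 )); then
    chmod 600 "$AUTH_KEYS"
    log "公钥已成功写入 $AUTH_KEYS"
  elif (( present > 0 )); then
    log "公钥已存在,跳过写入。"
  else
    error "远程内容中没有有效的公钥!"
    return 1
  fi
  return 0
}

#######################################
# Set a keyword in an sshd config file: rewrite an existing (possibly
# commented-out) line, otherwise append one.
# Arguments: $1 keyword, $2 value, $3 optional file (defaults to CONFIG)
# Globals:   CONFIG (read)
# NOTE: every matching line is rewritten, including any inside a Match block.
#######################################
set_config() {
  local key=$1
  local value=$2
  local file=${3:-$CONFIG}
  # Anchor on the keyword followed by whitespace or end of line so that e.g.
  # "Port" cannot match an unrelated longer keyword.
  if grep -Eq "^#?${key}([[:space:]]|$)" "$file"; then
    sed -E -i "s|^#?${key}([[:space:]].*)?$|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

#######################################
# 3. Back up sshd_config and set the port / pubkey options.
# Globals:  CONFIG, NEW_PORT (read)
# Returns:  0 on success, 1 if CONFIG does not exist
#######################################
configure_sshd() {
  log "正在配置 sshd_config..."
  if [[ ! -f "$CONFIG" ]]; then
    error "找不到 $CONFIG"
    return 1
  fi
  cp -- "$CONFIG" "${CONFIG}.bak"
  # NOTE(review): if sshd_config starts with an "Include" of sshd_config.d/*.conf,
  # a fragment there wins for first-match keywords such as PasswordAuthentication;
  # verify the effective values afterwards with `sshd -T`.
  set_config "Port" "$NEW_PORT"
  set_config "PubkeyAuthentication" "yes"
}

#######################################
# 4. Disable password auth, validate the config and restart sshd.
# Globals:  CONFIG, NEW_PORT (read)
# Returns:  0 on success, 1 if validation or the restart fails
#######################################
finalize() {
  log "公钥确认无误,正在禁用密码登录并重启服务..."
  set_config "PasswordAuthentication" "no"
  # Validate before restarting: a syntax error would leave new connections
  # refused. On failure restore the backup taken in configure_sshd.
  if command -v sshd >/dev/null 2>&1 && ! sshd -t; then
    cp -- "${CONFIG}.bak" "$CONFIG"
    error "sshd_config 语法检查失败,已恢复备份。"
    return 1
  fi
  # NOTE(review): keep this session open and confirm a login on the new port
  # from a second terminal; the port must also be allowed by any host or cloud
  # firewall, which this script does not touch.
  if systemctl restart sshd; then
    log "配置完成!请使用新端口连接:ssh -p ${NEW_PORT} user@ip"
  else
    error "SSH 重启失败,请检查配置语法。"
    return 1
  fi
}

main() {
  if [[ $EUID -ne 0 ]]; then
    error "请以 root 身份运行此脚本。"
    exit 1
  fi

  write_setup_log

  local pubkey_success=true
  install_pubkey || pubkey_success=false

  configure_sshd

  if [[ "$pubkey_success" == true ]]; then
    finalize
  else
    echo -e "----------------------------------------------------"
    error "由于公钥写入失败,为了防止您被锁在系统外,脚本已停止。"
    echo -e "${RED}请手动检查公钥配置后再执行: systemctl restart sshd${NC}"
    echo -e "----------------------------------------------------"
    exit 1
  fi
}

main "$@"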