bookworm-boot/secure-firewall.sh

#!/bin/bash
# ============================================================
# Bookworm Portable - 防火墙加固 (P1-2)
# 配置 UFW + fail2ban 保护 Gitea
# ============================================================
# 用法: ssh root@8.138.11.105 'bash -s' < secure-firewall.sh
# ============================================================

set -euo pipefail

echo "========================================="
echo "  Bookworm 防火墙加固 v1.0"
echo "========================================="

# 1. 确保 Gitea 只监听 127.0.0.1 (Nginx 反代已处理外部访问)
GITEA_INI="/var/lib/gitea/custom/conf/app.ini"
if [ -f "$GITEA_INI" ]; then
  if grep -q "^HTTP_ADDR.*=.*127.0.0.1" "$GITEA_INI"; then
    echo "[1/3] Gitea 已绑定 127.0.0.1"
  else
    echo "[1/3] 配置 Gitea 仅本地监听..."
    sed -i "s/^HTTP_ADDR\s*=.*/HTTP_ADDR = 127.0.0.1/" "$GITEA_INI" 2>/dev/null || \
      sed -i "/^\[server\]/a HTTP_ADDR = 127.0.0.1" "$GITEA_INI"
    systemctl restart gitea
    echo "  [OK] Gitea 已限制为本地监听"
  fi
else
  echo "[1/3] [!] Gitea 配置不存在，跳过"
fi

# 2. 安装配置 fail2ban
echo "[2/3] 配置 fail2ban..."
if ! command -v fail2ban-client &>/dev/null; then
  apt-get update -qq && apt-get install -y -qq fail2ban
fi

# Gitea 登录失败过滤器
cat > /etc/fail2ban/filter.d/gitea.conf << 'EOF'
[Definition]
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
ignoreregex =
EOF

# Gitea jail 配置
cat > /etc/fail2ban/jail.d/gitea.conf << EOF
[gitea]
enabled  = true
port     = http,https
filter   = gitea
logpath  = /var/lib/gitea/log/gitea.log
maxretry = 5
findtime = 3600
bantime  = 86400
action   = iptables-multiport[name=gitea, port="http,https"]
EOF

systemctl restart fail2ban
echo "  [OK] fail2ban 已配置 (5次失败/小时 → 封禁24小时)"

# 3. 输出阿里云安全组配置指引
echo "[3/3] 安全组配置指引..."
echo ""
echo "========================================="
echo "  阿里云安全组配置 (手动操作)"
echo "========================================="
echo ""
echo "  1. 登录阿里云控制台 → ECS → 安全组"
echo "  2. 找到实例 8.138.11.105 所在安全组"
echo "  3. 添加入方向规则:"
echo ""
echo "  ┌────────────┬──────────┬───────────────────────────┐"
echo "  │ 端口       │ 协议     │ 授权对象                  │"
echo "  ├────────────┼──────────┼───────────────────────────┤"
echo "  │ 443/443    │ TCP      │ 0.0.0.0/0 (HTTPS 公开)   │"
echo "  │ 80/80      │ TCP      │ 0.0.0.0/0 (重定向用)     │"
echo "  │ 22/22      │ TCP      │ 你的 IP/32               │"
echo "  ├────────────┼──────────┼───────────────────────────┤"
echo "  │ 3300/3300  │ TCP      │ 拒绝 0.0.0.0/0           │"
echo "  │            │          │ (Gitea 仅本地，不需公开)  │"
echo "  └────────────┴──────────┴───────────────────────────┘"
echo ""
echo "  4. 删除任何允许 3300 端口公开访问的规则"
echo ""
echo "  查看你当前的公网 IP:"
echo "    curl -s ifconfig.me"
echo ""
echo "========================================="
feat: Bookworm Portable v1.5 — 8 fixes (P0 NDA + P1 banners + P2 perf) - P1: Banner v1.3→v1.5, Hooks 29→34 - P1: 卸载脚本补删更新Bookworm.lnk - P1: git stash pop 安全检查 - P2: Playwright 检测改用 npm list - P2: 代理端口扫描 500ms async 超时 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-05 23:34:27 +08:00			`#!/bin/bash`
			`# ============================================================`
			`# Bookworm Portable - 防火墙加固 (P1-2)`
			`# 配置 UFW + fail2ban 保护 Gitea`
			`# ============================================================`
			`# 用法: ssh root@8.138.11.105 'bash -s' < secure-firewall.sh`
			`# ============================================================`

			`set -euo pipefail`

			`echo "========================================="`
			`echo " Bookworm 防火墙加固 v1.0"`
			`echo "========================================="`

			`# 1. 确保 Gitea 只监听 127.0.0.1 (Nginx 反代已处理外部访问)`
			`GITEA_INI="/var/lib/gitea/custom/conf/app.ini"`
			`if [ -f "$GITEA_INI" ]; then`
			`if grep -q "^HTTP_ADDR.=.127.0.0.1" "$GITEA_INI"; then`
			`echo "[1/3] Gitea 已绑定 127.0.0.1"`
			`else`
			`echo "[1/3] 配置 Gitea 仅本地监听..."`
			`sed -i "s/^HTTP_ADDR\s=./HTTP_ADDR = 127.0.0.1/" "$GITEA_INI" 2>/dev/null \|\| \`
			`sed -i "/^\[server\]/a HTTP_ADDR = 127.0.0.1" "$GITEA_INI"`
			`systemctl restart gitea`
			`echo " [OK] Gitea 已限制为本地监听"`
			`fi`
			`else`
			`echo "[1/3] [!] Gitea 配置不存在，跳过"`
			`fi`

			`# 2. 安装配置 fail2ban`
			`echo "[2/3] 配置 fail2ban..."`
			`if ! command -v fail2ban-client &>/dev/null; then`
			`apt-get update -qq && apt-get install -y -qq fail2ban`
			`fi`

			`# Gitea 登录失败过滤器`
			`cat > /etc/fail2ban/filter.d/gitea.conf << 'EOF'`
			`[Definition]`
			`failregex = .(Failed authentication attempt\|invalid credentials\|Attempted access of unknown user). from <HOST>`
			`ignoreregex =`
			`EOF`

			`# Gitea jail 配置`
			`cat > /etc/fail2ban/jail.d/gitea.conf << EOF`
			`[gitea]`
			`enabled = true`
			`port = http,https`
			`filter = gitea`
			`logpath = /var/lib/gitea/log/gitea.log`
			`maxretry = 5`
			`findtime = 3600`
			`bantime = 86400`
			`action = iptables-multiport[name=gitea, port="http,https"]`
			`EOF`

			`systemctl restart fail2ban`
			`echo " [OK] fail2ban 已配置 (5次失败/小时 → 封禁24小时)"`

			`# 3. 输出阿里云安全组配置指引`
			`echo "[3/3] 安全组配置指引..."`
			`echo ""`
			`echo "========================================="`
			`echo " 阿里云安全组配置 (手动操作)"`
			`echo "========================================="`
			`echo ""`
			`echo " 1. 登录阿里云控制台 → ECS → 安全组"`
			`echo " 2. 找到实例 8.138.11.105 所在安全组"`
			`echo " 3. 添加入方向规则:"`
			`echo ""`
			`echo " ┌────────────┬──────────┬───────────────────────────┐"`
			`echo " │ 端口 │ 协议 │ 授权对象 │"`
			`echo " ├────────────┼──────────┼───────────────────────────┤"`
			`echo " │ 443/443 │ TCP │ 0.0.0.0/0 (HTTPS 公开) │"`
			`echo " │ 80/80 │ TCP │ 0.0.0.0/0 (重定向用) │"`
			`echo " │ 22/22 │ TCP │ 你的 IP/32 │"`
			`echo " ├────────────┼──────────┼───────────────────────────┤"`
			`echo " │ 3300/3300 │ TCP │ 拒绝 0.0.0.0/0 │"`
			`echo " │ │ │ (Gitea 仅本地，不需公开) │"`
			`echo " └────────────┴──────────┴───────────────────────────┘"`
			`echo ""`
			`echo " 4. 删除任何允许 3300 端口公开访问的规则"`
			`echo ""`
			`echo " 查看你当前的公网 IP:"`
			`echo " curl -s ifconfig.me"`
			`echo ""`
			`echo "========================================="`