{"id":51714200,"url":"https://github.com/dsured/ssh-safekit","last_synced_at":"2026-07-17T01:01:23.588Z","repository":{"id":359799632,"uuid":"1247544320","full_name":"DsureD/ssh-safekit","owner":"DsureD","description":"Linux 服务器 SSH 安全一键加固脚本。交互式菜单操作，广泛兼容主流 Linux 发行版。","archived":false,"fork":false,"pushed_at":"2026-06-01T06:19:04.000Z","size":40,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-01T08:15:40.409Z","etag":null,"topics":["bash-script","devops","fail2ban","firewall","hardening","linux-security","server-security","ssh","ssh-hardening","sysadmin","ufw","vps"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DsureD.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-23T13:08:09.000Z","updated_at":"2026-06-01T06:19:42.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/DsureD/ssh-safekit","commit_stats":null,"previous_names":["dsured/ssh-safekit"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/DsureD/ssh-safekit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DsureD%2Fssh-safekit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DsureD%2Fssh-safekit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DsureD%2Fssh-safekit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DsureD%2Fssh-safekit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DsureD","download_url":"https://codeload.github.com/DsureD/ssh-safekit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DsureD%2Fssh-safekit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35563056,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-16T02:00:06.687Z","response_time":83,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bash-script","devops","fail2ban","firewall","hardening","linux-security","server-security","ssh","ssh-hardening","sysadmin","ufw","vps"],"created_at":"2026-07-17T01:00:46.255Z","updated_at":"2026-07-17T01:01:23.559Z","avatar_url":"https://github.com/DsureD.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ssh-safekit\n\n[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)\n\nLinux 服务器 SSH 安全一键加固脚本。交互式菜单操作，广泛兼容主流 Linux 发行版。\n\n## 功能\n\n- **SSH 配置管理** — Root 登录策略、密码认证开关、端口修改（自定义/随机高位端口）、认证限制、空闲超时、root 密码管理\n- **SSH 密钥管理** — 服务器端生成密钥对（ed25519/RSA 4096）、导入已有公钥\n- **Fail2ban** — 一键安装、配置 SSH 防暴力破解规则、解封 IP\n- **防火墙** — 自适应 ufw（Debian 系）/ firewalld（RHEL 系）/ iptables（Alpine/Arch 等），IPv4+IPv6 双栈\n- **一键推荐加固** — 7 步引导式加固流程，每步可跳过\n- **安全状态总览** — 一键查看 SSH、防火墙、Fail2ban、监听端口等状态\n- **配置还原** — 从自动备份中恢复 SSH 配置\n- **CLI 参数** — 支持 `--status`、`--quick` 等非交互模式\n- **广泛兼容** — 基于能力检测，自动适配不同发行版的包管理器、防火墙和 init 系统\n\n## 新特性 (v1.2.2)\n\n- ✨ **基于能力检测的系统识别** — 不再依赖硬编码的发行版列表，自动识别包管理器和工具\n- ✨ **Alpine Linux 完整支持** — 支持 apk 包管理器、OpenRC init 系统和 iptables 防火墙\n- ✨ **Arch Linux 支持** — 支持 pacman 包管理器\n- ✨ **openSUSE 支持** — 支持 zypper 包管理器\n- ✨ **多 init 系统支持** — 兼容 systemd、OpenRC 和 SysVinit\n- ✨ **iptables 防火墙支持** — 适用于轻量级系统和容器环境\n- ✨ **智能用户选择** — 在纯 root 环境下自动查找普通用户或使用 root\n- 🔧 **统一服务管理** — 抽象层自动适配不同 init 系统的服务管理命令\n\n## 菜单结构\n\n```\nssh-safekit 主菜单\n├── 1) SSH 配置管理\n│   ├── 1) Root 登录设置 (yes / prohibit-password / no)\n│   ├── 2) 密码认证开关 (启用 / 禁用，带公钥检查)\n│   ├── 3) 修改 SSH 端口 (自定义 / 随机高位 / 恢复22)\n│   ├── 4) 认证限制 (MaxAuthTries / LoginGraceTime)\n│   ├── 5) 空闲超时 (ClientAliveInterval / ClientAliveCountMax)\n│   ├── 6) 修改 root 密码 (passwd)\n│   ├── 7) 锁定 root 密码 (passwd -l)\n│   └── 0) 返回主菜单\n├── 2) SSH 密钥管理\n│   ├── 1) 生成新密钥对 (ed25519 / RSA 4096)\n│   ├── 2) 导入已有公钥 (粘贴)\n│   ├── 3) 查看当前 authorized_keys\n│   └── 0) 返回主菜单\n├── 3) Fail2ban 管理\n│   ├── 1) 安装 Fail2ban\n│   ├── 2) 配置 SSH 防护规则 (bantime / findtime / maxretry)\n│   ├── 3) 查看状态\n│   ├── 4) 解封 IP\n│   └── 0) 返回主菜单\n├── 4) 防火墙管理 (自适应 ufw / firewalld)\n│   ├── 1) 放行端口 (TCP / UDP / TCP+UDP)\n│   ├── 2) 关闭端口\n│   ├── 3) 设置默认策略 (拒绝入站 / 允许所有)\n│   ├── 4) 启用防火墙\n│   ├── 5) 禁用防火墙\n│   ├── 6) 查看状态\n│   └── 0) 返回主菜单\n├── 5) 一键推荐加固\n│   ├── 步骤 1. 检测系统环境\n│   ├── 步骤 2. SSH 端口设置 (保持 / 自定义 / 随机)\n│   ├── 步骤 3. SSH 密钥配置 (生成 / 粘贴公钥)\n│   ├── 步骤 4. 防火墙配置\n│   ├── 步骤 5. 安装 Fail2ban\n│   ├── 步骤 6. 禁用密码登录\n│   └── 步骤 7. 限制 root 登录 + 锁定 root 密码\n├── 6) 查看当前安全状态\n│   ├── 系统信息\n│   ├── SSH 配置 (含空闲超时)\n│   ├── Root 密码状态\n│   ├── 防火墙规则\n│   ├── Fail2ban 状态\n│   ├── 当前 SSH 会话\n│   └── 监听端口\n├── 7) 从备份还原 SSH 配置\n└── 0) 退出\n```\n\n## 安全保护\n\n- 禁用密码登录前强制检查 `authorized_keys` 是否有有效公钥，防止锁死\n- 修改 SSH 端口前自动在防火墙放行新端口\n- RHEL 系自动处理 SELinux 端口策略（`semanage port`），避免改端口后 sshd 启动失败\n- 启用防火墙前强制放行当前 SSH 端口\n- 所有 SSH 配置变更前 `sshd -t` 校验，失败自动回滚\n- 仅使用 `systemctl reload`，不中断现有会话\n- 每次修改前自动备份到带时间戳的文件，自动保留最近 20 份\n- 自动适配 OpenSSH 版本，新版使用 `KbdInteractiveAuthentication`，旧版使用 `ChallengeResponseAuthentication`\n- 日志文件超过 10MB 时自动轮转\n\n## 快速开始\n\n### GitHub下载并运行（推荐）\n\n使用 `curl`：\n\n```bash\ncurl -fsSL https://raw.githubusercontent.com/DsureD/ssh-safekit/main/ssh-safekit.sh -o ssh-safekit.sh \u0026\u0026 chmod +x ssh-safekit.sh \u0026\u0026 ./ssh-safekit.sh\n```\n\n使用 `wget`：\n\n```bash\nwget -qO ssh-safekit.sh https://raw.githubusercontent.com/DsureD/ssh-safekit/main/ssh-safekit.sh \u0026\u0026 chmod +x ssh-safekit.sh \u0026\u0026 ./ssh-safekit.sh\n```\n\n### 一键脚本（直接运行）\n\n```bash\nbash \u003c(curl -fsSL https://raw.githubusercontent.com/DsureD/ssh-safekit/main/ssh-safekit.sh)\n```\n\n\u003e 注意：管道执行需要 root 权限，建议先下载审查后再运行。\n\n### 手动安装\n\n```bash\ngit clone https://github.com/DsureD/ssh-safekit.git\ncd ssh-safekit\nchmod +x ssh-safekit.sh\nsudo ./ssh-safekit.sh\n```\n\n## 自定义日志路径\n\n默认日志写入 `/var/log/ssh-safekit.log`，可通过环境变量覆盖：\n\n```bash\nsudo SSH_SAFEKIT_LOG=/var/log/my-ssh-audit.log ./ssh-safekit.sh\n```\n\n## CLI 参数\n\n除交互式菜单外，还支持以下命令行参数：\n\n```bash\nsudo ./ssh-safekit.sh --help      # 显示帮助\nsudo ./ssh-safekit.sh --version   # 显示版本号\nsudo ./ssh-safekit.sh --status    # 非交互式查看安全状态\nsudo ./ssh-safekit.sh --quick     # 直接进入一键加固流程\n```\n\n## 系统要求\n\n**支持的发行版：**\n\n脚本采用**基于能力检测**的设计，自动识别包管理器、防火墙工具和 init 系统，理论上支持所有主流 Linux 发行版：\n\n| 发行版系列 | 包管理器 | 防火墙 | Init 系统 | 测试状态 |\n|-----------|---------|--------|----------|---------|\n| **Debian/Ubuntu** | apt | ufw | systemd | ✅ 完全支持 |\n| Debian 10+ | apt | ufw | systemd | ✅ 完全支持 |\n| Ubuntu 18.04+ | apt | ufw | systemd | ✅ 完全支持 |\n| Linux Mint | apt | ufw | systemd | ✅ 完全支持 |\n| **RHEL/CentOS** | dnf/yum | firewalld | systemd | ✅ 完全支持 |\n| CentOS 7+ | yum | firewalld | systemd | ✅ 完全支持 |\n| Rocky Linux 8+ | dnf | firewalld | systemd | ✅ 完全支持 |\n| AlmaLinux 8+ | dnf | firewalld | systemd | ✅ 完全支持 |\n| Fedora 33+ | dnf | firewalld | systemd | ✅ 完全支持 |\n| **云厂商定制版** | dnf/yum | firewalld | systemd | ✅ 完全支持 |\n| Alibaba Cloud Linux 2+ | yum | firewalld | systemd | ✅ 完全支持 |\n| Amazon Linux 2+ | yum | firewalld | systemd | ✅ 完全支持 |\n| TencentOS Server 2+ | yum | firewalld | systemd | ✅ 完全支持 |\n| openEuler 20.03+ | dnf | firewalld | systemd | ✅ 完全支持 |\n| 龙蜥 OpenAnolis 8+ | dnf | firewalld | systemd | ✅ 完全支持 |\n| **国产操作系统** | dnf/yum | firewalld | systemd | ✅ 完全支持 |\n| 银河麒麟 Kylin V10 | yum | firewalld | systemd | ✅ 完全支持 |\n| 统信 UOS 20+ | apt | ufw | systemd | ✅ 完全支持 |\n| **Alpine Linux** | apk | iptables | openrc | ✅ 完全支持 |\n| Alpine 3.x | apk | iptables | openrc | ✅ 完全支持 |\n| **Arch Linux** | pacman | iptables | systemd | ✅ 理论支持 |\n| Arch Linux | pacman | iptables | systemd | ⚠️ 未充分测试 |\n| Manjaro | pacman | iptables | systemd | ⚠️ 未充分测试 |\n| **openSUSE** | zypper | firewalld | systemd | ✅ 理论支持 |\n| openSUSE Leap | zypper | firewalld | systemd | ⚠️ 未充分测试 |\n| openSUSE Tumbleweed | zypper | firewalld | systemd | ⚠️ 未充分测试 |\n\n**最低要求：**\n- root 权限或 sudo\n- bash 4.0+\n- OpenSSH Server\n\n**可选组件：**\n- systemd / openrc / sysvinit（服务管理）\n- ufw / firewalld / iptables（防火墙）\n- fail2ban（防暴力破解）\n\n## 使用建议\n\n1. 首次运行建议先选菜单 `6) 查看当前安全状态`，了解服务器现状\n2. 使用 `5) 一键推荐加固` 可快速完成全套加固\n3. **操作全程不要关闭当前 SSH 会话**，新开一个终端验证连接成功后再退出\n4. 如果改了端口，记得用新端口连接：`ssh -p \u003c新端口\u003e user@server`\n5. **云服务器用户注意**：修改 SSH 端口后，除了本机防火墙，还需要在云厂商控制台的**安全组**中放行新端口（TCP），否则仍然无法连接\n\n## 许可证\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdsured%2Fssh-safekit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdsured%2Fssh-safekit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdsured%2Fssh-safekit/lists"}