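#!/bin/bash
#
# changesshport.sh — interactively open a port on the host firewall
# (firewalld / ufw / iptables), label it for SELinux where that applies, add it
# to sshd_config and optionally restart sshd.
#
# Usage:  sudo ./changesshport.sh     (prompts for port and protocol)
# Requires: root. Linux only (systemctl / iptables / GNU sed assumptions).
#
# `-e` is deliberately not set: the script relies on fall-through chains
# (`a || b`) and checks every critical command explicitly instead.
set -uo pipefail

readonly DEFAULT_PORT=2222
readonly DEFAULT_PROTOCOL=tcp
readonly SSHD_CONFIG=/etc/ssh/sshd_config

# Filled in by prompt_inputs / validate_inputs, read by everything after.
PORT=
PROTOCOL=

#######################################
# Print a message to stderr and exit 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print a message to stderr without exiting.
# Arguments: $* - message
#######################################
warn() {
  printf '%s\n' "$*" >&2
}

#######################################
# Abort unless running as root (everything below writes system config).
#######################################
check_root() {
  if [[ "$(id -u)" -ne 0 ]]; then
    die "错误:请使用 root 用户或通过 sudo 运行此脚本。"
  fi
}

#######################################
# Check that $1 is a decimal port number in 1..65535.
# The {1,5} bound rejects over-long digit strings before arithmetic sees them;
# 10# forces base 10 so leading zeros are not read as octal.
# Returns: 0 if valid, 1 otherwise
#######################################
is_valid_port() {
  local port=$1
  [[ "$port" =~ ^[0-9]{1,5}$ ]] || return 1
  (( 10#$port >= 1 && 10#$port <= 65535 ))
}

#######################################
# True when firewalld is installed and its service is active.
#######################################
firewalld_active() {
  command -v firewall-cmd >/dev/null 2>&1 && systemctl is-active --quiet firewalld
}

#######################################
# True when ufw is installed and reports itself active.
#######################################
ufw_active() {
  command -v ufw >/dev/null 2>&1 && ufw status 2>/dev/null | grep -q "Status: active"
}

#######################################
# Ask for port and protocol; defaults are applied on empty input.
# Globals: PORT, PROTOCOL (written)
#######################################
prompt_inputs() {
  local port proto
  # -r keeps backslashes literal; read already trims surrounding whitespace.
  read -r -p "请输入要放行的端口号 (默认: ${DEFAULT_PORT}): " port
  PORT=${port:-$DEFAULT_PORT}
  read -r -p "请输入协议类型 [tcp/udp] (默认: ${DEFAULT_PROTOCOL}): " proto
  proto=${proto:-$DEFAULT_PROTOCOL}
  PROTOCOL=$(printf '%s' "$proto" | tr '[:upper:]' '[:lower:]')
}

#######################################
# Validate PORT / PROTOCOL; exits on bad input.
# Globals: PORT (normalised to plain decimal), PROTOCOL (read)
#######################################
validate_inputs() {
  is_valid_port "$PORT" || die "错误:端口号必须为 1~65535 之间的整数。"
  # Drop leading zeros so the same spelling lands in every config file.
  PORT=$((10#$PORT))
  case "$PROTOCOL" in
    tcp|udp) ;;
    *) die "错误:协议必须是 tcp 或 udp。" ;;
  esac
}

#######################################
# Write the current iptables rule set to $1 via a sibling temp file + rename,
# so a failing iptables-save can never leave a truncated rules file behind.
# Arguments: $1 - destination path
# Returns: 0 on success, 1 otherwise
#######################################
save_iptables_to() {
  local target=$1 tmp
  tmp="${target}.tmp.$$"
  if iptables-save > "$tmp" 2>/dev/null && mv -f -- "$tmp" "$target"; then
    return 0
  fi
  rm -f -- "$tmp"
  return 1
}

#######################################
# Optionally persist iptables rules (Debian path first, then RHEL path).
#######################################
save_iptables_rules() {
  local save
  read -r -p "是否保存 iptables 规则? [y/n] (默认: y): " save
  save=${save:-y}
  [[ "$save" =~ ^[Yy]$ ]] || return 0
  echo "保存 iptables 规则..."
  mkdir -p /etc/iptables 2>/dev/null
  if save_iptables_to /etc/iptables/rules.v4; then
    return 0
  fi
  if [[ -d /etc/sysconfig ]] && save_iptables_to /etc/sysconfig/iptables; then
    return 0
  fi
  warn "警告:无法自动保存 iptables 规则,请手动保存。"
}

#######################################
# Open PORT/PROTOCOL on whichever firewall is active. Exits if the firewall
# reports failure, so a later sshd change is not made on a blocked port.
# Globals: PORT, PROTOCOL (read)
#######################################
configure_firewall() {
  echo "正在配置防火墙..."
  if firewalld_active; then
    echo "检测到 Firewalld 正在运行。"
    local zone
    # Rules go into the default zone (what --add-port uses when no zone is
    # given); interfaces not explicitly assigned elsewhere land there.
    zone=$(firewall-cmd --get-default-zone 2>/dev/null) || zone=public
    # --permanent alone does not touch the running config; --reload applies it.
    if firewall-cmd --zone="$zone" --add-port="${PORT}/${PROTOCOL}" --permanent \
        && firewall-cmd --reload; then
      echo "Firewalld 规则已添加。"
    else
      die "错误:Firewalld 规则添加失败。"
    fi
  elif ufw_active; then
    echo "检测到 UFW 正在运行。"
    ufw allow "${PORT}/${PROTOCOL}" || die "错误:UFW 规则添加失败。"
    echo "UFW 规则已添加。"
  elif command -v iptables >/dev/null 2>&1; then
    echo "使用 iptables 配置规则..."
    local reject_line insert_line
    # Insert ahead of the first REJECT rule so the ACCEPT is reached; with no
    # REJECT in the chain, insert at the top. IPv4 only, as in iptables itself.
    reject_line=$(iptables -L INPUT -n --line-numbers | awk '/REJECT/ { print $1; exit }')
    insert_line=${reject_line:-1}
    # -C reports whether an identical rule already exists, so repeated runs do
    # not stack duplicates.
    if iptables -C INPUT -p "$PROTOCOL" --dport "$PORT" -j ACCEPT 2>/dev/null; then
      echo "iptables 中已存在该规则。"
    else
      iptables -I INPUT "$insert_line" -p "$PROTOCOL" --dport "$PORT" -j ACCEPT \
        || die "错误:iptables 规则添加失败。"
    fi
    save_iptables_rules
  else
    warn "警告:未检测到支持的防火墙工具,跳过防火墙配置。"
  fi
}

#######################################
# Label PORT as ssh_port_t when SELinux is enforcing (tcp only).
# Globals: PORT, PROTOCOL (read)
#######################################
configure_selinux() {
  [[ "$PROTOCOL" == "tcp" ]] || return 0
  command -v getenforce >/dev/null 2>&1 || return 0
  [[ "$(getenforce 2>/dev/null)" == "Enforcing" ]] || return 0
  echo "检测到 SELinux 处于 Enforcing 模式,正在修改端口上下文..."
  if ! command -v semanage >/dev/null 2>&1; then
    warn "警告:未找到 semanage 命令。如果 SSH 重启失败,请安装 policycoreutils-python 并手动执行:"
    warn "semanage port -a -t ssh_port_t -p tcp $PORT"
    return 0
  fi
  # -a fails when the port already carries a type; -m then relabels it.
  if semanage port -a -t ssh_port_t -p tcp "$PORT" 2>/dev/null \
      || semanage port -m -t ssh_port_t -p tcp "$PORT" 2>/dev/null; then
    echo "SELinux 端口上下文已更新。"
  else
    # NOTE(review): both calls also fail for a port the base policy already
    # labels ssh_port_t (e.g. 22), in which case nothing needs doing — confirm
    # with `semanage port -l` before acting on this warning.
    warn "警告:SELinux 端口上下文更新失败,请手动执行: semanage port -a -t ssh_port_t -p tcp $PORT"
  fi
}

#######################################
# Append "Port $PORT" to sshd_config unless already present (tcp only).
# Globals: PORT, PROTOCOL, SSHD_CONFIG (read)
#######################################
update_sshd_config() {
  [[ "$PROTOCOL" == "tcp" ]] || return 0
  [[ -f "$SSHD_CONFIG" ]] || die "错误:未找到 ${SSHD_CONFIG}。"
  # Anchor both ends: a bare "^Port $PORT" lets "Port 2222" satisfy a check
  # for port 22. Directive names are case-insensitive in sshd_config.
  if grep -Eiq "^[[:space:]]*Port[[:space:]]+${PORT}[[:space:]]*$" "$SSHD_CONFIG"; then
    echo "SSH 配置中已包含 Port $PORT,无需修改。"
    return 0
  fi
  # With no Port directive sshd listens on 22 by default; the first explicit
  # Port replaces that default rather than adding to it. Only the main file is
  # checked here, not Include'd snippets.
  if ! grep -Eiq "^[[:space:]]*Port[[:space:]]+[0-9]+" "$SSHD_CONFIG"; then
    warn "警告:${SSHD_CONFIG} 中没有显式的 Port 指令,添加 Port $PORT 后 sshd 将不再监听默认端口 22。如需保留,请手动添加 'Port 22'。"
  fi
  echo "添加 SSH 端口 $PORT 到 ${SSHD_CONFIG}..."
  cp -p -- "$SSHD_CONFIG" "${SSHD_CONFIG}.bak.$(date +%Y%m%d%H%M%S)" \
    || die "错误:无法备份 ${SSHD_CONFIG}。"
  # GNU sed idiom: make sure the file ends with a newline before appending.
  sed -i -e '$a\' "$SSHD_CONFIG"
  printf 'Port %s\n' "$PORT" >> "$SSHD_CONFIG" || die "错误:写入 ${SSHD_CONFIG} 失败。"
}

#######################################
# Optionally restart sshd, validating the config first so a bad edit cannot
# take the daemon down and lock the operator out.
# Globals: SSHD_CONFIG (read)
#######################################
restart_ssh() {
  local answer
  read -r -p "是否现在重启 SSH 服务?[y/n] (默认: y): " answer
  answer=${answer:-y}
  [[ "$answer" =~ ^[Yy]$ ]] || return 0
  if command -v sshd >/dev/null 2>&1 && ! sshd -t; then
    die "错误:sshd 配置校验失败,未重启 SSH 服务。请检查 ${SSHD_CONFIG}。"
  fi
  echo "正在重启 SSH 服务..."
  # NOTE(review): distributions that socket-activate sshd (ssh.socket) take
  # the listen port from the socket unit, not sshd_config; check_listening
  # below is what reveals that case.
  if command -v systemctl >/dev/null 2>&1; then
    systemctl restart sshd 2>/dev/null || systemctl restart ssh 2>/dev/null
  elif command -v service >/dev/null 2>&1; then
    service sshd restart 2>/dev/null || service ssh restart 2>/dev/null
  elif [[ -x /etc/init.d/ssh ]]; then
    /etc/init.d/ssh restart
  elif [[ -x /etc/init.d/sshd ]]; then
    /etc/init.d/sshd restart
  fi
  sleep 1
  if pgrep -x sshd >/dev/null; then
    echo "SSH 服务重启完成。"
  else
    warn "警告:SSH 服务可能未成功启动。"
  fi
}

#######################################
# Print the firewall entries relevant to PORT. Exact-token matches only, so
# port 22 does not show up as part of 2222.
# Globals: PORT, PROTOCOL (read)
#######################################
show_status() {
  printf '\n当前防火墙规则状态:\n'
  if firewalld_active; then
    firewall-cmd --list-ports | grep -Fw "${PORT}/${PROTOCOL}" \
      || warn "警告:Firewalld 端口列表中未找到 ${PORT}/${PROTOCOL}。"
  elif ufw_active; then
    ufw status | grep -w "$PORT" \
      || warn "警告:UFW 规则中未找到端口 ${PORT}。"
  elif command -v iptables >/dev/null 2>&1; then
    iptables -L INPUT -n --line-numbers | grep -E "dpt:${PORT}([[:space:]]|$)|REJECT"
  else
    warn "警告:未检测到防火墙工具,无法显示规则。"
  fi
}

#######################################
# Report whether anything listens on PORT for the chosen protocol.
# Globals: PORT, PROTOCOL (read)
#######################################
check_listening() {
  printf '\n正在检查端口监听状态:\n'
  command -v ss >/dev/null 2>&1 || { warn "警告:未找到 ss 命令,无法检查监听状态。"; return 0; }
  local flag=t
  [[ "$PROTOCOL" == "udp" ]] && flag=u
  # Match the port only where the local-address column ends, so ":22" does
  # not match ":2222".
  ss "-n${flag}lp" 2>/dev/null | grep -E ":${PORT}[[:space:]]" \
    || echo "未监听端口 $PORT,请检查 SSH 配置或服务状态。"
}

main() {
  check_root
  prompt_inputs
  validate_inputs
  configure_firewall
  configure_selinux
  update_sshd_config
  restart_ssh
  show_status
  check_listening
  printf '\n操作完成!\n'
  exit 0
}

main "$@"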