- 建立 Gitea Actions CD pipeline (.gitea/workflows/cd.yaml) - 部署模式: rsync Python 檔案至 188 → docker restart (volume mount) - Dockerfile/requirements 變動時自動重建 Docker image - 部署通知: Telegram (開始/成功/失敗) - 健康檢查: https://mo.wooo.work/health (最多 5 次重試) - 同步最新 CLAUDE.md / ADR-008 / memory (2026-04-19) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
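#!/bin/bash
# ==========================================================
# 192.168.0.188 (Ollama Server) hardening script
#
# Usage:
#   ssh ollama@192.168.0.188
#   sudo bash harden_ollama_server.sh
#
# Steps:
#   1. Install Fail2Ban with an sshd jail (SSH brute-force protection).
#   2. Install UFW: default-deny inbound, allow SSH/HTTP/HTTPS from
#      anywhere, allow Ollama / Open WebUI / n8n / SearXNG from the LAN only.
#   3. Remind the operator to bind Docker-published ports to the LAN
#      address, and report any of those ports still listening on all
#      interfaces.
#   4. Print the resulting Fail2Ban / UFW state.
#
# IMPORTANT: UFW rules do NOT cover ports published by Docker
# (`-p 5678:5678` / `ports:` in docker-compose). Docker installs its own
# iptables rules ahead of UFW's, so a container port published on 0.0.0.0
# stays reachable from outside regardless of the rules below. Bind such
# ports to 192.168.0.188 in docker-compose.yml (step 3) or filter them in
# the DOCKER-USER chain.
#
# Requires root on a Debian/Ubuntu host (apt-get, systemd, iproute2).
# ==========================================================

set -Eeuo pipefail
trap 'echo "❌ 加固腳本在第 $LINENO 行失敗: $BASH_COMMAND" >&2' ERR

# Refuse to run unprivileged instead of failing half-way through apt-get.
if [[ "$(id -u)" -ne 0 ]]; then
  echo "此腳本需要 root 權限,請使用 sudo 執行" >&2
  exit 1
fi

# Network constants for this host; adjust here if the LAN changes.
readonly LAN_CIDR='192.168.0.0/24'
readonly LAN_BIND_IP='192.168.0.188'
# Ports that must only be reachable from the LAN
# (Ollama API, Open WebUI, n8n, SearXNG).
declare -ra INTERNAL_PORTS=(11434 3000 5678 8080)

# apt must never block on an interactive prompt when run from a pipeline.
export DEBIAN_FRONTEND=noninteractive

#######################################
# Print internal ports that are still bound on a wildcard address.
# A wildcard listener on a Docker-published port means the service is
# reachable from outside despite the UFW rules (Docker bypasses UFW).
# Globals:   INTERNAL_PORTS (read)
# Outputs:   one warning line per wildcard listener, "(無)" if none
# Returns:   0 always (reporting only)
#######################################
report_wildcard_listeners() {
  local port found=0

  if ! command -v ss >/dev/null 2>&1; then
    echo " (找不到 ss,無法檢查監聽位址)"
    return 0
  fi

  for port in "${INTERNAL_PORTS[@]}"; do
    # Match the *local* address column only: the peer column of a
    # listening socket is "0.0.0.0:*", so the port suffix is required.
    if ss -ltn "sport = :${port}" 2>/dev/null \
        | grep -Eq "(0\.0\.0\.0|\*|\[::\]):${port}([[:space:]]|\$)"; then
      echo " ⚠️ port ${port} 綁定在所有介面 (0.0.0.0 / [::]),外部仍可能連線"
      found=1
    fi
  done

  # With userland-proxy disabled, Docker exposes a port via DNAT only and
  # ss shows no listener, so also ask Docker directly when it is present.
  if command -v docker >/dev/null 2>&1; then
    local docker_wild
    docker_wild=$(docker ps --format '{{.Names}}: {{.Ports}}' 2>/dev/null \
      | grep -E '(0\.0\.0\.0|\[::\]):[0-9]+->' || true)
    if [[ -n "${docker_wild}" ]]; then
      echo " ⚠️ Docker 容器發布在所有介面的端口:"
      printf '    %s\n' "${docker_wild}"
      found=1
    fi
  fi

  if (( found == 0 )); then
    echo " (無)"
  fi
  return 0
}

echo "=========================================="
echo " Ollama Server 安全加固腳本"
echo "=========================================="

# 1. Install and configure Fail2Ban
echo ""
echo "=== 1. 安裝 Fail2Ban (SSH 防暴力破解) ==="
apt-get update -qq
apt-get install -y fail2ban

# Keep a copy of any previous local jail config before overwriting it.
if [[ -f /etc/fail2ban/jail.local ]]; then
  cp -p /etc/fail2ban/jail.local \
    "/etc/fail2ban/jail.local.bak.$(date +%Y%m%d%H%M%S)"
fi

# Newer Debian/Ubuntu images ship without rsyslog, so /var/log/auth.log may
# not exist. With a missing logpath the sshd jail fails to start and the
# protection silently does nothing, so fall back to the journal.
if [[ -r /var/log/auth.log ]]; then
  sshd_log_source='logpath = /var/log/auth.log'
else
  sshd_log_source='backend = systemd'
fi

# NOTE: ignoreip exempts the whole LAN from banning, so a compromised LAN
# host can brute-force SSH without limit. Narrow it to the admin/CI hosts
# if they are known.
cat > /etc/fail2ban/jail.local << JAIL
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3
ignoreip = 127.0.0.1/8 ${LAN_CIDR}

[sshd]
enabled = true
port = ssh
filter = sshd
${sshd_log_source}
maxretry = 3
JAIL

systemctl enable fail2ban
systemctl restart fail2ban
echo "✅ Fail2Ban 已安裝並啟用"

# 2. Configure the UFW firewall
echo ""
echo "=== 2. 設定 UFW 防火牆 ==="
apt-get install -y ufw

# Start from a clean rule set. `reset` also disables UFW, so there is a
# short window with no host firewall until `enable` below; the SSH rule is
# therefore added before enabling, never after, to avoid locking us out.
ufw --force reset
ufw default deny incoming
ufw default allow outgoing

# SSH stays open to all sources because the CD runner and admins are not
# guaranteed to be on the LAN; Fail2Ban above throttles brute force.
# If every SSH client is on the LAN, tighten this to:
#   ufw allow from "${LAN_CIDR}" to any port 22 proto tcp comment 'SSH'
ufw allow 22/tcp comment 'SSH'
ufw allow 80/tcp comment 'HTTP'
ufw allow 443/tcp comment 'HTTPS'

# Application ports: LAN only (tcp and udp, as in the original rules).
# See the Docker caveat in the header: these rules only protect services
# bound on the host's own network stack, not Docker-published ports.
ufw allow from "${LAN_CIDR}" to any port 11434 comment 'Ollama API (內網)'
ufw allow from "${LAN_CIDR}" to any port 3000 comment 'Open WebUI (內網)'
ufw allow from "${LAN_CIDR}" to any port 5678 comment 'n8n (內網)'
ufw allow from "${LAN_CIDR}" to any port 8080 comment 'SearXNG (內網)'

ufw --force enable
echo "✅ UFW 防火牆已設定"

# 3. Docker port bindings (n8n / SearXNG must bind to the LAN address)
echo ""
echo "=== 3. 檢查 Docker Compose 配置 ==="
echo "⚠️ 請手動修改 docker-compose.yml 將以下服務改為內網綁定:"
echo " n8n: 5678:5678 → ${LAN_BIND_IP}:5678:5678"
echo " searxng: 8080:8080 → ${LAN_BIND_IP}:8080:8080"
echo ""
echo "目前綁定在所有介面的內網服務端口 (Docker 發布的端口會繞過 UFW):"
report_wildcard_listeners

# 4. Final status
echo ""
echo "=========================================="
echo " 安全加固完成!"
echo "=========================================="
echo ""
echo "Fail2Ban 狀態:"
# The jail may still be starting right after restart; that is not fatal.
fail2ban-client status sshd 2>/dev/null || echo " (啟動中...)"
echo ""
echo "UFW 防火牆規則:"
ufw status verbose
echo ""
echo "⚠️ 注意事項:"
echo " 1. UFW 已將 Ollama API/Open WebUI/n8n/SearXNG 限制為內網 (${LAN_CIDR}),但 Docker 發布的端口 (0.0.0.0:xxxx) 會繞過 UFW,請依第 3 步改為綁定 ${LAN_BIND_IP} 或在 DOCKER-USER 鏈過濾"
echo " 2. 如需從外部訪問,請透過 Nginx 反向代理並加入認證"
echo " 3. 建議定期檢查 fail2ban-client status sshd"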