#!/bin/bash
set -euo pipefail

# 全局配置
readonly LOG_FILE="/var/log/install_backtrance.log"
readonly COWRIE_INSTALL_DIR="/opt/cowrie"
readonly MAX_BACKUPS=3
readonly SSH_PORT_RANGE_MIN=1024
readonly SSH_PORT_RANGE_MAX=65535

# 颜色定义
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[0;33m'
BLUE='\033[0;34m'
NC='\033[0m'

# 日志系统
log() {
    local level=$1
    local message=$2
    local timestamp=$(date +'%Y-%m-%d %H:%M:%S')
    case $level in
        "INFO") echo -e "${BLUE}[INFO]${NC} $timestamp $message" | tee -a "$LOG_FILE" ;;
        "WARN") echo -e "${YELLOW}[WARN]${NC} $timestamp $message" | tee -a "$LOG_FILE" ;;
        "ERROR") echo -e "${RED}[ERROR]${NC} $timestamp $message" | tee -a "$LOG_FILE"; exit 1 ;;
    esac
}

# 初始化检查
init_check() {
    log "INFO" "正在检查系统环境..."
    [[ $EUID -ne 0 ]] && log "ERROR" "必须使用root权限运行"
    [[ ! -f /etc/debian_version ]] && log "ERROR" "仅支持Debian系系统"
}

# 安装系统依赖
install_deps() {
    log "INFO" "开始安装系统依赖..."
    local deps=(net-tools ufw fail2ban git python3.9 python3.9-venv python3.9-dev python3-systemd)
    if ! apt-get update || ! apt-get install -y "${deps[@]}"; then
        log "ERROR" "依赖安装失败"
    fi
    log "INFO" "系统依赖安装完成"
}

# 配置防火墙
configure_firewall() {
    log "INFO" "开始配置防火墙..."
    if ! command -v ufw >/dev/null; then
        log "WARN" "未检测到UFW防火墙，跳过配置"
        return
    fi

    ufw --force reset
    ufw allow ssh
    ufw allow 2222/tcp comment 'Cowrie Honeypot'
    ufw --force enable
    log "INFO" "防火墙配置完成"
}

# 配置Fail2Ban
configure_fail2ban() {
    log "INFO" "开始配置Fail2Ban..."
    if ! command -v fail2ban-client >/dev/null; then
        log "WARN" "未检测到Fail2Ban，跳过配置"
        return
    fi

    cat > /etc/fail2ban/jail.local <<EOF
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 86400
findtime = 1800
maxretry = 3

[sshd]
enabled = true
EOF

    systemctl restart fail2ban
    log "INFO" "Fail2Ban配置完成"
}

# 安装Cowrie蜜罐
install_cowrie() {
    log "INFO" "开始安装Cowrie蜜罐..."
    if [ -d "$COWRIE_INSTALL_DIR" ]; then
        log "WARN" "检测到已有Cowrie安装，跳过安装"
        return
    fi

    git clone https://github.com/cowrie/cowrie.git "$COWRIE_INSTALL_DIR"
    cd "$COWRIE_INSTALL_DIR"
    python3 -m venv cowrie-env
    source cowrie-env/bin/activate
    pip install --upgrade pip
    pip install -r requirements.txt
    deactivate

    # 配置Cowrie
    cp etc/cowrie.cfg.dist etc/cowrie.cfg
    sed -i 's/hostname = svr04/hostname = debian-s31343/' etc/cowrie.cfg
    sed -i 's/^#listen_port=2222/listen_port=2222/' etc/cowrie.cfg

    # 设置权限
    chown -R cowrie:cowrie "$COWRIE_INSTALL_DIR"
    chmod -R 755 "$COWRIE_INSTALL_DIR"
    log "INFO" "Cowrie蜜罐安装完成"
}

# 配置Cowrie服务
configure_cowrie_service() {
    log "INFO" "开始配置Cowrie服务..."
    cat > /etc/systemd/system/cowrie.service <<EOF
[Unit]
Description=Cowrie SSH Honeypot
After=network.target

[Service]
Type=simple
User=cowrie
Group=cowrie
WorkingDirectory=$COWRIE_INSTALL_DIR
Environment="PYTHONPATH=$COWRIE_INSTALL_DIR/cowrie-env/lib/python3.9/site-packages"
ExecStart=$COWRIE_INSTALL_DIR/cowrie-env/bin/python $COWRIE_INSTALL_DIR/bin/cowrie start -n
Restart=always
RestartSec=30

[Install]
WantedBy=multi-user.target
EOF

    systemctl daemon-reload
    systemctl enable cowrie
    systemctl start cowrie
    log "INFO" "Cowrie服务配置完成"
}

# 最终验证
post_install_check() {
    log "INFO" "开始安装后验证..."
    if systemctl is-active --quiet cowrie; then
        log "INFO" "Cowrie服务运行正常"
    else
        log "ERROR" "Cowrie服务未运行"
    fi

    if systemctl is-active --quiet fail2ban; then
        log "INFO" "Fail2Ban服务运行正常"
    else
        log "ERROR" "Fail2Ban服务未运行"
    fi

    if ufw status | grep -q "Status: active"; then
        log "INFO" "防火墙运行正常"
    else
        log "WARN" "防火墙未启用"
    fi
}

# 主逻辑
main() {
    init_check
    install_deps
    configure_firewall
    configure_fail2ban
    install_cowrie
    configure_cowrie_service
    post_install_check
    log "INFO" "Backtrance安装完成！"
}

main "$@"