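#!/bin/bash
# NAC port audit and standardisation script
# Version: 1.0.0
# Date: 2026-02-20
#
# Read-only audit of one host: bound sockets on the NAC port ranges, port
# definitions in the NAC config files, state of the NAC systemd units, leftover
# Ethereum default ports, UFW rules for the NAC ports and a per-port listener
# table. Nothing on the host is modified.
#
# Root is required for the process column (ss/netstat -p) and for `ufw status`;
# without it the script still runs but prints "-" / an explicit error where it
# cannot see, rather than a misleading "clean" result.
set -euo pipefail

# Colour codes as raw escape bytes so every line can go through printf '%s'.
# No `echo -e` anywhere: process names and config lines are data read from
# the host and must never be interpreted as escape sequences.
GREEN=$'\033[0;32m'
RED=$'\033[0;31m'
YELLOW=$'\033[1;33m'
NC=$'\033[0m' # No Color

# Status-line helpers: marker in colour, message verbatim.
ok()   { printf '%s✓%s %s\n' "$GREEN" "$NC" "$*"; }
warn() { printf '%s⚠%s %s\n' "$YELLOW" "$NC" "$*"; }
bad()  { printf '%s✗%s %s\n' "$RED" "$NC" "$*"; }
section() { printf '%s\n----------------------------------------\n' "$1"; }

#######################################
# Enumerate bound TCP (LISTEN) and UDP sockets.
# Prefers ss (netstat is deprecated and often absent on current systems; the
# original `netstat | grep || echo "no occupation"` silently reported a clean
# host when netstat was missing).
# Outputs: one line per socket: "<proto>\t<local addr:port>\t<process>",
#          process is "-" when the kernel does not reveal it (non-root).
# Returns: 1 when neither ss nor netstat is installed, or the tool failed.
#######################################
listeners() {
  if command -v ss >/dev/null 2>&1; then
    # ss -Htulnp (iproute2 >= 4.x for -H): Netid State Recv-Q Send-Q Local Peer [Process]
    ss -Htulnp 2>/dev/null | awk '{ p = (NF >= 7) ? $7 : "-"; print $1 "\t" $5 "\t" p }'
  elif command -v netstat >/dev/null 2>&1; then
    # netstat -tulnp: Proto Recv-Q Send-Q Local Foreign [State] PID/Program.
    # UDP rows have no State column, so the process is $NF, never a fixed $7.
    # NR > 2 skips the two header lines.
    netstat -tulnp 2>/dev/null | awk 'NR > 2 { print $1 "\t" $4 "\t" $NF }'
  else
    return 1
  fi
}

#######################################
# Filter listeners() to sockets whose port number matches an ERE exactly.
# The original unanchored `grep ":95[0-9]{2}"` also matched e.g. :95001 and
# ":3000" matched :30001; here only the port field is compared, anchored.
# Arguments: $1 - ERE for the port number alone (e.g. '95[0-9][0-9]'; avoid
#                 {n} intervals, which mawk does not support)
# Outputs:   matching listeners() lines
# Returns:   0 if at least one socket matched, 1 otherwise
#######################################
listeners_on() {
  local re="^($1)\$"
  listeners | awk -F'\t' -v re="$re" '
    { n = split($2, a, ":"); if (a[n] ~ re) { print; found = 1 } }
    END { exit found ? 0 : 1 }'
}

#######################################
# Print one labelled port range (section 1).
# Arguments: $1 - label, $2 - port ERE for listeners_on
#######################################
show_range() {
  printf '%s%s%s\n' "$YELLOW" "$1" "$NC"
  listeners_on "$2" || echo " 无占用"
  echo ""
}

#######################################
# Print the port definitions of one config file (section 2).
# Arguments: $1 - file path, $2 - max lines to show
#######################################
show_config_ports() {
  if [[ -f "$1" ]]; then
    ok "$1"
    # grep exits 1 when the file has no port lines; that is not an error here.
    grep -E 'port[[:space:]]*=' -- "$1" | head -n "$2" || true
  else
    bad "$1 不存在"
  fi
  echo ""
}

echo "=========================================="
echo "NAC端口审计和标准化工具"
echo "=========================================="
echo ""

# Fail loudly instead of printing an empty (and therefore "clean") audit.
if ! listeners >/dev/null; then
  bad "需要 ss 或 netstat 才能枚举端口" >&2
  exit 1
fi
if (( EUID != 0 )); then
  warn "未以root运行: 进程名和UFW规则可能不可见"
  echo ""
fi

# 1. Sockets bound on the NAC port ranges
section "1. 检查当前NAC端口占用情况"
show_range "核心服务端口(9500-9599):" '95[0-9][0-9]'
show_range "网络协议端口(39000-39999):" '39[0-9][0-9][0-9]'
show_range "管理服务端口:" '9090|3000|3333|8081'
echo ""

# 2. Port definitions in the config files
section "2. 检查配置文件中的端口定义"
show_config_ports /opt/nac/config/api-server.toml 5
show_config_ports /opt/nac/config/mainnet_config.toml 10
echo ""

# 3. systemd units
section "3. 检查systemd服务状态"
for service in nac-cbpp-node nac-api-server nac-auth-service; do
  # Anchor on "^name.service": a bare substring match would also accept
  # e.g. nac-api-server-old.service.
  if systemctl list-unit-files --no-legend "${service}.service" 2>/dev/null \
      | grep -q "^${service}\.service"; then
    # is-active prints the state (inactive/failed/...) itself and exits
    # non-zero; appending `|| echo inactive` would produce a two-line status.
    status=$(systemctl is-active "$service" 2>/dev/null) || true
    status=${status:-inactive}
    if [[ "$status" == "active" ]]; then
      ok "$service: $status"
    else
      warn "$service: $status"
    fi
  else
    bad "$service: 未安装"
  fi
done
echo ""
echo ""

# 4. Standard port list. This is static documentation; the "✓ 运行中" marks
# are not measured — sections 1 and 7 show what is actually bound.
section "4. NAC标准端口清单"
cat << 'EOF'
L0层(网络层):
  39303  CSNP主节点(TCP/UDP)
  39304  CSNP发现服务(UDP)
  39305  CSNP同步服务(TCP)

L1层(协议层):
  9545   CBPP节点RPC(HTTP)
  9546   CBPP WebSocket
  9547   NAC Lens HTTP
  9548   NAC Lens WebSocket
  9549   NVM RPC

L2层(应用层):
  9550   NAC API Gateway ✓ 运行中
  9554   CNNL编译服务
  9555   Charter编译服务
  9556   ACC-20协议服务

管理服务:
  9090   Prometheus ✓ 运行中
  9091   Prometheus Metrics
  3000   量子浏览器 ✓ 运行中
  3333   Gitea ✓ 运行中
  8081   认证服务 ✓ 运行中
EOF
echo ""
echo ""

# 5. Leftover Ethereum default ports (geth RPC/WS/P2P). UDP is included
# because 30303 discovery runs over UDP as well.
section "5. 以太坊端口残留检查"
found_eth=0
for port in 8545 8546 30303; do
  if sockets=$(listeners_on "$port"); then
    printf '%s✗ 发现以太坊端口占用: %s%s\n' "$RED" "$port" "$NC"
    printf '%s\n' "$sockets"
    found_eth=1
  fi
done
if (( found_eth == 0 )); then
  printf '%s✓ 无以太坊端口占用%s\n' "$GREEN" "$NC"
fi
echo ""
echo ""

# 6. UFW rules. `ufw status` needs root; distinguish "could not read" from
# "no matching rule" so a non-root run is not reported as having no rules.
section "6. 防火墙规则检查"
if command -v ufw >/dev/null 2>&1; then
  echo "UFW状态:"
  if rules=$(ufw status 2>/dev/null); then
    # -w: match whole port numbers only ("80" must not match 8081 or 3080).
    grep -Ew -- '9550|39303|80|443' <<<"$rules" || echo " 未找到NAC相关规则"
  else
    bad "无法读取UFW状态(需要root权限)"
  fi
else
  echo "UFW未安装"
fi
echo ""
echo ""

# 7. Per-port table. Uses the same bound-socket source as section 1; the
# original `lsof -ti :PORT` also matched established connections whose
# *remote* port happened to be PORT and reported them as listening.
section "7. 当前端口映射表"
echo "端口 状态 进程"
echo "---- ---- ----"
for port in 9550 9545 9546 9547 9548 9549 9554 9555 9556 39303 39304 39305 9090 9091 3000 3333 8081; do
  if entry=$(listeners_on "$port"); then
    # Process column of the first matching socket; "-" unless run as root.
    proc=$(printf '%s\n' "$entry" | awk -F'\t' 'NR == 1 { print $3 }')
    printf '%s\t%s监听%s\t%s\n' "$port" "$GREEN" "$NC" "$proc"
  else
    printf '%s\t%s未用%s\t-\n' "$port" "$YELLOW" "$NC"
  fi
done
echo ""
echo "=========================================="
echo "审计完成"
echo "=========================================="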