🛡️ Server hardening scripts for Ubuntu/Debian - UFW, Fail2ban, SSH, Cloudflare Tunnel

moinsen-dev/server-hardening

🛡️ Server Hardening Guide

A practical guide to securing your Linux server (Ubuntu/Debian) with UFW, Fail2ban, and Cloudflare Tunnel.

🎯 What This Guide Covers

  • UFW Firewall setup
  • Fail2ban SSH protection
  • Cloudflare Tunnel (zero-trust access)
  • SSH hardening
  • Security audit scripts

📋 Quick Start

# Clone this repo
git clone https://github.com/moinsen-dev/server-hardening.git
cd server-hardening

# Run the hardening script (as root)
sudo ./scripts/harden.sh

🔒 Security Layers

┌─────────────────────────────────────────┐
│         Cloudflare Access               │  ← Layer 1: Auth (Email OTP)
├─────────────────────────────────────────┤
│         Cloudflare Tunnel               │  ← Layer 2: No open ports
├─────────────────────────────────────────┤
│         UFW Firewall                    │  ← Layer 3: Port filtering
├─────────────────────────────────────────┤
│         Fail2ban                        │  ← Layer 4: Brute-force protection
├─────────────────────────────────────────┤
│         SSH Key Auth                    │  ← Layer 5: No passwords
└─────────────────────────────────────────┘

📚 Documentation

🚀 One-Line Commands

Full Hardening (UFW + Fail2ban + SSH)

curl -fsSL https://raw.githubusercontent.com/moinsen-dev/server-hardening/main/scripts/harden.sh | sudo bash

SSH Hardening Only

curl -fsSL https://raw.githubusercontent.com/moinsen-dev/server-hardening/main/scripts/ssh-harden.sh | sudo bash

Security Audit

curl -fsSL https://raw.githubusercontent.com/moinsen-dev/server-hardening/main/scripts/audit.sh | sudo bash

⚠️ Warning: Always review scripts before running with sudo!

✅ Security Checklist

After running the hardening script, verify:

| Check | Command | Expected |
|---|---|---|
| UFW active | sudo ufw status | Status: active |
| SSH only | sudo ufw status | 22/tcp ALLOW |
| Fail2ban running | sudo systemctl status fail2ban | active (running) |
| SSH jail active | sudo fail2ban-client status sshd | Currently banned: 0 |
| No root login | grep PermitRootLogin /etc/ssh/sshd_config | no |
| Key auth only | grep PasswordAuthentication /etc/ssh/sshd_config | no |
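
The two grep checks above read only the main file, and grep also matches commented-out lines. Recent Debian and Ubuntu releases ship an `Include /etc/ssh/sshd_config.d/*.conf` line, so a drop-in can set a different value that wins. The function below is an added example, not part of this repository's scripts; `sshd_effective`, `demo` and the sample files are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example, not the repository's audit.sh. sshd uses the FIRST occurrence
# of a keyword, ignores keyword case, and reads Include files where they appear.
# Simplified: stops at a file's first Match line; quoted arguments unsupported.

sshd_effective() {  # usage: sshd_effective <keyword> <config-file>
  local want file line key val inc f hit
  want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  file=$2
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                          # drop comments
    line=${line#"${line%%[![:space:]]*}"}     # trim leading whitespace
    [ -n "$line" ] || continue
    key=${line%%[[:space:]]*}
    val=${line#"$key"}
    val=${val#"${val%%[![:space:]]*}"}        # argument(s) after the keyword
    key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
    case $key in
      match) break ;;                         # global section ends here
      include)
        for inc in $val; do
          case $inc in /*) ;; *) inc=/etc/ssh/$inc ;; esac  # sshd_config(5) default dir
          for f in $inc; do                   # glob expands in sorted order
            [ -f "$f" ] || continue
            if hit=$(sshd_effective "$want" "$f"); then
              printf '%s\n' "$hit"; return 0
            fi
          done
        done ;;
      "$want") printf '%s\n' "${val%%[[:space:]]*}"; return 0 ;;
    esac
  done <"$file"
  return 1                                    # keyword not set: sshd default applies
}

# Constructed sample: a drop-in re-enables passwords ahead of the main file.
demo() {
  local d; d=$(mktemp -d)
  mkdir "$d/sshd_config.d"
  echo 'PasswordAuthentication yes' >"$d/sshd_config.d/50-sample.conf"
  printf '%s\n' "Include $d/sshd_config.d/*.conf" '#PermitRootLogin yes' \
    'PermitRootLogin no' 'PasswordAuthentication no' >"$d/sshd_config"
  echo "PermitRootLogin=$(sshd_effective PermitRootLogin "$d/sshd_config")"
  echo "PasswordAuthentication=$(sshd_effective PasswordAuthentication "$d/sshd_config")"
  rm -rf "$d"
}
demo
```

On a live host, `sudo sshd -T | grep -i -E 'permitrootlogin|passwordauthentication'` prints the values the running configuration resolves to, including Match handling that this sketch skips.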

🧪 Test Your Security

# Run audit
./scripts/audit.sh

# Or online scanners:
# - https://www.shodan.io/host/YOUR_IP
# - https://hackertarget.com/nmap-online-port-scanner/
# - https://securityheaders.com/

📄 License

MIT License - Use freely, stay safe!

🀝 Contributing

PRs welcome! Found a security improvement? Open an issue.
