Show HN: VPS-Harden, an Idempotent Bash Script to Harden Ubuntu VPS

https://github.com/ranjith-src/vps-harden
2•ranbo•1h ago

Comments

ranbo•1h ago
I kept following the same 30-step hardening checklist every time I spun up a new VPS. Disable root login, set up UFW, configure fail2ban, enable SYN cookies, install auditd... Each time I'd miss something or forget a step. So I turned the checklist into a script.

What it does: 14 modules covering SSH hardening (key-only auth, AllowUsers, MaxAuthTries), firewall (UFW default-deny), fail2ban, kernel sysctl hardening, Netbird mesh VPN, SOPS+age secrets management, auditd monitoring, unattended upgrades, and more.

What makes it different from the usual hardening scripts:

Idempotent — checks current state before every action. Re-run it weekly to catch drift. It won't duplicate rules or break existing config.

Dry-run mode — preview every change before applying. Nothing is touched until you're ready.

Lockout protection — validates sshd config syntax, verifies your SSH keys exist, checks AllowUsers includes you, confirms UFW has an SSH rule — all before restarting sshd. Auto-rolls back if anything fails.

Interactive wizard — run sudo vps-harden with no args on a fresh server. It auto-detects your SSH key, IP, and timezone, offers a dry run first, and prints the equivalent CLI command for future runs.

Grouped scorecard — the verify module prints a security scorecard with section headers explaining what each group does ("Kernel Hardening — Prevents network-level attacks"). After a real run, it shows next steps: an SSH test command, a ready-to-paste ~/.ssh/config block, and conditional guidance for anything still WARN/FAIL.

Zero dependencies — single Bash file, no Python, no Ansible, no agents. curl | bash to install, sudo vps-harden to run.

The lockout protection was the hardest part to get right. The script disables password auth and restricts SSH to a single user, so if the key deployment or AllowUsers config is wrong, you're locked out.

It validates everything before reloading sshd, and if validation fails, it removes the config and rolls back.

Your existing session stays alive throughout.

Install: curl -fsSL https://raw.githubusercontent.com/ranjith-src/vps-harden/mai... | bash

Repo: https://github.com/ranjith-src/vps-harden

Happy to answer questions about the design decisions or trade-offs.
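The lockout-protection flow described in the post (validate the sshd config, confirm an authorized key exists, confirm AllowUsers names you, confirm UFW allows SSH, and roll the change back if any check fails) as an added example in Bash. This is not code from the vps-harden project; function names, the drop-in path, and the sample sshd_config, authorized_keys and `ufw status` capture are constructed here so it runs offline against files in a temp directory. The one simplification is the syntax check: it lints the fixtures itself and only defers to `sshd -t` when pointed at the live /etc/ssh/sshd_config on a real host.

```shell
#!/usr/bin/env bash
# Added example, not vps-harden's own code. Pre-flight checks that guard an sshd
# reload against lockout, plus an idempotent drop-in write with rollback.

# 0 if USER appears in an AllowUsers directive across the given config files.
allowusers_includes() {  # $1 = user, $2.. = sshd config files (main + drop-ins)
  local user=$1; shift
  sed 's/#.*//' "$@" \
    | awk 'tolower($1)=="allowusers" {for (i=2;i<=NF;i++) print $i}' \
    | grep -qx -- "$user"
}

# 0 if the file holds at least one public key line (no key-options prefix handled).
authorized_key_present() {  # $1 = authorized_keys file
  [ -s "$1" ] && grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9@.-]+) ' "$1"
}

# 0 if a captured `ufw status` listing has an ALLOW or LIMIT rule for the SSH port.
ufw_allows_ssh() {  # $1 = file with `ufw status` output, $2 = ssh port
  grep -Eq "^(${2}|${2}/tcp|OpenSSH)[[:space:]]+(ALLOW|LIMIT)" "$1"
}

# 0 if every non-blank, non-comment line is "Directive value"; on a real host the
# live config is additionally handed to sshd's own parser (sshd -t).
sshd_config_valid() {  # $@ = sshd config files
  ! grep -Evq '^[[:space:]]*(#.*|[A-Za-z][A-Za-z0-9]*[[:space:]]+[^[:space:]].*)?$' "$@" || return 1
  if [ "$1" = /etc/ssh/sshd_config ] && command -v sshd >/dev/null 2>&1; then
    sshd -t || return 1
  fi
  return 0
}

# Run every check, print PASS/FAIL per check, return non-zero if any failed.
preflight() {  # $1 user, $2 port, $3 authorized_keys, $4 ufw capture, $5.. config files
  local user=$1 port=$2 keys=$3 ufw=$4 rc=0; shift 4
  report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; rc=1; fi; }
  report sshd_config_valid "$@"
  report authorized_key_present "$keys"
  report allowusers_includes "$user" "$@"
  report ufw_allows_ssh "$ufw" "$port"
  return "$rc"
}

# Write the drop-in only when its content differs (idempotent), then run the
# pre-flight; on failure delete the drop-in again instead of reloading sshd.
apply_with_rollback() {  # $1 drop-in, $2 content, $3 user, $4 port, $5 keys, $6 ufw capture, $7 main config
  local dropin=$1 content=$2 user=$3 port=$4 keys=$5 ufw=$6 main=$7
  if [ -f "$dropin" ] && [ "$(cat "$dropin")" = "$content" ]; then
    echo "unchanged: $dropin already has the desired content"
  else
    printf '%s\n' "$content" > "$dropin"
    echo "wrote: $dropin"
  fi
  if preflight "$user" "$port" "$keys" "$ufw" "$main" "$dropin"; then
    echo "pre-flight passed: safe to reload sshd"
    return 0
  fi
  rm -f "$dropin"
  echo "pre-flight failed: removed $dropin, sshd not reloaded (current session untouched)"
  return 1
}

# Constructed sample files (fake key, minimal config, fake ufw output) in a temp dir.
make_fixtures() {
  local d; d=$(mktemp -d)
  printf 'Port 22\nPasswordAuthentication no\n' > "$d/sshd_config"
  printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMOkeyConstructedForThisExample ranbo@laptop\n' > "$d/authorized_keys"
  printf 'Status: active\n\nTo         Action  From\n--         ------  ----\n22/tcp     ALLOW   Anywhere\n' > "$d/ufw_status.txt"
  echo "$d"
}

demo() {
  local d; d=$(make_fixtures)
  # 1) typo in AllowUsers: pre-flight fails, drop-in is rolled back
  apply_with_rollback "$d/99-harden.conf" 'AllowUsers ranb0' ranbo 22 \
    "$d/authorized_keys" "$d/ufw_status.txt" "$d/sshd_config" || true
  # 2) correct user: passes; the third run reports the drop-in as unchanged
  apply_with_rollback "$d/99-harden.conf" 'AllowUsers ranbo' ranbo 22 \
    "$d/authorized_keys" "$d/ufw_status.txt" "$d/sshd_config"
  apply_with_rollback "$d/99-harden.conf" 'AllowUsers ranbo' ranbo 22 \
    "$d/authorized_keys" "$d/ufw_status.txt" "$d/sshd_config"
  rm -rf "$d"
}
demo
```

The order matters: the drop-in is written first so the checks see the config that sshd would actually load, and the reload is the only step that is never reached on failure, which is what keeps the existing session alive.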