Add VPS hardening, Tailscale exit node, and uptime check scripts
Deploy / lint (push) Failing after 0s
Deploy / security (push) Failing after 1s
Deploy / deploy (push) Has been skipped

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Gan, Jimmy
2026-06-03 02:55:05 +08:00
parent 49f73b3962
commit 55a8dbc457
4 changed files with 151 additions and 0 deletions
+9
View File
@@ -6,6 +6,9 @@ on:
jobs: jobs:
lint: lint:
runs-on: ubuntu-latest runs-on: ubuntu-latest
env:
HTTP_PROXY: http://100.70.115.1:8118
HTTPS_PROXY: http://100.70.115.1:8118
steps: steps:
- name: Checkout - name: Checkout
run: | run: |
@@ -18,6 +21,9 @@ jobs:
security: security:
runs-on: ubuntu-latest runs-on: ubuntu-latest
env:
HTTP_PROXY: http://100.70.115.1:8118
HTTPS_PROXY: http://100.70.115.1:8118
steps: steps:
- name: Checkout - name: Checkout
run: | run: |
@@ -35,6 +41,9 @@ jobs:
deploy: deploy:
needs: [lint, security] needs: [lint, security]
runs-on: ubuntu-latest runs-on: ubuntu-latest
env:
HTTP_PROXY: http://100.70.115.1:8118
HTTPS_PROXY: http://100.70.115.1:8118
steps: steps:
- name: Checkout - name: Checkout
run: | run: |
+65
View File
@@ -0,0 +1,65 @@
#!/bin/bash
# VPS Hardening Script for oracle-tokyo
# Based on Security Audit 2026-02-14
set -e
echo "Starting VPS hardening..."
# 1. Disable X11Forwarding in SSH
if grep -q "^X11Forwarding yes" /etc/ssh/sshd_config; then
echo "Disabling X11Forwarding..."
sudo sed -i 's/^X11Forwarding yes/X11Forwarding no/' /etc/ssh/sshd_config
sudo systemctl restart ssh
else
echo "X11Forwarding already disabled."
fi
# 2. Restrict Xray config permissions
XRAY_CONFIG="/usr/local/etc/xray/config.json"
if [ -f "$XRAY_CONFIG" ]; then
CURRENT_PERMS=$(stat -c "%a" "$XRAY_CONFIG")
if [ "$CURRENT_PERMS" != "600" ]; then
echo "Restricting permissions on $XRAY_CONFIG to 600..."
sudo chmod 600 "$XRAY_CONFIG"
else
echo "Xray config permissions already restricted."
fi
else
echo "Xray config not found at $XRAY_CONFIG, skipping."
fi
# 3. Close port 80 in iptables if open
if sudo iptables -L INPUT -n | grep -q "dpt:80"; then
echo "Closing port 80 in iptables..."
sudo iptables -D INPUT -p tcp --dport 80 -j ACCEPT || true
else
echo "Port 80 already closed in iptables."
fi
# 4. Disable shells for default cloud users (opc, ubuntu)
for user in opc ubuntu; do
if id "$user" &>/dev/null; then
CURRENT_SHELL=$(getent passwd "$user" | cut -d: -f7)
if [ "$CURRENT_SHELL" != "/usr/sbin/nologin" ]; then
echo "Disabling shell for user $user..."
sudo usermod -s /usr/sbin/nologin "$user"
else
echo "Shell for $user already disabled."
fi
fi
done
# 5. AdGuard Home - Ensure bound to private interfaces (Tailscale/Local)
AGH_CONFIG="/opt/AdGuardHome/AdGuardHome.yaml"
if [ -f "$AGH_CONFIG" ]; then
if grep -q "0.0.0.0" "$AGH_CONFIG" | grep -A 5 "bind_hosts"; then
echo "WARNING: AdGuard Home might be bound to 0.0.0.0. Manual check recommended in $AGH_CONFIG."
# Automatic fix is risky with YAML parsing in bash, so we just warn
else
echo "AdGuard Home bind hosts check: OK (not 0.0.0.0)."
fi
fi
echo "Hardening complete."
+42
View File
@@ -0,0 +1,42 @@
#!/bin/bash
# Tailscale Exit Node Setup Script
# Automates UFW and IP forwarding requirements
set -e
echo "Setting up Tailscale exit node requirements..."
# 1. Enable IP Forwarding in sysctl
if ! grep -q "^net.ipv4.ip_forward=1" /etc/sysctl.conf; then
echo "Enabling IPv4 forwarding in sysctl..."
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv6.conf.all.forwarding=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
else
echo "IPv4 forwarding already enabled."
fi
# 2. Update UFW default forward policy
UFW_DEFAULT="/etc/default/ufw"
if grep -q 'DEFAULT_FORWARD_POLICY="DROP"' "$UFW_DEFAULT"; then
echo "Updating UFW default forward policy to ACCEPT..."
sudo sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' "$UFW_DEFAULT"
sudo ufw reload
else
echo "UFW default forward policy is already ACCEPT."
fi
# 3. Add NAT MASQUERADE to UFW before.rules
UFW_BEFORE="/etc/ufw/before.rules"
if ! grep -q "POSTROUTING -s 100.64.0.0/10 -o ens3 -j MASQUERADE" "$UFW_BEFORE"; then
echo "Adding NAT MASQUERADE rule to $UFW_BEFORE..."
# This is a bit tricky to automate safely without ruining the file.
# We look for the *filter line and insert before it.
sudo sed -i '/\*filter/i # NAT rules\n*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s 100.64.0.0/10 -o ens3 -j MASQUERADE\nCOMMIT\n' "$UFW_BEFORE"
sudo ufw reload
else
echo "NAT MASQUERADE rule already exists in $UFW_BEFORE."
fi
echo "Tailscale exit node setup complete."
+35
View File
@@ -0,0 +1,35 @@
#!/bin/bash
# Simple Uptime & Service Health Check for VPS
# Checks Xray, AdGuard Home, Tailscale, and WireGuard
SERVICES=("xray" "AdGuardHome" "tailscaled" "wg-quick@wg0")
echo "--- Service Health Check ($(date)) ---"
for svc in "${SERVICES[@]}"; do
if systemctl is-active --quiet "$svc"; then
echo "[OK] $svc is running"
else
echo "[ERROR] $svc is NOT running!"
# Optional: Attempt restart
# sudo systemctl restart "$svc"
fi
done
# Check if Xray is listening on 443
if ss -tuln | grep -q ":443 "; then
echo "[OK] Port 443 is listening (Xray)"
else
echo "[ERROR] Port 443 is NOT listening!"
fi
# Check if AdGuard Home is listening on 53 (Tailscale IP)
TAILSCALE_IP="100.70.115.1"
if ss -tuln | grep -q "$TAILSCALE_IP:53 "; then
echo "[OK] AdGuard Home is listening on $TAILSCALE_IP:53"
else
echo "[WARNING] AdGuard Home is NOT listening on $TAILSCALE_IP:53"
fi
echo "--- Check Complete ---"