#!/bin/bash # VPS Hardening Script for oracle-tokyo # Based on Security Audit 2026-02-14 set -e echo "Starting VPS hardening..." # 1. Disable X11Forwarding in SSH if grep -q "^X11Forwarding yes" /etc/ssh/sshd_config; then echo "Disabling X11Forwarding..." sudo sed -i 's/^X11Forwarding yes/X11Forwarding no/' /etc/ssh/sshd_config sudo systemctl restart ssh else echo "X11Forwarding already disabled." fi # 2. Restrict Xray config permissions XRAY_CONFIG="/usr/local/etc/xray/config.json" if [ -f "$XRAY_CONFIG" ]; then CURRENT_PERMS=$(stat -c "%a" "$XRAY_CONFIG") if [ "$CURRENT_PERMS" != "600" ]; then echo "Restricting permissions on $XRAY_CONFIG to 600..." sudo chmod 600 "$XRAY_CONFIG" else echo "Xray config permissions already restricted." fi else echo "Xray config not found at $XRAY_CONFIG, skipping." fi # 3. Close port 80 in iptables if open if sudo iptables -L INPUT -n | grep -q "dpt:80"; then echo "Closing port 80 in iptables..." sudo iptables -D INPUT -p tcp --dport 80 -j ACCEPT || true else echo "Port 80 already closed in iptables." fi # 4. Disable shells for default cloud users (opc, ubuntu) for user in opc ubuntu; do if id "$user" &>/dev/null; then CURRENT_SHELL=$(getent passwd "$user" | cut -d: -f7) if [ "$CURRENT_SHELL" != "/usr/sbin/nologin" ]; then echo "Disabling shell for user $user..." sudo usermod -s /usr/sbin/nologin "$user" else echo "Shell for $user already disabled." fi fi done # 5. AdGuard Home - Ensure bound to private interfaces (Tailscale/Local) AGH_CONFIG="/opt/AdGuardHome/AdGuardHome.yaml" if [ -f "$AGH_CONFIG" ]; then if grep -q "0.0.0.0" "$AGH_CONFIG" | grep -A 5 "bind_hosts"; then echo "WARNING: AdGuard Home might be bound to 0.0.0.0. Manual check recommended in $AGH_CONFIG." # Automatic fix is risky with YAML parsing in bash, so we just warn else echo "AdGuard Home bind hosts check: OK (not 0.0.0.0)." fi fi echo "Hardening complete."