4a91c7a186
- Create server2/ directory and migrate Xray proxy config, Clash config, and utility scripts - Create caddy-vps/ directory and add Caddyfile reverse proxy configuration - Update .gitea/workflows/deploy.yml CI/CD pipeline to validate JSON/YAML and check Caddyfile formatting/syntax - Deploy configurations sequentially to both servers - Update README.md to document multi-server topology and CI/CD behavior Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
66 lines
2.0 KiB
Bash
66 lines
2.0 KiB
Bash
#!/bin/bash
|
|
|
|
# VPS Hardening Script for oracle-tokyo
|
|
# Based on Security Audit 2026-02-14
|
|
|
|
set -e
|
|
|
|
echo "Starting VPS hardening..."
|
|
|
|
# 1. Disable X11Forwarding in SSH
|
|
if grep -q "^X11Forwarding yes" /etc/ssh/sshd_config; then
|
|
echo "Disabling X11Forwarding..."
|
|
sudo sed -i 's/^X11Forwarding yes/X11Forwarding no/' /etc/ssh/sshd_config
|
|
sudo systemctl restart ssh
|
|
else
|
|
echo "X11Forwarding already disabled."
|
|
fi
|
|
|
|
# 2. Restrict Xray config permissions
|
|
XRAY_CONFIG="/usr/local/etc/xray/config.json"
|
|
if [ -f "$XRAY_CONFIG" ]; then
|
|
CURRENT_PERMS=$(stat -c "%a" "$XRAY_CONFIG")
|
|
if [ "$CURRENT_PERMS" != "600" ]; then
|
|
echo "Restricting permissions on $XRAY_CONFIG to 600..."
|
|
sudo chmod 600 "$XRAY_CONFIG"
|
|
else
|
|
echo "Xray config permissions already restricted."
|
|
fi
|
|
else
|
|
echo "Xray config not found at $XRAY_CONFIG, skipping."
|
|
fi
|
|
|
|
# 3. Close port 80 in iptables if open
|
|
if sudo iptables -L INPUT -n | grep -q "dpt:80"; then
|
|
echo "Closing port 80 in iptables..."
|
|
sudo iptables -D INPUT -p tcp --dport 80 -j ACCEPT || true
|
|
else
|
|
echo "Port 80 already closed in iptables."
|
|
fi
|
|
|
|
# 4. Disable shells for default cloud users (opc, ubuntu)
|
|
for user in opc ubuntu; do
|
|
if id "$user" &>/dev/null; then
|
|
CURRENT_SHELL=$(getent passwd "$user" | cut -d: -f7)
|
|
if [ "$CURRENT_SHELL" != "/usr/sbin/nologin" ]; then
|
|
echo "Disabling shell for user $user..."
|
|
sudo usermod -s /usr/sbin/nologin "$user"
|
|
else
|
|
echo "Shell for $user already disabled."
|
|
fi
|
|
fi
|
|
done
|
|
|
|
# 5. AdGuard Home - Ensure bound to private interfaces (Tailscale/Local)
|
|
AGH_CONFIG="/opt/AdGuardHome/AdGuardHome.yaml"
|
|
if [ -f "$AGH_CONFIG" ]; then
|
|
if grep -q "0.0.0.0" "$AGH_CONFIG" | grep -A 5 "bind_hosts"; then
|
|
echo "WARNING: AdGuard Home might be bound to 0.0.0.0. Manual check recommended in $AGH_CONFIG."
|
|
# Automatic fix is risky with YAML parsing in bash, so we just warn
|
|
else
|
|
echo "AdGuard Home bind hosts check: OK (not 0.0.0.0)."
|
|
fi
|
|
fi
|
|
|
|
echo "Hardening complete."
|