Files
vps-oracle-jp/server2/harden.sh
T
Gan, Jimmy 4a91c7a186
Deploy / security (push) Failing after 11m14s
Deploy / lint (push) Failing after 12m3s
Deploy / deploy (push) Has been skipped
Restructure repository to manage both server2 and caddy-vps
- Create server2/ directory and migrate Xray proxy config, Clash config, and utility scripts
- Create caddy-vps/ directory and add Caddyfile reverse proxy configuration
- Update .gitea/workflows/deploy.yml CI/CD pipeline to validate JSON/YAML and check Caddyfile formatting/syntax
- Deploy configurations sequentially to both servers
- Update README.md to document multi-server topology and CI/CD behavior

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-03 03:19:18 +08:00

66 lines
2.0 KiB
Bash

#!/bin/bash
# VPS Hardening Script for oracle-tokyo
# Based on Security Audit 2026-02-14
set -e
echo "Starting VPS hardening..."
# 1. Disable X11Forwarding in SSH
if grep -q "^X11Forwarding yes" /etc/ssh/sshd_config; then
echo "Disabling X11Forwarding..."
sudo sed -i 's/^X11Forwarding yes/X11Forwarding no/' /etc/ssh/sshd_config
sudo systemctl restart ssh
else
echo "X11Forwarding already disabled."
fi
# 2. Restrict Xray config permissions
XRAY_CONFIG="/usr/local/etc/xray/config.json"
if [ -f "$XRAY_CONFIG" ]; then
CURRENT_PERMS=$(stat -c "%a" "$XRAY_CONFIG")
if [ "$CURRENT_PERMS" != "600" ]; then
echo "Restricting permissions on $XRAY_CONFIG to 600..."
sudo chmod 600 "$XRAY_CONFIG"
else
echo "Xray config permissions already restricted."
fi
else
echo "Xray config not found at $XRAY_CONFIG, skipping."
fi
# 3. Close port 80 in iptables if open
if sudo iptables -L INPUT -n | grep -q "dpt:80"; then
echo "Closing port 80 in iptables..."
sudo iptables -D INPUT -p tcp --dport 80 -j ACCEPT || true
else
echo "Port 80 already closed in iptables."
fi
# 4. Disable shells for default cloud users (opc, ubuntu)
for user in opc ubuntu; do
if id "$user" &>/dev/null; then
CURRENT_SHELL=$(getent passwd "$user" | cut -d: -f7)
if [ "$CURRENT_SHELL" != "/usr/sbin/nologin" ]; then
echo "Disabling shell for user $user..."
sudo usermod -s /usr/sbin/nologin "$user"
else
echo "Shell for $user already disabled."
fi
fi
done
# 5. AdGuard Home - Ensure bound to private interfaces (Tailscale/Local)
AGH_CONFIG="/opt/AdGuardHome/AdGuardHome.yaml"
if [ -f "$AGH_CONFIG" ]; then
if grep -q "0.0.0.0" "$AGH_CONFIG" | grep -A 5 "bind_hosts"; then
echo "WARNING: AdGuard Home might be bound to 0.0.0.0. Manual check recommended in $AGH_CONFIG."
# Automatic fix is risky with YAML parsing in bash, so we just warn
else
echo "AdGuard Home bind hosts check: OK (not 0.0.0.0)."
fi
fi
echo "Hardening complete."