autoharden uses Ansible to deploy a comprehensive security hardening script on new VPS instances, automating the transition from a default root account to a hardened system with a custom SSH port and key-based admin access.
- Control Node: Ansible (>= 2.10), SSH client.
- Target Nodes: Fresh Debian/Ubuntu or RHEL/CentOS systems with initial root access (key or password).
- Keys: The admin user's private key must be loaded into your `ssh-agent`.
Edit `inventory.ini` to list the IPs of the target servers and configure the initial root connection (via password or key).

```ini
[new_vps]
198.51.100.10
198.51.100.11

[new_vps:vars]
ansible_user = root
ansible_ssh_pass = 'your-root-password'
```

The playbook will prompt for the new admin username, the admin public key, and the new SSH port once, then apply the hardening to all hosts in the `[new_vps]` group.
```bash
# Load your admin key first
ssh-add /path/to/your/admin_private_key

# Run the automation
ansible-playbook playbook.yml
```

The script performs a final reboot. You can then connect to your hardened server:

```bash
ssh -p <new_ssh_port> <admin_username>@<server_ip>
```

DO NOT RUN THIS SCRIPT ON A PRODUCTION SERVER WITHOUT THOROUGH TESTING!
This script makes significant, potentially breaking changes to system configuration (SSH access, firewall, kernel parameters, etc.). Test it exclusively on a disposable Virtual Machine or VPS first to ensure it doesn't break required functionality and that you can still access the machine afterward. You are responsible for any consequences of running this script.
- A freshly provisioned VPS running a supported Linux distribution (Debian, Ubuntu, CentOS, RHEL, AlmaLinux, Rocky Linux). Running on an already configured system may have unpredictable results.
- Root access (or the ability to run commands with `sudo`) on the VPS.
- Upload: Transfer the script file (e.g., `script.sh`) to your target VPS using `scp` or another method. Place it somewhere accessible, like `/root` or your user's home directory.

  ```bash
  # Example using scp (replace with your details)
  scp script.sh root@YOUR_VPS_IP:/root/
  ```

- Connect: Log in to your VPS as the `root` user via SSH.
- Make Executable: Navigate to where you uploaded the script and make it executable:

  ```bash
  chmod +x script.sh
  ```

- Execute: Run the script using `sudo` or directly as `root`:

  ```bash
  sudo ./script.sh
  # OR if already root:
  # ./script.sh
  ```
- Answer Prompts: The script will prompt you for:
- The username for a new administrative user.
- The SSH public key for this new user (paste the full key).
- The desired SSH port (defaults to 2222).
- Confirmation to proceed.
- You will also be interactively prompted to set a password for the new administrative user.
- Monitor Output: Watch the script's output carefully for any errors or warnings.
- Set GRUB Password (Manual): The script reminds you but cannot automate setting the GRUB bootloader password. Follow the instructions printed at the end of the script's output to set this manually before rebooting. This is crucial for preventing unauthorized physical access or console access from bypassing security.
- Reboot: Once the script finishes and you have set the GRUB password, reboot the server immediately:

  ```bash
  sudo reboot
  ```

  This is necessary for changes like `fstab` mount options and kernel module blacklisting to take full effect.
- Test Login: After the server reboots, attempt to log in via SSH using:
- The new username you provided.
- Your SSH private key (corresponding to the public key you provided).
- The new SSH port you specified (default 2222).
- Password login and root login should be disabled.
  ```bash
  # Example login command
  ssh -p YOUR_NEW_PORT YOUR_NEW_USER@YOUR_VPS_IP
  ```

- Verify: Check firewall status, SSH status, and potentially run `sudo lynis audit system` again to see the results.
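A post-hardening check for the Verify step, added here as an example that is not part of autoharden: it reads the effective sshd configuration (the output of `sshd -T`, run as root on the hardened host) and confirms the SSH port, root-login, password-authentication and public-key settings the script is expected to leave behind. The sample `sshd -T` output embedded below is constructed for the demo; the expected port (2222) is the script's default.

```bash
#!/usr/bin/env bash
# Verify that the effective sshd configuration matches the hardened profile.
# Usage on the hardened host:   sshd -T | check_sshd_hardening 2222
# `sshd -T` prints the effective config with lowercase keywords, one per line.

# $1 = expected SSH port; effective config is read from stdin.
# Prints one FAIL line per mismatch; returns 0 only if everything matches.
check_sshd_hardening() {
  local port="$1" rc=0 cfg key want got
  cfg=$(cat)                      # effective config captured from stdin
  while read -r key want; do
    # First value printed for this keyword (empty if sshd never printed it)
    got=$(printf '%s\n' "$cfg" | awk -v k="$key" '$1 == k { print $2; exit }')
    if [ "$got" != "$want" ]; then
      printf 'FAIL: %s is "%s", expected "%s"\n' "$key" "${got:-<unset>}" "$want"
      rc=1
    fi
  done <<EOF
port $port
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
EOF
  if [ "$rc" -eq 0 ]; then
    echo "OK: sshd matches the hardened profile (port $port, key-only, no root login)"
  fi
  return "$rc"
}

# Constructed sample of `sshd -T` output from a correctly hardened host,
# so the check can be exercised without a real server.
SAMPLE_HARDENED='port 2222
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes'

# Stand-alone demo against the constructed sample
printf '%s\n' "$SAMPLE_HARDENED" | check_sshd_hardening 2222
```

On a real host, `sshd -T` must be run as root; a non-zero exit from the check means at least one of the settings the script should have applied is not in effect.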
The hardening script cannot automate setting the GRUB password. You must perform this step manually after the playbook completes. Review the script output for OS-specific instructions.