mmahmoudian/server-fortify

⚡ Fortify

Harden everything. Trust nothing.

Universal security hardener for proxy & VPN servers

Fortify automatically detects proxy and VPN services running on your server, scores their security posture (0–100, A+ to F), and hardens them with one-click profiles or granular manual controls.

💡 Best practice: Install your proxy/VPN backend first using its official installer, then run fortify to harden it. The built-in Deploy menu is available for quick setup if needed.


🚀 Quick Install

bash <(curl -sL https://github.com/SamNet-dev/fortify/raw/main/install.sh)

Then just run:

fortify

📋 What It Does

Fortify scans your server, detects running services, and presents an interactive TUI dashboard:

  ⚡ Fortify v0.9
  Harden everything. Trust nothing.
  by Sam - SamNet Technologies

  Detected Services:
  ├── ✓ Anti-Abuse (SMTP torrent)
  ├── ✓ Firewall (nftables) 3 ports open
  ├── ✓ hysteria2 v2.7.1 (running)
  ├── ✓ SSH :2222 key-only
  ├── ✓ WireGuard wg0 (3 peers)
  └── ✓ Xray v26.2.6 (running)

  Security Score: ████████████████░░░░ 82/100  [A]

πŸ›‘οΈ Supported Backends

Backend Detection Hardening Deploy
πŸ”· Xray (VLESS/VMess/Trojan) βœ… Auto βœ… Geo-block, port block, sniffing, routing βœ… Core, 3X-UI, Marzban
🟒 WireGuard βœ… Auto βœ… PresharedKey audit, permissions, peer review βœ… Full setup
🟑 sing-box βœ… Auto βœ… Route rules, geo-IP, protocol blocking βœ… Latest release
πŸ”΅ Hysteria 2 βœ… Auto βœ… TLS check, SMTP block, firewall βœ… Official installer
🟠 OpenVPN βœ… Auto βœ… TLS-crypt, cipher hardening, DPI protection βœ… Server setup
🟣 DNSTT βœ… Auto βœ… Rate limiting, connection limits, SMTP block πŸ“˜ Via dnstm-setup
πŸ” SSH βœ… Always βœ… Key-only auth, fail2ban, cipher hardening β€”
🧱 Firewall βœ… Always βœ… nftables/iptables, dual-stack IPv4+IPv6 β€”

🎯 Key Features

πŸ” Auto-Detection

Fortify scans for installed services on every launch β€” no configuration needed. Install a backend, run fortify, and it appears immediately.

📊 Security Scoring

Each module gets a score (0–100) based on its security posture. The overall score combines all modules into a single grade:

| Grade | Score | Meaning |
|---|---|---|
| A+ | 95–100 | Hardened |
| A | 85–94 | Strong |
| B | 70–84 | Good |
| C | 50–69 | Needs work |
| D | 30–49 | Weak |
| F | 0–29 | Critical |

πŸ›‘οΈ One-Click Profiles

Apply a full hardening profile with one command:

fortify --profile paranoid

Available profiles:

Profile Description
paranoid Maximum security β€” blocks everything unnecessary
public-share Balanced for shared/public VPN servers
minimal Light touch β€” essentials only

🧱 Anti-Abuse Protection

  • SMTP blocking: prevent spam (ports 25, 465, 587)
  • Torrent blocking: port-based + deep packet inspection (DPI)
  • Rate limiting: per-IP SYN flood protection
  • Connection limits: cap concurrent connections
  • IP blocking/whitelisting: single IPs or CIDR ranges

🌍 Xray Geo-Blocking

Block traffic by country using Xray's GeoIP database:

  • Preset list: China, Russia, North Korea, Syria, Cuba, Venezuela, Belarus, Myanmar
  • Custom country codes: add any 2-letter ISO code (e.g., TR, DE, PK)

🔒 SSH Hardening

  • Disable password authentication (key-only)
  • Change SSH port with automatic firewall update
  • MaxAuthTries enforcement (minimum 4, prevents lockout)
  • fail2ban setup with Fortify-managed jail
  • Cipher/KexAlgorithm hardening
  • Lockout prevention: SSH access rule is always preserved in the firewall, even after flush

🔥 Firewall Management

  • Dual-stack: IPv4 + IPv6
  • Supports nftables and iptables (auto-detected)
  • Tagged rules for clean management (fortify-* comments)
  • Persistent across reboot via systemd service
  • SYN flood protection, invalid packet dropping, ICMP rate limiting

💾 Backup & Restore

  • Automatic backup before every change
  • Checksum verification (SHA256)
  • Named backups with timestamps
  • Restore any previous state

📬 Notifications

  • Telegram: bot token + chat ID
  • Discord: webhook URL
  • Custom webhook: any HTTP endpoint

💻 CLI Usage

# Interactive TUI
fortify

# Quick security scan
fortify --scan

# One-line status (great for monitoring)
fortify --status
# Output: fortify score=82 grade=A modules=8

# JSON report (for automation)
fortify --json

# Apply hardening profile
fortify --profile paranoid

# Deploy a new backend
fortify --deploy

# Backup all configs
fortify --backup

# Show version
fortify --version

πŸ“ Project Structure

/opt/fortify/
β”œβ”€β”€ fortify.sh              # Main entry point + TUI + help pages
β”œβ”€β”€ install.sh              # Installer
β”œβ”€β”€ core/
β”‚   β”œβ”€β”€ utils.sh            # Shared utilities, validators, logging
β”‚   β”œβ”€β”€ tui.sh              # Terminal UI (menus, boxes, colors)
β”‚   β”œβ”€β”€ firewall.sh         # nftables/iptables abstraction layer
β”‚   β”œβ”€β”€ loader.sh           # Module loader + service scanner
β”‚   β”œβ”€β”€ scorer.sh           # Score calculator + grade system
β”‚   β”œβ”€β”€ backup.sh           # Backup/restore with checksums
β”‚   β”œβ”€β”€ notify.sh           # Telegram/Discord/webhook notifications
β”‚   β”œβ”€β”€ deployer.sh         # Backend installers
β”‚   └── updater.sh          # Self-update mechanism
β”œβ”€β”€ modules/
β”‚   β”œβ”€β”€ antabuse.sh         # Anti-abuse (SMTP, torrent, rate limit)
β”‚   β”œβ”€β”€ ssh.sh              # SSH hardening
β”‚   β”œβ”€β”€ firewall_mod.sh     # Firewall module (audit, rules)
β”‚   β”œβ”€β”€ xray.sh             # Xray/panel security
β”‚   β”œβ”€β”€ wireguard.sh        # WireGuard hardening
β”‚   β”œβ”€β”€ singbox.sh          # sing-box security
β”‚   β”œβ”€β”€ hysteria.sh         # Hysteria 2 hardening
β”‚   β”œβ”€β”€ openvpn.sh          # OpenVPN hardening
β”‚   └── dnstt.sh            # DNSTT security
└── profiles/
    β”œβ”€β”€ paranoid.conf        # Maximum security
    β”œβ”€β”€ public-share.conf    # Balanced for shared servers
    └── minimal.conf         # Light touch

πŸ” Security Design

No Lockout Guarantee

Fortify is designed to never lock you out of your server:

  • πŸ”‘ SSH port is always allowed in the firewall (even after flush)
  • πŸ”‘ MaxAuthTries minimum of 4 enforced (prevents multi-key lockout)
  • πŸ”‘ Password auth only disabled after confirming SSH keys exist
  • πŸ”‘ Root login falls back to prohibit-password if no keys found
  • πŸ”‘ Firewall flush automatically re-creates SSH safety rule
  • πŸ”‘ SSH port change updates the safety rule to match
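Added example, not Fortify's own code: the SSH rules listed under SSH Hardening and in the No Lockout Guarantee above, written as a shell function that emits an sshd_config drop-in from the state of the authorized_keys files it is pointed at. The function names, the cipher/KEX selection and the drop-in path are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not Fortify's own code: emit an sshd_config drop-in that
# follows the README's no-lockout rules. Function names, the cipher/KEX
# selection and the drop-in path are assumptions for this example.
set -eu

# has_ssh_keys HOME... -> succeeds if any listed home holds a non-empty
# authorized_keys with at least one public-key line
has_ssh_keys() {
  local home
  for home in "$@"; do
    if [ -s "$home/.ssh/authorized_keys" ] &&
       grep -qE '^(ssh-|ecdsa-|sk-)' "$home/.ssh/authorized_keys"; then
      return 0
    fi
  done
  return 1
}

# ssh_dropin PORT MAXAUTHTRIES ROOT_POLICY HOME... -> drop-in text on stdout
#   ROOT_POLICY is the PermitRootLogin value the profile asks for (e.g. "no")
ssh_dropin() {
  local port=$1 tries=$2 root_policy=$3; shift 3
  # Never go below MaxAuthTries 4: a client offering several keys would
  # otherwise be disconnected before the right one is tried
  if [ "$tries" -lt 4 ]; then tries=4; fi
  echo "# managed by fortify (assumed path: /etc/ssh/sshd_config.d/99-fortify.conf)"
  echo "Port $port"
  echo "MaxAuthTries $tries"
  echo "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org"
  echo "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com"
  if has_ssh_keys "$@"; then
    # Keys confirmed: key-only auth and the requested root policy are safe
    echo "PasswordAuthentication no"
    echo "PermitRootLogin $root_policy"
  else
    # No keys found: keep password auth and fall back to prohibit-password
    # rather than locking the operator out entirely
    echo "PasswordAuthentication yes"
    echo "PermitRootLogin prohibit-password"
  fi
}
```

Run it as `ssh_dropin 2222 4 no /root /home/ops` and review the output before copying it into sshd_config.d and reloading sshd.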

Tagged Firewall Rules

Every rule Fortify creates is tagged with a fortify-* comment, making cleanup simple and preventing conflicts with other tools (Docker, fail2ban, etc.).

Non-Destructive

  • Uses a separate inet fortify nftables table (never touches system tables)
  • Backs up configs before every change
  • All changes are reversible
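Added example, not Fortify's own code, covering the Firewall Management list and the Tagged Firewall Rules and Non-Destructive points: a shell function that emits an nft script for a separate inet fortify table in which every rule carries a fortify-* comment, a flush script that puts the SSH safety rule straight back, and a check that no rule went out untagged. Function names and the rate-limit values are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not Fortify's own code: build an nft script for a separate
# "inet fortify" table (dual-stack, every rule tagged fortify-*) and the flush
# script that re-creates the SSH safety rule. Names and rates are assumptions.
set -eu

# fortify_ruleset SSH_PORT [SERVICE_PORT...] -> full nft script on stdout
fortify_ruleset() {
  local ssh_port=$1; shift
  local p
  cat <<EOF
table inet fortify
flush table inet fortify
table inet fortify {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept comment "fortify-state"
    ct state invalid drop comment "fortify-invalid"
    iif lo accept comment "fortify-lo"
    tcp dport $ssh_port accept comment "fortify-ssh"
    tcp flags syn limit rate over 50/second drop comment "fortify-synflood"
    icmp type echo-request limit rate 10/second accept comment "fortify-icmp"
    icmpv6 type echo-request limit rate 10/second accept comment "fortify-icmp"
EOF
  for p in "$@"; do
    printf '    tcp dport %s accept comment "fortify-port"\n' "$p"
    printf '    udp dport %s accept comment "fortify-port"\n' "$p"
  done
  cat <<EOF
  }
  chain output {
    type filter hook output priority 0; policy accept;
    tcp dport { 25, 465, 587 } drop comment "fortify-smtp"
  }
}
EOF
}

# fortify_flush_script SSH_PORT -> clears only the fortify table (system
# tables untouched), then re-adds the SSH safety rule so a flush cannot lock
# the operator out
fortify_flush_script() {
  printf 'flush table inet fortify\n'
  printf 'add rule inet fortify input tcp dport %s accept comment "fortify-ssh"\n' "$1"
}

# untagged_rules SCRIPT -> number of accept/drop rules lacking a fortify-* tag
untagged_rules() {
  printf '%s\n' "$1" | grep -E '(accept|drop)( |$)' | grep -vc 'comment "fortify-' || true
}
```

Apply with `fortify_ruleset 2222 443 51820 | nft -f -` once the output has been reviewed; `nft list table inet fortify` then shows only tagged rules.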

🖥️ Requirements

  • OS: Ubuntu 20.04+, Debian 11+, CentOS 8+, AlmaLinux 8+, Fedora 36+
  • Bash: 4.4+
  • Root access required
  • Optional: jq (for Xray/sing-box JSON editing; installed automatically if missing)

πŸ“ License

MIT License β€” see LICENSE for details.


👤 Author

Sam, SamNet Technologies


⚡ Harden everything. Trust nothing.
