Fortify: One-Click Server Security Hardening for Proxy and VPN Servers

5 min read
Intermediate Security Hardening Firewall Proxy VPN

Prerequisites

  • A Linux server with proxy or VPN services installed
  • Root or sudo access

Quick Answer: Install: bash <(curl -sL https://github.com/SamNet-dev/fortify/raw/main/install.sh). Run: fortify. It auto-detects your services, scores their security (0-100, A+ to F), and lets you harden everything with one click.

Need a VPS? Vultr (free credit), DigitalOcean ($200 free credit), or RackNerd (cheap annual deals).


The Problem

You set up a proxy or VPN server. It works. But is it secure? Most server setups skip critical hardening steps:

  • SSH still allows password login
  • Firewall has too many ports open
  • Xray has no geo-blocking
  • WireGuard peers don't use preshared keys
  • SMTP ports are open (your server can send spam)
  • No rate limiting against DDoS

Checking all of this manually across multiple services is tedious. Fortify automates it.


What Is Fortify?

Fortify is a universal security hardener for Linux servers running proxy and VPN services. It:

  1. Detects every service running on your server
  2. Scores each service's security posture (0-100)
  3. Hardens everything with interactive controls or one-click profiles
  ⚡ Fortify v0.9
  Harden everything. Trust nothing.

  Detected Services:
  ├── ✓ Anti-Abuse (SMTP torrent)
  ├── ✓ Firewall (nftables) 3 ports open
  ├── ✓ hysteria2 v2.7.1 (running)
  ├── ✓ SSH :2222 key-only
  ├── ✓ WireGuard wg0 (3 peers)
  └── ✓ Xray v26.2.6 (running)

  Security Score: ████████████████░░░░ 82/100  [A]

Install

bash <(curl -sL https://github.com/SamNet-dev/fortify/raw/main/install.sh)

Then:

fortify

The TUI dashboard appears immediately, showing all detected services and their security scores.


Supported Services

Fortify auto-detects and hardens these backends:

Backend Detection Hardening
Xray (VLESS/VMess/Trojan) Auto Geo-blocking, port blocking, sniffing, routing rules
WireGuard Auto PresharedKey audit, permissions, peer review
sing-box Auto Route rules, geo-IP, protocol blocking
Hysteria 2 Auto TLS check, SMTP block, firewall
OpenVPN Auto TLS-crypt, cipher hardening, DPI protection
DNSTT Auto Rate limiting, connection limits, SMTP block
SSH Always Key-only auth, fail2ban, port change, cipher hardening
Firewall Always nftables/iptables, dual-stack IPv4+IPv6, SYN flood protection

You don't configure anything — Fortify scans for installed services on every launch.


Security Scoring

Every module gets a score. The overall grade combines all modules:

Grade Score Meaning
A+ 95-100 Hardened — maximum security
A 85-94 Strong — minor improvements possible
B 70-84 Good — some gaps to address
C 50-69 Needs work — several vulnerabilities
D 30-49 Weak — significant risks
F 0-29 Critical — immediate action needed

What Gets Scored

  • SSH: password auth disabled? Port changed? fail2ban running? Key-only?
  • Firewall: default deny? Only needed ports open? SYN flood protection?
  • Xray: geo-blocking enabled? Torrent/ads blocked? Sniffing on?
  • WireGuard: preshared keys? File permissions? Peer configuration?
  • Anti-abuse: SMTP ports blocked? Torrent blocked? Rate limiting?

One-Click Hardening Profiles

Apply a complete security profile with one command:

fortify --profile paranoid
Profile What It Does
paranoid Maximum security — blocks everything unnecessary, strictest rules
public-share Balanced for shared/public VPN servers — secure but usable
minimal Light touch — essentials only (SSH hardening, basic firewall)

Or use the interactive TUI to selectively enable/disable individual hardening features.


Key Features

Anti-Abuse Protection

Prevents your server from being used for spam or abuse:

  • SMTP blocking — closes ports 25, 465, 587 (prevents spam relay)
  • Torrent blocking — port-based and DPI detection
  • Rate limiting — per-IP SYN flood protection
  • Connection limits — cap concurrent connections per IP
  • IP blocking/whitelisting — single IPs or CIDR ranges

Xray Geo-Blocking

Block traffic by country using Xray's GeoIP database:

  • Preset countries: China, Russia, North Korea, Syria, Cuba, Venezuela, Belarus, Myanmar
  • Custom country codes: add any 2-letter ISO code
  • Applied to Xray routing rules automatically

SSH Hardening

  • Disable password authentication (key-only)
  • Change SSH port (with automatic firewall update)
  • MaxAuthTries enforcement
  • fail2ban setup with managed jail
  • Cipher and key exchange algorithm hardening
  • Lockout prevention — SSH access is always preserved in firewall

Firewall Management

  • Dual-stack: IPv4 + IPv6
  • Supports nftables and iptables (auto-detected)
  • Tagged rules for clean management
  • Persistent across reboot
  • SYN flood protection, invalid packet dropping, ICMP rate limiting

Backup and Restore

  • Automatic backup before every change
  • SHA256 checksum verification
  • Named backups with timestamps
  • Restore any previous state

Notifications

Get alerts when Fortify makes changes or detects issues:

  • Telegram — bot token + chat ID
  • Discord — webhook URL
  • Custom webhook — any HTTP endpoint

CLI Usage

# Interactive TUI (recommended)
fortify

# Apply hardening profile
fortify --profile paranoid

# Score without changing anything
fortify --score

# Harden specific module
fortify --harden ssh
fortify --harden firewall
fortify --harden xray

# Backup current state
fortify --backup

# Restore from backup
fortify --restore

# Check what services are detected
fortify --detect

Typical Workflow

1. Set Up Your Server

Install your proxy or VPN backend using its official method:

2. Run Fortify

fortify

It detects everything and shows your current security score.

3. Apply Hardening

Either use a one-click profile:

fortify --profile paranoid

Or selectively harden through the TUI — enable SMTP blocking, add geo-blocking, harden SSH, etc.

4. Verify

Check your new score. Address any remaining warnings.


Why Not Just Harden Manually?

Manual Fortify
Time 30+ minutes per service 2 minutes total
Consistency Easy to miss steps Automated checklist
Multiple services Check each separately Scans all at once
Scoring Subjective Objective 0-100 score
Rollback Hope you remember what you changed One-click restore
Updates Re-check everything after changes Re-run and re-score

Related Guides

SamNet Tools

Tool Purpose
fortify Server security hardening
Port Scanner Check which ports are open
VPN Leak Test Verify proxy/VPN is working
IP Blacklist Checker Check if your IP is flagged
SSL Certificate Checker Verify TLS configuration