Quick Answer: Install:
bash <(curl -sL https://github.com/SamNet-dev/fortify/raw/main/install.sh). Run:fortify. It auto-detects your services, scores their security (0-100, A+ to F), and lets you harden everything with one click.
Need a VPS? Vultr (free credit), DigitalOcean ($200 free credit), or RackNerd (cheap annual deals).
The Problem
You set up a proxy or VPN server. It works. But is it secure? Most server setups skip critical hardening steps:
- SSH still allows password login
- Firewall has too many ports open
- Xray has no geo-blocking
- WireGuard peers don't use preshared keys
- SMTP ports are open (your server can send spam)
- No rate limiting against DDoS
Checking all of this manually across multiple services is tedious. Fortify automates it.
What Is Fortify?
Fortify is a universal security hardener for Linux servers running proxy and VPN services. It:
- Detects every service running on your server
- Scores each service's security posture (0-100)
- Hardens everything with interactive controls or one-click profiles
⚡ Fortify v0.9
Harden everything. Trust nothing.
Detected Services:
├── ✓ Anti-Abuse (SMTP torrent)
├── ✓ Firewall (nftables) 3 ports open
├── ✓ hysteria2 v2.7.1 (running)
├── ✓ SSH :2222 key-only
├── ✓ WireGuard wg0 (3 peers)
└── ✓ Xray v26.2.6 (running)
Security Score: ████████████████░░░░ 82/100 [A]
Install
bash <(curl -sL https://github.com/SamNet-dev/fortify/raw/main/install.sh)
Then:
fortify
The TUI dashboard appears immediately, showing all detected services and their security scores.
Supported Services
Fortify auto-detects and hardens these backends:
| Backend | Detection | Hardening |
|---|---|---|
| Xray (VLESS/VMess/Trojan) | Auto | Geo-blocking, port blocking, sniffing, routing rules |
| WireGuard | Auto | PresharedKey audit, permissions, peer review |
| sing-box | Auto | Route rules, geo-IP, protocol blocking |
| Hysteria 2 | Auto | TLS check, SMTP block, firewall |
| OpenVPN | Auto | TLS-crypt, cipher hardening, DPI protection |
| DNSTT | Auto | Rate limiting, connection limits, SMTP block |
| SSH | Always | Key-only auth, fail2ban, port change, cipher hardening |
| Firewall | Always | nftables/iptables, dual-stack IPv4+IPv6, SYN flood protection |
You don't configure anything — Fortify scans for installed services on every launch.
Security Scoring
Every module gets a score. The overall grade combines all modules:
| Grade | Score | Meaning |
|---|---|---|
| A+ | 95-100 | Hardened — maximum security |
| A | 85-94 | Strong — minor improvements possible |
| B | 70-84 | Good — some gaps to address |
| C | 50-69 | Needs work — several vulnerabilities |
| D | 30-49 | Weak — significant risks |
| F | 0-29 | Critical — immediate action needed |
What Gets Scored
- SSH: password auth disabled? Port changed? fail2ban running? Key-only?
- Firewall: default deny? Only needed ports open? SYN flood protection?
- Xray: geo-blocking enabled? Torrent/ads blocked? Sniffing on?
- WireGuard: preshared keys? File permissions? Peer configuration?
- Anti-abuse: SMTP ports blocked? Torrent blocked? Rate limiting?
One-Click Hardening Profiles
Apply a complete security profile with one command:
fortify --profile paranoid
| Profile | What It Does |
|---|---|
paranoid |
Maximum security — blocks everything unnecessary, strictest rules |
public-share |
Balanced for shared/public VPN servers — secure but usable |
minimal |
Light touch — essentials only (SSH hardening, basic firewall) |
Or use the interactive TUI to selectively enable/disable individual hardening features.
Key Features
Anti-Abuse Protection
Prevents your server from being used for spam or abuse:
- SMTP blocking — closes ports 25, 465, 587 (prevents spam relay)
- Torrent blocking — port-based and DPI detection
- Rate limiting — per-IP SYN flood protection
- Connection limits — cap concurrent connections per IP
- IP blocking/whitelisting — single IPs or CIDR ranges
Xray Geo-Blocking
Block traffic by country using Xray's GeoIP database:
- Preset countries: China, Russia, North Korea, Syria, Cuba, Venezuela, Belarus, Myanmar
- Custom country codes: add any 2-letter ISO code
- Applied to Xray routing rules automatically
SSH Hardening
- Disable password authentication (key-only)
- Change SSH port (with automatic firewall update)
- MaxAuthTries enforcement
- fail2ban setup with managed jail
- Cipher and key exchange algorithm hardening
- Lockout prevention — SSH access is always preserved in firewall
Firewall Management
- Dual-stack: IPv4 + IPv6
- Supports nftables and iptables (auto-detected)
- Tagged rules for clean management
- Persistent across reboot
- SYN flood protection, invalid packet dropping, ICMP rate limiting
Backup and Restore
- Automatic backup before every change
- SHA256 checksum verification
- Named backups with timestamps
- Restore any previous state
Notifications
Get alerts when Fortify makes changes or detects issues:
- Telegram — bot token + chat ID
- Discord — webhook URL
- Custom webhook — any HTTP endpoint
CLI Usage
# Interactive TUI (recommended)
fortify
# Apply hardening profile
fortify --profile paranoid
# Score without changing anything
fortify --score
# Harden specific module
fortify --harden ssh
fortify --harden firewall
fortify --harden xray
# Backup current state
fortify --backup
# Restore from backup
fortify --restore
# Check what services are detected
fortify --detect
Typical Workflow
1. Set Up Your Server
Install your proxy or VPN backend using its official method:
- 3X-UI Panel for Xray
- WireGuard with SamNet-WG for VPN
- dnstm-setup for DNS tunnels
2. Run Fortify
fortify
It detects everything and shows your current security score.
3. Apply Hardening
Either use a one-click profile:
fortify --profile paranoid
Or selectively harden through the TUI — enable SMTP blocking, add geo-blocking, harden SSH, etc.
4. Verify
Check your new score. Address any remaining warnings.
Why Not Just Harden Manually?
| Manual | Fortify | |
|---|---|---|
| Time | 30+ minutes per service | 2 minutes total |
| Consistency | Easy to miss steps | Automated checklist |
| Multiple services | Check each separately | Scans all at once |
| Scoring | Subjective | Objective 0-100 score |
| Rollback | Hope you remember what you changed | One-click restore |
| Updates | Re-check everything after changes | Re-run and re-score |
Related Guides
- Server Hardening Guide — manual hardening walkthrough
- How to Secure SSH — SSH-specific hardening
- Fail2ban Setup — brute-force protection
- Complete Firewall Guide — UFW and iptables
- iptables Cheat Sheet — firewall rules reference
- UFW Cheat Sheet — simple firewall
- 3X-UI Panel Setup — Xray setup
- WireGuard Setup — VPN setup
- DNS Tunneling Guide — DNS tunnel setup
- Complete Self-Hosting Guide — server basics
SamNet Tools
| Tool | Purpose |
|---|---|
| fortify | Server security hardening |
| Port Scanner | Check which ports are open |
| VPN Leak Test | Verify proxy/VPN is working |
| IP Blacklist Checker | Check if your IP is flagged |
| SSL Certificate Checker | Verify TLS configuration |