One-Line Security Hardening for Ubuntu Servers
I wanted to deploy OpenClaw to Hetzner the other day, and it hit me again: basic security hardening of a VPS by hand is a pain. Editing sshd_config, creating users, configuring the firewall, setting up fail2ban, copying keys. It’s the same tedious checklist every time. Hardening a new server shouldn’t take more than a few seconds.
So I built a utility for it. One command, and you’re done.
secure-server - one-line security hardening for Ubuntu servers. Here’s what it does:
🔒 Disables root login and password authentication for SSH. No more default root access or password-based logins. SSH becomes key-only.
🔒 Creates a non-root app user with sudo. You get a dedicated user for running your app, with sudo when you need it, instead of doing everything as root.
🔒 Installs and configures UFW. The firewall is set up and enabled with sensible defaults so only what you need is open.
🔒 Installs and configures fail2ban. Brute-force attempts on SSH (and other services) get throttled and banned automatically.
🔒 Sets up SSH key authentication from your GitHub keys. Point it at your GitHub username and it pulls your public keys and configures them for the new user. No manual key copying.
The goal is simple: spin up a fresh Ubuntu box, run one command with your GitHub username (and optionally your new user name), and in under a minute you have a locked-down server with key-based SSH, a firewall, and fail2ban, without touching config files by hand.
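A check worth running after any hardening pass, as an added example that is not part of secure-server: sshd uses the first value it reads for each keyword, so a drop-in under /etc/ssh/sshd_config.d/ can silently override an edit to sshd_config. The function below audits the effective settings as printed by `sshd -T`; the function name, the expected-value policy and both sample dumps are constructed for this example.

```shell
# Added example: audit the effective sshd settings after hardening.
# Input on stdin is the format printed by `sshd -T`: one lowercase
# "keyword value" pair per line. The expected values are this
# example's policy, not taken from secure-server.
audit_sshd_effective() (
    dump=$(cat)
    failures=0
    for pair in \
        permitrootlogin:no \
        passwordauthentication:no \
        kbdinteractiveauthentication:no \
        pubkeyauthentication:yes \
        permitemptypasswords:no
    do
        key=${pair%%:*}
        want=${pair#*:}
        got=$(printf '%s\n' "$dump" |
            awk -v k="$key" 'tolower($1) == k { print tolower($2); exit }')
        if [ -z "$got" ]; then
            echo "MISSING $key (expected $want)"
            failures=$((failures + 1))
        elif [ "$got" != "$want" ]; then
            echo "FAIL    $key is '$got', expected '$want'"
            failures=$((failures + 1))
        else
            echo "ok      $key $got"
        fi
    done
    [ "$failures" -eq 0 ]
)

# Constructed sample: a host where the hardening is in effect.
SAMPLE_HARDENED='permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
permitemptypasswords no'

# Constructed sample: sshd_config was edited, but a drop-in that is
# read earlier (first value wins) still turns password logins on.
SAMPLE_OVERRIDDEN='permitrootlogin no
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes
permitemptypasswords no'

# On a real server: sudo sshd -T | audit_sshd_effective
printf '%s\n' "$SAMPLE_OVERRIDDEN" | audit_sshd_effective || echo "not hardened"
```

Run it from a second SSH session before closing the first one, so a failed check can still be fixed without losing access.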
If you’re tired of the same manual hardening routine every time you deploy a VPS, give it a try: github.com/shiroyasha/secure-server.