
Server hardening

npx shipnode harden

Applies a sensible baseline. Safe to re-run.

| Area | What it does |
| --- | --- |
| SSH | Disables password auth and root login. Only key auth. |
| Firewall | UFW: allow 22 / 80 / 443, deny inbound otherwise. |
| fail2ban | Enabled with the SSH jail (default ban window). |
| Updates | unattended-upgrades enabled for security patches. |

npx shipnode doctor --security

Reports current SSH config, open ports, fail2ban status, and any drift from the baseline.

If you’re using shipnode cloudflare, you can drop 80 and 443 from the firewall — only port 22 is needed inbound. Edit the UFW rules manually after running harden, or restrict ports 80/443 to Cloudflare IP ranges.
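
One way to do the manual step of restricting 80/443 to Cloudflare ranges, as an added example that is not part of shipnode: the script only prints the `ufw` commands so they can be reviewed before being run as root. Assumptions: the function names are hypothetical, the sample ranges are documentation placeholders rather than Cloudflare's real list, and `harden` is assumed to have created the open rules as `80/tcp` and `443/tcp` (confirm with `ufw status numbered`).

```shell
#!/bin/sh
# Constructed sample input: documentation ranges (RFC 5737 / RFC 3849), NOT
# Cloudflare's real list. Substitute the ranges Cloudflare currently publishes.
SAMPLE_RANGES='192.0.2.0/24
198.51.100.0/24
2001:db8::/32
# comment lines and blank lines are skipped

not-a-cidr'

# Accept only strings shaped like an IPv4 or IPv6 CIDR, so a corrupted or
# tampered list cannot inject extra shell words into the generated commands.
is_cidr() {
    case "$1" in
        *[!0-9a-fA-F:./]*|'') return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq \
        '^([0-9]{1,3}(\.[0-9]{1,3}){3}/([0-9]|[12][0-9]|3[0-2])|[0-9a-fA-F:]*:[0-9a-fA-F:]*/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8]))$'
}

# Read CIDRs on stdin; write ufw commands on stdout and rejects on stderr.
# Nothing is executed here: the output is a reviewable dry run.
cf_ufw_rules() {
    count=0
    while IFS= read -r line; do
        cidr=$(printf '%s' "$line" | sed 's/#.*//' | tr -d ' \t\r')
        [ -z "$cidr" ] && continue
        if is_cidr "$cidr"; then
            echo "ufw allow proto tcp from $cidr to any port 80,443"
            count=$((count + 1))
        else
            echo "skipped invalid entry: $cidr" >&2
        fi
    done
    # With no valid range, removing the open rules would take the site offline.
    if [ "$count" -eq 0 ]; then
        echo "no valid ranges; leaving existing 80/443 rules in place" >&2
        return 1
    fi
    # Assumption: the baseline rules exist as 80/tcp and 443/tcp allows.
    echo "ufw delete allow 80/tcp"
    echo "ufw delete allow 443/tcp"
}

printf '%s\n' "$SAMPLE_RANGES" | cf_ufw_rules
```

The allow rules are emitted before the deletes so web traffic from the listed ranges keeps flowing while the broad rules are removed; port 22 is untouched.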