IronTux is a powerful, offline, object-oriented Python script designed to secure fresh Linux installations (VPS or homelab) in seconds. It specializes in sealing your server against brute-force attacks, patching the infamous Docker firewall bypass issue, and applying kernel-level network security.
When you publish a container port, Docker writes its own iptables rules that take effect ahead of ufw's, silently exposing that port to the entire internet. IronTux automatically patches this critical vulnerability. Furthermore, securing a Linux server manually takes hours of configuring SSH, Fail2Ban, sysctl, and firewalls. IronTux automates this entire process with a 1-click rollback system, all while providing a beautiful terminal UI and advanced CLI customizations.
- 🛡️ Multi-Distro Support & OS Auto-Detection
  - Automatically adapts to Debian, Ubuntu, RHEL, CentOS, Rocky, SUSE, Arch, and Alpine Linux.
  - Dynamically selects the correct package manager (apt, dnf, zypper, pacman, apk).
- 🐳 Docker-Safe Firewall Automation
  - Docker Port Leak Fix: Automatically injects custom DOCKER-USER iptables rules into UFW to prevent Docker from exposing internal container ports to the public internet.
  - Implements a strict "Default Deny" policy.
  - Custom Ports: Interactively allows you to open additional custom ports (e.g., 8080/tcp, 51820/udp) alongside standard web and SSH ports.
- ⚙️ Deep Kernel Hardening (sysctl)
  - Enables TCP SYN Cookies to mitigate SYN flood DDoS attacks.
  - Enables Reverse Path Filtering (RP Filter) to prevent IP spoofing.
  - Disables ICMP Redirects to prevent MITM routing attacks.
  - Enables ASLR (Address Space Layout Randomization) to protect against buffer overflow exploits.
- 🔐 Zero-Trust SSH Hardening
  - Disables vulnerable root logins (PermitRootLogin no).
  - Enforces Public Key Authentication (PasswordAuthentication no).
  - Disables X11Forwarding and limits MaxAuthTries to 3.
- 🔄 Automated Patching & Anti-Bruteforce
  - Auto-Updates: Updates packages and configures unattended-upgrades (Debian) or dnf-automatic (RHEL) for silent background patching.
  - Fail2Ban: Installs and configures brute-force protection out of the box (1-hour ban after 3 failed login retries).
- 🔍 Post-Hardening Service Verification
  - Actively verifies if critical services (sshd, fail2ban, ufw/firewalld) are successfully running after configuration changes are made, alerting you instantly if something crashes.
- ⏪ 1-Click Rollback & System Snapshots
  - Before executing any changes, the script creates a .tar.gz backup archive of all critical configuration files (sshd_config, ufw rules, fstab, etc.).
  - Instantly revert your system to its previous state with a single command.
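The SSH settings named in the feature list can be checked independently after a run. The following is an added example, not IronTux's own code: it audits sshd_config text using sshd's first-value-wins rule and flags Match-block overrides. The function names, the sample config, and treating MaxAuthTries as a ceiling of 3 are assumptions.

```python
import re

# Settings from the feature list above; MaxAuthTries is treated as a ceiling.
EXPECTED = {"permitrootlogin": "no", "passwordauthentication": "no",
            "x11forwarding": "no", "maxauthtries": "3"}
# Upstream OpenSSH defaults, which apply when a keyword never appears.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "x11forwarding": "no", "maxauthtries": "6"}
LINE = re.compile(r"^(\w+)\s*=?\s*(.*)$")
# Constructed sample, not taken from a real host.
SAMPLE = """\
PermitRootLogin no
PasswordAuthentication no
PasswordAuthentication yes
maxauthtries=6
Match User backup
    PasswordAuthentication yes
"""


def compliant(key, value):
    if key == "maxauthtries":
        return value.isdigit() and int(value) <= int(EXPECTED[key])
    return value == EXPECTED[key]


def audit_sshd(config_text):
    """Return sorted findings; an empty list means the config complies."""
    effective, findings, in_match = {}, [], False
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:  # blank lines and '#' comments never match
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"').lower()
        if key == "match":
            in_match = True  # later lines are conditional overrides
        elif key in EXPECTED and in_match and not compliant(key, value):
            findings.append(f"{key}: Match block overrides to '{value}'")
        elif key in EXPECTED and not in_match:
            effective.setdefault(key, value)  # sshd keeps the first value
    for key in EXPECTED:
        value = effective.get(key, DEFAULTS[key])
        if not compliant(key, value):
            findings.append(f"{key}: global value is '{value}'")
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(audit_sshd(SAMPLE)) or "compliant")
```

On a live host, the output of sudo sshd -T is a better input than the raw file, because it also reflects settings pulled in through Include drop-ins.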
Make sure you have Python 3 and the rich UI library installed:

# Debian/Ubuntu
sudo apt update && sudo apt install python3-pip
sudo pip3 install rich
# RHEL/CentOS/Rocky
sudo dnf install python3-pip
sudo pip3 install rich

Clone the repository and run the script as root:

git clone https://github.com/YOUR_USERNAME/irontux.git
cd irontux
sudo python3 IronTux.py

Want to see what the script would do without changing anything on your system?

sudo python3 IronTux.py --dry-run

Are you an advanced user who only wants to apply specific hardening modules? IronTux supports CLI flags to skip certain operations:

# Skip system updates and patching
sudo python3 IronTux.py --no-update
# Harden everything EXCEPT the firewall (useful if you use a cloud provider's external firewall)
sudo python3 IronTux.py --skip-fw
# Skip SSH configuration (useful if you already configured it manually)
sudo python3 IronTux.py --skip-ssh
# Combine flags: Only apply Sysctl, User creation, and SSH Hardening
sudo python3 IronTux.py --no-update --skip-fw --skip-f2b

Made a mistake or locked yourself out? IronTux takes a snapshot of your system right before execution. You can easily restore your previous state:

sudo python3 IronTux.py --restore /var/backups/hardening_tool/snapshot_YYYYMMDD_HHMMSS.tar.gz

(This automatically extracts the old configuration files and restarts sshd, fail2ban, and your firewall instantly.)
Contributions, issues, and feature requests are welcome!
- Fork the Project
- Create your Feature Branch (git checkout -b feature/AmazingFeature)
- Commit your Changes (git commit -m 'Add some AmazingFeature')
- Push to the Branch (git push origin feature/AmazingFeature)
- Open a Pull Request
Distributed under the MIT License. See LICENSE for more information.
Built with ❤️ for secure homelabs and peaceful nights.