A production-ready, fully automated Bash script that optimizes and hardens Debian servers for OpenLiteSpeed + PHP + WordPress + MySQL/MariaDB workloads.
Non-interactive · Idempotent · Safe for production · Colorful hacker-style output

One command. 17 modules. Your Debian server goes from stock to battle-hardened and performance-tuned in minutes.

```bash
sudo bash setup.sh
```

This script automatically detects your system (RAM, CPU, SSD/HDD, Debian version, installed services) and applies dynamic, hardware-aware optimizations: no manual configuration needed.
| # | Module | Description |
|---|---|---|
| 1 | System Update & Packages | Updates system, installs essential tools (htop, iotop, ncdu, dnsutils, irqbalance, etc.) |
| 2 | UFW Firewall | Deny incoming/forward, allow SSH (rate-limited), HTTP, HTTPS, QUIC, OLS WebAdmin, loopback |
| 3 | Fail2Ban | 8 jails: SSH, SSH-DDoS, WordPress, OLS WebAdmin, bad bots, PHP-CGI, port scan, recidive |
| 4 | SSH Hardening | Root login disabled, hardened crypto (ChaCha20, AES-GCM, Curve25519), modern MACs & KEX |
| 5 | Kernel & Network | BBR congestion control, fq qdisc, TCP fast open, SYN flood protection, IRQ balancing |
| 6 | SSD Optimization | TRIM timer, mq-deadline/bfq scheduler, noatime, read_ahead_kb, tmpfs /tmp |
| 7 | OpenLiteSpeed | Connection tuning, LSCache dir, WordPress plugin detection, Brotli check, systemd limits |
| 8 | PHP Tuning | OPcache, JIT (PHP 8+), FPM pool workers, session security, expose_php=Off |
| 9 | MySQL/MariaDB | Dynamic InnoDB buffer pool, bind-address, slow query log + logrotate, skip_log_bin |
| 10 | phpMyAdmin | Blowfish secret, scanner bot blocking, security headers, setup/ removal, session hardening |
| 11 | System Limits | 1M file descriptors, 65k processes, systemd DefaultLimitNOFILE + DefaultLimitNPROC |
| 12 | Security Hardening | Core dump disable, cron/boot permissions, kernel modules blacklist, shared memory protection |
| 13 | Unattended Upgrades | Full policy: security-only, auto-clean, no auto-reboot, syslog enabled |
| 14 | Log Management | OLS logrotate, journald capped at 500MB, MySQL slow query log rotation |
| 15 | NTP Time Sync | systemd-timesyncd or ntpd with pool.ntp.org + Cloudflare/Google fallback |
- Debian 11 (Bullseye)
- Debian 12 (Bookworm)
- Debian 13 (Trixie)
- VPS and Dedicated / Bare Metal servers
- SSD and HDD (auto-detected)
- OpenLiteSpeed (auto-detected)
- LSPHP / PHP-FPM (auto-detected, all versions)
- MySQL / MariaDB (auto-detected, installs if missing)
- phpMyAdmin (auto-detected, installs if missing)
- WordPress (LSCache plugin detection)
- Root access (`sudo bash setup.sh`)
- Debian 11, 12, or 13 (the script validates this)
- Internet connection (for package installation)
```bash
# Download
wget https://raw.githubusercontent.com/administrakt0r/debian-optimizations-and-hardening-shell/main/setup.sh

# Make executable
chmod +x setup.sh

# Run as root
sudo bash setup.sh
```

Or clone the repository:

```bash
git clone https://github.com/administrakt0r/debian-optimizations-and-hardening-shell.git
cd debian-optimizations-and-hardening-shell
sudo bash setup.sh
```

- Default deny incoming & forwarding
- SSH rate-limiting prevents brute force
- HTTP/HTTPS/QUIC allowed
- OLS WebAdmin port (7080) if detected
- UFW logging enabled
- SSH → 3 attempts → progressive ban (1h → 1 week)
- SSH DDoS → rapid connection flood detection
- WordPress → `wp-login.php`/`xmlrpc.php` brute force
- OLS WebAdmin → failed login protection
- Bad Bots → automated scanner blocking
- PHP-CGI → URL fopen abuse detection
- Port Scan → common attack port detection
- Recidive → repeat offenders get 7-day ban
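The WordPress jail above works by matching failed logins in the web server's access log. The following is an added example, not the project's own `wordpress-auth.conf`: the `failregex` shown is an assumption about how such a filter can be written (WordPress answers a failed `wp-login.php` POST with HTTP 200 and re-renders the form, while a successful login redirects with 302, so the status code separates the two). The log lines are constructed, and the `grep`/`awk` functions reproduce what the filter would count so it can be checked offline without Fail2Ban installed.

```shell
# Constructed sample access-log lines (combined log format, not real traffic)
SAMPLE_LOG='203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:12:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Mar/2024:12:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"'

# Print an assumed filter file in Fail2Ban syntax (<HOST> is Fail2Ban's IP placeholder)
wordpress_auth_filter() {
  cat <<'EOF'
[Definition]
failregex = ^<HOST> .* "POST /(wp-login\.php|xmlrpc\.php)[^"]*" 200
ignoreregex =
EOF
}

# POSIX ERE equivalent of the failregex above, with <HOST> replaced by an IPv4 pattern
WP_AUTH_ERE='^[0-9]+(\.[0-9]+){3} .* "POST /(wp-login\.php|xmlrpc\.php)[^"]*" 200 '

# count_wp_auth_hits IP LOGTEXT: number of failed-login lines attributed to IP
count_wp_auth_hits() {
  ip="$1"
  printf '%s\n' "$2" | grep -E "$WP_AUTH_ERE" | grep -c "^$ip " || true
}

# wp_auth_offenders MAXRETRY LOGTEXT: IPs that reached the jail threshold
wp_auth_offenders() {
  maxretry="$1"
  printf '%s\n' "$2" | grep -E "$WP_AUTH_ERE" | cut -d' ' -f1 | sort | uniq -c \
    | awk -v n="$maxretry" '$1 >= n { print $2 }'
}

# Example run: the first address would be banned at maxretry = 3
wp_auth_offenders 3 "$SAMPLE_LOG"
```

The 302 line and the GET line are deliberately excluded: a successful login and a plain visit to the login page are not failures, and counting them would ban legitimate users. When tuning a real filter, run `fail2ban-regex /path/to/access.log /etc/fail2ban/filter.d/wordpress-auth.conf` against a day of logs before enabling the jail.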
- Root login disabled
- Password authentication kept enabled (as requested)
- Modern crypto only: `curve25519-sha256`, `chacha20-poly1305`, `aes256-gcm`
- `MaxAuthTries 3`, `LoginGraceTime 30s`
- X11, TCP, Agent forwarding disabled
- `kernel.kptr_restrict = 2` → hide kernel pointers
- `kernel.dmesg_restrict = 1` → restrict dmesg
- `kernel.randomize_va_space = 2` → full ASLR
- `kernel.sysrq = 0` → disable magic SysRq
- `fs.suid_dumpable = 0` → no SUID core dumps
- Anti-spoofing (`rp_filter`), SYN cookies, martian logging
- Core dumps disabled (limits.conf + systemd coredump)
- Shared memory: `noexec,nosuid,nodev`
- Boot directory: `chmod 750`
- Cron/at permissions tightened
- Blacklisted modules: `dccp,sctp,rds,tipc,cramfs,squashfs,hfs,udf`
- Automatic security updates (unattended-upgrades)
- TCP BBR congestion control with `fq` qdisc
- TCP Fast Open enabled (client + server)
- Optimized buffer sizes (`rmem`, `wmem`, `somaxconn`)
- SYN backlog increased to 8192
- `tcp_tw_reuse`, `tcp_slow_start_after_idle=0`
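The kernel hardening keys and the network keys above all end up in `/etc/sysctl.d/99-server-optimizations.conf`. What the page does not show is how to verify that the running kernel actually reflects that file after a reboot, a conflicting drop-in or a package upgrade. The example below is added here and is not the project's code: `render_sysctl_conf` prints the keys with the values the page lists (the values for `rp_filter`, `log_martians` and the `tcp_fastopen` bit mask 3 for client + server are assumptions, since the page names those keys without numbers), and `audit_sysctl` compares each key with the live value under `/proc/sys`, or under any directory passed as the second argument so it can be exercised against a constructed tree.

```shell
# Render the drop-in as this example assumes the script writes it
render_sysctl_conf() {
  cat <<'EOF'
# 99-server-optimizations.conf (example rendering, not the project's file)
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.randomize_va_space = 2
kernel.sysrq = 0
fs.suid_dumpable = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_congestion_control = bbr
net.core.default_qdisc = fq
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_slow_start_after_idle = 0
EOF
}

# audit_sysctl CONF [SYSROOT]: compare every "key = value" in CONF with the live
# value under SYSROOT (default /proc/sys). Prints one line per mismatch and
# returns the number of mismatches, so 0 means "no drift".
audit_sysctl() {
  conf="$1"; root="${2:-/proc/sys}"; drift=0
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    key=$(printf '%s' "$line" | cut -d= -f1 | tr -d ' ')
    want=$(printf '%s' "$line" | cut -d= -f2- | tr -d ' ')
    # sysctl keys map to paths: net.ipv4.tcp_syncookies -> net/ipv4/tcp_syncookies
    path="$root/$(printf '%s' "$key" | tr . /)"
    if [ -r "$path" ]; then
      have=$(cat "$path")
    else
      have='(missing)'
    fi
    if [ "$have" != "$want" ]; then
      printf '%s expected=%s actual=%s\n' "$key" "$want" "$have"
      drift=$((drift + 1))
    fi
  done < "$conf"
  return "$drift"
}
```

Usage on a live host: `render_sysctl_conf > /tmp/99.conf && audit_sysctl /tmp/99.conf` prints only the keys that differ and exits non-zero if any do, which makes it usable from a cron job or a monitoring check. A key reported as `(missing)` usually means the module or protocol is not loaded (or `tcp_bbr` is unavailable), not that the value is wrong.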
- Periodic TRIM via `fstrim.timer`
- `mq-deadline` scheduler for SSD, `bfq` for HDD
- `read_ahead_kb=256`, `nr_requests=256`
- `noatime` auto-applied in fstab
- `/tmp` on tmpfs (reduces SSD wear)
- Persistent tuning via udev rules
| RAM | Buffer Pool | Max Conn | Log File |
|---|---|---|---|
| < 2GB | 50% RAM | 75 | 64M |
| 2-4GB | 55% RAM | 100 | 256M |
| 4-8GB | 60% RAM | 150 | 512M |
| 8-16GB | 65% RAM | 200 | 1G |
| 16-32GB | 65% RAM | 300 | 2G |
| 32GB+ | 70% RAM | 500 | 4G |
- `bind-address = 127.0.0.1` (security)
- `local_infile = 0` (prevent file injection)
- Slow query log + logrotate
- `transaction_isolation = READ-COMMITTED` (WordPress-optimal)
- `skip_log_bin` for single-server setups
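The RAM table and the settings list above together define the MySQL/MariaDB module's output. As an added example (not the project's own function), the block below turns the table into a function and renders the resulting `[mysqld]` drop-in. Assumptions not stated on the page: bracket boundaries are lower-bound inclusive and upper-bound exclusive (so exactly 2048 MB falls into the 2-4GB row), the drop-in file name, the slow-log path and `long_query_time = 2` are illustrative, and the buffer pool is expressed in whole megabytes.

```shell
# mysql_tuning_for_ram RAM_MB: prints "buffer_pool_mb max_connections innodb_log_file_size"
# following the table above (boundary rule is an assumption)
mysql_tuning_for_ram() {
  ram="$1"
  if   [ "$ram" -lt 2048 ];  then pct=50; conn=75;  log=64M
  elif [ "$ram" -lt 4096 ];  then pct=55; conn=100; log=256M
  elif [ "$ram" -lt 8192 ];  then pct=60; conn=150; log=512M
  elif [ "$ram" -lt 16384 ]; then pct=65; conn=200; log=1G
  elif [ "$ram" -lt 32768 ]; then pct=65; conn=300; log=2G
  else                            pct=70; conn=500; log=4G
  fi
  printf '%s %s %s\n' "$((ram * pct / 100))" "$conn" "$log"
}

# Total RAM in MB as the script would detect it (Linux /proc/meminfo)
detect_ram_mb() { awk '/^MemTotal:/ { print int($2 / 1024) }' /proc/meminfo; }

# render_mysql_conf RAM_MB: emit the drop-in with the computed sizes plus the
# hardening settings listed above (file name in the comment is an assumption)
render_mysql_conf() {
  set -- $(mysql_tuning_for_ram "$1")
  cat <<EOF
[mysqld]
# example rendering of /etc/mysql/mariadb.conf.d/99-server-optimizer.cnf
bind-address            = 127.0.0.1
local_infile            = 0
skip_log_bin
transaction_isolation   = READ-COMMITTED
innodb_buffer_pool_size = ${1}M
innodb_log_file_size    = $3
max_connections         = $2
slow_query_log          = 1
slow_query_log_file     = /var/log/mysql/mariadb-slow.log
long_query_time         = 2
EOF
}

# Example run on this host
render_mysql_conf "$(detect_ram_mb)"
```

`bind-address = 127.0.0.1` is the one setting here that deserves a second look before applying: a WordPress install on the same box is unaffected, but any remote replica, backup host or monitoring agent that connects over TCP will lose access, so confirm with `ss -tnp | grep 3306` that nothing external is connected first.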
- OPcache: dynamic memory (128-512MB based on RAM)
- JIT compilation enabled for PHP 8+
- FPM pool workers auto-scaled to RAM
- Session security: `cookie_httponly`, `cookie_secure`, `use_strict_mode`
- `expose_php = Off`
- `max_input_vars = 10000`, `upload_max_filesize = 256M`
- Max connections auto-scaled to CPU cores
- File descriptor limits: 1,048,576
- LSCache directory created
- WordPress LSCache plugin detection
- Tuning notes written to `/root/ols-tuning-notes.txt`
| Path | Description |
|---|---|
| `/var/log/server-optimizer.log` | Full execution log |
| `/root/.server-optimizer-backups/<timestamp>/` | All original configs before modification |
| `/root/ols-tuning-notes.txt` | OLS WebAdmin tuning recommendations |
| `/etc/sysctl.d/99-server-optimizations.conf` | Kernel parameters |
| `/etc/fail2ban/jail.local` | Fail2Ban jail configuration |
| `/etc/fail2ban/filter.d/wordpress-auth.conf` | WordPress brute-force filter |
| `/etc/fail2ban/filter.d/openlitespeed-auth.conf` | OLS auth filter |
| `/etc/fail2ban/filter.d/port-scan.conf` | Port scan detection filter |
This script is designed to be run multiple times safely:
- ✓ Checks for existing configurations before writing
- ✓ Creates timestamped backups before every modification
- ✓ Uses markers to prevent duplicate entries
- ✓ Tests SSH config before restarting (`sshd -t`)
- ✓ Validates Debian version before proceeding
- ✓ Non-interactive: no prompts, no user input required
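Three of the points above (timestamped backups, marker-delimited blocks, validating before restart) are the mechanics that make a config-editing script safe to re-run. The block below is an added example of those mechanics and is not the project's own code: `apply_managed_block` keeps exactly one `# BEGIN name` / `# END name` block in a file no matter how often it runs, after copying the original into a backup tree laid out like `/root/.server-optimizer-backups/<timestamp>/`; `install_validated` puts a candidate file in place, runs a validator command (for sshd that would be `sshd -t`) and rolls back if it fails. The marker text, function names and the `grep` validators used in the self-test are assumptions.

```shell
# apply_managed_block FILE NAME CONTENT BACKUP_ROOT
# Replace (or append) the block between "# BEGIN NAME" and "# END NAME" in FILE,
# after backing the original up to BACKUP_ROOT/<timestamp>/. Re-running with the
# same arguments leaves one block, never two.
apply_managed_block() {
  target="$1"; name="$2"; content="$3"; backup_root="$4"
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$backup_root/$stamp"
  scratch=$(mktemp)
  if [ -f "$target" ]; then
    cp -p "$target" "$backup_root/$stamp/$(basename "$target")"
    # keep everything outside the previously managed block
    awk -v b="# BEGIN $name" -v e="# END $name" '
      $0 == b { skip = 1; next }
      $0 == e { skip = 0; next }
      !skip   { print }' "$target" > "$scratch"
  fi
  {
    printf '# BEGIN %s\n' "$name"
    printf '%s\n' "$content"
    printf '# END %s\n' "$name"
  } >> "$scratch"
  mv "$scratch" "$target"
}

# count_managed_blocks FILE NAME: how many BEGIN markers exist (should be 0 or 1)
count_managed_blocks() {
  grep -c "^# BEGIN $2\$" "$1" || true
}

# install_validated FILE CANDIDATE VALIDATOR [ARGS...]
# Copy CANDIDATE over FILE, run VALIDATOR, restore the previous content if it
# fails. Returns 0 on success, 1 on rollback. For sshd: install_validated
# /etc/ssh/sshd_config "$candidate" sshd -t
install_validated() {
  dest="$1"; cand="$2"; shift 2
  prev=''
  if [ -f "$dest" ]; then prev=$(mktemp); cp -p "$dest" "$prev"; fi
  cp "$cand" "$dest"
  if "$@"; then
    if [ -n "$prev" ]; then rm -f "$prev"; fi
    return 0
  fi
  if [ -n "$prev" ]; then mv "$prev" "$dest"; else rm -f "$dest"; fi
  return 1
}
```

The important property of `install_validated` is that the validator runs against the file in its final location, which is exactly what `sshd -t` checks; validating a temporary copy elsewhere can pass and still leave a broken `Include` or permission problem behind. Only restart `ssh.service` after the function returns 0, and keep the existing session open until a second login succeeds.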
- Root SSH login is disabled after running. Create a non-root user first: `adduser myuser && usermod -aG sudo myuser`
- Password authentication remains enabled: you can still log in with passwords.
- A reboot is recommended after running to apply all kernel and fstab changes.
- Review the log at `/var/log/server-optimizer.log` for any warnings.
- OLS WebAdmin changes require manual action via the web panel (port 7080).
The script uses modular functions: you can comment out any module in the `main()` function:

```bash
main() {
    show_banner
    check_root
    check_os
    detect_system
    install_packages
    setup_ufw
    setup_fail2ban
    harden_ssh
    optimize_kernel
    optimize_ssd
    optimize_openlitespeed
    optimize_php
    optimize_mysql
    setup_phpmyadmin
    optimize_system_limits
    harden_security
    configure_log_management
    configure_ntp
    show_summary
}
```

debian server hardening · debian optimization script · debian 12 bookworm security · debian 13 trixie hardening · openlitespeed optimization · wordpress server tuning · mysql mariadb performance tuning · php opcache jit · fail2ban wordpress · ufw firewall debian · ssh hardening script · linux server security · vps optimization · dedicated server hardening · bbr congestion control · ssd optimization linux · innodb buffer pool tuning · bash automation script · server security automation · debian production server
- LLM.kiwi: AI-powered tools and LLM resources. Explore large language model applications, comparisons, and tutorials.
- WPinEU.com: European WordPress hosting & optimization. GDPR-compliant WordPress hosting with OpenLiteSpeed & LSCache.
- administraktor.com: Server administration, DevOps, and Linux tutorials. Guides for Debian, OpenLiteSpeed, WordPress, and security hardening.
This project is open source and available under the MIT License.
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch (`git checkout -b feature/improvement`)
- Commit your changes (`git commit -am 'Add new feature'`)
- Push to the branch (`git push origin feature/improvement`)
- Open a Pull Request
If this script helped you, please star the repository and share it!
- Found a bug? Open an issue
- Have a suggestion? Start a discussion
- Share it with fellow sysadmins

Made with ⚡ by administrakt0r

LLM.kiwi · WPinEU.com · administraktor.com