Linux File Permissions & Security
5 scripts · permissions · SSH · ports · certificates
Security hardening on Linux isn't a one-time task — it's a set of checks you run every time you set up a server, every time you deploy new software, and periodically on servers that have been running for a while. The checks are not exotic. Most of them come down to four questions: who can read what, who can connect from where, what ports are listening, and are the certificates current?
The scripts on this page answer those four questions. They don't require security tools, scanners, or paid software. They use chmod, ssh-keygen, ss, and openssl — the same tools that came with your Linux install.
File permissions are the most common security misconfiguration on Linux servers. The usual problem is not 777 on a web root (obviously wrong) but something subtler: world-readable configuration files containing database passwords, log directories writable by the web server user, or SSH authorized_keys files with group-write permissions, which sshd silently ignores but which indicate a broader permission problem. file-permissions-security audits and corrects the most common of these.
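The misconfigurations named above, as a read-only audit in POSIX shell. This is an added example, not the site's file-permissions-security script; the file-name patterns, the function names and the directories passed in are assumptions, and world-writable paths stand in for "writable by the web server user".

```shell
#!/bin/sh
# Added example: read-only audit of the permission problems described above.
# File-name patterns and the directories passed in are assumptions.
# Usage: audit_permissions /var/www /home

# Config-like files that any local user can read (o+r set).
world_readable_configs() {
    find "$1" -type f \( -name '.env' -o -name '*.env' -o -name '*.conf' \
        -o -name '*.ini' -o -name 'wp-config.php' \) -perm -004 -print
}

# Files and directories any local user can write (o+w set).
# Entries with the sticky bit (the /tmp convention) are skipped.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 ! -perm -1000 -print
}

# .ssh directories and authorized_keys files writable by group or other.
loose_ssh_paths() {
    find "$1" \( -type d -name '.ssh' -o -type f -name 'authorized_keys' \) \
        \( -perm -020 -o -perm -002 \) -print
}

# Print findings prefixed with a label; return 0 if there were any.
report() {
    label=$1 findings=$2
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" | sed "s|^|[$label] |"
        return 0
    fi
    return 1
}

# Run every check. Exit status 1 means at least one finding.
audit_permissions() {
    web_root=$1 ssh_root=$2 status=0
    if report world-readable-config "$(world_readable_configs "$web_root" 2>/dev/null)"; then status=1; fi
    if report world-writable "$(world_writable "$web_root" 2>/dev/null)"; then status=1; fi
    if report loose-ssh "$(loose_ssh_paths "$ssh_root" 2>/dev/null)"; then status=1; fi
    return "$status"
}
```

The audit changes nothing on disk; each finding is then tightened with chmod, for example 700 on a .ssh directory and 600 on authorized_keys.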
Open ports are the attack surface. Every port in LISTEN state on 0.0.0.0 is a service that can be reached from the internet. Most of them should be. Some of them shouldn't — debug interfaces left open, old services from previous configurations, packages that start listeners on install without asking. list-open-ports-linux maps your complete listening surface in one command. Run it on a new server before you open firewall rules.
SSH key authentication is the single highest-value security upgrade for any Linux server that accepts remote access. Disabling password authentication and switching to key pairs eliminates the entire class of brute-force SSH attacks. ssh-key-setup-script automates the setup so there's no manual copying of authorized_keys files and no risk of locking yourself out.
SSL certificate expiry is the silent failure. certbot renews automatically — until it doesn't. A failed renewal produces no alert visible to the user until the certificate expires and browsers start showing the warning. check-ssl-certificate-expiry runs the check from outside the server (the same way a browser would), catches the failure that the renewal hook misses, and gives you 30 days of warning before the site goes red.
Audits and corrects file permissions on web roots, config files, and SSH directories. Fixes the most common Linux permission misconfigurations.
Generates an SSH key pair and sets up key-based authentication. The setup that eliminates SSH password brute-force attacks.
Maps every port your server is listening on with the process name holding it. Run before opening firewall rules on a new server.
Reads the live TLS certificate from any domain and reports days until expiry. Catches the renewal failure that certbot misses.
Frees a port blocked by EADDRINUSE — lsof/ss discovery, SIGTERM, then SIGKILL escalation. Security-adjacent: identifies what is holding each port.