zerostaff/server-security-skill

Server Security Skill

A Claude Code / agent skill that audits and hardens basic security on a Debian/Ubuntu server over SSH. It always produces a read-only report first, applies changes only after explicit confirmation, and guards SSH changes with a 5-minute automatic rollback so that a misconfigured sshd_config cannot lock you out.

Based on the checklist in Server Security for AI Agents — Part 1.

Install

npx skills@latest add zerostaff/server-security-skill

When the picker shows up, select server-security and whichever agent (Claude Code, Codex, etc.) you want it installed into.

What it does

Eight checks, in two batches:

Batch A — safe fixes (no lockout risk):

  1. System packages up to date; sudo, curl, ufw, fail2ban, unattended-upgrades installed.
  2. A non-root user in the sudo group with a populated ~/.ssh/authorized_keys.
  3. Keys in authorized_keys are ed25519 or RSA ≥ 3072 bits.
  4. UFW is active with default-deny incoming, default-allow outgoing, and SSH allowed.
  5. Unattended-upgrades configured with automatic reboot at 04:00 and unused-kernel cleanup.
  6. Fail2ban active with the sshd jail enabled (bantime 1h, findtime 10m, maxretry 5, aggressive mode).
  7. visudo -c clean; each sudo user's home directory is mode 700.

Batch B — SSH hardening (lockout risk, runs with fail-safe rollback):

  1. /etc/ssh/sshd_config.d/01-hardening.conf enforces PermitRootLogin no, PasswordAuthentication no, PubkeyAuthentication yes, MaxAuthTries 3, LoginGraceTime 30, ClientAliveInterval 300, AllowUsers <deploy>, and disables X11/agent/TCP forwarding. The skill checks alphabetically-earlier drop-in files for conflicting directives (cloud-init images often set PasswordAuthentication yes in 00-cloud-init.conf, which would otherwise win).
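
The drop-in conflict check described above, as an added example that is not the skill's own code (its commands live in references/checks.md). It relies on sshd keeping the first value it reads for each keyword and reading included files in lexical order; the function names `directives`, `find_conflicts` and `demo` and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the skill's own code. sshd keeps the first value it reads
# for a keyword, so a drop-in that sorts before the hardening file overrides it.

# Print "keyword value" for each global directive in an sshd config file.
# Keywords are lower-cased; parsing stops at the first Match block because
# Match-scoped settings are conditional and are not compared here.
directives() {
  awk '/^[ \t]*(#|$)/ { next }
    { line = $0; sub(/^[ \t]+/, "", line)
      n = match(line, /[ \t=]/); if (n == 0) next
      key = tolower(substr(line, 1, n - 1)); if (key == "match") exit
      val = substr(line, n)
      sub(/^[ \t]*=?[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      print key, val }' "$1"
}

# find_conflicts DROPIN_DIR NEW_FILE: print one line per directive in a
# drop-in sorting before NEW_FILE's name that disagrees with NEW_FILE.
# Exit status is 1 when at least one conflict is found.
find_conflicts() (
  dir=$1; new=$2; name=${2##*/}; rc=0
  LC_ALL=C; export LC_ALL   # byte-order sort (assumed to match sshd's order)
  for f in "$dir"/*.conf; do
    [ -f "$f" ] || continue
    first=$(printf '%s\n' "${f##*/}" "$name" | sort | head -n 1)
    [ "$first" = "$name" ] && continue   # same name, or sorts after it
    while read -r key val; do
      want=$(directives "$new" |
        awk -v k="$key" '$1 == k { sub(/^[^ ]+ /, ""); print; exit }')
      [ -n "$want" ] && [ "$want" != "$val" ] || continue
      echo "${f##*/}: $key $val (hardening file sets $want)"
      rc=1
    done <<EOF
$(directives "$f")
EOF
  done
  exit "$rc"
)

# Demo on constructed files in a temporary directory.
demo() (
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
  printf 'PasswordAuthentication yes\n' > "$d/00-cloud-init.conf"
  printf 'X11Forwarding yes\n' > "$d/99-local.conf"
  printf 'PasswordAuthentication no\nX11Forwarding no\n' > "$d/01-hardening.conf"
  find_conflicts "$d" "$d/01-hardening.conf"
)
demo || echo "conflicts found: fix or remove the lines above before reloading ssh"
```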

The skill never reboots, never generates SSH keys on the server, never wipes user-added firewall rules, and never edits sshd_config without scheduling an automatic rollback first.

How the SSH rollback works

Before touching /etc/ssh/sshd_config.d/01-hardening.conf the skill:

  1. Validates the new file with sshd -t.
  2. Backs up the existing file (if any) to /tmp.
  3. Schedules a transient systemd-run unit to fire in 5 minutes that restores the backup and reloads ssh.
  4. Moves the new file into place and reloads ssh.
  5. Asks you to open a second terminal and confirm ssh <user>@<host> still works.
  6. Cancels the rollback only after you confirm. Silence rolls it back automatically.

Walk away from the keyboard mid-change and the worst that happens is ssh ends up exactly how it was 5 minutes ago.

Full protocol: skills/server-security/references/ssh-safety.md.

Requirements

  • Target server: Debian 11+ / Ubuntu 20.04+ (or a derivative). Other distros are explicitly out of scope for now.
  • Init system: systemd (the rollback uses systemd-run).
  • Connection: SSH access to the server with either root or a user with sudo. Connecting as root is fine on a fresh VPS — the skill will create the non-root user as part of the fixes.
  • Local agent: any coding agent that supports skills (Claude Code, Codex, etc.) installed via skills.sh.

What is not covered

This is the universal first-pass for any new server, not a full hardening guide. The skill explicitly does not touch:

  • Application-layer config (nginx, postgres, docker daemon, app secrets)
  • AppArmor / SELinux profiles
  • Network segmentation, VPN-only SSH, port knocking
  • 2FA on SSH (TOTP via PAM)
  • Centralised logging or SIEM
  • CIS / STIG benchmark compliance

See skills/server-security/references/checks.md for the precise scope of each check and the commands used.

Repository layout

.
├── .claude-plugin/
│   └── plugin.json            # skills.sh marketplace metadata
├── skills/
│   └── server-security/
│       ├── SKILL.md           # main skill instructions
│       └── references/
│           ├── checks.md      # per-check detection + remediation commands
│           └── ssh-safety.md  # SSH rollback protocol
├── LICENSE
└── README.md

License

MIT — see LICENSE.
