vps-harden 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 DukeDeSouth
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,119 @@
+# vps-harden
+
+Secure your VPS in 2 minutes. One command, zero knowledge required.
+
+```
+npx vps-harden 194.68.0.12
+```
+
+```
+[vps-harden]
+  Target: 194.68.0.12
+
+  ✓  1. Generate SSH key       ~/.ssh/vps_194_68_0_12_ed25519
+  ✓  2. Copy key to server     root@194.68.0.12
+  ✓  3. Create user            deploy (sudo)
+  ✓  4. Change SSH port        22 → 2222
+  ✓  5. Verify new port        deploy@194.68.0.12:2222 OK
+  ✓  6. Close port 22          Port 22 closed
+  ✓  7. Disable password auth  Password auth disabled
+  ✓  8. Disable root login     Root login disabled
+  ✓  9. Setup firewall         ufw on (2222, 80, 443)
+  ✓ 10. Install fail2ban       fail2ban on port 2222
+
+  ════════════════════════════════════════════════════
+  ✓ Server hardened successfully!
+
+  Connect with:
+  ssh -i ~/.ssh/vps_194_68_0_12_ed25519 -p 2222 deploy@194.68.0.12
+
+  Save this command. Port 22 is closed.
+  ════════════════════════════════════════════════════
+```
+
+## What it does
+
+1. **Generates SSH key** locally (ed25519, named after your server)
+2. **Copies key** to server via password auth
+3. **Creates non-root user** with passwordless sudo
+4. **Changes SSH port** (default: 2222)
+5. **Verifies new port works** before closing old one
+6. **Closes port 22** — only after verification
+7. **Disables password auth** — key-only access
+8. **Disables root login** — use your new user
+9. **Sets up UFW firewall** — allows SSH, HTTP, HTTPS
+10. **Installs fail2ban** — brute-force protection
+
+## Safety first
+
+The tool never locks you out:
+
+- Port 22 stays open until the new port is verified
+- Password auth stays on until key auth is confirmed
+- Every step has automatic rollback on failure
+- If anything fails, previous steps are undone in reverse order
+
+## Install
+
+```bash
+# Run instantly (no install)
+npx vps-harden 194.68.0.12
+
+# Or install globally
+npm i -g vps-harden
+```
+
+## Options
+
+```bash
+# Custom username and port
+vps-harden 194.68.0.12 --username admin --port 3322
+
+# Use existing SSH key
+vps-harden 194.68.0.12 --key ~/.ssh/id_ed25519
+
+# Preview without making changes
+vps-harden 194.68.0.12 --dry-run
+
+# Non-interactive (CI/scripts)
+vps-harden 194.68.0.12 --password "rootpass" --username deploy
+```
+
+| Flag | Default | Description |
+|------|---------|-------------|
+| `--password` | prompt | Root password |
+| `--username` | `deploy` | New username |
+| `--port` | `2222` | New SSH port |
+| `--key` | auto-generate | Existing SSH key path |
+| `--dry-run` | `false` | Preview without changes |
+
+## Requirements
+
+- Node.js 18+
+- macOS or Linux (local machine)
+- Ubuntu/Debian VPS with root SSH access
+
+## After hardening
+
+Your server is now protected with:
+
+- Non-standard SSH port (bots scan port 22)
+- Key-only authentication (no password brute-force)
+- Non-root user (limits damage if compromised)
+- UFW firewall (only SSH, HTTP, HTTPS open)
+- fail2ban (auto-bans repeated failed logins)
+
+## Why not a bash script?
+
+| | vps-harden | Bash scripts |
+|---|---|---|
+| Install | `npx` (instant) | `curl \| bash` (scary) |
+| Runs from | Your machine | On the server |
+| SSH key gen | Automatic | Manual |
+| Safety | Verify before close | Hope for the best |
+| Rollback | Automatic | None |
+| UI | Interactive TUI | Raw output |
+
+## License
+
+MIT

package/dist/cli.js

@@ -0,0 +1,656 @@
+#!/usr/bin/env node
+
+// src/cli.tsx
+import { render } from "ink";
+import meow from "meow";
+import { homedir } from "os";
+import { join } from "path";
+import { createInterface } from "readline";
+
+// src/app.tsx
+import { useState, useEffect } from "react";
+import { Box as Box3, Text as Text3 } from "ink";
+
+// src/components/Banner.tsx
+import { Box, Text } from "ink";
+import { jsx, jsxs } from "react/jsx-runtime";
+function Banner({ host: host2, dryRun }) {
+  return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", marginBottom: 1, children: [
+    /* @__PURE__ */ jsx(Text, { bold: true, color: "cyan", children: "[vps-harden]" }),
+    /* @__PURE__ */ jsxs(Box, { gap: 1, children: [
+      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "  Target:" }),
+      /* @__PURE__ */ jsx(Text, { bold: true, children: host2 }),
+      dryRun && /* @__PURE__ */ jsx(Text, { color: "yellow", bold: true, children: " [DRY RUN]" })
+    ] })
+  ] });
+}
+function Result({ host: host2, port, username, keyPath, success }) {
+  if (!success) {
+    return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", marginTop: 1, children: [
+      /* @__PURE__ */ jsx(Text, { color: "red", bold: true, children: "  \u2717 Hardening failed. Check errors above." }),
+      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "  Port 22 should still be open \u2014 your server is accessible." })
+    ] });
+  }
+  const sshCmd = `ssh -i ${keyPath} -p ${port} ${username}@${host2}`;
+  const configBlock = [
+    `Host ${host2.replace(/\./g, "-")}`,
+    `  HostName ${host2}`,
+    `  User ${username}`,
+    `  Port ${port}`,
+    `  IdentityFile ${keyPath}`
+  ].join("\n");
+  return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", marginTop: 1, children: [
+    /* @__PURE__ */ jsxs(Text, { children: [
+      "  ",
+      "\u2550".repeat(52)
+    ] }),
+    /* @__PURE__ */ jsxs(Text, { color: "green", bold: true, children: [
+      "  ",
+      "\u2713 Server hardened successfully!"
+    ] }),
+    /* @__PURE__ */ jsx(Text, { children: "" }),
+    /* @__PURE__ */ jsxs(Text, { dimColor: true, children: [
+      "  ",
+      "Connect with:"
+    ] }),
+    /* @__PURE__ */ jsxs(Text, { bold: true, color: "cyan", children: [
+      "  ",
+      sshCmd
+    ] }),
+    /* @__PURE__ */ jsx(Text, { children: "" }),
+    /* @__PURE__ */ jsxs(Text, { dimColor: true, children: [
+      "  ",
+      "Save this command. Port 22 is closed."
+    ] }),
+    /* @__PURE__ */ jsxs(Text, { children: [
+      "  ",
+      "\u2550".repeat(52)
+    ] }),
+    /* @__PURE__ */ jsx(Text, { children: "" }),
+    /* @__PURE__ */ jsxs(Text, { dimColor: true, children: [
+      "  ",
+      "Add to ~/.ssh/config:"
+    ] }),
+    configBlock.split("\n").map((line, i) => /* @__PURE__ */ jsxs(Text, { color: "gray", children: [
+      "  ",
+      line
+    ] }, i))
+  ] });
+}
+
+// src/components/StepList.tsx
+import { Box as Box2, Text as Text2 } from "ink";
+import { jsx as jsx2, jsxs as jsxs2 } from "react/jsx-runtime";
+var STATUS_ICON = {
+  pending: { icon: "\u25CB", color: "gray" },
+  running: { icon: "\u25CF", color: "cyan" },
+  done: { icon: "\u2713", color: "green" },
+  failed: { icon: "\u2717", color: "red" },
+  skipped: { icon: "~", color: "yellow" }
+};
+function StepList({ steps }) {
+  return /* @__PURE__ */ jsx2(Box2, { flexDirection: "column", children: steps.map((step, i) => {
+    const { icon, color } = STATUS_ICON[step.status] ?? STATUS_ICON.pending;
+    return /* @__PURE__ */ jsxs2(Box2, { gap: 1, children: [
+      /* @__PURE__ */ jsxs2(Text2, { color, bold: step.status === "running", children: [
+        "  ",
+        icon,
+        " ",
+        String(i + 1).padStart(2),
+        ". ",
+        step.name
+      ] }),
+      step.message && /* @__PURE__ */ jsxs2(Text2, { dimColor: true, children: [
+        "  ",
+        step.message
+      ] })
+    ] }, step.id);
+  }) });
+}
+
+// src/ssh.ts
+import { NodeSSH } from "node-ssh";
+var RemoteSSH = class {
+  ssh = new NodeSSH();
+  _host = "";
+  _port = 22;
+  async connect(host2, port, username, auth) {
+    this._host = host2;
+    this._port = port;
+    await this.ssh.connect({
+      host: host2,
+      port,
+      username,
+      ...auth.password ? { password: auth.password } : {},
+      ...auth.privateKeyPath ? { privateKeyPath: auth.privateKeyPath } : {},
+      readyTimeout: 15e3,
+      keepaliveInterval: 5e3
+    });
+  }
+  async exec(command, timeout = 3e4) {
+    const result = await this.ssh.execCommand(command, {
+      execOptions: { ...timeout ? {} : {} }
+    });
+    return {
+      stdout: result.stdout,
+      stderr: result.stderr,
+      code: result.code ?? 0
+    };
+  }
+  async uploadContent(content, remotePath) {
+    const dir = remotePath.substring(0, remotePath.lastIndexOf("/"));
+    await this.ssh.execCommand(`mkdir -p ${dir} && chmod 700 ${dir}`);
+    const escaped = content.replace(/'/g, "'\\''");
+    await this.ssh.execCommand(`echo '${escaped}' > ${remotePath} && chmod 600 ${remotePath}`);
+  }
+  get host() {
+    return this._host;
+  }
+  get port() {
+    return this._port;
+  }
+  isConnected() {
+    return this.ssh.isConnected();
+  }
+  dispose() {
+    this.ssh.dispose();
+  }
+};
+
+// src/engine.ts
+async function runSteps(steps, config, ssh, onUpdate) {
+  const completed = [];
+  for (const step of steps) {
+    onUpdate(step.id, "running");
+    if (config.dryRun) {
+      onUpdate(step.id, "done", `[dry-run] would ${step.name.toLowerCase()}`);
+      continue;
+    }
+    try {
+      const result = await step.run(config, ssh);
+      if (!result.success) {
+        onUpdate(step.id, "failed", result.message);
+        await rollbackCompleted(completed, config, ssh, onUpdate);
+        return false;
+      }
+      onUpdate(step.id, "done", result.message);
+      completed.push(step);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      onUpdate(step.id, "failed", msg);
+      await rollbackCompleted(completed, config, ssh, onUpdate);
+      return false;
+    }
+  }
+  return true;
+}
+async function rollbackCompleted(completed, config, ssh, onUpdate) {
+  for (const step of [...completed].reverse()) {
+    if (step.rollback) {
+      try {
+        await step.rollback(config, ssh);
+        onUpdate(step.id, "skipped", "rolled back");
+      } catch {
+      }
+    }
+  }
+}
+
+// src/steps/01-ssh-key.ts
+import { execSync } from "child_process";
+import { existsSync } from "fs";
+var sshKeyStep = {
+  id: "ssh-key",
+  name: "Generate SSH key",
+  async run(config, _ssh) {
+    if (existsSync(config.keyPath)) {
+      return { success: true, message: `Key exists: ${config.keyPath}` };
+    }
+    try {
+      execSync(
+        `ssh-keygen -t ed25519 -f "${config.keyPath}" -N "" -C "vps-harden@${config.host}"`,
+        { stdio: "pipe" }
+      );
+      return { success: true, message: config.keyPath };
+    } catch (err) {
+      return { success: false, message: `ssh-keygen failed: ${err}` };
+    }
+  },
+  async rollback(config) {
+    try {
+      const { unlinkSync } = await import("fs");
+      if (existsSync(config.keyPath)) unlinkSync(config.keyPath);
+      if (existsSync(config.keyPubPath)) unlinkSync(config.keyPubPath);
+    } catch {
+    }
+  }
+};
+
+// src/steps/02-copy-key.ts
+import { readFileSync } from "fs";
+var copyKeyStep = {
+  id: "copy-key",
+  name: "Copy key to server",
+  async run(config, ssh) {
+    try {
+      const pubKey = readFileSync(config.keyPubPath, "utf-8").trim();
+      await ssh.exec("mkdir -p /root/.ssh && chmod 700 /root/.ssh");
+      const { stdout: existing } = await ssh.exec('cat /root/.ssh/authorized_keys 2>/dev/null || echo ""');
+      if (existing.includes(pubKey)) {
+        return { success: true, message: "Key already on server" };
+      }
+      await ssh.exec(`echo "${pubKey}" >> /root/.ssh/authorized_keys`);
+      await ssh.exec("chmod 600 /root/.ssh/authorized_keys");
+      return { success: true, message: `Key copied to root@${config.host}` };
+    } catch (err) {
+      return { success: false, message: `Copy failed: ${err}` };
+    }
+  }
+};
+
+// src/steps/03-create-user.ts
+import { readFileSync as readFileSync2 } from "fs";
+var createUserStep = {
+  id: "create-user",
+  name: "Create user",
+  async run(config, ssh) {
+    const { username } = config;
+    try {
+      const { code } = await ssh.exec(`id ${username} 2>/dev/null`);
+      if (code === 0) {
+      } else {
+        await ssh.exec(`useradd -m -s /bin/bash ${username}`);
+      }
+      await ssh.exec(`usermod -aG sudo ${username}`);
+      const sudoLine = `${username} ALL=(ALL) NOPASSWD:ALL`;
+      await ssh.exec(`echo '${sudoLine}' > /etc/sudoers.d/${username}`);
+      await ssh.exec(`chmod 440 /etc/sudoers.d/${username}`);
+      const { code: visudoCode } = await ssh.exec(`visudo -cf /etc/sudoers.d/${username}`);
+      if (visudoCode !== 0) {
+        await ssh.exec(`rm -f /etc/sudoers.d/${username}`);
+        return { success: false, message: "sudoers syntax error \u2014 removed" };
+      }
+      const pubKey = readFileSync2(config.keyPubPath, "utf-8").trim();
+      await ssh.exec(`mkdir -p /home/${username}/.ssh && chmod 700 /home/${username}/.ssh`);
+      await ssh.exec(`echo "${pubKey}" > /home/${username}/.ssh/authorized_keys`);
+      await ssh.exec(`chmod 600 /home/${username}/.ssh/authorized_keys`);
+      await ssh.exec(`chown -R ${username}:${username} /home/${username}/.ssh`);
+      return { success: true, message: `${username} (sudo)` };
+    } catch (err) {
+      return { success: false, message: `User creation failed: ${err}` };
+    }
+  },
+  async rollback(config, ssh) {
+    await ssh.exec(`userdel -r ${config.username} 2>/dev/null || true`);
+    await ssh.exec(`rm -f /etc/sudoers.d/${config.username}`);
+  }
+};
+
+// src/steps/04-change-port.ts
+var changePortStep = {
+  id: "change-port",
+  name: "Change SSH port",
+  async run(config, ssh) {
+    const { sshPort } = config;
+    try {
+      await ssh.exec(`sed -i '/^Port /d' /etc/ssh/sshd_config`);
+      await ssh.exec(`sed -i '/^#Port /d' /etc/ssh/sshd_config`);
+      await ssh.exec(`echo "Port ${sshPort}" >> /etc/ssh/sshd_config`);
+      await ssh.exec(`echo "Port 22" >> /etc/ssh/sshd_config`);
+      await ssh.exec("systemctl restart sshd");
+      return { success: true, message: `Listening on 22 + ${sshPort}` };
+    } catch (err) {
+      return { success: false, message: `Port change failed: ${err}` };
+    }
+  },
+  async rollback(_config, ssh) {
+    await ssh.exec(`sed -i '/^Port /d' /etc/ssh/sshd_config`);
+    await ssh.exec(`echo "Port 22" >> /etc/ssh/sshd_config`);
+    await ssh.exec("systemctl restart sshd");
+  }
+};
+
+// src/steps/05-verify-port.ts
+var verifyPortStep = {
+  id: "verify-port",
+  name: "Verify new port",
+  async run(config, _ssh) {
+    const test = new RemoteSSH();
+    try {
+      await test.connect(config.host, config.sshPort, config.username, {
+        privateKeyPath: config.keyPath
+      });
+      const { stdout: whoami } = await test.exec("whoami");
+      if (whoami.trim() !== config.username) {
+        return { success: false, message: `Expected ${config.username}, got ${whoami.trim()}` };
+      }
+      const { stdout: sudoTest } = await test.exec("sudo whoami");
+      if (sudoTest.trim() !== "root") {
+        return { success: false, message: "sudo not working for new user" };
+      }
+      return {
+        success: true,
+        message: `${config.username}@${config.host}:${config.sshPort} OK`
+      };
+    } catch (err) {
+      return {
+        success: false,
+        message: `CANNOT connect on port ${config.sshPort} \u2014 aborting (port 22 still open). Error: ${err}`
+      };
+    } finally {
+      test.dispose();
+    }
+  }
+};
+
+// src/steps/06-close-old.ts
+var closeOldPortStep = {
+  id: "close-old",
+  name: "Close port 22",
+  async run(config, ssh) {
+    try {
+      await ssh.exec(`sed -i '/^Port 22$/d' /etc/ssh/sshd_config`);
+      await ssh.exec("systemctl restart sshd");
+      return { success: true, message: "Port 22 closed" };
+    } catch (err) {
+      return { success: false, message: `Failed to close port 22: ${err}` };
+    }
+  },
+  async rollback(_config, ssh) {
+    await ssh.exec(`echo "Port 22" >> /etc/ssh/sshd_config`);
+    await ssh.exec("systemctl restart sshd");
+  }
+};
+
+// src/steps/07-disable-pw.ts
+var disablePasswordStep = {
+  id: "disable-pw",
+  name: "Disable password auth",
+  async run(_config, ssh) {
+    try {
+      await ssh.exec(`sed -i 's/^#\\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config`);
+      await ssh.exec(`sed -i 's/^#\\?ChallengeResponseAuthentication .*/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config`);
+      await ssh.exec(`sed -i 's/^#\\?KbdInteractiveAuthentication .*/KbdInteractiveAuthentication no/' /etc/ssh/sshd_config`);
+      const { stdout } = await ssh.exec('grep -c "^PasswordAuthentication" /etc/ssh/sshd_config');
+      if (stdout.trim() === "0") {
+        await ssh.exec('echo "PasswordAuthentication no" >> /etc/ssh/sshd_config');
+      }
+      await ssh.exec("systemctl restart sshd");
+      return { success: true, message: "Password auth disabled" };
+    } catch (err) {
+      return { success: false, message: `Failed: ${err}` };
+    }
+  },
+  async rollback(_config, ssh) {
+    await ssh.exec(`sed -i 's/^PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config`);
+    await ssh.exec("systemctl restart sshd");
+  }
+};
+
+// src/steps/08-disable-root.ts
+var disableRootStep = {
+  id: "disable-root",
+  name: "Disable root login",
+  async run(_config, ssh) {
+    try {
+      await ssh.exec(`sed -i 's/^#\\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config`);
+      const { stdout } = await ssh.exec('grep -c "^PermitRootLogin" /etc/ssh/sshd_config');
+      if (stdout.trim() === "0") {
+        await ssh.exec('echo "PermitRootLogin no" >> /etc/ssh/sshd_config');
+      }
+      await ssh.exec("systemctl restart sshd");
+      return { success: true, message: "Root login disabled" };
+    } catch (err) {
+      return { success: false, message: `Failed: ${err}` };
+    }
+  },
+  async rollback(_config, ssh) {
+    await ssh.exec(`sed -i 's/^PermitRootLogin no/PermitRootLogin yes/' /etc/ssh/sshd_config`);
+    await ssh.exec("systemctl restart sshd");
+  }
+};
+
+// src/steps/09-ufw.ts
+var ufwStep = {
+  id: "ufw",
+  name: "Setup firewall",
+  async run(config, ssh) {
+    try {
+      await ssh.exec("apt-get update -qq && apt-get install -y -qq ufw", 12e4);
+      await ssh.exec("ufw default deny incoming");
+      await ssh.exec("ufw default allow outgoing");
+      await ssh.exec(`ufw allow ${config.sshPort}/tcp`);
+      await ssh.exec("ufw allow 80/tcp");
+      await ssh.exec("ufw allow 443/tcp");
+      const { stdout } = await ssh.exec("ufw status");
+      if (!stdout.includes(String(config.sshPort))) {
+        return { success: false, message: "SSH port not in ufw rules \u2014 aborting" };
+      }
+      await ssh.exec("ufw --force enable");
+      return { success: true, message: `ufw on (${config.sshPort}, 80, 443)` };
+    } catch (err) {
+      return { success: false, message: `Firewall setup failed: ${err}` };
+    }
+  },
+  async rollback(_config, ssh) {
+    await ssh.exec("ufw disable 2>/dev/null || true");
+  }
+};
+
+// src/steps/10-fail2ban.ts
+var fail2banStep = {
+  id: "fail2ban",
+  name: "Install fail2ban",
+  async run(config, ssh) {
+    try {
+      await ssh.exec("apt-get install -y -qq fail2ban", 12e4);
+      const jailConfig = [
+        "[sshd]",
+        "enabled = true",
+        `port = ${config.sshPort}`,
+        "filter = sshd",
+        "logpath = /var/log/auth.log",
+        "maxretry = 5",
+        "bantime = 3600",
+        "findtime = 600"
+      ].join("\n");
+      const escaped = jailConfig.replace(/'/g, "'\\''");
+      await ssh.exec(`echo '${escaped}' > /etc/fail2ban/jail.local`);
+      await ssh.exec("systemctl enable fail2ban && systemctl restart fail2ban");
+      return { success: true, message: `fail2ban on port ${config.sshPort}` };
+    } catch (err) {
+      return { success: false, message: `fail2ban failed: ${err}` };
+    }
+  },
+  async rollback(_config, ssh) {
+    await ssh.exec("apt-get remove -y fail2ban 2>/dev/null || true");
+  }
+};
+
+// src/steps/index.ts
+var allSteps = [
+  sshKeyStep,
+  copyKeyStep,
+  createUserStep,
+  changePortStep,
+  verifyPortStep,
+  closeOldPortStep,
+  disablePasswordStep,
+  disableRootStep,
+  ufwStep,
+  fail2banStep
+];
+
+// src/app.tsx
+import { jsx as jsx3, jsxs as jsxs3 } from "react/jsx-runtime";
+function App({ config }) {
+  const [stepStates, setStepStates] = useState(
+    allSteps.map((s) => ({ id: s.id, name: s.name, status: "pending" }))
+  );
+  const [done, setDone] = useState(false);
+  const [success, setSuccess] = useState(false);
+  const [error, setError] = useState(null);
+  useEffect(() => {
+    let cancelled = false;
+    async function run() {
+      const ssh = new RemoteSSH();
+      try {
+        if (!config.dryRun) {
+          await ssh.connect(config.host, 22, "root", {
+            password: config.rootPassword
+          });
+        }
+        const ok = await runSteps(allSteps, config, ssh, (stepId, status, message) => {
+          if (cancelled) return;
+          setStepStates(
+            (prev) => prev.map((s) => s.id === stepId ? { ...s, status, message } : s)
+          );
+        });
+        if (!cancelled) {
+          setSuccess(ok);
+          setDone(true);
+        }
+      } catch (err) {
+        if (!cancelled) {
+          setError(err instanceof Error ? err.message : String(err));
+          setDone(true);
+        }
+      } finally {
+        ssh.dispose();
+      }
+    }
+    run();
+    return () => {
+      cancelled = true;
+    };
+  }, []);
+  return /* @__PURE__ */ jsxs3(Box3, { flexDirection: "column", paddingX: 1, children: [
+    /* @__PURE__ */ jsx3(Banner, { host: config.host, dryRun: config.dryRun }),
+    /* @__PURE__ */ jsx3(StepList, { steps: stepStates }),
+    !done && /* @__PURE__ */ jsx3(Box3, { marginTop: 1, children: /* @__PURE__ */ jsxs3(Text3, { color: "yellow", children: [
+      "  ",
+      "Keep this terminal open!"
+    ] }) }),
+    error && /* @__PURE__ */ jsx3(Box3, { marginTop: 1, children: /* @__PURE__ */ jsxs3(Text3, { color: "red", children: [
+      "  ",
+      "Error: ",
+      error
+    ] }) }),
+    done && /* @__PURE__ */ jsx3(
+      Result,
+      {
+        host: config.host,
+        port: config.sshPort,
+        username: config.username,
+        keyPath: config.keyPath,
+        success
+      }
+    )
+  ] });
+}
+
+// src/cli.tsx
+import { jsx as jsx4 } from "react/jsx-runtime";
+var cli = meow(
+  `
+  Usage
+    $ vps-harden <server-ip> [options]
+
+  Options
+    --password    Root password (or will prompt)
+    --username    New username (default: deploy)
+    --port        New SSH port (default: 2222)
+    --key         Use existing SSH key (skip generation)
+    --dry-run     Preview steps without changes
+    --help        Show help
+    --version     Show version
+
+  Examples
+    $ vps-harden 194.68.0.12
+    $ vps-harden 194.68.0.12 --username admin --port 3322
+    $ vps-harden 194.68.0.12 --dry-run
+`,
+  {
+    importMeta: import.meta,
+    flags: {
+      password: { type: "string" },
+      username: { type: "string", default: "deploy" },
+      port: { type: "number", default: 2222 },
+      key: { type: "string" },
+      dryRun: { type: "boolean", default: false }
+    }
+  }
+);
+var host = cli.input[0];
+if (!host) {
+  console.error("Error: server IP is required\n");
+  console.error("Usage: vps-harden <server-ip>");
+  console.error("Example: npx vps-harden 194.68.0.12");
+  process.exit(1);
+}
+async function prompt(question, hidden = false) {
+  const rl = createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
+  if (hidden && process.stdout.isTTY) {
+    process.stdout.write(question);
+    return new Promise((resolve) => {
+      let input = "";
+      process.stdin.setRawMode(true);
+      process.stdin.resume();
+      process.stdin.setEncoding("utf8");
+      const onData = (char) => {
+        if (char === "\n" || char === "\r") {
+          process.stdin.setRawMode(false);
+          process.stdin.pause();
+          process.stdin.removeListener("data", onData);
+          rl.close();
+          process.stdout.write("\n");
+          resolve(input);
+        } else if (char === "") {
+          process.exit(0);
+        } else if (char === "\x7F") {
+          if (input.length > 0) {
+            input = input.slice(0, -1);
+            process.stdout.write("\b \b");
+          }
+        } else {
+          input += char;
+          process.stdout.write("*");
+        }
+      };
+      process.stdin.on("data", onData);
+    });
+  }
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer);
+    });
+  });
+}
+async function main() {
+  let password = cli.flags.password;
+  if (!password && !cli.flags.dryRun) {
+    password = await prompt(`Root password for ${host}: `, true);
+    if (!password) {
+      console.error("Password is required");
+      process.exit(1);
+    }
+  }
+  const sanitizedHost = host.replace(/[.:]/g, "_");
+  const keyName = `vps_${sanitizedHost}_ed25519`;
+  const keyPath = cli.flags.key ?? join(homedir(), ".ssh", keyName);
+  const config = {
+    host,
+    rootPassword: password ?? "",
+    username: cli.flags.username,
+    sshPort: cli.flags.port,
+    keyPath,
+    keyPubPath: `${keyPath}.pub`,
+    dryRun: cli.flags.dryRun
+  };
+  render(/* @__PURE__ */ jsx4(App, { config }));
+}
+main();

package/package.json

@@ -0,0 +1,50 @@
+{
+  "name": "vps-harden",
+  "version": "1.0.0",
+  "description": "Secure your VPS in 2 minutes. Interactive CLI wizard for SSH hardening.",
+  "type": "module",
+  "bin": {
+    "vps-harden": "dist/cli.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "start": "node dist/cli.js"
+  },
+  "keywords": [
+    "vps",
+    "hardening",
+    "ssh",
+    "security",
+    "server",
+    "firewall",
+    "ufw",
+    "fail2ban",
+    "cli",
+    "tui",
+    "devops"
+  ],
+  "author": "DukeDeSouth",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/DukeDeSouth/vps-harden.git"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "dependencies": {
+    "ink": "^6.8.0",
+    "meow": "^14.1.0",
+    "node-ssh": "^13.2.1",
+    "react": "^19.2.4"
+  },
+  "devDependencies": {
+    "@types/react": "^19.2.14",
+    "tsup": "^8.5.1",
+    "typescript": "^5.9.3"
+  }
+}