Build systems that stay stable, simple, and secure.
Hardened Linux ops with a modular framework: SELinux, firewall profiles, Fail2Ban jails, secure defaults, and clean dashboards — built to scale from solo VPS to enterprise-grade environments.
Hitsukaya builds security-focused tooling and infrastructure patterns — from hardened server baselines to composable Laravel-first UI — designed for production reliability and auditability.
Built for AlmaLinux/RHEL-like environments • DevOps-ready • Audit-friendly defaults
curl -fsSL https://hitsukaya.com/doragon/install.sh -o install-doragon.sh && bash install-doragon.sh
Harden. Operate. Observe.
Build a secure baseline, enforce a predictable posture, then monitor it continuously. Designed to stay auditable, minimal, and production-friendly.
Framework
Security-first hardening & operations for Linux VPS: Fail2Ban, firewall, timers, sane defaults, and a clean CLI.
- ✓ Modular scripts & configs
- ✓ Safe-by-default posture
- ✓ Audit-friendly structure
Hardened VPS Baselines
Opinionated deployment patterns for production: least privilege, reduced attack surface, monitored services.
- ✓ SELinux & permissions hygiene
- ✓ Log rotation + alerts
- ✓ Service health checks
Doragon Control Panel
A lightweight web interface for monitoring security posture, Fail2Ban activity, and service health across hardened VPS environments.
- ✓ Security score & diagnostics
- ✓ Fail2Ban monitoring
- ✓ Jobs history + downloadable reports
How Doragon works
Doragon applies a consistent baseline, verifies service posture, and produces auditable reports. No opaque automation — just clear modules and predictable outputs.
Identify platform capabilities (systemd, SELinux, Fail2Ban, firewall).
Apply baseline policies and safe defaults via modular operations.
Generate a security score + logs you can audit and archive.
doragon
├─ doragon status - Check quality review
├─ harden/* (apply baseline)
├─ services/* (verify services)
└─ report/* (score + output)
Secure by architecture
Doragon is designed to stay predictable and auditable. It avoids opaque automation and favors explicit configuration, clear modules, and rollback-friendly operations.
Principles
- ✓ Least privilege by default
- ✓ Auditable configuration and outputs
- ✓ Minimal moving parts
- ✓ Backup-first changes
Non-goals
- • No magic “one-click fix everything”
- • No hidden remote execution layer
- • No intrusive always-on agent (by default)
- • No destructive changes without confirmation
Responsible Disclosure
If you discover a security vulnerability related to Doragon or the Hitsukaya infrastructure, please report it responsibly. We take security issues seriously and aim to respond promptly.
- ✓ Provide a clear description of the issue
- ✓ Include reproduction steps if possible
- ✓ Avoid public disclosure before coordination
Designed for predictable operations
Doragon is a modular infrastructure framework operated through a CLI interface. The framework provides system checks, hardening modules, and reporting capabilities, while the CLI acts as the operational entry point for administrators.
┌─────────────────────────────────────────┐
│            Operator / Admin             │
│             SSH / terminal              │
└────────────────────┬────────────────────┘
                     │
                     │ doragon commands
                     ▼
┌─────────────────────────────────────────┐
│              CLI Interface              │
│          status • doctor • run          │
│            report • diagnose            │
└────────────────────┬────────────────────┘
                     │
                     │ invokes framework
                     ▼
┌─────────────────────────────────────────┐
│            Doragon Framework            │
│                                         │
│    modules     checks      services     │
│    security    network     reporting    │
│    helpers     configs     utilities    │
└────────────────────┬────────────────────┘
                     │
                     │ interacts with system
                     ▼
┌─────────────────────────────────────────┐
│             RHEL-like Host              │
│                                         │
│        systemd • SELinux • logs         │
│     Fail2Ban • firewall • services      │
│      system configuration & state       │
└─────────────────────────────────────────┘
(Observability Layer - Optional)
┌─────────────────────────────────────────┐
│          Doragon Control Panel          │
│                                         │
│             security score              │
│            activity timeline            │
│            reports & history            │
└─────────────────────────────────────────┘
Core idea
Doragon separates operational access from framework logic. The CLI exposes the framework capabilities while modules remain modular, auditable, and predictable.
Inputs / outputs
- ✓ Inputs: configuration profiles, service state, logs
- ✓ Outputs: system status, security score, audit reports
Panel boundary
The control panel focuses on observability and reporting. Core hardening logic remains inside the framework and CLI modules to keep operations transparent.
Operate from the command line
Doragon is operated through a clean CLI interface designed for predictable infrastructure operations and auditable system checks.
$ doragon status
Security score: 92
Fail2Ban: active
Firewall: active
SELinux: enforcing

$ doragon doctor
Checking services...
Checking SELinux...
Checking Fail2Ban...
System health: OK

$ doragon report
Collecting logs...
Analyzing services...
Generating audit report...
Report ready
Hardening you can audit.
Doragon is a modular infrastructure security framework operated through a CLI. It enforces strict defaults, keeps changes reversible, and produces reports meant to be archived.
- ✓ Coverage — SSH / HTTP / DB protections (Fail2Ban profiles & filters)
- ✓ Posture — strict defaults, minimal surface, least privilege
- ✓ Audit — status + score + reports designed for review and history
Security posture, executed via CLI.
Doragon is a modular hardening & operations toolkit for RHEL-like hosts. Changes are explicit, reversible, and designed for audit-friendly outputs.
- ✓ Fail2Ban coverage: SSH + web patterns (Nginx auth/error, app scans) with visible jails, bans, and safe unban workflows.
- ✓ Firewall baseline: A reduced attack surface by default: explicit ports, predictable rules, and clear status output.
- ✓ SELinux & permissions hygiene: Guardrails for production posture: consistent policy checks and permission sanity to avoid “silent drift”.
- ✓ Services & health visibility: Operational status for core services (web / db / cache) + system health (uptime, load, disk, memory).
- ✓ SSH / SFTP controls: Admin-friendly toggles and checks designed to be reversible, with backups before changes.
- ✓ SFTP access control: Manage SFTP access safely using a dedicated Doragon configuration. Access rules are defined in /etc/doragon/sftp.conf, keeping SSH configuration clean while maintaining reversible, backup-first updates.
- ✓ Diagnose + reports: Diagnostics that summarize posture and generate audit-ready reports for archiving and review.
Calm output. Clear posture.
Doragon prints operator-friendly output designed for terminals and audit trails. Commands are explicit, changes are reversible, and reports are built for archiving.
- ✓ Run a report per host and archive it consistently.
- ✓ Keep the same profile + modules across environments.
- ✓ Use stable naming for outputs (host + date).
- ✓ Prefer readable diffs over ad-hoc changes.
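The archiving practices above, as an added shell example that is not Doragon's own code: it names status snapshots by host + date and compares two of them field by field so posture drift shows up as a readable diff. It assumes the `Key: value` output shape shown for `doragon status` on this page; the file naming scheme, host name, dates and sample values are constructed.

```shell
#!/usr/bin/env bash
# Added example (not Doragon code): name status snapshots by host + date and
# diff two of them field by field. Assumes the "Key: value" output shape shown
# on this page. On a real host a snapshot would be captured with:
#   doragon status > "$(snapshot_name "$(hostname -s)" "$(date +%F)")"

# Stable archive name <host>-<YYYY-MM-DD>.status (hypothetical naming scheme).
snapshot_name() {
  printf '%s-%s.status\n' "$1" "$2"
}

# Print the value of one field from a snapshot file: status_field FILE KEY
status_field() {
  awk -F': *' -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Print "Key: old -> new" for every field that differs between OLD and NEW.
# Exit status 1 when anything drifted, 0 when the snapshots match.
posture_drift() {
  awk -F': *' '
    NR == FNR { old[$1] = $2; next }
    { seen[$1] = 1
      if (!($1 in old))       { print $1 ": (absent) -> " $2; d = 1 }
      else if (old[$1] != $2) { print $1 ": " old[$1] " -> " $2; d = 1 } }
    END { for (k in old) if (!(k in seen)) { print k ": " old[k] " -> (absent)"; d = 1 }
          exit d + 0 }
  ' "$1" "$2"
}

# Constructed sample snapshots; the second simulates a host that drifted.
demo_dir=$(mktemp -d)
cat > "$demo_dir/$(snapshot_name web01 2024-01-01)" <<'EOF'
Security score: 92
Fail2Ban: active
Firewall: active
SELinux: enforcing
EOF
cat > "$demo_dir/$(snapshot_name web01 2024-01-02)" <<'EOF'
Security score: 78
Fail2Ban: active
Firewall: active
SELinux: permissive
EOF
posture_drift "$demo_dir/web01-2024-01-01.status" "$demo_dir/web01-2024-01-02.status" \
  || echo "posture drift detected on web01"
```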
Defaults bias toward least privilege and reduced surface. Changes remain explicit and reversible.
Stable structure for score/WARN/CRIT and reports so evidence can be archived and compared over time.
- ✓ Config-first — baseline driven by /etc/doragon.
- ✓ Backup-first changes — rollback stays obvious before any write.
- ✓ No hidden automation — hardening logic remains in CLI modules.
- ✓ Panel boundary — panel (MVP) is observability + history.
Pick the pieces. Keep the root clean.
Small, auditable modules. Reversible changes. No hidden automation.
Clear answers, no marketing fog.
Security-first products need clarity. Here’s what Hitsukaya and Doragon are — and what they are not.
The baseline is opinionated, but not opaque. You should always be able to understand what changed, why it changed, and how to roll it back.