Back to MCP Servers

Kastell

Server security auditing and hardening toolkit. 413 security checks across 29 categories (SSH, Firewall, Docker, TLS, HTTP Headers), CIS/PCI-DSS/HIPAA compliance mapping, 19-step production hardening, fleet management, and forensic evidence collection. Supports Hetzner, DigitalO…

securitygonodedocker
By kastelldev
552Updated 4 days agoTypeScriptApache-2.0

Installation

npx -y kastell

Configuration

{
  "mcpServers": {
    "kastell": {
      "command": "npx",
      "args": ["-y", "kastell"]
    }
  }
}

How to use

  1. Run the installation command above (if needed)
  2. Open your Claude Code settings file (~/.claude/settings.json)
  3. Add the configuration to the mcpServers section
  4. Restart Claude Code to apply changes
<p align="center"> <img src="assets/logo.png" alt="Kastell" width="120" /> </p> <h1 align="center">Kastell</h1> <p align="center">Your infrastructure, fortified.</p>

English | Türkçe

Tests Coverage npm Downloads License GitHub stars Socket Badge Snyk Website DeepWiki Zero Telemetry

Why Kastell?

Server security is fragmented. Lynis scans but doesn't fix. OpenSCAP is powerful but complex. Custom scripts work until they don't -- and nobody maintains them. Each tool has its own output format, its own update cycle, its own learning curve.

Kastell takes a different approach: one CLI that audits, fixes, hardens, and monitors. Scan your server, apply safe fixes, lock it down to production standards, and keep watching -- all with the same tool.

AI-native from day one. Kastell ships with a built-in MCP server, so Claude, Cursor, or any MCP-compatible AI agent can manage your servers directly. Go from a prompt to production hardening in seconds.

You don't need four separate tools to secure a server.

Quick Start

# Interactive mode -- no commands to memorize
npx kastell

Running kastell without any arguments launches an interactive search menu with a gradient ASCII banner and quick-start examples. Browse actions by emoji-categorized groups, type to filter results instantly, and configure options step by step -- no need to remember any command names or flags.

 ██╗  ██╗  ██████╗  ███████╗████████╗███████╗██╗     ██╗
 ██║ ██╔╝  ██╔══██╗ ██╔════╝╚══██╔══╝██╔════╝██║     ██║
 █████╔╝   ███████║ ███████╗   ██║   █████╗  ██║     ██║
 ██╔═██╗   ██╔══██║ ╚════██║   ██║   ██╔══╝  ██║     ██║
 ██║  ██╗  ██║  ██║ ███████║   ██║   ███████╗███████╗███████╗
 ╚═╝  ╚═╝  ╚═╝  ╚═╝ ╚══════╝   ╚═╝   ╚══════╝╚══════╝╚══════╝

  KASTELL  v2.3.1  ·  Your infrastructure, fortified.

  $ kastell init --template production  → deploy a new server
  $ kastell status --all                → check all servers
  $ kastell secure setup                → harden SSH + fail2ban
  $ kastell maintain --all              → full maintenance cycle

? What would you like to do?
   Server Management
❯    Deploy a new server
     Add an existing server
     List all servers
     ...
   Security
     Harden SSH & fail2ban
     Manage firewall (UFW)
     ...

Each action includes sub-options (server mode, template, log source, port number, etc.) and a <- Back option to return to the main menu at any point.

If you already know the commands, you can still use them directly:

kastell init                    # Deploy a new server
kastell status my-server        # Check server status
kastell backup --all            # Backup all servers

Kastell handles server provisioning, SSH key setup, firewall configuration, and platform installation automatically.

What Makes Kastell Different?

ProblemSolution
Broke your server with an update?Pre-update snapshot protection via maintain
No idea if your server is healthy?Built-in monitoring, health checks, and doctor diagnostics
Security is an afterthought?Firewall, SSH hardening, SSL, and security audits built-in
Backups? Maybe someday...One-command backup & restore with manifest tracking
Managing multiple servers?--all flag across backup, maintain, status, and health
Existing server not tracked?kastell add brings any server under management
Don't want to memorize commands?Just run kastell -- interactive menu guides you

Kastell vs Alternatives

FeatureKastellLynisOpenSCAP
Installationnpm i -g kastellPackage managerPackage manager
LanguageTypeScriptShellC/Python
Security Checks449300+Varies by profile
Auto-FixSafe tierSuggest onlySuggest only
MCP (AI Agent)17 tools----
ComplianceCIS, PCI-DSS, HIPAACIS, HIPAACIS, STIG, PCI-DSS
Cloud Provision4 providers----
Hardening (Lock)24-step----
Remote MonitoringGuard daemon----
Telegram BotBuilt-in----
Platform SupportLinux (SSH)Linux/macOS/BSDLinux
LicenseApache 2.0GPL-3.0LGPL-2.1

What Can You Do?

Deploy

kastell                               # Interactive menu (recommended)
kastell init                          # Interactive setup (direct)
kastell init --provider hetzner       # Non-interactive
kastell init --config kastell.yml     # From YAML config
kastell init --template production    # Use a template
kastell init --mode bare              # Generic VPS (no platform)
kastell init --mode dokploy           # Dokploy (Docker Swarm PaaS)

Manage

kastell list                  # List all servers
kastell status my-server      # Check server status
kastell status --all          # Check all servers
kastell ssh my-server         # SSH into server
kastell restart my-server     # Restart server
kastell destroy my-server     # Destroy cloud server entirely
kastell add                   # Add existing server
kastell remove my-server      # Remove from local config
kastell config set key value  # Manage default configuration
kastell config validate       # Validate servers.yaml structure and types
kastell export                # Export server list to JSON
kastell import servers.json   # Import servers from JSON

Update & Maintain

kastell update my-server              # Update platform (Coolify or Dokploy, auto-detected)
kastell update my-server --dry-run    # Preview update without executing
kastell maintain my-server            # Full maintenance (snapshot + update + health + reboot)
kastell maintain my-server --dry-run  # Preview maintenance steps
kastell maintain --all                # Maintain all servers

Back Up & Restore

kastell backup my-server      # Backup DB + config
kastell backup --all          # Backup all servers
kastell restore my-server     # Restore from backup

Snapshots

kastell snapshot create my-server   # Create VPS snapshot (with cost estimate)
kastell snapshot list my-server     # List snapshots
kastell snapshot list --all         # List all snapshots across servers
kastell snapshot delete my-server   # Delete a snapshot

Security

kastell firewall status my-server   # Check firewall
kastell firewall setup my-server    # Configure UFW
kastell secure audit my-server      # Security audit
kastell secure setup my-server      # SSH hardening + fail2ban
kastell domain add my-server --domain example.com  # Set domain + SSL

Security Audit

kastell audit my-server                  # Full security audit (31 categories, 449 checks)
kastell audit my-server --json           # JSON output for automation
kastell audit my-server --threshold 70   # Exit code 1 if score below threshold
kastell audit my-server --fix            # Interactive fix mode (prompts per severity)
kastell audit my-server --fix --dry-run  # Preview fixes without executing
kastell audit my-server --watch          # Re-audit every 5 min, show only changes
kastell audit my-server --watch 60       # Custom interval (60 seconds)
kastell audit --host root@1.2.3.4       # Audit unregistered server
kastell audit my-server --badge          # SVG badge output
kastell audit my-server --report html    # Full HTML report
kastell audit my-server --score-only     # Just the score (CI-friendly)
kastell audit my-server --summary        # Compact dashboard view
kastell audit my-server --explain        # Explain failed checks with remediation guidance
kastell audit my-server --compliance cis # Filter by compliance framework (cis-level1, cis-level2, pci-dss, hipaa)

Security Hardening

kastell lock my-server                        # 24-step production hardening (SSH + UFW + sysctl + auditd + AIDE + Docker)
kastell lock my-server --dry-run              # Preview hardening steps without applying

Monitor & Debug

kastell monitor my-server             # CPU, RAM, disk usage
kastell logs my-server                 # View platform logs (Coolify or Dokploy)
kastell logs my-server -f              # Follow logs
kastell health                         # Health check all servers
kastell doctor                         # Check local environment

Supported Providers

ProviderStatusRegionsStarting Price
Hetzner CloudStableEU, US~€4/mo
DigitalOceanStableGlobal~$18/mo
VultrStableGlobal~$12/mo
Linode (Akamai)BetaGlobal~$12/mo

Prices reflect the cheapest plan with at least 2 GB RAM (required by Coolify and Dokploy). Bare mode has no minimum requirements -- plans start from ~$2.50/mo depending on provider. You can choose a different size during setup. Linode support is in beta -- community testing welcome.

Supported Platforms

PlatformMode FlagMin RAMMin CPUDescription
Coolify--mode coolify (default)2 GB2 vCPUDocker-based PaaS (port 8000)
Dokploy--mode dokploy2 GB2 vCPUDocker Swarm-based PaaS (port 3000)
Bare--mode bareGeneric VPS, no platform overhead

Kastell uses a PlatformAdapter architecture -- the same commands (update, maintain, logs, health) work across all platforms. The platform is stored in your server record and auto-detected on each command.

Developer Experience

FeatureCommand / FlagDescription
Dry Run--dry-runPreview destructive commands without executing. Available on: destroy, update, restart, remove, maintain, restore, firewall, domain, backup, snapshot, secure.
Shell Completionskastell completions bash|zsh|fishGenerate shell completion scripts for tab-completion of commands and options.
Config Validationkastell config validateCheck servers.yaml for structural and type errors using Zod strict schemas.
Version Checkkastell --versionShows current version and notifies if a newer version is available on npm.

YAML Config

Deploy with a single config file:

# kastell.yml
provider: hetzner
region: nbg1
size: cax11
name: my-coolify
fullSetup: true
domain: coolify.example.com
kastell init --config kastell.yml

Templates

TemplateBest ForIncludes
starterTesting, side projects1-2 vCPU, 2-4 GB RAM
productionLive applications2-4 vCPU, 4-8

View source on GitHub