new feature provider cleanup

README.md

@@ -7,9 +7,9 @@
 [![Shell](https://img.shields.io/badge/Shell-Bash%204.4%2B-green)](https://www.gnu.org/software/bash/)
 [![Type](https://img.shields.io/badge/Type-Setup%20%26%20Hardening-blue)](https://github.com/buildplan/du_setup)
 
-**Version:** v0.69
+**Version:** v0.70
 
-**Last Updated:** 2025-10-13
+**Last Updated:** 2025-10-14
 
 **Compatible With:**
 
@@ -51,22 +51,22 @@ This script automates the initial setup and security hardening of a fresh Debian
 * For remote backups: An SSH-accessible server (e.g., Hetzner Storage Box) with credentials or SSH key access. For Hetzner, SSH (port 23) is used for rsync.
 * For Tailscale: A pre-auth key from [https://login.tailscale.com/admin](https://login.tailscale.com/admin) (standard, starts with `tskey-auth-`) or from a custom server (e.g., `https://ts.mydomain.cloud`).
 
-### 1\. Download & Prepare Script
+### 1. Download & Prepare Script
 
-```
+```bash
 wget https://raw.githubusercontent.com/buildplan/du_setup/refs/heads/main/du_setup.sh
 chmod +x du_setup.sh
 ```
 
-### 2\. Verify Script Integrity (Recommended)
+### 2. Verify Script Integrity (Recommended)
 
 To ensure the script has not been altered, you can verify its SHA256 checksum.
 
-**Option A: Automatic Check**
+#### Option A: Automatic Check
 
 This command downloads the official checksum file and automatically compares it against your downloaded script.
 
-```
+```bash
 # Download the official checksum file
 wget https://raw.githubusercontent.com/buildplan/du_setup/refs/heads/main/du_setup.sh.sha256
 
@@ -74,9 +74,9 @@ wget https://raw.githubusercontent.com/buildplan/du_setup/refs/heads/main/du_set
 sha256sum -c du_setup.sh.sha256
 ```
 
-**Option B: Manual Check**
+#### Option B: Manual Check
 
-```
+```bash
 # Generate the hash of your downloaded script
 sha256sum du_setup.sh
 ```
@@ -87,32 +87,33 @@ Compare the output hash to the one below. They must match exactly.
 
 Or echo the hash to check, it should output: `du_setup.sh: OK`
 
-```
-echo 8b9c3bee3e1c571561f46bdcb23dc1cd435a55934b4e91356e0a2545ab98772d du_setup.sh | sha256sum --check -
+```bash
+echo 8b9c3bee3e1c571561f46bdcb23dc1cd435a55934b4e91356e0a2545ab98772d du_setup.sh | sha256sum --check
 ```
 
-### 3\. Run the Script
+### 3. Run the Script
 
-**Interactively (Recommended)**
+#### Interactively (Recommended)
 
 Ideally run as root, if you are a sudo user you can switch to root with `sudo su`
 
-```
+```bash
 ./du_setup
 ```
+
 Alternatively run with sudo -E, -E flag preserve the environment variables.
 
-```
+```bash
 sudo -E ./du_setup.sh
 ```
 
-**Quiet Mode (For Automation)**
+#### Quiet Mode (For Automation)
 
-```
+```bash
 sudo -E ./du_setup.sh --quiet
 ```
 
-> **Warning**: The script pauses to verify SSH access on the new port before disabling old access methods. **Test the new SSH connection from a separate terminal before proceeding\!**
+> **Warning**: The script pauses to verify SSH access on the new port before disabling old access methods. **Test the new SSH connection from a separate terminal before proceeding!**
 >
 > Ensure your VPS provider’s firewall allows the custom SSH port, backup server’s SSH port (e.g., 23 for Hetzner Storage Box), and Tailscale traffic (UDP 41641 for direct connections).
 
@@ -139,6 +140,23 @@ sudo -E ./du_setup.sh --quiet
 | **Final Summary** | Generates a detailed report of all changes and saves it to `/var/log/du_setup_report_*.txt`. |
 | **Final Cleanup** | Removes unused packages and reloads system daemons. |
 
+## Provider Package Cleanup (Since v0.70)
+
+This script can now detect and optionally remove provider-installed packages, monitoring agents, and default users for enhanced security.
+
+### Usage
+
+* Preview what would be cleaned: `sudo ./du_setup.sh --cleanup-preview`
+* Run cleanup only: `sudo ./du_setup.sh --cleanup-only`
+* Skip cleanup: `sudo ./du_setup.sh --skip-cleanup`
+
+### What it detects
+
+* Cloud provider monitoring agents (DigitalOcean, Hetzner, Vultr, etc.)
+* Guest tools (qemu-guest-agent, cloud-init)
+* Default provisioning users (ubuntu, debian, admin, cloud-user)
+* Unexpected SSH keys in /root/.ssh/authorized_keys
+
 ## Logs & Backups
 
 * **Log Files**: `/var/log/du_setup_*.log`
@@ -201,16 +219,21 @@ After rebooting, verify the setup:
 If locked out, use your provider’s console:
 
 1. **Remove Hardened Configuration**:
-    ```
+
+    ```bash
     sudo rm /etc/ssh/sshd_config.d/99-hardening.conf
     ```
+
 2. **Restore Original `sshd_config`**:
-    ```
+
+    ```bash
     LATEST_BACKUP=$(ls -td /root/setup_harden_backup_* | head -1)
     sudo cp "$LATEST_BACKUP"/sshd_config.backup_* /etc/ssh/sshd_config
     ```
+
 3. **Restart SSH**:
-    ```
+
+    ```bash
     sudo systemctl restart ssh
     ```
 
@@ -227,9 +250,11 @@ If backups fail:
       * Review: `sudo less /var/log/backup_rsync.log`
       * If automated key copy fails: `cat /tmp/ssh-copy-id.log`
 3. **Test Backup Manually**:
-    ```
+
+    ```bash
     sudo /root/run_backup.sh
     ```
+
 4. **Verify Cron Job**:
       * Check: `sudo crontab -l`
       * Ensure: `5 3 * * * /root/run_backup.sh #-*- managed by setup_harden script -*-`
@@ -279,6 +304,6 @@ If Tailscale fails to connect:
       * Ensure UDP 41641 is open: `nc -zvu <tailscale-server> 41641`
       * Check VPS firewall for Tailscale traffic.
 
-## [MIT](https://github.com/buildplan/du_setup/blob/main/LICENSE) License
+## MIT [License](https://github.com/buildplan/du_setup/blob/main/LICENSE)
 
 This script is open-source and provided "as is" without warranty. Use at your own risk.