Features: - PHP 8.4 support (from 8.3) - WordPress 7.0 (auto-update via WP-CLI) - Modern TLS 1.3 cipher suites (2026 best practices) - Fail2Ban security integration (5 jails: SSH, Nginx, WordPress, recidive) - Auto-update cron job for WordPress (weekly Minor updates) - Debian 14 Forky support (testing) - Ubuntu 25.04 support - Python 3.12 in GitHub Actions Security: - Fail2Ban with SSH brute force protection (24h ban) - WordPress wp-login.php protection (2h ban) - Nginx bot scanner protection - Recidive jail for repeat offenders (1 week ban) - Modern TLS ciphers (AEAD only) - HSTS 2 years for preload Documentation: - docs/autoupdate.md - WordPress auto-update guide - docs/fail2ban.md - Fail2Ban configuration guide - docs/troubleshooting.md - Updated with php_version variable Breaking changes: - PHP 8.4 is now the default (requires Ubuntu 20.04+ or Debian 11+)
155 lines
3.2 KiB
Markdown
155 lines
3.2 KiB
Markdown
# Fail2Ban Security Guide
|
|
|
|
## Overview
|
|
|
|
Fail2Ban is included in this project to protect your server against brute-force attacks. It monitors log files and bans IPs that show malicious behavior.
|
|
|
|
## Enabled Jails
|
|
|
|
| Jail | Description | Default Actions |
|
|
|------|-------------|-----------------|
|
|
| sshd | SSH brute force | Ban for 24h after 3 failures |
|
|
| nginx-http-auth | HTTP Auth failures | Ban for 1h after 5 failures |
|
|
| nginx-botsearch | Bot scanners | Ban for 2h after 2 failures |
|
|
| wordpress-login | WordPress login attempts | Ban for 2h after 5 failures |
|
|
| recidive | Repeat offenders | Ban for 1 week after 3 bans |
|
|
|
|
## Quick Commands
|
|
|
|
### Check Status
|
|
|
|
```bash
|
|
# See all bans
|
|
sudo fail2ban-client status
|
|
|
|
# See specific jail
|
|
sudo fail2ban-client status sshd
|
|
sudo fail2ban-client status wordpress-login
|
|
```
|
|
|
|
### Unban IP
|
|
|
|
```bash
|
|
# Unban specific IP
|
|
sudo fail2ban-client set sshd unbanip 192.168.1.100
|
|
sudo fail2ban-client unban 192.168.1.100
|
|
|
|
# Unban all
|
|
sudo fail2ban-client unban --all
|
|
```
|
|
|
|
### Manage Jails
|
|
|
|
```bash
|
|
# Disable a jail
|
|
sudo fail2ban-client set wordpress-login disabled
|
|
|
|
# Enable a jail
|
|
sudo fail2ban-client set wordpress-login enabled
|
|
```
|
|
|
|
## Log Files
|
|
|
|
- Fail2Ban log: `/var/log/fail2ban.log`
|
|
- Banned IPs database: `/var/lib/fail2ban/fail2ban.sqlite3`
|
|
|
|
## Configuration
|
|
|
|
### Default Settings
|
|
|
|
| Setting | Value | Description |
|
|
|--------|-------|-------------|
|
|
| bantime | 3600s (1h) | Default ban duration |
|
|
| findtime | 600s (10m) | Window to count failures |
|
|
| maxretry | 5 | Failures before ban |
|
|
| bantime.increment | true | Increase for repeat offenders |
|
|
|
|
### Add Trusted IP
|
|
|
|
Edit `/etc/fail2ban/jail.local`:
|
|
|
|
```ini
|
|
[DEFAULT]
|
|
ignoreip = 127.0.0.1/8 ::1 203.0.113.42
|
|
```
|
|
|
|
## Testing
|
|
|
|
### Test SSH Filter
|
|
|
|
```bash
|
|
sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
|
|
```
|
|
|
|
### Test WordPress Filter
|
|
|
|
```bash
|
|
sudo fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress-login.conf
|
|
```
|
|
|
|
## Whitelist Your IP (Important!)
|
|
|
|
Before testing, add your IP to the whitelist:
|
|
|
|
```bash
|
|
# Edit jail.local
|
|
sudo nano /etc/fail2ban/jail.local
|
|
|
|
# Add to [DEFAULT]:
|
|
ignoreip = 127.0.0.1/8 ::1 YOUR_IP_ADDRESS
|
|
```
|
|
|
|
## Troubleshooting
|
|
|
|
### No Bans Happen
|
|
|
|
1. Check log path: `sudo fail2ban-client get wordpress-login logpath`
|
|
2. Test filter: `sudo fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress-login.conf`
|
|
3. Verify log exists: `sudo tail /var/log/nginx/access.log`
|
|
|
|
### Locked Out
|
|
|
|
```bash
|
|
# Unban yourself
|
|
sudo fail2ban-client unban YOUR_IP
|
|
```
|
|
|
|
### Service Not Starting
|
|
|
|
```bash
|
|
# Check status
|
|
sudo systemctl status fail2ban
|
|
|
|
# Check logs
|
|
sudo journalctl -u fail2ban -n 50
|
|
```
|
|
|
|
## Customize Ban Time
|
|
|
|
For specific services, edit `/etc/fail2ban/jail.local`:
|
|
|
|
```ini
|
|
[sshd]
|
|
bantime = 86400 # 24 hours for SSH
|
|
|
|
[wordpress-login]
|
|
bantime = 7200 # 2 hours for WordPress
|
|
maxretry = 3 # Stricter for WordPress
|
|
```
|
|
|
|
## Disable Fail2Ban
|
|
|
|
```bash
|
|
# Stop service
|
|
sudo systemctl stop fail2ban
|
|
|
|
# Disable on boot
|
|
sudo systemctl disable fail2ban
|
|
```
|
|
|
|
## Security Notes
|
|
|
|
- Always whitelist your own IP before deploying
|
|
- SSH jail has strict settings (3 retries) - ensure you use SSH keys
|
|
- Incremental bans enabled - repeat offenders get longer bans
|
|
- Recidive jail bans for 1 week after 3 bans in 24h |