### Enable and Start Fail2ban Service Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Enables the fail2ban service to start automatically on system boot and then starts the service immediately. This ensures continuous protection after configuration. ```bash sudo systemctl enable fail2ban sudo systemctl start fail2ban ``` -------------------------------- ### Troubleshoot Fail2ban Not Starting Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Steps to diagnose and resolve issues when Fail2ban fails to start. Includes checking for syntax errors, viewing logs, and verifying configuration. ```bash # Check for syntax errors sudo fail2ban-client -t # View error logs sudo journalctl -u fail2ban -n 50 # Check configuration sudo fail2ban-client -d ``` -------------------------------- ### Install Fail2ban on Ubuntu/Debian Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Installs the fail2ban package on Ubuntu and Debian-based systems using the apt package manager. This is the first step in setting up server protection against brute-force attacks. ```bash sudo apt update sudo apt install fail2ban -y ``` -------------------------------- ### Allow Common Services with UFW Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/firewall-configuration/SKILL.md Provides examples of UFW rules to allow common network services such as FTP, MySQL, PostgreSQL, SMTP, DNS, and custom application ports. ```bash # FTP sudo ufw allow 21/tcp # MySQL (remote access) sudo ufw allow 3306/tcp # PostgreSQL (remote access) sudo ufw allow 5432/tcp # SMTP sudo ufw allow 25/tcp # DNS sudo ufw allow 53 # Custom application port sudo ufw allow 8080/tcp ``` -------------------------------- ### Troubleshoot UFW Service Not Starting Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/firewall-configuration/SKILL.md Steps to diagnose and resolve issues with the UFW service not starting. This includes checking the service status, enabling and starting the service manually, and reviewing system journal logs for specific UFW errors. ```bash # Check status sudo systemctl status ufw # Enable UFW service sudo systemctl enable ufw sudo systemctl start ufw # Check for errors sudo journalctl -u ufw ``` -------------------------------- ### Install UFW Firewall Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/firewall-configuration/SKILL.md Installs the UFW (Uncomplicated Firewall) package on Ubuntu/Debian systems using apt. This is a prerequisite for configuring firewall rules. ```bash sudo apt update sudo apt install ufw -y ``` -------------------------------- ### Install Security Skills CLI Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/README.md Installs all security skills for VPS hardening using the skills CLI. This is a quick way to add the entire suite of security configurations. ```bash npx skills add mikr13/secure-server-setup-skills ``` -------------------------------- ### Cron Job Scheduling Examples Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/backup-strategy/SKILL.md Provides examples of common cron job schedules for automating backup scripts. Includes daily, weekly, monthly, and hourly schedules, along with examples for logging and error handling. ```bash # Daily at 2 AM 0 2 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1 # Weekly on Sunday at 3 AM 0 3 * * 0 /usr/local/bin/backup.sh # Daily at 2 AM, keep 30 days 0 2 * * * /usr/local/bin/backup.sh && find /backup -name "backup-*.tar.gz" -mtime +30 -delete # Every 6 hours 0 */6 * * * /usr/local/bin/backup.sh # Monthly on the 1st at midnight 0 0 1 * * /usr/local/bin/backup.sh ``` ```bash # Daily backup with logging and email on failure 0 2 * * * /usr/local/bin/backup.sh > /var/log/backup-$(date +\%Y\%m\%d).log 2>&1 || mail -s "Backup Failed" admin@example.com < /var/log/backup-$(date +\%Y\%m\%d).log ``` -------------------------------- ### Install Skills CLI or Clone Manually Source: https://context7.com/mikr13/secure-server-setup-skills/llms.txt Instructions for installing the VPS Security Skills using either the `skills` CLI or by manually cloning the Git repository. The `skills` CLI provides a streamlined installation process, while manual cloning offers more control. ```bash # Using skills CLI npx skills add mikr13/secure-server-setup-skills # Or clone manually git clone https://github.com/mikr13/secure-server-setup-skills.git ~/.skills/secure-server ``` -------------------------------- ### Install and Configure Fail2ban Source: https://context7.com/mikr13/secure-server-setup-skills/llms.txt Installs and configures Fail2ban to automatically detect and ban IP addresses exhibiting brute-force attack patterns. This script automates the installation and setup, providing a crucial layer of defense against unauthorized access attempts. ```bash # Run automated setup script sudo bash secure-server-setup/fail2ban-setup/scripts/setup-fail2ban.sh # Manual setup: # Step 1: Install fail2ban sudo apt install fail2ban -y # Step 2: Create local configuration (NEVER edit jail.conf) sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local ``` -------------------------------- ### AI Assistant Prompts for Server Hardening (Natural Language) Source: https://context7.com/mikr13/secure-server-setup-skills/llms.txt Example natural language prompts to instruct an AI assistant to perform various server hardening tasks. These prompts cover full security setups, specific skills like SSH hardening or backups, and Fail2ban configuration. ```text # Full security setup "Harden my new Ubuntu VPS server with all security best practices" # Specific skills "Set up SSH hardening and firewall on my server" "Configure automatic backups to AWS S3" "Install fail2ban to protect against brute-force attacks" ``` -------------------------------- ### Emergency VPS Hardening Script Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/README.md A bash script for rapid VPS hardening, covering essential security measures like system updates, user creation, basic firewall setup, and Fail2ban installation. It disables root password login as a critical immediate step. ```bash # Update everything sudo apt update && sudo apt upgrade -y # Create non-root user adduser deployer && usermod -aG sudo deployer # Basic firewall sudo apt install ufw sudo ufw default deny incoming sudo ufw default allow outgoing sudo ufw allow ssh sudo ufw enable # Fail2ban with defaults sudo apt install fail2ban sudo systemctl enable fail2ban # Disable root password login sudo passwd -l root ``` -------------------------------- ### Install Fail2ban on CentOS/RHEL Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Installs the fail2ban package on CentOS and RHEL-based systems using the yum package manager. It first ensures the EPEL repository is available, which is a prerequisite for fail2ban. ```bash sudo yum install epel-release -y sudo yum install fail2ban -y ``` -------------------------------- ### Fail2ban Configuration Files Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Lists the primary configuration files for Fail2ban, including main settings, jail overrides, filters, and actions. Explains the purpose of each file. ```text /etc/fail2ban/fail2ban.conf # Main fail2ban configuration /etc/fail2ban/fail2ban.local # Local fail2ban config (create if needed) /etc/fail2ban/jail.conf # Default jail configurations (don't edit!) /etc/fail2ban/jail.local # Local jail overrides (edit this!) /etc/fail2ban/jail.d/ # Additional jail configs /etc/fail2ban/filter.d/ # Log file filters /etc/fail2ban/action.d/ # Ban actions (iptables, ufw, etc.) /var/log/fail2ban.log # Fail2ban log file ``` -------------------------------- ### Clone Security Skills Manually Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/README.md Manually clones the secure server setup skills repository into the local skills directory. This method is useful for direct integration or custom setups. ```bash git clone https://github.com/mikr13/secure-server-setup-skills.git ~/.skills/secure-server ``` -------------------------------- ### Troubleshoot Fail2ban Jails Not Working Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Guidance on troubleshooting issues where Fail2ban jails are not functioning as expected. Involves checking jail status, configuration parameters, and testing filters against logs. ```bash # Check jail status sudo fail2ban-client status # View jail configuration sudo fail2ban-client get sshd maxretry sudo fail2ban-client get sshd bantime # Test filter against log fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf ``` -------------------------------- ### Get Fail2ban Statistics Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Commands to retrieve statistics about Fail2ban bans, such as the number of bans per jail, currently banned IPs, and total bans. Provides insights into attack patterns. ```bash # Count bans by jail sudo fail2ban-client status | grep "Jail list" # Count current bans sudo fail2ban-client status sshd | grep "Currently banned" # Total bans sudo fail2ban-client status sshd | grep "Total banned" ``` -------------------------------- ### Backblaze B2 Backup Upload Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/backup-strategy/references/backup-locations.md Details the steps to install the Backblaze B2 CLI, authorize your account, and upload a backup file to a specified bucket. ```bash # Install B2 CLI sudo pip3 install b2 # Authorize b2 authorize-account # Upload backup b2 upload-file my-bucket /backup/backup-2024-01-31.tar.gz backups/backup-2024-01-31.tar.gz ``` -------------------------------- ### Verify Fail2ban Service Status Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Checks the current status of the fail2ban service using systemctl. This command is used to confirm if fail2ban is running correctly after installation or configuration changes. ```bash sudo systemctl status fail2ban ``` -------------------------------- ### Configure Auto-Updates on Ubuntu/Debian Source: https://context7.com/mikr13/secure-server-setup-skills/llms.txt Automates the setup of unattended security updates on Ubuntu/Debian VPS servers using the `unattended-upgrades` package. This ensures that security vulnerabilities are patched automatically. Includes steps for installation, configuration, verification, and log viewing. ```bash # Run automated setup script sudo bash secure-server-setup/auto-updates/scripts/setup-auto-updates.sh # Or configure manually: # Step 1: Update system sudo apt update && sudo apt upgrade -y # Step 2: Install unattended-upgrades sudo apt install unattended-upgrades -y # Step 3: Enable automatic updates sudo dpkg-reconfigure unattended-upgrades # Step 4: Verify configuration sudo systemctl status unattended-upgrades # Test with dry run sudo unattended-upgrade --dry-run --debug # View logs sudo cat /var/log/unattended-upgrades/unattended-upgrades.log ``` -------------------------------- ### Manage UFW Application Profiles Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/firewall-configuration/SKILL.md Commands to list, view details of, and create custom application profiles for UFW. Custom profiles are defined in `/etc/ufw/applications.d/` and require updating UFW after creation. ```bash sudo ufw app list sudo ufw app info 'Nginx Full' # Create /etc/ufw/applications.d/myapp with content: # [MyApp] # title=My Application # description=My custom application # ports=8080,8443/tcp sudo ufw app update MyApp sudo ufw allow 'MyApp' ``` -------------------------------- ### Check Firewall Rules for Fail2ban Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Commands to inspect firewall rules (iptables and UFW) that Fail2ban manages. Useful for verifying that Fail2ban is correctly applying bans. ```bash # View iptables rules sudo iptables -L -n # View fail2ban chains sudo iptables -L fail2ban-sshd -n # View UFW status sudo ufw status numbered ``` -------------------------------- ### Monitor Fail2ban Logs Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Commands to view Fail2ban's log file and filter for ban/unban events. Helps in monitoring Fail2ban's activity and troubleshooting issues. ```bash # View fail2ban log sudo tail -f /var/log/fail2ban.log # View recent bans sudo grep "Ban" /var/log/fail2ban.log # View unbans sudo grep "Unban" /var/log/fail2ban.log ``` -------------------------------- ### Restart Fail2ban Service Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Commands to restart the Fail2ban service and check its status. Necessary after significant configuration changes or if the service is unresponsive. ```bash # Restart fail2ban sudo systemctl restart fail2ban # Check status sudo systemctl status fail2ban ``` -------------------------------- ### Create Custom Fail2ban Filter and Jail Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Steps to create a custom Fail2ban filter for a specific application and configure a corresponding jail. Includes defining regex patterns and setting jail parameters. ```ini [Definition] failregex = ^.*Failed login attempt from .* ^.*Invalid user .* from .* ignoreregex = [myapp] enabled = true port = 8080 filter = myapp logpath = /var/log/myapp/access.log maxretry = 5 bantime = 3600 ``` -------------------------------- ### Create Fail2ban Local Configuration Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Copies the default fail2ban configuration file (`jail.conf`) to a local file (`jail.local`). This is a crucial step to ensure custom configurations are preserved during package updates. ```bash sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local ``` -------------------------------- ### AWS S3 Backup Upload and Lifecycle Policy Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/backup-strategy/references/backup-locations.md Demonstrates how to install the AWS CLI, configure credentials, upload a backup file to an S3 bucket, and configure a lifecycle policy for managing backup retention and archival. ```bash # Install AWS CLI sudo apt install awscli # Configure credentials aws configure # Upload backup aws s3 cp /backup/backup-2024-01-31.tar.gz s3://my-backups/ ``` ```json { "Rules": [ { "Id": "Archive old backups", "Status": "Enabled", "Transitions": [ { "Days": 30, "StorageClass": "GLACIER" }, { "Days": 90, "StorageClass": "DEEP_ARCHIVE" } ], "Expiration": { "Days": 365 } } ] } ``` -------------------------------- ### Enable, Disable, and Reload UFW Firewall Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/firewall-configuration/SKILL.md Commands to control the UFW firewall service. This includes enabling the firewall to start enforcing rules, disabling it to temporarily stop enforcement, and reloading rules after configuration changes. ```bash # Enable firewall sudo ufw enable # Disable firewall (temporarily) sudo ufw disable # Reload rules sudo ufw reload ``` -------------------------------- ### Reload Fail2ban Configuration Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Commands to reload Fail2ban's configuration without restarting the service, preserving existing bans. Also shows how to reload specific jails. ```bash # Reload without restarting (keeps existing bans) sudo fail2ban-client reload # Reload specific jail sudo fail2ban-client reload sshd ``` -------------------------------- ### Automate Server Backups (Bash) Source: https://context7.com/mikr13/secure-server-setup-skills/llms.txt Scripts for performing full server backups, database dumps (MySQL/MariaDB), and synchronizing backups to AWS S3. Includes examples for running backups manually, with credentials, and scheduling them using cron. ```bash # Run full server backup sudo bash secure-server-setup/backup-strategy/scripts/backup-full.sh # Run MySQL/MariaDB backup sudo bash secure-server-setup/backup-strategy/scripts/backup-mysql.sh # Or with credentials: DB_USER=root DB_PASS=yourpassword sudo -E bash secure-server-setup/backup-strategy/scripts/backup-mysql.sh # Upload to AWS S3 # First, configure AWS CLI: aws configure sudo bash secure-server-setup/backup-strategy/scripts/backup-to-s3.sh # Schedule automated backups with cron sudo crontab -e # Add these lines: # Daily full backup at 2 AM 0 2 * * * /path/to/secure-server-setup/backup-strategy/scripts/backup-full.sh >> /var/log/backup.log 2>&1 # Daily MySQL backup at 1 AM 0 1 * * * /path/to/secure-server-setup/backup-strategy/scripts/backup-mysql.sh >> /var/log/mysql-backup.log 2>&1 ``` -------------------------------- ### Check Fail2ban Status Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Commands to check the overall status of Fail2ban and the status of specific jails. Useful for verifying if Fail2ban is running and protecting services. ```bash # Overall status sudo fail2ban-client status # Specific jail status sudo fail2ban-client status sshd ``` -------------------------------- ### Test Fail2ban Filters Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Command to test if a Fail2ban filter correctly matches log lines. Essential for creating and debugging custom filters before deploying them. ```bash fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf ``` -------------------------------- ### Configure Global Fail2ban Settings Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Sets global parameters for Fail2ban, including ban time, find time window, and maximum retries before an IP is banned. These settings define the general behavior of the protection. ```ini [DEFAULT] bantime = 3600 findtime = 600 maxretry = 3 destemail = admin@example.com sendername = Fail2ban action = %(action_)s ``` -------------------------------- ### Configure UFW Firewall Source: https://context7.com/mikr13/secure-server-setup-skills/llms.txt Sets up UFW (Uncomplicated Firewall) to restrict network access and minimize the server's attack surface. This includes installing UFW, setting default policies, allowing essential ports (like SSH and web traffic), enabling the firewall, and verifying the configuration. ```bash # Run automated setup script (interactive) sudo bash secure-server-setup/firewall-configuration/scripts/setup-firewall.sh # Manual setup: # Step 1: Install UFW sudo apt install ufw -y # Step 2: Set default policies (BEFORE enabling!) sudo ufw default deny incoming sudo ufw default allow outgoing # Step 3: Allow SSH (CRITICAL - do this before enabling) sudo ufw allow ssh # Or for custom port: sudo ufw allow 2222/tcp # Step 4: Allow web traffic (if running web server) sudo ufw allow 80/tcp sudo ufw allow 443/tcp # Step 5: Enable firewall sudo ufw enable # Step 6: Verify configuration sudo ufw status verbose # Output: # Status: active # Default: deny (incoming), allow (outgoing) # To Action From # 22/tcp ALLOW IN Anywhere # 80/tcp ALLOW IN Anywhere # 443/tcp ALLOW IN Anywhere # Advanced rules: # Allow from specific IP only sudo ufw allow from 203.0.113.10 to any port 22 # Rate limit SSH (max 6 connections in 30 seconds) sudo ufw limit 22/tcp # Delete a rule sudo ufw status numbered sudo ufw delete 3 # View logs sudo tail -f /var/log/ufw.log ``` -------------------------------- ### Common Log File Paths for Fail2ban Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Lists common log file locations for SSH and web server access/error logs across different Linux distributions. Helps in configuring the `logpath` in Fail2ban jails. ```text # Ubuntu/Debian SSH logs /var/log/auth.log # CentOS/RHEL SSH logs /var/log/secure # Nginx logs /var/log/nginx/error.log /var/log/nginx/access.log ``` -------------------------------- ### Enable and Verify UFW Firewall Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/firewall-configuration/SKILL.md Enables the UFW firewall after rules have been configured and provides a command to verify the active status and applied rules. This ensures the firewall is operational and correctly configured. ```bash # Enable UFW (confirm when prompted) sudo ufw enable # Check firewall status and rules sudo ufw status verbose ``` -------------------------------- ### View Banned IPs with Fail2ban Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Commands to view IP addresses that have been banned by Fail2ban. This helps in identifying malicious activity and understanding which IPs are currently blocked. ```bash # List banned IPs for SSH sudo fail2ban-client status sshd # List all banned IPs sudo fail2ban-client banned ``` -------------------------------- ### Configure WordPress Authentication Protection Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Sets up Fail2ban to protect WordPress sites from brute-force login attempts. It monitors authentication logs for suspicious activity targeting the WordPress login page. ```ini [wordpress-auth] enabled = true port = http,https filter = wordpress-auth logpath = /var/log/auth.log maxretry = 3 ``` -------------------------------- ### UFW Advanced: Port Ranges and Rate Limiting Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/firewall-configuration/SKILL.md Illustrates UFW configurations for opening a range of TCP ports and implementing rate limiting to protect against brute-force attacks, particularly for services like SSH. ```bash # Allow a range of TCP ports sudo ufw allow 6000:6007/tcp # Limit SSH connections (e.g., 6 attempts per 30 seconds) sudo ufw limit 22/tcp ``` -------------------------------- ### Enable IPv6 Support in UFW Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/firewall-configuration/SKILL.md Instructions to enable IPv6 support for UFW by modifying the configuration file and then reloading the firewall rules. This ensures that UFW rules apply to both IPv4 and IPv6 traffic. ```bash # Edit /etc/default/ufw and set IPV6=yes # Then reload: sudo ufw reload ``` -------------------------------- ### Configure Fail2ban Recidive Jail for Permanent Bans Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Enables the 'recidive' jail in Fail2ban, which automatically bans IPs that have been banned multiple times previously. This provides a layer of defense against persistent attackers. ```ini [recidive] enabled = true filter = recidive logpath = /var/log/fail2ban.log bantime = 604800 findtime = 86400 maxretry = 3 ``` -------------------------------- ### UFW Advanced: Allow from Specific IPs Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/firewall-configuration/SKILL.md Demonstrates how to create UFW rules that allow incoming traffic only from specific IP addresses or subnets. This enhances security by restricting access to authorized sources. ```bash # Allow SSH only from a specific IP sudo ufw allow from 203.0.113.10 to any port 22 # Allow MySQL only from an application server IP sudo ufw allow from 203.0.113.20 to any port 3306 # Allow traffic from an entire subnet sudo ufw allow from 192.168.1.0/24 ``` -------------------------------- ### Troubleshoot Service Accessibility with UFW Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/firewall-configuration/SKILL.md Commands to diagnose why a service might not be accessible after configuring UFW. This involves checking if the port is allowed by UFW, verifying if the service is listening, and examining UFW logs for any blocked traffic. ```bash # Check if port is allowed sudo ufw status | grep # Check if service is listening sudo ss -tulpn | grep # Check logs for blocks sudo tail -f /var/log/ufw.log ``` -------------------------------- ### Configure UFW Logging Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/firewall-configuration/SKILL.md Commands to manage logging for the UFW firewall. This includes enabling logging, setting the logging level (low, medium, high, full), and disabling logging. Logs are typically found at `/var/log/ufw.log`. ```bash # Enable logging sudo ufw logging on # Set logging level (low, medium, high, full) sudo ufw logging medium # Disable logging sudo ufw logging off # View logs sudo tail -f /var/log/ufw.log ``` -------------------------------- ### UFW Advanced: Deny Specific IPs Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/firewall-configuration/SKILL.md Shows how to create UFW rules to explicitly deny incoming traffic from specific IP addresses. This is useful for blocking known malicious sources or unwanted connections. ```bash # Deny all traffic from a specific IP sudo ufw deny from 203.0.113.100 ``` -------------------------------- ### Check UFW Firewall Status Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/firewall-configuration/SKILL.md Various commands to check the current status and rules of the UFW firewall. Includes basic status, verbose output with details, and numbered rules for easier rule deletion. ```bash # Basic status sudo ufw status # Detailed status sudo ufw status verbose # Numbered rules (for deletion) sudo ufw status numbered ``` -------------------------------- ### Perform a Dry Run of Unattended Upgrades Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/auto-updates/references/apt-config.md This command simulates the unattended upgrade process without actually installing any packages. It's a valuable tool for testing your configuration and identifying potential issues before applying changes to a production system. ```bash sudo unattended-upgrade --dry-run --debug ``` -------------------------------- ### Basic Web Server UFW Configuration Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/firewall-configuration/SKILL.md A common UFW configuration for a basic web server. It denies all incoming traffic by default, allows all outgoing traffic, permits SSH access, and opens ports 80 (HTTP) and 443 (HTTPS). ```bash sudo ufw default deny incoming sudo ufw default allow outgoing sudo ufw allow ssh sudo ufw allow 80/tcp sudo ufw allow 443/tcp sudo ufw enable ``` -------------------------------- ### List and Search Backup Contents Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/backup-strategy/SKILL.md Demonstrates how to list the contents of a tar.gz backup archive and how to search for specific files within it. Dependencies: tar, less, grep. ```bash # List files in backup tar -tzf /backup/backup-2024-01-31.tar.gz | less # Search for specific file tar -tzf /backup/backup-2024-01-31.tar.gz | grep "config.php" ``` -------------------------------- ### Example Custom Application Filter (myapp.conf) Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/references/fail2ban-filters.md This is an example of a custom Fail2ban filter for a hypothetical application named 'myapp'. It defines regex patterns to catch failed login attempts and invalid API requests, while ignoring successful logins. ```ini [INCLUDES] before = common.conf [Definition] # Match failed login attempts failregex = ^\[error\] .*: Failed login attempt from ^\[warning\].*: Invalid credentials from ^ - .* "POST /api/auth" 401 # Ignore successful authentications ignoreregex = ^\[info\].*: Successful login from ``` -------------------------------- ### Database Restoration Commands Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/backup-strategy/SKILL.md Shows commands for restoring MySQL and PostgreSQL databases from compressed SQL dump files. Dependencies: gunzip, mysql client, psql client. ```bash # MySQL restore gunzip < /backup/mysql/all-databases-2024-01-31.sql.gz | mysql -uroot -p # PostgreSQL restore gunzip < /backup/postgresql/pg-backup-2024-01-31.sql.gz | sudo -u postgres psql ``` -------------------------------- ### phpMyAdmin Access Filter (phpmyadmin.conf) Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/references/fail2ban-filters.md This filter monitors access attempts to phpMyAdmin installations. It aims to block brute-force or unauthorized access attempts. ```ini [Definition] failregex = ^ -.*"(GET|POST) /(?:pma|phpmyadmin|myadmin|mysql|sql) ``` -------------------------------- ### Whitelist IPs in Fail2ban Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Specifies IP addresses or ranges that should be ignored by Fail2ban and never banned. This is essential for ensuring trusted IPs are not accidentally blocked. ```ini [DEFAULT] ignoreip = 127.0.0.1/8 ::1 203.0.113.10 192.168.1.0/24 ``` -------------------------------- ### DigitalOcean Spaces Backup Upload Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/backup-strategy/references/backup-locations.md Shows how to configure `s3cmd` for DigitalOcean Spaces and upload a backup file to a specified bucket and path. ```bash # Use s3cmd with Spaces s3cmd --configure # Upload backup s3cmd put /backup/backup-2024-01-31.tar.gz s3://my-space/backups/ ``` -------------------------------- ### Monitor SSH Authentication Logs (Bash) Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/ssh-hardening/references/sshd-config.md Provides commands to monitor and analyze SSH authentication logs. It includes real-time monitoring, counting failed attempts, identifying malicious IP addresses, and viewing successful logins. These commands are essential for detecting and responding to brute-force attacks. ```bash # Authentication log (Ubuntu/Debian) /var/log/auth.log # Authentication log (RHEL/CentOS) /var/log/secure # SSH daemon log sudo journalctl -u sshd ``` ```bash # Watch authentication attempts in real-time sudo tail -f /var/log/auth.log # Count failed login attempts sudo grep "Failed password" /var/log/auth.log | wc -l # Show failed login IPs sudo grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -rn # Show successful logins sudo grep "Accepted publickey" /var/log/auth.log # Show last login times lastlog # Show who is currently logged in who w ``` -------------------------------- ### Configure ProFTPD Protection Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Configures Fail2ban to protect ProFTPD FTP servers from brute-force attacks. It monitors ProFTPD logs for excessive failed login attempts. ```ini [proftpd] enabled = true port = ftp,ftp-data,ftps,ftps-data filter = proftpd logpath = /var/log/proftpd/proftpd.log maxretry = 3 ``` -------------------------------- ### Create Custom UFW Application Profile Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/firewall-configuration/references/ufw-rules.md Define custom application profiles by creating configuration files in `/etc/ufw/applications.d/`. These profiles specify application titles, descriptions, and the ports they use, allowing for easier management. ```bash # Example custom profile file (/etc/ufw/applications.d/myapp): # [MyApp] # title=My Application # description=Custom application ports # ports=8080,8443/tcp # # [MyAppHTTP] # title=My Application (HTTP only) # description=Custom app HTTP only # ports=8080/tcp # Update UFW with the new profile and then allow it sudo ufw app update MyApp sudo ufw allow 'MyApp' ``` -------------------------------- ### Full System Restore Script Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/backup-strategy/SKILL.md Restores a full system from a backup archive. It prompts for confirmation before overwriting existing files and requires manual service restarts after restoration. Dependencies: tar. ```bash #!/bin/bash # Restore from backup BACKUP_FILE="/backup/backup-2024-01-31.tar.gz" # WARNING: This will overwrite existing files! echo "WARNING: This will restore files and may overwrite existing data!" read -p "Continue? (yes/no): " CONFIRM if [ "$CONFIRM" != "yes" ]; then echo "Aborted" exit 1 fi # Extract to root cd / tar -xzf "$BACKUP_FILE" echo "Restore complete. Review extracted files and restart services." ``` -------------------------------- ### Unban IP Address with Fail2ban Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Commands to remove an IP address from Fail2ban's ban list. This is useful for unblocking legitimate users who may have been accidentally banned. ```bash # Unban specific IP from specific jail sudo fail2ban-client set sshd unbanip 203.0.113.100 # Unban from all jails sudo fail2ban-client unban 203.0.113.100 ``` -------------------------------- ### Unban IP Address or Stop Fail2ban Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Commands to unban your own IP address if accidentally banned or to temporarily stop the Fail2ban service. Useful for regaining access to a locked-out server. ```bash # Unban your IP sudo fail2ban-client set sshd unbanip YOUR.IP.ADDRESS # Or stop fail2ban temporarily sudo systemctl stop fail2ban ``` -------------------------------- ### Manually Ban IP with Fail2ban Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Command to manually ban an IP address using Fail2ban. This can be used for immediate blocking of suspicious IPs not yet caught by automated rules. ```bash sudo fail2ban-client set sshd banip 203.0.113.100 ``` -------------------------------- ### Reset UFW Firewall to Defaults Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/firewall-configuration/SKILL.md Command to completely reset the UFW firewall, removing all existing rules and returning it to its default state. Use with caution as this deletes all configurations. ```bash sudo ufw reset ``` -------------------------------- ### Encrypted Backup with GPG Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/backup-strategy/SKILL.md Creates a compressed backup and then encrypts it using GPG with a specified recipient's public key. The unencrypted backup file is removed after successful encryption. Dependencies: tar, gzip, gpg. ```bash #!/bin/bash # Create encrypted backup BACKUP_DIR="/backup" DATE=$(date +%Y-%m-%d) BACKUP_FILE="backup-$DATE.tar.gz" ENCRYPTED_FILE="backup-$DATE.tar.gz.gpg" GPG_RECIPIENT="admin@example.com" # Create compressed backup tar -czf "$BACKUP_DIR/$BACKUP_FILE" /home /etc /var/www # Encrypt with GPG gpg --encrypt --recipient "$GPG_RECIPIENT" \ --output "$BACKUP_DIR/$ENCRYPTED_FILE" \ "$BACKUP_DIR/$BACKUP_FILE" # Remove unencrypted version rm "$BACKUP_DIR/$BACKUP_FILE" # Upload encrypted backup (S3, SCP, etc.) # ... echo "Encrypted backup created: $ENCRYPTED_FILE" ``` -------------------------------- ### Configure SSH Protection in Fail2ban Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Enables and configures Fail2ban to protect the SSH service. It specifies the log path, retry thresholds, and ban times specifically for SSH login attempts. ```ini [sshd] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 3 bantime = 3600 findtime = 600 ``` -------------------------------- ### View Unattended Upgrades and APT Logs Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/auto-updates/references/apt-config.md These commands allow you to inspect the logs generated by the unattended-upgrades system and APT. Checking these logs is crucial for troubleshooting update issues and understanding what actions have been taken. ```bash # View unattended-upgrades log sudo cat /var/log/unattended-upgrades/unattended-upgrades.log # View with systemd journal sudo journalctl -u unattended-upgrades # View APT history sudo cat /var/log/apt/history.log ``` -------------------------------- ### UFW Advanced: Delete Rules Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/firewall-configuration/SKILL.md Explains how to remove existing firewall rules from UFW, either by their rule number (obtained from `ufw status numbered`) or by specifying the rule details. ```bash # View rules with numbers sudo ufw status numbered # Delete a rule by number sudo ufw delete 3 # Delete a rule by specification sudo ufw delete allow 80/tcp ``` -------------------------------- ### Restore Server Backups (Bash) Source: https://context7.com/mikr13/secure-server-setup-skills/llms.txt Commands to restore data from backups created by the backup strategy scripts. Includes listing archive contents, restoring specific directories, and restoring MySQL/MariaDB dumps. ```bash # List contents tar -tzf /backup/server-backup-2024-01-31.tar.gz | less # Restore specific directory tar -xzf /backup/server-backup-2024-01-31.tar.gz -C / etc/ # Restore MySQL gunzip < /backup/mysql/server-mysql-2024-01-31.sql.gz | mysql -uroot -p ``` -------------------------------- ### Manage Held Packages with apt-mark Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/auto-updates/references/apt-config.md These commands are used to manage package holding status, which prevents specific packages from being automatically installed, upgraded, or removed. This is useful for maintaining specific versions of software. ```bash # List held packages apt-mark showhold # Unhold a package sudo apt-mark unhold package-name # Hold a package sudo apt-mark hold package-name ``` -------------------------------- ### Run Backup Script with Email Notification (Bash) Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/backup-strategy/SKILL.md This script executes a backup process and sends an email notification indicating success or failure. It relies on the BACKUP_SCRIPT environment variable to determine the outcome and sends alerts to a predefined ADMIN_EMAIL address. ```bash if $BACKUP_SCRIPT; then echo "Backup completed successfully on $(date)" | \ mail -s "Backup Success - $(hostname)" "$ADMIN_EMAIL" else echo "Backup failed on $(date)" | \ mail -s "BACKUP FAILED - $(hostname)" "$ADMIN_EMAIL" fi ``` -------------------------------- ### Configure Fail2ban Email Notifications Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Sets up Fail2ban to send email notifications when an IP address is banned. This requires configuring the destination email, sender name, and Mail Transfer Agent (MTA). ```ini [DEFAULT] destemail = admin@example.com sendername = Fail2Ban mta = sendmail ``` -------------------------------- ### Configure Aggressive SSH Ban Times Source: https://github.com/mikr13/secure-server-setup-skills/blob/main/secure-server-setup/fail2ban-setup/SKILL.md Defines more aggressive ban settings for SSH, increasing the ban time and find time for repeated or persistent suspicious activity. This is useful for targeting more persistent threats. ```ini [sshd-aggressive] enabled = true port = ssh filter = sshd-aggressive logpath = /var/log/auth.log maxretry = 1 bantime = 86400 findtime = 3600 ```