Automate server hardening in install.sh, update guide accordingly

Move firewall (UFW), fail2ban, auto-updates, and Docker log rotation
from manual guide steps into install.sh automation. Update guide.md
to describe the automated process instead of manual commands.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

install.sh

@@ -63,6 +63,82 @@ esac
 
 echo "Detected: ${OS_ID} ${OS_VERSION}"
 
+# --- Secure the Server ---
+
+echo ""
+echo "───────────────────────────────────────────────────────────"
+echo "  Securing your server..."
+echo "───────────────────────────────────────────────────────────"
+
+# Update system packages
+echo "Updating system packages..."
+$SUDO apt-get update -qq
+$SUDO apt-get upgrade -y -qq
+echo "System packages updated."
+
+# Install firewall, fail2ban, and automatic updates
+echo "Installing firewall, fail2ban, and automatic updates..."
+$SUDO apt-get install -y -qq ufw fail2ban unattended-upgrades
+
+# Configure firewall — allow SSH first to avoid lockout
+if ! $SUDO ufw status | grep -q "Status: active"; then
+    echo "Configuring firewall..."
+    $SUDO ufw allow OpenSSH
+    $SUDO ufw allow 80/tcp
+    $SUDO ufw allow 443/tcp
+    $SUDO ufw --force enable
+    echo "Firewall enabled: SSH, HTTP, and HTTPS allowed. All other ports blocked."
+else
+    # Firewall already active — just make sure our ports are open
+    $SUDO ufw allow OpenSSH 2>/dev/null || true
+    $SUDO ufw allow 80/tcp 2>/dev/null || true
+    $SUDO ufw allow 443/tcp 2>/dev/null || true
+    echo "Firewall already active. Verified SSH, HTTP, and HTTPS are allowed."
+fi
+
+# Enable fail2ban
+$SUDO systemctl enable fail2ban --quiet 2>/dev/null || true
+$SUDO systemctl start fail2ban 2>/dev/null || true
+echo "Fail2ban enabled: brute-force SSH protection active."
+
+# Enable automatic security updates (non-interactive)
+echo 'Unattended-Upgrade::Allowed-Origins {
+    "${distro_id}:${distro_codename}";
+    "${distro_id}:${distro_codename}-security";
+    "${distro_id}ESMApps:${distro_codename}-apps-security";
+    "${distro_id}ESM:${distro_codename}-infra-security";
+};
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+Unattended-Upgrade::Remove-Unused-Dependencies "true";' | $SUDO tee /etc/apt/apt.conf.d/50unattended-upgrades-websitebox > /dev/null
+
+echo 'APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";' | $SUDO tee /etc/apt/apt.conf.d/20auto-upgrades > /dev/null
+echo "Automatic security updates enabled."
+
+# Configure Docker log rotation (create config before Docker install)
+$SUDO mkdir -p /etc/docker
+if [ ! -f /etc/docker/daemon.json ]; then
+    echo '{
+  "log-driver": "json-file",
+  "log-opts": {
+    "max-size": "10m",
+    "max-file": "3"
+  }
+}' | $SUDO tee /etc/docker/daemon.json > /dev/null
+    echo "Docker log rotation configured (10MB max per log, 3 files per container)."
+else
+    echo "Docker daemon.json already exists. Skipping log rotation config."
+fi
+
+echo ""
+echo "  Server secured:"
+echo "    Firewall:          active (SSH, HTTP, HTTPS only)"
+echo "    Fail2ban:          active (SSH brute-force protection)"
+echo "    Auto-updates:      enabled (daily security patches)"
+echo "    Docker log limits: configured (30MB max per container)"
+echo ""
+
 # --- Install Docker if needed ---
 
 DOCKER_JUST_INSTALLED=false
@@ -103,6 +179,11 @@ else
     $SUDO systemctl enable docker
 
     echo "Docker installation complete."
+else
+    # Docker exists — restart to pick up daemon.json if it was just created
+    if [ -f /etc/docker/daemon.json ]; then
+        $SUDO systemctl restart docker 2>/dev/null || true
+    fi
 fi
 
 # --- Clone Repository ---