From d63701abfb1daa975e7cbcba2c213a7f5607d1ac Mon Sep 17 00:00:00 2001 From: constantprojects Date: Mon, 23 Feb 2026 16:25:20 -0700 Subject: [PATCH] Add auto-updates and Docker log rotation to server setup In the "Secure Your Server" guide step: - Install unattended-upgrades for automatic OS security patches - dpkg-reconfigure to enable daily auto-updates - Callout explaining auto-updates won't touch Docker/WordPress - Create /etc/docker/daemon.json with log rotation (10MB max, 3 files per container) before Docker is installed - mkdir -p to handle pre-Docker directory creation - Harmless docker restart with || true fallback - Updated intro text to reflect four setup concerns Co-Authored-By: Claude Opus 4.6 --- guide.md | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 57 insertions(+), 6 deletions(-) diff --git a/guide.md b/guide.md index 7bd3c24..7e70f83 100644 --- a/guide.md +++ b/guide.md @@ -151,9 +151,9 @@ If you get "Connection refused" or "Connection timed out," wait a minute — you [step: Secure Your Server] -Before installing anything else, let's lock down your server with a **firewall** and **brute-force protection**. This takes about 2 minutes and prevents the vast majority of automated attacks. +Before installing anything else, let's lock down your server with a **firewall**, **brute-force protection**, **automatic security updates**, and **Docker log management**. This takes about 3 minutes and prevents the vast majority of problems before they start. -Think of it this way: your server is now on the public internet, and automated bots are already scanning it looking for easy targets. These two tools stop them cold. +Think of it this way: your server is now on the public internet, and automated bots are already scanning it looking for easy targets. These steps stop them cold and keep your server healthy long-term. **First, update your server's software:** 
@@ -165,15 +165,16 @@ apt update && apt upgrade -y This may take a minute. If you see a pink/purple screen asking about restarting services, just press **Enter** to accept the defaults. -**Install the firewall and fail2ban:** +**Install the firewall, fail2ban, and automatic updates:** [code:bash] -apt install -y ufw fail2ban +apt install -y ufw fail2ban unattended-upgrades [/code] -This installs two tools: +This installs three tools: - [UFW](https://wiki.ubuntu.com/UncomplicatedFirewall) (Uncomplicated Firewall) — blocks all network traffic except what you explicitly allow - [Fail2ban](https://www.fail2ban.org/) — watches for repeated failed login attempts and automatically bans those IP addresses +- [Unattended Upgrades](https://wiki.debian.org/UnattendedUpgrades) — automatically installs security patches so you don't have to remember to do it manually **Configure the firewall:** 
@@ -264,8 +265,58 @@ This shows fail2ban is monitoring SSH login attempts. After a few hours online, **What does fail2ban actually do?** By default, if someone (or a bot) fails to log in via SSH 5 times within 10 minutes, fail2ban bans their IP address for 10 minutes. This makes brute-force password guessing effectively impossible — a bot that can try thousands of passwords per second gets cut off after just 5 attempts. [/callout] +**Enable automatic security updates:** + +Your server should install security patches on its own — you don't want to rely on remembering to SSH in and run updates. Enable it with: + +[code:bash] +dpkg-reconfigure -plow unattended-upgrades +[/code] + +When asked "Automatically download and install stable updates?", select **Yes** and press Enter. + +That's all it takes. From now on, your server will check for and install security updates daily in the background. It won't restart your server or touch your website — it only patches the underlying operating system. + +[callout:info] +**Will auto-updates break anything?** No. Unattended upgrades only installs security patches for your operating system (Ubuntu/Debian), not major version upgrades. It won't touch Docker, WordPress, or anything in your website. It's the same type of automatic update your phone does overnight. +[/callout] + +**Set up Docker log rotation:** + +Docker containers generate log files that grow over time. Without a size limit, these logs can eventually fill up your server's disk. Let's set a sensible limit now so this never becomes a problem. 
+ +Create the Docker configuration file: + +[code:bash] +mkdir -p /etc/docker +cat > /etc/docker/daemon.json << 'EOF' +{ + "log-driver": "json-file", + "log-opts": { + "max-size": "10m", + "max-file": "3" + } +} +EOF +[/code] + +This tells Docker to: +- Keep each log file to a maximum of **10 megabytes** +- Keep at most **3** rotated log files per container +- That's a maximum of 30 MB of logs per container — plenty for troubleshooting, but no risk of filling your disk + +[callout:info] +You're running this **before** the WebsiteBox installer, so Docker may or may not be installed yet. That's fine — if Docker isn't installed yet, the file will be waiting for it. If Docker is already installed, restart it to apply the setting: `systemctl restart docker` +[/callout] + +Now restart Docker if it's already running (if it's not installed yet, this will harmlessly fail): + +[code:bash] +systemctl restart docker 2>/dev/null || true +[/code] + [callout:tip] -**That's it for server security.** You now have a firewall blocking all unnecessary ports and fail2ban stopping brute-force attacks. Combined with the security features WebsiteBox sets up later (Wordfence, rate-limited logins, encrypted HTTPS), your server will be well-protected. For further hardening down the road, see the "Going Further" step at the end of this guide. +**That's it for server setup.** You now have a firewall blocking all unnecessary ports, fail2ban stopping brute-force attacks, automatic security updates keeping your OS patched, and Docker log rotation preventing disk bloat. Combined with the security features WebsiteBox sets up later (Wordfence, rate-limited logins, encrypted HTTPS), your server will be well-protected and low-maintenance. For further hardening down the road, see the "Going Further" step at the end of this guide. [/callout] [step: Run the Installer]
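Review bot: In the third hunk, `cat > /etc/docker/daemon.json` silently overwrites any existing daemon.json, and `systemctl restart docker 2>/dev/null || true` then hides the result, so if Docker is already installed with its own config (or the new file conflicts with it) the reader ends up with Docker stopped and no error message. Suggest only writing the file when none exists (`[ -e /etc/docker/daemon.json ] || cat > /etc/docker/daemon.json << 'EOF'`, or tell the reader to merge the keys by hand if one is present) and replacing the blind fallback with `if systemctl is-active --quiet docker; then systemctl restart docker; fi`, which skips cleanly when Docker is absent but still surfaces a failed restart. The info callout and the paragraph after it both tell the reader to run `systemctl restart docker`; keep one. The same callout should add that log-opts from daemon.json only apply to containers created after the restart, so any containers that already exist keep their unbounded logs until recreated. In the auto-updates section, "It won't touch Docker" is only true when Docker comes from a repository outside the unattended-upgrades allowed origins; if the installer uses the distribution's docker.io package, a security update would upgrade and restart the daemon and its containers, so either qualify the sentence or confirm which package WebsiteBox installs. Finally, "It won't restart your server" is accurate by default, but a kernel security patch is not active until the next reboot; a one-line pointer to check `/var/run/reboot-required` now and then would keep the "patched" claim honest.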