From f8983792f7cc2d164fcf31eaed3dfe39bca8ddc7 Mon Sep 17 00:00:00 2001
From: constantprojects
Date: Mon, 23 Feb 2026 16:22:10 -0700
Subject: [PATCH] Add firewall (UFW) and fail2ban setup step to guide.md

New "Secure Your Server" step between connecting and installing:
- apt update/upgrade for security patches
- UFW firewall: allow SSH, HTTP, HTTPS only
- fail2ban: brute-force SSH protection
- Clear danger callout about SSH lockout risk
- Expected terminal output for verification
- Plain-English explanations of what each command does
- Updated "Going Further" to reference earlier security setup

Co-Authored-By: Claude Opus 4.6
---
 guide.md | 123 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 121 insertions(+), 2 deletions(-)

diff --git a/guide.md b/guide.md
index 2096458..7bd3c24 100644
--- a/guide.md
+++ b/guide.md
@@ -149,6 +149,125 @@ When typing a password in the terminal, **nothing appears on screen** — no dot If you get "Connection refused" or "Connection timed out," wait a minute — your server might still be starting up. Try again after 60 seconds. If it still doesn't work, double-check the IP address. [/callout] +[step: Secure Your Server] + +Before installing anything else, let's lock down your server with a **firewall** and **brute-force protection**. This takes about 2 minutes and prevents the vast majority of automated attacks. + +Think of it this way: your server is now on the public internet, and automated bots are already scanning it looking for easy targets. These two tools stop them cold. + +**First, update your server's software:** + +This makes sure you have the latest security patches. It's the equivalent of running Windows Update or updating your phone. + +[code:bash] +apt update && apt upgrade -y +[/code] + +This may take a minute. If you see a pink/purple screen asking about restarting services, just press **Enter** to accept the defaults. + +**Install the firewall and fail2ban:** + +[code:bash] +apt install -y ufw fail2ban +[/code] + +This installs two tools: +- [UFW](https://wiki.ubuntu.com/UncomplicatedFirewall) (Uncomplicated Firewall) — blocks all network traffic except what you explicitly allow +- [Fail2ban](https://www.fail2ban.org/) — watches for repeated failed login attempts and automatically bans those IP addresses + +**Configure the firewall:** + +You need to tell the firewall which types of traffic to allow. Your server needs exactly three things open: + +[code:bash] +ufw allow OpenSSH +ufw allow 80/tcp +ufw allow 443/tcp +[/code] + +Here's what each line does: +- `ufw allow OpenSSH` — allows SSH connections (port 22), so you can keep connecting to your server remotely. **This line is critical** — without it, you'd be locked out of your own server. 
+- `ufw allow 80/tcp` — allows HTTP web traffic (needed for SSL certificate setup) +- `ufw allow 443/tcp` — allows HTTPS web traffic (your actual website) + +Everything else (thousands of other ports) is blocked by default. That's exactly what you want. + +**Turn on the firewall:** + +[code:bash] +ufw enable +[/code] + +You'll see a warning that says "Command may disrupt existing SSH connections." Type `y` and press Enter. Your current connection will stay active — the warning is just being cautious. + +[callout:danger] +**Make sure you ran `ufw allow OpenSSH` before this step.** If you enable the firewall without allowing SSH first, you will be locked out of your server and will need to use your VPS provider's emergency web console to fix it. +[/callout] + +**Verify the firewall is working:** + +[code:bash] +ufw status +[/code] + +You should see output like this: + +[terminal] +$ ufw status +Status: active + +To Action From +-- ------ ---- +OpenSSH ALLOW Anywhere +80/tcp ALLOW Anywhere +443/tcp ALLOW Anywhere +OpenSSH (v6) ALLOW Anywhere (v6) +80/tcp (v6) ALLOW Anywhere (v6) +443/tcp (v6) ALLOW Anywhere (v6) +[/terminal] + +If you see `Status: active` with those three rules listed, your firewall is properly configured. + +**Configure fail2ban:** + +Fail2ban works out of the box for SSH protection with sensible defaults, but let's make sure it's running: + +[code:bash] +systemctl enable fail2ban +systemctl start fail2ban +[/code] + +The first command tells fail2ban to start automatically whenever your server reboots. The second starts it right now. + +You can verify it's running with: + +[code:bash] +fail2ban-client status sshd +[/code] + +[terminal] +$ fail2ban-client status sshd +Status for the jail: sshd +|- Filter +| |- Currently failed: 0 +| |- Total failed: 0 +| `- File list: /var/log/auth.log +`- Actions + |- Currently banned: 0 + |- Total banned: 0 + `- Banned IP list: +[/terminal] + +This shows fail2ban is monitoring SSH login attempts. 
After a few hours online, you'll likely see banned IPs here — that's fail2ban doing its job, blocking automated bots that try to guess passwords. + +[callout:info] +**What does fail2ban actually do?** By default, if someone (or a bot) fails to log in via SSH 5 times within 10 minutes, fail2ban bans their IP address for 10 minutes. This makes brute-force password guessing effectively impossible — a bot that can try thousands of passwords per second gets cut off after just 5 attempts. +[/callout] + +[callout:tip] +**That's it for server security.** You now have a firewall blocking all unnecessary ports and fail2ban stopping brute-force attacks. Combined with the security features WebsiteBox sets up later (Wordfence, rate-limited logins, encrypted HTTPS), your server will be well-protected. For further hardening down the road, see the "Going Further" step at the end of this guide. +[/callout] + [step: Run the Installer] Now for the easy part. Copy and paste this single command into your terminal and press Enter: 
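Review bot: The "Verify the firewall is working" check does not actually confirm the claim made just above it that "Everything else (thousands of other ports) is blocked by default": the plain `ufw status` sample lists only the three ALLOW rules and never shows the default incoming policy. Suggest using `ufw status verbose` in both the code block and the terminal sample, and telling the reader to look for `Default: deny (incoming), allow (outgoing)` alongside the three rules, so a reader whose default policy was changed earlier is not given a false all-clear. Separately, the fail2ban section shows only the success case for `fail2ban-client status sshd` (with `File list: /var/log/auth.log`) and relies on the sshd jail being enabled "out of the box"; add one sentence on what to do if the command prints an error instead of that output (for example, check `systemctl status fail2ban` and confirm the log file in the sample exists), since a reader who sees an error here has no recovery path in the step. Finally, the info callout's "effectively impossible" overstates what a per-IP 10-minute ban achieves; "impractical from any single IP address" matches the stated numbers.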
@@ -625,8 +744,8 @@ When you're ready for search engines to find your site, go to **Settings > Readi **Put a CDN in front of your site:** A CDN (Content Delivery Network) caches your images and pages on servers around the world, making your site load faster for visitors far from your server. [Cloudflare](https://www.cloudflare.com/) offers a free plan — you just change your domain's nameservers to Cloudflare's. -**Keep your server secure:** -Your server's root password is the keys to your entire website. Use a strong, unique password and consider setting up [SSH key authentication](https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys-on-ubuntu-22-04) for even better security (this lets you log in without a password, using a cryptographic key stored on your computer instead). +**Harden your server further:** +You already set up a firewall and fail2ban earlier in this guide, which handles the vast majority of threats. For the next level of security, consider setting up [SSH key authentication](https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys-on-ubuntu-22-04) — this lets you log in without a password, using a cryptographic key stored on your computer instead. Once SSH keys are working, you can [disable password login entirely](https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys-on-ubuntu-22-04#step-4-disabling-password-authentication-on-your-server), making brute-force attacks completely impossible. **Learn more about WordPress:** [WordPress.org's documentation](https://wordpress.org/documentation/) and [WPBeginner](https://www.wpbeginner.com/) are excellent free resources for learning how to get the most out of your site. The [WordPress block editor guide](https://wordpress.org/documentation/article/wordpress-block-editor/) is particularly helpful for learning how to create beautiful page layouts.
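Review bot: The replaced paragraph's only concrete advice, using a strong, unique root password, is dropped entirely in the new text, even though the reader still logs in with that password until SSH keys are set up and fail2ban only slows guessing rather than preventing it; keep a short sentence such as "Until you set up SSH keys, make sure your root password is long and unique" ahead of the SSH-key recommendation. Also, "making brute-force attacks completely impossible" is too strong for disabling password authentication alone; "making password brute-force attacks impossible" is the accurate scope.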