# 🛡️ Complete Security Overview

EasyInstall comes with enterprise-grade security built-in and automatically configured. No additional setup needed!

## 📋 Security Components Summary
| Component | Purpose | Status |
|---|---|---|
| UFW Firewall | Network traffic control | ✅ Auto-configured |
| Fail2ban | Brute force protection | ✅ Auto-configured |
| SSL/TLS | Encrypted connections | ✅ Auto (with domain) |
| MySQL Secure | Database hardening | ✅ Auto-configured |
| PHP Security | PHP hardening | ✅ Auto-configured |
| Nginx Security | Web server hardening | ✅ Auto-configured |
| Kernel Hardening | OS-level security | ✅ Auto-configured |
| Automatic Updates | Security patches | ✅ Enabled |
| Malware Detection | File integrity | ✅ Optional |
| Backup Encryption | Data protection | ✅ Optional |
## 🔥 1. Firewall (UFW) Configuration

### Default Rules

```bash
# View current firewall rules
ufw status verbose

# Output:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)

# Allowed ports:
22/tcp      # SSH
80/tcp      # HTTP
443/tcp     # HTTPS
19999/tcp   # Netdata monitoring
61208/tcp   # Glances monitoring
```

### Firewall Management Commands

```bash
# Check firewall status
ufw status numbered

# Add custom rule
ufw allow 8080/tcp comment 'Custom app'

# Remove rule
ufw delete allow 8080/tcp

# Allow specific IP
ufw allow from 192.168.1.100 to any port 22

# Block suspicious IP
ufw deny from 1.2.3.4

# Reload firewall
ufw reload

# Disable temporarily (for testing)
ufw disable
ufw enable
```

### Port Scanning Protection

```bash
# Check for port scans
grep "DPT=" /var/log/ufw.log | tail -20

# Rate limiting (auto-configured)
# UFW includes connection tracking
```
## 🚫 2. Fail2ban – Brute Force Protection

### Active Jails

```bash
# List all active jails
fail2ban-client status

# Check specific jail
fail2ban-client status sshd
fail2ban-client status nginx-http-auth
fail2ban-client status wordpress
fail2ban-client status nginx-botsearch
```

### Configuration

```bash
# View jail configuration
cat /etc/fail2ban/jail.local
```

```ini
[DEFAULT]
# 1 hour ban
bantime = 3600
# 10 minute window
findtime = 600
# 5 attempts before ban
maxretry = 5

[sshd]
enabled = true

[nginx-http-auth]
enabled = true

[nginx-botsearch]
enabled = true

[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/nginx/wordpress_access.log
maxretry = 10
bantime = 3600
```

### Fail2ban Management Commands

```bash
# View banned IPs
fail2ban-client status sshd | grep "Banned IP"

# Unban an IP
fail2ban-client set sshd unbanip 1.2.3.4

# Manually ban an IP
fail2ban-client set sshd banip 1.2.3.4

# View logs
tail -f /var/log/fail2ban.log

# Test regex patterns
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
```

### WordPress-Specific Protection

```bash
# WordPress login protection
cat /etc/fail2ban/filter.d/wordpress.conf
```

```ini
[Definition]
failregex = ^<HOST> .* "POST .*wp-login.php
            ^<HOST> .* "POST .*xmlrpc.php
ignoreregex =
```
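To see what the `[wordpress]` jail parameters (`findtime = 600`, `maxretry = 10`) actually do with the filter above, the following added example (not part of EasyInstall) replays combined-format access-log lines through a small awk model of Fail2ban's sliding window: a source is "banned" once `maxretry` matching POSTs to `wp-login.php` or `xmlrpc.php` fall inside one `findtime` window. The log lines are constructed, the IPs are documentation ranges, and `bantime` is not simulated.

```shell
#!/bin/bash
# Added example: simulate the [wordpress] jail (findtime/maxretry) over constructed log lines.

# Constructed sample log (not from a real server), in chronological order.
make_sample_log() {
  local i path
  # 198.51.100.9: ten POSTs 12 minutes apart (10:00 - 11:48); never 10 inside one 600 s window
  for i in 0 1 2 3 4 5 6 7 8 9; do
    printf '198.51.100.9 - - [10/Oct/2023:%02d:%02d:00 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "curl/8.0"\n' \
      $((10 + i * 12 / 60)) $((i * 12 % 60))
  done
  # 192.0.2.5: a real user, one GET (not matched by the filter) and one POST
  printf '192.0.2.5 - - [10/Oct/2023:12:30:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"\n'
  printf '192.0.2.5 - - [10/Oct/2023:12:30:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
  # 203.0.113.7: ten POSTs alternating wp-login.php / xmlrpc.php inside four minutes
  for i in 0 1 2 3 4 5 6 7 8 9; do
    path=wp-login.php; [ $((i % 2)) -eq 1 ] && path=xmlrpc.php
    printf '203.0.113.7 - - [10/Oct/2023:13:%02d:%02d +0000] "POST /%s HTTP/1.1" 200 512 "-" "python-requests/2.31"\n' \
      $((55 + i / 3)) $((i % 3 * 20)) "$path"
  done
}

# simulate_jail FINDTIME MAXRETRY  (reads log lines on stdin, prints one BAN line per banned IP)
simulate_jail() {
  local findtime=$1 maxretry=$2
  awk -v findtime="$findtime" -v maxretry="$maxretry" '
    # days since 1970-01-01 for a civil date (Howard Hinnant algorithm), so timestamps compare across days
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
      if (m <= 2) y--
      era = int(y / 400); yoe = y - era * 400
      doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      return era * 146097 + doe - 719468
    }
    BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mn, " "); for (i = 1; i <= 12; i++) mon[mn[i]] = i }
    # Same events the wordpress.conf failregex matches: a POST to wp-login.php or xmlrpc.php
    $0 ~ /^[0-9a-fA-F.:]+ .* "POST [^"]*(wp-login|xmlrpc)\.php/ {
      ip = $1
      if (ip in banned) next
      # $4 looks like [10/Oct/2023:13:55:01 -> d, Mon, yyyy, HH, MM, SS (zone offset ignored)
      split(substr($4, 2), p, "[/:]")
      t = days_from_civil(p[3] + 0, mon[p[2]], p[1] + 0) * 86400 + p[4] * 3600 + p[5] * 60 + p[6]
      # drop hits older than findtime, then record this one
      n = 0
      for (i = 1; i <= cnt[ip]; i++) if (hits[ip, i] > t - findtime) hits[ip, ++n] = hits[ip, i]
      hits[ip, ++n] = t; cnt[ip] = n
      if (n >= maxretry) { banned[ip] = t; print "BAN", ip, "after", n, "attempts" }
    }'
}

# Usage: replay the constructed log with the page's jail settings
make_sample_log | simulate_jail 600 10
```

With `findtime=600` only `203.0.113.7` is banned; the slow attacker at 12-minute spacing is never inside the window, which is exactly why a longer `findtime` (the second call below in the test, 7200 s) catches it at the cost of a larger per-IP state. Run the same function against the real file with `simulate_jail 600 10 < /var/log/nginx/wordpress_access.log` to sanity-check a jail before enabling it.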
## 🔐 3. SSL/TLS Security

### Automatic SSL with Let’s Encrypt

```bash
# Install SSL for domain
easyinstall ssl example.com admin@example.com

# Check certificates
certbot certificates

# Test renewal
certbot renew --dry-run

# Force renewal
certbot renew --force-renewal

# View certificate details
openssl x509 -in /etc/letsencrypt/live/example.com/fullchain.pem -text -noout
```

### SSL Configuration Hardening

```bash
# Nginx SSL settings (auto-configured)
cat /etc/nginx/sites-available/wordpress | grep -A 10 "ssl_"
```

```nginx
# SSL protocols (modern, secure)
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
```

### SSL Monitoring

```bash
# Check expiry dates
certbot certificates

# Automated check (every 12 hours)
cat /etc/cron.d/easyinstall-monitor | grep ssl

# Manual SSL check
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
```
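The manual check above prints `notBefore=`/`notAfter=` lines, which is hard to alert on. The following added example (not EasyInstall code) turns the `notAfter=` line into "days remaining" with GNU `date`, so the same logic can drive the cron report in the daily security check later on this page. The reference epoch parameter exists so the result is deterministic; `live_days_left` wires it to the page's `openssl s_client` pipeline (network access assumed).

```shell
#!/bin/bash
# Added example: days until certificate expiry from openssl's "notAfter=..." line.

# days_left "notAfter=Jan  1 00:00:00 2030 GMT" [REFERENCE_EPOCH]
# Prints whole days between the reference time (default: now) and the certificate end date.
days_left() {
  local end_str=${1#notAfter=}
  local now=${2:-$(date +%s)}
  local end_epoch
  end_epoch=$(date -u -d "$end_str" +%s) || return 2   # GNU date parses openssl's format directly
  echo $(( (end_epoch - now) / 86400 ))
}

# cert_ok NOTAFTER_LINE MIN_DAYS [REFERENCE_EPOCH]
# Returns 0 when more than MIN_DAYS remain, 1 when renewal is due (use as a cron alarm condition).
cert_ok() {
  local days
  days=$(days_left "$1" "$3") || return 2
  [ "$days" -gt "$2" ]
}

# live_days_left DOMAIN : same openssl pipeline the page uses, fed into days_left.
live_days_left() {
  days_left "$(echo | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
               | openssl x509 -noout -enddate)"
}

# Usage: constructed input (not a real certificate); prints the days left relative to now
days_left 'notAfter=Jan  1 00:00:00 2030 GMT'
# A cron line built on cert_ok, e.g. warn when fewer than 14 days remain:
#   cert_ok "$(openssl x509 -enddate -noout -in /etc/letsencrypt/live/example.com/cert.pem)" 14 \
#     || echo "renew example.com" | mail -s 'SSL expiry warning' admin@example.com
```

`openssl x509 -checkend SECONDS -noout -in cert.pem` gives an equivalent yes/no answer for a local file without any date arithmetic; the function above is useful when the certificate is only reachable over the network or when the number of days itself should appear in a report.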
## 🗄️ 4. Database Security

### MySQL/MariaDB Hardening

```bash
# Check current security settings
mysql -e "SHOW VARIABLES LIKE '%secure%';"
mysql -e "SELECT user, host, authentication_string FROM mysql.user;"

# Remove anonymous users
mysql -e "DELETE FROM mysql.user WHERE User='';"

# Remove test database
mysql -e "DROP DATABASE IF EXISTS test;"
mysql -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';"

# Disable remote root login
mysql -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');"
```

### Database User Permissions

```bash
# View WordPress database user
grep DB_USER /var/www/html/wordpress/wp-config.php

# Check user permissions
mysql -e "SHOW GRANTS FOR 'wpuser'@'localhost';"

# Create limited user for backups
mysql -e "CREATE USER 'backupuser'@'localhost' IDENTIFIED BY 'password';"
mysql -e "GRANT SELECT, LOCK TABLES ON *.* TO 'backupuser'@'localhost';"
```

### Connection Security

```bash
# MySQL bind address (localhost only)
grep bind-address /etc/mysql/mariadb.conf.d/50-server.cnf
# Should be: bind-address = 127.0.0.1

# Disable symbolic links
grep symbolic-links /etc/mysql/mariadb.conf.d/50-server.cnf
# Should be: symbolic-links = 0
```
## 🌐 5. Nginx Security Hardening

### Security Headers

```bash
# View security headers in Nginx config
cat /etc/nginx/sites-available/wordpress | grep -A 5 "add_header"
```

```nginx
# Configured headers:
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Cache $upstream_cache_status;
```

### Hide Nginx Version

```bash
# Check if version is hidden
curl -I http://localhost | grep Server

# Configuration (auto-set)
grep server_tokens /etc/nginx/nginx.conf
# Should be: server_tokens off;
```

### Directory Protection

```bash
# Protected directories
cat /etc/nginx/sites-available/wordpress | grep -A 5 "location ~ /\\."

# Blocks access to:
# - .git, .svn, .htaccess
# - wp-config.php
# - wp-config-sample.php
# - readme.html, license.txt
```

### Rate Limiting

```bash
# Add rate limiting manually if needed
cat > /etc/nginx/conf.d/rate-limit.conf <<EOF
limit_req_zone \$binary_remote_addr zone=login:10m rate=5r/m;
limit_req zone=login burst=10 nodelay;
EOF
nginx -t && systemctl reload nginx
```
## 🐘 6. PHP Security

### PHP Configuration Hardening

```bash
# PHP version
php -v

# Security settings in php.ini
PHP_VERSION=$(php -r 'echo PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')
cat /etc/php/$PHP_VERSION/fpm/php.ini | grep -E "^disable_functions|^expose_php|^open_basedir"
```

### Critical PHP Security Settings

```ini
; Auto-configured in php.ini:
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
expose_php = Off
open_basedir = /var/www/html/wordpress:/tmp
display_errors = Off
log_errors = On
error_log = /var/log/php-fpm.log
max_execution_time = 60
memory_limit = 128M
post_max_size = 64M
upload_max_filesize = 64M
allow_url_fopen = Off
allow_url_include = Off
```

### PHP-FPM Pool Security

```bash
# Check pool settings
cat /etc/php/$PHP_VERSION/fpm/pool.d/www.conf | grep -E "^user|^group|^listen.owner|^listen.group"

# Should show:
user = www-data
group = www-data
listen.owner = www-data
listen.group = www-data
```
## 🧪 7. Kernel Security Hardening

### Sysctl Security Settings

```bash
# View kernel security settings
cat /etc/sysctl.d/99-easyinstall.conf

# Network security
net.ipv4.tcp_syncookies = 1                    # SYN flood protection
net.ipv4.tcp_max_syn_backlog = 8192            # Connection queue
net.ipv4.conf.all.rp_filter = 1                # Reverse path filtering
net.ipv4.conf.default.rp_filter = 1            # Reverse path filtering
net.ipv4.icmp_echo_ignore_broadcasts = 1       # Ignore ICMP broadcasts
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Apply settings
sysctl -p /etc/sysctl.d/99-easyinstall.conf
```
## 🔄 8. Automatic Security Updates

### Unattended Upgrades

```bash
# Check if automatic updates are enabled
systemctl status unattended-upgrades

# Configuration
cat /etc/apt/apt.conf.d/50unattended-upgrades | grep -v "^//"
```

```
// Security updates only
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};

// Automatic reboot if needed
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
```

### View Update History

```bash
# Check update logs
cat /var/log/unattended-upgrades/unattended-upgrades.log
cat /var/log/apt/history.log | grep -A 10 "Start-Date"
```
## 🛡️ 9. File Integrity Monitoring

### AIDE (Advanced Intrusion Detection Environment)

```bash
# Install AIDE manually (optional)
apt install -y aide

# Initialize database
aideinit
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

# Check for changes
aide --check

# Add to cron for daily checks (/etc/crontab lines need the user field, here root)
echo "0 5 * * * root /usr/bin/aide --check | mail -s 'AIDE Report' admin@example.com" >> /etc/crontab
```

### Tripwire Alternative

```bash
# Simple file integrity check: PHP files modified in the last 24 hours, ignoring the cache directory
cat > /usr/local/bin/check-integrity.sh <<'EOF'
#!/bin/bash
find /var/www/html/wordpress -type f -name "*.php" -mtime -1 | grep -v wp-content/cache
EOF
chmod +x /usr/local/bin/check-integrity.sh
```
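The `find -mtime -1` script only notices recent timestamps, which an attacker who touches files with an old date, or a scan that runs late, will miss. The following added example (not EasyInstall code) does what AIDE does at its core: record a SHA-256 baseline of the PHP tree and diff the tree against it, reporting changed, new and missing files. Paths are placeholders; the cache exclusion matches the script above. It needs GNU `find`, `sort -z` and `xargs -r`.

```shell
#!/bin/bash
# Added example: hash-based integrity baseline and verification for a WordPress tree.

# integrity_baseline ROOT DBFILE : write "sha256  ./relative/path" for every .php file under ROOT
integrity_baseline() {
  local root=$1 db=$2
  (cd "$root" && find . -type f -name '*.php' -not -path './wp-content/cache/*' -print0 \
     | sort -z | xargs -0 -r sha256sum) > "$db"
}

# integrity_verify ROOT DBFILE : print CHANGED/NEW/MISSING lines; return 0 only if nothing differs
integrity_verify() {
  local root=$1 db=$2 tmp out
  tmp=$(mktemp)
  integrity_baseline "$root" "$tmp"
  # sha256sum lines are 64 hex chars, two spaces, then the path (so paths with spaces survive)
  out=$(awk 'FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }
             { cur[substr($0, 67)] = $1 }
             END {
               for (p in cur) if (!(p in base)) print "NEW", p; else if (cur[p] != base[p]) print "CHANGED", p
               for (p in base) if (!(p in cur)) print "MISSING", p
             }' "$db" "$tmp" | sort)
  rm -f "$tmp"
  [ -n "$out" ] && printf '%s\n' "$out"
  [ -z "$out" ]
}

# Usage (placeholder paths): take the baseline right after install or update, verify from cron.
#   integrity_baseline /var/www/html/wordpress /var/lib/easyinstall/wp-integrity.db
#   integrity_verify   /var/www/html/wordpress /var/lib/easyinstall/wp-integrity.db \
#     || mail -s 'WordPress files changed' admin@example.com
```

Keep the baseline file outside the web root and re-create it after every deliberate update, otherwise every core or plugin upgrade shows up as a wall of `CHANGED` lines and the report stops being read.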
## 🔑 10. SSH Security

### SSH Hardening

```bash
# SSH configuration
cat /etc/ssh/sshd_config | grep -E "^PermitRootLogin|^PasswordAuthentication|^Port"
```

```
# Recommended settings (auto-configured):
# Change to a custom port for security
Port 22
# 'without-password' is the older spelling of 'prohibit-password'
PermitRootLogin without-password
# Use SSH keys only
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
MaxSessions 2
ClientAliveInterval 300
ClientAliveCountMax 0
```

### SSH Key Management

```bash
# Generate SSH key (on local machine)
ssh-keygen -t ed25519 -C "your_email@example.com"

# Copy public key to server
ssh-copy-id root@your-server-ip

# Or manually add key
echo "ssh-ed25519 AAAA... your_key" >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
```
## 📊 11. Security Monitoring Commands

### Real-time Security Monitoring

```bash
# Check for failed login attempts
grep "Failed password" /var/log/auth.log | tail -20
grep "Failed password" /var/log/auth.log | wc -l

# Check sudo usage
grep "sudo" /var/log/auth.log | tail -20

# Check for suspicious processes (grep -v grep drops the grep command itself from the match)
ps aux | grep -E "minerd|cpuminer|xmrig|bitcoin|nmap|sqlmap|nikto" | grep -v grep

# Check for open ports
netstat -tulpn | grep LISTEN

# Check listening services
ss -tulpn

# Check established connections
netstat -an | grep ESTABLISHED
```

### Security Logs Analysis

```bash
# View Fail2ban logs
tail -f /var/log/fail2ban.log

# View firewall logs
tail -f /var/log/ufw.log

# View authentication logs
tail -f /var/log/auth.log

# View all security logs
journalctl -u ssh -u fail2ban -u ufw --since "1 hour ago"
```
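Listing `ss -tulpn` by hand only helps if you know what should be there. The following added example (not EasyInstall code) compares listening sockets against the port allowlist from the firewall section and reports anything bound to a non-loopback address that the firewall does not expect, together with the owning process. The `ss` output is constructed for the example; on a real host feed it `"$(ss -tulpn)"`, and ideally derive the allowlist from `ufw status` instead of the literal below.

```shell
#!/bin/bash
# Added example: flag listening sockets that are not in the UFW allowlist.

# Constructed sample of `ss -tulpn` output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=1201,fd=6))
tcp   LISTEN 0      511    [::]:443          [::]:*        users:(("nginx",pid=1201,fd=7))
tcp   LISTEN 0      80     127.0.0.1:3306    0.0.0.0:*     users:(("mariadbd",pid=990,fd=21))
tcp   LISTEN 0      128    0.0.0.0:19999     0.0.0.0:*     users:(("netdata",pid=1300,fd=5))
tcp   LISTEN 0      5      0.0.0.0:8000      0.0.0.0:*     users:(("python3",pid=2077,fd=3))
udp   UNCONN 0      0      127.0.0.53%lo:53  0.0.0.0:*     users:(("systemd-resolve",pid=600,fd=12))'

# Ports UFW opens on this page (section 1). On a live host build this from `ufw status`.
ALLOWED_PORTS="22 80 443 19999 61208"

# unexpected_listeners "PORT PORT ..." "SS_OUTPUT"
# Prints "port process" for each socket on a non-loopback address whose port is not allowlisted.
unexpected_listeners() {
  local allowed=$1 input=$2
  printf '%s\n' "$input" | awk -v allowed="$allowed" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "Netid" { next }                        # header line (absent with ss -H)
    {
      n = split($5, addr, ":"); port = addr[n]    # last colon-separated field is the port
      host = substr($5, 1, length($5) - length(port) - 1)
      if (host ~ /^127\./ || host ~ /^\[?::1\]?$/) next   # loopback-only binds are not exposed
      if (port in ok) next
      proc = "?"
      if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
      print port, proc
    }'
}

# Usage with the constructed sample; on a real host: unexpected_listeners "$ALLOWED_PORTS" "$(ss -tulpn)"
unexpected_listeners "$ALLOWED_PORTS" "$SAMPLE_SS"
```

UFW blocking a port and a service still listening on it are different states: the listener is harmless today but becomes reachable the moment someone runs `ufw disable` "for testing", so the report is worth a line in the daily check.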
## 🛡️ 12. WordPress Security Plugins

### Pre-installed Security Features

```bash
# WordPress hardening in wp-config.php
cat /var/www/html/wordpress/wp-config.php | grep -E "DISALLOW_FILE_EDIT|WP_DEBUG"
```

```php
define('DISALLOW_FILE_EDIT', true);   // Disable plugin/theme editor
define('WP_DEBUG', false);            // Debug mode off
define('WP_DEBUG_LOG', false);        // No debug logging
define('WP_DEBUG_DISPLAY', false);    // No error display
```

### Recommended Security Plugins

```bash
# Install via WP-CLI
cd /var/www/html/wordpress

# Wordfence Security
wp plugin install wordfence --activate

# Sucuri Security
wp plugin install sucuri-scanner --activate

# All In One WP Security
wp plugin install all-in-one-wp-security-and-firewall --activate

# iThemes Security
wp plugin install better-wp-security --activate

# WPS Hide Login
wp plugin install wps-hide-login --activate
```
## 🕵️ 13. Malware Scanning

### ClamAV Installation (Optional)

```bash
# Install ClamAV
apt install -y clamav clamav-daemon
freshclam   # Update virus definitions

# Scan WordPress
clamscan -r /var/www/html/wordpress --log=/var/log/clamav.log

# Daily scan cron (/etc/crontab lines need the user field, here root)
echo "0 3 * * * root clamscan -r /var/www/html/wordpress --log=/var/log/clamav.log --quiet" >> /etc/crontab
```

### Linux Malware Detect (LMD)

```bash
# Install LMD
cd /tmp
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzf maldetect-current.tar.gz
cd maldetect-*
./install.sh

# Scan WordPress
maldet --scan-all /var/www/html/wordpress

# Update signatures
maldet --update-ver
```
## 🔒 14. Security Best Practices Checklist

### Daily Security Checks

```bash
#!/bin/bash
# Save as /usr/local/bin/security-check.sh
echo "=== SECURITY CHECK $(date) ==="

# Check failed logins (counts the whole auth.log, not only today's entries)
FAILED=$(grep -c "Failed password" /var/log/auth.log)
echo "Failed logins today: $FAILED"

# Check Fail2ban status ("Currently banned:" line; "Banned IP list:" would yield the word "list:")
BANNED=$(fail2ban-client status sshd | grep "Currently banned" | awk '{print $4}')
echo "Currently banned IPs: $BANNED"

# Check open ports
echo "Open ports:"
netstat -tulpn | grep LISTEN

# Check disk usage
DISK=$(df / | awk 'NR==2 {print $5}' | sed 's/%//')
if [ "$DISK" -gt 90 ]; then
    echo "WARNING: Disk usage at $DISK%"
fi

# Check for updates
UPDATES=$(apt list --upgradable 2>/dev/null | grep -c upgradable)
echo "Available updates: $UPDATES"

# Check SSL expiry
if [ -f "/etc/letsencrypt/live/$(hostname)/cert.pem" ]; then
    EXPIRY=$(openssl x509 -enddate -noout -in "/etc/letsencrypt/live/$(hostname)/cert.pem")
    echo "SSL expiry: $EXPIRY"
fi
```

Make it executable and run daily (the `/etc/crontab` format needs the user field, here `root`):

```bash
chmod +x /usr/local/bin/security-check.sh
echo "0 8 * * * root /usr/local/bin/security-check.sh | mail -s 'Security Report' admin@example.com" >> /etc/crontab
```
## 🚨 15. Emergency Security Commands

### Immediate Threat Response

```bash
# Block attacking IP immediately
iptables -A INPUT -s 1.2.3.4 -j DROP
ufw deny from 1.2.3.4

# Temporarily stop all web access (maintenance mode)
mv /etc/nginx/sites-available/wordpress /etc/nginx/sites-available/wordpress.bak
systemctl reload nginx

# Enable maintenance mode in WordPress
cd /var/www/html/wordpress
wp maintenance-mode activate

# Change all passwords
# MySQL
mysqladmin -u root -p password 'newpassword'
# WordPress admin
wp user update 1 --user_pass='newpassword'

# SSH keys only mode
sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
systemctl restart ssh

# Disable XML-RPC (prevents brute force)
# Note: .htaccess is read by Apache only; with the Nginx stack described above,
# block xmlrpc.php in the Nginx server block instead.
echo '<files xmlrpc.php>' >> /var/www/html/wordpress/.htaccess
echo 'order allow,deny' >> /var/www/html/wordpress/.htaccess
echo 'deny from all' >> /var/www/html/wordpress/.htaccess
echo '</files>' >> /var/www/html/wordpress/.htaccess
```
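Because Nginx never reads `.htaccess`, the XML-RPC block above has no effect on the stack this page describes. The following added example (not EasyInstall's shipped configuration) is an Nginx server-block fragment that does the same job and also collects the security headers (section 5), the `login` rate-limit zone (section 5) and the protected-file list into one place. Server name, root and the PHP-FPM socket path are placeholders; `snippets/fastcgi-php.conf` is the Debian/Ubuntu package snippet and is assumed to exist. `X-XSS-Protection` is left out because current browsers ignore that header.

```nginx
# Added example: WordPress hardening for the Nginx server block (placeholders, not shipped config).

# http {} context, e.g. /etc/nginx/conf.d/rate-limit.conf (same zone the page defines)
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;

server {
    listen 443 ssl http2;
    server_name example.com;                       # placeholder
    root /var/www/html/wordpress;
    index index.php;

    # Security headers. add_header is NOT inherited into a location that defines its own
    # add_header, so either keep them all at server level or repeat them in such locations.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;  # only once HTTPS is verified working

    # Block XML-RPC entirely (the Nginx equivalent of the .htaccess lines above)
    location = /xmlrpc.php { return 403; }

    # Hidden files (.git, .svn, .htaccess) and sensitive WordPress files from the page's list
    location ~ /\. { deny all; }
    location ~* ^/(wp-config\.php|wp-config-sample\.php|readme\.html|license\.txt)$ { deny all; }

    # Rate-limit the login endpoint with the zone above; 5 req/min per client, bursts of 10
    location = /wp-login.php {
        limit_req zone=login burst=10 nodelay;
        include snippets/fastcgi-php.conf;         # assumed Debian/Ubuntu snippet
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
    }

    location / { try_files $uri $uri/ /index.php?$args; }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Validate with `nginx -t` and reload, then confirm with `curl -I https://example.com/xmlrpc.php` (expect 403) and `curl -I https://example.com/` (expect the headers) before relying on it during an incident.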
## 📊 16. Security Status Command

```bash
# Quick security overview
easyinstall security

# If not available, create it:
cat > /usr/local/bin/security-status <<'EOF'
#!/bin/bash
GREEN='\033[0;32m'
RED='\033[0;31m'
YELLOW='\033[1;33m'
NC='\033[0m'

echo "🔒 EASYINSTALL SECURITY STATUS"
echo "=============================="

# Firewall
if ufw status | grep -q "active"; then
    echo -e "${GREEN}✅ Firewall: ACTIVE${NC}"
else
    echo -e "${RED}❌ Firewall: INACTIVE${NC}"
fi

# Fail2ban
if systemctl is-active --quiet fail2ban; then
    echo -e "${GREEN}✅ Fail2ban: ACTIVE${NC}"
    # "Currently banned:" line; "Banned IP list:" would yield the word "list:"
    BANNED=$(fail2ban-client status sshd | grep "Currently banned" | awk '{print $4}')
    echo "   Banned IPs: $BANNED"
else
    echo -e "${RED}❌ Fail2ban: INACTIVE${NC}"
fi

# SSL
if [ -d "/etc/letsencrypt/live" ]; then
    echo -e "${GREEN}✅ SSL: INSTALLED${NC}"
    certbot certificates | grep "Expiry Date" | head -1
else
    echo -e "${YELLOW}⚠️ SSL: NOT INSTALLED${NC}"
fi

# SSH (matches only an uncommented setting line)
if grep -q "^PasswordAuthentication no" /etc/ssh/sshd_config; then
    echo -e "${GREEN}✅ SSH: Key-only auth${NC}"
else
    echo -e "${YELLOW}⚠️ SSH: Password auth enabled${NC}"
fi

# PHP security
if php -i | grep -q "expose_php => Off"; then
    echo -e "${GREEN}✅ PHP: Version hidden${NC}"
else
    echo -e "${YELLOW}⚠️ PHP: Version exposed${NC}"
fi

# Last failed logins
FAILED=$(grep "Failed password" /var/log/auth.log | tail -5 | wc -l)
if [ "$FAILED" -gt 0 ]; then
    echo -e "${YELLOW}⚠️ Failed logins (last 5): $FAILED${NC}"
fi
echo "=============================="
EOF
chmod +x /usr/local/bin/security-status
security-status
```
## 🎯 Security Quick Reference

| Security Feature | Check Command | Fix Command |
|---|---|---|
| Firewall | `ufw status` | `ufw enable` |
| Fail2ban | `fail2ban-client status` | `systemctl restart fail2ban` |
| SSL | `certbot certificates` | `certbot renew` |
| MySQL | `mysql_secure_installation` | `mysql -e "DROP USER ''@'localhost'"` |
| SSH | `grep PasswordAuthentication /etc/ssh/sshd_config` | `sed -i 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config` |
| PHP | `php -i \| grep expose_php` | `sed -i 's/expose_php = On/expose_php = Off/' /etc/php/*/fpm/php.ini` |
| Updates | `apt list --upgradable` | `apt upgrade -y` |
| Malware | `clamscan -r /var/www` | `freshclam && clamscan --remove -r /var/www` |
EasyInstall provides enterprise-grade security out-of-the-box! No manual configuration needed – everything is automatically hardened for production use. 🛡️
