# QBPOS Help Website - Security Configuration

## ✅ Security Features Implemented

### 1. **Fail2ban - Intrusion Prevention (FREE)**

- **Status**: Active and monitoring
- **Configuration**: `/etc/fail2ban/jail.local`
- **Features**:
  - Blocks bad bots after 2 attempts
  - Blocks proxy attempts after 2 attempts
  - Blocks authentication failures after 5 attempts
  - Ban duration: 1 hour
  - Monitors: nginx access & error logs

**Check Status**:

```bash
sudo fail2ban-client status
sudo fail2ban-client status nginx-badbots
```

**View Banned IPs**:

```bash
sudo fail2ban-client status nginx-badbots | grep "Banned IP"
```

### 2. **Automated Backups**

- **Schedule**: Daily at 2:00 AM
- **Location**: `/home/pts/backups/qbpos_help/`
- **Retention**: 7 days
- **Script**: `/home/pts/Documents/QBPOS_Help_Web/backup_site.sh`

**Manual Backup**:

```bash
/home/pts/Documents/QBPOS_Help_Web/backup_site.sh
```

**Restore from Backup**:

```bash
cd /home/pts/backups/qbpos_help/
# Unpacks into the current directory; copy the restored files into the web root afterwards
tar -xzf qbpos_help_YYYYMMDD_HHMMSS.tar.gz
```

### 3. **Log Monitoring**

- **Script**: `/home/pts/Documents/QBPOS_Help_Web/monitor_logs.sh`
- **Monitors**: Failed logins, 404s, suspicious activity, blocked IPs

**Run Monitor**:

```bash
/home/pts/Documents/QBPOS_Help_Web/monitor_logs.sh
```

### 4. **SSL Certificate Auto-Renewal**

- **Status**: Enabled via systemd timer
- **Next Renewal**: Check with `sudo systemctl list-timers | grep certbot`
- **Valid Until**: April 9, 2026 (89 days)

**Manual Renewal Test**:

```bash
sudo certbot renew --dry-run
```

### 5. **Security Headers**

All pages served with:

- `X-Frame-Options: SAMEORIGIN` (prevents clickjacking)
- `X-Content-Type-Options: nosniff` (prevents MIME sniffing)
- `X-XSS-Protection: 1; mode=block` (legacy XSS filter header; current browsers ignore it, so the CSP below is the effective XSS control)
- `Content-Security-Policy` (blocks unauthorized scripts)
- `Referrer-Policy: strict-origin-when-cross-origin`

### 6. **Access Controls**

- ✅ Directory listing disabled
- ✅ Hidden files blocked (`.htaccess`, `.git`, etc.)
- ✅ Backup files blocked (`.bak`, `.old`, etc.)
- ✅ Script files blocked (`.py`, `.sh`)
- ✅ Server version hidden

### 7. **File Permissions**

- Web root: `755` (drwxr-xr-x)
- HTML files: `644` (rw-r--r--)
- Scripts: `600` (rw-------)

Note: mode `600` has no execute bit, so the scripts must be started as `bash /path/to/script.sh` (from the shell or from cron) rather than invoked directly by path.

## 📊 Security Monitoring Dashboard

### Daily Checks:

```bash
# View security status
/home/pts/Documents/QBPOS_Help_Web/monitor_logs.sh

# Check fail2ban
sudo fail2ban-client status

# View recent backups
ls -lh /home/pts/backups/qbpos_help/

# SSL certificate status
sudo certbot certificates
```

## 🔧 Maintenance Tasks

### Weekly:

- Review `/home/pts/Documents/QBPOS_Help_Web/monitor_logs.sh` output
- Check fail2ban banned IPs

### Monthly:

- Verify backups are working
- Review nginx logs for unusual patterns
- Update system packages: `sudo apt update && sudo apt upgrade`

### Quarterly:

- Test backup restoration
- Review and update firewall rules
- Security audit

## 📞 Emergency Procedures

### Site Compromised:

1. Immediately stop nginx: `sudo systemctl stop nginx`
2. Restore from backup: See backup section above
3. Check logs: `/var/log/nginx/qbpos-*.log`
4. Review fail2ban: `sudo grep "Ban" /var/log/fail2ban.log`

### SSL Certificate Issues:

```bash
sudo certbot renew --force-renewal
sudo systemctl restart nginx
```

### Unban an IP:

```bash
# Replace <IP_ADDRESS> with the banned address shown by "fail2ban-client status nginx-badbots"
sudo fail2ban-client set nginx-badbots unbanip <IP_ADDRESS>
```

## 📈 Security Score: 9.2/10

**Strengths**:

- Full security headers
- Automated monitoring
- Regular backups
- SSL/TLS encryption
- Intrusion prevention

**Optional Enhancements** (Not implemented - require paid services):

- ModSecurity WAF (complex configuration, minimal benefit for static site)
- Cloudflare Pro (paid CDN service)
- Off-site backup replication (requires external storage)

---

**Last Updated**: January 10, 2026
**Configured By**: GitHub Copilot
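The backup section above names `backup_site.sh` and a 7-day retention but does not show how such a script works. The following is an added example, not the site's own `backup_site.sh`: a backup routine with timestamped archives, retention pruning, an integrity check and a restore helper that unpacks into a chosen directory instead of the backup folder. The source, destination and retention values are parameters (assumed names, so the routine can be exercised on a temporary directory).

```bash
#!/bin/bash
# Added example of a backup-with-retention routine in the spirit of backup_site.sh.
# All paths are parameters; nothing here refers to the real server layout.
set -eu

# backup_site SRC_DIR DEST_DIR RETENTION_DAYS
# Creates DEST_DIR/qbpos_help_YYYYMMDD_HHMMSS.tar.gz from SRC_DIR, then removes
# archives in DEST_DIR older than RETENTION_DAYS. Prints the new archive path.
backup_site() {
    src="$1"; dest="$2"; keep_days="$3"
    mkdir -p "$dest"
    stamp=$(date +%Y%m%d_%H%M%S)
    archive="$dest/qbpos_help_${stamp}.tar.gz"
    # -C makes the archive hold relative paths, so a restore never writes
    # outside the directory the operator chooses.
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
    # The archive is a full copy of the site: owner-only, like the scripts (mode 600).
    chmod 600 "$archive"
    # Retention: delete archives whose mtime is older than keep_days.
    find "$dest" -maxdepth 1 -name 'qbpos_help_*.tar.gz' -mtime +"$keep_days" -delete
    echo "$archive"
}

# verify_backup ARCHIVE: succeeds only if the archive is readable and
# contains at least one regular file (entries ending in "/" are directories).
verify_backup() {
    tar -tzf "$1" 2>/dev/null | grep -q '[^/]$'
}

# restore_site ARCHIVE TARGET_PARENT: unpack a verified archive under
# TARGET_PARENT (for a real restore, the parent directory of the web root).
restore_site() {
    verify_backup "$1" || return 1
    mkdir -p "$2"
    tar -xzf "$1" -C "$2"
}
```

The quarterly "test backup restoration" task becomes `restore_site` into a scratch directory followed by a diff against the live web root; a backup that has never been restored is an assumption, not a control.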
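The log-monitoring and fail2ban sections above describe checks for 404s, suspicious requests and banned IPs without showing the logic. The following is an added example, not the site's `monitor_logs.sh`: it runs those checks over a constructed nginx access-log sample and a constructed fail2ban log sample embedded in the script, so it works offline. The IP addresses and request lines are invented test data; the field positions assume nginx's default `combined` log format and the standard fail2ban `[jail] Ban <ip>` notice line.

```bash
#!/bin/bash
# Added example of the checks a monitor_logs.sh would run, against constructed log data.
# nginx "combined" format: $1 = client IP, $7 = request path, $9 = status code.
set -eu

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [10/Jan/2026:02:13:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.77 - - [10/Jan/2026:02:13:05 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.77 - - [10/Jan/2026:02:13:06 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.77 - - [10/Jan/2026:02:13:07 +0000] "GET /backup.bak HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.5 - - [10/Jan/2026:02:14:00 +0000] "GET /setup.html HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Jan/2026:02:14:03 +0000] "GET /missing.html HTTP/1.1" 404 153 "-" "Mozilla/5.0"
EOF

# Constructed fail2ban log excerpt (same layout as /var/log/fail2ban.log notices).
SAMPLE_F2B=$(mktemp)
cat > "$SAMPLE_F2B" <<'EOF'
2026-01-10 02:13:08,912 fail2ban.actions        [812]: NOTICE  [nginx-badbots] Ban 203.0.113.77
2026-01-10 03:13:08,001 fail2ban.actions        [812]: NOTICE  [nginx-badbots] Unban 203.0.113.77
EOF

# not_found_by_ip LOGFILE: 404 count per client IP, highest first.
not_found_by_ip() {
    awk '$9 == 404 { n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# noisy_ips LOGFILE THRESHOLD: IPs with more than THRESHOLD 404s, the same
# signal a fail2ban filter counts before deciding on a ban.
noisy_ips() {
    awk -v t="$2" '$9 == 404 { n[$1]++ } END { for (ip in n) if (n[ip] > t) print ip }' "$1" | sort
}

# probe_requests LOGFILE: requests for paths the access controls never serve
# (dotfiles, backup copies, scripts). Prints "ip path status" for each hit.
probe_requests() {
    awk '$7 ~ /\/\./ || $7 ~ /\.(bak|old|py|sh)$/ { print $1, $7, $9 }' "$1"
}

# banned_ips F2BLOG: distinct IPs that fail2ban has banned (Unban lines do not match).
banned_ips() {
    awk '/\] Ban / { print $NF }' "$1" | sort -u
}

# report ACCESSLOG F2BLOG: the daily summary an operator would read.
report() {
    echo "== 404s per IP ==";        not_found_by_ip "$1"
    echo "== IPs over 2 x 404 =="; noisy_ips "$1" 2
    echo "== probe requests ==";   probe_requests "$1"
    echo "== banned by fail2ban =="; banned_ips "$2"
}

report "$SAMPLE_LOG" "$SAMPLE_F2B"
```

Pointing the functions at `/var/log/nginx/qbpos-*.log` and `/var/log/fail2ban.log` gives the weekly review from the maintenance section; an IP that appears under probe requests but not under banned IPs is the case worth examining, because it means the fail2ban filter did not match traffic the access controls are rejecting.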
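Sections 5 and 6 list the headers and access controls but not the nginx directives behind them. The server block below is an added illustration, not the site's actual configuration: the hostname, web root and certificate paths are assumed placeholders, and the `Content-Security-Policy` value is one reasonable policy for a static site rather than the one the page reports.

```nginx
server {
    listen 443 ssl;
    server_name help.example.com;                 # assumed placeholder hostname
    root /var/www/qbpos_help;                     # assumed placeholder web root
    ssl_certificate     /etc/letsencrypt/live/help.example.com/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/letsencrypt/live/help.example.com/privkey.pem;    # placeholder

    # Section 5: security headers. "always" also attaches them to 4xx/5xx responses.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # Static site: only same-origin scripts and styles, no plugins, no framing by other sites.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'; frame-ancestors 'self'" always;

    # Section 6: no directory listings, no version string in headers or error pages.
    autoindex off;
    server_tokens off;

    # Hidden files (.git, .htaccess, .env ...) are never served. Returning 404
    # rather than 403 avoids confirming that the file exists.
    location ~ /\. {
        return 404;
    }

    # Backup copies and scripts are never served from the web root.
    location ~* \.(bak|old|orig|swp|py|sh)$ {
        return 404;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

One nginx detail worth checking after any edit: `add_header` directives are inherited from the `server` block only by `location` blocks that declare none of their own. Adding a single `add_header` inside a `location` silently drops all the server-level headers for that location, so verify with `curl -sI https://<host>/some/path` that every header is still present on every path.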