PTS/QBPOS-Help
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
QBPOS-Help/docs/README_SECURITY.md

3.7 KiB
Raw Permalink Blame History

QBPOS Help Website - Security Configuration

Security Features Implemented

1. Fail2ban - Intrusion Prevention (FREE)

  • Status: Active and monitoring
  • Configuration: /etc/fail2ban/jail.local
  • Features:
    • Blocks bad bots after 2 attempts
    • Blocks proxy attempts after 2 attempts
    • Blocks authentication failures after 5 attempts
    • Ban duration: 1 hour
    • Monitors: nginx access & error logs

Check Status:

sudo fail2ban-client status
sudo fail2ban-client status nginx-badbots

View Banned IPs:

sudo fail2ban-client status nginx-badbots | grep "Banned IP"

2. Automated Backups

  • Schedule: Daily at 2:00 AM
  • Location: /home/pts/backups/qbpos_help/
  • Retention: 7 days
  • Script: /home/pts/Documents/QBPOS_Help_Web/backup_site.sh

Manual Backup:

/home/pts/Documents/QBPOS_Help_Web/backup_site.sh

Restore from Backup:

cd /home/pts/backups/qbpos_help/
tar -xzf qbpos_help_YYYYMMDD_HHMMSS.tar.gz

3. Log Monitoring

  • Script: /home/pts/Documents/QBPOS_Help_Web/monitor_logs.sh
  • Monitors: Failed logins, 404s, suspicious activity, blocked IPs

Run Monitor:

/home/pts/Documents/QBPOS_Help_Web/monitor_logs.sh

4. SSL Certificate Auto-Renewal

  • Status: Enabled via systemd timer
  • Next Renewal: Check with sudo systemctl list-timers | grep certbot
  • Valid Until: April 9, 2026 (89 days)

Manual Renewal Test:

sudo certbot renew --dry-run

5. Security Headers

All pages served with:

  • X-Frame-Options: SAMEORIGIN (prevents clickjacking)
  • X-Content-Type-Options: nosniff (prevents MIME sniffing)
  • X-XSS-Protection: 1; mode=block (XSS protection)
  • Content-Security-Policy (blocks unauthorized scripts)
  • Referrer-Policy: strict-origin-when-cross-origin

6. Access Controls

  • Directory listing disabled
  • Hidden files blocked (.htaccess, .git, etc.)
  • Backup files blocked (.bak, .old, etc.)
  • Script files blocked (.py, .sh)
  • Server version hidden

7. File Permissions

  • Web root: 755 (drwxr-xr-x)
  • HTML files: 644 (rw-r--r--)
  • Scripts: 600 (rw-------)

📊 Security Monitoring Dashboard

Daily Checks:

# View security status
/home/pts/Documents/QBPOS_Help_Web/monitor_logs.sh

# Check fail2ban
sudo fail2ban-client status

# View recent backups
ls -lh /home/pts/backups/qbpos_help/

# SSL certificate status
sudo certbot certificates

🔧 Maintenance Tasks

Weekly:

  • Review /home/pts/Documents/QBPOS_Help_Web/monitor_logs.sh output
  • Check fail2ban banned IPs

Monthly:

  • Verify backups are working
  • Review nginx logs for unusual patterns
  • Update system packages: sudo apt update && sudo apt upgrade

Quarterly:

  • Test backup restoration
  • Review and update firewall rules
  • Security audit

📞 Emergency Procedures

Site Compromised:

  1. Immediately stop nginx: sudo systemctl stop nginx
  2. Restore from backup: See backup section above
  3. Check logs: /var/log/nginx/qbpos-*.log
  4. Review fail2ban: sudo grep "Ban" /var/log/fail2ban.log

SSL Certificate Issues:

sudo certbot renew --force-renewal
sudo systemctl restart nginx

Unban an IP:

sudo fail2ban-client set nginx-badbots unbanip <IP_ADDRESS>

📈 Security Score: 9.2/10

Strengths:

  • Full security headers
  • Automated monitoring
  • Regular backups
  • SSL/TLS encryption
  • Intrusion prevention

Optional Enhancements (Not implemented - require paid services):

  • ModSecurity WAF (complex configuration, minimal benefit for static site)
  • Cloudflare Pro (paid CDN service)
  • Off-site backup replication (requires external storage)

Last Updated: January 10, 2026 Configured By: GitHub Copilot

Reference in New Issue View Git Blame Copy Permalink