# New server setup

## Install Tailscale

```bash
curl -fsSL https://tailscale.com/install.sh | sh
```

- Enable and log in to Tailscale

```bash
tailscale up
```

- Make sure to assign the `prod` tag in the Tailscale console

## Install Synology Active Backup for Business client

- The package needs to be downloaded from [Download Center - download | Synology Inc.](https://www.synology.com/en-us/support/download/RS1619xs+?version=7.2#utilities)
- Upload the zip file to the server and unzip it

```bash
unzip Synology\ Active\ Backup\ for\ Business\ Agent-<version>-x64-deb.zip
```

- Then run the installer

```bash
./install.run
```

## Configure fail2ban

- Create `jail.local` by making a copy of the default `jail.conf`

```bash
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
```

- Then edit `/etc/fail2ban/jail.local` and add the following

```ini
[wordpress]
enabled  = true
filter   = wordpress
action   = iptables-multiport[name="wordpress", port="http,https"]
logpath  = /sites/*/logs/access.log
           /var/log/nginx/access.log
maxretry = 5
```

- Enable the `nginx-botsearch` and `recidive` jails by adding `enabled = true` in each section
- Update `bantime` under the `[DEFAULT]` section to 1 hour by setting it to `bantime = 1h`
- Update `banaction` and `banaction_allports` to `ufw` by setting them to

```ini
banaction = ufw
banaction_allports = ufw
```

- Create the file `/etc/fail2ban/filter.d/wordpress.conf` with the following contents

```ini
# Fail2Ban filter for wordpress authentication failures

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
# Note: wp-login will return a 200 code on failed login and a 302 on success
failregex = ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
```

- Reload fail2ban

```bash
sudo fail2ban-client reload
```

- Check the active jails

```bash
sudo fail2ban-client status
```

## Configure unattended updates

- Edit the unattended-upgrades configuration file `/etc/apt/apt.conf.d/50unattended-upgrades` and set the following

```
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    // Extended Security Maintenance; doesn't necessarily exist for
    // every release and this system may not have it installed, but if
    // available, the policy for updates is such that unattended-upgrades
    // should also install from here by default.
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
    "${distro_id}:${distro_codename}-updates";
//  "${distro_id}:${distro_codename}-proposed";
//  "${distro_id}:${distro_codename}-backports";
    "LP-PPA-ondrej-php:${distro_codename}";
    "LP-PPA-ondrej-nginx:${distro_codename}";
    "Tailscale:${distro_codename}";
};

Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
```
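To confirm that the `wordpress` filter from the fail2ban section above matches failed logins (a 200 after a POST) but not successful ones (302) or plain GETs of the form, here is an added Python example, not part of the original runbook, that expands the `<HOST>` tag the way fail2ban documents it and counts matches per client over constructed nginx access-log lines against the jail's `maxretry = 5`; it does not model fail2ban's `findtime` window.

```python
import re
from collections import Counter

# failregex exactly as written in /etc/fail2ban/filter.d/wordpress.conf above.
FAILREGEX = r'^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200'
# What the filter's own comments say <HOST> is an alias for.
HOST_ALIAS = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)'

# Constructed nginx access-log lines (not real traffic): 203.0.113.5 posts to
# wp-login.php six times and gets 200 each time (failed logins); 198.51.100.7
# loads the form with GET and then logs in successfully (302).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:10:00:12 +0000] "POST /blog/wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3456 "-" "curl/8.0"
203.0.113.5 - - [10/Jan/2024:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/8.0"
203.0.113.5 - - [10/Jan/2024:10:00:18 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/8.0"
203.0.113.5 - - [10/Jan/2024:10:00:21 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/8.0"
"""


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Expand the <HOST> tag as fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_ALIAS))


def count_failures(log_text: str, failregex: str = FAILREGEX) -> Counter:
    """Count failregex matches per source host (fail2ban's filter stage).
    Simplification: no findtime window, every match in the text counts."""
    pattern = compile_failregex(failregex)
    hits: Counter = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(log_text: str, maxretry: int = 5) -> list:
    """Hosts that reached the jail's maxretry (5 in the jail.local above)."""
    counts = count_failures(log_text)
    return sorted(host for host, n in counts.items() if n >= maxretry)
```

On the server itself, `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress.conf` runs the real matcher over the live log and reports the same per-line hits.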