# Update #3 - Hardening Security of the BookStack.

#### After migrating my BookStack documentation system to a public-facing VPS, my next priority was to harden the server. The goal was to lock down remote access, guard against brute-force attacks, and ensure the system was updated automatically, all while maintaining reliable access for legitimate admin use.

---

### The Setup

The VPS is running **Ubuntu 22.04 LTS**, hosting BookStack on a full **LAMP stack**. With the public site live, it was time to secure the perimeter.

---

### The Process

#### 1. Hardened SSH Configuration

I edited `/etc/ssh/sshd_config` to improve SSH security:

- Disabled root login
- Disabled password-based authentication
- Enforced key-based authentication

[![2025-05-04 15_10_31-Greenshot.png](https://docs.natenetworks.com/uploads/images/gallery/2025-05/scaled-1680-/V38RYHMj5VKKBM6R-2025-05-04-15-10-31-greenshot.png)](https://docs.natenetworks.com/uploads/images/gallery/2025-05/V38RYHMj5VKKBM6R-2025-05-04-15-10-31-greenshot.png)

Once updated, I restarted SSH:

```bash
sudo systemctl restart ssh
```

#### 2. Enabled UFW Firewall

I verified UFW firewall settings to ensure only necessary traffic was allowed:

- **OpenSSH** for SSH access
- **Apache Full** for BookStack

#### 3. Installed and Configured Fail2Ban

Fail2Ban helps block brute-force attacks. After installation, it was monitoring the SSH log (`/var/log/auth.log`).

```bash
sudo apt install fail2ban
```

[![2025-05-04 15_18_44-Greenshot.png](https://docs.natenetworks.com/uploads/images/gallery/2025-05/scaled-1680-/ojLQTcEUAbErY8Vi-2025-05-04-15-18-44-greenshot.png)](https://docs.natenetworks.com/uploads/images/gallery/2025-05/ojLQTcEUAbErY8Vi-2025-05-04-15-18-44-greenshot.png)

**Screenshot: Fail2Ban Jail Status**

[![2025-05-04 15_19_00-Greenshot.png](https://docs.natenetworks.com/uploads/images/gallery/2025-05/scaled-1680-/FXhajLcESi3DuYYP-2025-05-04-15-19-00-greenshot.png)](https://docs.natenetworks.com/uploads/images/gallery/2025-05/FXhajLcESi3DuYYP-2025-05-04-15-19-00-greenshot.png)

#### 4. Enabled Unattended Security Updates

To keep the VPS patched automatically, I installed and configured unattended upgrades:

```bash
sudo apt install unattended-upgrades  
sudo dpkg-reconfigure unattended-upgrades
```

This ensures security updates are applied daily with minimal overhead.

### The Result

The VPS is now protected with hardened SSH access, firewall filtering, brute-force detection, and automatic security patching, while keeping full control over my public documentation setup.

### What I Learned

- A single open SSH port can attract attention fast
- Disabling root login and passwords makes a big difference
- Fail2Ban provides great peace of mind
- UFW simplifies firewall management
- Automated updates are essential for long-term hardening