Update #3 - Hardening Security of the BookStack.

After migrating my BookStack documentation system to a public-facing VPS, my next priority was to harden the server. The goal was to lock down remote access, guard against brute-force attacks, and ensure the system was updated automatically, all while maintaining reliable access for legitimate admin use. 

 

 The Setup 

 The VPS is running Ubuntu 22.04 LTS , hosting BookStack on a full LAMP stack . With the public site live, it was time to secure the perimeter. 

 

 The Process 

 1. Hardened SSH Configuration 

 I edited /etc/ssh/sshd_config to improve SSH security: 

 

 

 Disabled root login 

 

 

 Disabled password-based authentication 

 

 

 Enforced key-based authentication 

 

 

 

 Once updated, I restarted SSH: 

 sudo systemctl restart ssh 

 2. Enabled UFW Firewall 

 I verified UFW firewall settings to ensure only necessary traffic was allowed: 

 

 

 OpenSSH for SSH access 

 

 

 Apache Full for BookStack 

 

 

 3. Installed and Configured Fail2Ban 

 Fail2Ban helps block brute-force attacks. After installation, it was monitoring the SSH log ( /var/log/auth.log ). 

 sudo apt install fail2ban 

 

 Screenshot: Fail2Ban Jail Status 

 

 4. Enabled Unattended Security Updates 

 To keep the VPS patched automatically, I installed and configured unattended upgrades: 

 sudo apt install unattended-upgrades 

sudo dpkg-reconfigure unattended-upgrades 

 This ensures security updates are applied daily with minimal overhead. 

 The Result 

 The VPS is now protected with hardened SSH access, firewall filtering, brute-force detection, and automatic security patching, while keeping full control over my public documentation setup. 

 What I Learned 

 

 

 A single open SSH port can attract attention fast 

 

 

 Disabling root login and passwords makes a big difference 

 

 

 Fail2Ban provides great peace of mind 

 

 

 UFW simplifies firewall management 

 

 

 Automated updates are essential for long-term hardening