uptime

free -h

df -hT

# Check for failed services
systemctl --no-pager --failed

# Check critical services
systemctl status apache2 --no-pager
systemctl status mariadb --no-pager
systemctl status php*-fpm --no-pager
systemctl status fail2ban --no-pager
systemctl status ssh --no-pager

vmstat 1 5

ps -eo user,pid,pcpu,pmem,cmd --sort=-pcpu | head -20

ps -eo user,pid,pcpu,pmem,cmd --sort=-pmem | head -20

echo "=== TOP CPU ===" && ps -eo user,pcpu,cmd --sort=-pcpu | head -10 && \
echo "=== TOP RAM ===" && ps -eo user,pmem,cmd --sort=-pmem | head -10

apt update
apt install -y sysstat

# Enable sysstat
sed -i 's/ENABLED="false"/ENABLED="true"/' /etc/default/sysstat

# Start and enable the service
systemctl enable --now sysstat

# CPU averages for today
sar -u

# Memory averages for today
sar -r

# Specific day (replace XX with day of month)
sar -u -f /var/log/sysstat/saXX
sar -r -f /var/log/sysstat/saXX

# I/O statistics
sar -b

mpstat 1 60 | awk '/Average/ {print "CPU Used:", 100-$NF "%"}'

free -m -s 1 -c 60

echo "CPU:" $(top -bn1 | grep "Cpu(s)" | awk '{print 100-$8"%"}') \
     "RAM:" $(free | awk '/Mem/ {printf "%.2f%%", $3/$2*100}')

apt install -y iotop

# Accumulated I/O, only show active processes
iotop -oPa

iostat -x 1 5

apt install -y dstat

# Log CPU, disk, network, memory every 60 seconds
dstat -cdnm --output /var/log/resource-stats.csv 60 &

cat /var/log/resource-stats.csv

/var/www/
└── clients/
    └── client0/                    # Client container
        ├── web1/                   # Site 1 container
        │   ├── web/                # Document root
        │   │   ├── wp-config.php
        │   │   ├── wp-content/
        │   │   └── ...
        │   ├── log/                # Site logs
        │   │   ├── access.log
        │   │   └── error.log
        │   ├── ssl/                # SSL certificates
        │   ├── tmp/                # Temporary files
        │   └── cgi-bin/            # CGI scripts
        ├── web2/                   # Site 2 container
        └── ...

web5  12345  25.0  3.2  php-fpm: pool web5

getent passwd web5

web5:x:5005:5005::/var/www/clients/client0/web5:/bin/false

# List all webX users and their home directories
getent passwd | grep "^web[0-9]" | cut -d: -f1,6

# List all site containers
ls -la /var/www/clients/*/

# More detailed view
for site in /var/www/clients/*/web*/; do
    echo "$site"
done

mysql -u root -p dbispconfig -e "SELECT domain_id, domain, system_user, document_root FROM web_domain WHERE type='vhost';"

ps -eo user,pid,pcpu,pmem,cmd --sort=-pcpu | head -15

# Show PHP-FPM pools sorted by CPU
ps -eo user,pcpu,pmem,cmd --sort=-pcpu | grep "php-fpm" | head -20

# Replace $SITE_USER with the user from Step 2
getent passwd $SITE_USER

# Replace path with actual site log path
awk '{print $7}' /var/www/clients/$CLIENT/$SITE_USER/log/access.log | \
    sort | uniq -c | sort -nr | head -30

for d in /var/www/clients/*/*/log; do
    [ -f "$d/access.log" ] || continue
    echo "==== $d ===="
    awk '{print $7}' "$d/access.log" 2>/dev/null | sort | uniq -c | sort -nr | head
done

# For a specific site
tail -f /var/www/clients/$CLIENT/$SITE_USER/log/access.log

# For Apache global (if configured)
tail -f /var/log/apache2/access.log

# Count xmlrpc hits
grep -c "xmlrpc.php" /var/www/clients/$CLIENT/$SITE_USER/log/access.log

# Count login attempts
grep -c "wp-login.php" /var/www/clients/$CLIENT/$SITE_USER/log/access.log

# Count admin-ajax hits
grep -c "admin-ajax.php" /var/www/clients/$CLIENT/$SITE_USER/log/access.log

# Top IPs hitting xmlrpc
grep "xmlrpc.php" /var/www/clients/$CLIENT/$SITE_USER/log/access.log | \
    awk '{print $1}' | sort | uniq -c | sort -nr | head -20

# Top IPs overall
awk '{print $1}' /var/www/clients/$CLIENT/$SITE_USER/log/access.log | \
    sort | uniq -c | sort -nr | head -20

nproc
# or
grep -c ^processor /proc/cpuinfo

df -hT

df -i

du -h / --max-depth=1 2>/dev/null | sort -h

# Check /var (logs, databases, websites)
du -h /var --max-depth=2 2>/dev/null | sort -h

# Check website storage specifically
du -h /var/www/clients --max-depth=3 2>/dev/null | sort -h

# Check logs
du -sh /var/log/*  | sort -h

find / -type f -printf '%s %p\n' 2>/dev/null | sort -nr | head -40

# Large files in /var
find /var -type f -size +100M -exec ls -lh {} \; 2>/dev/null | sort -k5 -h

# Large files in website directories
find /var/www -type f -size +100M -exec ls -lh {} \; 2>/dev/null | sort -k5 -h

apt install -y ncdu

# Scan entire system
ncdu /

# Scan specific directory
ncdu /var/www/clients

# View what would be cleaned
ls -lh /var/log/*.gz
ls -lh /var/log/*/*.gz

# Remove old rotated logs
find /var/log -name "*.gz" -mtime +30 -delete

# Check journal size
journalctl --disk-usage

# Retain only last 7 days
journalctl --vacuum-time=7d

# Or limit to specific size
journalctl --vacuum-size=500M

# View cache size
du -sh /var/cache/apt/archives

# Clean downloaded packages
apt clean
apt autoclean
apt autoremove

# Check cache sizes (run from site docroot)
du -sh wp-content/cache/
du -sh wp-content/*/cache/

# Safe to clear most cache directories
# (plugins will regenerate cache)

# Find the largest files
find /var -type f -size +500M -exec ls -lh {} \; 2>/dev/null

# Truncate (safer than delete - process can continue writing)
truncate -s 0 /path/to/huge-log-file.log

# Verify space recovered
df -h /

# Follow a log in real-time
tail -f /var/log/syslog

# Follow multiple logs
tail -f /var/log/apache2/error.log /var/log/php*-fpm.log

# Last N lines
tail -n 100 /var/log/auth.log

# Recent entries
journalctl -xe

# Specific service
journalctl -u apache2 --no-pager

# Since boot
journalctl -b

# Time range
journalctl --since "1 hour ago"
journalctl --since "2024-01-01" --until "2024-01-02"

# Search for patterns
grep "error" /var/log/syslog | tail -50
grep -i "failed" /var/log/auth.log | tail -50

# Search with context
grep -B2 -A2 "pattern" /var/log/syslog

cat /etc/logrotate.conf

ls -la /etc/logrotate.d/

/var/www/clients/*/*/web/wp-content/debug.log {
    size 50M
    rotate 5
    compress
    missingok
    notifempty
    copytruncate
}

/var/www/clients/*/*/web/*/debug.log
/var/www/clients/*/*/web/**/debug.log {
    size 50M
    rotate 10
    compress
    missingok
    notifempty
    copytruncate
    dateext
    dateformat -%Y%m%d
}

# Dry run (shows what would happen)
logrotate -d /etc/logrotate.d/custom-app

# Force rotation
logrotate -f /etc/logrotate.d/custom-app

┌─────────────────────────────────────┐
│         CDN/Edge (Cloudflare)       │  ← Block/challenge before reaching origin
├─────────────────────────────────────┤
│         Firewall (iptables/ufw)     │  ← Block known bad IPs
├─────────────────────────────────────┤
│         Fail2Ban                    │  ← Ban repeat offenders
├─────────────────────────────────────┤
│         Web Server (Apache)         │  ← Deny at server level (no PHP)
├─────────────────────────────────────┤
│         Application (WordPress)     │  ← Plugin-level protection
└─────────────────────────────────────┘

<FilesMatch "xmlrpc\.php$">
    Require all denied
</FilesMatch>

a2enconf block-xmlrpc
systemctl reload apache2

# Block access to sensitive files
<FilesMatch "(^\.env|\.git|\.htaccess|wp-config\.php|readme\.html|license\.txt)$">
    Require all denied
</FilesMatch>

# Block common exploit paths
<DirectoryMatch "/(\.git|\.svn|\.hg|node_modules)/">
    Require all denied
</DirectoryMatch>

# Block installer leftovers
<FilesMatch "(installer\.php|installer-backup\.php|dup-installer)">
    Require all denied
</FilesMatch>

a2enconf block-probes
systemctl reload apache2

# Test from command line
curl -I https://yourdomain.com/xmlrpc.php
# Should return 403 Forbidden

apt install -y libapache2-mod-evasive

<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        5
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   60
    DOSEmailNotify      admin@yourdomain.com
    DOSLogDir           /var/log/apache2/evasive
</IfModule>

mkdir -p /var/log/apache2/evasive
chown www-data:www-data /var/log/apache2/evasive
a2enmod evasive
systemctl reload apache2

apt install -y fail2ban

# Enable and start
systemctl enable --now fail2ban

# Verify running
systemctl status fail2ban
fail2ban-client ping

[Definition]
failregex = ^<HOST> .* "(GET|POST) .*xmlrpc\.php
            ^<HOST> .* "(GET|POST) .*//xmlrpc\.php
ignoreregex =

[Definition]
failregex = ^<HOST> .* "(GET|POST) .*wp-login\.php
            ^<HOST> .* "(GET|POST) .*//wp-login\.php
ignoreregex =

[Definition]
failregex = ^<HOST> .* "(GET|POST) .*/wp-admin/admin-ajax\.php
ignoreregex =

[wordpress-xmlrpc]
enabled   = true
filter    = wordpress-xmlrpc
port      = http,https
logpath   = /var/www/clients/*/*/log/access.log
maxretry  = 5
findtime  = 600
bantime   = 86400

[wordpress-login]
enabled   = true
filter    = wordpress-login
port      = http,https
logpath   = /var/www/clients/*/*/log/access.log
maxretry  = 10
findtime  = 600
bantime   = 21600

# Reload Fail2Ban
fail2ban-client reload

# Check active jails
fail2ban-client status

# Check specific jail
fail2ban-client status wordpress-xmlrpc
fail2ban-client status wordpress-login

# Test XML-RPC filter against an actual log
fail2ban-regex /var/www/clients/client0/web1/log/access.log \
    /etc/fail2ban/filter.d/wordpress-xmlrpc.conf

# Test login filter
fail2ban-regex /var/www/clients/client0/web1/log/access.log \
    /etc/fail2ban/filter.d/wordpress-login.conf

fail2ban-client status wordpress-xmlrpc

fail2ban-client set wordpress-xmlrpc unbanip 192.168.1.100

fail2ban-client unban --all

fail2ban-client banned

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 YOUR.STATIC.IP.ADDRESS

apt install -y libapache2-mod-remoteip
a2enmod remoteip

RemoteIPHeader CF-Connecting-IP

# Cloudflare IPv4 Ranges
RemoteIPTrustedProxy 173.245.48.0/20
RemoteIPTrustedProxy 103.21.244.0/22
RemoteIPTrustedProxy 103.22.200.0/22
RemoteIPTrustedProxy 103.31.4.0/22
RemoteIPTrustedProxy 141.101.64.0/18
RemoteIPTrustedProxy 108.162.192.0/18
RemoteIPTrustedProxy 190.93.240.0/20
RemoteIPTrustedProxy 188.114.96.0/20
RemoteIPTrustedProxy 197.234.240.0/22
RemoteIPTrustedProxy 198.41.128.0/17
RemoteIPTrustedProxy 162.158.0.0/15
RemoteIPTrustedProxy 104.16.0.0/13
RemoteIPTrustedProxy 104.24.0.0/14
RemoteIPTrustedProxy 172.64.0.0/13
RemoteIPTrustedProxy 131.0.72.0/22

# Cloudflare IPv6 Ranges
RemoteIPTrustedProxy 2400:cb00::/32
RemoteIPTrustedProxy 2606:4700::/32
RemoteIPTrustedProxy 2803:f800::/32
RemoteIPTrustedProxy 2405:b500::/32
RemoteIPTrustedProxy 2405:8100::/32
RemoteIPTrustedProxy 2a06:98c0::/29
RemoteIPTrustedProxy 2c0f:f248::/32

a2enconf cloudflare-remoteip
systemctl reload apache2

#!/bin/bash
# Update Cloudflare IP ranges for Apache RemoteIP

CONFIG="/etc/apache2/conf-available/cloudflare-remoteip.conf"
TEMP=$(mktemp)

{
    echo "RemoteIPHeader CF-Connecting-IP"
    echo ""
    echo "# Cloudflare IPs - Updated: $(date -u +%Y-%m-%d)"
    echo "# Source: https://www.cloudflare.com/ips/"
    echo ""
    echo "# IPv4"
    curl -s https://www.cloudflare.com/ips-v4 | while read ip; do
        echo "RemoteIPTrustedProxy $ip"
    done
    echo ""
    echo "# IPv6"
    curl -s https://www.cloudflare.com/ips-v6 | while read ip; do
        echo "RemoteIPTrustedProxy $ip"
    done
} > "$TEMP"

if [ -s "$TEMP" ]; then
    mv "$TEMP" "$CONFIG"
    systemctl reload apache2
    echo "Cloudflare IPs updated successfully"
else
    rm "$TEMP"
    echo "Error: Failed to fetch Cloudflare IPs"
    exit 1
fi

chmod +x /usr/local/bin/update-cloudflare-ips.sh

# Add to crontab (monthly update)
echo "0 3 1 * * root /usr/local/bin/update-cloudflare-ips.sh" >> /etc/cron.d/cloudflare-ips

# Check recent log entries
tail -5 /var/www/clients/client0/web1/log/access.log

grep -rn "LogFormat" /etc/apache2/ | grep -v ".dpkg"

LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

# Not recommended - use RemoteIP instead
# Cloudflare module is deprecated

# Don't reveal Apache version
ServerTokens Prod
ServerSignature Off

# Disable TRACE method
TraceEnable Off

a2enconf security
systemctl reload apache2

<Directory /var/www/>
    Options -Indexes +FollowSymLinks
</Directory>

<IfModule mod_headers.c>
    # Prevent clickjacking
    Header always set X-Frame-Options "SAMEORIGIN"
    
    # Prevent MIME-type sniffing
    Header always set X-Content-Type-Options "nosniff"
    
    # Enable XSS filter
    Header always set X-XSS-Protection "1; mode=block"
    
    # Referrer policy
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    
    # Permissions policy
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
</IfModule>

a2enmod headers
a2enconf security-headers
systemctl reload apache2

<IfModule mod_ssl.c>
    # Modern SSL configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder     off
    SSLSessionTickets       off
    
    # HSTS (be careful - commits you to HTTPS)
    Header always set Strict-Transport-Security "max-age=63072000"
</IfModule>

a2enconf ssl-hardening
systemctl reload apache2

# In apache2.conf or vhost
LimitRequestBody 10485760
LimitRequestFields 50
LimitRequestFieldSize 8190
LimitRequestLine 8190

# Prevent slowloris attacks
Timeout 60
KeepAliveTimeout 5
MaxKeepAliveRequests 100

apache2ctl -M

# Examples - evaluate each for your environment
a2dismod autoindex    # Directory listings
a2dismod status       # Server status page (or restrict it)

# List all pool configs
ls -la /etc/php/*/fpm/pool.d/

# Find config for specific site user
grep -rl "^\[web5\]" /etc/php/*/fpm/pool.d/

[web5]
user = web5
group = client0

listen = /var/lib/php/sessions/web5.sock
listen.owner = web5
listen.group = www-data
listen.mode = 0660

pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 5
pm.max_requests = 500

request_terminate_timeout = 300

php_admin_value[open_basedir] = /var/www/clients/client0/web5/...

Available RAM / Average PHP worker memory = Max workers across all pools

pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 10s
pm.max_requests = 500
request_terminate_timeout = 120

pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 5
pm.max_requests = 500
request_terminate_timeout = 300

pm = dynamic
pm.max_children = 20
pm.start_servers = 5
pm.min_spare_servers = 3
pm.max_spare_servers = 10
pm.max_requests = 1000
request_terminate_timeout = 300

# Test configuration
php-fpm8.2 -t

# Restart PHP-FPM
systemctl restart php8.2-fpm

# Or restart all PHP-FPM versions
systemctl restart php*-fpm

pm.status_path = /status

<LocationMatch "/status">
    Require ip 127.0.0.1
    ProxyPass "unix:/var/lib/php/sessions/web5.sock|fcgi://localhost/status"
</LocationMatch>

# All PHP-FPM processes
ps aux | grep php-fpm

# By pool
ps -eo user,pid,pcpu,pmem,cmd | grep "php-fpm: pool"

# Count by pool
ps aux | grep "php-fpm" | grep "pool " | awk '{print $NF}' | sort | uniq -c

slowlog = /var/log/php/$pool.slow.log
request_slowlog_timeout = 5s

mkdir -p /var/log/php
chown www-data:www-data /var/log/php

tail -f /var/log/php/*.slow.log

// Disable file editing in admin
define('DISALLOW_FILE_EDIT', true);

// Disable plugin/theme installation
// define('DISALLOW_FILE_MODS', true);  // Uncomment if desired

// Disable debug logging in production
define('WP_DEBUG', false);
define('WP_DEBUG_LOG', false);
define('WP_DEBUG_DISPLAY', false);

// Security keys (generate unique keys at: https://api.wordpress.org/secret-key/1.1/salt/)
// ... keys here ...

// Force SSL admin
define('FORCE_SSL_ADMIN', true);

// Limit revisions
define('WP_POST_REVISIONS', 5);

// Empty trash more frequently
define('EMPTY_TRASH_DAYS', 7);

// Disable WordPress auto-updates (manage manually)
// define('WP_AUTO_UPDATE_CORE', false);

# Navigate to site docroot
cd /var/www/clients/$CLIENT/$SITE_USER/web/

# Directories: 755
find . -type d -exec chmod 755 {} \;

# Files: 644
find . -type f -exec chmod 644 {} \;

# wp-config.php: More restrictive
chmod 640 wp-config.php

# Make wp-content/uploads writable
chmod 775 wp-content/uploads

chown -R $SITE_USER:$CLIENT /var/www/clients/$CLIENT/$SITE_USER/web/

# Protect wp-config.php
<files wp-config.php>
    order allow,deny
    deny from all
</files>

# Protect .htaccess
<files .htaccess>
    order allow,deny
    deny from all
</files>

# Block PHP execution in uploads
<Directory "/wp-content/uploads/">
    <Files "*.php">
        Order Deny,Allow
        Deny from all
    </Files>
</Directory>

# Block access to sensitive files
<FilesMatch "(^#.*#|\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|sw[op])|~)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Block XML-RPC
<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
    # Allow specific IPs if needed:
    # Allow from 192.168.1.100
</Files>

# Limit login access by IP (if you have static IP)
<Files wp-login.php>
    Order Deny,Allow
    Deny from all
    Allow from YOUR.IP.ADDRESS.HERE
</Files>

# Or add basic auth
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted Access"
    AuthUserFile /path/to/.htpasswd
    Require valid-user
</Files>

htpasswd -c /var/www/clients/$CLIENT/$SITE_USER/.htpasswd username

# Check for WordPress core updates
wp core check-update --path=/var/www/clients/$CLIENT/$SITE_USER/web/

# Update core (backup first!)
wp core update --path=/var/www/clients/$CLIENT/$SITE_USER/web/

# Update plugins
wp plugin update --all --path=/var/www/clients/$CLIENT/$SITE_USER/web/

# Update themes
wp theme update --all --path=/var/www/clients/$CLIENT/$SITE_USER/web/

curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
chmod +x wp-cli.phar
mv wp-cli.phar /usr/local/bin/wp

mysql -e "SHOW STATUS LIKE 'Threads_connected';"
mysql -e "SHOW STATUS LIKE 'Max_used_connections';"

mysql -e "SHOW FULL PROCESSLIST;"

[mysqld]
slow_query_log = 1
slow_query_log_file = /var/log/mysql/slow.log
long_query_time = 2
log_queries_not_using_indexes = 1

systemctl restart mariadb

tail -100 /var/log/mysql/slow.log

mysqldumpslow -s t -t 10 /var/log/mysql/slow.log

mysql -e "
SELECT 
    table_schema AS 'Database',
    ROUND(SUM(data_length + index_length) / 1024 / 1024, 2) AS 'Size (MB)'
FROM information_schema.tables
GROUP BY table_schema
ORDER BY SUM(data_length + index_length) DESC;"

mysql -e "
SELECT 
    table_schema,
    table_name,
    ROUND((data_length + index_length) / 1024 / 1024, 2) AS 'Size (MB)'
FROM information_schema.tables
ORDER BY (data_length + index_length) DESC
LIMIT 20;"

# Single database
mysqlcheck -o database_name

# All databases
mysqlcheck -o --all-databases

wp post delete $(wp post list --post_type='revision' --format=ids) \
    --path=/var/www/clients/$CLIENT/$SITE_USER/web/

wp transient delete --expired --path=/var/www/clients/$CLIENT/$SITE_USER/web/
wp transient delete --all --path=/var/www/clients/$CLIENT/$SITE_USER/web/

[mysqld]
# Memory allocation (adjust based on RAM)
innodb_buffer_pool_size = 512M
key_buffer_size = 128M
max_connections = 100

# Query cache (deprecated in MySQL 8, still in MariaDB)
query_cache_type = 1
query_cache_size = 64M
query_cache_limit = 2M

# Temp tables
tmp_table_size = 64M
max_heap_table_size = 64M

# Connection handling
wait_timeout = 300
interactive_timeout = 300

# Disable root login
PermitRootLogin no

# Disable password authentication (use keys only)
PasswordAuthentication no
PubkeyAuthentication yes

# Restrict to specific users
AllowUsers youradminuser

# Disable empty passwords
PermitEmptyPasswords no

# Limit authentication attempts
MaxAuthTries 3

# Idle timeout
ClientAliveInterval 300
ClientAliveCountMax 2

# Disable X11 forwarding (unless needed)
X11Forwarding no

# Use strong ciphers
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# Change port (optional, security through obscurity)
# Port 2222

# Test configuration
sshd -t

# Restart SSH
systemctl restart sshd

ssh-keygen -t ed25519 -C "your_email@example.com"

ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server

ssh user@server

fail2ban-client status sshd

# Create user
adduser adminuser

# Add to sudo group
usermod -aG sudo adminuser

# Copy SSH key
mkdir -p /home/adminuser/.ssh
cp /root/.ssh/authorized_keys /home/adminuser/.ssh/
chown -R adminuser:adminuser /home/adminuser/.ssh
chmod 700 /home/adminuser/.ssh
chmod 600 /home/adminuser/.ssh/authorized_keys

apt install -y ufw

# Set defaults
ufw default deny incoming
ufw default allow outgoing

# Allow SSH (critical - do this before enabling!)
ufw allow ssh
# Or specific port:
# ufw allow 22/tcp

# Allow HTTP/HTTPS
ufw allow 80/tcp
ufw allow 443/tcp

# Enable firewall
ufw enable

# Check status
ufw status verbose

# Allow ISPConfig admin (8080)
ufw allow 8080/tcp

# Allow FTP (if needed)
ufw allow 20/tcp
ufw allow 21/tcp

# Allow from specific IP only
ufw allow from 192.168.1.100 to any port 22

# Delete a rule
ufw delete allow 8080/tcp

# Limit SSH connections (6 connections per 30 seconds per IP)
ufw limit ssh

# Reset HTTP/HTTPS rules
ufw delete allow 80/tcp
ufw delete allow 443/tcp

# Allow only Cloudflare IPs (add all Cloudflare ranges)
for ip in $(curl -s https://www.cloudflare.com/ips-v4); do
    ufw allow from $ip to any port 80,443 proto tcp
done

iptables -L -n -v

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT

# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP/HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Drop everything else
iptables -A INPUT -j DROP

apt install -y iptables-persistent
netfilter-persistent save

apt install -y unattended-upgrades apt-listchanges

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";
};

// Email notifications
Unattended-Upgrade::Mail "admin@yourdomain.com";

// Remove unused dependencies
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Automatic reboot (careful in production!)
// Unattended-Upgrade::Automatic-Reboot "true";
// Unattended-Upgrade::Automatic-Reboot-Time "03:00";

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";

# Dry run
unattended-upgrade --dry-run --debug

cat /var/log/unattended-upgrades/unattended-upgrades.log

# Weekly update script
cat > /usr/local/bin/weekly-updates.sh << 'EOF'
#!/bin/bash
apt update
apt upgrade -y
apt autoremove -y
apt clean
EOF

chmod +x /usr/local/bin/weekly-updates.sh

# Add to crontab (Sunday 3 AM)
echo "0 3 * * 0 root /usr/local/bin/weekly-updates.sh >> /var/log/weekly-updates.log 2>&1" >> /etc/cron.d/weekly-updates

#!/bin/bash
BACKUP_DIR="/srv/backups/databases"
DATE=$(date +%Y%m%d_%H%M%S)
RETENTION_DAYS=7

mkdir -p "$BACKUP_DIR"

# Backup all databases
for db in $(mysql -N -e "SHOW DATABASES;" | grep -Ev "(information_schema|performance_schema|sys)"); do
    mysqldump --single-transaction --routines --triggers "$db" | gzip > "$BACKUP_DIR/${db}_${DATE}.sql.gz"
    echo "Backed up: $db"
done

# Remove old backups
find "$BACKUP_DIR" -name "*.sql.gz" -mtime +$RETENTION_DAYS -delete
echo "Removed backups older than $RETENTION_DAYS days"

chmod +x /usr/local/bin/backup-databases.sh

# Daily at 2 AM
echo "0 2 * * * root /usr/local/bin/backup-databases.sh >> /var/log/backup-db.log 2>&1" >> /etc/cron.d/database-backup

#!/bin/bash
BACKUP_DIR="/srv/backups/websites"
DATE=$(date +%Y%m%d)
SOURCE="/var/www/clients/"

mkdir -p "$BACKUP_DIR"

rsync -avz --delete "$SOURCE" "$BACKUP_DIR/websites_$DATE/"

# Keep only last 7 days
find "$BACKUP_DIR" -maxdepth 1 -type d -name "websites_*" -mtime +7 -exec rm -rf {} \;

apt install -y restic

export AWS_ACCESS_KEY_ID="your-key"
export AWS_SECRET_ACCESS_KEY="your-secret"

restic init --repo s3:s3.amazonaws.com/bucket-name

#!/bin/bash
export AWS_ACCESS_KEY_ID="your-key"
export AWS_SECRET_ACCESS_KEY="your-secret"
export RESTIC_REPOSITORY="s3:s3.amazonaws.com/bucket-name"
export RESTIC_PASSWORD="your-restic-password"

# Backup databases
restic backup /srv/backups/databases/

# Backup websites
restic backup /var/www/clients/

# Cleanup old snapshots
restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 3
restic prune

# Backup ISPConfig database
mysqldump dbispconfig | gzip > /srv/backups/ispconfig/dbispconfig_$(date +%Y%m%d).sql.gz

# Backup ISPConfig files
tar -czf /srv/backups/ispconfig/ispconfig_files_$(date +%Y%m%d).tar.gz /usr/local/ispconfig/

# Last 7 days
find /var/www/clients/$CLIENT/$SITE_USER/web -type f -name "*.php" -mtime -7 -ls

# Last 24 hours
find /var/www/clients/$CLIENT/$SITE_USER/web -type f -name "*.php" -mtime -1 -ls

grep -rIn --include="*.php" \
    "base64_decode\|eval(\|gzinflate\|shell_exec\|system(\|passthru\|exec(" \
    /var/www/clients/$CLIENT/$SITE_USER/web/wp-content/ 2>/dev/null | head -50

find /var/www/clients/$CLIENT/$SITE_USER/web -type f \
    \( -name "*.php.suspected" -o -name "*.php.bak" -o -name "*.php.old" \
    -o -name "wp-*.php" -o -name "*.ico.php" \) -ls

find /var/www/clients/$CLIENT/$SITE_USER/web -name ".*" -type f -ls

find /var/www/clients/$CLIENT/$SITE_USER/web/wp-content/uploads -name "*.php" -ls

apt install -y clamav clamav-daemon

# Update signatures
freshclam

# Start daemon
systemctl start clamav-daemon

clamscan -r --infected /var/www/clients/$CLIENT/$SITE_USER/web/

# Weekly full scan
echo "0 4 * * 0 root clamscan -r --infected --log=/var/log/clamav/weekly-scan.log /var/www/" >> /etc/cron.d/clamav-weekly

# WordPress admin password
wp user update admin --user_pass=NewSecurePassword --path=/path/to/wordpress

# Database user
mysql -e "ALTER USER 'dbuser'@'localhost' IDENTIFIED BY 'NewSecurePassword';"
# Update wp-config.php accordingly

# FTP/SFTP passwords through ISPConfig

php -m | grep -i opcache

opcache.enable=1
opcache.memory_consumption=256
opcache.interned_strings_buffer=16
opcache.max_accelerated_files=10000
opcache.revalidate_freq=2
opcache.save_comments=1
opcache.enable_file_override=1

<?php
// Create opcache-status.php (restrict access!)
print_r(opcache_get_status());

apt install -y redis-server php-redis

maxmemory 256mb
maxmemory-policy allkeys-lru

systemctl enable --now redis-server

define('WP_REDIS_HOST', '127.0.0.1');
define('WP_REDIS_PORT', 6379);
define('WP_REDIS_DATABASE', 0);

a2enmod deflate   # Compression
a2enmod expires   # Browser caching headers
a2enmod http2     # HTTP/2 support

<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
    AddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript
    AddOutputFilterByType DEFLATE application/json application/xml application/xhtml+xml
</IfModule>

<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/jpg "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType text/javascript "access plus 1 month"
</IfModule>

a2enconf compression expires
systemctl reload apache2

# Show key metrics
mysql -e "SHOW GLOBAL STATUS LIKE 'Threads_%';"
mysql -e "SHOW GLOBAL STATUS LIKE 'Connections';"
mysql -e "SHOW GLOBAL STATUS LIKE 'Slow_queries';"

#!/bin/bash
# Server Health Check Script

ALERT_EMAIL="admin@yourdomain.com"
HOSTNAME=$(hostname)

# Thresholds
DISK_THRESHOLD=85
LOAD_THRESHOLD=$(nproc)
SWAP_THRESHOLD=50

# Check disk usage
DISK_USAGE=$(df / | awk 'NR==2 {print $5}' | sed 's/%//')
if [ "$DISK_USAGE" -gt "$DISK_THRESHOLD" ]; then
    echo "ALERT: Disk usage at ${DISK_USAGE}% on $HOSTNAME" | \
        mail -s "Disk Alert: $HOSTNAME" "$ALERT_EMAIL"
fi

# Check load average
LOAD=$(uptime | awk -F'load average:' '{print $2}' | awk -F',' '{print $1}' | xargs)
LOAD_INT=${LOAD%.*}
if [ "$LOAD_INT" -gt "$LOAD_THRESHOLD" ]; then
    echo "ALERT: Load average at $LOAD on $HOSTNAME" | \
        mail -s "Load Alert: $HOSTNAME" "$ALERT_EMAIL"
fi

# Check swap usage
SWAP_TOTAL=$(free | awk '/Swap/ {print $2}')
SWAP_USED=$(free | awk '/Swap/ {print $3}')
if [ "$SWAP_TOTAL" -gt 0 ]; then
    SWAP_PERCENT=$((SWAP_USED * 100 / SWAP_TOTAL))
    if [ "$SWAP_PERCENT" -gt "$SWAP_THRESHOLD" ]; then
        echo "ALERT: Swap usage at ${SWAP_PERCENT}% on $HOSTNAME" | \
            mail -s "Swap Alert: $HOSTNAME" "$ALERT_EMAIL"
    fi
fi

# Check failed services
FAILED=$(systemctl --failed --no-legend | wc -l)
if [ "$FAILED" -gt 0 ]; then
    echo "ALERT: $FAILED failed services on $HOSTNAME" | \
        mail -s "Service Alert: $HOSTNAME" "$ALERT_EMAIL"
fi

chmod +x /usr/local/bin/server-health-check.sh
echo "*/5 * * * * root /usr/local/bin/server-health-check.sh" >> /etc/cron.d/health-check

docker run -d \
    --name uptime-kuma \
    -p 3001:3001 \
    -v uptime-kuma:/app/data \
    --restart unless-stopped \
    louislam/uptime-kuma:1

# Check for pending updates
apt update
apt list --upgradable

# Check disk space
df -h

# Check for active swapping
vmstat 1 5

# Check load
uptime

# Check running jobs
ps aux | grep -E "(mysql|backup|rsync)"

# Notify users if applicable
# ...

# Reboot
reboot

# Check services
systemctl --failed

# Check websites (sample curl)
curl -Is https://yoursite.com | head -5

# Check logs for errors
journalctl -p err -b

# Verify resource levels
uptime
free -h
df -h

# Preview updates
apt update
apt list --upgradable

# Apply updates (non-interactive)
apt upgrade -y

# If kernel updated, schedule reboot

# Clean up
apt autoremove -y
apt clean

# Check which PHP version is active
php -v

# List installed PHP packages
dpkg -l | grep php

# After PHP upgrade, restart PHP-FPM
systemctl restart php*-fpm

# Verify sites work

# Force log rotation to test
logrotate -f /etc/logrotate.conf

# Check for errors
cat /var/lib/logrotate/status

High Load Detected
├── Check what's consuming CPU
│   └── ps -eo user,pcpu,cmd --sort=-pcpu | head -20
│
├── Is it PHP-FPM?
│   ├── YES → Identify which pool
│   │   ├── Map pool to site: getent passwd webX
│   │   ├── Check site access logs for attack patterns
│   │   ├── Block attacking IPs / endpoints
│   │   └── Consider reducing pm.max_children
│   │
│   └── NO → Check other processes
│       ├── MySQL? → Check SHOW PROCESSLIST for slow queries
│       ├── ClamAV? → Scanning activity, wait or adjust schedule
│       └── Unknown? → Investigate process, possibly kill
│
├── Is memory exhausted?
│   ├── YES → free -h shows high usage
│   │   ├── Reduce PHP workers
│   │   ├── Check for memory leaks
│   │   └── Consider more RAM
│   │
│   └── Swap active? (vmstat si/so non-zero)
│       └── Reduce load or add RAM
│
└── Immediate relief
    ├── Block XML-RPC: a2enconf block-xmlrpc
    ├── Restart PHP-FPM: systemctl restart php*-fpm
    └── If necessary: reboot

Website Not Loading
├── Is the server reachable?
│   └── ping server-ip
│
├── Is SSH working?
│   └── ssh user@server
│
├── Is Apache running?
│   ├── NO → systemctl start apache2
│   └── YES → Check error logs
│
├── Is PHP-FPM running?
│   ├── NO → systemctl start php*-fpm
│   └── YES → Check PHP error logs
│
├── Is MySQL running?
│   ├── NO → systemctl start mariadb
│   └── YES → Check database connectivity
│
├── Check site-specific logs
│   └── tail -50 /var/www/clients/$CLIENT/$SITE_USER/log/error.log
│
├── Is disk full?
│   └── df -h /
│       └── YES → Emergency cleanup
│
├── Is it a Cloudflare issue?
│   ├── Test direct to origin IP
│   └── Check Cloudflare status page
│
└── Is it DNS?
    └── dig yourdomain.com

Disk > 90% Full
├── Identify biggest offenders
│   └── du -h / --max-depth=1 | sort -h
│
├── Common culprits
│   ├── /var/log/ → Rotate/clean old logs
│   │   └── find /var/log -name "*.gz" -mtime +30 -delete
│   │
│   ├── /var/www/ → Check for huge debug logs, backup files
│   │   └── find /var/www -size +500M -ls
│   │
│   ├── /var/lib/mysql/ → Database growth
│   │   └── May need to optimize or archive
│   │
│   └── /tmp/ → Clear temporary files
│       └── find /tmp -type f -mtime +7 -delete
│
├── Truncate large log files (don't delete)
│   └── truncate -s 0 /path/to/huge.log
│
├── Clean apt cache
│   └── apt clean
│
└── Verify space recovered
    └── df -h /

# Full health snapshot
uptime && free -h && df -hT

# Top CPU consumers
ps -eo user,pid,pcpu,pmem,cmd --sort=-pcpu | head -15

# Top RAM consumers
ps -eo user,pid,pcpu,pmem,cmd --sort=-pmem | head -15

# Active swapping check
vmstat 1 5

# Service status
systemctl --failed

# Map webX user to directory
getent passwd $SITE_USER

# List all sites
ls -la /var/www/clients/*/

# Find site by domain (in ISPConfig DB)
mysql dbispconfig -e "SELECT domain, system_user, document_root FROM web_domain WHERE domain LIKE '%example%';"

# Top requested URLs for a site
awk '{print $7}' $ACCESS_LOG | sort | uniq -c | sort -nr | head -30

# Top IPs
awk '{print $1}' $ACCESS_LOG | sort | uniq -c | sort -nr | head -20

# Count specific endpoint hits
grep -c "xmlrpc.php" $ACCESS_LOG
grep -c "wp-login.php" $ACCESS_LOG

# Live log watching
tail -f $ACCESS_LOG

# Overview
df -hT

# Top directories
du -h / --max-depth=1 2>/dev/null | sort -h

# Website storage
du -h /var/www/clients --max-depth=3 2>/dev/null | sort -h

# Large files
find /var -type f -size +100M -ls 2>/dev/null | sort -k7 -n

# Interactive
ncdu /

# Fail2Ban status
fail2ban-client status
fail2ban-client status $JAIL_NAME

# Unban IP
fail2ban-client set $JAIL_NAME unbanip $IP_ADDRESS

# Auth log review
tail -100 /var/log/auth.log | grep -i fail

# Check listening ports
ss -tlnp

# Apache
systemctl status apache2
systemctl reload apache2
systemctl restart apache2
apache2ctl configtest

# PHP-FPM
systemctl status php*-fpm
systemctl restart php*-fpm
php-fpm8.2 -t

# MariaDB
systemctl status mariadb
systemctl restart mariadb

# Fail2Ban
systemctl status fail2ban
fail2ban-client reload

# Quick config backup
tar -czf /root/pre-change-$(date +%Y%m%d-%H%M).tar.gz /etc/apache2/ /etc/php/

# Database backup
mysqldump dbname > /root/dbname-$(date +%Y%m%d).sql

# Watch logs for errors
tail -f /var/log/apache2/error.log

# Monitor load
watch -n 5 uptime

# Check service status
systemctl status apache2 php*-fpm mariadb

# Quick status
alias status='uptime && free -h && df -h /'

# Top consumers
alias topcpu='ps -eo user,pcpu,cmd --sort=-pcpu | head -15'
alias topmem='ps -eo user,pmem,cmd --sort=-pmem | head -15'

# Fail2Ban
alias f2bstatus='fail2ban-client status'

# Apache
alias aptest='apache2ctl configtest'
alias apreload='systemctl reload apache2'

# PHP-FPM
alias phprestart='systemctl restart php*-fpm'

# Logs
alias syslog='tail -f /var/log/syslog'
alias authlog='tail -f /var/log/auth.log'