Complete WHMCS Firewall & Server Hardening Guide

#!/bin/bash
# Automated System Hardening Script
# File: whmcs-server-harden.sh

echo "Starting WHMCS server hardening process..."

# Update system packages
echo "Updating system packages..."
if command -v apt &> /dev/null; then
    apt update && apt upgrade -y
    apt autoremove -y
    apt autoclean
elif command -v yum &> /dev/null; then
    yum update -y
    yum autoremove -y
    yum clean all
fi

# Install essential security tools
echo "Installing security tools..."
if command -v apt &> /dev/null; then
    apt install -y fail2ban ufw rkhunter chkrootkit lynis aide unattended-upgrades
elif command -v yum &> /dev/null; then
    yum install -y fail2ban firewalld rkhunter chkrootkit lynis aide
fi

# Enable automatic security updates
echo "Configuring automatic security updates..."
if [ -f /etc/apt/apt.conf.d/20auto-upgrades ]; then
    cat > /etc/apt/apt.conf.d/20auto-upgrades << 'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF
fi

# Configure kernel parameters for security
echo "Hardening kernel parameters..."
cat > /etc/sysctl.d/99-whmcs-security.conf << 'EOF'
# Network security
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Memory protection
kernel.exec-shield = 1
kernel.randomize_va_space = 2

# Process protection
fs.suid_dumpable = 0
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
kernel.yama.ptrace_scope = 1

# Network hardening
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_rmem = 4096 65536 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
EOF

# Apply kernel parameters
sysctl -p /etc/sysctl.d/99-whmcs-security.conf

echo "Core system hardening completed!"

# SSH Security Configuration
# File: /etc/ssh/sshd_config

# Change default port (security through obscurity)
Port 2222

# Protocol and encryption
Protocol 2
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],hmac-sha2-256,hmac-sha2-512
KexAlgorithms [email protected],ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

# Authentication
PermitRootLogin no
MaxAuthTries 3
MaxStartups 10:30:100
LoginGraceTime 30
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes

# User restrictions
AllowUsers whmcsadmin  # Replace with your actual username
DenyUsers root apache nginx www-data

# Session settings
ClientAliveInterval 300
ClientAliveCountMax 2
MaxSessions 4

# Logging
LogLevel VERBOSE
SyslogFacility AUTHPRIV

# Disable dangerous features
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no

# Banner
Banner /etc/ssh/banner.txt

# Apply changes:
# sudo systemctl restart sshd
# sudo systemctl enable sshd

# Create warning banner
cat > /etc/ssh/banner.txt << 'EOF'
********************************************************************************
                    AUTHORIZED ACCESS ONLY
                    
This system is for the use of authorized users only. Individuals using this
computer system without authority, or in excess of their authority, are subject
to having all of their activities on this system monitored and recorded.

All information, including personal information, stored on or transmitted
through this system may be intercepted, monitored, recorded, copied, audited,
inspected, and disclosed to law enforcement personnel, as well as authorized
officials of government agencies, both domestic and foreign.

By using this system, you consent to such monitoring, recording, and disclosure.
If you do not consent to these terms, please disconnect now.

********************************************************************************
EOF

#!/bin/bash
# UFW Firewall Configuration for WHMCS

echo "Configuring UFW firewall for WHMCS server..."

# Reset UFW to defaults
ufw --force reset

# Set default policies
ufw default deny incoming
ufw default allow outgoing

# Allow SSH (adjust port if changed)
ufw allow 2222/tcp comment "SSH"

# Allow HTTP and HTTPS
ufw allow 80/tcp comment "HTTP"
ufw allow 443/tcp comment "HTTPS"

# Allow MySQL (only from localhost - adjust as needed)
ufw allow from 127.0.0.1 to any port 3306 comment "MySQL localhost"

# Allow specific IPs for admin access (replace with your IPs)
ufw allow from 203.0.113.1 to any port 443 comment "Admin IP 1"
ufw allow from 198.51.100.1 to any port 443 comment "Admin IP 2"

# Rate limiting for SSH
ufw limit 2222/tcp comment "SSH rate limit"

# Rate limiting for HTTP/HTTPS (basic)
ufw limit 80/tcp comment "HTTP rate limit"
ufw limit 443/tcp comment "HTTPS rate limit"

# Advanced UFW configuration
cat > /etc/ufw/before.rules << 'EOF'
# Custom rules for WHMCS protection
*filter

# Allow loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# Quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Drop INVALID packets
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# Block common attacks
-A ufw-before-input -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A ufw-before-input -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A ufw-before-input -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A ufw-before-input -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A ufw-before-input -p tcp --tcp-flags FIN,ACK FIN -j DROP
-A ufw-before-input -p tcp --tcp-flags ACK,URG URG -j DROP

# Block Christmas tree packets
-A ufw-before-input -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP

# Block null packets
-A ufw-before-input -p tcp --tcp-flags ALL NONE -j DROP

# Allow ICMP (ping) but rate limit
-A ufw-before-input -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

COMMIT
EOF

# Enable UFW
ufw --force enable

# Show status
ufw status verbose

echo "UFW firewall configuration completed!"

#!/bin/bash
# Firewalld Configuration for WHMCS (CentOS/RHEL)

echo "Configuring firewalld for WHMCS server..."

# Start and enable firewalld
systemctl start firewalld
systemctl enable firewalld

# Set default zone
firewall-cmd --set-default-zone=public

# Remove unnecessary services
firewall-cmd --permanent --remove-service=cockpit
firewall-cmd --permanent --remove-service=dhcpv6-client

# Add essential services
firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https

# Add custom SSH port (if changed)
firewall-cmd --permanent --add-port=2222/tcp

# Create rich rules for advanced protection
# Block countries (example: block China and Russia)
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='1.0.0.0/8' drop"
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='14.0.0.0/8' drop"

# Rate limiting for SSH
firewall-cmd --permanent --add-rich-rule="rule service name=ssh limit value=5/m accept"

# Rate limiting for HTTP
firewall-cmd --permanent --add-rich-rule="rule service name=http limit value=100/m accept"

# Allow admin IPs only for specific ports
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='203.0.113.1' port protocol='tcp' port='443' accept"

# Block common attack ports
for port in 23 135 139 445 1433 1521 3389 5432 5900; do
    firewall-cmd --permanent --add-rich-rule="rule port protocol='tcp' port='$port' drop"
done

# Reload firewall
firewall-cmd --reload

# Show configuration
firewall-cmd --list-all

echo "Firewalld configuration completed!"

# /etc/fail2ban/jail.local
# Custom Fail2ban configuration for WHMCS

[DEFAULT]
# Ban settings
bantime = 3600        # 1 hour ban
findtime = 600        # 10 minute window
maxretry = 3          # 3 attempts before ban
banaction = iptables-multiport
backend = systemd

# Email notifications
destemail = [email protected]
sendername = WHMCS-Fail2ban
mta = sendmail
action = %(action_mwl)s

# Whitelist trusted IPs
ignoreip = 127.0.0.1/8 ::1 203.0.113.1 198.51.100.1

[sshd]
enabled = true
port = 2222
logpath = /var/log/auth.log
maxretry = 3
bantime = 7200
findtime = 300

[nginx-http-auth]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 5
bantime = 3600

[nginx-req-limit]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 10
bantime = 600
findtime = 60

[whmcs-admin]
enabled = true
port = http,https
logpath = /var/www/html/whmcs/admin/logs/access.log
maxretry = 5
bantime = 7200
findtime = 300
filter = whmcs-admin

[whmcs-api]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 20
bantime = 1800
findtime = 300
filter = whmcs-api

[mysql-brute]
enabled = true
port = 3306
logpath = /var/log/mysql/mysql.log
maxretry = 3
bantime = 86400
findtime = 600

[recidive]
enabled = true
logpath = /var/log/fail2ban.log
maxretry = 3
bantime = 86400
findtime = 43200

# /etc/fail2ban/filter.d/whmcs-admin.conf
# Filter for WHMCS admin login attempts

[Definition]
failregex = ^<HOST> -.*"POST /admin/index\.php.*" 200.*
            ^<HOST> -.*"POST /admin/login\.php.*" 200.*
            ^<HOST> -.*"GET /admin/.*" 403.*

ignoreregex =

# /etc/fail2ban/filter.d/whmcs-api.conf  
# Filter for WHMCS API abuse

[Definition]
failregex = ^<HOST> -.*"POST /includes/api\.php.*" 200.*
            ^<HOST> -.*"GET /includes/api\.php.*" 405.*

ignoreregex =

# /etc/fail2ban/filter.d/nginx-req-limit.conf
# Filter for nginx request limiting

[Definition]
failregex = limiting requests, excess: \d+\.\d+ by zone .*, client: <HOST>

ignoreregex =

# /etc/fail2ban/filter.d/mysql-brute.conf
# Filter for MySQL brute force attempts

[Definition]
failregex = ^.*\[Warning\] Access denied for user .*@'<HOST>'
            ^.*\[Warning\] Aborted connection .* from '<HOST>'

ignoreregex =

#!/bin/bash
# Real-time WHMCS Security Monitor
# File: /usr/local/bin/whmcs-security-monitor.sh

ALERT_EMAIL="[email protected]"
LOG_FILE="/var/log/whmcs-security.log"
WHMCS_PATH="/var/www/html/whmcs"

log_alert() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" >> "$LOG_FILE"
    echo "$1" | mail -s "WHMCS Security Alert" "$ALERT_EMAIL"
}

# Monitor file integrity
monitor_file_changes() {
    # Key WHMCS files to monitor
    CRITICAL_FILES=(
        "$WHMCS_PATH/configuration.php"
        "$WHMCS_PATH/admin/templates/blend/header.tpl" 
        "$WHMCS_PATH/includes/dbconnect.php"
        "/etc/nginx/sites-available/whmcs-ssl"
        "/etc/ssh/sshd_config"
    )
    
    for file in "${CRITICAL_FILES[@]}"; do
        if [ -f "$file" ]; then
            CURRENT_HASH=$(sha256sum "$file" | cut -d' ' -f1)
            STORED_HASH_FILE="/var/lib/whmcs-monitor/$(echo "$file" | sed 's/\//_/g').hash"
            
            if [ -f "$STORED_HASH_FILE" ]; then
                STORED_HASH=$(cat "$STORED_HASH_FILE")
                if [ "$CURRENT_HASH" != "$STORED_HASH" ]; then
                    log_alert "CRITICAL: File modification detected - $file"
                fi
            else
                mkdir -p /var/lib/whmcs-monitor
                echo "$CURRENT_HASH" > "$STORED_HASH_FILE"
            fi
        fi
    done
}

# Monitor suspicious login patterns
monitor_login_patterns() {
    # Check for multiple failed login attempts
    FAILED_LOGINS=$(grep "authentication failure" /var/log/auth.log | grep "$(date '+%Y-%m-%d')" | wc -l)
    
    if [ "$FAILED_LOGINS" -gt 50 ]; then
        log_alert "WARNING: $FAILED_LOGINS failed login attempts today"
    fi
    
    # Check for successful logins from new IPs
    TODAY_LOGINS=$(grep "Accepted" /var/log/auth.log | grep "$(date '+%Y-%m-%d')" | awk '{print $11}' | sort -u)
    
    for ip in $TODAY_LOGINS; do
        if ! grep -q "$ip" /var/lib/whmcs-monitor/known_ips.txt; then
            log_alert "INFO: New successful login from IP: $ip"
            echo "$ip" >> /var/lib/whmcs-monitor/known_ips.txt
        fi
    done
}

# Monitor system resources
monitor_system_resources() {
    # CPU usage
    CPU_USAGE=$(top -bn1 | grep "Cpu(s)" | awk '{print $2}' | cut -d'%' -f1)
    if (( $(echo "$CPU_USAGE > 90" | bc -l) )); then
        log_alert "WARNING: High CPU usage - $CPU_USAGE%"
    fi
    
    # Memory usage
    MEM_USAGE=$(free | grep Mem | awk '{printf("%.1f", $3/$2 * 100.0)}')
    if (( $(echo "$MEM_USAGE > 90" | bc -l) )); then
        log_alert "WARNING: High memory usage - $MEM_USAGE%"
    fi
    
    # Disk usage
    DISK_USAGE=$(df / | tail -1 | awk '{print $5}' | cut -d'%' -f1)
    if [ "$DISK_USAGE" -gt 90 ]; then
        log_alert "WARNING: High disk usage - $DISK_USAGE%"
    fi
}

# Monitor network connections
monitor_network_connections() {
    # Check for suspicious connections
    SUSPICIOUS_CONNECTIONS=$(netstat -tn | grep ':443' | grep ESTABLISHED | wc -l)
    
    if [ "$SUSPICIOUS_CONNECTIONS" -gt 100 ]; then
        log_alert "WARNING: High number of HTTPS connections - $SUSPICIOUS_CONNECTIONS"
    fi
    
    # Check for connections from blacklisted countries
    FOREIGN_CONNECTIONS=$(netstat -tn | grep ESTABLISHED | awk '{print $5}' | cut -d':' -f1 | sort -u | while read ip; do
        COUNTRY=$(geoiplookup "$ip" 2>/dev/null | grep "Country" | cut -d':' -f2 | tr -d ' ')
        if [[ "$COUNTRY" == "CN" || "$COUNTRY" == "RU" || "$COUNTRY" == "KP" ]]; then
            echo "$ip ($COUNTRY)"
        fi
    done)
    
    if [ -n "$FOREIGN_CONNECTIONS" ]; then
        log_alert "WARNING: Connections from restricted countries: $FOREIGN_CONNECTIONS"
    fi
}

# Monitor WHMCS specific threats
monitor_whmcs_threats() {
    # Check for SQL injection attempts
    SQL_INJECTION_ATTEMPTS=$(grep -i "union select\|or 1=1\|' or '1'='1" /var/log/nginx/access.log | grep "$(date '+%d/%b/%Y')" | wc -l)
    
    if [ "$SQL_INJECTION_ATTEMPTS" -gt 0 ]; then
        log_alert "CRITICAL: $SQL_INJECTION_ATTEMPTS SQL injection attempts detected"
    fi
    
    # Check for file upload attempts to dangerous locations
    UPLOAD_ATTEMPTS=$(grep -i "\.php\|\.exe\|\.sh" /var/log/nginx/access.log | grep POST | grep "$(date '+%d/%b/%Y')" | wc -l)
    
    if [ "$UPLOAD_ATTEMPTS" -gt 10 ]; then
        log_alert "WARNING: $UPLOAD_ATTEMPTS suspicious file upload attempts"
    fi
    
    # Check for admin directory enumeration
    ADMIN_ENUM=$(grep -i "/admin/" /var/log/nginx/access.log | grep -E "404|403" | grep "$(date '+%d/%b/%Y')" | wc -l)
    
    if [ "$ADMIN_ENUM" -gt 20 ]; then
        log_alert "WARNING: $ADMIN_ENUM admin directory enumeration attempts"
    fi
}

# Run all monitoring functions
echo "Starting WHMCS security monitoring - $(date)"
monitor_file_changes
monitor_login_patterns  
monitor_system_resources
monitor_network_connections
monitor_whmcs_threats
echo "Security monitoring completed - $(date)"

# Add to crontab to run every 5 minutes:
# */5 * * * * /usr/local/bin/whmcs-security-monitor.sh

# /etc/nginx/conf.d/rate-limit.conf
# Advanced rate limiting for WHMCS protection

# Define rate limit zones
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
limit_req_zone $binary_remote_addr zone=api:10m rate=30r/m;  
limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=admin:10m rate=3r/m;

# Connection limiting
limit_conn_zone $binary_remote_addr zone=addr:10m;

# Map for whitelisted IPs
geo $whitelist {
    default         0;
    127.0.0.1       1;
    203.0.113.1     1;  # Admin IP 1
    198.51.100.1    1;  # Admin IP 2
}

# Map to apply rate limiting
map $whitelist $rate_limit_key {
    0     $binary_remote_addr;
    1     "";
}

# Update rate limit zones to use whitelist
limit_req_zone $rate_limit_key zone=login_protected:10m rate=5r/m;
limit_req_zone $rate_limit_key zone=api_protected:10m rate=50r/m;
limit_req_zone $rate_limit_key zone=general_protected:10m rate=20r/s;

# In your WHMCS server block:
server {
    # ... existing configuration ...
    
    # General connection limiting
    limit_conn addr 10;
    
    # Apply general rate limiting
    limit_req zone=general_protected burst=20 nodelay;
    
    location ^~ /admin/ {
        limit_req zone=login_protected burst=3 nodelay;
        limit_req zone=general_protected burst=10 nodelay;
        
        # Block requests with suspicious user agents
        if ($http_user_agent ~* (bot|crawler|spider|scraper|wget|curl)) {
            return 444;
        }
        
        # Your existing admin location config...
    }
    
    location = /includes/api.php {
        limit_req zone=api_protected burst=20 nodelay;
        
        # Only allow POST requests
        limit_except POST {
            deny all;
        }
        
        # Your existing API location config...
    }
    
    location ~* \.(php|asp|aspx|jsp)$ {
        # Rate limit all script execution
        limit_req zone=general_protected burst=10 nodelay;
        
        # Your existing PHP location config...
    }
    
    # Block common attack patterns
    location ~* (eval\(|base64_decode|gzinflate|rot13|str_rot13) {
        return 444;
    }
    
    location ~* \.(htaccess|htpasswd|ini|log|sh|sql|bak|backup)$ {
        return 444;
    }
}

#!/bin/bash
# Advanced IPTables DDoS Protection for WHMCS
# File: /etc/iptables/ddos-protection.sh

echo "Implementing DDoS protection rules..."

# Clear existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Set default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Drop invalid packets
iptables -A INPUT -m state --state INVALID -j DROP

# SYN flood protection
iptables -A INPUT -p tcp --syn -m limit --limit 2/s --limit-burst 30 -j ACCEPT

# Ping flood protection  
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Port scan protection
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A INPUT -m recent --name portscan --remove
iptables -A INPUT -p tcp --tcp-flags ALL NONE -m recent --name portscan --set -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -m recent --name portscan --set -j DROP

# SSH protection (adjust port if needed)
iptables -A INPUT -p tcp --dport 2222 -m state --state NEW -m recent --name ssh --set
iptables -A INPUT -p tcp --dport 2222 -m state --state NEW -m recent --name ssh --rcheck --seconds 60 --hitcount 4 -j DROP
iptables -A INPUT -p tcp --dport 2222 -m state --state NEW -j ACCEPT

# HTTP/HTTPS with connection limiting
iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 32 -j DROP
iptables -A INPUT -p tcp --dport 443 -m connlimit --connlimit-above 20 --connlimit-mask 32 -j DROP
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

# Block common attack patterns
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

# Log dropped packets
iptables -A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "[IPTables Dropped]: " --log-level 4

# Save rules
iptables-save > /etc/iptables/rules.v4

echo "DDoS protection rules applied!"

# Create service to load rules on boot
cat > /etc/systemd/system/iptables-ddos.service << 'EOF'
[Unit]
Description=IPTables DDoS Protection
After=network.target

[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/iptables/rules.v4
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF

systemctl enable iptables-ddos.service
systemctl start iptables-ddos.service

#!/bin/bash
# Comprehensive WHMCS Security Audit Script
# File: /usr/local/bin/whmcs-security-audit.sh

AUDIT_LOG="/var/log/whmcs-audit.log"
WHMCS_PATH="/var/www/html/whmcs"
EMAIL="[email protected]"

echo "=== WHMCS Security Audit Report ===" > $AUDIT_LOG
echo "Generated: $(date)" >> $AUDIT_LOG
echo "" >> $AUDIT_LOG

# System hardening checks
echo "== System Hardening Checks ==" >> $AUDIT_LOG

# Check if automatic updates are enabled
if [ -f /etc/apt/apt.conf.d/20auto-upgrades ]; then
    echo " Automatic security updates: ENABLED" >> $AUDIT_LOG
else
    echo "✗ Automatic security updates: DISABLED" >> $AUDIT_LOG
fi

# Check SSH configuration
if grep -q "PermitRootLogin no" /etc/ssh/sshd_config; then
    echo " SSH root login: DISABLED" >> $AUDIT_LOG
else
    echo "✗ SSH root login: ENABLED (security risk)" >> $AUDIT_LOG
fi

if grep -q "PasswordAuthentication no" /etc/ssh/sshd_config; then
    echo " SSH password authentication: DISABLED" >> $AUDIT_LOG
else
    echo "✗ SSH password authentication: ENABLED (use keys)" >> $AUDIT_LOG
fi

# Check firewall status
if systemctl is-active --quiet ufw || systemctl is-active --quiet firewalld; then
    echo " Firewall: ACTIVE" >> $AUDIT_LOG
else
    echo "✗ Firewall: INACTIVE or not configured" >> $AUDIT_LOG
fi

# Check fail2ban status
if systemctl is-active --quiet fail2ban; then
    echo " Fail2ban: ACTIVE" >> $AUDIT_LOG
    BANNED_IPS=$(fail2ban-client status | grep "Jail list" | cut -d':' -f2 | xargs -n1 fail2ban-client status | grep "Currently banned" | awk '{print $4}' | paste -sd+ | bc 2>/dev/null)
    echo "  Currently banned IPs: ${BANNED_IPS:-0}" >> $AUDIT_LOG
else
    echo "✗ Fail2ban: INACTIVE" >> $AUDIT_LOG
fi

echo "" >> $AUDIT_LOG

# WHMCS specific checks
echo "== WHMCS Security Checks ==" >> $AUDIT_LOG

# Check file permissions
echo "File Permissions Audit:" >> $AUDIT_LOG
find $WHMCS_PATH -name "*.php" -perm 777 2>/dev/null | while read file; do
    echo "✗ Insecure permissions (777): $file" >> $AUDIT_LOG
done

find $WHMCS_PATH -name "configuration.php" -perm /044 2>/dev/null | while read file; do
    echo "✗ Configuration file readable by others: $file" >> $AUDIT_LOG
done

if [ ! -f "$WHMCS_PATH/configuration.php" ]; then
    echo "✗ Configuration file missing" >> $AUDIT_LOG
elif [ $(stat -c %a "$WHMCS_PATH/configuration.php") -eq 600 ]; then
    echo " Configuration file permissions: SECURE (600)" >> $AUDIT_LOG
else
    echo "⚠ Configuration file permissions: $(stat -c %a $WHMCS_PATH/configuration.php) (should be 600)" >> $AUDIT_LOG
fi

# Check for backup files
BACKUP_FILES=$(find $WHMCS_PATH -name "*.bak" -o -name "*.backup" -o -name "*~" -o -name "*.old" 2>/dev/null | wc -l)
if [ $BACKUP_FILES -eq 0 ]; then
    echo " Backup files: NONE found in web directory" >> $AUDIT_LOG
else
    echo "✗ Found $BACKUP_FILES backup files in web directory" >> $AUDIT_LOG
fi

# Check for version disclosure
if grep -q "X-Powered-By" /etc/nginx/nginx.conf /etc/apache2/apache2.conf 2>/dev/null; then
    echo "⚠ Server version disclosure may be enabled" >> $AUDIT_LOG
else
    echo " Server signature: HIDDEN" >> $AUDIT_LOG
fi

echo "" >> $AUDIT_LOG

# SSL/TLS checks
echo "== SSL/TLS Security Checks ==" >> $AUDIT_LOG

# Check SSL certificate expiry
if command -v openssl &> /dev/null; then
    DOMAIN=$(grep "server_name" /etc/nginx/sites-available/default | head -1 | awk '{print $2}' | tr -d ';')
    if [ ! -z "$DOMAIN" ] && [ "$DOMAIN" != "_" ]; then
        CERT_EXPIRY=$(echo | timeout 5 openssl s_client -connect $DOMAIN:443 -servername $DOMAIN 2>/dev/null | openssl x509 -noout -dates 2>/dev/null | grep notAfter | cut -d= -f2)
        if [ ! -z "$CERT_EXPIRY" ]; then
            EXPIRY_TIMESTAMP=$(date -d "$CERT_EXPIRY" +%s 2>/dev/null)
            CURRENT_TIMESTAMP=$(date +%s)
            DAYS_LEFT=$(( (EXPIRY_TIMESTAMP - CURRENT_TIMESTAMP) / 86400 ))
            
            if [ $DAYS_LEFT -gt 30 ]; then
                echo " SSL certificate expires in $DAYS_LEFT days" >> $AUDIT_LOG
            elif [ $DAYS_LEFT -gt 7 ]; then
                echo "⚠ SSL certificate expires in $DAYS_LEFT days (renew soon)" >> $AUDIT_LOG
            else
                echo "✗ SSL certificate expires in $DAYS_LEFT days (URGENT)" >> $AUDIT_LOG
            fi
        fi
    fi
fi

# Check for HTTPS redirect
if curl -s -I http://localhost | grep -q "Location: https://"; then
    echo " HTTP to HTTPS redirect: ENABLED" >> $AUDIT_LOG
else
    echo "✗ HTTP to HTTPS redirect: MISSING" >> $AUDIT_LOG
fi

echo "" >> $AUDIT_LOG

# Database security checks
echo "== Database Security Checks ==" >> $AUDIT_LOG

# Check MySQL configuration
if [ -f /etc/mysql/my.cnf ] || [ -f /etc/my.cnf ]; then
    if grep -q "bind-address.*127.0.0.1" /etc/mysql/my.cnf /etc/my.cnf 2>/dev/null; then
        echo " MySQL bind address: LOCALHOST only" >> $AUDIT_LOG
    else
        echo "⚠ MySQL bind address: Check configuration" >> $AUDIT_LOG
    fi
    
    if grep -q "log-error" /etc/mysql/my.cnf /etc/my.cnf 2>/dev/null; then
        echo " MySQL error logging: ENABLED" >> $AUDIT_LOG
    else
        echo "⚠ MySQL error logging: Not explicitly configured" >> $AUDIT_LOG
    fi
fi

echo "" >> $AUDIT_LOG

# System resource checks
echo "== System Resource Checks ==" >> $AUDIT_LOG

# Check disk usage
DISK_USAGE=$(df / | tail -1 | awk '{print $5}' | cut -d'%' -f1)
if [ $DISK_USAGE -lt 80 ]; then
    echo " Disk usage: ${DISK_USAGE}% (healthy)" >> $AUDIT_LOG
elif [ $DISK_USAGE -lt 90 ]; then
    echo "⚠ Disk usage: ${DISK_USAGE}% (monitor)" >> $AUDIT_LOG
else
    echo "✗ Disk usage: ${DISK_USAGE}% (critical)" >> $AUDIT_LOG
fi

# Check memory usage
MEM_USAGE=$(free | grep Mem | awk '{printf("%.0f", $3/$2 * 100.0)}')
if [ $MEM_USAGE -lt 80 ]; then
    echo " Memory usage: ${MEM_USAGE}% (healthy)" >> $AUDIT_LOG
else
    echo "⚠ Memory usage: ${MEM_USAGE}% (monitor)" >> $AUDIT_LOG
fi

# Check load average
LOAD_AVG=$(uptime | awk '{print $(NF-2)}' | tr -d ',')
echo "ℹ Current load average: $LOAD_AVG" >> $AUDIT_LOG

echo "" >> $AUDIT_LOG

# Security log analysis
echo "== Security Log Analysis ==" >> $AUDIT_LOG

# Check for recent failed logins
FAILED_LOGINS=$(grep "authentication failure" /var/log/auth.log | grep "$(date '+%Y-%m-%d')" | wc -l)
echo "Failed login attempts today: $FAILED_LOGINS" >> $AUDIT_LOG

# Check for successful logins
SUCCESSFUL_LOGINS=$(grep "Accepted" /var/log/auth.log | grep "$(date '+%Y-%m-%d')" | wc -l)
echo "Successful logins today: $SUCCESSFUL_LOGINS" >> $AUDIT_LOG

# Check web server error log
if [ -f /var/log/nginx/error.log ]; then
    ERROR_COUNT=$(grep "$(date '+%Y/%m/%d')" /var/log/nginx/error.log | wc -l)
    echo "Web server errors today: $ERROR_COUNT" >> $AUDIT_LOG
fi

echo "" >> $AUDIT_LOG
echo "=== End of Security Audit ===" >> $AUDIT_LOG

# Email the report
mail -s "WHMCS Security Audit Report - $(date '+%Y-%m-%d')" $EMAIL < $AUDIT_LOG

echo "Security audit completed. Report saved to $AUDIT_LOG and emailed to $EMAIL"

# Add to crontab to run daily:
# 0 6 * * * /usr/local/bin/whmcs-security-audit.sh