Host Your Own Mediawiki Online Ubuntu 22.04

From CompleteNoobs
Jump to navigation Jump to search
Please Select a Licence from the LICENCE_HEADERS page
And place at top of your page
If no Licence is Selected/Appended, Default will be CC0

Default Licence IF there is no Licence placed below this notice! When you edit this page, you agree to release your contribution under the CC0 Licence

LICENCE: More information about the cc0 licence can be found here:
https://creativecommons.org/share-your-work/public-domain/cc0

The person who associated a work with this deed has dedicated the work to the public domain by waiving all of his or her rights to the work worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.

You can copy, modify, distribute and perform the work, even for commercial purposes, all without asking permission.

Licence:

Statement of Purpose

The laws of most jurisdictions throughout the world automatically confer exclusive Copyright and Related Rights (defined below) upon the creator and subsequent owner(s) (each and all, an "owner") of an original work of authorship and/or a database (each, a "Work").

Certain owners wish to permanently relinquish those rights to a Work for the purpose of contributing to a commons of creative, cultural and scientific works ("Commons") that the public can reliably and without fear of later claims of infringement build upon, modify, incorporate in other works, reuse and redistribute as freely as possible in any form whatsoever and for any purposes, including without limitation commercial purposes. These owners may contribute to the Commons to promote the ideal of a free culture and the further production of creative, cultural and scientific works, or to gain reputation or greater distribution for their Work in part through the use and efforts of others.

For these and/or other purposes and motivations, and without any expectation of additional consideration or compensation, the person associating CC0 with a Work (the "Affirmer"), to the extent that he or she is an owner of Copyright and Related Rights in the Work, voluntarily elects to apply CC0 to the Work and publicly distribute the Work under its terms, with knowledge of his or her Copyright and Related Rights in the Work and the meaning and intended legal effect of CC0 on those rights.

1. Copyright and Related Rights. A Work made available under CC0 may be protected by copyright and related or neighboring rights ("Copyright and Related Rights"). Copyright and Related Rights include, but are not limited to, the following:

   the right to reproduce, adapt, distribute, perform, display, communicate, and translate a Work;
   moral rights retained by the original author(s) and/or performer(s);
   publicity and privacy rights pertaining to a person's image or likeness depicted in a Work;
   rights protecting against unfair competition in regards to a Work, subject to the limitations in paragraph 4(a), below;
   rights protecting the extraction, dissemination, use and reuse of data in a Work;
   database rights (such as those arising under Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, and under any national implementation thereof, including any amended or successor version of such directive); and
   other similar, equivalent or corresponding rights throughout the world based on applicable law or treaty, and any national implementations thereof.

2. Waiver. To the greatest extent permitted by, but not in contravention of, applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and unconditionally waives, abandons, and surrenders all of Affirmer's Copyright and Related Rights and associated claims and causes of action, whether now known or unknown (including existing as well as future claims and causes of action), in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each member of the public at large and to the detriment of Affirmer's heirs and successors, fully intending that such Waiver shall not be subject to revocation, rescission, cancellation, termination, or any other legal or equitable action to disrupt the quiet enjoyment of the Work by the public as contemplated by Affirmer's express Statement of Purpose.

3. Public License Fallback. Should any part of the Waiver for any reason be judged legally invalid or ineffective under applicable law, then the Waiver shall be preserved to the maximum extent permitted taking into account Affirmer's express Statement of Purpose. In addition, to the extent the Waiver is so judged Affirmer hereby grants to each affected person a royalty-free, non transferable, non sublicensable, non exclusive, irrevocable and unconditional license to exercise Affirmer's Copyright and Related Rights in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "License"). The License shall be deemed effective as of the date CC0 was applied by Affirmer to the Work. Should any part of the License for any reason be judged legally invalid or ineffective under applicable law, such partial invalidity or ineffectiveness shall not invalidate the remainder of the License, and in such case Affirmer hereby affirms that he or she will not (i) exercise any of his or her remaining Copyright and Related Rights in the Work or (ii) assert any associated claims and causes of action with respect to the Work, in either case contrary to Affirmer's express Statement of Purpose.

4. Limitations and Disclaimers.

   No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document.
   Affirmer offers the Work as-is and makes no representations or warranties of any kind concerning the Work, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non infringement, or the absence of latent or other defects, accuracy, or the present or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.
   Affirmer disclaims responsibility for clearing rights of other persons that may apply to the Work or any use thereof, including without limitation any person's Copyright and Related Rights in the Work. Further, Affirmer disclaims responsibility for obtaining any necessary consents, permissions or other rights required for any use of the Work.
   Affirmer understands and acknowledges that Creative Commons is not a party to this document and has no duty or obligation with respect to this CC0 or use of the Work.

Creating a MediaWiki Server on Ubuntu with Apache2

DNS

Domain Name System: An index that connects an ip address with a more human readable name(website name):
Like a phone book would index a persons name with a phone number.
If you have a domain name for your wiki, point it to your server's ip address.
This will be required for a letsencrypt cert also.

I am using namecheap.com and on the Advanced DNS Page
Add two Type A Records:

Dns
Type Host Ip address TTL
A record @ 192.248.145.129 auto
A record www 192.248.145.129 auto


Basic Firewall UFW for Container

NOTE:Add Link to a UFW page for more info

Blocking IPv6
$EDITOR /etc/default/ufw

Change the line
IPV6=yes
To
IPV6=no
Save and Exit

Allow port 80
ufw allow 80/tcp
Allow port 443
ufw allow 443/tcp
Start/Enable UFW firewall
ufw enable
Check UFW status
ufw status

If you Entered wrong port number and would like to change/delete rule:

delete a UFW rule you made by mistake.
ufw delete allow 433/tcp
Or you can use a numbered rule list.
ufw status numbered
Will list rules by number.
ufw delete <RULE_NUMBER>
ufw delete 2

Now re-enter rule to allow correct port number and protocol.

Update system

apt update && apt upgrade -y

ssmtp setup

NOTE: need link to ssmtp page - showing how to use other email providers that allow smtp Link to ssmtp wiki page
You can use a number of email providers for sending emails from server using ssmtp.
I am going to use smtp2go.com they do provide a free service if you wish to try.

smtp2go details:

https://www.smtp2go.com/
Has a Free Plan

  1. 1000 emails per month
  2. 5 days of email reporting
  3. Ticket support only


Do not use you username and password you used to sign up!
Go to https://app.smtp2go.com/sending/smtp_users/
Or 'Sending' > 'SMTP Users'
And create/add a SMTP User account.
The User created will be given a good password by default.
Use this username and password for ssmtp.
In this example i have the username "noobwiki" and the password "N0tTelinu"

ssmtp

apt install ssmtp -y

$EDITOR /etc/ssmtp/ssmtp.conf

mailhub=mail.smtp2go.com:587
AuthUser=noobwiki
AuthPass=N0tTelinu
UseSTARTTLS=YES
FromLineOverride=YES
hostname=completenoobs.com

Why use hostname=completenoobs.com

"hostname" needed for ubuntu unattended upgrades to send email.
If missing: will get "(550 unable to verify sender address.)"
If using hostname=localhost "(550 "Localhost" unnaceptable, you must use a public domain-name.)"
If using hostname=admin@completenoobs.com "501 <root@admin@completenoobs.com>: malformed address: @completenoobs.com> may not follow <root@admin"


Do not use user@smtp2go.com as the sender address! you need an email address that has an MX record(mail exchanger record) at its domain name.
$EDITOR /etc/ssmtp/revaliases

root:admin@completenoobs.com:mail.smtp2go.com:587

usermod


usermod can be used to change the email senders name/address.
Instead of your mail coming from 'root' or 'ubuntu' or any other user account.
usermod -c "emailSenderName" <account_sending>
usermod -c "completenoobslxc" root

usermod -c:

The "usermod" command in Linux is used to modify user account details. The "-c" option in the "usermod" command is used to change the comment (or description) field associated with a user account.

Specifically, when you run the command "usermod -c <comment> <username>", it will update the comment field of the user account associated with the given username to the specified comment. The comment is typically used to provide additional information about the user, such as their full name, job title, or department.

For example, if you run the command "usermod -c 'John Smith' john", it will update the comment field for the user account "john" to "John Smith". You can then use tools like the "finger" command to display this information, e.g., "finger john".

Send Test eMail
Create a file and add subject header and some content.
$EDITOR test-mail.txt

Subject:test email

Hello You.


Save and Exit
Now send the email:
sendmail email@address2receive.mail < test-mail.txt
Don't forget to check your spam folder if you don't see email
Once tested and email sent, you can delete test-mail.txt.
rm test-mail.txt

sendmail notes

If the sendmail command locks your terminal and CTRL+c does not work

Use CTRL+z which will send a SIGTSTP signal which will put the process to sleep.
use jobs to see the sleeping process.
jobs
and kill %<JOBNUMBER>
kill %1
you can also use ps ax to list processes running on your computer and kill -9 <PROCESS-NUMBER> to kill process.

sendmail in verbose mode for more details:

More info can be found in the man page man sendmail
Use the verbose flag -v
sendmail -v email@address2receive.mail < test-mail.txt

Check mail logs for errors:

send mail error log can be found in
/var/log/mail.err
and sendmail log can be found:
/var/log/mail.log

Create Swap space on server

What are the benifits of having swap space on your server:

Having a swap space on your server can provide several benefits, including:

  • Improved system stability: When your server runs out of RAM, it can cause instability and even crashes. Swap space provides a safety net by allowing the operating system to move inactive data from RAM to disk, freeing up RAM for more active processes.
  • Increased memory availability: Swap space can provide additional virtual memory to the system, allowing it to handle more demanding workloads than it could with just physical memory alone.
  • Enhanced performance: While swap space is not as fast as physical memory, it can help prevent thrashing, which is when the operating system spends too much time swapping data between RAM and disk. By providing an additional layer of memory, swap space can improve overall system performance.
  • More flexibility: Swap space allows you to allocate memory resources more efficiently. For example, you can configure your system to have a smaller amount of physical memory and a larger swap space, or vice versa, depending on your specific workload and requirements.
  • Improved application availability: In some cases, applications may require a certain amount of available memory to function properly. Having swap space can ensure that the system has enough memory to keep these applications running even when physical memory is low.

Overall, having swap space on your server can provide a valuable safety net and help improve system stability and performance.

First check if you already have a swap space

First check if you already have a swap space
free -m
Returns:

              total        used        free      shared  buff/cache   available
Mem:           1987         103        1655           2         228        1732
Swap:             0           0           0


Other methods to check swap space

cat /proc/swaps
swapon -s -v

Create SwapSpace

preallocate a 2 gigabyte space to be used for swap.
Note: you can name swapfile to anything you want.

fallocate -l 2G /swapfile

Initialize the /swapfile file with zeros - see "Working out the count size" to see how to work out the count size.

Working out the count size:

Working out count size to scale the swapsize.

1 kilobyte = 1024 bytes

1 megabyte = 1024 kilobyte

1 gigabyte = 1024 megabytes

bs=1024 = 1 megabyte

1 gigabyte = 1024 megabyte

to get count of 1 gigabyte 1024 * 1024

2 gigabyte (1024 * 2048 ) or 1048576 * 2 = 2,097,152

dd if=/dev/zero of=/swapfile bs=1024 count=2097152

chmod 600 /swapfile

mkswap /swapfile

swapon /swapfile Or swapon -a Or mount -a

append to /etc/fstab so its mounted after reboot.
$EDITOR /etc/fstab
And enter this in a new line at the bottom:
/swapfile swap swap defaults 0 0

and thats it, you can check swap with(or same other methods as above):

free -m
Returns:

              total        used        free      shared  buff/cache   available
Mem:           1987         103          75           2        1808        1712
Swap:          2047           0        2047

auto update server

View here for more info on Ubuntu unattended upgrades
$EDITOR /etc/apt/apt.conf.d/50unattended-upgrades
Uncomment (by removing // at start of line)and amend the lines we want:
// "${distro_id}:${distro_codename}-updates";
to
"${distro_id}:${distro_codename}-updates";
Add email address to send email to:

//Unattended-Upgrade::Mail "";
Unattended-Upgrade::Mail "email@tosendto.com";

We are going to test are send mail, so for now change MailReport to "always"

//Unattended-Upgrade::MailReport "on-change";
Unattended-Upgrade::MailReport "always";
// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Do automatic removal of newly unused dependencies after the upgrade
//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";

// Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";

// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

Changed to

// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Do automatic removal of newly unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "true";

// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "04:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
Acquire::http::Dl-Limit "500";

Test with debug flag -d
unattended-upgrade -d

Once email alerts from auto updates has been tested and working, change MailReport back from 'always' to 'on-change', unless you want to be emailed at every update.

Install Apache2

apt install apache2

Can now visit your domain in browser to check it works:
Make sure you use http and Not https as not yet configured.

CertBot LetsEncrypt https

Install certbot
snap install certbot --classic

Create Cert
certbot --apache -d completenoobs.com -d www.completenoobs.com

Restart apache
systemctl restart apache2
Now check your site on browser.

Install MediaWiki

apt install mysql-server php php-mysql libapache2-mod-php php-xml php-mbstring php-intl -y

wget https://releases.wikimedia.org/mediawiki/1.39/mediawiki-1.39.2.tar.gz

tar -xvf mediawiki-1.39.2.tar.gz

mv mediawiki-1.39.2 /var/www/html/noobs

chown -R www-data:www-data /var/www/html/noobs

Create Database

Will be prompted to set a root password!
mysql -u root -p

CREATE USER 'green'@'localhost' IDENTIFIED BY 'THISpasswordSHOULDbeCHANGED';

CREATE DATABASE mywiki_database;

use mywiki_database;

GRANT ALL ON mywiki_database.* TO 'green'@'localhost';

quit;

Make note of your: database name, username, userpassword

CREATE USER 'green'@'localhost' IDENTIFIED BY 'THISpasswordSHOULDbeCHANGED';
Database Username:green
Database host/location:localhost Database User Password:THISpasswordSHOULDbeCHANGED

CREATE DATABASE mywiki_database;
Database Name:mywiki_database

Config Apache2

Create a Apache2 Config file for your site

$EDITOR /etc/apache2/sites-available/completenoobs.com.conf

<VirtualHost *:80>

    ServerName completenoobs.com
    ServerAdmin admin@completenoobs.com

    # Redirect Requests to SSL
    Redirect permanent "/" "https://www.completenoobs.com"

</VirtualHost>

<IfModule mod_ssl.c>

    <VirtualHost _default_:443>

            ServerName completenoobs.com
            ServerAdmin admin@completenoobs.com
            DocumentRoot /var/www/html/noobs

            ErrorLog ${APACHE_LOG_DIR}/completenoobs.com.error.log
            CustomLog ${APACHE_LOG_DIR}/completenoobs.com.access.log combined
            # Path from certbot can be found in 000-default-le-ssl.conf

            <Directory /var/www/html/noobs>
                    Options None FollowSymLinks
                    #Allow .htaccess
                    AllowOverride All
                    Require all granted
                    <IfModule security2_module>
                            SecRuleEngine Off
                            # or disable only problematic rules
                    </IfModule>
            </Directory>

    </VirtualHost>

</IfModule>


Edit "000-default-le-ssl.conf" created by certbot to correct path

$EDITOR /etc/apache2/sites-enabled/000-default-le-ssl.conf

Change the DocumentRoot path to your mediawiki directory.

  • DocumentRoot /var/www/html
To
  • DocumentRoot /var/www/html/noobs
<IfModule mod_ssl.c>
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf


ServerName noblemage.com
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias www.noblemage.com
SSLCertificateFile /etc/letsencrypt/live/noblemage.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/noblemage.com/privkey.pem
</VirtualHost>
</IfModule>

After Change /etc/apache2/sites-enabled/000-default-le-ssl.conf:

<IfModule mod_ssl.c>
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html/noobs

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf


ServerName noblemage.com
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias www.noblemage.com
SSLCertificateFile /etc/letsencrypt/live/noblemage.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/noblemage.com/privkey.pem
</VirtualHost>
</IfModule>

Reload Apache2

a2dissite 000-default

a2dissite 000-default:

To disable the default Apache site on a Debian-based system like Ubuntu, you can use the a2dissite command. The default site configuration is usually named 000-default.conf.

To re-enable use a2ensite 000-default

a2ensite completenoobs.com

a2ensite completenoobs.com:

a2ensite is a command-line utility in Debian-based systems, like Ubuntu, that enables a specific site configuration in the Apache web server. The term a2ensite is derived from "Apache 2 Enable Site."

When you create a new virtual host configuration file for your website in the /etc/apache2/sites-available/ directory, you need to enable it for Apache to start serving the site. The a2ensite command is used to enable a site by creating a symbolic link from the sites-available directory to the sites-enabled directory.

Here's how to use a2ensite:

Create a virtual host configuration file for your website in the /etc/apache2/sites-available/ directory. For example:

sudo nano /etc/apache2/sites-available/mywebsite.conf

Replace mywebsite with the name of your website or domain.

Add the appropriate configuration to the virtual host file, and save it.

Use the a2ensite command to enable the new site configuration:

sudo a2ensite mywebsite

Replace mywebsite with the name of your website or domain (without the .conf extension).

a2enmod ssl

a2enmod ssl:

a2enmod ssl is a command used to enable the ssl module in the Apache web server on Debian-based systems, like Ubuntu. The ssl module provides support for SSL/TLS encryption, which is necessary for serving websites securely over HTTPS.

a2enmod headers

a2enmod headers:

a2enmod is a command-line utility in Debian-based systems, like Ubuntu, used to enable Apache modules. The term a2enmod is derived from "Apache 2 Enable Module."

headers is an Apache module that allows you to manipulate HTTP response headers sent back to clients. It is commonly used to add, modify, or remove response headers in various situations, such as implementing security headers, cache control, or Content Security Policy (CSP).

The command a2enmod headers is used to enable the headers module in the Apache web server. Once the module is enabled, you can use its features in your Apache configuration files (e.g., .htaccess or httpd.conf).

Here's a step-by-step explanation of the command:

  • a2enmod: This is the utility you are using to enable Apache modules.
  • headers: This is the specific Apache module you want to enable.

apache2ctl configtest

apache2ctl configtest:

apache2ctl configtest is a command used to check the syntax of your Apache configuration files without actually restarting the server. This is useful for detecting any syntax errors or issues in your configuration files before applying changes to the running server.

systemctl restart apache2

Check Wiki Working

MediaWiki Basic Setup

Landing page

Open a web browser and go to your containers private ip address (you can get ip address by running lxc list on host).

https://10.194.171.251

Are certs are self-signed and you may/will get warning "your connection is not private"
Click "Advance" and "Proceed to 10.194.171.251 (unsafe)"

You will now find yourself on the mediawiki setup landing page.

MediaWiki 1.35.0
LocalSettings.php not found.
Please set up the wiki first.

Click set up the wiki to be taken to the "mw-config/index.php" page.


Basic Configure MediaWiki

Language Page

Just pick a language mate

Welcome to MediaWiki!

read and click Continue

Connect to database - going to need the details from when you created the database.

Database host:localhost
Database name:mywiki_database
Database table prefix (no hyphens): LEAVE BLANK
Database username:green
Database password:THISpasswordSHOULDbeCHANGED

Database Settings

Database account for web access
[x]Use the same account as for installation
Leave ticked

Name

Name of wiki:CompleteNoobs
Project namespace:
[x]Same as the wiki name:
[ ]Project
[ ]Other (specify)
Administrator account Will be the admin account on the wiki.

Options

User rights profile:
[ ] Open wiki
[x] Account creation required
[ ] Authorised editors only
[ ] Private wiki

Copyright and licence:
[ ] Creative Commons Attribution
[ ] Creative Commons Attribution-ShareAlike
[ ] Creative Commons Attribution-NonCommercial-ShareAlike
[ ] Creative Commons Zero (Public Domain)
[ ] GNU Free Documentation Licence 1.3 or later
[x] No licence footer
[ ] Select a custom Creative Commons licence


Email settings
[ ] Enable outbound email
Return email address:apache@🌻.invalid
[ ]Enable user-to-user email
[ ]Enable user talk page notification
[ ]Enable watchlist notification
[ ]Enable email authentication


Skins Pick a skin


Extensions
Special pages
[ ]CiteThisPage
[ ]Interwiki
[ ]Nuke
[ ]Renameuser
[ ]ReplaceText

Editors
[x]CodeEditor
[x]VisualEditor
[x]WikiEditor

Parser hooks
[ ]CategoryTree
[ ]Cite
[ ]ImageMap
[ ]InputBox
[ ]ParserFunctions
[ ]Poem
[ ]Scribunto
[x]SyntaxHighlight_GeSHi
[ ]TemplateData

Media handlers
[ ]PdfHandler

Spam prevention
[x]ConfirmEdit
[ ]SpamBlacklist
[ ]TitleBlacklist

API
[ ]PageImages

Other
[ ]Gadgets
[ ]LocalisationUpdate
[ ]MultimediaViewer
[ ]OATHAuth
[ ]SecureLinkFixer
[ ]TextExtracts


Images and file uploads
[ ]Enable file uploads
Logo URL:$wgResourceBasePath/resources/assets/wiki.png
[ ]Enable Instant Commons


Advanced configuration
Settings for object caching:
[x] No caching (no functionality is removed, but speed may be impacted on larger wiki sites)
[ ] Use Memcached (requires additional setup and configuration)

LocalSettings.php Launch Wiki

Send the Downloaded LocalSettings.php file to your server's mediawiki directory:

scp Downloads/LocalSettings.php root@www.completenoobs.com:/var/www/html/noobs/

And revisit you site on Browser www.completenoobs.com
Welcome to your wiki

Customize and Config your Wiki

Setup Email Config

$EDITOR /var/www/html/noobs/LocalSettings.php

Make sure $wgEnableEmail is set to true.
$wgEnableEmail = true;
https://www.mediawiki.org/wiki/Manual:$wgEnableEmail

$wgEmergencyContact = "";
$wgPasswordSender = "";
$wgEmergencyContact = "admin@completenoobs.com";
$wgPasswordSender = "admin@completenoobs.com";
$wgSMTP = [
    'host' => 'ssl://mail.smtp2go.com', // outbox server of the email account
    'IDHost' => 'completenoobs.com',
    'port' => 465,
    'username' => 'noobwiki', // user of the email account
    'password' => 'N0tTelinu', // app password of the email account
    'auth' => true
];

You need a 135px by 135px image, in this example its named 'completenoobs-logo.png'
scp completenoobs-logo.png root@www.completenoobs.com:/var/www/html/noobs/resources/assets/
Back in Server edit the LocalSettings.php file

## The URL paths to the logo.  Make sure you change this from the default,
## or else you'll overwrite your logo when you upgrade!
$wgLogos = [
        '1x' => "$wgResourceBasePath/resources/assets/change-your-logo.svg",
        'icon' => "$wgResourceBasePath/resources/assets/change-your-logo.svg",
];

Change to your new logo:

$wgLogos = [
        '1x' => "$wgResourceBasePath/resources/assets/completenoobs-logo.png",
        'icon' => "$wgResourceBasePath/resources/assets/completenoobs-logo.png",
];

Request Account and Confirm Email to edit

In LocalSettings change $wgEmailAuthentication = false; to true

https://www.mediawiki.org/wiki/Manual:$wgEmailAuthentication
https://www.mediawiki.org/wiki/Extension:ConfirmAccount

wget https://extdist.wmflabs.org/dist/extensions/ConfirmAccount-REL1_39-2b96e90.tar.gz
tar xzf ConfirmAccount-REL1_39-2b96e90.tar.gz -C /var/www/html/noobs/extensions/

In LocalSettings.php
set $wgEmailAuthentication to true.

wfLoadExtension( 'ConfirmAccount' );  
$wgConfirmAccountContact = 'admin@completenoobs.com'; 

Run maintenance update
php /var/www/html/noobs/maintenance/update.php
use Special:ConfirmAccounts to see if anyone requested a account.
And yep, your gonna get spammed! Bots love a wiki.

CookieWarning Extension

https://www.mediawiki.org/wiki/Extension:CookieWarning
wget https://extdist.wmflabs.org/dist/extensions/CookieWarning-REL1_39-778fe72.tar.gz
tar -xzf CookieWarning-REL1_39-778fe72.tar.gz -C /var/www/html/noobs/extensions/
In LocalSettings.php add:

wfLoadExtension( 'CookieWarning' );
$wgCookieWarningEnabled = 'true';
# $wgCookieWarningMoreUrl allows to to select a link for your moreinfo button
$wgCookieWarningMoreUrl = 'https://www.completenoobs.com/link';
$wgCookieWarningEnabled = 'true';

To change message sign in with admin account and visit these pages of your wiki and edit.
MediaWiki:Cookiewarning-info Edit the display message.
https://www.completenoobs.com/index.php/MediaWiki:Cookiewarning-info
MediaWiki:Cookiewarning-moreinfo-label
Edit and change display of the moreinfo button: link can be made/changed at LocalSettings with:
$wgCookieWarningMoreUrl = 'https://www.completenoobs.com/link'

https://www.completenoobs.com/index.php/MediaWiki:Cookiewarning-moreinfo-label

MediaWiki:Cookiewarning-ok-label Edit and change the text on the OK button.
https://www.completenoobs.com/index.php/MediaWiki:Cookiewarning-ok-label

Contribution Scores Extension

https://www.mediawiki.org/wiki/Extension:Contribution_Scores
wget https://extdist.wmflabs.org/dist/extensions/ContributionScores-REL1_39-0e7e99d.tar.gz
tar -xzf ContributionScores-REL1_39-0e7e99d.tar.gz -C /var/www/html/noobs/extensions
In LocalSettings.php add:

wfLoadExtension( 'ContributionScores' );
// Exclude Bots from the reporting - Can be omitted.
$wgContribScoreIgnoreBots = true; 
// Exclude Blocked Users from the reporting - Can be omitted.
$wgContribScoreIgnoreBlockedUsers = true;
// Use real user names when available - Can be omitted. Only for MediaWiki 1.19 and later.
$wgContribScoresUseRealName = true;
// Set to true to disable cache for parser function and inclusion of table.
$wgContribScoreDisableCache = false;       
// Each array defines a report - 7,50 is "past 7 days" and "LIMIT 50" - Can be omitted.
$wgContribScoreReports = [
    [ 7, 50 ],
    [ 30, 50 ],
    [ 0, 50 ]
];


Add to Main Landing Page:

{{Special:ContributionScores/10/5}}


Place Notice at top of every new page created

Using the PageNotice Extension.

https://www.mediawiki.org/wiki/Extension:PageNotice#Configuration

Download PageNotice and extract to extensions directory.

  • tar zxvf PageNotice-REL1_39-bf69636.tar.gz -C /var/www/html/noobs/extensions/

in LocalSettings.php add the lines:

wfLoadExtension( 'PageNotice' );
$wgPageNoticeDisablePerPageNotices = 'true';

To have message in every name space go to your wiki's page
index.php/mediawiki:top-notice-ns-0
Only admin account can edit this page:
What you place in this page will be displayed at the top of every page created.

Youtube extension

  • needed to view embedded videos

https://www.mediawiki.org/wiki/Extension:YouTube

wget https://extdist.wmflabs.org/dist/extensions/YouTube-REL1_39-f272bb3.tar.gz

tar -xzf YouTube-REL1_39-f272bb3.tar.gz -C /var/www/html/mediawiki/extensions/

  • Append to LocalSettings.php

wfLoadExtension( 'YouTube' );

  • On wiki page can now embed youtube videos
  • Defaults width=640 pixels height=385 pixels
  • Change defaults <youtube width="800" height="400">wB4gvSgYmfY</youtube>

Syntax highlighting not working

Install pygments
apt install python3-pygments

Add to LocalSettings:
wfLoadExtension( 'SyntaxHighlight_GeSHi' );

Policy Pages

Remove index.php from URL

mediawiki remove index.php path of wiki is /var/www/html/noobs/ i want apache to show completenoobs.com/noobs/Main_Page

To remove the "index.php" from the URLs of your MediaWiki installation, you need to enable pretty URLs using the .htaccess file and modify your LocalSettings.php. Here's how you can do that:

Create or modify the .htaccess file

First, navigate to your MediaWiki root folder, in your case /var/www/html/noobs/. If you don't have a .htaccess file, create one in this folder. Then, add the following content to the .htaccess file:

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L,QSA]

This code enables the Apache rewrite engine and tells it to redirect requests that don't match existing files or directories to the index.php file.

Modify the LocalSettings.php file:

Next, you'll need to modify the LocalSettings.php file, which should be located in your MediaWiki root folder (/var/www/html/noobs/). Add or modify the following lines:


$wgScriptPath = "/noobs";
$wgArticlePath = "{$wgScriptPath}/$1";
$wgUsePathInfo = true;
  • note: you should already have $wgScriptPath = "/noobs"; in LocalSettings.php

This code sets the base path for your wiki (/noobs), defines the article path pattern, and enables the use of path info.

Enable the Apache mod_rewrite module

root@noobs:/var/www/html/noobs# cat /etc/apache2/sites-available/000-default-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf


ServerName completenoobs.com
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias www.completenoobs.com
SSLCertificateFile /etc/letsencrypt/live/completenoobs.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/completenoobs.com/privkey.pem
</VirtualHost>
</IfModule>

Add

    <Directory /var/www/html/noobs>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
<IfModule mod_ssl.c>
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/html/noobs>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf


ServerName completenoobs.com
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias www.completenoobs.com
SSLCertificateFile /etc/letsencrypt/live/completenoobs.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/completenoobs.com/privkey.pem
</VirtualHost>
</IfModule>

Make sure the mod_rewrite module is enabled in your Apache configuration. You can enable it by running the following command:

sudo a2enmod rewrite

After enabling the module, restart Apache:

sudo systemctl restart apache2

Now, your MediaWiki installation should use pretty URLs without "index.php" in the path. In your case, it will show URLs like completenoobs.com/noobs/Main_Page.

Fail2Ban - optional

This Will Ban an IP who incorrectly enters wrong login details, a (you can select) amount of times for a (you can select) amount of time.

Fail2Log Extension

https://www.mediawiki.org/wiki/Extension:Fail2Log

Create Log file

Could not get PHP to create and set permissions for log file: So for now doing manually!
touch /var/log/Fail2Log.log
chown www-data:www-data /var/log/Fail2Log.log
chmod 0755 /var/log/Fail2Log.log
Failed login's with wrong user name and/or password should now be logged in:/var/log/Fail2Log.log

Log Format:
Failed:<IP_ADDRESS> <DATE>

Download and install extension

wget https://github.com/greenhatmonkey/Fail2Log/blob/main/Fail2Log.tar.gz?raw=true
tar xzvf Fail2Log.tar.gz?raw=true -C /var/www/html/noobs/extensions/
Add to your LocalSettings.php

wfLoadExtension( 'Fail2Log' );
$wgFail2LogFile = '/var/log/Fail2Log.log';

Install and Setup Fail2Ban

Fail2Ban works in a container. If using fail2ban on Host for container:
Just include log path: /var/snap/lxd/common/mntns/var/snap/lxd/common/lxd/storage-pools/default/containers/<CONTAINER_NAME>/rootfs/var/log/Fail2Log.log

apt install fail2ban

  • Fail2ban will use file.local over file.conf if file.local exists:
  • file.conf can be written over if file2ban gets updated.
  • Make a file.local of the file you are working on.


cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

$EDITOR /etc/fail2ban/jail.local

Default /etc/fail2ban/jail.conf file: Expand to view

#
# WARNING: heavily refactored in 0.9.0 release.  Please review and
#          customize settings for your setup.
#
# Changes:  in most of the cases you should not modify this
#           file, but provide customizations in jail.local file,
#           or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwritten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
# bantime = 1h
#
# [sshd]
# enabled = true
#
# See jail.conf(5) man page for more information



# Comments: use '#' for comment lines and ';' (following a space) for inline comments


[INCLUDES]

#before = paths-distro.conf
before = paths-debian.conf

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "bantime.increment" allows to use database for searching of previously banned ip's to increase a 
# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
#bantime.increment = true

# "bantime.rndtime" is the max number of seconds using for mixing with random time 
# to prevent "clever" botnets calculate exact time IP can be unbanned again:
#bantime.rndtime = 

# "bantime.maxtime" is the max number of seconds using the ban time can reach (don't grows further)
#bantime.maxtime = 

# "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
# default value of factor is 1 and with default value of formula, the ban time 
# grows by 1, 2, 4, 8, 16 ...
#bantime.factor = 1

# "bantime.formula" used by default to calculate next value of ban time, default value bellow,
# the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32...
#bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
#
# more aggressive example of formula has the same values only for factor "2.0 / 2.885385" :
#bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)

# "bantime.multipliers" used to calculate next value of ban time instead of formula, coresponding 
# previously ban count and given "bantime.factor" (for multipliers default is 1);
# following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, 
# always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours
#bantime.multipliers = 1 2 4 8 16 32 64
# following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin,
# for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day
#bantime.multipliers = 1 5 30 60 300 720 1440 2880

# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed 
# cross over all jails, if false (dafault), only current jail of the ban IP will be searched
#bantime.overalljails = false

# --------------------

# "ignoreself" specifies whether the local resp. own IP addresses should be ignored
# (default is true). Fail2ban will not ban a host which matches such addresses.
#ignoreself = true

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
#ignoreip = 127.0.0.1/8 ::1

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime  = 10m

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 10m

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

# "maxmatches" is the number of matches stored in ticket (resolvable via tag <matches> in actions).
maxmatches = %(maxretry)s

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#              If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#              If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# systemd:   uses systemd python library to access the systemd journal.
#              Specifying "logpath" is not valid for this backend.
#              See "journalmatch" in the jails associated filter config
# auto:      will try to use the following backends, in order:
#              pyinotify, gamin, polling.
#
# Note: if systemd backend is chosen as the default but you enable a jail
#       for which logs are present only in its own log files, specify some other
#       backend for that jail (e.g. polling) and provide empty value for
#       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a DNS lookup will be performed.
# warn:  if a hostname is encountered, a DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
# raw:   use raw value (no hostname), allow use it for no-host filters/actions (example user)
usedns = warn

# "logencoding" specifies the encoding of the log files handled by the jail
#   This is used to decode the lines from the log file.
#   Typical examples:  "ascii", "utf-8"
#
#   auto:   will use the system locale setting
logencoding = auto

# "enabled" enables the jails.
#  By default all jails are disabled, and it should stay this way.
#  Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true:  jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false


# "mode" defines the mode of the filter (see corresponding filter implementation for more info).
mode = normal

# "filter" defines the filter to use by the jail.
#  By default jails have names matching their filter name
#
filter = %(__name__)s[mode=%(mode)s]


#
# ACTIONS
#

# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost

# Sender email address used solely for some actions
sender = root@<fq-hostname>

# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in ban-actions expecting parameter chain
chain = <known/chain>

# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535

# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
fail2ban_agent = Fail2Ban/%(fail2ban_version)s

#
# Action shortcuts. To be used to define action parameter

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
banaction_allports = iptables-allports

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
action_xarf = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]

# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
# to the destemail.
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

# Report block via blocklist.de fail2ban reporting service API
# 
# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in 
# corresponding jail.d/my-jail.local file).
#
action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]

# Report ban via badips.com, and use as blacklist
#
# See BadIPsAction docstring in config/action.d/badips.py for
# documentation for this action.
#
# NOTE: This action relies on banaction being present on start and therefore
# should be last action defined for a jail.
#
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
#
# Report ban via badips.com (uses action.d/badips.conf for reporting only)
#
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]

# Report ban via abuseipdb.com.
#
# See action.d/abuseipdb.conf for usage example and details.
#
action_abuseipdb = abuseipdb

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s


#
# JAILS
#

#
# SSH servers
#

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s


[dropbear]

port     = ssh
logpath  = %(dropbear_log)s
backend  = %(dropbear_backend)s


[selinux-ssh]

port     = ssh
logpath  = %(auditd_log)s


#
# HTTP servers
#

[apache-auth]

port     = http,https
logpath  = %(apache_error_log)s


[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
port     = http,https
logpath  = %(apache_access_log)s
bantime  = 48h
maxretry = 1


[apache-noscript]

port     = http,https
logpath  = %(apache_error_log)s


[apache-overflows]

port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2


[apache-nohome]

port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2


[apache-botsearch]

port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2


[apache-fakegooglebot]

port     = http,https
logpath  = %(apache_access_log)s
maxretry = 1
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>


[apache-modsecurity]

port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2


[apache-shellshock]

port    = http,https
logpath = %(apache_error_log)s
maxretry = 1


[openhab-auth]

filter = openhab
action = iptables-allports[name=NoAuthFailures]
logpath = /opt/openhab/logs/request.log


[nginx-http-auth]

port    = http,https
logpath = %(nginx_error_log)s

# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` 
# and define `limit_req` and `limit_req_zone` as described in nginx documentation
# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
# or for example see in 'config/filter.d/nginx-limit-req.conf'
[nginx-limit-req]
port    = http,https
logpath = %(nginx_error_log)s

[nginx-botsearch]

port     = http,https
logpath  = %(nginx_error_log)s
maxretry = 2


# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.

[php-url-fopen]

port    = http,https
logpath = %(nginx_access_log)s
          %(apache_access_log)s


[suhosin]

port    = http,https
logpath = %(suhosin_log)s


[lighttpd-auth]
# Same as above for Apache's mod_auth
# It catches wrong authentifications
port    = http,https
logpath = %(lighttpd_error_log)s


#
# Webmail and groupware servers
#

[roundcube-auth]

port     = http,https
logpath  = %(roundcube_errors_log)s
# Use following line in your jail.local if roundcube logs to journal.
#backend = %(syslog_backend)s


[openwebmail]

port     = http,https
logpath  = /var/log/openwebmail.log


[horde]

port     = http,https
logpath  = /var/log/horde/horde.log


[groupoffice]

port     = http,https
logpath  = /home/groupoffice/log/info.log


[sogo-auth]
# Monitor SOGo groupware server
# without proxy this would be:
# port    = 20000
port     = http,https
logpath  = /var/log/sogo/sogo.log


[tine20]

logpath  = /var/log/tine20/tine20.log
port     = http,https


#
# Web Applications
#
#

[drupal-auth]

port     = http,https
logpath  = %(syslog_daemon)s
backend  = %(syslog_backend)s

[guacamole]

port     = http,https
logpath  = /var/log/tomcat*/catalina.out

[monit]
#Ban clients brute-forcing the monit gui login
port = 2812
logpath  = /var/log/monit
           /var/log/monit.log


[webmin-auth]

port    = 10000
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s


[froxlor-auth]

port    = http,https
logpath  = %(syslog_authpriv)s
backend  = %(syslog_backend)s


#
# HTTP Proxy servers
#
#

[squid]

port     =  80,443,3128,8080
logpath = /var/log/squid/access.log


[3proxy]

port    = 3128
logpath = /var/log/3proxy.log


#
# FTP servers
#


[proftpd]

port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(proftpd_log)s
backend  = %(proftpd_backend)s


[pure-ftpd]

port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(pureftpd_log)s
backend  = %(pureftpd_backend)s


[gssftpd]

port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(syslog_daemon)s
backend  = %(syslog_backend)s


[wuftpd]

port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(wuftpd_log)s
backend  = %(wuftpd_backend)s


[vsftpd]
# or overwrite it in jails.local to be
# logpath = %(syslog_authpriv)s
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(vsftpd_log)s


#
# Mail servers
#

# ASSP SMTP Proxy Jail
[assp]

port     = smtp,465,submission
logpath  = /root/path/to/assp/logs/maillog.txt


[courier-smtp]

port     = smtp,465,submission
logpath  = %(syslog_mail)s
backend  = %(syslog_backend)s


[postfix]
# To use another modes set filter parameter "mode" in jail.local:
mode    = more
port    = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s


[postfix-rbl]

filter   = postfix[mode=rbl]
port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
maxretry = 1


[sendmail-auth]

port    = submission,465,smtp
logpath = %(syslog_mail)s
backend = %(syslog_backend)s


[sendmail-reject]
# To use more aggressive modes set filter parameter "mode" in jail.local:
# normal (default), extra or aggressive
# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
#mode    = normal
port     = smtp,465,submission
logpath  = %(syslog_mail)s
backend  = %(syslog_backend)s


[qmail-rbl]

filter  = qmail
port    = smtp,465,submission
logpath = /service/qmail/log/main/current


# dovecot defaults to logging to the mail syslog facility
# but can be set by syslog_facility in the dovecot configuration.
[dovecot]

port    = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s


[sieve]

port   = smtp,465,submission
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s


[solid-pop3d]

port    = pop3,pop3s
logpath = %(solidpop3d_log)s


[exim]
# see filter.d/exim.conf for further modes supported from filter:
#mode = normal
port   = smtp,465,submission
logpath = %(exim_main_log)s


[exim-spam]

port   = smtp,465,submission
logpath = %(exim_main_log)s


[kerio]

port    = imap,smtp,imaps,465
logpath = /opt/kerio/mailserver/store/logs/security.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courier-auth]

port     = smtp,465,submission,imap,imaps,pop3,pop3s
logpath  = %(syslog_mail)s
backend  = %(syslog_backend)s


[postfix-sasl]

filter   = postfix[mode=auth]
port     = smtp,465,submission,imap,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s


[perdition]

port   = imap,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s


[squirrelmail]

port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log


[cyrus-imap]

port   = imap,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s


[uwimap-auth]

port   = imap,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s


#
#
# DNS servers
#


# !!! WARNING !!!
#   Since UDP is connection-less protocol, spoofing of IP and imitation
#   of illegal actions is way too simple.  Thus enabling of this filter
#   might provide an easy way for implementing a DoS against a chosen
#   victim. See
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.
#
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks UDP traffic for DNS requests.
# [named-refused-udp]
#
# filter   = named-refused
# port     = domain,953
# protocol = udp
# logpath  = /var/log/named/security.log

# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks TCP traffic for DNS requests.

[named-refused]

port     = domain,953
logpath  = /var/log/named/security.log


[nsd]

port     = 53
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/nsd.log


#
# Miscellaneous
#

[asterisk]

port     = 5060,5061
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath  = /var/log/asterisk/messages
maxretry = 10


[freeswitch]

port     = 5060,5061
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath  = /var/log/freeswitch.log
maxretry = 10


# enable adminlog; it will log to a file inside znc's directory by default.
[znc-adminlog]

port     = 6667
logpath  = /var/lib/znc/moddata/adminlog/znc.log


# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
# equivalent section:
# log-warnings = 2
#
# for syslog (daemon facility)
# [mysqld_safe]
# syslog
#
# for own logfile
# [mysqld]
# log-error=/var/log/mysqld.log
[mysqld-auth]

port     = 3306
logpath  = %(mysql_log)s
backend  = %(mysql_backend)s


# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
[mongodb-auth]
# change port when running with "--shardsvr" or "--configsvr" runtime operation
port     = 27017
logpath  = /var/log/mongodb/mongodb.log


# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
#    is not at DEBUG level -- which might then cause fail2ban to fall into
#    an infinite loop constantly feeding itself with non-informative lines
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
#    to maintain entries for failed logins for sufficient amount of time
[recidive]

logpath  = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime  = 1w
findtime = 1d


# Generic filter for PAM. Has to be used with action which bans all
# ports such as iptables-allports, shorewall

[pam-generic]
# pam-generic filter can be customized to monitor specific subset of 'tty's
banaction = %(banaction_allports)s
logpath  = %(syslog_authpriv)s
backend  = %(syslog_backend)s


[xinetd-fail]

banaction = iptables-multiport-log
logpath   = %(syslog_daemon)s
backend   = %(syslog_backend)s
maxretry  = 2


# stunnel - need to set port for this
[stunnel]

logpath = /var/log/stunnel4/stunnel.log


[ejabberd-auth]

port    = 5222
logpath = /var/log/ejabberd/ejabberd.log


[counter-strike]

logpath = /opt/cstrike/logs/L[0-9]*.log
# Firewall: http://www.cstrike-planet.com/faq/6
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
action  = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]

[bitwarden]
port    = http,https
logpath = /home/*/bwdata/logs/identity/Identity/log.txt

[centreon]
port    = http,https
logpath = /var/log/centreon/login.log

# consider low maxretry and a long bantime
# nobody except your own Nagios server should ever probe nrpe
[nagios]

logpath  = %(syslog_daemon)s     ; nrpe.cfg may define a different log_facility
backend  = %(syslog_backend)s
maxretry = 1


[oracleims]
# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
logpath = /opt/sun/comms/messaging64/log/mail.log_current
banaction = %(banaction_allports)s

[directadmin]
logpath = /var/log/directadmin/login.log
port = 2222

[portsentry]
logpath  = /var/lib/portsentry/portsentry.history
maxretry = 1

[pass2allow-ftp]
# this pass2allow example allows FTP traffic after successful HTTP authentication
port         = ftp,ftp-data,ftps,ftps-data
# knocking_url variable must be overridden to some secret value in jail.local
knocking_url = /knocking/
filter       = apache-pass[knocking_url="%(knocking_url)s"]
# access log of the website with HTTP auth
logpath      = %(apache_access_log)s
blocktype    = RETURN
returntype   = DROP
action       = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s,
                        actionstart_on_demand=false, actionrepair_on_unban=true]
bantime      = 1h
maxretry     = 1
findtime     = 1


[murmur]
# AKA mumble-server
port     = 64738
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
logpath  = /var/log/mumble-server/mumble-server.log


[screensharingd]
# For Mac OS Screen Sharing Service (VNC)
logpath  = /var/log/system.log
logencoding = utf-8

[haproxy-http-auth]
# HAProxy by default doesn't log to file you'll need to set it up to forward
# logs to a syslog server which would then write them to disk.
# See "haproxy-http-auth" filter for a brief cautionary note when setting
# maxretry and findtime.
logpath  = /var/log/haproxy.log

[slapd]
port    = ldap,ldaps
logpath = /var/log/slapd.log

[domino-smtp]
port    = smtp,ssmtp
logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log

[phpmyadmin-syslog]
port    = http,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s


[zoneminder]
# Zoneminder HTTP/HTTPS web interface auth
# Logs auth failures to apache2 error log
port    = http,https
logpath = %(apache_error_log)s

[traefik-auth]
# to use 'traefik-auth' filter you have to configure your Traefik instance,
# see `filter.d/traefik-auth.conf` for details and service example.
port    = http,https
logpath = /var/log/traefik/access.log

Default /etc/fail2ban/jail.local file with (almost all) comments removed:

Default /etc/fail2ban/jail.local with (almost) comments removed:
[INCLUDES]

before = paths-debian.conf


[DEFAULT]

ignorecommand =

bantime  = 10m

findtime  = 10m

maxretry = 5

maxmatches = %(maxretry)s

backend = auto

usedns = warn

logencoding = auto

enabled = false


mode = normal

filter = %(__name__)s[mode=%(mode)s]

#
# ACTIONS
#


destemail = root@localhost

sender = root@<fq-hostname>

mta = sendmail

protocol = tcp

chain = <known/chain>

port = 0:65535

fail2ban_agent = Fail2Ban/%(fail2ban_version)s

banaction = iptables-multiport
banaction_allports = iptables-allports

action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

action_xarf = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]

action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]

action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]

action_abuseipdb = abuseipdb

action = %(action_)s

#
# JAILS
#

#
# SSH servers
#

[sshd]

port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

Disconnect/kick and ban an ip from list


Just below we are going to append these lines to /etc/fail2ban/jail.local

# Reject/Disconnect Connections that failed username password
_action_tcp_udp = %(banaction)s[name=%(__name__)s-tcp, protocol="tcp", port="%(port)s", blocktype="REJECT --reject-with tcp-reset", chain="%(chain)s", actname=%(banaction)s-tcp]
    %(banaction)s[name=%(__name__)s-udp, protocol="udp", port="%(port)s", blocktype="REJECT --reject-with icmp-port-unreachable", chain="%(chain)s", actname=%(banaction)s-udp]


actionx = %(_action_tcp_udp)s

Before Changes:

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s


#
# JAILS
#

#
# SSH servers
#

After Changes:

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s

# Reject/Disconnect Connections that failed username password
_action_tcp_udp = %(banaction)s[name=%(__name__)s-tcp, protocol="tcp", port="%(port)s", blocktype="REJECT --reject-with tcp-reset", chain="%(chain)s", actname=%(banaction)s-tcp]
    %(banaction)s[name=%(__name__)s-udp, protocol="udp", port="%(port)s", blocktype="REJECT --reject-with icmp-port-unreachable", chain="%(chain)s", actname=%(banaction)s-udp]


actionx = %(_action_tcp_udp)s

#
# JAILS
#

#
# SSH servers
#

Jail for MediaWiki - /etc/fail2ban/jail.local

[mediawiki]

enabled = true
filter = mediawiki
action = iptables-allports
bantime = 1m
maxretry = 2
logpath = /var/log/Fail2Log.log


Before:

#
# JAILS
#

#
# SSH servers
#

After:

#
# JAILS
#
[mediawiki]

enabled = true
filter = mediawiki
action = iptables-allports
bantime = 1h
maxretry = 20
logpath = /var/log/Fail2Log.log
#
# SSH servers
#


Filter for mediawiki

Regex quick up and running tutorial: External Link:(youtube)

This Is a link to a video made by "Corey Schafer".
The best no nonsense up and running regex tut there is.
https://www.youtube.com/watch?v=sa-TUpSx1JA

$EDITOR /etc/fail2ban/filter.d/mediawiki.conf

[Definition]

failregex = ^Failed:<HOST>

ignoreregex =
Try out regex on log file

fail2ban-regex --print-all-matched /var/log/Fail2Log.log /etc/fail2ban/filter.d/mediawiki.conf

Restart Fail2Ban

systemctl restart fail2ban

fail2ban-client status

fail2ban-client status mediawiki

Now test by trying to login to your wiki with wrong password three times.

fail2ban regex and error checking

Check regex:

  • Syntax: fail2ban-regex <logfile> <failregex> <ignoreregex>
    • Example: fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-correct-up.conf
  • If you want to test ignoreregex enter filter file twice:
    • Example: fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-correct-up.conf /etc/fail2ban/filter.d/nginx-correct-up.conf
  • Read man fail2ban-regex for some more opitions:
  • Examples:
    • -v, --verbose
      • Be verbose in output
    • --print-all-missed
      • Print all missed lines
    • --print-all-ignored
      • Print all ignored lines
    • --print-all-matched
      • Print all matched lines

Debug Fail2Ban:

  • -d dump configuration. For debugging.

fail2ban-client -d

  • --dp, --dump-pretty dump the configuration using more human readable representation.

fail2ban-client --dp

  • will print the systemd log for Fail2Ban.

journalctl -u fail2ban


Change ban time After testing

$EDITOR /etc/fail2ban/jail.local

[mediawiki]

enabled = true
filter = mediawiki
action = iptables-allports
bantime = 1h
maxretry = 20
logpath = /var/log/Fail2Log.log

Unban IP's

Get list of Jails:
fail2ban-client status

See banned ips by that jail:
fail2ban-client status <jailname>

Unban IP from jail:
fail2ban-client set <jailname> unbanip <ip_address>

Log File:
/var/log/Fail2Log.log

Sitemap for search engines

  • Command to be run in your mediawiki directory
  • cd /var/www/html/noobs


php maintenance/generateSitemap.php --memory-limit=50M --fspath=/var/www/html/noobs/sitemap/ --identifier=completenoobs --urlpath=www.completenoobs.com/sitemap/ --server=https://www.completenoobs.com --compress=yes --skip-redirects
  • There should now be a sitemaps Directory in your mediawiki direcotry /var/www/html/noobs/sitemap with the following content:
sitemap-completenoobs-NS_0-0.xml.gz  
sitemap-completenoobs-NS_4-0.xml.gz  
sitemap-completenoobs-NS_5-0.xml.gz  
sitemap-completenoobs-NS_8-0.xml.gz  
sitemap-index-completenoobs.xml

Warning Bug:
there was error getting this on google, could not remember how i fixed it, will look into later


Backup Your Wiki

Its always a good idea to backup your wiki! Losing days of work is not fun!

Full Wiki Dump and Restore

Backing up

Making your wiki READ ONLY - will lock database

$EDITOR LocalSettings.php
$wgReadOnly = 'Dumping Database, Access will be restored shortly';

Dump and gzip database for transport

  • Will be prompted for password:
    • Note: If you forgot your Database details, you can find them on your LocalSettings.php file

mysqldump -h localhost --default-character-set=binary --no-tablespaces -u green -p mywiki_database | gzip > /root/greenwiki.sql.gz

ALt method for dump(password in cmd):

mysqldump -h localhost --default-character-set=binary --no-tablespaces -u green --password=THISpasswordSHOULDbeCHANGED -p mywiki_database | gzip > /root/greenwiki.sql.gz

php /var/www/html/mediawiki/maintenance/dumpBackup.php --full > /root/dump_mediawiki.xml

Back mediawiki Root Directory.
tar cvzhf /root/mediawiki-rootDir.tgz /var/www/html/mediawiki

All into one file for easy transport.
cd /root/
tar cvzhf mediawiki-transfer.tgz mediawiki-rootDir.tgz greenwiki.sql.gz dump_mediawiki.xml

All file in mediawiki-transfer.tgz for transfer to new server

Backup Script

  • tis script will need a dir /var/wikibk
#!/bin/bash

# Define paths and filenames
mediawiki_root_dir="/var/www/html/noobs"
local_settings_path="/var/www/html/noobs/LocalSettings.php"
database_backup_filename="Noobs_db.sql.gz"
root_dir_backup_filename="mediawiki-rootDir.tgz"

# Get the current timestamp
timestamp=$(date +"%Y-%m-%d_%H-%M-%S")
combined_backup_filename="mediawiki-transfer-${timestamp}.tgz"

# Get database details from LocalSettings.php
db_host=$(grep -oP "\$wgDBserver\s*=\s*'\K[^']*" "$local_settings_path")
db_name=$(grep -oP "\$wgDBname\s*=\s*'\K[^']*" "$local_settings_path")
db_user=$(grep -oP "\$wgDBuser\s*=\s*'\K[^']*" "$local_settings_path")
db_pass=$(grep -oP "\$wgDBpassword\s*=\s*'\K[^']*" "$local_settings_path")

# Set the wiki to read-only
sed -i "/^\$wgDBpassword/ a \$wgReadOnly = 'Dumping Database, Access will be restored shortly';" "$local_settings_path"

# Run mysqldump command using the extracted details
mysqldump -h "$db_host" --default-character-set=binary --no-tablespaces -u "$db_user" --password="$db_pass" "$db_name" | gzip > /root/"$database_backup_filename"

# Remove read-only mode
sed -i "/^\$wgReadOnly = 'Dumping Database, Access will be restored shortly';/d" "$local_settings_path"

# Back up MediaWiki root directory
tar cvzhf /root/"$root_dir_backup_filename" "$mediawiki_root_dir"

# Combine backup files into a single file for easy transport
cd /root/
tar cvzhf "/var/wikibk/$combined_backup_filename" "$root_dir_backup_filename" "$database_backup_filename"
Backup the Backup to Local Server/Computer

Backup Full Dumps to Home Computer using script:

#!/bin/bash

# Set variables
local_backup_dir="/home/ubunix/wiki-backups"
remote_user="your_remote_username"
remote_host="completenoobs.com"
remote_backup_dir="/var/wikibk"
private_key_path="/home/ubunix/.ssh/key"

# Create the local backup directory if it doesn't exist
mkdir -p "$local_backup_dir"

# Create temporary files
local_tmp_file="/tmp/FILE1.txt"
remote_tmp_file="/tmp/FILE2.txt"

# List files in the local and remote backup directories to temporary files
find "$local_backup_dir" -mindepth 1 -maxdepth 1 -type f -exec basename {} \; | sort > "$local_tmp_file"
ssh -i "$private_key_path" "$remote_user@$remote_host" "find $remote_backup_dir -mindepth 1 -maxdepth 1 -type f -exec basename {} \; | sort" > "$remote_tmp_file"

# Compare the temporary files and download missing files using scp
while read -r remote_file; do
    if ! grep -q -F "$remote_file" "$local_tmp_file"; then
        scp -i "$private_key_path" -r "$remote_user@$remote_host:$remote_backup_dir/$remote_file" "$local_backup_dir/"
    fi
done < "$remote_tmp_file"

# Remove temporary files
rm "$local_tmp_file"
rm "$remote_tmp_file"

Restore wiki

apt update && apt upgrade -y
apt install apache2 mysql-server php php-mysql libapache2-mod-php php-xml php-mbstring php-intl -y

tar xvf mediawiki.bk.tgz
tar xvf mediawiki-rootDir.tgz -C /

Create basebase

NOTE: If you use diff username, passwd, database_name, append/correct details on LocalSettings.

mysql -u root

CREATE USER 'green'@'localhost' IDENTIFIED BY 'THISpasswordSHOULDbeCHANGED';

CREATE DATABASE mywiki_database;

use mywiki_database;

GRANT ALL ON mywiki_database.* TO 'green'@'localhost';

quit;

Restore Database

gunzip -d greenwiki.sql.gz

mysql -u green -p mywiki_database < greenwiki.sql


php /var/www/html/mediawiki/maintenance/importDump.php --conf /var/www/html/mediawiki/LocalSettings.php /root/dump_mediawiki.xml
php /var/www/html/mediawiki/maintenance/rebuildrecentchanges.php
php /var/www/html/mediawiki/maintenance/initSiteStats.php
php /var/www/html/mediawiki/maintenance/rebuildall.php

Config Apache2

$EDITOR /etc/apache2/sites-available/000-default.conf

<VirtualHost *:80>
        DocumentRoot /var/www/html/mediawiki
</VirtualHost>


Reload Apache2

systemctl restart apache2

XML Dump only

Dump mediawiki database - xml

Log into container root dir
lxc exec NAME bash
In container of wiki:
php /var/www/html/mediawiki/maintenance/dumpBackup.php --full > /root/dump_mediawiki.xml
Exit container
exit Pull file to host
lxc file pull NAME/root/dump_mediawiki.xml wiki-dump.xml

automate xml dumps to server

TIP: Create an scp only account on server first
$EDITOR /usr/local/bin/auto-export.sh

#!/bin/bash
set -x

time_stamp=$(date '+%d_%m_%y')
dumps_dir="/var/www/dumps"
noobs_dir="/var/www/html/noobs"
local_settings="$noobs_dir/LocalSettings.php"
wiki_dump_dir="$dumps_dir/$time_stamp.Noobs"
xmlkey="/root/.ssh/xmlkey"
remote_host="rscp@xml.completenoobs.com"
remote_path="/home/rscp/media/"

function ensure_read_only_line_exists {
    if ! grep -q "wgReadOnly" "$local_settings"; then
        cat <<EOF >> "$local_settings"
\$wgReadOnly = 'Dumping Database, Access will be restored shortly';
EOF
    fi
}

function set_wiki_read_only {
    sed -i 's/^#*\(\$wgReadOnly\)/\1/' "$local_settings"
}

function unset_wiki_read_only {
    sed -i 's/^\(\$wgReadOnly\)/#\1/' "$local_settings"
}

function create_directories {
    mkdir -p "$dumps_dir"
    mkdir -p "$wiki_dump_dir"
}

function dump_wiki {
    php "$noobs_dir/maintenance/dumpBackup.php" --full > "$wiki_dump_dir/$time_stamp.Noobs.xml"
}

function generate_checksums {
    md5sum "$wiki_dump_dir/$time_stamp.Noobs.xml" > "$wiki_dump_dir/$time_stamp.md5sum.txt"
    sha256sum "$wiki_dump_dir/$time_stamp.Noobs.xml" > "$wiki_dump_dir/$time_stamp.sha256sum.txt"
}

function push_to_remote {
    scp -i /root/.ssh/xmlkey -r /var/www/dumps/$time_stamp.Noobs rscp@xml.completenoobs.com:/home/rscp/media/
    #rsync -avz -e "ssh -i $xmlkey" "$wiki_dump_dir" "$remote_host:$remote_path"
}

# Main script
ensure_read_only_line_exists
create_directories
set_wiki_read_only
dump_wiki
generate_checksums
unset_wiki_read_only
push_to_remote


chmod +x /usr/local/bin/auto-export.sh

add to cron to export every 5 days

crontab -e

30 3 */5 * * /usr/local/bin/auto-export.sh

Will export at 3:30 am every 5 days, check Ubuntu Cron Quick start for more info

Import XML Dump

Create Quick local wiki

localwiki

Restore dump

php /var/www/html/mediawiki/maintenance/importDump.php --conf /var/www/html/mediawiki/LocalSettings.php /root/wiki-dump.xml
php /var/www/html/mediawiki/maintenance/rebuildrecentchanges.php
php /var/www/html/mediawiki/maintenance/initSiteStats.php
php /var/www/html/mediawiki/maintenance/rebuildall.php

Everything apart from index.php/Main_Page restored.

Upgrading MediaWiki

BACK SURE YOU BACKUP FIRST!!! just in case.

This example update 1.35 to 1.36 from 1.36 onwards php-intl is required.

Download the wiki you are going to upgrade to.
https://releases.wikimedia.org/mediawiki/1.36/
cd /root
wget https://releases.wikimedia.org/mediawiki/1.36/mediawiki-1.36.1.tar.gz

In LocalSettings.php put in readonly mode
$EDITOR /var/www/html/mediawiki/LocalSettings.php
$wgReadOnly = "Upgrading";

tar xvzf mediawiki-1.36.1.tar.gz -C /var/www/html/mediawiki --strip-components=1
php /var/www/html/mediawiki/maintenance/update.php

Returns:

Error: Missing one or more required components of PHP.
You are missing a required extension to PHP that MediaWiki needs.
Please install:
 * intl <https://www.php.net/intl>

apt install php-intl
php /var/www/html/mediawiki/maintenance/update.php
And thats it. If you do get an error:

MediaWiki 1.36 internal error Installing some PHP extensions is required.

Required components You are missing a required extension to PHP that MediaWiki requires to run. Please install:

intl (more information)

Then reboot the container and its all fine after.


Useful Notes - tips

Forgot your Admin Password

Can use for any user:
php /var/www/html/mediawiki/maintenance/changePassword.php --user=admin --password=newpassword

Make Wiki Read Only

Add to LocalSettings.php:
$wgReadOnly = 'Read Only';

Restrict account creation on wiki

Add to LocalSettings.php:
$wgGroupPermissions['*']['createaccount'] = false;


Only Admin accounts can edit

Add to LocalSettings.php:

$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['user']['edit'] = false;
$wgGroupPermissions['sysop']['edit'] = true;

Protect a page so only admin can edit

At the top of the page when logged in with admin account, click More.
A drop down of three opitions: Delete, Move, Protect.
Clicking Protect will not allow any non admin from editing the page.

When logged in as admin
Read Edit View history (STAR) More

Make User an Admin

go to special pages

With Admin Account go to:
index.php/Special:SpecialPages

List of users can be found here:
index.php/Special:ListUsers

Go to:
index.php/Special:UserRights
And enter username:
Groups you can change
And rest is self explanatory.

Remove admin rights

Same thing, just untick admin rights!