Server Optimization / Security tips
Posted: Thu Dec 04, 2014 4:43 pm
Hey all,
I thought there could be a thread where everybody could post optimization / security tips for VestaCP servers.
It would be great to have this thread sticky.
So on new server install I usually do:
Code:
yum remove httpd bind-9 httpd-tools
su -c 'yum update'
Which removes not needed packages and updates system.
After that follows install:
Code:
curl -O http://vestacp.com/pub/vst-install.sh
bash vst-install.sh
Some servers will still have BIND installed,
if you get error message, use:
Code:
bash vst-install.sh --force
Today when installing a new server I got error:
Code:
Error in configuration file /etc/dovecot/dovecot.conf: ssl enabled, but ssl_cert not set
So as a temp fix I have opened /etc/dovecot/dovecot.conf and added "ssl = no"; after installation remove this line.
After installation what I recommend doing:
/etc/php.ini increase post_max_size and upload_max_filesize to somewhat 200MB
/etc/services change SSH ports from 22 to some port above 1024 (fail2ban uses this file)
/etc/ssh/sshd_config uncomment and set port you have set above.
/etc/nginx/nginx.conf increase proxy_read_timeout to something like 500
/etc/exim/exim.conf add disable_ipv6=true (if your system does not support ipv6)
/etc/httpd/httpd.conf at the bottom add
Code:
ServerSignature Off
ServerTokens Prod
Which will disable server info.
Open firewall tab in vesta panel, and edit SSH port.
Add Allow 12000-12100 port range for Passive FTP too.
Usually I tweak backup days. To make backups every day is not a very good idea.
To change that open Cron tab and edit sudo /usr/local/vesta/bin/v-backup-users
I add 0, 2, 4 in day of week field, for Sunday, Tuesday and Thursday backups.
Now you should restart server for all changes to take place.
Tips:
For real time Apache monitoring
If you don't like /var/log/messages spammed with rejected DNS queries,
open /etc/named.conf and add
Code:
logging {
category security { null; };
};
To enable automatic System updates on CentOS 6 (not vesta updates)
Code:
yum -y install yum-cron
chkconfig yum-cron on
service yum-cron start
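Added example, not part of the original post: a check that the SSH port set in sshd_config matches the ssh entry in /etc/services and that the two Apache banner directives from the post are active. The function names and the sample files built in demo are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the post): verify that the post-install edits agree.

sshd_port() {            # $1 = sshd_config; first active Port line, else sshd's default 22
  local p
  p=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
  echo "${p:-22}"
}

services_ssh_port() {    # $1 = services file; TCP port registered for "ssh"
  awk '$1 == "ssh" && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }' "$1"
}

httpd_directive() {      # $1 = httpd.conf, $2 = directive; last active value, lowercased
  awk -v d="$2" 'tolower($1) == tolower(d) { v = tolower($2) } END { print v }' "$1"
}

audit_hardening() {      # $1 = sshd_config  $2 = services  $3 = httpd.conf
  local rc=0 sp svc
  sp=$(sshd_port "$1")
  svc=$(services_ssh_port "$2")
  if [ "$sp" -le 1024 ]; then
    echo "FAIL: sshd Port $sp is not above 1024"; rc=1
  fi
  if [ "$sp" != "$svc" ]; then
    echo "FAIL: sshd Port is $sp but services lists ssh on ${svc:-nothing}"; rc=1
  fi
  if [ "$(httpd_directive "$3" ServerSignature)" != "off" ]; then
    echo "FAIL: ServerSignature is not Off"; rc=1
  fi
  if [ "$(httpd_directive "$3" ServerTokens)" != "prod" ]; then
    echo "FAIL: ServerTokens is not Prod"; rc=1
  fi
  if [ "$rc" -eq 0 ]; then echo "OK: SSH port $sp consistent, Apache banner reduced"; fi
  return "$rc"
}

# Constructed sample: port changed in sshd_config only, ServerTokens never added.
demo() {
  local d; d=$(mktemp -d)
  printf '#Port 22\nPort 2222\n' > "$d/sshd_config"
  printf 'ssh 22/tcp\nssh 22/udp\n' > "$d/services"
  printf 'ServerSignature Off\n' > "$d/httpd.conf"
  audit_hardening "$d/sshd_config" "$d/services" "$d/httpd.conf"
  local rc=$?; rm -rf "$d"; return "$rc"
}

# On a server: audit_hardening /etc/ssh/sshd_config /etc/services /etc/httpd/httpd.conf
[ "${1:-}" != "demo" ] || demo
```

Running the script with the argument demo prints the two failures for the constructed files; the firewall rule edited in the Vesta panel is not covered by this check.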