[MOD] VestaCP improved Installer
[MOD] VestaCP improved Installer
Hi,
I made my own Installer to make vestacp run smoother even on very low specs vps also hardening the server even more. With this build hopefully it will survived with all vesta exploit in the future.
What This installer do is:
1. Installs VestaCP with: Apache, MariaDB, Remi repository, iptables + Fail2ban
-) no dns (use 3rd party dns hosting such as cloudflare to hide your server ip)
-) no mail (use 3rd party mail hosting, to hide your server ip)
-) no ftp but we use SFTP so its much more safer
-) no nginx (i know a lot of people will ask why, for me too much software will increase bug and error level on the server so i tend to use as few software as possible, and I will set cloudflare as my cache server as the 1st layer)
2. Install monit (to make sure all service auto restart after crash) I dont know why vestacp doesnt include monit as built in package (they even already have the setting for monit here: http://c.vestacp.com/rhel/7/monit/)
3. install php selector
4. add swapfile (virtual memory) and it will automagically calculate the best swapfile size based on server's specs. (also make sure it reattached even after server reboot)
5. install ssh key (for additional protection please enable this, and it will only allow ssh login from ssh key, and will disable login using password, to protect you from bruteforce) You know even when you just created an instance on DO/Vultr/OVH, the first time you login into ssh, sometime it already have 'xxx failed login' GEEZ. so this is a must.
6. optimize server's max process (maxclients) based on server specs (vestacp default setting is out of mind, it is set to 200, for static content its ok but for dynamic content its crazy. lets say each process need 50 mb for wordpress the average need 80mb, so 50mb x 200 = 10G. server with 10G will also crash with this setting because theres not enough memory for other process)
7. Disable only the most dangerous php functions like exec,system,passthru,shell_exec,proc_open,popen
8. Disable admin shell (never host a site as admin, its safer to create a user to host your sites)
9. make admin panel, phpmyadmin, mysql only accessible via localhost (you can still access all of this feature by using ssh tunnel its much more safer this way)
10. automatically make backup and upload it to your dropbox every week (you need dropbox api access, but its free)
Here's the recommendation for 3rd party services:
(For DNS Hosting)
Hurricane Electric Hosted DNS
CloudFlare DNS
ClouDNS
NameCheap FreeDNS
Afraid Free DNS
NSONE.NET
(For Mail Hosting)
Zoho Mail
PawnMail
Inbox.eu
Yandex
Mail.ru
How to install:
https://github.com/erikdemarco/VestaCP-Improved
Recommended OS: CentOS7
I made my own Installer to make vestacp run smoother even on very low specs vps also hardening the server even more. With this build hopefully it will survived with all vesta exploit in the future.
What This installer do is:
1. Installs VestaCP with: Apache, MariaDB, Remi repository, iptables + Fail2ban
-) no dns (use 3rd party dns hosting such as cloudflare to hide your server ip)
-) no mail (use 3rd party mail hosting, to hide your server ip)
-) no ftp but we use SFTP so its much more safer
-) no nginx (i know a lot of people will ask why, for me too much software will increase bug and error level on the server so i tend to use as few software as possible, and I will set cloudflare as my cache server as the 1st layer)
2. Install monit (to make sure all service auto restart after crash) I dont know why vestacp doesnt include monit as built in package (they even already have the setting for monit here: http://c.vestacp.com/rhel/7/monit/)
3. install php selector
4. add swapfile (virtual memory) and it will automagically calculate the best swapfile size based on server's specs. (also make sure it reattached even after server reboot)
5. install ssh key (for additional protection please enable this, and it will only allow ssh login from ssh key, and will disable login using password, to protect you from bruteforce) You know even when you just created an instance on DO/Vultr/OVH, the first time you login into ssh, sometime it already have 'xxx failed login' GEEZ. so this is a must.
6. optimize server's max process (maxclients) based on server specs (vestacp default setting is out of mind, it is set to 200, for static content its ok but for dynamic content its crazy. lets say each process need 50 mb for wordpress the average need 80mb, so 50mb x 200 = 10G. server with 10G will also crash with this setting because theres not enough memory for other process)
7. Disable only the most dangerous php functions like exec,system,passthru,shell_exec,proc_open,popen
8. Disable admin shell (never host a site as admin, its safer to create a user to host your sites)
9. make admin panel, phpmyadmin, mysql only accessible via localhost (you can still access all of this feature by using ssh tunnel its much more safer this way)
10. automatically make backup and upload it to your dropbox every week (you need dropbox api access, but its free)
Here's the recommendation for 3rd party services:
(For DNS Hosting)
Hurricane Electric Hosted DNS
CloudFlare DNS
ClouDNS
NameCheap FreeDNS
Afraid Free DNS
NSONE.NET
(For Mail Hosting)
Zoho Mail
PawnMail
Inbox.eu
Yandex
Mail.ru
How to install:
https://github.com/erikdemarco/VestaCP-Improved
Recommended OS: CentOS7
Last edited by maman on Fri Aug 31, 2018 3:43 pm, edited 1 time in total.
-
grayfolk
- Support team
- Posts: 1111
- Joined: Tue Jul 30, 2013 10:18 pm
- Contact:
- Os: CentOS 6x
- Web: nginx + php-fpm
Re: [MOD] VestaCP improved Installer
Not sure about daily reboot are good idea :)
Also, keep in mind about some issue while updating php version - rights to /var/lib/php/session folder will be resetted after update.
I'm sure about all updates should be carried out under the control of admin, not automatically.
Also, keep in mind about some issue while updating php version - rights to /var/lib/php/session folder will be resetted after update.
I'm sure about all updates should be carried out under the control of admin, not automatically.
Re: [MOD] VestaCP improved Installer
Its updated with more security features and improvements. Hope you guys like it :)
-
mehargags
- Support team
- Posts: 1096
- Joined: Sat Sep 06, 2014 9:58 pm
- Contact:
- Os: Debian 8x
- Web: apache + nginx
Re: [MOD] VestaCP improved Installer
Hello Maman,
nice to see someone trying to improve. Any chance you can make this script for Debian/Ubuntu ? More seasoned and hardcore sysadmins are Debian fanatics and literally don't touch CentOS (including me).
Would love to help and try this for Debian/Ubuntu. PM me if you need a test VPS or other requirements.
nice to see someone trying to improve. Any chance you can make this script for Debian/Ubuntu ? More seasoned and hardcore sysadmins are Debian fanatics and literally don't touch CentOS (including me).
Would love to help and try this for Debian/Ubuntu. PM me if you need a test VPS or other requirements.
Re: [MOD] VestaCP improved Installer
Hi.
Yes it will be available on debian soon. :)
I recommend centos because its more stable overall. (just 2 cents)
Even cpanel & directadmin (big 3 control panel in my opinion) recommend centos. Cloudlinux and amazon linux also based on centos. But centos official repo update is really slow.
Is there any causes you dont want to touch centos at all?
Yes it will be available on debian soon. :)
I recommend centos because its more stable overall. (just 2 cents)
Even cpanel & directadmin (big 3 control panel in my opinion) recommend centos. Cloudlinux and amazon linux also based on centos. But centos official repo update is really slow.
Is there any causes you dont want to touch centos at all?
-
mehargags
- Support team
- Posts: 1096
- Joined: Sat Sep 06, 2014 9:58 pm
- Contact:
- Os: Debian 8x
- Web: apache + nginx
Re: [MOD] VestaCP improved Installer
Debian is and will always be miles ahead in stability... and things just work flawless. OS upgrades (even major releases) work like a charm, something CentOS would never be even ever close to. The Software and apps in the Debian repo are a bit outdated too... but the rigorous testing they go under ensures stability over features.
CentOS is not more stable, it is just more "used" because it is backed by RedHat and has been made more commercially viable with cPanel. Performance wise and stability wise it will never come close to Debian anyday soon.
CentOS is not more stable, it is just more "used" because it is backed by RedHat and has been made more commercially viable with cPanel. Performance wise and stability wise it will never come close to Debian anyday soon.
Re: [MOD] VestaCP improved Installer
Hi
Is your Debian copy in the way ?
Great work !
Is your Debian copy in the way ?
Great work !
Re: [MOD] VestaCP improved Installer
hi, why you disable open_basedir in template ?
thanks
thanks