
The Reseller should be signed up for the Dedicated Server Linux product.

WHM Initial Setup

Note

All necessary information regarding the WHM Setup is available in the setup guide below:

WHM Initial Setup Wizard

A few important points about the Initial Setup:

Setup Networking (Step 2)

  • Hostname: This should be a sub-domain name. e.g. server.abc.com or vps.server.com.

  • Resolvers: The resolver IP addresses here will be auto-populated with 206.127.15.36 and 174.122.47.81. Use only these IPs; they are the DNS resolvers at the Data Center.

  • Main Network/Ethernet Device: Always keep this as "venet0:0".

Nameservers (Step 4)

Choose which nameservers the domains hosted on this server will use. These will be used as the default NS records for every DNS zone hosted on the server.

  • Add A Entries for Nameservers & Hostname.
  • Add “A Entries” for all Nameservers.

    Note

    If your order has just one IP address, use the same IP for all Nameservers. Use different IPs if multiple IPs are added to the order.

  • Add “A Entries” for Hostname

    Note

    This creates a Zone for the primary domain name [used in the Hostname (on Step 2)], and creates its A record. If the Hostname used was vps.server.com, the Zone will be added automatically for server.com with the A record for vps.server.com pointing to the IP address mentioned.

Services (Step 5)

  • Convert Mailbox Format:
    Converts every mailbox to the current server's mail format when an account is migrated from another server.

  • Configure cPHulk: cPHulk is recommended for Brute Force Protection.

Managing Add-ons

Several Add-ons are offered along with an Order. These can be purchased and managed from the Order Information view of the Order.

Note
  • Add-ons currently offered are:

    • Dedicated IP

    • cPanel License (provided by default along with a Managed Server Order)

    • WHMCS

    • VPS specific Add-ons:

      • Plesk 10-Domain License

      • Plesk 100-Domain License

      • Plesk Unlimited Domain License

    • Dedicated Server and Managed Server specific Add-ons:

      • 50GB SAN Storage

      • 100GB SAN Storage

      • 200GB SAN Storage

      • 300GB SAN Storage

      • 500GB SAN Storage

  • VPS 1 and VPS 2 Plans will support only Dedicated IP, Plesk 10-Domain License and WHMCS Add-ons.

  • VPS 3 Plan onwards will support all Add-ons.

  • Only 1 Plesk license (among Plesk 10-Domain License, Plesk 100-Domain License and Plesk Unlimited Domain License) can be installed on a VPS.

  • cPanel and Plesk licenses cannot be installed on a VPS simultaneously, since these are conflicting Add-ons.

To Purchase an Add-on

  1. Login to your Control Panel, search for the domain name for which you have purchased this Order and go to the Order Information view.

  2. Click the Manage Add-ons link.

  3. Select the Add-on you wish to purchase from the Available Add-ons menu and click the Add button.

  4. On the next page, the cost of purchasing the Add-on is displayed. Click the Buy Now button.

    Note

    You cannot specify the duration of an Add-on. The duration will be the same as that of the Order.

  5. Continue to pay for the generated Invoice.

To Delete an Add-on

If required, you may delete an Add-on as explained below.

Note

Before deleting an Add-on, you need to ensure that the functionality offered by that Add-on is no longer in use on your Server.

  1. Login to your Control Panel, search for the domain name for which you have purchased this Order and go to the Order Information view.

  2. Click the Manage Add-ons link.

  3. Click the Delete link, next to the Add-on you wish to delete.

  4. Confirm the deletion by clicking the Delete Add-on button.

Server Hardening

Server Hardening is the process of enhancing server security through a variety of means which results in a much more secure server operating environment. This is due to the advanced security measures that are put in place during the server hardening process.

  • Disable lame-server logging:

    1. Stop named and open its configuration file:

      service named stop
      nano -w /etc/named.conf

    2. Add these lines at the top. Some servers will already have a logging {} section; if so, simply add the category line inside the existing logging section:

      logging {
        category lame-servers { null; };
      };

    3. Under the options {} section, add these lines below the directory /var/… line:

      allow-transfer { none; };
      version "[null]";
      recursion no;

    4. Restart the named service:

      service named restart

      With recursion disabled, named no longer answers recursive queries, so make sure /etc/resolv.conf points at the Data Center resolvers from Step 2 rather than at the server itself:

      nano /etc/resolv.conf

    Note

    For BIND, make sure that it is not in a clustered environment or master/slave setup, as allow-transfer { none; } would stop zone transfers to the secondary servers.

  • Disable direct root login:

    1. Create a dedicated group and user for administrative logins. The third command will prompt you for a password:

      groupadd wheelusername
      useradd -g wheelusername wheelusername
      passwd wheelusername

    2. Add the user to the wheel group, so that it can su to root:

      nano -w /etc/group

      Search for the wheel line and append wheelusername to it.

    3. Edit the SSH daemon configuration:

      nano -w /etc/ssh/sshd_config

      Uncomment the line

      #PermitRootLogin yes

      and change it to:

      PermitRootLogin no

      At the end of the file, add the line below. Only the listed user will then be able to log in over SSH, so confirm that you can log in as wheelusername and su to root before closing your current root session:

      AllowUsers wheelusername

  • Change the default SSH port:

    cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup
    vi /etc/ssh/sshd_config

    Change the Port directive from 22 to the desired port number. If a firewall is already running, allow the new port before restarting the SSH service:

    /etc/init.d/sshd restart

  • Tweak the TCP stack (sysctl.conf):

    mv /etc/sysctl.conf /etc/sysctl.conf.bak
    cd /etc

    Place the following content in sysctl.conf. The eth0 entries only apply to a server that has an eth0 interface; the all and default entries cover every interface, so errors about a missing eth0 when the file is loaded can be ignored.

    # Kernel sysctl configuration file for Red Hat Linux
    #
    # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
    # sysctl.conf(5) for more details.

    # Disables packet forwarding
    net.ipv4.ip_forward = 0

    # Disables IP source routing
    net.ipv4.conf.all.accept_source_route = 0
    net.ipv4.conf.lo.accept_source_route = 0
    net.ipv4.conf.eth0.accept_source_route = 0
    net.ipv4.conf.default.accept_source_route = 0

    # Enable IP spoofing protection, turn on source route verification
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.lo.rp_filter = 1
    net.ipv4.conf.eth0.rp_filter = 1
    net.ipv4.conf.default.rp_filter = 1

    # Disable ICMP Redirect Acceptance
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.lo.accept_redirects = 0
    net.ipv4.conf.eth0.accept_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0

    # Log Spoofed Packets, Source Routed Packets, Redirect Packets
    net.ipv4.conf.all.log_martians = 1
    net.ipv4.conf.lo.log_martians = 1
    net.ipv4.conf.eth0.log_martians = 1
    net.ipv4.conf.default.log_martians = 1

    # Disables the magic-sysrq key
    kernel.sysrq = 0

    # Decrease the default value for tcp_fin_timeout
    net.ipv4.tcp_fin_timeout = 15

    # Decrease the default value for tcp_keepalive_time
    net.ipv4.tcp_keepalive_time = 1800

    # Turn off tcp_window_scaling
    net.ipv4.tcp_window_scaling = 0

    # Turn off tcp_sack
    net.ipv4.tcp_sack = 0

    # Turn off tcp_timestamps
    net.ipv4.tcp_timestamps = 0

    # Enable TCP SYN Cookie Protection
    net.ipv4.tcp_syncookies = 1

    # Ignore ICMP echo requests sent to broadcast addresses
    net.ipv4.icmp_echo_ignore_broadcasts = 1

    # Enable bad error message Protection
    net.ipv4.icmp_ignore_bogus_error_responses = 1

    # Increases the size of the socket queue (effectively, q0).
    net.ipv4.tcp_max_syn_backlog = 1024

    # Increase the tcp-time-wait buckets pool size
    net.ipv4.tcp_max_tw_buckets = 1440000

    # Allowed local port range (the upper bound cannot exceed 65535)
    net.ipv4.ip_local_port_range = 16384 65535

    Load the new settings without a reboot:

    sysctl -p

  • Install Rkhunter and set up a weekly cron job:

    cd /root
    wget -O rkhunter-1.3.4.tar.gz https://sourceforge.net/projects/rkhunter-1.3.4.tar.gz/download
    tar -zxf rkhunter-1.3.4.tar.gz
    cd rkhunter*
    ./installer.sh --layout default --install

    Create the weekly cron script /etc/cron.weekly/rkhunter.sh with the following content (replace your@domain.com with the address that should receive the report):

    #!/bin/bash
    EMAIL=your@domain.com
    rkhunter -c --sk --summary -q | mail -s "Rkhunter Scan Report - $(hostname)" $EMAIL

    Make the script executable:

    chmod 755 /etc/cron.weekly/rkhunter.sh

  • Install chkrootkit and set up a weekly cron job:

    cd /root/
    wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
    mv chkrootkit.tar.gz /usr/local/src/
    cd /usr/local/src/
    tar -zxf chkrootkit.tar.gz
    cd /usr/local/src/chkrootkit*
    cd /root
    mv /usr/local/src/chkrootkit* /usr/local/chkrootkit

    Create the weekly cron script /etc/cron.weekly/chkrootkit.sh with the following content, and make it executable with chmod 755 as for rkhunter:

    #!/bin/bash
    EMAIL=your@domain.com
    /usr/local/chkrootkit/chkrootkit -q | mail -s "chkrootkit Scan Report - $(hostname)" $EMAIL

  • Disable PHP functions that might pose a risk. Edit php.ini:

    vi /usr/local/lib/php.ini

    and set:

    disable_functions = symlink,shell_exec,exec,proc_close,proc_open,popen,system,dl,passthru,escapeshellarg,escapeshellcmd,ini_set,phpinfo

    Some applications rely on ini_set or the escapeshell functions; check the requirements of the hosted applications before disabling them.

  • Install and configure mod_security to prevent web-based attacks:

    cPanel Server

    1. Login to your WHM as root.

    2. Click on EasyApache (Apache Update) under the Software section.

    3. While selecting modules in the Short Options List, select Mod Security.

    4. Select Start customizing based on profile.

    Now, the Wizard will start recompiling Apache. Monitor the screen carefully and note down any error messages that are shown. When the build is complete, verify that the PHP pages are loading correctly.

    Plesk Server

    1. Since Plesk is fully rpm based, you can just install the mod_security module. Since mod_security is not available in the common rpm repositories, use the script below to install the module:

      wget -q -O - https://www.atomicorp.com/installers/atomic.sh | sh
      yum install mod_security

    2. Unlike other Apache module rpm installations, this process does not add a LoadModule line to httpd.conf by default. Edit httpd.conf and add the following lines below the LoadModule section:

      vi /etc/httpd/conf/httpd.conf

      LoadFile /usr/lib/libxml2.so
      LoadModule security2_module modules/mod_security2.so
      Include conf/mod_security.d/*.conf

    3. Create mod_security.d under the /etc/httpd/conf/ folder to download and set up the mod_security rule-set:

      mkdir /etc/httpd/conf/mod_security.d
      cd /etc/httpd/conf/mod_security.d

    4. Download the rule-set from https://www.modsecurity.org/download/ and make sure that you extract the file inside the /etc/httpd/conf/mod_security.d directory:

      wget https://www.modsecurity.org/download/modsecurity-core-rules_2.1-1.4.3.tar.gz
      tar zxf modsecurity-core-rules_2.1-1.4.3.tar.gz
      rm -f modsecurity-core-rules_2.1-1.4.3.tar.gz

    5. Restart the web server:

      service httpd restart

    Note

    Rules may block the web application, throwing access denied errors. Keep monitoring the /etc/httpd/logs/error_logs file and remove the rules which you do not require. If you are getting the ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). warning in your error logs, it may eat up all your CPU and memory resources by creating around 100 to 150 MB of RSS memory per pid, and you will see an unusual usage of locale-archive of around 60 MB in pmap. To solve this problem, create the file pcre_modsecurity_exceeded_limits.conf inside the /etc/httpd/conf folder:

    vi /etc/httpd/conf/pcre_modsecurity_exceeded_limits.conf

    Add the below lines:

    SecPcreMatchLimit 150000
    SecPcreMatchLimitRecursion 150000

    Apache only reads this file if it is included from httpd.conf, so add an Include line for it (or place it in a directory that httpd.conf already includes). Restart Apache and monitor the Apache error logs.

  • Set up a root login alert script. Append the line below to /root/.bashrc so that every interactive root login sends a mail (replace you@domain.com with your address):

    vi /root/.bashrc

    echo "ALERT - Root Shell Access ($(hostname)) on: $(date) $(who)" | mail -s "Alert: Root Access from $(who | cut -d'(' -f2 | cut -d')' -f1)" you@domain.com

  • Upgrade the kernel:

    Check for a kernel update:

    yum check-update | grep kernel

    If a kernel update is available, install it:

    yum update kernel

    Edit grub.conf so that the default entry points to the newly installed kernel, then reboot the server:

    vi /boot/grub/grub.conf

    After the server reboots, check the running kernel version:

    uname -r

  • Configure both local and remote backup.

  • Change the permission of /bin/ln to 760.

  • Do the basic package updates using yum commands.

    Note

    Exclude packages that might break the server setup by listing them on the exclude= line of yum.conf.

  • Scan the complete server and take the corrective actions needed. Install Maldet (Linux Malware Detect) if it is not present on the server:

    mkdir tmp
    cd tmp
    wget https://www.rfxn.com/downloads/maldetect-current.tar.gz
    tar xf maldetect-current.tar.gz && cd maldetect-*
    ./install.sh

  • Temporary Directory Hardening:

    /bin/cp /etc/fstab /etc/fstab.bak

    Use df to check whether a separate /tmp partition is already present.

    • If no /tmp partition exists, create a loop-mounted file system for it and mount it with noexec,nosuid:

      cd /usr
      dd if=/dev/zero of=/usr/tmpMnt bs=1024 count=2000000
      mke2fs -j /usr/tmpMnt
      cd /
      cp -R /tmp /tmp_backup
      mount -o loop,noexec,nosuid,rw /usr/tmpMnt /tmp
      chmod 1777 /tmp
      /bin/cp -R /tmp_backup/* /tmp/
      rm -rf /tmp_backup
      nano -w /etc/fstab

      At the end of the file, add the line below so that the mount survives a reboot:

      /usr/tmpMnt /tmp ext3 loop,noexec,nosuid,rw 0 0

    • If a /tmp partition already exists, add the noexec,nosuid options to its entry in fstab and remount it:

      nano -w /etc/fstab
      mount -o remount /tmp

    In both cases, make /var/tmp use the hardened /tmp:

      rm -rf /var/tmp
      ln -s /tmp /var/tmp


  • Disable remote MySQL:

    Check the status of the skip-networking parameter in the MySQL configuration:

    mysql -e "SHOW VARIABLES LIKE '%networking%'"

    skip_networking should be ON, so that MySQL does not listen on a network port; if it is OFF, add skip-networking to the [mysqld] section of my.cnf and restart MySQL.

  • Install a software firewall such as CSF (ConfigServer) firewall or Advanced Policy Firewall (APF)(for Plesk).
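The checks below audit the settings from this hardening list (sshd, sysctl, named, /tmp mount options and PHP disable_functions) against the files where they live; this is an added example and not the guide's own script, the function names are my own, and the sample files it writes are constructed so that it runs stand-alone:

```shell
#!/bin/sh
# Hardening audit, added as a constructed example; it is not the guide's own script.
# It checks the settings this guide asks for in the files where they live.
# audit_dir DIR expects DIR to mirror /etc ("audit_dir /etc" audits the live host);
# make_sample DIR hard|weak writes constructed sample files for a stand-alone run.

# First effective value of an sshd_config keyword (sshd uses the first match;
# a commented-out line starts with '#' and therefore never matches).
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Last effective value of a sysctl.conf key (the last assignment wins).
sysctl_value() {
    awk -F= -v k="$2" '
        /^[ \t]*#/ { next }
        { gsub(/[ \t]/, "", $1) }
        $1 == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); last = v }
        END { print last }' "$1"
}

# Mount options of the /tmp entry in fstab (empty if there is none).
fstab_tmp_opts() {
    awk '$1 !~ /^#/ && $2 == "/tmp" { print $4; exit }' "$1"
}

# "yes" if the comma-separated list $1 contains every item of the list $2.
has_all() {
    for t in $(echo "$2" | tr ',' ' '); do
        case ",$1," in *",$t,"*) ;; *) echo no; return 0 ;; esac
    done
    echo yes
}

# One line per check: "PASS name" or "FAIL name (expected ..., found ...)".
check() {
    if [ "$2" = "$3" ]; then echo "PASS $1"; else echo "FAIL $1 (expected '$2', found '$3')"; fi
}

# Runs every check against DIR, which mirrors the /etc layout.
audit_dir() {
    d="$1"
    check sshd_permit_root_login no "$(sshd_value "$d/ssh/sshd_config" PermitRootLogin)"
    p="$(sshd_value "$d/ssh/sshd_config" Port)"
    if [ -n "$p" ] && [ "$p" != 22 ]; then pc=yes; else pc=no; fi
    check sshd_port_changed yes "$pc"
    au="$(sshd_value "$d/ssh/sshd_config" AllowUsers)"
    check sshd_allowusers_set yes "$([ -n "$au" ] && echo yes || echo no)"
    check sysctl_syncookies 1 "$(sysctl_value "$d/sysctl.conf" net.ipv4.tcp_syncookies)"
    check sysctl_ip_forward 0 "$(sysctl_value "$d/sysctl.conf" net.ipv4.ip_forward)"
    check sysctl_no_redirects 0 "$(sysctl_value "$d/sysctl.conf" net.ipv4.conf.all.accept_redirects)"
    check named_no_recursion yes "$(grep -q '^[[:space:]]*recursion[[:space:]]*no;' "$d/named.conf" && echo yes || echo no)"
    check named_no_axfr yes "$(grep -Eq 'allow-transfer[[:space:]]*\{[[:space:]]*none;' "$d/named.conf" && echo yes || echo no)"
    check tmp_noexec_nosuid yes "$(has_all "$(fstab_tmp_opts "$d/fstab")" noexec,nosuid)"
    dfn="$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$d/php.ini" | tr -d ' ')"
    check php_disable_functions yes "$(has_all "$dfn" exec,shell_exec,system,passthru)"
}

# Number of failed checks (0 means every setting from the guide is in place).
audit_failures() {
    audit_dir "$1" | grep -c '^FAIL' || true
}

# Constructed sample files: "hard" has every setting this guide asks for,
# "weak" looks like a stock install with none of them.
make_sample() {
    mkdir -p "$1/ssh"
    if [ "$2" = hard ]; then
        printf '%s\n' 'Port 2222' 'PermitRootLogin no' 'AllowUsers wheelusername' > "$1/ssh/sshd_config"
        printf '%s\n' 'net.ipv4.ip_forward=0' 'net.ipv4.conf.all.accept_redirects = 0' \
            'net.ipv4.tcp_syncookies = 1' > "$1/sysctl.conf"
        printf '%s\n' 'options {' '  allow-transfer { none; };' '  recursion no;' '};' > "$1/named.conf"
        echo '/usr/tmpMnt /tmp ext3 loop,noexec,nosuid,rw 0 0' > "$1/fstab"
        echo 'disable_functions = symlink,shell_exec,exec,system,passthru' > "$1/php.ini"
    else
        printf '%s\n' '#Port 22' '#PermitRootLogin yes' > "$1/ssh/sshd_config"
        printf '%s\n' 'net.ipv4.ip_forward = 1' 'net.ipv4.tcp_syncookies = 0' > "$1/sysctl.conf"
        printf '%s\n' 'options {' '  recursion yes;' '};' > "$1/named.conf"
        echo '/dev/sda2 /tmp ext3 defaults 0 0' > "$1/fstab"
        echo 'disable_functions =' > "$1/php.ini"
    fi
}

# Stand-alone run against the two samples; on a real server call "audit_dir /etc".
tmp="$(mktemp -d)"
make_sample "$tmp/hard" hard
make_sample "$tmp/weak" weak
audit_dir "$tmp/weak"
echo "failures: hard=$(audit_failures "$tmp/hard") weak=$(audit_failures "$tmp/weak")"
rm -rf "$tmp"
```

The audit reads configuration files only; it does not confirm that the services were restarted, so pair it with a live check such as sysctl -a or a connection test on the new SSH port.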

Configuring cPHulk in cPanel

Brute force is an attack in which an automated system guesses the password to your web server or its services. WHM / cPanel offers a service known as cPHulk Brute Force Protection which protects against such attacks. If several attempts are made to connect using an incorrect password, cPHulk blocks the IP address and sends a notification to the root contact on the server.

To Enable / Disable cPHulk Brute Force Protection via WHM

  1. Login to WHM.

  2. Navigate to Home -> Security Center -> cPHulk Brute Force Protection.

  3. Click the Enable button.

The message below is displayed when cPHulk blocks your access; in such cases you are unable to log in to Webmail, cPanel or WHM.

You can configure cPHulk settings in WHM as per the image below:

To Whitelist an IP Address in cPHulk

Whitelisting through WHM

  1. Login to WHM.

  2. Navigate to Home -> Security Center -> cPHulk Brute Force Protection.

  3. Click the White/Black List Management tab.

  4. Enter the IP address in the White List (Trusted IP List) field and click Quick Add.

  5. To check login attempts, click the Login/Brute History Report tab.

  6. You can view information about unauthorized users under User and IP.

  7. Block any such users by clicking the White/Black List Management tab, entering the IP address in the Black List (Rejected IP List) field and submitting the data.

Whitelisting through MySQL Prompt

  1. Login to your server via SSH as the root user.

  2. Run the command:

    mysql

  3. cPHulk stores all the information in a database called cPHulkD. Run the command to access cPHulk database:

    use cphulkd

  4. Run the command to view the list of tables under cPHulk database:

    show tables;

  5. There are two tables, logins and brutes that are significant. The logins table stores information about login authentication failures, while the brutes table stores information about excessive authentication failures indicative of a brute force attack.

  6. Run the command to check if your IP address is listed in the brutes table:

    select * from brutes where IP = 'x.x.x.x';

  7. If your IP address is listed in the brutes table, run the commands to remove it:

    delete from brutes where IP = 'x.x.x.x';
    delete from logins where IP = 'x.x.x.x';
    quit

  Note

  Recent cPanel versions store the cPHulk data in an SQLite database rather than in MySQL; on such servers, manage the lists through WHM as described above.

Mail limiting via WHM

This article explains the following topics, helpful in stopping spamming from a server [cPanel & Exim mail server]:

  • To configure Exim mail server in WebHost Manager

  • To control outgoing mail from your server

To configure Exim mail server in WebHost Manager

The configuration page for Exim mail server can be found under Service Configuration in WHM. There are many sections under Exim configuration as listed below:

Note

Before editing the settings in Exim mail server, we recommend to take a backup of existing settings using the Backup option provided in Exim Configuration Manager. You can easily restore the configuration settings through the backup, in case of any eventuality.

  • ACL options: ACL stands for Access Control List. These settings affect blacklisting, spam control, and other security-related issues. Enable the following options:

    • Dictionary attack protection

    • Ratelimit incoming connections with only failed recipients

    • Require HELO before MAIL

    • Require remote (hostname/IP address) HELO

    If you want stricter rules to be followed for restricting outgoing spam mails, you can enable the Reject SPF failures option.

  • Access lists: Here, you can explicitly allow access to your SMTP server for certain hosts, even if they trigger your security measures. This is known as whitelisting. Explicitly denying access in a similar fashion is known as blacklisting. Each option in this section has an EDIT link which can optionally be used to whitelist or blacklist a host or IP address.

  • Domains and IPs: The Domains and IPs settings let you control which domain names and IP addresses the server will use to send mail. Normally, we don’t recommend any changes in this section.

  • Filters: Use the options under Filters to adjust attachment filtering and SpamAssassin filters. Options to be enabled are:

    • Attachments: Filter messages with dangerous attachments

    • SpamAssassin: Bounce mail when the spam score is greater than 20

    • SpamAssassin™: Global Subject Rewrite

    If you see too much spam getting through your filters, you can lock them down further by adjusting your internal SpamAssassin score. It is important to note that making any of these changes will affect all email accounts on the entire server.

  • Mail: Mail section contains more conditions that can be checked before an e-mail message is sent. Options to be enabled are:

    • Log sender rates in the Exim mainlog

    • Bounce email for users over quota

    • Sender Verification

  • RBLs [Real-Time Blocklists]: RBLs are Real-Time Blacklists containing IP addresses that have been known to send large quantities of spam. Enable one or both of these RBLs if you would prefer to block such emails at Exim. Spamcop and Spamhaus are the two RBLs listed by default in the Exim configuration.

  • Security: You should leave the only Security option disabled; turning it on allows weak encryption to be used when connecting via SSL or TLS.

  • SpamAssassin options: Options to be enabled are:

    • Forced Global ON (Turn on SpamAssassin for all accounts, i.e., with no option to disable)

    • Scan outgoing messages for spam and reject based on SpamAssassin internal spam_score setting

    • Sender Verification

Once the changes are made in Exim configuration, click Save to submit them.

Controlling Outgoing Mail from the Server

The process below explains how to configure outgoing mail on the server.

  1. Login to WebHost Manager.

  2. Click on Tweak Settings.

  3. Scroll to the Mail section.

  4. Here, update the parameters mentioned below:

    • Number of messages sent per hour: If you wish to limit the number of messages sent per domain per hour, set the desired value in the Max hourly emails per domain field. The default value is 60.

    • Prevent nobody from sending mail: Using this option, you can prevent the user nobody from sending out mail to remote addresses.

      Note

      PHP and CGI scripts generally run as nobody if you are using mod_php or have suEXEC disabled.

    • Number of failed or deferred messages a domain may send before protections can be triggered: When a domain sends this number of failed or deferred messages in an hour, and the Maximum percentage of failed or deferred messages a domain may send per hour is also reached, the domain will temporarily be blocked from sending mail.

    • Maximum percentage of failed or deferred messages a domain may send per hour: The maximum percentage of a domain’s outgoing mail that can consist of failed or deferred messages. Once the domain exceeds this percentage, it is temporarily blocked from sending mail.

    • Track email origin via X-Source email headers: Track the origin of messages sent through the mail server by adding the X-Source headers (Exim 4.34 or higher required). When a spam mail gets out, these headers let you find its source quickly.

    • Email delivery retry time: Time interval between mail server queue runs; the default is a retry every 60 minutes. You may want to extend this so the server is less strained by larger queues.

    • The percentage of email messages (above the account’s hourly maximum) to queue and retry for delivery: When an account exceeds the maximum number of emails it is allowed to send per hour, by default, any additional messages are queued for delivery and sent in the next hour. This setting allows you to limit the number of messages that will be queued by the system. For example, if you set this value to 125%, once the account reaches its hourly limit, Exim will queue any additional messages, up to 125% of the maximum hourly emails per domain value. Once the account reaches 125% of the maximum hourly emails per domain value, any additional outgoing messages are discarded.

Optimizing MySQL

You may choose to optimize the MySQL server at a basic level or at an advanced level.

Basic Optimization

MySQL Server can be optimized at a basic level, using the MySQL tuner script.

  1. Download the script using the command:

    wget https://github.com/major/MySQLTuner-perl/zipball/master

  2. Now, run the commands:

    unzip master


    cd major-MySQLTuner*


    chmod +x mysqltuner.pl


    perl mysqltuner.pl

The script will check the status of MySQL and update you with the variables that you need to tweak to optimize MySQL.

Advanced Optimization

For advanced level of optimization, you must fine tune your MySQL server based on the applications and resource utilization. Below are some important system variables that need to be tweaked for normal use.

  • table_cache: Each time MySQL accesses a table, it stores the table in the cache. Data can be retrieved faster from frequently accessed tables if they are stored in cache.

    You can check whether your system needs to have the table_cache value increased by checking the open_tables and opened_tables status variables during peak time. Use the command:

    SHOW STATUS LIKE 'open%tables%';

    Open_tables is the number of tables currently open in the cache, whereas Opened_tables is the total number of tables that have been opened since the server started. Since MySQL supports multi-threading, several queries might be executed on the same table at the same time, and each of these queries opens the table separately.

    Default value for table_cache is 64. If you have enough RAM available on your server, you can increase the table_cache value. This will reduce total number of tables open by moving those tables to cache.

  • query_cache_size: If you have a MySQL query that is being executed repeatedly by your website, MySQL can be set to cache the results of this query.

    You can enable query caching by setting the server variable query_cache_type to 1 and setting the cache size in the variable query_cache_size. If either of the above is set to 0, query caching will not be enabled.

  • key_buffer_size: This is the size of buffer used by all the indexes. Ideally, it should be set to at least a quarter of the memory available or more.

    The optimum solution is to keep the ratio as follows:

    • Key_reads : Key_read_requests should be 1 : 100 and Key_writes / Key_write_requests should always be less than 1.

    • If the Key_reads value is high compared to Key_read_requests, you need to increase key_buffer_size.

    You can get the value of these variables using the command:

    SHOW GLOBAL STATUS WHERE Variable_name LIKE 'Key_%';

    +------------------------+-----------+
    | Variable_name          | Value     |
    +------------------------+-----------+
    | Key_blocks_not_flushed | 0         |
    | Key_blocks_unused      | 48394     |
    | Key_blocks_used        | 8078      |
    | Key_read_requests      | 973911676 |
    | Key_reads              | 54135     |
    | Key_write_requests     | 824911    |
    | Key_writes             | 739554    |
    +------------------------+-----------+

  • sort_buffer_size: This value improves large and complex sorts. Increase this value for faster ORDER BY or GROUP BY operations. The default value is 2MB.

    Sufficient size of sort_buffer_size allows the sort operations to be performed in memory cache rather than in temp files in hard disks.

  • thread_cache_size: If your MySQL server has heavy traffic, it will create a lot of new threads at a very high rate, which may take up a lot of CPU time. When a connection disconnects, its thread is put in the cache, and a new connection takes a thread from this cache.

    If the value of the Threads_created status variable is large, you may want to increase the value of the thread_cache_size system variable. The cache hit rate is 100 - (Threads_created / Connections * 100), using the two counters below:

    SHOW GLOBAL STATUS WHERE Variable_name LIKE 'Connections';
    SHOW GLOBAL STATUS WHERE Variable_name LIKE 'Threads_created';

  • read_rnd_buffer_size: This is used after a sort operation, to read the rows in the sorted order. If your application has a lot of queries with ORDER BY, increasing the value of this variable can improve the performance. This buffer is also allocated per client. The default value for read_rnd_buffer_size is 128K. The general rule is to allot 1MB of read_rnd_buffer_size for every 1GB of memory in the server.

  • tmp_table_size: Sometimes, a temporary table needs to be created for executing a statement. This variable determines the maximum size for a temporary table in memory.

    Always try to avoid temporary table creation by optimizing your query. But if it is unavoidable, make sure that the table is created in the memory. If the memory is not sufficient, a MyISAM table will be created in the disk. If a large number of tables are created in the disk, you need to increase your tmp_table_size. You can also check the status variables Created_tmp_disk_tables and Created_tmp_tables. Created_tmp_disk_tables is the number of temporary tables created on disk while executing a statement, while Created_tmp_tables is the number of in-memory tables created.

    Use the commands:

    SHOW GLOBAL STATUS WHERE Variable_name LIKE 'Created_tmp_disk_tables';
    SHOW GLOBAL STATUS WHERE Variable_name LIKE 'Created_tmp_tables';
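The ratios described under key_buffer_size, thread_cache_size and tmp_table_size, computed from the table the mysql client prints for SHOW GLOBAL STATUS; this is an added example rather than the guide's own script, the function names are my own, and the Key_% rows in the sample are the ones shown above while the Connections, Threads_created and Created_tmp_* rows are constructed:

```shell
#!/bin/sh
# Constructed example, not the guide's script: derives the cache ratios this section
# discusses from the table the mysql client prints for SHOW GLOBAL STATUS.
# The Key_% rows are the ones shown in the section; the other rows are constructed.
SAMPLE_STATUS='+-------------------------+-----------+
| Variable_name           | Value     |
+-------------------------+-----------+
| Key_blocks_not_flushed  | 0         |
| Key_blocks_unused       | 48394     |
| Key_blocks_used         | 8078      |
| Key_read_requests       | 973911676 |
| Key_reads               | 54135     |
| Key_write_requests      | 824911    |
| Key_writes              | 739554    |
| Connections             | 10000     |
| Threads_created         | 250       |
| Created_tmp_disk_tables | 1200      |
| Created_tmp_tables      | 20000     |
+-------------------------+-----------+'

# Value of one status variable ($1) from a saved table ($2).
status_value() {
    awk -F'|' -v n="$1" '{ gsub(/ /, "", $2); gsub(/ /, "", $3) } $2 == n { print $3; exit }' "$2"
}

# int(a / b), or "inf" when b is 0 (for example no physical key reads at all).
ratio_int() { awk -v a="$1" -v b="$2" 'BEGIN { if (b + 0 > 0) print int(a / b); else print "inf" }'; }

# 100 * a / b with one decimal ("0.0" when b is 0).
pct() { awk -v a="$1" -v b="$2" 'BEGIN { if (b + 0 > 0) printf "%.1f\n", 100 * a / b; else print "0.0" }'; }

# True when a < b numerically (the shell's test cannot compare decimals).
lt() { awk -v a="$1" -v b="$2" 'BEGIN { exit !(a + 0 < b + 0) }'; }

# N in "Key_reads : Key_read_requests = 1 : N"; the section wants N of 100 or more.
key_read_ratio() { ratio_int "$(status_value Key_read_requests "$1")" "$(status_value Key_reads "$1")"; }

# Key_writes as a percentage of Key_write_requests; the section wants the ratio below 1.
key_write_pct() { pct "$(status_value Key_writes "$1")" "$(status_value Key_write_requests "$1")"; }

# Share of connections served by a cached thread rather than a newly created one.
thread_cache_hit_pct() {
    c="$(status_value Connections "$1")"
    t="$(status_value Threads_created "$1")"
    pct "$((c - t))" "$c"
}

# Share of temporary tables that were created on disk instead of in memory.
tmp_disk_pct() { pct "$(status_value Created_tmp_disk_tables "$1")" "$(status_value Created_tmp_tables "$1")"; }

# Recommendations in the section's terms. The 1:100 target is the guide's; the 90% thread
# cache hit rate and 25% disk table thresholds are assumptions made for this example.
advise() {
    n="$(key_read_ratio "$1")"; h="$(thread_cache_hit_pct "$1")"; d="$(tmp_disk_pct "$1")"
    found=0
    if [ "$n" != inf ] && [ "$n" -lt 100 ]; then
        echo "increase key_buffer_size (Key_reads : Key_read_requests is 1 : $n, target 1 : 100)"; found=1
    fi
    if lt "$h" 90; then
        echo "increase thread_cache_size (thread cache hit rate is ${h}%)"; found=1
    fi
    if lt 25 "$d"; then
        echo "optimize queries or raise tmp_table_size (${d}% of temporary tables went to disk)"; found=1
    fi
    [ "$found" -eq 1 ] || echo "no changes suggested"
}

# Stand-alone run on the sample; on a live server save the output of
# SHOW GLOBAL STATUS to a file and pass that file instead.
F="$(mktemp)"
printf '%s\n' "$SAMPLE_STATUS" > "$F"
echo "Key_reads : Key_read_requests = 1 : $(key_read_ratio "$F")"
echo "Key_writes / Key_write_requests = $(key_write_pct "$F")%"
echo "thread cache hit rate = $(thread_cache_hit_pct "$F")%, temporary tables on disk = $(tmp_disk_pct "$F")%"
advise "$F"
rm -f "$F"
```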

Optimizing Apache

Apache's efficiency can be greatly improved with a few small tweaks in the Apache configuration file. Below are the major parameters that can be tweaked to improve the performance of the server.

  • Timeout: This directive defines the amount of time Apache will wait for a GET, POST or PUT request, and for acknowledgements on transmissions, before disconnecting an idle connection. This value is set to 120 to improve performance on heavily loaded servers. It is recommended to set this value lower if your clients have low latencies. Sometimes, setting this directive to a low value may cause problems, depending on your network and server setup. The best option is to experiment with different values to find the one that fits your needs.

  • KeepAlive: This directive, if set to On, enables persistent connections on the web server. For better performance, it is recommended to set this option to On and allow more than one request per connection. In the original HTTP specification, every HTTP request had to establish a separate connection to the server; persistent connections remove the overhead of frequent connects for multiple HTTP requests.

  • MaxKeepAliveRequests: This directive is used to define the number of requests allowed per connection when the KeepAlive option is set to On. Socket connections will be terminated when the number of requests set by the MaxKeepAliveRequests directive is reached. When the value of this option is set to 0, unlimited requests are allowed on the server. For server performance, it is recommended to allow unlimited requests.

  • KeepAliveTimeout: This directive is used to define how much time (in seconds) Apache will wait for a subsequent request before closing the connection. Once a request has been received, the timeout value specified by the Timeout directive applies. The value of 10 seconds is a good average for server performance. This value should be kept low as the socket will be idle for extended periods otherwise.

  • StartServers: This directive is used to define the number of child server processes that will be created by Apache on start-up. As the number of processes with Apache 2.x is dynamically controlled depending on the load, there is usually little reason to adjust this parameter now. Normally a default value of 5 is set for this parameter.

  • MaxClients: This directive is used to define the limit on the number of child processes that will be created to serve requests. By default, up to 512 HTTP requests can be handled concurrently. Any further connection requests are queued. For high load operation, a value of 512 is recommended. For standard use, you can set the value to 256.

  • ServerLimit: This directive is used to define the maximum configured value for the MaxClients directive for the lifetime of the Apache process. It is important to note that any attempts to change this directive during a restart will be ignored, but the MaxClients directive can be modified during a restart of the server. For high load operation, a value of 1024 is highly recommended. For standard use, you can set the value to 256.

    Special care must be taken when using this directive. If it is set to a value much higher than necessary, extra, unused shared memory will be allocated. If both ServerLimit and MaxClients directives are set to values higher than the system can handle, Apache may not start or the system may become unstable.

  • MinSpareServers: This directive is used to define the minimum number of idle child server processes that should be created. An idle process is one which is not handling a request. If there are fewer idle processes than the MinSpareServers value, the parent process creates new children at a maximum rate of 1 per second.

  • MaxSpareServers: This directive is used to define the maximum number of idle child server processes. If there are more idle processes than the MaxSpareServers value, the parent process terminates the excess. If it is set lower than MinSpareServers, Apache silently raises it to MinSpareServers + 1.

  • MaxRequestsPerChild: This directive is used to define the number of requests an individual child server process handles before it is terminated and replaced. A value of 0 means a child never expires, which gives the best raw throughput, but a non-zero value (a few thousand) bounds the memory growth caused by leaks in modules such as mod_php; on a shared hosting server that trade is usually worth making.
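The directives above interact: Apache lowers MaxClients to ServerLimit when the former is larger, raises MaxSpareServers above MinSpareServers, and, because every child may be busy at once, MaxClients times the per-child memory footprint has to fit in RAM or the server swaps under load. The following script is an added example, not part of the original page or of Apache, that checks those three relationships before a restart. The memory budget and per-child RSS it takes are assumptions you measure on your own server; measure_avg_rss_kb shows one way to get the RSS figure.

```shell
#!/bin/bash
# Added example (not from the original page): sanity-check prefork MPM values
# before restarting Apache. The memory budget and per-child RSS are
# assumptions you measure on your own server; see measure_avg_rss_kb below.
#
# Usage: ./check_prefork.sh ServerLimit MaxClients MinSpareServers MaxSpareServers avg_rss_kb budget_kb

# Largest MaxClients a memory budget (kB) supports at a given RSS per child (kB).
max_clients_for_memory() {
    local budget_kb=$1 avg_rss_kb=$2
    echo $(( budget_kb / avg_rss_kb ))
}

# Average RSS (kB) of the running httpd children: the figure to feed in above.
measure_avg_rss_kb() {
    ps -o rss= -C httpd | awk '{ s += $1; n++ } END { if (n) print int(s / n); else print 0 }'
}

# Print one line per problem and return 1 if any were found, 0 otherwise.
check_prefork() {
    local server_limit=$1 max_clients=$2 min_spare=$3 max_spare=$4 avg_rss_kb=$5 budget_kb=$6
    local rc=0 fit

    # Apache lowers MaxClients to ServerLimit when it is larger.
    if [ "$max_clients" -gt "$server_limit" ]; then
        echo "MaxClients $max_clients exceeds ServerLimit $server_limit; Apache will lower it to $server_limit"
        rc=1
    fi

    # Apache raises MaxSpareServers to MinSpareServers + 1 when it is not larger.
    if [ "$max_spare" -le "$min_spare" ]; then
        echo "MaxSpareServers $max_spare must be greater than MinSpareServers $min_spare"
        rc=1
    fi

    # Every child can be busy at once, so MaxClients * RSS must fit the budget.
    fit=$(max_clients_for_memory "$budget_kb" "$avg_rss_kb")
    if [ "$max_clients" -gt "$fit" ]; then
        echo "MaxClients $max_clients would need about $(( max_clients * avg_rss_kb / 1024 )) MB; the budget only fits $fit children"
        rc=1
    fi
    return $rc
}

# Run the check when invoked with the six values on the command line.
if [ "$#" -eq 6 ]; then
    check_prefork "$@"
fi
```

A typical call on a server with a 30 MB average child and 4 GB set aside for Apache is `./check_prefork.sh 1024 512 5 10 30000 4000000`; the budget should leave room for MySQL, Exim and the OS, not be the whole of physical RAM.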

Installing and Configuring Clamscan

ClamAV is an open source (GPL) antivirus engine designed for detecting trojans, viruses, malware and other malicious threats.

To Install ClamAV for Non-cPanel Servers

  1. Install EPEL Repo using the command:

    rpm -Uvh https://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

    This will create an EPEL Repo file /etc/yum.repos.d/epel.repo.

  2. Install required ClamAV packages.

    yum install clamav clamd

  3. Set clamd to start on boot and download an initial signature set. clamd refuses to start until a signature database exists, so run freshclam before the first start:

    chkconfig clamd on

    /usr/bin/freshclam

  4. Start the clamd service:

    /etc/init.d/clamd start

Now, you can configure daily scan as given below:

  1. Create a cron file using the command

    vim /etc/cron.daily/manual_clamscan

  2. Add the following lines in the file /etc/cron.daily/manual_clamscan:

    #!/bin/bash

    # Directory to scan and the report file; -i lists only infected files
    SCAN_DIR="/home"

    LOG_FILE="/var/log/clamav/manual_clamscan.log"

    /usr/bin/clamscan -i -r "$SCAN_DIR" >> "$LOG_FILE" 2>&1

    Note

    Change SCAN_DIR to the directory that you want to scan. This script only reports: it appends the list of infected files to LOG_FILE and does nothing to them, so review the log (or pair the scan with --move, described below) rather than assuming the files were handled.

  3. Set executable permission for the cron script using the command:

    chmod +x /etc/cron.daily/manual_clamscan
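The cron script above only reports. As an added example that is not part of the original page or of ClamAV, the following wrapper keeps a dated report per run, moves hits to a quarantine directory (assumed to be /var/quarantine/clamav) instead of leaving or deleting them, and exits non-zero when anything is found so that cron mails the output to root. The two helper functions that parse the clamscan report are the parts worth reusing from an alerting script. clamscan loads the whole signature database on every run; with clamd already running, clamdscan produces the same report format much faster, provided the clam user can read the scanned files.

```shell
#!/bin/bash
# Added example (not from the original page): a daily clamscan wrapper that
# keeps a timestamped report, moves hits to a quarantine directory instead of
# deleting them, and exits non-zero on hits so cron mails root.
# Paths are assumptions; adjust them to your server.

SCAN_DIR="${SCAN_DIR:-/home}"
LOG_DIR="${LOG_DIR:-/var/log/clamav}"
QUARANTINE="${QUARANTINE:-/var/quarantine/clamav}"   # assumed location, outside any web root

# Print the path of every hit in a clamscan report. clamscan writes one
# "path: Signature FOUND" line per infected file when run with -i.
infected_paths() {
    sed -n 's/^\(.*\): [^:]* FOUND$/\1/p' "$1"
}

# Number of hits taken from the "Infected files: N" summary line (0 if absent).
infected_count() {
    awk -F': ' '/^Infected files:/ { n = $2 } END { print n + 0 }' "$1"
}

run_daily_scan() {
    local report rc n
    report="$LOG_DIR/clamscan-$(date +%Y%m%d).log"
    mkdir -p "$LOG_DIR" "$QUARANTINE"
    chmod 700 "$QUARANTINE"     # quarantined files must not stay readable or executable by others

    # clamscan exit codes: 0 clean, 1 hits found, 2 error
    /usr/bin/clamscan -r -i --move="$QUARANTINE" "$SCAN_DIR" > "$report" 2>&1
    rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "clamscan failed, see $report" >&2
        return 2
    fi

    n=$(infected_count "$report")
    if [ "$n" -gt 0 ]; then
        echo "$n infected file(s) moved to $QUARANTINE:"
        infected_paths "$report"
        return 1
    fi
    return 0
}

# Only scan when explicitly asked, so the helpers can be sourced elsewhere.
case "${1:-}" in
    run) run_daily_scan ;;
esac
```

Install it as /etc/cron.daily/clamscan-quarantine with `run` as its argument in a wrapper, or call `run_daily_scan` directly from the existing cron script; keep the file name free of dots, since run-parts skips names containing them.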

To Install ClamAV for cPanel Servers

  1. Log in to your WHM panel as the root user.

  2. Click the cPanel icon.

  3. Select Manage Plugins. This will bring up a list of additional cPanel modules.

  4. Select the checkbox next to ClamAV Install and Keep Updated.

  5. Submit the settings by clicking Save.

Listed below are some important options for clamscan:

  • -h, --help: Print help information and exit.

  • -v, --verbose: Be verbose.

  • -l FILE, --log=FILE: Save the scan report to FILE.

  • -f FILE, --file-list=FILE: Scan the files listed line by line in FILE.

  • -r, --recursive: Scan directories recursively, so every subdirectory of the given directory is scanned as well.

  • -i, --infected: Print only infected files.

  • --remove[=yes/no(*)]: Remove infected files. Use with care: deleting a file destroys the evidence you would want for incident analysis, and a false positive cannot be undone.

  • --move=DIRECTORY: Move infected files into DIRECTORY. The directory must be writable by the user running clamscan, and should not be reachable from the web.

  • --copy=DIRECTORY: Copy infected files into DIRECTORY. The directory must be writable by the user running clamscan.

clamscan exits with status 0 when nothing is found, 1 when at least one file is infected, and 2 on error, which makes the status usable from a cron script.

CSF Firewall installation and configuration

ConfigServer Firewall (CSF) is an advanced firewall suite for Linux systems that enhances the security on your Server. It also has the Login Failure Daemon (LFD) process that regularly scans for failed login attempts on your Server and takes action against the offending IP Addresses.

Note

This documentation assumes that you are connected to the Server using an SSH client as a root user.

To Install CSF on a Server

  1. Change the present working directory to /usr/local/src using the command below. You may choose any other directory of your choice, where you want the installation script to be downloaded.

    cd /usr/local/src

  2. Run the below command to download the archive file to the present working directory:

    wget https://configserver.com/free/csf.tgz

  3. Extract the files using the command:

    tar xfz csf.tgz

  4. Go to the CSF directory using the command:

    cd csf

  5. To install CSF:

    • On a Server Without any Hosting Panel

      Run the general installation script ./install.generic.sh.

    • On a Server With cPanel or DirectAdmin

      • Run the installation script ./install.cpanel.sh to install CSF on a Server with cPanel.

      • Run the installation script ./install.directadmin.sh to install CSF on a Server with DirectAdmin.

    The CSF Firewall will be installed in the /etc/csf directory and the allowed inbound/outbound port configuration will be adjusted as per the current settings. You can make further adjustments through the configuration file /etc/csf/csf.conf.

  6. Restart the firewall for the changes to take effect using the command:

    /etc/init.d/csf restart

  7. Disable the testing flag by changing the value of TESTING from 1 to 0 in the configuration file /etc/csf/csf.conf using an editor like vi.

    Note

    While TESTING is set to 1, csf installs a cron job that flushes the firewall rules every few minutes (the interval is TESTING_INTERVAL) so that a mistake cannot lock you out, and LFD does not start at all. Ensure that all your custom firewall settings are working, in particular that your SSH port is listed in TCP_IN, before you disable testing mode.

    (Screenshot: Disabling Testing Mode)

  8. Restart the Firewall again.

To Manage CSF

CSF is managed from the command line. Running csf with no arguments prints the list of options and what each of them does.

CSF Commands

A few basic commands are:

  • Allowing an IP Address

    csf -a <ip_address>

  • Denying an IP Address

    csf -d <ip_address>

You can manage the CSF settings from your WHM Panel (Home >> Plugins).

Managing CSF through WHM

Once the installation is complete, you need to make sure that you have configured the firewall properly, before turning the testing mode off.

Ports and Settings to be enabled

The following are the values to set in /etc/csf/csf.conf for each panel. Add the port of any other service that must stay reachable (an SSH daemon on a non-standard port, for instance) to TCP_IN before leaving testing mode.

  • cPanel

    TCP_IN = "20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"

    TCP_OUT = "21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"

    UDP_IN = "20,21,53,953"

    UDP_OUT = "20,21,53,113,123,873,953"

  • Plesk

    TCP_IN = "20,21,22,25,53,80,110,143,443,465,993,995,8443,8880"

    TCP_OUT = "20,21,22,25,53,37,43,80,113,443,465,873,5224,5443"

    UDP_IN = "20,21,37,53,873"

    UDP_OUT = "20,21,53,113,123,873,6277"
Configure SMTP

SMTP_BLOCK stops local users and scripts from opening direct outbound connections on the SMTP ports, so that all mail (including mail sent by a compromised web application) has to leave through the server's own MTA where it is logged and rate-limited; SMTP_ALLOWLOCAL keeps connections to the local MTA working, and SMTPAUTH_LOG tells LFD which mail log to watch for authentication failures. cPanel has its own "SMTP Restrictions" tweak setting that does the same job as SMTP_BLOCK; enable only one of the two.

  • cPanel (Exim)

    SMTP_BLOCK = "1"

    SMTP_ALLOWLOCAL = "1"

    SMTP_PORTS = "25,26"

    SMTPAUTH_LOG = "/var/log/exim_mainlog"

  • Plesk

    SMTP_BLOCK = "1"

    SMTP_ALLOWLOCAL = "1"

    SMTP_PORTS = "25,587"

    SMTPAUTH_LOG = "/usr/local/psa/var/log/maillog"
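As an added example that is not part of the original page or of CSF itself, the following helpers operate on the settings above. csf_set changes one key in csf.conf in place (CSF_CONF is assumed to default to /etc/csf/csf.conf), csf_get reads a key back, and ports_not_allowed lists listening ports that TCP_IN does not cover, which is the check to run before turning TESTING off. audit_tcp_in feeds it live data from ss; the port lists used in the comments are constructed.

```shell
#!/bin/bash
# Added example (not from the original page): edit csf.conf safely and find
# listening services that TCP_IN does not allow. CSF_CONF is an assumed
# default; override it to work on a copy.

CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"

# Set KEY = "VALUE" in csf.conf, replacing the existing line in place.
# csf.conf lines look like:  TESTING = "1"
# Values must not contain | or & (sed delimiter and replacement metacharacter).
csf_set() {
    local key=$1 value=$2 file=${3:-$CSF_CONF}
    if grep -q "^$key *= *\"" "$file"; then
        sed -i "s|^$key *= *\".*\"|$key = \"$value\"|" "$file"
    else
        # A real csf.conf already contains every key; this branch is for fragments.
        printf '%s = "%s"\n' "$key" "$value" >> "$file"
    fi
}

# Print the current value of KEY without its quotes (last definition wins).
csf_get() {
    local key=$1 file=${2:-$CSF_CONF}
    sed -n "s|^$key *= *\"\(.*\)\"|\1|p" "$file" | tail -n 1
}

# Print every port in LISTENING (space-separated) that the comma-separated
# csf list ALLOWED does not cover. Ranges such as 30000:35000 are honoured.
ports_not_allowed() {
    local allowed=$1 listening=$2 p a lo hi found
    for p in $listening; do
        found=0
        for a in $(echo "$allowed" | tr ',' ' '); do
            case $a in
                *:*) lo=${a%%:*}; hi=${a##*:}
                     [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ] && found=1 ;;
                *)   [ "$p" -eq "$a" ] && found=1 ;;
            esac
        done
        [ "$found" -eq 0 ] && echo "$p"
    done
    return 0
}

# Live check: compare the TCP ports the box listens on with TCP_IN.
# Needs iproute2 and a real csf.conf; the constructed test does not call it.
audit_tcp_in() {
    local listening
    listening=$(ss -ltn | awk 'NR > 1 { sub(/.*:/, "", $4); print $4 }' | sort -un | tr '\n' ' ')
    ports_not_allowed "$(csf_get TCP_IN)" "$listening"
}

case "${1:-}" in
    audit) audit_tcp_in ;;
    set)   csf_set "$2" "$3" ;;
esac
```

A port that audit_tcp_in reports is not necessarily one to open: a MySQL listener on 3306 that only local applications use should stay blocked, and the right fix is to bind it to 127.0.0.1 rather than add it to TCP_IN.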

Installing and configuring Maldet

Linux Malware Detect (LMD) or Maldet is a malware scanner for Linux released under the GNU GPLv2 (free, open source) license, that is designed around the threats faced in hosting environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature, threats found on the TCH network of over 30,000 hosted domains and from malware community resources.

To install Maldet

  1. Change the present working directory to /usr/local/src using the command below. You may choose any other directory of your choice, where you want the installation script to be downloaded.

    cd /usr/local/src

  2. Run the below command to download the archive file to the present working directory:

    wget https://www.rfxn.com/downloads/maldetect-current.tar.gz

  3. Extract the files using the command:

    tar -xzf maldetect-current.tar.gz

  4. Go to the Maldet directory using the command:

    cd maldetect-*

  5. Run the installation script:

    sh ./install.sh

Sample Output:

    Linux Malware Detect v1.3.4
    (C) 1999-2010, R-fx Networks
    (C) 2010, Ryan MacDonald
    inotifywait (C) 2007, Rohan McGovern
    This program may be freely redistributed under the terms of the GNU GPL

    installation completed to /usr/local/maldetect
    config file: /usr/local/maldetect/conf.maldet
    exec file: /usr/local/maldetect/maldet
    exec link: /usr/local/sbin/maldet
    cron.daily: /etc/cron.daily/maldet
    maldet(32517): {sigup} performing signature update check…
    maldet(32517): {sigup} local signature set is version 2010051510029
    maldet(32517): {sigup} latest signature set already installed

To configure LMD

Every option in the configuration file (/usr/local/maldetect/conf.maldet) is documented by the comment above it; set them as per your requirement. The main options are listed below. LMD 1.5 and later renamed the quar_* options to quarantine_hits, quarantine_clean, quarantine_suspend_user and quarantine_suspend_user_minuid; their meaning is unchanged.

  • email_alert: Set it to 1 to receive email alerts.

  • email_subj: Specify your email subject.

  • email_addr: Add your email address to receive malware alerts.

  • quar_hits: The default quarantine action for malware hits. The installed default is 0 (alert only, files are left in place); set it to 1 so that detected files are moved to the quarantine directory.

  • quar_clean: The cleaning action for string-based malware injections in otherwise legitimate files; set it to 1. It requires quar_hits to be 1.

  • quar_susp: The default suspend action for users with hits (on cPanel the account is suspended). Set it as per your requirement; it also requires quar_hits to be 1.

  • quar_susp_minuid: The minimum user ID that can be suspended, so that system accounts are never suspended by mistake.

You can update Maldet using the commands:

maldet -u (update the signature set) or maldet -d (update the Maldet program itself)

The daily cron job installed at /etc/cron.daily/maldet also performs both updates.

To Scan using Maldet

  • To scan the files of a particular user, use the command:

    maldet -a /home/username/

  • To scan the public_html directory of every user under /home, use the command:

    maldet --scan-all /home?/?/public_html

    Note

    LMD uses ? as its own wildcard character and replaces it with * internally, so the path above matches /home, /home2 and so on, and every user name, without the shell expanding it first.

  • To attempt a clean on all malware results from a previous scan that did not have the feature enabled, use the command:

    maldet --clean SCANID
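The SCANID that --clean needs is printed by maldet at the end of every scan, in a line of the form "scan report saved, to view run: maldet --report SCANID", alongside a summary line carrying the number of hits. As an added example that is not part of the original page or of LMD, the following wrapper extracts both from maldet's output and runs the clean and the report only when there is something to act on. It also shows the --scan-recent form (maldet -r PATH DAYS), which limits a daily run to files changed in the last few days. The paths are assumptions; the sample output lines in the comments follow maldet's log format.

```shell
#!/bin/bash
# Added example (not from the original page): run a maldet scan, take the
# SCANID and hit count from maldet's own output, and clean only when hits
# exist. Paths are assumptions.

# maldet ends a scan with lines such as
#   maldet(4321): {scan} scan completed on /home: files 2000, malware hits 2, cleaned hits 0
#   maldet(4321): {scan} scan report saved, to view run: maldet --report 160525-1234.4321
scan_id() {
    sed -n 's/.*maldet --report \([0-9][0-9.-]*\).*/\1/p' "$1" | tail -n 1
}

hit_count() {
    sed -n 's/.*malware hits \([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Scan PATH; with DAYS given, only files changed in the last DAYS days are
# scanned (maldet --scan-recent), which keeps a daily cron run short.
# Returns 0 when clean, 1 when hits were found, 2 when no report was produced.
scan_and_clean() {
    local path=$1 days=${2:-} out id hits
    out=$(mktemp)
    if [ -n "$days" ]; then
        maldet --scan-recent "$path" "$days" > "$out" 2>&1
    else
        maldet --scan-all "$path" > "$out" 2>&1
    fi
    id=$(scan_id "$out")
    hits=$(hit_count "$out")
    rm -f "$out"

    if [ -z "$id" ]; then
        echo "no scan report found in maldet output" >&2
        return 2
    fi
    if [ "${hits:-0}" -gt 0 ]; then
        echo "$hits hit(s) in scan $id; cleaning and showing the report"
        maldet --clean "$id"      # only string injections with a cleaner rule are cleaned
        maldet --report "$id"     # review the rest by hand; -q SCANID quarantines them
        return 1
    fi
    echo "scan $id clean"
    return 0
}

# Usage: ./maldet-wrap.sh scan /home?/?/public_html [DAYS]
case "${1:-}" in
    scan) scan_and_clean "$2" "${3:-}" ;;
esac
```

The non-zero return on hits is deliberate: run from cron, the printed report reaches root by mail, and a monitoring job can treat the exit status as an alert.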