How-To: Next Steps for your cPanel VPS

[Steve]

Depending on who I'm setting up the cPanel server for, these are some of the steps I follow after creating a new cPanel VPS. Please feel free to comment with anything I might have left out, or better ways to do it:

1. Change server time to your locale:
Server Configuration > Server Time

2. Change/Create MySQL Root Password:
SQL Services > MySQL Root Password

3. Security Centre:
Enable php open_basedir Protection
Disabled Compilers for unprivileged users.
Enable Shell Fork Bomb/Memory Protection

4. FTP Server Configuration:
Disallow anonymous

5. Service Manager:
Exim on port 26

6. Exim Advanced Editor:

add the follow lines:

Code:

log_selector = +arguments +subject
recipients_max = 20
recipients_max_reject = true
timeout_frozen_after = 3d
ignore_bounce_errors_after = 2d
delay_warning = 12h:24h:36h:48h:72h:96h

7. Change root password:
Server COnfiguration > Change Root Password

8.Install ConfigServer Firewall:

Shell:

Code:

wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Test install:
perl /etc/csf/csftest.pl

High settings, then change testing to 0 and restart

9. Disable unnecessary services

Code:

/etc/init.d/smartd stop
chkconfig smartd off

/etc/init.d/hidd stop
chkconfig hidd off

/etc/init.d/pcscd stop
chkconfig pcscd off

/etc/init.d/isdn stop
chkconfig isdn off

/etc/init.d/kudzu stop
chkconfig kudzu off

/etc/init.d/cups stop
chkconfig cups off

/etc/init.d/bluetooth stop
chkconfig bluetooth off

/etc/init.d/avahi-daemon stop
chkconfig avahi-daemon off

/etc/init.d/haldaemon stop
chkconfig haldaemon off

10. Change SSH port:

(Make sure you OPEN the port in your firewall first! Plugins > ConfigServer Security&Firewall > Ports)

Code:

nano /etc/ssh/sshd_config

Code:

Port <choose a different port>
Protocol 2
#AddressFamily any
ListenAddress <SERVER_IP>

11. Add server to your DNS cluster if you're using one.
12. Install postgresql, imagick, imagemagick if required
13. Use easyapache to rebuild apache with required modules
14. Install Configserver Mail Manage
cd /tmp
wget http://www.configserver.com/free/cmm.tgz
tar -xzf cmm.tgz
cd cmm/
sh install.sh

15. Install Mail Queues
wget http://www.configserver.com/free/cmq.tgz
tar -xzf cmq.tgz
cd cmq/
sh install.sh

16. Tweak Settings
Go through the various anti-spam options, lower the number of emails clients can send per hour and so on.

17. Install DNS check
mkdir /home/accountdnscheck.install/
cd /home/accountdnscheck.install
wget http://mirrors.ndchost.com/ndchost/s...eck/install.sh
sh install.sh

18. Service Configuration > Apache Configuration > Global Configuration:

ServerSignature: OFF
ServerTokens: PRODUCTONLY

19. Server Contacts > Change System Mail Preferences

Please add your suggested changes/additions below.

[Kody]

If you are using the cPanel template, the first two things I do are:

1). Make sure the update settings are set for (http://your.server.ip.here:2086/scripts2/upcpform)
* Automatic (STABLE tree)

2). Login via SSH and run /scripts/upcp

This will update cPanel/WHM to the latest version.

~k

[webicero]

Nice guide there steve, Thank you

[serversphere]

Excellent guide!

Quote:

Originally Posted by Steve

13. Use easyapache to rebuild apache with required modules

We add locking down PHP to this step:

1. Login via shell with root access.

2. Locate your php.ini file.

Code:

updatedb; locate php.ini

3. Open the file in your favorite editing package, the command below backs up your old file first to your root directory.

Code:

cp /path_to/php.ini /root/php.ini; nano /path_to/php.ini

4. Locate the line that contains "disable_functions="

Code:

CTRL-W

then

Code:

disable_functions

then ENTER.

5. Edit the line to include the following commands that we should disable:

Code:

disable_functions = dl, exec, shell, shell_exec, system, system_exec, passthru, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, symlink

6. Save the file and exit.

Code:

CTRL-X

then Y, then ENTER to save with the same file name.

7. Restart Apache (not necessary but wise when you make a change).

Code:

service httpd restart

This will protect your system and limit PHP's functionality. Please note, this may break some scripts and you might need to tinker with some options to customize the solution for your server.

[mwalters]

I also do this in WHM:

- EasyApache
-- Short Options list -> enable Mod SuPHP
-- Short Options list -> enable Suhosin for PHP

Let Apache/PHP rebuild then:

- Apache Configuration
-- PHP and SuExec Configuration
--- PHP5 Handler: suPHP

I also installed APC recently, but I'd need to dig up the how-to on getting that done.

[webicero]

There is some great stuff in this thread guys. Well done

[Ditlev]

ya - some real gems here. Thanks!

[Steve]

Quote:

Originally Posted by mwalters

I also installed APC recently, but I'd need to dig up the how-to on getting that done.

Thanks -- I did not know that you could use APC and suPHP at the same time? Would be interested to see your notes on that, please.

[mwalters]

Quote:

Originally Posted by Steve

Thanks -- I did not know that you could use APC and suPHP at the same time? Would be interested to see your notes on that, please.

I don't see any problems with it as far as things crashing, however I will mention that having APC installed also is new on the box so I haven't really tested to see if it is working / providing an advantage yet. I'll report back when I've had some more opportunity to play with it.

[geniosity]

A question on the steps above: does anybody upgrade Apache from 2.0 to 2.2?