This guide covers setting up WHM/cPanel on a fresh server. It is written for web hosting resellers: the aim is to tune, optimise and secure the server for selling hosting.
- SERVER PARTITION SIZE
cPanel requirement: swap should be 4 GB.
Croc Web
Device     Mount Point   Usage   Used of total
/boot      /boot         28%     133,214 of 499,492
/var/tmp   /var/tmp       8%     318,684 of 4,059,840
/tmp       /tmp           8%     318,684 of 4,059,840
/          /             78%     1,188,088,984 of 1,612,302,348
The tmp partitions are created by cPanel itself, so a dedicated server with 32 GB RAM was ordered from WSI with the 4 GB swap cPanel recommends.
- FQDN
CREATE/UPDATE NAMESERVER
srv1.fqdn.com
Log in to the new dedicated server
- yum update
- nano /etc/ssh/sshd_config
Port 2244
(Open the new port in the firewall before restarting sshd or rebooting; if the firewall still only allows 22 you lock yourself out. Keep the current session open and test a second login on 2244 before closing it.)
reboot, then set the hostname to srv1.fqdn.com
- Disable NetworkManager (list interfaces with ifconfig -a or ip a) for all networks
systemctl stop NetworkManager.service
systemctl disable NetworkManager.service
OR for CentOS 6
service NetworkManager stop
cd /etc/sysconfig/network-scripts
ls
Open the ifcfg-eth0 and ifcfg-lo files (/etc/sysconfig/network-scripts/ifcfg-ethX) with your preferred text editor and, if the keys exist, set their values as below.
On this server the files were ifcfg-eno1, ifcfg-eno2 and ifcfg-lo rather than ifcfg-eth0 (ifcfg-eno2 was skipped: ONBOOT was already no and, although TYPE was Ethernet, it only carried IPv6).
NM_CONTROLLED=no
ONBOOT=yes
cp ifcfg-eno1 ifcfg-eno1:0
systemctl enable network.service
systemctl start network.service
systemctl status network
ip a
cd /etc/sysconfig/network-scripts
Add alias interfaces, one file per additional IP:
CentOS 7
cp ifcfg-eno1 ifcfg-eno1:0
cp ifcfg-eno1:0 ifcfg-eno1:1
CentOS 6
cp ifcfg-eth0 ifcfg-eth0:0   # 63
cp ifcfg-eth0 ifcfg-eth0:1   # 64
cp ifcfg-eth0 ifcfg-eth0:2   # 65
Parent interface (ifcfg-eth0). The values are illustrative and, as copied from the reference below, the IPADDR and GATEWAY come from different examples and are not on the same subnet; on a real server they must be:
DEVICE="eth0"
BOOTPROTO=static
ONBOOT=yes
TYPE="Ethernet"
IPADDR=63.141.238.166
NETMASK=255.255.255.224
GATEWAY=172.16.16.100
HWADDR=00:0C:29:28:FD:4C
Alias (ifcfg-eth0:0). DEVICE and IPADDR are the lines that must differ from the parent; the alias shares the parent's netmask, gateway and MAC address:
DEVICE="eth0:0"          # IMPORTANT: alias name
BOOTPROTO=static         # IMPORTANT
ONBOOT=yes
TYPE="Ethernet"
IPADDR=172.16.16.126     # IMPORTANT: the additional IP
NETMASK=255.255.255.224
GATEWAY=172.16.16.100
HWADDR=00:0C:29:28:FD:4C
/etc/init.d/network restart
- cd /home && curl -o latest -L https://securedownloads.cpanel.net/latest && sh latest
Run the one-time login URL printed by the cPanel installer.
Reference for the static IP configuration: https://www.cyberciti.biz/faq/howto-setting-rhel7-centos-7-static-ip-configuration/
DNS Zone
Add a DNS zone
63.141.238.162 fqdn.com   // to resolve the "Nameserver is not authoritative" error
Add a DNS zone
63.141.238.163 ns4.fqdn.com
Edit DNS zone
ns4.fqdn.com
I added A records for the nameservers as well as NS records inside the DNS zone of the reseller's main domain; then the error was resolved.
MySQL
- Upgrade to MariaDB before installing the CloudLinux MySQL Governor. If the governor is already installed, remove it first, upgrade, then reinstall it.
To remove MySQL Governor:
$ /usr/share/lve/dbgovernor/mysqlgovernor.py --delete
To install it:
$ /usr/share/lve/dbgovernor/mysqlgovernor.py --install
Open the remote connection port for MySQL / MariaDB only if customers actually need remote database access, and allow it per source IP in the firewall rather than opening 3306 to everyone.
- Feature Manager » Edit Feature List
- Install CloudLinux (CL)
cd /root
$ wget https://repo.cloudlinux.com/cloudlinux/sources/cln/cldeploy
If you have an activation key:
$ sh cldeploy -k <activation key>
If you have an IP-based license:
$ sh cldeploy -i
$ reboot
Run the wizard and install CageFS, mod_lsapi and MySQL Governor.
- MySQL my.cnf (the file is kept in the Guides folder)
max_connections=150
service mysql restart
pid-file=/var/run/mysqld/mysqld.pid   (this setting did not work)
- Install ClamAV, then the ConfigServer cxs script installer
cd /usr/src
rm -f cxs*
wget https://download.configserver.com/cxsinstaller.tgz
tar -xzf cxsinstaller.tgz
perl cxsinstaller.pl ipv4
rm -fv cxsinstaller.*
Run the wizard.
Enable IP Reputation after the csf firewall is installed.
To stop cxs scanning a cache directory, edit
/etc/cxs/cxs.ignore
and add:
hdir:/public_html/wp-content/cache/supercache
(hdir paths are relative to each user's home folder.)
Then restart cxs:
service cxswatch restart
- ConfigServer Security & Firewall (csf)
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
Next, test whether you have the required iptables modules:
perl /usr/local/csf/bin/csftest.pl
Result: all OK.
Enable the firewall (set TESTING = "0" in /etc/csf/csf.conf).
Run Check Server Security in the csf WHM app.
Change TCP_IN and TCP_OUT in csf.conf to include your SSH port (2244 above) and drop 22 once you have confirmed a login on the new port works; enabling csf with the SSH port missing from TCP_IN locks you out.
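The sshd port change and the csf TCP_IN/TCP_OUT step above are the two halves of the same lockout risk, so here is a small check that ties them together. This is an added example, not cPanel's or ConfigServer's code: it reads the effective Port from an sshd_config, tests whether that port is an exact entry in the quoted TCP_IN/TCP_OUT lists of a csf.conf, and appends it where missing. File paths are parameters; the sshd_config and csf.conf written below are constructed samples (the TCP_IN list is a typical cPanel default, not copied from a real server).

```bash
#!/bin/bash
# Added example for this guide (not cPanel's or ConfigServer's code): make sure
# the SSH port from sshd_config is present in TCP_IN/TCP_OUT of csf.conf before
# csf is enabled, appending it if it is missing. Paths are parameters so the
# functions can be run against copies of the real files.

# Print the effective sshd port: the last uncommented "Port" line wins, 22 if none.
sshd_port() {
    awk 'tolower($1) == "port" { p = $2 } END { print (p == "" ? 22 : p) }' "$1"
}

# Print the comma-separated list behind KEY = "..." in a csf.conf (e.g. TCP_IN).
csf_list() {
    local cfg="$1" key="$2"
    sed -n "s/^$key[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$cfg" | tail -n 1
}

# Return 0 if PORT is an exact entry of the KEY list. Ranges such as
# 30000:35000 are not expanded, so a port inside a range counts as missing.
csf_has_port() {
    local cfg="$1" key="$2" port="$3"
    case ",$(csf_list "$cfg" "$key")," in
        *",$port,"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Append PORT to TCP_IN and TCP_OUT where it is missing (idempotent).
# Portable in-place edit: write a temp file and move it over the original.
csf_add_port() {
    local cfg="$1" port="$2" key
    for key in TCP_IN TCP_OUT; do
        if ! csf_has_port "$cfg" "$key" "$port"; then
            sed "s/^\($key[[:space:]]*=[[:space:]]*\"[^\"]*\)\"/\1,$port\"/" "$cfg" > "$cfg.tmp" \
                && mv "$cfg.tmp" "$cfg"
        fi
    done
}

# --- constructed sample files; port 2244 is the one this guide uses ---
DEMO_DIR=$(mktemp -d)
SSHD_CFG="$DEMO_DIR/sshd_config"
CSF_CFG="$DEMO_DIR/csf.conf"
printf '#Port 22\nPort 2244\nPermitRootLogin yes\n' > "$SSHD_CFG"
printf 'TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096"\n' > "$CSF_CFG"
printf 'TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"\n' >> "$CSF_CFG"

PORT=$(sshd_port "$SSHD_CFG")
if csf_has_port "$CSF_CFG" TCP_IN "$PORT"; then
    echo "ssh port $PORT already allowed in TCP_IN"
else
    echo "ssh port $PORT missing from TCP_IN: adding it to TCP_IN and TCP_OUT"
    csf_add_port "$CSF_CFG" "$PORT"
fi
echo "TCP_IN is now: $(csf_list "$CSF_CFG" TCP_IN)"
```

Run it against /etc/ssh/sshd_config and /etc/csf/csf.conf (or copies) before the first csf -r; the add step only touches the quoted list, so the rest of csf.conf is left as it was.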
- Remove All PHP versions from EA4.
Dealing with cPanel’s MultiPHP and CloudLinux’s PHP Selector.
July 8th, 2018 — whplus
If you are using PHP-FPM you cannot use CloudLinux's PHP Selector, so you may want to scrap PHP Selector off the bat if that is the case, unless you plan on only using PHP-FPM for some accounts and not all.
If PHP-FPM isn't a worry, then what I would recommend doing is going into:
WHM > EasyApache4
Installed CL + OPcache + mod_lsapi + all PHP versions (then customised ionCube per PHP version)
Then go into
WHM > CloudLinux LVE Manager > Selector
Set your ‘Default php version’ to PHP 7.2(not native).
Then below that, I personally uncheck "native" altogether.
At the very bottom click the "Panel Default" option and click "Save".
This will select all the PHP extensions you chose for the PHP version in EasyApache.
You will want to do this for each PHP version there.
Next, go to
WHM > MultiPHP Manager
Make sure you set “System PHP Version” to EA-PHP70 (or whichever EA version you chose in EasyApache).
Make sure ALL cPanel accounts are set to the inherited version of PHP. This will make sure all cPanel accounts are now only able to use PHP versions from Cloudlinux’s PHP Selector.
I would also go to
WHM > Feature Manager
Edit your default and other feature lists that you use and disable both:
MultiPHP INI Editor
MultiPHP Manager
nano /opt/alt/php51/etc/php.ini
Change the already existing options:
enable_dl = Off
disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open
We are often asked how to prevent a particular PHP function from being used by all clients. This is especially true of functions like exec, passthru, etc. It is easily done with PHP Selector: your customers are only allowed to modify the directives listed in /etc/cl.selector/php.conf. For example, to block a system command like 'exec' for php53, add 'disable_functions=exec' to /opt/alt/php53/etc/php.ini. As long as that directive is absent from /etc/cl.selector/php.conf, users cannot re-enable 'exec' in their scripts.
Want a quick check of which directives your users may customise? Execute the following command as root on your server:
grep Directive /etc/cl.selector/php.conf
Still, trying to secure shared hosting with php.ini alone is the wrong approach. It works for PHP processes, but not for CGI scripts or other binaries a user can run. The real boundary is CageFS, which limits what a user's processes can see and do.
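The two points above (block the functions in every alt-PHP php.ini, and make sure php.conf does not hand disable_functions to customers) are easy to get half right across several PHP versions, so here is an audit for both. This is an added example, not CloudLinux's code: it reports which functions from the list this guide blocks are missing from each php.ini's disable_functions, and whether /etc/cl.selector/php.conf exposes a given directive as user-editable (the "Directive = name" line format is the one the grep above relies on). Paths are parameters; the php51/php72 ini files and the php.conf written below are constructed samples.

```bash
#!/bin/bash
# Added example (not CloudLinux's code): audit the disable_functions line of
# every alt-PHP php.ini against the list this guide blocks, and confirm that
# /etc/cl.selector/php.conf does not expose "disable_functions" as a
# customer-editable directive (if it did, PHP Selector would let users undo
# the block). Paths are parameters; the files written below are constructed.

# Functions this guide disables in /opt/alt/php*/etc/php.ini.
WANT_DISABLED="show_source system shell_exec passthru exec popen proc_open"

# Print the functions from WANT_DISABLED missing from the ini's disable_functions.
# Empty output means the ini blocks everything on the list.
missing_disabled() {
    local ini="$1" have f missing=""
    # the last uncommented disable_functions wins; strip whitespace so ",f," matches
    have=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$ini" \
           | tail -n 1 | tr -d '[:space:]')
    for f in $WANT_DISABLED; do
        case ",$have," in
            *",$f,"*) ;;
            *) missing="$missing $f" ;;
        esac
    done
    echo "${missing# }"
}

# Return 0 if php.conf lists DIRECTIVE as one customers may change.
selector_exposes() {
    local conf="$1" directive="$2"
    grep -Eq "^[[:space:]]*Directive[[:space:]]*=[[:space:]]*$directive([[:space:]]|$)" "$conf"
}

# Print one finding line per php.ini given, then the php.conf verdict.
audit_alt_php() {
    local conf="$1"; shift
    local ini gap
    for ini in "$@"; do
        gap=$(missing_disabled "$ini")
        if [ -z "$gap" ]; then
            echo "$ini: ok"
        else
            echo "$ini: still callable: $gap"
        fi
    done
    if selector_exposes "$conf" disable_functions; then
        echo "$conf: WARNING disable_functions is user-editable via PHP Selector"
    else
        echo "$conf: disable_functions is not exposed to customers"
    fi
}

# --- constructed sample tree mirroring /opt/alt/phpNN/etc/php.ini and /etc/cl.selector/php.conf ---
DEMO_DIR=$(mktemp -d)
mkdir -p "$DEMO_DIR/php51/etc" "$DEMO_DIR/php72/etc"
printf 'enable_dl = Off\ndisable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open\n' \
    > "$DEMO_DIR/php51/etc/php.ini"
printf '; only exec is blocked here; the rest is still callable\ndisable_functions = exec\n' \
    > "$DEMO_DIR/php72/etc/php.ini"
printf 'Directive = safe_mode\nDefault   = Off\nType      = bool\n\nDirective = display_errors\nDefault   = Off\nType      = bool\n' \
    > "$DEMO_DIR/php.conf"

audit_alt_php "$DEMO_DIR/php.conf" "$DEMO_DIR"/php*/etc/php.ini
```

On a real server call it as audit_alt_php /etc/cl.selector/php.conf /opt/alt/php*/etc/php.ini; any "still callable" line is a version you forgot to edit, and the WARNING line means the php.ini change can be undone from the customer's cPanel.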
Install Node.js application support (CloudLinux Node.js Selector):
yum install lvemanager lve-utils ea-apache24-mod-alt-passenger
- Install Imunify AV
wget https://repo.imunify360.cloudlinux.com/defence360/imav-deploy.sh
bash imav-deploy.sh
- Cloudflare cPanel plugin (installation over SSH with a client such as Terminal or PuTTY)
HOST_API_KEY will look similar to 56yt8x9s987dfy4324bnv.
'YOUR_COMPANY_NAME' should be wrapped in quotes, like so: 'Awesome Hosting'
bash <(curl -s https://raw.githubusercontent.com/cloudflare/CloudFlare-CPanel/master/cloudflare.install.sh) -k 0ed0828a859f2de15fbd2d5c3bedf391 -n 'Host Mayo'
Note the repository path is cloudflare/CloudFlare-CPanel; an earlier copy of this command with "Clouflare" in the URL does not work. The -k value is the Cloudflare host API key, which is a credential: keep it out of shared notes and rotate it if it has been exposed.
- Nginx (Engintron)
cd /; rm -f engintron.sh; wget --no-check-certificate https://raw.githubusercontent.com/engintron/engintron/master/engintron.sh; bash engintron.sh install
(Drop --no-check-certificate: it disables TLS verification on a script you then run as root. If wget cannot verify the GitHub certificate, fix the CA bundle on the server instead.)
- Apache optimisation
curl -sL https://raw.githubusercontent.com/richardforth/apache2buddy/master/apache2buddy.pl | sudo perl
curl -sL apachebuddy.pl | perl   (this short form did not work on this server once Nginx was in front of Apache)
MaxRequestWorkers 200. Not sure why, but the Apache error log showed: AH00286: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting.
We had the same problem on Apache 2.4.6. After monitoring the server and adjusting the setting for several hours it appears to us that Apache may have a bug. What appears to happen is that the server processes occasionally go into the G state (Gracefully finishing) and restart to accept new requests; that's normal. What is not normal is that for some reason this can take up to a few minutes. If you only have a few server processes running and they all go into the G state at the same time, then your scoreboard fills up and you won't be able to serve any more requests.
What we did was increase the number of servers so there is less of a chance that they will all go into the G state at the same time. Also make sure you allocate at least 25 threads (MaxRequestWorkers) for each server process because that appears to be the default (i.e. 5 servers x 25 ThreadsPerChild = 125 MaxRequestWorkers). You can change ThreadsPerChild if you like; we left it at the default. If you don't allocate enough threads the additional servers will not start. We left MinSpareThreads at the default value, which is 25, and MaxSpareThreads at its default, which is 75. If you do modify these settings, the value for MaxSpareThreads must be greater than or equal to the sum of MinSpareThreads and ThreadsPerChild. Also MaxRequestWorkers must be equal to or less than ServerLimit.
- I changed Apache from the event MPM to the worker MPM and my server problem was solved.
- Switch MPM: EasyApache 4 offers mod_mpm_prefork, mod_mpm_worker and mod_mpm_event, and only one of them can be installed at a time; this server was moved away from mod_mpm_event.
Apache MPMs – Prefork vs Worker vs Event
By default, Apache servers typically have 3 threads available:
Prefork
Implements a non-threaded, pre-forking web server.
The default one, most stable and also compatible with older software. Unfortunately, also the slowest.
I’m guessing it’s called that because it’s the original version before they forked off into the other versions.
You will almost always find this one installed by default as many companies are too lazy to reconfigure hundreds of their servers. There’s also a shady skepticism that they don’t want your server to perform that well since they want to upsell you to a bigger server sooner.
Worker
Multi-Processing Module implementing a hybrid multi-threaded multi-process web server.
Faster than prefork and can handle more visitors.
Event
A variant of the worker MPM with the goal of consuming threads only for connections with active processing.
The fastest MPM and considered least stable…although fine for most people in real-world practices.
Uses the least resources and can handle the most visits.
A common approach used by administrators is reverse proxying: Nginx sits in front as a static web server and Apache handles the back end, combining the strengths of the two.
Nginx serves all static content (CSS, JS, images, etc.) by default, which significantly reduces the CPU and RAM Apache consumes; Apache serves the dynamic content (PHP, Perl, etc.).
Enable HTTP/2 on the cPanel server
HTTP/2 increases speed; browsers only negotiate it over TLS, so it also pushes sites onto HTTPS.
To install or uninstall the mod_http2 Apache module use WHM's EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4). If your server requires that you run websites as the user, you must also install the mod_suexec Apache module.
Check whether HTTP/2 is enabled for a site using an online HTTP/2 checker.
Q. Will it work with CloudFlare?
A. Yes, but there is a minor gotcha. You need to adjust your "custom_rules" Nginx configuration file a bit.
When you open that file via Engintron's WHM app, you'll see examples of the rules to add for Engintron to work seamlessly with CloudFlare.
To briefly explain the process, you need to set your server's shared (main) IP and/or any additional dedicated IPs matching certain domains (everything is documented with examples in there).
For Memcached
chmod +x /usr/local/src/engintron/utilities/install_memcached_in_cpanel_ea4.sh
/usr/local/src/engintron/utilities/install_memcached_in_cpanel_ea4.sh
Edit your custom_rules for Nginx
If your server has a single shared IP ONLY and you wish to use CloudFlare for any (or all) of your sites, you will have to specify that shared IP address here, otherwise you'll get errors from CloudFlare. This simply tells Nginx to skip DNS resolution and forward traffic to the shared IP.
Within your "Custom Rules" file, add the following line if all your sites on the shared (main) IP of your server are on CloudFlare:
set $PROXY_DOMAIN_OR_IP "XXX.XXX.XXX.XXX"; # Use your cPanel's shared IP address here
On this server:
set $PROXY_DOMAIN_OR_IP "63.141.238.162"; # Use your cPanel's shared IP address
Only one IP is in use here; let's see.
Restrict access to ports 8080 & 8443 (used by Apache) to Nginx only
(originally posted by Engintron user @speegs in Engintron's Issues)
To restrict access to ports 8080 & 8443 used by Apache so that only Nginx can reach them, follow these steps:
- Install ConfigServer Firewall (CSF) from https://configserver.com/cp/csf.html – it's the best iptables GUI for cPanel (and not only)!
- Edit the file /etc/csf/csf.allow (either via terminal or via CSF's WHM app) and append these lines (Firewall Allow IPs):
tcp|in|d=8080|s=127.0.0.1 # The loopback address
tcp|in|d=8080|s=63.141.238.162 # Server's shared IP; with multiple IPs, clone this line and edit the IP
tcp|in|d=8080|s=63.141.238.163 # Second IP
tcp|in|d=8443|s=127.0.0.1 # The loopback address
tcp|in|d=8443|s=63.141.238.162 # Server's shared IP
tcp|in|d=8443|s=63.141.238.163 # Second IP (the original notes had d=8080 here by copy-paste, which left 8443 from .163 blocked by the deny rule below)
- Edit /etc/csf/csf.deny (either via terminal or via CSF's WHM app) and append these lines (Firewall Deny IPs):
# Block all connections to port 8080 except those already allowed in csf.allow
tcp|in|d=8080|s=0.0.0.0/0 # do not delete
# Block all connections to port 8443 except those already allowed in csf.allow
tcp|in|d=8443|s=0.0.0.0/0 # do not delete
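The allow list above is one port-per-IP pair away from a hole or an outage when it is cloned by hand, so here is the same procedure generated from the IP list instead. This is an added example, not Engintron's or ConfigServer's code: it emits the csf.allow and csf.deny lines for the Apache back-end ports for loopback plus every server IP, and checks an existing csf.allow for missing pairs. The IPs are the ones used in this guide and the sample csf.allow written below is a constructed copy of the hand-written list (including the duplicated d=8080 line) to show the check catching it.

```bash
#!/bin/bash
# Added example (not Engintron's or ConfigServer's code): generate the csf.allow
# and csf.deny entries for the Apache back-end ports from the list of server IPs,
# and verify an existing csf.allow against that list. The file written below is
# a constructed sample reproducing the hand-written list from this guide.

APACHE_PORTS="8080 8443"

# Emit one csf.allow line per port for loopback and for every IP given.
csf_allow_lines() {
    local port ip
    for port in $APACHE_PORTS; do
        echo "tcp|in|d=$port|s=127.0.0.1 # loopback: Nginx on the same host"
        for ip in "$@"; do
            echo "tcp|in|d=$port|s=$ip # server IP Nginx proxies from"
        done
    done
}

# Emit the catch-all csf.deny lines. csf.allow is evaluated first, so only the
# sources listed there can still reach Apache directly.
csf_deny_lines() {
    local port
    for port in $APACHE_PORTS; do
        echo "# Block all connections to port $port except those already allowed in csf.allow"
        echo "tcp|in|d=$port|s=0.0.0.0/0 # do not delete"
    done
}

# Print "PORT IP" for every pair an existing csf.allow does not contain.
# Matches the rule text only, so trailing comments do not matter.
csf_allow_missing() {
    local file="$1"; shift
    local port ip ip_re
    for port in $APACHE_PORTS; do
        for ip in 127.0.0.1 "$@"; do
            ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
            grep -Eq "^[[:space:]]*tcp\|in\|d=$port\|s=$ip_re([[:space:]]|#|$)" "$file" \
                || echo "$port $ip"
        done
    done
}

# --- constructed sample: the hand-written list, with d=8080 repeated for .163 ---
DEMO_FILE=$(mktemp)
cat > "$DEMO_FILE" <<'EOF'
tcp|in|d=8080|s=127.0.0.1 # The loopback address
tcp|in|d=8080|s=63.141.238.162
tcp|in|d=8080|s=63.141.238.163
tcp|in|d=8443|s=127.0.0.1 # The loopback address
tcp|in|d=8443|s=63.141.238.162
tcp|in|d=8080|s=63.141.238.163
EOF

echo "pairs missing from the hand-written csf.allow:"
csf_allow_missing "$DEMO_FILE" 63.141.238.162 63.141.238.163
echo "generated csf.allow:"
csf_allow_lines 63.141.238.162 63.141.238.163
echo "generated csf.deny:"
csf_deny_lines
```

With the real file, csf_allow_missing /etc/csf/csf.allow <your IPs> should print nothing before you add the deny lines; anything it prints is an IP that Nginx will no longer be able to reach Apache from once csf.deny is in place.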
EXCESSIVE PROCESSES (csf.conf)
CT_LIMIT = "150"       # Default: 0 [0 or 10-1000]; connection tracking: block a source with more than this many connections
CT_PERMANENT = "1"     # make those blocks permanent (the note said ON; csf expects 1)
PT_USERMEM = "1024"    # Default: 256 [0-1024]; MB of memory a user process may use before an alert
NFS for file sharing: there is no harm in disabling it and cPanel does not insist on it (rpcbind only matters for quotas on NFS mounts), but I disabled it.
You can disable it by running the following command as root (disable only stops it starting at boot; stop the running service as well if it is active):
systemctl disable rpcbind
Mailman Excessive Resources
Added the following to csf.pignore (EasyApache 4 paths):
pcmd:/usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner.*
pcmd:/usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl.*
The entries below were already present in csf.pignore and are fine to leave. With cPanel and EasyApache 3 the interpreter path is the /usr/bin/python one in this second set; with EasyApache 4 it is the 3rdparty one in the first set.
pcmd:/usr/bin/python /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl.*
pcmd:/usr/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner.*
cmd:spamd child
Add this for Memcached:
exe:/usr/bin/memcached
NFS for file sharing:
rpcbind is the ONC RPC port mapper used by NFS and related services (it is unrelated to BIND and to WordPress XML-RPC). It is a legitimate process, so ignore its execution alert:
pcmd:/sbin/rpcbind.*
For Node.js 10:
exe:/opt/alt/alt-nodejs10/root/usr/bin/node
or, for a node installed by a user through nvm:
exe:/home/thereapn/.nvm/versions/node/v13.12.0/bin/node
- Install Comodo WAF
https://waf.comodo.com/user/cwaf_revisions
cd /root
wget https://waf.comodo.com/cpanel/cwaf_client_install.sh
bash /root/cwaf_client_install.sh
Check that the WAF blocks a test request (a trivial SQL injection probe against one of the hosted sites): http://www.rustcollegesports.com/?a=b%20AND%201=1
- Install ClamAV
- Install Solr
- Why mod_lsapi
https://www.cloudlinux.com/mod-lsapi (better than suEXEC)
Drop-in replacement for suPHP, FCGID, RUID2 and ITK.
Does not suffer from the process-management stability issues of PHP-FPM and mod_fcgid.
Includes the full benefits of opcode caching.
PHP-FPM not only provides better security than suPHP, it also processes PHP scripts much more efficiently than suPHP.
PHP handlers ordered from least to most preferred for shared hosting: DSO (mod_php) > suPHP > FastCGI (FCGI) > PHP-FPM > mod_lsapi
- Installing Softaculous
Step 1: Enable ionCube
wget -N http://files.softaculous.com/install.sh
chmod 755 install.sh
./install.sh
WHM > Plugins (Add-Ons on versions older than 11) > Softaculous – Instant Installs
Tweak Settings: enable ionCube as the cPanel PHP loader.
Built an EasyApache 4 profile: CL + mod_lsapi + OPcache + ionCube 10, PHP 7.0, 7.1 and 7.2, + Node.js
- Install CloudLinux's kernel monitor and the sys-snap.pl script, both to find the reason for server crashes.
Checklist: Imunify, MySQL, Nginx, Memcached, Softaculous, Cloudflare
LESSON 1: INSTALL THE COMODO WAF BEFORE NGINX
LESSON 2: RESELLER ACLs HAVE TO BE CREATED AND SET AGAIN UNDER RESELLER PRIVILEGES
- Stop cPHulk. cPHulk is cPanel's brute-force login protection; if it is turned off, make sure csf's login-failure blocking (the LF_* settings in csf.conf) covers cPanel, SSH and mail logins instead.
PHP settings reviewed (php.ini / phpinfo):
display_errors = Off
allow_url_fopen = On
asp_tags = Off
enable_dl = On   (conflicts with enable_dl = Off set in /opt/alt/php51/etc/php.ini above; Off is the safer value, since dl() lets a script load extensions at runtime)
file_uploads = On
max_execution_time = 30   (default 90)
max_input_time = -1
memory_limit = 128   (a bare number means bytes; write 128M)
post_max_size = 8M
safe_mode = On   (safe_mode was removed in PHP 5.4 and is ignored on PHP 7, so this provides nothing)
register_argc_argv = Off instead of On
serialize_precision = 100 instead of -1
ereg: not enabled (removed in PHP 7)
gmp
mcrypt: deprecated in PHP 7.1 and removed in 7.2; applications should use sodium or openssl for encryption.
mhash
SSLv3: not enabled, because of the POODLE attack
Registered Stream Filters: mcrypt., mdecrypt.
- Stop email notifications to users about expired SSL certificates:
Home » SSL/TLS » Manage AutoSSL
PHP upload limits:
memory_limit = 1024M
post_max_size = 512M
upload_max_filesize = 256M
max_execution_time = 300
max_input_vars = 3000 (not set; it depends on the server)
Whatever the values, always keep upload_max_filesize <= post_max_size, otherwise uploads fail. For example, if your configuration allows users to upload a 50 MB file but post_max_size is 20 MB, the request is not fulfilled because a single request can only post 20 MB.
Recommendations
To upload large files, post_max_size must be larger than upload_max_filesize.
memory_limit should be larger than post_max_size.
Guideline from the official PHP site:
http://php.net/manual/en/ini.core.php#ini.post-max-size
Sets the max size of post data allowed. This setting also affects file upload. To upload large files, this value must be larger than upload_max_filesize.
Generally speaking, memory_limit should be larger than post_max_size.
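The three rules above are simple, but php.ini values come as shorthand (8M, 512K, -1 for an unlimited memory_limit, a bare number for bytes), which is how a "memory_limit = 128" ends up meaning 128 bytes. Here is the check as code. This is an added example, not from php.net or the original guide: it converts php.ini sizes to bytes and verifies upload_max_filesize <= post_max_size <= memory_limit, reporting each broken rule. The values passed at the bottom are constructed (the ones this guide settles on, plus the 50 MB / 20 MB case from the text).

```bash
#!/bin/bash
# Added example (not from php.net or this guide): check the upload-size rules
# against php.ini values. PHP's shorthand uses K/M/G with 1024 multipliers, a
# bare integer is bytes, and -1 for memory_limit means no limit.

# Convert a php.ini size value to bytes (-1 is passed through unchanged).
php_ini_bytes() {
    local v="$1" n unit
    [ "$v" = "-1" ] && { printf '%s\n' -1; return 0; }
    n=${v%[KkMmGg]}
    unit=${v#"$n"}
    case "$unit" in
        [Gg]) echo $((n * 1073741824)) ;;
        [Mm]) echo $((n * 1048576)) ;;
        [Kk]) echo $((n * 1024)) ;;
        "")   echo "$n" ;;
        *)    echo "unrecognised size: $v" >&2; return 1 ;;
    esac
}

# Check upload_max_filesize <= post_max_size <= memory_limit.
# Prints one line per violated rule; exit status 1 if any rule fails.
php_upload_limits_check() {
    local up post mem rc=0
    up=$(php_ini_bytes "$1") || return 1
    post=$(php_ini_bytes "$2") || return 1
    mem=$(php_ini_bytes "$3") || return 1
    if [ "$up" -gt "$post" ]; then
        echo "upload_max_filesize ($1) is larger than post_max_size ($2): uploads over $2 are dropped"
        rc=1
    fi
    # memory_limit -1 is unlimited, so the second rule cannot fail then
    if [ "$mem" != "-1" ] && [ "$post" -gt "$mem" ]; then
        echo "post_max_size ($2) is larger than memory_limit ($3): a large POST can exhaust the script's memory"
        rc=1
    fi
    return $rc
}

# The values this guide settles on, then the broken example from the text,
# then the bare "128" that silently means 128 bytes.
php_upload_limits_check 256M 512M 1024M && echo "256M/512M/1024M: consistent"
php_upload_limits_check 50M 20M 128M || echo "50M/20M/128M: inconsistent"
php_upload_limits_check 8M 8M 128 || echo "8M/8M/128: memory_limit=128 is 128 bytes, not 128 MB"
```

Feed it the three directives from the php.ini you are editing (per alt-PHP version, since each has its own file) before restarting the handler; a non-zero exit means the combination will either reject uploads or let a single request outgrow the script's memory.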
I think it is unlikely that your email account is currently compromised. (But keep checking, anything can happen in the future 😀 )
You can use the Exim Blacklist to refuse all SMTP traffic from an IP:
WHM >> Service Configuration >> Exim Configuration Manager >> Basic Editor >> Access Lists >> Blacklisted SMTP IP addresses (IP addresses from which SMTP connections are dropped unconditionally)
Install SSL for other domains
CAA record allowing Let's Encrypt to issue for the host:
vps.fqdn.com CAA 1 issue "letsencrypt.org"
Security
Change the SSH port from 22 to 2233, or any other unused port, on CentOS:
[root@srv ~]# nano /etc/ssh/sshd_config
Install CpCleaner
Features:
- Cleans out files by extension or name.
- Cleans out the "tmp" and ".trash" folders.
- Supports cPanel and cPanel with CloudLinux, on CentOS 5/6/7.
See http://www.gk-root.com/GK-Apps/CpCleaner/.
Installation
Run the following shell commands as root via SSH:
wget -O cpc-1.0.3.tar "http://store.gk-root.com/dl.php?type=d&id=233"
tar -xf cpc-1.0.3.tar
cd cpc-1.0.3
sh cpc-installer -install
cd ..
rm -Rfv cpc-1.0.3/ cpc-1.0.3.tar
Update
Run the update by the following shell commands as root:
/usr/local/cpanel/base/3rdparty/CpCleaner/conf/update
[…] There are three popular solutions right now which can help you fight malicious content/viruses on web hosting servers. This article is part of our series on setting up a WHM server. […]
Good work. Is there any other recommendation for a LiteSpeed server to perform better with high security?
You can use the Nginx server.