advice for setting up small 2GB RAM webserver (Vserver)

Discussion in 'General' started by manarak, Jun 18, 2018.

  1. manarak

    manarak Member

    I have been a long-time user of ISPConfig3, thank you for this great tool!

    I would like to ask advice for setting up a small Vserver with 2GB RAM as a full-featured webserver with ISPConfig3, firewall, email, FTP, phpmyadmin, webmail, etc. and a maximum of features, such as mod security, fail2ban, and if possible spam protection and other useful tools you can suggest.

    First, about the operating system - I have used Debian for a long time, but I feel the major version changes are too quick for my taste.
    Would CentOS be a better choice? Any drawbacks?

    Is the following configuration the best for my 2 GB RAM setup?
    https://www.howtoforge.com/tutorial...l-php-pureftpd-postfix-dovecot-and-ispconfig/

    About fail2ban and firewall: in the past, I had the issue that my Vservers didn't have access to iptables due to the virtualization technique used. Is this still an issue? What should I look out for to have a functional firewall that fail2ban can use?

    mod_security: here the issue was that mod_security for Debian didn't get updated for whatever reason, so I had to run obsolete versions for ages. Is this issue still current, or is it different if I use CentOS? Of course, a functional fail2ban with mod_security is a big win for blacklisting attacker IPs.

    SSL: I haven't looked at the latest ISPConfig version for some time, but I had to work with Plesk. Plesk makes it easy to set up certificates with Let's Encrypt, and installation including http to https 301-redirects is practically a 2-click process. How easy is that on ISPConfig?

    DNS: most domain registrars now offer fully configurable DNS, is it really necessary to run a DNS server such as BIND? (I'm not good at DNS, so this may be a stupid question.)

    Regarding email setup - this topic is often overlooked, but the PHP mail() function and sendmail are not performing well vs. spamfilters. Programs need to be able to send emails using a properly configured SMTP server. In the past I used PEAR mail to do that, is there a better way to do things now?
    Still regarding email, is there a comprehensive guide on how to best set up a small server to not trigger spamfilters? I am thinking about servername, reverse DNS, SPF, DKIM, DMARC and any other relevant stuff.
    Still about emails: what tools are there to process the response of other mailservers to mails sent from my server, for example converting mail logs into MySQL tables?

    2 GB RAM and munin/monit: the Vservers I used in the past have a "processkiller daemon" which kills processes when RAM limits are reached.
    So I tried to use munin/monit to get critical processes to restart, but quite frequently one of these munin or monit processes got killed itself, thus thwarting my cunning attempt at server stability. Are there now better solutions to restart processes that were killed?

    saslauthd: this horrible little piece of crap has been haunting my email servers for years. It would always end up crashing (bug related, I believe), and suddenly users would not be able to send emails anymore. I believe it's part of Postfix and I see that the proposed CentOS configuration above also makes use of Postfix. Has saslauthd been fixed? If not, are there any workarounds?

    As you can see, I would like to set up the server in a perfect way, getting all the small details right.
    I am thankful for any advice.
    If you know about any guides or checklists focusing on the details of small webserver setup, please let me know.

    P.S.
    Another question - I run several Vservers, the main reason being the different IP addresses - I don't want people to be able to relate two websites as being hosted on the same machine. So... as hosters also offer additional IP addresses for Vservers, is there a way to run a larger server with several IP addresses and groups of websites assigned to specific IP addresses with different hostnames? I.e. it is impossible to tell from the outside that the websites on different IPs are running on the same server?
     
    Last edited: Jun 18, 2018
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I won't use CentOS, too much trouble. CentOS is changing more than one would expect, they just don't alter the major version number. And some other parts in CentOS 7 are so old nowadays that one would have to add third party repos for e.g. PHP to get a recent system config. If the life cycle on Debian is too short, then you might want to consider Ubuntu LTS.
     
    manarak likes this.
  3. manarak

    manarak Member

    Thank you Till, Ubuntu LTS looks good indeed, I will give it a try!
     
  4. manarak

    manarak Member

    Regarding a server running several IP addresses, I have researched a bit about Postfix, it seems smtp_helo_name based on reverse IP has to be manually added in master.cf?
    Is that correct, or does ISPConfig do it?
     
  5. Jesse Norell

    Jesse Norell Well-Known Member

    That is correct, ISPConfig does not have any means to configure that currently.
     
    manarak likes this.
  6. manarak

    manarak Member

    Thank you..
    Do you know a howto for that?
     
  7. manarak

    manarak Member

    Does anyone know if SSH uses different hostnames for different IPs?
     
  8. Jesse Norell

    Jesse Norell Well-Known Member

    You just specify multiple entries for the smtp service in /etc/postfix/master.cf, bound to specific IP addresses, e.g.:
    Code:
    x.x.x.1:smtp      inet  n       -       y       -       100      smtpd
        -o myhostname=mail.domain1.com
        -o mydomain=domain1.com
        -o smtpd_tls_cert_file=/etc/ssl/certs/mail.domain1.pem
    
    x.x.x.2:smtp      inet  n       -       y       -       100      smtpd
        -o myhostname=mail.domain2.com
        -o mydomain=domain2.com
        -o smtpd_tls_cert_file=/etc/ssl/certs/mail.domain2.pem
    
    x.x.x.3:smtp      inet  n       -       y       -       100      smtpd
        -o myhostname=mail.domain3.com
        -o mydomain=domain3.com
        -o smtpd_tls_cert_file=/etc/ssl/certs/mail.domain3.pem
    
    Also see this for corresponding changes on the sending side: https://www.howtoforge.com/community/threads/different-ip-for-email.70582/#post-332222
     
    manarak and ahrasis like this.
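
A small audit for the per-address layout shown in the post above, as an added example that is not part of the original thread or of ISPConfig: it folds master.cf continuation lines and reports smtpd listeners that lack a `myhostname` or `smtpd_tls_cert_file` override, since a listener without them falls back to the main.cf values shared by every address. The sample input and its 192.0.2.x addresses are constructed, and only the `-o name=value` form is parsed.

```python
import re

# Constructed sample in master.cf syntax; the 192.0.2.x addresses are
# documentation-range placeholders (assumption), not values from the thread.
SAMPLE_MASTER_CF = """\
192.0.2.1:smtp  inet  n  -  y  -  100  smtpd
    -o myhostname=mail.domain1.com
    -o mydomain=domain1.com
    -o smtpd_tls_cert_file=/etc/ssl/certs/mail.domain1.pem
# second listener forgets the certificate override
192.0.2.2:smtp  inet  n  -  y  -  100  smtpd
    -o myhostname=mail.domain2.com
smtp            inet  n  -  y  -  -    smtpd
"""

REQUIRED = ("myhostname", "smtpd_tls_cert_file")

def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace) to their entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries

def audit_smtpd_listeners(text):
    """Return {service: [problems]} for every inet smtpd entry."""
    report = {}
    for entry in logical_lines(text):
        fields = entry.split()
        if len(fields) < 8 or fields[1] != "inet" or fields[7] != "smtpd":
            continue
        overrides = dict(re.findall(r"-o\s+([\w.]+)=(\S+)", entry))
        service = fields[0]
        if ":" not in service:
            # no address prefix: one listener serves all addresses alike
            report[service] = ["not bound to a specific address"]
        else:
            report[service] = [k for k in REQUIRED if k not in overrides]
    return report

if __name__ == "__main__":
    for service, problems in audit_smtpd_listeners(SAMPLE_MASTER_CF).items():
        print(service, "OK" if not problems else "MISSING: " + ", ".join(problems))
```
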
  9. manarak

    manarak Member

    Thank you @Jesse
     