Suggestions for CentOS 7.4 to make a Perfect Server an Awesome server!

Discussion in 'Tips/Tricks/Mods' started by kyferez, Aug 9, 2018.

  1. kyferez

    kyferez Member

    Much of this is thanks to help I have received here. Major shouts out to Till and Ztk.me and Ahrasis!

    1) Update the grub bootloader to log console messages to the screen so you can see errors if the kernel crashes:
    Code:
    nano /etc/default/grub
    Change the rhgb quiet part of your GRUB_CMDLINE_LINUX entry from this:
    Code:
    GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet rootflags=uquota,gquota"
    to this (replacing rhgb quiet with loglevel=7 systemd.log_level=debug):
    Note: Do not replace the entire line, just change the indicated parts.
    Code:
    GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap loglevel=7 systemd.log_level=debug rootflags=uquota,gquota"
    2) Enable journalctl persistent logging so you can see logs from past boots:
    Code:
    mkdir /var/log/journal
    systemd-tmpfiles --create --prefix /var/log/journal
    systemctl restart systemd-journald
    3) Update fail2ban to have longer ban times, longer find times, and fewer retries:
    Code:
    nano /etc/fail2ban/jail.local
    Code:
    [DEFAULT]
    bantime  = 432000 ; 5 days (10800 would be 3 hours)
    findtime  = 86400 ; 1 day (28800 = 8 hours, 1209600 = 2 weeks)
    maxretry = 5
    # an inline ';' comment only counts when a space precedes the ';'
    #28800 = 8hr
    #86400 = 1day
    #432000 = 5day
    #604800 = 1week
    #2592000 = 30day
    
    [sshd]
    enabled = true
    port = 8822
    # ban the port sshd actually listens on (8822 above), not the default ssh/22
    action = iptables[name=sshd, port=8822, protocol=tcp]
    maxretry = 2
    bantime  = 2592000
    findtime  = 604800
    
    [pure-ftpd]
    enabled = true
    action = iptables[name=FTP, port=ftp, protocol=tcp]
    maxretry = 3
    bantime  = 2592000
    findtime  = 604800
    
    [dovecot]
    enabled = true
    action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
    maxretry = 5
    bantime  = 432000
    findtime  = 604800
    
    [postfix-sasl]
    enabled = true
    action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
    maxretry = 3
    bantime  = 2592000
    findtime  = 604800
    
    Or better yet implement a permanent ban for IPs! But I haven't yet found a non-complicated reliable way to do this that doesn't involve modifying the core fail2ban files.

    4) Add SSL to your Mail server (I also recommend disabling Non-SSL for clients)
    https://www.howtoforge.com/communit...ut-webmail-works-perfectly.79252/#post-375327
    https://www.howtoforge.com/community/threads/pfs-letsencrypt-for-postfix-dovecot-pureftpd.77499/
    https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/

    5) Update your SPAM filters to be stronger:
    https://www.howtoforge.com/communit...-of-spam-filter-policies-in-ispconfig3.38480/

    6) Add additional PHP versions to ISPConfig:
    https://www.howtoforge.com/communit...e-php-versions-already-but.71847/#post-376006
    http://www.hexblot.com/blog/centos7-ispconfig3-and-multiple-php-versions
    https://www.sunaryohadi.info/additional-php-versions-centos-7-nginx-ispconfig-3-gce.htm

    7) Use the proper settings on the site for Wordpress to update properly:
    https://www.howtoforge.com/communit...f-update-or-update-plugins.79238/#post-375063

    8) Increase the size of SWAP if you only have 1GB RAM
    https://www.digitalocean.com/community/tutorials/how-to-add-swap-on-centos-7
    https://unix.stackexchange.com/questions/294600/i-cant-enable-swap-space-on-centos-7
    Make 2GB swap:
    Code:
    fallocate -l 2G /swapfile
    chmod 600 /swapfile
    dd if=/dev/zero of=/swapfile count=2048 bs=1MiB
    mkswap /swapfile
    swapon /swapfile
    swapon -s          # verify it worked
    free               # see usage
    nano /etc/fstab    # make permanent, add this line to the file:
    /swapfile swap swap sw 0 0

    9) Make your server an Authoritative DNS nameserver for your sites
    https://www.howtoforge.com/ispconfig_dns_godaddy
    https://www.howtoforge.com/how-to-run-your-own-name-server-with-ispconfig-3-and-fast-hosts

    10) Add Dynamic DNS to your authoritative DNS nameserver
    https://www.howtoforge.com/communit...r-for-debian-ubuntu-ispconfig-3-server.69910/
    https://github.com/DIXINFOR/ddns-update-for-ispconfig

    Feel free to make additional suggestions!
     
    Last edited: Aug 25, 2018
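A small lint for a jail.local like the one in step 3, added here as an example (not code from the post or from fail2ban): it parses the file with the inline-comment rule fail2ban documents in jail.conf (a ';' is a comment only when a space precedes it), reports bantime/findtime/maxretry values that did not come out as plain numbers, and reports a jail whose custom port differs from the port its explicit iptables action bans. The sample text is constructed from the post's configuration.

```python
"""Lint a fail2ban jail.local for two mistakes that silently weaken bans.
Added example; the sample config below is constructed from the post above."""
import configparser
import re

SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
bantime  = 432000 ; 5day ; 10800 ;3 hours
findtime  = 86400; 28800 ; 8hr; 1209600 ; 2week; 86400 ;1 day
maxretry = 5

[sshd]
enabled = true
port = 8822
action = iptables[name=sshd, port=ssh, protocol=tcp]
maxretry = 2
"""

# Seconds, or fail2ban 0.10's single-unit shorthand (10m, 5d); -1 is permanent.
VALUE_RE = re.compile(r"^-?\d+[smhdw]?$")
# Explicit port= inside an action spec, quoted ("smtp,smtps") or bare (ssh).
ACTION_PORT_RE = re.compile(r'\bport\s*=\s*(?:"([^"]*)"|([^,\]\s]+))')


def lint(text):
    """Return a list of problem descriptions; an empty list means clean."""
    # Mirror fail2ban's rule: ';' starts an inline comment only after a space.
    # default_section is renamed so [DEFAULT] is checked once, not merged into every jail.
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",),
                                   interpolation=None, default_section="__no_defaults__")
    cp.read_string(text)
    problems = []
    for section in cp.sections():
        for key in ("bantime", "findtime", "maxretry"):
            if cp.has_option(section, key):
                value = cp.get(section, key).strip()
                if not VALUE_RE.match(value):
                    # e.g. "86400; 28800": the first ';' has no space before it
                    problems.append(f"[{section}] {key} = {value!r} is not a plain number")
        if cp.has_option(section, "port") and cp.has_option(section, "action"):
            jail_port = cp.get(section, "port").strip()
            m = ACTION_PORT_RE.search(cp.get(section, "action"))
            banned = (m.group(1) or m.group(2)).strip() if m else None
            # Literal comparison: 'ssh' and '22' are deliberately not equated.
            if banned is not None and banned != jail_port:
                problems.append(f"[{section}] port = {jail_port} but the action bans port {banned!r}")
    return problems

if __name__ == "__main__":
    for line in lint(SAMPLE_JAIL_LOCAL) or ["no problems found"]:
        print(line)
```

Run it against your own /etc/fail2ban/jail.local by passing the file contents to lint().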
  2. Jesse Norell

    Jesse Norell Well-Known Member

    Just modify the .local equivalent; they override the distributed .conf files for doing exactly that.
     
