Suggestions for CentOS 7.4 to make a Perfect Server an Awesome server!

Discussion in 'Tips/Tricks/Mods' started by kyferez, Aug 9, 2018 at 1:27 AM.

  1. kyferez (Member)

    Much of this is thanks to help I have received here. Major shout-outs to Till and Ztk.me and Ahrasis!

    1) Update the grub bootloader to log console messages to the screen so you can see errors if the kernel crashes:
    Code:
    nano /etc/default/grub
    In the GRUB_CMDLINE_LINUX line, change rhgb quiet from your entry, which looks like this:
    Code:
    GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet rootflags=uquota,gquota"
    to this (replacing rhgb quiet with loglevel=7 systemd.log_level=debug):
    Note: Do not replace the entire line, just change the indicated parts.
    Code:
    GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap loglevel=7 systemd.log_level=debug rootflags=uquota,gquota"
    2) Enable journalctl persistent logging so you can see logs from past boots:
    Code:
    mkdir /var/log/journal
    systemd-tmpfiles --create --prefix /var/log/journal
    systemctl restart systemd-journald
    3) Update fail2ban to have longer ban times, longer find times, and fewer retries:
    Code:
    nano /etc/fail2ban/jail.local
    Code:
    [DEFAULT]
    # 10800 = 3hr
    # 28800 = 8hr
    # 86400 = 1day
    # 432000 = 5day
    # 604800 = 1week
    # 1209600 = 2week
    # 2592000 = 30day
    # Keep the values bare: fail2ban only treats ";" as an inline comment when it is
    # preceded by whitespace, so "findtime = 86400; 28800 ; 8hr" is not read as 86400.
    bantime  = 432000
    findtime = 86400
    maxretry = 5
    
    [sshd]
    enabled = true
    port = 8822
    # ban the port sshd actually listens on (8822), not the default ssh port (22)
    action = iptables[name=sshd, port=8822, protocol=tcp]
    maxretry = 2
    bantime  = 2592000
    findtime  = 604800
    
    [pure-ftpd]
    enabled = true
    action = iptables[name=FTP, port=ftp, protocol=tcp]
    maxretry = 3
    bantime  = 2592000
    findtime  = 604800
    
    [dovecot]
    enabled = true
    action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
    maxretry = 5
    bantime  = 432000
    findtime  = 604800
    
    [postfix-sasl]
    enabled = true
    action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
    maxretry = 3
    bantime  = 2592000
    findtime  = 604800
    
    Or better yet, implement a permanent ban for IPs! But I haven't yet found an uncomplicated, reliable way to do this that doesn't involve modifying the core fail2ban files.

    4) Add SSL to your Mail server (I also recommend disabling Non-SSL for clients)
    https://www.howtoforge.com/communit...ut-webmail-works-perfectly.79252/#post-375327
    https://www.howtoforge.com/community/threads/pfs-letsencrypt-for-postfix-dovecot-pureftpd.77499/
    https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/

    5) Update your SPAM filters to be stronger:
    https://www.howtoforge.com/communit...-of-spam-filter-policies-in-ispconfig3.38480/

    6) Add additional PHP versions to ISPConfig:
    https://www.howtoforge.com/communit...e-php-versions-already-but.71847/#post-376006
    http://www.hexblot.com/blog/centos7-ispconfig3-and-multiple-php-versions
    https://www.sunaryohadi.info/additional-php-versions-centos-7-nginx-ispconfig-3-gce.htm

    7) Use the proper settings on the site for WordPress to update properly:
    https://www.howtoforge.com/communit...f-update-or-update-plugins.79238/#post-375063

    Feel free to make additional suggestions!
     
    Last edited: Aug 9, 2018 at 1:32 AM
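Steps 1 to 3 above as one script, added here as an example; it is not code from kyferez's post or from ISPConfig. It also carries the pieces the post leaves implicit: after editing /etc/default/grub nothing changes until grub2-mkconfig rebuilds grub.cfg (BIOS path shown; UEFI installs use /boot/efi/EFI/centos/grub.cfg), journald can record the persistence choice as Storage=persistent, and fail2ban-client -d parses the merged config before the service is restarted. The fail2ban fragment writes comments on their own lines and binds the sshd action to port 8822, the port sshd actually listens on in the post; only the [sshd] and [postfix-sasl] jails are reproduced, the other jails from the post go in the same way. The script name awesome-server.sh, the "apply" argument and the idea of taking file paths as arguments so the functions can be rehearsed on scratch copies are assumptions made for this example.

```shell
#!/bin/bash
# Added example (not from the original post): steps 1-3 as shell functions,
# plus regenerating grub.cfg, journald Storage=persistent and a fail2ban
# config parse before restart. Functions take a file path so they can be
# rehearsed on scratch copies before touching /etc (assumption of this example).
set -eu

# Step 1: swap "rhgb quiet" for verbose console logging, touching only the
# GRUB_CMDLINE_LINUX line. Idempotent; prints the resulting line.
set_grub_verbose() {
    local grub_default="$1"
    sed -i -E '/^GRUB_CMDLINE_LINUX=/ s/rhgb quiet/loglevel=7 systemd.log_level=debug/' "$grub_default"
    grep '^GRUB_CMDLINE_LINUX=' "$grub_default"
}

# Step 2: Storage=auto already persists once /var/log/journal exists;
# Storage=persistent records the intent in journald.conf. Idempotent.
set_journald_persistent() {
    local conf="$1"
    if grep -qE '^Storage=' "$conf"; then
        sed -i -E 's/^Storage=.*/Storage=persistent/' "$conf"
    else
        printf 'Storage=persistent\n' >> "$conf"
    fi
    grep '^Storage=' "$conf"
}

# Step 3: jail.local with the post's values, comments on their own lines,
# and the sshd ban applied to the port sshd really listens on (8822).
write_jail_local() {
    cat > "$1" <<'EOF'
[DEFAULT]
# 86400 = 1 day, 432000 = 5 days, 604800 = 1 week, 2592000 = 30 days
bantime  = 432000
findtime = 86400
maxretry = 5

[sshd]
enabled  = true
port     = 8822
action   = iptables[name=sshd, port=8822, protocol=tcp]
maxretry = 2
bantime  = 2592000
findtime = 604800

[postfix-sasl]
enabled  = true
action   = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
maxretry = 3
bantime  = 2592000
findtime = 604800
EOF
}

# Read one key from one [section], applying the rule fail2ban's parser uses:
# ";" starts an inline comment only when preceded by whitespace. Use it to
# confirm a value really is what you meant before restarting fail2ban.
jail_get() {
    local file="$1" section="$2" key="$3"
    awk -v s="[$section]" -v k="$key" '
        $0 == s { insec = 1; next }
        /^\[/   { insec = 0 }
        insec && $0 ~ ("^" k "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, "")
            sub(/[[:space:]];.*$/, "")
            sub(/[[:space:]]+$/, "")
            print; exit
        }' "$file"
}

# Apply for real (as root) with: ./awesome-server.sh apply
if [ "${1:-}" = "apply" ]; then
    set_grub_verbose /etc/default/grub
    grub2-mkconfig -o /boot/grub2/grub.cfg      # /etc/default/grub is only an input
    mkdir -p /var/log/journal
    set_journald_persistent /etc/systemd/journald.conf
    systemd-tmpfiles --create --prefix /var/log/journal
    systemctl restart systemd-journald
    write_jail_local /etc/fail2ban/jail.local
    fail2ban-client -d > /dev/null              # parse the merged config first
    systemctl restart fail2ban
fi
```

Rehearse each function on a copy of the real file first (e.g. cp /etc/default/grub /tmp/grub && set_grub_verbose /tmp/grub) and run jail_get on your own jail.local: a value such as "86400; 28800" coming back where you expected 86400 is exactly the inline-comment problem the cleaned-up config avoids.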
  2. Jesse Norell (Well-Known Member)

    Just modify the .local equivalent; they override the distributed .conf files for doing exactly that.
     