This guide is composed of material found from
various other web hosting, control panel, and script forums related to
optimization, hardening and securing. This is also cPanel oriented
however can be used for other servers running different control panels just to
name a few Plesk, DirectAdmin, Webmin.
Now before we begin I cannot stress enough that you NEED to read my post
thoroughly taking every last word into detail as you are applying these methods
on your own risk as a VPS is not all sunshine and lollipops. If you don't know
what you are doing, it is strongly suggested to do a bit of research before
attempting it, these methods have been tested on several different servers and I
personally have conducted benchmarking with these methods on several VPSes right
here at PowerVPS. And of course you will learn to love the "cp" command (copy)
as I'm going to be mentioning it quite a bit and again I cannot stress enough
that you BACK UP EVERYTHING YOU CHANGE don't be one of those people that
say "Oh, that will never happen to me!" don't be fooled.. Karma will get you one
Now let's start with the basics:
First off, jump into your serveru sing a SECURE connection (https://220.127.116.11:2087)
of course changing the
18.104.22.168 part to your servers IP - this is so the data
sent across your internet connection to your server is encrypted and undecodable.
Navigate your browser to Server
Configuration -> Tweak Settings then making sure the following items are
ticked (double check they are if they are not ticked, TICK THEM) unless I
specify otherwise (they will be color coded for easy reading -
Green = GOOD and
(Below is an example on how I will layout my guide)
When adding a new domain, automatically create A entries for
the registered nameservers if they would be contained in the zone.
Prevent users from parking/adding on common internet domains. (ie hotmail.com,
When adding a new
domain, if the domain is already registered, ignore the configured nameservers,
and set the NS line to the authoritative (registered) ones.
And now make sure the following is NOT ticked:
Allow users to Park/Addon Domains on top of domains owned by other users.
(probably a bad idea)
Allow Creation of
Parked/Addon Domains that resolve to other servers (ie domain transfers) [This
can be a major security problem. If you must have it enabled, be sure to not
allow users to park common internet domains.]
Allow Creation of Parked/Addon Domains that are not registered
(TICK) Default catch-all/default address
behavior for new accounts. blackhole is usually the best choice if you are
getting mail attacks.
(TICK) Set this to "fail" for general use and
as stated above "blackhole" if you're getting mail fooded (over 1000 emails in
the mail queue)
(TICK) Silently Discard all FormMail-clone
requests with a bcc: header in the subject line
(TICK) Track the origin of messages sent though
the mail server by adding the X-Source headers (exim 4.34+ required)
Here's a tricky setting, "The maximum each domain can send out per hour
(0 is unlimited):" set this number to something you think is reasonable my
personal preference is 60.. basically this setting will limit each account (not
just the domain) on how many emails it can send out per hour, basically if you
have a spammer on your machine and you can't find him.. set this to 60 and you
will definitely stop him in his tracks.
Now this next one is also tricky ""Prevent the user "nobody" from sending out
mail to remote addresses (PHP and CGI scripts generally run as nobody if you
are not using PHPSuexec and Suexec respectively.)"" tick this if you want to
disable any account on your machine from sending mail as "Nobody" it's really up
to you in the end, if you're very strict (like me) you will enable this and
force all your accounts to use the local SMTP server (which is probably better
as when you receive emails from forums and stuff they don't come as "firstname.lastname@example.org"
they come as "email@example.com" which in my sense looks more professional.
(TICK) Include a list of Pop before SMTP
senders in the X-PopBeforeSMTP header when relaying mail. (exim 4.34-30+
And the same thing applies with this next one " The number of times users are
allowed to check their mail using pop3 per hour. Zero is unlimited. (cppop
only):" basically set this limit to again something around 60 or so if you're
getting mail attacked.. it will again stop the attack right in it's tracks.
(TICK) Attempt to prevent pop3 connection
Now this setting "BoxTrapper Spam Trap" is strongly recommended to disable as
having boxtrapper enabled can very easily lead to your server being listed in
common RBLs and usually has the effect of increasing the overall spam load, not
If you aren't required to use MySQL5, don't. Use MySQL 4.1 with the option "
Use old style (4.0) passwords with mySQL 4.1+ (required if you have problems
with php apps authenticating)" nearly always enabled it will stop certain
applications using older methods of authenticating with MySQL.
(TICK) Always redirect users to the ssl/tls ports
when visiting /cpanel, /webmail, etc.
(TICK) Use jailshell as the default shell for
all new accounts and modified accounts
(TICK) Use native SSL support if possible,
negating need for Stunnel
Allow cPanel users to reset their password
via email (This option has been vulnerable in the past, so you should keep it
(TICK) Prevent installation of addon scripts not
provided by cPanel
(TICK) Prevent installation of cPanel addon
scripts that have be altered (Turning this off may be useful when testing custom
Fix Insecure Permissions (Scripts)
Fix Insecure Permissions (Scripts) (Run this at least once a month to make sure
there are no inscure permissions on scripts running on your server.)
Security -> Manage Wheel Group Users
Remove all users except for root and your main account from the wheel group.
unless you directly need another account there for SUing purposes, never ever
have apache or any other system service listed in the wheel group.
Security -> Modify Apache Memory Usage
You should set a value RLimitCPU to prevent runaway scripts from consuming
server resources - DOS exploits can typically do this. Run this at least once a
week to reassure the limit is up to date
Security -> Quick Security Scan
You'll only need to run this once, but make sure you do. (Running this will
ensure that bad services are not running on your server)
Security -> Shell Fork Bomb Protection
Enable Shell Fork Bomb/Memory Protection. (You should enable shell resource
limits to prevent shell users from consuming server resources - DOS exploits
typically do this.)
Security -> Tweak Security
Enable PHP's open_basedir Tweak. (To prevent
PHP scripts from straying outside their cPanel account, and possibly executing
or modifying other accounts files)
Enable Apache's mod_userdir Tweak. (To
prevents users from stealing bandwidth or hackers hiding access/accounts to your
Disable Compilers. (This tweak will disable the system's c and c++ compilers for
unprivileged accounts on your VPS. Many canned exploits require working
compilersc on the system to operate. You can also choose to allow some users to
use the compilers while they remain disabled by default.)
-> Enable/Disable SuExec
(To reduce the risk of hackers accessing all sites on the server from a
compromised CGI web script, you should keep this enabled.)
-> Exim Configuration Editor
set the "Sender:" header when the sender is changed from the actual sender. Unchecking this will stop "On behalf of" data in Microsoft(R) Outlook, but may
limit your ability to track abuse of the mail system.
Verify the existence of email senders.
callouts to verify the existence of email senders.
Discard email for users who have exceeded their quota rather than keeping
it in the queue. (This again is up to you really, if you don't wish to have
accounts that are suspended due to exceeding their quota loose all their new
mail then leave this unticked)
Now jump into the "Advanced Editor" and in the first white box paste the
log_selector = +all
smtp_load_reserve = 4
queue_only_load = 2
deliver_queue_load_max = 5
The above settings will allow exim to use
extended logging for all accounts on the server, and the functions with the
numbers tell exim not to use all the resources on your server if you're
processing a lot of mail all at the same time.
Then click Save
-> FTP Configuration
Disable Anonymous FTP access (Used as an attack vector by hackers and should be
disabled unless actively used by your accounts)
-> Service Manager
Making sure all services are enabled and monitored as it is vital that you know
the status of all the services on your machine, however please take note to
disable the Java Melange Chat Server as it has been deprecated by cPanel and as
such should be considered a security concern.
-> Background Process Killer
You should enable each item in this menu, which will disable the process from
running on all accounts.
-> Setup Spamd Startup Configuration
These are the recommended settings for a Power 1 and above VPS:
Maximum Children: 2
Allowed IPs: 127.0.0.1
Maximum Connections Perl Child: 200
Identification output for Apache. (This is
to hide version numbers from potentional hackers)
Type CTRL + W then type ServerSignature then hit
enter, once you've found it replace the "On" with "Off"
Apache /etc/rc.d/init.d/httpd restart
for Low Memory Usage
Apache can consume quite a bit of memory, if
you're not careful. This part of the guide discusses how to reduce the amount of
memory it uses without killing performance. The caveat, of course, is that
you're not going to be able to run a site with a large database and large amount
of traffic with these settings. I'm going to try to explain the WHY more
than the WHAT. All of this is in conjunction with my goal of reducing the
amount of ram. Before I begin, I'd like to say that you should also look at
various system utilities that consume ram. Services like FTP and SMTP can and
should be passed off to xinetd. Also, you should look at shells besides bash,
such as dash. And, if you're really serious about low memory, you might look at
using something like BusyBox,
which brings you into the realm of real embedded systems. Personally, I
just want to get as much as I can out of a standard linux distribution. If I
need more horsepower, I want to be able to move to bigger, faster virtual
machines and/or dedicated servers. For now, optimizing a small virtual machine
First off, Apache. My first statement is, if you can avoid it, try to.
both very good no frills webservers, and you can run lighttpd with PHP.
Even if you're running a high volume site, you can seriously gain some
to a lightweight, super-fast HTTPd server such as Lighttpd.
The biggest problem with Apache is the
amount of ram it uses. I'll discuss the following techniques for speeding up
Apache and lowering the ram used.
- Loading Fewer Modules
- Handle Fewer Simultaneous Requests
- Recycle Apache Processes
- Use KeepAlives, but not for too long
- Lower your timeout
- Log less
- Don't Resolve Hostnames
- Don't use .htaccess
Loading Fewer Modules
First things first, get rid of
unnecessary modules. Look through your config files and see what modules you
might be loading. Are you using CGI? Perl? If you're not using modules, by all
means, don't load them. That will save you some ram, but the BIGGEST impact is
in how Apache handles multiple requests.
Handle Fewer Simultaneous Requests
The more processes apache is allowed to run,
the more simultaneous requests it can serve. As you increase that number, you
increase the amount of ram that apache will take. Looking at TOP would suggest
that each apache process takes up quite a bit of ram. However, there are a lot
of shared libraries being used, so you can run some processes, you just
can't run a lot. With CentOS 4.4 and Apache1, the following lines are the
I haven't found documentation on this, but
prefork.c seems to be the module that's loaded to handle things w/ Apache1 and
CentOS 4.4. Other mechanisms could or could not be much more memory efficient,
but I'm not digging that deep, yet. I'd like to know more, though, so post a
comment and let me know. Anyway, the settings that have worked for me are:
What I'm basically saying is, “set the maximum
amount of requests that this server can handle at any one time to 5.” This is
pretty low, and I wouldn't try to do this on a high volume server. However,
there is something you can and should do on your webservers to get the most out
of them, whether you're going for low memory or not. That is tweak the keepalive
Recycle Apache Processes
If you noticed, I changed the
MaxRequestsPerChild variable to 500, from 0. This variable tells Apache how many
requests a given child process can handle before it should be killed. You want
to kill processes, because different page requests will allocate more memory. If
a script allocates a lot of memory, the Apache process under which it runs will
allocate that memory, and it won't let it go. If you're bumping up against the
memory limit of your system, this could cause you to have unnecessary swapping.
Different people use different settings here. How to set this is probably a
function of the traffic you receive and the nature of your site. Use your brain
on this one.
Use KeepAlives, but not for too long
Keepalives are a way to have a
persistent connection between a browser and a server. Originally, HTTP was
frame, etc. on your pages had to be requested using a separate connection to the
server. When keepalives came into wide use with HTTP/1.1, web browsers were able
to keep a connection to a server open, in order to transfer multiple files
across that same connection. Fewer connections, less overhead, more performance.
There's one thing wrong, though. Apache, by default, keeps the connections open
for a bit too long. The default seems to be 15 seconds, but you can get by
easily with 2 or 3 seconds.
This is saying, “when a browser stops
requesting files, wait for X seconds before terminating the connection.” If
you're on a decent connection, 3 seconds is more than enough time to wait for
the browser to make additional requests. The only reason I can think of for
setting a higher KeepAliveTimeout is to keep a connection open for the NEXT page
request. That is, user downloads page, renders completely, clicks another link.
A timeout of 15 would be appropriate for a site that has people clicking from
page to page, very often. If you're running a low volume site where people
click, read, click, etc., you probably don't have this. You're essentially
taking 1 or more apache processes and saying, “for the next 15 seconds, don't
listen to anyone but this one guy, who may or may not actually ask for
anything.” The server is optimizing one case at the expense of all the other
people who are hopefully hitting your site.
Lower Your Timeout
Also, just in case, since you're limiting
the number of processes, you don't want one to be “stuck” timing out for too
long, so i suggest you lower your “normal” Timeout variable as well.
If you're trying to maximize performance,
you can definitely log less. Modules such as Mod_Rewrite will log
debugging info. If you don't need the debugging info, get rid of it. The Rewrite
log is set with the RewriteLogUser-Agent or the Http-Referer. I
like seeing those things, but it's up to you.
command. Also, if you don't care about looking at certain statistics, you can
choose to not log certain things, like the
Don't Resolve Hostnames
This one's easy. Don't do reverse lookups
inside Apache. I can't think of a good reason to do it. Any self respecting log
parser can do this offline, in the background.
Don't Use .htaccess
You've probably seen the AllowOverride
None command. This says, “don't look for .htaccess files” Using .htaccess
will cause Apache to 1) look for files frequently and 2) parse the .htaccess
file for each request. If you need per-directory changes, make the changes
inside your main Apache configuration file, not in .htaccess.