
Showing posts with the label Installation Perquisite

How to Change Admin Port for Vesta Admin Control Panel?

I will show you how to change the default Vesta port from port 8083 to port 2087. You can change your port number to any other number; I use port 2087 because Cloudflare supports that port in their free subscription, so I can protect my server from DDoS attacks using the Cloudflare free plan. In brief, the steps to change your port are:
1. Add the new port (2087) to the VestaCP firewall
2. Edit Nginx to listen on the new port
3. Restart Vesta
4. Delete the old port, 8083
I am not using the VestaCP firewall; I use the CSF firewall with my Vesta Control Panel, so I am not showing step 1.
2. Edit Nginx to listen on the new port
# vi /usr/local/vesta/nginx/conf/nginx.conf

How to enable http2 and Secure Server FQDN for VestaCp in Ubuntu 16.04 L.T.S?

We have already secured nginx and vesta-nginx using a Let's Encrypt SSL certificate in our previous tutorial. Now it is very important to secure the server FQDN; my server FQDN is mail.datahead.biz. First I will enable http2, then I will redirect all http requests to https.
1. First, enable http2 in the server block
# vi /home/admin/conf/web/mail.datahead.biz.nginx.ssl.conf
server {
    listen 192.146.82.3:443 ssl http2;
    server_name mail.datahead.biz;
    server_tokens off;
    root /home/admin/web/mail.datahead.biz/public_html;
    index index.php index.html index.htm;
    access_log /var/log/nginx/domains/mail.datahead.biz.log combined;
    access_log /var/log/nginx/domains/mail.datahead.biz.bytes bytes;
    error_log /var/log/nginx/domains/mail.datahead.biz.error.log error;
    #ssl on;
    ssl_certificate /home/admin/conf/web/ssl.mail.datahead.biz.pem;
    ssl_certificate_key /home/admin/conf/web/ssl.mail.datahead.biz.key;
2. Redirect all ht

How to Harden Vesta Nginx with Let's Encrypt SSL Certificate ?

Nginx 1.17.10 works as a reverse proxy for the Vesta Admin Control Panel, where it is installed as vesta-nginx. You can check the vesta-nginx version:
# /usr/local/vesta/nginx/sbin/vesta-nginx -v
nginx version: nginx/1.12.2
Vesta Nginx location:
# cd /usr/local/vesta/nginx
Take a backup of the vesta-nginx configuration file:
# cd /usr/local/vesta/nginx/conf
# cp -a nginx.conf nginx.conf-bak
1. Replace the code below
# vi /usr/local/vesta/nginx/conf/nginx.conf
# SSL PCI Compliance
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
with
# SSL Settings
#ssl_protocols TLSv1.3; # Requires nginx >= 1.13.0 else use TLSv1.2
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
#ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ciphers ECDHE

How to Harden Nginx with Let's Encrypt SSL Certificate and get A+ Score from Qualys Lab ?

I have previously written these articles for CentOS Web Panel, for both Nginx + Varnish + Apache + PHP-FPM and Apache-only servers. Source details:
1. Install Letsencrypt SSL Certificate for your Server Hostname/FQDN, 100% Working
2. Install Let'sEncrypt for Admin Panel & User Panel Again, 100% Working
My certificate score after SSL hardening: There are some changes needed for both articles mentioned above; I will do that later for CentOS Web Panel. Now I have started to like VestaCP, which is a very lightweight control panel with many nginx-based templates for many CMSes. I am using Nginx + PHP-FPM on Ubuntu 16.04 L.T.S. I have added a 4096-bit Let's Encrypt SSL certificate for the VestaCP Admin Panel, which works perfectly with no warnings from any browser. Article: How to Configure 4096 bits Let's Encrypt SSL for VestaCP Control (Admin) Panel? Using an SSL certificate does not by itself mean you are secure. You have to harden (secure) your SSL configurat

How to Configure 4096 bits Let's Encrypt SSL for VestaCP Control (Admin) Panel?

VestaCP uses a self-signed certificate for the control panel login URL, so you will get a warning from your browser. We will generate a 4096-bit Let's Encrypt SSL certificate for the VestaCP Control Panel. It is a very easy process. We will link the SSL certificate of the server FQDN, which is used to log in to the VestaCP Control Panel.
# mv /usr/local/vesta/ssl/certificate.crt /usr/local/vesta/ssl/certificate.crt.old
# mv /usr/local/vesta/ssl/certificate.key /usr/local/vesta/ssl/certificate.key.old
# ln -s /home/admin/conf/web/ssl.mail.datahead.biz.pem /usr/local/vesta/ssl/certificate.crt
# ln -s /home/admin/conf/web/ssl.mail.datahead.biz.key /usr/local/vesta/ssl/certificate.key
# reboot

Part 1: VestaCP Basic Configuration after Fresh Installation

We need to change some basic configuration after VestaCP is successfully installed. There are four default packages in VestaCP: default, gainsboro, palegreen, slategrey.
1. Change the name servers on each package as per your needs; my name servers are ns1.datahead.biz and ns2.datahead.biz
2. Create a package as per your needs
3. Change the admin password and set SSH access to nologin
4. Delete the alias for the server FQDN
5. Configure DNS for the server FQDN
6. Delete the default database and user from phpMyAdmin
7. Configure authoritative DNS from your domain panel

How to Update & Upgrade APT on Ubuntu 16.04 LTS?

You should first run update, then upgrade. Neither of them automatically runs the other. apt update refreshes the list of available packages and their versions, but it does not install or upgrade any packages. apt upgrade actually installs newer versions of the packages you have. After updating the lists, the package manager knows about available updates for the software you have installed; this is why you update first. You can also use apt update && apt upgrade to run both steps one after the other.
# apt update && apt upgrade

CWP : How to Enable PORTFLOOD Protection using CSF firewall?

There is no practical way to actually prevent DoS / DDoS attacks, because your server is connected to the internet. When you are connected to the internet, even a simple local PC is exposed to remote attacks. The only thing you can do is mitigate their effects. When you are under DDoS and trying to mitigate the attack, the server will not respond normally: it will get slower than usual and can often appear down temporarily while the attack is decreasing. On large-volume attacks your provider can even null-route the server IP address to avoid overloading their entire network. Can the CSF firewall help me stop only small / medium attacks? Why not large attacks? Because of the way DDoS works. For very large and distributed attacks, you must use a dedicated firewall or a specialized anti-DDoS shield that works at the network level inside the datacenter where you are hosted, or you can use 3rd-party anti-DDoS services like Cloudflare, Incapsula or Level3 AntiDDOS servi

CWP: How to Configure DDoS Prevention Settings in CSF Firewall?

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are common threats that every publicly accessible web server faces. The purpose of such attacks, in simplest terms, is to flood a server with connections, overloading it and preventing it from accepting legitimate traffic.
Step #1: SYN flood protection
A SYN flood attack is a DoS attack exploiting the TCP (Transmission Control Protocol) connection process itself. In basic terms, a TCP connection is established using a three-way handshake:
1. The client (incoming connection) sends a synchronization packet (SYN) to the server.
2. The server responds with a synchronization acknowledgement (SYN/ACK) to the client.
3. The client then responds with an acknowledgement (ACK) back to the server.
A SYN flood attack manipulates that three-way handshake by initiating multiple synchronization requests and then refusing to respond with any final acknowledgements. On a Linux server, you can quickly check for SYN packets by running thi

CWP: How to Block Access to Specific Ports for Specific Countries?

Restricting access by port for IP addresses originating in a specific country or countries can be an effective way to minimize the negative performance impact that full country-level blocking can bring. In this example, we are blocking access to the FTP ports (20, 21) and SMTP ports (25, 110, 143, 465, 587, 993, 995) for IP addresses originating in Belgium and Bulgaria.
Step #1: Specify the Country or Countries to be Denied
Scroll down to the Country Code Lists and Settings section and add the country code to CC_DENY_PORTS. Multiple countries can be comma-separated with no spaces in between; you can find a list of ISO 3166-1 alpha-2 codes at https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2. List the ports that will be blocked for the specified countries in the CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP fields.
Step #2: Save Your Changes and Restart the Firewall
Scroll to the bottom of the Firewall Configuration page and click on the Change button. On the next screen, click the R

CWP: How to Allow Access to Specific Ports for Specific Countries?

I have some listed ports for my service management, and I want those ports to be accessible only from my country. Yes, you can choose to allow incoming traffic by port to only a specific country or countries. Generally, this is a better option than attempting to deny port access to a long list of countries, because the firewall will be working with a smaller CIDR range against which each incoming request must be checked.
My listed ports: 22,2030,2031,2086,2087,5550,55004,1025
To limit the ability to connect on a specific port or ports to visitors with IP addresses originating in a specific country or countries, you must:
1. close the ports in the firewall
2. define the country code allowed to connect on those blocked ports
3. specify the blocked ports to be opened for the specified country
In this example, we are allowing access to my listed ports above for IP addresses based in my country (Germany).
Step #1: Close the Ports in the Firewall
On the Firewall Configuration page,

CWP : Improve CSF iptables performance with IPSET

You run CSF (ConfigServer Firewall) on a Linux system and you block a lot of IP addresses. Servers running iptables with the CSF firewall can become slow and bogged down while processing the sometimes hundreds of IP addresses in CSF's iptables chains. Thankfully, it is possible to quickly and easily alleviate this slowdown by installing and configuring a tool called ipset. This option allows you to use ipset v6+ for the following CSF options: CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny, GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER. ipset will only be used with the above options when listing IPs and CIDRs; Advanced Allow Filters and temporary blocks still use traditional iptables. To use this option you must have a fully functioning installation of ipset, installed either via rpm or from source from http://ipset.netfilter.org/. It is a straightforward process.
CentOS, Red Hat and Fedora (yum based) users:
# yum install ipset -y
Ubuntu or Debian:
# sudo

Installation Perquisite for EFA/Cpanel/CWP7/VestaCP: Part 7 Install Latest EPEL Release

First, update your base repository for the Cpanel/CWP7/VestaCP installation, then install the latest EPEL release.
# yum update -y
Reboot the machine
# reboot
# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
# yum -y install epel-release
Run update again and check
# yum update -y
# yum repolist
If you get any errors, run:
# yum clean all
# rm -rf /var/cache/yum
# yum update -y
# yum repolist
You do not need to install the latest EPEL before the EFA installation; we will install EPEL after the EFA installation.

Installation Perquisite for EFA/Cpanel/CWP7/VestaCP: Part 6 Set-Up Time Zone

The server time zone is very important for any Internet service. My time zone is Asia/Dhaka. Follow these steps to configure your time zone.
# timedatectl list-timezones
# timedatectl list-timezones | grep Asia
# mv /etc/localtime /root/localtime.old
# ln -s /usr/share/zoneinfo/Asia/Dhaka /etc/localtime
# timedatectl set-ntp yes
# timedatectl set-timezone Asia/Dhaka
# systemctl restart systemd-timedated.service
# timedatectl
      Local time: Wed 2018-10-31 11:15:50 +06
  Universal time: Wed 2018-10-31 05:15:50 UTC
        RTC time: Wed 2018-10-31 05:15:50
       Time zone: Asia/Dhaka (+06, +0600)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: n/a
# hwclock
Wed 31 Oct 2018 11:21:37 AM +06  -0.084209 seconds

Installation Perquisite for EFA/Cpanel/CWP7/VestaCP: Part 5 Install Chrony and Configure NTP server

Accurate timekeeping is important for a number of reasons in IT. This setup is a best practice that helps with problem diagnosis and informal server monitoring. I live in Asia, which is why I'm using the Asia pool. Install chrony and configure the NTP server.
# yum -y install chrony    (for rpm based)
# apt install chrony    (for debian based)
# vi /etc/chrony.conf    (for rpm based)
# vi /etc/chrony/chrony.conf    (for debian based)
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 0.asia.pool.ntp.org iburst
server 1.asia.pool.ntp.org iburst
server 2.asia.pool.ntp.org iburst
server 3.asia.pool.ntp.org iburst
Add the network range you allow to receive requests:
allow 127.0.0.1
or allow your network CIDR
:x (save & quit)
Reminder: We have disabled firewalld, so we will add port 123/udp after the CWP installation using the CSF firewall. Start the services and e

Installation Perquisite for EFA/Cpanel/CWP7/VestaCP: Part 4 Disable Network Manager & Setup Static IP

This tutorial describes how to disable the Network Manager service. The Network Manager service automates the network settings and disrupts connections to the IP addresses that reside in the ipaliases module. We recommend that you disable the Network Manager service and enable network.service before you install EFA/Cpanel/CWP7/VestaCP.
# systemctl stop NetworkManager
# systemctl disable NetworkManager
# nmcli device status
# systemctl list-unit-files | grep NetworkManager
# systemctl enable network.service
# systemctl restart network.service
Reboot the machine
# reboot
I have two NICs in my VPS, so add the parameter below to /etc/sysconfig/network-scripts/ifcfg-eXXX for each interface managed by NetworkManager to make it unmanaged.
NM_CONTROLLED="no"
# vi /etc/sysconfig/network-scripts/ifcfg-ens33
BOOTPROTO=static
NM_CONTROLLED=no
ONBOOT=yes
#DOMAIN=datahead.biz
HOSTNAME=host.datahead.biz
:x (save & quit)
# vi /etc/sysconfig/network-scripts/if

Installation Perquisite for EFA/Cpanel/CWP7/VestaCP: Part 3 Setup Hostname Permanently

A computer hostname is a unique name assigned to a computer in a network in order to identify that computer in that specific network. The hostname is set when the CentOS operating system is installed, or, if you are spinning up a virtual machine, it is dynamically assigned to the instance at startup. The hostname is used by many networking programs (such as sendmail and Apache servers) to identify the machine. By default, your server starts with the server's given name as the hostname. Some software, such as cPanel and CWP, requires a valid Fully Qualified Domain Name (FQDN) as the hostname.
Types of hostnames (the hostname can be configured as follows):
1. Static host name, assigned by the sysadmin. For example, "server1", "wwwBot2", or "host.datahead.biz".
2. Transient/dynamic host name, assigned by a DHCP or mDNS server at run time.
3. Pretty host name, assigned by the sysadmin/end users; a free-form UTF-8 host name for presentation to the user.

Installation Perquisite for EFA/Cpanel/CWP7/VestaCP: Part 2 Disable Firewalld

CentOS 7 comes with firewalld by default. Disable firewalld because Cpanel and CWP use the CSF firewall and LFD with iptables. Here CSF is ConfigServer Security & Firewall and LFD is the Login Failure Daemon.
# systemctl stop firewalld.service
# systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
# systemctl mask firewalld.service
Created symlink from /etc/systemd/system/firewalld.service to /dev/null.
Reboot your server so that all updates take effect, and then check your firewalld status.
# reboot
# systemctl status firewalld
In EFA, FirewallD and the Fail2Ban intrusion detector come by default, but I prefer to use CSF, so I will disable the firewalld service.

Installation Perquisite for EFA/Cpanel/CWP7/VestaCP: Part 1 Disable SeLinux

SELinux is an acronym for Security-Enhanced Linux. It is a security feature of the Linux kernel, designed to protect the server against misconfigurations and/or compromised daemons. In the Linux kernel, SELinux relies on mandatory access control (MAC), which restricts users to the rules and policies set by the system administrator. MAC is a higher level of access control than the standard discretionary access control (DAC), and it prevents security breaches in the system by only allowing the necessary file accesses that the administrator pre-approves. SELinux was initially released as a collaboration between Red Hat and the National Security Agency. SELinux receives periodic updates and additions as new Linux distributions are released.
SELinux modes
There are three modes of SELinux: Enforcing, Permissive and Disabled. Enforcing mode is the default mode at installation of SELinux. It will enforce the policies on the system, deny access and log actions. Permissive mode is the most com