Checklist for VPS maintenance?

awehost

New Member
As I am moving from shared reseller hosting to a VPS, can someone list some of the important things I should keep an eye on and/or update manually? I see that some things like cPanel and the firewall appear to have auto updates, but over time I don't want things to unknowingly become insecure and/or out of date.

Thanks
 

Dan

Moderator
Hello awehost,

System updates and software installed by cPanel are all done by cPanel.

CSF does have an auto-update option but you have to turn it on in the configuration.

After that the only things you will need to update yourself are those that you install yourself.

Hope that helps!
 

townwebsites

New Member
Thanks Dan.

What about log files - should the VPS owner be reviewing logs for attacks of various sorts? If so, what logs, and does cPanel provide any interfaces to review them?

Thanks,

Charlie

 

Dan

Moderator
Hi Charlie,

You should get a daily email giving you a summary of your logs, the program that sends it is Logwatch. Nowadays I breeze through it pretty fast though as CSF/LFD and mod_security keep things going pretty well for me.
 

woodp

New Member
All those lfd emails ...

Another new Shared-to-VPS convert here. After deleting several hundred "lfd on host.domain.com ..." emails, the logs suggest ~75 permanent and ~75 temporary blocks a month. Is that high, low or average? And more important, should I be doing anything?

Any/all help/comments are appreciated.

And now back to try to figure out where the setting is to turn off all unneeded sftp warnings ...
 

Dan

Moderator
Hi woodp,

There isn't really any 'good' number for CSF blocks as the amount you get will vary depending on a wide variety of things like the domains that the previous owner of those IPs had, the kind of traffic your own websites sees, etc etc. You can, of course, modify the settings for CSF in WHM for the number of different types of attacks that take place before a block takes place. That may be where you will find the SFTP warnings you are receiving as well.

Pretty much the system can take care of the blocks by itself. Even what it calls 'permanent blocks' aren't really permanent as after a couple of weeks it will delete those IPs from its block list as well. You can even add your own IP blocks to the list and make it so they aren't deleted if you want to.
 

Crunchy

Member
CSF does have an auto-update option but you have to turn it on in the configuration.

I haven't turned mine on. Have had this VPS over a year, would turning that on cause any rebuild issues? Is it obvious in WHM? I have found my way around WHM fairly well up to now.

as CSF/LFD and mod_security keep things going pretty well for me.

Are these installed by default or did you install yourself (well, other than CSF)?

Also, I use WordPress and noticed some of my security plugins are a bit dated. After some research I have decided that WordFence and Best WP Security are probably the best options for me. Do you have any experience with either? I have read that there are no known issues with using both on a site, but was particularly concerned about the bandwidth usage of the Wordfence scans especially if I have that plugin on a number of sites in the same VPS. I am also particularly interested in being able to block foreign countries since the vast majority of my port scans and such come from outside the US and my sites are locally oriented. I am thinking this feature might actually save me significant bandwidth.
 

Dan

Moderator
Morning Crunchy!

I haven't turned mine on. Have had this VPS over a year, would turning that on cause any rebuild issues? Is it obvious in WHM? I have found my way around WHM fairly well up to now.
I don't see why it would cause any rebuild issues. Personally I monitor for updates and install them manually and have never had any problems at all. They use a shell script to install, no 'make' or './config' or anything.

In WHM click on Plugins then click on ConfigServer Security & Firewall. If there is an update available it will show on this screen in the Update section, there will even be a button right there you can click to install the upgrade. To enable auto-updates click the Firewall Configuration button and the third option down is it. Reading the section for it says that it will create a cron job that runs daily to install updates then restart the services.

Are these installed by default or did you install yourself (well, other than CSF)?
When I got my latest VPS CSF was pre-installed on it right from KH.

Also, I use WordPress and noticed some of my security plugins are a bit dated. After some research I have decided that WordFence and Best WP Security are probably the best options for me. Do you have any experience with either? I have read that there are no known issues with using both on a site, but was particularly concerned about the bandwidth usage of the Wordfence scans especially if I have that plugin on a number of sites in the same VPS. I am also particularly interested in being able to block foreign countries since the vast majority of my port scans and such come from outside the US and my sites are locally oriented. I am thinking this feature might actually save me significant bandwidth.
I do not have any experience with any WordPress security plugins whatsoever. If you are concerned about bandwidth I would suggest installing them onto just one site and then monitoring it to see just how much of an increase you see. Although I just ran a quick search and turned this up in their FAQ "Wordfence scans do not consume large amounts of your precious bandwidth because all scans happen on your web server which makes them very fast." so perhaps all your worry is for naught.

CSF can be configured to block based on country code although it looks like it will consume quite a bit of overhead as iptables rules have to be created for each CIDR listed for that country at maxmind.com and these can become quite large.

Personally what I do is monitor my mod_security log (if you don't run mod_security your normal access logs are fine of course) for blocks that it makes. If I find a bunch of blocks from an abusive IP I will look up the IP and many times will block the whole CIDR myself by editing the file /etc/csf/csf.deny making sure to put "# Do not delete" at the end of the rule.
 
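Dan's routine above (read the mod_security or access log, find the IPs getting blocked over and over, then pin the offending range in /etc/csf/csf.deny so CSF's cleanup leaves it alone) is easy to script. The following is an added example written for this thread, not code from CSF, cPanel or any poster. It assumes Apache's combined log format (status code is the 9th field) and that a 403 in the log means mod_security blocked the request; the sample log lines are constructed, and the CIDR for an offender still has to be looked up by hand with whois before you deny it.

```shell
#!/bin/sh
# Added example (not from this thread or from CSF): aggregate the clients
# that mod_security/Apache answered with 403, then write csf.deny entries
# that CSF's automatic pruning will leave alone.
#
# Assumptions: combined log format (status code is field 9), a 403 means a
# mod_security block, and /etc/csf/csf.deny is CSF's deny list. The CIDR
# for an offender still has to be looked up by hand (e.g. `whois <ip>`).

# Constructed sample log standing in for a real domlog / mod_security log.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [10/Mar/2014:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2014:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2014:10:01:05 +0000] "GET /../../etc/passwd HTTP/1.1" 403 199 "-" "curl/7.30"
192.0.2.99 - - [10/Mar/2014:10:02:00 +0000] "GET /?q=1%27%20OR%201=1 HTTP/1.1" 403 199 "-" "sqlmap/1.0"
192.0.2.99 - - [10/Mar/2014:10:02:01 +0000] "GET /?q=1%27%20UNION%20SELECT HTTP/1.1" 403 199 "-" "sqlmap/1.0"
EOF
)

# Read a log on stdin; print "count ip" for every client with at least
# THRESHOLD blocked (403) requests, worst offender first.
blocked_ips() {
    awk -v min="${1:-2}" '
        $9 == 403 { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }' |
    sort -rn
}

# One csf.deny line. CSF prunes csf.deny once it grows past DENY_IP_LIMIT,
# but skips entries whose comment says "do not delete" (as Dan notes above).
csf_deny_line() {
    printf '%s # Do not delete: %s\n' "$1" "$2"
}

# Append a CIDR to the deny file unless it is already listed.
# Returns 1 (and writes nothing) on a duplicate. Run `csf -r` afterwards
# so the new entry is loaded into iptables.
add_deny() {
    cidr=$1; reason=$2; denyfile=${3:-/etc/csf/csf.deny}
    if [ -f "$denyfile" ] && awk -v c="$cidr" '$1 == c { f = 1 } END { exit !f }' "$denyfile"; then
        echo "already in $denyfile: $cidr" >&2
        return 1
    fi
    csf_deny_line "$cidr" "$reason" >> "$denyfile"
}

# Demo on the constructed log: who has two or more blocks?
printf '%s\n' "$SAMPLE_LOG" | blocked_ips 2
# Real use, after checking whois for the offender's allocation:
#   add_deny 203.0.113.0/24 "wp-login brute force" && csf -r
```

On a real box feed it the domlog or mod_security log for the site in question (for example `blocked_ips 10 < /usr/local/apache/domlogs/example.com`, path assumed) and raise the threshold to something that reflects your traffic; a single 403 is noise, a few hundred from one address in a day is worth a whois lookup.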

Sherrie

Member
*edit: found it*

On another note, I clicked on software and saw the option to upgrade MySQL. This I would really like to do (I run a vbulletin forum), do these upgrades cause issues?
 

Sherrie

Member
OK in the left hand menu in WHM I scrolled down to cPanel and then clicked on Manage Plugins. The only plugins I have there are:

clamavconnector
cpgs
cronconfig
munin
spamdconf
 

Skyview

Member
CSF can be configured to block based on country code although it looks like it will consume quite a bit of overhead as iptables rules have to be created for each CIDR listed for that country at maxmind.com and these can become quite large.

Personally what I do is monitor my mod_security log (if you don't run mod_security your normal access logs are fine of course) for blocks that it makes. If I find a bunch of blocks from an abusive IP I will look up the IP and many times will block the whole CIDR myself by editing the file /etc/csf/csf.deny making sure to put "# Do not delete" at the end of the rule.
Along these lines, could a wildcard be used to say you want to deny ALL traffic to the server unless it is from say the US, Mexico, Canada? I realize IP addresses can be spoofed, but that doesn't appear to be the case most of the time as they are showing coming from China, Russia, Middle East, etc. Do you think a VPS4 would be able to handle the load? This would be so much simpler. Would appreciate if you could provide specific guidance on how to achieve this. Thanks.
 

KH-Jonathan

Director of Managed Services
Staff member
Along these lines, could a wildcard be used to say you want to deny ALL traffic to the server unless it is from say the US, Mexico, Canada? I realize IP addresses can be spoofed, but that doesn't appear to be the case most of the time as they are showing coming from China, Russia, Middle East, etc. Do you think a VPS4 would be able to handle the load? This would be so much simpler. Would appreciate if you could provide specific guidance on how to achieve this. Thanks.
Yes this is definitely possible with CSF/iptables, however it's not recommended to do in VPSs as it creates a very large number of iptables rules depending on what countries you block/allow - especially if it's large countries such as USA, Russia, China, etc.
 

Skyview

Member
Yes this is definitely possible with CSF/iptables, however it's not recommended to do in VPSs as it creates a very large number of iptables rules depending on what countries you block/allow - especially if it's large countries such as USA, Russia, China, etc.
Could you at least point me in the right direction as to how to test this, unless you know for a fact that it will cripple the VPS or something. Most things can be implemented in varying degrees so I could for instance, just block a few countries that seem to be the worst offenders and see how it runs.
 

Dan

Moderator
Hi Skyview,

If you go into the Config Server & Firewall applet under Plugins in your WHM then go to Firewall Configuration there is a section for Country code lists and settings. The description given there is quite good.
 

KH-Jonathan

Director of Managed Services
Staff member
Skyview,

I do know for a fact that the number of iptables rules this will generate will most likely crash iptables or prevent it from starting to begin with.
 

Skyview

Member
Thanks Dan.

Jonathan, is there any way to do the reverse? In other words, have an approved country code list that is "whitelisted" say for US, Canada, Mexico, then the server only has to check against that list and deny access to all others?
 

KH-Jonathan

Director of Managed Services
Staff member
Either way you do it you'll run into issues because the US is so large, and has so much IP space, therefore it still is a ton of rules. For each IP block you end up with 4 rules. Considering the US has 1.5 billion IPs alone, and the next smallest country is China with 330 million, you can see the issue here...
 
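To put numbers on the concern Jonathan and Dan raise above (a per-CIDR country block means four iptables rules for every block in the MaxMind list, and the big countries have very long lists), here is an added example written for this thread, not code from CSF or any poster. It takes a zone file in the one-CIDR-per-line shape CSF downloads for its country code options, sums the address space it covers, estimates the rule count at four per CIDR, and then emits the same list as an `ipset restore` script, which lets the kernel match the whole set with a single iptables rule per chain. The zone file content is constructed; whether your own CSF build can drive ipset itself (its LF_IPSET setting) is something to check in your csf.conf, and the hand-rolled version below does not depend on it.

```shell
#!/bin/sh
# Added example, not from the thread or from CSF. Given a country zone file
# (one CIDR per line, the shape of the MaxMind lists CSF fetches for its
# CC_DENY / CC_ALLOW options), work out how much address space it covers
# and how many iptables rules a plain per-CIDR block would add, using the
# "4 rules per IP block" figure quoted above. Then emit the same list as an
# `ipset restore` script: one iptables rule per chain matches the whole set.
# Whether your CSF can use ipset on its own (LF_IPSET in csf.conf) is an
# assumption to verify; the hand-rolled version here does not rely on it.

# Constructed stand-in for a zone file. A real list for a large country
# runs to tens of thousands of CIDRs.
ZONE=$(cat <<'EOF'
203.0.113.0/24
198.51.100.0/25
198.51.100.128/25
192.0.2.0/24
EOF
)

# Addresses covered: sum of 2^(32 - prefix) over every CIDR on stdin.
zone_addresses() {
    awk -F/ 'NF == 2 { n += 2 ^ (32 - $2) } END { printf "%d\n", n }'
}

# iptables rules a per-CIDR block would need, at 4 rules per CIDR.
zone_iptables_rules() {
    awk 'NF { n++ } END { print n * 4 }'
}

# Same zone as an ipset restore script on stdout. Load it with
#   zone_to_ipset_restore cc_cn < cn.zone | ipset restore -exist
# maxelem is raised because hash:net defaults to 65536 entries, which a
# large country's list can exceed.
zone_to_ipset_restore() {
    printf 'create %s hash:net maxelem 262144\n' "$1"
    awk -v s="$1" 'NF { printf "add %s %s\n", s, $1 }'
}

# The iptables side: one rule per chain, however many CIDRs the set holds.
# Printed rather than executed so it can be reviewed before running as root.
ipset_hookup() {
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$1"
    printf 'iptables -I OUTPUT -m set --match-set %s dst -j DROP\n' "$1"
}

printf '%s\n' "$ZONE" | zone_addresses          # 768
printf '%s\n' "$ZONE" | zone_iptables_rules     # 16
printf '%s\n' "$ZONE" | zone_to_ipset_restore cc_test
ipset_hookup cc_test
```

Run `zone_iptables_rules` against a real zone file before enabling CC_DENY for that country and you will see the figure Jonathan is warning about; the ipset route keeps the iptables chain short regardless, at the cost of managing the set yourself and re-adding the two hookup rules whenever CSF rebuilds its chains (`csf -r`), which is the main reason to prefer CSF's own ipset support where it is available.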