Much of this is thanks to help I have received here. Major shout-outs to Till and Ztk.me and Ahrasis!

1) Update the grub bootloader to log console messages to the screen so you can see errors if the kernel crashes:

Code:
    nano /etc/default/grub

Change the rhgb quiet part of your GRUB_CMDLINE_LINUX entry from this:

Code:
    GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet rootflags=uquota,gquota"

to this (replacing rhgb quiet with loglevel=7 systemd.log_level=debug):

Note: Do not replace the entire line, just change the indicated parts.

Code:
    GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap loglevel=7 systemd.log_level=debug rootflags=uquota,gquota"

2) Enable journalctl persistent logging so you can see logs from past boots:

Code:
    mkdir /var/log/journal
    systemd-tmpfiles --create --prefix /var/log/journal
    systemctl restart systemd-journald

3) Update fail2ban to have longer ban times, longer find times, and fewer retries:

Code:
    nano /etc/fail2ban/jail.local

Code:
    [DEFAULT]
    # 432000 = 5day (alternative: 10800 = 3 hours)
    bantime = 432000
    # 86400 = 1 day (alternatives: 28800 = 8hr, 1209600 = 2week)
    # Comments are on their own lines: a ';' that directly follows the value
    # without a space is not treated as a comment and becomes part of the value.
    findtime = 86400
    maxretry = 5
    #28800 = 8hr
    #86400 = 1day
    #432000 = 5day
    #604800 = 1week
    #2592000 = 30day

    [sshd]
    enabled = true
    port = 8822
    # The port in the action must be the port sshd listens on (8822 here),
    # otherwise the ban rule is created for the default ssh port only.
    action = iptables[name=sshd, port=8822, protocol=tcp]
    maxretry = 2
    bantime = 2592000
    findtime = 604800

    [pure-ftpd]
    enabled = true
    action = iptables[name=FTP, port=ftp, protocol=tcp]
    maxretry = 3
    bantime = 2592000
    findtime = 604800

    [dovecot]
    enabled = true
    action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
    maxretry = 5
    bantime = 432000
    findtime = 604800

    [postfix-sasl]
    enabled = true
    action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
    maxretry = 3
    bantime = 2592000
    findtime = 604800

Or better yet implement a permanent ban for IPs! But I haven't yet found a non-complicated reliable way to do this that doesn't involve modifying the core fail2ban files.

4) Add SSL to your mail server (I also recommend disabling non-SSL for clients):
https://www.howtoforge.com/communit...ut-webmail-works-perfectly.79252/#post-375327
https://www.howtoforge.com/community/threads/pfs-letsencrypt-for-postfix-dovecot-pureftpd.77499/
https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/

5) Update your SPAM filters to be stronger:
https://www.howtoforge.com/communit...-of-spam-filter-policies-in-ispconfig3.38480/

6) Add additional PHP versions to ISPConfig:
https://www.howtoforge.com/communit...e-php-versions-already-but.71847/#post-376006
http://www.hexblot.com/blog/centos7-ispconfig3-and-multiple-php-versions
https://www.sunaryohadi.info/additional-php-versions-centos-7-nginx-ispconfig-3-gce.htm

7) Use the proper settings on the site for WordPress to update properly:
https://www.howtoforge.com/communit...f-update-or-update-plugins.79238/#post-375063

8) Increase the size of SWAP if you only have 1GB RAM:
https://www.digitalocean.com/community/tutorials/how-to-add-swap-on-centos-7
https://unix.stackexchange.com/questions/294600/i-cant-enable-swap-space-on-centos-7

Make 2GB swap:

    fallocate -l 2G /swapfile
    chmod 600 /swapfile
    dd if=/dev/zero of=/swapfile count=2048 bs=1MiB
    mkswap /swapfile
    swapon /swapfile
    swapon -s          # verify it worked
    free               # see usage
    nano /etc/fstab    # make permanent, add this to file:

    /swapfile swap swap sw 0 0

9) Make your server an authoritative DNS nameserver for your sites:
https://www.howtoforge.com/ispconfig_dns_godaddy
https://www.howtoforge.com/how-to-run-your-own-name-server-with-ispconfig-3-and-fast-hosts

10) Add Dynamic DNS to your authoritative DNS nameserver:
https://www.howtoforge.com/communit...r-for-debian-ubuntu-ispconfig-3-server.69910/
https://github.com/DIXINFOR/ddns-update-for-ispconfig

Feel free to make additional suggestions!
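
An added example, not part of the original post and not fail2ban's own code: a small Python check for a jail.local like the one in step 3. It flags a `;` comment glued to a value (so the value is no longer a number) and an action `port=` that differs from the jail's `port`. The sample text and the names `audit_jail` and `strip_inline` are constructed for this example, and it assumes sshd listens on the port given in the jail.

```python
import re

# Constructed sample (not a real server's file) with the two patterns to catch.
SAMPLE = """\
[DEFAULT]
bantime = 432000 ; 5day
findtime = 86400; 28800 ; 8hr
maxretry = 5

[sshd]
port = 8822
action = iptables[name=sshd, port=ssh, protocol=tcp]
bantime = 2592000
"""

NUMERIC = {"bantime", "findtime", "maxretry"}

def strip_inline(value):
    # Assumption: as in Python's configparser, ';' starts a comment only after whitespace.
    return re.split(r"\s;", value, maxsplit=1)[0].strip()

def audit_jail(text):
    """Return (section, option, problem) tuples for a jail.local given as text."""
    findings, section, jail_port, action_port = [], None, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        value = strip_inline(value)
        if key in NUMERIC and not re.fullmatch(r"-?\d+", value):
            findings.append((section, key, "not a plain integer: %r" % value))
        elif key == "port":
            jail_port[section] = value
        elif key == "action":
            m = re.search(r"\bport=\"?([^,\"\]]+)", value)
            if m:
                action_port[section] = m.group(1)
    for sec, port in action_port.items():
        if sec in jail_port and port != jail_port[sec]:
            findings.append((sec, "action", "action port %s != jail port %s" % (port, jail_port[sec])))
    return findings

if __name__ == "__main__":
    for finding in audit_jail(SAMPLE):
        print(finding)
```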