Much of this is thanks to help I have received here. Major shouts out to Till and Ztk.me and Ahrasis! 1) Update the grub bootloader to log console messages to the screen so you can see errors if the kernel crashes: Code: nano /etc/default/grub Change the GRUB_CMDLINE_LINUX section rhgb quiet from your entry like this: Code: GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet rootflags=uquota,gquota" to this (replacing rhgb quiet with loglevel=7 systemd.log_level=debug): Note: Do not replace the entire line, just change the indicated parts. Code: GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap loglevel=7 systemd.log_level=debug rootflags=uquota,gquota" 2) Enable journalctl persistent logging so you can see logs from past boots: Code: mkdir /var/log/journal systemd-tmpfiles --create --prefix /var/log/journal systemctl restart systemd-journald 3) Update the fail2ban to have longer ban times, longer find times, and fewer retries: Code: nano /etc/fail2ban/jail.local Code: [DEFAULT] bantime = 432000 ; 5day ; 10800 ;3 hours findtime = 86400; 28800 ; 8hr; 1209600 ; 2week; 86400 ;1 day maxretry = 5 #28800 = 8hr #86400 = 1day #432000 = 5day #604800 = 1week #2592000 = 30day [sshd] enabled = true port = 8822 action = iptables[name=sshd, port=ssh, protocol=tcp] maxretry = 2 bantime = 2592000 findtime = 604800 [pure-ftpd] enabled = true action = iptables[name=FTP, port=ftp, protocol=tcp] maxretry = 3 bantime = 2592000 findtime = 604800 [dovecot] enabled = true action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp] maxretry = 5 bantime = 432000 findtime = 604800 [postfix-sasl] enabled = true action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp] maxretry = 3 bantime = 2592000 findtime = 604800 Or better yet implement a permanent ban for IPs! But I haven't yet found a non-complicated reliable way to do this that doesn't involve modifying the core fail2ban files. 4) Add SSL to your Mail server (I also recommend disabling Non-SSL for clients) https://www.howtoforge.com/communit...ut-webmail-works-perfectly.79252/#post-375327 https://www.howtoforge.com/community/threads/pfs-letsencrypt-for-postfix-dovecot-pureftpd.77499/ https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/ 5) Update your SPAM filters to be stronger: https://www.howtoforge.com/communit...-of-spam-filter-policies-in-ispconfig3.38480/ 6) Add additional PHP versions to ISPConfig: https://www.howtoforge.com/communit...e-php-versions-already-but.71847/#post-376006 http://www.hexblot.com/blog/centos7-ispconfig3-and-multiple-php-versions https://www.sunaryohadi.info/additional-php-versions-centos-7-nginx-ispconfig-3-gce.htm 7) Use the proper settings on the site for Wordpress to update properly: https://www.howtoforge.com/communit...f-update-or-update-plugins.79238/#post-375063 8) Increase the size of SWAP if you only have 1GB RAM https://www.digitalocean.com/community/tutorials/how-to-add-swap-on-centos-7 https://unix.stackexchange.com/questions/294600/i-cant-enable-swap-space-on-centos-7 Make 2GB swap: fallocate -l 2G /swapfile chmod 600 /swapfile dd if=/dev/zero of=/swapfile count=2048 bs=1MiB mkswap /swapfile swapon /swapfile swapon -s <---verify it worked free <---see usage nano /etc/fstab <---make permanent, add this to file: /swapfile swap swap sw 0 0 9) Make your server an Authoritative DNS nameserver for your sites https://www.howtoforge.com/ispconfig_dns_godaddy https://www.howtoforge.com/how-to-run-your-own-name-server-with-ispconfig-3-and-fast-hosts 10)Add Dynamic DNS to your authoritative DNS nameserver https://www.howtoforge.com/communit...r-for-debian-ubuntu-ispconfig-3-server.69910/ https://github.com/DIXINFOR/ddns-update-for-ispconfig Feel free to make additional suggestions!
