Suggestions for CentOS 7.4 to make a Perfect Server an Awesome server!

Discussion in 'Tips/Tricks/Mods' started by kyferez, Aug 9, 2018.

  1. kyferez

    kyferez Member

    Much of this is thanks to help I have received here. Major shouts out to Till and Ahrasis!

    1) Update the grub bootloader to log console messages to the screen so you can see errors if the kernel crashes:
    nano /etc/default/grub
    Change the GRUB_CMDLINE_LINUX section rhgb quiet from your entry like this:
    GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet rootflags=uquota,gquota"
    to this (replacing rhgb quiet with loglevel=7 systemd.log_level=debug):
    Note: Do not replace the entire line, just change the indicated parts.
    GRUB_CMDLINE_LINUX="crashkernel=auto loglevel=7 systemd.log_level=debug rootflags=uquota,gquota"
    2) Enable journalctl persistent logging so you can see logs from past boots:
    mkdir /var/log/journal
    systemd-tmpfiles --create --prefix /var/log/journal
    systemctl restart systemd-journald
    3) Update the fail2ban to have longer ban times, longer find times, and fewer retries:
    nano /etc/fail2ban/jail.local
    bantime  = 432000 ; 5day ; 10800 ;3 hours
    findtime  = 86400 ; 28800 ; 8hr; 1209600 ; 2week; 86400 ;1 day
    maxretry = 5
    #28800 = 8hr
    #86400 = 1day
    #432000 = 5day
    #604800 = 1week
    #2592000 = 30day
    enabled = true
    port = 8822
    # action port matches the SSH port set above; port=ssh would only block port 22
    action = iptables[name=sshd, port=8822, protocol=tcp]
    maxretry = 2
    bantime  = 2592000
    findtime  = 604800
    enabled = true
    action = iptables[name=FTP, port=ftp, protocol=tcp]
    maxretry = 3
    bantime  = 2592000
    findtime  = 604800
    enabled = true
    action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
    maxretry = 5
    bantime  = 432000
    findtime  = 604800
    enabled = true
    action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
    maxretry = 3
    bantime  = 2592000
    findtime  = 604800
    Or better yet implement a permanent ban for IPs! But I haven't yet found a non-complicated reliable way to do this that doesn't involve modifying the core fail2ban files.

    4) Add SSL to your Mail server (I also recommend disabling Non-SSL for clients)

    5) Update your SPAM filters to be stronger:

    6) Add additional PHP versions to ISPConfig:

    7) Use the proper settings on the site for Wordpress to update properly:

    8) Increase the size of SWAP if you only have 1GB RAM
    Make 2GB swap:
    fallocate -l 2G /swapfile
    chmod 600 /swapfile
    dd if=/dev/zero of=/swapfile count=2048 bs=1MiB
    mkswap /swapfile
    swapon /swapfile
    swapon -s  # verify it worked
    free  # see usage
    nano /etc/fstab  # make permanent, add this to file:
    /swapfile swap swap sw 0 0

    9) Make your server an Authoritative DNS nameserver for your sites

    10) Add Dynamic DNS to your authoritative DNS nameserver

    Feel free to make additional suggestions!
    Last edited: Aug 25, 2018
    ahrasis likes this.
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Just modify the .local equivalent; they override the distributed .conf files for doing exactly that.
    ahrasis likes this.
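
Added example (not from either post, and not fail2ban's own code): a small lint that merges a jail.conf and a jail.local the way the reply describes, with the later file overriding the earlier one, and flags two easy mistakes in overrides like those above: a timing value whose `;` comment is not preceded by a space, and an action whose port= differs from the jail's port. The jail.conf defaults and the [DEFAULT]/[sshd] section names in the samples are assumptions, and Python's configparser stands in for fail2ban's own reader.

```python
import configparser
import re

# Constructed samples: section names and the jail.conf defaults are assumptions.
JAIL_CONF = """\
[DEFAULT]
bantime = 600
maxretry = 5
[sshd]
enabled = false
port = ssh
"""
JAIL_LOCAL = """\
[DEFAULT]
bantime = 432000 ; 5day
findtime = 86400; 1day
[sshd]
enabled = true
port = 8822
action = iptables[name=sshd, port=ssh, protocol=tcp]
bantime = 2592000
"""
ACTION_PORT = re.compile(r'\bport\s*=\s*(?:"([^"]*)"|([^,\]]+))')

def merged(*texts):
    """Read sources in order; later ones override earlier ones (.conf then .local)."""
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",), interpolation=None)
    for text in texts:
        cp.read_string(text)
    return cp

def lint(cp):
    """Return (jail, key, message) for each problem found in an enabled jail."""
    findings = []
    for jail in cp.sections():
        sec = cp[jail]
        if sec.get("enabled", "false").lower() != "true":
            continue
        for key in ("bantime", "findtime", "maxretry"):
            # Plain seconds/counts only; a negative bantime means a permanent ban.
            if not re.fullmatch(r"-?\d+", sec.get(key, "")):
                findings.append((jail, key, f"not an integer: {sec.get(key)!r}"))
        m = ACTION_PORT.search(sec.get("action", ""))
        port = (m.group(1) or m.group(2)).strip() if m else None
        if port and "port" in sec and port != sec["port"]:
            findings.append((jail, "action", f"bans port {port!r}, jail port is {sec['port']!r}"))
    return findings
```

Calling `lint(merged(JAIL_CONF, JAIL_LOCAL))` reports the inherited findtime and the sshd action port; on a real host the two strings would be the contents of /etc/fail2ban/jail.conf and /etc/fail2ban/jail.local.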