First steps after ServerPilot has been installed


If you see this message in your online ServerPilot panel, your Ubuntu web server is ready to host your websites. Or maybe not?

If you host only a single WordPress website on your VPS, this setup might be enough. If you’d like to do a bit more, then follow these steps to make your server just a bit better.

General settings and useful tools

Open an SSH session as the root user: enter the command below, followed by your root password. If you use SSH keys for authentication, a password is not necessary.

# ssh [email protected]

Most of my servers are located in Amsterdam, and the first thing I do is change the locale settings (location and time settings).

# locale-gen en_US en_US.UTF-8 nl_NL nl_NL.UTF-8
# dpkg-reconfigure locales
# dpkg-reconfigure tzdata

After this you need to choose your location to get the right time zone. You will see something like:

Current default time zone: 'Europe/Amsterdam'
Local time is now: Thu May 21 22:10:00 CEST 2015.
Universal Time is now: Thu May 21 20:10:00 UTC 2015.

Optional for Vultr servers

I have a mix of servers from DigitalOcean and from Vultr. The following step is for Vultr servers only. To add your hostname to the server, you need to edit the file “/etc/hostname”. Replace guest.vultr with your own hostname (e.g. vps1.yourdomain.com). Next, use the following command to set the hostname permanently:

# hostname -F /etc/hostname

After you’ve opened a new SSH session, you will notice the change in your SSH client window.

Before I continue to the next part I will install the tool unzip because most scripts are compressed. Enter this command to install the tool. I like to install imagemagick, too.

# apt-get install zip unzip imagemagick

MySQL and phpMyAdmin

ServerPilot doesn’t provide a lot of features for MySQL. You can create databases with a single user from their panel. For all other database transactions you need a client like phpMyAdmin. I use the “default” app for phpMyAdmin. In ServerPilot, create your first app and name it “0default”. Skip the domain name and choose the user “serverpilot”. After the app is created, return to the command line on your server and enter:

# su serverpilot
$ cd ~/apps/0default

From here I will download the latest version of phpMyAdmin, unzip the zip file and move the files into the “public” directory:

$ wget https://github.com/phpmyadmin/phpmyadmin/archive/STABLE.zip
$ unzip STABLE.zip
$ mv phpmyadmin-STABLE/* public/

After this step, phpMyAdmin is reachable via your server’s hostname or IP address. Let’s limit access to phpMyAdmin to your own IP address. Inside the “public” directory, create a file named “.htaccess” and paste this code (using your own IP address).

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Password Protected Area"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from xxx.xxx.xxx.xxx

The default time-out for your phpMyAdmin session is limited to 14400 seconds. Since the access is limited to your IP address, you can raise that value. Open the file “config.sample.inc.php” and add this row (also add a value for $cfg['blowfish_secret']):

$cfg['LoginCookieValidity'] = 86400; // 1 day

Save the file under the new name “config.inc.php”. Create another file with the name “.user.ini” and add this directive for the PHP configuration.

session.gc_maxlifetime = 86400

The tool AutoMySQLBackup is a great and easy way to back up your databases frequently. As root enter:

# apt-get install automysqlbackup

Before we run this tool the first time, I like to change the default backup location. Edit the file “/etc/default/automysqlbackup” and change the BACKUPDIR value to:

BACKUPDIR="/srv/users/serverpilot/apps/automysqlbackup"

Run AutoMySQLBackup the first time (as root) with:

# automysqlbackup

As the name suggests, AutoMySQLBackup will create the database backups automatically from now on. Let’s create a cron job for mysqlcheck, a tool that will optimize all your MySQL tables. As root, enter crontab -e and add this job to run the tool every day at 8:15 am.

15 8 * * * mysqlcheck -o --all-databases > /dev/null 2>&1

UFW Firewall

The default firewall settings are set by ServerPilot. If you check these settings with ufw status you will see something like:

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
68/udp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
68/udp (v6)                ALLOW       Anywhere (v6)

These firewall settings are good except for port 22 (SSH). It’s a good strategy to restrict the access for the SSH port to your own IP address (or more if you work on multiple locations). First disable the firewall option inside the ServerPilot control panel, otherwise SP will overrule your modifications later.

Now we need to re-enable the UFW from the command line (we need to add the default rules again). Don’t destroy your current SSH session!

# ufw enable
# ufw allow www
# ufw allow https/tcp
# ufw allow bootpc/udp
# ufw allow ssh/tcp

If your home or office location has a static IP address, you can deny SSH access and allow access to all ports and services from your own IP address.

# ufw delete allow ssh/tcp
# ufw allow from xxx.xxx.xxx.xxx

Open a second terminal and connect to your server to test that your firewall rules don’t deny your own access.
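
A check for the step above, added here as an example and not part of the original article: it reads “ufw status” output and reports any rule that still allows SSH from Anywhere. The function name ssh_world_open and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: find SSH rules in `ufw status` output that are open to all.

# ssh_world_open: read `ufw status` text on stdin, print every rule that
# allows port 22 (or the OpenSSH app profile) from "Anywhere".
# Exit status: 0 = exposed rule found, 1 = none found.
ssh_world_open() {
    awk '
        {
            # Find the action column; rule lines look like
            #   22/tcp (v6)   ALLOW   Anywhere (v6)
            act = 0
            for (i = 1; i <= NF; i++)
                if ($i == "ALLOW" || $i == "LIMIT") { act = i; break }
            if (act < 2) next              # status line, header or blank

            src = act + 1
            if ($src == "IN") src++        # "ufw status verbose" prints "ALLOW IN"

            port = $1
            sub(/\/.*/, "", port)          # "22/tcp" -> "22"
            if (port != "22" && port != "OpenSSH") next

            if ($src == "Anywhere") { print; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample: the ServerPilot defaults shown above (shortened).
SAMPLE_BEFORE='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

# Constructed sample: after "ufw delete allow ssh/tcp" and
# "ufw allow from <own IP>" (203.0.113.10 is a documentation address).
SAMPLE_AFTER='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
Anywhere                   ALLOW       203.0.113.10'

for sample in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    if printf '%s\n' "$sample" | ssh_world_open; then
        echo "=> SSH is still open to the internet"
    else
        echo "=> no world-open SSH rule"
    fi
done
```

On the server itself, pipe the live rules into the function from your second terminal: ufw status | ssh_world_open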

Rsync backups

I use the standard backup function offered by DO or Vultr for all my servers, but this option is useful for a full server recovery. If you need to restore single files or apps, it’s better to have a second backup option. I use a 3rd party backup location and rsync for secondary backups.

First I create a pair of SSH keys (as root user):

# ssh-keygen

Hit enter to accept the default location and leave the pass-phrase empty (twice). Next use the following command to copy your public key to your external backup location.

# cat ~/.ssh/id_rsa.pub | ssh [email protected] "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

On your backup location, create a directory called “daily-backup” to avoid a missing directory error (I do this using my sFTP client). I back up all user directories including the user “serverpilot” to include my database backups, too.

I don’t like to backup the files from the “tmp” and “log” directory. So I add them (and maybe others) to a file called “exclude.txt”, which I create inside the root directory. Add the following rules to the file.

log/*
tmp/*

Now it’s time to run the first backup, execute this command:

# rsync -avz --delete --exclude-from "/root/exclude.txt" -e "ssh -i /root/.ssh/id_rsa" "/srv/users" [email protected]:daily-backup

If your first backup was successful, you will see a list of files and at the end a message like:

sent 29,890,197 bytes received 40,770 bytes 6,651,326.00 bytes/sec
total size is 76,150,004 speedup is 2.54

If your backup works fine, create a CRON job for the rsync command you executed before.

45 9 * * * rsync -avz --delete --exclude-from "/root/exclude.txt" -e "ssh -i /root/.ssh/id_rsa" "/srv/users" [email protected]:daily-backup >/dev/null 2>&1

Tip! Create a second CRON job for a backup once a week to get a weekly backup as well.
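
The key created above has no passphrase and is appended to authorized_keys without options, so anyone who obtains it from the web server gets a normal shell on the backup account. The following added example (not part of the original article) builds an authorized_keys entry that accepts the key only from the web server's address and forces it into rsync's rrsync helper. Assumptions: the rrsync path /usr/local/bin/rrsync, the account directory /home/backupuser, the address 203.0.113.10 and the key text are placeholders.

```shell
#!/bin/sh
# Added example: build a restricted authorized_keys entry for the backup key.

# Assumed install location of rsync's "rrsync" helper on the backup server.
RRSYNC=/usr/local/bin/rrsync

# restricted_key_line SRC_IP DIR PUBKEY
# Print an authorized_keys line that only accepts the key from SRC_IP and
# forces every login into rrsync confined to DIR (no shell, no forwarding).
restricted_key_line() {
    rk_ip=$1; rk_dir=$2; rk_key=$3

    # Exactly one line, and it must start like an OpenSSH public key.
    if [ "$(printf '%s\n' "$rk_key" | grep -c '')" -ne 1 ]; then
        echo "public key must be a single line" >&2; return 1
    fi
    case $rk_key in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "not an OpenSSH public key" >&2; return 1 ;;
    esac

    # Allow only characters that cannot break out of the quoted options.
    case $rk_ip in
        ''|*[!0-9A-Fa-f.:/]*) echo "bad source address" >&2; return 1 ;;
    esac
    case $rk_dir in
        /*[!A-Za-z0-9._/-]*|[!/]*|'') echo "bad directory" >&2; return 1 ;;
    esac

    printf 'from="%s",command="%s %s",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s\n' \
        "$rk_ip" "$RRSYNC" "$rk_dir" "$rk_key"
}

# Constructed values: documentation IP, hypothetical account, fake key body.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQexample root@vps1'
restricted_key_line 203.0.113.10 /home/backupuser "$SAMPLE_KEY"
```

Put the printed line into ~/.ssh/authorized_keys on the backup server in place of the bare key. rrsync resolves paths relative to its directory, so with the account's home directory as DIR the destination “daily-backup” used above still works.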

NewRelic server monitoring

NewRelic offers several monitoring options. I used PHP application monitoring for a while, but it doesn’t deliver accurate data for the PHP-FPM processes. I use server monitoring for all my servers, to get some basic information and notifications whenever my server is in trouble. To install NewRelic follow these steps (you need to signup for an account to get your own (free) license key).

# echo deb http://apt.newrelic.com/debian/ newrelic non-free >> /etc/apt/sources.list.d/newrelic.list
# wget -O- https://download.newrelic.com/548C16BF.gpg | apt-key add -
# apt-get update
# apt-get install newrelic-sysmond
# nrsysmond-config --set license_key=YOUR_LICENSE_KEY
# /etc/init.d/newrelic-sysmond start

This is currently my additional configuration for each new VPS I use with ServerPilot on top. If you’d like to monitor your server, I suggest installing the tool htop:

# apt-get install htop

To get detailed information about RAM usage, you can try this Python script from Pixelb. I use this script from the root directory like:

# cd ~
# wget https://raw.githubusercontent.com/pixelb/ps_mem/master/ps_mem.py
# python ~/ps_mem.py -s -w 15

Please leave a comment if you have any question about this “guide” or if you have any suggestions.

35 thoughts on “First steps after ServerPilot has been installed”

  1. Hi,

    nice guide! I’m also very happy with my ServerPilot VPS at Vultr. I have an addition for the UFW firewall part. The following two steps allow you to limit MySQL access for a single server IP:

    First configure MySQL to listen to more than just localhost, edit the config file with

    nano /etc/mysql/my.cnf

    and add a “#” character to this row bind-address = 127.0.0.1.

    Restart MySQL

    service mysql restart

    Now add the following firewall rule to UFW (don’t forget to add your server’s IP address, too)

    ufw allow from xxx.xxx.xxx.xxx to any port 3306 proto tcp

    Read more about this feature on the ServerPilot website:
    https://serverpilot.io/community/articles/connect-to-mysql-remotely.html

  2. Thanks for the guide!
    I use mod_status on my server to get more information about current connections. It’s very useful if your server or website is getting a lot of visitors from a bot or hacker. I add the following code into the .htaccess file from phpMyAdmin app (add your own IP address)

    <Files server-status>
    SetHandler server-status
    Require ip xxx.xxx.xxx.xxx
    </Files>
    

    Access the server status page by using the hostname or IP address http://vps1.yourdomain.com/server-status

  3. Nice Guide! I’m sure I will follow your advice for my next ServerPilot powered VPS.
    For my current VPS I’m using the simple bash backup script: http://sourceforge.net/projects/simplebashbu/
    The script doesn’t need a lot of server resources, actually I didn’t notice the compression of files bigger than 3GB!
    The script is very easy to use by changing these options:

    # Which day of the week do we want to do full backups? 0=Sunday
      LEVEL0DAY=0
    # Where to create the backups; It should already exist
      BACKUP_DIR=/mnt/backups/fwatl01
    # Filesystems to backup separated by spaces and the entire string in double quotes; each must start with /
      FILESYSTEMS="/root /etc /var/lib/rpm /home /var/named"
    # Should we email results? Also should we email critical errors?  0=false, 1=true 
      EMAIL=1
    # EMAIL address to send results to
      [email protected]
    # Email Subject
      EMAILSUBJECT="$HOSTNAME Backup"
    # Only keep last weeks level0 backup (0) or keep all lvl 0 backups (1).  Keeping all data may take a lot of space!
      KEEPALL=0
    # Do we want to compress the backup file using gzip? 0=false, 1=true
      COMPRESS=1
    # Should we compress the log file when we are done?  0=false, 1=true
      COMPRESSLOG=1
    # If we are compressing, what level do we use?
      COMPRESSLEVEL=6
    # Determines whether we see all output to screen. It will still go to log regardless of this value.   0=false, 1=true 
      QUIET=1
    # Would you like to get detailed information from tar and gzip? 0=false, 1=true   
      VERBOSE=1
    
  4. Great article. Did you make any other additions or changes in regard to security? (Ie; change ssh port, install mod_security, install a firewall like cfs, add fail2ban, etc.?)

    1. Hi Daniel,
      I didn’t change the SSH port because I block SSH access right in the firewall. It’s not advised to use mod_security together with ServerPilot.
      I’ve used CSF before and must say after > 5 years I’m glad that I don’t need it anymore. The biggest advantage is that your ServerPilot installation is really a webserver. No more ports or services you don’t need.

  5. Great tutorial, thanks. Could Monit be a useful add-on to this list?

    1. Hi Dave,

      sure you can use Monit to monitor your server, but personally I trust/like New Relic. Before you install the agent you should check it with ServerPilot support.

  6. Hi, thank you for the guide.

    I would like to know if I have to disable root access and if yes, to do it before or after I installed Serverpilot?

    Thank you

    1. Hi,

      to install the Serverpilot you need a fresh install of Ubuntu 14.04 LTS. Nothing installed beside the OS and yes you need root access.
      Just try it, get a free month of Vultr hosting and install ServerPilot. The paid version of SP rocks: They updated the panel recently and SSL is available by a single mouse click and you didn’t need to buy or install a SSL certificate!

  7. Hey,

    Awesome article, helped me a lot so thank you for it! What do you recommend against Bruteforce attacks? Disabling root access, getting rid of passwords and use SSH keys (or just long passwords?) are on my list. Do you have any experience with Fail2Ban + Serverpilot? Last time I tried to install it, I’ve messed up nginx somehow so I’m not sure how to give it a go again.

    Thanks!

    1. Hi Andre,
      Bruteforce attacks are a big problem and most WordPress websites are going down if you don’t tweak them. @Serverpilot they don’t advise to use fail2ban, their comment was “In general, as long as you use strong passwords, you don’t need fail2ban.” A later question regarding SSH + security was that other users tried it and it would be better to try fail2ban on a test server first. If you like to use UFW together with fail2ban, the list of rules might be very long after some days :) If you’re the only administrator on a server, then block port 22 for everyone except your own IP address.

  8. Really useful guide.

    We have just installed WordPress on Vultr using Server Pilot and are looking at improving speeds and security and this guide came in very handy.

  9. I just realised Vultr seem to set the hostname automatically now, it seems.

    1. Hi Adam,

      thanks for sharing. What do you mean with “set the hostname automatically…”
      Do you say a new server doesn’t have the hostname “vultr” anymore?
      That would be great news.

  10. About Rsync Backups above.

    In the code:
    # cat ~/.ssh/id_rsa.pub | ssh [email protected] "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
    Do I have to change “user” and what IP address do I put in here the main server IP or the backup server IP?

    1. You need to replace “user” with Linux user name and the IP address from your backup server. This action will copy your public SSH key to your backup server.

    1. Hi Kai,

      do I mention on my article that ServerPilot offers this feature? That’s why I install NewRelic to all my servers.
      It’s not perfect because ServerPilot’s PHP-FPM setup reflects the memory usage reported to NewRelic, but that is not really a problem.

    1. [email protected]” is the user/server where you like to upload the backups. Let’s say the user on your backup server (1.2.3.4) is named “backupuser”, it must be “[email protected]” (sorry for the delay, I was very busy the last week)

  11. Using automysqlbackup as detailed above and changed the backup directory to: “/srv/users/serverpilot/apps/automysqlbackup” and the sql.gz files are all in there on the source server. BUT when using rsync like you have detailed, the directory structure goes over to the backup server (e.g. apps/automysqlbackup/daily/mswhs) but the sql.gz files are not in there?

    1. You need to run the rsync / backup task as root user. This is the only way to access the files for all users. Use “root” for your backup tasks even if you have only the serverpilot user in the free version.

  12. Also regarding rsync Linode recommends using the “--exclude-from” and “_$(date -I)” parameters like this:

    rsync -ahvz --delete --exclude-from "/root/exclude.txt" --link-dest=~/backups/daily_orig [email protected]:~ ~/backups/daily_$(date -I)

    would you recommend those 2 values?

    1. Actually I can’t answer this, I use my own “rsync” example on many different servers for years now and never tried Linode as a production server until now. My next server will be on Linode for sure. Their price is very attractive now, after they raised the amount of RAM for the servers :)

  13. saurabh kartikay says:

    Great article and guide. I was on my way to install Comodo WAF for a test and suddenly your article showed up on Google. Can you suggest why mod_security can’t be used with ServerPilot? What are the downsides, is this going to affect website performance or server performance?
    Thank you

    1. Hi,
      ServerPilot doesn’t support mod_security. You can install that Apache module on your own but it might break your server.

  14. Using your Rsync backups detailed above does it just keep the one day backup and overwrite it daily? Also do the backups on the backup server use up all the space available over time?

    1. Yes there is only one version, you need to create multiple backups if you need more than one. Tip! Sync the files to your own desktop PC and use the Dropbox revision functionality.

      1. Could you explain more how to Sync the files to my own desktop PC and use the Dropbox revision functionality please?

        1. Actually this works only if your Desktop PC is Linux based (at least while using the rsync function)
          1) sync the files from your server to your PC using rsync
          2) Include the target directory in Dropbox

          Now every file change is monitored by Dropbox (check the Dropbox revision system online). The revision period is limited for the free version of Dropbox.

  15. Philip Churchill says:

    I’m running the above command:
    rsync -avz --delete --exclude-from "/root/exclude.txt" -e "ssh -i /root/.ssh/id_rsa" "/srv/users" [email protected]:daily-backup
    But it’s saying:
    rsync: link_stat "/srv/users" failed: No such file or directory (2)
    Any ideas

    1. Hi Philip,

      you need to run this command as root (sudo). You’re doing this on a server installed with ServerPilot right?

  16. You are using the new relic apm? What agents did you install? I am using the free version of heatshield.io….it’s a firewall service…a sister company of server pilot. It seems that new relic needs to have my firewall let it communicate stats….but it seems the free version of heatshield won’t allow me to setup custom rules?

    1. Hi,
      I’m using heatshield.io too, but only new relic server monitoring. This combination works well.
