If you see this message in your online ServerPilot panel, your Ubuntu web server is ready to host your websites. Or maybe not?
If you host only a single WordPress website on your VPS, this setup might be enough. If you’d like to do a bit more, then follow these steps to make your server just a bit better.
General settings and useful tools
Open an SSH session as root with the command below and enter your root password. If you use SSH keys for authentication, a password is not necessary.
# ssh root@xxx.xxx.xxx.xxx
Most of my servers are located in Amsterdam, and the first thing I do is change the locale settings (location and time settings):
# locale-gen en_US en_US.UTF-8 nl_NL nl_NL.UTF-8
# dpkg-reconfigure locales
# dpkg-reconfigure tzdata
After this you need to choose your location to get the right time zone. You will see something like:
Current default time zone: 'Europe/Amsterdam'
Local time is now: Thu May 21 22:10:00 CEST 2015.
Universal Time is now: Thu May 21 20:10:00 UTC 2015.
Optional for Vultr servers
I have a mix of servers from DigitalOcean and from Vultr. The following step is for Vultr servers only. To add your hostname to the server, you need to edit the file “/etc/hostname”. Replace guest.vultr with your own hostname (e.g. vps1.yourdomain.com). Next, use the following command to set the hostname permanently:
# hostname -F /etc/hostname
After you’ve opened a new SSH session, you will notice the change in your SSH client window.
Before I continue to the next part I will install the tool unzip because most scripts are compressed. Enter this command to install the tool. I like to install imagemagick, too.
# apt-get install zip unzip imagemagick
MySQL and phpMyAdmin
ServerPilot doesn’t provide a lot of features for MySQL. You can create databases with a single user from their panel. For all other database transactions you need a client like phpMyAdmin. I use the “default” app for phpMyAdmin. Create in ServerPilot your first app and name it “0default”. Skip the domain name and choose the user “serverpilot”. After the app is created return to the command line from your server and enter:
# su serverpilot
$ cd ~/apps/0default
From here I will download the latest version of phpMyAdmin, unzip the zip file and move the files into the “public” directory:
$ wget https://github.com/phpmyadmin/phpmyadmin/archive/STABLE.zip
$ unzip STABLE.zip
$ mv phpmyadmin-STABLE/* public/
With the last action you’re able to use phpMyAdmin from your server’s hostname or IP address. Let’s limit the access to phpMyAdmin for your own IP address. Create inside the “public” directory a file named “.htaccess” and paste this code (using your own IP address).
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Password Protected Area"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from xxx.xxx.xxx.xxx
The default time-out for your phpMyAdmin session is limited to 14400 seconds. Since the access is limited to your IP address, you can raise that value. Open the file “config.sample.inc.php” and add this row (also add a value for $cfg['blowfish_secret']):
$cfg['LoginCookieValidity'] = 86400; // 1 day
Save the file under the new name “config.inc.php”. Create another file with the name “.user.ini” and add this directive for the PHP configuration.
session.gc_maxlifetime = 86400
The tool AutoMySQLBackup is a great and easy way to backup your databases frequently. As root enter:
# apt-get install automysqlbackup
Before we run this tool the first time, I like to change the default backup location. Edit the file “/etc/default/automysqlbackup” and change the BACKUPDIR value to:
BACKUPDIR="/srv/users/serverpilot/apps/automysqlbackup"
Run AutoMySQLBackup the first time (as root) with:
# automysqlbackup
As the name suggests, AutoMySQLBackup will create the database backups automatically from now on. Let’s create a cron job for mysqlcheck, a tool that will optimize all your MySQL tables. As root, enter
# crontab -e
and place this job to run the tool every day at 8:15 am.
15 8 * * * mysqlcheck -o --all-databases > /dev/null 2>&1
UFW Firewall
The default firewall settings are set by ServerPilot. If you check these settings with
# ufw status
you will see something like:
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
68/udp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
68/udp (v6)                ALLOW       Anywhere (v6)
These firewall settings are good except for port 22 (SSH). It’s a good strategy to restrict the access for the SSH port to your own IP address (or more if you work on multiple locations). First disable the firewall option inside the ServerPilot control panel, otherwise SP will overrule your modifications later.
Now we need to re-enable the UFW from the command line (we need to add the default rules again). Don’t destroy your current SSH session!
# ufw enable
# ufw allow www
# ufw allow https/tcp
# ufw allow bootpc/udp
# ufw allow ssh/tcp
If your home or office location has a static IP address, you can deny SSH access and allow access to all ports and services from your own IP address.
# ufw delete allow ssh/tcp
# ufw allow from xxx.xxx.xxx.xxx
Open a second terminal and connect to your server to test that your firewall rules don’t deny your own access.
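A way to check the result of the steps above without reading the table by eye, as an added example that is not part of the original post: it parses `ufw status` output and lists rules that still open a port to “Anywhere”. The function names, the sample tables and the address 203.0.113.5 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: audit `ufw status` output.
# Prints every ALLOW rule that opens PORT to "Anywhere".
# Limitation: rules made from app profiles (e.g. "OpenSSH") list a name
# instead of a port number and are not matched here.

open_to_anywhere() {    # usage: ufw status | open_to_anywhere 22
    awk -v port="$1" '
    {
        a = 0
        for (i = 1; i <= NF; i++) if ($i == "ALLOW") { a = i; break }
        if (a < 2) next                     # header, separator, DENY, blank
        split($1, to, "/")                  # "22/tcp" -> to[1] = "22"
        from = $(a + 1)
        if (from == "IN") from = $(a + 2)   # "ALLOW IN" in verbose output
        if (to[1] == port && from == "Anywhere") print
    }'
}

ssh_is_restricted() {   # reads `ufw status` on stdin; 0 = port 22 not world-open
    [ -z "$(open_to_anywhere 22)" ]
}

# Constructed sample: the ServerPilot default rules shown in the article.
sample_default() {
cat <<'EOF'
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
68/udp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
EOF
}

# Constructed sample: after "ufw delete allow ssh/tcp" and
# "ufw allow from 203.0.113.5" (203.0.113.5 is a placeholder admin IP).
sample_locked() {
cat <<'EOF'
To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
68/udp                     ALLOW       Anywhere
Anywhere                   ALLOW       203.0.113.5
80/tcp (v6)                ALLOW       Anywhere (v6)
EOF
}

sample_default | ssh_is_restricted || echo "default rules: SSH open to Anywhere"
sample_locked  | ssh_is_restricted && echo "locked rules: SSH limited to allowed IPs"
```

On a live server, run it as root with `ufw status | open_to_anywhere 22`; empty output means no rule opens SSH to everyone.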
Rsync backups
I use the standard backup function offered by DO or Vultr for all my servers, but this option is useful for a full server recovery. If you need to restore single files or apps, it’s better to have a second backup option. I use a 3rd party backup location and rsync for secondary backups.
First I create a pair of SSH keys (as root user):
# ssh-keygen
Hit enter to accept the default location and leave the pass-phrase empty (twice). Next use the following command to copy your public key to your external backup location.
# cat ~/.ssh/id_rsa.pub | ssh user@123.45.67.89 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Create on your backup location a directory called “daily-backup” to avoid a missing directory error (I do this using my sFTP client). I backup all user directories including the user “serverpilot” to include my database backups, too.
I don’t like to backup the files from the “tmp” and “log” directory. So I add them (and maybe others) to a file called “exclude.txt”, which I create inside the root directory. Add the following rules to the file.
log/* tmp/*
Now it’s time to run the first backup, execute this command:
# rsync -avz --delete --exclude-from "/root/exclude.txt" -e "ssh -i /root/.ssh/id_rsa" "/srv/users" user@123.45.67.89:daily-backup
If your first backup was successful, you will see a list of files and at the end a message like:
sent 29,890,197 bytes received 40,770 bytes 6,651,326.00 bytes/sec
total size is 76,150,004 speedup is 2.54
If your backup works fine, create a CRON job for the rsync command you executed before.
45 9 * * * rsync -avz --delete --exclude-from "/root/exclude.txt" -e "ssh -i /root/.ssh/id_rsa" "/srv/users" user@123.45.67.89:daily-backup >/dev/null 2>&1
Tip! Create a second CRON job for a backup once a week to get a weekly backup as well.
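The backup key created above has no passphrase, so anyone who obtains /root/.ssh/id_rsa from the web server can log in to the backup account. The following added example (not part of the original post) builds an authorized_keys entry for the backup host that accepts the key only from the web server’s address and disables PTY and forwarding, using the standard sshd options `from=`, `no-pty`, `no-port-forwarding`, `no-agent-forwarding` and `no-X11-forwarding`. The function names, the address 203.0.113.10 and the key text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Intended for the BACKUP host.
# The key made with ssh-keygen above has no passphrase, so limit what it can
# do: accept it only from the web server's IP and disable PTY and forwarding
# (rsync over SSH needs neither).

KEY_OPTS='no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding'

# restricted_entry SOURCE_IP "PUBLIC KEY LINE" -> prints an authorized_keys line
restricted_entry() {
    ip=$1
    key=$2
    case $ip in
        ''|*[!0-9a-fA-F.:]*) echo "bad source address: $ip" >&2; return 1 ;;
    esac
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;   # bare public key only
        *) echo "not a public key line" >&2; return 1 ;;
    esac
    printf 'from="%s",%s %s\n' "$ip" "$KEY_OPTS" "$key"
}

# no_option_entries: reads an authorized_keys file on stdin and prints the
# entries that start directly with a key type, i.e. carry no options at all.
no_option_entries() {
    awk '$1 ~ /^(ssh-|ecdsa-|sk-)/'
}

# Constructed values: 203.0.113.10 stands for the web server, the key is fake.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EXAMPLEONLY root@vps1'
restricted_entry 203.0.113.10 "$SAMPLE_KEY"
```

Replace the plain key line in ~/.ssh/authorized_keys on the backup host with the printed line, then run `no_option_entries < ~/.ssh/authorized_keys` to see which entries are still unrestricted.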
NewRelic server monitoring
NewRelic offers several monitoring options. I used PHP application monitoring for a while, but it doesn’t deliver accurate data for the PHP-FPM processes. I use server monitoring for all my servers, to get some basic information and notifications whenever my server is in trouble. To install NewRelic follow these steps (you need to sign up for an account to get your own (free) license key).
# echo deb http://apt.newrelic.com/debian/ newrelic non-free >> /etc/apt/sources.list.d/newrelic.list
# wget -O- https://download.newrelic.com/548C16BF.gpg | apt-key add -
# apt-get update
# apt-get install newrelic-sysmond
# nrsysmond-config --set license_key=YOUR_LICENSE_KEY
# /etc/init.d/newrelic-sysmond start
This is currently my additional configuration for each new VPS I use with ServerPilot on top. If you like to monitor your server, I suggest installing the tool htop:
# apt-get install htop
To get detailed information about RAM usage, you can try this Python script from Pixelb. I use this script from the root directory like:
# cd ~
# wget https://raw.githubusercontent.com/pixelb/ps_mem/master/ps_mem.py
# python ~/ps_mem.py -s -w 15
Please leave a comment if you have any questions about this “guide” or if you have any suggestions.
Hi,
nice guide! I’m also very happy with my ServerPilot VPS at Vultr. I have some addition for the UFW firewall part. The following two steps allow you to limit MySQL access for a single server IP:
First configure MySQL to listen to more than just localhost, edit the config file with
and add a “#” character to this row
bind-address = 127.0.0.1
Restart MySQL.
Now add the following firewall rule to UFW (don’t forget to add your server’s IP address, too)
Read more about this feature on the ServerPilot website:
https://serverpilot.io/community/articles/connect-to-mysql-remotely.html
Thanks for the guide!
I use mod_status on my server to get more information about current connections. It’s very useful if your server or websites are getting a lot of visitors from a bot or hacker. I add the following code into the .htaccess file from the phpMyAdmin app (add your own IP address)
Access the server status page by using the hostname or IP address
http://vps1.yourdomain.com/server-status
Nice Guide! I’m sure I will follow your advice for my next ServerPilot powered VPS.
For my current VPS I’m using the simple bash backup script: http://sourceforge.net/projects/simplebashbu/
The script doesn’t need a lot of server resources, actually I didn’t notice the compression of files bigger than 3GB!
The script is very easy to use by changing these options:
Great article. Did you make any other additions or changes in regard to security? (Ie; change ssh port, install mod_security, install a firewall like cfs, add fail2ban, etc.?)
Hi Daniel,
I didn’t change the SSH port because I block SSH access right in the firewall. It’s not advised to use mod_security together with ServerPilot.
I’ve used CSF before and must say after > 5 years I’m glad that I don’t need it anymore. The biggest advantage is that your ServerPilot installation is really a webserver. No more ports or services you don’t need.
Great tutorial, thanks. Could Monit be a useful add-on to this list?
Hi Dave,
sure you can use Monit to monitor your server, but personally I trust/like New Relic. Before you install the agent you should check it with ServerPilot support.
If you need more information about the UFW firewall, then check this post on DigitalOcean:
https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-14-04
Many example rules you can use :)
Hi, thank you for the guide.
I would like to know if I have to disable root access and if yes, to do it before or after I installed Serverpilot?
Thank you
Hi,
to install the Serverpilot you need a fresh install of Ubuntu 14.04 LTS. Nothing installed beside the OS and yes you need root access.
Just try it, get a free month of Vultr hosting and install ServerPilot. The paid version of SP rocks: They updated the panel recently and SSL is available by a single mouse click and you didn’t need to buy or install a SSL certificate!
Hey,
Awesome article, helped me a lot so thank you for it! What do you recommend against Bruteforce attacks? Disabling root access, getting rid of passwords and use SSH keys (or just long passwords?) are on my list. Do you have any experience with Fail2Ban + Serverpilot? Last time I tried to install it, I’ve messed up nginx somehow so I’m not sure how to give it a go again.
Thanks!
Hi Andre,
Bruteforce attacks are a big problem and most WordPress websites are going down if you don’t tweak them. @Serverpilot they don’t advise to use fail2ban, their comment was “In general, as long as you use strong passwords, you don’t need fail2ban.” A later question regarding SSH + security was that other users tried it and it would be better to try fail2ban on a test server first. If you like to use UFW together with fail2ban, the list of rules might be very long after some days :) If you’re the only administrator on a server, then block port 22 for everyone except your own IP address.
Really useful guide.
We have just installed WordPress on Vultr using Server Pilot and are looking at improving speeds and security and this guide came in very handy.
I just realised Vultr seem to set the hostname automatically now, it seems.
Hi Adam,
thanks for sharing. What do you mean with “set the hostname automatically…”
Do you say a new server doesn’t have the hostname “vultr” anymore?
That would be great news.
About Rsync Backups above.
In the code:
# cat ~/.ssh/id_rsa.pub | ssh user@123.45.67.89 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Do I have to change “user” and what IP address do I put in here the main server IP or the backup server IP?
You need to replace “user” with the Linux user name and the IP address from your backup server. This action will copy your public SSH key to your backup server.
Serverpilot does not offer Server alerts yet (Aug 2016) when the server is down, neither does Digital Ocean.
For an automated script (which, however, needs a cron job setup), see the discussion at https://www.digitalocean.com/community/questions/alert-notification-when-server-is-down
Hi Kai,
do I mention in my article that ServerPilot offers this feature? That’s why I install NewRelic on all my servers.
It’s not perfect because ServerPilot’s PHP-FPM setup reflects the memory usage reported to NewRelic, but that is not really a problem.
Regarding Rsync backups:
In your code you state “user@123.45.67.89” to access “/srv/users”.
I have tried this but user “serverpilot” does not have access to “/srv/users”, so should I allow “root” so it’s: “root@123.45.67.89”
“user@123.45.67.89” is the user/server where you like to upload the backups. Let’s say the user on your backup server (1.2.3.4) is named “backupuser”, it must be “backupuser@1.2.3.4” (sorry for the delay, I was very busy the last week)
Using automysqlbackup as detailed above and changed the backup directory to: “/srv/users/serverpilot/apps/automysqlbackup” and the sql.gz files are all in there on the source server. BUT when using rsync like you have detailed, the directory structure goes over to the backup server (e.g. apps/automysqlbackup/daily/mswhs) but the sql.gz files are not in there?
You need to run the rsync / backup task as root user. This is the only way to access the files for all users. Use “root” for your backup tasks even if you have only the serverpilot user in the free version.
Also regarding rsync, Linode recommends using the “--exclude-from” and “_$(date -I)” parameters like this:
rsync -ahvz --delete --exclude-from "/root/exclude.txt" --link-dest=~/backups/daily_orig serverpilot@00.00.00.00:~ ~/backups/daily_$(date -I)
would you recommend those 2 values?
Actually I can’t answer this, I use my own “rsync” example on many different servers for years now and never tried Linode as a production server until now. My next server will be on Linode for sure. Their price is very attractive now, after they raised the amount of RAM for the servers :)
Great article and guide. I was on my way to install Comodo WAF for a test and suddenly your article showed up on Google. Can you suggest why mod_security can’t be used with ServerPilot? What are the downsides? Is this going to affect website performance or server performance?
Thank you
Hi,
ServerPilot doesn’t support mod_security. You can install that Apache module on your own but it might break your server.
Using your Rsync backups detailed above does it just keep the one day backup and overwrite it daily? Also do the backups on the backup server use up all the space available over time?
Yes, there is only one version, you need to create multiple backups if you need more than one. Tip! Sync the files to your own desktop PC and use the Dropbox revision functionality.
Could you explain more how to Sync the files to my own desktop PC and use the Dropbox revision functionality please?
Actually this works only if your Desktop PC is Linux based (at least while using the rsync function)
1) Sync the files from your server to your PC using rsync
2) Include the target directory in Dropbox
Now every file change is monitored by Dropbox (check the Dropbox revision system online). The revision period is limited for the free version of Dropbox.
I’m running the above command:
rsync -avz --delete --exclude-from "/root/exclude.txt" -e "ssh -i /root/.ssh/id_rsa" "/srv/users" root@139.162.228.129:daily-backup
But it’s saying:
rsync: link_stat "/srv/users" failed: No such file or directory (2)
Any ideas
Hi Philip,
you need to run this command as root (sudo). You’re doing this on a server installed with ServerPilot right?
You are using the New Relic APM? What agents did you install? I am using the free version of heatshield.io... it’s a firewall service... a sister company of ServerPilot. It seems that New Relic needs to have my firewall let it communicate stats... but it seems the free version of Heatshield won’t allow me to set up custom rules?
Hi,
I’m using heatshield.io too, but only new relic server monitoring. This combination works well.
I am using ServerPilot with a Vultr VPS. On the same server I am running 3-5 different ServerPilot apps (websites). All of them are WordPress, but the issue is the same: no email arrives in my Gmail account when a user submits the contact form. It says “form is submitted” but I never get the email. Also, I host the domain on Cloudflare and have done the required DNS settings, but I am still getting no email. Please let me know how to solve this issue; otherwise I will have to use cPanel, which is very costly and out of my budget. Please help me out.
You need to use an external SMTP service like I do. Mailgun or PostmarkApp are great providers.