Prior to Setting Up
- Make sure client is set up on CRM
- Make sure client is set up on recurring invoices and direct debit systems
Setting up Google Cloud
Google Cloud Documentation: https://cloud.google.com/compute/docs/
Create Project
- Go to https://console.cloud.google.com/project and Sign In
- Click Create Project
- Type [PROJECTNAME]
- Click Create
- Add any other people you need to work on the project through IAM
Create Instance
- Click [PROJECTNAME]
- Click Menu (3 bars) >> Compute Engine
- Click Create Instance
- Enter the following:
- Name: [INSTANCENAME]
- Zone: europe-west1-d
- Machine Type: [MACHINETYPE]
- Click Change in Boot disk and choose:
- CentOS 7
- Boot disk type: SSD persistent disk
- Size: [DISKSIZE]
- In Firewall
- tick Allow HTTP traffic
- tick Allow HTTPS traffic
- Click Create
- Make a note of the IP address in the project variables list
Reserve IP Address
- Click Menu (3 bars) >> VPC network >> External IP addresses
- Click Ephemeral on the row that has VM instance [INSTANCENAME]
- Select Static
- In Name enter [INSTANCENAME]
- Click Reserve
Create Firewall Rules
- In Google Cloud click Firewall Rules
- Click CREATE FIREWALL RULE
- In Name enter cpanel
- In Source filter enter Allow from any source (0.0.0.0/0)
- In Allowed protocols and ports enter:
tcp:20; tcp:21; tcp:22; tcp:25; tcp:26; tcp:37; tcp:43; tcp:53; udp:53; tcp:80; tcp:110; tcp:113; tcp:143; tcp:443; tcp:465; udp:465; tcp:587; tcp:783; udp:783; tcp:873;udp:873; tcp:993; tcp:995; tcp:2073; tcp:2077; tcp:2078; tcp:2079; tcp:2080; tcp:2082; tcp:2083; tcp:2086; tcp:2087; tcp:2089; tcp:2095; tcp:2096; tcp:2525; udp:2525; tcp:3306; udp:50000-60000;tcp:50000-60000
- Click Create
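The same rule built with the gcloud CLI from the port list above, as an added example that is not part of the original runbook. It also shows how to keep the admin-only ports (SSH, WHM and MySQL) in a second rule limited to your own source range instead of 0.0.0.0/0; which ports count as admin-only, and the [PROJECTNAME] and [ADMIN_CIDR] placeholders, are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not from the original runbook: create the "cpanel" firewall
# rule with gcloud instead of the console, using the port list from the page.
# Assumptions: gcloud is installed and authenticated; [PROJECTNAME] and
# [ADMIN_CIDR] are placeholders; the admin-only port split is a choice.

# The page's list, verbatim (entries separated by ';', spacing irregular).
PORTS='tcp:20; tcp:21; tcp:22; tcp:25; tcp:26; tcp:37; tcp:43; tcp:53; udp:53; tcp:80; tcp:110; tcp:113; tcp:143; tcp:443; tcp:465; udp:465; tcp:587; tcp:783; udp:783; tcp:873;udp:873; tcp:993; tcp:995; tcp:2073; tcp:2077; tcp:2078; tcp:2079; tcp:2080; tcp:2082; tcp:2083; tcp:2086; tcp:2087; tcp:2089; tcp:2095; tcp:2096; tcp:2525; udp:2525; tcp:3306; udp:50000-60000;tcp:50000-60000'

# Ports only administrators need: SSH, WHM (plain and SSL) and MySQL.
# These go into a second rule limited to ADMIN_CIDR rather than the whole
# internet (assumed split; adjust to what your clients actually use).
ADMIN_PORTS='tcp:22 tcp:2086 tcp:2087 tcp:3306'
ADMIN_CIDR='[ADMIN_CIDR]'   # placeholder, e.g. your office egress range
PROJECT='[PROJECTNAME]'     # placeholder

# allow_spec LIST DROP: turn "tcp:20; tcp:21;udp:53" into gcloud's
# comma-separated "tcp:20,tcp:21,udp:53", leaving out any entry named in DROP
# (DROP is space-separated).
allow_spec() {
  _list=$1 _drop=" $2 " _out=''
  for _p in $(printf '%s' "$_list" | tr ';' ' '); do
    case "$_drop" in *" $_p "*) continue ;; esac
    _out="${_out:+$_out,}$_p"
  done
  printf '%s' "$_out"
}

# spec_count SPEC: number of entries in a comma-separated spec (sanity check).
spec_count() { printf '%s' "$1" | tr ',' '\n' | grep -c . ; }

# Print the two gcloud commands; actually run them only when APPLY=1 is set,
# so the script is safe to execute as a dry run first.
firewall_rules() {
  _pub=$(allow_spec "$PORTS" "$ADMIN_PORTS")
  _adm=$(allow_spec "$(printf '%s' "$ADMIN_PORTS" | tr ' ' ';')" '')
  set -- \
    "gcloud compute firewall-rules create cpanel --project=$PROJECT --direction=INGRESS --source-ranges=0.0.0.0/0 --allow=$_pub" \
    "gcloud compute firewall-rules create cpanel-admin --project=$PROJECT --direction=INGRESS --source-ranges=$ADMIN_CIDR --allow=$_adm"
  for _cmd in "$@"; do
    printf '%s\n' "$_cmd"
    if [ "${APPLY:-0}" = 1 ]; then eval "$_cmd"; fi
  done
  return 0
}

firewall_rules
```

Run it once without APPLY to review the two commands, then with APPLY=1 to create the rules.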
Preparing Server on SSH
Update Root Password
- Click SSH button on the instance row
sudo su -
passwd
- Using LastPass generate a new password, copy it, and make a note of it
- Paste the password and press enter (it will look like there has been nothing pasted in, still press enter)
- Paste the password again and press enter
- Add the password to LastPass
Installing screen
yum install screen
y
Installing wget
yum install wget
y
Change Hostname
- Change Hostname:
hostname [SERVERNAME]
Create A Record
- Add an A record to your DNS management system for [SERVERNAME] with the IP address, which can be found on Google Cloud under your project instance
Installing Cloud Linux
Buy Cloudlinux License
Downloading Cloudlinux
- On SSH enter the following:
wget https://repo.cloudlinux.com/cloudlinux/sources/cln/cldeploy
sh cldeploy -k [CLOUDLINUX KEY]
- On completion, on SSH enter the following:
reboot
Installing WHM
WHM Documentation: https://documentation.cpanel.net/display/ALD/WebHost+Manager+-+WHM+User+Guide
Buy WHM License
- Go to https://www.buycpanel.com (choose VPS license not dedicated)
Downloading WHM
- On SSH enter the following:
sudo su -
systemctl disable NetworkManager.service
screen
cd /home && curl -o latest -L https://securedownloads.cpanel.net/latest && sh latest
/usr/local/cpanel/cpkeyclt
/usr/local/cpanel/bin/checkallsslcerts
Initial WHM Setup
- Navigate to http://[SERVERNAME]:2087
- Login using root as the username
- Step 1: Click I Agree/Go To Step 2
- Step 2:
- Enter your chosen email as the Server Contact Email Address (e.g. [email protected])
- Enter 8.8.8.8 as the Primary Resolver
- Enter 8.8.4.4 as the Secondary Resolver
- Click Save & Go to Step 3
- Click Skip This Step and Use Default Settings
- Click Save & Go to Step 5
- Click Skip This Step and Use Default Settings
- Click Finish Setup Wizard
- Click Go to WHM
- Click Save Settings
Configuring WHM Settings
Configure Apache
You can find an Apache config online and import it via EasyApache 4, or follow the steps below:
- Go to https://[SERVERNAME]:2087 and login as root
- Go to Software >> EasyApache 4
- Click Customize
- Make sure the following is ticked.
- Click Apache Modules
- mod-alt-passenger
- mod_bwlimited
- mod_cgi
- mod_cloudflare
- mod_deflate
- mod_env
- mod_evasive
- mod_expires
- mod_headers
- mod_hostinglimits
- mod_mpm_prefork
- mod_proxy
- mod_proxy_fcgi
- mod_proxy_http
- mod_proxy_wstunnel
- mod_reqtimeout
- mod_security2
- mod_ssl
- mod_suexec
- mod_suphp
- mod_unique_id
- mod_version
- Click PHP Versions
- php56
- php70
- php71
- php72
- Click PHP Extensions (make sure to tick all versions of each extension)
- libc-client
- pear
- php-bcmath
- calendar
- cli
- common
- curl
- devel
- fileinfo
- fpm
- ftp
- gd
- iconv
- imap
- ioncube10
- litespeed
- mbstring
- mcrypt
- mysqlnd
- pdo
- posix
- soap
- sockets
- xml
- zendguard
- zip
- intl
- runtime
- Click Review
- Click Provision
- Click Done
Apache Config File Optimisations
- Go to Service Configuration >> Apache Configuration
- Click Include Editor
- Under “Post VirtualHost Include” select “All versions” from the dropdown
- In the text area paste the following code:
## EXPIRES CACHING ##
<IfModule mod_expires.c>
# Enable expirations
ExpiresActive On
# Default directive
ExpiresDefault "access plus 1 month"
# My favicon
ExpiresByType image/x-icon "access plus 1 year"
# Images
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/jpg "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
# CSS
ExpiresByType text/css "access plus 1 month"
# Javascript
ExpiresByType application/javascript "access plus 1 year"
# PDF
ExpiresByType application/pdf "access plus 1 month"
# Flash
ExpiresByType application/x-shockwave-flash "access plus 1 month"
</IfModule>
## EXPIRES CACHING ##

## ENABLE GZIP COMPRESSION ##
<IfModule mod_deflate.c>
# Compress HTML, CSS, JavaScript, Text, XML and fonts
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
# Remove browser bugs (only needed for really old browsers)
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent
</IfModule>
## ENABLE GZIP COMPRESSION ##
- Click Update
- Click Restart Apache
Configuring PHP
- Go to Service Configuration >> MultiPHP INI Editor
- Under Select PHP Version go through each version and configure the following:
- allow_url_fopen = Enabled
- Ignore: max_execution_time = 360
- Ignore: max_input_time = 180
- Ignore: memory_limit = 512M
- Ignore: upload_max_filesize = 256M
- Ignore: In “Editor Mode” post_max_size = 256M
- In “Editor Mode” always_populate_raw_post_data = -1
- Click Save
Disable Compiler
- Go to Security Center >> Compiler Access
- Click Disable Compilers
Configure Mod Security2
- Go to Security Center >> ModSecurity™ Vendors
- Click Install and Restart Apache
Configure open_basedir Fix
- Go to Security Center >> PHP open_basedir Tweak
- Tick Enable php open_basedir Protection.
- Click Save
Configure Shell Fork Bomb Protection
- Go to Security Center >> Shell Fork Bomb Protection
- Click Enable Protection
Disable Traceroute
- Go to Security Center >> Traceroute Enable/Disable
- Click Disable
Allow SMTP on Port 2525
- Go to Service Configuration >> Service Manager
- Tick both boxes next to Exim Mail Server (on another port) to 360
- Change Allow exim to listen on a port other than 25. to 2525
- Click Save
Install ClamAV and Munin
- Go to cPanel >> Manage Plugins
- Click Install ClamAV for cPanel
- Click Install Munin for cPanel
Default Show All on List Accounts
- Go to Server Configuration >> Tweak Settings
- Click Display
- Number of accounts per page to display in “List Accounts”. = All
- Click Save
Prevent “nobody” from sending mail & Disable Horde and Squirrel
- Go to Server Configuration >> Tweak Settings
- Click Mail
- Prevent “nobody” from sending mail = On
- Enable Horde Webmail = Off
- Enable Mailman mailing lists = Off
- Enable Roundcube webmail = Off
- Enable SquirrelMail webmail = Off
- Click Save
Restrict Spam on Server
- Go to Service Configuration >> Exim Configuration Manager
- Under the RBLs section:
- Click On for RBL: bl.spamcop.net
- Click On for RBL: zen.spamhaus.org
- Under the Apache SpamAssassin™ Options section
- Click On for Apache SpamAssassin™: Forced Global ON
- Click On for Scan outgoing messages for spam and reject based on the Apache SpamAssassin™ internal spam_score setting
- Click On for Do not forward mail to external recipients if it matches the Apache SpamAssassin™ internal spam_score setting
- Click Save
Change hostname
- Go to Networking Setup >> Change Hostname
- In New Hostname enter: [SNAME].bird.co.uk
- Click Change
Edit default Quota Plan
- Go to Packages >> Edit a Package
- Click default
- Click Edit
- Change the following:
- Disk Quota (MB): 5000
- Monthly Bandwidth (MB): 100000
- Max FTP Accounts: 5
- Max Email Accounts: 0
- Max Email Lists: 0
- Max Databases: 1
- Max Subdomains: 5
- Max Parked Domains: 5
- Max Addon Domains: 5
- Maximum Hourly Email by Domain Relayed: 250
- Maximum percentage of failed or deferred messages a domain may send per hour: 250
- Click Save Changes
Graceful Server Reboot
- Go to System Reboot >> Graceful Server Reboot
- Click Proceed
Configuring SendGrid
SendGrid Documentation: https://sendgrid.com/docs/index.html
Configure Exim on WHM
- Go to https://[SERVERNAME]:2087 and login as root
- Go to Service Configuration >> Exim Configuration Manager
- Click Advanced Editor
- In CONFIG section, under domainlist local_domains enter:
lsearch;/etc/localdomains : localhost : [SERVERNAME] : [GOOGLE INSTANCE NAME] : @
- In daemon_smtp_ports enter:
465 : 25 : 587 : 2525
- In the Section: AUTH box enter:
sendgrid_login:
  driver = plaintext
  public_name = LOGIN
  client_send = : <USER> : <PASS>
- Making sure you replace <USER> and <PASS> with the SendGrid username and password that you made a note of earlier
- In the Section: PREROUTERS box enter:
send_via_sendgrid:
  driver = manualroute
  domains = ! +local_domains
  transport = sendgrid_smtp
  route_list = "* smtp.sendgrid.net::2525 byname"
  host_find_failed = defer
  no_more
- In the Section: TRANSPORTSTART box enter:
sendgrid_smtp:
  driver = smtp
  hosts = smtp.sendgrid.net
  hosts_require_auth = smtp.sendgrid.net
  hosts_require_tls = smtp.sendgrid.net
- Scroll to the bottom and click Save
Installing Whitelister
Follow the “Server B” steps in the following readme.md file: https://bitbucket.org/birdmarketing/ip-whitelist-website/src/96b3e536d7262dcb293a545282382793d320ac12/README.md?fileviewer=file-view-default
Installing ConfigServer Explorer
ConfigServer Explorer Documentation: https://www.configserver.com/cp/cse.html
- Paste the following into SSH:
sudo su -
cd /usr/src
rm -fv /usr/src/cse.tgz
wget https://download.configserver.com/cse.tgz
tar -xzf cse.tgz
cd cse
sh install.sh
rm -Rfv /usr/src/cse*
Configure MySQL
- On WHM go to Plugins >> ConfigServer Explorer
- Click etc
- Find my.cnf and click edit icon
- Add the following lines
bind-address=127.0.0.1
innodb_lock_wait_timeout=100
- Click Save
- Go to Restart Services >> SQL Server (MySQL)
- Click Yes
Installing ConfigServer Security and Firewall
ConfigServer Security and Firewall Documentation: https://configserver.com/cp/csf.html
Installing CSF On SSH
- Paste the following into SSH:
sudo su -
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
rm -Rfv /usr/src/csf*
Configuring CSF on WHM
- Go to https://[SERVERNAME]:2087 and login as root
- Go to Plugins >> ConfigServer Security & Firewall
- Click Firewall Allow IPs
- Add the following to the bottom of the document:
# CloudFlare IPs
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
104.16.0.0/12
108.162.192.0/18
131.0.72.0/22
141.101.64.0/18
162.158.0.0/15
172.64.0.0/13
173.245.48.0/20
188.114.96.0/20
190.93.240.0/20
197.234.240.0/22
198.41.128.0/17
199.27.128.0/21
# Sage Pay IPs
195.170.169.0/255
- Click Change
- Click Restart csf+lfd
- Click Firewall Configuration
- Change TESTING = to OFF (0)
- In TCP_IN add
,3306,3389
- In TCP_OUT add
,2525
- In UDP6_OUT add
,67,68
- Scroll to the bottom and click Change
- Click Restart csf+lfd
- Click Return
Ignore the following:
#Change LF_ALERT_TO = to [SNAME]@bird.co.uk
#Change LF_ALERT_FROM = to [SNAME]@bird.co.uk
#Change PT_USERPROC = to 0
#Change PT_USERMEM = to 0
#Click Firewall Profiles
#Select disable_alerts
#Click Apply Profile
Installing ConfigServer eXploit Scanner
ConfigServer eXploit Scanner Documentation: https://configserver.com/cp/cxs.html
Purchase a ConfigServer eXploit Scanner license
- Go to https://store.configserver.com/index.php?dispatch=products.view&product_id=3
- Click Add to Cart
- Click Checkout
- Login
- Enter the VAT number
- Enter the Domain Name: [SERVERNAME]
- Tick the Terms and Conditions box
- Enter the server IP
- Click Update Order
- Click Continue
- Follow the steps to pay with PayPal
- Log into PayPal
- Click continue
Make sure an email is received with a confirmation of license before proceeding with install (this may take several hours)
Installing CXS on SSH
- Enter the following in SSH:
wget https://download.configserver.com/cxsinstaller.tgz
tar -xzf cxsinstaller.tgz
perl cxsinstaller.pl
rm -fv /usr/src/cxsinstaller.*
cxs --qcreate --quarantine /home/quarantine
rm -rf /etc/cxs/cxs.restricted
Configure CXS on WHM
- Go to https://[SERVERNAME]:2087 and login as root
- Go to Plugins >> ConfigServer eXploit Scanner
- Edit CGI Upload
- Click Other Files
- Select /etc/cxs/cxscgi.sh
- Click Edit File
- Change --mail root to --mail [SERVERNAME]@[DOMAIN].com
- Add --quarantine /home/quarantine/
- Click Save File
- Click Return
- Edit FTP Upload
- Click Other Files
- Select /etc/cxs/cxsftp.sh
- Click Edit File
- Change --mail root to --mail [SERVERNAME]@[DOMAIN].com
- Add --quarantine /home/quarantine/
- Click Save File
- Click Return
- Edit CXS Watch
- Click Other Files
- Select /etc/cxs/cxswatch.sh
- Click Edit File
- Change --mail root to --mail [SERVERNAME]@[DOMAIN].com
- Add --quarantine /home/quarantine/
- Click Save File
- Click Return
- Click Start cxs Watch
- Click Return
- Under cxs PureFTPd Scanning click Enable Integration
- Click Return
- Under cxs ModSecurity Scanning click Enable Integration
- Click Return
Installing ConfigServer Mail Manager
ConfigServer Mail Manager Documentation: https://www.configserver.com/cp/cmm.html
- Paste the following into SSH:
cd /usr/src
rm -fv /usr/src/cmm.tgz
wget http://download.configserver.com/cmm.tgz
tar -xzf cmm.tgz
cd cmm
sh install.sh
rm -Rfv /usr/src/cmm*
Installing Linux Malware Detect
Linux Malware Detect Documentation: https://www.rfxn.com/projects/linux-malware-detect/
- Paste the following into SSH:
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzf maldetect-current.tar.gz
cd maldetect-1.5
sh install.sh
- REPLACE maldetect-1.5 with whatever version you downloaded.
- To scan all files:
- Type: screen
- Type: sudo /usr/local/sbin/maldet -a /[PATH]
- To scan recent files use: sudo /usr/local/sbin/maldet -r /[PATH]
Installing RKHunter
RKHunter Documentation: http://rkhunter.sourceforge.net/
- Open SSH
- Install EPEL Repository:
yum install epel-release
- Install RKHunter:
yum -y install rkhunter
- Update Database:
rkhunter --update
- Update System File Properties:
rkhunter --propupd
- Can be manually run using the following command:
rkhunter -c -sk
Installing CHKRootKit
CHKRootKit Documentation: http://www.chkrootkit.org/
- Open SSH
- Install EPEL Repository:
yum install epel-release
- Install CHKRootKit:
yum -y install chkrootkit
- Run CHKRootKit:
chkrootkit
Installing Softaculous
Softaculous Documentation: https://www.softaculous.com/
Purchase a Softaculous license
- Go to https://www.softaculous.com/clients?ca=buy and login
- Choose Type: Lifetime VPS Server License
- Enter [SERVER IP] in the IPs/License Keys(s) box
- Click Purchase Softaculous
- Click the PayPal icon
- Login to PayPal
- Click Pay Now
Installing Softaculous on SSH
Enter the following on SSH:
wget -N http://files.softaculous.com/install.sh
chmod 755 install.sh
./install.sh
Stop email notifications
- Go to https://[SERVERNAME]:2087 and login as root
- Go to Plugins >> Softaculous
- Go to Settings >> General
- In Update Settings un-tick:
- Notify Updates
- Notify Script Updates
- In Email Settings un-tick everything related to turning off emails.
- Click Edit Settings
Setting up Backups
Option 1 – Amazon
Setting Up S3
- Go to https://aws.amazon.com/
- Click Sign in to the Console
- Click Sign in using our secure server
- Click Identity & Access Management
- Click Users >> Create New User
- Enter [SERVERNAME]
- Click Create
- Click Show User Security Credentials
- Copy the credentials and save them somewhere (Lastpass Secure Notes >> S3 Access)
- Click Back
- Click Users
- Click on the newly created User
- Click Add User to Groups
- Select Servers
- Click Add to Groups
- At the top click Services >> Storage & Content Delivery >> S3
- Click Create Bucket
- Bucket Name: [SERVERNAME]
- Region: Ireland
Configuring WHM to Use S3
- Navigate to https://[SERVERNAME]:2087 and login as root
- Go to Backup >> Backup Configuration
- Backup Status: Enabled
- Backup Daily: Tick All
- Tick Backup Weekly
- Tick Backup Monthly
- Retain 3 Monthly backups
- Backup Suspended Accounts: Enable
- Backup Access Logs: Enable
- Backup SQL Databases: Per Account and Entire MySQL Directory
- Untick Retain backups in the default backup directory
- Click Create new destination
- Destination Name: Amazon S3
- Tick Transfer System Backups to Destination
- Bucket: [SERVERNAME]
- Enter Access Key
- Enter Secret Access Key
- Click Save Destination
- Click Validate on the Amazon S3 line
- Click Save Configuration
Option 2 – Backup Disk (Recommended)
Google Cloud Persistent Disk Documentation: https://cloud.google.com/compute/docs/disks/add-persistent-disk
- Find the vm instance and find its zone e.g. europe-west1-c
- Add the new disk to the vm instance
- Select the vm instance, click edit and “Add item” under Additional disks
- Select create new disk, and select mode: Read/write
- Create a disk
- Use the same zone as the vm instance, this increases speed and decreases transfer costs
- Select Disk Type: Standard persistent disk
- Select Source type: None (blank disk)
- Use: (((source disk - 10 GB) * 0.6) * 12) * 1.2. Explained: source disk minus total operating system use (source disk - 10 GB), compressed into backups (60%), multiplied by retention periods (times 12), plus 20% for contingency
- Use 10x source disk (12x compressed cPanel accounts disk space (approx. 60% of cPanel disk space) + overheads + room for growth (Daily: 5 day retention, Weekly: 4 week retention, Monthly: 3 month retention))
- Check the new disk has been attached
- SSH in and run
ls /dev/disk/by-id
you should see “google-[DISK_NAME]”
- Format and add a filesystem
- Using the ext4 filesystem, run
sudo mkfs.ext4 -F -E 'discard' /dev/disk/by-id/google-[DISK_NAME]
- Mount the drive to /backup
- Assuming /backup has already been created (this is the default location for WHM backups), run
sudo mount -o discard,defaults /dev/disk/by-id/google-[DISK_NAME] /backup
- Setup auto mounting
- Run
sudo blkid -s UUID -o value /dev/disk/by-id/google-[DISK_NAME]
This should produce an output like “0cf2a474-f88a-4254-b074-19bdf72a172b”. This is the disk UUID; use this value in the command below.
- Run
echo "UUID=[UUID] /backup ext4 nofail,auto,discard,defaults 1 1" | sudo tee -a /etc/fstab
- Check everything works
- Run
cd /backup; touch test; ls /backup
and see if you see the new test file
- Enable backup in WHM to /backup
- Check in 24h that the backup is working correctly
- SSH in and look in /backup to see if new files have been created
Debugging
Disk failed to mount:
- Check the /etc/fstab file (SSH in and run
cat /etc/fstab
), there should only be a single entry with “/backup” in. It should look similar to the following (however with a different UUID number) “UUID=0cf2a474-f88a-4254-b074-19bdf72a172b /backup ext4 nofail,auto,discard,defaults 1 1”
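The disk sizing formula from Option 2 and the single-/backup-entry check from this Debugging section, as an added example that is not part of the original runbook; it assumes whole-GB sizes and takes the fstab path as an argument so it can be dry-run on a copy (a constructed sample fstab is built inline) before you look at the real /etc/fstab.

```shell
#!/bin/sh
# Added example, not from the original runbook: size the backup disk with the
# runbook's formula and check the /etc/fstab entry the Debugging section
# describes. Assumptions: sizes in whole GB; the fstab path is an argument.

# backup_disk_gb SOURCE_GB: (((source - 10) * 0.6) * 12) * 1.2, rounded up.
# 0.6 * 12 * 1.2 = 8.64, so integer maths in hundredths avoids needing bc.
backup_disk_gb() {
  _src=$1
  if [ "$_src" -le 10 ]; then
    echo "source disk must be larger than the 10 GB OS allowance" >&2
    return 1
  fi
  echo $(( ( (_src - 10) * 864 + 99 ) / 100 ))
}

# fstab_line UUID: the entry the runbook appends, built from the blkid value.
fstab_line() {
  printf 'UUID=%s /backup ext4 nofail,auto,discard,defaults 1 1\n' "$1"
}

# backup_entries FILE: count active (non-comment) entries whose mount point
# is exactly /backup. The Debugging section says there must be exactly one.
backup_entries() {
  awk '$1 !~ /^#/ && $2 == "/backup" { n++ } END { print n + 0 }' "$1"
}

# check_fstab FILE: return 0 if there is exactly one /backup entry, otherwise
# return 1 with a hint about which step to repeat.
check_fstab() {
  _n=$(backup_entries "$1")
  case "$_n" in
    1) return 0 ;;
    0) echo "no /backup entry in $1: re-run the blkid/tee step" >&2; return 1 ;;
    *) echo "$_n /backup entries in $1: remove the duplicates" >&2; return 1 ;;
  esac
}

# Constructed sample fstab for a dry run (the UUID is the page's example value).
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
UUID=11111111-2222-3333-4444-555555555555 / xfs defaults 0 0
# UUID=old-disk /backup ext4 defaults 0 0
UUID=0cf2a474-f88a-4254-b074-19bdf72a172b /backup ext4 nofail,auto,discard,defaults 1 1
EOF

echo "Backup disk for a 100 GB source: $(backup_disk_gb 100) GB"
check_fstab "$SAMPLE_FSTAB" && echo "fstab OK: $SAMPLE_FSTAB"
```

On the live server run check_fstab /etc/fstab after the tee step; a count other than one is the “disk failed to mount” case above.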
Setting up Snapshots
- Go to Snapshots >> Create a Snapshot Schedule (https://console.cloud.google.com/compute/snapshotSchedulePolicies/add)
- Give it a name
- Choose the same region that your disk is in.
- Schedule Frequency: daily
- Auto-delete snapshots after: 7 days
- Create
- Go to Disks
- Go into each disk and click edit
- On Snapshot schedule select the schedule we just created
- Click Save
Installing NodeQuery
- Go to https://nodequery.com/login and login
- Click New Server
- Enter [SERVERNAME] as the Name
- Make sure all of the notifications are set to 95%
- Click Create Server
- Click Copy Installation Command
- Paste Installation command into SSH
Install XVarnish
- Open SSH and Paste the following:
yum install epel-release
rpm --nosignature -i https://repo.varnish-cache.org/redhat/varnish-4.1.el6.rpm
rpm --nosignature -i https://repo.xvarnish.com/xvarnish-repository-1-8.el6.rpm
yum install xvarnish
/usr/local/xvarnish/bin/activate --key 3fd16905-47a8-4647-9215-3fcb1ddac3a6
xvctl enable xvarnish
Update all Server Software
- Open SSH and Paste the following:
yum install yum-utils
yum update
reboot
Installing LetsEncrypt
Before starting please buy a license from https://docs.cpanel.net/knowledge-base/third-party/the-lets-encrypt-plugin/ if you do not already have one
Generating a Remote Access Key
- Go to https://[SERVERNAME]:2087 and login as root
- Go to Clusters >> Remote Access Key
- Click Generate New Key
Installing on SSH
Official Documentation: https://letsencrypt-for-cpanel.com/docs/for-admins/installation/
- Save your issued licence file as /etc/letsencrypt-cpanel.licence and chmod to 0400
- On SSH run
wget https://cpanel.fleetssl.com/static/letsencrypt.repo -O /etc/yum.repos.d/letsencrypt.repo
- Then run
yum -y install letsencrypt-cpanel
- To test, run
le-cp self-test
- To enable Service Certificates (SSL on hostnames) run
le-cp hostcert enable
More info here: https://letsencrypt-for-cpanel.com/docs/for-admins/service-certificates/
- To enable AutoSSL run
le-cp autossl enable
More info here: https://letsencrypt-for-cpanel.com/docs/for-admins/autossl/
Post Setup Checklist
- Create recurring task for Security Maintenance checks (see below maintenance checklist)
- Create recurring task for Weekly Maintenance checks to check backups are working correctly
- Create recurring task for Weekly Maintenance checks to see if server has been blacklisted
- Create a new filter and label in receiving email address, if Gmail: Matches: to:([SERVER EMAIL]) Do this: Skip Inbox, Mark as read, Apply label “Servers/[SERVERNAME]”, Never send it to Spam
- Limit bandwidth use for cpanel accounts so it does not go over desired quota on Google Cloud (bandwidth is expensive)
- Add Buy cPanel costs to any budgeting or accounting software you have
Recommended Regular Checkups and Maintenance
Security Maintenance
We recommend this checklist is carried out at least once per month
- Login to WHM
- Update plugins such as ConfigServer eXploit Scanner
- Go to Security Advisor
- Follow steps provided for anything that is red or yellow (apart from exceptions below)
- Apache vhosts are not segmented or chroot()ed.
- Apache Symlink Protection: the Bluehost provided Apache patch is in effect
- Update EasyApache (This can update PHP and fuck up a lot of shit on a lot of websites!)
- Update CXS if applicable (Plugins >> ConfigServer eXploit Scanner >> Upgrade CXS)
Backup Checks
Local Backup Disk
Quick link: https://[SERVERNAME]:2087/scripts5/restoremenu
- Go to https://[SERVERNAME]:2087 and login
- Go to Backup >> Backup Restoration
- Click on a few usernames, if the backups are working you should see the option to back up on several previous days (depending on what you have configured)
Google Cloud Snapshots
Quick link: https://console.cloud.google.com/compute/snapshots?project=[PROJECT NAME]
- Go to https://console.cloud.google.com and login
- Go to Compute Engine >> Snapshots
- If the snapshots are working you should see 7 of the backup disk (if you have one) and 7 of the main disk, no more, no less
Old Obsolete Steps
Enable Mod Security
- Go to Security Center >> Apache mod_userdir Tweak
- Tick Enable mod_userdir Protection
- Click Save
Configure Default Password Strength
- Go to Security Center >> Password Strength Configuration
- Change Default Required Password Strength to 75
- Click Save
Enable IonCube Loader
- Go to Server Configuration >> Tweak Settings
- Click PHP
- For cPanel PHP loader select Ioncube
- Click Save
Redirect to Hostname
- Go to Server Configuration >> Tweak Settings
- Click Redirection
- For Always redirect to SSL select On
- For Non-SSL redirect destination select Hostname
- For SSL redirect destination select Hostname
- Click Save
Reduce the number of notifications
- Go to Server Configuration >> Tweak Settings
- Click Notifications
- For Account system disk usage “warn” percentage select Disabled
- For Account disk quota “warn” percentage select Disabled
- For Account disk quota “critical” percentage select Disabled
- Click Save
Configure Passive FTP
- Follow the steps from Enable the passive port range for Pure-FTPd on https://documentation.cpanel.net/display/CKB/How+to+Enable+FTP+Passive+Mode#HowtoEnableFTPPassiveMode-Passive
Add Credentials on SendGrid
- Go to https://sendgrid.com/login and Login
- Go to Settings >> Credentials
- Click Add New Credential
- For username enter: [SNAME]-birdmarketing
- For password enter a new generated password from LastPass and make a note of this password (DO NOT USE SPECIAL CHARACTERS IN PASSWORD)
- Tick the MAIL box
- Click Create Credential