Afinando un Server

How-To: The Complete Server Optimization Guide (2007)

Greetings,
This guide is composed of material found from various other web hosting, control panel, and script forums related to optimization, hardening and securing. This is also cPanel oriented however can be used for other servers running different control panels just to name a few Plesk, DirectAdmin, Webmin.

Now before we begin I cannot stress enough that you NEED to read my post thoroughly taking every last word into detail as you are applying these methods on your own risk as a VPS is not all sunshine and lollipops. If you don’t know what you are doing, it is strongly suggested to do a bit of research before attempting it, these methods have been tested on several different servers and I personally have conducted benchmarking with these methods on several VPSes right here at PowerVPS. And of course you will learn to love the "cp" command (copy) as I'm going to be mentioning it quite a bit and again I cannot stress enough that you BACK UP EVERYTHING YOU CHANGE don't be one of those people that say "Oh, that will never happen to me!" don't be fooled.. Karma will get you one day =)

Now let's start with the basics:


WHM/cPanel Modifications:


First off, jump into your serveru sing a SECURE connection (https://55.55.55.55:2087) of course changing the 55.55.55.55 part to your servers IP - this is so the data sent across your internet connection to your server is encrypted and undecodable.

Navigate your browser to Server Configuration -> Tweak Settings then making sure the following items are ticked (double check they are if they are not ticked, TICK THEM) unless I specify otherwise (they will be color coded for easy reading - Green = GOOD and Red = BAD):
-----------

(Below is an example on how I will layout my guide)

Under Domains:

(TICK) When adding a new domain, automatically create A entries for the registered nameservers if they would be contained in the zone.
(TICK) Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)
(TICK) When adding a new domain, if the domain is already registered, ignore the configured nameservers, and set the NS line to the authoritative (registered) ones.

And now make sure the following is NOT ticked:

(UNTICK) Allow users to Park/Addon Domains on top of domains owned by other users. (probably a bad idea)
(UNTICK) Allow Creation of Parked/Addon Domains that resolve to other servers (ie domain transfers) [This can be a major security problem. If you must have it enabled, be sure to not allow users to park common internet domains.]
(UNTICK) Allow Creation of Parked/Addon Domains that are not registered

Under Mail:

(TICK) Default catch-all/default address behavior for new accounts. blackhole is usually the best choice if you are getting mail attacks.
(TICK) Set this to "fail" for general use and as stated above "blackhole" if you're getting mail fooded (over 1000 emails in the mail queue)
(TICK) Silently Discard all FormMail-clone requests with a bcc: header in the subject line
(TICK) Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)

Here's a tricky setting, "The maximum each domain can send out per hour (0 is unlimited):" set this number to something you think is reasonable my personal preference is 60.. basically this setting will limit each account (not just the domain) on how many emails it can send out per hour, basically if you have a spammer on your machine and you can't find him.. set this to 60 and you will definitely stop him in his tracks.

Now this next one is also tricky ""Prevent the user "nobody" from sending out mail to remote addresses (PHP and CGI scripts generally run as nobody if you are not using PHPSuexec and Suexec respectively.)"" tick this if you want to disable any account on your machine from sending mail as "Nobody" it's really up to you in the end, if you're very strict (like me) you will enable this and force all your accounts to use the local SMTP server (which is probably better as when you receive emails from forums and stuff they don't come as "[email protected]" they come as "[email protected]" which in my sense looks more professional.

(TICK) Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header when relaying mail. (exim 4.34-30+ required)

And the same thing applies with this next one " The number of times users are allowed to check their mail using pop3 per hour. Zero is unlimited. (cppop only):" basically set this limit to again something around 60 or so if you're getting mail attacked.. it will again stop the attack right in it's tracks.

(TICK) Attempt to prevent pop3 connection floods

Now this setting "BoxTrapper Spam Trap" is strongly recommended to disable as having boxtrapper enabled can very easily lead to your server being listed in common RBLs and usually has the effect of increasing the overall spam load, not reducing it.

Under MySQL:

If you aren't required to use MySQL5, don't. Use MySQL 4.1 with the option " Use old style (4.0) passwords with mySQL 4.1+ (required if you have problems with php apps authenticating)" nearly always enabled it will stop certain applications using older methods of authenticating with MySQL.

Under System:

(TICK) Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc.
(TICK) Use jailshell as the default shell for all new accounts and modified accounts

Under cPAddons:

(TICK) Prevent installation of addon scripts not provided by cPanel
(TICK) Prevent installation of cPanel addon scripts that have be altered (Turning this off may be useful when testing custom addons.)
(TICK) Use native SSL support if possible, negating need for Stunnel

(UNTICK) Allow cPanel users to reset their password via email (This option has been vulnerable in the past, so you should keep it disabled)

=========================================
Security
=========================================

Security -> Fix Insecure Permissions (Scripts)
-----------

Fix Insecure Permissions (Scripts) (Run this at least once a month to make sure there are no inscure permissions on scripts running on your server.)

Security -> Manage Wheel Group Users
-----------

Remove all users except for root and your main account from the wheel group. unless you directly need another account there for SUing purposes, never ever have apache or any other system service listed in the wheel group.

Security -> Modify Apache Memory Usage
-----------

You should set a value RLimitCPU to prevent runaway scripts from consuming server resources - DOS exploits can typically do this. Run this at least once a week to reassure the limit is up to date

Security -> Quick Security Scan
-----------

You'll only need to run this once, but make sure you do. (Running this will ensure that bad services are not running on your server)

Security -> Shell Fork Bomb Protection
-----------

Enable Shell Fork Bomb/Memory Protection. (You should enable shell resource limits to prevent shell users from consuming server resources - DOS exploits typically do this.)

Security -> Tweak Security
-----------

Enable PHP's open_basedir Tweak. (To prevent PHP scripts from straying outside their cPanel account, and possibly executing or modifying other accounts files)

Enable Apache's mod_userdir Tweak. (To prevents users from stealing bandwidth or hackers hiding access/accounts to your servers)

Disable Compilers. (This tweak will disable the system's c and c++ compilers for unprivileged accounts on your VPS. Many canned exploits require working compilersc on the system to operate. You can also choose to allow some users to use the compilers while they remain disabled by default.)

=========================================
Service Configuration
=========================================

Service Configuration -> Enable/Disable SuExec
-----------

Enable SuExec. (To reduce the risk of hackers accessing all sites on the server from a compromised CGI web script, you should keep this enabled.)
(UNTICK)Always set the "Sender:" header when the sender is changed from the actual sender. Unchecking this will stop "On behalf of" data in Microsoft(R) Outlook, but may limit your ability to track abuse of the mail system.
(TICK) Verify the existence of email senders.
(TICK) Use callouts to verify the existence of email senders.
(UP2U) Discard email for users who have exceeded their quota rather than keeping it in the queue. (This again is up to you really, if you don't wish to have accounts that are suspended due to exceeding their quota loose all their new mail then leave this unticked)

Now jump into the "Advanced Editor" and in the first white box paste the following;

Quote:
log_selector = +all

smtp_load_reserve = 4

queue_only_load = 2

deliver_queue_load_max = 5
The above settings will allow exim to use extended logging for all accounts on the server, and the functions with the numbers tell exim not to use all the resources on your server if you're processing a lot of mail all at the same time.

Service Configuration -> FTP Configuration
-----------
Disable Anonymous FTP access (Used as an attack vector by hackers and should be disabled unless actively used by your accounts)

Service Configuration -> Service Manager
-----------
Making sure all services are enabled and monitored as it is vital that you know the status of all the services on your machine, however please take note to disable the Java Melange Chat Server as it has been deprecated by cPanel and as such should be considered a security concern.

=========================================
System Health
=========================================

Service Configuration -> Background Process Killer
-----------

You should enable each item in this menu, which will disable the process from running on all accounts.

(TICK) BitchX
(TICK) bnc
(TICK) eggdrop
(TICK) generic-sniffers
(TICK) guardservices
(TICK) ircd
(TICK) psyBNC
(TICK) ptlink
(TICK) services

=========================================
Add-Ons
=========================================

Add-Ons -> Setup Spamd Startup Configuration
-----------

These are the recommended settings for a Power 1 and above VPS:

Maximum Children: 2
Allowed IPs: 127.0.0.1
Maximum Connections Perl Child: 200


Apache Modifications:

=========================================
Configurations File
=========================================

Identification output for Apache. (This is to hide version numbers from potentional hackers)

Quote:
pico /etc/httpd/conf/httpd.conf
Type CTRL + W then type ServerSignature then hit enter, once you've found it replace the "On" with "Off"

Quote:
Restart Apache /etc/rc.d/init.d/httpd restart
=========================================
Optimizing Apache for Low Memory Usage
=========================================

Apache can consume quite a bit of memory, if you’re not careful. This part of the guide discusses how to reduce the amount of memory it uses without killing performance. The caveat, of course, is that you’re not going to be able to run a site with a large database and large amount of traffic with these settings. I’m going to try to explain the WHY more than the WHAT. All of this is in conjunction with my goal of reducing the amount of ram. Before I begin, I’d like to say that you should also look at various system utilities that consume ram. Services like FTP and SMTP can and should be passed off to xinetd. Also, you should look at shells besides bash, such as dash. And, if you’re really serious about low memory, you might look at using something like BusyBox, which brings you into the realm of real embedded systems. Personally, I just want to get as much as I can out of a standard linux distribution. If I need more horsepower, I want to be able to move to bigger, faster virtual machines and/or dedicated servers. For now, optimizing a small virtual machine will do.

First off, Apache. My first statement is, if you can avoid it, try to. Lighttpd and thttpd are both very good no frills webservers, and you can run lighttpd with PHP. Even if you’re running a high volume site, you can seriously gain some performance by passing off static content (images and javascript files, usually) to a lightweight, super-fast HTTPd server such as Lighttpd.
The biggest problem with Apache is the amount of ram it uses. I’ll discuss the following techniques for speeding up Apache and lowering the ram used.

* Loading Fewer Modules
* Handle Fewer Simultaneous Requests
* Recycle Apache Processes
* Use KeepAlives, but not for too long
* Lower your timeout
* Log less
* Don’t Resolve Hostnames
* Don’t use .htaccess

Loading Fewer Modules

First things first, get rid of unnecessary modules. Look through your config files and see what modules you might be loading. Are you using CGI? Perl? If you’re not using modules, by all means, don’t load them. That will save you some ram, but the BIGGEST impact is in how Apache handles multiple requests.

Handle Fewer Simultaneous Requests

The more processes apache is allowed to run, the more simultaneous requests it can serve. As you increase that number, you increase the amount of ram that apache will take. Looking at TOP would suggest that each apache process takes up quite a bit of ram. However, there are a lot of shared libraries being used, so you can run some processes, you just can’t run a lot. With CentOS 4.4 and Apache1, the following lines are the default:

Quote:
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 0
I haven’t found documentation on this, but prefork.c seems to be the module that’s loaded to handle things w/ Apache1 and CentOS 4.4. Other mechanisms could or could not be much more memory efficient, but I’m not digging that deep, yet. I’d like to know more, though, so post a comment and let me know. Anyway, the settings that have worked for me are:

Quote:
Timeout 180
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 3
MinSpareServers 1
MaxSpareServers 5
StartServers 1
MaxClients 5
MaxRequestsPerChild 300
What I’m basically saying is, “set the maximum amount of requests that this server can handle at any one time to 5.” This is pretty low, and I wouldn’t try to do this on a high volume server. However, there is something you can and should do on your webservers to get the most out of them, whether you’re going for low memory or not. That is tweak the keepalive timeout.

Recycle Apache Processes

If you noticed, I changed the MaxRequestsPerChild variable to 500, from 0. This variable tells Apache how many requests a given child process can handle before it should be killed. You want to kill processes, because different page requests will allocate more memory. If a script allocates a lot of memory, the Apache process under which it runs will allocate that memory, and it won’t let it go. If you’re bumping up against the memory limit of your system, this could cause you to have unnecessary swapping. Different people use different settings here. How to set this is probably a function of the traffic you receive and the nature of your site. Use your brain on this one.

Use KeepAlives, but not for too long

Keepalives are a way to have a persistent connection between a browser and a server. Originally, HTTP was envisioned as being “stateless.” Prior to keepalive, every image, javascript, frame, etc. on your pages had to be requested using a separate connection to the server. When keepalives came into wide use with HTTP/1.1, web browsers were able to keep a connection to a server open, in order to transfer multiple files across that same connection. Fewer connections, less overhead, more performance. There’s one thing wrong, though. Apache, by default, keeps the connections open for a bit too long. The default seems to be 15 seconds, but you can get by easily with 2 or 3 seconds.

This is saying, “when a browser stops requesting files, wait for X seconds before terminating the connection.” If you’re on a decent connection, 3 seconds is more than enough time to wait for the browser to make additional requests. The only reason I can think of for setting a higher KeepAliveTimeout is to keep a connection open for the NEXT page request. That is, user downloads page, renders completely, clicks another link. A timeout of 15 would be appropriate for a site that has people clicking from page to page, very often. If you’re running a low volume site where people click, read, click, etc., you probably don’t have this. You’re essentially taking 1 or more apache processes and saying, “for the next 15 seconds, don’t listen to anyone but this one guy, who may or may not actually ask for anything.” The server is optimizing one case at the expense of all the other people who are hopefully hitting your site.

Lower Your Timeout

Also, just in case, since you’re limiting the number of processes, you don’t want one to be “stuck” timing out for too long, so i suggest you lower your “normal” Timeout variable as well.

Log Less
If you’re trying to maximize performance, you can definitely log less. Modules such as Mod_Rewrite will log debugging info. If you don’t need the debugging info, get rid of it. The Rewrite log is set with the RewriteLogUser-Agent or the Http-Referer. I like seeing those things, but it’s up to you. command. Also, if you don’t care about looking at certain statistics, you can choose to not log certain things, like the

Don’t Resolve Hostnames

This one’s easy. Don’t do reverse lookups inside Apache. I can’t think of a good reason to do it. Any self respecting log parser can do this offline, in the background.

Quote:
HostnameLookups Off
Don’t Use .htaccess

You’ve probably seen the AllowOverride None command. This says, “don’t look for .htaccess files” Using .htaccess will cause Apache to 1) look for files frequently and 2) parse the .htaccess file for each request. If you need per-directory changes, make the changes inside your main Apache configuration file, not in .htaccess.

Sería excelente que pusieras la fuente, aunque si no me equivoco, pertenece a //este// post, no?