HOW-TO Setup a PLESK Dedicated Server
(Revision: 2.4 - 10 march 2008)

After several installations of PLESK on different servers, we have decided to write a small HOW-TO for other users. Maybe someone will have a better idea and together we can write a complete guide to setup a new box to be faster and more secure. This manual has been compiled with the help of the guys from this forum, so we thank them, especially "atomicrocketturtle". This tutorial is mostly for REDHAT, for other OS in some cases need some changes for appropiate install.

1. Verify if YUM is installed. If yes I will proceed to edit /etc/yum.conf. If not, I will install from RPM. In order to use yum, you first need to add a few lines in /etc/yum.conf from page, browsing right OS. http://www.atomicrocketturtle.com/ YUM is installed in latest FEDORA by default.

2. Edit /etc/yum.conf to be like this, but in time it can change. Always use only your version PSA channel.

Automatic configuration
Using Lynx (yum -y install lynx):
lynx -source http://www.atomicorp.com/installers/atomic.sh | sh

Using Wget:
wget -q -O - http://www.atomicorp.com/installers/atomic.sh | sh

3. Install some useful tools like, JOE - text editor, Midnight Commander and LYNX text based navigator.

shell: yum install joe mc lynx

4. Also we do an update of packages for yum with, to be up to date.

shell: yum update

5. In PLESK create a domain, usually each of us have a default domain, and this domain users we change to have access with SSH. Is important to create this user (domain) and not go forward to change root access. Of course you can create later as well, just if you disable root, you cannot access server with SSH.
Next I change the root password as well, from default value.

shell: passwd root (same, will ask for password) - WRITE this down somewhere, in your notes.

After this, I follow the description from http://www.crucialparadigm.com/resources/tutorials/secure-server-securing/disable-direct-root-login.php or later, the ELS installer will do this.

6. Now edit some files to be easier to navigate in SSH, like:
shell: joe /etc/bashrc

and add these lines. This will help not to write all the times cd /home/http/vhosts/ just execute phttpd and you are already there. You may create your own rules of course.

alias bye="exit" #if you hit exit, will be the same as say bye, exit user.
alias ns="netstat -lpn" #a shorcut for a specific netstat command.
alias pmysql="cd /var/lib/mysql" #will bring you into mysql data directory
alias phttpd="cd /var/www/vhosts" #will bring you into home users data directory
alias killhttpd="ipcs -s | grep apache | perl -e 'while (< STDIN >) {@a=split(/s+/); print pcrm sem $a[1]}' " #will kill apache semaphore files, if was left accidentally on apache exit
alias tailall="tail -f /var/www/vhosts/*/statistics/logs/error_log" #will tail in all error_log to see which domain have major problems.

This last is for when apache dies and semaphore is not cleared and apache will not restart. Just you enter killhttpd and then start apache.

Edit
shell: joe /root/.bashrc

and add a line like:
echo 'ALERT - Root Shell Access (YOURSERVERNAME) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" YOUREMAIL

This will help to know each time when someone logged in as root, which is theoretically only you, the ELS installer will do this.
You will get on root login a mail to your mail address with subject ALERT - Root Shell Access (YOURSERVERNAME) on:, from which IP is entered and so on.
YOURSERVERNAME and YOUREMAIL must be changed with your data.

7. Because YUM update installed MySQL 4, change also my.cnf and update tables to MySQL 4 compatible. In latest distros, there is already MySQL 5.

shell: /usr/bin/mysql_fix_privilege_tables --user=admin --password=`cat /etc/psa/.psa.shadow`
shell: joe /etc/my.cnf

If you are updated to MySQL 4.1.x, then add to my.cnf old_passwords=1
Rehash user names and passwords (new users only - if database and username/passwords are created after the update)

Replace content with this and after. Sometimes this step should be skipped if you are not familiar with MySQL. Latest PLESK come with InnoDB tables and after you restart with new settings PLESK, will crash the tables. We still study what to do in this situation, to be compatible with PLESK.
You can use MySQL Performance Tuning Primer Script, but MySQL must run minimum 24 hours to get correct data, to configure your server.
We will update in the future this section to 1GB memory or 2GB, because today almost all servers get 1GB memory.

512MB RAM:
==============================================================
[mysqld]
set-variable=local-infile=0
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1

skip-locking
query_cache_limit=1M
query_cache_size=32M
query_cache_type=1
interactive_timeout=100
wait_timeout=100
connect_timeout=10
thread_cache_size=50
key_buffer=40M
table_cache=384
sort_buffer_size=768K
read_buffer_size=512K
max_allowed_packet=16M
max_connect_errors=10
key_buffer=128M
sort_buffer=32M
join_buffer=32M
record_buffer=2M
thread_cache=8
read_buffer=1M
max_connections=300
thread_concurrency=2
myisam_sort_buffer_size=128M
read_rnd_buffer_size=1M
skip-show-database
myisam_sort_buffer_size=64M

[mysql.server]
user=mysql
basedir=/var/lib

[safe_mysqld]
err-log=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
open_files_limit=8192

[mysqldump]
quick
max_allowed_packet=16M

[mysql]
no-auto-rehash
#safe-updates

[isamchk]
key_buffer=64M
sort_buffer=64M
read_buffer=16M
write_buffer=16M

[myisamchk]
key_buffer=64M
sort_buffer=64M
read_buffer=16M
write_buffer=16M

[mysqlhotcopy]
interactive-timeout
==============================================================

8. ANTIVIRUS: You can live with DrWeb or you can install Clamav free solution

shell: yum remove drweb-qmail drweb (in new PLESK Kaspersky)
shell: yum install qmail-scanner clamd maildrop

After install is done, use

shell: /usr/bin/qmail-scanner-reconfigure (/var/qmail/bin/qmail-scanner-queue.pl)

Now all should work fine, you can check to send to you a test virus from http://www.eicar.org/anti_virus_test_file.htm
In meantime check log files to see if all work fine and no errors are there.
shell: tail -f /var/spool/qmailscan/qmail-queue.log
shell: tail -f /usr/local/psa/var/log/maillog
shell: tail -f /var/log/clamav/clamd.log

9. FIREWALL: You can use from PLESK their Firewall Module, easy to install or use APF.
PLESK module is nice, but for more advanced usage, still recommended APF.

We found a very nice auto installer. (http://www.servermonkeys.com/els.php)

Here's what it does (with bold what we suggest):

• Install RKHunter
• Install RKHunter Cronjob which emails a user-set email address nightly
• Install/update APF
• Add SM/TP monitoring IPs (view information on these in Orbit)
• Install/update BFD
• Install CHKROOTKIT
• Install CHKROOTKIT Cronjob which emails a user-set email address nightly
• Disable Telnet
• Force SSH Protocol 2
• Secure /tmp
• Secure /var/tmp
• Secure /dev/shm
• Install/update Zend Optimizer
• Install/update eAccelerator
• Change SSH port (also configure APF as necessary)
• Add wheel user and disable direct root login over SSH
• Optimize MySQL tables
• Install/update Libsafe
• Install/update ImageMagick (from latest source)
• Harden sysctl.conf
• And more!

shell: wget --output-document=installer.sh http://servermonkeys.com/projects/els/installer.sh; chmod +x installer.sh; sh installer.sh; els --all

When you are done, you still need some modification.

VERY IMPORTANT: If you install ZEND, then you will get an apache problem. Zend will have a conflict with Ioncube. Open php.ini and from bottom of the file delete the ZEND files, but copy it somewhere. Then open /etc/php.d/ioncube.ini and copy after ioncube loader. Then restart Apache.

ANTI-DOS
shell: joe /usr/local/bfd/ignore.hosts

Add your IP to ignore it. VERY IMPORTANT to not be lock out from server.

shell: joe /usr/local/bfd/conf.bfd

ALERT_USR="1"
EMAIL_USR="yourmail@domain.com"

shell: /etc/apf/apf -s

joe /etc/apf/conf.apf
Check as well for ports:
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,3306,8443,35000_35999"
or
IG_TCP_CPORTS="20,21,25,53,80,110,143,443,3306,8443,35000_35999" (notice no 22 port for SSH - we suggest this)

- Other APF Features
APF comes packaged with two trust based files for the inclusion of IP's. These
files allow two trust levels that are, allow and deny.

The allow and deny trust files are located at:
/etc/apf/allow_hosts.rules
/etc/apf/deny_hosts.rules

The format of these files are line-seperated addresses, IP masking is supported.
Example:
24.202.16.11
24.202.11.0/24

FINAL STEP:
If Firewall work OK do not forget to get out from DEVmode

# Set firewall dev cronjob
# 1 = enabled / 0 = disabled
DEVM="0"

TIPS & TRICKS

SYN ATTACKS DETECTION
A little more advanced settings in /etc/apf/ad/conf.antidos
# Try to detect syn-flood attacks [0=off,1=on]
DET_SF="1"
# Parse klog for iptables logged attacks [0=off,1=on]
LP_KLOG="1"

10. Securing /tmp (ONLY IF YOU MISSED TO INSTALL ELS or did not secured /tmp with ELS)
The /tmp partition is one the common places for script kiddies and crackers alike to place trojans or scripts. Because of that you should have the /tmp partition mounted noexec. First we need to check if your /tmp is secure.
shell: df -h |grep tmp

If that displays nothing then go below to create a tmp partition. If you do have a tmp partition you need to see if it mounted with noexec.
shell: cat /etc/fstab |grep tmp

If there is a line that includes /tmp and noexec then it is already mounted as non-executable. You will also want to check if /var/tmp is linked to /tmp.
shell: ls -alh /var/ |grep tmp

If it shows something to the effect of "tmp - > /tmp/" then you are ok. If not go ahead an remove the old /var/tmp and replace it with a sym link to /tmp.
shell: rm -rf /var/tmp/
shell: ln -s /tmp/ /var/

If you do not have any /tmp partition you will need to follow the directions below to create and mount a partition.

Create a 190Mb partition
shell: cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=200000

Format the partition
shell: mke2fs /dev/tmpMnt

Make a backup of the old data
shell: cp -Rp /tmp /tmp_backup

Mount the temp filesystem
shell: mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp

Set the permissions
shell: chmod 1777 /tmp

Copy the old files back
shell: cp -Rp /tmp_backup/* /tmp/

Once you do that go ahead and start mysql and make sure it works ok.
If it does you can add this line to the bottom of the /etc/fstab to automatically have it mounted:
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

While we are at it we are going to secure /dev/shm. Look for the mount line for /dev/shm and change it to the following:
none /dev/shm tmpfs noexec,nosuid 0 0

Umount and remount /dev/shm for the changes to take effect.
shell: umount /dev/shm
shell: mount /dev/shm

If everything still works fine you can go ahead and delete the /tmp_backup directory.
shell: rm -rf /tmp_backup

11. Disable some executables
Many php exploit scripts use common *nix tools to download root kits or backdoors. By simply chmod'ing the files so that no none-wheel or root user can use them we can eliminate many possible problems. The downside to doing this is that shell users will be inconvenienced by not being able to use the the commands below. If you run LES, which I would suggest, then you do not need to run the first group of chmods. If you get an error on the chmod 000 because a directory does not exist to not worry they are not on every server.

shell:
chmod 700 /usr/bin/rcp
chmod 700 /usr/bin/wget
chmod 700 /usr/bin/lynx
chmod 700 /usr/bin/links
chmod 700 /usr/bin/scp
chmod 000 /etc/httpd/proxy/
chmod 000 /var/mail/vbox
chmod 700 /usr/bin/mc
chmod 700 /usr/bin/elinks

chmod 700 /usr/bin/lwp-download
chmod 700 /usr/bin/GET
chmod 700 /usr/bin/curl

Also a suggestion that make a backup of /usr/bin, /usr/sbin, /bin, /sbin if someone overwrite in time this executables (will be infected by a chrootkit) then is easy to replace.

Going a step further might be to run the same chmod permission setting on '/usr/bin/*cc*'. This will only allow root to run compile programs like 'gcc'. Such hardening suggestions can help to stave off local and remote attacks, but don't consider them 100% foolproof either. Think of this as just another layer of security. Now I cannot give to you a list here, cause can be different files which is not compile libraries, ex.mysqlaccess, contain *cc*. So best is to use like

shell: cd /usr/bin/
shell: ls -al
shell: chmod 700 /usr/bin/ and here usefiles like gcc, cc, gnatgcc etc (ex chmod 700 byacc cc gcc gnatgcc i386-redhat-linux-gcc perlcc yacc)

12. RKHUNTER (ONLY IF YOU MISSED TO INSTALL WITH ELS)
Now we will install rkhunter so we will at least know if the server has been cracked. Note that a false positive is not always bad and you need to investigate the error before thinking you are hacked. Things such as compiling a 2.6.9 kernel on your server will cause binaries to change and rkhunter to suspect the server was cracked.

shell: yum install rkhunter

Now create a cronjob so it will email you with notifications to the root mailbox:
shell: crontab -e

Now the crontab is going to be created. The first line is an update function so that you can be assured your rkhunter has the latest rules before it scans your system. The second line will run the actual scan an email root the results. At the bottom add the following line
10 0 * * * /usr/bin/rkhunter --update > /dev/null 2 >&1
25 0 * * * /usr/bin/rkhunter -c --nocolors --cronjob --report-mode --createlogfile --skip-keypress --quiet

You can add to Cron from PLESK as well, choose Server > Cron and Add new task

edit /etc/rkhunter.conf for your mail and for ALLOWHIDDENDIR=/etc/.java

Save it ...

13. Register Globals and Error Reporting
Register_globals is something that ideally php coders would code to allow to be turned off but many do not. Because of that disabling this feature may cause a lot of scripts to break. If you are on a shared host it is probably best if you do not enable this. If you are not a shared host then there is probably nothing wrong with it but do make sure by looking at all of your websites to ensure it did not break any. That being said if you can get away with it then your server is going to be more secure. This comes down to the usability vs security issue, yes it makes it more secure but it also blocks some popular scripts. Use this at your own risk! To disable it search for "register_globals". It will currently be set to "On" go ahead and change it to "Off".

Next step is to find display_errors = On and change it to display_errors = Off, you can also turn on log_errors = On and if you like change error_reporting = E_ALL & ~E_NOTICE to error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR

Disable some problematic php variables, which can be insecure for the server.

disable_functions ="phpinfo,shell_exec,exec,virtual,passthru,proc_close,proc_get_status,proc_open,proc_terminate,system"

First open the php.ini file
shell: joe /etc/php.ini

Restart apache for it to take effect.
shell: /etc/init.d/httpd graceful

Register Global change can affect this settings some scripts, you need to tell to your customers about this.

14. Services Version Number
Version numbers can be used by various software scanners to determine if your server is vulnerable. Though you should have the latest versions of everything security though obscurity is one method that can be employed to help secure your server.

First we are going to hide the version information in apache.

shell: joe /etc/httpd/conf/httpd.conf

Search for "ServerSignature"
It should say On, change it to Off
This will remove the identification of apache from error pages

Right below that add a line that has the following:
"ServerTokens Prod"
This will identify apache simply as "apache" with no version numbers or OS information

Save out of the file and restart apache
You can do a TEST before restart
shell: /etc/init.d/httpd configtest
Need to get: Syntax OK
shell: /etc/init.d/httpd graceful

Next we will disable named from giving a version.
shell: joe /etc/named.conf

Search for "query-source address * port 53;"
Add a line right below it with
version "Named";
Save and restart named

Remember this is just security though obscurity and you still need to keep the server updated! This is just going to stop some people from finding your server in the first place. It will not help at all if somebody is trying to actually hack the server.

15. PHP Optimizer/CACHE

We suggest also to install Ioncube Loaders, a lot of softwares come encoded with Ioncube , XCache, Zend Optimizer.

For Ioncube Loaders is easy, download the correct loader for your operating system, then in /etc/php.d/ioncube.ini add the line extension=FILENAME and copy the SO file to /usr/lib/php4/ Be sure that you choose the correct loader for your PHP version.

XCache is also easy to install, you can get from http://www.jasonlitka.com/2007/01/30/how-to-compiling-xcache-from-source/ the SRC RPM.
Then also you need php-devel to compile it. Install with shell: yum install php-devel
Then shell: rpmbuild --rebuild php-xcache-1.2.1-jason.1.src.rpm (or new filename) . You will see in cd /usr/src/redhat/RPMS the RPM file, so install it with shell: rpm -i FILENAME
If apache not restart, see if the problem is not with Zend Optimizer and XCache, Zend Optimizer MUST be load after XCache. Of course you can edit /etc/php.d/xcache.ini to fit with your wish. Also you can get from /usr/share/doc/XCACHEPATH/ the admin directory and copy where you can reach it. Read more on XCache home page.

Zend Optimizer should be installed with ELS.

16. FTP Passive Mode Port
You need to edit /etc/proftpd.conf and add a line like

PassivePorts 35000 35999

After this see please APF Firewall settings at line IG_TCP_CPORTS= is there this port??

Then execute restart of XINETD

shell: /etc/rc.d/init.d/xinetd restart

17. Secure MORE your server with ASL - (Subscribe here ...)

Atomic Secured Linux is designed to improve overall system security by introducing both Kernel hardening techniques, as well as userspace utilities to your linux server. Currently, Atomic Secured Linux contains the latest 2.4 and 2.6 linux kernels, modified with the grsecurity.net kernel patch, mod_dosevasive and mod_security. Grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. Even if is a payed service, it worth every penny. Belive me, we use it.

18. mod-suPHP (still experimental on PLESK to work 100% ok).

A lot of people have problems with different PHP softwares like Joomla, different Gallery softwares, especially where need to upload pictures. Why? Because now in a new settings, PHP will work as apache:apache user and any files uploaded via a web interface will get this user rights. Any files uploaded via FTP clients, will get the domain ownership. SO, if you for example want to get all picture files added via WEB INTERFACE, you cannot download or overwrite via FTP because the file rights. Also on install a lot of people need to setup folders to 777 rights to uload in it.

So seems the mod_suPHP solution is nice and working with the following settings.

shell: yum install mod_suphp
(alternate http://dag.wieers.com/rpm/packages/mod_suphp/)

After this, /etc/httpd/conf.d/mod_suphp.conf (imporatnt this line LoadModule suphp_module modules/mod_suphp.so, rest can be uncommented); /etc/suphp.conf (use default, except ; Security options allow_file_group_writeable=false allow_file_others_writeable=false allow_directory_group_writeable=true allow_directory_others_writeable=false; )

If is PHP5, change in /etc/suphp.conf

unmask=0022
[handlers]
;Handler for php-scripts
php5-script=php:/usr/bin/php-cgi

In some case, suphp.conf in /etc/httpd/conf.d will not work, so
shell: mv /etc/httpd/conf.d/suphp.conf /etc/httpd/conf.d/mod_suphp.conf

If you compiled suphp with setid-mode "force" or "paranoid", you can specify the user- and groupname to run PHP-scripts with.
Example: suPHP_UserGroup ftpuser psacln

The major things come with: httpd.include of each domain need to add, before < /VirtualHost >, the line Include /var/www/vhosts/fieldstonealliance.com/conf/vhost.conf
Then create vhost.conf. (We suggest to use for this Power Toys, this will suggest exacctly what you need to do and modify the file for you)

In vhost.conf you need:

< IfModule mod_suphp.c >

< Directory "/var/www/vhosts/DOMAIN/httpdocs/" >

php_admin_flag engine on

suPHP_Engine On

suPHP_ConfigPath "/var/www/vhosts/DOMAIN/httpdocs/"

AddHandler x-httpd-php .php

AddHandler php5-script .php

AddHandler x-httpd-php .php .php5 .php4 .php3 .phtml

suPHP_AddHandler x-httpd-php

suPHP_AddHandler php5-script .php

suPHP_UserGroup ftpuser psacln

php_value open_basedir "/tmp/"

php_value upload_tmp_dir "/var/www/vhosts/DOMAIN/tmp/"

< Files php.ini >

order allow,deny

deny from all

< /Files >

< /Directory >

< /IfModule >

Need to focus on BOLD issues. DOMAIN is your domain, AddHandler one line is for PHP4, the other for PHP5, dunno if will work both together. Create in httpdocs/tmp directory, to write in it, as temporary upload dir. We still study this to move one directory up, but is not tested yet: DOMAIN/tmp/. After this, you need to add a php.ini file in your httpdocs directory, which will be use for that domain. this file cannot be read from outside because is restricted. To test if is work, create a file wit lines, < ?php phpinfo(); ? > and call it from web. You can see if is loaded new PHP.INI or not and mod_suPHP is on.

PLESK SETTINGS:

Go and login into PLESK admin and do the following steps.
Before all, click on update and do an update.
Click on SERVERS:
1. Change password: Change passwords to access into PLESK.
2. Access: Setup PLESK ADMIN access and add your IP, in this way you restrict ADMIN access from your IP.
3. System time: I use synchronize time with server: time.windows.com, anyway setup here the correct zone.
4. Mail preferences: Enable MAPS protection to blackholes.mail-abuse.org;relays.ordb.org;bl.spamcop.net;list.dsbl.org and also I use POP3 lock time to 20 minutes.
5. Mailman settings: Setup email and password.
6. DNS - Read the manual.
7. Logo Setup - to setup your Company LOGO
8. Crontab - Set crontab message, if need change here the mail to not send to root.

Next step is CLIENTS AND DOMAINS, but this is documented in manuals, so I suggest to read it.

ADDITIONAL USEFULL TOOLS:
http://www.web-hosting-control-panel-addons.com/product.php/Search-Engine-Optimization-Tools-for-Control-Panels/2/ - SEO Tools for PLESK
http://www.web-hosting-control-panel-addons.com/product.php/Power-Toys-for-PLESK/1/ - Power Toys for PLESK
http://forum.swsoft.com/showthread.php?s=&threadid=37061 - Automated Remote FTP Backup shell script
http://www.day32.com/MySQL/tuning-primer.sh - MySQL Performance Tuning Primer Script
http://gert.sos.be/demo/mysqlar/ - MySQL Activity Report
http://www.4psa.com/ - 4PSA have several nice tools.
http://www.host-tracker.com/ - you can subscribe to this services to get reports (SMS if you need) about your server uptime.
http://jeremy.zawodny.com/mysql/mytop/ - MySQL Top program
http://www.ex-parrot.com/~pdw/iftop/ - IFTop, display bandwidth usage on an interface.
http://www.webta.org/projects/apachetop/ - ApacheTOP
http://ngm.id.au/checkhab - checkHAB is a script based on checkattach
http://sourceforge.net/projects/automysqlbackup/ - MySQL Backup
http://www.mod-top.org/versions.html - Mod_Top

ADDITIONAL USEFULL TRICK:
How To Filter Tagged Spam to a Spam IMAP Folder - http://forum.swsoft.com/showthread.php?s=&threadid=46883
Qmail-scanner package has options for blocking specific extensions -

If anyone has any suggestions, please drop me a note on the forum or e-mail me at contact page .
I will update this manual.

Regards,
Valics Lehel
http://www.web-hosting-control-panel-addons.com
Affordable Solutions For All Your Software Needs - Website Builders, Shopping Cart Software/Programs, PHP Software, Ecommerce Solutions…

THANX TO:
Thanx to eth00 (http://eth0.us/) site, even if he write a help for CPanel, help a lot to adapt to PLESK.
Also thanx for atomicrocketturtle site - http://www.atomicrocketturtle.com/