HOW-TO Setup a PLESK Dedicated Server


Date: 30 July 2011


(Revision: 3.2.8 - 30 July 2011) After several installations of PLESK on different dedicated servers, we have decided to write a small HOW-TO for other users. Maybe someone will have a better idea, and together we can write a complete guide to setting up a new box to be faster and more secure. This manual has been compiled with the help of the guys from the PLESK forum, so we thank them, especially "atomicrocketturtle".
This tutorial is mostly for REDHAT/FEDORA/CentOS; other OSes will in some cases need changes for an appropriate install.
If you want to get updates on this HOW-TO, consider subscribing to our newsletter.
ALERT: Do not upgrade to PHP 5.3.x until you are sure that all of your clients' software will be compatible. A lot of functions were deprecated and you can have serious issues.

IMPORTANT NOTE FOR BEGINNERS

Before continuing this tutorial, you need to have knowledge of SSH, or you may ruin your server.
If you need installation support, better order this service from us; we will do this job for you for only 50USD. It usually takes approximately 2 hours.
We will need SSH access with root rights from you.
So log in with SSH as root.
1. Verify that YUM is installed. If yes, proceed to edit /etc/yum.conf. If not, install it from RPM. In order to use yum with the ATOMIC packages, you first need to add a few lines to /etc/yum.conf from http://www.atomicrocketturtle.com/, browsing for the right OS. YUM is installed in the latest REDHAT/FEDORA/CentOS by default. Other OSes use, for example, apt-get (Debian).
2. Edit the YUM configuration to work with ATOMIC packages. Always use only the PSA channel for your version. (Other OSes skip this step, or configure other channels specific to the OS.)
Using Lynx (yum -y install lynx):
lynx -source http://www.atomicorp.com/installers/atomic.sh | sh
Using Wget:
wget -q -O - http://www.atomicorp.com/installers/atomic.sh | sh
3. Install some useful tools like JOE (text editor), Midnight Commander and LYNX (text-based browser). I usually suggest Midnight Commander; it is a visual tool, good for beginners too. Joe and Lynx are optional. You can use VIM as well if you are familiar with it. (mcedit also works nicely if you install mc.)
yum install joe mc lynx
4. Also update the packages with yum, so we are up to date. At this step we want to be sure we have all packages updated. If you use the ATOMIC packages, it will probably ask to replace MySQL and PHP/Apache with the ART versions. That is OK.
yum update
5. In PLESK create a domain. Usually each of us has a default domain; we change that domain's user to have SSH access. It is important to create this user (domain) first and not go forward with changing root access before that. Of course you can create it later as well, but if you disable root first, you cannot access the server with SSH. Linux people would call it a wheel account. We prefer to use an SSH personal key, but that is harder to set up.
Next I change the root password as well, from the default value.
passwd root
(it will ask for the new password) - WRITE this down somewhere, in your notes.
After this, I follow the description from http://www.crucialparadigm.com/resources/tutorials/secure-server-securin...
6. Now edit some files to make navigating in SSH easier, like:
joe /root/.bash_profile
alias bye="exit"
alias ns="netstat -lpn"
alias pmysql="cd /var/lib/mysql"
alias phttpd="cd /var/www/vhosts"
alias tailall="tail -f /var/www/vhosts/*/statistics/logs/error_log /var/www/vhosts/*/statistics/logs/access_log"
alias tailallerror="tail -f /var/www/vhosts/*/statistics/logs/error_log"
alias tailallaccess="tail -f /var/www/vhosts/*/statistics/logs/access_log"
alias maillog="tail -f /usr/local/psa/var/log/maillog"
alias myadmin="mysql -u admin -p`cat /etc/psa/.psa.shadow`"
alias mchk="/usr/local/psa/admin/sbin/mchk --with-spam"
alias webpsa="/usr/local/psa/admin/sbin/websrvmng -av"
alias ppass="cat /etc/psa/.psa.shadow;"
alias que="/var/qmail/bin/qmail-qstat"

echo "############################################################"
echo " Shortcuts to your system "
echo "############################################################"
echo
echo "To see your Plesk password, type: ppass"
echo
echo "To rebuild your Apache/Web Server configuration, type: webpsa"
echo
echo "To rebuild your Qmail/Mail Server configuration, type: mchk"
echo
echo "To see your Qmail/Mail Server queue, type: que"
echo
echo "To connect to your MySQL server as admin, type: myadmin"
echo
echo "To exit from shell, type: exit"
echo
echo "To see netstat command, type: ns"
echo
echo "To see all error/access log, type: tailall"
echo
echo "To see all error log, type: tailallerror"
echo
echo "To see email log, type: maillog"
echo
echo "To see all access log, type: tailallaccess"
echo
echo "To get rid of these messages/aliases, edit your /root/.bash_profile"
echo
and add these lines. This saves you from typing cd /home/http/vhosts/ all the time: just execute phttpd and you are already there. You may create your own rules, of course. Be sure that lines do not break; always start a line with alias ___.
For example you can create an alias to read mail logs, by adding any similar rules using Linux commands.
joe /root/.bashrc
and add a line like this (watch out for the backtick character ` ):
echo 'ALERT - Root Shell Access (YOURSERVERNAME) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" YOUREMAIL
This will let you know each time someone logs in as root, which is theoretically only you. (The ELS installer can do this for you.)
On each root login you will get a mail to your address with the subject ALERT - Root Shell Access (YOURSERVERNAME) on:, telling you which IP logged in and so on.
YOURSERVERNAME and YOUREMAIL must be replaced with your data. (ELS can do this as well.)
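The one-liner above takes the "(host)" field from every session listed by who, so on a server with several logins the subject mixes them up, and on a local console login there is no "(host)" field at all and the cut pipeline produces an empty string. The following is an added example, not the how-to's own snippet: it reports only the current session (who -m) and handles the console case. It assumes mail(1) is installed and that YOURSERVERNAME and YOUREMAIL are replaced with your values; the two who lines are constructed for the self-check.

```shell
#!/bin/sh
# Added example (not the how-to's own snippet): a root-login alert for
# /root/.bashrc that reports only the session that just logged in (who -m)
# and copes with local console logins, where who(1) prints no "(host)" field.
# Assumptions: mail(1) is installed; YOURSERVERNAME and YOUREMAIL are your values.

# Constructed who(1) output lines, used to exercise the parsing below
WHO_REMOTE='root     pts/0        2011-07-30 10:15 (203.0.113.7)'
WHO_LOCAL='root     tty1         2011-07-30 10:16'

# who_remote_host WHO_LINE -> the host or IP in parentheses, or "local-console"
who_remote_host() {
    case $1 in
        *'('*')'*)
            _rest=${1#*"("}
            _host=${_rest%%")"*}
            printf '%s\n' "$_host"
            ;;
        *)
            printf 'local-console\n'
            ;;
    esac
}

# alert_subject SERVERNAME WHO_LINE -> the mail subject line
alert_subject() {
    printf 'Alert: Root Access on %s from %s\n' "$1" "$(who_remote_host "$2")"
}

# alert_body SERVERNAME WHO_LINE -> the mail body: server, time, raw who line
alert_body() {
    printf 'ALERT - Root Shell Access (%s) on: %s\nSession: %s\n' "$1" "$(date)" "$2"
}

# send_root_alert SERVERNAME ALERT_TO -> mails the alert for the current session
send_root_alert() {
    _line=$(who -m)
    alert_body "$1" "$_line" | mail -s "$(alert_subject "$1" "$_line")" "$2"
}

# In /root/.bashrc, after the function definitions, you would add (not run here):
# send_root_alert YOURSERVERNAME YOUREMAIL
```

The functions must be defined in /root/.bashrc (or in a file it sources) before the send_root_alert call, since .bashrc is read on every interactive root shell.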
7. Because the YUM update installed MySQL 5, also change my.cnf and update the tables to be MySQL 5 compatible. In the latest distros there is already MySQL 5.1.
If you upgraded to MySQL 5.1.x, comment out skip-bdb in my.cnf (#skip-bdb); this will let MySQL start again.
After this you will need to update your tables:
mysql_upgrade -uadmin -p`cat /etc/psa/.psa.shadow`
mysqlcheck -uadmin -p`cat /etc/psa/.psa.shadow` --auto-repair --check --optimize --all-databases
Also be sure that the upgrade created the servers table in the mysql database; if it does not exist, create it:
CREATE TABLE `servers` (
  `Server_name` char(64) NOT NULL,
  `Host` char(64) NOT NULL,
  `Db` char(64) NOT NULL,
  `Username` char(64) NOT NULL,
  `Password` char(64) NOT NULL,
  `Port` int(4) DEFAULT NULL,
  `Socket` char(64) DEFAULT NULL,
  `Wrapper` char(64) NOT NULL,
  `Owner` char(64) NOT NULL,
  PRIMARY KEY (`Server_name`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='MySQL Foreign Servers table';
We suggest considering this my.cnf. To find out which MySQL version you run, execute the following. Be aware that on a VPS other settings may apply; ours usually fit, but not always.
mysql -uadmin -p`cat /etc/psa/.psa.shadow`
status
Get the file for your version and copy it to /etc/my.cnf:
my.cnf-4.0
my.cnf-4.1
my.cnf-5.0
my.cnf-5.1
After getting it, be sure to edit it. Change the following things: the lines marked with # ... every 1GB of RAM, according to your memory;
joe /etc/my.cnf
touch /var/log/mysql_slow_queries.log
chown mysql:mysql /var/log/mysql_slow_queries.log
After my.cnf is configured, you can use the MySQL Performance Tuning Primer Script to tune your server, but MySQL must have been running for at least 24 hours to get correct data. The script is at http://www.day32.com/MySQL/tuning-primer.sh; alternatively use MySQLTuner, http://wiki.mysqltuner.com/MySQLTuner. Run it and correct the data in /etc/my.cnf (we prefer the second one).
yum install mysqltuner
8. ANTIVIRUS:
QMAIL
yum remove drweb-qmail drweb
yum install qmail-scanner clamd qgreylist spamassassin dcc pyzor razor-agents
service spamassassin restart
service clamd start
cat > /var/log/clamav/freshclam.log
chown qscand:qscand /var/log/clamav/freshclam.log
qmail-scanner-reconfigure (/usr/share/qmail-scanner/qmail-scanner-reconfigure.psa)
Configure qmail-scanner with the /etc/qmail-scanner.ini file.
POSTFIX
For this you need to enable the ATOMIC TEST repo:
joe /etc/yum.repos.d/atomic.repo
[atomic-testing]
enabled = 1
yum install clapf
Now all should work fine; you can check by sending yourself a test virus from http://www.aleph-tec.com/eicar/index.php
In the meantime check the log files to see that all works fine and no errors are there.
tail -f /var/spool/qmailscan/qmail-queue.log /usr/local/psa/var/log/maillog /var/log/clamav/clamd.log
9. FIREWALL: You can use the PLESK Firewall Module, which is easy to install, or use APF.
The PLESK module is nice, but for more advanced usage we still recommend APF.
We found a very nice auto installer. (http://www.servermonkeys.com/els.php)
wget --output-document=installer.sh http://servermonkeys.com/projects/els/installer.sh
sh installer.sh
els --apf
els --bfd
Install ONLY APF and BFD from it; the rest can be ignored. You can still see els --help for other packages.
When you are done, you still need some modifications.
joe /etc/apf/allow_hosts.rules
Here you will add your own IP so the firewall ignores it. VERY IMPORTANT, so you do not lock yourself out of the server.
The format of these files is line-separated addresses; IP masking (CIDR) is supported.
Example:
24.202.16.11
24.202.11.0/24
joe /etc/apf/ad/conf.antidos
# Try to detect syn-flood attacks [0=off,1=on]
DET_SF="1"
# Parse klog for iptables logged attacks [0=off,1=on]
LP_KLOG="1"
USR_ALERT="1"
USR="yourmail@domain.com"
ARIN_ALERT="1"
Here you set it up to send you antidos alerts.
/etc/apf/apf -s
joe /etc/apf/conf.apf
Check the ports as well:
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,3306,5224,8443,8080,10000,11443,11444,30000,35000_35999"
or
IG_TCP_CPORTS="20,21,25,53,80,110,143,443,465,993,995,3306,5224,8443,8080,10000,11443,11444,30000,35000_35999"
(notice there is no port 22 for SSH in the second list; we suggest this. Also, if you use ASL, add port 30000, and 11443_11444 for Sitebuilder and SSO.)
Also look for USE_DS="1"; it usually has the value 0, change it to 1.
/etc/apf/apf -s
If you get the message "Cannot load iptables", then you need to set SET_MONOKERN="1" in /etc/apf/conf.apf (especially if you use a VPS or the ASL module from AtomicCorp).
FINAL STEP:
If the firewall works OK, do not forget to get out of DEV mode and restart:
# Set firewall dev cronjob
# 1 = enabled / 0 = disabled
DEVM="0"
10. Disable some executables
Many PHP exploit scripts use common *nix tools to download rootkits or backdoors. By simply chmod'ing the files so that no non-wheel or non-root user can use them, we can eliminate many possible problems. The downside of doing this is that shell users will be inconvenienced by not being able to use the commands below. If you run LES, which I would suggest, then you do not need to run the first group of chmods. If you get an error on chmod 000 because a directory does not exist, do not worry; they are not on every server.
chmod 700 /usr/bin/rcp
chmod 700 /usr/bin/wget
chmod 700 /usr/bin/lynx
chmod 700 /usr/bin/links
chmod 700 /usr/bin/scp
chmod 000 /etc/httpd/proxy/
chmod 000 /var/mail/vbox
chmod 700 /usr/bin/mc
chmod 700 /usr/bin/elinks
chmod 700 /usr/bin/lwp-download
chmod 700 /usr/bin/GET
chmod 700 /usr/bin/curl
Also a suggestion: make a backup of /usr/bin, /usr/sbin, /bin and /sbin, so that if someone overwrites these executables in time (infected by a rootkit), they are easy to replace.
Going a step further might be to run the same chmod permission setting on '/usr/bin/*cc*'. This will only allow root to run compilers like 'gcc'. Such hardening suggestions can help to stave off local and remote attacks, but don't consider them 100% foolproof either. Think of this as just another layer of security. I cannot give you a list here, because there can be different files which are not compilers but contain *cc*, e.g. mysqlaccess. So it is best to do something like:
cd /usr/bin/
ls -al *gcc
chmod 700 byacc cc gcc gnatgcc i386-redhat-linux-gcc perlcc yacc
(this is just an example; see what *gcc returns)
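Once the chmods are done, the useful check is whether any of those binaries has drifted back to being executable by everyone (a package update that reinstalls wget or curl will silently restore 755). The script below is an added example, not part of the original how-to; it takes the list from step 10, reports each path as locked, WORLD-EXEC or missing, and treats a missing file the way the text says to, as nothing to worry about. It assumes a POSIX sh with ls and cut, and the path list is the how-to's own, to be adjusted for your server.

```shell
#!/bin/sh
# Added example (not part of the original how-to): audit the lockdown from
# step 10. For each binary, report whether "other" users still have the
# execute bit; missing paths are reported as "missing" rather than treated
# as errors, matching the note that not every file exists on every server.
# Assumption: the list below is the how-to's; adjust it to your own server.

LOCKDOWN_BINS="/usr/bin/rcp /usr/bin/wget /usr/bin/lynx /usr/bin/links
/usr/bin/scp /usr/bin/mc /usr/bin/elinks /usr/bin/lwp-download
/usr/bin/GET /usr/bin/curl"

# other_can_exec PATH -> 0 if the "other" execute bit is set, 1 otherwise
# (column 10 of "ls -l" is the "other" execute flag: x, t, or -)
other_can_exec() {
    _bit=$(ls -ld "$1" 2>/dev/null | cut -c10)
    case $_bit in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_bins "PATH PATH ..." -> one line per path: locked, WORLD-EXEC, or missing
audit_bins() {
    for _f in $1; do
        if [ ! -e "$_f" ]; then
            printf '%s missing\n' "$_f"
        elif other_can_exec "$_f"; then
            printf '%s WORLD-EXEC\n' "$_f"
        else
            printf '%s locked\n' "$_f"
        fi
    done
}

# Run it over the step-10 list; on a locked-down box nothing should say WORLD-EXEC
audit_bins "$LOCKDOWN_BINS"
```

Putting this in a daily cron job and mailing the output to yourself turns the one-time chmod into a check that also catches the "yum update restored the permissions" case.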
12. RKHUNTER & LYNIS
Now we will install rkhunter so we will at least know if the server has been cracked. Note that a false positive is not always bad, and you need to investigate the error before thinking you are hacked. Things such as compiling a 2.6.9 kernel on your server will cause binaries to change and rkhunter to suspect the server was cracked. Unfortunately rkhunter will also give a lot of false positives; you will need to configure what to ignore in rkhunter.conf.
yum install rkhunter lynis
rkhunter -c
lynis -c
13. Register Globals and Error Reporting and mod_security
First open the php.ini file
joe /etc/php.ini
register_globals is something that ideally PHP coders would write their code to cope with being turned off, but many do not. Because of that, disabling this feature may cause a lot of scripts to break. If you are on a shared host it is probably best if you do not make this change. If you are not a shared host then there is probably nothing wrong with it, but do make sure by looking at all of your web sites to ensure it did not break any. That being said, if you can get away with it then your server is going to be more secure. This comes down to the usability vs. security issue: yes, it makes it more secure, but it also blocks some popular scripts. Use this at your own risk! To disable it, search for "register_globals". It will currently be set to "On"; go ahead and change it to "Off".
Next find display_errors = On and change it to display_errors = Off. You can also turn on log_errors = On and, if you like, change
error_reporting = E_ALL & ~E_NOTICE into
error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR
Disable some problematic PHP functions, which can be insecure for the server (but also be aware that disable_functions can affect some PHP programs):
disable_functions="dl,exec,fsockopen,passthru,pcntl_exec,pfsockopen,popen,posix_kill,posix_mkfifo,posix_setuid,proc_close,proc_open,proc_terminate,shell_exec,system"
Just a note here: if you disable functions, in some cases it can break Horde. There is a workaround for this; better disable them and then use the workaround. It can also break some other programs like Joomla, WordPress etc.
Workaround for HORDE - Breun posted a solution on the PLESK forum. Edit /etc/psa-horde/horde/conf.php (Plesk 8) or /etc/psa/webmail/horde/horde/conf.php (Plesk 9 and, I assume, Plesk 10?)
1) Change $conf['mailer']['type'] from 'sendmail' to 'smtp'
2) Add the following line: $conf['mailer']['params']['host'] = 'localhost';
In this way, Horde will use SMTP and no longer needs popen to be enabled.
Also I suggest changing some settings; search for them:
max_execution_time = 120
max_input_time = 240
memory_limit = 128M
session.save_path = "/tmp"
expose_php = Off
Restart apache for it to take effect.
/etc/init.d/httpd graceful
The register_globals change, together with these settings, can affect some scripts; you need to tell your customers about this.
Install mod_security with YUM. This tool can prevent a lot of problems for APACHE: file injections, attacks etc.
yum install mod_security
From this page you can get the free mod_security rules (delayed 30+ days): http://downloads.prometheus-group.com/delayed/rules/ Get them and untar into /etc/httpd/modsecurity.d. Be sure that 00_asl_rbl.conf and 00_asl_whitelist.conf are uninstalled, renamed or deleted (if anyone knows another workaround??!). But still consider using the ASL services; pay for it and you are more secure.
Also create a file for your custom security rules:
joe /etc/httpd/modsecurity.d/00_asl_custom_exclude.conf
Then you can add a few lines like the following example. You can disable rules that you do not need or that create problems:
<LocationMatch .*>
SecRuleRemoveById 351000
SecRuleRemoveById 340162
</LocationMatch>
SecRule REMOTE_ADDR "@pmFromFile /etc/asl/whitelist" "nolog,phase:1,allow"
<LocationMatch /var/www/vhosts/YOURDOMAIN/httpdocs/admin/>
SecRuleEngine Off
</LocationMatch>
See more docs here: http://www.atomicorp.com/wiki/index.php/Mod_security
IMPORTANT: mod_security can introduce a lot of issues, so if you think that you cannot handle it, or your clients start to yell at you because they get a lot of 550 Forbidden errors, better use the ASL WEB GUI or learn more about mod_security on the forums. Also Power Toys can help to at least manage/disable some rules more easily.
14. Services Version Number
Version numbers can be used by various software scanners to determine if your server is vulnerable. Though you should have the latest versions of everything, security through obscurity is one method that can be employed to help secure your server.
First we are going to hide the version information in Apache.
joe /etc/httpd/conf/httpd.conf
Search for "ServerSignature". It should say On; change it to Off.
This will remove the identification of Apache from error pages.
Right below that add a line with the following:
ServerTokens Prod
This will identify Apache simply as "Apache", with no version numbers or OS information.
Save the file and restart Apache. You can do a TEST before the restart:
/etc/init.d/httpd configtest
You need to get: Syntax OK
/etc/init.d/httpd graceful
Next we will stop named from giving out its version.
joe /etc/named.conf
Search for "query-source address * port 53;"
Add a line right below it with
version "Named";
Save and restart named.
Remember this is just security through obscurity and you still need to keep the server updated! This is just going to stop some people from finding your server in the first place. It will not help at all if somebody is actually trying to hack the server.
15. PHP Optimizer/CACHE
We suggest also installing IonCube Loaders (a lot of software comes encoded with IonCube), XCache, Zend Optimizer and php-eaccelerator.
yum install php-ioncube-loader php-zend-optimizer php-eaccelerator
On PHP 5.3 you cannot use php-zend-optimizer, you must use ZendGuard.
yum install php-zend-guard-loader
XCache is also easy to install; you can get it from http://xcache.lighttpd.net/pub/Releases/1.3.0/xcache-1.3.0.tar.gz.
To install:
wget http://xcache.lighttpd.net/pub/Releases/1.3.0/xcache-1.3.0.tar.gz
tar zxvf xcache-1.3.0.tar.gz
cd xcache-1.3.0
phpize
./configure
make
make install
Check where xcache.so was installed (some lib directory).
Then copy xcache-1.3.0/xcache.ini to /etc/php.d/axcache.ini (use the name axcache to avoid problems with any Zend extensions (IonCube, Zend etc.)).
Edit /etc/php.d/axcache.ini and correct the path to xcache.so (so it loads from the correct place).
Restart Apache and check with php -v that it is loaded.
If Apache does not restart, check whether the problem is a conflict between Zend Optimizer and XCache.
IMPORTANT: After restarting Apache and executing php -v you may get error messages like "Failed loading /usr/local/Zend/lib/Optimizer-3.3.0/php-5.2.x/ZendOptimizer.so: /usr/local/Zend/lib/Optimizer-3.3.0/php-5.2.x/ZendOptimizer.so: cannot restore segment prot after reloc: Permission denied".
You will need to execute the following, changing the paths to your .so files:
chcon -t texrel_shlib_t /usr/lib/php/zend/ZendOptimizer-5.2.so
execstack -c /usr/local/Zend/lib/Optimizer-3.3.0/php-5.2.x/ZendOptimizer.so
php -v
If you do not get any error, the problem is solved. In some cases SELinux can also create problems; we always disable it and use ASL.
16. FTP Passive Mode Port
You need to edit /etc/proftpd.conf and add a line like
PassivePorts 35000 35999
After this, please check the APF firewall settings: is this port range present in the IG_TCP_CPORTS= line?
Then restart XINETD:
/etc/rc.d/init.d/xinetd restart
Also read this article about extra FTP info and checks: http://www.grafxsoftware.com/faq.php/Web-Site-hacked-iframe-inserted-whe...
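The port question in step 9 (is 22 in the list or not, are the Plesk ports there) and the passive-range question here in step 16 are the same check: does IG_TCP_CPORTS cover a given port once ranges like 35000_35999 are expanded. The script below is an added example, not part of the original how-to, that answers it from a conf.apf-style line. It assumes the syntax shown in step 9 (comma-separated ports, ranges written LOW_HIGH); the conf.apf excerpt inside it is constructed for the self-check, so point it at the real file's IG_TCP_CPORTS line on your server.

```shell
#!/bin/sh
# Added example (not from the original how-to): check whether a port is
# covered by an APF IG_TCP_CPORTS list, expanding ranges written LOW_HIGH.
# Assumes the conf.apf syntax shown in step 9 of the how-to.

# Constructed excerpt of /etc/apf/conf.apf (the "no port 22" variant)
SAMPLE_CONF='# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,25,53,80,110,143,443,465,993,995,3306,5224,8443,8080,10000,11443,11444,30000,35000_35999"
IG_UDP_CPORTS="53"'

# apf_ingress_ports CONF_TEXT -> the IG_TCP_CPORTS value without the quotes
apf_ingress_ports() {
    printf '%s\n' "$1" | sed -n 's/^IG_TCP_CPORTS="\([^"]*\)".*/\1/p'
}

# apf_port_allowed PORTLIST PORT -> 0 if PORT is listed (directly or in a range)
apf_port_allowed() {
    _list=$1
    _port=$2
    _old_ifs=$IFS
    IFS=,
    for _entry in $_list; do
        case $_entry in
            *_*)
                # a LOW_HIGH range
                _lo=${_entry%_*}
                _hi=${_entry#*_}
                if [ "$_port" -ge "$_lo" ] && [ "$_port" -le "$_hi" ]; then
                    IFS=$_old_ifs
                    return 0
                fi
                ;;
            *)
                if [ "$_entry" = "$_port" ]; then
                    IFS=$_old_ifs
                    return 0
                fi
                ;;
        esac
    done
    IFS=$_old_ifs
    return 1
}

# apf_check_report PORTLIST PORT... -> one line per port: "open" or "BLOCKED"
apf_check_report() {
    _list=$1
    shift
    for _p in "$@"; do
        if apf_port_allowed "$_list" "$_p"; then
            printf '%s open\n' "$_p"
        else
            printf '%s BLOCKED\n' "$_p"
        fi
    done
}

# On a real server: PORTS=$(apf_ingress_ports "$(cat /etc/apf/conf.apf)")
PORTS=$(apf_ingress_ports "$SAMPLE_CONF")
# SSH, Plesk panel, both ends of the proftpd PassivePorts range, and one past it
apf_check_report "$PORTS" 22 8443 35000 35999 36000
```

With the sample list, 22 and 36000 come back BLOCKED and the other three open, which is exactly what the how-to intends: SSH closed at the firewall (only reachable if you add your own address to allow_hosts.rules) and the whole passive range open.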
17. Secure your server MORE with ASL - (Subscribe here ...)

Atomic Secured Linux is designed to improve overall system security by introducing both kernel hardening techniques and userspace utilities to your Linux server. Currently, Atomic Secured Linux contains the latest 2.4 and 2.6 Linux kernels, modified with the grsecurity.net kernel patch, mod_dosevasive and mod_security. Grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. Even if it is a paid service, it is worth every penny. Believe me, we use it. It also has a PLESK Control Panel add-on where you can edit everything visually.
You can install ASL, but it will require a login and password. (Subscribe here, 158USD/year)
wget -q -O - http://www.atomicorp.com/installers/asl | sh
18. mod_suPHP
A lot of people have problems with different PHP software like Joomla, Drupal, WordPress and various gallery software, especially where pictures need to be uploaded. Why? Because with the new settings PHP runs as the apache:apache user, and any files uploaded via a web interface get that user's ownership. Any files uploaded via FTP clients get the domain's ownership. So if you, for example, want to get all picture files added via the WEB INTERFACE, you cannot download or overwrite them via FTP because of the file rights. Also on install a lot of people need to set folders to 777 rights to upload into them.
So the mod_suPHP solution seems nice and works with the following settings. Some people recommend mod_ruid2, but I did not find a way to have a php.ini for each directory with that module. mod_suphp is older but it works, 100% guaranteed.
IMPORTANT UPDATE: In 0.7.1 handle_userdir=true is deprecated; if you do an upgrade, just delete this line. On a new install it should not be there.
yum install mod_suphp
(alternate http://dag.wieers.com/rpm/packages/mod_suphp/)
After this, check /etc/httpd/conf.d/mod_suphp.conf (the important line is LoadModule suphp_module modules/mod_suphp.so; the rest can be uncommented. On Debian/Ubuntu it is not in the same place; it is in the Apache directory) and /etc/suphp.conf (use the default, except umask=0022).
If it is PHP5, change in /etc/suphp.conf:
loglevel=warn
docroot=/var/www/vhosts:${HOME}/httpdocs
umask=0022
;Use correct permissions for mod_userdir sites
;handle_userdir=true
[handlers]
;Handler for php-scripts
php5-script="php:/usr/bin/php-cgi"
;Handler for CGI-scripts
x-suphp-cgi="execute:!self"
NOTE (from the suphp.conf options):
allow_file_group_writeable: Allow files to be group writeable. Disabled by default.
allow_directory_group_writeable: Allow directories scripts are residing in to be group writeable. Disabled by default.
allow_file_others_writeable: Allow files to be writeable by world. Disabled by default. WARNING: Enabling this option is very dangerous and causes major security issues, especially the danger of arbitrary code execution!
allow_directory_others_writeable: Allow directories scripts are residing in to be writeable by world. Disabled by default. WARNING: Enabling this option is dangerous!
joe /etc/httpd/conf.d/mod_suphp.conf
Here change the line suPHP_Engine on into #suPHP_Engine on (this is very important).
If you compiled suPHP with setid-mode "force" or "paranoid", you can specify the user and group name to run PHP scripts with.
Example: suPHP_UserGroup ftpuser psacln
The major part: in the httpd.include of each domain you need to add, before </VirtualHost>, the line Include /var/www/vhosts/domain.com/conf/vhost.conf
Then create vhost.conf. (We suggest using Power Toys for this; it will tell you exactly what you need to do and modify the file for you. Also from version 4.9.0 it will fix the permissions if suPHP is turned ON.)
In vhost.conf you need:
<IfModule mod_suphp.c>
<Directory "/var/www/vhosts/DOMAIN/httpdocs/">
php_admin_flag engine on
suPHP_Engine On
suPHP_ConfigPath "/var/www/vhosts/DOMAIN/httpdocs/"
AddHandler x-httpd-php .php
AddHandler php5-script .php
AddHandler x-httpd-php .php .php5 .php4 .php3 .phtml
suPHP_AddHandler x-httpd-php
suPHP_AddHandler php5-script .php
suPHP_PHPPath
php_value open_basedir "/tmp/"
php_value upload_tmp_dir "/var/www/vhosts/DOMAIN/tmp/"
<Files php.ini>
order allow,deny
deny from all
php_value open_basedir "/tmp/"
php_value upload_tmp_dir "/var/www/vhosts/DOMAIN/httpdocs/tmp/"
</Files>
</Directory>
</IfModule>
Focus on the important points: DOMAIN is your domain; of the AddHandler lines one is for PHP4 and the other for PHP5 (I do not know whether both will work together). Create a tmp directory in httpdocs to write into, as the temporary upload dir. We are still studying moving this one directory up, to DOMAIN/tmp/, but it is not tested yet. After this you need to add a php.ini file in your httpdocs directory, which will be used for that domain; this file cannot be read from outside because access to it is restricted. To test whether it works, create a file with the line <?php phpinfo(); ?> and call it from the web. You can see whether the new php.ini is loaded and mod_suPHP is on.
People have asked for a good php.ini (for each httpdocs environment, on suPHP only). So here is our suggestion for Joomla:
allow_url_fopen=On
upload_tmp_dir = "/tmp"
session.save_path = "/tmp"
output_buffering = On
zlib.output_compression = On
max_execution_time = 120
max_input_time = 120
memory_limit = 256M
error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR
display_errors = Off
register_long_arrays = Off
post_max_size = 32M
session.gc_maxlifetime = 3600
magic_quotes_gpc = On
upload_max_filesize = 32M
IMPORTANT: By default we disabled mod_suphp, so you need to add it to all existing domains manually (Power Toys will add it automatically on new domains). Why is this so important? Because if you enable it on all domains, and before you had 777 rights on folders or files, suPHP will give an error about wrong GID or UID and will stop executing. So before enabling it, be sure that all folders on a domain are 755 and files 644.
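A way to do that "be sure" step before switching a domain over, as an added example that is not part of the original how-to: list everything under a docroot that is not 755 (directories) or 644 (files), optionally also anything not owned by the expected FTP user, and fix the modes once the listing has been reviewed. It assumes POSIX find and chmod; the docroot path and the ftpuser name in the usage comment are placeholders for your own values.

```shell
#!/bin/sh
# Added example (not from the original how-to): before turning suPHP on for a
# domain, list every path under its docroot that does not follow the 755/644
# scheme the how-to asks for, and optionally flag wrong ownership as well.
# Assumptions: POSIX find(1)/chmod(1); DOCROOT and OWNER are your own values.

# suphp_precheck DOCROOT [OWNER] -> prints offending paths; returns 1 if any
suphp_precheck() {
    _root=$1
    _owner=${2:-}
    if [ -n "$_owner" ]; then
        # wrong owner, or a directory that is not 755, or a file that is not 644
        _bad=$(find "$_root" ! -user "$_owner" -o -type d ! -perm 755 -o -type f ! -perm 644)
    else
        _bad=$(find "$_root" -type d ! -perm 755 -o -type f ! -perm 644)
    fi
    [ -z "$_bad" ] && return 0
    printf '%s\n' "$_bad"
    return 1
}

# suphp_fix_perms DOCROOT -> apply 755 to directories and 644 to files
# (ownership is deliberately left alone: chown to the FTP user is a separate,
# reviewed step, because it changes who can edit the site)
suphp_fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Usage on a real server (not run here; DOMAIN and ftpuser are placeholders):
# suphp_precheck /var/www/vhosts/DOMAIN/httpdocs ftpuser \
#     || suphp_fix_perms /var/www/vhosts/DOMAIN/httpdocs
```

Run the precheck first and read its output: a 777 directory that an upload script created is exactly the case the how-to warns about, and fixing it to 755 before suPHP is enabled avoids the UID/GID error on the live site.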
19. Disable SELinux
Usually we disable SELinux; we got only problems with it. We prefer to let ASL do the job, but if you do not use ASL, no problem; we still suggest disabling it, as there are a lot of other security layers available. In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and change the SELINUX line to SELINUX=disabled
You can check the status with
cat /selinux/enforce
You can also switch the system into permissive mode with the following command
echo 0 >/selinux/enforce
20. Check if mail is sending out
Sometimes mail sending is not working; you can easily check by sending a mail from the shell command line:
mail yourname@yourdomain.com
Subject: TestTest
Press Control + D. If the mail goes out, it is OK; otherwise you get an error.
20. Additional PHP Modules to install, mod_dav_svn and mailparse
In the webhosting business you should support more than the default modules for PHP, and why not SVN. So I suggest installing the following modules:
yum install php-mbstring php-pear php-xml php-soap php-suhosin php-xmlrpc mod_dav_svn php-bcmath
pecl download mailparse
tar xvzf mailparse-XXX.tgz
cd mailparse-XXX
phpize
./configure
make
make install
echo "extension=mailparse.so" > /etc/php.d/mmailparse.ini
service httpd restart
Note that I've called the ini file 'mmailparse.ini' as the php.d ini files are loaded in alphabetical order. Mailparse needs mbstring, so mbstring needs to be loaded first, or else you will get a warning like: PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib64/php/modules/mailparse.so' - /usr/lib64/php/modules/mailparse.so: undefined symbol: mbfl_name2no_encoding in Unknown on line 0
It is also good to have ImageMagick installed; a lot of people use it. Simple, just run:
yum install ImageMagick ImageMagick-devel ImageMagick-perl
We also recommend installing a new PECL module, uploadprogress (http://pecl.php.net/package/uploadprogress). It has been used a lot lately.
pecl install uploadprogress
21. Add more Courier-IMAP connections
Plesk comes configured with a limit of 4 connections per IP address and a limit of 40 connections total. Modern IMAP clients such as Mozilla Thunderbird use mailbox caching to open multiple connections to increase performance. In the case of Thunderbird, it opens 5 connections by default, which is already 1 connection more than Courier-IMAP's default restriction. Add another few family or corporate computers behind a firewall and those additional users won't be able to connect at all, since a single Thunderbird client is already using all 4 connections. This can increase the load on the server, but it is also a must to avoid complaints from clients that they cannot connect to the server to get mail. You can raise these numbers depending on your server memory (our suggestion is for 2GB memory):
joe /etc/courier-imap/imapd
MAXDAEMONS=100
MAXPERIP=40
22. Backup your server
We suggest setting up a backup system for your server. In 99% of cases, datacenters offer a backup space. Use it and back up your important files. Read how to do this on the page Automated Remote FTP Backup shell script.
23. Avoid Dr.Web update notifications
In the latest Plesk version (Plesk 9.5) the following notifications are generated by Plesk and sent to the Plesk administrator, which is sometimes irritating. You can stop such notifications by applying the following fix on the server.
Open the file /etc/cron.d/drweb-update in an editor and add '>/dev/null 2>&1' at the end of the line. Then no email will be generated.
*/30 * * * * drweb /opt/drweb/update.pl >/dev/null 2>&1
23. Install JSON libraries for PHP.
Some people have requested having JSON libraries available by default on the server, so as not to use different libraries; it is much more stable as well. So here is how easily you can install it:
pecl install json
If all goes well, the json.so module is now installed; just restart Apache. You can check whether /etc/php.d/json.ini exists.
24. ATMail search bug in PLESK 10.x.
After upgrading to Plesk 10, the search facility in Atmail stopped working: people search for emails and get empty results. The problem is with the search.php file in the ATMail directory, which was appending '20' to the search date range years even though they already had a leading 20. This was producing an IMAP query like this:

FROM "test search" BEFORE "31-Dec-202011" SINCE "25-Sep-202010"

To fix, edit search.php in the atmail directory (/var/www/atmail/search.php):

Change line 364 to: $before = "$BeforeDay-$BeforeMonth-$BeforeYear";
Change line 369 to: $after = "$AfterDay-$AfterMonth-$AfterYear";
PLESK SETTINGS:
Log in to the PLESK admin and do the following steps.
Before all, click on update and do an update.
Click on SERVERS:
1. Change password: Change the passwords for access to PLESK.
2. Access: Set up PLESK ADMIN access and add your IP; in this way you restrict ADMIN access to your IP.
3. System time: I synchronize time with the server time.windows.com; in any case set up the correct zone here.
4. Mail preferences: Enable MAPS protection with zen.spamhaus.org;cbl.abuseat.org, and I also set the POP3 lock time to 20 minutes. (important)
5. Mailman settings: Set up email and password.
6. DNS - Read the manual.
7. Logo Setup - to set up your company LOGO.
8. Crontab - Set the crontab message; if needed, change here the mail address so it does not send to root.
9. Activate Watchdog for each service, disk space etc.
The next step is CLIENTS AND DOMAINS, but this is documented in the manuals, so I suggest reading them.
ADDITIONAL USEFUL TOOLS:
http://www.web-hosting-control-panel-addons.com/product.php/Power-Toys-f... - Power Toys for PLESK - Must have for PLESK
http://www.grafxsoftware.com/product.php/Backup-on-Demand-for-PLESK/189/ - Backup on Demand for Power Toys for PLESK
http://www.day32.com/MySQL/tuning-primer.sh - MySQL Performance Tuning Primer Script
http://gert.sos.be/demo/mysqlar/ - MySQL Activity Report
http://www.4psa.com/ - 4PSA have several nice tools for PLESK.
http://www.host-tracker.com/ - you can subscribe to this services to get reports (SMS if you need) about your server uptime.
http://jeremy.zawodny.com/mysql/mytop/ - MySQL Top program
http://www.ex-parrot.com/~pdw/iftop/ - IFTop, display bandwidth usage on an interface.
http://www.webta.org/projects/ - ApacheTOP
http://ngm.id.au/checkhab - checkHAB is a script based on checkattach
http://sourceforge.net/projects/automysqlbackup/ - MySQL Backup
http://www.mod-top.org/versions.html - Mod Top
ADDITIONAL USEFUL TRICKS:
How To Filter Tagged Spam to a Spam IMAP Folder - http://forum.swsoft.com/showthread.php?s=&threadid=46883
The Qmail-scanner package has options for blocking specific extensions -
If anyone has any suggestions, please drop me a note on the forum or e-mail me via the contact page.
I will update this manual.
If you need installation support, better order this service from us; we will do this job for you for only 50USD. It usually takes approximately 2 hours.
Regards,
Valics Lehel
THANX TO:
Thanx to the eth00 (http://eth0.us/) site; even though he wrote a guide for cPanel, it helped a lot to adapt to PLESK.
Also thanx for atomicrocketturtle site - http://www.atomicrocketturtle.com/