Complete VestaCP Setup Guide for CentOS 7

In this Complete VestaCP Setup Guide for CentOS 7 I will show you how to install CentOS with all of its updates, Setup VestaCP and configure Name Server and domains. We will also do some security hardening, add SSL’s and update to the latest MariaDB and PHP versions. Finally I will also show you how to configure backups to an external source.

 Prerequisites

  • Register a Domain to use for your VPS server. I will be using GoDaddy.com as my domain registrar. In my case I have purchased the domain PatricksWebsiteHosting.com for this tutorial.
  • Choose and purchase a VPS from a VPS provider. Many factors come into play here but I will be using a2hosting.com they seem to have fair pricing and they provide lots of storage. You could also use your own server at home but it wouldn’t allow mail flow since your ISP’s would block it.
  • Download and install Putty, this will be used to connect to the console of the CentOS 7 VPS. 

The Initial VPS Checkout

  1. Pick your plan on a2hosting or which ever VPS provider you decided to use.
  2. They will ask you for the domain you want to use for your server. Since I am using GoDaddy I will select to use an existing domain name.
  3. Choose the location you want your server to be, closer is better.
  4. Choose to install CentOS 7 as the Operating System.
  5. Continue with your checkout.

The Initial Domain Setup For VPS

  1. Log into a2hosting portal locate your vps and click manage. 
  2. Find your server information, We are looking for something that was auto created for you. Mine looks like the following below.
  3. Lets assign the Primary IP to your Domain.
  4. Log into your GoDaddy account and Locate your domain and find manage DNS
  5. Locate Advanced Features and click on Host Names and add your Host Name and Primary IP Address
  6. Save your changes.
  7. Go Back to the Nameservers Section and change it to your FQDN. For example for me is the following.
  8. Save your changes.

Lets Start the CentOS 7 VPS Setup

  1. Within a2hosting their is an Additional Information Tab which will give you the details on how to get connected to your VPS
  2. Open up Putty, type in the IP Address and SSH information they gave you.
  3. Click the [ Open ] button to get connected.
  4. Use the SSH Username and Password they gave you.
  5. you should now be logged in as Root and ready to go.
  6. Lets Make Sure your CentOS 7 is fully updated by running the following command.
yum check-update

7. If you have updates that need to be installed run the following command.

yum update -y

8. Once all updates are installed type in reboot to restart the server. Afterwards log back in.
9. Some VPS hosts auto install Apache/httpd and we will want that to be removed. Lets use the following commands to get the job done.

service httpd stop
yum remove httpd –y
yum list installed "httpd*"
yum remove httpd-tools.x86_64

10. You will be prompted to allow the removal of the software, select: Y . Afterwards run the following command to clean up any messes.

yum clean all
reboot

Lets install VestaCP on CentOS 7. 

  1. We will stare by downloading the VestaCP software by running the following command.
wget http://vestacp.com/pub/vst-install.sh

2. This following command will run the installer. 

bash vst-install.sh

3. You should now be prompted with the following. Go ahead and type in Y to continue.

4. Type in the admin email address you would like to use.
5. The FQDN can stay the same, just press enter here.
6. Sit back relax and drink your coffee or browse the web for 15mins. Once VestaCP is successfully installed you will see something similar to the following below. Write Down Your VestaCP Login Information!

Installing Let’s Encrypt SSL  

1. I like to use nano editor to edit config files. You can use the following command to install it.

yum install nano -y

2. We will now configure a nginx template that will always force HTTPS/ssl on a domain. In the console type the following commands.

cd /usr/local/vesta/data/templates/web
wget http://c.vestacp.com/0.9.8/rhel/force-https/nginx.tar.gz
tar -xzvf nginx.tar.gz
rm -f nginx.tar.gz

Basic VestaCP Config

1. Login into your VestaCP portal
2. Click on Packages at the top banner.
 
3. Edit or delete the packages as you see fit but these following settings are a must. Locate Proxy Template, click the dropdown and select force-https.
4. Locate Name Servers and type in your name servers. For me it will be ns1.patrickswebsitehosting.com and ns2.patrickswebsitehosting.com 
5. Click the [ Save ] button.
6. The Package should look something similar to this.

Adding Primary Domain

  1. Now we will add our primary domain. For me it will be patrickswebsitehosting.com.
  2. Click the Web tab.
  3. Click the (+) add web domain button
  4. Type in your primary domain in the Domain field. I will type my domain patrickwebsitehosting.com.
  5. Keep the IP address the same from the dropdown.
  6. Leave both check boxes checked for DNS and Mail.
  7. Click [Add] button
  8. Click the Web tab again
  9. Find your Primary domain on the list, hover of the domain and click edit.
  10. Check mark the box for SSL Support.
  11. Select Lets Encrypt Support to add SSL cert to the domain.
  12. If you want Web Statistics you can select what I believe is better is the awstats.
  13. Check mark Statistics Authorization and give it a username and password. Make sure to write it down.
  14. For FTP access just for this domain check mark the box Additional FTP. Give yourself a username and password. The path can be left empty.
  15. Now lets move onto adding an SSL cert to your servers hostname domain
  16. Click Web tab and locate your Server Hostname Domain. For me the server hostname domain is server.patrickswebsitehosting.com
  17. Hover of the domain and click the [ Edit ] button.
  18. Make sure Proxy Support template is set to force-https
  19. Make sure SSL Support and Lets Encrypt Support are checked.
  20. Scroll down to the bottom and click the [ Save ] button.

Correct SSH Access in VestCP

  1. Log into the VestaCP Admin Portal.
  2. At the top banner click on the Firewall tab.
  3. Locate SSH and click the edit button.
  4. Change the default port 22 to the port given to you by your VPS provider. In my case A2Hosting gave me port 7822. Your VPS provider may of kept it default if you are not experiencing issues trying to connect via SSH.
  5. Reboot the server after the change.

Installing SSL Onto VestaCP Admin Portal

1. We are now going to configure and install Let’s Encrypt SSL on VestaCP Admin Portal and Mail Server
2. We will start by creating a CRON job for Lets Encrypt. Use the following command to start a new config.

nano /etc/cron.daily/vestassl

3. Use the following code below. This script checks the certs and install the certs for the first time and secondly when the source certs are changed. Change the cert_src and key_src to your admin panel url.

#!/bin/bash

cert_src="/home/admin/conf/web/ssl.server.patrickswebsitehosting.com.pem"
key_src="/home/admin/conf/web/ssl.server.patrickswebsitehosting.com.key"
cert_dst="/usr/local/vesta/ssl/certificate.crt"
key_dst="/usr/local/vesta/ssl/certificate.key"

if ! cmp -s $cert_dst $cert_src
then
        # Copy Certificate
        cp $cert_src $cert_dst

        # Copy Keyfile
        cp $key_src $key_dst

        # Change Permission
        chown root:mail $cert_dst
        chown root:mail $key_dst

        # Restart Services
        service vesta restart &> /dev/null
        service exim restart &> /dev/null
        service dovecot restart &> /dev/null
fi

4. To save the file use the following keys [CTRL] + [o] 
5. Press enter to save the path
6. To exit use the following keys [CTRL] + [x] 
7. Use the following command to fix con job permissions

chmod +x /etc/cron.daily/vestassl

8. Restart the recent con job to install the new SSL cert onto your VestaCP admin portal. Then fully restart the server.

sh /etc/cron.daily/vestassl
restart

9. Once the server is back on online you will now be able to access your VestaCP admin portal securely:  https://server.yourdomain.com:8083 

Fixing Fail2Ban on VestaCP, Brute Force Monitor

  1. It is important to protect the server from Brute force attacks and Fail2Ban will help with just that.
  2. We will now need to check and see if your Fail2Ban is corrupted.
  3. Log into the VestaCP admin portal and then at the top banner click on Server tab.
  4. Scroll down to the bottom and see if Fail2Ban is greyed out. If you cannot start it we will need to resolve the issue with a few lines of code through the Console.
  5. Open up the console and log into your CentOS server and lets start by typing the following command to edit the file we need.
nano /usr/local/vesta/bin/v-list-sys-services

6. Once you have access press [ctrl] + [w] to search. Type in fail2ban in the search field and press enter.
7. You should now see the following

8. Replace what you see above with the following code:

# Checking FIREWALL Fail2ban extention
if [ ! -z "$FIREWALL_EXTENSION" ]; then
    get_srv_state $FIREWALL_EXTENSION f2b/server script
    data="$data\nNAME='$FIREWALL_EXTENSION' SYSTEM='brute-force monitor'"
    data="$data STATE='$state' CPU='$cpu' MEM='$mem' RTIME='$rtime'"
fi

9. Press the following keys [CTRL] + [x] 
10. You will be prompted to save so type in Y to commit changes. 
11. Press enter to confirm path.
12. Reboot server, log into your VestaCP admin portal. Check server services and Fail2Ban should now be working.

Upgrade to MariaDB 10.5 from 5.5 to resolve older vulnerabilities.

  1. To upgrade/install MariaDB to latest Mariadb10.5 on Centos 7 we will have to remove the old version and then install the latest and greatest stable version.
  2. You can check the current version by typing in mysql in the console. Use the following commands to create a backup config and to remove MariaDB 5.5.
cp /etc/my.cnf /etc/my.cnf.bak
service mariadb stop  /  service mysql stop
rpm -e --nodeps galera
yum remove mariadb mariadb-server

3. We will now go through the process to install MariaDB 10.5

yum install nano epel-release -y
nano /etc/yum.repos.d/mariadb.repo

5. You should now be prompted with a nano screen to add in some code. Please use what was provided below.

[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.5/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

6. Press the following keys [CTRL] + [x] 
7. You will be prompted to save so type in Y to commit changes. 
8. Press enter to confirm path.
9. Use the following lines to complete a clean the installation of MariaDB 10.5 on CentOS 7.

yum clean all
yum install MariaDB-server MariaDB-client net-snmp perl-DBD-MySQL -y
yum update -y

10. We will now restore the backup we created when we first started.

rm -rf /etc/my.cnf
cp /etc/my.cnf.bak /etc/my.cnf

11. We will now configure MariaDB to auto start at bootup.

systemctl enable mariadb
service mysql start

12. This following line will upgrade all the older databases to the latest MariaDB 10.5 version.

mysql_upgrade

13. If you would like to check your version you can type in mysql.

Do we need to upgrade to latest PHP?

  1. You can check your version by typing in php -v in the console window. If it says 8.0+ your fine.
  2. If it says anything older you can review this tutorial to upgrade your PHP version to the latest.

Create New User and add Domain Association 

  1. I will start by saying do not mix your personal domains or other clients with the main admin account. My reasoning behind this is for security. You never know what website or plugin could have a vulnerability and you do not want all your websites to be compromised. 
  2. Do you have additional domains or a new client? Let’s start by creating a new user.
  3. Log into VestaCP.
  4. Click the User tab.
  5. Next click on the green (+) to add a new user.
  6. Fill out the form and click the green [ Add ] button.
  7. Go back to the User section.
  8. You should see the newly created user account.
  9. To add a domain to that account you can login as that user.
  10. You can hover of that user and you will be displayed with “Login As (user)” which you would want to click on.
  11. To add the domain under that user now click on the WEB tab.
  12. Next click on the green (+) to Add Web Domain

  13. Type in the domain address and Click on the green [ Add ] button.
  14. We will now apply SSL certificate.
  15. Click the Web tab again.
  16. Find the domain on the list you recently added hover of the domain and click edit.
  17. Check mark the box for SSL Support.
  18. Select Lets Encrypt Support to add SSL cert to the domain.
  19. If you want Web Statistics you can select what I believe is better is the awstats.
  20. Check mark Statistics Authorization and give it a username and password. Make sure to write it down.
  21. For FTP access just for this domain check mark the box Additional FTP. Give yourself a username and password. The path can be left empty.
  22. Scroll down to the bottom and click the [ Save ] button.

Backups of VestaCP and CentOS 7 are important!

VestCP already creates backups for each user. You can also change how many backups to keep in the repository, the default is 3. However this will not protect you from a complete server meltdown. If your server gets hacked or corrupted so do the backups. It is best to install a 3rd party backup solution that transfers data to cloud storage.

In this tutorial we will be using Duplicati Backup Software and BackBlaze B2 Cloud Storage.

  1. Lets start by installing the prerequisite for  Duplicati Backup Software. Login into your servers console and use following commands one at a time.
yum install yum-utils

rpm --import "http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF"

yum-config-manager --add-repo http://download.mono-project.com/repo/centos7/

yum install mono-devel

2. We can now install Duplicati Backup Software onto CentOS 7 by using the following commands one at a time.

yum install epel-release

yum install libappindicator

curl -O https://updates.duplicati.com/beta/duplicati-2.0.3.3-2.0.3.3_beta_20180402.noarch.rpm

yum install duplicati*

3. We are now going to create a Duplicati service with these commands.

nano /etc/systemd/system/duplicati.service

4. Insert the following the nano editor and then press [CTRL] + [x] to proceed with saving. 

Insert the following into it and save:

[Unit]
Description=Duplicati Backup software
[Service]
ExecStart=/usr/bin/mono /usr/lib/duplicati/Duplicati.Server.exe --webservice-interface=any
Restart=on-failure
RestartSec=30
[Install]
WantedBy=multi-user.target

5. Lets enable and start the Duplicati Service.

systemctl enable duplicati
systemctl start duplicati

6. Now we have to allow traffic to port 8200.
7. Log into VestaCP Admin Portal > Server > Configure iptables > Add Rule > Comment Duplicati, Port 8200, IP 0.0.0.0/0

8. Create your Backblaze account and create your Backblaze B2 Cloud Storage Bucket.

9. Locate App Keys section on the left in Backblaze we will create a new application key specifically to access this bucket for backups. One created make sure to save the application bucket keys somewhere.

10. We can now access your Duplicati backup software from http://ipaddress:8200/ 
11. Click on settings and immediately configure a password for the portal.
12. From this point click Add Backup and configure Duplicati to backup all sources/data to the B2 storage destination. You will be required to provide those security B2 keys. It’s pretty self-explanatory from here.

I hope the information provided meets your expectations for a Complete VestaCP Setup Guide for CentOS 7. If you happen to have any questions please feel free to ask me.

If you do not want to go through the process of setting up your own VPS I will be more than willing to assist you for a fixed donation. If you would like me to Host your website on my website feel free to reach out to me.

Leave a Reply