Complete VestaCP Setup Guide for Ubuntu 18
In this Complete VestaCP Setup Guide for Ubuntu 18 I will show you how to install Ubuntu 18 with all of its updates, Setup VestaCP and configure Name Server and domains. We will also do some security hardening, add SSL’s and update to the latest MariaDB and PHP versions. Finally I will also show you how to configure backups to an external source.
Consider using HestiaCP and Ubuntu 20 as VestaCP has been fading away.
Prerequisites
- Register a Domain to use for your VPS server. I will be using GoDaddy.com as my domain registrar. In my case I have purchased the domain PatricksWebsiteHosting.com for this tutorial.
- Choose and purchase a VPS from a VPS provider. Many factors come into play here but I will be using a2hosting.com they seem to have fair pricing and they provide lots of storage. You could also use your own server at home but it wouldn’t allow mail flow since your ISP’s would block it.
- Download and install Putty, this will be used to connect to the console of the Ubuntu 18 VPS.
The Initial VPS Checkout
- Pick your plan on a2hosting or which ever VPS provider you decided to use.
- They will ask you for the domain you want to use for your server. Since I am using GoDaddy I will select to use an existing domain name.
- Choose the location you want your server to be, closer is better.
- Choose to install Ubuntu 18 as the Operating System.
- Continue with your checkout.
The Initial Domain Setup For VPS
- Log into a2hosting portal locate your vps and click manage.
- Find your server information, We are looking for something that was auto created for you. Mine looks like the following below.
- Lets assign the Primary IP to your Domain.
- Log into your GoDaddy account and Locate your domain and find manage DNS
- Locate Advanced Features and click on Host Names and add your Host Name and Primary IP Address
- Save your changes.
- Go Back to the Nameservers Section and change it to your FQDN. For example for me is the following.
- Save your changes.
Lets Start the Ubuntu 18 VPS Setup
- Within a2hosting their is an Additional Information Tab which will give you the details on how to get connected to your VPS
- Open up Putty, type in the IP Address and SSH information they gave you.
- Click the [ Open ] button to get connected.
- Use the SSH Username and Password they gave you.
- you should now be logged in as Root and ready to go.
- Lets Make Sure your CentOS 7 is fully updated by running the following command.
sudo apt update
7. If you have updates that need to be installed run the following command.
sudo apt upgrade -y
8. Once all updates are installed type in reboot to restart the server. Afterwards log back in.
9. Some VPS hosts auto install Apache/exim4 for Ubuntu and we will want all that to be removed. Lets use the following commands to get the job done.
sudo apt remove apache2 -y sudo apt remove exim4 -y
10. Lets install the latest sudo wget and curl applications for Ubuntu 18.
apt install sudo wget curl
Lets install VestaCP on Ubuntu 18
- We will start by downloading the VestaCP software by running the following command.
curl -O http://vestacp.com/pub/vst-install.sh
2. This following command will run the installer.
bash vst-install-ubuntu.sh --force
3. You should now be prompted with the following. Go ahead and type in Y to continue.
4. Type in the admin email address you would like to use.
5. The FQDN can stay the same, just press enter here.
6. Sit back relax and drink your coffee or browse the web for 15mins. Once VestaCP is successfully installed you will see something similar to the following below. Write Down Your VestaCP Login Information!
Installing Let’s Encrypt SSL
1. I like to use nano editor to edit config files. You can use the following command to install it.
apt install nano -y
2. We will now configure a nginx template that will always force HTTPS/ssl on a domain. In the console type the following commands.
cd /usr/local/vesta/data/templates/web wget http://c.vestacp.com/0.9.8/rhel/force-https/nginx.tar.gz tar -xzvf nginx.tar.gz rm -f nginx.tar.gz
Basic VestaCP Config
1. Login into your VestaCP portal using https://<ServerIPAddress>.com:8083
2. Click on Packages at the top banner.
3. Edit or delete the packages as you see fit but these following settings are a must. Locate Proxy Template, click the dropdown and select force-https.
4. Locate Name Servers and type in your name servers. For me it will be ns1.patrickswebsitehosting.com and ns2.patrickswebsitehosting.com
5. Click the [ Save ] button.
6. The Package should look something similar to this.
Adding Primary Domain
- Now we will add our primary domain. For me it will be patrickswebsitehosting.com.
- Click the Web tab.
- Click the (+) add web domain button
- Type in your primary domain in the Domain field. I will type my domain patrickwebsitehosting.com.
- Keep the IP address the same from the dropdown.
- Leave both check boxes checked for DNS and Mail.
- Click [Add] button
- Click the Web tab again
- Find your Primary domain on the list, hover of the domain and click edit.
- Check mark the box for SSL Support.
- Select Lets Encrypt Support to add SSL cert to the domain.
- If you want Web Statistics you can select what I believe is better is the awstats.
- Check mark Statistics Authorization and give it a username and password. Make sure to write it down.
- For FTP access just for this domain check mark the box Additional FTP. Give yourself a username and password. The path can be left empty.
- Now lets move onto adding an SSL cert to your servers hostname domain.
- Click Web tab and locate your Server Hostname Domain. For me the server hostname domain is server.patrickswebsitehosting.com
- Hover of the domain and click the [ Edit ] button.
- Make sure Proxy Support template is set to force-https
- Make sure SSL Support and Lets Encrypt Support are checked.
- Scroll down to the bottom and click the [ Save ] button.
Correct SSH Access in VestCP
- Log into the VestaCP Admin Portal.
- At the top banner click on the Firewall tab.
- Locate SSH and click the edit button.
- Change the default port 22 to the port given to you by your VPS provider. In my case A2Hosting gave me port 7822. Your VPS provider may of kept it default if you are not experiencing issues trying to connect via SSH.
- Reboot the server after the change.
Installing SSL Onto VestaCP Admin Portal
1. We are now going to configure and install Let’s Encrypt SSL on VestaCP Admin Portal and Mail Server
2. We will start by creating a CRON job for Lets Encrypt. Use the following command to start a new config.
nano /etc/cron.daily/vestassl
3. Use the following code below. This script checks the certs and install the certs for the first time and secondly when the source certs are changed. Change the cert_src and key_src to your admin panel url.
#!/bin/bash cert_src="/home/admin/conf/web/ssl.server.patrickswebsitehosting.com.pem" key_src="/home/admin/conf/web/ssl.server.patrickswebsitehosting.com.key" cert_dst="/usr/local/vesta/ssl/certificate.crt" key_dst="/usr/local/vesta/ssl/certificate.key" if ! cmp -s $cert_dst $cert_src then # Copy Certificate cp $cert_src $cert_dst # Copy Keyfile cp $key_src $key_dst # Change Permission chown root:mail $cert_dst chown root:mail $key_dst # Restart Services service vesta restart &> /dev/null service exim restart &> /dev/null service dovecot restart &> /dev/null fi
4. To save the file use the following keys [CTRL] + [o]
5. Press enter to save the path
6. To exit use the following keys [CTRL] + [x]
7. Use the following command to fix con job permissions
chmod +x /etc/cron.daily/vestassl
8. Restart the recent con job to install the new SSL cert onto your VestaCP admin portal. Then fully restart the server.
sh /etc/cron.daily/vestassl restart
9. Once the server is back on online you will now be able to access your VestaCP admin portal securely: https://server.yourdomain.com:8083
Fixing Fail2Ban on VestaCP, Brute Force Monitor
- It is important to protect the server from Brute force attacks and Fail2Ban will help with just that.
- We will now need to check and see if your Fail2Ban is corrupted.
- Log into the VestaCP admin portal and then at the top banner click on Server tab.
- Scroll down to the bottom and see if Fail2Ban is greyed out. If you cannot start it we will need to resolve the issue with a few lines of code through the Console.
- Open up the console and log into your Ubuntu 18 server and lets start by typing the following command to edit the file we need.
nano /usr/local/vesta/bin/v-list-sys-services
6. Once you have access press [ctrl] + [w] to search. Type in fail2ban in the search field and press enter.
7. You should now see the following
8. Replace what you see above with the following code:
# Checking FIREWALL Fail2ban extention if [ ! -z "$FIREWALL_EXTENSION" ]; then get_srv_state $FIREWALL_EXTENSION f2b/server script data="$data\nNAME='$FIREWALL_EXTENSION' SYSTEM='brute-force monitor'" data="$data STATE='$state' CPU='$cpu' MEM='$mem' RTIME='$rtime'" fi
9. Press the following keys [CTRL] + [x]
10. You will be prompted to save so type in Y to commit changes.
11. Press enter to confirm path.
12. Reboot server, log into your VestaCP admin portal. Check server services and Fail2Ban should now be working.
Upgrade to MariaDB 10.5 from 5.5 to resolve older vulnerabilities.
- To upgrade/install MariaDB to latest Mariadb10.5 on Centos 7 we will have to remove the old version and then install the latest and greatest stable version.
- You can check the current version by typing in mysql in the console. Use the following commands to create a backup config and to remove MariaDB 5.5.
cp /etc/my.cnf /etc/my.cnf.bak service mariadb stop / service mysql stop rpm -e --nodeps galera yum remove mariadb mariadb-server
3. We will now go through the process to install MariaDB 10.5
yum install nano epel-release -y nano /etc/yum.repos.d/mariadb.repo
5. You should now be prompted with a nano screen to add in some code. Please use what was provided below.
[mariadb] name = MariaDB baseurl = http://yum.mariadb.org/10.5/centos7-amd64 gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB gpgcheck=1
6. Press the following keys [CTRL] + [x]
7. You will be prompted to save so type in Y to commit changes.
8. Press enter to confirm path.
9. Use the following lines to complete a clean the installation of MariaDB 10.5 on CentOS 7.
yum clean all yum install MariaDB-server MariaDB-client net-snmp perl-DBD-MySQL -y yum update -y
10. We will now restore the backup we created when we first started.
rm -rf /etc/my.cnf cp /etc/my.cnf.bak /etc/my.cnf
11. We will now configure MariaDB to auto start at bootup.
systemctl enable mariadb service mysql start
12. This following line will upgrade all the older databases to the latest MariaDB 10.5 version.
mysql_upgrade
13. If you would like to check your version you can type in mysql.
Do we need to upgrade to latest PHP?
- You can check your version by typing in php -v in the console window. If it says 8.0+ your fine.
- If it says anything older you can review this tutorial to upgrade your PHP version to the latest.
Create New User and add Domain Association
- I will start by saying do not mix your personal domains or other clients with the main admin account. My reasoning behind this is for security. You never know what website or plugin could have a vulnerability and you do not want all your websites to be compromised.
- Do you have additional domains or a new client? Let’s start by creating a new user.
- Log into VestaCP.
- Click the User tab.
- Next click on the green (+) to add a new user.
- Fill out the form and click the green [ Add ] button.
- Go back to the User section.
- You should see the newly created user account.
- To add a domain to that account you can login as that user.
- You can hover of that user and you will be displayed with “Login As (user)” which you would want to click on.
- To add the domain under that user now click on the WEB tab.
- Next click on the green (+) to Add Web Domain
- Type in the domain address and Click on the green [ Add ] button.
- We will now apply SSL certificate.
- Click the Web tab again.
- Find the domain on the list you recently added hover of the domain and click edit.
- Check mark the box for SSL Support.
- Select Lets Encrypt Support to add SSL cert to the domain.
- If you want Web Statistics you can select what I believe is better is the awstats.
- Check mark Statistics Authorization and give it a username and password. Make sure to write it down.
- For FTP access just for this domain check mark the box Additional FTP. Give yourself a username and password. The path can be left empty.
- Scroll down to the bottom and click the [ Save ] button.
Backups of VestaCP and Ubuntu 18 are important!
VestCP already creates backups for each user. You can also change how many backups to keep in the repository, the default is 3. However this will not protect you from a complete server meltdown. If your server gets hacked or corrupted so do the backups. It is best to install a 3rd party backup solution that transfers data to cloud storage.
In this tutorial we will be using Duplicati Backup Software and BackBlaze B2 Cloud Storage.
- Lets start by installing the prerequisite for Duplicati Backup Software. Login into your servers console and use following commands one at a time.
yum install yum-utils rpm --import "http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF" yum-config-manager --add-repo http://download.mono-project.com/repo/centos7/ yum install mono-devel
2. We can now install Duplicati Backup Software onto CentOS 7 by using the following commands one at a time.
yum install epel-release yum install libappindicator curl -O https://updates.duplicati.com/beta/duplicati-2.0.3.3-2.0.3.3_beta_20180402.noarch.rpm yum install duplicati*
3. We are now going to create a Duplicati service with these commands.
nano /etc/systemd/system/duplicati.service
4. Insert the following the nano editor and then press [CTRL] + [x] to proceed with saving.
Insert the following into it and save: [Unit] Description=Duplicati Backup software [Service] ExecStart=/usr/bin/mono /usr/lib/duplicati/Duplicati.Server.exe --webservice-interface=any Restart=on-failure RestartSec=30 [Install] WantedBy=multi-user.target
5. Lets enable and start the Duplicati Service.
systemctl enable duplicati systemctl start duplicati
6. Now we have to allow traffic to port 8200.
7. Log into VestaCP Admin Portal > Server > Configure iptables > Add Rule > Comment Duplicati, Port 8200, IP 0.0.0.0/0
8. Create your Backblaze account and create your Backblaze B2 Cloud Storage Bucket.
9. Locate App Keys section on the left in Backblaze we will create a new application key specifically to access this bucket for backups. One created make sure to save the application bucket keys somewhere.
10. We can now access your Duplicati backup software from http://ipaddress:8200/
11. Click on settings and immediately configure a password for the portal.
12. From this point click Add Backup and configure Duplicati to backup all sources/data to the B2 storage destination. You will be required to provide those security B2 keys. It’s pretty self-explanatory from here.
I hope this article was helpful, if you have any questions, please feel free to contact me. If you would like to be notified of when I create a new post, you can subscribe to my blog alert.
Discover more from Patrick Domingues
Subscribe to get the latest posts sent to your email.