VestaCP Server Installer – The Perfect Server

I decided to create the perfect VestaCP server installer script (in my opinion) for CentOS 7 (I have only tried it on CentOS 7). Basically, you run it, it asks a few questions and then it sets up a perfect server including CSF, Monit and PHP 7 (if you want it). Amazing, right?

THIS SCRIPT SHOULD BE USED ON A NEW SERVER. THIS SCRIPT INSTALLS VESTACP TOO.
I DO NOT ACCEPT ANY RESPONSIBILITY, SHOULD THIS SCRIPT DAMAGE YOUR SERVER.

What this VestaCP Server Installer does:

  1. Installs VestaCP with: NGINX & PHP-FPM, MariaDB, Named, Remi repository, vsftpd, no firewall (CSF will be installed), Exim, Dovecot, and SpamAssassin.
  2. Makes the new LetsEncrypt in-built script work properly + creates an SSL certificate for the hostname.
  3. Installs CSF as a Firewall with common settings.
  4. Sets the hostname properly (so Exim uses the full hostname), and then prevents the system from editing the file (because of reboots).
  5. Makes the server use its own DNS server to perform lookups. This helps SpamAssassin to reduce more spam. It also prevents the server from editing the file.
  6. Hardens the /etc/sysctl.conf file for security.
  7. Enables Dovecot quotas and configures Dovecot performance.
  8. Installs SpamAssassin rules to help prevent further spam.
  9. Updates the file /etc/exim/dnsbl.conf to further reduce spam.
  10. Updates Exim to make sure there is no delay accepting email.
  11. Fixes NGINX and secures it even further so you receive an A (A+ requires you to enable HSTS) at Qualys SSL Labs.
  12. Fixes PHP-FPM to use less memory and crash less often.
  13. Installs and configures Monit to monitor your server.
  14. Asks you if you want to install PHP 7. WordPress supports PHP 7.
  15. Makes websites use HTTP/2 instead of HTTP/1.1.


Run the following commands to install the VestaCP Server Installer

Before installing, please make sure your hostname resolves to an IP address, otherwise the LetsEncrypt script won’t be able to secure your VestaCP Server Installer correctly!

wget https://vestacp.ss88.uk/VestaCP_Installer/CentOS7.sh
# Owner-only permissions: the script runs as root, so no other user should be able to modify it
chmod 700 ./CentOS7.sh
sudo ./CentOS7.sh

 

Next, hold tight and watch it set up the server. Securing the server alone may take 15 minutes, because part of the script generates DH parameters to secure NGINX (this could take up to 1 hour on 1-core DigitalOcean VPSs).

Right at the very end the console instructs you to reboot the server – you should.
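
The download-and-run step above, as an added example that is not part of the original installer or post: it refuses to hand the script to sudo unless its SHA-256 matches a value you recorded after reviewing a copy, and it lists the lines that fetch further remote content. The function names and the expected-hash variable are assumptions; the page does not publish a checksum.

```shell
#!/usr/bin/env bash
# Added example (not from the installer): checks to make before the script
# is handed to sudo. Function names are hypothetical.

# check_installer FILE EXPECTED_SHA256
# Succeeds only if FILE is a regular file (not a symlink) whose SHA-256
# equals the pinned value; then restricts it to owner-only rwx.
check_installer() {
    local file=$1 expected=$2 actual
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "refusing: $file is missing, a symlink, or not a regular file" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "refusing: SHA-256 of $file is $actual, expected $expected" >&2
        return 1
    fi
    chmod 700 "$file"
}

# list_remote_fetches FILE
# Prints (with line numbers) every line that calls wget or curl, so the
# secondary downloads can be reviewed before anything runs as root.
list_remote_fetches() {
    grep -nE '(^|[^[:alnum:]_])(wget|curl)([[:space:]]|$)' "$1" || true
}

# Usage, with EXPECTED_SHA256 standing in for the hash of a reviewed copy:
#   list_remote_fetches ./CentOS7.sh
#   check_installer ./CentOS7.sh "$EXPECTED_SHA256" && sudo ./CentOS7.sh
```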

  • yavuzselim

    I am not an expert on VPS. So can I use this installation for WordPress (permalink)? And do I need caching software like Redis or anything else after this installation?

    • SSULLIVAN88

      This will only install a control panel to manage all your websites, databases, emails, and DNS. Once you have installed this you’ll have to manually install WordPress by using its own installer. With this install you shouldn’t need a cache, as PHP7 is very fast however, you can install it, or use a third party WordPress plugin to speed the website up even further.

      I hope this helps!

      • yavuzselim

        Thanks for reply. I will use your package with Redis cache. Good work…

  • António

    Great work!

    If I install this today, will it install the latest version of VestaCP (v. 0.9.8-17)?

    Also, is there any way to install your script without named/DNS and mail-related services? I host all my DNS and mail offsite. Thanks

    • SSULLIVAN88

      Yes – it will always install the latest version of VestaCP.

      A user reported that this install by default uses around 300MB of memory: https://forum.vestacp.com/viewtopic.php?f=10&t=12802&start=40#p54098

      So the fact it installs Exim and DNS should not be a problem. Exim would be used to send out notifications from Monit and CSF.

  • Andrew Hacker

    Brilliant. Love this script. 2 servers setup in under an hour. But…
    can’t get monit to run on https as letsencrypt only supports ports 80 and 443. Would be great to include private cert setup in the script as well…

    Thanks for your work on this.

    • SSULLIVAN88

      Thank you @abhacker:disqus! 🙂

      The good news is that it CAN work. The bad news is that there has to be a “hack”.

      Monit will run over SSL with LetsEncrypt however, not with Vesta’s current setup. Vesta creates a .pem file but does not include the RSA private key within that file. In order for Monit to work under SSL it needs to read one file with the certificate, RSA private key, and CA certificate (optional). Once that key and those certificates are in the file, it will read it and work. Unfortunately as LE expires once every 3 months it’s not a good idea to get this made into the script.

      The other option you suggested of creating a self-signed certificate for monit exclusively would work. We could even make sure it expires once every 10 years. I however am not one for the nasty “not secure” Google chrome shows — but in a funny way at least it means it’s secure.
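
The single-file layout described in the reply above, as an added example that is not part of the original thread or the installer: it combines a private key, certificate and optional CA chain into one owner-only PEM file and replaces the old file atomically, so it can be re-run after each certificate renewal. The function name is hypothetical and all paths are arguments, because the page does not give Vesta's certificate locations; it checks PEM markers only, not that the key matches the certificate.

```shell
#!/usr/bin/env bash
# Added example: build one PEM file containing key + certificate (+ chain).

# build_monit_pem CERT KEY OUT [CHAIN]
build_monit_pem() {
    local cert=$1 key=$2 out=$3 chain=${4:-} tmp

    # Catch swapped or wrong inputs before anything is written.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" \
        || { echo "no certificate found in $cert" >&2; return 1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" \
        || { echo "no private key found in $key" >&2; return 1; }

    # mktemp creates the file with mode 0600 in the destination directory,
    # so the key is never readable by other users, even briefly.
    tmp=$(mktemp "$out.XXXXXX") || return 1
    {
        cat "$key" "$cert"
        if [ -n "$chain" ]; then cat "$chain"; fi
    } > "$tmp" || { rm -f "$tmp"; return 1; }

    chmod 600 "$tmp"
    # Rename within the same directory is atomic: a reader sees either
    # the old file or the complete new one, never a partial write.
    mv -f "$tmp" "$out"
}

# Usage (placeholder paths):
#   build_monit_pem /path/to/host.crt /path/to/host.key /path/to/monit.pem /path/to/ca.crt
```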

  • Bill

    Thank you. A very brilliant script. A full working box setup in under 20 minutes.

    Not part of the script, but facing a couple of issues with WordPress though. I tried installing WP without issues, site is working fine. Copied files using Winscp. However, when I try to install a plugin from WP admin, there is a prompt asking for FTP username and pass. Guess the WP auto update is not working as well.

    I tried granting permission to nginx.nginx to the web directory, tried changing file permissions, but did not help.

    Can you please help?

    Thanks – Regards – Bill

    • SSULLIVAN88

      Hi Bill,

      Someone else has the same problem as you and it was because they uploaded WordPress as another user and/or with root access. VestaCP uses the actual user you set it up under, so if you set it up under the account named “admin” then you must chown it admin:admin — this is the same for if you set it up under the username “user20”, you must chown it user20:user20.

      I hope this helps!

      • Bill

        Phew! tried with admin:admin and It worked 🙂

        chown -R admin.admin /home/admin/web/

        This was killing me 🙂 – Thank you very much.

        Sorting one more thing, the LetsEncrypt works cool, but, when I try to change the WP URL to www, it displays as insecure connection. Works like a charm without the www.

        Cheers

        • SSULLIVAN88

          Not a million percent sure on this one but how did you create the SSL certificate? If you used the web interface, then I’m not sure what could be wrong (if it was successful). If you used the command line, you have to add www as part of the alias as by default Vesta doesn’t put this there.

          i.e. v-add-letsencrypt-domain user20 mydomain.com www.mydomain.com

          P.S. Perhaps a reboot of NGINX might help too?

          • Bill

            SSL was created by your script, assigned automatically to the default host domain, which was brilliant.

            I can see the Vesta alias textbox contains the www, but for some reason it is not working.

            I am checking my domain control panel as well, just to be sure everything is pointed correctly.

            Tried the NGINX reboot, did not help. Let me try adding another domain name to VESTA and see what happens.

            Will come back and update you.

            Thanks again. Regards – Bill

          • SSULLIVAN88

            Hi @disqus_pBR8AzwZLv:disqus – by default it should be a hostname i.e. there is no www on hostnames. However, it’s a quick fix.

            Run this as root:

            v-add-letsencrypt-domain admin hostname.domain.com www.hostname.domain.com

            That should fix it!

          • Bill

            Thank you, it worked 🙂 – oh by the way, must say, you are awesome 🙂

  • The lfd service sends emails with IP ban alerts all the time. Is that normal? Is it a botnet attack?

    • SSULLIVAN88

      Can you let me know more information:

      * How many emails in a 5 minute period do you get?
      * Do the emails all contain different IP addresses?
      * What is the reason they are blocked? i.e. “sshd[24217]: pam_unix(sshd:auth): authentication failure;”

      • – Email interval is about 30 minutes.
        – Yes. At the end of the email there is a list of blocked IP addresses.
        – Reason is “Invalid user”, “Failed password for invalid user 0”, “Failed password for admin”.

        Screenshot: http://prnt.sc/f2i8ek

        • SSULLIVAN88

          That looks correct to me. I get a lot of emails every minute. I’ve had over 16,000 since February.

          Your server may just be under stress at the minute. If you let CSF do its job for a while it will eventually permanently ban the IP addresses that are causing the issue, which will in turn reduce the amount of emails you receive.

  • File upload limit? Where can I change it?
    I have made changes in VestaCP panel but phpinfo() shows: http://prnt.sc/f30n14

    • SSULLIVAN88

      PHP7: /etc/opt/remi/php70/php.ini

  • Loc Nguyen

    I can’t install it. Can you help me, please?

    • SSULLIVAN88

      What are you having trouble with? Are there any error codes?

  • Ar1sC

    Can I Use this script on Debian?

    • SSULLIVAN88

      Sorry, not yet. 🙁

      • Ar1sC

        Will you create a Script for Debian or Ubuntu ?

  • When I’m running your script
    I receive this error:
    sysctl: setting key "net.ipv4.ip_local_port_range": Invalid argument
    net.ipv4.ip_local_port_range = 16384 65536

    Everything else works perfectly 😉

    • SSULLIVAN88

      Thank you for reporting.

      I’ve changed it so that there’s a TAB in-between the ranges (that’s the correct way).

      Also worth noting: sometimes some providers don’t allow you to change these values, especially if you’re on a VPS, but it won’t harm a system if these values are set.

  • Ar1sC

    I’m getting an error with the hostname… My hostname is pointed to my server IP using an A record… sub.hostname.tld and www.sub.hostname.tld…

    • SSULLIVAN88

      If it matches and you know it’s pointed correctly, edit CentOS.sh and uncomment out line 19 and comment out line 20 so it ends up like so:


      yum clean all
      yum -y install bind-utils
      IPAddress=$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/')
      #IPAddress=$(hostname -i)
      DigResult=$(dig @8.8.8.8 +short $vHostname)

      • Ar1sC

        I get this error: /etc/monit/monitrc:3: syntax error 'port'
        probably because I typed $vSMTPPort and enter… How can I fix it?

        • SSULLIVAN88

          You need to edit file: /etc/monit/monitrc

          • Ar1sC

            What do i need to change?

          • Ar1sC

            Also I think I found a typo mistake on this file https://vestacp.ss88.uk/VestaCP_Installer/CentOS7/monitrc
            http://imgur.com/a/lcPMz
            But not sure..

          • SSULLIVAN88

            Thank you for the report. I have fixed this online.

            You’ll need to change the /etc/monit/monitrc file at the top to be something like:


            set daemon 60
            set logfile syslog facility log_daemon
            set mailserver SMTP.DOMAIN.COM port 587 username "EMAIL@DOMAIN.COM" password "PASSWORD"
            set mail-format { from: EMAIL@DOMAIN.COM }

          • Ar1sC

            set mailserver SMTP.DOMAIN.COM port 587 username "EMAIL@DOMAIN.COM" password "PASSWORD"
            set mail-format { from: EMAIL@DOMAIN.COM }

            EMAIL@DOMAIN.COM
            Something like admin@domain.com? Or should I make an email only for this?

          • SSULLIVAN88

            It needs to be a real working email address and e-mail server.

          • Ar1sC

            I get ERR_SSL_PROTOCOL_ERROR on this port 2812

          • SSULLIVAN88

            That’s not to do with emails.

            Send me your full monitrc details; without these I cannot do anything.

          • Ar1sC

            Can We Talk On The Live Chat?

          • SSULLIVAN88

            Sure

  • Ahsan Habib Khan

    I need to increase the max file size on the phpMyAdmin database import section. I used your provided VestaCP .sh file to set up my server. Can you please help me to increase this? It’s 2MB only, I need it 50MB.

    • SSULLIVAN88

      Hi Ahsan,

      You need to edit the value `upload_max_filesize` and `post_max_size` in either one of the following:

      PHP 7: /etc/opt/remi/php70/php.ini

      PHP 5: /etc/php.ini

      • Ahsan Habib Khan

        Yes, it’s working. Thank you so much for your quick reply.

  • Victoria Fyodorova

    I have a very poor idea about server management, but for a nonprofit religious organization I have to build a server. I purchased a VPS from Contabo. But the issue is, with your provided script my server (24GB RAM, full SSD) loads like shared hosting (WordPress with WooCommerce), but with ServerPilot it’s working great. But because ServerPilot lacks other advantages, I am looking to use VestaCP. Is there any solution for improving the page load and making full use of CPU + RAM per visitor? Thanks

    • SSULLIVAN88

      Hi Victoria. Firstly, thank you for using my script. Secondly, the speed issue could be a number of things:

      Are you using PHP 7? If not, please upgrade as this will give you a speed increase almost instantly.

      You might need to increase the memory usage in the php.ini file. This variable is named `memory_limit`. Don’t set it too high or you will experience a slow server when lots of visitors are on your website.

      With WordPress, the best way to test the speed is by logging in, and then logging out. When you are logged out, you can browse the website as a visitor would see it. When you are logged in, it uses more server resources because you’re loading more things (such as plugins, core updates, etc).

      The rest is heavily dependent upon your WordPress install. This script is optimized for smaller websites, not heavy ones. I do however use this on a very heavy WordPress + WooCommerce install with millions of hits and it runs great.

      I would also advise getting some kind of cache script (only non logged in visitors will see the cached result) and the only one I would recommend is called WP Fastest Cache.

  • Guido

    hi

    Thanks for your script. I installed it now with PHP 7.
    I need to install the mcrypt and zip PHP libraries. OpenCart requires them…
    Can you help, please?

    • SSULLIVAN88

      yum install php70-php-mcrypt php70-php-zip

      • Guido

        thanks!
        it is working now.

        • SSULLIVAN88

          Glad I could help!

  • Guido

    Hi
    Sorry for my issues.
    I see an old Monit version installed in your script. Is it possible to install the latest version?
    Or can you say how we can upgrade it, please?

    Regards

    • SSULLIVAN88

      Unfortunately this is not my script — it’s the CentOS official repo that needs to be updated but they never are really once it’s flagged as stable.

      You would first need to remove the monit package via yum and then install from source to get the latest version.

      What features are in the new version you need?

      • Guido

        I understand it.
        I see many issues fixed in the last versions… so I asked if it was possible to update it.
        Thanks for your quick reply.