We’re going to cover all of these factors and give a few tips to improve the performance of your CentOS VPS.
In today’s market, you can no longer use security as a means to offer more expensive tiers of service to your clients, promising more security for the premium clients. Today, it’s expected for all clients no matter the level of service agreement they’ve entered with you. You’ll need to step up your game in order to offer everyone a minimum level of security that is acceptable.
There are several plugins you can install for WHM that can help with security management.
The first is ConfigServer Security & Firewall (CSF). After installing CSF, head to the plugin page located at the bottom of the WHM sidebar. There you can access the control center for the CSF plugin for important security settings.
After installing CSF, you need to alter the default settings. Head to the Firewall Configuration section from the CSF plugin settings menu. Here are some options to set a global security preset. Starting at “medium” is the standard practice.
The CSF plugin can give a security audit for your server. In the main menu of the CSF plugin, click the “check security” option. This will generate a list of tips to improve security on your server. At the bottom of the report there will be a security score, and it will place your server’s overall security level between insecure and maximum security.
This tool is a handy way to figure out what needs to be done if you’re not sure what still needs better security. You don’t need to make every single change suggested by CSF: every setup is unique and sometimes it may not be possible or reasonable to take certain measures. It’s probably best to shoot for the upper yellow or green area on the chart.
Another useful security auditing tool you can use is “Security Advisor”, which is very similar to CSF. Security Advisor will scan your server and return any potential issues and will display them in the form of a list, color coded in terms of severity. It will also provide tips for correcting these issues and protecting yourself.
After you install the plugin, go to your plugin’s page on WHM and select the “Security Advisor Tool”. From there, select “scan” to initiate the scan. The results are not as verbose or thorough as CSF, but it’s a great tool to use in conjunction with it.
Speed is one of the most important things to improve on customer servers, as this is the most visible change you can make and it allows you to directly compare to your competitors. No one notices something like security unless there are issues that are taken advantage of, and uptime can only be proven over the long term. Speed is an immediate quantifiable improvement for your clients.
We’re going to cover some handy tips and tricks to improve the speed of a CentOS based WHM setup. Not all tips will be ideal for every situation. Some will cost money, others will cost time for setup, and some may even be a tradeoff between security and speed.
First, the things you can tweak right out of the box with WHM. In your WHM panel, head to the “Tweak Settings” page. You can use the search box to find any setting you need quickly from there.
Below is a list of settings you can change to improve performance, but please note they may contradict security tips given to you by CSF or Security Advisor. Make changes at your own discretion.
Turn off Mailman.
Update the email delivery retry time to 30 minutes from the 15 minutes default.
Turn off BoxTrapper Spam Trap and SpamAssassin Spam Box.
If you just have your own website running on the VPS then you can reduce the resources used on the server by turning off MySQL disk calculations: disable “Include databases in disk usage calculations”. Keep in mind this will cause a discrepancy between what WHM shows for total disk usage and what’s actually used.
Disable Anonymous Logins and FTP uploads. This is both for security and performance reasons, and if you don’t have a particular reason to need either of these enabled, they should be disabled.
Optimizing Apache will improve the overall performance of your site without updating hardware or expanding your VPS provision. For improving your performance in Apache, WHM is quite limited in what it can configure.
Home >> Service Configuration >> Apache Configuration >> Global Configuration
Alter the following settings in Apache Global Configurations:
When set to “on”, Keep-Alive enables a persistent connection between your server and the user, providing long-lived HTTP sessions which allow multiple requests to be sent over the same TCP connection.
In some cases, this can account for an almost 50% reduction in latency for pages with many images. To enable Keep-Alive in Apache 1.2 or later, set “KeepAlive” on.
This value defines the number of requests allowed per connection when KeepAlive is enabled. When the value of this option is set to “0”, unlimited requests will be allowed on the server. For server performance, it’s recommended to allow unlimited requests unless you have a security or load balancing reason to limit it.
This value defines the number of seconds Apache will wait for a subsequent request before closing the connection. 10 is a good, generous number to fill in here. Keep this time low as keeping the socket idle for too long is a waste of resources.
This value will define the number of child processes that can be created to serve HTTP requests. The default number of 512 means that up to 512 concurrent requests can be handled. This is an important parameter to tune to your situation. For a higher load operation, the default of 512 is acceptable. 256 would be appropriate for more standard circumstances.
You need to get this right based on what your server can handle. The main constraint on the number of client processes is memory. First find out how much memory the other processes on your server take, then leave some buffer. About 20% should do. Assume about 75MB per client process, in other words:
(Total Memory – (Other Processes * 1.2)) / 75MB = Max clients
Err on the side of fewer client processes.
This value will define the minimum number of child processes that should be present at all times, idle and ready to take a request. If there are fewer than the “MinSpareServers” value or more than the “MaxSpareServers” value, then the parent process adjusts the number of idle child processes at a rate of 1 per second. Set the minimum to “10” and the maximum to “15”.
This option is used to define the number of requests that an individual child server process will handle. Leaving this at the default value of “0” will not limit the number of requests a child can handle before it dies and a new one is made in its place. Technically it is faster to let these never die, as it will not burden Apache with making new ones, but this can lead to problems with memory leaks in old processes.
Figure out how many requests in total you get in a day, and divide by the number of child processes you have. This will give you the ideal number to make a process live about a day, spreading out the burden of creating new child processes to the point that it really doesn’t affect performance, but not keeping processes alive long enough to have a memory leak become serious. If you’re not sure, “2500” is a good value to start with. Don’t set this value too low; there’s no reason to constantly kill and restart these processes.
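The memory-based sizing rule above and this requests-per-day rule can be scripted. The following is an added example, not part of the original article; the `ps` sample, the 2048 MB total and the 50000 requests per day are constructed values, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: sizing helper for the two formulas in this article.
# Constructed sample of `ps -eo rss,comm` output (RSS in KB); not real data.
SAMPLE_PS='   RSS COMMAND
204800 mysqld
 51200 exim
 76800 httpd
 71680 httpd
 25600 sshd
102400 cpsrvd'

# Sum resident memory (MB, rounded up) of everything that is not an Apache child.
other_mb() {
  awk 'NR > 1 && $2 != "httpd" { kb += $1 }
       END { printf "%d\n", int((kb + 1023) / 1024) }'
}

# (Total Memory - (Other Processes * 1.2)) / per-child MB, rounded down.
# Args: total_mb other_mb [per_child_mb, default 75 as the article assumes]
max_clients() {
  awk -v t="$1" -v o="$2" -v c="${3:-75}" 'BEGIN {
    n = int((t - o * 1.2) / c)
    if (n < 1) n = 1          # never emit zero or a negative limit
    print n
  }'
}

# Requests per day divided by the number of child processes.
# Args: requests_per_day children
max_requests_per_child() {
  awk -v r="$1" -v n="$2" 'BEGIN { print int(r / n) }'
}

other=$(printf '%s\n' "$SAMPLE_PS" | other_mb)
clients=$(max_clients 2048 "$other")
echo "other processes: ${other} MB"
echo "MaxClients: ${clients}"
echo "MaxRequestsPerChild: $(max_requests_per_child 50000 "$clients")"
```

On a live server, feed `other_mb` the output of `ps -eo rss,comm` instead of the sample and take the total from `free -m`.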
When set to “Off”, this option will disable DNS lookups. It’s recommended to turn this off in order to avoid latency with every request. This will also reduce network traffic and improve the performance of your Apache web server.
For security, it is also a good idea to disable directory listings. You can do this by scrolling to the “Directory Options” section on the Global configuration page. There you will be able to disable indexing.
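One way to check a server against the Apache suggestions above, as an added example that is not from the original article. It assumes the settings described correspond to the standard Apache directives named in the sample (KeepAlive, MaxKeepAliveRequests, KeepAliveTimeout, MinSpareServers, MaxSpareServers, MaxRequestsPerChild, HostnameLookups, Options Indexes); the sample config and the function name are constructed.

```bash
#!/usr/bin/env bash
# Added example: audit an Apache config against the values suggested above.
# Constructed sample config, not taken from a real server.
SAMPLE_CONF='KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 30
MaxClients 256
MinSpareServers 10
MaxSpareServers 15
MaxRequestsPerChild 0
HostnameLookups On
<Directory "/home">
    Options Indexes FollowSymLinks
</Directory>'

# Reads a config on stdin, prints one line per deviation from the suggestions
# in this article, and returns non-zero if any deviation was found.
audit_apache() {
  awk '
    BEGIN {
      want["keepalive"] = "on";       want["maxkeepaliverequests"] = "0"
      want["minspareservers"] = "10"; want["maxspareservers"] = "15"
      want["hostnamelookups"] = "off"
    }
    /^[ \t]*#/ || NF < 2 { next }          # skip comments and bare tags
    {
      key = tolower($1); val = tolower($2) # directive names are case-insensitive
      if (key in want && val != want[key])
        bad += report($1, $2, want[key])
      if (key == "keepalivetimeout" && val + 0 > 10)
        bad += report($1, $2, "10 or less")
      if (key == "maxrequestsperchild" && val + 0 == 0)
        bad += report($1, $2, "non-zero, e.g. 2500")
      if (key == "options")
        for (i = 2; i <= NF; i++)
          if (tolower($i) ~ /^[+]?indexes$/)
            bad += report($1, $i, "remove Indexes")
    }
    function report(name, found, wanted) {
      printf "%s: %s -> %s\n", name, found, wanted
      return 1
    }
    END { exit (bad > 0) }'
}

printf '%s\n' "$SAMPLE_CONF" | audit_apache || echo "deviations found"
```

MaxClients is left unchecked because its value depends on the memory calculation for the individual server.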
In a dynamic environment, it is very beneficial to correctly configure your SQL settings.
Find your “my.cnf” file, and replace it with the following:
[mysqld]
max_allowed_packet = 1M
max_connections = 300
max_user_connections = 35

[mysqldump]
quick
max_allowed_packet = 16M
To reduce memory usage, you should convert all of your InnoDB tables to MyISAM if you have any. Memory usage is a very important factor in your server environment. InnoDB suffers from high memory usage, and we recommend that you avoid using it. This can impact load times slightly, but it allows database tables to be accessed with a much smaller memory footprint. You can change this with any SQL UI like phpMyAdmin.
To change this in phpMyAdmin, click on your database, and in the SQL tab enter:
ALTER TABLE table_name ENGINE = MyISAM;
Then click “go”.
For MySQL 5.6.6+, disable performance_schema. This is turned on by default and tends to use a lot of memory!
To disable performance_schema:
Instead of using compressed backups, use incremental backups. This will take more space but perform better. You can configure this in WHM directly at:
WHM >> Home >> Backup >> Backup Configuration
In your php.ini file, reduce the memory_limit value. Alternatively, instead of editing the file directly, you can do it in WHM. Head to:
WHM >> Service Configuration >> PHP Configuration Editor >> Core >> memory_limit
When providing a virtual service, ease of use for clients should be a key focus. In order for your business to grow, you not only need to offer a reliable service, you also need to offer a setup that doesn’t need to rely solely on your IT department if the client is capable of making changes themselves. This means providing your clients and users with access to secure tools and settings so they’re able to use and take control of their own site.
Providing that functionality isn’t only about making their site user friendly, it’s also about providing a service that users cannot take advantage of and use for malicious behavior. Thankfully, WHM makes this easy.
There are several web hosting tools that you can use to help sell your service including enabling SSH access to your users. This can all be done through the WHM UI.
When allowing SSH access you have to be careful with the amount of access you give your users. There are three types of access: open, jailed and closed. Open and closed are self-explanatory: either the user has access or they don’t. Jailed is a bit different. Jailed access means the user will only have access to their home directory, meaning they won’t be able to fiddle with configuration files etc. If SSH is a must, we strongly suggest setting access to jailed, if they have access at all.