Installing Plesk on Ubuntu 14.04LTS
I often find myself running through the same setup procedure while getting a server ready for clients. Our hosting platform for clients is Plesk so this is going to be a quick step by step cheat sheet. It won’t go into deep explanations on why each of these things are being done, but if you want a simple way to get Plesk installed and secured quickly you can follow these steps.
Fresh Install of Ubuntu 14.04LTS
As your starting point you should have a shiny new VPS or dedicated server with Ubuntu 14.04LTS freshly installed from your hosting provider, these steps will likely work with most recent versions of Ubuntu, but at the time of writing this we use Ubuntu 14.04LTS on our production servers.
Start with some basic updates
To ensure we have the latest updates and patches of the basic install we run some updates.
Login to your server through a terminal programme such as puTTY
run the following command:
While upgrading you will be given a Yes / No option, type yes and press enter to proceed with the upgrades.
Wait while the system runs through all updates.
Give the server its new name
At this point we want to set our hostname, this should be your servers intended FQDN (fully qualified domain name). The file to update will be located at:
This file will likely be empty when you open it. Within this file you should include the FQDN that the server will be known by. It can be any domain or subdomain you own and can manage the DNS of (e.g. server.yourdomain.tld). You will need to create an A record on your DNS server managing this FQDN pointing to your servers IP address.
This will now be your servers hostname and you will be able to navigate to your Plesk control panel using this name when we are done. The line in the file should follow the following format:
It’s important that you actually configure your DNS for your chosen FQDN to point to your servers IP address otherwise your Plesk installation will experience errors and will not complete.
Once done, reboot the server
Begin Installing Plesk and its requirements
Confirm AppArmor isn’t installed as it has some compatibility problems with Plesk, run this command:
sudo apt-get remove apparmor
Now we download and start the plesk installer script:
wget -O - http://autoinstall.plesk.com/one-click-installer | sh
Plesk should now be installed and running, you can confirm this by typing in:
You can now head on over to https://<your server IP>:8443 or your hostname that you configured a little earlier https://server.yourdomain.tld:8443
You can then login with the username root and your root password. On your first login you will need to accept the Plesk terms and conditions and you should configure an admin user when prompted. You will also need to fill in your details.
At this point you will either need to purchase a license, or you can try plesk free for 15 days.
Install Some Additional Services & Features
At this point we generally install some extra items that aren’t included in Plesk by default.
apt-get install mcrypt
apt-get install php5-mcrypt
apt-get install php5-ioncube-loader
apt-get install php-apc
apt-get install php5-memcached memcached
apt-get install php5-imap
service apache2 restart
Avoiding Slow DNS Response Times with resolv.conf
Occasionally a DNS server will slow down and start responding slowly producing a knock on effect to your servers response times, to help avoid this we can add a couple of extra lines to our configuration.
Navigate to: /etc/resolvconf/resolv.conf.d
Within this folder create a file named tail
Within this file include the following:
options timeout:1 attempts:1
#nameserver 22.214.171.124 #Google NS1
#nameserver 126.96.36.199 #Google NS2
#nameserver 188.8.131.52 #OpenDNS2
#nameserver 184.108.40.206 #OpenDNS1
#options timeout:1 rotate attempts:1
You’ll notice most of these lines are commented out, but you can remove the # at the start of each line if you wish to use them.
The only line that we normally include is:
options timeout:1 attempts:1
timeout:1 tells the server to timeout and try the next DNS resolver address if it takes longer than 1 second to respond. The attempts:1 setting changes the default behaviour to only try each DNS resolver once before trying the next DNS resolver option. It’s important that before you do this you confirm by running a ping test from your server that the default DNS provided by your server host responds faster than 1 second, if it doesn’t you can include either the Google or OpenDNS providers commented out in the example above, you may wish to do this anyway if they consistently respond faster than your hosts own DNS.
You can additionally include the rotate option (commented out in the bottom line) which will automatically cycle through all of the available DNS servers and can spread the load more evenly, otherwise it will consistently use the first DNS listed (unless it responds slower than 1 second after 1 try, in which case it will try the second DNS and so on).
Open up Passive ports on proFTPd server
edit /etc/proftpd.conf and add the following line to the end of the file:
PassivePorts 20000 20250
In this example we are using ports 20000 to 20250, but you can choose your own port number range so long as it doesn’t overlap any other active port allocations. This can be a bigger or smaller number range (in this example 250) but keep in mind the smaller the number the smaller the hole we’ll have to make through the firewall. Equally you need to ensure you have enough ports for all of your active FTP users. It’s theoretically possible for each active FTP user to use between 10 – 20 ports.
then restart the ftp service:
Install mod_cloudflare to allow correct IP tracking of visitors
We generally use Cloudflare quite a bit for clients sites and if you want the tracking information of your site visitor and not Cloudflares server IP’s you’ll need to add a little code:
apt-get install libtool apache2-dev
apt-get install libtool apache2-threaded-dev
apxs -a -i -c mod_cloudflare.c
apxs2 -a -i -c mod_cloudflare.c
Then restart apache
service apache2 restart
Auto reboot server when out of memory
As a last resort it can be better to automatically reboot your server when it runs out of memory than to let it hang for a long period of time. This will cause a minute or two of downtime, but it’s better than languishing in the swapping state for potentially hours or never recovering at all.
Create a file called /etc/sysctl.d/oom_reboot.conf and enter the following lines:
# panic kernel on OOM
# reboot after 10 sec on panic
Then confirm and activate with:
sysctl -p /etc/sysctl.d/oom_reboot.conf
Securing your Server
There are a huge number of things you can do to secure your server, I hope to go into some of these in more detail at a later date, but the following is a pretty good starting point.
Change your default SSH Port
to any port of your choice, make sure its not a port being used by any other service on your server, in this example I’ve used 4444
Then restart the SSH service using this line:
service ssh restart
It’s important to remember to connect to SSH through your new port number from now on, so make it something you’ll remember.
Setup SSH Keys and disable password login
I created a separate post on how to do this: Secure SSH Keys Setup
Install and configure CSF Firewall
CSF firewall isn’t controllable from within Plesk, however it’s a great adaptive firewall that can be made to work with Plesk, it simply needs to be managed from command line, which is easier than it sounds with a little practise.
So lets install CSF:
rm -fv csf.tgz
tar -xzf csf.tgz
Then run the following line to confirm that CSF should be able to function fully on your system:
Now open the file /etc/csf/csf.conf with WinSCP or similar
This document is really well documented and is the core configuration of CSF. The great thing about CSF is its great documentation which is a good thing as it’s really quite a powerful firewall when set up correctly.
The configuration of this file will vary depending on your servers needs and environment and I suggest you take your time and read each option before you make a change, but the following are the ports that will always need to be configured to work with Plesk.
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,26,53,80,106,110,113,143,443,465,587,990,993,995,5432,8443,8447,8880,9080,11443,11444,20000:20250,4444"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,26,53,80,106,110,113,143,443,465,587,990,993,995,5432,5224,8443,8447,8880,9080,11443,11444,20000:20250"
# Allow incoming UDP ports
UDP_IN = "20,21,53"
# Allow outgoing UDP ports
UDP_OUT = "20,21,53,113,123,873,6277"
Please remember to swap out the 4444 for your own SSH port and the 20000:20250 to your own FTP Passive Ports. With a little trial and error you can also close some of these ports down if you don’t need the service they correspond to, but these should be a good starting point to open all ports Plesk will require.
Once you’ve configured your csf.conf just the way you want it you should open the csf.blocklists file located at/etc/csf/csf.blocklists
Again, this is a well documented file, but essentially it allows you to pick which of the available firewall block lists you would like to import into CSF as it’s base setting. It’s tempting to enable all of the block lists, but it’s recommended to just go with two or three as the IP block list can quickly become quite huge and can cause CSF to bog down your system with firewall rules, we’re looking for secure, not slow.
There are a number of other files that can be edited, the primary ones are listed below:
csf.conf – the main configuration file, it has helpful comments explaining what each option does
csf.allow – a list of IP’s and CIDR addresses that should always be allowed through the firewall
csf.deny – a list of IP’s and CIDR addresses that should never be allowed through the firewall
csf.ignore – a list of IP’s and CIDR addresses that lfd should ignore and not block if detected
csf.*ignore – various ignore files that list files, users, IP’s that lfd should ignore. See each file for their specific purpose
If you modify any of the files listed above, you will need to restart csf to have them take effect
If you use Cloudflare you may wish to whitelist their IP’s, view their current IP list and add them to csf.allow to let them pass through your firewall.
CSF has very good documentation, but if you get stuck for the csf command you are looking for just type in:
this should display all possible csf command lines
This isn’t intended as an in depth user guide to CSF, but one final feature you may want to check out is the emailed security report, from command line run the following:
csf -m firstname.lastname@example.org
This will email you a report with a score and areas you can enhance your servers security.
Due to vulnerabilities in SSL3 it’s a good idea to remove all possible inclusions in all services. It’s possible to do this one at a time by visiting the configuration file of each service, thankfully however Plesk have made a little script to do all this in one go.
after downloading the script and uploading it to your server run:
You can use this online ssl tool to confirm this has worked.
At this point you should now have Plesk installed on Ubuntu 14.04 LTS, secured and ready for use. If you have any problems just add a comment and I’ll try and help if I can.