{"id":256,"date":"2025-02-12T06:29:00","date_gmt":"2025-02-12T11:29:00","guid":{"rendered":"https:\/\/mkt.selfregional.org\/edit\/?p=256"},"modified":"2025-02-23T21:24:08","modified_gmt":"2025-02-24T02:24:08","slug":"server","status":"publish","type":"post","link":"https:\/\/mkt.selfregional.org\/edit\/server\/","title":{"rendered":"Server"},"content":{"rendered":"\n<p>Setting up a new server for a project. This one has to be easily replicated and provide access to multiple systems-level administrators. The name &#8216;squid&#8217; \ud83e\udd91 comes from a portmanteau of the hosting data center and because cephalopod intelligence is the best of the invertebrates.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>HIPAA Compliance<\/li>\n\n\n\n<li>Dedicated IPs<\/li>\n\n\n\n<li>Managed<\/li>\n\n\n\n<li>24\/7 Support<\/li>\n\n\n\n<li>East Coast location<\/li>\n<\/ul>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">- Processor: Intel(R) Xeon(R) E E-2456 (12 core)\n- RAM: 32GB DDR4 SDRAM\n- HD1: 2 x 960 GB SSD Hardware Raid 1\n- HD2: 1 x 1.92 TB SSD\n\nStatic hostname: *****.*****.***\nOperating System: AlmaLinux 9.5 (Teal Serval)\nCPE OS Name: cpe:\/o:almalinux:almalinux:9::baseos\nKernel: Linux 5.14.0-503.23.2.el9_5.x86_64\nArchitecture: x86-64\n\n10 TB Outbound Bandwidth\nGigabit Uplink Port\n<\/code><\/pre>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"system\">System<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"almalinux-9-\">AlmaLinux 9 \ud83d\udc27<\/h3>\n\n\n\n<p>Version 9 will have active support until 31 May 2027, and security support until 31 May 2032.<\/p>\n\n\n\n<p>Twenty years ago I started out on CentOS for personal projects because my job was using RHEL. Switched to Debian because it seemed like all the smart folks were using it. 
Then I started dabbling in Ubuntu and switched because I liked the free security patch model from Canonical. I have an Ubuntu server that has been running for 13 years. CERN switching from Scientific Linux had an impact, and the community model seems better than Rocky\u2019s, which I\u2019d guess might see some of the fate of CentOS. It also seems popular amongst the enterprise folks, and it is binary compatible with Red Hat, using the Fedora package manager.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Docs &#8211;&nbsp;<a href=\"https:\/\/wiki.almalinux.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/wiki.almalinux.org\/<\/a><\/li>\n\n\n\n<li>CERN &#8211;&nbsp;<a href=\"https:\/\/linux.web.cern.ch\/almalinux\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/linux.web.cern.ch\/almalinux\/<\/a>\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/gitlab.cern.ch\/linuxsupport\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/gitlab.cern.ch\/linuxsupport<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Wiki &#8211;&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/AlmaLinux\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/en.wikipedia.org\/wiki\/AlmaLinux<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"user\">User<\/h3>\n\n\n\n<p>Disable root login, add an admin user, move SSH to a non-default port, and add keys. On AlmaLinux 9 the new port has to be registered with SELinux and opened in firewalld before sshd is restarted, or the restart locks you out; verify the key login from a second session before turning password authentication off.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">useradd ***********\npasswd ***********        # wheel members sudo with their own password\nusermod -aG wheel ***********\nsu - ***********\n# install the admin public key before touching sshd\nmkdir -m 700 ~\/.ssh &amp;&amp; vi ~\/.ssh\/authorized_keys &amp;&amp; chmod 600 ~\/.ssh\/authorized_keys\nsudo vi \/etc\/ssh\/sshd_config\n# disable root login\nPermitRootLogin no\n# keys only, once the key login has been verified from a second session\nPasswordAuthentication no\n# obscure ssh port\nPort ****\n# SELinux (semanage from policycoreutils-python-utils) and firewalld must both allow the new port\nsudo semanage port -a -t ssh_port_t -p tcp ****\nsudo firewall-cmd --permanent --add-port=****\/tcp &amp;&amp; sudo firewall-cmd --reload\n# syntax-check the config, then restart\nsudo sshd -t &amp;&amp; sudo systemctl restart sshd<\/code><\/pre>\n\n\n\n<p>Add the admin user to the Plesk web groups (the Debian-style www-data group does not exist on AlmaLinux; Plesk uses these two):<br>psaserv ( \/conf \/httpdocs )<br>psacln ( \/)<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">sudo usermod -a -G psaserv,psacln ***********<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"shell\">Shell<\/h3>\n\n\n\n<p>change to oh-my-zsh<\/p>\n\n\n\n<pre 
class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">sudo dnf install zsh\nchsh -s $(which zsh)\n# log out\/in\nsudo dnf install git curl wget\n# fetch the installer to disk and read it before running it, rather than piping curl straight into sh\ncurl -fsSLo ohmyzsh-install.sh https:\/\/raw.github.com\/ohmyzsh\/ohmyzsh\/master\/tools\/install.sh\nless ohmyzsh-install.sh\nsh ohmyzsh-install.sh\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"packages\">Packages<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/docs.fedoraproject.org\/en-US\/docs\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/docs.fedoraproject.org\/en-US\/docs\/<\/a><\/li>\n\n\n\n<li>Dandified YUM manager &#8211;&nbsp;<a href=\"https:\/\/docs.fedoraproject.org\/en-US\/docs\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/docs.fedoraproject.org\/en-US\/docs\/<\/a><\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">sudo dnf clean all\nsudo dnf update<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">dnf --help\ndnf history\ndnf list installed\ndnf [ search\/install\/info\/list\/remove\/upgrade\/history\/repolist\/deplist ]\nsudo dnf upgrade package_name\nsudo dnf upgrade\n# pending security advisories only, and applying just those\nsudo dnf updateinfo list --security\nsudo dnf upgrade --security\n\nsudo dnf install htop<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"systemd\">Systemd<\/h3>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"rsyslog\">rsyslog<\/h3>\n\n\n\n<div style=\"height:50px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"security\">Security<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"hardening\">Hardening<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>FIPS 140-3 security certification for its Linux distro<\/li>\n\n\n\n<li>AlmaLinux 9 OpenSCAP Guide &#8211;&nbsp;<a href=\"https:\/\/wiki.almalinux.org\/documentation\/openscap-guide-for-9.html\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/wiki.almalinux.org\/documentation\/openscap-guide-for-9.html<\/a>\n<ul class=\"wp-block-list\">\n<li>SCAP is a U.S. 
standard maintained by the National Institute of Standards and Technology<\/li>\n\n\n\n<li><a href=\"https:\/\/almalinux.org\/blog\/2023-11-28-cis-benchmarks-update\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/almalinux.org\/blog\/2023-11-28-cis-benchmarks-update\/<\/a><\/li>\n\n\n\n<li>DoD Guide &#8211;&nbsp;<a href=\"https:\/\/public.cyber.mil\/stigs\/downloads\/?_dl_facet_stigs=unix-linux\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/public.cyber.mil\/stigs\/downloads\/?_dl_facet_stigs=unix-linux<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"ports\">Ports<\/h3>\n\n\n\n<p>These are the default open ports for Plesk. Only the ones this server actually serves should stay open: the mail ports go away here because mail is relayed to a third party (see Mail below), and 3306 should only listen on loopback (see MariaDB below).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">- 53 - DNS (TCP and UDP)\n- 80 - HTTP (TCP)\n- 110 - POP3 (TCP)\n- 123 - NTP (UDP)\n- 143 - IMAP (TCP)\n- 443 - HTTPS (TCP) (mandatory licensing)\n- 465 - SMTPS (TCP)\n- 587 - SMTP (Submission) (TCP)\n- 953 - RNDC (TCP)\n- 990 - FTPS (TCP)\n- 993 - IMAPS (TCP)\n- 995 - POP3S (TCP)\n- 3306 - MySQL (remote only) (TCP)\n- 5432 - PostgreSQL (TCP)\n- 8443 - Plesk HTTPS (TCP)\n- 8447 - Plesk Installer (TCP)\n- 8880 - Plesk HTTP (TCP)\n- 49152 - 65535 - (TCP) for FTP passive mode - incoming only<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"firewalld\">FirewallD<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\"># status\nsudo systemctl status firewalld\n# open port\nsudo firewall-cmd --zone=public --add-port=80\/tcp --permanent\n# close port\nsudo firewall-cmd --zone=public --remove-port=80\/tcp --permanent\n# reload\nsudo firewall-cmd --reload\n# what firewalld currently exposes\nsudo firewall-cmd --list-all\n# list all listening sockets (ss ships with iproute; net-tools\/netstat is not installed by default on AlmaLinux 9)\nsudo ss -tunlp<\/code><\/pre>\n\n\n\n<p>Mail notes<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>Fail<\/em> for un-routable email.<\/li>\n\n\n\n<li><em>nobody<\/em> user<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"iptables\">IPTables<\/h4>\n\n\n\n<h4 
class=\"wp-block-heading\" id=\"blacklist\">Blacklist<\/h4>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"admin\">Admin<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"backup\">Backup<\/h3>\n\n\n\n<p>Acronis backups of the full server every day at 1:00am<br>Keep &#8211; daily 7 days &#8211; weekly 4 weeks &#8211; monthly 1 month<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"migrations\">Migrations<\/h4>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"monitor\">Monitor<\/h3>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"plesk\">Plesk<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>docs &#8211;&nbsp;<a href=\"https:\/\/docs.plesk.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/docs.plesk.com\/<\/a><\/li>\n<\/ul>\n\n\n\n<p>Plesk is somewhat painful for me, but I need to have a system that is migration capable in case it or I need to be replaced. I\u2019d prefer a stripped-down Linux variant, but it isn\u2019t the best choice in this case. I like to complain about it. What gets me most of all is that the lack of a barrier to entry means a bunch of novice users junking up the forums and making it hard to find the good information easily. It\u2019s highly opinionated in how it operates, creating a messy web of permissions and configuration files in an effort to give those features to the GUI users.<\/p>\n\n\n\n<p>Admin<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\"># admin password\nplesk bin admin --info\nplesk bin admin --get-login-link\n# -passwd on the command line lands in shell history and ps output; Plesk CLI utilities\n# read the password from the PSA_PASSWORD environment variable when -passwd is empty\nread -rs PSA_PASSWORD &amp;&amp; export PSA_PASSWORD\nplesk bin admin --set-admin-password -passwd ''\nunset PSA_PASSWORD\nplesk bin admin --set-login ********\nplesk bin admin --enable-access-domain **************.com<\/code><\/pre>\n\n\n\n<p>Theme<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">zip -r srh_theme.zip . 
-x '**\/.DS_Store'\nplesk bin branding_theme -i -vendor ******* -source srh_theme.zip\nplesk bin branding_theme -u -name srh_theme<\/code><\/pre>\n\n\n\n<p>Repair file system permissions<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">sudo plesk repair fs\nsudo plesk repair fs -vhosts\nsudo plesk repair fs example.com -vhosts<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"extensions\">Extensions<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">plesk bin extension --list\nplesk bin extension --install extension_name\nplesk bin extension --upgrade extension_name\nplesk bin extension --uninstall extension_name\nplesk bin extension --disable extension_name\nplesk bin extension --enable extension_name<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\"># disable the extensions this server does not use (less exposed code; re-enable per need)\nplesk bin extension --disable servershield\nplesk bin extension --disable laravel\nplesk bin extension --disable plesk-sitejet\nplesk bin extension --disable xovi\nplesk bin extension --disable nodejs\nplesk bin extension --disable composer\nplesk bin extension --disable wp-toolkit\n\n# default installs\n- acronis-backup - Acronis Backup\n- advisor - Advisor\n- composer - PHP Composer\n- configurations-troubleshooter - Webserver Configurations Troubleshooter\n- dnssec - Plesk DNSSEC\n- git - Git\n- heavy-metal-skin - Skins and Color Schemes\n- help-center - Help Center\n- imunify360 - Imunify\n- laravel - Laravel Toolkit\n- letsencrypt - Let's Encrypt\n- log-browser - Log Browser\n- mfa - Multi-Factor Authentication (MFA)\n- monitoring - Monitoring\n- nodejs - Node.js Toolkit\n- ntp-timesync - NTP Timesync\n- panel-ini-editor - Panel.ini Editor\n- plesk-sitejet - Sitejet Builder\n- repair-kit - Repair Kit\n- servershield - ServerShield by Cloudflare\n- site-import - Site Import\n- ssh-terminal - SSH Terminal\n- sslit - SSL It!\n- wp-toolkit - WP 
Toolkit\n- xovi - SEO Toolkit<\/code><\/pre>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"mail\"><strong>Mail<\/strong><\/h3>\n\n\n\n<p>\ud83d\udeab I\u2019ve maintained a lot of different servers over the years and the only thing I\u2019ve constantly had issues with was email. I\u2019ve also maintained servers dedicated just to email. I learned some years ago with my web servers to just wipe out the email systems and relay it to a third party. A lot of folks do this too\u2026 Google Cloud Platform, Amazon Web Services, and Microsoft Azure all block outbound traffic on port 25, which effectively blocks all email features. I no longer maintain any email servers and it\u2019s one of the few services where I always rely on third parties.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"security-1\">Security<\/h4>\n\n\n\n<p>Anyone who\u2019s spent any time in an enterprise IT environment can tell you that email phishing, compliance, training, and management are the bane of existence for sysadmins. 
Since email hacking tends to be the origin of a lot of bad stuff, I avoid the liability by refusing to manage anything other than pointing domain records elsewhere.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\"># disable all mail services and ports<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"smtp\">SMTP<\/h4>\n\n\n\n<p>Will need to create a couple SMTP relay accounts<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>sysadmin notifications<\/li>\n\n\n\n<li>cms notifications<\/li>\n\n\n\n<li>form notifications<\/li>\n<\/ul>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"webserver\">Webserver<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"apache\">Apache<\/h3>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"nginx\">Nginx<\/h3>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"languages\">Languages<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"php\">PHP<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">v8.3.16 FPM<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/support.plesk.com\/hc\/en-us\/articles\/12377086904471-How-to-calculate-pm-max-children-value-on-a-Plesk-server\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/support.plesk.com\/hc\/en-us\/articles\/12377086904471-How-to-calculate-pm-max-children-value-on-a-Plesk-server<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/support.plesk.com\/hc\/en-us\/articles\/12377661896343-Websites-on-PHP-FPM-are-unavailable-or-loading-slowly-server-reached-max-children-setting-consider-raising-it\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/support.plesk.com\/hc\/en-us\/articles\/12377661896343-Websites-on-PHP-FPM-are-unavailable-or-loading-slowly-server-reached-max-children-setting-consider-raising-it<\/a><\/li>\n\n\n\n<li>Monitoring 
PHP-FPM &#8211;&nbsp;<a href=\"https:\/\/docs.360monitoring.com\/docs\/php-fpm-plugin\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/docs.360monitoring.com\/docs\/php-fpm-plugin<\/a><\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">ps -ylC php-fpm --sort=rss\nS UID PID PPID C PRI NI RSS SZ WCHAN TTY TIME CMD\nS 0 931 1 0 80 0 87040 99039 ep_pol ? 00:00:00 php-fpm\n\n# RSS is in KiB; the row above is the master (UID 0). Size the workers, which are the\n# processes pm.max_children multiplies, and budget the RAM left after MariaDB, nginx\/Apache\n# and Plesk itself, not total RAM. Plesk runs one FPM pool per domain, so the values across\n# all pools have to add up to that budget.\npm.max_children = RAM available for PHP \/ average worker process size<\/code><\/pre>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"databases\">Databases<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"mariadb\">MariaDB<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>allow local connections only (bind-address=127.0.0.1 in the server config, so 3306 never listens on a public address; confirm with ss -tlnp)<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">MariaDB v10.5.27<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Setting up a new server for a project. This one has to be easily replicated and provide access to multiple systems-level administrators. The name &#8216;squid&#8217; \ud83e\udd91 comes from a portmanteau of the hosting data center and because cephalopod intelligence is the best of the invertebrates. 
System AlmaLinux 9 \ud83d\udc27 Version 9 will have active [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-256","post","type-post","status-publish","format-standard","hentry","category-code"],"_links":{"self":[{"href":"https:\/\/mkt.selfregional.org\/edit\/wp-json\/wp\/v2\/posts\/256","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mkt.selfregional.org\/edit\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mkt.selfregional.org\/edit\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mkt.selfregional.org\/edit\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mkt.selfregional.org\/edit\/wp-json\/wp\/v2\/comments?post=256"}],"version-history":[{"count":27,"href":"https:\/\/mkt.selfregional.org\/edit\/wp-json\/wp\/v2\/posts\/256\/revisions"}],"predecessor-version":[{"id":660,"href":"https:\/\/mkt.selfregional.org\/edit\/wp-json\/wp\/v2\/posts\/256\/revisions\/660"}],"wp:attachment":[{"href":"https:\/\/mkt.selfregional.org\/edit\/wp-json\/wp\/v2\/media?parent=256"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mkt.selfregional.org\/edit\/wp-json\/wp\/v2\/categories?post=256"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mkt.selfregional.org\/edit\/wp-json\/wp\/v2\/tags?post=256"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
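The User section of the post edits PermitRootLogin, the SSH port and (once keys are in place) password authentication by hand and then restarts sshd. The script below is an added example, not code from the original post, that checks the effective configuration as reported by `sshd -T` (which resolves Include files and Match blocks, unlike grepping sshd_config) before the restart, and wraps the SELinux and firewalld steps a port change needs on AlmaLinux 9. The function names, the port 2222 standing in for the page's masked port, and the `sshd -T` excerpts are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): validate the sshd settings the
# User section edits by hand, using "sshd -T" so Include files and Match
# blocks are resolved. Assumptions: POSIX sh + awk, OpenSSH with "sshd -T",
# port 2222 as a stand-in for the page's masked port.

# check_sshd_dump <expected_port>   (reads "sshd -T" output on stdin)
# Prints one FAIL line per finding; exit status is the number of findings.
check_sshd_dump() {
    awk -v want_port="$1" '
        { key = tolower($1); val = tolower($2) }
        key == "permitrootlogin"        { seen_root = 1; if (val != "no")  fail("PermitRootLogin " $2) }
        key == "passwordauthentication" { seen_pw = 1;   if (val != "no")  fail("PasswordAuthentication " $2) }
        key == "pubkeyauthentication"   {                if (val != "yes") fail("PubkeyAuthentication " $2) }
        key == "port"                   { if ($2 != want_port) fail("Port " $2 " (expected " want_port ")") }
        function fail(msg) { print "FAIL: " msg; n++ }
        END {
            if (!seen_root) fail("PermitRootLogin not reported")
            if (!seen_pw)   fail("PasswordAuthentication not reported")
            exit n
        }'
}

# findings_for <sshd-T-text> <expected_port>: echoes the finding count (0 = clean)
findings_for() {
    printf '%s\n' "$1" | check_sshd_dump "$2" >/dev/null && rc=0 || rc=$?
    echo "$rc"
}

# Live use on the host (needs root; not run here):
check_live_sshd() { sudo sshd -T | check_sshd_dump "$1"; }

# Prerequisites for a non-default port on AlmaLinux 9. Without the semanage
# entry SELinux blocks the bind; without the firewalld rule the new port is
# unreachable. Run BEFORE "systemctl restart sshd", from a session you keep open.
allow_ssh_port() {
    port="$1"
    sudo semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
        || sudo semanage port -m -t ssh_port_t -p tcp "$port"
    sudo firewall-cmd --permanent --add-port="$port/tcp" && sudo firewall-cmd --reload
    sudo sshd -t            # config syntax check; a bad config plus a restart is a lockout
}

# Constructed "sshd -T" excerpts (not captured from a real host).
SAMPLE_BAD='port 2222
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes'

SAMPLE_GOOD='port 2222
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes'

# Demo on the constructed sample: prints "FAIL: PasswordAuthentication yes" then "findings: 1".
printf '%s\n' "$SAMPLE_BAD" | check_sshd_dump 2222 || echo "findings: $?"
```

Run `check_live_sshd 2222` (with the real port) after editing sshd_config and before the restart; a non-zero finding count means the edit did not take effect, typically because a drop-in under `/etc/ssh/sshd_config.d/` overrides it.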
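The Ports and FirewallD parts of the post list what Plesk opens by default and how to list listening sockets. The script below is an added example, not code from the original post, that compares real `ss -tunlp` output against that list: mail ports are left out of the allowlist because the post relays mail to a third party, and the database ports are required to sit on loopback, which is the "local connections only" rule from the MariaDB section. The allowlist contents, the port 2222 standing in for the masked SSH port, and the sample `ss` output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): compare the sockets a host is
# actually listening on ("ss -tunlp", the iproute replacement for netstat)
# with the Plesk port list from the Ports section. Mail ports are left out
# of the allowlist because this server relays mail elsewhere, and the
# database ports are required to bind to loopback only.
# Assumptions: POSIX sh + awk; port 2222 stands in for the masked SSH port;
# the sample ss output below is constructed, not captured from a real host.

# Ports from the page's list, minus mail (25/110/143/465/587/993/995) and the
# FTP passive range; extend as services are added.
PLESK_ALLOW='tcp/2222 tcp/53 udp/53 tcp/80 udp/123 tcp/443 tcp/953 tcp/990 tcp/8443 tcp/8447 tcp/8880'
# Must bind to 127.0.0.1 / [::1] only (MariaDB, PostgreSQL).
LOCAL_ONLY='3306 5432'

# audit_listeners "<allow>" "<local_only>"   (reads "ss -tunlp" output on stdin)
# Prints one FAIL line per finding; exit status is the number of findings.
audit_listeners() {
    awk -v allow="$1" -v local_only="$2" '
        BEGIN {
            n = 0
            split(allow, a, " ");      for (i in a) ok[a[i]] = 1
            split(local_only, l, " "); for (i in l) lo[l[i]] = 1
        }
        NR == 1 { next }                                  # column header
        $1 != "tcp" && $1 != "udp" { next }               # Netid column
        {
            i = match($5, /:[0-9]+$/)                     # Local Address:Port
            if (!i) next
            port = substr($5, i + 1); host = substr($5, 1, i - 1)
            key  = $1 "/" port
            loop = (host == "127.0.0.1" || host == "[::1]")
            if (port in lo && !loop) { print "FAIL: " key " bound to " host ", expected loopback only"; n++; next }
            if (loop) next                                # not reachable from outside
            if (!(key in ok)) { print "FAIL: unexpected listener " key " on " host " " $NF; n++ }
        }
        END { exit n }'
}

# audit_count <ss-text>: echoes the finding count for a block of ss output
audit_count() {
    printf '%s\n' "$1" | audit_listeners "$PLESK_ALLOW" "$LOCAL_ONLY" >/dev/null && rc=0 || rc=$?
    echo "$rc"
}

# Live use (root is needed for the Process column; not run here):
audit_live() { sudo ss -tunlp | audit_listeners "$PLESK_ALLOW" "$LOCAL_ONLY"; }

# Constructed sample: SSH moved, web and panel up, MariaDB on loopback, but
# postfix/dovecot still listening and PostgreSQL bound to all interfaces.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:2222      0.0.0.0:*   users:(("sshd",pid=900,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*   users:(("nginx",pid=1200,fd=5))
tcp   LISTEN 0      511    0.0.0.0:443       0.0.0.0:*   users:(("nginx",pid=1200,fd=6))
tcp   LISTEN 0      128    0.0.0.0:8443      0.0.0.0:*   users:(("sw-cp-server",pid=1300,fd=7))
tcp   LISTEN 0      80     127.0.0.1:3306    0.0.0.0:*   users:(("mariadbd",pid=1400,fd=20))
tcp   LISTEN 0      100    0.0.0.0:25        0.0.0.0:*   users:(("master",pid=1500,fd=13))
tcp   LISTEN 0      100    [::]:993          [::]:*      users:(("dovecot",pid=1600,fd=40))
udp   UNCONN 0      0      0.0.0.0:123       0.0.0.0:*   users:(("chronyd",pid=700,fd=5))
tcp   LISTEN 0      80     0.0.0.0:5432      0.0.0.0:*   users:(("postgres",pid=1700,fd=5))'

# Demo: three findings (25 and 993 unexpected, 5432 off loopback).
printf '%s\n' "$SAMPLE_SS" | audit_listeners "$PLESK_ALLOW" "$LOCAL_ONLY" || echo "findings: $?"
```

The check looks at what is bound, not at what firewalld permits, so it catches a service that was disabled in Plesk but came back after an update, and it is cheap enough to run from cron and mail the FAIL lines through the SMTP relay.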
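The PHP section of the post gives the `pm.max_children` formula and a `ps -ylC php-fpm` listing. The script below is an added example, not code from the original post, that carries that calculation through on real `ps` output: it averages the RSS of the worker processes (skipping the UID 0 master, which is not what `pm.max_children` multiplies) and divides the RAM left for PHP by that figure. The sample `ps` output, the reserved-RAM figure and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): derive pm.max_children for a
# PHP-FPM pool from the worker sizes that "ps -ylC php-fpm --sort=rss" reports,
# using the RAM left over for PHP rather than total RAM. Assumptions: POSIX
# sh + awk; the ps output below is constructed; the reserved-RAM figure is a
# local estimate, not a measurement.

# fpm_max_children <mb_for_php>   (reads "ps -ylC php-fpm" output on stdin)
# RSS (field 8) is in KiB. Rows with UID 0 are the master and are skipped:
# only workers are cloned pm.max_children times.
fpm_max_children() {
    awk -v budget_mb="$1" '
        NR == 1 { next }                                   # header
        $13 ~ /^php-fpm/ && $2 != 0 { sum += $8; n++ }     # worker RSS
        END {
            if (n == 0) { print 0; exit }
            avg_mb = sum / n / 1024
            printf "%d\n", budget_mb / avg_mb              # floor
        }'
}

# live_max_children <reserved_mb>: total RAM from free(1) minus what MariaDB,
# nginx/Apache and Plesk itself need. Not run here (needs a live host).
# Plesk gives every domain its own FPM pool, so the values chosen for all
# pools must add up to this budget rather than each taking all of it.
live_max_children() {
    total_mb=$(free -m | awk '/^Mem:/ { print $2 }')
    ps -ylC php-fpm --sort=rss | fpm_max_children $(( total_mb - $1 ))
}

# Constructed ps output: one master (UID 0) and three workers of 40, 48 and 32 MiB.
SAMPLE_PS='S   UID     PID    PPID  C PRI  NI   RSS     SZ WCHAN  TTY          TIME CMD
S     0     931       1  0  80   0 87040  99039 ep_pol ?        00:00:00 php-fpm
S  1001    1204     931  0  80   0 40960 120000 -      ?        00:00:03 php-fpm
S  1001    1205     931  0  80   0 49152 121000 -      ?        00:00:02 php-fpm
S  1002    1310     931  0  80   0 32768 118000 -      ?        00:00:01 php-fpm'

# Demo: a 32 GiB box with ~12 GiB reserved leaves 20480 MB for PHP; the average
# worker is 40 MiB, so the pools together get 512 children.
printf '%s\n' "$SAMPLE_PS" | fpm_max_children 20480
```

Measure after the site has been under load for a while, since a freshly started worker is much smaller than one that has served a few hundred WordPress requests, and leave headroom for the opcache and per-request spikes.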