Setting Up cPanel & WHM on Google Cloud

    Prior to Setting Up

    • Make sure client is set up on CRM
    • Make sure client is set up on recurring invoices and direct debit systems

    Setting up Google Cloud

    Google Cloud Documentation: https://cloud.google.com/compute/docs/

    Create Project

    1. Go to https://console.cloud.google.com/project and Sign In
    2. Click Create Project
    3. Type [PROJECTNAME]
    4. Click Create
    5. Add any other people you need to work on the project through IAM

    Create Instance

    1. Click [PROJECTNAME]
    2. Click Menu (3 bars) >> Compute Engine
    3. Click Create Instance
    4. Enter the following:
      1. Name: [INSTANCENAME]
      2. Zone: europe-west1-d
      3. Machine Type: [MACHINETYPE]
      4. Click Change in Boot disk and choose:
        1. CentOS 7
        2. Boot disk type: SSD persistent disk
        3. Size: [DISKSIZE]
      5. In Firewall
        1. tick Allow HTTP traffic
        2. tick Allow HTTPS traffic
      6. Click Create
    5. Make a note of the IP address in the project variables list

    Reserve IP Address

    1. Click Menu (3 bars) >> VPC network >> External IP addresses
    2. Click Ephemeral on the row that has VM instance [INSTANCENAME]
    3. Select Static
    4. In Name enter [INSTANCENAME]
    5. Click Reserve

    Create Firewall Rules

    1. In Google Cloud click Firewall Rules
    2. Click CREATE FIREWALL RULE
      1. In Name enter cpanel
      2. In Source filter enter Allow from any source (0.0.0.0/0)
      3. In Allowed protocols and ports enter: tcp:20; tcp:21; tcp:22; tcp:25; tcp:26; tcp:37; tcp:43; tcp:53; udp:53; tcp:80; tcp:110; tcp:113; tcp:143; tcp:443; tcp:465; udp:465; tcp:587; tcp:783; udp:783; tcp:873; udp:873; tcp:993; tcp:995; tcp:2073; tcp:2077; tcp:2078; tcp:2079; tcp:2080; tcp:2082; tcp:2083; tcp:2086; tcp:2087; tcp:2089; tcp:2095; tcp:2096; tcp:2525; udp:2525; tcp:3306; udp:50000-60000; tcp:50000-60000
      4. Click Create

    Preparing Server on SSH

    Update Root Password

    1. Click SSH button on the instance row
    2. sudo su -
    3. passwd
    4. Using LastPass generate a new password, copy it, and make a note of it
    5. Paste the password and press enter (it will look like there has been nothing pasted in, still press enter)
    6. Paste the password again and press enter
    7. Add the password to LastPass

    Installing screen

    1. yum install screen
    2. y

    Change Hostname

    1. Change Hostname: hostname [SERVERNAME]

    Create A Record

    • Add an A record to your DNS management system for [SERVERNAME] with the instance's IP address, which can be found on Google Cloud under your project instance

    Installing Cloud Linux

    Buy Cloudlinux License

    Downloading Cloudlinux

    1. On SSH enter the following:
    2. wget https://repo.cloudlinux.com/cloudlinux/sources/cln/cldeploy
    3. sh cldeploy -k [CLOUDLINUX KEY]
    4. On completion, on SSH enter the following:
    5. reboot

    Installing WHM

    WHM Documentation: https://documentation.cpanel.net/display/ALD/WebHost+Manager+-+WHM+User+Guide

    Buy WHM License

    Downloading WHM

    1. On SSH enter the following:
    2. screen
    3. cd /home && curl -o latest -L https://securedownloads.cpanel.net/latest && sh latest
    4. /usr/local/cpanel/cpkeyclt
    5. /usr/local/cpanel/bin/checkallsslcerts

    Initial WHM Setup

    1. Navigate to http://[SERVERNAME]:2087
    2. Login using root as the username
    3. Step 1: Click I Agree/Go To Step 2
    4. Step 2:
      1. Enter your chosen email as the Server Contact Email Address (e.g. servername@birdmarketing.co.uk)
      2. Enter 8.8.8.8 as the Primary Resolver
      3. Enter 8.8.4.4 as the Secondary Resolver
    5. Click Save & Go to Step 3
    6. Click Skip This Step and Use Default Settings
    7. Click Save & Go to Step 5
    8. Click Skip This Step and Use Default Settings
    9. Click Finish Setup Wizard
    10. Click Go to WHM
    11. Click Save Settings

    Configuring WHM Settings

    Configure Apache

    You can download the following (download) and import it via EasyApache 4, or follow these steps:

    1. Go to https://[SERVERNAME]:2087 and login as root
    2. Go to Software >> EasyApache 4
    3. Click Customize
    4. Make sure the following are ticked:
    5. Click Apache Modules
      1. mod-alt-passenger
      2. mod_bwlimited
      3. mod_cgi
      4. mod_cloudflare
      5. mod_deflate
      6. mod_env
      7. mod_evasive
      8. mod_expires
      9. mod_headers
      10. mod_hostinglimits
      11. mod_mpm_prefork
      12. mod_proxy
      13. mod_proxy_fcgi
      14. mod_proxy_http
      15. mod_proxy_wstunnel
      16. mod_reqtimeout
      17. mod_security2
      18. mod_ssl
      19. mod_suexec
      20. mod_suphp
      21. mod_unique_id
      22. mod_version
    6. Click PHP Versions
      1. php56
      2. php70
      3. php71
      4. php72
    7. Click PHP Extensions (make sure to tick all versions of each extension)
      1. libc-client
      2. pear
      3. php-bcmath
      4. calendar
      5. cli
      6. common
      7. curl
      8. devel
      9. fileinfo
      10. fpm
      11. ftp
      12. gd
      13. iconv
      14. imap
      15. ioncube10
      16. litespeed
      17. mbstring
      18. mcrypt
      19. mysqlnd
      20. pdo
      21. posix
      22. soap
      23. sockets
      24. xml
      25. zendguard
      26. zip
      27. intl
      28. runtime
    8. Click Review
    9. Click Provision
    10. Click Done

    Apache Config File Optimisations

    1. Go to Service Configuration >> Apache Configuration
    2. Click Include Editor
    3. Under “Post VirtualHost Include” select “All versions” from the dropdown
    4. In the text area paste the following code:
    ## EXPIRES CACHING ##
    <IfModule mod_expires.c>
     # Enable expirations
     ExpiresActive On
     # Default directive
     ExpiresDefault "access plus 1 month"
     # My favicon
     ExpiresByType image/x-icon "access plus 1 year"
     # Images
     ExpiresByType image/gif "access plus 1 month"
     ExpiresByType image/png "access plus 1 month"
     ExpiresByType image/jpg "access plus 1 month"
     ExpiresByType image/jpeg "access plus 1 month"
     # CSS
     ExpiresByType text/css "access plus 1 month"
     # Javascript
     ExpiresByType application/javascript "access plus 1 year"
     # PDF
     ExpiresByType application/pdf "access plus 1 month"
     # Flash
     ExpiresByType application/x-shockwave-flash "access plus 1 month"
    </IfModule>
    ## EXPIRES CACHING ##
    ## ENABLE GZIP COMPRESSION ##
    <IfModule mod_deflate.c>
     # Compress HTML, CSS, JavaScript, Text, XML and fonts
     AddOutputFilterByType DEFLATE application/javascript
     AddOutputFilterByType DEFLATE application/rss+xml
     AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
     AddOutputFilterByType DEFLATE application/x-font
     AddOutputFilterByType DEFLATE application/x-font-opentype
     AddOutputFilterByType DEFLATE application/x-font-otf
     AddOutputFilterByType DEFLATE application/x-font-truetype
     AddOutputFilterByType DEFLATE application/x-font-ttf
     AddOutputFilterByType DEFLATE application/x-javascript
     AddOutputFilterByType DEFLATE application/xhtml+xml
     AddOutputFilterByType DEFLATE application/xml
     AddOutputFilterByType DEFLATE font/opentype
     AddOutputFilterByType DEFLATE font/otf
     AddOutputFilterByType DEFLATE font/ttf
     AddOutputFilterByType DEFLATE image/svg+xml
     AddOutputFilterByType DEFLATE image/x-icon
     AddOutputFilterByType DEFLATE text/css
     AddOutputFilterByType DEFLATE text/html
     AddOutputFilterByType DEFLATE text/javascript
     AddOutputFilterByType DEFLATE text/plain
     AddOutputFilterByType DEFLATE text/xml
     # Remove browser bugs (only needed for really old browsers)
     BrowserMatch ^Mozilla/4 gzip-only-text/html
     BrowserMatch ^Mozilla/4\.0[678] no-gzip
     BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
     Header append Vary User-Agent
    </IfModule>
    ## ENABLE GZIP COMPRESSION ##
    
    1. Click Update
    2. Click Restart Apache

    Configuring PHP

    1. Go to Service Configuration >> MultiPHP INI Editor
    2. Under Select PHP Version go through each version and configure the following:
    3. allow_url_fopen = Enabled
    4. Ignore: max_execution_time = 360
    5. Ignore: max_input_time = 180
    6. Ignore: memory_limit = 512M
    7. Ignore: upload_max_filesize = 256M
    8. Ignore: In “Editor Mode” post_max_size = 256M
    9. In “Editor Mode” always_populate_raw_post_data = -1
    10. Click Save

    Disable Compiler

    1. Go to Security Center >> Compiler Access
    2. Click Disable Compilers

    Configure Mod Security2

    1. Go to Security Center >> ModSecurity™ Vendors
    2. Click Install and Restart Apache

    Configure open_basedir Fix

    1. Go to Security Center >> PHP open_basedir Tweak
    2. Tick Enable php open_basedir Protection.
    3. Click Save

    Configure Shell Fork Bomb Protection

    1. Go to Security Center >> Shell Fork Bomb Protection
    2. Click Enable Protection

    Disable Traceroute

    1. Go to Security Center >> Traceroute Enable/Disable
    2. Click Disable

    Allow SMTP on Port 2525

    1. Go to Service Configuration >> Service Manager
    2. Tick both boxes next to Exim Mail Server (on another port) to 360
    3. Change Allow exim to listen on a port other than 25. to 2525
    4. Click Save

    Install ClamAV and Munin

    1. Go to cPanel >> Manage Plugins
    2. Click Install ClamAV for cPanel
    3. Click Install Munin for cPanel

    Default Show All on List Accounts

    1. Go to Server Configuration >> Tweak Settings
    2. Click Display
    3. Number of accounts per page to display in “List Accounts”. = All
    4. Click Save

    Prevent “nobody” from sending mail & Disable Horde and Squirrel

    1. Go to Server Configuration >> Tweak Settings
    2. Click Mail
    3. Prevent “nobody” from sending mail = On
    4. Enable Horde Webmail = Off
    5. Enable Mailman mailing lists = Off
    6. Enable Roundcube webmail = Off
    7. Enable SquirrelMail webmail = Off
    8. Click Save

    Restrict Spam on Server

    1. Go to Service Configuration >> Exim Configuration Manager
    2. Under the RBLs section:
      1. Click On for RBL: bl.spamcop.net
      2. Click On for RBL: zen.spamhaus.org
    3. Under the Apache SpamAssassin™ Options section
      1. Click On for Apache SpamAssassin™: Forced Global ON
      2. Click On for Scan outgoing messages for spam and reject based on the Apache SpamAssassin™ internal spam_score setting
      3. Click On for Do not forward mail to external recipients if it matches the Apache SpamAssassin™ internal spam_score setting
    4. Click Save

    Change hostname

    1. Go to Networking Setup >> Change Hostname
    2. In New Hostname enter: [SNAME].birdmarketing.co.uk
    3. Click Change

    Edit default Quota Plan

    1. Go to Packages >> Edit a Package
    2. Click default
    3. Click Edit
    4. Change the following:
      1. Disk Quota (MB): 5000
      2. Monthly Bandwidth (MB): 100000
      3. Max FTP Accounts: 5
      4. Max Email Accounts: 0
      5. Max Email Lists: 0
      6. Max Databases: 1
      7. Max Subdomains: 5
      8. Max Parked Domains: 5
      9. Max Addon Domains: 5
      10. Maximum Hourly Email by Domain Relayed: 250
      11. Maximum percentage of failed or deferred messages a domain may send per hour: 250
      12. Click Save Changes

    Configure MySQL

    1. Go to Plugins >> ConfigServer Explorer
    2. Click etc
    3. Find my.cnf and click edit icon
    4. Add the following lines
    bind-address=127.0.0.1
    innodb_lock_wait_timeout=100
    
    1. Click Save
    2. Go to Restart Services >> SQL Server (MySQL)
    3. Click Yes

    Graceful Server Reboot

    1. Go to System Reboot >> Graceful Server Reboot
    2. Click Proceed

    Configuring SendGrid

    SendGrid Documentation: https://sendgrid.com/docs/index.html

    Configure Exim on WHM

    1. Go to https://[SERVERNAME]:2087 and login as root
    2. Go to Service Configuration >> Exim Configuration Manager
    3. Click Advanced Editor
    4. In CONFIG section, under domainlist local_domains enter: lsearch;/etc/localdomains : localhost : [SERVERNAME] : [GOOGLE INSTANCE NAME] : @
    5. In daemon_smtp_ports enter: 465 : 25 : 587 : 2525
    6. In the Section: AUTH box enter:
    sendgrid_login:
    driver = plaintext
    public_name = LOGIN
    client_send = : <USER> : <PASS>
    
    1. Make sure you replace <USER> and <PASS> with the SendGrid username and password that you made a note of earlier
    2. In the Section: PREROUTERS box enter:
    send_via_sendgrid:
    driver = manualroute
    domains = ! +local_domains
    transport = sendgrid_smtp
    route_list = "* smtp.sendgrid.net::2525 byname"
    host_find_failed = defer
    no_more
    
    1. In the Section: TRANSPORTSTART box enter:
    sendgrid_smtp:
     driver = smtp
     hosts = smtp.sendgrid.net
     hosts_require_auth = smtp.sendgrid.net
     hosts_require_tls = smtp.sendgrid.net
    1. Scroll to the bottom and click Save

    Installing Whitelister

    Follow the “Server B” steps in the following readme.md file: https://bitbucket.org/birdmarketing/ip-whitelist-website/src/96b3e536d7262dcb293a545282382793d320ac12/README.md?fileviewer=file-view-default

    Installing ConfigServer Explorer

    ConfigServer Explorer Documentation: https://www.configserver.com/cp/cse.html

    1. Paste the following into SSH:
    sudo su -
    cd /usr/src
    rm -fv /usr/src/cse.tgz
    wget https://download.configserver.com/cse.tgz
    tar -xzf cse.tgz
    cd cse
    sh install.sh
    rm -Rfv /usr/src/cse*
    

    Installing ConfigServer Security and Firewall

    ConfigServer Security and Firewall Documentation: https://configserver.com/cp/csf.html

    Installing CSF On SSH

    1. Paste the following into SSH:
    sudo su -
    cd /usr/src
    rm -fv csf.tgz
    wget https://download.configserver.com/csf.tgz
    tar -xzf csf.tgz
    cd csf
    sh install.sh
    rm -Rfv /usr/src/csf*
    

    Configuring CSF on WHM

    1. Go to https://[SERVERNAME]:2087 and login as root
    2. Go to Plugins >> ConfigServer Security & Firewall
    3. Click Firewall Allow IPs
    4. Add the following to the bottom of the document:
    # CloudFlare IPs
    103.21.244.0/22
    103.22.200.0/22
    103.31.4.0/22
    104.16.0.0/12
    108.162.192.0/18
    131.0.72.0/22
    141.101.64.0/18
    162.158.0.0/15
    172.64.0.0/13
    173.245.48.0/20
    188.114.96.0/20
    190.93.240.0/20
    197.234.240.0/22
    198.41.128.0/17
    199.27.128.0/21
    # Sage Pay IPs
    195.170.169.0/255
    
    1. Click Change
    2. Click Restart csf+lfd
    3. Click Firewall Configuration
    4. Change TESTING = to OFF (0)
    5. In TCP_IN add ,3306,3389
    6. In TCP_OUT add ,2525
    7. In UDP6_OUT add ,67,68
    8. Scroll to the bottom and click Change
    9. Click Restart csf+lfd
    10. Click Return
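
    One way to check the list from step 4 before saving it, as an added example that is not part of the original guide: it validates each plain IPv4/CIDR line and reports the line number of any entry that is not a well-formed network (the 195.170.169.0/255 line above has a prefix length outside 0-32). The function names and the constructed documentation-range entries in the sample are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not part of the original guide: lint the plain IPv4/CIDR
# lines of a csf.allow-style list before pasting them into the firewall.

# check_entry ENTRY
# Prints ok, bad-address, bad-prefix or host-bits-set.
check_entry() {
    ce_addr=${1%%/*}
    case $1 in
        */*) ce_prefix=${1#*/} ;;
        *)   ce_prefix=32 ;;            # a bare address is a single host
    esac

    # Address: exactly four dot-separated decimal octets.
    case $ce_addr in
        ''|*[!0-9.]*|.*|*.|*..*) echo bad-address; return 0 ;;
    esac
    ce_ifs=$IFS; IFS=.
    set -- $ce_addr
    IFS=$ce_ifs
    if [ $# -ne 4 ]; then echo bad-address; return 0; fi
    for ce_octet in "$@"; do
        case $ce_octet in
            0?*) echo bad-address; return 0 ;;   # leading zero is ambiguous
        esac
        if [ "${#ce_octet}" -gt 3 ] || [ "$ce_octet" -gt 255 ]; then
            echo bad-address; return 0
        fi
    done

    # Prefix length: decimal 0..32.
    case $ce_prefix in
        ''|*[!0-9]*|0?*) echo bad-prefix; return 0 ;;
    esac
    if [ "${#ce_prefix}" -gt 2 ] || [ "$ce_prefix" -gt 32 ]; then
        echo bad-prefix; return 0
    fi

    # A network entry should have no bits set to the right of the prefix.
    ce_ip=$(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
    ce_block=$(( 1 << (32 - $ce_prefix) ))
    if [ $(( $ce_ip % $ce_block )) -ne 0 ]; then
        echo host-bits-set; return 0
    fi
    echo ok
}

# lint_allow_list FILE
# Prints "LINE:ENTRY:REASON" for every plain address line that fails
# check_entry. Returns 1 if anything was reported, 0 otherwise.
lint_allow_list() {
    la_line=0
    la_failed=0
    while IFS= read -r la_raw || [ -n "$la_raw" ]; do
        la_line=$((la_line + 1))
        la_entry=${la_raw%%#*}                          # drop comments
        la_entry=$(printf '%s' "$la_entry" | tr -d ' \t\r')
        case $la_entry in
            '')        continue ;;   # blank or comment-only line
            *:*|*\|*)  continue ;;   # IPv6 or advanced port rule: not checked here
            [0-9]*)    ;;            # plain IPv4 address or CIDR block
            *)         continue ;;   # Include lines and anything else
        esac
        la_status=$(check_entry "$la_entry")
        if [ "$la_status" != ok ]; then
            printf '%s:%s:%s\n' "$la_line" "$la_entry" "$la_status"
            la_failed=1
        fi
    done < "$1"
    return "$la_failed"
}

# Constructed sample: three address lines as printed in the guide, followed
# by invented entries from the documentation ranges.
sample_allow_list() {
    cat <<'EOF'
# CloudFlare IPs
103.21.244.0/22
104.16.0.0/12
# Sage Pay IPs
195.170.169.0/255
# constructed entries
192.0.2.10/24
203.0.113.300
198.51.100.7 # single host
EOF
}

demo_list=$(mktemp)
sample_allow_list > "$demo_list"
lint_allow_list "$demo_list" || echo "fix the entries above before restarting csf+lfd"
rm -f "$demo_list"
```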

    Ignore the following:

    #Change LF_ALERT_TO = to [SNAME]@birdmarketing.co.uk
    #Change LF_ALERT_FROM = to [SNAME]@birdmarketing.co.uk
    #Change PT_USERPROC = to 0
    #Change PT_USERMEM = to 0
    #Click Firewall Profiles
    #Select disable_alerts
    #Click Apply Profile
    

    Installing ConfigServer eXploit Scanner

    ConfigServer eXploit Scanner Documentation: https://configserver.com/cp/cxs.html

    Purchase a ConfigServer eXploit Scanner license

    1. Go to https://store.configserver.com/index.php?dispatch=products.view&product_id=3
    2. Click Add to Cart
    3. Click Checkout
    4. Login
    5. Enter the VAT number
    6. Enter the Domain Name: [SERVERNAME]
    7. Tick the Terms and Conditions box
    8. Enter the server IP
    9. Click Update Order
    10. Click Continue
    11. Follow the steps to pay with PayPal
    12. Log into PayPal
    13. Click continue

    Make sure an email is received with a confirmation of license before proceeding with install (this may take several hours)

    Installing CXS on SSH

    1. Enter the following in SSH:
    wget https://download.configserver.com/cxsinstaller.tgz
    tar -xzf cxsinstaller.tgz
    perl cxsinstaller.pl
    rm -fv /usr/src/cxsinstaller.*
    cxs --qcreate --quarantine /home/quarantine
    rm -rf /etc/cxs/cxs.restricted
    

    Configure CXS on WHM

    1. Go to https://[SERVERNAME]:2087 and login as root
    2. Go to Plugins >> ConfigServer eXploit Scanner
    3. Edit CGI Upload
      1. Click Other Files
      2. Select /etc/cxs/cxscgi.sh
      3. Click Edit File
      4. Change --mail root to --mail [SERVERNAME]@[DOMAIN].com
      5. Add --quarantine /home/quarantine/
      6. Click Save File
      7. Click Return
    4. Edit FTP Upload
      1. Click Other Files
      2. Select /etc/cxs/cxsftp.sh
      3. Click Edit File
      4. Change --mail root to --mail [SERVERNAME]@[DOMAIN].com
      5. Add --quarantine /home/quarantine/
      6. Click Save File
      7. Click Return
    5. Edit CXS Watch
      1. Click Other Files
      2. Select /etc/cxs/cxswatch.sh
      3. Click Edit File
      4. Change --mail root to --mail [SERVERNAME]@[DOMAIN].com
      5. Add --quarantine /home/quarantine/
      6. Click Save File
      7. Click Return
    6. Click Start cxs Watch
    7. Click Return
    8. Under cxs PureFTPd Scanning click Enable Integration
    9. Click Return
    10. Under cxs ModSecurity Scanning click Enable Integration
    11. Click Return

    Installing ConfigServer Mail Manager

    ConfigServer Mail Manager Documentation: https://www.configserver.com/cp/cmm.html

    1. Paste the following into SSH:
    cd /usr/src
    rm -fv /usr/src/cmm.tgz
    wget https://download.configserver.com/cmm.tgz
    tar -xzf cmm.tgz
    cd cmm
    sh install.sh
    rm -Rfv /usr/src/cmm*
    

    Installing Linux Malware Detect

    Linux Malware Detect Documentation: https://www.rfxn.com/projects/linux-malware-detect/

    1. Paste the following into SSH:
    wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
    tar -xzf maldetect-current.tar.gz
    cd maldetect-1.5
    sh install.sh
    
    1. REPLACE maldetect-1.5 with whatever version you downloaded.
    2. To scan all files:
      1. Type: screen
      2. Type: sudo /usr/local/sbin/maldet -a /[PATH]
    3. To scan recent files use: sudo /usr/local/sbin/maldet -r /[PATH]

    Installing RKHunter

    RKHunter Documentation: http://rkhunter.sourceforge.net/

    1. Open SSH
    2. Install EPEL Repository: yum install epel-release
    3. Install RKHunter: yum -y install rkhunter
    4. Update Database: rkhunter --update
    5. Update System File Properties: rkhunter --propupd
    6. Can be manually run using the following command: rkhunter -c -sk

    Installing CHKRootKit

    CHKRootKit Documentation: http://www.chkrootkit.org/

    1. Open SSH
    2. Install EPEL Repository: yum install epel-release
    3. Install CHKRootKit: yum -y install chkrootkit
    4. Run CHKRootKit: chkrootkit

    Installing Softaculous

    Softaculous Documentation: https://www.softaculous.com/

    Purchase a Softaculous license

    1. Go to https://www.softaculous.com/clients?ca=buy and login
    2. Choose Type: Lifetime VPS Server License
    3. Enter [SERVER IP] in the IPs/License Keys(s) box
    4. Click Purchase Softaculous
    5. Click the PayPal icon
    6. Login to PayPal
    7. Click Pay Now

    Installing Softaculous on SSH

    Enter the following on SSH:

    wget -N http://files.softaculous.com/install.sh
    chmod 755 install.sh
    ./install.sh
    

    Stop email notifications

    1. Go to https://[SERVERNAME]:2087 and login as root
    2. Go to Plugins >> Softaculous
    3. Go to Settings >> General
    4. In Update Settings un-tick:
    5. Notify Updates
    6. Notify Script Updates
    7. In Email Settings un-tick everything related to turning off emails.
    8. Click Edit Settings

    Setting up Backups

    Option 1 – Amazon

    Setting Up S3

    1. Go to https://aws.amazon.com/
    2. Click Sign in to the Console
    3. Click Sign in using our secure server
    4. Click Identity & Access Management
    5. Click Users >> Create New User
    6. Enter [SERVERNAME]
    7. Click Create
    8. Click Show User Security Credentials
    9. Copy the credentials and save them somewhere (Lastpass Secure Notes >> S3 Access)
    10. Click Back
    11. Click Users
    12. Click on the newly created User
    13. Click Add User to Groups
    14. Select Servers
    15. Click Add to Groups
    16. At the top click Services >> Storage & Content Delivery >> S3
    17. Click Create Bucket
    18. Bucket Name: [SERVERNAME]
    19. Region: Ireland

    Configuring WHM to Use S3

    1. Navigate to https://[SERVERNAME]:2087 and login as root
    2. Go to Backup >> Backup Configuration
    3. Backup Status: Enabled
    4. Backup Daily: Tick All
    5. Tick Backup Weekly
    6. Tick Backup Monthly
    7. Retain 3 Monthly backups
    8. Backup Suspended Accounts: Enable
    9. Backup Access Logs: Enable
    10. Backup SQL Databases: Per Account and Entire MySQL Directory
    11. Untick Retain backups in the default backup directory
    12. Click Create new destination
    13. Destination Name: Amazon S3
    14. Tick Transfer System Backups to Destination
    15. Bucket: [SERVERNAME]
    16. Enter Access Key
    17. Enter Secret Access Key
    18. Click Save Destination
    19. Click Validate on the Amazon S3 line
    20. Click Save Configuration

    Option 2 – Backup Disk (Recommended)

    Google Cloud Persistent Disk Documentation: https://cloud.google.com/compute/docs/disks/add-persistent-disk

    1. Find the vm instance and find its zone e.g. europe-west1-c
    2. Add the new disk to the vm instance
      1. Select the vm instance, click edit and “Add item” under Additional disks
      2. Select create new disk, and select mode: Read/write
    3. Create a disk
      1. Use the same zone as the vm instance, this increases speed and decreases transfer costs
      2. Select Disk Type: Standard persistent disk
      3. Select Source type: None (blank disk)
      4. Use: (((source disk - 10gb)*0.6)*12)*1.2. Explained: source disk minus total operating system use (source disk - 10gb), compressed into backups (60%), multiplied by retention periods (times 12), plus 20% for contingency
      5. Use 10x source disk (12x compressed cpanel accounts disk space (approx 60% of cpanel disk space) + overheads + room for growth (Daily:5 day retention, Weekly: 4 week retention, Monthly: 3 month retention))
      6. Check the new disk has been attached
      7. SSH in and run ls /dev/disk/by-id you should see “google-[DISK_NAME]”
    4. Format and add a filesystem
      1. Using the ext4 filesystem, run sudo mkfs.ext4 -F -E 'discard' /dev/disk/by-id/google-[DISK_NAME]
    5. Mount the drive to /backup
      1. Assuming /backup had already been created – this is the default location for WHM backups. Run sudo mount -o discard,defaults /dev/disk/by-id/google-[DISK_NAME] /backup
    6. Setup auto mounting
      1. Run sudo blkid -s UUID -o value /dev/disk/by-id/google-[DISK_NAME]. This should produce output like “0cf2a474-f88a-4254-b074-19bdf72a172b”. This is the disk UUID; use this value in the command below.
      2. Run echo "UUID=[UUID] /backup ext4 nofail,auto,discard,defaults 1 1" | sudo tee -a /etc/fstab
    7. Check everything works
      1. run cd /backup; touch test; ls /backup and see if you see the new test file
    8. Enable backup in whm to /backup
    9. Check in 24h that the backup is working correctly
      1. SSH in and look in /backup to see if new files have been created

    Debugging

    Disk failed to mount:

    • Check the /etc/fstab file (SSH in and run cat /etc/fstab), there should only be a single entry with “/backup” in. It should look similar to the following (however with a different UUID number) “UUID=0cf2a474-f88a-4254-b074-19bdf72a172b /backup ext4 nofail,auto,discard,defaults 1 1”
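
    Because tee -a in step 6 appends a line on every run, repeating that step produces the duplicate /backup entries this check looks for. The following added example (not part of the original guide; the function name ensure_fstab_entry and the sample root-filesystem line are made up for illustration) appends the entry only when no active line for the mount point exists, and refuses when a different device already claims it.

```sh
#!/bin/sh
# Added example, not part of the original guide: append the /backup line to
# an fstab file only when that is safe to do.

# ensure_fstab_entry FSTAB UUID MOUNTPOINT
# Prints added, present, conflict or bad-uuid.
# Returns 1 on conflict or bad input and leaves the file untouched.
ensure_fstab_entry() {
    ef_fstab=$1
    ef_uuid=$2
    ef_mount=$3

    # blkid prints an ext4 UUID as 36 characters of hex digits and dashes.
    case $ef_uuid in
        ''|*[!0-9a-fA-F-]*) echo bad-uuid; return 1 ;;
    esac
    [ "${#ef_uuid}" -eq 36 ] || { echo bad-uuid; return 1; }

    # Count active (non-comment) lines for the mount point, and how many of
    # them already name this UUID.
    ef_state=$(awk -v m="$ef_mount" -v dev="UUID=$ef_uuid" '
        $1 ~ /^#/ { next }
        $2 == m   { n++; if ($1 == dev) same++ }
        END       { print n + 0, same + 0 }' "$ef_fstab")

    case $ef_state in
        "0 0")
            printf 'UUID=%s %s ext4 nofail,auto,discard,defaults 1 1\n' \
                "$ef_uuid" "$ef_mount" >> "$ef_fstab"
            echo added ;;
        "1 1")
            echo present ;;
        *)
            # Another device, or more than one line, claims the mount point.
            echo conflict; return 1 ;;
    esac
}

# Demo on a constructed fstab copy. The root-filesystem UUID is a made-up
# sample value; the /backup UUID is the sample value shown in the guide.
# On the server, pass /etc/fstab and the UUID printed by blkid, as root.
demo_fstab=$(mktemp)
printf '%s\n' '# constructed sample' \
    'UUID=11111111-2222-3333-4444-555555555555 / xfs defaults 0 0' > "$demo_fstab"
ensure_fstab_entry "$demo_fstab" 0cf2a474-f88a-4254-b074-19bdf72a172b /backup   # added
ensure_fstab_entry "$demo_fstab" 0cf2a474-f88a-4254-b074-19bdf72a172b /backup   # present
rm -f "$demo_fstab"
```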

    Setting up Snapshots

    Google Cloud Snapshot Documentation: https://cloud.google.com/compute/docs/disks/create-snapshots

    This guide sets up differential snapshots for both the primary disk and the additional backup disk. We create a daily snapshot with 7-day retention; snapshots are differential, so the oldest snapshot is the base that later snapshots reference. A daily cron job runs a script that takes a new snapshot and deletes old snapshots.

    1. Activate a service account (https://cloud.google.com/compute/docs/access/service-accounts)
      1. Create or use an existing service account
      2. Copy its key to the server and run gcloud auth activate-service-account <ACCOUNT EMAIL> --key-file <KEY FILE> to activate it.
      3. Ensure it has at least editor project permission.
      4. View service accounts at GCP > IAM > Service Accounts.
      5. You can test that it works by running gcloud compute snapshots list; it should run without a permission error.
    2. Download the code below and rename it to “gcp-disk-backup-snapshot”.
    3. Copy it to the server, move it to /usr/bin/ and make sure the file permission is 755
    4. Run crontab -e as root and add the line: 0 05 * * * gcp-disk-backup-snapshot >> /var/log/gcp-disk-backup-snapshot.log 2>&1
    5. Run touch /var/log/gcp-disk-backup-snapshot.log
    6. Check the vm instance’s snapshots on gcp tomorrow and in a week to see if it has worked.
    #!/usr/bin/env bash
    export PATH=$PATH:/usr/local/bin/:/usr/bin
    
    #
    # CREATE DAILY SNAPSHOT
    #
    # Creates a daily snapshot of disks 0 and 1
    #
    # Base on https://github.com/jacksegal/google-compute-snapshot/blob/master/snapshot.sh
    #
    
    # get the device name for this vm and disk
    DEVICE_NAME="$(curl -s "http://metadata.google.internal/computeMetadata/v1/instance/disks/0/device-name" -H "Metadata-Flavor: Google")"
    DISK_NAME="$(curl -s "http://metadata.google.internal/computeMetadata/v1/instance/disks/1/device-name" -H "Metadata-Flavor: Google")"
    
    # Strip the disk prefix
    prefix="persistent-";
    DISK_NAME="${DISK_NAME#$prefix}";
    
    # get the device id for this vm
    DEVICE_ID="$(curl -s "http://metadata.google.internal/computeMetadata/v1/instance/id" -H "Metadata-Flavor: Google")"
    
    # get the zone that this vm is in
    INSTANCE_ZONE="$(curl -s "http://metadata.google.internal/computeMetadata/v1/instance/zone" -H "Metadata-Flavor: Google")"
    
    # strip out the zone from the full URI that google returns
    INSTANCE_ZONE="${INSTANCE_ZONE##*/}"
    
    # create a datetime stamp for filename
    DATE_TIME="$(date "+%s")"
    
    # create the snapshots
    echo "$(gcloud compute disks snapshot ${DEVICE_NAME} --snapshot-names gcs-${DEVICE_NAME}-${DEVICE_ID}-${DATE_TIME} --zone ${INSTANCE_ZONE})"
    echo "$(gcloud compute disks snapshot ${DISK_NAME} --snapshot-names gcs-${DISK_NAME}-${DEVICE_ID}-${DATE_TIME} --zone ${INSTANCE_ZONE})"
    
    #
    # DELETE OLD SNAPSHOTS (OLDER THAN 7 DAYS)
    #
    
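    # get a list of existing snapshots that were created by this process (gcs-) for this vm (DEVICE_ID)
    # --filter replaces the deprecated --regexp flag; the pattern matches the names created above
    SNAPSHOT_LIST="$(gcloud compute snapshots list --filter="name~'^gcs-.*-${DEVICE_ID}-'" --uri)"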
    
    # Exit if no snapshots
    if [ -z "$SNAPSHOT_LIST" ];
       then
       exit 0;
    fi
    
    # loop through the snapshots
    echo "${SNAPSHOT_LIST}" | while read -r line ; do
    
       # get the snapshot name from full URL that google returns
       SNAPSHOT_NAME="${line##*/}"
    
       # get the date that the snapshot was created
       SNAPSHOT_DATETIME="$(gcloud compute snapshots describe ${SNAPSHOT_NAME} | grep "creationTimestamp" | cut -d " " -f 2 | tr -d \' | cut -d 'T' -f 1)"
    
       # format the date
       SNAPSHOT_DATETIME="$(date -d ${SNAPSHOT_DATETIME} +%Y%m%d)"
    
       # get the expiry date for snapshot deletion (currently 7 days)
       SNAPSHOT_EXPIRY="$(date -d "-7 days" +"%Y%m%d")"
    
       # check if the snapshot is older than expiry date
       if [ "$SNAPSHOT_EXPIRY" -ge "$SNAPSHOT_DATETIME" ];
          then
          # delete the snapshot
          echo "$(gcloud compute snapshots delete ${SNAPSHOT_NAME} --quiet)"
       fi
    done
    

    Installing NodeQuery

    1. Go to https://nodequery.com/login and login
    2. Click New Server
    3. Enter [SERVERNAME] as the Name
    4. Make sure all of the notifications are set to 95%
    5. Click Create Server
    6. Click Copy Installation Command
    7. Paste Installation command into SSH

    Install XVarnish

    1. Open SSH and Paste the following:
    yum install epel-release
    rpm --nosignature -i https://repo.varnish-cache.org/redhat/varnish-4.1.el6.rpm
    rpm --nosignature -i https://repo.xvarnish.com/xvarnish-repository-1-8.el6.rpm
    yum install xvarnish
    /usr/local/xvarnish/bin/activate --key [XVARNISH KEY]
    xvctl enable xvarnish
    

    Update all Server Software

    1. Open SSH and Paste the following:
    yum install yum-utils
    yum update
    reboot
    

    Installing LetsEncrypt

    Before starting please buy a license from https://letsencrypt-for-cpanel.com/ if you do not already have one

    Generating a Remote Access Key

    1. Go to https://[SERVERNAME]:2087 and login as root
    2. Go to Clusters >> Remote Access Key
    3. Click Generate New Key

    Installing on SSH

    Official Documentation: https://letsencrypt-for-cpanel.com/docs/for-admins/installation/

    1. Save your issued licence file as /etc/letsencrypt-cpanel.licence and chmod to 0400
    2. On SSH run wget https://cpanel.fleetssl.com/static/letsencrypt.repo -O /etc/yum.repos.d/letsencrypt.repo
    3. Then run yum -y install letsencrypt-cpanel
    4. To test, run le-cp self-test
    5. To enable Service Certificates (SSL on hostnames), run le-cp hostcert enable. More info here: https://letsencrypt-for-cpanel.com/docs/for-admins/service-certificates/
    6. To enable AutoSSL, run le-cp autossl enable. More info here: https://letsencrypt-for-cpanel.com/docs/for-admins/autossl/

    Post Setup Checklist

    • Create recurring task for Security Maintenance checks (see below maintenance checklist)
    • Create recurring task for Weekly Maintenance checks to check backups are working correctly
    • Create recurring task for Weekly Maintenance checks to see if server has been blacklisted
    • Create a new filter and label in receiving email address, if Gmail: Matches: to:([SERVER EMAIL]) Do this: Skip Inbox, Mark as read, Apply label “Servers/[SERVERNAME]”, Never send it to Spam
    • Limit bandwidth use for cpanel accounts so it does not go over desired quota on Google Cloud (bandwidth is expensive)
    • Add Buy cPanel costs to any budgeting or accounting software you have

    Recommended Regular Checkups and Maintenance

    Security Maintenance

    We recommend this checklist is carried out at least once per month

    1. Login to WHM
    2. Update plugins such as ConfigServer eXploit Scanner
    3. Go to Security Advisor
    4. Follow steps provided for anything that is red or yellow (apart from exceptions below)
      1. Apache vhosts are not segmented or chroot()ed.
      2. Apache Symlink Protection: the Bluehost provided Apache patch is in effect
      3. Update EasyApache (This can update PHP and fuck up a lot of shit on a lot of websites!)
    5. Update CXS if applicable (Plugins >> ConfigServer eXploit Scanner >> Upgrade CXS)

    Backup Checks

    Local Backup Disk

    Quick link: https://[SERVERNAME]:2087/scripts5/restoremenu

    1. Go to https://[SERVERNAME]:2087 and login
    2. Go to Backup >> Backup Restoration
    3. Click on a few usernames, if the backups are working you should see the option to back up on several previous days (depending on what you have configured)

    Google Cloud Snapshots

    Quick link: https://console.cloud.google.com/compute/snapshots?project=[PROJECT NAME]

    1. Go to https://console.cloud.google.com and login
    2. Go to Compute Engine >> Snapshots
    3. If the snapshots are working you should see 7 of the backup disk (if you have one) and 7 of the main disk, no more, no less

    Old Obsolete Steps

    Enable Mod Security

    1. Go to Security Center >> Apache mod_userdir Tweak
    2. Tick Enable mod_userdir Protection
    3. Click Save

    Configure Default Password Strength

    1. Go to Security Center >> Password Strength Configuration
    2. Change Default Required Password Strength to 75
    3. Click Save

    Enable IonCube Loader

    1. Go to Server Configuration >> Tweak Settings
    2. Click PHP
    3. For cPanel PHP loader select Ioncube
    4. Click Save

    Redirect to Hostname

    1. Go to Server Configuration >> Tweak Settings
    2. Click Redirection
    3. For Always redirect to SSL select On
    4. For Non-SSL redirect destination select Hostname
    5. For SSL redirect destination select Hostname
    6. Click Save

    Reduce the number of notifications

    1. Go to Server Configuration >> Tweak Settings
    2. Click Notifications
    3. For Account system disk usage “warn” percentage select Disabled
    4. For Account disk quota “warn” percentage select Disabled
    5. For Account disk quota “critical” percentage select Disabled
    6. Click Save

    Configure Passive FTP

    1. Follow the steps from Enable the passive port range for Pure-FTPd on https://documentation.cpanel.net/display/CKB/How+to+Enable+FTP+Passive+Mode#HowtoEnableFTPPassiveMode-Passive

    Add Credentials on SendGrid

    1. Go to https://sendgrid.com/login and Login
    2. Go to Settings >> Credentials
    3. Click Add New Credential
    4. For username enter: [SNAME]-birdmarketing
    5. For password enter a new generated password from LastPass and make a note of this password (DO NOT USE SPECIAL CHARACTERS IN PASSWORD)
    6. Tick the MAIL box
    7. Click Create Credential