Prior to Setting Up

  • Make sure client is set up on CRM
  • Make sure client is set up on recurring invoices and direct debit systems

Setting up Google Cloud

Google Cloud Documentation: https://cloud.google.com/compute/docs/

Create Project

  1. Go to https://console.cloud.google.com/project and Sign In
  2. Click Create Project
  3. Type [PROJECTNAME]
  4. Click Create
  5. Add any other people you need to work on the project through IAM

Create Instance

  1. Click [PROJECTNAME]
  2. Click Menu (3 bars) >> Compute Engine
  3. Click Create Instance
  4. Enter the following:
    1. Name: [INSTANCENAME]
    2. Zone: europe-west1-d
    3. Machine Type: [MACHINETYPE]
    4. Click Change in Boot disk and choose:
      1. CentOS 7
      2. Boot disk type: SSD persistent disk
      3. Size: [DISKSIZE]
    5. In Firewall
      1. tick Allow HTTP traffic
      2. tick Allow HTTPS traffic
    6. Click Create
  5. Make a note of the IP address in the project variables list

Reserve IP Address

  1. Click Menu (3 bars) >> VPC network >> External IP addresses
  2. Click Ephemeral on the row that has VM instance [INSTANCENAME]
  3. Select Static
  4. In Name enter [INSTANCENAME]
  5. Click Reserve

Create Firewall Rules

  1. In Google Cloud click Firewall Rules
  2. Click CREATE FIREWALL RULE
    1. In Name enter cpanel
    2. In Source filter enter Allow from any source (0.0.0.0/0)
    3. In Allowed protocols and ports enter: tcp:20; tcp:21; tcp:22; tcp:25; tcp:26; tcp:37; tcp:43; tcp:53; udp:53; tcp:80; tcp:110; tcp:113; tcp:143; tcp:443; tcp:465; udp:465; tcp:587; tcp:783; udp:783; tcp:873;udp:873; tcp:993; tcp:995; tcp:2073; tcp:2077; tcp:2078; tcp:2079; tcp:2080; tcp:2082; tcp:2083; tcp:2086; tcp:2087; tcp:2089; tcp:2095; tcp:2096; tcp:2525; udp:2525; tcp:3306; udp:50000-60000;tcp:50000-60000
    4. Click Create
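
The rule above opens every listed port to 0.0.0.0/0, including SSH, WHM and MySQL. As an added example (not part of the original guide), this script parses the rule string and lists which administrative ports it exposes, so they can be reviewed for a narrower source range; the `ADMIN_PORTS` set and the function name are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example (not from the original guide): list which administrative
# ports a firewall rule's "Allowed protocols and ports" string exposes.

# Rule string as entered in the guide for the "cpanel" rule (source 0.0.0.0/0).
CPANEL_RULE='tcp:20; tcp:21; tcp:22; tcp:25; tcp:26; tcp:37; tcp:43; tcp:53;
udp:53; tcp:80; tcp:110; tcp:113; tcp:143; tcp:443; tcp:465; udp:465; tcp:587;
tcp:783; udp:783; tcp:873;udp:873; tcp:993; tcp:995; tcp:2073; tcp:2077;
tcp:2078; tcp:2079; tcp:2080; tcp:2082; tcp:2083; tcp:2086; tcp:2087; tcp:2089;
tcp:2095; tcp:2096; tcp:2525; udp:2525; tcp:3306; udp:50000-60000;tcp:50000-60000'

# Assumption: ports an administrator would normally limit to known source
# ranges (SSH, WHM, MySQL, RDP). Adjust to your own policy.
ADMIN_PORTS='tcp:22 tcp:2086 tcp:2087 tcp:3306 tcp:3389'

# exposed_ports RULE WANTED
# Prints each "proto:port" from WANTED (space separated) that RULE allows,
# including ports that fall inside a lo-hi range such as tcp:50000-60000.
exposed_ports() {
    printf '%s\n' "$1" | tr ';' '\n' | tr -d ' \t' |
    awk -F: -v want="$2" '
        BEGIN { n = split(want, w, " ") }
        NF == 2 {
            lo = hi = $2
            if (split($2, r, "-") == 2) { lo = r[1]; hi = r[2] }
            for (i = 1; i <= n; i++) {
                split(w[i], s, ":")
                if (s[1] == $1 && s[2] + 0 >= lo + 0 && s[2] + 0 <= hi + 0)
                    hit[w[i]] = 1
            }
        }
        END { for (i = 1; i <= n; i++) if (w[i] in hit) print w[i] }'
}

# Report for the rule in this guide.
exposed_ports "$CPANEL_RULE" "$ADMIN_PORTS"
```

Port 3306 appears in the report even though the guide later binds MySQL to 127.0.0.1, so that firewall opening serves no listener and can be dropped from the rule.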

Preparing Server on SSH

Update Root Password

  1. Click SSH button on the instance row
  2. sudo su -
  3. passwd
  4. Using LastPass generate a new password, copy it, and make a note of it
  5. Paste the password and press enter (it will look like there has been nothing pasted in, still press enter)
  6. Paste the password again and press enter
  7. Add the password to LastPass

Installing screen

  1. yum install screen
  2. y

Installing wget

  1. yum install wget
  2. y

Change Hostname

  1. Change Hostname: hostname [SERVERNAME]

Create A Record

  • Add an A record to your DNS management system for [SERVERNAME] with the IP address which can be found on Google Cloud under your project instance

Installing Cloud Linux

Buy Cloudlinux License

Downloading Cloudlinux

  1. On SSH enter the following:
  2. wget https://repo.cloudlinux.com/cloudlinux/sources/cln/cldeploy
  3. sh cldeploy -k [CLOUDLINUX KEY]
  4. On completion, on SSH enter the following:
  5. reboot

Installing WHM

WHM Documentation: https://documentation.cpanel.net/display/ALD/WebHost+Manager+-+WHM+User+Guide

Buy WHM License

  • Go to https://www.buycpanel.com (choose VPS license not dedicated)

Downloading WHM

  1. On SSH enter the following:
  2. sudo su -
  3. systemctl disable NetworkManager.service
  4. screen
  5. cd /home && curl -o latest -L https://securedownloads.cpanel.net/latest && sh latest
  6. /usr/local/cpanel/cpkeyclt
  7. /usr/local/cpanel/bin/checkallsslcerts

Initial WHM Setup

  1. Navigate to http://[SERVERNAME]:2087
  2. Login using root as the username
  3. Step 1: Click I Agree/Go To Step 2
  4. Step 2:
    1. Enter your chosen email as the Server Contact Email Address (e.g. [email protected])
    2. Enter 8.8.8.8 as the Primary Resolver
    3. Enter 8.8.4.4 as the Secondary Resolver
  5. Click Save & Go to Step 3
  6. Click Skip This Step and Use Default Settings
  7. Click Save & Go to Step 5
  8. Click Skip This Step and Use Default Settings
  9. Click Finish Setup Wizard
  10. Click Go to WHM
  11. Click Save Settings

Configuring WHM Settings

Configure Apache

You can find an Apache config online and import it via EasyApache 4, or you can follow these steps:

  1. Go to https://[SERVERNAME]:2087 and login as root
  2. Go to Software >> EasyApache 4
  3. Click Customize
  4. Make sure the following are ticked.
  5. Click Apache Modules
    1. mod-alt-passenger
    2. mod_bwlimited
    3. mod_cgi
    4. mod_cloudflare
    5. mod_deflate
    6. mod_env
    7. mod_evasive
    8. mod_expires
    9. mod_headers
    10. mod_hostinglimits
    11. mod_mpm_prefork
    12. mod_proxy
    13. mod_proxy_fcgi
    14. mod_proxy_http
    15. mod_proxy_wstunnel
    16. mod_reqtimeout
    17. mod_security2
    18. mod_ssl
    19. mod_suexec
    20. mod_suphp
    21. mod_unique_id
    22. mod_version
  6. Click PHP Versions
    1. php56
    2. php70
    3. php71
    4. php72
  7. Click PHP Extensions (make sure to tick all versions of each extension)
    1. libc-client
    2. pear
    3. php-bcmath
    4. calendar
    5. cli
    6. common
    7. curl
    8. devel
    9. fileinfo
    10. fpm
    11. ftp
    12. gd
    13. iconv
    14. imap
    15. ioncube10
    16. litespeed
    17. mbstring
    18. mcrypt
    19. mysqlnd
    20. pdo
    21. posix
    22. soap
    23. sockets
    24. xml
    25. zendguard
    26. zip
    27. intl
    28. runtime
  8. Click Review
  9. Click Provision
  10. Click Done

Apache Config File Optimisations

  1. Go to Service Configuration >> Apache Configuration
  2. Click Include Editor
  3. Under “Post VirtualHost Include” select “All versions” from the dropdown
  4. In the text area paste the following code:
## EXPIRES CACHING ##
<IfModule mod_expires.c>
 # Enable expirations
 ExpiresActive On
 # Default directive
 ExpiresDefault "access plus 1 month"
 # My favicon
 ExpiresByType image/x-icon "access plus 1 year"
 # Images
 ExpiresByType image/gif "access plus 1 month"
 ExpiresByType image/png "access plus 1 month"
 ExpiresByType image/jpg "access plus 1 month"
 ExpiresByType image/jpeg "access plus 1 month"
 # CSS
 ExpiresByType text/css "access plus 1 month"
 # Javascript
 ExpiresByType application/javascript "access plus 1 year"
 # PDF
 ExpiresByType application/pdf "access plus 1 month"
 # Flash
 ExpiresByType application/x-shockwave-flash "access plus 1 month"
</IfModule>
## EXPIRES CACHING ##
## ENABLE GZIP COMPRESSION ##
<IfModule mod_deflate.c>
 # Compress HTML, CSS, JavaScript, Text, XML and fonts
 AddOutputFilterByType DEFLATE application/javascript
 AddOutputFilterByType DEFLATE application/rss+xml
 AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
 AddOutputFilterByType DEFLATE application/x-font
 AddOutputFilterByType DEFLATE application/x-font-opentype
 AddOutputFilterByType DEFLATE application/x-font-otf
 AddOutputFilterByType DEFLATE application/x-font-truetype
 AddOutputFilterByType DEFLATE application/x-font-ttf
 AddOutputFilterByType DEFLATE application/x-javascript
 AddOutputFilterByType DEFLATE application/xhtml+xml
 AddOutputFilterByType DEFLATE application/xml
 AddOutputFilterByType DEFLATE font/opentype
 AddOutputFilterByType DEFLATE font/otf
 AddOutputFilterByType DEFLATE font/ttf
 AddOutputFilterByType DEFLATE image/svg+xml
 AddOutputFilterByType DEFLATE image/x-icon
 AddOutputFilterByType DEFLATE text/css
 AddOutputFilterByType DEFLATE text/html
 AddOutputFilterByType DEFLATE text/javascript
 AddOutputFilterByType DEFLATE text/plain
 AddOutputFilterByType DEFLATE text/xml
 # Remove browser bugs (only needed for really old browsers)
 BrowserMatch ^Mozilla/4 gzip-only-text/html
 BrowserMatch ^Mozilla/4\.0[678] no-gzip
 BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
 Header append Vary User-Agent
</IfModule>
## ENABLE GZIP COMPRESSION ##
  5. Click Update
  6. Click Restart Apache

Configuring PHP

  1. Go to Service Configuration >> MultiPHP INI Editor
  2. Under Select PHP Version go through each version and configure the following:
  3. allow_url_fopen = Enabled
  4. Ignore: max_execution_time = 360
  5. Ignore: max_input_time = 180
  6. Ignore: memory_limit = 512M
  7. Ignore: upload_max_filesize = 256M
  8. Ignore: In “Editor Mode” post_max_size = 256M
  9. In “Editor Mode” always_populate_raw_post_data = -1
  10. Click Save

Disable Compiler

  1. Go to Security Center >> Compiler Access
  2. Click Disable Compilers

Configure Mod Security2

  1. Go to Security Center >> ModSecurity™ Vendors
  2. Click Install and Restart Apache

Configure open_basedir Fix

  1. Go to Security Center >> PHP open_basedir Tweak
  2. Tick Enable php open_basedir Protection.
  3. Click Save

Configure Shell Fork Bomb Protection

  1. Go to Security Center >> Shell Fork Bomb Protection
  2. Click Enable Protection

Disable Traceroute

  1. Go to Security Center >> Traceroute Enable/Disable
  2. Click Disable

Allow SMTP on Port 2525

  1. Go to Service Configuration >> Service Manager
  2. Tick both boxes next to Exim Mail Server (on another port) to 360
  3. Change Allow exim to listen on a port other than 25. to 2525
  4. Click Save

Install ClamAV and Munin

  1. Go to cPanel >> Manage Plugins
  2. Click Install ClamAV for cPanel
  3. Click Install Munin for cPanel

Default Show All on List Accounts

  1. Go to Server Configuration >> Tweak Settings
  2. Click Display
  3. Number of accounts per page to display in “List Accounts”. = All
  4. Click Save

Prevent “nobody” from sending mail & Disable Horde and Squirrel

  1. Go to Server Configuration >> Tweak Settings
  2. Click Mail
  3. Prevent “nobody” from sending mail = On
  4. Enable Horde Webmail = Off
  5. Enable Mailman mailing lists = Off
  6. Enable Roundcube webmail = Off
  7. Enable SquirrelMail webmail = Off
  8. Click Save

Restrict Spam on Server

  1. Go to Service Configuration >> Exim Configuration Manager
  2. Under the RBLs section:
    1. Click On for RBL: bl.spamcop.net
    2. Click On for RBL: zen.spamhaus.org
  3. Under the Apache SpamAssassin™ Options section
    1. Click On for Apache SpamAssassin™: Forced Global ON
    2. Click On for Scan outgoing messages for spam and reject based on the Apache SpamAssassin™ internal spam_score setting
    3. Click On for Do not forward mail to external recipients if it matches the Apache SpamAssassin™ internal spam_score setting
  4. Click Save

Change hostname

  1. Go to Networking Setup >> Change Hostname
  2. In New Hostname enter: [SNAME].bird.co.uk
  3. Click Change

Edit default Quota Plan

  1. Go to Packages >> Edit a Package
  2. Click default
  3. Click Edit
  4. Change the following:
    1. Disk Quota (MB): 5000
    2. Monthly Bandwidth (MB): 100000
    3. Max FTP Accounts: 5
    4. Max Email Accounts: 0
    5. Max Email Lists: 0
    6. Max Databases: 1
    7. Max Subdomains: 5
    8. Max Parked Domains: 5
    9. Max Addon Domains: 5
    10. Maximum Hourly Email by Domain Relayed: 250
    11. Maximum percentage of failed or deferred messages a domain may send per hour: 250
    12. Click Save Changes

Graceful Server Reboot

  1. Go to System Reboot >> Graceful Server Reboot
  2. Click Proceed

Configuring SendGrid

SendGrid Documentation: https://sendgrid.com/docs/index.html

Configure Exim on WHM

  1. Go to https://[SERVERNAME]:2087 and login as root
  2. Go to Service Configuration >> Exim Configuration Manager
  3. Click Advanced Editor
  4. In CONFIG section, under domainlist local_domains enter: lsearch;/etc/localdomains : localhost : [SERVERNAME] : [GOOGLE INSTANCE NAME] : @
  5. In daemon_smtp_ports enter: 465 : 25 : 587 : 2525
  6. In the Section: AUTH box enter:
sendgrid_login:
driver = plaintext
public_name = LOGIN
client_send = : <USER> : <PASS>
  7. Make sure you replace <USER> and <PASS> with the SendGrid username and password that you made a note of earlier
  8. In the Section: PREROUTERS box enter:
send_via_sendgrid:
driver = manualroute
domains = ! +local_domains
transport = sendgrid_smtp
route_list = "* smtp.sendgrid.net::2525 byname"
host_find_failed = defer
no_more
  9. In the Section: TRANSPORTSTART box enter:
sendgrid_smtp:
 driver = smtp
 hosts = smtp.sendgrid.net
 hosts_require_auth = smtp.sendgrid.net
 hosts_require_tls = smtp.sendgrid.net
  10. Scroll to the bottom and click Save

Installing Whitelister

Follow the “Server B” steps in the following readme.md file: https://bitbucket.org/birdmarketing/ip-whitelist-website/src/96b3e536d7262dcb293a545282382793d320ac12/README.md?fileviewer=file-view-default

Installing ConfigServer Explorer

ConfigServer Explorer Documentation: https://www.configserver.com/cp/cse.html

  1. Paste the following into SSH:
sudo su -
cd /usr/src
rm -fv /usr/src/cse.tgz
wget https://download.configserver.com/cse.tgz
tar -xzf cse.tgz
cd cse
sh install.sh
rm -Rfv /usr/src/cse*

Configure MySQL

  1. On WHM go to Plugins >> ConfigServer Explorer
  2. Click etc
  3. Find my.cnf and click edit icon
  4. Add the following lines
bind-address=127.0.0.1
innodb_lock_wait_timeout=100
  5. Click Save
  6. Go to Restart Services >> SQL Server (MySQL)
  7. Click Yes

Installing ConfigServer Security and Firewall

ConfigServer Security and Firewall Documentation: https://configserver.com/cp/csf.html

Installing CSF On SSH

  1. Paste the following into SSH:
sudo su -
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
rm -Rfv /usr/src/csf*

Configuring CSF on WHM

  1. Go to https://[SERVERNAME]:2087 and login as root
  2. Go to Plugins >> ConfigServer Security & Firewall
  3. Click Firewall Allow IPs
  4. Add the following to the bottom of the document:
# CloudFlare IPs
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
104.16.0.0/12
108.162.192.0/18
131.0.72.0/22
141.101.64.0/18
162.158.0.0/15
172.64.0.0/13
173.245.48.0/20
188.114.96.0/20
190.93.240.0/20
197.234.240.0/22
198.41.128.0/17
199.27.128.0/21
# Sage Pay IPs
195.170.169.0/255
  5. Click Change
  6. Click Restart csf+lfd
  7. Click Firewall Configuration
  8. Change TESTING = to OFF (0)
  9. In TCP_IN add ,3306,3389
  10. In TCP_OUT add ,2525
  11. In UDP6_OUT add ,67,68
  12. Scroll to the bottom and click Change
  13. Click Restart csf+lfd
  14. Click Return
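
An allow-list entry with a malformed mask is easy to miss when pasting a block of ranges; an IPv4 prefix length must be between 0 and 32. Added example, not part of the original guide: a small linter for entries like those above, run on a few lines from the list plus constructed test lines. Function names are illustrative, and flagging set host bits is a strictness choice of this example.

```sh
#!/bin/sh
# Added example (not from the original guide): lint IPv4/CIDR allow-list
# lines before pasting them into the firewall allow file.

# check_cidr ENTRY: prints "ok" or a reason; returns non-zero unless ok.
check_cidr() {
    entry=$1
    case $entry in
        */*) addr=${entry%/*}; prefix=${entry##*/} ;;
        *)   addr=$entry; prefix=32 ;;
    esac
    # Prefix length: decimal integer 0..32 without leading zeros.
    case $prefix in
        ''|*[!0-9]*|0?*|???*) echo "bad-prefix"; return 1 ;;
    esac
    [ "$prefix" -le 32 ] || { echo "bad-prefix"; return 1; }
    # Address: exactly four decimal octets, each 0..255.
    case $addr in
        ''|*[!0-9.]*) echo "bad-address"; return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ "$#" -eq 4 ] || { echo "bad-address"; return 1; }
    ip=0
    for octet in "$@"; do
        case $octet in
            ''|0?*|????*) echo "bad-address"; return 1 ;;
        esac
        [ "$octet" -le 255 ] || { echo "bad-address"; return 1; }
        ip=$(( ip * 256 + octet ))
    done
    # Bits to the right of the prefix should be zero for a network range;
    # if they are not, the line is usually a typo.
    host_bits=$(( ip & ((1 << (32 - prefix)) - 1) ))
    [ "$host_bits" -eq 0 ] || { echo "host-bits-set"; return 1; }
    echo "ok"
}

# lint_allow_list: reads allow-list text on stdin and prints
# "<entry> <reason>" for every entry that fails check_cidr.
# Comments and blank lines are skipped.
lint_allow_list() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}
        entry=$(printf '%s' "$entry" | tr -d ' \t\r')
        [ -n "$entry" ] || continue
        reason=$(check_cidr "$entry") || printf '%s %s\n' "$entry" "$reason"
    done
}

# Three lines taken from the list above plus two constructed test lines.
SAMPLE_ALLOW='# CloudFlare IPs
103.21.244.0/22
104.16.0.0/12
# Sage Pay IPs
195.170.169.0/255
# constructed test lines
198.51.100.0/24
192.0.2.10/24'

printf '%s\n' "$SAMPLE_ALLOW" | lint_allow_list
```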

Ignore the following:

#Change LF_ALERT_TO = to [SNAME]@bird.co.uk
#Change LF_ALERT_FROM = to [SNAME]@bird.co.uk
#Change PT_USERPROC = to 0
#Change PT_USERMEM = to 0
#Click Firewall Profiles
#Select disable_alerts
#Click Apply Profile

Installing ConfigServer eXploit Scanner

ConfigServer eXploit Scanner Documentation: https://configserver.com/cp/cxs.html

Purchase a ConfigServer eXploit Scanner license

  1. Go to https://store.configserver.com/index.php?dispatch=products.view&product_id=3
  2. Click Add to Cart
  3. Click Checkout
  4. Login
  5. Enter the VAT number
  6. Enter the Domain Name: [SERVERNAME]
  7. Tick the Terms and Conditions box
  8. Enter the server IP
  9. Click Update Order
  10. Click Continue
  11. Follow the steps to pay with PayPal
  12. Log into PayPal
  13. Click continue

Make sure an email is received with a confirmation of license before proceeding with install (this may take several hours)

Installing CXS on SSH

  1. Enter the following in SSH:
wget https://download.configserver.com/cxsinstaller.tgz
tar -xzf cxsinstaller.tgz
perl cxsinstaller.pl
rm -fv /usr/src/cxsinstaller.*
cxs --qcreate --quarantine /home/quarantine
rm -rf /etc/cxs/cxs.restricted

Configure CXS on WHM

  1. Go to https://[SERVERNAME]:2087 and login as root
  2. Go to Plugins >> ConfigServer eXploit Scanner
  3. Edit CGI Upload
    1. Click Other Files
    2. Select /etc/cxs/cxscgi.sh
    3. Click Edit File
    4. Change --mail root to --mail [SERVERNAME]@[DOMAIN].com
    5. Add --quarantine /home/quarantine/
    6. Click Save File
    7. Click Return
  4. Edit FTP Upload
    1. Click Other Files
    2. Select /etc/cxs/cxsftp.sh
    3. Click Edit File
    4. Change --mail root to --mail [SERVERNAME]@[DOMAIN].com
    5. Add --quarantine /home/quarantine/
    6. Click Save File
    7. Click Return
  5. Edit CXS Watch
    1. Click Other Files
    2. Select /etc/cxs/cxswatch.sh
    3. Click Edit File
    4. Change --mail root to --mail [SERVERNAME]@[DOMAIN].com
    5. Add --quarantine /home/quarantine/
    6. Click Save File
    7. Click Return
  6. Click Start cxs Watch
  7. Click Return
  8. Under cxs PureFTPd Scanning click Enable Integration
  9. Click Return
  10. Under cxs ModSecurity Scanning click Enable Integration
  11. Click Return

Installing ConfigServer Mail Manager

ConfigServer Mail Manager Documentation: https://www.configserver.com/cp/cmm.html

  1. Paste the following into SSH:
cd /usr/src
rm -fv /usr/src/cmm.tgz
wget https://download.configserver.com/cmm.tgz
tar -xzf cmm.tgz
cd cmm
sh install.sh
rm -Rfv /usr/src/cmm*

Installing Linux Malware Detect

Linux Malware Detect Documentation: https://www.rfxn.com/projects/linux-malware-detect/

  1. Paste the following into SSH:
wget https://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzf maldetect-current.tar.gz
cd maldetect-1.5
sh install.sh
  2. Replace maldetect-1.5 with whatever version you downloaded.
  3. To scan all files:
    1. Type: screen
    2. Type: sudo /usr/local/sbin/maldet -a /[PATH]
  4. To scan recent files use: sudo /usr/local/sbin/maldet -r /[PATH]

Installing RKHunter

RKHunter Documentation: http://rkhunter.sourceforge.net/

  1. Open SSH
  2. Install EPEL Repository: yum install epel-release
  3. Install RKHunter: yum -y install rkhunter
  4. Update Database: rkhunter --update
  5. Update System File Properties: rkhunter --propupd
  6. Can be manually run using the following command: rkhunter -c -sk

Installing CHKRootKit

CHKRootKit Documentation: http://www.chkrootkit.org/

  1. Open SSH
  2. Install EPEL Repository: yum install epel-release
  3. Install CHKRootKit: yum -y install chkrootkit
  4. Run CHKRootKit: chkrootkit

Installing Softaculous

Softaculous Documentation: https://www.softaculous.com/

Purchase a Softaculous license

  1. Go to https://www.softaculous.com/clients?ca=buy and login
  2. Choose Type: Lifetime VPS Server License
  3. Enter [SERVER IP] in the IPs/License Keys(s) box
  4. Click Purchase Softaculous
  5. Click the PayPal icon
  6. Login to PayPal
  7. Click Pay Now

Installing Softaculous on SSH

Enter the following on SSH:

wget -N https://files.softaculous.com/install.sh
chmod 755 install.sh
./install.sh

Stop email notifications

  1. Go to https://[SERVERNAME]:2087 and login as root
  2. Go to Plugins >> Softaculous
  3. Go to Settings >> General
  4. In Update Settings un-tick:
    1. Notify Updates
    2. Notify Script Updates
  5. In Email Settings un-tick everything related to turning off emails.
  6. Click Edit Settings

Setting up Backups

Option 1 – Amazon

Setting Up S3

  1. Go to https://aws.amazon.com/
  2. Click Sign in to the Console
  3. Click Sign in using our secure server
  4. Click Identity & Access Management
  5. Click Users >> Create New User
  6. Enter [SERVERNAME]
  7. Click Create
  8. Click Show User Security Credentials
  9. Copy the credentials and save them somewhere (Lastpass Secure Notes >> S3 Access)
  10. Click Back
  11. Click Users
  12. Click on the newly created User
  13. Click Add User to Groups
  14. Select Servers
  15. Click Add to Groups
  16. At the top click Services >> Storage & Content Delivery >> S3
  17. Click Create Bucket
  18. Bucket Name: [SERVERNAME]
  19. Region: Ireland

Configuring WHM to Use S3

  1. Navigate to https://[SERVERNAME]:2087 and login as root
  2. Go to Backup >> Backup Configuration
  3. Backup Status: Enabled
  4. Backup Daily: Tick All
  5. Tick Backup Weekly
  6. Tick Backup Monthly
  7. Retain 3 Monthly backups
  8. Backup Suspended Accounts: Enable
  9. Backup Access Logs: Enable
  10. Backup SQL Databases: Per Account and Entire MySQL Directory
  11. Untick Retain backups in the default backup directory
  12. Click Create new destination
  13. Destination Name: Amazon S3
  14. Tick Transfer System Backups to Destination
  15. Bucket: [SERVERNAME]
  16. Enter Access Key
  17. Enter Secret Access Key
  18. Click Save Destination
  19. Click Validate on the Amazon S3 line
  20. Click Save Configuration

Option 2 – Backup Disk (Recommended)

Google Cloud Persistent Disk Documentation: https://cloud.google.com/compute/docs/disks/add-persistent-disk

  1. Find the vm instance and find its zone e.g. europe-west1-c
  2. Add the new disk to the vm instance
    1. Select the vm instance, click edit and “Add item” under Additional disks
    2. Select create new disk, and select mode: Read/write
  3. Create a disk
    1. Use the same zone as the vm instance, this increases speed and decreases transfer costs
    2. Select Disk Type: Standard persistent disk
    3. Select Source type: None (blank disk)
    4. Use: (((source disk – 10gb)*0.6)*12)*1.2. EXPLAINED: source disk minus total operating system use (source disk – 10gb), compressed into backups (60%), multiplied by retention periods (times 12), plus 20% for contingency
    5. Use 10x source disk (12x compressed cpanel accounts disk space (approx 60% of cpanel disk space) + overheads + room for growth (Daily:5 day retention, Weekly: 4 week retention, Monthly: 3 month retention))
    6. Check the new disk has been attached
    7. SSH in and run ls /dev/disk/by-id you should see “google-[DISK_NAME]”
  4. Format and add a filesystem
    1. Using the ext4 filesystem, run sudo mkfs.ext4 -F -E 'discard' /dev/disk/by-id/google-[DISK_NAME]
  5. Mount the drive to /backup
    1. Assuming /backup had already been created – this is the default location for WHM backups. Run sudo mount -o discard,defaults /dev/disk/by-id/google-[DISK_NAME] /backup
  6. Setup auto mounting
    1. Run sudo blkid -s UUID -o value /dev/disk/by-id/google-[DISK_NAME], this should produce an output like “0cf2a474-f88a-4254-b074-19bdf72a172b”. This is the disk UUID, use this value in the command below.
    2. Run echo "UUID=[UUID] /backup ext4 nofail,auto,discard,defaults 1 1" | sudo tee -a /etc/fstab
  7. Check everything works
    1. run cd /backup; touch test; ls /backup and see if you see the new test file
  8. Enable backup in whm to /backup
  9. Check in 24h that the backup is working correctly
    1. SSH in and look in /backup to see if new files have been created

Debugging

Disk failed to mount:

  • Check the /etc/fstab file (SSH in and run cat /etc/fstab), there should only be a single entry with “/backup” in. It should look similar to the following (however with a different UUID number) “UUID=0cf2a474-f88a-4254-b074-19bdf72a172b /backup ext4 nofail,auto,discard,defaults 1 1”
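
The format, mount and fstab steps above, together with the single-entry check from Debugging, as an added script that is not part of the original guide. Function names are illustrative; it refuses to run mkfs on a disk that already holds a filesystem and never writes a second /backup line to fstab. The demo at the bottom only touches a constructed temporary fstab.

```sh
#!/bin/sh
# Added example (not from the original guide): repeat-safe backup disk setup.
# Function names are illustrative.

MOUNT_OPTS="nofail,auto,discard,defaults"   # fstab options used in the guide

# Size from the guide's formula (((source - 10) * 0.6) * 12) * 1.2, which is
# (source - 10) * 8.64; integer maths, rounded up to a whole GB.
backup_disk_size_gb() {
    echo $(( (($1 - 10) * 864 + 99) / 100 ))
}

# count_mount_entries FSTAB MOUNTPOINT: number of active (uncommented) entries.
count_mount_entries() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { n++ } END { print n + 0 }' "$1"
}

# ensure_fstab_entry FSTAB UUID MOUNTPOINT
# Appends the entry once. Returns 0 if it is present afterwards, 2 if the
# mount point is already claimed by another (or a duplicated) entry.
ensure_fstab_entry() {
    ef_have=$(awk -v mp="$3" '$1 !~ /^#/ && $2 == mp { print $1 }' "$1")
    if [ -z "$ef_have" ]; then
        printf 'UUID=%s %s ext4 %s 1 1\n' "$2" "$3" "$MOUNT_OPTS" >> "$1"
    elif [ "$ef_have" != "UUID=$2" ]; then
        echo "fstab: $3 already configured as: $ef_have" >&2
        return 2
    fi
}

# provision_backup_disk DEVICE [MOUNTPOINT]: run as root on the server.
provision_backup_disk() {
    pb_dev=$1
    pb_mp=${2:-/backup}
    [ -b "$pb_dev" ] || { echo "$pb_dev: not a block device" >&2; return 1; }
    # mkfs.ext4 -F overwrites without asking, so only format a blank disk.
    if [ -z "$(blkid -s TYPE -o value "$pb_dev")" ]; then
        mkfs.ext4 -F -E discard "$pb_dev" || return 1
    else
        echo "$pb_dev already has a filesystem, skipping mkfs" >&2
    fi
    mkdir -p "$pb_mp"
    mountpoint -q "$pb_mp" ||
        mount -o discard,defaults "$pb_dev" "$pb_mp" || return 1
    ensure_fstab_entry /etc/fstab "$(blkid -s UUID -o value "$pb_dev")" "$pb_mp"
}

# Demo on a constructed fstab (safe to run without root).
demo_fstab=$(mktemp)
printf '%s\n' '# constructed sample fstab' 'UUID=aaaa / xfs defaults 0 0' > "$demo_fstab"
ensure_fstab_entry "$demo_fstab" 0cf2a474-f88a-4254-b074-19bdf72a172b /backup
ensure_fstab_entry "$demo_fstab" 0cf2a474-f88a-4254-b074-19bdf72a172b /backup
echo "/backup entries: $(count_mount_entries "$demo_fstab" /backup)"
echo "disk for a 100 GB source: $(backup_disk_size_gb 100) GB"
rm -f "$demo_fstab"
```

On the server the real call would be provision_backup_disk /dev/disk/by-id/google-[DISK_NAME] /backup, run as root.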

Setting up Snapshots

  1. Go to Snapshots >> Create a Snapshot Schedule (https://console.cloud.google.com/compute/snapshotSchedulePolicies/add)
  2. Give it a name
  3. Choose the same region that your disk is in.
  4. Schedule Frequency: daily
  5. Auto-delete snapshots after: 7 days
  6. Create
  7. Go to Disks
  8. Go into each disk and click edit
  9. On Snapshot schedule select the schedule we just created
  10. Click Save

Installing NodeQuery

  1. Go to https://nodequery.com/login and login
  2. Click New Server
  3. Enter [SERVERNAME] as the Name
  4. Make sure all of the notifications are set to 95%
  5. Click Create Server
  6. Click Copy Installation Command
  7. Paste Installation command into SSH

Install XVarnish

  1. Open SSH and Paste the following:
yum install epel-release
rpm --nosignature -i https://repo.varnish-cache.org/redhat/varnish-4.1.el6.rpm
rpm --nosignature -i https://repo.xvarnish.com/xvarnish-repository-1-8.el6.rpm
yum install xvarnish
/usr/local/xvarnish/bin/activate --key 3fd16905-47a8-4647-9215-3fcb1ddac3a6
xvctl enable xvarnish

Update all Server Software

  1. Open SSH and Paste the following:
yum install yum-utils
yum update
reboot

Installing LetsEncrypt

Before starting please buy a license from https://docs.cpanel.net/knowledge-base/third-party/the-lets-encrypt-plugin/ if you do not already have one

Generating a Remote Access Key

  1. Go to https://[SERVERNAME]:2087 and login as root
  2. Go to Clusters >> Remote Access Key
  3. Click Generate New Key

Installing on SSH

Official Documentation: https://letsencrypt-for-cpanel.com/docs/for-admins/installation/

  1. Save your issued licence file as /etc/letsencrypt-cpanel.licence and chmod to 0400
  2. On SSH run wget https://cpanel.fleetssl.com/static/letsencrypt.repo -O /etc/yum.repos.d/letsencrypt.repo
  3. Then run yum -y install letsencrypt-cpanel
  4. To test, run le-cp self-test
  5. To enable Service Certificates (SSL on hostnames) run le-cp hostcert enable more info here: https://letsencrypt-for-cpanel.com/docs/for-admins/service-certificates/
  6. To enable AutoSSL run le-cp autossl enable more info here: https://letsencrypt-for-cpanel.com/docs/for-admins/autossl/

Post Setup Checklist

  • Create recurring task for Security Maintenance checks (see below maintenance checklist)
  • Create recurring task for Weekly Maintenance checks to check backups are working correctly
  • Create recurring task for Weekly Maintenance checks to see if server has been blacklisted
  • Create a new filter and label in receiving email address, if Gmail: Matches: to:([SERVER EMAIL]) Do this: Skip Inbox, Mark as read, Apply label “Servers/[SERVERNAME]”, Never send it to Spam
  • Limit bandwidth use for cpanel accounts so it does not go over desired quota on Google Cloud (bandwidth is expensive)
  • Add Buy cPanel costs to any budgeting or accounting software you have

Recommended Regular Checkups and Maintenance

Security Maintenance

We recommend this checklist is carried out at least once per month

  1. Login to WHM
  2. Update plugins such as ConfigServer eXploit Scanner
  3. Go to Security Advisor
  4. Follow steps provided for anything that is red or yellow (apart from exceptions below)
    1. Apache vhosts are not segmented or chroot()ed.
    2. Apache Symlink Protection: the Bluehost provided Apache patch is in effect
    3. Update EasyApache (This can update PHP and fuck up a lot of shit on a lot of websites!)
  5. Update CXS if applicable (Plugins >> ConfigServer eXploit Scanner >> Upgrade CXS)

Backup Checks

Local Backup Disk

Quick link: https://[SERVERNAME]:2087/scripts5/restoremenu

  1. Go to https://[SERVERNAME]:2087 and login
  2. Go to Backup >> Backup Restoration
  3. Click on a few usernames, if the backups are working you should see the option to back up on several previous days (depending on what you have configured)

Google Cloud Snapshots

Quick link: https://console.cloud.google.com/compute/snapshots?project=[PROJECT NAME]

  1. Go to https://console.cloud.google.com and login
  2. Go to Compute Engine >> Snapshots
  3. If the snapshots are working you should see 7 of the backup disk (if you have one) and 7 of the main disk (no more, no less)

Old Obsolete Steps

Enable Mod Security

  1. Go to Security Center >> Apache mod_userdir Tweak
  2. Tick Enable mod_userdir Protection
  3. Click Save

Configure Default Password Strength

  1. Go to Security Center >> Password Strength Configuration
  2. Change Default Required Password Strength to 75
  3. Click Save

Enable IonCube Loader

  1. Go to Server Configuration >> Tweak Settings
  2. Click PHP
  3. For cPanel PHP loader select Ioncube
  4. Click Save

Redirect to Hostname

  1. Go to Server Configuration >> Tweak Settings
  2. Click Redirection
  3. For Always redirect to SSL select On
  4. For Non-SSL redirect destination select Hostname
  5. For SSL redirect destination select Hostname
  6. Click Save

Reduce the number of notifications

  1. Go to Server Configuration >> Tweak Settings
  2. Click Notifications
  3. For Account system disk usage “warn” percentage select Disabled
  4. For Account disk quota “warn” percentage select Disabled
  5. For Account disk quota “critical” percentage select Disabled
  6. Click Save

Configure Passive FTP

  1. Follow the steps from Enable the passive port range for Pure-FTPd on https://documentation.cpanel.net/display/CKB/How+to+Enable+FTP+Passive+Mode#HowtoEnableFTPPassiveMode-Passive

Add Credentials on SendGrid

  1. Go to https://sendgrid.com/login and Login
  2. Go to Settings >> Credentials
  3. Click Add New Credential
  4. For username enter: [SNAME]-birdmarketing
  5. For password enter a new generated password from LastPass and make a note of this password (DO NOT USE SPECIAL CHARACTERS IN PASSWORD)
  6. Tick the MAIL box
  7. Click Create Credential