
General Setup Advice - Plesk 7.5 and 4PSA

Discussion in 'Plesk for Linux - 8.x and Older' started by zboyblue, Jan 11, 2005.

  1. zboyblue

    zboyblue Guest

     
    Hi,

    I have been using Plesk 6 for quite some time pretty much trouble free (Thank God cause I don't know what I am doing. : )

    I am about to load a new server with 7.5.1 and plan to use 4PSA's Extreme bundle (which includes 4PSA Notifications, 4PSA Client Backup, 4PSA Clean Server, 4PSA Spam Guardian, 4PSA Total Domains, 4PSA Total Backup, 4PSA Server Assistant and 4PSA Integrator.)

    My questions are mostly related to how to set this all up properly and avoid problems in the future.

    1. On my current Plesk 6 server I only gave it 1 IP address and I have 25 or 30 domains on the machine. The only issue I have really seen is that when email is sent or received the domain name changes in the header info. For instance if I send a message from domain1.com the header info may show domain1, or domain2, or domain3, etc. as the server that sent the message. This really doesn't hurt too much I don't guess but we plan to start doing some hosting for other people and I imagine they would have a problem with their messages appearing to be sent from my domain's mail server. Any ideas on why this happens and what I can do to fix it? Like I said, I am going to 7.5.1 so it may be something that was a bug that was fixed but if not I would like to know how to set things up so it does not happen.

    2. What is the rule of thumb for how many domains to put on a single IP?

    3. What do you recommend I do once I have a clean server that is ready to be configured? On the old server the first thing I did was set up our company’s domain which is not related to web hosting. I cannot remember exactly what causes this to happen but I vaguely remember that sometimes people trying to go to other domains on the server can end up at my domain. Is there a way to make that not happen and if not I would like to have those people going to another domain, not this one. In that case should I set that domain up on the server first so it is the "default"? Does domains having separate IP's have anything to do with this?

    4. Do you recommend opening the IP's to the Plesk server in my firewall so that all traffic goes to Plesk and then restricting access using the Plesk firewall? I wonder if managing the access to that server in one place (Plesk rather than my Cisco firewall) would be a lot easier to manage.

    5. Out of all of the options Plesk offers while installing (ASP Support, Backup Utilities, Frontpage Support, Firewall, FileServer, etc., etc.) what do you recommend installing or NOT installing? If there is something you recommend not installing what would you use instead or if you recommend not using it at all, why?

    6. Are there any of the 4PSA products in the Extreme Bundle (above) that you would not use? Why?

    7. Do you have any advice for setting up or using any of the 4PSA products above?

    8. Do you have any other advice to offer me to keep me out of trouble? : )

    I greatly appreciate all your help in advance. This forum has always been so helpful to me and I thank you for all of your participation in it.

    Craig
     
  2. NightStorm

    NightStorm Guest

     
    1: Happens on 7.5.1 too... I think it's related to the traceback on the IP, and not the actual sender domain... would be nice if it was domain-based, but I doubt we'll see it happen anytime soon.
    Downside is that some spam filters may detect it as spam and reject the mail because the domain in the headers does not match the domain in the from line, but there's not much I can do about that, short of dropping each domain on its own IP with a reverse pointer.

    2: As many as you can. Plesk (Apache) uses virtual hosting, so essentially, you could drop thousands onto a single IP. The plus to having less per IP is, as you listed above, the email header issue. Another plus is tracking... if someone httpd-floods your IP, you'll be spending quite some time going through the server logs to find which domain was targeted so you can disable it and block the flood.

    3: UPDATE. Bring PHP up to the most recent release. MySQL could probably do with an upgrade too. Install mod_dosevasive, patch it for the new /tmp exploit (found at http://security.lss.hr/index.php?page=details&ID=LSS-2005-01-01) and mod_security. These both work with Apache, and will help you to secure the server more.
    I suggest blocking all traffic on the server except SSH until you are ready to go into service. This will give you a chance to secure things before getting hammered.
    Tweak your httpd.conf and my.cnf files (Apache, and MySQL) for better performance. I can't advise you much on this, since it's all dependent on the stats for your server, and the traffic load you expect... but done properly, it will keep the server load lower, and allow for cleaner running.
    Install /tmp on a separate partition. Why? Because there are more flaws coming out for PHP than there are fixes at the moment. You can find more about that on the forum here... it'll probably be under "phpBB exploit".
    Install APF and BFD. They happily co-exist with the firewall (the OS firewall, not the Plesk firewall). They're simple to set up, and will more than make up for the time with the problems they will help you avoid... like brute force attempts, floods, and general "quick-fix" firewall blocks that will survive iptables flushes and restarts.

    4: I personally recommend using the router firewall, as it would keep the bad traffic from even touching the server, but that's just my own personal preference. I used the Plesk Firewall, and found myself simply getting frustrated... not enough options, and the traffic is already on the server when it hits that wall.
    But for what it's worth, I would manage access by port, and not by IP, with the exception of SSH. You'll want to deny access to the SSH port for all IPs except the one that needs it... this will make brute forcing a little more difficult.

    5: I would recommend steering clear of the modules that you do not need. Fileserver, unless you intend to actually use it, and VPN, unless you are ready for a kernel upgrade (run a search to see the headache this has caused some). Any further than that, you have to basically look at what your customers will need, and what you intend to offer them. But by all means, you will want Backup Utilities... give them the choice to run and save their own backup of their sites, as this will take some of the demand off of you to run a nightly for all the sites.
    And, as I said before, I would leave out the Firewall, and go with something more full-featured. I'd probably go with APF and BFD in place of the Plesk Firewall Module... they work well with iptables, and running alongside mod_dosevasive, communicate directly with the firewall. With the Plesk module, co-existence is extremely difficult, and one of the biggest letdowns I could ever think of with this new feature.

    6: I can't comment on this, as I have never used any of the 4PSA's products... I don't think I've even been to the site in a year now. Perhaps someone else will have something better to offer for this question.

    7: See #6

    8: Keep it legal. Run a check for rootkits periodically, make sure no one on your server runs old copies of programs (like phpBB). Keep a backup on hand *just in case*. Do your best to not piss off any packet monkeys, or at least have a number for the FBI handy (I just went through this, and the kiddie had all his and his parents' computer equipment seized on December 23rd... Merry Christmas). Be determined to make this all work... don't give up if it doesn't go well the first or second time, just stick with it.

    Good luck. I'm sure I missed loads, but there are others who I know will come along and add to this.
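
An added example (not part of the original thread): a POSIX shell check that an `iptables-save` dump follows the advice in the post above, that is, inbound traffic denied by default and SSH accepted only from the one address that needs it. The address 203.0.113.10, the function names and both rulesets are constructed for illustration, and the check assumes single `--dport` rules (no multiport matches).

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for "SSH from one IP only".
# Constructed data; 203.0.113.10 is a placeholder admin workstation address.
ADMIN_IP="203.0.113.10"

# audit_ssh_rules ADMIN_IP < dump : prints findings, returns 0 if compliant.
# Assumption: SSH listens on port 22 and rules use single --dport matches.
audit_ssh_rules() {
    awk -v admin="$1" '
    /^:INPUT / { policy = $2 }                      # chain default policy
    /^-A INPUT -j (DROP|REJECT)/ { catchall = 1 }   # explicit deny-all rule
    /^-A INPUT / && /--dport 22( |$)/ && /-j ACCEPT/ {
        src = ""
        for (i = 1; i < NF; i++) if ($i == "-s") src = $(i + 1)
        sub(/\/32$/, "", src)                       # iptables-save appends /32
        if (src == "")         { print "FAIL: SSH accepted from any source"; bad = 1 }
        else if (src != admin) { print "FAIL: SSH accepted from " src; bad = 1 }
        else ok = 1
    }
    END {
        if (policy != "DROP" && !catchall) {
            print "FAIL: INPUT is not default-deny (policy " policy ")"; bad = 1
        }
        if (!ok) print "WARN: no SSH accept rule for " admin
        exit (bad ? 1 : 0)
    }'
}

weak_ruleset() { cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

hardened_ruleset() { cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

weak_ruleset | audit_ssh_rules "$ADMIN_IP" || true
hardened_ruleset | audit_ssh_rules "$ADMIN_IP" && echo "hardened ruleset: OK"
```

On a live server the same function can read `iptables-save` output directly instead of the constructed samples.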
     
  3. zboyblue

    zboyblue Guest

     
    1: Happens on 7.5.1 too... I think it's related to the traceback on the IP, and not the actual sender domain... would be nice if it was domain-based, but I doubt we'll see it happen anytime soon.
    Downside is that some spam filters may detect it as spam and reject the mail because the domain in the headers does not match the domain in the from line, but there's not much I can do about that, short of dropping each domain on its own IP with a reverse pointer.

    Have you seen mail get rejected as spam because of this? What have YOU done on your server? One domain per IP or a bunch on one and not worry about it or what?

    2: As many as you can. Plesk (Apache) uses virtual hosting, so essentially, you could drop thousands onto a single IP. The plus to having less per IP is, as you listed above, the email header issue. Another plus is tracking... if someone httpd-floods your IP, you'll be spending quite some time going through the server logs to find which domain was targeted so you can disable it and block the flood.

    I hope nothing like that happens, I would not know what it was or how to figure out what to do about it. : )

    3: UPDATE. Bring PHP up to the most recent release. MySQL could probably do with an upgrade too.

    Would up2date do the trick or do I need to do it manually? I am not very good at the manual stuff yet so if up2date will do it that is great. : ) Is there anything wrong with letting it update everything that is outdated? I know that Plesk wants a clean server before installing, is it ok to start adding things back in after it is loaded? Does it have to be clean just so Plesk installs without trouble?


    Install mod_dosevasive, patch it for the new /tmp exploit (found at http://security.lss.hr/index.php?pa...=LSS-2005-01-01) and mod_security. These both work with Apache, and will help you to secure the server more.

    What do both of those do and where/how can I get and install them? Are they "nice to have" or "necessary"? Like I said, I am not too good with all this yet so the less I have to maintain and worry about the better. Let me know your opinions.

    I suggest blocking all traffic on the server except SSH until you are ready to go into service. This will give you a chance to secure things before getting hammered.

    All traffic to all IP's is blocked inside the Network except the current Plesk box and I only have web and mail open now. I can do whatever I want with the new server and it will be ok until I open it up to the public.

    Tweak your httpd.conf and my.cnf files (Apache, and MySQL) for better performance. I can't advise you much on this, since it's all dependent on the stats for your server, and the traffic load you expect... but done properly, it will keep the server load lower, and allow for cleaner running.

    Whoa hoarsee! I would rather sacrifice a finger than to poke around in any files right now. If there is something very specific I need to do I might be willing to do that but I would be scared to go messing around in files I know nothing about, I know what can happen. : )

    Install /tmp on a separate partition. Why? Because there are more flaws coming out for PHP than there are fixes at the moment. You can find more about that on the forum here... it'll probably be under "phpBB exploit".

    /tmp for the O/S? I vaguely know what you are talking about. Enough to know that means messing with the partitions on the hard drive. Eeeek! I tell you what though, if you tell me what size each partition should be (/, /tmp, and so on (notice I didn't say ", etc." hehe) I will make them that way when I load the server. I have wondered if there was a better way to do that than the default way that RH suggests.

    Install APF and BFD. They happily co-exist with the firewall (the OS firewall, not the Plesk firewall). They're simple to set up, and will more than make up for the time with the problems they will help you avoid... like brute force attempts, floods, and general "quick-fix" firewall blocks that will survive iptables flushes and restarts.

    Ok, I think I have heard of those 2 things but I didn't (and still don't) know really what they are. So exactly what are their duties, do they have graphical interfaces, etc. So are you suggesting to use the Fedora firewall on the machine along with these 2 things? How do they stop the attacks you mentioned better than a normal firewall or than the Plesk one?

    4: I personally recommend using the router firewall, as it would keep the bad traffic from even touching the server, but that's just my own personal preference. I used the Plesk Firewall, and found myself simply getting frustrated... not enough options, and the traffic is already on the server when it hits that wall.
    But for what it's worth, I would manage access by port, and not by IP, with the exception of SSH. You'll want to deny access to the SSH port for all IPs except the one that needs it... this will make brute forcing a little more difficult.

    Yea, I keep all ports blocked from the server except web and the mail ports (and maybe a few I am not thinking about). I also have SSH blocked from the outside and any other machine (in the Plesk firewall) except my workstation. I just thought of something, I thought the Plesk firewall was just an interface for the O/S one? If that is the case how can you use the O/S firewall without using Plesk since it is kinda the same?


    5: I would recommend steering clear of the modules that you do not need. Fileserver, unless you intend to actually use it, and VPN, unless you are ready for a kernel upgrade (run a search to see the headache this has caused some). Any further than that, you have to basically look at what your customers will need, and what you intend to offer them.

    Yea, I know there are some things I don't need (like VPN) and others I do not really know much about yet but may want to use (like File Server). I guess I just wanted to know if there were any that REALLY caused problems and I guess VPN must be one of them so I will stay away from it.

    But by all means, you will want Backup Utilities... give them the choice to run and save their own backup of their sites, as this will take some of the demand off of you to run a nightly for all the sites.
    And, as I said before, I would leave out the Firewall, and go with something more full-featured. I'd probably go with APF and BFD in place of the Plesk Firewall Module... they work well with iptables, and running alongside mod_dosevasive, communicate directly with the firewall. With the Plesk module, co-existence is extremely difficult, and one of the biggest letdowns I could ever think of with this new feature.

    I am not sure what the mod_dosevasive is yet so I am not sure what all this means. I guess by the time you answer the other questions for me I will. : )


    6: I can't comment on this, as I have never used any of the 4PSA's products... I don't think I've even been to the site in a year now. Perhaps someone else will have something better to offer for this question.

    7: See #6

    8: Keep it legal. Run a check for rootkits periodically, make sure no one on your server runs old copies of programs (like phpBB). Keep a backup on hand *just in case*. Do your best to not piss off any packet monkeys, or at least have a number for the FBI handy (I just went through this, and the kiddie had all his and his parents' computer equipment seized on December 23rd... Merry Christmas). Be determined to make this all work... don't give up if it doesn't go well the first or second time, just stick with it.

    Legal? Rootkits? old copies of phpBB?

    Good luck. I'm sure I missed loads, but there are others who I know will come along and add to this.

    I am so very grateful for your answers to my questions so far. As I said before, it is so nice to have folks that are willing to help out others. If you (or others) can follow up on my follow up questions I would appreciate it.
     