So you’ve decided to switch to a VPS (virtual private server) to upgrade your website hosting? It’s a great idea, because such solution allows boosting speed and reliability of website. It’s often selected by people who consider switching from shared web hosting to a more advanced server, or from managed to unmanaged hosting to save money. Managing a server on your own with assistance of some open-source control panel (for instance, Virtualmin) can save you lots of money and help to avoid many different restrictions that come with shared hosting.
It’s time to learn how to set up a VPS and manage it.
Why managing VPS?
Managing your own VPS has evident advantages:
- With a VPS, pages usually load much quicker and more reliable than with shared hosting, even when there’s a traffic spike.
- You have overall control over environment and may install any software you need, and use as many websites and email accounts as you need.
- SSH (secure shell) access makes up for command-line control, quicker file transfer, and remote backups.
- Being fully isolated from other users you can reduce the risk of being hacked or having your IP address blacklisted.
- Encrypted SSL (HTTPS) connection protects users’ login credentials and is especially important for eCommerce websites.
- You can render private accounts to your customers of friends.
- You can cut on expenses for management and control panel license.
- You can quickly solve all arising issues without using support tickets and waiting for answers.
- It’s simpler to move your assents to a backup server, or an upgraded server, if necessary.
- You get a lot of knowledge about how web servers function.
However, VPS has some drawbacks, too. These include:
- VPS is a more costly solution than free and shared hosting.
- In order to manage this server, you need technical abilities and a few management skills.
- In order to monitor and maintain the server, you need to apply regular efforts.
Before you can transfer websites on VPS you need to do the following.
With the help of an account in web hosting service, you can get root access to your virtual server with enough resources to run the sites. As a rule, it comes for a monthly free. You will be rendered at least one unique IP address and login credentials (username and password) for administrator access. You need it to reboot the server and install an operating system. For every website that uses SSL connections, you will need an additional IP address. Such account may be created either immediately, or within a couple of days.
Now you need to acquire an administrative access to domain name for every website: as a rule, it requires paying an annual fee to domain registrar. You’ll be given a password and a username with which you can alter nameserver settings that connect your domain name to your IP address. It may take up to 48 hours for the settings to be fixed in domain name system (DNS). While it’s being propagated, you can access VPS by IP address. It’s recommended not to buy domain name in the same company that hosts your website, because it will be more difficult to move to a new host then.
Install an appropriate OS (operating system) on the server. Pretty often, hosting providers install standard operating systems for users. If yours doesn’t you can load the OS from an iso file. In this case, you would typically load the “server” edition of the operating system. If you deal with a remote server, you should install client programs (PuTTY and WinSCP for Windows, and Transmit on a Mac). This way, you’d be able to send commands and files to your VPS server through SSH (secure shell) connection.
How to select a hosting company
When you are in search of a hosting company, pay attention to network quality, reliability and decent customer support together with its cost. Only well-established companies can render these altogether. Reading unbiased reviews is also a good idea, but sometimes it’s hard to find objective opinions. Forums are good spots to ask for advice.
When moving to a new VPS hosting company, ask yourself the following questions:
- How much disk space and RAM is offered? You need to have at least 20 Gb of disk space and 1 Gb of RAM.
- Is there any restriction on the amount of traffic per month? If it is a metered server, you need to find out how much your website uses, and define the volume of bandwidth required.
- What kind of hypervisor is used for VPS? Xen and KVM are preferable to OpenVZ or Virtuozzo, as far as they allow for kernel layer control that is used to deal with spam attacks and denial or service.
- Is IPv6 connectivity offered?
- Is their customer support user-friendly and helpful? Search for reports from other users and feedbacks on different forums. This information will help you to make a decision.
- Is there a trial period and monthly payment options? If yes, you can try a host for a few weeks with free trial services. If page load time exceeds 2-3 seconds, and downtime is more than 5-10 minutes a month, you aren’t likely to be satisfied with such hosting.
- Are there automatic website backups? If it’s not provided, how will you perform backup? Think over Plan B before opting for certain solution.
- Is the datacenter good from environmental standpoint? Server maintenance requires a lot of electricity and care.
Some users think that it’s important to choose a suitable location. However, it doesn’t matter much: a website will load a bit quicker, if it’s hosted on a server in a country close to your target audience. The factors that should primarily be taken into consideration are price and reliability. Note that legislation concerning censorship, copyright, privacy and taxes may also be relevant for your project.
Choice of control panel and OS
Some web-masters recommend LAMP hosting (Linux, Apache, MySQL, PHP). It’s open-source, affordable, and compatible with most content management systems. All of Virtualmin GPL Supported Systems are robust and reliable. Windows hosting appears to be more costly, but it’s obligatory for websites that are scripted with Microsoft ASP.
Virtualmin or ISPConfig open-source software is preferable for managing and configuring a server to licensed control panels (Plesk, cPanel or HSphere), because it’s a more affordable and easier way to set up several websites and provides full control.
If you need to manage the content of separate individual websites, it’s better to choose some popular CMS like WordPress, Drupal, etc. Every website should be updated regularly, and a CMS allows doing that simpler: it provides plugins, themes and different useful functions like spam protection, image gallery, calendar, spam protection, etc. With a proprietary CMS it’s harder to switch to another host, and some features can be limited.
If you want to install an operating system right from the start, you need to choose configuration options. If you don’t know what is to be chosen, select default settings. You will need to set up the following values:
- Country, language and keyboard layout.
- Here you should choose the domain you own (for instance, mail.mywebsite.com). Never use a generic name provided by hosting company and the name containing an IP address, because when you’ll send email from your server, spam filters will block messages.
- HTTP proxy settings may stay blank.
- Username and password. Make up a secure password (at least 10 digits, not a usual dictionary word). It’s crucial, because hackers are all around, and they can quickly compromise weak passwords.
- Encrypting your home directory is not obligatory for servers that are physically secure.
- Time zone – select the one that’s convenient for the administrator.
- When working with disk partition, choose “Guided – the entire disk” for the installer to perform this task.
- Enable OpenSSH server. If you use Virtualmin installer, LAMP and main packages will be installed automatically.
- Install GRUB boot loader.
Since you have a remote server that works on a newly installed Linux OS without anything else, you configure it from your local Windows PC, you should connect the secure shell (SSH) with a client using PuTTY. First, install PuTTY on your Windows computer, then put the IP address of your VPS in the Host Name/IP address, then set the Port to 22 and choose SSH connection type.
After connection, the new server will show a warning that server’s host key is not cached. Save the key and connect. Use login credentials to make changes.
Initial security patches
To ensure decent security level, you should install the latest OS patches as soon as you start the server. If you have Ubuntu or Debian-based systems, you should execute the following commands:
sudo apt-get update
sudo apt-get dist-upgrade
The “sudo” part is obligatory, if you have logged in as an administrator instead of getting root access as a superuser. It’s recommended to avoid logging in as root, because Ubuntu disables password logins for that reason. To make sure that you’re not logged in as a root, do the following steps:
- Check time zone. It’s better to set the time zone that’s convenient for the administrator, because you won’t need to translate timestamps in log files.
- Check locale. You can install a suitable language pack and set the locale with these commands:
sudo apt-cache search language-pack
sudo apt-get install language-pack-en
sudo update-locale LANG=en_GB.utf8 LC_MESSAGES=en_GB.utf8
- Check the hostname. It is displayed on the login screen. Alternatively, you can enter “hostname –f” command.
Unfortunately, some providers can alter this information after every reboot of VPS, so you need to contact them to have it changed. Your hostname should be something like mail.mydomain.com.
Install a control panel
As a rule, hosting companies install commercial control panels that need a license. Instead, you can use open-source Virtualmin control panel. Just follow installation instructions, or execute several commands for that:
sudo /bin/sh install.sh
The install.sh script may require a few minutes to be complete.
Now you need to connect a web browser to the same address that’s required to connect to SSH with PuTTY above. If everything’s done correctly, you’ll see “It Works!” on the screen.
It’s high time to take a snapshot backup of your website. It’s a good idea, because this is a good point to return, if things go wrong.
Now you should finish installation. Connect your browser to port 10000 with HTTPS for secure connection. Ignore the notifications about untrusted certificate. Bookmark the page and login with the credentials used above. When going to post-installation wizard you can leave default answers. Go to the Features and Pluging section and disable features that you don’t need.
Check IP addresses and hostname
To check your IP addresses, proceed to Network Interfaces section in Network Configutation. Choose the main interface and alter IPv4 Address from DHCP to Static configuration, and specify the main IP address and Netmask values for the hosting company. If you have IPv6 address and netmask, enter them.
Now get back to Network Configuration, enter the gateway address rendered by the hosting company. Do it carefully: don’t make mistakes on these steps. You may check DNS setting and hostname in Network Configurations, as well. The hosting provider should let you set the hostname as “Reverse DNS” for assigned IP address. It should be set correctly, because spam filters regularly check it.
The default settings that you have chosen already provide more or less decent level of security, if you selected a complicated password and installed security patches. However, VPS is likely to be attacked by spammers and hackers, so you should prevent as much vulnerability as you can by checking log files on a regular basis.
Authentication keys for SSH login
This is a more reliable security measure than passwords. On Ubuntu servers, it’s the only way to get root access and make unattended backups. In order to enable this option, you need to generate a pair of keys with PuTTYgen on Windows or ssh-keygen on Linux. Default options will be enough. You can copy the private key on your computer or a USB flash drive – it’ll be used for backup process.
On your VPS server, you need to create file /.ssh/authorized_keys in admin user’s folder and have “user only” permissions. To have overall control, prefer root access (for admin’s home directory, too). Enter the public key to [admin home]/.ssh/authorized_keys file, or use the following commands to generate the file in admin user’s home folder:
chmod 0700 .ssh
sudo nano authorized_keys (paste your public key on one line and save)
chmod 0600 authorized_keys
Never disclose the private key! When PuTTY is used to connect with server, paste the address the private id_rsa key file in Auth configuration display. If everything works properly, you won’t need to give the password when you try to connect the next time.
As soon as you login successfully without a password, you need to proceed to SSH server > Authentication and set No in the option “Allow authentication by password?”
In order to reduce the risk of hacking and attacks connected with log file entries, you can change the port of the SSH server. It is done in section Servers, SSH server, Networking. Check related firewall settings, or you can restrict the access for yourself.
Restrict Virtualmin logins
Another way hackers can acquire admin access to the server is Virtualmin interface, or any other control panel used. Choose a reliable password and set up connection with SSL encryption (in this case, you have HTTPS instead of HTTP). This way, you’ll prevent capture of your password, particularly when you use WiFi connection.
If you are sure that some certain IP address (or several IP addresses) will be used by administrators, you can limit logins to these addresses in IP Access Control section. Webmin admin port can be changed from the default 10000 to something else, so hackers will find it harder to reveal. Go to Webmin Configuration, Ports and Addresses.
Additionally, enable SSL client certificate, or two-factor authentication. A detailed instruction can be found on Enhanced Authentication wiki page.
Disable FTP login
You can disable FTP server by going to Webmin, Bootup and Shutdown > proftpd and choosing “Delete”. SSH is a better alternative.
Restrict email network
If there’s no need in rendering POP3 and IMAP connections to external users, these can be disabled in Networking and Protocols. Here you can also set the limits for the allowed interfaces. Don’t want to allow external users to send mail via SMTP server? Then go to SMTP Authentication and Encryption and disable “Allow authenticated clients” option.
Hide Apache and PHP version
Although this option is not really helpful (hackers try all possibilities to get this information), you can do it the following way:
If you use Webmin, go to Choose Apache Webserver > Global Configuration > Miscellaneous, set “Server HTTP header” to “Product only”.
If you use Virtualmin, go to Services > PHP 5 Configuration > Edit Configuration Manually for each site add the line “expose_php = Off”.
Enable a firewall
Of course, it’s always better to secure your server normally rather than count on a firewall. For instance, you can disable the services you don’t use at System, Bootup and Shutdown. Besides, it will save you CPU and memory. However, firewall often comes in handy, and you can simply set suitable rules on Webmin > Networking by choosing “Reset Firewall” and Blocking all except ports used for virtual hosting. Then setup firewall.
Some hosting providers don’t allow firewall to start automatically when you boot the server to prevent you from locking yourself out. After every reboot, you should enable firewall manually.
It’s easier that you think. Go to Virtualmin > Create Virtual Server and specify the domain name and admin’s password. As a rule, default settings are okay, and you can find them in Server Templates. Pay attention that you can customize execution of PHP script in Server Configuration > Website Options.
In this case, several servers can share the main server’s IP address. Besides, you can create a sub-server (a subdomain on your VPS) or a copy of another website (with similar spelling, for instance).
If you need to direct administrative email messages to some other address, it can be set up in two sections.
Virtualmin > Edit Virtual Server > Configurable Settings > Contact email > Administrator’s mailbox
Virtualmin > Services > Configure Website > Networking and Addresses > Server admin email address
You shall alter DNS settings in your nameservers (maybe in domain registrar, or in hosting company) to refer to the new website. Check for Suggested DNS records. The changes can be made within 24-48 hours to be set up throughout the whole DNS network.
When DNS settings have been propagated, the files in public_html folder will be automatically visible for visitors. The file for the home page should be called index.html or index.php. MySQL databases are created for every website separately, and they can be managed in Edit Databases. Besides, phpMyAdmin management tool can be installed for your websites.
Add email users
In order to do that, open Edit Users, Add a user to this server. Ensure your users all have consistent passwords so that their accounts wouldn’t be hacked. You can specify password policy in Users and Groups > Password restrictions.
Initially, all main is stored on the virtual server. However, many advanced webmasters prefer to direct all user’s main to an external email service: you will enjoy free storage, spam filters and search abilities. In order to redirect messages, open Mail forwarding settings. When you start doing that, filter spam messages first and foremost, or your IP address can be blacklisted. Use Postfix Postscreen module for that: it comes in handy for this. Email Greylisting is another useful method of spam reduction (used for Virtualmin), but sometimes it delays email delivery. You can also configure Gmail account to use POP3 to redirect mail that is stored on VPS. It’ll help you to avoid problems with Gmail blocking, but delivery of messages can be delayed by 1 hour.
The mail can be accessed at the Usermin address, or with the help of more state-of-art applications, for instance, Roundcube or Squirrelmail. They can be installed in one click in Install Scripts section.
Enable SSL connections
When users login to your website and transmit passwords and other personal information simply in text, it poses vulnerability, especially when accounts are accessed via public networks and WiFi connections. To ensure unbeatable security, you can enable SSL connection for a website on your server by going to Edit Virtual Server > Enabled features and proceeding to the box SSL website enabled. This way, you will allow for encrypted connections with the website, and users will see HTTPS instead of HTTP.
However, since it’s an automatically generated certificate, visitors will be warned from their browser that the connection can’t be trusted (the encrypted traffic still can be intercepted by third parties). Therefore, you need to install a certificate from a trusted authority. Virtualmin allows implementing free Letsencrypt certificates automatically. If everything is done correctly, your website will be loaded in most browsers without problems.
As far as the vast majority of websites support Server Name Indication, you don’t have to make a separate IP address for every website that applies an SSL certificate.
Testing and monitoring
By default, the reports of system failure and problems are directed to user root, and you can check them by proceeding to System > Users and Groups > root, “Read Email” button. Directing messages to external email address is usually more convenient. That can be configured in Postfix Mail Server > Mail Aliases. Here, you need to select Create a new alias and set address to the root. Add your external email address to “Alias to”.
Check log files in System Logs and Reports to define the signs of hackers’ activity and problems in time. Besides, there is the full spectrum of free services for website monitoring:
- Logwatch checks logs and provides daily reports for the administrator. Preliminary installation is required.
- Dnssy examines DNS settings.
- F8lure pings the server every second to reveal network problems, such as CPU overuse, and gives warning when down.
- Mxtoolbox checks your mail server regularly, warns when it’s blacklisted, or is out of work, and also “port scans” the firewall.
- Uptime Doctor defines how quickly your pages load, and alerts when the website is down.
- Loadimpact simulates presence of multiple simultaneous users to analyze website performance.
- Piwik is a good alternative to Google Analytics, with only difference that it’s hosted on your own server. It shows statistics and users’ behaviour.
- SSL Labs server test checks SSL installation.
Besides, you can also set up validation checks and updates on your server via admin panel. Enable Scheduled checking options and Schedules validation. There should be regular monitoring of free memory, Apache, Dovecot, Load Average, Postfix, SSH, Webmin, and Disk Space.
Want to test the setup before opting for commercial hosting? You can do it on the virtual machine. VirtualBox is free intuitive platform that is compatible with Windows, Mac, Linux and Solaris. You need to generate a virtual machine with minimum 1 Gb RAM and 20 Gb of disk space, and set the network mode to “bridged”. After that, download the OS you want to use as an “ISO” file, use it as a virtual CD, then reboot the server and perform installation steps.
Sometimes it’s required to install additional packages for certain programs. Pretty often, installation program for CMS performs configuration checks and informs, if there are missing packages or wrong configurations that should be changed.
You can enable or disable Apache modules in Apache Webserver > Configure Apache Modules. It’s better to enable modules used in “.htaccess” files to provide page cache timeouts and appropriate URLs. If you see a server default Apache page instead of a website, there can be several modules missing:
Don’t forget to click “Apply Changes” at the top right afterwards.
Tweaking performance and memory usage
I strongly suggest testing your site with a (free) service such as Loadimpact to ensure it can withstand a sudden spike in traffic. If you find problems, here are some parameters to check:
“MaxClients” – should be tuned in file /etc/apache2/apache2.conf, accessible from Webmin > Servers > Apache Webserver > Global Configuration > Edit Config Files. If it’s too large your server will run out of memory, if too small you will restrict simultaneous users
Reduce the number of server processes in the Processes and Limits screen to save RAM
In Webmin > Webmin Configuration > Advanced Options you can change the CPU priority for scheduled jobs
Enable Postfix Postscreen to prevent email spam without damaging performance or risking false positives
Your websites could vanish without warning, even at a large reputable host. It has happened to me more than once. Common causes are denial of service attacks, your site being hacked, the host going out of business, power or network failure, an expired credit card or simple human error. Your hosting provider may be swamped with calls and unresponsive when this happens. If you have a recent off-site backup and control of your domain names you can recover everything within a couple of hours – if not, recovery may be lengthy or impossible. Backups are important!
Backup fast-changing content such as MySQL database contents at least daily using an automated script such as AutoMySQLBackup.
Virtualmin can do scheduled backups of all files, database contents, email and settings, locally or remotely. Set it up at Virtualmin > Backup and Restore > Scheduled Backup. Webmin settings can also be saved, see Webmin > Backup Configuration Files > Scheduled backups.
Local storage on your own PC or a NAS appliance is cheapest, if you have a good internet connection. I use a Synology Diskstation. Storing individual Linux files on a Windows PC can be tricky but zip files are usually OK. Restoring from home can take a long time though due to limited upload bandwidth.
Commercial services such as Amazon Glacier or Google Nearline are faster to restore but have monthly fees.
Your VPS host may offer snapshot backups and you should use those, but remember they are likely to vanish if your hosting provider does.
Keep control of your domain names by using external nameservers (e.g. at Cloudflare) rather than at your hosting provider.
A final word about security
My no. 1 tip for keeping a VPS secure is to keep it constantly updated with security patches (including all CMS plugins, libraries and so on). Most hacks happen through known vulnerabilities that are easily exploited.
My no. 2 tip is to set up daily off-site backups, including database contents. It’s impossible to make a VPS 100% secure or reliable so you need to be able to recover quickly. Individual WordPress sites (even on shared hosting) can be backed up using a plugin such as UpdraftPlus, perhaps to a free Google Drive account.
My no. 3 tip is to enforce long passwords and limit login attempts on every account that can upload files or modify the server.
My no. 4 tip is to keep an eye on log files using a utility like logcheck or logwatch so you’re warned quickly if something is wrong.
RootSudo – Ubuntu community help
Locale – Ubuntu community help
Virtualmin installation instructions
Postfix Postscreen – How to enable and configure it to prevent spam
Preventing backscatter (non-delivery records) from forwarded spam
Fastcgi vs CGI vs mod_php – bit51 blog
Apache with fcgid – 2bits blog
Faster, PHP! Kill! Kill! – P’unk Avenue blog
More VPS tutorials
Guide to starting a hosting business
Firstsiteguide Web Hosting Services Explained
The Perfect Server tutorials from HowtoForge, using ISPConfig as a control panel