# First setup of a newbie, what to improve now?



## Belucci (Sep 15, 2014)

OK, I just got my first VPS, a small one: 512 RAM, 20 GB SSD, 1 core.

I just installed VestaCP, which installs on its own nginx, Apache, PHP, MySQL, FTP and some other stuff. It uses nginx for all static content and forwards the dynamic content to Apache, which is supposed to give you the best of both worlds (right?)

Also, I believe VestaCP does some configuration of those so I don't have to? (Or if I do, please let me know.) But as far as I can see it even has a few templates for Apache and nginx depending on your needs.

Just in case, I put on top of this the free plan of Cloudflare with the optimisation settings to the max (minification, caching, compression) and security on medium.

Security-wise I plan to put SSH key authentication instead of password and SFTP instead of FTP. (But not sure if I even need this behind Cloudflare, since I suppose they filter out attempts on those ports?)

So, what I'm asking is the following (please remember I'm a newbie in this):

1. Do I need to configure something else on the server, performance-wise?

2. Do I need to do something else security-wise?

3. What are the best methods to test this setup so I can compare after each change?

It will be used mostly for hosting a bunch of WP-based sites with little traffic. Also please note that so far, this setup has cost me $5 (per month) and like 10 mins to do. This VestaCP seems to do all the magic on its own. Pretty damn cool

And the goals are performance and security.


----------



## D. Strout (Sep 15, 2014)

Unless you have hundreds (or thousands) of visitors per day, you should be more than fine on the performance piece. For security, you're doing well; you might want to change the port that SSH listens on, and disable password authentication. The SSH configuration file is located at /etc/ssh/sshd_config. The "Port" directive at the top should be edited to something different (a high number, above 10000 but below 65535), and "PasswordAuthentication" and "UsePAM" should be set to "no". Then reload SSH.

As for protection from CloudFlare, the key is that when you're using CloudFlare, no one knows the IP of your server. A "normal" hosting setup is essentially like this:

1. Lookup domain
2. Use domain IP to contact server

With CloudFlare, that changes to:

1. Lookup domain
2. Domain IP goes to _CloudFlare_
3. CloudFlare accesses your site via _your_ IP
4. CloudFlare returns the content as necessary

To anyone looking from the outside, everything in that sequence after step two is "invisible" - they don't know what IP CloudFlare is talking to, to get that content. If someone doesn't know your server's IP, they can't access it via SSH. The reason you want to secure SSH anyway is that there are bots that regularly scan the Internet for open SSH servers.

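The sshd_config change D. Strout describes, worked through as a small POSIX shell script (an added example, not code from the thread). It assumes a Debian-style sshd_config; the port 22022, the sample config file and the reload command in the trailing comment are constructed/assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): apply the sshd_config settings the reply
# describes (Port, PasswordAuthentication, UsePAM) and verify the result.
# The port 22022 and the sample config below are constructed for illustration.

# set_directive FILE KEY VALUE: remove every existing line for KEY, whether
# active or commented out, then append one definitive "KEY VALUE" line.
# sshd keywords are case-insensitive and sshd honours the FIRST occurrence of
# a keyword, so simply appending after an existing "Port 22" would do nothing.
set_directive() {
    file="$1"; key="$2"; value="$3"
    tmp="$file.tmp"
    grep -v -i "^[[:space:]]*#\{0,1\}[[:space:]]*$key[[:space:]]" "$file" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# harden_sshd_config FILE PORT: the three changes from the reply, in one place.
harden_sshd_config() {
    set_directive "$1" Port "$2"
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" UsePAM no
}

# effective_value FILE KEY: print the value sshd would actually use (first match).
effective_value() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# Constructed sample resembling a stock Debian sshd_config; not a real host's file.
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
#Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF

cp "$SAMPLE_CFG" "$SAMPLE_CFG.bak"        # keep a copy to roll back to
harden_sshd_config "$SAMPLE_CFG" 22022
cat "$SAMPLE_CFG"

# On a real server, check the syntax before reloading so a typo cannot lock you
# out, and keep the current session open until a login on the new port works:
#   sshd -t -f /etc/ssh/sshd_config && service ssh reload
```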

----------



## Munzy (Sep 15, 2014)

```
apt-get install fail2ban
```


----------



## DomainBop (Sep 15, 2014)

Munzy said:


> apt-get install fail2ban


Fail2ban and CSF (because it is newbie friendly for first time VPS users).



> hosting a bunch of WP-based sites with little traffic.


For the WP sites I'd also add a couple of plugins for security: BruteProtect (or other brute protection plugin) and Disable XML-RPC Pingback.


----------



## Belucci (Sep 16, 2014)

Thank you guys, that's all very useful!

I was afraid that I'll have to do some complicated PHP, Apache, MySQL fine tweaking, but since nobody mentions it, I guess VestaCP takes care of most of it?

I played with some site speed tests; Google gives me 93 and some others say my site is faster than 95-98% of the sites tested. Isn't that like amazing?

@DomainBop, do you mean this http://configserver.com/cp/csf.html by CSF?

Also, what should I use to monitor, and which parameter is most vital, so I know when it is time to upgrade the VPS?


----------



## fuseweb (Sep 17, 2014)

I would definitely recommend installing ModSecurity with some decent rules if you're going to host WordPress with a load of plugins. We have been using the Atomicorp rules for years.

Have a look at:

https://www.atomicorp.com/products/modsecurity.html

Regards,

Ashton


----------



## Belucci (Sep 28, 2014)

DomainBop said:


> Fail2ban and CSF (because it is newbie friendly for first time VPS users).
> 
> For the WP sites I'd also add a couple of plugins for security: BruteProtect (or other brute protection plugin) and Disable XML-RPC Pingback.


From my research it seems Fail2ban and CSF do pretty much the same, right? Do you suggest I need both, or are you just mentioning both for me to pick?

Is there a way to use the CSF web interface with VestaCP? (No official support.)


----------

