—————————————————————————————————————————-
This guide will help you set up an OpenVZ container with a failover IP from online.net or OVH
inside Proxmox 3.x.
—————————————————————————————————————————-
Note)
All commands are written on their own line with a dash in front (they were shown in red in the original layout), like this:
- this is a command typed into the ssh session
This guide assumes you have the following:
- Added an IP-Failover to your server
- Created a Virtual MAC for the IP failover
(See this for the above: http://forum.online.net/index.php?/topic/4437-all-about-failover-ips-beginners-guide/)
- Installed Proxmox Distribution 3.x
- Have access to the proxmox webinterface
- Have an SSH client and are logged into the host server as root.
- Know the basics of creating a CT (This focuses mainly on the networking)
Contents
1.1 Creating the container (Proxmox Webinterface)
1.2 Adding the MAC (Proxmox Webinterface)
1.3 Configuring the container's interface (SSH).
1.4 Testing
Let's get started.
1.1 Creating the container (Proxmox Webinterface)
Let’s start by creating a CT (OpenVZ Container)
I will not go into detail with the following screens:
- Fill in the General form (a VMID, a hostname and a root password)
- Now choose an OS Template (I will be using the Debian Minimal amd64)
- Now give it some resources (these can be changed at any time later)
You can also download pre-created template caches for other distributions by hand. To install one, download it into the host's /var/lib/vz/template/cache directory and do not unpack it. Verify the checksum published alongside the template before creating containers from it: everything inside the container will run from that image.
A list of templates is available at http://openvz.org/Download/template/precreated
Here I will go into detail again:
For networking we need to use "Bridged mode" with the default bridge vmbr0 that comes with Proxmox. Bridged mode (veth) gives the container its own network interface with its own MAC address, which is what the provider's virtual MAC for the failover IP has to be attached to.
You can either set your own DNS servers for the container or leave them blank, in which case it uses the host's settings (we leave them blank here).
The last page is simply an overview; click Finish to create the container.
Do not start the container just yet!
1.2 Adding the MAC (Proxmox Webinterface)
Now we have our newly created, stopped container, and we need to give it its network device configuration.
Select your CT and go to Network.
Select the network device and click Edit, or simply double-click the line (Network Device).
Now change the MAC address to the virtual MAC you generated for the failover IP. The provider only delivers the failover IP's traffic to frames carrying exactly that MAC, so a typo here means the container will see nothing at all.
Leave the rest as-is and click OK.
1.3 Configuring the container's interface (SSH).
Start the CT.
Now we need to log in to the host via SSH to add the IP to the CT.
Note) I will use VMID 100 as the example here; be sure to change this to the actual number of your CT.
Since there is no networking on the CT yet, we cannot ssh into it.
So type the following command on the host to enter the CT:
- vzctl enter 100
The prompt changes to the container's hostname. You are now logged into the container with a root shell, just as you would be over ssh.
————————————————————————————————————————-
Tip) This is pretty handy: you could use vzctl enter for all administration of the container and not run sshd inside it at all, which is one less network-facing service to patch and to brute-force. Root on the host already has full control of every container, so this gives up nothing you did not already trust the host with.
————————————————————————————————————————-
Now we need to change the interfaces file.
We will be using nano editor, as this is the default (and since we have no connection, we cannot install another one)
type the following command:
- nano /etc/network/interfaces
Now enter the failover configuration at the BOTTOM of the file (do not change anything already there) as follows.
Legend (the original used colours for these):
- eth0 = interface name (leave as eth0)
- IP-Failover = replace with your failover IP
- MAIN-SERVER-IP.1 = replace with your MAIN server IP with the last octet changed to 1 (eg. "xxx.xxx.xxx.1"); this is the gateway online.net uses. On OVH the gateway is the main server IP with the last octet changed to 254 instead.
Interface:
————————————————————————————————————————-
auto eth0
iface eth0 inet static
address IP-Failover
netmask 255.255.255.255
broadcast IP-Failover
gateway MAIN-SERVER-IP.1
pointopoint MAIN-SERVER-IP.1
————————————————————————————————————————-
The /32 netmask together with pointopoint is what makes this work: the gateway is not inside the container's own (single-address) subnet, so the kernel needs the explicit host route that pointopoint adds before it can install the default route through that gateway.
Save and close (ctrl+x | y)
now type the following command to bring the interface up:
- ifup eth0
1.4 Testing
Now let's do a simple test to see if we have internet access, by pinging Google's DNS server:
- ping 8.8.8.8
You should see replies. If you get "Network is unreachable", recheck the gateway and pointopoint lines; if packets go out but no replies come back, recheck that the MAC set in section 1.2 is exactly the virtual MAC generated for this failover IP. Keep in mind that the container is now directly reachable from the internet on this address, so check what is listening inside it before you install services.
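The whole of section 1.3 can be done from the host without entering the container. The script below is an added example, not part of the original guide: it derives the gateway from the main server IP (online.net .1, OVH .254), validates the addresses, appends the same interfaces stanza to the stopped container's filesystem and then starts it. The virtual MAC is still set in the web interface as in section 1.2. It assumes the Proxmox 3.x default container storage under /var/lib/vz/private and takes everything else as command-line arguments.

```shell
#!/bin/sh
# Added example (not from the original guide): configure a failover IP
# in a stopped OpenVZ CT from the Proxmox host.
# Assumptions: CT private area under /var/lib/vz/private (Proxmox 3.x
# default); the virtual MAC was already set on the CT's eth0 in the GUI.

# Gateway for a failover IP: the host's main IP with the last octet replaced.
# online.net uses .1 (as in the guide); OVH uses .254.
failover_gateway() {
    # $1 = main server IP, $2 = provider: online | ovh
    prefix=$(printf '%s' "$1" | sed 's/\.[0-9]*$//')
    case "$2" in
        online) printf '%s.1\n' "$prefix" ;;
        ovh)    printf '%s.254\n' "$prefix" ;;
        *)      echo "unknown provider: $2" >&2; return 1 ;;
    esac
}

# Reject anything that is not a dotted quad of four 0-255 octets.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# The stanza the guide appends to /etc/network/interfaces:
# a /32 address plus a point-to-point route to the provider gateway.
interfaces_stanza() {
    # $1 = failover IP, $2 = gateway
    printf 'auto eth0\niface eth0 inet static\n\taddress %s\n\tnetmask 255.255.255.255\n\tbroadcast %s\n\tgateway %s\n\tpointopoint %s\n' \
        "$1" "$1" "$2" "$2"
}

# Append the stanza to a stopped CT's interfaces file, start it and test.
configure_ct() {
    # $1 = VMID, $2 = failover IP, $3 = gateway,
    # $4 = CT private root (default /var/lib/vz/private)
    root="${4:-/var/lib/vz/private}/$1"
    if vzctl status "$1" | grep -q running; then
        echo "CT $1 is running; stop it first (vzctl stop $1)" >&2; return 1
    fi
    valid_ipv4 "$2" && valid_ipv4 "$3" || { echo "invalid address" >&2; return 1; }
    # While the CT is stopped its filesystem is under private/<VMID>;
    # once started the mounted view is root/<VMID>, so edit it only when stopped.
    interfaces_stanza "$2" "$3" >> "$root/etc/network/interfaces"
    vzctl start "$1"
    # 'auto eth0' brings the interface up at boot; verify from the host.
    vzctl exec "$1" ping -c 3 8.8.8.8
}

# Usage: sh ct-failover.sh <VMID> <failover-ip> <main-server-ip> <online|ovh>
if [ "$#" -eq 4 ]; then
    configure_ct "$1" "$2" "$(failover_gateway "$3" "$4")"
fi
```

The address validation is there because a malformed line in /etc/network/interfaces leaves the container without networking and, since sshd is not reachable yet, you would be back to vzctl enter to fix it.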
Installing Plesk on Ubuntu 14.04 LTS
Start with some basic updates
To ensure the base install has the latest updates and patches, we run some updates first.
Log in to your server with a terminal program such as PuTTY and run:
apt-get update
then
apt-get upgrade
While upgrading you will be asked to confirm (Y/n); answer y and press Enter to proceed with the upgrades.
Wait while the system works through all updates.
Give the server its new name
At this point we set the hostname, which should be the server's intended FQDN (fully qualified domain name). The file to edit is:
/etc/hostname
It contains the current (usually short) hostname; replace that line with the FQDN the server will be known by. It can be any domain or subdomain you own and control the DNS for (e.g. server.yourdomain.tld). Create an A record for this FQDN on the DNS server that manages the domain, pointing at your server's IP address, and add the FQDN next to your server's IP in /etc/hosts as well, since the installer checks that the hostname resolves.
This will be your server's hostname, and you will reach the Plesk control panel under this name when we are done. The file contains exactly one line, in this format:
server.yourdomain.tld
It's important that DNS for your chosen FQDN really points to your server's IP address before you start the installer; otherwise the Plesk installation will report errors and will not complete.
Once done, reboot the server.
Begin Installing Plesk and its requirements
Plesk has compatibility problems with AppArmor, so make sure it is not installed:
sudo apt-get remove apparmor
Be aware that this removes a mandatory access control layer from the system; the firewall and SSH hardening later in this guide do not replace it, so only do this on a host dedicated to Plesk.
Now download the Plesk installer script. Fetch it over HTTPS and save it to disk rather than piping it straight into sh, so you can read it before it runs as root:
wget -O one-click-installer https://autoinstall.plesk.com/one-click-installer
less one-click-installer
sh one-click-installer
Plesk should now be installed and running; you can confirm this with:
/etc/init.d/psa status
Show the Plesk admin password:
/usr/local/psa/bin/admin --show-password
You can now head over to https://<your server IP>:8443, or use the hostname you configured a little earlier: https://server.yourdomain.tld:8443
Log in with the username root and your root password, or with admin and the password shown above. On your first login you need to accept the Plesk terms and conditions, set up the admin user when prompted and fill in your contact details.
At this point you either need to purchase a licence, or you can try Plesk free for 15 days.
Install Some Additional Services & Features
At this point we generally install some extra items that aren't included in Plesk by default. These packages extend the distribution's PHP 5 (the default handler in Plesk on Ubuntu 14.04), not any additional PHP versions installed through Plesk.
apt-get install mcrypt
apt-get install php5-mcrypt
apt-get install php5-ioncube-loader
apt-get install php-apc
apt-get install php5-memcached memcached
apt-get install php5-imap
php5enmod imap
service apache2 restart
memcached has no authentication of its own, so it must only listen on the loopback interface. The Ubuntu default in /etc/memcached.conf (-l 127.0.0.1) does that; confirm after the restart that it is bound to 127.0.0.1 and not to your public address.
Avoiding Slow DNS Response Times with resolv.conf
Occasionally a DNS server will slow down and start responding slowly, with a knock-on effect on your server's own response times (every outbound mail, RBL lookup and reverse lookup waits on it). To limit the damage we add a couple of extra lines to the resolver configuration.
On Ubuntu /etc/resolv.conf is generated by resolvconf, so do not edit it directly. Navigate to /etc/resolvconf/resolv.conf.d and create a file named tail containing the following:
options timeout:1 attempts:1
#nameserver 8.8.8.8 #Google NS1
#nameserver 8.8.4.4 #Google NS2
#nameserver 208.67.220.220 #OpenDNS2
#nameserver 208.67.222.222 #OpenDNS1
#options timeout:1 rotate attempts:1
Then regenerate /etc/resolv.conf with resolvconf -u and check that the options line appears in it.
You'll notice most of these lines are commented out; remove the # at the start of a line if you wish to use it.
The only line we normally include is:
options timeout:1 attempts:1
timeout:1 tells the resolver library to give up on a nameserver and move to the next one in the list if it has not answered within 1 second (the default is 5). attempts:1 tells it to make only one pass through the list of nameservers before returning a failure to the application (the default is 2 passes), so a lookup can no longer hang for timeout x attempts x (number of nameservers) seconds. Before you do this, confirm that the resolvers your host provides answer well under 1 second: time a lookup with dig (its output reports the query time) rather than ping, which only measures ICMP round trip and says nothing about the resolver's own speed. If they don't, uncomment the Google or OpenDNS entries above; you may wish to do this anyway if those consistently respond faster than your host's own DNS.
You can additionally include the rotate option (commented out in the bottom line), which spreads queries across all listed nameservers in round-robin fashion. Without it the resolver always tries the first nameserver listed and only falls back to the next one when the first exceeds the timeout.
Open up Passive ports on proFTPd server
Edit /etc/proftpd.conf and add the following line to the end of the file:
PassivePorts 20000 20250
In this example we are using ports 20000 to 20250, but you can choose your own range as long as it does not overlap any other service's ports (pick something above 1024 and check what is already listening first). It can be bigger or smaller (250 ports here), but keep in mind the smaller the range, the smaller the hole we'll have to make through the firewall. Equally, you need enough ports for all of your active FTP users: every passive data connection (a directory listing or a file transfer) takes one port from this range for its duration, and clients open them in quick succession, so budget a handful per concurrent user.
Plesk runs ProFTPD through xinetd, so restart that to pick up the change:
/etc/init.d/xinetd restart
Install mod_cloudflare to allow correct IP tracking of visitors
We use Cloudflare quite a bit for clients' sites. Behind it, Apache sees Cloudflare's proxy addresses as the client IP in its logs and in REMOTE_ADDR. mod_cloudflare restores the real visitor address from the CF-Connecting-IP header, and only trusts that header when the request actually arrives from Cloudflare's published IP ranges; otherwise anyone could put a fake address in the header. Build and install it as follows:
apt-get install libtool apache2-dev
(apache2-threaded-dev is the package name on older Apache 2.2 installs; on 14.04 it is a transitional package for apache2-dev, so one of the two is enough)
wget https://www.cloudflare.com/static/misc/mod_cloudflare/mod_cloudflare.c
apxs -a -i -c mod_cloudflare.c
(or apxs2 -a -i -c mod_cloudflare.c, depending on which name your apache2-dev package installs)
Then restart Apache:
service apache2 restart
Cloudflare has since deprecated mod_cloudflare in favour of Apache's own mod_remoteip (Apache 2.4 and later), which does the same job with a RemoteIPHeader CF-Connecting-IP directive and RemoteIPTrustedProxy entries for Cloudflare's ranges. Either way, restoring the visitor IP does nothing about visitors who bypass Cloudflare and connect to your origin directly; if that matters, restrict ports 80 and 443 to Cloudflare's ranges in the firewall.
Auto reboot server when out of memory
As a last resort it can be better to reboot the server automatically when it runs out of memory than to let it hang for a long period. This costs a minute or two of downtime, but that is better than languishing in a swapping state for hours, or never recovering at all.
Create a file called /etc/sysctl.d/oom_reboot.conf with the following lines:
# panic kernel on OOM
vm.panic_on_oom=1
# reboot after 10 sec on panic
kernel.panic=10
Then confirm and activate it with:
sysctl -p /etc/sysctl.d/oom_reboot.conf
Be clear about what vm.panic_on_oom=1 does: the kernel panics every time the OOM killer would otherwise have run, including cases where killing a single runaway process would have been enough to recover. If that is too blunt for your server, leave it at 0, let the OOM killer work and protect the important daemons with a negative oom_score_adj instead. Files in /etc/sysctl.d are applied at boot, so whichever setting you choose survives a reboot.
Securing your Server
There are a huge number of things you can do to secure your server; I hope to go into some of these in more detail at a later date, but the following is a pretty good starting point.
Change your default SSH Port
Moving sshd off port 22 removes most of the automated password-guessing noise from your logs, but it is obscurity rather than a control: the SSH keys and disabled password login in the next step are what actually keep attackers out. Edit /etc/ssh/sshd_config and change:
Port 22
to any port of your choice; make sure it is not already used by another service on your server. In this example I've used 4444:
Port 4444
Then restart the SSH service:
service ssh restart
Keep your current session open and test a connection on the new port from a second terminal before you close it; if the login fails you can still fix the configuration from the session you already have. It's important to remember to connect through your new port number from now on, so make it something you'll remember.
Setup SSH Keys and disable password login
I created a separate post on how to do this: Secure SSH Keys Setup
Install and configure CSF Firewall
CSF isn't controllable from within Plesk, but it's a great adaptive firewall that can be made to work with Plesk; it simply needs to be managed from the command line, which is easier than it sounds with a little practice.
So let's install CSF. Fetch the tarball over HTTPS so it cannot be altered in transit:
rm -fv csf.tgz
wget https://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
Then run the following to confirm that CSF can function fully on your system (it checks that the iptables modules it relies on are available):
perl /etc/csf/csftest.pl
Now open the file /etc/csf/csf.conf with nano, or with WinSCP or similar.
This file is really well documented and is the core configuration of CSF. The great thing about CSF is its documentation, which is a good thing as it's quite a powerful firewall when set up correctly.
The configuration will vary depending on your server's needs and environment, and I suggest you take your time and read each option before you make a change, but the following are the ports that will always need to be configured to work with Plesk:
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,26,53,80,106,110,113,143,443,465,587,990,993,995,5432,8443,8447,8880,9080,11443,11444,20000:20250,4444"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,26,53,80,106,110,113,143,443,465,587,990,993,995,5432,5224,8443,8447,8880,9080,11443,11444,20000:20250"
# Allow incoming UDP ports
UDP_IN = "20,21,53"
# Allow outgoing UDP ports
UDP_OUT = "20,21,53,113,123,873,6277"
Please remember to swap out the 4444 for your own SSH port and the 20000:20250 for your own FTP passive port range, and remove 22 from TCP_IN once you have confirmed the new port works. With a little trial and error you can also close some of these ports if you don't need the service they correspond to; 5432 (PostgreSQL) and 8447 (the Plesk Installer web interface) in particular rarely need to be reachable from the internet. The list above is a good starting point that opens everything Plesk may require.
One more setting matters before the firewall does anything lasting: CSF ships with TESTING = "1", which flushes the rules every few minutes so that a mistake cannot lock you out for good. Set it to "0" once you have confirmed from a second session that SSH on your new port still gets through.
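Getting the SSH port and the passive FTP range out of step with TCP_IN is the classic way to lock yourself out of a Plesk box, so the script below (an added example, not part of the original post or of CSF) reads the three files edited in this guide and refuses to give the all-clear while either is missing from TCP_IN. The paths are arguments so it can be run against copies; the TESTING warning refers to CSF's own csf.conf setting.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check sshd_config,
# proftpd.conf and csf.conf before restarting CSF.
# Assumptions: CSF list syntax  NAME = "a,b,c:d"  and the Plesk ProFTPD
# PassivePorts directive as used in this guide.

# First uncommented Port directive in an sshd_config file; 22 if none.
ssh_port() {
    p=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | head -n 1 | awk '{print $2}')
    printf '%s\n' "${p:-22}"
}

# "PassivePorts A B" from proftpd.conf rendered as CSF range "A:B"; empty if absent.
ftp_passive_range() {
    grep -E '^[[:space:]]*PassivePorts[[:space:]]+[0-9]+[[:space:]]+[0-9]+' "$1" \
        | head -n 1 | awk '{print $2 ":" $3}'
}

# Print the entries of a CSF list such as TCP_IN one per line.
csf_list() {
    # $1 = csf.conf, $2 = variable name (TCP_IN, UDP_IN, ...)
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" \
        | tr ',' '\n'
}

# Succeed if the port or A:B range appears literally in the list.
csf_allows() {
    # $1 = csf.conf, $2 = variable name, $3 = port or A:B
    csf_list "$1" "$2" | grep -qx "$3"
}

# Run every check, one line per finding; non-zero if any check failed.
check_csf_lockout() {
    # $1 = sshd_config, $2 = proftpd.conf, $3 = csf.conf
    rc=0
    port=$(ssh_port "$1")
    if csf_allows "$3" TCP_IN "$port"; then
        echo "ok: SSH port $port is in TCP_IN"
    else
        echo "FAIL: SSH port $port is NOT in TCP_IN - do not restart csf yet"; rc=1
    fi
    range=$(ftp_passive_range "$2")
    if [ -z "$range" ]; then
        echo "warn: no PassivePorts in $2; passive FTP will pick random high ports"
    elif csf_allows "$3" TCP_IN "$range"; then
        echo "ok: passive FTP range $range is in TCP_IN"
    else
        echo "FAIL: passive FTP range $range is NOT in TCP_IN"; rc=1
    fi
    # CSF ships with TESTING = "1", which flushes the rules every few minutes.
    if grep -Eq '^[[:space:]]*TESTING[[:space:]]*=[[:space:]]*"1"' "$3"; then
        echo "warn: TESTING = \"1\" in $3; set it to \"0\" once the checks pass"
    fi
    return $rc
}

# Usage on a live server (the checks only run when all three paths are given):
#   sh csf_check.sh /etc/ssh/sshd_config /etc/proftpd.conf /etc/csf/csf.conf && csf -r
if [ "$#" -eq 3 ]; then
    check_csf_lockout "$1" "$2" "$3"
fi
```

Chaining it with csf -r via && means the restart only happens when the configuration is consistent; run it again after every edit to csf.conf, sshd_config or proftpd.conf.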
Once you've configured csf.conf just the way you want it, open the blocklist file located at /etc/csf/csf.blocklists.
Again, this is a well documented file; essentially it lets you pick which of the available firewall block lists CSF imports as its baseline. It's tempting to enable all of them, but it's recommended to go with two or three, as the combined IP list quickly becomes huge and can bog your system down with firewall rules. We're looking for secure, not slow.
There are a number of other files that can be edited; the primary ones are listed below:
csf.conf - the main configuration file, with helpful comments explaining what each option does
csf.allow - a list of IPs and CIDR ranges that should always be allowed through the firewall
csf.deny - a list of IPs and CIDR ranges that should never be allowed through the firewall
csf.ignore - a list of IPs and CIDR ranges that lfd should ignore and not block if detected
csf.*ignore - various ignore files listing files, users and IPs that lfd should ignore; see each file for its specific purpose
If you modify any of the files listed above, you need to restart csf for the change to take effect.
If you use Cloudflare you may wish to whitelist their IPs: look up their current IP list and add it to csf.allow so their proxies are never blocked by lfd.
CSF has very good documentation, but if you get stuck finding the csf command you are looking for, just type:
csf -h
This displays all possible csf command-line options.
This isn't intended as an in-depth user guide to CSF, but one final feature you may want to check out is the emailed security report. From the command line run:
csf -m you@youremailaddress.com
This emails you a report with a score and the areas where you can improve your server's security.
Remove SSL3
Due to vulnerabilities in SSL3 (the POODLE padding-oracle attack is what prompted this), it's a good idea to remove it from every service that offers TLS. You could do this one service at a time by editing each configuration file, since the web server, the mail services and the Plesk panel itself all have their own setting; thankfully, Plesk have made a little script that does it all in one go.
Read about the issue and download the script from Plesk, then upload it to your server and run:
sh ssl_v3_disable.sh
You can use an online SSL test to confirm this has worked; it should report that SSLv3 is not offered on port 443, and the same check is worth repeating for the panel on 8443 and the mail ports (465, 993 and 995), which the web-only tools do not cover. Today TLS 1.0 and 1.1 are deprecated as well, so the same exercise applies to them.
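The online tools only test port 443, so here is an added example (not from the original post or from Plesk) that probes all the Plesk ports with openssl s_client -ssl3 and turns openssl's output into a verdict. It assumes an openssl build that still accepts -ssl3 (Ubuntu 14.04's OpenSSL 1.0.1 does; newer builds usually compile SSLv3 out, in which case the option itself errors and the result shows as unknown, which is itself the answer).

```shell
#!/bin/sh
# Added example (not from the original post): check that SSLv3 is really
# gone from every Plesk service, not only the web server.
# Assumption: the local openssl still supports the -ssl3 option.

# Classify the combined stdout/stderr of `openssl s_client -ssl3`:
# "enabled"  - an SSLv3 session was negotiated
# "disabled" - the server refused the SSLv3 handshake
# "unknown"  - no handshake happened (refused connection, missing -ssl3 support, ...)
classify_ssl3_output() {
    # $1 = captured output of openssl s_client
    if printf '%s\n' "$1" | grep -q 'Protocol *: SSLv3'; then
        echo enabled
    elif printf '%s\n' "$1" | grep -Eq 'handshake failure|alert protocol version|wrong version number|no peer certificate available'; then
        echo disabled
    else
        echo unknown
    fi
}

# Probe one host:port and print "host port: verdict".
probe_ssl3() {
    # $1 = host, $2 = port
    out=$(echo | openssl s_client -connect "$1:$2" -ssl3 2>&1)
    printf '%s %s: %s\n' "$1" "$2" "$(classify_ssl3_output "$out")"
}

# Usage: sh ssl3_probe.sh server.yourdomain.tld [port ...]
# Default ports are the ones this guide opens that speak TLS:
# 443 (web), 8443 (panel), 465 (SMTPS), 993 (IMAPS), 995 (POP3S).
if [ "$#" -ge 1 ]; then
    host=$1; shift
    for port in ${*:-443 8443 465 993 995}; do
        probe_ssl3 "$host" "$port"
    done
fi
```

Any line that says enabled means the script missed a service; any that says unknown deserves a look at the raw openssl output before you trust it.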
At this point you should now have Plesk installed on Ubuntu 14.04 LTS, secured and ready for use. If you have any problems just add a comment and I’ll try and help if I can.