{"id":226,"date":"2013-06-05T12:15:37","date_gmt":"2013-06-05T12:15:37","guid":{"rendered":"http:\/\/blog.shineservers.com\/?p=226"},"modified":"2013-06-05T12:15:37","modified_gmt":"2013-06-05T12:15:37","slug":"how-to-secure-and-optimize-your-vps","status":"publish","type":"post","link":"https:\/\/www.shineservers.com\/2013\/06\/05\/how-to-secure-and-optimize-your-vps\/","title":{"rendered":"How To Secure and Optimize Your VPS"},"content":{"rendered":"

SECURING CPANEL – WHM – AND ROOT on a VPS<\/span><\/b><\/p>\n

This will help but as mentioned in previous posts, with a VPS you do not have access to your kernal. That is good in some ways, because if you don’t have access to it, neither to hackers or spammers (which limits what they can do). Its bad in ways, because you lose control and if you secure your box as much as possible, you are still at risk because you cannot control your kernal.<\/p>\n

At any rate, here are some helpful hints\u00a0\"\"<\/p>\n

=========================================
\nChecking for formmail<\/span><\/b>
\n=========================================<\/p>\n

Form mail is used by hackers to send out spam email, by relay and injection methods. If you are using matts script or a version of it, you may be in jeopardy.<\/p>\n

Command to find pesky form mails:
\nfind \/ -name “[Ff]orm[mM]ai*”<\/p>\n

CGIemail is also a security risk:
\nfind \/ -name “[Cc]giemai*”<\/p>\n

Command to disable form mails:
\nchmod a-rwx \/path\/to\/filename
\n(a-rwx translates to all types, no read, write or execute permissions).<\/p>\n

(this disables all form mail)<\/p>\n

If a client or someone on your vps installs form mail, you will have to let them know you are disabling their script and give them an alternative.<\/p>\n

=========================================
\nRoot kit checker –\u00a0<\/b><\/span>http:\/\/www.chkrootkit.org\/<\/b><\/span><\/a>
\n=========================================<\/p>\n

Check for root kits and even set a root kit on a cron job. This will show you if anyone has compromised your root. Always update chrootkit to get the latest root kit checker. Hackers and spammers will try to find insecure upload forms on your box and then with injection methods, try to upload the root kit on your server. If he can run it, it will modify *alot* of files, possibly causing you to have to reinstall.<\/p>\n

To install chrootkit, SSH into server and login as root.
\nAt command prompt type:<\/p>\n

cd \/root\/
\nwget\u00a0ftp:\/\/ftp.pangeia.com.br\/pub\/seg\/pac\/chkrootkit.tar.gz<\/a>
\ntar xvzf chkrootkit.tar.gz
\ncd chkrootkit-0.44
\nmake sense<\/p>\n

To run chkrootkit<\/p>\n

At command prompt type:
\n\/root\/chkrootkit-0.44\/chkrootkit<\/p>\n

Make sure you run it on a regular basis, perhaps including it in a cron job.<\/p>\n

Execution<\/p>\n

I use these three commands the most.
\n.\/chkrootkit
\n.\/chkrootkit -q
\n.\/chkrootkit -x | more<\/p>\n

=========================================
\nInstall a root breach DETECTOR and EMAIL WARNING\u00a0<\/span><\/b>
\n=========================================<\/p>\n

If someone does happen to get root, be warned quickly by installing a detector and warning at your box. You will at least get the hackers\/spammers ip address and be warned someone is in there.<\/p>\n

Server e-mail everytime someone logs in as root<\/p>\n

To have the server e-mail you everytime someone logs in as root, SSH into server and login as root.<\/p>\n

At command prompt type:
\npico .bash_profile<\/p>\n

Scroll down to the end of the file and add the following line:<\/p>\n

echo ‘ALERT – Root Shell Access on:’ `date` `who` | mail -s “Alert: Root Access from `who | awk ‘{print $6}’`”\u00a0your@email.com<\/a><\/p>\n

Save and exit.<\/p>\n

Set an SSH Legal Message<\/p>\n

To an SSH legal message, SSH into server and login as root.<\/p>\n

At command prompt type:
\npico \/etc\/motd<\/p>\n

Enter your message, save and exit.
\nNote: I use the following message…<\/p>\n

ALERT! You are entering a secured area! Your IP and login information
\nhave been recorded. System administration has been notified.
\nThis system is restricted to authorized access only. All activities on
\nthis system are recorded and logged. Unauthorized access will be fully
\ninvestigated and reported to the appropriate law enforcement agencies.<\/p>\n

=========================================
\nWeb Host manager and CPANEL mods.<\/b><\/span>
\n=========================================<\/p>\n

These are items inside of WHM\/Cpanel that should be changed to secure your server.<\/p>\n

Goto Server Setup =>> Tweak Settings
\nCheck the following items…<\/p>\n

Under Domains
\nPrevent users from parking\/adding on common internet domains. (ie hotmail.com, aol.com)<\/p>\n

Under Mail
\nAttempt to prevent pop3 connection floods
\nDefault catch-all\/default address behavior for new accounts – blackhole
\n(according to ELIX – set this to FAIL, which is what I am going to do to reduce server load)<\/b><\/p>\n

Under System
\nUse jailshell as the default shell for all new accounts and modified accounts<\/p>\n

Goto Server Setup =>> Tweak Security
\nEnable php open_basedir Protection
\nEnable mod_userdir Protection
\nDisabled Compilers for unprivileged users.<\/p>\n

Goto Server Setup =>> Manage Wheel Group Users
\nRemove all users except for root and your main account from the wheel group.<\/p>\n

Goto Server Setup =>> Shell Fork Bomb Protection
\nEnable Shell Fork Bomb\/Memory Protection<\/p>\n

When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.<\/p>\n

Goto Service Configuration =>> FTP Configuration
\nDisable Anonymous FTP<\/p>\n

Goto Account Functions =>> Manage Shell Access
\nDisable Shell Access for all users (except yourself)<\/p>\n

Goto Mysql =>> MySQL Root Password
\nChange root password for MySQL<\/p>\n

Goto Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:
\n\/sbin\/depmod
\n\/sbin\/insmod
\n\/sbin\/insmod.static
\n\/sbin\/modinfo
\n\/sbin\/modprobe
\n\/sbin\/rmmod<\/p>\n

=========================================
\nMore Security Measures\u00a0<\/span><\/b>
\n=========================================<\/p>\n

These are measures that can be taken to secure your server, with SSH access.<\/p>\n

Update OS, Apache and CPanel to the latest stable versions.
\nThis can be done from WHM\/CPanel.<\/p>\n

Restrict SSH Access
\nTo restrict and secure SSH access, bind sshd to a single IP that is different than the main IP to the server, and on a different port than port 22.<\/p>\n

SSH into server and login as root.
\nNote: You can download Putty by Clicking Here (http:\/\/www.chiark.greenend.org.uk\/~s…\/download.html<\/a>). It’s a clean running application that will not require installation on Windows-boxes.<\/p>\n

At command prompt type:
\npico \/etc\/ssh\/sshd_config<\/p>\n

Scroll down to the section of the file that looks like this:
\n#Port 22
\n#Protocol 2, 1
\n#ListenAddress 0.0.0.0
\n#ListenAddress ::<\/p>\n

Uncomment and change
\n#Port 22
\nto look like
\nPort 5678 (choose your own 4 to 5 digit port number (49151 is the highest port number AND do not use 5678\u00a0\"\"\u00a0lol )<\/p>\n

Uncomment and change
\n#Protocol 2, 1
\nto look like
\nProtocol 2<\/p>\n

Uncomment and change
\n#ListenAddress 0.0.0.0
\nto look like
\nListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)<\/p>\n

Note 1: If you would like to disable direct Root Login, scroll down until you find
\n#PermitRootLogin yes
\nand uncomment it and make it look like
\nPermitRootLogin no<\/p>\n

Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.<\/p>\n

Note 2: You can also create a custome nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A address to your zone file for the new nameserver.<\/p>\n

Now restart SSH
\nAt command prompt type:
\n\/etc\/rc.d\/init.d\/sshd restart<\/p>\n

Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.<\/p>\n

Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very unsecure protocol, so change your root password after you use it.<\/p>\n

After SSH has been redirected, disable telnet.<\/p>\n

Disable Telnet
\nTo disable telnet, SSH into server and login as root.
\nAt command prompt type: pico -w \/etc\/xinetd.d\/telnet
\nchange disable = no to disable = yes
\nSave and Exit
\nAt command prompt type: \/etc\/init.d\/xinetd restart<\/p>\n

Disable Shell Accounts
\nTo disable any shell accounts hosted on your server SSH into server and login as root.
\nAt command prompt type: locate shell.php
\nAlso check for:
\nlocate irc
\nlocate eggdrop
\nlocate bnc
\nlocate BNC
\nlocate ptlink
\nlocate BitchX
\nlocate guardservices
\nlocate psyBNC
\nlocate .rhosts<\/p>\n

Note: There will be several listings that will be OS\/CPanel related. Examples are
\n\/home\/cpapachebuild\/buildapache\/php-4.3.1\/ext\/ircg
\n\/usr\/local\/cpanel\/etc\/sym\/eggdrop.sym
\n\/usr\/local\/cpanel\/etc\/sym\/bnc.sym
\n\/usr\/local\/cpanel\/etc\/sym\/psyBNC.sym
\n\/usr\/local\/cpanel\/etc\/sym\/ptlink.sym
\n\/usr\/lib\/libncurses.so
\n\/usr\/lib\/libncurses.a
\netc.<\/p>\n

Disable identification output for Apache<\/p>\n

(do this to hide version numbers from potentional hackers)<\/p>\n

To disable the version output for proftp, SSH into server and login as root.
\nAt command prompt type: pico \/etc\/httpd\/conf\/httpd.conf<\/p>\n

Scroll (way) down and change the following line to
\nServerSignature Off<\/p>\n

Restart Apache
\nAt command prompt type: \/etc\/rc.d\/init.d\/httpd restart<\/p>\n

=========================================
\nInstall BFD (Brute Force Detection – optional)<\/span><\/b>
\n=========================================<\/p>\n

To install BFD, SSH into server and login as root.<\/p>\n

At command prompt type:
\ncd \/root\/
\nwget\u00a0http:\/\/www.rfxnetworks.com\/downloads\/bfd-current.tar.gz<\/a>
\ntar -xvzf bfd-current.tar.gz
\ncd bfd-0.4
\n.\/install.sh<\/p>\n

After BFD has been installed, you need to edit the configuration file.<\/p>\n

At command prompt type:
\npico \/usr\/local\/bfd\/conf.bfd<\/p>\n

Under Enable brute force hack attempt alerts:
\nFind
\nALERT_USR=”0″
\nand change it to
\nALERT_USR=”1″<\/p>\n

Find
\nEMAIL_USR=”root”
\nand change it to
\nEMAIL_USR=”your@email.com<\/a>”<\/p>\n

Save the changes then exit.<\/p>\n

To start BFD<\/p>\n

At command prompt type:
\n\/usr\/local\/sbin\/bfd -s<\/p>\n

Modify LogWatch
\nLogwatch is a customizable log analysis system. It parses through your system’s logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. Logwatch is already installed on most CPanel servers.<\/p>\n

To modify LogWatch, SSH into server and login as root.<\/p>\n

At command prompt type:
\npico -w \/etc\/log.d\/conf\/logwatch.conf<\/p>\n

Scroll down to
\nMailTo = root
\nand change to
\nMailto =\u00a0your@email.com<\/a>
\nNote: Set the e-mail address to an offsite account incase you get hacked.<\/p>\n

Now scroll down to
\nDetail = Low
\nChange that to Medium, or High…
\nDetail = 5 or Detail = 10
\nNote: High will give you more detailed logs with all actions.<\/p>\n

Save and exit.<\/p>\n

A number of suggestions to improve system security. Some of this is specific to CPanel, but much can be applied to most Linux systems.
\n————————————————–
\nUse The Latest Software
\nKeep the OS and 3rd party software up to date. Always!
\nCPanel itself can be updated from the root WHM.
\n————————————————–
\nChange Passwords
\nChange the root passwords at least once a month and try to make them hard to guess. Yes it’s a pain to have to keep remembering them, but it’s better than being hacked.<\/p>\n

————————————————–
\nSet Up A More Secure SSH Environment As described here.
\n————————————————–
\nDisable Telnet
\n1. Type: pico -w \/etc\/xinetd.d\/telnet
\n2. Change the disable = no line to disable = yes.
\n3. Hit CTRL+X press y and then enter to save the file.
\n4. Restart xinted with: \/etc\/rc.d\/init.d\/xinetd restart
\nAlso, add the following line to \/etc\/deny.hosts to flag Telnet access attempts as ’emergency’ messages.<\/p>\n

in.telnetd : ALL : severity emerg<\/p>\n

————————————————–
\nDisable Unnecessary Ports (optional)
\nFirst backup the file that contains your list of ports with:
\ncp \/etc\/services \/etc\/services.original
\nNow configure \/etc\/services so that it only has the ports you need in it. This will match the ports enabled in your firewall.
\nOn a typical CPanel system it would look something like this:
\n<?php
\ntcpmux 1\/tcp # TCP port service multiplexer
\necho 7\/tcp
\necho 7\/udp
\nftp-data 20\/tcp
\nftp 21\/tcp
\nssh 22\/tcp # SSH Remote Login Protocol
\nsmtp 25\/tcp mail
\ndomain 53\/tcp # name-domain server
\ndomain 53\/udp
\nhttp 80\/tcp www www-http # WorldWideWeb HTTP
\npop3 110\/tcp pop-3 # POP version 3
\nimap 143\/tcp imap2 # Interim Mail Access Proto v2
\nhttps 443\/tcp # MCom
\nsmtps 465\/tcp # SMTP over SSL (TLS)
\nsyslog 514\/udp
\nrndc 953\/tcp # rndc control sockets (BIND 9)
\nrndc 953\/udp # rndc control sockets (BIND 9)
\nimaps 993\/tcp # IMAP over SSL
\npop3s 995\/tcp # POP-3 over SSL
\ncpanel 2082\/tcp
\ncpanels 2083\/tcp
\nwhm 2086\/tcp
\nwhms 2087\/tcp
\nwebmail 2095\/tcp
\nwebmails 2096\/tcp
\nmysql 3306\/tcp # MySQL
\n?>
\nAdditional ports are controlled by \/etc\/rpc. These aren’t generally needed, so get shot of that file with: mv \/etc\/rpc \/etc\/rpc-moved
\n————————————————–
\nWatch The Logs
\nInstall something like logwatch to keep an eye on your system logs. This will extract anything ‘interesting’ from the logs and e-mail to you on a daily basis.
\nLogwatch can be found at:\u00a0http:\/\/www.logwatch.org<\/a>
\nInstall instructions here.
\n————————————————–
\nAvoid CPanel Demo Mode
\nSwitch it off via WHM Account Functions => Disable or Enable Demo Mode.
\n————————————————–
\nJail All Users
\nVia WHM Account Functions => Manage Shell Access => Jail All Users.
\nBetter still never allow shell access to anyone – no exceptions.
\n————————————————–
\nImmediate Notification Of Specific Attackers
\nIf you need immediate notification of a specific attacker (TCPWrapped services only), add the following to \/etc\/hosts.deny<\/p>\n

ALL : nnn.nnn.nnn.nnn : spawn \/bin\/ ‘date’ %c %d | mail -s”Access attempt by nnn.nnn.nnn.nnn on for hostname”\u00a0notify@mydomain.com<\/a>
\nReplacing nnn.nnn.nnn.nnn with the attacker’s IP address.
\nReplacing hostname with your hostname.
\nReplacing\u00a0notify@mydomain.com<\/a>\u00a0with your e-mail address.
\nThis will deny access to the attacker and e-mail the sysadmin about the access attempt.
\n————————————————–
\nCheck Open Ports
\nFrom time to time it’s worth checking which ports are open to the outside world. This can be done with:
\nnmap -sT -O localhost
\nIf nmap isn’t installed, it can be selected from root WHM’s Install an RPM option.
\n————————————————–
\nSet The MySQL Root Password
\nThis can be done in CPanel from the root WHM Server Setup -> Set MySQL Root Password.
\nMake it different to your root password!
\n————————————————–
\nTweak Security (CPanel)
\nFrom the root WHM, Server Setup -> Tweak Security, you will most likely want to enable:
\n– php open_basedir Tweak.
\n– SMTP tweak.
\nYou may want to enable:
\n– mod_userdir Tweak. But that will disable domain preview.
\n————————————————–
\nUse SuExec (CPanel)
\nFrom root WHM, Server Setup -> Enable\/Disable SuExec. This is CPanel’s decription of what it does:
\n“suexec allows cgi scripts to run with the user’s id. It will also make it easier to track which user has sent out an email. If suexec is not enabled, all cgi scripts will run as nobody. ”
\nEven if you don’t use phpsuexec (which often causes more problems), SuExec should be considered.
\n————————————————–
\nUse PHPSuExec (CPanel)
\nThis needs to built into Apache (Software -> Update Apache from the root WHM) and does the same as SuExec but for PHP scripts.
\nWisth PHPSuExec enabled, you users will have to make sure that all their PHP files have permissions no greater than 0755 and that their htaccess files contain no PHP directives.
\n————————————————–
\nDisable Compilers
\nThis will prevent hackers from compiling worms, root kits and the like on your machine.
\nTo disable them, do the following:<\/p>\n

chmod 000 \/usr\/bin\/perlcc
\nchmod 000 \/usr\/bin\/byacc
\nchmod 000 \/usr\/bin\/yacc
\nchmod 000 \/usr\/bin\/bcc
\nchmod 000 \/usr\/bin\/kgcc
\nchmod 000 \/usr\/bin\/cc
\nchmod 000 \/usr\/bin\/gcc
\nchmod 000 \/usr\/bin\/i386*cc
\nchmod 000 \/usr\/bin\/*c++
\nchmod 000 \/usr\/bin\/*g++
\nchmod 000 \/usr\/lib\/bcc \/usr\/lib\/bcc\/bcc-cc1
\nchmod 000 \/usr\/i386-glibc21-linux\/lib\/gcc-lib\/i386-redhat-linux\/2.96\/cc1<\/p>\n

You will need to enable them again when you need to perform system updates. To do this, run:<\/p>\n

chmod 755 \/usr\/bin\/perlcc
\nchmod 755 \/usr\/bin\/byacc
\nchmod 755 \/usr\/bin\/yacc
\nchmod 755 \/usr\/bin\/bcc
\nchmod 755 \/usr\/bin\/kgcc
\nchmod 755 \/usr\/bin\/cc
\nchmod 755 \/usr\/bin\/gcc
\nchmod 755 \/usr\/bin\/i386*cc
\nchmod 755 \/usr\/bin\/*c++
\nchmod 755 \/usr\/bin\/*g++
\nchmod 755 \/usr\/lib\/bcc \/usr\/lib\/bcc\/bcc-cc1
\nchmod 755 \/usr\/i386-glibc21-linux\/lib\/gcc-lib\/i386-redhat-linux\/2.96\/cc1<\/p>\n

————————————————–
\nObfuscate The Apache Version Number
\n1. Type: pico \/etc\/httpd\/conf\/httpd.conf
\n2. Change the line that begins ServerSignature to:<\/p>\n

ServerSignature Off<\/p>\n

3. Add a line underneath that which reads:<\/p>\n

ServerTokens ProductOnly<\/p>\n

4. Hit CTRL+X, they y, the enter to save the file.
\n5. Restart Apache with: \/etc\/rc.d\/init.d\/httpd restart
\n——————–<\/p>\n

COMMON COMMANDS I USE
\nSystem Information
\nwho
\nList the users logged in on the machine. —<\/p>\n

rwho -a
\nList all users logged in on your network. The rwho service must be enabled for this command to work.<\/p>\n

finger user_name
\nSystem info about a user. Try: finger root last. This lists the users last logged-in on your system.<\/p>\n

history | more
\nShow the last (1000 or so) commands executed from the command line on the current account. The | more causes the display to stop after each screen fill.<\/p>\n

pwd
\nPrint working directory, i.e. display the name of your current directory on the screen.<\/p>\n

hostname
\nPrint the name of the local host (the machine on which you are working).<\/p>\n

whoami
\nPrint your login name.<\/p>\n

id username
\nPrint user id (uid) and his\/her group id (gid), effective id (if different than the real id) and the supplementary groups.<\/p>\n

date
\nPrint or change the operating system date and time. E.g., change the date and time to 2000-12-31 23:57 using this command<\/p>\n

date 123123572000
\nTo set the hardware clock from the system clock, use the command (as root)
\nsetclock<\/p>\n

time
\nDetermine the amount of time that it takes for a process to complete+ other info. Don\u2019t confuse it with date command. For e.g. we can find out how long it takes to display a directory content using time ls<\/p>\n

uptime
\nAmount of time since the last reboot<\/p>\n

ps
\nList the processes that are have been run by the current user.<\/p>\n

ps aux | more
\nList all the processes currently running, even those without the controlling terminal, together with the name of the user that owns each process.<\/p>\n

top
\nKeep listing the currently running processes, sorted by cpu usage (top users first).<\/p>\n

uname -a
\nInfo on your server.<\/p>\n

free
\nMemory info (in kilobytes).<\/p>\n

df -h
\nPrint disk info about all the file systems in a human-readable form.<\/p>\n

du \/ -bh | more
\nPrint detailed disk usage for each subdirectory starting at root (in a human readable form).<\/p>\n

lsmod
\n(as root. Use \/sbin\/lsmod to execute this command when you are a non-root user.) Show the kernel modules currently loaded.<\/p>\n

set|more
\nShow the current user environment.<\/p>\n

echo $PATH
\nShow the content of the environment variable PATH. This command can be used to show other environment variables as well. Use set to see the full environment.<\/p>\n

dmesg | less
\nPrint kernel messages (the current content of the so-called kernel ring buffer). Press q to quit less. Use less \/var\/log\/dmesg to see what dmesg dumped into the file right after bootup. – only works on dedciated systems<\/p>\n

Commands for Process control
\nps
\nDisplay the list of currently running processes with their process IDs (PID) numbers. Use ps aux to see all processes currently running on your system (also those of other users or without a controlling terminal),
\neach with the name of the owner. Use top to keep listing the processes currently running.<\/p>\n

fg
\nPID Bring a background or stopped process to the foreground.<\/p>\n

bg
\nPID Send the process to the background. This is the opposite of fg. The same can be accomplished with Ctrl z<\/p>\n

any_command &
\nRun any command in the background (the symbol \u2018&\u2019 means run the command in the background?).<\/p>\n

kill PID
\nForce a process shutdown. First determine the PID of the process to kill using ps.<\/p>\n

killall -9 program_name
\nKill program(s) by name.<\/p>\n

xkill
\n(in an xwindow terminal) Kill a GUI-based program with mouse. (Point with your mouse cursor at the window of the process you want to kill and click.)<\/p>\n

lpc
\n(as root) Check and control the printer(s). Type ??? to see the list of available commands.<\/p>\n

lpq
\nShow the content of the printer queue.<\/p>\n

lprm job_number
\nRemove a printing job job_number from the queue.<\/p>\n

nice program_name
\nRun program_name adjusting its priority. Since the priority is not specified in this example, it will be adjusted by 10 (the process will run slower), from the default value (usually 0). The lower the number (of niceness to other users on the system), the higher the priority. The priority value may be in the range -20 to 19. Only root may specify negative values. Use top to display the priorities of the running processes.<\/p>\n

renice -1 PID
\n(as root) Change the priority of a running process to -1. Normal users can only adjust processes they own, and only up from the current value (make them run slower).<\/p>\n

Optimising mysql is very well commented on the net, and you\u2019ll find huge information on how to do this. There is never \u201cbest parameters\u201d, the best parameters is those fits your needs, box hardware, mysql usage\u2026
\nSo, I\u2019ll not give the best parameters but rather how to define these ones. Make some tests, and you\u2019ll quickly find your own parameters.<\/p>\n

I\u2019ll give you at the end of this post some web pointers which may help you.<\/p>\n

There a lot of available parameters but only few one are very important to tweak your mysql box.<\/p>\n

The most important variables are (for me, and it is not exhaustive)<\/p>\n

\n
\n
\n
<\/div>\n

– max_connections
\n– wait_timeout
\n– thread_cache_size
\n–
\n– table_cache
\n–
\n– key_buffer_size
\n– query_cache_size
\n– tmp_table_size<\/p><\/div>\n<\/div>\n<\/div>\n

First of all, how to find your variable, and the mysql usage ?<\/b><\/span><\/p>\n

*VARIABLES<\/b><\/p>\n

\n
\n
\n
<\/div>\n

from mysql :
\nshow variables;<\/p>\n

or from command line :
\nmysqladmin variables<\/p><\/div>\n<\/div>\n<\/div>\n

*PROCESS \/ STATUS<\/b><\/p>\n

\n
\n
\n
<\/div>\n

from Mysql :
\nshow status;<\/p>\n

or from command line
\nmysqladmin \u2013i10 processlist extended-status<\/p><\/div>\n<\/div>\n<\/div>\n

*SOME USEFUL COMMAND FOR YOU BOX USAGE<\/b><\/p>\n

\n
\n
\n
<\/div>\n

>Top<\/p>\n

>ps \u2013axfu<\/p>\n

>vmstat 1<\/p><\/div>\n<\/div>\n<\/div>\n

* OPTIMISING MYSQL<\/b><\/p>\n

To obtain the stat of your mysql server since it has been loaded, run mysqladmin processlist extended-status as mentionned above.<\/p>\n

1 – The two most important variables\u00a0<\/span>:\u00a0Table_cache and Key_buffer_size<\/span><\/b><\/p>\n

* If Opened_tables is big, then your table_cache variable is probably
\ntoo small.<\/span>
\ntable_cache 64
\nOpen_tables 64
\nOpened_tables 544468<\/p>\n

This is the first serious problem. “The table_cache is the number of open
\ntables for all threads. MySQL, being multi-threaded, may be running many
\nqueries on the table at one time, and each of these will open a table.”
\nTherefore, even though we only have a few tables, we will need many more
\nopen_tables.<\/p>\n

The Opened_tables value is high and shows the number of
\ncache misses. Getting the table_cache size correct is one of the two best
\nthings you can do to improve performance.<\/p>\n

* If Key_reads is big, then your key_buffer_size variable is probably
\ntoo small. The cache hit rate can be calculated with
\nKey_reads\/Key_read_requests.<\/span>
\nkey_buffer_size 16M
\nKey_read_requests 2973620399
\nKey_reads 8490571
\n(cache hit rate = 0.0028)<\/p>\n

\u201cThe key_buffer_size affects the size of the index buffers and the speed
\nof index handling, particularly reading.” The MySQL manual (and other sources) say that
\n“Key_reads\/Key_read_request ratio should normally be < 0.01.” This is the
\nother most important thing to get correct. Here the value seems to be correct (< 0.01)<\/p>\n

Also check key_write_requests and key_writes.
\nThe key_writes\/key_writes_request should normally be < 1 (near 0.5 seems to be fine)<\/p>\n

Here is a very interesting web pointer :http:\/\/www.databasejournal.com\/features\/mysql\/article.php\/10897_1402311_3<\/p>\n

2 –\u00a0Others important settings are\u00a0<\/span>:\u00a0Wait_timeout, max_connexion, thread_cache<\/span><\/b><\/p>\n

A little explanation :<\/b>
\nGeneraly you have a lot of mysql process that are sleeping because wait_timeout are not set low. So I make sure that the wait_timeout is set to a very low value: 15 seconds (for me) . That means MySQL would close any connection that was idle for more than 15 seconds.<\/p>\n

The problem is you also have to increment your max_connexion (mine is set to 300) to be sure there is not a lot of idle clients holding connections and blocking out new clients from connecting and getting real work done.
\nThe pbm is that the box has to create new threads (MySQL is a multi-threaded server) at a very high rate. That may sucks up a measurable amount of CPU time.<\/p>\n

So the solution is to use the Thread_cache (from mysql doc) :
\n\u201cHow many threads we should keep in a cache for reuse. When a client disconnects, the client’s threads are put in the cache if there aren’t more than thread_cache_size threads from before. All new threads are first taken from the cache, and only when the cache is empty is a new thread created. This variable can be increased to improve performance if you have a lot of new connections. (Normally this doesn’t give a notable performance improvement if you have a good thread implementation.) By examing the difference between the Connections and Threads_created you can see how efficient the current thread cache is for you.\u201d<\/p>\n

* If Threads_created is big, you may want to increase the
\nthread_cache_size variable. The cache hit rate can be calculated with
\nThreads_created\/Connections.<\/span>
\nthread_cache_size 0
\nThreads_created 150022
\nConnections 150023<\/p>\n

This is the second problem that should be fixed. A cache size of zero is the default for my-medium.cnf but the recommended size in my-large.cnf is 8.<\/p>\n

you may try this formula : table_cache = opened table \/ max_used_connection<\/p>\n

3 – Finally, you may also have a look at\u00a0<\/span>:\u00a0tmp_table_size and Handler_read_rnd \/ Handler_read_rnd_next<\/span>\u00a0<\/b><\/p>\n

* If Created_tmp_disk_tables is big, you may want to increase the
\ntmp_table_size variable to get the temporary tables memory-based instead
\nof disk based.<\/span><\/p>\n

tmp_table_size 32M
\nCreated_tmp_disk_tables 3227
\nCreated_tmp_tables 159832
\nCreated_tmp_files 4444<\/p>\n

Created_tmp_disk_tables are the “number of implicit temporary tables on
\ndisk created while executing statements” and Created_tmp_tables are
\nmemory-based. Obviously it is bad if you have to go to disk instead of
\nmemory. About 2% of temp tables go to disk, which doesn’t seem too bad
\nbut increasing the tmp_table_size probably couldn’t hurt either.<\/p>\n

* If Handler_read_rnd is big, then you probably have a lot of queries
\nthat require MySQL to scan whole tables or you have joins that don’t use
\nkeys properly.<\/span>
\nHandler_read_rnd 27712353
\nHandler_read_rnd_next 283536234<\/p>\n

These values are high, that we could probably stand to improve
\nthe indexes and queries.<\/p>\n

I hope this will help some of you to more understand how it is possible to optimise MYSQL to fit your needs, hardaware box, or mysql current usage.<\/p>\n

Maybe there is others tweaks to perform, but I know well only these ones. I did setup using these ones on differents mysql box, and generally it did help us to increase performance without have to change hardware (our boxes have 2GB ram)<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

SECURING CPANEL – WHM – AND ROOT on a VPS This will help but as mentioned in previous posts, with a VPS you do not have access to your kernal. That is good in some ways, because if you don’t have access to it, neither to hackers or spammers (which limits what they can do). […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[58,60],"tags":[101],"class_list":["post-226","post","type-post","status-publish","format-standard","hentry","category-cpanel-control-panel","category-linux","tag-how-to-secure-and-optimize-your-vps"],"acf":[],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.shineservers.com\/wp-json\/wp\/v2\/posts\/226","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.shineservers.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.shineservers.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.shineservers.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.shineservers.com\/wp-json\/wp\/v2\/comments?post=226"}],"version-history":[{"count":0,"href":"https:\/\/www.shineservers.com\/wp-json\/wp\/v2\/posts\/226\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.shineservers.com\/wp-json\/wp\/v2\/media?parent=226"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.shineservers.com\/wp-json\/wp\/v2\/categories?post=226"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.shineservers.com\/wp-json\/wp\/v2\/tags?post=226"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}