This is a general, share with the community post. There are a bunch of things I do whenever I set up a new Hestia server. Some pretty generic, and personal like fixing .bashrc to my satisfaction. But there are a bunch of others, so I thought I’d share them here, and see if anyone wanted to add to the list.
OK, so this one for a start … I generally set up a script called weekly_maintenance.sh and run it via root’s cron. Currently it looks like this
```bash
#!/bin/bash
# See if there's an update for wp-cli
/usr/local/bin/wp-cli cli update --allow-root --yes
# Clean system log
/bin/journalctl --vacuum-size=500M > /dev/null
# Remove tmp session files over one day old
find /home/*/tmp -type f -name 'sess_*' -mtime +1 -delete
# Clean fail2ban db
/usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "delete from bans where timeofban <= strftime('%s', date('now', '-90 days'));"
/usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "vacuum;"
```
If you haven’t checked out the size of your fail2ban and system log databases, it’s worth doing. I’ve found gigabytes of wasted space in there …
Thanks for sharing @pluto, keep in mind that the sqlite3 database could be in use by fail2ban when you run this script, and the database will be locked during that time. You could retry the SQL query a couple of times (with a timeout and a delay between runs).
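An added example (not from this thread) of the retry-with-timeout approach suggested above, using Python's standard sqlite3 module; the `bans` table and its rows are constructed stand-ins holding only the columns the cron query touches, not fail2ban's real schema:

```python
import sqlite3
import tempfile
import time

def make_sample_db():
    """Throwaway DB with a constructed 'bans' table: only the columns the
    cleanup query touches, not fail2ban's real schema."""
    path = tempfile.NamedTemporaryFile(suffix=".sqlite3", delete=False).name
    now = int(time.time())
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE bans (jail TEXT, ip TEXT, timeofban INTEGER)")
    conn.executemany("INSERT INTO bans VALUES (?, ?, ?)", [
        ("sshd", "192.0.2.10", now - 120 * 86400),   # well past retention
        ("sshd", "192.0.2.11", now - 5 * 86400),     # recent, must survive
        ("exim", "198.51.100.7", now - 91 * 86400),  # just past retention
    ])
    conn.commit()
    conn.close()
    return path

def hold_lock(path):
    """Simulate fail2ban writing: take an exclusive lock and keep it open."""
    conn = sqlite3.connect(path)
    conn.execute("BEGIN EXCLUSIVE")
    return conn

def prune_bans(path, retention_days=90, attempts=5, delay=2.0, timeout=10.0):
    """Delete bans older than retention_days, then VACUUM. Each attempt waits
    up to `timeout` s for the lock, then sleeps `delay` s before retrying.
    Returns rows deleted, or None if the database stayed locked."""
    modifier = "-%d days" % retention_days
    for attempt in range(1, attempts + 1):
        try:
            conn = sqlite3.connect(path, timeout=timeout)
            try:
                cur = conn.execute(
                    "DELETE FROM bans WHERE timeofban <= "
                    "CAST(strftime('%s', date('now', ?)) AS INTEGER)", (modifier,))
                conn.commit()         # VACUUM refuses to run inside a transaction
                conn.execute("VACUUM")
                return cur.rowcount
            finally:
                conn.close()
        except sqlite3.OperationalError as exc:
            if "locked" not in str(exc):
                raise                 # a real error, not lock contention
            if attempt < attempts:
                time.sleep(delay)
    return None
```

The same busy-wait is available to the cron script through the sqlite3 shell's `.timeout MS` dot-command, so the retry loop can stay in bash if you prefer.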
thanks for sharing @pluto let’s see what other suggestions come up.
enabling unattended-upgrades might be something to add to the one-time todo list.
maybe changing the ssh port to avoid ground noise (needs adjusting the firewall obviously)
also I use AllowUsers to add another level of control on ssh access, though this needs to be adjusted manually each time you add a new user that should be able to use ssh or sftp.
setting up something like ipset in conjunction with a script that automatically pulls an IP blacklist I also find very helpful
…
Just thought of another. I like to add additional logging to exim with this line in /etc/exim4/exim4.conf.template. Just a few things I’ve found useful over the years. YMMV.
Speaking of that… I use AbuseIPDB for that. But since the free plan at AbuseIPDB allows only a certain number of downloads per day, I download the DB from AbuseIPDB once per day and save it on a web-accessible URL. I then use that URL to download the DB from my other servers. It’s not perfect but it works quite well. The only downside is that the free plan at AbuseIPDB can download a maximum of 10.000 blacklisted IPs. If you’re using another IP DB, please do share.
their level 1 compiles a few well-known lists already and covers quite some ground with 600M+ IPs … I also use level 2; while this isn’t as big, it includes blocklist_de amongst others, which is quite relevant here.
obviously there is a lot more available to pick from
You must not use this tool as the root user; I wonder whether a warning is issued about this. Why? During the update, new files and directories will be created and all of them will have a root:root owner. What happens in this case? The PHP interpreter will not have the necessary access to them.
I also like to retain logs for a bit longer than the default settings, so I go into /etc/logrotate.d and change apache and exim logfiles to rotate weekly, and retain for a year. None of my sites are particularly heavily used, so the log build-up isn’t too good.
I also install logwatch to send me daily reports (I write a few custom scripts depending on what I want to see). And I install vnstat so I can look at server traffic from the command line, and incorporate a summary into my logwatch daily report.
Thanks @falzo for sharing that info, which led me eventually to a GUI feature of Hestia that I was totally unaware of: Server > Firewall > Manage IP Lists > Add IP List.
The Block Malicious IPs list contains Firehol Level 1 rules
And the end result (command line) for my Post Install Tweak is:
```bash
v-add-firewall-ipset BlockMalicious script:/usr/local/hestia/install/deb/firewall/ipset/blacklist.sh v4 yes
v-add-firewall-rule DROP ipset:BlockMalicious 0-65535 TCP ALL
```