Disabling unused services:
Fail2Ban
- It is an intrusion-prevention service that monitors log files and adds firewall bans after repeated failures; by default it is configured to protect SSH against brute-force attacks
- Disable it if you have implemented other forms of protection against brute force attacks
sudo systemctl disable fail2ban --now
MariaDB
- It is the default database service for CloudPanel when installed with MariaDB
- Disable it if you do not use this database
sudo systemctl disable mariadb --now
Memcached
- It is an object caching system comparable to Redis
- Disable it if you do not use this system
sudo systemctl disable memcached --now
PHP-FPM
- These are the services that run PHP applications, one per PHP version
- Disable them if you do not run PHP applications; you can also disable only the unused versions. Sites use PHP 8.0 by default, which can be changed in the configuration panel. If PHP 8.0 is disabled, some processes such as site creation may fail.
sudo systemctl disable php7.1-fpm --now
sudo systemctl disable php7.2-fpm --now
sudo systemctl disable php7.3-fpm --now
sudo systemctl disable php7.4-fpm --now
sudo systemctl disable php8.0-fpm --now
sudo systemctl disable php8.1-fpm --now
sudo systemctl disable php8.2-fpm --now
sudo systemctl disable php8.3-fpm --now
sudo systemctl disable php8.4-fpm --now
Postfix
- It is a service for sending and delivering email messages
- Disable it if you do not use applications that rely on a local email sending service
sudo systemctl disable postfix --now
ProFTPD
- It is a service that enables FTP access
- Disable it if you do not use this form of access
sudo systemctl disable proftpd --now
Redis
- It is a good object caching system
- Disable it if you do not use this system
sudo systemctl disable redis-server --now
Uncomplicated Firewall
- It is a good firewall to protect open ports on the operating system
- Disable it if you use another firewall, such as ACLs or Security Groups
sudo systemctl disable ufw --now
Varnish
- It is a good page caching system
- Disable it if you do not use this system
sudo systemctl disable varnish --now
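Before disabling anything, it helps to know which of the candidates above are actually reachable from the network. This is an added example, not CloudPanel's code: it parses `ss -Hltnp` output (a constructed sample here), maps listening processes to the service names used above (the mapping is an assumption of the example) and emits this page's disable command for every candidate that listens beyond loopback. PHP-FPM pools typically listen on Unix sockets, so they do not appear in a TCP listing.

```python
import re

# Process names as `ss -ltnp` prints them, mapped to the service names used on this page.
# The mapping is an assumption of this example; check it against your own host.
PROCESS_TO_SERVICE = {
    "mariadbd": "mariadb", "mysqld": "mariadb", "memcached": "memcached",
    "redis-server": "redis-server", "master": "postfix", "proftpd": "proftpd",
    "varnishd": "varnish",
}

# Constructed sample of `ss -Hltnp` output; not captured from a real host.
SAMPLE_SS = """\
LISTEN 0 80   0.0.0.0:3306    0.0.0.0:* users:(("mariadbd",pid=812,fd=21))
LISTEN 0 511  127.0.0.1:6379  0.0.0.0:* users:(("redis-server",pid=640,fd=6))
LISTEN 0 1024 *:11211         *:*       users:(("memcached",pid=701,fd=26))
LISTEN 0 100  127.0.0.1:25    0.0.0.0:* users:(("master",pid=955,fd=13))
LISTEN 0 511  [::]:443        [::]:*    users:(("nginx",pid=1201,fd=8))
LISTEN 0 511  0.0.0.0:8443    0.0.0.0:* users:(("nginx",pid=1201,fd=9))
"""

LISTEN_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_ss(text):
    """Yield (process, local address, port) for every LISTEN line that names a process."""
    for line in text.splitlines():
        m = LISTEN_LINE.match(line)
        if m:
            yield m.group(3), m.group(1), int(m.group(2))

def exposed_candidates(text):
    """Disable-candidates from this page that listen beyond loopback: {service: [(addr, port)]}.
    A service that is both unused and reachable from the network is the first one to disable."""
    hits = {}
    for proc, addr, port in parse_ss(text):
        service = PROCESS_TO_SERVICE.get(proc)
        if service and not addr.startswith(("127.", "[::1]")):
            hits.setdefault(service, []).append((addr, port))
    return hits

def disable_commands(hits):
    """This page's disable command for each exposed candidate, in stable order."""
    return [f"sudo systemctl disable {svc} --now" for svc in sorted(hits)]

if __name__ == "__main__":
    for svc, where in exposed_candidates(SAMPLE_SS).items():
        print(svc, "listens on", ", ".join(f"{a}:{p}" for a, p in where))
```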
Important panel settings:
- Panel site backup: https://[domain]/admin/remote-backup
- Panel domain (default port: 8443): https://[domain]/admin/settings
- Panel time zone: https://[domain]/admin/instance/settings
- User 2FA: https://[domain]/security
- User time zone: https://[domain]/settings
Important shell settings:
Redis recommends that vm.overcommit_memory always be set to 1, and binding to an address that is not yet configured on the host can prevent Redis from starting. The block below adds vm.overcommit_memory = 1 and net.ipv4.ip_nonlocal_bind = 1 to /etc/sysctl.conf (replacing any existing line for either key) and then applies the configuration with sysctl -p.
{
    # 1. Handle vm.overcommit_memory: replace an existing line or append a new one
    if grep -q "^vm.overcommit_memory" /etc/sysctl.conf; then
        sudo sed -i 's/^vm.overcommit_memory.*/vm.overcommit_memory = 1/' /etc/sysctl.conf
    else
        echo "vm.overcommit_memory = 1" | sudo tee -a /etc/sysctl.conf
    fi
    # 2. Handle net.ipv4.ip_nonlocal_bind the same way
    if grep -q "^net.ipv4.ip_nonlocal_bind" /etc/sysctl.conf; then
        sudo sed -i 's/^net.ipv4.ip_nonlocal_bind.*/net.ipv4.ip_nonlocal_bind = 1/' /etc/sysctl.conf
    else
        echo "net.ipv4.ip_nonlocal_bind = 1" | sudo tee -a /etc/sysctl.conf
    fi
    # 3. Apply the changes immediately
    sudo sysctl -p
}
You can check if Redis shows this recommendation or any other error in its log by running:
sudo tail -f /var/log/redis/redis-server.log
You can check the execution queries that reach Redis with this command:
redis-cli monitor
Important vhost settings:
Protocol, cache, and security settings for CloudPanel vhosts:
Enabling HTTP/3:
- Open UDP port 443 so that clients can reach the server
- Edit the line http3 off; so that it reads http3 on;
Changing the cache for "static" files from 5 years to 6 hours:
- Replace the line
expires max;
with the code below:
### BEGIN adjusting hard cache
# expires max;
add_header Cache-Control "max-age=21600, public, no-transform";
### END adjusting hard cache
.well-known settings in CloudPanel vhosts:
In installations where /.well-known may undergo unsolicited changes, keep the files you need in /.persistent/.well-known and have nginx fall back to that folder:
location ~ /.well-known {
auth_basic off;
allow all;
### BEGIN fixing .well-known deletion
try_files $uri $uri/ /.persistent$uri =404;
### END fixing .well-known deletion
}

In installations where /.well-known may undergo unsolicited changes and nginx acts as a reverse proxy, keep the files in /.persistent/.well-known and have nginx look there before handing the request to the proxy:
location ^~ /.well-known {
auth_basic off;
allow all;
### BEGIN fixing .well-known deletion
try_files $uri $uri/ /.persistent$uri @reverse_proxy;
# try_files $uri @reverse_proxy;
### END fixing .well-known deletion
}

In vhosts where CORS is needed for specific /.well-known files, and keeping the same fix for unsolicited changes, save those files in /.persistent/.well-known and configure the CORS headers as follows:
### BEGIN Enabling Nostr domain validation and Lightning Address
# lnurlp/.* matches /.well-known/lnurlp/<user>, the path a Lightning Address lookup requests
location ~ \.well-known/(nostr\.json|lnurlp/.*) {
### BEGIN fixing .well-known deletion
try_files $uri $uri/ /.persistent$uri =404;
### END fixing .well-known deletion
# add_header in a location replaces the headers added at server level, so repeat any
# security headers that must also apply to these responses
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
}
### END Enabling Nostr domain validation and Lightning Address

Installation of specific systems on CloudPanel:
In YOURLS installations, where it is necessary to change the search for index.php to yourls-loader.php, modify the entry try_files $uri $uri/ /index.php?$args; as follows:
### BEGIN custom entry for YOURLS
try_files $uri $uri/ /yourls-loader.php$is_args$args;
# try_files $uri $uri/ /index.php?$args;
### END custom entry for YOURLS
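Returning to the /.well-known rules above: the try_files fallback they share is modelled here in Python as an added example (not CloudPanel's code) so its lookup order is visible. The persistent copy is served only when nothing matches under the document root, so the fix covers deletion, while a file written into /.well-known still shadows the copy. The fixture directory it builds is constructed for the example.

```python
import os
import tempfile

def resolve_well_known(root, uri):
    """Emulate `try_files $uri $uri/ /.persistent$uri =404;` for a request path under
    /.well-known, with `root` as the vhost document root. Returns the filesystem path
    nginx would serve, or None where it answers 404. `$uri/` is taken as a directory
    check, as in nginx; index handling is left out of this model."""
    candidates = (
        (root + uri, os.path.isfile),                   # $uri
        (root + uri + "/", os.path.isdir),              # $uri/
        (root + "/.persistent" + uri, os.path.isfile),  # /.persistent$uri (the copy kept safe)
    )
    for path, exists in candidates:
        if exists(path):
            return path
    return None  # =404

def demo():
    """Constructed fixture: a throwaway docroot whose only ACME token lives in /.persistent."""
    root = tempfile.mkdtemp()
    uri = "/.well-known/acme-challenge/token"
    os.makedirs(root + "/.well-known/acme-challenge")
    os.makedirs(root + "/.persistent/.well-known/acme-challenge")
    with open(root + "/.persistent" + uri, "w") as fh:
        fh.write("persistent copy")
    served = [resolve_well_known(root, uri)]  # live file deleted or never written: copy is served
    with open(root + uri, "w") as fh:         # an unsolicited file appears in /.well-known ...
        fh.write("unexpected content")
    served.append(resolve_well_known(root, uri))  # ... and shadows the copy: deletion is covered, replacement is not
    served.append(resolve_well_known(root, "/.well-known/nothing"))  # in neither place: 404
    return root, served

if __name__ == "__main__":
    for path in demo()[1]:
        print(path or "404")
```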
Adding security headers in CloudPanel vhosts:
In any installation, you can improve security by adding headers to your configuration. In this case, the following are added:
- HSTS (HTTP Strict Transport Security),
- Restriction of permissions such as microphone and camera,
- A Content Security Policy to control the use of resources such as scripts, styles, fonts, frames, and objects.
You can insert these settings just before the rules for /.well-known, as follows:
### BEGIN adding security header lines
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header Permissions-Policy "geolocation=(), microphone=(), accelerometer=(), camera=(), gyroscope=(), magnetometer=()";
add_header Content-Security-Policy "img-src https: data:; script-src 'unsafe-inline' 'unsafe-eval'; script-src-elem 'self' 'unsafe-inline' https://*.zapwp.com/ https://*.cloudfront.net/ https://code.jquery.com/ https://cdn.jsdelivr.net/ https://plugin.handtalk.me/ https://optimizerwpc.b-cdn.net/ https://www.googletagmanager.com/ https://www.google.com/ https://www.gstatic.com/ https://www.youtube.com/ https://kit.fontawesome.com/ https://googleads.g.doubleclick.net/ https://www.google-analytics.com/ https://cdnjs.cloudflare.com/; style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline' https://*.zapwp.com/ https://code.jquery.com/ https://cdn.jsdelivr.net/ https://p.typekit.net/ https://use.typekit.net/ https://cdnjs.cloudflare.com/ https://fonts.googleapis.com/ https://www.gstatic.com/; frame-src 'self' https://*.substack.com/ https://www.google.com/ https://www.youtube.com/ https://www.youtube-nocookie.com/ https://open.spotify.com/ https://td.doubleclick.net/ https://www.googletagmanager.com/; worker-src 'self' blob:; frame-ancestors 'self'; object-src 'none'; base-uri about:; upgrade-insecure-requests;";
### END adding security header lines
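The policy above is permissive in places (no default-src, 'unsafe-inline' and 'unsafe-eval' in script-src, wildcard hosts), and a site-specific policy deserves a quick review. This added example, not from the page or CloudPanel, audits the HSTS and CSP values a vhost returns; the header dict it runs over is a constructed, shortened copy of the values above rather than a live fetch.

```python
import re
# Constructed sample of two of the headers the snippet above sends (CSP shortened to a few directives).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "img-src https: data:; script-src 'unsafe-inline' 'unsafe-eval'; "
        "script-src-elem 'self' 'unsafe-inline' https://*.cloudfront.net/ https://code.jquery.com/; "
        "style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/; "
        "worker-src 'self' blob:; frame-ancestors 'self'; object-src 'none'; base-uri about:; upgrade-insecure-requests;"
    ),
}

def parse_csp(value):
    """Split a CSP value into {directive: [sources]}; the empty trailing directive is dropped."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def audit_csp(value):
    """Findings for the relaxations a reviewer checks first in a script/style policy."""
    policy, findings = parse_csp(value), []
    if "default-src" not in policy:
        findings.append("no default-src: connect-src, font-src and media-src fall back to allow-all")
    for name in ("script-src", "script-src-elem", "style-src", "style-src-elem"):
        for src in policy.get(name, []):
            if src in ("'unsafe-inline'", "'unsafe-eval'"):
                findings.append(f"{name} allows {src}")
            elif re.match(r"https?://\*\.", src):
                findings.append(f"{name} trusts every subdomain of {src}")
    if policy.get("object-src") != ["'none'"]:
        findings.append("object-src is not 'none'")
    return findings

def audit_hsts(value):
    """Findings for an HSTS value shorter than one year or not covering subdomains."""
    age = re.search(r"max-age=(\d+)", value)
    findings = []
    if age is None or int(age.group(1)) < 31536000:
        findings.append("HSTS max-age below one year")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS without includeSubDomains")
    return findings

def audit(headers):  # both audits over a response-header dict; a missing header is itself a finding
    checks = {"Strict-Transport-Security": audit_hsts, "Content-Security-Policy": audit_csp}
    return [f for name, check in checks.items()
            for f in (check(headers[name]) if name in headers else [f"no {name} header"])]
```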
You can make an nginx static-site vhost redirect every request to another site without losing the /.well-known rules. Just add the configuration right after the rules for /.well-known, as follows:
### BEGIN Redirect all requests
location / {
return 301 https://example.com/;
}
### END Redirect all requests