This tutorial is about setting up and managing a Virtual Private Server (VPS) for hosting websites. It is aimed at people who are considering moving from shared web hosting to VPS or cloud hosting (or even a dedicated server) in order to improve the speed and reliability of their sites, or moving from managed to unmanaged hosting to save cost. By managing the server yourself with the aid of an open-source control panel such as Virtualmin you can save a lot of money while avoiding most of the restrictions of shared hosting.
Managing your own VPS has some big advantages:
- Web pages typically load much faster and more reliably than on shared hosting, even under heavy load.
- You have complete control – install any software package you want and any number of websites or email accounts.
- Secure shell (SSH) access allows secure file transfer, remote backups and command-line control.
- Full isolation from other users greatly reduces your vulnerability to being hacked, or your IP address being blacklisted.
- Encrypted SSL (https) connections can be used to protect login passwords and host eCommerce sites.
- You can give private accounts to friends or customers.
- You avoid expensive management fees and control panel licenses.
- You can resolve problems quickly without waiting for a support ticket to be answered.
- It's easier to move everything to an upgraded server or backup server if necessary.
- You gain a lot of knowledge about how web servers work.
Some disadvantage are:
- A VPS is typically more expensive than “free” or “shared” hosting.
- Some technical ability is needed, and time to learn server management skills.
- Some regular effort is needed to monitor and maintain the server to keep it secure and reliable.
Before you can load websites onto a VPS you will need:
- An account with a web hosting service that gives you administrative access to a virtual server with sufficient resources to run your web sites. This typically involves paying a monthly fee. Some guidelines for choosing a good host are below. You will be given at least one unique IP address for the server and an administrator username and password that allows you to install an operating system and reboot the server. (You may need an additional IP address for each site that uses encrypted SSL connections.) Such accounts can sometimes be created immediately but may take a couple of days.
- Administrative access to a domain name for each web site. This typically involves paying a small yearly fee to a domain registrar. They will give you a username and password that allow you to change the nameserver settings ("A records" and "MX records") that relate your domain name to your new IP address as described below. It can take up to 48 hours for these new settings to completely propagate around the global domain name system (DNS). In the meantime you can access your VPS directly by IP address. Be careful about buying your domain name from the same company that hosts your sites, because that makes it harder to move to a new host if there's a problem.
- A suitable operating system installed on the server - some guidelines for choosing one are below. Often the hosting service will install a standard operating system for you - if not, you can load the OS from an "iso" file. You would normally load the "server" (not "desktop") edition of an operating system in this situation.
- If the server is remote (no screen or keyboard access) you will need to install client programs such as PuTTY and WinSCP on Windows or Transmit on a Mac to send commands and files to your VPS over a secure shell (SSH) connection.
Choosing a hosting company
When choosing a hosting company look for reliability, good network connectivity and good support as well as cost. You're unlikely to get these from a PC under your desk or from a one-person startup company. Redundant network connectivity and power supplies are very desirable, also good security and some sort of file backup system. It’s hard to find objective reviews but www.webhostingtalk.com is a good place to ask for advice.
Here are some suggested things to check when moving to a new VPS hosting company:
- How much RAM and disk space is offered? Life will be easier if you have at least 1 GB of RAM and 20 GB of disk space.
- Are there any restrictions on the amount of data traffic allowed per month? If so, try to find out how much your sites typically used in the past.
- What hypervisor do they use to run VPS instances? "Native" or "bare metal" hypervisors such as Xen or KVM are preferable to "hosted" hypervisors like OpenVZ or Virtuozzo because they allow kernel layer control that may be needed to block denial of service or spam attacks.
- Do they offer IPv6 connectivity?
- Do they have a good reputation for fast and helpful support? Try searching for reports of past problems from other users.
- Is there a trial period or monthly billing option? If possible, monitor the reliabililty and responsiveness of a new host for a few weeks using free services like uptime doctor. If page load times are more than 2s or downtime is more than a few minutes a month you're unlikely to be happy with the hosting.
- Do they offer automated off-site backups? If not, what are your backup plans? How hard is it to restore a full or partial backup?
- Does the data centre have good environmental credentials? Hosting uses a lot of electricity.
Location typically doesn’t matter much – sites will load a little faster if the server is in a country close to your main users and payment and support may be a little easier if the server is close to you (the administrator), but other factors such as price and reliability are often more important than location. Local legislation about privacy, libel, censorship, copyright and taxation may also be relevant. I have used hosts in the UK, continental Europe and the US without problems.
Choosing an operating system and control panel
I prefer so-called LAMP hosting (Linux, Apache, MySQL, PHP) because it’s open-source (cheap, patchable) and compatible with popular content management systems. Any of the Virtualmin GPL Supported Systems are reasonably complete and secure. Windows hosting is typically more expensive but may be necessary for sites that are scripted using Microsoft ASP. (Alternatives such as MariaDB or PostreSQL instead of MySQL and nginx instead of Apache are outside the scope of this tutorial but worth considering.)
For configuring and managing the server, I recommend open-source software such as Virtualmin or ISPConfig rather than a licensed control panel such as Plesk, cPanel or HSphere because it's the cheapest way to set up multiple sites (on the same or different IP addresses) and you retain full control of the server.
For managing the content of individual sites, I recommend using a well-supported Content Management System (CMS) such as WordPress or Drupal. Even very basic sites need to be updated regularly and a content management system makes this much easier, as well as giving you access to themes and plugins that add useful functions such as search forms, contact forms with spam protection, image galleries, event calendars, online shops and so on. Proprietary CMS or “website builder” systems generally have more limited features and can be difficult to move to a new host.
If you are installing the operating system from scratch, you will need to select some configuration options. If in doubt, accept the default values. For example, when installing Ubuntu 16.04 LTS you will be asked to choose the following:
- Language, country and keyboard layout - choose the best ones for you (the administrator).
- Hostname - choose a fully-qualified domain that you own, such as "mail.mydomain.com". Do NOT use a generic name provided by the hosting company such as a name containing an IP address if you will be sending email from the server because spam filters will block it.
- HTTP proxy settings - usually blank.
- Administration username and password - it's very important to choose a secure password (at least 10 digits, not a dictionary word and so on) because hackers will try to break into your machine as soon as it connects to the internet.
- Encrypt your home directory - not really necessary on a machine that is physically secure.
- Timezone - select one that is convenient for the main administrator.
- Disk partition - select "Guided - use entire disk" to allow the installer to do this.
- Installing security updates - automatic updates can occasionally cause problems, but so will hackers if you delay. Either way you need good backups.
- Packages - you will almost certainly need to enable an OpenSSH server. The Virtualmin installer will install LAMP and mail packages so you can leave them unselected for now.
- GRUB boot loader - install.
Assuming you now have a remote server running a freshly-installed Linux operating system but nothing else, and you are configuring it from a local Windows PC, you would start by connecting to the secure shell (SSH) using a client such as PuTTY. Install and run PuTTY on your Windows PC and put the IP address of your VPS (which your hosting company will tell you) where it says "Host Name (or IP address)", set the Port to 22 and select Connection type: SSH then click the Open button.
The first time you connect to your new server you will see a warning that the server's host key is not cached. Click “Yes” to save the key and connect. Enter the admin username and password that you set above (or received from your hosting company) when prompted.
Initial security patches
For security reasons, the first thing you should do after starting the server for the first time is install the latest operating system patches. On Ubuntu and other Debian-based systems you can do this with the following commands:
sudo apt-get update
sudo apt-get dist-upgrade
The "sudo" part is necessary if you are logged in as an administrator rather than a superuser such as "root". It will prompt you for the administrator password the first time. It's considered good security practice to avoid logging in as root and Ubuntu disables root password logins for this reason. The following steps all assume you are NOT logged in as root.
Checking timezone and locale
Check that your server has an appropriate timezone set. It is usually most convenient to set it to the zone in which the main administrator is located, since it avoids the need to translate timestamps in log files, for example.
sudo dpkg-reconfigure tzdata
Check that your server has a locale set (used to check that passwords are not dictionary words, for example)
If it’s not set correctly, you can find and install an appropriate language pack and set the locale with the following commands (using British English as an example):
sudo apt-cache search language-pack
sudo apt-get install language-pack-en
sudo update-locale LANG=en_GB.utf8 LC_MESSAGES=en_GB.utf8
Checking the hostname
The hostname of your VPS is shown on the login screen in the previous section, or by entering the following command
Unfortunately, some hosting companies overwrite this information every time a VPS is rebooted - you may need to contact them to get it changed. As explained below, your hostname should be something like mail.mydomain.com.
Installing a control panel
Commercial control panels are usually installed by the hosting company because they require a license. To download and install open source Virtualmin instead, follow the instructions or simply run the following two commands:
sudo /bin/sh install.sh
(The install.sh script may take several minutes to complete.)
Now point a web browser to the same address that you used to connect to SSH using PuTTY above. For example, if the IP address of your server is 18.104.22.168 then you would visit address http://22.214.171.124 using a web browser. You should see a screen saying “It Works!”.
If you have the ability to take a "snapshot" backup of your entire server it might be a good idea to make one now, because this is a good place to return to if you mess things up.
To connect to the Virtualmin web interface and complete the installation, point your browser to port 10000, using https for a secure encrypted connection. If the IP address is 126.96.36.199, the address to visit would be https://188.8.131.52:10000. You may get a warning about an untrusted certificate, which you can ignore for now. Bookmark that page and login with same administrator username and password you used above.
You will be taken through a post-installation wizard. The default answers will usually be fine although you may wish to select "Skip check for resolvability" beside "Primary Nameserver" and "Only store hashed passwords" for the "Password storage mode".
You can visit Virtualmin > System Settings > Features and Plugins to deselect any features you won't use. Personally I deselect the following modules to save memory usage:
- BIND DNS domain - I use free nameservers from Cloudflare
- Webalizer reporting - I use Awstats and Piwik for analysing visitors. Google analytics are also popular.
- PostgreSQL database - I use MySQL because many scripts require it
- ProFTPd virtual FTP - I use secure file transfers (SCP or SFTP) via SSH instead, for security and reliability
Check IP addresses and hostname
You can check your IP addresses at Webmin > Networking > Network Configuration > Network Interfaces. Select the main interface (probably eth0 or ens3) and change the IPv4 Address from DHCP to "Static configuration" and enter the main IP address and Netmask values that your hosting company has assigned to this VPS. (This ensures the server uses the correct IP address if it boots when the DHCP server is down.) You can also enter an IPv6 address and netmask here if you have one. Then return to Network Configuration and select Routing and Gateways. Enter the gateway address that your hosting company gave you here. Check these carefully - you may lock yourself out if you get these settings wrong or miss this step.
You can check your DNS resolver settings and hostname under Network Configuration > Hostname and DNS Client.
Your hosting provider should allow you to set your chosen hostname as the "Reverse DNS" settings for the IP addresses they have assigned you. Spam filters sometimes check that this is set correctly, so it's worth configuring.
The default settings that we have installed so far provide a reasonable level of security, as long as you choose hard-to-guess passwords and install security patches quickly. Nevertheless, your VPS will be attacked constantly by hackers and spammers so you should remove as many vulnerabilities as possible and check your log files regularly.
Set authentication keys for SSH login
Authentication keys are much more secure than passwords, and by default on Ubuntu this is the only way to login as the root user and the only way to perform unattended backups. First, generate a public/private key pair using PuTTYgen on Windows or ssh-keygen on Linux. The default options (2048 bit RSA key, no password) are fine. Copy the private key to a confidential location on the machine that the administrator or backup process will use to login by SSH, or to a USB flash drive.
On your VPS, we need to create the file /.ssh/authorized_keys in the admin user's folder with "user only" permissions. In this case (for administering the whole server) you probably want the user to be "root" and the admin's home directory will be /root.
Copy and paste the public key to the [admin home]/.ssh/authorized_keys file on your VPS that was created above. You can use commands such as the following to create the file with necessary permissions in the admin user's home folder:
chmod 0700 .ssh
sudo nano authorized_keys (paste your public key on one line and save)
chmod 0600 authorized_keys
Don't disclose the private key to anyone! If you use PuTTY to connect to your server, enter the address of the private id_rsa key file in the Connection > SSH > Auth configuration screen. If it's working you should NOT be prompted for a password the next time you try to connect.
Once you are sure you can login successfully without a password, you can go to Webmin > Servers > SSH server > Authentication and set "Allow authentication by password?" to "No".
You can also change the port that the SSH server listens on to reduce hacking attempts and associated log file entries. The setting is in Webmin > Servers > SSH Server > Networking. Don't forget to check related firewall settings as well, or you may lock yourself out!
Restrict Virtualmin logins
The Virtualmin interface (or a different control panel) is another way a hacker could get admin access to your server. You should always set a good password and connect using an encrypted SSL connection (a URL beginning "https", not "http") to prevent your password being captured, especially if you are on a public Wifi connection.
If you know that only a particular IP address (or hostname, or range of IP addresses) will always be used by administrators, you can restrict logins to those ranges from Webmin > Webmin Configuration > IP Access Control.
You can also change the webmin admin port from the default 10000 to a different one that is harder for hackers to find, at Webmin > Webmin Configuration > Ports and Addresses.
You can enable two-factor authentication or an SSL client certificate as described on the Enhanced Authentication wiki page.
Disable FTP login
The FTP server can be disabled by going to Webmin > Bootup and Shutdown > proftpd and clicking "Delete". Use SSH instead.
Restrict email connections
If you don't need to offer POP3 or IMAP connections to external users you can disable them at Webmin > Servers > Dovecot IMAP > POP3 Server > Networking and Protocols. On the same page you can also restrict the allowed interfaces to IP address 127.0.0.1.
If you don't need to allow external users to send mail via your SMTP server you can prevent that at Webmin > Servers > Postfix Mail Server > SMTP Authentication and Encryption by unchecking the "Allow authenticated clients" option.
Hide Apache and PHP version
Some people advise hiding Apache and PHP version information from external view. It probably doesn't help much because hackers will try all possibilities eventually, but it's easily done by changing these settings:
- In Webmin > Servers > Apache Webserver > Global Configuration > Miscellaneous, set "Server HTTP header" to "Product only".
- In Virtualmin > Services > PHP 5 Configuration > Edit Configuration Manually for each site add the line "expose_php = Off".
Mitigate cookie hijacks
In your global PHP configuration (Webmin > Others > PHP Configuration) set
session.cookie_httponly = 1
session.cookie_secure = 1
Restrict obsolete cipher suites
In your Apache global configuration restrict the use of obsolete and insecure SSL ciphers:
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
# Prefer PFS, allow TLS, avoid SSL, for IE8 on XP still allow 3DES
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+AESGCM EECDH EDH+AESGCM EDH+aRSA HIGH !MEDIUM !LOW !aNULL !eNULL !LOW !RC4 !MD5 !EXP !PSK !SRP !DSS"
Enabling a firewall
It's generally preferable to secure your server properly rather than rely on a firewall for protection. You should for example disable unwanted services (e.g. bind, proftpd) at Webmin > System > Bootup and Shutdown. This also saves memory and CPU. Nevertheless a firewall is sometimes useful and you can easily set up a suitable set of rules at Webmin > Networking > Linux Firewall by clicking "Reset Firewall" then selecting "Block all except ports used for virtual hosting" then clicking "Setup Firewall".
Note that sometimes hosting companies may prevent your firewall starting automatically at boot time as a safety measure to prevent you accidentally locking yourself out. You will have to remember to re-enable it manually after each reboot in that case.
Installing web sites
Web sites can be created by going to Virtualmin > Create Virtual Server and entering the domain name you will use (e.g. subdomain.mydomain.com) and an administrator password. The default settings are usually OK and come from a configurable "Server Template" at Virtualmin > System Settings > Server Templates.
Note that the PHP script execution mode will be set to FastCGI by default - this can be changed under Virtualmin > Server Configuration > Website Options.
It's possible for many sites to share the main IP address of the server this way. It's also possible to create a sub-server (a subdomain of a domain on the same VPS) or an alias of another site (with an alternative spelling, for example).
If you want to forward administrative email messages to an external address you can set this in two places:
- Virtualmin > Edit Virtual Server > Configurable Settings > Contact email > Administrator’s mailbox
- Virtualmin > Services > Configure Website > Networking and Addresses > Server admin email address
You will need to change the DNS settings in your nameservers (probably at your domain registrar, or hosting company) to point to the new site. A set of suggested settings can be found at Virtualmin > Server Configuration > Suggested DNS Records. DNS changes can take up to 48 hours to propagate around the worldwide DNS network.
Once DNS settings have propagated, files in the public_html folder will automatically be displayed to the world. By default, the file for the home page should be named index.html or index.php. A MySQL database is created for each site by default and can be managed at Virtualmin > Edit Databases. You can also install the useful database management tool phpMyAdmin on one of your sites from Virtualmin > Install Scripts.
Adding email users
Email users can be added at Virtualmin > Edit Users > Add a user to this server. Make sure your users have "strong" passwords to prevent accounts being hacked. A password policy can be set at Webmin > System > Users and Groups > Password restrictions.
By default, all mail will be stored on your VPS. I generally prefer to forward all my user's mail to an external service such as Gmail instead, to take advantage of the free storage, spam filtering and search capabilities. This can be changed under "Mail forwarding settings". If you do this, you will need to filter out the worst spam first, otherwise your IP address may be blacklisted. The Postfix Postscreen module is useful for this. The greylisting module at Vitualmin > Email Messages > Email Greylisting is also effective at reducing spam but it can cause annoying delays in email delivery. Alternatively, users can configure their Gmail accounts to use POP3 to retrieve mail that is temporarily stored on your VPS. This avoids problems with Gmail blocking your IP address, but can delay mail delivery by up to an hour.
Users can access stored mail at the Usermin address (e.g. https://mydomain.com:20000) or you can install a more sophisticated application such as Roundcube or Squirrelmail, which are easily installed with "one click" from Virtualmin > Install Scripts.
Enabling encrypted SSL connections
It's very risky for you or your users to transmit passwords or other sensitive information in plain text when logging in to a web site - especially on a public network such as an open Wifi connection or hotel network.
You can enable SSL (secure sockets layer) connections for one site on your server simply by going to Virtualmin > Edit Virtual Server > Enabled features and checking the box "SSL website enabled?". This will immediately allow encrypted connections to this site with a URL that begins "https" rather than "http".
The first problem is, the automatically-generated certificate is "self-signed" which means users will get a warning from their browser that the connection can't be trusted (because there might be a man-in-the-middle intercepting the encrypted traffic). The solution is to install a certificate from a trusted authority. Virtualmin now supports installing free Letsencrypt certificates automatically. If you've done everything correctly your web site will now load with no warnings in most browsers.
Now that most browsers support Server Name Indication it's no longer really necessary to have a separate IP address for each site that uses an SSL certificate.
Testing and monitoring
By default, email reports of any system problems will be sent to user "root". You can read them by going to Webmin > System > Users and Groups > root and clicking the "Read Email" button. It's usually more convenient to forward them to an external email address. You can configure this by going to Webmin > Servers > Postfix Mail Server > Mail Aliases, selecting Create a new alias and setting Address to "root" and your email address in "Alias to", "Email address".
You should check log files regularly at Webmin > System > System Logs and at Virtualmin > Logs and Reports for signs of problems or malicious activity.
There are a number of very useful free services that can be used to monitor your sites:
- Logwatch - Analyses logs and sends a daily digest to the administrator. Needs installation.
- Dnssy - checks all your DNS settings
- F8lure - pings your server once a second to check for network problems or CPU overload, alerts when down
- Mxtoolbox - checks your mail server every 15 mins, alerts when down or blacklisted, can also "port scan" your firewall
- Uptime Doctor - checks how fast your pages load once a minute, alerts when down
- Loadimpact - simulates many simultaneous users
- Piwik - Similar to Google Analytics but hosted on your own server, shows how your visitors behave
- SSL Labs server test - Checks SSL installation
I suggest enabling these scheduled update and validation checks:
- Webmin > System > Software Package Updates > Scheduled checking options
- System Information > Virtualmin Packages > Scheduled checking options
- Virtualmin > Limits and Validation > Scheduled Validation
- Webmin > System > Scheduled Cron Jobs - create a job that runs "clamscan -ir /home" weekly
- Webmin > Others > System and Server Status – Enable Scheduled Monitoring of Postfix, SSH, Webmin, Dovecot, Apache, MySQL, Webmin, Free Memory, Load Average and Disk space
If you want to test your setup at home before paying for commercial hosting, you can easily do so using a virtual machine. VirtualBox is free and easy to use and runs on Windows, MacOS, Linux and Solaris. Create a virtual machine with at least 1 GB of RAM and 20 GB of disk space and set the network mode to “bridged”. Then download the operating system you plan to use as an "iso" file, mount it as a virtual CD, reboot the virtual server and follow the installation prompts.
You may need to install extra packages that are required by the programs you install. Often the installation program for a content management system will do a configuration check and inform you about missing packages or configuration settings that need to be changed. Some examples that I have found useful (install from Webmin > Software Packages > Package from APT):
Needed by Virtualmin:
- ispell, ibritish (for password checks)
- Authen::Libwrap Authen::PAM DBD::mysql DBI IO::Pty Net::SSLeay Sys::Syslog (recommended)
- Authen::OATH (for two-factor logins)
Needed by WordPress:
Needed by Drupal:
- php-dev (contains phpize for uploadprogress)
- curl (for cron jobs)
- fail2ban (to prevent brute forcing of passwords)
- logcheck (early warning of problems)
- php-mcrypt, php-gettext (for phpMyAdmin)
- ntp (accurate times for two-factor authentication)
- php-memcache, memcached (for Postscreen)
PHP extensions can be installed using an SSH command like this:
pecl install [extension]
Then enable the extension by adding "extension=[the_extension_name.so]" to php.ini for each site that needs it in Virtualmin > Services > PHP 5 Configuration > Edit Configuration Manually.
Apache modules can be enabled and disabled in Webmin > Servers > Apache Webserver > Configure Apache Modules. I suggest enabling the following modules, which are often used in ".htaccess" files to provide "friendly" URLs and control page cache timeouts. If you see the server's default Apache page instead of your website these missing modules might be the cause.
Don't forget to click "Apply Changes" at the top right afterwards.
Tweaking performance and memory usage
I strongly suggest testing your site with a (free) service such as Loadimpact to ensure it can withstand a sudden spike in traffic. If you find problems, here are some parameters to check:
- "MaxClients" - should be tuned in file /etc/apache2/apache2.conf, accessible from Webmin > Servers > Apache Webserver > Global Configuration > Edit Config Files. If it's too large your server will run out of memory, if too small you will restrict simultaneous users
- Reduce the number of server processes in the Processes and Limits screen to save RAM
- In Webmin > Webmin Configuration > Advanced Options you can change the CPU priority for scheduled jobs
- Enable Postfix Postscreen to prevent email spam without damaging performance or risking false positives
Your websites could vanish without warning, even at a large reputable host. It has happened to me more than once. Common causes are denial of service attacks, your site being hacked, the host going out of business, power or network failure, an expired credit card or simple human error. Your hosting provider may be swamped with calls and unresponsive when this happens. If you have a recent off-site backup and control of your domain names you can recover everything within a couple of hours - if not, recovery may be lengthy or impossible. Backups are important!
- Backup fast-changing content such as MySQL database contents at least daily using an automated script such as AutoMySQLBackup.
- Virtualmin can do scheduled backups of all files, database contents, email and settings, locally or remotely. Set it up at Virtualmin > Backup and Restore > Scheduled Backup. Webmin settings can also be saved, see Webmin > Backup Configuration Files > Scheduled backups.
- Local storage on your own PC or a NAS appliance is cheapest, if you have a good internet connection. I use a Synology Diskstation. Storing individual Linux files on a Windows PC can be tricky but zip files are usually OK. Restoring from home can take a long time though due to limited upload bandwidth.
- Commercial services such as Amazon Glacier or Google Nearline are faster to restore but have monthly fees.
- Your VPS host may offer snapshot backups and you should use those, but remember they are likely to vanish if your hosting provider does.
- Keep control of your domain names by using external nameservers (e.g. at Cloudflare) rather than at your hosting provider.
A final word about security
My no. 1 tip for keeping a VPS secure is to keep it constantly updated with security patches (including all CMS plugins, libraries and so on). Most hacks happen through known vulnerabilities that are easily exploited.
My no. 2 tip is to set up daily off-site backups, including database contents. It's impossible to make a VPS 100% secure or reliable so you need to be able to recover quickly. Individual WordPress sites (even on shared hosting) can be backed up using a plugin such as UpdraftPlus, perhaps to a free Google Drive account.
My no. 3 tip is to enforce long passwords and limit login attempts on every account that can upload files or modify the server.
My no. 4 tip is to keep an eye on log files using a utility like logcheck or logwatch so you're warned quickly if something is wrong.
RootSudo - Ubuntu community help
Locale - Ubuntu community help
Virtualmin installation instructions
Postfix Postscreen - How to enable and configure it to prevent spam
Preventing backscatter (non-delivery records) from forwarded spam
Fastcgi vs CGI vs mod_php - bit51 blog
Apache with fcgid - 2bits blog
Faster, PHP! Kill! Kill! - P'unk Avenue blog
More VPS tutorials
Firstsiteguide Web Hosting Services Explained
The Perfect Server tutorials from HowtoForge, using ISPConfig as a control panel