Hosting WHMCS on VPS

[HSc]

Looking for opinions on hosting WHMCS on a VPS.

Risks, security, experiences, etc.

 

Two options:

1) Use a VPS for soley hosting WHMCS and nothing else.

2) Use a VPS to host both WHMCS and resell space to host other sites.

 

If option 1, what are the minimum specs required to run WHMCS adequetly (RAM, bandwidth, IP's, etc)?

 

If option 2, same question: what are the minimum specs required to run WHMCS and host other sites using cPanel/WHM?

 

Anyone with real-life experience doing either of the above would be appreciated. Any recommendations for a VPS provider also appreciated.

 

Thanks.

[HostOrca]

There's no problem hosting whmcs on a vps. I do it myself. Would not recommend having clients sites on the same vps purely from a security point of view.

 

I'd recommend http://www.clustered.net if your uk based

[chickendippers]

Yup, we run WHMCS on a VPS no probs.

[HSc]

Yup, we run WHMCS on a VPS no probs.

 

Any security issues with other domains on same VPS?

 

Also, what are minimum VPS specs you suggest if running cPanel as well?

[chickendippers]

Dunno, we don't host customers on the same server as our support system...neither do we run cPanel on our VPS. Maybe this page will help: http://www.cpanel.net/products/cpwhm/cpanel11/sys_requirements.htm

[HSc]

Dunno, we don't host customers on the same server as our support system...neither do we run cPanel on our VPS. Maybe this page will help: http://www.cpanel.net/products/cpwhm/cpanel11/sys_requirements.htm

 

Thanks but that misses the point of my question. I can figure out what cpanel needs on my own but I was asking about whmcs and cpanel to run together. But since you don't do that, nuff said

[cyberneticos]

Not only is it a good idea to run whmcs alone on a vps, I strongly recommend it, for all of the reasons given above.

 

Minimum a VPS. If you have more than 2000 customers, make sure you've got a potent vps.

[othellotech]

We have a number of people using our VPS's for their WHMCS installs

 

Min specs to run efficiently are 512Mb/Ram, 1024Mb/Swap, processing equivalent to a P3.

That changes a little depending on the virtualisation technology, we saw problems with it under Xen3, but it's been a dream under 4.01. If using Virtuozzo, due to the lack of swap and I/O limitations, you'll want to get more guaranteed ram.

 

Having the VPS supplier "realtively" close to your servers can help, especially with the automation, and obviously ensure the IP(s) allowed in/out of the firewalls at each side (that has many support tickets over the months !)

 

You will find that as the DB grows much larger, that more RAM will help overall performance. Tweaking MySQL is essential.

 

CPanel/WHM adds an overhead only in terms of disk as long as you're not using it for hosting as well.

 

I'd never recommend having your critical system (i.e. Billing Information) on a shared-server, it's just asking for things to go disasterously wrong.

[HSc]

Thanks othellotech, some really helpful info there.

[somebodyrocks]

I run WHMCS and cPanel for hosting clients on a few VPS, but my main one with WHMCS and the most clients is: 60GB Space, 600GB Bandwidth, 1GB Guaranteed RAM/2GB Max, and 2x 2.6ghz processors. I'm with a fair company who doesn't run very many clients per vps. Runs tip top.

[webcasting]

I run a small (100 client) WHMCS setup on a 256MB/Xen account (I am not a fan of OpenVZ, personally)

 

but, do consult your tech guru, unless you are this person, and look at pricing.

 

I use one of these two mentioned, which I will detract from mentioning since it can get pretty polemic when you address such issues, but find that these two providers below tend to be the "top recommended" and I have had good enough service/experiences with both that warrant a recommendation:

 

VPSLink (http://www.vpslink.com) -- they have a coupon code until the end of the month, too, I think.

 

and:

 

Slicehost.com -- they allow custom images to be run, so this might be of interest for someone.

[HSc]

thanks to all who replied, it's very helpful!

[neobug103]

We run whmcs on

 

Intel Xeon 3220-Quad Core [2.4GHz]

4-GB DDR2

Raid 10 (x4 250gb SATA II drives)

Redundant Power Supply

 

Works great

[SilverNodashi]

There's no problem hosting whmcs on a vps. I do it myself. Would not recommend having clients sites on the same vps purely from a security point of view.

 

I'd recommend http://www.clustered.net if your uk based

 

And why not? How can running client sites on the same server / VPS / even reseller account be a problem if WHMCS is running on it as well?

[HostOrca]

And why not? How can running client sites on the same server / VPS / even reseller account be a problem if WHMCS is running on it as well?

For a number of reasons.

1. Clients running outdated/insecure scripts making it possible for a server breach/exploit.
   
2. A client using a weak password resulting in someone gaining access to the account and sending spam, resulting in the server/server ip being listed.
   
3. A client running a process/memory intensive script that causes the server to slow. Will not look very impressive trying to sell web hosting if your site is slow.

If the only site(s) on the vps/dedicated are your own it is easier for you to make sure everything is up to date, and to keep your clients info secure, especially if you are storing credit card details etc.,

[neobug103]

If your willing to put your main site on the same server where you put your clients on - no offense but you shouldn't be in the hosting biz.

[SteveV]

If your willing to put your main site on the same server where you put your clients on - no offense but you shouldn't be in the hosting biz.

 

I disagree -- if you're unable to keep the server(s) your clients' sites are on secure and running well, then you shouldn't be in the hosting business. If you can keep it secure, then there's no reason not to run WHMCS on it, as well.

[neobug103]

By putting your billing system on a server where you add your clients as well, your risking the chance of intrusion by 100%. Attacks coming from somebody who don't have an account on the server is one thing but if a hacker gains access to one of your clients accounts your in for one wild ride. Your risking the integrity of your clients data tremendously by having your billing system on the same server as your clients. There are a million extra things that could go wrong by doing this.

 

It is quite stupid and very much so frowned upon. If you decide to ignore my warning anyway...don't say I didn't tell you so.

[SilverNodashi]

If your willing to put your main site on the same server where you put your clients on - no offense but you shouldn't be in the hosting biz.

I've been in the hosting business since 2000. I've worked on UNIX & Linux since '98 - I know security quite well, and have never, never had a problem with this. What you're saying is impractical, and implies that no one should host shopping carts, CRM's, of for that matter even website that gather & store client info (for example a MySQL based mailing list, forums, etc) on shared servers. I'm sorry, but there's no business sense behind this. We have many clients with very sensitive information on our servers and haven't had a problem with it whatsoever.

 

For a number of reasons.

1. Clients running outdated/insecure scripts making it possible for a server breach/exploit.
   

As above. Also, since PHP & MySQL get's updated on a regular basis, outdated scripts tend to break before they become a problem. We also force many security updates on to clients, and penalize them if they don't keep their stuff up to date. Even so, while we have had site defacements, it's never been more than that.
 

A client using a weak password resulting in someone gaining access to the account and

Even if someone got one of my passwords, he can ONLY access & use my account via FTP or cPanel, nothing else. There's no public shell access (which if you have it, is your biggest problem). Some of our developers have limited SSH access with a lot of security checks running the whole time.

sending spam, resulting in the server/server ip being listed.

A client running a process/memory intensive script that causes the server to slow. Will not look very impressive trying to sell web hosting if your site is slow.

Not possible, we have checks for that, and can suspend such a client the moment his processes are running away. Heavy usage clients are moved to VPS's

 

If the only site(s) on the vps/dedicated are your own it is easier for you to make sure everything is up to date, and to keep your clients info secure, especially if you are storing credit card details etc.,

I'm sorry, but I CANNOT see how it's business-viable to tell a client with a DB full of user info to get his own private server if he doesn't need it. A whole server will cost 20 times more than a shared account. Even a VPS for this is overkill.

 

I disagree -- if you're unable to keep the server(s) your clients' sites are on secure and running well, then you shouldn't be in the hosting business. If you can keep it secure, then there's no reason not to run WHMCS on it, as well.

 

My point exactly. We've been running Linux servers since 2000 and have had no security breach on the server whatsoever. SSH access is limited to certain known & trusted people only, and all software & kernels are up to date. Besides, what you're saying doesn't make full sense if your server is in someone else's datacenter. What if someone in the DC steals your server? What then? Are you going to build your own DC just to protect the server which runs WHMCS?

[neobug103]

Ask just about every competant and successful host out there and they will tell you they run their own box just for their website.

 

Server overloads, ddos attacks, hardware failure on one of your client servers would also result in your website going down, therefore your clients would have nowhere to go in order to find out why their site and your site happens to be down.

 

The simple fact is if you want your clients to always be able to visit your website, you should have your site on it's own box as I will guarantee you that your site will have less downtime noting that there are less variables (ie, other accounts) on the server to affect your website.

 

Now if you want to be cheap and put your main site on the same server as your clients, go right on ahead but if you have money to spare and if you want to have a greater chance of success get your own box for your site and billing system.

 

Imagine what people would be saying if they saw their host's website go down.

[redrat]

The simple fact is if you want your clients to always be able to visit your website, you should have your site on it's own box as I will guarantee you that your site will have less downtime noting that there are less variables (ie, other accounts) on the server to affect your website.

 

Now if you want to be cheap and put your main site on the same server as your clients, go right on ahead but if you have money to spare and if you want to have a greater chance of success get your own box for your site and billing system.

 

Imagine what people would be saying if they saw their host's website go down.

This is the main point and not the security issue.

 

Yes it is possible and many people do run their billing system on the same server as their clients. However, if that server goes down, how the heck can you help your clients? In fact you cannot. Simple as that. Not only are they messed up but you are even more messed up.

 

I would be seriously pissed if my site went down and my host could not help because his provisioning/billing software was on the same server.

[BionHostStan]

anyone care to write up somewhat of a tutorial on how to achieve this?

[cyberneticos]

How to achieve what ?

[isdoo]

Surely putting it on a VPS is a risk?

 

You do not own the machine that you are putting all your client info on, and so if that hardware fails or the VPS provider goes bust or has a security issue then your data is just as much at risk. If not more surely?

 

I would only ever consider running sensitive software on hardware that I had full control over.

 

Please tell me VPS's are safer than my own controlled hardware and I will rethink my opinion

[meeven]

isdoo, I would think that a VPS is a much safer option than a shared hosting account as it isolates its users far better from each other than a shared hosting account. Or, am I mistaken?

 

Not every hosting startup, especially the smaller ones, can begin with a dedicated server, after all.