HestiaCP Installation on VPS

Jun 05, 2026, 21 min read

Installing HestiaCP on VPS: A Comprehensive Panel for Web Hosting, Mail, and DNS

TL;DR

This guide walks step by step through configuring HestiaCP on a virtual or dedicated server, turning it into a powerful and user-friendly platform for managing websites, email, databases, and DNS records. You will learn how to prepare the server, install HestiaCP with current 2026 software versions, configure essential services, secure connections with TLS, and set up backups.

  • HestiaCP will be installed on Ubuntu 24.04 LTS or Debian 13.
  • Nginx/Apache2, PHP, MySQL/PostgreSQL, Exim4, Dovecot, Bind9/PowerDNS will be configured.
  • Automatic issuance and renewal of Let's Encrypt SSL/TLS certificates.
  • Detailed instructions for server preparation, including SSH keys, sudo, and a basic firewall.
  • Recommendations for system backup and maintenance for long-term stability.
  • Up-to-date commands and configurations, verified at each step.

What We Are Setting Up and Why

In this guide, we will focus on the installation and comprehensive configuration of HestiaCP — an open-source web hosting control panel. HestiaCP is a lightweight and powerful solution for automating many tasks related to server management and web application deployment. It allows convenient management of websites (Nginx/Apache2 + PHP-FPM), databases (MySQL/PostgreSQL), mail servers (Exim4/Dovecot), DNS servers (Bind9/PowerDNS), FTP accounts (Pure-FTPd), and SSL certificates (Let's Encrypt) through an intuitive web interface.

Ultimately, you will get a fully configured VPS or dedicated server, ready to host multiple websites, handle email for domains, and manage their DNS records. This is an ideal solution for developers who need to quickly deploy a test or production environment, for solo founders managing multiple projects, or for those who want full control over their infrastructure without having to manually configure each component.

HestiaCP is particularly attractive for its efficiency and minimalistic approach, offering excellent performance even on a modest VPS. It is built on standard Linux components, which simplifies further maintenance and system expansion. The panel is not overloaded with redundant features, focusing on key web hosting and mail tasks.

There are various approaches to deploying web services. You can choose cloud-managed services (e.g., AWS Amplify, Google App Engine, Heroku), which offer high infrastructure abstraction, automatic scaling, and minimal administration. However, they often come with higher costs, less flexibility, and can tie you to a specific provider. Another option is containerization (Docker, Kubernetes), which provides portability and scalability but requires deeper DevOps knowledge.

Why self-hosted on a VPS with HestiaCP? This approach offers an optimal balance between control, cost, and convenience. You get full root access to the server, allowing you to fine-tune every aspect of the system to your needs. The cost of a VPS is significantly lower than most managed cloud services, especially with stable loads. HestiaCP handles the routine of configuring and integrating various components, allowing you to focus on your projects rather than administration. This is an ideal choice for those who value independence, want to optimize costs, and still have a modern, functional, and easily manageable platform.

What VPS Configuration is Needed for This Task

Choosing the right VPS or dedicated server is critical for stable and productive HestiaCP operation. Requirements can vary depending on the number of websites hosted, expected traffic, and the use of mail/DNS servers.

Minimum Requirements for HestiaCP (as of 2026):

  • Processor (CPU): 1 core. Modern processors with a clock speed of 2.0 GHz or higher. This is sufficient for small projects.
  • Random Access Memory (RAM): 1 GB. HestiaCP itself is quite lightweight, but for stable operation of all components (web server, PHP, database, mail), 1 GB is an absolute minimum.
  • Disk: 20 GB NVMe/SSD. A fast disk significantly improves web server and database performance. 20 GB is enough for the system and a few small websites.
  • Network: 100 Mbps. This is sufficient for most tasks. An IPv4 address is mandatory, IPv6 is highly desirable.
  • Operating System: Ubuntu 24.04 LTS (recommended) or Debian 13.

Recommended VPS Plan for Medium Projects (multiple websites, moderate traffic):

For comfortable work with several websites, active email usage, and moderate traffic, the following characteristics are recommended:

  • Processor (CPU): 2 cores. Will provide better performance for parallel request processing.
  • Random Access Memory (RAM): 2-4 GB. Will allow several PHP processes, database caches, and the mail server to operate comfortably without swapping.
  • Disk: 50-100 GB NVMe/SSD. Will provide enough space for website files, databases, mailboxes, and backups. NVMe drives are significantly faster than SSDs and provide better responsiveness.
  • Network: 1 Gbps. For projects with expected traffic growth or for faster data synchronization.

You can find VPS with the specified characteristics that are suitable for deploying HestiaCP and your projects.

When is a dedicated server needed, not a VPS?

A dedicated server becomes necessary when your project reaches a scale where a VPS can no longer cope, or when maximum performance and isolation are required. This may include:

  • High-load web applications: Thousands of concurrent users, intensive database operations.
  • Large number of websites: If you plan to host hundreds of websites or provide hosting to other users.
  • Streaming services or game servers: Require stable CPU performance and high network bandwidth.
  • Specific security or compliance requirements: Some regulatory norms may require physical isolation.
  • Need for significant disk space: More than 1 TB or specific RAID configurations.

In such cases, it is worth considering a suitable dedicated server that will provide you with all the resources of a physical machine.

VPS Location: What it Affects

The choice of server location affects several key factors:

  • Latency: The closer the server is to your target audience, the lower the latency and faster page loading for users. This is especially critical for interactive applications and game servers.
  • Legal compliance: Data placement in a specific country may be mandatory according to local laws (e.g., GDPR in Europe).
  • Prices: The cost of a VPS may vary slightly depending on the data center region.
  • Service availability: Some services may be restricted or unavailable in certain regions.

Always try to choose a location as close as possible to your project's primary audience.

Server Preparation

After gaining access to a fresh VPS or dedicated server, it is necessary to perform a series of basic configurations to ensure security and ease of use. We assume that you have gained SSH access as the root user.

1. System Update

First, update all installed packages to their latest versions. This will ensure system stability and security.


sudo apt update             # Update package list
sudo apt upgrade -y         # Upgrade installed packages to the latest versions
sudo apt autoremove -y      # Remove unnecessary packages that remained after the update

2. Creating a New User with Sudo Privileges

Working as the root user is insecure. Create a new user and grant them sudo privileges.


# Create a new user (replace 'youruser' with your desired name)
adduser youruser

# Add the user to the sudo group (for Ubuntu/Debian)
usermod -aG sudo youruser

Now, exit the root session and log in as the new user:


exit
ssh youruser@your_server_ip

3. Configuring SSH Key Authentication

SSH key authentication is much more secure than password authentication. If you don't have an SSH key yet, generate one on your local machine:


# On your LOCAL machine
# -C only sets the key's comment; replace the placeholder with your own address
ssh-keygen -t ed25519 -C "your_email@example.com"

Then, copy the public key to the server:


# On your LOCAL machine (replace 'youruser' and 'your_server_ip')
ssh-copy-id youruser@your_server_ip

If ssh-copy-id is not available, do it manually:


# On your LOCAL machine
cat ~/.ssh/id_ed25519.pub

# Copy the output, then on the SERVER, execute:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys
# Paste the copied public key into this file
chmod 600 ~/.ssh/authorized_keys

4. Disabling Password Authentication for SSH (Optional, but Recommended)

After successfully configuring SSH keys, disable password login for SSH. This will significantly enhance security.


# On the SERVER, as your new sudo user
sudo nano /etc/ssh/sshd_config

Find the following lines and modify them (or add them if they are missing):


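# ...
PasswordAuthentication no
# ChallengeResponseAuthentication is a deprecated alias for KbdInteractiveAuthentication in current OpenSSH
ChallengeResponseAuthentication no
UsePAM no
# If you want to prohibit root login even with a key
PermitRootLogin no
# ...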

Save the file and restart the SSH service:


# On Ubuntu/Debian the service unit is named ssh
sudo systemctl restart ssh

IMPORTANT: Before disabling password authentication, make sure you can log in with an SSH key! Open a new SSH session and try to log in without closing the current one. If the login fails, revert the changes.
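
To confirm the change took effect, the following added example (not part of the original guide) checks the effective configuration printed by sshd -T against the values set above. Debian and Ubuntu include /etc/ssh/sshd_config.d/*.conf at the top of sshd_config and sshd uses the first value it reads for each keyword, so a drop-in file can keep password login enabled despite the edit. The function name and both sample outputs are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the original guide): confirm that the values set in
# sshd_config are the ones sshd actually uses once every Include is processed.
# Intended use on the server:  sudo sshd -T | check_sshd_effective

# Directives from step 4, in the lowercase form `sshd -T` prints.
# Current OpenSSH reports ChallengeResponseAuthentication under its newer
# name, kbdinteractiveauthentication.
EXPECTED_SSHD='passwordauthentication no
kbdinteractiveauthentication no
usepam no
permitrootlogin no'

# Reads `sshd -T` output on stdin. Prints one line per directive that is
# missing or differs; returns 0 only when everything matches.
check_sshd_effective() {
    dump=$(cat)
    rc=0
    while read -r key want; do
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$got" ]; then
            echo "MISSING $key (expected $want)"
            rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key: effective=$got expected=$want"
            rc=1
        fi
    done <<EOF
$EXPECTED_SSHD
EOF
    return "$rc"
}

# Constructed sample 1: a drop-in under /etc/ssh/sshd_config.d/ still sets
# PasswordAuthentication yes, so the edit to sshd_config has no effect.
SAMPLE_OVERRIDDEN='port 22
permitrootlogin no
passwordauthentication yes
kbdinteractiveauthentication no
usepam no'

# Constructed sample 2: all four directives took effect.
SAMPLE_HARDENED='port 22
permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
usepam no'

echo "overridden sample:"
printf '%s\n' "$SAMPLE_OVERRIDDEN" | check_sshd_effective || echo "-> password login is still possible"
echo "hardened sample:"
printf '%s\n' "$SAMPLE_HARDENED" | check_sshd_effective && echo "-> effective settings match"
```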

5. Installing and Configuring Fail2Ban

Fail2Ban helps protect the server from brute-force attacks by blocking IP addresses from which numerous failed login attempts occur.


sudo apt install fail2ban -y

# Create a copy of the configuration file for modification
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# Edit jail.local (example of basic settings)
sudo nano /etc/fail2ban/jail.local

In the jail.local file, ensure that the following lines are configured:


# ...
[DEFAULT]
# Fail2Ban does not treat '#' after a value as a comment, so comments go on their own lines
# Ban time (10 minutes)
bantime = 10m
# Time period during which attempts must occur (10 minutes)
findtime = 10m
# Maximum number of attempts before blocking
maxretry = 5

# Enable SSH protection
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
# ...

Save the file and restart Fail2Ban:


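sudo systemctl enable fail2ban
# restart (not start): the package already started the service, so a restart is needed to load jail.local
sudo systemctl restart fail2ban
sudo systemctl status fail2ban # Check status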

6. Configuring the Firewall (UFW)

UFW (Uncomplicated Firewall) is an easy-to-use interface for iptables. We will configure it to allow only the necessary ports.


sudo apt install ufw -y

# Allow SSH (port 22, if you haven't changed it)
sudo ufw allow ssh

# Allow HTTP (port 80)
sudo ufw allow http

# Allow HTTPS (port 443)
sudo ufw allow https

# Enable UFW
sudo ufw enable
# Type 'y' and press Enter

# Check firewall status
sudo ufw status verbose

At this point, the basic server preparation is complete. Now you can proceed with HestiaCP installation.

Software Installation — Step-by-Step

HestiaCP installation is relatively straightforward, as it provides a convenient installation script. We will use the current version of HestiaCP, which will be supported in 2026, and install it on Ubuntu 24.04 LTS.

1. Downloading the HestiaCP Installation Script

First, download the installation script from the official HestiaCP GitHub repository. The commands below use wget for the download.


# Change to a temporary directory
cd /tmp

# Download HestiaCP installation script version 1.9.10 (current as of late 2025/early 2026)
# Always check the latest version on the official HestiaCP website.
wget https://raw.githubusercontent.com/hestiacp/hestiacp/release/1.9.10/install/hst-install.sh

2. Running the Installation Script

After downloading the script, make it executable and run it. The script will guide you through the installation process, prompting you to select components and enter credentials.


# Make the script executable
chmod +x hst-install.sh

# Run the installation script with superuser privileges
sudo ./hst-install.sh

During installation, the script will ask a few questions:

  • Would you like to continue? [y/n]: Enter y and press Enter.
  • Please enter admin email address: Enter your email address, which will be used for the HestiaCP administrator account.
  • Please enter hostname: Enter your server's Fully Qualified Domain Name (FQDN). For example, panel.yourdomain.com. Ensure that this domain points to your server's IP address.

The installation will take some time (10-30 minutes) depending on your server's performance and internet connection speed. The script will automatically install and configure:

  • Web server (Nginx + Apache2 or Nginx + Nginx)
  • PHP-FPM (multiple versions, e.g., 8.1, 8.2, 8.3)
  • Database management system (MySQL/MariaDB or PostgreSQL)
  • Mail server (Exim4, Dovecot, SpamAssassin, ClamAV)
  • DNS server (Bind9 or PowerDNS)
  • FTP server (Pure-FTPd)
  • Let's Encrypt for automatic SSL certificates
  • Firewall (UFW)
  • Fail2Ban

3. Ports Used by HestiaCP

HestiaCP uses several ports for its services. Make sure they are allowed in your UFW firewall:


# If you installed UFW before HestiaCP, HestiaCP might add its own rules.
# Check them. If not, add them manually.

# HestiaCP Panel (default 8083)
sudo ufw allow 8083/tcp

# SSH (usually 22, already allowed)
sudo ufw allow 22/tcp

# HTTP (websites, 80, already allowed)
sudo ufw allow 80/tcp

# HTTPS (websites, 443, already allowed)
sudo ufw allow 443/tcp

# FTP (21)
sudo ufw allow 21/tcp

# SFTP (22, via SSH, already allowed)

# DNS (53)
sudo ufw allow 53/tcp
sudo ufw allow 53/udp

# SMTP (25, 465, 587)
sudo ufw allow 25/tcp
sudo ufw allow 465/tcp
sudo ufw allow 587/tcp

# IMAP/POP3 (110, 143, 993, 995)
sudo ufw allow 110/tcp
sudo ufw allow 143/tcp
sudo ufw allow 993/tcp
sudo ufw allow 995/tcp

# Reload UFW to apply changes
sudo ufw reload
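
An added example, not part of the original guide: it compares the TCP listeners reported by ss -H -tln with the ports opened above, so you can spot services bound to public addresses that you never meant to expose and allow rules that nothing is using. The function name and the sample ss output are constructed; UDP (port 53) is not covered.

```bash
#!/bin/sh
# Added example (not from the original guide): compare the TCP sockets that are
# actually listening with the ports opened in UFW above.
# Intended use on the server:  sudo ss -H -tln | audit_listeners

# TCP ports the guide allows through UFW.
ALLOWED_TCP="22 80 443 8083 21 53 25 465 587 110 143 993 995"

# Reads `ss -H -tln` output on stdin (field 4 is "local address:port").
#   UNEXPECTED <port> (<addr>)  a service listens on a non-loopback address but
#                               the port is not in the allow list; only the
#                               firewall default policy keeps it unreachable.
#   UNUSED <port>               the port is allowed but nothing listens on it,
#                               so the rule can be removed.
# Returns 1 if any UNEXPECTED listener was found, otherwise 0.
audit_listeners() {
    awk -v allowed="$ALLOWED_TCP" '
        BEGIN {
            n = split(allowed, list, " ")
            for (i = 1; i <= n; i++) allow[list[i]] = 1
        }
        $1 == "LISTEN" {
            port = $4
            sub(/^.*:/, "", port)                          # text after the last colon
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host ~ /^127\./ || host == "[::1]") next   # loopback only
            seen[port] = 1
            if (!(port in allow) && !(port in flagged)) {
                flagged[port] = 1
                bad = 1
                print "UNEXPECTED " port " (" host ")"
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(list[i] in seen)) print "UNUSED " list[i]
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample of `ss -H -tln` output: MySQL is bound to loopback, one
# extra service (port 6379) is bound to all interfaces, and nothing listens
# on 21, 110 or 995.
SAMPLE_SS='LISTEN 0 128   0.0.0.0:22        0.0.0.0:*
LISTEN 0 511   0.0.0.0:80        0.0.0.0:*
LISTEN 0 511   [::]:443          [::]:*
LISTEN 0 4096  0.0.0.0:8083      0.0.0.0:*
LISTEN 0 100   0.0.0.0:25        0.0.0.0:*
LISTEN 0 100   0.0.0.0:465       0.0.0.0:*
LISTEN 0 100   0.0.0.0:587       0.0.0.0:*
LISTEN 0 100   0.0.0.0:143       0.0.0.0:*
LISTEN 0 100   0.0.0.0:993       0.0.0.0:*
LISTEN 0 10    203.0.113.10:53   0.0.0.0:*
LISTEN 0 151   127.0.0.1:3306    0.0.0.0:*
LISTEN 0 511   0.0.0.0:6379      0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | audit_listeners || echo "-> review the UNEXPECTED listeners"
```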

4. Obtaining Login Credentials

After successful installation, the script will display the login credentials for the HestiaCP panel:


-------------------------------------------------------------------------------
Congratulations! You have successfully installed Hestia Control Panel.
Go to https://your_server_ip:8083 to get started!

Username: admin
Password: YOUR_GENERATED_PASSWORD
-------------------------------------------------------------------------------

Be sure to save this password! It will be needed for the first login. If you lose it, you can reset the password for the admin user later.

5. First Login to HestiaCP

Open a web browser and navigate to https://your_server_ip:8083 or https://panel.yourdomain.com:8083 (if you specified an FQDN and DNS has already updated). You might see a warning about an insecure connection, as a self-signed SSL certificate is used by default. Ignore it and proceed. Enter admin as the username and the generated password. After logging in, you will be taken to the HestiaCP control panel.

At this stage, HestiaCP is successfully installed and ready for further configuration.

Configuration

After installing HestiaCP, you need to perform basic configuration for your websites, mail, and DNS. All of this is done through the HestiaCP web interface, but we will also cover some important aspects and manual checks.

1. Adding a Domain and Website

1. Log in to the HestiaCP panel as admin.

2. Go to the WEB section.

3. Click the + Add Web Domain button.

4. Enter your domain name (e.g., example.com).

5. Make sure the Enable SSL for this domain and Use Let's Encrypt to obtain SSL certificate checkboxes are selected. This will automatically configure HTTPS.

6. Select the desired templates (Nginx, Apache, PHP). For most PHP applications, the standard settings are suitable.

7. Click Save.

HestiaCP will automatically create all necessary configuration files for Nginx and Apache, configure PHP-FPM, and request an SSL certificate from Let's Encrypt. This may take a few minutes.

Example Nginx configuration (after creating a domain via the panel):

You can view the generated Nginx config in HestiaCP or on the server at the path:


# /home/admin/conf/web/nginx.conf
server {
    listen      XXX.XXX.XXX.XXX:80;
    listen      XXX.XXX.XXX.XXX:443 ssl http2;
    server_name example.com www.example.com;
    root        /home/admin/web/example.com/public_html;

    index       index.php index.html index.htm;

    # SSL Configuration (generated by Let's Encrypt)
    ssl_certificate         /home/admin/conf/web/ssl.example.com.pem;
    ssl_certificate_key     /home/admin/conf/web/ssl.example.com.key;
    # ... other SSL settings ...

    # PHP-FPM Configuration
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass    unix:/run/php/php8.3-fpm.sock; # PHP version may vary
        fastcgi_index   index.php;
        include         fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param   PATH_INFO $fastcgi_path_info;
    }

    # ... other settings (gzip, security headers, etc.) ...
}

2. DNS Configuration

For your website to be accessible, you need to configure the domain's DNS records. You can use HestiaCP's DNS server (Bind9/PowerDNS) or an external DNS provider.

Using HestiaCP's DNS server:

1. In the HestiaCP panel, go to the DNS section.

2. Click + Add DNS Domain.

3. Enter your domain (example.com) and your server's IP address.

4. HestiaCP will automatically create standard A, NS, MX, TXT records.

5. IMPORTANT: You need to change your domain's NS servers with your domain registrar (e.g., GoDaddy, Namecheap) to ns1.example.com and ns2.example.com (or those specified in HestiaCP). To do this, on the HestiaCP server itself, you need to create A records for ns1.example.com and ns2.example.com, pointing to your server's IP. If you have one IP, both NS servers will point to it.


# Example DNS records in HestiaCP for example.com
# A record for example.com
example.com.      A    XXX.XXX.XXX.XXX

# A record for www.example.com
www.example.com.  A    XXX.XXX.XXX.XXX

# NS records for example.com (point to your server)
example.com.      NS   ns1.example.com.
example.com.      NS   ns2.example.com.

# A records for NS servers (Glue Records, if NS servers are on the same domain)
ns1.example.com.  A    XXX.XXX.XXX.XXX
ns2.example.com.  A    XXX.XXX.XXX.XXX

# MX record for mail
example.com.      MX   10 example.com.

Using an external DNS provider:

If you use Cloudflare, Google DNS, or another provider, simply add an A-record for your domain (example.com and www.example.com) pointing to your HestiaCP server's IP address.

3. Mailbox Configuration

1. In the HestiaCP panel, go to the MAIL section.

2. Select the domain for which you want to create a mailbox (e.g., example.com).

3. Click + Add Mail Account.

4. Enter a username (e.g., info) and create a strong password. The full address will be info@example.com.

5. Click Save.

HestiaCP will automatically configure Exim4 (SMTP) and Dovecot (IMAP/POP3) for this mailbox. You can configure a mail client (Outlook, Thunderbird) or use webmail (Roundcube, if installed) to access the mailbox. Mail ports: IMAP (143/993), POP3 (110/995), SMTP (25/465/587).

4. Database Configuration

1. In the HestiaCP panel, go to the DB section.

2. Click + Add Database.

3. Select the database type (MySQL or PostgreSQL).

4. Enter the database name (e.g., wp_database), username (wp_user), and a strong password.

5. Click Save.

HestiaCP will create the database and user. You can use this data in your web applications' configuration files (e.g., wp-config.php for WordPress).

5. Operational Check

After all settings, it's important to ensure everything is working correctly.

  • Website Check: Open your domain (https://example.com) in a browser. You should see the standard HestiaCP placeholder or your website if you have already uploaded files. Check for the SSL certificate (padlock in the address bar).
  • DNS Check: Use online tools like DNS Checker to ensure your A-records and NS servers have propagated correctly worldwide.
    
    # On your local machine
    dig example.com A
    dig ns1.example.com A
    dig example.com NS
    
  • Mail Check: Send a test email from your new mailbox to an external address and vice versa. Check mail server logs if there are issues:
    
    sudo tail -f /var/log/exim4/mainlog
    sudo tail -f /var/log/mail.log
    
  • Port Check: Ensure that the necessary ports are open and accessible externally.
    
    # From local machine
    curl -v telnet://your_server_ip:8083 # HestiaCP panel
    curl -v telnet://your_server_ip:443  # HTTPS
    curl -v telnet://your_server_ip:25   # SMTP
    

6. Managing Secrets and Environment Variables

For web applications, especially those using databases or external APIs, it's important to properly store sensitive data (passwords, API keys). HestiaCP does not have a built-in secret management system for applications, but you can use standard approaches:

  • .env files: For PHP applications (Laravel, Symfony), use a .env file in the project root. It should be excluded from version control and should not be publicly accessible (Nginx/Apache should be configured for this).
    
    # Example .env file
    DB_DATABASE=wp_database
    DB_USERNAME=wp_user
    DB_PASSWORD=YOUR_DB_PASSWORD
    APP_KEY=YOUR_APP_KEY
    
  • Environment Variables: You can set environment variables for PHP-FPM processes via HestiaCP. In the WEB section, select the domain, then "Edit". In the "Advanced Options" section, you will find "Custom Nginx Configuration" and "Custom PHP-FPM Configuration". For PHP-FPM, you can add lines like:
    
    ; In Custom PHP-FPM Configuration (PHP-FPM pool files use ';' for comments)
    env[DB_PASSWORD] = "YOUR_DB_PASSWORD"
    

    This will make the variable accessible via getenv('DB_PASSWORD') or $_ENV['DB_PASSWORD'] in PHP. Be careful not to expose these variables in logs or error reports.

Never store passwords and API keys directly in application code or in publicly accessible configuration files.
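
An added example, not part of the original guide: it searches a user's web directories for .env files that sit inside public_html or are readable by other local users. It inspects the filesystem only and does not evaluate Nginx or Apache deny rules; the function names and the sample tree are constructed.

```bash
#!/bin/sh
# Added example (not from the original guide): find .env files that sit where
# the web server can serve them, or that other local users can read.
# Intended use on the server:  audit_env_files /home/admin/web

# Prints "<location> <permission> <path>" for every .env* file under $1 that
# needs attention, sorted by path:
#   location    IN_WEBROOT      the file is below a public_html directory
#               outside         the file is elsewhere in the tree
#   permission  WORLD_READABLE  the "other" read bit is set
#               ok              it is not
# Files that are outside the web root and not world-readable are not listed.
audit_env_files() {
    find "$1" -type f -name '.env*' 2>/dev/null | sort | while IFS= read -r f; do
        case "$f" in
            */public_html/*) where=IN_WEBROOT ;;
            *)               where=outside ;;
        esac
        if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
            perm=WORLD_READABLE
        else
            perm=ok
        fi
        if [ "$where" = outside ] && [ "$perm" = ok ]; then
            continue
        fi
        printf '%s %s %s\n' "$where" "$perm" "$f"
    done
}

# Builds a constructed tree in a temporary directory that mimics
# /home/admin/web/<domain>/ and echoes its path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/shop.example.com/public_html" "$t/blog.example.com/app" \
             "$t/blog.example.com/public_html" "$t/api.example.com/app"
    echo 'DB_PASSWORD=constructed' > "$t/shop.example.com/public_html/.env"
    echo 'DB_PASSWORD=constructed' > "$t/blog.example.com/app/.env"
    echo 'DB_PASSWORD=constructed' > "$t/api.example.com/app/.env"
    chmod 644 "$t/shop.example.com/public_html/.env"   # servable and world-readable
    chmod 600 "$t/blog.example.com/app/.env"           # outside web root, owner only
    chmod 644 "$t/api.example.com/app/.env"            # outside web root, world-readable
    echo "$t"
}

tree=$(make_sample_tree)
audit_env_files "$tree"
rm -rf "$tree"
```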

Backups and Maintenance

Reliable backup and regular maintenance are key to your server's stable operation and data integrity. HestiaCP has built-in backup functions, but it's also useful to understand how to set up your own mechanisms.

1. What to Back Up

  • Website Data: All files in the directories /home/admin/web/yourdomain.com/public_html/.
  • Databases: All MySQL/PostgreSQL databases.
  • Mailboxes: Contents of mailboxes (usually in /home/admin/mail/yourdomain.com/).
  • HestiaCP Configuration Files: Important HestiaCP settings stored in /usr/local/hestia/conf/ and /home/admin/conf/.
  • SSL Certificates: In HestiaCP, these are usually stored in /home/admin/conf/web/ssl.yourdomain.com..

HestiaCP by default creates backups for each user, including all their web domains, databases, and mail accounts. These backups are saved in the /home/backup/ directory.

2. Configuring Automatic Backups in HestiaCP

1. Log in to the HestiaCP panel as admin.

2. Go to the Server Settings section (gear icon in the top right corner).

3. Select the Configure tab.

4. In the Backup section, you can configure the schedule, the number of stored backups, and exclusions. By default, HestiaCP creates daily backups.

5. Click Save after changing the settings.

3. Simple Auto-Backup Script (Optional, for External Synchronization)

Although HestiaCP performs backups, it is highly recommended to store them on external storage. For this, you can use rsync, restic, or borgbackup. Here's an example script for synchronizing HestiaCP backups to a remote S3-compatible object storage or another VPS using s3cmd (for S3) or rsync (for another VPS).

Example with rsync to another VPS:

#!/bin/bash

# HestiaCP backup directory
BACKUP_DIR="/home/backup/"

# Remote server and path
REMOTE_USER="backup_user"
REMOTE_HOST="your_backup_server_ip"
REMOTE_PATH="/mnt/external_backups/hestiacp/"

# rsync command
# -avz: Archive mode, verbose, compress
# --delete: Delete files on receiver that are not in source
# --stats: Show transfer statistics
# Add --exclude='PATTERN' to skip temporary files or caches, if any exist in BACKUP_DIR
if rsync -avz --delete --stats "$BACKUP_DIR" "$REMOTE_USER@$REMOTE_HOST:$REMOTE_PATH"; then
    echo "$(date): HestiaCP backups successfully synced to $REMOTE_HOST"
else
    echo "$(date): ERROR: HestiaCP backup sync failed to $REMOTE_HOST"
    # Exit non-zero so cron and monitoring can detect the failed sync
    exit 1
fi

Save this script (e.g., /usr/local/bin/sync_hestia_backups.sh), make it executable (sudo chmod +x /usr/local/bin/sync_hestia_backups.sh), and configure it to run via cron:


sudo crontab -e

Add a line for daily execution, for example, at 3:00 AM:


0 3 * * * /usr/local/bin/sync_hestia_backups.sh >> /var/log/hestia_backup_sync.log 2>&1

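Ensure that the user backup_user on your_backup_server_ip has an SSH key configured for passwordless access from your HestiaCP server. Because the job is installed with sudo crontab -e, it runs as root, so the key must be root's key on the HestiaCP server.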

4. Where to Store Backups

It is crucial to store backups off the main server. Options:

  • External S3-compatible object storage: AWS S3, DigitalOcean Spaces, Backblaze B2, MinIO. This is a reliable and scalable solution.
  • Separate VPS: You can get a small, inexpensive VPS exclusively for storing backups.
  • NAS/Local Server: If you have your own infrastructure.

Never rely solely on backups stored on the same server as the original data. In case of disk failure or server compromise, you will lose everything.

5. Updates: Rolling vs Maintenance Window

Keeping the system up to date is critical for security and performance.

  • OS and Package Updates (Rolling Updates): For system packages (Ubuntu/Debian), it is recommended to configure automatic security updates.
    
    sudo apt install unattended-upgrades -y
    sudo dpkg-reconfigure --priority=low unattended-upgrades
    

    This will allow security updates to be installed in the background. Full apt upgrade updates are best run manually or scheduled within a "Maintenance Window".

  • HestiaCP Updates: HestiaCP is usually updated via its script or via apt if you have added their repository. Always read the changelog before updating.
    
    # Example HestiaCP update (always check official documentation)
    sudo apt update
    sudo apt upgrade hestia -y
    
  • Software Updates within HestiaCP (PHP, Nginx, MySQL): HestiaCP manages versions of PHP and other components. To update to a new major PHP version, it usually requires selecting it in the domain settings or reinstalling the component via the HestiaCP script.
  • Maintenance Window: For major HestiaCP, PHP, or Linux kernel updates, always plan a maintenance window. Notify users, perform a full backup before starting, and be prepared for potential downtime.

Regularly check system logs (/var/log/syslog, /var/log/mail.log, web server logs) for errors and warnings. This will help identify problems before they become critical.

Troubleshooting + FAQ

My website is not opening, or I see a 502 Bad Gateway error. What should I do?

A 502 Bad Gateway error often indicates issues with PHP-FPM or the web server. First, ensure all services are running. Check the status of Nginx (or Apache), PHP-FPM, and the FPM pool for your domain. Use sudo systemctl status nginx (or apache2) and sudo systemctl status php8.3-fpm (replace with your PHP version). Check Nginx logs (/var/log/nginx/error.log) and PHP-FPM logs (/var/log/php8.3-fpm.log) for specific errors. It's possible there's insufficient memory, or a PHP script is throwing a fatal error.

I cannot log in to the HestiaCP panel. What should I check?

Ensure you are using the correct IP address or domain name with port 8083 (e.g., https://your_server_ip:8083). Check that the HestiaCP service is running: sudo systemctl status hestia. Also, make sure port 8083 is open in the UFW firewall (sudo ufw status). If you forgot the administrator password, you can reset it via SSH: sudo /usr/local/hestia/bin/v-change-user-password admin NEW_PASSWORD.

My mail is not sending/receiving. What could be the problem?

Mail problems can be complex. First, check the domain's DNS records: MX, SPF, DKIM. Ensure they are correctly configured and propagated. Check that mail services (Exim4, Dovecot) are running: sudo systemctl status exim4, sudo systemctl status dovecot. Review mail server logs: sudo tail -f /var/log/exim4/mainlog and sudo tail -f /var/log/mail.log. Often, problems are related to incorrect DNS configuration or the server's IP address being blocked by spam filters.

What is the minimum VPS configuration suitable for HestiaCP?

For a minimal HestiaCP installation and hosting one or two small websites with low traffic, a VPS with 1 CPU core, 1 GB of RAM, and 20-30 GB of fast NVMe/SSD disk space will be required. This is sufficient for all main panel components and basic web services. However, for more comfortable operation and scalability, it is recommended to have 2 CPU cores and 2-4 GB of RAM.

What to choose — VPS or dedicated server for this task?

For most users starting with HestiaCP, a VPS will be the optimal choice. It offers sufficient performance, flexibility, and is significantly lower in cost. A dedicated server should be considered if you have very high-load projects, require maximum performance, specific hardware configurations (e.g., RAID arrays), or plan to host hundreds of websites and provide commercial services. A VPS is an excellent starting point for most tasks, and you can transition to a dedicated server as needs grow.

How to update PHP to a new version in HestiaCP?

HestiaCP supports multiple PHP versions. You can add new versions or remove old ones via the v-add-php or v-delete-php script, and then select the desired PHP version for each domain in the web domain settings within the HestiaCP panel. For example, to install PHP 8.4 (if available in HestiaCP repositories): sudo /usr/local/hestia/bin/v-add-php 8.4. After this, you will be able to select 8.4 in the domain settings.

How to get an SSL certificate for the HestiaCP panel (port 8083)?

By default, the HestiaCP panel uses a self-signed certificate. To obtain a valid Let's Encrypt certificate for your panel, log in to HestiaCP, go to the Server Settings section (gear icon). In the SSL Certificate section, select "Generate Let's Encrypt SSL Certificate" and specify your server's FQDN (e.g., panel.yourdomain.com), which should point to your server. Click Save. HestiaCP will automatically request and install the certificate.

Cannot upload files via FTP.

Check that the Pure-FTPd server is running: sudo systemctl status pure-ftpd. Ensure that port 21 is allowed in UFW (sudo ufw status). Check the username and password for FTP (they are different from the HestiaCP login). Also, some clients may experience issues with passive FTP mode; ensure that the port range for passive mode is open in the firewall (usually 30000-35000, HestiaCP should configure this automatically, but it's worth checking).

Conclusion and Next Steps

You have successfully installed and configured HestiaCP on your VPS, transforming it into a full-fledged platform for web hosting, mail, and DNS. You now have a powerful and flexible tool for managing your projects, which provides a good balance between functionality and ease of use. You have mastered basic server preparation, installation of key components, domain and mail configuration, as well as the principles of backup and maintenance, making you independent in managing your own infrastructure.

Here are a few steps you can take next:

  • Application Deployment: Install your web applications (WordPress, Laravel, Django) in the created domains. Use FTP or SSH/SFTP to upload files and configure databases.
  • Server Monitoring: Set up a monitoring system (e.g., Prometheus + Grafana, Netdata) to track CPU, RAM, disk, and network usage. This will help identify and resolve performance issues in a timely manner.
  • Performance Optimization: Explore Nginx, Apache, and PHP-FPM optimization options to improve your websites' loading speed. Consider using caching (Redis, Memcached) for high-load applications.
  • Additional Security: Implement additional security measures, such as two-factor authentication for HestiaCP panel login, regular malware scanning, and the use of a WAF (Web Application Firewall).
