đŸ–Ĩī¸ Server Maintenance Tasks

A Comprehensive Guide to Server Administration and Maintenance

Introduction

This comprehensive guide covers essential server maintenance tasks for backend server professionals. Regular server maintenance is crucial for maintaining the security, stability, and performance of your server infrastructure. These updates encompass a variety of tasks, including installing security patches to safeguard against threats, fixing bugs to enhance reliability, and optimizing performance through software upgrades and the removal of obsolete components.

âš ī¸ Important Note About Automated Updates:

While automated updates can seem convenient, they may introduce compatibility issues. Automated updates may not always account for specific server configurations or dependencies. They may inadvertently install patches or upgrades that haven't been thoroughly tested for compatibility or reliability. Regular manual oversight allows server administrators to carefully assess the impact of updates, thereby ensuring compatibility with the existing server configuration.

1. Server Updates

Understanding Update Commands

There are three essential update commands you need to run to keep the packages installed on your server up to date:

Command              Purpose
sudo apt update      Updates the package list from repositories
sudo apt upgrade     Upgrades the packages identified in the package list
sudo apt autoremove  Removes any unneeded packages from the server

Basic Update Commands

Individual Commands:

sudo apt update
sudo apt upgrade
sudo apt autoremove

Combined Commands (with confirmation prompts):

sudo apt update && sudo apt upgrade && sudo apt autoremove
â„šī¸ Command Chaining:

The double ampersand (&&) chains commands together. It means "execute the next command only if the previous command succeeds." If sudo apt update completes successfully, then sudo apt upgrade will execute, and so on.

Combined Commands (automatic confirmation with -y flag):

sudo apt update && sudo apt upgrade -y && sudo apt autoremove -y
âš ī¸ Caution with -y Flag:

Using the -y flag will automatically confirm all prompts. While this speeds up the process, it's recommended to check which packages are being updated, especially if components of your hosting stack (nginx, PHP, MariaDB) are being upgraded.
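
One way to act on this caution before using -y, shown as an added example that is not part of the original guide: simulate the upgrade first and list any hosting-stack packages it would touch. The package-name pattern, the function names and the sample output are assumptions constructed for illustration.

```bash
#!/bin/bash
# Added example, not part of the original guide.

# Package names treated as "hosting stack" (an assumption; adjust to your server).
STACK_PATTERN='^(nginx|php[0-9.]*|mariadb|mysql)(-.*)?$'

# Constructed sample of `apt-get -s upgrade` output (versions are made up).
SAMPLE_SIMULATION='Inst libssl3t64 [3.0.13-0ubuntu3.4] (3.0.13-0ubuntu3.5 Ubuntu:24.04/noble-updates [amd64])
Inst nginx [1.24.0-2ubuntu7.1] (1.24.0-2ubuntu7.3 Ubuntu:24.04/noble-updates [amd64])
Inst php8.3-fpm [8.3.6-0ubuntu0.24.04.3] (8.3.6-0ubuntu0.24.04.4 Ubuntu:24.04/noble-updates [amd64])
Conf nginx (1.24.0-2ubuntu7.3 Ubuntu:24.04/noble-updates [amd64])'

# Read simulation output on stdin; print "name old -> new" for each package
# that would be installed (an "Inst" line) and whose name matches the pattern.
stack_upgrades() {
    awk -v pat="$STACK_PATTERN" '
        $1 == "Inst" && $2 ~ pat {
            if (substr($3, 1, 1) == "[") {   # upgrade: [old] (new ...
                old = substr($3, 2, length($3) - 2)
                new = substr($4, 2)
            } else {                         # new install: (new ...
                old = "none"
                new = substr($3, 2)
            }
            print $2, old, "->", new
        }'
}

# Refresh the package list, show pending hosting-stack upgrades, and ask for
# confirmation only when there are any; otherwise upgrade with -y.
review_and_upgrade() {
    local hits answer
    sudo apt update || return 1
    # --with-new-pkgs makes the apt-get simulation match what `apt upgrade` does
    hits=$(apt-get -s --with-new-pkgs upgrade | stack_upgrades)
    if [ -n "$hits" ]; then
        echo "Hosting stack packages pending upgrade:"
        echo "$hits"
        printf 'Proceed? [y/N] '
        read -r answer
        [ "$answer" = "y" ] || return 0
    fi
    sudo apt upgrade -y && sudo apt autoremove -y
}

# Run for real only when asked to: ./review_updates.sh run
if [ "${1:-}" = "run" ]; then
    review_and_upgrade
fi
```

The simulation step needs no root privileges and changes nothing on the server.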

Update Process Flow

sudo apt update → sudo apt upgrade → sudo apt autoremove

Each step must complete successfully before the next one executes.

Understanding Common Messages

Deferred Upgrades Due to Phasing

You may encounter messages indicating that upgrades have been deferred due to phasing. This means that some software repositories use a phased approach to roll out updates gradually to users. Updates are not made available to everyone at once, but are instead released to a subset of users initially.

Packages Kept Back

Having some packages kept or held back from upgrading could be due to dependency conflicts. The package manager APT defers their upgrade until the issues preventing their upgrade are resolved.

âš ī¸ Important:

Do NOT attempt to manually force an upgrade. The packages will upgrade automatically once any underlying issues have been resolved. These issues are not specific to your server, but rather exist at the repository level, or are related to dependencies or conflicts with the packages themselves. Allow APT to manage the upgrades for you.

Method 1: Creating a Bash Alias

To speed up the process, you can create a bash alias that combines all update commands:

Step 1: Navigate to home directory and edit .bash_aliases

cd
nano .bash_aliases

Step 2: Add the alias

alias server_updates='sudo apt update && sudo apt upgrade -y && sudo apt autoremove -y'

Step 3: Activate the alias

You can activate the alias by running source ~/.bash_aliases in the current shell, or by logging out and logging back in:

exit

After logging back in, simply type:

server_updates

Method 2: Creating a Bash Script

Another approach is to create a bash script for server updates:

Step 1: Create the script file

nano server_updates.sh

Step 2: Add the script contents

#!/bin/bash

# Check if script is run as root
if [ "$EUID" -ne 0 ]; then
    echo "Please run this script with sudo or as root."
    exit 1
fi

# Update package lists
echo "Updating package lists..."
sudo apt update

# Upgrade installed packages (prompts for confirmation)
echo "Upgrading installed packages..."
sudo apt upgrade

# Remove unnecessary packages (prompts for confirmation)
echo "Removing unnecessary packages..."
sudo apt autoremove

echo "Update, upgrade, and autoremove completed."

ℹ️ Note:

The script shown above does NOT include the -y flag after upgrade and autoremove, allowing you to review packages before confirming. You can add -y flags if you prefer automatic confirmation.

Step 3: Make the script executable

chmod +x server_updates.sh

Step 4: Run the script

sudo ./server_updates.sh

2. WordPress Updates

WordPress updates require specific file permissions to run smoothly through the dashboard. There are two approaches: default permissions and hardened permissions.

Method 1: Default PHP Pool User and Permissions

This method uses standard permissions that allow easy updates through the WordPress dashboard.

Step 1: Navigate to the site directory

cd /var/www/example.com/

Step 2: Check current permissions

sudo ls -l public_html/

Step 3: Set ownership to PHP pool user

sudo chown -R PHP_POOL_USER:PHP_POOL_USER public_html/

Step 4: Set directory permissions

sudo find /var/www/example.com/public_html/ -type d -exec chmod 770 {} \;

Step 5: Set file permissions

sudo find /var/www/example.com/public_html/ -type f -exec chmod 660 {} \;

Step 6: Run updates in WordPress dashboard

Open the WordPress dashboard and all updates will run without issue.

Step 7: Reload PHP-FPM

sudo systemctl reload php8.3-fpm

Method 2: Hardened Permissions (Recommended for Production)

This method provides enhanced security by using restrictive permissions, but requires permission changes before and after updates.

Initial Setup with Hardened Permissions:

cd /var/www/example.com/
sudo ls -l public_html/
sudo chown -R PHP_POOL_USER:PHP_POOL_USER public_html/
sudo find /var/www/example.com/public_html/ -type d -exec chmod 550 {} \;
sudo find /var/www/example.com/public_html/ -type f -exec chmod 440 {} \;
sudo find /var/www/example.com/public_html/wp-content/ -type d -exec chmod 770 {} \;
sudo find /var/www/example.com/public_html/wp-content/ -type f -exec chmod 660 {} \;

WordPress Update Process with Hardened Permissions

Loosen Permissions → Run WordPress Updates → Harden Permissions → Reload PHP-FPM

Step 1: Change permissions to allow updates

sudo find /var/www/example.com/public_html/ -type d -exec chmod 770 {} \;
sudo find /var/www/example.com/public_html/ -type f -exec chmod 660 {} \;

Step 2: Run WordPress updates through the dashboard

Open the WordPress dashboard and perform all necessary updates.

Step 3: Harden permissions after updates

sudo find /var/www/example.com/public_html/ -type d -exec chmod 550 {} \;
sudo find /var/www/example.com/public_html/ -type f -exec chmod 440 {} \;
sudo find /var/www/example.com/public_html/wp-content/ -type d -exec chmod 770 {} \;
sudo find /var/www/example.com/public_html/wp-content/ -type f -exec chmod 660 {} \;

Step 4: Reload PHP-FPM

sudo systemctl reload php8.3-fpm
✅ Security Best Practice:

Hardened permissions significantly improve security by restricting write access. The wp-content directory maintains write permissions (770/660) to allow uploads and plugin/theme installations, while the rest of the WordPress installation uses read-only permissions (550/440).

Permission Explanation Table

Permission             Directories  Files  Purpose
Standard               770          660    Allows updates and modifications through WordPress
Hardened (Root)        550          440    Read and execute only - maximum security
Hardened (wp-content)  770          660    Allows uploads and plugin/theme management
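
The weak point of the hardened workflow is forgetting Step 3 after a dashboard update. The following check, an added example that is not part of the original guide, lists anything that still deviates from the hardened scheme described above. The function name, script name and message wording are assumptions made for illustration.

```bash
#!/bin/bash
# Added example, not part of the original guide.

# Print every path under a public_html directory ($1) that breaks the
# hardened scheme, and return 1 if there are any:
#   - outside wp-content, nothing may be writable (550 dirs / 440 files)
#   - nowhere may "other" users have any access (every mode here ends in 0)
audit_hardened() {
    local root findings
    root=${1%/}
    findings=$(
        find "$root" -path "$root/wp-content" -prune -o \
            \( -type d -o -type f \) \
            \( -perm -200 -o -perm -020 -o -perm -002 \) -print |
            sed 's/^/writable outside wp-content: /'
        find "$root" \( -type d -o -type f \) \
            \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
            sed 's/^/accessible to other users: /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage: sudo ./audit_permissions.sh /var/www/example.com/public_html
if [ $# -gt 0 ]; then
    audit_hardened "$1"
fi
```

An empty result with exit status 0 means the tree matches the hardened table; run it after Step 3 and before reloading PHP-FPM.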

3. ClamAV Antivirus

ClamAV is an open-source antivirus engine for detecting trojans, viruses, malware, and other malicious threats on your server.

Installation

sudo apt update
sudo apt install clamav
â„šī¸ Note:

The ClamAV definition database will be updated automatically after installation.

Disable Automatic Updates (Optional)

If you prefer manual control over virus definition updates, you can disable the automatic freshclam service:

sudo systemctl stop clamav-freshclam
sudo systemctl disable clamav-freshclam

Manual Database Updates

To manually update the virus definitions:

sudo freshclam

Running Manual Scans

To scan a directory or path on your server:

sudo clamscan -r /path/2/scan
â„šī¸ Command Options:
  • -r: Recursive scan (scans subdirectories)
  • /path/2/scan: Replace with the actual path you want to scan

Complete Manual Workflow

When using ClamAV with automatic updates disabled, follow this workflow:

Update database and run scan:

sudo freshclam
sudo clamscan -r /path/2/scan

ClamAV Workflow Diagram

Install ClamAV → Disable Auto-Update (Optional) → Update Definitions (freshclam) → Run Scan (clamscan)

Example: Scanning WordPress Installation

sudo freshclam
sudo clamscan -r /var/www/example.com/public_html/
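
When the manual workflow is run from a script, the scan result has to be read from clamscan's exit status: 0 means no detections, 1 means at least one detection, and 2 means the scan itself hit an error and is incomplete. The wrapper below is an added example, not part of the original guide; the function names and the sample output (including the signature names) are constructed for illustration.

```bash
#!/bin/bash
# Added example, not part of the original guide.

# Constructed sample of clamscan output (signature names are placeholders).
SAMPLE_CLAMSCAN='/var/www/example.com/public_html/wp-content/uploads/a.php: Example.Signature-1 FOUND
/var/www/example.com/public_html/readme: old.txt: Example.Signature-2 FOUND
/var/www/example.com/public_html/index.php: OK'

# Read clamscan output on stdin and print "signature<TAB>path" per detection.
# A hit is reported as "<path>: <signature> FOUND"; the path may itself
# contain ": ", so the line is split at the last occurrence.
list_detections() {
    local line hit
    while IFS= read -r line; do
        case $line in
            *" FOUND") ;;
            *) continue ;;
        esac
        hit=${line% FOUND}
        printf '%s\t%s\n' "${hit##*: }" "${hit%: *}"
    done
}

# Update definitions, scan $1 recursively and report by exit status.
# -i prints infected files only; --no-summary drops the closing statistics.
scan_tree() {
    local log rc
    log=$(mktemp) || return 2
    sudo freshclam || echo "warning: definitions not updated" >&2
    sudo clamscan -r -i --no-summary "$1" >"$log" 2>&1
    rc=$?
    case $rc in
        0) echo "clean: $1" ;;
        1) echo "detections in $1:"; list_detections <"$log" ;;
        *) echo "scan error (exit $rc), results are incomplete:"; cat "$log" ;;
    esac
    rm -f "$log"
    return "$rc"
}

# Usage: ./scan_site.sh /var/www/example.com/public_html/
if [ $# -gt 0 ]; then
    scan_tree "$1"
fi
```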

4. Rootkit Hunter (rkhunter)

Rootkit Hunter (rkhunter) is a Unix-based tool that scans for rootkits, backdoors, and possible local exploits on your server.

Installation

sudo apt install rkhunter

Initial Setup

After installation, update the file properties database:

sudo rkhunter --propupd

Running a Complete System Scan

To run a comprehensive check of your system:

sudo rkhunter --checkall --sk
â„šī¸ Command Flags:
  • --checkall: Performs all available tests
  • --sk or --skip-keypress: Skips the need to press Enter after each test (useful for automated runs)

Viewing Scan Results

After running a scan, you can view the detailed log file:

Using cat (displays entire log):

sudo cat /var/log/rkhunter.log

Using less (allows scrolling through log):

sudo less /var/log/rkhunter.log

Disable Automatic Scheduled Scans

By default, rkhunter may be configured to run automatically via cron. If you prefer manual control:

Remove daily cron job:

cd /etc/cron.daily/
sudo rm rkhunter

Remove weekly cron job:

cd /etc/cron.weekly/
sudo rm rkhunter

Rootkit Hunter Workflow

Install rkhunter → Update Properties Database → Run System Scan → Review Logs

⚠️ Important:

Always run sudo rkhunter --propupd after system updates or when you make legitimate changes to system files. This prevents false positives in future scans.

5. Database Tuning

Proper database tuning is essential for optimal performance. This section covers MariaDB/MySQL tuning and monitoring queries.

InnoDB Buffer Pool Monitoring

The InnoDB buffer pool is the memory area that holds cached data and indexes. Monitoring its usage helps optimize memory allocation.

View InnoDB Buffer Pool Actual Memory Usage:

SHOW GLOBAL STATUS LIKE 'Innodb_buffer_pool_bytes_data';

Database Size Analysis

View all database sizes:

SELECT table_schema AS "Database", ROUND(SUM(data_length + index_length) / 1024 / 1024, 2) AS "Size (MB)" FROM information_schema.tables GROUP BY table_schema;

View InnoDB database sizes only:

SELECT table_schema AS "Database", SUM(data_length + index_length) / 1024 / 1024 AS "Size (MB)" FROM information_schema.tables WHERE engine = 'InnoDB' GROUP BY table_schema;

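View buffer pool usage by database (this query reports each database's InnoDB data and index size, which is the most it can occupy in the buffer pool, not what is currently cached):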

SELECT table_schema AS "Database", SUM(data_length + index_length) / 1024 / 1024 AS "Size (MB)" FROM information_schema.tables WHERE engine = 'InnoDB' GROUP BY table_schema;

Table I/O Statistics

Understanding which tables are frequently accessed helps optimize queries and indexing:

SELECT object_schema AS 'Database', object_name AS 'Table', COUNT_READ AS 'Reads', COUNT_WRITE AS 'Writes', SUM_TIMER_READ / 1000000000 AS 'Read Time (ms)', SUM_TIMER_WRITE / 1000000000 AS 'Write Time (ms)' FROM performance_schema.table_io_waits_summary_by_table ORDER BY SUM_TIMER_READ + SUM_TIMER_WRITE DESC;

MySQLTuner

MySQLTuner is a script that analyzes your MariaDB/MySQL installation and provides optimization recommendations.

Running MySQLTuner:

cd
cd MySQLTuner/
ls -l
sudo ./mysqltuner
â„šī¸ Note:

MySQLTuner requires sudo privileges as it needs to login to MariaDB to gather statistics and analyze performance.

Database Tuning Process

Check Buffer Pool Usage → Analyze Database Sizes → Review I/O Statistics → Run MySQLTuner → Apply Recommendations

Key Performance Metrics Table

Metric             Query                          Purpose
Buffer Pool Usage  Innodb_buffer_pool_bytes_data  Monitor actual memory usage
Database Sizes     information_schema.tables      Identify large databases
Table I/O          performance_schema             Find frequently accessed tables

6. Disk Space Management

Administering disk space on an Ubuntu server is an important task, as your server can crash if you run out of space. The process involves monitoring disk usage and cleaning up unnecessary files.

Check Disk Space

df -h
â„šī¸ Command Flag:

The -h flag means "human readable format" - displays sizes in KB, MB, GB instead of bytes.

Cleanup Methods

1. Remove Unused Packages

sudo apt autoremove && sudo apt clean

2. Cleanup System Logs

System logs can accumulate and consume significant disk space. You can clean logs older than a specified time:

sudo journalctl --vacuum-time=1days
â„šī¸ Vacuum Options:
  • --vacuum-time=1days: Remove logs older than 1 day
  • --vacuum-time=7days: Remove logs older than 7 days
  • --vacuum-size=100M: Keep only 100MB of logs

Analyze Directory Sizes

To identify which directories are consuming the most disk space:

Navigate to root directory:

cd /

List directory sizes sorted by size:

du -ah --max-depth=1 | sort -h
â„šī¸ Command Options:
  • -a: Display all files and directories
  • -h: Human readable format
  • --max-depth=1: Only show top-level directories
  • | sort -h: Sort results by size (largest at bottom)

The largest directories are displayed at the bottom. You can change to any directory and run the du -ah command to drill down further.

Disk Space Management Workflow

Check Disk Space (df -h) → Identify Large Directories (du) → Clean Packages & Logs → Verify Space Freed

Common Space-Consuming Directories

Directory        Typical Contents             Cleanup Strategy
/var/log/        System and application logs  Use journalctl --vacuum or manually delete old logs
/var/cache/apt/  Package cache files          sudo apt clean
/tmp/            Temporary files              Usually auto-cleaned, but can manually remove old files
/var/www/        Web files and backups        Remove old backups and unused files

⚠️ Caution:

Always verify what you're deleting before removing files. Never delete system files or logs that are currently in use without understanding the consequences.

7. OPcache File Monitoring

OPcache improves PHP performance by storing precompiled script bytecode in memory. Monitoring the number of PHP files per pool helps optimize the opcache.max_accelerated_files setting.

Understanding OPcache Max Accelerated Files

The opcache.max_accelerated_files directive determines how many PHP files can be cached. PHP uses prime numbers for this setting to optimize hash table distribution.

â„šī¸ Prime Number Set:

PHP uses the following prime numbers: 223, 463, 983, 1979, 3907, 7963, 16229, 32531, 65407, 130987, 262237, 524524, 1048793

The actual value used will be the first prime number in this set that is greater than or equal to the configured value.

Nginx Backlog Configuration

Before diving into OPcache monitoring, it's worth noting the backlog configuration for nginx:

In nginx configuration:

listen 80 backlog=2048;
listen 443 ssl backlog=2048;

OPcache Monitoring Script

Create a script to monitor OPcache settings and count PHP files:

Create the script:

nano opcache_files.sh

Script contents:

#!/bin/bash

# Return the value PHP actually uses: the first prime in the set that is
# greater than or equal to the configured value.
round_to_prime() {
    local value=$1
    local primes=(223 463 983 1979 3907 7963 16229 32531 65407 130987 262237 524521 1048793)
    local prime
    for prime in "${primes[@]}"; do
        if [ "$value" -le "$prime" ]; then
            echo "$prime"
            return
        fi
    done
    # Configured value is above the largest prime in the set
    echo "$prime"
}

echo ""
echo "Checking for opcache.max_accelerated_files directive in PHP pool files..."
echo ""
echo "The value used (actual value) will be the first number in the set of prime numbers"
echo "223, 463, 983, 1979, 3907, 7963, 16229, 32531, 65407, 130987, 262237, 524521, 1048793"
echo "that is greater than or equal to the configured value (value set)"
echo ""

POOL_DIR="/etc/php/8.3/fpm/pool.d/"

# Report the configured and effective value for each PHP-FPM pool file
for file in "$POOL_DIR"*.conf; do
    filename=$(basename "$file")
    if grep -q "opcache.max_accelerated_files" "$file"; then
        # Take the text after "=" and strip spaces
        value=$(grep "opcache.max_accelerated_files" "$file" | awk -F'=' '{print $2}' | tr -d ' ')
        rounded_value=$(round_to_prime "$value")
        echo "File: $filename - opcache.max_accelerated_files: set value ($value) actual value ($rounded_value)"
    else
        echo "File: $filename - opcache.max_accelerated_files directive not found"
    fi
done

echo ""
echo "Listing domain names and number of PHP files in public_html directories..."
echo ""

WWW_DIR="/var/www/"

# Count PHP files per site, skipping the default /var/www/html/ directory
for domain_dir in "$WWW_DIR"*/ ; do
    if [ "$domain_dir" == "/var/www/html/" ]; then
        continue
    fi
    domain_name=$(basename "$domain_dir")
    public_html_dir="${domain_dir}public_html/"
    if [ -d "$public_html_dir" ]; then
        php_file_count=$(find "$public_html_dir" -type f -name "*.php" | wc -l)
        echo "WordPress site: $domain_name - PHP files: $php_file_count"
    else
        echo "Domain: $domain_name - public_html directory not found"
    fi
done

echo ""

Script Features

Feature         Description
Prime Rounding  Calculates the actual prime number used by PHP OPcache
Pool Analysis   Checks opcache settings in PHP-FPM pool configuration files
File Counting   Counts PHP files in each WordPress installation
Comparison      Allows you to compare configured vs. actual values

Running the Script

chmod +x opcache_files.sh
./opcache_files.sh

Optimizing OPcache Settings

Count PHP Files → Choose Prime Number → Update Pool Config → Reload PHP-FPM
✅ Best Practice:

Set opcache.max_accelerated_files to the next prime number above your total PHP file count. For example, if you have 2,500 PHP files, set it to 3907. This ensures all files can be cached with optimal hash table distribution.

Conclusion

Regular server maintenance is essential for ensuring the security, stability, and performance of your hosting infrastructure. This guide has covered the fundamental maintenance tasks that every backend server professional should perform regularly:

  • Server Updates: Keep your system secure with regular package updates using apt commands or automated scripts
  • WordPress Updates: Manage permissions correctly to ensure smooth updates while maintaining security
  • Security Scanning: Use ClamAV and rkhunter to detect malware, rootkits, and security threats
  • Database Optimization: Monitor and tune MariaDB/MySQL for optimal performance
  • Disk Space Management: Prevent server crashes by monitoring and managing disk usage
  • OPcache Optimization: Improve PHP performance through proper OPcache configuration
✅ Key Takeaways:
  • Manual oversight is preferable to fully automated updates for critical systems
  • Security requires layered approaches: permissions, scanning, and monitoring
  • Performance optimization is an ongoing process requiring regular analysis
  • Documentation and scripting save time and reduce errors
  • Regular maintenance prevents major issues and downtime

By following these practices and understanding the commands and processes involved, you'll be able to maintain a secure, stable, and high-performing server infrastructure. Remember to always test changes in a development environment before applying them to production systems, and maintain regular backups as a safety net.