
How to Set Up a Web Hosting Environment on a Bare Metal Dedicated Server

To set up a web hosting environment on a bare metal dedicated server, install a Linux server OS, secure SSH, configure a firewall, and deploy a web stack (LAMP/LEMP) with PHP and a database. Create virtual hosts, add SSL/TLS via Let’s Encrypt, point DNS to your server, harden services, and implement backups and monitoring.

In this guide, you’ll learn how to set up a production-grade web hosting environment on a bare metal dedicated server from scratch. We’ll cover OS installation, security hardening, LAMP/LEMP setup, SSL, DNS, performance tuning, monitoring, and backups—using beginner-friendly steps and commands that work on Ubuntu and AlmaLinux.

What Is a Bare Metal Dedicated Server (and Why Choose It)?

A bare metal dedicated server is a physical machine reserved exclusively for you—no hypervisor layer, no noisy neighbors. It gives you predictable performance, full root access, and hardware-level customization for CPU, RAM, NVMe/SSD storage, and RAID. It’s ideal when you need high performance, strict compliance, or total control.

Planning Checklist: Before You Touch the Terminal

  • Choose an OS: Ubuntu 22.04 LTS or AlmaLinux 9 (stable, long support, great documentation).
  • Networking: Static IPv4 (and IPv6 if available), rDNS/PTR record, and hostname (e.g., host1.yourdomain.com).
  • Storage: NVMe/SSD preferred, RAID1/RAID10 for redundancy, decide on LVM or plain partitions.
  • Security: SSH keys ready, plan firewall rules, and enable automatic updates.
  • Domains: Registrar access for DNS or custom nameservers; decide if you’ll use registrar DNS or a DNS server on the host.
  • Backup strategy: Offsite backups or object storage; define retention (e.g., 7 daily, 4 weekly, 3 monthly).

Provision the Server and Log In

Most providers let you remotely install Ubuntu or AlmaLinux via IPMI/console. After the OS boots, connect via SSH as root or a provided user. Immediately create a non-root sudo user and add your SSH key.

# Log in
ssh root@your_server_ip

# Create a sudo user (Ubuntu/AlmaLinux)
adduser deploy
# Run only the line for your distribution
usermod -aG sudo deploy      # Ubuntu
usermod -aG wheel deploy     # AlmaLinux

# Install your public SSH key for the new user
mkdir -p /home/deploy/.ssh
chmod 700 /home/deploy/.ssh
nano /home/deploy/.ssh/authorized_keys
chmod 600 /home/deploy/.ssh/authorized_keys
chown -R deploy:deploy /home/deploy/.ssh

Lock Down SSH and Enable a Firewall

Disabling password authentication and limiting SSH helps block brute-force attacks. Use UFW on Ubuntu or firewalld on AlmaLinux.

# SSH hardening
nano /etc/ssh/sshd_config
# Set:
#   PermitRootLogin no
#   PasswordAuthentication no
#   PubkeyAuthentication yes
#   Port 22  (optionally change, but security-by-obscurity is not a control)
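# Validate the config before restarting; keep your current session open
# until a new key-based login as deploy works
sshd -t && systemctl restart sshd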

# Ubuntu firewall (UFW)
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable
ufw status

# AlmaLinux firewall (firewalld)
systemctl enable --now firewalld
firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
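
`sshd -T` prints the effective configuration, which matters because included drop-in files under /etc/ssh/sshd_config.d/ can override values edited in the main file. The check below is an added example, not part of the original guide; the function name audit_sshd and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare effective sshd settings with the values set above.
# stdin: output of `sshd -T` (lowercase "keyword value" lines).
# Exit status 0 when all three settings match, 1 otherwise.
audit_sshd() {
  awk '
    BEGIN {
      want["permitrootlogin"] = "no"
      want["passwordauthentication"] = "no"
      want["pubkeyauthentication"] = "yes"
    }
    ($1 in want) {
      seen[$1] = 1
      if ($2 != want[$1]) {
        printf "FAIL %s is %s, expected %s\n", $1, $2, want[$1]
        bad++
      } else {
        printf "ok   %s %s\n", $1, $2
      }
    }
    END {
      # A setting that never appears in the input is also a failure
      for (k in want) if (!(k in seen)) { printf "FAIL %s not reported\n", k; bad++ }
      exit (bad > 0)
    }'
}

# Constructed sample: a drop-in file re-enabled password logins
SAMPLE_SSHD_T='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes'

# On a live host (as root): sshd -T | audit_sshd
printf '%s\n' "$SAMPLE_SSHD_T" | audit_sshd || echo "sshd settings need attention"
```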

Keep the Core System Updated

Regularly patching the OS is non-negotiable. Enable unattended updates for security patches and schedule kernel reboots during maintenance windows.

# Updates
# Ubuntu
apt update && apt -y upgrade
apt install -y unattended-upgrades
dpkg-reconfigure --priority=low unattended-upgrades

# AlmaLinux
dnf -y update
dnf -y install dnf-automatic
systemctl enable --now dnf-automatic.timer

LAMP vs. LEMP: Choose Your Web Stack

Your web hosting environment typically uses either LAMP (Linux, Apache, MariaDB/MySQL, PHP) or LEMP (Linux, Nginx, MariaDB/MySQL, PHP-FPM). For high concurrency, Nginx + PHP-FPM shines; for .htaccess compatibility and legacy apps, Apache is familiar.

  • LAMP pros: .htaccess support, rich Apache modules, easier for legacy PHP apps.
  • LEMP pros: Event-driven, lower memory footprint, great for static assets and reverse proxy.
  • Databases: MariaDB often performs well and is drop-in for MySQL in most cases.

Install the Web Stack (Ubuntu)

Below are quick-start installs for both stacks. Pick one.

# LAMP on Ubuntu
apt update
apt install -y apache2 mariadb-server php php-cli php-fpm php-mysql php-xml php-curl php-zip php-mbstring php-gd unzip
systemctl enable --now apache2 mariadb php8.1-fpm

# LEMP on Ubuntu
apt update
apt install -y nginx mariadb-server php php-cli php-fpm php-mysql php-xml php-curl php-zip php-mbstring php-gd unzip
systemctl enable --now nginx mariadb php8.1-fpm

# Secure MariaDB
mysql_secure_installation

Install the Web Stack (AlmaLinux)

AlmaLinux uses dnf and the PHP version may vary by repository. Consider enabling Remi repo for newer PHP if required by your application.

# (Optional) Enable EPEL and Remi for newer PHP
dnf -y install epel-release
dnf -y install https://rpms.remirepo.net/enterprise/remi-release-9.rpm
dnf module reset php -y
dnf module enable php:remi-8.2 -y

# LAMP on AlmaLinux
dnf -y install httpd mariadb-server php php-cli php-fpm php-mysqlnd php-xml php-curl php-zip php-mbstring php-gd unzip
systemctl enable --now httpd mariadb php-fpm

# LEMP on AlmaLinux
dnf -y install nginx mariadb-server php php-cli php-fpm php-mysqlnd php-xml php-curl php-zip php-mbstring php-gd unzip
systemctl enable --now nginx mariadb php-fpm

# Secure MariaDB
mysql_secure_installation

Create Sites with Virtual Hosts / Server Blocks

Use one site per configuration file. The document root can be under /var/www/domain or /home/user/public_html if you prefer per-user separation.

Nginx server block example

# /etc/nginx/sites-available/example.com
server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/example.com/public;
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg)$ {
        expires 7d;
        access_log off;
    }
}

# Enable and test
ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
nginx -t && systemctl reload nginx

Apache virtual host example

# /etc/apache2/sites-available/example.com.conf (Ubuntu)
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com/public

    <Directory /var/www/example.com/public>
        AllowOverride All
        Require all granted
    </Directory>

    ProxyPassMatch "^/(.*\.php(/.*)?)$" "unix:/run/php/php-fpm.sock|fcgi://localhost/var/www/example.com/public"
    ErrorLog ${APACHE_LOG_DIR}/example_error.log
    CustomLog ${APACHE_LOG_DIR}/example_access.log combined
</VirtualHost>

# Enable site and modules
a2enmod proxy_fcgi setenvif rewrite
a2enconf php*-fpm
a2ensite example.com
apachectl configtest && systemctl reload apache2

Add Free SSL/TLS with Let’s Encrypt

Use Certbot to install and renew certificates automatically. Ensure your domain’s DNS A/AAAA records point to your server first.

# Ubuntu (install the plugin that matches your web server)
apt install -y certbot python3-certbot-nginx     # Nginx
apt install -y certbot python3-certbot-apache    # Apache
# Nginx
certbot --nginx -d example.com -d www.example.com
# Apache
certbot --apache -d example.com -d www.example.com

# AlmaLinux (install the plugin that matches your web server)
dnf -y install certbot python3-certbot-nginx     # Nginx
dnf -y install certbot python3-certbot-apache    # Apache
# Nginx
certbot --nginx -d example.com -d www.example.com
# Apache
certbot --apache -d example.com -d www.example.com

# Auto-renew check
systemctl list-timers | grep certbot
certbot renew --dry-run

Point Your Domain: DNS Configuration

At your registrar or DNS provider, create:

  • A record: example.com → your IPv4
  • AAAA record: example.com → your IPv6 (if available)
  • Optional: www CNAME → example.com
  • PTR/rDNS: contact provider to map your IP to host1.yourdomain.com (important for mail reputation)

DNS propagation can take minutes to hours. Use dig, nslookup, or online checkers to verify.

dig +short A example.com
dig +short AAAA example.com
curl -I http://example.com

Database Hardening Basics

  • Run mysql_secure_installation to remove test DBs and set a strong root password.
  • Create per-app users with least privileges; avoid using root in application configs.
  • Bind MySQL/MariaDB to 127.0.0.1 unless you need remote access, then restrict by IP and SSL.

# Bind locally (MariaDB/MySQL)
# /etc/mysql/mariadb.conf.d/50-server.cnf (Ubuntu)
# /etc/my.cnf.d/server.cnf (AlmaLinux)
bind-address = 127.0.0.1

# Create least-privileged user
# (quoted heredoc: one password prompt, and the shell leaves "!" alone;
#  replace StrongPass! with a unique generated password)
mysql -u root -p <<'SQL'
CREATE DATABASE appdb;
CREATE USER 'appuser'@'localhost' IDENTIFIED BY 'StrongPass!';
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,ALTER,INDEX ON appdb.* TO 'appuser'@'localhost';
FLUSH PRIVILEGES;
SQL
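
To confirm that the bind-address change took effect and that nothing else listens publicly, the listener table can be checked against the ports the firewall section opens (22, 80, 443). This is an added example, not part of the original guide; the function name exposed_listeners and the sample `ss` output are constructed.

```shell
#!/bin/sh
# Added example: flag TCP listeners bound to non-loopback addresses whose
# port is not on the public allowlist. Input is `ss -H -tln` output.

# $1: space-separated ports meant to be public; stdin: ss output
# stdout: "port address" for each unexpected listener
exposed_listeners() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)                  # text after the last colon
      addr = substr($4, 1, length($4) - length(port) - 1)
      sub(/%.*/, "", addr)                             # drop interface suffix, e.g. %lo
      if (addr ~ /^127\./ || addr == "[::1]") next     # loopback only: not exposed
      if (!(port in ok)) print port, addr
    }'
}

# Constructed sample: MariaDB on a wildcard bind, PHP-FPM on loopback TCP
SAMPLE_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9000 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*'

# On a live host: ss -H -tln | exposed_listeners "22 80 443"
printf '%s\n' "$SAMPLE_SS" | exposed_listeners "22 80 443"
```

The check reports what is bound, independent of firewall rules, so a wildcard bind on 3306 shows up even when UFW or firewalld currently blocks the port.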

Security Hardening: Beyond the Basics

  • Fail2ban: Blocks repeated brute-force attempts for SSH and web login endpoints.
  • AppArmor/SELinux: Keep enforcement enabled for process confinement.
  • Disable unused services: run systemctl disable --now service_name for any service you don’t use.
  • Regular audits: Logwatch, Lynis, or manual log reviews.
  • Secrets management: Keep app secrets out of repos; use environment variables or a vault.

# Install and enable fail2ban (Ubuntu)
apt install -y fail2ban
systemctl enable --now fail2ban

# AlmaLinux
dnf -y install fail2ban fail2ban-firewalld
systemctl enable --now fail2ban

Performance Tuning for Production

  • PHP-FPM: Set pm = ondemand or dynamic; tune pm.max_children based on RAM.
  • Compression and Caching: Enable Gzip/Brotli and long cache headers for static assets.
  • HTTP/2/3: Enable ALPN with modern ciphers; consider QUIC if your stack supports it.
  • OPcache: Enable and size appropriately for PHP apps like WordPress.
  • Database: Tweak innodb_buffer_pool_size (50–70% RAM for DB-heavy servers).

# Example: enable Brotli on Nginx (Ubuntu)
apt install -y nginx-extras
# In nginx.conf http block:
brotli on;
brotli_comp_level 5;
brotli_types text/plain text/css application/javascript application/json image/svg+xml;

# PHP OPcache (php.ini)
opcache.enable=1
opcache.memory_consumption=128
opcache.max_accelerated_files=10000
opcache.validate_timestamps=1
opcache.revalidate_freq=60

Backups and Disaster Recovery

  • Files: rsync or tar to remote storage; consider incremental backups.
  • Databases: Nightly mysqldump or Percona XtraBackup for hot backups.
  • Offsite: Store backups in a different availability zone or provider.
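  • Test restores: A backup isn’t a backup until you’ve restored it.

# Simple daily DB dump (cron)
# Keep credentials out of the crontab and the process list: store them in a
# root-only option file, e.g. /root/.my.cnf (chmod 600) with a [client] section
crontab -e
# Add (run at 02:30):
30 2 * * * mysqldump --defaults-extra-file=/root/.my.cnf --all-databases | gzip > /backup/db_$(date +\%F).sql.gz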

# Simple site files backup
rsync -a /var/www/ /backup/www_$(date +%F)/
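
The planning checklist suggests a retention of 7 daily, 4 weekly, and 3 monthly backups; the sketch below applies that policy to the db_YYYY-MM-DD.sql.gz names the cron job produces. It is an added example, not part of the original guide; the function names are constructed, and it assumes GNU date for ISO week numbers.

```shell
#!/bin/sh
# Added example: 7 daily / 4 weekly / 3 monthly retention for dumps named
# db_YYYY-MM-DD.sql.gz. Assumes GNU date (ISO week numbers via -d).

# Pass through only names that match the dump pattern.
only_dumps() {
  grep -E '^db_[0-9]{4}-[0-9]{2}-[0-9]{2}\.sql\.gz$' || true
}

# stdin: file names, one per line; stdout: names to keep, newest first
select_keep() {
  only_dumps | sort -r | while IFS= read -r f; do
    d=${f#db_}; d=${d%.sql.gz}
    # columns: name, ISO year-week, year-month
    printf '%s %s %s\n' "$f" "$(date -u -d "$d" +%G-W%V)" "${d%-*}"
  done | awk -v nd=7 -v nw=4 -v nm=3 '
    {
      keep = (NR <= nd)                                            # newest nd dumps
      if (!($2 in wk) && nwk < nw) { wk[$2] = 1; nwk++; keep = 1 } # newest per recent week
      if (!($3 in mo) && nmo < nm) { mo[$3] = 1; nmo++; keep = 1 } # newest per recent month
      if (keep) print $1
    }'
}

# stdin: file names; stdout: dumps outside the retention (never unrelated files)
select_prune() {
  all=$(only_dumps)
  keep=$(printf '%s\n' "$all" | select_keep)
  printf '%s\n' "$all" | grep -vxF -e "$keep" || true
}

# Constructed demo: one dump per day for March 2024; prints the prune candidates
for day in $(seq -w 1 31); do echo "db_2024-03-$day.sql.gz"; done | select_prune
```

Review the output of select_prune before wiring it to a delete step, and run it only after the newest dump has been copied offsite.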

Monitoring, Logging, and Alerts

  • System and service health: systemd, journalctl, and vendor graphs.
  • Metrics: node_exporter + Prometheus + Grafana for dashboards.
  • Uptime checks: External monitors to alert if HTTP/HTTPS fails.
  • Log management: Centralize with rsyslog or ship to a log service for retention and search.

Optional: Control Panels and Containers

If you prefer a GUI, cPanel/WHM, DirectAdmin, or open-source panels (e.g., CyberPanel) can automate virtual hosts, DNS, and mail. For microservices, use Docker with Nginx as a reverse proxy and Traefik or Caddy for automated TLS.

Go‑Live Checklist

  • All packages updated and security patches applied.
  • Firewall, fail2ban, SSH hardening in place; root login disabled.
  • LEMP/LAMP working with PHP info test and example vhost.
  • SSL/TLS valid; HTTP redirects to HTTPS.
  • DNS A/AAAA/PTR verified; TTLs set appropriately.
  • Backups scheduled; test restore completed.
  • Monitoring and alerts configured with on-call notifications.

When to Choose Managed Bare Metal

Running a bare metal dedicated server well requires time and expertise in Linux, networking, and security. If you want the performance of bare metal without the day‑to‑day ops burden, consider a managed dedicated server. At YouStable, our engineers handle stack deployment, security hardening, monitoring, and proactive updates—so you can focus on your applications.

Common Pitfalls to Avoid

  • Hosting email yourself without SPF/DKIM/DMARC and rDNS—deliverability will suffer; use a reputable SMTP or managed email.
  • Skipping automatic security updates—leaves you exposed to known CVEs.
  • No offsite backups—single point of failure if the server dies.
  • Running everything as root—use least privilege and dedicated system users.
  • Exposing databases publicly—bind to localhost or secure with SSL and IP allowlists.

FAQs: Set Up a Web Hosting Environment

Which Linux distribution is best for a bare metal web hosting environment?

Ubuntu 22.04 LTS and AlmaLinux 9 are top choices. Ubuntu offers fast updates and huge community support; AlmaLinux provides RHEL compatibility and enterprise stability. Pick based on your team’s familiarity and the software ecosystem you rely on.

Is LAMP or LEMP better for performance?

LEMP (Nginx + PHP-FPM) generally handles concurrent connections more efficiently and uses less memory, making it great for high-traffic sites and APIs. LAMP (Apache) is excellent for legacy apps and .htaccess workflows. Both can be tuned for speed and reliability.

Do I need a control panel like cPanel to host websites?

No. You can manually configure Nginx/Apache, PHP-FPM, and MariaDB using SSH. Control panels simplify multi-tenant hosting, DNS, email, and backups—but add overhead and licensing. If you prefer automation, a managed panel or managed server from a provider like YouStable is a time-saver.

How do I migrate an existing site to my dedicated server?

Copy files (rsync or SFTP), export/import the database (mysqldump), create a new vhost, update environment configs, and test using your hosts file before switching DNS. Once verified, lower TTL, switch DNS A/AAAA records, and monitor logs for errors.

How many websites can a bare metal server host?

It depends on CPU, RAM, storage IOPS, and workload. A modern 8–16 core CPU with 32–64 GB RAM and NVMe can host dozens to hundreds of typical WordPress sites. Resource-heavy apps or large databases reduce density. Monitor usage and scale horizontally if needed.

Conclusion

A bare metal dedicated server is worth it when you’re tired of “almost good enough” performance and want full control over your hosting stack without noisy neighbors slowing you down.

If you carefully choose the right provider, secure the OS, install a solid web stack (Apache/Nginx/LiteSpeed + MySQL/MariaDB + PHP/Node), wire up DNS and SSL, and put backups and monitoring in place, you end up with a fast, resilient hosting environment that can grow with your projects for years instead of months.

Mamta Goswami
