HestiaCP is an open-source web hosting control panel forked from the now-abandoned VestaCP project. It gives you a clean web interface for managing websites, email accounts, DNS zones, databases, and more on your Linux server. The project is actively maintained with regular security patches and feature updates, making it a solid choice for anyone who relied on VestaCP or needs a lightweight hosting panel.

In this guide, you will install HestiaCP on Ubuntu 24.04/22.04 or Debian 13/12, walk through initial configuration, and cover everyday management tasks including domain setup, email, SSL certificates, and security hardening.

What HestiaCP Offers

  • Nginx (with or without Apache as a backend) for web serving
  • PHP-FPM with multi-PHP version support
  • MySQL/MariaDB and PostgreSQL database management
  • Exim mail server with Dovecot IMAP/POP3
  • BIND DNS server
  • Let’s Encrypt SSL automation
  • Built-in file manager
  • Firewall management (iptables with fail2ban integration)
  • Backup and restore functionality
  • User and reseller account management

Prerequisites

Before you start, make sure you have the following in place:

  • A clean/fresh installation of Ubuntu 24.04, Ubuntu 22.04, Debian 13, or Debian 12. HestiaCP must be installed on a server with no pre-existing web server, mail server, or control panel – the installer handles all of that.
  • A fully qualified domain name (FQDN) pointing to your server’s public IP address. For example, panel.example.com with an A record resolving to your server IP.
  • Minimum 1 GB RAM (2 GB or more recommended if you plan to run mail services and multiple sites).
  • Root SSH access to the server.
  • At least 20 GB of disk space.

Step 1 – Update the System

Start by connecting to your server over SSH as root and bringing all packages up to date.

For Ubuntu/Debian:

apt update && apt upgrade -y

Set the correct hostname for your server. This should match the FQDN you plan to use for the control panel:

hostnamectl set-hostname panel.example.com

Verify the hostname is set:

hostname -f

Expected output:

panel.example.com

Step 2 – Download the HestiaCP Install Script

Download the latest installer script from the official HestiaCP repository:

wget https://raw.githubusercontent.com/hestiacp/hestiacp/release/install/hst-install.sh

Verify the script was downloaded:

ls -lh hst-install.sh

You should see the file listed with a reasonable file size (typically around 50-80 KB).

Step 3 – Run the HestiaCP Installer

The install script accepts a number of flags that let you customize exactly which components get installed. Here is a full installation with all major services enabled:

bash hst-install.sh \
  --nginx yes \
  --apache yes \
  --phpfpm yes \
  --multiphp yes \
  --mysql yes \
  --postgresql yes \
  --exim yes \
  --dovecot yes \
  --sieve yes \
  --clamav yes \
  --spamassassin yes \
  --iptables yes \
  --fail2ban yes \
  --named yes \
  --api yes \
  --interactive yes \
  --hostname panel.example.com \
  --email [email protected] \
  --password YourStrongPasswordHere \
  --lang en

Here is what each flag controls:

FlagDescription
--nginx yesInstall Nginx as the front-end web server
--apache yesInstall Apache as a backend (proxied behind Nginx). Set to no for Nginx-only setup
--phpfpm yesInstall PHP-FPM for PHP processing
--multiphp yesInstall multiple PHP versions (5.6 through 8.3) so you can assign different versions per domain
--mysql yesInstall MariaDB for MySQL-compatible databases
--postgresql yesInstall PostgreSQL. Set to no if you do not need it
--exim yesInstall Exim4 mail transfer agent for sending and receiving email
--dovecot yesInstall Dovecot for IMAP/POP3 mailbox access
--sieve yesEnable Sieve mail filtering rules
--clamav yesInstall ClamAV antivirus for email scanning
--spamassassin yesInstall SpamAssassin for spam filtering
--iptables yesConfigure iptables firewall
--fail2ban yesInstall Fail2ban for brute-force protection
--named yesInstall BIND DNS server
--api yesEnable the HestiaCP API
--hostnameServer FQDN for the panel
--emailAdmin contact email address
--passwordAdmin account password
--langPanel language (en, de, fr, es, etc.)

If you want a lighter setup without Apache (Nginx only), without PostgreSQL, and without mail antivirus scanning:

bash hst-install.sh \
  --nginx yes \
  --apache no \
  --phpfpm yes \
  --multiphp no \
  --mysql yes \
  --postgresql no \
  --exim yes \
  --dovecot yes \
  --sieve yes \
  --clamav no \
  --spamassassin no \
  --iptables yes \
  --fail2ban yes \
  --named yes \
  --hostname panel.example.com \
  --email [email protected] \
  --password YourStrongPasswordHere

The installer will show you a summary of what it plans to install and ask for confirmation. Review the summary and press y to proceed.

Installation typically takes between 5 and 15 minutes depending on your server specs and internet speed. When it finishes, you will see output similar to this:

Congratulations!

You have successfully installed Hestia Control Panel on your server.

https://panel.example.com:8083
username: admin
password: YourStrongPasswordHere

We hope you enjoy using Hestia Control Panel!

Save these login credentials. You will need them to access the web panel.

Step 4 – Verify the Installation

Confirm that HestiaCP services are running:

systemctl status hestia

You should see active (running) in the output. Check Nginx as well:

systemctl status nginx

Verify that the panel port is listening:

ss -tlnp | grep 8083

You should see output showing that port 8083 is open and listening.

If you have a firewall running outside of the server (such as a cloud provider security group), make sure port 8083 is allowed along with ports 80, 443, 22, 25, 465, 587, 993, 995, and 53 (TCP/UDP).

Step 5 – Access the HestiaCP Web Panel

Open your browser and navigate to:

https://panel.example.com:8083

You may see an SSL certificate warning on first access because the installer generates a self-signed certificate. Accept the warning to continue. Once you add your domain and configure Let’s Encrypt (covered below), this warning will go away.

Log in with the admin credentials displayed at the end of the installation.

Step 6 – Add a Domain

To host a website, you need to add a domain to HestiaCP:

  1. Log in to the HestiaCP panel.
  2. Click on the Web tab in the top navigation.
  3. Click Add Web Domain.
  4. Enter your domain name (for example, example.com).
  5. Check the box for DNS Support if you want HestiaCP to manage DNS for this domain.
  6. Check Mail Support if you want to handle email for this domain.
  7. Click Save.

Verify the domain was added from the command line:

v-list-web-domain admin example.com

The output will show the domain configuration including the document root, which defaults to /home/admin/web/example.com/public_html/.

Step 7 – Configure SSL with Let’s Encrypt

HestiaCP has built-in Let’s Encrypt support that handles certificate issuance and automatic renewal.

SSL for Hosted Domains

  1. Go to the Web tab and click Edit on the domain you want to secure.
  2. Scroll down to the SSL Certificate section.
  3. Check Enable SSL.
  4. Check Use Let’s Encrypt.
  5. Click Save.

HestiaCP will automatically request the certificate and configure Nginx/Apache to use it. Renewal is handled automatically by a cron job.

Verify the certificate was issued:

v-list-web-domain-ssl admin example.com

SSL for the HestiaCP Panel Itself

To replace the self-signed certificate on the panel with a trusted Let’s Encrypt certificate:

v-add-letsencrypt-host

After running this command, the browser warning on port 8083 will disappear and the panel will be served over a valid SSL certificate.

Step 8 – Create Email Accounts

If you installed Exim and Dovecot, you can create email accounts for any domain managed by HestiaCP.

  1. Click the Mail tab in the top navigation.
  2. Click on the domain you want to create an email account for.
  3. Click Add Mail Account.
  4. Enter the account name (the part before the @), set a password, and optionally set a quota.
  5. Click Save.

You can also do this from the command line:

v-add-mail-account admin example.com info YourMailPassword

This creates [email protected]. Verify it exists:

v-list-mail-accounts admin example.com

To access the mailbox, users can connect with any standard mail client using these settings:

  • IMAP server: mail.example.com – Port 993 (SSL)
  • SMTP server: mail.example.com – Port 587 (STARTTLS)
  • Username: full email address
  • Password: the password you set

HestiaCP also ships with a Roundcube webmail interface accessible at https://panel.example.com/webmail/.

Step 9 – Manage DNS Zones

If you enabled BIND during installation, HestiaCP automatically creates DNS zone files when you add a domain with DNS support enabled.

To view and edit DNS records:

  1. Click the DNS tab.
  2. Click on the domain name.
  3. You will see all DNS records (A, AAAA, MX, TXT, CNAME, NS, SRV).
  4. Click Add Record to create new records or click an existing record to edit it.

From the command line, list all DNS records for a domain:

v-list-dns-records admin example.com

Add a new A record:

v-add-dns-record admin example.com subdomain A 203.0.113.10

Step 10 – Database Management

HestiaCP provides a web interface for creating and managing MySQL/MariaDB and PostgreSQL databases.

  1. Click the DB tab.
  2. Click Add Database.
  3. Enter a database name, database user, and password.
  4. Select the database type (MySQL or PostgreSQL).
  5. Click Save.

The panel also includes phpMyAdmin for MySQL and phpPgAdmin for PostgreSQL, accessible from the database listing page.

From the command line:

# Create a MySQL database
v-add-database admin myapp_db myapp_user YourDBPassword mysql

# List all databases for the admin user
v-list-databases admin

Step 11 – File Manager

HestiaCP includes a built-in web-based file manager. To use it:

  1. Log in to the panel.
  2. Click the Files tab (or the file manager icon).
  3. You can browse, upload, download, edit, rename, and delete files directly from the browser.

The file manager operates within the user’s home directory. For the admin user, website files are located at /home/admin/web/example.com/public_html/.

Step 12 – Backup and Restore

HestiaCP includes an automated backup system that can back up user accounts, websites, databases, mail, and DNS configurations.

Configure Backup Settings

  1. Log in as admin and go to Server settings (gear icon at the top right).
  2. Navigate to the Backups section.
  3. Set the number of backups to retain, the backup directory, and optionally configure remote backup to SFTP or Amazon S3.

Create a Manual Backup

From the web panel, go to the user account and click the backup icon. From the command line:

# Create a full backup for the admin user
v-backup-user admin

# List available backups
v-list-user-backups admin

Restore from Backup

# Restore a specific backup
v-restore-user admin admin.2026-03-18.tar

# Restore only the web component
v-restore-user admin admin.2026-03-18.tar web

Automatic backups run daily via a cron job. You can verify the cron schedule:

grep backup /var/spool/cron/crontabs/hestiaweb

Step 13 – Security Hardening

A production hosting server should be locked down properly. Here are the key steps.

Change the Default Panel Port

Port 8083 is well-known for HestiaCP. Change it to something less predictable:

v-change-sys-port 2083

After running this, the panel will be accessible on https://panel.example.com:2083. Verify it works before closing your current session.

Verify Fail2ban is Active

Fail2ban protects against brute-force login attempts on SSH, the panel, mail, and FTP:

systemctl status fail2ban

Check which jails are active:

fail2ban-client status

You should see jails for sshd, hestia, exim, dovecot, and other services.

Restrict SSH Access

Disable root password login and switch to SSH key authentication. Edit the SSH configuration:

nano /etc/ssh/sshd_config

Set these values:

PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes

Restart SSH to apply the changes:

systemctl restart sshd

Make sure you have your SSH key configured before doing this, or you will lock yourself out.

Enable Automatic Security Updates

On Ubuntu, enable unattended security upgrades:

apt install -y unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades

Review Firewall Rules

HestiaCP manages iptables rules through its panel. View the current rules:

v-list-firewall

Add a custom firewall rule if needed (for example, allow a specific IP on a custom port):

v-add-firewall-rule ACCEPT 203.0.113.50 8443 tcp

Step 14 – Update HestiaCP

HestiaCP updates are delivered through the system package manager. To update:

apt update && apt upgrade -y

Check the currently installed version:

v-list-sys-info

Troubleshooting

Cannot Access the Panel on Port 8083

Check that the Hestia service is running:

systemctl status hestia

If it is stopped, start it:

systemctl start hestia

Check if the port is open in the firewall:

iptables -L -n | grep 8083

Also check your cloud provider’s security group or firewall settings.

Let’s Encrypt Certificate Fails

Let’s Encrypt validation requires that ports 80 and 443 are open and your domain resolves to the server IP. Verify:

# Check DNS resolution
dig +short example.com

# Check that port 80 is reachable
curl -I http://example.com

If the domain does not resolve to your server or port 80 is blocked, Let’s Encrypt validation will fail. Fix the DNS or firewall and try again.

Mail Not Sending or Receiving

Check the Exim mail queue:

exim -bpc

View the mail log for errors:

tail -50 /var/log/exim4/mainlog

Common causes:

  • Port 25 is blocked by your hosting provider (common on cloud platforms). Contact support to unblock it or use a relay service.
  • Missing or incorrect MX, SPF, DKIM, or DMARC DNS records. HestiaCP creates these automatically when you add a mail domain, but verify they are correct.
  • The server IP is on a blacklist. Check at mxtoolbox.com.

Nginx or Apache Fails to Start

Test the configuration syntax:

# For Nginx
nginx -t

# For Apache
apachectl configtest

If there is a syntax error, the output will tell you which file and line number is the problem. Fix the config and restart:

systemctl restart nginx
systemctl restart apache2

Reset Admin Password

If you have lost the admin password, reset it from the command line:

v-change-user-password admin NewStrongPassword

View HestiaCP Logs

HestiaCP stores its logs in /var/log/hestia/. Check them when diagnosing issues:

# Panel access and error logs
tail -100 /var/log/hestia/nginx-error.log
tail -100 /var/log/hestia/auth.log

Conclusion

You now have a working HestiaCP installation on your Ubuntu or Debian server with web hosting, email, DNS, database management, and automated SSL certificates. HestiaCP gives you a clean and responsive panel while keeping resource usage low compared to heavier alternatives. Spend some time exploring the panel settings and the command-line tools (all prefixed with v-) to get familiar with the full range of features available.

RELATED ARTICLESMORE FROM AUTHOR

7 COMMENTS

LEAVE A REPLY

Please enter your comment!
Please enter your name here