Skip to main content

How to Change epproot Password and Optimize Endpoint Protector On-Prem Appliance

The procedures and instructions provided in this document are intended for use by experienced administrators. Proceeding with these steps is done entirely at your own risk. Netwrix is not responsible for any data loss, system instability, or other issues that may arise from following these instructions. Ensure that you have a complete backup of your system before making any changes.

Overview

This article outlines the steps to boot the Endpoint Protector (EPP) On-Prem appliance into single-user (recovery) mode to change the epproot user password and optimize appliance performance. These steps apply only to on-premises deployments.
They do not work for appliances hosted in cloud environments.

Instructions

  1. Go to your VM manager and reboot the EPP appliance.
    While it reboots, press the Esc key on your keyboard to access the GRUB boot menu, and select Advanced options for Ubuntu.

    GRUB boot menu screenshot

  2. Choose the first entry labeled (recovery mode).

    Recovery mode selection screenshot

  3. Press Enter when prompted.

    Boot confirmation screenshot

  4. Change the password for the epproot user using the command:

    passwd epproot

    NOTE: When requested, input the new password.

  5. Reboot the appliance with the command:

    reboot

  6. Once the system restarts, connect to the appliance via SSH using your preferred application.

  7. To reduce the number of password prompts, elevate privileges to root using:

    sudo su

    NOTE: When requested, use the password for the epproot user.

  8. Backup the Nginx, MySQL, and PHP-FPM configuration files:

    cp -p /etc/nginx/nginx.conf{,.bkp}
    cp -p /etc/mysql/mysql.conf.d/mysqld.cnf{,.bkp}
    cp -p /opt/alt/php56/etc/php-fpm.conf{,.bkp}

    NOTE: The {,.bkp} syntax creates a copy of each file in the same location with .bkp appended, preserving metadata (permissions, ownership, and timestamps).

  9. Run the following command and note down the number of CPU cores and the memory assigned to the VM:

    htop

  10. Edit the Nginx configuration file:

    vim /etc/nginx/nginx.conf
    • Press Insert to edit.
    • Set worker_processes to the number of CPU cores.
    • Change the values of error_log and access_log from off to /dev/null.
    • To save and quit, press Esc, type :wq, and press Enter.

  11. Edit the MySQL configuration file:

    vim /etc/mysql/mysql.conf.d/mysqld.cnf

    • Press Insert to edit.

    • Ensure or update the following parameters:

      max_allowed_packet = 8M
      thread_stack = 256K
      read_buffer_size = 128K
      read_rnd_buffer_size = 256K
      join_buffer_size = 128K
      key_buffer_size = 16M
      tmp_table_size = 256M
      sort_buffer_size = 2M
      thread_cache_size = 64M
      query_cache_type = 0
      query_cache_limit = 1M
      query_cache_size = 0
      transaction_isolation = READ-COMMITTED
      expire_logs_days = 5
      max_binlog_size = 128M

    • Adjust max_connections based on system memory:

      RAMmax_connections
      ≤4 GB75
      8 GB100
      16 GB150
      32 GB250
      64 GB500
      128 GB1000

    • Set innodb_buffer_pool_size to ~60% of total memory.
      Example (72 GB RAM):

      innodb_buffer_pool_size = 44236M

    • Set innodb_log_file_size to ~12.5% of the buffer pool size.
      Example (72 GB RAM):

      innodb_log_file_size = 5G

    • Set innodb_buffer_pool_instances to the approximate number of gigabytes of buffer pool size.
      Example:

      innodb_buffer_pool_instances = 43

    • Set innodb_thread_concurrency to the number of CPU cores.
      Example (8 cores):

      innodb_thread_concurrency = 8

    • Ensure the following parameters exist or add them if missing:

      innodb_file_per_table = 1
      innodb_flush_log_at_trx_commit = 0
      innodb_log_buffer_size = 16M
      innodb_lock_wait_timeout = 300
      innodb_flush_method = O_DIRECT
      innodb_autoinc_lock_mode = 1
      innodb_fast_shutdown = 1
      innodb_max_purge_lag = 0
      innodb_max_dirty_pages_pct = 60

    • To save and quit, press Esc, type :wq, and press Enter.

  12. Edit the PHP-FPM configuration file:

    vim /opt/alt/php56/etc/php-fpm.conf

    • Press Insert to edit.

    • Update the following parameters based on total RAM:

      Total RAMpm.max_childrenpm.start_serverspm.min_spare_serverspm.max_spare_servers
      ≤2 GB10515
      ≤4 GB50638
      ≤8 GB1008512
      ≤16 GB20012820
      ≤32 GB400201240
      ≤64 GB800281870
      ≤128 GB16004028100
      >128 GBScale using the formula, then round down ~10–15%

    • To save and quit, press Esc, type :wq, and press Enter.

  13. Restart the services:

    systemctl restart nginx
    systemctl restart mysql
    systemctl restart alt-php56-fpm

  14. If any of the services fail to start, review the relevant configuration files for errors.

    NOTE: You can restore the backup files created in Step 8 if necessary.