Third party scripts like rv site builder, fantastico, and softaculous, have names that might confuse users. We found it better to change the names of these icons to what they are not the business names.
You do that in this folder:
/usr/local/cpanel/base/frontend/x3/dynamicui
Then changing the permissions to read only is a good idea in case the script tries to change it with a update.
→ No Comments Tags: Cpanel and WHM
The “setroubleshootd” process is included as part of SELinux. SELinux is not considered compatible with cPanel, and we recommend disabling it per our installation documentation:
Disable SELinux security features
For a fully successful installation you should disable SELinux. When installing a Red Hat or CentOS distribution, you will be able to use the graphical interface to disable SELinux when configuring the operating system.
This can also be accomplished by editing /etc/selinux/config from the command line, and setting the SELINUX parameter to disabled with a text editor such as nano or vi. The file should resemble the following text:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing – SELinux security policy is enforced.
# permissive – SELinux prints warnings instead of enforcing.
# disabled – No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted – Only targeted network daemons are protected.
# strict – Full SELinux protection.
SELINUXTYPE=targeted
Once you save the changes to the file above you will need to reboot the server for the changes to take effect.
PICK Important: SELinux must remain disabled in order for WHM and cPanel to run on your web server. Ensure that the pound sign (#) does not precede SELINUX=disabled. If # precedes this configuration option, the line will be ignored.
ALERT! Warning: Do not transfer the SELinux configuration file between computers as it may destroy the file’s integrity.
ALERT! You will need to reboot the server for the changes to take effect.
For a quick fix that is not permanent:
There is a bug with the new option in Centos 5 called setroubleshoot.
The bug spins the program over and over causing high memory and sometimes CPU use. Unfortunately there is no permanent fix yet, but if you see something like this high in your daily process log:
/usr/bin/python -E /usr/sbin/setroubleshootd
To fix for now you simply have to restart the process:
/etc/init.d/setroubleshoot restart
→ 1 Comment Tags: Cpanel and WHM · Linux Security · Linux Software / Scripts
SSH attacks are normally happened if you are running SSH on comman Port 22 . If you have simple or weak root password then chances of your server get compromised .
We can secure SSH server with two methods :
Method 1:
A best option to secure your SSH is to run SSH on the different port instead of default port 22 .
Disable Root Logins
Disable password authentication
Disable Port 22 and use any other port to run SSH (like Port 59122). Aslo block port 22 using firewall.
You have to take following steps before you harden the SSH, first make sure you create a user name and password. If you are running cpanel, then you want to add the username to cpanel wheel group.
use commaands as follows
#adduser <username> -G wheel
#passwd <username>
Once the user has been created and added to Wheel group, edit the ssh configuration file /etc/ssh/sshd_conf
Change the default port 22 to any port number, say 2199 and set the protocol to just Protocol 2 which is a more secure protocol
#vi /etc/ssh/sshd_config
Port 59122
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
#LoginGraceTime 2m
IgnoreRhosts yes
X11Forwarding no
Disable root login
Locate the line # PermitRootLogin yes in the configuration file and change it to no
PermitRootLogin no
save configuration and restart your SSH . Now you won’t be able to login as root and will be able to login only at Port 59122
method 2: SSH Public/Private Key Authentication
SSH with public key authentication the best proven method to safeguard your SSH server. You have to put the private key in your putty (ssh client) and put the public key on your server
PrivateKey -> It should be Stored in Client and used by Putty
PublicKey -> It should be Stored in Remote Server ( in /home/<username>/.ssh/authorized_keys file)
The required tools as
Putty (SSH Login client)
PuttyGen (Putty Key Generator Tool to save Private key)
1 Enable the public key authentication you have to enable it in the SSH config file /etc/ssh/sshd_config. Look for the following lines and uncomment them
[HTML]RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
[/HTML]
2
we generate both public and private keys in the server.
[HTML][tux@localhost ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/<username>/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/<username>/.ssh/id_dsa.
Your public key has been saved in /home/<username>/.ssh/id_dsa.pub.
The key fingerprint is:
a9:22:30:c5:ed:df:2c:e7:7b:34:53:b4:82:bb:33:17 tux@localhost[/HTML]
id_dsa -> private key stored at /home/<username>/.ssh/
id_dsa.pub -> is the public key /home/<username>/.ssh/
3. copy Private Key to Putty (SSH client)
Here we need copy the private key from server to our putty in the form of .ppk file (putty private key file). private key must be stored in the client side and the public key in the server side
inside /home/<username>/.ssh/authorized_keys file
Open the file id_dsa and copy the contents of the file. On client side paste it into a notepad file (say privkey.txt). Make sure that there is no new line at the top or else you will get “invalid private key” from puttygen.
Start puttygen.exe > > Load Existing Private Key > > privkey.txt >> Save Private Key
Save the private key as privkey.ppk
4 Copying Public Key to Server
Create new file called authorized_keys inside .ssh folder within the users home directory as /home/<username>/.ssh/authorized_keys and store the public key there.
OR rename the existing id_dsa.pub to authorized_keys as we wont be needing the ida_dsa.pub file.
mv /home/<user>/.ssh/ida_dsa.pub authorized_keys
To connect ssh use putty
Start Putty > Enter servers IP address > New Port, then load the private key SSH > Auth > Browse Private Key for Authentication
Now connect and enter the user name the putty would authenticate yourself with public key authentication.
In this way you can secure your SSH .
→ No Comments Tags: Linux Security · Linux Tricks
Open DNS gives a error and means that anyone can use your DNS resolvers. To lock it down you can add this.
1. Login to your server as root.
2. Wget and run the script as :
Code:
http://shashank.net/scripts/named.patch
sh named.patch
3. It will provide you with an output like :
Code:
allow-recursion {
127.0.0.1;
xxx.xxx.xxx.xxx;
xxx.xxx.xxx.xxx;
};
4. Copy and paste this code in the Options section of your named.conf. Something like :
Code:
options {
options {
directory “/var/named”;
allow-recursion {
127.0.0.1;
xxx.xxx.xxx;
…. ….
…. ….
};
};
5. Save named.conf and restart the named service. All all zones to load and check dns report now. The open nameservers warning no longer shows up. Hope it works fine for you. Any additions, corrections welcome.
→ No Comments Tags: Cpanel and WHM · Linux Security
~/.accesshash
for root /root/.accesshash
→ No Comments Tags: Cpanel and WHM
1. wget http://www.configserver.com/free/cmm.tgz
2. Untar the distribution:
tar -xzf cmm.tgz
3. cd into the directory created and run the install script:
cd cmm/
sh install.sh
4. Login to WHM and scroll to the bottom of the left hand menu and you should see “ConfigServer Mail Manage”
If you want to uninstall, simply:
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cmm.cgi
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cmmversion.txt
rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/cmm/
→ No Comments Tags: Cpanel and WHM · Linux Software / Scripts
mkdir -p /var/cpanel/buildapache/scripts
#AUTO PATCH FROM http://choon.net/php-mail-header.php
PHPVER=`find -type d -iname "php-*"|sed "s/.///g"`
wget http://choon.net/opensource/php/$PHPVER-mail-header.patch
patch -p0 < $PHPVER-mail-header.patch
/scripts/easyapache
and now the patch will be automatically applied.
When you receive spam complaints you will now be able to look at the headers of the message and view what script and site these came from. This is extremely useful because PHP runs as nobody unless phpsuexec is enabled and in a virtual environment it can be difficult trying to track down the broken script!
→ No Comments Tags: Linux Security · Linux Software / Scripts
If you are online then you should run: mysqlcheck
mysqlcheck -o –all-databases
If you are offline then you can run myisamchk which is a little more thorough.
myisamchk –sort-index
myisamchk -r tbl_name
→ No Comments Tags: Linux Software / Scripts · Linux Tricks
To avoid sites too big from being back upped, just run this script in a weekly cron from root.
#!/bin/bash
max_size=”2097152″ # This is 2097152KB or 2GB
for u in `ls /var/cpanel/users/`;
do
size=$(repquota -a | grep ${u}|awk ‘{print $3}’|sort -k 1 -nr|head -1);
if [ "${size}" -ge "${max_size}" ];
then
echo “${u}” >> /tmp/cpbackup-userskip.conf;
fi;
done;sort -u /tmp/cpbackup-userskip.conf /etc/cpbackup-userskip.conf > /tmp/cpbackup-userskip.conf.uniq;
cp -f /tmp/cpbackup-userskip.conf.uniq /etc/cpbackup-userskip.conf;
rm -f /tmp/cpbackup-userskip.conf.*;
→ No Comments Tags: Cpanel and WHM
Run each line from Root command:
replace :blackhole: :fail: — /etc/valiases/*
replace :blackhole :fail: — /etc/valiases/*
replace blackhole: :fail: — /etc/valiases/*
replace blackhole :fail: — /etc/valiases/*
replace ” fail:” ” :fail:” — /etc/valiases/*
replace /dev/null :fail: — /etc/valiases/*
cd /etc/valiases/
grep fail * | grep -v ” :fail:”
→ No Comments Tags: Cpanel and WHM
