Friday, February 29, 2008

Stop Spam At The Server with Exim RBL

HowTo: RBL or DNSBL with Exim - Stop Spam with Exim
This is my micro-howto for how I set up RBL using the Exim Configuration Editor

Are you and your clients tired of getting bombarded with spam email? Stop spam before it gets to your inbox with Exim's RBL (realtime blackhole list) configuration options, an invaluable tool for any cPanel admin.

What is an RBL?
Realtime Blackhole List: a list of open mail relays and rogue sites. Subscribers to the RBL reject all mail and/or connection attempts from RBL'd IP addresses, effectively cutting off irresponsible or incompetent domains from the rest of the Internet.

UPDATE:
Sept. 26, 2005: Fixed the RBL list begin section, because Exim wasn't accepting the old entries.

With many thanks to cPanel.Net Forum's:
Richard (Noldar), for his invaluable suggestions...
"jcsolutions" for router section blacklist in "Server Setup Tips" thread...
and "Cyberspirit" for his thread "rejecting mail instead of failing it"


TESTED WITH VERSIONS
-------------------------------------------
WHM 9.4.0 cPanel 9.4.1-S65
RedHat Enterprise 3 - WHM X v3.1.0

WHM 8.5.1 cPanel 8.5.3-S3 Exim 4.24
WHM 8.8.0 cPanel 8.8.0-S74
RedHat 7.3 - WHM X v2.1.1 / WHM X v2.1.2
-------------------------------------------

----------------------
Creating lsearch files
These files are used to manually block spammers and to exempt certain domains or incoming hosts from RBL checks.
*****************

Create three text files in the /etc directory:
/etc/rblblacklist
/etc/rblbypass
/etc/rblwhitelist

touch /etc/rblblacklist; touch /etc/rblbypass; touch /etc/rblwhitelist

Examples with sample data:
/etc/rblblacklist
A manual blacklist; it rejects specific spammer hosts BEFORE they can send more email to your server:
domain1.com
domain2.com
domain3.com

/etc/rblbypass
Bypasses RBL email testing for specific destination (local) domains that don't want RBL filtering or prefer SpamAssassin tagging:
domain1.com
domain2.com
domain3.com

/etc/rblwhitelist
Skips RBL testing for the listed incoming hosts (wildcards allowed), in case an important client's mail server is listed on an RBL you use; hosts in /etc/relayhosts are excluded automatically:
mail.domain1.com
*.domain2.com
*.domain3.com


-------------------------------
EXIM CONFIGURATION EDITOR
-------------------------------

If you use the WHM-based Exim Configuration Editor, all of your modifications will be re-applied after each cPanel update. If you edit exim.conf directly, cPanel updates MAY overwrite your changes! For this reason, enter the following changes using the Exim Configuration Editor.

------------------------
Setting up lsearch files
*******************

At the top of the editor, in the window below:
#!!# cPanel Exim 4 Config

Enter these lines:
domainlist rbl_blacklist = lsearch;/etc/rblblacklist
domainlist rbl_bypass = lsearch;/etc/rblbypass
hostlist rbl_whitelist = lsearch;/etc/relayhosts : partial-lsearch;/etc/rblwhitelist

----------------------------
RBL entries in ACL Section
*********************

RBL selection depends on many factors; be sure to edit the list below to reflect your priorities. The postmaster and abuse bypass lets blocked senders still reach the admin.

In the center window of the ACL section, directly below the line:
accept hosts = :

Enter these lines:

#**#
#**# RBL List Begin
#**#
#
# Always accept mail to postmaster & abuse for any local domain
#
accept domains = +local_domains
local_parts = postmaster:abuse
#
# Check sending hosts against DNS black lists.
# Accept all locally generated messages
# Reject message if address listed in blacklist.
deny message = Message rejected because $sender_fullhost is blacklisted at $dnslist_domain see $dnslist_text :
!hosts = +relay_hosts
!authenticated = *
dnslists = dnsbl.njabl.org : bl.spamcop.net : sbl.spamhaus.org : list.dsbl.org : cbl.abuseat.org : relays.ordb.org :
# RBL Bypass Local Domain List
!domains = +rbl_bypass
# RBL Whitelist incoming hosts
!hosts = +rbl_whitelist
#**#
#**# RBL List End
#**#
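How the dnslists condition above actually decides that a host is listed, as an added example that is not part of the original howto: Exim reverses the sending IP's octets, prepends them to the list zone and asks DNS for an A record, and any answer means "listed". The script also includes the RFC 5782 self-test (127.0.0.2 must be listed, 127.0.0.1 must not) for every list on the dnslists line; it assumes dig is installed, and the host address is the one from the SBL test report further down.

```shell
#!/bin/sh
# Added example: how Exim's "dnslists" lookup works for one sending host.
# Exim reverses the IPv4 octets, appends the list zone and asks for an A
# record; any answer (conventionally 127.0.0.x) means "listed".

# Build the query name Exim would look up, e.g.
#   dnsbl_query_name 192.203.178.107 sbl.spamhaus.org
#   -> 107.178.203.192.sbl.spamhaus.org
dnsbl_query_name() {
    ip="$1"; zone="$2"
    reversed=$(printf '%s' "$ip" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }')
    printf '%s.%s\n' "$reversed" "$zone"
}

# Look the name up with dig (needs network). Prints "listed ..." or
# "clean ..." and returns 0 either way, so callers test the text.
dnsbl_lookup() {
    name=$(dnsbl_query_name "$1" "$2")
    answer=$(dig +short +time=3 +tries=1 A "$name" 2>/dev/null | head -n 1)
    if [ -n "$answer" ]; then
        printf 'listed (%s -> %s)\n' "$name" "$answer"
    else
        printf 'clean (%s)\n' "$name"
    fi
}

# RFC 5782 convention: a working list answers for 127.0.0.2 and never for
# 127.0.0.1. A list that fails this (for instance one that has shut down and
# now answers for every query) would reject all of your mail if kept in
# dnslists, so run this before trusting a list.
dnsbl_selftest() {
    zone="$1"
    case "$(dnsbl_lookup 127.0.0.2 "$zone")" in
        listed*) ;;
        *) printf '%s: WARNING no answer for 127.0.0.2 (list dead?)\n' "$zone"; return 1 ;;
    esac
    case "$(dnsbl_lookup 127.0.0.1 "$zone")" in
        clean*) printf '%s: OK\n' "$zone"; return 0 ;;
        *) printf '%s: WARNING lists 127.0.0.1 (list answers everything)\n' "$zone"; return 1 ;;
    esac
}

# Offline demonstration with the host from the SBL test report:
dnsbl_query_name 192.203.178.107 sbl.spamhaus.org

# Pass --selftest to check every list from the dnslists line over the network.
if [ "${1:-}" = "--selftest" ]; then
    for z in dnsbl.njabl.org bl.spamcop.net sbl.spamhaus.org list.dsbl.org cbl.abuseat.org relays.ordb.org; do
        dnsbl_selftest "$z" || true
    done
fi
```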


NOTICE: The following did not work with my RHEL and WHM 9.4 configuration, so I had to remove it. I recommend you try it first to see if it works; if it does not, come back and remove it.

Scroll down the center window of the ACL section, directly below the line:
accept domains = +local_domains

Enter these lines:

#**#
#**# Reject Email to Invalid Recipient
#**#
endpass
message = unknown user
verify = recipient
#**#


--------------------------------
RBL entries in ROUTERS Section
**************************

In the ROUTERS section window, directly below the line:
# in the "local_domains" setting above.

Enter these lines:

# Deny and send notice to list of rejected domains.
reject_domains:
driver = redirect
# RBL Blacklist incoming hosts
domains = +rbl_blacklist
allow_fail
data = :fail: Connection rejected: SPAM source $domain is manually blacklisted.


-----------------------------
RBL Testing and Verification
***********************

Once your changes are in place, keep an eye out for errors; missing files and other errors will be listed in the panic log. If the NOTICE above applies to you, check this log file: if you see an Exim failure message, go back and remove that block.
tail -50 /var/log/exim_paniclog

You can view your spam filtering by reviewing the reject log:
tail -50 /var/log/exim_rejectlog

If your RBL tests include sbl.spamhaus.org, you can test the blacklist and whitelist functions by sending an email, USING THE MAILSERVER YOU WISH TESTED, to:
nelson-sbl-test@crynwr.com

It will attempt to send an email from the mail server sbl.crynwr.com, which is blacklisted in sbl.spamhaus.org.

If the blacklist works, you'll get an email that looks something like this:

Subj: Your SBL test report
Testing your SBL block. See http://www.crynwr.com/spam/ for more info.
Please note that this test will not tell you if your server is open for
relaying. Instead, it tests to see if your server blocks email from IP
addresses listed in various blocking lists; in this case, the SBL list.

Here's how the conversation looked from sbl.crynwr.com.
Note that some sites don't apply the SBL block to postmaster, so
I use your envelope sender as the To: address.

I connected to 64.246.24.14 and here's the conversation I had:

220-whm.yourserver.com ESMTP Exim 4.24 #1 Thu, 16 Oct 2003 08:23:23 -0700
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
helo sbl.crynwr.com
250 whm.yourserver.com Hello sbl.crynwr.com [192.203.178.107 ]
mail from:<>
250 OK
rcpt to:
550-Message rejected because sbl.crynwr.com [192.203.178.107] is blacklisted at
550 sbl.spamhaus.org see http://www.spamhaus.org/SBL/sbl.lasso?query=SBLTEST
Terminating conversation

If the RBL block fails, you'll receive TWO emails:

Subj: Your SBL test report
Testing your SBL block. See http://www.crynwr.com/spam/ for more info.
Please note that this test will not tell you if your server is open for
relaying. Instead, it tests to see if your server blocks email from IP
addresses listed in various blocking lists; in this case, the SBL list.

Here's how the conversation looked from sbl.crynwr.com.
Note that some sites don't apply the SBL block to postmaster, so
I use your envelope sender as the To: address.

I connected to 64.246.24.14 and here's the conversation I had:

220-whm.yourserver.com ESMTP Exim 4.24 #1 Thu, 16 Oct 2003 08:19:44 -0700
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
helo sbl.crynwr.com
250 whm.yourserver.com Hello sbl.crynwr.com [192.203.178.107 ]
mail from:<>
250 OK
rcpt to:
250 Accepted
data
354 Enter message, ending with "." on a line by itself
From: nelson-SBL-test@crynwr.com
To: eMtnMan@yourdomain.com
Date: Thu, 16 Oct 2003 15:19:46 -0000
Message-Id: <1066317586@sbl.crynwr.com>

Test message
.
250 OK id=1AA9uj-0005xq-2l
quit
Successful termination. As far as I can tell, the email was delivered.
That might not be what you want.

Subj: (BLANK)
Uh-oh, your SBL block is not working!


----------------
RBL Log Counts
*************

I use this script to count the log hits for various RBLs; you should change it to reflect your RBLs and error syntax. Mine relies on the unique word "blacklisted" in every RBL bounce entry.

Place it anywhere you want to view reports in SSH. Eg: /root/spam

pico /root/spam


SAMPLE SCRIPT:
Copy and paste in the following:

#!/bin/sh
# Collect every RBL reject from the main log into a scratch file, then count.
grep "blacklisted" /var/log/exim_mainlog -i > kilme
tail -100 kilme
tail /var/log/exim_paniclog
printf "\n"
printf "Spam Count = "
grep "blacklisted" kilme -c -i
printf "njabl.org = "
grep " njabl.org" kilme -c
printf "spamcop = "
grep "bl.spamcop" kilme -c
printf "spamhaus = "
grep "sbl.spamhaus" kilme -c
printf "dsbl.org = "
grep "dsbl" kilme -c
printf "abuseat = "
grep "abuseat.org" kilme -c
printf "ordb.org = "
grep "ordb" kilme -c
printf "Manual = "
grep "manual" kilme -c
printf "verify fail= "
grep "verify fail" /var/log/exim_mainlog -c
printf "No Relay = "
grep "not permitted" /var/log/exim_mainlog -c
printf "\n"
printf "All Spam:\n"
zgrep -ci "blacklisted" /var/log/exim_mainlog*
printf "\n"


Save and exit.
Ctrl + O then Y

Assuming the script is called spam, after you:
chmod 755 spam

... it can be executed with: ./spam

Example Spam Script Output!

Spam Count = 488
njabl.org = 134
spamcop = 278
spamhaus = 9
dsbl.org = 4
abuseat = 63
ordb.org = 0
Manual = 0
verify fail= 697
No Relay = 382
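A variant of the count script, added here and not part of the original post, that extracts the list name from each reject line instead of needing one grep per RBL, so a new list in dnslists is counted without editing the script. The log lines it runs on are constructed to match the ACL's reject message.

```shell
#!/bin/sh
# Added example, not the original script: count RBL rejects per list by
# pulling the list name out of each "blacklisted at <list>" line.
# Both functions read the log on stdin:
#   rbl_tally < /var/log/exim_mainlog
#   zcat /var/log/exim_mainlog*.gz | rbl_tally

# Print "<list> <count>" for every list seen, most hits first.
rbl_tally() {
    grep -i 'blacklisted at' \
      | sed -n 's/.*blacklisted at \([^ ]*\).*/\1/p' \
      | sort | uniq -c \
      | awk '{ print $2, $1 }' \
      | sort -k2,2nr -k1,1
}

# Total number of RBL rejects on stdin (prints 0, not an error, for a clean log).
rbl_total() {
    grep -ci 'blacklisted' || true
}

# Constructed sample lines in the shape of the ACL's reject message above
# (hosts, addresses and times are made up, not from a real log).
RBL_SAMPLE=$(cat <<'EOF'
2008-02-29 10:01:02 H=sbl.crynwr.com [192.203.178.107] F=<> rejected RCPT <x@example.com>: Message rejected because sbl.crynwr.com [192.203.178.107] is blacklisted at sbl.spamhaus.org see http://www.spamhaus.org/SBL/sbl.lasso?query=SBLTEST
2008-02-29 10:03:15 H=(foo) [198.51.100.7] F=<a@example.net> rejected RCPT <y@example.com>: Message rejected because (foo) [198.51.100.7] is blacklisted at bl.spamcop.net see http://www.spamcop.net/bl.shtml?198.51.100.7
2008-02-29 10:04:40 H=(bar) [198.51.100.9] F=<b@example.net> rejected RCPT <z@example.com>: Message rejected because (bar) [198.51.100.9] is blacklisted at sbl.spamhaus.org see http://www.spamhaus.org/SBL/sbl.lasso?query=SBL0
2008-02-29 10:05:01 <= c@example.org H=mail.example.org [203.0.113.5] P=esmtp S=1234
EOF
)

printf '%s\n' "$RBL_SAMPLE" | rbl_tally
printf 'Spam Count = %s\n' "$(printf '%s\n' "$RBL_SAMPLE" | rbl_total)"
```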

How to install mod_security for Apache?

What is mod_security or modsecurity?
ModSecurity is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding applications from attacks. ModSecurity supports both branches of the Apache web server.

Rfx Networks Recommended:
"mod_security is great and I encourage it be used by everyone; it does have the potential to break some web applications but so far I've seen very few issues to say the least. Likewise it is easy to fix any applications that may break with the granular filter rules that can be setup to either deny or allow certain content. Overall mod_security is a needed addition to apache, providing a layer of security yet unseen for apache. I highly encourage you read the reference document on the modsecurity.org site (under documentation) to better understand each directive and the role it plays in protecting your server and sites."




Requirements:
Apache Web Server 1.3x or 2.x

Note: We have confirmed this security addon works with Cpanel based servers.

UPDATE: Sept. 15, 2004:
Changed # Prevent path traversal (..) attacks rules to fix a typo in tutorial.

How to install?
1. Login to your server through SSH and su to the root user.

2. First you're going to start by grabbing the latest version of mod_security:
wget http://www.modsecurity.org/download/mod_security-1.7.4.tar.gz

3. Next we untar the archive and cd into the directory:
tar zxvf mod_security-1.7.4.tar.gz
cd mod_security-1.7.4/

4. Now you need to determine which version of apache you use:
APACHE 1.3.x users
cd apache1/
APACHE 2.x users
cd apache2/

5. Let's compile the module now:
/usr/local/apache/bin/apxs -cia mod_security.c

6. OK, now it's time to edit the httpd.conf file. First we will make a backup in case something goes wrong:
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.backup

7. Now that we have backed it up, we can edit httpd.conf. Replace pico with nano depending on what you have installed:
pico /usr/local/apache/conf/httpd.conf

8. Let's look for the right place in the config. Hold Control and press W to search for

(although any of the IfModule blocks would work fine)

9. Now add this


# Turn the filtering engine On or Off
SecFilterEngine On

# Change Server: string
SecServerSignature " "

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off

# Only allow bytes from this range
SecFilterForceByteRange 1 255

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog /var/log/httpd/audit_log

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Action to take by default
SecFilterDefaultAction "deny,log,status:500"

# Require HTTP_USER_AGENT and HTTP_HOST in all requests
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Prevent path traversal (..) attacks
SecFilter "../"

# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"

# Prevent XSS attacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"

# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"


10. Save the file Ctrl + X then Y

11. Restart Apache

/etc/rc.d/init.d/httpd stop
/etc/rc.d/init.d/httpd start

That's it.

Preventing Brute Force Attacks

Overview:
Blocking and preventing brute force attacks is one of the main things you want to do on your web server to add a layer of security. While someone might not be targeting your site or server specifically, they will have automated tools that try common usernames and passwords against your system. They are essentially forcing their way into areas of a system reserved for authorized users; FTP accounts, e-mail accounts, databases, script-based administration areas, and root or any other shell access are the most common targets. They will try multiple login attempts, guessing usernames and passwords, trying to force their way onto your machine.
This is a large topic with a lot to cover; I'll do my best to help you understand how brute force attacks work, prevention, signs of an attack, and tools to help stop brute force attacks.

How the brute force attack works
Hackers can try to get into your system using a few different methods.
1) Manual login attempts: they type in a few usernames and passwords by hand.

2) Dictionary-based attacks: automated scripts and programs try guessing thousands of usernames and passwords from a dictionary file, sometimes one file for usernames and another for passwords.

3) Generated logins: a cracking program generates usernames and passwords according to rules set by the attacker, such as numbers only, a combination of numbers and letters, or other combinations.

Signs of a brute force attempt
You can easily spot a brute force attempt by checking your server's log files. You will see a series of failed login attempts for the service they're trying to break into.

# pico /var/log/secure
or
# tail -f /var/log/secure

Check for failed login attempts such as:
Apr 11 19:02:10 fox proftpd[6950]: yourserver (usersip[usersip]) - USER theusername (Login failed): Incorrect password.


How to prevent a brute force attack
There are three main ways to stop a brute force attack, which we'll cover:

1) restricting the number of login attempts a user can perform

2) banning a user's IP after multiple failed login attempts

3) keeping a close eye on your log files for suspicious login attempts


Tools to stop and prevent brute force hack attempts
Never enable demo or guest accounts as they will be the first way an attacker will get access into your system and further exploit it.

Never have more than one user in the root group.

APF & BFD (rfxnetworks.com)
There are many different tools you can use to prevent and stop brute force attacks. The two we'll focus on in this article are the APF firewall and BFD (Brute Force Detection), both developed by rfxnetworks.

APF is a firewall built on iptables with some nice features added that make it easy to use, including Anti-DoS protection. BFD is a modular shell script that parses the applicable logs and checks for authentication failures. If it finds that authentication failed the configured number of times for an application, it bans the source IP address using the APF firewall.

Together they make an excellent, automated brute force prevention package. BFD checks your logs every few minutes for multiple failed login attempts based on a set of rules; if a source fails to log in X times, its IP is automatically banned at the firewall, preventing further attacks on your system.

Follow our APF Firewall tutorial and our BFD Tutorial installation and configuration guides.
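The check BFD automates, done by hand over /var/log/secure, as an added example (not from the article or from rfxnetworks): it counts failed logins per source IP for the proftpd line shown earlier and for sshd's "Failed password" line, and prints every IP at or above a threshold, which is what you would hand to apf -d. The log lines it runs on are constructed.

```shell
#!/bin/sh
# Added example (not from the article or from rfxnetworks): the check BFD
# automates, done by hand. Counts failed logins per source IP and prints the
# ones at or above a threshold, i.e. the addresses you would hand to apf -d.
# Reads the log on stdin:  brute_force_suspects 5 < /var/log/secure

# Print "<ip> <failures>" for every IP with >= THRESHOLD failures, worst first.
brute_force_suspects() {
    threshold="${1:-5}"
    # proftpd writes "(host[1.2.3.4]) ... (Login failed)"; sshd writes
    # "Failed password for <user> from 1.2.3.4". Pull out just the address.
    grep -E 'Login failed|Failed password' \
      | grep -Eo '\[[0-9]{1,3}(\.[0-9]{1,3}){3}\]|from [0-9]{1,3}(\.[0-9]{1,3}){3}' \
      | sed -e 's/^from //' -e 's/[][]//g' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { print $2, $1 }' \
      | sort -k2,2nr
}

# Constructed /var/log/secure lines (addresses from the documentation ranges).
SECURE_SAMPLE=$(cat <<'EOF'
Apr 11 19:02:10 fox proftpd[6950]: fox (host23.example.net[198.51.100.23]) - USER admin (Login failed): Incorrect password.
Apr 11 19:02:11 fox proftpd[6951]: fox (host23.example.net[198.51.100.23]) - USER test (Login failed): Incorrect password.
Apr 11 19:02:12 fox proftpd[6952]: fox (host23.example.net[198.51.100.23]) - USER webmaster (Login failed): Incorrect password.
Apr 11 19:02:13 fox proftpd[6953]: fox (host23.example.net[198.51.100.23]) - USER ftp (Login failed): Incorrect password.
Apr 11 19:02:14 fox proftpd[6954]: fox (host23.example.net[198.51.100.23]) - USER guest (Login failed): Incorrect password.
Apr 11 19:02:15 fox proftpd[6955]: fox (host23.example.net[198.51.100.23]) - USER root (Login failed): Incorrect password.
Apr 11 19:02:30 fox sshd[7001]: Failed password for root from 203.0.113.9 port 4444 ssh2
Apr 11 19:02:31 fox sshd[7002]: Failed password for invalid user guest from 203.0.113.9 port 4445 ssh2
Apr 11 19:02:45 fox sshd[7010]: Accepted publickey for deploy from 192.0.2.5 port 5000 ssh2
EOF
)

echo "Suspects with 5 or more failures:"
printf '%s\n' "$SECURE_SAMPLE" | brute_force_suspects 5
# To ban one with APF (see the apf usage in the APF section): apf -d <ip> "brute force"
```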

LogWatch (logwatch.org)
LogWatch is a highly recommended tool that sends you daily reports of system activity including disk space, failed login attempts and much more. If you have a cPanel server, LogWatch *should* be installed by default.

Output can look like the following, which I received in an email report =)

Illegal users failed login attempts sample from LogWatch
anonymous/none from (IP HERE): 8 Time(s)
anonymous/password from (IP HERE): 8 Time(s)
guest/none from (IP HERE): 8 Time(s)
guest/password from (IP HERE): 8 Time(s)
root/password from (IP HERE): 24 Time(s)

Report Attackers
Instead of simply blocking the IP and ignoring the user, you can also report the attacker to the upstream provider of the source IP, such as an ISP.

Look up their IP: go to DNSStuff.com and enter the IP in the IP Whois Lookup tool.
It will give you information about the ISP, including company and website. Go to their website and look for an abuse contact, such as abuse@company.com.

Compose an email including the attacker's IP, the time, any log snippets and other relevant information.

Summing Up Brute Force Logins and Hack Attempts
Brute force attacks are more and more common these days as hacking tools are widely available for script kiddies to play with. Arming yourself with knowledge and tools to deal with such attacks can give you peace of mind knowing your system is relatively protected, but it will never be 100% foolproof.

How to Disable Telnet?

Telnet sends usernames and passwords in clear text at login and should be disabled on all web servers and replaced with SSH.
Some hosting providers do not disable telnet by default, but you should ensure that it has been turned off, as it is a serious security risk to your servers. The Telnet server listens for incoming connections on port 23.

1. Login to your server through SSH and su to root.

2. Type pico /etc/xinetd.d/telnet

3. Look for the line: disable = no and replace with disable = yes

4. Now restart the inetd service: /etc/rc.d/init.d/xinetd restart

5. Turn it off through chkconfig as well, because it can still be started that way.
/sbin/chkconfig telnet off
6. Scan your server to ensure port 23 is closed.
nmap -sT -O localhost
Also run ps aux | grep telnet and, if you find anything other than the grep itself in the result, kill the process.

T0rn Rootkit

Tornkit is a rootkit, a set of programs used by an intruder to keep unrestricted access to a compromised Linux system. Tornkit also attempts to hide its presence.

The t0rn rootkit is designed for speed. By that I mean that it was designed to install quickly on Linux machines. T0rn can do this because it takes very little skill to install and run. All of the binaries that the attacker would need come pre-compiled and the installation process is as simple as ./t0rn. T0rn comes standard with a log cleaner called t0rnsb, a sniffer named t0rns and a log parser called t0rnp.


I am including this so that you can diagnose and clean up a hacked server.

First of all,
Log in to WHM as root
Click Tweak Settings
and please remove the tick from
Allow cPanel users to reset their password via email


Step 1. Run chkrootkit and you will see some INFECTED lines. It will also report that some processes are hidden from ps.

chkrootkit

Checking `ifconfig'... INFECTED
Checking `login'... INFECTED
Checking `pstree'... INFECTED
and also:
Checking `lkm'... You have X process hidden for ps command
Warning: Possible LKM Trojan installed


Step 2. /etc/init.d/syslog restart

Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [FAILED]
Starting kernel logger: [ OK ]

Step 3. top

top: error while loading shared libraries: libncurses.so.4: cannot open shared object file: No such file or directory

Step 4. tail /etc/rc.d/rc.sysinit

# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q

--------------------------------------------------------


OK, it looks like someone got into your server as well. Since we know which rootkit it is, let's investigate further.

Configuration files



/usr/include/file.h (for file hiding)
/usr/include/proc.h (for ps proc hiding)
/lib/lidps1.so (for pstree hiding)
/usr/include/hosts.h (for netstat and net-hiding)
/usr/include/log.h (for log hiding)
/lib/lblip.tk/ (backdoored ssh configuration files are in this directory)
/dev/sdr0 (systems md5 checksum)
/lib/ldd.so {placing tks(sniffer), tkp(parser) and tksb(log cleaner)}


Infected binaries:

top, ps, pstree, lsof, md5sum, dir, login, encrypt, ifconfig, find, ls, slocate, tks, tksb, tkp, netstat, pg, syslogd, sz

Infected libraries:
libproc.a, libproc.so.2.0.6, libproc.so

BackDoor: (located at /lib/lblip.tk)

shdc
shhk.pub
shk
shrs
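A check for the files listed above, added as an example and not part of the original post: it uses only shell builtins and test(1), so the trojaned ls and find are not needed to spot them, and it accepts a root prefix so it can be run against a disk mounted in rescue mode. A kernel-level hider (the LKM warning from chkrootkit) can still defeat a scan of the live system, which is why the rescue-mode scan is the reliable one; the directory tree it scans in the demo is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: look for the t0rn artefacts
# listed above using only shell builtins and test(1), so the trojaned ls and
# find binaries are not needed to spot them. Takes an optional root prefix so
# a disk mounted from rescue mode can be scanned:  t0rn_scan /mnt/sysimage

T0RN_FILES="/usr/include/file.h /usr/include/proc.h /lib/lidps1.so
/usr/include/hosts.h /usr/include/log.h /lib/lblip.tk /dev/sdr0 /lib/ldd.so"

# Prints one "FOUND <path>" line per indicator present; returns 1 if any.
t0rn_scan() {
    root="${1:-}"
    found=0
    for p in $T0RN_FILES; do
        if [ -e "$root$p" ]; then
            echo "FOUND $root$p"
            found=1
        fi
    done
    # The startup hook t0rn appends to rc.sysinit (Step 4 above).
    rc_sysinit="$root/etc/rc.d/rc.sysinit"
    if [ -f "$rc_sysinit" ] && grep -q 'xntps' "$rc_sysinit"; then
        echo "FOUND xntps startup line in $rc_sysinit"
        found=1
    fi
    return $found
}

# Demonstration on a constructed directory tree with two indicators planted.
demo=$(mktemp -d)
mkdir -p "$demo/usr/include" "$demo/etc/rc.d"
: > "$demo/usr/include/hosts.h"
printf '# Xntps (NTPv3 daemon) startup..\n/usr/sbin/xntps -q\n' > "$demo/etc/rc.d/rc.sysinit"
if t0rn_scan "$demo"; then
    echo "no t0rn indicators under $demo"
else
    echo "indicators present: follow the cleaning steps below"
fi
rm -rf "$demo"
```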


--------------------------------------------------------


Now, let's start the cleaning process:

Step 1.
pico /etc/rc.d/rc.sysinit

remove the lines that show

# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps -q


Step 2.
reboot the system

WARNING: 2 servers got their kernel removed after reboot.
If that happens to you and the data center reports it after the reboot, please ask them to do the following:

reboot the system using the Red Hat CD into rescue mode
chroot to /mnt/sysimage
reinstall the kernel packages

That should fix it.

Since they are already in rescue mode, perhaps also ask them to --force install the following RPMs:

procps*.rpm
psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm
sysklogd*.rpm

Step 3.
After the system is up

cd /lib
rm -rf lblip.tk

Step 4.
remove the configuration files given above.

Step 5.
cat /etc/redhat-release
note down your version of Red Hat, then on
www.rpmfind.net
search for the following RPMs:

procps*.rpm
psmisc*.rpm
findutils*.rpm
fileutils*.rpm
util-linux*.rpm
net-tools*.rpm
textutils*.rpm
sysklogd*.rpm

and install them with rpm --force.


Step 6.
If the hosts.h file exists, it lists the IP prefixes hidden from netstat (see the configuration files above); in this case:

cat /usr/include/hosts.h
193.60

Thus, if you want, you can block all IPs in the 193.60 range from your server via iptables.

Step 7.
If all goes OK,
please reboot the server, and run chkrootkit again...

You should be OK!

Securing PHP

PHP is one of the most popular applications running on Linux and Windows servers today. It is also one of the main ways servers and user accounts get compromised. I want to go over some of the things you can do to help lock down PHP: securing PHP and securing php.ini.

First off, you need to find php.ini, the main configuration file for PHP. You can locate it by logging into a shell and typing the following:

# php -i |grep php.ini

Turn on safe_mode

Safe mode is an easy way to lock down the security and functions you can use. PHP.net explains php safe_mode as, "The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now."

I highly recommend you enable safe_mode on production servers, especially in shared environments. This will stop exec functions and others that can easily lead to a security breach.

See our article on Customizing PHP Safe Mode


Disable Dangerous PHP Functions

PHP has a lot of potential to mess up your server and hack user accounts and even get root. I've seen many times where users use an insecure PHP script as an entry point to a server to start unleashing dangerous commands and taking control.

Search the php.ini file for:
disable_functions =

Add the following:

disable_functions = dl,system,exec,passthru,shell_exec


Turn off Register Globals

Register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier.
See http://us2.php.net/register_globals

Search the php.ini file for:
register_globals = On

Replace it with

register_globals = Off

Run PHP through PHPsuexec Preventing Nobody Access

The biggest problem with PHP on cPanel servers is that PHP runs as nobody. When someone sets a script to 777 access, that means the nobody user has write access to that file. So if someone on the same shared server wrote a script to search the system for 777 files, they could inject anything they wanted, compromising the unsuspecting user's account.

PHPsuexec makes PHP run as the user, so 777 permissions are not allowed. There are a few downsides to PHPsuexec, but I think it is required in a shared environment for everyone's security. Safe_mode doesn't prevent you from compromising other users' files. This is where PHPsuexec comes in: it stops the user from being able to read another user's files. It also makes it easier for you, the administrator, to track PHP mail() spamming and lots of other issues caused by PHP scripts, because now you can easily trace them to the user account responsible.

For this you will need to recompile PHP with suexec. On cPanel, /scripts/easyapache has this built in.
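An audit of the three php.ini settings covered above (safe_mode, register_globals and disable_functions), added here as an example and not part of the original article: it reads a php.ini on stdin and reports each setting as OK or INSECURE. Run it as php_ini_audit < /path/to/php.ini using the path that php -i reports; the two inline php.ini fragments are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a php.ini for the
# three settings covered above. Reads the ini on stdin, prints one line per
# check and returns 1 if anything is still insecure:
#   php_ini_audit < /usr/local/lib/php.ini   (use the path "php -i" reports)

# Print the value of one directive: last uncommented "key = value" line,
# with surrounding spaces and quotes stripped; empty if the key is absent.
ini_get() {
    awk -v key="$1" '
        /^[ \t]*;/ { next }                  # skip comment lines
        index($0, "=") == 0 { next }         # skip [sections] and blank lines
        {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t"]+|[ \t"]+$/, "", v)
                val = v
            }
        }
        END { print val }'
}

php_ini_audit() {
    ini=$(cat)
    rc=0

    sm=$(printf '%s\n' "$ini" | ini_get safe_mode)
    case "$sm" in
        On|on|1) echo "safe_mode: OK ($sm)" ;;
        *)       echo "safe_mode: INSECURE (${sm:-unset})"; rc=1 ;;
    esac

    rg=$(printf '%s\n' "$ini" | ini_get register_globals)
    case "$rg" in
        Off|off|0) echo "register_globals: OK ($rg)" ;;
        "")        echo "register_globals: OK (unset, defaults to Off since PHP 4.2)" ;;
        *)         echo "register_globals: INSECURE ($rg)"; rc=1 ;;
    esac

    # Every function the article disables must appear in the comma list.
    df=$(printf '%s\n' "$ini" | ini_get disable_functions | tr -d ' ')
    missing=""
    for f in dl system exec passthru shell_exec; do
        case ",$df," in
            *",$f,"*) ;;
            *)        missing="$missing $f" ;;
        esac
    done
    if [ -z "$missing" ]; then
        echo "disable_functions: OK"
    else
        echo "disable_functions: MISSING$missing"; rc=1
    fi
    return $rc
}

# Two constructed php.ini fragments: a stock one and the hardened one.
WEAK_INI='[PHP]
safe_mode = Off
register_globals = On
disable_functions ='
HARDENED_INI='[PHP]
safe_mode = On
register_globals = Off
disable_functions = dl,system,exec,passthru,shell_exec'

echo "--- weak php.ini"
printf '%s\n' "$WEAK_INI" | php_ini_audit || echo "fix php.ini before going live"
echo "--- hardened php.ini"
printf '%s\n' "$HARDENED_INI" | php_ini_audit && echo "all three settings in place"
```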

How to install BFD (Brute Force Detection)?

What is BFD (Brute Force Detection)?
BFD is a modular shell script for parsing applicable logs and checking for authentication failures. There is not much complexity or detail to BFD yet, and likewise it is very straightforward in its installation, configuration and usage. The reason behind BFD is very simple: there are few or no authentication and brute force auditing programs in the Linux community that work in conjunction with a firewall or real-time facility to place bans. BFD is available at: http://www.rfxnetworks.com/bfd.php

This guide will show you how to install and configure BFD to protect your system from brute force hack attempts.

Requirements:
- You MUST have APF Firewall Installed before installing BFD - it works with APF and requires some APF files to operate.
- Root SSH access to your server

Let's begin!
Login to your server through SSH and su to the root user.

1. cd /root/downloads or another temporary folder where you store your files.

2. wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

3. tar -xvzf bfd-current.tar.gz

4. cd bfd-0.7

5. Run the install file: ./install.sh
You will receive a message saying it has been installed

.: BFD installed
Install path: /usr/local/bfd
Config path: /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd

6. Let's edit the configuration file: pico /usr/local/bfd/conf.bfd

7. Enable brute force hack attempt alerts:
Find: ALERT_USR="0" CHANGE TO: ALERT_USR="1"

Find: EMAIL_USR="root" CHANGE TO: EMAIL_USR="your@yourdomain.com"

Save the changes: Ctrl+X then Y

8. Prevent locking yourself out!
pico -w /usr/local/bfd/ignore.hosts and add your own trusted IPs
Eg: 192.168.1.1

Save the changes: Ctrl+X then Y

BFD uses APF's CLI insert feature and as such will override any allow_hosts.rules entries you have in place, so be sure to add your trusted IP addresses to the ignore file to prevent locking yourself out.

9. Run the program!
/usr/local/sbin/bfd -s

10. Customize your applications' brute force configuration
Check out the rules directory in /usr/local/bfd

Here you'll find all kinds of pre-made rules for popular services such as Apache and ProFTPD, w00t!
If you have any clue about shell scripting you can customize them or create new rules for enhanced brute force detection and prevention.

How to install APF (Advanced Policy Firewall)

What is APF (Advanced Policy Firewall)?
APF is a policy-based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. Packaging in tar.gz and RPM formats makes APF ideal for deployment in many Linux-based server environments. APF is developed and maintained by R-fx Networks: http://www.rfxnetworks.com/apf.php

This guide will show you how to install and configure APF firewall, one of the better known Linux firewalls available.

Updated: August 23, 2005 - coming soon, advanced APF usage and configuration, part 2 guide!
Updated: April 13, 2005


Requirements:
- Root SSH access to your server

Let's begin!
Login to your server through SSH and su to the root user.

1. cd /root/downloads or another temporary folder where you store your files.

2. wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

3. tar -xvzf apf-current.tar.gz

4. cd apf-0.9.5-1/ or whatever the latest version is.

5. Run the install file: ./install.sh
You will receive a message saying it has been installed

Installing APF 0.9.5-1: Completed.

Installation Details:
Install path: /etc/apf/
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf
AntiDos install path: /etc/apf/ad/
AntiDos config path: /etc/apf/ad/conf.antidos
DShield Client Parser: /etc/apf/extras/dshield/

Other Details:
Listening TCP ports: 1,21,22,25,53,80,110,111,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306
Listening UDP ports: 53,55880
Note: These ports are not auto-configured; they are simply presented for information purposes. You must manually configure all port options.

6. Let's configure the firewall: pico /etc/apf/conf.apf
We will go over the general configuration to get your firewall running. This isn't a complete detailed guide of every feature the firewall has. Look through the README and the configuration for an explanation of each feature.

We like to use DShield.org's "block" list of top networks that have exhibited suspicious activity.
FIND: USE_DS="0"
CHANGE TO: USE_DS="1"

7. Configuring Firewall Ports:

Cpanel Servers
We like to use the following on our Cpanel Servers

Common ingress (inbound) ports
# Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

Common egress (outbound) ports
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"


Ensim Servers
We have found the following can be used on Ensim Servers - although we have not tried these ourselves as I don't run Ensim boxes.

Common ingress (inbound) ports
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,19638"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

Common egress (outbound) ports
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"

Save the changes: Ctrl+X then Y


8. Starting the firewall
/usr/local/sbin/apf -s

Other commands:
usage ./apf [OPTION]
-s|--start ......................... load firewall policies
-r|--restart ....................... flush & load firewall
-f|--flush|--stop .................. flush firewall
-l|--list .......................... list chain rules
-st|--status ....................... firewall status
-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and
immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and
immediately load new rule into firewall


9. After everything is fine, change the DEVM option
In development mode (DEVM="1") the firewall automatically clears itself every 5 minutes from cron, so a mistake cannot lock you out while you test. We recommend changing this to "0" once you've had a chance to ensure everything is working well and have tested the server out.

pico /etc/apf/conf.apf

FIND: DEVM="1"
CHANGE TO: DEVM="0"


10. Configure AntiDOS for APF
Relatively new to APF is the AntiDOS feature, which can be found in: /etc/apf/ad
The log file will be located at /var/log/apfados_log so you might want to make note of it and watch it!

pico /etc/apf/ad/conf.antidos

There are various things you might want to fiddle with but I'll get the ones that will alert you by email.

# [E-Mail Alerts]
Under this heading we have the following:

# Organization name to display on outgoing alert emails
CONAME="Your Company"
Enter your company name or server name.

# Send out user defined attack alerts [0=off,1=on]
USR_ALERT="0"
Change this to 1 to get email alerts

# User for alerts to be mailed to
USR="your@email.com"
Enter your email address to receive the alerts

Save your changes! Ctrl+X then press Y
Restart the firewall: /usr/local/sbin/apf -r

11. Checking the APF Log

Will show any changes to allow and deny hosts among other things.
tail -f /var/log/apf_log

Example output:
Aug 23 01:25:55 ocean apf(31448): (insert) deny all to/from 185.14.157.123
Aug 23 01:39:43 ocean apf(32172): (insert) allow all to/from 185.14.157.123
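To turn that log into a current picture of who is blocked, here is an added example (not part of the original howto) that replays the "(insert) deny/allow" entries in order and reports each host's latest action. The sample log is constructed: the two lines above plus three made-up entries using documentation addresses; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of /var/log/apf_log in the format shown above: the two
# lines from the page plus three made-up entries using documentation addresses.
APF_LOG_SAMPLE='Aug 23 01:25:55 ocean apf(31448): (insert) deny all to/from 185.14.157.123
Aug 23 01:30:10 ocean apf(31500): (insert) deny all to/from 198.51.100.7
Aug 23 01:39:43 ocean apf(32172): (insert) allow all to/from 185.14.157.123
Aug 23 02:05:01 ocean apf(32300): (insert) deny all to/from 203.0.113.9
Aug 23 02:06:12 ocean apf(32301): (insert) deny all to/from 198.51.100.7'

# apf_log_state LOG: replay the "(insert) deny|allow all to/from IP" entries
# in order and print "IP ACTION" for each host, ACTION being its most recent
# one. Fields: $6="(insert)", $7=deny|allow, $9="to/from", $10=IP.
apf_log_state() {
    printf '%s\n' "$1" | awk '
        $6 == "(insert)" && ($7 == "deny" || $7 == "allow") && $9 == "to/from" {
            if (!($10 in state)) order[++n] = $10   # keep first-seen order
            state[$10] = $7                         # latest action wins
        }
        END { for (i = 1; i <= n; i++) print order[i], state[order[i]] }'
}

# apf_log_denied LOG: only the hosts whose latest action is deny, i.e. the
# blocks still in effect, assuming nobody edited deny_hosts.rules by hand
# (method B in step 13 does not write to this log).
apf_log_denied() {
    apf_log_state "$1" | awk '$2 == "deny" { print $1 }'
}

# apf_log_deny_count LOG: number of deny insertions in the log, a quick
# gauge of how busy the firewall has been.
apf_log_deny_count() {
    printf '%s\n' "$1" | awk '$6 == "(insert)" && $7 == "deny" { c++ } END { print c + 0 }'
}

apf_log_state "$APF_LOG_SAMPLE"
```

Feed it the real file with `apf_log_denied "$(cat /var/log/apf_log)"` to compare against deny_hosts.rules.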


12. New - Make APF Start automatically at boot time
To autostart apf on reboot, run this:

chkconfig --level 2345 apf on

To remove it from autostart, run this:

chkconfig --del apf


13. Denying IPs with APF Firewall (Blocking)
Now that you have your shiny new firewall you probably want to block a host right, of course you do! With this new version APF now supports comments as well. There are a few ways you can block an IP, I'll show you 2 of the easier methods.

A) /etc/apf/apf -d IPHERE COMMENTHERENOSPACES
> The -d flag means DENY the IP address
> IPHERE is the IP address you wish to block
> COMMENTHERENOSPACES is self-explanatory: a comment (no spaces) on why the IP is being blocked
These rules are loaded right away into the firewall, so they're instantly active.
Example:

./apf -d 185.14.157.123 TESTING

pico /etc/apf/deny_hosts.rules

Shows the following:

# added 185.14.157.123 on 08/23/05 01:25:55
# TESTING
185.14.157.123

B) pico /etc/apf/deny_hosts.rules

You can then just add a new line and enter the IP you wish to block. Before this becomes active though you'll need to reload the APF ruleset.

/etc/apf/apf -r

14. Allowing IPs with APF Firewall (Unblocking)

I know I know, you added an IP now you need it removed right away! You need to manually remove IPs that are blocked from deny_hosts.rules.
A)
pico /etc/apf/deny_hosts.rules

Find where the IP is listed and remove the line that has the IP.
After this is done save the file and reload apf to make the new changes active.

/etc/apf/apf -r

B) If the IP isn't already listed in deny_hosts.rules and you wish to allow it, this method adds the entry to allow_hosts.rules

/etc/apf/apf -a IPHERE COMMENTHERENOSPACES
> The -a flag means ALLOW the IP address
> IPHERE is the IP address you wish to allow
> COMMENTHERENOSPACES is self-explanatory: a comment (no spaces) on why the IP is being allowed (unblocked)
These rules are loaded right away into the firewall, so they're instantly active.
Example:

./apf -a 185.14.157.123 UNBLOCKING

pico /etc/apf/allow_hosts.rules

# added 185.14.157.123 on 08/23/05 01:39:43
# UNBLOCKING
185.14.157.123

How to install KISS Firewall

KISS My Firewall is a FREE iptables script designed for a typical web server. It takes advantage of the latest firewall technologies including stateful packet inspection and connection tracking. It also contains some preventative measures for port scanning, DoS attacks, and IP spoofing, among other things.

KISS My Firewall 2 is very easy to install and does not require any initial configuration. It will work with any stock installation of Ensim WEBppliance Basic & Pro, Plesk, and Webmin. Cpanel installations require some modifications. Available at: http://www.geocities.com/steve93138/

What's New in Version 2?

The biggest change is that it does not require any initial configuration. With version 2, you won't automatically lock yourself out of your server unless you set some of the variables incorrectly. It also does extensive error checking and is distributed as a tar file. This solves a lot of the issues that were present with the older version. In addition, version 2 is highly configurable and was tested to work with the latest version of iptables - version 1.2.8.

HOW TO: Install KISS My Firewall

1) When logged in as root ( "su -" ), type:

2) cd /usr/bin

3) Download KISS firewall
wget http://www.geocities.com/steve93138/kiss-2.0.1.tar.gz

4) Extract it
tar zxvf kiss-2.0.1.tar.gz

If you want to block an offender's IP address/subnet, simply edit the BLOCK_LIST variable in the /usr/bin/kiss file. You can separate IP addresses and subnets with a space. Once you are finished, restart the firewall.

5) Editing the config
pico -w /usr/bin/kiss

You must change the config from:

# Uncomment to allow DNS zone transfers
#
#$IPTABLES -A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A INPUT -i eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT

To:

# Uncomment to allow DNS zone transfers
#
$IPTABLES -A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT

6) Cpanel Users Config - other users ignore this step
In the /usr/bin/kiss file scroll down until you see the line: TCP_IN and replace it with this.

TCP_IN="20 21 25 53 80 110 143 443 995 2082:2083 2086:2087 2095:2096 3306"

Now find the line that says TCP_OUT and replace it with this.

TCP_OUT="21 22 25 37 43 53 80 443 873 2089"

7) Save the changes and restart the firewall
Ctrl + X then Y

Restart KISS by typing:
kiss restart

That's it! You now have a nice IPtables firewall running that's easy to configure and use.



Firewall Commands
To get it running from anywhere on the command line, you simply type:
kiss start

To stop the firewall, type:
kiss stop

To get status information, type:
kiss status

Restart KISS by typing:
kiss restart

Cpanel Tutorials

http://www.hostingpacket.com/videos/index.htm --> Cpanel 10

http://www.wwm.net/index.php?page=support --> Cpanel 10

http://www.2serveu.net/support/cpanel-tutorial.htm --> Cpanel Live Demo

To know more about cpanel tutorials :

http://www.uurnet.net/cpanelhowto/

Cpanel & WHM Newbie Guide :

http://www.webhostgear.com/3_print.html

Expired License Checklist

--------------------------------------------------------------------------------

This is the down and dirty on resolving your "expired license" woes. Let me know if you think there should be any additions.

1. Is the license expired?

This is the most obvious cause and simple to verify. Check http://verify.cpanel.net/ with the server's IP.

2. Is the server's hostname a fully qualified domain name?

I like to check this one, and whether the hostname resolves locally, with this command:

root@spaceboy [~]# host `hostname`
spaceboy.domain.com has address 192.168.1.69

The hostname should be properly formatted. We've seen cases where leading or trailing whitespace in the hostname was causing the licensing verification to fail.

3. Does the server's hostname resolve locally and remotely?

I'm not so sure how important this one is, but it should be the case regardless. And if it's not obvious, local and remote name resolution should match (unless the server is going through NAT). You can also check the server's public IP address using cPanel's IP chicken:

root@spaceboy [~]# curl cpanel.net/myip/
x.x.x.x

4. Does cpkeyclt report a problem?

Run the following command:

/usr/local/cpanel/cpkeyclt

This should promptly return the command line with no messages. If it takes a while (longer than 3 seconds), then there is likely a connectivity issue between your server and the licensing server. If it quickly returns the command line, then all is well with your license, and you can consider the issue resolved.

5. Is there a firewall blocking connections to the licensing server?

Outgoing TCP connections to port 2089 need to be open, with all established and related traffic being allowed back through the firewall (you are using a stateful firewall, right?). If you're not sure that your firewall is properly configured, then the best thing to do is temporarily flush your firewall rules (iptables -F). Afterwards give cpkeyclt a try. If it works then you know the issue is with your firewall.

6. Is the license IP address bound directly to the interface and not an IP alias?

This one is a little more flexible, but can be a problem at times. On a VPS system, I don't think this one applies as the public IP is usually bound to venet0:0 by default. This is usually worth checking and shouldn't be anything strange on a properly configured system anyways.

7. Does the licensing server think the server's query is coming from the proper IP address?

I suggest watching your net traffic using tcpdump while running cpkeyclt. That should give you a pretty good indication.

The above checks should cover 99.3% of all expired license issues. If your issue isn't resolved by going through this checklist, then please submit a support ticket.
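The checklist above in script form, as an added example that is not part of the original checklist: check_license_hostname applies the hostname rules from items 2 and 3 (including the leading/trailing whitespace case), run_within applies the 3-second rule from item 4, and license_checks strings them together. It assumes a POSIX shell with the hostname and host utilities; the function names and messages are my own.

```shell
#!/bin/sh
# check_license_hostname NAME: print one line per problem that items 2 and 3
# above would catch in NAME (whitespace, not fully qualified, bad characters)
# and return 1; print "ok" and return 0 when the name looks usable.
check_license_hostname() {
    name=$1
    rc=0
    if printf '%s' "$name" | grep -q '[[:space:]]'; then
        echo "whitespace in hostname (leading or trailing spaces break verification)"
        rc=1
    fi
    # Strip whitespace before the remaining checks so each problem is reported once.
    clean=$(printf '%s' "$name" | tr -d '[:space:]')
    case $clean in
        *.*) ;;                       # has at least one dot: candidate FQDN
        *) echo "not a fully qualified domain name: $clean"; rc=1 ;;
    esac
    case $clean in
        .*|*.|*..*) echo "empty label in hostname: $clean"; rc=1 ;;
    esac
    if printf '%s' "$clean" | grep -q '[^A-Za-z0-9.-]'; then
        echo "characters outside letters, digits, '.' and '-': $clean"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# run_within LIMIT CMD...: run CMD, discarding its output, and return 0 only
# if it finished within LIMIT seconds; mirrors the "longer than 3 seconds"
# rule for cpkeyclt in item 4 (wall clock, 1 s resolution).
run_within() {
    limit=$1; shift
    start=$(date +%s)
    "$@" >/dev/null 2>&1
    end=$(date +%s)
    [ $((end - start)) -le "$limit" ]
}

# license_checks: items 2 to 4 in one go. cpkeyclt is only run if present.
license_checks() {
    check_license_hostname "$(hostname)"
    if command -v host >/dev/null 2>&1; then
        if host "$(hostname)" >/dev/null 2>&1; then
            echo "hostname resolves"
        else
            echo "hostname does not resolve; check DNS and /etc/hosts"
        fi
    fi
    if [ -x /usr/local/cpanel/cpkeyclt ]; then
        if run_within 3 /usr/local/cpanel/cpkeyclt; then
            echo "cpkeyclt: returned within 3 seconds"
        else
            echo "cpkeyclt: took longer than 3 seconds; check outbound TCP 2089 (item 5)"
        fi
    fi
}

# When run directly on a server, report on the server's own hostname.
command -v hostname >/dev/null 2>&1 && license_checks
```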

/usr/local/cpanel/3rdparty/mailman/data/master-qrunner.pid

PID unreadable in: /usr/local/cpanel/3rdparty/mailman/data/master-qrunner.pid
[Errno 2] No such file or directory: '/usr/local/cpanel/3rdparty/mailman/data/master-qrunner.pid'
Is qrunner even running?
Shutting down Mailman's master qrunner
mailmanctl: no process killed

This shows up when trying to install Neo-mail from Tweak Settings.

Sol:

$>/scripts/reinstallmailman

=====================================================================================

You can also use

$>/scripts/mailman212

to completely upgrade it along with the necessary cPanel upgrades.

Port Block using IP tables

Blocking specific ports is very easy to do by directly controlling
iptables. Iptables is the utility which the "GUI-Based" firewall tools
are based on.

Here is what to do:

Step 1, discover where your GUI firewall tool is keeping its "iptables"
script. (This is a text file with a list of iptables commands in it.)


Step 2, As root, add these two lines to that script. PORT is a placeholder
for the port number you want to block:

iptables -A INPUT -p TCP --dport PORT -j DROP
iptables -A INPUT -p UDP --dport PORT -j DROP



Step 3, Source that script (which means run it) syntax:

.

For example, if the name of the script is /tmp/foo, you would say:
. /tmp/foo


Step 4, As root, save the rules with "iptables-save > /etc/sysconfig/iptables".
iptables-save prints your running iptables configuration; writing it to
"/etc/sysconfig/iptables" lets your system restore it at reboot time.

Step 5, save a copy of the iptables script you modified above just in
case you ever need to add anything else to your firewall. You will,
eventually, probably want to add or delete something from it.


Step 6, NEVER, EVER run the GUI-Firewall tool again. It will very
likely destroy/overwrite the port blocks you just added.

=====================================================================================

iptables -I INPUT -s {IP} -j DROP

http://forums.rackshack.net/showthread.php?s=3366493fc4c840330d8134a0d966a044&threadid=27618&highlight=iptables+drop

UPgrade Advanced Guestbook v2.2: How to?

Please check this link:

http://www.totalchoicehosting.com/forums/index.php?showtopic=9922

How to enable "update now" button in awstats

Hi,

Here is how it can be done :

There's a awstats configuration file in each user's tmp folder:

/home/username/tmp/awstats/awstats.domain.com.conf

in this file search for the "AllowToUpdateStatsFromBrowser" parameter. This parameter should be set to 1. By default it is 0.

Check out!

SSL certificate warning

If you are getting SSL certificate warning as under :

"The security certificate was issued by a company you have not chosen to trust"

while accessing the site using https, please follow these steps:
1) Copy the .crt file for the domain along with the SSL key.
2) Delete the SSL Host.
3) Install the SSL certificate with the .crt file and key. Also please paste the CA bundle file downloaded from the SSL company website which is required to install the certificate correctly.

Check this !

How to secure cpanel

This is a nice post for securing WHM/cPanel:

http://www.cpanelplanet.com/showthread.php?t=26
http://forums.ev1servers.net/showth...&threadid=48077

=====================================================================================

http://www.shareware-promotion.org/resources,9.html


This is a link to A Beginner's Guide to Securing Your WHM/cPanel.

=====================================================================================

W32.Novarg.A@mm / Mydoom Virus

Put this in /etc/antivirus.exim file

# This will bounce the message to the sender.
# Note: "Windows-1252" is also an ordinary charset label, so this test is broad and will hit legitimate mail.
if $message_body contains "Windows-1252"
then
fail text "Message rejected, looks like Novarg Virus"
seen finish
endif

OR

# This will discard the message silently instead of bouncing it
if $message_body contains "Windows-1252"
then
#fail text "Message rejected, looks like Novarg Virus"
seen finish
endif

Fix Trojans

Find trojans and fix them. Use following commands

/scripts/findtrojans > /var/log/trojans
/scripts/fixtrojans /var/log/trojans

Cpanel Licence verification & reinitialisation

Please refer to the following link to confirm that the CPanel License is active:
http://layer1.cpanel.net/verify/index.cgi?ip=server_ip

Try running the program /usr/local/cpanel/cpkeyclt
to re-initialize the license again if you encounter any other licensing errors.

=====================================================================================

Please also check the following, as one of them might be the cause of the invalid licence error for cPanel/WHM:

1. Is the license expired?
2. Is the server's hostname a fully qualified domain name?
3. Does the server's hostname resolve locally and remotely?
4. Does cpkeyclt report a problem?
5. Is there a firewall blocking connections to the licensing server?
6. Is the license IP address bound directly to the interface and not an IP alias?
7. Does the licensing server think the server's query is coming from the proper IP address?

Block attachments using filters for exim

BLOCK .PIF, .SCR, OR .EXE ATTACHMENTS

In /etc/antivirus.exim, before the section:

if not first_delivery
then
finish
endif


Add the following:

# Look for .pif, .scr or .exe in files and REMOVE them!
if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|exe|pif|scr)\")"
then
seen finish
endif

# same again using unquoted filename [content_type_unquoted_fn_match]
if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|exe|pif|scr))"
then
seen finish
endif

# Look for .pif, .scr or .exe in files and REMOVE them!
# Quoted filename - [body_quoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|exe|pif|scr)\")[\\\\s;]"
then
seen finish
endif

# same again using unquoted filename [body_unquoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|exe|pif|scr))[\\\\s;]"
then
seen finish
endif

Original post found here:
http://forums.cpanel.net/showthread.php?s=&threadid=13699&postid=64732#post64732

Awstats

In order to update the awstats in cpanel / whm server use the following commands

Check this :

1. Login to shell
2. cd /home/username/tmp/awstats
3. locate awstats.pl
4. cp /usr/local/cpanel/base/awstats.pl .
5. chown username:username awstats.pl
6. perl awstats.pl -config=domain -update
7. Check awstats in cpanel now.

Updating Webstats

Hi,

I came across the problem of updating the webstats, particularly AWstats were not getting updated. I found the solution.... please verify and tell me if this does not work...

/usr/local/cpanel/3rdparty/bin/webalizer -n blumarten.com -o /home/blumartn/tmp/webalizer /usr/local/apache/domlogs/blumarten.com

/usr/local/cpanel/3rdparty/bin/webalizer ---->path for location of webalizer stats
-n blumarten.com --->hostname
-o /home/blumartn/tmp/webalizer ---->path of output directory
/usr/local/apache/domlogs/blumarten.com --->path for log files


UPDATING AWSTATS:
cd /home/blumartn/tmp/awstats
locate awstats.pl
cp /usr/local/cpanel/base/awstats.pl .
chown blumartn:blumartn awstats.pl
perl awstats.pl -config=blumarten.com -update

/usr/local/cpanel/Cpanel/Mysql.pm line 42 ERROR 1045

If you are seeing this MySQL error on all cPanel/WHM pages:

ERROR :

DBI connect(mysql:localhost,root,...) failed: Access denied for user: root@localhost (Using password: YES) at /usr/local/cpanel/Cpanel/Mysql.pm line 42 ERROR 1045: Access denied for user: root@localhost (Using password: YES) 0 / unlimited

Solution :

1. Edit the file /root/.my.cnf
pico /root/.my.cnf
2. Note the MySQL root password stored in that file and reset the MySQL root password to that value:

/etc/init.d/mysqld stop
safe_mysqld --skip-grant-tables &
mysql
USE mysql
UPDATE user
SET password=password("Password in .my.cnf file")
WHERE user="root";
flush privileges;
exit;
killall mysqld
/etc/init.d/mysql start
=====================================================================================
One more addition to this....

Log into the shell and then execute the following command:

$mysqladmin flush-hosts

I would say first run this command and then if it doesn't work, try increasing the limit in my.cnf file or the method above.

Please let me know if I am incorrect.
=====================================================================================

failed to lock mailbox

This is the problem where exim cannot lock the mailbox to read the messages in it. In that case try the following:

1. Go into the mail folder, search for inbox.lock and delete it, or
2. run the ./mailperm script

Changing update series from shell

If WHM is not accessible, edit the /etc/cpupdate.conf file to change the update series (release, stable, edge) from the shell.

CPANEL=daily
RPMUP=daily
SYSUP=daily

Change first line to
CPANEL=Stable
or
CPANEL=Release
or
CPANEL=Edge

then run /scripts/upcp to update the cpanel

Mysql gives "access denied" error for root@localhost

First, stop the mysqld,

/etc/rc.d/init.d/mysql stop

Then stop chkservd to keep it from interfering with mysqld while you work on it with

/etc/rc.d/init.d/chkservd stop

Start up mysqld, but without the grant tables:

mysqld --skip-grant-tables -u mysql &

Then change the pass..

mysql

$mysql>use mysql;
$mysql>UPDATE user SET Password=PASSWORD('new_password') WHERE user='root';
$mysql>FLUSH PRIVILEGES;

Now restart mysql
=====================================================================================
----> Another Method

If the MySQL root password is not set at all, you can set one for the user root with the following commands in the shell:
*******************************************
killall mysqld
/usr/libexec/mysqld -Sg --user=root &
mysql
USE mysql
UPDATE user
SET password=password("your root password")
WHERE user="root";
flush privileges;
exit;
killall mysqld
/etc/init.d/mysqld start

*************************************

** These commands work only for the user root.
=====================================================================================
Another method which will resolve the privileges error too.

$>service mysqld stop
$>safe_mysqld --skip-grant-tables &
$>mysql

mysql>FLUSH PRIVILEGES;

mysql>GRANT ALL PRIVILEGES ON *.* TO root@localhost IDENTIFIED BY 'password' WITH GRANT OPTION;

mysql>exit;

$>service mysqld restart


Done........
=====================================================================================

Fatal Error for setting default address in Cpanel

If you get the error below when configuring the default mail address in cPanel:

Fatal! Write Failure: /etc/valiases/domain.com . Ignore any messages of success this can only result in failure!

Solution:

Just touch the file domain.com in /etc/valiases/ and chown it to user:mail:


cd /etc/valiases/
touch domain.com
chown user:mail domain.com

Can't add addresses in address book in horde

Go to http://faq.cpanel.net/list.cgi

There you will find the FAQ entry: The Address Book in Horde returns an error "There was an error adding this object"?

Alternatively (not from the FAQ) the error could be "An error has occurred, please contact your sys admin".

Use the same solution, which is also given below.
You need to check whether the table turba_objects is present in the horde database. If it is not present, create it using the following:


SSH to the server as root. Type `mysql` to get the mysql prompt and cut and paste the following:

CREATE TABLE horde.turba_objects (object_id varchar(32) PRIMARY KEY,owner_id varchar(255),object_name varchar(255),object_alias varchar(32),object_email varchar(255),object_homeAddress varchar(255),object_workAddress varchar(255),object_homePhone varchar(25),object_workPhone varchar(25),object_cellPhone varchar(25),object_fax varchar(25),object_title varchar(32), object_company varchar(32),object_notes text);

After that has been entered the address book (turba objects) should work again.

SMTP Authentication ON

You can change the SMTP port by adding following line to exim.conf :

daemon_smtp_port = 35

This line should be added in run-time-configuration section...

mySQL query error: SELECT DISTINCT(ibf_posts.author_id), ibf

Hi,

Error :
------------------------------------------------------
mySQL query error: SELECT DISTINCT(ibf_posts.author_id), ibf_topics.* FROM ibf_topics
LEFT JOIN ibf_posts ON
(ibf_topics.tid=ibf_posts.topic_id AND ibf_posts.author_id=2)
WHERE ibf_topics.forum_id=4
and ibf_topics.approved=1
and (ibf_topics.pinned=1 or ibf_topics.last_post > 0) ORDER BY pinned DESC, last_post DESC LIMIT 0,50

mySQL error: Can't open file: 'ibf_posts.MYI'. (errno: 145)
mySQL error code:
Date: Thursday 28th of January 2004 03:30:26 AM
----------------------------------------------------

Solution :

This error is caused by a table corruption in your database. To correct this error, you can run the following SQL query in your shell(command : mysql databasename) or phpMyAdmin:

REPAIR TABLE ibf_posts;

I would also recommend upgrading mySQL to version 4.0.15+, as the developers say they have fixed this frequent table corruption bug.

This doesn't mean that your database is failsafe if you upgrade though, as table corruptions can happen at any time. It is always recommended to back up your board files and database often.

For a great script to make mySQL backup / restore easy, check out Wraith's mySQL Backup / Restore Tool.

Cpanel sends email that exim fails

If exim is running but cPanel still sends emails saying exim has failed, edit the chkservd check for exim and change the service line from:


pico /etc/chkserv.d/exim

service[exim]=25,QUIT,554,/etc/rc.d/init.d/exim stop;/etc/rc.d/init.d/exim stop;/etc/rc.d/init.d/exim stop;/etc/rc.d/init.d/exim start

to:

service[exim]=25,QUIT,220,/etc/rc.d/init.d/exim stop;/etc/rc.d/init.d/exim stop;/etc/rc.d/init.d/exim stop;/etc/rc.d/init.d/exim start

Note: 554 -> 220 is the difference. Then run:
/etc/init.d/chkservd stop
/etc/init.d/chkservd start

How to stop SYN-ACK attack

A good security tutorial is at : http://www.toplayer.com/content/resource/faq.jsp


One more link

http://www.google.com/search?q=How+to+stop+SYN+attack+on+server&hl=en&lr=&ie=UTF-8&oe=UTF-8

Horde Address Book Error

If you receive this error when adding email addresses to your Horde address book: "There was an error adding this object. Contact your system administrator for further help."

Then try this fix, which was provided by cPanel support itself.

To correct the problem with the Horde address book not working correctly, you will need to SSH into your server as root, and type "mysql" to get a mysql prompt. Enter the following queries, and your problem should be fixed:

CREATE TABLE horde.turba_objects (object_id varchar(32) PRIMARY KEY,owner_id varchar(255),object_name varchar(255),object_alias varchar(32),object_email varchar(255),object_homeAddress varchar(255),object_workAddress varchar(255),object_homePhone varchar(25),object_workPhone varchar(25),object_cellPhone varchar(25),object_fax varchar(25),object_title varchar(32), object_company varchar(32),object_notes text);
insert into mysql.tables_priv values("%","horde","horde","turba_objects","root@localhost",now()+0,"Select,Insert,Update,Delete","");
flush privileges;


It worked like a charm for me on one of my servers.

=====================================================================================
If you are unable to log in to Horde and it shows the following error:

A fatal error has occurred:

DB Error: connect failed

[line 108 of /usr/local/cpanel/base/horde/lib/Prefs/sql.php]

Details have been logged for the administrator.


And horde DB is missing from mysql,

Then :

To create horde db in mysql use following command.

$>mysql < /usr/local/cpanel/base/horde/scripts/db/create_mysql.sql

Then run

$>/scripts/resethorde
$>/scripts/fullhordereset

Horde errors

If you see the following error in Cpanel horde...

A fatal error has occurred:

DB Error: connect failed

[line 108 of /usr/local/cpanel/base/horde/lib/Prefs/sql.php]

do the following

Log in to the shell using ssh/telnet as root, then into mysql as root:

mysql> create database horde;
mysql>\q

# /scripts/fullhordereset

Thats it .. bingo.!!

don't forget to test it though !

/var/lib/mysql/mysql.sock' (111) error

Try this first:

service mysql stop
rm -f /var/lib/mysql/mysql.sock
service mysql start
ln -s /tmp/mysql.sock /var/lib/mysql/mysql.sock

If that fails, the final solution is:

I read a post at the RackShack forum that the following needed to be in the /etc/my.cnf file:

[mysqld]
set-variable = max_connections=500

[client]
port = 3306
socket = /tmp/mysql.sock
[mysqld]
port = 3306
socket = /tmp/mysql.sock


I only had the first 2 lines, so I added the [client] and [mysqld] parts.


Then I shut down mysql and chkservd with the following commands:

service mysql stop
/etc/rc.d/init.d/chkservd stop


Then I removed the following files:

rm -rf /tmp/mysql.sock
rm -rf /var/lib/mysql/mysql.sock


Now restart mysql and chkservd with the following commands and mysql will create the mysql.sock file in the /tmp directory as outlined in the updated my.cnf file:

service mysql start
/etc/rc.d/init.d/chkservd start


Now create the softlink with this:

ln -s /tmp/mysql.sock /var/lib/mysql/mysql.sock


There were a couple of variations in that last command to create the softlink. I guess it depends on where mysql creates the mysql.sock file when it starts. So if you are troubleshooting you might shut down mysql as shown above, then remove the mysql.sock files. Then restart mysql as shown above and see where it creates the mysql.sock file. If it creates it in the /tmp directory then you need the softlink command shown above. If it creates the mysql.sock file in the /var/lib/mysql directory then you probably need to use the softlink command like this as shown in some of the other related posts:

ln -s /var/lib/mysql/mysql.sock /tmp/mysql.sock


That worked for me. Hope this helps someone down the line.
=====================================================================================
To be sure which of the two widely used symlink locations below is the valid one on your server:

1. /tmp/mysql.sock

2. /var/tmp/mysql.sock

check the /etc/my.cnf file for the following line.

" socket=/var/tmp/mysql.sock "

You need to create the symlink for the socket mentioned in above line.
=====================================================================================
Try all the above. If it doesn't work, then do this:
ln -s /var/lib/mysql/server.servername.com.pid /var/run/mysqld/mysqld.pid
service mysqld start
=====================================================================================

Restart Cpanel in SSH

Restart cPanel in SSH (the shell is like a DOS prompt):

/etc/init.d/cpanel restart

How do I reinstall Front Page Extensions for the entire server? (updated - FP 5.2)

Update the extensions with
rpm -Uvh http://layer1.cpanel.net/fp/frontpage-5.2-0.i386.rpm

------------------------------------------------------------------------------------

rpm -Uvh http://layer1.cpanel.net/fp-5.0-upgrade/frontpage/frontpage-5.0-0.i386.rpm

To view my clients FTP without knowing the password

Is there a backdoor to view my clients FTP without knowing the password? I am a reseller.

There is no plaintext record, even for root, of clients' passwords. The only copies on the server are the password hashes in the /etc/proftpd/* files.

How to install clamav on cpanel (antivirus)

Main >> cPanel >> Manage Plugins

Select

Name: clamavconnector
Author: cPanel Inc.
Installed Version: 0.91.2-1.9.8
Version: 0.91.2-1.9.8
Description: Virus Protection for Email and Filemanager Uploads !!BETA VERSION!!
Price: free

Installing zend optimiser on whm cpanel

First go to this directory "cd /usr/local/src" then run this command "/scripts/installzendopt"

Complete details
Visit http://www.webhostgear.com/184.html

Conf Paths

HTTPD conf

/usr/local/apache/conf/httpd.conf


Exim

Exim configuration file is stored at /etc/exim.conf on cPanel

FTP :: Logins and General Errors

/var/log/messages

General information and login attempts are logged here

-----------------

FTP Transactions

/var/log/xferlog

Is a symbolic link in most cases to /usr/local/apache/domlogs/ftpxferlog, which contains a history of the transactions made by FTP users.

How do I restart a daemon ?

Most of the services can be restarted from WebHostManager, however sometimes you will need to restart them from the shell. You must be logged in as root to do this. All standard linux services, such as http, ftp, exim, cpanel/whm, interchange, mysql etc, have init scripts in /etc/rc.d/init.d/

root@host [~]# ls /etc/rc.d/init.d/
./ atd* exim* httpd.tmpeditlib kdcrotate* named* nscd* rawdevices* snmpd* yppasswdd* ../ autofs* filelimits* identd* keytable* netfs* portmap* rstatd* sshd* ypserv* anacron* bandmin* functions* ipaliases* killall* network* portsentry* rusersd* syslog* ypxfrd* antirelayd* chkservd* gpm* ipchains* kudzu* nfs* proftpd* rwalld* xfs* apmd* cpanel3* halt* iptables* lpd* nfslock* radvd* rwhod* xinetd* arpwatch* crond* httpd@ isdn* mysql* nofsck* random* single* ypbind*

This is typical of what you will find in this directory.

The main ones you should be concerned with are :

cpanel3 - starts/stops cpanel and WHM. This includes Interchange, cppop, and cluster management services as well.
exim - starts/stops the exim mail server
httpd - starts/stops the apache webserver
mysql - starts/stops the mySQL database server
named - starts/stops the BIND dns server
proftpd - starts/stop the ProFTPD (or pureftpd when that is enabled) ftp server

Using these scripts is very easy. Let's say that named/bind is down and we need to restart it. As root, simply type /etc/rc.d/init.d/named start

You should see it start up, with a green [OK] on the left side of the shell/terminal window.
If you see a red [FAILED], check the message log: tail /var/log/messages
You should be able to see the error where things went wrong.
If you can not fix it yourself, contact tech support.
Some of these services have more options than just start and stop, and other ways to do them.
Let's say you have a lot of domains using your dns server and you don't want to stop and restart named just because you edited one domain. Type "ndc reload"; ndc controls the named daemon.
If you make a minor change to /usr/local/apache/conf/httpd.conf but don't want to restart apache, type "/etc/rc.d/init.d/httpd graceful" to do a graceful restart (finishes current requests before killing the child processes).

If you want to learn more about what commands each script offers, you can simply run the script without passing any arguments to it.

root@saturn [~]# /etc/rc.d/init.d/cpanel3
Usage: /etc/rc.d/init.d/cpanel3 {start|stop|status|restart}

This lets us know we can start, stop, check the running status of the service(s), or restart it. If you can't get a service to start, and don't know how to fix it, contact tech support for assistance.

Making login to admin first and then su to root.

1. Add username admin from shell (adduser)
2. Assign a password to the username: admin
3. Then add admin to the wheel group using WHM
4. pico /etc/ssh/sshd_config
uncomment:
#PermitRootLogin yes
and make it:
PermitRootLogin no

Restart sshd.

-------------------------------------------------------------------------------------

Why on earth would you want to disable root login?
Well, you're not. You are disabling "direct" root login. This will force a hacker to have to guess 2 separate passwords to gain root access (you do have 2 separate passwords for admin and root, right?).

After you do this, you will have to login as 'admin' and then 'su -' to get to root. We will also be forcing the use of SSH protocol 2, which is a newer, more secure SSH protocol. It's just a couple more ways to help your server stay safe from the bad guys.

If you're using cPanel make sure you add your admin user to the 'wheel' group so that you will be able to 'su -' to root, otherwise you may lock yourself out of root.


1) SSH into your server as 'admin' and gain root access by

su -

2) Copy and paste this line to edit the file

pico -w /etc/ssh/sshd_config

3) Find the line

#Protocol 2, 1

4) Uncomment it and change it to look like

Protocol 2

5) Next, find the line

#PermitRootLogin yes

6) Uncomment it and make it look like

PermitRootLogin no

7) Save the file

ctrl 'x' then 'y' then enter

Restart SSH

/etc/rc.d/init.d/sshd restart

Now, no one will be able to login to root without first logging in as admin and doing 'su -' to root, and you will be forcing the use of a more secure protocol.
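Before restarting sshd, it is worth checking that the edit really took effect: sshd honours the first uncommented occurrence of a keyword, keywords are case-insensitive, and a line left as "#PermitRootLogin yes" sets nothing (the built-in default still allows root). The following check is an added example, not part of the original post; the sample sshd_config and /etc/group texts are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify the sshd hardening
# procedure above before restarting sshd, and confirm the admin user is in
# the wheel group so that `su -` still works after direct root login is off.

# Constructed sample sshd_config as it should look after the edit.
GOOD_SSHD='# sample config
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
'
# Constructed sample where the lines were edited but never uncommented.
BAD_SSHD='#Protocol 2,1
#PermitRootLogin yes
'

# Print the effective value of a keyword: the first uncommented match wins,
# exactly as sshd applies it. Prints nothing if the keyword is never set.
sshd_effective() {
    awk -v key="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# Returns 0 when the config on stdin enforces both settings from the
# procedure (PermitRootLogin no and Protocol 2 only).
sshd_hardened() {
    cfg=$(cat)
    root=$(printf '%s\n' "$cfg" | sshd_effective PermitRootLogin)
    proto=$(printf '%s\n' "$cfg" | sshd_effective Protocol)
    [ "$root" = "no" ] && [ "$proto" = "2" ]
}

# Returns 0 when the named user appears in the wheel line of an
# /etc/group style text read from stdin (name:passwd:gid:member,member).
in_wheel() {
    awk -F: -v user="$1" '
        $1 == "wheel" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == user) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Stand-alone demonstration on the constructed samples.
if printf '%s' "$GOOD_SSHD" | sshd_hardened; then
    echo "good sample: direct root login disabled, protocol 2 only"
fi
if printf '%s' "$BAD_SSHD" | sshd_hardened; then :; else
    echo "bad sample: NOT hardened (settings still commented out)"
fi
```

On a live server the same functions apply to the real files: `sshd_hardened < /etc/ssh/sshd_config` and `in_wheel admin < /etc/group`.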

-------------------------------------------------------------------------------------

Also check this link:

http://forum.rackshack.net/showthread.php?s=&threadid=16888&highlight=root

How do I setup my mail to use SSL?

Set your mail server to the host name for SMTP/POP3/IMAP (instead of mail.domain.com) and then make sure that your mail client is using the following ports for SSL:

SMTP - 465
POP3 - 995
IMAP - 993

As always you want to make sure that your account name is user@domain.com (or user+domain.com) and that you are using authentication on your SMTP server.

How can I create a database from an sql backup file ?

First, create the database:

/path/to/bin/mysqladmin -u $mysqlusername -p$mysqlpassword create $mysqldatabasename

Then, add user permission to it...

/path/to/bin/mysqladmin -u usernamehere -ppasshere create databasename

Finally, add the tables back:

/path/to/bin/mysql -u $mysqlusername -p$mysqlpassword $mysqldatabasename < backup.sql

OR:

mysql -u user -p -e 'source backup_file' database

Standard ports for firewall

Following are the standard ports that need to be opened through the firewall for a cPanel server.

21 FTP
22 shell
80 apache
25 smtp
53 DNS
110 POP3
143 Imap
443 Apache SSL
465 SMTP SSL
993 Imap SSL
3306 MySQL (Optional)
2086 WHM
2082 Cpanel
2083 Cpanel SSL
2084 EntropyChat
2087 WHM SSL
2095 Horde

------------------------------------------------------------------------------------

Another LIST :

0
1 tcpmux
3
4
5 rje
7 echo
9 discard
11 systat
13 daytime
15 netstat
17 qotd
18 send/rwp
19 chargen
20 ftp-data
21 ftp
22 ssh, pcAnywhere , SFTP
23 Telnet
25 SMTP
27 ETRN
29 msg-icp
31 msg-auth
33 dsp
37 time
38 RAP
39 rlp
40
41
42 nameserv, WINS
43 whois, nickname
49 TACACS, Login Host Protocol
50 RMCP, re-mail-ck
53 DNS
57 MTP
59 NFILE
63 whois++
66 sql*net
67 bootps
68 bootpd/dhcp
69 Trivial File Transfer Protocol (tftp)
70 Gopher
79 finger
80 www-http
81 siteadmin on RAQ4
87
88 Kerberos, WWW
95 supdup
96 DIXIE
98 linuxconf
101 HOSTNAME
102 ISO, X.400, ITOT
105 cso
106 poppassd
109 POP2
110 POP3
111 Sun RPC Portmapper
113 identd/auth
115 sftp
116
117 uucp
118
119 NNTP
120 CFDP
123 NTP
124 SecureID
129 PWDGEN
133 statsrv
135 loc-srv/epmap
137 netbios-ns
138 netbios-dgm (UDP)
139 NetBIOS
143 IMAP
144 NewS
150
152 BFTP
153 SGMP
156
161 SNMP
175 vmnet
177 XDMCP
178 NextStep Window Server
179 BGP
180 SLmail admin
199 smux
210 Z39.50
213
218 MPP
220 IMAP3
256
257
258
259 ESRO
264 FW1_topo
311 Apple WebAdmin
350 MATIP type A
351 MATIP type B
360
363 RSVP tunnel
366 ODMR (On-Demand Mail Relay)
371
387 AURP (AppleTalk Update-Based Routing Protocol)
389 LDAP
407 Timbuktu
427
434 Mobile IP
443 ssl
444 snpp, Simple Network Paging Protocol, RAQ550
445 SMB
458 QuickTime TV/Conferencing
465 smtps
468 Photuris
475
500 ISAKMP, pluto
511
512 biff, rexec
513 who, rlogin
514 syslog, rsh
515 lp, lpr, line printer
517 talk
520 RIP (Routing Information Protocol)
521 RIPng
522 ULS
531 IRC
543 KLogin, AppleShare over IP
545 QuickTime
548 AFP
554 Real Time Streaming Protocol
555 phAse Zero
563 NNTP over SSL
575 VEMMI
581 Bundle Discovery Protocol
593 MS-RPC
608 SIFT/UFT
626 Apple ASIA
631 IPP (Internet Printing Protocol)
635 mountd
636 sldap
642 EMSD
648 RRP (NSI Registry Registrar Protocol)
655 tinc
660 Apple MacOS Server Admin
666 Doom
674 ACAP
687 AppleShare IP Registry
700 buddyphone
705 AgentX for SNMP
901 swat, realsecure
993 s-imap
995 s-pop
999 Urchin
1024
1025
1050
1062 Veracity
1080 SOCKS
1085 WebObjects
1100
1105
1114
1227 DNS2Go
1234
1243 SubSeven
1338 Millennium Worm
1352 Lotus Notes
1381 Apple Network License Manager
1417 Timbuktu
1418 Timbuktu
1419 Timbuktu
1420
1433 Microsoft SQL Server
1434 Microsoft SQL Monitor
1477
1478
1490
1494 Citrix ICA Protocol
1498
1500
1503 T.120
1521 Oracle SQL
1522
1524
1525 prospero
1526 prospero
1527 tlisrv
1529
1547
1604 Citrix ICA, MS Terminal Server
1645 RADIUS Authentication
1646 RADIUS Accounting
1680 Carbon Copy
1701 L2TP/LSF
1717 Convoy
1720 H.323/Q.931
1723 PPTP control port
1731
1755 Windows Media .asf
1758 TFTP multicast
1761
1762
1808
1812 RADIUS server
1813 RADIUS accounting
1818 ETFTP
1968
1973 DLSw DCAP/DRAP
1975
1978
1979
1985 HSRP
1999 Cisco AUTH
2000
2001 glimpse
2005
2010
2023
2048
2049 NFS
2064 distributed.net
2065 DLSw
2066 DLSw
2080
2082 CPANEL - USER Control Panel - unsecure
2083 CPANEL - USER Control Panel - Secure
2086 CPANEL - WEBHOST / WHM - unsecure
2087 CPANEL - WEBHOST / WHM - Secure
2095 (cpanel webmail) - unsecure
2096 (cpanel webmail) - secure
2106 MZAP
2140 DeepThroat
2222 DirectAdmin
2300 MSflightsim2002
2301 Compaq Insight Management Web Agents
2327 Netscape Conference
2336 Apple UG Control
2345
2400 MSflightsim2002
2427 MGCP gateway
2504 WLBS
2535 MADCAP
2543 sip
2565
2592 netrek
2727 MGCP call agent
2766
2628 DICT
2998 ISS Real Secure Console Service Port
3000 Firstclass
3001
3031 Apple AgentVU
3052
3128 squid
3130 ICP
3150 DeepThroat
3264 ccmail
3283 Apple NetAssistant
3288 COPS
3305 ODETTE
3306 mySQL
3352
3389 RDP Protocol (Terminal Server)
3520
3521 netrek
3782 Roger Wilco
3879
4000 icq, command-n-conquer
4045
4144
4242
4321 rwhois
4333 mSQL
4444
47017
4827 HTCP
5000
5001
5002
5004 RTP
5005 RTP
5010 Yahoo! Messenger
5050
5060 SIP
5135
5150
5190 AIM
5222
5353
5400
5500 securid
5501 securidprop
5300
5423 Apple VirtualUser
5432 PostGres
5555
5556
5631 PCAnywhere data
5632 PCAnywhere
5678
5800 VNC
5801 VNC
5900 VNC
5901 VNC
5843
6000 X Windows
6112 BattleNet
6050
6073 directplay8
6499
6500
6502 Netscape Conference
6547
6548
6549
6666
6667 IRC
6670 VocalTec Internet Phone, DeepThroat
6699 napster
6776 Sub7
6968
6969
6970 RTP
6971
7000
7007 MSBD, Windows Media encoder
7070 RealServer/QuickTime
7161
7323
7777
7778 Unreal
7640
7648 CU-SeeMe
7649 CU-SeeMe
7654
7786 MiniVend
8000
8002
8010 WinGate 2.1
8080 HTTP
8100
8181 HTTP
8383 IMail WWW
8443 Plesk
8765
8875 napster
8888 napster
8890
9000
9090
9200
9704
9669
9876
9989
10000 Webmin
10008 cheese worm
10752
12345
11371 PGP 5 Keyserver
12346
13000
13223 PowWow
13224 PowWow
14000
14237 Palm
14238 Palm
14690
16969
18888 LiquidAudio
19638 ensim
21157 Activision
22555
22703
22793
23213 PowWow
23214 PowWow
23456 EvilFTP
26000 Quake
27000
27001 QuakeWorld
27010 Half-Life
27015 Half-Life
27374
27444
27665
27910
27960 QuakeIII
28000
28001
28002
28003
28004
28005
28006
28007
28008
30029 AOL Admin
30100
30101
30102
30103
30303
30464
31335
31337 Back Orifice
32000
32771
32777 rpc.walld
34555
40193 Novell
41524 arcserve discovery
45000 Cisco NetRanger postofficed
47624 directplaysrvr
50505
52901
54321
61000
65301
9998
32773 rpc.ttdbserverd
32776 rpc.spray
32779 rpc.cmsd
38036 timestep

------------------------------------------------------------------------------------
Content of /etc/sysconfig/ipchains :


# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 110 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 53 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 953 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 2082 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 2083 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 2086 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 2087 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 2095 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 143 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 993 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 465 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 443 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 995 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 111 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 127.0.0.1 53 -d 0/0 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
-A input -s 0/0 -d 0/0 -p udp -j REJECT
-A input -s 0/0 -d 0/0 995 -p tcp -y -j ACCEPT
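ipchains evaluates rules in order, so an ACCEPT placed after the catch-all "-p tcp -y -j REJECT" is never reached; the last line of the listing above (port 995) is exactly such a dead rule, which means POP3-SSL is only open because of the earlier 995 entry. The following audit is an added example, not part of the original page or of lokkit; it assumes the lokkit file layout shown above (one "-A input ..." rule per line, catch-alls written as "-s 0/0 -d 0/0 -p PROTO"), and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): report ACCEPT rules in a
# lokkit-style /etc/sysconfig/ipchains file that are shadowed by an earlier
# catch-all REJECT/DENY for the same protocol, so the file can be checked
# before it is reloaded.

# Constructed sample modelled on the page's listing (two shadowed rules).
SAMPLE_CHAINS=':input ACCEPT
-A input -s 0/0 -d 0/0 110 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 127.0.0.1 53 -d 0/0 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
-A input -s 0/0 -d 0/0 -p udp -j REJECT
-A input -s 0/0 -d 0/0 995 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 53 -p udp -j ACCEPT
'

# Read an ipchains file on stdin; print every ACCEPT rule (with its line
# number) that follows a catch-all REJECT/DENY for the same protocol.
shadowed_accepts() {
    awk '
        /^-A input / {
            proto = ""
            for (i = 1; i <= NF; i++) if ($i == "-p") proto = $(i + 1)
            target = $NF
            # A catch-all carries no port: "-d 0/0" is followed directly by "-p".
            if ((target == "REJECT" || target == "DENY") && $0 ~ / -s 0\/0 -d 0\/0 -p /)
                blocked[proto] = NR
            else if (target == "ACCEPT" && proto != "" && (proto in blocked))
                printf "line %d: unreachable (shadowed by line %d): %s\n", NR, blocked[proto], $0
        }'
}

# Exit status 1 when the given file contains any shadowed rule, so the
# check can gate a reload (e.g. in a deploy script).
check_chains_file() {
    n=$(shadowed_accepts < "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Stand-alone demonstration on the constructed sample.
printf '%s' "$SAMPLE_CHAINS" | shadowed_accepts
```

On a real server run `check_chains_file /etc/sysconfig/ipchains` and move any reported ACCEPT above the catch-all REJECT lines.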

Thursday, February 28, 2008

Postgres gives an error of 'Password authentication failed for user'

Make sure the password is in /var/lib/pgsql/.pgpass. The format is as follows:

*:*:*:postgres:PASSWORD

Modify /var/lib/pgsql/data/pg_hba.conf. It should contain the following:

local all all md5
host all all 127.0.0.1 255.255.255.255 md5

Change 'md5' to 'trust' to disable authentication, then restart postgres:

/etc/init.d/postgresql restart

Now you should be able to connect to postgresql as user 'postgres' without a password to modify the password:

psql -u template1

Run the following sql command:

alter user postgres with password 'NEW PASSWORD HERE';

Finally change /var/lib/pgsql/data/pg_hba.conf back to its original format and restart postgresql one more time. Now you should be able to authenticate using user postgres and the password you specified.

Where do i go to find out if a new build of cpanel is released?

Some sort of builds are released quicker than others, for example, CURRENT builds are released quicker than RELEASE builds, and EDGE builds are released quicker than CURRENT Builds. To find the latest builds, go to http://layer2.cpanel.net , look for your operating system (FreeBSD/Linux).

How do I block an IP address from my server ?

If you want to block access to your server for whatever reason, you will need to log into the shell as root. Your server should either have ipchains or iptables to help accomplish this.

In this example, the attacking IP is 192.168.56.210 .

If you are using ipchains, type "ipchains -A input -j DENY -p all -l -s 192.168.56.210/32"

If you are using iptables, type "iptables -A INPUT -s 192.168.56.210/32 -j DROP"

If you just want to block access to one port from an ip :

iptables -A INPUT -s 192.168.56.210/32 -p tcp --destination-port 23 -j DROP

The above would drop all packets from 192.168.56.210/32 to port 23 (telnet) on the server.

There are many in-depth tutorials available on the internet; search google.com for more information.

PHP Myadmin error
----------------------

==================
Error
==================
2002 - The server is not responding (or the local MySQL server's socket is not correctly configured)

==================
FIX
==================

nano /usr/local/cpanel/base/3rdparty/phpMyAdmin/config.inc.php

change

$cfg['Servers'][$i]['host'] = 'localhost'; // MySQL hostname or IP address

to

$cfg['Servers'][$i]['host'] = '127.0.0.1'; // MySQL hostname or IP address

Horde webmail Authentication Error (Cpanel) :

/scripts/restartsrv_imap

Try this procedure to fix mysql.sock error: Cpanel

cd /var/lib/mysql
touch mysql.sock
chown mysql:mysql mysql.sock
chmod 1777 mysql.sock

now make a sym link into /tmp

ln -s /var/lib/mysql/mysql.sock /tmp
then
chmod 1777 /tmp

now
/scripts/mysqlup --force


now just restart mysql
/etc/rc.d/init.d/mysql restart

How to check cron is running or not ?


tail -f /var/log/cron

This shows the cron jobs that have been executed.

MySQL :: General Information and Errors

General Information and Errors

/var/lib/mysql/$(hostname).err

This path could vary, but is generally located in /var/lib/mysql. Could also be located at

/var/log/mysqld.log

IMAP/POP/SpamAssassin logs

General Logging and Errors

/var/log/maillog
/var/log/messages

The IMAP, POP, and SpamAssassin services all log here. This includes all general logging information (login attempts, transactions, spam scoring), along with fatal errors.

lsof -U command :

lsof is a command meaning "list open files", which is used in many Unix-like systems to report a list of all open files and the processes that opened them. It works on and supports several UNIX flavors.

The -U option means list the files open by user.

How to watch for file and file size changes of one folder live and not by email ?

# cd your-folder
# watch ls -la

How to find a specific filename and delete it ?

# find / -name specific-filename.txt -exec rm -rf {} \;

Mysql user logs out after few minutes :

After a few minutes of inactivity MySQL logs members out. Set the idle timeouts explicitly in /etc/my.cnf:

nano /etc/my.cnf

Add the two lines below to the [mysqld] section, i.e. between [mysqld] and [safe_mysqld]:

interactive_timeout=10
wait_timeout=10

The result should look like this:

[mysqld]
set-variable = max_connections=500
safe-show-database
set-variable = connect_timeout=15
interactive_timeout=10
wait_timeout=10
[safe_mysqld]
err-log=/var/log/mysqld.log

Exim Commands

Display Number of mails in queue :
exim -bpru | wc -l

Display mails :
exim -bpru | awk '{print $3}'

Remove mails from queue :
exim -bpru | awk '{print $3}' | xargs exim -Mrm

kill nobody process
ps aux | grep nobody | awk '{print $2}' | xargs kill -9


exim -bp
List the queue (same as mailq); this is relevant because it gives you the message IDs used by the commands below.

exim -M emailID
force delivery of one message

exim -qf
Force another queue run

exim -qff
Force another queue run and attempt to flush frozen messages

exim -Mvl messageID
View Log for message

exim -Mvb messageID
View Body for message

exim -Mvh messageID
View Header for message

exim -Mrm messageID
ReMove message (no errors sent)

exim -Mg messageID
Give up and fail message, message bounces to sender.
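The "Remove mails from queue" one-liner above removes every message on the server, legitimate mail included. The functions below are an added example, not part of the original page or of Exim, and show how to select only frozen messages or messages from one envelope sender out of `exim -bp` output before handing the IDs to `exim -Mrm`; the queue listing is a constructed sample and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): select Exim queue entries by
# envelope sender or frozen status before removing them, instead of
# flushing the whole queue.
# Constructed sample of `exim -bp` output. On a live server replace
# `printf '%s' "$SAMPLE_QUEUE"` with `exim -bp`.
SAMPLE_QUEUE=' 3h   1.2K 1RDPbn-0004Rc-1K <bounce@spammer.example> *** frozen ***
          victim@example.com

25m   512 1RDPcm-0004Rd-2L <alice@example.com>
          bob@example.org

 2d   4.0K 1RDPdn-0004Re-3M <> *** frozen ***
          carol@example.net
'

# Print the message IDs whose envelope sender matches the awk regular
# expression given as $1. Header lines are the ones carrying <sender>;
# the indented recipient lines never contain one. Reads `exim -bp` on stdin.
queue_ids_by_sender() {
    awk -v pat="$1" '
        /<[^>]*>/ {
            sender = $0
            sub(/.*</, "", sender)   # keep what follows the "<"
            sub(/>.*/, "", sender)   # drop the ">" and the rest of the line
            if (sender ~ pat) print $3
        }'
}

# Print the message IDs of frozen messages (Exim marks them "*** frozen ***").
queue_ids_frozen() {
    awk '/<[^>]*>/ && /\*\*\* frozen \*\*\*/ { print $3 }'
}

# Remove only the IDs read on stdin; `exim -Mrm` accepts several at once.
# Pass "echo" as $1 for a dry run that prints the command instead.
remove_queue_ids() {
    ids=$(cat)
    [ -n "$ids" ] || return 0
    printf '%s\n' "$ids" | xargs "${1:-exim}" -Mrm
}

# Stand-alone demonstration: dry-run removal of the frozen messages only.
printf '%s' "$SAMPLE_QUEUE" | queue_ids_frozen | remove_queue_ids echo
```

Bounces with an empty sender are selected with `queue_ids_by_sender '^$'`, which is the usual first cut when a backscatter flood fills the queue.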

Exim Logs
--------------------

Message Reception and Delivery

/var/log/exim_mainlog ( Linux )
/var/log/exim/mainlog (FreeBSD)

Receives an entry every time a message is received or delivered.

Rejections based on ACLs/Policies

/var/log/exim_rejectlog ( Linux )
/var/log/exim/rejectlog (FreeBSD)

Receives an entry every time a message is rejected based on either ACLs or other policies (for example, aliases configured to :fail:).

Unexpected or Fatal Errors

/var/log/exim_paniclog ( Linux )
/var/log/exim/paniclog (FreeBSD)

Receives all entries exim doesn't know how to handle. It's generally a really bad thing when log entries are being written here, and they should be thoroughly investigated.

General Information and Configuration for Exim Logs:
http://exim.org/exim-html-current/doc/html/spec_html/ch49.html

How can I debug problems with an email account ?

Trace the path of the email when sent from the server and see what path it follows:
exim -d2 -bt user@domain.com

How do I manually kill the exim mail queue?

/usr/local/cpanel/whostmgr/bin/whostmgr2 killeximq

How to Find a Members List of a Mailing list

To Find a Members list of a Mailing list on the server you can use this command to find it
"/usr/local/cpanel/3rdparty/mailman/bin/list_members List name (user_domainname.com)". This will display the members list of that mailing list.

-------------------------------------------------------------------------------------

To add a mailing list:
1) Click on the Mailing Lists link in the Mail area.
2) Click on the Add Mailing List link.
3) Enter the name of the mailing list in the List Name field, the password for the list in the Password field, and the domain it is for from the Domain drop-down list.
4) Click on the Create button. The list is created in the /usr/local/cpanel/3rdparty/mailman/lists folder.

General solutions to Email problems

Basic steps to check for email problems :-

If your client is having problems with email, check the following steps:

1. Check the domain name by putting it on the domain dossier
>> a. Address lookup : the IP resolves properly to your nameserver, or the domain is still in DNS propagation
>> b. Domain Whois record : the Registration Status is not "HOLD", which would indicate the domain name registrar has blocked the domain
>> c. Service scan : SMTP and POP3 are working properly without giving "Time out"

2. Configure the account in Outlook Express at your end with the following details of the client's account:

Email Address : anybody@domain.com
Username : anybody@domain.com
Password : Password
SMTP : mail.domain.com
POP3 : mail.domain.com
Please tick the option for "My server requires authentication"

Note : Make sure all the details are entered properly.

3. If you get an error at your end, read the error carefully; it may be something like
>> a. Account was suspended :- which indicates your billing department or somebody else has suspended the hosting account for some reason
>> b. Rejected username or password : check that you have entered the username and password properly; if it still fails, try to reset the password for that email address in the control panel.
>> c. Next check whether the quota for the email account is exceeded; if so, try to increase the limit, otherwise the client will not be able to receive mails
>> d. If "My server requires authentication" is not ticked you will get an error while sending emails.
>> e. Otherwise copy the error into google and search for it

4. If you can send and receive mails successfully but the client is not able to send and receive:
>> a. Provide the details for the account you configured in Outlook Express in step 2.
>> b. If it still fails, tell him to check by disabling the firewall at his end.
>> c. Tell him to change SMTP and POP3 to those of his ISP, i.e. HisISPname.domain.com
>> d. If he is able to receive mails but cannot send, ask him to change the port for SMTP to 465 (SMTP SSL) with the settings in steps 4.a and 4.c above
>> e. Otherwise there is a possibility that his ISP has blocked the port; ask him to contact his ISP for more information.

Horde error /usr/local/cpanel/base/horde/lib/Prefs/sql.php

Hello Friends,

If anyone faces the following error with horde :

Fatal error has occurred:
DB Error: connect failed
[line 102 of /usr/local/cpanel/base/horde/lib/Prefs/sql.php]
Details have been logged for the administrator.

Use the following scripts to fix it :
cd /scripts/
/scripts/resethorde
/scripts/fullhordereset
------------------------------------------------------------------------------
------------------------------------------------------------------------------
If you get this error while logging in to webmail through cpanel :
Fatal error: Call to undefined function: _() in /usr/local/cpanel/base/horde/config/registry.php on line 86

or something like:
undefined class name 'log in user/local/cpanel/base/horde/lib/horde/php


do this:
cp /usr/local/cpanel/3rdparty/bin/imapd /usr/sbin

touch /var/cpanel/usecpphp

How to Install Java on cpanel server ?

1. Download the SDK, Standard Edition 1.4.2_04 from java.sun.com (RPM) to the local machine (not to the server)
2. Upload the file via the cPanel file manager to /usr/local (around 35 MB)
3. chmod 755 j2sdk.....bin
4. ./j2sdk....bin
5. cd /usr ; mkdir java
6. cd local
7. mv j2sdk1.4.2_04/ ../java
8. cd ..
9. cd java
10. cd ../local
11. ln -s /usr/java/j2sdk1.4.2_04/ jdk
12. ln -s /usr/java/j2sdk1.4.2_04/jre/ jre
13. cd ..
14. set classpath=/usr/local/jdk
15. Check whether it is installed by typing java / javac


-----------------------------------------------------------

For installation on plain linux server refer:

http://www.dougsparling.com/comp/howto/linux_java.html

Disabling Password Reset Option : Cpanel

url : http://www.webhostgear.com/70.html

Disabling Password Reset Option

Cpanel recently announced a new vulnerability for their servers for the password reset option.
We'll show you how to turn off the password reset option for failed logins to Cpanel through Web Host Manager.

Description
The feature "Allow cPanel users to reset their password via email",
found in WebHostManager in the "Tweak Settings" section allows for a
cpanel user to run some commands as the root user.

It's strongly suggested that all Cpanel users disable this feature.

Affected Systems
All builds of Cpanel on all platforms are vulnerable up to and including (9.1.0
build 34), all builds after that have been fixed.

Step 1) Fixing The Problem - Disable It

1. Log in to your WHM control panel as root.

2. Click on Tweak Settings in the upper left hand corner.

3. Scroll down until you see "Allow cPanel users to reset their password via email"

4. Uncheck the check box and click Save.



Step 2) Fixing The Problem - Update Cpanel
You can also update your Cpanel server to the latest release, which now fixes this issue.

1. Log in to your WHM control panel as root.

2. Click on Upgrade to Latest Version on the bottom right hand corner.

Your server is now protected from this exploit!