Disable MySQL strict mode!

We recently migrated WHMCS to latest CentOS 7 server with cPanel. The WHMCS ClientArea showed White screen when “Client logins were used”. We found that the server had MySQL strict mode enabled which was causing this problem.

I disabled MySQL strict mode as below :

Edited /usr/my.cnf and changed below value :

sql_mode=NO_ENGINE_SUBSTITUTION,NO_AUTO_CREATE_USER

Restarted MySQL :

/scripts/restartsrv mysql

voila this worked…… earlier I was trying to change sql_mode under /etc/my.cnf however found MySQL is using different location /usr/my.cnf

cPanel :: upcp failed, exited with code 25

I noticed below error while updating cPanel to latest one of the server:

Running `/usr/local/cpanel/scripts/updatenow --upcp --log=/var/cpanel/updatelogs/update.9320814564.log` failed, exited with code 25 (signal = 0)

Below was the OS installed on the server :

root@linuxbabu [~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
root@linuxbabu [~]#

Further found that the cPanel config had the OS information missing as below :

root@linuxbabu [~]# cat /var/cpanel/sysinfo.config
# This values in this file are calculated and updated if necessary nightly. If you wish to override
# these values, populate lock= with a comma delimited list of keys you don't want updated.
# This will allow you to change those values to suit your needs.
#
# Example: if you set lock like this, then rpm_dist and rpm_arch will not be updated nightly:
# lock=rpm_dist,rpm_arch
#
ises=2
lock=
release=6.5
rpm_arch=x86_64
rpm_dist=centos
rpm_dist_ver=unknown
root@linuxbabu [~]#

I corrected the OS rpm_dist_ver under the config file and the upcp worked fine :

root@linuxbabu [~]# cat /var/cpanel/sysinfo.config | grep rpm_dist_ver
rpm_dist_ver=6
root@linuxbabu [~]#

Eximstats too large

If the size of your eximstats database is too large, you can do the following steps to empty it.

Login to mysql server from root.

[root@srv1 ~]# mysql

mysql> use eximstats;
Database changed
mysql> show tables;
+---------------------+
| Tables_in_eximstats |
+---------------------+
| defers |
| failures |
| sends |
| smtp |
+---------------------+
4 rows in set (0.00 sec)

mysql> delete from defers;
Query OK, 0 rows affected (0.52 sec)

mysql> delete from failures;
Query OK, 0 rows affected (0.35 sec)

mysql> delete from sends;
Query OK, 17310 rows affected (0.23 sec)

mysql> delete from smtp;
Query OK, 4678 rows affected (0.06 sec)

mysql> exit
Bye
[root@srv1 ~]#

You can also do this by deleting the above .MYD files from the location /var/lib/mysql/eximstats and restart exim service afterwards.

How do I upgrade Apache on my Cpanel box?

There are two ways to update your Apache version on cpanel.

The first is from within WHM. Underneath the “Software” section in the menubar is “Apache Update.” Click this link and then follow the on screen directions.

The second option is from the command line. Run “/scripts/easyapache”, which will provide an update interface including a few more options than WHM.

It is highly recommended that you create a backup of your Apache configuration before preforming an update to a newer version.

Securing CPanel

Running a WHM like Cpanel can sure make hosting easy, but unfortunately running a WHM often makes your server much less secure than it was before!

We do not guaranty that the following steps will make your server hack proof, but it will greatly reduce your chances of compromise. Also note that Layered Technologies does not manage your server and if you do not feel comfortable making system level changes to your server we recommend you open a level2 support ticket (for a fee) or hire a third party sysadmin service to help you.

Basic Steps to Securing CPanel (Linux based OS):

These are items inside of WHM/Cpanel that should be changed to secure your server.

Goto Server Setup =>> Tweak Settings

Check the following items…

Under Domains
Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)

Under Mail
Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts – blackhole

Under System
Use jailshell as the default shell for all new accounts and modified accounts

Goto Server Setup =>> Tweak Security
Enable php open_basedir Protection
Enable mod_userdir Protection
Disabled Compilers for unprivileged users.

Goto Server Setup =>> Manage Wheel Group Users
Remove all users except for root and your main account from the wheel group.

Goto Server Setup =>> Shell Fork Bomb Protection
Enable Shell Fork Bomb/Memory Protection

When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.

Goto Service Configuration =>> FTP Configuration
Disable Anonymous FTP

Goto Account Functions =>> Manage Shell Access
Disable Shell Access for all users (except yourself)

Goto Mysql =>> MySQL Root Password
Change root password for MySQL

Goto Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:
/sbin/depmod
/sbin/insmod
/sbin/insmod.static
/sbin/modinfo
/sbin/modprobe
/sbin/rmmod

These are measures that can be taken to secure your server, with SSH access.

Udate OS, Apache and CPanel to the latest stable versions.

This can be done from WHM/CPanel.

Restrict SSH Access

To restrict and secure SSH access, bind sshd to a single IP that is different than the main IP to the server, and on a different port than port 22.

SSH into server and login as root.

Note: You can download Putty by Clicking Here. It’s a clean running application that will not require installation on Windows-boxes.

At command prompt type: pico /etc/ssh/sshd_config

Scroll down to the section of the file that looks like this:
Code:

#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::

Uncomment and change

#Port 22

to look like

Port 5678 (choose your own 4 to 5 digit port number (49151 is the highest port number)

Uncomment and change

#Protocol 2, 1

to look like

Protocol 2

Uncomment and change

#ListenAddress 0.0.0.0

to look like

ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)

Note 1: If you would like to disable direct Root Login, scroll down until you find

#PermitRootLogin yes

and uncomment it and make it look like

PermitRootLogin no

Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.

Now restart SSH

At command prompt type: /etc/rc.d/init.d/sshd restart

Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.

Disable Telnet

To disable telnet, SSH into server and login as root.

At command prompt type: pico -w /etc/xinetd.d/telnet

change disable = no to disable = yes

Save and Exit

At command prompt type: /etc/init.d/xinetd restart

Server e-mail everytime someone logs in as root

To have the server e-mail you everytime someone logs in as root, SSH into server and login as root.

At command prompt type: pico .bash_profile

Scroll down to the end of the file and add the following line:

echo ‘ALERT – Root Shell Access on:’ `date` `who` | mail -s “Alert: Root Access from `who | awk ‘{print $6}’`” [email protected]

Save and exit.

Set an SSH Legal Message

To an SSH legal message, SSH into server and login as root.

At command prompt type: pico /etc/motd

Enter your message, save and exit.

Note: I use the following message…
Code:

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.

This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.

Now everytime someone logs in, they will see this message… go ahead a try it.

Disable Shell Accounts

To disable any shell accounts hosted on your server SSH into server and login as root.

At command prompt type: locate shell.php

Also check for:

locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts

Note: There will be several listings that will be OS/CPanel related. Examples are

/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/local/cpanel/etc/sym/bnc.sym
/usr/local/cpanel/etc/sym/psyBNC.sym
/usr/local/cpanel/etc/sym/ptlink.sym
/usr/lib/libncurses.so
/usr/lib/libncurses.a
etc.

Disable identification output for Apache

To disable the version output for proftp, SSH into server and login as root.

At command prompt type: pico /etc/httpd/conf/httpd.conf

Scroll (way) down and change the following line to

ServerSignature Off

Restart Apache

At command prompt type: /etc/rc.d/init.d/httpd restart

These are applications that will help to secure your server.

Install chkrootkit

To install chrootkit, SSH into server and login as root.

At command prompt type: cd /root/

At command prompt type: wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

At command prompt type: tar xvzf chkrootkit.tar.gz

At command prompt type: cd chkrootkit-0.44

At command prompt type: make sense

To run chkrootkit

At command prompt type: /root/chkrootkit-0.44/chkrootkit

Make sure you run it on a regular basis, perhaps including it in a cron job.

cPanel : UPCP error : Undefined subroutine &Cpanel::Update::automatic_updates_enabled called at /scripts/upcp line 273.

I have seen recent cPanel upgrade throwing errors are below :

root@server [~]# /scripts/upcp
/scripts/upcp syntax OK
Running Futex Check/Fix……Done
Undefined subroutine &Cpanel::Update::automatic_updates_enabled called at /scripts/upcp line 273.

This can be fixed using below :

wget -O /root/updatenow.static http://httpupdate.cpanel.net/cpanelsync/RELEASE/scripts/updatenow.static && perl /root/updatenow.static --manual

Upgrade the cPanel :

/scripts/upcp --force

This should fix the issue 🙂

Exim Remote Memory Corruption Vulnerability Notification (CVE-2010-4344)

Summary

A memory corruption vulnerability exists in Exim versions 4.69 and older (CVE-2010-4344). Exim is the mail transfer agent used by cPanel & WHM.

Security Rating

This update has been rated as Important by the cPanel Security team.

Description

A memory corruption vulnerability has been discovered in Exim. This vulnerability may lead to arbitrary code execution with the privileges of the user executing the Exim daemon. cPanel previously released RPMs that mitigated the severity of the vulnerability on December 9, 2010 (CVE-2010-4345). This notification is for the release of new RPMs which remove the remote memory corruption vulnerability in its entirety. The vulnerability relies upon “rejected_header” being enabled (default setting) in the log_selector configuration.

Solution

To resolve and work around the issue on Linux systems, cPanel has issued new Exim RPMs. Server Owners are strongly urged to upgrade to the following Exim RPM versions:

Systems configured to use Maildir: Exim 4.69-26

Systems configured to use mbox (deprecated): Exim 4.63-5

Exim RPMs will be distributed through cPanel’s package management system. All cPanel & WHM servers receiving updates automatically will receive the updated Exim RPM during normal update and maintenance operations (upcp). To begin an Exim update on cPanel systems immediately, run the following command as root:

/scripts/eximup

FreeBSD systems should be running Exim 4.72 by default, which is not affected by this issue.

FAQ

This notification covers CVE-2010-4344.

The notification release earlier on December 10, 2010 with the summary “A privilege escalation vulnerability exists in Exim, the mail transfer agent used by cPanel & WHM.” covers CVE-2010-4345. At the time of the earlier announcement, the CVE had not been assigned.

Source

CPU/MySQL Usage is blank in WHM

“CPU/Memory/MySQL Usage” page blank

This is a common error across all cPanel releases. The most likely cause of this issue is related to the utility that actually generates the statistics. When cPanel is installed, several entries are added into crontab for the root user. The following is a list of the default crontab entries from a freshly installed cPanel server:

root@testbox [/etc/cron.hourly]# crontab -l | grep dcpumon

*/5 * * * * /usr/local/cpanel/bin/dcpumon >/dev/null 2>&1

root@testbox [/etc/cron.hourly]#

The dcpumon is the daemon that actually compiles the logs for the Usage page. If your Usage page is blank, it is normally because this utility is not running on the schedule that it is supposed to. The above crontab entry for dcpumon is set to run every five minutes, every hour.

Solution:
The most common resolution for this issue is to restart crond:

root@testbox [~]# /etc/init.d/crond restart
Stopping crond:[OK]
Starting crond:[OK]
root@testbox [~]#

The restart of cron should force all crontab entries to be processed normally again. If after this you are still not seeing statistics on the Usage page, you should force a cpanel update from command line with “/scripts/upcp –force”. This should download and install a new copy of the dcpumon binary.