

Topics - ejsolutions

1
Information / CWP Outbound Packets
« on: April 09, 2020, 12:06:12 PM »
Guys, what's going on here?
I first spotted this issue on a NAT VPS but have since seen similar activity on other VPS' with dedicated IPs. On the NAT one the packets were sourced from root, cwpsrv and amavis.
Why are systems attempting to contact cloudmark/proofpoint via a dedicated port?

Quote
Apr  5 15:43:18 cwp kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=10.0.0.130 DST=208.83.139.205 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26965 DF PROTO=TCP SPT=50278 DPT=2703 WINDOW=29200 RES=0x00 SYN URGP=0 UID=0 GID=0
Apr  5 15:43:19 cwp kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=10.0.0.130 DST=208.83.139.205 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26966 DF PROTO=TCP SPT=50278 DPT=2703 WINDOW=29200 RES=0x00 SYN URGP=0 UID=0 GID=0
Apr  5 15:43:42 cwp kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=10.0.0.130 DST=208.83.137.117 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6618 DF PROTO=TCP SPT=60906 DPT=2703 WINDOW=29200 RES=0x00 SYN URGP=0 UID=990 GID=986
Apr  5 15:43:43 cwp kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=10.0.0.130 DST=208.83.137.117 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6619 DF PROTO=TCP SPT=60906 DPT=2703 WINDOW=29200 RES=0x00 SYN URGP=0 UID=990 GID=986
Apr  5 15:43:43 cwp kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=10.0.0.130 DST=208.83.139.205 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31254 DF PROTO=TCP SPT=50282 DPT=2703 WINDOW=29200 RES=0x00 SYN URGP=0 UID=990 GID=986
Apr  5 15:43:44 cwp kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=10.0.0.130 DST=208.83.139.205 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31255 DF PROTO=TCP SPT=50282 DPT=2703 WINDOW=29200 RES=0x00 SYN URGP=0 UID=990 GID=986

Quote
[root@ny ~]# grep "TCP_OUT Blocked" /var/log/messages
Apr  5 10:43:00 ny kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=23.94.xxx.xxx DST=208.83.139.205 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57075 DF PROTO=TCP SPT=35026 DPT=2703 WINDOW=29200 RES=0x00 SYN URGP=0 UID=0 GID=0
Apr  5 10:43:01 ny kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=23.94.xxx.xxx DST=208.83.139.205 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57076 DF PROTO=TCP SPT=35026 DPT=2703 WINDOW=29200 RES=0x00 SYN URGP=0 UID=0 GID=0
Apr  5 10:43:01 ny kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=23.94.xxx.xxx DST=208.83.137.118 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1495 DF PROTO=TCP SPT=55922 DPT=2703 WINDOW=29200 RES=0x00 SYN URGP=0 UID=0 GID=0
Apr  5 10:43:02 ny kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=23.94.xxx.xxx DST=208.83.137.118 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1496 DF PROTO=TCP SPT=55922 DPT=2703 WINDOW=29200 RES=0x00 SYN URGP=0 UID=0 GID=0

Does appear to be amavis-related, and I'm very concerned that it runs under root privileges in some cases - on another server..
Quote
Apr  9 06:09:45 au kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=103.108.xxx.xxx DST=208.83.137.118 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=28676 DF PROTO=TCP SPT=50150 DPT=2703 WINDOW=29200 RES=0x00 SYN URGP=0 UID=0 GID=0
Apr  9 17:01:06 au kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=103.108.xxx.xxx DST=208.83.137.117 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57123 DF PROTO=TCP SPT=56586 DPT=2703 WINDOW=29200 RES=0x00 SYN URGP=0 UID=990 GID=986

[root@au ~]# grep 986 /etc/group
amavis:x:986:clamscan


Is this a known (stealth) activity?
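
The blocked destination port in every line above is TCP 2703, the port used by Vipul's Razor, the spam-signature service (now operated by Cloudmark, a Proofpoint company) that SpamAssassin's Razor2 plugin queries when amavis scans mail. As an added triage example that is not part of the post, the Python below parses CSF's *TCP_OUT Blocked* kernel lines, resolves UID/GID through constructed /etc/passwd and /etc/group excerpts (the amavis group line is the one from the post), and groups attempts by destination, port and owner so expected service lookups can be separated from anything that deserves a closer look. The fourth log line, the amavis uid of 990 and the apache entries are constructed.

```python
import re
from collections import Counter

# Constructed input: three CSF "*TCP_OUT Blocked*" lines from the post plus one made-up line
# (UID 48, port 6667, documentation-range IP) standing in for an attempt that needs a look.
LOG = """\
Apr  5 15:43:18 cwp kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=10.0.0.130 DST=208.83.139.205 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26965 DF PROTO=TCP SPT=50278 DPT=2703 WINDOW=29200 RES=0x00 SYN URGP=0 UID=0 GID=0
Apr  5 15:43:42 cwp kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=10.0.0.130 DST=208.83.137.117 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6618 DF PROTO=TCP SPT=60906 DPT=2703 WINDOW=29200 RES=0x00 SYN URGP=0 UID=990 GID=986
Apr  5 15:43:43 cwp kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=10.0.0.130 DST=208.83.139.205 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31254 DF PROTO=TCP SPT=50282 DPT=2703 WINDOW=29200 RES=0x00 SYN URGP=0 UID=990 GID=986
Apr  5 15:50:01 cwp kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=10.0.0.130 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=100 DF PROTO=TCP SPT=40000 DPT=6667 WINDOW=29200 RES=0x00 SYN URGP=0 UID=48 GID=48
"""
# Constructed /etc/passwd and /etc/group excerpts; the amavis group line is the one in the post.
PASSWD = "root:x:0:0:root:/root:/bin/bash\namavis:x:990:986::/var/spool/amavis:/sbin/nologin\napache:x:48:48::/usr/share/httpd:/sbin/nologin\n"
GROUP = "root:x:0:\namavis:x:986:clamscan\napache:x:48:\n"
# Ports whose blocked SYNs are expected from a mail scanner; anything else is flagged for review.
KNOWN_PORTS = {"2703": "razor (SpamAssassin Razor2 signature lookup)"}
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def id_to_name(table_text):
    """Map numeric id -> name from passwd/group style 'name:x:id:...' lines."""
    return {cols[2]: cols[0] for cols in (ln.split(":") for ln in table_text.splitlines() if ln)}

def parse_blocked(line):
    """Return the key=value fields of one '*TCP_OUT Blocked*' kernel line, else None."""
    return dict(FIELD_RE.findall(line)) if "*TCP_OUT Blocked*" in line else None

def triage(log_text, passwd_text=PASSWD, group_text=GROUP):
    """Count blocked outbound SYNs per destination, port and owning user:group, with a label."""
    users, groups = id_to_name(passwd_text), id_to_name(group_text)
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_blocked(line)
        if not f or f.get("PROTO") != "TCP":
            continue
        who = users.get(f["UID"], "uid" + f["UID"]) + ":" + groups.get(f["GID"], "gid" + f["GID"])
        counts[(f["DST"], f["DPT"], who)] += 1
    return [(dst, dpt, who, n, KNOWN_PORTS.get(dpt, "review"))
            for (dst, dpt, who), n in sorted(counts.items())]

if __name__ == "__main__":
    for dst, dpt, who, n, label in triage(LOG):
        print(f"{n:3d}  {dst}:{dpt:<5} {who:<16} {label}")
```

Run against the real file with `triage(open("/var/log/messages").read())`; the root-owned 2703 attempts still show up as separate rows, so the "which process runs as root" question stays visible rather than being folded into the amavis ones.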

2
E-Mail / 25: Connection Refused
« on: April 02, 2020, 12:45:57 PM »
An update to thread http://forum.centos-webpanel.com/index.php?topic=8489, seeing as it has been locked.  :-\

My previous quote:
Quote
Alternatively, if your installation has the official Configserver Firewall GUI..  ::)
Go to Firewall Configuration..
SMTP_ALLOWGROUP = mail,exim,postfix,dovecot
(not all will be required)
It is sufficient to just have..
Quote
SMTP_ALLOWGROUP = mail,postfix
.. assuming you don't use mailman (you shouldn't!) and you're looking to allow CWP server messages to be sent.

3
CentOS-WebPanel Bugs / [BUG] Installation: perl(DBD::mysql)
« on: March 29, 2020, 10:39:19 AM »
A long-standing omission this one:
Code:
error: Failed dependencies:
        perl(DBD::mysql) >= 1.0 is needed by percona-toolkit-2.2.16-1.noarch
Easy to resolve post installation but should be addressed.
Code:
yum install perl-DBD-MySQL

4
CentOS-WebPanel GUI / [REQUEST] Reinstate CSF OFFICIAL GUI
« on: March 28, 2020, 12:17:22 PM »
As title says, the official GUI is much more useful than the two custom ones supplied with CWP.
You are doing your users a disservice to have removed this vital piece of server security!
The structured GUI firewall configuration guides users through the settings, rather than forcing them to revert to the command line to read the CSF documentation.
The preferred option is to reinstate this module and remove the existing custom ones, to save confusion. Perhaps just leave a very minimal custom one to, for example, enable/disable and flush rules.

Thankfully, I have managed to copy across the relevant files from an existing VPS, to a newly installed one. It helps to keep my productivity high and reduce the chance of typos. ;)

5
CentOS-WebPanel Bugs / Editor Wrecks Modsecurity Configuration
« on: March 27, 2020, 01:32:06 PM »
I was trying to add the SecStatusEngine option, using the GUI Configuration Files: Main Configuration.
It appeared to Save OK. Restarted Apache and it failed.
Upon re-opening the Main Configuration:
Code:
LoadFile /usr/lib64/libxml2.so
            LoadFile /usr/lib64/liblua-5.1.so
           
            <IfModule !unique_id_module>
              LoadModule unique_id_module modules/mod_unique_id.so
            </IfModule>
           
            <IfModule !mod_security2.c>
              LoadModule security2_module  modules/mod_security2.so
            </IfModule>

Not good!  :(
Fortunately, this is on CWP Pro and I don't (yet) have custom rules set. I switched to old OWASP rules, then back. This reset the configuration.

6
Backup / Custom Backup
« on: March 15, 2020, 03:12:38 PM »
Run this as a nightly cron task, calling it for example custom-backup.sh
  • Ensure that you have /backup/custom and /home/tmp_bak directories (change to suit).
  • Adjust the retention value to suit.
  • Optional: create a /home/username/backup_exclude.conf to ignore cache, tmp etc. Just list each on a different line.
Caveats: currently untested for mail forwarders or subdomains.

This will create local backups only which you can then FTP/rsync (whatever) to a remote location, with a different cron task running, say an hour later.
Backups are stored in three directories: home_dir, mysql and vmail - this way you can restore only a portion of a backup if needs be. Just unzip/untar to a temporary location and grab the files that you need.

Code:
#!/usr/bin/bash
# Nightly per-account backup: home directory, databases and mail, one archive per account.
tmp_dir=/home/tmp_bak/
backup_dir=/backup/custom/
retention=2   # days; older archives in backup_dir are removed
# -------------------
# Iterate over the CWP accounts that have backups enabled.
mysql root_cwp -B -N -s -e "SELECT username,domain FROM user WHERE backup='on'" | while read -r username domain
do

echo "Custom backup task starting for $username at $domain"
mkdir -p "${tmp_dir}${username}/home_dir"
echo "Copying home directory"
ionice -c 3 nice -n +19 rsync -a "/home/${username}/" "${tmp_dir}${username}/home_dir"
echo "Backing up databases"
mkdir -p "${tmp_dir}${username}/mysql/"
# Databases belonging to the account are those whose name starts with the username.
mysql --defaults-extra-file=/root/.my.cnf -B -N -e "SHOW DATABASES LIKE '${username}%';" | while read -r databasename
 do
     echo "Dumping $databasename"
     # Append (>>) so errors from every dump are kept, not only the last database's.
     mysqldump --defaults-extra-file=/root/.my.cnf "$databasename" > "${tmp_dir}${username}/mysql/${databasename}.sql" \
               2>> "${tmp_dir}${username}/mysql/errors.txt"
 done
if [ -d "/var/vmail/${domain}" ]; then
 mkdir -p "${tmp_dir}${username}/vmail/"
 echo "Copying email"
 ionice -c 3 nice -n +19 cp -fR "/var/vmail/${domain}" "${tmp_dir}${username}/vmail/"
fi
echo "Consolidating files"
# Optional per-account exclude list (one pattern per line), e.g. cache and tmp directories.
if [ -f "/home/${username}/backup_exclude.conf" ]; then
 ionice -c 3 nice -n +19 tar -cjf "${tmp_dir}${username}.tar.bz2" --exclude-from="/home/${username}/backup_exclude.conf" "${tmp_dir}${username}"
else
 ionice -c 3 nice -n +19 tar -cjf "${tmp_dir}${username}.tar.bz2" "${tmp_dir}${username}"
fi
mv "${tmp_dir}${username}.tar.bz2" "${backup_dir}${username}-$(date +"%Y%m%d%H%M").tar.bz2"
echo "Cleaning up"
# Remove archives older than the retention period, then the staging copy.
/usr/bin/find "${backup_dir}" -name "*.bz2" -mtime +"${retention}" -delete > /dev/null 2>&1
rm -Rf "${tmp_dir}${username}"

done
echo "Custom Backup Job Finished"


Use at your own risk!
I currently use this to supplement the CWP (new) backup function.

7
CentOS-WebPanel Bugs / Nameservers Coding
« on: March 09, 2020, 12:16:20 AM »
MINOR BUG

I have looked at the CWP database and notice that there is a table for nameservers.
I've added a further column pair for a third nameserver.
It appears that both the entry and display of nameservers, in the GUI, is hardcoded for only 2 entries. This should really be extendable.

Also, if you intend to restrict the use of nameservers to IPv4, then VARCHAR(15) will suffice, rather than the current VARCHAR(50). Unless, of course, you have future plans to allow IPv6.

8
CentOS-WebPanel GUI / [Suggestion] Nameservers
« on: February 23, 2020, 02:33:16 PM »
Allow four (preferably configurable for more) nameservers to be specified/displayed in the GUI.
The RFC recommends that a minimum of two, and up to six, be used.

9
Installation / [Suggestion] Installation Instructions
« on: February 23, 2020, 01:55:17 PM »
On page http://centos-webpanel.com/cwp-configuration
Quote
Setup root email
There is no indication of how to do this.  :o
(No article in the wiki either.)
Email, Email Accounts can't be used, as it's tied to user/admin accounts.

10
Other / Locked out of replying to threads?
« on: February 21, 2020, 04:38:08 PM »
Is it just me? If so, maybe just as well, with all the nonsense going on.  ::)
One recent reply has nothing to do with the topic nor points made, for example.

Hey, I can reply to Keto spam though - yippee!

11
Updates / CWP version: 0.9.8.939
« on: February 17, 2020, 07:27:49 PM »
Anyone know the secret of what's been changed?
 ???

This error hasn't been modified:
Quote
Execution Schedule
Daily Backup Retention | Weekly Backup Retention |Monthly Backup Retention
Retention is not the same as schedule.
Should read..
Quote
Execution Schedule
Daily Backup | Weekly Backup | Monthly Backup
Daily Retention | Weekly Retention | Monthly Retention
Where there is a numeric entry box for each of the above retentions; example 7 days, 4 weeks, 6 months
[Supplied free of charge from a former specialist in enterprise backups, amongst other things]

12
I can build it / Apache Status - Accesses
« on: February 15, 2020, 02:10:42 PM »
Following my feature request, I have now integrated it in CWP, so for the benefit of others..

1. Create /usr/local/cwpsrv/htdocs/resources/admin/modules/apache_status.php with the following contents (I use vi but you may prefer nano or File Manager)
Code:
<?php
// Pull the per-request lines out of apachectl fullstatus, drop the status page's own
// requests and trailing whitespace, and keep the selected columns.
$apache_status = shell_exec("/usr/local/apache/bin/apachectl fullstatus | grep \"GET\" | grep -v \"server-status\" | sed 's/[[:space:]]*$//' | cut -d\" \" -f\"5,14-\" ");
echo "<h3>Apache Status - Accesses</h3>";
// Request paths come from remote clients, so escape them before embedding them in the admin page.
echo "<pre>" . htmlspecialchars((string) $apache_status, ENT_QUOTES, 'UTF-8') . "</pre>";
?>



2. Append (add to the end) the following to /usr/local/cwpsrv/htdocs/resources/admin/include/3rdparty.php
Code:
<li><a href="index.php?module=apache_status"><span class="icon16 icomoon-icon-arrow-right-3"></span>Apache Status - Accesses</a></li>

3. Refresh your CWP admin screen.

13
Suggestions / [Feature Request] Apachectl FullStatus
« on: February 15, 2020, 12:13:52 PM »
Please consider adding the above, similar to what is available in WHM. The current "httpd_fullstatus" although useful, is really a replication of what is shown in "apache_builder" plus the currently running processes.
It should be very easy for you to implement:

Code:
/usr/local/apache/bin/apachectl fullstatus | grep GET | grep -v server-status  | sed 's/[[:space:]]*$//'

Add to the rather misnamed "Service SSH"?

Try running the above on an active server, in ssh, to see the usefulness. :-)

14
CentOS-WebPanel GUI / Caution: CWP Default ModSecurity Holes
« on: February 10, 2020, 11:34:06 AM »
I've been setting up a new server and needed to add a few modsec exceptions for an oscommerce derivative..
I've only just discovered that CWP, in their wisdom have decided to disable quite a few modsec rules by default.
Code:
########################################
## Removed Rules for Joomla, WordPress and Drupal CMSs ##
########################################
## Joomla ##
SecRuleRemoveById 960024
SecRuleRemoveById 950120
SecRuleRemoveById 981173
SecRuleRemoveById 950901
SecRuleRemoveById 981257
SecRuleRemoveById 981245
SecRuleRemoveById 973338
SecRuleRemoveById 973300
SecRuleRemoveById 973304
SecRuleRemoveById 973333
SecRuleRemoveById 973333
## Wordpress ##
SecRuleRemoveById 981242
SecRuleRemoveById 981246
SecRuleRemoveById 981243
SecRuleRemoveById 959073
SecRuleRemoveById 958030
## Drupal ##
SecRuleRemoveById 981231
## Removed rules for the webftp_simple ##
SecRuleRemoveById 950922
SecRuleRemoveById 981000
SecRuleRemoveById 950109

These should NOT be disabled by default, as not everyone installs all these applications.  :o You are defeating the principal purpose of modsec!
If you must, then why not include a couple of /scripts to install these exceptions, should the need arise?
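
As an added example (not CWP's own code or configuration), the Python below audits a ModSecurity include for SecRuleRemoveById lines that sit outside any path or host container and therefore disable the rule for every site, versus removals scoped inside <Location>, <LocationMatch> or similar; the constructed input takes rule ids from the file quoted above and assumes the wp-admin and webftp_simple paths. A removal listed twice, like 973333 in the quoted file, shows up as two line numbers for one id.

```python
import re

# Constructed input: ids from the CWP file quoted above, applied globally as CWP does, followed
# by two assumed path-scoped blocks showing the narrower alternative (paths are assumptions).
MODSEC_CONF = """\
## Joomla ##
SecRuleRemoveById 960024
SecRuleRemoveById 973333
SecRuleRemoveById 973333
SecRuleRemoveById 981242 981246
<LocationMatch "^/wp-admin/">
    SecRuleRemoveById 959073 958030
</LocationMatch>
<IfModule security2_module>
  <Location "/webftp_simple/">
    SecRuleRemoveById "950109-950122"
  </Location>
</IfModule>
"""

# Only path/host containers narrow a removal; <IfModule> does not, so it is ignored here.
PATH_OPEN = re.compile(r"^\s*<(LocationMatch|Location|DirectoryMatch|Directory|FilesMatch|Files|VirtualHost)\s*(.*?)>\s*$", re.I)
PATH_CLOSE = re.compile(r"^\s*</(LocationMatch|Location|DirectoryMatch|Directory|FilesMatch|Files|VirtualHost)>\s*$", re.I)
REMOVE = re.compile(r"^\s*SecRuleRemoveById\s+(.+?)\s*$", re.I)

def expand_ids(spec):
    """Expand SecRuleRemoveById arguments: bare ids and quoted "lo-hi" ranges."""
    ids = []
    for tok in spec.replace('"', "").split():
        lo, _, hi = tok.partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids

def audit_removals(conf_text):
    """Return (global_ids: id -> line numbers removing it everywhere, scoped: container -> ids)."""
    stack, global_ids, scoped = [], {}, {}
    for no, line in enumerate(conf_text.splitlines(), 1):
        if (m := PATH_OPEN.match(line)):
            stack.append(f"<{m.group(1)} {m.group(2)}>")
        elif PATH_CLOSE.match(line) and stack:
            stack.pop()
        elif (m := REMOVE.match(line)):
            for rid in expand_ids(m.group(1)):
                if stack:
                    scoped.setdefault(stack[-1], set()).add(rid)
                else:
                    global_ids.setdefault(rid, []).append(no)
    return global_ids, {k: sorted(v) for k, v in scoped.items()}
```

Point it at the real include with `audit_removals(open(path).read())`; every id in the first result is a rule no site on the server gets, which is the list to argue about.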

15
Addons / Sitepad Removal
« on: January 24, 2020, 12:24:01 AM »
OK, now that there's a script installer for a trial licence of Sitepad (waste of time/effort, IMO).
What's the point of a GUI installer when there's no means to remove the software?
Other than a manual deletion of all files with sitepad directories, what else needs to be done, rather than a complete re-install?
 >:(

Like Softaculous and (horrible) netdata, there should be removal facilities in /scripts, if not in the GUI.
It really isn't that much to ask for.
