Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - hanliong

Pages: [1] 2
1
CentOS 7 Problems / You need a CWPPRO license to use this module
« on: August 02, 2021, 07:07:19 AM »
I have used CWP for years. Today I face the strange think. I have bought CWP Pro license. When I go to admin panel, it is written CWP7Pro. But when I login to user panel to change the PHP Selector, it is unable. it show: You need a CWPPRO license to use this module
I have tried to run sh /scripts/update_cwp and /etc/cron.daily/cwp, but the issue still happen.

How can it happen? Admin Panel said: CWP7Pro, but user panel said: Not Pro?

2
FTP / Re: Enabling FTPs or FPTes
« on: June 19, 2021, 02:34:55 AM »
post the contents of your pure-ftpd.conf
Dear Joseph,

here it is all content of my pure-ftpd.conf

Code: [Select]
############################################################
#                                                          #
#             Configuration file for pure-ftpd             #
#                                                          #
############################################################

# If you want to run Pure-FTPd with this configuration
# instead of command-line options, please run the
# following command :
#
# /usr/sbin/pure-ftpd /etc/pure-ftpd/pure-ftpd.conf
#
# Online documentation:
# https://www.pureftpd.org/project/pure-ftpd/doc


# Restrict users to their home directory

ChrootEveryone               yes



# If the previous option is set to "no", members of the following group
# won't be restricted. Others will be. If you don't want chroot()ing anyone,
# just comment out ChrootEveryone and TrustedGID.

# TrustedGID                   100



# Turn on compatibility hacks for broken clients

BrokenClientsCompatibility   no



# Maximum number of simultaneous users

MaxClientsNumber             50



# Run as a background process

Daemonize                    yes



# Maximum number of simultaneous clients with the same IP address

MaxClientsPerIP              8



# If you want to log all client commands, set this to "yes".
# This directive can be specified twice to also log server responses.

VerboseLog                   no



# List dot-files even when the client doesn't send "-a".

DisplayDotFiles              yes



# Disallow authenticated users - Act only as a public FTP server.

AnonymousOnly                no



# Disallow anonymous connections. Only accept authenticated users.

NoAnonymous                  no



# Syslog facility (auth, authpriv, daemon, ftp, security, user, local*)
# The default facility is "ftp". "none" disables logging.

SyslogFacility               ftp



# Display fortune cookies

# FortunesFile                 /usr/share/fortune/zippy



# Don't resolve host names in log files. Recommended unless you trust
# reverse host names, and don't care about DNS resolution being possibly slow.

DontResolve                  yes



# Maximum idle time in minutes (default = 15 minutes)

MaxIdleTime                  15



# LDAP configuration file (see README.LDAP)

# LDAPConfigFile                /etc/pure-ftpd/pureftpd-ldap.conf



# MySQL configuration file (see README.MySQL)

# MySQLConfigFile               /etc/pure-ftpd/pureftpd-mysql.conf


# PostgreSQL configuration file (see README.PGSQL)

# PGSQLConfigFile               /etc/pure-ftpd/pureftpd-pgsql.conf


# PureDB user database (see README.Virtual-Users)

PureDB /etc/pure-ftpd/pureftpd.pdb


# Path to pure-authd socket (see README.Authentication-Modules)

# ExtAuth                       /var/run/ftpd.sock



# If you want to enable PAM authentication, uncomment the following line

PAMAuthentication    yes



# If you want simple Unix (/etc/passwd) authentication, uncomment this

UnixAuthentication       yes



# Please note that LDAPConfigFile, MySQLConfigFile, PAMAuthentication and
# UnixAuthentication can be used specified once, but can be combined
# together. For instance, if you use MySQLConfigFile, then UnixAuthentication,
# the SQL server will be used first. If the SQL authentication fails because the
# user wasn't found, a new attempt will be done using system authentication.
# If the SQL authentication fails because the password didn't match, the
# authentication chain stops here. Authentication methods are chained in
# the order they are given.



# 'ls' recursion limits. The first argument is the maximum number of
# files to be displayed. The second one is the max subdirectories depth.

LimitRecursion               10000 8



# Are anonymous users allowed to create new directories?

AnonymousCanCreateDirs       no



# If the system load is greater than the given value, anonymous users
# aren't allowed to download.

MaxLoad                      4



# Port range for passive connections - keep it as broad as possible.

# PassivePortRange             30000 50000



# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# Symbolic host names are also accepted for gateways with dynamic IP
# addresses.

# ForcePassiveIP               192.168.0.1



# Upload/download ratio for anonymous users.

# AnonymousRatio               1 10



# Upload/download ratio for all users.
# This directive supersedes the previous one.

# UserRatio                    1 10



# Disallow downloads of files owned by the "ftp" system user;
# files that were uploaded but not validated by a local admin.

AntiWarez                    yes



# IP address/port to listen to (default=all IP addresses, port 21).

# Bind                         127.0.0.1,21



# Maximum bandwidth for anonymous users in KB/s

# AnonymousBandwidth           8



# Maximum bandwidth for *all* users (including anonymous) in KB/s
# Use AnonymousBandwidth *or* UserBandwidth, not both.

# UserBandwidth                8



# File creation mask. <umask for files>:<umask for dirs> .
# 177:077 if you feel paranoid.

Umask                        133:022



# Minimum UID for an authenticated user to log in.
# For example, a value of 100 prevents all users whose user id is below
# 100 from logging in. If you want "root" to be able to log in, use 0.

MinUID                      1000



# Do not use the /etc/ftpusers file to disable accounts. We're already
# using MinUID to block users with uid < 1000

UseFtpUsers no



# Allow FXP transfers for authenticated users.

AllowUserFXP                 no



# Allow anonymous FXP for anonymous and non-anonymous users.

AllowAnonymousFXP            no



# Users can't delete/write files starting with a dot ('.')
# even if they own them. But if TrustedGID is enabled, that group
# will exceptionally have access to dot-files.

ProhibitDotFilesWrite        no



# Prohibit *reading* of files starting with a dot (.history, .ssh...)

ProhibitDotFilesRead         no



# Don't overwrite files. When a file whose name already exist is uploaded,
# it gets automatically renamed to file.1, file.2, file.3, ...

AutoRename                   no



# Prevent anonymous users from uploading new files (no = upload is allowed)

AnonymousCantUpload         yes



# Only connections to this specific IP address are allowed to be
# non-anonymous. You can use this directive to open several public IPs for
# anonymous FTP, and keep a private firewalled IP for remote administration.
# You can also only allow a non-routable local IP (such as 10.x.x.x) for
# authenticated users, and run a public anon-only FTP server on another IP.

# TrustedIP                    10.1.1.1



# To add the PID to log entries, uncomment the following line.

# LogPID                       yes



# Create an additional log file with transfers logged in a Apache-like format :
# fw.c9x.org - jedi [13/Apr/2017:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338
# This log file can then be processed by common HTTP traffic analyzers.

AltLog                     clf:/var/log/pureftpd.log



# Create an additional log file with transfers logged in a format optimized
# for statistic reports.

# AltLog                     stats:/var/log/pureftpd.log



# Create an additional log file with transfers logged in the standard W3C
# format (compatible with many HTTP log analyzers)

# AltLog                     w3c:/var/log/pureftpd.log



# Disallow the CHMOD command. Users cannot change perms of their own files.

# NoChmod                      yes



# Allow users to resume/upload files, but *NOT* to delete them.

# KeepAllFiles                 yes



# Automatically create home directories if they are missing

# CreateHomeDir                yes



# Enable virtual quotas. The first value is the max number of files.
# The second value is the maximum size, in megabytes.
# So 1000:10 limits every user to 1000 files and 10 MB.

# Quota                        1000:10



# If your pure-ftpd has been compiled with standalone support, you can change
# the location of the pid file. The default is /var/run/pure-ftpd.pid

#PIDFile                     /var/run/pure-ftpd.pid



# If your pure-ftpd has been compiled with pure-uploadscript support,
# this will make pure-ftpd write info about new uploads to
# /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and
# spawn a script to handle the upload.
# Don't enable this option if you don't actually use pure-uploadscript.

# CallUploadScript             yes



# This option is useful on servers where anonymous upload is
# allowed. When the partition is more that percententage full,
# new uploads are disallowed.

MaxDiskUsage                   99



# Set to 'yes' to prevent users from renaming files.

# NoRename                     yes



# Be 'customer proof': forbids common customer mistakes such as
# 'chmod 0 public_html', that are valid, but can cause customers to
# unintentionally shoot themselves in the foot.

CustomerProof                yes



# Per-user concurrency limits. Will only work if the FTP server has
# been compiled with --with-peruserlimits.
# Format is: <max sessions per user>:<max anonymous sessions>
# For example, 3:20 means that an authenticated user can have up to 3 active
# sessions, and that up to 20 anonymous sessions are allowed.

# PerUserLimits                3:20



# When a file is uploaded and there was already a previous version of the file
# with the same name, the old file will neither get removed nor truncated.
# The file will be stored under a temporary name and once the upload is
# complete, it will be atomically renamed. For example, when a large PHP
# script is being uploaded, the web server will keep serving the old version and
# later switch to the new one as soon as the full file will have been
# transferred. This option is incompatible with virtual quotas.

# NoTruncate                   yes



# This option accepts three values:
# 0: disable SSL/TLS encryption layer (default).
# 1: accept both cleartext and encrypted sessions.
# 2: refuse connections that don't use the TLS security mechanism,
#    including anonymous sessions.
# Do _not_ uncomment this blindly. Double check that:
# 1) The server has been compiled with TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

# TLS                          1


# Cipher suite for TLS sessions.
# The default suite is secure and setting this property is usually
# only required to *lower* the security to cope with legacy clients.
# Prefix with -C: in order to require valid client certificates.
# If -C: is used, make sure that clients' public keys are present on
# the server.

# TLSCipherSuite               HIGH



# Certificate file, for TLS

# CertFile                     /etc/ssl/private/pure-ftpd.pem



# Listen only to IPv4 addresses in standalone mode (ie. disable IPv6)
# By default, both IPv4 and IPv6 are enabled.

# IPV4Only                     yes



# Listen only to IPv6 addresses in standalone mode (i.e. disable IPv4)
# By default, both IPv4 and IPv6 are enabled.

# IPV6Only                     yes



# UTF-8 support for file names (RFC 2640)
# Set the charset of the server filesystem and optionally the default charset
# for remote clients that don't use UTF-8.
# Works only if pure-ftpd has been compiled with --with-rfc2640

# FileSystemCharset                big5
# ClientCharset                    big5
TLS 1
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3
CertFile /etc/pki/tls/private/hostname.pem

Thanks.

3
FTP / Re: Error when enable jailkit to a user
« on: June 18, 2021, 05:01:12 AM »
After reviewing for days, I can figure out to fix the symlink of /home/[user] to /home/jail/[user]/home/[user] in cse jailkit failed to be enabled for a user.

Everytime we enable jailkit for a user, it will add a new line in
Code: [Select]
/etc/fstab/the new line is like this
Code: [Select]
/home/[user_cwp] /home/jail/[user_cwp]/home/[user_cwp] none bind,nobootwait 0 0
And it also automatically create file
Code: [Select]
/run/systemd/generator/home-jail-[user_cwp]-home-[user_cwp].mount
/run/systemd/generator/local-fs.target.requires/home-jail-[user_cwp]-home-[user_cwp].mount that symlink to /run/systemd/generator/home-jail-[user_cwp]-home-[user_cwp].mount

It causes we cant remove /home/jail/user when we do not use jailkit anymore. And everytime we reboot the server, the /home/jail/user will be created automatically.

So, to fix this issue, just follow this step
Code: [Select]
rm -rf /run/systemd/generator/home-jail-[user_cwp]-home-[user_cwp].mount
rm /run/systemd/generator/local-fs.target.requires/home-jail-[user_cwp]-home-[user_cwp].mount to remove the symlink
vi /etc/fstab
add comment (#) before /home/[user_cwp] /home/jail/[user_cwp]/home/[user_cwp] none bind,nobootwait 0 0 or delete that line
reboot server

Now /hom/jail/[user] will not exist anymore.
Remember, it just in case jailkit error when enabling for a user. You do not need to do this if jailkit is enabled successfully. It it enabled successfully, it will remove the line at /etc/fstab/ and /home/jail/[used] when you disable jailkit for that user.

Hope it helps.


4
FTP / Re: Enabling FTPs or FPTes
« on: June 18, 2021, 04:23:26 AM »
Dear Joseph,

Thanks for your help.
I have checked my pure-ftpd.conf.
The line
Code: [Select]
CertFile                     /etc/ssl/private/pure-ftpd.pem
CertFileAndKey               "/etc/pure-ftpd.pem" "/etc/pure-ftpd.key"
is not same with mine.
My conf file contains:

Code: [Select]
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3
CertFile /etc/pki/tls/private/hostname.pem

There is no line:
Code: [Select]
CertFileAndKey               "/etc/pure-ftpd.pem" "/etc/pure-ftpd.key"
And these files do not exist in my vps:
Quote
/etc/ssl/private/pure-ftpd.pem
/etc/pure-ftpd.pem
/etc/pure-ftpd.key

What should I do? And should TLSCipherSuite need to be changed to TLS 1.2?

Thanks.

5
FTP / Re: Enabling FTPs or FPTes
« on: June 17, 2021, 05:00:58 AM »
Set this in
Code: [Select]
vsftpd.conf
Code: [Select]
ssl_enable=YES
# do not allow anonymous users to access ftp
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
# enable tlsv1 encryption
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# disallow ssl reuse
require_ssl_reuse=NO
ssl_ciphers=HIGH
rsa_cert_file=/etc/vsftpd.pem
rsa_private_key_file=/etc/vsftpd.pem
# port range for passive mode
pasv_max_port=65535
pasv_min_port=64000

Dear Joseph,

CWP uses pure-ftpd with the file location
Code: [Select]
/etc/pure-ftpd/pure-ftpd.conf
Is it same with vsftpd? and where is the config file of vsftp location?
Thanks.

6
FTP / Re: Enabling FTPs or FPTes
« on: June 16, 2021, 04:19:33 AM »
You need to create SSL certificate for TLS - something like
Code: [Select]
/etc/certs/pure-ftpd.pem or whatever you have defined as the existence of your cert in
Code: [Select]
/etc/pure-ftpd/pureftpd.conf
something like
Code: [Select]
CertFile   /etc/certs/pure-ftpd.pem

In the /etc/pure-ftpd/pure-ftpd.conf, the Cert file is CertFile /etc/pki/tls/private/hostname.pem
And that file is exist.
But what I should do next? I want to force my customer just login to FTPs or FTPes only, and disable plain FTP.

Which part of my pure-ftpd.conf that I have to modify?
Thanks.


7
FTP / Re: Error when enable jailkit to a user
« on: June 15, 2021, 08:28:33 AM »
I saw when selecting Jailkit In shell access at CWP Admin, there is a file careated name:
/run/systemd/generator/home-jail-[user_cwp]-home-[user_cwp].mount
It looks like mount the hard disk, so I checked at /etc/fstab, and I found this line
/home/[user_cwp] /home/jail/[user_cwp]/home/[user_cwp] none bind,nobootwait 0 0

It causes the /home/[user_cwp] has symlink to /home/jail/
So, how can I unmount this since I have disabled jailkit, because it was error when trying to use it.

Thanks.

8
FTP / Error when enable jailkit to a user
« on: June 15, 2021, 06:20:07 AM »
I tried to use jailkit for a user in CWP.
It create directory /home/jail/[user]/home/[user]
But after waiting for minutes, the page at CWP admin said: Error enabling jailkit.
I then switch to SFTP, and no problem.
But the problem is that I cant remove /home/jail/[user]
If I removed it, it automatically remove /home/[user] too. It looks like /home/[user] is symlinked to /home/jail[user]
If I remooved file inside /home/jail/[user], it removed the file inside /home/[user] too.

I tried to remove that symlink. But  I cant find it.
Even, I have uninstall jailkit, but still unable to remove /home/jail/ and the symlink still run.

How to fix it? where is the symlink configuration store?
Thanks.

9
FTP / Enabling FTPs or FPTes
« on: June 15, 2021, 02:51:05 AM »
I dont know which one is better. FTPs or FTPes. But as I know, it need TLS for the FTP.
I tried to follow the instruction at http://wiki.centos-webpanel.com/how-to-install-tls-for-ftp
It said it can use sh /scripts/install_pure-ftpd_tls if using Centos 7 and CWP version 0.9.8.757+. I used Centos 7 and latest CWP Pro version.
I run that sh command, it said it was installed successfully. But then what need to do? how can I know the FTPs and FTPes can be used?

I read the instruction above, it said to check:
/etc/pki/tls/private/hostname.key
/etc/pki/tls/certs/hostname.crt

I have /etc/pki/tls/certs/hostname.key at my vps, but I didnt see /etc/pki/tls/certs/hostname.crt.

So, how exactly enabling FTPs and FTPes?

Thanks.

10
FTP / Re: How to disable port 21 for plain FTP?
« on: June 14, 2021, 02:13:36 AM »
is that mean that whiteliisted IP can access all ports in server although the ports have been remove from CSF/LFD? I'm not sure about that.
I have whiteisted an IP at my CWP server.Then I try to login to ssh via port 22, and it was refused, since port 22 has removed from CSF/LFD.
But it does not impact with PORT 21.
What's the difference?

Thanks.

11
FTP / How to disable port 21 for plain FTP?
« on: June 13, 2021, 08:26:56 AM »
I have removed PORT 21 from CSF at TCP_IN, TCP_OUT, TCP6_IN, and TCP6_OUT.
I have restarted CSF and LFD.
I have restarted pure ftpd service.

but when I tried to login to FTP with port 21, I can login successfully.
So, how can I totally disable PORT 21? I just want to use SFTP for security reason.

Thanks.

12
Suggestions / Providing ImunifyAV Free and or Imunify360
« on: May 04, 2021, 03:04:30 AM »
It is better is CWP provide ImunifyAV free and or Imunify360 to replace maldet scan. I have tried to install imunifyAV free but it said the panel is not compatbile.
it is good for malware detection.

By improving great feature, CWP may be able to increase the price of CWPPro

Thanks.

13
Suggestions / Providing Better full backup
« on: May 04, 2021, 02:54:39 AM »
I think it will be great if CWP has feature to full backup for all home user, mysql, and everything just like cpanel does. Then it can be restored to another CWP easily.
at this time CWP provide separate backup. Even when user try to backup from user panel, it does not show any progress or finishing file.
Customer must dump sql one by one including mail data, then create again mysql user password at the new server. It takes too long if we have many customers.

And it is better if customer's mail is moved to /home/[user], not being separated at /var/vmail/

Thanks.

14
CentOS 7 Problems / Re: PHP Defender/snuffleupagus fecks up PHP
« on: May 04, 2021, 02:38:23 AM »
I faced another problem with PHPDefender. It can be installed well. But I cant change the rule at all.
The path for the rule is: /usr/local/cwp/.conf/phpdefender/rules/
When installed I choose intermediate.
One of my site got blocked with the reason: fatal error because of usage ini_set("display_errors").
Then I open the  cwp_php_defender_interm.rules
I change the line:
sp.disable_function.function("ini_set").param("varname").value_r("display_errors").drop()
to
#sp.disable_function.function("ini_set").param("varname").value_r("display_errors").drop() --> add comment sign, so it is ignored.

Restarting apache, but still get the same error. Then change that line to:
sp.disable_function.function("ini_set").param("varname").value_r("display_errors").allow()

But still gave the same error.
So, where is actually PHPdefender store the log data and is there any file contains the locked domain, so it kept giving the same error, even when I have removed PHPdefender, the same error still show up.
And which the rules file that PHPdefender execute for real?

It is really confusing, and there is no complete documentation at CWP. Opening the site snuffleupagus.readthedocs.io does not give any useful information.

Has CWP developer tested it before launching this feature?

Thanks.

15
CentOS 7 Problems / Re: PHPDefender permission denied
« on: May 03, 2021, 06:13:36 AM »
I have opened the ticket with number: 140213
Thanks.

Pages: [1] 2