Messages - overseer

751
Updates / Re: Upgrade Nginx
« on: April 01, 2023, 09:51:57 PM »

752
iptables / Re: ssh brute force attacks to random ports/users
« on: April 01, 2023, 09:48:43 PM »
I fully agree with all the other advice given above.
I change my default server ssh port and I have one ssh user (root)
I would highly recommend NOT using root for SSH, unless you have a specific one-off case where you need it for a migration or rsync or the like. Once you leave a known user name provided for brute force attacks, that's 50% of the information needed for a successful hack. Consider creating a sudo user (with a strong passphrase) specifically for SSH duties and use that exclusively. So in /etc/ssh/sshd_config set:
Code:
PermitRootLogin no
and
Code:
AllowUsers sudouser
or create a group of allowed SSH users and set:
Code:
AllowGroups sshusers
And of course, use keys instead of interactive passphrases...
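
An added example, not part of the original post or of CWP: a shell function that checks sshd_config text for the settings recommended above. Reading "use keys" as `PasswordAuthentication no` is an assumption, as are the function names and the constructed sample configs.

```shell
#!/bin/sh
# Audit sshd_config text on stdin against the settings recommended in the post.
# Only the global section is read: parsing stops at the first Match block.
audit_sshd() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (!match(line, /[ \t=]+/)) next        # keyword with no argument
        key = tolower(substr(line, 1, RSTART - 1))
        val = tolower(substr(line, RSTART + RLENGTH))
        gsub(/[ \t]+/, " ", val)
        if (key == "match") exit                 # END still runs after exit
        if (key == "allowusers" || key == "allowgroups") {
            allow[key] = allow[key] " " val      # may be repeated: collect all
        } else if (!(key in seen)) {
            seen[key] = val                      # sshd uses the first value it reads
        }
    }
    END {
        fails = check("PermitRootLogin", "no") + check("PasswordAuthentication", "no")
        if (!("allowusers" in allow) && !("allowgroups" in allow)) {
            print "FAIL no AllowUsers or AllowGroups restriction"; fails++
        } else if ((allow["allowusers"] " ") ~ / root[ @]/) {
            print "FAIL AllowUsers still lists root"; fails++
        } else {
            print "OK   login restricted by AllowUsers/AllowGroups"
        }
        exit (fails > 0)                         # non-zero status on any FAIL
    }
    function check(name, want,    got) {
        got = (tolower(name) in seen) ? seen[tolower(name)] : "unset"
        if (got == want) { print "OK   " name " " got; return 0 }
        print "FAIL " name " is " got ", expected " want; return 1
    }'
}

# Constructed sample inputs (not taken from any real server).
weak_config() { printf '%s\n' '# changed port, root only' 'Port 2222' 'PermitRootLogin yes'; }
hardened_config() {
    printf '%s\n' 'Port 2222' 'PermitRootLogin no' \
        'AllowUsers sudouser' 'PasswordAuthentication no'
}

weak_config | audit_sshd || true    # three FAIL lines
hardened_config | audit_sshd        # three OK lines
```

On a server, run `audit_sshd < /etc/ssh/sshd_config`; directives inside Match blocks are not evaluated.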

753
Information / Re: Cloudflare Tunnel
« on: April 01, 2023, 03:04:00 AM »
It sounds like it should; I use their other services, but not Cloudflare Tunnel. Does your ISP block ports 80, 443 and/or 25? Or does their EULA preclude running a home based server?

754
CentOS 7 Problems / Re: Disk Quota Exceeded???
« on: April 01, 2023, 03:01:40 AM »
Can you try uploading with a regular system user, created outside of CWP? (I usually keep a sudo user in my back pocket...)

755
Apache / Re: PHP Processing in .htm & .html files
« on: March 29, 2023, 07:43:55 AM »
I am using php-fpm for performance reasons and to give each account its own possible choice of PHP version. In your use case, it probably doesn't matter. Except I could guide you better if you switch back to php-fpm, since that is what I use :D

It doesn't sound as if PHP 8.1 is installed properly under the CGI PHP. Can you confirm that it is present and built successfully? Does it have an ini file? Otherwise, php-fpm for 8.1 should be:
/opt/alt/php-fpm81/usr/bin/php
and in fact, I also have:
/opt/alt/php-fpm81/usr/bin/php-cgi

756
Apache / Re: PHP Processing in .htm & .html files
« on: March 28, 2023, 09:56:08 PM »
Are you running php-fpm? Or PHP via CGI?

757
FTP / Re: FTP admin 502 gateway
« on: March 28, 2023, 07:57:41 PM »
500 series errors are usually timeouts or connection errors between the client and server.

Really large file uploads are a bit dicey -- if the connection gets interrupted at all, you wind up with partial uploads. So if you don't have a means to resume (via an FTP client like Filezilla or whatever), you won't succeed. I've tried to upload and resume 20+GB VM images and never gotten them to succeed until I changed connections to a rock solid, stable fiber link.

But if you absolutely need web uploads, you may need far larger PHP timeouts -- execution time, upload sizes, post sizes, etc.

758
Mod_Security / Re: Excluded rule for a domain is ignored
« on: March 28, 2023, 06:33:26 PM »
Are you using the OWASP ruleset? If so, I would suggest starting with the Comodo rules and tune from there.

759
Your server pings their licensing server to validate your CWP Pro license.

And as JeroenL discovered, CSF can be overly aggressive and block different IPs and ranges. And be careful about what countries you block -- their data center is in France but the dev team is eastern European. So I have blocked Romania and Bulgaria in the past due to hacking sprees out of those countries. But it could interfere with their support attempts if you need their help. So best just to block the big 3 culprits, based on my experience:
Code:
CC_DENY = "CN,RU,KP"

760
E-Mail / Re: MX records value for email service
« on: March 27, 2023, 09:23:04 AM »
DNS Functions > List DNS Zones > Edit Record on the domain name you need the MX record.
Add New Records > Type Record [MX]

761
Information / Re: Roundcube version
« on: March 27, 2023, 09:16:56 AM »
Eventually automatically.
Currently manually.

762
SSL / Re: Unable to install AutoSSL with IPv6 only
« on: March 26, 2023, 01:15:18 PM »
This was from cPanel, but applies equally well here:
Quote
In AutoSSL, IPv6 checks take precedence and because these records do not resolve, the SSL checks fail. To address this, the IPv6 records should either be removed or updated to an address that is bound and resolves to the server.
Here are a couple of salient links:
https://letsencrypt.org/docs/ipv6-support/
https://community.letsencrypt.org/t/enable-ipv6-and-http2/108026
Quote
if you have a working ipv6 configuration, Letsencrypt will use it. If your ipv6 is broken (AAAA record, but no / different answer checking http + /.well-known/acme-challenge/random-filename), that blocks creating a new certificate.

763
Information / Re: Roundcube version
« on: March 26, 2023, 02:55:40 AM »
Your instructions worked fine on 3x CWP Pro servers. 2 were running 1.5.0, one was still running 1.4.11. All updated just fine, now all 3 are running 1.5.3. Thanks!

764
DKIM / Re: How to implement 2048 bit DKIM keys on CWP servers.
« on: March 25, 2023, 08:38:43 PM »
Here's a shot in the dark, since I am sticking with the default 1024 for the time being.
/etc/opendkim.conf
Quote
MinimumKeyBits (integer)
Establishes a minimum key size for acceptable signatures. Signatures with smaller key sizes, even if they otherwise pass DKIM validation, will be marked as invalid. The default is 1024, which accepts all signatures. A value of 0 causes the default to be used.

765
SSL / Re: Unable to install AutoSSL with IPv6 only
« on: March 25, 2023, 08:25:15 PM »
A few points to consider (from an outsider who is only using IPv4):
  • Is your server fully IPv6 compliant -- in the kernel and also CWP? And in Apache/Nginx: https://geekflare.com/enable-ipv6-nginx-apache/
  • The DNS/.htaccess error you noted usually stems from a redirect from HTTP to HTTPS. You must have HTTPS connections enabled.
  • If self-signed works for you, go for it! You control your own destiny. And honestly, renewing every 90 days is a pain!
  • Consider a Cloudflare Origin SSL Certificate instead if you only need HTTPS/443 service on the server. But their cert is limited to HTTP traffic and won't work with other services (mail, FTP, etc.)
  • Otherwise, consider investing in a Comodo PositiveSSL certificate. They typically run $10/yr and are industry standard. So it's set-it-and-forget-it, valid for 1 year. I've had many cases where this is the better option. Pay a few shekels and get peace of mind for a year!
