1
Apache / Re: How to stop malicious scans
« on: March 30, 2025, 12:57:22 AM »
Quote
I don't know what header you're talking about, I copied the original code from the access_log and didn't change them.
I use Nginx & Apache.
(...)
The useragent header is the HTTP header that identifies the navigator accessing your HTTP server.
Quote
Does this affect Googlebot and Bingbot crawling pages?
No.
Quote
Is there any other way to stop it?
Yes.
Googlebot and Bing use honest useragents, so if you want to block them, you can simply block the "Googlebot" and "bingbot" useragents directly:
Code: [Select]
if ($http_user_agent ~* "(Googlebot|bingbot)") {
    return 403;
}
You can also choose any other useragent:
Code: [Select]
if ($http_user_agent ~* "(Googlebot|bingbot|Android|iPhone|iPod|Symbian|BlackBerry|Windows Phone|Mobile|J2ME)") {
    return 403;
}
You can install the "Nginx Ultimate Bad Blocker" to block hundreds of other useragents:
https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
2
Nginx / Re: How to update NGINX version to version 1.26.2
« on: March 27, 2025, 02:48:11 AM »
Quote
My Approach to Upgrading Nginx Without a Full Reinstallation
In my experience, the optimal strategy is to update Nginx directly using the official stable repository, rather than removing it entirely. This approach helps maintain your current configuration and avoids the hassle of extensive reconfiguration.
(...)
It is not only the package installation: nginx has modules too, and you need to follow up and keep the modules updated too.
This is much easier to do with AlmaLinux modules.
A manual installation would force you to build the module packages; this is not good.
For this reason, I do a "module" installation.
To check available modules:
Code: [Select]
# dnf module list nginx
There is only nginx version 1.24 available to install.
Code: [Select]
# dnf -y module enable nginx:1.24
Installing nginx and modules:
Code: [Select]
# dnf -y module install nginx
Changing permissions to directory /var/lib/nginx :
Code: [Select]
# chmod +x -R /var/lib/nginx
Changing ownership of directory /var/lib/nginx :
Code: [Select]
# chown nobody -R /var/lib/nginx/
Ps.: the downside is that AlmaLinux modules do not have such up-to-date versions. But the current nginx version (1.24) is good to work.
Regards,
Netino
3
Apache / Re: How to stop malicious scans
« on: March 27, 2025, 02:20:43 AM »
Seems all accesses are being without user access header, isn't?
These are bad bots, wasting your bandwidth and machine resources.
Are you using nginx?
I did the following: in the file '/etc/nginx/conf.d/vhosts/domain.com.conf', before the "location / {" directive, I included the following:
Code: [Select]
if ($http_user_agent = "") { return 444; }
...like in the following:
Code: [Select]
server {
    listen 11.22.33.44:80;
    server_name domain.com www.domain.com;
    (...)
    if ($http_user_agent = "") { return 444; }
    location / {
        (...)
    }
}
You need to change the /etc/nginx/conf.d/vhosts/domain.com.ssl.conf files too, if you use ssl.
Regards,
Netino
4
Nginx / Re: Restrict access to a cwp_service
« on: March 27, 2025, 02:06:15 AM »
Quote
(...)
Is there a better way to do this using CWP ?
Create a file /usr/local/cwpsrv/conf/security.conf with the following content:
Code: [Select]
#...
satisfy any;
allow 192.168.1.1/24;
allow 127.0.0.1;
deny all;
auth_basic "Restricted access";
auth_basic_user_file conf/ht_passwd;
Choose your IP addresses, and/or define additional authentication on cwpsrv.
Create a file '/usr/local/cwpsrv/conf/ht_passwd' with your passwords:
Code: [Select]
# /usr/local/apache/bin/htpasswd -c /usr/local/cwpsrv/conf/ht_passwd your_username
In file '/usr/local/cwpsrv/conf/cwp_services.conf', change your directive to:
Code: [Select]
location /pma {
    root /usr/local/cwpsrv/var/services;
    index index.html index.htm index.php;
    include /usr/local/cwpsrv/conf/security.conf;
    (...)
}
...and restart cwp on the panel, or with the command:
Code: [Select]
# /scripts/restart_cwpsrv
Regards,
Netino
5
CSF Firewall / Re: Firewall CFS not enable alma8 - al8 (fixed)
« on: March 25, 2025, 02:45:25 AM »
Quote
Did that and CWP install. CWP is showing the firewall is off but when I run the enable from the panel it says the firewall is already running. Will it still handle the tables?
Try to post here the last part of the file /var/log/lfd.log, right after you try to restart csf:
Code: [Select]
tail -50 /var/log/lfd.log
6
CSF Firewall / Re: Firewall CFS not enable alma8 - al8 (fixed)
« on: March 23, 2025, 05:42:15 PM »
Perhaps you could check whether there is an 'install.cwp.sh' script in the ./csf directory?
Now, as you did run the normal installation script, run 'uninstall.sh' (the normal uninstallation script), and install again, now running 'install.cwp.sh'.
Regards,
Netino
7
E-Mail / Re: sendmail
« on: March 12, 2025, 12:35:39 AM »
Quote
I've got my ecommerce platform set to sendmail. But I'm not getting email from the contact page. Any ideas what may be causing this. Yes I know I have the smtp option.
CWP is not installed with sendmail, but with postfix.
Postfix has a tool named 'sendmail', but it is not for the purpose of being an MTA (mail transfer agent); it is just to check mail deliverability.
Suggestions from Deepseek.com:
If your ecommerce platform is set to use sendmail but you're not receiving emails from the contact page, there could be several reasons for this issue. Here are some steps to troubleshoot and resolve the problem:
1. Check the Email Sending Configuration
Ensure that your ecommerce platform is correctly configured to use sendmail and that the sendmail path is correct.
Verify that the "From" email address in the contact form is valid and properly formatted.
2. Test sendmail on the Server
Log in to your server via SSH.
Test sendmail directly from the command line to ensure it’s working:
Code: [Select]
echo "Test email body" | sendmail -f your@email.com recipient@email.com
Replace your@email.com with the sender's email and recipient@email.com with your email address.
Check if you receive the test email. If not, the issue might be with sendmail itself.
3. Check Email Logs
Look at the mail logs to see if the emails are being sent and if there are any errors.
On most Linux systems, you can check the logs using:
Code: [Select]
tail -f /var/log/maillog
or
Code: [Select]
tail -f /var/log/mail.log
Look for errors related to sendmail or email delivery.
4. Check Spam/Junk Folder
Sometimes emails sent via sendmail might be flagged as spam. Check your spam/junk folder to see if the emails are there.
5. Verify PHP Configuration
If your ecommerce platform uses PHP to send emails, ensure that PHP is configured to use sendmail.
Check the php.ini file for the sendmail_path setting:
Code: [Select]
sendmail_path = /usr/sbin/sendmail -t -i
Restart your web server (e.g., Apache or Nginx) after making changes.
6. Check Contact Form Code
Ensure that the contact form is correctly passing the email address and message to the sendmail function.
Look for any errors in the form submission process, such as missing fields or validation issues.
7. Test with SMTP Instead
If sendmail continues to fail, consider switching to SMTP for sending emails. Most ecommerce platforms support SMTP, which is often more reliable.
Use an SMTP service like Gmail, SendGrid, or your hosting provider's SMTP server.
8. Check Server Firewall and Ports
Ensure that your server’s firewall is not blocking outgoing email traffic (port 25 for sendmail).
If you’re using SMTP, ensure the appropriate ports (e.g., 465 for SSL, 587 for TLS) are open.
9. Contact Your Hosting Provider
Some hosting providers block sendmail or restrict its usage to prevent spam. Contact your hosting provider to confirm if sendmail is allowed on your server.
10. Debugging Tools
Use debugging tools or plugins provided by your ecommerce platform to trace email sending issues.
For example, in WordPress, you can use plugins like WP Mail Logging or Check Email to debug email delivery.
Regards,
Netino
8
Backup / Re: external backup of mysql database to linux server using bash
« on: February 24, 2025, 02:56:21 AM »
Quote
Hi
is it possible to access mysql database with out going in the control panel for the user. i have a user who wants to backup his mysql database to his home linux server using a bash script. we dont need help with the script but wondering if i can access myphpadmin without logging in to the users control panel
Hope this makes sense.
Thanks
Dave
Yes, it is possible to do it with a script.
But not without a little added complexity.
1) Open the 3306 port remotely to your user.
If your user has a fixed IP address, open it just for that IP in CSF firewall.
If your user doesn't have a fixed IP address, you can use a portknocking scheme, in CSF firewall.
2) Allow the MariaDB user to remotely access directly the database:
in file /etc/my.cnf.d/server.cnf, change the line (just uncomment it):
Code: [Select]
#bind-address=0.0.0.0
to
Code: [Select]
bind-address=0.0.0.0
3) Maybe you prefer to create a new user to do just remote backups (a readonly user, with just SELECT permission):
You can create a new user account that will only connect from the remote host (fixed IP remote_server_ip) with the following command:
Code: [Select]
MariaDB [(none)]> CREATE USER 'new_user'@'remote_server_ip' IDENTIFIED BY 'password';
Then grant the new user the appropriate privileges for your particular needs. I recommend a readonly user, with:
Code: [Select]
MariaDB [(none)]> GRANT SELECT ON `Database_name`.* TO 'new_user'@'remote_server_ip';
Replace Database_name with the name of the database being backed up, and remote_server_ip with a fixed IP address.
But, if it has a dynamic IP (CAUTION: use ONLY with the portknocking scheme) use:
Code: [Select]
MariaDB [(none)]> CREATE USER 'new_user'@'%' IDENTIFIED BY 'password';
MariaDB [(none)]> GRANT SELECT ON `Database_name`.* TO 'new_user'@'%';
After changes of privileges in MariaDB, run:
Code: [Select]
MariaDB [(none)]> FLUSH PRIVILEGES;
One more word of caution: open your port 3306 to the internet only to someone with a fixed IP address, or don't open it at all without using the portknocking scheme.
For your user to access with portknocking, your customer can install the 'nmap' program, and use:
Code: [Select]
#!/bin/bash
remotehost=12.23.34.45
for x in 555 111 444 333; do sudo nmap -p $x $remotehost > /dev/null; done
where 12.23.34.45 is the IP of your main server, and 555, 111, 444 and 333 are the port numbers used in your portknocking scheme.
CAUTION: Do not use these port numbers, change them to your taste.
After the port is opened, your user can install and use the mariadb-dump, mariadb-backup or mysqldump programs to make their backups.
Regards,
Netino
9
Suggestions / Re: :):):) Comodo WAF rules update required :):):)
« on: January 28, 2025, 10:28:35 PM »
Quote
The defaults are:
(...)
What's weird is that the OWASP old ruleset works OK, but if you select OWASP latest it breaks everything.
You still see it stop attacks if your view the ModSecurity log.
What is your coreruleset version, ModSecurity version, and ModSecurity-nginx version?
Quote
(...)
Just added "/usr/local/cwpsrv/logs/*_log" to CUSTOM3_LOG, which was empty.
Will see if that works.
It must be noted here too that the OWASP rules I have posted will work with CWP because it is based on the 'nginx' server (see the path is /usr/local/cwpsrv/logs/), and that will work only with ModSecurity 3.0.x and ModSecurity-nginx connector v1.0.3-24-gef64996. I have placed an issue on the ModSecurity-nginx website, because for some reason it is not working with newer versions, and that bug is still open to this date.
Quote
Also have a virtual meeting with Xcitium (company who bought Comodo) next week, to find out what their plans are for the future of that ruleset.
Because of right now it's dead.
Hopefully this will get resolved.
I'm not sure about anyone else, but this simple thing has turned into a large cluster.
Very, very good.
This is what we need, a few simple impressions for that company, to not begin a coding marathon to workaround the problem.
10
Suggestions / Re: :):):) Comodo WAF rules update required :):):)
« on: January 27, 2025, 10:36:31 PM »
Quote
I've tried different ways, just can't get OWASP to talk to CSF, even using the documentation.
It 'should' work, I see it in the logs, but CSF refuses to add the IP's and send notifications.
Are you referring to the lfd rules?
It may just be a matter of getting the regex right.
Here are some rules that work for me:
In file '/etc/csf/csf.conf':
Code: [Select]
CUSTOM4_LOG = "/usr/local/cwpsrv/logs/*_log"
In file '/usr/local/csf/bin/regex.custom.pm':
Code: [Select]
if (($lgfile eq $config{CUSTOM4_LOG}) and ($line =~ /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+\-\s+\-\s+\[\S+\/\S+\/\S+:\S+:\S+\s+\-\d{4}\].*\/login\/index\.php\?login\=failed/)) {
    $ip = $1; $ip =~ s/:\w+//;
    return ("Login Failed access of forbidden resource",$ip,"forbiddenmatch","5","80,82,443,8181,8443","1");
}
# CWP Failed Login Protection
if (($lgfile eq $config{CUSTOM4_LOG}) and ($line =~ /^\d{4}\/\d{2}\/\d{2}\s([0-1][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]\s\[error\]\s\d+#\d+:\s\*\d+\suser\s\"\w+\":\spassword\smismatch,\sclient:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),\sserver:\slocalhost,\srequest:\s\"(POST|GET)\s.*/)) {
    $ip = $2; $ip =~ s/:\w+//;
    return ("Login Failed access of forbidden resource",$ip,"forbiddenmatch","5","80,82,443,8181,8443","1");
}
## CWP Failed Login Protection
if (($lgfile eq $config{CUSTOM4_LOG}) and ($line =~ /^\d{4}\/\d{2}\/\d{2}\s([0-1][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]\s\[error\]\s\d+#\d+:\s\*\d+\suser\s\"\w+\"\swas\snot\sfound\sin\s\"\/usr\/local\/cwpsrv\/conf\/htpasswd\",\sclient:\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),\sserver:\slocalhost,\srequest:\s\"(POST|GET)\s.*/)) {
    $ip = $2; $ip =~ s/:\w+//;
    return ("Login Failed access of forbidden resource",$ip,"forbiddenmatch","5","80,82,443,8181,8443","1");
}
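A way to check such patterns against log lines before putting them in regex.custom.pm, as an added example that is not part of the original post: the three regexes above are ported to Python and run over constructed sample lines. The rule names, sample lines and the `RULES_ANY_TZ` variant are assumptions of this example, as is treating the "5" in the return values as the number of matches needed before a block. It shows that the first pattern, as posted, only matches timestamps with a negative UTC offset.

```python
import re
from collections import Counter

IP = r'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'
# Shared head and tail of the two cwpsrv error-log patterns (client IP is group 2).
ERR_HEAD = (r'^\d{4}/\d{2}/\d{2}\s([0-1][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]'
            r'\s\[error\]\s\d+#\d+:\s\*\d+\suser\s"\w+"')
ERR_TAIL = r',\sclient:\s' + IP + r',\sserver:\slocalhost,\srequest:\s"(POST|GET)\s.*'

def access_rule(tz_sign):
    """Access-log pattern; tz_sign is the regex for the sign of the UTC offset."""
    return re.compile(r'^' + IP + r'\s+-\s+-\s+\[\S+/\S+/\S+:\S+:\S+\s+' + tz_sign
                      + r'\d{4}\].*/login/index\.php\?login=failed')

# (rule name, compiled pattern, capture group holding the client IP)
ERROR_RULES = [
    ("password_mismatch", re.compile(ERR_HEAD + r':\spassword\smismatch' + ERR_TAIL), 2),
    ("user_not_found", re.compile(ERR_HEAD + r'\swas\snot\sfound\sin\s'
                                  r'"/usr/local/cwpsrv/conf/htpasswd"' + ERR_TAIL), 2),
]
RULES_AS_POSTED = [("login_failed", access_rule(r'-'), 1)] + ERROR_RULES
# Variant (assumption of this example): accept "+hhmm" offsets as well.
RULES_ANY_TZ = [("login_failed", access_rule(r'[+-]'), 1)] + ERROR_RULES

def classify(line, rules):
    """Return (rule name, client IP) for the first rule that matches, else None."""
    for name, pattern, group in rules:
        match = pattern.search(line)
        if match:
            return name, match.group(group)
    return None

def would_block(lines, rules, trigger=5):
    """IPs whose matching lines reach the trigger count."""
    hits = Counter()
    for line in lines:
        result = classify(line, rules)
        if result:
            hits[result[1]] += 1
    return sorted(ip for ip, count in hits.items() if count >= trigger)

# Constructed sample lines (documentation IP ranges), not taken from a real log.
ACCESS = '%s - - [27/Jan/2025:22:30:0%d %s] "GET /login/index.php?login=failed HTTP/1.1" 200 512'
ERROR = ('2025/01/27 22:31:1%d [error] 1234#0: *5%d user %s, client: 198.51.100.23, '
         'server: localhost, request: "POST /pma/ HTTP/1.1"')
SAMPLE = (
    [ACCESS % ("203.0.113.7", i, "-0300") for i in range(5)]
    + [ACCESS % ("192.0.2.50", i, "+0100") for i in range(5)]
    + [ERROR % (i, i, '"admin": password mismatch') for i in range(3)]
    + [ERROR % (i + 3, i + 3, '"guest" was not found in "/usr/local/cwpsrv/conf/htpasswd"')
       for i in range(2)]
    + ['203.0.113.99 - - [27/Jan/2025:22:33:00 -0300] "GET /index.php HTTP/1.1" 200 1024']
)

if __name__ == "__main__":
    print("as posted:", would_block(SAMPLE, RULES_AS_POSTED))
    print("any UTC offset:", would_block(SAMPLE, RULES_ANY_TZ))
```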
11
Suggestions / Re: :):):) Comodo WAF rules update required :):):)
« on: January 26, 2025, 04:55:45 PM »
Quote
I tried that juggling, and it didn't work.
There is a problem with the OWASP latest ruleset that I've notified CWP about.
I've only found 2 semi-good replacements, but both are paid:
https://malware.expert/
https://atomicorp.com/modsecurity-rules/
And then there is of course the company who bought Comodo, Xcitium. But their website doesn't even work
There is a possibility, for those who use nginx<->*<->Apache.
You can install Comodo on Apache, in normal operation mode, and OWASP on nginx, in log-only mode.
I haven't tested it yet, but it's an idea, and I'll test it very soon.
12
Suggestions / Re: :):):) Comodo WAF rules update required :):):)
« on: January 26, 2025, 04:50:54 PM »
Quote
i switched back to OWASP latest rules but they are not blocking malicious attempts . i can see in logs its detecting but attempt is not blocked
on the other hand comodo waf rules keeps blocking everything
before last update everything was fine and comodo waf rules were the best
Yea, there is a bug CWP has been made aware of with the OWASP latest not working.
To avoid this, you can use the OWASP ruleset in "Anomaly Scoring Mode". Instead of blocking each rule individually, as is done in Comodo, a set of rules is evaluated and, if it reaches a certain score, only then is it blocked. This is a very powerful way of blocking. Even so, you should always analyze the ruleset, starting at level 1, the most secure in terms of no false positives, and increasing the level as you add whitelists.
There are plugins for phpMyAdmin, Roundcube and Wordpress, but they need to be tested and adapted for each case. However, it is much less work than building the exceptions from scratch.
From OWASP page:
Code: [Select]
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.3/dev/crs-setup.conf.example
"
The CRS can run in two modes:
#
# -- [[ Anomaly Scoring Mode (default) ]] --
# In CRS3, anomaly mode is the default and recommended mode, since it gives the
# most accurate log information and offers the most flexibility in setting your
# blocking policies. It is also called "collaborative detection mode".
# In this mode, each matching rule increases an 'anomaly score'.
# At the conclusion of the inbound rules, and again at the conclusion of the
# outbound rules, the anomaly score is checked, and the blocking evaluation
# rules apply a disruptive action, by default returning an error 403.
#
# -- [[ Self-Contained Mode ]] --
# In this mode, rules apply an action instantly. This was the CRS2 default.
# It can lower resource usage, at the cost of less flexibility in blocking policy
# and less informative audit logs (only the first detected threat is logged).
# Rules inherit the disruptive action that you specify (i.e. deny, drop, etc).
# The first rule that matches will execute this action. In most cases this will
# cause evaluation to stop after the first rule has matched, similar to how many
# IDSs function.
"
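A simplified model of the two modes quoted above, added here as an illustration (it is not CRS or ModSecurity code). The rule labels and sample matches are constructed placeholders; the per-severity scores and the inbound threshold of 5 are the defaults from crs-setup.conf.example, and the `paranoia` field models the "level" mentioned in the post.

```python
from dataclasses import dataclass

# Default CRS 3.x anomaly score added per matching rule, by severity.
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

@dataclass(frozen=True)
class Match:
    rule: str       # placeholder label, not a real CRS rule id
    severity: str   # key of SEVERITY_SCORE
    paranoia: int   # lowest paranoia level at which the rule is active

def active(matches, paranoia_level):
    """Only rules at or below the configured paranoia level are evaluated."""
    return [m for m in matches if m.paranoia <= paranoia_level]

def self_contained(matches, paranoia_level=1):
    """First matching rule applies the disruptive action; only it is logged."""
    hits = active(matches, paranoia_level)
    return {"blocked": bool(hits), "score": None,
            "logged": [m.rule for m in hits[:1]]}

def anomaly_scoring(matches, paranoia_level=1, threshold=5):
    """Every match adds to the score; block only if the total reaches the threshold."""
    hits = active(matches, paranoia_level)
    score = sum(SEVERITY_SCORE[m.severity] for m in hits)
    return {"blocked": score >= threshold, "score": score,
            "logged": [m.rule for m in hits]}

# Constructed rule matches for two hypothetical requests.
ATTACK = [Match("rule-A", "CRITICAL", 1), Match("rule-B", "WARNING", 1),
          Match("rule-C", "CRITICAL", 2)]
BORDERLINE = [Match("rule-D", "NOTICE", 1), Match("rule-E", "WARNING", 2)]

if __name__ == "__main__":
    for name, request in (("attack", ATTACK), ("borderline", BORDERLINE)):
        print(name, "self-contained:", self_contained(request))
        for level in (1, 2):
            print(name, "anomaly, level", level, ":",
                  anomaly_scoring(request, paranoia_level=level))
```

The borderline request passes at level 1 with a logged score of 2 but reaches the threshold at level 2, which is why exclusions are collected from the logs before the level is raised.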
13
Suggestions / Re: :):):) Comodo WAF rules update required :):):)
« on: January 25, 2025, 03:17:58 AM »
I agree that it is dead. But the problem with Comodo being dead is that it forces most of us who use free rulesets to migrate to the only known free alternative, which is the OWASP rules.
And that certainly can't be done overnight.
And whoever wants to take on this challenge will have to do some digital juggling to get both rulesets working, putting OWASP in a log-only (no blocks) state while collecting logs and statistics to include its whitelists.
It's a medium-term problem, but it's a very serious problem, and must be worked on starting now.
14
Information / CentOS CWP vs cPanel comparison
« on: January 10, 2025, 02:00:11 AM »
"CentOS CWP is ranked #1, while cPanel is ranked #2. CentOS CWP holds a 19.2% mindshare in WHCP, compared to cPanel’s 18.9% mindshare."
Mindshare is this presence in the mind. It is occupying a prominent place in the consumer's mind. It is being remembered by him in some way.
I couldn't download the report, but the information is on that site.
https://www.peerspot.com/products/comparisons/centos-cwp_vs_cpanel
15
CentOS 7 Problems / Re: My CWP websites are not loading after i changed my webservers to Ningx + Apache
« on: January 03, 2025, 02:16:42 AM »
Quote
Here are all the screenshots
Apache is running but the connection refused
https://ibb.co/88ZhN3K
https://ibb.co/WpTc2KK
https://ibb.co/1LKGY00
My httpd.conf
https://codepen.io/sohailfarooq356/pen/raBYBwb
Are you using CWPPro..?!
Your domain is not resolving here, and is not registered: thcwebiner.com
As a consequence, your domain does not resolve here, nor panel.thcwebiner.com
Are you really using ns1 and ns2.centos-webpanel.com as your nameservers?
Regards,
Netino