1
CentOS 8 Problems / [SOLVED] Re: New CWP Installation Error: The encoded file has expired
« on: June 16, 2024, 08:38:18 AM »
I was able to resolve this by editing cwp-el8-latest and re-installing:
Changed all URLs from "static.cdn-cwp.com/files/cwp/el7" to "static.cdn-cwp.com/files/cwp/el8"
Changed "static.cdn-cwp.com/files/cwp/el8/cwp-el7-0.9.8.?.zip" to "static.cdn-cwp.com/files/cwp/el8/cwp-el7-0.9.8.1179.zip"
I've also made some other tweaks to the installer file. Most notably: fixed expression/arithmetic errors near lines ~80 thru ~90, added logic to the php-fpm installer to install the latest version (as of Jun-15-2024) of PHP, increased cert bits from 2048 to 4096, changed cert details, disabled pure-ftpd because FTP is lame. My changes can be seen by searching within the installer file for the text "zfk" - each change has been notated.
You can download it here. Pastebin.com will not allow me to provide the installer source code.... sorry.
2
CentOS 8 Problems / New CWP Installation Error: The encoded file has expired
« on: June 16, 2024, 04:10:42 AM »
I am unable to use CWP at all on new servers. This is a fresh install of AlmaLinux 8.10 and a fresh install of CWP.
https://SERVER-IP:2087 displays a blank page only
The issue is with PHP and ionCube:
tail -n4 /usr/local/cwpsrv/logs/error_log
Code: [Select]
2024/06/15 23:54:02 [error] 820#0: *1 FastCGI sent in stderr: "PHP message: PHP Fatal error: <br>The encoded file <b>/usr/local/cwpsrv/htdocs/admin/index.php</b> has expired. in Unknown on line 0" while reading response header from upstream, client: REMOVED, server: localhost, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/usr/local/cwp/php71/var/sockets/cwpsrv.sock:", host: "SERVER-IP:2087"
2024/06/15 23:54:18 [error] 820#0: *4 FastCGI sent in stderr: "PHP message: PHP Fatal error: <br>The encoded file <b>/usr/local/cwpsrv/htdocs/admin/index.php</b> has expired. in Unknown on line 0" while reading response header from upstream, client: REMOVED, server: localhost, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/usr/local/cwp/php71/var/sockets/cwpsrv.sock:", host: "SERVER-IP:2087"
2024/06/15 23:54:50 [error] 820#0: *9 open() "/usr/local/cwpsrv/htdocs/admin/favicon.ico" failed (2: No such file or directory), client: REMOVED, server: localhost, request: "GET /favicon.ico HTTP/1.1", host: "SERVER-IP:2087"
I have already tried to execute /scripts/update_ioncube. This script completes successfully.
Code: [Select]
[root@server htdocs]# sh /scripts/update_ioncube restart
[root@server htdocs]#
sh /scripts/update_cwp
Code: [Select]
PHP Fatal error:
The encoded file /usr/local/cwpsrv/htdocs/resources/admin/include/cron.php has expired.
in Unknown on line 0
php -v
Code: [Select]
PHP 5.6.37 (cli) (built: Jul 20 2018 06:10:33)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
with the ionCube PHP Loader + ionCube24 v13.0.2, Copyright (c) 2002-2023, by ionCube Ltd.
php -i
Code: [Select]
Configure Command => './configure' '--with-zlib' '--enable-soap' '--enable-exif' '--with-config-file-path=/usr/local/php' '--with-config-file-scan-dir=/usr/local/php/php.d' '--enable-phar' '--enable-bcmath' '--enable-calendar' '--with-curl' '--with-iconv' '--with-mysql' '--with-mysqli' '--with-mysql=mysqlnd' '--with-mysqli=mysqlnd' '--with-mcrypt' '--with-imap' '--with-imap-ssl' '--with-gettext' '--with-xmlrpc' '--with-pdo-mysql=mysqlnd' '--enable-posix' '--enable-ftp' '--with-openssl' '--enable-mbstring' '--with-jpeg-dir=/usr' '--with-freetype-dir=/usr' '--with-kerberos' '--with-xsl' '--with-bz2' '--enable-zip' '--with-gd' '--with-libdir=lib64' '--enable-sockets' '--with-pcre-regex' '--with-mysql-sock=/var/lib/mysql/mysql.sock'
Server API => Command Line Interface
Virtual Directory Support => disabled
Configuration File (php.ini) Path => /usr/local/php
Loaded Configuration File => /usr/local/php/php.ini
Scan this dir for additional .ini files => /usr/local/php/php.d
Additional .ini files parsed => /usr/local/php/php.d/ioncube.ini
PHP API => 20131106
PHP Extension => 20131226
Zend Extension => 220131226
Zend Extension Build => API220131226,NTS
PHP Extension Build => API20131226,NTS
Debug Build => no
Thread Safety => disabled
Zend Signal Handling => disabled
Zend Memory Manager => enabled
Zend Multibyte Support => provided by mbstring
IPv6 Support => enabled
DTrace Support => disabled
Registered PHP Streams => https, ftps, compress.zlib, compress.bzip2, php, file, glob, data, http, ftp, phar, zip
Registered Stream Socket Transports => tcp, udp, unix, udg, ssl, sslv3, sslv2, tls, tlsv1.0, tlsv1.1, tlsv1.2
Registered Stream Filters => zlib.*, bzip2.*, convert.iconv.*, mcrypt.*, mdecrypt.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dechunk
This program makes use of the Zend Scripting Language Engine:
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
with the ionCube PHP Loader + ionCube24 v13.0.2, Copyright (c) 2002-2023, by ionCube Ltd.
3
MySQL / Re: phpMyAdmin Bruteforce From 127.0.0.1 ??
« on: December 23, 2022, 02:27:22 AM »
Quote:
/usr/local/cwpsrv/conf/cwp_services.conf
/usr/local/cwpsrv/conf/cwpsrv.conf
I think these files will be reset with every CWP auto update. Double check to see if your edit is still there after an update. If it's not there anymore, you should look into another way of blocking these attempts WITHOUT editing CWP files.
Thank you for reminding me. When I make changes to system files I typically make the file immutable with chattr +i file but I forgot to do it this time and now you have reminded me.
Quote:
I advise taking a look into fail2ban and its filters or create a filter in fail2ban that works with these attempts. Fail2ban can be told to read a specific log file and take actions based on the activity going on there.
I will look into it. Thank you!!
Quote:
Remember to change fail2ban's ban method to (So it will work correctly in conjunction with CWP firewall manager):
4
SSL / Re: SSL on Hostname
« on: December 17, 2022, 05:18:39 AM »
Make sure DNS is configured properly and then use Change Hostname feature.
Example:
Server1 = 123.0.0.4
vps1.mydomain.com = 123.0.0.4
MyDomain.com = 123.0.0.4
Make sure your DNS is configured correctly (vps1.mydomain.com -> 123.0.0.4 and mydomain.com -> 123.0.0.4)
For best results, also configure reverse DNS for your server IP (123.0.0.4 -> vps1.mydomain.com)
Now change hostname. This will update your SSL certificate from self-signed to "official" Let's Encrypt.
Note: you do not need to make the hostname different; you can keep the same hostname (if your hostname is already "vps1.mydomain.com" you can still use "vps1.mydomain.com" again).
- Log in to Server1 CWP via https://123.0.0.4:2087/
- Use Server Settings - Change Hostname
- Set New Hostname = vps1.mydomain.com
- Set Key Size = 4096
- Set checkmark for all boxes
- Click Change Hostname
Now you can access https://vps1.mydomain.com without errors
5
Installation / Re: What distro to go for..
« on: December 17, 2022, 05:00:02 AM »
I chose AlmaLinux 8.7 and have been very happy with my choice.
I could be wrong, but I think AlmaLinux is maintained by a nonprofit org; Rocky Linux is maintained by a for-profit group. Make your choice. They are very similar.
6
Installation / Re: Outgoing attacks to randomIPs "After clean cwp insallation"
« on: December 17, 2022, 04:58:13 AM »
Attacks are extremely common. The moment your server goes online you can expect to start receiving limitless non-stop attacks. Configure your firewall properly and make sure to keep your software up-to-date and you should be fine. Don't forget to use strong passwords.
7
MySQL / [SOLVED] Re: phpMyAdmin Bruteforce From 127.0.0.1 ??
« on: December 13, 2022, 06:29:21 AM »
I've put the following config into the http{} block of /usr/local/cwpsrv/conf/cwpsrv.conf
Code: [Select]
log_format pma '[$time_local] $remote_addr, $http_x_real_ip, $http_x_forwarded_for - "$request" ($status) "$http_user_agent"';
and the following config into the location /pma {} block of /usr/local/cwpsrv/conf/cwp_services.conf
Code: [Select]
access_log /usr/local/apache/domlogs/pma-access.log pma;
Note that I've added $http_x_real_ip to the log_format line as /etc/nginx/proxy.inc contains "proxy_set_header X-Real-IP $remote_addr;" and the connections are being proxied (i.e. proxy_pass http://127.0.0.1:2031) via /etc/nginx/conf.d/<SERVERIP>.conf (which is why they are showing up as originating from 127.0.0.1 in /var/log/secure).
So now I have a log, specifically for PMA bruteforce attempts, containing the attacker's IP the next time it happens. I can then probably use LFD to automatically block the attack in realtime.
8
Too small a community and too many forum sections / subsections, IMO.... But at the same time, I'm kind of surprised because CWP feels like it should be extremely popular. Although, maybe it is "extremely popular" and the majority of users just simply can't be assed to contribute?
9
MySQL / [SOLVED] Re: phpMyAdmin Bruteforce From 127.0.0.1 ??
« on: December 12, 2022, 05:08:38 AM »
The solution dawned on me today when I saw another attack... I found the attacker by cat'ing /usr/local/apache/domlogs/<server-ip>.log
They're using PMA (of course) but the IP is being reported as 127.0.0.1 because nginx is proxy_pass'ing the connection.
cat /usr/local/apache/domlogs/*.log | grep pma
Code: [Select]
...
93.86.160.221 - - [11/Dec/2022:23:56:17 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:17 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:18 -0500] "POST /pma/index.php HTTP/1.1" 200 4798 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:18 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4680 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:18 -0500] "POST /pma/index.php HTTP/1.1" 200 4796 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:18 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:18 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:19 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4677 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:19 -0500] "POST /pma/index.php HTTP/1.1" 200 4799 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:19 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:20 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:20 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:20 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:20 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:20 -0500] "POST /pma/index.php HTTP/1.1" 200 4795 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:21 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:21 -0500] "POST /pma/index.php HTTP/1.1" 200 4797 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:21 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:21 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:22 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4677 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:22 -0500] "POST /pma/index.php HTTP/1.1" 200 4796 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:22 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:22 -0500] "POST /pma/index.php HTTP/1.1" 200 4792 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:23 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4680 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:23 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:23 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4679 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:23 -0500] "POST /pma/index.php HTTP/1.1" 200 4799 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:23 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4679 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:24 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:24 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4680 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:24 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:24 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4679 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:25 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:25 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4680 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:25 -0500] "POST /pma/index.php HTTP/1.1" 200 4801 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:25 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
...
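As an added example (not code from the thread and not part of CWP), the script below does the correlation this post describes, and the same one the [SOLVED] reply with the custom "pma" log_format automates: /var/log/secure only ever names 127.0.0.1 because nginx proxies /pma to the backend, so the source address has to be recovered from the proxy's own access log, either the combined-format domlog or the custom format with $http_x_real_ip. The log lines are constructed samples modelled on the ones quoted in the thread (RFC 5737 documentation addresses, not real captures), and the regexes assume exactly the layouts shown there; anything those lines do not cover is an assumption.

```python
"""Recover the real source of phpMyAdmin brute-force attempts behind the nginx proxy.

Added example, not code from the thread or from CWP. The log layouts below are
assumptions taken from the lines quoted in the thread; the sample lines are
constructed (RFC 5737 documentation addresses), not captures.
"""
import re
from collections import Counter

# /var/log/secure: phpMyAdmin only sees the proxy, so almost every denial is "from 127.0.0.1".
SECURE_LINES = [
    "Sep 29 06:04:27 tiberion phpMyAdmin[122141]: user denied: dev (mysql-denied) from 127.0.0.1",
    "Sep 29 06:04:30 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1",
    "Sep 29 06:04:34 tiberion phpMyAdmin[122141]: user denied: root (empty-denied) from 127.0.0.1",
    "Sep 30 02:25:41 tiberion phpMyAdmin[1199600]: user denied: root (mysql-denied) from 198.51.100.7",
]
# Combined-format lines as in /usr/local/apache/domlogs/<server-ip>.log (the proxy's own log).
DOMLOG_LINES = [
    '203.0.113.9 - - [11/Dec/2022:23:56:17 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Dec/2022:23:56:17 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Dec/2022:23:56:18 -0500] "POST /pma/index.php HTTP/1.1" 200 4798 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Dec/2022:23:56:18 -0500] "POST /pma/index.php HTTP/1.1" 200 4796 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Dec/2022:23:57:02 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0"',
]
# Lines written by the custom cwpsrv log_format from the thread:
#   '[$time_local] $remote_addr, $http_x_real_ip, $http_x_forwarded_for - "$request" ($status) "$http_user_agent"'
# nginx prints "-" for an empty variable, e.g. when the request did not come through the proxy.
PMA_LINES = [
    '[11/Dec/2022:23:56:17 -0500] 127.0.0.1, 203.0.113.9, - - "POST /pma/index.php HTTP/1.1" (200) "Mozilla/5.0"',
    '[11/Dec/2022:23:56:18 -0500] 127.0.0.1, 203.0.113.9, - - "POST /pma/index.php HTTP/1.1" (200) "Mozilla/5.0"',
    '[11/Dec/2022:23:56:18 -0500] 127.0.0.1, 203.0.113.9, - - "POST /pma/index.php HTTP/1.1" (200) "Mozilla/5.0"',
    '[11/Dec/2022:23:57:02 -0500] 127.0.0.1, 198.51.100.7, - - "POST /pma/index.php HTTP/1.1" (200) "Mozilla/5.0"',
    '[11/Dec/2022:23:58:40 -0500] 192.0.2.25, -, - - "GET /pma/index.php?lang=en HTTP/1.1" (200) "Mozilla/5.0"',
]

SECURE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ phpMyAdmin\[\d+\]: "
    r"user denied: (?P<user>\S+) \((?P<reason>[^)]+)\) from (?P<ip>\S+)$")
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
PMA_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<remote>\S+), (?P<real>\S+), (?P<fwd>.*?) - '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \((?P<status>\d{3})\) "(?P<ua>[^"]*)"$')


def parse(lines, regex):
    """Parse the lines that match `regex` into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(regex.match, lines) if m]


def source_ip(rec):
    """Best-effort client address for an access-log record.

    For the custom pma format the direct peer is the loopback proxy, so X-Real-IP
    (set by /etc/nginx/proxy.inc) is the address that matters; X-Forwarded-For is
    client-controlled and is deliberately not trusted here.
    """
    if "real" in rec:
        if rec["remote"].startswith("127.") and rec["real"] != "-":
            return rec["real"]
        return rec["remote"]
    return rec["ip"]


def loopback_share(secure_records):
    """Fraction of phpMyAdmin denials in /var/log/secure attributed to 127.0.0.1."""
    if not secure_records:
        return 0.0
    return sum(r["ip"] == "127.0.0.1" for r in secure_records) / len(secure_records)


def login_posts_per_ip(records, path="/pma/index.php"):
    """Count POSTs to the phpMyAdmin login endpoint per recovered source address."""
    counts = Counter()
    for r in records:
        if r["method"] == "POST" and r["path"].split("?", 1)[0] == path:
            counts[source_ip(r)] += 1
    return counts


def flag_bruteforce(counts, threshold=3):
    """Addresses at or above `threshold` login POSTs, busiest first (candidates for an LFD/fail2ban block)."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    secure = parse(SECURE_LINES, SECURE_RE)
    print(f"{loopback_share(secure):.0%} of denials in /var/log/secure point at the proxy")
    for name, lines, rx in (("domlog", DOMLOG_LINES, COMBINED_RE), ("pma log", PMA_LINES, PMA_RE)):
        counts = login_posts_per_ip(parse(lines, rx))
        print(name, dict(counts), "-> flag:", flag_bruteforce(counts))
```

Both access-log formats yield the same per-address counts, which is the point of the custom log_format: it puts the X-Real-IP value on its own line per request so a fail2ban filter or LFD custom regex can read it directly instead of having to join the domlog against /var/log/secure by timestamp. The script trusts only the header that nginx itself sets from $remote_addr; X-Forwarded-For is parsed but never used as the source, since a client can send any value in it.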
10
DNS Manager / Re: Slave DNS Server & Manager without ioncube to php7
« on: December 01, 2022, 11:53:05 AM »
bump
11
DNS Manager / Re: AXFR vulnerability/ restrict zone transfer
« on: December 01, 2022, 11:52:29 AM »
Quote:
Hello,
What is the best solution for fixing this?
Atm my named.conf for domain looks like this:
Code: [Select]
// zone domain.com
zone "domain.com" {type master; file "/var/named/domain.com.db";};
// zone_end domain.com
Does it need to look like this or is there any other solution?
Code: [Select]
acl trusted-servers {
ip1; //ns1
ip2; //ns2
};
zone domain.com {
type master;
file "/var/named/domain.com.db";
allow-transfer { trusted-servers; };
};
Thank you in advance
Yes that looks correct to me. I have done similar in my slave DNS config:
Code: [Select]
options {
allow-query { any; };
recursion yes;
/* mixedtribute - disable VERSION.BIND response
* https://kb.isc.org/docs/aa-00359 */
version none;
/* Slave DNS Config :: https://wiki.centos-webpanel.com/slave-dns-server-manager-download-version */
allow-transfer { DNSMASTERIP; };
allow-recursion { DNSMASTERIP; };
notify yes;
also-notify { DNSMASTERIP; };
masterfile-format text;
};
12
MySQL / phpMyAdmin Bruteforce From 127.0.0.1 ??
« on: September 30, 2022, 07:33:39 AM »
I have paid for 10x CWP Pro licenses and I am the only user of my servers but I occasionally see this in /var/log/secure:
Code: [Select]
....
Sep 29 06:04:27 tiberion phpMyAdmin[122141]: user denied: dev (mysql-denied) from 127.0.0.1
Sep 29 06:04:29 tiberion phpMyAdmin[122141]: user denied: blog (mysql-denied) from 127.0.0.1
Sep 29 06:04:30 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:31 tiberion phpMyAdmin[122141]: user denied: nas (mysql-denied) from 127.0.0.1
Sep 29 06:04:34 tiberion phpMyAdmin[122141]: user denied: wordpress (mysql-denied) from 127.0.0.1
Sep 29 06:04:34 tiberion phpMyAdmin[122141]: user denied: root (empty-denied) from 127.0.0.1
Sep 29 06:04:35 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:36 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:36 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:37 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:38 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:38 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:39 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:40 tiberion phpMyAdmin[122141]: user denied: db (mysql-denied) from 127.0.0.1
Sep 29 06:04:54 tiberion phpMyAdmin[122141]: user denied: wordspress (mysql-denied) from 127.0.0.1
Sep 29 06:04:54 tiberion phpMyAdmin[122141]: user denied: shopdb (mysql-denied) from 127.0.0.1
Sep 29 06:04:55 tiberion phpMyAdmin[122141]: user denied: blog (mysql-denied) from 127.0.0.1
Sep 29 06:04:56 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:56 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
Sep 29 06:04:57 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:58 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:58 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:59 tiberion phpMyAdmin[122141]: user denied: database (mysql-denied) from 127.0.0.1
Sep 29 06:04:59 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:00 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:01 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:01 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:02 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:03 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:03 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:04 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
Sep 29 06:05:05 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:05 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
Sep 29 06:05:06 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:06 tiberion phpMyAdmin[122141]: user denied: pma (mysql-denied) from 127.0.0.1
Sep 29 06:05:07 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:08 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
Sep 29 06:05:08 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:09 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:10 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:10 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:11 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:12 tiberion phpMyAdmin[122141]: user denied: dbs (mysql-denied) from 127.0.0.1
Sep 29 06:05:12 tiberion phpMyAdmin[122141]: user denied: wordpress (mysql-denied) from 127.0.0.1
Sep 29 06:05:13 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:14 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:14 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:15 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
Sep 29 06:05:15 tiberion phpMyAdmin[122141]: user denied: user (mysql-denied) from 127.0.0.1
Sep 29 06:05:16 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:17 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:17 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:18 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:19 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:19 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:20 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:21 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:21 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:22 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
Sep 29 06:05:22 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:23 tiberion phpMyAdmin[122141]: user denied: nas (mysql-denied) from 127.0.0.1
Sep 29 06:05:24 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:24 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:25 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:26 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:26 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:27 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:28 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:28 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:29 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:30 tiberion phpMyAdmin[122141]: user denied: wordpress (mysql-denied) from 127.0.0.1
Sep 29 06:05:30 tiberion phpMyAdmin[122141]: user denied: wordpress (mysql-denied) from 127.0.0.1
Sep 29 06:05:31 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:31 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:32 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:33 tiberion phpMyAdmin[122141]: user denied: wp (mysql-denied) from 127.0.0.1
Sep 29 06:05:33 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:34 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:35 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:35 tiberion phpMyAdmin[122141]: user denied: dev (mysql-denied) from 127.0.0.1
Sep 29 06:05:36 tiberion phpMyAdmin[122141]: user denied: wp (mysql-denied) from 127.0.0.1
Sep 29 06:05:37 tiberion phpMyAdmin[122141]: user denied: shopdb (mysql-denied) from 127.0.0.1
Sep 29 06:05:37 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
Sep 29 06:05:38 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:38 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:39 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:40 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:40 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:41 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:42 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:42 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:43 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:44 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:44 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:45 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:45 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:46 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:47 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:47 tiberion phpMyAdmin[122141]: user denied: wp (mysql-denied) from 127.0.0.1
Sep 29 06:05:48 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:49 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:49 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:50 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:51 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:51 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:52 tiberion phpMyAdmin[122141]: user denied: sql (mysql-denied) from 127.0.0.1
Sep 29 06:05:53 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:53 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:54 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
....
At first I thought my server may have been compromised, but I do not think it is compromised because I see these failed login attempts on all of my servers occasionally. I have recently re-installed CWP. My systems are fully up-to-date as well.... I do not have anyone else using my servers.
When I try to replicate the issue using incorrect password on https://tiberion.mydomain.com:2087/pma I see this:
Code: [Select]
Sep 30 02:25:41 tiberion phpMyAdmin[1199600]: user denied: root (mysql-denied) from X.X.X.X
X.X.X.X is my home IP address .....
How am I seeing failed login attempts from 127.0.0.1?? I am the ONLY user of my servers, no customers, no one else uses the servers.