Messages

16

SSL / Re: Probelm with renewing SSL certs

« on: May 09, 2025, 01:38:16 AM »

Possibly a bug from CWP.
This happened to me migrating domains from another server.
Once the domain was renewed manually, now the renewing process is automatic again.

Try to create a script, named like 'renew-cert.sh', to renew manually:

Code: [Select]

#!/bin/bash

DOM=${1}
/root/.acme.sh/acme.sh --home /root/.acme.sh/cwp_certs --renew --ecc -d ${DOM} --force

Change permissions:

Code: [Select]

# chmod 700 renew-cert.sh
And run the script (replacing "domain.com" with your domain):

Code: [Select]

# ./renew-cert.sh domain.com
Regards,
Netino

17

Information / Re: check all autoSSL (Lets encrypt) that failed

« on: May 03, 2025, 01:31:27 AM »

Thanks! No way for an integrated feature in the panel? To alert us, etc?

While this feature is not implemented in CWP, you can use this command in cron, to be alerted:

Code: [Select]

# find /etc/pki/tls/certs -type f -name \*.cert -mtime +60 | sed -e 's#^/etc/pki/tls/certs/##g' -e 's#\.cert$##' | xargs -I '{}' bash -c 'echo -e "Domain Cert {} expired.\n.\n" | mail -s "ALERT: Domain Cert {} expired" your-mail@yourdomain.com'
Regards,
Netino

18

CentOS 8 Problems / Re: ImageMagick installation on Almalinux 8

« on: April 29, 2025, 03:12:16 AM »

Hi,

php -v giving error of unable to load dynamic library 'imagick.so'
(...)
but found that following line not working:
ln -s /usr/local/include/ImageMagick-6 /usr/local/include/ImageMagick

On checking, I didnot found any folder /usr/local/include/ImageMagick-6  in my Almalinux ver 8
(...)

I think the right command is:

Code: [Select]

ln -s /usr/include/ImageMagick-6 /usr/local/include/ImageMagick-6
The include library exists in '/usr/include/ImageMagick-6' in AL8.

Regards,
Netino

19

E-Mail / Re: Stop forwarding SPAM emails

« on: April 24, 2025, 02:40:02 AM »

(Adapted from: <https://docs.directadmin.com/other-hosting-services/preventing-spam/outgoing-spam.html#why-forwarders-to-external-mailservers-can-be-dangerous-for-your-server>)

Why forwarders to external mailservers can be dangerous for your server

It's not uncommon for clients to want to forward mail from their own domain to an external email address, say Gmail, for example.

The path of an email sent to the user@domain.com forwarder would be:

Sender -> CWP box: user@domain.com -> External: user@gmail.com
This will work fine, until spam comes into the picture.

The issue with spam is that, if the proper blocks are not in place, your CWP box will happily relay spam to Gmail, which could then cause Gmail to think that the spam is originating from your CWP box, thus getting your IP blacklisted even though the spam came from somewhere else.

Another issue is that, if Gmail then determines that the message is spam, it may be denied at the Gmail server, thus returning it back to your CWP box to figure out what to do with. Since the sender is not from the CWP box, and the final recipient is Gmail (which was denied), Postfix tries to send it back to the original "sender", which with spam, is almost always fake/spoofed (these headers can be spoofed).

This causes "backscatter", where Postfix is trying to return a message to an address that was not the actual sender. This backscatter is also a potential hazard to getting your IP blacklisted.

Solutions:

- Avoid forwarders to external domains whenever possible (it is usually hard to convince users of this).

- For Gmail, as an example, have Gmail pull your POP emails to Gmail, rather than you pushing them via forwarders. See this guide for more info.

- Ensure SpamAssassin is enabled, and set it to drop spam or send to spambox (do not use "deliver to inbox"). At a minimum, use "drop high scoring spam".

- Block bounces from leaving.

- RBL Blocking is a robust way of blocking spam before Postfix even sees the message (realtime IP based block). Some consider RBL blocking to sometimes be too strict in that it may often block entire ISP ranges (send on port 587 with smtp-auth, instead of port 25).

Regards,
Netino

20

Updates / Re: New problems with updates

« on: April 24, 2025, 02:22:09 AM »

To be blunt and honest, there is no reasonable reason to keep a system like Centos7, whose support has been out of date for almost a year, and therefore subject to security holes. Upgrade as soon as you can, if you don't want to make yourself and your client victims of cyber attacks. Right now Centos7 may already be subject to flaws that you don't know about, for the simple reason that they haven't been disclosed for almost a year, and they won't be disclosed anymore.

Regards,
Netino

21

CentOS-WebPanel Bugs / Re: Lost access to CWPpro after a server restart

« on: April 15, 2025, 03:23:20 AM »

Hey,

I've opened a ticket on this already and will update this thread with more information. I logged into CWP web panel and was greeted by this:

(...)


(...)
Everything else is working perfectly fine, I haven't changed my default SSH ports but I don't think that'd be causing it.

I ordered CWPpro and used the "sh /scripts/update_cwp" command to force and update to enable CWPpro, but after a recent restart due to Vultr's London datacenter maintenance, this warning starting showing up. My IP address is the exact same.

Check if you have some firewall block to 'centos-webpanel.com' or to IP adress [158.69.227.165].
These are used to update the system.

Regards,
Netino

22

Other / Re: Varnish 7 Installation & Configuration

« on: April 10, 2025, 01:18:09 AM »

Has anyone successfully installed Varnish 7 on CWP yet?

I've tried a couple of times now but still get 503 when testing. Has anyone figured out the correct changes for the varnish.service file?

Yes.
You already install it?

After install, you need to change the line in file '/usr/lib/systemd/system/varnish.service' of default installation, from:

Code: [Select]

ExecStart=/usr/sbin/varnishd -a :6081 -f /etc/varnish/default.vcl -s malloc,256m
to:

Code: [Select]

ExecStart=/usr/sbin/varnishd -a :82 -f /etc/varnish/default.vcl -s malloc,256m
After that, run:

Code: [Select]

# systemctl daemon-reload

23

Apache / Re: How to stop malicious scans

« on: March 30, 2025, 12:57:22 AM »

I don't know what header you talking about, I copied the original code from the access_log and didn't change them.

I use Nginx & Apache.
(...)

The useragent header is the HTTP header that identifies the navigator acessing you HTTP server.

Does this affect Googlebot and Bingbot crawling pages?

No.

Is there any other way to stop it?

Yes.
Googlebot and Bing use honest useragents, so if you want to block them, you can simply block the "Googlebot" and "bingbot" useragents directly:

Code: [Select]

if ($http_user_agent ~* "(Googlebot|bingbot)") {
    return 403;
}

You can choose too any other useragent:

Code: [Select]

if ($http_user_agent ~* "(Googlebot|bingbot|Android|iPhone|iPod|Symbian|BlackBerry|Windows Phone|Mobile|J2ME)") {
    return 403;
}

You can install the "Nginx Ultimate Bad Blocker" to block hundreds other useragents:
https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker

24

Nginx / Re: How to update NGINX version to version 1.26.2

« on: March 27, 2025, 02:48:11 AM »

My Approach to Upgrading Nginx Without a Full Reinstallation

In my experience, the optimal strategy is to update Nginx directly using the official stable repository, rather than removing it entirely. This approach helps maintain your current configuration and avoids the hassle of extensive reconfiguration.

(...)

No only the package installation, but nginx have modules too, and you need to follow up and maintain updated the modules too.
This is much more easy to do with AlmaLinux modules.

A manual installation would impose to you build the module packages, this is not good.
For this reason, I do "module" installation.

To check available modules:

Code: [Select]

# dnf module list nginx

There are only nginx version 1.24 available to install.

Code: [Select]

# dnf -y module enable nginx:1.24

Installing nginx and modules ..."

Code: [Select]

# dnf -y module install nginx

Changing permissions to directory /var/lib/nginx :

Code: [Select]

# chmod +x -R /var/lib/nginx

Changing ownership of directory /var/lib/nginx :

Code: [Select]

# chown nobody -R /var/lib/nginx/

Ps.: the downside is that AlmaLinux modules do not have such up-to-date versions. But the current nginx version (1.24) is good to work.

Regards,
Netino

25

Apache / Re: How to stop malicious scans

« on: March 27, 2025, 02:20:43 AM »

Seems all accesses are being without user access header, isn't?
These are bad bots, wasting you bandwidth and machine resources.

You are using nginx?

I did the following, in file '/etc/nginx/conf.d/vhosts/domain.com.conf', change before "location / {" directive, including the following:

Code: [Select]

if ($http_user_agent = "") { return 444; }

...like in the following:

Code: [Select]

server {
        listen 11.22.33.44:80;       
        server_name domain.com  www.domain.com;
        (...)
        if ($http_user_agent = "") { return 444; }

        location / {
        (...)
}

You need to change the /etc/nginx/conf.d/vhosts/domain.com.ssl.conf files too, if you use ssl.

Regards,
Netino

26

Nginx / Re: Restrict access to a cwp_service

« on: March 27, 2025, 02:06:15 AM »

(...)
Is there a better way to do this using CWP ?

Create a file /usr/local/cwpsrv/conf/security.conf with the following content:

Code: [Select]

    #...
    satisfy any;

    allow 192.168.1.1/24;
    allow 127.0.0.1;
    deny  all;

    auth_basic           "Restricted access";
    auth_basic_user_file conf/ht_passwd;
Choose yours IP adresses, and/or define additional authentication on cwpsrv.

Create a file '/usr/local/cwpsrv/conf/ht_passwd' with your passwords:

Code: [Select]

# /usr/local/apache/bin/htpasswd /usr/local/cwpsrv/conf/ht_passwd

In file '/usr/local/cwpsrv/conf/cwp_services.conf', change your directive to:

Code: [Select]

location /pma {
    root /usr/local/cwpsrv/var/services;
    index  index.html index.htm index.php;
    include /usr/local/cwpsrv/conf/security.conf;
    (...)
}
...and restart cwp on the panel, or with the command:

Code: [Select]

# /scripts/restart_cwpsrv
Regards,
Netino

27

CSF Firewall / Re: Firewall CFS not enable alma8 - al8 (fixed)

« on: March 25, 2025, 02:45:25 AM »

Did that and CWP install. CWP is showing the firewall is off but when I run the enable from the panel it says the firewall is already running. Will it still handle the tables?

Try to post here the last part of the file /var/log/lfd.log, right after you try to restart csf:

Code: [Select]

tail -50 /var/log/lfd.log

28

CSF Firewall / Re: Firewall CFS not enable alma8 - al8 (fixed)

« on: March 23, 2025, 05:42:15 PM »

Perhaps you check there are a 'install.cwp.sh' script in ./csf directory?

Now, as you did run normal installation script, run 'uninstall.sh' (the normal uninstallation script), and install again, now running 'install.cwp.sh'.

Regards,
Netino

29

E-Mail / Re: sendmail

« on: March 12, 2025, 12:35:39 AM »

I've got my ecommerce platform set to sendmail.  But Im not getting email from the contact page.  Any ideas what may be causing this.  Yes I know I have the smtp option.

CWP is not installed with sendmail, but with postfix.
Postfix have a tool named 'sendmail', but is not for the purpose to be a MTA, mail transfer agent, is just to check mail deliverability.

Sugestions from Deepseek.com:

If your ecommerce platform is set to use sendmail but you're not receiving emails from the contact page, there could be several reasons for this issue. Here are some steps to troubleshoot and resolve the problem:

1. Check the Email Sending Configuration
Ensure that your ecommerce platform is correctly configured to use sendmail and that the sendmail path is correct.

Verify that the "From" email address in the contact form is valid and properly formatted.

2. Test sendmail on the Server
Log in to your server via SSH.

Test sendmail directly from the command line to ensure it’s working:

Code: [Select]

echo "Test email body" | sendmail -f your@email.com recipient@email.com
Replace your@email.com with the sender's email and recipient@email.com with your email address.

Check if you receive the test email. If not, the issue might be with sendmail itself.

3. Check Email Logs
Look at the mail logs to see if the emails are being sent and if there are any errors.

On most Linux systems, you can check the logs using:

Code: [Select]

tail -f /var/log/maillog
or

Code: [Select]

tail -f /var/log/mail.log

Look for errors related to sendmail or email delivery.

4. Check Spam/Junk Folder
Sometimes emails sent via sendmail might be flagged as spam. Check your spam/junk folder to see if the emails are there.

5. Verify PHP Configuration
If your ecommerce platform uses PHP to send emails, ensure that PHP is configured to use sendmail.

Check the php.ini file for the sendmail_path setting:

Code: [Select]

sendmail_path = /usr/sbin/sendmail -t -i
Restart your web server (e.g., Apache or Nginx) after making changes.

6. Check Contact Form Code
Ensure that the contact form is correctly passing the email address and message to the sendmail function.

Look for any errors in the form submission process, such as missing fields or validation issues.

7. Test with SMTP Instead
If sendmail continues to fail, consider switching to SMTP for sending emails. Most ecommerce platforms support SMTP, which is often more reliable.

Use an SMTP service like Gmail, SendGrid, or your hosting provider's SMTP server.

8. Check Server Firewall and Ports
Ensure that your server’s firewall is not blocking outgoing email traffic (port 25 for sendmail).

If you’re using SMTP, ensure the appropriate ports (e.g., 465 for SSL, 587 for TLS) are open.

9. Contact Your Hosting Provider
Some hosting providers block sendmail or restrict its usage to prevent spam. Contact your hosting provider to confirm if sendmail is allowed on your server.

10. Debugging Tools
Use debugging tools or plugins provided by your ecommerce platform to trace email sending issues.

For example, in WordPress, you can use plugins like WP Mail Logging or Check Email to debug email delivery.

Regars,
Netino

30

Backup / Re: external backup of mysql database to linux server using bash

« on: February 24, 2025, 02:56:21 AM »

Hi

is it possible to access mysql database with out going in the control panel for the user. i have a user who wants to backup his mysql database to his home linux server using a bash script. we dont need help with the script but wondering if i can access myphpadmin without logging in to the users control panel

Hope this makes sense.

Thanks
Dave

Yes, it is possible do it with a script.
But not without a little added complexity.

1) Open the 3306 port remotely to your user.
If your user have a fixed IP address, open just for that IP in CSF firewall.
If your user haven't a fixed IP address, you can use a portknocking scheme, in CSF firewall.

2) Allow the MariaDB user to remotely access directly the database:
in file /etc/my.cnf.d/server.cnf, change the line (just uncomment it):

Code: [Select]

#bind-address=0.0.0.0
to

Code: [Select]

bind-address=0.0.0.0

3) May be you prefer to create a new user do just remote backups (a readonly user, with just SELECT permission):
You can create a new user account that will only connect from the remote host (fixed IP remote_server_ip) with the following command:

Code: [Select]

MariaDB [(none)]> CREATE USER 'new_user'@'remote_server_ip' IDENTIFIED BY 'password';

Then grant the new user the appropriate privileges for your particular needs. I recomment a readonly user, with:

Code: [Select]

MariaDB [(none)]> GRANT SELECT on `Database_name`.* TO 'sammy'@'remote_server_ip' WITH GRANT OPTION;
Replace Database_Name with the backuped database name, and remote_server_ip with a FIX IP address.

But, if it have a dynamic IP (CAUTION: using ONLY with portknocking scheme) use:

Code: [Select]

MariaDB [(none)]> CREATE USER 'new_user'@'%' IDENTIFIED BY 'password';
MariaDB [(none)]> GRANT SELECT on `Database_name`.* TO 'sammy'@'%' WITH GRANT OPTION;

After changes of privileges in MariaDB, run:

Code: [Select]

MariaDB [(none)]> FLUSH PRIVILEGES;

One more word of caution: open your port 3306 to the internet only to someone with a fixed IP address, or don't open it at all without using the portknocking scheme.

To your user access with portknocking, your customer can install 'nmap' program, and use:

Code: [Select]

#!/bin/bash
remotehost=12.23.34.45
for x in 555 111 444 333; do sudo nmap -p $x $remotehost > /dev/null; done
where 12.23.34.45 is the IP of the your main server, and 555, 111, 444 and 333 are the ports numbers used in your portknocking scheme.
CAUTION: Do not use these ports numbers, change it to your taste.

After the port are opened, your user can install and use mariadb-dump, mariadb-backup or mysqldump programs to make their backups.

Regards,
Netino