Messages - adamjedgar

76
Information / Re: IP Access restriction
« on: June 20, 2019, 09:12:58 PM »
Just buy/rent a static IP address for your home/office internet connection from your internet service provider.

Here in my country it costs me $10/month for one.

Solves the problem.

77
Information / Re: ssh disable root login
« on: June 14, 2019, 09:43:24 AM »
I may be misunderstanding the question...if so forgive me.

The object of the exercise as far as my limited knowledge of web servers goes is this...

1. Having ssh logins for users, in general, is a terrible idea for most web servers. That means, no user should be given ssh login ability unless you are prepared to spend a good deal of time making sure you are both capable and willing to really lock down the web server.

2. If the ssh login is just for a single user, or small group who you have excellent control over, then it's by far one of the most secure forms of communication between yourself and your server!

So the above two scenarios at first glance seem to completely contradict each other, however, that is not exactly a good illustration of the problem. The problem is that one of the most secure forms of communication (ssh) is potentially the most catastrophic to the server should it get hacked! Some of the issues are:

- users being able to see files that don't belong to them
- users potentially running dangerous commands
- ssh can still be brute forced

Whilst all of the above are not beyond fixing, I don't allow any SSH access to my webservers for anyone else but myself. If clients have use of filemanager, or even a CMS such as WordPress, I don't see any good reason why they need ssh/sftp access (or alternatively, ftp/ftps for that matter).

Now, in terms of root user access from terminal...

The reason we are told to disable "root user" ssh or shell access is:

1.  Just in case the root account gets hacked! Such a scenario would be catastrophic to your web server!
2.  So you can't stuff your system so easily when playing around on a live production system!

So the recommended alternative is to create a sudoer user...which has rights similar to root for most things, however, does not have access to high-level directories that can be used to completely destroy the server either intentionally or unintentionally.

A sudoer should not be able to edit/write to root owned directories unless group permissions have been assigned that allow such access!

Short and curly...create a sudoer administrator user and provide access to ssh for that user. Usually one then disables direct access to ssh by root.

Should you be in command shell via programs such as putty for example, then in order to gain root access, you then elevate your sudo user to temporarily gain root access using a few different methods...

1. sudo
2. sudo -i
3. su
4. sudo -s

I am also able, on one of my systems, to change an existing user to root by typing "su root"

I also do not see any great advantage in using private key files either. Sure it makes brute forcing the server account directly almost impossible, if someone gets access to your keyfiles on your desktop pc (because home computers have such great reputations for getting viruses and trojans etc)....

Finally, I think there is some misconception about the "Control Panel" root user access, and normal shell/command prompt access. Disabling the root user shell access doesn't mean the control panel is going to stop functioning!

this is my understanding of the why and how.
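
One way to check a server against the setup described in the post above (root login over ssh disabled, a single sudo-capable admin account allowed in), as an added example that is not part of the original post or of CWP. The account name `webadmin` and the sample config are constructed for illustration; `PermitRootLogin`, `AllowUsers` and `PasswordAuthentication` are standard sshd_config keywords.

```sh
#!/bin/sh
# Added example: audit an sshd_config for "no root login, one named admin".

# Print the effective global value of keyword $2 in config file $1.
# sshd keeps the first value it reads for a keyword; keywords are
# case-insensitive. Parsing stops at the first Match block (conditional).
# Assumes the whitespace-separated "Keyword value" form.
sshd_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Print one line per finding and return the number of FAIL findings.
# $1 = config file, $2 = admin login name (hypothetical: "webadmin").
audit_sshd() {
    findings=0
    root=$(sshd_value "$1" PermitRootLogin)
    allow=$(sshd_value "$1" AllowUsers)
    pass=$(sshd_value "$1" PasswordAuthentication)
    if [ "$root" != "no" ]; then
        echo "FAIL PermitRootLogin is '${root:-unset}', want 'no'"
        findings=$((findings + 1))
    fi
    case " $allow " in
        *" $2 "*) ;;
        *) echo "FAIL AllowUsers does not list '$2' (is '${allow:-unset}')"
           findings=$((findings + 1)) ;;
    esac
    if [ "$pass" != "no" ]; then
        echo "WARN PasswordAuthentication is '${pass:-unset}': passwords can be brute forced"
    fi
    return "$findings"
}

# Constructed sample config: the later "PermitRootLogin no" is ignored
# because sshd already read "yes" on an earlier line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
permitrootlogin yes
AllowUsers webadmin
PermitRootLogin no
EOF
audit_sshd "$sample" webadmin || echo "findings: $?"
rm -f "$sample"
```

Point `audit_sshd` at `/etc/ssh/sshd_config` on the server; after changing that file, run `sshd -t` to validate it before reloading the service.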




78
Information / How to change Apache mpm-prefork to mpm-Event
« on: June 14, 2019, 09:21:38 AM »
Hi guys,
What is the procedure in CWP for changing the default Apache multi-processing module from mpm-prefork to mpm-event?

79
Also remember, some mail spam detection software requires DMARC DNS records in addition to your existing reverse PTR/SPF and DKIM.

So don't forget to also create _DMARC and add this to your DNS zone.

80
Thanks for that.

I was logged in as root user...when entering code as shown I got an error...

[root@host1 ~]# sh/scripts/generate_hostname_ssl
-bash: sh/scripts/generate_hostname_ssl: No such file or directory


Instead, I entered the following (without the "sh")

[root@server4 ~]# /scripts/generate_hostname_ssl

Which then executed the script without any problem.

I am assuming this is ok as Dovecot now starts without issue.


81
Late update on this, but it's best not to leave an important part of the problem unanswered for users who may come across this...

I note the last post has the following result...

"sh: /scripts/generate_hostname_ssl: No such file or directory"

That is because you have to not include "sh" at the front of the command. So it should be entered as follows from root user for example:

[root@hostname ~]# /scripts/generate_hostname_ssl


Hope this helps others in the future as this is a common mistake even I regularly make (i.e. just copying code directly from an answer).

82
CentOS 7 Problems / Re: All emails out getting connection refused
« on: June 12, 2019, 04:58:12 AM »
OK, I just reread your first post.

What I did notice about mine is that on a fresh install, the hostname was still default to my VPS service provider (i.e. guest.vultr.com).

This was strange because I was sure I had already assigned the correct hostname in Vultr console before I installed CWP. Anyway, here is the other thread about this... http://forum.centos-webpanel.com/ssl/hostname-change-due-to-cwp-not-reflecting-hostname-assigned-vps-provider-console/

When I changed the hostname, I noticed that the host1.mydomain.com SSL record is not appending to the SSL certs directory (see another post I have made about this yesterday). I expected it should/would.

So now, Dovecot on my system fails to start because the SSL cert is obviously missing from the certs directory.

Like you, I also have my main domain on another server (i.e. I have host1.mydomain.com, host2.mydomain.com, host4.mydomain.com) and the mydomain.com website is not on this VPS.


83
Having setup a VPS, I realised that for some reason, the CWP install did not assign the hostname as expected. Instead it applied the default from VPS service provider "guest.domain.com" (I thought I had changed the service provider's default hostname.fqdn to "host1.mydomain.com" before install, however, I now suspect I must have not done this).


OK, so I have changed my system hostname as follows:

Dashboard>Server Settings>Change Hostname>New Hostname (host1.mydomain.com)

I then "Rebuild Mail Server" with new hostname

Postfix now reflects the change...

current settings in postfix
domain= "mydomain.com"
hostname = "host1.mydomain.com"

Dovecot fails to start...displaying an error because the SSL certificate for the new hostname "host1.mydomain.com" is not being appended to /etc/pki/tls/certs.

Quote
warning: TLS library problem: 32545:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/tls/certs/host1.mydomain.com.crt','r'):

Isn't CWP supposed to automatically append new certificate to the "/etc/pki/tls/certs/" file when hostname is changed? (I would imagine CWP should at least add a self signed cert here)

Did I miss something?





84
CentOS 7 Problems / Re: All emails out getting connection refused
« on: June 11, 2019, 05:57:44 AM »
Oh OK.

Try testing at https://www.mail-tester.com/

I have not even used my mail server on CWP...so it is just default after installation of CWP.

I just added a new domain, created an email account and sent an email to the above address. The email was received no problem. SpamAssassin and Spamhaus had no issues at all and the score on both of these fronts was fine.

Obviously in a default as installed configuration, my overall score was 2 out of 10. However, that is because I have not yet configured:

DMARC
SPF
DKIM
HELO
RPTR is currently pointing at the host instead of the actual domain i sent email from

I don't actually even have an MX record at my registrar for the domain.com I just sent the test email from (so server is using its own MX record)

I also sent myself an email from hotmail to CWP server. It received within 15 seconds with no issues even considering the above.

The above are all extremely simple fixes and will up my score much closer to 10 almost immediately. Like mine, yours should at the very least be sending email to the above website straight out of the box (even with errors).

I would not go playing with the mail server at this point...I have found that doing that almost always ends up stuffing a configuration that is quite likely working and doesn't have anything wrong with it. Please do the above first before playing with server configuration.

If you are willing to let someone else into your server I would be happy to take a closer look but honestly, I think with some written advice here you should be able to get it working just fine.

These will be just teething problems that often happen as a result of getting used to a particular system and control panel.

85
Can you post the full error message...the crucial part for someone to help problem solve this is missing..

What does the message say after "reg"?

Is it something like " rejected: unverified address " ?

86
CentOS 7 Problems / Re: All emails out getting connection refused
« on: June 10, 2019, 08:40:14 PM »
I'm in bed looking at this with mobile phone, so forgive me if I misread..

 Our system has detected that this 550-5.7.1 message does not meet IPv6 sending guidelines


"Emails without authentication often get email blocked or marked as spam to protect recipients from phishing scams. Unauthenticated emails with attachments might get completely rejected for security reasons.

To ensure Gmail can authenticate you:

- Send from the same IP address
- Keep valid reverse DNS records your IP address that point to your domain
- Choose the same address in the 'From:' header for every bulk message

Other recommendations

- Sign messages with DKIM. We don't authenticate messages signed with keys that use fewer than 1024 bits.
- Publish a SPF record.
- Publish a DMARC policy." From Google

That is your problem...It wouldn't matter if you used cPanel or any other panel...it has nothing to do with that, it's a mail server anti-spam issue.

Start from scratch with DNS records....

I used mxtoolbox.com and created a reverse PTR record using their "spf" generator for IPv6 protocol.

Copy that record into your DNS

Do the same for DMARC (don't just rely on DKIM)

Otherwise, disable IPv6 and just use IPv4 only (still need reverse PTR SPF for IPv4 btw)

Google search mxtoolbox DMARC generator for the URL for creating this in mxtoolbox.

Hope this helps

Kind regards
Adam
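
SPF and DMARC policies, which the posts above ask for, are published as DNS TXT records. The following check of such records is an added example, not part of the original posts; the domains, addresses and the tab-separated input format are constructed for illustration.

```sh
#!/bin/sh
# Added example: check the SPF and DMARC TXT records for one domain.
# Assumed input: one record per line, "name<TAB>TXT value".

# Print the SPF verdict for domain $2 using records file $1.
spf_status() {
    awk -F'\t' -v d="$2" '
        $1 == d && $2 ~ /^v=spf1( |$)/ { n++; rec = $2 }
        END {
            if (n == 0)     print "missing"
            else if (n > 1) print "multiple"   # RFC 7208: more than one is an error
            else if (rec ~ / [-~]all$/) print "ok"
            else            print "weak"       # +all, ?all or no "all" term
        }' "$1"
}

# Print the DMARC policy for domain $2, or "missing" / "invalid".
dmarc_policy() {
    awk -F'\t' -v d="_dmarc.$2" '
        $1 == d && $2 ~ /^v=DMARC1;/ {
            found = 1
            n = split($2, tag, /; */)
            for (i = 1; i <= n; i++)
                if (tag[i] ~ /^p=/) p = substr(tag[i], 3)
        }
        END {
            if (!found) print "missing"
            else if (p ~ /^(none|quarantine|reject)$/) print p
            else print "invalid"
        }' "$1"
}

# Constructed sample records (documentation addresses, placeholder domains).
records=$(mktemp)
{
    printf 'example.com\tv=spf1 mx ip4:203.0.113.10 ip6:2001:db8::10 -all\n'
    printf '_dmarc.example.com\tv=DMARC1; p=quarantine; rua=mailto:postmaster@example.com\n'
    printf 'example.net\tv=spf1 mx -all\n'
    printf 'example.net\tv=spf1 ip4:203.0.113.20 ~all\n'
} > "$records"
for dom in example.com example.net; do
    echo "$dom spf=$(spf_status "$records" "$dom") dmarc=$(dmarc_policy "$records" "$dom")"
done
rm -f "$records"
```

The second sample domain shows a common mistake: two separate SPF records for one name, which receivers treat as an error rather than merging them.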

87
CentOS-WebPanel Bugs / Re: Difference between CWP and free -m
« on: June 09, 2019, 11:17:11 AM »
Cwp pro is so cheap why not get pro...it makes life a lot easier

88
Installation / Re: WHMCS new module - 404
« on: June 09, 2019, 11:02:21 AM »
I was of the understanding that the port you set for cwp is what whmcs uses when provisioning.

So when configuring the cwp module and products in whmcs you assign domain.com:port and ipaddress:port

So whatever port your cwp uses is the same one you enter into whmcs.

(Perhaps i am confusing this with Virtualmin module) I will check mine tomorrow and post back if you haven't got a solution by then.

89
Installation / Re: Newbie Question: Can't Create User Fail
« on: June 09, 2019, 10:47:34 AM »
I strongly advise you to start from scratch...trying to use an O/S that has already been configured by another proprietary control panel will almost certainly cause you ongoing problems.

There are very few control panels that simply sit on top of an operating system and don't alter it in some way.

Save yourself many hours of heartache and start with a fresh VPS.

90
Addons / Re: open source billing system like WHMCS
« on: June 08, 2019, 11:20:59 PM »
I have both Blesta and WHMCS and both work very well provisioning CWP packages.

Having said that, at present I have had both programs installed on an independent Virtualmin system and use them to provision CWP, VestaCP and Virtualmin packages.

It should not make any difference where it's installed. If you go to the knowledge base part of this website, they have a document on how to install it. http://wiki.centos-webpanel.com/whmcs-module-for-cwp-api

I found that so long as you carefully setup the API access and ports, the WHMCS module works quite well.

Can I just say in passing, the difference in price between WHMCS and Blesta is only a few dollars per month. However, the difference in support, quality and capability is 10 times greater than that (WHMCS wins out hands down). Blesta actually is a rip off at its current price when compared with WHMCS...it's not worth half what they charge for it. I have recently removed Blesta and no longer subscribe to it.

Reasons for my change...
1. WHMCS far far superior and better value for money (indeed the cost of 1 cheap cup of coffee per month difference)
2. WHMCS has far superior support and knowledge base
3. WHMCS immediately after install is very well configured in almost every area (Blesta has a lot of work to be done by user for email templates, invoice templates and so on)
4. WHMCS has a much better and more configurable client area and admin interface

The BIG downside of WHMCS...everything is Ioncube protected. So you can't go into modules or any code to figure anything out when troubleshooting (a huge pain in the ass).

Overall though, WHMCS is currently the better option by a long way. Blesta is obviously a newer product and will improve over time, but not worth it right now for me.
