

Messages - iraqiboy90

61
E-Mail / Re: How to change MX record to subdomain?
« on: March 10, 2022, 05:24:35 PM »
MX records should be as follows
@ IN MX 0 [and domain/sub that points to the server].  << Don't forget the period at the end

@ = domain
0 =  mailserver priority

This surely only applies when writing the DNS record manually into the file, right?

62
DNS / Re: DNS/NS Set up
« on: March 10, 2022, 03:45:53 PM »
The original poster had the problem of slow DNS propagation. So, as @rcschaff said, if you just added an A record for those NS domains, it can take up to 72 hours to resolve everywhere in the world.

63
DKIM / Re: No records in DKIM & SPF Manager
« on: March 10, 2022, 03:34:41 PM »
Well... there is currently a visual bug with that DKIM page. I have 34 records. When selecting view 5, 10 or 25 items, the list shows up with several pages, but if I select 50 or 100, which is higher than the amount of records I have, it will show as empty.

Just like what's happening in your list. You have 8 records, but because the lowest filter you can choose is 10, you won't see them there. To be sure if there is a DKIM record, check the DNS records section in the "List DNS zones"

Testing with
dig txt default._domainkey.casavalenthina.com.br
you don't seem to have one at this moment
Edit: Seems to be there now. Did you just add it again?


If the DKIM service is running fine, (the warning you're getting is possibly a false positive), then run the rebuild of all DNS zones to generate new DKIM and SPF:
Code:
/usr/local/cwp/php71/bin/php /etc/opendkim.conf

64
CSF Firewall / Re: How to make WireGuard work?
« on: March 09, 2022, 05:31:16 PM »
- You can't have php-fpm without a pro license.

- To open a port in the firewall, edit /etc/csf/csf.conf
Find TCP_IN, TCP_OUT, UDP_IN, UDP_OUT and put the port there, depending on whether the port is TCP or UDP and whether it is inbound or outbound, then restart the firewall.

- Check in Admin CP if the scripts are getting blocked by Mod_security:
Security - Security Center - Security incidents tab.
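The csf.conf edit described in that post, as an added example in Python that is not CWP's or CSF's own code: it locates the `TCP_IN`/`TCP_OUT`/`UDP_IN`/`UDP_OUT` line, adds the port without duplicating it, and leaves the rest of the file untouched. The config excerpt, the `open_port` and `list_ports` helpers and the use of WireGuard's commonly used default port 51820 are assumptions made for the example; on a server you would read and write /etc/csf/csf.conf and then restart CSF.

```python
"""Open a port in CSF by editing the TCP_IN/TCP_OUT/UDP_IN/UDP_OUT lists.

Added example, not CWP's or CSF's own code. It does in code what the post
describes by hand: find the list in csf.conf, add the port, restart CSF.
The config excerpt below is constructed; on a server you would read and
write /etc/csf/csf.conf instead.
"""
import re

# Constructed excerpt of a csf.conf (real files hold many more settings).
SAMPLE_CSF_CONF = """\
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2030,2031"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"

# Allow incoming UDP ports
UDP_IN = "20,21,53"

# Allow outgoing UDP ports
UDP_OUT = "20,21,53,113,123"
"""

VALID_LISTS = ("TCP_IN", "TCP_OUT", "UDP_IN", "UDP_OUT")


def _list_pattern(list_name: str) -> "re.Pattern[str]":
    # Anchored at line start so a comment that mentions the name is not edited;
    # [ \t]* rather than \s* so the match never swallows the newline.
    return re.compile(rf'^{list_name}[ \t]*=[ \t]*"([^"]*)"[ \t]*$', re.MULTILINE)


def list_ports(conf_text: str, list_name: str) -> list:
    """Return the entries currently in the named list (empty entries dropped)."""
    match = _list_pattern(list_name).search(conf_text)
    if match is None:
        return []
    return [e.strip() for e in match.group(1).split(",") if e.strip()]


def open_port(conf_text: str, port: int, list_name: str) -> str:
    """Return conf_text with `port` added to the named list.

    Entries are de-duplicated and kept sorted, so running this twice is a
    no-op. Range entries such as "3000:3100" (which CSF accepts) are kept
    verbatim and sorted by their first port.
    """
    if list_name not in VALID_LISTS:
        raise ValueError(f"unknown CSF list {list_name!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    match = _list_pattern(list_name).search(conf_text)
    if match is None:
        raise ValueError(f"{list_name} line not found")

    entries = set(list_ports(conf_text, list_name))
    entries.add(str(port))
    ordered = sorted(entries, key=lambda e: int(e.split(":")[0]))
    new_line = f'{list_name} = "{",".join(ordered)}"'
    return conf_text[: match.start()] + new_line + conf_text[match.end():]


if __name__ == "__main__":
    # WireGuard speaks UDP; 51820 is its commonly used default listen port.
    updated = open_port(SAMPLE_CSF_CONF, 51820, "UDP_IN")
    print(updated)
    print("Write the result to /etc/csf/csf.conf, then restart with: csf -r")
```

Only the one list line changes, which is the point: opening a UDP port must not touch TCP_IN, and re-running the edit must not grow the list. Keep the allow lists as short as the services you actually run; every extra port is one more thing the server's own firewall is the last line of defence for.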

65
PHP / Re: Php mail havent permission to phpmail.log
« on: March 08, 2022, 12:38:33 PM »
Permission for this file on my system is:
-rw-rw-rw-. root root

66
PHP / Re: Update issue
« on: March 08, 2022, 01:22:46 AM »
Convinced him to buy the license :)

I found out that, for some reason, he had httpd installed in /etc/httpd, forcing the use of port 80 and conflicting with nginx. Took some time figuring this one out :p

67
Postfix / Re: Spam Filtering by Subject Line
« on: March 07, 2022, 10:12:56 AM »
I don't think spammers care about the Reject status, because most of the time it's bots. Same for greylisting. Most of them won't try again after a 4.x.x response.

So, greylisting (a bit aggressive for my taste) + spamassassin + spamhaus/blacklist checks = The best spam protection without false positives.

You can't have 100% spam protection without false positives.
Hi,
does CWP have greylisting?
Is it possible to activate it?
I think that this should solve many of spam problems, I am currently facing.

Thx

You are going to need to manually install it.
https://wiki.centos.org/HowTos/postgrey?action=fullsearch&context=180&value=spf

68
Good read. You got some points there. Something new to learn :)

69
Hi @iraqiboy90, many thanks for the pointer - the Navigation > CWP Settings > Edit Settings page was the place I needed to be - not sure how I missed it as it's at the very top of the list after Dashboard!

It wasn't entirely straightforward to correct the vhost configurations.  The "NAT Local IP" setting was already showing 192.168.1.202 (I guess it picked it up from the "ifconfig" info for the active ethernet port) so rebuilding the web server configs still had no effect.  In the end I unticked "Activate NAT-ed network configuration", rebuilt the config files (so they now had my external public IP address), then re-ticked the box and rebuilt the configs again.  This time they had the correct IP address - 192.168.1.202.  Many thanks!!

Glad I could help.


To answer your question about using Port Forwarding instead of DMZ, the latter is essentially a NAT rule that redirects ALL incoming requests arriving at the public interface of your broadband router (other than the ones explicitly Port-Forwarded) to a nominated server on your LAN, so really it's a massive catch-all Port-Forward rule.  It's dangerous to redirect all external requests to a server because that leaves it wide open to attack from outside, protected only by its own internal firewall rules, which might be buggy or not present at all.  It's much safer to forward just the requests you're expecting the server to receive as there's less scope for surprises.  Furthermore, selective redirection means you can redirect other traffic to other servers on your LAN - for example, you could have separate machines running email, video conferencing, etc.  The DMZ setting is only really safe to use when you point it at a dedicated firewall/router, which is how my own LAN is set up.

As for setting the server to auto-DHCP its address from the router, this is a very bad idea.  It means your server could be allocated a new IP address at the whim of the router, moving it away from the DMZ or Port-Forward address configured in your router and totally breaking your CWP's ability to receive incoming requests.  No, you must fix the local address in the server configuration and use that fixed address in your router's Port-Forward settings (and not the DMZ settings because that's unsafe).

Yeah, I know how DMZ works. All servers not hosted on local home routers (i.e. Blue Host) are running on the same "DMZ" principle. So, saying that DMZ is dangerous is only true if you don't know what you are doing. A Linux server's firewall should not be buggy or "not present" if configured correctly.

But, you have a point regarding port forwarding other ports to other IP addresses. I've thought of this point while writing my previous post, but I thought it to be irrelevant since I understood from your first post that you were using a simple home router, but it seems like you have yourself a custom router/firewall setup. Are you running everything with just one public IP address?

In regards to Auto DHCP; That's not true. I said that if you tell your router to manually assign a specific IP address (which in your case is 192.168.1.202) to your server and lock it, then the router won't have a whim to change it. I'm afraid with your way, the router may try to assign a new IP address to the server when the Lease Time has expired, but the server won't accept it because you told the server to not use anything else.

70
Postfix / Re: Spam Filtering by Subject Line
« on: March 06, 2022, 02:58:21 PM »
I don't think spammers care about the Reject status, because most of the time it's bots. Same for greylisting. Most of them won't try again after a 4.x.x response.

So, greylisting (a bit aggressive for my taste) + spamassassin + spamhaus/blacklist checks = The best spam protection without false positives.

You can't have 100% spam protection without false positives.

71
Why are you not using DMZ instead of port forwarding?

If your vhost files are using the IP that you had before, then it means that your "Shared IP" aka public IP was set to 192.168.0.202, but I think this is the wrong way of doing it.
You should make your now new local IP a DMZ, then tell the panel the NAT Local IP is now 192.168.1.202 and the Shared IP to be your public IP (https://whatismyipaddress.com) and put a check in "Active NAT-ed network configuration".

Here: CWP Settings - Edit Settings
then remember to rebuild all your vhost files with the new IP by putting a check in "Rebuild All WebServers vHosts with the new IP changes" and Save Changes

Here's one more thing:
tell your server to use auto DHCP so the router decides the IP. Then tell the router to assign the IP you want for the MAC address of the server. This way, you don't end up editing server network files and complicate things.

When using DMZ, all port configurations should be done within the server's firewall.

72
CentOS 7 Problems / Re: .htaccess: Option All not allowed here
« on: March 05, 2022, 08:47:56 PM »
Any news on whether or not you got it fixed?

I have some comments for your htaccess file.
- It's filled with junk # notes that will slow every apache request because it has to read this file every time.
- "ServerSignature Off" should be put in the top of the /usr/local/apache/conf/httpd.conf file.
- "Options -Indexes" is not needed because it's already enabled on the default vhost apache configuration for your domain, unless you changed it.
- Same with "DirectoryIndex index.php index.html /index.php"

Either way, your htaccess file should look like this after removing 70 lines of junk code and comments slowing down every apache request:
Code:
ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php
ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php
ErrorDocument 404 /404.php
ErrorDocument 405 /wp-content/plugins/bulletproof-security/405.php
ErrorDocument 410 /wp-content/plugins/bulletproof-security/410.php
# DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS
RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$
# WP-ADMIN/INCLUDES
# Use BPS Custom Code to remove this code permanently.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
RewriteRule ^wp-includes/theme-compat/ - [F]
# WP REWRITE LOOP START
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
# REQUEST METHODS FILTERED
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

But it seems like you have a wordpress plugin controlling your htaccess file, so those junk lines may get re-added.

73
PHP / Re: Update issue
« on: March 05, 2022, 08:31:56 PM »
Quote
In my vhost configuration file I have this address associated with php /usr/local/cwp/php71
You are looking at the wrong vhost file.

Quote
but in my panel it says that I am running version 7.4 which is not true because wordpress is mentioning that I have an old one
The version 7.4 you are mentioning in the picture cannot be used because you disabled it from being used by forcing PHP-FPM feature, which is set at 7.3 as a default version for all websites, unless the website is told to use something else (not the 7.4 in the picture).

Not sure how you got to forcing PHP-FPM without knowing what it means, and if you did just follow instructions blindly, then your wordpress would be running with 7.3, not 7.2.

There is something wrong somewhere in your configurations.

Step one
Option one:
Find out what your PHP version really is through the website:
- Open the file browser and navigate to the content of the wordpress website. In the main folder for your domain/wordpress site, create a file named info.php.
- Put this code it in
Code:
<?php phpinfo(); ?>
- Save the file and open it normally with the browser. http://your_wordpress_domain.com/info.php
- Take a screenshot of what's in there without scrolling and post it here.
- Delete the info.php file, as it can be a security issue if left publicly accessible.

Option two
Find out what your PHP version really is through CWP:
- In CWP admin panel. Go to WebServer Settings - WebServer Conf Editor - Click on the Apache tab - Click on /usr/local/apache/conf.d/vhosts/ tab - Find the .conf file for your wordpress site - Click on edit - Scroll down to <IfModule proxy_fcgi_module>
- there should be a code there looking like this:
Code:
<IfModule proxy_fcgi_module>
<FilesMatch \.php$>
SetHandler "proxy:unix:/opt/alt/php-fpm74/usr/var/sockets/user.sock|fcgi://localhost"
</FilesMatch>
</IfModule>
- Take a screenshot of it and post it here.
- DON'T edit anything in there.

Step two

- In CWP admin panel - Go to WebServer Settings - WebServers Domain Conf - Select the user that has the wordpress site
- Does the button under Actions for your wordpress site say "Create Configuration" or "View/Edit Configuration"?
- Take a screenshot of the list and post it here anyways...

74
E-Mail / Tips/Tricks - Daily mail server report
« on: March 05, 2022, 11:17:34 AM »
Hello

I think this could be very useful to keep a lookout on your mail server in order to keep track of possible spam attempt.
This service will email you a report after looking at the entire previous day's log and give you a short and detailed info on what got rejected, which email client sent emails and which email address sent email to your server.

You'll need:

- pflogsumm 1.1.3 (the service that give you the report)
- mailx (Optional: to send email from server to the server email administrator)

Download pflogsumm into /usr/local/sbin/
Code:
cd /usr/local/sbin/
wget https://raw.githubusercontent.com/KTamas/pflogsumm/5184ce744d549b83e336ce1c1a899ad42138304e/pflogsumm.pl
chmod +x pflogsumm.pl

Install mailx
Code:
yum install mailx
Configure pflogsumm to send the daily report to your local email
Code:
crontab -e
# daily at 03:00, over yesterday's entries; the script was saved as pflogsumm.pl above
0 3 * * * /usr/local/sbin/pflogsumm.pl -d yesterday /var/log/maillog --problems_first --rej_add_from --verbose_msg_detail | mail -s 'Postfix Report' yourEMAIL@address

You can test the command in SSH:
Code:
/usr/local/sbin/pflogsumm.pl -d yesterday /var/log/maillog --problems_first --rej_add_from --verbose_msg_detail
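To show what the daily report is for, here is an added example in Python that is not pflogsumm's or CWP's code: a small stand-in summarizer that reads a few constructed maillog lines (RFC 5737 documentation addresses and example domains, not a real server) and produces the same kind of information the post describes, rejections first (by reason, by envelope sender as `--rej_add_from` adds, and by client IP), then which clients and senders were accepted and how delivery went. The regexes, the `classify` categories and the sample lines are assumptions made for this example.

```python
"""Summarize a day of Postfix rejections and senders from maillog lines.

Added example, not pflogsumm's or CWP's code: a small stand-in for the daily
report the post sets up, showing what such a report can tell you about spam
attempts. The log lines below are constructed with RFC 5737 documentation
addresses and example domains; on a server you would read /var/log/maillog.
"""
import re
from collections import Counter

SAMPLE_MAILLOG = """\
Mar  4 03:12:01 srv postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<promo@example.net> to=<sales@example.com> proto=ESMTP helo=<mx.example.net>
Mar  4 03:12:09 srv postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<promo@example.net> to=<info@example.com> proto=ESMTP helo=<mx.example.net>
Mar  4 03:40:22 srv postfix/smtpd[2140]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 450 4.7.1 <nobody@example.com>: Recipient address rejected: Greylisted; from=<alice@example.org> to=<nobody@example.com> proto=ESMTP helo=<mail.example.org>
Mar  4 04:01:10 srv postfix/smtpd[2155]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <ghost@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<bob@example.net> to=<ghost@example.com> proto=ESMTP helo=<example.net>
Mar  4 04:15:33 srv postfix/smtpd[2170]: A1B2C3D4E5: client=mail.example.org[198.51.100.7]
Mar  4 04:15:33 srv postfix/qmgr[1900]: A1B2C3D4E5: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)
Mar  4 04:15:34 srv postfix/smtp[2171]: A1B2C3D4E5: to=<user@example.com>, relay=local, delay=0.5, delays=0.3/0/0/0.2, dsn=2.0.0, status=sent (delivered to mailbox)
Mar  4 05:02:12 srv postfix/smtpd[2200]: F6E5D4C3B2: client=localhost[127.0.0.1]
Mar  4 05:02:12 srv postfix/qmgr[1900]: F6E5D4C3B2: from=<user@example.com>, size=512, nrcpt=1 (queue active)
Mar  4 05:02:15 srv postfix/smtp[2201]: F6E5D4C3B2: to=<carol@example.net>, relay=mx.example.net[198.51.100.20]:25, delay=2.1, delays=0.1/0/1/1, dsn=2.0.0, status=sent (250 OK)
"""

# Lines smtpd writes when it refuses a RCPT TO (the "reject:" lines).
REJECT_RE = re.compile(
    r"reject: RCPT from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) "
    r"(?P<dsn>\d\.\d+\.\d+) (?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)
# Accepted messages: smtpd logs the client, qmgr the envelope sender, smtp the outcome.
CLIENT_RE = re.compile(r": (?P<qid>[0-9A-F]{6,}): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]{6,}): from=<(?P<sender>[^>]*)>, size=(?P<size>\d+)")
STATUS_RE = re.compile(r"status=(?P<status>[a-z]+)")


def classify(reason: str) -> str:
    """Fold the free-text reject reason into a short category for counting."""
    r = reason.lower()
    if "blocked using" in r:
        return "blocked by DNSBL"
    if "greylist" in r:
        return "greylisted"
    if "user unknown" in r:
        return "unknown recipient"
    return reason.split(";")[0][:60]


def summarize(log_text: str) -> dict:
    """Count rejects (by reason, sender, client IP), accepted senders/clients, delivery status."""
    summary = {
        "rejects": 0,
        "reject_reasons": Counter(),
        "rejected_senders": Counter(),
        "rejecting_clients": Counter(),
        "senders": Counter(),
        "clients": Counter(),
        "delivery_status": Counter(),
    }
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            summary["rejects"] += 1
            summary["reject_reasons"][classify(m["reason"])] += 1
            summary["rejected_senders"][m["sender"] or "<>"] += 1
            summary["rejecting_clients"][m["ip"]] += 1
            continue
        m = CLIENT_RE.search(line)
        if m:
            summary["clients"][m["host"]] += 1
            continue
        m = FROM_RE.search(line)
        if m:
            summary["senders"][m["sender"] or "<>"] += 1
            continue
        m = STATUS_RE.search(line)
        if m:
            summary["delivery_status"][m["status"]] += 1
    return summary


def format_report(summary: dict) -> str:
    """Render the summary with problems first, in the spirit of --problems_first."""
    out = [f"Rejected: {summary['rejects']}"]
    for title, key in (
        ("Reject reasons", "reject_reasons"),
        ("Rejected senders", "rejected_senders"),
        ("Rejecting client IPs", "rejecting_clients"),
        ("Delivery status", "delivery_status"),
        ("Accepted senders", "senders"),
        ("Accepted clients", "clients"),
    ):
        out.append(f"\n{title}:")
        for name, count in summary[key].most_common():
            out.append(f"  {count:>5}  {name}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_MAILLOG)))
```

Reading the rejects section day by day is what makes the report useful: a client IP that keeps hitting the DNSBL reject, or a burst of "unknown recipient" rejects, is the pattern you want to notice early, and the greylist line shows a legitimate sender that will retry rather than a problem.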

75
SSL / Re: AUTOSLL problem fixed by disabling IPV6
« on: March 01, 2022, 10:59:51 PM »
I don't know how you complicated the method of disabling IPv6, but here's how you do it easily and fast:

- Edit your network adapter settings (check adapter name with ifconfig)
/etc/sysconfig/network-scripts/ifcfg-****
Change to IPV6INIT=no

- Disable ipv6 for named if you are running a DNS server
/etc/sysconfig/named
add this: OPTIONS="-4"

- Edit this:
/etc/sysctl.conf
add this:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

and then restart server anyways
