Messages - Netino

1
Run these commands:

Code: [Select]
# ls -alF /var/lib/spamassassin
Code: [Select]
# grep spamassassin /etc/postfix/master.cf | grep pipe | sed -r 's/^spamassassin.*pipe user=(\S+).*/\1/'
and post here.

Regards,
Netino

2
SSL / Re: Problem with renewing SSL certs
« on: May 14, 2025, 02:20:06 AM »
Ah, but the website is on another server that I don't administer. How can I change the verification mode?

You simply can't get certificates via LetsEncrypt in apache mode if you can't save tokens in a specific area of the web server.
But with another app (certbot) in DNS mode, you could.
Do you manage the DNS server of these sites?


3
The process of forcing the creation of stronger passwords can be seen here:
https://docs.redhat.com/en-us/documentation/red_hat_enterprise_linux/7/html-single/security_guide/index#sec-Forcing_Strong_Passwords

However, this reinforcement is done at the operating system level through the Linux kernel PAM module.

At the CWP application level, this choice is not offered to the user when creating/changing the password, and I have never tested whether, if the password is not accepted by the operating system, CWP will recognize it and request the password again. You will only find out by running a test.

Regards,
Netino

4
SSL / Re: Problem with renewing SSL certs
« on: May 09, 2025, 01:38:16 AM »
Possibly a bug from CWP.
This happened to me migrating domains from another server.
Once the domain was renewed manually, now the renewing process is automatic again.

Try to create a script, named like 'renew-cert.sh', to renew manually:
Code: [Select]
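#!/bin/bash
# Force-renew the ECC certificate of the domain given as the first argument.

DOM="${1:?usage: $0 domain.com}"
/root/.acme.sh/acme.sh --home /root/.acme.sh/cwp_certs --renew --ecc -d "${DOM}" --force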

Change permissions:
Code: [Select]
# chmod 700 renew-cert.sh
And run the script (replacing "domain.com" with your domain):
Code: [Select]
# ./renew-cert.sh domain.com
Regards,
Netino

5
Information / Re: check all autoSSL (Lets encrypt) that failed
« on: May 03, 2025, 01:31:27 AM »
Thanks! No way for an integrated feature in the panel? To alert us, etc?

While this feature is not implemented in CWP, you can use this command in cron, to be alerted:

Code: [Select]
# find /etc/pki/tls/certs -type f -name \*.cert -mtime +60 | sed -e 's#^/etc/pki/tls/certs/##g' -e 's#\.cert$##' | xargs -I '{}' bash -c 'echo -e "Domain Cert $1 expired.\n.\n" | mail -s "ALERT: Domain Cert $1 expired" your-mail@yourdomain.com' _ '{}'
Regards,
Netino
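
The cron command above flags certificates by file age. As an added example that is not part of the original post, the functions below read the expiry date from each certificate instead; the function names are hypothetical and the files are assumed to be PEM certificates.

```bash
#!/bin/bash
# Added example (not from the original post): report certificates by their real
# expiry date (notAfter) instead of by file age.
# Assumption: every *.cert file in the directory is a PEM certificate.

# Print the domain (file name without .cert) of each certificate in DIR that
# expires within DAYS days; files that are not certificates go to stderr.
certs_expiring_within() {
    local dir="$1" days="$2" f
    for f in "$dir"/*.cert; do
        [ -f "$f" ] || continue            # glob matched nothing
        if ! openssl x509 -in "$f" -noout 2>/dev/null; then
            echo "skipped, not a PEM certificate: $f" >&2
            continue
        fi
        # -checkend exits non-zero when the certificate expires within N seconds
        openssl x509 -in "$f" -noout -checkend "$((days * 86400))" >/dev/null ||
            basename "$f" .cert
    done
}

# Mail one alert per expiring domain. The domain is passed as data to printf
# and mail, never pasted into a shell command string.
alert_expiring() {
    local dir="$1" days="$2" rcpt="$3" dom
    certs_expiring_within "$dir" "$days" | while IFS= read -r dom; do
        printf 'Certificate for %s expires within %s days.\n' "$dom" "$days" |
            mail -s "ALERT: certificate for $dom is expiring" "$rcpt"
    done
}

# Cron usage (recipient is a placeholder):
#   alert_expiring /etc/pki/tls/certs 20 your-mail@yourdomain.com
```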

6
CentOS 8 Problems / Re: ImageMagick installation on Almalinux 8
« on: April 29, 2025, 03:12:16 AM »
Hi,

php -v giving error of unable to load dynamic library 'imagick.so'
(...)
but found that following line not working:
ln -s /usr/local/include/ImageMagick-6 /usr/local/include/ImageMagick

On checking, I did not find any folder /usr/local/include/ImageMagick-6 in my Almalinux ver 8
(...)

I think the right command is:
Code: [Select]
ln -s /usr/include/ImageMagick-6 /usr/local/include/ImageMagick-6
The include library exists in '/usr/include/ImageMagick-6' in AL8.

Regards,
Netino

7
E-Mail / Re: Stop forwarding SPAM emails
« on: April 24, 2025, 02:40:02 AM »
(Adapted from: <https://docs.directadmin.com/other-hosting-services/preventing-spam/outgoing-spam.html#why-forwarders-to-external-mailservers-can-be-dangerous-for-your-server>)

Why forwarders to external mailservers can be dangerous for your server

It's not uncommon for clients to want to forward mail from their own domain to an external email address, say Gmail, for example.

The path of an email sent to the user@domain.com forwarder would be:

Sender -> CWP box: user@domain.com -> External: user@gmail.com

This will work fine, until spam comes into the picture.

The issue with spam is that, if the proper blocks are not in place, your CWP box will happily relay spam to Gmail, which could then cause Gmail to think that the spam is originating from your CWP box, thus getting your IP blacklisted even though the spam came from somewhere else.

Another issue is that, if Gmail then determines that the message is spam, it may be denied at the Gmail server, thus returning it back to your CWP box to figure out what to do with. Since the sender is not from the CWP box, and the final recipient is Gmail (which was denied), Postfix tries to send it back to the original "sender", which with spam, is almost always fake/spoofed (these headers can be spoofed).

This causes "backscatter", where Postfix is trying to return a message to an address that was not the actual sender. This backscatter is also a potential hazard to getting your IP blacklisted.

Solutions:

- Avoid forwarders to external domains whenever possible (it is usually hard to convince users of this).

- For Gmail, as an example, have Gmail pull your POP emails to Gmail, rather than you pushing them via forwarders. See this guide for more info.

- Ensure SpamAssassin is enabled, and set it to drop spam or send to spambox (do not use "deliver to inbox"). At a minimum, use "drop high scoring spam".

- Block bounces from leaving.

- RBL Blocking is a robust way of blocking spam before Postfix even sees the message (realtime IP based block). Some consider RBL blocking to sometimes be too strict in that it may often block entire ISP ranges (send on port 587 with smtp-auth, instead of port 25).

Regards,
Netino
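
Both effects described above, the external server rejecting a forwarded spam and Postfix then returning the bounce to a spoofed sender, leave recognizable lines in the mail log. The script below is an added example, not part of the original post; the log lines, host names and queue IDs are constructed, the function names are hypothetical, and the traditional syslog line format is assumed.

```bash
#!/bin/bash
# Added example (not from the original post): find the two log signatures of
# the forwarder problem in a Postfix mail log.
# Assumption: traditional syslog lines ("Mon DD HH:MM:SS host postfix/...").

# Constructed sample: a forwarded spam is rejected by the external server, then
# Postfix sends the bounce to the spoofed sender; the last message is normal.
sample_maillog() {
    cat <<'EOF'
Apr 24 02:10:01 cwp postfix/qmgr[900]: 4A1B2C3D4E: from=<spoofed@victim.example>, size=2310, nrcpt=1 (queue active)
Apr 24 02:10:03 cwp postfix/smtp[2110]: 4A1B2C3D4E: to=<user@gmail.com>, orig_to=<user@domain.com>, relay=mx.external.example[192.0.2.10]:25, delay=2.1, dsn=5.7.1, status=bounced (550 5.7.1 message rejected as spam)
Apr 24 02:10:03 cwp postfix/bounce[2111]: 4A1B2C3D4E: sender non-delivery notification: 5F6A7B8C9D
Apr 24 02:10:03 cwp postfix/qmgr[900]: 5F6A7B8C9D: from=<>, size=4100, nrcpt=1 (queue active)
Apr 24 02:10:05 cwp postfix/smtp[2112]: 5F6A7B8C9D: to=<spoofed@victim.example>, relay=mx.victim.example[192.0.2.20]:25, delay=1.8, dsn=2.0.0, status=sent (250 2.0.0 OK)
Apr 24 02:11:00 cwp postfix/qmgr[900]: 6B7C8D9E0F: from=<alice@domain.com>, size=900, nrcpt=1 (queue active)
Apr 24 02:11:01 cwp postfix/smtp[2113]: 6B7C8D9E0F: to=<bob@partner.example>, relay=mx.partner.example[192.0.2.30]:25, delay=0.9, dsn=2.0.0, status=sent (250 2.0.0 OK)
EOF
}

# Read a mail log (file arguments or stdin) and print one line per finding.
backscatter_report() {
    awk '
        function addr(s) { gsub(/^[a-z_]+=<|>,$/, "", s); return s }
        # Null envelope sender: this queue ID is a bounce generated locally.
        $5 ~ /^postfix\/qmgr/ && $7 == "from=<>," { bounce[$6] = 1 }
        # Only remote SMTP deliveries matter below (skip local content filters).
        $5 !~ /^postfix\/smtp\[/ || /relay=127\.0\.0\.1/ { next }
        # A forwarded message (orig_to present) refused by the remote server.
        /orig_to=</ && /status=bounced/ {
            print "FORWARD_REJECTED " addr($8) " -> " addr($7)
        }
        # A bounce leaving the server: backscatter if the sender was spoofed.
        ($6 in bounce) { print "BOUNCE_SENT_OUT " addr($7) }
    ' "$@"
}
```

Run it as `backscatter_report /var/log/maillog` on a real log, or `sample_maillog | backscatter_report` to see the constructed case.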

8
Updates / Re: New problems with updates
« on: April 24, 2025, 02:22:09 AM »
To be blunt and honest, there is no reasonable reason to keep a system like Centos7, whose support has been out of date for almost a year, and therefore subject to security holes. Upgrade as soon as you can, if you don't want to make yourself and your client victims of cyber attacks. Right now Centos7 may already be subject to flaws that you don't know about, for the simple reason that they haven't been disclosed for almost a year, and they won't be disclosed anymore.

Regards,
Netino

9
Hey,

I've opened a ticket on this already and will update this thread with more information. I logged into CWP web panel and was greeted by this:

(...)


(...)
Everything else is working perfectly fine, I haven't changed my default SSH ports but I don't think that'd be causing it.

I ordered CWPpro and used the "sh /scripts/update_cwp" command to force an update to enable CWPpro, but after a recent restart due to Vultr's London datacenter maintenance, this warning started showing up. My IP address is the exact same.


Check if you have some firewall block to 'centos-webpanel.com' or to IP address [158.69.227.165].
These are used to update the system.

Regards,
Netino

10
Other / Re: Varnish 7 Installation & Configuration
« on: April 10, 2025, 01:18:09 AM »
Has anyone successfully installed Varnish 7 on CWP yet?

I've tried a couple of times now but still get 503 when testing. Has anyone figured out the correct changes for the varnish.service file?

Yes.
Did you already install it?

After install, you need to change the line in file '/usr/lib/systemd/system/varnish.service' of default installation, from:
Code: [Select]
ExecStart=/usr/sbin/varnishd -a :6081 -f /etc/varnish/default.vcl -s malloc,256m
to:
Code: [Select]
ExecStart=/usr/sbin/varnishd -a :82 -f /etc/varnish/default.vcl -s malloc,256m
After that, run:
Code: [Select]
# systemctl daemon-reload

11
Apache / Re: How to stop malicious scans
« on: March 30, 2025, 12:57:22 AM »
I don't know what header you're talking about, I copied the original code from the access_log and didn't change it.

I use Nginx & Apache.
(...)

The useragent header is the HTTP header that identifies the navigator accessing your HTTP server.

Does this affect Googlebot and Bingbot crawling pages?
No.

Quote
Is there any other way to stop it?

Yes.
Googlebot and Bing use honest useragents, so if you want to block them, you can simply block the "Googlebot" and "bingbot" useragents directly:
Code: [Select]
if ($http_user_agent ~* "(Googlebot|bingbot)") {
    return 403;
}

You can also choose any other useragent:
Code: [Select]
if ($http_user_agent ~* "(Googlebot|bingbot|Android|iPhone|iPod|Symbian|BlackBerry|Windows Phone|Mobile|J2ME)") {
    return 403;
}

You can install the "Nginx Ultimate Bad Bot Blocker" to block hundreds of other useragents:
https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker

12
Nginx / Re: How to update NGINX version to version 1.26.2
« on: March 27, 2025, 02:48:11 AM »
My Approach to Upgrading Nginx Without a Full Reinstallation

In my experience, the optimal strategy is to update Nginx directly using the official stable repository, rather than removing it entirely. This approach helps maintain your current configuration and avoids the hassle of extensive reconfiguration.

(...)

Not only the package installation, but nginx has modules too, and you need to follow up and keep the modules updated too.
This is much easier to do with AlmaLinux modules.

A manual installation would force you to build the module packages, which is not good.
For this reason, I do a "module" installation.

To check available modules:
Code: [Select]
# dnf module list nginx

There is only nginx version 1.24 available to install.
Code: [Select]
# dnf -y module enable nginx:1.24

Installing nginx and modules ...
Code: [Select]
# dnf -y module install nginx

Changing permissions to directory /var/lib/nginx :
Code: [Select]
# chmod +x -R /var/lib/nginx

Changing ownership of directory /var/lib/nginx :
Code: [Select]
# chown nobody -R /var/lib/nginx/

Ps.: the downside is that AlmaLinux modules do not have such up-to-date versions. But the current nginx version (1.24) is good to work.

Regards,
Netino

13
Apache / Re: How to stop malicious scans
« on: March 27, 2025, 02:20:43 AM »
It seems all accesses are being made without a user access header, aren't they?
These are bad bots, wasting your bandwidth and machine resources.

Are you using nginx?

I did the following: in file '/etc/nginx/conf.d/vhosts/domain.com.conf', make a change before the "location / {" directive, including the following:
Code: [Select]
if ($http_user_agent = "") { return 444; }

...like in the following:
Code: [Select]
server {
        listen 11.22.33.44:80;       
        server_name domain.com  www.domain.com;
        (...)
        if ($http_user_agent = "") { return 444; }

        location / {
        (...)
}

You need to change the /etc/nginx/conf.d/vhosts/domain.com.ssl.conf files too, if you use ssl.

Regards,
Netino
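
To see which clients send requests without a User-Agent, and whether the `return 444` rule is already dropping them, the access log can be summarized per IP. This is an added example, not part of the original post; it assumes nginx's default "combined" log format, the log lines and IP addresses are constructed, and the function names are hypothetical.

```bash
#!/bin/bash
# Added example (not from the original post): per-IP summary of requests that
# arrived with an empty User-Agent, and how many of them were answered 444.
# Assumption: nginx "combined" log format, where an empty header is logged "-".

# Constructed sample log (documentation IP ranges).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [27/Mar/2025:02:01:10 +0000] "GET / HTTP/1.1" 200 612 "-" "-"
203.0.113.7 - - [27/Mar/2025:02:01:11 +0000] "GET /index.php HTTP/1.1" 444 0 "-" "-"
203.0.113.7 - - [27/Mar/2025:02:01:12 +0000] "GET /admin/ HTTP/1.1" 444 0 "-" "-"
198.51.100.23 - - [27/Mar/2025:02:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [27/Mar/2025:02:03:30 +0000] "HEAD / HTTP/1.1" 444 0 "-" "-"
EOF
}

# Output columns: client IP, requests without User-Agent, of which status 444.
# Splitting on the double quote is safe here because nginx escapes a quote
# inside a logged value as \x22.
empty_ua_summary() {
    awk -F'"' '
        $6 == "-" || $6 == "" {
            split($1, head, " "); ip = head[1]      # first word: client address
            split($3, st, " ");   status = st[1]    # status follows the request
            total[ip]++
            if (status == 444) dropped[ip]++
        }
        END {
            for (ip in total)
                printf "%s %d %d\n", ip, total[ip], dropped[ip] + 0
        }' "$@" | sort -k2,2nr -k1,1
}
```

An IP whose second and third columns differ was still being served before the rule took effect, or is hitting a vhost file (for example the `.ssl.conf` one) that does not contain the rule yet.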

14
Nginx / Re: Restrict access to a cwp_service
« on: March 27, 2025, 02:06:15 AM »
(...)
Is there a better way to do this using CWP ?

Create a file /usr/local/cwpsrv/conf/security.conf with the following content:

Code: [Select]
    #...
    # Allow the request if EITHER the IP check OR basic auth succeeds
    satisfy any;

    allow 192.168.1.0/24;
    allow 127.0.0.1;
    deny  all;

    auth_basic           "Restricted access";
    auth_basic_user_file conf/ht_passwd;
Choose your IP addresses, and/or define additional authentication on cwpsrv.

Create a file '/usr/local/cwpsrv/conf/ht_passwd' with your passwords:

Code: [Select]
# /usr/local/apache/bin/htpasswd -c /usr/local/cwpsrv/conf/ht_passwd your-username

In file '/usr/local/cwpsrv/conf/cwp_services.conf', change your directive to:
Code: [Select]
location /pma {
    root /usr/local/cwpsrv/var/services;
    index  index.html index.htm index.php;
    include /usr/local/cwpsrv/conf/security.conf;
    (...)
}

...and restart cwp on the panel, or with the command:

Code: [Select]
# /scripts/restart_cwpsrv
Regards,
Netino


15
CSF Firewall / Re: Firewall CFS not enable alma8 - al8 (fixed)
« on: March 25, 2025, 02:45:25 AM »
Did that and CWP install. CWP is showing the firewall is off but when I run the enable from the panel it says the firewall is already running. Will it still handle the tables?

Try to post here the last part of the file /var/log/lfd.log, right after you try to restart csf:
Code: [Select]
tail -50 /var/log/lfd.log
