Linux Servers cPanel webhosting blog » Server Security

How to block referrer from single domain and multiple domains

Gunjan — Sun, 08 Jan 2012 00:59:46 +0000

Use the following rewrite rule to block the referrer from single domain/web site.

RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} test\.com [NC]
RewriteRule .* – [F]

Similarly you can block the referrer from the multiple sites by using the following rewrite rule in the .htaccess file.

RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} test\.com [NC,OR]
RewriteCond %{HTTP_REFERER} test123\.com
RewriteRule .* – [F]

Set alternative SMTP port in Plesk Linux server

Gunjan — Sat, 10 Dec 2011 10:19:00 +0000

Some time local ISP blocked default SMTP port 25 in the local network therefore we have to configure the alternative smtp port for SMTP service, so that SMTP will work on default port 25 as well as other new port. For example we are configuring the SMTP service on port 2626. Refer to the following steps to configure SMTP service on another port.

Change directory to the /etc/xinetd.d

root@server [~]#cd /etc/xinetd.d

Now copy the current working smtp_psa file to the new file smtp_psa_new

root@server [/etc/xinetd.d]#cp -p smtp_psa smtp_psa_new

open the file smtp_psa_new and change the value in the first line

From

service smtp
to
service smtp_psa_new

Save the file and add the new smpt port in the /etc/services file

For example we want to set new smtp port 2626, you can change the port as per your requirement

smtp_psa_new 2626/tcp mail
smtp_psa_new 2626/udp mail

Save the file and restart the xinetd service

root@server [/etc/xinetd.d]#/etc/init.d/xinetd restart

Make sure that you have opened new port in the server firewall and then try to telenet the new SMTP port

root@server [/etc/xinetd.d]#telnet localhost 2626

It will show you the SMTP service banner

Critical: exim security update

Gunjan — Sat, 11 Dec 2010 23:46:34 +0000

To resolve exim vulnerability issue exim upgraded to latest version but its throwing following error message aftre restarting exim service.

root@server [/tmp]# /etc/init.d/exim restart
Shutting down exim:                                        [ OK ]
Shutting down spamd:                                       [FAILED]
Starting exim:                                             [ OK ]
Starting exim alt spool: exim: -D is not available in this Exim binary [FAILED]
To resolve above error simply run following command from shell.

root@server [/tmp]#/usr/mscpanel/msswitch.pl inout

How to turn off CGI execution server wide

Gunjan — Thu, 02 Sep 2010 06:08:33 +0000

Most servers owners do not allow there clients to run cgi. We can disable the cgi by using following code in server main Apache configuration file.

Options -ExecCGI

Save file and restart the Apache web server.

Horde Failed to connect to localhost:25 error message

Gunjan — Fri, 06 Aug 2010 06:02:26 +0000

On Shared server as well as on Dedicated server some time we are facing large connection issue to SMTP port 25 at that time mostly we disable SMTP port 25 and enable any other port for SMTP but after changing SMTP port mostly we receive following error message in Horde webmail.

There was an error sending your message: Failed to connect to localhost:25 [SMTP: Invalid response code received from server (code: 421, response: Too many concurrent SMTP connections; please try again later.)]

To resolve above error simply change SMTP port from 25 to new SMTP port in following file.

root@server [/usr/local/cpanel/base/horde/imp/config]# Pico servers.php

And change following line

From

‘smtpport’ => 25,

‘smtpport’ => 26,

We have taken new port as 26 for example you can use any port as per your requirement.

Similar problem with “Squirrelmail” then refer following steps.

root@server [/usr/local/cpanel/base/3rdparty/squirrelmail/config]#pico config_default.php

Change following line

From

$smtpPort = 25;

$smtpPort = 26;

Save file and exit and now open the webmail.

How to disable root login and enable key authentication on Dedicated server?

Gunjan — Sun, 11 Jul 2010 23:00:12 +0000

How to disable root login and enable key authentication on Dedicated server?

Refer following steps to disable direct root login.

1. SSH into your server as root user.

2. Open file sshd_config in your favorite editor

pico /etc/ssh/sshd_config

3. Find the line

Protocol 2, 1

4. Uncomment line and change it to look like

Protocol 2

5. Now find the line
PermitRootLogin yes

6. And Uncomment libe and make it look like as
PermitRootLogin no

7. Save the file sshd_config file,

8. Restart SSH service
/etc/rc.d/init.d/sshd restart

Once root login disabled on server generate authentication key by using following steps.

1. Add user for example we will add user support

useradd support

2.Assigne user support in wheel group.

usermod -G wheel support

3. Set correct permission for sudoers files.

chmod 644 /etc/sudoers

4. Now open sudoers file and set followings line in sudoers file.

pico /etc/sudoers

# User privilege specification
root ALL=(ALL) ALL

# Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL

5. Make sure that sudo file binery file is secure.

chmod 4111 /usr/bin/sudo

If you are not sure about sudo binery path then run commamd to confirm the path.

which sudo

6.Now create .ssh directory in support users home directory.

cd /home/support

mkdir .ssh

cd .ssh

7. Now generate the key by using PuTTYgen software and save the key on your local machine as support.ppk file.

8. Create authorized_keys file in .ssh directory and copy content from file support.ppk to authorized_keys file.

9. Confirm permission and ownership for files.

cd /home

ll | grep support

The ownership shuold be

drwx—— 7 support support 4096 Jul 10 03:44 support

cd /home/support

ll | grep .ssh

drwxr-xr-x 2 root root 4096 Jul 12 3:34 .ssh/

cd /home/support/.ssh

The ownership shoud be

drwxr-xr-x 2 root root 4096 Jul 12 03:22 ./
drwx—— 7 support support 4096 Jul 12 03:44 ../
-rw-r–r– 1 root root 224 Jul 12 03:40 authorized_keys

Note : Do not close current Shell until you are able to access server with the support.ppk key.

SuExec server permission issue?

Gunjan — Sat, 03 Jul 2010 21:56:09 +0000

After enabling SuExec on server most users getting “500 Internal Server Error” at that time refer following steps.

1st) Correct cPanel users files/directories ownership.

——

for i in `cat /etc/trueuserdomains | awk ‘{print $2}’`
do
chown $i.$i /home/$i -R;
chown $i.mail /home/$i/etc -R;
chown $i.nobody /home/$i/public_html;
done;

—–

2nd) Correct permission for files and directories for cPanel users from shell but make sure that you logged in as root user and running following command in /home partition.

—–

find . -type d -perm 777 -exec chmod 755 {} \;

find . -type f -perm 644 -exec chmod 755 {} \;

—–

“unauthenticated user” problem in mysql logs?

Gunjan — Wed, 30 Jun 2010 19:54:11 +0000

While running following command.

mysqladmin -i3 pr

We are getting result.

056 | unauthenticated user | localhost | | Connect | | Reading from net |

To avoid such problem add following lines in /etc/my.cnf file to avoid access for unauthenticated user.

root@server [~]# pico /etc/my.cnf

skip-networking
skip-name-resolve
skip-host-cache
skip-locking

Now restart the mysql service and check mysql process logs again.

Secure server from WHM?

Gunjan — Thu, 03 Jun 2010 10:16:02 +0000

We can secure Server from WHM by making following changes from WHM.

Tweak Settings :
Number (or all) of accounts to display per page in list accounts == 30
Disable : Allow users to park subdomains of the server’s hostname main domain
Disable : Allow users to Park/Addon Domains on top of domains owned by other users.
Disable : Allow users to Park/Addon Domains on top of domains owned by other users.
Disable : Allow resellers to create accounts with subdomains of the server’s hostname main domain
Disable : Allow Creation of Parked/Addon Domains that are not registered
Disable : When adding a new domain, automatically create A entries for the registered nameservers if they would be contained in the zone
Enable : Prevent users from parking/adding on common internet domain

Enable : Silently Discard all FormMail-clone requests with a bcc: header in the subject line
Set Default Mail to FAIL.
Disable : Track the origin of messages sent though the mail server by adding the X-Source headers.
The maximum each domain can send out per hour = 300

Prevent the user “nobody” from sending out mail to remote addresses : Disable should enabled on server with phpsuexec.
Disable : BoxTrapper Spam Trap
Disable : Add the mail. prefix for mailman urls

Disable : Send passwords in plaintext over email when creating a new acccount

Disable : Awstats Reverse Dns Resolution
Disable : Analog
Disable : Allow users to update Awstats from cPanel
Number of days between processing log files and bandwidth usage = 1
Enable : Delete each domain’s access logs after stats run
The load average above the number of cpus at which logs file processing should be suspended = 10
Enable : Keep Stats Log between cPanel restarts

Disable : Allow Perl updates from RPM based linux vendors
Enable : Use jailshell as the default shell for all new accounts and modified accounts
Disable : Allow cPanel users to reset their password via email
Enable : Spamassasssin

Tweak Security :
Enable PHP open_basedir Protection.
Enable mod_userdir Protection.
Enable SMTP Tweak
Disable Compilers for unprivileged users.

Install clamAV?

Gunjan — Thu, 13 May 2010 18:24:45 +0000

We can install clamAV by using following three options.

First Download ClamAV from www.clamav.net in default locations under /usr/local/[bin,man,share]
Run following from shell.

root@server[]perl -MCPAN -e shell
root@server[]install Parse::RecDescent
root@server[]install Inline
root@server[]install Mail::ClamAV

Second option run /scripts/perlinstaller from shell

root@server[]/scripts/perlinstaller Net::CIDR Archive::Zip Compress::Zlib Convert::BinHex Inline::C
or

root@server[]/scripts/perlinstaller Mail::ClamAV

Third you can install ClamAV from WHM

Select Main >> Software >> Install a Perl Module from WHM .

install perl module:-
search for Mail::clamAV
install it

We can also enabled virus scanner feature to cPanel user from WHM >> Main >> cPanel>> Manage Plugins

Select “Name: clamavconnector” from list and install it.