
Showing posts from 2019

CWP: How to Allow or Block Traffic by Country in the CSF Firewall

Country-level filtering in CSF uses the MaxMind GeoLite Country database to obtain CIDR (Classless Inter-Domain Routing) ranges for specific countries. Each CIDR range covers all the IP addresses assigned to that country.
There are a number of reasons why a server administrator may wish to block traffic from a specific country. Among the most common are reducing bandwidth, minimizing exposure to security risks, and ensuring that a site's content is viewable only in geographic locations where it is permitted. However, there are several important factors to consider before choosing to filter traffic at the country level:
A small percentage of unwanted traffic may still get through, and a small percentage of desired traffic could be blocked, because:
- the CIDR range lists used for country-level blocks are not 100 percent accurate.
- some Internet Service Providers and web services use non-geographic IP addresses for their clients.
- proxy services and virtual private networks can be used to mas…

CWP: Rate Limit Incoming Traffic using CSF Connection Tracking Option

CSF – How to limit the number of connections per IP address (Rate Limit Incoming Traffic By CSF Connection Tracking):
The first thing that can be done to mitigate the effects of an incoming attack is to limit the number of connections per IP address. When properly configured, CSF will track the number of connections from each IP address hitting the server and block IP addresses at the firewall level should they exceed a defined limit.
It's important not to set the limit too low, as protocols such as FTP, IMAP, and even HTTP all legitimately make multiple connections. Also, remember that most companies, as well as homes and public hotspots, may have many different computers on their internal network which all share a single public IP address. To set the limit on connections per IP address, scroll down to the Connection Tracking section of the Firewall Configuration page and set CT_LIMIT to the desired value.
1. If you want to use 150 connections per IP address as an upper limit. You may find that…

How to Build Postfix + Dovecot Mail Server with Anti-Spam Solutions on CWP Server?

By default, the CWP server comes with Postfix + Dovecot + anti-spam solutions. We need to make some modifications to Postfix and Dovecot for better security and high performance. In this tutorial series, we will learn how to build Postfix + Dovecot with anti-spam solutions.

Build CWP Mail Server
1. First, we must have a valid FQDN with DNS records (A & PTR). To generate a new FQDN, go to Server Settings >> Change Hostname.
We will use the 2048 key size, which is the default, or you can use the 4096 key size, which is slower than the 2048 key size.
2. Build the Postfix mail server with AntiSpam/AntiVirus and DKIM & SPF. Go to Email >> Mail Server Manager. Provide the FQDN and domain, then click on "Rebuild Mail Server".

3. Enable SPF & DKIM for the parent domain: go to Email >> DKIM Manager.
Also check the files below:
   TrustedHosts File Location: /etc/opendkim/TrustedHosts
   SigningTable File Location: /etc/opendkim/SigningTable
   KeyTable File Location: /etc/opendkim/KeyTa…

How to Configure autodiscover information for mail clients to setup pop/imap/smtp settings automatically on CentOS WebPanel?

Some mail clients will use a system called "Autodiscover" to figure out which settings to use for the pop/imap/smtp settings. You can set this up if you'd like, it basically requires a subdomain and a SRV record. You can add the SRV record into any domain you want to use these settings for.
If you've got a global SSL certificate in Postfix/dovecot for your hostname, this would be a good way to ensure clients use the correct value, so they don't get SSL certificate errors.
Let's assume you're going to have your clients with datahead.biz connect to host.datahead.biz for both IMAP and SMTP. So we have a subdomain called host.datahead.biz to store the XML, where host.datahead.biz is the server FQDN.
1. Set up an SRV record in the datahead.biz DNS zone:
_autodiscover._tcp.datahead.biz. 3600 IN SRV 10 10 443 host.datahead.biz.
2. Next, create a file named autodiscover.php in /usr/local/apache/htdocs/
# vi /usr/local/apache/htdocs/autodiscover.php
Now fix the permission
# …

How to Install OpenVZ Web Panel to Manage OpenVZ Containers Graphically?

OpenVZ Web Panel is a GUI web-based frontend for controlling hardware and virtual servers that use the OpenVZ virtualization technology. It is very simple and is meant to make OpenVZ management easier. Working on the command line can be tedious for new and intermediate users. Using OpenVZ Web Panel, anyone can easily create, delete, and manage VMs via a web browser in minutes without having to know all the OpenVZ commands.
1. Install the required dependencies first:
# yum groupinstall 'Development Tools'
# reboot
# yum install rubygems ruby git -y
# cd /usr/local/src/
# wget http://download-ib01.fedoraproject.org/pub/epel/6/x86_64/Packages/r/rubygem-sqlite3-ruby-1.2.4-5.el6.x86_64.rpm
# wget http://download-ib01.fedoraproject.org/pub/epel/6/x86_64/Packages/r/ruby-sqlite3-1.2.4-5.el6.x86_64.rpm
# rpm -ivh rubygem-sqlite3-ruby-1.2.4-5.el6.x86_64.rpm
# rpm -ivh ruby-sqlite3-1.2.4-5.el6.x86_64.rpm
2. Installation
The simplest way to install OpenVZ Web Panel is to run the following command (un…

How to Install OpenVZ on CentOS 6.10?

OpenVZ is the core of the virtualization solution offered by the Virtuozzo company. OpenVZ is a container-based virtualization solution for Linux. Since it uses operating-system-level virtualization technology, unlike other virtualization methods such as VirtualBox, KVM, and VMware, the guest systems use the same kernel as the host system. Each virtual machine efficiently shares the CPU, memory, disk space, and network of your physical server. It allows a physical server to run multiple isolated operating system instances, called containers, virtual private servers (VPSs), or virtual environments (VEs). OpenVZ is similar to Solaris Containers and LXC.
While virtualization technologies such as VMware, Xen and KVM provide full virtualization and can run multiple operating systems and different kernel versions, OpenVZ uses a single Linux kernel and therefore can run only Linux. All OpenVZ containers share the same architecture and kernel version. This can be a disad…

How to Secure CWP Postfix and Dovecot with a Let's Encrypt SSL Certificate?

The Postfix architecture is modular and contains different daemons, each specifically handling only a few tasks. The most important daemons are the following:
- master is the main daemon that starts all the other daemons.
- smtpd is the SMTP server daemon handling incoming connections to receive emails from another mail server or client.
- smtp is the SMTP client handling outgoing connections to send email out to another mail server.
- local is the local delivery agent responsible for delivering email to the local server.
- qmgr processes and controls all messages in the mail queue.

Maps are used in Postfix to control email routing. Such maps are used to accept or reject email, inform Postfix about local recipients and more.

The main configuration files are main.cf, which is the global configuration for all daemons, and master.cf, which defines the runtime environment for the daemons. The master.cf configuration thereby overrides the configuration options from main.cf.
Let's secure Postfix first
# vi …

How to Secure/Harden the CWP Nginx Server (Admin, Client & Webmail Panel) with Strong Ciphers?

By default, the CWP server uses a modified Nginx server, called the CWP server, for the Admin, Client & Webmail Panel login. I am also using Let's Encrypt SSL for my CWP Admin, Client & Webmail Panel.
Follow this article (Part 1):
CWP: How to Configure Let's Encrypt SSL Certificate for your server Hostname/FQDN on CWP7.admin
N.B.: I am using the cipher list from the links below:
https://cipherli.st/
https://mozilla.github.io/server-side-tls/ssl-config-generator/
https://wiki.mozilla.org/Security/Server_Side_TLS
https://ssl-config.mozilla.org/#server=apache&server-version=2.4.39&config=intermediate&openssl-version=1.0.2k-fips
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
https://ssldecoder.org/

CWP Admin Panel Link (by hostname)
CWP Admin Panel Link: http://server1.datahead.biz:2030
CWP Admin Panel Link: http://server1.datahead.biz:2086
CWP Admin Panel SSL Link: https://server1.datahead.biz:2031
CWP Admin Panel SSL Link: https://server1.da…

How to Enable Logging of the Email Subject Line in the Postfix Maillog?

By default, the Postfix MTA only captures the 'From' and 'To' details in the log file (/var/log/maillog). There are some scenarios where we want the email's subject to be captured in the maillog as well. This is very useful for email administrators when troubleshooting email-related problems. There are a few simple steps to enable logging of the email subject in the Postfix maillog.

We assume that Postfix is already up and running and will make the changes below.
Step:1 Edit the '/etc/postfix/main.cf' file and uncomment the line below:
#header_checks = regexp:/etc/postfix/header_checks
Step:2 Append the line below to '/etc/postfix/header_checks' [at the bottom]
/^Subject:/ WARN
Step:3 Run postmap to apply the new configuration in /etc/postfix/header_checks
[root@server1 ~]# postmap /etc/postfix/header_checks
Step:4 Restart or reload the Postfix server
[root@server1 ~]# systemctl restart postfix
[root@server1 ~]# postfix reload
Step:5 Log in to your Roundcube webmail and send a test with the subj…

CWP: How to Install the CSF Webmin Module on CWP in CentOS 7?

This Perl module is required for the Statistical Graphs available from the csf UI. It depends on graphical libraries being installed for your OS (e.g. libgd, libpng, etc., which is beyond the scope of this document).

The perl module itself can be installed in a variety of ways, e.g.:

RedHat/CentOS/CloudLinux:
# yum install perl-GDGraph

Direct from cpan.org:
# perl -MCPAN -e shell
cpan> install GD::Graph

Webmin Module Installation/Upgrade
Webmin > Webmin Configuration > Webmin Modules >
From local file > /usr/local/csf/csfwebmin.tgz > Install Module


Uninstallation: Removing csf and lfd is even simpler:
# cd /etc/csf
# sh uninstall.sh

This article is based on:
https://download.configserver.com/csf/install.txt

PostfixAdmin: Invalid query: Table 'postfix.vacation_notification' doesn't exist

Bug Fix: After logging in and clicking on "Fetch email", I got the error "Invalid query: FUNCTION postfix.FROM_BASE64 does not exist". To fix it, edit /home/username/public_html/postfixadmin/model/PFAHandler.php at line 572:
# vi /home/datahead/public_html/postfixadmin/model/PFAHandler.php
$base64_decode = "###KEY###";
Unable to delete any email address: When I try to delete any email address, I get the error below.
Log in to phpMyAdmin as the root user, select the postfix database from the left side, select SQL, paste the code below, then click the Go button.
CREATE TABLE `vacation_notification` (
  `on_vacation` varchar(255) NOT NULL,
  `notified` varchar(255) NOT NULL,
  `notified_at` timestamp NOT NULL default CURRENT_TIMESTAMP,
  PRIMARY KEY (`on_vacation`,`notified`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COMMENT='Postfix Admin - Virtual Vacation Notifications';


CWP: How to Integrate Postfix Admin 3.1 with CentOS WebPanel on CentOS 7

Postfix Admin is a web-based interface which allows users to configure and manage a Postfix-based email server. With Postfix Admin you can create and manage multiple virtual domains, users, aliases and much more.

I have installed CWP7.admin on CentOS 7 and it's working fine with Postfix, but I want to use PostfixAdmin with CentOS WebPanel.
Log in to your user panel at https://host.datahead.biz:2083/ and create a subdomain like postfixadmin.datahead.biz. Go to Domains >> Sub Domains >> Add a New SubDomain

Now restart Apache and the DNS server from your admin panel. If you get any error or are unable to browse your subdomain, then fix the permissions (go to User Accounts >> Fix Permission). Install AutoSSL for that subdomain. Now log in to your server using SSH
# cd /usr/local/src/
# VERSION=3.1
# wget -q https://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-${VERSION}/postfixadmin-${VERSION}.tar.gz
# tar xzf postfixadmin-${VERSION}.tar.gz
# mv po…

How to Secure MariaDB for VestaCP and CWP?

If you are using VestaCP or CentOS Webpanel then this tutorial will guide you through some basic steps you can take to secure your MariaDB or MySQL databases, and ensure that they are not an open door into your VPS. However, like most software, these tools can be security liabilities if they are configured incorrectly.

For the sake of simplicity and illustration, we will use the MariaDB 10.1 server on a CentOS 7.6 VPS instance.
Now run the script called "mysql_secure_installation". This will guide us through some procedures that will remove some defaults that are dangerous to use in a production environment.
# mysql_secure_installation
It will first prompt you for the root password you set up during installation. Immediately following, you will be asked a series of questions, beginning with if you'd like to change the root password.

This is another opportunity to change your password to something secure if you have not done so already.
You should answer "Y" (for…

How to Find Out & Change the VestaCP MySQL/MariaDB root Password?

If you forget the MySQL/MariaDB root password, don't worry: you can find it out.
The password is stored at: /usr/local/vesta/conf/mysql.conf and /root/.my.cnf
Before doing anything, create a backup of each file.
# cp /usr/local/vesta/conf/mysql.conf /usr/local/vesta/conf/mysql.conf.bak
# cp /root/.my.cnf /root/.my.cnf.bak
Use this syntax to change the MySQL/MariaDB root password
# mysqladmin -u root -pOLDPASSWORD password 'NEWPASSWORD'
Change the root password
# mysqladmin -u root -pgX7wlY5V3F password 'gR7wlY6V9A'
Now update the newly changed password in both files
# vi /usr/local/vesta/conf/mysql.conf
HOST='localhost'
USER='root'
PASSWORD='gR7wlY6V9A'
CHARSETS='UTF8,LATIN1,WIN1250,WIN1251,WIN1252,WIN1256,WIN1258,KOI8'
MAX_DB='500'
U_SYS_USERS='admin,datahead'
U_DB_BASES='3'
SUSPENDED='no'
TIME='15:10:16'
DATE='2019-04-17'
# vi /root/.my.cnf
[client]
password='gR7wlY6V9A'

CWP: How to Add Let's Encrypt SSL to Monit on CentOS 7.6

I have installed a Let's Encrypt SSL certificate for the server FQDN, and I will use that certificate for Monit. In this tutorial, we show how to add a Let's Encrypt SSL certificate to Monit alongside CentOS WebPanel on CentOS 7.

Prerequisites:
To complete this tutorial, you will need:
1. CentOS Linux release 7.6.1810 (Core)
2. CWP7.admin , CWP version: 0.9.8.772
3. CSF Firewall
4. Let's Encrypt SSL Certificate (Installed)

Step 1:
Install the HTTP client library
# yum install python-httplib2
To enable Let's Encrypt SSL for Monit's HTTP GUI, open the Monit configuration file and uncomment the lines below
# vi /etc/monitrc
set ssl {
    version : TLSV12
    verify : enable
}
with ssl {
    pemfile: /etc/ssl/certs/monit.pem
}
Check the Monit syntax for errors
# monit -t
Control file syntax OK
Create a file with the touch command
# touch /etc/ssl/certs/monit.pem
Step 2:
Let's Encrypt SSL location for your SERVER_FQDN: /etc/letsencrypt…

How To Add Swap Space on CentOS 7?

We are using a high-performance SSD VPS that doesn't have any swap partition. This can cause you to lose unsaved data or experience downtime. To ensure reliable data access, some applications require swap to function. I have purchased an SSD VPS from Upcloud and got five months free using Promo Code: AQX767

My VPS Details:
OS: CentOS Linux release 7.7.1908 (Core)
CPU Model: Intel(R) Xeon(R) Gold 6136 CPU @ 3.00GHz
RAM: 1 GB
Storage: SSD 25 GB
Swap space can take the form of either a dedicated swap partition or a swap file. In most cases when running CentOS on a virtual machine a swap partition is not present so the only option is to create a swap file. In this guide, we will cover how to create and enable a swap file on a CentOS 7 server.
Before You Begin
Display a summary of swap usage
# swapon --show
If nothing is returned by the command, then the summary was empty and no swap file exists.
Another way of checking for swap space
#…