Posts

Showing posts from January, 2019

CWP: How to Increase your Server Security using CSF Firewall on CentOS 7

Access the CSF UI in your browser on the configured port and click "Check Server Security". CSF will give you a number of tips for securing your server. Then work through the report below:

# vi /etc/ssh/sshd_config
Port 22XX
UseDNS no
# systemctl restart sshd

# vi /etc/my.cnf
[mysqld]
local-infile=0
# systemctl restart mariadb

You can also enable the following checks: RESTRICT_SYSLOG option check, LF_POP3D option check, LF_IMAPD option check, SYSLOG_CHECK option check, RESTRICT_UI option check, and Check SSH PasswordAuthentication. These options help prevent brute-force attacks on your server services:

RESTRICT_SYSLOG = "3"
LF_POP3D = "3"
LF_POP3D_PERM = "1"
LF_IMAPD = "3"
LF_IMAPD_PERM = "1"
SYSLOG_CHECK = "300"

Important settings for me:

# vi /etc/csf/csf.conf
TESTING = "0"

Don't block IP addresses that are in the csf.allow file:

IGNORE_ALLOW = "1"
ICMP_IN = "1"
ICMP_OUT = &qu

CWP: How to Enable GUI for CSF on CentOS 7

The CSF web UI requires some Perl modules to be installed on your system. Use the following command to check whether the required modules are installed; if they are not present, install those packages.

# yum info perl-IO-Socket-SSL.noarch perl-Net-SSLeay perl-Net-LibIDN perl-IO-Socket-INET6 perl-Socket6

To enable the CSF web UI, edit the /etc/csf/csf.conf file:

# vi /etc/csf/csf.conf
# 0 = Unrestricted UI
# 1 = Restricted UI
# 2 = Disabled UI
RESTRICT_UI = "0"
# 1 to enable, 0 to disable
UI = "1"
# Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's
# to the port using Advanced Allow Filters (see readme.txt)
UI_PORT = "1025"
# Leave blank to bind to all IP addresses on the server
UI_IP = ""
# This should be a secure, hard to guess username
# This must be changed from the default
UI_USER = "admin"
# This must be changed from the default
UI_PASS = "adminX"

Then edit the /etc/csf/ui/ui.allow configurat

CWP: How to Install CSF on CentOS 7?

CSF is an application-level firewall for iptables on Linux servers. CSF has many features and supports web-based management panels such as CWP, cPanel/WHM, DirectAdmin and Webmin. It is easy to install and use, and it makes security management easier for sysadmins. On top of that, it comes with a Login Failure Daemon (LFD) that runs continuously, scanning for failed login attempts in order to detect brute-force attacks. lfd can perform an array of extensive checks to alert the server administrator of changes to the server, potential problems and possible compromises. LFD also blocks an IP temporarily if a large number of failed logins come from it, and the admin can be notified of blocked IPs by enabling the email alert service. Some of the features include:

Login Tracking
Process Tracking
Directory Watching
Advanced Allow/Deny features
Block Reporting
Port Flood Protection
...etc

Befo

How to hide the Nameserver software version on CentOS 7?

Hide DNS Software Version: Sometimes a new vulnerability is found in DNS software and script kiddies scan the Internet to exploit unpatched systems. It's a best practice to hide the software version on your DNS servers; although this is not real protection, it makes it a little harder to find your servers via scanning. Use the dig command to find which version your name servers are running:

$ dig +short @ns1.example.com version.bind txt chaos
"9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1"

Bind: To hide the version when using Bind, open the named.conf configuration file with your favorite editor, go to the options section and set a custom version string using the version option. Example:

// /etc/named.conf
options {
    // Hide bind version
    version "unknown";
};

Restart the server (use bind9 instead of named on Debian-based systems):

$ sudo service named restart
Stopping named: . [ OK ]
Starting named:

How to Update the ROOT Hints for DNS?

My web server's DNS root zone file is outdated, and it has no information about IPv6 or the recently changed root server IP address. How do I update my root hints data file on a CentOS 7 server? Under Red Hat / CentOS / Fedora Linux the default location is /var/named/named.root. Enter:

# wget --user=ftp --password=ftp ftp://ftp.rs.internic.net/domain/db.cache -O /var/named/named.root

Reload rndc so that named picks up the new information:

# rndc reload

Another option is to run the dig command to fetch the information:

# dig +bufsize=1200 +norec NS . @a.root-servers.net > /var/named/named.root

The root zone's nameservers change over time, so don't assume this list is current. Downloading a new version of db.cache once or twice a year is sufficient. This article is based on: Link 1, Link 2

CWP DNS Part 2 : How to Configure DNS properly for CentOS WebPanel on CentOS 7.6

7. Open the main configuration file:

# vi /etc/named.conf

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file "/var/named/data/named.recursing";
        secroots-file "/var/named/data/named.secroots";
        allow-query { any; };

        recursion no;

        dnssec-enable yes;
        dnssec-validation yes;

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

CWP DNS Part 1 : How to Configure DNS properly for CentOS WebPanel on CentOS 7.6

After hosting my parent domain on CWP7.admin, I am getting a DNS error and I'm not able to access my server using my server FQDN, but I can access it using my server IP. So what can I do about that problem? Yes, you have to fix the error.

Environment Details:
Distro Name: CentOS Linux release 7.6.1810 (Core)
CentOS Web Panel version: CWP7.admin
CWP version: 0.9.8.757
WebServer: Apache Only
FQDN: host.datahead.biz
IP: 192.120.10.3

1. Change Hostname Permanently:

# hostnamectl set-hostname host.datahead.biz
# hostnamectl
   Static hostname: host.datahead.biz
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 7400071490ea4f7d931374824ad4b52c
           Boot ID: 6e1f2d76495d4b318c25c4a1195aa130
    Virtualization: vmware
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-862.14.4.el7.x86_64
      Architecture: x86-64

It also writes this information to the /etc/hostname file.

# ca

Part 2: CWP Basic Configuration after Fresh Installation

7. After hosting our first parent domain, we will restart the following services and observe the output:

# systemctl restart cwpsrv
# systemctl restart httpd
# systemctl restart named
Job for named.service failed because the control process exited with error code. See "systemctl status named.service" and "journalctl -xe" for details.

That's why my parent domain and the link below are not accessible:

8. Now we will fix the DNS: Go to DNS Functions >> List DNS Zones >> Now click on "Rebuild Zone" for the parent domain.

9. Now we will create A records for our server FQDN and name server as shown below:

10. Please restart the following:

11. Now our parent domain and all the links are accessible; please check.

12. Restart the following services:

# systemctl restart cwpsrv
# systemctl restart httpd
# systemctl restart named

13. After hosting your parent domain, don't forget to fix the permissions: Go to User Account >&g

Part 1: CWP Basic Configuration after Fresh Installation

I am very impressed that you have successfully installed CWP on your system. Now you have to configure some basic settings on it, so let's get started.

1. First you need to set up the "Root Email". To set the root email for alerts and the shared IP: go to CWP Settings >> Edit Settings.

2. I'm going to use the Apache web server only. From the left menu select WebServer Settings >> Select WebServers >> Apache Only. For a high-performance web server, select Nginx + Varnish + Apache. Now click on Save & Rebuild Configuration.

3. Set up the name servers: go to DNS Functions >> Edit Nameserver IPs.

4. Create a hosting package: go to Packages >> Add a Package.

5. Host the parent domain related to the server FQDN: go to User Accounts >> New Account.

6. Follow Part 2.

How to Install CentOS WebPanel (CWP7.admin) on CentOS 7.6

1. Requirements before starting the CentOS Web Panel (CWP) installer:

a) Only static IP addresses are supported; dynamic, sticky, or internal IP addresses are not supported.
b) CWP does not provide an uninstaller. After you install CWP, you must reinstall the server to remove it.
c) Only install CWP on a freshly installed operating system without any configuration changes.

Make sure that you have performed Step 1 successfully.

2. Software Requirements: You must have a clean/fresh installation of a supported operating system: CentOS 6, RedHat 6 or CloudLinux 6, MINIMAL installation and English version only! CentOS 7 is also supported; we recommend the minimal version.

3. Hardware Requirements: 32-bit operating systems require a minimum of 512 MB RAM. 64-bit operating systems require a minimum of 1024 MB RAM (recommended). Recommended system: 4 GB+ RAM, so that you have full functionality such as anti-virus scanning of emails.

4. Preparing the Server: Let's install the required pac

Installation Prerequisite for EFA/Cpanel/CWP7/VestaCP: Part 7 Install Latest EPEL Release

First, update your base repository for the Cpanel/CWP7/VestaCP installation, then install the latest EPEL release.

# yum update -y

Reboot the machine:

# reboot

# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
# yum -y install epel-release

Run the update again and check:

# yum update -y
# yum repolist

If you get any error, then run:

# yum clean all
# rm -rf /var/cache/yum
# yum update -y
# yum repolist

You don't need to install the latest EPEL before the EFA installation. We will install EPEL after the EFA installation.

Installation Prerequisite for EFA/Cpanel/CWP7/VestaCP: Part 6 Set Up the Time Zone

The server time zone is very important for any Internet service. My time zone is Asia/Dhaka. Follow these steps to configure your time zone.

# timedatectl list-timezones
# timedatectl list-timezones | grep Asia
# mv /etc/localtime /root/localtime.old
# ln -s /usr/share/zoneinfo/Asia/Dhaka /etc/localtime
# timedatectl set-ntp yes
# timedatectl set-timezone Asia/Dhaka
# systemctl restart systemd-timedated.service
# timedatectl
      Local time: Wed 2018-10-31 11:15:50 +06
  Universal time: Wed 2018-10-31 05:15:50 UTC
        RTC time: Wed 2018-10-31 05:15:50
       Time zone: Asia/Dhaka (+06, +0600)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: n/a
# hwclock
Wed 31 Oct 2018 11:21:37 AM +06  -0.084209 seconds

Installation Prerequisite for EFA/Cpanel/CWP7/VestaCP: Part 5 Install Chrony and Configure the NTP Server

Accurate timekeeping is important for a number of reasons in IT. This setup is a best practice that helps with problem diagnosis and informal server monitoring. I am living in Asia, that's why I'm using this pool. Install Chrony and configure the NTP server.

# yum -y install chrony            (for rpm based)
# apt install chrony               (for debian based)
# vi /etc/chrony.conf              (for rpm based)
# vi /etc/chrony/chrony.conf       (for debian based)

#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 0.asia.pool.ntp.org iburst
server 1.asia.pool.ntp.org iburst
server 2.asia.pool.ntp.org iburst
server 3.asia.pool.ntp.org iburst

Add the network range that is allowed to send requests:

allow 127.0.0.1

or allow your network CIDR.

:x (save & quit)

Reminder: We have disabled firewalld, so we will add port 123/udp after the CWP installation using the CSF firewall. Start the services and e

Installation Prerequisite for EFA/Cpanel/CWP7/VestaCP: Part 4 Disable Network Manager and Set Up a Static IP

This tutorial describes how to disable the Network Manager service. The Network Manager service automates the network settings and disrupts connections to the IP addresses that reside in the ipaliases module. We recommend that you disable the Network Manager service and enable network.service before you install EFA/Cpanel/CWP7/VestaCP.

# systemctl stop NetworkManager
# systemctl disable NetworkManager
# nmcli device status
# systemctl list-unit-files | grep NetworkManager
# systemctl enable network.service
# systemctl restart network.service

Reboot the machine:

# reboot

I have two NICs in my VPS, so add the parameter below to /etc/sysconfig/network-scripts/ifcfg-eXXX for each interface that is managed by NetworkManager to make it unmanaged:

NM_CONTROLLED="no"

# vi /etc/sysconfig/network-scripts/ifcfg-ens33
BOOTPROTO=static
NM_CONTROLLED=no
ONBOOT=yes
#DOMAIN=datahead.biz
HOSTNAME=host.datahead.biz
:x (save & quit)

# vi /etc/sysconfig/network-scripts/if

Installation Prerequisite for EFA/Cpanel/CWP7/VestaCP: Part 3 Set Up the Hostname Permanently

A computer's hostname is a unique name assigned to it in a network in order to identify that computer within that network. The hostname is set when the CentOS operating system is installed, or, if you are spinning up a virtual machine, it is assigned dynamically to the instance at startup. The hostname is used by many networking programs (such as sendmail and Apache servers) to identify the machine. By default, your server starts with the given server name as the hostname. Some software, such as cPanel and CWP, requires a valid Fully Qualified Domain Name (FQDN) as the hostname.

Types of hostnames (the hostname can be configured as follows):

Static host name: assigned by the sysadmin. For example, "server1", "wwwBot2", or "host.datahead.biz".
Transient/dynamic host name: assigned by a DHCP or mDNS server at run time.
Pretty host name: assigned by the sysadmin or end users; a free-form UTF-8 host name for presentation to the user.

Installation Prerequisite for EFA/Cpanel/CWP7/VestaCP: Part 2 Disable Firewalld

CentOS 7 comes with firewalld by default. Disable firewalld, because Cpanel and CWP use the CSF firewall and LFD with iptables. Here CSF is ConfigServer Security & Firewall and LFD is the Login Failure Daemon.

# systemctl stop firewalld.service
# systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
# systemctl mask firewalld.service
Created symlink from /etc/systemd/system/firewalld.service to /dev/null.

Reboot your server so that all updates take effect, and then check the firewalld status.

# reboot
# systemctl status firewalld

In EFA, FirewallD and the Fail2Ban intrusion detector come enabled by default. But I prefer to use CSF, so I will disable the firewalld service.

Installation Prerequisite for EFA/Cpanel/CWP7/VestaCP: Part 1 Disable SELinux

SELinux is an acronym for Security-Enhanced Linux. It is a security feature of the Linux kernel, designed to protect the server against misconfigurations and/or compromised daemons. In the Linux kernel, SELinux relies on mandatory access control (MAC), which restricts users to the rules and policies set by the system administrator. MAC is a stricter level of access control than the standard discretionary access control (DAC), and it prevents security breaches in the system by allowing access only to the files the administrator has pre-approved. SELinux was initially released as a collaboration between Red Hat and the National Security Agency. SELinux receives periodic updates and additions as new Linux distributions are released.

SELinux modes: There are three modes of SELinux: Enforcing, Permissive and Disabled. Enforcing mode is the default mode when SELinux is installed. It enforces the policies on the system, denies access and logs actions. Permissive mode is the most com