Riz Khan on September 28th, 2010

ConfigServer Security & Firewall

When we talk about server security, the firewall is an important component. For hosting servers, or servers in general, there are two popular free firewall combinations. One is APF/BFD (Advanced Policy Firewall / Brute Force Detection) and the second is CSF/LFD (ConfigServer Firewall / Login Failure Daemon). The BFD or LFD part of each installation takes care of the different brute-force login or access attempts and blocks the related IPs/URLs using the firewall.

Both of these combinations are widely used in the industry. CSF/LFD is more popular on cPanel servers as it also provides GUI access from WHM to manage its features and configuration.

Installing both CSF/LFD and APF/BFD is fairly easy.

In this short article I will list the installation steps for CSF/LFD.

- Log in to your server as the 'root' user and issue the commands below:

- Change directory to either /root or /usr/local/src, whichever you normally use for such installations
# cd /usr/local/src
- Remove any old source that might be present
# rm -fv csf.tgz
- Download the source for installation
# wget http://www.configserver.com/free/csf.tgz
- Unpack the source
# tar -xzf csf.tgz
- Run the installation script
# cd csf
# sh install.sh

Once the installation completes, you can run the script below, provided by the vendor, to check whether your server/VPS has the required iptables modules available:

# perl /etc/csf/csftest.pl

Even if it reports that some modules are missing and that you will not be able to use some features, that is still fine as long as you do not get any fatal errors.

If this is a fresh installation, you are done with the installation and can proceed to configuration. But if you are running some other firewall script, you will need to remove that first; CSF provides a script to remove the other popular combination I mentioned above, i.e. APF/BFD:

# sh /etc/csf/remove_apf_bfd.sh

The above script will remove APF/BFD from your server/VPS.

Now you can configure the firewall either by directly editing the configuration files under /etc/csf/ or by using WHM to edit the configuration from the GUI.
CSF is disabled by default after installation, so you will need to enable it either from the shell or from the WHM GUI by editing the configuration file.

Below I list some of the most common commands you will need to manage and use the CSF firewall:

- enabling the firewall
# csf --enable
# csf -e

- disabling the firewall
# csf --disable
# csf -x

- starting the firewall / applying rules
# csf --start
# csf -s

- stopping the firewall / flushing rules
# csf --stop
# csf -f

- adding an IP to the firewall deny list
# csf -d 2.3.4.5 "Reason for blocking the IP"
# csf --deny 2.3.4.5 "Reason for blocking the IP"

where 2.3.4.5 is the IP you want to block.

You can use 'csf -h' or 'csf --help' to see the complete set of available commands.

CSF provides many options for tightening security on the server. I will mention a few tweaks that you can apply to your server/VPS:

- Find the parameter below in the CSF configuration (/etc/csf/csf.conf) and set it to 1 to enable it. This blocks outbound local connections to port 25, which helps reduce spam activity on the server. Note that csf.conf values are written in double quotes:

SMTP_BLOCK = "1"

There are other parameters like 'SYNFLOOD' and 'PORTFLOOD' which can help you control/mitigate DoS attacks. See the CSF configuration and readme files for complete details. You can also visit the vendor websites for more information:

Vendor Websites :

APF/BFD – http://www.rfxnetworks.com/

CSF/LFD – http://www.configserver.com/


Riz Khan on September 22nd, 2010

Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel between two networked devices. The two major versions of this protocol are referred to as SSH1 and SSH2. It is used primarily on Linux and Unix based systems to access shell accounts. It was designed as a replacement for Telnet and other insecure remote shells, which send information, notably passwords, in plaintext, rendering them susceptible to packet analysis.
The encryption used by SSH is intended to provide confidentiality and integrity of data over an unsecured network such as the Internet.

SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling and forwarding of TCP ports; it can transfer files using the associated SFTP or SCP protocols. SSH uses the client-server model and by default uses the standard TCP port 22.

It is always recommended to change the default SSH port for security and also to disable direct root logins. We will see below how these changes are made. Also note that any change to the SSH configuration file requires a service restart to take effect.

We will go through some basic security updates in this article, i.e. changing the port, restricting the protocol version, disabling direct root access and creating a separate SSH user.

The SSH daemon configuration file is located at /etc/ssh/sshd_config. To change the port, open the config file and update the Port directive; it is recommended to select a port higher than 1024, since the low ports are the ones normally scanned by port-scanner applications.

//edit the ssh config using vi or your favorite editor
# vi /etc/ssh/sshd_config

//search for Port (if the line starts with a #, remove it, otherwise the directive stays commented out and has no effect)
Port 22

//update this to your desired port value, e.g.
Port 2629

//For additional security you can update the config to only use SSH2; search for Protocol
Protocol 2,1

//Update this setting to only use SSH2 as below
Protocol 2

Now you can disable direct root access using the steps below.

//search for PermitRootLogin
PermitRootLogin yes

It is set to yes by default; update it to no:

PermitRootLogin no

Save the config and exit. Do not restart SSH yet.

Now we can add the additional SSH user which will log in to the server directly.

//add the user using the command below; you can use any name you like
# adduser sshadmin

//set a password for the user using the command below:
# passwd sshadmin

To allow the user to switch to the root user using the su command, it needs to be added to the wheel group. This can be done using the steps below:

//use the vigr command
# vigr
//search for wheel in the group file and add the sshadmin user there; it will look like this after the addition:
wheel:x:10:root,sshadmin

The vigr command will open the group file and the group shadow file for editing one after the other; add sshadmin to the wheel group in both and save both files after the changes.

Now your basic security hardening for SSH is in place. Restart the SSH service using the command below:

# service sshd restart
//or, depending on your server
# /etc/init.d/sshd restart

And you are done.

Now you can SSH to the server using the new user sshadmin and its password, on the new port you set in the configuration. Once logged in, you can use the command below to switch to the root user:

# su root

It will ask for the root user's password; after providing it you will be logged in as root. At both stages you can verify which user/privileges you are logged in with using the command below:

# whoami

Also make sure you open the related TCP port (i.e. the one you used in the SSH config) in the firewall running on your server, if any.
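Added example, not from the original post: a small POSIX shell script that applies the three sshd_config changes above (Port, Protocol 2, PermitRootLogin no) by rewriting the directive whether it is already set or commented out with a leading # (as in a stock sshd_config), appending it if absent, and running sshd's own syntax check before any restart. The helper names and the sample config are mine; the demo works on a constructed temp file rather than the live /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the original post).

# set_directive FILE KEY VALUE: rewrite every KEY line, commented out or not
# (this also touches any inside Match blocks), or append "KEY VALUE" if none exists.
set_directive() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$/$key $value/" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_directive FILE KEY: print the effective value, i.e. the first
# uncommented match, which is the one sshd itself honours.
get_directive() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd_config FILE PORT: the three changes described in the post.
harden_sshd_config() {
    set_directive "$1" Port "$2"
    set_directive "$1" Protocol 2
    set_directive "$1" PermitRootLogin no
}

# validate_sshd_config FILE: run sshd's syntax check before restarting the
# service; skipped (returns 0) where sshd is not installed, e.g. in this demo.
validate_sshd_config() {
    command -v sshd >/dev/null 2>&1 || return 0
    sshd -t -f "$1"
}

# Demo on a constructed sample resembling a stock sshd_config, not the live file.
demo=$(mktemp)
printf '#Port 22\n#Protocol 2,1\nPermitRootLogin yes\nX11Forwarding yes\n' > "$demo"
harden_sshd_config "$demo" 2629
validate_sshd_config "$demo" && cat "$demo"
rm -f "$demo"
```

Only restart sshd after validate_sshd_config succeeds, and keep your existing session open until you have confirmed a login on the new port works.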

You can further tweak and harden SSH security with measures like allowing access only from specific IPs or specific users, or only through SSH keys, etc. I will not go into those details in this article.


Riz Khan on September 15th, 2010

Many times you may notice a time drift problem on a server. It is common with some of the AMD server series as well. In most cases its impact is not very high and it can be controlled by setting up a cron job to run every minute, making sure the time stays close to accurate.

e.g. you can set up the cron entry below either in the root cron file under /var/spool/cron or in /etc/crontab

*/1 * * * * rdate -s rdate.cpanel.net

This simply syncs the time using rdate; you can use cPanel's rdate server or any other public rdate server.

Another way to fix it is by setting up ntpd (Network Time Protocol daemon) on the server, which is the method that achieves more accurate results.

You can install ntp using the following simple commands:

yum install ntp
# edit /etc/ntp.conf for your choice of time servers
vi /etc/ntp.conf
# The default time servers should work too, or you can update them as per your liking.

The service can be controlled using the standard commands below:

service ntpd start
service ntpd stop
service ntpd restart

There are more detailed configuration settings as well, like drift etc., but for normal use the default settings should be fine. I will cover the details of ntp installation and configuration in another post.

Another reason for time drift (usually a crazy one) can be a kernel-specific problem. In this case the time drifts forward and backward with jumps of 20/30 seconds, and this becomes a serious problem resulting in the failure of different services; one server I handled had both IMAP and FTP services failing on it.
This was a cPanel server with courier throwing the error below:

"BYE Clock skew detected. Check the clock on the file server"

And FTP was also failing with such a time drift, as it was not able to complete the initial connection session.

This was resolved by installing the latest CentOS 5 kernel on the related server.

So for resolving a time drift issue, your sequence would be rdate cron, then ntpd, then kernel upgrade, depending on what exactly the problem is and how severe it is.

If you have to choose between the cron and ntpd, the ntpd solution is preferred.


You may come across this error after server upgrades or migrations. It may appear while loading WHM, or you may experience it while running the easyapache script or /scripts/rebuildhttpdconf.

The exact error in the easyapache case, with a few preceding lines, is below:

Updating Apache configuration
Distilled successfully
read error at /usr/local/cpanel/Cpanel/Locale/Utils.pm line 126

This is usually caused by corruption or problems with /var/cpanel/locale and can be fixed by renaming the locale folder followed by running the cPanel upgrade script, i.e. you can fix it by issuing the commands below:

mv /var/cpanel/locale /var/cpanel/locale.old
/scripts/upcp --force

Once the upcp script finishes, the problem should be solved.


Riz Khan on June 16th, 2010

Different types of logs keep growing on a server and should be set to rotate, else they can cause issues: for one, when a log file reaches 2GB in size it commonly results in Apache service failure, and in general they can occupy a very large amount of disk space.

To resolve this issue, cPanel servers provide the option to set up rotation for the logs from the WHM GUI. For cPanel logs, rotation for the logs located at /usr/local/cpanel/logs can be set up using the path below in WHM:

Main >> Service Configuration >> cPanel Log Rotation Configuration

Similarly, for Apache logs located at /usr/local/apache/logs, rotation can be set up from the path below in WHM:

Main >> Service Configuration >> Apache Configuration >> Log Rotation

And for both of these, the threshold for the log file size can be set using the path below in WHM (the default size is 300MB):

Main >> Server Configuration >> Tweak Settings

The exact section and option under Tweak Settings is:

Stats and Logs >> Threshold in megabytes above which cpanellogd will rotate log files configured for log rotation. (Minimum 10MB)


Riz Khan on June 5th, 2010

On cPanel servers, exim sometimes reports the error below in the exim logs:

T=remote_smtp defer (-53): retry time not reached for any host

If the exim logs report this error, the most likely cause is corruption of the exim databases, especially if it reports this error for every email. To resolve it, the following steps can be performed using one of the exim database tools, 'exim_tidydb':

/usr/sbin/exim_tidydb -t 1d /var/spool/exim retry > /dev/null
/usr/sbin/exim_tidydb -t 1d /var/spool/exim reject > /dev/null
/usr/sbin/exim_tidydb -t 1d /var/spool/exim wait-remote_smtp > /dev/null

After performing the above steps, reinstall courier and exim using the cPanel scripts:

/scripts/courierup --force
/scripts/eximup --force

This should resolve the problem for you; if it continues to report the same error then deeper investigation into the issue will be required.
