cPanel IPv6 Woes

Hello,

cPanel has pushed updates again that re-enable IPv6 on any box running a version greater than 11.40.

This can cause an issue when cPanel starts rebuilding the Apache configuration, though, because it adds one or both of these lines:

Listen [::]:80
Listen [::]:443

When IPv6 is installed on a server, the Listen directive is set to Listen [::]:80, which listens on all IPv6 addresses on the server. The above config is basically how Apache will listen for IPv6 addresses. So far I think this only works with Apache 2.0+.

When Apache encounters this problem on start/restart, it will present an error similar to the following:

httpd not running, trying to start
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:443

To resolve this temporarily, just comment out the lines that contain the IPv6 Listen directives, like so:

#Listen [::]:80
or
#Listen [::]:443

This can be resolved permanently by simply forcing EasyApache to rebuild the currently installed Apache and PHP.

/scripts/easyapache --build

(NOTE: Never run EasyApache without first making sure you back up the current Apache config, PHP config, PHP information and installed modules.)

From what I hear even this can upgrade your PHP version in certain circumstances when the currently installed version of PHP is no longer an option in EasyApache.

To be 100 percent safe and save yourself some time, always verify your current PHP version and make sure it is selected in EasyApache. If for any reason this doesn’t happen, you may find that EasyApache upgraded the PHP version and some websites may not be working anymore.

Now that Apache has been covered, MySQL is also now trying to bind to IPv6 addresses. This will require you to add the following directive to /etc/my.cnf and restart MySQL:

bind-address = 0.0.0.0

This should bind to IPv4, and allow all IPv4 addresses to connect.

+1
This one-liner backs up the current config to a .bak file and makes the needed changes for you…

cp /usr/local/apache/conf/httpd.conf{,.bak.`date +%s`} && sed -i 's/Listen \[::\]:80/\#Listen \[::\]:80/' /usr/local/apache/conf/httpd.conf && sed -i 's/Listen \[::\]:443/\#Listen \[::\]:443/' /usr/local/apache/conf/httpd.conf

You can also append
&& /etc/init.d/httpd restart
to the end if you wish.
Good luck…

CloudFlare Plugin install on cpanel


The CloudFlare cPanel plugin makes it easy to integrate into your hosting control panel. It takes less than 5 minutes to install on a test server and then the service is available to your end customers with two clicks.

Before proceeding to install the CloudFlare plugin, you should get a HOST KEY from CloudFlare partners:

https://www.cloudflare.com/certified-partners


Plesk: Disable DNS Recursion

When you visit a website on the Internet, the computer you use will find the address of the site using a system called DNS. If you are using your home computer to browse the internet, it will request each website address from your Internet Service Provider (ISP).

Dedicated and Virtual Servers are set up to search for this DNS information themselves. This is perfectly normal and is a commonly used feature for office or cloud networks.

There are two types of DNS queries that can be made to your server, which are as follows:

  • Recursive requests: With these requests your server will attempt to find the website in question in its local cache. If it cannot find an answer it will query other DNS servers on your behalf until it finds the address. It will then respond to the original request with the results from each server’s query.
  • Iterative requests: With these requests the DNS server will attempt to find the website in question in its local cache. If it cannot find an answer it will not ask other DNS servers but will reply back to the original request with a single “I don’t know, but you could try asking this server” message.

    Why are recursive DNS requests not recommended?

    Servers that support this type of request are vulnerable to fake requests from a spoofed IP address (the victim of the attack). The spoofed IP address can get overwhelmed by the number of DNS results it receives and be unable to serve regular internet traffic. This is called an Amplifier attack because this method takes advantage of DNS servers to reflect the attack onto a target while also amplifying the volume of packets sent to the victim. A consequence of this activity is that third-party network administrators who detect these requests may block your IP addresses. Your server could even be placed on DNS blacklists.

    What happens if I turn off Recursive DNS lookups on my server?

    If your server doesn’t enable recursive DNS lookups, it will simply treat any such requests as an iterative DNS enquiry. It will continue to act as a DNS server, but will no longer be useful to attackers as part of an amplified attack on a victim.

    To turn recursion off on your server, log in to Plesk and go to
    Tools & Settings -> DNS Template Settings -> DNS Recursion,
    then set the option to localhost and click ‘OK’.

    This will turn off the DNS Recursion for the server.

    There is a command-line alternative, but Plesk may not like it, so use at your own risk:
    perl -pi -e 's/recursion yes/recursion no/g' /etc/named.conf;service named restart
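
To confirm the change took effect, look at the header flags in a reply from your server: a resolver that still recurses for the client sets the "ra" (recursion available) flag. The script below is an added example, not part of the original post; the function names and the two sample replies are constructed for illustration, and the live check assumes `dig` is installed.

```bash
#!/usr/bin/env bash
# Added example: decide from dig's header lines whether a server offered recursion.

# Reads dig output on stdin and prints one of:
#   open-recursion  reply carries the "ra" (recursion available) flag
#   recursion-off   reply received, "ra" flag absent
#   no-reply        no DNS header in the output (timeout, unreachable)
classify_dig_reply() {
    local line flags="" status=""
    while IFS= read -r line; do
        case "$line" in
            *"->>HEADER<<-"*)            # e.g. "... status: REFUSED, id: 4712"
                status=${line#*status: }
                status=${status%%,*}
                ;;
            ";; flags:"*)                # e.g. ";; flags: qr rd ra; QUERY: 1, ..."
                flags=${line#";; flags: "}
                flags=${flags%%;*}
                ;;
        esac
    done
    if [ -z "$status" ]; then echo "no-reply"; return 0; fi
    case " $flags " in
        *" ra "*) echo "open-recursion" ;;
        *)        echo "recursion-off" ;;
    esac
}

# Live check: $1 = your server's public IP, $2 = a name it is NOT authoritative for.
check_server() {
    dig +time=3 +tries=1 "$2" A @"$1" | classify_dig_reply
}

# Constructed sample: header lines from a server that recursed for the client.
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
# Constructed sample: the same query after recursion was restricted.
SAMPLE_CLOSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4712
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available'

# Run against a real server only when two arguments are supplied.
if [ "$#" -eq 2 ]; then check_server "$1" "$2"; fi
```

Run the live check from a machine outside the server's own network: with the option set to localhost, the server still recurses for queries it sends to itself, so a test run on the box would report open-recursion.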