cPanel perms issue with SSH login

Recently I came upon an issue on a cPanel server with suPHP as the PHP handler: when the cPanel user SSHs into the server (or connects via SFTP), any file or directory they create has incorrect permissions.

  • Files: 664
  • Directories: 775

I found this was due to a setting in /etc/profile that sets the umask value as such
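The modes listed above are what a login umask of 002 produces (666 & ~002 = 664 for files, 777 & ~002 = 775 for directories), and they matter because suPHP, with its default allow_file_group_writeable=false and allow_directory_group_writeable=false, refuses to run scripts that are group-writable. The following is an added example, not code from the original post: it maps a umask to the resulting modes, finds the group-writable files and directories suPHP will reject under a document root, and clears the group-write bit so they end up 644/755, the same result a umask of 022 would have given. The umask value 002 is assumed from the modes above; the scratch directory stands in for a real docroot.

```sh
#!/bin/sh
# Added example (not from the original post). Shows how a login umask maps to
# the modes new files and directories get, and finds/fixes the group-writable
# paths that suPHP rejects. The umask 002 is assumed from the 664/775 modes
# listed in the post; the scratch directory is a placeholder for a docroot.

# Mode a new file (base 666) or directory (base 777) gets under a given umask.
# $1 = umask as an octal string (e.g. 002), $2 = 666 or 777.
mode_from_umask() {
  printf '%03o\n' $(( 0$2 & ~0$1 ))
}

# List files and directories under $1 that are group-writable: exactly what
# suPHP refuses with its default allow_*_group_writeable=false settings.
suphp_group_writable() {
  find "$1" \( -type f -o -type d \) -perm -g+w
}

# Strip the group-write bit from those paths; files become 644 and
# directories 755, which suPHP accepts.
suphp_fix_group_writable() {
  find "$1" \( -type f -o -type d \) -perm -g+w -exec chmod g-w {} +
}

# Demo on a scratch directory so the script runs anywhere.
demo() {
  d=$(mktemp -d)
  # Reproduce what a login with the bad umask creates.
  ( umask 002; touch "$d/index.php"; mkdir "$d/inc" )
  echo "umask 002 -> file $(mode_from_umask 002 666), dir $(mode_from_umask 002 777)"
  echo "umask 022 -> file $(mode_from_umask 022 666), dir $(mode_from_umask 022 777)"
  echo "group-writable before fix: $(suphp_group_writable "$d" | wc -l)"
  suphp_fix_group_writable "$d"
  echo "group-writable after fix:  $(suphp_group_writable "$d" | wc -l)"
  rm -rf "$d"
}

demo
```

On a real server run `suphp_group_writable /home/USER/public_html` first to see what would change, then the fix; and correct the umask in the login profile so the problem does not come back with the next upload.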

CSF, Spamhaus Network Connectivity Issues

Hi!

Do you have a client who says that they cannot access their sites/server and insists it's a network issue, but their IP addresses do not appear in csf.deny, and their sites do not load from several parts of the world when tested with a site checker like https://www.site24x7.com/check-website-availability.html or similar?

Well do I have quite the solution for you!

This morning, we verified an issue regarding a CSF/Spamhaus update in which CSF blocks every IP address from 128.0.0.0 upwards. It is caused by an entry in the Spamhaus DROP list, 172.103.64.0/1, that is not a valid network (the prefix length is wrong for that address):

https://www.spamhaus.org/drop/drop.lasso

CSF normalises 172.103.64.0/1 to its network address, 128.0.0.0/1, which covers the entire upper half of the IPv4 space (128.0.0.0 through 255.255.255.255), so every client in that range is blocked. To remedy this, after verifying the bad entry is present, remove the cached SPAMDROP block file:

rm /var/lib/csf/csf.block.SPAMDROP

and restart CSF:

csf -r

Restarting CSF regenerates the SPAMDROP list, and once Spamhaus has removed the bad entry the new list will no longer contain it. If the entry is still present upstream, the regenerated file will pick it up again, so check the downloaded list as well.

Now verify that sites on the server load from around the world without issue:

https://www.site24x7.com/check-website-availability.html

Enjoy!!!
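The damage here comes from the firewall silently widening a malformed entry to its enclosing network. The following is an added example, not CSF's or Spamhaus's code: a small lint for a DROP-format list that computes each entry's canonical network address and flags any entry whose address has host bits set (so a firewall would normalise it to something else) or whose prefix is implausibly short. The sample list is constructed for the demo and its SBL identifiers are placeholders; only the 172.103.64.0/1 entry comes from the post.

```sh
#!/bin/sh
# Added example (not part of the original post or of CSF): sanity-check a
# Spamhaus DROP-format list before a firewall loads it. An entry whose address
# is not the network address of its own prefix, or whose prefix is absurdly
# short, is flagged, because the firewall will normalise it to the enclosing
# network (172.103.64.0/1 -> 128.0.0.0/1) and block far more than intended.

# Canonical network address for an IPv4 CIDR, e.g. "128.0.0.0" for 172.103.64.0/1.
cidr_network() {
  ip=${1%/*}; pfx=${1#*/}
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  if [ "$pfx" -eq 0 ]; then mask=0; else mask=$(( (0xFFFFFFFF << (32 - pfx)) & 0xFFFFFFFF )); fi
  net=$(( n & mask ))
  printf '%d.%d.%d.%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) $(( (net >> 8) & 255 )) $(( net & 255 ))
}

# Read DROP lines ("CIDR ; SBLnnn"; a leading ';' starts a comment) from stdin
# and print "BAD <entry> <reason>" for each entry that would misbehave.
# Returns 1 if anything was flagged, 0 otherwise. MIN_PREFIX defaults to 8:
# nothing in DROP is legitimately larger than a /8, so shorter prefixes are
# treated as typos.
drop_lint() {
  min_prefix=${MIN_PREFIX:-8}
  bad=0
  while IFS= read -r line; do
    case $line in ''|';'*) continue ;; esac
    entry=$(printf '%s' "${line%%;*}" | tr -d ' \t')
    pfx=${entry#*/}
    case $pfx in ''|*[!0-9]*)
      echo "BAD $entry malformed entry"; bad=1; continue ;;
    esac
    if [ "$pfx" -gt 32 ] || [ "$pfx" -lt "$min_prefix" ]; then
      echo "BAD $entry prefix /$pfx outside /$min_prefix-/32"; bad=1; continue
    fi
    net=$(cidr_network "$entry")
    if [ "$net" != "${entry%/*}" ]; then
      echo "BAD $entry host bits set (normalises to $net/$pfx)"; bad=1
    fi
  done
  return $bad
}

# Constructed sample list: the SBL identifiers are placeholders, not real ones.
SAMPLE_DROP='; Spamhaus DROP List (constructed sample)
1.10.16.0/20 ; SBL000001
172.103.64.0/1 ; SBL000002
5.134.128.0/19 ; SBL000003
10.1.1.0/23 ; SBL000004'

# Usage against the live list:  curl -s https://www.spamhaus.org/drop/drop.lasso | drop_lint
printf '%s\n' "$SAMPLE_DROP" | drop_lint || echo "list contains entries a firewall would widen"
```

Running it on the sample flags 172.103.64.0/1 (prefix too short; its network address is 128.0.0.0) and 10.1.1.0/23 (host bits set; it would be loaded as 10.1.0.0/23). A non-zero exit makes it easy to gate the block-list refresh in a cron job on a clean lint.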

cPanel p0f Notification errors / emails

Hi all,

I have been noticing quite a few issues relating to the cPanel p0f service crashing and sending e-mail notices to customers. This appears to be related to a recent cPanel update based on early reports. Fortunately, the fix is quite simple and should only require you to run the following commands:

/scripts/check_cpanel_rpms --fix
/scripts/restartsrv_p0f

What is the p0f service, you ask? cPanel describes it as the Passive OS Fingerprinting daemon.

If you are on a CentOS 7 server, you also need to add an extra entry to the yum.conf excludes. I have checked and confirmed that this fix does work and should be a permanent solution.

Edit /etc/yum.conf and add p0f* to the exclude= line. You can add it at the end if you want; it will be sorted into alphabetical order automatically. Change:

exclude=courier* dovecot* exim* filesystem httpd* mod_ssl* mydns* mysql* nsd* php* proftpd* pure-ftpd* spamassassin* squirrelmail*

to

exclude=courier* dovecot* exim* filesystem httpd* mod_ssl* mydns* mysql* nsd* p0f* php* proftpd* pure-ftpd* spamassassin* squirrelmail*

You can then run /scripts/upcp and /scripts/check_cpanel_rpms without triggering the issue again. Otherwise the next upcp will reintroduce the problem and send out more emails about the service being broken.

cPanel's official fix is slightly different. They state: "The issue happens when the EPEL yum repo is enabled. A yum update installs the p0f package from EPEL instead of the cPanel-provided p0f package. To correct this, you should add p0f*.el7.* to the excludes line in /etc/yum.conf, and run /scripts/check_cpanel_rpms --fix to get the cPanel-provided p0f package installed. Then you shouldn't have this issue again."

So please add "p0f*.el7.*" to the exclude line rather than the bare "p0f*". The bare glob matches every p0f package, cPanel's own included, so yum will never update it from any repository; "p0f*.el7.*" matches only the EPEL (el7) builds and leaves the cPanel-provided package alone.

New WHM Tweak Settings – Regarding MySQL

I recently found a specific explanation for why I keep seeing MySQL settings being off in my.cnf and causing load issues.

Recent changes in WHM have added options to Tweak Settings that allow WHM to determine the "best" value for several MySQL settings. Whenever MySQL is restarted from within cPanel, those settings are changed/modified. The options are on by default:

• Allow cPanel & WHM to determine the best value for your MySQL open_files_limit configuration?
  This setting's value defaults to On.
• Allow cPanel & WHM to determine the best value for your MySQL max_allowed_packet configuration?
  This setting's value defaults to On.
• Allow cPanel & WHM to determine the best value for your MySQL innodb_buffer_pool_size configuration?
  This setting's value defaults to On.

If you are experiencing load issues of unknown origin, this is something else to check: a value you set by hand in my.cnf may have been replaced at the last restart.

Documentation can be found at the below link and is current as of Jun 24, 2016

A friend needs help…

https://www.gofundme.com/2j8nnw4

I normally would not do this here but a friend of mine is in a bad spot, working two jobs, going to school and needs help. Please check it out and drop a $1.00, $2.00, $5.00 or whatever you can to help. She's a single mom with two small kids who could use a hand and I know this killed her to ask for this… she does not know I am dropping this here…

I've been here long enough to know how generous, kind and awesome my fellow g33ks are in helping those who have hit a rough spot in life…

Thanks for anything you can do to help in advance…

(p.s. she's an awesome mom and deserves a break!)

https://www.gofundme.com/2j8nnw4

NSS Bug

The Problem:

There is an issue on CloudLinux 6.8 and CentOS 6.8 servers with the nss package version 3.21.0-8. In general, you will see either:

curl https://google.com > /dev/null
Illegal instruction (core dumped)

or

rhn_check
Illegal instruction (core dumped)

In both cases, the advised fix amounts to downgrading the nss packages to version 3.21.0-0.3. The instructions differ between CloudLinux and CentOS.

CloudLinux

The older package is still in CloudLinux's repositories, so this is easy. Run the following command and check that you are going to 3.21.0-0.3. The NSS_DISABLE_HW_GCM=1 environment variable turns off NSS's hardware-accelerated GCM code path, the one that hits the illegal instruction, so that yum itself (which talks to the mirrors through curl and NSS) survives long enough to perform the downgrade:

NSS_DISABLE_HW_GCM=1 yum downgrade nss nss-util nss-tools nss-sysinit

Then edit /etc/yum.conf

vim /etc/yum.conf

and add nss* to the end of the exclude= line like so, so that the next yum update does not pull the broken build back in:

exclude=courier* dovecot* exim* filesystem httpd* mod_ssl* mydns* mysql* nsd* php* proftpd* pure-ftpd* spamassassin* squirrelmail* nss*

Then check your work with the following command (it should exit silently, with no "Illegal instruction"):

curl https://google.com > /dev/null

CentOS

CentOS is a bit more difficult, since everything has just upgraded to CentOS 6.8 and the older package is no longer in the system repositories, so it has to come from the CentOS vault.

Create the file

touch /etc/yum.repos.d/nss-fix.repo

with the following contents:

[nss-fix]
name=repository used solely to fix nss
baseurl=http://vault.centos.org/6.7/updates/x86_64/
enabled=0
includepkgs=nss*
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
priority=3

The baseurl is plain HTTP, so leave gpgcheck on: the vault packages are signed with the same CentOS 6 key that is already installed at /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6, and the signature check is what protects you against a tampered mirror. enabled=0 keeps the repository off except when you enable it explicitly for the downgrade, and includepkgs limits it to the nss packages so nothing else can be pulled from the older tree.

Then run the following command and check that you are going to 3.21.0-0.3 (if yum itself dies with "Illegal instruction", prefix the command with NSS_DISABLE_HW_GCM=1 exactly as in the CloudLinux step):

yum --enablerepo=nss-fix downgrade nss nss-sysinit nss-util nss-tools

Next, edit /etc/yum.conf

vim /etc/yum.conf

adding nss* to the end of the exclude= line like so:

exclude=courier* dovecot* exim* filesystem httpd* mod_ssl* mydns* mysql* nsd* php* proftpd* pure-ftpd* spamassassin* squirrelmail* nss*

Check your work with the following command:

curl https://google.com > /dev/null
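Both the p0f fix above and this nss downgrade end with the same hand edit: add a glob to the exclude= line of /etc/yum.conf without duplicating it, and then be sure the glob catches the builds you mean (p0f* versus p0f*.el7.*). The following is an added example, not cPanel's or yum's code: an idempotent helper that appends a glob to the exclude= line of a yum.conf file, and a check that applies yum's shell-style glob matching to a package string so you can see which builds an exclude would block. The package strings are constructed for the demo; in particular the "cp1170" release tag stands in for whatever tag the cPanel-provided p0f package carries and is not a real version. The helper appends rather than sorts, and it works on a temporary copy so a dry run is safe.

```sh
#!/bin/sh
# Added example, not from the original posts or from cPanel/yum: a helper for
# the "add a glob to exclude= in /etc/yum.conf" step that both the p0f fix and
# the nss downgrade rely on, plus a check of which package builds a glob would
# actually exclude. Package strings are constructed; "cp1170" is a placeholder
# release tag, not a real cPanel package version.

# Add glob $2 to the exclude= line of yum.conf $1 unless it is already there.
# Creates the line if the file has none. Edits a temp copy, then writes back.
yum_exclude_add() {
  conf=$1; glob=$2
  if grep -q '^exclude=' "$conf"; then
    if grep '^exclude=' "$conf" | sed 's/^exclude=//' | tr ' ' '\n' | grep -qxF "$glob"; then
      return 0   # already present as a whole word
    fi
    tmp=$(mktemp)
    awk -v g="$glob" '/^exclude=/ { $0 = $0 " " g } { print }' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
  else
    printf 'exclude=%s\n' "$glob" >> "$conf"
  fi
}

# Print the globs currently on the exclude= line of $1, one per line.
yum_excludes() {
  sed -n 's/^exclude=//p' "$1" | tr ' ' '\n' | grep -v '^$'
}

# Return 0 if package string $2 is matched by any exclude glob in $1.
# yum matches excludes as shell-style globs, which is what `case` does here.
# Runs in a subshell with pathname expansion off so the globs stay patterns.
yum_excluded() (
  set -f
  pkg=$2
  for g in $(yum_excludes "$1"); do
    case $pkg in $g) exit 0 ;; esac
  done
  exit 1
)

demo() {
  conf=$(mktemp)
  # Starting exclude= line as shown in the posts (constructed copy).
  echo 'exclude=courier* dovecot* exim* filesystem httpd* mod_ssl* mydns* mysql* nsd* php* proftpd* pure-ftpd* spamassassin* squirrelmail*' > "$conf"
  yum_exclude_add "$conf" 'p0f*.el7.*'
  yum_exclude_add "$conf" 'nss*'
  yum_exclude_add "$conf" 'nss*'      # second add is a no-op
  cat "$conf"
  for p in p0f-3.09-5.el7.x86_64 p0f-3.09-1.cp1170.x86_64 nss-3.21.0-8.el6.x86_64 nss-util-3.21.0-0.3.el6_7.x86_64; do
    if yum_excluded "$conf" "$p"; then echo "excluded: $p"; else echo "allowed:  $p"; fi
  done
  rm -f "$conf"
}

demo
```

The demo shows the point of cPanel's narrower glob: p0f-3.09-5.el7.x86_64 (an EPEL-style build) is excluded while p0f-3.09-1.cp1170.x86_64 (the constructed stand-in for the cPanel build) is still allowed, whereas nss* catches every nss package, which is what you want for the downgrade pin. Point the helper at a copy of /etc/yum.conf first, diff it, and only then run it on the real file.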

cPanel – SSL hostnames are required to have DNS entries

tl;dr

• When cPanel starts up, if it doesn't have a valid (now: valid and properly signed) certificate for its services, it reissues its own, or panics if it cannot.
• cPanel now requires a hostname validation check (similar to Let's Encrypt) as part of that process.
• Therefore, a server's hostname now has to resolve to the server, or cPanel will not start.
• You will receive an email every day if the hostname doesn't line up.
• You have to touch a file to disable this, then run the script, and then it should be set.

Due to cPanel's recent change to their self-signed SSL certificates, hostnames are required to have DNS entries. If this is not in place, the server will not get a valid certificate, cPanel will start and cpsrvd will immediately fail. To correct this we basically need to fix the DNS entry for the server's hostname and then run /usr/local/cpanel/bin/checkallsslcerts

Error from /usr/local/cpanel/logs/error_log:

cpsrvd: Setting up native SSL support ... Could not load ssl libraries or certificate from /var/cpanel/ssl/cpanel/ at cpsrvd.pl line 554.

[root@host] cpanel:/usr/local/cpanel/bin/checkallsslcerts
The system failed to acquire a signed certificate from the cPanel Store because of an error: (XID y4txyq) "host.domain.com" does not resolve to any IPv4 addresses on the internet.

Updating DNS for the hostname and then running the check again will resolve the issue. If you do not have access to the customer's DNS, they will need to modify the DNS entries at their registrar or DNS host, and cPanel/WHM will remain down until that change is made.

Additionally, this may be a concern when DNS cannot change (or should not be changed for some reason). In that case you can skip the cPanel-signed certificate. If you touch this file,
/var/cpanel/ssl/disable_auto_hostname_certificate
the system will no longer order, download, and install a free cPanel-signed hostname certificate.
https://documentation.cpanel.net/display/ALD/Manage+Service+SSL+Certificates has more information on this. After touching this file, run
/usr/local/cpanel/bin/checkallsslcerts
to install a self-signed certificate on the services.

p.s. You must restart cPanel after updating the SSL certificates.
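The error in the log is a DNS problem reported through a certificate tool, so it pays to check the DNS side directly before touching cPanel. The following is an added example, not cPanel's code: a pre-flight check that resolves the server's hostname to IPv4 through the system resolver and compares the result with the addresses actually configured on the machine. The first test (does it resolve at all) is the one the cPanel Store error above describes; the second (does it point at this box) is a stricter sanity check that will report a mismatch on a server behind 1:1 NAT, which is why the message calls it out rather than treating it as fatal. The sample address lists used in the demo are constructed (RFC 5737 test ranges) and host.domain.com is the placeholder from the post's error message.

```sh
#!/bin/sh
# Added example (not cPanel's code): pre-flight check for the condition that
# checkallsslcerts enforces, that the server's hostname resolves to an IPv4
# address, plus a stricter check that it resolves to an address this host owns.
# Run it before reissuing the hostname certificate or when the daily
# "does not resolve" mail arrives.

# Return 0 if any address in list $1 also appears in list $2 (space separated).
ips_overlap() {
  for a in $1; do
    for b in $2; do
      [ "$a" = "$b" ] && return 0
    done
  done
  return 1
}

# IPv4 addresses that $1 resolves to, via the system resolver (glibc getent).
resolve_v4() {
  getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u | tr '\n' ' '
}

# IPv4 addresses configured on this host's interfaces (iproute2).
local_v4() {
  ip -4 -o addr show 2>/dev/null | awk '{ split($4, a, "/"); print a[1] }' | sort -u | tr '\n' ' '
}

# Full check for a hostname (defaults to this host's FQDN); prints a verdict
# and returns 0 only when the name resolves to one of our own addresses.
hostname_check() {
  host=${1:-$(hostname -f)}
  resolved=$(resolve_v4 "$host")
  mine=$(local_v4)
  if [ -z "$resolved" ]; then
    echo "FAIL: $host does not resolve to any IPv4 address (the cPanel Store check will fail)"
    return 1
  fi
  if ips_overlap "$resolved" "$mine"; then
    echo "OK: $host -> $resolved (matches a local address)"
    return 0
  fi
  echo "WARN: $host -> $resolved but local addresses are: $mine (1:1 NAT, or DNS pointing at another server?)"
  return 1
}

# Offline demo with constructed lists (RFC 5737 test addresses).
if ips_overlap "203.0.113.10 203.0.113.11" "10.0.0.5 203.0.113.11"; then
  echo "demo: resolved set overlaps local set"
fi

# Usage on a real server:
#   hostname_check                  # checks `hostname -f`
#   hostname_check host.domain.com  # the hostname from the post's error message
```

A clean "OK" means the DNS prerequisite is met and checkallsslcerts should succeed; a "FAIL" is the DNS change the customer has to make, and there is no point restarting cpsrvd until it resolves.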