
 Linux Web Hosting, DevOps, and Cloud Solutions

Category: Cpanel and WHM

Install the free SSL Certificate on the server’s hostname – cPanel WHM server


cPanel and WHM (WebHost Manager) are popular web hosting control panels that allow server administrators to manage web hosting services efficiently. Among their many features, cPanel offers a handy tool called AutoSSL, which provides free SSL certificates. In this guide, I will show you how to use AutoSSL to secure your server’s hostname.

Step 1: The checkallsslcerts Script

The checkallsslcerts script is what cPanel uses to issue the SSL certificate for the server’s hostname. Note that checkallsslcerts
runs as part of the nightly update checks on your system, which include upcp, cPanel’s own update script.

Step 2: When to Manually Run AutoSSL

In most cases, checkallsslcerts will take care of securing your server’s hostname during the nightly updates. However, there may be instances when you want to update the SSL certificate manually. This is especially useful if you’ve recently changed your server’s hostname and want to ensure the SSL certificate is updated immediately.

Step 3: Understanding the checkallsslcerts Script

The `/usr/local/cpanel/bin/checkallsslcerts` script is responsible for checking and installing SSL certificates for your server’s hostname. Here’s what the script does:

– It creates a Domain Control Validation (DCV) file.
– It performs a DNS lookup for your hostname’s IP address.
– It checks the DCV file using HTTP validation (for cPanel & WHM servers).
– If needed, it sends a request to Sectigo to issue a new SSL certificate.
– It logs the Sectigo requests for validation.

You can learn more about the checkallsslcerts script and its usage in this article from cPanel:

Step 4: How to Manually Execute the Script

To manually run the script, use the following command:

/usr/local/cpanel/bin/checkallsslcerts [options]

You can use options like `--allow-retry` and `--verbose` as needed.

Step 5: Troubleshooting and Tips

If you encounter issues with the SSL certificate installation, the script will provide helpful output to troubleshoot the problem. Ensure that your server’s firewall allows access from Sectigo’s IP addresses mentioned in the guide.

Common Issue: Unable to obtain a free hostname certificate due to 404 when DCV check runs in /usr/local/cpanel/bin/checkallsslcerts

After running the /usr/local/cpanel/bin/checkallsslcerts script via SSH, you may see errors similar to the following:

FAILED: Cpanel::Exception/(XID bj6m2k) The system queried for a temporary file at “http://hostname.domain.tld/.well-known/pki-validation/B65E7F11E8FBB1F598817B68746BCDDC.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: Neither HTTP nor DNS DCV preflight checks succeeded!

Description:
Encountering errors like “404 Not Found” during the DCV check when running /usr/local/cpanel/bin/checkallsslcerts via SSH? This issue typically arises when the shared IP address doesn’t match the main IP. To resolve it, ensure both IPs match and that the A record for the server’s hostname points to the main/shared IP. Here’s a workaround:

Workaround:

1. Confirm that the main IP and shared IP are identical.
2. Make sure the A record for the server’s hostname points to the main/shared IP.
3. To change the shared IP:
Log in to WHM as the ‘root’ user.

  • Navigate to “Home » Server Configuration » Basic WebHost Manager® Setup.”
  • Update “The IPv4 address (only one address) to use to set up shared IPv4 virtual hosts” to match the main IP.
  • Click “Save Changes” and then execute the following via SSH or Terminal in WHM:
    /scripts/rebuildhttpdconf
    /scripts/restartsrv_httpd --hard

    This will help resolve issues with obtaining a free hostname certificate in cPanel/WHM.
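To check the three conditions the workaround above depends on in one go, here is an added shell script (not cPanel's own code). It assumes the main IP is stored in /var/cpanel/mainip and the shared IP in the ADDR line of /etc/wwwacct.conf, which is where WHM keeps the value set in Basic WebHost Manager Setup. Run it with --run on the server; the helper functions can also be sourced and fed values from another host:

```shell
#!/bin/sh
# Added example, not cPanel's own code: pre-flight checks for the hostname DCV
# failure described above. Assumptions: the main IP is read from
# /var/cpanel/mainip and the shared IP from the ADDR line of /etc/wwwacct.conf.

# The URL checkallsslcerts expects the web server to answer for a given token
# (the token itself appears in the script's error output, as shown above).
dcv_url() {
    printf 'http://%s/.well-known/pki-validation/%s.txt\n' "$1" "$2"
}

# Reduce three addresses (main IP, shared IP, what the hostname resolves to)
# to a one-word diagnosis so the result can be scripted or alerted on.
diagnose() {
    m="$1"; s="$2"; r="$3"
    if [ "$m" != "$s" ]; then
        echo "shared-ip-mismatch"   # fix: Basic WebHost Manager Setup, then rebuild httpd.conf
    elif [ "$r" != "$m" ]; then
        echo "dns-mismatch"         # fix: point the hostname's A record at the main IP
    else
        echo "ok"
    fi
}

# First IPv4 address the system resolver returns for a name.
resolve_a() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Live run on a cPanel server: gather the three values, diagnose, then confirm
# which address an HTTP client actually reaches for the hostname.
main() {
    host="$(hostname -f)"
    main_ip="$(tr -d '[:space:]' < /var/cpanel/mainip)"
    shared_ip="$(awk '$1 == "ADDR" { print $2 }' /etc/wwwacct.conf)"
    resolved="$(resolve_a "$host")"
    echo "hostname=$host main=$main_ip shared=$shared_ip resolved=$resolved"
    echo "diagnosis: $(diagnose "$main_ip" "$shared_ip" "$resolved")"
    echo "DCV path pattern: $(dcv_url "$host" '<token from checkallsslcerts output>')"
    echo "HTTP reaches: $(curl -s -o /dev/null -w '%{remote_ip} (status %{http_code})' "http://$host/")"
}

# Only run the live checks when asked, so the helper functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

A diagnosis of shared-ip-mismatch points at the WHM change above; dns-mismatch means the A record must be corrected (and propagated) before re-running checkallsslcerts, since Sectigo fetches the DCV file from whatever address the hostname resolves to publicly.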

    Conclusion

    Securing your cPanel/WHM server’s hostname with a free SSL certificate from AutoSSL is essential for a secure web hosting environment. By following these steps, you can ensure that your server’s hostname is protected with a valid SSL certificate.

    Remember to regularly check your SSL certificates to ensure they remain up-to-date and secure.


    Best Practices for cPanel Security in 2023: Protecting Your Website and Data

    As the world becomes increasingly digital, the need for strong security measures to protect websites and online data has never been more pressing. For websites hosted on cPanel servers, ensuring the security of the cPanel environment is crucial to protecting both the website and the data it hosts. In 2023, the threat of cyber attacks continues to grow, making it more important than ever for website owners and system administrators to implement best practices for cPanel security. In this blog post, we’ll explore the top best practices for cPanel security in 2023, including using strong passwords, enabling two-factor authentication, keeping cPanel up-to-date with the latest security patches, using SSL certificates, and more. By implementing these best practices, website owners and system administrators can help ensure the security and integrity of their cPanel environments, and protect their websites and data from cyber threats.

    1. Use Strong Passwords

    One of the simplest and most effective ways to improve cPanel security is by using strong passwords. Weak passwords can be easily cracked by hackers, giving them access to your cPanel environment and all the websites and data hosted on it. By using strong passwords, you can help ensure that only authorized users have access to your cPanel environment, and protect your website and data from cyber threats.

    To create strong passwords, it’s important to use a mix of uppercase and lowercase letters, numbers, and symbols. Avoid using dictionary words, common phrases, or personal information like your name or birthdate, as these can be easily guessed by hackers using brute-force attacks. Instead, use a combination of random characters that are difficult to guess.

    Additionally, it’s recommended that users use a unique password for each account they have, rather than reusing the same password across multiple accounts. This can help prevent a single compromised password from giving hackers access to multiple accounts.

    For users who find it difficult to remember multiple strong passwords, password managers can be a helpful tool. Password managers generate and store strong passwords for each account, so users don’t have to remember them all. Additionally, many password managers include features like two-factor authentication and password auditing, which can further improve cPanel security.

    2. Enable Two-Factor Authentication
    Two-factor authentication (2FA) is an extra layer of security that requires users to provide two forms of authentication in order to access an account. Typically, this involves entering a username and password (the first factor), and then providing a second form of authentication, such as a security code sent to a mobile device or email (the second factor).

    By enabling 2FA in cPanel, users can add an extra layer of security to their accounts, making it more difficult for hackers to gain access to their cPanel environment, even if they have obtained the user’s password through a data breach or other means.

    To enable 2FA in cPanel, users can follow these steps:

    1. Log in to WHM.
    2. Click the “Two-Factor Authentication” icon under the “Security Center” section.
    3. Follow the prompts to set up 2FA with one of the available methods, such as Google Authenticator or Microsoft Authenticator.

    cPanel provides detailed documentation on how to enable 2FA for cPanel accounts, which can be found here: https://docs.cpanel.net/whm/security-center/two-factor-authentication-for-whm/

    By enabling 2FA, users can add an extra layer of security to their cPanel accounts, helping to protect their websites and data from unauthorized access.

    3. Keep cPanel Up-to-Date

    Keeping cPanel up-to-date with the latest security patches and fixes is essential for maintaining the security of your cPanel environment. As new vulnerabilities are discovered, cPanel releases updates that address these issues, making it more difficult for hackers to exploit these vulnerabilities to gain access to your cPanel account.

    To update cPanel, users can follow these steps:

    1. Log in to WHM (Web Host Manager)
    2. Click on the “cPanel” button under the “Account Information” section
    3. Click on the “Upgrade to Latest Version” button
    4. Follow the prompts to update cPanel to the latest version.

    It’s important to test updates before deploying them to production to ensure that they do not cause any compatibility issues or other problems that could negatively impact your website or data.

    4. Secure SSH
    SSH (Secure Shell) is a network protocol that allows users to securely connect to a remote server. In cPanel, SSH can be accessed through the Terminal feature. It’s important to secure SSH to prevent unauthorized access and protect your server from potential attacks.

    Here are some best practices for securing SSH in cPanel:

    Use strong SSH passwords: As with all passwords, it’s essential to use strong, complex passwords for SSH. Use a mix of uppercase and lowercase letters, numbers, and symbols. Avoid using easily guessable passwords such as “password” or “123456.”

    Use SSH keys: SSH keys are a more secure way to authenticate than passwords. They use public-key cryptography to authenticate users and are not vulnerable to brute-force attacks. Consider using SSH keys instead of passwords for SSH authentication.

    Change the default SSH port: By default, SSH uses port 22. Changing the default port to a non-standard port can make it harder for attackers to find your server and attempt to gain unauthorized access. Choose a high port number between 1024 and 65535.

    Disable root login: By default, the root user is allowed to log in via SSH. However, this can be a security risk as attackers often target the root user. Consider disabling root login and using a separate, non-root user for SSH access.
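The four recommendations above can be checked against a live sshd_config rather than by eye. The script below is an added example (not from the post) that reads the effective value of each directive the way sshd does, first occurrence wins and keywords are case-insensitive, and prints a PASS/FAIL line for each. The two embedded sample configs are constructed, and the values it assumes for unset directives are the OpenSSH server defaults:

```shell
#!/bin/sh
# Added example, not from the post: audit an sshd_config against the four
# recommendations above (non-default port, no root login, keys instead of
# passwords). Two constructed sample configs are embedded so it runs offline;
# pass a real path (for example /etc/ssh/sshd_config) as the first argument.

# Effective value of a directive. sshd honours the first occurrence of a
# keyword and keywords are case-insensitive, so mirror both rules here.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Print one "CHECK PASS/FAIL" line per recommendation; return 1 on any FAIL.
audit_sshd_config() {
    cfg="$1"; rc=0
    port="$(sshd_value "$cfg" Port)";                 [ -n "$port" ] || port=22
    root="$(sshd_value "$cfg" PermitRootLogin)";      [ -n "$root" ] || root=prohibit-password
    pw="$(sshd_value "$cfg" PasswordAuthentication)"; [ -n "$pw" ]   || pw=yes
    pk="$(sshd_value "$cfg" PubkeyAuthentication)";   [ -n "$pk" ]   || pk=yes
    # the fallbacks above are the OpenSSH server defaults for an unset directive
    if [ "$port" != 22 ]; then echo "Port PASS ($port)"; else echo "Port FAIL (default 22)"; rc=1; fi
    if [ "$root" = no ]; then echo "PermitRootLogin PASS"; else echo "PermitRootLogin FAIL ($root)"; rc=1; fi
    if [ "$pw" = no ]; then echo "PasswordAuthentication PASS"; else echo "PasswordAuthentication FAIL ($pw)"; rc=1; fi
    if [ "$pk" = yes ]; then echo "PubkeyAuthentication PASS"; else echo "PubkeyAuthentication FAIL ($pk)"; rc=1; fi
    return "$rc"
}

# Constructed samples: a typical untouched config and a hardened one.
SAMPLE_WEAK="$(mktemp)"
cat > "$SAMPLE_WEAK" <<'EOF'
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF

SAMPLE_HARDENED="$(mktemp)"
cat > "$SAMPLE_HARDENED" <<'EOF'
Port 2222
permitrootlogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

echo "== weak sample =="
audit_sshd_config "$SAMPLE_WEAK" || echo "hardening needed"
echo "== hardened sample =="
audit_sshd_config "$SAMPLE_HARDENED" && echo "all checks passed"
if [ -n "${1:-}" ]; then
    echo "== $1 =="
    audit_sshd_config "$1"
fi
```

Before setting PasswordAuthentication to no on a real server, confirm a key-based login works in a second session, and remember that a changed Port must also be opened in the firewall and in Host Access Control if those restrict SSH.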

    5. Control access to services by IP Address

    One of the best ways to improve cPanel security is to limit access to it only to those who need it. Unauthorized access can compromise your website and put sensitive data at risk. One effective method to limit access is by using WHM’s Host Access Control interface.

    WHM’s Host Access Control interface is a front-end tool that allows you to configure the /etc/hosts.deny and /etc/hosts.allow files. These files are used by the TCP wrappers facility to restrict access to services such as cPanel, WHM, SSH, FTP, SMTP, and more.

    Using the Host Access Control interface, you can easily add or remove IP addresses or ranges that are allowed or denied access to cPanel and other services. This provides an additional layer of security for your server by preventing unauthorized access attempts from specific IP addresses.

    To access the Host Access Control interface, log in to WHM and navigate to the “Security Center” section. From there, click on “Host Access Control.” You can then configure the settings according to your needs.

    By taking advantage of WHM’s Host Access Control interface, you can ensure that only authorized users are allowed access to cPanel and other services on your server, significantly reducing the risk of unauthorized access and potential security breaches.

    You can find examples of how to configure Host Access Control in the document below:
    https://docs.cpanel.net/whm/security-center/host-access-control/
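Because a mistake in hosts.deny can lock you out of SSH and WHM, it helps to know exactly how TCP wrappers evaluate the two files. The script below is an added example (not cPanel's code) that simulates that evaluation order on a constructed rule set: hosts.allow is consulted first, then hosts.deny, and a connection matched by neither is allowed. The service names (sshd, cpaneld, whostmgrd, ftpd) and the addresses are assumptions for the demonstration, and it understands ALL, exact addresses and dotted prefixes only, not netmasks, hostnames or EXCEPT clauses:

```shell
#!/bin/sh
# Added example, not cPanel's own code: a small simulator of how TCP wrappers
# evaluate the files Host Access Control writes, so a rule set can be checked
# before it is saved and locks an administrator out. Supported client forms:
# ALL, an exact IPv4 address, and a dotted prefix such as 10.0.0. (no netmasks,
# hostnames or EXCEPT clauses). The daemon names and addresses are constructed.

# Does one client pattern from a rule match the connecting address?
client_matches() {
    p="$1"; a="$2"
    case "$p" in
        ALL) return 0 ;;
        *.)  case "$a" in "$p"*) return 0 ;; esac ;;
        *)   [ "$p" = "$a" ] && return 0 ;;
    esac
    return 1
}

# Print the first rule in FILE whose daemon list and client list both match;
# return 1 when no rule matches. Rules look like "daemon, daemon : client, client".
first_match() {
    file="$1"; daemon="$2"; addr="$3"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        daemons="$(printf '%s' "$line" | cut -d: -f1 | tr -d ' ')"
        clients="$(printf '%s' "$line" | cut -d: -f2 | tr -d ' ')"
        dmatch=1
        for d in $(printf '%s' "$daemons" | tr ',' ' '); do
            if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then dmatch=0; fi
        done
        [ "$dmatch" -eq 0 ] || continue
        for c in $(printf '%s' "$clients" | tr ',' ' '); do
            if client_matches "$c" "$addr"; then printf '%s\n' "$line"; return 0; fi
        done
    done < "$file"
    return 1
}

# The wrapper decision order: hosts.allow first match grants, then hosts.deny
# first match refuses, and a connection matching neither file is allowed.
tcpwrap_decide() {
    if first_match "$1" "$3" "$4" > /dev/null; then echo ALLOW
    elif first_match "$2" "$3" "$4" > /dev/null; then echo DENY
    else echo ALLOW
    fi
}

# Constructed rule set: SSH only from the office address and the VPN range,
# cPanel/WHM only from the office address, and those services denied otherwise.
ALLOW_FILE="$(mktemp)"; DENY_FILE="$(mktemp)"
cat > "$ALLOW_FILE" <<'EOF'
# hosts.allow (constructed)
sshd : 203.0.113.5, 10.0.0.
cpaneld, whostmgrd : 203.0.113.5
EOF
cat > "$DENY_FILE" <<'EOF'
# hosts.deny (constructed)
sshd, cpaneld, whostmgrd : ALL
EOF

for probe in "sshd 203.0.113.5" "sshd 10.0.0.77" "sshd 198.51.100.9" "whostmgrd 10.0.0.77" "ftpd 198.51.100.9"; do
    set -- $probe
    echo "$1 from $2 -> $(tcpwrap_decide "$ALLOW_FILE" "$DENY_FILE" "$1" "$2")"
done
```

The last probe shows the default-allow behaviour: ftpd is not named in hosts.deny, so it stays reachable from anywhere until a rule covering it is added. Always include your own management address in hosts.allow before saving a broad deny rule.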

    6. Use a Strong Firewall
    A firewall is a network security tool that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between your server and the outside world, preventing unauthorized access and blocking malicious traffic. A firewall can also help mitigate the impact of DDoS attacks by filtering out unwanted traffic before it reaches your server.

    To implement a firewall on a cPanel server, you can use third-party software such as ConfigServer Security & Firewall (CSF) or Advanced Policy Firewall (APF). These firewall solutions are designed specifically for cPanel and offer an easy-to-use interface for managing firewall rules. They support a variety of configuration options and can be customized to suit your specific needs.

    Neither CSF nor APF supports firewalld, so you may need to disable firewalld and install iptables before installing either of them. Once installed, you can configure firewall rules to limit access to specific ports and protocols, block known malicious IPs, and prevent unauthorized access to your server. You can also set up alerts to be notified when a security event occurs, such as when a blocked IP tries to access your server.

    While firewalld is a popular firewall solution for many Linux systems, csf and apf have some advantages that make them better suited for cPanel servers. Here are a few reasons why:

    Integration with cPanel: Both csf and apf are specifically designed to work with cPanel, meaning they integrate seamlessly with the control panel’s user interface and make it easier to manage firewall rules.

    User-friendly interface: Both csf and apf offer a simple, easy-to-use interface for managing firewall rules, making it easier for cPanel users with little or no experience in server administration to set up and manage their firewall.

    Advanced features: Both csf and apf offer advanced features such as connection rate limiting, port scanning detection, and real-time blocking, which can help to further improve server security.

    Community support: csf and apf have been around for many years and have active communities of users and developers, which means that they are well-supported and regularly updated with the latest security features and bug fixes.

    Overall, while firewalld is a good option for general Linux servers, csf and apf are more tailored to cPanel and offer advanced features and integration that make them better suited for cPanel servers. You should install only one of them.

    7. Enable Brute Force Protection
    Brute force attacks are a type of cyber attack in which an attacker attempts to gain access to a system by repeatedly guessing usernames and passwords until the correct combination is found. These attacks can be particularly harmful for cPanel servers, as they can potentially give attackers access to sensitive data and website files.

    To protect against brute force attacks, cPanel offers built-in brute force protection tools that can be enabled by the server administrator. These tools work by blocking IP addresses that repeatedly fail login attempts within a certain timeframe.

    To enable brute force protection in cPanel, follow these steps:

    1. Log in to WHM as the root user.
    2. Navigate to Home > Security Center > cPHulk Brute Force Protection.
    3. Click the “Enable” button to enable brute force protection.
    4. Configure the settings to suit your needs, such as the number of login attempts allowed before blocking an IP address and the duration of the block.

    It’s important to note that enabling brute force protection can sometimes result in false positives, such as when legitimate users mistype their passwords. To avoid these situations, consider adding IP addresses to a whitelist of trusted users who should not be blocked by the brute force protection tool.
    For more detailed instructions on how to enable and configure cPanel’s brute force protection tool, refer to the cPanel documentation below:
    https://docs.cpanel.net/whm/security-center/cphulk-brute-force-protection/
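The rule cPHulk applies, counting failed logins per source and blocking sources over a threshold while skipping a whitelist, is small enough to reproduce over raw log lines, which is also a handy way to see what would have been blocked with a given setting. The script below is an added example (not cPHulk's code) run over constructed sshd log lines in /var/log/secure format; the threshold, the whitelisted address and every address and timestamp are made up:

```shell
#!/bin/sh
# Added example, not cPHulk's code: the counting logic behind brute-force
# protection, run over constructed /var/log/secure-style sshd lines. Sources
# with at least MAX_FAILURES failed password attempts are reported, and
# addresses in WHITELIST are ignored, as the post recommends for trusted users.
# The threshold, the whitelist and every address and timestamp are constructed.

MAX_FAILURES="${MAX_FAILURES:-5}"
WHITELIST="${WHITELIST:-203.0.113.10}"

SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 51000 ssh2
Mar  3 10:00:02 host sshd[1202]: Failed password for root from 198.51.100.23 port 51001 ssh2
Mar  3 10:00:03 host sshd[1203]: Failed password for root from 198.51.100.23 port 51002 ssh2
Mar  3 10:00:04 host sshd[1204]: Failed password for invalid user test from 198.51.100.23 port 51003 ssh2
Mar  3 10:00:05 host sshd[1205]: Failed password for root from 198.51.100.23 port 51004 ssh2
Mar  3 10:00:06 host sshd[1206]: Failed password for root from 198.51.100.23 port 51005 ssh2
Mar  3 10:01:10 host sshd[1210]: Failed password for alice from 192.0.2.44 port 40000 ssh2
Mar  3 10:01:15 host sshd[1211]: Accepted password for alice from 192.0.2.44 port 40000 ssh2
Mar  3 10:01:20 host sshd[1212]: Failed password for bob from 192.0.2.44 port 40001 ssh2
Mar  3 10:02:00 host sshd[1220]: Failed password for root from 203.0.113.10 port 39000 ssh2
Mar  3 10:02:01 host sshd[1221]: Failed password for root from 203.0.113.10 port 39001 ssh2
Mar  3 10:02:02 host sshd[1222]: Failed password for root from 203.0.113.10 port 39002 ssh2
Mar  3 10:02:03 host sshd[1223]: Failed password for root from 203.0.113.10 port 39003 ssh2
Mar  3 10:02:04 host sshd[1224]: Failed password for root from 203.0.113.10 port 39004 ssh2
Mar  3 10:02:05 host sshd[1225]: Failed password for root from 203.0.113.10 port 39005 ssh2
Mar  3 10:03:00 host sshd[1230]: Accepted publickey for deploy from 192.0.2.44 port 40010 ssh2
EOF

# "IP count" per source, whitelisted sources skipped, sorted by address.
failures_per_ip() {
    awk -v wl="$WHITELIST" '
        BEGIN { n = split(wl, w, " "); for (i = 1; i <= n; i++) white[w[i]] = 1 }
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (!(ip in white)) count[ip]++
        }
        END { for (ip in count) print ip, count[ip] }' "$1" | sort
}

# Sources at or above the threshold: the ones a brute-force blocker would act on.
offenders() {
    failures_per_ip "$1" | awk -v max="$MAX_FAILURES" '$2 >= max { print $1 }'
}

echo "failed attempts per source:"
failures_per_ip "$SAMPLE_LOG"
echo "sources over threshold ($MAX_FAILURES):"
offenders "$SAMPLE_LOG"
```

The sample shows both failure modes the post mentions: the whitelisted office address racks up six failures without being reported, and a user who mistyped twice stays under the threshold, while the scanning source is flagged. Lowering MAX_FAILURES to 2 would report the legitimate user as well, which is exactly the false positive the whitelist exists for.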

    8. Regularly Back Up Website and cPanel Data
    Regularly backing up website and cPanel data is crucial to ensuring the availability and integrity of your data. A backup is essentially a copy of your data that you can restore in case of data loss, corruption, or other unexpected events. Without a backup, you risk losing your data permanently, which can have serious consequences for your business or personal website.

    Creating an effective backup strategy involves several key considerations. Here are some tips:

    1. Choose a backup solution: cPanel comes with its own built-in backup solution that allows you to create full or partial backups of your cPanel account, including your website files, databases, email accounts, and settings. It’s essential to use a reliable backup solution that can handle your data size and is compatible with your hosting environment.

    2. Determine backup frequency: The backup frequency depends on the frequency of changes to your website and data. For example, if you make frequent changes to your website or store sensitive data, you may need to back up your data daily or weekly. You may also consider backing up before making significant changes to your website or software.

    3. Store backups in multiple locations: Storing backups in multiple locations is essential to ensure that you can restore your data in case of a disaster or outage. You can store backups locally on your server, but it’s also recommended to store backups remotely, such as in cloud storage or an offsite location.

    4. Automate backups: Manually creating backups can be time-consuming and error-prone, which is why it’s recommended to automate backups. You can use cPanel’s built-in backup solution to schedule backups automatically or use third-party backup solutions like JetBackup to create automated backups.

    For advanced backup options, you may consider using JetBackup, which offers features like incremental backups, remote backups, and backup retention policies. JetBackup is an excellent option for those who require more customization and configuration options than what is available with cPanel’s built-in backup system. Their FAQ is a useful resource for anyone looking to learn more about JetBackup’s features and capabilities.
    https://docs.jetbackup.com/manual/whm/FAQ/FAQ.html

    By implementing an effective backup strategy, you can ensure the availability and integrity of your data, and quickly restore your website and cPanel account in case of a disaster or data loss event.

    9. Secure Apache
    Securing Apache on cPanel is an essential step in protecting your website and data. Here are some ways to do it:

    Use ModSecurity: ModSecurity is an open-source web application firewall that can help protect your website from a wide range of attacks. It can also help block malicious traffic before it reaches your application. WHM’s ModSecurity® Vendors interface allows you to install the OWASP Core Rule Set (CRS), a set of rules designed to protect against common web application attacks.

    Use suEXEC module: suEXEC is a module that allows scripts to be executed under their own user ID instead of the default Apache user. This provides an additional layer of security by limiting the impact of a compromised script to the user’s home directory instead of the entire server.

    Implement symlink race condition protection: Symlink race condition vulnerabilities can allow attackers to gain access to files that they should not have access to. Implementing symlink race condition protection helps prevent these vulnerabilities by denying access to files and directories that have weak permissions.

    Implementing these measures can help secure Apache on cPanel and protect your website and data from potential security breaches.

    10. Disable unused services and daemons
    Disabling unused services and daemons is an important step in ensuring the security of your cPanel server. Any service or daemon that allows connections to your server may also allow hackers to gain access, so disabling them can greatly reduce the risk of a security breach.
    To disable unused services and daemons in cPanel, you can use the Service Manager interface in WHM. This interface allows you to view a list of all the services and daemons running on your server and disable the ones that you do not need.

    To access the Service Manager interface, log in to WHM and navigate to Home » Service Configuration » Service Manager. Here, you will see a list of all the services and daemons running on your server, along with their status (either Enabled or Disabled).

    To disable a service or daemon, simply click the Disable button next to its name. You can also use the checkboxes at the top of the page to select multiple services or daemons and disable them all at once.

    11. Monitor your system
    It is important to regularly monitor your server and review logs to ensure that everything is functioning as expected and to quickly identify any potential security threats. You can set up alerts and notifications to stay informed about any issues that arise.

    To effectively monitor your system, you can use various tools and software solutions. Some popular ones include:

    Tripwire: This tool monitors checksums of files and reports changes. It can be used to detect unauthorized changes to critical system files.
    Chkrootkit: This tool scans for common vulnerabilities and rootkits that can be used to gain unauthorized access to your system.
    Rkhunter: Similar to Chkrootkit, this tool scans for common vulnerabilities and rootkits, and can help detect potential security threats.
    Logwatch: This tool monitors and reports on daily system activity, including any unusual or suspicious events that may require further investigation.
    ConfigServer eXploit Scanner: This tool scans your system for potential vulnerabilities and provides detailed reports on any security issues found.
    ImunifyAV: This is a popular antivirus solution for cPanel servers, which can scan your system for malware and other security threats.
    Linux Malware Detect: This is another popular malware scanner for Linux servers, which can detect and remove malicious files.
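Tripwire's core idea, a checksum baseline compared against the current state, fits in a few lines of shell. The script below is an added example (not Tripwire's code and not from the post) that takes a baseline of a constructed temporary tree, alters it, and reports added, changed and removed files; the paths and file contents are made up for the demonstration:

```shell
#!/bin/sh
# Added example, not Tripwire's code and not from the post: the baseline-and-
# compare mechanism behind file-integrity monitors such as Tripwire, in plain
# shell, demonstrated on a constructed temporary tree rather than real system
# files. The sample paths and contents are made up for this example.

# Record the sha256 of every regular file under DIR into OUT, sorted by path.
baseline_create() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2) > "$2"
}

# Compare DIR against the baseline in BASE and print ADDED / CHANGED / REMOVED
# lines, one per path, sorted. Prints nothing when the tree is unchanged.
baseline_compare() {
    current="$(mktemp)"
    baseline_create "$1" "$current"
    awk -v base="$2" '
        FILENAME == base { old[$2] = $1; next }         # baseline: path -> hash
        {
            if (!($2 in old)) print "ADDED " $2         # current tree only
            else {
                if (old[$2] != $1) print "CHANGED " $2  # hash differs
                delete old[$2]
            }
        }
        END { for (p in old) print "REMOVED " p }       # left over: gone now
    ' "$2" "$current" | sort
    rm -f "$current"
}

# Build a small constructed tree, take the baseline, then alter it the way an
# intrusion would (a weakened config, a deleted file, a new unexpected file).
DEMO="$(mktemp -d)"
mkdir -p "$DEMO/etc"
printf 'PermitRootLogin no\n' > "$DEMO/etc/sshd_config"
printf 'root:x:0:0::/root:/bin/bash\n' > "$DEMO/etc/passwd"
BASE="$(mktemp)"
baseline_create "$DEMO" "$BASE"

printf 'PermitRootLogin yes\n' > "$DEMO/etc/sshd_config"
rm -f "$DEMO/etc/passwd"
printf '#!/bin/sh\n' > "$DEMO/etc/unexpected.sh"

echo "changes since baseline:"
baseline_compare "$DEMO" "$BASE"
```

The part a toy cannot show is what makes a real monitor trustworthy: the baseline file must be stored where an intruder on the box cannot rewrite it (off-host or on read-only media), and it has to be refreshed deliberately after every legitimate update, otherwise every package upgrade shows up as a CHANGED flood and the alerts stop being read.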

    12. Use SSL Certificates whenever possible
    SSL certificates are digital certificates that provide secure communication between a website and its visitors by encrypting the data transmitted between them. They help protect against eavesdropping and data theft by making sure that the data being exchanged is not intercepted and read by any third party.

    To obtain and install an SSL certificate in cPanel, you can either purchase one from a trusted certificate authority or use a free SSL provider. To install a certificate, you’ll need to generate a certificate signing request (CSR) and then use it to obtain the SSL certificate. Once you have the certificate, you can install it through cPanel’s SSL/TLS Manager interface.

    One way to obtain a free SSL certificate is through cPanel’s AutoSSL feature, which can automatically provision and renew SSL certificates for domains hosted on the server. Let’s Encrypt and Sectigo are two SSL providers that are supported by AutoSSL.

    Enforcing and using SSL for cPanel services, like webmail and cPanel itself, is also important for security. You can require SSL for cPanel services by enabling the “Force HTTPS Redirect” option in cPanel’s “SSL/TLS” interface. Additionally, you can use the “Require SSL” option to require SSL connections for specific cPanel services, like webmail or FTP.

    Summary
    Securing your cPanel server is crucial to protect your website and data from cyber attacks. In this blog post, we discussed some best practices for cPanel security in 2023, including:

    1. Updating cPanel and its components regularly to ensure the latest security patches.
    2. Creating strong passwords and enabling two-factor authentication.
    3. Limiting access to cPanel to only those who need it and using WHM’s Host Access Control interface to restrict access.
    4. Implementing a firewall like csf or apf to protect against cyber attacks.
    5. Enabling brute force protection and regularly backing up website and cPanel data.
    6. Securing Apache with ModSecurity and the suEXEC module, and disabling unused services and daemons.
    7. Monitoring your system with tools like Tripwire, chkrootkit, Rkhunter, Logwatch, ConfigServer eXploit Scanner, ImunifyAV, and Linux Malware Detect.
    8. Using SSL certificates to encrypt data in transit, and enforcing SSL for cPanel services using the “Require SSL” feature.

    By following these best practices, you can significantly improve the security of your cPanel server and protect your website and data from cyber threats. Remember, security is an ongoing process, so it’s essential to stay vigilant and regularly monitor your system for any vulnerabilities or suspicious activity.

    How to remove or compress huge MySQL general and query log table


    If you have enabled MySQL general or slow query logging, the logs can grow quite large, depending on your MySQL usage and queries, so you may have to clear them periodically to save space.

    Please note that MySQL can write these logs either to tables or to files. This document assumes you are using a table as the log output.

    Files: slow_log.CSV and general_log.CSV (the location and the name of the file can differ)

    By default, logging is to a CSV file.

    MySQL supports clearing these logs at run time, so there is no need to restart the MySQL service.
    Never delete the CSV file directly. It can crash MySQL.

    Slow query log

    First, in the MySQL client, disable slow query logging and swap in a fresh table:

    USE mysql;
    SET GLOBAL slow_query_log = 'OFF';
    DROP TABLE IF EXISTS slow_log2;
    CREATE TABLE slow_log2 LIKE slow_log;
    RENAME TABLE slow_log TO slow_log_backup, slow_log2 TO slow_log;

    Then, from the shell, compress the backup table’s data file (the path is your MySQL data directory, which may differ on your server):

    gzip /var/db/mysql/mysql/slow_log_backup.CSV

    Finally, back in the MySQL client, drop the backup table and turn slow query logging on again:

    DROP TABLE slow_log_backup;
    SET GLOBAL slow_query_log = 'ON';

    General log

    The same sequence for the general log. In the MySQL client:

    USE mysql;
    SET GLOBAL general_log = 'OFF';
    DROP TABLE IF EXISTS general_log2;
    CREATE TABLE general_log2 LIKE general_log;
    RENAME TABLE general_log TO general_log_backup, general_log2 TO general_log;

    From the shell:

    gzip /var/db/mysql/mysql/general_log_backup.CSV

    Back in the MySQL client, drop the backup table and, if you want the general log to continue, turn it on again:

    DROP TABLE general_log_backup;
    SET GLOBAL general_log = 'ON';

    What we did: create a new log table, rename the current one to a backup, compress the backup’s data file, and then remove the backup table.

    How To Install PHP 7 On A cPanel/WHM Server With EasyApache 3


    The latest versions of cPanel ship with EasyApache 4, which provides many new features such as native support for multiple PHP versions, PHP 7 support and better speed, so migrating to EasyApache 4 is recommended. However, if you cannot migrate to EasyApache 4 for some reason (for example, Tomcat support), you will have to compile PHP 7 manually from source.

    To migrate to EasyApache 4, just run the command below. cPanel will try to build a matching PHP setup using EasyApache 4.

    /scripts/migrate_ea3_to_ea4 --run

    If anything goes wrong during the upgrade process, you can always go back with /scripts/migrate_ea3_to_ea4 --revert --run

    Manually install PHP 7

    Following steps are tested with cPanel 11.64.0.36 and CentOS 6.9 64 bit. The PHP handler should be suphp to get this working.

    cd /usr/local/src/
    wget http://php.net/distributions/php-7.0.22.tar.gz #Go to php.net site to find the latest version
    tar xvf php-7.0.22.tar.gz
    

    Build it.

     ./configure  --enable-bcmath --enable-calendar --enable-exif --enable-ftp --enable-gd-native-ttf --enable-libxml --enable-mbstring --enable-pdo=shared --enable-sockets --enable-zip --prefix=/usr/local/php70  --with-curl=/opt/curlssl/ --with-freetype-dir=/usr --with-gd --with-gettext --with-imap=/opt/php_with_imap_client/ --with-imap-ssl=/usr --with-jpeg-dir=/usr --with-kerberos --with-libdir=lib64 --with-libxml-dir=/opt/xml2/ --with-mcrypt=/opt/libmcrypt/ --with-mysqli --with-openssl=/usr --with-openssl-dir=/usr --with-pcre-regex=/opt/pcre --with-pdo-mysql=shared --with-pdo-sqlite=shared --with-pic --with-png-dir=/usr --with-xpm-dir=/usr --with-zlib --with-zlib-dir=/usr
    

    You may add any additional parameters required. You can run ./configure --help to see all available options first.
    Important: Do not forget to set the "--prefix=/usr/local/php70". Otherwise, your existing PHP installation will be lost.

     make
     make install
    

    If everything is successful, the PHP binaries will be installed in "/usr/local/php70/bin/" directory.

    Copy the default php.ini:

     cp -pr /usr/local/src/php-7.0.22/php.ini-production /usr/local/php70/lib/php.ini
    

    Add pdo, opcache and other modules to the php.ini file.

     echo "extension=pdo.so" >> /usr/local/php70/lib/php.ini
     echo "extension=pdo_mysql.so" >> /usr/local/php70/lib/php.ini
     echo "zend_extension=opcache.so" >> /usr/local/php70/lib/php.ini
    

    Verify the installation

    /usr/local/php70/bin/php -v
    PHP 7.0.22 (cli) (built: Aug 5 2017 01:56:23) ( NTS )
    Copyright (c) 1997-2017 The PHP Group
    Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.0.22, Copyright (c) 1999-2017, by Zend Technologies

    Now link the new PHP 7 installation with the Apache web server.

    Generate the PHP config:

    cat >  /usr/local/apache/conf/php70.conf << EOF
    AddType application/x-httpd-php7 .php7 .php
    
        suPHP_AddHandler application/x-httpd-php7
    
    EOF
    

    Add new handler to suphp

    Edit /opt/suphp/etc/suphp.conf and add the line below at the end of the handlers list to enable the PHP 7 handler.

    ;Handler for php-scripts
    #... existing handlers are here ... put yours below them
    application/x-httpd-php7="php:/usr/local/php70/bin/php-cgi"

    Now add our custom PHP config file to the EasyApache include list so that the changes will not be lost in future EasyApache builds.

    There are two options here. You can either go into WHM and edit the post_virtualhost_global.conf file from there or you just run: vi /usr/local/apache/conf/includes/post_virtualhost_global.conf. Add the line below in that file and you should be all done.

    Include /usr/local/apache/conf/php70.conf

    Now restart Apache

    service httpd restart

    Configure a website to use the new PHP 7
    Add the following line to the site’s .htaccess file (/home/username/public_html/.htaccess):

    AddType application/x-httpd-php7 .php7 .php

    Disable/suspend email service for one domain – cPanel


    From version 56, cPanel provides API support to disable email service for a domain or for email accounts. Please note that this restriction cannot be overridden by the user from their cPanel. This can be very helpful if there is spamming activity and you just want to disable the email service for the domain for the time being.

    You can run the below commands through SSH console

    To suspend outgoing email for the cPanel user “aacenyor”:

    whmapi1 suspend_outgoing_email user=aacenyor
    

    For unsuspending the account, please run the below command:

    whmapi1 unsuspend_outgoing_email user=aacenyor
    

    If you are not comfortable with SSH, you can also call these functions through the XML API in a browser.

    Example:

    To suspend
    https://hostname.example.com:2087/cpsess##########/xml-api/suspend_outgoing_email?api.version=1&user=aacenyor

    where you replace hostname.example.com with your hostname
    and cpsess########## with your WHM session ID.

    To unsuspend
    https://hostname.example.com:2087/cpsess##########/xml-api/unsuspend_outgoing_email?api.version=1&user=aacenyor

    For older cPanel versions, refer to the cPanel forum thread below, which describes a workaround:

    https://forums.cpanel.net/threads/how-do-i-block-one-domain-from-sending-email-from-my-server.223731/#post920912

    FTP connectivity problem:: No route to host


    If you get the following error during an FTP directory listing, follow the solution below:

    ----------
    ftp> ls
    227 Entering Passive Mode (108,61,169,245,167,161).
    ftp: connect: No route to host
    ----------

    Solution

    Edit /etc/sysconfig/iptables-config and add this line:

    IPTABLES_MODULES="ip_conntrack_ftp"

    Save it and restart iptables.
    This is needed because passive mode uses non-standard ports for the data connection, so the firewall has to track the FTP control connections; with the connection-tracking helper loaded, iptables will allow the related data connections when necessary.

    However, you will need to do this every time you reboot your RedHat server. As a more permanent solution, you can load this module persistently after each reboot by creating an executable shell script in the /etc/sysconfig/modules/ directory. Create the file /etc/sysconfig/modules/iptables.modules with the following content:

    #!/bin/sh
    exec /sbin/modprobe ip_conntrack_ftp >/dev/null 2>&1

    Once you save this file you also need to make it executable:
    # chmod +x /etc/sysconfig/modules/iptables.modules

    Another solution is to specify the passive port range in the FTP server configuration, then open only those specific ports on the firewall.

    CSR generation for UCC certificates

    Unified Communications (UC) Certificates (also called SAN Certificates) use Subject Alternative Names to secure multiple sites (e.g. fully qualified domain names) with one certificate. Four SANs are included in the base price of the UC Certificate, but you can purchase additional names at any time during the lifetime of the certificate.

    With a UC Certificate, you can secure:

    www.linuxwebhostingsupport.in
    www.example2.com
    www.example3.net
    mail.example.net
    dev.example2.com

    The CSR generation process is a little different for a UCC certificate. We have to create an OpenSSL configuration file first and then generate the private key and CSR from it.

    Step 1: Create a custom OpenSSL Conf file.

    The following is an example conf file that can be used to create a SAN/UCC cert. Save it as multissl.conf.

    -----------
    [ req ]
    default_bits = 2048
    default_keyfile = privkey.pem
    distinguished_name = req_distinguished_name
    req_extensions = req_ext # The extensions to add to the certificate request

    [ req_distinguished_name ]
    countryName = Country Name (2 letter code)
    countryName_default = US
    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = Iowa
    localityName = Locality Name (eg, city)
    localityName_default = Iowa City
    organizationName = Organization Name (eg, company)
    organizationName_default = The University of Iowa
    organizationalUnitName = Organizational Unit Name (eg, section)
    organizationalUnitName_default = Domain Control Validated
    commonName = Common Name (eg, YOUR SSL domain name)
    commonName_max = 64

    [ req_ext ]
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = www.linuxwebhostingsupport.in
    DNS.2 = www.example1.com
    DNS.3 = example2.com
    -----------

    Notes:

    The alt_names section (DNS.1, DNS.2, ...) lists all the domain names you wish to secure with this cert. More can be added as DNS.4, DNS.5, and so on.
    The following examples assume that you named the above config file multissl.conf (if it is named differently, you must adjust the filename in the examples below accordingly).

    Step 2: Generate the Private key and CSR with OpenSSL

    Execute the following OpenSSL command

    $ openssl req -nodes -newkey rsa:2048 -keyout serverfqdn.key -out multidomain.csr -config multissl.conf

    * Replace “serverfqdn” with the fully qualified domain name of the server (e.g. sample.server.uiowa.edu). Note: it may also be helpful to add the year to the filename.

    You will then see output and be prompted for configuration as seen in the following example. Enter your details accordingly.

    ------------------------------------------
    $ openssl req -nodes -newkey rsa:2048 -keyout serverfqdn.key -out multidomain.csr -config multissl.conf
    Generating a 2048 bit RSA private key
    ............................................+++
    ...................................................................+++
    writing new private key to 'serverfqdn.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:US
    State or Province Name (full name) [Iowa]:Iowa
    Locality Name (eg, city) [Iowa City]:Iowa City
    Organization Name (eg, company) [The University of Iowa]:My Company name
    Organizational Unit Name (eg, section) [Domain Control Validated]:IT SUPPORT
    Common Name (eg, YOUR SSL domain name) []:www.linuxwebhostingsupport.in
    ------------------------------------------

    Note: Replace www.linuxwebhostingsupport.in with the “primary” domain name you want secured with this certificate (likely, but not necessarily the hostname of the machine).

    At this point you should have the new key file and the CSR. Save the key file in a secure place; it will be needed to install the new certificate. The CSR can now be submitted to request the SSL cert.
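    As an added example (not from the original post), the whole procedure scripted: it writes a multissl.conf like the one above, runs the same openssl req command, and reads the SANs back out of the resulting CSR so you can confirm every name made it in. It assumes the openssl CLI is installed, uses prompt = no with the DN values from the transcript above so it runs unattended, and the names are the constructed ones from the example config.

```bash
#!/bin/bash
# Added example, not part of the original post: build the multissl.conf
# shown above from a list of SANs, generate the key and CSR with the same
# openssl req command, and read the SANs back out of the CSR to verify them.
# Difference from the interactive config above: "prompt = no" makes the run
# unattended, so the DN fields are given directly. Assumes the openssl CLI.
set -e

# write_san_conf CONF_FILE CN SAN... -> OpenSSL req config whose [alt_names]
# section lists every SAN as DNS.1, DNS.2, ...
write_san_conf() {
    conf="$1"; cn="$2"; shift 2
    {
        printf '[ req ]\ndefault_bits = 2048\nprompt = no\n'
        printf 'distinguished_name = req_distinguished_name\nreq_extensions = req_ext\n\n'
        printf '[ req_distinguished_name ]\nC = US\nST = Iowa\nL = Iowa City\n'
        printf 'O = My Company name\nOU = IT SUPPORT\nCN = %s\n\n' "$cn"
        printf '[ req_ext ]\nsubjectAltName = @alt_names\n\n[alt_names]\n'
        i=1
        for san in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$san"
            i=$((i + 1))
        done
    } > "$conf"
}

# make_csr CONF_FILE KEY_FILE CSR_FILE -> unencrypted 2048-bit RSA key plus CSR
make_csr() {
    openssl req -nodes -newkey rsa:2048 -keyout "$2" -out "$3" -config "$1" 2>/dev/null
    chmod 0400 "$2"    # the private key must stay readable by its owner only
}

# csr_sans CSR_FILE -> the DNS names in the CSR's subjectAltName, one per line
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Demo with the constructed names from the example config above.
work=$(mktemp -d)
write_san_conf "$work/multissl.conf" www.linuxwebhostingsupport.in \
    www.linuxwebhostingsupport.in www.example1.com example2.com
if command -v openssl >/dev/null 2>&1; then
    make_csr "$work/multissl.conf" "$work/serverfqdn.key" "$work/multidomain.csr"
    echo "SANs present in the CSR:"
    csr_sans "$work/multidomain.csr"
fi
```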

    Strong TLS/SSL Security on your server


    This is a simple guide for setting up a strong TLS/SSL configuration on your server.

    If you configure a web server’s TLS configuration, you primarily have to take care of three things:

    1. disable SSL 2.0 (FUBAR) and SSL 3.0 (POODLE),
    2. disable TLS 1.0 compression (CRIME),
    3. disable weak ciphers (DES, RC4), and prefer modern ciphers (AES), modes (GCM), and protocols (TLS 1.2).

    Your Server’s Certificate

    Let’s start with your digital certificate, which is at the core of HTTPS. The certificate enables clients to verify the identity of servers, through a chain of trust from your server’s certificate through intermediate certificates and up to a root certificate trusted by users’ browsers. Your server certificate’s key should be 2048 bits in length. Using a 4096-bit key is more secure, but it requires more computation time and is therefore slower than a 2048-bit key.

    Basic HTTPS Setup

    Here are basic SSL configurations, first for Apache:

    <VirtualHost *:443>
    ...
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/your_cert
    SSLCertificateChainFile /etc/ssl/certs/chained_certs
    SSLCertificateKeyFile /etc/ssl/certs/your_private_key
    </VirtualHost>

    And then for Nginx:

    server {
    ...
    ssl on;
    ssl_certificate /etc/ssl/certs/your_cert_with_chain;
    ssl_certificate_key /etc/ssl/certs/your_private_key;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 10m;
    }
    

    In Nginx, the ssl_certificate parameter is confusing. It expects your certificate plus any necessary intermediate certificates, concatenated together.

    Make sure all of these files are at least mode 0444, except your private key, which should be 0400.

    Software versions

    On the server side you should update your OpenSSL to 1.0.1c+ so you can support TLS 1.2, GCM, and ECDHE as soon as possible. Fortunately that’s already the case in Ubuntu 12.04 and later.

    On the client side, the browser vendors are starting to catch up. As of now, Chrome 30, Internet Explorer 11 on Windows 8, Safari 7 on OS X 10.9, and Firefox 26 all support TLS 1.2.

    Cipher Suite Configuration

    The recommended cipher suites for Apache are as follows:

    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLHonorCipherOrder on
    

    The recommended cipher suite for backwards compatibility (IE6/WinXP):

    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
    SSLHonorCipherOrder on
    

     

    And here’s the same configuration for Nginx:

    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    

    The recommended cipher suite for backwards compatibility (IE6/WinXP):

    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    

    If your version of OpenSSL is old, unavailable ciphers will be discarded automatically. Always use the full ciphersuite above and let OpenSSL pick the ones it supports.

    The ordering of a ciphersuite is very important because it decides which algorithms are selected in priority. The recommendation above prioritizes algorithms that provide perfect forward secrecy.

    Prioritization logic

    ECDHE+AESGCM ciphers are selected first. These are TLS 1.2 ciphers and not widely supported at the moment. No known attack currently targets these ciphers.
    PFS ciphersuites are preferred, with ECDHE first, then DHE.
    AES 128 is preferred to AES 256. At the moment, AES128 is preferred because it provides good security, is really fast, and seems to be more resistant to timing attacks.
    In the backward-compatible ciphersuite, AES is preferred to 3DES. BEAST attacks on AES are mitigated in TLS 1.1 and above, and difficult to achieve in TLS 1.0. In the non-backward-compatible ciphersuite, 3DES is not present.
    RC4 is removed entirely. 3DES is kept only for backward compatibility.

    Protocol Support: SSL or no SSL

    To prevent downgrade attacks and the POODLE attack, we will also disable the old SSL protocols.

    For Apache:

    SSLProtocol all -SSLv2 -SSLv3
    

    For Nginx:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    

    This disables all versions of SSL, enabling only TLS 1.0 and up. All versions of Chrome and Firefox support at least TLS 1.0.
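    As an added check (not from the original post), a small shell audit that reads an Apache or Nginx TLS snippet and reports against the three rules this guide sets out: SSLv2/SSLv3 off, no RC4/DES/MD5-class ciphers enabled, and server-side cipher ordering honoured. It works on the configuration text only (it does not expand cipher specs the way openssl ciphers does), and both sample snippets are constructed.

```bash
#!/bin/bash
# Added example, not part of the original post: audit an Apache or Nginx TLS
# snippet against the three rules above (SSLv2/SSLv3 disabled, no RC4/DES/MD5
# class ciphers, server cipher order honoured). Pure text checks, runs offline.
set -e

# directive_value FILE NAME... -> value of the first matching directive
# (case-insensitive), quotes and Nginx ';' stripped; empty when unset.
directive_value() {
    file="$1"; shift
    names=$(printf '%s|' "$@" | tr 'A-Z' 'a-z')
    awk -v names="$names" 'NF && $1 !~ /^#/ && index(names, tolower($1) "|") {
        $1 = ""; sub(/^ /, ""); print; exit }' "$file" | tr -d "'\";"
}

# allows_proto VALUE PROTO -> true when PROTO would be enabled: listed
# explicitly, implied by Apache's "all", or left unset (server default).
allows_proto() {
    case "$1" in
        *-"$2"*)            return 1 ;;   # explicitly disabled, e.g. "all -SSLv3"
        *"$2"*|*[Aa]ll*|"") return 0 ;;
        *)                  return 1 ;;   # explicit TLS-only list
    esac
}

# weak_ciphers SPEC -> enabled tokens naming RC4, MD5, NULL, EXPORT or single
# DES. '!' tokens are exclusions; 3DES (CBC3) is kept by the compat list above.
weak_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' \
        | grep -E 'RC4|MD5|NULL|EXPORT|(^|-)DES(-|$)' | grep -v 'CBC3' | grep -v '^!' || true
}

# audit_tls FILE -> PASS/FAIL per rule; returns the number of failed rules.
audit_tls() {
    fails=0
    proto=$(directive_value "$1" SSLProtocol ssl_protocols)
    spec=$(directive_value "$1" SSLCipherSuite ssl_ciphers)
    order=$(directive_value "$1" SSLHonorCipherOrder ssl_prefer_server_ciphers | tr 'A-Z' 'a-z')
    if allows_proto "$proto" SSLv3 || allows_proto "$proto" SSLv2; then
        echo "FAIL protocols: SSLv2/SSLv3 still enabled (${proto:-default})"; fails=$((fails + 1))
    else echo "PASS protocols: $proto"; fi
    weak=$(weak_ciphers "$spec")
    if [ -n "$weak" ]; then
        echo "FAIL ciphers: weak suites enabled: $(echo $weak | tr ' ' ',')"; fails=$((fails + 1))
    else echo "PASS ciphers: no RC4/DES/MD5/NULL/EXPORT suites enabled"; fi
    if [ "$order" = "on" ]; then echo "PASS order: server cipher preference honoured"
    else echo "FAIL order: set SSLHonorCipherOrder / ssl_prefer_server_ciphers on"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed samples: a legacy Apache vhost and the recommended Nginx settings.
weak_conf=$(mktemp); good_conf=$(mktemp)
printf 'SSLEngine on\nSSLProtocol all -SSLv2\nSSLCipherSuite RC4-SHA:AES128-SHA:!aNULL\n' > "$weak_conf"
cat > "$good_conf" <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
EOF
audit_tls "$weak_conf" || echo "legacy snippet: $? rule(s) failed"
audit_tls "$good_conf"
```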

    How to Disable SSLv3 for Apache,Nginx, Litespeed, cPanel

    The POODLE bug is a new bug discovered by Google in the SSLv3 protocol. The fix is easy, disable support for SSLv3.

    See the Google security blog for more info on the bug: http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html.

    Fix POODLE

    To fix the bug, disable SSLv3 and use a secure cipherlist. SSL v2 is also insecure, so we need to disable it too.

    So edit the Apache config file and add following

    SSLProtocol All -SSLv2 -SSLv3

    All is a shortcut for +SSLv2 +SSLv3 +TLSv1 or, when using OpenSSL 1.0.1 and later, +SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2. The above line therefore enables everything except SSLv2 and SSLv3.

    And then restart the Apache service

    service httpd restart

    cPanel/WHM

    If you have a cPanel server, you should not edit the Apache configuration directly; instead, do this from WHM.

    1. Visit your server’s WHM Panel ( https://<yourserversip>:2087 )
    2. Navigate to the Apache Configuration Panel of WHM.
    3. Scroll down to the ‘Include Editor’ Section of the Apache Configuration.
    4. Click ‘Pre Main Include’, which will jump to the corresponding section. Via the drop-down selector, choose ‘All Versions’.
    5. An empty dialogue box will appear allowing you to input the needed configuration updates. In this box, copy and paste the following:

    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On

    For Nginx

    If you’re running an NGINX web server that currently uses SSLv3, you need to edit the NGINX configuration (nginx.conf) and add the following line to your server directive:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    Then restart the nginx service

    service nginx restart

    For LiteSpeed:

    Update to LiteSpeed version 4.2.18.

    For more information about Litespeed & POODLE: http://www.litespeedtech.com/support/forum/threads/lsws-4-2-18-released-%E2%80%94-addresses-poodle-sslv3-vulnerability.9948/

    Note about Mail Servers:

    The POODLE attack requires the client to retry connecting several times in order to downgrade to SSLv3, and typically only browsers will do this. Mail Clients are not as susceptible to POODLE. However, users who want better security should switch to Dovecot until we upgrade Courier to a newer version.

    For cpsrvd:

    1. Go to WHM => Service Configuration => cPanel Web Services Configuration
    2. Make sure that the “TLS/SSL Protocols” field contains “SSLv23:!SSLv2:!SSLv3”.
    3. Select the “Save” button at the bottom.

    For cpdavd:

    1. Go to WHM => Service Configuration => cPanel Web Disk Configuration
    2. Make sure that the “TLS/SSL Protocols” field contains “SSLv23:!SSLv2:!SSLv3”.
    3. Select the “Save” button at the bottom.

    For Dovecot:

    1. Go to WHM => Service Configuration => Mailserver Configuration.
    2. SSL Protocols should contain “!SSLv2 !SSLv3”. If it does not, replace the text in this field.
    3. Go to the bottom of the page, and select the Save button to restart the service.

    For Courier:

    Courier has released a new version to mitigate this as of 10/22; until we have had an opportunity to review, test, and publish the new version of Courier, please switch to Dovecot for enhanced security.

    For Exim:

    1. Go to Home » Service Configuration » Exim Configuration Manager
    2. Under Advanced Editor, look for ‘openssl_options’.
    3. Make sure the field contains “+no_sslv2 +no_sslv3”.
    4. Go to the bottom of the page, and select the Save button to restart the service.

    For Lighttpd:

    Lighttpd releases before 1.4.28 allow you to disable SSLv2 only.

    If you are running at least 1.4.29, put the following lines in your configuration file:

    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    
    

    How to verify that SSLv3 (POODLE) is disabled

    You can use a website like http://poodlebleed.com/ for a web-based check.

    Manual check

    To make sure services on your server are not accepting SSLv3 connections, you can run the openssl client on your server against the SSL ports. This command is run as follows:

    openssl s_client -connect linuxwebhostingsupport.in:443 -ssl3

    If it fails (which is what you want), you should see something like this at the top of the output:

    3078821612:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
    3078821612:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

    Shellshock How to check if you are vulnerable

    A new vulnerability has been found that potentially affects most versions of the Linux and Unix operating systems, in addition to Mac OS X. Known as the “Bash Bug” or “ShellShock,” the GNU Bash Remote Code Execution Vulnerability could allow an attacker to gain control over a targeted computer if exploited successfully. And because Bash is everywhere on Linux and Unix-like machines and interacts with all parts of the operating system, everyone anticipates that it will have a lot of repercussions.

    How does Shellshock work?

    Shellshock exploits a flaw in how Bash parses environment variables; Bash allows functions to be stored in environment variables, but the issue is Bash will execute any code placed after the function in the environment variable value.

    For example, an environment variable set to VAR=() { ignored; }; /bin/id will execute /bin/id when the environment is imported into the bash process.

    Am I vulnerable?

    You can check if you’re vulnerable by running the following lines in your default shell.

    env X="() { :;} ; echo vulnerable" `which bash` -c "echo Check completed"

    If you see the word “vulnerable” echoed back, then you’re at risk.

    How Shellshock is Impacting the Web

    The most likely route of attack is through web servers utilizing CGI (Common Gateway Interface), the widely used system for generating dynamic web content. An attacker can potentially use CGI to send a malformed environment variable to a vulnerable web server. The attacker is able to inject environment variables into all bash processes spawned by a web server under the CGI specification. This will occur directly if the CGI script is programmed in bash, or indirectly through system calls inside other types of CGI scripts, since the environment propagates to the sub-shell. The vulnerability is triggered automatically when the shell process is instantiated. Furthermore, if specific headers are used as attack points, the payload may not appear in the web server logs, letting a compromise occur with virtually no trace of the intrusion.

    Example:

    CGI stores the HTTP headers in environment variables. Let’s say example.com is running a CGI application written in Bash.

    We can modify the HTTP headers such that they exploit the Shellshock vulnerability on the target server and execute our code.

    curl -k http://example.com/cgi-bin/test -H "User-Agent: () { :;}; echo Hacked > /tmp/Hacked.txt"

    Here, curl sends a request to the target website with the User-Agent header containing the exploit code. This code will create a file “Hacked.txt” in the “/tmp” directory of the server.
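    As an added example (not from the original post), the defender-side counterpart: scanning a combined-format access log for the "() {" prefix in the quoted header fields that CGI exports into the environment. The log lines are constructed, and, as noted above, a payload sent in a header that is not logged will not show up here.

```bash
#!/bin/bash
# Added example, not part of the original post: scan a combined-format
# Apache/Nginx access log for the Shellshock function-definition prefix
# "() {" in any quoted field (request line, Referer, User-Agent), which is
# where CGI-exported headers show up. Every log line below is constructed.
# Caveat from the text above: a payload in a header that is not logged leaves
# no trace here, so this is a first triage step, not proof of absence.
set -e

# shellshock_hits LOGFILE -> "client<TAB>path<TAB>offending field", one line
# per quoted field carrying the prefix; tolerates spacing such as "(){" or "() {".
shellshock_hits() {
    awk '
    BEGIN { FS = "\"" }    # quoted fields 2/4/6 are request, referer, user-agent
    {
        for (i = 2; i <= NF; i += 2) {
            if ($i ~ /[(][ \t]*[)][ \t]*[{]/) {
                split($0, a, " "); split($2, r, " ")
                printf "%s\t%s\t%s\n", a[1], r[2], $i
            }
        }
    }' "$1"
}

# count_hits LOGFILE -> number of flagged fields
count_hits() { shellshock_hits "$1" | wc -l | tr -d ' '; }

log=$(mktemp)
cat > "$log" <<'EOF'
203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/test HTTP/1.1" 200 12 "-" "() { :;}; echo probe"
198.51.100.9 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "(){ :; }; /bin/true" "curl/7.38.0"
192.0.2.44 - - [25/Sep/2014:10:03:30 +0000] "POST /cgi-bin/form HTTP/1.1" 200 44 "-" "Mozilla/5.0 (compatible; MSIE 9.0)"
EOF
echo "Shellshock probes found: $(count_hits "$log")"
shellshock_hits "$log"
```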

    What can I do to protect myself?

    Major operating system vendors including Red Hat, CentOS, etc. have already released an initial patch for this bug.

    Debian—https://www.debian.org/security/2014/dsa-3032

    Ubuntu—http://www.ubuntu.com/usn/usn-2362-1/

    Red Hat—https://access.redhat.com/articles/1200223

    CentOS—http://centosnow.blogspot.com/2014/09/critical-bash-updates-for-centos-5.html

    Novell/SUSE— http://support.novell.com/security/cve/CVE-2014-6271.html

    If a patch is unavailable for a specific distribution of Linux or Unix, it is recommended that users switch to an alternative shell until one becomes available.

    Need expert assistance?

    I can help you to patch your server against this bug and make sure you and your customers are secure. Mail me at therealfreelancer[at]gmail[dot]com.
