Cron job not working in CPanel

Description: Cron jobs stopped working suddenly in CPanel Server

Procedure: Below are steps to troubleshoot issue

• Make sure Cron service running 
• check permission in /usr/bin/crontab it should be 4775 if it is different, then change it using below command 

# useradd authuser
# chmod 4775 /usr/bin/crontab

• Check permission in /var/spool/cron it should be as follow:

drwx------. 2 root root 4.0K Jul 8 15:34 .
drwxr-xr-x. 16 root root 4.0K Jul 8 15:23 ..
-rw------- 1 root root 1 May 11 20:53 demosite1
-rw------- 1 root root 1 May 15 12:52 testsite1
-rw------- 1 root root 1.3K Jun 6 21:04 example
-rw------- 1 root root 583 May 27 21:39 democy
-rw------- 1 root root 1 May 11 20:54 demowriterpay
-rw------- 1 root root 1 May 11 20:54 origianl

Tips to secure CPanel server

Description: Server Security is very important to keep your websites and other data secure as new methods of attacks and hacks are popping up almost every day, so it is critically important to keep your servers secure and updated. Here I have explained ways to secure CPanel server.

Procedure: Here are some basic ways to secure Cpanel server

• Strong  Server Password:  Set such password which is not easy to guess. So set password with complexity and lengthy with multiple characters. Also change server password in regular retention.  
• Create Wheel user:  Create new user and disable ssh access for root user. So SSH console will access with that user only. Here are the steps.

# useradd authuser

• Change default ssh port and  disable root ssh access from configuration file 

# vi /etc/ssh/sshd_config

Port 2255
Set PermitRootLogin to 'No'
PermitRootLogin no 

• Updating CPanel: Updating CPanel to the latest version is the best way to keep the system from vulnerabilities and bugs as CPanel releases the bug fixes regularly. 

You can update cPanel via WHM,

WHM >> cPanel >> Upgrade to Latest Version >> Click to upgrade

You can also do this via Command Line

#/scripts/upcp --force

• Install and Config Server Firewall (CSF)

# rm -fv csf.tgz
# wget http://www.configserver.com/free/csf.tgz
# tar -xzf csf.tgz
# cd csf
# sh install.sh
# cd /etc/csf/
# mv csf.conf csf.conf.BKP
# wget http://jarry.web-dns1.com/~heberge/csf.tar.gz
# tar -zxf csf.tar.gz
# rm -rf csf.tar.gz
# csf –r

• Install Maldet Malware Scanner

# cd /usr/src
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
# tar -xzf maldetect-current.tar.gz
# cd maldetect-*
# sh ./install.sh
# maldet –update-ver

• Install ClamAV AntiVirus (From WHM/CPanel)

Log in to WHM
Click on Manage Plugins
Check the ClamAV box
At bottom click Save
Wait for process to finish (It will take approx 15 minutes)

Install Rootkit Hunter

Go to http://downloads.sourceforge.net/project/rkhunter/
and locate the latest version. Copy the URL into source url below.

# wget http://sourceforge.net/projects/rkhu…ar.gz/download
# tar -xvzf rkhunter-*
# cd rkhunter-*
# sh installer.sh –install –layout default
# rkhunter -c
Results are logged to: /var/log/rkhunter.log

Tweaking CPanel and WHM access: It is always best to keep SSL based encryption when you login to CPanel and WHM. For this go to:
WHM >> Server Configuration >> Tweak Settings >> Redirection

• Enable CPHulk Brute Force Protection:

cPHulk is a commonly used tool to protect the server from Brute Force attacks. You can enable cPHulk via:

WHM >> Security Center >> cPHulk Brute Force Protection.

• Apache And PHP Security Tweak.

You can enable ModSecurity in WHM for securing Apache from attacks like code injection etc. There are specific rules defined in the ModSecurity configuration file and any connection not matching the rules will be blocked. You can install ModSecurity via:

WHM >> Plugins >> Mod Security

Configure suPHP as the PHP handler and suEXEC for executing the CGI scripts in the user privilege. You can enable suPHP and suEXCEC via:

WHM >> Service Configuration >> suEXEC

Change the PHP handler to suPHP, Turn Apache suEXEC to ‘ON’ and click Save New Configuration.

You need to enable PHP open_basedir protection for preventing PHP scripts from files outside of its home directory.

WHM >> Security Center >> PHP open_basedir Tweak >> check box the option Enable PHP open_basedir Protection >> Click Save.

You need to tweak the PHP configuration to disable some of the PHP functions.

WHM >> Service Configuration >> PHP Configuration Editor >> Select Advanced mode
And set the following parameters.
register_globals: Off
disable_functions: show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen

Then click ‘Save’

• Disable Compiler Access To Users Other Than Root: You can either disable "disable compiler access" to all users or you can enable it for trusted users via:

# WHM >> Security Center >> Compiler Access

• Hardening /Tmp: We can set /tmp partition mounted with the nosuid option because this will force the file in to be executed in its user privilege. cPanel/WHM has a custom script for this and you can simply run the script via Command Line. Here is the script/command.

#/scripts/securetmp

• Checking Suspicious Files And Folders: Files and folders with full permissions and with out user and or groups is always suspicious as it can be accessed by the attackers easily. So we need to find such files and check if it is necessary.

Here is the command to check the suspecias files:

#find / \( -type f -o -type d \) -perm /o+w 2>/dev/null | egrep -v '/(proc|sys)' > suspecius_files.txt

Command to find no owner files and folders is:

#find / -nouser -o -nogroup >> no_owner_files.txt

• Disable Anonymous FTP & Logins: With Root Attackers always tend to upload malicious scripts as the anonymous user. So it is advised to disable Anonymous user and you can do it via:

WHM >> Service Configuration >> FTP Server Configuration

• Disable Recursion In Bind: Enabling Recursion in Bind may lead to DNS amplification attacks, lookups from DNS lookup websites etc. So it is recommended to turn it off.

#vi /etc/named.conf
recursion no

• Most of time Hacker manipulate your index page [index.html, index.php etc..] under public_html directory. So below script is use to find out page by "Hacked by" somewhere or someone. So create script and add in cron scheduler.

#!/bin/sh 
for i in `cat /etc/trueuserdomains| awk {'print $2'}`; 
do grep -rl "Hacked" /home/$i/public_html/index.htm; 
done | mail -s "Infected Files" EmailID

for i in `cat /etc/trueuserdomains| awk {'print $2'}`; 
do grep -rl "Hacked" /home/$i/public_html/index.html; 
done | mail -s "Infected Files" EmailID

for i in `cat /etc/trueuserdomains| awk {'print $2'}`; 
do grep -rl "Hacked" /home/$i/public_html/index.php; 
done | mail -s "Infected Files" EmailID

• To find out malicious script from server you can use below command to find out script from server

# perl <(find2perl /home/*/etc/*/shadow\.* -print )

IP Rotation for EXIM in WHM/CPanel

Description: There are no native features that would allow you to rotate the IP addresses used for sending out email. The option included with CPanel/WHM only allow for the permanent change of the IP addresses used for sending. Below code is use to configure IP rotation.

#!/bin/bash

# Exim Outgoing IP address rotator
# The cPanel Admin 24/10/2017
# Files: /etc/mailipaddrpool: list of IP addresses to use for mail
ipfile=/etc/mailipaddrpool
curip=$(grep "*:" /etc/mailips |awk '{print $2}')
if [[ "$curip" == "" ]] || ! grep $curip $ipfile >/dev/null ; then
 curip=$(tail -1 $ipfile)
fi
nextipct=$(cat $ipfile |grep -A 1 $curip |wc -l)
if [ "$nextipct" == "1" ];then
 nextip=$(head -1 $ipfile)
else
 nextip=$(cat $ipfile |grep -A 1 $curip | tail -1)
fi
sed '/*:/d' -i /etc/mailips
sed '/^$/d' -i /etc/mailips
echo "*: $nextip" >> /etc/mailips

Note: /etc/mailipaddrpool file contains all your IP Addresses as given example:

192.168.0.1

192.168.0.2

192.168.0.3

192.168.0.4

• Then setup a cron job with the above script to run as your requirement. As it is kind of bash command and mailips file will be written on every cron action, set up the crontab as superuser root by command line with following commands

#crontab -e (this command will open/create crontab file in edit mode to enter add/edit/remove cron task)

/bin/bash /etc/scripts/yourscriptfile

• Prior to run bash command, change file permission to execution like chmod filename 777

Migrate Mailbox from Cpanel to Zimbra

Procedure

• First step to find list of mail accounts, to find lists you need to install firebug addins in Firefox
• After install firebug Open Cpanel and select Email Accounts tab in Firefox Browser as showing in screen shot

• Select Result per page maximum you can select 100 as given in screen shot. If result more than 100 you need to below exercise multiple time.

• Open Firebug in the website and go into Console>Show command editor, and paste the next code in the right window, and press run.

   var rows = $("#table_email_accts tr.dt_info_row"),

   returnString = "";

   rows.each(function(i, item){

   var tdList = [];

   $(item).find('td:eq(0)').each(function(s, subItem){

   tdList.push($(subItem).text());

   });

   returnString += tdList + "\n";

   });

   console.log(returnString);

• After paste above code in firebug you need to select result per page to 100 you will get result all mail accounts you need to copy it to notepad. Please keep it for we will use in future reference.

Creating the  XML files

Account migration tool in Zimbra server work on two .xml files for bulk migrate accounts.

1. The first xml is for the Account provision
2. The second xml is for the IMAP data import

First xml is for account provision,  Which used to provision multiple email account without importing email

<?xml version="1.0" encoding="UTF-8"?>

<ZCSImport>

<ImportUsers>

<User>

<sn>Sample</sn>

<givenName>Sam</givenName>

<displayName>Sam Sample</displayName>

<RemoteEmailAddress>ssample@example.com</RemoteEmailAddress>

<password>test123</password>

<zimbraPasswordMustChange>TRUE</zimbraPasswordMustChange>

</User>

<User>

<sn>Zackry</sn>

<givenName>Zak</givenName>

<displayName>Zak Zackry</displayName>

<RemoteEmailAddress>zzackry@example.com</RemoteEmailAddress>

<password>test123</password>

<zimbraPasswordMustChange>TRUE</zimbraPasswordMustChange>

</User>

</ImportUsers>

</ZCSImport>

Save this xml file as Cpanel-IMAP-User.xml

The second xml is for import emails.

<?xml version="1.0" encoding="UTF-8"?>

<ZCSImport>

<IMAPHost>imap.gmail.com</IMAPHost>

<IMAPPort>143</IMAPPort>

<ConnectionType>cleartext</ConnectionType>

<UseAdminLogin>0</UseAdminLogin>

<ImportUsers>

<User>

<sn>Sample</sn>

<givenName>Sam</givenName>

<displayName>Sam Sample</displayName>

<RemoteEmailAddress>sam@example.com</RemoteEmailAddress><RemoteIMAPLogin>sam@example.com</RemoteIMAPLogin><remoteIMAPPassword>test123</remoteIMAPPassword>

</User>

<User>

<sn>Zackry</sn>

<givenName>Zak</givenName>

<displayName>Zak Zackry</displayName>

<RemoteEmailAddress>zzackry@example.com</RemoteEmailAddress><RemoteIMAPLogin>sam@example.com</RemoteIMAPLogin><remoteIMAPPassword>test123</remoteIMAPPassword>

</User>

</ImportUsers>

</ZCSImport>

Note: Instead of imap.gmail.com you need to set server address of Domain mail server in above script

After save both xml files open account migration tool from Zimbra admin console from Home>Tools>Migration>Account Migration

• After completed this it shows like this if any error not occurred

Block Domain to Send Mail in CPanel

Description: If any domain send huge spam then you can block domain to send mail
Procedure:

• Open SSH console using root user
• Check /etc/blockeddomains file exists or not
• Add domain name in this file that you want to block using below command
• # echo "thedomain.com" > /etc/blockeddomains
• After add it set permission on this file using below command
• # chown root.mail  /etc/blockeddomains
• # chmod 644 /etc/blockeddomains
• Login WHM and go to “EXIM Configuration Manager”
• WHM - Service Configuration - Exim Configuration Manager - Advance Editor
• Search for "Add additional configuration setting" This can be located by fourth of the way of scroll down

• Add entry : domainlist blocked_domains = lsearch;/etc/blockeddomains

• Search for "ROUTERSTART"  and add following entry
• reject_domains:
  driver = redirect
  domains = +blocked_domains
  allow_fail
  data = :fail: Connection rejected: SPAM source $domain is manually blacklisted.
• Restart exim service after make changes
• If you want to add more domain then add entry it in  /etc/blockeddomains
   

Optimization Of Cpanel

Description: Here I have define various optimizations in Cpanel like Apache, MySQL, CSF Firewall, Mail and PHP.

1> Apache Web Server: Change the apache setting using below steps using  WHM » Service Configuration » Apache Configuration » “Global Configuration”

• Timeout :- This setting determines how long Apache will wait for a visitor to send a request. In busy servers, we set it up to 120 seconds, but it is best to keep this value as low as possible to prevent resource wastage.
• KeepAlive :-When “KeepAlive” is set to “On”, Apache uses a single connection to transfer all the files to load a page. This saves time in establishing a new connection for each file.
• MaxKeepAliveRequests :-This setting determines how many files can be transferred via a KeepAlive connection. Unless there’s a reason not to (like resource constrains), this setting can be set to “0”, that is, “unlimited”.
• KeepAliveTimeout :-This setting makes sure that a KeepAlive connection is not abused. It says how long should Apache wait for a new request before it resets the connection. In heavily loaded servers, we’ve found 10 Sec. to be a good limit.
• MaxClients :-This setting tells Apache how many visitors can be served simultaneously. In busy servers (such as shared servers), we’ve found 512 to be a good value. However, note that setting it too high will cause resource wastage, and setting it too low will result in lost visitors.
• MinSpareServers & MaxSpareServers :-Apache keeps a few “workers” on stand-by to handle a sudden surge of requests. If your site is prone to visit spikes, configure these variables. In heavily loaded servers, we’ve found MinSpareServers value of 10 and MaxSpareServers value of 15 to be a good limit.
• HostnameLookups:-Apache can try to find out the hostname of every IP that connects to it, but that would be a wastage of resources. To prevent that, set HostnameLookups to “0”.

2> MYSQL Optimization : You can optimize SQL server depends on Hardware configuration of server [CPU and RAM]. So below are some my.cnf settings as per CPU and RAM
 
Below SQL Settings for having 2 Core CPU and 4 GB Memory


Open my.cnf and use below settings. 
[mysqld]
local-infile = 0
max_connections = 250
key_buffer = 64M
myisam_sort_buffer_size = 64M
join_buffer_size = 1M
read_buffer_size = 1M
sort_buffer_size = 2M
max_heap_table_size = 16M
table_cache = 5000
thread_cache_size = 286
interactive_timeout = 25
wait_timeout = 7000
connect_timeout = 15
max_allowed_packet = 16M
max_connect_errors = 10
query_cache_limit = 2M
query_cache_size = 32M
query_cache_type = 1
tmp_table_size = 16M
open_files_limit=25280
performance_schema=0


[mysqldump]
max_allowed_packet = 16M


[myisamchk]
key_buffer = 64M
sort_buffer = 64M
read_buffer = 16M
write_buffer = 16M


Below SQL Settings for having 8 Core CPU and 16+ GB Memory
[mysqld]
local-infile=0
max_connections = 600
max_user_connections=1000
key_buffer_size = 512M
myisam_sort_buffer_size = 64M
read_buffer_size = 1M
table_open_cache = 5000
thread_cache_size = 384
wait_timeout = 20
connect_timeout = 10
tmp_table_size = 256M
max_heap_table_size = 128M
max_allowed_packet = 64M
net_buffer_length = 16384
max_connect_errors = 10
concurrent_insert = 2
read_rnd_buffer_size = 786432
performance_schema=0
bulk_insert_buffer_size = 8M
query_cache_limit = 5M
query_cache_size = 128M
query_cache_type = 1
query_prealloc_size = 262144
query_alloc_block_size = 65535
transaction_alloc_block_size = 8192
transaction_prealloc_size = 4096
max_write_lock_count = 8
external-locking=FALSE
open_files_limit=50000
[mysqldump]
max_allowed_packet = 16M
[isamchk]
key_buffer = 384M
sort_buffer = 384M
read_buffer = 256M
write_buffer = 256M
[myisamchk]
key_buffer = 384M
sort_buffer = 384M
read_buffer = 256M
write_buffer = 256M


3> Security and Limit Resources in Cpanel: Configuration of CSF for securing server

1.  Go to WHM » Plugins » ConfigServer Security & Firewall » “Check Server Security” And pass on what appears as required to repair:
2. Go to WHM » Plugins » ConfigServer Security & Firewall » “Firewall Configuration” and set the parameters according to your needs:

• PT_USERMEM=180
• PT_USERTIME=180
• PT_USERKILL=1
• PT_USERKILL_ALERT=1 (Optional)

Below are some Tweak Settings that increase server performance:

• Tweak settings open using: Main >> Server Configuration >> Tweak Settings
• Email delivery retry time: The default is a retry every hour - but you may want to extend this so the server is less strained with larger queues.
• Max Hourly Emails: By default, this is unlimited. Our shared servers have a limit of 1000 per hour to avoid abuse or spamming.
• BoxTrapper spam trap: This can help prevent spam, but consumes a lot of memory. We recommend disabling it.
•  Mailman mailing lists: It's easier on the server to use a program like PHPList (installable through Softaculous). We recommend disabling this.
• Webmail clients: By default there are three mail clients running. Use just one for better performance - we recommend RoundCube

4> PHP:  Below are some PHP settings that increase server performance

• Max Execution Time: The default is 90 seconds, but this could be dropped lower if certain scripts are over consuming resources.
• PHP Max Upload Size: The default is 50 megabytes or MB, but this can be reduced to prevent large files from overloading the server during upload.

Disk Quota Issue in WHM/Cpanel

Description: Disk usage shows wrong in WHM
Procedure: Perform below steps in  SSH console

1. Run /scripts/fixquotas script to fix the quota
2. Check fstab entry it seems to like as follow:
    
   /dev/md7        /home   ext3    defaults,usrquota       1       1
    
3. Make sure backup setting in legacy need to change from /backup to original drive.
4. Check disk quota from list account in WHM

Default Cron Jobs of Cpanel

Description: By Default some cron jobs available with Cpanel installation. So if you have deleted them by mistakenly you just need to paste it as follow:

root@localhost # crontab –e

[Open crontab using above command and paste below crons]

 

0 6 * * * /usr/local/cpanel/scripts/exim_tidydb > /dev/null 2>&1

30 5 * * * /usr/local/cpanel/scripts/optimize_eximstats > /dev/null 2>&1

2,58 * * * * /usr/local/bandmin/bandmin

0 0 * * * /usr/local/bandmin/ipaddrmap

19 2 * * * /usr/local/cpanel/scripts/upcp --cron

0 1 * * * /usr/local/cpanel/scripts/cpbackup

0 2 * * * /usr/local/cpanel/bin/backup

35 * * * * /usr/bin/test -x /usr/local/cpanel/bin/tail-check && /usr/local/cpanel/bin/tail-check

45 */4 * * * /usr/bin/test -x /usr/local/cpanel/scripts/update_mailman_cache && /usr/local/cpanel/scripts/update_mailman_cache

30 */4 * * * /usr/bin/test -x /usr/local/cpanel/scripts/update_db_cache && /usr/local/cpanel/scripts/update_db_cache

45 */8 * * * /usr/bin/test -x /usr/local/cpanel/bin/optimizefs && /usr/local/cpanel/bin/optimizefs

30 */2 * * * /usr/local/cpanel/bin/mysqluserstore >/dev/null 2>&1

15 */2 * * * /usr/local/cpanel/bin/dbindex >/dev/null 2>&1

15 */6 * * * /usr/local/cpanel/scripts/autorepair recoverymgmt >/dev/null 2>&1

*/5 * * * * /usr/local/cpanel/bin/dcpumon >/dev/null 2>&1

8 0 * * * /usr/local/cpanel/whostmgr/docroot/cgi/cpaddons_report.pl --notify

2,17,32,47 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1