Getting rid of cPanel IP Check errors

On Linux servers behind NAT you will start getting emails warning that the DNS setup is broken.

cPanel states that the panel does not work behind NAT and the boxes need public ip addresses.

It seems that, apart from this warning, the panel and services function fine behind NAT (as expected), and while I wouldn’t recommend it, sometimes you have no choice.

The email you get though is something like the following:

[ipcheck] Problem with DNS setup on myserver.local

IMPORTANT: Do not ignore this email.

The hostname (myserver.local) resolves to 10.0.0.1. It should resolve to 192.168.0.1.
Please be sure to correct /etc/hosts as well as the 'A' entry in zone file for the domain.

Some are all of these problems can be caused by /etc/resolv.conf being setup incorrectly.
Please check this file if you believe everything else is correct.

The best way I have found of “fixing” this is simply to disable the “Ip address dns check” option in the contact manager.

You could alternatively comment out the check in /scripts/maintenance; however, this change will be lost on updates.

Force PECL to install 64bit modules

To ensure PECL installs 64bit modules you need to install the 64bit php-devel package.

On a RHEL system perform the following:

  1. pecl uninstall
  2. yum remove php-devel.i386
  3. yum install php-devel.x86_64
  4. pecl install

Any further modules will now be 64bit.

Fixing iptables for passive FTP

To make passive FTP work with iptables you need to enable the “ip_conntrack_ftp” module. This is done by editing /etc/sysconfig/iptables-config and changing

IPTABLES_MODULES=""

to include the ip_conntrack_ftp module, like so:

IPTABLES_MODULES="ip_conntrack_ftp"

Once this is done, restart iptables and it should play nicely with passive FTP.

Exim SMTP with multiple IPs and different HELO identifiers

To send a different HELO on each of multiple IPs we need to use Exim's router and transport settings, which are available in Exim 4+.

The first thing we need to create is a custom router; all the options are listed here and here.

An example router:

myrouter:
 driver = dnslookup
 senders = *@mydomain.com, *@*.mydomain.com
 transport = mytransport

The senders option is a comma-separated list of addresses to match against the From header. These can contain regex patterns, which makes matching whole domains really easy.

The transport option is a reference to your custom transport (see below).

Next we need to create a custom transport; all the options are listed here and here.

An example transport is:

mytransport:
 driver = smtp
 interface = 192.168.0.1
 helo_data = mail.mydomain.com

The interface setting is the local IP address this transport sends from, and helo_data is the name sent in the HELO command.
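As an added example (not from the original post and not Exim's own code), the following Python resolves which transport, and therefore which source interface and HELO name, the router and transport above would give a message for a given sender address. It parses the two config blocks exactly as written on this page; the wildcard handling (a `*` matches any run of characters, the pattern is anchored to the whole address and matched case-insensitively) is an assumption modelled on Exim's address lists, and a sender that matches no router is returned as None, where real Exim would fall through to its default transport.

```python
import re

# Constructed config text reproducing the router and transport blocks above.
EXIM_CONF = """
myrouter:
 driver = dnslookup
 senders = *@mydomain.com, *@*.mydomain.com
 transport = mytransport

mytransport:
 driver = smtp
 interface = 192.168.0.1
 helo_data = mail.mydomain.com
"""

def parse_blocks(text):
    """Parse 'name:' headers followed by 'key = value' option lines into dicts."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith(":") and "=" not in line:
            current = line[:-1]
            blocks[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            blocks[current][key.strip()] = value.strip()
    return blocks

def wildcard_to_regex(pattern):
    """'*' matches any run of characters, everything else is literal (assumed Exim-style).
    Anchored at both ends so '*@mydomain.com' cannot match 'x@mydomain.com.example.net'."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

def sender_matches(sender, senders_option):
    """True if the sender matches any pattern in the comma-separated senders list."""
    patterns = [p.strip() for p in senders_option.split(",") if p.strip()]
    return any(wildcard_to_regex(p).match(sender) for p in patterns)

def resolve(sender, conf=EXIM_CONF):
    """Return (interface, helo_data) from the first router whose senders list matches,
    or None when no custom router applies (Exim then uses its default transport)."""
    blocks = parse_blocks(conf)
    for opts in blocks.values():  # only router blocks carry a 'transport' option
        if "transport" in opts and sender_matches(sender, opts.get("senders", "*")):
            transport = blocks.get(opts["transport"], {})
            return transport.get("interface"), transport.get("helo_data")
    return None
```

The anchored match matters: an unanchored `*@mydomain.com` would also accept look-alike senders such as `x@mydomain.com.example.net` and hand them your interface and HELO name.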

This makes Exim an awesome platform for shared mail servers. It is very simple to offer whitelisting and protection against spammers.

Common PCI compliance issues - cPanel

It is quite common for companies running cPanel to attempt to gain PCI compliance. Here are a few common things to do before submitting a scan request.

1) Set up a firewall. PCI scanners love to moan about ports that are not secure. Sometimes they don’t even check the banner of what is running; they just assume what is running based on the IANA port assignments.

For ports that ARE secure but PCI refuse to believe are (self-signed certs, cPanel/WHM ports, etc.) there is a quick and dirty solution: restrict access to those ports so that only your office IP can reach them.

If the PCI scanner can’t access the port it can’t complain. This also fixes a real security issue: who wants to leave a panel that uses system logins open to the public!

Make sure things like MySQL are blocked off too. Yes, they have their own ACLs, but the scanner will flag the open port regardless.

2) Fix SSL by disabling v2 and some weaker encryption methods.

In the httpd.conf (or just the SSL vhosts) add the following:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

In the /usr/lib/courier-imap/etc/pop3d-ssl and /usr/lib/courier-imap/etc/imapd-ssl files add the following:

TLS_CIPHER_LIST="ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"

In the exim.conf file add the following:

tls_require_ciphers = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2

3) Update the server (you should be doing this already).

/scripts/upcp
yum update

4) Disable mod_userdir. You can disable this in WHM under Security -> Apache -> mod_userdir tweak.

5) Tell Apache to reveal nothing much about itself. In httpd.conf add the following:

ServerSignature Off
ServerTokens Prod
FileETag None

Also disable the TRACE method. To do this go into WHM -> Service configuration -> Apache -> Global configuration and set TraceEnable to off.

Note: Passing a PCI scan does not mean your server is secure. It means you have passed the very small set of tests they have available.

You should take some major steps to harden the server against local users as well as remote attacks.