Set up a WHM/cPanel Server

This guide will tell you how to set up WHM/cPanel on a fresh server. It is written specifically for web hosting resellers, as it aims to tune, optimize and secure the server for selling hosting.

  1. SERVER PARTITION SIZE
    cPanel condition: swap to be 4 GB

Croc Web
Device      Mount Point   Usage   Status
/boot       /boot         28%     (133,214 of 499,492)
/var/tmp    /var/tmp      8%      (318,684 of 4,059,840)
/tmp        /tmp          8%      (318,684 of 4,059,840)
/           /             78%     (1,188,088,984 of 1,612,302,348)

All tmp partitions are created automatically, so a dedicated server with 32 GB RAM was ordered from WSI with 4 GB swap, as recommended by cPanel.

  1. FQDN
    CREATE/UPDATE THE NAMESERVER
    srv1.fqdn.com

Log in to the new dedicated server

  1. yum update
  2. nano /etc/ssh/sshd_config
    Port 2244
    reboot
  3. hostname srv1.fqdn.com
  4. Disable NetworkManager for all interfaces (list them with ifconfig -a)

systemctl stop NetworkManager.service
systemctl disable NetworkManager.service
OR, for CentOS 6:
service NetworkManager stop

cd /etc/sysconfig/network-scripts
ls
Open the ifcfg-eth0 and ifcfg-lo files (on CentOS 7: ifcfg-eno1 and ifcfg-lo; ifcfg-eno2 was skipped because ONBOOT was already no and, despite TYPE=Ethernet, it was IPv6 only) with your preferred text editor and, if they exist, set the following keys' values in /etc/sysconfig/network-scripts/ifcfg-ethX:
NM_CONTROLLED=no
ONBOOT=yes
cp ifcfg-eno1 ifcfg-eno1:0

systemctl enable network.service
systemctl start network.service
systemctl status network

ip a
cd /etc/sysconfig/network-scripts/

CentOS 7:

cp ifcfg-eno1 ifcfg-eno1:0
cp ifcfg-eno1:0 ifcfg-eno1:1

CentOS 6:

cp ifcfg-eth0 ifcfg-eth0:0   # 63
cp ifcfg-eth0 ifcfg-eth0:1   # 64
cp ifcfg-eth0 ifcfg-eth0:2   # 65

DEVICE="eth0"
BOOTPROTO=static
ONBOOT=yes
TYPE="Ethernet"
IPADDR=63.141.238.166
NETMASK=255.255.255.224
GATEWAY=172.16.16.100
HWADDR=00:0C:29:28:FD:4C

DEVICE="eth0:0"          # IMPORTANT
BOOTPROTO=static         # IMPORTANT
ONBOOT=yes
TYPE="Ethernet"
IPADDR=172.16.16.126     # IMPORTANT
NETMASK=255.255.255.224
GATEWAY=172.16.16.100
HWADDR=00:0C:29:28:FD:4C

/etc/init.d/network restart

https://www.tecmint.com/create-multiple-ip-addresses-to-one-single-network-interface/
IPADDR=63.141.238.162
IPADDR=63.141.238.163
IPADDR=63.141.238.164
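The cp-and-edit steps above can be scripted so that every alias file is consistent. The following shell script is an added example, not part of the original guide or of any cPanel/CentOS tool: given a base ifcfg file and a list of additional IPs, it writes one ifcfg-<dev>:<n> alias per address, keeping the NETMASK, GATEWAY and HWADDR of the base interface and setting NM_CONTROLLED=no so NetworkManager leaves the alias alone. The base file and the temporary output directory are constructed here; the addresses are the ones used in this guide.

```shell
#!/bin/sh
# Added example (not from the guide): generate ifcfg alias files for extra IPs.
# Assumes the base file carries DEVICE=, IPADDR=, NETMASK=, GATEWAY= (and optionally
# HWADDR=) and that every alias shares netmask and gateway with the base interface.

# make_alias BASEFILE INDEX IPADDR OUTDIR
# Writes OUTDIR/ifcfg-<dev>:<INDEX> and prints its path.
make_alias() {
  base="$1"; idx="$2"; ip="$3"; outdir="$4"
  # DEVICE may be quoted or bare; take just the interface name.
  dev=$(sed -n 's/^DEVICE=["]*\([^"]*\)["]*$/\1/p' "$base")
  [ -n "$dev" ] || { echo "no DEVICE= line in $base" >&2; return 1; }
  out="$outdir/ifcfg-$dev:$idx"
  {
    # Copy every key except the ones that differ per alias.
    grep -v -E '^(DEVICE|IPADDR|NM_CONTROLLED)=' "$base"
    printf 'DEVICE="%s:%s"\n' "$dev" "$idx"
    printf 'IPADDR=%s\n' "$ip"
    printf 'NM_CONTROLLED=no\n'
  } > "$out"
  echo "$out"
}

# make_aliases BASEFILE OUTDIR IP... : one alias per IP, numbered 0, 1, 2, ...
make_aliases() {
  base="$1"; outdir="$2"; shift 2
  i=0
  for ip in "$@"; do
    make_alias "$base" "$i" "$ip" "$outdir" || return 1
    i=$((i + 1))
  done
}

# Constructed sample base file, using the values from this guide, in a temp dir.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ifcfg-eth0" <<'EOF'
DEVICE="eth0"
BOOTPROTO=static
ONBOOT=yes
TYPE="Ethernet"
IPADDR=63.141.238.166
NETMASK=255.255.255.224
GATEWAY=172.16.16.100
HWADDR=00:0C:29:28:FD:4C
EOF
make_aliases "$demo_dir/ifcfg-eth0" "$demo_dir" 63.141.238.162 63.141.238.163 63.141.238.164
```

On a real server you would point OUTDIR at /etc/sysconfig/network-scripts and then restart the network service as the guide does; review the generated files before restarting, since a wrong netmask on an alias silently breaks routing for that address.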

  1. cd /home && curl -o latest -L https://securedownloads.cpanel.net/latest && sh latest
    Open the one-time login URL printed by the cPanel installer.

https://www.cyberciti.biz/faq/howto-setting-rhel7-centos-7-static-ip-configuration/

DNS Zone
Add a DNS zone:
63.141.238.162 fqdn.com // To resolve the "Nameserver is not authoritative" error

Add a DNS zone:
63.141.238.163 ns4.fqdn.com
Edit the DNS zone:
ns4.fqdn.com

I added A records, as well as NS A records and NS records, inside the DNS zone of the reseller's main domain; then it resolved.

MySQL

  1. Upgrade to MariaDB before installing CloudLinux MySQL Governor; otherwise run the following.
    To remove MySQL Governor:

$ /usr/share/lve/dbgovernor/mysqlgovernor.py --delete

/usr/share/lve/dbgovernor/mysqlgovernor.py --install

Open the remote connection port on MySQL / MariaDB

  1. Feature Manager » Edit Feature List
  2. Install CloudLinux (CL)
    cd /root
    $ wget https://repo.cloudlinux.com/cloudlinux/sources/cln/cldeploy
    If you have an activation key:
    $ sh cldeploy -k <activation key>
    If you have an IP-based license:
    $ sh cldeploy -i
    $ reboot

Run the wizard and install CageFS, LSAPI and MySQL Governor.

  1. MySQL my.cnf file (see the Guides folder)
    max_connections=150
    service mysql restart

pid-file=/var/run/mysqld/mysqld.pid (this one did not work)

  1. Install ClamAV, then the ConfigServer cxs script installer
    cd /usr/src
    rm -f cxs*
    wget https://download.configserver.com/cxsinstaller.tgz
    tar -xzf cxsinstaller.tgz
    perl cxsinstaller.pl ipv4
    rm -fv cxsinstaller.*

Run the wizard.
Enable IP Reputation after installing the CSF firewall.

You should be able to edit
/etc/cxs/cxs.ignore
Then add:
hdir:/public_html/wp-content/cache/supercache
hdir is relative to the user's home folder.

Then restart cxs:
service cxswatch restart

  1. ConfigServer Security & Firewall (csf)
    cd /usr/src
    rm -fv csf.tgz
    wget https://download.configserver.com/csf.tgz
    tar -xzf csf.tgz
    cd csf
    sh install.sh

Next, test whether you have the required iptables modules:

perl /usr/local/csf/bin/csftest.pl

Result: all OK

Enable the firewall.
Check Basic Security.
Add your SSH port to TCP_IN and TCP_OUT (the incoming and outgoing port lists).

  1. Remove All PHP versions from EA4.

Dealing with cPanel’s MultiPHP and CloudLinux’s PHP Selector.
July 8th, 2018 — whplus
If you are using PHP-FPM you cannot use CloudLinux's PHP Selector, so you may want to scrap PHP Selector off the bat if that is the case, unless you plan on only using PHP-FPM for some accounts and not all.

If PHP-FPM isn’t a worry, then what I would recommend you doing is going into:

WHM > EasyApache4

Installed CL + OPcache + mod_lsapi + all PHP versions (then customised ionCube for PHP)

Then go into

WHM > CloudLinux LVE Manager > Selector

Set your ‘Default php version’ to PHP 7.2(not native).

Then below that, I personally uncheck "native" altogether.

At the very bottom, click the "Panel Default" option and click "Save".

This will select all the PHP extensions you chose for the PHP version in EasyApache.

You will want to do this for each PHP version there.

Next, go to

WHM > MultiPHP Manager

Make sure you set “System PHP Version” to EA-PHP70 (or whichever EA version you chose in EasyApache).

Make sure ALL cPanel accounts are set to the inherited version of PHP. This will make sure all cPanel accounts are now only able to use PHP versions from Cloudlinux’s PHP Selector.

I would also go to

WHM > Feature Manager

Edit your default and other feature lists that you use and disable both the:

MultiPHP INI Editor
MultiPHP Manager


  1. nano /opt/alt/php51/etc/php.ini

Change the existing options:
enable_dl = Off
disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open

We are often asked how to prevent a particular PHP function from being used by all clients. This is especially true of functions like exec, passthru, etc. This can easily be done with PHP Selector. Your customers are only allowed to modify the directives listed in the /etc/cl.selector/php.conf file. For example, if you want to block a system command like 'exec' for php53, add 'disable_functions=exec' to /opt/alt/php53/etc/php.ini. As long as this directive is absent from /etc/cl.selector/php.conf, users will not be able to use 'exec' in their scripts.

Do you want a quick check of what directives your users may customize? Execute the following command as root on your server:

grep Directive /etc/cl.selector/php.conf

Yet trying to secure your hosting with php.ini is the wrong approach. It might work for PHP processes, but it will not work for CGI scripts. The secure environment is already established by CageFS, which limits what processes can see or do to only safe actions.
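The two conditions in the CloudLinux note above (the function is in disable_functions, and disable_functions is not a customer-editable directive) are easy to check mechanically. The shell functions below are an added example, not from the guide or from CloudLinux: they read a php.ini, report any required function that is still allowed, and then confirm that disable_functions is not declared as a Directive in the selector's php.conf, which would let a customer switch it back off in PHP Selector. Both paths are parameters; the php.conf layout assumed is the "Directive = name" block format that the grep above relies on, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the guide or CloudLinux: verify php.ini hardening and
# that PHP Selector does not expose disable_functions to customers.

# ini_value FILE KEY : value of the first uncommented "KEY = value" line, trimmed
ini_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# missing_functions INI "f1 f2 ..." : prints each required function not in disable_functions
missing_functions() {
  have=$(ini_value "$1" disable_functions | tr -d ' ' | tr ',' '\n')
  for f in $2; do
    printf '%s\n' "$have" | grep -qx "$f" || printf '%s\n' "$f"
  done
}

# directive_customisable SELECTOR_CONF DIRECTIVE : success if users may override DIRECTIVE
# (assumed format: a "Directive = name" line per customisable directive)
directive_customisable() {
  grep -qE "^[[:space:]]*Directive[[:space:]]*=[[:space:]]*$2([[:space:]]|$)" "$1"
}

# check_php_ini INI SELECTOR_CONF REQUIRED : 0 when hardened, 1 with one message per finding
check_php_ini() {
  status=0
  miss=$(missing_functions "$1" "$3")
  if [ -n "$miss" ]; then
    echo "$1: not disabled:" $miss
    status=1
  fi
  if directive_customisable "$2" disable_functions; then
    echo "$2: disable_functions is customer-editable, php.ini block can be undone"
    status=1
  fi
  return $status
}

# Constructed demo: a php.ini that still allows proc_open, and a php.conf that
# exposes disable_functions to customers. Both findings are reported.
demo=$(mktemp -d)
printf 'enable_dl = Off\ndisable_functions = show_source, system, shell_exec, passthru, exec, popen\n' > "$demo/php.ini"
printf 'Directive = safe_mode\nDefault   = Off\nDirective = disable_functions\nDefault   =\n' > "$demo/php.conf"
check_php_ini "$demo/php.ini" "$demo/php.conf" \
  "show_source system shell_exec passthru exec popen proc_open" || echo "hardening incomplete"
```

On a real server loop it over every Selector version, e.g. `for f in /opt/alt/php*/etc/php.ini; do check_php_ini "$f" /etc/cl.selector/php.conf "exec system ..."; done`, since each alt-php version has its own php.ini.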

Install a Node.js application
yum install lvemanager lve-utils ea-apache24-mod-alt-passenger

  1. Install Imunify AV
    wget https://repo.imunify360.cloudlinux.com/defence360/imav-deploy.sh
    bash imav-deploy.sh
  2. Install the Cloudflare cPanel plugin using an SSH client such as Terminal or PuTTY
    HOST_API_KEY will look similar to 56yt8x9s987dfy4324bnv.
    'YOUR_COMPANY_NAME' should be wrapped in quotes, like so: 'Awesome Hosting'

bash <(curl -s https://raw.githubusercontent.com/cloudflare/CloudFlare-CPanel/master/cloudflare.install.sh) -k 0ed0828a859f2de15fbd2d5c3bedf391 -n 'Host Mayo'

  1. Nginx
    cd /; rm -f engintron.sh; wget --no-check-certificate https://raw.githubusercontent.com/engintron/engintron/master/engintron.sh; bash engintron.sh install
  2. Apache optimisation
    curl -sL https://raw.githubusercontent.com/richardforth/apache2buddy/master/apache2buddy.pl | sudo perl
    curl -sL apachebuddy.pl | perl (not working behind Nginx)
    MaxRequestWorkers 200 (not sure why, but the Apache error log showed: AH00286: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting)

We had the same problem on Apache 2.4.6. After monitoring the server and adjusting the setting for several hours, it appears to us that Apache may have a bug. What appears to happen is that the server processes occasionally go into the G state (gracefully finishing) and restart to accept new requests; that's normal. What is not normal is that for some reason this can take up to a few minutes to restart. If you only have a few server processes running and they all go into the G state at the same time, your scoreboard fills up and you won't be able to serve any more requests.

What we did was increase the number of servers so there is less of a chance that they will all go into the G state at the same time. Also make sure you allocate at least 25 threads (MaxRequestWorkers) for each server process, because that appears to be the default (i.e. 5 servers x 25 ThreadsPerChild = 125 MaxRequestWorkers). You can change ThreadsPerChild if you like; we left it at the default. If you don't allocate enough threads the additional servers will not start. We left MinSpareThreads at the default value, which is 25, and MaxSpareThreads at its default, which is 75. If you do modify these settings, the value for MaxSpareThreads must be greater than or equal to the sum of MinSpareThreads and ThreadsPerChild. Also MaxRequestWorkers must be equal to or less than the ServerLimit.

  1. I changed Apache from the event MPM to the worker MPM and my server problem was solved.
  2. Switch to MPM Prefork
    mod_mpm_event

Apache MPMs – Prefork vs Worker vs Event
By default, Apache servers typically have 3 threads available:

Prefork

Implements a non-threaded, pre-forking web server.
The default one, most stable and also compatible with older software. Unfortunately, also the slowest.
I’m guessing it’s called that because it’s the original version before they forked off into the other versions.
You will almost always find this one installed by default as many companies are too lazy to reconfigure hundreds of their servers. There’s also a shady skepticism that they don’t want your server to perform that well since they want to upsell you to a bigger server sooner.
Worker

Multi-Processing Module implementing a hybrid multi-threaded multi-process web server.
Faster than prefork and can handle more visitors.
Event

A variant of the worker MPM with the goal of consuming threads only for connections with active processing.
The fastest MPM and considered least stable…although fine for most people in real-world practices.
Uses the least resources and can handle the most visits.

An effective method used by administrators is reverse proxying.
Here Nginx serves as the static web server front end and Apache processes the back end, using the advantages of both web servers to great effect.
Nginx acts as a web traffic proxy, serving all static content such as CSS, JS and images by default.
This significantly reduces the CPU/RAM resources consumed by Apache, which serves the dynamic content (PHP, Perl, etc.).

Q. Will it work with CloudFlare?
A. Yes, but there is a minor gotcha. You need to adjust your “custom_rules” Nginx configuration file a bit.
When you open that file via Engintron’s WHM app, you’ll see examples of the rules to add for Engintron to work seamlessly with CloudFlare.
To briefly explain the process, you need to set your server’s shared (main) IP and/or any additional dedicated IPs matching certain domains
(everything is documented with examples in there).

For Memcache
chmod +x /usr/local/src/engintron/utilities/install_memcached_in_cpanel_ea4.sh
/usr/local/src/engintron/utilities/install_memcached_in_cpanel_ea4.sh

Edit your custom_rules for Nginx
set $PROXY_DOMAIN_OR_IP "63.141.238.162"; # Use your cPanel's shared IP address

* If your server has a single shared IP ONLY and you wish to use CloudFlare for any (or all) of your sites, you will have to specify this shared IP address below; otherwise you'll get errors from CloudFlare. This change will simply tell Nginx to skip DNS resolving and forward traffic to the shared IP.

Within your "Custom Rules" file, add the following line if all your sites on the shared (main) IP of your server are on CloudFlare:

set $PROXY_DOMAIN_OR_IP "XXX.XXX.XXX.XXX"; # Use your cPanel's shared IP address here

Only using one IP; let's see.

Restrict access to ports 8080 & 8443 used by Apache only for Nginx

(originally posted by Engintron user @speegs in Engintron's Issues)

To restrict access to ports 8080 & 8443 used by Apache only for Nginx, follow these steps:

  1. Install ConfigServer Firewall (CSF) from https://configserver.com/cp/csf.html – it's the best IPTables GUI for cPanel (and not only)!
  2. Edit the file /etc/csf/csf.allow (either via terminal or via CSF's WHM app) and append these lines (firewall allow IPs):
tcp|in|d=8080|s=127.0.0.1 # The loopback address
tcp|in|d=8080|s=63.141.238.162 # The server's shared IP - if you have multiple IPs, clone this line and edit the IP
tcp|in|d=8080|s=63.141.238.163 # Additional server IP

tcp|in|d=8443|s=127.0.0.1 # The loopback address
tcp|in|d=8443|s=63.141.238.162 # The server's shared IP - if you have multiple IPs, clone this line and edit the IP
tcp|in|d=8443|s=63.141.238.163 # Additional server IP
  3. Edit /etc/csf/csf.deny (either via terminal or via CSF's WHM app) and append these lines (firewall deny IPs):
# Block all connections to port 8080 except those already allowed in csf.allow
tcp|in|d=8080|s=0.0.0.0/0 # do not delete
# Block all connections to port 8443 except those already allowed in csf.allow
tcp|in|d=8443|s=0.0.0.0/0 # do not delete

EXCESSIVE PROCESSES (csf.conf)
CT_LIMIT = 150        (default: 0; allowed 0 or 10-1000)
CT_PERMANENT = ON
PT_USERMEM = 1024     (default: 256; allowed 0-1024)

NFS for file sharing: no harm in disabling it, though according to cPanel it is not strictly necessary (a special case because of quotas); I disabled it anyway.
You can disable it by running the following command as root:

systemctl disable rpcbind

Mailman excessive resources
Added the following to csf.pignore:

pcmd:/usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner.*
pcmd:/usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl.*

Also add (I found the ones below were already in the csf.pignore file):
pcmd:/usr/bin/python /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl.*
pcmd:/usr/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner.*
cmd:spamd child

Add this for Memcache:
exe:/usr/bin/memcached

NFS for file sharing
rpcbind is a close analog of BIND, I think; WP uses this for remote procedure calls using XML. Anyway, it looks like a legitimate process, so I am disabling its execution alert.
pcmd:/sbin/rpcbind.*

For Node.js 10:
exe:/opt/alt/alt-nodejs10/root/usr/bin/node
or exe:/home/thereapn/.nvm/versions/node/v13.12.0/bin/node

If you use cPanel with EasyApache 3, the location is the second one; with EasyApache 4 it is the first.

  1. Install Comodo WAF
    https://waf.comodo.com/user/cwaf_revisions
    cd /root
    wget https://waf.comodo.com/cpanel/cwaf_client_install.sh
    bash /root/cwaf_client_install.sh
    Check: http://www.rustcollegesports.com/?a=b%20AND%201=1
  2. Install ClamAV
  3. Install Solr
  4. Why mod_lsapi
    https://www.cloudlinux.com/mod-lsapi (better than suexec)
    Drop-in replacement for suPHP, FCGID, RUID2 and ITK.
    Doesn't suffer from stability issues in process management like PHP-FPM and mod_fcgid.
    Includes the full benefits of opcode caching.
    PHP-FPM not only provides better security than suPHP, it also processes PHP scripts much more efficiently than suPHP.
    DSO (mod_php) > suPHP > FastCGI (FCGI) > PHP-FPM > mod_lsapi
  5. Installing Softaculous
    Step 1: Enable ionCube
    wget -N http://files.softaculous.com/install.sh
    chmod 755 install.sh
    ./install.sh
    WHM > Plugins (Add-Ons on versions older than 11) > Softaculous – Instant Installs
    Tweak Settings: enable ionCube

Built an EasyApache profile for CL + mod_lsapi + OPcache + ionCube 10, PHP 7.0/7.1/7.2, + Node.js

  1. Install Kernel Monitor by CL and the sys-snap.pl script, both to find the reason for server crashes.

Imunify MYSQL NGINX MEMCACHE Softaculous cloudflare

ERROR: INSTALL COMODO FIREWALL BEFORE NGINX
ERROR 2: RESELLER ACL TO BE CREATED AND SET AGAIN UNDER RESELLER PRIVILEGES

  1. Stop CPhulk
    display_errors = off
    allow_url_fopen = On
    asp_tags = off
    display_errors = off
    enable_dl = on
    file_uploads = on
    max_execution_time 30 default 90
    max_input_time = -1
    memory_limit = 128
    post_max_size = 8M
    safe_mode = on

register_argc_argv = OFF instead of on
serialize_precision = 100 instead of -1
ereg not enabled
gmp
mcrypt The PHP developers deprecated mcrypt in version 7.1, and removed support in version 7.2. Applications should use either sodium or openssl for encryption needs.

mhash

SSLv3 not enabled, due to the POODLE attack
Registered Stream Filters: mcrypt., mdecrypt.

  1. Stop email notifications about users' expired SSL certificates.
    Home » SSL/TLS » Manage AutoSSL
    memory_limit = 1024M
    post_max_size = 512M
    upload_max_filesize = 256M
    max_execution_time = 300
    max_input_vars = 3000 (not set; it depends on server settings). One thing to always remember while setting these: upload_max_filesize <= post_max_size; if you don't, an error will be thrown.

For example, your configuration allows users to upload a 50 MB file, but your post_max_size is 20 MB. That means the request cannot be fulfilled, because you can post only 20 MB in a single request.

Recommendations

To upload large files, the post_max_size value must be larger than upload_max_filesize.
memory_limit should be larger than post_max_size.
Guideline from the official PHP site:

http://php.net/manual/en/ini.core.php#ini.post-max-size
Sets max size of post data allowed. This setting also affects file upload. To upload large files, this value must be larger than upload_max_filesize.
Generally speaking, memory_limit should be larger than post_max_size.
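The ordering described above, upload_max_filesize <= post_max_size <= memory_limit, is only obvious once the shorthand values are in the same unit. The shell functions below are an added example, not from the guide or from php.net: they read the three directives from any php.ini, convert PHP's K/M/G shorthand to bytes, and report each violation, treating memory_limit = -1 as unlimited. The sample php.ini files are constructed; the passing one uses the values from this guide and the failing one is the 50 MB upload / 20 MB post case above.

```shell
#!/bin/sh
# Added example, not from the guide or php.net: check that a php.ini's upload limits
# are ordered upload_max_filesize <= post_max_size <= memory_limit.

# ini_value FILE KEY : value of the first uncommented "KEY = value" line, trimmed
ini_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# to_bytes SIZE : 8M -> 8388608; plain numbers are bytes; -1 stays -1 (unlimited);
# an empty value (directive missing) is treated as 0 here
to_bytes() {
  n=$(printf '%s' "$1" | sed 's/[KkMmGg]$//')
  case "$1" in
    *[Kk]) echo $((n * 1024)) ;;
    *[Mm]) echo $((n * 1024 * 1024)) ;;
    *[Gg]) echo $((n * 1024 * 1024 * 1024)) ;;
    *)     echo "${n:-0}" ;;
  esac
}

# check_upload_limits INI : 0 when the limits are consistent, 1 with a message per violation
check_upload_limits() {
  up=$(to_bytes "$(ini_value "$1" upload_max_filesize)")
  post=$(to_bytes "$(ini_value "$1" post_max_size)")
  mem=$(to_bytes "$(ini_value "$1" memory_limit)")
  rc=0
  if [ "$up" -gt "$post" ]; then
    echo "upload_max_filesize ($up bytes) exceeds post_max_size ($post bytes): such uploads are rejected"
    rc=1
  fi
  # memory_limit = -1 means unlimited, so there is nothing to compare against
  if [ "$mem" -ge 0 ] && [ "$post" -gt "$mem" ]; then
    echo "post_max_size ($post bytes) exceeds memory_limit ($mem bytes)"
    rc=1
  fi
  return $rc
}

# Constructed demo: the guide's values pass; the 50M upload / 20M post example fails.
demo=$(mktemp -d)
printf 'memory_limit = 1024M\npost_max_size = 512M\nupload_max_filesize = 256M\n' > "$demo/good.ini"
printf 'memory_limit = 128M\npost_max_size = 20M\nupload_max_filesize = 50M\n' > "$demo/bad.ini"
check_upload_limits "$demo/good.ini" && echo "good.ini: consistent"
check_upload_limits "$demo/bad.ini" || echo "bad.ini: inconsistent"
```

Run it against each /opt/alt/php*/etc/php.ini as well as the system php.ini, since PHP Selector versions carry their own copies of these directives.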

I think it is unlikely that your email account is currently compromised. (But keep checking, anything can happen in the future 😀 )

You can use the Exim Blacklist to refuse all SMTP traffic from an IP
WHM >> Service Configuration >> Exim Configuration Manager
Basic Editor
Access Lists
Blacklisted SMTP IP addresses (IP addresses from which SMTP connections are dropped unconditionally)

Install SSL for other domains
vps.fqdn.com CAA 1 issue “letsencrypt.org”

For any questions please ask in the comment section or in our forum.


Security
Change the SSH port from 22 to 2233 (or anything else) in CentOS.
[root@srv ~]# nano /etc/ssh/sshd_config
[…] There are three popular solutions right now which can help you fight malicious content/viruses for web hosting servers. This article is part of our series in setting up WHM server. […]