Ajenti is an open source, web-based control panel that can be used for a large variety of server management tasks. Optionally, an add-on package called Ajenti V allows you to manage multiple websites from the same control panel.
Step 1: First make sure that all your system packages are up to date:
sudo apt-get update
sudo apt-get upgrade
Step 2: Install the Ajenti control panel:
wget -O- https://raw.github.com/ajenti/ajenti/1.x/scripts/install-ubuntu.sh | sudo sh
Ajenti will be available on HTTP port 8000 by default. Open your favourite browser, navigate to http://yourdomain.com:8000 or http://server-ip:8000 and log in with the default username "admin" or "root" and the password "admin".
Change the password immediately to something secure.
How To Install PHP 7 On A cPanel/WHM Server With EasyApache 3
The latest versions of cPanel come with EasyApache 4, which provides many new features such as native support for multiple PHP versions, PHP 7 support and much faster builds, so it is recommended to migrate to EasyApache 4. However, if you cannot migrate to EasyApache 4 for some reason (for example, Tomcat support), you will have to compile PHP 7 manually from source.
To migrate to EasyApache 4, just run the command below. cPanel will try to build a matching PHP setup using EasyApache 4.
/scripts/migrate_ea3_to_ea4 --run
If anything goes wrong during the upgrade process you can always go back with:
/scripts/migrate_ea3_to_ea4 --revert --run
Manually install PHP 7
The following steps were tested with cPanel 11.64.0.36 and CentOS 6.9 64-bit. The PHP handler must be suphp for this to work.
cd /usr/local/src/
wget http://php.net/distributions/php-7.0.22.tar.gz    # check php.net for the latest version
tar xvf php-7.0.22.tar.gz
cd php-7.0.22
./configure --prefix=/usr/local/php70
You may add any additional parameters required; run ./configure --help first to see all available options. Important: do not forget to set "--prefix=/usr/local/php70". Otherwise your existing PHP installation will be overwritten.
make
make install
If everything is successful, the PHP binaries will be installed in the "/usr/local/php70/bin/" directory.
Edit /opt/suphp/etc/suphp.conf and add the following lines at the end of the handlers list to enable the PHP 7 handler:
;Handler for php-scripts
; ... existing handlers are here; put yours below them
application/x-httpd-php7="php:/usr/local/php70/bin/php-cgi"
Now add our custom PHP config file to the EasyApache include list so that the change is not lost on future EasyApache builds.
There are two options here: you can either go into WHM and edit the post_virtualhost_global.conf file from there, or you can run:
vi /usr/local/apache/conf/includes/post_virtualhost_global.conf
Add the line below to that file and you should be all done:
Include /usr/local/apache/conf/php70.conf
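The post does not show what php70.conf contains. The following is an added example of plausible content for that file, not taken from the post; it assumes mod_suphp is the handler and reuses the MIME type registered in suphp.conf above.

```apache
# /usr/local/apache/conf/php70.conf (assumed content; added example, not from the post)
<IfModule mod_suphp.c>
    # Tell mod_suphp to handle the MIME type that suphp.conf maps to
    # /usr/local/php70/bin/php-cgi; the default PHP handler is left untouched.
    suPHP_AddHandler application/x-httpd-php7
</IfModule>
# Serve *.php7 files with PHP 7 everywhere; plain .php files only switch
# where a site's .htaccess adds "AddType application/x-httpd-php7 .php".
AddType application/x-httpd-php7 .php7
```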
Now restart Apache:
service httpd restart
Configure a website to use the new PHP 7
Add the following line to the site's .htaccess file (/home/username/public_html/.htaccess):
AddType application/x-httpd-php7 .php7 .php
#Open the incoming TCP port 5666 on your firewall. You will have to do this using your firewall software, such as ufw.
#Update Configuration File
The file nrpe.cfg is where the following settings are defined. It is located at:
/usr/local/nagios/etc/nrpe.cfg
allowed_hosts=127.0.0.1
At this point NRPE will only listen to requests from itself (127.0.0.1). If you want your Nagios server to be able to connect, add its IP address after a comma (in this example it is 10.25.5.2):
allowed_hosts=127.0.0.1,10.25.5.2
The following commands make the allowed_hosts change described above and additionally set dont_blame_nrpe=1:
sudo sh -c "sed -i '/^allowed_hosts=/s/$/,10.25.5.2/' /usr/local/nagios/etc/nrpe.cfg"
sudo sh -c "sed -i 's/^dont_blame_nrpe=.*/dont_blame_nrpe=1/g' /usr/local/nagios/etc/nrpe.cfg"
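The first sed above appends the address every time it runs, so a second run leaves a duplicate entry in allowed_hosts. As an added example (not from the original post), the script below adds a host only when it is missing and reports whether dont_blame_nrpe=1 (argument passing from the Nagios server) is enabled; the config path and sample contents are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): maintain allowed_hosts in
# nrpe.cfg idempotently and report whether argument passing is enabled.
# The config file path and its contents below are constructed for the demo.
set -eu
CFG=$(mktemp)   # stands in for /usr/local/nagios/etc/nrpe.cfg

# Constructed sample of a freshly installed nrpe.cfg, before any edits.
cat > "$CFG" <<'EOF'
# NRPE configuration (constructed sample)
server_port=5666
allowed_hosts=127.0.0.1
dont_blame_nrpe=0
command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20
EOF

# Print the hosts allowed to talk to NRPE, one per line.
nrpe_allowed_hosts() {
  sed -n 's/^allowed_hosts=//p' "$1" | tr ',' '\n'
}

# Append HOST to allowed_hosts only if it is not already listed, so that
# re-running a provisioning script does not produce duplicate entries.
nrpe_allow_host() {
  cfg=$1; host=$2
  if nrpe_allowed_hosts "$cfg" | grep -qxF "$host"; then
    return 0
  fi
  sed -i "/^allowed_hosts=/s/\$/,$host/" "$cfg"
}

# Succeeds when dont_blame_nrpe=1, i.e. the Nagios server may pass arguments
# into the command definitions; worth knowing before you enable it.
nrpe_args_enabled() {
  grep -qx 'dont_blame_nrpe=1' "$1"
}

nrpe_allow_host "$CFG" 10.25.5.2
nrpe_allow_host "$CFG" 10.25.5.2   # second run is a no-op
echo "allowed hosts:"; nrpe_allowed_hosts "$CFG"
nrpe_args_enabled "$CFG" && echo "argument passing: enabled" || echo "argument passing: disabled"
```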
#Start Service / Daemon
Different Linux distributions have different methods of starting NRPE.
Ubuntu 13.x / 14.x
sudo start nrpe
Ubuntu 15.x / 16.x / 17.x
sudo systemctl start nrpe.service
Test NRPE
Now check that NRPE is listening and responding to requests.
/usr/local/nagios/libexec/check_nrpe -H 127.0.0.1
You should see output similar to the following:
NRPE v3.2.0
If you get the NRPE version number (as shown above), NRPE is installed and configured correctly.
You can also test from your Nagios host by executing the same command above, but instead of 127.0.0.1 you will need to replace that with the IP Address / DNS name of the machine with NRPE running.
Service / Daemon Commands
Different Linux distributions have different methods of starting / stopping / restarting / checking the status of NRPE.
NRPE needs plugins to monitor different parameters.
#Install Latest Nagios plugins
cd /usr/local/src/
wget --no-check-certificate -O nagios-plugins.tar.gz https://github.com/nagios-plugins/nagios-plugins/archive/release-2.2.1.tar.gz
tar zxf nagios-plugins.tar.gz
cd nagios-plugins-release-2.2.1/
./tools/setup
./configure --enable-perl-modules
make
make install
#Test NRPE + Plugins
Use the check_load command to test NRPE:
/usr/local/nagios/libexec/check_nrpe -H 127.0.0.1 -c check_load
You should see output similar to the following:
OK - load average: 0.01, 0.13, 0.12|load1=0.010;15.000;30.000;0; load5=0.130;10.000;25.000;0; load15=0.120;5.000;20.000;0;
You can also test from your Nagios host by executing the same command above, but instead of 127.0.0.1 you will need to replace that with the IP Address / DNS name of the machine with NRPE running.
If you receive the following error while logging in to the Plesk panel, it means an IP-based restriction applies to the Plesk admin panel and your current IP is not allowed to access it.
"Unable to log into Plesk: Access for administrator from address xx.xx.xx.xx is restricted in accordance with IP Access restriction policy currently applied"
Cause: the Plesk IP access policy was configured so that Plesk cannot be accessed from certain IPs.
Resolution
Method 1. To enable Plesk access, log in to Plesk from another IP and change the IP access policy:
Tools and Settings > Restrict Administrative Access, then add your IP to the whitelist.
Method 2. Updating the database directly
If you cannot log in to the panel, you can connect to the server using SSH and correct this through database queries: the Plesk database records for the access policy need to be corrected.
To retrieve the current policy and the restricted/allowed IPs, the following commands can be used:
Linux
# MYSQL_PWD=`cat /etc/psa/.psa.shadow` mysql -u admin psa
mysql> select * from cp_access;
mysql> select * from misc where param='access_policy';
Windows
"%plesk_bin%\dbclient" --direct-sql --sql="select * from cp_access"
"%plesk_bin%\dbclient" --direct-sql --sql="select * from misc where param='access_policy'";
If you wish to clear the access policy settings, remove all records from “cp_access” and set the policy to “allow”:
Linux
# MYSQL_PWD=`cat /etc/psa/.psa.shadow` mysql -u admin psa
mysql> delete from cp_access;
mysql> update misc set val="allow" where param='access_policy';
Windows
"%plesk_bin%\dbclient" --direct-sql --sql="delete from cp_access";
"%plesk_bin%\dbclient" --direct-sql --sql="update misc set val='allow' where param='access_policy'";
To whitelist an IP manually:
# mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa
mysql> insert into cp_access values ("", "deny", "x.x.x.x", "255.255.255.255"); -- change the IP address to your public IP
Then you should be able to connect to the Plesk control panel from the new IP address.
Nagios provides complete URL monitoring of HTTP and HTTPS servers and protocols as well as full URL transaction monitoring.
Benefits
Implementing effective URL monitoring with Nagios offers the following benefits:
* Increased server, services, and application availability
* Fast detection of network outages and protocol failures
* Monitor user experience when accessing URLs
* Web server performance monitoring
* Web transaction monitoring
* URL monitoring
URL monitoring
By using the 'check_http' Nagios command we can monitor a specific URL rather than only checking whether the Apache service is up. This helps to identify when the website has been hacked and the URL injected with malicious code, or when an Apache or PHP error makes the page return an error instead of its content. A plain Apache service check still returns success in those cases. We can check for a specific keyword string on the web page; if that string is not present, an error is returned.
Here is a real example:
define service{
    use                 urlmonitoring-service
    host_name           server.linuxwebhostingsupport.in
    service_description url_check
    check_command       check_http!-H linuxwebhostingsupport.in -t 30 -R "Cpanel and WHM" -f follow
}
The above checks for the keyword "Cpanel and WHM" on the page at "linuxwebhostingsupport.in". If the keyword is missing or the page is not responding, Nagios will return an error.
URL monitoring + SSL
You can refer to the example below if the web page has SSL/TLS enabled.
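Added example definitions for the SSL/TLS case (not from the original post); they assume the same urlmonitoring-service template and host as the example above and use the --ssl, --sni and -C options of the Nagios plugins check_http. Because -C makes check_http verify only the certificate and skip the page content, the expiry check is a separate service.

```cfg
define service{
    use                 urlmonitoring-service
    host_name           server.linuxwebhostingsupport.in
    service_description url_check_ssl
    # --ssl switches check_http to HTTPS (port 443); --sni sends the host name in the TLS handshake
    check_command       check_http!-H linuxwebhostingsupport.in --ssl --sni -t 30 -R "Cpanel and WHM" -f follow
}

define service{
    use                 urlmonitoring-service
    host_name           server.linuxwebhostingsupport.in
    service_description ssl_cert_expiry
    # -C 30 warns when the certificate has fewer than 30 days of validity left;
    # with -C the URL content is not fetched, so keep this as its own service
    check_command       check_http!-H linuxwebhostingsupport.in --ssl --sni -C 30
}
```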
By default Postfix listens on port 25 and on 587 (TLS). However, some ISPs block port 25. In that case you can configure Postfix to listen on additional ports too, for example port 26 or a random port such as 5125.
This is configured in the master.cf configuration file. Edit it in your editor of choice.
If you are getting the following error while listing an FTP directory, follow the solution provided below:
ftp> ls
227 Entering Passive Mode (108,61,169,245,167,161).
ftp: connect: No route to host
Solution
Edit /etc/sysconfig/iptables-config and add this line:
IPTABLES_MODULES="ip_conntrack_ftp"
Save it and restart iptables. This is needed because passive mode uses non-standard ports to communicate, so the kernel has to keep track of the FTP control connections and iptables will then allow the related data connections when necessary.
However, you will need to do this every time you reboot your RedHat server. As a more permanent solution you can load this module persistently after each reboot by creating an executable shell script in the /etc/sysconfig/modules/ directory. Create the file /etc/sysconfig/modules/iptables.modules with the following content:
If you are getting the error below while updating Plesk or installing microupdates:
ERROR: Unable to download the MD5 sum for the new Parallels Installer binary. Not all packages were installed. Please, contact product technical support.
Solution
Remove the cache from /var/cache/parallels_installer/ and start the autoinstaller again:
/usr/local/psa/admin/sbin/autoinstaller --select-product-id plesk --select-release-current --reinstall-patch --install-component base
Unified Communications (UC) certificates (also called SAN certificates) use Subject Alternative Names to secure multiple sites (e.g. fully qualified domain names) with one certificate. Four SANs are included in the base price of the UC certificate, but you can purchase additional names at any time during the lifetime of the certificate.
The CSR generation process is a little different for a UCC certificate. We have to create an OpenSSL configuration file and then create the private key and CSR from it.
Step 1: Create a custom OpenSSL conf file.
The following is an example conf file that can be used for the creation of a SAN/UCC cert. Save it as multissl.conf:
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
req_extensions = req_ext # The extensions to add to the self signed cert

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Iowa
localityName = Locality Name (eg, city)
localityName_default = Iowa City
organizationName = Organization Name (eg, company)
organizationName_default = The University of Iowa
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Domain Control Validated
commonName = Common Name (eg, YOUR SSL domain name)
commonName_max = 64
The alt_names section (DNS.1, DNS.2, ...) lists all the other domain names you wish to secure with this cert. More can be added as DNS.4, and so on. The following examples assume that you named the above config file multissl.conf (if it is named differently, you must adjust the filename in the examples below accordingly).
Step 2: Generate the private key and CSR with OpenSSL
* Replace "serverfqdn" with the fully qualified domain name of the server (i.e. sample.server.uiowa.edu). Note: it may also be helpful to add a year to the filename.
You will then see output and be prompted for configuration as in the following example. Enter your details accordingly.
$ openssl req -nodes -newkey rsa:2048 -keyout serverfqdn.key -out multidomain.csr -config multissl.conf
Generating a 2048 bit RSA private key
....................+++
....................+++
writing new private key to 'serverfqdn.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Iowa]:Iowa
Locality Name (eg, city) [Iowa City]:Iowa City
Organization Name (eg, company) [The University of Iowa]:My Company name
Organizational Unit Name (eg, section) [Domain Control Validated]:IT SUPPORT
Common Name (eg, YOUR SSL domain name) []:www.linuxwebhostingsupport.in
Note: Replace www.linuxwebhostingsupport.in with the "primary" domain name you want secured with this certificate (likely, but not necessarily, the hostname of the machine).
At this point you should have the new key file and CSR. Save the key file in a secure place; it will be needed to install the new certificate. The CSR can now be submitted to request the SSL cert.
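The conf file above omits the [ req_ext ] and [ alt_names ] sections it refers to. As an added example (not from the original post), the script below writes a complete multissl.conf with those sections, generates the key and CSR non-interactively (using prompt = no instead of the interactive prompts shown above), and verifies that every requested name is present in the CSR before it is submitted. It assumes openssl on PATH; the directory and host names are made up.

```shell
#!/bin/sh
# Added example (not from the original post): build multissl.conf with the
# [ req_ext ] / [ alt_names ] sections, create key + CSR, and check the SANs.
# Assumes openssl on PATH; directory and host names below are made up.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }
# make_san_csr DIR CN NAME... -> DIR/server.key (mode 0400) and DIR/server.csr
make_san_csr() {
  dir=$1; cn=$2; shift 2
  cat > "$dir/multissl.conf" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
C  = US
ST = Iowa
L  = Iowa City
O  = My Company name
OU = IT SUPPORT
CN = $cn
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
EOF
  i=0
  for name in "$cn" "$@"; do   # repeat the CN as DNS.1: browsers only look at SANs
    i=$((i + 1)); printf 'DNS.%d = %s\n' "$i" "$name" >> "$dir/multissl.conf"
  done
  openssl req -nodes -newkey rsa:2048 -keyout "$dir/server.key" \
    -out "$dir/server.csr" -config "$dir/multissl.conf" 2>/dev/null
  chmod 0400 "$dir/server.key"   # the private key must never be world-readable
}
# csr_has_sans CSR NAME... -> 0 only if every NAME appears as a DNS SAN in the CSR
csr_has_sans() {
  csr=$1; shift
  sans=$(openssl req -in "$csr" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
  for name in "$@"; do
    case ",$sans," in *",DNS:$name,"*) ;; *) return 1 ;; esac
  done
}
WORK=$(mktemp -d)
make_san_csr "$WORK" www.example.com mail.example.com autodiscover.example.com
csr_has_sans "$WORK/server.csr" www.example.com mail.example.com autodiscover.example.com \
  && echo "CSR contains all requested SANs"
```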
Let's start with your digital certificate, which is at the core of HTTPS. The certificate enables clients to verify the identity of servers through a chain of trust from your server's certificate, through intermediate certificates, up to a root certificate trusted by users' browsers. Your server certificate should be 2048 bits in length. Using a 4096-bit certificate is more secure; however, it requires more computation time and is therefore slower than a 2048-bit certificate.
Basic HTTPS Setup
Here are basic SSL configurations, first for Apache:
In Nginx, the ssl_certificate parameter is confusing: it expects your certificate plus any necessary intermediate certificates, concatenated together.
Make sure all of these files are at least mode 0444, except your private key, which should be 0400.
Software versions
On the server side you should update OpenSSL to 1.0.1c or later so you can support TLS 1.2, GCM and ECDHE as soon as possible. Fortunately that is already the case in Ubuntu 12.04 and later.
On the client side the browser vendors are starting to catch up. As of now, Chrome 30, Internet Explorer 11 on Windows 8, Safari 7 on OS X 10.9, and Firefox 26 all support TLS 1.2.
Cipher Suite Configuration
The recommended cipher suites for Apache are as follows:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
The recommended cipher suite for backwards compatibility (IE6/WinXP):
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
SSLHonorCipherOrder on
If your version of OpenSSL is old, unavailable ciphers will be discarded automatically. Always use the full ciphersuite above and let OpenSSL pick the ones it supports.
The ordering of a ciphersuite is very important because it decides which algorithms are going to be selected in priority. The recommendation above prioritizes algorithms that provide perfect forward secrecy.
Prioritization logic
* ECDHE+AESGCM ciphers are selected first. These are TLS 1.2 ciphers and not widely supported at the moment. No known attack currently targets these ciphers.
* PFS ciphersuites are preferred, with ECDHE first, then DHE.
* AES 128 is preferred to AES 256. At the moment, AES128 is preferred because it provides good security, is really fast, and seems to be more resistant to timing attacks.
* In the backward compatible ciphersuite, AES is preferred to 3DES. BEAST attacks on AES are mitigated in TLS 1.1 and above, and difficult to achieve in TLS 1.0.
* In the non-backward compatible ciphersuite, 3DES is not present.
* RC4 is removed entirely. 3DES is used only for backward compatibility.
Protocol Support: SSL or no SSL
To prevent downgrade attacks and the POODLE attack, we also disable the old SSL protocols.
For Apache:
SSLProtocol all -SSLv2 -SSLv3
For Nginx:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
This disables all versions of SSL, enabling only TLS 1.0 and up. All versions of Chrome and Firefox support at least TLS 1.0.
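As an added example (not from the original post), a small POSIX shell linter that checks an Apache or Nginx TLS configuration for the settings recommended above: SSLv2/SSLv3 disabled, no RC4, MD5, export or anonymous ciphers in the cipher string, and server cipher order enforced. The weak and hardened sample configs are constructed; the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): lint an Apache or Nginx TLS
# config for the settings recommended above. Sample configs are constructed.
set -eu
WORK=$(mktemp -d)
WEAK=$WORK/weak.conf; HARD=$WORK/hardened.conf

# Constructed sample: the kind of legacy configuration this post warns against.
cat > "$WEAK" <<'EOF'
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM:RC4:!aNULL
EOF

# Constructed sample: the Apache settings recommended above.
cat > "$HARD" <<'EOF'
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
EOF

# tls_lint FILE -> prints each finding; returns 0 when none, 1 otherwise
tls_lint() {
  f=$1; rc=0
  # Apache: SSLProtocol must explicitly drop SSLv3 (POODLE); Nginx: no SSLv* at all.
  if grep -Eq '^[[:space:]]*SSLProtocol' "$f" && ! grep -Eq '^[[:space:]]*SSLProtocol.*-SSLv3' "$f"; then
    echo "$f: SSLProtocol does not disable SSLv3"; rc=1
  fi
  if grep -Eq '^[[:space:]]*ssl_protocols[[:space:]].*SSLv' "$f"; then
    echo "$f: ssl_protocols still lists an SSL version"; rc=1
  fi
  # Cipher string: a token that is not negated with ! must not pull in a weak class.
  ciphers=$(sed -n -E 's/^[[:space:]]*(SSLCipherSuite|ssl_ciphers)[[:space:]]+"?([^";]*).*/\2/p' "$f")
  for tok in $(printf '%s' "$ciphers" | tr ':' ' '); do
    case $tok in
      RC4|MD5|EXP|EXPORT|aNULL|eNULL|NULL|LOW|DES|MEDIUM|ALL|DEFAULT)
        echo "$f: cipher string enables weak class '$tok'"; rc=1 ;;
    esac
  done
  # Without server-side ordering the client chooses, defeating the PFS-first list.
  if [ -n "$ciphers" ] && ! grep -Eiq '^[[:space:]]*(SSLHonorCipherOrder|ssl_prefer_server_ciphers)[[:space:]]+on' "$f"; then
    echo "$f: server cipher order not enforced"; rc=1
  fi
  return $rc
}

tls_lint "$HARD" && echo "$HARD: ok"
tls_lint "$WEAK" || echo "$WEAK: needs attention"
```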