1. Login as root
2. Type “pico /etc/wwwact.conf”
3. Add the following line “DEFMOD Xskin” (replace Xskin with the default theme).
or
Use
1. Login as root
2. Type nano /etc/wwwact.conf
3. Add the following line “DEFMOD Xskin” (replace Xskin with the default theme).
The PHP Max Input Vars is the maximum number of variables your server can use for a single function. To work properly with a modern WordPress theme set this value to 5000. Lower values can create problems such lost data in your Theme Options, Widgets disappear etc.
Like the other values above, you’ll need to access and modify either the php.ini or the .htaccess files. Most hosts won’t grant you full access to modify the PHP.ini file because it affects the whole server and all the websites hosted on it.Please contact your host first to find out if they can adjust it for you.
For advanced users who have their own server setups and full access to the php.ini file, please go ahead and try Method 1 first before the other method. For standard users, we encourage you to try Method 2 instead.
NOTE: many shared hosts prohibit you from having direct access to the PHP.ini file. Only do this method if you have direct access to your PHP.ini file or if you’re on your localhost.
NOTE: make sure to backup your .htaccess file before editing.
This issue is less common, nowadays, but the issue can also occur due to a program called Suhosin which runs on your server. This is a known issue with WordPress and affects both the standard WordPress Menu System.
In most cases, the solution is as simple as asking your host to increase the max_vars variables in your php.ini.
suhosin.post.max_vars = 5000 suhosin.request.max_vars = 5000
The procedure to find os name and version on Linux:
$cat /etc/os-release
$lsb_release -a
$hostnamectl$uname -rUse more command/less command as follows:
$ cat /etc/issue
$ more /etc/issue
$ less /etc/issue
You can also view the manual page on uname using the following command:
$ man hostnamectl
$ man uname
$ man cat
In this article, we are going to see how we can migrate SSL certificates from one server to another. Before we transfer, you should be aware of the components involved with SSL certificates and how it is stored. Let’s have a detailed look on it.
There will be a certificate file. It will have the extension (.crt). Also, there will be a key and it will have the extension (.key). There will also be a CA bundle. We need to copy the files to new server in order to migrate the SSL certificate.
Steps to transfer SSL certificate
1) Login to your WHM.
You could access the WHM with https://server.hostname.tld:2087. This will lead you to the home page of WHM interface.
Now locate the ‘SSL/TLS’ section in WHM and go to ‘SSL Storage Manager’ as shown in the figure.
You will be lead to the next page. There you could find the certificates and keys with the username. Please locate the certificate you wish to transfer.
2) Copy the key
Please refer to the attached screen shot for any clarification.
Now you need to copy the key and paste it on a text file. To view the full content, please click on the lens icon near the key. The key will be starting with —–BEGIN RSA PRIVATE KEY—– and will end up with —–END RSA PRIVATE KEY—–.
3) Copy the Certificate
Now you need to copy the certificate. This also can be done from the previous window. Please click on the lens icon next to the certificate so that you would be able to view and copy the certificate.
Please copy and paste the certificate on a text file. The certificate will be starting with —–BEGIN CERTIFICATE—– and ending with —–END CERTIFICATE—–.
Now you need to install the certificate on the new server. You could install it from the WHM interface and the cPanel interface.
4) Install the certificate on new server
To install the certificate from the WHM, please locate “Install an SSL Certificate on a Domain” under the “SSL/TLS”. Please refer to the screenshot below in case of any doubts.
You need to use the certificate and key copied and saved on the text files earlier. You also could install it from the cPanel interface. To see how to install SSL certificate from the cPanel interface, please follow the guide in the link below.
If you need any further assistance please contact Syed Ashik Mahmud
The Let’s Encrypt allows you to install AutoSSL for the hostname. In this tutorial, I will show you how to install Let’s Encrypt SSL to the hostname. Here are the steps to install the same on hostname.
Install Let’s Encrypt Auto SSL Provider.
Run the following command to install Let’s Encrypt provider.
/scripts/install_lets_encrypt_autossl_provider
Once you have installed Let’s Encrypt provider, change auto SSL provider to Let’s Encrypt from Comodo.
Login to WHM >> Manage AutoSSL.
Install Self-Signed Certificate to Hostname.
1) Login to WHM as a root user.
2) Go to “Service Configuration”.
3) Then select the following services and click on “Browse Certificate”.
Calendar, cPanel, WebDisk, Webmail, and WHM Services
Dovecot Mail Server
Exim (SMTP) Server
FTP Server
4) Select hostname and click on “Use Certificates”.
5) Then click on “Install”.
Replace Self Signed Certificates with Valid Let’s Encrypt Certificates.
Once you have installed the self-signed certificate, run the following command to check SSL certificates
/usr/local/cpanel/bin/checkallsslcerts
The Self signed SSL certificates will be replaced with a valid Let’s Encrypt certificate while running above command.
Once it is completed, you can access WHM with the hostname https://hostname:2087
If you need any further assistance please contact Syed Ashik Mahmud
After you upgrade MySQL, there is no supported way to downgrade to the previous version. There will be downtime of the MySQL service during the upgrade process. You should take a backup of the existing database system before you proceed.
In order to upgrade MySQL version from WHM panel, you have to login as root in your WHM and type in the search bar: MySQL.
You will see MySQL Upgrade in the Software section.
After you click on this tab you will be able to review the current version of the MySQL and select the next version, which is available to upgrade. In the screenshot below for example, you can see that the current database version – 5.5 – can be upgraded to 5.6. The screen lists all the important features in the latest version giving you an overview that should help you decide if upgrading the database is worthwhile or not. You should click “Next”
At the next screen the system warns you that you should take a backup of the existing database system. Second, it instructs you that there is no way to downgrade a MySQL database framework from a higher version two a lower one. If this is acceptable for you, you have to tick off two checkboxes indicating that you fully understand the risks of upgrading your database and click continue as shown below:
The next step is information about the upgrade of apache and PHP. Not all MySQL upgrades require them to be rebuilt. In this test example, the system recommends a partial upgrade without an Apache/PHP rebuild – If you upgrade from MySQL 5.5 or 5.6, you do not need to rebuild Apache because the client libraries are compatible.
Once you have choose the proper option for you, you should click on continue and the process will begin. This can take quite a while. All the while, you can check the output in the box below to see the progress.
When the upgrade is done you will see a screen like the image below:
Source : mochasupport.com
Log files are the records that Linux stores for administrators to keep track and monitor important events about the server, kernel, services, and applications running on it. In this post, we’ll go over the top Linux log files server administrators should monitor.
What are Linux log files
Log files are a set of records that Linux maintains for the administrators to keep track of important events. They contain messages about the server, including the kernel, services and applications running on it.
Linux provides a centralized repository of log files that can be located under the /var/log directory.
The log files generated in a Linux environment can typically be classified into four different categories:
Why monitor Linux log files
Log management is an integral part of any server administrator’s responsibility.
By monitoring Linux log files, you can gain detailed insight on server performance, security, error messages and underlying issues by. If you want to take a proactive vs. a reactive approach to server management, regular log file analysis is 100% required.
In short, log files allow you to anticipate upcoming issues before they actually occur.
How to read log files by SSH
cat /var/log/messages
Which Linux log files to monitor
Monitoring and analyzing all of them can be a challenging task.
The sheer volume of logs can sometimes make it frustrating just to drill down and find the right file that contains the desired information.
To make it a little easier for you, we will introduce you to some of the most critical Linux log files that you must be monitoring.
1. /var/log/messages
2. /var/log/auth.log
Suspect that there might have been a security breach in your server? Notice a suspicious javascript file where it shouldn’t be? If so, then find this log file asap!
3. /var/log/secure
RedHat and CentOS based systems use this log file instead of /var/log/auth.log.
4. /var/log/boot.log
5. /var/log/dmesg
6. /var/log/kern.log
This is a very important log file as it contains information logged by the kernel.
7. /var/log/faillog
This file contains information on failed login attempts.
It can be a useful log file to find out any attempted security breaches involving username/password hacking and brute-force attacks.
8. /var/log/cron
This log file records information on cron jobs.
9. /var/log/yum.log
It contains the information that is logged when a new package is installed using the yum command.
Suppose your server is behaving unusually and you suspect a recently installed software package to be the root cause for this issue. In such cases, you can check this log file to find out the packages that were installed recently and identify the malfunctioning program.
10. /var/log/maillog or /var/log/mail.log
All mail server related logs are stored here.
11. var/log/httpd/
12. /var/log/mysqld.log or /var/log/mysql.log
Final Speech
While monitoring and analyzing all the log files generated by the system can be a difficult task, you can make use of a centralized log monitoring tool to simplify the process.
Some of our customers take advantage of using Nagios Log Server to manage their server logs. There are many opensource options available if that’s out of the budget. Needless to say though, monitoring Linux logs manually is hard.
So if you want to take a truly proactive approach to server management, investing in a centralized log collection and analysis platform which allows you to view log data in real-time and set up alerts to notify you when potential threats arise.
Source :
EuroVPS Article.
Spam is not just annoying, but often a security threat. Cleaning up cluttered mailboxes is time-consuming and messages are often laced with virus attachments or malicious links.
The best webmasters prevent spam, not just clean it up!
1. How to Prevent Spam in cPanel and Plesk
Use SpamAssassin + spam filter
Both cPanel and Plesk have SpamAssassin (SA) preinstalled and integrated into the local mail server. When enabled, SA scans all incoming email and rates them on various factors.
For example, does the email have images and no text?
If the rating exceeds the allowed score, the email is marked as spam or deleted (as based on your preferences).
Both panels also offer other filters, allow you to redirect or even delete emails based on keywords.
For example, the word “Viagra” in the subject line. These filters, in combination with SpamAssassin detections, create a very powerful anti-spam mechanism on the server.
How to enable SA in cPanel
How to enable SA in Plesk
2. Enable DKIM and SPF checks
DKIM is the second revision of the DomainKeys authentication system. It checks whether an email is from the domain it claims to have been sent from.
If the message fails this check, it gets rejected by the server as spam.
DKIM is two-way. Any email you send must be signed in order to not be discarded or bounced by another server. And then you can instruct your server to reject or black hole as well.
This process involves many steps, and a great guide for these panels can be found here. Plesk has a dedicated DKIM selection area, while cPanel leverages DKIM checking via custom SpamAssassin mail filtering rules.
3. Disable catchall email
The catch-all (or catchall), aka the domain default email account, will accept all messages to non-existent accounts on a server when enabled.
Spammers blast spam to sites, whether or not they know an address.
For example, sales@ is a common spam message sent to all sites. If sales@ does not exist, and a catchall does, it’s diverted to this mailbox. So never enable the catchall address!
Doing so wastes server space, can consume CPU and RAM, and can allow malware onto the system.
While it can be useful for senders who mistyped the email address, it’s not worth it. Either set the address to either blackhole (discard) or reject (bounce) the messages.
To enable in cPanel
To enable in Plesk
Source :
EuroVPS Article.
Linux VPS servers have their advantages. In fact, Linux VPS are much more secure when compared to other operating systems like Windows because of Linux’s security model (LSM). But they’re not perfect, and definitely not invulnerable. In this post we’ll go over 20 ways you can secure your VPS and protect it from hackers.
Linux’s default security is pretty good, and better than that of most of its competitors, but it still has weaknesses.
These techniques don’t need to take a huge amount of time and effort, but a certain level of administrative experience is required.
If you need any help then don’t be afraid to get in touch – we’ll be happy to help.
Let’s get started, here are 20 ways to keep your VPS secure.
1. Disable root logins
Want a secure VPS? Then you should never log in as the root user.
By default, every Linux VPS has “root” as a username, and so hackers try brute force attacks to crack the password and gain access. Disabling logins from the “root” username adds another layer of security, as it stops hackers from simply guessing your user credentials.
Instead of logging in as the root user, you’ll need to create another username and use the “sudo” command to execute root level commands.
Sudo is a special access right that can be given to authorized users so that they can run administrative commands, and it eliminates the need for root access.
Be sure to create your non-root user and to give it the appropriate levels of authorization before you disable the “root” account.
When you’re ready, go ahead by opening up /etc/ssh/sshd_config in nano or vi and finding the “PermitRootLogin” parameter.
By default, this will say “yes”.
Change it to “no” and save the changes.
2. Change the SSH port
It’s hard for people to hack SSH when they can’t find it. Changing the SSH port number can prevent malicious scripts from directly connecting to the default port (22).
To do this, you’ll need to open up /etc/ssh/sshd_config and to change the appropriate setting.
Be sure to double check whether the chosen port number is being used by any other services – you don’t want to create a clash!
3. Keep server software updated
It isn’t difficult to update your server’s software.
You can simply use the rpm/yum package manager (CentOS/RHEL) or apt-get (Ubuntu/ Debian) to upgrade to newer versions of installed software, modules, and components.
You can even configure the operating system to send yum package update notifications via email. This makes it easy to keep track of what’s changing. And, if you’re happy to automate the task, you can set up a cronjob to apply all available security updates on your behalf.
If you’re using a panel, such as Plesk or cPanel, then you’ll need to update that, too. Most panels can be set to update themselves automatically, and cPanel uses EasyApache for most package updates.
Finally, you’ll want to apply security patches as quickly as possible. The longer you wait, the more likely you are to succumb to a malicious attack.
4. Disable unused network ports
Open network ports and unused network services are easy targets for hackers, and you’ll want to protect yourself against exploitation.
Use the “netstat” command to see all currently open network ports and their associated services.
Consider setting up “iptables” to close all open ports or using the “chkconfig” command to disable unwanted services. And if you use a firewall like CSF, you can even automate the iptables rules.
5. Remove unwanted modules/packages
It’s unlikely that you’ll need all of the packages and services that came bundled with your Linux distribution. Every service that you remove is one less weakness to worry about, so make sure that you’re only running services that you’re actually using.
On top of that, avoid installing unnecessary software, packages, and services to minimize potential threats. It has the welcome side-effect of streamlining your server’s performance, too!
6. Disable IPv6
IPv6 has several advantages over IPv4, but it’s unlikely that you’re using it – few people are.
Not using IPv6? Disable it!
But it is used by hackers, who often send malicious traffic via IPv6, and leaving the protocol open can expose you to potential exploits. To combat the problem, edit /etc/sysconfig/ network and update the settings so that they read NETWORKING_ IPV6=no and IPV6INIT=no.
7. Use GnuPG encryption
Hackers often target data while it’s in transit over a network. That’s why it’s vital to encrypt transmissions to your server using passwords, keys and certificates. One popular tool is GnuPG, a key-based authentication system that’s used to encrypt communications. It uses a “public key” that can only be decrypted by a “private key” that’s available only to the intended recipient.
8. Have a strong password policy
Weak passwords always have been – and always will be – one of the largest threats to security. Don’t allow user accounts to have empty password fields, or to use simple passwords like “123456”, “password”, “qwerty123” or “trustno1”.
You can boost security by requiring all passwords to mix lower and upper case, to avoid the use of dictionary words and to include numbers and symbols. Enable password aging to force users to change old passwords at regular intervals, and consider restricting the re-use of previous passwords.
Also use the “faillog” command to set a login failure limit and to lock user accounts after repeated failed attempts to protect your system from brute force attacks.
9. Configure a firewall
Simply put, you need a firewall if you want a truly secure VPS.
Luckily, there are plenty to choose from. NetFilter is a firewall that comes integrated with the Linux kernel, and you can configure it to filter out unwanted traffic. With the help of NetFilter and iptables, you can fight against distributed denial of service (DDos) attacks.
TCPWrapper is another useful application, a host-based access control list (ACL) system that’s used to filter network access for different programs. It offers host name verification, standardized logging and spoofing protection, all of which can help to beef up your security.
Other popular firewalls include CSF and APF, both of which offer plugins for popular panels like cPanel and Plesk.
10. Use disk partitioning
For added security, it’s a good idea to partition your disk to keep operating system files away from user files, tmp files and third-party programs. You can also disable SUID/SGID access (nosuid) and disable the execution of binaries (noexec) on the operating system partition.
11. Make /boot read-only
On Linux servers, all kernel-specific files are stored inside the “/boot” directory.
But the default access level for the directory is “read-write”. To prevent unauthorized modification of the boot files – which are critical to the smooth running of your server – then it’s a good idea to change the access level to “read only”.
To do this, simply edit the /etc/fstab file and add LABEL=/boot /boot ext2 defaults, ro 1 2 to the bottom. And, if you need to make changes to the kernel in the future, you can simply revert back to “read-write” mode. Then you can make your changes and set it back to “read only” when you’ve finished.
12. Use SFTP, not FTP
File transfer protocol (FTP) is outdated and no longer safe, even when using “FTP over TLS” (FTPS) encrypted connections.
Both FTP and FTPS are still vulnerable to packet sniffing, when a computer program intercepts and logs the traffic that’s passing over your network. FTP is fully “in the clear” and FTPS file transfers are also “in the clear”, which means that only the credentials are encrypted.
SFTP is “FTP over SSH” (also known as “secure FTP”), and it fully encrypts all data – including both the credentials and the files that are being transferred.
13. Use a firewall
Your firewall is the gatekeeper that either allows or denies access to the server, and it’s your first line of defense against hackers.
Installing and configuring a firewall should be one of the first things that you do when setting up and securing a VPS or bare metal server.
Check here Installing and configuring ConfigServer Security & Firewall (CSF) Tutorial
14. Install antimalware/antivirus software
A firewall’s main job is to deny access to any sources of known malicious traffic, and it effectively acts as your first line of defense. But no firewall is fool-proof and harmful software can still slip through, which is why you need to protect yourself further.
Too many novice server admins fail to install anti-malware software, and that’s a mistake. The most common reason for this isn’t laziness – it’s actually because they don’t want to spend money on security software.
As a rule, the paid solutions are usually the best, because their revenue stream allows them to hire talented programmers and researchers who can help the software to stay relevant.
But if budget is an option then it’s a good idea to look at some of the free alternatives.
ClamAV and Maldet are two open-source applications that can scan your server and score potential threats. That’s why we install both of them as part of the VPS security hardening process for our managed hosting customers.
Check here How to Install and Configure Linux Malware Detect (LMD) Tutorial
15. Turn on CMS auto-updates
Hackers are constantly trying to locate security loopholes – especially in your website’s content management system (CMS). Popular CMS providers include Joomla, Drupal and WordPress, which powers nearly 20% of the web.
Most CMS developers regularly release security fixes, as well as new features.
Much more allow you to automatically update the CMS so that the fix is applied as soon as a new version is released. WordPress was late to the game with auto-updates, and if you’re running an older site then it might be disabled by default. Be sure to check the setting and to enable auto-updates where possible.
Remember that your website’s content is your responsibility, and not your host’s. It falls to you to ensure that it’s regularly updated, and it’s a good idea to take regular backups, too.
16. Enable cPHulk in WHM
As well as offering a firewall, cPanel also has “cPHulk” brute force protection.
Firewalls aren’t infallible, and “good” traffic that slips through can turn out to be bad. These false positives are due to the firewall’s settings, and tweaks might be needed to offer additional protection.
In the meantime, cPHulk acts like a secondary firewall, preventing brute-force attacks (from repeated attempts to guess the password) on the server.
We often find that cPHulk blocks the login ability first and that the firewall later catches up, banning the entire IP. To enable it, you’ll need to go to the WHM Security Center and select cPHulk Brute Force Protection. This is another step in the security hardening process that we use on our managed VPS and dedicated servers.
17. Prevent anonymous FTP uploads
cPanel and Plesk both disable anonymous FTP uploads by default but other setups can come with it pre-enabled.
Allowing anonymous users to upload via FTP is a massive security risk, because it allows anyone to upload anything they want to your web server. As you can imagine, it’s not recommended – it’s a bit like giving your keys to a burglar.
To disable anonymous uploads, edit your server’s FTP configuration settings.
18. Install a rootkit scanner
One of the most dangerous pieces of malware is the rootkit.
It exists at the operating system (OS) level, below other normal security software, and it can allow undetected access to a server. Luckily, you can use “chrootkit”, an open-source tool, to find out whether your server is infected. But rootkits aren’t always easy to remove, and the best way to fix the issue is often to reinstall the OS.
19. Take regular backups
Too many people forget to take regular backups – and then they regret it when something goes wrong and they don’t have a copy of their data. No matter how careful you are, and no matter how secure your server is, there’s always a chance that something could go wrong.
Don’t take unnecessary risks by failing to take backups, and don’t rely on your host to do it either. Taking backups of your own is recommended, even if your hosting provider says that they do it on your behalf. Store copies of it in different locations and consider using the cloud so that your backup can be accessed from anywhere.
20. Use a strong password
We know, we know – we’ve already said this.
But a strong password policy is absolutely vital, and so it’s always worth repeating. Poor passwords are still the number one threat to security. And the same applies for when securing windows servers as well!
Password protocol is often misunderstood. Complexity is important, but so is length. While it’s a good idea to use a mixture of capital and lower case letters, numbers and special characters, you should also make it as long as is realistically possible.
Source : Internet Collection
© 2020 Coders Tent
