Archive for July, 2007

This tutorial assumes that you have purchased a Fantastico license for the server you are installing it on. If you do not have one, you can obtain it from www.netenberg.com


cd /usr/local/cpanel/whostmgr/docroot/cgi
wget -N http://files.betaservant.com/files/free/fantastico_whm_admin.tgz
tar -xzpf fantastico_whm_admin.tgz
rm -rf fantastico_whm_admin.tgz

Now go to WHM, login as root and follow the link WHM -> Add-Ons -> Fantastico De Luxe WHM Admin (scroll down the left menu).

Upon loading, Fantastico De Luxe WHM Admin will auto-update your existing installation (if one exists).

As for the setup, usually the defaults work fine for most servers. You will need to manually set up the update cron, notification settings, and phpsuexec option.

Open nameservers allow anyone in the world to perform queries on them, which can lead to DOS attacks and slower performance. Some system administrators prefer to restrict their nameservers to trusted parties only. To do this kind of setup, you will need to edit your named configuration:
On command line:

pico /etc/named.conf

Look for this line at the top:

include "/etc/rndc.key";

Now add this right below it:

acl "trusted" {
205.134.252.71;66.117.3.128;127.0.0.1;
};

The IPs should be those of the nameservers…you can add other trusted IPs as well.

Now in the options section right below that, add these lines:

allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };

So your options section will look like this:

options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };
};

Restart named

/etc/init.d/named restart

Now you can check a service like DNSreport to make sure the changes took.
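Before relying on an external checker, you can verify the three directives locally. The script below is an added example, not part of the original post: it classifies allow-recursion, allow-notify and allow-transfer in a named.conf as "restricted" (tied to a named ACL) or "open" (set to any, or absent). The config is constructed, with allow-transfer deliberately left open so the check has something to catch; only // comments are skipped.

```shell
#!/bin/sh
# Added example, not part of the original post: classify the three BIND
# access directives as "restricted" (named ACL) or "open" (any / absent).
# Constructed sample: allow-transfer is intentionally open.

NAMED_CONF_SAMPLE='include "/etc/rndc.key";
acl "trusted" {
205.134.252.71;66.117.3.128;127.0.0.1;
};
options {
directory "/var/named";
// query-source address * port 53;
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { any; };
};'

# acl_of <directive> <config-text>: print the address-match list of the first
# uncommented occurrence ("trusted", "any", ...) or "unset" if absent.
acl_of() {
    printf '%s\n' "$2" | awk -v d="$1" '
        /^[[:space:]]*\/\// { next }
        $1 == d {
            s = $0; sub(/^[^{]*[{]/, "", s); sub(/[}].*$/, "", s)
            gsub(/[[:space:];]/, "", s)
            print s; found = 1; exit
        }
        END { if (!found) print "unset" }'
}

# classify <directive> <config-text>: e.g. "allow-transfer open (any)"
classify() {
    v=$(acl_of "$1" "$2")
    case "$v" in
        any|unset) echo "$1 open ($v)" ;;
        *)         echo "$1 restricted ($v)" ;;
    esac
}

for d in allow-recursion allow-notify allow-transfer; do
    classify "$d" "$NAMED_CONF_SAMPLE"
done
```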

Some of your resellers may prefer to use their own nameservers instead of yours. This type of setup is better suited to a VPS, and will allow a customer to use ns1.domain.com and ns2.domain.com.

You will need an IP address for each nameserver, as many registrars will not allow more than one nameserver per IP. Once this is done, register the nameservers with the domain registrar.

1 - Log into WHM and enable BIND/Named in both Nameserver Setup and the Service Manager then restart BIND in the Restart Services section.

2 - Add the ns1 and ns2 A-records to the existing zone file for the domain they are being based on. This is assuming that there are only two nameservers…you can technically add up to four.

3 - In the Basic cPanel/WHM Setup section of WHM, locate the nameserver setup and add the nameservers in their corresponding fields. You should not need to click on “Assign IP address.” or “Add A Entry for this Nameserver” as you already did this in the last step.

4 - Now you need to double-check a few things on the server. In /etc/resolv.conf:
Most hosting companies have a standard resolv.conf setup for external lookups, but you can set up the new nameservers instead:

domain domain.com
search domain.com
nameserver 123.456.789.123
nameserver 123.456.789.123

The two nameserver IPs should be the ones you just set up.
You will also want to check these two files:

/etc/wwwacct.conf
/etc/nameserverips

The wwwacct.conf should only be set if you intend to have accounts set up automatically with the new nameservers. You should also set these nameservers in the user’s reseller configuration to make sure that accounts they create will use these nameservers as well.

5 - Once you’ve verified that everything is set up properly, go back to WHM and set up any necessary trust relationships/clusters applicable to your setup. You can verify your setup in the DNS zone section: you should only see the domains in the cluster that you’ve set up.

6 - Once everything is complete, you should reboot the VPS to make sure that all the changes take place. When the VPS starts up again, restart Apache to make sure there are no errors.

7 - Now that the nameservers are set up, you can go back to the domain registrar and point the nameservers. While you are doing this, you will also want to go into WHM and modify the zone files for each domain on the VPS to make sure the NS records are pointing to the new nameservers.

Sometimes you don’t want SSH running on standard port 22. Here are the steps to change it:

It’s VERY important that you leave port 22 open while you are testing the new port, otherwise you may lock yourself out of the server!
SSH into the server normally…

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.root

In the /etc/ssh/sshd_config.root file that you just made, specify a new port number with the Port line:

Port 9670
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

Also, make sure that PermitRootLogin is set to yes or commented out.
Now open /etc/init.d/sshd and locate this section:

# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen

Directly below that, add this line:

OPTIONS="-f /etc/ssh/sshd_config.root"

Now locate this line:

initlog -c "$SSHD $OPTIONS" && success || failure

Directly ABOVE that add this line:

initlog -c "$SSHD" && success || failure

Now you need to restart sshd (service sshd restart). Before shutting down port 22, make sure that whatever port you created for ssh is either opened in the firewall or has the appropriate IPs added. Make sure to test this in a separate ssh window to make sure you can log in!

Once you’ve verified that you can log in through the new port, you have a couple options for port 22.

  • Close it altogether or just open it for specific IPs as usual
  • Disable root logins through port 22 (preferred)

To disable root logins, open the original /etc/ssh/sshd_config file, uncomment PermitRootLogin and set it to no. This will still allow someone to log in as a normal user on port 22, but not as root. You didn’t really change the SSH port; you’re just running a copy of sshd on another port and making port 22 useless for root.

If you want to disable port 22 altogether, you can just directly edit the /etc/ssh/sshd_config file and restart SSHD, but you only have one chance to get it right.

Once the port is changed you would ssh into the server with the command ssh -p 9670 root@server with 9670 being the port you chose for ssh.
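Because the procedure ends with two sshd instances reading two config files, it is easy to lose track of which one still permits root. The script below is an added example (not from the original post): it reports the effective Port and PermitRootLogin of a config text using sshd's rule that the first uncommented occurrence of a keyword wins, then checks that the pair matches the intended end state. Both sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: effective Port / PermitRootLogin
# of an sshd_config (first uncommented keyword wins), plus a check of the
# two-instance setup. Sample configs are constructed.

SSHD_ROOT_CONF='Port 9670
#Protocol 2,1
#PermitRootLogin no
PermitRootLogin yes'

SSHD_PORT22_CONF='#Port 22
PermitRootLogin no
Port 22'

# effective <keyword> <config-text>: value of the first uncommented occurrence
effective() {
    printf '%s\n' "$2" | awk -v k="$1" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(k) { print $2; exit }'
}

# summary <config-text>: "port=<p> root=<r>"; Port defaults to 22,
# PermitRootLogin is reported as "unset" when absent (no default assumed)
summary() {
    p=$(effective Port "$1");            [ -n "$p" ] || p=22
    r=$(effective PermitRootLogin "$1"); [ -n "$r" ] || r=unset
    echo "port=$p root=$r"
}

# check_pair <alt-config> <port22-config>: "ok" only when the port 22 instance
# denies root and the alternate instance does not also sit on port 22
check_pair() {
    a=$(summary "$1"); b=$(summary "$2")
    case "$b" in "port=22 root=no") ;; *) echo "fail: $b"; return 1 ;; esac
    case "$a" in "port=22 "*) echo "fail: both instances on 22"; return 1 ;; esac
    echo ok
}

summary "$SSHD_ROOT_CONF"      # port=9670 root=yes
summary "$SSHD_PORT22_CONF"    # port=22 root=no
check_pair "$SSHD_ROOT_CONF" "$SSHD_PORT22_CONF"   # ok
```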

A firewall is essential for the security of any server. Below are the steps to setting up APF on your system to control access:

Download and install APF:

cd /usr/src
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -xvzf apf-current.tar.gz
cd apf-*
./install.sh

You will receive a message saying it has been installed, which will look something like this:

Installing APF 0.9.5-1: Completed.
Installation Details:
Install path:         /etc/apf/
Config path:          /etc/apf/conf.apf
Executable path:      /usr/local/sbin/apf
AntiDos install path: /etc/apf/ad/
AntiDos config path:  /etc/apf/ad/conf.antidos
DShield Client Parser:  /etc/apf/extras/dshield/

Now that APF is installed, it must be configured.

pico /etc/apf/conf.apf

Turn off development mode by setting the value of DEVEL_MODE to “0”

DEVEL_MODE="0"

Now locate this section:

# Common ingress (inbound) TCP ports

Remove the line directly below that, starting with IG_TCP_CPORTS=, and paste this line in its place:

IG_TCP_CPORTS="20,21,25,53,80,110,113,143,443,465,993,995,2049,2082,2083,2086,2087,2095,2089,2096,3306,6666,30000_35000"

Do the same for these sections (if necessary):

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53,32786,111,2049"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="0"

The above sections determine which inbound (and, if egress filtering is enabled, outbound) ports will be open to the public. If you have any software on your system that requires a certain port to be open, add it to the list. It is recommended not to open any ports that you don’t need!

This next step is VERY important, or you may find yourself locked out of the server. After you edit the configuration file, you need to open /etc/apf/allow_hosts.rules and add your IPs to the bottom of the file.

Once your IPs are added you can start up the firewall:

/etc/init.d/apf start
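The port list above uses APF's own syntax (comma-separated ports, a_b for a range). The script below is an added example, not from the post or from APF: it parses that syntax to answer "is this port open?" and "which configured entries are not on the list of ports I actually need?", using the IG_TCP_CPORTS line given on this page.

```shell
#!/bin/sh
# Added example, not from the post or APF: parse an IG_TCP_CPORTS list
# (comma-separated ports, "a_b" ranges). The list is the one on this page.

APF_TCP_PORTS="20,21,25,53,80,110,113,143,443,465,993,995,2049,2082,2083,2086,2087,2095,2089,2096,3306,6666,30000_35000"

# apf_port_allowed <port> <list>: prints yes/no
apf_port_allowed() {
    printf '%s\n' "$2" | awk -v p="$1" -F, '
        { for (i = 1; i <= NF; i++) {
              if (split($i, r, "_") == 2) { if (p+0 >= r[1]+0 && p+0 <= r[2]+0) hit = 1 } else if ($i+0 == p+0) hit = 1
          }
          print (hit ? "yes" : "no") }'
}

# apf_unneeded <needed-csv> <list>: configured entries absent from the needed set
apf_unneeded() {
    printf '%s\n' "$2" | awk -v need="$1" -F, '
        BEGIN { n = split(need, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { out = ""
          for (i = 1; i <= NF; i++) if (!($i in ok)) out = out (out == "" ? "" : " ") $i
          print out }'
}

apf_port_allowed 32000 "$APF_TCP_PORTS"   # yes (inside 30000_35000)
apf_port_allowed 22    "$APF_TCP_PORTS"   # no: the list on this page has no SSH port
# Which entries are not on a constructed "needed" list: 3306 6666 30000_35000
apf_unneeded "20,21,25,53,80,110,113,143,443,465,993,995,2049,2082,2083,2086,2087,2095,2089,2096" "$APF_TCP_PORTS"
```

Note the second call: the IG_TCP_CPORTS line as given on this page contains neither port 22 nor an alternate SSH port, so whichever port sshd listens on must be added to it before starting APF, or only the IPs in allow_hosts.rules will be able to reach SSH.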

If you’ve upgraded MySQL via WebHost manager, the downgrade process is slightly more complex than the upgrade. This tutorial mainly covers a downgrade from 4.1 to 4.0, but also applies to downgrading from 5.x to 4.x.

*Back up all databases before proceeding, as all existing databases will be deleted!

1. Uninstall existing MySQL packages:

rpm -qa | grep -i mysql-

This should return a list of several installed RPMs. You will need to remove them all with the rpm -e command.

2. Delete the active MySQL directory:

rm -Rfv /var/lib/mysql

3. Get cPanel Ready

Edit /var/cpanel/cpanel.config and change the version to the one that you are downgrading to (4.0, 4.1, etc)

mysql-version=4.0

Make sure that MySQL updates aren’t being skipped:

rm /etc/mysqldisable
rm /etc/mysqlupdisable

4. Install MySQL:

/scripts/mysqlup --force

5. Update the perl module:

/scripts/perlinstaller --force Bundle::DBD::mysql

Finally, recompile Apache and PHP via Web Host Manager.

Sometimes you’ll notice that a certain function of cPanel or WHM was working fine, and now all of a sudden you’re getting results you’ve never seen before. Believe it or not, many problems with cPanel functionality that runs through scripts are caused by a corrupted perl installation. To resolve this, the first step is usually to run a cPanel update, as this will correct most issues. If the problem persists, you may need to recompile perl from its core.

Before we start, here are a few of the most common indicators that there is a perl issue on your server:

  • Accounts are not created properly, like missing files
  • Frontpage extensions refuse to be installed
  • Stats won’t run, result in cryptic perl errors
  • Error messages that look like this:
(internal death) Sat Jun 3 21:01:55 2006 [32719] error: List::Util object version 1.14 does not match
 bootstrap parameter 1.18 at /usr/lib/perl5/5.8.7/i686-linux/XSLoader.pm line 92.
==> Starting cpbandwd (bandwidth monitoring for IMAP/POP)
Can't locate Class/Std.pm in @INC (@INC contains: /usr/local/cpanel /usr/lib/perl5/5.8.7/i686-linux
/usr/lib/perl5/5.8.7
BEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/5.8.7/Unix/PID.pm line 8.
Compilation failed in require at /usr/local/cpanel/bin/cpbandwd line 15.
BEGIN failed--compilation aborted at /usr/local/cpanel/bin/cpbandwd line 15.

In some cases, the error is specific about a missing perl module. If this is the case, look for the module name (in Some::Module format) in the error message. In the above example you can see ‘List::Util’ being referenced, so you can try to reinstall it either manually or from WHM:

/scripts/perlinstaller --force List::Util

If reinstalling the perl module itself does not solve the problem, you can recompile perl. First, do a perl -v from command line to see what version you are running. Then follow these steps:

wget http://layer1.cpanel.net/perl587installer.tar.gz
tar xvzf perl587installer.tar.gz
cd perl587installer
./install

/usr/local/cpanel/bin/checkperlmodules

If you are running 5.8.8, use the installer from:

http://layer1.cpanel.net/perl588installer.tar.gz

The recompile may take as long as 20 minutes to complete.

If you want to send out a server-wide email or announcement, cPanel has a feature to email everyone who has a valid contact email address set up in their cPanel.  To email everyone:

1.  Log into WebHost Manager

2. Click on ‘Email All Users’

3. Fill in the ‘from’ address, subject, and message you wish to send

4. If you wish to email the customers of your reseller accounts, check the bottom box

5. Hit ‘send’, which will bring you to a confirmation page where you will need to hit ‘send’ again

This tutorial is taken from our sister site, v-nessa.net

Denial of Service attacks are among the oldest yet most common form of attacking a server. Most system administrators have had to deal with DOS attacks taking down a server, router, or other networking device and know how difficult they can be to prevent.

Mod_evasive is an Apache module that limits the number of Apache connections to the server at once, and blocks an offending IP for a specified amount of time. This tutorial will show you how to install mod_evasive on your system.

1. Install:

wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -xvzf mod_evasive_1.10.1.tar.gz
cd mod_evasive_1.10.1
/usr/local/apache/bin/apxs -cia mod_evasive.c

2. Configure:

Once the module is compiled, add these lines to httpd.conf and stop Apache completely before starting it up again:

<IfModule mod_evasive.c>
DOSHashTableSize 3097
DOSPageCount 6
DOSSiteCount 50
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
</IfModule>

Below is an explanation of these settings:
DOSHashTableSize - Size of the hash table. A larger table uses more memory but makes lookups faster.

DOSPageCount - Max number of requests for the same page within the ‘DOSPageInterval’ interval

DOSSiteCount - Max number of requests for a given site, uses the ‘DOSSiteInterval’ interval.

DOSPageInterval - Interval for the ‘DOSPageCount’ threshold, in seconds.

DOSSiteInterval - Interval for the ‘DOSSiteCount’ threshold, in seconds.

DOSBlockingPeriod - Blocking period in seconds if any of the thresholds are met. The user will receive a 403 (Forbidden) while blocked, and the timer is reset each time the site gets hit while the user is still blocked.
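To see how the two thresholds interact, the script below replays a constructed request log through an approximation of mod_evasive's counting: a per-IP-per-page counter and a per-IP counter, each reset when the client has been quiet for longer than its interval, with a client flagged once a counter exceeds its count. It is an added example, not code from the post or from mod_evasive, and the log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the post or mod_evasive): replay a constructed
# request log "<epoch-seconds> <client-ip> <uri>" through an approximation of
# the DOSPageCount/DOSPageInterval and DOSSiteCount/DOSSiteInterval logic.

REQ_LOG='100 10.0.0.5 /index.php
100 10.0.0.5 /index.php
100 10.0.0.5 /index.php
101 10.0.0.5 /index.php
101 10.0.0.5 /index.php
101 10.0.0.5 /index.php
101 10.0.0.5 /index.php
100 10.0.0.9 /index.php
105 10.0.0.9 /index.php
200 10.0.0.7 /a.html
200 10.0.0.7 /b.html
200 10.0.0.7 /c.html
201 10.0.0.7 /d.html'

# offenders <DOSPageCount> <DOSPageInterval> <DOSSiteCount> <DOSSiteInterval> <log>
# Prints "ip rule" (rule = page or site) for each client that would be blocked;
# the first threshold a client trips is the one reported.
offenders() {
    printf '%s\n' "$5" | awk -v pc="$1" -v pi="$2" -v sc="$3" -v si="$4" '
        { t = $1; ip = $2; pk = ip SUBSEP $3
          # same page from the same client within DOSPageInterval: keep counting, else restart
          if ((pk in plast) && t - plast[pk] < pi) pcnt[pk]++; else pcnt[pk] = 1
          # any page from the same client within DOSSiteInterval
          if ((ip in slast) && t - slast[ip] < si) scnt[ip]++; else scnt[ip] = 1
          plast[pk] = t; slast[ip] = t
          if (scnt[ip] > sc && !(ip in hit)) hit[ip] = "site"
          if (pcnt[pk] > pc && !(ip in hit)) hit[ip] = "page"
        }
        END { for (ip in hit) print ip, hit[ip] }' | sort
}

# With the values from httpd.conf above: 10.0.0.5 hits /index.php 7 times in
# 2 seconds (> DOSPageCount 6); 10.0.0.9 is too slow; 10.0.0.7 spreads 4 pages.
offenders 6 2 50 2 "$REQ_LOG"   # 10.0.0.5 page
# A deliberately low DOSSiteCount of 3 also catches 10.0.0.7 (and trips 10.0.0.5
# on the site rule first).
offenders 6 2 3 2 "$REQ_LOG"    # 10.0.0.5 site / 10.0.0.7 site
```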

This tutorial is taken from our sister site, v-nessa.net

Note that at the time of this writing, cPanel does not provide support for MySQL 5.1, but a manual upgrade is still possible. This upgrade process has been tested under cPanel 11 EDGE build with Apache 2.2.4.

*Always back up your databases before doing a MySQL upgrade!

1. Copy the MySQL libraries from the server into a temporary location:

mkdir /root/sqllibs
cp /usr/lib/libmysqlclient.* /root/sqllibs

2. Find any installed MySQL packages:

rpm -qa | grep -i mysql-

This should present a list of installed RPMs. Remove them with rpm -e, but note that some may need to be removed before others. Some people also remove the /var/lib/mysql directory, but you can leave that there.

3. Download and install the MySQL 5.1.x packages:

Go to:

http://dev.mysql.com/downloads/mysql/5.1.html#linux-x86-32bit-rpms

and download the 5.1 RPM’s and install them:

rpm -i MySQL-client-5.1.20-0.glibc23.i386.rpm
rpm -i MySQL-devel-5.1.20-0.glibc23.i386.rpm
rpm -i MySQL-embedded-5.1.20-0.glibc23.i386.rpm
rpm -i MySQL-test-5.1.20-0.glibc23.i386.rpm
rpm -i MySQL-server-5.1.20-0.glibc23.i386.rpm

4. Prepare cPanel

You’ll want to make sure that cPanel’s updates don’t reset the MySQL version, so you need to run the following commands to force cPanel to skip MySQL updates:

touch /etc/mysqldisable
touch /etc/mysqlupdisable

Now edit /var/cpanel/cpanel.config and change the MySQL version to 5.1

Create the symlink:

ln -s /var/lib/mysql/mysql.sock /tmp

Also, verify that the MySQL version is correct by running mysql -V

root@vps [~]# mysql -V
mysql Ver 14.13 Distrib 5.1.20-beta, for pc-linux-gnu (i686) using readline 5.0

5. Set up MySQL

MySQL should have already been started at this point, so you can attempt to log in as root using mysql -u root. If you are able to log in on the first try, great. If not, you’ll need to reset the MySQL password:

pico /etc/my.cnf

Add this line, and restart MySQL

skip-grant-tables

service mysql restart

Now log into MySQL root and set the password:

mysql -u root
mysql> FLUSH PRIVILEGES;
mysql> GRANT ALL PRIVILEGES ON *.* TO root@localhost IDENTIFIED BY 'yourpassword' WITH GRANT OPTION;
mysql> FLUSH PRIVILEGES;
mysql> exit;
service mysql restart

When you’re done, remove the skip-grant-tables line from /etc/my.cnf and restart MySQL. Then log into Webhost Manager and reset the password *again*… this is necessary to build a bridge between the linux root user and the MySQL root user, so you can log into MySQL both through WHM’s phpMyAdmin, and SSH without a password when logged into the server as root.

All you need to do now is recompile Apache, but move the MySQL libraries back so easyapache can find them:

mv /root/sqllibs/libmysqlclient.* /usr/lib/mysql/

When you recompile Apache and PHP, make sure NOT to compile with ‘system mysql’. Note that the cPanel Apache build does not include MySQL 5.1 php extensions, so the latest will be loaded. This should not cause any problems.


