Archive for 03/01/2012 - 04/01/2012

SSL sites on shared IP via SNI

SSL Sites On Shared IP via SNI

Days are gone when we needed a dedicated IP for each website with SSL!
With Server Name Indication(SNI) extension of the Transport Layer Security protocol, it is now possible to use authentic SSL certificates for sites hosted on shared IP addresses. If you are on a Linux hosted environment, you could very well reap the benefit of the feature right away.

Key benefits

1. Reduces the cost of adding dedicated IP addresses
2. All domains can have their own SSL certificates installed

How it works!

We all know how SSL works. In normal SSL, when a user types “https” in a browser’s URL field, the encryption is provided by the Transport Layer Security (TLS) protocol. TLS uses a digitally signed certificate that includes the domain name of the site to ensure that the user connects to the correct site requested. Browsers like Internet Explorer, Mozilla, Opera, Google chrome generally accepts the certificate as “trusted” if it is signed by a trusted certification authority.
In the TLS start-up phase, the browser compares the user-entered domain part of the URI with the domain name found in the server’s certificate (CN or subjectAltName). If this comparison fails, a warning is received by the customer.
In TLS encryption, the server must select and send the certificate based on the destination IP address, before it reads the domain name in the HTTP request. Thus when in a virtual hosting environment, it presents the wrong certificate(usually default for the server) and causes the browser to warn the user of a mismatch in name.
An extension to TLS called Server Name Indication(SNI), addresses this issue by sending the name of the virtual domain as part of the TLS negotiation. This enables the server to “switch” to the correct virtual domain early and present the browser with the certificate containing the correct CN (Common Name).

Is it supported by all browsers?

Most browsers, including Internet Explorer 7 or later, Mozilla Firefox, Safari 2.1 or later, Opera 8.0 or later, Google Chrome etc. supports TLS SNI. The complete list can be viewed at
Thus the success of choosing SNI, largely depends on the browsers used by your customer base.

How to implement this feature in my Hosting?

SNI support is included in Parallels Plesk Panel for Linux (versions 10.2 or higher) and allows using different SSL certificates for sites hosted on the same shared IP address. Cpanel is yet to implement this feature and developers are already working on it.

Which Operating system should I choose for this to work?

As per Parallels, this feature is available on the following operating systems:
OpenSuSE Linux 11.3 or later.
Ubuntu Linux 10.4 or later.
Debian Linux 6.0 or later.
RedHat Linux 6.0 or later.
CentOS 5.0 or later (only with Apache and OpenSSL supplied with Panel).
In the near future this will be an effective solution to save the cost on dedicated IP addresses and their availability.






cPanel / WHM Explained

cPanel and WHM Details

                   *******Cpanel Explanation In Detail******* 

Cpanel Introduction

Cpanel Important directories.




*Houses only scripts and binaries which provide installation
and configuration of many cPanel managed services

Notable Contents:


CPSRVD -------access_log, error_log


frontend-------x, x2,xmail,monsoon
webmail-------x, monsoon
3rdparty-------squirrelmail, phpPgAdmin, phpMyAdmin


init -----------start | stop cpsrvd AND start | stop AND start | stop cppop
exim----------cf, perl
ftptemplates ---proftpd
httptemplates --apache1--default, ssldefault
zonetemplates--simple, standard, standardvirtualftp

bin------php, stunnel, analog, awstats, webalizer
etc------php.ini, ixed, ioncube

Houses proprietary configuration data for cPanel, including:
● Primary cPanel configuration
● User configurations
● Reseller configurations
● Accounting, conversion, and update logs
● Bandwidth data
● Customized service templates


updatelogs--bandwidth--zone templates

● The primary cPanel configuration file
● Each variable within influences the way cPanel behaves
● Variables are line delimited, with variables separated by an equal sign
● If file does not exist, cpanel falls back to defaults


Lists each reseller with a comma-delimited list of WHM
resources that reseller has access to.

Contains a list of accounting functions performed through
WHM, including account removal and creation.

● Files contain a list of the bandwidth history for each account.
Each named after their respective user.
● History files are stored in human-readable format, while actual
bandwidth data are stored in round robin databases.


● File name is inherited from the feature list name
● Contains a line delimited list of feature variables and a zero or
one value
● Variables control what cPanel resources are available to users


● Contains a list of packages, named after the packages they represent
● If package belongs to reseller, file name is prefixed with reseller name
● Each of these values determines the values created in cPanel user file


● Contains a list of cPanel user configuration files, named after the user
they pertain to.
● Variables define account resources, themes, domains, etc.

Other notable /var/cpanel directories

– This directory contains logs from account copies/transfers.
Training Seminar 2006
– Contains the output of each cPanel update executed on the server.
– Named after the respective reseller users they represent, each
contains only the IP address which should be used as that
resellersmain shared ip
– Contains customized DNS zone templates created inWHM


This directory houses a large number of scripts which serve
as building blocks for many cPanel/WHM features.
The scripts can be used to:
● Update cPanel, and many of the services of which it
● Customize account creation routines
● Perform backups of cPanel accounts
● Install and update cPanel managed services

cPanel Services



● cpsrvd is the 'master' process for cPanel.
● Handles and dispatches all requests made through the cPanel,
WHM, and Webmail interfaces.
● Logs to access_log and error_log

cpsrvd and stunnel relationship


SSL Certificates

● Default certificate and key are stored in /
● User installed cert and cabundle are stored in:
– /usr/local/cpanel/etc/mycpanel.pem
– /usr/local/cpanel/etc/mycpanel.cabundle

cPanel Startup

● The following services are controlled by the cPanel
init script
– cpsrvd, both plain and secure
– cPanel POP Services
– cPanel Log Services
– Eximstats
– Chat Services
– Mailman
– Interchange

● Verify if ports are in use
– netstat -lnp | egrep '20(8|9)'

Troubleshooting Startup Issues(SSL)

● If SSL services are not available
– execute /usr/local/cpanel/startstunnel
– check /usr/local/cpanel/3rdparty/bin/stunnel.log
● If cpsrvd is not available
– execute it directly `/usr/local/cpanel/cpsrvd`
– check /usr/local/cpanel/logs/error_log


● License requests are handled by /usr/local/cpanel/cpkeyclt
● Requests are transmitted to over port 2089
● License requests are logged to license_log
● License key is stored at /usr/local/cpanel/cpanel.lisc

A valid license request:
root@server [~]# /
Updating Internal cPanel
root@server [~]#

Troubleshooting License Issues

● Verify if license is active for main server IP at
● Check if server can establish connection to over port 2089
● If the previous steps fail, check license_log for notable errors.
● If license is active, but refused with no notable errors, lodge support request.

root@server [~]# telnet 2089
Connected to (
Escape character is '^]'.
200 cPanel License Service Version 12.0
root@server [~]#

cPanel Requests

cPanel Requests
● Logins are authenticated against the system passwd and shadow files.
● Documents root is /usr/local/cpanel/base
● Theme is defined by RS variable in user's cPanel configuration file.
● Resources are limited by the feature list of assigned to the given user.

WHM Requests

WHM Requests
● Root password will authenticate any reseller user
● Document root is /usr/local/cpanel/whostmgr/docroot/
● Reseller resources are limited by Access Control List
– Defined in WHM > Resellers > Reseller Center > Edit
– Privileges are stored in /var/cpanel/resellers

cPanel Services


Service Monitoring
● Located at /usr/local/cpanel/libexec/chkservd
● chkservd is a scalable connection and process based service monitoring
● Provides monitoring of CPU, Memory, and Disk usage
● chkservd scans services once every eight minutes
– Logs to /var/log/chkservd.log
● Alerts are dispatched to server contact defined in Basic cPanel/WHM

chkservd Configuration

● Monitored services are determined by values stored in /
– Syntax: servicename:0 for no monitoring, servicename:1 for
● Actions, expected responses, and failure events are defined in
service configuration files stored in /etc/chkserv.d/{servicename}
● Status files are stored in /var/run/chkservd/{servicename}
– Plus (+) sign for active, Minus (-) sign for failed


● cpanellogd is responsible for parsing and updating bandwidth logs, and dispatching
statistics generators on each account, per their individual configurations.
● Configured through Statistics Software Configuration and Tweak Settings in WHM
● Statistics are compiled and stored for each account in /home/{username}/tmp, with
each respective statistics application being assigned it's own individual subdirectory.

/home/{username}/tmp ----webalizer, analog, awstats, urchin

● Optional server-wide statistics configurations are stored in /
etc/stats.conf, while user-specific configurations may reside in /home/
● Notable Variables in /etc/stats.conf:
– BLACKHOURS: Comma separated list of numeric values, which
specify hours that logs may not be parsed.
– VALIDUSERS:Users which are allowed to supply their own
combination of statistics generators. By default users are
restricted to the generators defined by the administrator.

Calling cpanellogd

● cpanellogd is started with the cPanel service, but can be executed
directly with:
– No Argument: Daemonize, and wait for a suitable time to scan
– One Argument (username): Execute an immediate statistics run
for the specified user, and exit once completed.
● Two scripts are available to provide these functions as well:
– /scripts/runlogsnow - Execute a full log run immediately
– /scripts/runweblogs {username} - Execute a log run for a single

Bandwidth Statistics

● Bandwidth statistics are accumulated from a combination of the
following cPanel managed services:
● Bandwidth data is logged to /usr/local/apache/domlogs/*bytes_log
● Parsed bandwidth data is stored in /var/cpanel/bandwidth

● Bandwidth parsing is taking an exceedingly long time to complete
– First check the size of the logs being parsed. Excessively large
log files can and typically will take a long time to complete.
– Additionally, if RRDtool is not installed, bandwidth parsing
performance will drop signifigantly.
● RRDtool can be installed by executing `/scripts/rrdtoolinstall`

Log Processing

● Statistics are parsed for each child domain of the given account.
● Will be influenced by variables in /var/cpanel/cpanel.config
– Skip statistics generator
● skip{generator_name}
– Logs will be retained or deleted based on
● keeplogs – keep logs at the end of the month.
● dumplogs – dump logs after parsing

Common cpanellogd Issues

● Statistics are stalling, or are taking unreasonable amounts of
– Usually indiates that the server load average is consistently
exceeding the defined load limit.
● Limit is defined as 'extracpus' in /var/cpanel/cpanel.config
– Restrictive BLACKHOUR definitions in WHM > Statistics Software
– All other issues should be present in /

cPanel Backups

● Backup configuration is performed in WHM > Backup > Configure
● cPanel backups are performed by /scripts/cpbackup, which is
configured by default to execute at 1:00 AM in the root crontab.
● Backup archives are created using the /scripts/pkgacct utility, and
may be restored using /scripts/restorepkg respectfully.
● Uses CPU resource limits based upon extracpus definition in

Backup Configuration

● Backup script can be configured to operate in daily, weekly, and monthly intervals.
● Each interval is given it's own respective directory within the backup root.
● Backup intervals are executed when the current time minus the last modification time
of the interval directory is less than or equal to zero.

Three backup methods are available:
● Standard: This method entails archiving the accounts, and storing
them at the specified path/mount point. This is the default method
used by the backup script.
● Incremental: This method uses rsync to incrementally backup user
data. This option will only operate locally, storing the data at the
specified path/mount point.
● Remote: This method transmits account archives to a specified ftp
server. Remote backups are typically more time consuming, and
more error prone when transmitting large accounts.

Common Backup Issues

● Backup intervals are not executed when expected.
– Modification times are incorrect or not functional
– System time is incorrect.
– Backups have not been defined to run on that day.
● Backups stall, or take an exceedingly long time to complete.
– Verify that the transmission rate to remote server is suitable
– Verify that server load average has not exceeded defined
resource limit.

● Can't call method "login" on an undefined value
This indicates the host or passive setting is not properly
defined for remote backups.
● Unable to login to remote FTP server.
This indicates that either the username and password
were not specified, or are incorrect in the backup configuration.
● Can't call method "prepare" on an undefined value
The password stored for the root mysql user in /root/.my.cnf is
incorrect. Reset or correct this password, and re-execute the backup


● The eximstats daemon is responsible for harvesting bandwidth
information from exim transactions.
● Continually monitors the exim_mainlog, and stores information in the
eximstats database, including host and sender information, message
size, and transaction times.
● Is started with the cPanel service, but can be called directly at /

● Heavily mysql dependent
– data is stored in the 'eximstats' database.
● 'eximstats' mysql user password is stored in /var/cpanel/eximstatspass.
– password is generated by /usr/local/cpanel/bin/eximstatspass
● Database can be installed by running /

cPanel Maintenance
● Update configuration
● Update scripts
● Applying updates

● By default, cPanel applies nightly updates at 2:13AM in the root crontab.
● /scripts/upcp dispatches these updates, using the following key
– /scripts/updatenow - synchronize /scripts directory
– /scripts/sysup - updates cPanel managed rpms
– /scripts/rpmup - all other system updates
● Updates are logged to timestamped files in /var/cpanel/updatelogs
● Update configuration is stored in /etc/cpupdate.conf.


● The following variables are available in cpupdate.conf:
– CPANEL = [ manual- ] stable | release | current | edge
This variable controls which update branch is used for
cPanel updates, and controls whether the updates are applied
manually or automatically (Default value: release)
– SYSUP = never (all other values are assumed true)
– RPMUP = never (all other values are assumed true)


● cPanel updates can be called outside of the regularly scheduled cron
time simply by executing /scripts/upcp.
● If cPanel components are missing or corrupted that were not replaced
with the regular cPanel update, they can be replaced by executing /
scripts/upcp –force

Components of upcp

● /scripts/cpanelsync
● /scripts/updatenow
● /scripts/sysup
● /scripts/rpmup

● /scripts/cpanelsync is called upon by /scripts/updatenow and /
● Provides md5sum based synchronization with update servers
● md5sum table is stored in /destination_directory/.cpanelsync
● Accepts three arguments host, remote path, local path :
/scripts/cpanelsync ''
'/cpanelsync/RELEASE/scripts' '/scripts'


Calls cpanelsync to update contents of scripts
directory, which then stores it's md5sum table
at /scripts/.cpanelsync
● Should only be run from upcp, but can be
executed from command line when '--fromupcp'
is passed.
● Is the first update script called upon from /scripts/upcp



● Calls the underlying package manager to apply system package
● The package manager which is used is determined by the presence
– /var/cpanel/useup2date (Redhat)
– /var/cpanel/useyum (CentOS,Fedora)
– /var/cpanel/useapt (Debian)
– /var/cpanel/useswup (Trustix)
– /var/cpanel/userug (SuSE)

cPanel Updates

● After updatenow, sysup, and rpmup complete, cpanelsync is used to
complete the cPanel updates based on md5sum table stored at /
● If any special configurations are required on server after updates,
they can be applied in /scripts/postupcp, which is executed if such a
file exists and is executable.
● Once updates complete, all cPanel services are restarted for changes
to take effect

cPanel Scripts

● Account Management
● Package Management
● Service Update and Configuration
– Exim
– Named
– Apache
● cPanel and System

Account Management Scripts

● /scripts/wwwacct (account creation)
Accounts can be created via the command line using the following
syntax: /scripts/wwwacct username password 0
x n
● /scripts/killacct (account termination)
Takes a single argument of the user to terminate.
● /scripts/suspendacct (account suspension)
Will suspend an account from accessing all cPanel managed
● /scripts/unsuspendacct
Will reinstate any account suspended via suspendacct

● /scripts/addpop (Create pop account)
Handles creation of virtual mail accounts. Accepts either no
arguments, or two arguments consisting of the e-mail address and
● /scripts/updateuserdomains
Updates the user:owner and user:domain tables stored in:
– /etc/userdomains
– /etc/trueuserdomains
– /etc/trueuserowners
– These tables are used to enumerate and keep track of accounts
and their owners.

Package Management

● /scripts/ensurerpm
Takes argument list of rpms, which are then passed to the
underlying package manager
● /scripts/ensurepkg
The equivalent of ensurerpm for FreeBSD. Updates specified
packages from ports.
● /scripts/realperlinstaller
Takes argument list of perl modules to install via CPAN
● Each of the aforementioned scripts can accept an argument of '--force'
to force package installations.

● /scripts/mysqlup
Can be called to apply MySQL updates independent of upcp
● /scripts/cleanupmysqlprivs
Will clean up the default MySQL privilege tables, by installing
a more restrictive privilege schema.
● /scripts/mysqlconnectioncheck
Will verify that mysql is accessible with password stored in /root/.my.cnf,
and force a reset with a random 16 character string if inaccessible.
● /scripts/restartsrv_mysql

● /scripts/eximup
Can be called to apply exim updates independent of upcp
● /scripts/buildeximconf
Will rebuild exim.conf, and merge local, distribution, and cPanel
● /scripts/restartsrv_exim

● /scripts/rebuildnamedconf
Rebuild named.conf based on existing zone files
● /scripts/restartsrv_bind

● /scripts/easyapache
Download, extract, and execute apache build script
● /scripts/rebuildhttpdconf
Rebuilds httpd.conf based on DNS entries found in each
cPanel user configuration
● /scripts/restartsrv_httpd

cPanel Scripts

Useful Scripts – cPanel and System
● /scripts/restartsrv_{servicename}
The majority of cPanel managed service can be scripts named
● /scripts/makecpphp
Will rebuild the PHP interpreter used internally by cpsrvd
● /usr/local/cpanel/bin/checkperlmodules
Will scan for and install any Perl modules required by cPanel.
● /scripts/fullhordereset
Updates horde and resets the horde mysql user password
● /scripts/fixquotas
Will attempt to rebuild quota database per information stored in /





Increase server security using Linux Malware Detect ( LMD )

Linux Malware Detector(LMD)

LMD or the Linux Malware detect is yet another useful software application form RfxNetworks , it has been prepared keeping the specific share hosting requirements and malware scenario in mind.
RfxNetworks Defines is at follows :

Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection.
The author of LMD declares the limited availability of existing open source free tools for Linux system that focus on malware detection as the driving force behind making this software.
The shared hosting environment has its own dynamics and LMD targets this specific environment considering the specific features of shared hosting.
There are so many new malware coming every day and these reside mostly in user level files which are not checked by most of the common antivirus software that mainly focus on server level vulnerabilities.
Installation and Configuration
In this article we will look into its installation and some basic configurations and usage details. Lets start with the installation.

tar -xzvf maldetect-current.tar.gz
cd maldetect-*
After running the install script , the installation will complete with in seconds and you will be provided with successful installation output, in this information some of the main configuration and usage related information provided is   below :

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
As you can see from above output the main configuration file for malware detect is located at below path :
The main cron is located at /etc/cron.daily/maldet
Before we move on to look into usage of this binary, LMD provide some ignore optionsthat provide you a better control on what you want to do accordingly to your specific environment.
There are three ignore files available in LMD , below are their paths and usage details :

This is a line spaced file for paths that are to be execluded from search results
This is a line spaced file for signatures that should be removed from file scanning
This is a line spaced file for paths that are to be excluded from inotify monitoring
The main configuration file is fully commented so you can easily make setup most options by looking at the comments, below are some main options that you should set  :
This is a top level toggle for the e-mail alert system, this must be turned on if you want to receive alerts.
This is a comma spaced list of e-mail addresses that should receive alerts.
This tells LMD that it should move malware content into the quarantine path and strip it of all permissions. Files are fully restorable to original path, owner and permission using the –restore FILE option.
This tells LMD that it should try to clean malware that it has cleaner rules for, at the moment base64_decode and gzinflate file injection strings can be cleaned. Files that are cleaned are automatically restored to original path, owner and permission.
Using this option allows LMD to suspend a user account that malware is found residing under. On CPanel systems this will pass the user to /scripts/suspendacct and add a comment with the maldet report command to the report that caused the users suspension (e.g: maldet –report SCANID). On non-cpanel systems, the users shell will be set to /bin/false.
This is the minimum user id that will be evaluated for suspension, the default should be fine on most systems.
The rest of the options in conf.maldet can be left as defaults unless you clearly understand what they do and how they may influence scan results and performance.
Manual Scan and real-time monitoring
For complete details of commands you can check the command help using below :
maldet –help
If you are looking to scan all the public_html directories for all the users on the server then you can achieve this using below command  :
maldet –scan-all /home?/?/public_html
Note : Please note that LMD use ‘?’ as wild card instead of ‘*’ , thus the use of  ’?’ in above command.
There are more options like –scan-recent which you can use to scan only recent files/changes and you have the option to mention number of days at the end of command which helps you scan for a recent time period.
Also there are other option parameters related to quarantine and cleanup, however please note that the quarantine option is disabled with default installation of LMD , if you want you can enable it from the main config.
There is also a real-time monitoring supported by LMD , however it will not work with CentOS4/RHEL4 as it requires inotify kernel parameter which is available in CentOS5/RHEL5 only.
Below is the help section related to real-time monitoring :
-m, –monitor USERS|PATHS|FILE
Run maldet with inotify kernel level file create/modify monitoring
If USERS is specified, monitor user homedirs for UID's > 500
If FILE is specified, paths will be extracted from file, line spaced
If PATHS are specified, must be comma spaced list, NO WILDCARDS!
e.g: maldet --monitor users
e.g: maldet --monitor /root/monitor_paths
e.g: maldet --monitor /home/mike ,/home/rohit
You can initiate to monitoring for any user account as follows :
maldet –monitor /home/rohit
And the monitoring will continue to run in background and the resultant logs will be reported in below log file :
The daily scans through cron
The cronjob which is installed by LMD is located at path /etc/cron.daily/maldet as I mentioned earlier in the post and this cron is used to perform a daily update of signatures, keep the session, temp and quarantine data to no more than 14d old and run a daily scan of recent file system changes.
The above information should be enough to get your started !
You can find more details on the official site for this RfxNetwork project at below link :