Block wp-login and xmlrpc brute force attacks with CSF / cPanel

Another great counter attack to “flooders” on your WordPress installations. This time with CSF firewall. I had massive brute force attacks on WordPress installations on some cPanel server which were causing very high server loads.¬† Here is great way to block abusers with CSF firewall. Here is how.

First, create custom log from which CSF will be able to search for wp-login.php and xmlrpc.php requests. Edit your /etc/csf/csf.conf like bellow:

CUSTOM2_LOG = "/var/log/apache2/domlogs/*/*"

Because majority of those attacks are from some very well known country’s that are causing problems, you may want to white list country’s from which users shouldn’t be blocked. Add list of white list country’s in CC_IGNORE.

Then you must create custom functions for CSF so it will be able to block those attacks. Add this to your /usr/local/csf/bin/regex.custom.pm file. If it’s not there, create one. Then add this:

# XMLRPC
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
return ("WP XMLPRC Attack",$1,"XMLRPC","5","80,443","1");
}

# WP-LOGINS
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
return ("WP Login Attack",$1,"WPLOGIN","5","80,443","1");
}

Restart CSF and check if LFD is doing his new job. On success you should see something like this:

May 10 11:33:16 cp lfd[589350]: (WPLOGIN) WP Login Attack 4.4.4.4 (PL/Poland/s1.hekko.net.pl): 5 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]
May 10 11:33:36 cp lfd[589587]: (WPLOGIN) WP Login Attack 5.5.5.5 (TR/Turkey/5.5.5.5.linuxhosting.com.tr): 5 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]
May 10 11:34:24 cp lfd[590012]: (WPLOGIN) WP Login Attack 6.6.6.6 (DE/Germany/static.6.6.6.6.clients.your-server.de): 5 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]83247]: (WPLOGIN) WP Login Attack 7.7.7.7 (VN/Vietnam/-): 5 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]
...

Requests for ignored country’s should look like this:

May 10 11:45:36 cp lfd[591718]: WP Login Attack 1.1.1.1 - ignored
May 10 11:45:41 cp lfd[591718]: WP Login Attack 2.2.2.2 - ignored
...

I hope this helps. ūüôā

CSF – whitelist user from SMTP_BLOCK

CSF features great option SMTP_BLOCK which block outgoing SMTP for all users except root, exim and mailman. I had a problem with one user which was using MailChimp as mass mailing within their application. Because of SMTP_BLOCK it wasn’t working. Disabling SMTP_BLOCK globally is not recommended, you can white list users for which you would like to allow sending.

Go to your CSF settings and find SMTP_ALLOWUSER. Then add user which should be allowed (users separated with coma). Don’t forget to restart CSF.

cPanel email problem – (13): Permission denied: failed to chdir to /home/username

I had this weird issue on one of our production cpanel servers where user’s email stopped working without any reason. Only error that was available was:

T=dovecot_virtual_delivery defer (13): Permission denied: failed to chdir to /home/username

From time to time users document root permissions were set to user nobody and execution privileges were removed. Because of this, email wasn’t working and I couldn’t find out why.

After a lot of headache I googled across this thread. Permissions were altered by cPanel’s File Protect. Somehow file protect recognized this accounts permissions weren’t right. After checking in users account, there was sub-domain created for which document root was set to “/”. This is not valid document root, and because of this, file protect altered users permissions.

I changed document root for this sub-domain and problem was solved. You should also correct user’s permissions on document root after fixing issue with file protect:

chmod +x /home/username
chown username:username /home/username

You should make sure that user accounts permissions are absolutely correct.

Hope this saves some sleep ūüôā

cPanel’s Awstats: There are no domains which have awstats stats to display

One client had issue with Awstats statistics. They stoped working. When he tried to add new domain and check Awstats in cPanel, this message was shown:

There are no domains which have awstats stats to display

Awstats were configured correctly, cron was executed. I then discovered that there were no active access log in /usr/local/apache/domlogs/domainname.com. So I tried to tail this log while visit web site, no access log was generating.

A while ago I enabled cPanels option “Piped Log Configuration” which was suggested to enable to speed up cPanel control panel experience. When this was disabled, access log per domain started to working again.

 

cPanel/CloudLinux – Composer not working with cPanel user

I had a problem when publishing project via composer as cPanel user. When trying to execute composer via cpanel user with ssh access, composer returned nothing. This was on CloudLinux with alt-php (PHP Selector) and cPanel.

In documentation is stated that for composer to work, we need PHP library’s¬†Phar,¬†Iconv,¬†Mbstring. This can be done easily with PHP Selector in your user interface. Documentation also says that we need to have enabled¬†allow_url_fopen which is also specified as possible security issue so it shouldnt be enabled globally. And lastly, if you use suhosin, which you should, you have to whitelist Phar. You should do all of this so that is only affecting php.ini for specific user and not globally. Also, you’ll want to increase memory_limit as composer needs it. In my case, I temporary increase it to 1G. First, enable all necessary php library’s through PHP Selector in you cpanel control panel. Then follow steps bellow.

Login in users CageFS like this:

root@server [~]# cagefsctl -e

Then go to your alt-php configuration directory:

root@cpanel [~]# cd /etc/cl.php.d/alt-php<desired version>/

Inside of this directory you should see file alt_php.ini, open it and add this to end of the file:

;>=== Start of PHP Selector Custom Options ===
memory_limit=1G
suhosin.executor.include.whitelist=phar
;<=== End of PHP Selector Custom Options =====

Save this settings and exit user CageFS. You don’t need to restart apache. Then SSH with your cpanel user and try to run composer.

Composer should now work with your cPanel user:

thisisme@server [/]# composer --version
Composer version 1.6.2 2018-01-05

 

cPanel: Your server does not support the connection encryption type you have specified

If you’re¬†getting message like¬†“Your server does not support the connection encryption type you have specified” when try to set up email in your Outlook, then chances are that your cPanel mail server has disabled some needed encryption types.

By default, cPanel disables all those protocols: SSLv2, SSLv3, TLSv1, TLSv1.1. SSL2 and SSL3 should be disabled at all costs, but you may not get away with TLS 1.1 or even TLS 1 being disabled.

To enable TLS 1 and TLS 1.1 in your Exim, login as admin in your cpanel and then: Home -> Service Configuration -> Exim Configuration Manager. Select second option so you can insert your own directives and add this:

 +no_sslv2 +no_sslv3

Block bad bots on cPanel globally with Apache

A lot of traffic from bad bots, crawling your sites can cause problems such as high server load and unstable server. You should use mod_security on cPanel servers that should do the job, but if you want to block specific bots globally, on apache level, then bellow solution is for you. This syntax is for Apache version 2.4.

On cPanel servers you can’t just edit httpd.conf file, it will be rewrited. You can edit it through whm easily. Just login on your cpanel -> Apache Configuration ->¬†Include Editor -> go to “Pre Main Include” -> select your apache version (or all versions) -> then insert code bellow and click Update and then restart apache.

In Directory section, you should specify right path to location where websites are. On cpanel servers this is /home by default.

Here is my example:

<Directory "/home">
   SetEnvIfNoCase User-Agent "MJ12bot" bad_bots
   SetEnvIfNoCase User-Agent "AhrefsBot" bad_bots
   SetEnvIfNoCase User-Agent "SemrushBot" bad_bots
   SetEnvIfNoCase User-Agent "Baiduspider" bad_bots
  <RequireAll>
     Require all granted
     Require not env bad_bots
  </RequireAll>
</Directory>

cPanel – create directory alias on domain

Creating aliases on cpanel server is easy – for domains. But when you want to create directory alias for files¬†outside of document root, there is no quick/click option in control panel. By directory alias I mean for example, http://mydomain.com/something. Where¬†/something is directory that is outside of your document root – public_html of domain. Another example, you have domain¬†mydomain.com and you want phpmyadmin¬†to be¬†accessible on http://mydomain.com/phpmyadmin, but phpmyadmin is installed outside of document root of¬† mydomain.com.¬†You’ll need directory alias. Here is quick way to do it.

Continue Reading

cPanel Webmail: internal server error 500 user is over quota cpanel

This user cpanel account¬†reached¬†disk quota limit and mail stopped working. User deleted about 4G of emails and released some disk space. Problem was that¬†he still wasn’t able to login to webmail. This error was shown:

internal server error 500 user is over quota cpanel

It didn’t make sense since he¬†released his disk space. Cpanels quota was showing new value, but login to webmail was still impossible.

What you have to do is remove cpanels overquota file manually. Let’s say that user user4 is having issue described above.

root@cpanel [~]# cd /var/cpanel/overquota/
root@cpanel [/var/cpanel/overquota]# ls
./  ../  user1  user2  user3  user4 
root@cpanel [/var/cpanel/overquota]# rm user4

After I deleted /var/cpanel/overquota/user4, webmail was started to working again.

© 2019 geegkytuts.net
Hosted by Hosterdam


About author