cPanel

From Leo's Notes
Last edited on 14 June 2020, at 23:50.


Features

Initial Quota Setup

Ensures that quota support is enabled in the kernel and that the userspace utilities are installed, then updates the quota files:

# /sbin/quotacheck --create-files --user --group --verbose --force --use-first-dquot --no-remount --format=vfsv0 /dev/vda1

It then resets quotas for each user.

Server Profile

Sets the server to one of: Standard, Database, DNS, or Mail node. The profile can only be changed if no accounts have been created.

Server Time

Timezone configuration

Statistics Software Configuration

Configures statistics generator access for users and scheduled processing frequency. Supports Analog, Awstats, Webalizer.

Like all other tools, these are located in /usr/local/cpanel/3rdparty/bin

Tweak Settings

cPanel specific settings and also site-specific ones. Notable ones are listed below.

Domains:

  • Allowing creation of accounts using subdomains across accounts
  • Allowing remote domains that do not resolve to this server
  • Allowing unregistered domains
  • Allowing resellers to create accounts with subdomains of the server hostname
  • Preventing users from using common domain names listed in /var/cpanel/commondomains
  • Check DNS zones syntax and owners
  • Enable DKIM and SPF on domains for new accounts
  • Enable creation of service subdomains (for cpanel, webmail, webdisk, cpcalendars, cpcontacts, whm).
  • AutoSSL renewal with Global DCV Passthrough. Enables global rewrite rules for DCV filenames to ensure renewals work without requiring additional .htaccess rules, but may incur a slight performance penalty for all HTTP requests.

Email:

  • Max hourly emails per domain, and system alerts when a threshold is reached
  • The percentage of email messages (above the account’s hourly maximum) to queue and retry for delivery.
  • Mailbox storage format: mdbox or maildir
  • Initial default/catch-all destination: system account, fail, blackhole
  • Mail authentication via domain owner password. Does this allow both account passwords to work?
  • Email delivery retry time, time between mail server queue runs
  • Track email origin via X-Source email headers
  • Spam detection by tracking number of unique recipients, number of failed or deferred messages, and what to do (no action, hold outgoing, reject outgoing)
  • Prevent "nobody" from sending mail. Only really applicable if using mod_php or suexec disabled
  • Enable BoxTrapper spam trap
  • Enable Horde, Roundcube, SpamAssassin, SpamAssassin Spam Box delivery
  • Default email account quotas

Notifications:

  • System disk usage alerts (enabled, warning, critical)
  • System memory warnings
  • Account disk usage alerts (enabled, warning, critical percentages)
  • Bandwidth alerts
  • SSL certificate expiry

cPanel:

  • cPanel PHP settings (exec time, max post size, max upload size, PHP loaders ioncube and sourceguardian)
  • cPanel max memory, max service handlers
  • cPanel Jailshell configuration
  • Jailed /proc, /bin, /usr/bin

Change Hostname

  • Changes the system hostname by editing /etc/hostname, /etc/sysconfig/network, /etc/hosts
  • Updates apache config
  • Renews any SSL certs using the old hostname
  • Restarts cPanel, exim, mysql, apache.

ModSecurity

https://github.com/SpiderLabs/ModSecurity

Security Advisor

Runs a bunch of tests for security issues.

Shell Fork Bomb Protection

Sets a ulimit value for users

Apache

Can edit:

  • Global configs in httpd.conf
  • DirectoryIndex
  • Include Editor
  • RLimitMEM
  • Log rotation for access_log, error_log, suexec_log, modsec_debug.log. /etc/apache2/logs will be rotated into /etc/apache2/logs/archive based on the threshold size set in server settings


System

Users start from UID 1002.

mailman:x:209:mailman
dovecot:x:97:
dovenull:x:994:
mailnull:x:47:
mailtrap:x:993:

mysql:x:27:

Additional groups are added:

cpanel:x:201:
cpanellogin:x:202:
cpaneleximfilter:x:203:
cpaneleximscanner:x:204:
cpanelconnecttrack:x:205:
cpanelanalytics:x:206:
cpanelcabcache:x:207:
cpanelroundcube:x:208:
cpanelphpmyadmin:x:992:
cpanelphppgadmin:x:991:
cpses:x:990:cpses
cpaneldemo:x:1000:
cpanelsuspended:x:1001:
compiler:x:989:cpanel

SSHD

Edits /etc/ssh/sshd_config:

DenyGroups cpaneldemo cpanelsuspended
UseDNS no
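
A way to verify that the two sshd_config settings listed above are still in effect globally. This is an added example, not cPanel's own code: the function name check_cpanel_sshd and the sample file are constructed for illustration, and it assumes whitespace-separated "Keyword value" lines, literal group names (no wildcard patterns) and cumulative DenyGroups lines.

```shell
#!/bin/sh
# Added example (not cPanel's code): check the global section of an
# sshd_config for the DenyGroups and UseDNS settings listed in these notes.
check_cpanel_sshd() {
    awk '
        { sub(/#.*/, "") }                 # drop comments
        NF == 0 { next }                   # skip blank lines
        { kw = tolower($1) }               # keywords are case-insensitive
        kw == "match" { in_match = 1 }     # everything after Match is conditional
        in_match { next }
        # Assumption: repeated DenyGroups lines add to one list.
        kw == "denygroups" { for (i = 2; i <= NF; i++) denied[$i] = 1 }
        # Only the first UseDNS value is taken.
        kw == "usedns" && usedns == "" { usedns = tolower($2) }
        END {
            n = split("cpaneldemo cpanelsuspended", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in denied)) { print "missing: DenyGroups " want[i]; rc = 1 }
            if (usedns != "no") { print "missing: UseDNS no"; rc = 1 }
            exit rc + 0
        }
    ' "$1"
}

# Constructed sample: the demo group is denied only inside a Match block,
# so the rule does not cover every connection and is reported as missing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
Port 22
usedns no
DenyGroups cpanelsuspended
Match Address 192.0.2.0/24
    DenyGroups cpaneldemo
EOF
check_cpanel_sshd "$sample" || echo "sshd_config needs review"
rm -f "$sample"
```

On a live host, sshd -T prints the effective configuration and can be used to confirm the result.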

Dovecot

The dovecot configuration file is templated at /var/cpanel/templates/dovecot2.3/main.default with /var/cpanel/conf/dovecot/main. Template customizations can be made to /var/cpanel/templates/dovecot2.3/main.local

Exim

Configuration templates are located at /usr/local/cpanel/etc/exim