The cPanel Admin

User Databases Missing from cPanel

Posted by Mark | Posted on January 14, 2011

After upgrading to cPanel 11.28, a number of our users indicated that databases were missing from their cPanels, despite the actual databases existing on the server.  There are a number of things that can cause this, including corrupted Perl modules and MySQL not running, but the major cause that I’ve seen is from the new database mapping functionality.  As you may know, cPanel has vastly improved their migration capabilities by recently changing how databases are mapped to user accounts, now allowing database names without user prefixes.  However, this seems to cause an issue when databases exist on the server with invalid names.

Check your /var/lib/mysql folder and see if you maybe have folders in there named incorrectly. On one of my servers, the admin renamed several of the databases to $dbname.bak when making changes, and when the database quota script ran it was erroring out. After you move or remove these folders, run the following commands:

/scripts/update_db_cache

/usr/local/cpanel/bin/setupdbmap

Assuming you’ve removed all the invalid databases from the MySQL folder, you should now be able to see the ones that were previously missing.

Everything You Wanted to Know About Cron

Posted by Vanessa | Posted on January 14, 2011

The following is a guest post from Gwen Davis of hostingobserver.com.

History

The first cron was written in the early 1970s for Version 7 UNIX as a system service (also known in UNIX as a daemon). The algorithm, invoked from the /etc/inittab location whenever the OS entered a multi-user mode, was simple — every minute, it checked a directory for any files set to be run at the current date/time, and ran any it found under superuser root. The next version of cron, created for the release of UNIX System V, extended capabilities beyond the superuser root to all users.

Cron, ported to BSD, remained unchanged for the life of UNIX System V and its derivatives: Solaris, IRIX, HP-UX, and IBM AIX. Vixie cron (now called ISC Cron) was developed for Linux in 1987, and Redhat Linux has cronie and anacron, all of which have contributed to the growth in Linux server administration.

Cron Hosting Basics

There are three basic characteristics of the best web hosts for Cron: Linux hosting, cPanel hosting and unlimited hosting. However, this does not mean that you will never be able to run cron jobs if your hosting plan has one or two elements missing. From here on we will discuss the workarounds available for each criterion.

Wildcard SSL Installation Script

Posted by Vanessa | Posted on December 23, 2010

We administrators eventually come to the realization that when you have a wildcard SSL certificate for 40 subdomains, you can’t practically have separate IPs and cPanel accounts for all of them. If you have a wildcard SSL certificate for all your subdomains, you can easily install the certificate on a single IP address for all the subdomains. For this particular scenario to work:

  • All subdomains must be on the same IP and cPanel account
  • You must have a wildcard SSL qualifying for *.tld.com

Keep in mind that for a wildcard SSL to work, it really does have to be installed for each subdomain. You can’t install it once and have it automatically work on the fly like wildcard DNS does – Apache just doesn’t work that way.  Luckily, we’ve scripted an easy solution for you.

Create the following files:

  • /etc/ssl/certs/tld.crt

This file will contain the actual certificate, and should be named off of your top-level domain. For example, if the certificate is for *.mydomain.com, name the file mydomain.com.crt

  • /etc/ssl/certs/tld.cabundle

This file will be the CA bundle for your wildcard certificate, if you have one.  If the certificate is for *.mydomain.com, name the file mydomain.com.cabundle

Now download the install script from here.

This is basically just a bash script that you can use to install a wildcard SSL for a domain. Running it will install the certificate on all subdomains of the domain passed to the script:

chmod 755 wildcardssl.sh

./wildcardssl.sh $domain

After it runs, all you need to do is restart Apache. Please make a copy of /var/cpanel/userdata before running the script for the first time, until you’ve verified that it works on your setup.  Please note that this script would need to be run again if more subdomains are added later on.

Exim Privilege Escalation in 4.69-23

Posted by Mark | Posted on December 10, 2010

The cPanel security team found an issue in Exim that can potentially allow a user on the system to run commands as the root user. Luckily, cPanel has already released a patch which is available for immediate download via their Exim upgrade script. If your system is set to update cPanel automatically, you may already have the patch. To verify, run:

rpm -qa |grep -i exim

The version should be 4.69-25 – if it’s not, you need to upgrade. You can simply run:

/scripts/eximup

Click the link below to read cPanel’s advisory:

http://mail.cpanel.net/pipermail/news_cpanel.net/2010-December/000060.html
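
The version check above, scripted for more than one server. This is an added example, not part of the original post or cPanel's tooling; the host names and release suffixes in the sample inventory are constructed, and builds outside the 4.69 series are reported as unknown because the post only names the fixed release for 4.69.

```sh
#!/bin/sh
# Added example: classify Exim package builds against the fixed build named in
# the post (4.69-25). Input is "VERSION-RELEASE", for example from:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' exim

exim_patch_status() (
    # Split "4.69-23_suffix" into major, minor and the numeric part of the release.
    set -- $(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)-\([0-9][0-9]*\).*$/\1 \2 \3/p')
    if [ $# -ne 3 ] || [ "$1.$2" != 4.69 ]; then
        echo unknown                # unparsable, or a series the post does not cover
    elif [ "$3" -ge 25 ]; then      # numeric compare, so release 9 sorts below 25
        echo patched
    else
        echo upgrade
    fi
)

# Read "host version-release" lines (collected however you inventory servers)
# and print only the hosts that are not confirmed patched.
audit_exim_fleet() {
    while read -r host vr; do
        [ -n "$host" ] || continue
        status=$(exim_patch_status "$vr")
        [ "$status" = patched ] || echo "$host $vr $status"
    done
}

# Constructed inventory; the release suffixes are illustrative.
audit_exim_fleet <<'EOF'
web1 4.69-23_cpanel_maildir
web2 4.69-25_cpanel_maildir
web3 4.69-9_cpanel_maildir
web4 4.72-1
EOF
```

Hosts reported as upgrade need /scripts/eximup; hosts reported as unknown need a manual look at the advisory.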

Using Custom RBL’s with Exim and cPanel

Posted by Vanessa | Posted on November 24, 2010

cPanel 11.28 introduces a way to easily implement your own RBLs for Exim to perform lookups against.  To get started, log into WHM > Exim Configuration Editor and click on the RBLs tab, then Manage custom RBLs.

From here, enter in the information for your RBL as follows:

The DNS list would be the hostname of the server that Exim will do DNS lookups against, and the info URL is generally what appears in bounceback messages where senders can go to either look up their IP, or find out more information on the RBL.

Once you’ve saved, go back into the Exim Configuration Editor under RBLs, and select “On” next to your RBL name.

Automation

You can also automate this by using an RBL template, rather than going through WHM. This is particularly useful for server setup scripts, or applying this change across multiple servers.

First, go into /var/cpanel/rbl_info (if the folder doesn’t exist, create it), and create a file called yourdnsbllist.yaml

The YAML file would look something like this:

---
dnslists:
- dns.myrbl.org
name: myrbl
url: http://fakeurl.org/checkmyip.php

Now in /etc/exim.conf.localopts, add the following:

acl_myrbl_rbl=1

Of course, the myrbl part would reflect the name of the actual RBL you created.

To rebuild the Exim config, run /scripts/buildeximconf
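
The automation steps above as one idempotent function suitable for a server setup script. This is an added example, not cPanel's code: the optional fourth argument (a root prefix for dry runs in a scratch directory) and the choice to name the file after the RBL name are assumptions.

```sh
#!/bin/sh
# Added example: write the RBL template and enable it in exim.conf.localopts.
# usage: add_custom_rbl <name> <dns-list-host> <info-url> [root-prefix]

add_custom_rbl() (
    name=$1 dnslist=$2 url=$3 root=${4:-}

    # These values land in a YAML file and in a config key (acl_<name>_rbl),
    # so reject anything that could smuggle in extra keys or lines.
    case $name in ''|*[!a-z0-9_]*) echo "bad RBL name" >&2; exit 2 ;; esac
    case $dnslist in ''|*[!A-Za-z0-9.-]*) echo "bad DNS list host" >&2; exit 2 ;; esac
    case $url in http://*|https://*) ;; *) echo "bad info URL" >&2; exit 2 ;; esac
    case $url in *[!A-Za-z0-9:/._~?=%-]*) echo "bad info URL" >&2; exit 2 ;; esac

    dir=$root/var/cpanel/rbl_info
    opts=$root/etc/exim.conf.localopts
    mkdir -p "$dir" "$root/etc" || exit 1

    # Same layout as the YAML shown in the post.
    printf '%s\n' '---' 'dnslists:' "- $dnslist" "name: $name" "url: $url" \
        > "$dir/$name.yaml" || exit 1

    # Enable the list exactly once: rewrite an existing line (for example one
    # set to 0) instead of appending a duplicate on every run.
    touch "$opts" || exit 1
    if grep -q "^acl_${name}_rbl=" "$opts"; then
        sed "s/^acl_${name}_rbl=.*/acl_${name}_rbl=1/" "$opts" > "$opts.new" &&
            cat "$opts.new" > "$opts" && rm -f "$opts.new"
    else
        printf 'acl_%s_rbl=1\n' "$name" >> "$opts"
    fi || exit 1

    # Only rebuild the live Exim config when working on the real filesystem.
    [ -n "$root" ] || /scripts/buildeximconf
)

# Dry run against a scratch directory with the values used in the post.
scratch=$(mktemp -d)
add_custom_rbl myrbl dns.myrbl.org http://fakeurl.org/checkmyip.php "$scratch"
cat "$scratch/var/cpanel/rbl_info/myrbl.yaml" "$scratch/etc/exim.conf.localopts"
```

Called without the fourth argument, the function writes to the real paths and then runs /scripts/buildeximconf.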

Setting up a Red5 Flash Media Server

Posted by Vanessa | Posted on November 3, 2010

This post will explain a simple process for installing a Red5 Flash Media server in a VPS or Dedicated environment.

Install Subversion and Java

yum -y install java-1.6.0-openjdk java-1.6.0-openjdk-devel
yum -y install subversion

Install Ant

cd /opt
wget http://mirrors.kahuki.com/apache/ant/binaries/apache-ant-1.8.1-bin.tar.bz2
tar jxvf apache-ant-1.8.1-bin.tar.bz2
mv apache-ant-1.8.1 ant
ln -s /opt/ant/bin/ant /usr/bin/ant

Result: /opt/ant

Export some variables and add to bashrc:

export ANT_HOME=/opt/ant
export JAVA_HOME=/usr/lib/jvm/java
export PATH=$PATH:/opt/ant/bin
export CLASSPATH=.:$JAVA_HOME/lib/classes.zip

echo 'export ANT_HOME=/opt/ant' >> /etc/bashrc
echo 'export JAVA_HOME=/usr/lib/jvm/java' >> /etc/bashrc
echo 'export PATH=$PATH:/opt/ant/bin' >> /etc/bashrc
echo 'export CLASSPATH=.:$JAVA_HOME/lib/classes.zip' >> /etc/bashrc

Install Red5:

cd /opt
svn co http://red5.googlecode.com/svn/java/server/trunk red5
cd red5
ant prepare
ant dist

Create an init script

By default you have to use red5's inherent scripts to start/stop, which can be a bit annoying. Create a file called /etc/init.d/red5 and paste in the following:

#!/bin/sh
# For RedHat servers
# chkconfig: 2345 85 85
# description: Red5 flash media server
# processname: red5
# (the chkconfig line above gives runlevels, start priority and stop priority;
# chkconfig refuses to manage a script that lacks it)
PROG=red5
RED5_HOME=/opt/red5
DAEMON=$RED5_HOME/$PROG.sh
PIDFILE=/var/run/$PROG.pid
# Source function library
. /etc/rc.d/init.d/functions
# Optional local overrides
[ -r /etc/sysconfig/red5 ] && . /etc/sysconfig/red5
RETVAL=0
case "$1" in
    start)
        echo -n $"Starting $PROG: "
        cd "$RED5_HOME" || exit 1
        # Run in the background and record the PID for stop/status
        "$DAEMON" >/dev/null 2>/dev/null &
        RETVAL=$?
        if [ $RETVAL -eq 0 ]; then
            echo $! > "$PIDFILE"
            touch /var/lock/subsys/$PROG
        fi
        [ $RETVAL -eq 0 ] && success $"$PROG startup" || failure $"$PROG startup"
        echo
        ;;
    stop)
        echo -n $"Shutting down $PROG: "
        killproc -p "$PIDFILE"
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$PROG
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    status)
        status $PROG -p "$PIDFILE"
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|status}"
        RETVAL=1
        ;;
esac
exit $RETVAL

*Note that WordPress has a strange way of outputting double quotes, so make sure you address those in the script!
Now, chmod 755 /etc/init.d/red5 and run:

chkconfig red5 on

This will run Red5 on startup. With the init script, you can now start, stop, and restart red5 as needed, ex:

service red5 restart

Red5 should now run on port 5080 and the RTMP service on port 1935. You may need to open these ports in your server’s firewall.

Test:

http://hostname:5080/demos/port_tester.swf

Source: Adapted from http://www.sohailriaz.com/how-to-install-red5-server-on-centos-53/


				

10 Tips for Improving Email Delivery

Posted by Vanessa | Posted on October 25, 2010

One of the most common problems that hosting providers face is the issue of user email not being delivered to other mail servers.  Not only does it annoy the end user, but it’s extremely frustrating for the server administrator to deal with since there’s not always a clear indication of why email doesn’t get delivered successfully.   In this post I’ll explain a few tips for helping improve the reliability of your mail server, and some tips you can give to your end users that send mailing lists.

Note: You can’t control the incoming email policies of remote mail servers or RBL’s. However, most email providers will not intentionally inconvenience their own users by blocking legitimate email, so if you continue to have problems, I’d recommend contacting the email administrator of the remote server.

1. Do you look like a spammer?

First of all, if you’re sending out massive mailing lists, whether you consider it spam or not, you’re asking for it.  Out of a list of 100,000 people, you can expect that a couple hundred of them are going to prompt spam complaints to your email provider, especially if the emails are of a “spammy” nature.  If you’re not sure where you sit on the line between spam and email marketing, take a look at this post.

2. Practice proper mailing list etiquette

As a mailing list grows, you’re occasionally going to have email addresses that become invalid, or users that no longer want to receive your email.  Don’t think that by hiding your opt-out link, you’re going to keep a subscriber. The recipient is more likely to mark your email as spam than hunt around for a way to remove their email address from your list, so make things easier by putting your opt-out link at the top with a reminder of why you are sending the email. For example:

You are receiving this newsletter because you purchased a product on mywebsite.com and requested to receive notifications. If you no longer want to be part of this mailing list, please click <here>

That being said, it’s extremely important that you promptly honor opt-out requests, and regularly check for bounced email for addresses that may no longer exist.

In addition to this, when sending email locally, your SMTP hostname should simply be “localhost”.

3. Limit outgoing email

If you’re a hosting provider and aren’t specifically catering to users that do bulk mailing, you may want to limit how much email each user can send, and advise users with large mailing lists to use services like Constant Contact.  Tweaking a mail server to effectively send huge amounts of email without issue can be very difficult, and isn’t something I’d recommend even offering for shared hosting platforms.  In a shared environment where the actions of one user can affect many, outgoing email should be limited and then allowed on a per-case basis. There are two simple ways to do this:

  • In WHM > Tweak Settings, set the outgoing mail limit. You can specifically allow domains to send more by adding them to /var/cpanel/maxemails on versions 11.26 and lower, or adding a MAX_EMAIL_PER_HOUR option to /var/cpanel/users/$user for cPanel 11.28 and higher.
  • In exim.conf, set the following options:

recipients_max_reject = true

recipients_max = 50

The best way to do this so the change is retained over cPanel and Exim updates is to add the options in /etc/exim.conf.local under @CONFIG@, then run /scripts/buildeximconf

Exim considers each email as one email, regardless of how many recipients are in it.  This may be an inconvenience to some users, but in reality any mailing list should be sent as one recipient per email.  For larger organizations that use mailing lists for discussion, a listserv software like Mailman is a better solution.

4. Tighten up your mail server

If you’ve ever wanted to be the target of a spam hack, allowing PHP nobody mail is the best way to accomplish this.  Hopefully by now you’re running suPHP, but if you’re still running PHP as a DSO, whenever a PHP script uses the mail() function to send email it’s going to do so as the user “nobody”, or whatever user that Apache runs as.  Since the user “nobody” is a system user, it bypasses mailing limitations that you may have already set up via cPanel or exim.conf. This means that a rogue mailing script on your server can send out unlimited amounts of email and cause your server to get blacklisted. You can adjust this setting in WHM > Tweak Settings.

You’ll also want to make sure that SMTP Tweak is turned on:

/scripts/smtpmailgidonly on

It’s also a good idea to require sender verification, which can be enabled in WHM > Exim Configuration Editor

5. Always use SMTP

Similarly, mailing list software should be configured to use SMTP with a valid email address, username, and password. Don’t rely on sendmail or the php/perl mail functions – you need to send as a valid authenticated user.  Most mailing list software supports the use of SMTP, and using PHP or perl it’s very easy to incorporate SMTP authentication.

6. Use DomainKeys and SPF records

You want other mail servers to know that when they get mail from you, it’s actually from your server and not spoofed.  Consider using DKIM and SPF records to allow remote mail servers to authenticate your email. You’ll find that this may instantly improve your email delivery to services like Yahoo, MSN, and Hotmail.

See: Installing DomainKeys and SPF Records

7. Subscribe to Feedback loops

It’s very important for email administrators and hosting providers to subscribe to feedback loops.  Many remote mail and blacklist providers offer them, and they can be a very useful tool for identifying possible spammers on your network, as well as preemptively resolving issues with mailing lists.  If you don’t have an Abuse contact set up for your domain and IP addresses, you should do that now – and register your IP(s).   AOL, Hotmail, Yahoo, and Spamcop are excellent ones to be on.  It’s also important to have your abuse@domain.com address set up so people can contact you if they want to report spam from your server or network.

8. Monitor your IPs

As easy as it is to get blacklisted on the various RBL’s out there, you’ll want to be checking if your IPs may be listed and therefore causing your email to bounce.  RBLmon.com is a good way to get started, or you can implement blacklist checking into your existing monitoring solution.  The goal is to know when your IPs are blacklisted as soon as possible.

9. Use different IPs for email

By default, when you send email your email will go out on the main IP of the server. For sites that send large amounts of email, consider putting them on separate IPs so that they don’t affect the mail delivery of other users on the server, or the network in general.

See: Changing Exim’s Sending IP

10. Set up your DNS properly

It should go without saying that whatever IP you use to send mail should have a proper reverse DNS record, and the forward DNS of that PTR should match. For example, if your mail server is named mail.mydomain.com and points to 5.6.7.8, then the PTR for 5.6.7.8 should also be mail.mydomain.com.  Ideally these records should match the EHLO/HELO name given by your MTA (Exim). This name can be altered in /etc/mailhelo if you have this option checked in WHM > Exim Configuration Editor.
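
The blacklist check from tip 8 and the forward/reverse DNS match from tip 10, as an added example that is not part of the original post. It assumes dig is installed; DNS_FIXTURE is a hypothetical hook and the sample records are constructed, so the checks can be run offline.

```sh
#!/bin/sh
# Added example: DNSBL listing check and forward-confirmed reverse DNS check.
# When DNS_FIXTURE is set, answers come from a "TYPE NAME ANSWER" file
# instead of dig.

lookup() {
    if [ -n "${DNS_FIXTURE:-}" ]; then
        awk -v t="$1" -v n="$2" '$1 == t && $2 == n { print $3 }' "$DNS_FIXTURE"
    elif [ "$1" = PTR ]; then
        dig +short -x "$2"
    else
        dig +short "$1" "$2"
    fi
}

# Print the DNSBL query name for an IPv4 address: octets reversed, then the zone.
dnsbl_query_name() (
    ip=$1 zone=$2
    [ -n "$zone" ] || exit 2
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) exit 2 ;; esac
    IFS=.; set -- $ip
    [ $# -eq 4 ] || exit 2
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 2
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
)

# Exit 0 if the IP is listed (an answer in 127.0.0.0/8), 1 if not, 2 on bad input.
dnsbl_listed() (
    name=$(dnsbl_query_name "$1" "$2") || exit 2
    lookup A "$name" | grep -q '^127\.'
)

# Exit 0 when the PTR of the IP resolves back to the same IP and, if a HELO
# name is given, the PTR equals it.
fcrdns_ok() (
    ip=$1 helo=${2:-}
    ptr=$(lookup PTR "$ip" | head -n 1)
    ptr=${ptr%.}                      # dig prints a trailing dot
    [ -n "$ptr" ] || exit 1
    [ -z "$helo" ] || [ "$ptr" = "$helo" ] || exit 1
    lookup A "$ptr" | grep -qxF "$ip"
)

# Constructed records: the post's mail.mydomain.com / 5.6.7.8 pair, plus a
# documentation-range address that is listed and has mismatched reverse DNS.
DNS_FIXTURE=$(mktemp)
cat > "$DNS_FIXTURE" <<'EOF'
PTR 5.6.7.8 mail.mydomain.com.
A mail.mydomain.com 5.6.7.8
A 10.2.0.192.dns.myrbl.org 127.0.0.2
PTR 192.0.2.10 host.example.net.
A host.example.net 192.0.2.99
EOF

for ip in 5.6.7.8 192.0.2.10; do
    dnsbl_listed "$ip" dns.myrbl.org && bl=LISTED || bl=clean
    fcrdns_ok "$ip" && rdns=ok || rdns=MISMATCH
    echo "$ip dnsbl=$bl fcrdns=$rdns"
done
```

Unset DNS_FIXTURE to query live DNS, and pass the name from /etc/mailhelo as the second argument to fcrdns_ok to confirm the HELO name matches as well.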

Presentation Slides for cPanel Conference 2010

Posted by Vanessa | Posted on October 7, 2010

You asked for them!  Click below to download the PDF version of the slides used in my presentation during the 2010 cPanel Conference.

File: Automating Server Setups (331.70KB)
Added: 10/07/2010
Downloads: 1098
Description: cPanel Conference 2010 presentation slides

Nasty Kernel Exploit in the Wild

Posted by Vanessa | Posted on September 19, 2010

I love waking up on a nice Saturday morning to find out that one of my servers was rooted.

A two-year-old kernel issue in Redhat distributions has surfaced in the form of a nasty exploit by Ac1db1tch3z.  Basically, a 32-bit binary is compiled and loaded to the server, and when run by any user (even a non-root user), it uses a bug in the 32/64-bit compatibility layer to open a root shell.  Here’s a copy and paste of one that I ran on a test server:

user1@server [~]# ./badscript
Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y
$$$ Kallsyms +r
$$$ K3rn3l r3l3as3: 2.6.18-194.11.3.el5
??? Trying the F0PPPPPPPPPPPPPPPPpppppppppp_____ m3th34d
$$$ L00k1ng f0r kn0wn t4rg3tz..
$$$ c0mput3r 1z aqu1r1ng n3w t4rg3t...
$$$ selinux_ops->ffffffff80327ac0
$$$ dummy_security_ops->ffffffff804b9540
$$$ capability_ops->ffffffff80329380
$$$ selinux_enforcing->ffffffff804bc2a0
$$$ audit_enabled->ffffffff804a7124
$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - F0PZzzZzZZ/LSD(M) m3th34d
$$$ Prepare: m0rn1ng w0rk0ut b1tch3z
$$$ Us1ng st4nd4rd s3ash3llz
$$$ 0p3n1ng th3 m4giq p0rt4l
$$$ bl1ng bl1ng n1gg4 :PppPpPPpPPPpP
# whoami
root

Scary, eh?  And to think, Redhat has still not released a fix for this, and it’s been two days.  Therefore, if you’re running a 64-bit CentOS or RHEL 5 server, you may be a sitting duck. All it takes is one site on your server to be prone to remote file injection, and the hack is in.

No reason to fret, though, you have a couple options.

  1. Download a working patch from here, and install the kernel, kernel-devel, and kernel-headers RPMs, then reboot
  2. Ksplice really came through on this one, and by nature, provided an update that does not require a reboot. Take a look at their post here, and download their diagnostic tool to any of your 64-bit servers running CentOS or RHEL 5, to make sure they haven’t been compromised. They are also offering a 30-day trial so you can secure your servers.  $4/mo is a worthy investment, and I’m 100% sure that you’ll be happy with your results.

Update: on 9/12, Redhat released a patch for 64-bit RHEL systems: https://rhn.redhat.com/errata/RHSA-2010-0704.html, and a similar one exists now for CentOS: http://bugs.centos.org/view.php?id=4518

Adding New Feature Groups for a cPanel Theme

Posted by Vanessa | Posted on August 24, 2010

You’ll probably often see hosts that have a ton of extra icons in their cPanel for various items. When you’re customizing cPanel, it’s useful to be able to add icon groups for features that either need to be grouped together, or that don’t fit into other categories.  cPanel 11 makes it very easy to customize how icons are presented.

Create the Group

First, you’ll want to create your icon group.  The group will contain features/plugins that you create and assign to the group. Here’s a very basic example of a Twitter plugin that was created as part of a separate group called “Extras”:

First, we’re going to create the “Extras” group:

If you’re using the x3 theme, go into /usr/local/cpanel/base/frontend/x3/dynamicui . Create a file based on your new menu, prefaced with dynamicui, and ending in .conf. For example, I’m creating a group of icons that I want to be under a group called “extras”, so the file I create will be called dynamicui_extras.conf .

In the dynamicui_extras.conf file, I’ll add the properties for my group, making sure everything is on one line:

groupdesc=>Extras,description=>extra icons,grouporder=>-100,group=>extras_menu,
imgtype=>icon,subtype=>img,type=>image,file=>extras,height=>32,width=>32

*Above info may be wrapped for display purposes, but in the file it should all be on one line

The settings here should be fairly self-explanatory, but here are the main elements:

  • groupdesc: The label that will show up in cPanel for the group heading
  • description: Describes the group (not shown in cPanel)
  • grouporder: Where the group will show up in the cPanel interface (accepts negative values, lowest number is highest up)
  • group: The name of the group, used when generating cPanel plugins

The rest of the values should be inputted as above, and just put the file value as the name of the group.  Now, save the file and reload cPanel. If you have an active feature in this group, you should see the group and its icons appear when loading cPanel. If you don't see it, it means that either you don't have any features as part of the group, or your features are not configured correctly. So let's do that now!

Create Plugins (Features)

cPanel plugins are basically items in cPanel that add functionality, and are enabled/disabled in WHM's Feature Manager. To create a plugin, simply use the cPanel Plugin Generator.  Notice that in the form, there's an option for Display Group - you can choose any of those for now, since you're just going to change it later.

Once you've generated and downloaded the plugin, open the plugin file and edit the group line.  This should reflect the value you put as group for the group you created earlier, so in my example, the line should read:

group:extras_menu

To install the plugin, copy the file to /usr/local/cpanel/bin and run:

/usr/local/cpanel/bin/register_cpanelplugin /usr/local/cpanel/bin/<pluginfilename>

You should now see the icon and group in cPanel. If you don't, you can try rebuilding the sprites:

/usr/local/cpanel/bin/rebuild_sprites

Resources:

cPanel Documentation: Installing Plugins

cPanel Documentation: Adding Icons and Groups