
Presentation Slides for cPanel Conference 2010

Posted by Vanessa | Posted in Misc | Posted on October 7, 2010


You asked for them! Click below to download the PDF version of the slides used in my presentation during the 2010 cPanel Conference.

File: Automating Server Setups (331.70KB)
Added: 10/07/2010
Downloads: 1098
Description: cPanel Conference 2010 presentation slides

Nasty Kernel Exploit in the Wild

Posted by Vanessa | Posted in Misc | Posted on September 19, 2010

I love waking up on a nice Saturday morning to find out that one of my servers was rooted.

A two-year-old kernel issue in Redhat distributions has surfaced in the form of a nasty exploit by Ac1db1tch3z. Basically, a 32-bit binary is compiled and loaded to the server, and when run by any user (even a non-root user), it uses a bug in the 32/64-bit compatibility layer to open a root shell. Here’s a copy and paste of one that I ran on a test server:

user1@server [~]# ./badscript
Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y
$$$ Kallsyms +r
$$$ K3rn3l r3l3as3: 2.6.18-194.11.3.el5
??? Trying the F0PPPPPPPPPPPPPPPPpppppppppp_____ m3th34d
$$$ L00k1ng f0r kn0wn t4rg3tz..
$$$ c0mput3r 1z aqu1r1ng n3w t4rg3t...
$$$ selinux_ops->ffffffff80327ac0
$$$ dummy_security_ops->ffffffff804b9540
$$$ capability_ops->ffffffff80329380
$$$ selinux_enforcing->ffffffff804bc2a0
$$$ audit_enabled->ffffffff804a7124
$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - F0PZzzZzZZ/LSD(M) m3th34d
$$$ Prepare: m0rn1ng w0rk0ut b1tch3z
$$$ Us1ng st4nd4rd s3ash3llz
$$$ 0p3n1ng th3 m4giq p0rt4l
$$$ bl1ng bl1ng n1gg4 :PppPpPPpPPPpP
# whoami
root

Scary, eh?  And to think, Redhat has still not released a fix for this, and it’s been two days.  Therefore, if you’re running a 64-bit CentOS or RHEL 5 server, you may be a sitting duck. All it takes is one site on your server to be prone to remote file injection, and the hack is in.

No reason to fret, though, you have a couple options.

  1. Download a working patch from here, and install the kernel, kernel-devel, and kernel-headers RPMs, then reboot
  2. Ksplice really came through on this one, and by nature, provided an update that does not require a reboot. Take a look at their post here, and download their diagnostic tool to any of your 64-bit servers running CentOS or RHEL 5, to make sure they haven’t been compromised. They are also offering a 30-day trial so you can secure your servers.  $4/mo is a worthy investment, and I’m 100% sure that you’ll be happy with your results.

Update: on 9/12, Redhat released a patch for 64-bit RHEL systems: https://rhn.redhat.com/errata/RHSA-2010-0704.html, and a similar one exists now for CentOS: http://bugs.centos.org/view.php?id=4518
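
A triage helper for the situation described in this post, added here as an example (it is not from the original post, Redhat, or Ksplice). It checks whether a host matches the platform the post names (64-bit, EL5 kernel) and lists 32-bit ELF files in directories you pass it; the function names and the choice of directories are assumptions.

```shell
#!/bin/sh
# Added example: platform check plus a search for 32-bit ELF files,
# since the post describes a 32-bit binary dropped on a 64-bit server.
# A match on either check is a lead to investigate, not proof of compromise,
# and is_exposed does not tell you whether the vendor fix is installed.

# is_exposed ARCH RELEASE
# Returns 0 when ARCH/RELEASE describe a 64-bit EL5 kernel (the platform
# named in the post), 1 otherwise.
is_exposed() {
    [ "$1" = "x86_64" ] || return 1
    case "$2" in
        *.el5*) return 0 ;;
        *)      return 1 ;;
    esac
}

# is_elf32 FILE
# Returns 0 when FILE starts with the ELF magic (7f 45 4c 46) followed by
# EI_CLASS = 01, which marks a 32-bit object.
is_elf32() {
    elf_hdr=$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \n')
    [ "$elf_hdr" = "7f454c4601" ]
}

# scan_elf32 DIR...
# Prints every regular file under the given directories that is a 32-bit
# ELF object. File names containing newlines are not handled.
scan_elf32() {
    find "$@" -type f 2>/dev/null |
    while IFS= read -r elf_path; do
        if is_elf32 "$elf_path"; then
            printf '%s\n' "$elf_path"
        fi
    done
}

# Typical use on a live host (directories are an assumption; pick the
# world-writable and web-writable paths on your own servers):
#   is_exposed "$(uname -m)" "$(uname -r)" && scan_elf32 /tmp /var/tmp /dev/shm
```

Legitimate 32-bit software also shows up in the scan, so review hits by owner, path, and modification time before acting on them.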

cPanel Conference 2010

Posted by Vanessa | Posted in Misc | Posted on July 30, 2010

I’m excited to announce that this year I will be speaking at the cPanel conference, so if you haven’t yet registered, make sure you do it soon! The conference will be held in cPanel’s hometown of Houston, TX at the Westin Oaks Hotel between Oct 4-6, 2010.

My topic specifically will be covering full server automation from start to finish, essentially showing you how to deploy fully-configured cPanel servers without even touching a bash prompt. You’ll learn where cPanel stores its configuration files, how to configure services using cPanel’s service templates, and what scripts will save you time by automating simple tasks.

Hope to see everyone there!

Update: Use the code cpanel-twitter to get 25% off your registration fee!

New cPanel Database Mapping Feature: Is it for You?

Posted by Vanessa | Posted in Misc | Posted on May 28, 2010


It was announced by cPanel on April 14, 2010 that cPanel 11.25.1 will include a new database mapping feature that’s been long requested: the removal of cPanel username prefixes from the database names.  This is a non-reversible, opt-in feature that some hosts may find very valuable. But is it a feature that you need?

Who is this feature for?

  • Hosts migrating entire servers from other control panels like Plesk or Ensim
  • Single-customer environments

Who is this feature not for?

  • Shared hosting providers
  • Larger-scale hosts

The concerns initially raised are in regard to shared hosting servers. With the new database mapping feature turned on, if one user takes a database name, no one else on the server can use it. Additionally, you’re creating a conflict if you move that user from one server to another, where the recipient server already has a user with that database name. For these reasons alone, I would not advise enabling this option for the general shared hosting provider, if the end users are going to be allowed to pick database names.

One of the advantages of cPanel is that you can move accounts between cPanel servers, even those from other hosts. If one host has the new mapping feature enabled, and one doesn’t (or has an older version of cPanel), you’re likely going to have a problem. For hosts with high conversion rates, this can be a deal breaker if the ease of moving cPanel accounts from other hosts isn’t there anymore.  This feature also creates a break in the standardization that all cPanel servers inherently have.  Most users by now that have already used cPanel know about the current database naming scheme, so enabling this feature without any technical justification can also create confusion among users that are familiar with and have been using cPanel for a long time.

Update: A rep from cPanel added this comment:

As of cPanel 11.25.0 builds 46057 and higher, accounts transferred from a cPanel 11.25.1 system will preserve the YAML mapping file. Any databases and database users that lack the old-style prefix will not be manageable in the 11.25.0 cPanel interface, but the information is at least retained for later use (e.g. if a system with such an account is later upgraded to cPanel 11.25.1+ then the pre-existing YAML file will be updated and the databases and user will be manageable in the cPanel interface).

On the other hand, this feature is extremely valuable for hosts converting from other control panels or fulfilling requirements of single-customer environments. Other control panels do not prefix usernames to the database name, so large transfers would be especially painful for a cPanel host that acquires a non-cPanel host. The new mapping feature will help eliminate downtime due to incorrect database connection parameters and the need for mass reconfiguration.

Finally, for hosts that offer VPS and Dedicated hosting to single-customer environments, it’s nice to finally be able to remove the prefix that annoys web developers and IT people in charge of moving their customer sites.

So while this new feature is exciting, it’s opt-in for a reason – and that doesn’t mean it’s right for your hosting setup.

Additional Information:

http://www.cpanel.net/blog/integration/2010/04/a-general-overview-of-database-mapping.html
http://www.cpanel.net/2010/05/backwards-incompatible.html
http://www.cpanel.net/blog/integration/2010/05/more-details-about-db-mapping.html

Free cPanel Log Poster

Posted by Vanessa | Posted in Misc | Posted on January 8, 2010


cPanel is giving away FREE cPanel log posters. All you have to do is sign up on their site below:

http://www.cpanel.net/signupform.html

Here’s what the poster looks like:

http://www.cpanel.net/images/loglocationsposter.jpg

cPanel 11.25 Webinar

Posted by Vanessa | Posted in Misc | Posted on January 6, 2010


I received an email from cPanel yesterday:
————————————————
The cPanel team is pleased to present “cPanel 11.25 Unveiled” via a technical webinar. Over the past 12 months we have worked hard to produce a major release that focuses on enhanced security, reliable performance, and new features.

For administrators, this webinar will provide a top level overview of new features. We hope this webinar will allow you to explore and understand what 11.25 has to offer.

More Information on 11.25: http://www.cpanel.net/releases/1125/

David Grega will lead the 11.25 technical webinar. The webinar will also feature a technical Q&A session. We intend for administrators, sales engineers, and organizations that rely on cPanel/WHM for Linux web hosting automation to attend the webinar.

Date: Thursday, January 14, 2010
Time: 9:00 AM – 11:00 AM CST

After registering you will receive a confirmation email containing information about joining the webinar.
——————————————–

SpamAssassin 2010 Ruleset Bug Confirmed

Posted by Vanessa | Posted in Misc | Posted on January 1, 2010

cPanel confirmed via email and on their site that SpamAssassin has a bug:

“The Quality Assurance team discovered a bug within the SpamAssassin ruleset that will mark messages sent in the year 2010 (that’s today) and beyond with a higher spam score than expected. This bug can result in legitimate mail being flagged as spam.”

You can read more about this on their website here:

http://www.cpanel.net/2010/01/spam-assassin-ruleset-bug.html

However, the fix is quite simple if you don’t already have auto cpanel updates enabled:

/scripts/autorepair spamd_y2010_fix