ClamAV is an popular open source anti-virus toolkit for *nix, and while many people don’t find much value in using antivirus software on Unix, it is very useful for email scanning.  cPanel’s implementation allows end users to run scans on their home folders, public FTP folders, mail, and public_html.

It’s really hard to install ClamAV on cPanel – if you’re too lazy to click a couple buttons.  Simply go to WHM > Manage Plugins and enable the ClamAV Connector, and you’re good to go.

After this is done, you can go to WHM > Configure ClamAV Scanner and set scanning options for the entire server or specific users:

You should now see a Virus Scanner option in cPanel. If you don’t, you may need to enable it in Feature Manager.

From here, cPanel users can run scans on any permitted items.

For administrators, here are a few quick commands that may be useful:

Update antivirus database:

freshclam

Scan a directory and print out infected files:

clamav -ri /home

Scan a directly and remove infected files and emails:

clamav -ri –remove /home

This article will not go into detailed technicalities on identifying, troubleshooting, tracing, and fixing hacks. These topics are far too broad to cover in a single article, and is outside the scope of this article’s intent. This guide is to help you, the system admin, come up with a plan to handle situations involving breached security.

FTP hacks seem to be on the rise nowadays, with viruses like Gumblar stealing FTP passwords and farming them out to hackers so they can upload malicious code into user files. What you end up with is a flood of complaints from users about errors on their site and being flagged by Google for malicious content.  And as you know, when  things like this happen the first person the customer tends to blame is the hosting provider.

While it’s really not something you as the hosting provider can control, there are measures you can take to secure your server against FTP hacks.

Lately FTP has been a problem for a lot of hosting providers. Especially since the recent influx of Gumblar-related attacks and FTP exploits, some hosting providers are now considering changing their FTP ports as an added measure of security. If you’re on a cPanel server you have a couple extra steps to go through, but it’s a rather easy change.

Pure-FTP

1) Edit /etc/pure-ftpd.conf and look for the following line:

Bind <addr> <port>

Where <addr> is a publically routable IP.  The default example, 127.0.0.1, will cause the socket to bind locally but then this connection won’t serve externally. <port> is the new port you wish to put the service on.

2) If necessary, add the new FTP port to your server’s firewall

3) Edit /etc/chkserv.d/ftpd and change the port, which is the first comma-separated entry to the right of ‘=’ on the line in the file, to match the port you put the service on.

Finally:

/etc/init.d/pure-ftpd restart
/etc/init.d/cpanel restart (restarts tailwatchd/chkservd)

ProFTP

Edit /etc/proftpd.conf and change:

Port 21

Then make sure to test to make sure FTP is working before notifying your users!

DomainKeys (DKIM) and SPF records are becoming a common, and annoying, demand among email providers, mainly Yahoo and Hotmail. In short, both are methods of email authentication designed to verify email integrity, by linking a sender to a specific server or hostname. In other words, DomainKeys and SPF records specify what servers can send email on behalf of a domain name.

You’ll want DomainKeys and SPF records if your users have trouble sending email to certain providers, or they are having issues with spoofed (forged) email. CPanel currently allows two easy ways for you or your users to set up email verification. This is supported at least from cPanel 11.18 onward.