Domain: cpanel.net
Stories and comments across the archive that link to cpanel.net.
Comments · 26
-
Re:Overly aggressive
It's often overkill during development
Chrome considers the loopback interface secure. If you can't use localhost because you're testing a web application on a mobile browser, you can run a private CA with OpenSSL and install its root certificate on your testing devices.
And yeah I know you can use Let's Encrypt... if you're happy to put up with ludicrously short certificate expiration times, or install their software on your server and configure it to work with whatever you're serving your certs with
You don't have to install Certbot (the canonical client recommended by LE) to get a certificate for a host in a domain that you own. Certbot is only one of many ACME clients that LE supports. Some of these clients support a DNS challenge, in which the CA asks you to put a TXT record on your domain's DNS server instead of a file on your host's server. To use the DNS challenge, you just need the ability to update the zone file. Besides, a growing number of VPS administration packages support ACME; in fact, cPanel 58 added it a couple weeks ago:
sudo /scripts/install_lets_encrypt_autossl_provider
-
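The DNS challenge the comment above describes, worked through as an added example (this is not code from the thread, from Let's Encrypt, or from cPanel's AutoSSL). Per RFC 8555 the client proves control of a name by publishing a TXT record at `_acme-challenge.<domain>` whose value is the base64url SHA-256 of the key authorization, i.e. the challenge token joined with '.' to the RFC 7638 thumbprint of the ACME account key. The account key, the token and the example.org name below are constructed for illustration; the functions only compute the record and check it the way a CA would, they do not talk to a CA or a DNS API:

```python
from __future__ import annotations

import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME and JOSE use throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed account key for the example: the modulus is NOT a real RSA key.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(b"constructed modulus for illustration, not a real RSA key"),
}

# RFC 7638: thumbprint input is only the required public members, in lexicographic order.
_REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def canonical_jwk_json(jwk: dict) -> str:
    """Canonical JSON of the required members; private members such as 'd' are dropped."""
    members = _REQUIRED_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest())


_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: <token>.<thumbprint of the account key>."""
    if not _TOKEN_RE.match(token):
        # A token is base64url by definition; anything else is a malformed or hostile
        # challenge and must not be written into a zone file.
        raise ValueError("challenge token is not base64url")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """Record name and TXT value for dns-01 (RFC 8555 section 8.4).

    A wildcard identifier is validated at its base name, so the leading '*.' is dropped
    before the _acme-challenge label is prepended.
    """
    base = domain[2:] if domain.startswith("*.") else domain
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


def txt_rrset_satisfies(txt_values, expected: str) -> bool:
    """The CA's side of the check: any one TXT record in the RRset equal to the
    expected value passes, so stale records from earlier issuances do not break it."""
    return expected in txt_values


if __name__ == "__main__":
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed challenge token
    name, value = dns01_record("*.example.org", token, SAMPLE_ACCOUNT_JWK)
    print(f'{name}. IN TXT "{value}"')
    print("satisfied:", txt_rrset_satisfies(["old-value", value], value))
```

Two things worth keeping in mind when you automate this: the CA resolves the TXT record from the zone's authoritative servers, so the client must wait for the update to reach them before telling the CA to validate; and whatever credential the client uses to write the record can now also issue certificates for the whole zone, so many people CNAME `_acme-challenge.<domain>` into a separate, low-value zone and give the client credentials only for that.
-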
Re:Help me promote Perl 6
-
Re:Who's using Perl?
CPanel uses perl in its flagship product. Maybe it's not a huge company (and it's not) but it does supply software to a lot of web hosting companies.
-
I don't see any SNI SSL hosting offers
Internet Explorer compatibility is usually not on the list of features unless you're writing a commercial website so SNI is entirely unproblematic if you do decide to get a certificate.
I did a quick Google search for sni ssl web hosting, and all the results on the first page were about theory, not a particular hosting service offer. I got similar results for sni ssl web hosting price. It appears commercial web hosts don't offer SNI SSL web hosting yet, and I can think of two reasons. First, CentOS 5.5 uses OpenSSL 0.9.8e, and SNI didn't land in OpenSSL until 0.9.8f. Second, I imagine that SSL web hosts don't want the expense of handling support calls from web hosting customers complaining that visitors using IE on Windows XP can't get there.
-
Re:cPanel
Whoops, apparently there's just an update released today. With a different fix it seems.
http://forums.cpanel.net/f185/case-45290-exim-0-day-178281.html
-
Web host control panels that don't support IPv6
One particular issue is web host control panels - of the major control panels (cPanel, DirectAdmin and Plesk), only DirectAdmin has IPv6 already, and many web hosts aren't willing to deploy a different control panel just to get to IPv6. Hence many websites simply can't go IPv6 easily until the ISP upgrades to the control panel, and in the case of cPanel, which is by far the most popular one, there is not even a roadmap date for v6. Same goes for Plesk apparently.
If you use cPanel, see http://forums.cpanel.net/f145/case-10334-make-cpanel-ipv6-compatible-35453.html and comment if you want to see IPv6.
If you use Plesk, see http://forum.parallels.com/showthread.php?t=102770
-
CentOS at cPanel Con 09?
heheh - if this is still an issue in October, I can only imagine the angry horde in front of their booth. http://www.cpanel.net/2009/06/centos-is-exhibiting-at-cpanel-conference-2009.html
-
Re:The register's older writeup on this ...
Some additional reports from earlier this week and previous...
http://blog.trendmicro.com/e-commerce-sites-invaded/
http://www.scmagazineus.com/Attack-injects-malicious-JavaScript-into-e-commerce-sites/article/104206
http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/
http://www.cpanel.net/security/notes/random_js_toolkit.html
http://isc.sans.org/diary.html?date=2008-01-18
http://isc.sans.org/diary.html?date=2008-01-14
http://www.webhostingtalk.com/showthread.php?p=4902045
-
Re:I'm not sure I buy it
they can't find any evidence of hacking
\begin{snarky}
I'm surprised some of these "admins" can find their servers, let alone moderately well hidden rootkits.
\end{snarky}
Many system administrators do not have a deep background in *nix security. If they can install a Linux box, they're apparently qualified. There are many admins who are extremely competent in security matters, but I have not seen anything coming from those people. (Perhaps they weren't infected?) So, I have not heard (read) of anything from anyone describing a good analysis of an infected machine. The best so far is the cPanel note. There they do mention that "[i]t is common to see a short but successful root login via ssh 5-10 minutes before the compromise occurs" which in my mind is already a compromise.
-
Re:Ubuntu as well?
This is old news. It's caused by a rootkit: http://www.cpanel.net/security/notes/random_js_toolkit.html
-
Re:Get a real ISP...
With my ISP, all the domains are located under the CPanel account. Whether I have 50 or 100 domains (I currently have two), they're all accessible with one password. Which is why the ISP owner requires a working phone number and charges five bucks for.
-
Re:Bluehost issued a fix.
I am just curious, have you posted any of these issues at http://bugzilla.cpanel.net/ ? While I can understand not wanting to post certain details (i.e. if a user uploads a script with these contents "blah blah blah" he gains root access), you can either mark the comment as private or offer to email them to cPanel QA/Dev/Whoever
-
Cpanels patch doesn't work! Read!!
Brent with hostgator.com here again. We have just discovered cPanel's patch /scripts/upcp doesn't do anything. If you think you were autopatched last night or ran upcp, you're still very hackable. What you need to do is run /scripts/upcp --force
A way to confirm our findings is to run http://layer2.cpanel.net/installer/sec092306.pl which is their patch checker. If you're not safe it will say "not safe"; if you're safe it will say "safe". After all this, even after running and being told "safe", I don't believe it's truly fixed. We'll all be very lucky if something doesn't spawn off this or another cPanel wrapper exploit doesn't hit the market. cPanel, please provide us with some source so we can help you audit. We're not asking for all of it, just parts that we know aren't secure such as wrapper.
-
Script Kiddie is 100% dead on.
'Wanna see something *really* scary?' heheh What homeland security doesn't realize is one of the largest threats we have regarding domestic 'cyber terror' is the fleet of hundreds of thousands of compromised web servers residing in places like Texas (ironic, isn't it).
Here's how the process works:
Step 1 - Joe Q Host wanna be goes to The Planet and orders himself a spiffy new server with C-Panel
Step 2 - Joe Q Host spends 10 minutes setting up the server and just assumes its all nice and secure. Builds PHP with everything and gives unrestricted access to 13 fiber rings to anyone who has a PayPal account or credit card.
Step 3 - Joe Q Host gets tons of sign ups, makes bank, and doesn't realize his server is more infested with spam bots, rogue torrent trackers, UDP blasters, IRC bombs .. and moreover doesn't care unless his users make an issue out of it.
Considering the several Million servers re-sold to people vastly underqualified to maintain them, I'd say that constitutes one hell of a DoS network. The scary, scary, scary part? Those bots are controlled centrally, and most places (like The Planet) do *not* watch outgoing traffic.
You are 100% correct , 'script kiddie' is the word, not 'hacker'.
Hosts can't disable that kind of functionality in PHP else their customers will go to someone who allows it, too many things depend on php being able to make shell calls, like image galleries / etc. suexec + php breaks too many things, people don't care about security they want their freebie sourceforge specials to work.
We create the need that creates the opportunity folks. Plain and simple. You need a license to fart in most states (figure of speech), should need some sort of cert to be a provider. That not only increases our domestic IT security, it cuts down on spam drastically.
Food for thought :)
-
Perhaps if people learned the OS they use ....
I can't help but get a little sick when I see a whole book written on something so incredibly simple.
The reason you see PHP being exploited is not the security of the host OS, not the security of PHP (well almost never) , its the lack of knowledge by the person owning the computer hosting the sites and companies like The Planet who hand them out to literally anyone with a Paypal account or credit card number.
I can in 20 minutes show any experienced Linux system administrator how to run PHP completely wide open as far as functionality is concerned on a shared hosting environment and how to do it relatively safely.
Your average web hosting company is a business person who has money to buy servers with idiot proof (nearly) control panels such as C-Panel / WHM.
They're also likely to come with RHEL, Centos 3 or 4 or Fedora. Very rarely do I see a Debian server used in a shared hosting situation (That should also tell you something).
These boxes are not secure yet they go immediately into production.
SO! To anyone who cares, (and reads this far) here is Tinkertim's checklist :
1 - Egress filtering (firewall the damn box),
2 - Get rid of that fat, bloated leaky modular kernel. Monolithic kernels are too easy to build not to do it. Don't forget to keep iptables, test with your firewall when done.
3 - Seek and loop world writeable directories, or mount them as noexec. Even doing that is not going to save you all of your trouble. As nobody I can run /bin/sh -x /tmp/mybot.sh just fine on most linux distros even if /tmp is noexec. So dammit go toss the 3 lines of code in /bin/sh that keeps uid/gid 99 from doing that.
4 - Don't even THINK about using apache/proxy on a shared hosting setup. Thats just incredibly stupid and self destructive.
5 - Look around in /dev ... make sure you took ALL the tools away that helps people get bad code onto your box in the first place. /dev/tcp is just as lethal as leaving wget available on a fedora / RHEL installation. Use mknod and make them safe. Same with /dev/udp .. remake them.
6 - Get rid of what you don't need. Rename what you do and use scripts to help govern them. Lynx / wget / POST / GET (and everything else RHEL/Centos comes with) can be used to do dastardly things. Take advantage of user / group ownership that is found in Unix.
7 - lsof is your friend. Write a script to check for open accepting inet sockets that don't belong.
8 - (finally) VERIFY YOUR ORDERS ... stop making instant setup hosting accounts. Use fraud screening services. Remember a security hole is only a problem if you sell space to someone who's intention is to exploit it.
Web hosts are the scourge of the planet. I know, I am one :) But I do things a bit differently than most. There are things you (yourself) can do if you're stuck on shared hosting to ensure and nudge your host into securing their boxes.
I may just re-post later or re submit with that list too. I'm off the soap box now. My point is this. We (shared web hosts) made this problem. We have a responsibility to admit it and stop it. I'll work on some checklists and scripts to do it for the lazy bastards and GPL them. Tired of people getting rich writing books making hype about what (should be) a very trivial issue.
-
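Item 7 of the checklist above (check for listening sockets that don't belong), written out as an added example; this is not the poster's script, nor anything shipped by cPanel. It parses the output of `lsof -nP -iTCP -sTCP:LISTEN` against an allowlist of which command is expected on which port, and flags everything else, with extra suspicion for anything listening as the web server's unprivileged user, since that is the uid a bot dropped through PHP ends up with. The lsof lines and the allowlist are constructed for the example; the port assignments are typical of a cPanel box but you must edit them to match your own host:

```python
from __future__ import annotations

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output, not from a real host.
SAMPLE_LSOF = """\
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812   root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
httpd    1234   root    4u  IPv6  23456      0t0  TCP *:80 (LISTEN)
httpd    1234   root    6u  IPv6  23457      0t0  TCP *:443 (LISTEN)
exim     1500   root    5u  IPv4  34567      0t0  TCP *:25 (LISTEN)
mysqld   1600  mysql   10u  IPv4  45678      0t0  TCP 127.0.0.1:3306 (LISTEN)
exim     1500   root    6u  IPv6  34568      0t0  TCP [::1]:25 (LISTEN)
perl     9999 nobody    3u  IPv4  56789      0t0  TCP *:6667 (LISTEN)
sh       9123 nobody    4u  IPv4  56790      0t0  TCP *:8080 (LISTEN)
"""

# port -> commands allowed to listen on it. Constructed for the example; lsof truncates
# COMMAND to 9 characters, so use the truncated spelling here.
ALLOWED_LISTENERS = {
    22: {"sshd"},
    25: {"exim"},
    80: {"httpd"},
    443: {"httpd"},
    3306: {"mysqld"},
    8080: {"httpd"},
}

# Accounts that PHP/CGI run as on a shared host; nothing should be *listening* as them.
WEB_USERS = {"nobody", "apache", "www-data"}


def parse_lsof_listeners(output: str) -> list[dict]:
    """Turn `lsof -nP -iTCP -sTCP:LISTEN` lines into records; the header row is skipped."""
    records = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[0] == "COMMAND" or fields[-1] != "(LISTEN)":
            continue
        # NAME is host:port; rpartition copes with *:22, 127.0.0.1:3306 and [::1]:25 alike.
        addr, _, port = fields[-2].rpartition(":")
        records.append({
            "command": fields[0],
            "pid": int(fields[1]),
            "user": fields[2],
            "addr": addr,
            "port": int(port),
        })
    return records


def unexpected_listeners(output: str, allowed: dict = ALLOWED_LISTENERS) -> list[dict]:
    """Every listener whose (port, command) pair is not allowlisted, plus any allowlisted
    pair that is nonetheless owned by a web user. Each finding carries its reason."""
    findings = []
    for rec in parse_lsof_listeners(output):
        reason = None
        if rec["port"] not in allowed:
            reason = "port not in allowlist"
        elif rec["command"] not in allowed[rec["port"]]:
            reason = f"unexpected command for port {rec['port']}"
        elif rec["user"] in WEB_USERS:
            reason = "listener owned by web user"
        if reason:
            findings.append({**rec, "reason": reason})
    return findings


if __name__ == "__main__":
    import subprocess
    import sys

    if "--live" in sys.argv:  # run against this host instead of the constructed sample
        output = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                                capture_output=True, text=True, check=False).stdout
    else:
        output = SAMPLE_LSOF
    for f in unexpected_listeners(output):
        print(f"{f['command']}[{f['pid']}] as {f['user']} on {f['addr']}:{f['port']}: {f['reason']}")
```

Run from cron and diff against the previous run to get alerts on new listeners. One caveat that the rootkit discussion further up this page makes obvious: lsof only reports what the kernel shows it, so a kernel-level rootkit will hide its sockets from this check too. Cross-check from the outside with a port scan of the box now and then.
-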
Re:Why MySQL and not PostgreSQL?
Both of my friends, who run CPanel cheap webhosting companies, offer PostgreSQL. For free. It's a little elephant icon right next to the MySQL icon in CPanel. I can assure you, they do exist. A quick check in the CPanel user manual shows a whole section devoted to PostgreSQL. As to how hard it is to set up from scratch - I couldn't say. But here's one way multiple users can use it extremely easily and quickly.
-
Re:CPanel is very isp friendly
So, if it is true, why don't we see more ISPs using cPanel with PostgreSQL?
It seems you're not completely correct about the real reasons, since cPanel does include PostgreSQL configuration tools...
-
Re:Mysql is very isp friendly
ISPs install MySQL using root.
Cpanel just configures it. It doesn't install apache, mysql and so.
BTW, cPanel didn't forget PostgreSQL
-
Webhosting Control Panel? cPanel?
...Imagine Google being able to offer a one click method of adding tools such as adsense/google search/etc to user sites.
It'd be an easy method of google pushing any of their new features/etc to users and making it easier for joe-blow-site-owner to do things like add adsense to the site. http://www.cpanel.net/?
Seems like a valid buyout for google for the right price, though definitely not cheap
-
CentOS better then cAos
I've been on FC2 since it got released but I got tired of it so I got an RHEL clone, CentOS. I remember back then when CentOS was hosted by the cAos community. By the way cPanel added support for cAos 2 -> cPanel?
-
Re:Dang!
Don't get me wrong, Webmin is great, it's at the top of my list fer shure, but that's not the be-all and end-all of systems management!! What about actual convenient tools like MRTG, Novell's eDirectory, RedCarpet, etc. etc.?
Huh? I'm not that familiar with eDirectory or RedCarpet, but MRTG isn't an all in one configuration interface like webmin. I though the only webmin alternatives were commercial products like:
Ensim
Plesk
Cpanel
Are there free software uber-configuration products other than Webmin? I tend to stick to the command line over ssh myself.
-
blackhole.mydomain.com
I've got my own domain, hosted on a server running cPanel. I initially created blackhole@mydomain.com, which cPanel lets me conveniently 'forward' to :blackhole: (ie, the mail goes nowhere at all). Eventually, I realized some places (ie, AOL IM signup pages) limited how many times you could use the same address, so I created the whole subdomain of blackhole.mydomain.com.
All my friends know that mail sent there goes nowhere, so several of us use it for mail when we *know* it will serve no legitimate purpose.
I also have a catchall at my main domain (not blackhole.), so mail to any non-existent address works its way to me. This way I can give companies e-mails like amazon@mydomain.com; if they start getting spam, it's obvious where they're coming from, and then I just set up a 'redirect' again to either :fail: or :blackhole: the mail.
For those really sick of e-mail nightmares, spending $6.49 a year, plus a few bucks for hosting, is definitely worth it.
-
PHPMyChat
PHPMyChat comes with CPanel which is an extremely popular web hosting management package, so you might have it available and not even know it. PHPMyChat is also freely available and totally customizable. After editing the css files I was able to make the window very small and nearly borderless so it is very lowkey for my wife whose boss treats all the employees like children.
You can create users and private rooms and all kinds of other stuff. Just type /help for a popup window with commands and instructions.
-
Marginally Off-topic Suggestions
This doesn't pertain to whether you should use DSL or Ethernet, but rather is a few things I've always thought ISPs should do. (I've had this almost life-long goal of starting an ISP for some reason...)
I own a domain, and use it primarily for the unlimited mail aliases. Every site I go to gets sitename@mydomain.com, which just forwards to my main address. If they start spamming, I can tell exactly who it is, and redirect (or block entirely) the mail. Why not give each customer a subdomain (customer.condo.com) where they get, say, 5 POP boxes, but unlimited aliases? Used effectively, this could *really* fight spam. (This is venturing more offtopic, but Cpanel seems to be the most popular web-based control panel; you could provide customers with some webspace and e-mail access. It's easy to use, but even great for geeks. You can get licenses for like $40/month, or possibly less.)
Another thing I've always thought ISPs should offer was NAT access. Rather than getting an external IP, they'd get an internal one and use your proxy. It'd save you from needing as many IPs, and it gives them great security -- unless you go out of your way to set it up, no one can connect to them. Of course you shouldn't force this upon people, but some people might *want* NAT. Offer it as a 'privacy' plan. (Heh, you could probably even charge extra, lol)
Something like Squid could really speed things up, especially if you only have a T1.
The last "If I ran an ISP..." item regards DNS. Maybe it's because Adelphia is so crappy (they have like 5 DNS servers, and whatever you have as primary ALWAYS goes down, so you're re-ordering the nameservers several times a week to make it work at all...), but I ended up using OpenNIC, which essentially is a 'democratic' TLD assigner; they have a lot of new TLDs not supported by 'real' DNS. (And, of course, lookups for regular TLDs work, too.) Not sure if you want to make it standard, but I'd be way impressed if an ISP gave me the choice of 'regular' DNS or OpenNIC DNS servers to use.
Oh! Don't forget to do your part and setup a good firewall. Another seemingly uncommon thing I've always thought ISPs should do was to do *good* egress filtering: filter traffic *leaving* your network too. I start to rant about this idea every time I read about a big DoS attack; if ISPs were more careful about what leaves their network, a lot of DoS attacks would simply get dropped at the attacker's ISP.
-
Re:And as a Slashback recommendation...
$200 for an entry level server with 30GB/mo. Great web-admin if you want it, and their customer management portal is awesome as well.
They kick ass.
How about $249/month for a more powerful server with 300 GB/month?
http://www.assortedinternet.com/hosting/economy-dedicated.jsp
Or perhaps $349/month for the same server with CPanel and Web Hosting Manager installed.
http://www.assortedinternet.com/hosting/silver-dedicated.jsp
Oh, and all servers are actively monitored, so if anything should go wrong, they will be fixed automatically. Most providers, including Rackspace don't actively monitor servers. They just fix them when you call and tell them its crashed.
:-)
Take care,
Brian
-
Re:Never trusted control panels
Wow, I don't know how many of these types of messages I've seen on slashdot. The good-ol tongue-in-cheek stab at some large company while trying to remain anonymous. "I my from a company that will remain nameless, except that i'll blatantly hint to who it actually is. And BOY, does their SUCK!"
Come on, man... just because you got shafted doesn't mean there's not decent software out there. My hosting provider uses Cpanel, which has options for configuring just about anything. The UI could use a little work in some areas, but for the most part it's pretty damn good. It lets you do basic filesystem management, uploading, enabling of certain features, etc. I use the web-based tools for managing the mailing lists and mail aliases, because they're pretty slick- even though I managed to find the files that control it all myself.
The fact of the matter is, not everyone who's gonna use web hosting is going to be able to telnet to the box and administer it from there. There has to be a middle ground that provides the functionality you need without being too limiting.
Themed Cpanel example
Apparently you license the stuff from cpanel; there's more info on their site.