Our system will take you through the process, which takes less than 5 minutes, of getting your cPanel logins.
How To Create A Node.js Application
Before you can configure your Node.js application, you will need to get that application to your cPanel server.
You can simply use SFTP to upload the copy of your application to your server.
Or you can also use cPanel’s native Git support to clone the repository onto your server and deploy from there.
The following example uses cPanel’s native Git support to clone the application to the server and then deploy it.
Clone The Application
Login to cPanel.
On the Files pane, you see cPanel’s Terminal interface (cPanel – Home – Advanced – Terminal).
Click on it to see where you can create a Git repository.
Now go back to GitHub and clone with HTTPS using the web URL. To keep your application data secure, be sure not to clone or upload into the public_html folder, since this makes the code itself potentially accessible from the web. Our system strives to keep your data safe, and during deployment it is not a requirement that your application data be publicly accessible.
Cloning To A cPanel Server From A Private Github Repo
Private repos require SSH access, so you must perform additional steps in order to clone a privately-hosted remote repository.
You can use cPanel’s Terminal interface (cPanel – Home – Advanced – Terminal) to access the command line from within the cPanel interface.
Generate An SSH Key
If you have not already configured one, run the following command to generate an SSH key:
In this example, “username” represents the cPanel account username and “example.com” represents the domain name.
After you run this command, the system will prompt you to enter a passphrase.
Do not enter a passphrase.
Press Enter to continue.
Verify That The Key Is Available
To confirm that the key exists and is in the correct location, run the following command:
Register Your SSH Key With The Private Repository Host
To register an SSH key with GitHub, perform the following steps:
Log in to your GitHub account.
Navigate to your private repository.
In the top right corner of the page, click Settings. A new page will appear.
In the left side menu, click Deploy keys. A new page will appear.
In the top right corner of the page, click Add deploy key. A new page will appear.
Enter your SSH key data:
In the Title text box, enter a display name for the key.
In the Key text box, paste the entire SSH key.
If you want to push code from your cPanel account to your GitHub account, select the “Allow write access” checkbox.
If you do not select this checkbox, you can only deploy changes from your GitHub repository to the cPanel-hosted repository.
Click Add key.
Do note that some repository hosts do not allow you to configure write access for your access keys.
For information about how to register your SSH key with another private repository host (Bitbucket, GitLab, etc), consult that host’s website or documentation.
Test Out The SSH Key
To test your SSH key, run the following command.
ssh -T git@example.com
where “example.com” represents the private repository’s host, e.g. ssh -T git@github.com for GitHub.
Clone The Repo To cPanel
To clone the repository, run the following command on the cPanel account, where “git clone git@example.com:$name/private-repo.git” represents the private repository’s clone URL:
git clone git@github.com:$name/private-repo.git
If you see “Error: The WebSocket handshake failed at …” when you access cPanel’s Terminal interface (cPanel – Home – Advanced – Terminal), recheck your connection.
If you are using a VPN, disconnect and use your normal internet connection.
Once you click on “Create”, you will be brought back to the repository page showing the full path of the application being deployed.
This path is important, so do save it for later use.
Select a Node.js version.
Select either “Development” or “Production” for the application mode.
Select the application root. This has to be the physical path to your application on the server that corresponds with its URI.
Select the Application URL. This is an HTTPS link to your application.
Fill in the form to point to the Application startup file. You can also add additional environment variables by clicking on “Add Variable”.
… a more detailed explanation.
Node.js Application Configuration
With the application files in place on the server, you are ready to configure Node.js to launch that application from the web.
From cPanel on the same account under the “Software” tab, select “Setup Node.js App”.
On this setup screen, you’ll select “Create Application” to bring up the options for choosing the Node.js version as well as whether to use a Development or Production environment.
The application’s code generally has different hooks depending on how this environment variable is set.
As a general rule, Production is going to have more levels of caching, as well as minimal logging.
So, with a Development environment set, you can expect the inverse: fewer levels of application caching, and more verbose logging and error message output.
A typical example would be where in production, you may only see an error page.
In development, you may see a full stack trace on an application error which allows you to figure out exactly where the error took place inside the code.
Since Node.js applications, in general, depend on several environment variables, you can add these using the “Add Variable” button near the bottom right of the page.
The Node.js production or development variable is already set separately in the top section using the “Application Mode”, so it is not necessary to set it again in the Environment variables section.
This same menu is where you can select the version of Node.js that you’d like to use as well as the application’s startup file.
This might be index.js, app.js or any number of variations; it depends on the application.
Once you’ve saved your application, you’ll need to resolve its package dependencies.
The NPM package manager does this automatically based on the package.json file packaged with the application, so all that you’ll need to do here is click on the “NPM Install” button.
At this point, your domain must resolve to an IP address, or the installation script will fail with an error.
If you are using a sub-domain, make sure that it has been created and that you have added all relevant records to your DNS.
You can confirm this by simply running:
$ dig sub-domain.com
NPM will read the contents of the package.json file and install the needed packages into a virtual environment specific to the application.
If you are familiar with the command line, you can follow the instructions at the top of the page to gain access to the “npm” and “node” commands to make additional changes manually, allowing for a great deal of customization.
Node.js Application Deployment
By this point, you’ll have your application configured and Node.js modules installed, so you’re ready to launch the application.
Our cPanel systems make this very easy.
On the same page where you configured your application, click “Run JS Script”.
This will execute the application startup file that you defined earlier during setup.
As Node.js applications have several different options, this can bring up another menu with different options to select depending on the application that you’re running.
In general, you’ll want to select the “Start” option next.
Finally, you can select the “Open” option to visit your page, and see your application!
How To Start A Node.js Application
To start a stopped application, do the following:
Click the Start icon in the Actions column of the stopped application’s row.
When the action is completed, the Start icon changes to a Stop icon.
How To Stop A Node.js Application
To stop a started application, do the following:
Click the Stop icon in the Actions column of the started application’s row.
When the action is completed, the Stop icon changes to a Start icon.
How To Restart A Node.js Application
To restart the application, do the following:
Click the Restart icon in the Actions column of the started application’s row.
The current row will be blocked and will be unblocked when the process is completed.
How To Remove A Node.js Application
To remove the application, do the following:
Click the “Bin” icon in the Actions column of the application’s row.
In the confirmation pop-up, click Agree to start the removal or Cancel to close the pop-up.
When the action is completed, an application will be removed from the Web Applications table and a confirmation pop-up displayed.
How To Edit Your Node.js Application
To edit an application, do the following:
Click the Pencil icon in the Actions column of the application’s row.
An application tab will open.
At the moment, you can:
restart the application – click the Restart button.
stop Node.js – click the Stop Node.js button.
remove the application – click the Delete button and confirm the action in the pop-up.
change the Node.js version – choose a Node.js version from the drop-down.
change the Application mode – choose an application mode from the drop-down. Available modes are Production and Development.
specify the Application root – enter the physical path to the application on the server that corresponds with its URI.
specify the Application URL – enter an HTTP/HTTPS link to the application.
specify the Application startup file – enter it as a NAME.js file.
run the npm install command – click the Run npm install button to install the package(s) described in the package.json file.
add Environment variables – click Add Variable and specify a name and a value.
How To Debug Errors On Your Node.js Application
Directives such as PassengerFriendlyErrorPages and PassengerAppEnv are available for use from a .htaccess file.
This allows cPanel users to debug a Node.js application during development.
For example, if you add one of the following lines to the .htaccess file in the application directory and there is an error, you will see the error listed:
WP-CLI v2.2.0 is scheduled to be released for Wednesday, April 24th, 2019.
WP-CLI is a set of command-line tools for managing WordPress installations.
You can update plugins, set up multisite installs and much more, without using a web browser.
The maintainers said that they have a list of already accepted features that are just waiting for some adventurous soul to implement them and a list of known bugs that need to be turned into non-bugs.
And as WordPress bumps its minimum PHP version requirement to 5.6 and its MySQL version requirement to 5.5, WP-CLI says it is “staying as low as possible” with its own PHP minimum requirement.
According to the team, they are adopting this approach so as not to randomly break support for people stuck on lower PHP versions.
The delay is meant to allow site owners still using WP-CLI to migrate their old sites over to newer servers.
If you choose to remain on 5.5 or below, you may still receive security updates and possibly bug fixes, but would not be able to upgrade to the latest major WordPress version until you upgraded to a supported version of PHP.
At Web Hosting Magic, we offer PHP 7.2 and 7.3 as default though customers wishing to use old PHP versions can do that using our HardenedPHP.
To update WP-CLI, run:
wp cli update or sudo wp cli update
When you run wp cli update, you’ll be prompted to confirm that you wish to update with a message similar to the following:
You have version 0.21.1. Would you like to update to 0.23.1? [y/n]
After you accept, you should see a success message:
Success: Updated WP-CLI to 0.23.1
If you’re already running the latest version of WP-CLI, you’ll see this message:
The iOS app inadvertently exposed account tokens to third-party sites.
The issue could expose security credentials to third-party websites, and only affected private websites with images hosted externally (e.g., with a service like Flickr) that were viewed or composed with the app.
Typically when a WordPress.com site had a post or a page with an image hosted on Flickr, the app would send along a WordPress.com account token to Flickr when fetching the image.
In the unpatched version of the app, the account tokens could appear in the logs of third-party companies.
In the hands of malicious individuals, this could be used to target such WordPress.com accounts.
While WordPress hasn’t said how many customers were affected, Sensor Tower indicates that the app was installed 9.3 million times on iOS since 2012, with about 1.3 million installs last year.
WordPress has reset all passwords for iOS users, but it is still advisable to update your password.
The Android app and self-hosted WordPress installations are not affected.
To start using the app again, make sure you have updated WordPress for iOS to 11.9.1 or greater.
You can check for updates in the App Store on your device and tap the “more” button to see the release notes, which list the version number.
Once you’ve updated, launch the app.
You may notice errors about not being authorized and data will not load, or be prompted to log in.
If you’re not prompted to log in, visit the Me tab and tap Log Out, then sign back in.
As a website owner, there will come a time when you may need to transfer your domain or a number of domains from one registrar to another.
And given that your business depends on its ability to stay online, here is how to move a domain name with minimal impact on website uptime.
Transfer Requirements for Top-Level Domains
Expired or suspended domain names cannot be transferred. However, if the domain expires after the transfer has been completed at the new registrar, then the old registrar is not allowed to deny the transfer for non-renewal.
If the registration for a domain name expired and had to be restored, it must have been restored at least 60 days ago.
You must have either registered the domain with the current registrar or transferred registration for the domain to the current registrar at least 60 days ago.
If the current registrar for the domain has outstanding administrative action against the domain, you cannot transfer it until the matter has been resolved.
In some cases, renewing the domain for the required one additional year causes the domain to exceed the maximum registration period. In these cases, you must wait until renewing for one year does not extend the total registration period beyond the maximum allowed.
The domain cannot have any of the following domain name status codes: clientTransferProhibited, pendingDelete, pendingTransfer, redemptionPeriod, serverTransferProhibited.
Some registries may not allow transfer of a domain name until changes such as changes to the domain owner are completed.
Unlock the Domain
A locked domain cannot be transferred to another registrar or account.
Whenever you need to make changes to a domain’s settings, such as updating nameservers or contact information, we automatically unlock and re-lock the domain name.
To transfer your domain name, you must first unlock it.
Disable WHOIS Privacy
While it may be possible to transfer domains with WHOIS privacy enabled, double-check that you can receive emails at the private email address before initiating a domain transfer.
Time to live (TTL) determines how long a DNS cache server can serve a DNS record before reaching out to the authoritative DNS server and getting a new copy of the record.
Set the TTL on your DNS records to a short value (something like 300 seconds) 12-24 hours before making DNS changes.
Transfer DNS Service
If the registrar for your domain is also the DNS service provider for the domain, transfer your DNS service to our DNS systems before you continue with the process to transfer the domain registration.
If you don’t transfer DNS service to us, your website, email, and the web applications associated with the domain might become unavailable.
EPP Authorization Code
The EPP code (also known as the transfer secret) is a randomly generated complex code that contains numbers, letters and special characters.
Domain name registrars are only permitted to provide the code to the registered owner of the domain as it appears on a WHOIS query.
The code helps identify the domain name holder; it does not constitute transfer approval.
If the code is not provided, then those domains generally cannot be transferred.
Request and get your EPP authorization code (a string of characters) from your registrar’s dashboard.
You can see this feature under your domain’s management section.
Add your SSH private key to the ssh-agent and store your passphrase in the keychain.
$ ssh-add -K ~/.ssh/id_rsa
Confirm the key existence:
$ ls -al ~/.ssh
Now copy the generated public key you will add to the cPanel server:
$ cat .ssh/id_rsa.pub
Windows has a different workflow, but the following will help:
Generate a Key Pair with PuTTY
Download PuTTYgen (puttygen.exe) and PuTTY (putty.exe) from the official site at http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.
The RSA key type at the bottom of the window is selected by default for an RSA key pair, but ED25519 (EdDSA using Curve25519) is a comparable option if your remote machine’s SSH server supports EdDSA signatures.
Increase the RSA key size from 2048 bits to 4096 and click Generate.
PuTTY uses the random input from your mouse to generate a unique key.
Once key generation begins, keep moving your mouse until the progress bar is filled.
When finished, PuTTY will display the new public key.
Right-click on it and select Select All, then copy the public key into a text editor such as Sublime Text, Atom or even Notepad.
Save the public key as a .txt file.
This is important because a rich text format such as .rtf or .doc can add extra formatting characters, and then your key won’t work.
Enter a passphrase for the private key in the Key passphrase and Confirm passphrase text fields.
Click Save private key.
Choose a file name and location in Explorer, keeping the .ppk file extension.
Remember the location of the private key file for future use.
If you plan to create multiple key pairs for different servers, be sure to give them different names so that you don’t overwrite old keys with new.
Convert The Public Key Into The OpenSSH Format
Now open your private key in PuTTYgen.
Select your private key that ends in .ppk and then click “Open”.
Look at the top menu and select “Conversions” -> “Export OpenSSH key”.
Save the new OpenSSH key when prompted.
The public key will be shown in the public key box, ready for pasting into cPanel.
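As an added check (not code from the page or from PuTTY), the Node.js script below verifies that a pasted public key is a clean, single-line OpenSSH public key before it goes into cPanel: it rejects stray formatting characters of the kind a rich text editor adds, and it decodes the base64 blob to confirm that the embedded key type matches the first field. The sample key it builds is constructed, not a real key.

```javascript
// Added example: validate an OpenSSH public key line before pasting it into cPanel.
const KEY_TYPES = new Set([
  "ssh-ed25519", "ssh-rsa",
  "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
]);

// OpenSSH wire encoding: a 4-byte big-endian length followed by the bytes.
function sshString(buf) {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(buf.length, 0);
  return Buffer.concat([len, buf]);
}

function readSshString(buf, offset) {
  if (buf.length < offset + 4) return null;
  const len = buf.readUInt32BE(offset);
  if (buf.length < offset + 4 + len) return null;
  return { value: buf.subarray(offset + 4, offset + 4 + len), next: offset + 4 + len };
}

// Returns { ok: true, type, comment } or { ok: false, reason }.
function checkPublicKeyLine(line) {
  if (/[\r\n]/.test(line)) return { ok: false, reason: "key must be a single line" };
  // Anything outside printable ASCII (smart quotes, RTF control bytes, ...) is a red flag.
  if (/[^\x20-\x7e]/.test(line)) return { ok: false, reason: "non-printable characters present" };
  const fields = line.trim().split(/\s+/);
  if (fields.length < 2) return { ok: false, reason: "expected '<type> <base64> [comment]'" };
  const [type, b64, ...rest] = fields;
  if (!KEY_TYPES.has(type)) return { ok: false, reason: `unknown key type ${type}` };
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) return { ok: false, reason: "key body is not base64" };
  const blob = Buffer.from(b64, "base64");
  // The first string inside the blob is the key type again; the two must agree.
  const inner = readSshString(blob, 0);
  if (!inner) return { ok: false, reason: "truncated key blob" };
  if (inner.value.toString("latin1") !== type) {
    return { ok: false, reason: "blob type does not match first field" };
  }
  return { ok: true, type, comment: rest.join(" ") };
}

// Builds a syntactically valid ed25519 public key line from 32 constructed key bytes.
function makeSampleEd25519(comment) {
  const blob = Buffer.concat([
    sshString(Buffer.from("ssh-ed25519")),
    sshString(Buffer.alloc(32, 0x42)), // constructed, not a real key
  ]);
  return `ssh-ed25519 ${blob.toString("base64")} ${comment}`;
}

module.exports = { checkPublicKeyLine, makeSampleEd25519 };
```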
Newer Windows versions have a better approach to this, and you may want to take a look at the following links:
When it comes to your digital assets (website, databases, crypto-currencies, etc.), using a password alone should be regarded as a doorway to a communal bar.
However, the practices below can be considered password best practices and may help mitigate the risk involved with passwords:
Password Best Practices
don’t use any personal identifying information as part of your password: yours, spouse’s, significant other’s, children’s, friend’s, or pet’s name, date of birth, license plate number, telephone number, social security number, make of your automobile, house address, etc.
don’t use a word contained in English or foreign language dictionaries, spelling lists, acronym or abbreviation lists, or other lists of words.
don’t share your password with another person for any reason.
don’t write your passwords on paper.
don’t re-use the same (or similar) password on two websites.
ensure that the password you are using or generating has mixed-case characters and non-alphabetic characters/symbols, and is at least 20 characters in length.
make it a habit to use two-factor authentication along with any password you have.
periodically, or every 90-120 days, change every password that you own.
One of cPanel’s best features is the absolute control that it gives any cPanel user to manage his or her domains in one place, even when you own thousands of domain names.
After you have received your cPanel login and gained access to cPanel, you may want to add more domains than the one the account was originally provisioned with.
When this is your goal, you will need to use cPanel’s addon domain feature.
This interface can be found at cPanel >> Home >> Domains >> Addon Domains.
What is an add-on domain?
An addon domain is a domain that is hosted inside the same cPanel account that you own but treated as a completely different website.
Why is this useful?
Well, let’s say you have 5 domain names that you consider prime online properties.
As with any physical asset, you would want to monetize these, since you don’t want them lying around without generating cash for you.
So instead of creating additional cPanel hosting accounts to host these domains, you simply add them as addon domains to one cPanel account and split your existing account’s resources among them.
This not only saves you a lot of money but is also the best way to manage multiple domains without logging into multiple cPanel accounts.
How To Create An Addon Domain In cPanel
Before you start, there are a couple of things you must do to avoid seeing errors.
Ensure that your cPanel hosting package allows you to add an additional domain to your hosting account.
If your hosting package is set to “0”, you will not be able to complete an addon domain creation.
If this is not done, you may see this error:
your addon domain limit of 0 addon domains has been reached.
Ensure that the DNS records for the additional domains you want to add are pointing to your hosting provider’s DNS cluster before attempting this.
If this is not done, you will see the following error:
sorry, the domain is already pointed to an IP address that does not appear to use DNS servers associated with this server.
While the server can be tweaked to allow the creation of parked domains (aliases) and addon domains that resolve to other servers so that you can get this done, it is highly discouraged, as this will cause serious security issues down the line.
Once these conditions are met, it is time to proceed to the next stage of the process.
To create an addon domain, perform the following steps:
Log in to cPanel and scroll down to Domains.
Click on Addon Domains. A new page will open.
Enter the new addon domain’s name in the New Domain Name text box. When you enter the domain name, cPanel automatically populates the Subdomain and Document Root text boxes.
To create multiple addon domains with the same username and different extensions (for example, domain_name.com and domain_name.net), manually enter a unique username in the Subdomain text box.
While the most common document root for an addon domain is /home/username/addon-domain/, you can specify the precise location in which you want each addon domain to be hosted when adding it. To choose a document root other than the one that was automatically created for you, manually enter the directory name in the Document Root text box.
If you need to create an FTP account for the new addon domain, select the Create an FTP account associated with this Addon Domain check-box.
Click Add Domain.
Your add-on domain now has a new home and you can use it as you would, with a full-fledged cPanel hosting account.
If you see any error, please re-visit the conditions that must be met above and try again.
If you want to add files to the addon domain’s home directory, go back to cPanel and click File Manager.
If you want to disable or enable redirection of an addon domain, perform the following steps:
Click Manage Redirection for the addon domain that you wish to manage.
To redirect the domain, enter the link to which you wish to redirect the addon domain.
Click Save, or, to disable the redirection, click Disable Redirection.
If you want to remove an addon domain, perform the following steps:
Click Remove for the addon domain that you wish to remove.
If you want to create an email account on an addon domain, use cPanel’s Email Accounts interface (cPanel >> Home >> Email >> Email Accounts).
Learn how to configure cPanel firewall in most cloud platforms or use other security tools to harden and protect your cPanel server from malicious attacks.
Imagine that after the walls of a new house have been erected, the house is left with no roof to shield its occupants from the elements and no doors to keep them safe from wild animals that would want to gobble them up for dinner.
The above analogy is often what happens when a server administrator deploys a server and then forgets the most fundamental aspect of the process: security.
The cloud has given server administrators the ability to rustle up any kind of server in less than 55 seconds.
The problem is that server administrators often forget the most fundamental aspect of the process: security.
While most of the big cloud systems we have come to embrace have built-in measures designed to keep us from becoming victims of our human nature, it remains the case that if you deploy a system that was not designed to be secure from its conception, you will face a hard road down the line.
The fact is that 98% of the attacks that a system connected to the internet will face are opportunistic in nature rather than targeted.
When a malicious user tries his or her luck with a system and finds it robustly protected, he or she will move on to easier targets.
With an unprotected server, the story will be different, as anyone with malicious intent will immediately see the box as low-hanging fruit ripe for the picking.
An unprotected server also shouldn’t be online, not only because it goes against everything a good admin should stand for, but because it makes the internet more insecure.
What Is A Firewall In Computing?
In computing infrastructure design, the internet is always treated as an untrusted external network.
A firewall monitors and controls incoming and outgoing network traffic based on predetermined security rules.
Just as any well-designed building should have a wall intended to contain fire within a building, designated entry & exit points and rules about who should be allowed access and who should be turned back, a well-implemented firewall enables a system administrator to define what inbound and outbound communication is allowed from a server and also the ability to mitigate threats within a set parameter.
As a system administrator, the standard place to start when it comes to security is to:
be aware that any software can be exploited, including cPanel.
understand and treat every user input as potentially hostile and malicious.
apply good security practices to defend the infrastructure.
avoid rolling out any security solution that you do not fully understand.
log all suspicious behaviour so that it is available for forensics if and when it is needed.
design the system in such a way that it enables you to restore the infrastructure to its pre-compromise state.
go beyond port firewalling to hide insecure protocols, relying instead on the security of the protocols that you use to defend your infrastructure.
provide the minimal privilege needed to complete an operation successfully, and nothing more than what is needed.
How To Set Up A cPanel Firewall For Mitigation
So how does one go about securing, for example, a public-facing cPanel web server in order to lower the chances of it being compromised?
Let’s start with the basics when installing a new cPanel server.
Remove all existing rules
Just as you wouldn’t start constructing a building on top of what someone else has already built, it is always better to rip out any existing firewall rules before implementing new ones.
Doing so gives you a clear, coherent idea of what you are allowing and blocking on your system, a piece of information you would want to have in your head when dealing with an ongoing threat.
When installing cPanel on a new machine, you should deactivate the firewall before running the installation script with:
The /etc/selinux/config file allows you to set the SELinux parameters that you want the server to run with.
When it opens, you will see something like this:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Only targeted network daemons are protected.
#     strict - Full SELinux protection.
SELINUXTYPE=targeted
The parameter you are looking for is “SELINUX=enabled”.
All you have to do is replace the word “enabled” with “disabled”.
Save the file and exit by typing “:wq”.
Reboot the server:
sudo systemctl reboot
systemctl is the command-line utility and primary tool for managing systemd daemons/services (start, restart, stop, enable, disable, reload and status).
You can now start your cPanel installation and once that is done, it will be time to start the security configuration.
What Kind Of Firewall Can You Use With cPanel?
The kind of firewall you will use with cPanel will largely depend on two things:
the deployment environment (on-premise or cloud-based)
your level of familiarity with the tools you want to use
Implementing cPanel Firewall On The Cloud
If you are using a public cloud such as AWS, Google Cloud Platform, Microsoft Azure, Alibaba Cloud or a host of others, you can do everything you want to at the datacenter level.
But this requires being able to create a VPC (the datacenter in cloud-speak), and while the interfaces and naming conventions on each of these platforms differ, it all boils down to one thing: being able to determine what ingress and egress traffic you want to allow.
This often requires figuring out which ports the server needs in order to perform optimally and then allowing inbound access to those.
There are other optional layers of security, such as Network ACLs (which by default allow all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic), that act as a firewall for controlling traffic in and out of one or more subnets.
But we will stick with the basics at this time.
In the cloud, a security group acts as a virtual firewall that controls the traffic for one or more instances and provides security at the protocol and port access level.
When you launch an instance, you can specify one or more security groups; otherwise, we use the default security group.
You can add rules to each security group that allows traffic to or from its associated instances.
Each security group – working much the same way as a firewall – contains a set of rules that filter traffic coming into and out of an instance.
There are no ‘Deny’ rules.
Rather, if there is no rule that explicitly permits a particular data packet, it will be dropped.
You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group.
When we decide whether to allow traffic to reach an instance, we evaluate all the rules from all the security groups that are associated with the instance.
On Microsoft Azure, this is called Network Security Groups (NSG).
Google Cloud Platform calls its own just Firewall Rules (Networking >>> VPC network).
GCP firewalls apply to a single VPC network but are considered a global resource because packets can reach them from other networks.
AWS and Alibaba Cloud call theirs Security Groups.
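To make the evaluation rules above concrete, here is an added example (not code from the page or from any cloud provider) that models security-group semantics in Node.js: only allow rules exist, every rule in every group attached to the instance is checked, and a packet that matches nothing is dropped. It also lists rules that are open to the whole internet on ports other than the web ports so they can be reviewed. The group names, networks and ports are constructed; IPv4 only.

```javascript
// Added example: allow-list evaluation of cloud security-group rules.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function cidrContains(cidr, ip) {
  const [base, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipToInt(base) & mask) === (ipToInt(ip) & mask);
}

// rule: { protocol: "tcp" | "udp" | "icmp" | "all", fromPort, toPort, source: "a.b.c.d/n" }
// pkt:  { protocol, port, source }
function ruleMatches(rule, pkt) {
  if (rule.protocol !== "all" && rule.protocol !== pkt.protocol) return false;
  if (rule.protocol === "tcp" || rule.protocol === "udp") {
    if (pkt.port < rule.fromPort || pkt.port > rule.toPort) return false;
  }
  return cidrContains(rule.source, pkt.source);
}

// No deny rules: the packet is allowed if any rule in any attached group permits it,
// otherwise it is dropped.
function isAllowed(groups, pkt) {
  return groups.some((g) => g.inbound.some((r) => ruleMatches(r, pkt)));
}

// Review helper: rules open to 0.0.0.0/0 on anything other than the web ports.
function worldOpenRules(groups, webPorts = [80, 443]) {
  const out = [];
  for (const g of groups) {
    for (const r of g.inbound) {
      if (r.source !== "0.0.0.0/0") continue;
      const onlyWeb = r.protocol === "tcp" && r.fromPort === r.toPort && webPorts.includes(r.fromPort);
      if (!onlyWeb) out.push({ group: g.name, rule: r });
    }
  }
  return out;
}

// Constructed example: a web group and an admin group attached to one cPanel instance.
// 203.0.113.0/24 is documentation address space standing in for an office network.
const SAMPLE_GROUPS = [
  { name: "web", inbound: [
    { protocol: "tcp", fromPort: 80, toPort: 80, source: "0.0.0.0/0" },
    { protocol: "tcp", fromPort: 443, toPort: 443, source: "0.0.0.0/0" },
  ] },
  { name: "admin", inbound: [
    { protocol: "tcp", fromPort: 22, toPort: 22, source: "203.0.113.0/24" },
    { protocol: "tcp", fromPort: 2083, toPort: 2083, source: "203.0.113.0/24" }, // cPanel over HTTPS
  ] },
];

module.exports = { ipToInt, cidrContains, ruleMatches, isAllowed, worldOpenRules, SAMPLE_GROUPS };
```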
Things To Keep In Mind:
Security should be part of your initial architecture design, not an after-thought.
While you can always go back and assign a newly created security group to an instance, always create your VPC with its subnets, routes, firewalls and everything else ahead of time, even before you launch your first virtual machine.
That way, when you are deploying the instance, you can simply select an existing security group and re-check all the ports before deploying.
Be aware that on each of these platforms, you are limited to a certain number of security groups per VPC.
You can always request an increase to the limit, but you may notice a network performance impact.
Also, ensure that your firewall rules match the way in which you use cPanel & WHM’s services.
Select an option for a rule for inbound traffic for Type, and then fill in the required information.
Specify a value for Source, for example 0.0.0.0/0 to allow the whole Internet.
Only public-facing services (HTTP/HTTPS, mail, DNS) should be open to 0.0.0.0/0; for administrative services such as SSH (22), WHM (2087) and cPanel (2083), restrict Source to the address ranges you administer from.
Optionally provide a description for each rule, and then choose Save.
From Azure Security Center you can see the list of network security group (NSG) rules that allow or deny network traffic to your VM instances in a virtual network.
When an NSG is associated with a subnet, its rules apply to all the VM instances in that subnet.
Microsoft Azure has a longer form with more fields to fill in.
But it is relatively simple and does the same thing you see on the other cloud platforms, with one important difference: NSG rules can explicitly Deny, and they are evaluated in priority order.
To create a network security group on Microsoft Azure:
In the top-left corner of the portal, select + Create a resource.
Select Networking, then select Network security group.
Enter a Name for the network security group, select your Subscription, create a new Resource group or select an existing one, select a Location, and then select Create.
In the search box at the top of the portal, enter network security groups.
When Network security groups appears in the search results, select it, then select the network security group you want to change.
Select Inbound security rules under SETTINGS.
Several existing rules are listed.
When a network security group is created, several default security rules are created in it (for example AllowVnetInBound and DenyAllInBound).
You can't delete default security rules, but you can override them with rules that have a higher priority (a lower number).
Each rule has the following fields:
Source (Any, Application security group, IP Addresses, or Service Tag)
Source port ranges (normally *, because the client's source port is an ephemeral port you cannot predict; do not put a CIDR block such as 0.0.0.0/0 here)
Destination (Any, Application security group, IP addresses, or Virtual Network)
Destination port ranges (the service ports, such as 22 or 2087)
Protocol (Any, TCP, or UDP)
Action (Allow or Deny)
Priority (100-4096; the lower the number, the higher the priority, and the first matching rule decides).
Leave a gap between priority numbers when creating rules, such as 100, 200, 300; gaps make it easier to add rules later that must sit above or below existing ones.
On Alibaba Cloud, log on to the ECS console.
In the left-side navigation pane, select Networks and Security > Security Groups.
Select the target region.
Find the security group to which you want to add rules and, in the Actions column, click Add Rules.
On the Security Group Rules page, click Add Security Group Rule.
In the dialog box, set the following parameters:
Direction. Outbound: the ECS instance accesses other ECS instances over the intranet, or Internet resources. Inbound: other ECS instances on the intranet, or Internet resources, access this ECS instance.
Action: select Allow or Forbid.
Protocol Type and Port Range.
Authorization Type and Authorization Object (the source or destination, given as a CIDR block or as another security group).
Priority: the value range is 1-100. Remember, the smaller the value, the higher the priority.
Google Cloud Platform
On Google Cloud Platform, every VPC network functions as a distributed firewall.
While firewall rules are defined at the network level, connections are allowed or denied on a per-instance basis.
You can think of GCP firewall rules as existing not only between your instances and other networks but also between individual instances within the same network.
When you create a GCP firewall rule, you specify a VPC network and a set of components that define what the rule will do.
The components let you target certain types of traffic based on the traffic's protocol, ports, sources, and destinations.
At the time this was written, GCP firewall rules supported only IPv4 traffic (IPv6 support has since been added), so a source for an ingress rule or a destination for an egress rule given by address had to be an IPv4 address or an IPv4 block in CIDR notation.
Remember that you have to create a custom network before you can do this.
Products & services > VPC network > VPC networks
Click + CREATE VPC NETWORK.
Do the following, leaving all other fields with their default values:
You will notice that no default firewall rules were created for the custom network.
You will have to manually add default rules in the next step.
Click + CREATE FIREWALL RULE.
Enter the following, leaving all other fields with their default values:
Name: allow-ssh-icmp-rdp-learncustom
Network: learncustom
Direction of traffic: Ingress
Action on match: Allow
Targets: Specified target tags
Target tags: cpanel, cloudlinux
Source filter: IP ranges
Source IP ranges: 0.0.0.0/0
Protocols and ports: Specified protocols and ports
icmp; tcp:22; tcp:25; tcp:53; tcp:80; tcp:110; tcp:143; tcp:443; tcp:465; tcp:587; tcp:783; tcp:873; tcp:993; tcp:995; tcp:2078; tcp:2080; tcp:2083; tcp:2087; tcp:2096; udp:53; udp:123; udp:6277; udp:24441
This single rule opens the administrative ports (22, 2083, 2087) to the whole Internet; for production, move them into a second rule whose Source IP ranges is limited to your own addresses.
Make sure that the source filter address includes the final ‘/0’.
If you specify 0.0.0.0 instead of 0.0.0.0/0, the filter will default to 0.0.0.0/32 — an exact host address that doesn’t exist.
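To make the two evaluation models described above concrete, here is an added example (not the page's own code, and not any provider's API) that implements both: the AWS/Alibaba-style security group, where only allow rules exist, every group attached to the instance is consulted and an unmatched packet is dropped, and the Azure-style NSG, where allow and deny rules are walked in priority order and the first match wins. It also shows the 0.0.0.0 versus 0.0.0.0/0 pitfall from the GCP notes. The rule sets, the addresses and the simplified stand-in for Azure's VirtualNetwork tag (modelled as 10.0.0.0/8) are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    proto: str             # "tcp", "udp" or "any"
    ports: tuple           # (low, high) inclusive, or None for any port
    source: str            # source CIDR, e.g. "0.0.0.0/0" or "203.0.113.0/24"
    action: str = "allow"  # "allow" or "deny" (deny exists only in the NSG model)
    priority: int = 0      # NSG model only: lower number is evaluated first


def matches(rule, proto, port, src_ip):
    """True if a packet (transport protocol, destination port, source IP) matches the rule."""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.ports is not None and not rule.ports[0] <= port <= rule.ports[1]:
        return False
    return ip_address(src_ip) in ip_network(rule.source, strict=False)


def aws_allows(groups, proto, port, src_ip):
    """AWS/Alibaba semantics: every group attached to the instance is consulted,
    there are only allow rules, and no match means the packet is dropped."""
    return any(matches(rule, proto, port, src_ip) for group in groups for rule in group)


# Simplified stand-ins for Azure's default inbound rules (assumption: the
# VirtualNetwork service tag is modelled as the constructed range 10.0.0.0/8).
NSG_DEFAULT_INBOUND = (
    Rule("any", None, "10.0.0.0/8", "allow", 65000),  # AllowVnetInBound
    Rule("any", None, "0.0.0.0/0", "deny", 65500),    # DenyAllInBound
)


def nsg_decision(rules, proto, port, src_ip):
    """Azure NSG semantics: walk user rules plus defaults in ascending priority;
    the first matching rule decides, so a deny at 100 beats an allow at 200."""
    for rule in sorted(tuple(rules) + NSG_DEFAULT_INBOUND, key=lambda r: r.priority):
        if matches(rule, proto, port, src_ip):
            return rule.action
    return "deny"


def cidr_pitfall(source):
    """Why the trailing /0 matters: '0.0.0.0' alone parses as a single-host /32."""
    net = ip_network(source)
    return str(net), net.num_addresses


if __name__ == "__main__":
    web = [Rule("tcp", (443, 443), "0.0.0.0/0")]
    admin = [Rule("tcp", (22, 22), "203.0.113.0/24")]
    print("AWS: 22 from outside ->", aws_allows([web, admin], "tcp", 22, "198.51.100.7"))
    nsg = [Rule("tcp", (22, 22), "0.0.0.0/0", "deny", 100),
           Rule("tcp", (22, 22), "203.0.113.0/24", "allow", 200)]
    print("NSG: 22 from office ->", nsg_decision(nsg, "tcp", 22, "203.0.113.9"))
    print(cidr_pitfall("0.0.0.0"), cidr_pitfall("0.0.0.0/0"))
```

Note the NSG case: the office allow rule at priority 200 never fires because the broader deny sits at 100, which is the kind of mistake the "leave gaps and order deliberately" advice is meant to avoid; on AWS the same two rules would simply be unioned, since a deny cannot be expressed at all.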
cPanel Services Firewall Ports
Here are the ports that cPanel & WHM uses, and the services that use each of these ports.
We have removed all non-SSL services since using these allows attackers to intercept sensitive information, such as login credentials.
We reckon you already know what a port is.
But if you don't, here is a quick look at what a port is in networking.
In the TCP/IP model, port numbers belong to the transport layer: TCP and UDP use them to deliver a segment that has reached a host to the right process, and a connection is identified by the combination of source address, source port, destination address and destination port.
A port number is a 16-bit unsigned integer, thus ranging from 0 to 65535.
For TCP, port number 0 is reserved and cannot be used, while for UDP the source port is optional and a value of zero means no port.
For example, HTTP has port 80 assigned to it.
So, when a client wants to contact an HTTP server, it uses destination port 80 and a source port unique to the process making the request (an ephemeral port chosen by the operating system).
This lets the receiving host hand every packet with destination port 80 to the process 'listening' on that port, which, if there is one, is normally an HTTP server process.
When the HTTP server responds, it uses the client's source port as the reply's destination port and port 80 as the reply's source port.
This lets the client's operating system deliver the reply straight to the socket that made the request.
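As an added illustration (not from the page), the following script performs exactly that exchange on the loopback interface and reports the port numbers each side sees. It needs no network access; the server stands in for port 80 with a port the operating system assigns, so the exact numbers differ per run and only the relationships between them matter.

```python
import socket


def port_exchange():
    """Open a listener, connect to it, exchange one message, and return the
    port numbers observed on both sides of the connection."""
    # Server side: bind to an OS-chosen port on loopback (stands in for port 80).
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    server_port = srv.getsockname()[1]

    # Client side: connect without choosing a source port; the kernel assigns
    # an ephemeral one that is unique to this socket.
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.connect(("127.0.0.1", server_port))
    client_source_port = cli.getsockname()[1]

    # The server accepts the connection and sees the client's ephemeral port
    # as the peer port: that is the destination port it will reply to.
    conn, peer = srv.accept()
    peer_port_seen_by_server = peer[1]

    # The reply leaves with the server's listening port as its source port,
    # which is how the client's kernel matches it to the requesting socket.
    conn.sendall(b"HTTP/1.0 200 OK\r\n\r\n")
    reply = cli.recv(1024)
    reply_source_port = cli.getpeername()[1]

    for s in (conn, cli, srv):
        s.close()
    return {
        "server_port": server_port,
        "client_source_port": client_source_port,
        "peer_port_seen_by_server": peer_port_seen_by_server,
        "reply_source_port": reply_source_port,
        "reply": reply,
    }


if __name__ == "__main__":
    for key, value in port_exchange().items():
        print(f"{key}: {value}")
```

This is why a firewall only needs to open the destination port of a service (80) and not the whole ephemeral range: the client's source port is whatever the client's kernel picked, and a stateful firewall or security group lets the reply back because it belongs to an allowed connection.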
At the moment, cPanel ports range from 1 (CPAN) to 24441 (Pyzor).
CalDAV and CardDAV (SSL): TCP 2080
The most important part of this process is the inbound ports.
Other considerations you might bring to bear are:
allow free access to the loopback interface. Unlike external interfaces, binding a process to localhost is usually good for security, so restricting access to the loopback interface causes more harm than benefit. This does leave you open to attack from a local user, but that is a risk you have to balance for yourself.
don't restrict all Internet Control Message Protocol (ICMP) traffic. ICMP is needed for the Internet to work; routers and hosts use it to communicate information such as service availability, packet sizes, and host existence. Type 3 (Destination Unreachable), and in particular code 4 (Fragmentation Needed), is critical for path MTU discovery, and blocking it silently breaks large transfers. Type 4 (Source Quench) has been deprecated (RFC 6633) and is safe to drop.
Other Available Firewall Options
Firewall For cPanel Script
Recent versions of cPanel & WHM include a cpanel service definition for firewalld, whose rules live in the /etc/firewalld/services/cpanel.xml file.
It allows TCP access to the server's cPanel & WHM ports.
To replace your existing iptables rules with the rules in the /etc/firewalld/services/cpanel.xml file, perform the following steps:
run the yum install firewalld command to ensure that your system has firewalld installed.
run the systemctl start firewalld.service command to start the firewalld service.
run the systemctl enable firewalld command to start the firewalld service when the server boots.
run the iptables-save > backupfile command to save your existing firewall rules.
run the /usr/local/cpanel/scripts/configure_firewall_for_cpanel script. This also clears all existing entries from iptables.
run the iptables-restore --noflush < backupfile command to add your old rules on top of the new ones. Without --noflush, iptables-restore flushes the tables first and would throw away the rules the script just created. Rules added this way are not known to firewalld and disappear on its next reload, so re-create any you want to keep as firewalld rich rules.
By default, firewall-cmd commands apply to the runtime configuration only, but the --permanent flag writes the persistent configuration instead.
So if you need to open additional ports, add the rule (port or service) to both the permanent and runtime sets, by running the same firewall-cmd command once with --permanent and once without it (or once with --permanent followed by firewall-cmd --reload).
ConfigServer is a free, well-trusted Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection for Linux servers and probably one of the easiest tools that you can use to protect your cPanel server.
It has native integration with cPanel/WHM, DirectAdmin and Webmin with a front-end to both CSF and LFD (Login Failure Daemon) that is accessible by the root account.
From this interface, you can modify the configuration files and stop, start and restart the applications and check their status.
This makes configuring and managing the firewall very simple indeed.
CSF installation for cPanel and DirectAdmin is preconfigured to work on those servers with all the standard ports open.
It auto-configures your SSH port on installation where it is running on a non-standard port.
CSF auto-whitelists your connected IP address where possible on installation.
To install CSF, run the following commands as the root user:
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf && ./install.sh
To configure CSF, visit WHM's ConfigServer & Firewall interface (Home >> Plugins >> ConfigServer & Firewall).
CSF installs in TESTING mode: a cron job flushes the rules every few minutes so that a mistake cannot lock you out. Once you have confirmed that you can still reach SSH and WHM, set TESTING = "0" in /etc/csf/csf.conf and restart csf and lfd; until then the firewall is not really enforcing anything.
Please note that it is not advisable to run multiple firewalls on one system.
This rule does not apply to Imunify360, since it is possible to run and enable CSF when Imunify360 is already running.
All IP addresses from the Imunify360 White List are exported to the CSF ignore list.
If you have Imunify360 installed and then install CSF, Imunify360 switches to CSF integration mode.
To check that CSF integration is enabled, go to Imunify360 → Firewall tab → White List section and look for the warning message "CSF is enabled. Please manage IPs whitelisted in CSF using CSF user interface or config file".
That message means the CSF and Imunify360 integration completed successfully.
If you are using CSF alone, it is often better to use it along with ConfigServer ModSecurity Control (CMC) which provides you with an interface to the cPanel mod_security implementation from within WHM.
With ConfigServer ModSecurity Control you can:
disable mod_security rules that have unique ID numbers on a global, per cPanel user or per hosted domain level
disable mod_security entirely, also on a global, per cPanel user or per hosted domain level
edit files containing mod_security configuration settings in /usr/local/apache/conf
APF acts as a front-end interface for the iptables application and allows you to open or close ports without using the iptables syntax.
The following example includes two rules that you can add to the /etc/apf/conf.apf file in order to allow HTTP and HTTPS access to your system:
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="80,443"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="80"
Fail2ban is intrusion prevention software and a log-parsing application that monitors system logs for the symptoms of an automated attack on your cPanel server.
When an attempted compromise is found, using the defined parameters, Fail2ban adds a rule to iptables to block the attacker's IP address, either for a set amount of time or permanently.
Fail2ban can also alert you by email that an attack is occurring.
It is not the obvious first choice for a cPanel server, since its default jails focus on SSH and what it does overlaps heavily with cPHulk Brute Force Protection.
cPHulk is included in all cPanel & WHM installations and monitors and blocks login attempts made to cPanel, WHM, FTP, email, and SSH.
It provides administrators with a variety of ways to combat brute force attacks both automatically and manually, and cPHulk can even be used to block malicious IP addresses in your firewall.
Blocks of malicious logins can be issued in different durations from a temporary ban to a one-day or even permanent ban.
The highly configurable cPHulk system allows for a great deal of control.
You can specify the number of failed login attempts before an IP address is blocked, define additional actions to execute upon triggering of an automatic block, and even enable notifications to server administrators as specific events occur.
But you can also use Fail2ban and configure it for any service that writes a log file and can be subjected to brute force.
Ensure your system is up to date and install the EPEL repository (Fail2ban is packaged there for CentOS):
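The detection logic that Fail2ban and cPHulk share, as an added example that is neither project's code: failures are parsed out of a log, counted per source address inside a sliding window, and the address is banned once the count reaches the threshold. The parameter names maxretry, findtime and bantime are Fail2ban's; the sshd log lines are constructed samples, and the "ban" is a dictionary entry rather than an iptables rule.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format: one attacker hammering root, one
# host with two widely spaced failures (a fat-fingered admin, not an attack).
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 10 12:00:03 host sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar 10 12:00:04 host sshd[2105]: Accepted publickey for deploy from 198.51.100.9 port 40000 ssh2
Mar 10 12:00:07 host sshd[2107]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar 10 12:00:09 host sshd[2109]: Failed password for root from 198.51.100.9 port 40010 ssh2
Mar 10 12:00:11 host sshd[2111]: Failed password for root from 203.0.113.5 port 51260 ssh2
Mar 10 12:00:12 host sshd[2113]: Failed password for root from 203.0.113.5 port 51270 ssh2
Mar 10 12:31:00 host sshd[2199]: Failed password for root from 198.51.100.9 port 40020 ssh2
"""

# Matches OpenSSH's "Failed password" line, with or without "invalid user".
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, ip) for every failed-login line; other lines are ignored.
    syslog timestamps carry no year, so one is supplied (assumption: 2024)."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def find_bans(log_text, maxretry=5, findtime=timedelta(minutes=10),
              bantime=timedelta(hours=1)):
    """Return {ip: ban_expiry}. An IP is banned when it accumulates `maxretry`
    failures inside any `findtime` window; the ban lasts `bantime`."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    bans = {}
    for ts, ip in parse_failures(log_text):
        if ip in bans and ts < bans[ip]:
            continue             # already banned; the firewall would have dropped this
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()     # slide the window forward, forgetting old failures
        if len(window) >= maxretry:
            bans[ip] = ts + bantime
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} until {until:%Y-%m-%d %H:%M:%S}")
```

With the defaults, 203.0.113.5 is banned after its fifth failure at 12:00:12, while 198.51.100.9 is never banned: its two failures are half an hour apart, so the first has left the window by the time the second arrives. Setting findtime too large turns that admin into a false positive; setting it too small lets a slow attacker through.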
For a Linux instance, follow these steps to verify that the security group rule actually exposes the service:
Connect to the Linux instance (SSH with a password or key).
Then, run the following command to list every listening TCP and UDP socket together with the owning process:
sudo netstat -plunt
(netstat is deprecated on modern distributions; sudo ss -plunt prints the same information.)
To check whether TCP 80 (replace 80 with any port) is being listened on, anchor the pattern so that 8080 or 180 do not match as well:
sudo netstat -an | grep ':80 '
A service bound to 127.0.0.1 is reachable only locally no matter what the security group allows; only 0.0.0.0 or :: bindings are exposed to the network.
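An added example (not from the page) that reads netstat -plunt style output so the check above can be scripted instead of eyeballed: it returns each listening socket with its bind address, flags the ones reachable from the network, and matches the port exactly rather than as a substring. The output lines are constructed.

```python
# Constructed `netstat -plunt` output: five services, two of them loopback-only.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1502/httpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1290/mysqld
tcp        0      0 0.0.0.0:2087            0.0.0.0:*               LISTEN      1733/cpsrvd
tcp6       0      0 :::443                  :::*                    LISTEN      1502/httpd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           901/named
udp        0      0 127.0.0.1:123           0.0.0.0:*                           777/chronyd
"""

WILDCARD_ADDRS = ("0.0.0.0", "::", "*")


def parse_listeners(text):
    """Return one dict per tcp/udp row: protocol, bind address, port, program,
    and whether the bind address makes it reachable from the network."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith(("tcp", "udp")):
            continue  # banner and header lines
        proto, local = parts[0], parts[3]
        addr, _, port = local.rpartition(":")  # rpartition copes with IPv6 ':::443'
        program = parts[-1] if "/" in parts[-1] else "-"  # udp rows have no State column
        listeners.append({
            "proto": proto,
            "addr": addr,
            "port": int(port),
            "program": program,
            "exposed": addr in WILDCARD_ADDRS,
        })
    return listeners


def is_listening(text, port, proto="tcp"):
    """Exact port match, so asking about 80 does not report 8080 or 180."""
    return any(l["port"] == port and l["proto"].startswith(proto)
               for l in parse_listeners(text))


def exposed_ports(text):
    """Ports that the cloud security group can actually expose: those bound to
    a wildcard address. Loopback-only services are not affected by the group."""
    return sorted({l["port"] for l in parse_listeners(text) if l["exposed"]})


if __name__ == "__main__":
    for l in parse_listeners(SAMPLE_NETSTAT):
        flag = "EXPOSED" if l["exposed"] else "local"
        print(f"{l['proto']:5} {l['addr']:>10}:{l['port']:<6} {l['program']:14} {flag}")
```

Cross-check exposed_ports against the allow list in your security group: a port present in both is reachable; a port open in the group but absent here is a dormant hole worth closing; a loopback-only port listed in the group does no harm but shows the rule was written without looking at the host.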
You can also use nmap, probably the most commonly used network mapper in the infosec world.
Nmap can be used to:
create a complete map of a computer network.
find the IP addresses of remote hosts.
get operating system and software version details.
detect open ports on local and remote systems.
audit a server against security standards.
find vulnerabilities on remote and local hosts (with its scripting engine).
You should run nmap ONLY against servers that you own or whose owners you have notified.
The reason is that while you, as a network administrator, might use nmap to look for exposures in order to prevent attacks, the same traffic is indistinguishable from an attacker's reconnaissance: most security tools flag it as malicious, and most cloud providers restrict or forbid it in their acceptable-use policies.
To install nmap on CentOS 7 or Red Hat Enterprise Linux 7, run the following yum command:
sudo yum install nmap
To install nmap on Red Hat Enterprise Linux 8, run the following dnf command:
sudo dnf install nmap
To install nmap on an Ubuntu or Debian machine, enter:
sudo apt-get update
sudo apt-get install nmap
Use the --version option to check the installed nmap version and confirm that the installation works. For example:
Basic Nmap scan against an IP address or host
If you want to scan a hostname instead, simply replace the IP address with the host name, as shown below:
These basic scans are perfect first steps when starting with Nmap.
Scan specific ports or an entire port range on a local or remote server
nmap -p 1-65535 localhost
In this example, we scanned all 65535 ports on localhost. Scanning your own server from outside, from a host that is not whitelisted, is the real test of the security group: a port that shows open from the Internet but should not be means the cloud rule, not just the host firewall, needs fixing.
Developers using IntelliJ IDEA can now design their own themes and add color to their IDEs.
IntelliJ IDEA is a Java integrated development environment (IDE) for developing software, created by JetBrains (formerly known as IntelliJ), and available as an Apache 2 licensed Community Edition and as a proprietary commercial edition.
Being able to customize the theme has been one of the most requested features, and now you can tweak the entire IDE appearance, including icon colors, radio buttons, arrows, the color scheme, and everything else you can think of.
The team behind the product has created a few brand new themes to get you started, which you can download from https://plugins.jetbrains.com/ or select as your new theme in the Appearance settings.
To do that:
Go to Settings/Preferences | Plugins and install the Dark Purple theme plugin.
Restart the IDE.
Go to Settings/Preferences | Appearance & Behavior | Appearance.
Select the theme you want from the Theme drop-down list.
Peeling back the myth behind "unlimited bandwidth" and "unlimited hosting" in the web hosting industry
When you are looking for a web hosting service, you will often come across words such as "unlimited bandwidth" or "unlimited disk space".
But what is unlimited hosting?
Unlimited web hosting is a hosting package designed to let a customer host his or her website without the system suspending or terminating the account for excessive resource usage.
Why write about it?
Well, our sales team sometimes gets asked by potential customers how we can stay in business while offering unmetered disk space and bandwidth, plus anti-malware, backups and other features, for free.
We have also come across blog posts telling customers to treat this as a red flag and a sign that a web host should not be trusted.
To us, that last claim is something we must address, as we believe it does a great disservice to new website owners who simply want the best web hosting deal they can get.
For most seasoned website administrators, the following points are part of the decision process when deciding the best hosting package to use:
daily traffic to the website
resources (bandwidth mostly) that will be needed for traffic spikes
the level of technical support & expertise needed
security requirements for the website
speed and performance (often determined by the amount RAM & CPU)
and of course, the monthly budget
This is not information that a new website admin readily knows or has available.
So coming across a hosting plan that takes the burden of this decision away is helpful in every conceivable way.
Actually, the concept of "unlimited hosting" is fairly new to the web hosting industry.
Not long ago (that is, before the advent of cloud computing and cloud hosting), web hosting packages were mostly defined by two things:
the amount of disk space or web space per month
the amount of egress bandwidth you are allowed monthly
This changed a lot with the advent of the cloud and drastically changed the market dynamics.
For web hosting companies that embraced the public cloud, reaping the benefits of such move brought with it: faster innovation, flexible resources, and economies of scale.
On-demand computing let you pay for computing capacity by the hour or second (minimum of 60 seconds) with no long-term commitments.
This frees companies (web hosting companies included) from the costs and complexities of planning, purchasing, and maintaining hardware.
It also transformed what are commonly large fixed costs into much smaller variable costs.
Instead of buying hardware and software, setting up and running on-site datacenters which often leads to over-capacity planning, embracing the cloud means starting off with the right amount of computing power, storage, bandwidth.
These can be scaled up if and when needed, and from the right geographic location.
So what does this have to do with “unlimited hosting” and how does web host stay in business?
The fact is that most hosting companies offering unlimited web hosting operate on the assumption that most users on a system will not use all of the resources (disk space and bandwidth) their package has access to.
If every tenant on a shared web server insisted on using all of the "unlimited" resources, the web host would simply go out of business, fast.
A typical website with approximately 667 visitors per day, each viewing 5 pages of about 2 MB, transfers roughly 6.7 GB a day, or about 200 GB of bandwidth per month.
And that is the high end: most PHP sites online are WordPress sites with far lighter pages, so many need only 20% of that.
So, as you can see, it is possible to sustain an unlimited disk space and unlimited bandwidth offering.
Seeing "unlimited disk space" or "unlimited bandwidth" on a hosting pricing table is not a marketing ploy and shouldn't dissuade you from using the web host, especially if it goes hand in hand with a great hosting platform and support.
For instance on Web Hosting Magic infrastructure, instead of having 9-12 hosting packages, we decided to differentiate our web hosting packages with the amount of RAM and CPU each has access.
To us, it was a great way to make our hosting packages easy for those that may not know exactly the kind of resources their website might need.
At this stage, you may be wondering what might be the best hosting plan for your website.
The fact is that this depends on the kind of website you are trying to host online.
But on average, a good web hosting plan is one that:
offers enough storage space & bandwidth for your web pages, applications, and additional files
is scalable enough to meet any traffic surge & for the future growth
satisfies the system requirements of your web software
gives you the right balance between control and ease-of-use
is reliable enough that your site is 99.5% up and running at any given time
The general rule of thumb is that if you have a site with low or medium traffic, just go for any hosting package as long as these conditions above are met.
As your need grows, a good web hosting package will be able to accommodate that growth since it must be capable of allowing you to scale up the resources whenever required.
A legitimate web hosting company with its own infrastructure (as opposed to a reseller selling slices of someone else's servers) can offer this unlimited hosting option without much impact on the company's bottom line.
So if you come across a web host that offers these resources as "unlimited", it is an opportunity worth taking before the dynamics change.
Webmail allows you to access your email accounts through any browser, and here is how to edit your MX records in cPanel when you want to use Google's GSuite MX records.
A mail exchanger (MX) record is like a zip code that determines which mail server receives email for your domain name.
You may be able to send email without an MX record configured for your domain, but you will not be able to receive email without it, or if it points to the wrong location.
The changes you make to a domain's MX (Mail Exchanger) records specify where the rest of the world delivers email for that domain.
An MX record consists of two parts: a priority (also called preference) and a mail server hostname.
For example, depending on which company hosts your email, yours might be:
0 mail.domain_name.com
or
0 domain_name.com
'0' is the priority, or preference.
The lower the number, the higher the priority.
'mail.domain_name.com' or 'domain_name.com' is the mail server to which sending servers connect.
Sending mail servers try the MX hosts in order of priority.
If two MX records have the same priority, a sender picks one of them at random.
If they have different priorities, the server with the higher preference number is contacted only when the servers with a lower number are unavailable (this is typically used for backup mail servers).
What is Webmail?
When cPanel provisions a new hosting account, it automatically creates the domain's DNS records, including an MX record that points mail at the server's own mail service.
Webmail allows you to access those email accounts through any browser.
You can use cPanel Webmail to check your email by navigating to https://domain_name.com:2096 or https://webmail.domain_name.com, where domain_name.com represents your email address's domain.
To access Webmail via the cPanel interface, navigate to cPanel's Email Accounts interface (cPanel >> Home >> Email >> Email Accounts).
Then, in the Email Accounts tab, locate the email account in the list and click Access Webmail.
The Webmail interface will open in a new browser tab.
What Is GSuite?
GSuite is Google's suite of productivity and collaboration tools, comprising Gmail, Hangouts, Calendar and Drive for storage, and Docs, Sheets, Slides, Forms and Sites for collaboration.
As part of G Suite, Gmail comes with features designed for business use, including email addresses with the customer's domain name (@domain_name.com) and support for third-party apps and add-ons from the G Suite Marketplace.
Sometimes our enterprise cPanel customers with a GSuite account prefer Google's mail infrastructure to the Webmail that comes with a newly provisioned cPanel hosting account.
For privacy-minded individuals, though, using GSuite means trusting Google completely when it states that "we do not collect, scan or use your G Suite data for advertising purposes and do not display ads in G Suite, Education, or Government core services".
You might want to weigh this against the benefits that GSuite will give you or your organization before you opt for it.
How To Use GSuite MX Records With cPanel Webmail
Before you start, make sure that you have a GSuite account.
At this URL, you can clear any cached record for the domain.
This helps speed up propagation.
Return to the G Suite Setup Wizard.
Click through any confirming steps in the wizard.
Click “I have completed these steps” to tell Google to look for your new MX records.
Your business email for your domain is now directed to the G Suite mail servers.
Do note that the records may take several hours to update, so you might not immediately get new email messages in Gmail.
Until then, you’ll continue to receive messages at your old email provider if the previous settings are still in place.
If you see the "MX records setup validation in progress" message in the Admin console for more than a few hours, make sure you entered the MX records and their priorities correctly in the DNS zone stored with your host, and that no MX record pointing at the old server is left behind.
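An added example (not cPanel's or Google's code) that reads an MX record set the way a sending server does and reports the two mistakes that most often break a GSuite cut-over: a stale cPanel MX left in the zone, and preferences that put the wrong host first. The zone lines are constructed; the Google MX hostnames are Google's long-standing public ones and are an assumption of the example, not something the page lists.

```python
from collections import defaultdict

# Google's long-standing public MX hosts for GSuite / Google Workspace
# (an assumption of this example; check the Admin console for current values).
GOOGLE_MX_HOSTS = {
    "aspmx.l.google.com",
    "alt1.aspmx.l.google.com", "alt2.aspmx.l.google.com",
    "alt3.aspmx.l.google.com", "alt4.aspmx.l.google.com",
}

# Constructed zone data: the GSuite records, and the same set with the
# cPanel-generated MX accidentally left in place.
ZONE_AFTER_CUTOVER = [
    "@ IN MX 1 aspmx.l.google.com.",
    "@ IN MX 5 alt1.aspmx.l.google.com.",
    "@ IN MX 5 alt2.aspmx.l.google.com.",
    "@ IN MX 10 alt3.aspmx.l.google.com.",
    "@ IN MX 10 alt4.aspmx.l.google.com.",
]
ZONE_WITH_STALE_RECORD = ZONE_AFTER_CUTOVER + ["0 domain_name.com"]


def parse_mx(zone_lines):
    """Accept '0 mail.domain_name.com' or BIND-style '@ IN MX 10 host.' lines
    and return a list of (preference, host) with hosts normalised."""
    records = []
    for line in zone_lines:
        tokens = line.split()
        if "MX" in tokens:
            tokens = tokens[tokens.index("MX") + 1:]
        if len(tokens) == 2 and tokens[0].isdigit():
            records.append((int(tokens[0]), tokens[1].rstrip(".").lower()))
    return records


def delivery_order(records):
    """Lowest preference first; hosts sharing a preference are tried by the
    sender in random order, so they are grouped into a set."""
    by_pref = defaultdict(set)
    for pref, host in records:
        by_pref[pref].add(host)
    return [(pref, by_pref[pref]) for pref in sorted(by_pref)]


def check_gsuite_mx(records):
    """Return the problems that would keep mail from going to Google only."""
    problems = []
    hosts = {host for _, host in records}
    if not hosts & GOOGLE_MX_HOSTS:
        problems.append("no Google MX host present")
    stale = sorted(hosts - GOOGLE_MX_HOSTS)
    if stale:
        problems.append("non-Google MX still present: " + ", ".join(stale))
    order = delivery_order(records)
    if order and "aspmx.l.google.com" not in order[0][1]:
        problems.append("aspmx.l.google.com does not carry the lowest preference")
    return problems


if __name__ == "__main__":
    for name, zone in (("clean", ZONE_AFTER_CUTOVER), ("stale", ZONE_WITH_STALE_RECORD)):
        print(name, delivery_order(parse_mx(zone)), check_gsuite_mx(parse_mx(zone)) or "OK")
```

The stale record is the dangerous case: with "0 domain_name.com" still present at the lowest preference, every sender delivers to the cPanel server first and mail only reaches Gmail when that server is down, which looks exactly like "some messages arrive, most don't".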
Email spoofing is when a message's headers are forged to make it appear to come from someone or somewhere other than the actual source.
Spoofing is a common abuse of email, so many receiving mail servers expect DKIM to authenticate messages.
DKIM (DomainKeys Identified Mail) adds a digital signature, carried in a DKIM-Signature header, to every outgoing message. It uses a key pair: a private key that signs and a public key that verifies. Nothing is encrypted; the signature only proves origin and integrity.
The private key stays with Google and signs selected headers and the body of every message sent from your Gmail domain.
The matching public key is published as a TXT record in the Domain Name System (DNS) for your domain, under a selector name such as google._domainkey.
Mail servers that receive messages from your domain fetch the public key from DNS and use it to verify the signature, which shows that the message was authorized by your domain and was not changed after it was signed.
To do that, log back into your GSuite Admin console.
Click Apps, then G Suite.
Select Gmail from the list of available apps.
Scroll down until you see "Authenticate email".
Select the domain that will use the DKIM (DomainKeys Identified Mail) protocol for authenticating outgoing email.
Generate the domain key for your domain.
The record name will be something like "google._domainkey".
Add the public key as a TXT record wherever your domain's authoritative DNS is hosted; if that is your cPanel server, use cPanel's Zone Editor. It only needs to exist in the zone that the world actually queries.
Receiving servers use this key to verify the DKIM signatures on your messages.
Turn on DKIM signing to start adding a DKIM signature to all outgoing messages.
It might take up to 48 hours for DNS changes to fully propagate.
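An added example (not Google's or cPanel's code) that checks the published DKIM record before you switch signing on: it builds the record name from the selector, joins the TXT strings the way resolvers do, parses the tag=value list and confirms that the p= value is a complete, decodable public key. A 2048-bit key does not fit in one 255-byte TXT string, so it is published as two strings, and the most common failure is pasting only the first. The record and key bytes below are constructed filler, not a real key.

```python
import base64
import re

# Constructed sample: a 294-byte blob shaped like a DER SubjectPublicKeyInfo
# for a 2048-bit RSA key (0x30 0x82 SEQUENCE header); NOT a real key.
SAMPLE_KEY = b"\x30\x82\x01\x22" + bytes(range(256)) + bytes(34)
SAMPLE_P = base64.b64encode(SAMPLE_KEY).decode()  # 392 base64 characters

# A DNS TXT record is a list of strings of at most 255 bytes each, so the key
# is split across two strings that a resolver concatenates back together.
GOOD_RECORD = ["v=DKIM1; k=rsa; p=" + SAMPLE_P[:230], SAMPLE_P[230:]]


def dkim_record_name(selector, domain):
    """Name of the TXT record to create, e.g. google._domainkey.domain_name.com."""
    return f"{selector}._domainkey.{domain}"


def join_txt_strings(strings):
    """Resolvers concatenate a TXT record's strings with no separator."""
    return "".join(strings)


def parse_dkim_tags(record):
    """tag=value list: semicolon separated; whitespace inside values is ignored."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_dkim_record(strings):
    """Return a list of problems with a published record; empty means it is usable."""
    problems = []
    if any(len(s.encode()) > 255 for s in strings):
        problems.append("a TXT string is longer than 255 bytes")
    tags = parse_dkim_tags(join_txt_strings(strings))
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        problems.append("unexpected key type " + tags["k"])
    if "p" not in tags:
        problems.append("missing p= tag")
    elif tags["p"] == "":
        problems.append("empty p= means the key has been revoked")
    else:
        try:
            key = base64.b64decode(tags["p"], validate=True)
        except ValueError:  # binascii.Error is a ValueError
            problems.append("p= is not valid base64 (truncated or missing second string?)")
        else:
            # DER SubjectPublicKeyInfo starts with a SEQUENCE tag; 162 bytes is a 1024-bit key.
            if key[:1] != b"\x30" or len(key) < 162:
                problems.append("p= does not look like a DER-encoded RSA public key")
    return problems


if __name__ == "__main__":
    print(dkim_record_name("google", "domain_name.com"))
    print("good record:", check_dkim_record(GOOD_RECORD) or "OK")
    print("first string only:", check_dkim_record(GOOD_RECORD[:1]))
```

Run the same check against what a public resolver returns for the record name after the 48-hour window, not just against what you pasted into the Zone Editor: the two differ whenever the zone you edited is not the one the world queries.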
Check Email Deliverability
One of the best features that cPanel 78 came with is the ability
This interface, found at cPanel >> Home >> Email >> Email Deliverability, helps cPanel users identify problems with the mail-related DNS records (SPF, DKIM and reverse DNS) for one or more of their domains.
Receiving servers use these records to decide whether to trust your server as a sender.
It is advisable to use this interface to verify that all of your mail DNS records are correct and fully functional.
Troubleshooting MX Records
If you notice that you are having issues receiving email, or you are not entirely sure you have got this right, follow the steps in Troubleshoot MX records to fix your DNS setup.