Node.js cPanel: How To Deploy An App


As JavaScript became one of the most popular programming languages to build web applications, many of our customers have come to love the language.

But to build scalable browser and server applications, they often want to use Node.js.

This rockstar open-source cross-platform environment allows for rapid development of applications, which leads to high productivity, and therefore quicker deployment.

Web Hosting Magic offers elastic web hosting, which is often described by our customers as “a great alternative to VPS”.

Our Node.js Selector allows you as a JavaScript developer to have web space and resources needed for your application while still minimizing application management headaches.

How to Install a Node.js Application Using Node.js Selector

Node.js Selector is a CloudLinux component that allows each user to easily create Node.js applications, choose Node.js version and other parameters for applications based on their needs.

With a friendly UI, it unites all of the features in one place and makes it very convenient to manage.

At the time of writing this, Node.js Selector supports Node.js versions 6.x, 8.x, 9.x, 10.x, 11.x and later.

The Node.js Selector has many advantages over manual deployment.

It allows for several different applications to be run under the same user, accessed under the “Setup Node.js App” page in your cPanel account.

Phusion Passenger is used for application handoffs, so you won’t need to set up any .htaccess redirects to tell the web server to forward requests to the application’s port.

With Node.js Selector, all of this is handled for you.

To start, go to cPanel >> Software >> Select Node.js Version.

The Web Applications page will be displayed and you will see several columns in the list.

  • App URI: application URI including the domain.
  • App Root Directory: application root directory relative to the user’s home.
  • Mode: can be production or development.
  • Status: started/stopped — shows whether the application is running, and the version of the application.
  • Actions: allows you to start, restart, stop, edit, and remove a particular application.

Create A cPanel Account

Before you can access and use cPanel for your Node.js deployments, you must have a cPanel account.

To create a cPanel account, visit https://dashboard.cpanelcontrolpanel.com/cart.php?gid=1, and select a hosting package.

Our system will take you through the process which takes less than 5 minutes for you to get your cPanel logins.

How To Create A Node.js Application

Before you can configure your Node.js application, you will need to get that application to your cPanel server.

You can simply use SFTP to upload the copy of your application to your server.

Or you can also use cPanel’s native Git support to clone the repository onto your server and deploy from there.

The following example uses cPanel’s native Git support to clone the application to the server and then deploy it.

Clone The Application

  • Log in to cPanel.
  • On the Files pane, you will see cPanel’s Terminal interface (cPanel – Home – Advanced – Terminal).
  • Click on it to see where you can create a Git repository.
  • Now go back to GitHub and clone with HTTPS using the web URL. To keep your application data secure, be sure not to clone or upload into the public_html folder, since this makes the code itself potentially accessible from the web. Our system strives to keep your data safe, and during deployment it’s not a requirement that your application data be publicly accessible.

Cloning To A cPanel Server From A Private Github Repo

Private repos require SSH access, so you must perform additional steps in order to clone a privately-hosted remote repository.

You can use cPanel’s Terminal interface (cPanel – Home – Advanced – Terminal) to access the command line from within the cPanel interface.

Generate An SSH Key

If you have not already configured one, run the following command to generate an SSH key:

ssh-keygen -t rsa -b 4096 -C "username@example.com"

In this example, “username” represents the cPanel account username and “example.com” represents the domain name.

After you run this command, the system will prompt you to enter a passphrase.

Do not enter a passphrase.

Press Enter to continue.

Verify That The Key Is Available

To confirm that the key exists and is in the correct location, run the following command:

cat ~/.ssh/id_rsa.pub

Register Your SSH Key With The Private Repository Host

To register an SSH key with GitHub, perform the following steps:

  • Log in to your GitHub account.
  • Navigate to your private repository.
  • In the top right corner of the page, click Settings. A new page will appear.
  • In the left side menu, click Deploy keys. A new page will appear.
  • In the top right corner of the page, click Add deploy key. A new page will appear.
  • Enter your SSH key data:
  • In the Title text box, enter a display name for the key.
  • In the Key text box, paste the entire SSH key.

If you want to push code from your cPanel account to your GitHub account, select the “Allow write access” checkbox.

If you do not select this checkbox, you can only deploy changes from your GitHub repository to the cPanel-hosted repository.

  • Click Add key.

Do note that some repository hosts do not allow you to configure write access for your access keys.

For information about how to register your SSH key with another private repository host (Bitbucket, GitLab, etc), consult that host’s website or documentation.

Test Out The SSH Key

To test your SSH key, run the following command.

ssh -T git@example.com

where “example.com” represents the private repository’s host – e.g. ssh -T git@github.com.

Clone The Repo To cPanel

To clone the repository, run the following command on the cPanel account, where git@example.com:$name/private-repo.git represents the private repository’s clone URL:

git clone git@example.com:$name/private-repo.git

If you see “Error: The WebSocket handshake failed at …” when you access cPanel’s Terminal interface (cPanel – Home – Advanced – Terminal), recheck your connection.

If you are using VPN, disconnect and use your normal internet connection.

Once you click on “Create”, this will bring you back to the repository page showing the full path of the application being deployed.

This page is important, so do save that path for later use.

To recap:

  • Select a Node.js version.
  • Select either “Development” or “Production” for the application mode.
  • Select the application root. This is the filesystem path of your application on the server that corresponds with its URI.
  • Select the Application URL. This is an HTTPS link to your application.
  • Fill the form to point to the Application startup file. You can also add additional Environment variables by clicking on the “Add Variable”.
  • Click Create.

What follows is a more detailed explanation.

Node.js Application Configuration

With the application files in place on the server, you are ready to configure Node.js to launch that application from the web.

From cPanel on the same account under the “Software” tab, select “Setup Node.js App”.

On this setup screen, you’ll select “Create Application” to bring up the options for choosing the Node.js version as well as whether to use a Development or Production environment.

Application code commonly takes different paths depending on how this environment variable (NODE_ENV) is set.

As a general rule, Production is going to have more levels of caching, as well as minimal logging.

So, for a Development environment set, you can expect the inverse, with fewer levels of application caching, and more verbose logging and error message output.

A typical example would be where in production, you may only see an error page.

In development, you may see a full stack trace on an application error which allows you to figure out exactly where the error took place inside the code.

Since Node.js applications, in general, depend on several environment variables, you can add these using the “Add Variable” button near the bottom right of the page.

The Node.js production or development variable is already set separately in the top section using the “Application Mode”, so it is not necessary to set it again in the Environment variables section.

This same menu is where you can select the version of Node.js that you’d like to use as well as the application’s startup file.

This might be index.js, app.js or any number of variations; it depends on the application.

Once you’ve saved your application, you’ll need to resolve its package dependencies.

The NPM package manager does this automatically based on the package.json file packaged with the application, so all that you’ll need to do here is click on the “NPM Install” button.

At this point, your domain must resolve to an IP address, or the installation script will fail with an error.

If you are using a sub-domain, make sure that this has been created and that you have added all relevant records to your DNS.

You can confirm this by simply running:

$ dig sub-domain.com

NPM will read the contents of the package.json file and install the needed packages into a virtual environment specific to the application.

If you are familiar with the command line, you can follow the instructions at the top of the page to gain access to the “npm” and “node” commands to make additional changes manually, allowing for a great deal of customization.

Node.js Application Deployment

By this point, you’ll have your application configured and Node.js modules installed, so you’re ready to launch the application.

Our cPanel systems make this very easy.

On the same page where you configured your application, click “Run JS Script”.

This will execute the application startup file that you defined earlier during setup.

As Node.js applications have several different options, this can bring up another menu with different options to select depending on the application that you’re running.

In general, you’ll want to select the “Start” option next.

Finally, you can select the “Open” option to visit your page, and see your application!

How To Start A Node.js Application

To start a stopped application do the following:

Click the Start icon in the Actions column of a stopped application’s row.

When the action is completed, the Start icon changes to a Stop icon.

How To Stop A Node.js Application

To stop a started application do the following:

Click the Stop icon in the Actions column of a started application’s row.

When the action is completed, the Stop icon changes to a Start icon.

How To Restart A Node.js Application

To restart the application do the following:

Click the Restart icon in the Actions column of a started application’s row.

The current row will be blocked and will be unblocked when the process is completed.

How To Remove A Node.js Application

To remove the application do the following:

  • Click the “Bin” icon in the Actions column of a particular application’s row.
  • In the confirmation pop-up, click Agree to start removing or Cancel to close the pop-up.

When the action is completed, an application will be removed from the Web Applications table and a confirmation pop-up displayed.

How To Edit Your Node.js Application

To edit an application, do the following:

Click the Pencil icon in the Actions column of a particular application’s row.

An application tab will open.

At the moment, you can:

  • restart application – click Restart button.
  • stop Node.js — click Stop Node.js button.
  • run JavaScript script — click Run JS Script button to run a command specified in the Scripts section of the package.json file. Specify the name of the script to run plus any parameters, then click Ok.
  • remove application — click Delete button and confirm the action in a pop-up.
  • change Node.js version — choose Node.js version from a drop-down.
  • change Application mode — choose application mode from a drop-down. Available modes are Production and Development.
  • specify Application root — specify in a field the filesystem path of the application on the server that corresponds with its URI.
  • specify Application URL — specify in a field an HTTP/HTTPS link to the application.
  • specify Application startup file — specify as NAME.js file.
  • run npm install command — click Run npm install button to install the package(s) described in the package.json file.
  • add Environment variables — click Add Variable and specify a name and a value.

How To Debug Errors On Your Node.js Application

Directives such as PassengerFriendlyErrorPages and PassengerAppEnv are available for use from a .htaccess file.

This allows cPanel users to debug a Node.js application during development.

For example, if you add one of the following lines to the .htaccess file on the application page and there is an error, you will see the error listed:

PassengerAppEnv development

or

PassengerFriendlyErrorPages on

New WP-CLI Scheduled For April 24th Release


WP-CLI v2.2.0 is scheduled to be released for Wednesday, April 24th, 2019.

WP-CLI is a set of command-line tools for managing WordPress installations.

You can update plugins, set up multisite installs and much more, without using a web browser.

The maintainers said that they have a list of already accepted features that are just waiting for some adventurous soul to implement them and a list of known bugs that need to be turned into non-bugs.

And as WordPress bumps the minimum PHP version requirement to 5.6 and the MySQL version requirement to 5.5, WP-CLI says it is “staying as low as possible” with its own PHP minimum requirement.

According to the team, they are adopting this approach as to not to randomly break support for people stuck on lower PHP versions.

The delay is meant to allow site owners still using WP-CLI to migrate their old sites over to newer servers.

If you choose to remain on 5.5 or below, you may still receive security updates and possibly bug fixes, but would not be able to upgrade to the latest major WordPress version until you upgraded to a supported version of PHP.

At Web Hosting Magic, we offer PHP 7.2 and 7.3 as default though customers wishing to use old PHP versions can do that using our HardenedPHP.

To update WP-CLI, run:

wp cli update or sudo wp cli update

When you run wp cli update, you’ll be prompted to confirm that you wish to update with a message similar to the following:

You have version 0.21.1. Would you like to update to 0.23.1? [y/n]

After you accept, you should see a success message:

Success: Updated WP-CLI to 0.23.1

If you’re already running the latest version of WP-CLI, you’ll see this message:

WP-CLI is at the latest version.

For more information about wp cli update, including flags and options that can be used, read the full docs page on the update command.

WordPress iOS App Credentials May Have Been Compromised


If you are using the WordPress iOS app, do update it at once as the old version exposes your security credentials to third-party websites.

WordPress says that it recently uncovered an issue with how the WordPress iOS application handles security credentials.

The iOS app inadvertently exposed account tokens to third-party sites.

The issue has the possibility of exposing security credentials to third-party websites and only affected private websites with images hosted externally (e.g., with a service like Flickr) that were viewed or composed with the app.

Typically when a WordPress.com site had a post or a page with an image hosted on Flickr, the app would send along a WordPress.com account token to Flickr when fetching the image.

In the unpatched version of the app, the account tokens could appear in the logs of third-party companies.

In the hands of malicious individuals, this could be used to target such a WordPress.com account.

While WordPress hasn’t said how many customers were affected, Sensor Tower indicates that the app was installed 9.3 million times on iOS since 2012, with about 1.3 million installs last year.

WordPress has reset all passwords for iOS users, but it is still advisable to update your password.

The Android app and self-hosted WordPress installations are not affected.

To start using the app again, do make sure you’ve updated WordPress iOS to 11.9.1 or greater.

You can check for updates in the App Store on your device and tap the “more” button to see the release notes, which list the version number.

Once you’ve updated, launch the app.

You may notice errors about not being authorized and data will not load, or be prompted to log in.

If you’re not prompted to log in, visit the Me tab and tap Log Out, then sign back in.

You can download the Mac app from https://apps.wordpress.com/desktop/.

For the mobile app, visit https://apps.wordpress.com/mobile/.

How to Transfer A Domain With Minimal Downtime

How To Transfer A Domain To 2cPanel Web Hosting Magic

As a website owner, there will come a time when you may need to transfer your domain or a number of domains from one registrar to another.

And given that your business depends on its ability to stay online, here is how to move a domain name with minimal impact to the website uptime.

Transfer Requirements for Top-Level Domains

  • Expired or suspended domain names cannot be transferred. However, if the domain expires after the transfer has been completed at the new registrar, then the old registrar is not allowed to deny the transfer for non-renewal.
  • If the registration for a domain name expired and had to be restored, it must have been restored at least 60 days ago.
  • You must have either registered the domain with the current registrar or transferred registration for the domain to the current registrar at least 60 days ago.
  • If the current registrar for the domain has outstanding administrative action against the domain, you cannot transfer it until the matter has been resolved.
  • In some cases, renewing the domain for the required one additional year causes the domain to exceed the maximum registration period. In these cases, you must wait until renewing for one year does not extend the total registration period beyond the maximum allowed.
  • The domain cannot have any of the following domain name status codes: clientTransferProhibited, pendingDelete, pendingTransfer, redemptionPeriod, serverTransferProhibited.
  • Some registries may not allow transfer of a domain name until changes such as changes to the domain owner are completed.

Unlock the Domain

A locked domain cannot be transferred to another registrar or account.

Whenever you need to make changes to a domain’s settings, such as updating nameservers or contact information, we automatically unlock and re-lock the domain name.

To transfer your domain name, you must first unlock it.

Disable WHOIS Privacy

While it may be possible to transfer domains with this enabled, double check to ensure that you can accept emails from the private email address before initiating a domain transfer.

Reduce TTL

Time to live (TTL) determines how long a DNS cache server can serve a DNS record before reaching out to the authoritative DNS server and getting a new copy of the record.

Set the TTL times on your DNS to a short value (something like 300 seconds) 12-24 hrs before DNS changes.

Transfer DNS Service

If the registrar for your domain is also the DNS service provider for the domain, transfer your DNS service to our DNS systems before you continue with the process to transfer the domain registration.

If you don’t transfer DNS service to us, your website, email, and the web applications associated with the domain might become unavailable.

EPP Authorization Code

EPP Code (also known as Transfer secret) is a randomly generated complex code that contains numbers, letters and special characters.

Domain name registrars are only permitted to provide the code to the registered owner of the domain as it appears on a WHOIS query.

The code helps identify the domain name holder; it does not constitute transfer approval.

If the code is not provided, then those domains generally cannot be transferred.

Request and get your EPP authorization code (a string of characters) from your registrar’s dashboard.

You can see this feature under your domain’s management section.

Initiate Domain Transfer

Visit https://dashboard.cpanelcontrolpanel.com/cart.php?a=add&domain=transfer.

Enter in your domain name to transfer, followed by the EPP Authorization Code and click “Add To Cart“.

Follow the process to completion.

Approve The Domain Transfer

We will confirm that the domain is eligible for transfer, and send an email to the registrant contact for the domain to request authorization to transfer the domain.

Click the link to initiate/approve the transfer.

If the domain registration is not available for transfer, our system will list the reasons.

Do contact your registrar for information about how to resolve the issues that prevent you from transferring the registration.

Verify The Domain Transfer

Check to verify that the transfer has been initiated.

If the registrant contact authorizes the transfer, we start to work with your current registrar to transfer your domain.

This step might take up to ten days, depending on the TLD for your domain:

  • Generic Top-Level Domains – take up to seven days
  • Geographic Top-Level Domains (also known as country code top-level domains) – take up to ten days

Complete Domain Transfer

Manage Domain Name At 2cPanel

Once all messaging between us and your old registrar is completed, our system will send you an email informing of a successful transfer.

You will now be able to see the domain under My Domains at https://dashboard.cpanelcontrolpanel.com/clientarea.php?action=domains.

Click to manage.

That’s it, folks!

How To Add SSH Key For cPanel SSH Access


As a cPanel user, you will often need to manage your website or application files either through SSH or FTP.

Here is a way to do this securely through the SSH key feature that comes with cPanel natively.

The first question probably is, why enforce key authentication instead of the normal password authentication for these tasks?

Passwords remain the most used form of online authentication.

This is mostly because they are simple and inexpensive to implement on most infrastructures.

However, it is generally agreed that passwords are the weakest link and poorest form of protection when it comes to online security.

And as technology evolves, the tools available to malicious hackers and intruders to crack your online credentials evolve too, gaining more speed and sophistication.

Compounding the problem is also the fact that users are often given the ability to create their own passwords when creating new online identities.

Humans are not known as the most patient of nature’s creatures and so, they often go for passwords that are easily guessable & hackable.

This is why whenever there is a password dump, you will often find that the most commonly used passwords are “password,” “1234,”, “birth dates” or “pass”.

Most folks will also re-use the same password for multiple sites.

So when one site is compromised, so is every other website that the user has an account on.

As a cPanel user, what then should you use for SFTP/SSH authentication – SSH keys or passwords?

Of course, the answer will be a key-based SSH.

SSH keys are an excellent way to stay secure provided that you use best practice to generate, store, manage, and remove them.

While you certainly can use password authentication for SSH, it doesn’t protect against weak passwords even when they run encrypted over the network.

If a malicious user is able to guess or obtain the password of a legitimate user, the malicious user can then authenticate and pose as you.

On our web hosting platform, we don’t allow SSH password authentication.

There are several advantages to this, among which are:

  • malicious hackers cannot brute-force a key-based login.
  • in the event that a server is compromised, a malicious attacker will not be able to access your server even when he or she has gained control of the password.
  • and because a password isn’t required at login, you are able to log in to servers from within scripts or automation tools that you need to run unattended.

Instead, we expect customers that want to use SFTP/SSH to use public key authentication.

With SSH, a cryptographic key that consists of two parts is generated:

  • a private key usually named id_rsa that is stored on your local computer.
  • a public key usually named id_rsa.pub that will be placed on the server that you will be logging in to.

This tutorial is meant to show you how easy it is, to get this done.

How To Generate Your Key And Add It To CPanel

Mac

Pull up your Terminal.

Paste something like the text below:

$ ssh-keygen -t rsa -b 4096 -C "$identifier"

where $identifier is either your email address or something else.

When you’re prompted to “Enter a file in which to save the key,” press Enter.

This accepts the default file location.

At the prompt, type a secure passphrase.

Now create a ~/.ssh/config file to automatically load keys into the ssh-agent and store passphrases in your keychain.

touch ~/.ssh/config

Start the ssh-agent in the background.

$ eval "$(ssh-agent -s)"

Modify the file you created earlier:

cd .ssh && vi ~/.ssh/config

Add this to the file:

Host *
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/id_rsa

Add your SSH private key to the ssh-agent and store your passphrase in the keychain.

$ ssh-add -K ~/.ssh/id_rsa

Confirm the key existence:

$ ls -al ~/.ssh

Now copy the generated public key you will add to the cPanel server:

$ cat .ssh/id_rsa.pub

Windows

Windows has a different workflow but these will help:

Generate a Key Pair with PuTTY

Download PuTTYgen (puttygen.exe) and PuTTY (putty.exe) from the official site at http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.

Launch puttygen.exe.

The RSA key type at the bottom of the window is selected by default for an RSA key pair, but ED25519 (EdDSA using Curve25519) is a comparable option if your remote machine’s SSH server supports EdDSA signatures.

Increase the RSA key size from 2048 bits to 4096 and click Generate.

PuTTY uses the random input from your mouse to generate a unique key.

Once key generation begins, keep moving your mouse until the progress bar is filled.

When finished, PuTTY will display the new public key.

Right-click on it and select Select All, then copy the public key into a text editor: Sublime Text, Atom or even Notepad.

Save the public key as a .txt file.

This is important because a rich text format such as .rtf or .doc can add extra formatting characters, and then the key won’t work.

Enter a passphrase for the private key in the Key passphrase and Confirm passphrase text fields.

Click Save private key.

Choose a file name and location in Explorer while keeping the .ppk file extension.

Remember the location of the private key file for future use.

If you plan to create multiple key pairs for different servers, be sure to give them different names so that you don’t overwrite old keys with new.

Convert The Public Key Into The OpenSSH Format

Now open your private key in PuTTYGen.

Click Load.

Select your private key that ends in .ppk and then click “Open”.

Look at the top menu and select “Conversions” -> “Export OpenSSH key”.

Save the new OpenSSH key when prompted.

The public key will be under public key for pasting into cPanel.

Newer versions of Windows have a better approach to this, and you may want to take a look at the following links:

Once you have generated your keys, log in to cPanel.

Scroll down to Security >> SSH Access.

To import an existing SSH key, perform the following steps:

Click Manage SSH Keys.

Click Import Key and copy the id_rsa.pub you generated.

To use a custom key name, enter the key name in the Choose a name for this key (defaults to id_dsa) text box.

Paste the public and private keys into the appropriate text boxes.

Click Import.

You must authorize new keys before you attempt to use them.

So go back and click Manage to manage authorization for the key. A new interface will appear.

Click Authorize to authorize the key or Deauthorize when you need to revoke authorization for the key.

Protecting Your SSH Public Keys:

  • if you are an organization or share SSH logins with other people, have a centralized way of managing all your SSH keys.
  • passphrase your keys and do not use the same passphrase with multiple keys (with each key granting access to a different server).
  • actively rotate SSH keys by forcing users to generate keys on a regular basis.
  • never share a private key between physical devices.
  • if possible, tie each SSH key to an individual, rather than just to an account that can be accessed by multiple users.
  • use a bastion host. Bastion hosts allow you to create a firewall rule that allows SSH traffic only to a single instance.
  • set up alerts to notify you when someone successfully logs in over SSH.

Struggling with key management?

These tools below make SSH key management a breeze.

They surely will give you a way to consolidate and securely access your systems, apps, networks, and file servers – regardless of platform, protocol, provider, or location.

When it comes to your digital assets (website, databases, crypto-currencies, etc), using a password should be regarded as a doorway to a communal bar.

However, these below can be considered password best practices and may be able to help mitigate the risk involved with passwords:

Password Best Practices

  • don’t use any personal identifying information as part of your password: yours, spouse’s, significant other’s, children’s, friend’s, or pet’s name, date of birth, license plate number, telephone number, social security number, make of your automobile, house address, etc.
  • don’t use a word contained in English or foreign language dictionaries, spelling lists, acronym or abbreviation lists, or other lists of words.
  • don’t share your password with another person for any reason.
  • don’t write your passwords on paper.
  • don’t re-use the same (or similar) password on two websites.
  • ensure that the password you are using or generating has mixed-case characters and non-alphabetic characters/symbols, and is at least 20 characters in length.
  • make it a habit to use two-factor authentication along with any password you have.
  • and periodically or every 90-120 days, change every password that you own.

Addon Domain cPanel: How To Host Additional Domains


One of cPanel’s best features is the absolute control that it gives any cPanel user to manage his or her domains in one place, even when you own thousands of domain names.

After you have gotten your cPanel login and have gained access to cPanel, you may want to add more domains to the account than the one it was originally provisioned with.

When this is your goal, you will need to use cPanel’s addon domain feature.

This interface can be found at cPanel >> Home >> Domains >> Addon Domains.

What is an add-on domain?

An addon domain is a domain that is hosted inside the same cPanel account that you own but treated as a completely different website.

Why is this useful?

Well, let’s say you have 5 domain names that you consider prime online properties.

As with any physical asset, you would want to monetize these since you don’t want them lying around without generating cash for you.

So instead of creating additional cPanel hosting accounts to host these domains, you simply add these as addon domains to 1 cPanel account and split your existing account’s resources among these.

This not only saves you tons of money but is also the best way to manage multiple domains without having to log into multiple cPanel accounts.

How To Create An Addon Domain In cPanel

Before you start, there are a couple of things you must do to avoid seeing errors.

Ensure that your cPanel hosting package allows you to add an additional domain to your hosting account.

If your hosting package’s addon domain limit is set to “0”, you will not be able to complete an addon domain creation.

If this is not done, you may see this error:

your addon domain limit of 0 addon domains has been reached.

Ensure that the DNS records for the additional domains you want to add are pointing to your hosting provider’s DNS cluster before attempting this.

If this is not done, you will see the following error:

sorry, the domain is already pointed to an IP address that does not appear to use DNS servers associated with this server.

While the server can be tweaked to allow the creation of parked domains (aliases) and addon domains that resolve to other servers, this is highly discouraged as it will cause serious security issues down the line.

OK!

So once these conditions are met, it is time to proceed to the next stage of the process.

To create an addon domain, perform the following steps:

  • Login to cPanel and scroll down to Domains.
  • Click on Addon Domains. A new page will open.
  • Enter the new addon domain’s name in the New Domain Name text box. When you enter the domain name, cPanel automatically populates the Subdomain and Document Root text boxes.
  • To create multiple addon domains with the same username and different extensions (for example, domain_name.com and domain_name.net ), manually enter a unique username in the Subdomain text box.
  • While the commonest document root for most addon domains is /home/username/addon-domain/, you can specify the precise location in which you want each addon domain to be hosted when adding it. To choose a document root other than the one that was automatically created for you, manually enter the directory name in the Document Root text box.
  • If you need to create an FTP account for the new addon domain, select the Create an FTP account associated with this Addon Domain check-box.
  • Click Add Domain.

That’s it!

Your add-on domain now has a new home and you can use it as you would, with a full-fledged cPanel hosting account.

If you see any error, please re-visit the conditions that must be met above and try again.

If you want to add files to the addon domain’s home directory, go back to cPanel and click File Manager.

If you want to disable or enable redirection of an addon domain, perform the following steps:

  • click Manage Redirection for the addon domain that you wish to manage.
  • to redirect the domain, enter the link to which you wish to redirect the addon domain.
  • click Save, or, to disable the redirection, click Disable Redirection.

If you want to remove an addon domain, perform the following steps:

  • click Remove for the addon domain that you wish to remove.
  • click Yes.

If you want to create an email account on an addon domain, use cPanel’s Email Accounts interface (cPanel >> Home >> Email >> Email Accounts).

How To Configure Your cPanel Firewall In The Cloud

Learn how to configure cPanel firewall in most cloud platforms or use other security tools to harden and protect your cPanel server from malicious attacks.

Imagine a new house where, after the initial erection of the walls has been completed, the house is left with no roof to shield its occupants from the elements and no doors to keep them safe from wild animals that would love to gobble them up for dinner.

The above analogy is often what happens when a server administrator deploys a server and then forgets the most fundamental aspect of the process: security.

The cloud has given server administrators the ability to rustle up any kind of server in less than 55 seconds.

The problem with that is that server administrators often tend to forget the most fundamental aspect of the process: security.

While most of the biggest cloud systems we have come to embrace have in-built measures designed to keep us from becoming victims of our human nature, it hasn’t changed the fact that when you deploy a system that wasn’t designed to be secure from its conception, you will face a hard road down the line.

The fact is that 98% of the attacks that a system connected online will face are opportunistic in nature rather than targeted.

When a malicious user tries his or her luck with a system and finds it robustly protected, he or she will move on to easier targets.

With an unprotected server, the story will be different, as anyone with malicious intent will immediately see the box as low-hanging fruit ripe for the picking.

An unprotected server also shouldn’t be online, not only because it goes against everything a good admin should be, but because it makes the internet more insecure.

What Is A Firewall In Computing?

In computing infrastructure design, the internet is always treated as an untrusted external network.

A firewall monitors and controls incoming and outgoing network traffic based on predetermined security rules.

Just as any well-designed building has walls intended to contain a fire, designated entry and exit points, and rules about who should be allowed in and who should be turned back, a well-implemented firewall lets a system administrator define what inbound and outbound communication is allowed for a server and mitigate threats within a set of parameters.

As a system administrator, the standard place to start when it comes to security is to:

  • be aware that any software can be exploited, including cPanel.
  • understand and treat every user input as potentially hostile and malicious.
  • apply good security practices to defend an infrastructure.
  • avoid rolling out any security solution that you do not fully understand.
  • log all suspicious behavior so that it is available if and when forensics are needed.
  • design a system in such a way that it will enable you to restore the infrastructure to its pre-compromise state.
  • don’t use port firewalling merely to hide insecure protocols; rely on the security of the protocols that you use to defend your infrastructure.
  • provide the minimal privilege needed to complete an operation successfully, and nothing more.

How To Set Up A cPanel Firewall For Mitigation

So how does one go about securing, for example, a public-facing cPanel web server in order to lower the chances of it being compromised?

Let’s start with the basics when installing a new cPanel server.

Remove all existing rules

Just as you wouldn’t start constructing a building on top of something someone else has already built, it is always better to rip out any existing firewall rules before implementing new ones.

Doing so gives you a clear, coherent idea of what you are allowing and blocking on your system, a piece of information you would want to have in your head when dealing with an ongoing threat.

When installing cPanel on a new machine, you should deactivate the firewall before running the installation script with:

iptables-save > ~/firewall.rules
systemctl stop firewalld.service
systemctl disable firewalld.service

where ~/firewall.rules represents the firewall rules file.

The same commands work on CentOS, Red Hat Enterprise Linux, CloudLinux, and Amazon Linux too.

When the installation process finishes, you can then select and configure a firewall from any of the options below.

Disable SELinux

SELinux (Security-Enhanced Linux) in enforcing mode is purposely built to make your web server a fortress, but frankly, it takes a lot of work to configure SELinux even on a basic Linux machine.

And while cPanel & WHM may be able to function with SELinux in permissive mode, it generates a large number of log entries that you wouldn’t want.

It is highly recommended that you disable SELinux and reboot the system before installing cPanel on any system.

To disable SELinux security features, edit its configuration file as follows:

Pull up your Terminal and run:

$ sudo cp /etc/selinux/config /etc/selinux/config.backup
$ sudo vi /etc/selinux/config

The /etc/selinux/config file allows you to set the SELINUX parameters that you want the server to run.

When it opens, you will see something like this:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Only targeted network daemons are protected.
#     strict - Full SELinux protection.
SELINUXTYPE=targeted

The parameter you are looking for is “SELINUX=enforcing” (or “SELINUX=permissive”, if that is what your system has).

All you have to do is to replace that value with “disabled“.

Save the file and exit vi by running “:wq”.

Reboot the server:

sudo systemctl reboot

systemctl is the primary command-line utility for managing systemd daemons/services (start, restart, stop, enable, disable, reload, status and so on).

You can now start your cPanel installation and once that is done, it will be time to start the security configuration.

What Kind Of Firewall Can You Use With cPanel?

The kind of firewall you will use with cPanel will largely depend on two things:

  • the deployment environment (on-premise or cloud-based)
  • your level of familiarity with the tools you want to use

Implementing cPanel Firewall On The Cloud

If you are using a public cloud such as AWS, Google Cloud Platform, Microsoft Azure, Alibaba Cloud or a host of others, you can do everything you want from the datacenter level.

But this requires being able to create a VPC (the datacenter in cloud-speak), and while the interfaces and naming conventions on each of these platforms differ, it all boils down to one thing: being able to determine what ingress and egress traffic you want to allow.

This often requires figuring out which ports the server needs in order to perform optimally and then allowing inbound access to these.

There are other optional layers of security, such as Network ACLs (which by default allow all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic), that act as a firewall for controlling traffic in and out of one or more subnets.

But we will stick with the basics at this time.

Security Groups

In the cloud, a security group acts as a virtual firewall that controls the traffic for one or more instances and provides security at the protocol and port access level.

When you launch an instance, you can specify one or more security groups; otherwise, the platform uses its default security group.

You can add rules to each security group that allows traffic to or from its associated instances.

Each security group – working much the same way as a firewall – contains a set of rules that filter traffic coming into and out of an instance.

There are no ‘Deny’ rules.

Rather, if there is no rule that explicitly permits a particular data packet, it will be dropped.

You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group.

When deciding whether to allow traffic to reach an instance, the platform evaluates all the rules from all the security groups that are associated with the instance.

On Microsoft Azure, this is called Network Security Groups (NSG).

Google Cloud Platform simply calls its own Firewall Rules (Networking >>> VPC network).

GCP firewalls apply to a single VPC network but are considered a global resource because packets can reach them from other networks.

AWS and Alibaba Cloud call theirs Security Groups.

Things To Keep In Mind:

Security should be part of your initial architecture design, not an after-thought.

While you can always go back and assign a newly created security group to an instance, always create your VPC with its subnet, route, firewalls, and everything ahead even before you launch your first virtual machine.

That way, when you are deploying the instance, you can simply select an existing security group and re-check all the ports before hitting Deploy.

Be aware that on each of these platforms, you are limited to a certain number of security groups per VPC.

You can always request an increase to the limit, but you may notice a network performance impact.

Also, ensure that your firewall rules match the way in which you use cPanel & WHM’s services.

Creating Security Groups

AWS

To create a security group using the AWS console

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

In the navigation pane, choose Security Groups.

Choose Create Security Group.

Enter the name of the security group (for example, cpanel_security_group) and provide a description.

Select the ID of your VPC from the VPC menu and choose Yes, Create.

You can also use:

aws ec2 create-security-group --group-name MySecurityGroup --description "My security group" --vpc-id vpc-1a2b3c4d

On the Inbound Rules tab, choose Edit.

Select an option for a rule for inbound traffic for Type, and then fill in the required information.

Specify a value for Source as 0.0.0.0/0.

Optionally provide a description for each rule, and then choose Save.

Microsoft Azure

From Azure Security Center you will be able to see a list of the network security group (NSG) and Access Control List (ACL) rules that allow or deny network traffic to your VM instances in a Virtual Network.

When an NSG is associated with a subnet, the ACL rules apply to all the VM instances in that subnet.

Microsoft Azure has a longer form with more fields to fill.

But it is relatively simple and does exactly the same thing you will see on the other cloud platforms.

To create a network security group on Microsoft Azure,

In the top-left corner of the portal, select + Create a resource.

Select Networking, then select the network security group.

Enter a Name for the network security group, select your Subscription, create a new Resource group, or select an existing resource group, select a Location, and then select Create.

In the search box at the top of the portal, enter network security groups.

When network security groups appear in the search results, select it.

Select the network security group you want to change.

Select Inbound security rules under SETTINGS.

Several existing rules are listed.

When a network security group is created, several default security rules are created in it.

You can’t delete default security rules, but you can override them with rules that have a higher priority.

To learn more about default security rules, visit https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules.

Select + Add.

Select or add values for the following settings:

  • Source (Any, Application security group, IP Addresses, or Service Tag)
  • Source port ranges (0.0.0.0/0)
  • Destination (Any, Application security group, IP addresses, or Virtual Network)
  • Destination port ranges
  • Protocol (Any, TCP, or UDP)
  • Action (Allow or Deny)
  • Priority (100-4096 – the lower the number, the higher the priority. Leave a gap between priority numbers when creating rules, such as 100, 200, 300. Leaving gaps makes it easier to add rules in the future that you may need to make higher or lower than existing rules.)
  • Name
  • Optional Description

Select OK.

Alibaba Cloud

Log on to the ECS console.

In the left-side navigation pane, select Networks and Security > Security Groups.

Select the target region.

Find the security group to add authorization rules and then, in the Actions column, click Add Rules.

On the Security Group Rules page, click Add Security Group Rule.

In the dialog box, set the following parameters:

Rule Direction:

  • Outbound: ECS instances access other ECS instances over intranet networks, or through Internet resources.
  • Inbound: Other ECS instances in the intranet and Internet resources access the ECS instance.

  • Action: Select Allow or Forbid.
  • Protocol Type and Port Range
  • Authorization Type and Authorization Object
  • Priority: The value range is 1-100. Remember, the smaller the value, the higher the priority.

Click OK.

Google Cloud Platform

On Google Cloud Platform, every VPC network functions as a distributed firewall.

While firewall rules are defined at the network level, connections are allowed or denied on a per-instance basis.

You can think of the GCP firewall rules as existing not only between your instances and other networks but between individual instances within the same network.

When you create a GCP firewall rule, you specify a VPC network and a set of components that define what the rule will do.

The components enable you to target certain types of traffic, based on the traffic’s protocol, ports, sources, and destinations.

Unlike AWS, GCP firewall rules only support IPv4 traffic.

When specifying a source for an ingress rule or a destination for an egress rule by address, you can only use an IPv4 address or IPv4 block in CIDR notation.

Remember that you have to create a custom network before you can make this happen.

Visit Products & services > VPC network > VPC networks

Click + CREATE VPC NETWORK.

Do the following, leaving all other fields with their default values:

Specify the subnets

Click Create.

Visit Products & services > VPC network > Firewall rules

Click on the network you created.

You will notice that no default firewall rules were created for the custom network.

You will have to manually add default rules in the next step.

Click + CREATE FIREWALL RULE.

Enter the following, leaving all other fields with their default values:

  • Name: allow-ssh-icmp-rdp-learncustom
  • Network: learncustom
  • Direction of traffic: Ingress
  • Action on match: Allow
  • Targets: cpanel
  • Target tags: cpanel, cloudlinux
  • Source filter: IP ranges
  • Source IP ranges: 0.0.0.0/0
  • Protocols and ports: Specified protocols and ports
  • Specified protocols and ports: icmp; tcp:22; tcp:25; tcp:53; tcp:80; tcp:110; tcp:143; tcp:443; tcp:465; tcp:587; tcp:993; tcp:995; tcp:2078; tcp:2080; tcp:2083; tcp:2087; tcp:2096; udp:53; udp:123; udp:465; udp:783; udp:873; udp:6277; udp:24441

Make sure that the source filter address includes the final ‘/0’.

If you specify 0.0.0.0 instead of 0.0.0.0/0, the filter will default to 0.0.0.0/32 — an exact host address that doesn’t exist.

Click Create.

cPanel Services Firewall Ports

Here are the ports that cPanel & WHM uses, and the services that use each of these ports.

We have removed all non-SSL services since using these allows attackers to intercept sensitive information, such as login credentials.

We reckon you already know what a port is.

But if you don’t know, let’s take a quick look at what a port is in networking.

In the OSI networking model, ports are mostly considered part of the transport layer (though, depending on whom you ask and whether you look at the source port on the initiating machine or the destination port and IP of the service being called, they are sometimes attributed to the network or even the session layer), and they deal with end-to-end communication between different services and applications.

A port number is a 16-bit unsigned integer, thus ranging from 0 to 65535.

For TCP, port number 0 is reserved and cannot be used, while for UDP, the source port is optional and a value of zero means no port.

For example, HTTP has port 80 assigned to it.

So, when a client wants to contact an HTTP server, it uses the destination port of 80 and a source port unique to the process making the request.

This allows the receiving host to send any received packets with a destination of port 80 to the processes “listening” for those packets, which if there is one, would normally be an HTTP server process.

When the HTTP server responds, it uses the client’s source port as the reply destination port and it might use port 80 for the reply packet’s source port.

This allows the original client to forward the packet quickly to the process that made the request.

At the moment, cPanel ports range from “1” (CPAN) to “24441” (Pyzor).

Port    Service
1       CPAN
22      SSH/SFTP
25      SMTP
26      SMTP
37      rdate
43      whois
53      bind
80      httpd
110     pop3
113     ident
143     IMAP
443     httpd
465     SMTP, SSL/TLS
579     cPHulk
783     Apache SpamAssassin
873     rsync
993     IMAP SSL
995     POP3 SSL
2078    WebDAV SSL
2080    CalDAV and CardDAV (SSL)
2083    cPanel SSL
2087    WHM SSL
2089    cPanel Licensing
2096    Webmail SSL
2195    APNs
2703    Razor
6277    DCC
24441   Pyzor

The most important part of this process is the inbound ports.

Other considerations you might bring to bear are:

  • allow free access to the loopback interface. Unlike external interfaces, binding your process to localhost is usually good for security, and therefore restricting access to the loopback interface causes more harm than benefit. This does leave you open to an attack from a local user, but that’s a risk you have to balance for yourself.
  • don’t restrict all Internet Control Message Protocol (ICMP) traffic. Allowing ICMP is critical for the Internet to work; routers and hosts use it to communicate critical information like service availability, packet sizes, and host existence. Types 3 and 4, Destination Unreachable and Source Quench, are critical, and restricting them may cause more harm than gain in the future.

Other Available Firewall Options

Firewall For cPanel Script

New versions of cPanel & WHM include the cpanel firewalld service, whose rules are defined in the /etc/firewalld/services/cpanel.xml file.

This allows TCP access for the server’s ports.

To replace your existing iptables rules with the rules in the /etc/firewalld/services/cpanel.xml file, perform the following steps:

  • run the yum install firewalld command to ensure that your system has firewalld installed.
  • run the systemctl start firewalld.service command to start the firewalld service.
  • run the systemctl enable firewalld command to start the firewalld service when the server starts.
  • run the iptables-save > backupfile command to save your existing firewall rules.
  • run the /usr/local/cpanel/scripts/configure_firewall_for_cpanel script. This also clears all existing entries from the iptables application.
  • run the iptables-restore < backupfile command to incorporate your old firewall rules into the new firewall rules file.

By default, firewall-cmd commands apply to the runtime configuration, but adding the --permanent flag establishes a persistent configuration.

So if you need to add additional ports, add the rule (port or service) to both the permanent and runtime sets, as in these examples:

# each rule once with --permanent (survives reloads/reboots) and once without (takes effect now)
sudo firewall-cmd --zone=public --permanent --add-port=45000/tcp
sudo firewall-cmd --zone=public --add-port=45000/tcp
sudo firewall-cmd --zone=public --permanent --add-service=ssh
sudo firewall-cmd --zone=public --add-service=ssh
sudo firewall-cmd --zone=public --permanent --add-service=http
sudo firewall-cmd --zone=public --add-service=http
sudo firewall-cmd --zone=public --permanent --add-service=https
sudo firewall-cmd --zone=public --add-service=https
sudo firewall-cmd --reload


Firewalld

Every server that runs the CentOS 7, CloudLinux 7 or RHEL 7 operating system will have the firewalld daemon pre-installed but often inactive.

FirewallD is a firewall service daemon.

It replaces the iptables interface and connects to the netfilter kernel code.

Being dynamic, it enables creating, changing, and deleting the rules without the necessity to restart the firewall daemon each time the rules are changed.

Firewalld uses the concepts of zones and services, which simplify traffic management.

Zones are predefined sets of rules.

Network interfaces and sources can be assigned to a zone.

The traffic allowed depends on the network your computer is connected to and the security level this network is assigned.

Firewall services are predefined rules that cover all necessary settings to allow incoming traffic for a specific service and they apply within a zone.

To check Firewalld status, type:

systemctl status firewalld

or

firewall-cmd --state

To start the service and enable FirewallD on boot:

sudo systemctl start firewalld

sudo systemctl enable firewalld

To stop and disable it:

sudo systemctl stop firewalld

sudo systemctl disable firewalld

To view the default available services:

sudo firewall-cmd --get-services

Configuration files are located in two directories:

  • /usr/lib/firewalld holds default configurations like default zones and common services. Avoid updating them because those files will be overwritten by each firewalld package update.
  • /etc/firewalld holds system configuration files. These files override the default configuration.

You can read more at:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using_firewalls#sec-Introduction_to_firewalld
https://firewalld.org/
https://fedoraproject.org/wiki/FirewallD
https://www.unix.com/man-page/centos/1/firewall-cmd/

CSF

ConfigServer Security & Firewall (CSF) is a free, well-trusted Stateful Packet Inspection (SPI) firewall and login/intrusion detection system for Linux servers, and probably one of the easiest tools that you can use to protect your cPanel server.

It has native integration with cPanel/WHM, DirectAdmin and Webmin with a front-end to both CSF and LFD (Login Failure Daemon) that is accessible by the root account.

From this interface, you can modify the configuration files and stop, start and restart the applications and check their status.

This makes configuring and managing the firewall very simple indeed.

CSF installation for cPanel and DirectAdmin is preconfigured to work on those servers with all the standard ports open.

It auto-configures your SSH port on installation where it’s running on a non-standard port.

CSF auto-whitelists your connected IP address where possible on installation.

To install CSF, run the following commands as the root user:

cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf && ./install.sh

To configure CSF, visit WHM’s ConfigServer & Firewall interface at (Home >> Plugins >> ConfigServer & Firewall).

Please note that it is not really advisable to run multiple firewalls on one system.

This rule though is not applicable to Imunify360 since it is possible to run and enable CSF when Imunify360 is already running.

All IP addresses from Imunify360 White List will be exported to CSF ignore list.

If you have Imunify360 installed and then install CSF, Imunify360 switches to CSF Integration mode.

To check if CSF integration is enabled, go to Imunify360 >> Firewall tab >> White List section and check whether there is a warning message “CSF is enabled. Please manage IPs whitelisted in CSF using CSF user interface or config file“.

This means that the CSF and Imunify360 integration was processed successfully.

If you are using CSF alone, it is often better to use it along with ConfigServer ModSecurity Control (CMC) which provides you with an interface to the cPanel mod_security implementation from within WHM.

With ConfigServer ModSecurity Control you can:

  • disable mod_security rules that have unique ID numbers on a global, per cPanel user or per hosted domain level
  • disable mod_security entirely, also on a global, per cPanel user or per hosted domain level
  • edit files containing mod_security configuration settings in /usr/local/apache/conf
  • view the latest mod_security log entries

To read about how Imunify360 works with ConfigServer Security & Firewall (CSF), visit https://docs.imunify360.com/ids_integration/#csf-integration.

To read how to configure CSF with all its available options, visit https://download.configserver.com/csf/readme.txt.

To see how to install ConfigServer ModSecurity Control, visit https://download.configserver.com/cmc/INSTALL.txt

APF

APF acts as a front-end interface for the iptables application and allows you to open or close ports without the use of the iptables syntax.

The following example includes two rules that you can add to the /etc/apf/conf.apf file in order to allow HTTP and HTTPS access to your system:

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="80,443"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="80"

Fail2ban

Fail2ban is an intrusion prevention software and log-parsing application that monitors system logs for symptoms of an automated attack on your cPanel server.

When an attempted compromise is located, using the defined parameters, Fail2ban will add a new rule to iptables to block the IP address of the attacker, either for a set amount of time or permanently.

Fail2ban can also alert you through email that an attack is occurring.

It isn’t the most obvious choice for a cPanel server, since its function is primarily focused on SSH attacks and what it does is almost the same as cPHulk Brute Force Protection.

cPHulk is included as part of all cPanel & WHM installations and can be used to monitor and block all login attempts made to cPanel, WHM, FTP, email, and SSH.

It provides administrators with a variety of ways to combat brute force attacks both automatically and manually, and cPHulk can even be used to block malicious IP addresses in your firewall.

Blocks of malicious logins can be issued in different durations from a temporary ban to a one-day or even permanent ban.

The highly configurable cPHulk system allows for a great deal of control.

You can specify the number of failed login attempts before an IP address is blocked, define additional actions to execute upon triggering of an automatic block, and even enable notifications to server administrators as specific events occur.

But you can also use Fail2ban and configure it to work for any service that uses log files and could be subject to compromise.

Ensure your system is up to date and install the EPEL repository:

yum update && yum install epel-release

Install Fail2Ban:

yum install fail2ban

Start and enable Fail2ban:

systemctl start fail2ban
systemctl enable fail2ban

If you see the error “no directory /var/run/fail2ban to contain the socket file /var/run/fail2ban/fail2ban.sock”, create the directory manually:

mkdir /var/run/fail2ban

Fail2ban reads .conf configuration files first, then .local files override any settings.

Because of this, all changes to the configuration are generally done in .local files, leaving the .conf files untouched.

Configure fail2ban.local

fail2ban.conf contains the default configuration profile.

The default settings will give you a reasonable working setup.

If you want to make any changes, it’s best to do it in a separate file, fail2ban.local, which overrides fail2ban.conf.

Copy fail2ban.conf to fail2ban.local:

cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local

Configure jail.local Settings

The jail.conf file will enable Fail2ban for SSH by default for Debian and Ubuntu, but not CentOS.

All other protocols and configurations (HTTP, FTP, etc.) are commented out. If you want to change this, create a jail.local for editing:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Since we are using CentOS, you will need to change the backend option in jail.local from auto to systemd.

sudo systemctl restart fail2ban
sudo systemctl enable fail2ban
sudo systemctl status -l fail2ban

To learn more about Fail2ban, here are the documentation and manual:

FAQ: https://www.fail2ban.org/wiki/index.php/FAQ
HOWTO: https://www.fail2ban.org/wiki/index.php/HOWTOs
Official Fail2ban Documentation: https://www.fail2ban.org/wiki/index.php/Manual
Fail2ban Configuration: https://www.fail2ban.org/wiki/index.php/Category:Configuration
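
As an added example (not from Fail2ban or this article), here is a small Python simulation of the decision Fail2ban makes for its sshd jail: an IP with maxretry failures inside findtime seconds is banned for bantime seconds, and failures arriving while the ban is active are ignored because the firewall rule drops them. The sshd log lines are constructed sample data, the year is an assumption (syslog stamps carry none), and the regex is a simplified stand-in for Fail2ban's real sshd filter.

```python
"""Simulate Fail2ban's maxretry / findtime / bantime decision over sshd log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for Fail2ban's sshd filter (the real one matches many more
# message variants). Captures the syslog timestamp and the client IP address.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log; client addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar 12 10:00:01 cpanel sshd[2111]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 12 10:00:07 cpanel sshd[2113]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 12 10:00:14 cpanel sshd[2115]: Failed password for invalid user test from 203.0.113.5 port 51251 ssh2
Mar 12 10:00:20 cpanel sshd[2117]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 12 10:00:25 cpanel sshd[2119]: Failed password for invalid user oracle from 203.0.113.5 port 51260 ssh2
Mar 12 10:00:31 cpanel sshd[2121]: Failed password for root from 203.0.113.5 port 51266 ssh2
Mar 12 10:00:40 cpanel sshd[2123]: Failed password for root from 203.0.113.5 port 51270 ssh2
Mar 12 10:00:50 cpanel sshd[2125]: Failed password for root from 127.0.0.1 port 33000 ssh2
Mar 12 10:09:00 cpanel sshd[2131]: Failed password for root from 198.51.100.7 port 40015 ssh2
Mar 12 10:15:00 cpanel sshd[2140]: Accepted publickey for deploy from 192.0.2.10 port 40500 ssh2
Mar 12 10:21:00 cpanel sshd[2152]: Failed password for root from 198.51.100.7 port 40022 ssh2
"""


def parse_time(stamp, year=2023):
    """syslog timestamps carry no year; Fail2ban assumes the current one (assumed 2023 here)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def simulate(log_lines, maxretry=5, findtime=600, bantime=3600, ignoreip=("127.0.0.1",)):
    """Return [(ip, banned_at, unban_at)] in the order the bans would be issued.

    maxretry, findtime and bantime have the same meaning as the Fail2ban jail
    options of those names; ignoreip mirrors the jail's ignoreip list.
    """
    window = defaultdict(deque)   # ip -> timestamps of failures still inside findtime
    banned_until = {}             # ip -> datetime at which its ban expires
    bans = []
    for line in log_lines:
        m = FAILED_RE.match(line)
        if not m or m.group("ip") in ignoreip:
            continue              # not a login failure, or an ignored address
        ip, ts = m.group("ip"), parse_time(m.group("ts"))
        if ip in banned_until and ts < banned_until[ip]:
            continue              # already banned: the iptables rule drops this traffic
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()           # forget failures older than findtime
        if len(q) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts, banned_until[ip]))
            q.clear()
    return bans


if __name__ == "__main__":
    for ip, start, end in simulate(SAMPLE_LOG.splitlines()):
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

With the defaults only 203.0.113.5 is banned; lowering findtime or raising it to an hour changes whether the slow, spread-out failures from 198.51.100.7 also trigger a ban, which is the trade-off to think about when tuning a jail.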

Checking Your cPanel Ports

For a Linux instance, follow these steps to verify which ports the server is listening on and whether that matches your security group rule:

Connect to a Linux instance by using a password.

Then, run the following command:

sudo netstat -plunt

To check whether TCP port 80 (replace “80” with any port) is being listened on:

sudo netstat -an | grep 80
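A caveat on the grep above: `grep 80` also matches 8080, 1800, the client side of ESTABLISHED connections and UDP sockets, so it cannot tell you whether TCP 80 is actually being served. The helpers below are an added example (not from the original post) that read a netstat -plunt or ss -ltn listing on stdin and anchor on the local-address column; the sample listings are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post). Reads a 'netstat -plunt' or
# 'ss -ltn' listing on stdin and answers the narrower question "is a TCP
# socket LISTENING on port N?". Live use:  sudo netstat -plunt | tcp_listening 80

# Constructed sample of 'netstat -plunt' output (not captured from a real host)
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      1440/node
tcp        0      0 10.0.0.5:80             203.0.113.9:51234       ESTABLISHED 990/httpd
tcp6       0      0 :::2083                 :::*                    LISTEN      1100/cpsrvd
udp        0      0 0.0.0.0:80              0.0.0.0:*                           -'

# Constructed sample of 'ss -ltn' output; the same helpers work on it
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       511     [::]:443            [::]:*'

# listening_ports: for every TCP line in LISTEN state print the port of the
# first addr:port field (the local address); handles 0.0.0.0:80, :::80,
# [::]:80 and *:80, and skips headers, UDP and ESTABLISHED lines
listening_ports() {
  awk '(tolower($1) ~ /^tcp/ || $1 == "LISTEN") && /LISTEN/ {
         for (i = 1; i <= NF; i++)
           if ($i ~ /:[0-9]+$/) { sub(/.*:/, "", $i); print $i; break }
       }' | sort -un
}

# tcp_listening PORT: exit 0 if a TCP socket is listening on exactly PORT
tcp_listening() {
  listening_ports | grep -qx "$1"
}

# unexpected_ports PORT...: print listening ports that are not on the allow
# list given as arguments (exit 0 when at least one was printed), which is
# the review you actually want after the netstat step
unexpected_ports() {
  allow=$(printf '%s\n' "$@")
  listening_ports | grep -vxF -e "$allow"
}
```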

You can also use nmap, which is probably the most commonly used network mapper in the infosec world.

Nmap can be used to:

  • create a complete computer network map.
  • find remote IP addresses of any hosts.
  • get the OS system and software details.
  • detect open ports on local and remote systems.
  • audit server security standards.
  • find vulnerabilities on remote and local hosts.

You should run nmap ONLY on servers that you own or in situations where you’ve notified the owners.

The reason is that while you, as a network administrator, might be using nmap to look for possible vulnerabilities in order to prevent such attacks, your actions can be interpreted as “malicious cracking attempts”, and most security tools and cloud providers frown on this.

To install nmap on CentOS:

sudo yum install nmap

To install nmap on Red Hat Enterprise Linux 8 execute the following dnf command:

sudo dnf install nmap

To install nmap on an Ubuntu or Debian machine, enter:

sudo apt-get update
sudo apt-get install nmap

Use the --version option to check the installed nmap version and that the installation actually works. For example:

nmap --version

Basic Nmap Scan against IP or host

nmap 1.1.1.1

Now, if you want to scan a hostname, simply replace the IP for the host, as you see below:

nmap cloudflare.com

These kinds of basic scans are perfect for your first steps when starting with Nmap.

Scan specific ports or scan entire port ranges on a local or remote server

nmap -p 1-65535 localhost

In this example, we scanned all 65535 ports for the localhost.

IntelliJ IDEA Gives Developers Ability To Use Custom Themes

Developers using the IntelliJ IDEA can now design their own themes and add color to their IDEs.

IntelliJ IDEA is a Java integrated development environment (IDE) for developing computer software developed by JetBrains (formerly known as IntelliJ), and available as an Apache 2 Licensed community edition and in a proprietary commercial edition.

Being able to customize the theme has been one of the most sought-after requests, and now you can tweak the entire IDE appearance, including icon colors, radio buttons, arrows, the color scheme, and everything else you can think of.

The team behind the product has created a few brand new themes to get you started which you can download by visiting https://plugins.jetbrains.com/ or selecting it as your new Theme in the Appearance settings.

To do that:

  1. Go to Settings/Preferences | Plugins and install Dark Purple theme plugin.
  2. Restart the IDE.
  3. Go to Settings/Preferences | Appearance & Behavior
  4. Select the theme you want from the drop-down list of the theme options.

You can read a detailed tutorial about how to create your own custom Theme, or the blog post about creating custom themes for the IntelliJ Platform.

CKEditor 5 v12.0.0 is now out.

This latest release features a new CKEditor 5 inspector tool that developers can use to inspect the model, tree structures, the list of commands, and more.

It also comes with distraction-free writing, inline widgets and various other updates, which you can read about in the CKEditor post.

Node v11.11.0 is out.

It implements napi_create_date() as well as napi_is_date() to allow developers to work with JavaScript Date objects.

You can see the change log here.

Ruby 2.5.5 is now available.

This latest release includes a bug fix for the deadlock in the multi-thread+multi-process applications.

This past week, Ruby also released a series of security updates fixing vulnerabilities in RubyGems, as well as issues in ActionView and Rails Development Mode.

Unlimited Hosting As In Web Hosting Explained

Peeling back the myth behind unlimited bandwidth and unlimited hosting in the web hosting industry

When you are looking for a web hosting service to use, you will often come across words such as “unlimited bandwidth” or “unlimited disk space”.

But what is unlimited hosting?

Unlimited web hosting is a web hosting package designed to provide a web hosting customer a way to host his or her website without the system suspending or terminating the account for excessive resource usages.

Why write about this?

Well, our sales team sometimes gets asked by potential customers how we can stay in business while offering unmetered disk space and bandwidth, and anti-malware, backups, and other features for free.

We have also come across blog posts telling customers to treat this as a red flag and a sign that a web host should not be trusted.

To us, the latter is something we must address, as we believe it does a great disservice to new website owners who simply want the best web hosting deal they can get for their website.

For most seasoned website administrators, the following points are part of the decision process when deciding the best hosting package to use:

  • daily traffic to the website
  • resources (bandwidth mostly) that will be needed for traffic spikes
  • the level of technical support & expertise needed
  • security requirements for the website
  • speed and performance (often determined by the amount of RAM & CPU)
  • and of course, the monthly budget

This is not information that a new website admin will readily have at his or her disposal.

So coming across a hosting plan that takes away the burden of this decision from him or her, is helpful in every conceivable way.

Actually, the concept of “unlimited hosting” is relatively new to the web hosting industry.

Not long ago (that is, before the advent of cloud computing and cloud hosting), web hosting packages were mostly determined by two things:

  • the amount of disk space or web space per month
  • the amount of egress bandwidth you are allowed monthly

This changed a lot with the advent of the cloud and drastically changed the market dynamics.

For web hosting companies that embraced the public cloud, such a move brought with it faster innovation, flexible resources, and economies of scale.

On-demand computing lets you pay for computing capacity by the hour or second (minimum of 60 seconds) with no long-term commitments.

This frees companies (web hosting companies included) from the costs and complexities of planning, purchasing, and maintaining hardware.

It also transformed what are commonly large fixed costs into much smaller variable costs.

Instead of buying hardware and software and setting up and running on-site datacenters, which often leads to over-capacity planning, embracing the cloud means starting off with the right amount of computing power, storage, and bandwidth.

These can be scaled up if and when needed, and from the right geographic location.

So what does this have to do with “unlimited hosting”, and how does a web host stay in business?

The fact is that most hosting companies offering the unlimited web hosting option operate on the assumption that most users on a system will not use all the resources (disk space & bandwidth) that their hosting package has access to.

If every tenant on a shared web server insisted on or tried to use all the “unlimited” resources, the web host would simply go out of business … fast.

A typical website with approximately 667 visitors per day and with each visitor visiting 5 web-pages with an average size of 2MB will probably need about 5GB of bandwidth per month to function effectively.

And this is even on the high end, since most PHP websites online are WordPress sites, which may need just 20% of the above to stay online.

So as you can see, it is possible to sustain the unlimited data space and unlimited bandwidth offering.

Seeing “unlimited disk space” or “unlimited bandwidth” on a hosting pricing box or table is not a marketing ploy and shouldn’t dissuade you from using the web host, especially if this goes hand-in-hand with a great hosting platform and support.

For instance, on the Web Hosting Magic infrastructure, instead of having 9-12 hosting packages, we decided to differentiate our web hosting packages by the amount of RAM and CPU each has access to.

To us, it was a great way to make our hosting packages easy to choose for those who may not know exactly the kind of resources their website might need.

At this stage, you may be wondering what might be the best hosting plan for your website.

The fact is that this depends on the kind of website you are trying to host online.

But on average, a good web hosting plan is one that:

  • offers enough storage space & bandwidth for your web pages, applications, and additional files
  • is scalable enough to meet any traffic surge & for the future growth
  • satisfies the system requirements of your web software
  • gives you the right balance between control and ease-of-use
  • is reliable enough that your site is 99.5% up and running at any given time

The general rule of thumb is that if you have a site with low or medium traffic, just go for any hosting package as long as these conditions above are met.

As your needs grow, a good web hosting package will be able to accommodate that growth, since it must be capable of allowing you to scale up the resources whenever required.

A really good and legit web hosting company (not a hosting reseller that is offering web hosting from his or her own resources) will always be able to offer this unlimited hosting option without much of an issue to the company’s bottom line.

So if you are lucky enough to come across a web host that offers these resources as “unlimited”, it is an opportunity you should grab at once before the dynamics change.

Webmail: Using GSuite MX Records With cPanel

Webmail allows you to access your email accounts through any browser & here is how to edit your MX in cPanel when you want to use Google’s GSuite MX records.

A mail exchanger (MX) entry is like a zip code that determines which mail server receives emails for your domain name.

While you may be able to send emails without an MX record configured for your domain name, you will not be able to receive emails without it, or if it points to the wrong location.

Changes you make to a domain’s MX (Mail Exchanger) records specify where the system delivers email for that domain.

An MX record will typically consist of two parts: priority and domain name.

For example, depending on which company is hosting your email, yours might be:

0 mail.domain_name.com OR 0 domain_name.com

‘0’ is the priority or preference.

The lower the number, the higher is the priority.

The “mail.domain_name.com” or “domain_name.com” part is the mail server to which sending servers connect.

Outgoing email servers connect to the MX servers in order of priority.

If you use more than one MX record and they have the same priority, a sending server picks one of them at random.

If you have two MX records with different priorities, the server with the higher preference number will be contacted only if the servers with the lower preference number are unavailable (this is typically used for backup mail servers).

What is Webmail?

Part of the DNS records that cPanel automatically creates when a new cPanel hosting account is provisioned is what is known as MX record.

Each hosting account also gets a cPanel Webmail.

Webmail allows you to access your email accounts through any browser.

You can use cPanel Webmail to check your email by navigating to https://domain_name.com:2096, or https://webmail.domain_name.com where domain_name.com represents your email address’s domain.

To access Webmail via the cPanel interface, navigate to cPanel’s Email Accounts interface (cPanel >> Home >> Email >> Email Accounts).

Then, in the Email Accounts tab, locate the email account in the list and click Access Webmail.

The Webmail interface will open in a new browser tab.

What Is GSuite?

GSuite is Google’s set of productivity and collaboration tools, comprising Gmail, Hangouts, Calendar, and Drive for storage; and Docs, Sheets, Slides, Forms, and Sites for collaboration.

As part of G Suite, Gmail comes with features designed for business use, including email addresses with the customer’s domain name (@domain_name.com) and support for third-party apps/add-ons from the G Suite Marketplace.

Sometimes our enterprise cPanel customers with a GSuite account prefer Google’s mail infrastructure to the Webmail that comes with a new cPanel hosting account.

For privacy-minded individuals, though, using GSuite means that you are trusting Google completely when it states that “we do not collect, scan or use your G Suite data for advertising purposes and do not display ads in G Suite, Education, or Government core services”.

You might want to weigh this with the benefits that this will give you or your organization if you opt to go with GSuite.

How To Use GSuite MX Records With cPanel Webmail

Before you start, you must make sure that you have secured a GSuite account.

You can do this by visiting https://gsuite.google.com.

As the administrator for your G Suite account, you manage all your G Suite services, settings, and users.

Once your account is ready, sign in to your Google Admin console and follow the setup steps.

Click on Domains.

This is the place where you manage your domains and add/remove domains you trust to your GSuite account.

Add a new domain, or click on the domain whose MX records you wish to change.

Google will give you a new set of MX records that you’ll need to add that will look like this:

MX server address          Priority
ASPMX.L.GOOGLE.COM.        1
ALT1.ASPMX.L.GOOGLE.COM.   5
ALT2.ASPMX.L.GOOGLE.COM.   5
ALT3.ASPMX.L.GOOGLE.COM.   10
ALT4.ASPMX.L.GOOGLE.COM.   10

These are the G Suite mail servers and include multiple servers in case one fails or requires maintenance.

To edit your server’s MX entries, perform the following steps:

Log back into cPanel and visit Domains >> Zone Editor.

From the Choose a Domain to Edit menu, select the name of the domain you have added to GSuite for which you wish to configure MX entries.

Click Edit.

A new interface will appear.

Once the Zone Editor has listed the DNS records, find the one that says:

domain_name.com. MX 0 domain_name.com. 

While Google may ask you to delete this record, doing that might disrupt your domain’s ability to receive emails.

It might be better to do this after adding all Google’s MX records and confirming that they have been added correctly before deleting it.

To add the new set of MX records that you got from Google, click Add an MX Record to open the dialog box.

In the Priority text box, type a priority.

For example, to add the first line:

Type in “1”.

Then add the “MX server address” as:

aspmx.l.google.com.

Repeat the same for the other four (4) remaining records.

If you make a mistake after adding a record, you can correct it by clicking Edit.

Email Routing In cPanel

Login to cPanel and visit Email >> Email Routing.

This interface allows you to configure how the system routes a domain’s incoming mail.

To configure how your server routes mail for a domain, perform the following steps:

Select the desired domain from the menu.

Select “Automatically Detect Configuration” as the Email Routing setting that you wish to use.

Enter the desired settings for each MX entry in the MX Entries section.

Click Change.

cPanel will modify the MX record.

Once this is completed, visit https://developers.google.com/speed/public-dns/cache.

At this URL, you can flush Google Public DNS’s cached records for that domain.

This helps speed up propagation.

Return to the G Suite Setup Wizard.

Click through any confirming steps in the wizard.

Click “I have completed these steps” to tell Google to look for your new MX records.

Congratulations!

Your business email for your domain is now directed to the G Suite mail servers.

Do note that the records may take several hours to update, so you might not immediately get new email messages in Gmail.

Until then, you’ll continue to receive messages at your old email provider if the previous settings are still in place.

If you see the MX records setup validation in progress message in the Admin console for more than a few hours, make sure you entered the MX address records and priorities correctly in the DNS records stored with your host.

If you still need help changing your MX records, contact G Suite support.

Post MX Edit Actions

We really suggest that you use the DomainKeys Identified Mail (DKIM) option to help prevent email spoofing on outgoing messages.

Email spoofing is when email content is changed to make the message appear from someone or somewhere other than the actual source.

Spoofing is a common unauthorized use of email, so some email servers require DKIM to prevent email spoofing.

DKIM adds a digital signature to the header of all outgoing messages, using a pair of keys, one private and one public, so that receivers can verify messages.

The private domain key signs the headers of all outgoing messages sent from your Gmail domain.

A matching public key is published in the Domain Name System (DNS) records for your Gmail domain. Email servers that receive messages from your domain use the public key to check the signature and verify the message source.

That same check confirms that the message was not changed after it was signed.

To do that, log back into your GSuite Admin.

Click Apps, then GSuite.

Select Gmail from the list available apps.

Scroll down until you see “Authenticate email“.

Select the domain that will use the DKIM (DomainKeys Identified Mail) protocol for authenticating outgoing emails.

Generate the domain key for your domain.

This will be named something like “google._domainkey“.

Add the public key as a “TXT” record in cPanel’s Zone Editor, and also wherever else your domain’s DNS records are hosted.

Email servers use this key to verify the DKIM headers on your messages.

Turn on DKIM signing to start adding a DKIM signature to all outgoing messages.

It might take up to 48 hours for DNS changes to fully propagate.

Check Email Deliverability

One of the best features that cPanel 78 came with is the ability

This interface, found at cPanel >> Home >> Email >> Email Deliverability, helps cPanel users identify problems with the mail-related DNS records for one or more of their domains.

The system uses these records to verify that other servers can trust it as a sender.

It is advisable to use this to verify that everything about your mail DNS records is good and fully functional.

Troubleshooting MX Records

If you notice that you are having issues with receiving emails or not entirely sure if you have gotten this right, follow the steps within Troubleshoot MX records to fix your DNS setup.

You can also use browser-based tools such as https://mxtoolbox.com.

If you are on Mac OS X, click Applications, Utilities, and select Terminal.

You can also pull this up by using “Command-Space” bar and search for “Terminal“.

Run a simple “dig” command:

dig domain_name.com OR dig MX domain_name.com

If you are on Linux, open a terminal window.

At the command prompt, type one of the following commands. Replace domain_name.com with the domain that you want to test:

$ host -t MX domain_name.com
$ dig -t mx domain_name.com

If you are on Windows:

Go to Start > Run and type cmd.

At a command prompt, type nslookup domain_name.com,

where domain_name.com is the name of your domain, and then press Enter.

The MX record for the domain you entered should be displayed.

If the MX record is not displayed, DNS is not configured properly.

You can also simply type:

$ nslookup -q=MX DOMAIN_NAME
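To turn the lookup above into a check of the G Suite setup, the script below, an added example that is not part of the original post, reads the MX answer in the “priority host” form that `dig +short MX domain_name.com` prints, compares it with the five Google records listed earlier, and shows the order in which sending servers will try the hosts (lowest priority first, as explained in the MX record section). The sample answer in the test is constructed; the only assumption is the G Suite record set from the table above.

```shell
#!/bin/sh
# Added example (not from the original post). Live use:
#   dig +short MX domain_name.com | check_gsuite_mx
# It reports records that are missing, records that should no longer be there
# (such as the original cPanel '0 domain_name.com.' entry once the Google set
# is confirmed) and exits 0 only when the zone holds exactly the G Suite set.

# The five G Suite MX records from the table above
GSUITE_MX='1 aspmx.l.google.com.
5 alt1.aspmx.l.google.com.
5 alt2.aspmx.l.google.com.
10 alt3.aspmx.l.google.com.
10 alt4.aspmx.l.google.com.'

# normalize_mx: lower-case the host, make it fully qualified with a trailing
# dot, drop anything that is not "priority host", print "priority host"
normalize_mx() {
  tr 'A-Z' 'a-z' | awk 'NF == 2 && $1 ~ /^[0-9]+$/ {
    h = $2; if (h !~ /\.$/) h = h "."; print $1, h }'
}

# delivery_order: same input, printed in the order a sending server tries the
# hosts: lowest priority number first, equal priorities are interchangeable
delivery_order() {
  normalize_mx | sort -k1,1n -k2,2
}

check_gsuite_mx() {
  actual=$(mktemp); expected=$(mktemp)
  normalize_mx | sort > "$actual"
  printf '%s\n' "$GSUITE_MX" | normalize_mx | sort > "$expected"
  missing=$(comm -23 "$expected" "$actual")   # in Google's list, not in DNS
  extra=$(comm -13 "$expected" "$actual")     # in DNS, not in Google's list
  rm -f "$actual" "$expected"
  rc=0
  if [ -n "$missing" ]; then printf 'MISSING (add in Zone Editor):\n%s\n' "$missing"; rc=1; fi
  if [ -n "$extra" ]; then printf 'EXTRA (remove once the Google records are confirmed):\n%s\n' "$extra"; rc=1; fi
  [ "$rc" -eq 0 ] && echo 'OK: MX records match the G Suite set'
  return "$rc"
}
```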

Looking to host your email and be able to send professional email from your business web address like sales@yourcompany.com?

Web Hosting Magic offers cPanel Webmail with an SLA of 99.9% guaranteed uptime and security options like 2-step verification, PGP and TLS.

Our pricing is also really affordable.