June 10, 2014

Multi-domain SSL

Filed under: Miscellaneous — Bella @ 2:04 am

In this article, let's see what a multi-domain SSL certificate is, how to generate a CSR for one, and how to install it for several domains on a cPanel server.

What is Multi-domain SSL:

A multi-domain certificate (also known as a SAN certificate or Unified Communications Certificate (UCC)) is a special type of SSL certificate. With a multi-domain certificate you can secure one domain name under several extensions (e.g. domain.co.uk and domain.es) or several unrelated domain names (e.g. domain.co.uk and example.com) hosted on the same server with a single certificate.

Multi-domain certificates carry the standard Subject field, whose Common Name (CN) holds a single primary host name, plus a Subject Alternative Name (SAN) extension that lists the additional host names. Clients that find a SAN extension match the requested host name against that list and ignore the CN (RFC 6125), so the primary name must appear in the SAN list as well as in the CN.

How to generate SubjectAltName (SAN/UCC) CSR :

Generating a CSR for a multi-domain certificate requires:

  • modifying the OpenSSL configuration file to supply the extra names
  • generating the CSR with that modified configuration file

>> Modifying the openssl configuration file

1. Make a backup copy of your original openssl.cnf file.

2. Open the configuration file /etc/pki/tls/openssl.cnf (the RHEL/CentOS path; Debian-based systems keep it at /etc/ssl/openssl.cnf). Editing the system-wide file changes every CSR generated on the server afterwards, so for a one-off it is cleaner to edit a copy and point openssl at it with -config, which is what the command further below does.

2.a) enable the extensions:

[req]
req_extensions = v3_req
(In the req section, this line should already exist, but be commented out. If it stays commented out, the SAN section is silently ignored and the CSR carries no alternative names at all.)

2.b) Add an entry in the v3_req section to collect the alternative names.

Edit the file and add under [v3_req] :

subjectAltName="DNS:www.domain1.com,DNS:www.domain2.com,DNS:www.domain3.com"

OR

Edit as :

[ v3_req ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.domain1.com
DNS.2 = www.domain2.com
DNS.3 = www.domain3.com

Set the alt_names entries to the FQDNs you wish to cover, including the primary name that will also be the CN (www.domain1.com in this example); if you need more, add "DNS.4 = otherdomain.com" and so on.
Once you have done that, save the file and run openssl.

>> Generate a CSR based on the current configuration file

We can generate the CSR from the new OpenSSL configuration file as below:

#openssl req -new -nodes -newkey rsa:2048 -keyout privkey.pem -out myreq.csr -config openssl.cnf

When you run the command, it asks a series of questions (Country Name, Organization Name, Common Name and so on) in order to build the CSR; enter the primary domain name as the Common Name. Once the command completes, we have "myreq.csr" and the matching private key "privkey.pem". Restrict the key file to root (chmod 600) and never send it anywhere; only the CSR is submitted to the CA. Passing -newkey rsa:2048 explicitly avoids the 1024-bit default_bits that older openssl.cnf files still carry. Before submitting, confirm that the SAN extension actually made it into the request; if req_extensions was left commented out, the CSR silently contains no alternative names.
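The whole procedure above, as an added example that is not from the original post: a shell script that writes the SAN configuration, generates the key and CSR with it, and then checks the CSR the way you should before it goes to the CA. The host names, organisation and country are placeholders, and the script works in a temporary directory so it never touches /etc/pki/tls/openssl.cnf; it also checks the caveat that the CN must itself appear in the SAN list.

```shell
#!/bin/sh
# Added example (not from the original post). Builds an OpenSSL config that carries a
# SAN list, generates a 2048-bit key plus CSR from it, and inspects the CSR the way you
# should before submitting it to a CA. Names, O and C below are placeholders.
set -eu

# Write an openssl.cnf for "openssl req -config". The first host name becomes the CN
# and is also listed as DNS.1, because clients that see a SAN extension ignore the CN.
write_san_cnf() {
    cnf=$1; shift
    primary=$1
    {
        printf '[ req ]\ndefault_bits = 2048\ndistinguished_name = req_dn\n'
        printf 'req_extensions = v3_req\nprompt = no\n\n'
        printf '[ req_dn ]\nC = US\nO = Example Org\nCN = %s\n\n' "$primary"
        printf '[ v3_req ]\nsubjectAltName = @alt_names\n\n[ alt_names ]\n'
        i=1
        for name in "$@"; do            # "$@" still includes the primary name
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cnf"
}

# Generate a fresh RSA key and the CSR; the key never leaves this machine.
gen_csr() {
    cnf=$1; key=$2; csr=$3
    openssl req -new -nodes -newkey rsa:2048 -keyout "$key" -out "$csr" \
        -config "$cnf" 2>/dev/null
    chmod 600 "$key"
}

# DNS names carried in the CSR's subjectAltName, space separated (empty if the
# extension is missing, e.g. because req_extensions was left commented out).
csr_sans() {
    openssl req -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr -d ' ' | tr ',' '\n' | sed 's/^DNS://' | xargs
}

# Common Name of the CSR subject.
csr_cn() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeeds only when the CN is also one of the SAN entries.
cn_in_sans() {
    cn=$(csr_cn "$1")
    for n in $(csr_sans "$1"); do
        [ "$n" = "$cn" ] && return 0
    done
    return 1
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
write_san_cnf "$WORK/openssl.cnf" www.domain1.com www.domain2.com www.domain3.com
gen_csr "$WORK/openssl.cnf" "$WORK/privkey.pem" "$WORK/myreq.csr"
echo "CN:  $(csr_cn "$WORK/myreq.csr")"
echo "SAN: $(csr_sans "$WORK/myreq.csr")"
if cn_in_sans "$WORK/myreq.csr"; then
    echo "OK: CN is covered by the SAN list"
else
    echo "WARNING: CN is missing from the SAN list; add it as DNS.1" >&2
fi
```

The csr_sans check is the one to run before every order: a CSR built with req_extensions still commented out looks identical on the command line but carries no SAN, and the CA will then issue only for what you typed into its order form.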

How to install the certificate on multiple domains:

Now we can purchase the certificate from any trusted provider by submitting the generated CSR. While ordering a multi-domain certificate, we will be asked for the primary domain name (www.domain1.com) and the Subject Alternative Names (www.domain2.com, www.domain3.com and so on). Many CAs take the name list from their order form rather than from the CSR, so enter the complete list there too, and compare the issued certificate against it before installing.

Once the multi-domain certificate is issued, we proceed with the normal procedure for installing an SSL certificate from cPanel/WHM, installing the same certificate, private key and CA bundle for each of the covered domains.

While multi-domain certificates are also useful for unified communications deployments, there are some caveats to their use:

  • Multi-domain certificates usually do not accept wildcard entries (some CAs sell this as an add-on). Sub-domain names therefore have to be added as individual entries in the certificate, and each time a name is added or removed the certificate must be reissued and re-deployed to every host that serves it.
  • Every listed name is visible to anyone who connects to any of the sites, so do not put internal or not-yet-announced host names into a public certificate.
  • One private key now protects all the listed sites; compromise of any one host exposes all of them.

With the shortage of IPv4 addresses, a UCC certificate is an attractive solution because it lets you serve several HTTPS domains from a single IP address. (Server Name Indication solves the same problem with separate certificates, but older clients such as browsers on Windows XP and Java 6 still lack it.)


May 13, 2014

Securing a WordPress installation

Filed under: General Topics,Miscellaneous — Bella @ 12:22 am

WordPress is the most popular blogging and CMS platform on the Internet, which makes it a favourite target for attackers. Running a WordPress site means taking some extra steps to protect your data and your visitors' data.

Here is a summary of best practices for securing WordPress that will help you do that.

  • Keep your WordPress site and plugins up-to-date
  • Protect your WordPress Admin Area
  • Don’t use the “admin” username
  • Securing wp-admin
  • Add a Unique Database Prefix and Authentication Keys
  • Hide your username from the author archive URL
  • Limit Login Attempts
  • Secure accessing via FTP
  • Wise selection of themes/plugins
  • Ensure your computer is free of viruses and malware
  • Monitoring
  • Keep a backup

>>> Keep your WordPress site and plugins up-to-date

It is really important to keep the WordPress core files and all of your plugins updated to their latest versions. Most new WordPress and plugin releases contain security fixes, and once a fix is published the vulnerability it closes is public too, so attackers scan for sites that have not applied it yet.
The latest version of WordPress is always available from the main WordPress website at http://wordpress.org. Official releases are not distributed through other sites; never download or install WordPress from any website other than http://wordpress.org.

Many hackers will intentionally target older versions of WordPress with known security issues, so keep an eye on your Dashboard notification area and don’t ignore those ‘Please update now’ messages.

>>> Protect your WordPress Admin Area

It is important to restrict access to your WordPress admin area to the people who actually need it.
If your site does not support registration or front-end content creation, your visitors should not be able to reach your /wp-admin/ folder or the wp-login.php file at all. If you connect from a fixed IP address, find out what it is and add these lines to the .htaccess file in your WordPress root directory (wp-login.php lives there, not in /wp-admin/), replacing xx.xxx.xxx.xxx with your address:

<Files wp-login.php>
order deny,allow
Deny from all
Allow from xx.xxx.xxx.xxx
</Files>

In case you want to allow access from multiple computers (office, home PC, laptop, and so on), add another "Allow from xx.xxx.xxx.xxx" line for each address. Two caveats: this only works where those locations have fixed IP addresses, and the Order/Deny/Allow directives are Apache 2.2 syntax; on Apache 2.4 they are only honoured when mod_access_compat is loaded, and the native form is a single "Require ip xx.xxx.xxx.xxx" line inside the same <Files> block. Note also that wp-login.php is not the only place credentials are accepted: xmlrpc.php takes a username and password too and is a common brute-force target, so restrict it the same way unless you need it.

>>> Don’t use the “admin” username

Most automated attacks assume that the administrator's username is "admin". Using a different name does not stop brute forcing, but it means the attacker has to guess the username as well as the password, which defeats the common scripts that only ever try "admin". If you're installing a new WordPress site, you choose the username during the installation process.

If you already have a WordPress site, follow the instructions below to change the admin username:
1. Open the WordPress MySQL database (in cPanel, use phpMyAdmin).
2. Choose the _users table of the WordPress database (wp_users unless you changed the table prefix).
3. You will see a list of all registered users on the site. Locate the admin user and click the Edit button on that row.
4. You will now see all the fields for this user. Locate the user_login field, replace its value "admin" with your new login name and hit the Go button at the bottom of the page. Note that user_nicename, the field WordPress shows in author archive URLs, is a separate column and keeps its old value (see below).

If you don't have database access via phpMyAdmin, create another administrator user, log in as that user and delete "admin", attributing its posts to the new account when WordPress asks.

>>> Securing wp-admin

Adding server-side password protection (such as HTTP Basic authentication) to /wp-admin/ adds a second layer around your blog's admin area, login screen and files, so an attacker or bot has to get past the web server's prompt before it ever reaches WordPress code. Basic authentication sends the credentials with every request, encoded but not encrypted, so use it over HTTPS, and pick a username/password pair different from your WordPress login.
Now let's see how to password protect the WordPress admin (wp-admin) directory.
If the account is hosted with cPanel as the control panel, proceed as follows:
1. Log in to cPanel. Scroll down to the Security section and click the "Password Protect Directories" icon.
2. A popup asks for the directory location. Choose web root, then navigate to the folder where your WordPress is installed and click the /wp-admin/ folder.
3. In the next screen, tick the box to password protect the directory and create a user for it. That is it.
Some themes and plugins call /wp-admin/admin-ajax.php from the public site; if front-end features stop working after this change, exempt that one file from the protection.

>>> Add a Unique Database Prefix and Authentication Keys

Leaving your wp-config.php with only the database settings and none of the other configuration is a security issue.
Make sure the eight authentication keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and the four matching _SALT values) are set to long random strings: they key the login and nonce cookies, so anyone who learns them can forge a logged-in cookie. Generate them by visiting https://api.wordpress.org/secret-key/1.1/salt/ and paste the randomly created definitions into the file. Changing them later invalidates every existing session, which is also a quick way to log everyone out after a compromise.

Note that you should also change the default wp_ database table prefix. This trips up attack scripts that hard-code table names such as wp_users, though it is obscurity only: anyone with SQL injection can read the real names from information_schema. Visit random.org (or use any random source; the prefix is not a secret) to generate a short string of letters and digits, set it as the $table_prefix in wp-config.php before running the installer, and make sure to add an underscore at the end of the prefix. Finally, keep wp-config.php readable only by the web server user (for example mode 640), since it holds the database password.
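An added example (not from the original post) that produces the same values locally: the table prefix and the eight keys/salts are drawn from the kernel's /dev/urandom instead of a web service, and the last two functions audit an existing wp-config.php for keys still left at the placeholder that wp-config-sample.php ships with and for the default prefix. The wp-config.php lines embedded at the top are constructed for that audit.

```shell
#!/bin/sh
# Added example (not from the original post). Generates a random table prefix and the
# eight WordPress keys/salts from /dev/urandom, and audits a wp-config.php for keys
# that still carry the placeholder from wp-config-sample.php.
set -eu

# Constructed wp-config.php fragment used by the audit below: two keys left at the
# sample placeholder, one filled in, default table prefix.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'Qz8vT2n!b@#kLm9pXr4sWy7uCd1eFg3hJk5lNo6qAs0dFg2hJk4lZx8cVb9nMq1w');
define('LOGGED_IN_KEY',    'put your unique phrase here');
$table_prefix  = 'wp_';
EOF

# Random string of length $1 over alphabet $2, read from the kernel CSPRNG.
# LC_ALL=C keeps tr byte-oriented so the ranges mean ASCII.
rand_str() {
    LC_ALL=C tr -dc "$2" < /dev/urandom | head -c "$1"
}

# Table prefix: letters and digits with a trailing underscore, the only characters
# WordPress accepts. It is not a secret, just a speed bump for scripted attacks.
gen_table_prefix() {
    printf 'wp%s_\n' "$(rand_str 6 'a-z0-9')"
}

# The eight constants wp_salt() reads, 64 characters each, as PHP define() lines.
# The alphabet avoids quotes and backslashes so the values are safe inside '...'.
gen_wp_salts() {
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        printf "define('%s', '%s');\n" "$k" "$(rand_str 64 'A-Za-z0-9!@#%^&*_=+')"
    done
}

# Names of keys/salts in a wp-config.php that are still set to the sample placeholder.
placeholder_salts() {
    grep -E "^define\('(AUTH|SECURE_AUTH|LOGGED_IN|NONCE)_(KEY|SALT)'" "$1" \
        | grep -F 'put your unique phrase here' \
        | sed -E "s/^define\('([A-Z_]+)'.*/\1/" || true
}

# Succeeds when the table prefix in a wp-config.php is still the default wp_.
default_prefix() {
    grep -Eq "^\\\$table_prefix[[:space:]]*=[[:space:]]*'wp_'" "$1"
}

echo "Suggested prefix: $(gen_table_prefix)"
gen_wp_salts
echo "Placeholder keys in sample config: $(placeholder_salts "$SAMPLE_CFG" | xargs)"
default_prefix "$SAMPLE_CFG" && echo "Sample config still uses the default wp_ prefix"
```

Run placeholder_salts against a live wp-config.php during a site review; a non-empty result means the cookie secrets are the public string from the sample file.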

>>> Hide your username from the author archive URL

Another way an attacker can discover your username is via the author archive pages on your site.

By default WordPress puts your username in the URL of your author archive page. For example, if your username is 'jess', your author archive page is something like http://yoursite.com/author/jess, and a request for http://yoursite.com/?author=1 redirects straight to it, so the names of all accounts can be enumerated simply by counting up the user ID.

This is less than ideal, for the same reasons explained above for the "admin" username, so it's a good idea to hide it by changing the user_nicename entry in your database as described below.
There is a field in your WordPress database called user_nicename, found in the wp_users table. It is populated with the login username when the user is created.

By changing user_nicename to something very different from the actual login username, it becomes harder for attackers to work out what the login username is.

For example, after changing user_nicename to "testuser", the URL of the user's author archive page becomes http://yoursite.com/author/testuser, and the actual login 'jess' is no longer revealed in the URL. The new value must be unique among users and URL-safe (lowercase letters, digits and hyphens).

Since user_nicename cannot be changed from the WordPress Dashboard, you have to make the change directly in the database. You need access to your WordPress database and the ability to modify data (for example, using phpMyAdmin). Changing it does not affect the display name shown on posts, which is a separate field.

>>> Limit Login Attempts

In case an attacker or a bot tries to brute-force your password, it is useful to limit the number of failed login attempts from a single IP address.

The Limit Login Attempts plugin does just that, letting you specify how many retries are allowed and how long an IP is locked out after too many failures. If the site sits behind a reverse proxy or CDN, make sure the plugin is set to read the real client address rather than the proxy's, otherwise every lockout lands on the proxy address and blocks all visitors at once.

There are ways around this, as some attackers spread their attempts over a large number of IP addresses, but it's still worth doing as an additional precaution.
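Both the author-archive leak and the login limiting above can be checked against the web server's access log. The following is an added example, not from the original post: it counts failed wp-login.php POSTs per address, lists the addresses over a lockout threshold, and flags /?author=N enumeration. The log lines are constructed for the example, with addresses from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example (not from the original post). Reads an Apache combined-format access
# log and reports wp-login.php brute forcing and /?author=N username enumeration.
# The log lines below are constructed; the addresses are RFC 5737 documentation ranges.
set -eu

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [13/May/2014:00:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [13/May/2014:00:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [13/May/2014:00:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [13/May/2014:00:01:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.7 - - [13/May/2014:00:02:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/2.2.1"
198.51.100.7 - - [13/May/2014:00:02:01 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "python-requests/2.2.1"
198.51.100.7 - - [13/May/2014:00:02:02 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "python-requests/2.2.1"
192.0.2.9 - - [13/May/2014:00:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.9 - - [13/May/2014:00:03:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [13/May/2014:00:03:06 +0000] "GET /wp-admin/ HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
EOF

# Failed logins per address, busiest first. A POST to wp-login.php answered with 200
# is a failure (the form is re-rendered); a successful login is a 302 to wp-admin.
failed_logins() {
    awk '$6 == "\"POST" && $7 == "/wp-login.php" && $9 == 200 { n[$1]++ }
         END { for (ip in n) print ip, n[ip] }' "$1" | sort -k2,2nr
}

# Addresses at or above the failure threshold: what Limit Login Attempts would lock out.
lockout_candidates() {
    failed_logins "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}

# /?author=N is answered with a redirect to /author/<user_nicename>/, so a sequence
# of them from one address is someone enumerating usernames. Counts per address.
author_probes() {
    awk '$7 ~ /^\/\?author=[0-9]+/ { n[$1]++ } END { for (ip in n) print ip, n[ip] }' "$1" \
        | sort -k2,2nr
}

echo "Failed logins per IP:";       failed_logins "$SAMPLE_LOG"
echo "Lockout candidates (>=3):";   lockout_candidates "$SAMPLE_LOG" 3
echo "Author enumeration per IP:";  author_probes "$SAMPLE_LOG"
```

Point the three functions at the real access log to confirm that a lockout plugin is actually catching what the log shows; the 200-versus-302 distinction is what separates failed attempts from the one successful login in the sample.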

>>> Secure accessing via FTP

When connecting to your server you should use SFTP if your web host provides it. If you are unsure whether your host offers SFTP, just ask them.

Using SFTP feels the same as FTP, but it runs over SSH, so your password, your files and everything else are encrypted between your computer and the server. This means your password is never sent in the clear and cannot be read by anyone sniffing the connection. Check the server's host key fingerprint against the value your host gives you the first time you connect; that check is what stops a man-in-the-middle from presenting a fake server.

>>> Wise selection of themes/plugins

First of all, make sure your plugins are always updated. Also, if you are not using a specific plugin, delete it from the system rather than just deactivating it: a deactivated plugin's files are still on disk and may still be reachable directly. Be wary of free themes picked up from random download sites.
The main reason for this is that such themes often contain obfuscated code (base64_encode/eval blobs) used to sneak spam links into your site, or other malicious code that can cause all sorts of problems.

If you really need a free theme, only use those developed by trusted theme companies or those available in the official WordPress.org theme repository.

Note: The same logic applies to plugins. Only use plugins listed on WordPress.org or built by a well-established developer, and check when they were last updated; an abandoned plugin will never receive security fixes.

There are also plenty of plugins you can use to tighten your site's security and reduce the likelihood of being hacked. Remember that a security plugin is itself code running with full privileges, so pick one, keep it updated, and do not stack several that overlap.

Here are a handful of popular options:

http://wordpress.org/plugins/better-wp-security/ – offers a wide range of security features.
http://wordpress.org/plugins/bulletproof-security/ – protects your site via .htaccess.
http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ – adds a firewall to your site.
http://wordpress.org/plugins/sucuri-scanner/ – scans your site for malware etc.
http://wordpress.org/plugins/wordfence/ – full-featured security plugin.
http://wordpress.org/plugins/websitedefender-wordpress-security/ – comprehensive security tool.
http://wordpress.org/plugins/exploit-scanner/ – searches your database for any suspicious code.

>>> Ensure your computer is free of viruses and malware

If your computer is infected with a virus or other malware, an attacker can capture your login details and log in to your site with valid credentials, bypassing all the measures you've taken so far.
This is why it is very important to keep an up-to-date antivirus program and a high overall level of security on every computer you use to access your WordPress site.

>>> Monitoring

Sometimes prevention is not enough and you may still be hacked. That's why intrusion detection and monitoring are very important: they let you react faster, find out what happened and recover your site.

An attack always leaves traces, either in the logs or on the file system (new files, modified files, changed permissions, new administrator users in the database).
If the attacker defaces your site or plants malware, you can also detect the changes with a file integrity check that compares your files against a known-good copy (WP-CLI's wp core verify-checksums does this for the core files), or with a web-based integrity monitoring service.
Such services come in many forms today; use your favourite search engine and look for Web Malware Detection and Remediation and you'll get a long list of providers.

>>> Keep a backup

Back up your data regularly, including your MySQL databases, keep the copies somewhere other than the web server itself, and test that you can actually restore from them.
Even with the best security measures in place, you never know when something unexpected could leave your site open to attack.

It is important to mention that these measures don't guarantee 100% protection against hacking attempts, mostly because a 100% secure website doesn't exist, but they will protect you against the majority of attacks.


Installation Of PECL_HTTP extension from source code in custom PHP in Cloudlinux

Filed under: General Topics,Server Tweaking — Bella @ 12:17 am


Suppose that your Linux server has CloudLinux's PHP Selector installed and configured.

The alternative PHP 5.x versions used by PHP Selector load /opt/alt/php5x/etc/php.ini and scan /opt/alt/php5x/etc/php.d for modules:

====
Configuration File (php.ini) Path /opt/alt/php5x/etc
Loaded Configuration File /opt/alt/php5x/etc/php.ini
Scan this dir for additional .ini files /opt/alt/php5x/etc/php.d
additional .ini files parsed /opt/alt/php5x/etc/php.d/alt_php.ini
====
Those are default locations for alt-php.

Steps for installing the pecl_http package on a CloudLinux server:

1. Download the pecl_http package from the PECL website http://pecl.php.net/package/pecl_http. Note that pecl_http 2.x depends on the propro and raphf extensions, which have to be built and enabled for the same PHP version first.

#wget http://pecl.php.net/get/pecl_http-2.0.4.tgz

2. Extract the package and change into it

#tar -xvzf pecl_http-2.0.4.tgz
#cd pecl_http-2.0.4

3. Run the phpize command of the alt-php version you are building for. phpize prepares the build environment for a PHP extension against that interpreter's API; running the system phpize instead produces a module the alt-php binary cannot load.

#/opt/alt/php53/usr/bin/phpize

4. Proceed with the build and installation of the module as below, pointing --with-php-config at the same version:

#./configure --with-php-config=/opt/alt/php53/usr/bin/php-config
#make && make install

Once the above steps are completed, http.so has been installed into the alt-php extension directory and we need to load it.

In order to load the http extension, proceed as below (replace php5x with the version you built for, php53 in this example):

1. Create a custom http.ini in /opt/alt/php5x/etc/php.d.all and add the following lines to it:

#cd /opt/alt/php5x/etc/php.d.all

#vi http.ini

; Enable http extension module
extension=http.so

(propro.so and raphf.so must be loaded before http.so, so either give their .ini files names that sort earlier or list all three in this file in that order.)

2. The module is loaded via /opt/alt/php53/etc/php.d inside CageFS. (CageFS is a virtualized file system and a set of tools that contain each user in its own 'cage'. Each customer gets its own fully functional CageFS with all the system files, tools, etc.)

The command cagefsctl --rebuild-alt-php-ini rebuilds the customers' alt_php.ini files:

#cagefsctl --rebuild-alt-php-ini

The resulting file is /opt/alt/php53/etc/php.d/alt_php.ini

3. Finally, to enable the module, restart the web server:

#service httpd restart

4. Also ensure the 'http' module is enabled from WHM as below:

a) Log in to WHM and go to Home >> Server Configuration >> CloudLinux LVE Manager

b) Select the 'Selector' tab

c) Select the appropriate PHP version from the drop-down menu next to 'Choose default modules for', then tick the checkbox next to the 'http' module

Now the pecl_http extension is available for that PHP 5.x version. Verify it by creating a phpinfo page in an account that uses that version and checking that an http section appears, or by running that version's php binary with -m and looking for http in the list.


April 10, 2014

Login to server using PuTTY without password

Filed under: General Topics,Linux Basics — Bella @ 8:53 pm

    SSH is a network protocol that provides secure access to a computer. When we need to connect to a remote computer via SSH, that computer should have a SSH server running on it. There are different ways a client can authenticate itself to the server. A typical authentication mode will be to enter a password when logging into a remote system.

Using the steps below we can log in to a Linux server with an SSH key instead of going through the password prompt.

First we will need to download PuTTY and PuTTYgen.

  • PuTTY: the Telnet and SSH client itself.
  • PuTTYgen: an RSA and DSA key generation utility.

>> Download the latest versions of putty.exe and puttygen.exe and start puttygen.exe.

>> We need to generate a key pair. In the PuTTYgen window, leave the default 'SSH-2 RSA' selection, make sure the number of bits is at least 2048, and click "Generate", moving the mouse over the blank area to supply randomness.

>> Optionally type a key passphrase (recommended: the private key file is then useless to anyone who copies it, and Pageant can hold the unlocked key so you still type nothing per login). Click "Save private key" and store the .ppk file somewhere only you can read. Then copy the text from the box labelled "Public key for pasting into OpenSSH authorized_keys file"; it is a single line starting with ssh-rsa. Do not copy the "Public-Lines" section out of the saved .ppk file: those lines are the same key split across several lines and without the ssh-rsa prefix, and sshd will not recognise them.

>> Open PuTTY, type the IP of the Linux server and log in with the password one last time.

>> Create the ~/.ssh directory if it does not exist and lock it down (mkdir -p ~/.ssh; chmod 700 ~/.ssh), then create the file ~/.ssh/authorized_keys (note the spelling: authorized, not authorised) with vi and paste the key into it as one line.

>> Change the permission of the file using the command "chmod 600 ~/.ssh/authorized_keys". sshd ignores keys in a directory or file that is writable by anyone other than the owner.

>> Open putty.exe, type the IP, then go to "Connection >> Data" and type the "Auto-login username" (the username we use to log in).

>> Go to "Connection >> SSH >> Auth" and browse to the saved .ppk private key file. Save the session so you do not have to repeat this each time.

>> Click Open.

Finally we can log in without typing the account password. Once key login works for every account that needs it, consider setting PasswordAuthentication no in /etc/ssh/sshd_config so that password guessing against the server is no longer possible; keep an existing session open while you test the change so a mistake does not lock you out.
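The .ppk-versus-OpenSSH point above, as an added example that is not from the original post: a POSIX shell script that rebuilds the authorized_keys line from the Public-Lines of a .ppk (the same conversion the Unix puttygen does with -O public-openssh) and installs it with the directory and file modes sshd requires, without duplicating a key that is already there. The .ppk shown is a constructed stub with fake base64, not a usable key.

```shell
#!/bin/sh
# Added example (not from the original post). Rebuilds the one-line OpenSSH public key
# from the Public-Lines of a PuTTY .ppk and installs it into ~/.ssh/authorized_keys
# with the modes sshd requires. The .ppk below is a constructed stub (fake base64).
set -eu

SAMPLE_PPK=$(mktemp)
trap 'rm -f "$SAMPLE_PPK"' EXIT
cat > "$SAMPLE_PPK" <<'EOF'
PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: rsa-key-20140410
Public-Lines: 3
AAAAB3NzaC1yc2EAAAABJQAAAQEA
CONSTRUCTEDstubNOTaREALkey00
zzzzEND0
Private-Lines: 1
PRIVATEpartNOTneededHERE0000
Private-MAC: 0000000000000000000000000000000000000000
EOF

# Key type from the first header, base64 blob from the joined Public-Lines, comment
# from the Comment header: exactly what PuTTYgen shows in its "paste into OpenSSH
# authorized_keys" box.
ppk_public_openssh() {
    ppk=$1
    type=$(awk -F': ' '/^PuTTY-User-Key-File-/ { print $2; exit }' "$ppk")
    comment=$(awk -F': ' '/^Comment:/ { print $2; exit }' "$ppk")
    blob=$(awk '/^Public-Lines:/ { n = $2; next } n > 0 { printf "%s", $0; n-- }' "$ppk")
    printf '%s %s %s\n' "$type" "$blob" "$comment"
}

# Append one key line to $1/.ssh/authorized_keys, creating the directory and file with
# 700/600 (sshd's StrictModes rejects anything group- or world-writable) and skipping
# a key that is already present.
install_authorized_key() {
    home=$1; line=$2
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    grep -qxF "$line" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$line" >> "$home/.ssh/authorized_keys"
}

# Number of non-empty lines (keys) currently authorised for a home directory.
count_authorized_keys() {
    f=$1/.ssh/authorized_keys
    if [ -f "$f" ]; then grep -c . "$f" || true; else echo 0; fi
}

DEMO_HOME=$(mktemp -d)
KEY_LINE=$(ppk_public_openssh "$SAMPLE_PPK")
echo "authorized_keys line: $KEY_LINE"
install_authorized_key "$DEMO_HOME" "$KEY_LINE"
install_authorized_key "$DEMO_HOME" "$KEY_LINE"      # second call is a no-op
echo "keys installed: $(count_authorized_keys "$DEMO_HOME")"
rm -rf "$DEMO_HOME"
```

On a real server the equivalent is ppk_public_openssh on the saved .ppk, then install_authorized_key with the account's home directory; the grep guard keeps repeated runs from growing the file.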


April 9, 2014

Webmail loading blank page OR not able to login

Filed under: Technical Articles — Bella @ 2:08 am

Issue :

If, while accessing Webmail via SquirrelMail, Horde or Roundcube, you get a blank screen, or all three clients report that the login failed because of a wrong user or password, work through the steps below:

Solution :

1. Run the following command in root SSH:

#/scripts/whoowns domain.com

Where domain.com is the domain name in question.

2. If it doesn't show any ownership, move the following files aside (they are regenerated in the next step, and the .bak copies let you restore them if something goes wrong; cPanel services such as Exim consult these files, so run the move and the rebuild back to back):

#cd /etc

#mv userdomains userdomains.bak

#mv domainusers domainusers.bak

#mv trueuserdomains trueuserdomains.bak

At that point, run the following script and recheck ownership for the domain:

#/scripts/updateuserdomains

#/scripts/whoowns domain.com

If instead of showing no ownership the domain shows the wrong owner, edit the /var/cpanel/users/username file of the account that wrongly owns the domain and remove the DNS line it carries for that domain, then run the move and /scripts/updateuserdomains commands above again.

If after running the command /scripts/whoowns domain.com you receive the error below:

=========

warn [updateuserdomains] Unable to read /etc/trueuserdomains: No such file or directory

warn [updateuserdomains] Unable to read /etc/userdomains: No such file or directory

== WORKAROUND ENABLED ==

Serious Problem — This should never happen!!

The hostname (domain.tld) is owned by the user <username>

== WORKAROUND ENABLED ==

==========

this error is caused by a conflict between the hostname and the account.

The host name of the machine has been set to the same domain as this cPanel account. The hostname is owned by nobody, so it cannot also be owned by username.

Go to WHM > Change Hostname and change the hostname to server.domain.tld instead of domain.tld. Make sure the new name resolves in DNS before you change it, since cPanel services use it (Exim, for example, identifies itself with it in SMTP).

After changing the hostname to a subdomain of the main domain rather than the main domain itself, repeat the steps above to move the files aside and run /scripts/updateuserdomains again.

Ownership is set properly once the hostname is no longer your main domain name.
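The ownership lookup and the hostname conflict described above, as an added example that is not from the original post: a shell script that answers the /scripts/whoowns question from a /etc/userdomains-format file ("domain: user" per line, with "*: nobody" first) and flags a hostname that is also an account's domain, so you can confirm the diagnosis before moving the real files. The file contents, account names and domains are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Answers "who owns this domain?" from a
# /etc/userdomains-style file and detects the hostname/account conflict that makes
# updateuserdomains print "Serious Problem". The file below is constructed.
set -eu

SAMPLE_UD=$(mktemp)
trap 'rm -f "$SAMPLE_UD"' EXIT
cat > "$SAMPLE_UD" <<'EOF'
*: nobody
domain.tld: bob
www.domain.tld: bob
example.com: alice
shop.example.com: alice
EOF

# Owner of an exact domain entry, like /scripts/whoowns. Exit 1 when no entry exists.
whoowns() {
    awk -F': ' -v d="$1" '$1 == d { print $2; found = 1; exit }
                          END { if (!found) exit 1 }' "$2"
}

# All domains (main, addon, parked, sub) mapped to a cPanel user.
domains_for_user() {
    awk -F': ' -v u="$1" '$2 == u && $1 != "*" { print $1 }' "$2"
}

# Exit 0 and explain when the server hostname is also an account's domain: the
# hostname must belong to nobody, so the account cannot own it at the same time.
hostname_conflict() {
    owner=$(whoowns "$1" "$2" || true)
    if [ -n "$owner" ] && [ "$owner" != nobody ]; then
        echo "hostname $1 is also the domain of account $owner; rename the host to server.$1"
        return 0
    fi
    return 1
}

echo "domain.tld is owned by: $(whoowns domain.tld "$SAMPLE_UD")"
echo "alice owns: $(domains_for_user alice "$SAMPLE_UD" | xargs)"
hostname_conflict domain.tld "$SAMPLE_UD" || echo "no conflict for domain.tld"
hostname_conflict server.domain.tld "$SAMPLE_UD" || echo "no conflict for server.domain.tld"
```

Run hostname_conflict with the output of hostname -f against the real /etc/userdomains before moving anything; if it reports a conflict, the rename in WHM is the fix and shuffling the files will not help on its own.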
