Saturday, June 19, 2010

Server Install: CentOS 5.3 and cPanel

SkyHi @ Saturday, June 19, 2010

Today I helped David Kosmider at HillSeven configure a secure CentOS server with cPanel. Below is a walk-through of how I did it.

Before We Begin

  • Your server’s IP address must be authorized to install cPanel. This can be done when purchasing your license.
  • This post does not cover the CentOS installation. I hope to write on this in the future.
  • Important: I’m assuming you have a fresh/clean install of CentOS 5.3. cPanel requires that you have no other software installed. If you have installed other software, there is a good chance the install may fail.
  • There are many ways to configure a server. This is how I do it. I offer no guarantees that this will work for you.

Let’s begin.

Login As Root

Log into your machine using SSH. Use the su command to become the root user. You will be prompted for the root password.

su
Password: [enter root password]

Set Hostname

Open the file /etc/sysconfig/network and change the HOSTNAME= value to match your Fully Qualified Domain Name (FQDN).

nano /etc/sysconfig/network

HOSTNAME=hostname.domain.com

Add an entry for your server's main IP address to /etc/hosts so that the FQDN and short host name resolve locally (the 192.168.x.x line below is a placeholder; use the address actually bound to the server).

nano /etc/hosts

127.0.0.1 localhost
192.168.x.x hostname.domain.com hostname

Finally, run the hostname command, replacing hostname.domain.com with your FQDN.

hostname hostname.domain.com

Update Yum Repositories

Let’s update our YUM packages.

yum update

Press ‘y’ to continue.

Install Perl

Perl needs to be installed. Let’s install that now.

yum install perl

Download cPanel Installation Files

cd ~
wget http://layer1.cpanel.net/latest

Note that this fetches an installer over plain HTTP and the next step runs it as root. cPanel now serves the same installer over HTTPS from securedownloads.cpanel.net; prefer that URL when it is available so the download cannot be tampered with in transit.

Begin cPanel Installation

Let's now start the installation. This may take several hours to complete, so it may be a good time to see that movie you have been itching to watch.

sh latest

Logging In

Once completed, you should see:

cPanel Layer 2 Install Complete

Now you can login to your cPanel.

Visiting http://[your_ip_address]:2086 or https://[your_ip_address]:2087 should bring up a login prompt.

Enter root for the user ID and your root password.

Complete cPanel Installation

You should see the cPanel interface now. Go through these steps. Basic networking knowledge is needed to complete this.

Once you’re finished, you have successfully installed cPanel on CentOS Server! Congrats! The last thing is to secure your machine. We will use the iptables firewall in CentOS for this.

Securing CentOS

There are many ways to secure your server. The important thing is to secure it with something. This is the configuration I used; you may want to add or remove entries as needed. The commands below set up a firewall using iptables and allow only the basic service ports to be reached. I suggest you read up on iptables first to gain a better understanding of what each rule does.

Let’s make sure iptables is installed:

yum install iptables

Two cautions before you start. First, if the stock CentOS firewall is active, its INPUT chain jumps to RH-Firewall-1-INPUT, which already ends in a REJECT; rules appended with -A would sit after that jump and never be reached, so flush the existing rules first with /sbin/iptables -F. Second, you are typing these rules over SSH and the rule that opens port 22 comes near the end of the list, so keep a second SSH session open until you have confirmed you can still log in. Enter the commands below to build your firewall:

/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 2082 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 2083 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 2086 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 2087 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 2089 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 2095 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 2096 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
/sbin/iptables -A INPUT -j REJECT
/sbin/iptables -A FORWARD -j REJECT

The second rule uses the older negation spelling (-i ! lo) that the CentOS 5 iptables understands; newer releases prefer ! -i lo and warn about the old form.

What did we just do?

You restricted all incoming traffic to the following ports/services:

  • Port 80 – HTTP
  • Port 443 – HTTPS
  • Port 110 – POP3
  • Port 25 – SMTP
  • Port 2082 – cPanel
  • Port 2083 – cPanel (SSL)
  • Port 2086 – WHM
  • Port 2087 – WHM (SSL)
  • Port 2089 – cPanel licensing (the licence check is an outbound connection that the ESTABLISHED,RELATED rule already covers, so this inbound rule is not actually needed and can be dropped)
  • Port 2095 – Webmail
  • Port 2096 – Webmail (Secure)
  • Port 22 – SSH
  • ICMP – Ability to ping server

You can read more on the ports that cPanel uses at http://www.cpanel.net/2007/06/getting-the-most-out-of-your-systems-firewall.html.

If you need to start over, flush the current rules with the command below. This removes the rules only; the chain policies stay at ACCEPT, so the server is wide open until you enter the rule set again:

/sbin/iptables -F

After you are done, save your iptables. If you do not, you will lose your firewall settings on reboot:

/sbin/service iptables save
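As an added example, not part of the original walk-through, the script below rebuilds the same firewall from a port list so that the rule set can be reviewed with a dry run before it touches a live server and re-run without appending duplicate rules. It goes slightly beyond the rules above: it drops INVALID packets, opens the SSH port before the other services so a typo later in the list cannot cut off the session, and leaves out the inbound 2089 rule because licence checks are outbound. The names IPT, SSH_PORT, TCP_PORTS, EXTRA_TCP_PORTS and UDP_PORTS are this example's own; /sbin/iptables and SSH on port 22 are assumed defaults, and the extra port variables are where the mail, FTP and DNS ports from the port reference later on this page would go.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the walk-through's
# firewall from a port list. Assumptions: iptables at /sbin/iptables
# (override with IPT=...), SSH on port 22 (override with SSH_PORT=...).
# DRY_RUN=1 prints the commands instead of running them.

IPT="${IPT:-/sbin/iptables}"
SSH_PORT="${SSH_PORT:-22}"
# Inbound TCP services from the walk-through. 2089 is left out on purpose:
# licence checks are outbound and already covered by ESTABLISHED,RELATED.
TCP_PORTS="${TCP_PORTS:-80 443 25 110 2082 2083 2086 2087 2095 2096}"
# Optional extras (e.g. 143 993 995 465 21 for mail/FTP, 53 for DNS). Empty by default.
EXTRA_TCP_PORTS="${EXTRA_TCP_PORTS:-}"
UDP_PORTS="${UDP_PORTS:-}"

# Run one iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Accept new inbound TCP connections to one port.
accept_tcp() {
    ipt -A INPUT -p tcp -m state --state NEW --dport "$1" -j ACCEPT
}

build_firewall() {
    # Flush the chains but keep the default policies at ACCEPT, so a failure
    # part-way through cannot strand the SSH session this is typed in.
    ipt -F INPUT
    ipt -F FORWARD
    ipt -F OUTPUT
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT
    # Older negation spelling, as in the walk-through (newer iptables: ! -i lo).
    ipt -A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # SSH first, before anything else in the list can go wrong.
    accept_tcp "$SSH_PORT"
    for p in $TCP_PORTS $EXTRA_TCP_PORTS; do
        accept_tcp "$p"
    done
    for p in $UDP_PORTS; do
        ipt -A INPUT -p udp --dport "$p" -j ACCEPT
    done

    ipt -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT   # echo-request (ping)
    ipt -A OUTPUT -j ACCEPT
    ipt -A INPUT -j REJECT
    ipt -A FORWARD -j REJECT
}

# Print the rule set without applying it (runs in a subshell so DRY_RUN
# does not leak into a later real run).
dry_rules() (
    DRY_RUN=1
    build_firewall
)

# Number of ACCEPT rules the script would install; a quick sanity check
# against the port list before applying.
count_accept_rules() {
    dry_rules | grep -c -- '-j ACCEPT'
}

case "${1:-}" in
    dry)   dry_rules ;;
    apply) build_firewall
           "$IPT" -L INPUT -n --line-numbers
           /sbin/service iptables save ;;
esac
```

Run `sh firewall.sh dry` to review the generated rules, then `sh firewall.sh apply` from a session you can afford to lose while a second SSH session stays open; the apply step lists the resulting INPUT chain and saves it so it survives a reboot. To open the mail, FTP and DNS ports from the reference below, set EXTRA_TCP_PORTS and UDP_PORTS on the command line, e.g. `EXTRA_TCP_PORTS="143 993 995 465 21 53" UDP_PORTS="53" sh firewall.sh dry`.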

You’re Done

Admittedly, I am no cPanel expert; however, if you run into difficulty, let me know. I will do my best to help. As always, I would love to hear feedback. Happy installing everyone!


cPanel Port Reference

For cPanel to run without problems, the following ports need to be open in the firewall (iptables). Inbound means the server accepts connections on that port; outbound means the server initiates them. Note that some entries from the original list claimed UDP for FTP, SMTPS and rsync; those services use TCP only.

  • 20 – FTP data – TCP – inbound and outbound
  • 21 – FTP control – TCP – inbound and outbound
  • 22 – SSH – TCP – inbound
  • 25 – SMTP – TCP – inbound and outbound
  • 26 – SMTP (alternate) – TCP – inbound and outbound
  • 37 – RDATE – TCP – outbound
  • 43 – WHOIS – TCP – outbound
  • 53 – DNS – TCP/UDP – inbound and outbound
  • 80 – HTTP – TCP – inbound and outbound
  • 110 – POP3 – TCP – inbound
  • 113 – IDENT – TCP – outbound
  • 143 – IMAP – TCP – inbound
  • 443 – HTTPS – TCP – inbound
  • 465 – SMTP over TLS/SSL – TCP – inbound and outbound
  • 873 – RSYNC – TCP – outbound
  • 993 – IMAP over SSL – TCP – inbound
  • 995 – POP3 over SSL – TCP – inbound
  • 2082 – cPanel – TCP – inbound
  • 2083 – cPanel SSL – TCP – inbound
  • 2086 – WHM – TCP – inbound
  • 2087 – WHM SSL – TCP – inbound
  • 2089 – cPanel licence – TCP – outbound
  • 2095 – Webmail – TCP – inbound
  • 2096 – Webmail SSL – TCP – inbound
  • 3306 – MySQL – TCP – open inbound only if remote clients must reach the database; otherwise leave it closed and let local applications use the socket


Useful
cPanel Command List

Ever locked yourself out of your server while making some iptables changes? What about when you change your SSH port and then forget what you set it to? These are common support tickets we receive at RackWire.com. In many cases this is something our customers can fix on their own if they are using cPanel on their VPS/server.

cPanel comes with a number of "hidden" autofix commands that allow administrators to fix common problems simply by logging into WHM and going to a special URL. Two of the most useful ones I've seen are flushing iptables and restarting SSH in "safe mode" (basically the default settings and port).

Flushing iptables rules: https://yourdomain.com:2087/scripts2/doautofixer?autofix=iptablesflush

Restart SSH in safe mode: https://yourdomain.com:2087/scripts2/doautofixer?autofix=safesshrestart

Once you hit the URL you will be prompted to log in. Simply enter your root password and cPanel will do the rest. Use the https form on port 2087 for these; the same paths also work over plain http on port 2086, but then the root password crosses the network in cleartext. Also bear in mind that the iptables flush leaves the server with no firewall at all, so re-apply a working rule set as soon as you are back in. These have definitely saved me on more than one occasion when my attempt to "secure" my server worked a little too well. Remember that if you happen to also lock yourself out of WHM through iptables, you will not be able to hit the URLs I mentioned. In that case, contact support.


Here are some other useful autofixers as well (the first two are the same firewall and SSH resets listed above):

  • iptablesflush (reset the firewall settings) – https://yourdomain.com:2087/scripts2/doautofixer?autofix=iptablesflush
  • safesshrestart (reset the SSH settings) – https://yourdomain.com:2087/scripts2/doautofixer?autofix=safesshrestart
  • bsdbindfix – https://yourdomain.com:2087/scripts2/doautofixer?autofix=bsdbindfix
  • autorepair – https://yourdomain.com:2087/scripts2/doautofixer?autofix=autorepair
  • Compress-Zlib-1.42.tar.gz – https://yourdomain.com:2087/scripts2/doautofixer?autofix=Compress-Zlib-1.42.tar.gz
  • compresszlibfix – https://yourdomain.com:2087/scripts2/doautofixer?autofix=compresszlibfix
  • dbdmysql – https://yourdomain.com:2087/scripts2/doautofixer?autofix=dbdmysql
  • diagnose_apache_conf – https://yourdomain.com:2087/scripts2/doautofixer?autofix=diagnose_apache_conf
  • fpindexfile – https://yourdomain.com:2087/scripts2/doautofixer?autofix=fpindexfile
  • libxml2-2.6.28.tar.gz – https://yourdomain.com:2087/scripts2/doautofixer?autofix=libxml2-2.6.28.tar.gz
  • libxml64fix – https://yourdomain.com:2087/scripts2/doautofixer?autofix=libxml64fix
  • pro* – https://yourdomain.com:2087/scripts2/doautofixer?autofix=pro*
  • spamd_dbm_fix – https://yourdomain.com:2087/scripts2/doautofixer?autofix=spamd_dbm_fix
  • test – https://yourdomain.com:2087/scripts2/doautofixer?autofix=test
  • vfilterfix – https://yourdomain.com:2087/scripts2/doautofixer?autofix=vfilterfix
  • yumduprpmfix – https://yourdomain.com:2087/scripts2/doautofixer?autofix=yumduprpmfix
  • resellerresourceacctounts – https://yourdomain.com:2087/scripts2/doautofixer?autofix=resellerresourceacctounts
  • horde_sqmail_current_fix – https://yourdomain.com:2087/scripts2/doautofixer?autofix=horde_sqmail_current_fix


Good Luck, and if you need more help you can always Contact RackWire.com Support!




REFERENCES

http://gaclabs.com/2009/09/server-install-centos-5-3-and-cpanel

http://www.cpanel.net/2007/06/getting-the-most-out-of-your-systems-firewall.html

http://www.webhosting.uk.com/forums/control-panel-questions/4542-open-ports-run-cpanel-behind-iptables.html

http://my.myriadnetwork.com/kb/questions.php?questionid=181

http://blog.rackwire.com/tag/cpanel-commands/