“Our lives begin to end the day we become silent about things that matter.”

Wise Words indeed. Happy Martin Luther King Jr Day!

Happy New Year!

An optimist stays up until midnight to see the New Year in.
A pessimist stays up to make sure the Old Year leaves.

Not sure who the quote is from but I can assure you that the words are not mine! I’ve not had the chance to update the blog for a while, a mixture of work and family commitments made that tricky. Thankfully I can say I had a lovely Christmas, got to see the boys (thanks Ann x) and generally eat and drink more than I should, as we all do.

New Year was lovely too, got to have some quality time relaxing and generally not doing a lot. Of course a return to work has now started, so I will leave the entry there. TTFN

A word to the wise (or those with cPanel VPS or servers)

I got asked the other day how you’d make a cPanel server more secure, so here are a few tips that might just help.

1) Use secure passwords!

The use of insecure passwords is the most common weak point in server security. If an account password is insecure and is compromised, sites can be defaced, infected, or deleted. Having decent passwords is therefore very important to having a secure server.

You can edit /etc/login.defs to configure many different password options on your system.

Generally, a password utilising at least 8 characters including alphanumeric and grammatical symbols is usually sufficient. Try not to use passwords based upon dictionary words or significant dates if at all possible. If you are uncertain about the security of a password, then it’s probably best that you choose another password just to be on the safe side.

2) If you don’t need SSH, turn it off! If you do need SSH access then make sure you secure SSH access!

The safest thing to do is to turn SSH off completely and then it can not possibly be compromised. In WHM under “Manage Shell Access” you now have the option to apply ‘No shell to all users’ with just one click!

Consider moving SSH access to a different port. As a rule hackers are looking for port 22 as a possible way to access your VPS or dedicated server. Moving SSH to a different port will add a simple way to deter those without specific knowledge of your server from easily discovering your SSH port.

You can modify the port that SSH runs on within /etc/ssh/sshd_config. Change the line that says Port 22 to a different port such as: Port 2045. Make sure to keep your current SSH session open when testing the new port so you can change back to port 22 if the new port doesn’t work.

You should always use SSHv2 only as SSHv1 is not secure. Make sure to change the line in /etc/ssh/sshd_config that says #Protocol 2,1 to Protocol 2.

You may also wish to set Shell Resource Limits for your users to prevent applications and scripts from using up all your resources and taking down your server. You can configure shell resource limits in /etc/security/limits.conf on most Linux systems.

On top of that, you should also consider enabling public key authentication for SSH and disabling password authentication. The details on how to do that are available at http://www.cpanel.net/2007/06/using-public-key-authentication-for-ssh-and-transfers.html
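One way to check a server against the SSH advice above is to audit the global part of sshd_config for the port, protocol and authentication settings. This is an added example, not part of the original post; the function names and both sample files are constructed, and it assumes whitespace-separated directives and treats a missing Protocol line as a finding because the built-in default then applies.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings discussed above.
# Prints one finding per line and nothing when the file passes.
audit_sshd_config() {
    awk '
        /^[ \t]*(#|$)/ { next }           # commented line: built-in default applies
        tolower($1) == "match" { exit }   # only audit the global settings
        {
            key = tolower($1)
            if (key == "port") { ports++; if ($2 == "22") on22 = 1 }
            # for other keywords sshd uses the first value it reads
            if (!(key in val)) val[key] = tolower($2)
        }
        END {
            if (!ports || on22)
                print "port: sshd still listens on 22"
            if (val["protocol"] != "2")
                print "protocol: not pinned to 2"
            if (val["passwordauthentication"] != "no")
                print "passwordauthentication: password logins accepted"
            if (val["pubkeyauthentication"] == "no")
                print "pubkeyauthentication: key logins disabled"
        }
    ' "$1"
}

# Constructed sample files: a stock-style config and a hardened one.
write_sample_configs() {
    cat > "$1/weak" <<'EOF'
#Port 22
#Protocol 2,1
PasswordAuthentication yes
EOF
    cat > "$1/hardened" <<'EOF'
Port 2045
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
EOF
}

tmp=$(mktemp -d)
write_sample_configs "$tmp"
for f in weak hardened; do
    echo "== $f =="; audit_sshd_config "$tmp/$f"
done
rm -rf "$tmp"
```

On a live server, point the function at /etc/ssh/sshd_config before and after editing, and keep the existing session open while you test.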

3) Secure Apache

The most readily available way to access a web server is, of course, the web server application. It is important to take steps to secure your Apache installation.

One of the best tools for preventing malicious Apache use is mod_security. This can be installed in Addon Modules in the cPanel section of WebHost Manager. You can find information about mod_security at http://www.modsecurity.org/.

When compiling easyapache, you should include suexec to ensure that CGI applications and scripts run as the user that owns / executes them. This will help identify where malicious scripts are and who is running them. It will also enforce permission and environment controls.

We also recommend compiling easyapache + PHP with PHPsuexec. PHPsuexec forces all PHP scripts to run as the user who owns the script. This means that you will be able to identify the owner of all PHP scripts running on your server. If one is malicious, you will be able to find its owner quickly and resolve the issue. To compile Apache + PHP with PHPsuexec, select the PHPSuexec option in the easyapache Upgrade interface in WHM or when running /scripts/easyapache from the command line.

You should enable PHP’s open_basedir protection. This protection will prevent users from opening files outside of their home directory with PHP. This can be enabled in Tweak Security within WebHost Manager.

You may also wish to include safe_mode for PHP 5.x and below. Safe_mode ensures that the owner of a PHP script matches the owner of any files to be operated on. You can enable safe_mode by changing the safe_mode = line in php.ini to safe_mode = On.

4) Secure your /tmp partition

We recommend that you use a separate partition for /tmp that is mounted with nosetuid. Nosetuid will force a process to run with the privileges of its executor. Also, running /scripts/securetmp will mount your /tmp partition to a temporary file for extra security.

5) Upgrade your mail to maildir format

Maildir format adds extra security and extra speed to your mail system. Newer installs use maildir by default. If you’re running an older copy of cPanel, you’ll probably want to upgrade using /scripts/convert2maildir. Make sure to back up your current mail before converting to maildir; this can be done within /scripts/convert2maildir. If you see maildir is enabled when running /scripts/convert2maildir, you are already using maildir, and will not need to convert.

6) Lock down your system’s compilers

Most users do not require the use of C and C++ compilers. You can use the Compilers Tweak within Tweak Security in WebHost Manager to turn off use of the compilers for all unprivileged users, or to disable them for specific users only. Many pre-packaged exploits require working compilers. Disabling compilers will help protect against many exploits.

7) Turn off unused services and daemons

Any service or daemon that allows a connection to be established to your server is a way for hackers to gain access. To reduce security risks, you should disable all services and daemons that are not being used.

For Daemons on Linux:

Check /etc/xinetd.conf for services you are not using. For example, cupsd (printing daemon) and nfs/statd (network file system daemons) are not used on many systems.

For Services:

Go to the Service Manager in the Service Configuration section of WHM and disable any services that you are not using.

8) Monitor your system

This is where things get a little complicated, so this one is really for advanced users. It is important to be up to date on what is going on with your system. Make sure that you know when accounts are being created, what software is being installed, when software needs updates, etc.

Check your system frequently to ensure it is functioning in the way you expect. Make sure to check things like:

netstat -anp : Look for programs attached to ports that you did not install / authorize

find / \( -perm -a+w \) ! -type l >> world_writable.txt : Look at world_writable.txt to see all world writable files and directories. This will reveal locations where an attacker can store files on your system. NOTE: Fixing permissions on some PHP/CGI scripts that are not properly coded will break them.

find / -nouser -o -nogroup >> no_owner.txt : Look at no_owner for all files that do not have a user or group associated with them. All files should be owned by a specific user or group to restrict access to them.

ls /var/log/: There are many different logs on your system which can be valuable resources. Check your system logs, apache logs, mail logs, and other logs frequently to make sure your system is functioning as expected.
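The netstat check above is easier to repeat if you compare the listeners against a list of ports you expect to be open. The script below is an added example, not part of the original post; the function names, the allowlist and the sample netstat output are constructed, and it assumes the Linux `netstat -anp` column layout.

```shell
#!/bin/sh
# Added example: flag listening sockets in `netstat -anp` output whose port
# is not on an allowlist. Reads netstat output on stdin.
# $1 = space-separated list of ports you expect to be open.
unexpected_listeners() {
    awk -v allow="$1" '
        function report(proto, local, prog,   parts, k, port) {
            k = split(local, parts, ":")      # also handles IPv6 ":::80"
            port = parts[k]
            if (!(port in ok)) print proto, port, prog
        }
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # TCP listeners carry LISTEN in column 6 and the program in column 7.
        $1 ~ /^tcp/ && $6 == "LISTEN" { report($1, $4, $7); next }
        # UDP has no state column: an unconnected socket shows the wildcard
        # peer in column 5 and the program in column 6.
        $1 ~ /^udp/ && $5 ~ /:\*$/ { report($1, $4, $6) }
    '
}

# Constructed sample of `netstat -anp` output (documentation addresses).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address     Foreign Address    State       PID/Program name
tcp        0      0 0.0.0.0:2045      0.0.0.0:*          LISTEN      1201/sshd
tcp        0      0 0.0.0.0:2087      0.0.0.0:*          LISTEN      1544/cpsrvd
tcp        0      0 0.0.0.0:631       0.0.0.0:*          LISTEN      1310/cupsd
tcp        0      0 192.0.2.10:2045   198.51.100.7:51514 ESTABLISHED 2210/sshd
tcp6       0      0 :::80             :::*               LISTEN      1422/httpd
tcp        0      0 0.0.0.0:48211     0.0.0.0:*          LISTEN      3977/perl
udp        0      0 0.0.0.0:111       0.0.0.0:*                      1105/portmap
EOF
}

# The allowlist here is an assumption; build yours from the services you run.
sample_netstat | unexpected_listeners "2045 80 443 2087"
# On a live server: netstat -anp | unexpected_listeners "2045 80 443 2087"
```

Anything it prints is either a service to add to the allowlist or one to disable or investigate.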

There are many readily available utilities to monitor your system and to detect rootkits, backdoors, etc. Here are some commonly available utilities:

Tripwire – Monitors checksums of files and reports changes.
http://tripwire.com or http://sourceforge.net/projects/tripwire

Chkrootkit – Scans for common rootkits, backdoors, etc.
http://www.chkrootkit.org

Rkhunter – Scans for common rootkits, backdoors, etc.
http://www.rootkit.nl/projects/rootkit_hunter.html

Logwatch – Monitors and reports on daily system activity.
http://logwatch.org

9) Enable a Firewall

Installing a firewall to limit access to your server is useful. Removing all unused software on your system is more useful. Before you have the chance to remove all unused services and daemons, or the chance to figure out which services / daemons are unused, you can enable a firewall to prevent unwanted access.

The following will show the ports cPanel and WHM need open to function properly and what the port is used for:

http://docs.cpanel.net/twiki/bin/view/AllDocumentation/AllFAQ/WHMsFAQ#I_use_the_APF_firewall_rules_on

Please note that these ports are for all services that can be used by cPanel and WHM; you may or may not be using all of these services or other services and should adjust your rules accordingly.

Remember to set a cron job to disable your firewall every 5 minutes when testing your rules, or you may be locked out of your server.

10) Stay up to date

It is important to make sure that you are running the latest stable versions of the software on your system to ensure that it has been patched of any security issues that past versions may be susceptible to. Make sure to keep on top of updates for:

Kernel
cPanel and WHM
User Applications (bulletin boards, CMS, blog engines, etc)
System Software

cPanel and WHM and other system software can be set to update automatically in WebHost Manager under Update Config in the Server Configuration section. User Applications can be upgraded through Manage cPAddons in the cPanel section of WebHost Manager.

Enjoy!

Loneliness is about the scariest thing there is.

“The most terrible poverty is loneliness, and the feeling of being unloved.” – Mother Teresa

Readers will be aware that I am not at my best. That’s a massive understatement actually, but hey ho. Today I’m going to write about something I genuinely hope no reader actually understands. I’m going to be more open on this entry and in a way I seldom do here and I do so in the hope that no one gets what I’m trying to say, as I would not wish these feelings on anyone.

There’s an emptiness I feel almost all the time and it’s far worse when I am alone. Some people hate their work and I’d be the first to see that sometimes work is not perfect but it does allow me to be around people. Hearing some voices, the odd bit of banter, the hustle and bustle of the office, they all distract me while I’m working.

The real problems start when I can’t stay at work. In truth Ann has been very good and allowed me loads of time to see both Chris and Jack at her place and under the difficult circumstances, I can not thank her enough for her patience and understanding, but I can not hide there either. It’s when I go back to ‘base camp’ that it’s at its worst. Just me, four walls and my thoughts.

Please don’t get me wrong, I am very lucky to have a lot of excellent friends, but most of them have commitments or families or live a long way away and so I’m often left without anyone to talk to, and so I sit alone, watching the clock, hoping for the night to end so I can go to work in the morning just to be around another person.

I do try to reach out to people but I find that some either ignore me (or being more generous perhaps they choose not to reply) or can’t find it within themselves to reply. I’ve always tried to be there for others no matter what, but I accept that other people can not reciprocate like that. Perhaps sometimes I try too hard to be there for people, I’ll accept that but having had times in my life where I have been less than accepted (not to mention being perhaps a pariah to some) but I do so as I fear loneliness more than anything.

Most people are not so alone, they have partners or children, lovers or whatever and so they won’t realise just how soul destroying it can be not to have someone to say hello to, not to have somebody to hold their hand, to care for, to cherish. I envy them and when I’m lucky enough to spend some time with Jack and Christopher, I feel so much better just by having them around, but then you always feel better when you’re with the people you love I suppose.

Right now I can try to communicate with some people but not know whether I’ll get a reply or not, often not. I can try to care for people but they do not wish me to do so. Instead I’m often alone and forgotten. I’m out of sight and out of mind for many I suspect, I get the impression from some that they’d just prefer me to just go away and the way I’m feeling right now, they may well get their wish.

A very long time ago, I lived in a place on Birkin Avenue which I shared. It was no palace, but it was warm and comfortable and became a home for me at a time in my life when I badly needed one. One of the people I shared with was an old chap called Len. He had his dog and they pottered about the place and over the months I got to know him a little. He lived alone and mostly saw no one apart from his work at a launderette and a few other old men he’d see at the pub once a week. By his own admission, he was sad and alone, and I remember thinking how I’d hate to end up like him. In reality I can see myself doing just that, and I’d rather remove myself from the gene pool than allow that to happen. I’ve never had such dark thoughts before, I hope no reader ever has them, but right now I’m not sure how much longer I can cope with being in such a low dark and dismal place. I’d rather put an end to feeling this way, no matter what it took.

Still searching for the silver lining……

As some of you might already know, I am not at my best right now. Frankly I’m a bit of a mess really, and often find myself when alone just crying and crying and crying. I just can’t seem to stop myself. The sadness of solitude filling my soul. The thought occurred when not crying for once that all this crying might not be doing me a lot of good. Turns out I was wrong and there does seem to be a reason why we cry and that it can be good for us. In fact there seem to be five good reasons why crying might be beneficial:

1. Crying Relieves Stress
Because unalleviated stress can increase our risk for heart attack and damage certain areas of our brain, the human ability to cry has survival value.

2. Crying Lowers Blood Pressure
Crying has been found to lower blood pressure, pulse rate, and body immediately following therapy sessions during which they cried and raged.

3. Tears Remove Toxins
Tears actually remove toxins from the body. Is that they may be removing, in their tears, chemicals that build up during emotional stress.

4. Crying Reduces “Manganese”
The simple act of crying also reduces the body’s manganese level, a mineral which affects mood and is found in up to 30 times greater concentration in tears than in blood serum.

5. Emotional Crying Means You’re Human
While the eyes of all mammals are moistened and soothed by tears, only human beings shed tears in response to emotional stress. Emotional expression acknowledges the feelings you’re having. Emotions motivate us to empathize, coordinate and work as a unit to best survive.

So next time you feel those tears welling up or that lump in your throat, go ahead, have a good cry. I might even join you.

Indeed.

All things end…..

Life for us all is full of turning points, places and times where people and things enter and leave our lives. It happens to us all from time to time, such is the nature of existence. Last night was one of those moments for me. When other people are concerned, when I write a blog entry I try whenever possible to respect those other persons’ right to privacy and so I will not go into detail which could cause issue or harm. Whether that is the right thing to do or not is for others to judge, but it’s a plan and it’s the best plan I’ve got. In truth as of now, it’s the only plan I’ve got.

At times like these, one could try to vent and rant about various things and I suspect I will do so in a private non-visible blog entry in due course, but I will not do so here. I’m choosing to remember the positive and let go of the negative. Be thankful for what I have and not be concerned about what I have lost. Cherish the good times and not reflect on the bad.

I am reminded of the Greek legend of Icarus. I flew too high, trying to touch the sky, and crashed and burnt as a result. I am a victim of my misplaced hubris perhaps, taking on more than I deserve, aspiring to be more than I can be. It is likely I will not update this for a while, I have some emotional and other wounds that need to heal and I do not know how long that might take. I wish any readers of this well and hope to return to life in due course.

Hang on to yourself …..

Are you gonna stand around till 2012 A.D.?