Author: The Geek Decoder

Subdomains redirecting to primary domain

October 22, 2014 The Geek Decoder No Comments cPanel

Scenario

WordPress is installed for the primary domain. WordPress is installed for a subdomain. Subdomains set up under the primary domain.

Primary domain – domain.com
Subdomain – demo.domain.com

Issue: demo.domain.com redirects to domain.com/demo or domin.com

Check if there is an .htaccess file in the subdomain directory:

If not, create an .htaccess file and include the following:

# nano /home/domain/public_html/demo/.htaccess
# BEGIN WordPress
RewriteEngine On
RewriteBase /demo/
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /demo/index.php [L]
# END WordPress

If needed…Force www. version of domain to be used

RewriteEngine on
RewriteCond %{HTTP_HOST} ^domain.com [NC]
RewriteRule ^(.*)$ http://www.domain.com/$1 [L,R=301,NC]

Change the gateway in CentoS

October 21, 2014 The Geek Decoder No Comments CentOS 6, Networking

Edit the netowrk file

# nano /etc/sysconfig/network

You should see this:

HOSTNAME=host.domain.com
# =============================================================
# Network Script generated by BareMetal
# =============================================================
NETWORKING=yes
NETWORKING_IPV6=no
GATEWAY=216.xx.xx.1

Change the Gateway and save then restart networking

# service  network restart

Changing the primary IP address of a CentOS Server

October 21, 2014 The Geek Decoder No Comments CentOS 6, Networking

ssh to the server.

#nano /etc/sysconfig/network-scripts/ifcfg-eth0

You will find…

# =============================================================
# Network Interface Script generated by BareMetal
# =============================================================
DEVICE=eth0
BOOTPROTO=STATIC
ONBOOT=yes
IPADDR=216.55.xx.xx
NETMASK=255.255.255.0
HWADDR=6C:62:xx:xx:xx:C3

Change this line only to the new IP

IPADDR=216.55.xx.xx

Note: If you are changing to an IP on a different subnet and need to change your default gateway, this can be configured under /etc/sysconfig/network

Save the file and restart

# service network restart

php include path changes

October 21, 2014 The Geek Decoder No Comments cPanel, PHP

Loading a phpinfo file for a domain on a cpanel server, you notice that the “include_path” variable changes.

Resolution:

With PHP PEAR enabled, PEAR is by default configured to include its PHP directory (/home/domina/php in this case). You can disable /home/domain/php from being in the PHP include_path by either removing that directory (/home/freedc/php) or uninstalling PEAR through EasyApache.

PCI-DSS

October 18, 2014 The Geek Decoder No Comments Security

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store ortransmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID).

General requirements for compliance

Firewall
Intrusion Drevention Systems
Intrusion Prevention Systems
Dedicated IP addresses
PCI Cage

Migrate MySQL Database on Windows Plesk Server

October 17, 2014 The Geek Decoder No Comments MySQL, Plesk, Windows Server

Migrating MySQL database from one Windows Plesk Server to other Windows Plesk Server

The only condition is that the database Engine should be an INNODB. Create the database , database user and password on the plesk server to which you want to migrate the database. Assume that the database name is demodb . Now login to the server from which you want to move the database . Go to the path of the backup E:Program Files (x86)ParallelsPleskDatabasesMySQLdata. Copy the folder “demodb” and paste it on the other server where you want to move at the path C:Program Files (x86)ParallelsPleskDatabasesMySQLdata.

Login to plesk as admin, go to Database Servers, Local Mysql Server, click on the database name and delete the database user and recreate it .

The Path of MySQL Databases on windows plesk server is C:Program Files (x86)ParallelsPleskDatabasesMySQLdata

SSLv3 Vulnerability (Poodle)

October 15, 2014 The Geek Decoder No Comments Administration, Security

According to The Register, a serious vulnerability in SSL v3 will be disclosed tomorrow on October 15th. Some people are recommending disabling SSL v3 in various daemons until further notice.

A vulnerability in the design of SSL version 3.0. This vulnerability allows the plaintext of secure connections to be calculated by a network attacker.

SSL 3.0 is nearly 18 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.

Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today.

Detection (Linux)

The following script can be run against the server in question. The command will return ‘SSL 3.0 enabled’ if vulnerable and ‘SSL 3.0 disabled’ if not.

_______________

#!/bin/bash
ret=$(echo Q | timeout 5 openssl s_client -connect “${1-`hostname`}:${2-443}” -ssl3 2> /dev/null)
if echo “${ret}” | grep -q ‘Protocol.*SSLv3’; then
if echo “${ret}” | grep -q ‘Cipher.*0000’; then
echo “SSL 3.0 disabled”
else
echo “SSL 3.0 enabled”
fi
else
echo “SSL disabled or other error”
fi
_______________

NOTE: This script takes the hostname of the server to check as the first argument and an optional port as the second. By default it will check the local system, port 443.
Resolution

To avoid this vulnerability, Red Hat recommends disabling SSL and using only TLSv1.1 or TLSv1.2. Backwards compatibility can be achieved using TLSv1.0. Many products Red Hat supports have the ability to use SSLv2 or SSLv3 protocols, however it is strongly recommended against.

To mitigate this vulnerability as it affects httpd, set the SSLProtocol directive as follows in /etc/httpd/conf.d/ssl.conf:

Note: This directive must either be located at the topmost level of the configuration file, or inside the default virtual host configuration for an address.

Option 1: Disable SSLv2 and SSLv3 (Enable everything except SSLv2 and SSLv3)
SSLProtocol All -SSLv2 -SSLv3

Option 2: Disable everything except TLSv1.x

On RHEL 7 or RHEL 6.6 and later:
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

On other platforms:
SSLProtocol -All +TLSv1

Then restart httpd:

# service httpd restart

Resources:
For Microsoft
https://technet.microsoft.com/en-us/library/security/3009008.aspx

https://www.openssl.org/~bodo/ssl-poodle.pdf
http://forums.cpanel.net/f185/sslv3-vulnerability-432641.html

http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html
Tests
Test your web server for SSLv2
https://www.ssllabs.com/ssltest/index.html
What you are looking for is:
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No

For Nginx – there are other files to edit:


/usr/local/psa/admin/conf/templates/default/server/nginxVhosts.php
/usr/local/psa/admin/conf/templates/default/nginxDomainVirtualHost.php
/usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php

Rebuild after any changes

# /usr/local/psa/admin/bin/httpdmng --reconfigure-all

Other Resources:

CPanel/WHM
https://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols

http://www.cpanelkb.net/fix-poodle-sslv3-vulnerability/
http://thecpaneladmin.com/disabling-support-for-sslv3-on-a-cpanel-server/
Plesk
http://kb.sp.parallels.com/en/123160

http://www.percona.com/blog/2014/10/15/how-to-close-poodle-sslv3-security-flaw-cve-2014-3566/
http://bobcares.com/blog/protecting-your-cpanel-whm-server-from-sslv3-poodle-vulnerability-guide-to-mitigate-cve-2014-3566-by-disabling-ssl-3-0-in-exim-apache-nginx-pure-ftp-proftpd-dovecot-and-courier-imap