Installation

Clone this repository into /var/cpanel/easy/apache/custom_opt_mods/ like so:


# cd /var/cpanel/easy/apache/custom_opt_mods/
# git clone https://github.com/thecpaneladmin/EA-PhalconPHP.git .
# /scripts/easyapache

On cPanel, git is located at:

# /usr/local/cpanel/3rdparty/bin/git

Or use the .zip:


# cd /usr/src
# wget https://github.com/thecpaneladmin/EA-PhalconPHP/archive/master.zip
# unzip -d /var/cpanel/easy/apache/custom_opt_mods/ master.zip
# /scripts/easyapache

Make sure that the contents of the path look like this:


/var/cpanel/easy/apache/custom_opt_mods]# ls -la

drwxr-xr-x 4 root root  4096 Sep  2 20:26 ./
drwxr-xr-x 9 root root  4096 Sep  2 20:38 ../
drwxr-xr-x 3 root root  4096 Sep  2 20:26 Cpanel/
-rw-r--r-- 1 root root   606 Sep  2 20:32 error_log
drwxr-xr-x 7 root root  4096 Sep  2 20:26 .git/
-rw-r--r-- 1 root root 18025 Sep  2 20:26 LICENSE
-rw-r--r-- 1 root root   834 Sep  2 20:26 README.md

Otherwise, it will not show up in EasyApache.

From here, select Phalcon from the list of PHP modules. The module will be loaded from /usr/local/lib/php.ini.

There is no maximum size limit on files that can be sent and received; however, cPanel defaults the limit to 50 MB. You can change this in cPanel.

To change this, do the following:

Log in to cPanel as admin
Under Service Configuration, click “Exim Configuration Manager”
Click “Advanced Editor”
Scroll down and click “Add additional Configuration Setting”
Find “message_size_limit” in the pull-down list and choose it
Enter the limit that you want to change it to
Scroll to the bottom and click “Save”

WHM shows the service as down.


Server domain.com
Primary IP Address 69.xx.xx.xx
Service Name ftpd
Service Status failed
Notification The service “ftpd” appears to be down.
Service Check Method The system’s command to check or to restart this service failed.
Number of Restart Attempts 258
Startup Log 

Do the following…

# cd /var/run
# mv pure-ftpd.pid pure-ftpd.pid.bk

Restart ftpd in WHM under Service

Roundcube error:
Roundcube – Database error: Connection failed!

Exim log

Aug 17 01:52:44 206-225-82-31 dovecot: auth: Error: Cpanel::MailAuth: Failed to lookup domain owner of domain.com
Aug 17 01:57:44 206-225-82-31 dovecot: master: Warning: Killed with signal 15 (by pid=24147 uid=0 code=kill)"

Run:

# /usr/local/cpanel/bin/update-roundcube --force

[Tue Aug 18 16:28:04 2015] [error] [client 65.47.199.226] ModSecurity: Audit log: Failed to create subdirectories: /usr/local/apache/logs/modsec_audit/exclusi3/20150818/20150818-1628 (Read-only file system) [hostname "exclusivityllc.net"] [uri "/index.php"] [unique_id "VdOjZNg3iukAAFLEtGYAAAAH"]

If I disable ModSecurity on the account, then I get mod_ruid errors.

Disable ModSecurity


[Tue Aug 18 16:29:49 2015] [error] [client 209.92.131.130] SecurityException in Application.cpp:186: Do not have root privileges. Executable not set-uid root?
[Tue Aug 18 16:29:49 2015] [error] [client 209.92.131.130] Premature end of script headers: index.php

I had to disable ModSecurity and then uncheck “EXPERIMENTAL: Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell” under the “Security” tab in “WHM >> Tweak Settings”.

ModSecurity can help block potential attack attempts from malicious users, but sometimes it can also block legitimate requests.

Note: You won’t want to put SecRuleEngine Off in your ModSecurity configuration file, as that completely turns off ModSecurity. The SecRuleRemoveById setting is used instead to disable only one specific rule.

If you are seeing errors in your Apache log files for a domain such as:


[Sat Jul 25 16:34:57 2015] [error] [client ??.7.??.??] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "111"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"][severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "domain.com"] [uri "/skin/frontend/base/default/js/cadence/lib/jquery.cookie.js"] [unique_id "VbQdIdg3u9IAAB9DPQkAAAAH"]

ModSecurity is doing its job. If this is a valid script, you can make a change to allow it.
Run the following from SSH:

# grep ModSecurity /usr/local/apache/logs/error_log | sed -e 's#^.*\[id "\([0-9]*\).*hostname "\([a-z0-9\-\_\.]*\)"\].*uri "#\1 \2 #' | cut -d\" -f1 | sort -n | uniq -c | sort -n

The results will look like this:

    100 1234123404 www.domain.com /skin/frontend/base/default/js/cadence/lib/jquery.cookie.js

ModSecurity rule ID 1234123404 has been triggered at least 100 times when accessing the /skin/frontend/base/default/js/cadence/lib/jquery.cookie.js file.

To disable only the specific ModSecurity rule 1234123404, run the following command:


# echo "SecRuleRemoveById 1234123404" >> /usr/local/apache/conf/userdata/std/2/userna5/domain.com/modsec.conf
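
The triage above can be taken one step further by limiting the exclusion to the single path that triggers the false positive, so the rule keeps protecting the rest of the site. The following is an added example, not part of the original notes: the names count_hits and scoped_exclusion and the sample log lines are constructed for illustration, and it relies on ModSecurity 2.x accepting SecRuleRemoveById inside an Apache <LocationMatch> block.

```python
import re
from collections import Counter

# Constructed sample in the error_log format shown above (not real traffic).
SAMPLE_LOG = r'''
[Sat Jul 25 16:34:57 2015] [error] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "111"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"][severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "domain.com"] [uri "/skin/frontend/base/default/js/cadence/lib/jquery.cookie.js"] [unique_id "constructed-1"]
[Sat Jul 25 16:35:02 2015] [error] [client 192.0.2.11] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "111"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"][severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "domain.com"] [uri "/skin/frontend/base/default/js/cadence/lib/jquery.cookie.js"] [unique_id "constructed-2"]
[Sat Jul 25 16:40:11 2015] [error] [client 192.0.2.12] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at ARGS:q. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "111"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data "onload"][severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "domain.com"] [uri "/index.php"] [unique_id "constructed-3"]
[Sat Jul 25 16:41:00 2015] [error] [client 192.0.2.12] Premature end of script headers: index.php
'''

# Matches the [name "value"] fields ModSecurity appends to each denial.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def count_hits(log_text):
    """Count ModSecurity denials per (rule id, hostname, uri)."""
    hits = Counter()
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue
        # dict() keeps the last occurrence, so the real [id]/[hostname]/[uri]
        # fields near the end of the line win over anything earlier.
        fields = dict(FIELD.findall(line))
        if {"id", "hostname", "uri"} <= fields.keys():
            hits[(fields["id"], fields["hostname"], fields["uri"])] += 1
    return hits

def scoped_exclusion(rule_id, uri):
    """Return a SecRuleRemoveById limited to one exact request path."""
    # Log fields are influenced by the request, so validate them before
    # turning them into Apache configuration.
    if not re.fullmatch(r"[0-9]+", rule_id):
        raise ValueError("rule id must be numeric")
    if not re.fullmatch(r"/[A-Za-z0-9_./-]*", uri):
        raise ValueError("unexpected characters in uri")
    return ('<LocationMatch "^%s$">\n'
            '    SecRuleRemoveById %s\n'
            '</LocationMatch>' % (re.escape(uri), rule_id))

if __name__ == "__main__":
    for (rid, host, uri), n in count_hits(SAMPLE_LOG).most_common():
        print(n, rid, host, uri)
    print(scoped_exclusion(
        "1234123404", "/skin/frontend/base/default/js/cadence/lib/jquery.cookie.js"))
```

In the sample, the two hits on jquery.cookie.js are the false positive worth excluding, while the single hit on /index.php stays covered by the rule.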

You can also search for the rule in WHM/cPanel at Home » Security Center » ModSecurity™ Tools » Rules List.

Note the ID in the error in the log file:

[id "1234123404"]

This is the rule. Search for this at Home » Security Center » ModSecurity™ Tools » Rules List.

You can click disable to allow the script.