Email Alerts for Pureftpd on WHM

WHM shows the service as down.

Primary IP Address 69.xx.xx.xx
Service Name ftpd
Service Status failed
Notification The service “ftpd” appears to be down.
Service Check Method The system’s command to check or to restart this service failed.
Number of Restart Attempts 258
Startup Log 

Do the following…

# cd /var/run
# mv

Restart ftpd in WHM under Service

Find and disable specific ModSecurity rules

ModSecurity can help block potential attack attempts from malicious users, but sometimes it can also block legitimate requests.

Note: Do not put SecRuleEngine Off in your ModSecurity configuration file, as that turns ModSecurity off completely. Use the SecRuleRemoveById setting instead to disable only one specific rule.

If you are seeing errors in your Apache log files for a domain such as:

[Sat Jul 25 16:34:57 2015] [error] [client ??.7.??.??] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "111"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"][severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname ""] [uri "/skin/frontend/base/default/js/cadence/lib/jquery.cookie.js"] [unique_id "VbQdIdg3u9IAAB9DPQkAAAAH"]

ModSecurity is doing its job. If this is a valid script, you can make a change to allow it.
Run the following from SSH:

# grep ModSecurity /usr/local/apache/logs/error_log | sed -e 's#^.*\[id "\([0-9]*\).*hostname "\([a-z0-9_.-]*\)"\].*uri "#\1 \2 #' | cut -d\" -f1 | sort -n | uniq -c | sort -n

The results will look like this:

 # 100 1234123404 /skin/frontend/base/default/js/cadence/lib/jquery.cookie.js

ModSecurity rule ID 1234123404 has been triggered at least 100 times when accessing the /skin/frontend/base/default/js/cadence/lib/jquery.cookie.js file.

To disable only ModSecurity rule 1234123404, run the following command:

# echo "SecRuleRemoveById 1234123404" >> /usr/local/apache/conf/userdata/std/2/userna5/
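
The same tally, followed by an exclusion limited to the one path that triggered the rule, so that rule 1234123404 stays active for every other request on the domain. This is an added example, not part of the original post; the sample log lines, shop.example.com and rule ID 1234123999 are constructed, and the function names are hypothetical.

```bash
#!/bin/bash
# Added example (not from the original page). The sample lines are constructed,
# shortened copies of the Apache error_log layout shown above.
sample_log() {
cat <<'EOF'
[Sat Jul 25 16:34:57 2015] [error] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at REQUEST_FILENAME. [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [hostname "shop.example.com"] [uri "/skin/frontend/base/default/js/cadence/lib/jquery.cookie.js"] [unique_id "a1"]
[Sat Jul 25 16:35:02 2015] [error] [client 192.0.2.11] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at REQUEST_FILENAME. [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [hostname "shop.example.com"] [uri "/skin/frontend/base/default/js/cadence/lib/jquery.cookie.js"] [unique_id "a2"]
[Sat Jul 25 16:35:09 2015] [error] [client 192.0.2.12] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at ARGS:q. [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [hostname "shop.example.com"] [uri "/search.php"] [unique_id "a3"]
[Sat Jul 25 16:35:10 2015] [error] [client 192.0.2.13] File does not exist: /home/user/public_html/favicon.ico
[Sat Jul 25 16:36:41 2015] [error] [client 192.0.2.14] ModSecurity: Access denied with code 406 (phase 2). Pattern match "..." at ARGS:id. [id "1234123999"] [msg "constructed rule"] [hostname ""] [uri "/index.php"] [unique_id "a4"]
EOF
}

# Count denials per "rule-id hostname uri"; "-" stands in for an empty hostname.
modsec_tally() {
  awk '
    /ModSecurity: Access denied/ {
      id = host = uri = ""
      if (match($0, /\[id "[0-9]+"\]/))      id   = substr($0, RSTART + 5,  RLENGTH - 7)
      if (match($0, /\[hostname "[^"]*"\]/)) host = substr($0, RSTART + 11, RLENGTH - 13)
      if (match($0, /\[uri "[^"]*"\]/))      uri  = substr($0, RSTART + 6,  RLENGTH - 8)
      if (id != "") count[id " " (host == "" ? "-" : host) " " uri]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2
}

# Print an exclusion limited to one rule ID on one exact path. The URI comes
# from a log field the client controls, so it is validated before it is
# written into Apache configuration.
scoped_exclusion() {
  rule_id=$1 uri=$2
  case $rule_id in ''|*[!0-9]*) echo "rule id must be numeric" >&2; return 1 ;; esac
  case $uri in /*) ;; *) echo "URI must start with /" >&2; return 1 ;; esac
  case $uri in *[!A-Za-z0-9/._-]*) echo "unexpected character in URI" >&2; return 1 ;; esac
  pattern=$(printf '%s' "$uri" | sed 's/\./\\./g')  # escape dots for the regex
  printf '<LocationMatch "^%s$">\n  SecRuleRemoveById %s\n</LocationMatch>\n' "$pattern" "$rule_id"
}

sample_log | modsec_tally
scoped_exclusion 1234123404 /skin/frontend/base/default/js/cadence/lib/jquery.cookie.js
```

The LocationMatch block goes in the same per-account include file as the bare SecRuleRemoveById line. The /search.php hit in the sample would stay blocked, which is the reason to scope the exclusion.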

You can also search for the rule in WHM/cPanel at Home » Security Center » ModSecurity™ Tools » Rules List.

Note the error in the log file – the ID:

# [id "1234123404"]

This is the rule. Search for this at Home » Security Center » ModSecurity™ Tools » Rules List.


You can click disable to allow the script.


Set Domain CPU and Memory cpanel Resource Limits

In WHM, there are some limits on the resources you can apply at Home » Service Configuration » Apache Configuration » Memory Usage Restrictions.

There is also some information on how to further customize the settings in the cPanel forums:

Private Nameservers in WHM

1. Assign the Nameserver IP Addresses in WHM

In WHM, navigate to the left hand menu option “Basic cPanel/WHM Setup” and do the following:

Set the Primary Nameserver to
Then click Assign IP Address.
Repeat this for the Secondary Nameserver section, using
On the bottom of the page, click Save.

2. Set Up the Nameserver A Records in WHM

While still in the “Basic cPanel/WHM Setup” section, do the following:

Beside the Primary Nameserver entry, click the “Add an A record entry for this nameserver” button
Repeat this for the Secondary Nameserver section

If you have already created a hosting account on your cPanel server for the domain you are using for your nameservers, performing the A record creation steps above should just create an entry for each nameserver in the existing DNS zone for the domain. However, if you have not yet (or do not intend to) set up a hosting account for the nameserver domain, the steps above will create individual DNS zones for each nameserver you have set up.

NOTE: If you are not hosting the main domain used for the nameservers on the same server, you will need to ensure you have added A records for the nameservers into the DNS zone for the domain with the domain hosting provider.

3. Restart the DNS Service

You should now just be able to restart the DNS service by doing the following:

Navigate to the “Restart Services” section in the left-hand menu
Select “DNS Server (BIND/NSD)”
Hit the yes button in the right hand frame.

4. Register Your Nameserver Hosts with Your Domain Registrar

Before the nameservers we’ve just set up in WHM will work, you need to make sure that the correct details have been configured with your domain registrar. Each registrar handles the setting up of private nameservers differently so you should contact them to determine the method they use. Some let you control the setup from your domain control panel, however some require their administrators to create the nameserver entries for.

The most important point to make when contacting your registrar is that you wish to create private nameserver hosts to use with your own hosting server (some refer to these as child nameservers or domain hosts). Occasionally you will strike level 1 support staff who do not fully understand what you wish to do and may give you incorrect instructions unless you specify this.

Once you know how they do it, you just need to set up the nameservers in their system as below:

Enter the names you would like to use; e.g. and
Enter the corresponding IP address details from your server that you wish to use.

Done!…Hopefully you now have working nameservers attached to your own domain.

The backup was not able to be completed because timed out…cPanel

The cPanel default backup system may fail to create and save a backup of your server and send you the following message:
The backup was not able to be completed because timed out waiting for /bin/backup to finish

Possible cause of the problem

An old backup process is still running in the background on the server.

Log in to your server as root via SSH and execute the following command:

# /usr/local/cpanel/bin/backup --force

It will most likely show a message like the following:

Backup process currently running. Pid: 5378
Backup log file: /usr/local/cpanel/logs/cpbackup/1377934812.log


We need to kill the currently running backup process. Note the Pid from the output above and run the following command, replacing xxxx with that Pid number.

# kill -9 xxxx

cPanel backup should now run normally. You can force a fresh backup process to start with the command below:

# /usr/local/cpanel/bin/backup --force

Number of failed recipients exceeded. Come back in a few hours.

When sending email with WHM/cPanel, the error is:

Number of failed recipients exceeded. Come back in a few hours.

Check WHM Settings

Log in to WHM and go to Home » Server Configuration » Tweak Settings. Click the Mail tab. Find “Number of failed or deferred messages a domain may send before protections can be triggered [?]”

Change to a higher number and save.

Home » Service Configuration » Exim Configuration Manager » ACL Options

Ratelimit incoming connections with only failed recipients [?]
Ratelimit incoming SMTP connections that have only sent to failed recipients five separate connection times in the last hour.

Try turning this off, or, if you are sending to multiple email addresses, verify the addresses, as this error usually appears when multiple emails fail.

Also, check tweak settings

Home » Server Configuration » Tweak Settings
Also – there is this:


Deleting this file fixed the problem immediately. I’m guessing that the system should have deleted (or updated?) this file at some point, but didn’t.


You can modify the “Maximum Hourly Email by Domain Relayed” and “Maximum percentage of failed or deferred messages a domain may send per hour.” values for an account via:

“WHM Home » Account Functions » Modify an Account”

Exim locked

# service exim restart
Shutting down clamd:                                       [FAILED]
Shutting down exim:                                        [FAILED]
Shutting down spamd:                                       [FAILED]

# service exim status
exim dead but subsys locked

There may be 2 issues to check.

-The presence of /etc/eximdisable: just move this file to eximdisable-bak and restart exim.

# mv /etc/eximdisable /etc/eximdisable-bak
# service exim restart
Shutting down clamd:                                       [FAILED]
Shutting down exim:                                        [FAILED]
Shutting down spamd:                                       [  OK  ]
Starting clamd:                                            [  OK  ]
Starting exim:                                             [  OK  ]
0 processes (antirelayd) sent signal 9
/usr/local/cpanel/scripts/update_sa_rules: running in background

-The server being out of disk space and/or inodes, use ‘df -h’ and ‘df -i’ to confirm.