cPanel Security Advisor

[JMGarcía]

Hola,

Tengo cPanel v68.0.28 con centOS 7.4

El cPanel Security Advisor me da estos 2 avisos,... he reinciado 10 veces y todavía me salen esos 2 avisos,... ¿alguna solución?

Gracias.

 

[JMGarcía]

Los avisos son estos:

1 - The system’s core libraries or services have been updated. Reboot the server to ensure the system benefits from these updates.

2 - The system cannot check the KernelCare promotion preferences: Cannot determine company ID.


Gracias.

 

[cPWilliamL]

Hi,

Could you please provide the output of the following commands?

# ls -lahd /var/cpanel/companyid*
# /usr/local/cpanel/cpkeyclt

Thanks,

 

[JMGarcía]

Hi,

I changed from mpm prefork to worker and now all fine,... Security Advisor only show now:

Apache vhosts are not segmented or chroot()ed.
No symlink protection detected

Thanks.

 

[cPWilliamL]

The warning should also produce advice like below:

Enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”

mod_ruid2 is enabled in Apache. To ensure that this aids in protecting from symlink attacks, Jailed Apache needs to be enabled. If this not set properly, you should see an indication in Security Advisor (this page) in the sections for “Apache vhosts are not segmented or chroot()ed” and “Users running outside of the jail”. If those are not present, your users should be properly jailed. Review Symlink Race Condition Protection for further information.

Did you have any specific questions about the recommendations?

 

[JMGarcía]

No advice about "Enable “Jail Apache” in the “Tweak Settings” are,...

and also no advice about:

The MySQL service is currently configured to listen on all interfaces: (bind-address=*)

And I don't changed my.cnf or close port 3306,...

About
Apache vhosts are not segmented or chroot()ed.
No symlink protection detected

I read that it's not fundamental to security and may lower the performance,...

What's your opinion?

Thanks.

Output:

[[email protected] ~]# ls -lahd /var/cpanel/companyid*
-rw-r--r-- 1 root root 3 Feb 9 16:10 /var/cpanel/companyid
lrwxrwxrwx 1 root root 3 Feb 9 16:10 /var/cpanel/companyid.fast -> 375
[[email protected] ~]#


[[email protected] ~]# /usr/local/cpanel/cpkeyclt
Updating cPanel license...Done. Update succeeded.
Building global cache for cpanel...Done
[[email protected] ~]#

 

[cPanelMichael]

Hello,

The MySQL service is currently configured to listen on all interfaces: (bind-address=*)

And I don't changed my.cnf or close port 3306,...

If bind-address is set to a non-localhost value and there are no iptables reject/deny rules in place for the MySQL port, then a warning will be issued. Could you let us know the contents of the /etc/my.cnf file on this system?

Apache vhosts are not segmented or chroot()ed.
No advice about "Enable “Jail Apache” in the “Tweak Settings” are,...

Internal case (SWAT-733) open to ensure that specific Security Advisor alert reflects the fact that Mod_Ruid2 is required in order to use the "Jail Apache" option in "WHM >> Tweak Settings".

I read that it's not fundamental to security and may lower the performance,...

We do recommend you protect your system against symlink attacks. We provide a list of available solutions at:

Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation

The system cannot check the KernelCare promotion preferences: Cannot determine company ID.

Can you verify if you still see this message? If so, could you open a support ticket using the link in my signature so we can take a closer look?

Thank you.

 

[JMGarcía]

Hello,

/etc/my.cnf

[mysqld]
log-error=/var/lib/mysql/sv.domain.com.err
default-storage-engine=MyISAM
innodb_file_per_table=1
performance-schema=0
max_allowed_packet=268435456
bind-address=127.0.0.1

Still no message:
The system cannot check the KernelCare promotion preferences: Cannot determine company ID.

Another issue in all my KVM VPS with cenOS7.x with Cpanel:
Always enable SSH Password Authorization Tweak and disable when need connect with SSH,...
Normally when disable can't connect SSH, need first fix SSH with https://ip:2087/scripts2/doautofixer?autofix=safesshrestart
and then connect, after when enable again get this error:

SSH Server...Waiting for “sshd” to start ……Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.
…failed.

Cpanel::Exception::Services::StartError
Service Status

Service Error
(XID 6jfr97) The “sshd” service failed to start.

Startup Log
Feb 13 18:02:21 sv.domain.com systemd[1]: Failed to start OpenSSH server daemon.
Feb 13 18:02:21 sv.domain.com systemd[1]: Unit sshd.service entered failed state.
Feb 13 18:02:21 sv.domain.com systemd[1]: sshd.service failed.

Log Messages
Feb 13 18:02:21 sv sshd[3676]: fatal: Cannot bind any address.
Feb 13 18:02:21 sv sshd[3676]: error: Bind to port 22 on :: failed: Address already in use.
Feb 13 18:02:21 sv sshd[3676]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Feb 13 18:02:10 sv sshd[3659]: fatal: Cannot bind any address.
Feb 13 18:02:10 sv sshd[3659]: error: Bind to port 22 on :: failed: Address already in use.

sshd has failed. Contact your system administrator if the service does not automagically recover.
...Done


but SSH Password Authorization Tweak enabled.
Not really a problem, fix is easy once you know,...

Thanks.

 

[cPanelMichael]

Hello,

bind-address=127.0.0.1

You should be able to remove that entry and restart MySQL to solve that issue.

The system cannot check the KernelCare promotion preferences: Cannot determine company ID.

Could you open a support ticket using the link in my signature so we can take a closer look?

SSH Server...Waiting for “sshd” to start ……Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.

As far as the separate issue with SSH, please open a new thread so we can investigate that separately.

Thank you.

 

[JMGarcía]

Ticket open ID 9296401

Thanks.

 

[cPanelMichael]

Ticket open ID 9296401

Thanks.

Hello,

To update, it looks like we were unable to reproduce the same warning messages upon testing.

Let us know if you have any additional questions.

Thank you.

 

[JMGarcía]

I restart server and warning now don't show.

Thanks.