JMGarcía

Member
Oct 11, 2016
15
1
3
Spain
cPanel Access Level
Root Administrator
Hola,

Tengo cPanel v68.0.28 con centOS 7.4

El cPanel Security Advisor me da estos 2 avisos,... he reinciado 10 veces y todavía me salen esos 2 avisos,... ¿alguna solución?

Gracias.
 

JMGarcía

Member
Oct 11, 2016
15
1
3
Spain
cPanel Access Level
Root Administrator
Los avisos son estos:

1 - The system’s core libraries or services have been updated. Reboot the server to ensure the system benefits from these updates.

2 - The system cannot check the KernelCare promotion preferences: Cannot determine company ID.


Gracias.
 

JMGarcía

Member
Oct 11, 2016
15
1
3
Spain
cPanel Access Level
Root Administrator
Hi,

I changed from mpm prefork to worker and now all fine,... Security Advisor only show now:

Apache vhosts are not segmented or chroot()ed.
No symlink protection detected

Thanks.
 

cPWilliamL

cP Technical Analyst II
Staff member
May 15, 2017
258
30
103
America
cPanel Access Level
Root Administrator
The warning should also produce advice like below:
Enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux

mod_ruid2 is enabled in Apache. To ensure that this aids in protecting from symlink attacks, Jailed Apache needs to be enabled. If this not set properly, you should see an indication in Security Advisor (this page) in the sections for “Apache vhosts are not segmented or chroot()ed” and “Users running outside of the jail”. If those are not present, your users should be properly jailed. Review Symlink Race Condition Protection for further information.
Did you have any specific questions about the recommendations?
 

JMGarcía

Member
Oct 11, 2016
15
1
3
Spain
cPanel Access Level
Root Administrator
No advice about "Enable “Jail Apache” in the “Tweak Settings” are,...

and also no advice about:

The MySQL service is currently configured to listen on all interfaces: (bind-address=*)

And I don't changed my.cnf or close port 3306,...

About
Apache vhosts are not segmented or chroot()ed.
No symlink protection detected

I read that it's not fundamental to security and may lower the performance,...

What's your opinion?

Thanks.

Output:

[[email protected] ~]# ls -lahd /var/cpanel/companyid*
-rw-r--r-- 1 root root 3 Feb 9 16:10 /var/cpanel/companyid
lrwxrwxrwx 1 root root 3 Feb 9 16:10 /var/cpanel/companyid.fast -> 375
[[email protected] ~]#


[[email protected] ~]# /usr/local/cpanel/cpkeyclt
Updating cPanel license...Done. Update succeeded.
Building global cache for cpanel...Done
[[email protected] ~]#
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
Hello,

The MySQL service is currently configured to listen on all interfaces: (bind-address=*)

And I don't changed my.cnf or close port 3306,...
If bind-address is set to a non-localhost value and there are no iptables reject/deny rules in place for the MySQL port, then a warning will be issued. Could you let us know the contents of the /etc/my.cnf file on this system?

Apache vhosts are not segmented or chroot()ed.
No advice about "Enable “Jail Apache” in the “Tweak Settings” are,...
Internal case (SWAT-733) open to ensure that specific Security Advisor alert reflects the fact that Mod_Ruid2 is required in order to use the "Jail Apache" option in "WHM >> Tweak Settings".

I read that it's not fundamental to security and may lower the performance,...
We do recommend you protect your system against symlink attacks. We provide a list of available solutions at:

Symlink Race Condition Protection - EasyApache 4 - cPanel Documentation

The system cannot check the KernelCare promotion preferences: Cannot determine company ID.
Can you verify if you still see this message? If so, could you open a support ticket using the link in my signature so we can take a closer look?

Thank you.
 

JMGarcía

Member
Oct 11, 2016
15
1
3
Spain
cPanel Access Level
Root Administrator
Hello,

/etc/my.cnf

[mysqld]
log-error=/var/lib/mysql/sv.domain.com.err
default-storage-engine=MyISAM
innodb_file_per_table=1
performance-schema=0
max_allowed_packet=268435456
bind-address=127.0.0.1

Still no message:
The system cannot check the KernelCare promotion preferences: Cannot determine company ID.

Another issue in all my KVM VPS with cenOS7.x with Cpanel:
Always enable SSH Password Authorization Tweak and disable when need connect with SSH,...
Normally when disable can't connect SSH, need first fix SSH with https://ip:2087/scripts2/doautofixer?autofix=safesshrestart
and then connect, after when enable again get this error:

SSH Server...Waiting for “sshd” to start ……Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.
…failed.

Cpanel::Exception::Services::StartError
Service Status

Service Error
(XID 6jfr97) The “sshd” service failed to start.

Startup Log
Feb 13 18:02:21 sv.domain.com systemd[1]: Failed to start OpenSSH server daemon.
Feb 13 18:02:21 sv.domain.com systemd[1]: Unit sshd.service entered failed state.
Feb 13 18:02:21 sv.domain.com systemd[1]: sshd.service failed.

Log Messages
Feb 13 18:02:21 sv sshd[3676]: fatal: Cannot bind any address.
Feb 13 18:02:21 sv sshd[3676]: error: Bind to port 22 on :: failed: Address already in use.
Feb 13 18:02:21 sv sshd[3676]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Feb 13 18:02:10 sv sshd[3659]: fatal: Cannot bind any address.
Feb 13 18:02:10 sv sshd[3659]: error: Bind to port 22 on :: failed: Address already in use.

sshd has failed. Contact your system administrator if the service does not automagically recover.
...Done


but SSH Password Authorization Tweak enabled.
Not really a problem, fix is easy once you know,...

Thanks.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
Hello,

bind-address=127.0.0.1
You should be able to remove that entry and restart MySQL to solve that issue.

The system cannot check the KernelCare promotion preferences: Cannot determine company ID.
Could you open a support ticket using the link in my signature so we can take a closer look?

SSH Server...Waiting for “sshd” to start ……Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.
As far as the separate issue with SSH, please open a new thread so we can investigate that separately.

Thank you.