Installed CPanel on FreeBSD 5.4

Discussion in 'E-mail Discussions' started by kaosent, Jul 20, 2005.

  1. kaosent

    kaosent Active Member

    Jul 12, 2005
    CPanel on FreeBSD 5.4

    EDIT: I try to update this post as I go along; if it is helpful to you feel free to rate the post or reply to it and let me know!!! :) Also, if I have something wrong or missing please please let me know!!!

    <---original post--->

    I am new to CPanel, and I switched from another software due to recent issues with it and FreeBSD. I must say that I am very very satisfied with CPanel, and despite a few little glitches during the install, it has been a wonderful experience (so much so that I am buying multiple licenses :D )

    This post is broken into two parts (FreeBSD OS and CPanel, and IPFW and CPanel), and I will apologize in advance because it is quite long. I post this here for many reasons: I spent countless hours searching for a few of the tidbits in here to fix my problems (and some experimenting), and even more importantly I would like to see what experienced users can tell me about what aspects I may have done wrong along the way!


    Server hardware (in case it is needed): Dual Xeon 2.8GHz, dual SATA 160GB RAID 0 w/ 3Ware Escalade PCI RAID, 2GB DDR

    Operating system: FreeBSD 5.4-STABLE i386 with SMP kernel
    Partitioning: 1G /, 4G swap, 1G /tmp, 7G /var, 7G /usr, ~135G /home
    Distribution: Developer, full binaries, sources, doc, & Linux compatibility lib

    Once SysInstall completed, I logged in and changed /etc/ssh/sshd_config:
    - changed ssh port to a {unique port #}, limited to protocol 2, set to a secondary IP

    Compiled a tweaked multiprocessor kernel:
    SMP, enabled QUOTA, and IPFIREWALL (etc)
    ---note: Tested the FreeBSD ULE scheduler in the kernel (designed for SMP); no negative effect noted until attempting to install CPanel later: this configuration was the only one of many to cause the configure process (not build) for php4.3.11 to silently terminate. The whole install process stalled completely with no errors; I let it go for two hours and got nothing but an ssh terminal full of periods... repeated twice to be sure. I was only able to get the 4BSD scheduler to work with the CPanel install. :confused:

    Configured the rest of the system for quota support:
    edited /etc/fstab to enable quotas on partitions, then used the commands quotacheck -a and quotaon /{dir names} to generate the necessary quota files.
    Then added enable_quotas="YES" and check_quotas="NO" to /etc/rc.conf.
    Installed portsentry, chkrootkit, logcheck (w/ crontab -e for a scan every two minutes)

    Prepared for MySQL installation into a different partition:
    Made a few directories and symlinks (pre-emptive strike) to move the MySQL db storage location to the home directory: the reason for this was that /home was partitioned with a size intended to support our users, who will have unpredictably large databases.
    root@ns1# mkdir /var/db
    root@ns1# mkdir /var/db/mysql
    root@ns1# ln -s /home/mysql_db /var/db

    Uninstalled perl-5.6.2 and installed perl-5.8.7 from the FreeBSD ports collection:
    I did this when I realized that CPanel wouldn't install with the older perl that the FBSD installation added by default during OS install. I tried to install CPanel several times and it failed until I installed perl 5.8.6 or greater.

    Installed CPanel:
    mkdir and cd to /home/cpins, wget, sh latest to install CPanel; worked fine, although the CPanel website indicates that an alternate method must be used?
    {another note: Thurs. and Fri. of last week, spamd would fail when installing, and required spamassassin to be installed (on top of current) from the ports collection to fix (fix scripts didn't work). As of this week, spamd installs and runs great right out of the box with no mods needed, thanks for the fix CPanel! :) }

    Install complete with some errors along the way, logged into CPanel via https://IPADDRESS:2087

    Bind install failed, named.root not found:
    The file was not in the system's desired directory; copied the file from /etc/namedb to /var/named/ and then edited /etc/namedb/named.conf to remove the example dns zones (leaving them there on previous installs resulted in a periodic stream of errors stating that the attempt to transfer domain: failed. I thought they were commented out, but alas, nope! Silly me.) Re-activated nameservers: this time bind started since named.root was found, and I finished the config wizard.

    Checked the service manager:
    Bind, eximstats, mysql, imap had failed. Bind and imap are actually working, just a 10 min delay in indication as usual after a reboot; no corrective action was necessary for those, but MySQL and EximStats were actually broken.

    To fix MySQL I had to do both:
    Deinstalled mysql40-server, reinstalled from the fbsd ports collection, and added mysql_enable="YES" to rc.conf

    To fix EximStats:
    I had to fix MySQL AND run /scripts/upcp

    Graceful reboot: mysql service indicates running; bind, eximstats, imap delayed indication but running. All services seem to be fixed, and the flood of service manager emails has stopped, YAY!
    Added a test account for further testing, add completed with no errors.

    Tested webmail:
    SQUIRRELMAIL very broken:

    >> touch /usr/local/cpanel/base/3rdparty/squirrelmail/functions/../config/config.php fixed part of it; the SQUIRREL login page now shows, but after login the errors state the imap directory cannot be found... giving up, disabling SQUIRREL until I find out which piece of the puzzle is missing.

    HORDE Seems broken as well:
    Upon initial login the left side menu displays php warnings for 3 failed fopen() calls; refreshing the browser window makes these errors disappear and the program works just fine for the rest of the session => only shows on initial login.

    Everything else seems to work perfectly, and I find that I am exceedingly happy with CPanel, and have now acquired a full license and will be dropping this new box off in the co-location rack tonight.

    Thanks again for your feedback and hopefully some insight into the webmail issues that I still currently have! I will post my IPFW rant as a reply to this.....

    EDIT: Horde & Squirrel (7/25): The Horde issue was caused by enabling phpSuEXEC; it required that /tmp/horde_1003.log be re-owned: chown cpanel:cpanel /tmp/horde_1003.log
    Horde works without issue now. :) Squirrelmail simply required that /usr/local/cpanel/base/3rdparty/squirrelmail/config/config.php be created from the default file and the proper settings applied.
    EDIT: GD Lib and Disk Usage/Bandwidth Images in WHM (7/27): An issue exists with the gd installation on FBSD 5.4 w/ CPanel-stable that prevents the diskusage.cgi generated pie graphs and bandwidth pie graphs from being generated: a simple compile flag difference that prevents png functionality. This issue is reported to be fixed in edge. (special thanks to B. Vincent for this manual fix that I applied):
    >> cd /usr/ports/graphics/gd
    >> make deinstall
    >> cd /usr/ports/graphics/p5-GD
    >> make
    >> make deinstall
    >> cd /usr/ports/graphics/p5-GD/work/GD-2.23/
    >> cd /usr/ports/graphics/gd
    >> make install
    and.... fixed.
    EDIT: Zend Optimizer (7/29): The script /scripts/installzendopt is broken due to a change on the website. To fix this (thanks to Mike2Own), edit /scripts/installzendopt and change line 8 From:
    'FreeBSD 5.x' => '',
    'FreeBSD 5.x' => '',
    Install process worked.
    EDIT: PortSentry (7/29): I needed PortSentry to startup at reboot, so I added portsentry_enable="YES" to /etc/rc.conf and then made the startup script (copied from a FBSD 5.0 book long ago) and saved it as /usr/local/etc/rc.d/ and set chmod u+x
    case "$1" in    # PORTSENTRY is set earlier in the script to the portsentry binary path (not shown in the post)
    start)
        ${PORTSENTRY} -tcp && echo "Starting PortSentry TCP Mode..."
        ${PORTSENTRY} -udp && echo "Starting PortSentry UDP Mode..."
        ;;
    stop)
        killall `basename ${PORTSENTRY}`
        ;;
    *)
        echo " "
        echo "Usage: `basename $0` { start | stop }"
        echo " "
        ;;
    esac
    EDIT: ClamAV and Email Scanning (7/30): ClamAV isn't capable of scanning incoming email with the default installation provided by the cpanel pro and clamav connector modules. To enable this: option i.
    #1 kaosent, Jul 20, 2005
    Last edited: Jul 30, 2005
  2. kaosent

    kaosent Active Member

    Jul 12, 2005
    IPFW and CPanel... revisited

    As for this, I have tested it on my current box (above) and it works great...
    But that doesn't mean that I did it correctly, so please let me know (PM asap) if you see something incredibly wrong, and I hope to hear some suggestions as to how I can make it leaner, faster, and more secure. PLUS (and very importantly): have I done anything here that may break a CPanel feature?


    # IPFW Config.... I hope this works...
    # Flush out the list before we begin.
    # crontab -e w/ */3 * * * * /sbin/ipfw -q flush; while testing!!!!!!!!!

    ipfw -q -f flush

    # Set rules command prefix
    cmd="ipfw -q add"
    pif="fxp0" # public interface name of NIC
    # facing the public Internet

    $cmd 0010 allow all from any to any via lo0
    $cmd 0030 check-state
    #general web services
    # Shell etc
    $cmd 0040 allow tcp from me to any out via $pif setup keep-state uid root
    $cmd 0041 allow tcp from any to me {port#} in via $pif setup keep-state
    $cmd 0042 allow tcp from any to any 22 out via $pif setup keep-state
    # HTTP
    $cmd 0050 allow tcp from any to me 80 in via $pif setup keep-state
    $cmd 0051 allow tcp from any to any 80 out via $pif setup keep-state
    # HTTPS
    $cmd 0060 allow tcp from any to me 443 in via $pif setup keep-state
    $cmd 0061 allow tcp from any to any 443 out via $pif setup keep-state
    # MySQL
    $cmd 0070 allow tcp from any to me 3306 in via $pif setup keep-state
    $cmd 0071 allow tcp from any to any 3306 out via $pif setup keep-state
    # Email
    $cmd 0080 allow tcp from any to me 110 in via $pif setup keep-state
    $cmd 0081 allow tcp from any to any 110 out via $pif setup keep-state
    # Email
    $cmd 0090 allow tcp from any to me 143 in via $pif setup keep-state
    # DNS
    $cmd 0100 allow ip from any to me 53 in via $pif keep-state
    $cmd 0101 allow ip from any to any 53 out via $pif keep-state
    # FTP
    $cmd 0110 allow ip from any to me 20 in via $pif keep-state
    $cmd 0111 allow ip from any to any 20 out via $pif keep-state
    $cmd 0120 allow ip from any to me 21 in via $pif keep-state
    $cmd 0121 allow ip from any to any 21 out via $pif keep-state
    # Email
    $cmd 0130 allow tcp from any to me 25 in via $pif setup keep-state
    $cmd 0131 allow tcp from any to any 25 out via $pif setup keep-state
    # Email
    $cmd 0150 allow ip from any to me 465 in via $pif keep-state
    $cmd 0151 allow ip from any to any 465 out via $pif keep-state
    # Email
    $cmd 0160 allow tcp from any to me 993 in via $pif setup keep-state
    $cmd 0161 allow tcp from any to any 993 out via $pif setup keep-state
    # Email
    $cmd 0170 allow tcp from any to me 995 in via $pif setup keep-state
    $cmd 0171 allow tcp from any to any 995 out via $pif setup keep-state
    #cpanel and related
    $cmd 0180 allow tcp from any to me 2082 in via $pif setup keep-state
    $cmd 0190 allow tcp from any to me 2083 in via $pif setup keep-state
    $cmd 0200 allow tcp from any to me 2086 in via $pif setup keep-state
    $cmd 0210 allow tcp from any to me 2087 in via $pif setup keep-state
    $cmd 0220 allow tcp from any to me 2095 in via $pif setup keep-state
    $cmd 0230 allow tcp from any to me 2096 in via $pif setup keep-state
    $cmd 0240 allow tcp from any to me 6666 in via $pif setup keep-state
    $cmd 0241 allow tcp from any to me 2084 in via $pif setup keep-state
    $cmd 0250 allow tcp from any to me 2089 in via $pif setup keep-state
    $cmd 0251 allow tcp from any to any 2089 out via $pif setup keep-state

    # other items
    $cmd 0260 allow udp from any to me 873 in via $pif keep-state
    $cmd 0261 allow udp from any to any 873 out via $pif keep-state

    $cmd 0270 allow icmp from any to me in via $pif icmptypes 3,5,8,11,0,30
    $cmd 0271 allow icmp from any to any out via $pif

    $cmd 0280 allow tcp from any to any 37 out via $pif setup keep-state
    $cmd 0281 allow tcp from any to any 43 out via $pif setup keep-state
    # allow 49999 in to trigger portsentry, 50000-51000 for passive ftp.
    $cmd 0282 allow tcp from any to me 49999-51000 in via $pif setup keep-state
    $cmd 0283 allow tcp from any to any 50000-51000 out via $pif setup keep-state
    # if they got this far, we don't want em?
    $cmd 0500 deny log all from any to any
    #2 kaosent, Jul 20, 2005
    Last edited: Jul 29, 2005
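    Added example (not from the thread or from cPanel): a small POSIX sh audit of an ipfw script written in the shape posted above ("$cmd NNNN allow tcp from any to me PORT in ..."). It reports rule numbers used twice and the ports accepted inbound from any source, so the list can be compared against the services that really need to be reachable from the whole Internet. The RULES text is a constructed subset of the posted ruleset, and the function names are mine.

```shell
#!/bin/sh
# Added example: audit an ipfw rule script of the form "$cmd NNNN allow ...".
# RULES is a constructed subset of the ruleset posted in the thread; it is
# single-quoted so "$cmd" and "$pif" stay literal, exactly as in the script.
RULES='$cmd 0010 allow all from any to any via lo0
$cmd 0030 check-state
$cmd 0050 allow tcp from any to me 80 in via $pif setup keep-state
$cmd 0070 allow tcp from any to me 3306 in via $pif setup keep-state
$cmd 0100 allow ip from any to me 53 in via $pif keep-state
$cmd 0100 allow ip from any to any 53 out via $pif keep-state
$cmd 0210 allow tcp from any to me 2087 in via $pif setup keep-state
$cmd 0500 deny log all from any to any'

# Rule numbers used more than once. ipfw accepts duplicates, but
# "ipfw delete 0100" would then remove both rules at once, and two rules
# sharing a number are easy to misread when listing the ruleset.
dup_rule_numbers() {
    printf '%s\n' "$RULES" | awk '$1 == "$cmd" { n[$2]++ }
        END { for (k in n) if (n[k] > 1) print k }' | sort
}

# Destination ports accepted inbound on the public interface from any
# source ("allow ... from any to me PORT in"), numerically sorted, one line.
inbound_ports_from_any() {
    printf '%s\n' "$RULES" | awk '
        $1 == "$cmd" && $3 == "allow" && $6 == "any" && $8 == "me" && $10 == "in" { print $9 }' |
        sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Given ports that should not be open to the whole Internet (e.g. 3306 for
# MySQL, which usually only needs local or trusted-host access), print the
# ones this ruleset exposes anyway.
restricted_ports_open() {
    open=$(inbound_ports_from_any)
    for want in "$@"; do
        for have in $open; do
            if [ "$have" = "$want" ]; then printf '%s\n' "$want"; fi
        done
    done
}

# Stand-alone report when the file is run directly.
echo "duplicate rule numbers:   $(dup_rule_numbers)"
echo "inbound from any source:  $(inbound_ports_from_any)"
echo "world-open but sensitive: $(restricted_ports_open 3306 873)"
```

    Swap the RULES text for the real script (or `cat` the file into it) to audit the full ruleset; the field positions match the posted `$cmd ... from any to me PORT in` layout only.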
  3. mosthost

    mosthost Member

    Apr 12, 2005
    Thanks for this, I've printed it out now to save in case I need to reinstall one day.

    I'm running FreeBSD 5.4 on a 4-processor Dell PowerEdge 6450, so the same for me with the kernel remake for SMP.

    Post here any other problems you get and I'll do the same so we can track them.
  4. mosthost

    mosthost Member

    Apr 12, 2005
    For the horde issue it's

    chown cpanel:cpanel /tmp/horde_1003.log


    chmod cpanel:cpanel /tmp/horde_1003.log
  5. kaosent

    kaosent Active Member

    Jul 12, 2005

    In my haste I did write chmod in the edit, not chown... good catch!!!! Thanks!!!!
    It is written correctly now. :D
  6. kaosent

    kaosent Active Member

    Jul 12, 2005
    PortSentry Trap

    I could use a little advice on this one, since I am certain that there are gurus on the boards who have ample experience in fending off attackers, more so than I.

    I have endured a variety of port scans that precede obscure port communication attempts, clearly hostile visitors. These port scans seem rather script-kiddish, in that they either start at a low port and sequentially move upward, or start very high and move down.

    Given that the ports I really need to protect from these bots are between 20 and 3000, would setting a firewall trap on two ports be a bad idea?

    Here's what I mean: if I intentionally leave (hypothetically) ports 8 and 49999 open in my firewall, and leave PortSentry processes there to catch them and create firewall rules to block them upon receipt, am I opening up a serious security issue? My biggest concerns are protecting standard service ports and CPanel ports from obvious 'malicious' users; can anybody provide me with a good reason NOT to do this?

    Thanks in advance.
