So how do you do this?

Simple, configure the backups as per normal in WHM to backup your secondary hard drive or a set partition on your main hard drive. Then just add a script via the shell command line as “/scripts/postcpbackup” (open PuTTY, connect to the server, login, “su” to root if necessary if you didn’t login as root, type “nano -w /scripts/postcpbackup”) and past the following script:

#!/bin/sh
rsync -vrplogDth /backup/cpbackup/* username@backupserver:/backuplocation/


Replacing “/backup/cpbackup/” with the location of your “local backups” if you changed it from the default, “username” with the username of your rSync account, “backupserver” with the hostname/IP address of the backup server and “backuplocation” of the place to store the backups. (It’s CTRL+X to exit nano by the way).

You then just need to make it executable by running “chmod a+x /scripts/postcpbackup” and you are done!

Hope it helps someone!

Basically this allows you to setup your cPanel web hosting account as an additional drive on your machine – making the uploading and publishing of files a lot easier.

However, server administrators will first need to enable the TCP ports 2077 and 2078 in and outbound for this to work correctly (don’t forget to restart/reload the firewall). Once that’s done, your customers should be able to login to their cPanel control panel and either select the new fancy “Getting Started” wizard or “Web Disks->Access Web Disk” to setup a link.

Using cPanel’s handy “Auto configuration” tool is useful – but you may hit the same problem I did when I downloaded the installer .vbs file to my Windows XP machine via Firefox. Attempting to open the file came up with the error “Windows Script Host access is disabled on this machine. Contact your administrator for details”. Needless to say – I am the administrator and if I’ve disabled something like that in the past, it’s probably for a very good reason!

So – how can we manually configure cPanel’s WebDav uploading tool manually if the automatic method fails?….

Manual Secure Method

This is the recommended method and will encrypted your login details and your data as it passes to and from your machine to the server. However, you will need to accept a few security warnings.

1. First access the “My Network Places” option on your Windows machine (it’ll probably show up on your desktop somewhere).
2. Then click “Add Network Place”
3. Click “Next” and it should ask “Where do you want to create this network place?” and provide you with (most probably) a single option labelled “Choose another network location”. Select that option and click Next.
4. In the “Internet or network address” box enter “https://www.example.com:2078/” (where example.com is your domain name) and click Next
5. You may receive a pop up security alert saying “This page requires a secure connection which includes server authentication. The certificate issuer for this site is untrusted or unknown. Do you wish to proceeed?” – click Yes. Basically this means that whilst the connection is encrypted, your computer cannot automatically detect that the server you are connecting to is who it is claming to be for the encryption (but all we care about is that our data is being encrypted).
6. You may then receive another pop up security alert saying “A secure connection with this site cannot be verified. Would you still like to proceed? The certificate you are viewing does not match the name of the site you are trying to view”. Again, just click Yes
7. It’ll then ask you to login – just use your cPanel login details.
8. Add a name for the location and click Next
9. Now if you go to “My Network Places” and click on the icon (and approve the security alerts and maybe login again), you’ll be able to access all your web files as if they were on your hard drive.

Manual Insecure Method

If you don’t mind your login details being sent in “plain text” across the internet and would prefer to skip the security warnings, then follow these steps:

1. First access the “My Network Places” option on your Windows machine (it’ll probably show up on your desktop somewhere).
2. Then click “Add Network Place”
3. Click “Next” and it should ask “Where do you want to create this network place?” and provide you with (most probably) a single option labelled “Choose another network location”. Select that option and click Next.
4. In the “Internet or network address” box enter “http://www.example.com:2077/” (where example.com is your domain name) and click Next
5. It’ll then ask you to login – just use your cPanel login details.
6. Add a name for the location and click Next
7. Now if you go to “My Network Places” and click on the icon (and maybe login again), you’ll be able to access all your web files as if they were on your hard drive.

Hope it helps!

And I bet many of you would like to have been able to upload the archives to the server “as is” (to save decompressing them on your machine and then having to slowly upload each and every file).

But did you know there is actually a “cheat” for this?

Just upload the files to your webspace via FTP (or via the cPanel File Manager) as per usual. Then login to your cPanel control panel and select “File Manager” (if you are running on the new x3 theme with cPanel 11, it doesn’t matter if you select “File Manager” or “Legacy File Manager”). Select the archive you uploaded, and then click “Decompress” from the top menu (on the new file manager) or “Extract from Archive” from the right hand menu (on the old file manager) and there you go.

Your files are now decompressed on the server quickly and simply!

As the notes state, the script isn’t pretty, it isn’t efficient, but it works.

Comments/feedback are appreciated.
Coppermine Gallery Outdated installation checker v0.01

Set $disableandemail to 1 to disable the scripts and email the users.


#!/usr/bin/perl
# Coppermine Gallery Outdated installation checker
# Suitable for cPanel servers
# Checks for unpatched files covered in
# http://coppermine-gallery.net/forum/index.php?topic=31671.0 and
# http://coppermine-gallery.net/forum/index.php?topic=32413.0
#
# Written by Richard Chiswell. http://www.rac.me.uk
# 11-Aug-2006.
# Script revision: 0.01 (it works, but it ain't pretty or efficient)
#
print "Searching for coppermine files...\n";
$disableandemail=0;
while(@PW=getpwent()) {
if (-d "$PW[7]/public_html" && -e "/var/cpanel/users/$PW[0]") {
$username=$PW[0];$path=$PW[7];
system("find ".$path."/public_html/ -type f -name usermgr.php -print > /root/coppermine.txt");
open(VA,"< /root/coppermine.txt") || die("Unable to open /root/coppermine.txt");
while (<VA>) {
$filename=$_;$linecount=0;$found=0;$revision=0;
open(FILE,"< $filename") || die("Unable to open $filename");
while ($linecount<20 && $found==0) {
$line=<FILE>;
if ($line=~/\$Revision: ([0-9\.]+)/) { $revision=$1;$found=1; }
$linecount++;
}
close(FILE);
$filename=~s/(\n|\r)//g;
if ($found==1) {
if ($revision<3116) {
$scriptpath=$filename;
$scriptpath=~s/$path//;
sendwarning($username,$path,$scriptpath,$revision,$filename,$disableandemail);
}
}
}
close(VA);
# check for other vunerability
system("find ".$path."/public_html/ -type f -name functions.inc.php -print > /root/coppermine.txt");
open(VA,"< /root/coppermine.txt") || die("Unable to open /root/coppermine.txt");
while (<VA>) {
$filename=$_;$found=0;$vunerable=1;$ver='';
if (!($filename=~/include\/functions.inc.php/)) { print "Not match\n";next; }
open(FILE,"< $filename") || die("Unable to open $filename");
while (<FILE>) {
$line=$_;
# do a few checks to see if we have found coppermine
if ($line=~/Coppermine version: 1\.([0-9\.][0-9\.][0-9\.])/) { $found+=1;$ver=$1; }
if ($line=~/Coppermine Photo Gallery 1\./) { $found+=1; }
if ($line=~/get_meta_album_set_data/) { $found+=1; }
if ($line=~/Coppermine critical error/) { $found+=1; }
if ($line=~/obscure, misdocumented/) { $vunerable=0; }
}
close(FILE);
$filename=~s/(\n|\r)//g;
if ($found>4) {
if ($vunerable==1) {
$scriptpath=$filename;
$scriptpath=~s/$path//;
sendwarning($username,$path,$scriptpath,$ver,$filename,$disableandemail);
}
} # close found>4 loop
} # close va loop
close(VA);
}
}

sub sendwarning {
my ($username,$userpath,$path,$version,$filename,$send)=@_;
open CONTACTEMAIL , "<".$userpath."/.contactemail";
chomp(my $user_email = <CONTACTEMAIL>);
close CONTACTEMAIL;
if ($send==1) {
open SENDMAIL, "|/usr/sbin/sendmail -t";
print SENDMAIL "To: <$user_email>\n";
print SENDMAIL "From: security\@$hostname\n";
print SENDMAIL "Subject: Vulnerable Coppermine Gallery Warning!\n\n";
print SENDMAIL "*** DO NOT REPLY TO THIS EMAIL: YOUR REPLY WILL *NOT* BE READ ***\n\n";
print SENDMAIL "Hello,\n\n";
print SENDMAIL "A recent server security scan revealed that your site has a vunerable Coppermine Photo \n";
print SENDMAIL "Gallery file at $path . According to this automated scan, this file is revision/version $version \n";
print SENDMAIL "which is known to have security vunerabilities.\n";
print SENDMAIL "To help ensure the security of the server we are asking you to update your Coppermine insall\n";
print SENDMAIL "to the latest version.\n";
print SENDMAIL "To protect against this being abused, the file at $path has been disabled.\n";
print SENDMAIL "The latest known version of Coppermine is version 1.4.8 . Please upgrade\n";
print SENDMAIL "*** DO NOT REPLY TO THIS EMAIL: YOUR REPLY WILL *NOT* BE READ ***\n\n";
close SENDMAIL;
system("chmod a-rx $filename");
} else {
print "Would have sent to $user_email ($username) about version $revision at $path (filename $filename)\n";
}
}


It’ll then clear down the /var/named/ folder totally (the multiple rm commands are there because you could have several thousand files there: yes, I know this could be cleared up by using find . -type f -name... style syntax: but it was a “quickly hacked together” script). It then copies all the files from /root/newzones to /var/named ready for you to rebuild /etc/named.conf !


#!/usr/bin/perl
system("rm -rf /root/newzones");
system("rm -rf /root/oldzones");
system("mkdir /root/oldzones");
system("rsync -ar /var/named/ /root/oldzones/");
system("mkdir /root/newzones");
open(VA,"< /etc/localdomains") || die("Unable to open /etc/localdomains");
$zonecount=0;
while (<VA>) {
$filename=$_;
$filename=~s/\n//g;
$filename=$filename.'.db';
$source='/var/named/'.$filename;
$dest='/root/newzones/'.$filename;
$command="cp $source $dest";
system($command);
$zonecount++;
}
close (VA);
open(VA,"< /etc/remotedomains") || die("Unable to open /etc/remoteldomains");
$zonecount=0;
while (<VA>) {
$filename=$_;
$filename=~s/\n//g;
$filename=$filename.'.db';
$source='/var/named/'.$filename;
$dest='/root/newzones/'.$filename;
$command="cp $source $dest";
system($command);
$zonecount++;
}
close (VA);
open(VA,"< /etc/secondarymx") || die("Unable to open /etc/secondarymx");
$zonecount=0;
while (<VA>) {
$filename=$_;
$filename=~s/\n//g;
$filename=$filename.'.db';
$source='/var/named/'.$filename;
$dest='/root/newzones/'.$filename;
$command="cp $source $dest";
system($command);
$zonecount++;
}
close (VA);
print "Zones:$zonecount\n";
system("rm -rf /var/named/a*.db");
system("rm -rf /var/named/b*.db");
system("rm -rf /var/named/c*.db");
system("rm -rf /var/named/d*.db");
system("rm -rf /var/named/e*.db");
system("rm -rf /var/named/f*.db");
system("rm -rf /var/named/g*.db");
system("rm -rf /var/named/h*.db");
system("rm -rf /var/named/i*.db");
system("rm -rf /var/named/j*.db");
system("rm -rf /var/named/k*.db");
system("rm -rf /var/named/l*.db");
system("rm -rf /var/named/m*.db");
system("rm -rf /var/named/n*.db");
system("rm -rf /var/named/o*.db");
system("rm -rf /var/named/p*.db");
system("rm -rf /var/named/q*.db");
system("rm -rf /var/named/r*.db");
system("rm -rf /var/named/s*.db");
system("rm -rf /var/named/t*.db");
system("rm -rf /var/named/u*.db");
system("rm -rf /var/named/v*.db");
system("rm -rf /var/named/w*.db");
system("rm -rf /var/named/x*.db");
system("rm -rf /var/named/y*.db");
system("rm -rf /var/named/z*.db");
system("rm -rf /var/named/0*.db");
system("rm -rf /var/named/1*.db");
system("rm -rf /var/named/2*.db");
system("rm -rf /var/named/3*.db");
system("rm -rf /var/named/4*.db");
system("rm -rf /var/named/5*.db");
system("rm -rf /var/named/6*.db");
system("rm -rf /var/named/7*.db");
system("rm -rf /var/named/8*.db");
system("rm -rf /var/named/9*.db");
system("rm -rf /var/named/a*.bak");
system("rm -rf /var/named/b*.bak");
system("rm -rf /var/named/c*.bak");
system("rm -rf /var/named/d*.bak");
system("rm -rf /var/named/e*.bak");
system("rm -rf /var/named/f*.bak");
system("rm -rf /var/named/g*.bak");
system("rm -rf /var/named/h*.bak");
system("rm -rf /var/named/i*.bak");
system("rm -rf /var/named/j*.bak");
system("rm -rf /var/named/k*.bak");
system("rm -rf /var/named/l*.bak");
system("rm -rf /var/named/m*.bak");
system("rm -rf /var/named/n*.bak");
system("rm -rf /var/named/o*.bak");
system("rm -rf /var/named/p*.bak");
system("rm -rf /var/named/q*.bak");
system("rm -rf /var/named/r*.bak");
system("rm -rf /var/named/s*.bak");
system("rm -rf /var/named/t*.bak");
system("rm -rf /var/named/u*.bak");
system("rm -rf /var/named/v*.bak");
system("rm -rf /var/named/w*.bak");
system("rm -rf /var/named/x*.bak");
system("rm -rf /var/named/y*.bak");
system("rm -rf /var/named/z*.bak");
system("rm -rf /var/named/0*.bak");
system("rm -rf /var/named/1*.bak");
system("rm -rf /var/named/2*.bak");
system("rm -rf /var/named/3*.bak");
system("rm -rf /var/named/4*.bak");
system("rm -rf /var/named/5*.bak");
system("rm -rf /var/named/6*.bak");
system("rm -rf /var/named/7*.bak");
system("rm -rf /var/named/8*.bak");
system("rm -rf /var/named/9*.bak");
system("rm -rf /var/named/*.bak");
system("rm -rf /var/named/*.db");
system("rsync -arv /root/newzones/ /var/named/");


Run commands as root/su:

Disable telnet
Modify /etc/xinetd.d/telnet (could also be /etc/xinetd.d/telnet and change disable=no to disable=yes

Disable code compilation
Add compiler group: /usr/sbin/groupadd compiler
Move to correct directory: cd /usr/bin
Make most common compilers part of the compiler group chgrp compiler *cc*
chgrp compiler *++*
chgrp compiler ld
chgrp compiler as

Set access on mysqlaccess chgrp root mysqlaccess
Set permissions chmod 750 *cc*
chmod 750 *++*
chmod 750 ld
chmod 750 as
chmod 755 mysqlaccess
To add users to the group, modify /etc/group and change compiler:x:123: to compiler:x:123:username1,username2 (’123′ will be different on your installation)

Disable direct root login: SSH
Modify /etc/ssh/sshd_config.
Ensure the Protocol line is not commented out and reads Protocol 2 (increases the encryption level)
Modify PermitRootLogin yes to PermitRootLogin no
Restart SSHD /etc/rc.d/init.d/sshd restart

Disable direct root login: ProFTP
Modify /etc/proftpd.conf
Add RootLogin off
Restart ProFTP /sbin/service proftpd stop
/sbin/service proftpd start

Restrict access to Inet services
Modify /etc/hosts.allow
Suggested format:
# Approved IP addresses
ALL: 192.168.0.1
ALL: 192.168.5.2
# CSV uploader machine
proftpd: 10.0.0.5
# pop3 from anywhere
ipop3: ALL
Modify /etc/hosts.deny
ALL:ALL EXCEPT localhost:DENY

Mount /tmp as being not executable
(not recommended for Cpanel servers)
cd /dev
Create 100Mb (the “count”) storage file: dd if=/dev/zero of=tmpMnt bs=1024 count=100000
Make an extended filesytem /sbin/mke2fs /dev/tmpMnt (answer yes to “…is not a block special device. continue?”)
Backup existing temp files cp -R /tmp/ /tmp_backup
Mount new file system with noexec mount -o loop,rw,nosuid,noexec /dev/tmpMnt /tmp
chmod 0777 /tmp
Copy the backup files back: cp -R /tmp_backup/* /tmp/
Remove backups rm -rf /tmp_backup
Modify /etc/fstab to add the following to ensure the mount point is recreated on boot up/dev/tmpMnt /tmp ext2 loop,rw,nosuid,noexec 0 0 (spaces are tabs)

Remove unused RPMs
Create a file called “cleardown” with the following contents:
#!/bin/bash
# Remove unneeded RPMs
# by jd_waverly
# Please read this script completely before executing to verify that you are
# not using any of these rpms

echo Removals complete
exit
Run using /bin/bash cleardown

Firewall ports
A firewall in necessary and I quite like Cheetaweb’s “APF”/iptables based one.
This can be downloaded from http://download.cheetaweb.com/apf-0.8.7-1.i386.rpm and installed using rpm -Uvh apf-0.8.7-1.i386.rpm.
You’ll need to modify /etc/apf/conf.apf to use the correct ports for the web server software you are using:
Cpanel servers: TCP_CPORTS=”21,22,53,80,110,443,2082,2083,2086,2087,2095,2096″
Ensim/Ensim Pro servers:
TCP_CPORTS=”21,22,25,53,80,110,143, 443, 19638″
# Common UDP Ports
UDP_CPORTS=”53″
Run on reboot: /sbin/chkconfig --level 2345 apf on

Hide Apache Information
Show only that you are running Apache: no details of any of the modules or version numbers.
Modify /etc/httpd/conf/httpd.conf
Change the ServerSignature line to:
ServerSignature Off
and add/amend:
ServerTokens ProductOnly
Restart Apache: /sbin/service httpd restart
Cpanel users: This may break the “Needs upgrade” display on WHM.

Hide PHP information
Modify php.ini (locations vary) from:
expose_php=On
to:
expose_php=Off
You may need to restart Apache.

Install ChkRootKit
Download ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
Unpack it tar xvzf chkrootkit.tar.gz
Compile it: cd chkrootkit*
make sense
Remove the install file rm ../chkrootkit.tar.gz
Find out “full path” pwd
Add cronjob to run daily by adding a file called “chkrootkit” to /etc/cron.daily with: #!/bin/bash
/"full path"/./chkrootkit -q | mail -s "[servername] chkrootkit Output" youremailaddress@example.com
Chmod it chmod 755 /etc/cron.daily/chkrootkit

Installed System Integrity Monitor
See http://www.r-fx.net/sim.php for full information.

Why Cpanel? Well, Ensim tries to “control” your server a bit too much for my liking: you’ve got to be especially careful what you upgrade/install and if you make any changes to the Apache configuration by hand – then it can really screw things up (and the next restart of Ensim will mean it’ll try and “correct” your amendments). Cpanel, on the other hand, seems to act as a control panel should – it’ll allow me to go right in and forcible change settings without having to worry too much about it overriding my settings.

Plus, the whole system seems lot more “open” then Ensim’s compiled Python mess: which means if I feel like writing an extension to Cpanel, then I’m free to do so. And, it comes with some nifty “one click install” style items – I’ve disabled most of them, but at least if I ever want to have a quick play with – say OsCommerce – I won’t even have to bother loading an FTP client to upload the files! Oh – and it’s support of anti-spam systems looks perfect (my current real email/spam ratio is around 1:500 – yes, I get around 500 spams for every proper email! I deleted 3,500 of them so far today)

On the slightly negative side: I’m having real difficulties disabling FrontPage on the server. I absolutely detest that b–ardised system: it’s a little bit of a web design package, a little bit of “PHP/Perl scripting” and a strange FTP client all muddled together and pulled out incorrectly. FrontPage would have been so much better if it used standard FTP uploads and server admins didn’t have to worry about getting the darn FrontPage extensions to work correctly. 75%+ of our technical support calls are about FrontPage (but, to be fair, some of our customers are such numbskulls that I have to talk them through how to start FrontPage’s inbuilt help system: I wish I was joking ).

Anyway, once I’ve got the new server stabilised and ready, I’m going to be moving everything to it – it’ll take me a while though as my current server has a few “exotic” settings made to it which I’ll need to take into account.