Sexifying WHM with XML API

I don’t know about you other cPanel system admins out there, but I find WHM to be very useful for the more advanced and time-consuming tasks, such as installing SSL certificates. However, the easy stuff like changing an account’s package and resetting passwords is a royal pain in the ass as far as convenience is concerned when you have to log into WHM, list accounts, and make whatever change.

I recently became favorable towards the WHM XML API functionality which will let me do a majority of the everyday account-related tasks from command line without ever opening my browser, which is a lot easier when managing thousands of users across multiple servers. Below are a couple scripts I’ve already created using the XML API:

Change account password

Change account package

Both are run via command line, and the arguments are passed to the PHP script as variables. For example, to change an account’s password:

./chacctpass myuser mypass1234

Customizing these scripts to perform different functions is easy via the following steps:

- change if ($argc != 3) to the number of command line arguments you wish to pass to the script plus one. In the above example there are two arguments and since the script name counts, add one and that makes 3.

- in the section where the arguments are assigned to variables (like $cpuser, etc), name your variables. The first one should have an array value of 0, then 1, 2, etc.

- edit the usage example, which will come up if the required number of arguments is not provided…you can add any text you like

- if you’re using a hash (which is more secure than user/pass authentication), go fetch your remote access key from WHM and put it in the $hash value within quotes, format intact. Otherwise, put in your WHM user’s username and password

- change the $server variable to your server’s hostname

- change $apiPath to the WHM path for the function you are using. You can find a whole list of them here, and most will give you the path to use in the examples sections. In the API path, insert your variable names where the values are supposed to be. For instance:

$apiPath = "/xml-api/passwd?user=myuser&pass=mypass1234";

Would be:

// urlencode() keeps characters such as & or # in a password from breaking the query string
$apiPath = "/xml-api/passwd?user=" . urlencode($cpuser) . "&pass=" . urlencode($newpass);

In the header section, uncomment whichever $header .= "Authorization: line matches your authentication method (user/pass or hash).

Once you’ve configured your API script, chmod to 700 and run from the command line as shown in my example. It’s better to lock down the script by changing its ownership only to the user that will be using it, and not giving read, write, or execute permissions to anyone else.

Note: for these scripts to work you have to have PHP compiled with OpenSSL support, otherwise change the socket variables to http over port 2086.
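
An added example, not the author’s PHP script: the same passwd call assembled in Python, showing the URL-encoded API path and both Authorization forms. The function names, the key file path and port 2087 are assumptions not taken from the post, and the new password is prompted for rather than passed as an argument, because command-line arguments show up in the process list and in shell history.

```python
import base64
import getpass
import http.client
import sys
from urllib.parse import quote, urlencode

WHM_SSL_PORT = 2087  # WHM's SSL port; the post's fallback is plain HTTP on 2086


def build_passwd_request(cpuser, newpass, whm_user, access_hash=None, whm_pass=None):
    """Return (path, headers) for the /xml-api/passwd call."""
    # Percent-encode both values so "&", "#" or spaces in a password
    # cannot truncate or alter the query string.
    query = urlencode({"user": cpuser, "pass": newpass}, quote_via=quote)
    if access_hash is not None:
        # The remote access key is pasted as a multi-line block; the header
        # needs it as a single token with all whitespace removed.
        token = "".join(access_hash.split())
        auth = "WHM %s:%s" % (whm_user, token)
    elif whm_pass is not None:
        creds = ("%s:%s" % (whm_user, whm_pass)).encode()
        auth = "Basic " + base64.b64encode(creds).decode()
    else:
        raise ValueError("need an access hash or a WHM password")
    return "/xml-api/passwd?" + query, {"Authorization": auth}


def change_password(server, cpuser, newpass, whm_user, access_hash):
    """Send the request over TLS and return (HTTP status, XML body)."""
    path, headers = build_passwd_request(cpuser, newpass, whm_user, access_hash)
    # HTTPSConnection verifies the server certificate by default.
    conn = http.client.HTTPSConnection(server, WHM_SSL_PORT, timeout=30)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: chacctpass.py <server> <cpanel-user>")
    new_password = getpass.getpass("New password: ")
    # Assumed location of the saved remote access key, readable by root only.
    with open("/root/.accesshash") as fh:
        key = fh.read()
    print(change_password(sys.argv[1], sys.argv[2], new_password, "root", key))
```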



Nomao is Probably the Sexiest Thing I’ve Seen All Week

I came across nomao.com today and I must say that it’s probably the best non-social networking site I’ve seen so far. It’s basically a website where you sign up and add your favorite hot spots and important locations so your friends can look at your profile and get directions to wherever. It’s kind of like a social map, and it lets you add pictures and video to your locations, schedule events, and recommend your spots to friends. It also has a nice export feature for you to post your map to various blogging platforms. Here’s a map I took of my house:

Anywho, sign up for an account and add me to your friends list so I can stalk check out where everyone’s going. I have no idea how long this site has been around and why it took so long for me to find it, but it’s my new toy for the next month.



The Big 21

Well, my 21st birthday is finally here…yay! Of course, all that means to me is that I can now do everything I’ve already been doing for the last four years, only now I’d be doing it legally. So happy birthday to me, I’m getting plastered tonight.

FYI, no pics yet — the party is this Friday the 25th so I’ll have plenty then and I’ll post ‘em here.



The Super-Duper Way to Run Backups

I often worry about my PC at work — it’s about 3 or 4 years old now and I’ve already crashed it twice by running Ubuntu updates and not letting them finish. Luckily I have my home drive mounted as a separate partition so reinstalling the OS isn’t a huge inconvenience aside from having to reinstall all my apps.

After doing some googling I came across SBackup, which is a simple backup program to back up whatever on your system to wherever you want to keep your backups — without having to configure a script.

First, install sbackup via apt-get, yum, or whatever other package manager you use:

$ sudo apt-get install sbackup

Then open the backup manager under System > Administration > Simple Backup Config

Now, I used the custom backup settings because I didn’t want to back up everything on my system — all I’m concerned about is everything in my home directory, such as my Documents, email, and porn browser settings. To select what you want backed up, go to the Include tab and Add Directory or Add File to include files and folders in your backups.

Naturally there are some files within your selected folders that you don’t want to back up, like your trash and cache. You can add those under the Exclude tab.

Next set your timing — I did ‘precisely’ every day at 5pm when I won’t be here to experience the extreme lag of my 14G home directory being tarred up. As for the Purging options, I chose Logarithmic so that I don’t have old backups that I don’t need — I only need the backups in case my PC crashes and I lose everything, so I don’t care about backups from two weeks ago.

The destination part is where you want your backups to go. The default is /var/backup, but if your PC crashes, that isn’t going to be very convenient for you. Therefore one of the two options should be the one you go with:

- Custom local directory: If you have a floppy disk (which I pray you do not) or a USB drive, you can usually find those in the /media directory and have those mounted to copy your backups

- Remote directory: If you have FTP or SSH access to a remote server, you can have your backups uploaded. The syntax is simple:

ssh://user:password@serverip:/remote/dir

After you have everything configured, save your settings and hit Backup Now! to run a test and make sure everything is working.



An Investigation of Sexual Chocolate

My phrase last week was “sexual chocolate” — I have no idea where I heard it from or why I had such an urge to repeat it and linger on the laughter and dirty looks. I thought it was something like chocolate that you use during, um, relations, but it appears that I was sooooo wrong as there are many meanings:

Meaning 1: A band in the movie “Coming to America”

Sexual Chocolate is the name of a Melbourne, AU cover band that performs in night clubs, not to be confused with the name of Eddie Murphy’s band in the 1988 movie “Coming to America” that performed Whitney Houston’s single “Greatest Love of All.”

Meaning 2: A song by Cee-lo with the following chorus:

They call it the - sexual chocolate
Eh, good God y’all - sexual chocolate
Ho, take it easy now - sexual chocolate
Hey, eh-eyyyy now now - sexual chocolate
Oooh, and they call it the - sexual chocolate
Ho, good God y’all - sexual chocolate
Huh, take it easy now - sexual chocolate
Ahhhh-hah hah-ahhhh-ahhhh - sexual chocolate

Meaning 3: A 60’s and 70’s term used to describe gay, black men.

Meaning 4: What this guy from Sparrows Point, Maryland calls himself on MySpace

Meaning 5: Something like 2girls1cup.com  (sorry, no link because it’s against our TOS)

Meaning 6: A sexy person dipped in chocolate

“Give me a piece of that sexual chocolate!”

However, the definition that won the prize was given quite bluntly on urbandictionary.com as “chocolate that happens to be sexual.”

Thank you, urbandictionary.com, for being so politically correct in a time of crisis.



Moving Towards PCI Compliance with cPanel

Those of you who are server admins or use certain merchant services know what I’m talking about — it’s that dreaded security scan that picks apart your server to tell you everything that it thinks is wrong, assuming you have the knowledge or access to fix it: yes, the PCI scan. PCI compliancy is a somewhat new procedure used by security companies and financial institutions to measure the security of a webserver that collects and stores sensitive information. The reasons for getting a scan vary, but are most commonly for legal reasons or just the assurance that your server is not subject to certain vulnerabilities.

After dealing with 2-3 PCI scans a week for the last year, I’ve put together a common procedure for how to make your server compliant to current PCI standards. Note that each scan company is different and may report other issues, and if you’re using ControlScan then, well, I feel sorry for you. I’m also assuming that you are on a Linux server running cPanel and LAMP.

Step 1: Make sure you have a firewall

PCI scans are nazis about unjustified open ports, so only open the ones that you need in order for services to run effectively. Manually configuring iptables is a pain in the ass, so I recommend using APF or CSF (if you have cPanel) and then configuring the allow rules to only allow ports for active services.

Note that both indicate the opening of cPanel ports 2082, 2095, and 2086, but some scans will complain about these being nonsecure. If that is the case you can configure within WHM to only use the secure ports, then remove the nonsecure ones from the firewall so they can’t be accessed. You should also close MySQL port 3306 for external hosts and allow them on a per-IP basis if anyone other than localhost has to be allowed.

Step 2: Update your system

This is an obvious one, but you’d be surprised how many people still have old packages installed on the server. With cPanel, running /scripts/upcp will usually update the vital system software as long as you have your update configuration in WHM set to allow it, but otherwise I would recommend doing a yum update, up2date, or whatever else you use to manage packages to make sure everything is up to date.

Nowadays old versions of MySQL, PHP, and Apache are no longer squeezing through either, so you need to upgrade to at least MySQL 4.1.22, PHP 5.2.5, and Apache 1.3.39 (some scans will want Apache 2.0.x).

Step 3: Fix OpenSSL

If you did a package update this was probably already taken care of, but if you installed via source you need to make sure you’re using at least 0.9.7j, which is the oldest version that most PCI scans allow. You can get your sources from here, and it may require a recompile of Apache and other services that use it. To check your OpenSSL version, type ‘openssl’ from your SSH prompt and then type ‘version’.

Note to Redhat/Fedora/CentOS users: If you’re running a somewhat recent version of your OS your openSSL version probably is something like 0.9.7a, but due to Redhat backporting this may be a false-positive. If you’re on any Redhat-based distribution, just tell your scan company and they’ll bypass OpenSSL checks.

Step 4: Check your SSL certificates

In order to pass a PCI scan your server must have at least one SSL certificate signed by a recognized certificate authority, and any services using SSL need to be using a certificate as well. Go cough up $30-$100 and buy a decent 264-bit SSL certificate and install it not just for Apache, but also for all of your active services. WebHost Manager has a section for installing service SSL certificates to make this process easier.

Step 5: Disable SSLv2 and other weak encryption methods

This one always gets me, because there is no way to disable SSLv2 for everything at once, at least not one that I know of. What makes this part the worst is that not all services support the choosing of SSL protocols and ciphers, but luckily unless you are using ControlScan the ones that don’t are probably not going to show up. Here’s how you do it for common services that are reported:

Apache:

Add these lines to your httpd.conf (you may need to add them to each secure vhost as well):

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

POP3 and IMAP:

Edit the following files:

/usr/lib/courier-imap/etc/pop3d-ssl
/usr/lib/courier-imap/etc/imapd-ssl

Comment out the existing TLS_CIPHER_LIST line and replace it with the following and restart courier-imap:

TLS_CIPHER_LIST="ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"

Exim:

Add the following to exim.conf:

tls_require_ciphers = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2

For other services that might be on your system, take a look at this guide.

Step 6: Disable mod_userdir (or whatever cPanel is calling it nowadays)

If you are able to go to http://yourserverip/~yourusername, then you have mod_userdir enabled and the scan will probably complain. You can disable this in WHM under Security Center > Apache mod_userdir Tweak, or in httpd.conf add “userdir disabled user1 user2 user3 …etc”

Step 7: Put Apache in incognito mode and disable the bad stuff

If you try to get an Apache error (like a 404 error), the footer of that page probably contains more information than you may want to share about your Apache setup. You can disable this in your httpd.conf by adding these lines:

ServerSignature Off
ServerTokens Prod
FileETag None

You can read more about these here.

Another thing that some scans report is the use of 413 errors. You should add this line to httpd.conf as a workaround:

ErrorDocument 413 /index.php (or any other file)

Just about all scans will complain if the ‘trace’ and ‘track’ apache methods are enabled on your server. You can fix this by adding these lines to your Virtualhost entries or .htaccess files:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$ [NC]
RewriteRule ^.*$ - [F]

You should also disable directory indexes, which can be done most easily in your cPanel’s index manager. Directory indexes allow the listing of files inside folders that do not have an index page. You can also disable these in your .htaccess files:

Options -Indexes
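
A check for the Apache settings from Steps 5 and 7, as an added example that is not part of the original post: it reads httpd.conf text and reports which of the directives above are missing or weak. The sample configs are constructed, the function names are illustrative, and ALL is treated as including SSLv2, as it did on the mod_ssl releases this post targets.

```python
import re

# Constructed sample: a fragment with the problems the post lists.
WEAK_CONF = """\
ServerTokens Full
SSLProtocol all
Options All Indexes
"""

# Constructed sample: the post's directives applied.
HARDENED_CONF = """\
# hardening for the PCI scan
ServerSignature Off
ServerTokens Prod
SSLProtocol -ALL +SSLv3 +TLSv1
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$ [NC]
RewriteRule ^.*$ - [F]
Options -Indexes
"""

PROTOCOLS = {"sslv2", "sslv3", "tlsv1"}  # assumption: what ALL expands to here


def sslv2_enabled(value):
    """Evaluate SSLProtocol tokens left to right: '+' adds, '-' removes, bare replaces."""
    enabled = set()
    for tok in value.lower().split():
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-")
        names = PROTOCOLS if name == "all" else {name}
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:
            enabled = set(names)
    return "sslv2" in enabled


def audit(conf_text):
    """Return findings, in checklist order, for the directives covered in this post."""
    seen = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        seen.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    findings = []
    protos = seen.get("sslprotocol")
    if not protos or any(sslv2_enabled(v) for v in protos):
        findings.append("SSLv2 not disabled")
    # For single-valued directives the last occurrence wins.
    if [v.lower() for v in seen.get("serversignature", [])][-1:] != ["off"]:
        findings.append("ServerSignature not Off")
    if [v.lower() for v in seen.get("servertokens", [])][-1:] != ["prod"]:
        findings.append("ServerTokens not Prod")
    conds = seen.get("rewritecond", [])
    if not any(re.search(r"REQUEST_METHOD.*TRACE", c, re.I) for c in conds):
        findings.append("TRACE/TRACK not blocked")
    if not any("-indexes" in v.lower().split() for v in seen.get("options", [])):
        findings.append("directory indexes not disabled")
    return findings
```

The check treats the file as flat: it does not follow Include lines or track per-vhost scope, so run it against each vhost block separately.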

Ending notes

Really, it doesn’t matter how secure your server is if your web application is poorly programmed, so your server should not be the ending point in security. Some PCI scan companies are able to detect common vulnerabilities in web applications, but you should take the extra steps to stay ahead of the game and update your site software on a regular basis.



I got Blogged-eded.

v-nessa.net at Blogged

The good people over at blogged.com ranked me at an 8.2 out of 10. I never even heard of blogged.com until I got an email from one of their editors yesterday stating:

“We evaluated your blog based on the following criteria: Frequency of
Updates, Relevance of Content, Site Design, and Writing Style.
After carefully reviewing each of these criteria, your site was given its 8.2 score.”

Looking over the site it looks like it has a nice directory of blogs in there, as each one is rated on a scale of 1 to 10 based on their quality and are hand-picked by the editors. Users have the ability to rank your blog too but according to the FAQ’s it doesn’t significantly affect your rating because the editors rate all of the blogs. Either way, I feel like I’m back in high school again trying to run a popularity contest. So ummm…vote for me.



Alternative PHP Caching FTW

We get a TON of requests for the PHP APC pecl module because after having adopted suPHP into our configuration, eAccelerator is worthless. It’s quick to install, and especially if you’re running suPHP or phpsuexec, each user can maintain their own settings within their local php.ini without me having to do anything — basically the best thing that a lazy system admin can ask for.

Soooo, here’s how you install it:


wget http://pecl.php.net/get/APC-3.0.17.tgz
tar -xvzf APC-3.0.17.tgz
cd APC-3.0.17
phpize
./configure && make && make install

Then just add “extension=/apc.so” to your php.ini and you’re done. With PHP under Apache this will load the APC module for everyone, but for suPHP users you’ll need to add it to their php.ini which will also allow them to modify their own APC settings. These are the ones I recommend using:

apc.enabled = 1
apc.shm_segments = 1
apc.shm_size = 30
apc.optimization = 0
apc.ttl = 7200
apc.user_ttl = 7200
apc.num_files_hint = 1000
apc.mmap_file_mask = /tmp/apc.XXXXXX

Now, if you want to get even sexier with it I came across this little tool that monitors the performance of APC on your server.



Someone’s Got the Internet AIDS…

I knew something was fishy when I got an IM from my ex whom I haven’t spoken to in over a year:

hey How are you???? this is ur pic rite?! http://www.msn-gallery.com/gallery.php?user=blue_butterfly21.jpg

Worse enough I can’t believe I clicked on that shit.. I thought maybe it was one of those pictures from the amateur night at JB’s Gallery of Girl back in 2004 that caught up with me. But no, as soon as I clicked on it my PC (which unfortunately is the one that runs Windows XP) froze up for a good minute during which time it was sending the same message to all 158 people in my MSN friends list.

Arrrggg…anywho, the virus — which is the Backdoor.Generic3.SAT – is pretty harmless as far as your PC is concerned but you’ll probably get kicked every time you open an MSN window. So, close your MSN and go here and here to read about how you can cure the internet STD’s you’ve probably just spread around to all your friends. It’s like the 70’s all over again only the free clinic isn’t as crowded.



Capone is Blood-Hungry

Caponer

My house is right in front of the Tallwood woodlands so it’s not uncommon for me to wake up to find possums, squirrels, and raccoons in my garage or upstairs where they come in through the attic. There’s also the rare occasion of snakes on the patio and in the trash cans. Really, none of those bother me because I love animals but the two things I’m deathly afraid of are spiders and rats. Luckily we don’t have a big spider infestation around here but I am 100% sure of the fact that a couple of rats have made my house into their personal condo and playground. I bring forth the following evidence:

Exhibit #1: Bachelor pads under the washing machine and behind the furniture:

We’re having the plumbing and floors redone on one side of the house and when the boys moved the furniture they found nests of fiberglass, dog food, and rat poop in the corner

Exhibit #2: Suspicious hole behind the toilet in one of the master bathrooms

I know that this wasn’t here before because this bathroom was just remodeled. Take note of the wood shavings on the floor and the telltale chew marks on the wall.

Exhibit #3:

This really has nothing to do with the rat situation but I saw this box at my dad’s house and I think it looks kinda like boobs.

I should also mention that on three occasions we’ve seen the dogs go nuts and start chasing an unidentified moving object around the house.

So either the rats start paying rent and contributing to the $90 a month I spend on dog food, or they can have a date with the hot A-Active guy (who, by the way, is welcome to come over with his hose any time).

