Installing cPanel

Unlike some of the tutorials here, this isn't necessarily meant to be expert advice from someone claiming to know what they are doing well. This was largely created as a sort of log of events that occurred during a person's first time installing a cPanel server. (Actually, two servers were being set up simultaneously.)

(Some more information about cPanel may also be on this site, at Web Data, section on cPanel.)

Early Prep Steps
  • Determine and document network resources
    • Which IPv4 addresses will be used.
      • At the time of this writing, cPanel Installation Guide - Customize Your Installation (“Configuration values” section) says, “Due to networking requirements, you cannot run an IPv6-only cPanel & WHM server. You must have at least one IPv4 address.” cPanel's documentation specifies IPv4 is required. IPv6 can also be used, but is not required.
      • Actually, this guide is going to be written presuming that a /28 has been reserved for use for the system's main NIC, and that a second NIC exists with a(n internal) IP address for backing up data.
      • This guide recommends using an IPv4 address whose associated Reverse DNS (“PTR resource record”) data you are able to alter. This is expected to have a notable impact on whether some public E-Mail servers accept E-Mail from the system.
      An idea of a sample layout

      Changing the main IPv4 address too many times (and the limit is not a very large number) could lead to the license getting locked, as described further in the Licensing Check info section.

      So, before making any changes, consider your ideal IPv4 address layout. If you have a 16-address block (IPv4 /28, or IPv6 /124) or larger, you might want to use something like:

      • First address - “Network ID”
      • 2nd address (first “usable” address) - main default gateway
      • 3rd address (second “usable” address) - address for additional gateway (if gateway redundancy is implemented)
      • 4th address (third “usable” address) - one more address for gateways (so gateways can synchronize with each other on a shared IP)
      • 5th address (4th “usable” address) - main cPanel server address (used for license check)
      • 6th address (5th “usable” address) - address for systems using shared hosting
      • 7th address (6th “usable” address) - usable for any customer account that will be using a dedicated IPv4 address
      • Last address of the subnet: IPv4 subnets have the last address reserved as the “broadcast address”.
    • DNS name
    • Any other details needed, like VLANs used by upstream equipment (if you oversee such equipment)
  • Create a license at the cPanel Store.
    • When this tutorial was made, a pre-existing, established account was used. Therefore, this tutorial doesn't cover creating a new account.
    • At the time of this writing, there are multiple packages available. They include “cPanel Solo(R) Cloud (1 Account)”, “cPanel Admin Cloud (5 Accounts)”, “cPanel Pro Cloud (30 Accounts)”, and “cPanel Premier (100 Accounts)”. Upgrading is simple, instantaneous, and pro-rated, so it makes sense to use a smaller package unless you know you will have a rather immediate need for something larger, and then simply upgrade when a server is actually within a few accounts of the maximum.
  • Some resources:
  • Plan hardware specs
    • As of 2022-April, what was chosen was:
      • 8 CPU cores (selected in VMware, this could be done by choosing a number of CPUs and number of cores per CPU, like two quad-core CPUs or one octo-core CPU.)
      • At least 4 GB of RAM. (Don't be afraid to bump up to 5 GB or 8 GB.)
        • https://docs.cpanel.net/installation-guide/system-requirements-almalinux/ suggests to not use less than 3 GB if using ClamAV
        • Some prior systems, and their actual usage as reported in VMware, include:
          • CentOS 5 systems: 757 MB, 2.04 GB, 2.15 GB;
          • CentOS 6 systems: 1.53 GB, 2.24 GB,
          • CentOS 7 systems: 2.88 GB, 4.64 GB, 2.08 GB
      • Disk space: 700 MB to 1.1 TB recommended. (This is mostly to support some common usage for a number of customers, e.g. maybe about 45-70 customers each, mostly small businesses.)
  • Assemble Hardware
    • In practice, this was actually a VMware virtual machine (running under ESXi).
      • If you have vCenter operating, you may want to use a template. (This guide was not based on actually going that route.)
      • Otherwise, have the installation media (a bootable ISO file) stored on the VMware ESXi server's data store.
      • If using AlmaLinux version 8, you can tell VMware that it is CentOS version 8 because that should be relatively close. (VMware ESXi may notice some difference and complain, but this has been advised elsewhere.)
      • 768 GB recommended. This is about how much has been needed for around 60-100 clients. Actually, 1.1 TB might be a better fit, but it turns out that expanding a disk in VMware ESXi is simple, and expanding a disk in an operating system can also be done (with XFS and Ext4), whereas shrinking a disk isn't so easy with VMware ESXi and shrinking an XFS volume may not be so doable...
        • After following some other advice in a version of this guide, the resulting size was 587G, so apparently 181 GB was used by other partitions or lost to overhead.
      • Expand the “Hard disk 1” section
        • Use Thin Provisioning (which might slow down a bit, but provides us flexibility)
        • Ask for the “Disk Mode”, go ahead and leave it on “Dependent”, which is the default. (This might not be the best, but is default, and was consistent with what had been used before, so that got used when creating this tutorial.) https://4sysops.com/archives/vmware-disk-modes-which-one-is-best/
      • If you want a second NIC (e.g. maybe one dedicated to backups?), then, on the Customize Settings screen, Virtual Hardware tab, click "Add network adapter" so there are two.
      • Set the CD-ROM drive to use a “Datastore ISO File”.
      • Make sure optical drive is connected.
        • This seemed to be a struggle. Perhaps the trick is to specify the CD drive's source as an ISO file, and check the connected box, and click Save, and then wait for a while (maybe even 2 minutes to be safe??) for the change to be actually applied well, before checking whether the Connect box is still connected. It is recommended to then check on the connect box by the drive.
        • For one of the systems, it seemed like it booted with the desired installation media even though the checkbox disappeared from the Connect box.
  • Last minute prep
    • If using ESXi with AlmaLinux's initial version
      • AlmaLinux 8.3 does not support “Secure Boot”. This is supposedly resolved by AlmaLinux's second release, 8.4. Oddly, the “Secure Boot” setting didn't seem to be available while creating the virtual machine, but it can be set afterwards. To find this, choose the machine in ESXi, then “Actions”, “Edit Settings”, the “VM Options” button, “Boot Options”, and find the checkbox next to “Enable UEFI secure boot” (and even closer to the descriptive text, “Whether or not to enable UEFI secure boot for this VM”). (If you just go to “Edit” instead of “Actions”, a trimmed-down version of settings seems to be displayed, and so the Boot Options may not show Secure Boot.) While checking on this, make sure that the “Firmware” drop-down box is set to “EFI” (just above the “secure boot” setting), and you may wish to check the box that keeps the CD drive connected.
OS Installation
  • Boot
  • Test media is recommended, but may take some time.

For the OS installation options/process, the details may vary (and are likely to vary) at least a bit depending on which operating system is being used.

Installing AlmaLinux
Documentation

As you proceed through the OS installation phase, it may be worthwhile to keep reviewing: System Requirements for AlmaLinux OS

Time and Date
  • (Choose correct time zone)
  • It seems that the only impacts this will have is altering which time zone file (under /usr/share/zoneinfo/) the /etc/localtime symlink will point to, and, of course, any other resulting changes. If you somehow skipped this section or chose something wrong, that can be fixed later, relatively easily.
“User Settings”: Users
Recommended: Set up passwords for both root and another user. (The first section, “Full Name”, is the display name. After all settings are filled out, you can click “Done” in the upper-left corner, which brings the installation back to the prior screen of options.) Do make the other user an administrator. Then, if you were to check the Advanced options, it should show the user will be added to “wheel”. That will help sudo to work.
“Software Selection”
Chose:
  • Left side
    • Minimal install (recommended; the cPanel guide states, “We recommend that you use the minimal installer.”)
      • Actually, that might be too minimal. While it did come with tmux (perhaps due to some of the additional packages noted), it lacked traceroute, which can be helpful to troubleshoot installation. Additionally, for an ISP that might offer SSH access as a feature (perhaps optionally, with a cost), having a more typical environment may be preferable.
  • Right side
    • Guest Agents
    • Legacy Unix Compatibility
    • Container Management
    • Development Tools
    • Graphical Administration Tools
    • Headless Management
    • Network Servers
    • RPM Development Tools
    • Security Tools
    • System Tools
“Installation Destination”
Partitioning
  • Some related resources...
  • Know desired iNode info
  • For installation destination, set Storage to Custom. Then, click Done in the upper-left corner, and the installer will come to the “Manual Partitioning” screen.
  • Set to LVM Thin Provisioning, and then press the + button (near-ish lower-left corner) to start assigning amounts of space to partitions.
  • The following were made based on some abundant disk available, and not necessarily trying to minimize usage:
  • / 60 G
    • An old guide recommended 40 GB, but since software has often expanded over time, and capacity is larger, 60 G makes sense. Note that /usr/local/ may contain Linux base install, cPanel, and Mailman (if used).
  • /boot 6G (admittedly, may be overkill)
    • (an internal guide at a successful company had recommended 512 MB)
  • /boot/efi 5G
  • /var 20G (recommended for handling logs)
  • /var/lib 60G
    • 40 GB was recommended for handling MariaDB/MySQL/PostgreSQL databases, and if a customer needed more space, to use space other than on the shared cPanel server (possibly in a dedicated machine). However, with larger disk sizes available, 60 GB might be sensible to allow even more buffer room.
  • /tmp: 6G
    • 512 MB has been found to be somewhat small in some cases where customer content might try to use such space
    • 5 GB or 6 GB was selected as a sensible amount to recommend. 5 GB could allow a single-layer, single-sided DVD image to barely fit, although still having a tidbit of room for other minor amounts of data.
    • (Might also be implemented using tmpfs and may be “memory backed”.)
  • /var/tmp
    • This guide is not currently recommending a separate partition, but does note that it seems like some older implemented cPanel installations may have had /var/tmp/ be “union mounted” with /tmp/. (A comment related to /var/tmp said, “watch this, possibly union mount to /tmp like we have on some systems before modern naming scheme...”)
  • swap 24G (if available)
  • /backup - not created yet
    • This guide was made in an environment that had /backup/ be mounted via NFS later, according to following precedent. ( https://docs.cpanel.net/installation-guide/system-requirements-almalinux/#filesystems doesn't seem to recommend NFS, but this guide follows pre-existing sample systems that used that setup.) (Related: NFS Share)
    • Related info (for possible reference later), as recorded on a prior system's fstab and layout notes:
      /backup    n/a - NFS    rw,soft,intr,tcp,noauto,noacl,nolock 5 5
      # auto mounted by cpanel backup process
  • /home will be good, but was left off. This was intentionally delayed until later, hoping that would cause /home to be towards the end (and easiest to expand).
    • 200+ GB minimum (actually more like 700 GB to 1.1 TB recommended)

After making the partitions...

  • (When you proceed, the first row/option may say the step is “Destroy format” and may appear in red. That is normal.)
Network
  • Fill out host name, and click Apply.
    • have the host name be at least 3 parts. (cPanel seemed to complain with just 2 parts??)
  • Chances are that you may want to assign multiple sequential IP addresses to the cPanel server. That might be easiest to do after WebHost Manager (which comes with cPanel) is installed, as a whole range of addresses can be added at once. So, this guide recommends just focusing on having one working address for the moment.
  • Customize settings:
    • IPv4 settings
    • Manual
    • Add. (Might be unneeded to press the Add button?)
    • Add the IPv4 address, NetMask, and Gateway. For DNS servers, enter them (hopefully multiple) separated by a comma.
      • If using a /28, the netmask is 255.255.255.240
        • VLSM Chart, “Last 8 bits as decimal” row, /28 column, is 240, which matches the last octet of the subnet mask.
    • On the prior screen (where the hostname was typed), flip the power button for the Ethernet connection to On. By doing this last, it should flip to On and also show the connection settings.
    • You can try to enter for multiple devices, but it seems like configuring might flip the "on" switch to off. Maybe this is just easiest to take care of post-install.
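The address layout sketched in the Early Prep Steps and the /28 netmask cross-checked against the VLSM chart above can both be computed rather than looked up. The following is an added example (not code from the original guide) in POSIX sh: it converts a prefix length to a dotted-quad netmask and lays out a 16-address block in the role order the guide describes (network, gateways, cPanel main, shared hosting, first dedicated address, broadcast). The 192.0.2.0/28 block is a constructed documentation address.

```shell
#!/bin/sh
# Added example: IPv4 netmask and address-plan helpers in plain POSIX sh arithmetic.

ip2int() {
    # "a.b.c.d" -> 32-bit integer
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
    # 32-bit integer -> "a.b.c.d"
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

prefix_to_netmask() {
    # /28 -> 255.255.255.240 (the value the guide checks against the VLSM chart)
    int2ip $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

plan_block() {
    # plan_block CIDR: print "role address" lines following the guide's layout.
    cidr=$1
    base=$(ip2int "${cidr%/*}")
    prefix=${cidr#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    net=$(( base & mask ))
    bcast=$(( net | (~mask & 4294967295) ))
    # the layout needs at least 7 offsets before the broadcast address
    if [ $(( bcast - net )) -lt 7 ]; then
        echo "block too small for this layout: $cidr" >&2
        return 1
    fi
    printf 'network %s\n'           "$(int2ip $net)"
    printf 'gateway-primary %s\n'   "$(int2ip $(( net + 1 )))"
    printf 'gateway-secondary %s\n' "$(int2ip $(( net + 2 )))"
    printf 'gateway-shared %s\n'    "$(int2ip $(( net + 3 )))"
    printf 'cpanel-main %s\n'       "$(int2ip $(( net + 4 )))"
    printf 'shared-hosting %s\n'    "$(int2ip $(( net + 5 )))"
    printf 'dedicated-first %s\n'   "$(int2ip $(( net + 6 )))"
    printf 'broadcast %s\n'         "$(int2ip $bcast)"
}

# Usage with a constructed documentation block:
prefix_to_netmask 28
plan_block 192.0.2.0/28
```

The cPanel main address lands on the fifth address of the block (the fourth usable one), which is the address the license check will be tied to, so it is worth settling this plan before the installer runs.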
First Boot / Early Activity
  • Boot / login / escalate (sudo)
  • After boot:
    • Remove ISO from CD
    • login
    • sudo bash
    Make sure Internet access is working
    connectivity

    Chances are that you may want to assign multiple sequential IP addresses to the cPanel server. That might be easiest to do after WebHost Manager (which comes with cPanel) is installed, as a whole range of addresses can be added at once. So, this guide recommends just focusing on having one working address for the moment. (This guide will cover adding more IP addresses later.)

    Immediate changes
    ip addr
    ip addr add 192.0.2.100/24 dev ens192
    ip link set ens192 up
    ip addr add 198.51.100.3/24 dev ens224
    ip addr add 198.51.100.4/24 dev ens224 # A second address can be added
    ip link set ens224 up
    ip route
    • ip route add default via 198.51.100.2 # specify default gateway to route through
    • ip route delete default # Typo/mistake when adding a route before? Not a problem: remove it, then add the right one
    • ip route add default via 198.51.100.1 # specify default gateway to route through

    Notes:

    Long term setup
    • cd /etc/sysconfig/network-scripts/
    • backup existing files
      • (as a standard practice, backup files before changing)
      • sudo cp -pi /etc/sysconfig/network-scripts/ifcfg-ens192 /etc/sysconfig/network-scripts/backup-orig-ifcfg-ens192
        sudo cp -pi /etc/sysconfig/network-scripts/ifcfg-ens224 /etc/sysconfig/network-scripts/backup-orig-ifcfg-ens224
    • Edit files as follows:
      • Make sure BOOTPROTO=none
      • ensure each interface has this, if desired: ONBOOT=yes
        • experience suggests maybe a first interface defaults to ONBOOT=yes and a second interface defaults to ONBOOT=no.
      • IPADDR=192.0.2.10
        • Customize that as needed
      • PREFIX=28
        • If using an IPv4 /28
      • For only the first NIC's configuration file:
        • DEFROUTE=yes
        • GATEWAY=192.0.2.1
          • Customize that as needed
        • DNS1=8.8.8.8
        • DNS2=8.8.4.4
      • Possible: NM_CONTROLLED=no may be in the files.
        • In the short term, there seems to be no reason to feel hurried into adding such a line to the file. However, System Requirements for AlmaLinux OS, section titled “Networking Requirements” (near the bottom of the section, just above “Hardware Requirements”), notes, “the cPanel & WHM installer will automatically disable the Network Manager service and enable the network.service service.” So, such a line might get added to the file rather automatically when cPanel gets installed.
      • test it:
        • Warning: this doesn't seem to work:
          • nmcli networking off
          • A reboot fixed things right up.
        • HOW TO RESTART NETWORK IN ALMALINUX AND CENTOS 8 says, “In AlmaLinux, it is advised to not restart NetworkManager (systemctl restart NetworkManager). The respective daemon is always running.”
          • Maybe /etc/init.d/network restart works, but perhaps not until the old network-scripts package is installed (see the dnf install network-scripts step further down).
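The ifcfg settings listed above (BOOTPROTO=none, ONBOOT=yes, IPADDR, PREFIX, and DEFROUTE/GATEWAY/DNS on the first NIC only) are easy to get inconsistent across two files, so here is an added example (not code from the original guide) that writes them from parameters, keeps the backup-orig copy the guide asks for, and checks the result. The directory is a parameter so the demo stages files in a scratch directory rather than /etc/sysconfig/network-scripts; the addresses are the guide's documentation values.

```shell
#!/bin/sh
# Added example: generate and sanity-check ifcfg-style files for two NICs.

write_ifcfg() {
    # write_ifcfg DIR IFACE IPADDR PREFIX [GATEWAY DNS1 DNS2]
    # Only the NIC that should carry the default route is given a GATEWAY.
    dir=$1 iface=$2 ip=$3 prefix=$4 gw=$5 dns1=$6 dns2=$7
    f="$dir/ifcfg-$iface"
    # standard practice from the guide: back up before changing, and never overwrite that backup
    if [ -f "$f" ] && [ ! -f "$dir/backup-orig-ifcfg-$iface" ]; then
        cp -p "$f" "$dir/backup-orig-ifcfg-$iface"
    fi
    {
        printf 'TYPE=Ethernet\nNAME=%s\nDEVICE=%s\n' "$iface" "$iface"
        printf 'BOOTPROTO=none\nONBOOT=yes\n'
        printf 'IPADDR=%s\nPREFIX=%s\n' "$ip" "$prefix"
        if [ -n "$gw" ]; then
            printf 'DEFROUTE=yes\nGATEWAY=%s\n' "$gw"
            if [ -n "$dns1" ]; then printf 'DNS1=%s\n' "$dns1"; fi
            if [ -n "$dns2" ]; then printf 'DNS2=%s\n' "$dns2"; fi
        else
            printf 'DEFROUTE=no\n'
        fi
    } > "$f"
}

check_ifcfg() {
    # check_ifcfg FILE -> 0 if the must-have settings are present, 1 otherwise
    f=$1
    for want in 'BOOTPROTO=none' 'ONBOOT=yes' 'IPADDR=' 'PREFIX='; do
        grep -q "^$want" "$f" || { echo "missing $want in $f" >&2; return 1; }
    done
    return 0
}

count_defroutes() {
    # count_defroutes DIR -> how many ifcfg files claim the default route (should be 1)
    grep -l '^DEFROUTE=yes' "$1"/ifcfg-* 2>/dev/null | wc -l | tr -d ' '
}

# Usage (constructed example): stage the files in a scratch directory, not /etc.
d=$(mktemp -d)
write_ifcfg "$d" ens192 192.0.2.10 28 192.0.2.1 8.8.8.8 8.8.4.4
write_ifcfg "$d" ens224 198.51.100.3 24
check_ifcfg "$d/ifcfg-ens192" && check_ifcfg "$d/ifcfg-ens224" && echo "ifcfg files look sane, default routes: $(count_defroutes "$d")"
rm -rf "$d"
```

A second NIC with its own GATEWAY= line would give the box two default routes, which is the sort of quiet misconfiguration that makes the backup interface "work" while the license check and outbound mail go out the wrong way; count_defroutes is a cheap check for that before rebooting.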

    Check on DNS

    Ensure DNS is working well.

    • If DNS is not working, then:
      • backup /etc/resolv.conf
      • Replace
        # Generated by NetworkManager
        with
        # Generated by NetworkManager
        search example.com
        nameserver 8.8.8.8
        nameserver 8.8.4.4
    can SSH in?

    If you can SSH in, you might want to use a public key file. That simplifies logins (possibly eliminating the need to use a password, if sudo also gets configured that way). To install an SSH public key:

    • Note: if a file shows up in the ls output, then there is no need to mkdir its parent afterward, and if you just created the directory with mkdir, there is no file in it to back up yet. Following these literally on a fresh account produces some harmless error messages (e.g. from cp when authorized_keys does not exist yet).
    • If you are root:
      • be careful of ~ (it refers to root's home, not the home of the user you may intend)
    • ls -l ~/.ssh
    • mkdir -p ~/.ssh
    • cp -pi ~/.ssh/authorized_keys ~/.ssh/backup-orig-authorized_keys
    • cat | tee -a ~/.ssh/authorized_keys
      • (paste the public key, press Enter, then Ctrl-D to end the input)
    • chmod go-r,g-w ~/.ssh/ ~/.ssh/authorized_keys
    • chmod go-x ~/.ssh/
    • If you're root, chown the ~/.ssh/ directory and the ~/.ssh/authorized_keys file, and possibly ~/ as well.
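The key-installation steps above work, but they are not safe to repeat (a second paste appends a duplicate key) and the ownership fix is easy to forget when done as root for another user. The following is an added example (not code from the original guide) that performs the same steps idempotently: it creates the directory, keeps the one-time backup, appends the key only if its key material is not already present, and sets the permissions sshd's StrictModes expects. HOME_DIR and the optional OWNER are parameters; the key in the demo is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example: install an SSH public key into authorized_keys safely and repeatably.

install_pubkey() {
    # install_pubkey HOME_DIR "ssh-ed25519 AAAA... comment" [OWNER]
    home=$1 key=$2 owner=$3
    sshdir="$home/.ssh"
    ak="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    # back up once, and only if there is something to back up
    if [ -f "$ak" ] && [ ! -f "$sshdir/backup-orig-authorized_keys" ]; then
        cp -p "$ak" "$sshdir/backup-orig-authorized_keys"
    fi
    touch "$ak"
    # compare type + key material only, so a changed comment does not cause a duplicate
    keymat=$(printf '%s\n' "$key" | awk '{print $1" "$2}')
    if ! awk '{print $1" "$2}' "$ak" | grep -qxF "$keymat"; then
        printf '%s\n' "$key" >> "$ak"
    fi
    # sshd (StrictModes, the default) ignores keys in group- or world-writable paths
    chmod 700 "$sshdir"
    chmod 600 "$ak"
    if [ -n "$owner" ]; then
        # when run as root for another account, hand the files to that user
        chown -R "$owner" "$sshdir"
    fi
}

key_count() {
    # key_count HOME_DIR -> number of key lines in authorized_keys
    grep -cE '^(ssh-|ecdsa-)' "$1/.ssh/authorized_keys"
}

# Usage (constructed example): a scratch home directory and a placeholder key.
d=$(mktemp -d)
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialConstructedForDocs user@example.com'
install_pubkey "$d" "$SAMPLE_KEY"
install_pubkey "$d" "$SAMPLE_KEY"   # second run is a no-op
echo "keys installed: $(key_count "$d")"
rm -rf "$d"
```

Because the function takes the home directory explicitly, running it as root for a customer account is `install_pubkey /home/username "$KEY" username`, which avoids the `~` confusion the guide warns about.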
    Misc
    • Maybe can restart with: /etc/init.d/network restart
Install some early packages
  • not a lot - most can be installed after cPanel. But enough to maybe be a bit more comfortable...
  • dnf update -y
  • echo ${?}

(That may take a bit...)

  • dnf install epel-release -y
  • dnf install network-scripts -y
  • dnf install nano -y
  • dnf install -y traceroute
  • dnf install -y tcpdump
Handle escalation

If you are non-root, you can type:

groups username (where “username” is customized). In AlmaLinux, if you chose to make the user an administrator in the installer, the administrator may already be part of the group named “wheel”.

You may wish to back up /etc/sudoers and modify it. There is likely a comment line that contains sample text of giving %wheel the ability to escalate using NOPASSWD. Just duplicate that line, and then for one of the copies (probably the second one would look cleaner), eliminate the first part of the line that makes it a comment. (If you want to do that with vi, using “ddpp” may cut a line, and then paste it twice, which may be a bit helpful.)
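The edit described above (duplicate the commented %wheel NOPASSWD sample line and uncomment one copy) can be done on a copy of the file so the result is checked before it replaces /etc/sudoers. Here is an added example (not code from the original guide): it performs exactly that edit with awk, is a no-op when the line is already active, and offers a syntax check through `visudo -cf` where visudo exists. Input and output paths are parameters; the sudoers text in the demo is a constructed sample.

```shell
#!/bin/sh
# Added example: enable the %wheel NOPASSWD line on a copy of sudoers, then validate.

enable_wheel_nopasswd() {
    # enable_wheel_nopasswd IN_FILE OUT_FILE
    in=$1 out=$2
    if grep -qE '^%wheel[[:space:]]+ALL=\(ALL\)[[:space:]]+NOPASSWD:[[:space:]]+ALL' "$in"; then
        cp -p "$in" "$out"       # already active: copy unchanged
        return 0
    fi
    # for each commented sample line, keep it and add an uncommented copy right after it
    awk '/^#[[:space:]]*%wheel[[:space:]]+ALL=\(ALL\)[[:space:]]+NOPASSWD:[[:space:]]+ALL/ {
             print
             sub(/^#[[:space:]]*/, "")
         }
         { print }' "$in" > "$out"
}

check_sudoers_syntax() {
    # check_sudoers_syntax FILE: a syntax error in sudoers locks everyone out of sudo,
    # so never install the file without this check.
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    else
        echo "visudo not available here; run visudo -cf on the target host" >&2
    fi
}

# Usage (constructed sample sudoers fragment in a scratch directory):
d=$(mktemp -d)
printf '%s\n' '## Allows people in group wheel to run all commands' \
              '%wheel ALL=(ALL) ALL' \
              '## Same thing without a password' \
              '# %wheel ALL=(ALL) NOPASSWD: ALL' > "$d/sudoers"
enable_wheel_nopasswd "$d/sudoers" "$d/sudoers.new"
check_sudoers_syntax "$d/sudoers.new" || echo "syntax check failed; do not install"
cat "$d/sudoers.new"
rm -rf "$d"
```

Only after the check passes should the new file be copied over /etc/sudoers (keeping mode 0440), or, on this family of distributions, dropped into /etc/sudoers.d/ instead.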

set up /home/
  • need Internet working so yum/dnf can install parted
  • Backup/move anything already on /home/
    • ls -l /home
      mkdir /homeback
      mv -v /home/* /homeback/.
  • dnf install -y parted
  • Related: ][CyberPillar][ File System info: section on growing a filesystem for details including running parted and pvresize and so forth. That guide is a bit more generalized, and it could be that the following steps in this guide are just largely going to be redundant with that one. (Although, the list of steps in this guide might be a bit more direct, and shorter.)
  • Documented steps:
    • Check various possible drive names. See if you can find the one with the Linux LVM. e.g. fdisk -l /dev/sda
    • fdisk -l /dev/sdb
    • for x in /dev/sd? ; do echo ${x} ; fdisk -l ${x} ; done | less

    In this example, only /dev/sda had a “Linux LVM” type, which was /dev/sda3.

    parted /dev/sda

    print free
    resizepart 3 100%
    print free
    quit
  • Typically unneeded:
    • Commonly, this process doesn't involve needing to add a new item into the volume group. If you did just add a drive that you wanted to add into an existing group, could use something like:
      • pvdisplay
      • vgextend vgname /dev/sda3
        • Customize that. The vgname is what appears from pvdisplay | grep -i "VG Name”
        • The disk device to grow should be the name showing up from pvdisplay | grep -i "PV Name”
  • Extend PV:
    • vgs
    • pvdisplay | grep -i "PV Name”
    • pvresize /dev/sda3
    • vgs
    • Extend logical...
      • See what partitions exist:
        • lvs
        • lvdisplay | grep -i "LV Path”
        • (If you want even more info, lvdisplay | less )
      • If no LV Path partition exists for /home/ yet...
        • make it: lvcreate -l +100%FREE -n home almalinux
          • that is a lowercase L before the plus sign
          • (an uppercase L would be used instead if we were seeking to specify an exact size using a unit measurement, like “-L 32G”.)
      • or, if it exists:
        • Optional (as needed), gather some info to help with next command:
          • lvdisplay | grep -i "VG Name"
          • lvdisplay | grep -i "LV Name"
          • lvdisplay | grep -i "LV Path"
        • lvextend -l +100%FREE /dev/vgname/lvname
          • that is a lowercase L before the plus sign
          • (an uppercase L would be used instead if we were seeking to specify an exact size using a unit measurement, like “-L 32G”.)
          • customize pvname and lvname as appropriate. For instance, depending on what is already set up, it could be something like:
            • lvextend -l +100%FREE /dev/mapper/home
            • or: lvextend -l +100%FREE /dev/almalinux/home
    • Check:
      • See what partitions exist:
        • lvs
        • lvdisplay | grep -i "LV Path”
      • mkfs.xfs /dev/vgname/lvname
        • e.g.: mkfs.xfs /dev/almalinux/home
      • Add to fstab
        • back up fstab
        • echo /dev/almalinux/home /home xfs defaults,uquota 0 0 | tee -a /etc/fstab
      • Confirm large mount
      • mount /home/
        df -h /home/
      • Restore moved/copied data
        • Presuming that the earlier instructions were followed...
        mv /homeback/* /home/.
        rmdir /homeback/
Older Notes: set up /home/

(References at bottom are likely useful: much else might just be rather redundant with some of the text just above...)

Fix /etc/fstab
  • For /tmp, replace defaults with: defaults,mode=1777,nodev,noexec,nosuid,rw,size=512m
    • some internal documentation involved using bind as a parameter?
  • for /home anything special?
  • optional: create line for /backup (using NFS)...
    • even if NFS isn't set up yet, the noauto will likely prevent too many problems... although if you think that /backup might mount then you could also hold off for later so you don't end up with slowness caused by stale NFS
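The fstab edits in the /home section (echo ... | tee -a /etc/fstab) and the /tmp mount-option change just above are both done by hand in the guide; a duplicate mount point or a typo in the options field is then discovered at the next boot. The following is an added example (not code from the original guide) covering both: it appends a new entry only if the mount point is not already present, rewrites the options field of an existing entry, and keeps a backup-orig copy. The fstab path is a parameter, so the demo runs against a constructed sample file rather than /etc/fstab.

```shell
#!/bin/sh
# Added example: safe helpers for the fstab changes the guide describes.

add_fstab_entry() {
    # add_fstab_entry FSTAB DEVICE MOUNTPOINT FSTYPE OPTIONS [DUMP PASS]
    fstab=$1 dev=$2 mnt=$3 type=$4 opts=$5 dump=${6:-0} pass=${7:-0}
    # refuse a second entry for the same mount point (comments are skipped)
    if awk '$1 !~ /^#/ {print $2}' "$fstab" | grep -qx "$mnt"; then
        echo "$mnt already has an fstab entry; not adding another" >&2
        return 1
    fi
    [ -f "$fstab.backup-orig" ] || cp -p "$fstab" "$fstab.backup-orig"
    printf '%s\t%s\t%s\t%s\t%s %s\n' "$dev" "$mnt" "$type" "$opts" "$dump" "$pass" >> "$fstab"
}

set_mount_options() {
    # set_mount_options FSTAB MOUNTPOINT OPTIONS: replace the options field of one entry
    fstab=$1 mnt=$2 opts=$3
    [ -f "$fstab.backup-orig" ] || cp -p "$fstab" "$fstab.backup-orig"
    awk -v m="$mnt" -v o="$opts" '$1 !~ /^#/ && $2 == m { $4 = o } { print }' "$fstab" > "$fstab.tmp"
    mv "$fstab.tmp" "$fstab"
}

mount_options() {
    # mount_options FSTAB MOUNTPOINT -> the options field for that mount point
    awk -v m="$2" '$1 !~ /^#/ && $2 == m { print $4 }' "$1"
}

# Usage (constructed sample fstab in a scratch directory):
d=$(mktemp -d)
printf '%s\n' '# constructed sample fstab' \
              '/dev/mapper/almalinux-root / xfs defaults 0 0' \
              '/dev/mapper/almalinux-tmp /tmp xfs defaults 0 0' > "$d/fstab"
add_fstab_entry "$d/fstab" /dev/almalinux/home /home xfs defaults,uquota
set_mount_options "$d/fstab" /tmp defaults,mode=1777,nodev,noexec,nosuid,rw,size=512m
cat "$d/fstab"
rm -rf "$d"
```

After editing the real file, `mount -a` (or `mount /home`) is the cheap way to find out whether the entry is accepted before a reboot depends on it.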
Additional Steps Before cPanel

Much/all of this is done due to: System Requirements for AlmaLinux OS

Run a terminal multiplexor

cPanel Installation Guide recommends using the program named screen, but tmux may be pre-installed and many people prefer that newer software anyway. Related: Terminal Multiplexing

Disabling SELinux

cPanel Installation Guide: System Requirements for AlmaLinux, section to “Disable SELinux” specifies this as a clear requirement for cPanel. “You must disable SELinux to make your system compatible with cPanel & WHM.”

sudo cp -pi /etc/selinux/config /etc/selinux/backup-orig-config
cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

$ sed -i 's/^SELINUX=enforcing$/SELINUX=disabled/' /etc/selinux/config
$ cat /etc/selinux/config

Note: that sed command is more specific than needed. Manually check to ensure that the desired change occurred.
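To act on the note above (do not trust that the sed matched; check the file afterward), here is an added example (not code from the original guide) that makes the SELINUX= change on a file given as a parameter, keeps a backup-orig copy, matches whatever the current value is so a re-run is harmless, and fails loudly if the line was not actually changed. The sample config in the demo is constructed to match the file printed above.

```shell
#!/bin/sh
# Added example: change and verify the SELINUX= setting in an /etc/selinux/config-style file.

selinux_config_mode() {
    # selinux_config_mode FILE -> value of the uncommented SELINUX= line
    sed -n 's/^SELINUX=\([a-z]*\)[[:space:]]*$/\1/p' "$1"
}

set_selinux_config_mode() {
    # set_selinux_config_mode FILE enforcing|permissive|disabled
    f=$1 mode=$2
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $mode" >&2; return 2 ;;
    esac
    bk="$(dirname "$f")/backup-orig-$(basename "$f")"
    [ -f "$bk" ] || cp -p "$f" "$bk"
    # match any current value, not only "enforcing", and write via a temp file
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    # the guide's advice: manually check that the desired change occurred; here, automatically
    if [ "$(selinux_config_mode "$f")" != "$mode" ]; then
        echo "SELINUX= line not updated in $f" >&2
        return 1
    fi
}

# Usage (constructed copy of the config shown above, in a scratch directory):
d=$(mktemp -d)
printf '%s\n' '# This file controls the state of SELinux on the system.' \
              '# SELINUX= can take one of these three values:' \
              '#     enforcing - SELinux security policy is enforced.' \
              '#     permissive - SELinux prints warnings instead of enforcing.' \
              '#     disabled - No SELinux policy is loaded.' \
              'SELINUX=enforcing' \
              'SELINUXTYPE=targeted' > "$d/config"
echo "before: $(selinux_config_mode "$d/config")"
set_selinux_config_mode "$d/config" disabled
echo "after:  $(selinux_config_mode "$d/config")"
rm -rf "$d"
```

The config file only governs the next boot; `getenforce` reports the mode the running kernel is actually in, so check both when confirming the requirement is met.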

check for incompatible software/yum groups

cPanel Installation Guide: Customizing an Installation, section Exclusion of Packages mentions some packages that cPanel will apparently remove from availability. It isn't clear whether this is expected to be done manually, but checking this over seems sensible.

Then, cPanel Installation Guide: Customizing an Installation, directions to Remove yum groups says to run “yum grouplist”. Actually, the following might be a simple implementation for those who can easily copy-and-paste a documented command line:

yum grouplist | grep -iE 'FTP|Desktop Environment|Mail|Mono|Web|X Window'

If that outputs anything, cPanel Installation Guide: Customizing an Installation, directions to Remove yum groups shows using groupremove in the following example which appears to remove two named packages:

yum groupremove "Mono" "Mail Server"

Note: You aren't requested to manually perform the following, but it is probably/believed-to-be done during cPanel's installation:

Install PERL

Install PERL, as it is needed for cPanel.

sudo yum -y install perl
echo ${?}

The actual installation guide had this listed as a later step, just before installation, but there didn't seem to be any reason why this needed to be delayed.

Support hardware
  • If you are using a virtual machine, there might be some support software worth installing.
    • e.g., for VMware, there is some software called “VMware Tools” that can improve networking and have other niceties.
      • https://cloudlinuxtech.com/how-to-install-almalinux/#How_to_install_VMware_Tools_on_AlmaLinux_8 says “You generally don't need to install VMware tools in AlmaLinux, because you get it by default after installation.” You can check this:
        which vmware-toolbox-cmd
        vmware-toolbox-cmd -v
        If the software is installed (and in your PATH as normal), then the first command should reveal the location of that executable file, and the second should show you the version number of VMware Tools that is installed.
  • On Dell systems, something like OpenManage software might be helpful?
Preparation Focused On The Installer
Download the Installer
cd /home/ && curl -o latest -L https://securedownloads.cpanel.net/latest
echo ${?}
Decide options for installer

Although this guide does not run the installer until after disabling the firewall, go ahead and determine now what options you will run it with. That way, actions can occur more quickly after the firewall's defenses are lowered.

Some relevant documentation may include:

Disabling Default Firewall

System Requirements for AlmaLinux OS says, “Even though the installer attempts to open the necessary ports during the installation process, we recommend that you disable OS firewalls before you run the cPanel & WHM installation. When the installation process finishes, we recommend that you then configure a firewall with a third-party client.” (Followed by “Important:” “AlmaLinux OS distributions allow you to disable the firewall for the operating system’s installation configuration. We strongly recommend that you use this method.”)

(If you expect to later be using APF Firewall or CSF (“ConfigServer Firewall”), cPanel's instructions for that (part of cPanel KB: Additional Security Software) actually specify to use yum to remove (uninstall) the default firewalld firewall. So, if it is going to be uninstalled, stopping it seems like an even less severe action to take.)

So...

Back up old rules
sudo iptables-save | tee -a ~/firewall.rules
sudo cp -pi ~/firewall.rules ~root/
End Execution of firewalld
systemctl stop firewalld.service
systemctl disable firewalld.service

Those two commands may ask for a password three times (presuming all goes well, e.g. no typos that prevent authentication from working during part of the process). As an example:

$ systemctl stop firewalld.service
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to stop 'firewalld.service'.
Authenticating as: AcctDisplayName (username)
Password:PasswordNotVisibleWhileTyped
==== AUTHENTICATION COMPLETE ====
$ echo ${?}
0
$ systemctl disable firewalld.service
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-unit-files ====
Authentication is required to manage system service or unit files.
Authenticating as: AcctDisplayName (username)
Password:PasswordNotVisibleWhileTyped
==== AUTHENTICATION COMPLETE ====
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
==== AUTHENTICATING FOR org.freedesktop.systemd1.reload-daemon ====
Authentication is required to reload the systemd state.
Authenticating as: AcctDisplayName (username)
Password:PasswordNotVisibleWhileTyped
==== AUTHENTICATION COMPLETE ====
$ echo ${?}
0

But, all those lines that start with = or Authentication or Password don't show up if run as root (perhaps if using sudo). Just the two lines starting with “Removed” show up.

old firewall notes
(These may be ignored, and will likely be removed after some further verification...) Maybe disable firewall, or, if you can ssh in, not yet...

Recommendation: Okay, now that this advice from cPanel has been followed, let's try to proceed through the remaining steps rather quickly, at least until we can get a replacement firewall software up and operating nicely.

cPanel Installation & Follow-up
Run installer

An earlier step of this guide recommended using a terminal multiplexor. If you haven't started one yet, this might be the best time.

An earlier step of this guide showed downloading the installer to /home/ so let's go there.

cd /home/
ls -l latest

This guide shows a slightly more elaborate process than the official installation guide, which helps to record the process.

  • Adjust the following example in order to include any command line parameters you want to the install script.
    • (A prior step discussed selecting installation options, including providing some documentation references of such potential options.)
    • In the following example, --skip-cloudlinux was used to prevent the installer from converting AlmaLinux into CloudLinux, but if that is a process that you want to do instead of skip, then, naturally, don't specify such an option.
  • date | tee -a ~/cpinst.log
    time sudo sh latest --skip-cloudlinux 2>&1 | tee -a ~/cpinst.log
    echo ${?} ; date

    In 2022-April, on a commercial production server, this took about 24-34 minutes.

    If needed, here is a potential resource to help: cPanel Installation Guide: Troubleshoot Your Installation.

    Sample ending of log
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] (DEBUG):   - ssystem [END]
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( INFO): Completed execution of ‘/usr/bin/systemctl start cpcleartaskqueue’
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( INFO): Flushing the task queue
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( INFO): cPanel install finished in 20 minutes and 0 seconds!
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( INFO): Congratulations! Your installation of cPanel & WHM 11.102 is now complete. The next step is to configure your server.
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( INFO):
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( INFO): Before you configure your server, ensure that your firewall allows access on port 2087.
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( INFO):
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( INFO): After ensuring that your firewall allows access on port 2087, you can configure your server.
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( INFO):
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( INFO): 1. Open your preferred browser
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( INFO):
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( INFO): 2. Navigate to the following url using the address bar and enter this one-time autologin url:
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( INFO):
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( INFO): https://thissample.example.org:2087/cpsess2345678923/login/?session=root%3aC3Wv6gktM58kabzr%3acreate_user_session%2ce55fc8b8f9a7903ee6e39e35a776079c
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( INFO):
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( INFO): After the login url expires you generate a new one using the 'whmlogin' command or manually login at:
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( INFO):
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( INFO): https://198.51.100.130:2087
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( INFO):
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( INFO): Visit https://go.cpanel.net/whminit for more information about first-time configuration of your server.
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( INFO):
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( INFO): Visit http://support.cpanel.net or https://go.cpanel.net/allfaq for additional support
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( INFO):
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( INFO): Thank you for installing cPanel & WHM 11.102!
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( WARN): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( WARN): Your system kernel may have been updated.
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( WARN): Current kernel (4.18.0-240.el8.x86_64) has been changed to: 4.18.0-348.20.1.el8_5.x86_64
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( WARN): Before rebooting the system, please ensure that the installed kernel version is compatible with your deployment.
    [YYYY-MM-DD hh:mm:ss -TZ00] [PID##] ( WARN): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    real    20m46.684s
    user    4m1.763s
    sys     0m39.471s
    # echo ${?} ; date
    0
    [...]

    (In another example, the installation took 27m39.275s+4m1.545s+0m38.931s=32 minutes 19.751 seconds, but was claimed to be 27 minutes 39 seconds, a difference of 4 minutes 53 seconds. So when the example cited here took 20m46.684+4m1.763s+39.471s=25min27.918s, a difference of that and the reported time of 5min27seconds seems within what may actually be reported. So when the report claimed a very round-looking time of 20 minutes and 0 seconds, that appears to have been the real results of an actual calculation that occurred.)

    Follow-up

    Visit the URL it states, ending with :2087, in order to log into WHM using the password for the system's “root” account.

    Upon logging in, after seeing:

    “cPanel & WHM”
    “The Hosting Platform of Choice”

    the web browser redirects to a path that looks something like: /cpsess2345678923/scripts3/initial_setup_wizard1/legal

    There, you get to see a EULA. You can click “Print or Save” to, naturally, print or save. Yeah, yeah, yeah, we all know EULAs are boring, but if any legal issue arose, wouldn't you like to have a copy of what was legally agreed to? So, if you do choose to “Print or Save”, a pop-up window will appear which provides what appears to be an easy way to print, but no clear way to save other than perhaps using the operating system's local printer object to save a PDF file. You can even “right-click” to show a menu with a Save option that is... not available. However, if you do press Ctrl-S, then that may actually cause the web browser to download the EULA in HTML format (instead of printing to a PDF file).

    Upon accepting, you are asked to:

    • Enter preferred contact E-Mail address
      • It appears that what gets entered here will go into a data field that can later be accessed from WebHost Manager (“WHM”), “Server Configuration”, “Basic WebHost Manager® Setup”, on either the “All” tab or the “Contact Information” tab, first text box.
    • You can specify nameservers as DNS names. As you type, a message may show, “! A fully qualified domain name must contain at least 3 parts.” e.g., subdomain.example.org
    • Upon continuing, you may then get redirected to a version of the URL with the legal text, except not including /scripts3/initial_setup_wizard1/legal as part of that URL.

      At some point, perhaps now (and/or perhaps when looking at the EULA), you may see a sliding bar on the right asking about data collection. You may be able to help the vendors of software you use by agreeing.

      You may then see “Important Next Steps” with an “X Dismiss” to the right of that title.

      The steps are:

    • Provide Contact Information
    • Customize Ethernet Device
    • Customize Nameservers
    • DNS Cluster

    However, this does not appear to be anything that needs to be done immediately.

    Note: WHM uses the operating system's “root” account for logging in. So changing the password in WHM will change the operating system's “root” password (and vice versa).

    Setting Security Further & Web Server Tweaking

    cPanel KB: Additional Security Software lists several options.

    CSF

    ConfigServer Firewall (“CSF”) and Login Failure Daemon (“LFD”)

    As root:

    yum remove firewalld

    ... because cPanel KB: Additional Security Software says to.

    Then, run:

    sudo bash # root seems needed for the next command...
    cd ~root
    wget https://download.configserver.com/csf.tgz
    tar -xzf csf.tgz
    cd csf
    ./install.cpanel.sh
    perl /etc/csf/csftest.pl   # installed by install.cpanel.sh; checks the iptables functionality csf needs

    Installation ought to be fast.

    https://download.configserver.com/csf/readme.txt recommends running the csftest.pl file “Before configuring and starting csf for the first time”.

    CSF is implemented as a WHM plug-in. To configure further, log into WHM or re-load a WHM page. (Some older instructions indicated a reboot may be needed. Maybe that was accurate with older versions of some software, like older CSF and/or older operating systems?) Then, in search field, you can search for “Firewall” and then (under “Plugins”) “ConfigServer Security & Firewall” should show up.

    After going there, find the “Firewall Configuration” button on either that main “All” tab, or on the tab named “csf”.

    On that page, toggle the value of “TESTING” to “Off”. Scroll down to the very bottom of that long page, and click “Change”.

    This will lead to a button to restart both the CSF software and the LFD software. You can also do this from the command line by running “ sudo csf -ra ”.

    That's it, unless you have some special configuration that you might want to use, such as whitelisting specific authorized servers to be able to access specific TCP ports (as an example).

    Whitelist

    In WHM, (search for and then) visit “cPHulk Brute Force Protection”. It may show a pop-up: “Your current IP address: "192.0.2.135" is not on the whitelist.”, and provide a “Add to Whitelist” button. If you are using an IP address that you always want to be able to access WHM, then, by all means, do add that IP address. You can then edit the entry to add a comment for that address.

    EasyApache 4

    Visit “EasyApache 4” in WHM.

    That will show the current profile. (The URL ends with /scripts7/EasyApache4/profile)

    MPM

    From the EasyApache 4 profile page, in the “Current Installed Packages” section, choose “Customize”.

    In the second frame on the left, on the “Apache MPM” page (which is the default), you may find that the default selection is “mod_mpm_prefork”. That choice helps maximize cPanel's compatibility somewhat (minimally), but may have a significant impact on performance. There may also have been some concerns about the stability of mod_mpm_event with older versions of the software, but it should be sufficiently stable in production with the latest versions of cPanel.

    • Recommendation Review: At this point, the minimal benefit in increased compatibility from the simpler mod_mpm_prefork is less likely to help than using mod_mpm_event, so that the server isn't having problems from being overloaded (although the “overload” may largely be eliminated simply by increasing efficiency significantly, by using mod_mpm_event instead of mod_mpm_prefork).

    This guide was written with some positive experience from mod_mpm_event which was chosen for improved performance. (mod_mpm_itk also looks interesting.)

    Switching from mod_mpm_prefork to mod_mpm_event may remove mod_mpm_prefork, mod_ruid2 and mod_cgi, and may add mod_cgid and mod_mpm_event.

    Also, mod_mpm_itk may sound interesting, but may not be as performant as mod_mpm_event, and some of the security that mod_mpm_itk probably introduces can probably also be implemented using mod_mpm_event with mod_suexec and mod_suphp.

    ModSecurity

    There's a multi-part process to getting this going, as described by cPanel Documentation: ModSecurity®

    • In WHM, under EasyApache 4, when customizing, the second frame on the left has “Apache Modules”. If you search for mod_sec then you may find that mod_security2 is installed.
    • In WHM, search for “Feature Manager” and then (under “Packages”), choose to edit a package (e.g. the default package). Enable the “Modsecurity™ Domain Manager” feature. (While you're at it, go ahead and also enable “Zone Editor (AAAA, CAA, DMARC, SRV, TXT)” in addition to the probably-already-enabled “Zone Editor (A, CNAME, MX)”).
    More Modules for security

    • mod_suexec: install
    • mod_suphp: install

    These were desired to force processes that are run through the server, but which belong to a user, to actually run as that user's ID. Some internal documentation at an ISP noted, “This also creates some pain for CGI and PHP developers.” “.htaccess tells the web server to do powerful things, and that just cannot be allowed.”

    Files and directories should be the right permissions. Directory permissions of 755 are preferred, although some guides may indicate 775 may be needed. File permissions of 644 are preferred, although some guides may indicate using 775.

    Items with incorrect permissions will not run when these modules are installed. That limitation is desired, for security.
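    As an added example (not from cPanel, suEXEC/suPHP or this guide), here is a POSIX shell audit for a document root that reports the entries these “run as the account owner” modules refuse, namely anything group- or world-writable, and warns about modes other than the 755/644 the guide prefers; the sample tree it builds in a temporary directory is constructed for the demo.

```shell
#!/bin/sh
# Added example (not cPanel's or this guide's own code): audit a document root
# for permissions that suEXEC/suPHP-style modules refuse. Both reject scripts
# that are group- or world-writable, or that sit in a group- or world-writable
# directory, so those are reported as errors. Directories other than 0755 and
# files other than 0644 (content) or 0755 (CGI scripts, which suEXEC needs to
# be executable) are reported as warnings only.

# Print every entry below $1 that is group- or world-writable, one per line.
list_writable_entries() {
  find "$1" -mindepth 1 \( -type d -o -type f \) \( -perm -020 -o -perm -002 \)
}

# Number of group/world-writable entries below $1 (what a pre-deploy check gates on).
count_writable_entries() {
  list_writable_entries "$1" | wc -l | tr -d ' '
}

# Warn about non-standard modes without failing the audit.
report_nonstandard_modes() {
  find "$1" -mindepth 1 -type d ! -perm 755 \
    -exec printf 'warn: dir %s is not 0755\n' {} \;
  find "$1" -mindepth 1 -type f ! -perm 644 ! -perm 755 \
    -exec printf 'warn: file %s is neither 0644 nor 0755\n' {} \;
}

# Build a constructed sample tree in a temp dir and print its path:
#   good/ (0755) with index.php (0644)  -> clean
#   bad/  (0775) with script.php (0666) -> both group-writable
make_sample_docroot() {
  root=$(mktemp -d) || return 1
  mkdir "$root/good" "$root/bad"
  : > "$root/good/index.php"
  : > "$root/bad/script.php"
  chmod 755 "$root/good"; chmod 644 "$root/good/index.php"
  chmod 775 "$root/bad";  chmod 666 "$root/bad/script.php"
  printf '%s\n' "$root"
}

# Stand-alone demo on the constructed tree. On a live server, point the audit
# functions at an account's public_html instead.
sample=$(make_sample_docroot)
echo "writable entries: $(count_writable_entries "$sample")"   # prints 2
list_writable_entries "$sample"
report_nonstandard_modes "$sample"
rm -r "$sample"
```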

    If people want the PHP extension instead of the HTML file to be loaded, due to a rule in .htaccess, then the following:
    RewriteEngine on
    RewriteRule ^(.*)\.html $1.php
    may be better than another popular approach that could wipe out a site:
    AddType text/x-server-parsed-html .html
    AddType application/x-httpd-php .html

    Ad
    https://forums.cpanel.net/threads/disable-litespeed-advertising-in-webhost-manager.659237/
    More Modules
    More Apache Extensions

    In addition to whatever was specified by the MPM and/or above instructions, the following was recommended (after going to WHM, EasyApache 4, Customize, Apache Modules)

    • mod_auth_digest
      • It asked about a “breakpoint”, so it listed some other modules to install: “mod_authn_anon” was chosen (and Continue selected), and then, after that Continue button was pressed for mod_authn_anon, “mod_authnz_ldap” (and Continue selected).
    • mod_authn_dbd
    • mod_authn_dbm
    • mod_authz_dbm
    • mod_authz_owner
    • mod_http2 (not historically used, but recommended)
    • mod_imagemap
    • mod_mime_magic

    Others may be likely to be pre-chosen, including: mod_bw_limited (described as "Provides cPanel's way of disabling bandwidth exceeders", and so not likely on non-cPanel systems), mod_cgid (or mod_cgi, likely affected by the chosen MPM), mod_dbd, mod_deflate, mod_expires, mod_headers, mod_ldap, mod_proxy, mod_proxy_fcgi, mod_proxy_http, mod_proxy_wstunnel, mod_security2, mod_ssl, mod_unique_id
    PHP

    For each installed version of PHP, maybe:

    • php##-libc-client (not on oldest)
      • (This package was not seen on oldest systems, but was used on newer systems.)
    • php##-pear
      • php73-php-bcmath (not on oldest)
      • php73-php-bz2 (not on oldest)
      • php73-php-calendar (not on oldest)
    • php##-php-cli
    • php##-php-common
    • php##-php-curl
    • php##-php-devel
    • php##-php-fileinfo
    • php73-php-fpm (wasn't on oldest???!!!)
    • php##-php-ftp
    • php##-php-gd
      • php73-php-gettext (not on oldest)
      • php73-php-gmp (not on oldest)
      • php73-php-iconv (not on oldest)
      • php73-php-imap (not on oldest)
      • php73-php-intl (not on oldest)
    • php##-php-lightspeed (although, might want to uninstall if the LiteSpeed Web Server isn't being paid for on this cPanel server??)
      • php73-php-mbstring (not on oldest)
    • php##-php-mysqlnd
    • php##-php-pdo
    • php##-php-posix
      • php73-php-pspell (not on oldest)
        • adding php##-php-snmp
      • php73-php-soap (not on oldest)
      • php73-php-sockets (not on oldest)
    • php##-php-xml
      • php73-php-xmlrpc (not on oldest) (available for PHP 7, maybe not PHP 8)
    • php##-php-zip
    • php##-runtime

    When customizing the profile, the “Next” buttons will move to the next item in the second frame on the left. On the last item of that frame, “Review”, you can use the blue “Provision” button.

    ClamAV for cPanel

    While ClamAV is the name of some software that may be (and probably is more commonly) stand-alone, there is an add-on for cPanel called “ClamAV for cPanel”.

    cPanel documentation: WHM Plugins: Configure ClamAV Scanner says, “For cPanel & WHM version 88 and later, we recommend using ImunifyAV instead of ClamAV.” (Before installing this, you might want to check if ImunifyAV is already installed.)

    This will scan E-Mail messages and will scan files uploaded with cPanel's File Manager.

    However, post by “johnpc at xs4all” as preserved by the Wayback Machine @ Archive.org stated (quite a while ago, in 2008), “Leaving the Phishing.Heuristics.* enabled causes a staggering amount of false positives that, in my opinion, are certainly not worth the tiny fraction of phishes that manage to come through, combined with all other filters we have.” So, this is recommended to be disabled.

    Installation:

    • On the WHM site, search for “Manage Plugins”.
    • Search for ClamAV (or “ClamAV for cPanel”)
      • If you do see a “Pro” version of the Plug-in, that has been noted as being preferred. It does seem that it may not be available, perhaps depending on what version of cPanel is being used. (A CentOS 5 system didn't have that, nor did AlmaLinux 8, but apparently CentOS 6 systems might have?)
    • Click the button labelled, “Install "ClamAV for cPanel"”.
    • Consider disabling Phishing, if that isn't already done.
      • Find the configuration file. e.g., maybe /usr/local/cpanel/3rdparty/etc/clamd.conf (or, according to some older documentation, perhaps /etc/clamd.conf)
      • See what it says. As an example:
        # With this option enabled ClamAV will try to detect phishing attempts by using
        # HTML.Phishing and Email.Phishing NDB signatures.
        # Default: yes
        PhishingSignatures no
        # With this option enabled ClamAV will try to detect phishing attempts by
        # analyzing URLs found in emails using WDB and PDB signature databases.
        # Default: yes
        PhishingScanURLs no


      • If that is what it looks like, then no changes are recommended here. If the file lacks a line that effectively turns off PhishingScanURLs, then back up the configuration file and modify it, and then restart ClamAV.
    • Test this:
      • If you have already set up an E-Mail account on the server, then verify AV scanning is working by sending an EICAR test message to someone on the server. Then search (where? Mail logs that show the portion of SMTP communications that informs what the results were?) for the text “rejected after DATA: This message contains a virus or other harmful content”.
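    As an added example (not ClamAV's or cPanel's own tooling), the following POSIX shell helpers perform the configuration check above: they read a directive's effective value from a clamd.conf file (ignoring comment lines and falling back to the documented default of “yes” when the directive is absent), and change it only after backing the file up. The configuration file path is passed in as a parameter, and the clamd.conf content embedded below is a constructed sample.

```shell
#!/bin/sh
# Added example (not cPanel's or ClamAV's own code). Rules these helpers apply:
# comment lines (#...) are ignored; a directive missing from the file takes the
# default passed in ("yes" for both Phishing options per the comments in
# clamd.conf); if a directive appears several times, the last one is reported.

# clamd_option CONF_FILE NAME DEFAULT -> prints the effective value of NAME
clamd_option() {
  val=$(awk -v name="$2" '
    /^[ \t]*#/   { next }          # skip comments
    $1 == name   { v = $2 }        # last active occurrence wins
    END          { print v }' "$1")
  if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# phishing_options_disabled CONF_FILE -> 0 only if both options are effectively "no"
phishing_options_disabled() {
  [ "$(clamd_option "$1" PhishingSignatures yes)" = no ] &&
  [ "$(clamd_option "$1" PhishingScanURLs yes)" = no ]
}

# set_clamd_option CONF_FILE NAME VALUE
#   Copies CONF_FILE to CONF_FILE.bak.<timestamp>, comments out any active line
#   for NAME, and appends "NAME VALUE". clamd must be restarted afterwards.
set_clamd_option() {
  cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)" || return 1
  tmp=$(mktemp) || return 1
  awk -v name="$2" -v value="$3" '
    !/^[ \t]*#/ && $1 == name { print "#" $0 "   # disabled by set_clamd_option"; next }
    { print }
    END { print name " " value }' "$1" > "$tmp" && cat "$tmp" > "$1"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Constructed sample: PhishingSignatures is off, but PhishingScanURLs is only
# present as a comment, so it is still "yes" by default and the file needs editing.
make_sample_conf() {
  f=$(mktemp) || return 1
  cat > "$f" <<'EOF'
# With this option enabled ClamAV will try to detect phishing attempts by using
# HTML.Phishing and Email.Phishing NDB signatures.
# Default: yes
PhishingSignatures no
# PhishingScanURLs no
LogFile /var/log/clamd.log
EOF
  printf '%s\n' "$f"
}

# Stand-alone demo on the constructed sample file.
conf=$(make_sample_conf)
clamd_option "$conf" PhishingSignatures yes   # prints no
clamd_option "$conf" PhishingScanURLs yes     # prints yes (absent, so default applies)
phishing_options_disabled "$conf" || set_clamd_option "$conf" PhishingScanURLs no
phishing_options_disabled "$conf" && echo "phishing heuristics now disabled"
rm -f "$conf" "$conf".bak.*
```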
    Password Strength Configuration
    • May want to enforce password strength
      • in cPanel WHM, choose “Password Strength Configuration”
    • 50 is the default. Some discussion at an ISP recommended 100.
      • “easy to get a score of 50 with an extremely weak password (one lowercase word plus 3 digits) because adding each digit gives you about 12 points (even if sequential and adjacent).” 70 is “Easily reached with only lowercase, a digit or two, plus a symbol. Conscientious users should try to get this to 100.”
        • More discussion noted, “DoD minimum requirement passwords are rarely lower than 100. To lower the number of instances we get of compromised passwords, enforcing this would be an easy, albeit slightly annoying, requirement for our users.”
    SSH Password Authorization Tweak
    If you wish to disable passwords site-wide, and require SSH keys, that may be doable here. Note that passwords are far easier to type in, in the event that SSH keys are not easy to use (due to some networking troubles that still allow SSH, or lost keys, and probably various other potential reasons).
    Add IP addresses

    Add a new IP address

    If using a /28, with first being the default gateway, then you may want a total of 13 IPv4 addresses, one of which is probably already working. (So, you'll end up with one of 16 addresses being the “network ID” and another one of the 16 being the “broadcast address”, both of which are widely implemented as “unusable” in IPv4. One other address is presumably used up for another device which serves as a “default gateway”. That leaves 13 addresses, one of which will be the server's primary address, and 12 additional addresses the server could use as well.)

    If an IPv4 /28, the equivalent subnet mask is 255.255.255.240 (Use ][CyberPillar]['s VLSM Chart if it helps.)

    Although, you likely don't need the subnet mask. You can add a group, e.g. 192.0.2.128/28. You can take that “network ID” and “prefix size” in CIDR notation, and type that directly in the “IP Range” field, the first field. Then just ignore the subnet mask field.

    Then, it will likely skip the one that is the default gateway, conveniently adding just the IP addresses that are desired.

    If you add something undesirable, there is a "Show or Delete Current IP Addresses" option in WHM that can be used if needed.

    After adding the IP addresses, it may also be helpful to search for, and then choose, the option/area in WHM named “Rebuild the IP Address Pool”.

    Other great common steps

    Ensure that what you want whitelisted, is. e.g., in cPhulk, and also in the firewall (e.g. if you installed CSF).

    If you have some defined packages / Reseller accounts/etc., such customizations may be appropriate.

    Recommended Enhancements

    e.g., more excellent packages...

    dnf -y install ncdu
    dnf -y install pv
    dnf -y install p7zip
    dnf -y install atop
    dnf -y install iotop
    dnf -y install htop
    dnf -y install mytop
    dnf -y install nfs-utils
    dnf -y install screen

    Some people may prefer a machine identify itself, while others may prefer less sharing in order to maximize a sense of privacy. If you are in the former group and would like to use LLDP, then:

    dnf -y install lldpd
    • Some thoughts about expanding this section...
      • Is atop records being taken automatically, or does that need to be set up?
      • Is LLDP implemented right away, or does a manual action need to be taken to ensure that gets started (and will continue to do so automatically)?
      • About NFS:
        • Some older documentation said to use “yum install nfs-utils nfs-utils-lib”. The nfs-utils-lib didn't seem to exist in AlmaLinux, but maybe some older operating system versions/releases had such a package which was useful?
        • not needed? yum install rpcbind, chkconfig rpcbind on && service rpcbind start
      • What software helps to implement s/key / opie? (Uses PAM?)
        • Maybe Google Authenticator??
    Let's Encrypt (SSL Certificates)

    Regardless of whether you have any immediate need for using Let's Encrypt, this guide recommends installing it. Sometimes cPanel's preferred vendor of Sectigo has been known to seemingly get hung up on a renewal. Using Let's Encrypt, at least temporarily, could help resolve that. However, the installation of Let's Encrypt has been known to move, requiring an updated installer (bundled with cPanel/WHM updates). In some scenarios, just having the software installed may provide some more flexibility than if it wasn't installed yet.

    First, simply run:

    /usr/local/cpanel/scripts/install_lets_encrypt_autossl_provider

    Once that completes successfully:

    • in WHM, go to “Manage AutoSSL”
    • On the default tab, named “Providers”, look to see what is currently selected. (Remember that.)
    • On that same “Providers” tab, choose “Let's Encrypt™”.
    • Carefully review the referenced “terms of service” document with all of the due diligence that such an activity deserves. (e.g. https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf has been used, at least as late as 2022-April)
    • Check the box stating “I agree to these terms of service.”
    • You might want to leave the checkbox named “Recreate my current registration with “Let's Encrypt™” in the unchecked state.
    • Click “Save”, which saves the fact that these terms have been accepted.
    • Good job. Now, consider which provider you'd really like to use. Perhaps you want to go back to the prior selection (e.g., “cPanel (powered by Sectigo)”)

    Related documentation:

  • cPanel Company Blog: How to Configure and Manage Let’s Encrypt in cPanel
  • cPanel KB: Third Party: The Let's Encrypt Plugin
    SSL Certificates

    You may find that you don't need to worry about SSL certificates until after the server is installed. If you do need to renew/apply an SSL certificate for the server (even after installation), here are some quick tips:

    • For a site, you may wish to check out:
      • The customer's account, as shown by “List Accounts” (This is similar to what a customer can see when logging into TCP port 2083.)
      • Ensure the server has a good certificate.
        • From the customer's account as shown by (“List Accounts” in WHM, or logging in using TCP port 2083), choose “SSL/TLS”. (For this step of checking things out, the hyperlink is just labelled “SSL/TLS”, not “SSL/TLS Status” or any other icon that might have a similar name.)
          • In the right frame, under “CERTIFICATES (CRT)”, click the hyperlink that says “Generate, view, upload, or delete SSL certificates.”
            • Here, you can see what certificates exist, and upload information about a new certificate if needed.
          • In the right frame (back under the “SSL/TLS” hyperlink), under the section titled “INSTALL AND MANAGE SSL FOR YOUR SITE (HTTPS)”, choose “Manage SSL sites.”
            • If a site is going to be working,
      • Ensure site SSL settings are good
        • From the customer's account as shown by (“List Accounts” in WHM, or logging in using TCP port 2083), choose “SSL/TLS”. (For this step of checking things out, the hyperlink is just labelled “SSL/TLS”, not “SSL/TLS Status” or any other icon that might have a similar name.)
          • In the right frame, under “INSTALL AND MANAGE SSL FOR YOUR SITE (HTTPS)”, click the hyperlink that says “Manage SSL sites.”
            • This may bring you to a URL that includes “https://” and “:2083/cpsess” (followed by 10 digits) followed by /frontend/paper_lantern/ssl/install.html
            • From here, you'll want to see the domain name listed in the “FQDN” column, and showing green. The “Certificate Expiration” should be a date which is not in the past.
            • If you don't see that, you may wish to check AutoSSL settings (as noted below), and/or starting to use a new certificate. To start using a new certificate, the “Browse Certificates” button may help. If you only have partial information, the “Autofill by Domain” button may help (and even if you have full information, using that button may be able to speed things up). If you lack the certificate (CRT) or the “Private Key”, then you may need to generate a new key, then generate a CSR that is related to that key, and then get a new certificate. (Many registrars will do this for free if you recently purchased/renewed a certificate and report that you can't get that certificate to work, and if you supply a new CSR to them. CSR files are only good when using the key that the CSR file was made from.)
      • If using Auto-SSL, check on that:
        • From the customer's account as shown by (“List Accounts” in WHM, or logging in using TCP port 2083), choose “SSL/TLS Status”.
        • If a domain isn't working, ensure that the DNS name server (“NS record”) is pointing to the cPanel server. (AutoSSL won't work for that domain until that is done, although if the DNS name server (“NS record”) setting points elsewhere, you may wish to check why. Often, if the DNS name server (“NS record”) is pointing somewhere else for a domain that has been getting actively used, then there is a reason for that and the plan is to not have this cPanel server provide AutoSSL certificates for that specific (sub-)domain.)
    • For the server itself, you may wish to check out:
      • In WHM, choose “Manage Service SSL Certificates”.
        • This may bring you to a URL that includes “https://” and “:2087/cpsess” (followed by 10 digits) followed by /scripts2/manageservicecrts
        • Choose the “Browse Certificates” button.
          • To find the right certificate, you might need to choose “Browse account” and choose “root” from the drop-down box, or choose “Browse Apache”.
          • If the certificate is going to be one by cPanel's default AutoSSL provider, which is Sectigo, then choose the one from Sectigo (e.g., may show a domain name, or a “wildcard” domain name like “*.example.org”)
          • Click Use Certificate,
        • check the boxes,
          • Calendar, cPanel, WebDisk, Webmail, and WHM Services
          • Dovecot Mail Server
          • Exim (SMTP) Server
          • FTP Server
    Initial Quota Setup
    • If you want to have quotas per user on disk space, enforced at the operating system level, go ahead and install quotas.
    • If you have XFS installed, this will require a reboot afterward.
    Handle /tmp/ preferred setup

    Note: Maybe you want to skip these instructions entirely. Next to these instructions, there was a note to hold off on this until verifying impact on security.

    Also, beware: some directions seemed to specify just part of /etc/fstab's line for /tmp, which led to the system booting into Emergency Mode.

    • umount /tmp
    • ls -lR /tmp/
    • ls -ld /tmp/
    • ls -lR /var/tmp/
    • ls -ld /var/tmp/
    • Remove all contents of /var/tmp
      • Maybe: (test in safe spot first...) do not: rm -rf /var/tmp/* # rm -rf is very dangerous so always be careful when using it, e.g. double-check no typos
      • do not: rm -rf /var/tmp # rm -rf is very dangerous so always be careful when using it, e.g. double-check no typos
        • That will remove the directory. Also don't rm -rf the .* from within there, as you don't want to rm -rf the .. directory. Be careful on this...
    • mkdir /var/tmp
    • chmod 1777 /var/tmp
    • backup /etc/fstab, edit /etc/fstab
      • If there is any reference to /usr/tmpDSK (probably created by cPanel) then comment that out
      • Comment out any line related to /tmp or /var/tmp or /dev/shm so you can instead use the following lines.
      • Add the following lines:
          tmpfs     /dev/shm    tmpfs   defaults                                       0 0
          tmpfs     /tmp        tmpfs   mode=1777,nodev,noexec,nosuid,rw,size=1536m    0 0
          /tmp/     /var/tmp    xfs     bind,mode=1777,nodev,noexec,nosuid,rw          0 0
      • mount /tmp/
      • mount /var/tmp
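    As an added check (not part of cPanel or this guide), the following POSIX shell script confirms from the kernel's mount table (a /proc/mounts-style listing) rather than from /etc/fstab that /tmp, /var/tmp and /dev/shm actually carry nodev,noexec,nosuid after the mounts above; the mount table embedded in it is a constructed sample, and on a real host you would pass the contents of /proc/mounts instead.

```shell
#!/bin/sh
# Added example (not cPanel's or this guide's code). /proc/mounts has one line
# per mount: <device> <mountpoint> <fstype> <options> <dump> <pass>. A later
# line for the same mountpoint shadows an earlier one (e.g. a bind mount over
# an existing directory), so the last match is the one that counts. Paths with
# spaces appear escaped (\040) in the real file; the sample has none.

# Constructed sample: /tmp is hardened, /var/tmp is bind-mounted but without the
# hardening options applied, /dev/shm lacks noexec.
SAMPLE_MOUNTS='/dev/sda2 / xfs rw,relatime,attr2,inode64 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=1572864k 0 0
/dev/sda2 /var/tmp xfs rw,relatime,attr2,inode64 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# missing_mount_opts MOUNTS_TEXT MOUNTPOINT REQUIRED_OPTS
#   Prints each option from the comma-separated REQUIRED_OPTS that MOUNTPOINT
#   lacks, one per line, or "not-mounted" if MOUNTPOINT is absent from the
#   table. Returns 0 only when nothing is missing.
missing_mount_opts() {
  opts=$(printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { o = $4 } END { print o }')
  if [ -z "$opts" ]; then
    echo not-mounted
    return 1
  fi
  rc=0
  for want in $(printf '%s' "$3" | tr ',' ' '); do
    case ",$opts," in
      *",$want,"*) ;;
      *) echo "$want"; rc=1 ;;
    esac
  done
  return $rc
}

# check_tmp_hardening MOUNTS_TEXT
#   Reports on the three mountpoints the fstab lines above cover and returns
#   the number of mountpoints that failed.
check_tmp_hardening() {
  failures=0
  for mp in /tmp /var/tmp /dev/shm; do
    if missing=$(missing_mount_opts "$1" "$mp" nodev,noexec,nosuid); then
      echo "ok   $mp"
    else
      echo "FAIL $mp missing: $(printf '%s' "$missing" | tr '\n' ' ')"
      failures=$((failures + 1))
    fi
  done
  return $failures
}

# Demo on the constructed table (expected: /tmp ok, /var/tmp and /dev/shm FAIL).
# On a real host: check_tmp_hardening "$(cat /proc/mounts)"
check_tmp_hardening "$SAMPLE_MOUNTS" || echo "$? mountpoint(s) need attention"
```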
    Reboot

    You can use “systemctl reboot”, or from WHM choose “Graceful reboot”.

    Make sure everything looks well. (e.g., did all desired IP addresses get assigned?)

    Show/Reserve IPs
    • In WHM, choose “Show/Edit Reserved IPs”.
      • It will show you a list of addresses that cPanel may consider using.
    • See if there are any addresses that you want to make sure are not used by cPanel to use for a customer account.
      • e.g., if you have an IP address for backups
      • (cPanel probably won't bother to show any Loopback address like IPv4 127/8 on a device with a name starting with “lo” optionally followed by a number).
    Backups

    There are various methods to create backups. Back in the day, cPanel took a working backup system and renamed it to “Legacy Backup”, alongside a newer Backup option. Legacy Backup was known to use fewer resources (hogging up less disk I/O and network bandwidth/“I/O”). Eventually Legacy Backup got dropped from newer installations.

    This guide does not try to specify all of the backup details, but just has some advice to consider.

    About NFS in cPanel

    This guide has some tips about using NFS. That isn't necessarily meant as a recommendation to use NFS. (This guide was made with some precedent in mind.) cPanel doesn't officially support NFS. (That statement deserves some clarification. The software may work with NFS, but the cPanel company doesn't want to be officially obligated to provide technical support for NFS.)

    Mentions of non-support include:

    • https://docs.cpanel.net/installation-guide/system-requirements-almalinux/#filesystems
    • https://support.cpanel.net/hc/en-us/articles/360050039814-Can-I-use-NFS-mounts-for-backups-
    • https://support.cpanel.net/hc/en-us/articles/1500007697561-Does-cPanel-support-Network-File-Systems-
    • https://features.cpanel.net/topic/real-nfs-support-for-legacy-and-new-backup-systems

    In particular, know that if a backup server goes down, that can be problematic with NFS. Any machine with an NFS client that thinks it is connected will wait for that backup server. This has been known to lead to some extreme slowdown and high “load” values being reported. The most effective solutions may be to restore the NFS server and hope things get better quickly, or to do something like a lazy unmount (which is widely discouraged due to the potential or real problems that can result from it, and problems with data are not good things), or to force an unmount by rebooting the entire server. With such unpleasantness, it may be best to look into some other option like rsync.

    Some steps:

    • Make sure the NFS drive can be mounted.
      • sample mount options to consider using: rw,soft,intr,tcp,noauto,noacl,nolock
      • sample mount options to consider using: rsize=32768,wsize=32768,noatime,rw,soft,intr,tcp,noauto,noacl,nolock
      • in /etc/fstab, specifying “ 5 5” after the mount options seemed preferable (based on some pre-existing installations on older machines that had actual production use)
    • auto mounted by cpanel backup process
    • Set up backups in cPanel
      • cPanel has had multiple backup implementations. Not all of them are going to be documented much here.
        • cPanel KB: cPanel Deprecation, 2022-March-22 update, specified: “WHM’s Restore a Full Backup/cpmove File interface” (deprecated cP/WHM 88 and removed cP/WHM 90)
          • Recommended instead: “Use WHM’s Transfer or Restore cPanel Account interface (WHM >> Home >> Transfers >> Transfer or Restore a cPanel Account).”
          • “Legacy Backups” were deprecated since cP/WHM 64, and not installed with newer cPanel installations since then. The recommendation instead was “Use WHM's Backup Configuration interface (WHM >> Home >> Backup >> Backup Configuration”
    • Enable backup activity (default is unchecked, so change that). Global settings: Uncompressed Incremental might sound recommended (it reduces unnecessary wear and tear, since each run copies only changed files). But if you do select this, cPanel says, “You can only use the Rsync transport with incremental backups.” Since the maker of this guide wasn't using rsync, incremental was not chosen.
    • Days to back up
      • Recommended: every day (even though the default was just Sunday, Tuesday, Thursday, Saturday)
      • Recommended amounts, if you can afford the space: 8 daily (not 5), 6 weekly (not 4; weekly is not enabled by default), 3 monthly (not the default of 1; monthly is not enabled by default either). For monthly, if you have at least 2, you can choose both the 1st and 15th of the month (not just the 1st, which is the default). These recommended amounts for daily and monthly were to make sure we keep some until the next higher backup tier (even, for example, in a month with 5 Tuesdays). Maybe the numbers are higher than they need to be for that goal.
    • Do back up suspended accounts, and access logs. The SQL default is "Per Account Only"; choose "Per Account and Entire MySQL Directory" so that the MySQL data directory is kept as well as the per-account dumps.
    • Do check “Mount Backup Drive as Needed”. With this checked, cPanel checks whether the backup destination is listed as a mount (in /etc/fstab) and, if it is unmounted, tries to mount it before a backup; if mounting fails, it does not back up. If this is unchecked, if memory recalls, cPanel just backs up without checking whether the drive is mounted. That could fill / with backup data, and if /backup/ is mounted later, the data written to /backup/ before the mount ends up hidden underneath the mount point until /backup/ gets unmounted again (while still consuming space on / the whole time).
      • Choosing this will disable the “File and Directory Restoration” option (as noted by the “File and Directory Restoration” section/item in WHM).
    • Note, if you then use the “Save Configuration” button, and then choose the “Additional Destinations” tab, and then go back to the default “Backup Settings” tab, it will look like no changes took effect. However, if you go to another section in WHM, and then back to the “Backup Configuration” section, then you will see the desired changes did, indeed,
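The failure mode described under “Mount Backup Drive as Needed” (writing into an unmounted /backup and filling /) is worth guarding against in any script of your own that writes there. The following is an added example, not cPanel's code and not something from the original page: it reads a mount table, refuses unless the target is a read-write NFS mount, and says why it refused. The mount table is a parameter so the logic can be exercised against a constructed sample; on a live host pass /proc/mounts (the one-liner equivalent for the first check is “mountpoint -q /backup”). The hostnames and paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not cPanel's own code: a pre-backup guard for the failure mode
# described above. If /backup is not actually mounted, anything written there
# lands on / and is hidden as soon as the NFS share does get mounted. The mount
# table is a parameter so the check can be exercised against a constructed
# sample; on a live host pass /proc/mounts.

# usage: mounted_fs DIR MOUNTS_FILE
# prints the filesystem type if DIR is a mount point in MOUNTS_FILE, else returns 1
mounted_fs() {
    awk -v dir="$1" '$2 == dir { print $3; found = 1 } END { exit !found }' "$2"
}

# usage: mount_has_option DIR OPTION MOUNTS_FILE -> 0 if the mount lists OPTION
# (the fourth column of the mount table is the comma-separated option list)
mount_has_option() {
    awk -v dir="$1" -v want="$2" '
        $2 == dir { n = split($4, opt, ","); for (i = 1; i <= n; i++) if (opt[i] == want) ok = 1 }
        END { exit !ok }' "$3"
}

# usage: backup_target_ok DIR MOUNTS_FILE
# returns 0 only when DIR is a read-write NFS mount; explains any refusal on stderr
backup_target_ok() {
    fstype=$(mounted_fs "$1" "$2") || { echo "refusing: $1 is not a mount point" >&2; return 1; }
    case "$fstype" in
        nfs|nfs4) ;;
        *) echo "refusing: $1 is mounted, but as $fstype rather than NFS" >&2; return 1 ;;
    esac
    # a share that came back read-only after a server outage would fail mid-run
    mount_has_option "$1" rw "$2" || { echo "refusing: $1 is not mounted read-write" >&2; return 1; }
}

# on a live host: only proceed when the backup share is really there
if backup_target_ok /backup /proc/mounts; then
    echo "/backup is a read-write NFS mount; safe to write backups"
fi
```

Run it as a pre-step in a cron job or wrapper, and exit non-zero on refusal so the backup run is visibly skipped rather than silently landing on the root filesystem.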
    Backscatter reduction
    • Rationale:
      • Experienced technician(s) who oversaw multiple servers at an ISP, perhaps for decades, concluded that the best destination for the “nobody” alias is a path, /dev/null, so that mail addressed to that account is discarded instead of being forwarded to root.
      • Avoid using WHM for this
        • Apparently WHM has contained JavaScript that prevents a path from being entered, and prefers a destination which may be an E-Mail address or a name (like an account name) which may be treated as an E-Mail address.
        • Advice was to try editing the file directly, or to disable JavaScript.
          • However, disabling JavaScript is too unpleasant. The way to do that likely differs between browsers, and even browser versions. As a result, implementing such a rarely-used technique may often take as much effort as just editing the file another way. (Plus, disabling JavaScript was, and still is, quite simply, untested at the time of this writing.)
    • Actions:
      • Back up /etc/aliases
      • Edit /etc/aliases
      • find the line that says:

        nobody:	root

        and change it to say:

        nobody:	/dev/null

        (Naturally, save the desired change to the file.)
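For the edit above, here is an added example (not code from the page or from cPanel) that makes the change without hand-editing: it keeps a dated backup, rewrites the first matching alias line whatever whitespace follows the colon, appends the entry if the name is absent, and verifies the result. The file path is a parameter so you can try it on a scratch copy before pointing it at /etc/aliases (where it needs root). It assumes GNU sed (sed -i), as shipped on AlmaLinux.

```shell
#!/bin/sh
# Added example, not from the page: set an entry in an /etc/aliases-style file
# safely. The WHM form rejects a path as the destination, so the change is made
# in the file itself. Assumes GNU sed for the in-place edit.

# usage: set_alias ALIASES_FILE NAME DESTINATION
set_alias() {
    f=$1 name=$2 dest=$3
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    cp -p "$f" "$f.bak-$(date +%Y%m%d%H%M%S)" || return 1
    # alias lines look like "name: destination" with any amount of whitespace
    # after the colon; rewrite the first match, or append if the name is absent
    if grep -q "^$name[[:space:]]*:" "$f"; then
        sed -i "s|^$name[[:space:]]*:.*|$name: $dest|" "$f"
    else
        printf '%s: %s\n' "$name" "$dest" >> "$f"
    fi
    # verify exactly one definition remains and it is the one we wanted
    [ "$(grep -c "^$name[[:space:]]*:" "$f")" -eq 1 ] &&
        grep -q "^$name[[:space:]]*:[[:space:]]*$dest\$" "$f"
}

# usage: alias_target ALIASES_FILE NAME -> prints the current destination
alias_target() {
    sed -n "s/^$2[[:space:]]*:[[:space:]]*//p" "$1"
}
```

Exim's lsearch lookups read the plain text file, so no newaliases step is needed where the alias file is consulted that way; on an MTA that keeps a compiled alias database, run newaliases afterwards.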

    SQL
    MySQL
    In WHM, choose “MySQL Root Password”
    PostgreSQL
    • See if ~root/.pgpass exists, and see if /var/lib/pgsql/data/pg_hba.conf exists. Back up either one that does, e.g.:
      sudo cp -pi /var/lib/pgsql/data/pg_hba.conf /var/lib/pgsql/data/.backup-orig-pg_hba.conf
    • In WHM (in the left frame, within “SQL Services”), choose “Configure PostgreSQL”, and choose “Install Config”. Also enter a password (recommended; and record it).
    Security Advisor

    In WHM, go to “Security Advisor”.

    About some specific issues:

    “Important” (Red background)
    Apache vhosts are not segmented or chroot()ed.
    • mod_ruid2 may be disabled due to the Apache MPM chosen, e.g. if choosing the high-performance “mod_mpm_event” (mod_ruid2 needs the prefork MPM). If that is the cause, then don't worry about it: mod_suexec and mod_suphp (if both installed), or PHP-FPM (which runs each account's pool as that account's user), provide similar per-user separation.
    • Although, do go ahead and click on “Manage Shell Access” and see if there are any users listed that aren't using the “Jailed Shell”. (This has been known to be blank under the “User”/“Domain”/“Jailed shell”/etc. section.)
    Kernel does not support the prevention of symlink ownership attacks.
    If you see this, look to see if there is another item called “Add KernelCare’s Free Symlink Protection.”. If so, ignore this for now, and follow the below documentation about how to handle the item named “Add KernelCare’s Free Symlink Protection.” Doing so is likely to make this look resolved as well.
    Add KernelCare’s Free Symlink Protection.
    • If red, the description may look like this: “This free patch set protects your system from symlink attacks. Add KernelCare’s Free Patch Set. Add KernelCare’s Free Symlink Protection. NOTE: This is not the full KernelCare product and service.” “You can protect against this in multiple ways. Please review the following documentation to find a solution that is suited to your needs.”
      • The “Add KernelCare’s Free Symlink Protection” hyperlink may go to scripts13/add_kernelcare_free_symlink_protection underneath the current WHM login session URL start (under something like http://example.com:2087/cpsess##########/).
        • If you run that, you may:
          • briefly see: “Ensuring that KernelCare is installed ...” “The free symlink protection patch is being enabled. You will be redirected to SecurityAdvisor when this is complete.”
          • See a new issue: “Detected 1 service that is running outdated executables: httpd.service”. Follow the instructions (except use sudo as needed, so, run “sudo systemctl restart httpd.service”.) Then click the “Scan Again” button on the “cPanel Security Advisor” page, or re-load the “cPanel Security Advisor” page, and see if that more recent notification went away nicely.
      • The description hyperlink goes to a redirection to https://docs.cpanel.net/ea4/apache/symlink-race-condition-protection/ (which apparently documents multiple possible fixes).
    • The easy fix: This can be addressed by clicking on the link that appears in the description when this is a problem, which is labelled “Add KernelCare’s Free Symlink Protection”
    • https://forums.cpanel.net/threads/free-symlink-protection-from-kernelcare-post-5-000-lol.681945/ makes it sound like this might just not be available for some kernels (e.g. perhaps new kernels?) until a patched version gets made. So maybe this will occur with updates? https://forums.cpanel.net/threads/can-not-install-kernelcares-free-patch.666129/ makes it look like this can be installed using “yum install kernelcare” or “curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash” and when someone asked, “Does need kernelcare paid license key for Add KernelCare’s Free Symlink Protection”, the answer was, “No, you do not.”
    “SSH password authentication is enabled.”
    But using SSH password authentication may be nice in situations where an SSH key is not conveniently available. Admittedly, password authentication is the less secure approach (it is what brute-force bots try), but it may still be sufficiently secure in some situations and can help recover from some downtime scenarios more quickly. If it stays on, make sure cPHulk Brute Force Protection (WHM >> Security Center) is enabled, since it covers SSH logins through PAM, and use long passphrases for any account that can reach root.
    SSH direct root logins are permitted.
    The advice provided should be not-too-terribly-painful to implement if you have another, less standardized and therefore hopefully-more-secret account name that can be logged into, and if that account can use sudo to effectively become the “root” account (preferably without a password, to reduce annoyance and increase some compatibility, although that is less secure). Or, perhaps instead of sudo, that user account could hold an SSH key for root while root is set to PermitRootLogin prohibit-password (the keyword formerly spelled without-password), which permits key-based root logins but never password ones. So, in general, this is a good idea to remedy (if handled right, although handling this may take a bit of effort). Note that sshd uses the first value it reads for each keyword, so confirm the result with sudo sshd -T rather than trusting a line appended at the end of the file.
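Two sshd_config rules make these two Security Advisor items easy to get wrong: sshd takes the first occurrence of a keyword (an appended “PermitRootLogin no” below an earlier “yes” changes nothing), and on AlmaLinux 9 /etc/ssh/sshd_config begins with “Include /etc/ssh/sshd_config.d/*.conf”, so those drop-in files are read first and win. A third gotcha is that with UsePAM yes, keyboard-interactive authentication still prompts for a password even when PasswordAuthentication is no, so both must be off. The following added example (not from the page, cPanel or OpenSSH) computes the effective value offline, honouring Include order and ignoring Match blocks; the sample files in the test are constructed, and it assumes Include patterns without spaces. On the live host, sudo sshd -T remains the authoritative check.

```shell
#!/bin/sh
# Added example, not cPanel or OpenSSH code: report the value sshd will really
# use for a keyword, following the first-occurrence rule and Include order.
# Directives under a Match block are skipped because they apply only to
# matching connections. Assumes Include patterns contain no spaces.

# usage: sshd_flatten FILE -> prints directives in the order sshd reads them,
# expanding Include lines (relative patterns are resolved under /etc/ssh)
sshd_flatten() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            [Ii][Nn][Cc][Ll][Uu][Dd][Ee][[:space:]]*)
                for pat in ${line#[Ii][Nn][Cc][Ll][Uu][Dd][Ee]}; do
                    case "$pat" in /*) set -- $pat ;; *) set -- /etc/ssh/$pat ;; esac
                    for f in "$@"; do
                        if [ -f "$f" ]; then sshd_flatten "$f"; fi
                    done
                done ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# usage: sshd_effective KEYWORD[|ALIAS] FILE -> first global value, or "(default)"
# (aliases such as KbdInteractiveAuthentication|ChallengeResponseAuthentication
# share one setting in sshd, so the first of either name wins)
sshd_effective() {
    sshd_flatten "$2" | awk -v key="$1" '
        BEGIN { key = "^(" tolower(key) ")$" }
        { sub(/#.*/, "") }                       # strip comments
        NF == 0 { next }
        tolower($1) == "match" { inmatch = 1 }   # everything after Match is conditional
        inmatch { next }
        tolower($1) ~ key && !found { found = 1; print $2 }
        END { if (!found) print "(default)" }'
}

# usage: sshd_root_exposed FILE -> 0 (true) if root could log in with a password.
# PermitRootLogin defaults to prohibit-password (OpenSSH 7.0+), so only an
# explicit "yes" counts; both password paths default to yes when unset.
sshd_root_exposed() {
    [ "$(sshd_effective PermitRootLogin "$1")" = yes ] || return 1
    pw=$(sshd_effective PasswordAuthentication "$1")
    kbd=$(sshd_effective 'KbdInteractiveAuthentication|ChallengeResponseAuthentication' "$1")
    [ "$pw" != no ] || [ "$kbd" != no ]
}
```

A typical run on a host is “sshd_root_exposed /etc/ssh/sshd_config && echo 'root password login possible'”; if that fires after you have added hardening lines, look for an earlier occurrence of the keyword, most often in a drop-in under /etc/ssh/sshd_config.d/.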
    Recommendations (Yellow)
    /etc/shadow has non default permissions. Expected: 0200 0600, Actual: 0000.
    Ha! AlmaLinux (like the rest of the RHEL family) ships /etc/shadow as mode 0000, owned by root. That looks senseless, but root ignores the permission bits anyway, so the file stays perfectly usable, and no other user can read it under either mode, so 0000 is if anything slightly more restrictive than what Security Advisor expects. Don't feel a need to change that on the grounds of security; ignore this recommendation.
    WHM's “Tweak Settings”

    • gzip compression level
      • default is 6. Ugh. Use 9
        • Rationale: gnu.org: gzip documentation (referred to by http://gzip.org/, and seemingly the basis for man pages) says, “The default compression level is -6 (that is, biased towards high compression at expense of speed).” That might sound good, but this is based on compression/speed trade-offs decided on a long time ago. RFC 1952: GZip is dated May of 1996. Even -9 is typically fast by modern standards, though be aware it gains only a few percent in size for noticeably more CPU time, so on a busy shared host keep backup runs in a low-traffic window.
    • pigz
      • default is 1. Let's set to at least 2 to enable some multi-processor usage.
    • “Display File Usage information in the cPanel stats bar (inode count)” : Default off. Recommended to set to On if it doesn't cause too much slowdown.
    • Number of accounts per page: Set to All if your cPanel server is likely to be serving less than 150 accounts. This probably won't cause too much slowdown, but eliminates some need for additional human interaction.
    • Allow unregistered domains: Recommended to flip from default (Off) to On. (Speculation on the reason why: it might let a domain be set up before registration completes, or deal with DNS offloaded onto another system. Note the trade-off: with this on, an account can add a domain that nobody has registered yet.)
    • “Thunderbird and Outlook autodiscover and autoconfig support (enables service subdomain and SRV record creation)”: recommended to leave Off.
      • Rationale: with it On, experience involved “a bad interaction with Outlook autodiscover for customers with their own mail servers” (customers using cPanel for websites only). Leaving it Off saves having to turn off such an SRV record for each of those customers.
    • “Initial default/catch-all forwarder destination” flip from default “System account” to “Fail”.
    • “Mail authentication via domain owner password” flip from default Off to On.
    • “Enable SpamAssassin Spam Box delivery for messages marked as spam (user configurable)” Commentary: “This is not a recommended feature since it dumps all users' spam into one folder for the whole cpanel account, but they can use if it they want to.”
    • “Notify admin or reseller when disk quota reaches “warn” state” Flip from default “Off” to “On”
    • cPanel PHP Loader: might want to check an option (e.g. “ioncube”)
    • “Allow users to update Awstats from cPanel” : flip to “On” if “Delete each domain’s access logs after stats run”, an option below, is on.
    • “Awstats reverse DNS resolution” Flip to On
    • “Delete each domain’s access logs after stats run” might be good to turn off
    • “Display documentation links in cPanel interface” defaults to Off. (Flipped to On.)
    • “The interval, in days, to retain Exim stats in the database (Minimum: 1; Maximum: 365,000)” Recommended: 15. Old documentation stated a default of 30, but newer default appears to be 10. Some documentation also described why not to use 30: “to reduce MySQL DB size on all servers, for some reason this DB creates excessive load when backing up.” (That may be with rather old software versions, e.g. the “Legacy” backup code cPanel used.)
    • One option in newer cPanel is called "I/O priority level at which dovecot_maintenance is run" whereas some older documentation had called this "email_archive_maintenance" instead of "dovecot_maintenance". (Customizing may be worthwhile, but this guide is not mentioning any specific recommendations.)
    • “Use cPanel® jailshell by default?”
      • An idea is to flip to yes. That might break things, but if a user wants functionality that this doesn't support, perhaps the user's shell could be changed as a documented exception, or perhaps it may be good to have the user switch to a custom private virtual machine instead of using a cPanel machine (which is often implemented by sharing resources between multiple customer accounts).
    Other Items to Consider

    (These may not have been fully validated yet... Documentation might be admittedly sparse, needing clean-up (including scratch notes being converted to HTML code), etc.)

    Unfinished/unvalidated

    (Determine which of these to do...)

    Web server optimizing

    It is advised not to blindly count on many of the available online guides that describe how to make things faster by changing some settings from default. After all, the software creators/designers/developers/manufacturers/distributors often have quite a good understanding of how the software works, and may be able to determine what is commonly good behavior better than a guide that might have been written by a quite unqualified person years ago.

    With that warning out of the way...

    MultiPHP settings
    After switching to MPM-Event, the following also helped:
    1. WHM
    2. MultiPHP Manager
    3. Next to PHP-FPM, “Manage Settings”
    4. Change settings:
      • Max requests: change from 20 (cPanel Default) or 40 (which was apparently still being problematic when this value had been used) to 55
      • Max children: 5 to 7
        • (cPanel Support: 503 says, “We recommend incrementing in values of 5 to 10 to ensure that PHP-FPM does not get overloaded.” Although that text was mentioned after “Max Children” and “Max Requests”, so it might have been referring more to “Max Requests”.)
      • Process idle timeout: from 10 (cPanel Default) or 15 (which was apparently still being problematic when this value had been used) to 20
    N. Torga's guide

    Northon Torga's “Tuning/Optimizing Apache on cPanel Servers” (with some text highlighted) says that “Each Apache process will load PHP and Perl libraries. That's a waste of resources for serving static content.” The recommended solution is to utilize nginx.

    The same site recommends using MPM-Event but then describes that some of the default settings are designed for MPM-Prefork. What appears to be the key advice is:

    • StartServers: 3
    • Minimum Spare Servers: 3
    • Maximum Spare Servers: 16
    • ServerLimit: 16
    • Max Request Workers: 400 (ServerLimit vs ThreadsPerChild)
    • N. Torga recommends first setting ServerLimit to 512 so it is over the Max Request Workers of 400, and after re-compiling, then reducing ServerLimit to 16, to work around a bug where certain values wouldn't update.
    • N. Torga's guide explains the rationale: “With a ServerLimit of 16 servers running with 64 threads (ThreadLimit) each, you are able to set Apache to be able to handle 1024 requests (lifetime), which is for most servers, more than enough.” (Naturally, if your server is not like “most servers”, then make adjustments.) One nice thing about N. Torga's guide is that it doesn't just blindly provide recommendations, but also cites official documentation to back up the explained reasoning of the changes.
    Contact Manager
    • “Communication Type” (default) tab: e.g., set E-Mail to “High and Medium only” (not “All”).
    • “Notifications” tab: check the desired checkboxes, e.g. account creation/removal, suspend/unsuspend.
    snmpd
    sudo yum -y install net-snmp
    sudo cp -pi /etc/snmp/snmpd.conf /etc/snmp/backup-orig-snmpd.conf
    sudo nano -w /etc/snmp/snmpd.con
    • (Make similar to other standard configs...)
      • The following is something of an example, with placeholder values. Back up the file first. Note that agentaddress is the local address and port that snmpd listens on (not a remote manager); agentuser/agentgroup are the identity the daemon switches to after binding its socket (root, as shown, means it never drops privileges); and rocommunity with no source restriction means anyone who can reach UDP 161 and knows the community string (which travels in plaintext with SNMPv2c) can read the whole MIB tree. This guide does not elaborate on the details of this section, and recommends checking out the process yourself...
    agentaddress 192.0.2.116
    agentuser root
    agentgroup wheel
    syscontact support@example.com
    sysdescr CP123-vmware
    syslocation cty/o/vmware
    rocommunity abcd2e34f5
    smuxsocket 127.0.0.1
    ignoredisk /dev
    trapcommunity abcd2e34f5
    The following is from older CentOS (SysV init); on systemd-based AlmaLinux the equivalent is sudo systemctl enable --now snmpd:
    chkconfig snmpd on
    service snmpd start
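The sample above has three weak spots a reviewer would flag: an unrestricted rocommunity (any host that can reach UDP 161 and knows the plaintext v2c string can read everything), a rwcommunity if one is ever added (write access the same way), and agentuser root (the daemon keeps root after binding its port). The following added example (not from the page or the net-snmp project) audits an snmpd.conf for those three and prints a hardened alternative for comparison. The hardened file is constructed for this example: the view name “sysview”, the v3 user “monitor”, its passwords, the monitoring host 192.0.2.10 and the unprivileged “snmp” account are assumptions, not defaults.

```shell
#!/bin/sh
# Added example, not from the page or net-snmp: audit an snmpd.conf for an
# unrestricted rocommunity/rwcommunity and for agentuser root, and show a
# hardened alternative. All names in the hardened sample are assumptions.

# usage: snmpd_audit FILE -> prints findings one per line; returns 1 if any
snmpd_audit() {
    findings=$(awk '
        { sub(/#.*/, "") }
        NF == 0 { next }
        # rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]: no SOURCE means any host
        ($1 == "rocommunity" || $1 == "rocommunity6" || $1 == "rwcommunity" || $1 == "rwcommunity6") &&
            (NF < 3 || $3 == "-V") { print $1 " " $2 ": no source address restriction" }
        ($1 == "rwcommunity" || $1 == "rwcommunity6") { print $1 " " $2 ": write access over plaintext v2c" }
        $1 == "agentuser" && $2 == "root" { print "agentuser root: daemon keeps root privileges" }
    ' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# usage: snmpd_hardened_sample -> prints a configuration that passes the audit
snmpd_hardened_sample() {
    cat <<'EOF'
# constructed hardened sample (assumed names, not net-snmp or cPanel defaults)
agentaddress udp:192.0.2.116:161
agentuser snmp
agentgroup snmp
syscontact support@example.com
syslocation cty/o/vmware
# expose only the system and interfaces subtrees
view sysview included .1.3.6.1.2.1.1
view sysview included .1.3.6.1.2.1.2
# v2c: read-only, from the monitoring host only, restricted to that view
rocommunity abcd2e34f5 192.0.2.10 -V sysview
# v3: authentication and encryption instead of a plaintext community string
# (createUser normally goes in /var/lib/net-snmp/snmpd.conf; snmpd rewrites
# it with hashed keys on start)
createUser monitor SHA "auth-pass-here" AES "priv-pass-here"
rouser monitor priv -V sysview
EOF
}

# audit the live file when present (or a file given as the first argument)
if [ -r "${1:-/etc/snmp/snmpd.conf}" ]; then
    snmpd_audit "${1:-/etc/snmp/snmpd.conf}" && echo "no findings"
fi
```

The v3 user is the real fix: it replaces the shared secret that every v2c packet carries in the clear with per-user authentication and encryption, and the source restriction on the remaining v2c line limits who can even try the community string.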
    sshd_config_alt
    • If you want to have another SSH server instance (e.g. on a second port), consider:
      • sudo cp -pi /etc/ssh/sshd_config /etc/ssh/sshd_config_alt
      • echo Port 2222 | sudo -n tee -a /etc/ssh/sshd_config_alt
      • echo PidFile /var/run/sshd_alt.pid | sudo -n tee -a /etc/ssh/sshd_config_alt
        • (sshd uses the first value it sees for a keyword. The copied file normally has its Port and PidFile lines commented out, so appending works; if an uncommented one is already present, edit it instead. Check with sudo sshd -T -f /etc/ssh/sshd_config_alt.)
      • sudo cp /usr/lib/systemd/system/sshd.service /etc/systemd/system/sshd_alt.service
      • Edit /etc/systemd/system/sshd_alt.service as follows:
        Description=OpenSSH server daemon on alternate port
        Remove Type=forking (if seen)
        PIDFile=/var/run/sshd_alt.pid
        ExecStart=/usr/sbin/sshd -D -f /etc/ssh/sshd_config_alt $OPTIONS
        (The reason to remove Type=forking has to do with the usage of the -D parameter in ExecStart: with -D, sshd stays in the foreground and systemd tracks that process directly.)
      • sudo systemctl daemon-reload
      • sudo systemctl enable sshd_alt
      • sudo systemctl start sshd_alt
    • Make sure that any software firewall on the system (firewalld, or CSF if installed) will allow traffic on the new port. With SELinux enforcing (the AlmaLinux default), sshd will also be refused the port until it is labelled: sudo semanage port -a -t ssh_port_t -p tcp 2222.
    PostgreSQL
    Install Postgres (if needed?) https://docs.cpanel.net/knowledge-base/sql/install-or-update-postgresql-on-your-cpanel-server/ covers a process of backing up databases and using the installer to install or upgrade PostgreSQL.
    • First, back up any existing PostgreSQL databases (covered in the tutorial).
    • Second, if a PostgreSQL configuration file already exists, it will soon be overwritten, so before proceeding further, back up any such configuration file (the file is mentioned by cPanel's PostgreSQL guide, but not by name).
    • The guide provides the name of the installer: /usr/local/cpanel/scripts/installpostgres
    Part of the installer's output text:


    The PostgreSQL packages successfully installed. To configure PostgreSQL,
    set your password, and enable PostgreSQL for user accounts, navigate to
    WHM's Configure PostgreSQL interface (Home >> SQL Services >> Configure PostgreSQL).

    Setting a random password for the PostgreSQL database user.

    You might wish to run a test at https://www.ssllabs.com/ssltest/, although results are shown on that site's public boards unless you tick the “Do not show the results on the boards” option before submitting.

    (should /etc/ips.remotedns contain a list of DNS servers (1 per line)??)

    PureFTP info
    Set Port Range
    sudo cp -pi /var/cpanel/conf/pureftpd/main /var/cpanel/conf/pureftpd/backup-orig-main
    grep -i PassivePortRange: /var/cpanel/conf/pureftpd/main
    sudo sed -i "s/^PassivePortRange: 49152 65534$/PassivePortRange: 5500 5550/g" /var/cpanel/conf/pureftpd/main
    grep -i PassivePortRange: /var/cpanel/conf/pureftpd/main
    sudo /usr/local/cpanel/scripts/setupftpserver pure-ftpd --force
    Notes: the sed expression is anchored to the default range, so if the file already holds a different value nothing changes (the second grep shows whether it did). Each passive data connection occupies one port in the range for its duration, so 5500-5550 caps the server at about 50 concurrent transfers; the firewall must allow inbound TCP on the chosen range as well as on port 21.
    References: cPanel docs, FTP Server Configuration: https://docs.cpanel.net/whm/service-configuration/ftp-server-configuration/86/ and k9webops.com Blog: “cPanel/WHM – Unable to start PureFtpd !”
    maybe unneeded: fix SpamAssassin behavior to be more compatible with more clients: back up /etc/mail/spamassassin/local.cf, then visit: https://web.archive.org/web/20140215070915/http://www.toao.net/506-fixing-spamassassin-spamham-reports-on-cpanel-servers

    ImageMagick https://support.cpanel.net/hc/en-us/articles/360037048673-How-to-Install-ImageMagick-for-EA-PHP-and-ALT-PHP

    More recommendations

    These were recommended. This guide is not recommending them.... yet...

    Maybe these are ideas that still need to have an implementation identified...

    Check on Reverse DNS?
    Go to “Module Installers”. You may wish to view “PHP Extensions and Applications Package” (which, sensibly or not, has been known to be abbreviated as “PEAR”), click “Manage”, and review. Then, if you go to “Perl Module”, it is the same as choosing “Install a Perl Module”.
    Service Configuration
    SSL Cipher Suite (Multiple Spots)

    In WHM, the left frame has a category called “Service Configuration”, with different sections/pages/tools listed under that. For instance, the first (top) item in the “Service Configuration” section is called “Mailserver Configuration”.

    SSL Cipher Suite

    These details also apply to “cPanel Web Disk Configuration” and “cPanel Web Services Configuration” and “FTP Server Configuration” and “Apache Configuration”.

    You might or might not be interested in changing the SSL Cipher Suite. (For instance, at least at one time, the default value was “ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP”, a variation intended for (better) PCI-DSS compliance was “ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kED”, and a report from https://www.ssllabs.com/ssltest/ preferred a change like “ALL:!aNULL:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP”.) Those strings are historical: RC4 has been prohibited in TLS since RFC 7465 (2015), so the “PCI-DSS” variant would now fail a PCI scan rather than pass one, and “!aNULL” is the broader form of “!ADH” (it also excludes anonymous ECDH).

    This guide has no specific recommendation, as it is believed this guide is likely to be updated less often than defaults that are likely to be updated as the security landscape keeps changing. However, if you are interested in determining a preferred value, you will probably want to see some details from the mod_ssl docs for SSLCipherSuite in order to understand this string, and expand any candidate with openssl ciphers -v before deploying it.

    TLS/SSL Protocols

    The modern default disables both SSLv2 and SSLv3, which protects against the well-known “Padding Oracle On Downgraded Legacy Encryption” (“POODLE”) attack on SSLv3. This breaks the server's ability to communicate with Microsoft Internet Explorer 6, the last version of Microsoft Internet Explorer that could work on Windows 95, 98, 98SE, and Millennium Edition, unless that browser has its “Use TLS 1.0” option turned on (it is off by default in IE6).

    Apache Configuration
    Max Request Workers

    Before Apache 2.4, the setting which did the same thing was called “MaxClients”, but in Apache 2.4 the setting is now called “Max Request Workers”. The default of 150 was considered too high on some older machines, due to having lower RAM.

    After making changes to a section, remember to jump to the bottom of that section and press the “Save” button before moving onto another section.

    Exim Config
    • “Send mail from account’s dedicated IP address” (default off; flip to on to reduce the impact of any one IP address being blacklisted, since each account with its own IP then carries its own sending reputation)
    • (Option name not recorded; the note below appears to refer to an attachment/URL filtering setting rather than the dedicated-IP one above.) Recommended to flip to off because it was too aggressive, blocking .eml (E-Mail message) attachments and URLs (hyperlinks).
    • Turn on: “Log sender rates in the exim mainlog. This can be helpful for tracking problems and/or spammers.”
    • Perhaps turn on?? “Sender Verification Callouts” (“Use callouts to verify the existence of email senders. Exim will connect to the mail exchanger for a given address to verify it exists before accepting mail from it.”)
    • For RBLs, by “Manage Custom RBLs”, clicking on “Manage” will pop open a new browser tab. In that tab, you can add one like:
      • RBL Name: barracuda
      • RBL Info URL: http://www.barracudacentral.org/
      • DNS List: b.barracudacentral.org
    • bl.spamcop.net is not recommended for outright rejection because “big email providers (Google, Yahoo) having so many accounts that they nearly always have some compromised ones. SpamCop RBL will still add to the SpamAssassin spam scores, but shouldn't be used for rejecting outright.”
    • zen.spamhaus.org was not used because Spamhaus now requires ISPs and other commercial users to pay (via its Data Query Service). They used not to, but then they did start requiring that. Note also that Spamhaus answers queries that arrive through public resolvers (8.8.8.8 and the like) or that exceed the free quota with a 127.255.255.x code rather than a listing, so if the server's resolver is a public one the RBL silently stops working, or, worse, looks like a hit to software that treats any 127.0.0.0/8 answer as “listed”.
    • “Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server.” - this is believed to help improve security of server when on, while potentially reducing some compatibility. So, one may wish to change the default (which used to be Off, but is On by default with newer versions).
    • “Scan messages for malware from authenticated senders (exiscan).”: Flip on, particularly if using ClamAV.
    • “Scan outgoing messages for malware”: Flip on, particularly if using ClamAV.
    • “SpamAssassin™: Forced Global ON” - you might want this on, to take some control away from end users. Note that SpamAssassin shouldn't be too terrible, as it can be configured not to add a visible tag, and mail decisions don't need to be made from its usage.
    • “Scan outgoing messages for spam and reject based on SpamAssassin® internal spam_score setting” might want to be on?
    • “Scan outgoing messages for spam and reject based on defined SpamAssassin® score (Minimum: 0.1; Maximum: 99.9)” (“Scan and reject mail bound for non-local domains that SpamAssassin® classifies as spam.”) -- some commentary made was that this setting “would need testing. Want to ensure that spammer who stole a user's password is not actually told his mail is being rejected, but that his mail is silently accepted and then discarded and a notice goes to” administrative staff instead. (Actually, captured would be better than discarded, to deal with potential mis-detects. If a customer sent something, we don't want to tell them that it was tossed out with no copy preserved, so that they might need to re-create whatever it was.)
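Before enabling an RBL for outright rejection, it is worth checking the server's own outbound addresses against it, and worth understanding what Exim actually asks DNS: the IPv4 octets are reversed and the list zone appended, and any A record in 127.0.0.0/8 means “listed”. The following added example (not from the page or Exim) builds that query name, classifies an answer, and runs the lookup with dig when network access is available. The addresses in its test are from documentation ranges and are constructed for the example; the Spamhaus 127.255.255.x error codes are the ones the Spamhaus documentation publishes.

```shell
#!/bin/sh
# Added example, not from the page or Exim: build and classify the DNS query an
# RBL lookup performs, so a server's own IPs can be checked before a list is
# used for rejection. Sample addresses below are documentation ranges.

# usage: dnsbl_name IPV4 ZONE -> the reversed-octet query name; nothing if the
# address is not four dotted decimal octets
dnsbl_name() {
    printf '%s\n' "$1" | awk -F. -v zone="$2" '
        NF == 4 && $0 ~ /^[0-9.]+$/ { print $4 "." $3 "." $2 "." $1 "." zone }'
}

# usage: dnsbl_verdict ANSWER -> listed | clean | error, from the A record text
# (an empty answer means NXDOMAIN, i.e. not listed)
dnsbl_verdict() {
    case "$1" in
        "")            echo clean ;;
        127.255.255.*) echo error ;;   # Spamhaus: public resolver, over quota, or bad zone name
        127.*)         echo listed ;;
        *)             echo error ;;   # anything outside 127/8 is not a DNSBL reply
    esac
}

# usage: dnsbl_check IPV4 ZONE -> verdict, querying DNS with dig (needs network)
dnsbl_check() {
    name=$(dnsbl_name "$1" "$2")
    [ -n "$name" ] || { echo "bad IPv4 address: $1" >&2; return 2; }
    dnsbl_verdict "$(dig +short +time=3 +tries=1 A "$name" | head -n 1)"
}
```

A typical use is “dnsbl_check 203.0.113.52 b.barracudacentral.org” for each address the server sends from; an “error” verdict on zen.spamhaus.org is the public-resolver symptom described above and means the list should not be used for rejection from that resolver.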
    FTP Server Configuration

    A new server might initially hide these options, until after a server is selected. So, in that case, first, visit the “FTP Server Selection” section (described below).

    • TLS Encryption Support
      • Flip from “Optional” to “Required (Command/Data)”. People can just use FTPES (explicit FTP over TLS, the “explicit TLS/SSL” option in FTP clients). In a commercial Internet Service Provider, there had been no requests by users to support older software. (Sometimes they couldn't find the option right away, but that was resolved.) The security benefits are significant enough that this guide does recommend people use this (or another protocol like SFTP, SCP, or the HTTPS-based file manager built into cPanel) instead of the older plaintext variations.
    FTP Server Selection
    Set to Pure-FTPd, and then after saving, the “FTP Server Configuration” section will begin to appear just above the “FTP Server Selection” option.
    Mail Server configuration
    • Proceeded to check the checkboxes for IMAPS and POP3S (already had IMAP and POP3 and LMTP checked). LMTP is greyed out, forced on. IMAP is reportedly required for WebMail. (Some older versions simply didn't have IMAPS or POP3S as separate checkboxes.)
    • Enabling “Compress Messages”, and setting compression to 9. Compress Messages is noted that it “will compress recently created and delivered messages.” (A compression level of 6 is suspected to be gzip's default, so 9 is likely more sensible on modern hardware.)
      • (It's too bad we don't have an option to just compress messages as they cross a threshold like 30 days or 180 days old. Messages that people read and delete from the server don't take up space long-term on the server...)
    Service Manager
    Might want to enable pretty much everything, including:
    • Monitoring for “PHP-FPM service for cPanel Daemons”
    • “cPanel Greylisting Daemon”
      • This may be good to educate potential users about. If this becomes an issue for any specific user, a customer's cPanel interface may have a “Configure Greylisting” icon that can have that be turned off for that user. (Note that the term “customer” basically means “account holder”, which might be a key representative for an organization, and that may be something not available for users of individual E-Mail addresses.)
    • Maybe “Exim Mail Server (on another port)”?
    • Older recommendations
      • For Cron...
        • Here was a recommendation: “Set permissions so the user's cpanel UI can view or modify crontabs:” “chmod 4755 /usr/bin/crontab”. When checked (on AlmaLinux 8.x) after cPanel was installed, that was already set that way (4755 root:root is the distribution's normal mode for the setuid crontab binary).
    • DNS Zone Templates might be worthwhile to implement. (Creating some may be worthwhile at some point. If an organization has some, then implementing them may be a worthwhile step to do with each new server. In an organization, it may be worthwhile to check internal documentation about DNS Zone Templates for cPanel to see if any pre-created internal ones are available. For example, specifying SPF might be good.)
    • Synchronizing DNS between servers may be worthwhile. This guide does not elaborate on this point. (When this guide was being implemented as it was being made, a custom solution was implemented.)
    • “Spamd Startup Configuration”: “Maximum Children” apparently defaults to 2. Higher may be recommended (e.g., 3). (Although there was a recommendation of 3, this wasn't solidly decided on; e.g., no documented reasoning was given.)
    • Basic Web Host Setup: may want to set the caching time for lookups, e.g. drop the TTL from 14400 to 3600.
    Licensing Check info

    If you want to change which IP address a cPanel installation is using, there are some items to consider.

    First, the cPanel software checks with a “license server”. If an undesirable result is reported by the “license server”, cPanel shuts down some services, including the WebHost Manager which may often be helpful in resolving a situation where some setting may be set undesirably. (It might be true that this license server may reach out to TCP port 2089 to help perform a license check on the server that is running cPanel.)

    When performing innocent IPv4 changes through the established interface a rather small number of times (perhaps 3-8 times), that seemed to trigger a lockdown of the usability of IPv4 addresses. When reaching out to cPanel as requested, part of the response from cPanel stated:

    the license issue you are experiencing. After some investigation, this IP Address appeared to be locked.

    As this is the 1st instance of a locked license on this server, I have unlocked the license. For the changes to take effect you will need to update your local license file using the "root" level script below via SSH:

    /usr/local/cpanel/cpkeyclt

    Moving forward, should you have additional instances of a locked license, a Technical Analyst will require access to the server to investigate what is causing the license to become locked. Access to the server will be required before the license can be unlocked.
    The locked license message that is received is vague, as our licensing is proprietary. The license check performs several different checks and common causes of locked license errors are -

    • Numerous Hostname changes.
    • NAT usage (multiple hosts behind a single IP address sending license update requests)
    • The server runs out of disk space then cpkeyclt is unable to write a new license to disk.
    • Too many server reboots.
    • Too many installation attempts/processes.
    • Transferring the license between multiple servers.

    These behaviors cause the servers' cPanel & WHM licenses to lock due to the unique changes for that server's cPanel & WHM license. A locked license disables a cPanel & WHM server until cPanel Customer Service has had an opportunity to review the license history and error message provided.

    The author of this text respects that there can be a desire to prevent misuse, and that proprietary measures with secretive details may help the effectiveness of efforts to ensure proper operation. While that is true, it still seems like a good thing for server administrators to know that too many reboots, or running out of disk space (which is understandably a problem that may be likely to cause additional painful effects), are things that may lead to the cPanel company shutting down the usability of an IP address, likely until they get contacted and their staff reviews things, even though a website (including the store) may claim that the license is valid.

    You'll likely prefer to avoid seeing results like this if the “license check” software runs:

    [root@hostname ~]# /usr/local/cpanel/cpkeyclt
    Updating cPanel license...Done. Update Failed!
    Error message:
    The cPanel license server replied that the license has been activated on too many machines (600).
    Please contact billing@cpanel.net

    The exact message was: The license has been activated too many times on different machines. (203.0.113.52)

    [root@hostname ~]#

    (If the “license check” software reports such output, then you'll likely also see that message when logging into WebHost Manager, instead of seeing an interface that lets you perform administrative functions on the server.)

    Read over: cPanel How-To: “How do I change the primary IP of my cPanel server?” The fact that you can change the IP address in the store, and that cPanel has documented what to do on the server, makes it seem all okay to do. But beware: changing too much, too quickly, is probably going to run the risk of getting the cPanel server's IP address locked. The author of this document had this happen during the night, when cPanel's technical support wasn't even responding to new tickets. (The workaround was to use another address, and purchase a new license.)

    Back up /etc/wwwacct.conf, and then edit it: nano -w /etc/wwwacct.conf. Sample contents:
    HOST fqdn.example.org
    HOMEDIR /home
    ETHDEV eth0
    NS ns1.example.org
    NS2 ns2.example.org
    HOMEMATCH home
    NSTTL 14400
    NS4
    TTL 3600
    ADDR 203.0.113.52
    DEFMOD paper_lantern
    SCRIPTALIAS y
    CONTACTPAGER
    MINUID 500
    NS3 ns3.example.org
    CONTACTEMAIL user@example.org
    LOGSTYLE combined
    DEFWEBMAILTHEME paper_lantern

    Make sure the “HOST” and “ADDR” values have the right, desired, “new” settings in that file. Make sure that host name points to the desired new IPv4 address.

    Note old details:

    • Make note of the old, undesired IPv4 address and its size (CIDR-style prefix length or IPv4 subnet mask).
    • Make note of the “default gateway” route that has been taken with the old IPv4 address.
    • (You shouldn't need this information ever, but it is simply good recommended habit to have such details readily available in case there is any desire to revert.)

    Make sure that the system has the desired new IPv4 and can use ICMP (using ping) to communicate with the desired new default gateway.

    That may be about all you can do in preparation, before any steps that may be likely to cause at least some downtime...

    • Recommended: update DNS
    • Add the new IPv4 address
    • Make sure it can ping the default gateway.
    • Remove the old default gateway.
      • This will break things. If you are using some sort of remote protocol like SSH to make these changes, make sure the disconnection won't prevent you from successfully running the next command due to your login shell closing. It may be helpful to use a terminal multiplexer like tmux or screen.
      • e.g.: route delete default
    • Add new default gateway
      • e.g.: route add default gw 203.0.113.139 eth0
    • Remove the old, undesired IPv4 address.
      • e.g., ip addr del 203.0.113.105/29 dev eth0 (the “dev” argument is required, or the command refuses to run)
      • This is needed, because otherwise you may see:
        # /scripts/mainipcheck
        warn [mainipcheck] https://myip.cpanel.net/v1.0/ detects system IP as 203.0.113.142 and system local IP detected as 203.0.113.105. Please verify your network configuration.

        (The new IPv4 address was the first one mentioned.)

      • Sample: “ip addr” (review current settings, including the prefix length), then “ip addr del 203.0.113.105/29 dev eth0”

    Then, before trying to update the license on the server, make sure the license info will reach the cPanel servers by going out the desired new IPv4 address. That can be done with:

    curl https://myip.cpanel.net

    Make sure the license is pointing at the desired new IPv4 address, on the cPanel store site (https://store.cpanel.net/my/).

    Then, and perhaps only then, run the following:

    cat /var/cpanel/mainip
    /scripts/mainipcheck
    cat /var/cpanel/mainip

    Note that this text file does not contain an EOL (“end of line” character sequence), so your next prompt may be on the same line as the output.
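    As an added example (not part of this guide and not cPanel's own tooling), here is a small POSIX shell pre-flight check that compares the ADDR value in /etc/wwwacct.conf, the address recorded in /var/cpanel/mainip, and the public address seen from outside (what curl https://myip.cpanel.net printed) against the intended new address, so that a stale entry is caught before cpkeyclt is run. File paths and the public address are passed in as parameters; the sample files it creates are constructed, using the same documentation addresses as this guide.

```shell
#!/bin/sh
# Added example, not part of the original guide: pre-flight consistency check
# for a cPanel main-IP change. Everything is passed in as parameters so the
# check can be run against backup copies as well as the live files.

# Print the value of a key (e.g. ADDR) from a wwwacct.conf-style file;
# prints nothing for a key that is absent or has no value (like NS4 above).
wwwacct_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# mainip_check NEW_IP WWWACCT_FILE MAINIP_FILE PUBLIC_IP
# PUBLIC_IP is what `curl https://myip.cpanel.net` printed.
# Prints one line per problem; returns 0 only when everything agrees.
mainip_check() {
    new_ip=$1; wwwacct=$2; mainip_file=$3; public_ip=$4
    rc=0
    addr=$(wwwacct_value "$wwwacct" ADDR)
    if [ "$addr" != "$new_ip" ]; then
        echo "ADDR in $wwwacct is '$addr', expected $new_ip"; rc=1
    fi
    # /var/cpanel/mainip carries no trailing newline; strip any whitespace anyway
    recorded=$(tr -d '[:space:]' < "$mainip_file")
    if [ "$recorded" != "$new_ip" ]; then
        echo "mainip records '$recorded', expected $new_ip (run /scripts/mainipcheck)"; rc=1
    fi
    if [ "$public_ip" != "$new_ip" ]; then
        echo "traffic leaves as $public_ip, not $new_ip (old address or route still active?)"; rc=1
    fi
    return $rc
}

# Constructed sample files standing in for /etc/wwwacct.conf and
# /var/cpanel/mainip (RFC 5737 documentation addresses, as used in this guide).
tmpdir=$(mktemp -d)
cat > "$tmpdir/wwwacct.conf" <<'EOF'
HOST fqdn.example.org
ETHDEV eth0
ADDR 203.0.113.142
EOF
printf '203.0.113.105' > "$tmpdir/mainip"   # stale value, no EOL, as on a real server

# State before /scripts/mainipcheck and before the old address was removed:
# mainip is stale and outbound traffic still leaves via the old address.
if mainip_check 203.0.113.142 "$tmpdir/wwwacct.conf" "$tmpdir/mainip" 203.0.113.105; then
    echo "all consistent, safe to run /usr/local/cpanel/cpkeyclt"
else
    echo "problems found; fix them before running cpkeyclt"
fi
```

    On a live server you would pass /etc/wwwacct.conf, /var/cpanel/mainip and the output of curl https://myip.cpanel.net instead of the constructed files.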

    Did that work well? e.g.:

    prompt# cat /var/cpanel/mainip
    203.0.113.105prompt# /scripts/mainipcheck
    info [mainipcheck] The Server's main IP address has changed from 203.0.113.105 to 203.0.113.142.
    prompt# cat /var/cpanel/mainip
    203.0.113.142prompt#

    Then, back up /etc/ips and /etc/hosts

    /etc/ips has been known to be a blank file and if so, that seemed fine. However, if it contains a list of IPv4 addresses (one per line), then make sure it includes the desired new IPv4 addresses. (At least, include the main one!)

    nano /etc/ips
    cat /etc/hosts
    /scripts/fixetchosts
    cat /etc/hosts
    /usr/local/cpanel/cpkeyclt
    • Desired output from that last command:
      Updating cPanel license...Done. Update succeeded.
      Building global cache for cpanel...Done

    Did results look desirable? If so, the next recommended steps are:

    • Run this: service cpanel restart
    • (Run this, though it might be unnecessary if the prior command does it...) httpd graceful
    • Log into WHM
      • (Using incognito mode may reduce usage of cached information like old DNS results...)
    • Then, in WHM, change any DNS entries still needing changing.
    • Make sure the system's IPv4 addresses are right.
      • You may wish to check /etc/ips and, in WHM, each of: the “Add a New IP Address” and “Rebuild the IP Address Pool” and “Show IP Address Usage” and “Change Multiple Sites' IP Addresses” (or “Change Site's IP Address”) and “Show or Delete Current IP Addresses” and then, after deleting any unused addresses, once again “Rebuild the IP Address Pool”.
    • By now, any “downtime” should be rectified (at least once DNS has propagated well). You may wish to reboot to make sure that the system doesn't fail to auto-configure itself to use the new IPv4 address and default gateway (under the premise that if there is a problem, it might be easier to fix now, since you have an idea of what changes may have led to the problem).

    Some Misc Notes about cPanel

    cPanel documentation on Product Versions and Release Process describes details such as:

    • It seems there are four parts to a version number.
      • The first part has been 11 since version 11.52, and so cPanel & WHM will typically report the second part first, and leave the first part unreported. (“You will usually only see this in configuration files, API function output, and package files.”)
      • The next part of the version number is the main release build. cPanel releases that are not part of “EDGE” (basically, the tier for testing, and not recommended for production use) use only even numbers.
        • Sample approximate release dates (when viewed in October of the year 2022)
          • 102 (LTS version for the year 2022), February
          • 104 April (2 months later)
          • 106 June (2 months later)
          • 108 September (3 months later)
          • 110: was listed as the next LTS version (so probably to be released in 2022)?
    • Some FTP notes:
      • Transferring files: FTPS can be used. (That includes FTPeS, which is FTPS using “Explicit” encryption, which may be TLS encryption or SSL encryption.) The login name used is set up in the “FTP Accounts” option (not the “FTP Connections” option, which may be the only other common FTP-related option listed in the main cPanel account web interface). cPanel tends to just call these “FTP Accounts” (which is different from the “FTP Connections” option/hyperlink), even when FTPS is used. The login name typically looks like an E-Mail address (containing a username, an @, and then a domain name which is supported by the cPanel account), although this is independent of any E-Mail address.
        • There has been some problem/issue with being able to use the web interface to set an FTP(S) account's password to a value which is then not accepted by the FTP(S) server. If memory serves right, maybe it was a hyphen/“minus sign”/dash that wasn't accepted. If you're having troubles with a password, consider seeing if it works without some/all of the punctuation being used. Changing the password may be necessary to resolve an unusable password.
      • To test: use "yum install lftp", and then "lftp -u login@domain site.example.com"
      • Note: after installing a server with the above directions, the following helped:
        • Check for a file named /var/cpanel/conf/pureftpd/local
        • Otherwise, the PureFTP file may be /etc/pureftpd.conf
        • grep -i Range on whichever of those files exists (e.g., grep -i Range /etc/pureftpd.conf)
        • /usr/local/cpanel/scripts/setupftpserver pure-ftpd --force
        • Check /etc/csf/csf.conf
        • Make sure the range of ports (colon-separated, e.g. 7200:7290) is listed on both TCP_IN and TCP_OUT
        • Make sure there are enough ports for the connections. (See: WHM, "FTP Server Configuration", "Maximum Connections".)
        • csf -r
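    Added example (not the guide's and not cPanel's or csf's own code) that automates the csf.conf check in the list above: it reads pure-ftpd's passive port range and confirms that a covering LOW:HIGH entry exists in both TCP_IN and TCP_OUT. The directive name PassivePortRange and the csf.conf NAME = "..." layout are assumptions based on those products' configuration formats; the sample files below are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide: check that the passive port
# range pure-ftpd advertises is covered by a LOW:HIGH entry in both csf's
# TCP_IN and TCP_OUT, which is what the steps above have you verify by hand.
# Assumes pure-ftpd's "PassivePortRange LOW HIGH" directive and csf.conf's
# NAME = "comma,separated,ports" format.

# Print "LOW HIGH" from a pure-ftpd config file (nothing if the directive is absent).
pureftpd_passive_range() {
    awk 'tolower($1) == "passiveportrange" { print $2, $3; exit }' "$1"
}

# csf_setting CSF_CONF NAME: print the quoted value of NAME, without the quotes.
csf_setting() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\(.*\)\"/\1/p" "$1" | head -n 1
}

# csf_allows_range CSF_CONF NAME LOW HIGH: succeed if some entry A:B in the
# setting satisfies A <= LOW and B >= HIGH (single ports never cover a range).
csf_allows_range() {
    csf_setting "$1" "$2" | tr ',' '\n' |
        awk -F: -v lo="$3" -v hi="$4" 'NF == 2 && $1 <= lo && $2 >= hi { ok = 1 }
                                       END { exit !ok }'
}

# ftp_passive_check PUREFTPD_CONF CSF_CONF: report each gap; return 0 if none.
ftp_passive_check() {
    range=$(pureftpd_passive_range "$1")
    if [ -z "$range" ]; then echo "no PassivePortRange set in $1"; return 1; fi
    lo=${range% *}; hi=${range#* }
    rc=0
    for name in TCP_IN TCP_OUT; do
        if ! csf_allows_range "$2" "$name" "$lo" "$hi"; then
            echo "$name in $2 does not cover $lo:$hi"; rc=1
        fi
    done
    return $rc
}

# Constructed sample files: the range is open inbound but missing from TCP_OUT.
tmpdir=$(mktemp -d)
printf 'PassivePortRange 7200 7290\n' > "$tmpdir/pureftpd.conf"
cat > "$tmpdir/csf.conf" <<'EOF'
TCP_IN = "20,21,22,25,53,80,443,7200:7290"
TCP_OUT = "20,21,22,25,53,80,443"
EOF
ftp_passive_check "$tmpdir/pureftpd.conf" "$tmpdir/csf.conf" || echo "edit csf.conf, then run: csf -r"
```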

    “The Horde webmail application has been removed in cPanel & WHM version 108. All Horde email, contacts, and calendars will be automatically migrated to Roundcube. For more information, read our cPanel Deprecation Plan documentation.” The hyperlinked web page explained, “Horde relies on PHP 7.4, which reaches End-of-Life on November 28, 2022. Because of this, we have removed the Horde webmail interface.” This was deprecated as of “cPanel & WHM version 106”, and slated for “Removal” with “cPanel & WHM version 112”,