To create a dummy file of 50MB, we first need to convert the file size into bytes (1024 x 1024 x 50 = 52428800) and then enter the following at the command prompt:

$ dd if=/dev/zero of=yourfilename.test bs=52428800 count=1

*change “yourfilename” to whatever you wish to call the file.

The file will then be created within the folder that you are currently in and the following output will be displayed upon successful creation(time and write speed details will obviously vary slightly):

1+0 records in
1+0 records out
5242880 bytes (50 MB) copied, 0.312 s, 33.6 MB/s

If you want to confirm the file’s creation and size details, just enter the following:

$ ls -lrth yourfilename.test

and then you should get an output that looks similar to below:

-rw-r–r– 1 root root 50M Jan 1 00:00 yourfilename.test

A breakdown of the command elements can be found here.

1) Use Super Strong Passwords

This seems pretty obvious but we are constantly surprised by just how many people still don’t get the strong password message, even when managing hosting servers that are fully accessible from the web.

Using strong passwords is the first level of defence when it comes to protecting your information, and if you’re not willing to take notice then you should give up now and maybe become a gardener or something. A strong password contains at least 8 characters(the more the better) in a combination of upper and lowercase letters, plus numbers, plus symbols.

Bloomberg Businessweek recently posted this information on their website with regards to password strength and how long a password takes to crack:

Most-used passwords: 123456, password, 12345678, qwerty, abc123

Time it takes a hacker’s computer to randomly guess your password:

Average amount it costs a business to field a phone call requesting a password reset: $10
Proportion of help desk calls that are password-related: 30%
Users who choose a common word or simple key combination for a password: 50%

Data: Gartner, Forrester, Duo Security, Imperva, LastBit Software

2) Install ModSecurity and Suhosin

Installing ModSecurity and Suhosin is a must if you are serious about protecting your hosted websites code from exploitation. These two applications essentially provide an application level firewall that prevents both known and unknown vulnerabilities in a website’s code from being executed, therefore stopping a potential hack dead in it’s tracks. This of course does not mean that websites can get away with not updating themselves, but certainly helps along the way.

Both ModSecurity and Suhosin can be easily installed onto your cPanel server using the built-in EasyApache application as part of your initial server setup. Once installed, you should then consider installing Gotroot’s ModSecurity rules, which provide a significantly enhanced level or protection while minimising false positives. You can also use Suhosin to disable the use of custom php.in files, which prevents clients making ill advised and insecure adjustments to the php settings for their account.

3) Install A More Advanced Firewall

While Linux’s included ip tables is a very effective network security tool, the management and configuring of it can be made significantly easier by installing an application called ConfigServer Security&Firewall(CSF), which has a plugin management interface for cPanel. Not only does CSF provide much greater control over how your server handles various intrusion attempts, it also comes with a full security assessment tool that will guide you through various security hardening steps.

Installing ConfigServer applications is pretty simple and can be done in only a few steps. They also offer a few other free applications, such as ModSecurity Control, which can make the day to day management of your security setup much easier.

4) Disable SSH Password Login

Using encrypted SSH keys and disabling SSH password login removes another possible “in” for the wannabe hacker. Once this is configured, only people that have an authorised SSH key will be able to login to the server via SSH. Obviously this then means you need to be very careful of where and how you keep your SSH keys to ensure they are safe from data theives.

5) Changing The Default SSH Port

Now that you’ve disabled SSH password logins, the next thing to do to improve your security is move SSH off the default port which is TCP 22. You can choose whichever port you like, however you need to make sure that no other service is using that port to avoid any conflicts.

To change this on a cPanel server, just open /etc/ssh/sshd_config and change the “Port” value to the port you wish to use. Make sure there is no # in front of that setting, then save the file and restart the SSH service. IMPORTANT: Make sure you have opened the TCP Port in your firewall.

Enable Or Disable Directory Listings

Allowing directory listings is not advised unless you specifically wish people to download files from your web hosting server. to block(-) or allow(+) directory listings, use one of the commands below:

Options -Indexes
Options +Indexes

Redirect Parked Domains To Your Main Domain

When you have multiple domains that you wish to use for your website, most web hosting services will allow you to “park” these domains on your main hosting, which basically means that you can use these extra domains as a domain alias.

However, it has long been debated that having the same content across multiple domain names can negatively affect the ranking of your site in search engines such as Google and Bing. Therefore, if you have multiple domains you wish to register and use with your site, the most sensible option is to choose one of the domains as your primary domain and then redirect all other domains to that primary domain. This can include forcing people to the non www version of your domain, which ultimately will result in all search engines returning results for only one domain for your content.

To redirect your parked domains to your main domain, add something along the lines of the following example to your .htaccess files:

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^www.parkeddomain.com
RewriteRule ^(.*)$ http://www.maindomain.com/$1 [R=301,L]

For multiple domains and to force remove the www’s, use [OR] with and without the www.

RewriteEngine On
RewriteCond %{HTTP_HOST} ^www.parkeddomain1.com$ [OR]
RewriteCond %{HTTP_HOST} ^parkeddomain1.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.parkeddomain2.com$ [OR]
RewriteCond %{HTTP_HOST} ^parkeddomain2.com$
RewriteRule ^(.*)$ http://maindomain.com/$1 [R=301,L]

Redirect Your Domain To A Subfolder

Redirecting to a subfolder can be a very handy trick, particularly if you wish to use one of your parked domains to show different content from your main domain without needing a separate web hosting account. However, you do need to bear in mind that if you wish to use SEO urls on these site, this redirection may conflict with the code required for your SEO url functionality, so it is best used on static HTML based sites and not dynamic sites such as WordPress or Joomla.

RewriteEngine on
RewriteCond %{HTTP_HOST} ^(www.)?example.com$ [NC]
RewriteCond %{REQUEST_URI} !^/subfolder/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /subfolder/$1
RewriteCond %{HTTP_HOST} ^(www.)?example.com$ [NC]
RewriteRule ^(/)?$ subfolder/index.html [L]

Use A Custom Home Page

Using a custom home page simply means that you are able to define the exact filename your website’s homepage will use.

redirect 301 /index.html http://www.yourdomain.com/home.html

Using Custom Error Pages

Using your own custom error pages allows you to create more attract error pages that can contain details instructions on what the visitor should do if they end up on one of these error pages. You can use a custom error page for any error, as long as you know its number (e.g. 404 for page not found). Just add the following to your .htaccess file:

ErrorDocument errornumber /file.html

For example, to redirect a 404 “Page Not Found” error to a custom 404.html in your root directory, you would use the entry below:

ErrorDocument 404 /404.html

If the custom error page is located in a subdirectory, just add the subdirectory path as follows:

ErrorDocument 404/subdirectory/404.html

These are some of the most common errors:

401 – Authorization Required
400 – Bad request
403 – Forbidden
500 – Internal Server Error
404 – Page Not Found

Restrict Directory/Site Access by IP Address

Restricting directory access or website access to specific ip addresses can be a very effective way to protect sensitive directories on your website(e.g. administration sections). Any directory in your public_html folder can be protected in this way. If a visitor to your site attempts to browse to a protected directory from a an IP Address that is not specified, they will simply get served a 403 Forbidden error.

In the directory you wish to protect, open/create your .htaccess file, and then add the following code to it, replacing 100.100.100.100 in the example with the static IP address you wish to allow:

Order Deny,Allow
Deny from all
Allow from 100.100.100.100

Optional: You can enter partial IP Addresses, e.g. 100.100.100, which will allow all end IP addresses in that ip range.
Optional: You can add multiple addresses by separating them with comma’s, e.g. 100.100.100.101, 100.100.100.102

NOTE: some web hosting environments limit the folder depth that the server will allow .htaccess to operate from so you may need to check with your provide if this is the case on their servers.

If you are running a cPanel server, you may be aware that cPanel provides a script to easily install ImageMagick, however our experience has shown that this script is not the best method to use to install ImageMagick as it comes with a number of limitations, such as slow update releases and no easy upgrade script. Therefore we have found that a manual installation of ImageMagick is still the best solution, regardless of whether you are running cPanel or not.

At the time of writing this guide, the current version of ImageMagick was 6.6.9-8. Using the instructions below, the latest version of ImageMagick will be installed. If you wish to check the version you will be installing, head over to the ImageMagick FTP site to check the current version number. You can then adjust the details below accordingly if you wish to install an older version. This guide also assumes that you are running the current version of cPanel, which at the time of writing was 11.28.xx.

Install ImageMagick

1. Login to your server via SSH as root and download the latest version:

wget ftp://ftp.imagemagick.org/pub/ImageMagick/ImageMagick.tar.gz

2. Unpack the downloaded files

tar xvfz ImageMagick.tar.gz

3. Configure and compile the installation files:

To first check the version number that was installed, just enter ls at the command prompt and you will see the folder with appropriate version number in its name.

cd ImageMagick-6.6.9-8
./configure
make

4. As long as ImageMagick compiled without any errors, install it onto your system:

make install

5. For a quick  check that ImageMagick is installed and running correctly, enter the following:

/usr/local/bin/convert logo: logo.gif

6. For a more advanced check on your ImageMagick installation, run the command below which will perform a full test on the installation and should result in a “all tests passed”.

make check

Bind ImageMagick Into PHP

For your new ImageMagick installation to work with your web php scripts, you now need to bind it into PHP. To do this, just follow the steps below.

1. Login to WHM and navigate to the “Module Installers” option under “Software” in the left hand menu

2. On the following page, select the “Manage” link beside the PHP Pecl language option

3. Enter imagick into the “Install a PHP Pecl” field and then click the install button.

Test Your Installation

All things going well, you should now have a running installation of ImageMagick. The best way to test this is to install one of the many free PHP gallery applications (e.g. Gallery 2, Coppermine) and configure the application to use ImageMagick. If all is working as it should be, these applications should enable this feature with no complaint and the gallery should function correctly on the front end.

The GotRoot rules compiled by Atomicorp are a fantastic alternative and dramatically improve ModSecurity’s effectiveness while reducing false positives. Atomicorp provide a free release of these rules(delayed by at least 90 days) which are relatively easy to install on your cPanel Server.

Login to your server via SSH as root and then perform the following steps

1. First create required directories

mkdir /etc/httpd/modsecurity.d
mkdir /var/asl
mkdir /var/asl/tmp
mkdir /var/asl/data
mkdir /var/asl/data/msa
mkdir /var/asl/data/audit
mkdir /var/asl/data/suspicious

2. Change permissions for folders(cPanel)

chown nobody.nobody /var/asl/data/msa
chown nobody.nobody /var/asl/data/audit
chown nobody.nobody /var/asl/data/suspicious
chmod o-rx -R /var/asl/data/*
chmod ug+rwx -R /var/asl/data/*

3. Upload rules to /etc/httpd/modsecurity.d – (include the .conf files listed below as well as .txt files)

Include /etc/httpd/modsecurity.d/05_asl_exclude.conf
Include /etc/httpd/modsecurity.d/10_asl_antimalware.conf
Include /etc/httpd/modsecurity.d/10_asl_rules.conf
Include /etc/httpd/modsecurity.d/11_asl_data_loss.conf
Include /etc/httpd/modsecurity.d/20_asl_useragents.conf
Include /etc/httpd/modsecurity.d/30_asl_antispam.conf
Include /etc/httpd/modsecurity.d/50_asl_rootkits.conf
Include /etc/httpd/modsecurity.d/60_asl_recons.conf
Include /etc/httpd/modsecurity.d/61_asl_recons_dlp.conf
Include /etc/httpd/modsecurity.d/99_asl_jitp.conf

4. Add the following lines to the user configuration file - (/usr/local/apache/conf/modsec2.user.conf)

SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecAuditLogRelevantStatus “^(?:5|4(?!04))”
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator “&”
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial
SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 5000
Include /etc/httpd/modsecurity.d/*.conf

Add the following to the php.ini file to avoid PCRE errors:

pcre.backtrack_limit = 50000
pcre.recursion_limit = 50000

When you have Mod suPHP installed, you can configure your server to force the use of the main server wide php.ini file and disable the use of custom php.ini files to adjust certain php settings. To do this:

1. Login to your server as root via SSH

2. Open the following file:

nano /opt/suphp/etc/suphp.conf

3. Search for [phprc_paths] and then uncomment (remove the ; from the front) the following lines:

;application/x-httpd-php=/usr/local/lib/
;application/x-httpd-php4=/usr/local/php4/lib/
;application/x-httpd-php5=/usr/local/lib/

Save the file, exit the editor, and then restart Apache

Important Note

Some popular modern php applications require quite generous php resource allowances(memory, to function, so it you enable this limitation, you need to make sure you have configured your default, server wide php.ini with settings that will these applications to run without issues.

To force SMTP authentication on your cPanel server, login to SSH as root and issue the following command:

/usr/local/cpanel/bin/tailwatchd –disable=Cpanel::TailWatch::Antirelayd

If you would like to undo this at any stage, just enter the following:

/usr/local/cpanel/bin/tailwatchd –disable=Cpanel::TailWatch::Antirelayd

ConfigServer

Below is a list of the free applications that we will be providing the simple installation instructions for:

1. CSF - this is an advanced firewall system utilising Linux ip tables
2. Mail Manage – allows you to adjust mail settings, such as hourly limits and email forwarders, on a per account basis
3. Mail Queues – easily manage your email queues with the ability to force run the queue and delete stuck messages
4. ModSecurity Control – if you have installed ModSecurity on your cPanel Server, this provide an advanced management interface
5. Explorer – This is a file system explorer web interface which allows you to also run basic shell commands within folders – WARNING: While this utility can be very useful it is also very dangerous indeed. You can easily render your server inoperable and unrecoverable by performing ill advised actions. No warranty or guarantee is provided with the product that protects against system damage.

NOTE: All of the installations below require you to be logged into SSH as root.

Install ConfigServer Security & Firewall

rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Remove installation files:

cd ..
rm -Rfv csf/ csf.tgz

Install ConfigServer Mail Manage

rm -fv cmm.tgz
wget http://www.configserver.com/free/cmm.tgz
tar -xzf cmm.tgz
cd cmm
sh install.sh

Remove installation files:

cd ..
rm -Rfv cmm/ cmm.tgz

To uninstall:

rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cmm.cgi
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cmmversion.txt
rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/cmm/

Install ConfigServer Mail Queues

rm -fv cmq.tgz
wget http://www.configserver.com/free/cmq.tgz
tar -xzf cmq.tgz
cd cmq
sh install.sh

Remove installation files:

cd ..
rm -Rfv cmq/ cmq.tgz

To uninstall:

rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cmq.cgi
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cmqversion.txt
rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/cmq/

Install ConfigServer ModSecurity Control

rm -fv cmc.tgz
wget http://www.configserver.com/free/cmc.tgz
tar -xzf cmc.tgz
cd cmc
sh install.sh

Remove installation files:

cd ..
rm -Rfv cmc/ cmc.tgz

To uninstall:

rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cmc.cgi
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cmcversion.txt
rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/cmc/

Install ConfigServer Explorer

rm -fv cse.tgz
wget http://www.configserver.com/free/cse.tgz
tar -xzf cse.tgz
cd cse
sh install.sh

Remove installation files:

cd ..
rm -Rfv cse/ cse.tgz

To uninstall:

rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cse.cgi
rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cseversion.txt

If you run into any issue with the install, just head over to the ConfigServer forums and you’ll find plenty of people who can assist you.

Before you start setting up your nameservers in WHM, you need to make sure that the correct details have been configured with your domain registrar. Each registrar handles the setting up of private nameservers differently so you should contact them to determine the method they use. Ssome let you control the setup from your domain control panel, however some require their administrators to create the nameserver entries for.

The most important point to make when contacting your registrar is that you wish to create private nameserver details to use with your own hosting server(some refer to these as child nameservers). Occasionally you will strike level 1 support staff who do not fully understand what you wish to do and may provide you incorrect instruction unless you specify this.

Once you know how they do it, you just need to set up the nameservers in their system as below:

1. Enter the names you would like to use; e.g. ns1.yourdomain.com and ns2.yourdomain.com
2. Enter the corresponding ip addresses details from your server that you wish to use.

1. Setup The Nameservers In WHM

In WHM, navigate to the left hand menu option “Basic cPanel/WHM Setup” and do the following:

1. Set the Primary Nameserver to ns1.yourdomain.com.
2. Then click Assign IP Address.
3. Repeat this for the Secondary Nameserver section, using ns2.yourdomain.com.
4. On the bottom of the page, click Save.

Note: the IP addresses will most likely not get set correctly so we will rectify this by changing the nameserverip file via SSH.

2. Modify The Nameserver IPs Via SSH

SSH into your server as root and open the following file:

nano /etc/nameserverips

You should edit the file to look something like the example below:

IP1=ns1.yourdomain.com
IP2=ns2.yourdomain.com

Save the file and exit the editor.

3. Complete the WHM Nameserver Setup

In WHM, navigate back to the left hand menu option “Basic cPanel/WHM Setup” and perform the following steps:

1. Double check the primary nameserver field contains your ns1.yourdomain.com entry;
2. Click “Assign IP Address” which should now show you the correct IP address;
3. Click “Add an A entry for this nameserver”;
4. Repeat this for the Secondary Nameserver section using ns2.yourdomain.com.

On the bottom of the page, click Save. If you now select the left hand menu option “Manage Nameserver IPs”, you should see the correct nameserver details with the corresponding ips.

4. Restart The DNS Service

You should now just be able to restart the DNS service by doing the following:

1. Navigate to the “Restart Services” section in the left hand men;
2. Select “DNS Server (BIND/NSD)”
3. Hit the yes button in the right hand frame.

Done!…Hopefully you now have working nameservers attached to your own domain.

To Start

By default, iStat uses TCP port 5109 to communicate on. You can of course change this in the config file which we will highlight a bit furhter into this tutorial, however whichever you decide to use, you will need to make sure you have opened it up in your firewall for the iStat iPhone app to be able to communicate with the server app.

Download iStat Server

iStat server for Linux can be downloaded from github and in the example below we are using version 0.5.7. To ensure you are installing the latest version, you should head over to github and then adjust the version below accordingly if an update iStat server version has been released:

wget https://github.com/downloads/tiwilliam/istatd/istatd-0.5.7.tar.gz

note: if you get a certificate error, use the following link:

wget –no-check-certificate https://github.com/downloads/tiwilliam/istatd/istatd-0.5.7.tar.gz

Once you’ve downloaded iStat server, we just need to extract the files and then we’re ready to do the install:

tar -zxvf istatd-*.tar.gz
cd istatd-*

Install iStat Server

Configure iStat for your server:

./configure

Compile and install:

make
make install

Add an istat user and create a directory to store istat.pid:

useradd istat
mkdir /var/run/istat
chown istat /var/run/istat

Adjust iStat Server Configuration

Before you start using iStat server, you will first need to modify the configuration file for your system:

nano /usr/local/etc/istat.conf

Adjust the server_code(this is your login pin) and anything else you wish to change, e.g. network_port number. You may also want to adjust the monitor_disk settings to add additional mounted disks you wish to check, e.g. backup.

#
# /etc/istat.conf: Configuration for iStat server
#
# network_addr           127.0.0.1
# network_port           5109
server_code              12345
# server_user            istat
# server_group           istat
# server_socket          /tmp/istatd.sock
# server_pid             /var/run/istat/istatd.pid
# cache_dir              /var/cache/istat

# Note: Only support for one network interface, limited by client.
monitor_net              ( eth0 )

# Array of disks to monitor. Specify mount path or device name.
# monitor_disk             ( / /home )
monitor_disk             ( / )

# Set to 1 if you want to use mount path as label instead of the device name.
disk_mount_path_label    0

# Try to probe the filesystem for disk label, will override the mount path label.
disk_filesystem_label    1

# Set custom disk label. Will override all other labels.
# disk_rename_label        /dev/sda1  ”root”
# disk_rename_label        /home      ”home”

# End of file

Start iStat Server

Now that  you’ve configured iStat server, your ready to launch the iStat daemon:

/usr/local/bin/istatd -d

Install iStat iPhone Application

Now you can head over to Bjango’s site to check out the iPhone application and download it using iTunes. Once you’ve installed it on your iPhone, just add your server ip address and enter the server_code from your configuration file when prompted.

Launch iStat Server at startup

So that iStat Server loads automatically if the server is restarted, it’s a good idea to it to the rc.local file which will take care of that for you:

nano /etc/rc.d/rc.local

Add the following to the bottom of the file and then close and save.

/usr/local/bin/istatd -d

Prevent iStat Server daemon being shutdown

If you have any process tracking applications running on your server that may shut down the iStat daemon (e.g. ConfigServer Security & Firewall), you may want to exempt the daemon in the appropriate settings section for that application.

For example, in CSF you would open the lfd.pignore file and add the following entry:

exe:/usr/local/bin/istatd

Hopefully you now have a running installation of iStat Server for linux and can enjoy easy monitoring on the go.