Dev {Tricks}

You are here: Home / Archives for Server and Hosting / Web Control Panel / aaPanel

by

aaPanel Security Risk and Solution

Detect whether secure socket layer encryption is used to transmit information to avoid eavesdropping on sensitive information

Test type: Whether to use encrypted remote administration ssh
Risk level: Medium risk

Risk detail: Remote administration of ssh without secure socket encryption

Solution:

1. Add or modify Protocol 2 in [/etc/ssh/sshd_config] file
2. Then run the command systemctl restart sshd to restart the process

Tips: This scheme can enhance the protection of SSH communication and avoid sensitive data leakage.

Check if the command-line interface timeout is set

Test type: Check if the command-line interface timeout is set
Risk level: Medium risk

Risk detail: No command line timeout is configured for exit

Solution:

1. Add tmout=300 in the file [/etc/profile], and the waiting time is not more than 600 seconds
2. Execute source /etc/profile to make the configuration work

Tips: This solution will make the server command line over a certain period of time does not operate automatically shut down, can strengthen the security of the server.

User FTP access security configuration checks

Test type: User FTP access security configuration
Risk level: Medium risk

Risk detail: Currently pure-ftpd is not configured with security access. Modify/add the value of Umask to 177:077 in the [pure-ftpd.conf] file

Solution:

1. In [/www/server/pure-ftpd/etc/pure-ftpd.conf] change the value of Umask to 177:077 in the config file

Tips: This scheme can enhance the protection of FTP server and reduce the risk of server intrusion.

Check important files for suid and sgid permissions

Test type: Check for files with suid and sgid permissions
Risk level: Medium risk

Risk detail: The following files have sid privilege, chmod u-s or g-s remove sid bits: “/usr/bin/chage、/usr/bin/gpasswd、/usr/bin/wall、/usr/bin/chfn、/usr/bin/chsh、/usr/bin/newgrp、/usr/bin/write、/usr/sbin/usernetctl、/bin/mount、/bin/umount、/sbin/netreport”

Solution:

1. Use the chmod u-s/g-s [filename] command to change the permissions of the file

Tips: This scheme removes the special permissions of important files, which can prevent intruders from using these files for privilege escalation.

chmod g-s /usr/bin/chage
chmod u-s /usr/bin/gpasswd
chmod u-s /usr/bin/chfn
chmod u-s /usr/bin/chsh
chmod u-s /usr/bin/newgrp
chmod u-s /bin/mount
chmod u-s /bin/umount

bootloader Configuring permission checks

Test type: bootloader Configuring permissions
Risk level: Medium risk

Risk detail: The following critical file or directory permissions are incorrect:/boot/grub2/grub.cfg Current permissions: 644 : root Security permissions: 600 : root

Solution:

1. Configure secure permissions for grub according to the file suggested by the risk description
2. If grub2, then: chmod 600 /boot/grub2/grub.cfg、chown root /boot/grub2/grub.cfg
3. If grub, then: chmod 600 /boot/grub/grub.cfg、chown root /boot/grub/grub.cfg

Tips: This scheme can strengthen the server grub interface protection, further prevent external intrusion server.

Check if an empty password user exists

Test type: Check if an empty password user exists
Risk level: High risk

Risk detail: Found an empty password user【】

Solution:

1. Log in to server as root, set password for empty password user
2. If you do not know the user’s purpose, you can execute the command [passwd -l (username)] to temporarily block the user.Unlock user command [passwd-fu (username)]

Tips: detects the existence of blank password users, may be hackers reserved backdoor users, if not business needs to suggest setting a password.

sudo awk -F":" '($2 == "") {print $1 ": has no password."}' /etc/shadow

Critical file permission checks

Test type: Critical file permission checks
Risk level: High risk

Risk detail: The following critical files or directories have permission errors:

/etc/shadow Current permissions: 000 : root Suggested changes to: 400 : root
/etc/security Current permissions: 755 : root Suggested changes to: 600 : root
/etc/ssh/sshd_config Current permissions: 600 : root Suggested changes to: 644 : root
/etc/gshadow Current permissions: 000 : root Suggested changes to: 400 : root
/etc/shadow Current permissions: 000 : root Suggested changes to: 400 : root
/etc/gshadow Current permissions: 000 : root Suggested changes to: 400 : root

Solution:

1、On the [File] page, set the correct permissions and owner for the specified directory or file

Detect whether to limit password reuse times

Test type: Check password reuse limit
Risk level: Medium risk

Risk detail: Unlimited password reuse

Solution:

1、Configuration file backup: cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
2、Add or modify remember=5 after [password sufficient] in [/etc/pam.d/system-auth] file

SSH idle timeout detection

Test type: SSH idle timeout detection
Risk level: Medium risk

Risk detail: The current SSH idle timeout time is: 0, it is recommended to set it to 600-900

Solution:

1、Set [ClientAliveInterval] in the [/etc/ssh/sshd_config] file to be between 600 and 900
2、Tip: The recommended SSH idle timeout time is: 600-900

Check whether the current panel port is safe

Test type: Panel port
Risk level: Medium risk

Risk detail: The panel port is the default port (7800), which may cause unnecessary security risks

Solution:

1. Please modify the default panel port on the [Settings] page
2. Note: Servers with [Security Group] should release the new port in the [Security Group] in advance to prevent the new port cannot be opened

SSH password complexity check

Test type: SSH password complexity check
Risk level: Medium risk

Risk detail: 【/etc/security/pwquality.conf】set the minclass setting to 3 or 4 in the file

Solution:

1、【/etc/security/pwquality.conf】 Set password complexity to require 3 or 4 types of characters, such as lowercase letters, uppercase letters, numbers, and special characters. like:
2、minclass=3

/etc/bashrc User default permission check

Test type: [/etc/bashrc] User default permission check
Risk level: Medium risk

Risk detail: umask is not set to 027

Solution:

1、[/etc/bashrc] The umask set in the file is 002, and it is recommended to set it to 027
2、Solution: Modify the /etc/bashrc file permission to 027

Panel login alarm

Test type: Panel login alarm
Risk level: Medium risk

Risk detail: Please enable it in [Settings] – [Notification]

Solution:

1、Enable it in [Settings] – [Notification]

[/etc/csh.cshrc] User default permission check

Test type: [/etc/csh.cshrc] User default permission check
Risk level: Medium risk

Risk detail: umask not set to 027

Solution:

1、[/etc/csh.cshrc] The umask set in the file is 002, which does not meet the requirements. It is recommended to set it to 027
2、The operation is as follows: Modify umask to 027

Check the minimum interval between SSH password changes

Test type: Check the minimum interval between SSH password changes
Risk level: Medium risk

Risk detail: 【/etc/login.defs】In the file, PASS_MIN_DAYS is greater than or equal to 7

Solution:

1、[/etc/login.defs] PASS_MIN_DAYS should be set to be greater than or equal to 7
2、PASS_MIN_DAYS 7 needs to execute the command at the same time to set the expiration time of the root password. The command is as follows: chage –mindays 7 root

Check SSH password expiration time

Test type: Check SSH password expiration time
Risk level: Medium risk

Risk detail: 【/etc/login.defs】Set PASS_MAX_DAYS to between 90-180 in the file

Solution:

1、[/etc/login.defs] Use a non-password login key pair. Please ignore this, and set the PASS_MAX_DAYS parameter to between 90-180 in /etc/login.defs
2、PASS_MAX_DAYS 90 You need to execute the command to set the root password expiration time at the same time. The command is as follows: chage –maxdays 90 root

The panel is not monitoring

Test type: The panel is not monitoring
Risk level: Low risk

Risk detail: Open it in [Monitor] – [System Monitor]

Solution:

1、Open it in [Monitor] – [System Monitor]

Check the website to prevent cross-site

Test type: Website anti-cross-site detection
Risk level: Low risk

Risk detail: The following websites are not enabled for cross-site prevention: …

Solution:

1. On the [WebSite] page, [Settings]-[Site Directory], turn on the [Anti-cross-site attack (open_basedir)] function

PHP version leaked

Test type: PHP version leaked
Risk level: High risk

Risk detail: Risk-free

Suggest:

1. Set [expose_php] in the [php.ini] file and configure it to Off
2. Tips: Set [expose_php] in the [php.ini] file and configure it to Off

Tips: This solution can prevent the disclosure of sensitive information on the website and reduce the possibility of server intrusion.

by

aaPanel Management script

aaPanel Management script

  • Stop
service bt stop
  • Start

service bt start

Restart

service bt restart

Uninstall

service bt stop && chkconfig –del bt && rm -f /etc/init.d/bt && rm -rf /www/server/panel

View current port of control panel

cat /www/server/panel/data/port.pl

Change port of control panel,e.g. 8881(centos 6 Operation System)

echo ‘8881’ > /www/server/panel/data/port.pl && service bt restart iptables -I INPUT -p tcp -m state –state NEW -m tcp –dport 8881 -j ACCEPT service iptables save service iptables restart

Change port of control panel,e.g. 8881(centos 7 Operation System)

echo ‘8881’ > /www/server/panel/data/port.pl && service bt restart firewall-cmd –permanent –zone=public –add-port=8881/tcp firewall-cmd –reload

Force to change MySQL manager (root) Password,e.g. 123456

cd /www/server/panel && python tools.py root 123456

Change control Panel login password,e.g. 123456

cd /www/server/panel && python tools.py panel 123456

Site Configuration location

/www/server/panel/vhost

Delete banding domain of control panel

rm -f /www/server/panel/data/domain.conf

Clean login restriction

rm -f /www/server/panel/data/*.login

View control panel authorization IP

cat /www/server/panel/data/limitip.conf

Stop access restriction

rm -f /www/server/panel/data/limitip.conf

View permission domain

cat /www/server/panel/data/domain.conf

Turn off control panel SSL

rm -f /www/server/panel/data/ssl.pl && /etc/init.d/bt restart

View control panel error logs

cat /tmp/panelBoot

View database error log

cat /www/server/data/*.err

Site Configuration directory(nginx)

/www/server/panel/vhost/nginx

Site Configuration directory(apache)

/www/server/panel/vhost/apache

Site default directory

/www/wwwroot

Database backup directory

/www/backup/database

Site backup directory

/www/backup/site

Site logs

/www/wwwlogs

 

Nginx

nginx installation directory

/www/server/nginx

Start

service nginx start

Stop

service nginx stop

Restart

service nginx restart

Reload

service nginx reload

nginx Configuration

/www/server/nginx/conf/nginx.conf

 

Apache

apache installation directory

/www/server/httpd

Start

service httpd start

Stop

service httpd stop

Restart

service httpd restart

Reload

service httpd reload

apache Configuration

/www/server/apache/conf/httpd.conf

 

MySQL

mysql installation directory

/www/server/mysql

phpmyadmin installation directory

/www/server/phpmyadmin

Data storage directory

/www/server/data mysql

Start

service mysqld start

Stop

service mysqld stop

Restart

service mysqld restart

Reload

service mysqld reload

mysql Configuration

/etc/my.cnf

 

FTP

ftp installation directory

/www/server/pure-ftpd

Start

service pure-ftpd start

Stop

service pure-ftpd stop

Restart

service pure-ftpd restart

ftp Configuration

/www/server/pure-ftpd/etc/pure-ftpd

 

PHP

php installation directory

/www/server/php

Start (Please modify by PHP version, e.g. service php-fpm-54 start)

servicephp-fpm-{52|53|54|55|56|70|71|72|73|74|80|81} start

Stop(Please modify by PHP version, e.g. service php-fpm-54 stop)

service php-fpm-{52|53|54|55|56|70|71|72|73|74|80|81} stop

Restart(Please modify by PHP version, e.g. service php-fpm-54 restart)

service php-fpm-{52|53|54|55|56|70|71|72|73|74|80|81} restart

Reload(Please modify by PHP version, e.g. service php-fpm-54 reload)

service php-fpm-{52|53|54|55|56|70|71|72|73|74|80|81} reload

Configuration(Please modify by PHP version, e.g. /www/server/php/52/etc/php.ini)

/www/server/php/{52|53|54|55|56|70|71|72|73|74|80|81}/etc/php.ini

 

Redis

redis installation directory

/www/server/redis

Start

service redis start

Stop

service redis stop

redis Configuration

/www/server/redis/redis.conf

 

Memcached

memcached installation directory

/usr/local/memcached

Start

service memcached start

Stop

service memcached stop

Restart

service memcached restart

Reload

service memcached reload

by

How to install aaPanel web hosting control panel on CentOS 7 or Ubuntu or Debian

Server Requirements:

Memory:
512M or more, 768M or more is recommended (Pure panel for about 60M of system memory)

Hard disk:
More than 100M available hard disk space (Pure panel for about 20M disk space)

System:

  • CentOS 7.1+
  • Ubuntu 20.04
  • Debian 10

Linux Panel Installation Command
aaPanel is developed based on Centos, we recommend using Centos to install it

Centos

yum install -y wget && wget -O install.sh http://www.aapanel.com/script/install_6.0_en.sh && bash install.sh aapanel

Ubuntu/Deepin

wget -O install.sh http://www.aapanel.com/script/install-ubuntu_6.0_en.sh && sudo bash install.sh aapanel

Debian

wget -O install.sh http://www.aapanel.com/script/install-ubuntu_6.0_en.sh && bash install.sh aapanel

Notice: Ensure that it is a clean operating system, there is no other environment with Apache/Nginx/php/MySQL installed (the existing environment can not be installed)

WARNING: You are using pip version 20.3.3; however, version 23.3.1 is available.
You should consider upgrading via the ‘/www/server/panel/pyenv/bin/python3.7 -m pip install –upgrade pip’ command.

/www/server/panel/pyenv/bin/python3.7 -m pip install --upgrade pip

It is recommended to use Chrome, Firefox, and edge browsers to access the panel login address

The main difference between NGINX and Apache web servers is that NGINX has event-driven architecture handling multiple requests within a single thread, while Apache is process-driven creating a thread per each request. Thus, allowing NGINX to have generally better performance.

 

aaPanel Security Risk and Solution

aaPanel Management script

aaPanel Error and Solutions

 

by

Changing the partition layout of your VPS and VDS after installation | Linux

  • How to easily change your partition layout on your VPS or VDS.

Backup of all important data before proceeding! Changes to the partition table always bear the risk of complete data loss.

  • Boot your VPS / VDS into the rescue-system
  • Now connect through VNC (How to use VNC to connect to your VPS and VDS)
  • Login as “root”
  • To perform changes on the partition easily use gparted
  • To start the GUI type “startxfce4” within VNC console and wait a few seconds until the graphical interface appears
  • On the upper left side you will see “Applications”, open it and select “Run Program”
  • Type “gparted” within the application finder and the app should start immediately
  • Now you can resize and create new partition with unallocated space.