If you add a new partition (or change an existing one), fdisk complains that the device is busy:
# fdisk /dev/sdb
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table.
The new table will be used at the next reboot.
Syncing disks.
The solution is to unmount any other mounted partitions from the same drive (/dev/sdb in my case). Then try again to write the partitions.
ConfigServer eXploit Scanner (cxs for friends) is a new security tool from ConfigServer, specially designed for cPanel, that actively scans files as they are uploaded to the server. It is good for keeping viruses out of a hosting server.
http://www.configserver.com/cp/cxs.html
I found a list of (fixed) security bugs in cPanel and other hosting-related software. It’s a good starting point when you want to audit a hosting system. http://webhostsecurity.com/bugs/index.shtml
According to SecurityFocus, PHP versions 5.2.10 and lower have multiple vulnerabilities that can be exploited locally or remotely. The latest PHP version, 5.2.11, fixes these problems. There is no mention of 5.3.
ConfigServer, well known to cPanel admins for their excellent firewall, csf, is preparing a new product: an exploit scanner that tries to stop viruses from spreading on websites. Details here.
The <iframe> problem has existed for more than a year, but no bullet-proof solution is available. We currently use an in-house script that limits FTP connections to a group of countries, but in recent days the virus seems to be spreading across all countries and our script cannot block all attempts. This happens because of insecure client computers without a proper security solution. FTP/cPanel passwords are stolen by trojans and then used by automated programs to infect websites with <iframe>.
Very interesting blog post on HostGator, written by Brent Oxley (CEO), about their company history:
http://blog.hostgator.com/2009/09/10/200000-web-hosting-clients-and-climbing/
A few quotes:
When HostGator had just started, I hated resellers because they required a large amount of relatively technical service. [..] There was very few employees at first and nothing but empty space. Many people that I met had no idea what web hosting was and were convinced that I was a drug dealer. They believed this because I was so young, successful, and living in an empty building with a bunch of young adults in what resembled a frat house.
Because in cPanel the Apache web server is compiled from source and installed in a custom location, you need to configure logrotate to split and compress its logs. To do this, create the file /etc/logrotate.d/httpd with this content:
/usr/local/apache/logs/*log {
    create 0640 root root
    rotate 4
    daily
    compress
    postrotate
        /sbin/service httpd restart > /dev/null 2>/dev/null || true
    endscript
}
then force logrotate to rotate logs:
logrotate -fv /etc/logrotate.d/httpd
If you have munin installed from cPanel, you need to make similar settings for it. Munin logs are saved in /var/log/munin and usually grow fast.
Usually, cPanel displays lower disk space usage than the real figure. This happens for two reasons: first, MySQL databases are not counted (because quota on MySQL may corrupt data), and second, all files created from PHP are owned by the nobody user (if PHP is compiled as an Apache module and without SuPHP, which is the default). So, if you want to see how much space a reseller uses for all his accounts, use the script below. The input parameter is the reseller username.
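#!/bin/bash
# Real disk usage (home directories + MySQL data) of all accounts of a reseller.
# $1 = reseller username
if [ -n "$1" ] && [ -d "/home/$1" ]
then
    sum=0
    # account names = cPanel user files that mention the reseller
    for i in $(grep -l -- "$1" /var/cpanel/users/* | sed "s/\/var\/cpanel\/users\///"); do
        # usage in KB; "+0" prints 0 instead of an empty string when nothing was counted
        du=$(du -sk "/home/$i" /var/lib/mysql/"$i"* 2>/dev/null | awk '{sum+=$1}END{print sum+0}')
        sum=$((sum + du))
        echo -e "$du\t$i"
    done
    echo "-----------------------------"
    echo -ne "TOTAL:\t"
    # convert the KB total to M, G or T
    echo "$sum" | awk '{sum+=$1}END{hum[1024**3]="T";hum[1024**2]="G";hum[1024]="M";for (x=1024**3; x>=1024; x/=1024){ if (sum>=x) { printf "%.2f%s\n",sum/x,hum[x];break } }}'
else
    echo "User $1 not found"
fi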
Save it as a file, for example real-reseller-usage.sh, make it executable with chmod +x real-reseller-usage.sh, and call it with the reseller username as its parameter. The result will be similar to this:
root@s1 [~]# ./real-reseller-usage.sh reseller1
9376 user1
108892 user2
...
470108 user99
-----------------------------
TOTAL: 8.14G
I assume you have a server with WHM/cPanel and you’ve already installed clamav (if not, do it from WHM -> Manage Plugins -> clamavconnector). Sometimes cPanel delays updating ClamAV to the latest version, so if you want to upgrade it manually, this is what to do:
First, set the update location to one near you:
replace 'DatabaseMirror database.clamav.net' 'DatabaseMirror db.US.clamav.net' -- /etc/freshclam.conf
freshclam
If you receive complaints about an obsolete clamav version, you should upgrade to the latest one. Let’s say you have 0.95.2 and the latest is 0.95.3.
# use the directory that matches your architecture
cd /usr/local/cpanel/modules-install/clamavconnector-Linux-x86_64/    # 64-bit
cd /usr/local/cpanel/modules-install/clamavconnector-Linux-i686/      # 32-bit
replace 'AVV=0.95.2' 'AVV=0.95.3' -- install
wget http://downloads.sourceforge.net/clamav/clamav-0.95.3.tar.gz
./install
That’s all!
Updated on Sep, 6 2009 – links updated to latest clamav version
CSF is a free Linux firewall that works great with cPanel. (Actually, it is more than a firewall, but I want to talk about something else.)
cPanel has an option for users to define the IP addresses from which they want to access MySQL remotely on the hosting server. For this to work, the server must have the MySQL port (3306) open in the firewall. In CSF, you just add 3306 to the TCP_IN list in /etc/csf/csf.conf.
Recently, I found something that looks like a denial-of-service attack on MySQL on several servers, so I decided to block the external MySQL port (3306) and only allow connections from clients, based on their settings from cPanel.
This is a one-line bash script that searches for the IP addresses configured by clients in their own cPanel for MySQL remote access and creates a set of rules for CSF:
mysql mysql -e "select Host,User from user where Host!='localhost' group by Host;" | awk '{print "tcp:in:d=3306:s=" $1 "\t# " $2}' | sed "s/%//g" | grep -E "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | grep -v "127.0.0.1" | sort | uniq
You have to manually add the resulting lines to /etc/csf/csf.allow and restart csf.
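A stricter variant of the one-liner above, as an added example (not the original post's code): it accepts only literal IPv4 hosts with octets 0-255, so wildcard entries, hostnames and loopback never become csf.allow rules. The function names and sample rows are constructed for illustration; rows are assumed to arrive in the Host<TAB>User form that `mysql -N -B` prints.

```bash
#!/bin/bash
# Added example: build csf.allow rules from MySQL "Host<TAB>User" rows,
# accepting only literal IPv4 source addresses.

# Reads rows on stdin (assumed to come from
# `mysql -N -B -e "select Host,User from user ..."`) and prints one rule
# per unique address/user pair.
hosts_to_csf_rules() {
    awk -F '\t' '
        # True only for a dotted quad whose four octets are each 0-255.
        function is_ipv4(h,    n, o, i) {
            n = split(h, o, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9][0-9]?[0-9]?$/ || o[i] + 0 > 255) return 0
            return 1
        }
        {
            host = $1; user = $2
            if (!is_ipv4(host)) next                        # "%", "192.0.2.%", hostnames
            if (host ~ /^127\./ || host == "0.0.0.0") next  # loopback / any address
            gsub(/[^A-Za-z0-9_.-]/, "_", user)              # keep the comment field inert
            printf "tcp:in:d=3306:s=%s\t# %s\n", host, user
        }
    ' | sort -u
}

# Constructed sample rows (documentation address ranges), not real server data.
sample_rows() {
    printf '%s\t%s\n' \
        '203.0.113.10'          'shop_db' \
        '203.0.113.10'          'shop_db' \
        '198.51.100.7'          'blog_wp' \
        '%'                     'any_host' \
        '192.0.2.%'             'wildcard' \
        '127.0.0.1'             'local' \
        '999.1.1.1'             'badoctet' \
        '192.0.2.5.example.net' 'hostname' \
        '192.0.2.9'             'x; rm'
}

sample_rows | hosts_to_csf_rules
```

Accounts whose Host is a wildcard or a hostname produce no rule here, so they stay blocked on port 3306 until the client enters a fixed address in cPanel.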