Tag Archives: cpanel

Alternatives to Cpanel: Webmin

I’m going to start a mini-series of posts here called Alternatives to Cpanel. First you might ask: why not Cpanel? It’s worth pointing out that Cpanel is arguably one of the most popular and most comprehensive control panel solutions for web hosting out there, but it might not be good for some people or some use cases. The first that comes off the top of my head is using Nginx (pronounced Engine-X) instead of Apache. Granted, there are now plugins that allow you to run Nginx in front of Apache on Cpanel, both a paid and a free option, but neither eliminates Apache completely like Litespeed can (that’s perhaps content for another blog post).

Today I am going to talk about Webmin. I’m going to briefly go through install instructions for Debian and talk about some of its strengths and weaknesses. Firstly, I should point out that Webmin out of the box is not a web hosting control panel like Cpanel; if you want that level of functionality you need to install the Virtualmin add-on package (GPL or paid), which extends Webmin into a full hosting system. On its own, Webmin allows you to tweak just about any setting on your Linux, Windows or even Mac computer. Yes, I did just say Mac: I run it on my local Mac to manage Apache vhosts rather than pay for MAMP Pro.

If you have CentOS/Red Hat or Debian/Ubuntu, installing Webmin is actually pretty simple. The install instructions are here: Debian, CentOS. There is one caveat regarding the Debian install instructions: the developer recommends adding both mirror servers to your apt sources list. While there are arguments for both sides, I don’t recommend it, purely due to the possibility of the mirrors becoming out of sync and potentially giving out-of-date information. CentOS and YUM handle this much better by using a mirror list: YUM tests on the fly for the best mirror and uses that one unless there is a problem. As of yet, Debian and APT don’t have such a feature. Here are the quick Debian install instructions:

Edit the /etc/apt/sources.list file on your system and add the line:

deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib

NOTE: I have used only one server despite the instructions saying to add both. I would recommend testing the speed of each and picking the fastest for your needs.

You should also fetch and install the GPG key with which the repository is signed, with the commands:

cd /root
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc

You will now be able to install with the commands:

apt-get update
apt-get install webmin

All dependencies should be resolved automatically and Webmin installed, with your root username and password as the default login.

Once you have installed it, you will get the Webmin login screen if you navigate to yoursiteip:10000 in a browser.

Where Webmin is really powerful, and what makes it brilliant for more advanced server administrators, is that it generally parses config files on the fly and writes back to them on the fly. It doesn’t attempt to “take control” of config files like Cpanel and some other control panel solutions do, which means that if you make a command-line edit it will show up in Webmin and vice versa; you won’t end up playing ping-pong between the two when you want to make a change.

There are quite a lot of plugins for Webmin as well, and it’s very likely that if something isn’t in the core setup there is a module for it, for example for that FTP server you use (like vsftpd). However, at this time there isn’t really a reliable Nginx plugin available, which is a shame because the two would go hand in hand in building a very lean production web server. We live in hope for it to mature, though: initial work has been done here but needs someone to take it forward.

Another advantage of Webmin is that it runs its own mini-server (originally called miniserv.pl). Normally I wouldn’t recommend spending extra resources if you can avoid it, but in this case I make an exception purely because Webmin uses so few resources, and it is also another way to access your server if you break SSH or something (note: breaking network settings breaks all services, not just SSH!).

I use Webmin on most servers I set up that aren’t Cpanel, purely because the firewall system CSF & LFD (another post, another day) has a great Webmin module, which makes managing your firewall and brute-force protection much easier on non-Cpanel servers. CSF was originally written for Cpanel, but then they made it work generically on all Linux systems and even wrote the Webmin module.

One of the biggest pros of Webmin is that it’s 100% free, which is great if you’re building servers on a budget too.

I’ll leave this post here for now, but I would love to hear your comments about Webmin. I’d also love to hear recommendations for other alternatives to Cpanel.

Linux Securing your /tmp directory

It’s recently been noted that lots of people are having their servers hacked because they were running vulnerable versions of PHPMyAdmin. Obviously the best advice to fix this is to upgrade your PMA install to the latest version, or to otherwise protect it with passwords etc. (Apache passwords, not just the DB passwords). However, this may not always be feasible or possible (I am looking mostly at ISPManager Pro installs on Debian here).

This is a very short guide that will help you secure your server by locking down the tmp directory more thoroughly, and thus hopefully eliminating the access point that this exploit uses.

DISCLAIMER – this does not close the exploit that PMA is open to, it just closes the access point for it; there is still the possibility of it gaining access via other, as yet unknown, means.
ALSO – messing up your fstab file can lead to an unbootable system. You should make a system backup before making such a change, or be able to boot into some form of recovery environment to re-edit the file and fix it.

The fix is pretty simple to implement: it involves making your server’s tmp directory get mounted with no executable permissions (noexec) and with set-user-ID bits ignored (nosuid). This is where the exploit does its damage: it executes code from the tmp directory, which normally has global write access of some sort. This guide is tested to work with Debian systems (with or without ISPManager Pro) and should also work on CentOS systems with no issues; see my caveats at the bottom for Cpanel servers.

Firstly, log in to your server as root via SSH (or console). If you don’t SSH as root, connect as you normally do and get to root-level access (you may need to add sudo to the beginning of your commands). I am assuming from now on that you have root access and nano (choose your own text editor if you are more comfortable with it, e.g. vi).

We need to edit fstab to make the temp directory noexec and nosuid. We do this by using a bind mount to effectively remount a directory as a partition (this is often used to remount folders and make them accessible from different points, e.g. making the folder /bob available at /bobby as a partition, not just a folder/symlink). To do this:

nano /etc/fstab

Your text editor will come up now. The syntax of each line goes:

<device> <mountpoint> <filesystemtype> <options> <dump> <fsckorder>

If you have a line that has /tmp in the second column, see my caveats below. Otherwise, add the following line to your fstab file:

/tmp  /tmp  bind  nosuid,noexec,bind  0  0

This effectively makes the /tmp folder on / (the root partition) available as a partition mounted at /tmp. You can do lots of cool things by mounting other directories over others, but that’s way beyond the scope of this guide.

To make this take effect you can either reboot your server with:

reboot

or whatever command/process you do to reboot

or, if you are happy to unmount and remount (I don’t normally recommend this, for safety’s sake):

umount /tmp
mount -a

Caveats

If your fstab file already has a line with /tmp in the second column (e.g. most reasonably up-to-date Cpanel servers), then simply adding this line will most likely cause issues. Instead, you should edit the existing line and add the options

noexec,nosuid

to the flags section.

E.g. a default Cpanel temp dir line may look like this:

/usr/tmpDSK  /tmp  ext3  defaults,noauto  0 0

Just add the flags to make it look similar to:

/usr/tmpDSK  /tmp  ext3  defaults,noauto,noexec,nosuid  0 0

NOTE: nano tends to wrap text when you edit if your window is small. The fstab file is very sensitive to this, and it will cause problems if any non-commented line is not a fully syntactically correct line. To avoid this issue, either maximise your shell window or load nano in non-wrapping mode (-w), e.g.

nano -w /etc/fstab

Again, unmounting and remounting or rebooting your server will pick up these new settings.
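
A check for the two failure modes this guide warns about, a wrapped fstab line and a /tmp entry that is missing noexec or nosuid, as an added example that is not part of the original post. The function names fstab_broken_lines and tmp_missing_opts and the sample fstab are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Both read a file laid out as: <device> <mountpoint> <type> <options> ...

# Print non-comment lines with fewer than the four mandatory fields, which is
# what a line wrapped by nano looks like. Returns 1 if any were found.
fstab_broken_lines() {
    awk '
        /^[ \t]*(#|$)/ { next }
        NF < 4 { printf "line %d: %s\n", NR, $0; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Print which of noexec/nosuid the /tmp entry lacks (last entry wins).
# Returns 0 if both are set, 1 if any is missing, 2 if /tmp has no entry.
tmp_missing_opts() {
    awk '
        /^[ \t]*(#|$)/ { next }
        NF >= 4 && $2 == "/tmp" { opts = $4; seen = 1 }
        END {
            if (!seen) { print "no-tmp-entry"; exit 2 }
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) have[o[i]] = 1
            m = ""
            if (!("noexec" in have)) m = "noexec"
            if (!("nosuid" in have)) m = (m == "" ? "" : m " ") "nosuid"
            if (m != "") { print m; exit 1 }
        }
    ' "$1"
}

# Constructed sample: the unhardened cPanel-style /tmp line, wrapped in two.
sample=$(mktemp)
printf '%s\n' '# constructed sample fstab' \
    '/dev/sda1  /  ext3  defaults  0 1' \
    '/usr/tmpDSK  /tmp  ext3' \
    'defaults,noauto  0 0' > "$sample"
fstab_broken_lines "$sample" || echo "fix these lines before rebooting"
tmp_missing_opts "$sample" || echo "/tmp is not hardened in this file"
rm -f "$sample"
```

On a live system, run both functions against /etc/fstab before rebooting, then run tmp_missing_opts against /proc/mounts afterwards: it shares the same first four fields and shows the options actually in effect.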