Monthly Archives: April 2018

Secure SSH with Google Authenticator Two-Factor Authentication on CentOS

It’s a good idea to secure the SSH login with a two-factor authentication method. We will show in this article how to secure SSH with Google Authenticator.

Steps:

  1. Install the Google Authenticator app from Google Play

     

  2. Install the Google Authenticator module:
    [root@cwp1 ~]# yum install google-authenticator
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: mirror.sesp.northwestern.edu
     * epel: mirror.beyondhosting.net
     * extras: bay.uchicago.edu
     * updates: mirror.math.princeton.edu
    Resolving Dependencies
    --> Running transaction check
    ---> Package google-authenticator.x86_64 0:1.04-1.el7 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ========================================================================================================================
     Package                               Arch                    Version                      Repository             Size
    ========================================================================================================================
    Installing:
     google-authenticator                  x86_64                  1.04-1.el7                   epel                   48 k
    
    Transaction Summary
    ========================================================================================================================
    Install  1 Package
    
    Total download size: 48 k
    Installed size: 97 k
    Is this ok [y/d/N]: y
    Downloading packages:
    google-authenticator-1.04-1.el7.x86_64.rpm                                                       |  48 kB  00:00:00
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : google-authenticator-1.04-1.el7.x86_64                                                               1/1
      Verifying  : google-authenticator-1.04-1.el7.x86_64                                                               1/1
    
    Installed:
      google-authenticator.x86_64 0:1.04-1.el7
    
    Complete!
    [root@cwp1 ~]#
    

     

  3. To configure the google-authenticator module, use the google-authenticator command. Read the questions and answer according to your needs:
    [root@cwp1 ~]# google-authenticator
    
    Do you want authentication tokens to be time-based (y/n) y
    Warning: pasting the following URL into your browser exposes the OTP secret to Google:
      https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@cwp1%3Fsecret%3DC5ZIEY5TTOX3UNJXESKISMF2GQ%26issuer%3Dcwp1
    Your new secret key is: C5ZIEY5TTOX3UNJXESKISMF2GQ
    Your verification code is 604902
    Your emergency scratch codes are:
      92416476
      84187850
      96774355
      80714386
      19340003
    
    Do you want me to update your "/root/.google_authenticator" file? (y/n) y
    
    Do you want to disallow multiple uses of the same authentication
    token? This restricts you to one login about every 30s, but it increases
    your chances to notice or even prevent man-in-the-middle attacks (y/n) y
    
    By default, a new token is generated every 30 seconds by the mobile app.
    In order to compensate for possible time-skew between the client and the server,
    we allow an extra token before and after the current time. This allows for a
    time skew of up to 30 seconds between authentication server and client. If you
    experience problems with poor time synchronization, you can increase the window
    from its default size of 3 permitted codes (one previous code, the current
    code, the next code) to 17 permitted codes (the 8 previous codes, the current
    code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
    between client and server.
    Do you want to do so? (y/n) n
    
    If the computer that you are logging into isn't hardened against brute-force
    login attempts, you can enable rate-limiting for the authentication module.
    By default, this limits attackers to no more than 3 login attempts every 30s.
    Do you want to enable rate-limiting? (y/n) y
    [root@cwp1 ~]#
    

     

  4. Scan the QR code with the Google Authenticator app from your phone.
  5. Your root@server-name account will be added to Google Authenticator.
  6. Now let’s configure PAM. Edit the file /etc/pam.d/sshd
    [root@cwp1 ~]# nano /etc/pam.d/sshd
    

    And add the line:

    auth required pam_google_authenticator.so
    

    So the top of the file looks like:

    #%PAM-1.0
    auth required pam_google_authenticator.so
    auth       required     pam_sepermit.so
    auth       substack     password-auth
    auth       include      postlogin
    

     

  7. Now we must instruct OpenSSH to permit two-factor authentications. Open the file /etc/ssh/sshd_config :
    [root@cwp1 ~]# nano /etc/ssh/sshd_config
    

    Add the line (or uncomment the line if it already exists):

    ChallengeResponseAuthentication yes

     

  8. Restart the sshd server:
    [root@cwp1 ~]# service sshd restart
    Redirecting to /bin/systemctl restart  sshd.service
    [root@cwp1 ~]#
    
    Do NOT close the current SSH connection. Open another SSH connection and check that you can connect with two-factor authentication. If you can’t connect, investigate the cause by checking the SSH log file, /var/log/secure. If you can’t fix the issue, undo the changes from step 6 (editing the file /etc/pam.d/sshd) and step 7 (editing the file /etc/ssh/sshd_config) so that you can connect with only the password again.
  9. Everything is set up at this moment. On the next logins, the system will ask for the verification code.
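
One way to check the edits from steps 6 and 7 before relying on the new login path, added here as an example (it is not part of the original article or of the google-authenticator package). The function names and sample files are constructed; the UsePAM check is an addition the article does not mention, included because sshd only consults PAM modules when UsePAM is yes.

```shell
#!/bin/sh
# Added example: audit the PAM and sshd files edited in steps 6 and 7.

# Print the value sshd uses for a keyword: the first uncommented occurrence
# wins and keywords are case-insensitive. Match blocks and Include files are
# not handled here.
sshd_first_value() {  # $1 = keyword, $2 = sshd_config path
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# Succeed only if an active "auth" line loads pam_google_authenticator.so.
pam_has_totp() {  # $1 = PAM service file
    awk '
        /^[ \t]*#/ { next }
        $1 == "auth" && /pam_google_authenticator\.so/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Print every problem found; return non-zero if any check fails.
audit_ssh_2fa() {  # $1 = PAM file, $2 = sshd_config
    rc=0
    pam_has_totp "$1" || { echo "FAIL: no active pam_google_authenticator.so auth line in $1"; rc=1; }
    cra=$(sshd_first_value ChallengeResponseAuthentication "$2")
    # OpenSSH defaults when unset: ChallengeResponseAuthentication yes, UsePAM no.
    [ "${cra:-yes}" = "yes" ] || { echo "FAIL: ChallengeResponseAuthentication is '$cra' in $2"; rc=1; }
    pam=$(sshd_first_value UsePAM "$2")
    [ "${pam:-no}" = "yes" ] || { echo "FAIL: UsePAM is '${pam:-no}' in $2"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 and $2 are consistent with steps 6 and 7"
    return "$rc"
}

# Constructed sample files (not from a real host). "sshd_before" still has an
# active "no" line above the added "yes" line, so the "no" takes effect.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf '%s\n' '#%PAM-1.0' 'auth required pam_google_authenticator.so' \
    'auth       substack     password-auth' > "$demo/pam_sshd"
printf '%s\n' 'UsePAM yes' 'ChallengeResponseAuthentication no' \
    'ChallengeResponseAuthentication yes' > "$demo/sshd_before"
printf '%s\n' 'UsePAM yes' '#ChallengeResponseAuthentication no' \
    'ChallengeResponseAuthentication yes' > "$demo/sshd_after"
audit_ssh_2fa "$demo/pam_sshd" "$demo/sshd_before" || true
audit_ssh_2fa "$demo/pam_sshd" "$demo/sshd_after"
```

On a real host, call audit_ssh_2fa /etc/pam.d/sshd /etc/ssh/sshd_config from the session you kept open in step 8. Running sshd -T as root prints the settings as sshd itself resolves them.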


How to setup CWP module for WHMCS

We will show you here how to configure the CWP module for WHMCS. This module is offered for free by CWP.

Notice that WHMCS is not free and you should purchase a license from whmcs.com or from a partner. Licenses from whmcs.com start at $15.95/month.  

Steps on how to install the module:

  1. Download the CWP WHMCS module.
    Log in to your CWP installation and go to Billing->WHMCS from the left menu.
    Follow the link, download the zip archive and extract it. There is only one file in the archive – /cwp7/cwp7.php
  2. Upload the file cwp7.php to WHMCS_directory/modules/servers/cwp7/cwp7.php
  3. Generate an API key to allow WHMCS to connect to your CWP server.
    To do this, go to CWP->CWP Settings->API Manager.
    Enter a name for the key and the IP of the server where you have WHMCS installed, click the Generate button and select the API permissions as:
    – for accounts: add, upd, del, susp, unsp
    – for packages: add, upd, del, list
  4. Click the Create button to add the key to the system.
    Take notice of the CWP message: For the correct operation of this tool you must open port 2304 in the firewall
  5. Now go to WHMCS->Setup->Products/Services->+Add New Server.  Enter:
    – Name, Hostname, IP address
    – Primary and Secondary Nameserver with their IPs
    – at Server Details: select server type as Cwp7, enter root username and password and paste the access key.
  6. Click the Save Changes button. You will now be able to create/delete new user accounts in WHMCS.

Add cron jobs in CWP

This KB article is for CentOS Web Panel for shared hosting (end-users).

Cron jobs are commands that will tell the server to run specific PHP files at specific time intervals. There are many web scripts that need cron jobs to run properly.


To create cron jobs in CWP:

  1. We assume you are logged on 
  2. Look for CWP Settings->Crontab
  3. Here you have three sections to add a cron job.
    In the first one, choose a common time setting (for example every minute) and the command and click the Save changes button.
    In the second one choose time interval details from drop-down lists. Enter the command and click the Save changes button.
    In the third one, you have full control, and you can customize the time interval as you wish. As in previous two cases, click the Save changes button in the end.

CWP shows you what the command should look like:

# Example of job definition:
# .---------------- minutes (0 - 59)
# |  .------------- Hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7)
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed


Create/restore backups in CentOS Web Panel

This KB article is for CentOS Web Panel for shared hosting (end-users).

It’s a good practice to download site backups from time to time to your computer. With CWP you can easily accomplish this.

To download backups to your computer in CWP:

  1. Log in to your CWP account
  2. Navigate to File Management->Backup->Download a backup copy  tab
  3. Here you have some options:
    Download a full website backup – this action creates a full backup of your site that you can then download. It’s very useful if you want to transfer the site to another server or to restore it in case of an issue.
    Home Directory – download an archive containing your home directory
    All Mysql – download a backup of all your MySQL/MariaDB databases
    All Account Email – backup of all your email accounts.

To restore a backup from your computer in CWP:

  1. Log in to your CWP account
  2. Navigate to File Management->Backup->Restore a backup copy  tab
  3. Upload a home directory backup or a MySQL database backup.
At the time of writing this article, the “restore a backup” function seems not to work. We recommend restoring files via FTP and MySQL databases via phpMyAdmin.


CWP File System Lock

This KB article is for CentOS Web Panel for shared hosting (end-users).

File System Lock is a very interesting CWP feature. It’s unique among web hosting control panels.

The CWP gives some details about it:

Info: File System Lock will lock all files and folders from any changes, this will also block all uploads, file modifications and even backup restore. This will secure your website almost 100%, and it’s very useful if you are the only one who modifies website. If you need to modify your website or upload new files then you need to temporary unlock your files.

File System Lock will block ANY file activities in the /public_html/ folder. As the CWP notice says, this will protect your site from malicious scripts that want to modify your files.

To enable File System Lock in CentOS Web Panel:

  1. Log in to CWP
  2. Go to File Management->File System Lock
  3. Click the button Files Unlocked, click to Lock.
  4. You will see the button turning green and text being Files Locked, click to Unlock. 
    Also, a message will appear on your dashboard: The file system is locked, this can cause several tasks to not work correctly
