Choosing Your Cloud Sites Technology Setup

Reading Time: 2 minutes

Standing behind our Liquid Web Cloud Sites product are server racks full of powerful, stable Linux and Windows servers, which power well over 100,000 sites and applications. Every Windows-based package is served from clusters that are built and optimized especially for Windows. All Linux-based packages are likewise served from brawny server clusters created and optimized specifically for Linux. We use advanced load balancing technologies to automatically detect the type of technology you are running and route each request to the proper pool of servers.

Continue reading “Choosing Your Cloud Sites Technology Setup”

How to Install Pip on Ubuntu 16.04 LTS

Reading Time: 2 minutes

Arguably one of the easiest tools to use for installing and managing Python packages, Pip has earned its notoriety by the number of applications utilizing this tool. Fancied for its capabilities in handling binary packages over the easy_install package manager, Pip enables 3rd party package installations. Though Python does sometimes come with Pip as a default, this tutorial will show how to install it, check its version, and use some basic commands for Pip on Ubuntu 16.04.

Continue reading “How to Install Pip on Ubuntu 16.04 LTS”

Installing WordPress using WP-CLI

Reading Time: 3 minutes

WordPress has a great GUI-based installation process; however, some use cases call for CLI! Or maybe you just feel more at home in a terminal. Either way, this article will show you how to get your WordPress site set up with just a terminal, using WP-CLI, and maybe a sprinkle of SSH.

In order to install WordPress manually using WP-CLI, you will first need to create a new database for the WordPress install. You will also need to know how to find your SSH credentials and be comfortable using Terminal or PuTTY and WP-CLI.

Continue reading “Installing WordPress using WP-CLI”

Top 15 Server Security Practices for 2020

Reading Time: 16 minutes

In this article, we will denote the security best practices for 2020 and beyond. Because security is such a challenging subject for many, it often goes unheeded, and as such, many are caught unaware when an issue arises. By following these best practices, you can significantly lower your risk of being compromised by a malicious actor.

Continue reading “Top 15 Server Security Practices for 2020”

Top Ten 2019 Password Security Standards

Reading Time: 4 minutes 

Here are the top ten password security standards and specifications for 2019. Use these tips to increase your overall security and remember, your server is only as secure as your weakest password or point of authentication.

Follow these top 10 best practices for 2019 to better protect all of your information.

Continue reading “Top Ten 2019 Password Security Standards”

The Best Settings for Configuring FastCGI

Reading Time: 5 minutes

In our last tutorial, we showed you how to install Apache’s mod_fcgid and provided Linux scripts to assist in transitioning from mod_php. In this next section, we’ll be discussing how to configure a baseline setting for PHP optimization.

Continue reading “The Best Settings for Configuring FastCGI”

How to Install Mod Fcgid on cPanel’s EasyApache 4 with CloudLinux

Reading Time: 6 minutes

When it comes to PHP execution, mod_fcgid (also called FCGI) is one of the heavyweight contenders. There are a few rival handlers, like PHP-FPM or mod_lsapi, which come close to matching its execution speed, but they generally leave something to be desired when it comes to fine-tuning and resource consumption. FCGI is built for speed and includes a myriad of Apache directives that can be leveraged for resource regulation. This article will cover installing mod_fcgid followed by basic configuration in a separate article. The article applies to any cPanel servers running the following operating systems:
  • CloudLinux 6x/7x
The article will not cover EasyApache 3 (EA3). Due to the End-of-Life (EOL) status of EA3, it is imperative that any systems running EA3 upgrade to EA4 as soon as possible. To avoid conflicts, upgrading to EA4 should be handled as an entirely separate procedure from installing mod_fcgid. If you need assistance with upgrading from EA3 to EA4, please feel free to contact our support team. If you’re running a Liquid Web Fully Managed cPanel VPS server, our team will perform the entire upgrade procedure for you.

Expectations: Downtime & Performance

Downtime – Please plan ahead as this operation may cause downtime. While installing an Apache module and enabling a baseline configuration should only require an Apache restart, there may be unforeseen circumstances that require troubleshooting. This can lead to sites becoming unresponsive and/or slow.
Note:
Always plan for more downtime than expected and always have a reversion plan. Allot extra time for troubleshooting, testing, and reverting all changes if necessary.
Performance – While FCGI provides superior PHP execution time, it is not a blanket fix for performance. For server optimization, there will be an adjustment period for configuration tweaking. This period can take hours to weeks as it must account for the unique warnings with the specific server hardware, software, traffic habits, and many other unpredictable variables.
Note:
Optimization is an ongoing, perpetual process. There is no one-size-fits-all optimized configuration. Traffic and resource usage continually change over time on all servers. Periodic evaluation and configuration adjustment are necessary to stay ahead of the curve.

Installation of mod_fcgid

The following steps should be followed as close to the examples as possible. Things will vary slightly depending on CentOS/CloudLinux versions, and a few other factors. The article will denote the differences where they are expected.  

Step 1: Liquid Web Servers Only – Disable Mod_Zeus & Other EA3 Modules

Older Liquid Web cPanel servers that were upgraded from EasyApache 3 to EA4 may have residual configs on the system that can cause conflicts in the Apache configuration. This step will help make sure these older configs are disabled. These modules are stored in the /usr/local/lp/configs/httpd/conf.d/ directory. This directory is typically included from the /etc/apache2/conf.d/includes/post_virtualhost_global.conf config file. The following sed one-liner looks for and comments out the specific include statement in that file.

sed -i -e 's/^[[:space:]]*\(Include [/]usr[/]local[/]lp[/]configs[/]httpd[/]\)/#\1/' /etc/apache2/conf.d/includes/post_virtualhost_global.conf

To confirm the change, print the contents of the post_virtualhost_global.conf file using cat:

cat /etc/apache2/conf.d/includes/post_virtualhost_global.conf

The output should be blank or have a commented out inclusion line like below:

#Include /usr/local/lp/configs/httpd/conf.d/*.conf

Step 2: Disable Litespeed

FCGI is not compatible with Litespeed, which uses its mod_lsapi module to process PHP using lsphp. Disabling Litespeed in this way does not remove it from the server; it merely enables Apache as the default web server.

/usr/local/lsws/admin/misc/cp_switch_ws.sh apache

Step 3: Install mod_fcgid

The following yum command will install the necessary module:

yum install ea-apache24-mod_fcgid -y

Once completed, confirm Apache has the fcgid_module loaded:

httpd -M | grep 'expires\|version\|fcgid'

Example output:

fcgid_module (shared)

Step 4: CloudLinux Only – Configure CageFS Map for FCGI

The following snippet will create the necessary directories needed by mod_fcgid to execute correctly. It will then add those directory entries into the /etc/cagefs/cagefs.mp file, allowing user-level access to said directories from within their caged environment. Finally, it forces cagefs to remount all user directories for access to the new directory on all sites.

mkdir -p /var/run/mod_fcgid /usr/share/cagefs-skeleton/var/run/mod_fcgid /run/mod_fcgid
cp -p /etc/cagefs/cagefs.mp{,.lwbak.$(date +%F_%H%M%S)}
cat <<EOF>>/etc/cagefs/cagefs.mp
/var/run/mod_fcgid
/run/mod_fcgid
/usr/local/cpanel/cgi-sys/
EOF
cagefsctl -M

Step 5: [OPTIONAL] Remove Unnecessary Writable Permission

Due to security restrictions, any website files or directories with group-writable or other-writable permissions will be denied and a 500 Internal Server Error will be displayed. The following awk one-liner uses the find command to search all DocumentRoot directories configured on the server. It is advised to run this process in a screen session as it may take an hour or more depending on the size of the file system in question. The code takes care to use nice and ionice commands to run the process as a low priority so there will be minimal impact on server load or disk I/O. All changed files and their previous permissions are recorded in the /var/log/fixperms.log file.

Step 5a: Create & Attach to a Screen Session

screen -dmS fixperms; screen -x fixperms

Step 5b: Run the One-Liner

nice -n 15 ionice -c2 -n7 awk '/DocumentRoot/{DR[$NF]=$NF}END{for (e in DR) {x="find \""e"\" \\( -type f -or -type d \\) -and -perm /g+w,o+w -printf \"%M %y %m %p\\n\" -exec chmod g-w,o-w {} +"; while(x|getline) {print $0;print strftime("%F %T %Z"),$0 >> "/var/log/fixperms.log"} close(x)}}' /etc/apache2/conf/httpd.conf

Exit screen by holding CTRL/CMD then pressing A, then D.
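A reversion helper for Step 5, given here as an added example (it is not part of the original tutorial or of Liquid Web's tooling): it reads the log written by the one-liner and restores each path to the octal mode recorded before the chmod. The function name fixperms_restore and the log layout it parses (date, time, single-word timezone, symbolic mode, type, octal mode, path) are assumptions derived from the -printf and strftime formats in the one-liner.

```shell
#!/bin/sh
# Added example: undo the Step 5b chmod from the log it wrote.
# Assumed log line layout (one entry per changed path):
#   DATE TIME TZ SYMBOLIC_MODE TYPE OCTAL_MODE PATH
#
# fixperms_restore LOGFILE [--apply]
# Without --apply it only prints the chmod commands it would run.
# The last line of output is the number of entries restored (or restorable).
fixperms_restore() {
    log=$1; apply=${2:-}; count=0
    # read assigns everything after the sixth field to $path, so paths
    # that contain spaces are kept whole.
    while read -r d t z sym typ mode path; do
        # Accept only entries for files/directories with a sane octal mode.
        case $typ in f|d) ;; *) continue ;; esac
        case $mode in
            [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) ;;
            *) continue ;;
        esac
        # Only absolute paths, as produced by find on a DocumentRoot.
        case $path in /*) ;; *) continue ;; esac
        # Skip paths that were removed since, and never touch a symlink
        # that may have replaced the original file.
        [ -e "$path" ] && [ ! -L "$path" ] || continue
        if [ "$apply" = "--apply" ]; then
            chmod -- "$mode" "$path" || continue
        else
            printf 'chmod %s "%s"\n' "$mode" "$path"
        fi
        count=$((count + 1))
    done < "$log"
    echo "$count"
}
```

Run it first without --apply against /var/log/fixperms.log to review what would change, then again with --apply to revert.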

Step 6: [OPTIONAL] Disable mod_php Directives in .htaccess Files

Another common precaution to take when switching to FCGI concerns .htaccess files: any existing mod_php related directives inside them are not compatible with mod_fcgid and will cause the site to throw a 500 Internal Server Error. So, these entries need to be located and disabled or removed. The following awk one-liner checks all configured DocumentRoot directories for .htaccess files, and if a file contains a php_value or php_admin_value entry, it disables the entry by commenting the line out. First, an in-place backup is created of the original file. The backup is named .htaccess.bak.YYYY-MM-DD_HHMMSS. All changed files and their previous permissions are logged in the /var/log/fixhtaccess.log file.

Step 6a: Create & Attach to a Screen Session

screen -dmS fixhtaccess; screen -x fixhtaccess

Step 6b: Run the One-Liner

nice -n 15 ionice -c2 -n7 awk '/DocumentRoot/{DR[$NF]=$NF}END{for (e in DR) { x="find "e" -name .htaccess -exec grep -iEl \"^([^#]*php_(admin_)?value)\" {} +"; s="sed -i.bak.$(date +%F_%H%M%S) \047s/^\\([^#]*php_\\(admin_\\)\\?value\\)/#\\1/gi\047 2>&1"; while(x|getline) {print $0; print s,$0; print strftime("%F %T %Z"),s,$0 >> "/var/log/fixhtaccess.log"; while(s" "$0|getline y) { print y; print strftime("%F %T %Z"),y >> "/var/log/fixhtaccess.log" } close(s" "$0)} close(x)}}' /etc/apache2/conf/httpd.conf
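A read-only preview for Step 6, added here as an example that is not part of the original tutorial: it uses the same DocumentRoot discovery and the same php_value / php_admin_value pattern as the one-liner, but only reports the lines that would be commented out. The function names list_php_directives and count_affected_files are hypothetical, and like the one-liner it assumes DocumentRoot paths without spaces.

```shell
#!/bin/sh
# Added example: dry run for the Step 6b one-liner. Nothing is modified.
#
# list_php_directives HTTPD_CONF
# Prints "file:line:text" for every uncommented php_value or
# php_admin_value line in .htaccess files under each DocumentRoot.
list_php_directives() {
    conf=$1
    # Take the last field of each DocumentRoot line (as the one-liner does),
    # strip surrounding quotes, and drop duplicate roots.
    awk '/^[ \t]*DocumentRoot/ { gsub(/"/, "", $NF); print $NF }' "$conf" |
    sort -u |
    while IFS= read -r root; do
        # Skip roots that are configured but missing on disk.
        [ -d "$root" ] || continue
        # -H forces the file name even for a single file; grep exits 1
        # when nothing matches, which is not an error here.
        find "$root" -type f -name .htaccess -exec \
            grep -inEH '^[^#]*php_(admin_)?value' {} + || true
    done
}

# count_affected_files HTTPD_CONF
# Number of distinct .htaccess files the one-liner would rewrite.
# Assumes file paths do not contain ':'.
count_affected_files() {
    list_php_directives "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}
```

Point both functions at /etc/apache2/conf/httpd.conf before running Step 6b, and compare the file count with the entries that later appear in /var/log/fixhtaccess.log.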

Step 7: Rebuild the Apache Config (Troubleshoot Any Errors)

The following command checks the system httpd.conf file for syntax errors and, if none are found, runs the cPanel httpd.conf rebuild script. Fix any syntax errors until a clean rebuild is completed without error.

httpd -t && /scripts/rebuildhttpdconf

Step 8: CloudLinux ONLY – Setup PHP Selector

The PHP Selector feature of CloudLinux is only compatible with the inherit PHP versions in the cPanel MultiPHP Manager interface. All sites should be using the inherited version of PHP or PHP Selector will not function for that site. This only applies to CloudLinux servers.

Step 8a: Force All Sites to Use Inherited Version of PHP in MultiPHP Selector

The following command uses cPanel’s whmapi1 system to force all sites onto the inherited version of PHP in MultiPHP Manager.

/usr/sbin/whmapi1 php_get_vhost_versions | awk  -F'[: ]+' '$2~/vhost/{x="/usr/sbin/whmapi1 php_set_vhost_versions version=inherit vhost-0="$3;print x;system(x);close(x)}'

Step 8b: Disable MultiPHP Manager & MultiPHP INI Editor

The following uses the cPanel whmapi1 system to add MultiPHP Manager/INI Editor to the disabled features list.

/usr/sbin/whmapi1 update_featurelist featurelist=disabled multiphp=1 multiphp_ini_editor=1 ; /usr/sbin/whmapi1 update_featurelist featurelist=disabled multiphp_ini_editor=1

Step 9: Switch All PHP Handlers over to FCGI

The following will convert all installed PHP Handlers to using FCGI. These handlers are viewable through the Handlers tab of WHM’s MultiPHP Manager interface or by running the cPanel rebuild_phpconf script.

/usr/local/cpanel/bin/rebuild_phpconf --current | awk 'NR>1{x="/usr/local/cpanel/bin/rebuild_phpconf --"$1"=fcgi"; print x; system(x); close(x)}'

To confirm the changes, run:

/usr/local/cpanel/bin/rebuild_phpconf --current

Example Output:

DEFAULT PHP: ea-php71
ea-php54 SAPI: fcgi
ea-php55 SAPI: fcgi
ea-php56 SAPI: fcgi
ea-php70 SAPI: fcgi
ea-php71 SAPI: fcgi
ea-php72 SAPI: fcgi

Step 10: Perform a Full Stop & Restart of Apache

The following script will stop Apache (gracefully if possible), and kill any unresponsive Apache & PHP processes before starting the Apache service again. It will also verify the Apache configuration syntax and will only perform the restart procedure if the syntax returns ok. This technique is handy as it is common for Apache processes to get stuck from time to time on busy servers. This snippet deals with those scenarios after performing the humane stop request first.

httpd -t && (/scripts/restartsrv_apache stop; sleep 3; killall httpd php lsphp php-cgi; sleep 3; killall -9 httpd php lsphp php-cgi; /scripts/restartsrv_apache start) || echo Fix Apache Config and try again.

Note:
Toss this snippet into an alias called apache_rescue which you can add to your ~/.bashrc for easy access to this code. Below is a one-liner that will create this alias for you and load the modified profile in your current session. Once this alias is installed, it will always be available on that server by typing apache_rescue.

cat <<'EOF'>>~/.bashrc && source ~/.bashrc
alias apache_rescue='httpd -t && (/scripts/restartsrv_apache stop; sleep 3; killall httpd php lsphp php-cgi; sleep 3; killall -9 httpd php lsphp php-cgi; /scripts/restartsrv_apache start) || echo Fix Apache Config and try again.'
EOF

This concludes our process for installing mod_fcgid onto your cPanel system.  It’s recommended to adjust FCGI settings from their default settings. Tune into our next tutorial where we’ll be advising on how to optimize FCGI for various environments.

Troubleshooting: Locked Out of RDP

Reading Time: 4 minutes

How Do I Get Back Into RDP?

You may be working from a local machine that has an IP that is not scoped on that RDP port, making it impossible for you to gain remote access to add the IP address to the RDP rule’s scope. Do not fret; there is a simple and quick way to add your IP to the RDP scoping (or any other entities such as MySQL or MSSQL) right through your Plesk interface in your local browser. You can watch this video, or scroll down for step-by-step directions.

For security purposes, it is always recommended that you scope off your Remote Desktop Protocol (RDP) connection on your server. Putting a scope on the RDP rule in the Windows Firewall will allow only the indicated  IP addresses to gain access to the server through Remote Desktop Protocol. The issue is that many of us do not have static IP addresses, but rather Dynamic IP addresses. This means that while once our IP address may be 120.32.111.01, it may change to something like 95.42.121.01 later. So if you were to add 120.32.111.01 to the RDP firewall for a customer or a system administrator, then you may need to add another rule for a different IP address.

Adding Your IP in Plesk

Step 1: Log in to Plesk

First, we need to make sure we know how to get to that Plesk login page. By default, the Plesk login page is https://<YourServerIP>:8443. For example, https://127.0.0.1:8443

We should arrive at a page with this in the center. Go ahead and type in Admin for the username and your password for Plesk. Usually, that password is set up by our team and is the default Server Administrator Password. Sometimes the username is Administrator, depending on a few variables. But one of the two user names should be fine.

Step 2: Tools & Settings

The first thing we need to do after we log into Plesk through the previous page is to navigate to the Firewall Rules. Go ahead and click on Tools & Settings. It will be located in the right sidebar near the bottom as shown below.

Step 3: Firewall

Once we pull up Tools & Settings go ahead and click on our destination, Firewall. You will find that option under the Security section. It will be the second option, just under Security Policy.

Step 4: Firewall Rules

After we are in the Firewall management, go ahead and click on Firewall Rules. This is where we will add the rule to allow a certain IP address to gain RDP access.

Step 5: Add a Firewall Rule

Under Tools, after going into the Firewall Rules, we will see the option labeled Add Firewall Rule. Go ahead and click on that, bringing us to our next step.

Step 6: Add Details to the New Rule

This is the page that we see after clicking on Add Firewall Rule. It can seem to be complicated and intimidating for some beginner level System Administrators, but it is simple.

If you or your client are not sure which IP address needs RDP access, Liquid Web has a great site to visit that will display your IP address.

Note:

Here is an example of what you will find at https://ip.liquidweb.com.

While this particular example IP will not be the one that the customer or the System Administrator will see, (when visited on the local machine) the page will display the IP address that needs to be added to the rule for this RDP session to connect. That will be the only information that will be displayed on this page. Simply copy that IP address and use it in the instructions below.
Once you enter the IP address into the text box under Remote addresses, you do need to click the ADD button before clicking on OK.

As mentioned above, after clicking the ADD button while the IP address is entered into the Add an IP address or a network text box, it will be placed into the left text box. After that step, you will then be able to click OK to apply this rule to the firewall for the server.

 

Step 7: Connect to RDP

The individual at that IP address can now access the server via RDP. If you would like to review an article explaining how to use Remote Desktop Connection, or if you need further assistance, you can locate more info at our internal help center after logging into your Liquid Web account.

Congratulations! You now know how to add an IP address to an RDP rule that will allow a user to connect if the RDP is scoped off to the public. This can be done many times. Plesk does not allow you to edit the rule, so you will have to create a new one each time, but this shouldn’t cause any issues. Also, keep in mind that this method can be used for any port, including MySQL and MSSQL.

The Most Helpful Humans In Hosting™

We pride ourselves on being The Most Helpful Humans In Hosting™! Our support staff is always available to assist with any Dedicated, Cloud, or VPS server issues 24 hours a day, 7 days a week 365 days a year.

We are available, via our ticketing systems at support@liquidweb.com, by phone (at 800-580-4986) or via a LiveChat for whatever method you prefer. We work hard for you so you can relax.

WordPress GDPR Plugin Exploit – All You Need To Know

Reading Time: 2 minutes

As of November 9, 2018, the WP GDPR Compliance plugin has been exploited by hackers. This plugin aids e-commerce site owners in compliance with European privacy standards. Since the very nature of GDPR is to protect the personal data and privacy of EU citizens, it should be tended to as soon as possible to avoid a costly cleanup. WP GDPR Compliance is also known for working in conjunction with many forms including Contact Form 7, Gravity Forms, and WordPress Comments.

Continue reading “WordPress GDPR Plugin Exploit – All You Need To Know”