Updating DNS Records and DNS Propagation Time

The most essential concept to understand in web hosting is the Domain Name System. At its most basic level, DNS determines whether a visitor to your site sees the actual site, or a “Server not found” error. Like a telephone book, DNS matches names (your domain name) to numbers (IP addresses).

If your browser returns a “Server not found” error when visiting a new subdomain or a site you’ve recently created (or moved here), it’s likely that a DNS record has either not yet been created or has not yet had sufficient time to propagate.

When you add a new subdomain, such as store.yourdomainname.com or blog.yourdomainname.com, it’s important to ensure that you have added the appropriate DNS record for the site to resolve. In this case, you would need to add a CNAME for “store” or “blog” to the DNS record for yourdomainname.com.

If you are using Liquid Web nameservers, you can add a record for the new subdomain in your Manage interface by clicking on Domains in the left menu and then selecting the DNS tab. The record for a new subdomain would be entered in the main domain’s zone file.

Likewise, if you have set up a new domain name and have chosen to use Liquid Web nameservers at the registrar, you’ll want to ensure that a DNS zone has been created for the new domain in your Manage dashboard (under Domains on the DNS tab) and that a DNS “A” record is present and pointing the site to its assigned IP on your server.

If all the DNS records are in place and the site is still unreachable, it’s possible that the DNS changes are still propagating. Typically only a few hours are needed for this, but it can take 24 to 48 hours for a DNS change to fully propagate globally. Note that this applies any time a change is made to a DNS record: whether you are adding a new record or changing the value of an existing one, it can take up to 24 to 48 hours before the change is visible worldwide.

One external tool that you can use to confirm the presence of DNS records and track DNS record propagation is What’s My DNS.

As always, a Heroic Support® technician will be happy to help should you need any assistance.

A Closer Look at cPanel Notifications

In recent updates, cPanel has modified some of the notification settings for its control panel. As a result, you may find that the priority of certain notification types has changed, and you may begin to receive notifications that you previously had not encountered. In particular, the notification options for Security Advisor changed with the release of WHM 56 on April 26, 2016.

The notification changes by cPanel are meant to both help users better manage their servers and also keep them informed of potential security risks, such as those posed by outdated software versions which no longer receive updates.

With some exceptions, many of the notifications are purely informational and not necessarily a cause for alarm. Here are the most common notifications followed up on via support requests:

‘New security advisor notifications with high importance’

WHM’s Security Advisor routinely performs a security scan on the server and alerts you to items it considers potential security risks. For each item flagged, the cPanel notification will clearly explain how to resolve the issue at your convenience. It’s important to note that while some recommendations, such as enabling SMTP Restrictions, enabling Brute Force Protection, and increasing Password Strength Requirements, are worthy of attention in nearly all cases, other recommendations may not be appropriate for your situation. For example, you may prefer not to disable root SSH access or SSH password authentication (and should not unless you have set up and tested SSH keys to connect to your server). To learn more about specific messages, visit our article on cPanel Security Advisor Notices. If you need guidance, feel free to contact Heroic Support®.

‘Your SSL Certificate is now available for download and installation’

Beginning with WHM version 56, cPanel now includes a free signed SSL certificate to cover the hostname (and only the hostname) of the server on which it runs. This feature eliminates warnings and notices associated with using self-signed SSL certificates and protects all connections to server services, such as email and ftp, and is automatically installed and renewed when possible. In order for the automatic installation to occur, however, the server’s hostname must resolve in a browser (that is, it must have a DNS record). Additionally, if you already have purchased an SSL to cover your hostname (either a dedicated SSL or a wildcard) cPanel will not attempt to overwrite it. Only self-signed SSLs installed on the server services (cPanel/WHM, FTP, SMTP, and the Mailserver) will be overwritten. Only if you have a purchased SSL installed on the hostname, and allow it to expire, will cPanel replace it. In any case, no action should be required on your part unless automated installation fails. In that event, you may contact Heroic Support® for assistance.

‘The system will automatically switch the mail server from Courier to Dovecot … in order to continue receiving updates.’

In cPanel/WHM versions up to 11.52, users were able to choose between two mail servers: Courier and Dovecot. Courier was selected by default, and most cPanel users never had reason to switch. However, beginning with cPanel/WHM version 54, Courier has been deprecated. cPanel will no longer support Courier in future releases, and the control panel cannot be updated until the mail server is switched.

If you want to switch the mail server yourself, you can follow our guide. Should you prefer not to switch to Dovecot and would like to continue to use Courier, you will need to change your cPanel update preferences and select the LTS (long-term support) release tier. cPanel will continue to send daily emails until one of these two actions has been taken. If you do not take any action, cPanel will automatically switch the mail server at the time indicated in the email.

‘The server has POP3 before SMTP enabled’

This means that SMTP authentication is not being strictly enforced on the server. Effectively, any user who has successfully logged in to receive mail is treated as authenticated to also send mail from the same IP address for an hour after their successful incoming login.

The important thing to note is that it allows the IP address from which a successful email login was made to access the SMTP server, not just the specific user or device from which the successful login was made. In a modern home or office environment, a single public IP address typically is shared by many devices on that network. That’s also the case when you’re connected to a public wireless network, such as at a local coffee shop or shopping center.

With POP Before SMTP (also referred to as POP3 Before SMTP) enabled, it’s possible that a malicious user or compromised device connected to the same network — regardless of how well-secured your personal computer, workstation or mobile device may be — could relay mail through your server. Mitigating that potential security risk would be the primary reason for disabling POP Before SMTP on your server.
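
The difference between the two relay rules can be seen in a small model. This is an added example, not code from cPanel or the original article; the RelayPolicy class, the event tuples and the addresses in EVENTS are constructed for illustration, and the sender comparison is only a review heuristic.

```python
RELAY_WINDOW = 3600  # seconds: "an hour after their successful incoming login"


class RelayPolicy:
    """Toy model of a mail server's relay decision (hypothetical, not Exim/cPanel code)."""

    def __init__(self, pop_before_smtp, window=RELAY_WINDOW):
        self.pop_before_smtp = pop_before_smtp
        self.window = window
        self.logins = {}  # source IP -> {account: time of last successful login}

    def record_login(self, ip, account, now):
        self.logins.setdefault(ip, {})[account] = now

    def recent_accounts(self, ip, now):
        """Accounts that logged in from this IP within the relay window."""
        seen = self.logins.get(ip, {})
        return {acct for acct, t in seen.items() if now - t <= self.window}

    def decide(self, ip, now, smtp_auth_user=None):
        # SMTP AUTH identifies the session itself; the IP rule identifies
        # only the network the session came from.
        if smtp_auth_user is not None:
            return "smtp-auth"
        if self.pop_before_smtp and self.recent_accounts(ip, now):
            return "ip-window"
        return "rejected"


# Constructed events: (time in seconds, kind, source IP, account or sender, SMTP AUTH user)
EVENTS = [
    (0,    "login", "203.0.113.10", "alice@example.com",       None),
    (120,  "smtp",  "203.0.113.10", "alice@example.com",       None),  # Alice's client, AUTH not configured
    (600,  "smtp",  "203.0.113.10", "promo@elsewhere.example", None),  # another device behind the same public IP
    (900,  "smtp",  "198.51.100.7", "bob@example.com",         "bob@example.com"),
    (1000, "smtp",  "198.51.100.7", "x@elsewhere.example",     None),  # no login, no AUTH
    (4000, "smtp",  "203.0.113.10", "alice@example.com",       None),  # more than an hour after the login
]


def replay(events, pop_before_smtp):
    """Return (decisions, review) for the event stream under one policy.

    review lists messages accepted purely on the IP rule whose sender is not
    an account that logged in from that IP. Senders are client-supplied, so
    this only surfaces the obvious cases for a human to look at.
    """
    policy = RelayPolicy(pop_before_smtp)
    decisions, review = [], []
    for now, kind, ip, who, auth_user in sorted(events, key=lambda e: e[0]):
        if kind == "login":
            policy.record_login(ip, who, now)
            continue
        decision = policy.decide(ip, now, auth_user)
        decisions.append((now, decision))
        if decision == "ip-window" and who not in policy.recent_accounts(ip, now):
            review.append((now, ip, who))
    return decisions, review


if __name__ == "__main__":
    for enabled in (True, False):
        decisions, review = replay(EVENTS, enabled)
        print("POP before SMTP enabled:", enabled)
        for when, decision in decisions:
            print(f"  t={when:>4}s  {decision}")
        print("  for review:", review)
```

With the setting enabled, the message at t=600 is relayed even though no account on that device ever authenticated; with it disabled, only the session that used SMTP authentication is accepted.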

However, you should be aware that disabling POP Before SMTP means that any email account would be required to use SMTP authentication, and that would need to be configured in each individual mail client used with each email account in order for the account to be able to send mail.

While all modern mail clients such as recent versions of Outlook, Mac Mail and Thunderbird and any recent smartphone have that ability, the setting may not be enabled by default. If that’s the case, the account configuration would need to be adjusted in the email client.

For assistance configuring email clients, see How To Set Up Any Email Client.

‘The server has unmonitored services’/’The service has failed’

Through its ChkServd service, cPanel is able to monitor enabled services and automatically restart them when necessary. This is separate from, and unrelated to, Sonar Monitoring services which you can configure in your Manage dashboard.

While this is not a new capability, cPanel recently began notifying users of it, along with a list of any enabled cPanel services which were not configured already for monitoring. It is recommended, though completely optional, to enable monitoring for all active cPanel services to improve stability and ensure that services can be recovered as quickly as possible. You can enable monitoring in WebHost Manager at Service Manager, under the Service Configuration section in the left menu.

One thing to keep in mind is that cPanel will alert you to any service it has found to be down and automatically restarted via ChkServd, even if the service intentionally was stopped, such as during an update or a required restart of another service upon which it is dependent.

What that means is that you should not immediately assume the worst any time you receive a “Service Failed” or “Service Recovered” alert from cPanel. If you receive only a single notification of a service restarted, and not multiple alerts for the same service over an extended period of time, there generally is no cause for concern. However, should you receive multiple such alerts for a service, or should the alert indicate that the service could not automatically be restarted, please do not hesitate to contact us so that we may investigate.

‘Altered RPMs found’

While the message subject can sound somewhat ominous, it should not automatically be cause for alarm. Typically this message is generated when cPanel performs an update check and discovers that local files are out of date, have become corrupted or have been updated outside of cPanel. Occasionally, it also can occur when both the 32- and 64-bit versions of a service have been installed.

This message will contain the filename of the package it found to be incomplete, corrupted or otherwise broken; running the command referenced in the message (/usr/local/cpanel/scripts/check_cpanel_rpms --fix) should result in it re-downloading the file successfully.

Please note that anytime updates are pushed to your server outside of cPanel, for example when an important security patch is applied to multiple servers simultaneously, this notice also can be triggered. The issue can be easily rectified by updating cPanel’s operating system packages, which support is happy to help with if you’re unable to run the command specified in the cPanel notification.

‘The cPanel & WHM update process failed’

WebHost Manager/cPanel by default checks for updates to its control panel each day. Due to the number of servers running cPanel, there can be times when too many servers are checking in with cPanel’s update server simultaneously, causing the request to time out. And occasionally, the cPanel update server itself may be unreachable.

Whenever that happens, cPanel will alert you and automatically try again the next day. You can, however, manually force it to check for updates (and automatically install the update, if one is available) should you prefer not to wait.

You can find instructions for manually updating cPanel at How To Upgrade and Patch cPanel and WHM.

Should a manual update also fail, or should you receive consecutive update failure messages, please do not hesitate to contact our Heroic Support® team.

‘System integrity checking detected a modified system file’

The default notification preferences beginning in WHM/cPanel version 54 can cause this notification to be sent immediately following an update to cPanel/WHM itself.

This notification may alert you to “FAILED” md5sum comparison tests on any server software (and usually on several components at a time), but should not immediately be cause for alarm.

The server message is triggered any time a core file is changed, and makes it clear that it may be the result of an OS update or application upgrade. If you have automatic updates enabled in WHM, have manually updated cPanel/WHM, or have requested that it be updated for you, then you can safely ignore this message. If you don’t have automatic updates enabled and have not recently updated cPanel, please do not hesitate to contact our Heroic Support® team.

Disabling cPanel Notifications or Changing Alert Settings

You can configure settings for all the cPanel alerts you receive in WHM under Contact Manager in the Server Contacts section of the left menu.

The first tab, Communication Type, allows you to set the alert level that will trigger a notification to each of the communication methods: AIM, email, ICQ, Post to a URL, Pushbullet, or SMS.

The second tab, Notifications, allows you to set the minimum priority for each type of event, such as Service failures (ChkServd), Unmonitored Services, or Backup Successful, which will trigger a notification. You also can disable notifications for each event type using the dropdown menu under the Importance category.

Is the Server Down? I Can’t Log in or Connect

Are you unable to connect to your cPanel server to send or receive email, log into cPanel or WHM, or make an FTP or SSH connection?

Are you able to view your website in your browser? If not, and the connection simply times out, it’s possible that your IP address has been blocked by the server’s firewall. Typically, this is the result of too many failed logins (through cPanel, SSH, FTP, email, etc.) in too short a period of time.

To confirm whether that may be the case, you can test your site via a web service such as Down For Everyone Or Just Me (enter the URL of your website into the search field on the page) to see whether the site appears down for everyone else, or try to visit your website via another network, such as from a phone or tablet over its cellular connection after disabling wifi on the device.

If an IP block is suspected, it can easily be removed. If you have a Dedicated, Storm, or VPS server, and your server is running the CSF firewall, you can unblock the IP address directly from your Manage dashboard. If not, we can log into the server on your behalf, search the firewall for your IP address, and unblock it. Similarly if you’re able to confirm that your IP is not blocked, we can search the server logs for any specific errors associated with your connection attempt, or investigate any possible network issues between your physical location and the server’s that could be preventing you from accessing it.

To speed up that process, when opening a ticket, calling, or chatting in with your support request, please try to include your public IPv4 address (which you can obtain here) so that a support technician can help resolve the issue as quickly as possible. Please also include any error messages displayed in your browser (or email, FTP or SSH client) when attempting to connect.

Most Common Support Requests

As you might expect, most support requests on managed cPanel servers fall into a few basic categories. What you might be surprised to discover is that many common problems can be resolved by following a few simple steps.

None of the common cPanel support requests listed here are server-critical issues that require an experienced system administrator to troubleshoot and resolve, and we recognize that many of our customers are curious about their servers and actively engaged in learning more about cPanel server administration.

To that end, we’ve gathered together some of our Most Common Support Requests, and we’re sharing them with you here — along with their solutions.

Should you find yourself experiencing one of these common issues, you’ll know exactly what to expect when contacting our Heroic Support® team. And while you certainly are welcome to try to resolve the issue yourself, remember that we are here to assist you 24 hours a day, seven days a week, 365 days a year.

These articles should hold the answers to a number of common questions and, if you are so inclined, provide you with the tools and resources to resolve some non-critical issues on your own. And should you ever find yourself in need of assistance with any issue, please do not hesitate to contact Heroic Support®.

How to Open a Port in CSF with WHM/cPanel

The Config Server Firewall offers several advantages over the Advanced Policy Firewall, including more robust protection against Denial of Service, SYN flood and other common attacks.

But one of its most appealing features is its plugin for WebHost Manager that allows you to quickly access firewall settings and common tasks through a graphical interface.

Pre-Flight Check

  • These instructions are intended specifically for opening (and closing) ports in the CSF firewall via WHM.
  • If you want to open or close a port in APF or CSF from the command line over SSH, see http://www.liquidweb.com/kb/opening-ports-in-your-firewall/.
  • If your server currently uses APF but you’d prefer CSF, contact Heroic Support® and request a switch. There is no charge, it typically takes only a few minutes, and the only service that needs to be restarted as a result is the firewall itself. Our support technicians also can port your existing APF rules to CSF. If requesting an upgrade, please be sure to indicate whether your server uses the Guardian backup service so that its rules also can be configured.

Step #1: Open the Firewall Management Page

  1. Once logged in to WHM, you will find the CSF interface under the Plugins section in the left menu.
  2. Click on ConfigServer Security&Firewall or begin typing “firewall” into WHM’s search box at the top left to quickly locate the link.

Step #2: Open Firewall Settings

  1. On the ConfigServer Security & Firewall page, click the Firewall Configuration button to enter advanced settings.

Step #3: Manage Ports

    1. On the Firewall Configuration screen, scroll down to the IPv4 Port Settings section.
    2. You will be editing the fields in the Allow incoming TCP ports and Allow outgoing TCP ports sections.

    • To allow incoming connections to a port, add the number to the TCP_IN = field.
    • To block incoming connections to a port, remove the port number from the TCP_IN = field.
    • To allow outgoing connections from a port, add the port number to the TCP_OUT = field.
    • To block outgoing connections from a port, remove the port number from the TCP_OUT = field.

Step #4: Save Changes and Restart the Firewall

  1. Scroll all the way to the bottom of the Firewall Configuration page and click the Change button to save the settings.
  2. After saving the settings, you will be given the option of restarting the firewall or returning to the settings page to continue editing. Since your changes will not take effect until the firewall is restarted, you will need to click the Restart csf+lfd button to apply the new settings.
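
Before clicking Restart csf+lfd, it can help to confirm exactly which ports an edit opened or closed. The following added example (not part of the original article or of CSF itself) compares two copies of the configuration text; it assumes the fields are stored as KEY = "comma,separated,list" lines with low:high for port ranges, and both sample configurations are constructed.

```python
import re

# Matches only active TCP_IN / TCP_OUT lines; commented-out lines and
# other keys such as TCP6_IN are ignored.
SETTING = re.compile(r'^[ \t]*(TCP_IN|TCP_OUT)[ \t]*=[ \t]*"([^"]*)"', re.M)


def parse_ports(value):
    """Turn '22,80,30000:30005' into a list of (low, high) spans."""
    spans = []
    for item in (part.strip() for part in value.split(",")):
        if not item:
            continue
        low, _, high = item.partition(":")
        lo, hi = int(low), int(high or low)  # ValueError on non-numeric input
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port out of range: {item!r}")
        spans.append((lo, hi))
    return spans


def port_settings(conf_text):
    """Return {'TCP_IN': [...spans...], 'TCP_OUT': [...spans...]}."""
    return {key: parse_ports(value) for key, value in SETTING.findall(conf_text)}


def allows(spans, port):
    return any(lo <= port <= hi for lo, hi in spans)


def expand(spans):
    return {p for lo, hi in spans for p in range(lo, hi + 1)}


def change_summary(before_text, after_text):
    """List the ports opened and closed by an edit, per direction."""
    before, after = port_settings(before_text), port_settings(after_text)
    summary = {}
    for key in ("TCP_IN", "TCP_OUT"):
        old, new = expand(before.get(key, [])), expand(after.get(key, []))
        summary[key] = {"opened": sorted(new - old), "closed": sorted(old - new)}
    return summary


# Constructed sample values, not a real server's configuration.
BEFORE = '''
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,30000:30005"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
# TCP_IN = "1:65535"
TCP6_IN = "80,443"
'''

AFTER = '''
TCP_IN = "20,22,25,53,80,110,143,443,465,587,993,995,8443,30000:30003"
TCP_OUT = "20,21,22,25,53,80,110,443,587,993,995"
# TCP_IN = "1:65535"
TCP6_IN = "80,443"
'''

if __name__ == "__main__":
    for direction, change in change_summary(BEFORE, AFTER).items():
        print(direction, "opened:", change["opened"], "closed:", change["closed"])
```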

Tip: Also Check Storm® Firewall Settings

Storm® Dedicated and VPS customers also have access to a separate Storm® Firewall.

If you are using the Storm® Firewall and have configured it to use advanced settings, you will want to ensure that the ports you’ve changed in WHM also are changed there.

  1. You can access your Storm® Firewall settings from Manage. After clicking on your server name, navigate to the Network section and select the Firewall tab.
  2. If it’s active and using advanced settings, you will need to replicate your port rule in the Storm® Firewall interface to ensure traffic can reach the port.
  3. Find more information and detailed instructions for managing the Storm® Firewall at How to Configure a Storm Firewall.

Find Detailed Information in Our Knowledge Base

To learn how to unblock an IP address via the command line, visit:

How to Manage the CSF Firewall in WHM/cPanel

Should you discover (or suspect) that a client or customer’s IP address has been blocked in the firewall, or you just need to open (or close) a port on your cPanel server, you may be able to quickly resolve the issue yourself if you have access to WebHost Manager and the ConfigServer Firewall (CSF).

If your server is using CSF, you will find its interface listed in WHM as ConfigServer Security&Firewall under the Plugins section in the left menu. You also can begin typing “firewall” into the search box at the top left to narrow down the choices.

Note: Should you find no such listing in WHM, feel free to request an upgrade from the APF firewall when contacting support. There is no charge, it typically takes only a few minutes and the only service that needs to be restarted as a result is the firewall itself. Our support technicians also can port your existing APF rules to CSF. If requesting an upgrade, please be sure to indicate whether your server uses the Guardian backup service so that its rules also can be configured.

Unblocking an IP Address in CSF

To determine whether an IP address is blocked, you can use the Search for IP button on the ConfigServer Security&Firewall page. Simply enter the IP address into the search field and click the button.

If the IP address is blocked, the reason for the block will be listed and an unlocked padlock icon will appear to the right of the blocked IP address. Clicking the padlock icon will unblock the IP in the firewall.

Allowing (Whitelisting) an IP Address

It is important to note that there are two components to the csf firewall, the firewall itself and the Login Failure Daemon (lfd).

To whitelist an IP address in the firewall (csf.allow), you can enter the IP address into the Quick Allow section, along with an optional comment for the allow (such as “Office network”), and click the Quick Allow button.

When an IP address is whitelisted in CSF, it still can become blocked by lfd for abusive behavior such as multiple failed logins or repeated violation of certain modsecurity rules. This helps to mitigate the sort of brute-force attacks that could occur should a computer or device on the same network as a whitelisted IP address become compromised or infected with malware.

It is recommended to whitelist IPs only as necessary and, for a long-term solution, focus on resolving the issue which led to the block (such as incorrect login credentials). However, as a temporary measure while troubleshooting or otherwise working to correct the underlying issue, you can prevent an IP address from being blocked by lfd by adding it to the ignore list (csf.ignore).

That can be done using the Quick Ignore button on the ConfigServer Security&Firewall page.

Blocked IP? Don’t Forget to Check cPHulk

WebHost Manager also includes the cPHulk Brute Force Protection module which, like the Login Failure Daemon component of the ConfigServer firewall, can block IP addresses (independently of the firewall) when they have repeated failed login attempts.

If you’re trying to unblock an IP address but no block is to be found in the firewall, you will want to check cPHulk as well. In WHM, you’ll find cPHulk Brute Force Protection listed under the Security Center section of the left menu.

On cPHulk’s History Reports tab, you can search for failed logins, blocked users, blocked IP addresses, or one-day blocks.

Removing a block is as easy as clicking the Remove Blocks and Clear Reports button.

You also can whitelist IP addresses, with an optional comment, under the Whitelist Management tab.

Please be aware that whitelisting an IP address here means that the IP address always will be able to attempt to log into the server. That could potentially present a security risk in the event that a computer or device on the same local network as the whitelisted IP becomes compromised or infected and uses brute force to try to gain protected access. For this reason, IP address whitelisting in cPHulk should be used sparingly and with caution.

Opening and Closing Ports in the Firewall

On the ConfigServer Security & Firewall page in WebHost Manager, click on the Firewall Configuration button to enter advanced settings.

On the Firewall Configuration screen, scroll down to the IPv4 Port Settings section, and locate the Allow incoming TCP ports and Allow outgoing TCP ports sections.

You will need to add the necessary port to the appropriate list (or remove a listed port to block it), then scroll all the way to the bottom of the page and click the Change button to save your settings and restart the firewall.

Port Still Unreachable? Check Your Storm® Firewall

If you have a Storm® server, you have access to an additional firewall which can be accessed via your Manage interface by clicking on your server’s dashboard.

You’ll find your Storm® Firewall settings under the Network section, on the Firewall tab. If you’ve enabled it with advanced settings, you will want to ensure you’ve opened the port there as well.

To open a port when using the Advanced Firewall Configuration, click the Add Rule link, give it a Label and set the Destination Port, Protocol, and Action, then click the green button.

Repeat for any additional ports you’re opening (or closing) and then click the Apply Firewall Settings button to apply the settings and restart the firewall.


Error: Login without a password is forbidden by configuration (see AllowNoPassword) [SOLVED]

This error relates to logging into phpMyAdmin, an open source tool used for the administration of MySQL.

Once in a while, perhaps on a development server, MySQL won’t be set up with a root password. That configuration is generally considered to be against best practices; however, if it is what you’re dealing with, it can also interfere with phpMyAdmin.

Pre-Flight Check

  • These instructions are intended specifically for solving the error: Login without a password is forbidden by configuration (see AllowNoPassword).
  • I’ll be working from a Liquid Web Self Managed Ubuntu 15.04 server, and I’ll be logged in as root.

The Error

The error will read “Login without a password is forbidden by configuration (see AllowNoPassword)” as shown below.

Error: 500 OOPS: vsftpd: refusing to run with writable root inside chroot() [SOLVED]

Pre-Flight Check
  • These instructions are intended specifically for solving the error: 500 OOPS: vsftpd: refusing to run with writable root inside chroot().
  • I’ll be working from a Liquid Web Self Managed Fedora 20 server, and I’ll be logged in as root.
