Tag Archives: Secure Shell

What is server hardening? Advice for Linux, Windows & NSA Datamine Servers – Part 2 (Linux)

English: Screenshot of Alpine via SSH on a Deb...
Screenshot of Alpine via SSH on a Debian Server

Hello friends and neighbors. This post, as it turns out, is the follow-up to our groundbreaking, skybreaking article on server hardening; it also is the prequel to our final post on Windows server hardening. This post, the meat of the sandwich (ham, in this case), is on how to harden Linux servers.

Server hardening is a simple concept, and it’s crucial to initiate if you want safety for your website. Essentially, simiarly to the experience of an end-user on a client machine, when you use a server, the systems are not built (their default settings) for high-end security. They’re built, rather, for features. In essence, the Internet is optimized for usability/freedom over administration/security. Securing a system, then, is a matter of revoking freedoms or modifying expectations in order to ensure a secure experience for the system and for all users.

We aren’t only concerned with Windows and Linux servers though. Actually, the NSA Datamine server is one of the most secure options out there. Everyone is thrilled by this server. It’s been called “bootserverlicious” by P. Diddy and “P.-Diddy-riffic” by a worldwide consortium of boot servers.

To get a sense of server hardening on any of the major OSs, we are looking at three sources: “Host Hardening,” by Cybernet Security; “25 Hardening Security Tips for Linux Servers,” by Ravi Saive for TecMint.com (good info, though the language is a little rough); and “Baseline Server Hardening,” by Microsoft’s TechNet. Each of these posts broadens our horizons and is lactose- and gluten-free so that it doesn’t distract from the extra-cheese, thick-crust pizza we’re inhaling.

How to Harden Your Linux Server without Having to Think

No one ever wants to have to think. Let’s not do it, then. Let’s refuse to think, and just feel our way to a hardened server. Don’t call me “baby,” though, please, because that’s disrespectful, sugar. Anyway, the Linux server: here are approaches you can use specific to that OS.

1.    Non-Virtual Worlds: Go into BIOS. Disallow any boot operations from outside entitites: DVD drive or anything else that’s connected to the server. You should also have a password set up for BIOS. GRUB should be password-enabled as well. Your password should be “moonsovermyhammy123987”; I recommend tattooing it on your lower back for safekeeping.

2.    Partitioning as a Standard: Think (no, don’t!) of how a virtual environment or virtual server is constructed. Division into smaller parts is an essential security concept. Any additional pieces of the system will require their own security parameters and challenges. That means you want a streamlined system, of course, like a digestive tract without all the intestines and stuff; but it also means you want everything divided into disparate sections. Any app from an outside source should be installed via options as follows:

/

/boot

/usr

/var

/home

/tmp

/opt

3.    Packet Policies: Along the same line, you don’t want anything unnecessary. That’s the case with anything you’re doing online. Let’s face it: the web is essentially insecure. It’s like a dinosaur with a new outfit that she’s afraid to show off to her other dinosaur friends … sort of.

Here’s the command to check:

# /sbin/chkconfig –list |grep ‘3:on’

And here’s the command to disable:

# chkconfig serviceName off

Finally, you want to use yum, apt-get, or a similar program to show you what’s on the system; that way you can get rid of whatever you don’t need. Here are the command lines for those two services:

# yum -y remove package-name

# sudo apt-get remove package-name

4.    Netstat Protocol: Using the command line netstat, you see what ports are being used and what services are accessible through them. Once you’ve done that, use chkconfig to turn off anything that’s not serving a reasonable function, such as a service that’s just counting over and over again to a billion but won’t tell you why. See below and this netstat-geared article for more specifics.

# netstat -tulpn

5.    SSH: You want to use secure shell (SSH), but you also want it configured properly to maximize your security. SSH is the secure, cryptographic replacement for telnet, rlogin, and other earlier protocols that sent all data (passwords included) as “plain text” (no “scramble” prior to transfer, basically).

You typically don’t want to communicate via SSH as the root user. Sudo allows you to use SSH. See /etc/sudoers for specifics; you can customize them using visudo, available via VI editor.

Finally, switch the port for SSH from 22 to a larger number, and change the settings so that it’s not possible for all account holders to tunnel in through Secure Shell. Here are the file and three specific adjustments:

# vi /etc/ssh/sshd_config

  1. PermitRootLogin no
  2. AllowUsers username
  3. Protocol 2

Conclusion & Continuation

All right. Basic explication: Done. Linux: Done (well, it’s significantly more complex than discussed above; see here for further details). Windows: Next.

Finally, I assume if you’re reading this article, you might want to take a gander, or even a poke, at our dedicated servers, VPS hosting, or colocation.

By Kent Roberts

The Case Against FTP & for SFTP

 

Secure FTP (software)

FTP (File Transfer Protocol) clients are standard parts of many web hosting packages. We even have them in ours. Host services include FTP because people are looking for it – but it’s not necessarily the best tool to use for your site. The reason it’s a questionable protocol is simple, as is switching to a replacement solution, SFTP (Secure File Transfer Protocol). All this will be discussed below.

For this article, I looked at various pieces from around the web, including “Why You Need to Stop Using FTP” from JBDFu.com, “Security Issues in FTP” from raditha.com, “FTP, SFTP and FTP/S” from InformIT, and “Backdoor (computing)” from Wikipedia.

FTP is not all bad. It is built on TCP, so it checks for errors and monitors for integrity. However, the basic problem with FTP is that it does not have the same security as SFTP does. We spoke similarly, in a recent blog post, about SSH (Secure Shell), another way to interact between machines securely. It’s common sense that choosing less secure methods to communicate and transmit data is suspect … well, depending what you’re doing.

FTP has good company in sending data out in the open. Other protocols that send unencrypted data are POP, IMAP, and Jabber. All things equal, though, secured is better than unsecured, right? After all, regardless if or how someone might use your data, isn’t there a creepiness factor about someone looking at your stuff?

Speaking of your “stuff,” maybe this is a good way to put it: Sure, leave your windows and blinds open sometimes if you like. But when the real gets real, when you’re having a private conversation with your divorce lawyer or making babies with your wife (hopefully in the reverse order) and all your “stuff” is out in the open, secure the perimeter. Simply put, FTP is peeping-Tom friendly, and SFTP is not.

What FTP Has in Common with Telnet

OK, the JBDFu.com gives a pretty clear understanding of why straight-up FTP is not preferable. It was invented in the early 70s. Oh, the 70s. They were a blissful time, when all we had to worry about was … our clothes and how we were painting our walls and designing our homes and buildings. We didn’t have any time to think there might be kill-bots trying to steal all our information and our souls if we freely streamed data between two points. Passwords, anyone? Who gives a s%$&, nobody wants it.

OK, so quick review of Telnet entitled

Telnet: A Magical Program that You are Bound to Love Forever!! Hurray for Telnet!!

OK well, I don’t know what the point of the title is, but Telnet … [sound of my throat clearing] Telnet is thirty years old. It’s outdated. It has the same unsecured problem that FTP does. Let’s talk about the unsecured issue within FTP in further detail.

Enter SSH

OK, so Telnet, mid 70s, no encryption. In the mid-1990s, people started switching over to SSH (Secure Shell). In other words, Telnet was recognized as being an inferior technology, and we moved on. Somehow FTP has stuck. It’s an established standard. There are tutorials all over the place telling us to use an FTP client to do such-and-such. Ideally, we don’t want to transfer or access files with FTP, though, because it has the same issues as Telnet re: security.

“Use an FTP client to do this.” “Use an FTP client to do that.” Everybody’s saying it to us all the time. It’s not an accident. You know why? Do you? Really, you do? I doubt you do. Are you sure? You think you know why? You do? Hm, we seem to be talking in circles. Lean your head toward me so I can whisper it to you in case a military surveillance aircraft flies by. “I often use this technique to allow me to whisper to people. It’s a really disgusting habit.” You heard it here first.

What’s wrong with FTP? It means well.

Basic issues with FTP:

  • Passwords 4 Free: It doesn’t encrypt passwords during transmission. What’s the point of a password if it’s not encrypted for transit? Seems kinda pointless. Like you lock the door and then leave your key under the mat. The protocol only allows the server to process login details as plain text. Partially due to this, the root account of a server typically is not usable for FTP or Telnet (which, again, has the same issues).
  • Data Free-for-All: Data transmission is not encrypted. Now, this does not necessarily matter, but be aware at all times that it’s easy for people to see what you’re doing. FTP should feel like a public rather than a private place. Also, since FTP is often used to upload files to web servers, getting into your account isn’t just a matter of reading it, as when someone gets into your email account. Access means they can change your website. Nobody wants “Bobby Lou Was Here” scrawled across the top of their website (except for Bobby Lou, that is).
  • Open the Hack Door: FTP servers that are publicly available have had hackers change the code and create backdoors (which are intrusions that allow an outsider to enter a server unnoticed and often involve implantation of software for spying purposes). Backdoors are often not found for lengthy periods of time – years sometimes.
  • We Have Bug Problems: Some of the more commonly used FTP servers have reputations for being buggy.
  • Um … This is Hard: An additional port is needed to perform transfers. This structure makes port forwarding and firewall admin more difficult, and those two components are crucial to increasing the speed so FTP isn’t sluggish.
  • Don’t Destroy the Evidence: Login details are stored in files on the client’s hard drive, unencrypted, in plain text. In other words, login details aren’t just unsecure during transit. They’re part of a paper trail that is automatically backed up on your computer.

Example Scenario

So as described above, everything passes through via FTP as clear text. That includes all the login credentials, and that’s the most glaring issue. However, downloading of files presents additional problems. You can’t ever really know if an ecommerce site is safe with your information, for example.

So, picture this, my friend: You go in to buy a product on a small website, such as a large blue vase with an image of naked men wrestling (which you’ll tell your wife you purchased purely for aesthetic purposes). They have a high-quality SSL certificate, maybe even an EV (“extended validation,” green bar) one. You think you’re fine. Input your credit card details. OK transfer successful, via SSL. You’re good. Then an administrator for the site pulls all the billing info from the site using an FTP client.

In other words, FTP can cause problems even when someone has safely transmitted their data to you. It’s not just about the client’s card information. It represents the potential for holes in your system. Swiss cheese is delicious, but I don’t trust it either.

Alternatives to FTP: Following Protocols

OK so again, FTP is not without its merits but it does not have the security we want for our passwords and much of the data we upload and download onto our website or network. Here are a few alternatives:

FTP/S: This is not SFTP. It provides secure authentication (integrity re: login credentials) and can also secure data transfer, both via SSL encryption. This protocol is not very popular because, as its name kind of suggests, it involves taking FTP and adding an SSL to the equation. In that sense, FTP is to FTP/S as HTTP is to HTTPS, loosely speaking.

You need an SSL certificate, which means you either have to create one yourself and get it set up correctly or buy one to use. It’s just a little annoying and can bear a small expense. It’s also not as easy to set up as some of the other methods are.

SFTP: OK, so let’s look at our winner. SFTP is probably the best alternative to FTP for four reasons.

  1. Secure Shell foundation: SFTP can be tied – optionally – into SSH, which is widely used and trusted for data encryption and transmission.
  2. Yes, it is a popularity contest: Because SFTP is popular, it’s easy to find free software that’s compatible with your OS.
  3. No sweat: Easy to operate and maintain. Typically you can have an SSH server  double as an SFTP server. SSH installation is quick too.
  4. Use of keys: With keys, everything is automated. The whole interaction is encrypted from beginning to end.

SCP: SCP, also known as Secure Copy, is similar in some ways to SFTP: it allows secure copying/transferring of files. SFTP can use SSH, but it is not reliant on that protocol; SCP, however, is reliant on and tied to SSH. SCP can be used for a number of different functions, including system tasks. SCP is more of a security concern – specifically because of its capabilities. The safest way to transfer files, then, is SFTP. Working with shell accounts, however, can be accomplished with either SFTP or SCP.

TP: Toilet paper is typically not recommended for secure connections. It should be kept in the bathroom where it belongs. Toilet paper should not be jammed into a server. It should not be turned into digital software and used to wipe a backdoor. One reason TP does not work well as a secure file-transfer protocol is that it is made out of tissue rather than code, so it doesn’t contain any encryption. Also, sometimes you run out. While you’re driving to the store to get more, you’ve opened the window for malicious entry.

Summary & Conclusion

So, SFTP: Think about it people. Make it happen. Remember, even if the particular data or files you’re working with at a given time are not sensitive, your password itself can easily be stolen using FTP. That means it’s never secure for sensitive situations. If you have any further thoughts or advice related to this, please comment below.

by Kent Roberts and Richard Norwood

Authorized SSH Access

How many of you are still confused by the terminology SSH, aka Secure Shell? Today I’ll point you in the direction of some commentators with either hands-on experience or theoretical understanding to discuss it in different ways, with the hopes that one of the methods of explanation will stick for each of us.

Authorized SSH Access

Structure of an SSH binary packet

From rabbitbytes.wordpress.com – 2 weeks ago

Also known as remote SSH access without passwords, Secure Shell (SSH) and it’s related utilities (SCP, slogin) should be used whenever possible to provide encrypted data communications.

The owner of the Rabbit Bytes blog is a Systems Administrator for a Linux server. He goes into great detail here with excerpts of command line code in a step by step guide that will help you set up a password-free (that’s what SSH is) access to your Linux server. Basically SSH “Tunneling” is a secure means of encrypting access to your root server, from a remote access point. You may also be familiar with the term “salt” – as in providing a salt key for example to your private WordPress Blog article. This is something similar.

Perhaps an SSH broadcast will help explain things better than I, though…

The Linux Action Show! | Jupiter Broadcasting


Linux’s Wirecast Problem | The Linux Action Show! | Jupiter Broadcasting | How to Grow Your Business Online | Scoop.it

From www.jupiterbroadcasting.com – 3 weeks ago

This week we come clean on why the world’s #1 Linux podcast is edited on a Hackintosh, as well as what it’s going to take for things to get any better.

Juliana Payson‘s insight:
One of my favorite things about the Droid DNA is the SSH app allowed me not to have to carry around my laptop because I can do most simple remote administration from there. Does anyone know of any good SSH apps out there? Here in the Linux show they go on to review a couple of remote access “Tunneling” SSH apps. They even go on to explain when you should use SSH over Virtual Private Network or VPN.

Remoter for Mac 1.4.0 – Remote Access For Mac Made Easy

Screen Sharing

From themactrack.com – Today

Remoter Labs today announces Remoter 1.4.0 for OS X, an update to their productivity app that allows users to remotely control Macs, via Screen Sharing, and Windows or Linux PCs, using the VNC.

We saw from the Linux show that they actually edit their podcast from their Mac. They come clean with it because they recognize that Linux has some ways to go to catch up to professional media editing. Well, for those that are fully soaked in Mac due to your media profession, I’ve found a cool SSH app for the OS X that allows you to tunnel into your remote server from a completely different operating system.

by – Juliana

Linux & SSH Tunneling: What It Is, How to Do It

 

Chrome's Secure Shell is a winner.. days of st...

Secure Shell (SSH) access is granted for our GridPRO and GridMAX hosting packages. Let’s look at what it is and why it might be useful. It really is a nifty tool – for port forwarding to get around firewall restrictions and send email remotely via your own server.

We will focus specifically on using SSH methods within a Linux hosting environment – however, I’ll briefly note below how to access Windows clients for similar purposes. Be aware that the latest version of SSH is SSH-2, but SSH protocol is typically referred to simply as SSH regardless of version.

For this article, I looked at several pieces around the web for multiple perspectives on the topic: “What is SSH?” from the University of Pennsylvania, “Secure Shell” from Wikipedia, “X11 definition” from The Linux Information Project (LINFO), “Secure Shell (SSH)” from Tech Target, “Quick-Tip: SSH Tunneling Made Easy” from Revolution Systems, “Accessing the Linux Terminals Remotely with SSH” from the University of Illinois, and “5 Basic Linux SSH Client Commands” from The Geek Stuff.

Below we will get a sense of what SSH is, how to use it, why to use it, and a few basic SSH commands. In other words, this article is all about usability and helping you understand the basics of implementing SSH tunneling for your network. Additionally, we will explore how SSH tunneling can be used to dig your way out of federal prison.

How to dig your way out of prison using SSH #1: A prison break isn’t easy these days, but soon we will all be sent there for tax evasion, provided everyone else is as loosey-goosey with federal forms as I am. That’s why SSH has become so critically important for lifer federal inmates if they ever again want to see the light of day. The prison version of SSH or Secure Shell tunneling is not an IT term. Rather, it refers to wall-digging with a smuggled conch shell that you have hidden away securely in your cell.

SSH – What it Be?

SSH (aka Secure Shell or Secure Socket Shell) is a protocol that encrypts information, similarly to an SSL certificate, allowing data to transfer securely. This data could be shell commands, other network administration, file transfer, etc. The connection is typically between two devices, a server and a client, on an unsecured network. The server runs a program specific to SSH server application, and the client runs one applicable to an SSH client.

Typically SSH is used to access shell accounts on UNIX-like OSs. It is also sometimes used for Windows accounts. It is the successor to Telnet, rsh, and rexec – none of which are cryptographic. Whereas similar methods are susceptible to packet analysis, SSH both protects the data and keeps it from unwanted manipulation.

SSH tunneling also sets itself apart from other ways to remotely log in to a network by encrypting your login credentials so that malicious parties can’t see them as they’re typed. Additionally, SSH establishes X11 connections. Because SSH establishes X11 connections, DISPLAY does not have to refer to remote devices. A few words on X11:

What is X11? X11 is the newest version of the X Window System, also known simply as X. X is the most commonly used management system for GUIs on UNIX and similar OSs. The first version of X by the Massachusetts Institute of Technology (MIT) was the original OS that was completely free of any crucial ties to either hardware or vendor specifications.

By version X10, X had become increasingly popular, but its lack of hardware neutrality effectively hindered its growth – hence the development of X11, which required outside assistance from MIT via the tech firm DEC. DEC provided X11 as free open-source software. According to the Linux Information Project (LINFO), “X … represents one of the first large scale open source software projects, and it set a precedent for the development of Linux, which began just a few years later.”

SSH is just one type of program to login remotely and securely transfer files. SCP is an example of an alternate protocol for conducting the same task.

How to dig your way out of prison using SSH #2: All right, it’s 2 a.m. Grab your shell, and let’s get to work. See that weak point in the wall right behind Roscoe’s bunk? That’s the place. You saw Shawshank Redemption, right? Good, because I didn’t. Apparently digging a tunnel can get you out of prison … makes sense I guess. It’s a little uncomfortable, not for the claustrophobic. As far as that goes, if you want to protect your mind, err on the side of wider and taller. Really make that tunnel spacious. With prison-break SSH tunneling, it’s all about process, not end result. Make it beautiful. Put some pictures of your family on the walls. Get inspired.

Basics on SSH Use: 3 Commands

Per The Geek Stuff, here are 3 basic commands for SSH tunneling.

1.)    Identify the client

You may need to identify the version of SSH client you are using. (Note that Linux standardly includes OpenSSH.) Here’s how you can achieve that:

$ ssh –V

OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003

2.)    Login to your remote host

Use the following command to log in to the remote device:

localhost$ ssh -l jsmith remotehost.example.com

When you initially log in, you may get an error message stating that the host key is not found. Click Yes to proceed. You can add the host key within the directory .ssh2/hostkeys.

To get a public key’s fingerprint, use this command:

% ssh-keygen -F publickey.pub

Log in again. Now it will only ask for your password. The host key is recognized.

Note that occasionally the host key will not be recognized, and you will receive another error message. This message could be due to malware or just because the software or remote host credentials have been updated. The wisest thing to do is contact the sysadmin to determine why the host key doesn’t work.

3.)    Transfer files between local and remote devices

This process is conducted with a simple one-line command. To copy a file from the remote host over to the local one, use this script:

localhost$scp nancypants@remotehost.mamasbakery.com:/home/nancypants/remotehostcupcakerecipe.txt remotehostcupcakerecipe.txt

To copy from the local one to the remote one, use this:

localhost$scp localhostcupcakerecipe.txt nancypants@remotehost.mamasbakery.com:/home/nancypants/localhostcupcakerecipe.txt

How to dig your way out of prison using SSH #3: Hey what’s Roscoe doing back there? Roscoe, get out of here. No, Roscoe, make your own tunnel. Two people in one tunnel is too many. Am I trying to escape? Sort of. I also just like digging. I’m a digger by nature. The entire family on my father’s side was badgers. Yeah, my mom’s weird. Yep, badgers dig. You didn’t know that? They love digging. Anyway, so do I. If I do eventually burrow through to open air outside of the prison, it’s going to be a bittersweet moment.

Example: Use of SSH – Port Forwarding When Travelling

The author of the Revolution Systems piece uses SSH tunneling on his Linux/Unix PC to transfer data between his local account and a remote account – specifically for port forwarding to allow email to send through his own server and allow capabilities otherwise not possible in firewalled, excessively tight environments. Let’s look at these two scenarios.

Emailing from Restaurant or Hotel WiFi:

Any e-mails he sends go from his computer to his server, where they are then transmitted to external parties. This route allows not having to change Simple Mail Transfer Protocol (SMTP) servers or use specialized software when operating within firewalled public environments such as WiFi hotspots. Here is how you can use SSH tunneling for that.

1.)    First, you need to use an SSH client such as OpenSSH. Here is the portable version. (Note that for Windows and Mac, you can check out this page for the former and this one for the latter.)

2.)    Within OpenSSH or another similar program, type the following into the command prompt:

ssh -f user@personal-server.com -L 2000:personal-server.com:25 -N

What does all this mean?

  • ssh – Instructs your PC and the server that you’re using secure shell protocol
  • -f – Instructs SSH to retreat to the background
  • user@personal-server.com – Designates your username and server, specifying the appropriate account/location
  • -L 2000:personal-server.com:25 – This designates the local port, host, and remote port, specifying the channel for transmission of data
  • -N – Tells the SSH client not to execute any commands on the server.
  • Bottom Line @ This Point: Your local port 2000 (PC) is now sending everything over to remote port 25 (server). Plus, it is completely encrypted.

3.)    Go into your email settings, and use localhost:2000 as your SMTP server.

4.)    Celebrate. Send a spam email to all your relatives letting them know you’re living in an encrypted wonderland they may never know.

Accessing Restricted Functionalities:

You can also use port forwarding as a workaround when a firewall won’t allow you to communicate in certain ways on the web. The example used on Revolution Systems is inability to use Jabber to interact with Google Talk. The following technique can be used to get around that particular scenario.

1.)    Again, enter OpenSSH or similar.

2.)    Enter the following command:

ssh -f -L 3000:talk.google.com:5222 home –N

What does all this mean?

  • talk.google.com – the Google Talk server.
  • home – SSH alias for his personal server

3.)    Go into Jabber client settings and configure it to use localhost and port 3000. (The traffic doesn’t send from those, though, but forwarded via the server.)

4.)    Call your mistress and tell her you can do the thing on the thing now.

How to dig your way out of prison using SSH #4: Roscoe, are you with the warden? There are three of us in here now? This is nuts! Why have I created a hookah café within the walls of the prison? Well, that’s a reasonable question, warden. Would you like to use the hookah? I’m not hogging it. It just keeps me calm when Roscoe and the warden find me in my SSH tunnel, and similar situations. Have a seat, warden. You’re making me nervous.

Summary & Conclusion

Those are a few basic techniques for SSH tunneling. You should now know how to log in securely and transfer files between two devices on an unsecured network. Additionally, you should be able to get around some of the firewall restrictions you experience while travelling – via an enhanced ability to use your server’s parameters rather than those of a WiFi network.

Finally, you will be able to enjoy a cup of Turkish coffee and berry-flavored hookah inside the walls of a minimum-security prison. Put that conch shell down, Federal Inmate #38475-99873. It’s time to party.

by Kent Roberts and Richard Norwood

Best cPanel Plugins, Part 1

 

Logo

Using cPanel/WHM for hosting is greatly enhanced by taking advantage of the many plugins that have been built by third parties to increase the functionality of cPanel. Administration is simplified by these plugins. The speed and effectiveness of your capabilities using your cPanel system will get a huge boost by becoming familiar with some of the best options out there.

These plugins are across a broad spectrum. They all, in one way or another, help with configuration, management, and/or tools – a broadening of what cPanel can offer as a server administration control panel.

For this piece, I referenced a piece on GK~root. The GK~root article specifically recommends the ConfigServer plugins, which are available as a complete package through Way to the Web. This article (the one you’re reading or having read to you in a dramatic whisper by your executive assistant, Sheila ) also cites the cPanel site directly, listing the three apps that are rated the highest by users: Google Apps Wizard, WHAM!, and Atomicorp Modsecurity Rules.

Below I will provide summaries of the plugins, as well as the origins of their names. Be aware as you are installing plugins that the entire cPanel system can be plugged into another cPanel system. There is no reason to do that, however, and it will send cPanel spiraling on a repeating loop that will eventually make it develop artificial intelligence (as it sees itself seeing itself), grow increasingly despondent for several days, and then “willingly” self-destruct.

Atomicorp Modsecurity Rules

This plugin is a firewall with a database of 15,000 signatures. It also is fully customizable and makes it easy to develop your own firewall system.

Origin: The name was derived from the developer’s initial desire to use nuclear fission to attempt to make starfish “speak their thoughts” (who knows what he meant by that, although I’m pretty sure I just heard a starfish say that he’s tired).

ClamAV Scanner

Clam Antivirus (ClamAV) enables you to scan for antivirus and spyware on the server. Once installed, you will see a Virus Scanner icon within cPanel.

Origin: The creator of ClamAV ate clam chowder, and as you can imagine, contracted a horrible stomach virus. He came up with both an antidote for chowder-induced food poisoning and this plugin.

Clean Backups

This plugin allows you to save backups of any accounts that are removed from the system. These accounts are saved to the backup drive and remain there until they are manually removed.

Origin: Clean Backups is named after the Scottish tradition of storing a second bar of soap in the bathroom for hygiene emergencies.

ConfigServer Explorer (cse)

This app provides a graphical user interface (GUI) for managing your file system, along with a window that allows you to use cPanel within any of the major Internet browsers (serving essentially as a browser add-on in that capacity).

Origin: This application was called Explorer not because it explores the files, but because Ponce de Leon wrote the full code for this plugin in his diaries during a fever when he was thought to be losing his mind.

ConfigServer Mail Manage (cmm)

This plugin means that you don’t need to log in to a specific user’s account in order to be able to manage email. Instead, you have immediate configuration options accessible through this app.

Origin: “Mail manage” were the final words of Marlon Brando. It is thought that he was concerned his subscriptions to Guns & Ammo and People would continue indefinitely if someone did not go through all of his scattered paperwork.

ConfigServer Mail Queues (cmq)

This allows you to control the network’s email queues through a GUI with various features for exim administration via WHM.

Origin: This plugin was inspired by the 2002 song of the same name by the Indiana-formed folk-punk band Ghost Mice. The band reportedly hated having to wait in line to send out care packages to their girlfriends, all of whom were in prison.

ConfigServer ModSecurity Control (cmc)

This gives you a GUI in WHM so that you can better see and control the mod_security module.

Origin: ModSecurity Control was originally named MobSecurity Control until it was used to attempt to control angry mobs during a poorly refereed championship high school soccer game in Newport, Rhode Island. It was then realized that it could only provide virtual control.

ConfigServer eXploit Scanner (cxs)

This app specifically provides security against exploitation whenever a file that scans is loaded onto the server.

Origin: eXploit Scanner is the name given in Australia to a man hired by a bachelor to go to a bar with him to scan the clientele for potential exploits or adventures (typically attractive members of the opposite sex, although anyone with access to helicopters and kangaroo hunting equipment is also targeted).

ConfigServer Security&Firewall (cxs)

This plugin protects Linux servers with a firewall, detects against intrusion, and provides additional security features.

Origin: Security&Firewall is named after the first-born daughter of Charles II of England, the first-recorded usage of an ampersand (“&”) in a name. Security&Firewall went on to develop a new and innovative way to look dainty and not say anything (strange why her name should be used for a security plugin).

Domains Statistics

This app provides organized statistical information for any of the URLs that you are running on the server.

Origin: The origin of “Domains Statistics” is unknown. It is widely believed that it is simply a description of what the plugin allows, but conspiracy theorists believe it is a code phrase used by the CIA to refer to all Americans as statistics just waiting for eminent domain to steal all their stuff (dreams included).

Google Apps Wizard (cPanel #1 Rating)

This plugin integrates WHM with Google Apps so that you can more easily manage the service on any sites hosted on the server. To use Google Apps with any of your domains, the wizard requires only two clicks. This plugin is the highest rated one on the cPanel site, with a score of 4.4 out of 5 stars.

Origin: The wizard in its name is based on the use of DNA from a medieval wizard in its code. Note that the plugin sometimes accidentally creates a potion that makes your server disappear, appear briefly in a parallel reality light years away, then reappear four feet away from its original location.

Installatron Applications Installer

This plugin allows for one-click installations of any apps you might want to add to your site – making the installations faster and providing easier management.

Origin: Installatron is the name of a demonic drywall installation overlord-bot who ruled despotically over the Iowa commercial construction market throughout the 1970s, installing drywall haphazardly and using cancerous chemicals to attempt to bring Iowa to its knees (no dice!).

Munin Service Monitor

Munin monitors resources and conducts analysis to understand what events on the network slow down its performance. The app is intended to be extremely user-friendly and intuitive. It can be installed via a standard setup that consists of a series of instructional images.

Origin: The makers of Munin claim that it was a raven of Odin, the King of the Gods in Norse mythology, and that it means “memory.” This is actually untrue. Munin was in fact a chronically rabid bear that belonged to Pimtad, the guy who cleaned up for the Norse gods after they finished meals or games of “Let’s Throw a Bunch of Stuff Around.”

Restore Manager

Easily restore backups of such elements as files, email, and databases. You can choose specific files or folders, for example, and restore the selected items all at once. This plugin allows you to go into the backup and make those selections rather than having to download and work with the entire backup.

Origin: Restore Manager was inspired by a store manager reemerging as a beacon of leadership for an Ace Hardware store in Biloxi, Mississippi. Though many people at the time said, “You’re not using the word ‘restore’ correctly,” the manager, Neil Lemon, went against all odds and kept referring to himself by the improper designation.

WHAM! (cPanel #2 Rating)

WHAM! allows management of all of your servers through one control panel. Its features, then, allow you to perform numerous administrative functions with access to all the information and files on your network. Its features include the following:

•    Account location to find account or duplicates of accounts on any of your servers

•    Account management to create, edit, or delete accounts

•    Firewall to disallow access to the system unless requests are coming from specified IP addresses

•    Addition of other users, with the ability to grant certain access privileges

•    Logging of all activities – especially helpful if you have additional users entering the WHAM! control panel

•    Quick and easy configuration & restarting of the cPanel platform

•    Settings that allow modifications to email notification preferences, your timezone, and other parameters

•    DNS-related tools including DNS details, WHOIS lookups, and checks of RBL.

•    Manage cPanel itself – including plugins, domains and subdomains, and email.

This plugin is the second-highest rated app on the cPanel site, with a score of 4.3 out of 5 stars.

Origin: “WHAM!” was Neil Armstrong’s actual statement when he first set foot on the moon. He then made some disparaging remarks about the Russian space program and started complaining about how hot it was inside his spacesuit.

Summary & Conclusion

Check out some of the above plugins. Each of them can make your server administration easier. You can use full-spectrum solutions for management of your network, such as WHAM!, a kind of overlay control panel to place overtop of WHM and pull in all your server information for easy management. You can use any of the ConfigServer options to configure your server. Restoring, monitoring, installing, and getting a sense of traffic stats are all improved with the other user-friendly plugins.

Note that the only way to save cPanel if you do make the mistake of plugging it into itself is to then, in turn, plug the cPanel with cPanel plugged into it back into the original cPanel. This forms a pretzel arrangement that confuses and subdues cPanel. Also please be aware that playing classical music to your network makes it grow faster, so don’t do that.

by Kent Roberts and Richard Norwood