
Wednesday, November 7, 2012

Creating the Cpanel account with WHM

Log into your WHM. In the left menu under "Account Functions", click "Create a New Account".
Fill in the details for the new account. Here's a brief outline of the settings you'll be putting in:

  • Domain Information

    • Enter the main domain name on the account, set a cPanel username and password for it, and then enter the email address to be associated with the account.

  • Package

    • WHM allows you to create packages, which make it easier to manage cPanel accounts. For example, you may have a "Power Plan" package like the one InMotion Hosting offers. Within that package you could set limits such as the number of addon domains the account may have. If you don't have any packages set, select the "Select Options Manually" option and set those limits now.

  • Settings

    • Choose the cPanel theme to assign to the user (InMotion Hosting currently uses x3) and select the appropriate language for the user.

  • Reseller Settings

    • If you have access to create a cPanel account, it means that you have reseller permissions. Decide here whether the new account you're creating should have WHM access and be able to create accounts itself.

  • DNS Settings

    • Decide how the domain's nameservers should be configured on the server. If the nameservers specified for this domain name are going to be on another server, choose the option "Use the nameservers specified at the Domain's Registrar".

  • Mail Routing Settings

    • Decide how the server handles email for this specific domain. For example, should it attempt to deliver the email locally, or should it look at the external MX records and decide? It's recommended to use "Automatically Detect Configuration" if you're not sure about this setting.




After you have filled in all of the details above, click the "Create" button at the bottom of the page.

Congratulations, you have just created a new cPanel account!

Tuesday, November 6, 2012

Installing cPanel manually

In order to install cPanel/WHM on your VPS, you will need to log into your server as root first.

ssh root@server-ip

In the above command, server-ip should be your server's IP address. cPanel/WHM should only be installed on a fresh system with a properly configured yum or apt-get package system.

From a Windows machine you can use PuTTY to log into the server.

Minimum requirements as per cPanel's site:

Processor: 266 MHz
Memory: 512 MB RAM (1 GB recommended when hosting many accounts)
Disk Space: 10 GB hard disk


Removing YUM groups


To obtain a list of yum groups, run the command:

yum grouplist


You should make sure these yum groups are not installed:

  • FTP Server

  • GNOME Desktop Environment

  • KDE (K Desktop Environment)

  • Mail Server

  • Mono

  • Web Server

  • X Window System


To remove a yum group, run the command yum groupremove. For example, if you wish to remove Mono and Mail Server, enter:

yum groupremove "Mono" "Mail Server"


Disabling SELinux security features


You should disable SELinux after installing Red Hat Enterprise Linux, CentOS, or CloudLinux. To disable SELinux, you can either:

  • Use the graphical interface while configuring your operating system, or

  • Edit /etc/selinux/config from the command line and set the SELINUX parameter to disabled using a text editor, such as nano or vi.


If you disable SELinux from the command line, the contents of /etc/selinux/config should resemble:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted


Deactivating default firewall and checking for updates


If you are installing CentOS, Red Hat Enterprise Linux or CloudLinux, you should deactivate the default firewall and check for updates.

To deactivate the firewall, run the commands:

chkconfig iptables off
service iptables stop


To check for updates, run the command:

yum update


Change the hostname of the VPS to a valid fully qualified hostname such as "server.domain.com".

Installing cpanel


The installation of cPanel can take a long time, so it is better to install "screen" first. Depending on your operating system you can install screen with yum or apt-get (yum install screen or apt-get install screen).

Now you will want to download and install cPanel:

screen -S cpanel
cd /home
wget http://layer1.cpanel.net/latest
sh latest

Press Ctrl-A then D to detach from the screen session.

screen -ls will list the screen sessions.

If you get disconnected, you can ssh back into your server as root and run:
screen -r cpanel

After everything is complete, and there are no errors, you should be able to access the WHM control panel by visiting

https://your_ip:2087

Friday, October 26, 2012

Kerberos authentication in RHEL

Kerberos authentication

To use Kerberos authentication we need to set up the server with all the needed principals and their passwords, and we must configure the client to use the proper Kerberos server.

Server Configuration

server:virtual19.virtual.com
IP:192.168.100.19

client:virtual21.virtual.com
IP:192.168.100.21

Packages needed are

yum install -y krb5-server
yum install -y krb5-libs
yum install -y readline-devel

vim /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = VIRTUAL.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
VIRTUAL.COM = {
kdc = virtual19.virtual.com
admin_server = virtual19.virtual.com
}

[domain_realm]
virtual19.virtual.com = VIRTUAL.COM
virtual21.virtual.com = VIRTUAL.COM

[appdefaults]
validate=true

vim /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
VIRTUAL.COM = {
master_key_type = aes256-cts
default_principal_flags = +preauth
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}

kdb5_util create -r VIRTUAL.COM -s

kadmin.local

kadmin:  listprincs
kadmin:  addprinc root/admin
kadmin:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin

kadmin:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw

kadmin:  addprinc -randkey host/virtual19.virtual.com

kadmin:  ktadd -k /etc/krb5.keytab host/virtual19.virtual.com

vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@VIRTUAL.COM     *

service krb5kdc restart
chkconfig krb5kdc on
service kadmin restart
chkconfig kadmin on
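A mistyped section header or realm name in krb5.conf is not reported by libkrb5; the section is simply ignored and authentication fails later in a confusing way. The following added example is mine, not part of the original post: it parses the server's krb5.conf shown above (embedded as a constructed sample, with the section spelled [appdefaults]) and cross-checks [libdefaults], [realms] and [domain_realm] against each other. The parser handles the MIT profile format's nested "key = { ... }" blocks; the list of known section names is taken from the MIT documentation.

```python
import re

# Constructed sample input (not the post's file as published): the
# server's krb5.conf shown above, with the section spelled [appdefaults].
SAMPLE_KRB5_CONF = """\
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = VIRTUAL.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
VIRTUAL.COM = {
kdc = virtual19.virtual.com
admin_server = virtual19.virtual.com
}

[domain_realm]
virtual19.virtual.com = VIRTUAL.COM
virtual21.virtual.com = VIRTUAL.COM

[appdefaults]
validate = true
"""

# Section names libkrb5 recognises; anything else is silently ignored.
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths", "appdefaults",
                  "plugins", "logging", "kdcdefaults", "dbdefaults", "dbmodules"}


def parse_krb5_conf(text):
    """Parse the MIT profile format into nested dicts.

    "[name]" starts a section, "key = {" opens a nested block that ends at a
    line holding only "}", and '#' starts a comment.
    """
    sections, stack = {}, []          # stack[-1] is the innermost open dict
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"line {lineno}: value before any [section]")
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: '}}' without matching '{{'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key = value'")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{' block at end of file")
    return sections


def check_krb5_conf(conf):
    """Cross-check the parsed sections; returns a list of findings (empty = sane)."""
    findings = []
    realms = conf.get("realms", {})
    libdefaults = conf.get("libdefaults", {})
    for name in conf:
        if name not in KNOWN_SECTIONS:
            findings.append(f"unknown section [{name}] is ignored by libkrb5")
    default_realm = libdefaults.get("default_realm")
    if default_realm is None:
        findings.append("[libdefaults] has no default_realm")
    elif default_realm not in realms:
        findings.append(f"default_realm {default_realm} is not defined in [realms]")
    # MIT's default for dns_lookup_kdc is true; the post turns it off.
    dns_kdc = libdefaults.get("dns_lookup_kdc", "true").lower() == "true"
    for name, realm in realms.items():
        if name != name.upper():
            findings.append(f"realm name {name} is not upper-case (convention)")
        # With DNS KDC lookup off, the KDC and admin server must be listed.
        for role in ("kdc", "admin_server"):
            if role not in realm and not dns_kdc:
                findings.append(f"realm {name} has no {role} and dns_lookup_kdc is off")
    for host, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] maps {host} to undefined realm {realm}")
    return findings


if __name__ == "__main__":
    for finding in check_krb5_conf(parse_krb5_conf(SAMPLE_KRB5_CONF)) or ["no problems found"]:
        print(finding)
```

Run it against the file as copied to the client as well: the same checks apply there, and a realm name that differs in case between [libdefaults] and [realms] is the most common reason a client cannot obtain a ticket.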

----------------------------------------------------------
Client side configuration
----------------------------------------------------------

copy the /etc/krb5.conf from server to client

authconfig-tui

Select the Kerberos password authentication option; you will then be asked for the KDC, the Kerberos admin server and the realm name, which must be entered correctly. When the utility closes, the system will configure itself to connect to the Kerberos server.

Now we need to add that machine to the Kerberos server database:

kadmin
kadmin:  addprinc -randkey host/virtual21.virtual.com
kadmin:  ktadd -k /etc/krb5.keytab host/virtual21.virtual.com

Now the client machine is added to the server, and tickets will be issued as normal. To check, run
klist to list the tickets obtained from the server.

-------------------------------------------------------------------

Now adding NIS users to Kerberos

At the server, make a principal for the NIS user and that is it:

kadmin.local

kadmin:  addprinc nisuser1

You will be prompted for a Kerberos password; at the client, this will enable the user to log in with Kerberos authentication.

Tuesday, October 23, 2012

NIS server-client configuration

NIS (Network Information System) is one of the centralized ways to manage users throughout the network.

At Server
Install the NIS server package:

----->yum install -y ypserv

Add the needed users, making sure you give a UID that is not normally used; go for 5000+ UIDs. Here I will be using IDs in the range of 6000. This is to avoid conflicts with the local user UIDs.

----->useradd -u 60000 nisuser1
----->passwd nisuser1
----->useradd -u 60001 nisuser2
----->passwd nisuser2

Give the NIS domain name in /etc/sysconfig/network. We can also make the NIS services use the ports we choose by appending the following lines (the quoted heredoc keeps the inner double quotes intact):

---->cat >> /etc/sysconfig/network <<'EOF'
NISDOMAIN=virtual19
YPSERV_ARGS="-p 900"
YPPASSWDD_ARGS="-p 901"
YPXFRD_ARGS="-p 902"
EOF

The -p argument makes each service use that port.

Now to make this the master NIS server:
----->service ypserv restart

----->/usr/lib64/yp/ypinit -m

This builds the NIS maps and makes the needed changes.

To make those changes permanent, rebuild the maps:

------>make -C /var/yp

------>service ypserv restart

We can check the users with
getent passwd

-----------------------------
AT Client
-----------------------------

We need to configure authconfig-tui to use NIS.

------->authconfig-tui

A window will open; select the NIS option and the system will automatically start the needed service. You will be asked for the NIS domain name and the server IP; provide them, and when the window closes the client configuration is complete.

Now at the client side, if we do
------->getent passwd

we will be able to see the users.
To see only the NIS users we need to use ypcat:

------->ypcat passwd
This shows only the NIS users from the passwd map.

Switch to the user just like we switch to normal users:

at client ------->su nisuser1

Basically NIS is not that secure. We can restrict its clients in the file /var/yp/securenets: only the IPs or networks given in that file will have access to the NIS server.
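The securenets restriction is worth seeing concretely. The following added example is mine, not from the original post: it parses a constructed /var/yp/securenets and answers whether ypserv would serve a given client, applying the file's rule as documented for ypserv: each line is a netmask followed by a network, the word "host" stands for a 255.255.255.255 mask, '#' starts a comment, and a client is admitted only when some line covers its address. It also flags catch-all entries such as "0.0.0.0 0.0.0.0", which admit every host (the same effect as having no securenets file at all).

```python
import ipaddress

# Constructed sample /var/yp/securenets (not from the original post).
SAMPLE_SECURENETS = """\
# the server itself
255.255.255.255 127.0.0.1
# the client subnet used in this post
255.255.255.0   192.168.100.0
# one extra host outside that subnet, using the "host" shorthand
host            192.168.122.2
"""

# A catch-all line: every host is allowed, which is no restriction at all.
ALLOW_ALL_SECURENETS = "0.0.0.0 0.0.0.0\n"


def parse_securenets(text):
    """Return the list of IPv4 networks a securenets file admits."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"securenets line {lineno}: expected '<netmask> <network>'")
        mask, network = fields
        if mask == "host":                    # ypserv shorthand for a single host
            mask = "255.255.255.255"
        try:
            nets.append(ipaddress.IPv4Network((network, mask), strict=False))
        except ValueError as exc:
            raise ValueError(f"securenets line {lineno}: {exc}") from exc
    return nets


def client_allowed(nets, client_ip):
    """ypserv answers a client only if its address falls inside a listed network."""
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in net for net in nets)


def overly_broad(nets, max_hosts=65536):
    """Entries admitting more than max_hosts addresses, e.g. 0.0.0.0/0."""
    return [net for net in nets if net.num_addresses > max_hosts]


if __name__ == "__main__":
    nets = parse_securenets(SAMPLE_SECURENETS)
    for ip in ("192.168.100.21", "192.168.122.2", "192.168.122.3", "10.0.0.5"):
        print(ip, "allowed" if client_allowed(nets, ip) else "denied")
    print("overly broad:", overly_broad(parse_securenets(ALLOW_ALL_SECURENETS)))
```

Keep in mind that securenets only filters by source address, which NIS cannot verify; it narrows who can pull the passwd map but does not authenticate anyone, which is the reason the next post moves the password check to Kerberos.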

To change a user's password from the client we need the yppasswdd service running at the server, and the corresponding yppasswd command at the client side.

Monday, October 22, 2012

More about DNS and Security in Zone sharing

More about DNS

Bogus servers that give wrong information can be blocked, so that our server will not accept any information from them:

server IP { bogus yes; };

We can also create a blackhole list in the options block, where the server will not even acknowledge queries from the listed IPs:

blackhole { ips; };

version
This option in the options block hides the details of the DNS server version (i.e. the BIND version) from outsiders:

version "INFORMATION ....";

Chrooting BIND


By installing the bind-chroot package the DNS configuration files are moved into a chroot directory where only root and the named group have permission to edit them.

Making DNS Zone sharing safe

We can share a key between the slave and the master to make sure that updates are sent only to the correct slaves.
This method is called TSIG (transaction signature) configuration.

1. First, start on the client (slave) by generating the key:
----->dnssec-keygen -a hmac-md5 -b 128 -n HOST virtual_key

----->cat Kvirtual_key.+157+56451.private

Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: yzkKqIIa4sUPXm+Oz7VNgg==
Bits: AAA=
Created: 20121022004959
Publish: 20121022004959
Activate: 20121022004959

**Copy the key part and create a key file as follows:
------->vim /etc/rndc.key
key "virtual_key"
{
algorithm HMAC-MD5;
secret "yzkKqIIa4sUPXm+Oz7VNgg==";
};

------->chgrp named /etc/rndc.key

**Inside /etc/named.conf add

include "/etc/rndc.key" ;

server 192.168.100.1 {
keys { virtual_key ; };
};

**and

allow-transfer { key virtual_key ;};

This forces the client to use the key we generated (the key name in allow-transfer must match the name in the key file exactly).

Now copy the rndc.key file to the server,

change its group to named at the server,

and include the file in /etc/named.conf and give allow-transfer at the needed zones to make it more secure.

At the server, in /etc/named.conf:

include "/etc/rndc.key" ;

allow-transfer { key virtual_key ;};
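Because the key name appears in three places (the key file, the server block and every allow-transfer list), a single mistyped name silently leaves a zone transfer unsigned or refused. The following added example is mine, not part of the original post: a small checker that strips named.conf comments, inlines include files from a mapping, collects every key "name" { } definition and every "key name;" or keys { } reference, and reports references with no definition, missing include files, secrets that are not valid base64, and keys still using HMAC-MD5 (dnssec-keygen also produces hmac-sha256 keys, which BIND accepts for TSIG). The two embedded files are constructed samples modelled on the post's configuration, with a mistyped key name kept in on purpose so the checker has something to find.

```python
import base64
import re

# Constructed sample input, modelled on the files in this post (not the
# post's own code): the shared key file and a slave named.conf that still
# carries a mistyped key name, so the checker has something to report.
RNDC_KEY = """\
key "virtual_key"
{
algorithm HMAC-MD5;
secret "yzkKqIIa4sUPXm+Oz7VNgg==";
};
"""

SLAVE_NAMED_CONF = """\
include "/etc/rndc.key" ;
server 192.168.100.1 {
keys { virtual_key ; };
};
options {
allow-transfer { key virtul_key ;};   # mistyped: no such key is defined
};
"""

WEAK_ALGORITHMS = {"hmac-md5"}           # what dnssec-keygen -a hmac-md5 yields
KNOWN_ALGORITHMS = WEAK_ALGORITHMS | {"hmac-sha1", "hmac-sha224", "hmac-sha256",
                                      "hmac-sha384", "hmac-sha512"}


def strip_comments(text):
    """Drop /* */, // and # comments, except inside double quotes (base64 may hold "//")."""
    out, i, n, in_quote = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_quote or c == '"':
            out.append(c)
            in_quote = (not in_quote) if c == '"' else in_quote
            i += 1
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
        elif text.startswith("//", i) or c == "#":
            j = text.find("\n", i)
            i = n if j < 0 else j
        else:
            out.append(c)
            i += 1
    return "".join(out)


def expand_includes(text, files):
    """Inline each include "path"; from the files mapping; report missing paths."""
    missing = []

    def replace(match):
        path = match.group(1)
        if path in files:
            return strip_comments(files[path])
        missing.append(path)
        return ""

    return re.sub(r'\binclude\s+"([^"]+)"\s*;', replace, text), missing


def defined_keys(text):
    """Map key name -> (algorithm, secret) for every key "name" { ... }; block."""
    keys = {}
    for m in re.finditer(r'\bkey\s+"([^"]+)"\s*\{([^}]*)\}', text):
        alg = re.search(r"\balgorithm\s+([\w-]+)\s*;", m.group(2))
        sec = re.search(r'\bsecret\s+"([^"]*)"\s*;', m.group(2))
        keys[m.group(1)] = (alg.group(1).lower() if alg else None,
                            sec.group(1) if sec else None)
    return keys


def referenced_keys(text):
    """Key names used as 'key name;' in address match lists or in server keys { }."""
    refs = set(re.findall(r"\bkey\s+([\w.-]+)\s*;", text))
    for m in re.finditer(r"\bkeys\s*\{([^}]*)\}", text):
        refs.update(name.strip() for name in m.group(1).split(";") if name.strip())
    return refs


def lint_named_conf(named_conf, files):
    """Findings: missing includes, references to undefined keys, weak or broken keys."""
    text, missing = expand_includes(strip_comments(named_conf), files)
    findings = [f"include file {path} not found" for path in missing]
    keys = defined_keys(text)
    for name in sorted(referenced_keys(text) - set(keys)):
        findings.append(f"key {name} is referenced but never defined")
    for name, (alg, secret) in keys.items():
        if alg not in KNOWN_ALGORITHMS:
            findings.append(f"key {name}: unknown algorithm {alg}")
        elif alg in WEAK_ALGORITHMS:
            findings.append(f"key {name}: {alg} is deprecated, generate a hmac-sha256 key")
        try:
            if not base64.b64decode(secret or "", validate=True):
                raise ValueError("empty secret")
        except ValueError:
            findings.append(f"key {name}: secret missing or not valid base64")
    return findings


if __name__ == "__main__":
    for line in lint_named_conf(SLAVE_NAMED_CONF, {"/etc/rndc.key": RNDC_KEY}):
        print(line)
```

Run it over both the master's and the slave's named.conf with the same key file mapping; named-checkconf catches syntax errors but does not tell you that the master's allow-transfer and the slave's server block disagree on the key name.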

----------------------------------------------------------------------
master configuration

----------------------------------------------------------------------

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl "example" { 192.168.122.0/24 ; 127/8 ; };
acl "virtual" { 192.168.100.0/24 ; 127/8 ; };

include "/etc/rndc.key" ;

options {
listen-on port 53 { 127.0.0.1; example ; virtual ;};
# listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; example; virtual; };
allow-transfer { key virtual_key ;};
recursion yes;
# dnssec-enable yes;
# dnssec-validation yes;
# dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

view mixed {
match-clients { 192.168.122.2; 192.168.100.1; };

zone "example.com" IN {
type master;
file "forward.zone";
allow-update { none; };

};
zone "122.168.192.in-addr.arpa" IN {
type master;
file "reverse.zone";
allow-update { none; };
};

zone "virtual.com" IN {
type master;
file "forwardvir.zone";

allow-update { none; };
};
zone "100.168.192.in-addr.arpa" IN {
type master;
file "reversevir.zone";
allow-update { none; };
};

};

view internal {
match-clients { example; };
zone "example.com" IN {
type master;
file "forward.zone";
allow-update { none; };
};
zone "122.168.192.in-addr.arpa" IN {
type master;
file "reverse.zone";
allow-update { none; };
};
};

view external {
match-clients { virtual; };
zone "virtual.com" IN {
type master;
file "forwardvir.zone";
allow-update {none; };

};
zone "100.168.192.in-addr.arpa" IN {
type master;
file "reversevir.zone";
allow-update {none ;};
};

};

#include "/etc/named.rfc1912.zones";

----------------------------------------------------------------------------
slave configuration
----------------------------------------------------------------------------
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

include "/etc/rndc.key" ;

server 192.168.100.1 {
keys { virtual_key ; };
};

options {
listen-on port 53 { 127.0.0.1; 192.168.100.0/24 ;};
# listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost;192.168.100.0/24; };
allow-transfer { key virtual_key ;};
recursion yes;
# dnssec-enable yes;
# dnssec-validation yes;
# dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

view external {
match-clients { 192.168.100.0/24; };
allow-transfer { key virtual_key ;};
zone "virtual.com" IN {
type slave;
file "slaves/forwardvir.zone";
masters {192.168.100.1 ; };
#allow-update {none;};
};
zone "100.168.192.in-addr.arpa" IN {
type slave;

file "slaves/reversevir.zone";
masters {192.168.100.1 ; };
#allow-update {none;};
};

};

DNS Master Slave Configuration

1. Master and slave configuration
2. acl setting
3. view setting

To make a DNS server the master we give type master, and to make it a slave we give type slave. By default, on slaves the zone files are copied from the master into the default /var/named/slaves/ directory.

acl setting: an acl is used to group a set of networks or individual IPs under a single name.

view setting: a view is used to isolate DNS zones for a specific network, as per an acl or given IPs. We give the IPs, networks or acl names that have access to the view in the match-clients { ...; }; option inside the view.
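Views are tried in the order they appear in named.conf, and the first view whose match-clients admits the client answers the query; with two acls that both contain 127/8, as in the master configuration below, the order of the view blocks decides which zones a local query sees. The following added example is mine, not part of the original post: it encodes the two acl statements and the three views' match-clients lists from the master configuration and resolves which view a given client address lands in. The 127/8 prefix is written out as 127.0.0.0/8; negated (!) elements and key-based matching are out of scope.

```python
import ipaddress

# Constructed from the master named.conf in this post: the two acl
# statements and the match-clients list of each view, in file order.
# BIND's shorthand prefix "127/8" is written out as 127.0.0.0/8 here.
ACLS = {
    "example": ["192.168.122.0/24", "127.0.0.0/8"],
    "virtual": ["192.168.100.0/24", "127.0.0.0/8"],
}
VIEWS = [
    ("mixed", ["192.168.122.2", "192.168.100.1"]),
    ("internal", ["example"]),
    ("external", ["virtual"]),
]
# Built-in acl names BIND always knows ("localnets" is omitted: it needs
# the server's interface list).
BUILTIN_ACLS = {
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    "localhost": ["127.0.0.0/8", "::1/128"],
}


def expand_acl(element, acls, seen=()):
    """Resolve one address-match-list element to a list of ip_network objects.

    An element is either an acl name (user-defined or built-in) or an
    address/prefix. Negated ("!") and key-based elements are rejected.
    """
    if element.startswith("!") or element.startswith("key "):
        raise ValueError(f"unsupported element {element!r}")
    if element in seen:
        raise ValueError(f"acl {element} references itself")
    members = acls.get(element, BUILTIN_ACLS.get(element))
    if members is None:                      # a literal address or prefix
        return [ipaddress.ip_network(element, strict=False)]
    nets = []
    for member in members:
        nets.extend(expand_acl(member, acls, seen + (element,)))
    return nets


def select_view(client_ip, views=VIEWS, acls=ACLS):
    """Name of the first view whose match-clients admits client_ip, or None
    (named then logs 'no matching view' and refuses the query)."""
    addr = ipaddress.ip_address(client_ip)
    for name, match_clients in views:
        for element in match_clients:
            if any(addr in net for net in expand_acl(element, acls)):
                return name
    return None


if __name__ == "__main__":
    for ip in ("192.168.122.2", "192.168.122.5", "192.168.100.7", "127.0.0.1", "10.0.0.1"):
        print(ip, "->", select_view(ip))
```

Note that 127.0.0.1 is answered by the internal view only because internal precedes external and both acls include 127/8; swapping the two view blocks changes the answer, so a local dig does not necessarily show the same zones a remote client receives.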


-----------------------------------------------------------------------------
MASTERS-configuration file
-----------------------------------------------------------------------------
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl "example" { 192.168.122.0/24 ; 127/8 ;  };
acl "virtual" { 192.168.100.0/24 ; 127/8 ;  };
options {
    listen-on port 53 { 127.0.0.1; example ; virtual ;};
#    listen-on-v6 port 53 { ::1; };
    directory     "/var/named";
    dump-file     "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { localhost; example; virtual; };
    recursion yes;

#    dnssec-enable yes;
#    dnssec-validation yes;
#    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};


view mixed {
match-clients { 192.168.122.2; 192.168.100.1; };
zone "example.com" IN {
        type master;
        file "forward.zone";
        allow-update { none; };
    
};
 zone "122.168.192.in-addr.arpa" IN {
        type master;
        file "reverse.zone";
        allow-update { none; };
};

zone "virtual.com" IN {
        type master;
        file "forwardvir.zone";
        allow-update { none; };
};
 zone "100.168.192.in-addr.arpa" IN {
        type master;
        file "reversevir.zone";
        allow-update { none; };
};

};

view internal {
match-clients { example; };
zone "example.com" IN {
        type master;
        file "forward.zone";
        allow-update { none; };
};
 zone "122.168.192.in-addr.arpa" IN {
        type master;
        file "reverse.zone";
        allow-update { none; };
};
};

view external {
match-clients { virtual; };
zone "virtual.com" IN {
        type master;
        file "forwardvir.zone";
        allow-update { none; };
};
 zone "100.168.192.in-addr.arpa" IN {
        type master;
        file "reversevir.zone";
        allow-update { none; };
};

};

#include "/etc/named.rfc1912.zones";



-----------------------------------------------------------------------------
SLAVES-configuration file

In slaves the zones will have the following entries
-----------------------------------------------------------------------------

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
        listen-on port 53 { 127.0.0.1; 192.168.100.0/24 ;};
#       listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.100.0/24 ; };
        recursion yes;

#       dnssec-enable yes;
#       dnssec-validation yes;
#       dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

view external {
match-clients { 192.168.100.0/24; };
zone "virtual.com" IN {
        type slave;
        masters { 192.168.100.1 ; };
        file "slaves/forwardvir.zone";
        allow-update { none; };
};
 zone "100.168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.100.1 ; };
        file "slaves/reversevir.zone";
        allow-update { none; };
};

};

Friday, October 19, 2012

Setting sendmail as default

alternatives --display mta
yum install sendmail
service postfix stop
chkconfig postfix off
vim /etc/mail/sendmail.mc
Disable the line starting with DAEMON by prefixing it with dnl, like below:
dnl # DAEMON
make -C /etc/mail
alternatives --set mta /usr/sbin/sendmail.sendmail
service sendmail start
service sendmail restart
chkconfig sendmail on