Well, I disagree. I have a few Brazilian websites hosted on USA which ranks better than websites for same niche hosted here in Brazil. So, final assumptions:

1. have you ever seen a Google crawler from 200.x (“local” ip address)?!
2. we are not talking about domain names, and local TLD’s will rank better. For example, Google.com.br will always be more friendly to .com.br domain names, but
3. focus on website speed because it improves user experience -  Google loves that! This is the reason we’ve moved to a new server: four weeks ago my name dropped to 5th page on Google results, but now everything is right: first page, first spot, and will always be there

Given you have this scenario:

Let me explain… Customers will always go for support system when they have problems and almost no one will loose time to say “thank you! all my services are up and running and you over delivered what I’ve paid for”. Some may scale a ticket only when troubles  are not solved immediately – because they don’t know how to solve it or don’t have enough access to make needed modifications.

WDCP means World Domination Control Panel, and personally I think it’s the biggest project I’ve worked on until now. Solve all your problems from only one point with a few clicks, bypass any access restriction – so you  don’t have to scale anything because you don’t have access. Will be great to integrate some kind of wiki/knowledgebase too.

I’d like to write everything about WDCP but cannot do it right now. Finally, I need to say thank you for Jimmy Lu, BLABLABLA’s Director of Operations - I’ve bought a cheap VPS to write WDCP (something around five bucks) and they lost all my data twice.

I’ll only develop my applications locally since last data loss using some cheap virtual server provider – I’ve lost all my data twice with this provider. So I went ahead and created a local server for cPanel but its license was disabled today, and now it shows there is no license for my address:

root@opsbox [~]# /usr/local/cpanel/cpkeyclt
Updating cPanel license...Done. Update Failed!
Error message:
The cPanel license server said that there was no license for your IP address.
For more information visit: http://www.cpanel.net/lic.html
 
The exact message was: No license entry found for your machine (187.x.x.x)!
 
Building global cache for cpanel...Done

I’ve bought a valid license on www.buycpanel.com for some random server with static/valid ip address and downloaded tsocks from repoforge.org. To get my licensed activated, I must log into validserver (ssh session will acts as socks server):

perseverance ~ $ ssh validserver -D 31313
...

Instruct tsocks on opsbox to use this socks proxy:

root@opsbox [~]# cat /etc/tsocks.conf 
local = 10.x.x.x/255.255.255.255
server = 10.x.x.x
server_type = 5
server_port = 31313

And update my license information:

root@opsbox [~]# /usr/local/cpanel/cpkeyclt
Updating cPanel license...Done. Update Failed!
Error message:
The cPanel license server said that your license has been expired.
For more information visit: http://www.cpanel.net/lic.html
 
The exact message was: The license is expired. (187.x.x.x)!
 
Building global cache for cpanel...Done
root@opsbox [~]# tsocks /usr/local/cpanel/cpkeyclt
Updating cPanel license...Done. Update succeeded.
Building global cache for cpanel...Done
root@opsbox [~]# tsocks lynx -dump http://www.cpanel.net/showip.cgi
00:13:00 libtsocks(17585): Call to connect received on completed request 3
 
   69.x.x.x

It’s time to re-invest and scale things up.

The cPanel’s Security Policy is a framework which let you improve you security or practices. For example take the test server tnt.ruyrocha.com and its root password 3Y6Nn5CW44bY0F?5F}gHoWDy:KFzAGtp Go ahead and try to access it: https://tnt.ruyrocha.com:2087/login/?user=root&pass=3Y6Nn5CW44bY0F?5F}gHoWDy:KFzAGtp

TNT will be available until next Friday, 02/09, so feel free to give it a try. I don’t want anyone being able to access it from home, just from office’s ip address. The RestrictRoot security policy module must be included in /usr/local/cpanel/Cpanel/SecurityPolicy as follows:

package Cpanel::SecurityPolicy::RestrictRoot;
 
# cpanel - Cpanel/SecurityPolicy/RestrictRoot.pm
#
# Copyright (c) 2011 Ruy Rocha 
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in the
# Software without restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies of the Software,
# and to permit persons to whom the Software is furnished to do so, subject to the
# following conditions:
#
# The above copyright notice and this permission notice shall be included in all copies
# or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
# PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
# USE OR OTHER DEALINGS IN THE SOFTWARE.
#
 
my $priority = 20;
 
sub check {
  my ( $acctref, $sec_ctxt, $cpconf_ref, $cookie_ref ) = @_;
 
  if ( $sec_ctxt->{'appname'} eq 'whostmgrd' && $acctref->{'user'} eq 'root' ) {
    return _ip_passes($sec_ctxt->{'remoteip'});
  }
 
  return 0;
}
 
# Return true if this address is valid, false otherwise.
sub _ip_passes {
  my $remote_ip = shift;
 
  my @allowed_ips = ('187.x.x.x', '17.x.x.x');
 
  if ( !$remote_ip ) {
    Carp::confess("I am missing the users remote ip.  Security Policy requires exec termination.");
  }
 
  return $priority if !grep(/$remote_ip$/, @allowed_ips);
 
  return 0;
 
}
 
1;

Save the code to /usr/local/cpanel/Cpanel/SecurityPolicy/RestrictRoot.pm and activate the module on WHM.

• Mapeamento De Bancos De Dados: os bancos de dados criados seguiam o padrão conta_nomedobanco; agora é possível especificar somente o banco, por exemplo, e também especificar em qual servidor a base de dados está
• É possível fugir do trio RoundCube, Horde IMP e Squirrelmail e usar um webmail alternativo
• Uso de senhas com MD5 (ao invés de crypt) está disponível, o que melhora a segurança até certo ponto
• Tokens de segurança estão habilitados na instalação padrão
• Otimização do script pkgacct
• Restauração de contas através da API
• Security Policies
• Novo caminho dos scripts: /scripts -> /usr/local/cpanel/scripts
• LTS (long term support) + EOL (end of life)
• /etc/cpanelsync.exclude: lista dos arquivos que não precisam de atualização (like immutable files)
• /etc/cpanelsync.no_chmod: arquivos contidos aqui não terão suas permissões modificadas
• MySQL VIEWS & TRIGGERS disponíveis no cPanel – se, e somente se, a versão do MySQL for superior ou igual a 5.1

O comando vzcpucheck nos dá o total de unidades de CPU disponíveis no nó e também o uso corrente destas unidades. Por exemplo, o poder total do nó pode ser igual a 1991330 (Intel Xeon E5620) e possuirmos cinco containers com 1000 cpuunits. Aqui a saída do vzcpucheck nos mostraria o uso de 5000 cpuunits. Cada container possui mil unidades de CPU garantidas, e o restante das unidades (1986330) será distribuído pelos containers, e até onde vi quem chega primeiro é beneficiado, ou seja, se o container 102 está no talo é possível que permaneça. Para limitar é preciso utilizar o cpulimit.

Ainda com o container 102, podemos garantir 20% das unidades de CPU (cpuunits igual a 398266), mas não queremos que este container utilize mais que 25% do processamento total, ex:

# vzctl set 102 –cpuunits 398266 –cpulimit 25 –save

Por último, é bom lembrar de ajustar os valores de ve0cpuunits. Com memória e também com processamento como limites não temos mais problema, certo? Outros dois fatores que serão vistos em breve são: I/O e velocidade de link.

So to prevent email spoofing and send email only as authenticated user add the following to your Exim’s check_recipient ACL:

1
2
3
4

  deny
    message = "Incorrect from address <${sender_address}>. Please use <${authenticated_id}> instead"
    authenticated = *
    ! condition = ${if match_address{${sender_address}}{$authenticated_id} }

http://happywebserver.com:2086/login/?user=MYUSER&pass=MYPASSWORD

Sadly it’s not secure and this way is used in many third party applications. The secure way to log into cPanel/WHM is using a valid session, without user or password in URL.Documentation about secure remote logins introduces us to another cPanel’s module – LogMeIn – and this module returns a URL that you can just click to log into a valid session. We can reproduce the same behavior with cURL and say “goodbye” to insecure accesses:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

<?php
 
$url  = "https://happywebserver.com:2087/login/";
$user = "";
$pass = "";
 
$post_args = "user=$user&pass=$pass&goto_uri=%2F";
 
$ch = curl_init();
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_args);
 
$result = preg_match('/^Set-Cookie: whostmgrsession=(.*?);/m', curl_exec($ch), $whm_session);
 
curl_close($ch);
 
$session = $whm_session[1];
 
if ($result){
  $whm_url = "$url?session=$session";
  header("Location: $whm_url");
} else {
  // do nothing
}
 
?>