cPanel & WHM Two-Factor Authentication

We’re excited to announce that two-factor authentication (2FA) is now available for all of our cPanel and WHM users! Two-factor authentication adds an additional layer of security to your logins by requiring a security code in addition to your username and password to log in. This security code is provided by an application on your mobile device once it has been set up on your account.

WHM users can find the “Two-Factor Authentication” link on the left menu under the “Security Center” as seen below.

On this page you can go to the “Manage Users” tab to view and modify any cPanel users under your reseller account that have 2FA enabled. You can also go to the “Manage My Account” tab to set up 2FA on your own WHM account.

Happy Halloween & Web Hosting Nightmares

We’ve finally made it to the last day of October and we all know what that means, Happy Halloween! Given the timing I thought it would be appropriate to discuss something scary that was discovered earlier this month…

The so eloquently named “Dirty COW” (copy-on-write) vulnerability that came to light a couple of weeks ago is what nightmares are made of when you’re a web host. This vulnerability (CVE-2016-5195) had been lurking in the Linux kernel since 2007 until it was publicized and patched earlier this month. All of our servers were patched within hours of this discovery thanks to CloudLinux’s KernelCare which allows us to apply such hotfixes without rebooting.

Behind the Scenes: Server / PHP Upgrades & cPanel 58

It has been a little while since our last “Behind the Scenes” post so here’s another quick update of what’s been happening here at Dathorn. First, we are very happy to announce that we’ve completed the upgrade and migration of all of our hosting servers. Every single client is now on a server utilizing our latest hardware and software packages. This includes items like MariaDB, PHP Selector and, of course, pure SSD RAID 10 storage. The only mechanical drives that we’re using now are solely for backup storage and eventually these will be phased out as SSD capacity continues to grow.

Since all of our servers are now utilizing CloudLinux’s PHP Selector, we no longer have to perform scripted rebuilds of PHP and related dependencies as they are updated. As such, we will no longer be announcing these minor updates on our forums since they really don’t have any impact for our clients to be concerned about. You can always keep an eye on “Alt-PHP” updates on the CloudLinux blog if these items interest you.

Earlier this month we completed the deployment of cPanel version 58 across all of our servers. Most visible among the updates would be the changes made to Paper Lantern which you may have already noticed. There were, however, a number of system changes that aren’t so visible. One that you should be aware of is that the “Trash” folder on email accounts is now included in the email account’s disk usage. Believe it or not, this wasn’t the case before and it just didn’t make much sense. This often created confusion because email accounts would be reported as using far less disk space than they actually were. While this doesn’t change the cPanel account’s disk usage at all, it does allow email disk usage to be more accurately reported and managed, which is long overdue.

Going forward through October, we do still have some internal services that we need to migrate to new servers, such as our primary name server (ns1) and some backup servers. This is necessary as we approach the end of life for RHEL 5 / CentOS 5. We’ll be taking this opportunity to replace some older Adaptec RAID controllers with newer LSI ones as well. This maintenance won’t have any impact on clients but I did want to provide some insight on what we have planned here. That’s all for now, we hope you’re enjoying the cooler Fall weather as we are!

cPanel 58 Paper Lantern

The Paper Lantern cPanel theme has been around for quite a while now and the biggest complaint that we and our clients have had with it is that the account’s usage details aren’t immediately visible upon logging in as seen below.

Important usage details can easily be overlooked since it’s no longer the first thing that you see. You have to select the “Statistics” or “Dashboard” tab to view any of this information. Oftentimes clients log in only for the purpose of viewing this information, thus adding unnecessary steps. Some clients opted to switch to the “Retro” Paper Lantern style to address this.

Finally, in cPanel 58, the developers have addressed this by reverting to the prior statistics bar view, similar to what was present in the old X3 theme. The only real difference is that this information is now displayed along the right side instead of the left.

Feature Spotlight – PHP Selector

As we get close to completing all of our server upgrades, I wanted to go ahead and quickly highlight a feature that is available on the new servers. We’ve permitted clients to change the version of PHP that their site uses for many years now but this has always required a modification to the domain’s .htaccess file. Although this wasn’t particularly difficult, it has been simplified even further with the inclusion of PHP Selector. PHP Selector is a CloudLinux component that sits on top of CageFS and allows each cPanel user to select their desired PHP version.

Once you’ve logged into cPanel you’ll find the “Select PHP Version” option under the “Software” menu group as shown below.

Reminder: Password Security

As you may have heard, the full database from LinkedIn’s 2012 compromise was posted last month, resulting in more than 150 million additional user logins having been publicized. In light of all these login credentials being leaked from LinkedIn and other services, I wanted to (again) remind everyone of the importance of maintaining secure passwords and also provide some good general guidelines to follow.

Unique Passwords

Never re-use passwords for any reason. Every login that you set up must use an entirely unique password; otherwise a compromise of one service compromises your logins for other services. This is becoming more of an issue as these incidents continue to occur. The last thing you want is for an online community compromise to result in the compromise of your email or bank logins.

Limit Access

Do not share your login information with others if it can be avoided. Doing so increases the risk of a compromise significantly since you have no control over how or where that login might be used. If you must provide your login information to a 3rd party you should set a temporary password and then reset it once the 3rd party no longer needs access.

Behind the Scenes: Billing Migration & ImageTragick

We have successfully completed the migration of all clients from our old billing system (Ubersmith) to our new one that is integrated within our existing portal. For some of you, tomorrow will be the first time you’ll experience the new system when your service renews. We would love to hear any feedback you might have!

Being able to integrate our billing into our existing support mechanisms has been a tremendous help in simplifying processes both for us and our clients. We look forward to growing the available feature set going forward, including the ability for you to manage hosting plan changes without our intervention.

Earlier this month you may have heard of a new vulnerability in ImageMagick named “ImageTragick”. ImageMagick is a software suite used to create or edit many different types of images. One of the most common use cases involves their “convert” utility which is used to convert images from one type to another and resize them. cPanel, for instance, uses it as do a number of image gallery related scripts, shopping carts, etc. Because of this, the potential impact of ImageTragick was quite high.

Although it is fairly trivial to create a policy file or simply update ImageMagick to address the issues, care had to be taken to make sure all instances of ImageMagick were addressed. In many cases, our servers had two or three different versions of ImageMagick that needed to be taken care of. It’s not uncommon for it to be installed on the server as a general package in addition to the versions that both cPanel and CloudLinux provide. As always, you can rest assured that we’ve taken all possible steps to address these new attack vectors and will continue to monitor for further issues going forward.
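The "all instances" problem described above can be checked mechanically. This is an added example, not code from the original post or from cPanel or CloudLinux: it audits several policy.xml files for the coder restrictions recommended in the public ImageTragick advisory. The coder list comes from that advisory rather than from this page, and the install labels and sample policies are constructed.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Coders named in the public ImageTragick advisory (not listed on this page).
RISKY_CODERS = ("EPHEMERAL", "HTTPS", "MSL", "MVG", "URL")

def unblocked_coders(policy_xml):
    """Return the risky coders that this policy.xml text leaves enabled."""
    blocked = set()
    for policy in ET.fromstring(policy_xml).iter("policy"):
        if policy.get("domain") != "coder" or policy.get("rights") != "none":
            continue
        pattern = policy.get("pattern", "")
        # Patterns are globs; compare case-sensitively so a lower-case entry
        # is reported for review instead of being assumed effective.
        blocked.update(c for c in RISKY_CODERS if fnmatchcase(c, pattern))
    return [c for c in RISKY_CODERS if c not in blocked]

def audit(policies):
    """Map each install label to the coders its policy still allows."""
    return {label: unblocked_coders(text) for label, text in policies.items()}

def make_policy(*patterns):
    """Build a minimal policy.xml body that disables the given coder patterns."""
    rows = "".join(
        f'<policy domain="coder" rights="none" pattern="{p}"/>' for p in patterns
    )
    return f"<policymap>{rows}</policymap>"

# Constructed sample: three installs on one server, with hypothetical labels.
SAMPLE_POLICIES = {
    "system-package": make_policy("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"),
    "cpanel-bundled": make_policy("MVG", "MSL"),      # only partly mitigated
    "cloudlinux-alt": "<policymap></policymap>",      # default, nothing blocked
}

if __name__ == "__main__":
    for label, remaining in audit(SAMPLE_POLICIES).items():
        print(label, "OK" if not remaining else f"still enabled: {remaining}")
```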

cPanel 56 & 58

The cPanel development cycle is constantly bringing us new features and changes that are often only visible to server administrators. Over the next couple of versions, though, there will be a couple of new features that you should be aware of as an end user. cPanel 56 was just pushed to the “Release” tier so in a few weeks it should be pushed to the “Stable” tier and shortly thereafter installed on all of our servers. Version 56 will include a utility for automating the process of converting an addon domain to its own cPanel account.

Behind the Scenes: SRS, Billing Migration & Server Upgrades

The Sender Policy Framework (SPF) is a great tool to help validate email senders and detect email spoofing. We recommend that all domains have a proper SPF record configured for this reason. However, SPF has long caused problems with forwarders; this is no longer an issue. As of cPanel 54, which was installed on all servers earlier this month, Sender Rewriting Scheme (SRS) is fully supported out of the box. Previously some forwarded emails would get rejected by the destination mail server due to the SPF check failing. SRS now automatically rewrites the envelope sender such that forwarded emails will still pass SPF checks. You don’t need to do anything to activate SRS; it was enabled on all servers on March 9th.
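The envelope rewrite described above, as an added example that is not cPanel's or Exim's code: a simplified forwarder-side rewrite using the common SRS0 layout (hash, timestamp, original domain, original local part) and the matching reversal used for bounces. The secret, addresses, 4-character hash and 21-day validity window are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def stamp(day):
    """Encode a day counter (mod 1024) as two base32 characters."""
    d = day % 1024
    return B32[d >> 5] + B32[d & 31]

def tag(secret, ts, domain, local):
    """Short keyed hash so only this forwarder can mint valid SRS addresses."""
    msg = (ts + domain + local).lower().encode()
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]

def forward_rewrite(sender, forwarder_domain, secret, day):
    """Rewrite the envelope sender so it belongs to the forwarder's domain."""
    local, domain = sender.rsplit("@", 1)
    ts = stamp(day)
    return f"SRS0={tag(secret, ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"

def reverse_rewrite(srs_addr, secret, day, max_age=21):
    """Recover the original sender for a bounce; reject forged or stale addresses."""
    local_part = srs_addr.rsplit("@", 1)[0]
    fields = local_part.split("=", 4)
    if len(fields) != 5 or fields[0].upper() != "SRS0":
        raise ValueError("not an SRS0 address")
    _, seen, ts, domain, local = fields
    expected = tag(secret, ts, domain, local)
    if not hmac.compare_digest(seen.encode(), expected.encode()):
        raise ValueError("hash mismatch")
    issued = B32.index(ts[0]) * 32 + B32.index(ts[1])
    if (day - issued) % 1024 > max_age:
        raise ValueError("address expired")
    return f"{local}@{domain}"

def spf_checked_domain(envelope_sender):
    """SPF is evaluated against the domain of the envelope sender."""
    return envelope_sender.rsplit("@", 1)[1]

if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed value
    rewritten = forward_rewrite("alice@example.org", "forwarder.example", secret, 17000)
    print(rewritten, "-> SPF checks", spf_checked_domain(rewritten))
    print(reverse_rewrite(rewritten, secret, 17005))
```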

Last week another batch of clients was migrated to our new billing system that is built into our existing portal. The response has been overwhelmingly positive as it eliminates a lot of unnecessary confusion with having a separate billing system. We hope to have all of our clients migrated within the next month or two and appreciate any feedback you might have.

Lastly, we will be resuming our server upgrades in the upcoming month (April). These took a backseat while we finished up our billing system and continued evaluating the servers that had already been upgraded. Thus far we are very pleased with these upgrades and, like you, we can’t wait to have everything migrated to pure SSD environments. You’ll receive a notification when your server is scheduled to be upgraded if it hasn’t been already. We expect to have all remaining servers upgraded by the end of August.

Billing Migration

Over the next few months we will be migrating all clients to our new billing system that is now built into our existing portal. This will eliminate the need for you to log in to a separate billing system to view invoices, update your credit card information, etc. All of this will now be easily accessible from within our portal.

You will receive an email and ticket notification with further details once your account has been migrated. The first batch of migrations was completed yesterday and another batch will go out around the 21st of each month until every client has been migrated. We expect this to take approximately 4 months in total.

As part of this migration there are two important items to take note of:

  • Your credit card information will need to be re-entered. Your card information is currently, and will continue to be, stored in a very secure manner that cannot be retrieved. As such, it cannot be migrated automatically and you’ll need to log in to our portal to re-enter it once you receive a migration notification.
  • Texas residents will now pay sales tax as required. For the past several years we’ve been paying this out-of-pocket because our old billing system couldn’t properly accommodate this.

We greatly appreciate your cooperation and apologize for any inconvenience during this process. Ultimately this will be a vast improvement over our old, separate billing system. If you have any questions or concerns about this migration please submit a ticket via our portal and we’ll be happy to address them. We just wanted to post this quick update so that you would not be caught off guard or worried about phishing when the time comes for your account to be migrated.