Updated SPF Requirement

A couple years ago, we published a post on the proper configuration of SPF records when sending emails through our servers. Although not a default configuration, this is very important when you’re enforcing validation of SPF using “-all”. Due to some internal changes, the required entry has changed a little. Previously, you needed to add an A record for spf.gzo.com (+a:spf.gzo.com) and now you’ll need to simply include spf.gzo.com (+include:spf.gzo.com). A screenshot of this entered correctly in cPanel is shown below.

For those with DNS hosted by us, your SPF record has already been updated with this change. If you’re not hosting your DNS with us, the existing A record will continue to function normally in the short term, but please be sure to make the necessary change. If you have any questions or concerns, please submit a ticket and we’ll be happy to assist.
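The change described above, applied to an SPF TXT value, as an added example that is not code from the original post. The sample records are constructed, and the helper also moves the entry ahead of `all`, because SPF evaluation never reaches mechanisms listed after it.

```python
OLD, NEW = "a:spf.gzo.com", "include:spf.gzo.com"  # entries named in the post

def split_term(term):
    """Split an SPF term into (qualifier, lower-cased mechanism)."""
    qualifier = term[0] if term[0] in "+-~?" else ""
    return qualifier, term[len(qualifier):].lower()

def migrate_spf(record):
    """Return (status, record) for one SPF TXT value.

    status: "ok" (already correct), "updated" (old a: entry rewritten or a
    duplicate dropped) or "added" (no usable entry was present).
    """
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    out, seen_all, have_new, status = [], False, False, "ok"
    for term in terms[1:]:
        qualifier, mech = split_term(term)
        if mech in (OLD, NEW):
            if seen_all or have_new:
                status = "updated"  # unreachable after "all", or a duplicate
                continue
            if mech == OLD:
                status = "updated"
            have_new = True
            term = qualifier + NEW
        seen_all = seen_all or mech == "all"
        out.append(term)
    if not have_new:
        # Insert ahead of the first "all" so the include is actually evaluated.
        status = "added"
        where = next((i for i, t in enumerate(out)
                      if split_term(t)[1] == "all"), len(out))
        out.insert(where, "+" + NEW)
    return status, " ".join(["v=spf1"] + out)

# Constructed sample records (not taken from any real zone).
SAMPLES = [
    "v=spf1 +a +mx +a:spf.gzo.com -all",
    "v=spf1 +a +mx +include:spf.gzo.com -all",
    '"v=spf1 mx -all include:spf.gzo.com"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(migrate_spf(sample))
```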

Behind the Scenes: Security Patches & Private Network Updates

It has been a little while since we posted an update on what we’re working on behind the scenes here at Dathorn, so I wanted to take a quick moment to share. While it is easy to notice new features or see us working on your helpdesk tickets, much of our work goes completely unnoticed. That is, after all, our goal. We try to perform all updates, maintenance, etc. without any impact to your service.

While software patches and security updates are an ongoing battle, there have been a few noteworthy items as of late. You may have already heard about “Stack Clash”, a local privilege escalation vulnerability present in most Linux and BSD systems. Fortunately, we were able to quickly protect our servers against this without any service interruption, thanks to KernelCare. Traditionally, such kernel updates would require a reboot of each server but that has long been a thing of the past for us.

A few security issues have also been addressed in OpenVPN, including a remote code execution vulnerability. While serious, all of our instances were patched immediately and the severity of this particular issue for us was much lower since we only use OpenVPN internally for accessing certain private resources, such as IPMI on our servers. This had a much greater impact on VPN providers.

Adding Office 365 DNS Records via WHM or cPanel

Office 365 has quickly become a popular option for clients requiring Exchange hosted email. As a result, we frequently see tickets seeking help with setting up the required DNS records. Even if you’re familiar with editing DNS zones, the required SRV records may throw you off.

Microsoft does provide a general guide for all of the necessary DNS records here but it doesn’t specifically address adding them via WHM or cPanel. If you have WHM access, using the “Edit DNS Zone” link under “DNS Functions” on the left menu will be the easiest option. From there you can add the necessary records at the bottom of the page. You will have to do this in batches since there aren’t enough fields to add all of the records in at once. Once you’re done, the added records should look like this:

You’ll notice we’re using “dathornexample.com” as the domain there. Your own records will instead use your own domain. The “msXXXXXXXX” value is provided by Microsoft to verify your domain; yours will have numbers instead of the placeholder X’s. When editing DNS records via WHM, you should always put quotes around TXT values, as can be seen in the SPF record above. You’ll notice the other “MS=” TXT record doesn’t have quotes shown. That’s because they were automatically removed since they were not needed in that case. With WHM, you’re best off putting quotes around the TXT values and letting WHM decide what to do.

Official cPanel iOS App

Back in January, cPanel released their official iOS app and have released a few updates since then. In its current form it is still rather basic but it can be useful nonetheless. Upon running the app for the first time you’re prompted to enter server and login information for cPanel, WHM or Webmail.

You’ll notice the ability to enable TouchID. This is particularly handy because you don’t have to re-enter your login information; you can simply use TouchID to authenticate, just as many other apps already do. Unfortunately, that’s pretty much the extent of this app. When you connect to WHM you’ll see the standard web interface, which is not mobile friendly.

Important Linux Kernel & WordPress 4.7 Updates

A rather serious Linux kernel vulnerability (CVE-2017-6074) was publicized on Wednesday (2/22). This vulnerability has been present since 2006 so it affects a large number of systems and distributions, many of which are no longer maintained. Thanks to KernelCare, our servers were all patched within a few hours of this having been published without any service impact.

If you use or manage any other Linux systems, hosting related or otherwise, you should make sure that they have been patched as well. This vulnerability could ultimately result in a local user compromising the entire system. Likewise, if you’re using devices or operating systems that aren’t being maintained and thus won’t be patched at all, now would be a good time to upgrade.

While on the topic of security updates, I do also want to mention the critical WordPress 4.7.2 update that was released about a month ago. If you are running WordPress 4.7 and have somehow managed to not upgrade to 4.7.2 by now, you should do so immediately.

As always, we will continue to stay on top of these security updates, keeping you safe and informed.

Behind the Scenes: CentOS 5, LVE Stats 2, PHP 7.1 & EA 4

There’s been a lot happening here under the radar over the past month, so this gives us a great opportunity to post another of our “Behind the Scenes” updates. To start, we completed migration of all remaining CentOS 5 servers due to its end of life date, March 31st, quickly approaching. One of these servers was our primary DNS server (ns1) which was seamlessly migrated to a new CentOS 7 server without any service interruption.

CloudLinux’s LVE Stats 2 made its way out in a stable release, completely overhauling how system resource usage data is recorded on our servers. CPU and RAM usage is now recorded with much greater precision but perhaps most important is the new snapshot functionality. Now, when a CPU or RAM usage fault occurs, a snapshot of the account’s running processes is recorded. This allows you to go back and see what was running when a fault occurred, which is very helpful in identifying what caused it. Previously, no such information was available unless you actively witnessed the fault occurring.

PHP 7.1 was officially released and shortly thereafter available on all of our servers via CloudLinux’s PHP Selector. Our servers now offer PHP versions 5.4, 5.5, 5.6, 7.0 and 7.1. Version 5.6 is the default on new cPanel accounts and this can easily be changed via the “Select PHP Version” link in cPanel.

Critical PHPMailer & SwiftMailer Security Updates

Although the PHPMailer vulnerability was posted to our Script Security Forum a couple days ago, the widespread and critical nature of these warrants a post here as well. PHPMailer and SwiftMailer are both libraries used for sending emails. A very large number of scripts use one of these two libraries, including WordPress, Drupal, SugarCRM, Joomla and many others. Both libraries contain similar remote code execution vulnerabilities that can be exploited under certain circumstances.

It is very important that you make sure all instances of these libraries are updated. This will, unfortunately, be difficult to pinpoint in some cases since many plugins also include these libraries. Every core script, plugin and theme that you use should be investigated to determine whether or not these libraries are included and require updating.

All instances of PHPMailer must be updated to 5.2.21 or higher, which can be downloaded here.

All instances of SwiftMailer must be updated to 5.4.5 or higher, which can be downloaded here.
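One way to find bundled copies below the versions stated above, as an added example that is not code from the original post. It assumes PHPMailer 5.x records its version as `$Version` in `class.phpmailer.php` and SwiftMailer 5.x in a `VERSION` file reading `Swift-x.y.z`; copies that keep their version elsewhere are not detected, and the sample tree is constructed.

```python
import os
import re
import tempfile

# Minimum safe versions stated in the post.
MINIMUM = {"PHPMailer": (5, 2, 21), "SwiftMailer": (5, 4, 5)}
# Assumed version markers (see the lead-in); file name -> (library, pattern).
RULES = {
    "class.phpmailer.php": ("PHPMailer",
                            re.compile(r"\$Version\s*=\s*['\"](\d+(?:\.\d+)+)")),
    "VERSION": ("SwiftMailer", re.compile(r"^Swift-(\d+(?:\.\d+)+)")),
}

def scan(root):
    """Return sorted (relative path, library, version, outdated) tuples."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in RULES:
                continue
            library, pattern = RULES[name]
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                match = pattern.search(fh.read(65536))
            if match:
                version = tuple(int(p) for p in match.group(1).split("."))
                found.append((os.path.relpath(path, root), library,
                              match.group(1), version < MINIMUM[library]))
    return sorted(found)

def build_sample_tree(root):
    """Constructed WordPress-like tree; plugin names and versions are made up."""
    samples = {
        "wp-includes/class.phpmailer.php": "<?php public $Version = '5.2.21';",
        "wp-content/plugins/old-form/lib/class.phpmailer.php":
            "<?php public $Version = '5.2.9';",
        "vendor/swiftmailer/swiftmailer/VERSION": "Swift-5.4.1\n",
        "vendor/other/VERSION": "2.0.0\n",  # unrelated file, must be ignored
    }
    for rel, text in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for row in scan(tmp):
            print(row)
```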

This would also be a good time to examine your plugins and themes to make sure they are all being actively maintained. As a general rule, if they haven’t received any updates within 6 months you should be concerned. If they haven’t received any updates within the past year, they probably shouldn’t be used at all.

The ongoing use of abandoned projects is one of the bigger risks facing websites like those powered by WordPress. While such a plugin may appear to be all good and up-to-date from within the WordPress admin panel, the developers may not have touched it in years and the project page may no longer even exist. As such, a regular audit of these is a very good idea and in general you should stick to more popular options when possible.

If you run into any issues with updating or have any questions please feel free to post a comment here, post on our forums or submit a ticket via our portal.

cPanel & WHM Two-Factor Authentication

We’re excited to announce that two-factor authentication (2FA) is now available for all of our cPanel and WHM users! Two-factor authentication adds an additional layer of security to your logins by requiring a security code in addition to your username and password to log in. This security code is provided by an application on your mobile device once it is set up on your account.

WHM users can find the “Two-Factor Authentication” link on the left menu under the “Security Center” as seen below.

On this page you can go to the “Manage Users” tab to view and modify any cPanel users under your reseller account that have 2FA enabled. You can also go to the “Manage My Account” tab to set up 2FA on your own WHM account.

Happy Halloween & Web Hosting Nightmares

We’ve finally made it to the last day of October and we all know what that means, Happy Halloween! Given the timing I thought it would be appropriate to discuss something scary that was discovered earlier this month…

The so eloquently named “Dirty COW” (copy-on-write) vulnerability that came to light a couple of weeks ago is what nightmares are made of when you’re a web host. This vulnerability (CVE-2016-5195) had been lurking in the Linux kernel since 2007 until it was publicized and patched earlier this month. All of our servers were patched within hours of this discovery thanks to CloudLinux’s KernelCare which allows us to apply such hotfixes without rebooting.

Behind the Scenes: Server / PHP Upgrades & cPanel 58

It has been a little while since our last “Behind the Scenes” post so here’s another quick update of what’s been happening here at Dathorn. First, we are very happy to announce that we’ve completed the upgrade and migration of all of our hosting servers. Every single client is now on a server utilizing our latest hardware and software packages. This includes items like MariaDB, PHP Selector and, of course, pure SSD RAID 10 storage. The only mechanical drives that we’re using now are solely for backup storage and eventually these will be phased out as SSD capacity continues to grow.

Since all of our servers are now utilizing CloudLinux’s PHP Selector, we no longer have to perform scripted rebuilds of PHP and related dependencies as they are updated. As such, we will no longer be announcing these minor updates on our forums since they really don’t have any impact for our clients to be concerned about. You can always keep an eye on “Alt-PHP” updates on the CloudLinux blog if these items interest you.

Earlier this month we completed the deployment of cPanel version 58 across all of our servers. Most visible among the updates would be the changes made to Paper Lantern which you may have already noticed. There were, however, a number of system changes that aren’t so visible. One that you should be aware of is that the “Trash” folder on email accounts is now included in the email account’s disk usage. Believe it or not, this wasn’t the case before and it just didn’t make much sense. This often created confusion because email accounts would be reported as using far less disk space than they actually were. While this doesn’t change the cPanel account’s disk usage at all, it does allow email disk usage to be more accurately reported and managed, which is long overdue.

Going forward through October, we do still have some internal services that we need to migrate to new servers, such as our primary name server (ns1) and some backup servers. This is necessary as we approach the end of life for RHEL 5 / CentOS 5. We’ll be taking this opportunity to replace some older Adaptec RAID controllers with newer LSI ones as well. This maintenance won’t have any impact on clients but I did want to provide some insight on what we have planned here. That’s all for now, we hope you’re enjoying the cooler Fall weather as we are!