cPanel
 
Handy sites for server management:
 
 
 
 
 
 
 
 
 
 
---------------------------------------------
cPanel Log File Locations:
 
 
cPanel Basic Troubleshooting:
 
---------------------------------------------
Error Logs
/usr/local/cpanel/logs/error_log
/usr/local/apache/logs/error_log 
tail -500 /usr/local/apache/logs/error_log
 
--------------------------------------------- 
 
cPanel Config File
/var/cpanel/cpanel.config 
 
cPanel Updates:
/var/cpanel/updatelogs/
 
Restart cPanel:
/etc/init.d/cpanel restart
 
Update cPanel:
/scripts/upcp
/scripts/upcp --force
 
---------------------------------------------
To view the current @INC array paths, run:
perl -V 
 
---------------------------------------------
Plugins » ConfigServer Security & Firewall
/etc/csf/ 
 
Firewall Allow IPs
/etc/csf/csf.allow
 
Check CSF for an IP:
csf -g "116.31.116.23"
 
Check CSF Deny File for an IP:
grep "72.174.251.134" /etc/csf/csf.deny
grep "116.31.116.23" /etc/csf/csf.deny
 
Restart:
csf -r (Restart CSF) ---http://www.linuxbrigade.com/learn-the-csf-command-line-options/---
/etc/csf/csf.pl -r

perl /usr/local/csf/bin/csftest.pl 
 
---------------------------------------------
Login Failure Daemon 
/var/log/lfd.log
 

Check LFD log for an IP:
grep "216.67.172.242" /var/log/lfd.log
 
less /etc/csf/changelog.txt ---CSF was upgraded on 10/14/2015---
grep '^Oct 25 19:' /var/log/lfd.log
grep '72.174.251.134' /var/log/lfd.log
zgrep '^Oct 23 19:' /var/log/lfd.log-20151025.gz

grep '^\[2015-10-23 19' /usr/local/cpanel/logs/error_log
grep '^\[2015-10-23' /var/log/chkservd.log
grep 'Restarting lfd' /var/log/chkservd.log
 
/etc/init.d/lfd start
 
View SSH logins:
cat /var/log/secure
 
FAILED LOGIN ATTEMPTS TO cPanel/WHM:
tail -500 /usr/local/cpanel/logs/login_log
 
Account Access Logs:
ls -lah /home/michaelt/access-logs/
tail -500 /home/michaelt/access-logs/blog.wyorock.com
--------------------------------------------- 

 

 
Find Log Entries for a Day
grep '2015-10-23' /usr/local/cpanel/logs/error_log 
grep '^\[2015-10-23' /usr/local/cpanel/logs/error_log 


Security Center »Host Access Control
/etc/hosts.allow 
 
Apache
/etc/httpd/conf/httpd.conf or /usr/local/apache/conf/httpd.conf
 
RESTART APACHE: 
service httpd restart
/etc/init.d/httpd restart 
 
How many connections on port 80: netstat -an | grep :80 | wc -l
How many connections are in SYN_RECV state: netstat -an | grep :80 | grep -i syn | wc -l
How many times each IP is connecting: netstat -an | grep :80 | grep SYN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c
 

 

 
---------------------------------------------
 
 
Bind – The name server
Default Port : 53
Configuration file : named.conf
Path : /etc/named.conf
Service : named
DB location : /var/named 
 
FTP - proftp
Default Port : 20, 21
Configuration file : proftpd.conf
Path : /etc/proftpd.conf
Service : proftpd 
 
PHP
WHM: Service Configuration -> PHP Configuration Editor
/usr/local/lib/php.ini (php --ini : to find conf location) 
 
Find server's loaded PHP config file:
php -i | grep php.ini
 
Find all php.ini files:
find / -name php.ini 
 
Networking Setup
/etc/sysconfig/network
/etc/hosts - Host entries
/etc/resolv.conf - Resolver Configuration
/etc/nameserverips - Nameserver IPs 
 
 
Other config files:
 
/var/cpanel/users/username : cPanel user file
/var/cpanel/resellers : addpkg, etc. permissions for resellers
/var/run/chkservd : Main >> Server Status >> Service Status
/etc/chkserv.d : Main >> Service Configuration >> Service Manager
/var/log/dcpumon : top log process
/root/cpanel3-skel : skel directory, e.g. public_ftp, public_html (Account Functions–>Skeleton Directory)
/etc/wwwacct.conf : account creation defaults file in WHM (Basic cPanel/WHM Setup)
/etc/cpupdate.conf : update config
/etc/ips : IP addresses on the server, except the shared IP (IP Functions–>Show IP Address Usage)
/etc/ipaddrpool : IP addresses which are free
/etc/ips.dnsmaster : name server IPs
/var/cpanel/Counters : counters for each user
/var/cpanel/bandwidth : bandwidth usage of domains (rrd files of domains)
/var/cpanel/username.accts : reseller accounts are listed in this file
/var/cpanel/packages : hosting packages are listed here
/var/cpanel/root.accts : root owned domains are listed here
/var/cpanel/suspended : suspended accounts are listed here
/var/cpanel/users/ : cPanel user files (theme, bwlimit, addon, parked and sub-domains are all listed in these files)
/var/cpanel/zonetemplates/ : DNS zone template files are taken from here
 
 
--------------------------------------------- 
 
 
 
WordPress Installations/Versions:
find /home/*/public_html/ -type f -iwholename "*/wp-includes/version.php" -exec grep -H "\$wp_version =" {} \; 
 
Joomla! Installations/Versions:
find /home/*/public_html/ -type f \( -iwholename '*/libraries/joomla/version.php' -o -iwholename '*/libraries/cms/version.php' -o -iwholename '*/libraries/cms/version/version.php' \) -print0 -exec perl -e 'while (<>) { $release = $1 if m/ \$RELEASE\s+= .([\d.]+).;/; $dev = $1 if m/ \$DEV_LEVEL\s+= .(\d+).;/; } print qq( = $release.$dev\n);' {} \; 
 
Drupal Installations/Versions:
find /home/*/public_html/ -type f -iwholename "*/modules/system/system.info" -exec grep -H "version = \"" {} \; 
 
 
cPanel Ports:
  cPanel 2082
  cPanel - SSL 2083
  WHM 2086
  WHM - SSL 2087
  Webmail 2095
  Webmail - SSL 2096
 
 
---------------------------------------------
 
CSF - ConfigServer Security & Firewall
      LFD - Login Failure Daemon
 
/var/log/secure
/etc/csf/csf.allow
/etc/csf/csf.deny

If CSF/LFD is blocking your IP you should see it in
/var/log/lfd.log
---------------------------------------------
 
iptables (command line)
 
.....
iptables -L -n
iptables -L -n --line-number
iptables -L -n | grep :3306
iptables -L -n | grep :443
iptables -L -n | grep 199.190.154.2
.....
Open Port:
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3306 -j ACCEPT
service iptables save
service iptables restart
.....
Block port:
iptables -A INPUT -p tcp --dport 3306 -j DROP
iptables -A OUTPUT -p tcp --dport 3306 -j DROP
service iptables save
.....
Block IP Address:
iptables -A INPUT -s xx.xx.xx.xx -j DROP
service iptables save
.....
Block a particular PORT for a particular IP:
iptables -A INPUT -s xx.xx.xx.xx -p tcp --destination-port 25 -j DROP
service iptables save
.....
Unblock IP address from block-list:
iptables -D INPUT -s xx.xxx.xx.xx -j DROP
service iptables save
.....
Allow IP address:
iptables -A INPUT -s xx.xxx.xx.xx -j ACCEPT
service iptables save
.....
 
 
---------------------------------------------
 
cPanel Log Files
 
--------------------------------------------- 
 
 
/var/log/messages (logins, FTP attempts, system messages, uploads, downloads)
/var/log/secure
grep 'input_userauth_request' /var/log/secure 
cat /var/log/secure | grep 'refused connect'
cat /var/log/secure | grep '208.74.12' 
 
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/login_log 
 
Apache error log (PHP errors go here when turned on):
/usr/local/apache/logs/error_log 
 
---------------------------------------------
 
 
 
 
 
Access logs and user actions
(all traffic to WHM, cPanel, and webmail over http)
/usr/local/cpanel/logs/access_log
   
Account transfers and misc. logs /var/cpanel/logs
Auditing log (account creations, deletions, etc) /var/cpanel/accounting.log
Backup logs /usr/local/cpanel/logs/cpbackup
Brute force protection (cphulkd) log /usr/local/cpanel/logs/cphulkd.log
Cpanel dnsadmin dns clustering daemon /usr/local/cpanel/logs/dnsadmin_log
Cpanel taskqueue processing daemon /usr/local/cpanel/logs/queueprocd.log
DBmapping /usr/local/cpanel/logs/setupdbmap_log
EasyApache build logs /usr/local/cpanel/logs/easy/apache/
Error log /usr/local/cpanel/logs/error_log
Installation log /var/log/cpanel
License updates and errors /usr/local/cpanel/logs/license_log
Locale database modifications /usr/local/cpanel/logs/build_locale_database_log
Login errors (CPSRVD) /usr/local/cpanel/logs/login_log
Horde /var/cpanel/horde/log/
Notification Templates /usr/local/cpanel/etc/icontact_templates/
RoundCube /var/cpanel/roundcube/log/
SquirrelMail /var/cpanel/squirrelmail/
Panic log /usr/local/cpanel/logs/panic_log
Per account bandwidth history (Cached) /var/cpanel/bandwidth.cache/{USERNAME}
Per account bandwidth history (Human Readable) /var/cpanel/bandwidth/{USERNAME}
Service status logs /var/log/chkservd.log
Tailwatch driver tailwatchd log /usr/local/cpanel/logs/tailwatch_log
Update analysis reporting /usr/local/cpanel/logs/updated_analysis/{TIMESTAMP}.log
Update (UPCP) log /var/cpanel/updatelogs/updated.{TIMESTAMP}.log
WebDisk (CPDAVD) /usr/local/cpanel/logs/cpdavd_error_log
Website statistics log /usr/local/cpanel/logs/stats_log

 

cPanel access log
Access logs and user actions /usr/local/cpanel/logs/access_log

 

cPanel apache log
Apache restarts done through cPanel and WHM /usr/local/cpanel/logs/safeapacherestart_log
   
Domain access logs /usr/local/apache/domlogs/<username>/<domain name>
/home/<username>/access-logs/ --> /usr/local/apache/domlogs/<username>
   
Processing of log splitting /usr/local/cpanel/logs/splitlogs_log
suPHP audit log /usr/local/apache/logs/suphp_log
Web server and CGI application error log /usr/local/apache/logs/error_log
all http requests /usr/local/apache/logs/access_log
 
 
 
*************************************************************
************************************************************* 
 
GET LOGIN ATTEMPTS:
cat /var/log/secure 
 
FAILED LOGIN ATTEMPTS TO cPanel/WHM:
/usr/local/cpanel/logs/login_log 
 
ACCESS LOGS:
/home/<username>/access-logs/ --> /usr/local/apache/domlogs/<username>
/usr/local/apache/domlogs/<username>/<domain name>
/usr/local/apache/domlogs/michaelt/blog.wyorock.com
/usr/local/apache/domlogs/wyorock/wyorock.com
grep index.php /usr/local/apache/domlogs/wyorock/wyorock.com
grep 199.190.154.2 /usr/local/apache/domlogs/wyorock/wyorock.com | tail


COUNT HITS ON WORDPRESS wp-login.php:
cat /usr/local/apache/domlogs/michaelt/blog.wyorock.com | grep "wp-login.php" | wc -l
cat /usr/local/apache/domlogs/michaelt/blog.wyorock.com | grep "POST .*wp-login.php" | wc -l

GET COUNT OF HITS ON WORDPRESS wp-login.php BY IP AND MAIL RESULTS:
egrep "POST .*wp-login.php" /usr/local/apache/domlogs/michaelt/blog.wyorock.com | awk '{print $1,$4,$5,$6,$7,substr($0, index($0,$12))}' | awk '{print $1}' | sort -n | uniq -c | sort -n | sed 's/[ ]*//' | mail -s "Report" michael@wyoming.com
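
Added example (not part of the original notes): the per-IP wp-login.php count above, extended to show the first and last time each IP was seen and to list only IPs at or above a threshold, which are the ones worth checking with csf -g. The function names, the default threshold of 5 and the sample log lines are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: per-IP summary of POSTs to wp-login.php in an Apache
# combined-format domlog. Threshold and sample data are assumptions.

# wp_login_report LOGFILE [THRESHOLD]
# Prints "count ip first_seen last_seen" for every IP with at least
# THRESHOLD POST requests to wp-login.php, busiest first.
wp_login_report() {
    local logfile=$1 threshold=${2:-5}
    awk -v min="$threshold" '
        # $6 is the quoted method ("POST), $7 the request path
        $6 == "\"POST" && $7 ~ /\/wp-login\.php(\?|$)/ {
            ip = $1
            ts = substr($4, 2)            # strip the leading "["
            if (!(ip in hits)) first[ip] = ts
            last[ip] = ts
            hits[ip]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min)
                    print hits[ip], ip, first[ip], last[ip]
        }
    ' "$logfile" | sort -k1,1nr -k2,2
}

# Constructed sample log (documentation IP ranges, not real traffic).
make_sample_log() {
    local f i
    f=$(mktemp)
    for i in 1 2 3 4 5 6; do
        printf '203.0.113.7 - - [23/Oct/2015:19:0%d:00 -0600] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "Mozilla/5.0"\n' "$i"
    done > "$f"
    cat >> "$f" <<'EOF'
198.51.100.20 - - [23/Oct/2015:19:02:10 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [23/Oct/2015:19:02:15 -0600] "GET /wp-login.php HTTP/1.1" 200 3500 "-" "Mozilla/5.0"
192.0.2.44 - - [23/Oct/2015:19:03:00 -0600] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
EOF
    echo "$f"
}

log=$(make_sample_log)
wp_login_report "$log" 5
rm -f "$log"
```

Against a real domlog, call it as wp_login_report /usr/local/apache/domlogs/<username>/<domain name> 20 and pipe the output to mail the same way as the one-liner above.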
 
*************************************************************
************************************************************* 
 

MySQL log

MySQL error log /var/lib/mysql/{SERVER_NAME}.err
MySQL slow query log (if enabled in my.cnf) /var/log/slowqueries