WyoRock

/var/cpanel/users/username cpanel user file
/var/cpanel/resellers For addpkg, etc permissions for resellers.
/var/run/chkservd Main >> Server Status >> Service Status
/etc/chkserv.d Main >> Service Configuration >> Service Manager
/var/log/dcpumon top log process
/root/cpanel3-skel skel directory. Eg: public_ftp, public_html. (Account Functions–>Skeleton Directory )
/etc/wwwacct.conf account creation defaults file in WHM (Basic cPanel/WHM Setup)
/etc/cpupdate.conf Update Config
/etc/ips – ip addresses on the server (except the shared ip) (IP Functions–>Show IP Address Usage )
/etc/ipaddrpool IP Addresses which are free
/etc/ips.dnsmaster name server ips
/var/cpanel/Counters To get the counter of each users.
/var/cpanel/bandwidth To get bandwith usage of domains
/var/cpanel/bandwidth : rrd files of domains
/var/cpanel/username.accts : reseller accounts are listed in this files
/var/cpanel/packages : hosting packages are listed here
/var/cpanel/root.accts : root owned domains are listed here
/var/cpanel/suspended : suspended accounts are listed here
/var/cpanel/users/ : cpanel user file – theme, bwlimit, addon, parked, sub-domains all are listed in this files
/var/cpanel/zonetemplates/ : dns zone template files are taken from here

---------------------------------------------

WordPress Installations/Versions:

find /home/*/public_html/ -type f -iwholename "*/wp-includes/version.php" -exec grep -H "\$wp_version =" {} \;

Joomla! Installations/Versions:

find /home/*/public_html/ -type f $ -iwholename '*/libraries/joomla/version.php' -o -iwholename '*/libraries/cms/version.php' -o -iwholename '*/libraries/cms/version/version.php' $ -print0 -exec perl -e 'while (<>) { $release = $1 if m/ \$RELEASE\s+= .([\d.]+).;/; $dev = $1 if m/ \$DEV_LEVEL\s+= .(\d+).;/; } print qq( = $release.$dev\n);' {} \;

Drupal Installations/Versions:

find /home/*/public_html/ -type f -iwholename "*/modules/system/system.info" -exec grep -H "version = \"" {} \;

cPanel Ports:

	cPanel	2082
	cPanel - SSL	2083
	WHM	2086
	WHM - SSL	2087
	Webmail	2095
	Webmail - SSL	2096

---------------------------------------------

CSF - ConfigServer Security & Firewall

LFD - Login Failure Daemon

/var/log/secure
/etc/csf/csf.allow
/etc/csf/csf.deny

If CSF/LFD is blocking your IP you should see it in
/var/log/lfd.log

---------------------------------------------

iptables (command line)

.....
iptables -L -n
iptables -L -n --line-number
iptables -L -n | grep :3306
iptables -L -n | grep :443
iptables -L -n | grep 199.190.154.2
.....
Open Port:
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3306 -j ACCEPT
service iptables save
server iptables restart

.....
Block port:
iptables -A INPUT -p tcp --dport 3306 -j DROP
iptables -A OUTPUT -p tcp --dport 3306 -j DROP
service iptables save
.....
Block IP Address:
iptables -A INPUT -s xx.xx.xx.xx -j DROP
service iptables save
.....
Block a particular PORT for a particular IP:
iptables -A INPUT -s xx.xx.xx.xx -p tcp --destination-port 25 -j DROP
service iptables save
.....
Unblock IP address from block-list:
iptables -D INPUT -s xx.xxx.xx.xx -j DROP
service iptables save
.....
Allow IP address:
iptables -A INPUT -s xx.xxx.xx.xx -j ACCEPT
service iptables save
.....

---------------------------------------------

cPanel Log Files

---------------------------------------------

/var/log/messages (logins, FTP attempts, system messages, uploads, downloads)

/var/log/secure

grep 'input_userauth_request' /var/log/secure

cat /var/log/secure | grep 'refused connect'

cat /var/log/secure | grep '208.74.12'

/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/login_log

Apache error log (PHP errors go here when turned on):
/usr/local/apache/logs/error_log

---------------------------------------------

Access logs and user actions (all traffic to WHM, cPanel, and webmail over http)	/usr/local/cpanel/logs/access_log

Account transfers and misc. logs	/var/cpanel/logs
Auditing log (account creations, deletions, etc)	/var/cpanel/accounting.log
Backup logs	/usr/local/cpanel/logs/cpbackup
Brute force protection (cphulkd) log	/usr/local/cpanel/logs/cphulkd.log
Cpanel dnsadmin dns clustering daemon	/usr/local/cpanel/logs/dnsadmin_log
Cpanel taskqueue processing daemon	/usr/local/cpanel/logs/queueprocd.log
DBmapping	/usr/local/cpanel/logs/setupdbmap_log
EasyApache build logs	/usr/local/cpanel/logs/easy/apache/
Error log	/usr/local/cpanel/logs/error_log
Installation log	/var/log/cpanel
License updates and errors	/usr/local/cpanel/logs/license_log
Locale database modifications	/usr/local/cpanel/logs/build_locale_database_log
Login errors (CPSRVD)	/usr/local/cpanel/logs/login_log
Horde	/var/cpanel/horde/log/
Notification Templates	/usr/local/cpanel/etc/icontact_templates/
RoundCube	/var/cpanel/roundcube/log/
SquirrelMail	/var/cpanel/squirrelmail/
Panic log	/usr/local/cpanel/logs/panic_log
Per account bandwidth history (Cached)	/var/cpanel/bandwidth.cache/{USERNAME}
Per account bandwidth history (Human Readable)	/var/cpanel/bandwidth/{USERNAME}
Service status logs	/var/log/chkservd.log
Tailwatch driver tailwatchd log	/usr/local/cpanel/logs/tailwatch_log
Update analysis reporting	/usr/local/cpanel/logs/updated_analysis/{TIMESTAMP}.log
Update (UPCP) log	/var/cpanel/updatelogs/updated.{TIMESTAMP}.log
WebDisk (CPDAVD)	/usr/local/cpanel/logs/cpdavd_error_log
Website statistics log	/usr/local/cpanel/logs/stats_log

cPanel access log

Access logs and user actions	/usr/local/cpanel/logs/access_log

cPanel apache log

Apache restarts done through cPanel and WHM	/usr/local/cpanel/logs/safeapacherestart_log

Domain access logs	/usr/local/apache/domlogs/<username>/<domain name> /home/<username>/access-logs/ --> /usr/local/apache/domlogs/<username>

Processing of log splitting	/usr/local/cpanel/logs/splitlogs_log
suPHP audit log	/usr/local/apache/logs/suphp_log
Web server and CGI application error log	/usr/local/apache/logs/error_log
all http requests	/usr/local/apache/logs/access_log

*************************************************************

GET LOGIN ATTEMPTS:

cat /var/log/secure

FAILED LOGIN ATTAMPTS TO cPanel/WHM:
/usr/local/cpanel/logs/login_log

ACCESS LOGS:
/home/<username>/access-logs/ --> /usr/local/apache/domlogs/<username>
/usr/local/apache/domlogs/<username>/<domain name>

/usr/local/apache/domlogs/michaelt/blog.wyorock.com
/usr/local/apache/domlogs/wyorock/wyorock.com
grep index.php /usr/local/apache/domlogs/wyorock/wyorock.com
grep 199.190.154.2 /usr/local/apache/domlogs/wyorock/wyorock.com | tail

COUNT HITS ON WORDPRESS wp-login.php:
cat /usr/local/apache/domlogs/michaelt/blog.wyorock.com | grep "wp-login.php" | wc -l
cat /usr/local/apache/domlogs/michaelt/blog.wyorock.com | grep "POST .*wp-login.php" | wc -l

GET COUNT OF HITS ON WORDPRESS wp-login.php BY IP AND MAIL RESULTS:
egrep "POST .*wp-login.php" /usr/local/apache/domlogs/michaelt/blog.wyorock.com | awk '{print $1,$4,$5,$6,$7,substr($0, index($0,$12))}' | awk '{print $1}' | sort -n | uniq -c | sort -n | sed 's/[ ]*//' | mail -s "Report" michael@wyoming.com

*************************************************************

MySQL log

MySQL error log	/var/lib/mysql/{SERVER_NAME}.err
MySQL slow query log (if enabled in my.cnf)	/var/log/slowqueries