SPF Record Syntax


SPF Record Syntax

The Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent sender address forgery.

“+” Pass
“-“ Fail
“~” SoftFail
“?” Neutral


“v=spf1 -all”If a mechanism results in a hit, its qualifier value is used. The default qualifier is “+“, i.e. “Pass”. For example:

"v=spf1 a -all"

"v=spf1 a mx -all"

"v=spf1 +a +mx -all"

Mechanisms are evaluated in order. If no mechanism or modifier matches, the default result is “Neutral”.

If a domain has no SPF record at all, the result is “None”. If a domain has a temporary error during DNS processing, you get the result “TempError” (called “error” in earlier drafts). If some kind of syntax or evaluation error occurs (eg. the domain specifies an unrecognized mechanism) the result is “PermError” (formerly “unknown”).

Evaluation of an SPF record can return any of these results:

Result Explanation Intended action
Pass The SPF record designates the host to be allowed to send accept
Fail The SPF record has designated the host as NOT being allowed to send reject
SoftFail The SPF record has designated the host as NOT being allowed to send but is in transition accept but mark
Neutral The SPF record specifies explicitly that nothing can be said about validity accept
None The domain does not have an SPF record or the SPF record does not evaluate to a result accept
PermError A permanent error has occured (eg. badly formatted SPF record) unspecified
TempError A transient error has occured accept or reject


The “ip4” mechanism


The argument to the “ip4:” mechanism is an IPv4 network range. If no prefix-length is given, /32 is assumed (singling out an individual host address).


“v=spf1 ip4: -all”

Allow any IP address between and networks



cPanel log locations


cPanel logs

Access logs and user actions                                     /usr/local/cpanel/logs/access_log
Account transfers and misc. logs                             /var/cpanel/logs
Auditing log (account creations, deletions, etc)  /var/cpanel/accounting.log
Backup logs                                                               /usr/local/cpanel/logs/cpbackup
Brute force protection (cphulkd) log /usr/local/cpanel/logs/cphulkd.log
Cpanel dnsadmin dns clustering daemon /usr/local/cpanel/logs/dnsadmin_log
Cpanel taskqueue processing daemon /usr/local/cpanel/logs/queueprocd.log
DBmapping /usr/local/cpanel/logs/setupdbmap_log
EasyApache build logs /usr/local/cpanel/logs/easy/apache/
Error log /usr/local/cpanel/logs/error_log
Installation log /var/log/cpanel
License updates and errors /usr/local/cpanel/logs/license_log
Locale database modifications /usr/local/cpanel/logs/build_locale_database_log
Login errors (CPSRVD) /usr/local/cpanel/logs/login_log
Horde /var/cpanel/horde/log/
RoundCube /var/cpanel/roundcube/log/
SquirrelMail /var/cpanel/squirrelmail/
Panic log /usr/local/cpanel/logs/panic_log
Per account bandwidth history (Cached) /var/cpanel/bandwidth.cache/{USERNAME}
Per account bandwidth history (Human Readable) /var/cpanel/bandwidth/{USERNAME}
Service status logs /var/log/chkservd.log
Tailwatch driver tailwatchd log /usr/local/cpanel/logs/tailwatch_log
Update analysis reporting /usr/local/cpanel/logs/updated_analysis/{TIMESTAMP}.log
Update (UPCP) log /var/cpanel/updatelogs/updated.{TIMESTAMP}.log
WebDisk (CPDAVD) /usr/local/cpanel/logs/cpdavd_error_log
Website statistics log /usr/local/cpanel/logs/stats_log

cPanel access log

Access logs and user actions /usr/local/cpanel/logs/access_log

cPanel apache log

Apache restarts done through cPanel and WHM /usr/local/cpanel/logs/safeapcherestart_log
Domain access logs /usr/local/apache/domlogs/{DOMAIN}
Processing of log splitting /usr/local/cpanel/logs/splitlogs_log
suPHP audit log /usr/local/apache/logs/suphp_log
Web server and CGI application error log /usr/local/apache/logs/error_log
cPanel email log

Delivery and receipt log                                                               /var/log/exim_mainlog
Incoming mail queue                                                                    /var/spool/exim/input/
Log of messages rejected based on ACLS or other policies  /var/log/exim_rejectlog
Unexpected/Fatal error log                                                          /var/log/exim_paniclog
IMAP, POP login attempts, transactions, fatal errors and spam scoring /var/log/maillog /var/log/messages
Mailman                                                                                         /usr/local/cpanel/3rdparty/mailmain/logs
MySQL log

MySQL error log                                                        /var/lib/mysql/{SERVER_NAME}.err
MySQL slow query log (if enabled in my.cnf)     /var/log/slowqueries

How to Install an Apache module without recompiling Easyapache


How to Install an apache module without recompiling (Easyapache)

Login the server

cd /home/cpeasyapache/src/httpd-2.x.x/modules/mappers/

Make sure the module is in uncompiled format (mod_module.c).

From command prompt run:

/usr/local/apache/bin/apxs -c mod_module.c
Example : /usr/local/apache/bin/apxs -c mod_imagemap.c

This will create the DSO in /home/cpeasyapache/src/httpd-2.x.x/modules/mappers/.libs/ folder.

Copy the mod_module.so file to /usr/local/apache/modules/ file

Load the module and enable it in Apache configuration file.

Check whether module is installed or not by using the below command :

/usr/local/apache/bin/apachectl -t -D DUMP_MODULES

How to Install PHP module without running Easyapache on cPanel


How to Install PHP module without running Easyapache on cPanel

Login the server
Go to path /home/cpeasyapache/src/php-5.x/ext/sqlite

Here I am trying to enable sqlite

# phpize (this will create ./configure command )
# ./configure
# make
# make install

You can find the extension dir path and you need to enter the extension dir path in php.ini as follows :

# ll usr/local/lib/php/extensions/no-debug-non-zts-20060613/

NOTE : You can enable the module if it is available in /home/cpeasyapache/src/php-5.x.x/ext/

How to migrate MySQL to MariaDB + cPanel


How to migrate MySQL to MariaDB + cPanel

With Oracle’s fairly recent acquisition of MySQL, a lot of people are looking to move away from MySQL in fear of Oracle changing the licensing, which could force you to change database back ends. MariaDB was initially forked in January of 2009. We can make this transition quickly, but not without some downtime, as we can’t have both databases working on the same files simultaneously.

If you are running the same major version of MySQL as MariaDB. Currently this means you must be running MySQL 5.5 and intend on moving to MariaDB 5.5.

Next, you need to take all the databases backup. These commands dump every SQL database you have to a single file. Make sure you do this on a partition big enough to hold your data.

# mysqldump –all-databases –routines –triggers > /home/alldata-`date +%F`.sql

First and foremost, shut down the MySQL service.

# service stop mysql

We are now done with MySQL. Use your package manager to remove it. Do not worry about associated libraries, as MariaDB is a drop in replacement. It should remain compatible at the API layer.

# /scripts/update_local_rpm_versions –edit target_settings.MySQL50 uninstalled
# /scripts/update_local_rpm_versions –edit target_settings.MySQL51 uninstalled
# /scripts/update_local_rpm_versions –edit target_settings.MySQL55 uninstalled
# /scripts/update_local_rpm_versions –edit target_settings.MySQL56 uninstalled

Remove the existing MySQL RPMs from your server. This will leave a clean slate for the MariaDB installation.

# /scripts/check_cpanel_rpms –fix –targets=MySQL50,MySQL51,MySQL55,MySQL56

Next, add the MariaDB repositories, and install it.

vi /etc/yum.repos.d/MariaDB.repo

# MariaDB 5.5 CentOS repository list – created 2013-06-23 21:13 UTC
# http://mariadb.org/mariadb/repositories/
name = MariaDB
baseurl = http://yum.mariadb.org/5.5/centos6-amd64


Edit /etc/yum.conf file and remove php* and mysql* from the exclude line. The exclude line in your /etc/yum.conf file may appear similar to the following example:

exclude=bind-chroot courier* dovecot* exim* filesystem httpd* mod_ssl* mydns* mysql* nsd* php* proftpd* pure-ftpd* ruby* spamassassin* squirrelmail* 

Installing the new MariaDB packages.

# yum install MariaDB-server MariaDB-client MariaDB-devel php-mysql

# /etc/init.d/mysql start
# mysql_upgrade
# /etc/init.d/mysql restart

Rebuild EasyApache’s PHP to ensure that all PHP modules remain intact

# /scripts/easyapache –build

If you need to Switching back to MySQL

First you need to removing mariaDB package.

# yum remove MariaDB*

Install the MySQL RPM targets

# /scripts/update_local_rpm_versions –edit target_settings.MySQL50 installed
# /scripts/update_local_rpm_versions –edit target_settings.MySQL51 installed
# /scripts/update_local_rpm_versions –edit target_settings.MySQL55 installed
# /scripts/update_local_rpm_versions –edit target_settings.MySQL56 installed

Installing MySQL package

# /scripts/check_cpanel_rpms –fix –targets=MySQL50,MySQL51,MySQL55,MySQL56

Restoring the MySQL databases

# mysql < /home/db_dump/alldb.sql backup in (/home/alldb-`date +%F`.sql)


# /etc/init.d/mysql stop
# mv /var/lib/mysql /var/lib/mysql_mariadb-`date +%F`
# cp -p -r /var/lib/mysql_mysql_date /var/lib/mysql
# /etc/init.d/mysql start
# mysql_upgrade

After that check the MySQL logs also revert the my.cnf file.

How do we know that the server is under DDOS attack?


DDOS attack measures

How do we know that the server is under DDOS attack?

We can confirm it by checking the result of netstat command:

netstat -an|awk ‘/tcp/ {print $6}’|sort|uniq -c

This will show the states and number of connections at that time. The different states that are visible mostly in servers are:

1. ESTABLISHED – This will be legitimate connections established to the server
2. SYN_SENT – The client will be actively attempting to establish a connection.
3. SYN_RECV – A connection request has been received from the network.
4. FIN_WAIT – The socket is closed, and the connection is shutting down.
5. TIME_WAIT – The socket is waiting after close to handle packets still in the network.
6. LISTEN – The socket is listening for incoming connections.
7. LAST_ACK – The remote end has shut down, and the socket is closed. Waiting for acknowledgement.

If the number of connections in SYN_SENT, SYN_RECV, TIME_WAIT, FIN_WAIT are very large in the rate of 1000s then the server is surely under attack.

As a first step we can tweak the values set for SYN_SENT, SYN_RECV, TIME_WAIT, FIN_WAIT in the file /etc/sysctl.conf. Reduce the value of net.ipv4.tcp_fin_timeout to 3 or 5. Normally it will be set to 120 as default. Make the following changes in /etc/sysctl.conf

# Enable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 3

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

Then execute the command :

sysctl -p

Then we will have to find out how the attack is being performed, is it from any particular IP or from large number of IP addresses to the server. If it is from any particular IP to the server, then we can fix it by blocking the IP in the firewall. If it is from a large number of IP with one or 2 connections then we will have to find more details to stop it. But will will not be able to completely stop the DDOS attack, we will have to tweak some settings in the server so that the number of connections can be reduced.

Once we reach the result that the server is under attack by checking the number of connections in different state, we need to find to which port the attack is being done. Suppose the number of connections in state SYN_RECV is large. Then we can get the details using the following command:

netstat -lpan | grep SYN_RECV | awk ‘{print $4}’ | cut -d: -f2 | sort | uniq -c | sort -nk 1

The result will be the number of connections and the port open in the server. If the second field is 80 then the attack is to apache port.

In addition to the netstat command, you can use tcpdump command to find out if there is dos attack to a particular port.

tcpdump -nn -tttt -i any port 80

Similarly you can give different ports to find out to which port attack is being done. For example, port 53, 25 etc.

Once you understand the port you need to figure out is the attack done on a particular domain or IP. Suppose the attack is done on port 80, then we can tweak the apache settings as follows:

1. Increase the MaxClients so that we can prevent the condition of apache reaching its limit, since apache could not serve new requests. MaxClients can be set to a max value of the limit set in ServerLimit
2. Set KeepAlive on to set the KeepAliveTimeout
3. KeepAliveTimeout value to be reduced to 3 or 5

So the settings will be as follows:

MaxClients 500
KeepAlive On
KeepAliveTimeout 3

/etc/init.d/httpd restart

In order to narrow down the issue, we need to find out if the attack is on any particular IP in the server. This can be found using the following command:

netstat -lpan | grep SYN_RECV | awk ‘{print $4}’ | cut -d: -f1 | sort | uniq -c | sort -nk 1

After confirming the attack to the IP, we need to find out if the attack is made to a particular domain in that IP or to the IP as a whole. For that, you can check the apache error logs or top command. If in the apache error logs, you are finding the errors for a particular domain, then you will have to perform steps to prevent attack to the domain. For that we can perform the following steps:

1. We can block the connections to the domain using modsecurity. CSF is connected to modsecurity so that if we write rule to block a domain, the IP from which connections to the domain are made will be blocked. Since it is DDOS attack, there will be many IPs connecting to the server and blocking high number of IP addresses can cause load in the server and thus server can go down. In order to prevent that, you will have to first block the checking of modsecurity in lfd.

In /etc/csf/csf.conf, set the following:

= “0”

csf -r

Then, in the modsecurity configuration file, you can add the following:


2. You can block the acesses to port 80 of the domain in the firewall using the following command:

iptables -I INPUT -p tcp –dport 80 -m string –string “domain.com” –algo bm -j DROP

3. If the connections are still not getting reduced, then you can limit the number of connections to the domain using bandwidth module as follows:

/scripts/setbwlimit –domain=domain.com –limit=256000

4. If nothing helped, you can nullroute the IP using the command:

iptables -I INPUT -d XX.XX.XX.XX -p tcp –dport port -j DROP

If the domain is having dedicated IP, then there is no need of above steps, you can directly make the IP down, by deleting the IP from the /etc/ips and restarting ipaliases. But in case of main shared IP, this cannot be done. We will have to reduce the TTL of the domains and change all the domains except the domain to which attack is being made to a free IP after 4 hours and then make the IP down after that so that the attack will be there for only 4 hours. But in such cases there will be issue with cpanel license etc. We will also have to make sure of the name server setting of the domain to which attack is being made. If the domain is using remote name servers, then we cant change any DNS setting of the domain in the server.

In order to prevent this in future, you can add the following commands:

iptables -A INPUT -p tcp –tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp –tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp –tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp –tcp-flags ACK,FIN FIN -j DROP

How to Install NixTree PHP Selector in CloudLinux cPanel server


How to Install NixTree PHP Selector in CloudLinux cPanel server

NixTree PHP Selector plugin allows a domain user to select preferred PHP version per directory on the same domain.
Note :This plugin requires SuPHP on the system; it will not work with any other PHP handlers for now.

To install ntPHPselector, run the following commands:

cd /usr/local/src
wget -N http://nixtree.com/download/free/ntphpselector_manage.sh
sh ntphpselector_manage.sh install

To recompile php in ntPHPselector, run the following command:
sh ntphpselector_manage.sh recompile <option>

— option
2 for 5.2
3 for 5.3
4 for 5.4
5 for 5.5

eg: recompile php5.2
sh ntphpselector_manage.sh recompile 2

For uninstalling the plugin:
sh ntphpselector_manage.sh uninstall


How to change cPanel password from command line


How to change cPanel password from command line

1. Login to your server as root via SSH.

2. Execute the following script from the command line.

Replace [username] with the cPanel user name of the domain & [password] with the new password.
/scripts/chpass [username] [password]

If you are facing this error, please use the following command and reset.

warn [realchpass] Insecure passing of password on ARGV.
ERROR: /usr/local/cpanel/scripts/realchpass
interface. You can force a password
change through this script by setting
the environment variable


3. Synchronizing the new password with FTP password;

In cPanel/WHM servers, whenever a new account is created in WHM, by default a FTP account is created. The cPanel password and FTP password are synchronized. Use the following command to synchronize the new password with FTP password.


How to change the FTP user’s path in cPanel


How to change the FTP user path in cPanel

By default cPanel does not allow you to change the FTP path for your main account or sub-accounts, after creating the domain. But you can easily change it from the FTP user configuration files. Each cPanel user has a file in /etc/proftpd (yes, even if you use pure-ftp)

# cat /etc/proftpd/user

As you can see, /etc/proftpd contains a file for each of the accounts on the server. Edit the file for the domain, and change the home directory.


After editing save the file and then restart your pure-ftpd service

How do we configure another /home directory partition on a cPanel server


How do we configure another /home directory partition on a cPanel server

1. Add the new hard-drive to the server

2. Format it and mount it as /home2.

3. There are two options to utilize /home2 partition in cPanel.

Edit /etc/wwwacct.conf and set HOMEDIR as /home2.


Edit /etc/wwwacct.conf and set HOMEMATCH as /home*.

Afterwards all the new accounts will be created on /home or /home2 depending upon the amount of the free space.