In the file /etc/csf/csf.conf under CC_IGNORE = "" add your country, example for Croatia
CC_IGNORE = "HR"

You can check for your country code here (two-character code)
https://www.iban.com/country-codes
https://countrycode.org/

after adding your Country you would need to restart the firewall

csf -r
service lfd restart

This will not whitelist or open ports for your country but in the safest way, it will prevent any client from your country to get IP blocked.
We don't recommend having this option enabled for hack-intensive countries like Russia, China, US, and similar.

WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.101.2 Recommended version: 0.103.5
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
main.cld is up to date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
WARNING: getpatch: Can't download daily-26440.cdiff from database.clamav.net
WARNING: getpatch: Can't download daily-26440.cdiff from database.clamav.net
ERROR: getpatch: Can't download daily-26440.cdiff from database.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
ERROR: Can't download daily.cvd from database.clamav.net
Giving up on database.clamav.net...
Update failed. Your network may be down or none of the mirrors listed in /etc/freshclam.conf is working. Check https://www.clamav.net/documents/official-mirror-faq for possible reasons.

Solution:

yum -y --enablerepo=epel update clam*
freshclam

Configuration locations MAIN PHP-CGI
/usr/local/php/php.d/snuffleupagus.ini

Configuration locations PHP-FPM
/opt/alt/php-fpm70/usr/php/php.d/snuffleupagus.ini
/opt/alt/php-fpm71/usr/php/php.d/snuffleupagus.ini
/opt/alt/php-fpm72/usr/php/php.d/snuffleupagus.ini
/opt/alt/php-fpm73/usr/php/php.d/snuffleupagus.ini
/opt/alt/php-fpm74/usr/php/php.d/snuffleupagus.ini
/opt/alt/php-fpm80/usr/php/php.d/snuffleupagus.ini
/opt/alt/php-fpm81/usr/php/php.d/snuffleupagus.ini

Configuration locations PHP-CGI
/opt/alt/php70/usr/php/php.d/snuffleupagus.ini
/opt/alt/php72/usr/php/php.d/snuffleupagus.ini
/opt/alt/php74/usr/php/php.d/snuffleupagus.ini
/opt/alt/php71/usr/php/php.d/snuffleupagus.ini
/opt/alt/php73/usr/php/php.d/snuffleupagus.ini
/opt/alt/php80/usr/php/php.d/snuffleupagus.ini
/opt/alt/php81/usr/php/php.d/snuffleupagus.ini

Configuration files are located in the folder
/usr/local/cwp/.conf/phpdefender

Predefined rules are in the folder
/usr/local/cwp/.conf/phpdefender/rules/

More info about it

https://snuffleupagus.readthedocs.io/

Module file location (depends on the PHP version)
PHP-FPM: /opt/alt/php-fpm72/usr/lib/php/extensions/no-debug-non-zts-20151012/snuffleupagus.so
PHP-CGI: /opt/alt/php72/usr/lib/php/extensions/no-debug-non-zts-20151012/snuffleupagus.so

What is listed in the file that has disabled notifications:

modsec = 1
lfd = 1
hidepid = 1

* This example disables notifications for mod_security, LFD firewall, and hidden processes.

If you want to re-enable notifications just delete that line from the file.

Video instructions

Installation instructions

Install it from cwp.admin by rebuilding the mail server with option policyd
Left Menu->Email->MailServer Manager and select policyd

other options is to do the manual installation over ssh command:

sh /scripts/install_cbpolicyd

* Run this command from the ssh

If needed to set a policy for all currently installed packages, the installer already does that.
Based on the user package this command will set limit per domain:

/scripts/cwp_api account update_policyd_all

The default limit for all incoming and outgoing mail domains is 250 per hour.
Default policy is in use only if the domain has no other policies configured, this policy will be also in use for all incoming emails meaning that you can receive for example only 250 emails per hour from Gmail.

Manage System Service
service cbpolicyd status
Options: start/stop/restart/status

MySQL Database name
postfix_policyd
* This database is in use for configuration and to track and count emails.

Log file: /var/log/maillog

Example policy status using default package when sending email:

Jul  2 12:13:32 cwp7 cbpolicyd[29870]: module=Quotas, mode=update, host=127.0.0.1, helo=localhost, from=webmail@centos-webpanel.info, to=test@test.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:@centos-webpanel.info, counter=MessageCount, quota=3.87/250 (1.5%)

Example policy status using custom package when sending email:

Jul  2 12:53:58 cwp7 cbpolicyd[30994]: module=Quotas, mode=create, host=127.0.0.1, helo=localhost, from=webmail@centos-webpanel.info, to=test@test.com, reason=quota_create, policy=9, quota=6, limit=7, track=Sender:@centos-webpanel.info, counter=MessageCount, quota=1.00/120 (0.8%)

POLICIES explained
PRIORITY, lower priority is always in use, you can check in policyd module in cwp.admin which policy domain is using.
Default policy: this policy is always in use if the user has no any others configured.

We have 4 levels of email policy:
- the default for all incoming / outgoing (priority:20)
- per package (priority:19)
- per user (priority:18)
- per domain (priority:17)

DEFAULT POLICY
PackageID 0 with the name "Default Server Limit" and priority 20

PACKAGE POLICY
PackageID is the same ID as in the packages module, the name is from packages shown as package_PACKAGE-NAME with priority 19

USER POLICY
user policy has the packageID over 1000 and name starts with user_USERNAME with priority 18

DOMAIN POLICY
domain policy has the packageID over 10000 and name starts with domain_DOMAIN with priority 17

Tracking status per domain:

Jul  2 14:47:05 vps cbpolicyd[4061]: module=Quotas, mode=update, host=209.85.216.66, helo=mail-pj1-f66.google.com, from=recaudacion.satrim2020@gmail.com, to=juanpinto@heladosrizo.com, reason=quota_update, policy=6, quota=3, limit=4, track=Sender:@gmail.com, counter=MessageCount, quota=3.58/250 (1.4%)

You can see here that this is a server default policy by policy ID (policy=6) and status is for domain (track=Sender:@gmail.com) having quota 3.5/250.

Incoming emails for example coming from Gmail will be limited by the default policy per domain.
For example, incoming emails from Gmail will be limited to 250 per hour, and from yahoo, there will be also separated limit on 250 per hour.

Error in the RoundCube when the limit is reached
SMTP Error (450): Failed to add recipient "email@gmail.com" (4.7.1 : Recipient address rejected: 0).

Jul 2 19:34:11 cwp7 cbpolicyd[23990]: module=Quotas, action=defer, host=127.0.0.1, helo=localhost, from=webmail@centos-webpanel.info, to=email@gmail.com, reason=quota_match, policy=28, quota=25, limit=26, track=Sender:@centos-webpanel.info, counter=MessageCount, quota=2.98/1 (298.1%)

Setting the limit to 0 would fully block send/receive email from/to that domain.
This is only possible to be set manually using PHPMyAdmin or custom queries.

ERRORS POLICYD
"postfix / smtpd: NOQUEUE: reject: RCPT from: 450 4.7.1 Recipient address rejected: Access denied"

Check in the policyd module limits set per hour, if the limit for some domain is set to 0 then it will not allow email sending at all.

Checking Policyd REQUIREMENTS

- check that service is working
service cbpolicyd status

- check if the port 10031 is up
netstat -tulpn|grep 10031

- check postfix having active configuration in /etc/postfix/main.cf, starting as:
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031, permit_sasl_authenticated...

Important configuration is: check_policy_service inet:127.0.0.1:10031

To disable policyd simply remove the following from /etc/postfix/main.cf
check_policy_service inet:127.0.0.1:10031

Another option is also limit in the /etc/postfix/main.cf

# Limit 500 emails per hour per email address
anvil_rate_time_unit = 3600s
smtpd_client_message_rate_limit = 500

* info: http://www.postfix.org/postconf.5.html
The maximal number of message delivery requests that any client is allowed to make to this service per time unit, regardless of whether or not Postfix actually accepts those messages. The time unit is specified with the anvil_rate_time_unit configuration parameter.

WARNING: The purpose of this feature is to limit abuse. It must not be used to regulate legitimate mail traffic.

Change Default policy limit

Example for setting default policy limit to 500 emails per hour:

mysql postfix_policyd --defaults-extra-file=/root/.my.cnf -e 'UPDATE `quotas_limits` SET `CounterLimit` = '500' WHERE `quotas_limits`.`ID` = 4;'

Uninstall policyd
* We recommend to use uninstall option from MailServer Manager in cwp

/scripts/install_cbpolicyd remove

Reinstall policyd
* this will do a clean install of policyd files and database.

/scripts/install_cbpolicyd reinstall

KernelCare works in both, live and staging environments, and for servers located behind the firewall, there is an ePortal to help you manage it.

KernelCare is compatible with 64-bit versions of CloudLinuxOS/CentOS/RHEL 6,7 and 8, Oracle Linux 6 and 7, Amazon Linux 1 and 2, Virtuozzo/PCS/OpenVZ 2.6.32, Debian 8,9 and 10, Proxmox VE 5 and 6, Virt-SIG/Xen4CentOS 6 and 7, Ubuntu 14.04, 15.04 and 16.04 kernels.

The list of compatible kernels can be found on the following link:

https://patches.kernelcare.com

To check current kernel compatibility with KernelCare, use the following script by running:

curl -s -L https://kernelcare.com/checker | python

You can try KernelCare absolutely free for 30 days on an unlimited number of servers. After the trial period is over, you can purchase licenses through CloudLinux Network (CLN) by logging in to cln.cloudlinux.com.

To install KernelCare run:

curl -s -L https://kernelcare.com/installer | bash

or:

wget -qq -O - https://kernelcare.com/installer | bash

If you are using IP-based license, nothing else required to be done.

If you are using a key-based license, run:

/usr/bin/kcarectl --register KEY

KEY is the registration key code string provided when you sign up for purchase or trial of the product.
If you are experiencing Key limit reached error after the end of the trial period you should first unregister the server by running:

kcarectl --unregister

To check if patches applied run:

/usr/bin/kcarectl --info

The software will automatically check for new patches every 4 hours.
If you would like to run update manually:

/usr/bin/kcarectl --update

Video instructions

Example of cgroups in action on CWP servers

Dedicated Servers Limits Available
- CPU, Memory, Disk

VPS: KVM Limits Available
- CPU, Memory, Disk

VPS: OpenVZ Limits Available
- Memory

Please note that some Cloud/VPS providers have a custom kernel that doesn't work with cgroups or some limits are no supported.

Requirements
- Default CentOS 7 kernel 3.10, possible to work with some others
- CloudLinux is NOT supported

Limit range: 1 ~ (Number of cores) x 100, example for 4 cores: 1~400.
Result: User websites might have a slower response if the user has higher demanding scripts.

RMEM (Real Memory RAM)
RAM limit in MB, the value of 1024 MB will limit shared RAM for the user to 1GB.

VMEM (Virtual Memory = RAM + swap)
Swap limit in MB, the value of 2048 MB will limit swap for the user to 2GB.
It's recommended to have swap (VMEM) higher than RAM (RMEM).

Result: When the ram limit is reached system will kill the most memory demanding process.
In case of killed script webserver could return server error 5xx on the active process.

Disk Limit (read / write)
Set the limit in KB per second, you can monitor this limit with iotop.

Result: User websites might have a slower response if the user has higher demanding scripts.

Useful commands
cgdelete cpu:USERNAME (delete cpu limit for USERNAME)
cgdelete memory:USERNAME (delete memory limit for USERNAME)
cgdelete blkio:USERNAME (delete disk IO limit for USERNAME)

PHP switcher :

echo "disable_functions = exec, system, popen, proc_open, shell_exec, passthru, show_source" > /usr/local/php/php.d/disabled_function.ini

PHP-CGI selector :

echo "disable_functions = exec, system, popen, proc_open, shell_exec, passthru, show_source" > /opt/alt/php53/usr/php/php.d/disabled_function.ini

echo "disable_functions = exec, system, popen, proc_open, shell_exec, passthru, show_source" > /opt/alt/php54/usr/php/php.d/disabled_function.ini

echo "disable_functions = exec, system, popen, proc_open, shell_exec, passthru, show_source" > /opt/alt/php55/usr/php/php.d/disabled_function.ini

echo "disable_functions = exec, system, popen, proc_open, shell_exec, passthru, show_source" > /opt/alt/php56/usr/php/php.d/disabled_function.ini

echo "disable_functions = exec, system, popen, proc_open, shell_exec, passthru, show_source" > /opt/alt/php70/usr/php/php.d/disabled_function.ini

echo "disable_functions = exec, system, popen, proc_open, shell_exec, passthru, show_source" > /opt/alt/php71/usr/php/php.d/disabled_function.ini

echo "disable_functions = exec, system, popen, proc_open, shell_exec, passthru, show_source" > /opt/alt/php72/usr/php/php.d/disabled_function.ini

echo "disable_functions = exec, system, popen, proc_open, shell_exec, passthru, show_source" > /opt/alt/php73/usr/php/php.d/disabled_function.ini

PHP_FPM Selector :
** Don't forget to restart php-fpm after changes

echo "disable_functions = exec, system, popen, proc_open, shell_exec, passthru, show_source" > /opt/alt/php-fpm53/usr/php/php.d/disabled_function.ini && service php-fpm53 restart

echo "disable_functions = exec, system, popen, proc_open, shell_exec, passthru, show_source" > /opt/alt/php-fpm54/usr/php/php.d/disabled_function.ini && service php-fpm54 restart

echo "disable_functions = exec, system, popen, proc_open, shell_exec, passthru, show_source" > /opt/alt/php-fpm55/usr/php/php.d/disabled_function.ini && service php-fpm55 restart

echo "disable_functions = exec, system, popen, proc_open, shell_exec, passthru, show_source" > /opt/alt/php-fpm56/usr/php/php.d/disabled_function.ini && service php-fpm56 restart

echo "disable_functions = exec, system, popen, proc_open, shell_exec, passthru, show_source" > /opt/alt/php-fpm70/usr/php/php.d/disabled_function.ini && service php-fpm70 restart

echo "disable_functions = exec, system, popen, proc_open, shell_exec, passthru, show_source" > /opt/alt/php-fpm71/usr/php/php.d/disabled_function.ini && service php-fpm71 restart

echo "disable_functions = exec, system, popen, proc_open, shell_exec, passthru, show_source" > /opt/alt/php-fpm72/usr/php/php.d/disabled_function.ini && service php-fpm72 restart

echo "disable_functions = exec, system, popen, proc_open, shell_exec, passthru, show_source" > /opt/alt/php-fpm73/usr/php/php.d/disabled_function.ini && service php-fpm73 restart

To enable it back, simply delete disabled_function.ini file for the PHP version you want and restart apache/php-fpm.

Configuration files:
/usr/local/etc/suphp.conf (Detailed suPHP configuration)
/usr/local/apache/conf.d/suphp.conf (suPHP configuration for Apache)

There is also suphp configuration in the vhost files for each vhost.
/usr/local/apache/conf.d/vhosts/DOMAIN.COM.conf
/usr/local/apache/conf.d/vhosts/DOMAIN.COM.ssl.conf

If you don't want to allow users to modify and use custom php.ini per folder you can do that by placing an empty php.ini file into users home folder. The empty file will use default server php.ini and will not allow users to load any custom changes and other php.ini files.

Example:

touch /home/USERNAME/php.ini

Now secure it so users can't change/disable it

chown root.root /home/USERNAME/php.ini
chmod 555 /home/USERNAME/php.ini

Default php.ini
/usr/local/php/php.ini

Note that each version of PHP in PHP selector has a different php.ini file.
You can edit php.ini files for each version from the php selector in cwp.admin

We have two options
- global config, one config file in the include folder /usr/local/php/php.d/ and in PHP selector include folders
- per-user config, the securest option as it restricts the user to his /home/USERNAME folder and also disables users from using custom php.ini files.

Global Configuration
The securest method do this correctly and to prevent users from overriding this is to place the config into the include file. Please note that if you set this into /usr/local/php/php.ini then custom user php.ini will be able to disable it. Please note that global config allows full /home folder access while per user restricts users to /home/USERNAME folder which is much more secure.

One line command to create a file and config:

echo "open_basedir = /home:/tmp:/var/tmp:/usr/local/lib/php/" > /usr/local/php/php.d/open_basedir.ini

You can also do it by yourself by creating a file: /usr/local/php/php.d/open_basedir.ini with the following content:

open_basedir = /home:/tmp:/var/tmp:/usr/local/lib/php/

To enable it for other php versions from the PHP selector you can create this config files with the same content:

/opt/alt/php44/usr/php/php.d/open_basedir.ini
/opt/alt/php52/usr/php/php.d/open_basedir.ini
/opt/alt/php53/usr/php/php.d/open_basedir.ini
/opt/alt/php54/usr/php/php.d/open_basedir.ini
/opt/alt/php55/usr/php/php.d/open_basedir.ini
/opt/alt/php56/usr/php/php.d/open_basedir.ini
/opt/alt/php70/usr/php/php.d/open_basedir.ini
/opt/alt/php71/usr/php/php.d/open_basedir.ini
/opt/alt/php72/usr/php/php.d/open_basedir.ini
/opt/alt/php7/usr/php/php.d/open_basedir.ini

Testing:
Create a phpinfo file on some account/domain/subdomain ... and open it with a browser.
open_basedir value should show info from the config

PHP info file example phpinfo.php

<?php phpinfo(); ?>

Per User open_basedir
To enable per-user open_basedir you can create a php.ini file in the users /home folder.
Example: /home/USERNAME/php.ini ,make sure the file is owned by root so that the user can't disable it.

echo "open_basedir = /home/USERNAME:/tmp:/var/tmp:/usr/local/lib/php/" > /home/USERNAME/php.ini
chown root.root /home/USERNAME/php.ini
chmod 555 /home/USERNAME/php.ini

** Don't forget to replace the USERNAME.

Please note that this option will also disable all further custom users php.ini files per folder, for example: /home/USERNAME/public_html/php.ini will not be loaded.

You can also place it into public_html folder but then users will be able to run custom php.ini files per folder and they can disable open_basedir.

RECOMMENDATION
We recommend using the per-user configuration of open_basedir as it will provide much higher security and isolate each client.

under fastcgi_param add one more line and reload/restart nginx

fastcgi_param   PHP_ADMIN_VALUE "open_basedir =/home/USERNAME:/tmp:";

** Note that manual editing of the webserver vhost files is not recommended as those files get rebuilt from the template on each change.
Try checking the instructions here for the custom template build.

ls -la /opt/alt/php-fpm*/usr/etc/php-fpm.d/users/USERNAME.conf

Add at the bottom

php_admin_value[open_basedir] = /home/USERNAME:/tmp

** Note that editing any of those files requires to restart php-fpm version you edited.

** Note that manual editing of the webserver vhost files is not recommended as those files get rebuilt from the template on each change.
Try checking the instructions here for the custom template build.