: Multiple domains under 1 IP, cPanel and mail black listing This likely wont sound like the most elegant way of doing things, but in order to ask my question I need to explain how we currently
This likely wont sound like the most elegant way of doing things, but in order to ask my question I need to explain how we currently have things set-up.
The company I work for hosts a number of e-commerce sites on an expensive large WHM/cPanel based box, it's convenient because having WHM allows us to manage each of the domains easily, and it means we can provide stable hosting for our clients instead of pushing them towards a cheaper less reliable self hosting option. Recently though we have been having issues with the one IP that hosts all of these sites getting mail server black listed because either a site was compromised through exploits etc... or a client chooses a very weak email password and gets hacked.
On the security side we have been working hard to nip things in the butt, and on that side we are being fairly successful, but the human factor is really killing us.
The question is, is it possible to find a way to avoid other domains being hit when one site on an IP is compromised without having each site have it's own IP (very expensive and something we want to avoid)?
Steve
More posts by @Steve110
2 Comments
Sorted by latest first Latest Oldest Best
Take a look at CloudLinux and CageFS. This basically segregates all of your hosting accounts into their own instances. You can limit resource usga eper account and if one site uses all that it has been allocated, no more is given, leaving a fair amount for everybody else.
Blacklisting has no option but to block by IP address. Blocking by domain is incomplete because it is not always/generally a domain name that is the problem. Think about it this way- your SMTP server hosts e-mail for several domains. If the system is compromised, how can a blacklist determine where the problem is? It cannot. All it knows is the domain name that is in the envelope and the server that is doing the handshake. Addresses can be easily spoofed in a plain text mechanism such as e-mail so any information there is always suspect and unreliable. But the server name and IP cannot be spoofed on handshake as easily. It is a simple matter of practicality.
I am not sure how you are handling your user account creation. I used to be a webhost before cPanel and the like really existed and even then, there were account password enforcement tools that would require password changes and strong passwords even for Linux. This may be something you need to figure out.
But then again, I am not sure that is your problem necessarily.
You will need to log all outgoing e-mail for a period to see what is going on. When I was a webhost, I had an anti-spam/anti-virus gateway, Exchange Server used for logging and analysis, and the various SMTP servers on each machine. All outgoing SMTP traffic went from the hosting servers to the Exchange Server through the gateway then out. Incoming e-mail would be the reverse of this. Why did I do this? For control. I could capture and log and resend (if required) any e-mail sent or received. Your set-up does not have to be this elaborate, but you do need enough control over your e-mail server to be able to see exactly what is going on. Unfortunately, most SMTP installs do not allow this by default. But it is achievable. You may not want it on all the time of course. I used to purge logged and captured e-mail older than 1 year because I had plenty of disk space. You could do something similar with a shorter period of time. But the point is the same, you cannot really know what is going on without thorough analysis. I suggest starting there.
Also as a webhost, I created a tool what monitored the web space of each client. It would examine the space for any application install, try and figure out if it is a safe version according to my database and disable the application and flag me immediately if there was a problem. Of course this will not be available to you, but you can monitor each customer web space for changes and then quickly examine the changes to see if there appears to be a problem. This was not only good for determining if a vulnerable application was installed, but if a virus got through. You may want to create simple directory/file change monitors that can e-mail you. I am sure this is available through cPanel. I know it is using VirtualMin. This may help and can be a part of your daily routine. It can really pay dividends. Using my tool never overwhelmed my daily workload. in fact, I hardly got notices at all. Most changes were rather predicable and not flagged. It maybe that monitoring web space for changes could be just as simple for you too. I suggest trying this for a period to see if it at least helps nail down any compromises or issues with users.
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.