Introduction to Linux file permissions & attributes: chmod

Linux is a broad name for a variety of operating systems based on the Linux kernel; these operating systems are free and open-source, providing a variety of solutions for users of different skill levels. On Linux-based systems, the user often relies more on system commands and command-line tools; maintaining file permissions and attributes is one example of this. Linux file permissions, which allow users to access different system objects, files, and directories, are modified with the chmod command. Maintaining proper file permissions is essential in shared environments where multiple users do not share the same access requirements to files and systems.

Getting Started

To get started understanding more about file permissions and attributes, you should have a cloud server or dedicated server node running a current version of whichever Linux operating system you choose. For beginners, Ubuntu is a popular distribution providing a user-friendly interface. Research the available options and choose a distribution that works for you.

An Introduction to Linux File Permissions and Attributes: chmod

When using the chmod command to alter file permissions and attributes, you will encounter several parts of the command syntax. For instance, there are options such as recursive (-R), force (-f), and verbose (-v). The recursive option is the most commonly used; it applies permissions to all the files within the specified directory. The force option can be used when the operation should move forward even if errors occur, while the verbose option shows the objects as they’re processed.

An example would be to give read, write, and execute access (7) to the owner (u) and group (g), but no access (0) to others (o), using the recursive option (-R) to apply the same level of permissions to everything contained within /my/directory.

sudo chmod -R 770 /my/directory

The Symbolic Mode

Permissions can be assigned as read (r), write (w), and execute (x) access; this is considered symbolic mode.

When the permissions are displayed, they are displayed in a combination of letters indicating the permissions for the owner, the group, and anyone else. To see an example of the notation in your Linux operating system, open terminal and type ls -l /etc, which will list the content of /etc including permissions.

ls -l /etc

An example of this would be “drwxrwx---”, which shows that the owner (the first rwx) and those in the group (the second rwx) can read, write, and execute; anyone else outside of the specified owner and group (the final ---) has no permissions. A dash (-) appears where a permission is not given.

You can also use the symbolic mode in more specific instances where you want to make changes to specific users. There are four references; owner (u), group (g), others (o), and all (a or ugo).

The owner is the owner of the file, while the group is the set of users that are part of the file’s group membership. The others identifier encompasses users that are neither the owner nor group members, and all can be used when the permissions should be set for all three previous classes simultaneously.

When adding permissions to these users, the plus sign (+) is used to add the specified mode to the specified class, the minus sign (-) is used to remove the specified mode from the specified class, and the equal sign (=) is used when the specified mode should be the exact mode for the specific class.

An example of this would be “u+w”, which would add write permission for the user.

sudo chmod u+w /my/directory/

Another example would be “g-w”, which would remove write permission for the group.

sudo chmod g-w /my/directory/

The Numeric Mode

Permissions may also be displayed in numeric mode, numbering from 0 to 7. The permissions, in ascending order, are no permission (0), execute (1), write (2), write and execute (3), read (4), read and execute (5), read and write (6), and read, write, and execute (7).

For instance, in the symbolic system, a permission could be displayed as “-rw-r--r--”, which could be translated into the numeric mode as “664”. This would indicate the first two users can read and write in this directory, while the third user can only read in this directory.

sudo chmod -R 644 /my/directory/
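
The mapping between the two notations, as an added example that is not part of the original article: sym_to_octal converts an ls -l mode string to the numeric form, and set_tree_mode applies a recursive change with chmod's capital X so that directories stay traversable, which a recursive 644 does not do. The function names and the sample mode strings are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article).

# sym_to_octal MODESTRING
# Convert the 10-character mode field printed by `ls -l` (for example
# drwxrwx---) into the four-digit numeric mode chmod accepts (0770).
# The first digit carries setuid (4), setgid (2) and sticky (1), which ls
# shows as s/S in the owner and group triplets and t/T in the last one.
sym_to_octal() {
    rest=${1#?}                      # drop the file-type character (d, -, l, ...)
    if [ "${#rest}" -ne 9 ]; then
        echo "bad mode string: $1" >&2
        return 1
    fi
    special=0
    digits=""
    for special_weight in 4 2 1; do  # owner, group, others
        remaining=${rest#???}
        triplet=${rest%"$remaining"} # the first three characters of $rest
        rest=$remaining
        r=${triplet%??}
        x=${triplet#??}
        w=${triplet#?}; w=${w%?}
        value=0
        case $r in r) value=$((value + 4)) ;; esac
        case $w in w) value=$((value + 2)) ;; esac
        case $x in
            x)   value=$((value + 1)) ;;
            s|t) value=$((value + 1)); special=$((special + special_weight)) ;;
            S|T) special=$((special + special_weight)) ;;  # special bit set, execute not set
        esac
        digits="$digits$value"
    done
    printf '%s%s\n' "$special" "$digits"
}

# mode_of PATH: numeric mode of an existing file or directory, read via ls.
# cut keeps the first 10 characters, so a trailing ACL/SELinux marker is ignored.
mode_of() {
    sym_to_octal "$(ls -ld -- "$1" | cut -c1-10)"
}

# set_tree_mode DIR
# Recursive change that keeps directories traversable. A numeric mode such
# as 644 applied with -R also clears the execute (search) bit on directories.
# Capital X grants execute only to directories and to files that already
# have an execute bit, so directories end up 0755 and plain files 0644.
set_tree_mode() {
    chmod -R u=rwX,go=rX -- "$1"
}

# Demo on constructed mode strings, including two special-bit cases.
for m in drwxrwx--- -rw-r--r-- -rw-rw-r-- -rwsr-xr-x drwxrwxrwt; do
    printf '%-11s -> %s\n' "$m" "$(sym_to_octal "$m")"
done
```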

Conclusion

Hopefully, this introduction to Linux file permissions and the chmod command has given you more insight into your Linux operating system. It’s important to learn the ins and outs of the Linux system: changes and updates to your operating system can be accomplished with simple commands, but you need to understand what commands you can use and how to utilize the command input systems.

How to encrypt a directory with eCryptfs on Ubuntu 16

eCryptfs is a powerful but simple-to-use tool for encrypting directories. Perhaps you are keeping sensitive information in your home directory, and wish to secure those files from an attacker who gains access to your server but not your user credentials. Or maybe your database contains sensitive details that you wish to encrypt at rest. With eCryptfs, it is easy to secure individual directories in a way that they cannot be accessed without a user logging into the account that owns the key. In this guide, we’ll encrypt the contents of a directory on an Ubuntu 16.04 server.

Getting Started

You’ll need the following in place before we begin:
• 1 server (Cloud Server or Dedicated Server), running a fresh installation of Ubuntu 16.04.
• Root access

Tutorial

Begin by installing the necessary packages.

apt-get install ecryptfs-utils -y

File encryption is a powerful tool, but its capabilities and limitations need to be understood before it is used for serious tasks. For purposes of illustration, we’ll create a test directory in /home so you can get a sense for how your encrypted filesystem will work.

mkdir /home/globotech

Now we’ll encrypt the contents of the globotech directory we’ve just made.

mount -t ecryptfs /home/globotech/ /home/globotech/

You’ll be prompted to choose a password, and to set an encryption type.

With these set, check if the contents of the directory are encrypted.

mount

[...]
cpu,cpuacct on /run/lxcfs/controllers/cpu,cpuacct type cgroup (rw,relatime,cpu,cpuacct,nsroot=/)
devices on /run/lxcfs/controllers/devices type cgroup (rw,relatime,devices,nsroot=/)
blkio on /run/lxcfs/controllers/blkio type cgroup (rw,relatime,blkio,nsroot=/)
name=systemd on /run/lxcfs/controllers/name=systemd type cgroup (rw,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd,nsroot=/)
lxcfs on /var/lib/lxcfs type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
tmpfs on /run/user/0 type tmpfs (rw,nosuid,nodev,relatime,size=101628k,mode=700)
/home/globotech on /home/globotech type ecryptfs (rw,relatime,ecryptfs_sig=9cff1b579bb64c22,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)

Next we’ll add a file with test content to this directory.

touch /home/globotech/file.txt
echo "Good Morning" > /home/globotech/file.txt

Unmount the encrypted globotech directory.

umount /home/globotech

With the directory unmounted, try to read the file you’ve just created.

cat /home/globotech/file.txt

[...]

You’ll notice that the file is encrypted and the content is inaccessible. Without the password, an attacker cannot gain access to the file you’ve just made.

If you’d like access to your file again, run the same command you ran previously:

mount -t ecryptfs /home/globotech/ /home/globotech/

Use the same password to access your files. Please keep this password safe. If it is lost, no one will be able to regain access to your files, not even your service provider.

cat /home/globotech/file.txt

Good Morning

Conclusion

Encryption is a powerful way to protect your files in the event of a compromised server or stolen laptop. Everyone should encrypt their sensitive data, so share this article with anyone who may not know how easy encrypting directories can be. If you found this article helpful, feel free to share it with your friends and let us know in the comments below!

How to install and use Linux Malware Detect (LMD) with ClamAV on Ubuntu 16

Though Linux is a less targeted operating system, it’s still important to monitor for malware. One of the best tools out there for doing so is Linux Malware Detect, which uses a variety of metrics to identify and remove malware. When used in conjunction with ClamAV, the well known antivirus solution for Linux (as well as Mac and Windows), Linux Malware Detect provides a very good defense against malicious software.

Getting Started

The steps of this guide require you to have the following:
• 1 server (Cloud Server or Dedicated Server) running Ubuntu 16.
• Root access to the server

Tutorial

In order to install Linux Malware Detect, you’ll first need to download the installation tarball from the project’s web site. You can find it at this address.

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Take your tarball and extract it into /usr/src/. Change into the resulting directory.

tar -xvf maldetect-current.tar.gz -C /usr/src
cd /usr/src/maldetect-*

An installation script is available for you to install LMD. Run it using this command:

./install.sh

Now let’s configure our Linux Malware Detect installation. We’ll need to make a few basic modifications to the default configuration file, so go ahead and open it in a text editor:

nano /usr/local/maldetect/conf.maldet

Here are the settings as they should look:

email_alert="1"
email_addr="youremail@localhost"
quarantine_hits="1"
quarantine_clean="1"
quarantine_suspend_user="1"
scan_clamscan="1"

Next, we’ll be installing ClamAV, so that Linux Malware Detect can use it as its antivirus engine.

apt-get install clamav -y
freshclam

You can do a lot with Linux Malware Detect. Here’s a sample of some commands you may find useful.

To update the library of malware detection signatures:

maldet -u

To update the installed version of Linux Malware Detect:

maldet -d

To scan all the files residing in a specific directory:

maldet -a /path

To put all threats that Linux Malware Detect has identified into quarantine:

maldet -q SCANID

To restore files from quarantine:

maldet -s SCANID

Conclusion

With Linux Malware Detect and ClamAV, you can rest easy knowing that you’ve got one of the premier antimalware and antivirus solutions available for Linux. If you found this article helpful, feel free to share it with your friends and let us know in the comments below!

How to change SSH port on CentOS 6

SSH is a useful program for remotely logging in to a computer over the internet or a network. It creates a secure connection so powerful commands and tools can be safely used. In order to do this it needs a ‘port’: a number on the server that identifies which program can connect. However, two programs trying to use the same port can cause network conflicts. And although the default port is usually fine, sometimes the way other programs are set up stops it from working properly.

The following guide explains how to change the port SSH connects to on a CentOS 6 server.

Getting Started

Confirm that you have the following before you follow this guide:
• 1 Node (Cloud Server or Dedicated Server) running CentOS 6.
• Root access to the node.

Tutorial

In order to change the port, the first step is editing the config file for ‘sshd’, which is the SSH daemon. Use this command to edit it:

nano /etc/ssh/sshd_config

The default port for SSH is 22. Change this number to whatever you need, but be sure to avoid ports already in use by the server or commonly used by other programs. This means most ports below 1024, but be sure to check what is in use to avoid conflicts later.

[...]
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22 <--- You need to remove the comment (#) and change the value to the port you want
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
[...]

After the config file has been edited and saved, the SSH daemon needs to be restarted for the changes to take effect. Use this:

service sshd restart

Or this:

/etc/init.d/sshd restart

If SELinux is enabled on the server, its security features will block the connection unless the port is also added there. Use this command, and insert the port number that was set in the sshd config file:

semanage port -a -t ssh_port_t -p tcp xxxx

Finally, the firewall will also need to be modified to allow the port through. If you used SSH for this guide, logging out before this last step will mean you can't log back in! Add this rule to the iptables rules file (/etc/sysconfig/iptables on CentOS 6), again substituting the port number used in the sshd config:

-A INPUT -m state --state NEW -m tcp -p tcp --dport xxxx -j ACCEPT

Conclusion

You can now securely connect to the server with SSH on the chosen port. If this guide was useful to you, share it with your friends!

How to change SSH port on Ubuntu 14

If you administer a remote server, then you’re doubtlessly familiar with Secure Shell, or SSH. It’s a protocol that was first designed in 1995 and is still the gold standard for secure remote login and monitoring of systems. The current version is SSH-2, which fixed many vulnerabilities present in the original SSH-1 protocol.

Because SSH is so ubiquitous, it’s also a common vector of attack for intruders. There are many methods for improving SSH security, including disabling password login (using a key instead) and disabling login as root. One can also use the obfuscation technique of simply changing the SSH port from the default 22 to something else. This has the added benefit of cutting down on the number of automated bot attacks that clutter up your logs.

This guide will walk you through the process of changing the SSH port on a server running Ubuntu 14.

Getting Started

Confirm that you have the following before you follow this guide:
• 1 Node (Cloud Server or Dedicated Server) running a fresh installation of Ubuntu 14.
• Root access to the node.

Tutorial

sshd is the daemon that runs SSH on Linux. Its configuration file has many options that you can tweak to alter the daemon’s behavior on your machine. Open the file and edit it with the text editor of your choosing.

nano /etc/ssh/sshd_config

It’s a simple matter to change the Port 22 default to your port of choice.

[...]
# What ports, IPs and protocols we listen for
Port 22 <--- Change this value (22) to the port you want
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
[...]

Of course, you'll have to make sure not to use a port that's already in use by the server. Additionally, avoid the well-known ports 0-1023 and the registered ports 1024-49151, as they are generally reserved for other protocols and services. 49152 through 65535 are your best bet for a new port for your SSH service.

Now, restart the SSH daemon so it will reflect the changes you've made.

service ssh restart

or

/etc/init.d/ssh restart

Naturally, you'll need to verify that the port is allowed in your firewall. Otherwise, if the firewall only allows port 22, you won't be able to log back in again as soon as you log out.

ufw allow xxxx/tcp

Make sure xxxx is the port you set in the ssh config file.
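
A pre-flight check for the lockout risk described in both SSH guides above, as an added example that is not part of the original guides: it reads the active Port lines from an sshd_config and confirms that a saved rule listing (iptables -S format) accepts each one. The function names, port 50022 and the sample files are constructed; ufw-user-input is the chain where ufw places rules created with ufw allow.

```sh
#!/bin/sh
# Added example (not from the original guides): check that every port sshd
# will listen on is accepted by the firewall before restarting the daemon.

# sshd_ports CONFIG: print each active Port value, or 22 if none is set.
# Keywords are case-insensitive; a commented line has "#Port" as its first
# field and is therefore skipped.
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; n++ } END { if (!n) print 22 }' "$1"
}

# firewall_allows RULES PORT: succeed if RULES (saved `iptables -S` output)
# holds a tcp ACCEPT rule for PORT in INPUT or ufw-user-input.
# Limitation: rule order and earlier DROP/REJECT rules are not evaluated.
firewall_allows() {
    awk -v port="$2" '
        $1 == "-A" && ($2 == "INPUT" || $2 == "ufw-user-input") {
            tcp = 0; dport = 0; accept = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-p" && $(i + 1) == "tcp") tcp = 1
                if ($i == "--dport" && $(i + 1) == port) dport = 1
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            }
            if (tcp && dport && accept) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# in_dynamic_range PORT: the 49152-65535 range the Ubuntu guide recommends.
in_dynamic_range() {
    [ "$1" -ge 49152 ] && [ "$1" -le 65535 ]
}

# preflight CONFIG RULES: report each port; non-zero exit if any port that
# sshd will use has no matching ACCEPT rule.
preflight() {
    status=0
    for port in $(sshd_ports "$1"); do
        if firewall_allows "$2" "$port"; then
            echo "ok: tcp/$port is accepted by the firewall rules"
        else
            echo "LOCKOUT RISK: sshd will listen on tcp/$port but no ACCEPT rule matches"
            status=1
        fi
        if ! in_dynamic_range "$port"; then
            echo "note: tcp/$port is outside 49152-65535"
        fi
    done
    return "$status"
}

# Demo with constructed input: the port was changed, the firewall was not.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '#Port 22' 'Port 50022' '#ListenAddress 0.0.0.0' > "$dir/sshd_config"
    printf '%s\n' \
        '-P INPUT DROP' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' > "$dir/rules"
    preflight "$dir/sshd_config" "$dir/rules" || echo "fix the firewall before restarting sshd"
    rm -rf "$dir"
}
demo
```

On a real server, feed it /etc/ssh/sshd_config and the saved output of iptables -S, and run sshd -t to validate the configuration file before the restart.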

Conclusion

Now that you have changed SSH's default port, you can rest assured that your server is more secure. Remember to specify the new port with the -p flag the next time you log into your server. If this guide was useful to you, share it with your friends!

How To Migrate Iptables Firewall Rules to a New Server

This guide will go over the basic steps you should take in order to transfer firewall rules from one server to another.

Getting started

You’ll need the following in place before getting started with this guide:
• 2 Nodes (Cloud Server or Dedicated Server)

You’ll be transferring rules from one to another, so if you like, make sure they each have different firewall rules before beginning the guide so as to demonstrate its effectiveness.

Tutorial

First, check current iptables rules on server1.

iptables -S

Output Sample:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -j DROP

You have the option to save server1’s iptables rules to a file. This is the command to do so.

iptables-save > iptables-rules-file

Now you can copy the file from server1 to server2. This is really all you’ll need to reinstate the rules on the other server.

scp iptables-rules-file root@ip.of.server.2:/root

Restore the rules on server2 from the file you just transferred.

iptables-restore < /root/iptables-rules-file

Review your iptables rules on server2 to make sure that they were indeed copied over.

iptables -S

Here's a sample of the output you should expect to see.

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -j DROP
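
A scripted version of that final comparison, as an added example that is not part of the original guide: it strips the parts of an iptables-save dump that legitimately differ between hosts (timestamp comments and packet counters) and then compares the two rule sets in order. The function names and the dumps written by make_dump are constructed, reusing the rules from the sample output above.

```sh
#!/bin/sh
# Added example (not from the original guide): confirm that the rule set on
# server2 matches the dump taken on server1.

# normalize_rules FILE: print an iptables-save dump without "# Generated" /
# "# Completed" comment lines and without [packets:bytes] counters.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/\[[0-9]*:[0-9]*\]//' \
        -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' "$1"
}

# rules_match A B: succeed only if both dumps hold the same rules in the
# same order (iptables evaluates rules top to bottom, so order matters).
rules_match() {
    [ "$(normalize_rules "$1")" = "$(normalize_rules "$2")" ]
}

# missing_rules SRC DST: print every line of SRC that is absent from DST.
missing_rules() {
    dst_tmp=$(mktemp) || return 2
    normalize_rules "$2" > "$dst_tmp"
    # grep exits 1 when nothing is missing; that is not an error here.
    normalize_rules "$1" | grep -F -x -v -f "$dst_tmp" || true
    rm -f "$dst_tmp"
}

# make_dump FILE STAMP PACKETS: write a constructed iptables-save dump.
make_dump() {
    printf '%s\n' \
        "# Generated by iptables-save on $2" \
        '*filter' \
        ":INPUT ACCEPT [$3:9000]" \
        ':FORWARD ACCEPT [0:0]' \
        ":OUTPUT ACCEPT [$3:7000]" \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT' \
        '-A INPUT -s 1.2.3.4/32 -j DROP' \
        'COMMIT' \
        "# Completed on $2" > "$1"
}

# Demo: an intact copy, then a copy that lost its DROP rule.
demo() {
    dir=$(mktemp -d) || return 1
    make_dump "$dir/server1.rules" "Mon Jan  1 10:00:00 2018" 120
    make_dump "$dir/server2.rules" "Mon Jan  1 10:05:00 2018" 3
    grep -v -e '-j DROP' "$dir/server2.rules" > "$dir/server2.partial"
    if rules_match "$dir/server1.rules" "$dir/server2.rules"; then
        echo "server2 matches server1"
    fi
    if ! rules_match "$dir/server1.rules" "$dir/server2.partial"; then
        echo "rules missing on server2:"
        missing_rules "$dir/server1.rules" "$dir/server2.partial"
    fi
    rm -rf "$dir"
}
demo
```

On the destination server, iptables-restore --test < /root/iptables-rules-file parses the file without committing it, which catches a truncated transfer before any rule is changed.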

Conclusion

With that, you should now have successfully migrated your iptables rules from one server to another. Refer to the man pages for iptables to get an idea of what else you can do with this versatile program. If you liked this KB article, please share it with your friends.

How to update an Ubuntu server using apt-get

Security in the cloud is paramount, and so it’s important to keep your server up to date. If you don’t regularly apply the latest security fixes and patches to your machine, then you run the risk of your server being compromised due to an easily preventable exploit.

When you’re running Ubuntu, the primary method to keep your server updated is by using apt-get, a package manager included with Ubuntu. apt-get makes it easy to grab the latest updates to any installed package.

Getting Started

Confirm that you have the following before you follow this guide:
• 1 Node (Cloud Server or Dedicated Server) running Ubuntu.

Additionally, it’s important to remember to back up your server and data on a regular basis, especially before making any substantial updates or upgrades to your system.

Tutorial

Basic commands

apt-get has a number of subcommands that you may find useful during server administration tasks. The following are the most common ones that you’ll use.

apt-get update
This command will inform your system of the latest packages extant in the repository. It downloads all lists of packages from any repositories installed on your system and then uses them to update your local copy. This will give your system information on the newest versions of packages and their dependencies.

apt-get upgrade
This command is the simplest way to update your system. It will check your package lists and download any detected new versions of packages existing on the machine. One caveat is that you have to have used apt-get update first.

apt-get dist-upgrade
Similar to the above, except this command will also intelligently handle dependencies. It has the ability to remove obsolete packages and add new ones.

Before you upgrade, apt-get will show all the packages that will be upgraded and ask for a confirmation. Simply press Y to confirm. If you’d like to see the full history of upgraded packages, point your text editor to /var/log/apt/history.log.

How to update the OS version of an Ubuntu server using apt-get

First, you must make sure that your server packages are up to date. You can do this by running the command apt-get update && apt-get upgrade.

do-release-upgrade
This command will start the upgrade process of the server. Conveniently for those running the system update over an ssh session, the server will provide you a new ssh port and connection in case you lose the initial connection.

reboot
Once the update process has finished, you will be prompted to reboot your server in order to apply the new kernel and any final modifications.

How to Install and Use Linux Malware Detect (LMD) with ClamAV on CentOS 7

There is less risk of malevolent software on Linux and Unix systems compared to other operating systems, but they are not necessarily immune to the threat of malware and viruses. Linux Malware Detect (LMD) is a free, open source malware scanner for Linux designed especially for mitigating malware risks in a shared hosting environment. It is often used in conjunction with ClamAV as an antivirus engine. LMD itself is licensed under the GNU General Public License, version 2, and the source is hosted on GitHub.

Getting started

In order to follow this guide, you will need the following:
• 1 Node (Cloud Server or Dedicated Server) running a clean installation of CentOS 7.
• Root access to the server

Tutorial

The first step is to install LMD. You will need to install it from source, so download the installation tarball from the project’s web site.

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Extract the tarball into your /usr/src/ folder, and then make it your current working directory.

tar -xvf maldetect-current.tar.gz -C /usr/src
cd /usr/src/maldetect-*

You can complete the installation by using the installation script.

./install.sh

Configuring Linux Malware Detect (LMD)

LMD’s configuration is stored in conf.maldet. We’ll need to make some changes to the default setup, so open this file in an editor.

nano /usr/local/maldetect/conf.maldet

In the file, modify the following sections:

#!/bin/bash
#
##
# Linux Malware Detect vX.X.X
[...]
# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=1

# The subject line for email alerts
email_subj="maldet alert from $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="your@email.com"

# Ignore e-mail alerts for reports in which all hits have been cleaned.
# This is ideal on very busy servers where cleaned hits can drown out
# other more actionable reports.
email_ignore_clean="0"
[...]
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=0

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=0

# The default suspend action for users wih hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = suspend account]
quar_susp=0
[...]
# [ SCAN OPTIONS ]
##
[...]
# [ 0 = disabled, 1 = enabled; enabled by default ]
clamav_scan=1

And these are the most important settings to be configured:

email_alert=1
email_addr=youremail@localhost
email_subj="Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)"
quar_hits=1
quar_clean=1
quar_susp=1
clamav_scan=1

The next task is to install ClamAV and have LMD use it as the antivirus engine. To install ClamAV, you will need to add a repository to your system. Create a repo file at /etc/yum.repos.d called dag.repo.

nano /etc/yum.repos.d/dag.repo

Then copy the following into dag.repo.

[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag/
gpgcheck=1
gpgkey=http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
enabled=1

Once you’re done setting up the new repository, you can install clamd using yum.

yum update && yum install clamd

Conclusion

You’re now done with the installation process, and can use LMD with ClamAV to detect malware on your server. If this guide was helpful to you, kindly share it with others who may also be interested.

Here are a few commands you may find useful:

To update the LMD malware detection signatures:

maldet -u

To update the installed version of LMD:

maldet -d

To scan all files located in a specific directory:

maldet -a /path

To put all detected threats into quarantine:

maldet -q SCANID

To restore files from quarantine:

maldet -s SCANID

How To Create a Sudo User on CentOS 7

If you’re manually provisioning a server, you should never connect directly as root. Rather, you should create separate users with sudo capabilities, always accessing the server as the non-root user and running root commands with sudo. This setup has several key advantages. First, users can be limited in what commands they run, or what actions are taken as root. You can also audit actions, as well as easily revoke root access without rotating keys or changing a root password to which everyone has access.

Getting Started

To complete this guide, you will need the following:
• 1 Node (Cloud Server or Dedicated Server) with a clean CentOS 7 installed.

When finished, you’ll have a regular user who can elevate privileges to root.

Tutorial

We’ll begin by creating a normal user. In this case, the user is named “globotech.”

adduser globotech

Set the user’s password so it can connect and authenticate.

passwd globotech

By default, all members of the “wheel” group get sudo privileges. This enables group members to run commands as the root user. Let’s add our user to this group.

usermod -aG wheel globotech

The content of /root is normally not visible to regular users. To test out our setup, let’s connect as globotech.

su -l globotech

Next, use the sudo command to gain root privileges. Sudo accepts another command that is run as root. In this case, we run the command to list the /root directory, but do so as the root user. You’ll be prompted for a password, which should be the globotech password you set up previously.

sudo ls /root

You can now log in as globotech and run any command as root. Just remember to prepend “sudo” to any command you wish to run with administrative privileges.

Conclusion

You now have a secure system which lets individual users gain administrative privileges. While this example lets users run specific commands, it is also possible to limit access to certain command types. You might, for instance, let some users run all commands, others only manipulate files, and still others install and remove packages. With sudo, you can create arbitrarily rich administrative access control lists for any use case you can imagine. If this guide was helpful to you, kindly share it with others who may also be interested.

A self-signed SSL certificate is an easy way to secure communication between a client and server without spending money, or without the hassle of setting up Let’s Encrypt. While it has the major disadvantage of lacking browser support, it can be set up and deployed in minutes.

Getting Started

To complete this guide, you will need the following:
• 1 Node (Cloud Server or Dedicated Server) running a clean Linux installation and cPanel.

We’ll set up a self-signed certificate so your communication with cPanel-managed domains is secure.

Tutorial

Begin by logging into your cPanel installation.

In the Security section of the cPanel home screen, click on SSL/TLS Manager.

Now look under Private Keys (KEY). Here you’ll click the button labeled Generate, view, upload, or delete your private keys. You’re now on the Private Keys page.

Confirm that the key size is set to 2048 bits under the section labeled Generate a New Private Key.

Give the key a meaningful description, like “Self-signed certificate.” You may later wish to replace this with an official certificate, so it’s helpful to know which key should be removed in that instance.

Now click Generate. You’ll be shown your certificate’s private key.

Next click the link labeled Return to SSL Manager.

We need to generate a certificate for our private key. Under the section labeled Certificates (CRT), click Generate, View, Upload or Delete SSL Certificates. You’re now on the Certificates page.

Under Generate a New Certificate, select the private key description in the key list box.

In the Domains field, type the domain you wish to secure, such as test.example.com. This must match exactly.

Complete the remaining fields on this screen.

Make sure you use the correct two-letter country code (for example, US or FR). For a complete list of these codes, please visit http://www.iso.org/iso/country_codes/iso_3166_code_lists/country_names_and_code_elements.htm

Now click Generate. cPanel will generate and display your new self-signed SSL certificate.

Now click Return to SSL Manager.

We’ve created our private key and SSL certificate. Now we need to install it on the site we wish to protect. From the SSL/TLS Manager page, under Install and Manage SSL for your site (HTTPS), click Manage SSL sites. The Manage SSL Hosts page is now displayed.

In the Install an SSL Website section, click Browse Certificates. You should see the certificate you just created. Select it and click Use Certificate. Notice that cPanel fills in the certificate details for you.

Because this is a self-signed certificate, the Certificate Authority Bundle (CABUNDLE) field remains blank.

Now select the domain you wish this certificate to secure.

Finally click Install Certificate. cPanel automatically handles this process, inserting the key and certificate correctly. When complete, you’ll receive a message telling you that the certificate was successfully installed.

Click OK. You can now access this domain securely via an HTTPS URL, though you’ll also have to accept the self-signed certificate in your browser.

Conclusion

Despite their drawbacks, self-signed certificates are a great and quick way to secure your connections. With a self-signed certificate in place, you can safely transmit passwords and other sensitive data without worrying about interception and compromise. If this guide was helpful to you, kindly share it with others who may also be interested.