Install CSF Firewall for Cpanel

CSF firewall commonly known as Config server Security and Firewall has become one of the popular firewalls used for security purpose in the Linux Cpanel servers.

CSF has Login Failure Daemon (lfd) process that runs all the time and periodically (every X seconds) scans the latest log file entries for login attempts against your server that continually fail within a short period of time. Such attempts are often called "Brute-force attacks" and the daemon process responds very quickly to such patterns and blocks offending IP's quickly.

Installation Steps

1. Download the package from CSF  website

wget <<path_of_tgz_file>>

2. Untar it

tar -zxf csf.tar.gz

3. Run the Install script.

sh /csf/install.sh

4. Remove APF or IPTables Firewall
If you have any existing IP tables firewall remove them using uninstall scripts located at /etc/csf. In this case i was running APF firewall and BFD in my server so i have to remove it.

sh /etc/csf/remove_apf_bfd.sh

5. Start the Firewall in Testing Mode
Start the firewall with the following command.

csf -s
// start the firewall
csf -r
// restart the firewall
csf -f
// flush the rules or stop the firewall.

If you are running a VPS plan, then you might get the error like this
"iptables LKM ip_tables missing so this firewall cannot function unless you enable MONOLITHIC_KERNEL in /etc/csf/csf.conf
Error: aborted, at line 156"
To fix:
Open the /etc/csf/csf.conf and look for a line MONOLITHIC_KERNEL = "0" and change to MONOLITHIC_KERNEL = "1"
Thats all! Now restart the firewall.
7. Specify which ports you want to allow.
It is very important to check the firewall on which ports to open and close all remaining port numbers. Open the /etc/csf/csf.conf and edit the following line with port numbers

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,953,993,995,2077,2078,2082,2083,2087"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,953,2087,2089,2703"
# Allow incoming UDP ports
UDP_IN = "20,21,53,953"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123,873,953,6277"

21 => FTP
22 => SSH
23 => Telnet
25 => SMTP Mail Transfer
43 => WHOIS service
53 => name server (DNS)
80 => HTTP (Web server)
110 => POP protocol (for email)
443 => HTTP Secure (SSL for https:// )
995 => POP over SSL/TLS
9999 => Urchin
3306 = > MysQL Server
2082 => CPANEL Default
2083 => CPANEL - Secure/SSL
2086 => CPANEL WHM
2087 => CPANEL WHM - Secure/SSL
2095 => cpanel webmail
2096 => cpanel webmail - secure/SSL
8443 =>  Plesk control panel
2222 => Direct admin control panel
1000 => Webmin Control Panel
19638 TCP Ensim Server Control Panel
For more information about commonly used port numbers refer to this article
6. Disable the Testing Mode and Start the Firewall
Remember by default the firewall is running in testing mode. You might want to disable the firewall running in testing mode.

nano /etc/csf/csf.conf

//Look for the first line and set testing mode to "0"
TESTING = "0"

//Now restart the firewall!
csf -r 

Config Files

/etc/csf/csf.conf CSF Firewall configuration file
/etc/csf/csf.allow => Config file to allow IPs
/etc/csf/csf.deny => Config file to deny IPs
/etc/csf/ => Alert files with TXT extension are stored within this directory

Remove the CSF Firewall

Just run the uninstall script located at /etc/csf/ directory

sh /etc/csf/uninstall.sh

 
To look for open ports, just use the following commands in linux and observe which ports are open.

netstat -nap
OR
nmap fuser localhost

 

Update Webalizer stats for a single domain in Cpanel server

cd /home/USER/tmp/
cp -af webalizer webalizer.old
cp -af webalizerftp webalizerftp.old
cd webalizer
/usr/local/cpanel/3rdparty/bin/webalizer /usr/local/apache/domlogs/domainname -n domainname

Usage: ./webalizer [options] [log file]
-h = print this help message
-v -V = print version information
-d = print additional debug info
-F type = Log type. type= (clf | ftp | squid)
-f = Fold sequence errors
-i = ignore history file
-p = preserve state (incremental)
-q = supress informational messages
-Q = supress _ALL_ messages
-Y = supress country graph
-G = supress hourly graph
-H = supress hourly stats
-L = supress color coded graph legends
-l num = use num background lines on graph
-m num = Visit timout value (seconds)
-T = print timing information
-c file = use configuration file 'file'
-n name = hostname to use
-o dir = output directory to use
-t name = report title 'name'
-a name = hide user agent 'name'
-r name = hide referrer 'name'
-s name = hide site 'name'
-u name = hide URL 'name'
-x name = Use filename extension 'name'
-P name = Page type extension 'name'
-I name = Index alias 'name'
-A num = Display num top agents
-C num = Display num top countries
-R num = Display num top referrers
-S num = Display num top sites
-U num = Display num top URLs
-e num = Display num top Entry Pages
-E num = Display num top Exit Pages
-g num = Group Domains to 'num' levels
-X = Hide individual sites
-D name = Use DNS Cache file 'name'
-N num = Number of DNS processes (0=disable)

Setting the Background color in Linux Shell

1) You can  do the  color settings is in this file: /etc/DIR_COLORS.

2)  Set the code in the line DIR XX;XX     

3) Change the font color using the code below with examples

4) To have the color to have effect in root ,  copy the file to root directory

     cp /etc/DIR_COLORS  /root/.dircolors

5) To have the color to have effect in user account, copy to home directory

     cp /etc/DIR_COLORS  /home/.dircolors

6)  To use customized colors you must use special string combination:

        FILE-TYPE: is file type like DIR (for directories)
  


 Attribute codes:
       
        00=none
        01=bold
        04=underscore
        05=blink
        07=reverse
        08=concealed
Text color codes:
       
        30=black
        31=red
        32=green
        33=yellow
        34=blue
        35=magenta
        36=cyan
        37=white
  
Background color codes:
       
        40=black
        41=red
        42=green
        43=yellow
        44=blue
        45=magenta
        46=cyan
        47=white

For example  entry should look as follows:
DIR 01;36


# vi /etc/DIR_COLORS

Modify DIR entry
From:

DIR 01;36 # default is Magenta

To:

DIR 01;36;40 # default is Magenta with Black background

How to make the files immutable in linux

You can immutable the files using chattr command.


To add Chattr +i  file name


To remove . Chattr -i  file name


To list all the immutable files  lsattr command is used.

Steps to install Trendy Flash and Softaculous

Trendyflash
Go to WHM and click on Tweak Settings and Make sure Ioncube Loaders are installed on the server.

1.wget "http://www.trendyflashdownload.com/installer/cp/trendysitebuilder.sh"
2.chmod 755 trendysitebuilder.sh
3. ./trendysitebuilder.sh

You can view "Trendy Site Builder Icon" under the Software/Services Group in their cPanel.

Softaculous.

1. cd /usr/local/cpanel/whostmgr/docroot/cgi
2. wget -N http://www.softaculous.com/ins/addon_softaculous.php
3. chmod 755 addon_softaculous.php

You can now view it  in  WHM > Plugins > Softaculous

Steps to install fantastico.

Login as root to server via ssh.

1.cd /usr/local/cpanel/whostmgr/docroot/cgi
2.wget -N http://files.betaservant.com/files/free/fantastico_whm_admin.tgz
3.tar -xzpf fantastico_whm_admin.tgz
4.rm -rf fantastico_whm_admin.tgz
5.chmod -R 0755 /usr/local/cpanel/3rdparty/etc/ixed

Go to WHM, login as root and click on Tweak Settings, then you should ensure that both the Ioncube loader is selected for the backend copy of PHP. Save changes.

Now go here:
WHM -> Add-Ons (Plugins on v11.x or higher) -> Fantastico De Luxe WHM Admin (scroll down the left menu).

WHM Sonic shout cast

WHMSonic is a popular WHM/cPanel plugin, intended on making your life easier. WHMSonic's plugins install in seconds and allows you to offer Shoutcast streaming media, AutoDJ, radio reseller from your Dedicated or VPS server without SSH access. Our plugins also support your users cPanel. Users can setup radio from their cPanel and fully control it under your permission.

Installation
Login in to root via ssh
1.cd /root/
2.wget http://www.whmsonic.com/setupr/installr.sh
3.chmod +x installr.sh
4. ./installr.sh

uninstall

cd /root/; wget http://www.whmsonic.com/setupr/uninstall.sh; chmod +x uninstall.sh; ./uninstall.sh 

Steps to install Cpanel & WHM

Steps to install cpanel

A valid cpanel  cpanel licenese you will need to obtain for your IP address before starting the cpanel installation. You can also get the trail and paid license from cpanel.You can use Red hat Linux or Cent OS to install the cpanel. (SELinux should be disabled in /etc/selinux/config ).

ssh into root
ping google.com

1.check the free memory -df -l
2.check the ram speed -free -m
Both i386 (32-bit) and x86-64 (64-bit) architectures will work with cPanel.
512 MB of RAM (1 GB minimum is recommended when hosting many accounts). -arch
10 GB free hard drive space (More is required to host multiple accounts).
3.check the hostname
4.service httpd status " active " yum remove httpd
   service iptables stop
5.uname -a
6.cat /etc/redhat-release
7.cd /home
8.wget -N http://httpupdate.cpanel.net/latest
9.screen
10.sh latest

If licensing has failed (due to a strict firewall or changed IP), execute the following command to activate your license:
  /usr/local/cpanel/cpkeyclt
=================================================

Email limiting in cpanel

1.You can set this in the WebHost Manager by editing the setting for Max hourly emails in Main >> Server Configuration >> Tweak Settings.
You can change the maximum number of emails allowed for a particular domain to a different number than the system default using the
file /var/cpanel/maxemails.

Just add an entry like ‘domain.com = 200″. which means 200 is the maximum email per hour limit for domain.com.

after that execute /scripts/build_maxemails_config

If you are using csf firewall - There is an option "RT_LOCALRELAY_LIMIT" which limits the amount of emails sent locally.
vi /etc/csf/csf.conf


2.  Check email account disk quotas

cat ~username/.cpanel/email_accounts.yaml
---
domain.tld:
  accounts:
      user:
      diskquota: '0'
      diskused:'0'
      mtime: '0'
  disk_mtime: '0'
  mtime: ' '
  quota_mtime: ' '

If needing to modify e-mail account disk quotas please do so via cPanel to ensure all pertinent files are properly updated:

    cPanel: Main >> Mail >> Email Accounts

3.If you copy e-mail accounts manually to another server, you will want to move /$HOME/$USER/.cpanel/email_accounts.yaml and /$HOME/$USER/.cpanel/email_accounts.cache so that they will be regenerated the next time you log into cPanel as the account user. Moving the files will force cPanel to re-read the passwd and shadow file for the account and correctly populate the email_accounts.yaml file.

4. In this case, you have to manually remove the email account entries for domain yourdomain.com from the existing account.

The files you need to remove the entries from are

/home/user/etc/yourdomain.com/passwd

/home/user/etc/yourdomain.com/shadow

/home/user/.cpanel/email_accounts.yaml

The directory that need to be removed is

/home/user/mail/yourdomain.com

where, ‘user’ is the cPanel username of yourdomain.com.

Awstats update now button is not showing in cPanel for the domains

1. You can enable awstats for all the domains using
WHM Main >> Server Configuration >> Tweak Settings >>stats Program>> Enable Awstats stats to on
status.
2. You can enable the awstats for one particular domain by
 1).. Login to your server via SSH as root
 2) . cd /home/username/tmp/awstats/
 3) Edit awstats config file of domain. For example awstats.domain.com.conf using following command:
   vi awstats.domain.com.conf
4) Search for  / Allow To Update Stats From Browser.
5) Assign the value “1” as shown below:

AllowToUpdateStatsFromBrowser= 1

6) Save the file and exit.


The statistics page is available now for a particular domain

How to configure Linux Server to send email Alert on Root Login

1. Login to the server via SSH using as root ID.
2. Ensure that you’re at home directory of root. The open up the .bashrc for editing using pico or vi by typing one of the following commands at command shell line:

vi .bashrc

3. Scroll down to the end of the file and add the following line:

echo ‘ALERT – Root Shell Access on:’ `date` `who` | mail -s “Alert: Root Access from `who | cut -d”(” -f2 | cut -d”)” -f1`” user@example.com

Replace user@example.com with the actual email account address that you want to the root access alert notification been sent to. Note that you can even change the text content in the email alert. The text starting with first ALERT is written as email body, and you can add in other info such as host name or change the wordings. The second Alert is the email body.
Now log out and login again as root, you should receive an email alert at your inbox.

Wildcard SSL

A wildcard ssl basically allows you to use unlimited subdomains on a given domain name with one SSL certificate.  A user will need to purchase a wildcard SSL from a vendor that supplies them.

Similar to having multiple certificates installed on a server, each subdomain containing the certificate needs its own IP as well.  Wildcard SSL’s do not work like Wildcard DNS – you really do have to specifically install the certificate on each subdomain. Here are two methods to setting up Wildcard certificates for a domain.

Multiple Accounts

In this scenario, you’d have each subdomain hosted as a separate cPanel account, and each of those cPanel accounts will have its own IP address.

   1. Generate the Certificate Signing Request (CSR) in WHM, using *.domain.com
   2. Assign each account its own IP address by change website site  ip iption in the whm or update  in the    httpd   configuration file (virtual host) and run /scripts/rebuildhttpdconf command
    You can also simply edit /var/cpanel/userdata/username/sub.domain.com and /var/cpanel/userdata/username/sub.domain.com_SSL files to provide a different IP there, then you can edit the DNS zone in WHM > Edit DNS Zone for the addon domain and subdomain to have it use that other IP.

    3.When you’re obtained the certificate,go to WHM > Install a SSL Certificate and Setup the Domain and paste in the CRT and CA Bundle for *.domain.com
    4.The fields should auto-populate, in which case you need to make sure the IP is correct, then change the SSL hostname from *.domain.com to the target subdomain
    5.Click install to install the certificate

One Account

This method may be best for users that are not resellers or that are on shared hosting servers, where having multiple cpanel accounts may not be ideal. In this case, you’d have one cPanel account and assign multiple IPs to its subdomains.

   1.  Generate the Certificate Signing Request (CSR) in WHM, using *.domain.co
   2. Same as above. 
   3  When you’re obtained the certificate,go to WHM > Install a SSL Certificate and Setup the Domain and paste in the CRT and CA Bundle for *.domain.com
   4.The fields should auto-populate, in which case you need to make sure the IP is correct, then change the SSL hostname from *.domain.com to the target subdomain
   5.Click install to install the certificate

Cpanel back end files

Apache
=======
/usr/local/apache
+ bin- apache binaries are stored here - httpd, apachectl, apxs
+ conf - configuration files - httpd.conf
+ cgi-bin
+ domlogs - domain log files are stored here
+ htdocs
+ include - header files
+ libexec - shared object (.so) files are stored here - libphp4.so,mod_rewrite.so
+ logs - apache logs - access_log, error_log, suexec_log
+ man - apache manual pages
+ proxy -
+ icons -

Init Script :/etc/rc.d/init.d/httpd - apache start script
Cpanel script to restart apache - /scripts/restartsrv_httpd
========================================================== 

Exim
=====
Conf : /etc/exim.conf - exim main configuration file
/etc/localdomains - list of domains allowed to relay mail
Log : /var/log/exim_mainlog - incoming/outgoing mails are logged here
/var/log/exim_rejectlog - exim rejected mails are reported here
/exim errors are logged here
Mail queue: /var/spool/exim/input
Cpanel script to restart exim - /scripts/restartsrv_exim
Email forwarders and catchall address file - /etc/valiases/domainname.com
Email filters file - /etc/vfilters/domainname.com
POP user authentication file - /home/username/etc/domainname/passwd
catchall inbox - /home/username/mail/inbox
POP user inbox - /home/username/mail/domainname/popusername/inbox
POP user spambox - /home/username/mail/domainname/popusername/spam
Program : /usr/sbin/exim (suid - -rwsr-xr-x 1 root root )
Init Script: /etc/rc.d/init.d/exim
=========================================================== 

ProFTPD
========
Program :/usr/sbin/proftpd
Init Script :/etc/rc.d/init.d/proftpd
Conf: /etc/proftpd.conf
Log: /var/log/messages, /var/log/xferlog
FTP accounts file - /etc/proftpd/username - all ftp accounts for the domain are listed here
=========================================================

Pure-FTPD
=========
Program : /usr/sbin/pure-ftpd
Init Script :/etc/rc.d/init.d/pure-ftpd
Conf: /etc/pure-ftpd.conf
Anonymous ftp document root - /etc/pure-ftpd/ip-address
==========================================================

Frontpage Extensions
=================
Program - (Install): /usr/local/frontpage/version5.0/bin/owsadm.exe
Uninstall and then install for re-installations
FP files are found as _vti-bin, _vti-pvt, _vti-cnf, vti-log inside the public_html
==========================================================

Mysql
=======
Program : /usr/bin/mysql
Init Script : /etc/rc.d/init.d/mysql
Conf : /etc/my.cnf, /root/.my.cnf
Data directory - /var/lib/mysql - Where all databases are stored.
Database naming convention - username_dbname (eg: john_sales)
Permissions on databases - drwx 2 mysql mysql
Socket file - /var/lib/mysql/mysql.sock, /tmp/ mysql.sock
===========================================================

SSHD
======
Program :/usr/local/sbin/sshd
Init Script :/etc/rc.d/init.d/sshd
/etc/ssh/sshd_config
Log: /var/log/messages
=========================================================

Perl
====
Program :/usr/bin/perl
Directory :/usr/lib/perl5/5.6.1/
=======================================================

PHP
====
Program :/usr/local/bin/php, /usr/bin/php
ini file: /usr/local/lib/php.ini - apache must be restarted after any change to this file
php can be recomplied using /scripts/easyapache
=========================================================

Named(BIND)
============
Program: /usr/sbin/named
Init Script: /etc/rc.d/init.d/named
/etc/named.conf
db records:/var/named/
/var/log/messages
========================================================

Cpanel installation directory structure
=============================
/usr/local/cpanel
+ 3rdparty/ - tools like fantastico, mailman files are located here
+ addons/ - AdvancedGuestBook, phpBB etc
+ base/ - phpmyadmin, squirrelmail, skins, webmail etc
+ bin/ - cpanel binaries
+ cgi-sys/ - cgi files like cgiemail, formmail.cgi, formmail.pl etc
+ logs/ - cpanel access log and error log
+ whostmgr/ - whm related files

WHM related files
===============
/var/cpanel - whm files
+ bandwidth/ - rrd files of domains
+ username.accts - reseller accounts are listed in this files
+ packages - hosting packages are listed here
+ root.accts - root owned domains are listed here
+ suspended - suspended accounts are listed here
+ users/ - cpanel user file - theme, bwlimit, addon, parked, sub-domains all are listed in this files
+ zonetemplates/ - dns zone template files are taken from here


Important cpanel/whm files
====================
/etc/httpd/conf/httpd.conf - apache configuration file
/etc/exim.conf - mail server configuration file
/etc/named.conf - name server (named) configuration file
/etc/proftpd.conf - proftpd server configuration file
/etc/pure-ftpd.conf - pure-ftpd server configuration file
/etc/valiases/domainname - catchall and forwarders are set here
/etc/vfilters/domainname - email filters are set here
/etc/userdomains - all domains are listed here - addons, parked,subdomains along with their usernames
/etc/localdomains - exim related file - all domains should be listed here to be able to send mails
/var/cpanel/users/username - cpanel user file
/var/cpanel/cpanel.config - cpanel configuration file ( Tweak Settings )*
/etc/cpbackup-userskip.conf -
/etc/sysconfig/network - Networking Setup*
/etc/hosts -
/var/spool/exim -
/var/spool/cron -
/etc/resolv.conf - Networking Setup--> Resolver Configuration
/etc/nameserverips - Networking Setup--> Nameserver IPs ( FOr resellers to give their nameservers )
/var/cpanel/resellers - For addpkg, etc permissions for resellers.
/etc/chkserv.d - Main >> Service Configuration >> Service Manager *
/var/run/chkservd - Main >> Server Status >> Service Status *
/var/log/dcpumon - top log process
/root/cpanel3-skel - skel directory. Eg: public_ftp, public_html. (Account Functions-->Skeleton Directory )*
/etc/wwwacct.conf - account creation defaults file in WHM (Basic cPanel/WHM Setup)*
/etc/cpupdate.conf - Update Config *
/etc/cpbackup.conf - Configure Backup*
/etc/clamav.conf - clamav (antivirus configuration file )
/etc/my.cnf - mysql configuration file
/usr/local/Zend/etc/php.ini OR /usr/local/lib/php.ini - php configuration file
/etc/ips - ip addresses on the server (except the shared ip) (IP Functions-->Show IP Address Usage )*
/etc/ipaddrpool - ip addresses which are free
/etc/ips.dnsmaster - name server ips
/var/cpanel/Counters - To get the counter of each users.
/var/cpanel/bandwidth - To get bandwith usage of domain
==========================================================

/var/cpanel
accounting.log - Contains a list of accounting functions performed such as account removal and creation
cpanel.config – Tweak settings for whm can be done in this file
mainip – Main ip of the server is specified in this file
maxemail - Maximum emails per hour for a domain can be specified here The format is like the following domainname=number


Run the script /scripts/build_maxemails_config after editing this file This will create a file named after the corresponding domain name inside the directory maxemailsperdomain with the value specified in it.
Maxemailsperhour - Server wide maximum emails per hour can be set in this file. It applies to the whole domains in the server. You only need to insert the corresponding value in the file. A value of zero means unlimited.
Resellers-nameservers – This file gives you the name of the nameservers used by reseller users
resellers – This file lists the privileges of different reseller users
packages/ - This directory contains files for all the packages created under the WHM and the corresponding files will give all the details related to that package
suspended/ – This directory contains files for all the suspended users. You can get the
reason for suspension from the corresponding user file.
Users/ – This directory contains cpanel user files which contain all the information related to a cpanel account.
Zonetemplates/ - This directory contains templates for zone files, which will be used for creating zone file for a particular domain when a user is created
bandwidth/ - This directory contains files named after the domain names which give separate http and all bandwidth usages for a particular day
datastore/ - This directory contains sub directories named after the cpanel user name which contains two files named mysql-db-count and mysql-disk-usage .These files give you the number of databases a user have and the total disk space used by all these databases respectively.
=========================================================

/etc
localdomains – This file contains domains which are using the local mail server.
remotedomains - This file contains domains which are using a remote mail server instead of the local mail server
userdomains - All the domains of users are listed in this file including the addon, parked and subdomains along with their username.
trueuserdomains - The main domains of all cpanel uesrs are listed in this file along with their username
trueuserowners – All cpanel users along with their owners are listed in this file
wwwacct.conf - This is the default file used in cpanel account creation Information from this file is taken when an account is created
mailips - The ip which should be used for sending mails can be specified in this file Different ips can be set for different domains for sending mails and that can be specified in the file like the following domainname: ip address
ips – This file lists all the ips in the file except the main shared ip
ips.dnsmaster – This file lists all the ips of nameservers used by different domains
ipaddrpool – Lists the ip addresses in the server which are free
cpupdate.conf - Cpanel updation configuration can be done in this file Once you edit this file do not forgot to run the script /scripts/upcp
cpbackup.conf - Cpanel backup configuration can be done in this file You can enable or disable cpanel backup using this file.
Valiases/ - Email forwarders and catchall for a domain can be specified in the corresponding file inside this directory.
The format is like the following *: accountname
vfilters - Email filters can be specified in the corresponding file inside this directory.
========================================================== /usr/local/cpanel
bin/ – Cpanel binaries are located in this directory
version – You can get cpanel version from this file
logs/ - All log files of cpanel are located inside this directory.
error_log – cpanel logs any error it incurs in this file
license_log – All cpanel license update attempts are logged in this file stats_log – The stats daemon logs the output from all the status generators like awstats, webalizer.
access_log – General information pertaining to cPanel requests is logged in this file
base/ – Files of phpmyadmin, webmail etc are located in this directory
3rdparty/ – Files of mailman, fantastico etc are located in this directory
==========================================================

Important Log Files
================
Apache
/usr/local/apache/logs – It is the main log for apache
/usr/local/apache/domlogs/ – Domain specific logs are located inside this directory
/usr/local/apache/logs/access_log – This log records all requests processed by the server

Exim
/var/log/exim_mainlog - An entry is created inside this log every time a message is received or delivered
/var/log/exim_rejectlog - An entry is created inside this log every time a message is rejected based on either ACLs or other policies
/var/log/exim_paniclog - An entry is created inside this log when exim doesn’t know how to handle an error
/var/log/messages – General information and login attempts of FTP are logged here
/var/log/secure - General information and login attempts of SSHD are logged here
/var/log/maillog - The IMAP, POP, and SpamAssassin services all log here. This includes all general logging information (login attempts, transactions, spam scoring), along with fatal errors.
/var/log/mysqld.log ; /var/lib/mysql/$(hostname).err – Mysql general informations and errors are logged in either of these two files
/var/log/chkservd.log - The service monitoring daemon (chkservd) logs all service checks here. Failed services are represented with a [-], and active are represented with
/var/log/cron – An entry is created in this file when a cron is executed
/var/log/messages - General informations and errors of named are logged in this File
/var/log/dcpumon/toplog.[timestamp] - This log lists the top processes running Each five minute a new log is created
/usr/local/apache/logs/suexec_log - This log file contains auditing information reported by suexec each time a CGI application is executed.
/var/log/cpanel*install* – These log files contain verbose logs of the cPanel installation.
/var/cpanel/updatelogs/update-[timestamp.log] – It is the log file for upcp. Log entries are created when upcp runs

Cpanel scripts

Common CPanel scripts
===================
cpanel/whm Scripts are located in /scripts/
+ addns - add a dns zone
+ addfpmail - Add frontpage mail extensions to all domains without them
+ addfpmail2 -Add frontpage mail extensions to all domains without them
+ addnetmaskips - Add the netmask 255.255.255.0 to all IPs that have no netmask
+ addnobodygrp - Adds the gorup nobody and activates security
+ addpop - add a pop account
+ addservlets - Add JSP support to an account (requires tomcat)
+ addstatus - (Internal use never called by user)
+ adduser - Add a user to the system
+ bandwidth - (OLD)
+ betaexim - Installs the latest version of exim
+ biglogcheck - looks for logs nearing 2 gigabytes in size
+ bsdcryptoinstall - Installs crypto on FreeBSD
+ bsdldconfig - Configures the proper lib directories in FreeBSD
+ bsdpkgpingtest - Tests the connection speed for downloading FreeBSD packages
+ buildbsdexpect - Install expect on FreeBSD
+ builddomainaddr - (OLD)
+ buildeximconf - Rebuilds exim.conf
+ buildpostgrebsd-dev - Installs postgresql on FreeBSD.
+ chcpass - change cpanel passwords
+ easyapache - recompile/upgrade apache and/or php
+ exim4 - reinstall exim and fix permissions
+ fixcommonproblems - fixes most common problems
+ fixfrontpageperm - fixes permission issues with Front Page
+ fixmailman - fixes common mailman issues
+ fixnamed - fixes common named issues
+ fixndc - fixes rndc errors with named
+ fixquotas - fixes quota problems
+ fullhordereset - resets horde database to a fresh one - all previous user data are lost
+ initquotas - initializes quotas
+ installzendopt - installs zend optimizer
+ killacct - terminate an account - make sure you take a backup of the account first
+ mailperm - fixes permission problems with inboxes
+ park - to park a domain
+ pkgacct - used to backup an account
+ restartsrv - restart script for services
+ restorepkg - restores an account from a backup file ( pkgacct file)
+ runlogsnow - update logs of all users
+ runweblogs - update stats for a particular user
+ securetmp - secures /tmp partition with options nosuexec and nosuid
+ suspendacct - suspends an account
+ unsuspendacct - unsuspends a suspended account
+ upcp - updates cpanel to the latest version
+ updatenow - updates the cpanel scripts
+ updateuserdomains - updates userdomain entries