DirectAdmin Server Security Questions

Richard8

I have a handful of questions regarding how DirectAdmin handles its security. To be clear, I am referring to additional security options that I can put in place without breaking DirectAdmin functionality. Now that I've got a couple DirectAdmin servers running, I need to begin locking things down.

- Can I change the "admin" user to something else? Will the system ever expect a default "admin" login like it may expect a default SSH port?

- Can I change the DirectAdmin port from 2222? I imagine as DA grows in popularity, scanners will pick up on that port. I'd rather not deal with the noise in my logs.

- Should the primary "admin" account own a domain name or site? Is it more proper to have your primary DA user void of any sites or emails, and then have another account control the primary domain?

- Can I configure to put DirectAdmin users in a jail/chroot for HTTP/FTP and SSH? I know CloudLinux has many options, but what about for the default Apache/PHP7 install? Do I just edit some conf paths to tell DA to create a certain way, and set up my jail accordingly?

- Having easy access to server-status page for quick HTTP monitoring is really important for Apache users with default setup. Is there any chance an addon or something official to easily enable and secure this access? Like an icon "View Apache Live" or something, proper deny/allow settings, etc. I am tempted to create one myself, but I wanted to ask first.

- There was once an old script called Easy Linux Security (ELS) made by developer(s) here, and while it's no longer being maintained, I need something I can rapidly deploy to different DirectAdmin setups (not just cloning a "good" image of one setup). Do you think anything like this will exist again with the influx of new DirectAdmin migration from cPanel and Plesk users? Is there any official documentation on securing DirectAdmin?



Thanks,
 
I will only try to answer one of your questions, however hopefully others will provide answers for the other ones.

- Having easy access to server-status page for quick HTTP monitoring is really important for Apache users with default setup. Is there any chance an addon or something official to easily enable and secure this access? Like an icon "View Apache Live" or something, proper deny/allow settings, etc. I am tempted to create one myself, but I wanted to ask first.

Just remember when enabling this, that you put the code in /etc/httpd/conf/extra/httpd-includes.conf because httpd-includes.conf will never be overwritten when you do ./build rewrite_confs, however all the other files in /etc/httpd/conf/ will be overwritten. I have something like this in my httpd-includes.conf file so that only my own IP range and the server IP have access to the status page. The reason I add the server IP is so that CSF is able to access the Apache status page, because when CSF warns you about high server load, it will access the status page to capture it and send it to you in an email:

Code:
<Location /the-status-url-name-of-your-choice>
SetHandler server-status
Order deny,allow
Deny from all
Allow from SERVER-IP-HERE
Allow from MY-OWN-IP-RANGE-HERE.0/24
</Location>
ExtendedStatus On

Edit: I have not heard of an addon for this. I don't think anybody has made an addon like that.
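
A quick way to confirm that every server-status handler in an include file is actually restricted, as an added example (not part of the original post and not DirectAdmin's own tooling). The config text is a constructed sample using documentation IP ranges, `audit_status_blocks` is a hypothetical helper name, and the check goes beyond the post's directives by also recognising the Apache 2.4 `Require` form.

```python
import re

# Constructed sample (documentation IP ranges), not taken from a real server:
# one block restricted like the post's snippet, one handler left unprotected.
SAMPLE_CONF = """\
<Location /the-status-url-name-of-your-choice>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 192.0.2.10
Allow from 198.51.100.0/24
</Location>
<Location /server-status>
SetHandler server-status
</Location>
ExtendedStatus On
"""

BLOCK_RE = re.compile(r"<Location\s+([^>]+)>(.*?)</Location>", re.S | re.I)
SOURCE_RE = re.compile(r"(?:allow from|require (?:ip|host)) (.+)")

def audit_status_blocks(conf_text):
    """Hypothetical helper: (path, verdict, allowed sources) per status block."""
    findings = []
    for path, body in BLOCK_RE.findall(conf_text):
        # Normalise case and whitespace; ignore blank lines and comments.
        lines = [" ".join(l.lower().split()) for l in body.splitlines()]
        lines = [l for l in lines if l and not l.startswith("#")]
        if "sethandler server-status" not in lines:
            continue
        allowed = []
        for l in lines:
            m = SOURCE_RE.fullmatch(l)
            if m:
                allowed += m.group(1).split()
        opened = "allow from all" in lines or "require all granted" in lines
        # 2.2 style needs "Deny from all"; 2.4 style needs some Require line.
        limited = "deny from all" in lines or any(
            l.startswith("require ") for l in lines)
        verdict = "restricted" if limited and not opened else "open"
        sources = allowed if verdict == "restricted" else []
        findings.append((path.strip(), verdict, sources))
    return findings

if __name__ == "__main__":
    for path, verdict, allowed in audit_status_blocks(SAMPLE_CONF):
        print(f"{path}: {verdict} {allowed}")
```

To check a live file, pass the contents of httpd-includes.conf to `audit_status_blocks` and review any block reported as open.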
 
Start here https://forum.directadmin.com/showthread.php?t=58062
You might find more..

Can I change the DirectAdmin port from 2222? I imagine as DA grows in popularity, scanners will pick up on that port. I'd rather not deal with the noise in my logs.

Q: How to make DirectAdmin listen on port 2082 for HTTP requests and port 2083 for HTTPS?

A: Just set the following settings in /usr/local/directadmin/conf/directadmin.conf and restart DirectAdmin:
Code:
port=2082
ssl_port=2083
If you would like to let customers use just the SSL on port 2083, set:
Code:
ssl=1
port=2083
Related: https://help.directadmin.com/item.php?id=2101



Is there any official documentation on securing DirectAdmin?

https://help.directadmin.com/item.php?id=247


For this script you refer to, are you looking for a one-liner or something interactive?

example

Would you like to install DA? y/n
would you like to secure SSH? y/n

I ask because I have something, it's just not a one-liner...

Also point me to the old one ELS..
 
I will only try to answer one of your questions, however hopefully others will provide answers for the other ones.



Just remember when enabling this, that you put the code in /etc/httpd/conf/extra/httpd-includes.conf because httpd-includes.conf will never be overwritten when you do ./build rewrite_confs, however all the other files in /etc/httpd/conf/ will be overwritten. I have something like this in my httpd-includes.conf file so that only my own IP range and the server IP have access to the status page. The reason I add the server IP is so that CSF is able to access the Apache status page, because when CSF warns you about high server load, it will access the status page to capture it and send it to you in an email:

Code:
<Location /the-status-url-name-of-your-choice>
SetHandler server-status
Order deny,allow
Deny from all
Allow from SERVER-IP-HERE
Allow from MY-OWN-IP-RANGE-HERE.0/24
</Location>
ExtendedStatus On

Edit: I have not heard of an addon for this. I don't think anybody has made an addon like that.


Oh I like this idea...
 
I copied my httpd-info.conf to /usr/local/directadmin/custombuild/custom/ap2/conf/extra and changed the IP in that file, then did ./build rewrite_confs from custombuild.
It's the same kind of solution.
It will be used when ./build rewrite_confs is done and also when Apache is updated and the httpd-info.conf file is changed to what you made it in the custom directory.

I didn't know about ditto's solution yet, but both are possible for this.
 