Thread: DirectAdmin Server Security Questions

  1. #1
    Join Date
    Jul 2019
    Posts
    64

    DirectAdmin Server Security Questions

    I have a handful of questions regarding how DirectAdmin handles its security. To be clear, I am referring to additional security options that I can put in place without breaking DirectAdmin functionality. Now that I've got a couple DirectAdmin servers running, I need to begin locking things down.

    - Can I change the "admin" user to something else? Will the system ever expect a default "admin" login like it may expect a default SSH port?

    - Can I change the DirectAdmin port from 2222? I imagine as DA grows in popularity, scanners will pick up on that port. I'd rather not deal with the noise in my logs.

    - Should the primary "admin" account own a domain name or site? Is it more proper to have your primary DA user void of any sites or emails, and then have another account control the primary domain?

    - Can I configure to put DirectAdmin users in a jail/chroot for HTTP/FTP and SSH? I know CloudLinux has many options, but what about for the default Apache/PHP7 install? Do I just edit some conf paths to tell DA to create a certain way, and set up my jail accordingly?

    - Having easy access to server-status page for quick HTTP monitoring is really important for Apache users with default setup. Is there any chance an addon or something official to easily enable and secure this access? Like an icon "View Apache Live" or something, proper deny/allow settings, etc. I am tempted to create one myself, but I wanted to ask first.

    - There was once an old script called Easy Linux Security (ELS) made by developer(s) here, and while it's no longer being maintained, I need something I can rapidly deploy to different DirectAdmin setups (not just cloning a "good" image of one setup). Do you think anything like this will exist again with the influx of new DirectAdmin migration from cPanel and Plesk users? Is there any official documentation on securing DirectAdmin?



    Thanks,

  2. #2
    Join Date
    Apr 2009
    Posts
    2,298
    I will only try to answer one of your questions; however, hopefully others will provide answers for the other ones.

    Quote Originally Posted by Richard8
    - Having easy access to server-status page for quick HTTP monitoring is really important for Apache users with default setup. Is there any chance an addon or something official to easily enable and secure this access? Like an icon "View Apache Live" or something, proper deny/allow settings, etc. I am tempted to create one myself, but I wanted to ask first.
    Just remember when enabling this, that you put the code in /etc/httpd/conf/extra/httpd-includes.conf because httpd-includes.conf will never be overwritten when you do ./build rewrite_confs, however all the other files in /etc/httpd/conf/ will be overwritten. I have something like this in my httpd-includes.conf file so that only my own IP range and the server IP have access to the status page. The reason I add the server IP is so that CSF is able to access the Apache status page, because when CSF warns you about high server load, it will access the status page to capture it and send it to you in an email:

    Code:
    <Location /the-status-url-name-of-your-choice>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from SERVER-IP-HERE
    Allow from MY-OWN-IP-RANGE-HERE.0/24
    </Location>
    ExtendedStatus On
    Edit: I have not heard of an addon for this. I don't think anybody has made an addon like that.
    Last edited by ditto; 07-10-2019 at 12:00 PM.
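
Added example (not part of ditto's post or of DirectAdmin): a shell check that scans an Apache include file for `<Location>` blocks using `SetHandler server-status` and reports whether each one carries an access restriction. As a heuristic it counts `Deny from all` (the style in the post above) or an Apache 2.4 `Require ip`, `Require local`, `Require host` or `Require all denied` line as a restriction; the sample file and its addresses are constructed.

```shell
#!/bin/sh
# Added example: report every <Location> block that enables server-status
# and whether it is access-restricted. Exit status 1 if any block is open.
audit_status_blocks() {
    awk '
        { line = tolower($0) }              # Apache directives are case-insensitive
        line ~ /^[ \t]*<location[ \t]/ {
            in_loc = 1; status = 0; restricted = 0
            path = $2; sub(/>$/, "", path)
            next
        }
        in_loc && line ~ /^[ \t]*<\/location>/ {
            if (status) {
                verdict = restricted ? "RESTRICTED" : "OPEN"
                if (!restricted) bad = 1
                print verdict, path
            }
            in_loc = 0
            next
        }
        in_loc && line ~ /^[ \t]*sethandler[ \t]+server-status/ { status = 1 }
        # Apache 2.2 style (mod_access_compat on 2.4), as used in the post
        in_loc && line ~ /^[ \t]*deny[ \t]+from[ \t]+all/ { restricted = 1 }
        # Apache 2.4 style (mod_authz_host / mod_authz_core)
        in_loc && line ~ /^[ \t]*require[ \t]+(ip|local|host|all[ \t]+denied)/ { restricted = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: one restricted block and one left open.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<Location /the-status-url-name-of-your-choice>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 192.0.2.10
Allow from 198.51.100.0/24
</Location>
<Location /server-status>
SetHandler server-status
</Location>
ExtendedStatus On
EOF
audit_status_blocks "$sample" || echo "at least one status page is unrestricted"
rm -f "$sample"
```

On a real server the argument would be the httpd-includes.conf path named in the post; the check does not evaluate nested `<RequireAny>`/`<RequireAll>` logic.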

  3. #3
    Join Date
    Jul 2017
    Location
    Murfreesboro
    Posts
    256
    Start here https://forum.directadmin.com/showthread.php?t=58062
    You might find more..

    Can I change the DirectAdmin port from 2222? I imagine as DA grows in popularity, scanners will pick up on that port. I'd rather not deal with the noise in my logs.
    Q: How to make DirectAdmin listen on port 2082 for HTTP requests and port 2083 for HTTPS?

    A: Just set the following settings in /usr/local/directadmin/conf/directadmin.conf and restart DirectAdmin:
    Code:
    port=2082
    ssl_port=2083
    If you would like to let customers use just the SSL on port 2083, set:
    Code:
    ssl=1
    port=2083
    Related: https://help.directadmin.com/item.php?id=2101



    Is there any official documentation on securing DirectAdmin?
    https://help.directadmin.com/item.php?id=247


    For this script you refer to. Are you looking for a one liner or something interactive?

    example

    Would you like to install DA? y/n
    would you like to secure SSH? y/n

    I ask because I have something it's just not a one liner...

    Also point me to the old one ELS..
    Thanks,
    Brent Dacus
    Just a regular guy from Tennessee

    CentOS 7 | DA | CB 2.0 | MariaDB 10.4 | PHP 7.2

    help me...it's HERE or Type "your issue your os directadmin" in google
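
Added example (not from the post or from DirectAdmin): after changing `port`/`ssl_port` as described above, this shell check confirms the new ports are allowed inbound by the firewall before DirectAdmin is restarted. It assumes CSF is the firewall (it is mentioned earlier in the thread) and that its allowed inbound TCP ports are on the `TCP_IN` line of csf.conf; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the ports set in directadmin.conf are permitted by
# CSF's inbound TCP list (assumed to be the TCP_IN line of csf.conf).

# Print the value of key $2 from key=value file $1 (last occurrence wins).
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Succeed if port $1 appears in comma-separated list $2; an entry is a
# single port or a low:high range.
port_in_list() {
    echo "$2" | tr ',' '\n' | awk -F: -v p="$1" '
        NF == 1 && $1 + 0 == p + 0 { ok = 1 }
        NF == 2 && p + 0 >= $1 + 0 && p + 0 <= $2 + 0 { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# $1 = directadmin.conf, $2 = csf.conf. Exit status 1 if a port is blocked.
check_da_ports() {
    tcp_in=$(sed -n 's/^TCP_IN *= *"\([^"]*\)".*/\1/p' "$2" | tail -n 1)
    rc=0
    for key in port ssl_port; do
        p=$(conf_get "$1" "$key")
        [ -n "$p" ] || continue
        if port_in_list "$p" "$tcp_in"; then
            echo "$key=$p allowed"
        else
            echo "$key=$p BLOCKED"
            rc=1
        fi
    done
    [ "$(conf_get "$1" ssl)" = "1" ] || echo "ssl not enabled"
    return "$rc"
}

# Constructed sample files standing in for the real configuration.
dir=$(mktemp -d)
printf 'port=2082\nssl_port=2083\nssl=0\n' > "$dir/directadmin.conf"
printf 'TCP_IN = "20,21,22,25,53,80,443,2222,35000:35999"\n' > "$dir/csf.conf"
check_da_ports "$dir/directadmin.conf" "$dir/csf.conf" \
    || echo "open the new ports in CSF before restarting DirectAdmin"
rm -rf "$dir"
```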


  4. #4
    Join Date
    Jul 2017
    Location
    Murfreesboro
    Posts
    256
    Quote Originally Posted by ditto
    I will only try to answer one of your questions; however, hopefully others will provide answers for the other ones.



    Just remember when enabling this, that you put the code in /etc/httpd/conf/extra/httpd-includes.conf because httpd-includes.conf will never be overwritten when you do ./build rewrite_confs, however all the other files in /etc/httpd/conf/ will be overwritten. I have something like this in my httpd-includes.conf file so that only my own IP range and the server IP have access to the status page. The reason I add the server IP is so that CSF is able to access the Apache status page, because when CSF warns you about high server load, it will access the status page to capture it and send it to you in an email:

    Code:
    <Location /the-status-url-name-of-your-choice>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from SERVER-IP-HERE
    Allow from MY-OWN-IP-RANGE-HERE.0/24
    </Location>
    ExtendedStatus On
    Edit: I have not heard of an addon for this. I don't think anybody has made an addon like that.

    Oh I like this idea...
    Thanks,
    Brent Dacus


  5. #5
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,828
    I copied my httpd-info.conf to /usr/local/directadmin/custombuild/custom/ap2/conf/extra and changed the ip in that file, then do ./build rewrite_confs from custombuild.
    It's the same kind of solution.
    It will be used when ./build rewrite_confs is done and also when Apache is updated, and the httpd-info.conf file is changed to what you made it in the custom directory.

    I didn't know about ditto's solution yet, but both are possible for this.
    Greetings, Richard.
