DirectAdmin | New Server Checklist

[ProWebUK]

FTP, SSH, SMTP, DNS, HTTP, POP3, IMAP, HTTPS and DirectAdmin#

FTP - 21
SSH - 22
Telnet (if you have it on) - 23
SMTP - 25
HTTP - 80
HTTPS: 443
POP3 - 110
IMAP - 143
DNS - 53
DirectAdmin - 2222

Passive FTP (information in post below)
49151
49152
49153
49154
49155
49156
49157
49158
49159
49160
49161

I think thats all directadmin needs open, any problems leave a message here



Chris

 

[nobaloney]

Here's my /etc/sysconfig/ipchains file (if you use iptables you'll have to do the conversion yourself)...

(and if you keep reading afterwards I'll tell you what all those ports from 49152 through 49161 are for)...

-A input -s 0/0 -d 0/0 143 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 110 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 53 -p udp   -j ACCEPT
-A input -s 0/0 -d 0/0 53 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 113 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 113 -p udp   -j ACCEPT
-A input -s 0/0 -d 0/0 443 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 443 -p udp   -j ACCEPT
-A input -s 0/0 -d 0/0 2222 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 2222 -p udp   -j ACCEPT
-A input -s 0/0 -d 0/0 123 -p udp   -j ACCEPT
-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 53 -d 0/0 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 66 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 66 -p udp  -j ACCEPT
-A input -s 0/0 -d 0/0 49152 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49153 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49154 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49155 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49156 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49157 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49158 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49159 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49160 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49161 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
-A input -s 0/0 -d 0/0 -p udp -j REJECT

Those ports from 49151 through 49162 are left open for proftpd to be able to do passive ftp...

And here's the code you need to put into /etc/proftpd.conf to tell proftpd to use these open ports (I put it right after the Port line):

##### added to make passive transfer work
# use part of the IANA registered ephemeral port range
PassivePorts 49152 49161
####

Jeff

 

[ProWebUK]

a few of them most users wont require, one i noticed on yours that is enabled on most firewalls although not required is

identd - 113

Chris

 

[nobaloney]

I visited the port 113 issue a few weeks ago and decided to leave it in for now. I don't run identd, though.

I don't see any others that are even questionable. Do you?

Jeff

 

[ProWebUK]

i believe its not necessary to open port 123... apart from that it seems ok for the remainder of all DA users

Chris

 

[nobaloney]

Port 123 is the network time protocol... you need it if you're going to synchronize for a time-server.

Some of these I've opened for both tcp and for udp, because I simply wasn't sure if both were needed or not.

Jeff

 

[ProWebUK]

Fresh Install of Urchin web analytics software V5 added under statistics section.

 

[ProWebUK]

just added:
-> Upgrade ProFTPd to fix recent exploit

added this a while back but forgot to put a notice up!
-> Upgrade OpenSSH to fix recent exploit

Chris

 

[ProWebUK]

MRTG compile, configure and run now added, the list also tidied up a bit

Chris

 

[ProWebUK]

added:

-> Provide a MySQL user with an additional database

under:

Add-ons & advice

 

[ProWebUK]

added / updated the following:

-> Update PHP (4.3.4) using DA custom apache build system
-> Update apache (1.3.29) Using DA custom apache build system
-> Update Mod_SSL (2.8.16) Using DA custom apache build system

all 3 are updated using the same method (just follow 1 of the links)

 

[ProWebUK]

new section been added to the list:

Known problems / bugs & fixes

 

[ProWebUK]

Added the 'florida sun' skin from mindlash under the skins coming soon section

 

[interfasys]

Link to APF

Maybe the link to the APF Howto should be updated, Gpan's rpm is not the latest one and APF's author has setup its own forum:
http://forums.rfxnetworks.com/viewforum.php?f=9

 

[ProWebUK]

I will try and get a fresh HOWTO for APF over the next few days, i am currently working on a pre configured firewall for DirectAdmin.

 

[interfasys]

Nice! =)

 

[ProWebUK]

Hermes skin added under available skins section

 

[ProWebUK]

AWStats for all domains added

 

[ProWebUK]

RPM based MRTG installation added under monitoring

 

[ProWebUK]

Script to convert users to resellers & vice versa // added to add-ons and advice section.