Secure login the standard install

IT_Architect

This is the first thing that got my attention after the install of DA. The first thing that crosses one's mind at that point is, "This looks like a minor league player." That sets the color of the glasses for what people see when evaluating DA.
 
There's neither a question nor a statement of a problem in the body of your post.

Are you asking why a secure login isn't standard for port 2222 installs after the DA login?

There are reasons why people won't want it. I do want it.

I follow the Install Guide here.

If you do, you'll get a secure port 2222 login for DirectAdmin.

Jeff
 
There's neither a question nor a statement of a problem in the body of your post.
True. What I meant to request was to make the default install of DirectAdmin use secure login.

Thanks!
 
Edit: Does it really matter?

No, since you usually install a certificate anyway. Thus you would have to perform most of the same steps as if it had been left alone.
 
>Does it really matter?<

I think it does. When someone gets a dedicated server set up for them by a web host, they expect to be able to move in. I haven't worked with all of the control panels, but the two that I have came with it out of the box that way. At the moment, I'm reading through a How-to to implement it.

Thanks!
 
The easiest way to implement it is in the link I posted; that gives you a self-signed cert.

If DA was to include the code, what would you want them to do for a certificate? Use the default snakeoil cert? Or install a self-signed cert for the hostname?

If installing a self-signed cert for the hostname, what would you want it to use for all the information required for the CSR?

Jeff
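As an added illustration of the self-signed-cert-for-the-hostname option discussed above (example code written for this thread, not DirectAdmin's own installer or the install guide): issue a certificate for the panel hostname, check that the key and certificate actually belong together and cover the hostname, and emit the directadmin.conf lines that switch port 2222 to TLS. It assumes openssl 1.1.1 or newer (for `-addext` and `-ext`), and that the directadmin.conf keys `SSL=1`, `cacert=` and `cakey=` apply to your DA version (assumed; verify against the docs for your release).

```shell
#!/bin/sh
# Added example, not from the forum thread or the DirectAdmin project.
# Assumes openssl >= 1.1.1 and the directadmin.conf keys SSL=1, cacert=, cakey=.
set -eu

# gen_self_signed HOSTNAME OUTDIR [DAYS]
# Writes OUTDIR/cakey.pem and OUTDIR/cacert.pem with CN and SAN = HOSTNAME.
# A SAN entry matters: browsers ignore a bare CN when matching the hostname.
gen_self_signed() {
    host=$1; out=$2; days=${3:-365}
    mkdir -p "$out"
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
        -keyout "$out/cakey.pem" -out "$out/cacert.pem" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
    chmod 600 "$out/cakey.pem"   # private key readable by root only
}

# cert_covers_host CERT HOSTNAME -> 0 if HOSTNAME appears in the cert's SAN list
cert_covers_host() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -qF "DNS:$2"
}

# pair_matches CERT KEY -> 0 if the key's public half equals the cert's public key
# (catches the classic mistake of pointing DA at a key from a different CSR).
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# da_conf_lines OUTDIR -> directadmin.conf settings that enable TLS on port 2222
# (assumed key names; restart directadmin after editing the file)
da_conf_lines() {
    printf 'SSL=1\ncacert=%s/cacert.pem\ncakey=%s/cakey.pem\n' "$1" "$1"
}

# Live check once the panel is restarted: it must speak TLS on 2222 and present
# the hostname's certificate. Run by hand, e.g.:
#   openssl s_client -connect "$host:2222" -servername "$host" </dev/null
```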
 
I think DA should be more secure out of the box, partly because it's good practice on the web today, but also because I will go through making the changes and I'd rather have it done for me. (Not just because I'm lazy, but because I worry about forgetting something.)

The same applies to open_basedir setup, and the default user file ownership setting.

The self-signed cert: Plesk gives one out, it says plesk all over it. Why not have a default cert signed by 'DirectAdmin' with all the other fields blank. Most hosts will change that to their own pretty sharpish anyway simply due to the certificate acceptance popup at login.

Once upon a time I had a site on a shared hosting with a company (they used Ensim). One day I woke up to find my site had been replaced with 'hacked by sir l33t hax0r', as had every other site on the server. I wasn't happy, and the company never managed to restore my backups properly. I (and a load of others) quit them and never went back - something I think some hosts who install DA without changing the security settings would do well to ponder. Especially if you consider the fact that a default DA install allows anyone to replace any file on any other domain using a simple bit of PHP code (search this forum for details)
 
IT_Architect said:
When someone gets a dedicated server setup for them by a web host, they expect to be able to move in.
And when they get a dedicated server from us and a lot of other full-service suppliers, they do. We ask them whether they want a self-signed or commercial cert, and we ask them what they want in it.

I think it's great that we full-service providers can differentiate ourselves :D.

Jeff
 