DirectAdmin: Improve performance and security


In this tutorial, I’m going to improve the DirectAdmin environment, make it faster and more secure. I assume that you have installed DirectAdmin on your server (for this guide, I use CentOS 7 64bit). A good understanding of Linux basics is needed to follow this guide. Now we begin:

Use Nginx reverse proxy

Performance improves when the reverse proxy (Nginx) serves static content directly and passes only application requests on to Apache. If your web server is not set to this mode, run the commands below:

cd /usr/local/directadmin/custombuild
./build update
./build set webserver nginx_apache
./build nginx_apache

Enable HTTP/2

HTTP/2 is the latest update to the HTTP protocol with many advancements in efficiency, security and speed. Simply run the commands below to enable HTTP/2:

cd /usr/local/src/
wget ftp://ftp.openssl.org/source/openssl-1.0.2k.tar.gz
tar xzf openssl-1.0.2k.tar.gz
mkdir /usr/local/directadmin/custombuild/custom/
mkdir /usr/local/directadmin/custombuild/custom/nginx_reverse
mkdir /usr/local/directadmin/custombuild/custom/nginx_reverse/conf
cp -p /usr/local/directadmin/custombuild/configure/nginx_reverse/configure.nginx /usr/local/directadmin/custombuild/custom/nginx_reverse/
cp -p /usr/local/directadmin/custombuild/configure/nginx_reverse/conf/nginx-vhosts.conf /usr/local/directadmin/custombuild/custom/nginx_reverse/conf/

Then we edit the configure file:

nano /usr/local/directadmin/custombuild/custom/nginx_reverse/configure.nginx

And add these two configure options:

--with-http_v2_module 
--with-openssl=/usr/local/src/openssl-1.0.2k

Next, we update the nginx-vhosts:

nano /usr/local/directadmin/custombuild/custom/nginx_reverse/conf/nginx-vhosts.conf

Add http2 to every SSL listen directive.

If you have LAN_IP/IPv6, then replace |LINKEDIPSSL| with your IP(s) like below:

listen 172.xxx.xxx.xxx:443 ssl http2;
listen [2600:1f16:5a8:aaaa:aaaa:aaaa:aaaa:aaaa]:443 ssl http2;

Finally, build and restart the service:

cd /usr/local/directadmin/custombuild
./build nginx_apache

Use PHP 7

PHP 7 delivers up to 2x faster performance and 50% better memory consumption than PHP 5.6.

cd /usr/local/directadmin/custombuild
./build set php1_release 7.0

If you have CloudLinux:

./build set php1_mode lsphp

If you don’t have CloudLinux:

./build set php1_mode php-fpm

Then build php:

./build update
./build php d

Edit php.ini and double these settings: memory_limit, max_execution_time, max_input_time.

Enable OpCache

OpCache improves PHP performance as well. Run the following commands:

cd /usr/local/directadmin/custombuild
./build set opcache yes
./build opcache

Use MariaDB

MariaDB brings a lot of optimizer enhancements. If your server is not set to use MariaDB, follow this:

cd /usr/local/directadmin/custombuild
./build set mariadb 10.1
./build set mysql_inst mariadb
./build set mysql_backup yes
./build update
./build mariadb

Increase the max allowed packet size and bind MariaDB to localhost only:

nano /etc/my.cnf.d/server.cnf

Set max_allowed_packet = 50M, innodb_log_file_size = 100M and bind-address = 127.0.0.1 in the [mysqld] section.

Enable SSL for all services

Assume that your server hostname is server.domain.com. We use the Let’s Encrypt tool to set up SSL for the server hostname and all services. First, edit the directadmin.conf file:

nano /usr/local/directadmin/conf/directadmin.conf

set enable_ssl_sni=1
set ssl_redirect_host=server.domain.com
set force_hostname=server.domain.com
set carootcert=/usr/local/directadmin/conf/carootcert.pem
set letsencrypt=1

Next run the following commands:

service directadmin restart
cd /usr/local/directadmin/custombuild
./build update 
./build letsencrypt
cd /usr/local/directadmin/scripts
./letsencrypt.sh request server.domain.com 4096

Now set SSL=1 in directadmin.conf and restart the directadmin service again.

Next, update Roundcube config for SSL connection:

nano /var/www/html/roundcube/plugins/password/config.inc.php

set $config['password_directadmin_host'] = 'ssl://localhost';

Test SSL by running the following commands, one by one:

openssl s_client -connect 127.0.0.1:465
openssl s_client -connect 127.0.0.1:993
openssl s_client -connect 127.0.0.1:2222
openssl s_client -connect 127.0.0.1:443
openssl s_client -connect 127.0.0.1:21 -starttls ftp

Make sure the output of each command shows the server certificate chain for server.domain.com rather than a connection error.
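As an added example (not part of the original tutorial), the script below automates the checks the openssl commands above do by hand for the same five services: it verifies the chain against the system CA store, sends SNI for the hostname, matches the hostname against the certificate's DNS SANs and reports days until expiry. It assumes the guide's hostname server.domain.com and that it runs on the server itself (connecting to 127.0.0.1).

```python
import datetime as dt
import socket
import ssl
from ftplib import FTP_TLS

HOSTNAME = "server.domain.com"   # server hostname used throughout the tutorial
# port -> (label, uses STARTTLS); the same services the s_client commands above test
SERVICES = {465: ("SMTPS", False), 993: ("IMAPS", False), 2222: ("DirectAdmin", False),
            443: ("HTTPS", False), 21: ("FTP AUTH TLS", True)}


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: a wildcard may only stand for the whole left-most label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    return len(p) == len(h) and p[1:] == h[1:] and p[0] in ("*", h[0])


def cert_status(cert: dict, hostname: str, now: dt.datetime) -> dict:
    """Offline check on a getpeercert()-style dict: is hostname covered by a DNS SAN,
    and how many whole days remain before notAfter (negative once expired)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    expires = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), dt.timezone.utc)
    return {"hostname_ok": any(name_matches(s, hostname) for s in sans),
            "days_left": (expires - now).days}


def fetch_cert(port: int, starttls: bool, host: str = "127.0.0.1") -> dict:
    """Connect to 127.0.0.1 as the tutorial does, but send SNI for HOSTNAME so the
    enable_ssl_sni setup serves the hostname certificate. The default context verifies
    the chain against the system CA store, so a broken chain raises ssl.SSLError."""
    ctx = ssl.create_default_context()
    if starttls:                       # FTP: plain connect, then AUTH TLS upgrade
        ftp = FTP_TLS(context=ctx)
        ftp.connect(host, port, timeout=10)
        ftp.host = HOSTNAME            # auth() uses ftp.host as the SNI/verification name
        ftp.auth()
        cert = ftp.sock.getpeercert()
        ftp.quit()
        return cert
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=HOSTNAME) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    now = dt.datetime.now(dt.timezone.utc)
    for port, (label, starttls) in SERVICES.items():
        try:
            status = cert_status(fetch_cert(port, starttls), HOSTNAME, now)
            print(f"{label:>13} :{port:<5} hostname_ok={status['hostname_ok']} days_left={status['days_left']}")
        except (OSError, ssl.SSLError) as exc:   # refused, timeout, or verification failure
            print(f"{label:>13} :{port:<5} FAILED: {exc}")
```

A service that still presents the self-signed DirectAdmin certificate fails chain verification and is reported as FAILED, which is exactly the case the manual openssl check is meant to catch.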

Then we make new domains use a private_html symlink pointing to public_html (so https serves the same content as http). We do this by creating this custom script:

/usr/local/directadmin/scripts/custom/domain_create_post.sh

Then add the following code and chmod the script to 755:

#!/bin/sh
# Runs after DirectAdmin creates a domain; $username and $domain are passed in
# by DirectAdmin. Replace the private_html directory with a symlink to public_html.
[ -n "$username" ] && [ -n "$domain" ] || exit 0
D="/home/$username/domains/$domain"
PH="$D/private_html"

# Only act on a real directory, never on an existing symlink
if [ -d "$PH" ] && [ ! -L "$PH" ]; then
   rm -rf "$PH"
   ln -s public_html "$PH"
   chown -h "$username:$username" "$PH"
fi
exit 0

Use hostname for alias

cd /usr/local/directadmin/custombuild
./build update
./build set use_hostname_for_alias yes
./build set redirect_host_https yes
./build rewrite_confs

Enable DKIM

Enabling this feature helps keep emails sent from your server out of the spam folder. Download the dkim.conf file:

cd /etc
wget -O exim.dkim.conf http://files.directadmin.com/services/exim.dkim.conf

Edit your /etc/exim.conf, and find the code:

remote_smtp:
 driver = smtp

Then change it to look like:

remote_smtp: 
  driver = smtp
  .include_if_exists /etc/exim.dkim.conf

If you don’t want the server hostname to appear in users’ emails as “on behalf of”, also add:

untrusted_set_sender = *
no_local_from_check

Then restart exim:

service exim restart

Finally, update directadmin.conf file:

nano /usr/local/directadmin/conf/directadmin.conf

set dkim=1, dns_spf=1 and hide_outlook=1, then restart DirectAdmin.

Now we can create DKIM for the server hostname:

cd /usr/local/directadmin/scripts
./dkim_create.sh server.domain.com

Now go to DirectAdmin > DNS Administration, click on your server hostname to check the DKIM key, and update your SPF record (for IPv6).

Enable IP Blocking

We will use DirectAdmin’s Brute Force Monitor (BFM) together with CSF:

yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch
cd /usr/local/src
wget https://download.configserver.com/csf.tgz
tar -zxvf csf.tgz
cd ./csf
./install.directadmin.sh

Download the CSF helper scripts that BFM calls to block, unblock and list IPs:

cd /usr/local/directadmin/scripts/custom/
wget -O block_ip.sh http://files.plugins-da.net/dl/csf_block_ip.sh.txt
wget -O unblock_ip.sh http://files.plugins-da.net/dl/csf_unblock_ip.sh.txt
wget -O show_blocked_ips.sh http://files.plugins-da.net/dl/csf_show_blocked_ips.sh.txt
wget -O brute_force_notice_ip.sh http://files.directadmin.com/services/all/brute_force_notice_ip.sh
chmod 700 block_ip.sh unblock_ip.sh show_blocked_ips.sh brute_force_notice_ip.sh
echo "hide_brute_force_notifications=1" >> /usr/local/directadmin/conf/directadmin.conf

Create the empty block list and exempt list files:

touch /root/blocked_ips.txt
touch /root/exempt_ips.txt

Open ports 465, 2525, 35000:35999 in CSF:

Admin Level -> ConfigServer Firewall&Security -> Firewall Configuration: 
IPv4 Port Settings -> TCP_IN: Add: 35000:35999 
IPv4 Port Settings -> TCP_OUT: Add: 465, 2525
IPv6 Port Settings -> TCP6_IN: Add: 35000:35999
IPv6 Port Settings -> TCP6_OUT: Add: 465, 2525

Enable and start the firewall by editing /etc/csf/csf.conf. TESTING = "0" takes CSF out of test mode; the LF_* triggers are set to "0" because BFM, not CSF, does the login-failure detection and calls block_ip.sh:

TESTING = "0"
LF_TRIGGER = "0"
LF_SSHD = "0"
LF_FTPD = "0"
LF_SMTPAUTH = "0"
LF_EXIMSYNTAX = "0"
LF_POP3D = "0"
LF_IMAPD = "0"
LF_HTACCESS = "0"
LF_MODSEC = "0"
LF_DIRECTADMIN = "0"

Then update the matching Brute Force Monitor settings in DirectAdmin.

Now you have an excellent hosting server! If you need any help please let me know.
