Author Topic: directadmin improve performance and security  (Read 10712 times)

golfreeze

  • Administrator
  • Hero Member
  • *****
  • Posts: 2145
    • View Profile
    • นั่งสมาธิ สติปัฏฐานสี่ พาเที่ยววัด แนะนำวัด แจกcd ธรรมะฟรี
    • Email

golfreeze

  • Administrator
  • Hero Member
  • *****
  • Posts: 2145
    • View Profile
    • นั่งสมาธิ สติปัฏฐานสี่ พาเที่ยววัด แนะนำวัด แจกcd ธรรมะฟรี
    • Email
Re: directadmin improve performance and security
« Reply #1 on: พฤษภาคม 20, 2017, 08:40:26 AM »
Use Nginx reverse proxy
Performance can be improved by the reverse proxy handling static content and from application requests. If your web server is not set to this mode, follow the commands below:

cd /usr/local/directadmin/custombuild
./build update
./build set webserver nginx_apache
./build nginx_apache
Enable HTTP/2
HTTP/2 is the latest update to the HTTP protocol with many advancements in efficiency, security and speed. Simply run the commands below to enable HTTP/2:

cd /usr/local/src/
wget ftp://ftp.openssl.org/source/openssl-1.0.2k.tar.gz
tar xzf openssl-1.0.2k.tar.gz
mkdir /usr/local/directadmin/custombuild/custom/
mkdir /usr/local/directadmin/custombuild/custom/nginx_reverse
mkdir /usr/local/directadmin/custombuild/custom/nginx_reverse/conf
cp -p /usr/local/directadmin/custombuild/configure/nginx_reverse/configure.nginx /usr/local/directadmin/custombuild/custom/nginx_reverse/
cp -p /usr/local/directadmin/custombuild/configure/nginx_reverse/conf/nginx-vhosts.conf /usr/local/directadmin/custombuild/custom/nginx_reverse/conf/
Then we edit the configure file:

nano /usr/local/directadmin/custombuild/custom/nginx_reverse/configure.nginx
And add 2 lines:

--with-http_v2_module
--with-openssl=/usr/local/src/openssl-1.0.2k
http/2 nginx

Next, we update the nginx-vhosts:

nano /usr/local/directadmin/custombuild/custom/nginx_reverse/conf/nginx-vhosts.conf
Add http2 to all SSL listen like this:
HTTP2

If you have LAN_IP/IPv6, then replace |LINKEDIPSSL| with your IP(s) like below:

listen 172.xxx.xxx.xxx:443 ssl http2;
listen [2600:1f16:5a8:aaaa:aaaa:aaaa:aaaa:aaaa]:443 ssl http2;
Finally, build and restart the service:

cd /usr/local/directadmin/custombuild
./build nginx_apache
Use PHP 7
Up to 2x faster performance and 50% better memory consumption than PHP 5.6.

cd /usr/local/directadmin/custombuild
./build set php1_release 7.0
If you have CloudLinux:

./build set php1_mode lsphp
If you don't have CloudLinux:

./build set php1_mode php-fpm
Then build php:

./build update
./build php d
Edit php.ini and double those settings: memory_limit, max_execution_time, max_input_time

Enable OpCache
OpCache can improves PHP performance as well, run the following commands:

cd /usr/local/directadmin/custombuild
./build set opcache yes
./build opcache
Use MariaDB
A lot of optimizer enhancements in MariaDB, if your server is not set to use MariaDB, follow this:

cd /usr/local/directadmin/custombuild
./build set mariadb 10.1
./build set mysql_inst mariadb
./build set mysql_backup yes
./build update
./build mariadb
Increase max allowed packet:

nano /etc/my.cnf.d/server.cnf
Set max_allowed_packet = 50M , innodb_log_file_size = 100M and bind-address = 127.0.0.1 in [mysqld] section.

Enable SSL for all services
Assume that your server hostname is server.domain.com. We use "Let's Encrypt" tool to setup SSL for server hostname and all services, now edit the directadmin.conf file:

nano /usr/local/directadmin/conf/directadmin.conf
set enable_ssl_sni=1
set ssl_redirect_host=server.domain.com
set force_hostname=server.domain.com
set carootcert=/usr/local/directadmin/conf/carootcert.pem
set letsencrypt=1

Next run the following commands:

service directadmin restart
cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt
cd /usr/local/directadmin/scripts
./letsencrypt.sh request server.domain.com 4096
Now set SSL=1 in directadmin.conf and restart directadmin service again.

Next, update Roundcube config for SSL connection:

nano /var/www/html/roundcube/plugins/password/config.inc.php
set $config['password_directadmin_host'] = 'ssl://localhost';

Testing SSL by running the following commands, one by one:

openssl s_client -connect 127.0.0.1:465
openssl s_client -connect 127.0.0.1:993
openssl s_client -connect 127.0.0.1:2222
openssl s_client -connect 127.0.0.1:443
openssl s_client -connect 127.0.0.1:21 -starttls ftp
Make sure you can see the Certificate in the result like this:
SSL test

Then we make new domains to use a private_html link that pointing to public_html, we do this by creating this custom script:

/usr/local/directadmin/scripts/custom/domain_create_post.sh
then add the following code and chmod the script to 755:

#!/bin/sh
D=/home/$username/domains/$domain
PH=$D/private_html

if [ -d $PH ]; then
   rm -rf $PH
   ln -s public_html $PH
   chown -h $username:$username $PH
fi
exit 0;
Use hostname for alias
cd /usr/local/directadmin/custombuild
./build update
./build set use_hostname_for_alias yes
./build set redirect_host_https yes
./build rewrite_confs
Enable DKIM
Enable this feature will help you keep emails sending from your server out of the Spam folder, download the dkim.conf file:

cd /etc
wget -O exim.dkim.conf http://files.directadmin.com/services/exim.dkim.conf
Edit your /etc/exim.conf, and find the code:

remote_smtp:
 driver = smtp
Then change it to look like:

remote_smtp:
  driver = smtp
  .include_if_exists /etc/exim.dkim.conf
If you don't want to see the hostname in user's emails "on behalf of":

untrusted_set_sender = *
no_local_from_check
Then restart exim:

service exim restart
Finally, update directadmin.conf file:

nano /usr/local/directadmin/conf/directadmin.conf
set dkim=1 dns_spf=1 hide_outlook=1 and then restart DirectAdmin

Now we can create DKIM for the server hostname:

cd /usr/local/directadmin/scripts
./dkim_create.sh server.domain.com
Now go to DirectAdmin > DNS Administration and click on your server hostname to check and DKIM key, and update your SPF record (for IPv6).

Enable Auto Update
Install yum-cron:

yum -y install yum-cron
sed -ie 's/apply_updates = no/apply_updates = yes/' /etc/yum/yum-cron.conf
Start yum-cron service:

systemctl start yum-cron.service
Enable DA cron:

nano /usr/local/directadmin/custombuild/options.conf
Then set the following values:

cron=yes
cron_frequency=weekly
email=your@email.com
notifications=yes
da_autoupdate=yes
updates=yes
webapps_updates=yes
Finally, build cron:

cd /usr/local/directadmin/custombuild/
./build cron
Enable IP Blocking
We will use BFM and CSF:

yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch
cd /usr/local/src
wget https://download.configserver.com/csf.tgz
tar -zxvf csf.tgz
cd ./csf
./install.directadmin.sh
Download config fires:

cd /usr/local/directadmin/scripts/custom/
wget -O block_ip.sh http://files.plugins-da.net/dl/csf_block_ip.sh.txt
wget -O unblock_ip.sh http://files.plugins-da.net/dl/csf_unblock_ip.sh.txt
wget -O show_blocked_ips.sh http://files.plugins-da.net/dl/csf_show_blocked_ips.sh.txt
wget -O brute_force_notice_ip.sh http://files.directadmin.com/services/all/brute_force_notice_ip.sh
chmod 700 block_ip.sh unblock_ip.sh show_blocked_ips.sh brute_force_notice_ip.sh
echo "hide_brute_force_notifications=1" >> /usr/local/directadmin/conf/directadmin.conf
Create the empty block list and exempt list files:

touch /root/blocked_ips.txt
touch /root/exempt_ips.txt
Open ports 465, 2525, 35000:35999 in CSF:

Admin Level -> ConfigServer Firewall&Security -> Firewall Configuration:
IPv4 Port Settings -> TCP_IN: Add: 35000:35999
IPv4 Port Settings -> TCP_OUT: Add: 465, 2525
IPv6 Port Settings -> TCP6_IN: Add: 35000:35999
IPv6 Port Settings -> TCP_OUT: Add: 465, 2525
Enable and start the firewall. Edit /etc/csf/csf.conf:

TESTING = "0"
LF_TRIGGER = "0"
LF_SSHD = "0"
LF_FTPD = "0"
LF_SMTPAUTH = "0"
LF_EXIMSYNTAX = "0"
LF_POP3D = "0"
LF_IMAPD = "0"
LF_HTACCESS = "0"
LF_MODSEC = "0"
LF_DIRECTADMIN = "0"
Update Settings in Directadmin like below:

golfreeze

  • Administrator
  • Hero Member
  • *****
  • Posts: 2145
    • View Profile
    • นั่งสมาธิ สติปัฏฐานสี่ พาเที่ยววัด แนะนำวัด แจกcd ธรรมะฟรี
    • Email
Re: directadmin improve performance and security
« Reply #2 on: พฤษภาคม 30, 2017, 08:36:43 AM »
ปรับเพิ่ม IP Blocking ใน Directadmin

Enable IP Blocking
We will use BFM and CSF:

yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch
cd /usr/local/src
wget https://download.configserver.com/csf.tgz
tar -zxvf csf.tgz
cd ./csf
./install.directadmin.sh
Download config fires:

cd /usr/local/directadmin/scripts/custom/
wget -O block_ip.sh http://files.plugins-da.net/dl/csf_block_ip.sh.txt
wget -O unblock_ip.sh http://files.plugins-da.net/dl/csf_unblock_ip.sh.txt
wget -O show_blocked_ips.sh http://files.plugins-da.net/dl/csf_show_blocked_ips.sh.txt
wget -O brute_force_notice_ip.sh http://files.directadmin.com/services/all/brute_force_notice_ip.sh
chmod 700 block_ip.sh unblock_ip.sh show_blocked_ips.sh brute_force_notice_ip.sh
echo "hide_brute_force_notifications=1" >> /usr/local/directadmin/conf/directadmin.conf
Create the empty block list and exempt list files:

touch /root/blocked_ips.txt
touch /root/exempt_ips.txt
Open ports 465, 2525, 35000:35999 in CSF:

Admin Level -> ConfigServer Firewall&Security -> Firewall Configuration:
IPv4 Port Settings -> TCP_IN: Add: 35000:35999
IPv4 Port Settings -> TCP_OUT: Add: 465, 2525
IPv6 Port Settings -> TCP6_IN: Add: 35000:35999
IPv6 Port Settings -> TCP_OUT: Add: 465, 2525
Enable and start the firewall. Edit /etc/csf/csf.conf:

TESTING = "0"
LF_TRIGGER = "0"
LF_SSHD = "0"
LF_FTPD = "0"
LF_SMTPAUTH = "0"
LF_EXIMSYNTAX = "0"
LF_POP3D = "0"
LF_IMAPD = "0"
LF_HTACCESS = "0"
LF_MODSEC = "0"
LF_DIRECTADMIN = "0"
Update Settings in Directadmin like below:


« Last Edit: พฤษภาคม 30, 2017, 11:50:30 AM by golfreeze »

golfreeze

  • Administrator
  • Hero Member
  • *****
  • Posts: 2145
    • View Profile
    • นั่งสมาธิ สติปัฏฐานสี่ พาเที่ยววัด แนะนำวัด แจกcd ธรรมะฟรี
    • Email
Re: directadmin improve performance and security
« Reply #3 on: พฤษภาคม 30, 2017, 11:04:25 AM »
ถ้าในกรณี ปรับเพิ่ม CSF ใน directadmin ไปแล้ว ไม่สามารถใช้คำสั่ง whois ได้

#whois domain.com
[Unable to connect to remote host] whois allow port

ให้ทำการปรับเพิ่ม IPV4 ของ TCP_OUT เพิ่ม port 43 ลงไปด้วยครับ

TCP_OUT = 20,21,22,25,53,80,110,113,443,43

เท่านี้ก็จะสามารถ whois domain.com ได้ละครับผม

golfreeze

  • Administrator
  • Hero Member
  • *****
  • Posts: 2145
    • View Profile
    • นั่งสมาธิ สติปัฏฐานสี่ พาเที่ยววัด แนะนำวัด แจกcd ธรรมะฟรี
    • Email
Re: directadmin improve performance and security
« Reply #4 on: ธันวาคม 22, 2019, 10:50:10 AM »
ใน debian จะมีการใช้งาน csf ที่เป็น csf - ConfigServer & Security Firewall
ในกรณีจะ ติดต่อไปยัง ssh port ปลายทาง (destination) แปลกๆ ต้องอนุญาต port ใน csf.conf ด้วยดังนี้
TCP_OUT="99xx"

# Allow incoming TCP ports
TCP_IN =  “20,21,22,25,26,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096”
# Allow outgoing TCP ports
TCP_OUT = “20,21,22,25,26,37,43,53,80,110,113,443,465,873,2087,2089,2703”

แล้วในส่วนของ
TCP_IN ต้องดูข้อมูลจาก /var/log/message ด้วยแล้วทำการแอดลงเป็นช่วงเช่น 49955:50050  เป็นต้น

แล้วทำการ restart csf service
#service csf restart
« Last Edit: ธันวาคม 22, 2019, 11:03:00 AM by golfreeze »