New Server Checklist for DirectAdmin (2013 edition)

Setup DirectAdmin with an SSL certificate

source: http://help.directadmin.com/item.php?id=15

If you don't own a certificate, you can create your own:

/usr/bin/openssl req -x509 -newkey rsa:2048 -keyout /usr/local/directadmin/conf/cakey.pem -out /usr/local/directadmin/conf/cacert.pem -days 9000 -nodes
chown diradmin:diradmin /usr/local/directadmin/conf/cakey.pem
chmod 400 /usr/local/directadmin/conf/cakey.pem

Or, if you already have your own certificate and key, paste them into the following files:

Certificate:

vi /usr/local/directadmin/conf/cacert.pem

Key:

vi /usr/local/directadmin/conf/cakey.pem

Once you have done one of the above, edit your directadmin.conf:

vi /usr/local/directadmin/conf/directadmin.conf

Add/change the following--if they don't already exist:

SSL=1
ssl_cipher=SSLv3
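As an added example (not part of the original checklist and not DirectAdmin's own tooling), the script below generates the self-signed pair the same way and then checks what a practitioner wants to know before pointing directadmin.conf at it: that the key and certificate actually belong together, and that the key is readable only by its owner. It assumes a temporary directory (set DA_CONF to /usr/local/directadmin/conf on a real server), the placeholder CN server.example.com, and GNU stat with a BSD fallback. Note that ssl_cipher=SSLv3 is 2013-era advice; SSLv3 has since been deprecated (RFC 7568), so on a current DirectAdmin you would configure a TLS cipher list instead.

```shell
# Added example, not from the checklist: build the self-signed pair the same
# way the DirectAdmin instructions do, then verify it before use.
# DA_CONF defaults to a constructed temp directory so this runs anywhere.
DA_CONF="${DA_CONF:-$(mktemp -d)}"

# make_da_cert: same openssl invocation as the checklist, plus -subj so it
# needs no interactive answers. The CN is a placeholder; use your hostname.
make_da_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 9000 \
        -subj "/CN=server.example.com" \
        -keyout "$DA_CONF/cakey.pem" -out "$DA_CONF/cacert.pem" 2>/dev/null || return 1
    # chown only works as root, and only once the diradmin user exists
    if [ "$(id -u)" -eq 0 ] && id diradmin >/dev/null 2>&1; then
        chown diradmin:diradmin "$DA_CONF/cakey.pem"
    fi
    chmod 400 "$DA_CONF/cakey.pem"
}

# check_da_cert: 0 when the key matches the certificate and the key's mode is
# 0400; 1 (with the reason on stdout) on any problem; 2 if openssl is missing.
check_da_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; return 2; }
    key_mod=$(openssl rsa -noout -modulus -in "$DA_CONF/cakey.pem" 2>/dev/null) \
        || { echo "cannot read private key"; return 1; }
    crt_mod=$(openssl x509 -noout -modulus -in "$DA_CONF/cacert.pem" 2>/dev/null) \
        || { echo "cannot read certificate"; return 1; }
    # an RSA key and its certificate share the modulus; a mismatch means
    # DirectAdmin will not be able to bring up its SSL listener
    [ "$key_mod" = "$crt_mod" ] || { echo "key and certificate do not match"; return 1; }
    # GNU stat first (CentOS), BSD stat as fallback
    mode=$(stat -c %a "$DA_CONF/cakey.pem" 2>/dev/null || stat -f %Lp "$DA_CONF/cakey.pem")
    [ "$mode" = "400" ] || { echo "cakey.pem mode is $mode, expected 400"; return 1; }
    openssl x509 -noout -subject -enddate -in "$DA_CONF/cacert.pem"
}
```

Run `make_da_cert && check_da_cert` as root with DA_CONF pointed at the DirectAdmin conf directory; a non-zero exit and its printed reason tell you what to fix before enabling SSL=1.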

Reset MySQL root password

Find the MySQL da_admin password here (da_admin has root privileges):

vi /usr/local/directadmin/conf/mysql.conf

Login to mysql

mysql -u da_admin -p

Change the mysql root user password to whatever you want

use mysql
UPDATE mysql.user SET password=PASSWORD('yourpassword') WHERE user='root';
FLUSH PRIVILEGES;
quit

Now shut down all mysqld processes and start mysqld again:

killall -9 mysqld_safe; killall -9 mysqld
service mysqld start

Optimize MySQL my.cnf

vi /etc/my.cnf

Add the following

[mysqld]
port            = 3306
socket          = /var/lib/mysql/mysql.sock
skip-external-locking
key_buffer_size = 2048M
max_allowed_packet = 64M
# table_open_cache and thread_cache_size are counts, not byte sizes; the
# original "1024M" and "16M" exceed their maximums and get clamped with a warning
table_open_cache = 1024
sort_buffer_size = 2M
read_buffer_size = 2M
read_rnd_buffer_size = 8M
myisam_sort_buffer_size = 64M
thread_cache_size = 16
query_cache_size = 128M
query_cache_limit = 128M
query_cache_type = 1
# Try number of CPU's*2 for thread_concurrency
thread_concurrency = 16
max_connections = 500
# see http://duntuk.com/how-raise-ulimit-open-files-and-mysql-openfileslimit
open_files_limit = 10240
skip-host-cache
skip-name-resolve
# listed twice in the original (1 and 10); MySQL keeps the last value, 10
expire_logs_days = 10

# drupal tweak
# size innodb_buffer_pool_size to the RAM you can dedicate to InnoDB
innodb_buffer_pool_size=8192M
# innodb_additional_mem_pool_size=1024M #DEPRECATED
# on MySQL 5.5 and older, a new innodb_log_file_size is only accepted after a
# clean shutdown with the old ib_logfile* removed
innodb_log_file_size = 500M
# listed twice in the original (100M and 8M); MySQL keeps the last value, 8M
innodb_log_buffer_size = 8M
innodb_thread_concurrency=16
# 0 trades durability for speed: up to a second of committed transactions can
# be lost on a crash or power loss; set 1 for full durability
innodb_flush_log_at_trx_commit=0
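Because a my.cnf written by hand tends to accumulate exactly the mistakes shown above (a key listed twice, where MySQL silently keeps the last one, and count-type options such as table_open_cache given a byte suffix), here is a small lint to run before restarting mysqld. It is an added example, not from the checklist or from MySQL; the sample file is constructed, and the list of count-type options is a hand-picked subset.

```shell
# Added example, not from the checklist: lint a my.cnf for duplicate keys in
# [mysqld] and for count options written with a K/M/G suffix.

# mycnf_duplicate_keys FILE: prints each [mysqld] key that occurs more than
# once, in the order the second occurrence is met; prints nothing if none.
mycnf_duplicate_keys() {
    awk '
        /^[ \t]*\[/ { section = $0; next }          # remember current section
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # skip comments and blanks
        section ~ /\[mysqld\]/ {
            key = $0
            sub(/[ \t]*=.*/, "", key)               # strip "= value"
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/-/, "_", key)                     # skip-name-resolve == skip_name_resolve
            if (++seen[key] == 2) print key
        }' "$1"
}

# mycnf_unit_warnings FILE: prints count-type options that carry a byte suffix
# (table_open_cache counts tables, thread_cache_size counts threads, and so on;
# "1024M" there means roughly a billion, which MySQL clamps with a warning).
mycnf_unit_warnings() {
    awk -F= '
        /^[ \t]*#/ || NF < 2 { next }
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key ~ /^(table_open_cache|thread_cache_size|max_connections|open_files_limit|thread_concurrency|innodb_thread_concurrency)$/ &&
                val ~ /[KkMmGg]$/)
                print key " = " val " (this option is a count, not bytes)"
        }' "$1"
}

# Constructed sample reproducing both kinds of mistake.
SAMPLE_MYCNF=$(mktemp)
cat > "$SAMPLE_MYCNF" <<'EOF'
[mysqld]
port = 3306
table_open_cache = 1024M
thread_cache_size = 16M
expire_logs_days = 1
innodb_log_buffer_size=100M
innodb_log_buffer_size = 8M
expire_logs_days = 10
[mysqldump]
quick
EOF
```

Run `mycnf_duplicate_keys /etc/my.cnf; mycnf_unit_warnings /etc/my.cnf` before `service mysqld start`; anything printed is worth a second look.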

Change your SSH port

vi /etc/ssh/sshd_config

Find "Port" and change it to the port number you want (YOURSECRETPORT below is a placeholder):

Port YOURSECRETPORT

Also disable UseDNS; with it on, reverse DNS lookups can make SSH logins take so long that SFTP clients time out.

UseDNS no

Restart SSH

service sshd restart
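The same two sshd_config edits as a script you can re-run safely, plus the syntax check to run before the restart. This is an added example, not from the checklist or from OpenSSH; SSHD_CONF defaults to a constructed sample (on the server it is /etc/ssh/sshd_config) and 2222 is a placeholder port. Keep your current session open and confirm a second login on the new port works before closing it, and remember the firewall step later in this checklist has to allow the new port.

```shell
# Added example, not from the checklist: idempotent sshd_config edits.

# set_sshd_option FILE KEY VALUE: rewrite the first "KEY ..." or "#KEY ..."
# line as "KEY VALUE" and drop later duplicates (sshd honours the first
# occurrence of a keyword, so a forgotten second "Port 22" further down
# would otherwise keep winning). Appends the line if KEY is absent.
set_sshd_option() {
    file=$1; key=$2; val=$3
    if grep -Eiq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        awk -v k="$key" -v v="$val" '
            tolower($0) ~ "^[ \t]*#?[ \t]*" tolower(k) "([ \t]|$)" {
                if (!done) { print k " " v; done = 1 }
                next
            }
            { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$val" >> "$file"
    fi
}

# sshd_get FILE KEY: the value sshd would use (first uncommented occurrence).
sshd_get() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd FILE PORT: the checklist's two changes.
harden_sshd() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" UseDNS no
}

# sshd_check FILE: "sshd -t" parses the file and exits non-zero on any error,
# so a typo is caught before the restart that would lock you out.
sshd_check() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not on PATH"; return 2; }
    sshd -t -f "$1"
}

# Constructed sample; note the commented default and the stray second Port.
SSHD_CONF="${SSHD_CONF:-$(mktemp)}"
[ -s "$SSHD_CONF" ] || cat > "$SSHD_CONF" <<'EOF'
#Port 22
#AddressFamily any
PermitRootLogin yes
UseDNS yes
Port 22
EOF
```

On a server: `harden_sshd /etc/ssh/sshd_config 2222 && sshd_check /etc/ssh/sshd_config && service sshd restart`.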

Update server via custombuild

Download the latest version of custombuild 2.0:

cd /usr/local/directadmin
mv custombuild custombuild-01
wget http://files.directadmin.com/services/custombuild/2.0/custombuild.tar.gz
tar xvzf custombuild.tar.gz
cd custombuild
./build

Set up options.conf: change the PHP version to 5.5 (5.5 is stable; if your setup works with 5.3, it will most likely work with 5.5), Apache to 2.4, and MySQL to 5.6 (and set it to be installed).

vi options.conf

Now change the following lines:

php1_release=5.5
apache_ver=2.4
mysql=5.6
mysql_inst=yes

Here is the entire options.conf

#PHP settings.
#Default version of PHP is always php1_release. Possible values for php1/php2_release: 5.3, 5.4, 5.5, no. php1/php2_mode: mod_php, fastcgi, php-fpm or suphp)
php1_release=5.5
php2_release=no
php1_mode=mod_php
php2_mode=php-fpm
htscanner=yes
php_ini=no
php_timezone=PDT
#Possible values - production or development
php_ini_type=production
ioncube=no
x-mail-header=yes
zend=no

#HTTP server. Possible values: apache, nginx
webserver=apache

#Apache settings
#Possible value: 2.4
apache_ver=2.4
mod_ruid2=yes
secure_htaccess=no
harden-symlinks-patch=yes
use_hostname_for_alias=no
redirect_host=server.fiwebdns.com
redirect_host_https=no

#Possible values - 5.1, 5.5, 5.6
mysql=5.6
mysql_inst=yes
mysql_backup=yes
mysql_backup_dir=/usr/local/directadmin/custombuild/mysql_backups

#Web applications
phpmyadmin=yes
phpmyadmin_ver=4
squirrelmail=yes
roundcube=yes

#Mail options
exim=no
eximconf=no
clamav=no
spamassassin=no
dovecot=yes
pigeonhole=no

#Statistics
awstats=no
webalizer=yes

#FTP options - possible values: proftpd, pureftpd
ftpd=pureftpd

#Jailed shell
jail=no

#Autoconf/automake/libtool options
autoconf=yes
automake=yes
libtool=yes
curl=yes

#versions of zlib, apr_util and libxml2 (experts only)
zlib=no
new_zlib=no
new_xml2=yes
new_pcre=no
old_apr_util=no

#Custombuild options
custombuild=2.0
autover=no
bold=yes
clean=yes
cleanapache=no
clean_old_tarballs=yes
clean_old_webapps=yes
downloadserver=files.directadmin.com

#Cron settings
cron=no
cron_frequency=daily
email=email@domain.com
notifications=yes
da_autoupdate=no
updates=no
webapps_updates=yes

#Cloudlinux settings
cloudlinux=no
cagefs=no

Now do the following:

# this is required if you change options.conf
./build update

# this will display everything that will be updated
./build versions 

# these 3 are required if going from custombuild 1.x; you should also run them if you enable php-fpm, or if Apache doesn't work
./build apache
./build php n
./build rewrite_conf

# this will install everything
./build all d 

Enable OpCache (bundled with PHP 5.5)

vi /usr/local/lib/php.ini

Paste this under your extension_dir

zend_extension=/usr/local/lib/php/extensions/no-debug-non-zts-20121212/opcache.so
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=4000
opcache.revalidate_freq=60
opcache.fast_shutdown=1
opcache.enable_cli=1

Restart Apache and see if it installed correctly

service httpd restart
php -v

You should see something like:

PHP 5.5.2 (cli) (built: Aug 19 2013 23:40:32) 
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2013 Zend Technologies
    with Zend OPcache v7.0.3-dev, Copyright (c) 1999-2013, by Zend Technologies

Install ZendOpCache (for PHP 5.3 or 5.4 only)

This URL always downloads the latest version: http://pecl.php.net/get/ZendOpcache

cd /usr/local/src
wget http://pecl.php.net/get/ZendOpcache
tar xvfz zendopcache-7.x.x.tgz
cd zendopcache-7.x.x
phpize
whereis php-config 
# set the path below
./configure --with-php-config=/usr/local/bin/php-config
make
make install
# note the install path because you will use it below
vi /usr/local/lib/php.ini

Paste this under your extension_dir

zend_extension=/FULL PATH FROM ABOVE/opcache.so
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=4000
opcache.revalidate_freq=60
opcache.fast_shutdown=1
opcache.enable_cli=1

Restart Apache and see if it installed correctly

service httpd restart
php -v

You should see something like:

PHP 5.4.16 (cli) (built: Jun 18 2013 04:13:41)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies
    with Zend OPcache v7.0.2, Copyright (c) 1999-2013, by Zend Technologies

Install CSF (ConfigServer Security & Firewall)

cd /usr/local/src
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Now log in to DirectAdmin as admin and click the ConfigServer Security & Firewall link at the bottom left.

You'll probably want to add your WAN IP here; you can find out what it is at: http://www.ip-secrets.com/

Then add your WAN IP into Quick Allow column.

Next click Firewall Configuration and set TESTING to 0, to disable testing mode:

Testing = 0

And make sure you add your custom SSH port into TCP_IN.

TCP_IN = 20,21,22,25,53,80,110,143,443,465,587,993,995,2222,CUSTOMPORT

You can leave the rest as is. Scroll down to the bottom of the page, and click the Change button to save your changes.
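The same two csf.conf changes done from a shell, in the order that cannot lock you out: TESTING is only switched off once the custom SSH port is confirmed to be in TCP_IN (with testing mode off, a missing SSH port means the next firewall reload drops your own session). This is an added example, not from the checklist or from CSF; CSF_CONF defaults to a constructed excerpt in csf.conf syntax (on the server the file is /etc/csf/csf.conf) and 22222 is a placeholder custom port.

```shell
# Added example, not from the checklist: csf.conf edits done safely.

# csf_has_port CONF PORT: 0 if PORT is an item of TCP_IN, else 1.
csf_has_port() {
    awk -F'"' -v p="$2" '
        /^TCP_IN[ \t]*=/ { n = split($2, a, ","); for (i = 1; i <= n; i++) if (a[i] == p) found = 1 }
        END { exit !found }' "$1"
}

# csf_add_port CONF PORT: append PORT to TCP_IN unless it is already listed.
# Splitting on the double quote keeps any trailing comment on the line intact.
csf_add_port() {
    csf_has_port "$1" "$2" && return 0
    awk -F'"' -v p="$2" 'BEGIN { OFS = "\"" }
        /^TCP_IN[ \t]*=/ { $2 = ($2 == "" ? p : $2 "," p) }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# csf_testing_value CONF: current TESTING setting ("1" = rules auto-flush).
csf_testing_value() {
    awk -F'"' '/^TESTING[ \t]*=/ { print $2; exit }' "$1"
}

# csf_disable_testing CONF SSH_PORT: set TESTING = "0" only after confirming
# the SSH port is allowed in; otherwise refuse and leave the file untouched.
csf_disable_testing() {
    csf_has_port "$1" "$2" || { echo "refusing: port $2 is not in TCP_IN"; return 1; }
    awk -F'"' 'BEGIN { OFS = "\"" } /^TESTING[ \t]*=/ { $2 = "0" } { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed excerpt (values from the checklist; not a complete csf.conf).
CSF_CONF="${CSF_CONF:-$(mktemp)}"
[ -s "$CSF_CONF" ] || cat > "$CSF_CONF" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2222"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
EOF
```

On a server: `csf_add_port /etc/csf/csf.conf 22222 && csf_disable_testing /etc/csf/csf.conf 22222 && csf -r`, run from a session you keep open until a fresh login on the custom port succeeds.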

Then, once your firewall is up and running, click the Check Server Security button to see what security weaknesses your server may have. NOTE: you don't need to fix everything in red (some of the flagged PHP functions may be ones you rely on), but you should fix the easy ones, like adding noexec,nosuid to your /etc/fstab.

As long as you're in the upper yellow score (70+) you should be fine.

Install memcached and PHP extension PECL/memcached

See the following: How to install memcached on CentOS with memcached PHP extension on CentOS