Setup DirectAdmin with an SSL certificate
source: http://help.directadmin.com/item.php?id=15
If you don't own a certificate, you can create your own:
/usr/bin/openssl req -x509 -newkey rsa:2048 -keyout /usr/local/directadmin/conf/cakey.pem -out /usr/local/directadmin/conf/cacert.pem -days 9000 -nodes
chown diradmin:diradmin /usr/local/directadmin/conf/cakey.pem
chmod 400 /usr/local/directadmin/conf/cakey.pem
Or, if you already have your own certificate and key, paste them into the following files:
Certificate:
vi /usr/local/directadmin/conf/cacert.pem
Key:
vi /usr/local/directadmin/conf/cakey.pem
Once you have done one of the above, edit your directadmin.conf
vi /usr/local/directadmin/conf/directadmin.conf
Add or change the following if they don't already exist:
SSL=1
ssl_cipher=SSLv3
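As an added check (example code, not from the DirectAdmin help page or this post), the POSIX shell functions below generate the same self-signed pair non-interactively, restrict the key file to its owner, and confirm that the key and certificate actually belong together before directadmin.conf is pointed at them. The directory argument, the placeholder CN and the temporary paths are assumptions. Note also that the ssl_cipher=SSLv3 value above is from the original 2013 post; check the current DirectAdmin documentation for the recommended ssl_cipher string before copying it.

```shell
#!/bin/sh
# Added example, not from the DirectAdmin documentation: create the
# self-signed pair the way the openssl line above does, lock the key down,
# and verify the pair before pointing directadmin.conf at it.
# Paths are parameters; the default CN is a constructed placeholder.

set -e

# Generate cakey.pem / cacert.pem under $1 (e.g. /usr/local/directadmin/conf).
# -subj makes the run non-interactive; pass the server hostname as $2.
gen_selfsigned() {
    dir=$1; cn=${2:-server.example.invalid}
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 9000 \
        -subj "/CN=$cn" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    chmod 400 "$dir/cakey.pem"
}

# Succeeds only when the private key and certificate carry the same public key
# (catches a pasted certificate that belongs to a different key).
keypair_matches() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Succeeds when the key is readable by its owner only (mode 400 or 600).
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Usage: check_da_ssl /usr/local/directadmin/conf
check_da_ssl() {
    keypair_matches "$1/cakey.pem" "$1/cacert.pem" \
        || { echo "key/cert mismatch in $1" >&2; return 1; }
    key_is_private "$1/cakey.pem" \
        || { echo "$1/cakey.pem is group/world readable" >&2; return 1; }
    echo "ok: $1"
}
```

Run check_da_ssl against the DirectAdmin conf directory after either the generate or the paste route; a mismatch or a loose key mode is reported before the service is restarted with a broken or exposed key.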
Reset MySQL root password
Find the MySQL da_admin password here (da_admin has root privileges):
vi /usr/local/directadmin/conf/mysql.conf
Log in to MySQL
mysql -u da_admin -p
Change the mysql root user password to whatever you want
use mysql;
UPDATE mysql.user SET password=PASSWORD('yourpassword') WHERE user='root';
FLUSH PRIVILEGES;
quit
Now shut down all mysqld processes and restart mysqld
killall -9 mysqld_safe; killall -9 mysqld
service mysqld start
Optimize MySQL my.cnf
vi /etc/my.cnf
Add the following
[mysqld]
port = 3306
socket = /var/lib/mysql/mysql.sock
skip-external-locking
key_buffer_size = 2048M
max_allowed_packet = 64M
# table_open_cache and thread_cache_size are counts, not byte sizes
table_open_cache = 1024
sort_buffer_size = 2M
read_buffer_size = 2M
read_rnd_buffer_size = 8M
myisam_sort_buffer_size = 64M
thread_cache_size = 16
query_cache_size = 128M
query_cache_limit = 128M
query_cache_type = 1
# Try number of CPU's*2 for thread_concurrency
thread_concurrency = 16
max_connections = 500
# see http://duntuk.com/how-raise-ulimit-open-files-and-mysql-openfileslimit
open_files_limit = 10240
skip-host-cache
skip-name-resolve
# set once: when an option is repeated, MySQL keeps the last value
expire_logs_days = 10
# drupal tweak
innodb_buffer_pool_size=8192M
# innodb_additional_mem_pool_size=1024M #DEPRECATED
innodb_log_file_size = 500M
innodb_log_buffer_size = 8M
innodb_thread_concurrency=16
# 0 flushes the log once per second; up to ~1s of committed transactions can be lost on a crash
innodb_flush_log_at_trx_commit=0
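The easiest way to lose a tuning change in a file this size is to set the same option twice (MySQL silently keeps the last occurrence) or to give a count-type option such as table_open_cache a byte suffix. The following linter is an added example, not from the original post: it reports both mistakes for any my.cnf-style file. The list of count-type options and the sample file it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: a small my.cnf linter that
# reports options set more than once in a section (MySQL keeps the last
# occurrence, so the earlier line is dead) and count-type options written
# with a byte suffix. Option list and sample file are constructed.

# Print "section.option" for every option that appears more than once.
# foo-bar and foo_bar name the same option in MySQL, so names are normalized.
mycnf_duplicates() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { sect = $0; gsub(/\[|\]|[ \t]/, "", sect); next }
        {
            key = $0
            sub(/[ \t]*=.*/, "", key); gsub(/[ \t]/, "", key); gsub(/-/, "_", key)
            if (++seen[sect "." key] == 2) print sect "." key
        }' "$1"
}

# Print "option=value" for count-type options given a K/M/G suffix.
# The option list here is an assumption for the demo, not exhaustive.
mycnf_bad_suffix() {
    awk -v counts="table_open_cache thread_cache_size max_connections open_files_limit thread_concurrency" '
        BEGIN { n = split(counts, a, " "); for (i = 1; i <= n; i++) c[a[i]] = 1 }
        /^[ \t]*[#;]/ { next }
        /=/ {
            key = $0; sub(/[ \t]*=.*/, "", key); gsub(/[ \t]/, "", key); gsub(/-/, "_", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if ((key in c) && val ~ /[0-9][KMGkmg]$/) print key "=" val
        }' "$1"
}

# Constructed sample reproducing both mistakes, written to $1.
write_sample_cnf() {
    cat > "$1" <<'EOF'
[mysqld]
port = 3306
key_buffer_size = 2048M
table_open_cache = 1024M
expire_logs_days = 1
# comment line
innodb_log_buffer_size=100M
innodb_log_buffer_size = 8M
expire_logs_days = 10
[mysqldump]
max_allowed_packet = 64M
EOF
}
```

Run mycnf_duplicates /etc/my.cnf and mycnf_bad_suffix /etc/my.cnf before restarting mysqld; an empty output from both means every line in the file is actually in effect.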
Change your SSH port
vi /etc/ssh/sshd_config
Find "Port" and change it to whatever port number you want (YOURSECRETPORT below is a placeholder):
Port YOURSECRETPORT
Also disable UseDNS; with it enabled, SSH logins can take so long that SFTP clients time out.
UseDNS no
Restart SSH
service sshd restart
Update server via custombuild
Download the latest version of custombuild 2.0
cd /usr/local/directadmin
mv custombuild custombuild-01
wget http://files.directadmin.com/services/custombuild/2.0/custombuild.tar.gz
tar xvzf custombuild.tar.gz
cd custombuild
./build
Set up options.conf: change the PHP version to 5.5 (5.5 is stable; if your setup works with 5.3, it will likely work with 5.5), Apache to 2.4, and MySQL to 5.6 (and set it to install)
vi options.conf
Now change these to the following:
php1_release=5.5
apache_ver=2.4
mysql=5.6
mysql_inst=yes
Here is the entire options.conf
#PHP settings.
#Default version of PHP is always php1_release. Possible values for php1/php2_release: 5.3, 5.4, 5.5, no. php1/php2_mode: mod_php, fastcgi, php-fpm or suphp)
php1_release=5.5
php2_release=no
php1_mode=mod_php
php2_mode=php-fpm
htscanner=yes
php_ini=no
#PDT is an abbreviation, not a tz database name; PHP expects an identifier such as America/Los_Angeles
php_timezone=PDT
#Possible values - production or development
php_ini_type=production
ioncube=no
x-mail-header=yes
zend=no
#HTTP server. Possible values: apache, nginx
webserver=apache
#Apache settings
#Possible value: 2.4
apache_ver=2.4
mod_ruid2=yes
secure_htaccess=no
harden-symlinks-patch=yes
use_hostname_for_alias=no
redirect_host=server.fiwebdns.com
redirect_host_https=no
#Possible values - 5.1, 5.5, 5.6
mysql=5.6
mysql_inst=yes
mysql_backup=yes
mysql_backup_dir=/usr/local/directadmin/custombuild/mysql_backups
#Web applications
phpmyadmin=yes
phpmyadmin_ver=4
squirrelmail=yes
roundcube=yes
#Mail options
exim=no
eximconf=no
clamav=no
spamassassin=no
dovecot=yes
pigeonhole=no
#Statistics
awstats=no
webalizer=yes
#FTP options - possible values: proftpd, pureftpd
ftpd=pureftpd
#Jailed shell
jail=no
#Autoconf/automake/libtool options
autoconf=yes
automake=yes
libtool=yes
curl=yes
#versions of zlib, apr_util and libxml2 (experts only)
zlib=no
new_zlib=no
new_xml2=yes
new_pcre=no
old_apr_util=no
#Custombuild options
custombuild=2.0
autover=no
bold=yes
clean=yes
cleanapache=no
clean_old_tarballs=yes
clean_old_webapps=yes
downloadserver=files.directadmin.com
#Cron settings
cron=no
cron_frequency=daily
email=[email protected]
notifications=yes
da_autoupdate=no
updates=no
webapps_updates=yes
#Cloudlinux settings
cloudlinux=no
cagefs=no
Now do the following:
# this is required if you change options.conf
./build update
# this will display everything that will be updated
./build versions
# these 3 are required if going from custombuild 1.x; but you should run them if you enable 'php-fpm', or if Apache doesn't work.
./build apache
./build php n
./build rewrite_conf
# this will install everything
./build all d
Enable OPcache (bundled with PHP 5.5)
vi /usr/local/lib/php.ini
Paste this under your extension_dir
zend_extension=/usr/local/lib/php/extensions/no-debug-non-zts-20121212/opcache.so
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=4000
opcache.revalidate_freq=60
opcache.fast_shutdown=1
opcache.enable_cli=1
Restart Apache and see if it installed correctly
service httpd restart
php -v
You should see something like:
PHP 5.5.2 (cli) (built: Aug 19 2013 23:40:32)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2013 Zend Technologies
    with Zend OPcache v7.0.3-dev, Copyright (c) 1999-2013, by Zend Technologies
Install ZendOpCache (for PHP 5.3 or 5.4 only)
This URL will download the latest version: http://pecl.php.net/get/ZendOpcache
cd /usr/local/src
wget http://pecl.php.net/get/ZendOpcache
tar xvfz zendopcache-7.x.x.tgz
cd zendopcache-7.x.x
phpize
whereis php-config
# set the path below
./configure --with-php-config=/usr/local/bin/php-config
make
make install
# note the install path because you will use it below
vi /usr/local/lib/php.ini
Paste this under your extension_dir
zend_extension=/FULL PATH FROM ABOVE/opcache.so
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=4000
opcache.revalidate_freq=60
opcache.fast_shutdown=1
opcache.enable_cli=1
Restart Apache and see if it installed correctly
service httpd restart
php -v
You should see something like:
PHP 5.4.16 (cli) (built: Jun 18 2013 04:13:41)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies
    with Zend OPcache v7.0.2, Copyright (c) 1999-2013, by Zend Technologies
Install CSF (ConfigServer Security & Firewall)
cd /usr/local/src
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
Now log in to DirectAdmin as admin and click the ConfigServer Security & Firewall link at the bottom left.
You'll probably want to add your WAN IP here; you can find out what it is at http://www.ip-secrets.com/
Then add your WAN IP in the Quick Allow column.
Next click Firewall Configuration and set TESTING to 0, to disable testing mode
Testing = 0
And make sure you add your custom SSH port into TCP_IN.
TCP_IN = 20,21,22,25,53,80,110,143,443,465,587,993,995,2222,CUSTOMPORT
You can leave the rest as is. Scroll down to the bottom of the page, and click the Change button to save your changes.
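Forgetting the custom SSH port in TCP_IN is the one change on this page that locks you out of the box, so it is worth checking mechanically before restarting sshd or the firewall. The functions below are an added example, not part of the original post or of CSF: they read the port sshd will bind from sshd_config (sshd honours the first Port directive) and verify it appears in TCP_IN in csf.conf. File paths are parameters; the sample files written by write_samples are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: confirm the sshd port is
# listed in CSF's TCP_IN before restarting either service. Paths are
# parameters; the sample files are constructed for the demo.

# First uncommented "Port" directive wins, which is how sshd reads its config.
sshd_port() {
    awk 'tolower($1) == "port" { print $2; exit }' "$1"
}

# Extract the TCP_IN list from csf.conf; accepts both
#   TCP_IN = "20,21,22"   and   TCP_IN = 20,21,22
csf_tcp_in() {
    sed -n 's/^[[:space:]]*TCP_IN[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$1" \
        | tr -d ' '
}

# Succeeds when the sshd port is listed in TCP_IN.
# Assumption: ports are listed singly; CSF ranges like 1000:2000 are not expanded.
ssh_port_allowed() {
    port=$(sshd_port "$1")
    [ -n "$port" ] || port=22       # sshd default when no Port directive
    list=$(csf_tcp_in "$2")
    case ",$list," in
        *",$port,"*) return 0 ;;
        *) echo "port $port missing from TCP_IN ($list)" >&2; return 1 ;;
    esac
}

# Constructed sample files under $1: a custom port, one csf.conf that
# forgot it and one that has it.
write_samples() {
    printf '# sshd_config (constructed)\nPort 2299\nUseDNS no\n' > "$1/sshd_config"
    printf 'TCP_IN = "20,21,22,25,53,80,443,2222"\n' > "$1/csf.bad"
    printf 'TCP_IN = "20,21,22,25,53,80,443,2222,2299"\n' > "$1/csf.good"
}
```

On a real server call ssh_port_allowed /etc/ssh/sshd_config /etc/csf/csf.conf and only run service sshd restart (and csf -r) when it returns 0; keep the existing session open until a second login on the new port succeeds.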
Then, once your firewall is up and running, you can click the Check Server Security button to see what security weaknesses your server may have. NOTE: you don't need to fix everything in red (there are some PHP functions that you may rely on), but you should fix the easy ones, like adding noexec,nosuid to your /etc/fstab.
As long as you're in the upper yellow score (70+) you should be fine.
Install memcached and PHP extension PECL/memcached
See the following: How to install memcached on CentOS with memcached PHP extension on CentOS