DirectAdmin: Improve performance and security Oct 18, 2016

DirectAdmin Optimized

In this tutorial, I'm going to improve the DirectAdmin environment, make it faster and more secure. I assume that you have installed DirectAdmin on your server (for this guide, I use CentOS 7 64bit). A good understanding of Linux basics is needed to follow this guide. Now we begin:

Use Nginx reverse proxy

Performance improves when the reverse proxy serves static content itself and passes only application requests on to Apache. If your web server is not set to this mode, run the commands below:

cd /usr/local/directadmin/custombuild
./build update
./build set webserver nginx_apache
./build nginx_apache

Restore the original visitor IP if traffic comes through CloudFlare

nano /etc/nginx/nginx-includes.conf

Add the following lines:

set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;

# use one of the following two
real_ip_header CF-Connecting-IP;
#real_ip_header X-Forwarded-For;
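The set_real_ip_from list is a trust boundary: nginx's realip module only honours CF-Connecting-IP when the TCP peer is inside one of those ranges, otherwise any client could forge its apparent source address in the header and defeat logging and rate limits. The script below is an added example, not part of the original post or of DirectAdmin; it models that decision in plain POSIX shell for IPv4, using a constructed subset of the ranges above and documentation addresses as sample clients.

```shell
#!/bin/sh
# Added example: models how nginx's realip module treats a CF-Connecting-IP
# header given the set_real_ip_from list. Only a header arriving from a
# trusted proxy range is believed; anything else keeps the real peer address.

# Constructed subset of the Cloudflare IPv4 ranges from nginx-includes.conf.
TRUSTED_V4="103.21.244.0/22 104.16.0.0/12 173.245.48.0/20"

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NETWORK/PREFIX -> exit 0 when IP lies inside the prefix.
in_cidr() {
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# is_trusted_proxy IP -> exit 0 when IP belongs to a listed proxy range.
is_trusted_proxy() {
    for cidr in $TRUSTED_V4; do
        in_cidr "$1" "$cidr" && return 0
    done
    return 1
}

# effective_client_ip PEER_ADDR CF_CONNECTING_IP
# Prints the address the application should log and rate-limit on.
effective_client_ip() {
    if [ -n "$2" ] && is_trusted_proxy "$1"; then
        echo "$2"      # header came from a Cloudflare range: trust it
    else
        echo "$1"      # direct (or spoofed) connection: keep the peer address
    fi
}

# Demo with constructed addresses (RFC 5737 documentation ranges).
effective_client_ip 103.21.244.7 198.51.100.23   # header trusted
effective_client_ip 203.0.113.9 198.51.100.23    # header ignored
```

The second call shows the failure mode the list prevents: a direct connection from 203.0.113.9 that carries a forged CF-Connecting-IP header is still attributed to 203.0.113.9. The same logic is why the post's commented-out X-Forwarded-For alternative should only be enabled with the same trusted-range list in place.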

Enable HTTP/2

UPDATE: DirectAdmin v1.52 and later automatically enables HTTP/2 if you run OpenSSL 1.0.2 or higher.

HTTP/2 is the latest update to the HTTP protocol with many advancements in efficiency, security and speed. Simply run the commands below to enable HTTP/2:

mkdir /usr/local/directadmin/custombuild/custom/
mkdir /usr/local/directadmin/custombuild/custom/nginx_reverse
mkdir /usr/local/directadmin/custombuild/custom/nginx_reverse/conf
cp -p /usr/local/directadmin/custombuild/configure/nginx_reverse/conf/nginx-vhosts.conf /usr/local/directadmin/custombuild/custom/nginx_reverse/conf/

Next, we update the nginx-vhosts:

nano /usr/local/directadmin/custombuild/custom/nginx_reverse/conf/nginx-vhosts.conf

Add http2 to every SSL listen directive (each listen line that carries ssl should read ... ssl http2;).

Rewrite the configuration files and restart the services:

cd /usr/local/directadmin/custombuild
./build rewrite_confs

Use PHP 7

PHP 7 delivers up to 2x faster performance and 50% lower memory consumption than PHP 5.6.

cd /usr/local/directadmin/custombuild
./build set php1_release 7.1

If you have CloudLinux:

./build set php1_mode lsphp

If you don't have CloudLinux:

./build set php1_mode php-fpm

Then build php:

./build update
./build php d

Edit /usr/local/php71/lib/php.ini and double these settings: memory_limit, max_execution_time, max_input_time
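Doubling the three settings by hand is error-prone on a server with several php.ini files, so here is an added example (not from the original post) that does it with awk while preserving the size suffix on memory_limit and leaving commented-out lines and the special value -1 (unlimited) untouched. It runs against a constructed sample file; the real path /usr/local/php71/lib/php.ini and the starting values are assumptions.

```shell
#!/bin/sh
# Added example: double named php.ini settings in place, keeping the unit
# suffix (128M -> 256M) and skipping ";commented" lines and -1 (unlimited).

# double_ini_value FILE KEY -> rewrites the active "KEY = VALUE" line.
double_ini_value() {
    file=$1 key=$2
    awk -v key="$key" '
        $1 == key && $2 == "=" {
            val = $3
            if (val + 0 < 0) { print; next }        # -1 means unlimited: leave it
            suffix = ""
            if (val ~ /[A-Za-z]$/) {               # split off a trailing K/M/G
                suffix = substr(val, length(val))
                val = substr(val, 1, length(val) - 1)
            }
            print key " = " (val * 2) suffix
            next
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_ini_value FILE KEY -> prints the active value, for checking the result.
get_ini_value() {
    awk -v key="$2" '$1 == key && $2 == "=" { print $3; exit }' "$1"
}

# Constructed sample php.ini; replace $SAMPLE with the real php.ini path
# (the tutorial uses /usr/local/php71/lib/php.ini) to apply the change.
SAMPLE="${TMPDIR:-/tmp}/php.ini.sample.$$"
cat > "$SAMPLE" <<'EOF'
; constructed sample, not a real php.ini
memory_limit = 128M
;memory_limit = 64M
max_execution_time = 30
max_input_time = 60
EOF

for key in memory_limit max_execution_time max_input_time; do
    double_ini_value "$SAMPLE" "$key"
done
cat "$SAMPLE"
```

After the loop the sample reads memory_limit = 256M, max_execution_time = 60 and max_input_time = 120, while the commented line is unchanged. Rerunning the script doubles again, so apply it once per PHP version rather than on every build.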

Enable OpCache

OPcache also improves PHP performance; run the following commands:

cd /usr/local/directadmin/custombuild
./build set opcache yes
./build opcache

Use MariaDB

MariaDB includes many optimizer enhancements. If your server is not set to use MariaDB, follow this:

cd /usr/local/directadmin/custombuild
./build set mariadb 10.2
./build set mysql_inst mariadb
./build set mysql_backup yes
./build update
./build mariadb

Increase the maximum allowed packet size:

nano /etc/my.cnf.d/server.cnf

In the [mysqld] section set max_allowed_packet = 256M, innodb_log_file_size = 256M and bind-address = 127.0.0.1 (so MariaDB listens only on the loopback interface and is not reachable from the network). Also add max_allowed_packet=256M in the [mysqldump] section.

Enable SSL for all services

Assume that your server hostname is server.domain.com. We use the Let's Encrypt tool to set up SSL for the server hostname and all services. First edit the directadmin.conf file:

nano /usr/local/directadmin/conf/directadmin.conf

and set the following values:

enable_ssl_sni=1
ssl_redirect_host=server.domain.com
force_hostname=server.domain.com
carootcert=/usr/local/directadmin/conf/carootcert.pem
letsencrypt=1

Next run the following commands:

service directadmin restart
cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt
cd /usr/local/directadmin/scripts
./letsencrypt.sh request server.domain.com 4096

Now set SSL=1 in directadmin.conf and restart directadmin service again.

Next, update Roundcube config for SSL connection:

nano /var/www/html/roundcube/plugins/password/config.inc.php

set $config['password_directadmin_host'] = 'ssl://localhost';

Test SSL by running the following commands, one at a time:

openssl s_client -connect 127.0.0.1:465
openssl s_client -connect 127.0.0.1:993
openssl s_client -connect 127.0.0.1:2222
openssl s_client -connect 127.0.0.1:443
openssl s_client -connect 127.0.0.1:21 -starttls ftp

Make sure you can see the certificate in each result, as in the SSL test screenshot.
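Reading five s_client dumps by eye is easy to get wrong, and the important line is not just that a certificate is present but that the chain verifies and the subject is the server hostname rather than the default self-signed certificate. The script below is an added example (not from the original post or DirectAdmin) that runs the same five checks against 127.0.0.1 and grades each output; server.domain.com is the tutorial's placeholder hostname and must be replaced with yours.

```shell
#!/bin/sh
# Added example: run the tutorial's openssl s_client checks and grade them.
HOST=${HOST:-server.domain.com}   # assumption: the tutorial's placeholder

# grade_s_client EXPECTED_CN: reads s_client output on stdin, prints a verdict
#   ok        chain verified and the subject carries the expected CN
#   untrusted certificate sent but chain did not verify, or wrong CN
#             (e.g. the stock self-signed certificate is still in use)
#   nocert    no certificate at all (no TLS on that port / wrong port)
grade_s_client() {
    expected=$1
    out=$(cat)
    case $out in
        *"Certificate chain"*) ;;
        *) echo nocert; return 1 ;;
    esac
    case $out in
        *"Verify return code: 0 (ok)"*) ;;
        *) echo untrusted; return 1 ;;
    esac
    # subject format differs: OpenSSL 1.0 prints "/CN=", 1.1 prints "CN = "
    case $out in
        *"CN=$expected"*|*"CN = $expected"*) echo ok; return 0 ;;
        *) echo untrusted; return 1 ;;
    esac
}

# check_port PORT [STARTTLS_PROTOCOL]: connect to the local service and grade.
check_port() {
    port=$1 proto=$2
    set -- -connect "127.0.0.1:$port" -servername "$HOST"
    [ -n "$proto" ] && set -- "$@" -starttls "$proto"
    openssl s_client "$@" </dev/null 2>/dev/null | grade_s_client "$HOST"
}

# The five services the tutorial tests: SMTPS, IMAPS, DirectAdmin, HTTPS, FTP.
check_all() {
    for spec in 465 993 2222 443 "21 ftp"; do
        set -- $spec
        printf '%s\t%s\n' "$1" "$(check_port "$1" "$2")"
    done
}

# Live checks run only with --run, so the grader can be exercised on captured
# output without any service listening.
if [ "${1:-}" = --run ]; then check_all; fi
```

Run it as sh check_tls.sh --run on the server; every line should read ok. A port reporting untrusted right after the Let's Encrypt request usually means the service was not restarted and is still serving the old certificate.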

Then we make new domains use a private_html symlink that points to public_html. We do this by creating the custom script:

/usr/local/directadmin/scripts/custom/domain_create_post.sh

Then add the following code and chmod the script to 755:

#!/bin/sh
# DirectAdmin runs this hook after a domain is created and exports
# $username and $domain into its environment.
D="/home/$username/domains/$domain"
PH="$D/private_html"

# Replace the default private_html directory with a symlink to public_html,
# so HTTPS serves the same document root as HTTP.
if [ -d "$PH" ]; then
   rm -rf "$PH"
   ln -s public_html "$PH"
   chown -h "$username:$username" "$PH"
fi
exit 0

Use hostname for alias

cd /usr/local/directadmin/custombuild
./build update
./build set use_hostname_for_alias yes
./build set redirect_host_https yes
./build rewrite_confs

Enable DKIM

Enabling DKIM helps keep email sent from your server out of the Spam folder. Download the exim.dkim.conf file:

cd /etc
wget -O exim.dkim.conf http://files.directadmin.com/services/exim.dkim.conf

Edit your /etc/exim.conf, and find the code:

remote_smtp:
 driver = smtp

Then change it to look like:

remote_smtp:
  driver = smtp
  .include_if_exists /etc/exim.dkim.conf

Update your exim.conf with CustomBuild:

cd /usr/local/directadmin/custombuild
./build update
./build set eximconf yes
./build set eximconf_release 4.5
./build set blockcracking yes
./build set easy_spam_fighter yes
./build set spamassassin yes
./build set exim yes
./build exim
./build set dovecot_conf yes
./build dovecot_conf
./build spamassassin
./build update
./build exim_conf

Then restart exim:

service exim restart

Finally, update directadmin.conf file:

nano /usr/local/directadmin/conf/directadmin.conf

Set dkim=1 and hide_outlook=1, then restart DirectAdmin.

Now we can create DKIM for the server hostname:

cd /usr/local/directadmin/scripts
./dkim_create.sh server.domain.com

Now go to DirectAdmin > DNS Administration, click on your server hostname to check the DKIM key, and update your SPF record (to include IPv6).

Check your /etc/hosts file: "localhost" should only appear on the 127.0.0.1 line, not on the ::1 line (localhost6 and the other "6" variants are fine there).
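The /etc/hosts rule above is easy to check mechanically, which matters because a stray "localhost" on the ::1 line makes Exim and other services resolve localhost to an IPv6 address that the SPF record and bind-address settings do not cover. The function below is an added example (not from the original post); it reads a hosts file, ignores comments, matches names as whole words so localhost6 does not trigger, and is tried here on two constructed sample files.

```shell
#!/bin/sh
# Added example: verify that "localhost" appears only on the 127.0.0.1 line
# of a hosts file, and never on the ::1 line.

# hosts_ok FILE -> exit 0 if the rule holds, 1 (with a message) otherwise.
hosts_ok() {
    awk '
        { sub(/#.*/, "") }                      # strip comments
        NF == 0 { next }                        # skip blank lines
        $1 == "::1" {
            for (i = 2; i <= NF; i++)
                if ($i == "localhost") {        # whole-word match only
                    bad = 1
                    print "localhost found on ::1 line: " $0
                }
        }
        $1 == "127.0.0.1" {
            for (i = 2; i <= NF; i++)
                if ($i == "localhost") seen = 1
        }
        END {
            if (!seen) { print "localhost missing from 127.0.0.1 line"; bad = 1 }
            exit bad ? 1 : 0
        }
    ' "$1"
}

# Constructed samples (not real server files) to exercise both outcomes.
HOSTS_GOOD="${TMPDIR:-/tmp}/hosts.good.$$"
HOSTS_BAD="${TMPDIR:-/tmp}/hosts.bad.$$"
cat > "$HOSTS_GOOD" <<'EOF'
127.0.0.1   localhost localhost.localdomain server.domain.com  # constructed
::1         localhost6 localhost6.localdomain6
EOF
cat > "$HOSTS_BAD" <<'EOF'
127.0.0.1   localhost localhost.localdomain
::1         localhost localhost6 localhost6.localdomain6
EOF

if hosts_ok "$HOSTS_GOOD"; then echo "good sample: ok"; fi
if hosts_ok "$HOSTS_BAD"; then :; else echo "bad sample: rejected as expected"; fi
```

On a live server call hosts_ok /etc/hosts; a non-zero exit with the printed line tells you which entry to edit.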

Enable Auto Update

Install yum-cron:

yum -y install yum-cron
sed -i 's/apply_updates = no/apply_updates = yes/' /etc/yum/yum-cron.conf

Start the yum-cron service:

systemctl start yum-cron.service

Enable DA cron:

nano /usr/local/directadmin/custombuild/options.conf

Then set the following values:

cron=yes
cron_frequency=monthly
email=your@email.com
notifications=yes
da_autoupdate=yes
updates=yes
webapps_updates=yes

Finally, build cron:

cd /usr/local/directadmin/custombuild/
./build cron

Enable IP Blocking

Run the following commands:

yum -y install iptables-services
systemctl enable iptables
cd /usr/libexec/iptables
mv iptables.init iptables.init.backup
wget -O iptables.init http://files.directadmin.com/services/all/block_ips/2.2/iptables
chmod 755 iptables.init
systemctl reload iptables

cd /usr/local/directadmin/scripts/custom
wget -O block_ip.sh http://files.directadmin.com/services/all/block_ips/2.2/block_ip.sh
wget -O show_blocked_ips.sh http://files.directadmin.com/services/all/block_ips/2.2/show_blocked_ips.sh
wget -O unblock_ip.sh http://files.directadmin.com/services/all/block_ips/2.2/unblock_ip.sh
chmod 700 block_ip.sh show_blocked_ips.sh unblock_ip.sh

touch /root/blocked_ips.txt
touch /root/exempt_ips.txt

cd /usr/local/directadmin/scripts/custom
wget -O brute_force_notice_ip.sh http://files.directadmin.com/services/all/block_ips/2.2/brute_force_notice_ip.sh
chmod 700 brute_force_notice_ip.sh

echo "hide_brute_force_notifications=1" >> /usr/local/directadmin/conf/directadmin.conf

Note: a system update sometimes overwrites iptables.init; run chattr +i iptables.init to make the file immutable and prevent this.

Update the settings in DirectAdmin as shown in the DirectAdmin Settings screenshot.

Now you have an excellent hosting server! If you need any help please let me know.
