Security


ProWebUK
06-10-2003, 09:08 AM
As I have stated in another post, all I have heard about DirectAdmin are good comments.

I was wondering about the security on the control panel.

1 -> Is there any software/script that you recommend for security, any special security updates on the software, firewalls, etc.?

2 -> I am assuming that your software does not have any problems running firewalls like cPanel does; is this correct?

3 -> Are there any ports that need to be open apart from the normal ones (80, 21, 22, etc.)? I guess the control panel requires its own port, but is there anything else?

Regards
Chris

DirectAdmin Sales
06-10-2003, 10:43 AM
You should have these ports open if you are running a firewall:

20/21 proftpd
22 sshd
25 smtp
53 nameserver
80 apache
110 pop3
143 imap (not used at the moment, but eventually)
443 apache secure
2222 DirectAdmin

DirectAdmin needs to get out in order to contact our system, but having a firewall shouldn't cause you any difficulty assuming the correct ports are open.

I'll get Support to answer your other question about security software/scripts.

Mark

DirectAdmin Support
06-10-2003, 11:41 AM
1 -> Is there any software/script that you recommend for security, any special security updates on the software, firewalls, etc.?
2 -> I am assuming that your software does not have any problems running firewalls like cPanel does; is this correct?


We don't recommend anything in particular, but a good iptables script is never a bad idea. Just be sure not to block the incoming ports mentioned above, and to allow for outgoing ports, as DirectAdmin needs to call home now and then.

This would be a good time for anyone to mention their favorite software/script.

John
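
Neither Mark's port list nor John's reply shows what the "good iptables script" looks like, so here is one, as an added example that is not DirectAdmin's code or anything posted in this thread. It assumes eth0 is the public interface and a passive FTP data range of 49152-65534 (both assumptions; change them to match your box), adds UDP 53 alongside TCP 53 because nameservers answer most queries over UDP, and accepts replies to established connections so that the outbound "call home" actually gets its answers back through a default-DROP INPUT chain. Telnet on 23 is never listed, so it falls through to the DROP policy.

```shell
#!/bin/sh
# da-firewall.sh: iptables policy for a DirectAdmin box, built from the port
# list posted above. With no argument it prints the rules it would load
# (dry run); "da-firewall.sh apply" loads them, which needs root.
set -f   # no pathname expansion; rule text is split into words below

IFACE=${IFACE:-eth0}                    # public interface; assumed name
PASV_PORTS=${PASV_PORTS:-49152:65534}   # passive FTP data range; assumed, must match proftpd.conf

# Inbound TCP services from the list above: "port name" per line.
TCP_SERVICES='
20 ftp-data
21 ftp
22 ssh
25 smtp
53 dns
80 http
110 pop3
143 imap
443 https
2222 directadmin
'

# rules: print one iptables command per line, in load order.
rules() {
    # Start clean: drop inbound by default, allow all outbound so DirectAdmin
    # can call home, and accept replies to connections this host opened.
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$TCP_SERVICES" | while read -r port name; do
        [ -n "$port" ] || continue
        echo "iptables -A INPUT -i $IFACE -p tcp --dport $port -j ACCEPT"
    done
    # DNS: ordinary queries arrive over UDP; TCP 53 above covers zone
    # transfers and answers too large for one datagram.
    echo "iptables -A INPUT -i $IFACE -p udp --dport 53 -j ACCEPT"
    # Passive FTP: the client connects to a high port proftpd chose, so the
    # range proftpd is allowed to choose from must be open inbound.
    echo "iptables -A INPUT -i $IFACE -p tcp --dport $PASV_PORTS -j ACCEPT"
    # Everything else, telnet on 23 included, hits the DROP policy.
}

# port_allowed PORT: true if the generated policy accepts new TCP connections to PORT.
port_allowed() {
    rules | grep -q -- "-p tcp --dport $1 -j ACCEPT"
}

# apply: load the rules, stopping at the first one iptables rejects.
apply() {
    rules | while read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Act as a command only when run under our own name; sourcing the file
# just defines the functions.
case "$0" in
    */da-firewall.sh|da-firewall.sh)
        if [ "$1" = apply ]; then apply; else rules; fi ;;
esac
```

Run it with no arguments first and read the output; apply only once it shows what you expect, and do that from the console or with some other way back in, because a mistake in the INPUT policy is exactly the lockout the later posts in this thread worry about.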

ProWebUK
06-10-2003, 12:25 PM
Thanks for the answers :)

Originally posted by DirectAdmin Support
This would be a good time for anyone to mention their favorite software/script.

Firewalls used on current servers:

APF Firewall
KISS My Firewall

One or two precautions I just feel like listing :P

Telnet disabled
Shell direct login disabled

Regards
Chris

jlasman
06-18-2003, 11:53 AM
Originally posted by DirectAdmin Sales
You should have these ports open if you are running a firewall:

20/21 proftpd
22 sshd
25 smtp
53 nameserver
80 apache
110 pop3
143 imap (not used at the moment, but eventually)
443 apache secure
2222 DirectAdmin

Mark
Don't forget to open ports for passive ftp, and to make some changes to the /etc/proftpd.conf file to allow for passive ftp through your firewall.

While I don't recommend cutting-and-pasting for your firewall needs, I can post an ipchains file that's worked for us for about 50 systems for about four months now. And I can also post a few lines to cut-and-paste into your /etc/proftpd.conf file to allow for passive ftp through the resulting firewall.

Jeff
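
The proftpd.conf side of Jeff's point, as an added example rather than the lines he offered to post. The port range is an assumption: pick any block of high ports, open exactly that range for inbound TCP in the firewall, and keep the two in step. A mismatch shows up as logins that succeed while directory listings in passive mode hang, because the control connection on 21 works and the data connection to the high port is dropped.

```apacheconf
# Additions to /etc/proftpd.conf for passive FTP through a firewall.
# Restrict the data ports proftpd offers in its PASV reply to a fixed range
# (assumed here) so the firewall only needs that range open inbound.
PassivePorts 49152 65534

# Only if the server sits behind NAT: advertise the public address in PASV
# replies instead of the private one (203.0.113.10 is a placeholder).
# MasqueradeAddress 203.0.113.10
```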

loopforever
06-21-2003, 10:19 AM
Originally posted by DirectAdmin Sales

23 sshd

This is actually incorrect, SSHd runs on port 22. Telnet runs on 23, therefore it is advisable to keep this port blocked.

Just thought I'd clear that up :).

DirectAdmin Sales
06-21-2003, 10:21 AM
That's what I get for not paying attention. Above messages have been edited.

Mark

jlasman
06-21-2003, 12:16 PM
Originally posted by loopforever
This is actually incorrect, SSHd runs on port 22. Telnet runs on 23, therefore it is advisable to keep this port blocked.

Just thought I'd clear that up :).

We've had, on occasion, ssh crash. If that happens to a system in colocation, it could be a disaster, costing you either lots of money or a trip, and definitely lots of downtime.

So I'd recommend that if you either shut down telnet or close off port 23, you have some backdoor method of turning it back on.

We implement a backdoor that consists of an email we can send to a certain address that will run a program to turn telnet back on and rewrite the firewall rules to allow the telnet access.

(We also have one to restart ssh; we do try that one first.)

It's quite easy to do with sendmail; I don't know how easy it is or isn't to run a program from an email using exim.

But it's got to be doable; that's how majordomo works.

Jeff
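
Jeff's mail-triggered recovery hook, as an added example: it is not his script and not anything DirectAdmin ships. The alias name, the script and token-file paths, the init-script locations and the exact enable-telnet command are all assumptions. What the example adds is the check a practitioner would insist on before trusting such a hook: the alias is reachable by anyone who can deliver mail to the host, so a request only runs if its subject carries a one-time token from a root-only file, and the token is deleted on use so a captured or guessed message cannot be replayed. With sendmail the script hangs off /etc/aliases as the header comment shows; exim can drive it the same way through its pipe transport, which the example does not cover.

```shell
#!/bin/sh
# mail-rescue.sh: e-mail driven recovery hook with a one-time token check.
# Wire it up with an alias that pipes the message to the script (alias name
# and path are assumptions for this example), then run newaliases:
#   rescue: "|/usr/local/sbin/mail-rescue.sh"
# A request runs only if its Subject is "RESCUE <token> <action>" and the
# token is still listed in TOKEN_FILE; the token is removed on use.
set -f   # no pathname expansion; the subject line is split into words below

TOKEN_FILE=${TOKEN_FILE:-/etc/mail-rescue/tokens}   # one unused token per line, mode 0600; assumed path
LOG=${LOG:-/var/log/mail-rescue.log}                 # assumed path
DRY_RUN=${DRY_RUN:-0}                                 # 1 = print the command instead of running it

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"; }

# extract_subject: print the Subject header of the message on stdin.
# Headers end at the first blank line, so stop there and ignore the body.
extract_subject() {
    sed -n '/^$/q; s/^[Ss]ubject:[[:space:]]*//p'
}

# consume_token TOKEN: succeed only if TOKEN is listed in TOKEN_FILE, and
# remove it so the same token cannot be used twice.
consume_token() {
    tok=$1
    case "$tok" in
        ""|*[!A-Za-z0-9]*) return 1 ;;   # tokens are generated from [A-Za-z0-9] only
    esac
    grep -Fqx -- "$tok" "$TOKEN_FILE" || return 1
    grep -Fvx -- "$tok" "$TOKEN_FILE" > "$TOKEN_FILE.tmp"
    mv "$TOKEN_FILE.tmp" "$TOKEN_FILE"
}

# run_action CMD: run the privileged command, or just print it in dry-run mode.
run_action() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would run: %s\n' "$1"
    else
        sh -c "$1"
    fi
}

# handle_message: read one mail message on stdin and act on a subject of the
# form "RESCUE <token> <action>". Returns 0 only if an action was run.
handle_message() {
    subject=$(extract_subject)
    set -- $subject
    [ "$1" = "RESCUE" ] || { log "ignored: not a rescue request"; return 1; }
    # Validate the action before spending a token, so a typo does not burn one.
    case "$3" in
        restart-ssh)   cmd='/etc/init.d/sshd restart' ;;   # init script path assumed
        enable-telnet) cmd='chkconfig telnet on && /etc/init.d/xinetd restart && iptables -I INPUT -p tcp --dport 23 -j ACCEPT' ;;
        *)             log "ignored: unknown action '$3'"; return 1 ;;
    esac
    consume_token "$2" || { log "rejected: unknown or already used token"; return 1; }
    log "running $3"
    run_action "$cmd"
}

# Act as the alias handler only when run under our own name; sourcing the
# file just defines the functions.
case "$0" in
    */mail-rescue.sh|mail-rescue.sh) handle_message ;;
esac
```

To try it without touching anything, feed it a constructed message in dry-run mode: `printf 'Subject: RESCUE <token> restart-ssh\n\n' | DRY_RUN=1 TOKEN_FILE=./tokens sh mail-rescue.sh`. Keep the printed copy of the token list somewhere that does not depend on the server being reachable; that is the whole point of the hook.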

ProWebUK
06-21-2003, 01:01 PM
A lot of dedicated suppliers will get SSH restarted or restart the server within 3/4 minutes if you give them a call or submit a trouble ticket, or at least in our case that's how it works; there's no way I could make a 9-hour flight costing £100s to restart SSH on one server :-S

TAH-Max
07-04-2003, 10:30 AM
Check my checklist in this forum. It has many security programs, etc. that you should use and also how to update things such as your kernel.