DirectAdmin | New Server Checklist
ProWebUK
06-13-2003, 08:58 AM
With myself regularly recommending dedicated server owners to Foggy's Ensim checklist on EV1, I thought it would be a good idea to set up something similar for DirectAdmin users.
Hopefully this will come in useful for both experienced users and beginners with DirectAdmin servers.
That's all I need to say, so I will leave you to read the rest :)
IMPORTANT
Disclaimer
Before you try any how-to guides listed below, please remember that I do not take responsibility for any problems that may occur whilst using them or setting them up.
Linux basics
New to Linux? These guides may help you out
-> Using SSH on Windows OS (http://forum.ev1servers.net/showthread.php?s=&threadid=19599)
-> Using SSH on Mac OS (http://forums.rackshack.net/showthread.php?threadid=13879)
-> Using VI text editor (http://forum.ev1servers.net/showthread.php?s=&threadid=10976)
-> Directory of Linux commands (http://www.oreillynet.com/linux/cmd/)
-> Linux resource websites (http://forum.ev1servers.net/showthread.php?s=&threadid=17732)
DirectAdmin Installation
Useful advice for setting up your server
-> DirectAdmin server setup guide (http://www.directadmin.com/forum/showthread.php?s=&threadid=116)
-> Beginners guide to SSH
Server Updates
-> Update Kernel using UP2DATE (http://forum.ev1servers.net/showthread.php?s=&threadid=12622)
-> Update kernel on dual processor servers (http://forum.ev1servers.net/showthread.php?s=&threadid=25297) (normal kernel update won't work)
-> Update PHP (4.3.4) using DA custom apache build system (http://www.directadmin.com/forum/showthread.php?s=&postid=5086#post5086)
-> Update apache (1.3.29) Using DA custom apache build system (http://www.directadmin.com/forum/showthread.php?s=&postid=5086#post5086)
-> Update Mod_SSL (2.8.16) Using DA custom apache build system (http://www.directadmin.com/forum/showthread.php?s=&postid=5086#post5086)
ModSSL, Apache and PHP updates above are all upgraded together using the custom apache build system
Server Security
The best software I have found to secure your server (please note that only 1 firewall should be installed)
-> APF Firewall (http://forum.ev1servers.net/showthread.php?s=&threadid=20209) (make sure you allow port 2222 for DirectAdmin to work)
-> KISS My Firewall 2.0 (http://forums.ev1servers.net/showthread.php?s=&threadid=36733)(make sure you allow port 2222 for DirectAdmin to work)
-> Disable Direct Root Login (http://forum.ev1servers.net/showthread.php?s=&threadid=18437)
-> Disable Telnet (http://forum.ev1servers.net/showthread.php?threadid=20870)
-> Mask apache server & services version numbers (http://forum.ev1servers.net/showthread.php?s=&threadid=13679)
-> CHKROOTKIT (http://forum.ev1servers.net/showthread.php?s=&postid=44747)
-> Upgrade OpenSSH to fix recent exploit (http://www.directadmin.com/forum/showthread.php?s=&threadid=574)
-> Upgrade ProFTPd to fix recent exploit (http://www.directadmin.com/forum/showthread.php?s=&postid=3343#post3343)
-> Configure POP3S (Secure POP3) with xinetd (http://directadmin.com/forum/showthread.php?s=&threadid=278)
-> Change Shell Passwords - Below
Admin:
/usr/bin/passwd
(set new password)
Root:
su -
/usr/bin/passwd
(set new password)
Other Users:
su - <username>
/usr/bin/passwd
(set new password)
Go back to root:
exit
Software & Service Updates
How-To upgrade software on your server such as PHP, MySQL & Perl
-> Upgrading OpenSSH (http://www.directadmin.com/forum/showthread.php?s=&threadid=166)
-> Upgrading OpenSSL (http://www.directadmin.com/forum/showthread.php?s=&threadid=163)
-> Custom Apache build system (http://www.directadmin.com/forum/showthread.php?s=&threadid=104)
General Server Setup
The simple things that you need to do with your server
-> Control panel login under https (secure space) (http://www.directadmin.com/forum/showthread.php?s=&threadid=63)
-> Change Host Name (http://forum.ev1servers.net/showthread.php?s=&threadid=10744) (change "server name" under admin settings - admin control panel)
-> Setup Default Nameservers (http://www.directadmin.com/forum/showthread.php?s=&threadid=130)
-> Provide personal nameservers without using additional IP addresses (http://www.directadmin.com/forum/showthread.php?s=&threadid=76)
-> Set Date & Time (http://forum.ev1servers.net/showthread.php?s=&threadid=5446)
-> Remove logging of Lame-Server (http://forum.ev1servers.net/showthread.php?s=&threadid=6203)
Server Monitoring
The software applications and scripts listed below will help you view your server's status
-> SIM - System integrity monitor (http://www.directadmin.com/forum/showthread.php?s=&threadid=347)
-> RPM based MRTG installation (http://www.directadmin.com/forum/showthread.php?s=&threadid=1179) Only install 1 MRTG, do not follow both guides
-> MRTG manually compile, configure and run (http://www.directadmin.com/forum/showthread.php?s=&threadid=632)
-> Domain Monitoring Tool - (CPU usage monitor for individual domains) (http://www.directadmin.com/forum/showthread.php?s=&threadid=1650)
Optimization
Install either Zend Optimizer OR PHPAccelerator, the 2 will not work together
-> Zend Optimizer (http://forum.ev1servers.net/showthread.php?s=&threadid=24638)
-> PHPAccelerator (http://forum.ev1servers.net/showthread.php?s=&threadid=13278)
-> Install Mod_GZIP (http://www.directadmin.com/forum/showthread.php?s=&threadid=126)
-> Optimize MySQL 4 (http://www.directadmin.com/forum/showthread.php?s=&threadid=132)
Statistics
Find out how many visitors your website is getting and much more information with the following
-> Fresh install of Urchin 5 (http://www.directadmin.com/forum/showthread.php?s=&threadid=592)
-> Urchin V4 > Urchin V5 Upgrade (http://www.directadmin.com/forum/showthread.php?s=&postid=3235#post3235)
-> Automate Urchin V5 (http://www.directadmin.com/forum/showthread.php?s=&postid=8471&highlight=csrlist%3D%24DOMAIN#post8471)
-> AWStats For all Domains (http://www.directadmin.com/forum/showthread.php?s=&threadid=1151)
-> MailScanner MRTG guide (http://www.directadmin.com/forum/showthread.php?s=&threadid=1522)
Add-ons & advice
Hidden secrets in DirectAdmin along with some useful advice and other extras
-> Adding a login form from your website (http://www.directadmin.com/forum/showthread.php?s=&threadid=168)
-> SubDomain Secret >> (make sub.sub.sub.domain.com) (http://www.directadmin.com/forum/showthread.php?s=&threadid=66)
-> Setting up an SSL certificate for the server (http://www.site-helper.com/ssl.html#shared)
-> Generating a self signed SSL certificate (http://www.site-helper.com/ssl.html#self)
-> Requirements to install an SSL certificate (http://www.site-helper.com/ssl.html#requirements)
-> Ensim -> DirectAdmin conversion script (http://www.directadmin.com/forum/showthread.php?s=&threadid=102&highlight=ensim)
-> Read mail sent to root@localhost (http://forum.ev1servers.net/showthread.php?s=&threadid=10132)
-> Site-Helper (DirectAdmin Information website) (http://site-helper.com/)
-> Reset MySQL Password (http://forum.ev1servers.net/showthread.php?s=&threadid=15570)
-> Install PRM (process resource monitor) (http://forum.ev1servers.net/showthread.php?s=&threadid=25376)
-> Install Bandwidth Bar (http://forum.ev1servers.net/showthread.php?s=&threadid=8981)
-> Mask apache server & services version numbers (http://forum.ev1servers.net/showthread.php?s=&threadid=13679)
-> Install Darwin streaming server (http://forum.ev1servers.net/showthread.php?s=&threadid=23283)
-> Provide a MySQL user with an additional database (http://www.directadmin.com/forum/showthread.php?s=&threadid=706)
-> Backup or Transfer MySQL Databases without shell or phpMyAdmin access (http://www.directadmin.com/forum/showthread.php?s=&threadid=510)
-> Script to convert users to resellers & vice versa (http://www.directadmin.com/forum/showthread.php?s=&threadid=1220)
-> MailScanner 4.24 for Exim 4.24 (http://www.directadmin.com/forum/showthread.php?s=&threadid=1187)
-> Full (unofficial) DirectAdmin backup guide / software (http://www.directadmin.com/forum/showthread.php?s=&threadid=1489)
To reset the MySQL password with DA, you have to additionally edit /usr/local/directadmin/conf/mysql.conf to reflect your new da_admin password. Also replace "root" with "da_admin".
Known problems / bugs & fixes [NEW]
Found a bug or problem? See if there is already a fix!
-> TroubleShooting Section (http://www.directadmin.com/forum/forumdisplay.php?s=&forumid=13)
-> Webmail gives errors on a fresh install (http://www.directadmin.com/forum/showthread.php?s=&threadid=721)
-> Fatal error: Call to undefined function: mail() (http://www.directadmin.com/forum/showthread.php?s=&threadid=705)
-> Mail & POP3 errors on a fresh installation (http://www.directadmin.com/forum/showthread.php?s=&threadid=671)
-> Exim fails to start - Exim configuration error (http://www.directadmin.com/forum/showthread.php?s=&threadid=713)
-> Webalizer binary not found (http://www.directadmin.com/forum/showthread.php?s=&threadid=205)
-> Apache fails to start (http://www.directadmin.com/forum/showthread.php?s=&postid=5661#post5661)
Skins
You have DirectAdmin, now time to get that new look!
-> DirectAdmin skinning guide (http://www.directadmin.com/skins.html)
Skins coming soon:
-> DirectSkin (default skin) - [Developer: DirectSkins (http://directskins.com)]
-> DA-3D - [Developer: DirectSkins (http://directskins.com)]
-> Florida Sun - [Developer: MindLash (http://www.directadmin.com/forum/member.php?s=&action=getinfo&userid=131)]
Skins currently available:
-> LoopX (http://www.directadmin.com/forum/showthread.php?s=&threadid=97) - [Developer: LoopForever (http://www.directadmin.com/forum/member.php?s=&action=getinfo&userid=14)] [Status: Unsupported]
-> Hermes (http://www.directadmin.com/forum/showthread.php?s=&threadid=1078) - [Developer: CyberAlien (http://www.directadmin.com/forum/member.php?s=&action=getinfo&userid=354)] [Status: Active]
Skinning Extras
Get some extra features in your skins
-> Bandwidth graphs (percentage used) - can be easily modified for disk space also (http://www.directadmin.com/forum/showthread.php?s=&threadid=99)
Have a how-to you want listed here?
To get your DirectAdmin How-to guides listed here, contact me using the link below
-> E-Mail me :) (chris@prowebuk.com)
Regards
Chris
ProWebUK
06-13-2003, 06:01 PM
At the moment I do not have a server running DirectAdmin to test these, although as soon as we have the servers I will get all of them tried and tested.
If you have followed any of the guides please leave a message here with the status, if it worked or if it failed.
Also feel free to contact me to have how-to guides added to the list. You can post a reply here or email me using the link in the above message.
Regards
Chris
ProWebUK
06-14-2003, 03:52 PM
MRTG removed, RPM will be made by me soon.
Also, John / Mark, if you read this can you please contact me with the details I asked for in the main post if possible, thanks :).
Chris
DirectAdmin Sales
06-14-2003, 04:27 PM
[John / Mark, is there a page with the default versions of software included with DA?]
http://www.directadmin.com/install.html
Anything else? :) Sorry I missed the thread before. Busy busy busy.
Mark
ProWebUK
06-14-2003, 04:39 PM
Originally posted by DirectAdmin Sales
Anything else? :)
Think that's all I need to know ;) , there's 1 here though > http://www.directadmin.com/forum/showthread.php?s=&threadid=70 :D
Originally posted by DirectAdmin Sales
Anything else? :) Sorry I missed the thread before. Busy busy busy.
No problemo, was in no rush, just the default versions will obviously help with what upgrades I should put here :)
Chris
ProWebUK
06-15-2003, 09:19 AM
The following HOWTO, tried and tested:
-> Provide personal nameservers without using additional IP addresses
Enjoy ;)
Chris
bonnmac
06-15-2003, 08:52 PM
This will really help out a lot of people. Maybe it could be made sticky so it doesn't get lost?
ProWebUK
06-16-2003, 01:38 AM
sticky :D
Chris
loopforever
06-16-2003, 05:53 PM
-> PHPAccelerator
:) That's one of my HOW-TOs :) (I'm MattDH ;))
I'll be writing HOW-TOs for DA once all my current DA projects are complete. Keep your eyes open ;)!
ProWebUK
06-16-2003, 05:57 PM
Didn't realise you were MattDH, well count yourself lucky, being in the DA server checklist before you were even known as MattDH here :D
Good to see you here as another of DA Groupies :)
Chris
ProWebUK
06-24-2003, 10:34 AM
How to set up the server's main nameservers added to the list :)
ProWebUK
06-24-2003, 10:39 AM
HOWTO Install MOD_GZIP added
ProWebUK
06-29-2003, 05:01 PM
Remote login forms updated to a new page with some different styles :cool:
Chris
ProWebUK
06-30-2003, 03:46 PM
Upgrading openSSH and openSSL added to the Software & Service Updates section
ProWebUK
07-03-2003, 04:34 PM
Added an install guide, updated APF link due to old one being deleted or moved, added custom apache build system also, added how to do bandwidth graphs under a new skinning how-to section ;)
Chris
ProWebUK
07-03-2003, 04:44 PM
Now added a list of skins and will have any skinning sites for DA listed there ;)
Chris
TAH-Max
07-06-2003, 02:14 PM
How comes your weedling lil checklist that ain't even been checked to see if it works yet got made sticky and my big one with lots of how-tos and stuff all tested on my DA server didn't :(
ProWebUK
07-06-2003, 03:43 PM
Lots of this how-to is tested on a few Red Hat servers of ours, Plesk and Ensim are the main ones. There are hundreds I could have got from rackshack for servers although I'm not *sure* if they would work so I have left them out. If anyone comes across a problem with these, most have uninstall and remove procedures available if needed. Basically everything *should* work on that list. There is a section of this checklist that allows you to add new how-to guides if you want them added, which you could have done :)
Chris
TAH-Max
07-07-2003, 01:06 AM
Changing the hostname wouldn't be complete without updating 'Server Name' under Administrator Settings in the Admin Panel :)
ProWebUK
07-07-2003, 01:39 AM
Thanks for notifying me of that, "Change Host Name" has now been updated on the listing :)
Chris
ProWebUK
07-08-2003, 04:02 PM
A few updates:
-> Disable Telnet
-> Mask apache server & services version numbers
-> CHKROOTKIT
-> Read mail sent to root@localhost
-> Reset MySQL Password
-> Site-Helper (directadmin information website)
jlasman
07-09-2003, 05:07 PM
Great list. But a lot to print out to have a definitive guide, with many posts not necessary to the instructions.
Can we plead someone to edit the thread to have a complete post and that's all, as some kind of how-to?
I guess I can do it if no one else can, but I can't delete the old thread or move mine to "sticky" status.
Jeff
ProWebUK
07-09-2003, 05:33 PM
I could make a PDF listing everything in this how-to and keep a permanently updated copy of it on the main post ;)
If you want that done I will get it sorted as soon as I'm not quite so busy (hopefully in 2/3 days)
Chris
jlasman
07-09-2003, 06:35 PM
Well, I'm "Jeff", not Don.
But yes, I'd like to see that; I could print it out and put it in my "setup" book.
Jeff
ProWebUK
07-10-2003, 01:24 AM
Sorry, was late here ;) , was supposed to be "done"
Chris :)
jlasman
07-10-2003, 08:22 AM
Originally posted by ProWebUK
MRTG removed, RPM will be made by me soon.
Chris, did you ever prepare an MRTG RPM specific to our use of DA?
Jeff
ProWebUK
07-10-2003, 10:15 AM
At the moment, no it has not been made, sorry.
I hope to release it soon though but I want to get a DA box to test it on before I release it... and it still needs to be made ;)
Chris
jlasman
07-10-2003, 10:34 AM
Originally posted by ProWebUK
I hope to release it soon though but I want to get a DA box to test it on before I release it... and it still needs to be made ;)
Chris, if you can do it remotely, let me know; I can give you a box to test it on; I've got a running DA test box at my home on a static IP.
You can send me an email with your phone number and I can call you to discuss any issue involved in you using the server, or you can call me. But since I pay only us$0.05/minute for calls to the U.K. (I use voip) I certainly don't mind calling you.
Jeff
ProWebUK
07-10-2003, 10:59 AM
Ok, thanks Jeff.
Once it's complete, if I still have no test box I will give you a shout :)
Thanks
Chris
ProWebUK
08-06-2003, 05:01 PM
SIM has been added :)
loopforever
08-06-2003, 05:13 PM
In addition to the "Reset MySQL Password" guide:
To reset the MySQL password with DA, you have to additionally edit: /usr/local/directadmin/conf/mysql.conf to reflect your new da_admin password ("root" is not the username used).
ProWebUK
08-06-2003, 05:35 PM
note added
ProWebUK
08-10-2003, 10:29 AM
Updates have been made to the statistics section, also the skins section has been updated
Chris
ProWebUK
08-10-2003, 10:42 AM
kernel upgrades for single and dual processor servers has been added under server upgrades
ProWebUK
09-02-2003, 03:01 PM
Over the last 2 days I have added these:
-> Update PHP (4.3.3) using DA custom apache build system
-> Install PRM (process resource monitor)
-> Install Bandwidth Bar
-> Mask apache server & services version numbers
-> Install Darwin streaming server
Enjoy them ;) Any problems, please post here or in the appropriate forums :)
Chris
jlasman
09-02-2003, 04:12 PM
Originally posted by ProWebUK
Over the last 2 days I have added these:
-> Update PHP (4.3.3) using DA custom apache build system
Does this automagically get done when I follow the new installation instructions, which include adding the apache build system, or do I have to do it again with some new source?
-> Install PRM (process resource monitor)
-> Install Bandwidth Bar
Where do I find these, please? Pretty please (I'm up to my elbows in alligators and need all the help I can get today).
-> Mask apache server & services version numbers
Would you consider giving us the config directive that does that; my books and I are separated by miles today :( .
-> Install Darwin streaming server
I thought the multimedia files can be streamed through http? If so, why would you want to use the server?
My recollection (from a few years ago) is that when we rebuilt a server for a client we installed neither Darwin nor Real Server because we found we didn't need them; our clients could use http streaming.
Am I just flat out not remembering correctly, or would there be a reason to install Darwin anyway?
Thanks.
Jeff
ProWebUK
09-02-2003, 05:02 PM
Originally posted by jlasman
Does this automagically get done when I follow the new installation instructions, which include adding the apache build system, or do I have to do it again with some new source?
I am assuming you just run the system and it updates PHP itself... nearly 100% certain that's it :) , you will obviously need to restart apache after it's done (unless the script does that)
Originally posted by jlasman
Where do I find these, please? Pretty please (I'm up to my elbows in alligators and need all the help I can get today).
There are download links on the guides :)
Originally posted by jlasman
Would you consider giving us the config directive that does that; my books and I are separated by miles today :( .
Again, everything you need along with the locations should be there. It's all default apache, if you can't find a particular file use the locate command ;)
Originally posted by jlasman
I thought the multimedia files can be streamed through http? If so, why would you want to use the server?
My recollection (from a few years ago) is that when we rebuilt a server for a client we installed neither Darwin nor Real Server because we found we didn't need them; our clients could use http streaming.
Am I just flat out not remembering correctly, or would there be a reason to install Darwin anyway?
Thanks.
Jeff
I'm not 100% sure on this, we installed it and it does look pretty good. I don't think it supports MP3 or the Real format, I think it's for live streaming as it does mention connecting a mic to the computer / server... that could be quite a difficult task for some ;)
Please note that I'm not sure on the uninstall for Darwin; I'm guessing just kill the process, block the port and remove all files although I can't guarantee that will work.
Chris
jlasman
09-02-2003, 07:26 PM
Chris, I believe you only need Darwin and/or Real Server if you're going to do live streaming.
Obviously most of us in the hosting business aren't going to do live streaming... to offer live streaming you have to have a live show come in on a small amount of bandwidth and go out on lots of bandwidth.
There are a few companies that specialize in this kind of hosting; you could either pass up the business (and probably lose less than you would if you tried to do it yourself), or you could refer to someone else or resell someone else.
One of our website clients produces radio shows. Even though she doesn't serve them in realtime, she still uses a company that specializes in doing radio show streaming.
Jeff
ProWebUK
09-02-2003, 08:07 PM
I know what you mean... most won't use it although it could come in handy for doing company announcements for a host or similar ;)
I had a play with the one currently on one of our servers and you can make a "playlist" where you put the locations of files, it then plays them. I have not yet tested how you stream the files although I'm almost sure you just connect to http://IP:PORT :)
I will leave it there if anyone wants it anyway.
Chris
Tazzman
09-17-2003, 10:52 AM
Anybody have a full list of ports to keep open when installing a firewall with DA (including UDP)? The how-to is intended for Ensim ;)
ProWebUK
09-17-2003, 11:01 AM
FTP, SSH, SMTP, DNS, HTTP, POP3, IMAP, HTTPS and DirectAdmin:
FTP - 21
SSH - 22
Telnet (if you have it on) - 23
SMTP - 25
HTTP - 80
HTTPS - 443
POP3 - 110
IMAP - 143
DNS - 53
DirectAdmin - 2222
Passive FTP (information in post below)
49151
49152
49153
49154
49155
49156
49157
49158
49159
49160
49161
I think that's all DirectAdmin needs open, any problems leave a message here :)
Chris
jlasman
09-17-2003, 11:08 AM
Here's my /etc/sysconfig/ipchains file (if you use iptables you'll have to do the conversion yourself)...
(and if you keep reading afterwards I'll tell you what all those ports from 49152 through 49161 are for)...
-A input -s 0/0 -d 0/0 143 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 110 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 53 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 53 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 113 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 113 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 443 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 443 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 2222 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 2222 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 123 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 53 -d 0/0 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 66 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 66 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 49152 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49153 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49154 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49155 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49156 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49157 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49158 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49159 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49160 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49161 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
-A input -s 0/0 -d 0/0 -p udp -j REJECT
Those ports from 49151 through 49162 are left open for proftpd to be able to do passive ftp...
And here's the code you need to put into /etc/proftpd.conf to tell proftpd to use these open ports (I put it right after the Port line):
##### added to make passive transfer work
# use part of the IANA registered ephemeral port range
PassivePorts 49152 49161
####
Jeff
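As an added example (not code from the thread), a small Python audit that parses the ipchains rules and the proftpd PassivePorts line posted above and compares them with the port list Chris gave a few posts up. The rule text and config fragment are embedded copies of those posts; DA_REQUIRED is my reading of Chris's list with telnet left out, and the source-port check is my own addition (an ACCEPT that matches only on a source port lets that source port reach any destination port).

```python
"""Audit an ipchains rule set against the DirectAdmin port list."""
import re

# Constructed copy of the /etc/sysconfig/ipchains rules posted above (the ten
# passive-FTP lines are generated below rather than typed out).
FIXED_RULES = """\
-A input -s 0/0 -d 0/0 143 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 110 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 53 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 53 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 113 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 113 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 443 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 443 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 2222 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 2222 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 123 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 53 -d 0/0 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 66 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 66 -p udp -j ACCEPT
"""
PASSIVE_RULES = "\n".join(
    f"-A input -s 0/0 -d 0/0 {p} -p tcp -y -j ACCEPT" for p in range(49152, 49162))
IPCHAINS_RULES = (FIXED_RULES + PASSIVE_RULES
                  + "\n-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT"
                  + "\n-A input -s 0/0 -d 0/0 -p udp -j REJECT\n")

# Constructed /etc/proftpd.conf fragment, as posted above.
PROFTPD_CONF = """\
Port 21
##### added to make passive transfer work
# use part of the IANA registered ephemeral port range
PassivePorts 49152 49161
####
"""

# Ports Chris listed as needed for a DirectAdmin box (telnet left out).
DA_REQUIRED = {("tcp", 21), ("tcp", 22), ("tcp", 25), ("tcp", 53), ("udp", 53),
               ("tcp", 80), ("tcp", 110), ("tcp", 143), ("tcp", 443), ("tcp", 2222)}
FLAG_KEYS = {"-p": "proto", "-i": "iface", "-j": "target"}


def parse_rule(line):
    """Pull source port, dest port, protocol, interface and target from one rule."""
    toks = line.split()
    rule = {"sport": None, "dport": None, "proto": None, "iface": None, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("-s", "-d"):            # "-s 0/0 53" / "-d 0/0 143": optional port after addr
            i += 2
            if i < len(toks) and toks[i].isdigit():
                rule["sport" if t == "-s" else "dport"] = int(toks[i])
                i += 1
        elif t in FLAG_KEYS:
            rule[FLAG_KEYS[t]] = toks[i + 1]
            i += 2
        else:                            # "-A input", "-y" (SYN only), etc.
            i += 1
    return rule


def passive_range(conf_text):
    """Return (low, high) from a proftpd PassivePorts line, or None if absent."""
    m = re.search(r"^\s*PassivePorts\s+(\d+)\s+(\d+)", conf_text, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit(rules_text, conf_text):
    """Compare the ACCEPT rules with the DirectAdmin list and the passive range."""
    open_ports, by_source = set(), []
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if r["target"] != "ACCEPT" or r["iface"] is not None:
            continue                     # skip REJECT lines and the loopback rule
        if r["dport"] is not None:
            open_ports.add((r["proto"], r["dport"]))
        elif r["sport"] is not None:     # matches on source port only: any dest port
            by_source.append((r["proto"], r["sport"]))
    lo, hi = passive_range(conf_text) or (0, -1)
    passive = {("tcp", p) for p in range(lo, hi + 1)}
    return {
        "missing": sorted(DA_REQUIRED - open_ports),
        "extra": sorted(open_ports - DA_REQUIRED - passive),
        "passive_gaps": sorted(p for (_, p) in passive - open_ports),
        "source_port_accepts": by_source,
    }


if __name__ == "__main__":
    for key, value in audit(IPCHAINS_RULES, PROFTPD_CONF).items():
        print(f"{key}: {value}")
```

Running it on the posted rules reports no missing DA ports and no passive gaps, but lists 66, 113 and 123 plus the UDP copies of 443 and 2222 as extras, which matches the questions raised in the next few replies; change the PassivePorts line and the passive_gaps list shows any port the firewall does not cover.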
ProWebUK
09-17-2003, 11:37 AM
A few of them most users won't require; one I noticed on yours that is enabled on most firewalls although not required is:
identd - 113
Chris
jlasman
09-17-2003, 12:11 PM
I visited the port 113 issue a few weeks ago and decided to leave it in for now. I don't run identd, though.
I don't see any others that are even questionable. Do you?
Jeff
ProWebUK
09-17-2003, 12:29 PM
I believe it's not necessary to open port 123... apart from that it seems ok for the remainder of all DA users ;)
Chris
jlasman
09-17-2003, 12:56 PM
Port 123 is the network time protocol... you need it if you're going to synchronize for a time-server.
Some of these I've opened for both tcp and for udp, because I simply wasn't sure if both were needed or not.
Jeff
ProWebUK
09-19-2003, 09:13 AM
Fresh Install of Urchin web analytics software V5 added under statistics section.
ProWebUK
09-26-2003, 03:33 AM
just added:
-> Upgrade ProFTPd to fix recent exploit
added this a while back but forgot to put a notice up!
-> Upgrade OpenSSH to fix recent exploit
Chris
ProWebUK
09-26-2003, 04:54 PM
MRTG compile, configure and run now added, the list also tidied up a bit :)
Chris
ProWebUK
10-07-2003, 05:38 AM
added:
-> Provide a MySQL user with an additional database
under:
Add-ons & advice
ProWebUK
11-06-2003, 01:53 PM
added / updated the following:
-> Update PHP (4.3.4) using DA custom apache build system
-> Update apache (1.3.29) Using DA custom apache build system
-> Update Mod_SSL (2.8.16) Using DA custom apache build system
all 3 are updated using the same method (just follow 1 of the links) :D
ProWebUK
11-06-2003, 02:20 PM
new section been added to the list:
Known problems / bugs & fixes
ProWebUK
11-06-2003, 02:27 PM
Added the 'florida sun' skin from mindlash under the skins coming soon section
interfasys
11-13-2003, 02:53 AM
Maybe the link to the APF Howto should be updated, Gpan's rpm is not the latest one and APF's author has setup its own forum:
http://forums.rfxnetworks.com/viewforum.php?f=9
ProWebUK
11-13-2003, 07:22 AM
I will try and get a fresh HOWTO for APF over the next few days, I am currently working on a pre-configured firewall for DirectAdmin.
interfasys
11-13-2003, 04:37 PM
Nice! =)
ProWebUK
11-16-2003, 10:39 AM
Hermes skin added under available skins section
ProWebUK
11-20-2003, 07:55 PM
AWStats for all domains added :)
ProWebUK
11-22-2003, 09:47 AM
RPM based MRTG installation added under monitoring
ProWebUK
11-26-2003, 05:57 PM
Script to convert users to resellers & vice versa // added to add-ons and advice section.
ProWebUK
11-26-2003, 06:27 PM
I would just like to point out while I'm still updating the thread :D
If you have any ideas for new howto guides, want to request a howto, or have written a new howto / released a new tool for DirectAdmin it would be great to see them posted here :)
Also, if you have found a how to guide elsewhere on the internet feel free to post up a link and if appropriate, I will link it up from the main checklist post.
Chris
ProWebUK
11-26-2003, 06:44 PM
All links updated from rackshack.net to ev1servers.net, KISS My Firewall updated to v2.0 which seems to be a huge improvement on the already brilliant V1 :)
Chris
hostpc.com
11-28-2003, 05:54 PM
Ok, I've got an absolutely STUPID question...
Where is the box admin e-mail address setup? New box won't send the creator duplicate welcome e-mails, but the client gets theirs.
Thanks guys.
Joe
ProWebUK
11-28-2003, 06:09 PM
Do you mean root@localhost / root@your.hostname.com?
Chris
hostpc.com
11-28-2003, 06:15 PM
Yes, I believe that's where the creator duplicates are going - haven't checked - is that set in httpd.conf or through the panel?
I changed it in httpd.conf - is there someplace else?
ProWebUK
11-28-2003, 06:17 PM
under add-ons & advice:
-> Read mail sent to root@localhost
Chris
hostpc.com
11-28-2003, 06:23 PM
Still not getting them Chris
/var/log/exim/mainlog shows:
2003-11-28 20:16:50 1APtj8-0008Mh-SC <= admin@www10.hostpc.com U=admin P=local S=1699
2003-11-28 20:16:50 1APtj8-0008Mj-V7 <= admin@www10.hostpc.com U=admin P=local S=1734
2003-11-28 20:16:51 1APtj8-0008Mj-V7 => admin <admin@www10.hostpc.com> R=localuser T=local_delivery
2003-11-28 20:16:51 1APtj8-0008Mj-V7 Completed
where is that e-mail address set?
RobTD
12-01-2003, 05:06 AM
hmm.... don't kill meh for this but... would it be possible to have a freeBSD server checklist as well? :-)
ProWebUK
12-01-2003, 08:10 AM
I'm not 100% with FreeBSD since I have never used it, although I could grab a few guides there would not really be a way I could guarantee they would work. In other words, the BSD checklist may not be a good idea coming from me :p
Chris
jmccoy
12-22-2003, 01:49 AM
A how-to on updating mod_perl to the newest, which I think is 5.8.2, would be nice to see. I have been needing to reinstall perl to fix a problem for a while but I'm not as sure on how to do this.
Thanks
Justin
ProWebUK
12-22-2003, 07:32 AM
use up2date :D
Chris
interfasys
12-22-2003, 09:36 AM
I'm running 5.8.0 and up2date won't help us =)
ProWebUK
12-22-2003, 09:57 AM
I'm looking back now, 5.8.2 is actually not the latest release, 5.9.0 is. RHN is providing 5.6.1 so being unavailable to you could be for a number of reasons.
If you want newer versions and it's not showing up with up2date I suggest you simply download the rpm from http://rpmfind.net/linux/rpm2html/search.php?query=perl compatible with your system and run:
rpm -Uvh perl<version_info>.rpm
Chris
interfasys
12-22-2003, 10:06 AM
I want the latest bug free and secure version. Maybe I'll stay with 5.8.0 ;)
But can't perl also be updated with CPAN? At least it would check if the modules won't break.
jlasman
12-22-2003, 04:07 PM
Here's the skinny on what up2date will give us:
RedHat sticks to a version number throughout the life of a distribution; they do that to make sure compatibility won't become an issue.
They occasionally backport features and always backport security fixes, into the version they support for a given distribution, but they don't upgrade the distribution.
So if RH is providing 5.6.1, then that's what they'll provide throughout the life of your distribution number.
They might or might not backport the features from 5.8.x into it.
If you want to upgrade beyond what RH supports officially for your distribution, you're on your own.
Jeff
interfasys
12-22-2003, 11:59 PM
I'm using this command to check if I don't have unneeded RPMs and if the ones I have are not corrupted:
rpm -Va > rpmcheck.txt
ProWebUK
01-02-2004, 05:23 AM
Just added the following:
-> Optimize MySQL 4
-> Automate Urchin V5
-> MailScanner MRTG guide
-> MailScanner 4.24 for Exim 4.24
-> Full (unofficial) DirectAdmin backup guide / software
Also added a while back and not mentioned:
-> Script to convert users to resellers & vice versa
While I'm posting in the thread again I'd like to point out one more time, if you're looking for a how-to guide of absolutely anything related to DirectAdmin or Linux feel free to make a request here :)
Chris
existenz
01-02-2004, 08:39 AM
Chris,
Drop me a PM, possibly we can work together in putting a FreeBSD guide...
Originally posted by ProWebUK
I'm not 100% with FreeBSD since I have never used it, although I could grab a few guides there would not really be a way I could guarantee they would work. In other words, the BSD checklist may not be a good idea coming from me :p
Chris
ProWebUK
01-02-2004, 08:46 AM
I'm probably not your man when it comes to FBSD, I have no experience with it at all..... the only thing it would be worth me doing would be adding guides you provide :)
If you have any ideas or suggestions how we could work something out like this for FBSD you are free to post here, email me or PM me at any time and I will do my best to help out :)
Chris
uk_joker2003
01-06-2004, 06:43 AM
Just wanted to say a big massive thanks for this. This should really be linked to from the admin-helper site.
ProWebUK
01-10-2004, 03:27 AM
-> Domain Monitoring Tool - (CPU usage monitor for individual domains)
by lordphi has been added :)
Chris
ProWebUK
02-05-2004, 05:20 PM
Just been added:
-> Configure POP3S (Secure POP3) with xinetd
Chris
After installing Kiss it seems DNS lookups are refused.
I just tested it with one of my domains. From my PC I started an NSLookup and put in one of my domains names...it timed out. In my SSH window I stopped kiss. I requeried in NSLookup and the domain returned an address.
I do have port 53 open inbound tcp/udp. Is there something else I should have enabled?
ProWebUK
02-24-2004, 10:30 AM
Try changing:
##############################################################################
# Uncomment to allow DNS zone transfers
#
#$IPTABLES -A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A INPUT -i eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
To:
##############################################################################
# Uncomment to allow DNS zone transfers
#
$IPTABLES -A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
Take a read through: http://forum.ev1servers.net/showthread.php?s=&threadid=36733 for a bit of information on this particular issue (it was discussed there previously) - I will update the script with the area uncommented later tonight or possibly tomorrow.
Chris
That did the trick...thanks!
I've decided to restrict SSH access to one "non-public" IP address and thought it might be good to add to this checklist?
By "non-public" I mean an address that doesn't have any domains pointing to it. In my case this is the server address. I created my reseller accounts using two addresses each so I have a total of five addresses, including the "non-public" one.
My thinking is that someone trying to hack into your system with a specific domain name might not take the time to scan other IPs in your range. I realize this isn't a huge security measure as there are those that will just scan ranges of IPs, but it may prevent an attack from someone who is angry with a website hosted by you.
You'll need to edit the sshd_config file in /etc/ssh. I generally use vi.
vi /etc/ssh/sshd_config
Look for the line that says
#ListenAddress 0.0.0.0
You can get down to that line by hitting the j key until you are at the pound sign. If you go too far, hit the k key to go up.
Once at the #, hit x to delete the pound sign.
Then hit the l key to get over to the first 0. Again if you go too far, hit h to back up.
Now hit R (has to be capital) and type in your "non-public" address. When you're done hit the ESCape key. Then save your work by typing a colon and then wq and hit return (:wq).
Now restart sshd by issuing the command:
service sshd restart
Of course you will have to begin using your "hidden IP" within putty to connect or you can add a DNS entry for your hidden IP though I think that is somewhat less secure.
ProWebUK
02-24-2004, 11:29 AM
Originally posted by RTKS
You can get down to that line by hitting the j key until you are at the pound sign. If you go too far, hit the k key to go up.
Once at the #, hit x to delete the pound sign.
Then hit the l key to get over to the first 0. Again if you go too far, hit h to back up.
Now hit R (has to be capital) and type in your "non-public" address. When you're done hit the ESCape key. Then save your work by typing a colon and then wq and hit return (:wq).
or even easier:
vi /etc/ssh/sshd_config
scroll down to the line ListenAddress using the down arrow on your keyboard
Press "i" to go into insert mode
Edit it as noted in the guide
press esc to exit insert mode
to save and exit type
:x <enter>
(<enter> being a tap on your enter / return key :))
Chris
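The same ListenAddress change done from a script rather than keystroke by keystroke in vi, as an added example that is not part of either post above. It assumes an OpenSSH-style sshd_config; the file path used in the demo and the address 192.0.2.10 (an RFC 5737 documentation address) are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: pin sshd to one address from a script,
# then show which addresses are actually active. Assumes an OpenSSH-style
# sshd_config; the demo file and the address 192.0.2.10 are constructed.

# Rewrite $1 so that exactly one active "ListenAddress $2" line remains.
# The first ListenAddress line (commented or not) is replaced, any later
# active one is commented out, and a line is appended if none existed.
set_listen_address() {
    cfg=$1; addr=$2; tmp="$cfg.tmp.$$"
    awk -v a="$addr" '
        /^[ \t]*#?[ \t]*ListenAddress([ \t]|$)/ {
            if (!done) { print "ListenAddress " a; done = 1; next }
            if ($0 !~ /^[ \t]*#/) { print "#" $0; next }
        }
        { print }
        END { if (!done) print "ListenAddress " a }' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Print the addresses sshd would bind (active ListenAddress lines only).
active_listen_addresses() {
    awk '/^[ \t]*ListenAddress[ \t]/ { print $2 }' "$1"
}

# Demo on a constructed config, never on the live /etc/ssh/sshd_config.
demo_cfg=$(mktemp)
printf '%s\n' 'Port 22' '#ListenAddress 0.0.0.0' '#ListenAddress ::' \
    'PermitRootLogin no' > "$demo_cfg"
set_listen_address "$demo_cfg" 192.0.2.10
active_listen_addresses "$demo_cfg"      # prints 192.0.2.10
rm -f "$demo_cfg"
```

On a real server run `sshd -t` after the change and keep your current session open until a second login on the new address succeeds, so a typo cannot lock you out.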
thuskey
04-23-2004, 10:25 PM
Originally posted by RTKS
I've decided to restrict SSH access to one "non-public" IP address and thought it might be good to add to this checklist?
If you really want to be anal, move the port for the ssh listener daemon to something like 8022 and then throw a portsentry listener on port 22 that would immediately firewall all unauthorized access. This will stop an attacker immediately from proceeding onto other vulnerable ports because portsentry will issue an iptables drop rule against the attempted connector's IP address. Of course you will want to add your home/office IPs to the exclude list because you WILL accidentally try to connect to the original port yourself once in a while out of habit.
flamegrill
09-19-2004, 03:23 PM
Originally posted by thuskey
If you really want to be anal, move the port for the ssh listener daemon to something like 8022 and then throw a portsentry listener on port 22 that would immediately firewall all unauthorized access. This will stop an attacker immediately from proceeding onto other vulnerable ports because portsentry will issue an iptables drop rule against the attempted connector's IP address. Of course you will want to add your home/office IPs to the exclude list because you WILL accidentally try to connect to the original port yourself once in a while out of habit.
So what happens if I spoof my source address a few thousand times using the network admin's ISP or, even worse, your office IP block or something? :)
Just a question; portsentry etc. is not of any use in a proper production environment. That's my opinion now.
Paul
jlasman
09-29-2004, 06:31 PM
Nowhere in the New Server Checklist do I see anything about installing SpamAssassin.
But it's now become more a requirement than an option, due to the recent addition to the skins.
So I urge Chris to add some information about SpamAssassin to the original post.
It appears that we'll all need to follow the steps here (http://help.directadmin.com/item.php?id=36), and some of us perhaps the steps here (http://help.directadmin.com/item.php?id=38) as well.
Jeff
intelliot
12-28-2004, 12:35 AM
Are any more Optimizations possible? Apache perhaps?
Thanks
winger
01-28-2005, 01:26 PM
Hi, where can I find the last full checklist?
jlasman
01-31-2005, 07:16 PM
The last full checklist is at the top of this thread; it's always edited when changed.
Jeff
drmike
03-12-2005, 09:04 AM
May I kindly suggest the addition of CHMODing wget to 700 for added protection.
Thanks,
-drmike
jlasman
03-14-2005, 08:19 PM
If it works for you and your clients, go for it.
Personally, I do the same for the compiler system, and I only allow it for root.
But that's me.
I wouldn't want to limit everyone that way.
Jeff
drmike
03-15-2005, 06:09 AM
Maybe a section for *suggested* security items? I'd be happy to write up a small FAQ with the addition of a section as to why this would be a good idea as well as disadvantages.
-drmike
jlasman
03-15-2005, 10:05 AM
No one's stopping you, drmike :) .
You can post it in the How-To Guides forum.
Security is a very important part of our business and our business philosophy, and I've been doing Unix security since the early 80s, so be prepared for some real scrutiny.
Of course you may teach me a lot, and I look forward to your contributions.
Jeff
rocky
08-30-2005, 12:15 PM
Question: how do you add these codes to the server using SSH? Sorry for the newbie questions, I'm using DA on a CentOS server.
Thanks
Rocky
Originally posted by jlasman
Here's my /etc/sysconfig/ipchains file (if you use iptables you'll have to do the conversion yourself)...
(and if you keep reading afterwards I'll tell you what all those ports from 49152 through 49161 are for)...
-A input -s 0/0 -d 0/0 143 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 110 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 53 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 53 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 113 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 113 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 443 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 443 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 2222 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 2222 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 123 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 53 -d 0/0 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 66 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 66 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 49152 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49153 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49154 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49155 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49156 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49157 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49158 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49159 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49160 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49161 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
-A input -s 0/0 -d 0/0 -p udp -j REJECT
Those ports from 49151 through 49162 are left open for proftpd to be able to do passive ftp...
And here's the code you need to put into /etc/proftpd.conf to tell proftpd to use these open ports (I put it right after the Port line):
##### added to make passive transfer work
# use part of the IANA registered ephemeral port range
PassivePorts 49152 49161
####
Jeff
jlasman
08-30-2005, 12:58 PM
These won't work on a CentOS system, since CentOS uses iptables, and not ipchains.
The good news is that iptables will automatically allow passive ftp if you use the kiss firewall (see that thread, and the recent thread about the changes required for CentOS4 and latest Fedora releases).
Jeff
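For anyone doing the conversion Jeff mentions, here is a small translator for ipchains "input" rules of the shape in his listing into iptables INPUT rules. This is an added example, not Jeff's or the KISS firewall's code; it handles only the option forms that listing uses (-s/-d with an optional port, -p, -i, -y, -j) and passes anything else through as a comment for hand review. The sample rules fed to it at the bottom are constructed from the listing, not read from a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): ipchains "input" rules -> iptables.
# Handles -A, -s/-d (optional trailing port), -p, -i, -y (SYN-only) and -j;
# other options are echoed as comments so nothing is silently dropped.
ipchains_to_iptables() {
    awk '
    $1 != "-A" { if (NF) print "# unhandled: " $0; next }
    {
        chain = ""; src = ""; dst = ""; sport = ""; dport = ""
        proto = ""; iface = ""; syn = 0; target = ""
        for (i = 1; i <= NF; i++) {
            if      ($i == "-A") chain = toupper($(++i))
            else if ($i == "-s") { src = $(++i); if ($(i+1) ~ /^[0-9]+$/) sport = $(++i) }
            else if ($i == "-d") { dst = $(++i); if ($(i+1) ~ /^[0-9]+$/) dport = $(++i) }
            else if ($i == "-p") proto = $(++i)
            else if ($i == "-i") iface = $(++i)
            else if ($i == "-y") syn = 1
            else if ($i == "-j") target = $(++i)
            else { print "# unhandled option " $i ": " $0; next }
        }
        out = "iptables -A " chain
        if (iface != "")                  out = out " -i " iface
        if (src != "" && src != "0/0")    out = out " -s " src   # 0/0 = any, omit
        if (dst != "" && dst != "0/0")    out = out " -d " dst
        if (proto != "")                  out = out " -p " proto
        if (sport != "")                  out = out " --sport " sport
        if (dport != "")                  out = out " --dport " dport
        if (syn)                          out = out " --syn"   # ipchains -y
        print out " -j " target
    }'
}

# Constructed sample: four rule shapes taken from the listing above
ipchains_to_iptables <<'EOF'
-A input -s 0/0 -d 0/0 143 -p tcp -y -j ACCEPT
-A input -s 0/0 53 -d 0/0 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
EOF
```

With the INPUT chain policy left at ACCEPT this reproduces the ipchains behaviour exactly (non-SYN TCP is not filtered, as in the original); on a stateful iptables host you would normally accept `-m state --state ESTABLISHED,RELATED` first and drop everything else instead of relying on SYN-only matching.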
Senad
12-26-2006, 11:30 AM
Any possibility of weeding out the scripts that don't work/out of date and the ones that do?
hostpc.com
12-26-2006, 11:46 AM
Yep, I'm actually working on an install script now to make life easier for everyone.
Should have it ready in a day or so
jlasman
12-26-2006, 01:52 PM
I don't have time to go through the thread; if anyone else wants to create a new thread we can close this and mark it obsolete.
Jeff
intelliot
12-26-2006, 05:30 PM
I'm interested in going through this thread and making a new one. I'm not a moderator, though. How would we get this one closed and the new one stickied? Do we need approval?
jlasman
12-26-2006, 08:45 PM
Thanks for your willingness to contribute to the community. We value your help :) .
You create it. I'll check it carefully. I'll discuss with you any changes that I believe need to be made. We'll leave the file open for comments and not sticky until it's right. Once it's right I can mark it sticky and remove the old one.
However please don't attempt this unless you're sure you can do it justice; it's going to have to be right before I'm willing to mark it as sticky and get rid of the old one.
Thanks again.
Jeff
intelliot
12-26-2006, 11:43 PM
OK, I've created it. Take a look (http://www.directadmin.com/forum/showthread.php?s=&threadid=16481). Thanks.
jlasman
12-27-2006, 02:31 PM
Replied in a PM.
Jeff
drlego
01-30-2007, 08:33 AM
We have been using CentOS without any problems.
Here are the steps we take when setting up a new CentOS server.
We first install CentOS.
1. We wipe the HD and use the OS's default config.
2. We then choose to install server version
3. When prompted with all the packages the only thing we select is Development Tools
4. Click Install
When it reboots make sure to add your ip's, gateways, etc.
Also configure your firewall.
Voila, that's it! Your server is now ready for a fresh Direct Admin Install!
Use the direct admin guide located here:
http://www.directadmin.com/installguide.html
danieljdoughty
07-21-2007, 06:00 PM
-confirm kernel is similar to other systems if you have comparables
-if it's a production system, set yum or apt to notify you of updates, NOT to install
-check cron for unknown jobs. decide if they're pertinent
-add users to the /etc/passwd and /etc/groups so your UID/GIDs are synchronized
-test CPU with F@H
-test IO somehow
-reboot the system about 20 times to see if you can blow a component(confirm kernel changes, routing tables, etc are persistent)
-confirm your disk layout correlates to what you're paying for, including block sizes, fsck upon boot, etc.
-if networked with other systems consider updating hosts file
-schedule an external security scan
-schedule log rotations
-check for SUID/SGID files, no-owner files and world writable files
-check TCP/IP hardening
-if you can check RAID status from software then schedule it to notify you
-ensure root pwd is needed for entering single user mode and that ctrl-alt-del is disabled.
Thanks,
Dan
http://www.danieljdoughty.com
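The SUID/SGID, no-owner and world-writable checks from Dan's list, as an added example (not his code) in the form of functions you can run against a tree by hand or call from cron. It assumes a POSIX find; the throwaway tree built by the demo is constructed for illustration and is not a real system path.

```shell
#!/bin/sh
# Added example, not from Dan's post: the file-permission items from his
# checklist as reusable functions. Assumes POSIX find; the demo tree is
# constructed, the functions are meant to be pointed at / or a mount point.

# SUID or SGID regular files under $1 (stays on one filesystem)
find_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# World-writable files and directories, skipping sticky dirs such as /tmp
find_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 ! -perm -1000 2>/dev/null
}

# Files whose uid or gid has no entry in /etc/passwd or /etc/group
find_unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) 2>/dev/null
}

# Build a throwaway tree and show what each check reports
demo() {
    d=$(mktemp -d)
    touch "$d/plain" "$d/suid_bin" "$d/ww_file"
    chmod 0644 "$d/plain"
    chmod 4755 "$d/suid_bin"                      # setuid: flagged
    chmod 0666 "$d/ww_file"                       # world-writable: flagged
    mkdir "$d/tmpdir" && chmod 1777 "$d/tmpdir"   # sticky dir: not flagged
    echo "== setuid/setgid ==";             find_setuid "$d"
    echo "== world-writable, no sticky =="; find_world_writable "$d"
    echo "== unowned ==";                   find_unowned "$d"
    rm -rf "$d"
}
demo
```

Save the output of each run and diff it against the previous one; a new SUID binary or world-writable file appearing between runs is worth an immediate look.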
smtalk
09-09-2007, 01:25 PM
It's quite an old thread with very old information and many dead links. Does it really need to be sticky? :)
spirit
09-09-2007, 01:44 PM
Maybe it is a good idea to rewrite this topic?
smtalk
09-09-2007, 01:45 PM
You're welcome to do that :) I'm sure Jeff or John will make it sticky if it will be helpful.
spirit
09-09-2007, 01:47 PM
I think my English isn't good enough, it would take many weeks to rewrite it in English; I can do it in Dutch and German :D
jlasman
09-09-2007, 09:24 PM
I'd love to see a new New Server Checklist to replace this one.
I agree it's time to unstick this one.
Jeff