Author Archives: M. Pas

The easiest way to update Named

While our Directadmin server is running without problems, there suddenly appears to be a bug in our Named / Bind software. CentOS released an emergency update to fix this bug.
In this post I’m going to update a server with this patch to fix the bug.

More information about the bug can be found at:
https://kb.isc.org/article/AA-00871

When you are running CentOS 5.x or 6.x it is very easy to update Bind. This will not affect your Directadmin installation in any way.

Check if the bind rpm is installed:

rpm -qv bind

Check if the version is the same:

named -v

If it is (which is the case on most servers), you can safely use yum to update the package. If not, check whether Bind was compiled from source; that is not covered in this tutorial because it is uncommon on Directadmin installations:

yum clean all
yum update bind

If it returns no errors, check the version again:

named -v

That’s all! Pretty easy update, isn’t it? If you have any questions, you can ask them by leaving a comment!

If you want to read more, please subscribe and get our newest articles in your mailbox.

Enable IPv6 on your Directadmin server

Internet Protocol version 6 (IPv6) was designed by the Internet Engineering Task Force (the IETF) to expand the number of IP addresses available. IPv6 addresses are 128-bit addresses, expressed in hexadecimal notation (for example, 2001:DB8:8::260:97ff:fe40:efab). There are 2^128 IPv6 addresses, or roughly 340 trillion, trillion, trillion. This huge number of addresses is expected to accommodate the predicted expansion of the Internet and Internet-related services over the coming years. IPv6 was introduced in 1999 and has been in use since then. This means that the core standards are stable and have been well tested in research and operational contexts.

The later versions of Directadmin have improved their IPv6 support. In this post we’re going to set up IPv6 on a Directadmin server.

Configuration

1. Start by updating your Directadmin server. Log in to your Directadmin server at port 2222 and update the Directadmin version.


Now grab some coffee, eat a donut and give Directadmin a few minutes to update itself.

2. Once Directadmin is updated, we can tell it to use IPv6. To do this, log in with SSH and open the Directadmin configuration.

vi /usr/local/directadmin/conf/directadmin.conf

Check if there is a line for ipv6; add it if it doesn’t exist, and make it look like:

ipv6=1

And restart Directadmin:

/etc/init.d/directadmin restart

3. With this option Directadmin can handle IPv6 IPs so let’s add one to the IP Manager. With IPv6, you have to use the prefix notation (like /64).


Assign the IP to the reseller where your users are, for example admin.

4. You can assign IPs to users just as you do normally. Thanks to the multi-IP system, you can assign an IPv4 and an IPv6 address to a user.

Go to the admin level in Directadmin and click Show all users.

Select the user you want to add an IPv6 address to.

Click on Modify user %username%.

Add the additional IPv6 address.

The end result will look like this.

5. Check if your Exim installation has IPv6 compiled in. Log in with SSH and type:

exim -bV | grep -i ipv6

If you get output, your Exim installation has IPv6 compiled in. If this isn’t the case, you have to recompile Exim from source. Please use the manual if this is the case.

6. For Dovecot, you have to make a small adjustment. Check the version of Dovecot:

dovecot --version

If your dovecot version is 2.0.0+, change your dovecot.conf.

vi /etc/dovecot.conf

Change these lines:

#IPv4
listen = *

#IPv4 and IPv6:
#listen = *, ::

To:

#IPv4
#listen = *

#IPv4 and IPv6:
listen = *, ::

If your dovecot version is 1.2.x, open up your dovecot.conf.

vi /etc/dovecot.conf

And add this line to the top of the file:

listen = "*, [::]"

The last step is to restart dovecot:

service dovecot restart

7. You are done! Your Directadmin installation is ready for IPv6 and you can add some AAAA records in your DNS to use IPv6. If you have any questions, you can ask them by leaving a comment!

If you want to read more, please subscribe and get our newest articles in your mailbox.

Top 10 of best Directadmin plugins

Directadmin is already a very feature-rich control panel. It supports many functions and is delivered with many great tools. But of course not everything can be built in, and that is where plugins are a great addition. There are many plugin developers and they all offer great plugins. In this post we will show you the top 10 of the best Directadmin plugins available at this moment.

1: Installatron

Installatron is a one-click web application installer that enables blogs, photo galleries, forums, shops, and other top web applications to be instantly installed and effortlessly managed.
More information

2: CSF: ConfigServer Security & Firewall

A Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers. The reason they have developed the suite is that they have found over the years of providing server services that many of the tools available for the task are either over-complex, not user friendly, or simply aren’t as effective as they could be.
More information

3: Unixy Varnish

Varnish is a user-mode software proxy that caches requests and handles them in a sophisticated manner. The Unixy plugin is a script + service which compiles Varnish, modifies the virtual host templates, installs a custom-crafted configuration for Varnish and checks for updates automatically.
More information

4: DeeperAdmin

DeeperAdmin allows you to utilize some features that already exist in DirectAdmin but without a user-friendly interface. This plugin gives you the ability to manage your server “deeper”. Some of its functions are already built into Directadmin but it is still a really nice tool to use.
More information

5: DA-PgSQL

DA-PgSQL is a PostgreSQL plugin for DirectAdmin. This plugin provides a feature-rich management interface for PostgreSQL, just like the one for MySQL that comes with DirectAdmin.
More information

6: Rails in DA

Rails in DA (RiD) is a DirectAdmin plugin that allows your users to manage their Ruby on Rails application in a comfortable and secure environment. RiD utilizes the Mongrel Lib and provides two powerful, secure and jailed emulational “shells”.
More information

7: IFrame Redirect

This is a very simple plugin, developed by John from Directadmin. It enables the possibility for users to create an iframe redirect instead of a normal redirect.
More information

8: CloudLinux LVE Manager

LVE Manager is a plugin for most popular control panels including cPanel, Plesk, DirectAdmin and ISPmanager (InterWorx coming soon). It allows you to control and monitor limits, and set limits on a per-package basis.
More information

9: DA for iPhone

DA for iPhone & iPad is designed to work with the DirectAdmin® web control panel. The application works with the API and can take control of many functions on your server. You have an overview of account details and can manage your server using the custom-built application.
More information

10: DA-Tomcat

DA-Tomcat is an Apache Tomcat Manager plugin for DirectAdmin. This powerful plugin allows admins to manage Tomcat virtual hosts. It also allows users to manage their JSP/Servlet applications without the need of Tomcat Manager privilege. Do all of these just within DirectAdmin!
More information

I hope this post has been informative to you. If you have got any suggestions, feel free to leave a comment!

Also, don’t forget to subscribe so you can get our latest posts directly in your mailbox.

How to solve quota problems in Directadmin

At our company we are running about 2000 Directadmin servers and we come across quota problems very often. There are several different causes for these quota problems, and each requires a different solution. In this blog post I want to introduce you to the different types of quota problems which can occur on Directadmin servers. After that, I will show you how you can solve these problems.

One user got a quota problem

If you have one user on your server whose quota looks incorrect, there can be several causes.

First, there can be other files on your system owned by the same user ID. They are added to the usage of that user, which can lead to an “incorrect” quota.

You can find the files with the find command:

# id username
uid=510(username) gid=510(username) groups=510(username)
# find / -uid 510 | more

Once you have found the files that shouldn’t belong to the user, change their owner (for example to root) so that they no longer count towards the user.

After these changes, you can check the quota for the user again:

quota -v username

If this output is correct, you are good to go. Now update the quota within Directadmin:

echo "action=tally&value=username&type=user" >> /usr/local/directadmin/data/task.queue

When this value is still bigger than you expected, you can check everything that Directadmin counts towards the user quota with:

cd /usr/local/directadmin
echo "action=tally&value=username&type=user" >> data/task.queue
./dataskq d800

All (or most of) my users got a quota problem

If most or all of your users have a quota problem, there is probably an issue with your system quota. The solution to this depends on your server itself.

First, check which partitions are used:

df -h

If you have a /home partition, then your quota_partition value will be /home. If you have no /home partition, then your quota partition will likely be /. In some cases, you might have a symbolic link from /home to /usr/home, in which case your quota_partition will be /usr.

Check your directadmin.conf to see if it is correct and matches your quota partitions:

grep -i 'quota_partition' /usr/local/directadmin/conf/directadmin.conf

If this is not the case, change this value in the directadmin.conf.

After this, you can run repquota to check the quota for a specific partition. Run it at the correct quota partition:

/usr/sbin/repquota /home

If the “used” column is not showing anything, or users are not in the list, then you’ll need to run the quotacheck program. The command for that depends on your operating system.

Redhat / CentOS / Fedora / Scientific Linux:

/sbin/quotaoff -a; /sbin/quotacheck -avugm; /sbin/quotaon -a;

FreeBSD:

/usr/sbin/quotaoff -a; /sbin/quotacheck -avug; /usr/sbin/quotaon -a;

Most of the time, this command will run correctly. If it does not and you get an error, the user and/or group quota is probably not enabled on your server. You can check this in the fstab:

cat /etc/fstab

If there is no user quota or group quota enabled on the specific partition, you have to edit your fstab.

vi /etc/fstab

The specific entry you have to add depends on the OS.

Redhat / CentOS / Fedora / Scientific Linux:

usrquota,grpquota

FreeBSD:

userquota,groupquota

The result will be something like:

/dev/sda1             /               ext4 rw,usrquota,grpquota 1       1

Once the repquota command outputs the correct values, you can run a tally on the system to update the quotas within DirectAdmin:

echo "action=tally&value=all" >> /usr/local/directadmin/data/task.queue

How to upgrade your Directadmin server with mod_ruid2

Introduction

In this post I want to introduce you to the Apache module mod_ruid2. Mod_ruid2 is an Apache module for PHP-CLI installations that offers extra security and convenience for customers. In this post we will explain how mod_ruid2 works and how you can install it on your Directadmin server.
When you are using mod_ruid2, the webserver runs under the Apache user, but the files that are executed run as the Directadmin user, whereas in the default PHP-CLI installation everything is executed as the Apache user. Because of this, lower chmod settings are sufficient. Chmod 777 or 666 are never needed with mod_ruid2. Instead, you can use 644 for files and 755 for directories. Permissions can be even lower to make your websites more secure; 600 for files should be possible.

Safety

Mod_ruid2 uses POSIX capabilities to switch the Apache child processes to the user id of the Directadmin user. This method is the reason that mod_ruid2 is so fast compared to other methods such as SuPHP. But this method comes with a security risk. When there is a specific bug within Apache or PHP, it can be possible to exploit this to swap to the root user. This is only a worst-case scenario, but it is important to prevent it at any moment. Another risk is the user loading a module with the swapping functions; this is why the PHP function dl() should always be disabled. Luckily, dl() is disabled by default, but it is recommended that you check it; it can be disabled with the enable_dl setting in the php.ini. Another upgrade to the security is to disable PHP's own posix functions; we will explain this in the installation part of this post. Additionally, you could disable site access through ip/~user, because mod_ruid2 is not in effect there. If users try to install a CMS there, it will fail.

  • In php.ini, make sure enable_dl is set to Off
  • Comment out or remove both AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2 lines in /etc/httpd/conf/extra/httpd-vhosts.conf
  • Disable posix in php by excluding it at compiling

Installation

Disable posix in php by excluding it at compiling.

cd /usr/local/directadmin/custombuild
mkdir -p custom/ap2/
cp configure/ap2/configure.php5 custom/ap2/
vi custom/ap2/configure.php5

and add --disable-posix in there, e.g. at the end:

       --enable-sockets \
       --enable-mbstring \
       --disable-posix

Then recompile php to make the posix change live:

./build php n

Next, install all the dependencies.
Under CentOS, Redhat, Fedora or Scientific Linux you can use:

yum install libcap-devel

And for Debian based systems such as Ubuntu and Debian itself:

apt-get install libcap-dev

Download the latest version of mod_ruid2.

cd /usr/local/src
wget http://downloads.sourceforge.net/project/mod-ruid/mod_ruid2/mod_ruid2-0.9.8.tar.bz2

Unpack it (change the version if needed).

tar xvjf mod_ruid2-0.9.8.tar.bz2
cd mod_ruid2-0.9.8
apxs -a -i -l cap -c mod_ruid2.c

If it installed correctly, it should say it added a line to the httpd.conf. You can easily check if it’s indeed there by the following command.

grep mod_ruid2 /etc/httpd/conf/httpd.conf

It should output something similar to:

LoadModule ruid2_module       /usr/lib/apache/mod_ruid2.so

Then you need to modify two config files. The first one is the main httpd.conf.
With the following command, we insert RUidGid apache access into the config file in a convenient place.

sed -i 's|\(Group apache\)|\1\n\n# Mod_ruid\nRMode config\nRUidGid apache access|g' /etc/httpd/conf/httpd.conf

The second config file is edited to make sure web apps like RoundCube/SquirrelMail/phpMyAdmin are executed as the webapps user.

vi /etc/httpd/conf/extra/httpd-directories.conf

Look for the <Directory "/var/www/html"> block, and insert the following line:

RUidGid webapps webapps

For example it could look like this:

<Directory "/var/www/html">
    Options -Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    <IfModule mod_suphp.c>
        suPHP_Engine On
        suPHP_UserGroup webapps webapps
        SetEnv PHP_INI_SCAN_DIR
    </IfModule>
    RUidGid webapps webapps
</Directory>

Then httpd needs to be restarted so that the changes we just made take effect. A good practice is to first run /etc/init.d/httpd configtest, so you only restart httpd after being sure there are no config errors.

/etc/init.d/httpd configtest
/etc/init.d/httpd restart

Now we can test if it really works with a php script.
Create a file, e.g. ruid.php in a public_html, and insert the following:

<?php
 // Create a directory and a file; both should end up owned by the Directadmin user
 mkdir('modruid2');
 file_put_contents('modruid2/test.txt', 'Hello World');
?>

Run the script by accessing it through the browser and see if the directory modruid2 and the test.txt file are created. The owner of the directory and file should be the Directadmin user. You could also try to install a CMS like WordPress and install some plugins; it should all be possible automatically without having to change the chmod.

Converting an existing environment

If you want to convert an existing environment, and have users with apache owned files, you can run the following lines to reset all permissions correctly.

cd /usr/local/directadmin/scripts && ./set_permissions.sh user_homes
find /home/*/domains/*/public_html -type d -print0 | xargs -0 chmod 755
find /home/*/domains/*/public_html -type f -print0 | xargs -0 chmod 644
find /home/*/domains/*/public_html -type f -name '*.cgi*' -exec chmod 755 {} \;
find /home/*/domains/*/public_html -type f -name '*.pl*' -exec chmod 755 {} \;
find /home/*/domains/*/public_html -type f -name '*.pm*' -exec chmod 755 {} \;
cd /usr/local/directadmin/data/users && for i in `ls`; do { chown -R $i:$i /home/$i/domains/*/public_html;}; done;
chown -R webapps:webapps /var/www/html/squirrelmail/data
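
To see which accounts still carry the 777 or 666 modes that mod_ruid2 makes unnecessary, before or after running the reset above, the following added example (not part of the original post) counts world-writable files and directories per account. It assumes the /home/<user>/domains/<domain>/public_html layout used in the commands above; the function names and the demo tree are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# List files and directories that have the world-writable bit set
# (e.g. 777 or 666) below every HOME_ROOT/<user>/domains/<domain>/public_html.
world_writable_paths() {
    find "${1%/}"/*/domains/*/public_html \
        \( -type f -o -type d \) -perm -0002 -print 2>/dev/null
}

# Print "<user> <count>" for each account that has such entries.
# Paths containing newlines are not handled.
world_writable_by_user() {
    root=${1%/}/
    world_writable_paths "$1" |
    awk -v root="$root" '{
            rest = substr($0, length(root) + 1)   # <user>/domains/...
            split(rest, part, "/")
            count[part[1]]++
        }
        END { for (u in count) printf "%s %d\n", u, count[u] }' | sort
}

# Constructed demo tree standing in for /home (two hypothetical accounts).
demo_home=$(mktemp -d)
alice_web=$demo_home/alice/domains/example.com/public_html
bob_web=$demo_home/bob/domains/example.org/public_html
mkdir -p "$alice_web/uploads" "$bob_web"
touch "$alice_web/index.php" "$alice_web/uploads/a.txt" "$bob_web/index.php"
chmod 755 "$alice_web" "$bob_web"
chmod 644 "$alice_web/index.php" "$bob_web/index.php"
chmod 777 "$alice_web/uploads"          # the kind of mode the post warns about
chmod 666 "$alice_web/uploads/a.txt"

world_writable_by_user "$demo_home"
```

On a server, call world_writable_by_user /home as root.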

The ultimate guide to installing Directadmin

In this tutorial we are going to show you how to install Directadmin onto different operating systems. This tutorial will include:

Directadmin installation on FreeBSD

First, ensure you have the correct OS.
Supported operating systems are:

  • FreeBSD 5.x, 6.x, 7, 7 64-bit, 8 64-bit, 9 64-bit (7.3 and 9 may require an exim recompile)

Ensure you have at least one external IP address. It is not possible to use NAT or LAN based network.
You can see your network with the following command.

ifconfig

Then install some requirements with pkg_add; these tools are required to install Directadmin correctly.

pkg_add -r gmake perl wget bison flex gd cyrus-sasl2

Download the setup file from Directadmin.

wget http://www.directadmin.com/setup.sh

Set execute permissions to the file.

chmod 755 setup.sh

Start the installer.

./setup.sh

That’s it, the installer will ask you some questions about the setup of your system and will install Directadmin for you.
After the install, you will have your FreeBSD server with the Directadmin control panel.


Directadmin installation on Debian / Ubuntu / Linux Mint

First, ensure you have the correct OS.

cat /etc/debian_version

Supported operating systems are:

  • Debian 4.0, 5.0, 6.0. 64-bit: 5.0, 6.0

Ensure you have at least one external IP address. It is not possible to use NAT or LAN based network.
You can see your network with the following command.

ifconfig

Then install some requirements with apt-get; these tools are required to install Directadmin correctly.

apt-get update
apt-get install gcc g++ make flex bison openssl libssl-dev perl perl-base perl-modules libperl-dev libaio1 libaio-dev zlib1g zlib1g-dev libcap-dev bzip2 automake autoconf libtool

Download the setup file from Directadmin.

wget http://www.directadmin.com/setup.sh

Set execute permissions to the file.

chmod 755 setup.sh

Start the installer.

./setup.sh

That’s it, the installer will ask you some questions about the setup of your system and will install Directadmin for you.


Directadmin installation on CentOS / Redhat / Fedora / Scientific Linux

First, ensure you have the correct OS.

cat /etc/issue

Supported operating systems are:

  • Fedora 7, 8 (not supporting future versions)
  • RedHat Enterprise / CentOS 4.x, 5.x, 6.x (64-bit: 4.1 – 4.5, 5.x, 6.x)

Ensure you have at least one external IP address. It is not possible to use NAT or LAN based network.
You can see your network with the following command.

ifconfig

Then install some requirements with yum; these tools are required to install Directadmin correctly.

yum install wget gcc gcc-c++ flex bison make bind bind-libs bind-utils openssl openssl-devel perl quota libaio libcom_err-devel libcurl-devel gd zlib-devel zip unzip libcap-devel cronie bzip2 db4-devel cyrus-sasl-devel perl-ExtUtils-Embed autoconf automake libtool

Download the setup file from Directadmin.

wget http://www.directadmin.com/setup.sh

Set execute permissions to the file.

chmod 755 setup.sh

Start the installer.

./setup.sh

That’s it, the installer will ask you some questions about the setup of your system and will install Directadmin for you.

Improve the security of your Directadmin server: Part five – SFTP, FTPS and securing websites

The security of your Directadmin server is one of the most important, but also one of the hardest things to improve. This is part five of a series of posts where we will take a look at the security of your Directadmin server and try to bring the security to the next level.

Part 1: The firewall
Part 2: Mod_security
Part 3: Tips and Tweaks
Part 4: Secure email
Part 5: SFTP, FTPS and securing websites

Part five: SFTP, FTPS and securing websites

In this last part of our tutorials about securing the Directadmin server we’re going to explain why FTP is not recommended. We’re also going to look at possible ways to prevent website hacking at a non-system-administrator level.

The biggest disadvantage of the FTP protocol is a real security issue: it can only handle usernames and passwords in plain text. That’s why we don’t recommend using FTP at all. Instead, you can instruct your clients to use SFTP or FTPS, depending on your choice.

SFTP
SFTP is the most secure way of using FTP. It is FTP over SSH and therefore really secure. We would recommend the use of SFTP for security reasons, but wouldn’t recommend it in a shared hosting environment at this moment. The reason for this is that it is hard to explain to your clients that they need to use a different FTP client, and you also have to enable SSH access for your Directadmin users to enable SFTP. Therefore we aren’t going into details about SFTP. If you want to configure it, you can use the guide from Directadmin:
http://help.directadmin.com/item.php?id=439

FTPS
FTPS, or FTP over TLS, is a protocol that encrypts the login of your FTP session to prevent your FTP login from being stolen in a man-in-the-middle attack. FTPS is easy to use for your clients; almost every FTP program will allow you to connect over TLS.

To allow only connections with FTP over TLS there is a change you have to make to your ProFTPd configuration. Backup the configuration and change one line with sed:

cp -p /etc/proftpd.conf /etc/proftpd.conf.non-tls.backup
sed -i 's/TLSRequired off/TLSRequired on/g' /etc/proftpd.conf

Now restart ProFTPd to load the changes:

service proftpd restart

Try to connect to your server without TLS and the server will give you an error:

550 SSL/TLS required on the control channel
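
The sed command above only rewrites lines that read exactly "TLSRequired off". The added example below (not part of the original post) audits a configuration file for the TLSEngine and TLSRequired values in effect, so that a substitution that matched nothing is noticed. The function names and the three sample configs are constructed; scoping by <VirtualHost> or <Global> is ignored as a simplification.

```shell
#!/bin/sh
# Added example, not from the original post.
# Simplification (assumption): the last uncommented occurrence of a directive
# is treated as the effective one; <VirtualHost>/<Global> scoping is ignored.

# Print the lower-cased value of the last uncommented DIRECTIVE in FILE.
proftpd_directive() {
    awk -v want="$2" 'tolower($1) == tolower(want) { v = tolower($2) }
                      END { print v }' "$1"
}

# Print a verdict; return 0 only when TLS is mandatory for every session.
audit_proftpd_tls() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    engine=$(proftpd_directive "$conf" TLSEngine)
    required=$(proftpd_directive "$conf" TLSRequired)
    if [ "$engine" != "on" ]; then
        echo "tls-disabled"; return 1
    fi
    case "$required" in
        on) echo "tls-enforced"; return 0 ;;
        "") echo "tls-optional (TLSRequired not set)"; return 1 ;;
        *)  echo "tls-optional (TLSRequired $required)"; return 1 ;;
    esac
}

# The substitution from the post, written to a new file instead of in place.
apply_tls_sed() {
    sed 's/TLSRequired off/TLSRequired on/g' "$1" > "$2"
}

# Constructed sample configs (not taken from a real server).
demo_dir=$(mktemp -d)
printf 'TLSEngine on\nTLSRequired off\n'  > "$demo_dir/plain.conf"
printf 'TLSEngine on\nTLSRequired\toff\n' > "$demo_dir/tab.conf"      # tab separator
printf 'TLSEngine on\n#TLSRequired off\n' > "$demo_dir/missing.conf"  # commented out

for name in plain tab missing; do
    apply_tls_sed "$demo_dir/$name.conf" "$demo_dir/$name.new"
    printf '%-8s before: %-36s after: %s\n' "$name" \
        "$(audit_proftpd_tls "$demo_dir/$name.conf")" \
        "$(audit_proftpd_tls "$demo_dir/$name.new")"
done
```

Only the first sample ends up enforced; the other two pass through sed unchanged and still accept logins without TLS.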

Prevent website hacks
Last but not least, we’re going to give you some tips to prevent websites from being hacked. We already secured the system to prevent most of the common hacks, but there is still room for improvement on another level.

This is one of the hardest parts of the security because you have to motivate your clients to act! You’re not really in control, but you can motivate your clients to take action. It is important that your clients:

  • Choose a strong password and keep it safe
  • Keep the software scripts up to date
  • Keep the PC virus free
  • Use 777 permissions for folders with extreme caution
  • Backup the website

As a server administrator, you can help your clients to do this. Some tips to help your clients are:

  • Create a clear welcome message when you setup their hosting package, including some basic tips and tricks to be secure.
  • Make great tutorials, with pictures or videos, to explain to your clients how to make backups, how to keep their PC virus free, how to use 777 permissions, and more. Make the tutorials easy to follow and place them at a commonly used place in your client portal, website or control panel.
  • Scan your servers to check for outdated installations of a CMS, such as Joomla, WordPress and Drupal. Notify your clients about their outdated installation, the risks of the installation and provide them a small tutorial about updating the installation.
  • Send out an email when there is news about a known vulnerability in a commonly used CMS.

When you take these steps and try to inform your clients they will be more satisfied with your services and your servers will contain less outdated installations which increases the security of your servers.

This was the last part of the five-part series about securing a Directadmin server. We hope you enjoyed reading it and would like to know if you have any questions or comments.

Thank you for reading and don’t forget to subscribe!

Improve the security of your Directadmin server: Part three – Tips and Tweaks

The security of your Directadmin server is one of the most important, but also one of the hardest things to improve. This is part three of a series of posts where we will take a look at the security of your Directadmin server and try to bring the security to the next level.

Part 1: The firewall
Part 2: Mod_security
Part 3: Tips and Tweaks
Part 4: Secure email
Part 5: SFTP, FTPS and securing websites

Part three: Tips and Tweaks

In our previous tutorial we hardened the webserver by adding mod_security to it. Unfortunately, mod_security can’t filter everything and therefore it is necessary to tweak and configure the system. That will prevent a successful hack, even if there is a possible way in through the web application.

To get started, we will secure our PHP installation by disabling dangerous PHP functions such as shell_exec. Directadmin has made this easy to do with Custombuild.
Log in to your Directadmin server as the user root through SSH. Then use custombuild to secure your PHP installation.

cd /usr/local/directadmin/custombuild
./build update
./build secure_php

Now we are going to secure some binaries to prevent unauthorized access. This is highly recommended in a shared hosting environment:

chmod 700 /usr/bin/c++
chmod 700 /usr/bin/g++
chmod 700 /usr/bin/gcc

chgrp apache /usr/bin/lynx; chmod 705 /usr/bin/lynx
chgrp apache /usr/local/bin/curl; chmod 705 /usr/local/bin/curl
chgrp apache /usr/bin/curl; chmod 705 /usr/bin/curl
chgrp apache /usr/bin/wget; chmod 705 /usr/bin/wget
chmod 700 /bin/uname
chmod 700 /usr/bin/python

You can mount /tmp as noexec to prevent scripts from being run from it:

mount -t tmpfs -o noexec,nosuid tmpfs /tmp/
cp /etc/fstab /etc/fstab.backup
echo "tmpfs      /tmp      tmpfs      noexec,nosuid      0     0" >> /etc/fstab
rm -rf /var/tmp
ln -s /tmp /var/tmp
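
The check below is an added example, not part of the original post: it reads a file in the fstab or /proc/mounts layout and reports every entry for a mount point that lacks the required options. The function name and both sample files are constructed for illustration; on a server you would pass /proc/mounts and /etc/fstab.

```shell
#!/bin/sh
# Added example, not from the original post.

# check_mount_opts FILE MOUNTPOINT OPT[,OPT...]
# FILE uses the fstab / /proc/mounts layout: device, mount point, type, options.
# Prints one line per missing option and returns non-zero if any entry for
# MOUNTPOINT lacks an option, or if there is no entry at all.
check_mount_opts() {
    awk -v f="$1" -v mp="$2" -v need="$3" '
        $1 ~ /^#/ || NF < 4 { next }          # skip comments and short lines
        $2 == mp {
            seen++
            n = split(need, want, ",")
            for (i = 1; i <= n; i++)
                if (index("," $4 ",", "," want[i] ",") == 0) {
                    printf "%s:%d: %s lacks %s\n", f, NR, mp, want[i]
                    bad++
                }
        }
        END {
            if (!seen) { printf "%s: no entry for %s\n", f, mp; exit 1 }
            exit (bad > 0)
        }' "$1"
}

# Constructed samples. The fstab keeps an older /tmp line, which is what
# happens when the echo ... >> /etc/fstab step is run on a server that
# already had a /tmp entry.
tmp_demo=$(mktemp -d)
cat > "$tmp_demo/mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,noexec,relatime 0 0
EOF
cat > "$tmp_demo/fstab" <<'EOF'
# constructed fstab
/dev/sda1  /     ext4   defaults       1 1
/dev/sda3  /tmp  ext4   defaults       1 2
tmpfs      /tmp  tmpfs  noexec,nosuid  0 0
EOF

for name in mounts fstab; do
    if check_mount_opts "$tmp_demo/$name" /tmp noexec,nosuid; then
        echo "$name: every /tmp entry carries noexec,nosuid"
    fi
done
```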

Next, you can change the directadmin.conf to add some extra security. Open up /usr/local/directadmin/conf/directadmin.conf and make sure the next values are correct:

enforce_difficult_passwords=1
check_subdomain_owner=1

If you have PHP running in CLI mode, then it’s recommended to enable safemode and open_basedir. You can set these settings easily within the Directadmin interface. Just log in as admin to Directadmin and click the Php Safemode Config option.

Alright, the security of your Directadmin server has really improved by now! In our next, possibly last, part of this guide we will take a look at the possible ways to secure e-mail on your server.

Thank you for reading and don’t forget to subscribe!

Improve the security of your Directadmin server: Part two – Mod_security

The security of your Directadmin server is one of the most important, but also one of the hardest things to improve. This is part two of a series of posts where we will take a look at the security of your Directadmin server and try to bring the security to the next level.

Part 1: The firewall
Part 2: Mod_security
Part 3: Tips and Tweaks
Part 4: Secure email
Part 5: SFTP, FTPS and securing websites

Part two: mod_security

In the last tutorial we restricted the access to our Directadmin server with a decent dynamic firewall. Today we are going to implement mod_security. Mod_security is an Apache module which prevents high-risk web scripts from being executed. It tries to shield web applications from attacks such as SQL injection, cross-site scripting, and many more. The module adds a security layer to the webserver and is very useful in a hosting environment because of all the different web applications used. We are going to install mod_security with the standard ruleset.

Log in to your Directadmin server as the user root through SSH. Then prepare the Apache configuration for mod_security.

sed -i 's/ServerTokens Major/ServerTokens Full/' /etc/httpd/conf/extra/httpd-default.conf
sed -i 's/ServerSignature Off/ServerSignature On/' /etc/httpd/conf/extra/httpd-default.conf
sed -i 's/ServerSignature EMail/ServerSignature On/' /etc/httpd/conf/extra/httpd-default.conf

After that adjustment we can use the following commands to download and install mod_security:

cd /usr/local/src
mkdir modsecurity2
cd !$
wget https://www.modsecurity.org/tarball/2.7.4/modsecurity-apache_2.7.4.tar.gz
tar xzf modsecurity-apache*
cd modsecurity-apache*
./configure
make
make install

Mod_security2 is now installed, but doesn’t have a ruleset to operate from. We will install a good default ruleset in the next steps:

mkdir /etc/modsecurity2
cd !$
wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/master.zip
unzip master
mv owasp-modsecurity-crs-master/* .
rm -rf master.zip owasp-modsecurity-crs-master
mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
ln -s /etc/modsecurity2/modsecurity_crs_10_setup.conf /etc/modsecurity2/activated_rules/modsecurity_crs_10_setup.conf
for f in `ls base_rules/` ; do sudo ln -s /etc/modsecurity2/base_rules/$f activated_rules/$f ; done
for f in `ls optional_rules/ | grep comment_spam` ; do sudo ln -s /etc/modsecurity2/optional_rules/$f activated_rules/$f ; done

You can list all the activated rules in the activated_rules directory:

ls -l /etc/modsecurity2/activated_rules/

Now, open up the /etc/httpd/conf/httpd.conf file and add the following lines under the other LoadModule lines:

LoadFile /usr/local/lib/libxml2.so
LoadModule security2_module /usr/lib/apache/mod_security2.so

Don’t close the file yet; you still have to add the rules to the httpd.conf. Add these lines at the end of the file:

<IfModule security2_module>
        Include /etc/modsecurity2/activated_rules/*.conf
</IfModule>

That was it. It is a little more difficult to install than CSF, but it adds a great security layer to any webserver. In the next tutorial we will dig a little deeper and do some basic server security by editing a few configurations and hardening some processes.

Thank you for reading and don’t forget to subscribe!