The security of your Directadmin server is one of the most important, but also one of the hardest, things to improve. This is part three of a series of posts in which we take a look at the security of your Directadmin server and try to bring it to the next level.
Part three: Tips and Tweaks
In our previous tutorial we hardened the webserver by adding mod_security to it. Unfortunately, mod_security can’t filter everything, so the system itself also needs to be tweaked and configured. That helps prevent a successful hack even if the web application offers a way in.
To get started, we will secure our PHP installation by disabling dangerous PHP functions such as shell_exec. Directadmin has made this easy to do with Custombuild.
Log in to your Directadmin server as the user root through SSH. Then use Custombuild to secure your PHP installation.
    cd /usr/local/directadmin/custombuild
    ./build update
    ./build secure_php
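Now we are going to restrict some binaries to prevent unauthorized access. This is highly recommended in a shared hosting environment. The compilers, uname and python become usable by their owner only (mode 700), while lynx, curl and wget are placed in the apache group with mode 705, which denies processes running in that group and still lets other users run them: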
    chmod 700 /usr/bin/c++
    chmod 700 /usr/bin/g++
    chmod 700 /usr/bin/gcc
    chgrp apache /usr/bin/lynx; chmod 705 /usr/bin/lynx
    chgrp apache /usr/local/bin/curl; chmod 705 /usr/local/bin/curl
    chgrp apache /usr/bin/curl; chmod 705 /usr/bin/curl
    chgrp apache /usr/bin/wget; chmod 705 /usr/bin/wget
    chmod 700 /bin/uname
    chmod 700 /usr/bin/python
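You can mount /tmp with noexec so that files in it cannot be executed directly (a script there can still be passed to an interpreter such as sh, so treat this as one layer and not a complete fix):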
    mount -t tmpfs -o noexec,nosuid tmpfs /tmp/
    cp /etc/fstab /etc/fstab.backup
    echo "tmpfs /tmp tmpfs noexec,nosuid 0 0" >> /etc/fstab
    rm -rf /var/tmp
    ln -s /tmp /var/tmp
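To confirm that the binary permissions and the /tmp mount options above are really in place (a package update can silently reinstall a binary with its default mode), the following audit script can be used. It is an added example, not part of the original post or of Directadmin; it assumes GNU stat and a Linux /proc/mounts, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Directadmin tooling): audit the hardening steps from this post.
# Assumes GNU stat and a Linux /proc/mounts; all function names are hypothetical.

# check_perm PATH MODE GROUP: pass if PATH has exactly MODE and group GROUP
# ("-" skips the group test). -L follows symlinks, as chmod does (gcc often is one).
check_perm() {
    [ -e "$1" ] || { echo "SKIP $1 (not present)"; return 0; }
    actual=$(stat -L -c '%a %G' "$1") || return 1
    mode=${actual%% *}; group=${actual#* }
    if [ "$mode" = "$2" ] && { [ "$3" = "-" ] || [ "$group" = "$3" ]; }; then
        echo "OK   $1 ($actual)"
    else
        echo "FAIL $1: have '$actual', want '$2 $3'"; return 1
    fi
}

# tmp_mount_ok [FILE]: pass if the last (topmost) mount on /tmp has noexec and nosuid.
# Exit status 2 means /tmp is not a separate mount at all.
tmp_mount_ok() {
    awk '$2 == "/tmp" { opts = $4; seen = 1 }
         END {
             if (!seen) exit 2
             n = split(opts, o, ",")
             for (i = 1; i <= n; i++) have[o[i]] = 1
             exit !(("noexec" in have) && ("nosuid" in have))
         }' "${1:-/proc/mounts}"
}

# audit: run every check for the paths and modes used in this post.
audit() {
    rc=0
    for b in /usr/bin/c++ /usr/bin/g++ /usr/bin/gcc /bin/uname /usr/bin/python; do
        check_perm "$b" 700 - || rc=1
    done
    for b in /usr/bin/lynx /usr/local/bin/curl /usr/bin/curl /usr/bin/wget; do
        check_perm "$b" 705 apache || rc=1
    done
    tmp_mount_ok || { echo "FAIL /tmp lacks noexec,nosuid"; rc=1; }
    [ "$(readlink /var/tmp)" = "/tmp" ] || { echo "FAIL /var/tmp is not a symlink to /tmp"; rc=1; }
    return $rc
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then audit; fi
```

Run it as root with the `--run` argument; a non-zero exit status means at least one check failed.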
Next, you can edit directadmin.conf to add some extra security. Open /usr/local/directadmin/conf/directadmin.conf and make sure the following values are correct:
If you have PHP running in CLI mode, it is recommended to enable safemode and open_basedir. You can set these settings easily within the Directadmin interface: log in to Directadmin as admin and click the Php Safemode Config option.
Alright, the security of your Directadmin server has really improved by now! In the next, possibly last, part of this guide we will take a look at ways to secure e-mail on your server.
Thank you for reading and don’t forget to subscribe!