Improve the security of your Directadmin server: Part three – Tips and Tweaks

By | July 17, 2013

The security of your Directadmin server is one of the most important things to get right, but also one of the hardest to improve. This is part three of a series of posts in which we take a look at the security of your Directadmin server and try to bring it to the next level.

Part 1: The firewall
Part 2: Mod_security
Part 3: Tips and Tweaks
Part 4: Secure email
Part 5: SFTP, FTPS and securing websites

Part three: Tips and Tweaks

In our previous tutorial we hardened the web server by adding mod_security to it. Unfortunately, mod_security can’t filter everything, so the system itself also needs to be tweaked and configured. That helps prevent a successful hack, even if the web application offers a possible way in.

To get started, we will secure our PHP installation by disabling dangerous PHP functions such as shell_exec. Directadmin has made this easy to do with Custombuild.
Log in to your Directadmin server as the user root through SSH, then use Custombuild to secure your PHP installation.

cd /usr/local/directadmin/custombuild
./build update
./build secure_php

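Now we are going to restrict some binaries to prevent unauthorized use. Mode 700 leaves a binary usable by its owner (root) only; mode 705 combined with group apache denies it to members of the apache group while other users can still run it. This is highly recommended in a shared hosting environment: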

chmod 700 /usr/bin/c++
chmod 700 /usr/bin/g++
chmod 700 /usr/bin/gcc

chgrp apache /usr/bin/lynx; chmod 705 /usr/bin/lynx
chgrp apache /usr/local/bin/curl; chmod 705 /usr/local/bin/curl
chgrp apache /usr/bin/curl; chmod 705 /usr/bin/curl
chgrp apache /usr/bin/wget; chmod 705 /usr/bin/wget
chmod 700 /bin/uname
chmod 700 /usr/bin/python

You can mount /tmp as noexec to prevent files in it from being executed directly:

mount -t tmpfs -o noexec,nosuid tmpfs /tmp/
cp /etc/fstab /etc/fstab.backup
echo "tmpfs      /tmp      tmpfs      noexec,nosuid      0     0" >> /etc/fstab
rm -rf /var/tmp
ln -s /tmp /var/tmp
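
The following audit is an added example, not part of the original post or of Directadmin: it checks that the binary permissions and the /tmp mount options set in the two steps above are actually in effect, for instance after a reboot or after a package update has reinstalled gcc or curl. The function names are hypothetical, and it assumes Linux with GNU stat and /proc/mounts.

```sh
# Added example: audit the hardening steps from this post.
# Function names are hypothetical; paths and modes are the ones used above.

# mount_has_opts MOUNTS_FILE MOUNTPOINT OPT...
# Succeeds only if the LAST entry for MOUNTPOINT (the one in effect when
# mounts are stacked) carries every listed option.
mount_has_opts() {
    file=$1; mp=$2; shift 2
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$file")
    [ -n "$opts" ] || return 1          # mount point not listed at all
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
}

# mode_is PATH EXPECTED_OCTAL -> 0 match, 1 mismatch, 2 file not present.
# chmod acts on a symlink's target, so stat -L follows symlinks here too.
mode_is() {
    [ -e "$1" ] || return 2
    [ "$(stat -L -c '%a' "$1")" = "$2" ]
}

# audit [MOUNTS_FILE]: prints one line per check, returns 1 if any check fails.
audit() {
    mounts=${1:-/proc/mounts}
    rc=0
    if mount_has_opts "$mounts" /tmp noexec nosuid; then
        echo "OK   /tmp is mounted noexec,nosuid"
    else
        echo "FAIL /tmp is missing noexec and/or nosuid"; rc=1
    fi
    for spec in /usr/bin/c++:700 /usr/bin/g++:700 /usr/bin/gcc:700 \
                /bin/uname:700 /usr/bin/python:700 /usr/bin/lynx:705 \
                /usr/local/bin/curl:705 /usr/bin/curl:705 /usr/bin/wget:705; do
        path=${spec%:*}; want=${spec##*:}
        st=0; mode_is "$path" "$want" || st=$?
        case $st in
            0) echo "OK   $path has mode $want" ;;
            2) echo "SKIP $path is not present" ;;
            *) echo "FAIL $path does not have mode $want"; rc=1 ;;
        esac
    done
    return "$rc"
}
```

Source the file as root and run `audit`; a non-zero exit status means at least one setting has drifted from what this post configures.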

Next, you can change directadmin.conf to add some extra security. Open /usr/local/directadmin/conf/directadmin.conf and make sure the following values are set:

enforce_difficult_passwords=1
check_subdomain_owner=1

If you have PHP running in CLI mode, then it’s recommended to enable safemode and open_basedir. You can change these settings easily within the Directadmin interface: just log in to Directadmin as admin and click the Php Safemode Config option.

Alright, the security of your Directadmin server has really improved by now! In the next, possibly last, part of this guide we will take a look at the possible ways to secure e-mail on your server.

Thank you for reading and don’t forget to subscribe!
