DirectAdmin
DirectAdmin is a web hosting control panel that supports various Linux distributions as well as FreeBSD.
Feature-wise, this product is slightly limited when compared to cPanel. Features that I found lacking include:
- No replacement for EasyApache
- ACME/Let's Encrypt not enabled by default
- Non-intuitive UI. The whole vue.js thing with their new theme is absolutely annoying to use.
However, this is a huge step up from InterWorx. There is no ridiculous encoded-PHP-scripts-as-system-scripts everywhere. It allows for custom apache/PHP setups with the CustomBuild system. While the new modern web interface is a little non-intuitive, it's still functional.
Installation
On a clean install of RHEL 8 (such as Rocky Linux, Alma Linux, etc.), run
# bash <(curl -Ss https://www.directadmin.com/setup.sh || wget -O - https://www.directadmin.com/setup.sh) auto
After the initial setup is finished, you should be able to log in to DirectAdmin on port 2222. The credentials are printed out in the install log messages, but can also be obtained from /usr/local/directadmin/scripts/setup.txt.
The initial setup will also kick off the first CustomBuild in the background, which you can follow by tailing /usr/local/directadmin/custombuild/install.txt. This process can take some time (on a slow VPS, it can take nearly an hour). Don't reboot while this is going on, otherwise you will need to build CustomBuild manually.
Review /usr/local/directadmin/conf/directadmin.conf and ensure that the ethernet_dev value is correct.
Plugins
CustomBuild 2.0
CustomBuild is DirectAdmin's way of managing the software running on the server. There should be a CustomBuild 2.0 section in the admin panel. If you don't see this, make sure that CustomBuild isn't already being installed (it takes some time for it to appear after the initial DA installation). If you still don't see it, you will need to install it manually.
To install CustomBuild manually, follow the commands below (which were taken from: https://forum.directadmin.com/threads/custombuild-2-0-faq-directadmin-1-46-or-later-is-recommended.44743/)
## Pre-installation stuff.
## On low memory systems (~1GB), you might want to enable a swap file because this process will compile a bunch of stuff.
# dd if=/dev/zero of=/swapfile bs=1M count=2048
## Restrict permissions before formatting so the swap file is never world-readable
# chmod 600 /swapfile
# mkswap /swapfile
# swapon /swapfile
## Install CustomBuild
# cd /usr/local/directadmin
# wget -O custombuild.tar.gz http://files.directadmin.com/services/custombuild/2.0/custombuild.tar.gz
# tar -xzf custombuild.tar.gz
# cd custombuild
# ./build all
Managing CustomBuild
The primary configuration file is located at /usr/local/directadmin/custombuild/options.conf and can be edited either from the web interface or directly via SSH.
Softaculous
Installation is super fast.
# wget -N http://files.softaculous.com/install.sh
# chmod 755 install.sh
# ./install.sh
See: https://www.softaculous.com/docs/admin/installing-softaculous-in-directadmin/
AWStats
To enable AWStats instead of Webalizer:
## Download and enable awstats
# cd /usr/local/directadmin/scripts
# ./awstats.sh
## Trigger a tally
# echo 'action=tally&value=all' >> /usr/local/directadmin/data/task.queue
# /usr/local/directadmin/dataskq d800 | tee /usr/local/directadmin/dataskq.out
## Verify that awstats=1 is set
# grep '^awstats=' /usr/local/directadmin/conf/directadmin.conf
Enable SSL using Let's Encrypt
See: https://help.directadmin.com/item.php?id=629
But basically, you just need to run this script:
# cd /usr/local/directadmin/scripts
# ./letsencrypt.sh request_single `hostname` 4096
If you get an invalid email error message like the one below, you will need to correct the email address for the admin account. You can change this by editing /usr/local/directadmin/data/users/admin/user.conf.
## If you get an error:
# ./letsencrypt.sh request_single `hostname` 4096
2022/01/18 19:24:46 [INFO] acme: Registering account for admin@localhost.localdomain
2022/01/18 19:24:46 Could not complete registration
acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:invalidEmail :: Error creating new account :: contact email "admin@localhost.localdomain" has invalid domain : Domain name does not end with a valid public suffix (TLD)
## change email=admin@valid-domain.com for the admin account
# vi /usr/local/directadmin/data/users/admin/user.conf
cPanel Migration
Clone the git repository at https://github.com/danitfk/cPanel-to-DirectAdmin-Migration. Create an import and an export directory. Edit the default.conf and ensure that your IP address, nameservers, Plan/Package, and other account attributes are set to your liking.
Backups can be created using the /scripts/pkgacct <username> script on the cPanel server. Copy cPanel backups to the import directory. Run the conversion script and move the resulting file to the admin's user_backups directory.
# perl da.cpanel.import.pl
## Answer that you acknowledge what the script does
## Then the conversion happens
~fin
# cp export/*gz /home/admin/user_backups/
To restore the converted backup file, navigate into the Reseller view and click "Manage User Backups". Restore the backup file.
Backups
Backups are configured under 'Admin Backup/Transfer' on the admin panel. Backups can only be stored locally at /home/admin/admin_backups or via FTP.
Backup restores can be done by the user if they upload a backup to their ~/backups directory.
Blocking ports by country
If you know that your server only has users in a particular country, you could improve security by blocking ports based on country code. By default, the following ports are left open by a standard DirectAdmin install: 20,21,22,25,53,80,110,143,443,465,587,993,995,2222,35000:35999, which includes FTP, SSH, SMTP, DNS, HTTP, HTTPS, IMAP, POP3, DirectAdmin, and the passive transfer ports. We should really leave only the public services open to the world, to limit the number of brute-force attacks that we will receive.
To do so:
- Go to 'ConfigServer Security & Firewall'
- Click 'Firewall configuration'
- Set:
CC_ALLOW_PORTS_UDP=20,21
TCP_IN=25,53,80,443,465,587
TCP6_IN=25,53,80,443,465,587
(If you do this and your customers use IPv6, you need to make sure your CC lists also include IPv6.)
CC_ALLOW_PORTS=US,CA
CC_ALLOW_PORTS_TCP=20,21,22,110,143,993,995,2222,35000:35999
- Click Change, then restart csf+lfd.
This will block FTP (20, 21, 35000-35999), SSH (22), POP3 (110, 995), IMAP (143, 993), and DirectAdmin (2222) from being accessed from anywhere other than the USA and Canada, while still allowing SMTP (25, 465, 587), DNS (53), and HTTP (80, 443) from anyone.
We are still allowing SMTP, so attackers can still brute-force your SMTP server. If you want to mitigate this, look at the SMTPAUTH_RESTRICT and CC_ALLOW_SMTPAUTH options.
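A country restriction only takes effect for ports that are no longer listed in TCP_IN, since TCP_IN opens a port to every source address. The script below is an added example, not part of the original page or of csf: it audits a csf.conf-style file for ports that appear in both lists. The function names csf_get and csf_overlap and the sample file are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit a csf.conf-style file for
# ports that are meant to be country-restricted but are still world-open.

# csf_get KEY FILE: print the last uncommented value of KEY (quotes, blanks stripped).
csf_get() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t"]/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$2"
}

# csf_overlap FILE: print the entries of CC_ALLOW_PORTS_TCP that TCP_IN already
# opens to everyone. Single ports and lo:hi ranges are both compared.
csf_overlap() {
    awk -v wide="$(csf_get TCP_IN "$1")" -v cc="$(csf_get CC_ALLOW_PORTS_TCP "$1")" '
        BEGIN {
            n = split(wide, o, ","); m = split(cc, r, ",")
            for (i = 1; i <= m; i++) {
                split(r[i], a, ":"); rlo = a[1] + 0; rhi = (a[2] == "" ? rlo : a[2] + 0)
                for (j = 1; j <= n; j++) {
                    split(o[j], b, ":"); olo = b[1] + 0; ohi = (b[2] == "" ? olo : b[2] + 0)
                    if (rlo <= ohi && olo <= rhi) {
                        out = (out == "" ? "" : out ",") r[i]
                        break
                    }
                }
            }
            print out
        }'
}

# Constructed sample: the values from this page, except that 22 was left in TCP_IN.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TCP_IN = "22,25,53,80,443,465,587"
CC_ALLOW_PORTS = "US,CA"
CC_ALLOW_PORTS_TCP = "20,21,22,110,143,993,995,2222,35000:35999"
EOF
echo "country-restricted but still world-open: $(csf_overlap "$sample")"
rm -f "$sample"
```

An empty result means every port in CC_ALLOW_PORTS_TCP is reachable only from the countries in CC_ALLOW_PORTS.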