DirectAdmin

From Leo's Notes
Last edited on 19 January 2022, at 06:37.

DirectAdmin is a web hosting control panel that supports various Linux distributions as well as FreeBSD.

Feature-wise, this product is slightly limited when compared to cPanel. Features that I found lacking include:

  • No replacement for EasyApache
  • ACME/Let's Encrypt not enabled by default
  • Non-intuitive UI. The whole vue.js thing with their new theme is absolutely annoying to use.

However, this is a huge step up from InterWorx. There are no ridiculous encoded-PHP-scripts-as-system-scripts all over the place. It allows for custom Apache/PHP setups with the CustomBuild system. While the new modern web interface is a little non-intuitive, it's still functional.

Installation

On a clean install of RHEL 8 (such as Rocky Linux, Alma Linux, etc.), run

# bash <(curl -Ss https://www.directadmin.com/setup.sh || wget -O - https://www.directadmin.com/setup.sh) auto

After the initial setup is finished, you should be able to log in to DirectAdmin on port 2222. The credentials are printed out in the install log messages, but can also be obtained from /usr/local/directadmin/scripts/setup.txt.

The initial setup will also kick off the first CustomBuild run in the background, which you can follow by tailing /usr/local/directadmin/custombuild/install.txt. This process can take some time (on a slow VPS, nearly an hour). Don't reboot while this is going on; otherwise you will need to run the CustomBuild build manually.

Review /usr/local/directadmin/conf/directadmin.conf and ensure that the ethernet_dev value is correct.

Plugins

CustomBuild 2.0

CustomBuild is DirectAdmin's way of managing the software running on the server. There should be a CustomBuild 2.0 section in the admin panel. If you don't see this, make sure that CustomBuild isn't already being installed (it takes some time for it to appear after the initial DA installation). If you still don't see it, you will need to install it manually.

To install CustomBuild manually, follow the commands below (taken from https://forum.directadmin.com/threads/custombuild-2-0-faq-directadmin-1-46-or-later-is-recommended.44743/).

## Pre-installation stuff.
## On low memory systems (~1GB), you might want to enable a swap file because this process will compile a bunch of stuff.
# dd if=/dev/zero of=/swapfile bs=1M count=2048
# mkswap /swapfile
# chmod 600 /swapfile
# swapon /swapfile

## Install CustomBuild
# cd /usr/local/directadmin
# wget -O custombuild.tar.gz http://files.directadmin.com/services/custombuild/2.0/custombuild.tar.gz
# tar -xzf custombuild.tar.gz
# cd custombuild
# ./build all

Managing CustomBuild

The primary configuration file is located at /usr/local/directadmin/custombuild/options.conf and can be edited either from the web interface or directly via SSH.
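Both the ethernet_dev check in the installation notes above and editing options.conf over SSH come down to reading and writing DirectAdmin's plain key=value files. The POSIX shell helpers below are an added example, not DirectAdmin's or CustomBuild's own tooling (CustomBuild's own way to change options.conf is `./build set key value`): conf_get and conf_set read or replace a key, and check_ethernet_dev verifies that the interface named in directadmin.conf actually exists on the host (taken from /sys/class/net, or from a list you pass in). The sample file at the end is constructed for the demo.

```sh
#!/bin/sh
# Added example, not DirectAdmin's own tooling: helpers for the key=value files
# DirectAdmin uses (directadmin.conf, custombuild/options.conf, user.conf).

# conf_get FILE KEY -> prints the value of KEY; exit 1 if KEY is not present
conf_get() {
    awk -F= -v k="$2" '
        $1 == k { v = substr($0, length(k) + 2); found = 1 }   # value may itself contain "="
        END { if (found) print v; else exit 1 }' "$1"
}

# conf_set FILE KEY VALUE -> replaces the KEY line in place, or appends it
conf_set() {
    if grep -q "^$2=" "$1"; then
        awk -F= -v k="$2" -v v="$3" '$1 == k { print k "=" v; next } { print }' "$1" > "$1.tmp" \
            && mv "$1.tmp" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# check_ethernet_dev CONF [IFACE...] -> exit 0 if ethernet_dev names one of the
# listed interfaces; with no IFACE arguments the host's own interfaces are used
check_ethernet_dev() {
    _conf=$1; shift
    _dev=$(conf_get "$_conf" ethernet_dev) || { echo "ethernet_dev is not set in $_conf" >&2; return 1; }
    [ $# -gt 0 ] || set -- $(ls /sys/class/net)
    for _iface in "$@"; do
        [ "$_iface" = "$_dev" ] && return 0
    done
    echo "ethernet_dev=$_dev, but this host only has: $*" >&2
    return 1
}

# Demo on a constructed sample file. Against the live config you would run:
#   check_ethernet_dev /usr/local/directadmin/conf/directadmin.conf
_demo=${TMPDIR:-/tmp}/directadmin.conf.demo.$$
printf 'ethernet_dev=eth0\nawstats=1\n' > "$_demo"
check_ethernet_dev "$_demo" lo eth0 && echo "ethernet_dev check passed"
conf_set "$_demo" ethernet_dev ens192
echo "ethernet_dev is now $(conf_get "$_demo" ethernet_dev)"
rm -f "$_demo"
```

conf_set writes through a temporary file rather than `sed -i`, so it behaves the same on Linux and FreeBSD, both of which DirectAdmin supports.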

Softaculous

Installation is super fast.

# wget -N http://files.softaculous.com/install.sh
# chmod 755 install.sh
# ./install.sh

See: https://www.softaculous.com/docs/admin/installing-softaculous-in-directadmin/

AWStats

To enable AWStats instead of Webalizer:

## Download and enable awstats
# cd /usr/local/directadmin/scripts
# ./awstats.sh

## Trigger a tally
# echo 'action=tally&value=all' >> /usr/local/directadmin/data/task.queue
# /usr/local/directadmin/dataskq d800 | tee /usr/local/directadmin/dataskq.out

## Verify that awstats=1 is set
# grep '^awstats=' /usr/local/directadmin/conf/directadmin.conf

Enable SSL using Let's Encrypt

See: https://help.directadmin.com/item.php?id=629

But basically, you just need to run this script:

# cd /usr/local/directadmin/scripts
# ./letsencrypt.sh request_single `hostname` 4096

If you get an invalid email error message like the one below, you will need to correct the email address for the admin account. You can change this by editing /usr/local/directadmin/data/users/admin/user.conf.

## If you get an error:
# ./letsencrypt.sh request_single `hostname` 4096
2022/01/18 19:24:46 [INFO] acme: Registering account for admin@localhost.localdomain
2022/01/18 19:24:46 Could not complete registration
        acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:invalidEmail :: Error creating new account :: contact email "admin@localhost.localdomain" has invalid domain : Domain name does not end with a valid public suffix (TLD)

## change email=admin@valid-domain.com for the admin account
# vi /usr/local/directadmin/data/users/admin/user.conf
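To catch the invalidEmail rejection before letsencrypt.sh is run, the script below (an added example, not one of DirectAdmin's scripts) reads email= from a user.conf and applies a local approximation of Let's Encrypt's public-suffix check: the domain must be dotted, must not be a local-only name such as localhost.localdomain or something.local, and its TLD must be at least two letters. It is a heuristic that rejects the obvious defaults, not the real public suffix list, so an address it accepts can still be refused by the CA. The user.conf it runs on is constructed for the demo.

```sh
#!/bin/sh
# Added example, not one of DirectAdmin's scripts: pre-flight check for the ACME
# contact address before running letsencrypt.sh. The domain test is a local
# heuristic, not Let's Encrypt's public suffix list.

# contact_email_ok EMAIL -> exit 0 if EMAIL has a plausible public domain
contact_email_ok() {
    case $1 in
        *@*.*) ;;              # needs a local part and a dotted domain
        *) return 1 ;;         # "admin@localhost" fails here
    esac
    _domain=${1##*@}
    _tld=${_domain##*.}
    case $_domain in           # names that only resolve locally
        *.localdomain|*.localhost|*.local|*.internal|*.lan) return 1 ;;
    esac
    case $_tld in              # TLD must be letters only and at least two of them
        ?|*[!A-Za-z]*) return 1 ;;
    esac
    return 0
}

# check_user_conf FILE -> reads email= from a DirectAdmin user.conf and validates it
check_user_conf() {
    _email=$(awk -F= '$1 == "email" { print substr($0, 7) }' "$1")
    if [ -z "$_email" ]; then
        echo "no email= line in $1" >&2
        return 1
    fi
    if contact_email_ok "$_email"; then
        echo "email=$_email looks acceptable for ACME registration"
        return 0
    fi
    echo "email=$_email will be rejected by Let's Encrypt (no public TLD); edit $1" >&2
    return 1
}

# Demo on a constructed user.conf. The live file is
# /usr/local/directadmin/data/users/admin/user.conf
_demo=${TMPDIR:-/tmp}/user.conf.demo.$$
printf 'username=admin\nemail=admin@localhost.localdomain\n' > "$_demo"
check_user_conf "$_demo" || echo "-> fix email= before running ./letsencrypt.sh request_single"
rm -f "$_demo"
```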

cPanel Migration

Clone the git repository at https://github.com/danitfk/cPanel-to-DirectAdmin-Migration. Create import and export directories. Edit default.conf and ensure that your IP address, nameservers, Plan/Package, and other account attributes are set to your liking.

Backups can be created using the /scripts/pkgacct <username> script on the cPanel server. Copy cPanel backups to the import directory. Run the conversion script and move the resulting file to the admin's user_backups directory.

# perl da.cpanel.import.pl
## Answer that you acknowledge what the script does
## Then the conversion happens
~fin

# cp export/*gz /home/admin/user_backups/

To restore the converted backup file, navigate into the Reseller view and click "Manage User Backups". Restore the backup file.

Backups

Backups are configured under 'Admin Backup/Transfer' on the admin panel. Backups can only be stored locally at /home/admin/admin_backups or via FTP.

Backup restores can be done by the user if they upload a backup to their ~/backups directory.

Blocking ports by country

If you know that your server only has users in a particular country, you can improve security by blocking ports based on country code. By default, a standard DirectAdmin install leaves the following ports open: 20,21,22,25,53,80,110,143,443,465,587,993,995,2222,35000:35999, which covers FTP, SSH, SMTP (including submission), DNS, HTTP, HTTPS, IMAP, POP3, DirectAdmin, and the passive FTP transfer ports. Only the genuinely public services should be left open to the world, which limits the amount of brute-force attempts the server receives.

To do so:

  1. Go to 'ConfigServer Security & Firewall'
  2. Click 'Firewall configuration'
  3. Set:
    1. CC_ALLOW_PORTS_UDP=20,21
    2. TCP_IN=25,53,80,443,465,587
    3. TCP6_IN=25,53,80,443,465,587 (if you do this and your customers use IPv6, make sure your CC lists also cover IPv6)
    4. CC_ALLOW_PORTS=US,CA
    5. CC_ALLOW_PORTS_TCP=20,21,22,110,143,993,995,2222,35000:35999
  4. Click Change, then restart csf+lfd.

This restricts FTP (20, 21, 35000-35999), SSH (22), POP3 (110, 995), IMAP (143, 993) and DirectAdmin (2222) to the USA and Canada, while SMTP (25, 465, 587), DNS (53) and HTTP/HTTPS (80, 443) remain reachable from anywhere.

SMTP is still open to the world, so attackers can still brute-force SMTP authentication. To mitigate this, look at the SMTPAUTH_RESTRICT and CC_ALLOW_SMTPAUTH options.
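In csf, a port listed in TCP_IN is open to every address whether or not it also appears in CC_ALLOW_PORTS_TCP, so the country restriction only takes effect for ports that have been removed from TCP_IN. The script below is an added example (not part of csf or DirectAdmin) that reads those settings from a csf.conf and reports any port, including ports inside a range such as 35000:35999, that is listed in both; the csf.conf it runs on is constructed from the values in the steps above.

```sh
#!/bin/sh
# Added example, not part of csf or DirectAdmin: verify that the ports meant to
# be country-restricted (CC_ALLOW_PORTS_TCP) are not also in TCP_IN, where they
# would stay open to the whole world.

# csf_value FILE KEY -> prints the value of a `KEY = "value"` line, unquoted
csf_value() {
    awk -v k="$2" '
        $0 ~ ("^" k "[ \t]*=") {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)   # drop "KEY = "
            gsub(/"/, "", v)              # drop the quotes csf.conf puts around values
            sub(/[ \t]+$/, "", v)
            print v
            exit
        }' "$1"
}

# port_in_list PORT LIST -> exit 0 if PORT is covered by LIST ("25,80,35000:35999")
port_in_list() {
    _pil_port=$1
    _pil_ifs=$IFS; IFS=,
    set -- $2
    IFS=$_pil_ifs
    for _pil_e in "$@"; do
        case $_pil_e in
            *:*) [ "$_pil_port" -ge "${_pil_e%%:*}" ] && [ "$_pil_port" -le "${_pil_e##*:}" ] && return 0 ;;
            *)   [ "$_pil_port" -eq "$_pil_e" ] && return 0 ;;
        esac
    done
    return 1
}

# ports_in_both LIST_A LIST_B -> prints every port of LIST_A (ranges expanded)
# that LIST_B also covers, one per line
ports_in_both() {
    _pib_other=$2
    _pib_ifs=$IFS; IFS=,
    set -- $1
    IFS=$_pib_ifs
    for _pib_e in "$@"; do
        case $_pib_e in
            *:*) _pib_lo=${_pib_e%%:*}; _pib_hi=${_pib_e##*:} ;;
            *)   _pib_lo=$_pib_e; _pib_hi=$_pib_e ;;
        esac
        _pib_p=$_pib_lo
        while [ "$_pib_p" -le "$_pib_hi" ]; do
            port_in_list "$_pib_p" "$_pib_other" && printf '%s\n' "$_pib_p"
            _pib_p=$((_pib_p + 1))
        done
    done
}

# check_csf FILE -> exit 1 if no country list is set or TCP_IN overlaps CC_ALLOW_PORTS_TCP
check_csf() {
    _tcp_in=$(csf_value "$1" TCP_IN)
    _cc_tcp=$(csf_value "$1" CC_ALLOW_PORTS_TCP)
    _cc=$(csf_value "$1" CC_ALLOW_PORTS)
    [ -n "$_cc" ] || { echo "CC_ALLOW_PORTS is empty: no country restriction is active" >&2; return 1; }
    _leaks=$(ports_in_both "$_cc_tcp" "$_tcp_in")
    if [ -n "$_leaks" ]; then
        echo "ports in CC_ALLOW_PORTS_TCP that are also in TCP_IN (still open to every country):" >&2
        echo "$_leaks" | tr '\n' ' ' >&2; echo >&2
        return 1
    fi
    echo "OK: CC_ALLOW_PORTS_TCP ($_cc_tcp) is disjoint from TCP_IN ($_tcp_in); restricted to $_cc"
}

# Demo on a constructed csf.conf holding the values from the steps above.
# Against the live firewall config: check_csf /etc/csf/csf.conf
_demo=${TMPDIR:-/tmp}/csf.conf.demo.$$
cat > "$_demo" <<'EOF'
TCP_IN = "25,53,80,443,465,587"
TCP6_IN = "25,53,80,443,465,587"
CC_ALLOW_PORTS = "US,CA"
CC_ALLOW_PORTS_TCP = "20,21,22,110,143,993,995,2222,35000:35999"
CC_ALLOW_PORTS_UDP = "20,21"
EOF
check_csf "$_demo"
rm -f "$_demo"
```

The same comparison applies to UDP_IN against CC_ALLOW_PORTS_UDP and to TCP6_IN if IPv6 is in use; ports_in_both takes any two csf port lists, so those checks are one extra call each.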