- Start BIND server
service named start
- Stop BIND server
service named stop
- Restart BIND server
service named restart
- Reload BIND server to reload zone file or config file changes
service named reload
- Current status of BIND server
service named status
ConfigServer Security & Firewall, CSF basic commands, advanced configurations and settings
Basic CSF commands
- Enable CSF
csf -e
- Disable CSF
csf -x
- Start CSF
csf -s
- Flush/Stop CSF
csf -f
- Reload CSF
csf -r
- Allow an IP and add it to csf.allow – /etc/csf/csf.allow
csf -a 162.162.1.219
- Remove and delete an IP from csf.allow – /etc/csf/csf.allow
csf -ar 162.162.1.209
- Place an IP on temporary deny list in /var/lib/csf/csf.tempban
csf -td 162.162.1.209
- Remove an IP from the temporary IP ban or allow list
csf -tr 162.162.1.209
- Flush all IPs from the temporary IP entries
csf -tf
- Deny an IP and add to csf.deny
csf -d 162.162.1.209
- Remove and Unblock an IP from csf.deny
csf -dr 162.162.1.209
- Remove and Unblock all entries from csf.deny
csf -df
- Search for a pattern match on iptables e.g : IP, CIDR, Port Number
csf -g 152.167.1.118
Advanced Configuration to csf.conf at /etc/csf/csf.conf
- Add root and admin notification email addresses at /etc/aliases.
root: root@domain.com
admin: admin@domain.com
- Add email address to get all notifications – /etc/csf
(csf > firewall configuration > Reporting Settings > LF_ALERT_TO = alert@domain.com)
LF_ALERT_TO = "alert@domain.com"
- To stop or disable “excessive resource usage”, change PT_USERTIME = 0
PT_USERTIME = "0"
Under Process Tracking at /etc/csf
- Don’t Block IP addresses that are in the csf.allow files
IGNORE_ALLOW = "1"
- Allow Incoming and Outgoing ICMP
ICMP_IN = "1"
ICMP_OUT = "1"
- Block Certain Countries
CC_DENY = "CA,CN,US"
CC_ALLOW = "IN,ME,DE"
- Send the Su and SSH Login log by Email
LF_SSH_EMAIL_ALERT = "1"
LF_SU_EMAIL_ALERT = "1"
- Get alert or notification
LF_ALERT_TO = "email@domain.tld"
Warning in CSF
- SYSLOG_CHECK option check
(This option helps prevent brute force attacks on your server services)
- Open /etc/csf/csf.conf
- Search for “SYSLOG_CHECK”
- Put value between 300 and 3600 seconds
SYSLOG_CHECK = "600"
- Restart CSF firewall
csf -r
- Check for DNS recursion restrictions
(You have a local DNS server running but do not appear to have any recursion restrictions set. This is a security and performance risk and you should look at restricting recursive lookups to the local IP addresses only)
- Add following options to /etc/named.conf
options {
    allow-recursion { localhost; };
};
- Restart named
service named restart
- Check for cxs
(You should consider using cxs to scan web script uploads and user accounts for exploits uploaded to the server)
ConfigServer eXploit Scanner (cxs) - from $60/server
https://configserver.com/cp/cxs.html
- Check for osm
(You should consider using osm to provide protection from spammers exploiting the server)
Outgoing Spam Monitor (osm) - $40/server
https://www.configserver.com/cp/osm.html
- Check for swap file
(The server appears to have no swap file. This is usually considered a stability and performance risk. You should either add a swap partition, or create one via a normal file on an existing partition)
SSH/Telnet Check
- Check SSH PasswordAuthentication
(You should disable PasswordAuthentication and only allow access using PubkeyAuthentication to improve brute-force SSH security)
- Check SSH UseDNS
(You should disable UseDNS by editing /etc/ssh/sshd_config. Otherwise, lfd will be unable to track SSHD login failures successfully as the log files will not report IP addresses)
UseDNS no
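Three of the settings flagged above (SYSLOG_CHECK, PasswordAuthentication, UseDNS) can be re-checked from a script. This is an added example, not CSF's own server check: the function names are made up here, the sample files are constructed, and an sshd keyword that is absent is treated as a warning rather than assumed to have a safe default.

```shell
#!/bin/sh
# Added example (not CSF's own check): re-tests three warnings from this page.
# csf_value, sshd_value and audit are hypothetical helper names.

# csf.conf syntax: KEY = "value". Prints the value, or nothing if KEY is absent.
csf_value() {   # usage: csf_value KEY FILE
  awk -v k="$1" '$1 == k && $2 == "=" { gsub(/"/, "", $3); print $3; exit }' "$2"
}

# sshd_config syntax: Keyword value. Keywords are case-insensitive and the first
# occurrence wins. Prints "unset" if absent. Match blocks and Include are ignored.
sshd_value() {  # usage: sshd_value KEYWORD FILE
  awk -v k="$1" 'tolower($1) == tolower(k) { print tolower($2); f = 1; exit }
                 END { if (!f) print "unset" }' "$2"
}

# Prints one OK/WARN line per check; exit status 1 if any check warns.
# The body is a subshell, so its variables do not leak into the caller.
audit() (       # usage: audit CSF_CONF SSHD_CONFIG
  rc=0
  v=$(csf_value SYSLOG_CHECK "$1")
  case $v in
    ''|*[!0-9]*) in_range=no ;;
    *) if [ "$v" -ge 300 ] && [ "$v" -le 3600 ]; then in_range=yes; else in_range=no; fi ;;
  esac
  if [ "$in_range" = yes ]; then echo "OK   SYSLOG_CHECK=$v"
  else echo "WARN SYSLOG_CHECK=${v:-unset} (want 300-3600)"; rc=1; fi
  for k in PasswordAuthentication UseDNS; do
    v=$(sshd_value "$k" "$2")
    if [ "$v" = no ]; then echo "OK   $k=$v"
    else echo "WARN $k=$v (want an explicit 'no')"; rc=1; fi
  done
  exit "$rc"
)

# Constructed sample files, so the demo runs without touching /etc.
demo() (
  d=$(mktemp -d)
  printf '%s\n' '# lfd settings' 'SYSLOG_CHECK = "0"' > "$d/csf.conf"
  printf '%s\n' 'Port 231' '#UseDNS yes' 'PasswordAuthentication yes' > "$d/sshd_config"
  audit "$d/csf.conf" "$d/sshd_config"; rc=$?
  rm -rf "$d"; exit "$rc"
)
demo || true
```

On a live server, run `audit /etc/csf/csf.conf /etc/ssh/sshd_config`. `sshd -T` prints the effective sshd settings, including defaults and included files, which this simple parser does not resolve.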
How to install VNC in CentOS 8 ?
Step by Step Guide to Install VNC Server on Centos 8
Step 1) Install GNOME Desktop environment
dnf groupinstall "workstation"
Centos 8 with DirectAdmin installation checklist
- Purchase VPS, VDS or Dedicated server
- Purchase DirectAdmin License. You must have a valid server IP.
- Log in to the server as root
- Begin Installation : DirectAdmin
wget https://www.directadmin.com/setup.sh
- Change setup.sh permission:
chmod 755 setup.sh
- Run the script :
./setup.sh auto
You may run manual installation script as follows:
./setup.sh
- You will be asked “Would you like to install these required pre-install packages?” Write “Y”
- Then put Client ID, License ID and Hostname.
- Put ethernet devices
- Select your desired apache/php setup. Option 1 is recommended. But CentOS 8 does not support ruid2! So you have to select option 4
- DirectAdmin server is ready now! Collect login info from installation terminal. Login DirectAdmin using your IP.
For example, 122.124.25.211:2222
- If you face problem connecting server, check ethernet device name at /usr/local/directadmin/conf/directadmin.conf and edit if needed. (To see ethernet device name, type /sbin/ifconfig)
ethernet_dev=eth1
This may be eth0, venet0:0, eth0:1, eth1 etc.
- Install default domain from user panel > Account Manager > Domain Setup (Optional)
- Special Note
- Setup SSL Certificates : LetsEncrypt (may be already installed during installation process)
- Enable LetsEncrypt in /usr/local/directadmin/conf/directadmin.conf
letsencrypt=1
- Restart DirectAdmin Service with command:
service directadmin restart
- Add the /.well-known Alias:
cd /usr/local/directadmin/custombuild
./build rewrite_confs
- Install the most recent version of the script:
cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt
./build rewrite_confs
- Install SSL certificate for server hostname. For example, server.hostname.com
- LetsEncrypt free certificate
cd /usr/local/directadmin/scripts
./letsencrypt.sh request_single server.hostname.com 4096
- Check whether SSL is enabled at /usr/local/directadmin/conf/directadmin.conf. Make it
ssl=1
- Now server.hostname.com is secured with https.
- Other Security measures:
- Install CSF (Config Server Firewall) with BFM (Brute Force Monitor) [Follow this]
- Change DirectAdmin port from 2222 to your choice. [Follow this]
- Change SSH port
- Open sshd_config file at /etc/ssh/sshd_config
- Change Port 22 to your desired port. For example, Port 231
- Restart SSHD service
systemctl restart sshd.service
- Disable direct access to root user. [Follow this]
- Change web apps alias (optional)
- Create custombuild “custom” directory
cd /usr/local/directadmin/custombuild
mkdir -p custom/ap2
cp -Rp configure/ap2/conf custom/ap2
- Then go to the file at /usr/local/directadmin/custombuild/custom/ap2/conf or /usr/local/directadmin/custombuild/custom/ap2/conf/extra
- To edit httpd alias we have to edit alias at /usr/local/directadmin/custombuild/custom/ap2/conf/extra/httpd-alias.conf
- Change alias to your choice. Original httpd-alias.conf is as below
Alias /.well-known/acme-challenge /var/www/html/.well-known/acme-challenge
Alias /config /var/www/html/redirect.php
Alias /roundcube /var/www/html/roundcube
Alias /webmail /var/www/html/roundcube
Alias /phpMyAdmin /var/www/html/phpMyAdmin
Alias /phpmyadmin /var/www/html/phpMyAdmin
Alias /pma /var/www/html/phpMyAdmin
You can change the bold word(s) and also delete any line you don’t need.
- Restart Apache
sudo systemctl restart httpd.service
- Rewrite config
cd /usr/local/directadmin/custombuild
./build update
./build rewrite_confs
- Other settings and configurations
- Increase file upload size from 10 mb to your desired size at Server Manager > Administrator Setting > Server Settings (tab) > Max Request / Upload Size
- DirectAdmin allows 4 active php (Can also be done with CustomBuild Build Software)
cd /usr/local/directadmin/custombuild
./build update
./build set php1_release 7.1
./build set php2_release 5.6
./build set php3_release 7.0
./build set php4_release 7.3
./build set php1_mode php-fpm
./build set php2_mode php-fpm
./build set php3_mode php-fpm
./build set php4_mode php-fpm
./build php n
./build rewrite_confs
User can select PHP version on their “Domain Setup”.
- Install ClamAV from DirectAdmin Build Software. Edit Options and Build.
- If ClamAV is not functioning or is down, apply this quick fix
perl -pi -e 's|nofork|foreground|g' /etc/systemd/system/clamd.service
systemctl daemon-reload
systemctl restart clamd.service
- Install SpamAssassin
yum install spamassassin
chkconfig spamassassin on
service spamassassin start
- Login to DirectAdmin and enable it from user panel.
- Create One-Click login to RoundCube and phpMyAdmin [Follow this]
- Enable firewall SELinux
- Need Partition? [Follow this]
- View Directory Tree Structure In Linux [Follow this]
- Use host name instead of IP address
- This can be easily done by creating a default domain.
- This domain will be used for sending email too.
Files edited: directadmin.conf, csf.conf, sshd_config
Important command line
DirectAdmin Status
systemctl status directadmin.service
DirectAdmin Restart
systemctl restart directadmin.service
or
service directadmin restart
Restart CSF firewall
csf -r
Restart httpd
sudo systemctl restart httpd.service
Restart SSHD
systemctl restart sshd.service
How to move domain between DirectAdmin user accounts ?
Moving domain between user accounts can be done with following command,
cd /usr/local/directadmin/scripts
./move_domain.sh domain olduser newuser
Here,
domain = the domain name you want to move
olduser = current user
newuser = new user of the domain