Securing Directadmin Server

ssh

If possible, don’t allow user login ssh to the server. Also disable root user login and use sudo to gain root access.

[root@directadmin]# nano -w /etc/ssh/sshd_config

Change:

PermitRootLogin no

Restart ssh server!

[root@directadmin]# /etc/init.d/sshd restart

Note: Make sure you installed sudo and sudoers to your user!

Filesystem

You can prevent and hide access certain folders and files.

cd /
chmod 751 .
chmod 751 /etc
chmod 751 /home
chmod 751 /boot
chmod 751 /usr/local
chmod 751 /usr/local/bin
chmod 751 /usr/local/directadmin

chmod 751 /bin
chmod 751 /usr/bin

chmod 750 /usr/bin/users
chmod 750 /usr/bin/top
chmod 750 /usr/bin/who
chmod 750 /usr/bin/lspci
chmod 750 /usr/bin/ftp

chmod 750 /usr/bin/rcp
chmod 750 /usr/bin/lynx
chmod 750 /usr/bin/links

php.ini

There are certain functions in PHP that we don’t want users to use because of the danger they are. Even if you know your users aren’t utilizing certain functions it is wise to completely disable them so an attacker can’t use them. This security precaution is especially effective at stopping an attacker who has somehow managed to upload a PHP script, write one to the filesystem, or even include a remote PHP file. By disabling functionality you ensure that you can limit the effectiveness of these types of attacks.

Depend your configuration, edit php.ini and disable dangerous functions. Depend your server and php module configuration (mod_php, php-fastcgi, PHP-FPM, suPHP, lsphp):

/usr/local/lib/php.ini
/usr/local/etc/php5/cgi/php.ini
/usr/local/etc/php6/cgi/php.ini
/usr/local/etc/php7/cgi/php.ini

Change disable_functions to bellow:

disable_functions = exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname

Install Clamav Scanner

[root@directadmin]# cd /usr/local/directadmin/custombuild

Edit options.conf and change to:

clamav=yes
clamav_exim=yes
[root@directadmin]# ./build clamav

Clamav Signatures

Edit Freshclam.conf file:

[root@directadmin]# nano -w /etc/freshclam.conf

Add these line end of file:

DatabaseCustomURL http://cdn.malware.expert/malware.expert.ndb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.hdb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.ldb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.fp

Restart Freshclam

[root@directadmin]# /etc/init.d/freshclam restart

Extra Signatures

if you want use more signatures to clamav, i suggest install Linux Malware Detect – from www.rfxn.com

If you dont wanna install itself software, you can tweak and use only signatures to clamav. Add freshclam.conf end of file:

DatabaseCustomURL http://cdn.rfxn.com/downloads/rfxn.ndb
DatabaseCustomURL http://cdn.rfxn.com/downloads/rfxn.hdb

Install ModSecurity

[root@directadmin]# cd /usr/local/directadmin/custombuild

Edit options.conf file:

modsecurity=yes
modsecurity_ruleset=none

Build ModSecurity with custombuild:

[root@directadmin]# ./build modsecurity
[root@directadmin]# ./build modsecurity_rules

ModSecurity Scan Uploads with Clamav

Scan all uploaded files to server with modsecurity rules.

Edit options.conf file:

modsecurity_uploadscan=yes

Install Runav.conf ModSecurity Rules:

[root@directadmin]# mkdir /usr/local/directadmin/custombuild/custom
[root@directadmin]# mkdir /usr/local/directadmin/custombuild/custom/modsecurity
[root@directadmin]# mkdir /usr/local/directadmin/custombuild/custom/modsecurity/conf

Generate runav.conf file with content:

SecRule FILES_TMPNAMES "@inspectFile /usr/local/bin/runav.pl" \
        "phase:2,t:none,block,msg:'Virus found in uploaded file',id:'399999'"

Update rules modifications:

[root@directadmin]# ./build modsecurity_rules

Check rules installed in /etc/modsecurity.d folder!

Also Check /usr/local/bin/runav.pl file:

#!/usr/bin/perl
#
# runav.pl
# Copyright (c) 2004-2011 Trustwave
#
# This script is an interface between ModSecurity and its
# ability to intercept files being uploaded through the
# web server, and ClamAV


$CLAMDSCAN = "/usr/local/bin/clamdscan";

if ($#ARGV != 0) {
    print "Usage: runav.pl <filename>\n";
    exit;
}

my ($FILE) = shift @ARGV;

$cmd = "$CLAMDSCAN --stdout --no-summary $FILE";
$input = `$cmd`;
$input =~ m/^(.+)/;
$error_message = $1;

$output = "0 Unable to parse clamscan output [$1]";

if ($error_message =~ m/: Empty file\.?$/) {
    $output = "1 empty file";
}
elsif ($error_message =~ m/: (.+) ERROR$/) {
    $output = "0 clamscan: $1";
}
elsif ($error_message =~ m/: (.+) FOUND$/) {
    $output = "0 clamscan: $1";
}
elsif ($error_message =~ m/: OK$/) {
    $output = "1 clamscan: OK";
}

Malware Expert – ModSecurity Rules

[root@directadmin]# cd /usr/local/directadmin/custombuild
[root@directadmin]# mkdir custom
[root@directadmin]# mkdir custom/modsecurity
[root@directadmin]# mkdir custom/modsecurity/conf

Add file malware_expert.conf to custom/modsecurity/conf folder and replace (serial key):

SecRemoteRules (serial key) https://rules.malware.expert/download.php?rules=generic

If you dont have Licence, Buy now!

Add file rbl.conf to custom/modsecurity/conf folder

SecRule REQUEST_METHOD         "POST"          "id:'400010',phase:1,t:none,chain,drop,noauditlog,msg:'Malware host detected by rbl.malware.expert'"
SecRule REMOTE_ADDR            "@rbl rbl.malware.expert"

NOTE! Make sure you update custombuild:

[root@directadmin]# ./build modsecurity_rules

And check custombuild add malware_expert.conf to /etc/modsecurity.d/malware_expert.conf

httpd-modsecurity.conf (Depend Server Configuration)

Also apache modsecurity configuration need little modifications, because clamav need scan uploaded files.

These working with Apache 2.4 / mod_php / mod_ruid2:

[root@directadmin]# cd /usr/local/directadmin/custombuild
[root@directadmin]# mkdir custom
[root@directadmin]# mkdir custom/ap2
[root@directadmin]# mkdir custom/ap2/conf
[root@directadmin]# mkdir custom/ap2/extra

Add custom/ap2/extra/httpd-modsecurity.conf file with these modifications:

LoadFile /usr/local/lib/libxml2.so
LoadModule security2_module /usr/lib/apache/mod_security2.so
<IfModule mod_security2.c>
    # Default recommended configuration
    SecRuleEngine On
    SecRequestBodyAccess On
    SecDefaultAction "phase:1,deny,log,status:406"
    SecDefaultAction "phase:2,deny,log,status:406"
    SecRemoteRulesFailAction Warn
    SecRequestBodyLimitAction ProcessPartial
    SecResponseBodyLimitAction ProcessPartial
    SecRequestBodyLimit 268435456
    SecRequestBodyNoFilesLimit 268435456

    SecPcreMatchLimit 250000
    SecPcreMatchLimitRecursion 250000

    SecCollectionTimeout 600

    SecDebugLog /var/log/httpd/modsec_debug.log
    SecDebugLogLevel 0
    SecAuditEngine RelevantOnly

    SecAuditLogDirMode 1733 
    SecAuditLogFileMode 0550 
    SecAuditLogType Concurrent
    SecAuditLogStorageDir /var/log/modsec_audit

    SecAuditLog /var/log/httpd/modsec_audit.log
    SecUploadDir /tmp
    SecTmpDir /tmp
    SecDataDir /tmp
    SecUploadFileMode 0644

    SecTmpSaveUploadedFiles on

    # ModSecurity Core Rules Set and Local configuration
    IncludeOptional /etc/modsecurity.d/*.conf.main
    IncludeOptional /etc/modsecurity.d/*.conf
</IfModule>

Rebuild configurations

[root@directadmin]# ./build rewrite_confs

Activate rules and modifications:

[root@directadmin]# ./build modsecurity_rules