DirectAdmin

How To Install DirectAdmin Control Panel On CentOS 7

DirectAdmin is a leading alternative control panel to cPanel/WHM. This installation guide will outline how to install DirectAdmin control panel on CentOS 7 64bit server.  I will be using a Las Vegas based BuyVM.net 1GB dedicated KVM Slice VPS server  which costs just US$3.50/month as they generously offer free DirectAdmin license with every VPS server.  Seems like the cheapest way to get access to DirectAdmin for testing/learning purposes. The 1GB KVM plan only has 20GB disk space which isn’t suitable for production usage but for purpose of writing this guide and learning on DirectAdmin it should suffice. Otherwise, if you web host doesn’t provide a DirectAdmin license you’d have to buy a DirectAdmin license directly with DirectAdmin. As I am new to DirectAdmin, this guide serves a dual purpose in also documenting my learning and experiences with DirectAdmin installation process. As such this guide will be constantly updated over time so check back regularly.  I’ve added a last updated date timestamp for this very purpose. Update: besides DirectAdmin standard licenses, there are also DirectAdmin Lite & Personal limited license options available. For details of what DirectAdmin limited licenses means, read here.

Reading Time: 61 minutes

The following DirectAdmin installation steps are based on the official DirectAdmin outlined documentation for:

Contents

Step 1. CentOS 7 server preparation

DirectAdmin system requirements guidelines outline specific recommendations. The ones relevant to this DirectAdmin installation are:

  • For CentOS 7, use the xfs quota system. If you use ext4, add use_xfs_quota=0 to the /usr/local/directadmin/conf/directadmin.conf.
  • Swap disk size – for less than 2GB memory based servers, set swap disk size to 2x memory installed. For 2-8GB memory based servers, set swap disk size to same amount as installed memory. For greater than 8GB memory based servers, set swap disk size to at least 4GB.
  • Ensure basic development/compiling tools such as gcc, g++, and perl have been installed
  • Do not install services such as Apache, PHP, MySQL, Ftp, Sendmail, etc as DirectAdmin installation will take care of installation and configuration of such services. Full outline list of what DirectAdmin installs can be found at https://www.directadmin.com/technologies.php
  • At a bare minimum your server must have one static IPv4 IP address. However, for DNS control you will sometimes need at least two (2) IP addresses. With only one IP address you might be forced to use an external DNS service, depending on your registrar. This means web sites you create through the control panel will not propagate automatically. For this DirectAdmin installation guide I’ll be using only one static IPv4 IP address with intention of using Cloudflare for DNS management.
  • Setup and configuration of your DirectAdmin server’s  hostname which should not be the same as the primary domain name. e.g. yourdomain.com is not a good hostname, where server.yourdomain.com or host.yourdomain.com is. If you have signed up with a VPS or dedicated server provider, at order time you would of specified a hostname to label and name your server. This is usually the hostname that the CentOS 7 image will configure out of the box when you log in for the first time and as such may require changing to a hostname that suits your needs.

So within your SSH logged in session as root user, run the following commands to prepare your CentOS 7 server for DirectAdmin installation.

Configuring your hostname for your DirectAdmin server. You can find the current registered hostname for your CentOS 7 server via either of these commands

uname -n
hostname

On BuyVM.net VPS there’s currently a bug in their system which incorrectly populates the hostname as the following instead of your entered hostname at order time. BuyVM folks are aware of this bug and actively working on a fix.

[root@roblifehack ~]# uname -n
roblifehack.com

[root@roblifehack ~]# hostname
roblifehack.com

The bug also appears in the default BuyVM Stallion control panel’s networking PTR configuration field so you will need to adjust those to your desired hostname with the proceeding instructions.

BuyVM PTR

If your desired hostname needs changing you can do that now using command below changing hostname.yourdomain.com to your own desired hostname.

hostnamectl set-hostname hostname.yourdomain.com

You can verify with with above commands used to get current registered hostname or via

hostnamectl status

Then ensure your hostname’s DNS works via DNS A record pointing to DirectAdmin server’s public IP address. This is important for proper mail delivery from the server and for DirectAdmin licensing checks.

Configuring a swap disk. As DirectAdmin does do quite a bit of source compilation, my own experience with Centmin Mod LEMP stack has taught me that on low memory VPS servers, always have adequate swap disk size. So I opted to configure a 3GB swap disk for this 1GB BuyVM KVM VPS server. Below SSH commands create a 3GB swap disk for DirectAdmin to use.

if [ "$(df -hT | grep -w xfs)" ]; then dd if=/dev/zero of=/swapfile bs=1024 count=3072k; else fallocate -l 3G /swapfile; fi
mkswap /swapfile
swapon /swapfile 
chown root:root /swapfile
chmod 0600 /swapfile
swapon -s
echo "/swapfile swap swap defaults 0 0" >> /etc/fstab
mount -a
free -m

BuyVM.net VPS already provisioned a 1GB swap file so this change would increase your total swap available to 4GB

free -ml
              total        used        free      shared  buff/cache   available
Mem:            991          59         412          12         518         757
Low:            991         578         412
High:             0           0           0
Swap:          1023           0        1023

After adding 3GB swap file to existing 1GB swap file = 4GB swap total

free -m
              total        used        free      shared  buff/cache   available
Mem:            991          61         405          12         524         755
Swap:          4095           0        4095

Installing basic development and compiling tools via YUM. I also add the following additional YUM packages:

  • nano – my preferred linux text editor
  • cmake, cmake3 – for compiling other software which may use cmake or version 3 of cmake
  • screen – useful to run lengthy scripts or where you want your SSH session to survive disconnections from SSH
  • sysstat – access to useful system resource gathering tools like sar, pidstat, mpstat, and iostat
  • perl-libwww-perl – required if you want to install CSF Firewall
  • perl-Crypt-SSLeay – required if you want to install CSF Firewall
  • perl-Net-SSLeay – required if you want to install CSF Firewall
  • perl-LWP-Protocol-https – required if you want to install CSF Firewall for CentOS 7
  • GeoIP-devel
  • GeoIP
  • mlocate
  • bc
  • jq – install via EPEL YUM repo
  • nghttp2 – for HTTPS/SSL diagnostics testing and access to h2load HTTP/2 HTTPS load tester
  • redis – install via Remi YUM repo for newer version that CentOS 7 base YUM repo version
  • memcached – install via Remi YUM repo for newer version that CentOS 7 base YUM repo version
  • memcached-devel – install via Remi YUM repo for newer version that CentOS 7 base YUM repo version
  • libmemcached-devel – install via CentOS 7 base YUM repo version
  • libmemcached – install via CentOS 7 base YUM repo version
yum clean all
yum -y install wget gcc gcc-c++ flex bison make bind bind-libs bind-utils libaio libcom_err-devel openssl openssl-devel perl quota libcurl-devel gd zlib-devel zip unzip libcap-devel cronie bzip2 cyrus-sasl-devel perl-ExtUtils-Embed autoconf automake libtool which patch mailx bzip2-devel lsof glibc-headers kernel-devel expat-devel psmisc net-tools systemd-devel libdb-devel perl-DBI perl-Perl4-CoreLibs xfsprogs rsyslog logrotate crontabs file kernel-headers nano cmake cmake3 screen sysstat perl-libwww-perl perl-Crypt-SSLeay perl-Net-SSLeay perl-LWP-Protocol-https GeoIP-devel GeoIP mlocate bc

# EPEL & Remi YUM repo
yum -y install epel-release yum-utils
rpm -ivh https://rpms.remirepo.net/enterprise/remi-release-7.rpm
# disable Remi & EPEL by default and only enable manually when needed
yum-config-manager --disable remi epel
yum -q list jq nghttp2 redis memcached memcached-devel libmemcached-devel libmemcached --enablerepo=epel,remi
yum -y install jq nghttp2 redis memcached memcached-devel libmemcached-devel libmemcached --enablerepo=epel,remi
# mlocate
updatedb

Disabling SELINUX

setenforce 0
sed -i 's|enforcing|disabled|g' /etc/selinux/config

A YUM update and reboot is highly recommended before proceeding to ensure that your Linux Kernel is the latest available patch fixed for Meltdown/Spectre and other vulnerabilities.

yum -y update
reboot

After setting up 3+1 = 4GB swap disks and doing YUM update and package installs, current disk usage is:

df -hT
Filesystem     Type      Size  Used Avail Use% Mounted on
/dev/vda1      ext4       19G  4.8G   13G  27% /
devtmpfs       devtmpfs  486M     0  486M   0% /dev
tmpfs          tmpfs     496M     0  496M   0% /dev/shm
tmpfs          tmpfs     496M  6.7M  489M   2% /run
tmpfs          tmpfs     496M     0  496M   0% /sys/fs/cgroup
tmpfs          tmpfs     100M     0  100M   0% /run/user/0

Step 2. Verify your DirectAdmin license information.

If you didn’t get your DirectAdmin license from your web host but direct with DirectAdmin, sign into your client account at https://www.directadmin.com/clients and

  • Click the “view” link next to your license and make sure that the license is Active and Verified (if it isn’t, then DirectAdmin’s billing system hasn’t processed the order yet).
  • Verify that the server IP address and operating system is correct.

For BuyVM.net they offer free DirectAdmin licenses for their VPS which you can order after your BuyVM VPS has been provisioned and assigned an IP address here. The order form prompts you to provide the IP address of the BuyVM VPS server you intend to install DirectAdmin on, Once ordered you should see your DirectAdmin license listed in services listing. Clicking on the service will reveal the DirectAdmin license id, client id, status and registered IP and OS. Note, for new first time BuyVM VPS customers when you first provision a new VPS, mail ports are blocked by default until you contact their technical support to unblock the mail ports. This is a one time task you need to do.

Directadmin license

Directadmin license

You’ll also receive an email from BuyVM with DirectAdmin license details

DirectAdmin BuyVM Email

Step 3. DirectAdmin Installation

Now to the actual DirectAdmin install which is done as root user in SSH logged in session. You first download the DirectAdmin setup.sh script and give it executable permissions. You can download setup.sh and save anywhere on your server but I generally like to group all my tools in a directory like /root/tools

mkdir -p /root/tools
cd /root/tools
wget -4 https://www.directadmin.com/setup.sh
chmod 755 setup.sh

Next is to actually run the setup.sh script. If you have a flaky SSH connection and do not want SSH disconnections to occur during setup.sh run, you can run setup.sh within a screen session. I also raise the default screen scrollback limit in /root/.screenrc.

You will be prompted for a client ID number, license ID number, and hostname when you run setup.sh as well as ethernet adaptor device name for the public IP address for the server.

  • The hostname should not be the same as the primary domain name and should of been the same one we prepared and configured in step 1 preparation stage e.g. yourdomain.com is not a good hostname, where server.yourdomain.com or host.yourdomain.com is.
  • Having the same host/main domain name will cause e-mail and FTP problems.
  • Also, make sure the hostname resolves once you setup DNS – so ensure a DNS A record for your hostname exists pointing to the DirectAdmin server’s public IP address.
  • You can find the list of your ethernet adaptor’s device name for public IP via command. For BuyVM VPS the public IP is on eth0 device name
    /sbin/ifconfig

Actual DirectAdmin installation commands for running setup.sh or read further below on customising setup.sh runs:

echo "defscrollback 200000" >> /root/.screenrc
screen -dmS directadmin
screen -r directadmin
time ./setup.sh
Pre-configure DirectAdmin Installs

Was only made aware after writing this article that you can customise setup.sh and use preset options.conf prior to actual install via outlined instructions here. You can see this DirectAdmin installations final options.conf file settings in a Gist file here.

So populate these SSH session variables or put into a script the following. Where YOUR_LINK_TO_HOSTED_OPTIONS_FILE would be something like https://yourdomain.com/options.conf where you host the customised options.conf file usually created by DirectAdmin at /usr/local/directadmin/custombuild/options.conf.

clientid=YOUR_CLIENTID
licenseid=YOUR_LICENSEID
hostname=YOUR_HOSTNAME
ip=YOUR_SERVERIP
devicename=YOUR_ETHERNET_DEVICENAME
opturl=YOUR_LINK_TO_HOSTED_OPTIONS_FILE
custombuild_ver=2.0

Also you can pre-configure your DirectAdmin admin email and nameservers in the following files prior to running setup.sh:

  • /root/.email.txt
  • /root/.ns1.txt
  • /root/.ns2.txt

Then you’d change your setup.sh run to

mkdir -p /root/tools
cd /root/tools
wget -4 https://www.directadmin.com/setup.sh
chmod 755 setup.sh

echo "defscrollback 200000" >> /root/.screenrc
screen -dmS directadmin
screen -r directadmin

echo $custombuild_ver > /root/.custombuild
time ./setup.sh $clientid $licenseid $hostname $devicename $ip

If you have a preconfigured options.conf config file you saved from an existing DirectAdmin server location at /usr/local/directadmin/custombuild/options.conf, you can use that too by setting up /usr/local/directadmin/custombuild/options.conf before running setup.sh by downloading your custom options.conf file from remote server or Gist hosted file you defined in above populated variables for $opturl. You can see this DirectAdmin installations final options.conf file settings in a Gist file here.

Downloading preset options.conf to /usr/local/directadmin/custombuild/options.conf

mkdir -p /usr/local/directadmin/custombuild
wget -O /usr/local/directadmin/custombuild/options.conf $opturl

Example using my Gist file to prepopulate options.conf and using sed to replace values for redirect_host (remember to also configure and setup DirectAdmin over HTTPS) and email options:

HOSTNAME='hostname.yourdomain.com'
EMAIL='your_directadmin_email'
mkdir -p /usr/local/directadmin/custombuild
curl -s -4 https://gist.githubusercontent.com/centminmod/62cc0bcdb44977718f98390a93ad8776/raw/options.conf | sed -e "s|^redirect_host=.*|redirect_host=$HOSTNAME|" -e "s|^email=.*|email=$EMAIL|" > /usr/local/directadmin/custombuild/options.conf

The setup.sh has various setup question prompts for you to answer. Once all question prompts have been answered it’s waiting for DirectAdmin installation process to complete. As there’s source compilation involved, how fast DirectAdmin installs will depend on your specific server hardware configuration.

  • The higher the cpu clock frequency, the faster source compilations go.
  • The more cpu threads available, the faster source compilations should go if DirectAdmin makes use of multiple cpu threads during source compilation.
  • The faster the underlying disk storage layer i.e. NVMe SSD vs SSD vs non-SSD, the faster source compilations are.
  • New cpu models are generally clock for clock faster than previous cpu generations.

The BuyVM VPS has 1GB of memory with 1 cpu thread on an Intel Xeon E3-1270v3 Haswell based processor.

lscpu
Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                1
On-line CPU(s) list:   0
Thread(s) per core:    1
Core(s) per socket:    1
Socket(s):             1
NUMA node(s):          1
Vendor ID:             GenuineIntel
CPU family:            6
Model:                 60
Model name:            Intel(R) Xeon(R) CPU E3-1270 v3 @ 3.50GHz
Stepping:              3
CPU MHz:               3499.992
BogoMIPS:              6999.98
Hypervisor vendor:     Microsoft
Virtualization type:   full
L1d cache:             32K
L1i cache:             32K
L2 cache:              4096K
L3 cache:              16384K
NUMA node0 CPU(s):     0
Flags:                 fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid xsaveopt arat umip

Excerpt below:

time ./setup.sh
*** 64-bit OS ***

*****************************************************
*
* DirectAdmin requires certain packages, described here:
* http://help.directadmin.com/item.php?id=354
*
* Would you like to install these required pre-install packages? (y/n): y
*****************************************************

Please enter your Client ID : CLIENTID
Please enter your License ID : LICENSEID
Please enter your hostname (server.domain.com)
It must be a Fully Qualified Domain Name
Do *not* use a domain you plan on using for the hostname:
eg. don't use domain.com. Use server.domain.com instead.
Do not enter http:// or www

Your current hostname is: hostname.yourdomain.com

Enter your hostname (FQDN) : hostname.yourdomain.com
Client ID:  CLIENTID
License ID: LICENSEID
Hostname: hostname.yourdomain.com
Is this correct? (y,n) : y
The following ethernet devices/IPs were found. Please enter the name of the device you wish to use:

eth0       MY_SERVERIP
eth1       

Enter the device name: eth0
Your external IP: MY_SERVERIP
The external IP should typically match your license IP.

Is MY_SERVERIP the IP in your license? (y,n) : y

DirectAdmin will now be installed on: Enterprise 7.6
Is this correct? (must match license) (y,n) : y
You have chosen custombuild 2.0.

Prompts for Apache/PHP setup – I deliberately chose a non-default Apache/PHP setup just to see what options are available for now. Will play with different configurations later down the track.

Would you like the default settings of apache 2.4 with mod_ruid2 and php 7.2 cli? (y/n): n
You have chosen to customize the custombuild options. Please wait while options configurator is downloaded...

Cannot find /usr/local/directadmin/custombuild/options.conf, writing defaults.
Downloading versions.txt...

Would you like to backup the current options.conf? (yes/no): yes
Backup created: /usr/local/directadmin/custombuild/options.conf.20190717054458.backup

Please select webserver you would like to use (apache/nginx/nginx_apache/litespeed/openlitespeed):apache

Please select FTP server you would like to use (proftpd/pureftpd/no):pureftpd

Please select default PHP version you would like to use (5.3/5.4/5.5/5.6/7.0/7.1/7.2/7.3):7.3

Please select default PHP mode you would like to use (php-fpm/fastcgi/suphp/lsphp/mod_php):php-fpm

Would you like to have a second instance of PHP installed? (yes/no): yes

Please select additional PHP version you would like to use (5.3/5.4/5.5/5.6/7.0/7.1/7.2/7.3):7.2

Please select additional PHP mode you would like to use (php-fpm/fastcgi/suphp/lsphp):php-fpm

Would you like to have a third instance of PHP installed? (yes/no): yes

Please select additional PHP version you would like to use (5.3/5.4/5.5/5.6/7.0/7.1/7.2/7.3):5.6

Please select additional PHP mode you would like to use (php-fpm/fastcgi/suphp/lsphp):php-fpm

Would you like to have a fourth instance of PHP installed? (yes/no): no

Please select if you would like to use ionCube (yes/no):no

Please select if you would like to use Zend Guard Loader (yes/no):no

Please select if you would like to use suhosin (yes/no):no

Please select if you would like CustomBuild to manage Exim installation (yes/no):yes

Please select if you would like CustomBuild to manage Dovecot installation (yes/no):yes

Please select if you would like CustomBuild to manage phpMyAdmin installation (yes/no):yes

Please select if you would like CustomBuild to manage SquirrelMail installation (yes/no):yes

Please select if you would like CustomBuild to manage RoundCube installation (yes/no):yes

Would you like to search for the fastest download mirror? (y/n): y

Installation on BuyVM 1GB KVM VPS with 1 cpu thread, took approximately 95 minutes to complete ending with the following message

To login now, follow this link:

http://MY_SERVERIP:2222

and enter your Admin username and password when prompted.

You should now visit http://admin.site-helper.com and http://www.directadmin.com/newinstall.html to learn how to get started.

Thank you for using DirectAdmin. Should you have any questions, don't hesitate to contact us at support@directadmin.com

## REPORT_END
Permissions set

System Security Tips:
http://help.directadmin.com/item.php?id=247

Disk space usage after DirectAdmin install:

df -hT
Filesystem     Type      Size  Used Avail Use% Mounted on
/dev/vda1      ext4       19G  6.2G   12G  35% /
devtmpfs       devtmpfs  486M     0  486M   0% /dev
tmpfs          tmpfs     496M     0  496M   0% /dev/shm
tmpfs          tmpfs     496M  6.7M  489M   2% /run
tmpfs          tmpfs     496M     0  496M   0% /sys/fs/cgroup
tmpfs          tmpfs     100M     0  100M   0% /run/user/0

If you do happen to get disconnected from your SSH session during setup.sh run, you can just SSH login again and reattach the screen session named, directadmin and will see the setup.sh script is still continuing it’s run if it hasn’t finished yet or may see that setup.sh run has completed.

screen -r directadmin

Once DirectAdmin is installed to access the control panel on port 2222, you’d need to whitelist it in CentOS 7’s Firewalld firewall.

firewall-cmd --permanent --zone=public --add-port=2222/tcp

However, on my BuyVM VPS server DirectAdmin install instance, I was able to reach DirectAdmin control panel on port 2222 without whitelisting port 2222 because it seems Firewalld service wasn’t running !

service firewalld status
Redirecting to /bin/systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)

So have to manually start CentOS 7’s Firewalld service which then will block port 2222 access until you run the above firewall-cmd command to whitelist port 2222

service firewalld start

Checking Firewalld

firewall-cmd --state
running

Listing current open public ports before whitelisting port 2222 returns empty for this command as no ports are whitelisted as yet.

firewall-cmd --zone=public --list-ports

Whitelist port 2222 in Firewalld and then recheck public whitelisted ports

firewall-cmd --permanent --zone=public --add-port=2222/tcp
success

firewall-cmd --reload

firewall-cmd --zone=public --list-ports
2222/tcp

Do the same for whitelisting SSH and common service ports. I also added 9418 for Git usage and FTP passive port range 35000-35999. Would be nice if DirectAdmin did this by default for it’s known installed services so out of the box DirectAdmin installations would be protected behind Firewalld initially.

firewall-cmd --permanent --zone=public --add-port=22/tcp
firewall-cmd --permanent --zone=public --add-port=2222/tcp
firewall-cmd --permanent --zone=public --add-port=9418/tcp
firewall-cmd --permanent --zone=public --add-port=35000-35999/tcp
firewall-cmd --permanent --zone=public --add-service=dns
firewall-cmd --permanent --zone=public --add-service=ftp
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=public --add-service=imap
firewall-cmd --permanent --zone=public --add-service=imaps
firewall-cmd --permanent --zone=public --add-service=pop3
firewall-cmd --permanent --zone=public --add-service=pop3s
firewall-cmd --permanent --zone=public --add-service=smtp
firewall-cmd --permanent --zone=public --add-service=smtps
firewall-cmd --permanent --zone=public --add-service=smtp-submission
firewall-cmd --reload
firewall-cmd --zone=public --list-ports
firewall-cmd --zone=public --list-services

Check port and service listings that are whitelisted now

firewall-cmd --zone=public --list-ports
2222/tcp 22/tcp 35000-35999/tcp 9418/tcp

firewall-cmd --zone=public --list-services               
ssh dhcpv6-client dns ftp http https imaps pop3s smtp imap pop3 smtps smtp-submission

The corresponding whitelisted services’ ports from their profile

echo "ssh dhcpv6-client dns ftp http https imaps pop3s smtp imap pop3 smtps smtp-submission" | xargs -n1 | while read s; do echo -n "/usr/lib/firewalld/services/$s.xml"; grep 'port protocol' /usr/lib/firewalld/services/$s.xml; done
/usr/lib/firewalld/services/ssh.xml <port protocol="tcp" port="22"/>
/usr/lib/firewalld/services/dhcpv6-client.xml <port protocol="udp" port="546"/>
/usr/lib/firewalld/services/dns.xml <port protocol="tcp" port="53"/>
<port protocol="udp" port="53"/>
/usr/lib/firewalld/services/ftp.xml <port protocol="tcp" port="21"/>
/usr/lib/firewalld/services/http.xml <port protocol="tcp" port="80"/>
/usr/lib/firewalld/services/https.xml <port protocol="tcp" port="443"/>
/usr/lib/firewalld/services/imaps.xml <port protocol="tcp" port="993"/>
/usr/lib/firewalld/services/pop3s.xml <port protocol="tcp" port="995"/>
/usr/lib/firewalld/services/smtp.xml <port protocol="tcp" port="25"/>
/usr/lib/firewalld/services/imap.xml <port protocol="tcp" port="143"/>
/usr/lib/firewalld/services/pop3.xml <port protocol="tcp" port="110"/>
/usr/lib/firewalld/services/smtps.xml <port protocol="tcp" port="465"/>
/usr/lib/firewalld/services/smtp-submission.xml <port protocol="tcp" port="587"/>

If you have other services, Firewalld has a profile for some of these services which you can use –add-service=SERVICENAME to whitelist in public zone where appropriate:

ls -alh /usr/lib/firewalld/services/
total 512K
drwxr-xr-x. 2 root root 4.0K May 12 23:10 .
drwxr-xr-x. 8 root root 4.0K May 12 23:09 ..
-rw-r--r--. 1 root root  412 Oct 30  2018 amanda-client.xml
-rw-r--r--. 1 root root  447 Oct 30  2018 amanda-k5-client.xml
-rw-r--r--. 1 root root  320 Oct 30  2018 bacula-client.xml
-rw-r--r--. 1 root root  346 Oct 30  2018 bacula.xml
-rw-r--r--. 1 root root  339 Oct 30  2018 bgp.xml
-rw-r--r--. 1 root root  275 Oct 30  2018 bitcoin-rpc.xml
-rw-r--r--. 1 root root  307 Oct 30  2018 bitcoin-testnet-rpc.xml
-rw-r--r--. 1 root root  281 Oct 30  2018 bitcoin-testnet.xml
-rw-r--r--. 1 root root  244 Oct 30  2018 bitcoin.xml
-rw-r--r--. 1 root root  294 Oct 30  2018 ceph-mon.xml
-rw-r--r--. 1 root root  329 Oct 30  2018 ceph.xml
-rw-r--r--. 1 root root  168 Oct 30  2018 cfengine.xml
-rw-r--r--. 1 root root  260 Oct 30  2018 condor-collector.xml
-rw-r--r--. 1 root root  296 Oct 30  2018 ctdb.xml
-rw-r--r--. 1 root root  305 Oct 30  2018 dhcpv6-client.xml
-rw-r--r--. 1 root root  234 Oct 30  2018 dhcpv6.xml
-rw-r--r--. 1 root root  227 Oct 30  2018 dhcp.xml
-rw-r--r--. 1 root root  346 Oct 30  2018 dns.xml
-rw-r--r--. 1 root root  374 Oct 30  2018 docker-registry.xml
-rw-r--r--. 1 root root  391 Oct 30  2018 docker-swarm.xml
-rw-r--r--. 1 root root  228 Oct 30  2018 dropbox-lansync.xml
-rw-r--r--. 1 root root  338 Oct 30  2018 elasticsearch.xml
-rw-r--r--. 1 root root  836 Oct 30  2018 freeipa-ldaps.xml
-rw-r--r--. 1 root root  836 Oct 30  2018 freeipa-ldap.xml
-rw-r--r--. 1 root root  315 Oct 30  2018 freeipa-replication.xml
-rw-r--r--. 1 root root  629 Oct 30  2018 freeipa-trust.xml
-rw-r--r--. 1 root root  374 Oct 30  2018 ftp.xml
-rw-r--r--. 1 root root  184 Oct 30  2018 ganglia-client.xml
-rw-r--r--. 1 root root  176 Oct 30  2018 ganglia-master.xml
-rw-r--r--. 1 root root  212 Oct 30  2018 git.xml
-rw-r--r--. 1 root root  132 Oct 30  2018 gre.xml
-rw-r--r--. 1 root root  603 Oct 30  2018 high-availability.xml
-rw-r--r--. 1 root root  448 Oct 30  2018 https.xml
-rw-r--r--. 1 root root  353 Oct 30  2018 http.xml
-rw-r--r--. 1 root root  372 Oct 30  2018 imaps.xml
-rw-r--r--. 1 root root  327 Oct 30  2018 imap.xml
-rw-r--r--. 1 root root  454 Oct 30  2018 ipp-client.xml
-rw-r--r--. 1 root root  427 Oct 30  2018 ipp.xml
-rw-r--r--. 1 root root  554 Oct 30  2018 ipsec.xml
-rw-r--r--. 1 root root  255 Oct 30  2018 ircs.xml
-rw-r--r--. 1 root root  247 Oct 30  2018 irc.xml
-rw-r--r--. 1 root root  264 Oct 30  2018 iscsi-target.xml
-rw-r--r--. 1 root root  213 Oct 30  2018 jenkins.xml
-rw-r--r--. 1 root root  182 Oct 30  2018 kadmin.xml
-rw-r--r--. 1 root root  233 Oct 30  2018 kerberos.xml
-rw-r--r--. 1 root root  384 Oct 30  2018 kibana.xml
-rw-r--r--. 1 root root  249 Oct 30  2018 klogin.xml
-rw-r--r--. 1 root root  221 Oct 30  2018 kpasswd.xml
-rw-r--r--. 1 root root  182 Oct 30  2018 kprop.xml
-rw-r--r--. 1 root root  242 Oct 30  2018 kshell.xml
-rw-r--r--. 1 root root  232 Oct 30  2018 ldaps.xml
-rw-r--r--. 1 root root  199 Oct 30  2018 ldap.xml
-rw-r--r--. 1 root root  385 Oct 30  2018 libvirt-tls.xml
-rw-r--r--. 1 root root  389 Oct 30  2018 libvirt.xml
-rw-r--r--. 1 root root  349 Oct 30  2018 managesieve.xml
-rw-r--r--. 1 root root  424 Oct 30  2018 mdns.xml
-rw-r--r--. 1 root root  343 Oct 30  2018 minidlna.xml
-rw-r--r--. 1 root root  237 Oct 30  2018 mongodb.xml
-rw-r--r--. 1 root root  473 Oct 30  2018 mosh.xml
-rw-r--r--. 1 root root  211 Oct 30  2018 mountd.xml
-rw-r--r--. 1 root root  170 Oct 30  2018 mssql.xml
-rw-r--r--. 1 root root  190 Oct 30  2018 ms-wbt.xml
-rw-r--r--. 1 root root  242 Oct 30  2018 murmur.xml
-rw-r--r--. 1 root root  171 Oct 30  2018 mysql.xml
-rw-r--r--. 1 root root  342 Oct 30  2018 nfs3.xml
-rw-r--r--. 1 root root  324 Oct 30  2018 nfs.xml
-rw-r--r--. 1 root root  293 Oct 30  2018 nmea-0183.xml
-rw-r--r--. 1 root root  247 Oct 30  2018 nrpe.xml
-rw-r--r--. 1 root root  389 Oct 30  2018 ntp.xml
-rw-r--r--. 1 root root  335 Oct 30  2018 openvpn.xml
-rw-r--r--. 1 root root  260 Oct 30  2018 ovirt-imageio.xml
-rw-r--r--. 1 root root  343 Oct 30  2018 ovirt-storageconsole.xml
-rw-r--r--. 1 root root  235 Oct 30  2018 ovirt-vmconsole.xml
-rw-r--r--. 1 root root  433 Oct 30  2018 pmcd.xml
-rw-r--r--. 1 root root  474 Oct 30  2018 pmproxy.xml
-rw-r--r--. 1 root root  544 Oct 30  2018 pmwebapis.xml
-rw-r--r--. 1 root root  460 Oct 30  2018 pmwebapi.xml
-rw-r--r--. 1 root root  357 Oct 30  2018 pop3s.xml
-rw-r--r--. 1 root root  348 Oct 30  2018 pop3.xml
-rw-r--r--. 1 root root  181 Oct 30  2018 postgresql.xml
-rw-r--r--. 1 root root  509 Oct 30  2018 privoxy.xml
-rw-r--r--. 1 root root  261 Oct 30  2018 proxy-dhcp.xml
-rw-r--r--. 1 root root  424 Oct 30  2018 ptp.xml
-rw-r--r--. 1 root root  414 Oct 30  2018 pulseaudio.xml
-rw-r--r--. 1 root root  297 Oct 30  2018 puppetmaster.xml
-rw-r--r--. 1 root root  273 Oct 30  2018 quassel.xml
-rw-r--r--. 1 root root  520 Oct 30  2018 radius.xml
-rw-r--r--. 1 root root  268 Oct 30  2018 redis.xml
-rw-r--r--. 1 root root  741 Oct 30  2018 RH-Satellite-6.xml
-rw-r--r--. 1 root root  214 Oct 30  2018 rpc-bind.xml
-rw-r--r--. 1 root root  310 Oct 30  2018 rsh.xml
-rw-r--r--. 1 root root  311 Oct 30  2018 rsyncd.xml
-rw-r--r--. 1 root root  384 Oct 30  2018 samba-client.xml
-rw-r--r--. 1 root root  461 Oct 30  2018 samba.xml
-rw-r--r--. 1 root root  337 Oct 30  2018 sane.xml
-rw-r--r--. 1 root root  283 Oct 30  2018 sips.xml
-rw-r--r--. 1 root root  509 Oct 30  2018 sip.xml
-rw-r--r--. 1 root root  231 Oct 30  2018 smtp-submission.xml
-rw-r--r--. 1 root root  577 Oct 30  2018 smtps.xml
-rw-r--r--. 1 root root  550 Oct 30  2018 smtp.xml
-rw-r--r--. 1 root root  308 Oct 30  2018 snmptrap.xml
-rw-r--r--. 1 root root  342 Oct 30  2018 snmp.xml
-rw-r--r--. 1 root root  405 Oct 30  2018 spideroak-lansync.xml
-rw-r--r--. 1 root root  173 Oct 30  2018 squid.xml
-rw-r--r--. 1 root root  463 Oct 30  2018 ssh.xml
-rw-r--r--. 1 root root  297 Oct 30  2018 syncthing-gui.xml
-rw-r--r--. 1 root root  311 Oct 30  2018 syncthing.xml
-rw-r--r--. 1 root root  496 Oct 30  2018 synergy.xml
-rw-r--r--. 1 root root  444 Oct 30  2018 syslog-tls.xml
-rw-r--r--. 1 root root  329 Oct 30  2018 syslog.xml
-rw-r--r--. 1 root root  393 Oct 30  2018 telnet.xml
-rw-r--r--. 1 root root  301 Oct 30  2018 tftp-client.xml
-rw-r--r--. 1 root root  437 Oct 30  2018 tftp.xml
-rw-r--r--. 1 root root  336 Oct 30  2018 tinc.xml
-rw-r--r--. 1 root root  771 Oct 30  2018 tor-socks.xml
-rw-r--r--. 1 root root  244 Oct 30  2018 transmission-client.xml
-rw-r--r--. 1 root root  264 Oct 30  2018 upnp-client.xml
-rw-r--r--. 1 root root  593 Oct 30  2018 vdsm.xml
-rw-r--r--. 1 root root  475 Oct 30  2018 vnc-server.xml
-rw-r--r--. 1 root root  310 Oct 30  2018 wbem-https.xml
-rw-r--r--. 1 root root  509 Oct 30  2018 xmpp-bosh.xml
-rw-r--r--. 1 root root  488 Oct 30  2018 xmpp-client.xml
-rw-r--r--. 1 root root  264 Oct 30  2018 xmpp-local.xml
-rw-r--r--. 1 root root  545 Oct 30  2018 xmpp-server.xml
-rw-r--r--. 1 root root  314 Oct 30  2018 zabbix-agent.xml
-rw-r--r--. 1 root root  315 Oct 30  2018 zabbix-server.xml

Revisiting DirectAdmin control panel login page on port 2222 now:

DirectAdmin Login Page

 

Check MySQL version installed by default where MySQL root password details are located in

  • /usr/local/directadmin/conf/mysql.conf read by DirectAdmin
  • /usr/local/directadmin/conf/my.cnf read by MySQL server/client
  • /usr/local/directadmin/scripts/setup.txt contents variables logins setup by DirectAdmin

MariaDB 5.5 MySQL server is installed by default it seems according to mysqladmin ver command

mysqladmin --defaults-extra-file=/usr/local/directadmin/conf/my.cnf ver

If you find having to pass –defaults-extra-file path tedious, setup a custom command alias in your ~/.bashrc file

alias mysqladmin='mysqladmin --defaults-extra-file=/usr/local/directadmin/conf/my.cnf'

Output

mysqladmin --defaults-extra-file=/usr/local/directadmin/conf/my.cnf ver
mysqladmin Ver 9.0 Distrib 5.5.63-MariaDB, for Linux on x86_64
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Server version 5.5.63-MariaDB
Protocol version 10
Connection Localhost via UNIX socket
UNIX socket /var/lib/mysql/mysql.sock
Uptime: 2 hours 39 min 46 sec

Threads: 1 Questions: 66 Slow queries: 0 Opens: 3 Flush tables: 2 Open tables: 29 Queries per second avg: 0.006

Check Apache version and config installed – Apache 2.4.39 built as Event MPM worker

httpd -V
Server version: Apache/2.4.39 (Unix)
Server built: Jul 17 2019 17:56:35
Server's Module Magic Number: 20120211:84
Server loaded: APR 1.6.5, APR-UTIL 1.6.1
Compiled using: APR 1.6.5, APR-UTIL 1.6.1
Architecture: 64-bit
Server MPM: event
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/httpd"
-D HAVE_SYSTEMD
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_PIDLOG="/var/logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Check which Apache modules loaded into Apache – take note that mod_remoteip (remoteip_module) is loaded. Important if you plan to use Cloudflare in front of your DirectAdmin web sites.

httpd -M
Loaded Modules:
 core_module (static)
 authn_file_module (static)
 authn_dbm_module (static)
 authn_anon_module (static)
 authn_dbd_module (static)
 authn_socache_module (static)
 authn_core_module (static)
 authz_host_module (static)
 authz_groupfile_module (static)
 authz_user_module (static)
 authz_dbm_module (static)
 authz_owner_module (static)
 authz_dbd_module (static)
 authz_core_module (static)
 access_compat_module (static)
 auth_basic_module (static)
 auth_form_module (static)
 auth_digest_module (static)
 allowmethods_module (static)
 file_cache_module (static)
 cache_module (static)
 cache_disk_module (static)
 cache_socache_module (static)
 socache_shmcb_module (static)
 socache_dbm_module (static)
 socache_memcache_module (static)
 socache_redis_module (static)
 so_module (static)
 watchdog_module (static)
 macro_module (static)
 dbd_module (static)
 dumpio_module (static)
 buffer_module (static)
 ratelimit_module (static)
 reqtimeout_module (static)
 ext_filter_module (static)
 request_module (static)
 include_module (static)
 filter_module (static)
 substitute_module (static)
 sed_module (static)
 deflate_module (static)
 http_module (static)
 mime_module (static)
 log_config_module (static)
 log_debug_module (static)
 logio_module (static)
 env_module (static)
 expires_module (static)
 headers_module (static)
 unique_id_module (static)
 setenvif_module (static)
 version_module (static)
 remoteip_module (static)
 proxy_module (static)
 proxy_connect_module (static)
 proxy_ftp_module (static)
 proxy_http_module (static)
 proxy_fcgi_module (static)
 proxy_scgi_module (static)
 proxy_uwsgi_module (static)
 proxy_fdpass_module (static)
 proxy_wstunnel_module (static)
 proxy_ajp_module (static)
 proxy_balancer_module (static)
 proxy_express_module (static)
 proxy_hcheck_module (static)
 session_module (static)
 session_cookie_module (static)
 session_dbd_module (static)
 slotmem_shm_module (static)
 ssl_module (static)
 http2_module (static)
 lbmethod_byrequests_module (static)
 lbmethod_bytraffic_module (static)
 lbmethod_bybusyness_module (static)
 lbmethod_heartbeat_module (static)
 unixd_module (static)
 dav_module (static)
 status_module (static)
 autoindex_module (static)
 info_module (static)
 suexec_module (static)
 cgi_module (static)
 dav_fs_module (static)
 dav_lock_module (static)
 vhost_alias_module (static)
 negotiation_module (static)
 dir_module (static)
 actions_module (static)
 speling_module (static)
 userdir_module (static)
 alias_module (static)
 rewrite_module (static)
 systemd_module (shared)
 mpm_event_module (shared)

Check Apache httpd.conf default include files which are available or commented out/disabled

grep Include /etc/httpd/conf/httpd.conf
Include /etc/httpd/conf/extra/httpd-phpmodules.conf
    # Include some DirectAdmin alias
    Include conf/extra/httpd-alias.conf
Include conf/extra/httpd-includes.conf
Include conf/extra/httpd-directories.conf
Include conf/extra/httpd-nginx.conf
Include conf/extra/httpd-mpm.conf
Include conf/extra/httpd-multilang-errordoc.conf
Include conf/extra/httpd-autoindex.conf
Include conf/extra/httpd-languages.conf
#Include conf/extra/httpd-userdir.conf
Include conf/extra/httpd-info.conf
Include conf/extra/httpd-suphp.conf
#Include conf/extra/httpd-manual.conf
Include conf/extra/httpd-dav.conf
Include conf/extra/httpd-default.conf
Include conf/extra/httpd-ssl.conf
Include conf/extra/httpd-deflate.conf
Include conf/extra/httpd-php-handlers.conf
Include conf/extra/httpd-vhosts.conf
Include conf/extra/directadmin-vhosts.conf

Looks like the /etc/httpd/conf/extra/directadmin-vhosts.conf file contains the DirectAdmin added domain site’s Apache vhost configurations in /usr/local/directadmin/data/users/admin/httpd.conf include file

cat conf/extra/directadmin-vhosts.conf
Include /usr/local/directadmin/data/users/admin/httpd.conf

Within /usr/local/directadmin/data/users/admin/httpd.conf are the domain site’s Apache vhost configurations it seems. Example in Gist posted here.

How DirectAdmin’s Apache was compiled/configured

cat /usr/local/directadmin/custombuild/configure/ap2/configure.apache 
#!/bin/sh
"./configure" \
"--prefix=/etc/httpd" \
"--exec-prefix=/etc/httpd" \
"--bindir=/usr/bin" \
"--sbindir=/usr/sbin" \
"--sysconfdir=/etc/httpd/conf" \
"--enable-so" \
"--enable-dav" \
"--enable-dav-fs" \
"--enable-dav-lock" \
"--enable-suexec" \
"--enable-deflate" \
"--enable-unique-id" \
"--enable-cgi" \
"--disable-cgid" \
"--enable-mods-static=most" \
"--enable-mpms-shared=all" \
"--with-suexec-safedir=/usr/local/safe-bin" \
"--with-suexec-caller=apache" \
"--with-suexec-docroot=/" \
"--with-suexec-gidmin=100" \
"--with-suexec-logfile=/var/log/httpd/suexec_log" \
"--with-suexec-uidmin=100" \
"--with-suexec-userdir=public_html" \
"--with-suexec-bin=/usr/sbin/suexec" \
"--with-included-apr" \
"--with-pcre=/usr/local" \
"--includedir=/usr/include/apache" \
"--libexecdir=/usr/lib/apache" \
"--libdir=/usr/lib/apache" \
"--mandir=/usr/share/man" \
"--datadir=/var/www" \
"--localstatedir=/var" \
"--enable-logio" \
"--enable-ssl" \
"--enable-rewrite" \
"--enable-proxy" \
"--enable-expires" \
"--enable-reqtimeout" \
"--with-ssl=/usr" \
"--disable-md" \
"--enable-headers"

Check PHP command line version – looks like Zend Opcache isn’t installed by default which will result in PHP performance being much lower ! Check the Post-Install steps for using CustomBuild 2.0 to install Zend Opcache.

php -v
PHP 7.3.7 (cli) (built: Jul 17 2019 18:33:55) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.7, Copyright (c) 1998-2018 Zend Technologies

Check if DirectAdmin PHP 7.3 supports Argon2 password hashing algorithm and libsodium – looks like libsodium is supported but missing Argon2 password hashing support. FYI, PHP web apps like Xenforo 2.x support newer Argon2 password hashing algorithm if your PHP version supports it.

php -r 'print_r(get_defined_constants());' | grep -i argon
[SODIUM_CRYPTO_PWHASH_ALG_ARGON2I13] => 1
[SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13] => 2
[SODIUM_CRYPTO_PWHASH_STRPREFIX] => $argon2id$

Usually for PHP 7.3 on my Centmin Mod LEMP 123.09beta01 stack installs I add Argon2 + libsodium support and you should see the following:

php -r 'print_r(get_defined_constants());' | grep -i argon
[PASSWORD_ARGON2I] => 2
[PASSWORD_ARGON2ID] => 3
[PASSWORD_ARGON2_DEFAULT_MEMORY_COST] => 1024
[PASSWORD_ARGON2_DEFAULT_TIME_COST] => 2
[PASSWORD_ARGON2_DEFAULT_THREADS] => 2
[SODIUM_CRYPTO_PWHASH_ALG_ARGON2I13] => 1
[SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13] => 2
[SODIUM_CRYPTO_PWHASH_STRPREFIX] => $argon2id$

For Argon2 you need newer 1.5+ version of libzip for PHP 7 to compile Argon2. On DirectAdmin PHP 7.3 seems libzip is older 1.1.2 version

php --ri zip

zip

Zip => enabled
Zip version => 1.15.4
Libzip version => 1.1.2

And looks like DirectAdmin default PHP 7.3 configuration is compiled with –without-libzip

php-config
Usage: /usr/local/bin/php-config [OPTION]
Options:
  --prefix            [/usr/local/php73]
  --includes          [-I/usr/local/php73/include/php -I/usr/local/php73/include/php/main -I/usr/local/php73/include/php/TSRM -I/usr/local/php73/include/php/Zend -I/usr/local/php73/include/php/ext -I/usr/local/php73/include/php/ext/date/lib]
  --ldflags           [ -L/usr/local/lib -L/usr/local/icu/lib]
  --libs              [-lcrypt   -lz -lexslt -lresolv -lcrypt -lsodium -lrt -lstdc++ -liconv -lpng -lz -ljpeg -lwebp -lz -lrt -lm -ldl -lnsl  -lsystemd -lxml2 -lz -liconv -lm -ldl -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lssl -lcrypto -lpcre2-8 -lcurl -lxml2 -lz -liconv -lm -ldl -lssl -lcrypto -lfreetype -licui18n -licuuc -licudata -licuio -lxml2 -lz -liconv -lm -ldl -lxml2 -lz -liconv -lm -ldl -lcrypt -lxml2 -lz -liconv -lm -ldl -lxml2 -lz -liconv -lm -ldl -lxml2 -lz -liconv -lm -ldl -lxslt -lxml2 -lz -liconv -ldl -lm -lssl -lcrypto -lcrypt ]
  --extension-dir     [/usr/local/php73/lib/php/extensions/no-debug-non-zts-20180731]
  --include-dir       [/usr/local/php73/include/php]
  --man-dir           [/usr/local/php73/php/man]
  --php-binary        [/usr/local/php73/bin/php73]
  --php-sapis         [ cli fpm phpdbg cgi]
  --configure-options [--prefix=/usr/local/php73 --program-suffix=73 --enable-fpm --with-fpm-systemd --with-config-file-scan-dir=/usr/local/php73/lib/php.conf.d --with-curl --with-gd --with-gettext --with-jpeg-dir=/usr/local/lib --with-freetype-dir=/usr/local/lib --with-libxml-dir=/usr/local/lib --with-kerberos --with-openssl --with-mhash --with-mysql-sock=/var/lib/mysql/mysql.sock --with-mysqli=mysqlnd --with-pcre-regex=/usr/local --with-pdo-mysql=mysqlnd --with-pear --with-png-dir=/usr/local/lib --with-sodium=/usr/local --with-webp-dir=/usr/local/lib --with-xsl --with-zlib --enable-zip --without-libzip --with-iconv=/usr/local --enable-bcmath --enable-calendar --enable-exif --enable-ftp --enable-sockets --enable-soap --enable-mbstring --with-icu-dir=/usr/local/icu --enable-intl]
  --version           [7.3.7]
  --vernum            [70307]
cat /usr/local/directadmin/custombuild/configure/ap2/configure.php73
#!/bin/sh
./configure \
        --with-apxs2 \
        --with-config-file-scan-dir=/usr/local/lib/php.conf.d \
        --with-curl \
        --with-gd \
        --with-gettext \
        --with-jpeg-dir=/usr/local/lib \
        --with-freetype-dir=/usr/local/lib \
        --with-libxml-dir=/usr/local/lib \
        --with-kerberos \
        --with-openssl \
        --with-mhash \
        --with-mysql-sock=/var/lib/mysql/mysql.sock \
        --with-mysqli=mysqlnd \
        --with-pcre-regex=/usr/local \
        --with-pdo-mysql=mysqlnd \
        --with-pear \
        --with-png-dir=/usr/local/lib \
        --with-sodium=/usr/local \
        --with-webp-dir=/usr/local/lib \
        --with-xsl \
        --with-zlib \
        --enable-zip \
        --without-libzip \
        --with-iconv=/usr/local \
        --enable-bcmath \
        --enable-calendar \
        --enable-exif \
        --enable-ftp \
        --enable-sockets \
        --enable-soap \
        --enable-mbstring \
        --with-icu-dir=/usr/local/icu \
        --enable-intl

On Centmin Mod PHP 7.3 builds I deliberately use a newer libzip 1.5 version instead of CentOS 7 provided libzip 1.1.2 for this reason. Example from Centmin Mod 123.09beta01 with PHP 7.3.7

php --ri zip

zip

Zip => enabled
Zip version => 1.15.4
Libzip headers version => 1.5.0
Libzip library version => 1.5.0

Check where DirectAdmin’s PHP command line version is reading settings .ini file directories from

php --ini
Configuration File (php.ini) Path: /usr/local/php73/lib
Loaded Configuration File: /usr/local/php73/lib/php.ini
Scan for additional .ini files in: /usr/local/php73/lib/php.conf.d
Additional .ini files parsed: /usr/local/php73/lib/php.conf.d/50-webapps.ini

Check DirectAdmin’s PHP command line loaded PHP extension modules

php -m
[PHP Modules]
bcmath
calendar
Core
ctype
curl
date
dom
exif
fileinfo
filter
ftp
gd
gettext
hash
iconv
intl
json
libxml
mbstring
mysqli
mysqlnd
openssl
pcre
PDO
pdo_mysql
pdo_sqlite
Phar
posix
Reflection
session
SimpleXML
soap
sockets
sodium
SPL
sqlite3
standard
tokenizer
xml
xmlreader
xmlwriter
xsl
zip
zlib

[Zend Modules]

Checking the cpu load and memory usage of DirectAdmin install as sysstat YUM package was installed as part of preparation stage.

cpu load

sar -q | sed -e "s|$(hostname)|hostname|"
Linux 3.10.0-957.21.3.el7.x86_64 (hostname)     07/17/2019      _x86_64_        (1 CPU)

05:10:00 PM       LINUX RESTART

05:20:01 PM   runq-sz  plist-sz   ldavg-1   ldavg-5  ldavg-15   blocked
05:30:01 PM         1        83      0.00      0.00      0.00         0
05:40:01 PM         1        83      0.00      0.00      0.00         0
05:50:01 PM         1        91      0.45      0.16      0.07         0
06:00:02 PM         2       116      1.81      1.57      0.85         0
06:10:02 PM         2       118      1.32      1.45      1.16         0
06:20:01 PM         3       113      1.12      1.39      1.31         0
06:30:02 PM         3       114      1.64      1.56      1.44         0
06:40:01 PM         3       114      1.16      1.44      1.46         0
06:50:02 PM         2       114      1.33      1.46      1.47         0
07:00:01 PM         2       114      1.84      1.62      1.54         0
07:10:01 PM         3       113      2.01      1.84      1.71         1
07:20:01 PM         3       128      1.94      1.77      1.71         0
07:30:01 PM         1       522      0.14      1.08      1.48         0
07:40:01 PM         2       523      0.00      0.15      0.78         0
07:50:01 PM         2       525      0.00      0.02      0.41         0
08:00:01 PM         5       527      0.00      0.01      0.22         0
08:10:01 PM         3       528      0.00      0.01      0.12         0
08:20:01 PM         1       527      0.09      0.07      0.10         0
08:30:01 PM         3       528      0.00      0.02      0.06         0
08:40:01 PM         2       525      0.00      0.01      0.05         0
08:50:01 PM         1       524      0.00      0.01      0.05         0
09:00:01 PM         3       527      0.00      0.01      0.05         0
Average:            2       298      0.68      0.71      0.73         0

memory usage

sar -r | sed -e "s|$(hostname)|hostname|" 
Linux 3.10.0-957.21.3.el7.x86_64 (hostname)     07/17/2019      _x86_64_        (1 CPU)

05:10:00 PM       LINUX RESTART

05:20:01 PM kbmemfree kbmemused  %memused kbbuffers  kbcached  kbcommit   %commit  kbactive   kbinact   kbdirty
05:30:01 PM    857528    157360     15.51     10060     66416    172372      3.31     49376     61324         0
05:40:01 PM    856412    158476     15.62     10124     67356    172372      3.31     49996     61700        16
05:50:01 PM    237420    777468     76.61     13492    582788    265880      5.10    347640    358336     44516
06:00:02 PM     84916    929972     91.63     17932    609740    889168     17.07    392288    443152      7624
06:10:02 PM     68800    946088     93.22      7652    518300   1002412     19.24    400396    443116      6988
06:20:01 PM    343964    670924     66.11     15040    308432    914316     17.55    192084    364012     11372
06:30:02 PM    686800    328088     32.33      7380    187656    889076     17.07     77984    184040      6244
06:40:01 PM     68984    945904     93.20     12516    599196   1052332     20.20    473912    370572      6380
06:50:02 PM    624964    389924     38.42      8748    193772    920440     17.67    109684    197288      6316
07:00:01 PM    201596    813292     80.14     10960    472432   1050972     20.18    393552    318388      8688
07:10:01 PM    381048    633840     62.45     12244    448196    892164     17.13    219448    317064      6560
07:20:01 PM     85520    929368     91.57     11608    726004    900956     17.30    380644    437972     11616
07:30:01 PM    340136    674752     66.49     57184    312992   3813832     73.21    274420    285892         0
07:40:01 PM    339664    675224     66.53     57336    313272   3813832     73.21    274568    286184         0
07:50:01 PM    299644    715244     70.48     58704    322676   3848780     73.88    307624    291068         0
08:00:01 PM    296944    717944     70.74     58940    322980   3852336     73.95    311300    289780        20
08:10:01 PM    292696    722192     71.16     59264    324164   3856300     74.03    313924    290564        60
08:20:01 PM    250300    764588     75.34     60464    366480   3853488     73.97    323220    323740       180
08:30:01 PM    244376    770512     75.92     61368    370316   3856012     74.02    325556    327132        76
08:40:01 PM    247284    767604     75.63     61968    370712   3849488     73.90    323016    327864         0
08:50:01 PM    246944    767944     75.67     62112    370760   3849488     73.90    323040    328040         0
09:00:01 PM    245516    769372     75.81     62268    370804   3852592     73.96    324256    328228         0
09:10:01 PM    246096    768792     75.75     62432    370952   3849488     73.90    323404    328448         0
Average:       328154    686734     67.67     34774    373756   2235569     42.92    283101    302778      5072

Verify DirectAdmin detected OS and environment to ensure CentOS 7 is detected

/usr/local/directadmin/directadmin o

Output

/usr/local/directadmin/directadmin o
Compiled on 'CentOS 7.0 64-Bit'
Compile time: Jul 12 2019 at 09:37:52
Timestamp: '1562945823'
Compiled with IPv6

Step 4. Post-Install DirectAdmin Tasks

Hide DirectAdmin Apache Version header by editing /etc/httpd/conf/extra/httpd-default.conf and to customise Apache default MPM Worker settings edit /etc/httpd/conf/extra/httpd-mpm.conf.

Current Apache defaults show ServerSignature is already set to Off (disabled) but ServerTokens should be changed from Major to Prod.

egrep '^ServerTokens|^ServerSignature' /etc/httpd/conf/extra/httpd-default.conf
ServerTokens Major
ServerSignature Off

Change via sed replacement

sed -i 's|^ServerTokens .*|ServerTokens Prod|' /etc/httpd/conf/extra/httpd-default.conf
sed -i 's|^ServerSignature .*|ServerSignature Off|' /etc/httpd/conf/extra/httpd-default.conf

Verify the changes

egrep '^ServerTokens|^ServerSignature' /etc/httpd/conf/extra/httpd-default.conf 
ServerTokens Prod
ServerSignature Off

Then ensure these changes don’t get overwritten by DirectAdmin

cd /usr/local/directadmin/custombuild/
mkdir -p custom/ap2/conf/extra/
cp -p /etc/httpd/conf/extra/httpd-default.conf /usr/local/directadmin/custombuild/custom/ap2/conf/extra/
cp -p /etc/httpd/conf/extra/httpd-mpm.conf /usr/local/directadmin/custombuild/custom/ap2/conf/extra/

Then test the modified Apache config files

httpd -t
Syntax OK

Then restart Apache service

service httpd restart

Then do a curl header check to ensure DirectAdmin Apache server only reports Server = Apache without any version identifiers.

curl -I localhost
HTTP/1.1 200 OK
Date: Thu, 25 Jul 2019 14:01:18 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Tue, 23 Jul 2019 13:32:29 GMT
ETag: "2c-58e593965e689"
Accept-Ranges: bytes
Content-Length: 44
Vary: User-Agent
Content-Type: text/html

Hide DirectAdmin HTTP Daemon Header for port 2222 non-logged in visitors as per instructions here.

By default HTTP header response for requests over DirectAdmin port 2222 return the full DirectAdmin version number and the full name of the person the DirectAdmin license belongs to:

Server: DirectAdmin Daemon v1.57.5 Registered to FULL NAME - FULL NAME - DirectAdmin License

However, you can disable the more verbose version by setting show_info_in_header=0 in /usr/local/directadmin/conf/directadmin.conf

echo 'show_info_in_header=0' >> /usr/local/directadmin/conf/directadmin.conf
service directadmin restart

Then HTTP Header would return a less verbose version

Server: DirectAdmin Daemon
DirectAdmin Apache server-status configuration

Setup Apache server-status and server-info configured for the server hostname you setup in Step 1 above via modifying Apache Include file /etc/httpd/conf/extra/httpd-info.conf – making sure to change YOUR_ISP_IP_ADDR to your ISP IP address or IP address you want to be able to view /server-status and /server-info statistics from and enable ExtendedStatus.

myisp_ip=YOUR_ISP_IP_ADDR
sed -i "s|Require host .*|Require host $(hostname -f)|g" /etc/httpd/conf/extra/httpd-info.conf
sed -i "s|Require ip .*|Require ip 127\n    Require ip $myisp_ip|g" /etc/httpd/conf/extra/httpd-info.conf
sed -i 's|^#ExtendedStatus On|ExtendedStatus On|' /etc/httpd/conf/extra/httpd-info.conf

Modified contents of /etc/httpd/conf/extra/httpd-info.conf

#
# Get information about the requests being processed by the server
# and the configuration of the server.
#
# Required modules: mod_authz_core, mod_authz_host,
#                   mod_info (for the server-info handler),
#                   mod_status (for the server-status handler)

#
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Change the ".example.com" to match your domain to enable.

<Location /server-status>
    SetHandler server-status
    Require host hostname.yourdomain.com
    Require ip 127
    Require ip YOUR_ISP_IP_ADDR
</Location>

#
# ExtendedStatus controls whether Apache will generate "full" status
# information (ExtendedStatus On) or just basic information (ExtendedStatus
# Off) when the "server-status" handler is called. The default is Off.
#
ExtendedStatus On

#
# Allow remote server configuration reports, with the URL of
#  http://servername/server-info (requires that mod_info.c be loaded).
# Change the ".example.com" to match your domain to enable.
#
<Location /server-info>
    SetHandler server-info
    Require host hostname.yourdomain.com
    Require ip 127
    Require ip YOUR_ISP_IP_ADDR
</Location>

Then restart Apache service

service httpd restart

Then accessing hostname.yourdomain.com/server-status or hostname.yourdomain.com/server-info from the specified YOUR_ISP_IP_ADDR IP address will allow you to see DirectAdmin’s Apache server status and server info pages.

For hostname.yourdomain.com/server-status

For hostname.yourdomain.com/server-info

Setup nightly update notification cronjob as outlined here.

Defaults in /usr/local/directadmin/custombuild/options.conf

#Cronjob Settings
cron=no
cron_frequency=weekly
email=email@domain.com
notifications=yes
da_autoupdate=no
updates=no
webapps_updates=yes

Change to below replacing email with your desired email addresss for notifications

#Cronjob Settings
cron=yes
cron_frequency=weekly
email=email@domain.com
notifications=yes
da_autoupdate=yes
updates=no
webapps_updates=yes

Then type:

./build cron
./build cron
Cronjob is set for MYEMAILADDRESS:
Cronjob frequency: weekly
Automatic notifications: yes
Automatic updates: no

Actual cronjob at /etc/cron.weekly/custombuild

#!/bin/sh
cd /usr/local/directadmin/custombuild
./build update >/dev/null 2>&1
AVAIL_UPDATES="`./build versions_nobold | grep -c -e 'update is available.'`"
if [ "${AVAIL_UPDATES}" -gt 0 ]; then
./build versions_nobold | grep 'update is available.' | mail -s "${AVAIL_UPDATES} updates available for `hostname`" MYEMAILADDRESS
./build update_da
./build update_webapps
fi
exit 0;

Then when you get email notification alerts for updates, run

cd /usr/local/directadmin/custombuild
./build update_versions

Optionally if you need to create alias redirects i.e. create a /mydir alias which redirects users to /var/www/html/directory as per instructions here.

cd /usr/local/directadmin/custombuild
mkdir -p custom
mkdir -p /var/www/html/mydirectory
echo "mydir=mydirectory" >> custom/webapps.list
./build rewrite_confs

Disable /~username access

cd /usr/local/directadmin/custombuild
./build set userdir_access no
./build rewrite_confs

If CustomBuild 2.0 isn’t installed you can install it first. Verify if CustomBuild 2.0 is installed by check build options and updates available:

cd /usr/local/directadmin/custombuild
./build options
./build versions

Build options output

./build options
Apache: 2.4.39
mod_ruid2: no
ModSecurity: no
htscanner: no
Dovecot: 2.3.7
Dovecot configuration: yes
AWstats: no
Exim: 4.92
exim.conf update: yes, release 4.5
BlockCracking: no
Easy Spam Fighter: no
SpamAssassin: no
ClamAV: no
MySQL: no
MySQL backup: yes
MySQL backup directory: /usr/local/directadmin/custombuild/mysql_backups
MySQL compress backups: no
PHP (default): 7.3 as php-fpm
PHP (additional): 7.2 as php-fpm
PHP (additional, 3rd): 5.6 as php-fpm
phpMyAdmin: 4.9.0.1-all-languages
ProFTPD: no
Pure-FTPd: 1.0.49
RoundCube webmail: 1.3.9
Replace "php.ini" with './build all' and './build php_ini': no
Auto updates/notifications: no
Run "clean" every time: yes
Run "clean_old_webapps" every time: yes
Run "clean_old_tarballs" every time: yes
Show texts in bold: yes
SquirrelMail: 1.4.23-20190509_0200
Zend Guard Loader: no
ionCube loader: no
Suhosin: no

Build versions output

./build versions
Latest version of DirectAdmin: 1.57.5
Installed version of DirectAdmin: 1.57.5

Latest version of Let's Encrypt client: 1.1.23
Installed version of Let's Encrypt client: 1.1.23

Latest version of Apache: 2.4.39
Installed version of Apache: 2.4.39

Latest version of Pure-FTPD: 1.0.49
Installed version of Pure-FTPd: 1.0.49

Latest version of libpng: 1.6.37
Installed version of libpng: 1.6.37

Latest version of libwebp: 1.0.2
Installed version of libwebp: 1.0.2

Latest version of nghttp2: 1.39.1
Installed version of nghttp2: 1.39.1

Latest version of libjpeg: 9c
Installed version of libjpeg: 9c

Latest version of ICU4C: 64.1
Installed version of ICU4C: 64.1

Latest version of libsodium: 1.0.17
Installed version of libsodium: 1.0.17

Latest version of libxml2: 2.9.8
Installed version of libxml2: 2.9.8

Latest version of libxslt: 1.1.32
Installed version of libxslt: 1.1.32

Latest version of iconv: 1.15
Installed version of iconv: 1.15

Latest version of PCRE: 8.43
Installed version of PCRE: 8.43

Latest version of PCRE2: 10.32
Installed version of PCRE2: 10.32

Latest version of FreeType: 2.10.1
Installed version of FreeType: 2.10.1

Latest version of dovecot: 2.3.7
Installed version of dovecot: 2.3.7

Latest version of dovecot.conf: 0.3
Installed version of dovecot.conf: 0.3

Latest version of Exim: 4.92
Installed version of Exim: 4.92

Latest version of exim.conf: 4.5.14
Installed version of exim.conf: 4.5.14

Latest version of PHP 5.6: 5.6.40
Installed version of PHP 5.6: 5.6.40

Latest version of PHP 7.2: 7.2.20
Installed version of PHP 7.2: 7.2.20

Latest version of PHP 7.3: 7.3.7
Installed version of PHP 7.3: 7.3.7

Latest version of RoundCube webmail: 1.3.9
Installed version of RoundCube webmail: 1.3.9

Latest version of phpMyAdmin: 4.9.0.1-all-languages
Installed version of phpMyAdmin: 4.9.0.1-all-languages

Latest version of SquirrelMail: 1.4.23-20190509_0200
Installed version of SquirrelMail: 1.4.23-20190509_0200

If you want to update all the available versions run: ./build update_versions

To install CustomBuild 2.0 if nothing or error is returned by build options/versions commands:

cd /usr/local/directadmin
wget -O custombuild.tar.gz http://files.directadmin.com/services/custombuild/2.0/custombuild.tar.gz
tar xvzf custombuild.tar.gz
cd custombuild
./build
./build all d

To see current build options set in options.conf:

cd /usr/local/directadmin/custombuild
./build options

To see what each options.conf setting is related to run:

cd /usr/local/directadmin/custombuild
./build opt_help full

To see what configuration files CustomBuild are using:

cd /usr/local/directadmin/custombuild
./build used_configs

Output for used_configs

./build used_configs
Apache configuration file: /usr/local/directadmin/custombuild/configure/ap2/configure.apache
PHP (default) php.ini file: /usr/local/php73/lib/php.ini
PHP (additional) php.ini file: /usr/local/php72/lib/php.ini
PHP (additional, 3rd) php.ini file: /usr/local/php56/lib/php.ini
PHP (default) configuration file: /usr/local/directadmin/custombuild/configure/fpm/configure.php73
PHP (additional) configuration file: /usr/local/directadmin/custombuild/configure/fpm/configure.php72
PHP (additional, 3rd) configuration file: /usr/local/directadmin/custombuild/configure/fpm/configure.php56
PureFTPD configuration file: /usr/local/directadmin/custombuild/configure/pureftpd/configure.pureftpd
Exim Makefile: http://files2.directadmin.com/services/custombuild/Makefile
Dovecot configuration file: /usr/local/directadmin/custombuild/configure/dovecot/configure.dovecot

If using EXT4 filesystem add use_xfs_quota=0 in /usr/local/directadmin/conf/directadmin.conf. Check if the setting already is populated via grep

grep 'use_xfs_quota' /usr/local/directadmin/conf/directadmin.conf
use_xfs_quota=0

Looks like DirectAdmin install process already setup this variable for us. If it returned empty, then you’d need to add this via command below.

echo 'use_xfs_quota=0' >> /usr/local/directadmin/conf/directadmin.conf

The BuyVM.net KVM VPS server I am using has EXT4 filesystem in place so this modification is needed

df -hT
Filesystem     Type      Size  Used Avail Use% Mounted on
/dev/vda1      ext4       19G  1.5G   17G   9% /
devtmpfs       devtmpfs  486M     0  486M   0% /dev
tmpfs          tmpfs     496M     0  496M   0% /dev/shm
tmpfs          tmpfs     496M   13M  483M   3% /run
tmpfs          tmpfs     496M     0  496M   0% /sys/fs/cgroup
tmpfs          tmpfs     100M     0  100M   0% /run/user/0

Installing AWStats via CustomBuild 2.0

cd /usr/local/directadmin/custombuild
./build set awstats yes
./build awstats

Installing Zend Opcache for better PHP performance via CustomBuild 2.0.

cd /usr/local/directadmin/custombuild
./build update
./build set opcache yes
./build opcache

Output from build opcache

./build opcache
opCache is now installed for PHP 7.3.
opCache is now installed for PHP 7.2.
opCache is now installed for PHP 5.6.
Restarting php-fpm73.
Restarting php-fpm72.
Restarting php-fpm56.

Verify Zend Opcache

php -v
PHP 7.3.7 (cli) (built: Jul 17 2019 18:33:55) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.7, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.3.7, Copyright (c) 1999-2018, by Zend Technologies
php --ri 'zend opcache'

Zend OPcache

Opcode Caching => Up and Running
Optimization => Enabled
SHM Cache => Enabled
File Cache => Disabled
Startup => OK
Shared memory model => mmap
Cache hits => 0
Cache misses => 0
Used memory => 8770936
Free memory => 125446792
Wasted memory => 0
Interned Strings Used memory => 450608
Interned Strings Free memory => 5840424
Cached scripts => 0
Cached keys => 0
Max keys => 7963
OOM restarts => 0
Hash keys restarts => 0
Manual restarts => 0

Directive => Local Value => Master Value
opcache.enable => On => On
opcache.use_cwd => On => On
opcache.validate_timestamps => On => On
opcache.validate_permission => On => On
opcache.validate_root => Off => Off
opcache.dups_fix => Off => Off
opcache.revalidate_path => On => On
opcache.log_verbosity_level => 1 => 1
opcache.memory_consumption => 128 => 128
opcache.interned_strings_buffer => 8 => 8
opcache.max_accelerated_files => 4000 => 4000
opcache.max_wasted_percentage => 5 => 5
opcache.consistency_checks => 0 => 0
opcache.force_restart_timeout => 180 => 180
opcache.revalidate_freq => 0 => 0
opcache.file_update_protection => 2 => 2
opcache.preferred_memory_model => no value => no value
opcache.blacklist_filename => no value => no value
opcache.max_file_size => 0 => 0
opcache.protect_memory => 0 => 0
opcache.save_comments => 1 => 1
opcache.optimization_level => 0x7FFEBFFF => 0x7FFEBFFF
opcache.opt_debug_level => 0 => 0
opcache.enable_file_override => On => On
opcache.enable_cli => On => On
opcache.error_log => no value => no value
opcache.restrict_api => no value => no value
opcache.lockfile_path => /tmp => /tmp
opcache.file_cache => no value => no value
opcache.file_cache_only => 0 => 0
opcache.file_cache_consistency_checks => 1 => 1
opcache.huge_code_pages => Off => Of

Installing Imagick via CustomBuild 2.0. DirectAdmin source compiles ImageMagick 7.x. From my experience with my optimise-images.sh script for batch image optimisation, ImageMagick 7.x is actually slower than ImageMagick 6.x for image conversions etc.

cd /usr/local/directadmin/custombuild
./build update
./build set imagick yes
./build imagick

Output

./build set imagick yes
Changed imagick option from no to yes

For ImagicK PHP extension

----------------------------------------------------------------------
Libraries have been installed in:
/usr/local/directadmin/custombuild/imagick-3.4.4/modules

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the `LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the `LD_RUN_PATH' environment variable
during linking
- use the `-Wl,--rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------

Build complete.
Don't forget to run 'make test'.

Make complete
Installing shared extensions: /usr/local/php56/lib/php/extensions/no-debug-non-zts-20131226/
Installing header files: /usr/local/php56/include/php/
find . -name \*.gcno -o -name \*.gcda | xargs rm -f
find . -name \*.lo -o -name \*.o | xargs rm -f
find . -name \*.la -o -name \*.a | xargs rm -f 
find . -name \*.so | xargs rm -f
find . -name .libs -a -type d|xargs rm -rf
rm -f libphp.la modules/* libs/*
Restarting php-fpm73.
Restarting php-fpm72.
Restarting php-fpm56.
imagick 3.4.4 PHP extension has been installed successfully.

Check ImagicK PHP extension info

php --ri imagick

imagick

imagick module => enabled
imagick module version => 3.4.4
imagick classes => Imagick, ImagickDraw, ImagickPixel, ImagickPixelIterator, ImagickKernel
Imagick compiled with ImageMagick version => ImageMagick 7.0.8-46 Q16 x86_64 2019-07-18 https://imagemagick.org
Imagick using ImageMagick library version => ImageMagick 7.0.8-46 Q16 x86_64 2019-07-18 https://imagemagick.org
ImageMagick copyright => © 1999-2019 ImageMagick Studio LLC
ImageMagick release date => 2019-07-18
ImageMagick number of supported formats: => 227
ImageMagick supported formats => 3FR, 3G2, 3GP, A, AAI, AI, ART, ARW, AVI, AVS, B, BGR, BGRA, BGRO, BMP, BMP2, BMP3, BRF, C, CAL, CALS, CANVAS, CAPTION, CIN, CIP, CLIP, CMYK, CMYKA, CR2, CRW, CUBE, CUR, CUT, DATA, DCM, DCR, DCRAW, DCX, DDS, DFONT, DNG, DPX, DXT1, DXT5, EPDF, EPI, EPS, EPS2, EPS3, EPSF, EPSI, ERF, FAX, FILE, FITS, FLV, FRACTAL, FTP, FTS, G, G3, G4, GIF, GIF87, GRADIENT, GRAY, GRAYA, HALD, HDR, HISTOGRAM, HRZ, HTM, HTML, HTTP, HTTPS, ICB, ICO, ICON, IIQ, INFO, INLINE, IPL, ISOBRL, ISOBRL6, JNG, JNX, JPE, JPEG, JPG, JPS, JSON, K, K25, KDC, LABEL, M, M2V, M4V, MAC, MAP, MASK, MAT, MATTE, MEF, MIFF, MKV, MNG, MONO, MOV, MP4, MPC, MPEG, MPG, MRW, MSL, MSVG, MTV, MVG, NEF, NRW, NULL, O, ORF, OTB, OTF, PAL, PALM, PAM, PANGO, PATTERN, PBM, PCD, PCDS, PCL, PCT, PCX, PDB, PDF, PDFA, PEF, PES, PFA, PFB, PFM, PGM, PGX, PICON, PICT, PIX, PJPEG, PLASMA, PNG, PNG00, PNG24, PNG32, PNG48, PNG64, PNG8, PNM, PPM, PS, PS2, PS3, PSB, PSD, PWP, R, RADIAL-GRADIENT, RAF, RAS, RAW, RGB, RGBA, RGBO, RGF, RLA, RLE, RMF, RW2, SCR, SCREENSHOT, SCT, SFW, SGI, SHTML, SIX, SIXEL, SPARSE-COLOR, SR2, SRF, STEGANO, SUN, SVG, SVGZ, TEXT, TGA, THUMBNAIL, TILE, TIM, TTC, TTF, TXT, UBRL, UBRL6, UIL, UYVY, VDA, VICAR, VID, VIFF, VIPS, VST, WBMP, WEBP, WMV, WPG, X3F, XBM, XC, XCF, XPM, XPS, XV, Y, YCbCr, YCbCrA, YUV

Directive => Local Value => Master Value
imagick.locale_fix => 0 => 0
imagick.skip_version_check => 0 => 0
imagick.progress_monitor => 0 => 0

Installing PHP Redis, GeoIP,  Memcached, Memcache extensions via Poralix directadmin-utils script – under /php directory from their article.

mkdir -p /root/tools/poralix
cd /root/tools/poralix
wget -4 https://raw.githubusercontent.com/poralix/directadmin-utils/master/php/php-extension.sh -O php-extension.sh
chmod 750 php-extension.sh
./php-extension.sh install redis
./php-extension.sh install geoip
./php-extension.sh install memcached
./php-extension.sh install memcache

For Redis PHP extension

./php-extension.sh install redis

----------------------------------------------------------------------
Libraries have been installed in:
/usr/local/src/tmp.d5XOaepCUZ/redis-5.0.1/modules

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the `LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the `LD_RUN_PATH' environment variable
during linking
- use the `-Wl,--rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------

Build complete.
Don't forget to run 'make test'.

Installing shared extensions: /usr/local/php73/lib/php/extensions/no-debug-non-zts-20180731/
[OK] Installation of redis for php73 completed!
[OK] Found redis.so. Enabling the extension in /usr/local/php73/lib/php.conf.d/90-custom.ini
redis
Redis Support => enabled
Redis Version => 5.0.1

Check Redis PHP extension info

php --ri redis

redis

Redis Support => enabled
Redis Version => 5.0.1
Available serializers => php, json

Directive => Local Value => Master Value
redis.arrays.algorithm => no value => no value
redis.arrays.auth => no value => no value
redis.arrays.autorehash => 0 => 0
redis.arrays.connecttimeout => 0 => 0
redis.arrays.distributor => no value => no value
redis.arrays.functions => no value => no value
redis.arrays.hosts => no value => no value
redis.arrays.index => 0 => 0
redis.arrays.lazyconnect => 0 => 0
redis.arrays.names => no value => no value
redis.arrays.pconnect => 0 => 0
redis.arrays.previous => no value => no value
redis.arrays.readtimeout => 0 => 0
redis.arrays.retryinterval => 0 => 0
redis.arrays.consistent => 0 => 0
redis.clusters.cache_slots => 0 => 0
redis.clusters.auth => no value => no value
redis.clusters.persistent => 0 => 0
redis.clusters.read_timeout => 0 => 0
redis.clusters.seeds => no value => no value
redis.clusters.timeout => 0 => 0
redis.pconnect.pooling_enabled => 1 => 1
redis.pconnect.connection_limit => 0 => 0
redis.session.locking_enabled => 0 => 0
redis.session.lock_expire => 0 => 0
redis.session.lock_retries => 10 => 10
redis.session.lock_wait_time => 2000 => 2000

For GeoIP PHP extension fails seems GeoIP 1.0.8 installed is too old for PHP 7.3 ?

./php-extension.sh install geoip

/usr/local/src/tmp.8TYhIfRHNY/geoip-1.0.8/geoip.c:583:2: error: 'RETURN_STRING' undeclared (first use in this function)
  RETURN_STRING((char*)timezone, 1);
  ^
make: *** [geoip.lo] Error 1
[ERROR] Installation of geoip for php73 failed
[ERROR] Could not find /usr/local/php73/lib/php/extensions/no-debug-non-zts-20180731/geoip.so. Removing extension from /usr/local/php73/lib/php.conf.d/10-directadmin.ini
[ERROR] Could not find /usr/local/php73/lib/php/extensions/no-debug-non-zts-20180731/geoip.so. Removing extension from /usr/local/php73/lib/php.conf.d/50-webapps.ini
[ERROR] Could not find /usr/local/php73/lib/php/extensions/no-debug-non-zts-20180731/geoip.so. Removing extension from /usr/local/php73/lib/php.conf.d/90-custom.ini

Update: was informed by script author that php-extension.sh can also install beta versions of PHP extensions too

cd /root/tools/poralix
./php-extension.sh install geoip --beta

Excerpt output for GeoIP beta PHP extension install

----------------------------------------------------------------------
Libraries have been installed in:
   /usr/local/src/tmp.Fad76oPvIV/geoip-1.1.1/modules

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,--rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------

Build complete.
Don't forget to run 'make test'.

Installing shared extensions:     /usr/local/php73/lib/php/extensions/no-debug-non-zts-20180731/
[OK] Installation of geoip for php73 completed!
[OK] Found geoip.so. Enabling the extension in /usr/local/php73/lib/php.conf.d/90-custom.ini
geoip
geoip support => enabled
geoip extension version => 1.1.1

php-extensions.sh installed GeoIP 1.1.1 from beta repository

php --ri geoip

geoip

geoip support => enabled
geoip extension version => 1.1.1
geoip library version => 1005000

Directive => Local Value => Master Value
geoip.custom_directory => no value => no value

On Centmin Mod LEMP stacks for PHP 7.3, I usually install GeoIP 1.1.2-dev builds. Example from Centmin Mod LEMP stack CentOS 7 install.

php --ri geoip

geoip

geoip support => enabled
geoip extension version => 1.1.2-dev
geoip library version => 1005000

Directive => Local Value => Master Value
geoip.custom_directory => /usr/share/GeoIP => /usr/share/GeoIP

For Memcached PHP extension

./php-extension.sh install memcached

----------------------------------------------------------------------
Libraries have been installed in:
   /usr/local/src/tmp.757g97rpzB/memcached-3.1.3/modules

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,--rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------

Build complete.
Don't forget to run 'make test'.

Installing shared extensions:     /usr/local/php73/lib/php/extensions/no-debug-non-zts-20180731/
[OK] Installation of memcached for php73 completed!
[OK] Found memcached.so. Enabling the extension in /usr/local/php73/lib/php.conf.d/90-custom.ini
memcached
memcached support => enabled
memcached.compression_factor => 1.3 => 1.3

Check Memcached PHP extension info

php --ri memcached

memcached

memcached support => enabled
Version => 3.1.3
libmemcached version => 1.0.16
SASL support => yes
Session support => yes
igbinary support => no
json support => no
msgpack support => no

Directive => Local Value => Master Value
memcached.sess_locking => On => On
memcached.sess_lock_wait_min => 150 => 150
memcached.sess_lock_wait_max => 150 => 150
memcached.sess_lock_retries => 5 => 5
memcached.sess_lock_expire => 0 => 0
memcached.sess_binary_protocol => Off => Off
memcached.sess_consistent_hash => On => On
memcached.sess_consistent_hash_type => ketama => ketama
memcached.sess_number_of_replicas => 0 => 0
memcached.sess_randomize_replica_read => Off => Off
memcached.sess_remove_failed_servers => Off => Off
memcached.sess_server_failure_limit => 0 => 0
memcached.sess_connect_timeout => 0 => 0
memcached.sess_sasl_username => no value => no value
memcached.sess_sasl_password => no value => no value
memcached.sess_persistent => Off => Off
memcached.sess_prefix => memc.sess.key. => memc.sess.key.
memcached.sess_lock_wait => not set => not set
memcached.sess_lock_max_wait => not set => not set
memcached.compression_type => fastlz => fastlz
memcached.compression_factor => 1.3 => 1.3
memcached.compression_threshold => 2000 => 2000
memcached.serializer => php => php
memcached.store_retry_count => 2 => 2
memcached.default_consistent_hash => Off => Off
memcached.default_binary_protocol => Off => Off
memcached.default_connect_timeout => 0 => 0

For Memcache PHP extension like GeoIP also failed for PHP 7 as it tries to install Memcache 2.2.7 which is very very old and doesn’t support PHP 7

./php-extension.sh install memcache

configure: creating ./config.status
config.status: creating config.h
/bin/sh /usr/local/src/tmp.syOuw7Zz4k/memcache-2.2.7/libtool --mode=compile cc -I/usr/local/php73/include/php -I. -I/usr/local/src/tmp.syOuw7Zz4k/memcache-2.2.7 -DPHP_ATOM_INC -I/usr/local/src/tmp.syOuw7Zz4k/memcache-2.2.7/include -I/usr/local/src/tmp.syOuw7Zz4k/memcache-2.2.7/main -I/usr/local/src/tmp.syOuw7Zz4k/memcache-2.2.7 -I/usr/local/php73/include/php -I/usr/local/php73/include/php/main -I/usr/local/php73/include/php/TSRM -I/usr/local/php73/include/php/Zend -I/usr/local/php73/include/php/ext -I/usr/local/php73/include/php/ext/date/lib  -DHAVE_CONFIG_H  -g -O2   -c /usr/local/src/tmp.syOuw7Zz4k/memcache-2.2.7/memcache.c -o memcache.lo 
mkdir .libs
 cc -I/usr/local/php73/include/php -I. -I/usr/local/src/tmp.syOuw7Zz4k/memcache-2.2.7 -DPHP_ATOM_INC -I/usr/local/src/tmp.syOuw7Zz4k/memcache-2.2.7/include -I/usr/local/src/tmp.syOuw7Zz4k/memcache-2.2.7/main -I/usr/local/src/tmp.syOuw7Zz4k/memcache-2.2.7 -I/usr/local/php73/include/php -I/usr/local/php73/include/php/main -I/usr/local/php73/include/php/TSRM -I/usr/local/php73/include/php/Zend -I/usr/local/php73/include/php/ext -I/usr/local/php73/include/php/ext/date/lib -DHAVE_CONFIG_H -g -O2 -c /usr/local/src/tmp.syOuw7Zz4k/memcache-2.2.7/memcache.c  -fPIC -DPIC -o .libs/memcache.o
/usr/local/src/tmp.syOuw7Zz4k/memcache-2.2.7/memcache.c:40:40: fatal error: ext/standard/php_smart_str.h: No such file or directory
 #include "ext/standard/php_smart_str.h"
                                        ^
compilation terminated.
make: *** [memcache.lo] Error 1
[ERROR] Installation of memcache for php73 failed
[ERROR] Could not find /usr/local/php73/lib/php/extensions/no-debug-non-zts-20180731/memcache.so. Removing extension from /usr/local/php73/lib/php.conf.d/10-directadmin.ini
[ERROR] Could not find /usr/local/php73/lib/php/extensions/no-debug-non-zts-20180731/memcache.so. Removing extension from /usr/local/php73/lib/php.conf.d/50-webapps.ini
[ERROR] Could not find /usr/local/php73/lib/php/extensions/no-debug-non-zts-20180731/memcache.so. Removing extension from /usr/local/php73/lib/php.conf.d/90-custom.ini

Tried beta install but fails too as tries to install Memcache 3.0.8 which doesn’t support PHP 7+

cd /root/tools/poralix
./php-extension.sh install memcache --beta

php-extension.sh install Memcache 3.0.8 beta failure errors

configure: creating ./config.status
config.status: creating config.h
/bin/sh /usr/local/src/tmp.3qxkvT80jB/memcache-3.0.8/libtool --mode=compile cc -I/usr/local/php73/include/php -I. -I/usr/local/src/tmp.3qxkvT80jB/memcache-3.0.8 -DPHP_ATOM_INC -I/usr/local/src/tmp.3qxkvT80jB/memcache-3.0.8/include -I/usr/local/src/tmp.3qxkvT80jB/memcache-3.0.8/main -I/usr/local/src/tmp.3qxkvT80jB/memcache-3.0.8 -I/usr/local/php73/include/php -I/usr/local/php73/include/php/main -I/usr/local/php73/include/php/TSRM -I/usr/local/php73/include/php/Zend -I/usr/local/php73/include/php/ext -I/usr/local/php73/include/php/ext/date/lib  -DHAVE_CONFIG_H  -g -O2   -c /usr/local/src/tmp.3qxkvT80jB/memcache-3.0.8/memcache.c -o memcache.lo 
mkdir .libs
 cc -I/usr/local/php73/include/php -I. -I/usr/local/src/tmp.3qxkvT80jB/memcache-3.0.8 -DPHP_ATOM_INC -I/usr/local/src/tmp.3qxkvT80jB/memcache-3.0.8/include -I/usr/local/src/tmp.3qxkvT80jB/memcache-3.0.8/main -I/usr/local/src/tmp.3qxkvT80jB/memcache-3.0.8 -I/usr/local/php73/include/php -I/usr/local/php73/include/php/main -I/usr/local/php73/include/php/TSRM -I/usr/local/php73/include/php/Zend -I/usr/local/php73/include/php/ext -I/usr/local/php73/include/php/ext/date/lib -DHAVE_CONFIG_H -g -O2 -c /usr/local/src/tmp.3qxkvT80jB/memcache-3.0.8/memcache.c  -fPIC -DPIC -o .libs/memcache.o
In file included from /usr/local/src/tmp.3qxkvT80jB/memcache-3.0.8/php_memcache.h:34:0,
                 from /usr/local/src/tmp.3qxkvT80jB/memcache-3.0.8/memcache.c:30:
/usr/local/src/tmp.3qxkvT80jB/memcache-3.0.8/memcache_pool.h:45:47: fatal error: ext/standard/php_smart_str_public.h: No such file or directory
 #include "ext/standard/php_smart_str_public.h"
                                               ^
compilation terminated.
make: *** [memcache.lo] Error 1
[ERROR] Installation of memcache for php73 failed
[ERROR] Could not find /usr/local/php73/lib/php/extensions/no-debug-non-zts-20180731/memcache.so. Removing extension from /usr/local/php73/lib/php.conf.d/10-directadmin.ini
[ERROR] Could not find /usr/local/php73/lib/php/extensions/no-debug-non-zts-20180731/memcache.so. Removing extension from /usr/local/php73/lib/php.conf.d/50-webapps.ini
[ERROR] Could not find /usr/local/php73/lib/php/extensions/no-debug-non-zts-20180731/memcache.so. Removing extension from /usr/local/php73/lib/php.conf.d/90-custom.ini

On Centmin Mod LEMP stacks for PHP 7+, I usually install Memcache 4.0.4 which supports PHP 7.3 fine. Example:

php --ri memcache

memcache

memcache support => enabled
Version => 4.0.4
Revision => $Revision$

Directive => Local Value => Master Value
memcache.allow_failover => 1 => 1
memcache.max_failover_attempts => 20 => 20
memcache.default_port => 11211 => 11211
memcache.chunk_size => 32768 => 32768
memcache.protocol => ascii => ascii
memcache.hash_strategy => consistent => consistent
memcache.hash_function => crc32 => crc32
memcache.redundancy => 1 => 1
memcache.session_redundancy => 2 => 2
memcache.compress_threshold => 20000 => 20000
memcache.lock_timeout => 15 => 15
memcache.session_prefix_host_key => 0 => 0
memcache.session_prefix_host_key_remove_www => 1 => 1
memcache.session_prefix_host_key_remove_subdomain => 0 => 0
memcache.session_prefix_static_key => no value => no value
memcache.session_save_path => no value => no value
memcache.prefix_host_key => 0 => 0
memcache.prefix_host_key_remove_www => 1 => 1
memcache.prefix_host_key_remove_subdomain => 0 => 0
memcache.prefix_static_key => no value => no value

Enabling pigz multi-threaded gzip compression as outlined here if you have 2 or more cpu threads. There is no point in enabling pigz support if you only have 1 cpu thread.

You can use below command to find out how many cpu threads you have for your server

grep -c "processor" /proc/cpuinfo

Then if the resulting output is a number 2 or more, you can enable pigz support in DirectAdmin

getcpus=$(grep -c "processor" /proc/cpuinfo)
sed -i "s|^pigz=.*|pigz=$getcpus|" /usr/local/directadmin/conf/directadmin.conf

Then run CustomBuild 2.0 to install pigz

cd /usr/local/directadmin/custombuild
./build update
./build pigz

If on VPS server, there are additional steps to properly register the ethernet NIC device name with DirectAdmin. Within /usr/local/directadmin/conf/directadmin.conf edit:

ethernet_dev=devicename

For example, on many vps systems it will be:

ethernet_dev=venet0:0

Other systems where the IP is not the base IP on the device, you’d need to simply set the correct number:

ethernet_dev=eth0:1

Or other systems with the IP on a different device, it might be:

ethernet_dev=eth1

To see what your server’s device name is, type:

/sbin/ifconfig

Replace devicename with the FULL devicename reported by ifconfig. If your VPS system emulates eth0, then you may skip this step.

The device name would be the one linked to your public IPv4 address. You can find your public IPv4 address usually with below curl command:

curl -4s https://ipinfo.io/ip

For BuyVM VPS device name is eth0 and seems to be already the default in Directadmin configuration

grep ethernet /usr/local/directadmin/conf/directadmin.conf 
ethernet_dev=eth0

If you need to later change the DirectAdmin hostname setup in Step 1, follow guide outlined here including updating your new hostname’s DNS records.

Further customisation of DirectAdmin setup can be made via editing settings in /usr/local/directadmin/conf/directadmin.conf.  This old guide lists some of the options available.

# change max username length from default to 10 to 16
# https://www.directadmin.com/features.php?id=189
# https://www.directadmin.com/features.php?id=2294
sed -i 's|^max_username_length=10|max_username_length=16|' /usr/local/directadmin/conf/directadmin.conf

After editing /usr/local/directadmin/conf/directadmin.conf, you need to restart DirectAdmin

cd /usr/local/directadmin
echo "action=directadmin&value=restart" >> /usr/local/directadmin/data/task.queue; /usr/local/directadmin/dataskq d2000

Verify that DirectAdmin is using the updated /usr/local/directadmin/conf/directadmin.conf settings. The command should return the values matching the parameters passed via egrep.

/usr/local/directadmin/directadmin c | egrep '^max_username_length=|^force_hostname=|^ssl_redirect_host=|^use_xfs_quota=|^pigz='

This is the default output before above changes

/usr/local/directadmin/directadmin c | egrep '^max_username_length=|^force_hostname=|^ssl_redirect_host=|^use_xfs_quota=|^pigz=' 
max_username_length=10
use_xfs_quota=0
ssl_redirect_host=
force_hostname=
pigz=0

Install and configure Linux Malware Detect (Maldet) on DirectAdmin as outlined here but first install ClamAV so that Maldet can use ClamAV’s scanning engine which allows you to speed up Maldet scans dramatically. Without ClamAV engine, Maldet scans will be very slow in comparison.

Install ClamAV using CustomBuild 2.0 with Exim ClamAV support,

cd /usr/local/directadmin/custombuild
./build update
./build set clamav yes
./build set clamav_exim yes
./build set exim yes
./build set eximconf yes
./build set eximconf_release 4.5
./build clamav
./build exim
./build exim_conf

Looks like build updates download files from plain text non-HTTPS locations

./build update
--2019-07-17 21:36:08-- http://files2.directadmin.com/services/custombuild/2.0/custombuild.tar.gz
Resolving files2.directadmin.com (files2.directadmin.com)... 208.167.226.3
Connecting to files2.directadmin.com (files2.directadmin.com)|208.167.226.3|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 226253 (221K) [application/x-gzip]
Saving to: './custombuild.tar.gz'

100%[================================================================================================================================================================================================================>] 226,253 491KB/s in 0.4s

2019-07-17 21:36:09 (491 KB/s) - './custombuild.tar.gz' saved [226253/226253]

Extracting custombuild.tar.gz...

Then

./build set clamav yes
Changed clamav option from no to yes

./build set clamav_exim yes
Changed clamav_exim option from yes to yes

./build set exim yes
Changed exim option from yes to yes

./build set eximconf yes
Changed eximconf option from yes to yes

./build set eximconf_release 4.5
Changed eximconf_release option from 4.5 to 4.5

Actual ClamAV build which is source compiled

./build clamav
Downloading             clamav-0.101.2.tar.gz...
--2019-07-17 21:40:03--  http://files2.directadmin.com/services/custombuild/clamav-0.101.2.tar.gz
Resolving files2.directadmin.com (files2.directadmin.com)... 208.167.226.3
Connecting to files2.directadmin.com (files2.directadmin.com)|208.167.226.3|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21722932 (21M) [application/x-gzip]
Saving to: '/usr/local/directadmin/custombuild/clamav-0.101.2.tar.gz'

100%[================================================================================================================================================================================================================>] 21,722,932  1.21MB/s   in 19s    

Enabling clamd in systemd...
Created symlink from /etc/systemd/system/multi-user.target.wants/clamd.service to /etc/systemd/system/clamd.service.
Enabling freshclam in systemd...
Created symlink from /etc/systemd/system/multi-user.target.wants/freshclam.service to /etc/systemd/system/freshclam.service.
Current working dir is /usr/local/share/clamav
ClamAV update process started at Wed Jul 17 21:44:33 2019
Using IPv6 aware code
Max retries == 3
Querying current.cvd.clamav.net
TTL: 153
Software version from DNS: 0.101.2
Retrieving http://database.clamav.net/main.cvd
Trying to download http://database.clamav.net/main.cvd (IP: 104.16.218.84)
Downloading main.cvd [100%]
Loading signatures from main.cvd
Properly loaded 4566249 signatures from new main.cvd
main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Querying main.58.102.1.0.6810DA54.ping.clamav.net
Can't query main.58.102.1.0.6810DA54.ping.clamav.net
Retrieving http://database.clamav.net/daily.cvd
Trying to download http://database.clamav.net/daily.cvd (IP: 104.16.218.84)
Downloading daily.cvd [100%]
Loading signatures from daily.cvd
Properly loaded 1659025 signatures from new daily.cvd
daily.cvd updated (version: 25513, sigs: 1659025, f-level: 63, builder: raynman)
Querying daily.25513.102.1.0.6810DA54.ping.clamav.net
Can't query daily.25513.102.1.0.6810DA54.ping.clamav.net
Retrieving http://database.clamav.net/bytecode.cvd
Trying to download http://database.clamav.net/bytecode.cvd (IP: 104.16.218.84)
Downloading bytecode.cvd [100%]
Loading signatures from bytecode.cvd
Properly loaded 94 signatures from new bytecode.cvd
bytecode.cvd updated (version: 330, sigs: 94, f-level: 63, builder: neo)
Querying bytecode.330.102.1.0.6810DA54.ping.clamav.net
Can't query bytecode.330.102.1.0.6810DA54.ping.clamav.net
Database updated (6225368 signatures) from database.clamav.net (IP: 104.16.218.84)
Restarting freshclam.
Restarting clamd.
Restarting exim.
Done ClamAV.

Actual Exim build

./build exim

>>> exim binary built

make[1]: Leaving directory `/usr/local/directadmin/custombuild/exim-4.92/build-Linux-x86_64'

Installation directory is /usr/sbin

cp exim /usr/sbin/exim-4.92-5
/bin/chown root /usr/sbin/exim-4.92-5
chmod a+x /usr/sbin/exim-4.92-5
chmod u+s /usr/sbin/exim-4.92-5
creation of symlink omitted
(NO_SYMLINK is specified in Local/Makefile)
cp /usr/sbin/exim_dumpdb /usr/sbin/exim_dumpdb.O
cp exim_dumpdb /usr/sbin
cp /usr/sbin/exim_fixdb /usr/sbin/exim_fixdb.O
cp exim_fixdb /usr/sbin
cp /usr/sbin/exim_tidydb /usr/sbin/exim_tidydb.O
cp exim_tidydb /usr/sbin
cp /usr/sbin/exinext /usr/sbin/exinext.O
cp exinext /usr/sbin
cp /usr/sbin/exiwhat /usr/sbin/exiwhat.O
cp exiwhat /usr/sbin
cp /usr/sbin/exim_dbmbuild /usr/sbin/exim_dbmbuild.O
cp exim_dbmbuild /usr/sbin
cp /usr/sbin/exicyclog /usr/sbin/exicyclog.O
cp exicyclog /usr/sbin
cp /usr/sbin/exigrep /usr/sbin/exigrep.O
cp exigrep /usr/sbin
cp /usr/sbin/eximstats /usr/sbin/eximstats.O
cp eximstats /usr/sbin
cp /usr/sbin/exipick /usr/sbin/exipick.O
cp exipick /usr/sbin
cp /usr/sbin/exiqgrep /usr/sbin/exiqgrep.O
cp exiqgrep /usr/sbin
cp /usr/sbin/exiqsumm /usr/sbin/exiqsumm.O
cp exiqsumm /usr/sbin
cp /usr/sbin/exim_lock /usr/sbin/exim_lock.O
cp exim_lock /usr/sbin
cp /usr/sbin/exim_checkaccess /usr/sbin/exim_checkaccess.O
cp exim_checkaccess /usr/sbin

Configuration file /etc/exim.conf already exists

Exim installation complete
Moving exim binary.
Enabling exim in systemd...
Exim 4.92 Installed.
Restarting exim.

Actual Exim Conf build

./build exim_conf

--2019-07-17 21:51:12-- http://files2.directadmin.com/services/SpamBlocker/4.5.14/exim.conf-SpamBlockerTechnology-v4.5.14.txt
Resolving files2.directadmin.com (files2.directadmin.com)... 208.167.226.3
Connecting to files2.directadmin.com (files2.directadmin.com)|208.167.226.3|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 32137 (31K) [text/plain]
Saving to: '/etc/exim.conf.cb20'

100%[================================================================================================================================================================================================================>] 32,137 --.-K/s in 0.1s

2019-07-17 21:51:13 (245 KB/s) - '/etc/exim.conf.cb20' saved [32137/32137]

--2019-07-17 21:51:13-- http://files2.directadmin.com/services/custombuild/system_filter.exim
Resolving files2.directadmin.com (files2.directadmin.com)... 208.167.226.3
Connecting to files2.directadmin.com (files2.directadmin.com)|208.167.226.3|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10489 (10K)
Saving to: '/etc/system_filter.exim'

100%[================================================================================================================================================================================================================>] 10,489 --.-K/s in 0s

2019-07-17 21:51:13 (119 MB/s) - '/etc/system_filter.exim' saved [10489/10489]

--2019-07-17 21:51:13-- http://files2.directadmin.com/services/SpamBlocker/4.5.14/exim.strings.conf
Resolving files2.directadmin.com (files2.directadmin.com)... 208.167.226.3
Connecting to files2.directadmin.com (files2.directadmin.com)|208.167.226.3|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2076 (2.0K) [text/plain]
Saving to: '/etc/exim.strings.conf.cb20'

100%[================================================================================================================================================================================================================>] 2,076 --.-K/s in 0s

2019-07-17 21:51:13 (123 MB/s) - '/etc/exim.strings.conf.cb20' saved [2076/2076]

--2019-07-17 21:51:13-- http://files2.directadmin.com/services/SpamBlocker/4.5.14/exim.variables.conf.default
Resolving files2.directadmin.com (files2.directadmin.com)... 208.167.226.3
Connecting to files2.directadmin.com (files2.directadmin.com)|208.167.226.3|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 924 [text/plain]
Saving to: '/etc/exim.variables.conf.cb20'

100%[================================================================================================================================================================================================================>] 924 --.-K/s in 0s

2019-07-17 21:51:13 (148 MB/s) - '/etc/exim.variables.conf.cb20' saved [924/924]

--2019-07-17 21:51:14-- http://files2.directadmin.com/services/exim.pl.24
Resolving files2.directadmin.com (files2.directadmin.com)... 208.167.226.3
Connecting to files2.directadmin.com (files2.directadmin.com)|208.167.226.3|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17716 (17K)
Saving to: '/etc/exim.pl.cb20'

100%[================================================================================================================================================================================================================>] 17,716 --.-K/s in 0.06s

2019-07-17 21:51:14 (276 KB/s) - '/etc/exim.pl.cb20' saved [17716/17716]

Restarting exim.

Then install Maldet

cd /usr/local/src
wget -4 http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -zxvf maldetect-current.tar.gz
cd $(ls -1d maldetect-*/ | tail -1)
./install.sh

Install output

./install.sh
Created symlink from /etc/systemd/system/multi-user.target.wants/maldet.service to /usr/lib/systemd/system/maldet.service.
Linux Malware Detect v1.6.4
(C) 2002-2019, R-fx Networks <proj@r-fx.org>
(C) 2019, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(1291): {sigup} performing signature update check...
maldet(1291): {sigup} local signature set is version 201907043616
maldet(1291): {sigup} new signature set 2019071622063 available
maldet(1291): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(1291): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(1291): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(1291): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(1291): {sigup} verified md5sum of maldet-clean.tgz
maldet(1291): {sigup} unpacked and installed maldet-clean.tgz
maldet(1291): {sigup} signature set update completed
maldet(1291): {sigup} 15542 signatures (12730 MD5 | 2035 HEX | 777 YARA | 0 USER)

Edit Maldet config file at /usr/local/maldetect/conf.maldet and set scan_clamscan=”1″ to enable ClamAV scanner if it isn’t already set to 1

# If installed, use ClamAV clamscan binary as default scan engine which
# provides improved scan performance on large file sets. The clamscan
# engine is used in conjunction with native ClamAV signatures updated
# through freshclam along with LMD signatures providing additional
# detection capabilities.
# [ 0 = disabled, 1 = enabled ]
scan_clamscan="1"

Add support for Malware.Expert definitions

echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.ndb" >> /etc/freshclam.conf
echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.hdb" >> /etc/freshclam.conf
echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.ldb" >> /etc/freshclam.conf
echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.fp" >> /etc/freshclam.conf
service freshclam restart
ls -la /usr/local/share/clamav/malware.expert.* /var/lib/clamav/malware.expert.*

resulting databases are in directory at /usr/local/share/clamav/

ls -la /usr/local/share/clamav/malware.expert.* /var/lib/clamav/malware.expert.*
ls: cannot access /var/lib/clamav/malware.expert.*: No such file or directory
-rw-r--r-- 1 clamav clamav   2744 Jul 17 21:57 /usr/local/share/clamav/malware.expert.fp
-rw-r--r-- 1 clamav clamav  29852 Jul 17 21:57 /usr/local/share/clamav/malware.expert.hdb
-rw-r--r-- 1 clamav clamav  20550 Jul 17 21:57 /usr/local/share/clamav/malware.expert.ldb
-rw-r--r-- 1 clamav clamav 134358 Jul 17 21:57 /usr/local/share/clamav/malware.expert.ndb

Malware.Expert outlines what those databases contain:

Pay attention to malware.expert.ndb database it may contain false positive alert/alarms due to normal PHP code having legit use for specific PHP patterns i.e. eval/base64 so you will need to bare that in mind and inspect manually the files it reports as malware.

Example scan with extended ClamAV signature databases

time freshclam
time clamscan -ri /home
time clamscan -ri /var/www

freshclam

time freshclam
ClamAV update process started at Wed Jul 17 21:59:02 2019
malware.expert.ndb is up to date (version: custom database)
malware.expert.hdb is up to date (version: custom database)
malware.expert.ldb is up to date (version: custom database)
malware.expert.fp is up to date (version: custom database)
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
daily.cvd is up to date (version: 25513, sigs: 1659025, f-level: 63, builder: raynman)
bytecode.cvd is up to date (version: 330, sigs: 94, f-level: 63, builder: neo)

real    0m0.182s
user    0m0.015s
sys     0m0.015s

clamscan

time clamscan -ri /home

----------- SCAN SUMMARY -----------
Known viruses: 6232930
Engine version: 0.101.2
Scanned directories: 18
Scanned files: 14
Infected files: 0
Data scanned: 0.01 MB
Data read: 0.01 MB (ratio 1.00:1)
Time: 90.304 sec (1 m 30 s)

real 1m30.332s
user 1m11.138s
sys 0m1.705s
time clamscan -ri /var/www

----------- SCAN SUMMARY -----------
Known viruses: 6232930
Engine version: 0.101.2
Scanned directories: 1117
Scanned files: 8708
Infected files: 0
Data scanned: 155.67 MB
Data read: 85.73 MB (ratio 1.82:1)
Time: 267.519 sec (4 m 27 s)

real    4m27.539s
user    3m38.392s
sys     0m9.880s

Then manually can run maldet on public web root directories of which there are currently none that exist on fresh DirectAdmin installation

time maldet -a /home?/?/domains/?/public_html

output

time maldet -a /home?/?/domains/?/public_html
Linux Malware Detect v1.6.4
(C) 2002-2019, R-fx Networks <proj@rfxn.com>
(C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(2102): {scan} signatures loaded: 15542 (12730 MD5 | 2035 HEX | 777 YARA | 0 USER)
maldet(2102): {scan} building file list for /home?/?/domains/?/public_html, this might take awhile...
maldet(2102): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(2102): {scan} scan returned empty file list; check that path exists and contains files in scope of configuration.

real 1m25.958s
user 0m0.235s
sys 0m0.119s

or add -b flag to run in background

maldet -b -a /home?/?/domains/?/public_html

Step 5. DirectAdmin HTTPS / SSL Configuration

Next step is to setup HTTPS and SSL certificate to access DirectAdmin control panel over port 2222 and is from DirectAdmin documentation and requires that you have a working DNS A record for the hostname for your DirectAdmin server which you setup in in Step 1. This is because Letsencrypt SSL certificate domain validation needs for you to verify your intended domain name you want to issue a free Letsencrypt SSL certificate for.

By default looks like DirectAdmin’s Letsencrypt script defaults to generating RSA 4096bit SSL certificates. While more secure than RSA 2048bit SSL certificates, using RSA 4096bit SSL certs on Apache/Nginx site will severely tank web server performance under HTTPS compared to RSA 2048bit or better performing ECC 256bit (ECDSA) SSL certificates !

grep -in 4096 /usr/local/directadmin/scripts/letsencrypt.sh 
29: DEFAULT_KEY_SIZE=4096
214:if [ ${KEY_SIZE} -ne 2048 ] && [ ${KEY_SIZE} -ne 4096 ]; then
215: echo "Wrong key size. It must be 2048 or 4096. Exiting..."

Letsencrypt steps:

  1. First, enable Letsencrypt on your system
  2. Then setup the LetsEncrypt certificate for your hostname.

Enabling Letsencrypt on DirectAdmin

  1. Verify if SNI and Letsencrypt are already enabled and set to 1, if not follow the addition steps to enable. The egrep command will report values 1 if enabled.
    egrep 'enable_ssl_sni=|letsencrypt=' /usr/local/directadmin/conf/directadmin.conf

    this BuyVM installation shows that Letsencrypt is already enabled and there’s no enable_ssl_sni option set

    egrep 'enable_ssl_sni=|letsencrypt=' /usr/local/directadmin/conf/directadmin.conf
    letsencrypt=1
  2. Enable and allow SNI.
    sed -i 's|enable_ssl_sni=.*|enable_ssl_sni=1|' /usr/local/directadmin/conf/directadmin.conf
  3. Enable the letsencrypt=1 option in the /usr/local/directadmin/conf/directadmin.conf if not set. Can skip this for this BuyVM install:
    sed -i 's|letsencrypt=.*|letsencrypt=1|' /usr/local/directadmin/conf/directadmin.conf
  4. Restart DirectAdmin:
    echo "action=directadmin&value=restart" >> /usr/local/directadmin/data/task.queue; /usr/local/directadmin/dataskq d2000
  5. Add the /.well-known Alias if Letsencrypt wasn’t already enabled:
    cd /usr/local/directadmin/custombuild
    ./build rewrite_confs
  6. Install the most recent version of the script if Letsencrypt wasn’t already enabled:
    cd /usr/local/directadmin/custombuild
    ./build update
    ./build letsencrypt

Once enabled, users should then be able to see the LetsEncrypt option in their ‘Enhanced’ skin via User Level -> SSL Certificates or when you add a new domain setup and see Secure SSL check box.

Now that Letsencrypt support is enabled in DirectAdmin, you can setup a free Letsencrypt SSL certificate and HTTPS access point for your DirectAdmin control panel’s configured hostname (from Step 1 above) over port 2222 as outlined here. Replace your.hostname.com with your setup hostname from Step 1 above and should be same hostname used to answer the initial DirectAdmin setup.sh script’s hostname prompt which will also populate the servername option in /usr/local/directadmin/conf/directadmin.conf.

To verify servername value in /usr/local/directadmin/conf/directadmin.conf

grep -w 'servername' /usr/local/directadmin/conf/directadmin.conf

Then to run letsencrypt.sh script to obtain a free Letsencrypt SSL certificate. Replace hostname.yourdomain.com with your setup hostname from Step 1 above. Using RSA 4096bit SSL for DirectAdmin control panel should be fine, though you’d want RSA 2048bit for normal web site SSL certificates for better HTTPS performance.

cd /usr/local/directadmin/scripts
dahostname=hostname.yourdomain.com
./letsencrypt.sh request_single $dahostname 4096

The command will also install the new cert/key/ca files in all respective global places for Apache, Dovecot, Exim, ftp, and DirectAdmin.

dahostname=hostname.yourdomain.com
./letsencrypt.sh request_single $dahostname 4096
Setting up certificate for a hostname: hostname.yourdomain.com
Generating 4096 bit RSA key for let's encrypt account...
openssl genrsa 4096 > "/usr/local/directadmin/conf/letsencrypt.key"
Generating RSA private key, 4096 bit long modulus
.................................++
............................................................................................................................................................++
e is 65537 (0x10001)
Account has been registered.
Requesting new certificate order...
Processing authorization for hostname.yourdomain.com...
Waiting for domain verification...
Challenge is valid.
Challenge is valid.
Generating 4096 bit RSA key for hostname.yourdomain.com...
openssl genrsa 4096 > "/usr/local/directadmin/conf/cakey.pem.new"
Generating RSA private key, 4096 bit long modulus
..................................++
........................................++
e is 65537 (0x10001)
Checking Certificate Private key match... Match!
DirectAdmin certificate has been setup.
Setting up cert for Exim...
Setting up cert for WWW server...
Setting up cert for FTP server...
The services will be restarted in about 1 minute via the dataskq.
Certificate for hostname.yourdomain.com has been created successfully!

Next step is to then turn on SSL in DA and tell DA to use the carootcert, as well as force the hostname for SSL – again replace hostname.yourdomain.com with your setup hostname from Step 1 above. Note since DirectAdmin 1.58 RC releases, SSL=1 has been replaced with ssl=1.:

cd /usr/local/directadmin/conf
dahostname=hostname.yourdomain.com
# check directadmin.conf before changes
egrep '^SSL=|^carootcert=|^force_hostname=|^ssl_redirect_host=' directadmin.conf
perl -pi -e 's/SSL=0/ssl=1/' directadmin.conf
perl -pi -e 's/ssl=0/ssl=1/' directadmin.conf
echo "carootcert=/usr/local/directadmin/conf/carootcert.pem" >> directadmin.conf

# force hostname when using HTTPS
# https://www.directadmin.com/features.php?id=917
echo "force_hostname=$dahostname" >> directadmin.conf

# force hostname when using HTTPS # https://www.directadmin.com/features.php?id=917 
echo "ssl_redirect_host=$dahostname" >> directadmin.conf
service directadmin restart

Checking directadmin.conf before changes

egrep -i '^SSL=|^carootcert=|^force_hostname=|^ssl_redirect_host=' /usr/local/directadmin/conf/directadmin.conf
ssl=0

Checking directadmin.conf after changes

egrep -i '^SSL=|^carootcert=|^force_hostname=|^ssl_redirect_host=' /usr/local/directadmin/conf/directadmin.conf
ssl=1
carootcert=/usr/local/directadmin/conf/carootcert.pem
force_hostname=hostname.yourdomain.com
ssl_redirect_host=hostname.yourdomain.com

You can also verify DirectAdmin’s Letsencrypt option settings via command

/usr/local/directadmin/directadmin c | grep letsencrypt

Output shows renewal for Letsencrypt SSL certificates happens at 60 day mark with renewal failure notifications after 5 attempts and the Letsencrypt SSL certificates covers the hostname as well as letsencrypt_list entries for www, mail, ftp, pop and smtp.

/usr/local/directadmin/directadmin c | grep letsencrypt
letsencrypt=1
letsencrypt_renewal_days=60
letsencrypt_renewal_failure_notice_after_attempt=5
letsencrypt_disable_renew_after_renew_failure=0
letsencrypt_max_requests_per_week=100
letsencrypt_multidomain_cert=2
letsencrypt_renewal_success_notice=0
letsencrypt_renewal_notice_to_admins=1
letsencrypt_renewal_error_to_users=1
renew_letsencrypt_on_suspended_domain=0
letsencrypt_account_email=0
letsencrypt_list=www:mail:ftp:pop:smtp
letsencrypt_list_selected=www

Step 6. Access DirectAdmin Control Panel

DirectAdmin can be accessed at either:

  • http://server.ip.address:2222 — use the Admin username/password specified in the /usr/local/directadmin/scripts/setup.txt file in your scripts directory.
  • or  if using HTTPS/SSL at https://server.ip.address:2222 — use the Admin username/password specified in the /usr/local/directadmin/scripts/setup.txt file in your scripts directory.

Step 7. Switching DirectAdmin From Firewalld To CSF Firewall

CentOS 7 uses Firewalld wrapper to IPTables, however I prefer using CSF Firewall so the following steps are required to switch DirectAdmin over from Firewalld to using CSF Firewall. Also read further below for instructions on installing IPSET to allow handling large sets of blocked IP addresses if your server’s Linux Kernel supports IPSET.

There seems to be 2 ways of installing CSF Firewall

  1. Via http://files.directadmin.com/services/all/csf/csf_install.sh
  2. Via Poralix’s csf-bfm-install.sh installer

However, none of the scripts properly address CentOS 7’s default Firewalld usage which needs to be disable and for iptables-service YUM package to be installed via commands below. It is mentioned though in Poralix’s original article. It is how I have configured Centmin Mod’s CSF Firewall implementation ever since CentOS 7 was released. CSF Firewall is basically a wrapper to interface with IPTables.

systemctl disable firewalld
systemctl stop firewalld
yum -y install iptables-services
systemctl start iptables
systemctl start ip6tables
systemctl enable iptables
systemctl enable ip6tables

The CSF Firewall installation instructions which is also based off of Poralix’s csf-bfm-install.sh script as well:

wget -4 http://files.directadmin.com/services/all/csf/csf_install.sh
/bin/sh ./csf_install.sh

Alternatively, another method of installing CSF Firewall is via Poralix’s script in their Github repository to allow you to install CSF Firewall and also configure DirectAdmin Brute Force Monitor (BFM) to work with CSF Firewall. This script seems more extensive and thorough.

To install CSF Firewall with BFM support run the csf-bfm-install.sh script

mkdir -p /root/tools/poralix
cd /root/tools/poralix
wget -4 -O csf-bfm-install.sh https://raw.githubusercontent.com/poralix/directadmin-bfm-csf/master/install.sh
chmod 700 csf-bfm-install.sh
./csf-bfm-install.sh

To upgrade using Poralix’s script:

mkdir -p /root/tools/poralix
cd /root/tools/poralix
wget -4 -O csf-bfm-update.sh https://raw.githubusercontent.com/poralix/directadmin-bfm-csf/master/update.sh
chmod 700 csf-bfm-update.sh
./csf-bfm-update.sh

Example of csf-bfm-install.sh run output

./csf-bfm-install.sh
[NOTICE] CSF/LFD was not found on your server! Going to install it...
[OK] CSF/LFD check passed, going further with installation...

Selecting installer...

Running csf DirectAdmin installer

Installing csf and lfd

Check we're running as root

mkdir: created directory ‘/etc/csf’
‘install.txt’ -> ‘/etc/csf/install.txt’
Checking Perl modules...
Using configuration defaults
...Perl modules OK

And looks like testing mode is enabled in CSF so one extra manual step to do yourself.

‘/etc/csf/csf.conf’ -> ‘/var/lib/csf/backup/1563443139_pre_v13_03_upgrade’

*** USE_CONNTRACK Enabled

*** IPV6 Enabled

TCP ports currently listening for incoming connections:
21,22,25,53,110,111,143,465,587,993,995,3306

UDP ports currently listening for incoming connections:
53,68,111,679

Note: The port details above are for information only, csf hasn't been auto-configured.

Don't forget to:
1. Configure the following options in the csf configuration to suite your server: TCP_*, UDP_*
2. Restart csf and lfd
3. Set TESTING to 0 once you're happy with the firewall, lfd will not run until you do so

Adding current SSH session IP address to the csf whitelist in csf.allow:
Adding MYIP to csf.allow only while in TESTING mode (not iptables ACCEPT)
*WARNING* TESTING mode is enabled - do not forget to disable it in the configuration

Final output segment

Installation Completed

[OK] Updating a list of trusted binaries in /etc/csf/csf.pignore
cmd:spamd child
exe:/bin/dbus-daemon
exe:/lib/systemd/systemd-resolved
exe:/lib/systemd/systemd-timesyncd
exe:/sbin/ntpd
exe:/usr/bin/curl
exe:/usr/bin/dbus-daemon
exe:/usr/bin/dbus-daemon-1
exe:/usr/bin/fetchmail
exe:/usr/bin/freshclam
exe:/usr/bin/gzip
exe:/usr/bin/lsmd
exe:/usr/bin/ncftpput
exe:/usr/bin/python3.6
exe:/usr/bin/redis-server
exe:/usr/bin/tar
exe:/usr/bin/top
exe:/usr/bin/wget
exe:/usr/libexec/dovecot/anvil
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/imap-login
exe:/usr/libexec/dovecot/lmtp
exe:/usr/libexec/dovecot/managesieve
exe:/usr/libexec/dovecot/managesieve-login
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/dovecot/stats
exe:/usr/libexec/gam_server
exe:/usr/libexec/hald-addon-acpi
exe:/usr/libexec/hald-addon-keyboard
exe:/usr/libexec/openssh/sftp-server
exe:/usr/lib/polkit-1/polkitd
exe:/usr/local/bin/clamd
exe:/usr/local/bin/freshclam
exe:/usr/local/bin/pureftpd_uploadscan.sh
exe:/usr/local/directadmin/dataskq
exe:/usr/local/directadmin/directadmin
exe:/usr/local/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/imap-login
exe:/usr/local/libexec/dovecot/pop3
exe:/usr/local/libexec/dovecot/pop3-login
exe:/usr/local/libexec/dovecot/stats
exe:/usr/local/mysql-5.1.54-linux-x86_64/bin/mysqld
exe:/usr/local/sbin/nginx
exe:/usr/local/varnish/sbin/varnishd
exe:/usr/sbin/apache2
exe:/usr/sbin/chronyd
exe:/usr/sbin/exim
exe:/usr/sbin/hald
exe:/usr/sbin/httpd
exe:/usr/sbin/mysqld
exe:/usr/sbin/mysqld_safe
exe:/usr/sbin/named
exe:/usr/sbin/nginx
exe:/usr/sbin/nscd
exe:/usr/sbin/ntpd
exe:/usr/sbin/proftpd
exe:/usr/sbin/pure-ftpd
exe:/usr/sbin/rpcbind
exe:/usr/sbin/sshd
exe:/usr/sbin/varnishd
pcmd:/usr/bin/perl -T -w /usr/bin/sa-learn.*
pexe:/usr/local/mariadb-..-linux-x86_64/bin/mysqld
pexe:/usr/local/mysql-..-linux-x86_64/bin/mysqld
pexe:/usr/local/php../bin/php..
pexe:/usr/local/php../bin/php-cgi..
pexe:/usr/local/php../bin/php_uploadscan.sh
pexe:/usr/local/php../sbin/php-fpm..
user:munin
user:mysql
[NOTICE] CSF/LFD was installed! Configuration file can be found under /etc/csf/csf.conf

[OK] Installing block_ip.sh into /usr/local/directadmin/scripts/custom/
[OK] Installing unblock_ip.sh into /usr/local/directadmin/scripts/custom/
[OK] Installing show_blocked_ips.sh into /usr/local/directadmin/scripts/custom/
[OK] Installing brute_force_notice_ip.sh into /usr/local/directadmin/scripts/custom/
[OK] Disabling emails from CSF/LFD about temporary blocks of an IP brute-forcing server
[OK] Disabling emails from CSF/LFD about temporary blocks of an IP attacking Apache
[OK] Disabling email from CSF/LFD about permament blocks of an IP
[OK] Disabling CSF/LFD from scanning logs, Directadmin will do it instead
[OK] Opening passive ports for FTP incoming connections
[OK] Opening passive ports for outgoing connections
[OK] Enabling CSF/LFD

[IMPORTANT] Your SSH PORT is 22, it should be listed below as allowed

[OK] A list of opened ports in firewall
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2222,35000:35999"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,2222,35000:65535"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"
TCP6_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2222,35000:35999"
TCP6_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,2222,35000:65535"
UDP6_IN = "20,21,53"
UDP6_OUT = "20,21,53,113,123"

[OK] Setting bruteforce to 1 in /usr/local/directadmin/conf/directadmin.conf
bruteforce=1
[OK] Setting brute_force_log_scanner to 1 in /usr/local/directadmin/conf/directadmin.conf
[OK] Setting brute_force_scan_apache_logs to 2 in /usr/local/directadmin/conf/directadmin.conf
brute_force_scan_apache_logs=2
[OK] Setting brute_force_time_limit to 1200 in /usr/local/directadmin/conf/directadmin.conf
brute_force_time_limit=1200
[OK] Setting clear_brute_log_time to 48 in /usr/local/directadmin/conf/directadmin.conf
clear_brute_log_time=48
[OK] Setting hide_brute_force_notifications to 1 in /usr/local/directadmin/conf/directadmin.conf
hide_brute_force_notifications=1
[OK] Setting ip_brutecount to 30 in /usr/local/directadmin/conf/directadmin.conf
ip_brutecount=30
[OK] Setting unblock_brute_ip_time to 2880 in /usr/local/directadmin/conf/directadmin.conf
unblock_brute_ip_time=2880
[OK] Setting user_brutecount to 30 in /usr/local/directadmin/conf/directadmin.conf
user_brutecount=30
[OK] Scripts installed!

[INFO] Installed settings in Directadmin:
bruteforce=1
brute_force_log_scanner=1
brute_force_scan_apache_logs=2
brute_force_time_limit=1200
clear_brute_log_time=48
hide_brute_force_notifications=1
ip_brutecount=30
unblock_brute_ip_time=2880
user_brutecount=30

You can change them in Directadmin interface at admin level or in directadmin.conf

Installation complete!

CSF Firewall is installed and testing mode is disable at the end of the install process, so CSF Firewall is live and running.

grep '^TESTING =' /etc/csf/csf.conf
TESTING = "0"

Inspecting whitelisted CSF Firewall ports

egrep '^TCP_|^TCP6_|^UDP_|^UDP6_' /etc/csf/csf.conf
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2222,35000:35999"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,2222,35000:65535"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"
TCP6_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2222,35000:35999"
TCP6_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,2222,35000:65535"
UDP6_IN = "20,21,53"
UDP6_OUT = "20,21,53,113,123"

Make sure to backup the CSF Firewall current configuration profile so you can restore if needed

csf --profile backup after-csf-bfm-install
csf --profile backup after-csf-bfm-install
Creating backup...
‘/etc/csf/csf.conf’ -> ‘/var/lib/csf/backup/1563444098_after-csf-bfm-install’

Seems csf-bfm-install also made a CSF Firewall profile backup

csf --profile list

Configuration Profiles
======================
block_all_perm
block_all_temp
disable_alerts
protection_high
protection_low
protection_medium
reset_to_defaults

Configuration Backups
=====================
1563444098_after-csf-bfm-install (Thu Jul 18 03:01:38 2019)
1563443139_pre_v13_03_upgrade (Thu Jul 18 02:45:39 2019)

Finally ensure, CSF Firewall and LFD daemon starts up on server reboots

chkconfig lfd on
chkconfig csf on
chkconfig lfd on
Note: Forwarding request to 'systemctl enable lfd.service'.
chkconfig csf on
Note: Forwarding request to 'systemctl enable csf.service'.

Double check CSF Firewall works via csftest.pl

perl /etc/csf/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

With csf-bfm-install.sh method, DirectAdmin will search for brute-force attacks in logs and tell CSF to block them. CSF Firewall will work as normally just it will ignore AUTH failed attempts and reply on DirectAdmin Brute Force Monitor to do that leg work. You can of course configure CSF Firewall do that job too as outlined here by editing CSF Firewall config file /etc/csf/csf.conf and ensure the following settings are enabled as:

LF_TRIGGER = "1"
LF_SSHD = "1"
LF_FTPD = "1"
LF_SMTPAUTH = "1"
LF_EXIMSYNTAX = "1"
LF_POP3D = "1"
LF_IMAPD = "1"
LF_HTACCESS = "1"
LF_MODSEC = "1"
LF_DIRECTADMIN = "1"

You can also change the script’s default settings by editing /root/directadmin-bfm-csf.conf. Add the lines which you want to change with your values.

Whenever you need to change the defaults in /root/directadmin-bfm-csf.conf:

USE_PORT_SELECTED_BLOCK="1";
CSF_GREP_API_CALL="0";
DEBUG="0";
FTP_PORTS="20 21";
SSH_PORTS="22";
WEB_PORTS="80 443";
EXIM_PORTS="25 465 587";
DOVECOT_PORTS="110 143 993 995";
DIRECTADMIN_PORTS="2222";

For example if you run DirectAdmin on a custom port, and you should add the line (change 1345 with your value) in /root/directadmin-bfm-csf.conf:

DIRECTADMIN_PORTS="1345";

If you want to block access for an offensive IP to all ports on your server, then add in /root/directadmin-bfm-csf.conf:

USE_PORT_SELECTED_BLOCK="0";

To further optimise CSF Firewall’s ability to handle larger sets of blocked IP addresses without slowing down your server, you should install IPSET (only if your Linux Kernel supports IPSET). I borrowed this partial snippet of code from my Centmin Mod LEMP installer which defaults to using an optimised CSF Firewall configuration for CentOS systems.

CSF Firewall defaults to IPSET support disabled

grep -w '^LF_IPSET' /etc/csf/csf.conf
LF_IPSET = "0"

The the below csf_ipset.sh script checks your Linux Kernel if it supports IPSET with exclusion check for Linode’s custom Kernels which bake IPSET support in natively and if system is non-OpenVZ6 (OpenVZ7/Virtuozzo use newer 3.10 Kernel which support IPSET too) and will install IPSET via YUM if the Linux Kernel supports it and will enable IPSET support in CSF Firewall.

Save the below code into script named csf_ipset.sh and give it executable permissions (chmod +x) and run it.

#!/bin/bash
#####################################################
# CSF Firewall IPSET configuration for DirectAdmin
# routine partially borrowed from centminmod.com 
# CSF Firewall setup
######################################################
KERNEL_NUMERICVER=$(uname -r | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }')
ipset_setup() {
  if [[ ! -f /usr/sbin/ipset ]]; then
    # CSF now has ipset support to offload large IP address numbers 
    # from iptables so uses less server resources to handle many IPs
    # does not work with OpenVZ VPS so only implement for non-OpenVZ
    yum -q -y install ipset ipset-devel
    sed -i 's/LF_IPSET = \"0\"/LF_IPSET = \"1\"/' /etc/csf/csf.conf
  elif [[ -f /usr/sbin/ipset ]]; then
    sed -i 's/LF_IPSET = \"0\"/LF_IPSET = \"1\"/' /etc/csf/csf.conf
  fi
}
if [[ ! -f /proc/user_beancounters ]] && [[ "$(uname -r | grep linode)" || "$(find /lib/modules/`uname -r` -name 'ipset')" ]]; then
  ipset_setup
elif [[ -f /proc/user_beancounters && "$KERNEL_NUMERICVER" -ge '3000000000' ]]; then
  # openvz7's 3.10 linux kernels support IPSET
  ipset_setup
fi

After running csf_ipset.sh, check LF_IPSET setting is enabled = 1

grep -w '^LF_IPSET' /etc/csf/csf.conf
LF_IPSET = "1"

Then once IPSET is installed and enabled in CSF Firewall, raise the CSF Firewall deny permanent and temporarily IP address limits from their defaults as CSF Firewall can now handle large IP data sets with IPSET.

sed -i 's/^DENY_IP_LIMIT = .*/DENY_IP_LIMIT = \"3000\"/' /etc/csf/csf.conf
sed -i 's/^DENY_TEMP_IP_LIMIT = .*/DENY_TEMP_IP_LIMIT = \"3000\"/' /etc/csf/csf.conf

Then restart CSF Firewall

csf -ra
DirectAdmin & Cloudflare Configuration via csfcf.sh

If you plan to use Cloudflare in front of DirectAdmin added domain site accounts, you’d need to whitelist Cloudflare’s IP addresses. As CSF Firewall is now in place, I can borrow my csfcf.sh script from Centmin Mod LEMP stack which can be setup as a cronjob to auto add Cloudflare’s IP addresses into the whitelisted allowed set. Update: instead of using csf option, use auto-apache option.

mkdir -p /root/tools
cd /root/tools
wget -4 -O /root/tools/csfcf.sh https://github.com/centminmod/centminmod/raw/123.09beta01/tools/csfcf.sh
chmod 700 /root/tools/csfcf.sh
# run once to whitelist CF IPs
/root/tools/csfcf.sh csf

Output

/root/tools/csfcf.sh csf
--------------------------------------------
Add Cloudflare IP list to CSF
from: https://www.cloudflare.com/ips-v4/
from: https://www.cloudflare.com/ips-v6/
--------------------------------------------

--------------------------------------------
Add to /etc/csf/csf.allow
--------------------------------------------
Adding 173.245.48.0/20 to csf.allow and iptables ACCEPT...
csf: IPSET adding [173.245.48.0/20] to set [chain_ALLOW]
Adding 103.21.244.0/22 to csf.allow and iptables ACCEPT...
csf: IPSET adding [103.21.244.0/22] to set [chain_ALLOW]
Adding 103.22.200.0/22 to csf.allow and iptables ACCEPT...
csf: IPSET adding [103.22.200.0/22] to set [chain_ALLOW]
Adding 103.31.4.0/22 to csf.allow and iptables ACCEPT...
csf: IPSET adding [103.31.4.0/22] to set [chain_ALLOW]
Adding 141.101.64.0/18 to csf.allow and iptables ACCEPT...
csf: IPSET adding [141.101.64.0/18] to set [chain_ALLOW]
Adding 108.162.192.0/18 to csf.allow and iptables ACCEPT...
csf: IPSET adding [108.162.192.0/18] to set [chain_ALLOW]
Adding 190.93.240.0/20 to csf.allow and iptables ACCEPT...
csf: IPSET adding [190.93.240.0/20] to set [chain_ALLOW]
Adding 188.114.96.0/20 to csf.allow and iptables ACCEPT...
csf: IPSET adding [188.114.96.0/20] to set [chain_ALLOW]
Adding 197.234.240.0/22 to csf.allow and iptables ACCEPT...
csf: IPSET adding [197.234.240.0/22] to set [chain_ALLOW]
Adding 198.41.128.0/17 to csf.allow and iptables ACCEPT...
csf: IPSET adding [198.41.128.0/17] to set [chain_ALLOW]
Adding 162.158.0.0/15 to csf.allow and iptables ACCEPT...
csf: IPSET adding [162.158.0.0/15] to set [chain_ALLOW]
Adding 104.16.0.0/12 to csf.allow and iptables ACCEPT...
csf: IPSET adding [104.16.0.0/12] to set [chain_ALLOW]
Adding 172.64.0.0/13 to csf.allow and iptables ACCEPT...
csf: IPSET adding [172.64.0.0/13] to set [chain_ALLOW]
Adding 131.0.72.0/22 to csf.allow and iptables ACCEPT...
csf: IPSET adding [131.0.72.0/22] to set [chain_ALLOW]
Adding 2400:cb00::/32 to csf.allow and iptables ACCEPT...
csf: IPSET adding [2400:cb00::/32] to set [chain_6_ALLOW]
Adding 2606:4700::/32 to csf.allow and iptables ACCEPT...
csf: IPSET adding [2606:4700::/32] to set [chain_6_ALLOW]
Adding 2803:f800::/32 to csf.allow and iptables ACCEPT...
csf: IPSET adding [2803:f800::/32] to set [chain_6_ALLOW]
Adding 2405:b500::/32 to csf.allow and iptables ACCEPT...
csf: IPSET adding [2405:b500::/32] to set [chain_6_ALLOW]
Adding 2405:8100::/32 to csf.allow and iptables ACCEPT...
csf: IPSET adding [2405:8100::/32] to set [chain_6_ALLOW]
Adding 2a06:98c0::/29 to csf.allow and iptables ACCEPT...
csf: IPSET adding [2a06:98c0::/29] to set [chain_6_ALLOW]
Adding 2c0f:f248::/32 to csf.allow and iptables ACCEPT...
csf: IPSET adding [2c0f:f248::/32] to set [chain_6_ALLOW]

Setup a cronjob to run every 12 hrs

23 */12 * * * /root/tools/csfcf.sh csf >/dev/null 2>&1
csfcf.sh auto-apache option

I have since updated csfcf.sh to support DirectAdmin’s Apache’s mod_remoteip module setup as well with 2 additional options

/root/tools/csfcf.sh apache
/root/tools/csfcf.sh auto-apache

apache option creates 2 Apache files

  • /etc/httpd/conf/extra/httpd-includes-remoteip.conf which is automatically populated with relevant Apache mod_remoteip directives for RemoteIPHeader and automatic insertion of the latest obtained list of Cloudflare known IP addresses for setting RemoteIPTrustedProxy directives.
  • /etc/httpd/conf/extra/cloudflare_customips.conf is an Apache Include file inserted into the first created file at /etc/httpd/conf/extra/httpd-includes-remoteip.conf. It’s purpose is to allow you to manually add custom RemoteIPTrustedProxy specified IP addresses other than automatically inserted Cloudflare IPs which persist and do not get overriden by csfcf.sh apache or auto-apache automated Cloudflare IP insertion/configuration.

auto-apache option

  • does what apache option does just also gets the latest known Cloudflare IP list both IPv4 and IPv6 and adds them to CSF Firewall whitelisting and does conditional inspection of whether the server supports IPv6 networking. If server doesn’t support IPv6, then Cloudflare’s IPv6 IP addresses are commented out/disabled. If server does support IPv6, then Cloudflare’s IPv6 IPs are enabled/uncommented.

You’ll then manually insert as an Include file in /etc/httpd/conf/extra/httpd-includes.conf

Include /etc/httpd/conf/extra/httpd-includes-remoteip.conf

Verify if config is ok

httpd -t
Syntax OK

Then restart Apache

service httpd restart

If you had followed above instructions to configure DirectAdmin’s Apache /server-status and /server-info access, you can also then inspect mod_remoteip configuration at https://hostname.yourdomain.com/server-info/#mod_remoteip.c which shows the following information.

Module Name: mod_remoteip.c
Content handlers: none
Configuration Phase Participation: Create Server Config, Merge Server Configs
Request Phase Participation: Pre-Connection, Post-Read Request
Module Directives:
RemoteIPHeader - Specifies a request header to trust as the client IP, e.g. X-Forwarded-For
RemoteIPProxiesHeader - Specifies a request header to record proxy IP's, e.g. X-Forwarded-By; if not given then do not record
RemoteIPTrustedProxy - Specifies one or more proxies which are trusted to present IP headers
RemoteIPInternalProxy - Specifies one or more internal (transparent) proxies which are trusted to present IP headers
RemoteIPTrustedProxyList - The filename to read the list of trusted proxies, see the RemoteIPTrustedProxy directive
RemoteIPInternalProxyList - The filename to read the list of internal proxies, see the RemoteIPInternalProxy directive
RemoteIPProxyProtocol - Enable PROXY protocol handling ('on', 'off')
RemoteIPProxyProtocolExceptions - Disable PROXY protocol handling for this list of networks in CIDR format
Current Configuration:
In file: /etc/httpd/conf/extra/cloudflare_customips.conf
   1: RemoteIPInternalProxy 127.0.0.1
In file: /etc/httpd/conf/extra/httpd-includes-remoteip.conf
   3: RemoteIPTrustedProxy 173.245.48.0/20
   4: RemoteIPTrustedProxy 103.21.244.0/22
   5: RemoteIPTrustedProxy 103.22.200.0/22
   6: RemoteIPTrustedProxy 103.31.4.0/22
   7: RemoteIPTrustedProxy 141.101.64.0/18
   8: RemoteIPTrustedProxy 108.162.192.0/18
   9: RemoteIPTrustedProxy 190.93.240.0/20
  10: RemoteIPTrustedProxy 188.114.96.0/20
  11: RemoteIPTrustedProxy 197.234.240.0/22
  12: RemoteIPTrustedProxy 198.41.128.0/17
  13: RemoteIPTrustedProxy 162.158.0.0/15
  14: RemoteIPTrustedProxy 104.16.0.0/12
  15: RemoteIPTrustedProxy 172.64.0.0/13
  16: RemoteIPTrustedProxy 131.0.72.0/22
  24: RemoteIPHeader CF-Connecting-IP

Example of auto-apache run where no new Cloudflare know IPs were detected, so not output for CSF Firewall whitelisting insertions into /etc/csf/csf.allow but the Apache Include file /etc/httpd/conf/extra/httpd-includes-remoteip.conf was created.

/root/tools/csfcf.sh auto-apache 
--------------------------------------------
Add Cloudflare IP list to CSF
from: https://www.cloudflare.com/ips-v4/
from: https://www.cloudflare.com/ips-v6/
--------------------------------------------

--------------------------------------------
Add to /etc/csf/csf.allow
--------------------------------------------

created /etc/httpd/conf/extra/httpd-includes-remoteip.conf include file

Contents of /etc/httpd/conf/extra/httpd-includes-remoteip.conf on BuyVM VPS server with DirectAdmin Apache installed where VPS does not support IPv6.

Include /etc/httpd/conf/extra/cloudflare_customips.conf
RemoteIPTrustedProxy 173.245.48.0/20
RemoteIPTrustedProxy 103.21.244.0/22
RemoteIPTrustedProxy 103.22.200.0/22
RemoteIPTrustedProxy 103.31.4.0/22
RemoteIPTrustedProxy 141.101.64.0/18
RemoteIPTrustedProxy 108.162.192.0/18
RemoteIPTrustedProxy 190.93.240.0/20
RemoteIPTrustedProxy 188.114.96.0/20
RemoteIPTrustedProxy 197.234.240.0/22
RemoteIPTrustedProxy 198.41.128.0/17
RemoteIPTrustedProxy 162.158.0.0/15
RemoteIPTrustedProxy 104.16.0.0/12
RemoteIPTrustedProxy 172.64.0.0/13
RemoteIPTrustedProxy 131.0.72.0/22
#RemoteIPTrustedProxy 2400:cb00::/32
#RemoteIPTrustedProxy 2606:4700::/32
#RemoteIPTrustedProxy 2803:f800::/32
#RemoteIPTrustedProxy 2405:b500::/32
#RemoteIPTrustedProxy 2405:8100::/32
#RemoteIPTrustedProxy 2a06:98c0::/29
#RemoteIPTrustedProxy 2c0f:f248::/32
RemoteIPHeader CF-Connecting-IP

In which case you can change the csfcsf.sh cronjob to use auto-apache option now.

23 */12 * * * /root/tools/csfcf.sh auto-apache >/dev/null 2>&1

And DirectAdmin control panel CSF GUI interface – similar to cPanel/WHM CSF GUI.

CSF GUI

Step 8. DirectAdmin Skin Customisations

DirectAdmin forums has a forum dedicated to DirectAdmin Skin releases.

If using DirectAdmin default Evolution skin, you can use Poralix directadmin-utils script under /core directory to update DirectAdmin Evolution skin as outlined here.

mkdir -p /root/tools/poralix
cd /root/tools/poralix
wget https://raw.githubusercontent.com/poralix/directadmin-utils/master/core/update_evolution.sh -O update_evolution.sh
chmod 755 update_evolution.sh
./update_evolution.sh

Step 9.  DirectAdmin Mail Handling

Note, for new first time BuyVM VPS customers when you first provision a new VPS, mail ports are blocked by default until you contact their technical support to unblock the mail ports. This is a one time task you need to do.

By default DirectAdmin seems to prevent Exim from sending emails to the root user account i.e. root@hostname.yourdomain.com. I see in Exim /var/log/exim/mainlog log the following:

 User 0 set for local_delivery transport is on the never_users list

So you need to decide which email address you want to use to receive root user destined system/server emails from. Then you can either setup a /root/.forward file and place that email address in the file. Or use /etc/aliases and setup root user to send emails to your desired email address.

Edit /etc/aliases

find

#root: marc

change to

root: your@email.com

If your desired email address for receiving root user destined emails supports alias usernames like Google GSuite/Gmail, then you can use a specific alias for your server so you can setup email filters to oragnise emails by labels or folders etc.

root: your+alias@email.com

If you want to change DirectAdmin email sending domain from @hostname.yourdomain.com to @yourdomain.com, check out Poralix’s article. Where you login and go to Account Manager > List Administrators and click on admin username and under Actions drop down menu select, Show User Data and go to Info tab to change the sending email domain.

Change DirectAdmin sending domain email

Change DirectAdmin sending domain email

There are various additional steps to ensure that DirectAdmin sent emails do not end up in users spam/junk mail boxes. These include setting proper reverse PTR, SPF/TXT, DKIM and DMARC records for the sending domains. I wrote a guide for my Centmin Mod LEMP stack users regarding this where the steps in a general sense would apply to DirectAdmin as well. Both Centmin Mod LEMP stack and DirectAdmin have similar structure in that there’s a main hostname that is setup DNS wise to be the sending domain for emails originating from the server and are separate from individual site domains so that both main hostname and individual domain names require their own set of reverse PTR, SPF/TXT, DKIM and DMARC records. However, the manner in how you go about setting them all up may differ.

To ensure your site/server sent emails do not end up in users’ spam inboxes, you need proper SPF/TXT, DKIM, DMARC and reverse PTR DNS records setup for your domain and server’s main hostname (the one setup in Step 1 above).

There is a distinction between your site domain and server’s main hostname:

  1. server’s main hostname – If you use a web app like WordPress, Xenforo, IP.Board, Magento, etc to send emails. Then emails can either be sent as is via DirectAdmin’s Exim MTA server via @hostname.yourdomain.com where receiving email servers would evaluate the SPF, DKIM, DMARC and PTR DNS records for sending domain @hostname.yourdomain.com. If server’s main hostname i.e. hostname.yourdomain.com has valid SPF, DKIM, DMARC and PTR DNS records, then email will be less likely sent to spam box or being rejected by receiving email server.
  2. your domain – If your web app allows you to set a from email field and you sent emails from say user@domain.com, then receiving email servers would evaluate the SPF, DKIM, DMARC and PTR DNS records for sending domain @domain.com so your domain.com would need to have those SPF, DKIM, DMARC and PTR DNS records setup. If you use a 3rd party @domain.com provider like Google Gsuite, Outlook, Zoho etc, then those services will have instructions for setting up SPF, DKIM, DMARC and PTR DNS records.
DirectAdmin SPF TXT setup for outbound emails via Exim MTA

Simple as setting up a SPF TXT DNS record for your hostname i.e. hostname.yourdomain.com change SERVER_IP to your server’s public primary IP address

v=spf1 a mx ip4:SERVER_IP ~all
DirectAdmin DKIM setup for outbound emails via Exim MTA

DirectAdmin outlines DKIM setup instructions here.

First check if DKIM is configured and enabled in DirectAdmin

/usr/local/directadmin/directadmin c | grep dkim
dkim=0
dkim_selector=x

If dkim=0, then need to follow instructions by first downloading the exim.dkim.conf to /etc directory

wget -4 -O /etc/exim.dkim.conf http://files.directadmin.com/services/exim.dkim.conf

The /etc/exim.conf modification set to add reference to /etc/exim.dkim.conf isn’t required as it seems it’s already added on this DirectAdmin installation

grep -A7 'remote_smtp:' /etc/exim.conf 
remote_smtp:
  driver = smtp
  headers_add = "${if def:authenticated_id{X-Authenticated-Id: ${authenticated_id}}}"
  interface = <; ${if exists{/etc/virtual/domainips}{${lookup{$sender_address_domain}lsearch*{/etc/virtual/domainips}}}}
  helo_data = ${if exists{/etc/virtual/helo_data}{${lookup{$sending_ip_address}iplsearch{/etc/virtual/helo_data}{$value}{$primary_hostname}}}{$primary_hostname}}
  hosts_try_chunking =
.include_if_exists /etc/exim.dkim.conf

Then restart Exim service

service exim restart

Then set dkim=1 in /usr/local/directadmin/conf/directadmin.conf and verify it is set

grep -i dkim /usr/local/directadmin/conf/directadmin.conf
echo 'dkim=1' >> /usr/local/directadmin/conf/directadmin.conf
grep -i dkim /usr/local/directadmin/conf/directadmin.conf
/usr/local/directadmin/directadmin c | grep dkim

Verify

/usr/local/directadmin/directadmin c | grep dkim 
dkim=1
dkim_selector=x

From this point any new domains created/added via DirectAdmin will have DKIM keys generated and DNS zones updated.

For existing domains, you can either enable it individually for each domain, one-by-one – for DirectAdmin hostname created in Step 1, you’d replace domain.com with your hostname.yourdomain.com:

cd /usr/local/directadmin/scripts
./dkim_create.sh domain.com
or you can enable it for all of your domains like this:

echo "action=rewrite&value=dkim" >> /usr/local/directadmin/data/task.queue

You’ll find the created DKIM keys on the server at /etc/virtual/domain.com/ or hostname at /etc/virtual/hostname.yourdomain.com/

ls -lah /etc/virtual/hostname.yourdomain.com/
total 16K
drwxr-xr-x 2 mail mail 4.0K Jul 19 02:35 .
drwxr-xr-x 5 mail mail 4.0K Jul 19 02:38 ..
-rw------- 1 mail mail 1.7K Jul 19 02:35 dkim.private.key
-rw------- 1 mail mail  451 Jul 19 02:35 dkim.public.key

and the created DKIM TXT DNS record in your DirectAdmin control panel’s DNS management zone section for the domain or you can create it from your  /etc/virtual/hostname.yourdomain.com/dkim.public.key replacing below hostname.yourdomain.com with your domain name and use selector = x._domainkey for domain.com or = x._domainkey.hostname for hostname.yourdomain.com.

dkim_domain=hostname.yourdomain.com
dkim_prefix="v=DKIM1; k=rsa; p=$(grep -v 'PUBLIC KEY' /etc/virtual/$dkim_domain/dkim.public.key | tr -d \\n)"
echo $dkim_prefix

Important: If any of your domains are hosted using an external DNS server  i.e. Cloudflare DNS, Amazon AWS Route53 or domain registrar provider’s DNS management that DirectAdmin does not control, you MUST manually add the TXT records to the remote domain DNS zones. You can copy them over as needed. If the DNS does not have the records, but your emails are signed, this may increase the spam score of those emails, which is the opposite of what you want.

DirectAdmin DMARC Record setup for outbound Exim MTA

Once DKIM and SPF TXT records are properly setup, you can optionally add DMARC DNS records via various DMARC generators or services:

Then use a service like mail-tester.com to test your SPF/DKIM/DMARC configuration for your server hostname and domain names.

Using Amazon SES SMTP For Outbound Exim MTA

DirectAdmin’s Exim mail server can also be configured to use a remote SMTP server for sending outbound emails. I usually use Amazon SES SMTP transactional email services for better email deliverability. DirectAdmin has instructions for configuring Exim for using a remote SMTP server outlined here.

You would of already configured and setup your Amazon SES SMTP username/password credentials and setup the domain’s SPF/DKIM records and verified your domain and email addresses and requested via Amazon SES support to get out of SES sandbox mode.

Then in SSH session type these commands and replace with your appropriate Amazon SES SMTP username/password and AWS SES region’s SMTP server and then download as per DirectAdmin guide, the three Exim config files. Then use sed replacements to modify the three downloaded Exim config files and finally restart Exim

ses_username='YOUR_SES_SMTP_Username'
ses_password='YOUR_SES_SMTP_Password'
ses_smtp='email-smtp.us-east-1.amazonaws.com'
wget -4 -O /etc/exim.routers.pre.conf http://files.directadmin.com/services/SpamBlocker/smart_route/exim.routers.pre.conf
wget -4 -O /etc/exim.transports.pre.conf http://files.directadmin.com/services/SpamBlocker/smart_route/exim.transports.pre.conf
wget -4 -O /etc/exim.authenticators.post.conf http://files.directadmin.com/services/SpamBlocker/smart_route/exim.authenticators.post.conf
sed -i "s|your@email.com|$ses_username|" /etc/exim.authenticators.post.conf
sed -i "s|: yourpass|: $ses_password|" /etc/exim.authenticators.post.conf
sed -i "s|smtp.yourisp.com|${ses_smtp}::587|" /etc/exim.routers.pre.conf
sed -i 's|port = 25|port = 587|' /etc/exim.transports.pre.conf
service exim restart

Then use mail-tester.com again to test outbound Exim email sending again.

The resulting contents for the three downloaded Exim files

/etc/exim.transports.pre.conf

auth_relay:
driver = smtp
port = 587
hosts_require_auth = $host_address
hosts_require_tls = $host_address

/etc/exim.authenticators.post.conf

auth_login:
driver = plaintext
public_name = LOGIN
#replace your@email and yourpass
hide client_send = : YOUR_SES_SMTP_Username : YOUR_SES_SMTP_Password

/etc/exim.routers.pre.conf

smart_route:
driver = manualroute
domains = ! +local_domains
ignore_target_hosts = 127.0.0.0/8
condition = "${perl{check_limits}}"

#use remote_smtp only if you do not need smtp-auth.
#transport = remote_smtp

#use auth_relay if you do need to set the remote smtpauth
transport = auth_relay

route_list = * email-smtp.us-east-1.amazonaws.com::587
no_more

Step 10. DirectAdmin Optimisations

Adding your own system service status display to DirectAdmin service status page GUI as per instructions here, you can edit /usr/local/directadmin/data/admin/services.status. On current DirectAdmin installation made in this guide, the /usr/local/directadmin/data/admin/services.status file contains the following:

da-popb4smtp=ON
directadmin=ON
dovecot=ON
exim=ON
httpd=ON
mysqld=ON
named=ON
php-fpm72=ON
php-fpm73=ON
pure-ftpd=ON
sshd=ON
clamd=ON
freshclam=ON
lfd=ON
php-fpm56=ON
  • ON means the dataskq will monitor it
  • OFF means it won’t.
  • If you click “Stop” from within DirectAdmin, it set to OFF so that the dataskq doesn’t try to start it.
  • If you click “Start”, DirectAdmin will set it to ON in the service.status file and will start to monitor it.

DirectAdmin Service Monitor

Some SSHD tweaks

cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
echo -e "\n" >> /etc/ssh/sshd_config
echo "ClientAliveInterval 3600" >> /etc/ssh/sshd_config
echo "ClientAliveCountMax 120" >> /etc/ssh/sshd_config
echo "UseDNS no" >> /etc/ssh/sshd_config
echo 'KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' >> /etc/ssh/sshd_config
sed -i 's/#TCPKeepAlive yes/TCPKeepAlive yes/g' /etc/ssh/sshd_config
awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv -f /etc/ssh/moduli.tmp /etc/ssh/moduli
/usr/sbin/sshd -t
service sshd restart

Modifying and updating DirectAdmin SSL ciphers as outlined here. Lets check existing defaults first

Apache default SSL ciphers which you can modify using instructions here.

grep '^SSL' /etc/httpd/conf/extra/httpd-ssl.conf | sort -u
SSLCACertificateFile /etc/httpd/conf/ssl.crt/server.ca
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLEngine on
SSLHonorCipherOrder On
SSLPassPhraseDialog builtin
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLSessionCache shmcb:/var/log/httpd/ssl_scache(512000)
SSLSessionCacheTimeout 300

Dovecot

cat /etc/dovecot/conf/ssl.conf
ssl_cert = </etc/exim.cert
ssl_key = </etc/exim.key
ssl_dh = </etc/dovecot/dh.pem

ssl_min_protocol = TLSv1
ssl_cipher_list = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

or

cat /usr/local/directadmin/custombuild/dovecot.conf | grep ssl 
#ssl_cert_file = /etc/exim.cert
#ssl_key_file = /etc/exim.key
ssl_cert_file = /etc/httpd/conf/ssl.crt/server.crt
ssl_key_file = /etc/httpd/conf/ssl.key/server.key
ssl_cipher_list = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP

or

cat /usr/local/directadmin/custombuild/configure/dovecot/conf/ssl.conf 
ssl_cert = </etc/exim.cert
ssl_key = </etc/exim.key
ssl_dh = </etc/dovecot/dh.pem

ssl_min_protocol = TLSv1
ssl_cipher_list = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

CSF Firewall’s GUI security check feature flags Dovecot’s default SSL ciphers with message but looks like CSF Firewall security check isn’t reading the right Dovecot files.

Mail Check
Check dovecot weak SSL/TLS Ciphers (ssl_cipher_list)
Cipher list []. Due to weaknesses in the SSLv2 cipher you should /etc/dovecot.conf and set ssl_cipher_list to explicitly exclude it. For example:
ssl_cipher_list = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

Setup /etc/dovecot/conf.d/10-ssl.conf with overriding ssl_cipher_list and ssl_min_protocol settings according to RedHat 7.

ssl_min_protocol = TLSv1.2
ssl_cipher_list = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
ssl_prefer_server_ciphers = yes

Or use CustomBuild custom Dovecot config – modifying custom/dovecot/conf/ssl.conf

cat custom/dovecot/conf/ssl.conf
ssl_cert = </etc/exim.cert
ssl_key = </etc/exim.key
ssl_dh = </etc/dovecot/dh.pem

ssl_min_protocol = TLSv1.2
ssl_cipher_list = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
ssl_prefer_server_ciphers = yes
cd /usr/local/directadmin/custombuild
mkdir -p custom/dovecot/conf
cp -a configure/dovecot/conf/ssl.conf custom/dovecot/conf/ssl.conf
./build dovecot_conf
./build dovecot_conf
Updating dovecot configuration files...
ensuring ssl_dh
Restarting dovecot.
Dovecot configuration files have been updated successfully.

Restart Dovecot service

service dovecot restart

OpenSSL test

echo -n | openssl s_client -crlf -connect 127.0.0.1:993 2>&1 | egrep -i 'cipher|protocol'
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384

Exim

egrep 'ssl_|cipher' /etc/exim.variables.conf 
openssl_options=+no_sslv2 +no_sslv3
tls_require_ciphers=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

Other mail SSL config checks

echo -n | openssl s_client -showcerts -connect localhost:993
echo -n | openssl s_client -showcerts -connect localhost:995
echo -n | openssl s_client -showcerts -connect localhost:465
echo -n | openssl s_client -starttls smtp -showcerts -connect localhost:25
echo -n | openssl s_client -starttls smtp -showcerts -connect localhost:587

Pure-ftpd

grep -i ssl /usr/local/directadmin/custombuild/configure/pureftpd/pure-ftpd.conf
# 0: disable SSL/TLS encryption layer (default).
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

Step 11. Switching MySQL Server Versions – Oracle vs MariaDB MySQL

To upgrade MySQL server versions use the outlined instructions here which also recommend recompiling PHP with each update.

I generally use MariaDB 10.3 MySQL server these days. I suggest folks not upgrade to MariaDB 10.4 unless you are fully aware of the breaking changes compared to previous MariaDB 10.3 and lower versions – these changes are drastic enough to deem MariaDB 10.4 as no longer being drop-in compatible with Oracle MySQL versions so essentially are a one way upgrade to MariaDB 10.4 with no way going back to lower versions without restoring from a MariaDB 10.3 or earlier full MySQL backup you would of made prior to upgrading.

Switch straight from MariaDB 5.5 to MariaDB 10.3 and automatically run MySQL backup in the process:

cd /usr/local/directadmin/custombuild
./build set mariadb 10.3
./build set mysql_inst mariadb
./build set mysql_backup yes
./build update
./build mariadb

or do my usual recommended incremental major version updates from MariaDB 5.5 to 10.0 to 10.1 to 10.2 to 10.3

cd /usr/local/directadmin/custombuild
./build update
./build set mysql_inst mariadb
./build set mysql_backup yes
./build set mariadb 10.0
./build mysql
./build set mariadb 10.1
./build mysql
./build set mariadb 10.2
./build mysql
./build set mariadb 10.3
./build mysql

Then recompile PHP

./build php n

Example output

./build set mariadb 10.3
Changed mariadb option from 10.0 to 10.3

./build set mysql_inst mariadb
Changed mysql_inst option from no to mariadb

./build set mysql_backup yes
Changed mysql_backup option from yes to yes

Building MariaDB 10.3 straight from MariaDB 5.5 – full log available via Gist and except below

./build mariadb
        Dumping database da_roundcube 
        Dumping database mysql 

Stopping mysqld ...
Upgrading MariaDB 5.5.63 to 10.3.16
Preparing packages...
MariaDB-client-5.5.63-1.el7.centos.x86_64
Preparing packages...
MariaDB-compat-5.5.63-1.el7.centos.x86_64
Preparing packages...
MariaDB-server-5.5.63-1.el7.centos.x86_64
warning: file /etc/init.d/mysql: remove failed: No such file or directory
Preparing packages...
MariaDB-devel-5.5.63-1.el7.centos.x86_64
Preparing packages...
MariaDB-common-5.5.63-1.el7.centos.x86_64
Preparing packages...
MariaDB-shared-5.5.63-1.el7.centos.x86_64
warning: MariaDB-client-10.3.16-1.el7.centos.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 1bb943db: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:MariaDB-compat-10.3.16-1.el7.cent################################# [ 14%]
   2:MariaDB-common-10.3.16-1.el7.cent################################# [ 29%]
   3:MariaDB-client-10.3.16-1.el7.cent################################# [ 43%]
   4:MariaDB-server-10.3.16-1.el7.cent################################# [ 57%]
   5:MariaDB-devel-10.3.16-1.el7.cento################################# [ 71%]
   6:MariaDB-shared-10.3.16-1.el7.cent################################# [ 86%]
   7:MariaDB-backup-10.3.16-1.el7.cent################################# [100%]
Failed to execute operation: File exists
Removed symlink /etc/systemd/system/multi-user.target.wants/mysqld.service.
Removed symlink /etc/systemd/system/mariadb.service.
Failed to execute operation: Too many levels of symbolic links
Ensuring local-infile is disabled for security reasons in MySQL configuration file...
Giving mysqld a few seconds to start up...
Phase 1/7: Checking and upgrading mysql database
Processing databases
mysql
mysql.columns_priv                                 OK
mysql.db                                           OK
mysql.event                                        OK
mysql.func                                         OK
mysql.help_category                                OK
mysql.help_keyword                                 OK
mysql.help_relation                                OK
mysql.help_topic                                   OK
mysql.host                                         OK
mysql.ndb_binlog_index                             OK
mysql.plugin                                       OK
mysql.proc                                         OK
mysql.procs_priv                                   OK
mysql.proxies_priv                                 OK
mysql.servers                                      OK
mysql.tables_priv                                  OK
mysql.time_zone                                    OK
mysql.time_zone_leap_second                        OK
mysql.time_zone_name                               OK
mysql.time_zone_transition                         OK
mysql.time_zone_transition_type                    OK
mysql.user                                         OK
Upgrading from a version before MariaDB-10.1
Phase 2/7: Installing used storage engines
Checking for tables with unknown storage engine
Phase 3/7: Fixing views
Phase 4/7: Running 'mysql_fix_privilege_tables'
Phase 5/7: Fixing table and database names
Phase 6/7: Checking and upgrading tables
Processing databases
da_roundcube
da_roundcube.cache                                 OK
da_roundcube.cache_index                           OK
da_roundcube.cache_messages                        OK
da_roundcube.cache_shared                          OK
da_roundcube.cache_thread                          OK
da_roundcube.contactgroupmembers                   OK
da_roundcube.contactgroups                         OK
da_roundcube.contacts                              OK
da_roundcube.dictionary                            OK
da_roundcube.identities                            OK
da_roundcube.searches                              OK
da_roundcube.session                               OK
da_roundcube.system                                OK
da_roundcube.users                                 OK
information_schema
performance_schema
Phase 7/7: Running 'FLUSH PRIVILEGES'
OK
cp: '/usr/lib/libmysqlclient.so' and '/usr/lib/mysql/libmysqlclient.so' are the same file
Restarting MySQL.
Installation completed.

Verify MariaDB 10.3 version upgrade

mysqladmin --defaults-extra-file=/usr/local/directadmin/conf/my.cnf ver 
mysqladmin Ver 9.1 Distrib 10.3.16-MariaDB, for Linux on x86_64
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Server version 10.3.16-MariaDB
Protocol version 10
Connection Localhost via UNIX socket
UNIX socket /var/lib/mysql/mysql.sock
Uptime: 4 min 35 sec

Threads: 7 Questions: 3 Slow queries: 0 Opens: 17 Flush tables: 1 Open tables: 11 Queries per second avg: 0.010

Inspecting default Character set and collation – seems latin1 is the default. I would switch to utf8 default as a bare minimum. For some utf8mb4 might be better if your web application needs the support i.e. Invision Board or Xenforo 2 with emoji support would require utf8mb4. But you’d have to be careful with running up against Innodb max key  prefix length errors such as Index column size too large. The maximum column size is 767 bytes. Though MariaDB has settings to overcome this which I already deploy on my Centmin Mod LEMP stack’s MariaDB 10 installations – so will be looking at replicating this on DirectAdmin installations.

mysqladmin --defaults-extra-file=/usr/local/directadmin/conf/my.cnf var | tr -s ' ' | egrep 'char|collation'
| character_set_client | latin1 |
| character_set_connection | latin1 |
| character_set_database | latin1 |
| character_set_filesystem | binary |
| character_set_results | latin1 |
| character_set_server | latin1 |
| character_set_system | utf8 |
| character_sets_dir | /usr/share/mysql/charsets/ |
| collation_connection | latin1_swedish_ci |
| collation_database | latin1_swedish_ci |
| collation_server | latin1_swedish_ci |
| session_track_system_variables | autocommit,character_set_client,character_set_connection,character_set_results,time_zone |

Where does DirectAdmin save MariaDB MySQL settings ?

ls -lah /etc/my.cnf.d
total 32K
drwxr-xr-x 2 root root 4.0K Jul 18 07:09 .
drwxr-xr-x. 79 root root 12K Jul 18 07:09 ..
-rw-r--r-- 1 root root 295 Jun 14 15:25 client.cnf
-rw-r--r-- 1 root root 763 Jun 14 15:25 enable_encryption.preset
-rw-r--r-- 1 root root 232 Jun 14 15:25 mysql-clients.cnf
-rw-r--r-- 1 root root 1.1K Jul 18 07:09 server.cnf

The client.cnf defaults but I switch to utf8 character set via default-character-set=utf8

cat /etc/my.cnf.d/client.cnf 
#
# These two groups are read by the client library
# Use it for options that affect all clients, but not the server
#
[client]
default-character-set=utf8

# This group is not read by mysql client library,
# If you use the same .cnf file for MySQL and MariaDB,
# use it for MariaDB-only client options
[client-mariadb]

The server.cnf defaults aren’t optimal at all – but under [mysqld] I switch from latin1 to utf8 default character set and collations via character-set-server=utf8 as well as a few extra settings under [mariadb-10.3] group.

#
# These groups are read by MariaDB server.
# Use it for options that only the server (but not clients) should see
#
# See the examples of server my.cnf files in /usr/share/mysql/
#

# this is read by the standalone daemon and embedded servers
[server]

# this is only for the mysqld standalone daemon
[mysqld]
character-set-server=utf8
local-infile = 0

#
# * Galera-related settings
#
[galera]
# Mandatory settings
#wsrep_on=ON
#wsrep_provider=
#wsrep_cluster_address=
#binlog_format=row
#default_storage_engine=InnoDB
#innodb_autoinc_lock_mode=2
#
# Allow server to accept connections on all interfaces.
#
#bind-address=0.0.0.0
#
# Optional setting
#wsrep_slave_threads=1
#innodb_flush_log_at_trx_commit=0

# this is only for embedded server
[embedded]

# This group is only read by MariaDB servers, not by MySQL.
# If you use the same .cnf file for MySQL and MariaDB,
# you can put MariaDB-only options here
[mariadb]

# This group is only read by MariaDB-10.3 servers.
# If you use the same .cnf file for MariaDB of different versions,
# use this group for options that older servers don't understand
[mariadb-10.3]
innodb_default_row_format = dynamic
innodb_file_per_table = 1
performance_schema=OFF
innodb_stats_on_metadata=OFF
innodb_sort_buffer_size=2M

Restart MariaDB MySQL 10.3 – there’s more optimal configuration defaults that can be applied but for now just testing to see if the config files edited are the ones reflected on MySQL restart settings wise.

service mysqld restart

Recheck character set and collation defaults and yup the client.cnf and server.cnf are correct in changing MariaDB 10.3 from latin1 to utf8 defaults.

mysqladmin --defaults-extra-file=/usr/local/directadmin/conf/my.cnf var | tr -s ' ' | egrep 'char|collation'
| character_set_client | utf8 |
| character_set_connection | utf8 |
| character_set_database | utf8 |
| character_set_filesystem | binary |
| character_set_results | utf8 |
| character_set_server | utf8 |
| character_set_system | utf8 |
| character_sets_dir | /usr/share/mysql/charsets/ |
| collation_connection | utf8_general_ci |
| collation_database | utf8_general_ci |
| collation_server | utf8_general_ci |
| session_track_system_variables | autocommit,character_set_client,character_set_connection,character_set_results,time_zone |

Step 12. DirectAdmin Log Locations

Installation isn’t complete without inspecting DirectAdmin logs to ensure that what has been installed is working correctly. For this you need to inspect DirectAdmin’s logs. Being new to DirectAdmin, you maybe a little lost as to knowing where the logs are located. Knownhost has a great wiki entry outlining all the DirectAdmin log locations.

DirectAdmin specific logs

  • /var/log/directadmin/error.log – General errors for DirectAdmin’s service (directadmin.service)
  • /var/log/directadmin/errortaskq.log – DirectAdmin’s internal task queue errors
  • /var/log/directadmin/system.log – System-service reloads, quota tallies, Let’s Encrypt status, etc. are logged here
  • /var/log/directadmin/login.log – Admin, Reseller, and User level successful and failed logins to the panel
  • /var/log/directadmin/security.log – Execution of DirectAdmin’s plugins
  • /var/log/directadmin/install.log – Seems to be a record of the ending initial DirectAdmin installation report log which also includes your DirectAdmin admin username, password and email

Apache Webserver logs

  • /var/log/httpd/error_log – General Apache Error Logs
  • /var/log/httpd/access_log – General Access Logs
  • /var/log/httpd/suexec_log – SuEXEC Logs
  • /var/log/httpd/fpexec_log – FpExec1) Logs
  • /var/log/httpd/domains/yourdomain.com.log – Domain-Specific Access Logs
  • /var/log/httpd/domains/yourdomain.com.error.log – Domain-Specific Error Logs

CustomBuild log

  • /usr/local/directadmin/custombuild/custombuild.log

PHP-FPM logs

  • /usr/local/phpXX/var/log/php-fpm.log – PHP-FPM logs: each version of PHP will have it’s own logs. Where XX is PHP version i.e. 56, 72, 73 etc
  • /usr/local/php73/var/log/php-fpm.log – PHP-FPM logs for PHP 7.3
  • /var/log/php-fpm73.log – This is a symbolic link to the above file – useful as a shortcut!

Nginx logs

  • /var/log/nginx/access_log – General Nginx access logs
  • /var/log/nginx/error_log – General Nginx error logs
  • /var/log/nginx/modsec_audit.log – ModSecurity rule-processing2)
  • /var/log/nginx/domains/yourdomain.com.log – Nginx logs for specific domains are logged on this path
  • /var/log/nginx/domains/yourdomain.com.error.log – Nginx error logs for specific domains are logged on this path

FTP logs

  • /var/log/messages – General FTPd errors are logged in the system’s main log
  • /var/log/pureftpd.log – PureFTPd general logs
  • /var/log/proftpd/access.log – If ProFTP is installed, this is where general access is logged
  • /var/log/proftpd/auth.log – If ProFTP is installed, this is where login attempts are logged

Dovecot IMAP/POP3 logs

  • /var/log/maillog – POP3/IMAP logins
  • var/log/dovecot-lmtp.log – Delivery of emails to local accounts
  • /var/log/dovecot-lmtp-errors.log – Errors with delivery of local email (i.e. mailbox is over quota)

Exim SMTP MTA logs

  • /var/log/exim/mainlog – Main delivery and receipt log
  • /var/log/exim/paniclog – Unexpected/Fatal error log
  • /var/log/exim/processlog – Process logs
  • /var/log/exim/rejectlog – Incoming-email Rejection logs

Named DNS logs

  • /var/log/messages – BIND (named.service) logs to the main system log

Cron Job logs

  • /var/log/cron – Cron daemon logs

MariaDB/MySQL logs

  • /var/lib/mysql/hostname.yourdomain.com.err – MySQL startup and error log which is the same hostname you setup in above Step 1.  Note for CentOS 7 and systemd systems, MySQL/MariaDB may also have logging accessible via journalctl.
    journalctl -u mariadb --no-pager

CSF Firewall / LFD Daemon logs

  • /var/log/lfd.log

Firewalld logs

  • /var/log/firewalld

Step 13. Updating DirectAdmin

cd /usr/local/directadmin/custombuild 
./build update
./build versions
./build update_versions

Step 14. Speeding Up DirectAdmin Compile Times

DirectAdmin’s installation and update routines and CustomBuild 2.0 rely heavily on source compilation and from my experience with cPanel/WHM and my own Centmin Mod LEMP development and optimizations, there is a huge room for improvement for DirectAdmin compilation speed. The main method is leveraging ccache for compiler caching on subsequent recompiles of same software versions etc (rebuilds). The performance improvement on recompiles can be as much as 30-80% faster in some cases for Nginx and PHP-FPM compilations !

To put this theory to the test, I whipped up a quick wrapper script, directadmin-compiler-bench.sh to time and benchmark DirectAdmin’s Apache, PHP-FPM and Apache + PHP-FPM software via Custombuild 2.0. The script can also dynamically enable compiler optimisations I usually do for Centmin Mod’s Nginx and PHP-FPM source compilation routines – these include using ccache compiler caching and also using newer GCC 8.3 compiler instead of CentOS 7’s native GCC 4.8.5. The ccache compiler cache speeds up source recompilations of the same versions while GCC 8.3 usage would potentially improve the software’s resulting Apache, PHP-FPM binary’s performance – especially for newer cpu models newer than Intel Xeon Broadwell like the newer Intel Xeon Skylake and AMD EPYC based processors.

directadmin-compiler-bench.sh wrapper script’s usage options

./directadmin-compiler-bench.sh 

Usage:

./directadmin-compiler-bench.sh allon
./directadmin-compiler-bench.sh alloff
./directadmin-compiler-bench.sh gccon
./directadmin-compiler-bench.sh gccoff
./directadmin-compiler-bench.sh ccon
./directadmin-compiler-bench.sh ccoff
./directadmin-compiler-bench.sh install
./directadmin-compiler-bench.sh update
./directadmin-compiler-bench.sh bench apache
./directadmin-compiler-bench.sh bench php
./directadmin-compiler-bench.sh bench apache-php
./directadmin-compiler-bench.sh bench apache allon
./directadmin-compiler-bench.sh bench php allon
./directadmin-compiler-bench.sh bench apache-php allon
./directadmin-compiler-bench.sh bench apache gccon
./directadmin-compiler-bench.sh bench php gccon
./directadmin-compiler-bench.sh bench apache-php gccon
./directadmin-compiler-bench.sh bench apache ccon
./directadmin-compiler-bench.sh bench php ccon
./directadmin-compiler-bench.sh bench apache-php ccon
./directadmin-compiler-bench.sh bench apache alloff
./directadmin-compiler-bench.sh bench php alloff
./directadmin-compiler-bench.sh bench apache-php alloff
./directadmin-compiler-bench.sh bench apache gccoff
./directadmin-compiler-bench.sh bench php gccoff
./directadmin-compiler-bench.sh bench apache-php gccoff
./directadmin-compiler-bench.sh bench apache ccoff
./directadmin-compiler-bench.sh bench php ccoff
./directadmin-compiler-bench.sh bench apache-php ccoff

I ran directadmin-compiler-bench.sh just for CustomBuild 2.0 Apache build and recorded the compilation times for 3 configurations on the this BuyVM KVM VPS Slice 1 cpu, 1GB memory server which has fair share 1 cpu allocation:

  • bench apache = without ccache compiler cache. Compile time = 200.293 seconds
  • bench apache ccon run 1 = with ccache compiler cache 1st run which is uncached and populates the cache ready for 2nd run use. Compile time = 231.493 seconds which is 15.58% slower than without ccache for 1st uncached compile run.
  • bench apache ccon run 2 = with ccache compiler cache 2nd run which can use ccache’s cache to speed up subsequent recompiles of same versions. Compile time = 159.888 seconds which is 20.17% faster than without ccache and 30.93% faster than with ccache’s uncached 1st run.
./directadmin-compiler-bench.sh bench apache
./directadmin-compiler-bench.sh bench apache ccon
./directadmin-compiler-bench.sh bench apache ccon

The first uncached compilation with ccache compiler caching will also be slower than without ccache due to the need to do the caching populating etc. Usually, you will do the first compiles with ccache disabled and enable ccache for subsequent recompilations.

I used ccache 3.7.2 latest release for the below tests and here’s the ccache cache statistics after the 2nd run with ccache enabled. There’s a 50.72% cache hit rate for 2nd ccache enabled recompilation of DirectAdmin’s Apache build using CustomBuild 2.0. You’ll see the cache hit rate rise as you do more recompiles over time.

ccache -s
cache directory /home/.ccache
primary config /home/.ccache/ccache.conf
secondary config (readonly) /usr/local/etc/ccache.conf
stats updated Mon Jul 22 07:10:07 2019
cache hit (direct) 628
cache hit (preprocessed) 5
cache miss 615
cache hit rate 50.72 %
called for link 44
called for preprocessing 280
compile failed 58
preprocessor error 78
bad compiler arguments 8
autoconf compile/link 414
no input file 24
cleanups performed 0
files in cache 1224
cache size 7.4 MB
max cache size 2.8 GB

Next I ran directadmin-compiler-bench.sh just for CustomBuild 2.0 PHP-FPM build which compiles 3x PHP versions, 7.3.7, 7.2.20 and 5.6.40 with ImagicK and Zend Opcache extensions and recorded the compilation times for 3 configurations on the this BuyVM KVM VPS Slice 1 cpu, 1GB memory server which has fair share 1 cpu allocation:

  • bench php = without ccache compiler cache. Compile time = 4509.820 seconds
  • bench php ccon run 1 = with ccache compiler cache 1st run which is uncached and populates the cache ready for 2nd run use. Compile time = 5141.003 seconds which is ~14% slower than without ccache for 1st uncached compile run.
  • bench php ccon run 2 = with ccache compiler cache 2nd run which can use ccache’s cache to speed up subsequent recompiles of same versions. Compile time = 1439.342 seconds which is 68.1% faster than without ccache and ~72% faster than with ccache’s uncached 1st run.
./directadmin-compiler-bench.sh bench php
./directadmin-compiler-bench.sh bench php ccon
./directadmin-compiler-bench.sh bench php ccon

And ccache stats with 58.93% cache hit rate after PHP recompiles which reflects cummulative results of all source compilations which have had ccache cache compiler enabled for.

ccache -s
cache directory                     /home/.ccache
primary config                      /home/.ccache/ccache.conf
secondary config      (readonly)    /usr/local/etc/ccache.conf
stats updated                       Tue Jul 23 10:05:55 2019
cache hit (direct)                  8514
cache hit (preprocessed)              41
cache miss                          5961
cache hit rate                     58.93 %
called for link                      178
called for preprocessing            1206
compile failed                       342
preprocessor error                   338
bad compiler arguments                84
autoconf compile/link               3164
no input file                        176
cleanups performed                     0
files in cache                     11905
cache size                         219.3 MB
max cache size                       2.8 GB

Next I ran directadmin-compiler-bench.sh just for CustomBuild 2.0 Dovecot build as DirectAdmin update cron notified me there was a Dovecot version upgrade and recorded the compilation times for 3 configurations on the this BuyVM KVM VPS Slice 1 cpu, 1GB memory server which has fair share 1 cpu allocation:

  • bench dovecot = without ccache compiler cache. Compile time = 879.963 seconds
  • bench dovecot ccon run 1 = with ccache compiler cache 1st run which is uncached and populates the cache ready for 2nd run use. Compile time = 976.800 seconds which is ~11% slower than without ccache for 1st uncached compile run.
  • bench dovecot ccon run 2 = with ccache compiler cache 2nd run which can use ccache’s cache to speed up subsequent recompiles of same versions. Compile time = 363.582 seconds which is ~58.7% faster than without ccache and ~62.8% faster than with ccache’s uncached 1st run.
./directadmin-compiler-bench.sh bench dovecot
./directadmin-compiler-bench.sh bench dovecot ccon
./directadmin-compiler-bench.sh bench dovecot ccon

So just for DirectAdmin Apache + PHP 7.3/7.2/5.6 + Dovecot recompile builds via CustomBuild 2.0 called from my directadmin-compiler-bench.sh wrapper script resulted in total compile times as follows:

  • total without ccache compiler cache = Compile time = 200.293 + 4509.820 + 879.963 = 5590.076seconds 
  • total run 1 with ccache compiler cache 1st run which is uncached and populates the cache ready for 2nd run use = Compile time = 231.493 + 5141.003 + 976.800 = 6349.296 seconds which is ~13.6% slower than without ccache for 1st uncached compile run.
  • total run 2 with ccache compiler cache 2nd run which can use ccache’s cache to speed up subsequent recompiles of same versions = Compile time = 159.888 + 1439.342 + 363.582 = 1962.812 seconds which is ~64.9% faster than without ccache and ~69.1% faster than with ccache’s uncached 1st run.

I will be doing more advanced DirectAdmin optimisation tuning (including newer GCC compiler tests) and benchmarks as I learn more about DirectAdmin’s internals and about CustomBuild routines.

Summary

The above guide illustrates how you can install DirectAdmin on CentOS 7 server. I will be writing more DirectAdmin related guides as my experience with DirectAdmin grows. This was literally my first ever DirectAdmin installation and first 14+ hrs experience with DirectAdmin and with DirectAdmin using source compilation for the majority of it’s software, I can see endless possibilities for me to put my own spin on the installation routines with optimisations I can bring over from my 16+ yrs in using cPanel/WHM and 8+ yrs in developing Centmin Mod LEMP stack (which has a mix of sourced compiled routines for Nginx and PHP-FPM with YUM repositories usage).

As DirectAdmin source compiles alot, there’s a definite benefit of using ccache for compiler caching on subsequent recompiles of same software versions etc (rebuilds). Centmin Mod LEMP has been using ccache for years and Nginx and PHP-FPM source recompilations are up to 80% faster than without ccache! It would be a huge speed up for DirectAdmin source compilation routines i.e. CustomBuild.

I’d like to thank smtalk and bdacus01 on DirectAdmin forums for their answers to my questions and wonderful and insightful replies and knowledge provided by zEitEr on the DirectAdmin forums and his Poralik site. You can find me on the DirectAdmin forums as eva2000.

If you like this guide and want to try DirectAdmin out, checkout BuyVM.net’s dedicated KVM Slice VPS servers which bundle in a free DirectAdmin license ! Using my BuyVM.net referral link would also be much appreciated.