Title: Essential Security and Optimization Tips for Your DomainIndia.com VPS with DirectAdmin, AlmaLinux 8.6/CentOS, and CSF
Introduction:
After purchasing a VPS from DomainIndia.com with DirectAdmin and CSF pre-installed, there are additional steps you can take to ensure your server is secure and optimized for a shared hosting environment without CloudLinux. In this article, we'll discuss factors to check, securing PHP, installing Cockpit, whitelisting ports in CSF, and other considerations for shared web hosting providers with multiple websites.
1. Optimize PHP Settings:
To enhance security and performance, consider adjusting the following PHP settings:
- Disable dangerous PHP functions like `exec`, `shell_exec`, `system`, and `passthru`.
- Set appropriate `upload_max_filesize` and `post_max_size` limits.
- Configure `max_execution_time`, `max_input_time`, and `memory_limit` according to your requirements.
- Enable PHP error logging and set the log file path.
Here's how to configure the suggested PHP settings, enable `open_basedir`, and install ModSecurity:
1. Set `expose_php` to 'Off':
Edit the `php.ini` file for your PHP version (e.g., `/usr/local/php74/lib/php.ini` for PHP 7.4; DirectAdmin keeps one tree per installed version under `/usr/local/phpXX/`, so repeat each edit for every version you offer). Find the line containing `expose_php` and set it to 'Off' so the `X-Powered-By` header no longer advertises the exact PHP version:
expose_php = Off
2. Enable `open_basedir`:
`open_basedir` restricts the files a script may open to the listed directories (separate several with a colon). On a server with many hosting accounts a single global value in `php.ini` cannot do its job: a path wide enough for every account isolates nothing, and a narrower one breaks every site but one. Set it per account instead, in each account's PHP-FPM pool (`php_admin_value[open_basedir]`) or virtual host, which DirectAdmin generates from its templates. The global value below only makes sense when one account owns the whole server; always include `/tmp` (or wherever `upload_tmp_dir` and `session.save_path` point) or uploads and sessions will fail:
open_basedir = "/path/to/your/allowed/directory:/tmp"
3. Disable dangerous PHP functions:
Find the line containing `disable_functions` in the `php.ini` file and add the functions that hand a script a shell or a process handle. The list below is the minimum (section 5 applies a fuller list to every installed PHP version at once). Note that PHP treats a function alias as a separate entry, so disabling `show_source` alone still leaves `highlight_file` callable; list both:
disable_functions = "exec, shell_exec, system, passthru"
4. Configure PHP settings:
Find and modify the following lines in the `php.ini` file according to your requirements. Lower limits bound the damage a runaway or malicious script can do on a shared host; keep `post_max_size` at least as large as `upload_max_filesize`, otherwise uploads of that size are rejected:
upload_max_filesize = 64M
post_max_size = 64M
max_execution_time = 120
max_input_time = 120
memory_limit = 256M
5. Enable PHP error logging:
In the `php.ini` file, find and modify the following lines. The log file must be writable by the user PHP runs as and must not live under a web root, because error messages reveal file paths and sometimes credentials; for the same reason keep `display_errors` set to Off in production:
log_errors = On
error_log = "/path/to/your/php_error.log"
6. Install and Configure ModSecurity:
a. DirectAdmin builds its own Apache (and Nginx) through CustomBuild, so the distribution's `mod_security` package does not load into it. Enable the module and a rule set from the CustomBuild directory instead:
cd /usr/local/directadmin/custombuild
./build set modsecurity yes
./build set modsecurity_ruleset comodo
./build modsecurity
./build modsecurity_rules
./build rewrite_confs
(`owasp` is the other accepted `modsecurity_ruleset` value.) The same options apply when the webserver is Nginx, or Nginx in front of Apache: CustomBuild compiles the matching connector, so there is no need to build Nginx by hand as described at https://github.com/SpiderLabs/ModSecurity-nginx.
b. Confirm that the engine is on and not merely detecting. The directive to look for in the generated configuration under `/etc/httpd/conf/` is:
SecRuleEngine On
A value of `DetectionOnly` writes matches to the audit log but blocks nothing, which is easy to mistake for protection.
c. Restart Apache:
sudo systemctl restart httpd
After applying these changes, restart the web server and the PHP-FPM service of every PHP version you edited (DirectAdmin names the services after the version, e.g. `php-fpm74`):
sudo systemctl restart httpd
sudo systemctl restart php-fpm74
Replace `httpd` with `nginx` if you are using Nginx instead of Apache. Then verify the live values with the matching CLI binary rather than trusting the file, e.g. `/usr/local/php74/bin/php -i | grep -E 'expose_php|disable_functions|open_basedir'`.
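The usual way these edits fail is silently: a commented-out line, a duplicate directive later in the file, or a version tree that was never touched. The script below is an added example (not from the original article and not part of DirectAdmin's own tooling) that audits a php.ini for the directives this section sets and for the core of the `disable_functions` list that section 5 applies, reading the file the way PHP does (comment lines ignored, last occurrence wins, quotes stripped). The `/usr/local/php74/lib/php.ini` path follows the convention above; the two sample files it builds are constructed here so the check runs offline.

```shell
#!/bin/bash
# Added example (not from the original article): audit a DirectAdmin-style
# php.ini for the hardening directives discussed above. Run it once per PHP
# version, e.g.:  audit_php_ini /usr/local/php74/lib/php.ini
# Exit status 0 means every check passed; each check prints an OK/FAIL line.

# Print the effective value of one directive. Comment lines (; or #) are
# skipped, the value is everything after the first "=", surrounding
# whitespace and double quotes are stripped, and if a directive appears
# twice the last occurrence wins, which is how PHP itself reads php.ini.
ini_get() {
    awk -v k="$2" '
        /^[[:space:]]*[;#]/ { next }
        index($0, "=") == 0  { next }
        {
            key = substr($0, 1, index($0, "=") - 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            if (key != k) next
            val = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            gsub(/^"|"$/, "", val)
        }
        END { print val }' "$1"
}

# Print the names in $2 (space separated) that are absent from the comma
# separated disable_functions value $1; empty output means full coverage.
missing_disabled() {
    local listed missing="" fn
    listed=$(printf '%s' "$1" | tr ', ' '\n\n' | sed '/^$/d')
    for fn in $2; do
        printf '%s\n' "$listed" | grep -qxF "$fn" || missing="$missing $fn"
    done
    printf '%s' "${missing# }"
}

# Functions that give a script a shell or a process handle; section 5's
# list is longer, these are the ones no shared-hosting account needs.
REQUIRED_DISABLED="exec system passthru shell_exec proc_open popen dl"

audit_php_ini() {
    local file="$1" rc=0 v m
    [ -r "$file" ] || { echo "FAIL cannot read $file"; return 1; }

    v=$(ini_get "$file" expose_php | tr 'A-Z' 'a-z')
    case "$v" in
        off|0) echo "OK   expose_php is off" ;;
        *)     echo "FAIL expose_php=${v:-<unset, PHP defaults to On>}"; rc=1 ;;
    esac

    v=$(ini_get "$file" log_errors | tr 'A-Z' 'a-z')
    case "$v" in
        on|1) echo "OK   log_errors is on, error_log=$(ini_get "$file" error_log)" ;;
        *)    echo "FAIL log_errors=${v:-<unset>}"; rc=1 ;;
    esac

    # Remote file inclusion: a classic shared-host escalation path.
    v=$(ini_get "$file" allow_url_include | tr 'A-Z' 'a-z')
    case "$v" in
        on|1) echo "FAIL allow_url_include is on"; rc=1 ;;
        *)    echo "OK   allow_url_include is off" ;;
    esac

    m=$(missing_disabled "$(ini_get "$file" disable_functions)" "$REQUIRED_DISABLED")
    if [ -z "$m" ]; then
        echo "OK   disable_functions covers: $REQUIRED_DISABLED"
    else
        echo "FAIL disable_functions is missing: $m"; rc=1
    fi
    return $rc
}

# Constructed sample files for a dry run. The "bad" one keeps PHP defaults
# and carries a commented-out hardening line that a naive grep would accept.
make_sample_ini() {
    local f
    f=$(mktemp)
    if [ "$1" = good ]; then
        cat > "$f" <<'EOF'
expose_php = Off
log_errors = On
error_log = "/var/log/php_error.log"
allow_url_include = Off
disable_functions = "exec, shell_exec, system, passthru, proc_open, popen, dl"
EOF
    else
        cat > "$f" <<'EOF'
; expose_php = Off
expose_php = On
disable_functions = "exec,shell_exec"
allow_url_include = On
EOF
    fi
    printf '%s' "$f"
}
```

Loop it over `/usr/local/php*/lib/php.ini` after section 5's rebuild and you get one report per installed version; a FAIL on a version you thought was retired usually means a customer is still selecting it in the panel.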
2. Install and Configure Cockpit:
Cockpit is a web-based server management tool that makes it easy to monitor and manage your VPS. To install Cockpit, follow these steps:
a. Install Cockpit:
sudo yum install cockpit
b. Enable and start the Cockpit service:
sudo systemctl enable --now cockpit.socket
c. Open the port in CSF. A listening service only needs an inbound rule, so add `9090` to `TCP_IN` in `/etc/csf/csf.conf` (`TCP_OUT` governs connections the server itself initiates and does not need to change). Cockpit authenticates against the system's own accounts, root included, so rather than exposing it to the whole internet prefer to leave 9090 out of `TCP_IN` and permit only your management address with an advanced rule in `/etc/csf/csf.allow` (replace the address with your own):
tcp|in|d=9090|s=203.0.113.10
Then restart CSF so the rules are reloaded:
sudo csf -r
d. Access Cockpit by navigating to `https://your_server_ip:9090` in your browser and log in with a system account (the same credentials as SSH). Cockpit starts with a self-signed certificate, so the browser will warn on first visit; verify the fingerprint rather than clicking through, or install a proper certificate under `/etc/cockpit/ws-certs.d/`.
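Opening ports by hand-editing `csf.conf` is where duplicates and broken quoting creep in. The functions below are an added example (not from the original article or from CSF itself) of doing the Cockpit step programmatically: append a port to `TCP_IN` only if it is not already listed, and write the per-source `csf.allow` rule exactly once. The real files are `/etc/csf/csf.conf` and `/etc/csf/csf.allow`; the excerpt used here is constructed so the functions can be exercised offline, and `203.0.113.10` stands in for your management address.

```shell
#!/bin/bash
# Added example (not from the original article): open a port in CSF without
# hand-editing csf.conf, and restrict it to one source address.

# Print the value of a csf.conf list such as TCP_IN, without the quotes.
csf_get_list() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\\(.*\\)\"/\\1/p" "$1" | tail -n 1
}

# Append port $3 to list $2 in csf.conf $1 unless it is already listed.
# Returns 0 if the file changed, 2 if the port was already present.
# Ranges such as 30000:35000 are left untouched; membership is checked on
# exact entries only, so a port that lies inside a range is still appended.
csf_add_port() {
    local file="$1" list="$2" port="$3" cur
    cur=$(csf_get_list "$file" "$list")
    case ",$cur," in
        *",$port,"*) return 2 ;;
    esac
    sed -i "s/^$list[[:space:]]*=[[:space:]]*\".*\"/$list = \"$cur,$port\"/" "$file"
}

# Permit one source address to reach one port with an advanced csf.allow
# rule. csf.allow is evaluated before TCP_IN, so the port can stay closed
# to everyone else. Idempotent: the rule is written only once.
csf_allow_from() {
    local allowfile="$1" port="$2" src="$3" rule
    rule="tcp|in|d=$port|s=$src"
    grep -qxF "$rule" "$allowfile" 2>/dev/null || echo "$rule" >> "$allowfile"
}

# Constructed excerpt of csf.conf with DirectAdmin's default port 2222 open.
make_sample_csf_conf() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed excerpt of /etc/csf/csf.conf
TESTING = "0"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2222"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
EOF
    printf '%s' "$f"
}

# Dry run: Cockpit reachable only from the admin workstation, the public
# list left as it was. On a real server finish with:  csf -r
demo() {
    local conf allow
    conf=$(make_sample_csf_conf)
    allow=$(mktemp)
    csf_allow_from "$allow" 9090 203.0.113.10
    csf_add_port "$conf" TCP_IN 443 || echo "443 was already open"
    echo "TCP_IN=$(csf_get_list "$conf" TCP_IN)"
    cat "$allow"
    rm -f "$conf" "$allow"
}
demo
```

The same two functions cover the reverse-proxy section later in the article: 80 and 443 go into `TCP_IN`, while Apache's backend ports never do.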
3. Harden DirectAdmin and User Accounts:
Take the following steps to ensure your DirectAdmin control panel and user accounts are secure:
- Enable SSL/TLS for the control panel and enforce HTTPS connections.
- Use strong passwords for admin and user accounts.
- Keep the control panel and its plugins up-to-date.
- Restrict access to the DirectAdmin port (2222 by default) to trusted addresses in CSF where your workflow allows, and never leave backups or configuration exports under a web root.
- Enable ModSecurity and configure custom rules.
4. Secure Web Applications:
Ensure that all web applications hosted on your VPS are regularly updated and secured. Follow best practices like:
- Removing unused plugins and themes.
- Using strong passwords and two-factor authentication.
- Regularly backing up data and configurations.
- Ensuring file and directory permissions are set correctly.
5. Enable Secure PHP with CustomBuild in DirectAdmin:
CustomBuild can write the `disable_functions` list into the `php.ini` of every installed PHP version in one step, which is more reliable than editing each file by hand:
a. Navigate to the CustomBuild directory:
cd /usr/local/directadmin/custombuild/
b. Run the build script to enable secure PHP:
./build secure_php
c. Customize the `disable_functions` list by creating a custom configuration file, then re-run the step so the new list is applied. `highlight_file` is included next to `show_source` because PHP disables aliases individually:
mkdir -p custom
echo "exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,highlight_file,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname" > custom/php_disable_functions
./build secure_php
d. Confirm the `disable_functions` for all PHP versions, then restart the `php-fpmXX` services so running workers pick up the change:
grep disable_functions /usr/local/php*/lib/php.ini
6. Set up an Nginx Reverse Proxy:
A reverse proxy accepts the client's connection and fetches the response from another server on the client's behalf. With Nginx in front of Apache, Nginx serves static assets, terminates TLS and absorbs slow or abusive connections, while Apache keeps running the PHP sites and the per-user `.htaccess` rules that hosting customers rely on.
On a DirectAdmin server the supported way to get this layout is CustomBuild's `nginx_apache` webserver mode (`./build set webserver nginx_apache`, then `./build nginx_apache` and `./build rewrite_confs`), which builds both daemons, moves Apache to loopback ports and regenerates every virtual host from DirectAdmin's templates. The manual steps below show what that mode sets up, so you can audit the result or reproduce it on a server CustomBuild does not manage; hand edits to `/etc/httpd/conf/httpd.conf` and to the DirectAdmin-generated virtual hosts are overwritten by the next `./build rewrite_confs`.
a. Install Nginx:
sudo yum install nginx
b. Configure Nginx as a reverse proxy. Put the following inside the `http` block of `/etc/nginx/nginx.conf` (or in a file under `/etc/nginx/conf.d/`, which the stock `nginx.conf` includes). A shared host serves many domains, so the server block is a catch-all rather than one block per site; Apache still selects the right virtual host from the forwarded `Host` header. The cache is declared and then actually used, with a bypass for any request carrying cookies or credentials: caching those would hand one visitor's logged-in page to the next.
# Proxy cache and timeouts (http level)
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=apache_cache:10m max_size=1g inactive=60m;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_cache_valid 200 302 60m;
proxy_cache_valid 404 1m;
# Catch-all server block: every hostname is relayed to Apache on the loopback interface
server {
listen 80 default_server;
server_name _;
location / {
proxy_pass http://127.0.0.1:8080; # Forward requests to Apache
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Cache anonymous responses only; anything with a cookie or Authorization header goes straight to Apache
proxy_cache apache_cache;
proxy_cache_bypass $http_cookie $http_authorization;
proxy_no_cache $http_cookie $http_authorization;
}
}
c. Restart Nginx:
sudo systemctl restart nginx
d. Make Apache listen only on the loopback interface, so that port 8080 cannot be reached from the internet. If Apache bound `0.0.0.0:8080`, a client could skip Nginx and with it every rate limit or ModSecurity rule enforced there. In `/etc/httpd/conf/httpd.conf` change the `Listen` directive to:
Listen 127.0.0.1:8080
Because every request now arrives from 127.0.0.1, Apache's logs, ModSecurity and therefore CSF/LFD would only ever see the proxy's address and could never block a real attacker. Restore the client address with `mod_remoteip`, trusting the forwarded header only when the proxy itself sent it:
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.1
e. Restart Apache:
sudo systemctl restart httpd
f. Tell DirectAdmin which ports Apache now uses so that the virtual hosts it generates match. CustomBuild's `nginx_apache` mode sets these for you (Apache on 8080 and 8081 behind Nginx on 80 and 443); if you are configuring by hand, set the corresponding values in `/usr/local/directadmin/conf/directadmin.conf`:
port_80=8080
port_443=8081
g. Restart DirectAdmin:
sudo systemctl restart directadmin
Nginx now owns the public HTTP and HTTPS sockets and relays requests to Apache on the loopback ports, so the backend never has to be reachable from outside. Keep 8080 and 8081 out of `TCP_IN` in CSF; only 80 and 443 belong there. Terminate TLS in Nginx (a `listen 443 ssl` server block with each site's certificate) rather than passing HTTPS through untouched, otherwise `X-Forwarded-Proto` is never `https` and applications behind the proxy will emit insecure redirects.
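The whole point of the layout is that Apache is unreachable except through Nginx, which is a property of the listening sockets rather than of any config file. The check below is an added example (not from the original article) that reads `ss -ltnpH` output and flags a backend port bound to anything other than loopback, or a public port owned by something other than nginx. The listing it consumes here is constructed and deliberately includes Apache on `0.0.0.0:8080`; on a server, pipe the real command into `check_listeners`.

```shell
#!/bin/bash
# Added example (not from the original article): confirm that Nginx owns the
# public web ports and Apache is bound only to the loopback interface.
# On a live server:   ss -ltnpH | check_listeners
# The listing used below is constructed and contains one misconfiguration,
# Apache bound to 0.0.0.0:8080, which lets a client bypass Nginx entirely.

# Reads `ss -ltnpH` lines (LISTEN sockets, numeric, with owning process) on
# stdin, prints one line per problem and returns 1 if any problem was found.
check_listeners() {
    awk '
    {
        # Field 4 is Local Address:Port, e.g. 0.0.0.0:8080, 127.0.0.1:8081, [::]:443
        n = split($4, parts, ":")
        port = parts[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        proc = "?"
        # users:(("httpd",pid=1330,fd=4),...) -> first process name
        if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)

        # Backend ports must never be reachable from outside the host
        if ((port == 8080 || port == 8081) && addr != "127.0.0.1" && addr != "[::1]") {
            print "BAD  " proc " listens on " $4 " (backend reachable without the proxy)"
            bad = 1
        }
        # Only the proxy may own the public HTTP/HTTPS sockets
        if ((port == 80 || port == 443) && proc != "nginx") {
            print "BAD  " proc " owns " $4 " instead of nginx"
            bad = 1
        }
    }
    END { exit bad }'
}

# Constructed ss listings for a dry run; "bad" puts Apache on 0.0.0.0:8080.
sample_ss() {
    local apache_bind="127.0.0.1:8080"
    if [ "$1" = bad ]; then apache_bind="0.0.0.0:8080"; fi
    cat <<EOF
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1210,fd=6),("nginx",pid=1209,fd=6))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1210,fd=7),("nginx",pid=1209,fd=7))
LISTEN 0 511 $apache_bind 0.0.0.0:* users:(("httpd",pid=1330,fd=4),("httpd",pid=1329,fd=4))
LISTEN 0 511 127.0.0.1:8081 0.0.0.0:* users:(("httpd",pid=1330,fd=5),("httpd",pid=1329,fd=5))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))
LISTEN 0 4096 0.0.0.0:2222 0.0.0.0:* users:(("directadmin",pid=1100,fd=5))
EOF
}

# Dry run against the deliberately broken listing.
sample_ss bad | check_listeners || echo "fix the Listen directive before opening the firewall"
```

Run the real command both before and after `./build rewrite_confs`: a template rebuild that quietly restores `Listen 8080` is exactly the regression this catches.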
7. Monitor Logs and Traffic:
Review server logs regularly; a brute-force run or a web shell upload is usually visible there well before it does damage. The files to watch on this stack:
- DirectAdmin logs: `/var/log/directadmin` (failed logins against the panel are recorded in `security.log`)
- Apache logs: `/var/log/httpd` for the server itself, and `/var/log/httpd/domains/<domain>.log` and `<domain>.error.log` for each hosted site
- CSF/LFD logs: `/var/log/lfd.log` records what lfd blocked and why; the trigger name appears in brackets at the end of the line, e.g. `[LF_SSHD]`
- SSH and system authentication: `/var/log/secure`
Also monitor the server's traffic for unusual patterns (outbound connections from a web-server user, sudden spikes against a login page) and set up alerts for them; CSF's `LF_ALERT_TO` setting in `csf.conf` emails lfd's block notifications to an address of your choice.
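Two detections worth running over those files, as an added example (not from the original article): a summary of what lfd has been blocking, and a check for password guessing against WordPress, which lfd cannot see because it watches system authentication logs, not application logins. The log lines are constructed for this dry run and only approximate the real formats; on a server, point the functions at `/var/log/lfd.log` and at a site's `/var/log/httpd/domains/<domain>.log`.

```shell
#!/bin/bash
# Added example (not from the original article): two detections over the
# logs listed above, using constructed sample lines.

# Count lfd blocks per trigger (the bracketed tag that ends every
# "*Blocked in csf*" line), most frequent first: "count TRIGGER" per line.
lfd_blocks_by_trigger() {
    grep 'Blocked in csf' "$1" | grep -o '\[[A-Z_]*\]$' | tr -d '[]' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Addresses that POSTed to wp-login.php at least $2 times in access log $1,
# printed as "IP count", busiest first. Field 6 is the quoted method and
# field 7 the request path in Apache's combined log format.
login_bruteforce() {
    awk -v th="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= th) print ip, n[ip] }' "$1" | sort -k2,2 -rn
}

# Constructed lfd.log excerpt (203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges). The last line is not a block and must be ignored.
make_sample_lfd_log() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar 10 04:12:01 vps lfd[2311]: (sshd) Failed SSH login from 203.0.113.5 (US/United States/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Mar 10 04:15:40 vps lfd[2311]: (smtpauth) Failed SMTP AUTH login from 198.51.100.7 (XX/-/-): 10 in the last 3600 secs - *Blocked in csf* [LF_SMTPAUTH]
Mar 10 04:16:02 vps lfd[2311]: *Port Scan* detected from 198.51.100.9 (XX/-/-). 11 hits in the last 86 seconds - *Blocked in csf* [PS_LIMIT]
Mar 10 05:20:13 vps lfd[2311]: (sshd) Failed SSH login from 203.0.113.5 (US/United States/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Mar 10 05:22:00 vps lfd[2311]: *Temporary Block* removed for 198.51.100.9
EOF
    printf '%s' "$f"
}

# Constructed per-domain access log: one address hammering the login form,
# one legitimate visitor, one stray attempt.
make_sample_access_log() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.5 - - [10/Mar/2023:04:30:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2023:04:30:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2023:04:30:03 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2023:04:30:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2023:04:31:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.61.1"
203.0.113.5 - - [10/Mar/2023:04:30:04 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
EOF
    printf '%s' "$f"
}

# Dry run over the constructed files.
lfd=$(make_sample_lfd_log)
acc=$(make_sample_access_log)
echo "lfd blocks by trigger:"; lfd_blocks_by_trigger "$lfd"
echo "login brute force (>= 3 POSTs):"; login_bruteforce "$acc" 3
rm -f "$lfd" "$acc"
```

An address that `login_bruteforce` reports can be handed to CSF directly with `csf -d <ip>`; with the Nginx proxy from section 6 in place this only works because `mod_remoteip` restored the real client address in Apache's log.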