How to install DirectAdmin on CentOS 8
I decided to install DirectAdmin on CentOS 8 for my new server. I bought a new license and an SSL certificate too. I have been using DirectAdmin on my CentOS 7 server for a few years and I love it. As you know, CentOS EOL is 2024; it is not soon, but I still want to use a newer OS, so that is why I chose to install DirectAdmin on CentOS 8.
This guide covers the general steps to install DirectAdmin on CentOS 8. If you have any questions regarding the steps, just contact me on Discord (bottom of the page).
I freshly installed CentOS 8 on my VDS server. I set up my hostname during installation, but I still need to check the server hostname.
Command to check the server hostname:
uname -n
hostname
Here is the output from my server:
Seems right. Let's move on.
Make sure your domain hostname is the same one you got the DirectAdmin license for. If it is not, you can change it with this command:
hostnamectl set-hostname hostname.yourdomain.com
After that you can verify that you changed it correctly with this command:
hostnamectl status
After that, let’s update our CentOS 8 server because we just installed it.
Command to update the server:
yum update -y
After the update is finished, follow these steps to add the repositories below. We need them for PHP 7.4 and the Memcached extension. You can also follow these commands to enable PowerTools on your CentOS 8 server.
yum clean all
yum -y install yum-utils wget gcc gcc-c++ flex bison make perl-libwww-perl perl-DBI bind bind-libs bind-utils libaio libcom_err-devel openssl openssl-devel perl quota libcurl-devel gd zlib-devel zip unzip libcap-devel cronie bzip2 cyrus-sasl-devel perl-ExtUtils-Embed autoconf automake libtool which patch mailx bzip2-devel lsof glibc-headers kernel-devel expat-devel psmisc net-tools systemd-devel libdb-devel xfsprogs rsyslog logrotate crontabs file kernel-headers nano cmake cmake3 sysstat mlocate bc
# EPEL & Remi YUM repo
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
dnf install https://rpms.remirepo.net/enterprise/remi-release-8.rpm
# disable Remi & EPEL by default and only enable manually when needed
yum-config-manager --disable remi epel
yum -q list jq nghttp2 redis memcached memcached-devel libmemcached-devel libmemcached screen GeoIP-devel GeoIP --enablerepo=powertools,epel,remi
yum -y install jq nghttp2 redis memcached memcached-devel libmemcached-devel libmemcached screen GeoIP-devel GeoIP --enablerepo=powertools,epel,remi
updatedb
We installed everything we need. Next we have to disable SELinux:
Disabling SELinux
setenforce 0
sed -i 's|^SELINUX=enforcing|SELINUX=disabled|' /etc/selinux/config
After all these updates and the SELinux change, we have to reboot our server.
Command to reboot the server:
reboot
Our server is ready, so let's install DirectAdmin on CentOS 8.
First we need to create a folder to store our install scripts. After that, give the script execute permission.
mkdir -p /root/tools
cd /root/tools
wget -4 https://www.directadmin.com/setup.sh
chmod 755 setup.sh
Our DirectAdmin install file is ready, but we should get our DirectAdmin license information ready before starting the installation, because it will ask for it during installation.
Also, you have to know your server’s network interface name. You can find it with this command:
Command to get the server’s Ethernet interface name:
/sbin/ifconfig
Output of the command:
Make sure your hostname is like subdomain.domain.com, otherwise it will corrupt things during the installation.
Before that, it will ask you:
Would you like to install these required pre-install packages? (y/n): y
You can see DirectAdmin asks for the Client ID, License ID and hostname. If you don’t have a license you should buy one from https://www.directadmin.com/
Also, I want to choose the PHP version myself, so I said no to the first question:
Would you like the default settings of apache and php 7.4 as php-fpm? (yes/no, default): n
Here are my answers (if you see empty answers it means I chose the default):
After all the questions are finished, the DirectAdmin installation starts on the CentOS 8 server. Installation takes time, depending on your server's power.
Installation continues in screen mode:
If you get disconnected from the current SSH connection, you can reattach the DirectAdmin install screen with this command:
screen -r directadmin
Get the screen ID and detach it:
screen -D IDofYourScreen.directadmin
After that, reattach:
screen -r directadmin
After the installation has finished, if you didn’t lose your SSH connection, you can use the exit command to log out of the screen session.
Setup will give you the DirectAdmin login information after it finishes. However, you can’t connect to the DirectAdmin panel unless you disable your firewall or enable access to port 2222.
Command to allow port 2222 through the firewall:
firewall-cmd --permanent --zone=public --add-port=2222/tcp
Check the firewall status:
service firewalld status
If it is active and you have just allowed port 2222, let's see if it works:
firewall-cmd --zone=public --list-ports
If this command returns nothing, you need to reload the firewall to apply the changes:
firewall-cmd --reload
After that you can see the port is allowed.
Output:
[root@server ~]# firewall-cmd --zone=public --list-ports
2222/tcp
Let's enable the other ports and services with firewall-cmd:
firewall-cmd --permanent --zone=public --add-port=22/tcp
firewall-cmd --permanent --zone=public --add-port=2222/tcp
firewall-cmd --permanent --zone=public --add-port=9418/tcp
firewall-cmd --permanent --zone=public --add-port=35000-35999/tcp
firewall-cmd --permanent --zone=public --add-service=dns
firewall-cmd --permanent --zone=public --add-service=ftp
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=public --add-service=imap
firewall-cmd --permanent --zone=public --add-service=imaps
firewall-cmd --permanent --zone=public --add-service=pop3
firewall-cmd --permanent --zone=public --add-service=pop3s
firewall-cmd --permanent --zone=public --add-service=smtp
firewall-cmd --permanent --zone=public --add-service=smtps
firewall-cmd --permanent --zone=public --add-service=smtp-submission
firewall-cmd --reload
firewall-cmd --zone=public --list-ports
firewall-cmd --zone=public --list-services
You can check whether you can access your DirectAdmin panel: http://subdomain.domain.com:2222
Post-Install DirectAdmin Configuration
Our DirectAdmin server is ready, but we need to do some tweaks for better security and performance.
First, the Apache settings. ServerSignature is already set to Off, so there is nothing to change. ServerTokens should be changed from Major to Prod. Follow the commands.
Check Apache settings:
egrep '^ServerTokens|^ServerSignature' /etc/httpd/conf/extra/httpd-default.conf
ServerTokens Major
ServerSignature Off
Replace the settings:
sed -i 's|^ServerTokens .*|ServerTokens Prod|' /etc/httpd/conf/extra/httpd-default.conf
sed -i 's|^ServerSignature .*|ServerSignature Off|' /etc/httpd/conf/extra/httpd-default.conf
After that verify the changes in Apache settings:
egrep '^ServerTokens|^ServerSignature' /etc/httpd/conf/extra/httpd-default.conf
ServerTokens Prod
ServerSignature Off
DirectAdmin overwrites config files after every update. Thus, we need to create a custom folder for extra config files to prevent DirectAdmin from overwriting our custom settings.
cd /usr/local/directadmin/custombuild/
mkdir -p custom/ap2/conf/extra/
cp -p /etc/httpd/conf/extra/httpd-default.conf /usr/local/directadmin/custombuild/custom/ap2/conf/extra/
cp -p /etc/httpd/conf/extra/httpd-mpm.conf /usr/local/directadmin/custombuild/custom/ap2/conf/extra/
Let’s test our config file to make sure it is free of syntax errors:
httpd -t
Syntax OK
Don’t forget to restart the Apache service:
service httpd restart
Apache version information is hidden now:
Let's set up DirectAdmin notifications for updates:
options.conf includes the cron settings for notifications. The file is under /usr/local/directadmin/custombuild
Open it with an editor:
nano /usr/local/directadmin/custombuild/options.conf
Change the settings as you wish. Don’t forget to change the email.
#Cronjob Settings
cron=yes
cron_frequency=weekly
email=you@example.com
notifications=yes
da_autoupdate=yes
updates=no
webapps_updates=yes
After making the changes, type:
./build cron
It will write your settings.
Example output:
Cronjob is set for MYEMAILADDRESS:
Cronjob frequency: weekly
Automatic notifications: yes
Automatic updates: no
In DirectAdmin we need to disable username access for security (disable /~username access).
Use CustomBuild 2.0 for that. Follow the commands:
cd /usr/local/directadmin/custombuild
./build set userdir_access no
./build rewrite_confs
We can install many addons with CustomBuild 2.0, for example ClamAV, Maldet, AWStats or PHP modules.
Security is the most important thing, and it is important to keep the DirectAdmin files clean. Thus, we will install scanning modules.
Installing ClamAV with CustomBuild 2.0. For emails, we will also add Exim ClamAV support.
cd /usr/local/directadmin/custombuild
./build update
./build set clamav yes
./build set clamav_exim yes
./build set exim yes
./build set eximconf yes
./build set eximconf_release 4.5
./build clamav
./build exim
./build exim_conf
After that, we can install Maldet
cd /usr/local/src
wget -4 http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -zxvf maldetect-current.tar.gz
cd $(ls -1d maldetect-*/ | tail -1)
./install.sh
Add support for Malware.Expert definitions:
echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.ndb" >> /etc/freshclam.conf
echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.hdb" >> /etc/freshclam.conf
echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.ldb" >> /etc/freshclam.conf
echo "DatabaseCustomURL http://cdn.malware.expert/malware.expert.fp" >> /etc/freshclam.conf
service freshclam restart
ls -la /usr/local/share/clamav/malware.expert.* /var/lib/clamav/malware.expert.*
AWStats is an open-source web analytics tool. To install AWStats on DirectAdmin with CustomBuild 2.0, follow these steps:
cd /usr/local/directadmin/custombuild
./build set awstats yes
./build awstats
Image conversions are very popular because the new WebP converter plugins for WordPress recommend them a lot. Installing Imagick with CustomBuild on DirectAdmin is very easy.
cd /usr/local/directadmin/custombuild
./build update
./build set imagick yes
./build imagick
If you have used DirectAdmin before, you might have heard of Poralix. They provide custom scripts for DirectAdmin.
If you use CentOS 7 or 8 you need to modify the Poralix settings because the default ones now work with newer CentOS versions.
We will install Memcached, the Memcache extensions, GeoIP and PHP Redis.
To install the Memcache PHP extensions for Memcached on CentOS 8 (this is for DirectAdmin: Install Memcached for DirectAdmin):
Follow these commands:
mkdir -p /root/tools/poralix
cd /root/tools/poralix
wget -4 https://raw.githubusercontent.com/poralix/directadmin-utils/master/php/php-extension.sh -O php-extension.sh
chmod 750 php-extension.sh
./php-extension.sh install redis
./php-extension.sh install geoip --beta
./php-extension.sh install memcached
./php-extension.sh install memcache --beta
If you get any error about libmemcached like:
- Error: Unable to find a match: libmemcached-devel
- memcached support requires libmemcached
- Unable to find memcached.h under /usr/include/libmemcached
- configure: error: no, libmemcached sasl support is not enabled. Run configure with --disable-memcached-sasl to disable this check
Please re-install the prerequisites from the first paragraph.
If your server has more than 2 CPUs you should definitely enable pigz support for DirectAdmin. It will use all CPU threads when you back up folders. It is very handy and a time saver.
First, check your server's CPU threads with this command:
grep -c "processor" /proc/cpuinfo
If the CPU thread count is above 2, you can enable pigz support in DirectAdmin.
As always, we will use CustomBuild 2.0 for enabling pigz:
cd /usr/local/directadmin/custombuild
./build update
./build pigz
If you are planning to use Let's Encrypt in DirectAdmin, you have to add additional settings for DirectAdmin.
First, verify whether SNI and Let's Encrypt are enabled. If not, follow these commands:
Check the current settings:
egrep 'enable_ssl_sni=|letsencrypt=' /usr/local/directadmin/conf/directadmin.conf
If it returns only the letsencrypt entry, we need to enable both of them.
Before making changes, let's copy our conf file:
cp /usr/local/directadmin/conf/directadmin.conf /usr/local/directadmin/conf/directadmin.conf.bak
Add enable_ssl_sni to the end of the DirectAdmin conf file:
echo "enable_ssl_sni=1" >> /usr/local/directadmin/conf/directadmin.conf
Let's check again:
egrep 'enable_ssl_sni=|letsencrypt=' /usr/local/directadmin/conf/directadmin.conf
chown diradmin:diradmin /usr/local/directadmin/conf/directadmin.conf
If you want wildcard domain SSL certificate support via Let’s Encrypt, ensure dns_ttl=1 is set in directadmin.conf.
echo "dns_ttl=1" >> /usr/local/directadmin/conf/directadmin.conf
We need to apply the changes, so let's restart DirectAdmin:
echo "action=directadmin&value=restart" >> /usr/local/directadmin/data/task.queue; /usr/local/directadmin/dataskq d2000
Add the /.well-known Alias with custombuild:
cd /usr/local/directadmin/custombuild
./build rewrite_confs
Install the most recent version of the Letsencrypt with these commands :
cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt
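Appending with echo >> adds another line every time the command is repeated, so directadmin.conf can end up with duplicate or conflicting keys. The following is an added example, not part of the original guide: set_conf_option and get_conf_option are hypothetical helper names, and the demo runs on a constructed temporary file, not the real directadmin.conf.

```shell
#!/bin/sh
# Added example: idempotent key=value edits for a DirectAdmin-style config file.
# set_conf_option / get_conf_option are hypothetical helper names.

# get_conf_option FILE KEY -> prints every value currently set for KEY
get_conf_option() {
    sed -n "s/^$2=//p" "$1"
}

# set_conf_option FILE KEY VALUE -> leaves exactly one "KEY=VALUE" line
set_conf_option() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || { echo "missing config: $file" >&2; return 1; }
    # One-time backup, like the directadmin.conf.bak copy in the guide
    [ -f "$file.bak" ] || cp -p "$file" "$file.bak"
    tmp=$(mktemp) || return 1
    # Keep every line that does not start with "KEY=", then add the wanted line
    awk -v k="$key" 'index($0, k "=") != 1' "$file" > "$tmp"
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    # Write back in place so the file keeps its owner and mode
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Demo on a constructed file (not /usr/local/directadmin/conf/directadmin.conf)
demo=$(mktemp)
printf 'letsencrypt=1\nenable_ssl_sni=0\n' > "$demo"
set_conf_option "$demo" enable_ssl_sni 1
set_conf_option "$demo" enable_ssl_sni 1   # repeating the call adds no second line
set_conf_option "$demo" dns_ttl 1
cat "$demo"
rm -f "$demo" "$demo.bak"
```

Against the real file the call would be set_conf_option /usr/local/directadmin/conf/directadmin.conf enable_ssl_sni 1, followed by the DirectAdmin restart shown above.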
I own a paid SSL certificate, so I upload my SSL files to: /usr/local/directadmin/conf
and edit directadmin.conf
nano /usr/local/directadmin/conf/directadmin.conf
These are my SSL settings with a custom SSL certificate:
ssl=1
force_hostname=webhosting.domain.com
ssl_redirect_host=webhosting.domain.com
cacert=/usr/local/directadmin/conf/server.crt
cakey=/usr/local/directadmin/conf/server.key
carootcert=/usr/local/directadmin/conf/server.ca
After that, restart DirectAdmin:
service directadmin restart
Now you can use DirectAdmin with SSL.
phpMyAdmin SSL settings on DirectAdmin
phpMyAdmin uses the SSL files through Apache, so install your SSL files in /etc/httpd/conf/
/etc/httpd/conf/ssl.crt/server.ca
/etc/httpd/conf/ssl.crt/server.crt
/etc/httpd/conf/ssl.crt/server.crt.combined
/etc/httpd/conf/ssl.key/server.key
Inside the ssl.crt folder there should be a dhparams.pem. It is there by default, so don’t delete it.
phpMyAdmin uses the Apache conf; you can check this config file:
nano /etc/httpd/conf/extra/httpd-ssl.conf
server.crt.combined and server.crt are the same file but with different names. DirectAdmin creates the users' nginx files and points their SSL settings to server.crt.combined. That's why I have both files with different names.
Also, Apache uses /etc/httpd/conf/ssl.crt/server.crt.combined in newly created httpd.conf files for domains. I don't know why.
/etc/httpd/conf/ssl.crt/server.crt.combined contains in order:
SSL CERTIFICATE.txt
AlphaSSL Intermediate CA.txt
Root Certificates.txt
It is the same as server.crt.
https://forum.directadmin.com/threads/ssl-location-is-different-apache-cant-restart.64932/
After all settings are set up:
service httpd restart
service directadmin restart
Install CSF Firewall for DirectAdmin
CSF Firewall is easier to use than Firewalld. Thus, we will remove Firewalld and install CSF Firewall on CentOS 8.
Removing firewalld:
systemctl disable firewalld
systemctl stop firewalld
Install iptables:
yum -y install iptables-services
systemctl start iptables
systemctl start ip6tables
systemctl enable iptables
systemctl enable ip6tables
We will use CSF Firewall with Brute Force Monitor (BFM). We need to add BFM support to CSF Firewall in order to use that.
You remember Poralix, right? Let's use their csf-bfm-install.sh script to install it:
mkdir -p /root/tools/poralix
cd /root/tools/poralix
wget -4 -O csf-bfm-install.sh https://raw.githubusercontent.com/poralix/directadmin-bfm-csf/master/install.sh
chmod 700 csf-bfm-install.sh
./csf-bfm-install.sh
To upgrade using Poralix’s script:
mkdir -p /root/tools/poralix
cd /root/tools/poralix
wget -4 -O csf-bfm-update.sh https://raw.githubusercontent.com/poralix/directadmin-bfm-csf/master/update.sh
chmod 700 csf-bfm-update.sh
./csf-bfm-update.sh
Check if testing is enabled:
grep '^TESTING =' /etc/csf/csf.conf
Also check the ports.
Inspecting whitelisted CSF Firewall ports:
egrep '^TCP_|^TCP6_|^UDP_|^UDP6_' /etc/csf/csf.conf
Output:
Check CSF Firewall profile backup
csf --profile list
Create a backup:
csf --profile backup after-csf-bfm-install
Check CSF Firewall profile backup again
csf --profile list
Finally, ensure the CSF Firewall and LFD daemon start up on server reboots:
chkconfig lfd on
chkconfig csf on
Double check CSF Firewall works via csftest.pl
perl /etc/csf/csftest.pl
After installing it, check the config file:
cat /root/directadmin-bfm-csf.conf
If it is not created, create one:
nano /root/directadmin-bfm-csf.conf
USE_PORT_SELECTED_BLOCK="1";
CSF_GREP_API_CALL="0";
DEBUG="0";
FTP_PORTS="20 21";
SSH_PORTS="22";
WEB_PORTS="80 443";
EXIM_PORTS="25 465 587";
DOVECOT_PORTS="110 143 993 995";
DIRECTADMIN_PORTS="2222";
If you change the default DirectAdmin port, don’t forget to replace it with your own port number.
DIRECTADMIN_PORTS="your port number";
You will get a lot of IP attacks, so if you want to block an IP from accessing all of your ports, use this setting:
USE_PORT_SELECTED_BLOCK="0";
A large number of attacker IPs will consume your server’s power. We will use IPSET to lower that consumption. IPSET support is disabled on DirectAdmin. If your Linux server's kernel version supports IPSET, you should follow these steps:
Check IPSET settings:
grep -w '^LF_IPSET' /etc/csf/csf.conf
LF_IPSET = "0"
Here is a script to check if your server’s Linux kernel supports IPSET.
nano csf_ipset.sh
#!/bin/bash
#####################################################
# CSF Firewall IPSET configuration for DirectAdmin
# routine partially borrowed from centminmod.com
# CSF Firewall setup
######################################################
KERNEL_NUMERICVER=$(uname -r | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }')
ipset_setup() {
  if [[ ! -f /usr/sbin/ipset ]]; then
    # CSF now has ipset support to offload large IP address numbers
    # from iptables so uses less server resources to handle many IPs
    # does not work with OpenVZ VPS so only implement for non-OpenVZ
    yum -q -y install ipset ipset-devel
    sed -i 's/LF_IPSET = \"0\"/LF_IPSET = \"1\"/' /etc/csf/csf.conf
  elif [[ -f /usr/sbin/ipset ]]; then
    sed -i 's/LF_IPSET = \"0\"/LF_IPSET = \"1\"/' /etc/csf/csf.conf
  fi
}
if [[ ! -f /proc/user_beancounters ]] && [[ "$(uname -r | grep linode)" || "$(find /lib/modules/`uname -r` -name 'ipset')" ]]; then
  ipset_setup
elif [[ -f /proc/user_beancounters && "$KERNEL_NUMERICVER" -ge '3000000000' ]]; then
  # openvz7's 3.10 linux kernels support IPSET
  ipset_setup
fi
Save the file, then make it executable and run it:
chmod +x csf_ipset.sh
./csf_ipset.sh
Let's check whether the LF_IPSET setting is enabled (= 1) or not:
grep -w '^LF_IPSET' /etc/csf/csf.conf
LF_IPSET = "1"
As the image shows, we enabled IPSET on our server. We can now increase the CSF Firewall IP address limits because it can now handle many more IP entries.
sed -i 's/^DENY_IP_LIMIT = .*/DENY_IP_LIMIT = \"3000\"/' /etc/csf/csf.conf
sed -i 's/^DENY_TEMP_IP_LIMIT = .*/DENY_TEMP_IP_LIMIT = \"3000\"/' /etc/csf/csf.conf
After these settings, restart your CSF Firewall:
csf -ra
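The separate grep checks above (TESTING, the TCP port lists, LF_IPSET) can be combined into one pass over csf.conf. This is an added example, not part of the original guide or of CSF: csf_get, port_listed and csf_audit are hypothetical helper names, and the list of ports to check is whatever you pass on the command line.

```shell
#!/bin/sh
# Added example: check the csf.conf values this guide relies on.
# csf_get / port_listed / csf_audit are hypothetical helper names.

# csf_get FILE KEY -> value from a line of the form: KEY = "value"
csf_get() {
    sed -n "s/^$2 *= *\"\\(.*\\)\".*/\\1/p" "$1" | tail -n 1
}

# port_listed LIST PORT -> 0 when PORT is in a CSF port list ("22,80,35000:35999")
port_listed() {
    echo "$1" | tr ',' '\n' | awk -F: -v p="$2" '
        NF == 1 && $1 == p            { found = 1 }
        NF == 2 && p >= $1 && p <= $2 { found = 1 }
        END { exit !found }'
}

# csf_audit FILE PORT... -> prints one finding per line, returns the number of findings
csf_audit() {
    conf=$1; shift
    findings=0
    if [ "$(csf_get "$conf" TESTING)" != "0" ]; then
        echo "TESTING is not \"0\""; findings=$((findings + 1))
    fi
    if [ "$(csf_get "$conf" LF_IPSET)" != "1" ]; then
        echo "LF_IPSET is not \"1\""; findings=$((findings + 1))
    fi
    tcp_in=$(csf_get "$conf" TCP_IN)
    for p in "$@"; do
        if ! port_listed "$tcp_in" "$p"; then
            echo "port $p is not in TCP_IN"; findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Example call with the ports used in this guide:
#   csf_audit /etc/csf/csf.conf 22 80 443 2222
```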
Cloudflare Settings in DirectAdmin
If you use Cloudflare as much as I do, you should follow these steps. We need to whitelist Cloudflare’s IP addresses so CSF Firewall doesn’t block them. We will use the Centmin Mod LEMP stack script for this. The script will fetch Cloudflare's latest IPs and add them to the whitelist.
Follow these steps:
mkdir -p /root/tools
cd /root/tools
wget -4 -O /root/tools/csfcf.sh https://github.com/centminmod/centminmod/raw/123.09beta01/tools/csfcf.sh
chmod 700 /root/tools/csfcf.sh
# run once to whitelist CF IPs
/root/tools/csfcf.sh apache
/root/tools/csfcf.sh auto-apache
The script creates the httpd-includes-remoteip.conf file that contains the Cloudflare IPs. We need to manually add that config to the Apache settings.
Open /etc/httpd/conf/extra/httpd-includes.conf :
nano /etc/httpd/conf/extra/httpd-includes.conf
add this line:
Include /etc/httpd/conf/extra/httpd-includes-remoteip.conf
After that, check if everything is OK:
httpd -t
Syntax OK
Then don’t forget to restart Apache:
service httpd restart
Also add a crontab entry to regularly check for new Cloudflare IP addresses:
23 */12 * * * /root/tools/csfcf.sh auto-apache >/dev/null 2>&1
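setup.sh, php-extension.sh, csf-bfm-install.sh, csf-bfm-update.sh and csfcf.sh are all fetched with wget and executed as root, and several of them come from a branch of a repository, so their content can change between downloads. The following is an added example, not part of the original guide or of any of those projects: it records the SHA-256 of a script once you have read it and refuses to run a copy whose content differs. The PINS path and the helper names pin_record, pin_check and run_pinned are assumptions.

```shell
#!/bin/sh
# Added example: pin the SHA-256 of a reviewed installer script and refuse to
# run a copy whose content has changed. PINS is an assumed location;
# pin_record / pin_check / run_pinned are hypothetical helper names.
PINS=${PINS:-/root/tools/pins.sha256}

# pin_record FILE -> store the current hash (call once, after reading the script)
pin_record() {
    name=$(basename "$1")
    sum=$(sha256sum "$1" | awk '{print $1}')
    [ -n "$sum" ] || return 1
    touch "$PINS"
    # Drop an older pin for the same file name, then add the new one
    awk -v n="$name" '$2 != n' "$PINS" > "$PINS.tmp"
    printf '%s  %s\n' "$sum" "$name" >> "$PINS.tmp"
    mv "$PINS.tmp" "$PINS"
}

# pin_check FILE -> 0 hash matches, 1 content differs, 2 no pin recorded
pin_check() {
    [ -f "$PINS" ] || return 2
    want=$(awk -v n="$(basename "$1")" '$2 == n {print $1}' "$PINS")
    [ -n "$want" ] || return 2
    have=$(sha256sum "$1" | awk '{print $1}')
    [ "$have" = "$want" ]
}

# run_pinned FILE [ARGS...] -> execute FILE only when pin_check succeeds
run_pinned() {
    script=$1; shift
    if pin_check "$script"; then
        "$script" "$@"
    else
        echo "refusing to run $script: not pinned or content changed" >&2
        return 1
    fi
}

# Typical use with a file from this guide:
#   pin_record /root/tools/csfcf.sh          (after reading the script)
#   run_pinned /root/tools/csfcf.sh auto-apache
```

A cron entry can call run_pinned through a small wrapper script that sources these functions, so a changed csfcf.sh stops running until it has been reviewed and pinned again.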
Also I regularly back up my directadmin backups:
DirectAdmin Backup Remover
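#!/bin/sh
backup_directory="/home/admin/admin_backups" # No trailing /
backup_time="1" # Remove backups how many days old? Number variable only!
#### Safety check ####
# Stop if the directory is missing, so find/rm never runs against an unintended path
if [ ! -d "$backup_directory" ]; then
    echo "Backup directory $backup_directory not found, aborting."
    exit 1
fi
#### Commands ####
find_files=$(find "$backup_directory" -mindepth 1 -maxdepth 1 -mtime +"$backup_time")
#### Begin Script ####
##
echo ""
echo "Looking for old backups... Older than $backup_time days old."
echo "----"
if [ -z "$find_files" ]; then
    echo "None Found!"
else
    echo "$find_files"
fi
echo "----"
echo ""
echo "If any folders were found they will now be deleted."
# Quoted variables and -mindepth 1 keep the delete inside the backup directory
find "$backup_directory" -mindepth 1 -maxdepth 1 -mtime +"$backup_time" -exec rm -rv {} +
echo ""
echo "Done."
echo ""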
Create a cron job:
5 0 * * * /root/backup_remover.sh > /var/log/backup_remover_`date +\%d-\%m-\%Y_\%H-\%M`.log 2>&1
It will write its logs to /var/log/
If you have any questions just ask.
Resources:
George from https://centminmod.com/ Thank you.