DirectAdmin, security, backup questions

Discussion in 'Pre-Sales Questions' started by Guest, Aug 9, 2006.

  1. Guest

    Guest Guest

    Hello,

    As is so often stated, you have a good reputation and I'm strongly considering KH as my new VPS provider. I'm moving from a reseller account that only uses the reseller portion to provide hosting for a few friends and family members. The main feature I want out of a VPS is to get full control over my email, to implement a multi-layer spam filtering solution (looking at MailScanner; any comments?). The rest is standard stuff.

    I would like to use DirectAdmin for the folks who have been using that at my current hosting provider, but one issue has been that using SpamAssassin only really works for the main users who have an account under DA (and therefore have Unix usernames). Email addresses added under that domain other than the owner don't get the SpamAssassin treatment, don't have a bayes database, etc. Do you know of a way around this that still preserves the usefulness of DA?

    It may turn out that to get this functionality we must simply forego the use of DA; that's not by any means a show stopper. Just curious if you have any insights into this, as it will help me choose whether to add DA to the package at signup.

    I am told that choosing cPanel results in some specific versions of Apache and PHP being installed, but I don't know if DA has similar restrictions. Can you enlighten me on this?

    As for security, I wonder if you have a set of packages/programs that you can recommend to be added at installation time to provide good security out of the chute? I know I can request things to be installed such as the grsecurity kernel, APF, etc. , and Apache modules that improve upon the default security. I'm just wondering if you have a "Yes, we've been there/done that and can set you up with an environment that has a good track record on our systems" sort of response on this topic. If not, I'll make some choices in this regard, but I wanted to ask you first.

    As to backups, how are they handled? Are they there more for you to perform disaster recovery on an entire server as opposed to getting a snapshot of each individual virtual server? I understand backups fall upon my shoulders as well, but I couldn't tell from the FAQ whether a VPS could be individually restored from backup in case of a security breach (e.g., a rootkit). Just for my info, not a major decision factor.

    Apologies for the wordy questions... thanks in advance. :cool:
     
  2. KH-Paul

    KH-Paul CTO Staff Member

    Leo,

    I, personally, did not (yet?) hear any complains regarding SA management in DirectAdmin and I also failed to find similar problem description on DA forums. I might be missing it, don’t know ;)

    As for software versions - both, cPanel and DA have Apache 1.3.x, PHP 4.4.x and MySQL 4.1.x installed by default. The only difference between these two control panels in regards to underlying application versions is that with DA you can upgrade Apache to 2.x while with cPanel you'll have to stick with 1.3.x (which is not that bad in my personal opinion).
    MySQL and PHP upgrade in cPanel is a very easy task which can be accomplished in just a couple clicks. With DA ways to upgrade difference component versions are described on this forum: http://www.directadmin.com/forum/forumdisplay.php&forumid=29

    Regarding security - we ship VPSs with latest versions of OS-related applications and also do some additional tweaking such as ssh port change, disabling of "unneeded" services which won't be used by 99.5% of customers, etc. As for basic recommendations - yes, APF installation might be a good idea if you're looking for firewall protection. Also might be a good idea to add mod_security (can be done in couple clicks in cPanel) and move / disable such things as wget, etc.

    We create individual nightly backups for every hosted VPS account. VPS backup can be restored at any time either by our support team or by you through the Virtuozzo Power Panel. The only thing to keep in mind that VPS backup will bring your _whole_ VPS to the state where it was at the moment when VPS backup was created. There is no automated way to restore individual file / account / whatever from full VPS backup but in some cases (i.e. you've removed some important file by a mistake) you can open a support ticket with us and team will try to extract specific file / directory from VPS backup as long as you can tell which exact file is needed.

    Regards,
    Paul
     
  3. Guest

    Guest Guest

    Hi Paul,

    I, personally, did not (yet?) hear any complains regarding SA management in DirectAdmin and I also failed to find similar problem description on DA forums. I might be missing it, don’t know ;)

    The problem at my hosting provider (with a slightly older version of DA) was that as you added mail accounts, there was no underlying Unix user created so there was no per-user settings or bayes databases for those users. It may not be an issue on the current version; I'll post over there and see what they say.

    As for software versions - both, cPanel and DA have Apache 1.3.x, PHP 4.4.x and MySQL 4.1.x installed by default. The only difference between these two control panels in regards to underlying application versions is that with DA you can upgrade Apache to 2.x while with cPanel you'll have to stick with 1.3.x (which is not that bad in my personal opinion).

    Great, I'm more familiar with Apache 2 which would be about all I would change there.

    Regarding security - we ship VPSs with latest versions of OS-related applications and also do some additional tweaking such as ssh port change, disabling of "unneeded" services which won't be used by 99.5% of customers, etc.

    Seems reasonable. I'll compile a list of any additional security-related changes for the initial install.

    We create individual nightly backups for every hosted VPS account.

    That's great -- definitely gives some peace of mind regarding recovery from a major security breach.

    Thanks for the info!
     
  4. ppc

    ppc Moderator

    would you mind sharing that list, i would be very appreciated as i need some direction on securing my VPS
     
  5. Guest

    Guest Guest

    would you mind sharing that list, i would be very appreciated as i need some direction on securing my VPS

    Actually, it's probably best I don't; don't want to make public my lack of experience. Any set of security-minded steps I take are bound to be lacking in some regard, and I'd hate to foist that upon others as if it was somehow robust.

    I can tell you that there are a number of security-related posts over at WebHostingTalk. Check out the VPS Tutorials forum. Also search for things like "linux server hardening", etc. using your favorite search engine and several great sites show up.

    That's all I'm doing. Not going to go crazy, just want to be a little better than the other guys, ya know?
     
  6. Guest

    Guest Guest

    Just a couple of follow-up question regarding DirectAdmin.

    1. As installed by KH, does DA have the reseller functionality enabled? I'm not looking to be a reseller, but for the people I give hosting to I just want to know if the setup will be the same for them and me as it is at the provider I'm with now with my reseller account.

    2. If I add DA to my VPS, does that effectively impose other restrictions on how I administer the server? I assume DA has its own way of doing things, and any manual changes to settings had better be in consideration of that. Just a supposition on my part, not having the ability to make manual config changes on my reseller hosting.

    Thanks again for the information.
     
  7. KH-Paul

    KH-Paul CTO Staff Member

    Leo,

    Yes, DA have reseller functionality enabled by default. Actually all features, listed at http://www.directadmin.com/features.html will be available for you.

    And yes again - as any other control panel DA will assume that configuration in done in certain way. While DA is pretty flexible you still have to follow general configuration customization restrictions to keep configuration in sync with DA and to be able to continue managing accounts through DA.

    Regards,
    Paul
     
  8. ryan.tourge

    ryan.tourge New Member

    Leo,

    out of the box the KH DA VPs is really really good. The only adition I would make (and it's already been mentioned) is APF firewall and Mode_security for Apache.

    I have install scripts for both if you need it...

    Ryan
     
  9. ryan.tourge

    ryan.tourge New Member

    oh... Zend Optimizer should be installed also...

    but that is really simple.

    cd /usr/local/directadmin/customeapache
    ./build zend
     
  10. Leomania

    Leomania New Member

    Indeed Ryan, they're both on my list. I've been spending some "quality time" with APF on CentOS installation at home, and hopefully having KH install it and do the initial configuration will bypass some of the issues I have encountered. I know how to fix them, but no sense reinventing the wheel if KH already has it covered.

    If this was a dedicated server, I'd be installing grsecurity and probably apf. But given that the kernel isn't under my control, it's harder to know what holes aren't plugged in the kernel that is in use. Do you know which kernel is used?

    I'll take any further discussion VPS security out of the pre-sales area once I get my VPS set up. As always, that's "real soon now". ;-)
     
  11. ryan.tourge

    ryan.tourge New Member

    Just a few more things...

    beingthat KH setups up ssh access on port 2200 this may not be needed but it does work with other services.

    http://www.rfxnetworks.com/bfd.php

    It works with APF to detect and add offenders to the deny_hosts.rules file and restarts apf
     
  12. Leomania

    Leomania New Member

    I've used denyhosts for this purpose on my home server, and while it works I'm more in favor of an ip_tables-based approach. I think that's more robust to just kill access from the attacker's IP address, but as with everything I'm sure there are trade-offs to be considered.

    Which, as you might guess, means I don't know what they are. ;)
     

Share This Page