Articles tagged DirectAdmin

Note: this installation applies to CustomBuild 2.0.

cd /usr/local/directadmin/custombuild
./build update
./build set modsecurity yes
./build set modsecurity_ruleset comodo
./build modsecurity

WordPress login brute-force blocking rules

Create a new file under /usr/local/cwaf/tmp/rules/workdir1/rules with the following content. After saving it, set the file's owner and restart Apache.

SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134
<LocationMatch "/wp-login.php">
	# Setup brute force detection.
	# React if block flag has been set.
	SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
	# Setup tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
	SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
	SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
	SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>

SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000234
<LocationMatch "/xmlrpc.php">
	# Rate limit requests to xml-rpc
	SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000235,msg:'ip address blocked for 5 minutes, more than 10 attempts in 3 minutes.'"
	# Setup tracking. Whenever it gets a 200 or 405 status code, increase our brute force counter.
	SecRule RESPONSE_STATUS "^(200|405)" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000237"
	SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>

Rules from: https://github.com/sensson/puppet-directadmin/blob/master/templates/modsecurity/modsec-wordpress.conf.erb
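
To see whether these rules are actually firing, and against which clients, the deny events they produce can be summarised from Apache's error_log. The script below is an added example written for this page, not part of the rule set or its source. The log lines inside it are constructed samples in ModSecurity 2.x error_log format (one in Apache 2.4 layout, where the client field also carries a source port), the file name wordpress.conf is a placeholder, and the ids it looks for are the two deny rules above, 5000135 and 5000235.

```shell
#!/bin/sh
# Summarise the brute-force denies produced by the two rules above (ids 5000135
# and 5000235) from Apache's error_log. On a live server:
#   bf_blocks < /var/log/httpd/error_log

# Constructed sample lines in ModSecurity 2.x error_log format. The third line
# uses the Apache 2.4 layout, where the client field also carries a source port.
SAMPLE_LOG='[Sun Sep 21 17:37:10 2014] [error] [client 203.0.113.5] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [file "/usr/local/cwaf/tmp/rules/workdir1/rules/wordpress.conf"] [line "4"] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."] [hostname "www.example.com"] [uri "/wp-login.php"]
[Sun Sep 21 17:37:12 2014] [error] [client 203.0.113.5] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [file "/usr/local/cwaf/tmp/rules/workdir1/rules/wordpress.conf"] [line "4"] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."] [hostname "www.example.com"] [uri "/wp-login.php"]
[Sun Sep 21 17:37:20.482910 2014] [:error] [pid 8422] [client 203.0.113.5:51234] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [file "/usr/local/cwaf/tmp/rules/workdir1/rules/wordpress.conf"] [line "4"] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."] [hostname "www.example.com"] [uri "/wp-login.php"]
[Sun Sep 21 17:38:01 2014] [error] [client 198.51.100.23] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [file "/usr/local/cwaf/tmp/rules/workdir1/rules/wordpress.conf"] [line "15"] [id "5000235"] [msg "ip address blocked for 5 minutes, more than 10 attempts in 3 minutes."] [hostname "www.example.com"] [uri "/xmlrpc.php"]
[Sun Sep 21 17:38:05 2014] [error] [client 198.51.100.23] ModSecurity: Warning. Pattern match "example" at ARGS:s. [id "210710"] [hostname "www.example.com"] [uri "/index.php"]'

# Read error_log text on stdin; print "count ip rule_id uri", most frequent first.
# Only "Access denied" events from the two brute-force rules are counted, so
# ordinary ModSecurity warnings (other rule ids) are ignored.
bf_blocks() {
    awk '
        /ModSecurity: Access denied/ && /\[id "(5000135|5000235)"\]/ {
            ip = ""; id = ""; uri = ""
            if (match($0, /\[client [^]]+\]/)) ip  = substr($0, RSTART + 8, RLENGTH - 9)
            if (match($0, /\[id "[0-9]+"\]/))   id  = substr($0, RSTART + 5, RLENGTH - 7)
            if (match($0, /\[uri "[^"]*"\]/))   uri = substr($0, RSTART + 6, RLENGTH - 8)
            sub(/:[0-9]+$/, "", ip)      # Apache 2.4 appends the client port (IPv4 assumed)
            hits[ip " " id " " uri]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# Total denies for one client IP across both rules (0 if none).
bf_block_count() {
    bf_blocks | awk -v ip="$1" '$2 == ip { n += $1 } END { print n + 0 }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | bf_blocks
```

A client that keeps appearing here after the 5-minute block expires is worth a longer CSF block; the port-stripping step assumes IPv4 clients, so IPv6 addresses from Apache 2.4 would need a different split.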

Hello,
The update script is not part of directadmin.com.
**** USE IT AT YOUR OWN RISK ****

*****

GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 2006,2007 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Update script made by Wael Isa
H188, R4008, Arad 240, Kingdom of Bahrain
http://www.web4host.net
Version: 1.8.1
Release Date: 1 / 9 / 2006

*****

If you find the update script useful, please consider making a donation to support this freeware.
Please keep in mind that donations are welcome, but in no way required to use and distribute update.script.

You can support update.script via PayPal.

update.script Version: 1.8.1
The update script has been tested on these OSes, 32-bit and 64-bit:

  • RedHat Linux
  • RedHat Fedora
  • RedHat Enterprise
  • CentOS
  • Debian
  • OpenSSL (You need to build ssh, apache, php, etc. after the upgrade)
  • Exim
  • OpenSSH
  • ProFTP
  • ProFTP with mod_clamav
  • phpMyAdmin
  • F-PROT Anti-Virus
  • AVG
  • ClamAV
  • MODclamAV
  • MRTG
  • SquirrelMail
  • SquirrelMail full language pack
  • SpamAssassin
  • MODsecurity 2.x (Apache 2.x Only)
  • ImageMagick
  • GraphicsMagick
  • eAccelerator
  • FFMPEG-php
  • PHP Clamav
  • Webmin control panel (You need to open one port 10000 in your firewall)
  • MailScanner
  • Suhosin
  • NoBody Check

Installation

mkdir /usr/local/updatescript
cd /usr/local/updatescript
wget http://tools.web4host.net/update.script
chmod 755 update.script

Run the following command to see how to use it:

./update.script

See more: http://www.web4host.net/update-script/

Some administrators do not want a DirectAdmin notification every time an IP is blocked.

brute_force_notice_ip.sh is only triggered when DA sends the notification that IP XX has failed to log in N times. DA has now added an option to suppress that notification while brute_force_notice_ip.sh keeps working.

The directadmin.conf option is:

hide_brute_force_notifications=0

This is the default (option disabled, notifications are sent).

If you want no notifications but still want brute_force_notice_ip.sh to run, set in directadmin.conf:
hide_brute_force_notifications=1

To reduce false positives, add DirectAdmin's trusted services as CSF/LFD exceptions. Edit /etc/csf/csf.pignore and add the following:

cmd:spamd child
exe:/bin/dbus-daemon
exe:/sbin/ntpd
exe:/usr/bin/dbus-daemon
exe:/usr/bin/dbus-daemon-1
exe:/usr/bin/fetchmail
exe:/usr/bin/freshclam
exe:/usr/libexec/dovecot/anvil
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/imap-login
exe:/usr/libexec/dovecot/managesieve
exe:/usr/libexec/dovecot/managesieve-login
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/gam_server
exe:/usr/libexec/hald-addon-acpi
exe:/usr/libexec/hald-addon-keyboard
exe:/usr/local/bin/clamd
exe:/usr/local/bin/freshclam
exe:/usr/local/bin/pureftpd_uploadscan.sh
exe:/usr/local/directadmin/dataskq
exe:/usr/local/directadmin/directadmin
exe:/usr/local/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/imap-login
exe:/usr/local/libexec/dovecot/pop3
exe:/usr/local/libexec/dovecot/pop3-login
exe:/usr/local/mysql-5.1.54-linux-x86_64/bin/mysqld
exe:/usr/local/php53/bin/php53
exe:/usr/local/php53/bin/php-cgi53
exe:/usr/local/php53/bin/php_uploadscan.sh
exe:/usr/local/php53/sbin/php-fpm53
exe:/usr/local/php54/bin/php54
exe:/usr/local/php54/bin/php-cgi54
exe:/usr/local/php54/bin/php_uploadscan.sh
exe:/usr/local/php54/sbin/php-fpm54
exe:/usr/local/php55/bin/php55
exe:/usr/local/php55/bin/php-cgi55
exe:/usr/local/php55/bin/php_uploadscan.sh
exe:/usr/local/php55/sbin/php-fpm55
exe:/usr/local/php56/bin/php56
exe:/usr/local/php56/bin/php-cgi56
exe:/usr/local/php56/bin/php_uploadscan.sh
exe:/usr/local/php56/sbin/php-fpm56
exe:/usr/local/sbin/nginx
exe:/usr/sbin/exim
exe:/usr/sbin/hald
exe:/usr/sbin/httpd
exe:/usr/sbin/mysqld
exe:/usr/sbin/mysqld_safe
exe:/usr/sbin/named
exe:/usr/sbin/nginx
exe:/usr/sbin/ntpd
exe:/usr/sbin/proftpd
exe:/usr/sbin/pure-ftpd
exe:/usr/sbin/sshd

Then restart LFD:

/etc/init.d/lfd restart

From: https://www.plugins-da.net/info/csf-lfd-exceptions-for-directadmin-csf.pignore
P.S. Based on this thread: http://forum.directadmin.com/showthread.php?t=49424
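
Several entries in the list above are version-specific (php53 through php56, one particular mysql build directory), and LFD compares an exe: path exactly, so an entry whose binary has moved or been removed silently stops ignoring that process. The checker below is an added example written for this page, not code from csf or from the source post. It reports lines whose prefix is not one csf.pignore accepts (exe, cmd, user, pexe, pcmd, puser) and exe: entries whose binary is missing on the host; the sample file it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Sanity-check a csf.pignore-style file before reloading LFD.
# Reports lines whose prefix is not one csf accepts (exe, cmd, user, pexe,
# pcmd, puser) and exe: entries whose binary is not present on this host.
# LFD matches an exe: path exactly, so a stale path (e.g. a removed php53
# build) means that process is no longer ignored, without any warning.

# Print one problem per line ("bad-prefix <line>" or "missing <path>").
# Returns 0 only if the file is clean. Blank lines and # comments are skipped.
check_pignore() {
    file=$1
    problems=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
            *:*) ;;
            *) echo "bad-prefix $line"; problems=$((problems + 1)); continue ;;
        esac
        prefix=${line%%:*}
        value=${line#*:}
        case $prefix in
            exe|cmd|user|pexe|pcmd|puser) ;;
            *) echo "bad-prefix $line"; problems=$((problems + 1)); continue ;;
        esac
        # pexe: values are regexes; only plain exe: paths can be checked on disk.
        if [ "$prefix" = exe ] && [ ! -x "$value" ]; then
            echo "missing $value"; problems=$((problems + 1))
        fi
    done < "$file"
    [ "$problems" -eq 0 ]
}

# Constructed sample: a binary that exists, a cmd: entry, a stale
# version-specific path, a pexe: regex, and a line that lost its prefix.
write_sample_pignore() {
    cat > "$1" <<'EOF'
# trusted DirectAdmin services
exe:/bin/sh
cmd:spamd child
exe:/usr/local/php53/bin/php53
pexe:/usr/local/php[0-9]*/bin/php-cgi[0-9]*
/usr/sbin/sshd
EOF
}

# Demonstration against the constructed sample file.
sample=$(mktemp)
write_sample_pignore "$sample"
check_pignore "$sample" || echo "fix the entries above before running: /etc/init.d/lfd restart"
rm -f "$sample"
```

Run it as `check_pignore /etc/csf/csf.pignore` after each PHP or MySQL rebuild; a non-zero exit means at least one exception is not doing anything.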

If you want to disable DirectAdmin's da-popb4smtp service:
Edit /etc/exim.conf
Find: hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts
Change it to: hostlist relay_hosts =

Restart exim:
/etc/init.d/exim restart # Redhat/Debian
/usr/local/etc/rc.d/exim restart # FreeBSD

From: http://help.directadmin.com/item.php?id=467

The ZendGuardLoader component in DirectAdmin shows a red cross in the PHP probe even though it is installed. This is because probes usually check zend_loader.enable, and DA does not add these settings to php.ini; adding them by hand fixes it.

Edit php.ini, search for zend_extension, and add below it:

zend_loader.enable=1
zend_loader.disable_licensing=0
zend_loader.obfuscation_level_support=3
zend_loader.license_path=

Then run service httpd restart to restart Apache so the change takes effect.
For the location of php.ini under DirectAdmin, see: http://www.cnweed.com/2743.html

[Sun Sep 21 17:37:10 2014] [emerg] (28)No space left on device: Couldn't create accept lock (/var/log/httpd/accept.lock.8411) (5)

In the afternoon a monitoring email reported that the Apache service on a DirectAdmin server would not start; checking the error log showed the error above. First run df -h to check whether the disk is full, then ipcs -s to check IPC; here the IPC semaphores were exhausted, as shown below:

# ipcs -s
------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00000000 19234816   apache     600        1
0x00000000 19267585   apache     600        1
0x00000000 19300354   apache     600        1
0x00000000 19398659   apache     600        1
0x00000000 19431428   apache     600        1
0x00000000 19464197   apache     600        1
0x00000000 19562502   apache     600        1
…

Run the following commands to remove them, then restart Apache:

ipcs -s | grep apache | perl -lane 'print `ipcrm sem $F[1]`'
service httpd restart

The likely cause is that Apache was not shut down cleanly. Here is a simple shell script that can be added to crontab to run periodically:

#!/bin/bash
# Count the semaphore arrays currently allocated; if there are too many, remove
# the ones owned by apache (the same filter as the manual command above) and log it.
mkdir -p /var/log/weed
ipcs -s > /var/log/weed/ipcs.log
ipcslist=$(grep -c "" /var/log/weed/ipcs.log)
if [ "$ipcslist" -ge 20 ]; then
    # Only touch apache's semaphores; other services' IPC objects are left alone.
    ipcs -s | perl -ane '/^0x00000000/ && $F[2] eq "apache" && `ipcrm -s $F[1]`'
    echo "$(date) Ipc crowded, clean up" >> /var/log/weed/ipcs_clean.log
fi

Named is not reloading correctly when I add a domain

On some systems, the named boot script provided with the bind rpms doesn't seem to reliably reload the named program. You can obtain a new named boot script by running the following:

RedHat:

cd /etc/init.d
mv named named.backup
wget -O named http://www.directadmin.com/named
chmod 755 named
/sbin/chkconfig named reset

This boot script uses a more direct method of reloading named.

For other operating systems, see the source: http://help.directadmin.com/item.php?id=40