Directadmin – server-<YOUR IP>.da.direct was skipped due to unreachableDirectadmin

I just migrated Directadmin server to a new one. On the new one, there was some temporary hostname, that I guess Directadmin provides. It was http://server-<IP ADDRESS>.da.direct. I changed hostname of machine and did everything, but wasn’t able to generate Letsencrypt certificate for my directadmin server hostname. 

When try to generate certificate I was getting error below. I rewrite configs, run changehostname.sh, did all sort of things, but wasn’t able to get pass this error:

[root@da scripts]# ./letsencrypt.sh request `hostname` 4096
Setting up certificate for a hostname: my.dahostname.com
server-1-1-1-1da.direct was skipped due to unreachable http://server-1-1-1-1.da.direct/.well-known/acme-challenge/ file.
No domains pointing to this server to generate the certificate for.

After an hour, I found this answer from gentleman named “zEitEr”. I guess, when I setup new Directadmin server on temporary IP, acme account for letsencrypt was created with directadmins temporary hostname – server-<MY IP ADDRESS>.da.direct. What I did, was removed all letsencrypt accounts and regenerated them:

[root@da ~]# rm -rf /usr/local/directadmin/data/.lego/*
[root@da scripts]# ./letsencrypt.sh request `hostname` 4096
Setting up certificate for a hostname: my.dahostname.com
2024/02/16 13:31:42 No key found for account admin@my.dahostname.comGenerating a 4096 key.
2024/02/16 13:31:45 Saved key to /usr/local/directadmin/data/.lego/accounts/acme-v02.api.letsencrypt.org/admin@my.dahostname.com/keys/admin@my.dahostname.com.key
2024/02/16 13:31:45 [INFO] acme: Registering account for admin@my.dahostname.com
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/usr/local/directadmin/data/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2024/02/16 13:31:45 [INFO] [my.dahostname.com] acme: Obtaining SAN certificate
2024/02/16 13:31:46 [INFO] [my.dahostname.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/315898412537
...
Certificate for my.dahostname.com has been created successfully!
DirectAdmin certificate has been setup.
Setting up cert for Exim...
...

Hope that helps to save some nerves. Thanks to zEitEr

[SCRIPT] Install mod_security with OWASP ruleset and GeoIP2 NGINX modules with script.

Because I don’t own NGINX plus, I must build mod_security and geoip2 modules manually each time I set up a new server with NGINX. It’s good practice to have both installed, as it can increase security of your web application significantly. I was getting tired of building every time, so I created a script which will do that for you. This script is build for Rocky Linux 8, so it should work on CentOS 8 (Stream), AlmaLInux …

This script will auto-detect your NGINX version and will download source, build extensions and install ModSecurity also. It will also install necessary dependencies which are needed for install.  If you encounter errors, please check for errors on which library you need. It will also install OWASP ruleset for mod_security and configure your NGINX accordingly. Path to extensions will be inserted in your NGINX configuration by script.

You should install and configure geoipupdate and add geoip definitions in your nginx configuration.

I hope this helps you and saves you some time. Feel free to modify and customize the script according to your needs.

Here is the script: build nginx modules script

Find occurrences of the same string between two files with grep

I had this issue many times. Find the same occurrences of string between two different files so that you can pervent duplicates.

You should create foor loop that will take every line from file 1 and compare it to records in file 2.

for i in `file1.txt`; do grep -E "^$i\$" file2.txt; done

This will output only the exact strings that occurres in both files.

Directadmin – install Drush locally – drush: command not found

This is how you can install Drush locally and make drush command localy on specific user.

  • First go to root directory of user and login with this user
    [root@da ~]# cd /home/mydrush/
    [root@da mydrush]# su mydrush
  • Install drush via composer
    [mydrush@da mydrush]$ composer require drush/drush
    Using version ^10.4 for drush/drush
    ./composer.json has been created
    Running composer update drush/drush
    Loading composer repositories with package information
    Updating dependencies
    ...
  • Create alias to drush for this user. Open file .bashrc and add line bellow to it and save. Then run source.
    # User specific environment and startup programs
    export PATH="$HOME/vendor/bin:$PATH"
    
    [mydrush@da mydrush]$ source .bashrc
    
  • This is it
    [mydrush@da mydrush]$ drush version
    Drush version : 10.4.3

Special thanks to Adrian

Directadmin – auto assign custom authorized_keys for newly created users – SSH access

I setup a Directadmin server which was primary for website hosting. Separating every project with new DirectAdmin user is a good practice security vise. If one website/project is hacked, other sites that are with different users are safe. But creating new users and then set up ssh keys that are allowed for every user can be time consumedly. In this case, ssh public keys were the same for every user as only developers were able to ssh connect to user account. I created a simple script that will create .ssh directory and authorized_keys with public keys for every user.

  • First, create script  user_create_post.sh inside /usr/local/directadmin/scripts/custom/.
  • Create template file with all ssh  public keys that should be assign to every new user. I created file /usr/local/directadmin/data/custom-authorized_keys
  • Add this content to the script:
    #!/bin/sh

    mkdir /home/$username/.ssh
    chown $username:$username /home/$username/.ssh
    cp /usr/local/directadmin/data/custom-authorized_keys /home/$username/.ssh/authorized_keys
    chown $username:$username /home/$username/.ssh/authorized_keys
    chmod 600 /home/$username/.ssh/authorized_keys

    echo "SSH keys added!"

    exit 0;
  • Give this script execution rights
    chmod +x /usr/local/directadmin/scripts/custom/user_create_post.sh

That is it. Every time a new user is created, .ssh directory with authorized_keys will be created inside user’s home account.

Disable OPcache for specific PHP script. Exclude from OPcache.

Sometimes accelerating with opcache can cause some problems with your application scripts. In those cases, when your script shouldn’t be accelerated, you can specify those scripts with opcache’s blacklist which will exclude this files from acceleration. Example bellow is done on CentOS 7.

First, find configuration file for your opcache php extension. You can do something like this:

[root@meow php.d]# php -i | grep opcache | grep ini
Additional .ini files parsed => /etc/php.d/10-opcache.ini,

Open 10-opcache.ini and you should see something like bellow. Path to opcache’s blacklist file.

; The location of the OPcache blacklist file (wildcards allowed).
; Each OPcache blacklist file is a text file that holds the names of files
; that should not be accelerated.
opcache.blacklist_filename=/etc/php.d/opcache*.blacklist

Close 10-opcache.ini and open file named opcache-default.blacklist which should be in same directory. If not, create one. This file will contain a list of php scripts which should be ignored by opcache. 

[root@meow php.d]# cat opcache-default.blacklist
; The blacklist file is a text file that holds the names of files
; that should not be accelerated. The file format is to add each filename
/path/to/ignored/script/ignoreThis.php
/path/to/another/ignored/script/ignoreThisToo.php
...

Get SSL certificate expiry date quickly and easily with ckcrt script

SSL certificates are daily routine of my work, so there was regular practice to check expiry date of live certificate through Chrome browser -> Developer tools. It is quite time-consuming and annoying work if you have to repeat it. So I made this very simple bash script with which you can check expiry date and some other certificate information quickly, from your terminal. This will work on osx or linux machines. Of corse, you must have OpenSSL installed on your machine in order to use this script.

Continue Reading

Icinga/Nagios plugin for http brute force detection

When dealing with web servers where there are a lot of web sites, especially WordPresses, Joomlas etc., it is very common problem to dealing with flood/brute force attacks. One of most common for example, is generating massive requests on wp-login.php, or xmlrpc.php. With brute force, attackers goal is usually gaining access to administration. This is the simplest kind of method to gain access. Idea is very simple, attacker tries with a lot of different passwords and usernames, until it gets it right. Those operations of course, are automated by bots, scripts.

This can be very damaging for your server as it consumes a lot of memory. Every request means that someone just visited your website. When there is a script with bad intentions visiting your site, that means a lot of requests. Most modern web pages, every request like this, also makes database query. In most cases, server will become unresponsive, system will run out of memory, swap will fill up, mysql will stop responding.. This also means, that all websites on your server will stop working. In many cases, you’ll have to reboot your server to make it responsive again. Of course, there are systems that don’t allow this, like Cloud Linux with its LVE. One of great practices is to lock your administration to some static IP. There different ways.

Continue Reading

Scan your cPanel/Directadmin for excessive files

When dealing with cPanel/Directadmin that contains a lot of users, you need some control of what those users are uploading. Web hosting accounts should be used just for that, hosting websites, and not as data storage – in most cases. Sometimes you even offer packets with unlimited disk capacity but you don’t want that users are storing movies and all kind of other unnecessary files that don’t belong on web hosting account. From web hosting perspective, in most cases, any single file that exceeds 100M is usually not part of website and is just laying there, wasting your precious disk space. In cases like this, account is used as backup service. You’ll be able to find all kind of files. Movies, music, applications, archives …

So you may want to have some reports on regular basis that gives you list of all files that exceed some maximum allowed file size limit – defined by you. Personaly, I scan on interval of 7 days for all files that exceed size of 300M. I created a simple script that will do just that. It will check your /home directory for all files that exceed size that you defined. At the end, report will be sent to your email. You can also scan other directory beside /home if you wish.

Continue Reading

Generate NGINX virtual hosts script

I created simple script for creating NGINX virtual hosts so that you don’t have to do it manualy for every new website. Script was created for Linux – CentOS 7 – operating system but it should work on other distributions too. It is written in bash. You will also need wget and tar installed for script to work – wordpress install option.

What it does is pretty straightforward. On input side it will ask you for domain name, SSL option and WordPress installation. You can choose between http and https virtual host definition. By default it will create document root for your domain and NGINX configuration file for that domain. If you choose option for WordPress installation, then it will also download latest wordpress version and unpack files to your newly created document root. You’ll still need to create database manually and finish WordPress installation. This script is suitable for basic NGINX website configurations

Just download script here and template files. Put script createsite to your /usr/sbin/ directory and make it executable. Of corse you can change virtual host templates according to your needs too.

Continue Reading

© 2024 geegkytuts.net
Hosted by SIEL


About author