new: ssl_cipher option to force SSLv3
directadmin.conf option called:
default value is internally 'null' (not used).
If anything is set for that variable (it has to be added), then those values are passed to the ssl function:
so as to enforce which versions of ssl are allowed to connect.
The main reason to use this feature is to pass low level security scans which don't like SSLv2.
A sample value for this option would be:
A strict cipher would be (for PCI compliance):
Other reported ciphers for PCI compliance (Trustwave):
new: Optimization for recursive chown
The previous recursive chown did a lookup of the UID within each recursion, and then each file/directory within that recursion.
The optimization passes the UID/GID values through the recursion so that a lookup is only done once for the entire recursion. This should greatly speed things up during restores where mass chowns are done.
new: option to exclude domains directory from backup
This can be useful if you want to transfer all config data for a DirectAdmin user over, but don't want the data from /home/user/domains as it may be too large for DA to handle. It would then be up to you to manually copy this data over.
The default internal value in DA will be:
If you wish to have DA not include the /home/user/domains directory for any backup, set the value in your directadmin.conf to be:
new: secure_access_group option for higher user security
This is enabled by default for new installs.
Option that can be added to the directadmin.conf if you wish to enable this feature:
where access is the group name to be used.
The internal default is null.
If you wish to disable this feature, you must delete it completely from the directadmin.conf.
After enabling this, it applies to any newly created user.
To set it for existing users, run:
echo "action=rewrite&value=secure_access_group" >> /usr/local/directadmin/data/task.queue
This feature creates a group called access (assuming you use this value). The users apache, nobody and mail are placed in this newly created group. These 3 UIDs are granted permission into the User's home directory by means of this access group, which is set on /home/username for Users, and on /home/username/domains for Admins and Resellers. The respective path is set to chmod 710, thus preventing any other user on the system from looking into that path.
Note: If you're running clamd, you must also manually add the clamav user to this group:
usermod -G access clamav
Note that a restart of all services will be required if you change this group for existing users. I have not determined why this is, but it appears to be some strange permission caching on the system where it doesn't recognize the new group instantly. After restarting the services, the new group value is recognized. The above echo command will do this automatically, but it is just something to keep in mind if you get strange permission problems after making this change.
Note that using this with apache_public_html=1 would be redundant, so set:
in your directadmin.conf.
Note that Admin and Reseller /home/user paths must be chmod to 711. The reason is that backups require full execute access for all Users.
This also implies that any other backup directory for the Admin Backup/Transfer must also be chmod to 711, and chown to admin (or whichever Admin is running the backup).
new: Improved checking on chown
Added extra checking on all chown commands called within DA to ensure there is not more than 1 hard link per file. If there are 2 or more hard links on a file, DA will not change the ownership and will throw security errors, as well as log info to the security.log about who did it, and on what file.
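The two chown changes described above (UID/GID resolved once and passed through the recursion, and the refusal to chown a file with 2 or more hard links) can be sketched as follows. This is an added example, not DirectAdmin's own code; the function names, the in-memory security_log list standing in for security.log, the exemption for directories and the temporary sample tree are assumptions made for the illustration.

```python
import os
import stat
import tempfile

def chown_tree(root, uid, gid, security_log):
    """Chown everything under root to uid:gid; return the number of entries changed.

    uid/gid are resolved once by the caller and passed through the whole walk.
    Files with 2+ hard links are left untouched and recorded instead.
    """
    changed = 0
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):  # symlinked dirs are not entered
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    for path in paths:
        if os.path.islink(path):
            os.chown(path, uid, gid, follow_symlinks=False)  # the link itself only
            changed += 1
            continue
        # Open without following links, then check and chown the same inode
        # through the descriptor so the path cannot be swapped in between.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
        try:
            st = os.fstat(fd)
            # Assumption: directories are exempt, their link count is normally >= 2.
            if not stat.S_ISDIR(st.st_mode) and st.st_nlink > 1:
                security_log.append(
                    f"refused chown: {path} has {st.st_nlink} hard links")
                continue
            os.fchown(fd, uid, gid)
            changed += 1
        finally:
            os.close(fd)
    return changed

def demo():
    """Constructed tree: one ordinary file and one file hard-linked from outside."""
    with tempfile.TemporaryDirectory() as base:
        home = os.path.join(base, "home")
        os.mkdir(home)
        outside = os.path.join(base, "outside.conf")  # file the user must not end up owning
        for p in (outside, os.path.join(home, "index.html")):
            with open(p, "w") as f:
                f.write("constructed sample\n")
        os.link(outside, os.path.join(home, "linked.conf"))  # second hard link in the tree
        uid, gid = os.geteuid(), os.getegid()  # single lookup, reused for every entry
        log = []
        return chown_tree(home, uid, gid, log), log
```

Calling demo() changes the directory and index.html, and leaves linked.conf alone with one entry in the log.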
fixed: restore is setting creation date to restore time
This fix only applies if the user is being created via the restore.
If you create the user manually, and then restore the backup to it, then the date will remain the date that the user was manually created, and the date in the backup file will be ignored.
fixed: logs dir to be chmod 700
/home/user/domains/domain.com/logs will be chmod to 700 user:user instead of 755 root:root.
Logs inside it will still be chowned to root.
fixed: Add secure to set-cookie
Add the secure flag to the set-cookie header option for https connections. This forces the browser to only use the cookie over ssl connections.
fixed: escape characters for \ in exim filter
The \ character was not escaped for the filters. Only $ was.
Now, if you add the \ character to be blocked, DA converts that to \\\\ because the string expansion is done twice, so we have to escape twice.