Posts tagged DirectAdmin

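I just received an alert that the bandwidth usage of one machine was abnormal. top, ps aux and the like showed no anomalous user, and the load was normal, even lower than usual. iftop showed that essentially one IP was sending data out, while the requesting IPs (the attacking IPs) came from more than ten ranges. After blocking the requesting IPs, I looked them up: they belong to CloudFlare and Baidu Yunjiasu, so this was clearly a CC attack that CloudFlare and Baidu Yunjiasu failed to filter and passed on to the backend.

The IP sending the data (the IP of the attacked website) is shared and hosts many websites, so blocking that IP outright would take down every site on it. The only option was to find the specific website and user under attack and act on that; checking them one by one was clearly not feasible.

Every website of a DirectAdmin user has its own Apache log. We can use this to our advantage: take the IPs whose requests are relatively long-lasting and large, and search the website logs of all users for them.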

[root@****** ~]# grep -c 141.101.98.211 /var/log/httpd/domains/*.log | grep -v :0

/var/log/httpd/domains/****1g.com.log:1
/var/log/httpd/domains/****1g.com.error.log:30
/var/log/httpd/domains/****xv.com.log:12266

[root@****** ~]# grep -c 162.158.88.52 /var/log/httpd/domains/*.log | grep -v :0
/var/log/httpd/domains/****xv.com.log:6385

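Two IPs were enough to find it: the site is clearly ****xv.com. Checking that site's log in detail, I found that from 1:30 a.m. until 1:50, when I rejected the Baidu Yunjiasu requests (and the dozen or so ranges I blocked were only part of them), there had already been more than 350,000 GET requests. I did not count the number of requesting IPs, but there were a great many, and the URL tails were randomized specifically to get through the Baidu CDN. I then contacted the user and asked them to set Baidu Yunjiasu's CC protection to the highest level immediately, and afterwards lifted the blocks on the IP ranges to restore the CDN's normal requests. That more or less resolved it.

You may ask why the server itself could not provide the protection. This case is somewhat special: the user hides the real backend IP behind a CDN, so the attacker cannot attack us directly and sends requests to the CDN instead, and it is the CDN's IPs that end up causing the abnormal bandwidth usage. Likewise, we cannot correctly obtain the attacker's IPs and cannot block the real attacker's IPs. There are of course ways to do that, but blocking on our side is useless because the CDN will still let the requests through, unless we strike back after obtaining the real attacking IPs. Many sites use the CDN, so we certainly cannot block it. Even if we made a rule that drops CC requests and returns a 301 to the CDN, the outcome would be the same: the requests would not stop or decrease, they would keep hitting the 301 page, and given the volume the bandwidth usage would not drop. The only option is to handle the problem together with the user.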
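The per-domain log search above can be made exact and repeatable. The following is an added example, not part of the original post: it matches the client field exactly (so a search for 141.101.98.21 would not also count 141.101.98.211), skips the differently formatted error logs, and adds a per-minute count to show when a flood began. The log lines, addresses and domain names are constructed, and the combined log format (client address in field 1, timestamp in field 4) is an assumption.

```bash
#!/usr/bin/env bash
# Added example: find which vhost a set of suspect client IPs is hammering.
# Assumption: access logs are in combined format (client = field 1, time = field 4).

# rank_domains LOGDIR IP [IP...] -> "hits domain" lines, busiest first.
rank_domains() {
    local dir="$1"; shift
    local f
    for f in "$dir"/*.log; do
        [ -e "$f" ] || continue
        case "$f" in *.error.log) continue ;; esac   # error logs use another format
        awk -v ips="$*" -v name="$(basename "$f" .log)" '
            BEGIN { n = split(ips, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
            ($1 in want) { hits++ }
            END { if (hits) print hits, name }
        ' "$f"
    done | sort -rn
}

# hits_per_minute LOGFILE IP [IP...] -> "dd/Mon/yyyy:HH:MM hits" lines in time order.
hits_per_minute() {
    local file="$1"; shift
    awk -v ips="$*" '
        BEGIN { n = split(ips, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) { c[substr($4, 2, 17)]++ }
        END { for (m in c) print m, c[m] }
    ' "$file" | sort
}

# Constructed sample logs (not from the incident): two vhosts plus one error log.
make_sample_logs() {
    local d; d=$(mktemp -d)
    {
        printf '198.51.100.7 - - [06/Jun/2015:01:30:01 +0800] "GET /?r=a1 HTTP/1.1" 200 512\n'
        printf '198.51.100.7 - - [06/Jun/2015:01:30:40 +0800] "GET /?r=b2 HTTP/1.1" 200 512\n'
        printf '198.51.100.7 - - [06/Jun/2015:01:31:05 +0800] "GET /?r=c3 HTTP/1.1" 200 512\n'
        printf '198.51.100.70 - - [06/Jun/2015:01:31:09 +0800] "GET / HTTP/1.1" 200 512\n'
    } > "$d/busy.example.log"
    printf '198.51.100.7 - - [06/Jun/2015:01:12:00 +0800] "GET / HTTP/1.1" 200 99\n' > "$d/quiet.example.log"
    printf '[Sat Jun 06 01:30:01 2015] [error] [client 198.51.100.7] File does not exist\n' > "$d/busy.example.error.log"
    echo "$d"
}

logs=$(make_sample_logs)
rank_domains "$logs" 198.51.100.7
hits_per_minute "$logs/busy.example.log" 198.51.100.7
rm -rf "$logs"
```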

cd /usr/local/directadmin/data/templates
cp virtual_host2*.conf custom
cd custom

When done, run the following to update all users:

echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue

Reference: http://help.directadmin.com/item.php?id=2

Our PHP-Selector works with DirectAdmin only if PHP is running in suphp or fcgi mode. Here is the complete set of commands to enable selector on DA with suphp:

/usr/local/directadmin/custombuild/build set suphp yes
/usr/local/directadmin/custombuild/build set cloudlinux yes
/usr/local/directadmin/custombuild/build update
/usr/local/directadmin/custombuild/build apache
/usr/local/directadmin/custombuild/build php y
/usr/local/directadmin/custombuild/build suphp
/usr/local/directadmin/custombuild/build rewrite_confs
cagefsctl --force-update
cagefsctl --remount-all

Same way for fcgi mode.

http://kb.cloudlinux.com/2014/12/php-selector-and-directadmin/

When Suhosin is enabled, DA's phpMyAdmin reports the following error:

Server running with Suhosin. Please refer to documentation for possible issues.

This is a permissions issue: Suhosin blocks some of phpMyAdmin's operations, so we only need to add an exception. Run

php -i | grep "Loaded Configuration File"

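to find the location of php.ini, then edit it and add the following at the very bottom (in simulation mode Suhosin only logs violations for this path instead of blocking them):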

[PATH=/var/www/html/phpMyAdmin]
suhosin.simulation = On

Save, exit, and restart Apache for the change to take effect.

1. Turn off DA's service monitoring

vi /usr/local/directadmin/data/admin/services.status
Change the exim and dovecot values to OFF

2. Stop the services and disable them at boot

service exim stop
chkconfig exim off
service dovecot stop
chkconfig dovecot off

3. Break (rename) the exim executable

mv /usr/sbin/exim /usr/sbin/exim.old

4. Clear the mail queue

cd /var/spool  
mv exim exim.old  
mkdir -p exim/input  
mkdir -p exim/msglog  
mkdir -p exim/db  
chown -R mail:mail exim 

64-bit systems need libunwind installed

wget http://download.savannah.gnu.org/releases/libunwind/libunwind-1.1.tar.gz
tar zxvf libunwind-1.1.tar.gz
cd libunwind-1.1/
CFLAGS=-fPIC ./configure
make CFLAGS=-fPIC
make CFLAGS=-fPIC install

Install TCMalloc

wget http://pkgs.fedoraproject.org/repo/pkgs/gperftools/gperftools-2.4.tar.gz/2171cea3bbe053036fb5d5d25176a160/gperftools-2.4.tar.gz
tar zxvf  gperftools-2.4.tar.gz
cd gperftools-2.4/
./configure
make && make install
echo "/usr/local/lib" > /etc/ld.so.conf.d/usr_local_lib.conf
/sbin/ldconfig

Load it into MySQL

vi /usr/bin/mysqld_safe
# Find the line "# executing mysqld_safe" and add the following below it:
export LD_PRELOAD=/usr/local/lib/libtcmalloc.so
service mysqld restart
# Check that it took effect
lsof -n | grep tcmalloc

Tuned MySQL configuration file

[mysqld]
# WEED 2015-06-06
#default-storage-engine=MyISAM
open_files_limit=60000
innodb_file_per_table=1
local-infile=0
key_buffer_size = 32M
max_allowed_packet = 128M
max_connections = 150
max_user_connections = 50
wait_timeout=30
interactive_timeout=45
connect_timeout=10
tmp-table-size = 256M
max-heap-table-size = 256M
sort_buffer_size = 1M
read_buffer_size = 2M
read_rnd_buffer_size = 8M
myisam_sort_buffer_size = 64M
thread_cache_size = 8
query_cache_size = 32M
innodb-flush-method = O_DIRECT
innodb-log-files-in-group = 2
innodb-flush-log-at-trx-commit = 1
innodb-buffer-pool-size = 64M
#innodb-buffer-pool-instances = 2
innodb_buffer_pool_instances = 1
join_buffer_size = 32M
table_open_cache=64
innodb_buffer_pool_size=2G
innodb_thread_concurrency=8
tmpdir = /dev/shm

[mysqldump]
quick
max_allowed_packet = 16M

[mysql]
no-auto-rehash

[myisamchk]
key_buffer = 256M
sort_buffer_size = 256M
read_buffer = 2M
write_buffer = 2M

[mysqlhotcopy]
interactive-timeout

For this part, see: http://help.directadmin.com/item.php?id=44

Mod_cache can cache common static files such as css and js, improving page load speed.

Installation

cd /usr/local/directadmin/custombuild/configure/ap2
vi configure.apache

Add the following at the very bottom:

"--enable-cache" \
"--enable-disk-cache" \
"--enable-mem-cache"

cd /usr/local/directadmin/custombuild
./build apache

Configuration

cd /etc/httpd/conf/extra/    # enter the directory
vi httpd-includes.conf    # edit the configuration file

Add the following to the configuration file:

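<IfModule mod_cache.c>
# Percentage of a document served after which caching completes even if the request is cancelled (left disabled)
#CacheForceCompletion 100
# Default cache expiry time (seconds)
CacheDefaultExpire 3600
# Maximum cache expiry time (seconds)
CacheMaxExpire 86400
# Factor for computing the expiry from the Last-Modified time; see the mod_cache documentation
CacheLastModifiedFactor 0.1

<IfModule mod_mem_cache.c>
CacheEnable mem /
# In-memory cache size; adjust to the server's RAM (unit: KB)
MCacheSize 512000
# Maximum number of objects held in the cache
MCacheMaxObjectCount 10000
# Smallest object that will be cached (unit: bytes)
MCacheMinObjectSize 1
# Largest object that will be cached (unit: bytes)
MCacheMaxObjectSize 51200
</IfModule>
</IfModule>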

If you see the error

/usr/local/lib/libz.so.1: no version information available (required by python)

it has to do with the version of libz installed. The reason for the current version has to do with the version of libz that libxml2 requires. A newer version of both will resolve the issue, but due to many reported issues with this update, we reverted to the older version of libz and libxml2. Note that the warning is not going to hurt anything, so it can be ignored.

We do not recommend using the options below.

If you still wish to update libz and libxml2 to their newer versions to avoid the message, type:

cd /usr/local/directadmin/custombuild
./build update
./build set new_zlib yes
./build update_data
./build zlib
./build libxml2
./build php n

If you host a large database that can't be split up, and your server doesn't have the resources to handle it, you can set up mysql to be run on an external server. This shouldn't be needed too often, as usually, you can just move entire user accounts to another server to ease the load. But in the case of one large database using up the whole server, then you don't have much choice.

Note that this guide does not transfer any databases over. It's generally a good idea to do this before you add users. Also, mysql will continue to run on your local DA.. so existing databases and scripts should continue to function, but users will not be able to control them through DA.

1) The first step is to install mysql onto the remote server. DA is not required on this server, as it is just used for mysql and nothing else. I won't go into the detail on how to do this (use google).

2) The next step is to setup a user that DA can connect to on the remote mysql server. The default DA uses is da_admin, so staying with that name is a good idea, but not required.
You can use this guide to setup the da_admin user on your server: help.directadmin.com/item.php?id=45. The username and password you setup have to be set in the /usr/local/directadmin/conf/mysql.conf file for DA to use.
On a related note, if the remote server is on a LAN IP, and the connecting IP to that remote server will not be your server IP, but rather some other IP such as a 192.168.x.x type of IP then you can use this guide to add an access host by default instead of the server IP: directadmin.com/features.php?id=818.

Note that the above guide will only grant da_admin on the "localhost", meaning you have to already be on that remote mysql server to use the account. We'll need to add another access host (ip) to allow the DA server to connect to it. Basically, you just run the "GRANT ALL PRIVILEGES ON *.* TO da_admin@localhost" command again, but you change localhost to the IP of your DA server:

GRANT ALL PRIVILEGES ON *.* TO da_admin@1.2.3.4 WITH GRANT OPTION;
FLUSH PRIVILEGES;

we don't need the "identified by 'pass'" again, because the password is already from adding it the first time.

3) At this point.. the remote mysql database should be setup and ready to accept DA to use it. Test it out by logging into your DA machine via ssh, and type:

mysql -uda_admin -p --host=4.3.2.1

where 4.3.2.1 is the IP of your mysql server. If you can't connect, go back over your settings again.. also make sure that port 3306 is open on the remote box.

4) Now.. the easier part is to tell DA to use the remote server. Edit:
/usr/local/directadmin/conf/mysql.conf
add the line:
host=4.3.2.1
where 4.3.2.1 is the IP of your remote server. Make sure there is a newline character at the end of the line.. (Eg, press enter)

5) That should be it. Go into DA and check the mysql section of your user level to see if you get any errors. If not, try adding a database to make sure it works.

6) The only cleanup task would then be to fix up phpMyAdmin to also connect to the remote host.
Edit /var/www/html/phpMyAdmin/config.inc.php
Find this line:

$cfg['Servers'][$i]['host']          = 'localhost'; // MySQL hostname or IP address

and change it to

$cfg['Servers'][$i]['host']          = '4.3.2.1'; // MySQL hostname or IP address

Official documentation: http://help.directadmin.com/item.php?id=140


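Capri is a commercial DirectAdmin theme. Quite a few people probably use it, and I personally like it a lot.
A while ago the author open-sourced the theme on GitHub and removed the license verification mechanism in function.php.
So it is now effectively free to use, as the image above shows; the license displayed is, of course, the GitHub version.
GitHub: https://github.com/Terrorhawk/Capri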

wget -O capri.sh http://localserver.flaxe.eu/Capri-install/capri.sh
chmod +x capri.sh
./capri.sh

For details, see:
https://forum.directadmin.com/showthread.php?t=51079

Reposted from: http://www.guyusoftware.com/2015-05-16-5921.html