
Security by default


artichoke

Security by default.

I got a message that 7250 emails had been sent yesterday by a user. System daily limit is 1000 total, 200 per user. Quite likely I missed something when configuring DirectAdmin.

That brings me to this feature request. Currently, DirectAdmin provides us many ways of preventing spam and misuse. If we look through all the documentation, and follow many different instructions, we will likely end up with a more secure system.

The problem here is that the default is for the system to be open. E.g., http to port 2222, few limits on email, no spam filtering, no virus filtering, etc.

I think there should be one global switch allowing a choice between a secure and insecure system. Either at install time, or later, or both.

If at install time we pick the secure option, then everything will by default be secure. E.g., https to port 2222 will be required, email limits set, spam-filtering enabled, virus-checking enabled, and anything else that is possible.

If any security precaution is left out, the system will refuse to operate until we fix that.

If no spam filtering, then no email at all, until we fix that.

If no virus filtering, then no email at all, until we fix that.

No http on port 2222, ever. Only ssh access until https is properly enabled on port 2222.

And so on.

Instead of searching through the documentation for hints to make the system secure, we would have to search through the documentation looking for ways to relax the security.

I think a lot of people would pick the more secure option.


sufiyan shaikh

I will say it's a bad idea to block the functions until they are secured.
For most people, the current default setting is best.

I personally think that going through 'Documentation' is good rather than having services blocked due to security options.
If you are a normal user, I am sure you won't face such spamming or security issues.
If you are a System Admin or hosting provider, I will suggest modifying settings according to your needs and going through the software documentation.

What if I am in a hurry to get a server live due to a disaster and my sites or mail or ssh is not working until I secure them?
The result will be on my 'clients' because it will take time for me to get the server secured first and then the server will work properly.

I am not against your suggestions but it's about "All" and not about a single person.