Script to automatically install the Perfect Server on OpenSUSE 11.2 and install ISPConfig 3

A script that automatically sets up the Perfect Server on OpenSUSE 11.2 and installs ISPConfig 3

Author: George Yohng (georgesc#oss3d.com)
Script version: 1.4
Last updated: August 29, 2010

Here is a script that automates the tasks of the tutorial The Perfect Server - OpenSUSE 11.2 x86_64 [ISPConfig 3] and installs ISPConfig 3 at the end.

Please note: do not run this script on an already working server, because it may overwrite configuration files and break a running system. It is meant only for a fresh installation of OpenSUSE 11.2.

If you are installing on OpenSUSE 11.3, make sure to use the other version of this script (also available at www.youcl.com).

As I found out, a few things were missing from the tutorial. Based on the tutorial I made a script that prepares a system, including several steps which, if left out, leave the system unfinished in one way or another.

Notable additions:

  • "mysql" dependency in the mydns init script
  • fail2ban configuration
  • the firewall is not switched off
  • Pure-ftpd configuration changes (allow renaming, changed passive ports and permissions)
  • Postfix certificate generation
  • Apache SSL certificate generation, and switching ISPConfig to HTTPS
  • Fixed the NameVirtualHost Apache configuration on OpenSUSE (important for Apache to recognise the multiple domains created from ISPConfig)
  • rdiff-backup set up with cron
  • Fixed Courier IMAP to accept connections (not only on the loopback address)
  • Fixed pam_mysql to work on 64-bit systems
  • Fixed amavis finding the clamd socket
  • eAccelerator installed
  • Fixed Apache custom error paths
  • awstats installed and configured

The script is not perfect and requires manual input twice - when mysql_secure_installation runs, and when ispconfig_update_svn runs. (I use svn because the latest ISPConfig SVN looks better, but on a production system one can also type stable, and you should use stable!)

Before running this script, run:

zypper update
reboot

Also, before running this script, it is better to change the host name manually with yast2 (file HOSTNAME), so that OpenSUSE puts the correct name into the Postfix configuration.

This script requires two manual actions:

First - when mysql_secure_installation is running.
Second - for the ISPConfig 3 update. When the update type is asked, type svn or stable (stable is recommended!).
All other options are the defaults, just press ENTER.

Before running the script, you should change the following variables in it:

THIS_PLATFORM: x86_64 or i586.

MYSQLROOTPASS: please change MYSQLROOTPASS, and be sure to type it verbatim when mysql_secure_installation asks for it.

MY_HOSTNAME, MY_DOMAIN: change these to your server name. By default it is configured as server1.mydomain.com. If your web site hosts a complete domain (such as domain.com), still leave something in MY_HOSTNAME; server1 or host is a good name.

ISPCONFIG_TAR_GZ: make sure ISPCONFIG_TAR_GZ points to the latest available ISPConfig 3 release.
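To catch a wrong variable before the script overwrites anything, a pre-flight check can be run first. The following is an added example and is not part of George Yohng's script: it assumes the variable names above, treats the password shipped in the script (098j91r3kx) as the value that must be changed, and looks for files the script itself creates to detect a server that has already been set up.

```sh
#!/bin/sh
# Added example, not part of George Yohng's script: a pre-flight check for the
# variables the script asks you to edit, plus a guard against running it on a
# server that is already configured (the script overwrites config files).
# Assumptions: the variable names match the script; 098j91r3kx is the password
# shipped in the script and must not be kept.

SHIPPED_PASS=098j91r3kx

# check_platform VALUE: only the two values the script supports are accepted.
check_platform() {
    case "$1" in
        x86_64|i586) return 0 ;;
        *) echo "THIS_PLATFORM must be x86_64 or i586, got '$1'" >&2; return 1 ;;
    esac
}

# check_password VALUE: reject the shipped default, short values, and characters
# that would break the unquoted -p$MYSQLROOTPASS uses in the script.
check_password() {
    pw="$1"
    if [ "$pw" = "$SHIPPED_PASS" ]; then
        echo "MYSQLROOTPASS is still the value shipped with the script" >&2; return 1
    fi
    if [ "${#pw}" -lt 12 ]; then
        echo "MYSQLROOTPASS is shorter than 12 characters" >&2; return 1
    fi
    case "$pw" in
        *[!A-Za-z0-9_.-]*) echo "MYSQLROOTPASS may only use [A-Za-z0-9_.-]" >&2; return 1 ;;
    esac
    return 0
}

# check_hostname HOST DOMAIN: HOST must be a single DNS label (the script builds
# MY_FULLHOSTNAME=$MY_HOSTNAME.$MY_DOMAIN), DOMAIN must be a dotted name.
check_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*) echo "MY_HOSTNAME must be one label such as server1" >&2; return 1 ;;
    esac
    case "$2" in
        *.*) ;;
        *) echo "MY_DOMAIN must contain a dot, e.g. mydomain.com" >&2; return 1 ;;
    esac
    case "$2" in
        .*|*.|*..*|*[!A-Za-z0-9.-]*) echo "MY_DOMAIN '$2' is not a valid name" >&2; return 1 ;;
    esac
    return 0
}

# check_fresh_install [ROOT]: refuse if files the script creates already exist.
# ROOT is prefixed to the paths so the check can be exercised on a scratch tree.
check_fresh_install() {
    for marker in /usr/local/ispconfig /srvbackup_do /etc/fail2ban/jail.conf.def; do
        if [ -e "${1:-}$marker" ]; then
            echo "$marker exists: this looks like an already configured server" >&2
            return 1
        fi
    done
    return 0
}

# preflight PLATFORM PASSWORD HOST DOMAIN [ROOT]: runs all checks and returns
# the number of failed checks, so 0 means the script may be run.
preflight() {
    fails=0
    check_platform "$1"      || fails=$((fails + 1))
    check_password "$2"      || fails=$((fails + 1))
    check_hostname "$3" "$4" || fails=$((fails + 1))
    check_fresh_install "$5" || fails=$((fails + 1))
    return $fails
}
```

Call it as preflight "$THIS_PLATFORM" "$MYSQLROOTPASS" "$MY_HOSTNAME" "$MY_DOMAIN" with the values from your copy of the script and only continue when it returns 0.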

Save the script on the server (e.g. as /usr/local/sbin/opensuse_ispconfig3.sh):

vi /usr/local/sbin/opensuse_ispconfig3.sh
#!/bin/sh

# OpenSUSE 11.2 Perfect Server ISPConfig script by George Yohng (georgesc#oss3d.com)
# Script Version 1.4

# Do zypper update and reboot before running this script

# Also better change host name (file HOSTNAME) manually before running this script, though looks like it's not necessary

# This script requires two manual actions.

# First - when mysql_secure_install is running. One should type a new mysql password, the same as here
# Second - for ISPConfig3 update. One should type 'svn' when the update type is asked
# For both of scripts, all other options are default, one can just press ENTER.


# Also, please change MYSQLROOTPASS below, and be sure to enter it verbatim
# during the installation of mysql_secure_install.

# Important: When setting an MX entry, point it to mail.yourdomain.com rather than
# just to yourdomain.com, and create a CNAME entry for mail. Otherwise it doesn't
# seem to work somehow.

THIS_PLATFORM=x86_64

MYSQLROOTPASS=098j91r3kx

# Change this to your server name. By default it's configured to server1.mydomain.com

# If your web site hosts a complete domain, such as domain.com, still leave
# something for MY_HOSTNAME. 'server1' or 'host' is a good name.

MY_HOSTNAME=server1
MY_DOMAIN=mydomain.com

# Packages may have been updated, therefore also check the RPM and TARGZ locations below,
# and preferably use the latest versions of everything.

GETMAIL_RPM=http://download.opensuse.org/repositories/server:/mail/openSUSE_11.2/noarch/getmail-4.17.0-1.1.noarch.rpm
MAILDROP_RPM=http://download.opensuse.org/repositories/server:/mail/openSUSE_11.2/$THIS_PLATFORM/maildrop-2.4.0-1.6.$THIS_PLATFORM.rpm
PAM_MYSQL_TARGZ=http://heanet.dl.sourceforge.net/sourceforge/pam-mysql/pam_mysql-0.7RC1.tar.gz
SUPHP_RPM=http://download.opensuse.org/repositories/server:/php/openSUSE_11.2/$THIS_PLATFORM/suphp-0.7.1-3.1.$THIS_PLATFORM.rpm
FAIL2BAN_RPM=http://download.opensuse.org/repositories/home:/kolbma/openSUSE_11.1/$THIS_PLATFORM/fail2ban-0.8.4-2.1.$THIS_PLATFORM.rpm

AWSTATS_RPM=http://download.opensuse.org/repositories/network:/utilities/openSUSE_11.2/noarch/awstats-6.95-3.1.noarch.rpm

SQUIRRELMAIL_RPM=http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.2/noarch/squirrelmail-1.4.20-1.1.noarch.rpm

JAILKIT_TARGZ=http://olivier.sessink.nl/jailkit/jailkit-2.11.tar.gz

PHPMYADMIN_RPM=http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.2/noarch/phpMyAdmin-3.3.3-1.1.noarch.rpm
MYDNS_RPM=http://mydns.bboy.net/download/mydns-mysql-1.1.0-1.i386.rpm
VLOGGER_TARGZ=http://n0rp.chemlab.org/vlogger/vlogger-1.3.tar.gz

RDIFF_BACKUP_TARGZ=http://savannah.nongnu.org/download/rdiff-backup/rdiff-backup-1.2.8.tar.gz

EACCELERATOR_TARGZ=http://bart.eaccelerator.net/source/0.9.6.1/eaccelerator-0.9.6.1.tar.bz2

ISPCONFIG_TAR_GZ=http://downloads.sourceforge.net/ispconfig/ISPConfig-3.0.2.1.tar.gz?use_mirror=

MY_FULLHOSTNAME=$MY_HOSTNAME.$MY_DOMAIN

# Disable apparmor

/etc/init.d/boot.apparmor stop
chkconfig -d boot.apparmor

# Allow ports through firewall

SuSEfirewall2 open EXT TCP 21 80 8080 25 143 465 585 993 30000:30500
SuSEfirewall2

# Switch off X login (check!)

chkconfig --del xdm
rcxdm stop

# Quota

yast2 -i quota

touch /aquota.user /aquota.group
chmod 600 /aquota.*
touch /srv/aquota.user /srv/aquota.group
chmod 600 /srv/aquota.*

# TODO: change fstab here

mount -o remount /
mount -o remount /srv
mount -o remount /home

quotacheck -avugm
quotaon -avug

# Basic packages

yast2 -i mc

yast2 -i findutils readline libgcc glibc-devel findutils-locate gcc flex lynx compat-readline4 db-devel wget gcc-c++ subversion make vim telnet cron iptables iputils man man-pages nano pico

# Host name

echo $MY_FULLHOSTNAME > /etc/HOSTNAME
echo 127.0.0.2 $MY_FULLHOSTNAME $MY_HOSTNAME >> /etc/hosts
echo 69.46.236.210 mydns.bboy.net >> /etc/hosts

export HOST=$MY_FULLHOSTNAME
export HOSTNAME=$MY_FULLHOSTNAME

SuSEconfig

# Postfix, Courier, Saslauthd, MySQL

yast2 -i postfix postfix-mysql mysql mysql-client
yast2 -i courier-imap courier-authlib courier-authlib-mysql python cron cyrus-sasl cyrus-sasl-crammd5
yast2 -i cyrus-sasl-digestmd5 cyrus-sasl-gssapi cyrus-sasl-otp cyrus-sasl-plain cyrus-sasl-saslauthd libmysqlclient-devel pwgen

chkconfig --add mysql
chkconfig --add postfix
chkconfig --add saslauthd
chkconfig --add fam
chkconfig --add courier-authdaemon
chkconfig --add courier-pop
chkconfig --add courier-imap
chkconfig --add courier-pop-ssl
chkconfig --add courier-imap-ssl
/etc/init.d/mysql start
/etc/init.d/postfix start
/etc/init.d/saslauthd start
/etc/init.d/courier-pop start
/etc/init.d/courier-imap start
/etc/init.d/courier-pop-ssl start
/etc/init.d/courier-imap-ssl start

# getmail

cd /tmp
rpm -i $GETMAIL_RPM
rpm --force -i $MAILDROP_RPM

# pam

yast2 -i pam-devel pam-32bit pam-devel-32bit pam-modules-32bit

# pam_mysql

cd /tmp
wget -c $PAM_MYSQL_TARGZ
tar xvfz pam_mysql-*.tar.gz
rm -rf pam_mysql-*.tar.gz
cd pam_mysql-*
./configure
make
make install
cd /tmp
rm -rf /tmp/pam_mysql-*

test -d /lib64 && cp /lib/security/pam_mysql* /lib64/security

# mysql_secure_installation

mysql_secure_installation

#(echo Y; echo $MYSQLROOTPASS; echo $MYSQLROOTPASS; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; )

# amavis, spam asassin, etc

yast2 -i spamassassin amavisd-new clamav clamav-db zoo unzip unrar bzip2 unarj perl-DBD-mysql

sa-update

# TODO: change /etc/amavisd.conf

#$mydomain = "$MY_DOMAIN"; # a convenient default for other settings
#$myhostname = "$MY_HOSTNAME";

sed -i 's/\$mydomain = '\''example.com'\'';/\$mydomain='\'$MY_DOMAIN\'';\n\$myhostname='\'$MY_FULLHOSTNAME\'';/g' /etc/amavisd.conf

# Correct a path to clamd socket
sed -i 's,/var/run/clamav/clamd,/var/lib/clamav/clamd-socket,g' /etc/amavisd.conf

chkconfig --add amavis
chkconfig --add clamd
/etc/init.d/amavis start
/etc/init.d/clamd start

# Courier IMAP, listen on external ports

sed -i 's/^ADDRESS=127.0.0.1/ADDRESS=0/g' /etc/courier/imapd

# Apache2

yast2 -i apache2 apache2-mod_fcgid

yast2 -i php5-bcmath php5-bz2 php5-calendar php5-ctype php5-curl php5-dom php5-ftp php5-gd php5-gettext php5-gmp php5-iconv php5-imap php5-ldap php5-mbstring php5-mcrypt php5-mysql php5-odbc php5-openssl php5-pcntl php5-pgsql php5-posix php5-shmop php5-snmp php5-soap php5-sockets php5-sqlite php5-sysvsem php5-tokenizer php5-wddx php5-xmlrpc php5-xsl php5-zlib php5-exif php5-fastcgi php5-pear php5-sysvmsg php5-sysvshm ImageMagick curl apache2-mod_php5

rpm -i $SUPHP_RPM

a2enmod suexec
a2enmod rewrite
a2enmod ssl
a2enmod actions
a2enmod suphp
a2enmod fcgid
chown root:www /usr/sbin/suexec2
chmod 4755 /usr/sbin/suexec2

chkconfig --add apache2
/etc/init.d/apache2 start

# PhpMyAdmin

rpm -i $PHPMYADMIN_RPM

# FTP

yast2 -i pure-ftpd quota


sed -i 's/NoRename.*yes/NoRename no/g' /etc/pure-ftpd/pure-ftpd.conf
sed -i 's/AutoRename.*yes/AutoRename no/g' /etc/pure-ftpd/pure-ftpd.conf
sed -i 's/ProhibitDotFilesWrite.*yes/ProhibitDotFilesWrite no/g' /etc/pure-ftpd/pure-ftpd.conf
sed -i 's/# PassivePortRange.*30000 50000/PassivePortRange 30000 30500/g' /etc/pure-ftpd/pure-ftpd.conf
sed -i 's/^Umask\ *177\:077$/Umask 137:027/' /etc/pure-ftpd/pure-ftpd.conf


chkconfig --add pure-ftpd
/etc/init.d/pure-ftpd start

# MyDNS

rpm -ivh --force $MYDNS_RPM


# MyDNS script

cat > /etc/init.d/mydns <<EOFMARKER
#! /bin/sh
# Copyright (c) 1995-2004 SUSE Linux AG, Nuernberg, Germany.
# All rights reserved.
#
# Author: Kurt Garloff
# Please send feedback to http://www.suse.de/feedback/
#
# /etc/init.d/mydns
# and its symbolic link
# /(usr/)sbin/rcmydns
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# Template system startup script for some example service/daemon mydns
#
# LSB compatible service control script; see http://www.linuxbase.org/spec/
#
# Note: This template uses functions rc_XXX defined in /etc/rc.status on
# UnitedLinux (UL) based Linux distributions. If you want to base your
# script on this template and ensure that it works on non UL based LSB
# compliant Linux distributions, you either have to provide the rc.status
# functions from UL or change the script to work without them.
#
### BEGIN INIT INFO
# Provides: mydns
# Required-Start: \$syslog \$remote_fs mysql
# Should-Start: \$time ypbind sendmail
# Required-Stop: \$syslog \$remote_fs
# Should-Stop: \$time ypbind sendmail
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: mydns XYZ daemon providing ZYX
# Description: Start mydns to allow XY and provide YZ
# continued on second line by '#<TAB>'
# should contain enough info for the runlevel editor
# to give admin some idea what this service does and
# what it's needed for ...
# (The Short-Description should already be a good hint.)
### END INIT INFO
#
# Any extensions to the keywords given above should be preceeded by
# X-VendorTag- (X-UnitedLinux- X-SuSE- for us) according to LSB.
#
# Notes on Required-Start/Should-Start:
# * There are two different issues that are solved by Required-Start
# and Should-Start
# (a) Hard dependencies: This is used by the runlevel editor to determine
# which services absolutely need to be started to make the start of
# this service make sense. Example: nfsserver should have
# Required-Start: \$portmap
# Also, required services are started before the dependent ones.
# The runlevel editor will warn about such missing hard dependencies
# and suggest enabling. During system startup, you may expect an error,
# if the dependency is not fulfilled.
# (b) Specifying the init script ordering, not real (hard) dependencies.
# This is needed by insserv to determine which service should be
# started first (and at a later stage what services can be started
# in parallel). The tag Should-Start: is used for this.
# It tells, that if a service is available, it should be started
# before. If not, never mind.
# * When specifying hard dependencies or ordering requirements, you can
# use names of services (contents of their Provides: section)
# or pseudo names starting with a \$. The following ones are available
# according to LSB (1.1):
# \$local_fs all local file systems are mounted
# (most services should need this!)
# \$remote_fs all remote file systems are mounted
# (note that /usr may be remote, so
# many services should Require this!)
# \$syslog system logging facility up
# \$network low level networking (eth card, ...)
# \$named hostname resolution available
# \$netdaemons all network daemons are running
# The \$netdaemons pseudo service has been removed in LSB 1.2.
# For now, we still offer it for backward compatibility.
# These are new (LSB 1.2):
# \$time the system time has been set correctly
# \$portmap SunRPC portmapping service available
# UnitedLinux extensions:
# \$ALL indicates that a script should be inserted
# at the end
# * The services specified in the stop tags
# (Required-Stop/Should-Stop)
# specify which services need to be still running when this service
# is shut down. Often the entries there are just copies or a subset
# from the respective start tag.
# * Should-Start/Stop are now part of LSB as of 2.0,
# formerly SUSE/Unitedlinux used X-UnitedLinux-Should-Start/-Stop.
# insserv does support both variants.
# * X-UnitedLinux-Default-Enabled: yes/no is used at installation time
# (%fillup_and_insserv macro in %post of many RPMs) to specify whether
# a startup script should default to be enabled after installation.
# It's not used by insserv.
#
# Note on runlevels:
# 0 - halt/poweroff 6 - reboot
# 1 - single user 2 - multiuser without network exported
# 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm)
#
# Note on script names:
# http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB/scrptnames.html
# A registry has been set up to manage the init script namespace.
# http://www.lanana.org/
# Please use the names already registered or register one or use a
# vendor prefix.


# Check for missing binaries (stale symlinks should not happen)
# Note: Special treatment of stop for LSB conformance
MYDNS_BIN=/usr/sbin/mydns
test -x \$MYDNS_BIN || { echo "\$MYDNS_BIN not installed";
if [ "\$1" = "stop" ]; then exit 0;
else exit 5; fi; }

# Check for existence of needed config file and read it
#MYDNS_CONFIG=/etc/sysconfig/mydns
#test -r \$MYDNS_CONFIG || { echo "\$MYDNS_CONFIG not existing";
# if [ "\$1" = "stop" ]; then exit 0;
# else exit 6; fi; }


# Read config
#. \$MYDNS_CONFIG

# Source LSB init functions
# providing start_daemon, killproc, pidofproc,
# log_success_msg, log_failure_msg and log_warning_msg.
# This is currently not used by UnitedLinux based distributions and
# not needed for init scripts for UnitedLinux only. If it is used,
# the functions from rc.status should not be sourced or used.
#. /lib/lsb/init-functions

# Shell functions sourced from /etc/rc.status:
# rc_check check and set local and overall rc status
# rc_status check and set local and overall rc status
# rc_status -v be verbose in local rc status and clear it afterwards
# rc_status -v -r ditto and clear both the local and overall rc status
# rc_status -s display "skipped" and exit with status 3
# rc_status -u display "unused" and exit with status 3
# rc_failed set local and overall rc status to failed
# rc_failed <num> set local and overall rc status to <num>
# rc_reset clear both the local and overall rc status
# rc_exit exit appropriate to overall rc status
# rc_active checks whether a service is activated by symlinks
. /etc/rc.status

# Reset status of this service
rc_reset

# Return values acc. to LSB for all commands but status:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - user had insufficient privileges
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
# 8--199 - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signaling is not supported) are
# considered a success.

case "\$1" in
start)
echo -n "Starting mydns "
## Start daemon with startproc(8). If this fails
## the return value is set appropriately by startproc.
startproc \$MYDNS_BIN

# Remember status and be verbose
rc_status -v
;;
stop)
echo -n "Shutting down mydns "
## Stop daemon with killproc(8) and if this fails
## killproc sets the return value according to LSB.

killproc -TERM \$MYDNS_BIN

# Remember status and be verbose
rc_status -v
;;
try-restart|condrestart)
## Do a restart only if the service was active before.
## Note: try-restart is now part of LSB (as of 1.9).
## RH has a similar command named condrestart.
if test "\$1" = "condrestart"; then
echo "\${attn} Use try-restart \${done}(LSB)\${attn} rather than condrestart \${warn}(RH)\${norm}"
fi
\$0 status
if test \$? = 0; then
\$0 restart
else
rc_reset # Not running is not a failure.
fi
# Remember status and be quiet
rc_status
;;
restart)
## Stop the service and regardless of whether it was
## running or not, start it again.
\$0 stop
\$0 start

# Remember status and be quiet
rc_status
;;
force-reload)
## Signal the daemon to reload its config. Most daemons
## do this on signal 1 (SIGHUP).
## If it does not support it, restart.

echo -n "Reload service mydns "
## if it supports it:
killproc -HUP \$MYDNS_BIN
#touch /var/run/mydns.pid
rc_status -v

## Otherwise:
#\$0 try-restart
#rc_status
;;
reload)
## Like force-reload, but if daemon does not support
## signaling, do nothing (!)

# If it supports signaling:
echo -n "Reload service mydns "
killproc -HUP \$MYDNS_BIN
#touch /var/run/mydns.pid
rc_status -v

## Otherwise if it does not support reload:
#rc_failed 3
#rc_status -v
;;
status)
echo -n "Checking for service mydns "
## Check status with checkproc(8), if process is running
## checkproc will return with exit status 0.

# Return value is slightly different for the status command:
# 0 - service up and running
# 1 - service dead, but /var/run/ pid file exists
# 2 - service dead, but /var/lock/ lock file exists
# 3 - service not running (unused)
# 4 - service status unknown :-(
# 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)

# NOTE: checkproc returns LSB compliant status values.
checkproc \$MYDNS_BIN
# NOTE: rc_status knows that we called this init script with
# "status" option and adapts its messages accordingly.
rc_status -v
;;
probe)
## Optional: Probe for the necessity of a reload, print out the
## argument to this init script which is required for a reload.
## Note: probe is not (yet) part of LSB (as of 1.9)

test /etc/mydns/mydns.conf -nt /var/run/mydns.pid && echo reload
;;
*)
echo "Usage: \$0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
exit 1
;;
esac
rc_exit
EOFMARKER

chmod 755 /etc/init.d/mydns
chkconfig --add mydns

# VLOGGER and WEBALIZER

cd /tmp
wget -c $VLOGGER_TARGZ
tar xvfz vlogger-*.tar.gz
rm -f vlogger-*.tar.gz
mv vlogger-*/vlogger /usr/sbin/
rm -rf vlogger*

yast2 -i webalizer perl-DateManip

# Fail2ban

rpm -i $FAIL2BAN_RPM

chkconfig --add fail2ban
service fail2ban start

# Jailkit

cd /tmp
wget -c $JAILKIT_TARGZ
tar xvfz jailkit-*.tar.gz
rm -f jailkit-*.tar.gz
cd jailkit-*
./configure
make
make install
cd /tmp
rm -rf jailkit-*

# Synchronize system clock

yast2 -i xntp

chkconfig --add ntp
/etc/init.d/ntp start

# ISPCONFIG

cd /tmp
wget -c $ISPCONFIG_TAR_GZ
tar xvfz ISPConfig-*.tar.gz
cd ispconfig3_install/install/

(echo; echo; echo $MY_FULLHOSTNAME; echo; echo; echo $MYSQLROOTPASS; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; ) | php -q install.php

cd /tmp
rm -rf /tmp/ispconfig3_install
rm -f /tmp/ISPConfig-*.tar.gz

# Squirrelmail

rpm -i $SQUIRRELMAIL_RPM
ln -s /srv/www/htdocs/squirrelmail /usr/local/ispconfig/interface/web/webmail

# Symlink

ln -s /srv/www/htdocs/phpMyAdmin /usr/local/ispconfig/interface/web/phpmyadmin

sed -i 's/\"en_US\.UTF-8/\"en_US\.ISO-8859-1/g' /etc/sysconfig/language

sed -i 's/x\-httpd\-php\=\"php\:\/usr\/bin\/php\-cgi5\"/x-httpd-php="php:\/usr\/bin\/php-cgi5"\nx-httpd-suphp="php:\/usr\/bin\/php-cgi5"/g' /etc/suphp.conf

SuSEconfig

/usr/local/bin/ispconfig_update_from_svn.sh

openssl genrsa -passout pass:0passphrase$MYSQLROOTPASS -des3 -out /etc/apache2/ssl.key/server.key 4096
(echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;) | openssl req -passin pass:0passphrase$MYSQLROOTPASS -new -key /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.csr/server.csr
openssl x509 -passin pass:0passphrase$MYSQLROOTPASS -req -days 3650 -in /etc/apache2/ssl.csr/server.csr -signkey /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.crt/server.crt
openssl rsa -passin pass:0passphrase$MYSQLROOTPASS -in /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.key/server.key.insecure
mv /etc/apache2/ssl.key/server.key /etc/apache2/ssl.key/server.key.secure
mv /etc/apache2/ssl.key/server.key.insecure /etc/apache2/ssl.key/server.key
a2enmod ssl

sed -i 's/.VirtualHost _default_\:8080./\<VirtualHost _default_\:8080\>\nSSLEngine On\nSSLCertificateFile \/etc\/apache2\/ssl.crt\/server.crt\nSSLCertificateKeyFile \/etc\/apache2\/ssl.key\/server.key/g' /etc/apache2/sites-available/ispconfig.vhost

sed -i 's/DirectoryIndex index.html index.html.var/DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php5 index.php4 index.php3 index.pl index.html.var index.aspx default.aspx/g' /etc/apache2/httpd.conf

# enable named hosts
sed -i 's/^#NameVirtualHost \*\:80$/NameVirtualHost *:80/g' /etc/apache2/listen.conf

sed -i 's,^Alias /error/,#Alias /error/,' /etc/apache2/errors.conf

sed -i 's/max_execution_time = 30/max_execution_time = 120/' /etc/php5/apache2/php.ini
sed -i 's/max_execution_time = 30/max_execution_time = 120/' /etc/php5/cli/php.ini
sed -i 's/max_execution_time = 30/max_execution_time = 120/' /etc/php5/fastcgi/php.ini

sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' /etc/php5/apache2/php.ini
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' /etc/php5/cli/php.ini
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' /etc/php5/fastcgi/php.ini

sed -i 's/post_max_size = 8M/post_max_size = 32M/' /etc/php5/apache2/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 32M/' /etc/php5/cli/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 32M/' /etc/php5/fastcgi/php.ini

rcapache2 restart

# postfix certificate

(echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;) | openssl req -new -key /etc/postfix/smtpd.key -out /etc/postfix/smtpd.csr
openssl x509 -req -days 3650 -in /etc/postfix/smtpd.csr -signkey /etc/postfix/smtpd.key -out /etc/postfix/smtpd.cert

chmod o-rwx /etc/postfix/smtpd.csr
chmod o-rwx /etc/postfix/smtpd.cert

# rdiff-backup

yast2 -i python-devel librsync

cd /tmp
wget -c $RDIFF_BACKUP_TARGZ
tar xfz rdiff-backup-*.tar.gz
rm -f rdiff-backup-*.tar.gz
cd rdiff-backup-*
./setup.py install
cd /tmp
rm -rf rdiff-backup-*

yast2 -i iptraf iftop

# create backup script

mkdir /backup
chown root:root /backup

mkdir /srvbackup_do
chown root:root /srvbackup_do
chmod og-rwx /srvbackup_do

cat > /srvbackup_do/dobackup.sh <<EOFMARKER2
#!/bin/bash

cd /srvbackup_do
sync
mysqladmin -p$MYSQLROOTPASS refresh
mysqlcheck -p$MYSQLROOTPASS -A --auto-repair
mysqldump -p$MYSQLROOTPASS --all-databases >mysqldump.sql
chmod og-rw mysqldump.sql
/usr/local/bin/rdiff-backup --preserve-numerical-ids --exclude /tmp --exclude /backup --exclude /mnt --exclude /proc --exclude /dev --exclude /sys --exclude /var/lib/ntp/proc --exclude /media --exclude /var/tmp / /backup/$MY_FULLHOSTNAME
EOFMARKER2

chown root:root /srvbackup_do/dobackup.sh
chmod og-rwx /srvbackup_do/dobackup.sh
chmod u+x /srvbackup_do/dobackup.sh

echo '51 3 * * * /srvbackup_do/dobackup.sh >> /var/log/backuplog 2>&1' >>/var/spool/cron/tabs/root

# Fail2ban config

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.def
cat > /etc/fail2ban/jail.conf <<EOFMARKER3
# Fail2Ban configuration file

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto


# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/messages
maxretry = 5

[ssh-ddos-iptables]

enabled = true
filter = sshd-ddos
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/messages
maxretry = 5


[proftpd-iptables]

enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
logpath = /var/log/messages
maxretry = 6

[pure-ftpd-iptables]

enabled = true
filter = pure-ftpd
action = iptables[name=PureFTPD, port=ftp, protocol=tcp]
logpath = /var/log/messages
maxretry = 6

[courier-imap-iptables]

enabled = true
filter = courierlogin
action = iptables[name=CourierIMAP, port=imap, protocol=tcp]
logpath = /var/log/messages
maxretry = 6


# This jail forces the backend to "polling".

[sasl-iptables]

enabled = true
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
logpath = /var/log/mail

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled = true
filter = sshd
action = hostsdeny
ignoreregex = for myuser from
logpath = /var/log/messages

[ssh-ddos-tcpwrapper]

enabled = true
filter = sshd-ddos
action = hostsdeny
ignoreregex = for myuser from
logpath = /var/log/messages


# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]

enabled = true
filter = apache-auth
action = hostsdeny
logpath = /var/log/apache2/error_log
maxretry = 6

# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.

[postfix-tcpwrapper]

enabled = true
filter = postfix
action = hostsdeny
logpath = /var/log/mail
bantime = 300

# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.

[apache-badbots]

enabled = true
filter = apache-badbots
action = iptables[name=BadBots1, port=http, protocol=tcp]
         iptables[name=BadBots2, port=https, protocol=tcp]
logpath = /var/log/apache2/access_log
bantime = 172800
maxretry = 1

[php-url-fopen]

enabled = false
port = http,https
filter = php-url-fopen
logpath = /var/log/apache2/access_log
maxretry = 1

EOFMARKER3

# Ensure fail2ban recreates a socket file
# Because otherwise after a server crash, fail2ban won't restart

sed -i 's/-q start/-x -q start/' /etc/init.d/fail2ban

# Fix pure-ftpd regexp

sed -i 's/[)][?]: [(][.][+][?]@<HOST>[)] \\\[/)\?: \\(.+?@<HOST>\\) \\[/' /etc/fail2ban/filter.d/pure-ftpd.conf

service fail2ban restart

# Install AWSTATS

rpm -ivh $AWSTATS_RPM

cp /etc/awstats/awstats.web.conf /etc/awstats/awstats.conf
sed -i 's,^<IfDefine,#<IfDefine,' /etc/apache2/conf.d/awstats.conf
sed -i 's,^</IfDefine,#</IfDefine,' /etc/apache2/conf.d/awstats.conf

rcapache2 restart

mysqladmin -p$MYSQLROOTPASS refresh

mysqldump -u root -p$MYSQLROOTPASS dbispconfig server >/tmp/server.sql

sed -i 's,\\nawstats_data_dir=[^\\]*\\n,\\nawstats_data_dir=/var/cache/awstats\\n,' /tmp/server.sql
sed -i 's,\\nawstats_pl=[^\\]*\\n,\\nawstats_pl=/srv/www/cgi-bin/awstats.pl\\n,' /tmp/server.sql
sed -i 's,\\nawstats_buildstaticpages_pl=[^\\]*\\n,\\nawstats_buildstaticpages_pl=/usr/share/doc/packages/awstats/examples/awstats_buildstaticpages.pl\\n,' /tmp/server.sql

mysql -u root -p$MYSQLROOTPASS dbispconfig </tmp/server.sql

rm -rf /tmp/server.sql

#sed -i 's,^#LoadPlugin=\"geoipfree\",LoadPlugin=\"geoipfree\",' /etc/awstats/awstats.conf
sed -i 's,^Max\([^=]*\)= 10$,Max\1= 25,' /etc/awstats/awstats.conf
sed -i 's,^StyleSheet=\"[^\"]*\",StyleSheet=\"\",' /etc/awstats/awstats.conf

# Install eAccelerator

yast2 -i php5-devel

cd /tmp
wget $EACCELERATOR_TARGZ
tar xvfj eaccelerator-*.bz2
rm -rf eaccelerator-*.bz2
cd eaccelerator-*
phpize
# the flag is specified to prevent openbasedir limitations with ispconfig
./configure --without-eaccelerator-use-inode
make
make install

cd ..
rm -rf eaccelerator-*

cat > /etc/php5/conf.d/eaccelerator.ini <<EOFMARKER4
extension="eaccelerator.so"
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/var/cache/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
EOFMARKER4

mkdir -p /var/cache/eaccelerator
chmod 0777 /var/cache/eaccelerator

rcapache2 restart

# adjust postfix interfaces

sed -i 's/^inet_interfaces = localhost/inet_interfaces = all/g' /etc/postfix/main.cf

rcpostfix restart

# enable maildrop filters

ln -s /usr/local/ispconfig/server/plugins-available/maildrop_plugin.inc.php /usr/local/ispconfig/server/plugins-enabled/maildrop_plugin.inc.php

Make it executable:

chmod 755 /usr/local/sbin/opensuse_ispconfig3.sh

You can now run it like this:

/usr/local/sbin/opensuse_ispconfig3.sh
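The jail.conf the script writes holds a dozen jails, and a copy-paste slip in an iptables action (for instance a Courier IMAP jail that names port=ftp) quietly bans the wrong port. The following lint is an added example, not part of the original script: it parses a jail file in that format, lists the enabled iptables jails with their filter and port, and reports ports that do not fit the filter; the filter-to-port table and the embedded sample jail file are this example's own constructions.

```sh
#!/bin/sh
# Added example, not part of the original script: lint the fail2ban jail.conf
# the script writes. Every enabled jail with an iptables[...] action is listed
# with its filter and banned port, and ports that do not fit the filter are
# reported. The filter-to-port table is this example's own assumption.

# expected_ports FILTER: service names an iptables action should ban on.
expected_ports() {
    case "$1" in
        sshd|sshd-ddos)         echo "ssh" ;;
        pure-ftpd|proftpd)      echo "ftp" ;;
        courierlogin)           echo "imap imaps pop3 pop3s" ;;
        sasl|postfix)           echo "smtp" ;;
        apache-*|php-url-fopen) echo "http https" ;;
        *)                      echo "unknown" ;;
    esac
}

# enabled_iptables_jails [FILE]: prints "jail filter port" for each enabled
# jail whose action is iptables[...]; reads stdin when no file is given.
# Indented continuation lines of a multi-line action are joined first.
enabled_iptables_jails() {
    awk '
    /^\[/                    { jail = substr($0, 2, length($0) - 2); key = ""; next }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[ \t]/ && key == "action" { action[jail] = action[jail] " " $0; next }
    {
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
        value = substr($0, eq + 1); sub(/^[ \t]+/, "", value); sub(/[ \t]+$/, "", value)
        if (key == "enabled") enabled[jail] = (value == "true")
        if (key == "filter")  filter[jail] = value
        if (key == "action")  action[jail] = value
    }
    END {
        for (j in enabled) {
            if (!enabled[j] || action[j] !~ /iptables\[/) continue
            port = action[j]
            sub(/.*port=/, "", port)   # text after the last "port="
            sub(/[],].*/, "", port)    # cut at the closing "]" or next ","
            print j, filter[j], port
        }
    }' "$@"
}

# check_jail_ports [FILE]: reports jails whose banned port does not match the
# ports expected for their filter. Output is empty when everything fits.
check_jail_ports() {
    enabled_iptables_jails "$@" | while read -r jail filt port; do
        case " $(expected_ports "$filt") " in
            *" $port "*) ;;
            *) echo "$jail: filter $filt but iptables action bans port $port" ;;
        esac
    done
}

# sample_jail: a constructed subset of the jails the script writes, including
# a Courier IMAP jail with the wrong port so the lint has something to report.
sample_jail() {
    cat <<'EOF'
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]

[pure-ftpd-iptables]
enabled = true
filter = pure-ftpd
action = iptables[name=PureFTPD, port=ftp, protocol=tcp]

[courier-imap-iptables]
enabled = true
filter = courierlogin
action = iptables[name=CourierIMAP, port=ftp, protocol=tcp]

[ssh-tcpwrapper]
enabled = true
filter = sshd
action = hostsdeny

[apache-badbots]
enabled = true
filter = apache-badbots
action = iptables[name=BadBots1, port=http, protocol=tcp]
         iptables[name=BadBots2, port=https, protocol=tcp]
EOF
}

sample_jail | check_jail_ports
```

Run check_jail_ports /etc/fail2ban/jail.conf on the server to lint the file the script actually wrote.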
