#!/bin/sh
# OpenSUSE 11.2 Perfect Server ISPConfig script by George Yohng (georgesc#oss3d.com)
# Script Version 1.4
# Do zypper update and reboot before running this script
# Also better change host name (file HOSTNAME) manually before running this script, though looks like it's not necessary
# This script requires two manual actions.
# First - when mysql_secure_install is running. One should type a new mysql password, the same as here
# Second - for ISPConfig3 update. One should type 'svn' when the update type is asked
# For both of scripts, all other options are default, one can just press ENTER.
# Also, please change MYSQLROOTPASS below, and be sure to enter it verbatim
# during the installation of mysql_secure_install.
# Important: When setting an MX entry, point it to mail.yourdomain.com rather than
# just to yourdomain.com, and create a CNAME entry for mail. Otherwise it doesn't
# seem to work somehow.
THIS_PLATFORM=x86_64
MYSQLROOTPASS=098j91r3kx
# Change this to your server name. By default it's configured to server1.mydomain.com
# If your web site hosts a complete domain, such as domain.com, still leave
# something for MY_HOSTNAME. 'server1' or 'host' is a good name.
MY_HOSTNAME=server1
MY_DOMAIN=mydomain.com
# Packages may have been updated, therefore also check the RPM and TARGZ locations below,
# and preferably use the latest versions of everything.
GETMAIL_RPM=http://download.opensuse.org/repositories/server:/mail/openSUSE_11.2/noarch/getmail-4.17.0-1.1.noarch.rpm
MAILDROP_RPM=http://download.opensuse.org/repositories/server:/mail/openSUSE_11.2/$THIS_PLATFORM/maildrop-2.4.0-1.6.$THIS_PLATFORM.rpm
PAM_MYSQL_TARGZ=http://heanet.dl.sourceforge.net/sourceforge/pam-mysql/pam_mysql-0.7RC1.tar.gz
SUPHP_RPM=http://download.opensuse.org/repositories/server:/php/openSUSE_11.2/$THIS_PLATFORM/suphp-0.7.1-3.1.$THIS_PLATFORM.rpm
FAIL2BAN_RPM=http://download.opensuse.org/repositories/home:/kolbma/openSUSE_11.1/$THIS_PLATFORM/fail2ban-0.8.4-2.1.$THIS_PLATFORM.rpm
AWSTATS_RPM=http://download.opensuse.org/repositories/network:/utilities/openSUSE_11.2/noarch/awstats-6.95-3.1.noarch.rpm
SQUIRRELMAIL_RPM=http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.2/noarch/squirrelmail-1.4.20-1.1.noarch.rpm
JAILKIT_TARGZ=http://olivier.sessink.nl/jailkit/jailkit-2.11.tar.gz
PHPMYADMIN_RPM=http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.2/noarch/phpMyAdmin-3.3.3-1.1.noarch.rpm
MYDNS_RPM=http://mydns.bboy.net/download/mydns-mysql-1.1.0-1.i386.rpm
VLOGGER_TARGZ=http://n0rp.chemlab.org/vlogger/vlogger-1.3.tar.gz
RDIFF_BACKUP_TARGZ=http://savannah.nongnu.org/download/rdiff-backup/rdiff-backup-1.2.8.tar.gz
EACCELERATOR_TARGZ=http://bart.eaccelerator.net/source/0.9.6.1/eaccelerator-0.9.6.1.tar.bz2
ISPCONFIG_TAR_GZ=http://downloads.sourceforge.net/ispconfig/ISPConfig-3.0.2.1.tar.gz?use_mirror=
MY_FULLHOSTNAME=$MY_HOSTNAME.$MY_DOMAIN
# Disable apparmor
/etc/init.d/boot.apparmor stop
chkconfig -d boot.apparmor
# Allow ports through firewall
SuSEfirewall2 open EXT TCP 21 80 8080 25 143 465 585 993 30000:30500
SuSEfirewall2
# Switch off X login (check!)
chkconfig --del xdm
rcxdm stop
# Quota
yast2 -i quota
touch /aquota.user /aquota.group
chmod 600 /aquota.*
touch /srv/aquota.user /srv/aquota.group
chmod 600 /srv/aquota.*
# TODO: change fstab here
mount -o remount /
mount -o remount /srv
mount -o remount /home
quotacheck -avugm
quotaon -avug
# Basic packages
yast2 -i mc
yast2 -i findutils readline libgcc glibc-devel findutils-locate gcc flex lynx compat-readline4 db-devel wget gcc-c++ subversion make vim telnet cron iptables iputils man man-pages nano pico
# Host name
echo $MY_FULLHOSTNAME > /etc/HOSTNAME
echo 127.0.0.2 $MY_FULLHOSTNAME $MY_HOSTNAME >> /etc/hosts
echo 69.46.236.210 mydns.bboy.net >> /etc/hosts
export HOST=$MY_FULLHOSTNAME
export HOSTNAME=$MY_FULLHOSTNAME
SuSEconfig
# Postfix, Courier, Saslauthd, MySQL
yast2 -i postfix postfix-mysql mysql mysql-client
yast2 -i courier-imap courier-authlib courier-authlib-mysql python cron cyrus-sasl cyrus-sasl-crammd5
yast2 -i cyrus-sasl-digestmd5 cyrus-sasl-gssapi cyrus-sasl-otp cyrus-sasl-plain cyrus-sasl-saslauthd libmysqlclient-devel pwgen
chkconfig --add mysql
chkconfig --add postfix
chkconfig --add saslauthd
chkconfig --add fam
chkconfig --add courier-authdaemon
chkconfig --add courier-pop
chkconfig --add courier-imap
chkconfig --add courier-pop-ssl
chkconfig --add courier-imap-ssl
/etc/init.d/mysql start
/etc/init.d/postfix start
/etc/init.d/saslauthd start
/etc/init.d/courier-pop start
/etc/init.d/courier-imap start
/etc/init.d/courier-pop-ssl start
/etc/init.d/courier-imap-ssl start
# getmail
cd /tmp
rpm -i $GETMAIL_RPM
rpm --force -i $MAILDROP_RPM
# pam
yast2 -i pam-devel pam-32bit pam-devel-32bit pam-modules-32bit
# pam_mysql
cd /tmp
wget -c $PAM_MYSQL_TARGZ
tar xvfz pam_mysql-*.tar.gz
rm -rf pam_mysql-*.tar.gz
cd pam_mysql-*
./configure
make
make install
cd /tmp
rm -rf /tmp/pam_mysql-*
test -d /lib64 && cp /lib/security/pam_mysql* /lib64/security
# mysql_secure_installation
mysql_secure_installation
#(echo Y; echo $MYSQLROOTPASS; echo $MYSQLROOTPASS; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; )
# amavis, spam asassin, etc
yast2 -i spamassassin amavisd-new clamav clamav-db zoo unzip unrar bzip2 unarj perl-DBD-mysql
sa-update
# TODO: change /etc/amavisd.conf
#$mydomain = "$MY_DOMAIN"; # a convenient default for other settings
#$myhostname = "$MY_HOSTNAME";
sed -i 's/\$mydomain = '\''example.com'\'';/\$mydomain='\'$MY_DOMAIN\'';\n\$myhostname='\'$MY_FULLHOSTNAME\'';/g' /etc/amavisd.conf
# Correct a path to clamd socket
sed -i 's,/var/run/clamav/clamd,/var/lib/clamav/clamd-socket,g' /etc/amavisd.conf
chkconfig --add amavis
chkconfig --add clamd
/etc/init.d/amavis start
/etc/init.d/clamd start
# Courier IMAP, listen on external ports
sed -i 's/^ADDRESS=127.0.0.1/ADDRESS=0/g' /etc/courier/imapd
# Apache2
yast2 -i apache2 apache2-mod_fcgid
yast2 -i php5-bcmath php5-bz2 php5-calendar php5-ctype php5-curl php5-dom php5-ftp php5-gd php5-gettext php5-gmp php5-iconv php5-imap php5-ldap php5-mbstring php5-mcrypt php5-mysql php5-odbc php5-openssl php5-pcntl php5-pgsql php5-posix php5-shmop php5-snmp php5-soap php5-sockets php5-sqlite php5-sysvsem php5-tokenizer php5-wddx php5-xmlrpc php5-xsl php5-zlib php5-exif php5-fastcgi php5-pear php5-sysvmsg php5-sysvshm ImageMagick curl apache2-mod_php5
rpm -i $SUPHP_RPM
a2enmod suexec
a2enmod rewrite
a2enmod ssl
a2enmod actions
a2enmod suphp
a2enmod fcgid
chown root:www /usr/sbin/suexec2
chmod 4755 /usr/sbin/suexec2
chkconfig --add apache2
/etc/init.d/apache2 start
# PhpMyAdmin
rpm -i $PHPMYADMIN_RPM
# FTP
yast2 -i pure-ftpd quota
sed -i 's/NoRename.*yes/NoRename no/g' /etc/pure-ftpd/pure-ftpd.conf
sed -i 's/AutoRename.*yes/AutoRename no/g' /etc/pure-ftpd/pure-ftpd.conf
sed -i 's/ProhibitDotFilesWrite.*yes/ProhibitDotFilesWrite no/g' /etc/pure-ftpd/pure-ftpd.conf
sed -i 's/# PassivePortRange.*30000 50000/PassivePortRange 30000 30500/g' /etc/pure-ftpd/pure-ftpd.conf
sed -i 's/^Umask\ *177\:077$/Umask 137:027/' /etc/pure-ftpd/pure-ftpd.conf
chkconfig --add pure-ftpd
/etc/init.d/pure-ftpd start
# MyDNS
rpm -ivh --force $MYDNS_RPM
# MyDNS script
cat > /etc/init.d/mydns <<EOFMARKER
#! /bin/sh
# Copyright (c) 1995-2004 SUSE Linux AG, Nuernberg, Germany.
# All rights reserved.
#
# Author: Kurt Garloff
# Please send feedback to http://www.suse.de/feedback/
#
# /etc/init.d/mydns
# and its symbolic link
# /(usr/)sbin/rcmydns
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# Template system startup script for some example service/daemon mydns
#
# LSB compatible service control script; see http://www.linuxbase.org/spec/
#
# Note: This template uses functions rc_XXX defined in /etc/rc.status on
# UnitedLinux (UL) based Linux distributions. If you want to base your
# script on this template and ensure that it works on non UL based LSB
# compliant Linux distributions, you either have to provide the rc.status
# functions from UL or change the script to work without them.
#
### BEGIN INIT INFO
# Provides: mydns
# Required-Start: \$syslog \$remote_fs mysql
# Should-Start: \$time ypbind sendmail
# Required-Stop: \$syslog \$remote_fs
# Should-Stop: \$time ypbind sendmail
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: mydns XYZ daemon providing ZYX
# Description: Start mydns to allow XY and provide YZ
# continued on second line by '#<TAB>'
# should contain enough info for the runlevel editor
# to give admin some idea what this service does and
# what it's needed for ...
# (The Short-Description should already be a good hint.)
### END INIT INFO
#
# Any extensions to the keywords given above should be preceeded by
# X-VendorTag- (X-UnitedLinux- X-SuSE- for us) according to LSB.
#
# Notes on Required-Start/Should-Start:
# * There are two different issues that are solved by Required-Start
# and Should-Start
# (a) Hard dependencies: This is used by the runlevel editor to determine
# which services absolutely need to be started to make the start of
# this service make sense. Example: nfsserver should have
# Required-Start: \$portmap
# Also, required services are started before the dependent ones.
# The runlevel editor will warn about such missing hard dependencies
# and suggest enabling. During system startup, you may expect an error,
# if the dependency is not fulfilled.
# (b) Specifying the init script ordering, not real (hard) dependencies.
# This is needed by insserv to determine which service should be
# started first (and at a later stage what services can be started
# in parallel). The tag Should-Start: is used for this.
# It tells, that if a service is available, it should be started
# before. If not, never mind.
# * When specifying hard dependencies or ordering requirements, you can
# use names of services (contents of their Provides: section)
# or pseudo names starting with a \$. The following ones are available
# according to LSB (1.1):
# \$local_fs all local file systems are mounted
# (most services should need this!)
# \$remote_fs all remote file systems are mounted
# (note that /usr may be remote, so
# many services should Require this!)
# \$syslog system logging facility up
# \$network low level networking (eth card, ...)
# \$named hostname resolution available
# \$netdaemons all network daemons are running
# The \$netdaemons pseudo service has been removed in LSB 1.2.
# For now, we still offer it for backward compatibility.
# These are new (LSB 1.2):
# \$time the system time has been set correctly
# \$portmap SunRPC portmapping service available
# UnitedLinux extensions:
# \$ALL indicates that a script should be inserted
# at the end
# * The services specified in the stop tags
# (Required-Stop/Should-Stop)
# specify which services need to be still running when this service
# is shut down. Often the entries there are just copies or a subset
# from the respective start tag.
# * Should-Start/Stop are now part of LSB as of 2.0,
# formerly SUSE/Unitedlinux used X-UnitedLinux-Should-Start/-Stop.
# insserv does support both variants.
# * X-UnitedLinux-Default-Enabled: yes/no is used at installation time
# (%fillup_and_insserv macro in %post of many RPMs) to specify whether
# a startup script should default to be enabled after installation.
# It's not used by insserv.
#
# Note on runlevels:
# 0 - halt/poweroff 6 - reboot
# 1 - single user 2 - multiuser without network exported
# 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm)
#
# Note on script names:
# http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB/scrptnames.html
# A registry has been set up to manage the init script namespace.
# http://www.lanana.org/
# Please use the names already registered or register one or use a
# vendor prefix.
# Check for missing binaries (stale symlinks should not happen)
# Note: Special treatment of stop for LSB conformance
MYDNS_BIN=/usr/sbin/mydns
test -x \$MYDNS_BIN || { echo "\$mydns_BIN not installed";
if [ "\$1" = "stop" ]; then exit 0;
else exit 5; fi; }
# Check for existence of needed config file and read it
#MYDNS_CONFIG=/etc/sysconfig/mydns
#test -r \$MYDNS_CONFIG || { echo "\$mydns_CONFIG not existing";
# if [ "\$1" = "stop" ]; then exit 0;
# else exit 6; fi; }
# Read config
#. \$MYDNS_CONFIG
# Source LSB init functions
# providing start_daemon, killproc, pidofproc,
# log_success_msg, log_failure_msg and log_warning_msg.
# This is currently not used by UnitedLinux based distributions and
# not needed for init scripts for UnitedLinux only. If it is used,
# the functions from rc.status should not be sourced or used.
#. /lib/lsb/init-functions
# Shell functions sourced from /etc/rc.status:
# rc_check check and set local and overall rc status
# rc_status check and set local and overall rc status
# rc_status -v be verbose in local rc status and clear it afterwards
# rc_status -v -r ditto and clear both the local and overall rc status
# rc_status -s display "skipped" and exit with status 3
# rc_status -u display "unused" and exit with status 3
# rc_failed set local and overall rc status to failed
# rc_failed <num> set local and overall rc status to <num>
# rc_reset clear both the local and overall rc status
# rc_exit exit appropriate to overall rc status
# rc_active checks whether a service is activated by symlinks
. /etc/rc.status
# Reset status of this service
rc_reset
# Return values acc. to LSB for all commands but status:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - user had insufficient privileges
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
# 8--199 - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signaling is not supported) are
# considered a success.
case "\$1" in
start)
echo -n "Starting mydns "
## Start daemon with startproc(8). If this fails
## the return value is set appropriately by startproc.
startproc \$MYDNS_BIN
# Remember status and be verbose
rc_status -v
;;
stop)
echo -n "Shutting down mydns "
## Stop daemon with killproc(8) and if this fails
## killproc sets the return value according to LSB.
killproc -TERM \$MYDNS_BIN
# Remember status and be verbose
rc_status -v
;;
try-restart|condrestart)
## Do a restart only if the service was active before.
## Note: try-restart is now part of LSB (as of 1.9).
## RH has a similar command named condrestart.
if test "\$1" = "condrestart"; then
echo "\${attn} Use try-restart \${done}(LSB)\${attn} rather than condrestart \${warn}(RH)\${norm}"
fi
\$0 status
if test \$? = 0; then
\$0 restart
else
rc_reset # Not running is not a failure.
fi
# Remember status and be quiet
rc_status
;;
restart)
## Stop the service and regardless of whether it was
## running or not, start it again.
\$0 stop
\$0 start
# Remember status and be quiet
rc_status
;;
force-reload)
## Signal the daemon to reload its config. Most daemons
## do this on signal 1 (SIGHUP).
## If it does not support it, restart.
echo -n "Reload service mydns "
## if it supports it:
killproc -HUP \$MYDNS_BIN
#touch /var/run/mydns.pid
rc_status -v
## Otherwise:
#\$0 try-restart
#rc_status
;;
reload)
## Like force-reload, but if daemon does not support
## signaling, do nothing (!)
# If it supports signaling:
echo -n "Reload service mydns "
killproc -HUP \$MYDNS_BIN
#touch /var/run/mydns.pid
rc_status -v
## Otherwise if it does not support reload:
#rc_failed 3
#rc_status -v
;;
status)
echo -n "Checking for service mydns "
## Check status with checkproc(8), if process is running
## checkproc will return with exit status 0.
# Return value is slightly different for the status command:
# 0 - service up and running
# 1 - service dead, but /var/run/ pid file exists
# 2 - service dead, but /var/lock/ lock file exists
# 3 - service not running (unused)
# 4 - service status unknown :-(
# 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
# NOTE: checkproc returns LSB compliant status values.
checkproc \$MYDNS_BIN
# NOTE: rc_status knows that we called this init script with
# "status" option and adapts its messages accordingly.
rc_status -v
;;
probe)
## Optional: Probe for the necessity of a reload, print out the
## argument to this init script which is required for a reload.
## Note: probe is not (yet) part of LSB (as of 1.9)
test /etc/mydns/mydns.conf -nt /var/run/mydns.pid && echo reload
;;
*)
echo "Usage: \$0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
exit 1
;;
esac
rc_exit
EOFMARKER
chmod 755 /etc/init.d/mydns
chkconfig --add mydns
# VLOGGER and WEBALIZER
cd /tmp
wget -c $VLOGGER_TARGZ
tar xvfz vlogger-*.tar.gz
rm -f vlogger-*.tar.gz
mv vlogger-*/vlogger /usr/sbin/
rm -rf vlogger*
yast2 -i webalizer perl-DateManip
# Fail2ban
rpm -i $FAIL2BAN_RPM
chkconfig --add fail2ban
service fail2ban start
# Jailkit
cd /tmp
wget -c $JAILKIT_TARGZ
tar xvfz jailkit-*.tar.gz
rm -f jailkit-*.tar.gz
cd jailkit-*
./configure
make
make install
cd /tmp
rm -rf jailkit-*
# Synchronize system clock
yast2 -i xntp
chkconfig --add ntp
/etc/init.d/ntp start
# ISPCONFIG
cd /tmp
wget -c $ISPCONFIG_TAR_GZ
tar xvfz ISPConfig-*.tar.gz
cd ispconfig3_install/install/
(echo; echo; echo $MY_FULLHOSTNAME; echo; echo; echo $MYSQLROOTPASS; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; ) | php -q install.php
cd /tmp
rm -rf /tmp/ispconfig3_install
rm -f /tmp/ISPConfig-*.tar.gz
# Squirrelmail
rpm -i $SQUIRRELMAIL_RPM
ln -s /srv/www/htdocs/squirrelmail /usr/local/ispconfig/interface/web/webmail
# Symlink
ln -s /srv/www/htdocs/phpMyAdmin /usr/local/ispconfig/interface/web/phpmyadmin
sed -i 's/\"en_US\.UTF-8/\"en_US\.ISO-8859-1/g' /etc/sysconfig/language
sed -i 's/x\-httpd\-php\=\"php\:\/usr\/bin\/php\-cgi5\"/x-httpd-php="php:\/usr\/bin\/php-cgi5"\nx-httpd-suphp="php:\/usr\/bin\/php-cgi5"/g' /etc/suphp.conf
SuSEconfig
/usr/local/bin/ispconfig_update_from_svn.sh
openssl genrsa -passout pass:0passphrase$MYSQLROOTPASS -des3 -out /etc/apache2/ssl.key/server.key 4096
(echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;) | openssl req -passin pass:0passphrase$MYSQLROOTPASS -new -key /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.csr/server.csr
openssl x509 -passin pass:0passphrase$MYSQLROOTPASS -req -days 3650 -in /etc/apache2/ssl.csr/server.csr -signkey /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.crt/server.crt
openssl rsa -passin pass:0passphrase$MYSQLROOTPASS -in /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.key/server.key.insecure
mv /etc/apache2/ssl.key/server.key /etc/apache2/ssl.key/server.key.secure
mv /etc/apache2/ssl.key/server.key.insecure /etc/apache2/ssl.key/server.key
a2enmod ssl
sed -i 's/.VirtualHost _default_\:8080./\<VirtualHost _default_\:8080\>\nSSLEngine On\nSSLCertificateFile \/etc\/apache2\/ssl.crt\/server.crt\nSSLCertificateKeyFile \/etc\/apache2\/ssl.key\/server.key/g' /etc/apache2/sites-available/ispconfig.vhost
sed -i 's/DirectoryIndex index.html index.html.var/DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php5 index.php4 index.php3 index.pl index.html.var index.aspx default.aspx/g' /etc/apache2/httpd.conf
# enable named hosts
sed -i 's/^#NameVirtualHost \*\:80$/NameVirtualHost *:80/g' /etc/apache2/listen.conf
sed -i 's,^Alias /error/,#Alias /error/,' /etc/apache2/errors.conf
sed -i 's/max_execution_time = 30/max_execution_time = 120/' /etc/php5/apache2/php.ini
sed -i 's/max_execution_time = 30/max_execution_time = 120/' /etc/php5/cli/php.ini
sed -i 's/max_execution_time = 30/max_execution_time = 120/' /etc/php5/fastcgi/php.ini
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' /etc/php5/apache2/php.ini
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' /etc/php5/cli/php.ini
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' /etc/php5/fastcgi/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 32M/' /etc/php5/apache2/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 32M/' /etc/php5/cli/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 32M/' /etc/php5/fastcgi/php.ini
rcapache2 restart
# postfix certificate
(echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;) | openssl req -new -key /etc/postfix/smtpd.key -out /etc/postfix/smtpd.csr
openssl x509 -req -days 3650 -in /etc/postfix/smtpd.csr -signkey /etc/postfix/smtpd.key -out /etc/postfix/smtpd.cert
chmod o-rwx /etc/postfix/smtpd.csr
chmod o-rwx /etc/postfix/smtpd.cert
# rdiff-backup
yast2 -i python-devel librsync
cd tmp
wget -c $RDIFF_BACKUP_TARGZ
wget -c http://savannah.nongnu.org/download/rdiff-backup/rdiff-backup-1.2.8.tar.gz
tar xfz rdiff-backup-*.tar.gz
rm -f rdiff-backup-*.tar.gz
cd rdiff-backup-*
./setup.py install
cd /tmp
rm -rf rdiff-backup-*
yast2 -i iptraf iftop
# create backup script
mkdir /backup
chown root:root /backup
mkdir /srvbackup_do
chown root:root /srvbackup_do
chmod og-rwx /srvbackup_do
cat > /srvbackup_do/dobackup.sh <<EOFMARKER2
#!/bin/bash
cd /srvbackup_do
sync
mysqladmin -p$MYSQLROOTPASS refresh
mysqlcheck -p$MYSQLROOTPASS -A --auto-repair
mysqldump -p$MYSQLROOTPASS --all-databases >mysqldump.sql
chmod og-rw mysqldump.sql
/usr/local/bin/rdiff-backup --preserve-numerical-ids --exclude /tmp --exclude /backup --exclude /mnt --exclude /proc --exclude /dev --exclude /sys --exclude /var/lib/ntp/proc --exclude /media --exclude /var/tmp / /backup/$MY_FULLHOSTNAME
EOFMARKER2
chown root:root /srvbackup_do/dobackup.sh
chmod og-rwx /srvbackup_do/dobackup.sh
chmod u+x /srvbackup_do/dobackup.sh
echo '51 3 * * * /srvbackup_do/dobackup.sh >> /var/log/backuplog 2>&1' >>/var/spool/cron/tabs/root
# Fail2ban config
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.def
cat > /etc/fail2ban/jail.conf <<EOFMARKER3
# Fail2Ban configuration file
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto
# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/messages
maxretry = 5
[ssh-ddos-iptables]
enabled = true
filter = sshd-ddos
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/messages
maxretry = 5
[proftpd-iptables]
enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
logpath = /var/log/messages
maxretry = 6
[pure-ftpd-iptables]
enabled = true
filter = pure-ftpd
action = iptables[name=PureFTPD, port=ftp, protocol=tcp]
logpath = /var/log/messages
maxretry = 6
[courier-imap-iptables]
enabled = true
filter = courierlogin
action = iptables[name=CourierIMAP, port=ftp, protocol=tcp]
logpath = /var/log/messages
maxretry = 6
# This jail forces the backend to "polling".
[sasl-iptables]
enabled = true
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
logpath = /var/log/mail
# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".
[ssh-tcpwrapper]
enabled = true
filter = sshd
action = hostsdeny
ignoreregex = for myuser from
logpath = /var/log/messages
[ssh-ddos-tcpwrapper]
enabled = true
filter = sshd-ddos
action = hostsdeny
ignoreregex = for myuser from
logpath = /var/log/messages
# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.
[apache-tcpwrapper]
enabled = true
filter = apache-auth
action = hostsdeny
logpath = /var/log/apache2/error_log
maxretry = 6
# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.
[postfix-tcpwrapper]
enabled = true
filter = postfix
action = hostsdeny
logpath = /var/log/mail
bantime = 300
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
[apache-badbots]
enabled = true
filter = apache-badbots
action = iptables[name=BadBots1, port=http, protocol=tcp]
iptables[name=BadBots2, port=https, protocol=tcp]
logpath = /var/log/apache2/access_log
bantime = 172800
maxretry = 1
[php-url-fopen]
enabled = false
port = http,https
filter = php-url-fopen
logpath = /var/log/apache2/access_log
maxretry = 1
EOFMARKER3
# Ensure fail2ban recreates a socket file
# Because otherwise after a server crash, fail2ban won't restart
sed -i 's/-q start/-x -q start/' /etc/init.d/fail2ban
# Fix pure-ftpd regexp
sed -i 's/[)][?]: [(][.][+][?]@<HOST>[)] \\\[/)\?: \\(.+?@<HOST>\\) \\[/' /etc/fail2ban/filter.d/pure-ftpd.conf
service fail2ban restart
# Install AWSTATS
rpm -ivh $AWSTATS_RPM
cp /etc/awstats/awstats.web.conf /etc/awstats/awstats.conf
sed -i 's,^<IfDefine,#<IfDefine,' /etc/apache2/conf.d/awstats.conf
sed -i 's,^</IfDefine,#</IfDefine,' /etc/apache2/conf.d/awstats.conf
rcapache2 restart
mysqladmin -p$MYSQLROOTPASS refresh
mysqldump -u root -p$MYSQLROOTPASS dbispconfig server >/tmp/server.sql
sed -i 's,\\nawstats_data_dir=[^\\]*\\n,\\nawstats_data_dir=/var/cache/awstats\\n,' /tmp/server.sql
sed -i 's,\\nawstats_pl=[^\\]*\\n,\\nawstats_pl=/srv/www/cgi-bin/awstats.pl\\n,' /tmp/server.sql
sed -i 's,\\nawstats_buildstaticpages_pl=[^\\]*\\n,\\nawstats_buildstaticpages_pl=/usr/share/doc/packages/awstats/examples/awstats_buildstaticpages.pl\\n,' /tmp/server.sql
mysql -u root -p$MYSQLROOTPASS dbispconfig </tmp/server.sql
rm -rf /tmp/server.sql
#sed -i 's,^#LoadPlugin=\"geoipfree\",LoadPlugin=\"geoipfree\",' /etc/awstats/awstats.conf
sed -i 's,^Max\([^=]*\)= 10$,Max\1= 25,' /etc/awstats/awstats.conf
sed -i 's,^StyleSheet=\"[^\"]*\",StyleSheet=\"\",' /etc/awstats/awstats.conf
# Install eAccelerator
yast2 -i php5-devel
cd /tmp
wget $EACCELERATOR_TARGZ
tar xvfj eaccelerator-*.bz2
rm -rf eaccelerator-*.bz2
cd eaccelerator-*
phpize
# the flag is specified to prevent openbasedir limitations with ispconfig
./configure --without-eaccelerator-use-inode
make
make install
cd ..
rm -rf eaccelerator-*
cat > /etc/php5/conf.d/eaccelerator.ini <<EOFMARKER4
extension="eaccelerator.so"
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/var/cache/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
EOFMARKER4
mkdir -p /var/cache/eaccelerator
chmod 0777 /var/cache/eaccelerator
rcapache2 restart
# adjust postfix interfaces
sed -i 's/^inet_interfaces = localhost/inet_interfaces = all/g' /etc/postfix/main.cf
rcpostfix restart
# enable maildrop filters
ln -s /usr/local/ispconfig/server/plugins-available/maildrop_plugin.inc.php /usr/local/ispconfig/server/plugins-enabled/maildrop_plugin.inc.php
|
