#!/bin/sh
# OpenSUSE 11.2 Perfect Server ISPConfig script by George Yohng (georgesc#oss3d.com)
# Script Version 1.4
# Do zypper update and reboot before running this script
# Also better change host name (file HOSTNAME) manually before running this script, though looks like it's not necessary
# This script requires two manual actions.
# First - when mysql_secure_install is running. One should type a new mysql password, the same as here # Second - for ISPConfig3 update. One should type 'svn' when the update type is asked # For both of scripts, all other options are default, one can just press ENTER.
# Also, please change MYSQLROOTPASS below, and be sure to enter it verbatim
# when mysql_secure_installation asks for the new root password.
# Important: When setting an MX entry, point it to mail.yourdomain.com rather than
# just to yourdomain.com, and create a CNAME entry for mail. Otherwise it does not
# seem to work.
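# ---------------------------------------------------------------------------
# Site configuration.
# The values below may be overridden from the environment (VAR=... ./script),
# so the MySQL root password does not have to be edited into this file. The
# literal defaults are used when the variable is unset or empty.
# ---------------------------------------------------------------------------
THIS_PLATFORM=${THIS_PLATFORM:-x86_64}

# MySQL root password. It must be typed verbatim at the mysql_secure_installation
# prompt, is reused (prefixed with "0passphrase") as the temporary passphrase of
# the Apache server key, and is written into /srvbackup_do/dobackup.sh.
# Prefer passing it via the environment: whatever is hard-coded here ends up in
# every copy of this script.
MYSQLROOTPASS=${MYSQLROOTPASS:-098j91r3kx}

# Change this to your server name. By default it is server1.mydomain.com.
# If your web site hosts a complete domain, such as domain.com, still leave
# something for MY_HOSTNAME; 'server1' or 'host' is a good name.
MY_HOSTNAME=${MY_HOSTNAME:-server1}
MY_DOMAIN=${MY_DOMAIN:-mydomain.com}

# Packages may have been updated, therefore also check the RPM and TARGZ
# locations below, and preferably use the latest versions of everything.
# All of these are plain-HTTP downloads and nothing in this script verifies a
# checksum or signature; TODO: pin checksums before using this on a production box.
GETMAIL_RPM=http://download.opensuse.org/repositories/server:/mail/openSUSE_11.2/noarch/getmail-4.17.0-1.1.noarch.rpm
MAILDROP_RPM=http://download.opensuse.org/repositories/server:/mail/openSUSE_11.2/$THIS_PLATFORM/maildrop-2.4.0-1.6.$THIS_PLATFORM.rpm
PAM_MYSQL_TARGZ=http://heanet.dl.sourceforge.net/sourceforge/pam-mysql/pam_mysql-0.7RC1.tar.gz
SUPHP_RPM=http://download.opensuse.org/repositories/server:/php/openSUSE_11.2/$THIS_PLATFORM/suphp-0.7.1-3.1.$THIS_PLATFORM.rpm
# NOTE: taken from an openSUSE_11.1 home: repository, not from 11.2.
FAIL2BAN_RPM=http://download.opensuse.org/repositories/home:/kolbma/openSUSE_11.1/$THIS_PLATFORM/fail2ban-0.8.4-2.1.$THIS_PLATFORM.rpm
AWSTATS_RPM=http://download.opensuse.org/repositories/network:/utilities/openSUSE_11.2/noarch/awstats-6.95-3.1.noarch.rpm
SQUIRRELMAIL_RPM=http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.2/noarch/squirrelmail-1.4.20-1.1.noarch.rpm
JAILKIT_TARGZ=http://olivier.sessink.nl/jailkit/jailkit-2.11.tar.gz
PHPMYADMIN_RPM=http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.2/noarch/phpMyAdmin-3.3.3-1.1.noarch.rpm
# NOTE: an i386 package; it is installed with --force below regardless of THIS_PLATFORM.
MYDNS_RPM=http://mydns.bboy.net/download/mydns-mysql-1.1.0-1.i386.rpm
VLOGGER_TARGZ=http://n0rp.chemlab.org/vlogger/vlogger-1.3.tar.gz
RDIFF_BACKUP_TARGZ=http://savannah.nongnu.org/download/rdiff-backup/rdiff-backup-1.2.8.tar.gz
EACCELERATOR_TARGZ=http://bart.eaccelerator.net/source/0.9.6.1/eaccelerator-0.9.6.1.tar.bz2
ISPCONFIG_TAR_GZ=http://downloads.sourceforge.net/ispconfig/ISPConfig-3.0.2.1.tar.gz?use_mirror=

# Fully qualified host name used for /etc/HOSTNAME, amavis, ISPConfig and the
# backup target directory.
MY_FULLHOSTNAME=$MY_HOSTNAME.$MY_DOMAIN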
# Disable apparmor: stop it now and remove it from the boot sequence.
/etc/init.d/boot.apparmor stop
chkconfig -d boot.apparmor

# Allow ports through the firewall (external zone, TCP):
#   21 ftp, 80 http, 8080 ISPConfig interface (see ispconfig.vhost below),
#   25 smtp, 143 imap, 465/585/993 mail over TLS (presumably),
#   30000:30500 pure-ftpd passive range (matches PassivePortRange below).
# NOTE(review): 22/ssh, 53 (MyDNS) and 110/995 (courier-pop, which is started
# below) are not opened here - confirm that this is intended.
# The second, bare invocation applies the new rule set.
SuSEfirewall2 open EXT TCP 21 80 8080 25 143 465 585 993 30000:30500
SuSEfirewall2

# Switch off the X login manager (check!)
chkconfig --del xdm
rcxdm stop
# Quota support for / and /srv
yast2 -i quota
# Quota files must exist before quotacheck runs; keep them root-only.
touch /aquota.user /aquota.group
chmod 600 /aquota.*
touch /srv/aquota.user /srv/aquota.group
chmod 600 /srv/aquota.*
# TODO: change fstab here - the remounts below presumably only take effect
# once the quota options are present in /etc/fstab.
mount -o remount /
mount -o remount /srv
mount -o remount /home
quotacheck -avugm
quotaon -avug
# Basic packages: midnight commander, then the build and admin tool set
yast2 -i mc
yast2 -i findutils readline libgcc glibc-devel findutils-locate gcc flex lynx \
  compat-readline4 db-devel wget gcc-c++ subversion make vim telnet cron \
  iptables iputils man man-pages nano pico
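# Host name
printf '%s\n' "$MY_FULLHOSTNAME" > /etc/HOSTNAME
printf '127.0.0.2 %s %s\n' "$MY_FULLHOSTNAME" "$MY_HOSTNAME" >> /etc/hosts
# Static entry for the host that serves MYDNS_RPM. Nothing removes it again,
# so this name keeps resolving to this address on the installed system.
# TODO(review): delete the line from /etc/hosts once MyDNS is installed.
printf '69.46.236.210 mydns.bboy.net\n' >> /etc/hosts
export HOST="$MY_FULLHOSTNAME"
export HOSTNAME="$MY_FULLHOSTNAME"
SuSEconfig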
# Postfix, Courier, Saslauthd, MySQL
yast2 -i postfix postfix-mysql mysql mysql-client
yast2 -i courier-imap courier-authlib courier-authlib-mysql python cron cyrus-sasl cyrus-sasl-crammd5
yast2 -i cyrus-sasl-digestmd5 cyrus-sasl-gssapi cyrus-sasl-otp cyrus-sasl-plain \
  cyrus-sasl-saslauthd libmysqlclient-devel pwgen

# Register the services for boot ...
for svc in mysql postfix saslauthd fam courier-authdaemon \
           courier-pop courier-imap courier-pop-ssl courier-imap-ssl; do
  chkconfig --add "$svc"
done
# ... and start them now (fam and courier-authdaemon are not started
# explicitly here, same as before).
for svc in mysql postfix saslauthd courier-pop courier-imap courier-pop-ssl courier-imap-ssl; do
  /etc/init.d/"$svc" start
done
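# getmail and maildrop from the server:mail repository (rpm fetches the URLs)
cd /tmp || exit 1
rpm -i "$GETMAIL_RPM"
# --force kept: presumably overrides a maildrop that is already installed - confirm.
rpm --force -i "$MAILDROP_RPM"

# pam
yast2 -i pam-devel pam-32bit pam-devel-32bit pam-modules-32bit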
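# pam_mysql (built from source)
# The guards on cd matter: the rm -rf globs below must never run elsewhere.
cd /tmp || exit 1
wget -c "$PAM_MYSQL_TARGZ"
tar xvfz pam_mysql-*.tar.gz
rm -f pam_mysql-*.tar.gz
cd pam_mysql-* || exit 1
# Stop at the first failing step rather than "make install"-ing a broken tree.
./configure && make && make install
cd /tmp || exit 1
rm -rf /tmp/pam_mysql-*
# 64-bit PAM looks in /lib64/security; provide the module there as well.
test -d /lib64 && cp /lib/security/pam_mysql* /lib64/security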
# mysql_secure_installation - interactive: enter MYSQLROOTPASS when asked for
# the new root password and accept the defaults for everything else.
mysql_secure_installation
# Unattended variant, kept for reference but not used:
#(echo Y; echo $MYSQLROOTPASS; echo $MYSQLROOTPASS; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; )
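# amavis, spamassassin, clamav and the unpackers amavis uses
yast2 -i spamassassin amavisd-new clamav clamav-db zoo unzip unrar bzip2 unarj perl-DBD-mysql
sa-update
# TODO: change /etc/amavisd.conf
# Turns the shipped line   $mydomain = 'example.com';   into
#   $mydomain='<MY_DOMAIN>';
#   $myhostname='<MY_FULLHOSTNAME>';
# Both values are spliced into the sed script as-is, so they must not
# contain '/', '&' or quote characters.
sed -i 's/\$mydomain = '\''example.com'\'';/\$mydomain='\'"$MY_DOMAIN"\'';\n\$myhostname='\'"$MY_FULLHOSTNAME"\'';/g' /etc/amavisd.conf
# Correct the path to the clamd socket
sed -i 's,/var/run/clamav/clamd,/var/lib/clamav/clamd-socket,g' /etc/amavisd.conf
chkconfig --add amavis
chkconfig --add clamd
/etc/init.d/amavis start
/etc/init.d/clamd start

# Courier IMAP: listen on all addresses instead of 127.0.0.1 only
sed -i 's/^ADDRESS=127.0.0.1/ADDRESS=0/g' /etc/courier/imapd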
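# Apache2 with PHP5 (mod_php, FastCGI/fcgid and suPHP)
yast2 -i apache2 apache2-mod_fcgid
yast2 -i php5-bcmath php5-bz2 php5-calendar php5-ctype php5-curl php5-dom php5-ftp php5-gd \
  php5-gettext php5-gmp php5-iconv php5-imap php5-ldap php5-mbstring php5-mcrypt php5-mysql \
  php5-odbc php5-openssl php5-pcntl php5-pgsql php5-posix php5-shmop php5-snmp php5-soap \
  php5-sockets php5-sqlite php5-sysvsem php5-tokenizer php5-wddx php5-xmlrpc php5-xsl \
  php5-zlib php5-exif php5-fastcgi php5-pear php5-sysvmsg php5-sysvshm ImageMagick curl \
  apache2-mod_php5
rpm -i "$SUPHP_RPM"
for mod in suexec rewrite ssl actions suphp fcgid; do
  a2enmod "$mod"
done
# suexec2 is setuid root (4755) and owned by root:www so the web server can
# switch to per-site users. Note that 4755 is also world-executable; suexec's
# own checks are what restricts who it will run things for.
chown root:www /usr/sbin/suexec2
chmod 4755 /usr/sbin/suexec2
chkconfig --add apache2
/etc/init.d/apache2 start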
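# PhpMyAdmin
rpm -i "$PHPMYADMIN_RPM"

# FTP: pure-ftpd with quota support
yast2 -i pure-ftpd quota
# Loosen the pure-ftpd defaults (rename, overwrite, dotfiles), pin the passive
# range to the ports opened in the firewall above, and change the umask so new
# files are group-readable. All edits target the same file, so run them as one
# sed invocation; the expressions do not overlap, so the order is irrelevant.
sed -i -e 's/NoRename.*yes/NoRename no/g' \
       -e 's/AutoRename.*yes/AutoRename no/g' \
       -e 's/ProhibitDotFilesWrite.*yes/ProhibitDotFilesWrite no/g' \
       -e 's/# PassivePortRange.*30000 50000/PassivePortRange 30000 30500/g' \
       -e 's/^Umask\ *177\:077$/Umask 137:027/' \
       /etc/pure-ftpd/pure-ftpd.conf
chkconfig --add pure-ftpd
/etc/init.d/pure-ftpd start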
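# MyDNS - an i386 package (see MYDNS_RPM); --force is kept from the original.
rpm -ivh --force "$MYDNS_RPM"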
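# MyDNS init script: the SUSE LSB skeleton adapted for mydns. The delimiter is
# quoted, so nothing inside the here-document is expanded by this script (the
# generated file uses plain $ where the original needed \$). The "not installed"
# message now prints $MYDNS_BIN; it previously referenced an undefined
# $mydns_BIN.
cat > /etc/init.d/mydns <<'EOFMARKER'
#! /bin/sh
# Copyright (c) 1995-2004 SUSE Linux AG, Nuernberg, Germany.
# All rights reserved.
#
# Author: Kurt Garloff
# Please send feedback to http://www.suse.de/feedback/
#
# /etc/init.d/mydns
#   and its symbolic link
# /(usr/)sbin/rcmydns
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# Template system startup script for some example service/daemon mydns
#
# LSB compatible service control script; see http://www.linuxbase.org/spec/
#
# Note: This template uses functions rc_XXX defined in /etc/rc.status on
# UnitedLinux (UL) based Linux distributions. If you want to base your
# script on this template and ensure that it works on non UL based LSB
# compliant Linux distributions, you either have to provide the rc.status
# functions from UL or change the script to work without them.
#
### BEGIN INIT INFO
# Provides:          mydns
# Required-Start:    $syslog $remote_fs mysql
# Should-Start:      $time ypbind sendmail
# Required-Stop:     $syslog $remote_fs
# Should-Stop:       $time ypbind sendmail
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: mydns XYZ daemon providing ZYX
# Description:       Start mydns to allow XY and provide YZ
#	continued on second line by '#<TAB>'
#	should contain enough info for the runlevel editor
#	to give admin some idea what this service does and
#	what it's needed for ...
#	(The Short-Description should already be a good hint.)
### END INIT INFO
#
# Any extensions to the keywords given above should be preceeded by
# X-VendorTag- (X-UnitedLinux- X-SuSE- for us) according to LSB.
#
# Notes on Required-Start/Should-Start:
# * There are two different issues that are solved by Required-Start
#    and Should-Start
# (a) Hard dependencies: This is used by the runlevel editor to determine
#     which services absolutely need to be started to make the start of
#     this service make sense. Example: nfsserver should have
#     Required-Start: $portmap
#     Also, required services are started before the dependent ones.
#     The runlevel editor will warn about such missing hard dependencies
#     and suggest enabling. During system startup, you may expect an error,
#     if the dependency is not fulfilled.
# (b) Specifying the init script ordering, not real (hard) dependencies.
#     This is needed by insserv to determine which service should be
#     started first (and at a later stage what services can be started
#     in parallel). The tag Should-Start: is used for this.
#     It tells, that if a service is available, it should be started
#     before. If not, never mind.
# * When specifying hard dependencies or ordering requirements, you can
#   use names of services (contents of their Provides: section)
#   or pseudo names starting with a $. The following ones are available
#   according to LSB (1.1):
#	$local_fs		all local file systems are mounted
#				(most services should need this!)
#	$remote_fs		all remote file systems are mounted
#				(note that /usr may be remote, so
#				 many services should Require this!)
#	$syslog			system logging facility up
#	$network		low level networking (eth card, ...)
#	$named			hostname resolution available
#	$netdaemons		all network daemons are running
#   The $netdaemons pseudo service has been removed in LSB 1.2.
#   For now, we still offer it for backward compatibility.
#   These are new (LSB 1.2):
#	$time			the system time has been set correctly
#	$portmap		SunRPC portmapping service available
#   UnitedLinux extensions:
#	$ALL			indicates that a script should be inserted
#				at the end
# * The services specified in the stop tags
#   (Required-Stop/Should-Stop)
#   specify which services need to be still running when this service
#   is shut down. Often the entries there are just copies or a subset
#   from the respective start tag.
# * Should-Start/Stop are now part of LSB as of 2.0,
#   formerly SUSE/Unitedlinux used X-UnitedLinux-Should-Start/-Stop.
#   insserv does support both variants.
# * X-UnitedLinux-Default-Enabled: yes/no is used at installation time
#   (%fillup_and_insserv macro in %post of many RPMs) to specify whether
#   a startup script should default to be enabled after installation.
#   It's not used by insserv.
#
# Note on runlevels:
# 0 - halt/poweroff			6 - reboot
# 1 - single user			2 - multiuser without network exported
# 3 - multiuser w/ network (text mode)	5 - multiuser w/ network and X11 (xdm)
#
# Note on script names:
# http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB/scrptnames.html
# A registry has been set up to manage the init script namespace.
# http://www.lanana.org/
# Please use the names already registered or register one or use a
# vendor prefix.


# Check for missing binaries (stale symlinks should not happen)
# Note: Special treatment of stop for LSB conformance
MYDNS_BIN=/usr/sbin/mydns
test -x $MYDNS_BIN || { echo "$MYDNS_BIN not installed";
    if [ "$1" = "stop" ]; then exit 0;
    else exit 5; fi; }

# Check for existence of needed config file and read it
#MYDNS_CONFIG=/etc/sysconfig/mydns
#test -r $MYDNS_CONFIG || { echo "$MYDNS_CONFIG not existing";
#    if [ "$1" = "stop" ]; then exit 0;
#    else exit 6; fi; }

# Read config
#. $MYDNS_CONFIG

# Source LSB init functions
# providing start_daemon, killproc, pidofproc,
# log_success_msg, log_failure_msg and log_warning_msg.
# This is currently not used by UnitedLinux based distributions and
# not needed for init scripts for UnitedLinux only. If it is used,
# the functions from rc.status should not be sourced or used.
#. /lib/lsb/init-functions

# Shell functions sourced from /etc/rc.status:
#      rc_check         check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v     be verbose in local rc status and clear it afterwards
#      rc_status -v -r  ditto and clear both the local and overall rc status
#      rc_status -s     display "skipped" and exit with status 3
#      rc_status -u     display "unused" and exit with status 3
#      rc_failed        set local and overall rc status to failed
#      rc_failed <num>  set local and overall rc status to <num>
#      rc_reset         clear both the local and overall rc status
#      rc_exit          exit appropriate to overall rc status
#      rc_active        checks whether a service is activated by symlinks
. /etc/rc.status

# Reset status of this service
rc_reset

# Return values acc. to LSB for all commands but status:
# 0       - success
# 1       - generic or unspecified error
# 2       - invalid or excess argument(s)
# 3       - unimplemented feature (e.g. "reload")
# 4       - user had insufficient privileges
# 5       - program is not installed
# 6       - program is not configured
# 7       - program is not running
# 8--199  - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signaling is not supported) are
# considered a success.

case "$1" in
    start)
        echo -n "Starting mydns "
        ## Start daemon with startproc(8). If this fails
        ## the return value is set appropriately by startproc.
        startproc $MYDNS_BIN

        # Remember status and be verbose
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down mydns "
        ## Stop daemon with killproc(8) and if this fails
        ## killproc sets the return value according to LSB.

        killproc -TERM $MYDNS_BIN

        # Remember status and be verbose
        rc_status -v
        ;;
    try-restart|condrestart)
        ## Do a restart only if the service was active before.
        ## Note: try-restart is now part of LSB (as of 1.9).
        ## RH has a similar command named condrestart.
        if test "$1" = "condrestart"; then
            echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
        fi
        $0 status
        if test $? = 0; then
            $0 restart
        else
            rc_reset        # Not running is not a failure.
        fi
        # Remember status and be quiet
        rc_status
        ;;
    restart)
        ## Stop the service and regardless of whether it was
        ## running or not, start it again.
        $0 stop
        $0 start

        # Remember status and be quiet
        rc_status
        ;;
    force-reload)
        ## Signal the daemon to reload its config. Most daemons
        ## do this on signal 1 (SIGHUP).
        ## If it does not support it, restart.

        echo -n "Reload service mydns "
        ## if it supports it:
        killproc -HUP $MYDNS_BIN
        #touch /var/run/mydns.pid
        rc_status -v

        ## Otherwise:
        #$0 try-restart
        #rc_status
        ;;
    reload)
        ## Like force-reload, but if daemon does not support
        ## signaling, do nothing (!)

        # If it supports signaling:
        echo -n "Reload service mydns "
        killproc -HUP $MYDNS_BIN
        #touch /var/run/mydns.pid
        rc_status -v

        ## Otherwise if it does not support reload:
        #rc_failed 3
        #rc_status -v
        ;;
    status)
        echo -n "Checking for service mydns "
        ## Check status with checkproc(8), if process is running
        ## checkproc will return with exit status 0.

        # Return value is slightly different for the status command:
        # 0 - service up and running
        # 1 - service dead, but /var/run/  pid  file exists
        # 2 - service dead, but /var/lock/ lock file exists
        # 3 - service not running (unused)
        # 4 - service status unknown :-(
        # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)

        # NOTE: checkproc returns LSB compliant status values.
        checkproc $MYDNS_BIN
        # NOTE: rc_status knows that we called this init script with
        # "status" option and adapts its messages accordingly.
        rc_status -v
        ;;
    probe)
        ## Optional: Probe for the necessity of a reload, print out the
        ## argument to this init script which is required for a reload.
        ## Note: probe is not (yet) part of LSB (as of 1.9)

        test /etc/mydns/mydns.conf -nt /var/run/mydns.pid && echo reload
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
        exit 1
        ;;
esac
rc_exit
EOFMARKER
chmod 755 /etc/init.d/mydns
chkconfig --add mydns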
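# VLOGGER and WEBALIZER
cd /tmp || exit 1
wget -c "$VLOGGER_TARGZ"
tar xvfz vlogger-*.tar.gz
rm -f vlogger-*.tar.gz
# Only the vlogger script itself is kept; the rest of the tarball is removed.
mv vlogger-*/vlogger /usr/sbin/
rm -rf vlogger*
yast2 -i webalizer perl-DateManip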
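# Fail2ban (binary RPM; its jail.conf is replaced further below)
rpm -i "$FAIL2BAN_RPM"
chkconfig --add fail2ban
service fail2ban start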
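# Jailkit (built from source)
cd /tmp || exit 1
wget -c "$JAILKIT_TARGZ"
tar xvfz jailkit-*.tar.gz
rm -f jailkit-*.tar.gz
cd jailkit-* || exit 1
# Stop at the first failing step rather than "make install"-ing a broken tree.
./configure && make && make install
cd /tmp || exit 1
rm -rf jailkit-*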
# Synchronize the system clock with NTP
yast2 -i xntp
chkconfig --add ntp
/etc/init.d/ntp start
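# ISPCONFIG
cd /tmp || exit 1
# ISPCONFIG_TAR_GZ ends in "?use_mirror=", so without -O wget may save the file
# under a name that the ISPConfig-*.tar.gz glob does not match.
wget -c -O ISPConfig-3.0.2.1.tar.gz "$ISPCONFIG_TAR_GZ"
tar xvfz ISPConfig-*.tar.gz
cd ispconfig3_install/install/ || exit 1
# Answers for the installer prompts, in order: defaults for the first two,
# the full host name, two defaults, the MySQL root password, then defaults.
# Re-check this sequence after an ISPConfig upgrade; the prompts may change.
(echo; echo; echo "$MY_FULLHOSTNAME"; echo; echo; echo "$MYSQLROOTPASS"; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; ) | php -q install.php
cd /tmp || exit 1
rm -rf /tmp/ispconfig3_install
rm -f /tmp/ISPConfig-*.tar.gz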
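# Squirrelmail, reachable through the ISPConfig interface as /webmail
rpm -i "$SQUIRRELMAIL_RPM"
ln -s /srv/www/htdocs/squirrelmail /usr/local/ispconfig/interface/web/webmail
# Symlink phpMyAdmin into the interface the same way
ln -s /srv/www/htdocs/phpMyAdmin /usr/local/ispconfig/interface/web/phpmyadmin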
# System language: switch the default locale from UTF-8 to ISO-8859-1
# (the reason is not recorded; kept as before).
sed -i 's/\"en_US\.UTF-8/\"en_US\.ISO-8859-1/g' /etc/sysconfig/language
# Register an x-httpd-suphp handler next to x-httpd-php in suphp.conf,
# both pointing at php-cgi5.
sed -i 's/x\-httpd\-php\=\"php\:\/usr\/bin\/php\-cgi5\"/x-httpd-php="php:\/usr\/bin\/php-cgi5"\nx-httpd-suphp="php:\/usr\/bin\/php-cgi5"/g' /etc/suphp.conf
SuSEconfig
# Interactive: answer 'svn' when asked for the update type.
/usr/local/bin/ispconfig_update_from_svn.sh
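# Self-signed certificate for the ISPConfig interface (valid 10 years).
# The key is generated encrypted under a throw-away passphrase derived from
# MYSQLROOTPASS, then decrypted to server.key so Apache can start unattended;
# the encrypted copy is kept as server.key.secure.
# Everything runs in a subshell with umask 077 so no key file is ever created
# group- or world-readable, and the passphrase is handed to openssl through
# the environment (env:) rather than on the command line, where it would be
# visible in the process list.
(
  umask 077
  SSL_PASS="0passphrase$MYSQLROOTPASS"
  export SSL_PASS
  openssl genrsa -passout env:SSL_PASS -des3 -out /etc/apache2/ssl.key/server.key 4096
  # Accept the defaults for every certificate subject prompt.
  (echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;) | openssl req -passin env:SSL_PASS -new -key /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.csr/server.csr
  openssl x509 -passin env:SSL_PASS -req -days 3650 -in /etc/apache2/ssl.csr/server.csr -signkey /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.crt/server.crt
  openssl rsa -passin env:SSL_PASS -in /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.key/server.key.insecure
  mv /etc/apache2/ssl.key/server.key /etc/apache2/ssl.key/server.key.secure
  mv /etc/apache2/ssl.key/server.key.insecure /etc/apache2/ssl.key/server.key
)
a2enmod ssl
# Enable SSL on the ISPConfig vhost (:8080) with the certificate just created.
sed -i 's/.VirtualHost _default_\:8080./\<VirtualHost _default_\:8080\>\nSSLEngine On\nSSLCertificateFile \/etc\/apache2\/ssl.crt\/server.crt\nSSLCertificateKeyFile \/etc\/apache2\/ssl.key\/server.key/g' /etc/apache2/sites-available/ispconfig.vhost
sed -i 's/DirectoryIndex index.html index.html.var/DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php5 index.php4 index.php3 index.pl index.html.var index.aspx default.aspx/g' /etc/apache2/httpd.conf
# enable named hosts
sed -i 's/^#NameVirtualHost \*\:80$/NameVirtualHost *:80/g' /etc/apache2/listen.conf
sed -i 's,^Alias /error/,#Alias /error/,' /etc/apache2/errors.conf
# Apply the same limits to the mod_php, CLI and FastCGI php.ini files.
for ini in /etc/php5/apache2/php.ini /etc/php5/cli/php.ini /etc/php5/fastcgi/php.ini; do
  sed -i -e 's/max_execution_time = 30/max_execution_time = 120/' \
         -e 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' \
         -e 's/post_max_size = 8M/post_max_size = 32M/' \
         "$ini"
done
rcapache2 restart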
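# postfix certificate: self-signed for 10 years from /etc/postfix/smtpd.key,
# which must already exist (this script does not create it).
# Accept the defaults for every certificate subject prompt.
(echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;) | openssl req -new -key /etc/postfix/smtpd.key -out /etc/postfix/smtpd.csr
openssl x509 -req -days 3650 -in /etc/postfix/smtpd.csr -signkey /etc/postfix/smtpd.key -out /etc/postfix/smtpd.cert
# The private key gets the same restriction as the CSR and certificate;
# postfix reads it as root, so "others" never need access.
chmod o-rwx /etc/postfix/smtpd.key /etc/postfix/smtpd.csr /etc/postfix/smtpd.cert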
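# rdiff-backup (built from source)
yast2 -i python-devel librsync
# Absolute path: the download and the cleanup globs below assume /tmp.
cd /tmp || exit 1
wget -c "$RDIFF_BACKUP_TARGZ"
tar xfz rdiff-backup-*.tar.gz
rm -f rdiff-backup-*.tar.gz
cd rdiff-backup-* || exit 1
./setup.py install
cd /tmp || exit 1
rm -rf rdiff-backup-*
yast2 -i iptraf iftop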
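# create backup script
# /backup receives a full rdiff-backup mirror of the system (including /etc),
# so only root may enter it; /srvbackup_do holds the script and the SQL dump.
mkdir -p /backup
chown root:root /backup
chmod og-rwx /backup
mkdir -p /srvbackup_do
chown root:root /srvbackup_do
chmod og-rwx /srvbackup_do
# MYSQLROOTPASS and MY_FULLHOSTNAME are expanded now and written into the
# generated script, which is why it lives in a root-only directory and is made
# root-only itself below.
cat > /srvbackup_do/dobackup.sh <<EOFMARKER2
#!/bin/bash
# Nightly backup: refresh/check/dump all MySQL databases, then mirror the
# file system into /backup with rdiff-backup. Run from root's crontab.
umask 077
cd /srvbackup_do || exit 1
sync
# The password is passed on the command line and is visible in the process
# list while the mysql tools run; a root-only ~/.my.cnf would avoid that.
mysqladmin -p'$MYSQLROOTPASS' refresh
mysqlcheck -p'$MYSQLROOTPASS' -A --auto-repair
mysqldump -p'$MYSQLROOTPASS' --all-databases >mysqldump.sql
chmod og-rw mysqldump.sql
/usr/local/bin/rdiff-backup --preserve-numerical-ids --exclude /tmp --exclude /backup --exclude /mnt --exclude /proc --exclude /dev --exclude /sys --exclude /var/lib/ntp/proc --exclude /media --exclude /var/tmp / /backup/$MY_FULLHOSTNAME
EOFMARKER2
chown root:root /srvbackup_do/dobackup.sh
chmod og-rwx /srvbackup_do/dobackup.sh
chmod u+x /srvbackup_do/dobackup.sh
# Run every night at 03:51, appending output to /var/log/backuplog.
echo '51 3 * * * /srvbackup_do/dobackup.sh >> /var/log/backuplog 2>&1' >>/var/spool/cron/tabs/root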
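# Fail2ban config: keep the packaged jail.conf as jail.conf.def and write our
# own. The delimiter is quoted (the file contains no shell expansions).
# The courier-imap jail previously banned on port=ftp, which does not block
# the IMAP logins it is watching; it now uses port=imap.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.def
cat > /etc/fail2ban/jail.conf <<'EOFMARKER3'
# Fail2Ban configuration file

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto

# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/messages
maxretry = 5

[ssh-ddos-iptables]

enabled  = true
filter   = sshd-ddos
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/messages
maxretry = 5

[proftpd-iptables]

enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
logpath  = /var/log/messages
maxretry = 6

[pure-ftpd-iptables]

enabled  = true
filter   = pure-ftpd
action   = iptables[name=PureFTPD, port=ftp, protocol=tcp]
logpath  = /var/log/messages
maxretry = 6

[courier-imap-iptables]

enabled  = true
filter   = courierlogin
action   = iptables[name=CourierIMAP, port=imap, protocol=tcp]
logpath  = /var/log/messages
maxretry = 6

# This jail forces the backend to "polling".

[sasl-iptables]

enabled  = true
filter   = sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
logpath  = /var/log/mail

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled     = true
filter      = sshd
action      = hostsdeny
ignoreregex = for myuser from
logpath     = /var/log/messages

[ssh-ddos-tcpwrapper]

enabled     = true
filter      = sshd-ddos
action      = hostsdeny
ignoreregex = for myuser from
logpath     = /var/log/messages

# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]

enabled  = true
filter   = apache-auth
action   = hostsdeny
logpath  = /var/log/apache2/error_log
maxretry = 6

# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.

[postfix-tcpwrapper]

enabled  = true
filter   = postfix
action   = hostsdeny
logpath  = /var/log/mail
bantime  = 300

# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.

[apache-badbots]

enabled  = true
filter   = apache-badbots
action   = iptables[name=BadBots1, port=http, protocol=tcp]
           iptables[name=BadBots2, port=https, protocol=tcp]
logpath  = /var/log/apache2/access_log
bantime  = 172800
maxretry = 1

[php-url-fopen]

enabled  = false
port     = http,https
filter   = php-url-fopen
logpath  = /var/log/apache2/access_log
maxretry = 1

EOFMARKER3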
# Ensure fail2ban recreates its socket file (-x), because otherwise after a
# server crash fail2ban won't restart.
sed -i 's/-q start/-x -q start/' /etc/init.d/fail2ban
# Fix the pure-ftpd regexp shipped with this fail2ban package
sed -i 's/[)][?]: [(][.][+][?]@<HOST>[)] \\\[/)\?: \\(.+?@<HOST>\\) \\[/' /etc/fail2ban/filter.d/pure-ftpd.conf
service fail2ban restart
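# Install AWSTATS
rpm -ivh "$AWSTATS_RPM"
cp /etc/awstats/awstats.web.conf /etc/awstats/awstats.conf
# Comment out the <IfDefine> wrapper so the awstats Apache config is always active.
sed -i -e 's,^<IfDefine,#<IfDefine,' -e 's,^</IfDefine,#</IfDefine,' /etc/apache2/conf.d/awstats.conf
rcapache2 restart
# Point ISPConfig's server configuration at the openSUSE awstats paths: dump the
# "server" table, patch the three awstats_* settings inside it (they appear to
# be stored as "key=value\n" text, hence the escaped \n anchors) and load it
# back. The dump holds the server configuration, so it goes into a private
# mktemp file rather than a world-readable fixed name in /tmp.
# The MySQL password is passed on the command line here, as elsewhere in this
# script, and is visible in the process list while these commands run.
SERVER_SQL=$(mktemp /tmp/server.sql.XXXXXX) || exit 1
mysqladmin -p"$MYSQLROOTPASS" refresh
mysqldump -u root -p"$MYSQLROOTPASS" dbispconfig server >"$SERVER_SQL"
sed -i -e 's,\\nawstats_data_dir=[^\\]*\\n,\\nawstats_data_dir=/var/cache/awstats\\n,' \
       -e 's,\\nawstats_pl=[^\\]*\\n,\\nawstats_pl=/srv/www/cgi-bin/awstats.pl\\n,' \
       -e 's,\\nawstats_buildstaticpages_pl=[^\\]*\\n,\\nawstats_buildstaticpages_pl=/usr/share/doc/packages/awstats/examples/awstats_buildstaticpages.pl\\n,' \
       "$SERVER_SQL"
mysql -u root -p"$MYSQLROOTPASS" dbispconfig <"$SERVER_SQL"
rm -f "$SERVER_SQL"
#sed -i 's,^#LoadPlugin=\"geoipfree\",LoadPlugin=\"geoipfree\",' /etc/awstats/awstats.conf
# Raise the Max* limits from 10 to 25 and drop the custom stylesheet.
sed -i 's,^Max\([^=]*\)= 10$,Max\1= 25,' /etc/awstats/awstats.conf
sed -i 's,^StyleSheet=\"[^\"]*\",StyleSheet=\"\",' /etc/awstats/awstats.conf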
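# Install eAccelerator (built from source against php5-devel)
yast2 -i php5-devel
cd /tmp || exit 1
wget "$EACCELERATOR_TARGZ"
tar xvfj eaccelerator-*.bz2
rm -f eaccelerator-*.bz2
cd eaccelerator-* || exit 1
phpize
# the flag is specified to prevent openbasedir limitations with ispconfig
./configure --without-eaccelerator-use-inode && make && make install
cd /tmp || exit 1
rm -rf eaccelerator-*
cat > /etc/php5/conf.d/eaccelerator.ini <<'EOFMARKER4'
extension="eaccelerator.so"
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/var/cache/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
EOFMARKER4
# NOTE(review): 0777 is kept as before - presumably because PHP also runs as
# per-site users under suPHP and each of them writes cache files here. It does
# mean every local user can write into the cache directory; confirm whether a
# tighter mode works with this setup.
mkdir -p /var/cache/eaccelerator
chmod 0777 /var/cache/eaccelerator
rcapache2 restart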
# adjust postfix interfaces: accept mail on all interfaces, not only loopback
sed -i 's/^inet_interfaces = localhost/inet_interfaces = all/g' /etc/postfix/main.cf
rcpostfix restart
# enable maildrop filters in ISPConfig by activating the plugin symlink
ln -s /usr/local/ispconfig/server/plugins-available/maildrop_plugin.inc.php \
  /usr/local/ispconfig/server/plugins-enabled/maildrop_plugin.inc.php
|