Script to automate the Perfect Server setup on OpenSUSE 11.4 and install ISPConfig 3

Author: George Yohng (georgesc#oss3d.com)
Script version: 2.2
Last updated: 26 October 2011

This is a script that automates the tasks of The Perfect Server - OpenSUSE 11.4 x86_64 [ISPConfig 3] and installs ISPConfig 3 at the end.

Note: do not run this script on a server that is already in use, because it may overwrite configuration files and break a running system. It is intended only for a fresh installation of OpenSUSE 11.4.

If you want to install on OpenSUSE 11.2 or OpenSUSE 11.3, make sure you use the other versions of this script (also available on www.youcl.com).

As I have found, the tutorial leaves a few things out. I made a script based on the tutorial that prepares a system, including several steps which, if skipped, leave the system incomplete in one way or another.

Notable additions:

  • fail2ban configuration
  • SuSEfirewall2 enabled
  • Pure-ftpd configuration changes (renaming allowed, passive port range and permissions changed)
  • Postfix certificate generation
  • Apache SSL certificate generation, with ISPConfig switched to HTTPS
  • Fix for the NameVirtualHost Apache configuration on OpenSUSE (important for Apache to recognise multiple domains from ISPConfig)
  • rdiff-backup set up with cron
  • Dovecot configuration fixed to enable SSL and to support Outlook Express compatibility
  • pam_mysql fixed to work on 64-bit systems
  • amavis fixed to find the clamd socket
  • eAccelerator installed
  • Apache custom error path fixed
  • awstats installed and configured
  • Apache and awstats configured to use mod_logio for correct bandwidth measurement
  • and more...

The script is not perfect, because it needs manual input twice - when mysql_secure_install runs, and when ispconfig_update_svn runs. (I use svn because the latest SVN of ISPConfig looks better, but stable can also be installed, and on a production system you should use stable!)

Run the following before running this script:

zypper update

reboot

Also, before running this script, change the host name manually with yast2 (the HOSTNAME file) so that OpenSUSE puts the correct name into the Postfix configuration.

This script requires two manual actions:

First - when mysql_secure_install runs.
Second - for the ISPConfig 3 update: if you chose the SVN update, you may need to answer "y" to enable SSL; for all other questions just press ENTER to accept the default.

Before running the script, you should change the following variables in it:

THIS_PLATFORM: x86_64 or i586.

MYSQLROOTPASS: please change MYSQLROOTPASS, and be sure to enter it verbatim when mysql_secure_install runs during the installation.

MY_HOSTNAME and MY_DOMAIN: change these to your server name. By default it is configured as server1.mydomain.com. If your web site hosts a complete domain (such as domain.com), still leave something in MY_HOSTNAME; server1 or host is a good name.

ISPCONFIG_TAR_GZ: make sure ISPCONFIG_TAR_GZ points to the latest available ISPConfig 3 release. Note that the automatic piping of answers to all installer questions is set up for ISPConfig 3.0.3.3; if ISPConfig is a later version, that part of the script may need to be changed.

Save the script on the server (e.g. as /root/opensuse_ispconfig3.sh):

vi /root/opensuse_ispconfig3.sh
#!/bin/sh

# OpenSUSE 11.4 Perfect Server ISPConfig script by George Yohng (georgesc#oss3d.com)
# Script Version 2.2

# Do zypper update and reboot before running this script

# Also better change host name manually with yast2 before running this script.

# This script requires two manual actions.

# First - when mysql_secure_install is running. One should type a new mysql password, the same as here
# Second - for ISPConfig3 update. One should type 'svn' when the update type is asked
# For both of scripts, all other options are default, one can just press ENTER.


# Also, please change MYSQLROOTPASS below, and be sure to enter it verbatim
# during the installation of mysql_secure_install.

# Important: When setting an MX entry, point it to mail.yourdomain.com rather than
# just to yourdomain.com, and create a CNAME entry for mail. Otherwise it doesn't
# seem to work somehow.

# Platform is x86_64 or i586

THIS_PLATFORM=x86_64

MYSQLROOTPASS=87h4eq2jr2

# Change this to your server name. By default it's configured to server1.mydomain.com

# If your web site hosts a complete domain, such as domain.com, still leave
# something for MY_HOSTNAME. 'server1' or 'host' is a good name.

MY_HOSTNAME=server1
MY_DOMAIN=mydomain.com

# Uncomment to use SVN-version of ISP config, and to run update once the installation is finished
#ISPCONFIG_SVN=yes

# Packages may have been updated, therefore also check the RPM and TARGZ locations below,
# and preferably use the latest versions of everything.

GETMAIL_RPM=http://download.opensuse.org/repositories/server:/mail/openSUSE_11.4/noarch/getmail-4.20.4-11.1.noarch.rpm
PAM_MYSQL_TARGZ=http://heanet.dl.sourceforge.net/sourceforge/pam-mysql/pam_mysql-0.7RC1.tar.gz
SUPHP_RPM=http://download.opensuse.org/repositories/server:/php/openSUSE_11.4/$THIS_PLATFORM/suphp-0.7.1-3.2.$THIS_PLATFORM.rpm

AWSTATS_RPM=http://download.opensuse.org/repositories/network:/utilities/openSUSE_11.4/noarch/awstats-7.0-14.1.noarch.rpm

SQUIRRELMAIL_RPM=http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.4/noarch/squirrelmail-1.4.22-1.1.noarch.rpm

JAILKIT_TARGZ=http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz

PHPMYADMIN_RPM=http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.4/noarch/phpMyAdmin-3.4.3.2-15.1.noarch.rpm
VLOGGER_TARGZ=http://n0rp.chemlab.org/vlogger/vlogger-1.3.tar.gz

RDIFF_BACKUP_TARGZ=http://savannah.nongnu.org/download/rdiff-backup/rdiff-backup-1.2.8.tar.gz

EACCELERATOR_TARGZ=http://bart.eaccelerator.net/source/0.9.6.1/eaccelerator-0.9.6.1.tar.bz2
#EACCELERATOR_TARGZ=http://www.debiantutorials.com/static/eaccelerator-0.9.6.1.tar.bz2

ISPCONFIG_TAR_GZ=http://downloads.sourceforge.net/ispconfig/ISPConfig-3.0.3.3.tar.gz?use_mirror=

MY_FULLHOSTNAME=$MY_HOSTNAME.$MY_DOMAIN

# Disable apparmor

/etc/init.d/boot.apparmor stop
chkconfig -d boot.apparmor

# Install SuSEfirewall

zypper -n install -l SuSEfirewall2 iptables

# Allow ports through firewall

SuSEfirewall2 open EXT TCP 22
SuSEfirewall2 open EXT TCP 21 80 8080 25 143 465 585 993 30000:30500
SuSEfirewall2

# Switch off X login (check!)

chkconfig --del xdm
rcxdm stop

# Quota

zypper -n install -l quota

touch /aquota.user /aquota.group
chmod 600 /aquota.*
touch /srv/aquota.user /srv/aquota.group
chmod 600 /srv/aquota.*

# TODO: change fstab here
# Ignore errors from the below commands

mount -o remount /
mount -o remount /srv
mount -o remount /home

quotacheck -avugm
quotaon -avug

# Basic packages

zypper -n install -l mc

zypper -n install -l GeoIP libGeoIP-devel libGeoIP1

geoip-fetch

zypper -n install -l findutils libreadline6 compat-readline4 readline-devel libgcc45 glibc-devel findutils-locate gcc flex lynx compat-readline4 db-devel wget gcc-c++ subversion make vim telnet cron iptables iputils man man-pages nano pico

# Host name

echo $MY_FULLHOSTNAME > /etc/HOSTNAME
echo 127.0.0.2 $MY_FULLHOSTNAME $MY_HOSTNAME >> /etc/hosts

export HOST=$MY_FULLHOSTNAME
export HOSTNAME=$MY_FULLHOSTNAME

SuSEconfig

# Postfix, Dovecot, MySQL

zypper -n install -l postfix postfix-mysql mysql-community-server mysql-community-server-client mysql-community-server-tools
zypper -n install -l python cron
zypper -n install -l libmysqlclient-devel pwgen
zypper -n install -l dovecot12 dovecot12-backend-mysql
zypper -n install -l bind

chkconfig --add mysql
chkconfig --add postfix
chkconfig --add dovecot
chkconfig --add named

test -d /lib64 && ln -s /usr/lib64/dovecot/modules /usr/lib/dovecot

/etc/init.d/mysql start
/etc/init.d/postfix start
/etc/init.d/dovecot start
/etc/init.d/named start

# getmail

cd /tmp
rpm -i $GETMAIL_RPM

# pam

if [ "$THIS_PLATFORM" == "x86_64" ]; then
zypper -n install -l pam-devel pam-32bit pam-devel-32bit pam-modules-32bit
fi

if [ "$THIS_PLATFORM" == "i586" ]; then
zypper -n install -l pam-devel pam pam-modules
fi


# pam_mysql

cd /tmp
wget -c $PAM_MYSQL_TARGZ
tar xvfz pam_mysql-*.tar.gz
rm -rf pam_mysql-*.tar.gz
cd pam_mysql-*
./configure
make
make install
cd /tmp
rm -rf /tmp/pam_mysql-*

test -d /lib64 && cp /lib/security/pam_mysql* /lib64/security

# mysql_secure_installation

mysql_secure_installation

#(echo Y; echo $MYSQLROOTPASS; echo $MYSQLROOTPASS; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; )

# amavis, spam asassin, etc

zypper -n install -l spamassassin amavisd-new clamav clamav-db zoo unzip bzip2 unarj perl-DBD-mysql
zypper -n install -l unrar

sa-update

# TODO: change /etc/amavisd.conf

#$mydomain = "$MY_DOMAIN"; # a convenient default for other settings
#$myhostname = "$MY_HOSTNAME";

sed -i 's/\$mydomain = '\''example.com'\'';/\$mydomain='\'$MY_DOMAIN\'';\n\$myhostname='\'$MY_FULLHOSTNAME\'';/g' /etc/amavisd.conf

# Correct a path to clamd socket
sed -i 's,/var/run/clamav/clamd,/var/lib/clamav/clamd-socket,g' /etc/amavisd.conf

chkconfig --add amavis
chkconfig --add clamd
/etc/init.d/amavis start
/etc/init.d/clamd start

# Apache2

zypper -n install -l apache2 apache2-mod_fcgid

zypper -n install -l php5-bcmath php5-bz2 php5-calendar php5-ctype php5-curl php5-dom php5-ftp php5-gd php5-gettext php5-gmp php5-iconv php5-imap php5-ldap php5-mbstring php5-mcrypt php5-mysql php5-odbc php5-openssl php5-pcntl php5-pgsql php5-posix php5-shmop php5-snmp php5-soap php5-sockets php5-sqlite php5-sysvsem php5-tokenizer php5-wddx php5-xmlrpc php5-xsl php5-zlib php5-exif php5-fastcgi php5-pear php5-sysvmsg php5-sysvshm ImageMagick curl apache2-mod_php5

rpm -i $SUPHP_RPM

a2enmod suexec
a2enmod deflate
a2enmod rewrite
a2enmod ssl
a2enmod actions
a2enmod suphp
a2enmod fcgid
a2enmod logio
chown root:www /usr/sbin/suexec2
chmod 4755 /usr/sbin/suexec2

chkconfig --add apache2
/etc/init.d/apache2 start

# PhpMyAdmin

rpm -i $PHPMYADMIN_RPM

# FTP

zypper -n install -l pure-ftpd quota

chkconfig --add pure-ftpd
/etc/init.d/pure-ftpd start

# VLOGGER, WEBALIZER

cd /tmp
wget -c $VLOGGER_TARGZ
tar xvfz vlogger-*.tar.gz
rm -f vlogger-*.tar.gz
mv vlogger-*/vlogger /usr/sbin/
rm -rf vlogger*

zypper -n install -l webalizer perl-Date-Manip perl-TimeDate

# Fail2ban

zypper -n install -l fail2ban

chkconfig --add fail2ban
service fail2ban start

# Jailkit

cd /tmp
wget -c $JAILKIT_TARGZ
tar xvfz jailkit-*.tar.gz
rm -f jailkit-*.tar.gz
cd jailkit-*
./configure
make
make install
cd /tmp
rm -rf jailkit-*

# Synchronize system clock
# Remove this, if you are inside XENU

zypper -n install -l ntp

chkconfig --add ntp
/etc/init.d/ntp start


# ============================
# Helper functions

function fix_pureftpd() {

sed -i 's/NoRename.*yes/NoRename no/g' "$1"
sed -i 's/AutoRename.*yes/AutoRename no/g' "$1"
sed -i 's/ProhibitDotFilesWrite.*yes/ProhibitDotFilesWrite no/g' "$1"
sed -i 's/# PassivePortRange.*30000 50000/PassivePortRange 30000 30500/g' "$1"
sed -i 's/LimitRecursion.*2000 8/LimitRecursion 20000 10/g' "$1"
sed -i 's/^Umask\ *.*$/Umask 137:027/' "$1"
sed -i 's/^MaxClientsNumber\ *10$/MaxClientsNumber 256/' "$1"
sed -i 's/^MaxClientsPerIP\ *3$/MaxClientsPerIP 16/' "$1"

}

function fix_dovecot() {

sed -i 's/^#listen =.*/listen = \*/g' "$1"
sed -i 's/^ssl = no/ssl = yes/g' "$1"
sed -i 's,#ssl_cert_file = .*,ssl_cert_file = /etc/ssl/certs/dovecot.pem,g' "$1"
sed -i 's,#ssl_key_file = .*,ssl_key_file = /etc/ssl/private/dovecot.pem,g' "$1"
sed -i 's,#mail_max_userip_connections = .*,mail_max_userip_connections = 32,g' "$1"
sed -i 's/#namespace private/namespace private {\n separator = .\n prefix =\n inbox = yes\n}\n\nnamespace private {\n separator = .\n prefix = INBOX.\n inbox = no\n hidden = yes\n list = no # for v1.1+\n}\n\n# {changed} namespace private/g' "$1"

}

function fix_customlog() {

sed -i 's/ent}i\\\"\" combined_ispconfig/ent}i\\\" %I %O" combined_ispconfig/g' "$1"
sed -i 's/LogFormat \"%v %h/LogFormat \"%v %a/g' "$1"

}

function fix_ispconfig() {

fix_dovecot "$1/install/tpl/opensuse_dovecot.conf.master"
fix_pureftpd "$1/install/tpl/opensuse_pureftpd_conf.master"

fix_customlog "$1/server/conf/apache_ispconfig.conf.master"
fix_customlog "$1/install/tpl/apache_ispconfig.conf.master"
fix_customlog "$1/install/dist/tpl/gentoo/apache_ispconfig.conf.master"


sed -i 's,^awstats_data_dir=.*$,awstats_data_dir=/var/cache/awstats,' "$1/install/tpl/server.ini.master"
sed -i 's,^awstats_pl=.*$,awstats_pl=/srv/www/cgi-bin/awstats.pl,' "$1/install/tpl/server.ini.master"
sed -i 's,^awstats_buildstaticpages_pl=.*$,awstats_buildstaticpages_pl=/usr/share/doc/packages/awstats/examples/awstats_buildstaticpages.pl,' "$1/install/tpl/server.ini.master"

}


# ============================

# ISPCONFIG

cd /tmp
wget -c $ISPCONFIG_TAR_GZ
tar xvfz ISPConfig-*.tar.gz

fix_ispconfig /tmp/ispconfig3_install

cd ispconfig3_install/install/

(echo; echo; echo $MY_FULLHOSTNAME; echo; echo; echo $MYSQLROOTPASS; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; ) | php -q install.php

cd /tmp
rm -rf /tmp/ispconfig3_install
rm -f /tmp/ISPConfig-*.tar.gz

# Squirrelmail

rpm -i $SQUIRRELMAIL_RPM
ln -s /srv/www/htdocs/squirrelmail /usr/local/ispconfig/interface/web/webmail

# Symlink

ln -s /srv/www/htdocs/phpMyAdmin /usr/local/ispconfig/interface/web/phpmyadmin

sed -i 's/\"en_US\.UTF-8/\"en_US\.ISO-8859-1/g' /etc/sysconfig/language

sed -i 's/x\-httpd\-php\=\"php\:\/usr\/bin\/php\-cgi5\"/x-httpd-php="php:\/usr\/bin\/php-cgi5"\nx-httpd-suphp="php:\/usr\/bin\/php-cgi5"/g' /etc/suphp.conf

SuSEconfig

# Generate certificates

openssl genrsa -passout pass:0passphrase$MYSQLROOTPASS -des3 -out /etc/apache2/ssl.key/server.key 4096
(echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;) | openssl req -passin pass:0passphrase$MYSQLROOTPASS -new -key /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.csr/server.csr
openssl x509 -passin pass:0passphrase$MYSQLROOTPASS -req -days 3650 -in /etc/apache2/ssl.csr/server.csr -signkey /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.crt/server.crt
openssl rsa -passin pass:0passphrase$MYSQLROOTPASS -in /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.key/server.key.insecure
mv /etc/apache2/ssl.key/server.key /etc/apache2/ssl.key/server.key.secure
mv /etc/apache2/ssl.key/server.key.insecure /etc/apache2/ssl.key/server.key
a2enmod ssl

sed -i 's/.VirtualHost _default_\:8080./\<VirtualHost _default_\:8080\>\nSSLEngine On\nSSLCertificateFile \/etc\/apache2\/ssl.crt\/server.crt\nSSLCertificateKeyFile \/etc\/apache2\/ssl.key\/server.key/g' /etc/apache2/sites-available/ispconfig.vhost

sed -i 's/DirectoryIndex index.html index.html.var/DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php5 index.php4 index.php3 index.pl index.html.var index.aspx default.aspx/g' /etc/apache2/httpd.conf

# enable named hosts
sed -i 's/^#NameVirtualHost \*\:80$/NameVirtualHost *:80/g' /etc/apache2/listen.conf

sed -i 's,^Alias /error/,#Alias /error/,' /etc/apache2/errors.conf

sed -i 's/max_execution_time = 30/max_execution_time = 120/' /etc/php5/apache2/php.ini
sed -i 's/max_execution_time = 30/max_execution_time = 120/' /etc/php5/cli/php.ini
sed -i 's/max_execution_time = 30/max_execution_time = 120/' /etc/php5/fastcgi/php.ini

sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' /etc/php5/apache2/php.ini
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' /etc/php5/cli/php.ini
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' /etc/php5/fastcgi/php.ini

sed -i 's/post_max_size = 8M/post_max_size = 32M/' /etc/php5/apache2/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 32M/' /etc/php5/cli/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 32M/' /etc/php5/fastcgi/php.ini

sed -i 's/^error_reporting = .*/error_reporting = E_ALL \& ~E_DEPRECATED \& ~E_NOTICE/' /etc/php5/apache2/php.ini
sed -i 's/^error_reporting = .*/error_reporting = E_ALL \& ~E_DEPRECATED \& ~E_NOTICE/' /etc/php5/cli/php.ini
sed -i 's/^error_reporting = .*/error_reporting = E_ALL \& ~E_DEPRECATED \& ~E_NOTICE/' /etc/php5/fastcgi/php.ini

rcapache2 restart

# postfix certificate

(echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;) | openssl req -new -key /etc/postfix/smtpd.key -out /etc/postfix/smtpd.csr
openssl x509 -req -days 3650 -in /etc/postfix/smtpd.csr -signkey /etc/postfix/smtpd.key -out /etc/postfix/smtpd.cert

chmod o-rwx /etc/postfix/smtpd.csr
chmod o-rwx /etc/postfix/smtpd.cert

# rdiff-backup

zypper -n install -l python-devel librsync

cd /tmp
wget -c $RDIFF_BACKUP_TARGZ
tar xfz rdiff-backup-*.tar.gz
rm -f rdiff-backup-*.tar.gz
cd rdiff-backup-*
./setup.py install
cd /tmp
rm -rf rdiff-backup-*

zypper -n install -l iptraf iftop

# create backup script

mkdir /backup
chown root:root /backup

mkdir /srvbackup_do
chown root:root /srvbackup_do
chmod og-rwx /srvbackup_do

cat > /srvbackup_do/dobackup.sh <<EOFMARKER2
#!/bin/bash

cd /srvbackup_do
sync
mysqladmin -p$MYSQLROOTPASS refresh
mysqlcheck -p$MYSQLROOTPASS -A --auto-repair

# backup into a single file
# mysqldump -p$MYSQLROOTPASS --all-databases >mysqldump.sql
# chmod og-rw mysqldump.sql

# backup into multiple files
rm -rf mysql
mkdir mysql
chown root:root mysql
chmod og-rwx mysql

for i in /var/lib/mysql/*/; do
dbname=\`basename \$i\`

echo >mysql/\$dbname.sql
chown root:root mysql/\$dbname.sql
chmod og-rwx mysql/\$dbname.sql

mysqldump -p$MYSQLROOTPASS \$dbname >mysql/\$dbname.sql
chown root:root mysql/\$dbname.sql
chmod og-rwx mysql/\$dbname.sql
done

/usr/local/bin/rdiff-backup --preserve-numerical-ids --exclude /tmp --exclude /backup --exclude /mnt --exclude /proc --exclude /dev --exclude /sys --exclude /var/lib/ntp/proc --exclude /media --exclude /var/tmp --exclude /var/lib/named --exclude /var/lib/nfs/rpc_pipefs / /backup/$MY_FULLHOSTNAME

#/usr/local/bin/duplicity \
#--include /etc \
#--include /srv \
#--include /srvbackup_do \
#--include /var/vmail \
#--include /var/lib/mysql \
#--include /var/log \
#--include /usr/local \
#--include /var/spool/amavis \
#--include /var/spool/cron \
#--include /home \
#--exclude '**' \
#--no-encryption \
#--ssh-options="-oProtocol=2 -oIdentityFile=/etc/ssh/ssh_host_dsa_key" \
#/ scp://user@backuphost/my.server.com


EOFMARKER2

chown root:root /srvbackup_do/dobackup.sh
chmod og-rwx /srvbackup_do/dobackup.sh
chmod u+x /srvbackup_do/dobackup.sh

echo '51 3 * * * /srvbackup_do/dobackup.sh >> /var/log/backuplog 2>&1' >>/var/spool/cron/tabs/root

# Fail2ban config
# TODO: patch fail2ban to include delays into iptables script,
# as otherwise it frequently fails

cat > /etc/fail2ban/filter.d/dovecot-pop3imap.conf <<EOFMARKER4
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
EOFMARKER4


cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.def
cat > /etc/fail2ban/jail.conf <<EOFMARKER3
# Fail2Ban configuration file

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto


# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/messages
maxretry = 5

[ssh-ddos-iptables]

enabled = true
filter = sshd-ddos
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/messages
maxretry = 5


[proftpd-iptables]

enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
logpath = /var/log/messages
maxretry = 6

[pure-ftpd-iptables]

enabled = true
filter = pure-ftpd
action = iptables[name=PureFTPD, port=ftp, protocol=tcp]
logpath = /var/log/messages
maxretry = 6

[courier-imap-iptables]

enabled = true
filter = courierlogin
action = iptables[name=CourierIMAP, port=ftp, protocol=tcp]
logpath = /var/log/messages
maxretry = 6

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap,pop3s,imaps", protocol=tcp]
logpath = /var/log/mail
maxretry = 6


# This jail forces the backend to "polling".

[sasl-iptables]

enabled = true
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
logpath = /var/log/mail

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled = true
filter = sshd
action = hostsdeny
ignoreregex = for myuser from
logpath = /var/log/messages

[ssh-ddos-tcpwrapper]

enabled = true
filter = sshd-ddos
action = hostsdeny
ignoreregex = for myuser from
logpath = /var/log/messages


# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]

enabled = true
filter = apache-auth
action = hostsdeny
logpath = /var/log/apache2/error_log
maxretry = 6

# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.

[postfix-tcpwrapper]

enabled = true
filter = postfix
action = hostsdeny
logpath = /var/log/mail
bantime = 300

# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.

[apache-badbots]

enabled = true
filter = apache-badbots
action = iptables[name=BadBots1, port=http, protocol=tcp]
iptables[name=BadBots2, port=https, protocol=tcp]
logpath = /var/log/apache2/access_log
bantime = 172800
maxretry = 1

[php-url-fopen]

enabled = false
port = http,https
filter = php-url-fopen
logpath = /var/log/apache2/access_log
maxretry = 1

EOFMARKER3

# Ensure fail2ban recreates a socket file
# Because otherwise after a server crash, fail2ban won't restart

sed -i 's/-q start/-x -q start/' /etc/init.d/fail2ban

# Fix pure-ftpd regexp

sed -i 's/[)][?]: [(][.][+][?]@<HOST>[)] \\\[/)\?: \\(.+?@<HOST>\\) \\[/' /etc/fail2ban/filter.d/pure-ftpd.conf

service fail2ban restart

# Fix getmail user to allow running from cron

sed -i 's/getmail:[!]:/getmail:*:/' /etc/shadow

# Install AWSTATS

rpm -ivh $AWSTATS_RPM

chmod og+w /var/cache/awstats

cp /etc/awstats/awstats.web.conf /etc/awstats/awstats.conf
sed -i 's,^<IfDefine,#<IfDefine,' /etc/apache2/conf.d/awstats.conf
sed -i 's,^</IfDefine,#</IfDefine,' /etc/apache2/conf.d/awstats.conf

rcapache2 restart

mysqladmin -p$MYSQLROOTPASS refresh

# Old code for fixing awstats path directly in the database
# Now it's fixed in server.ini.master before the installation of ISPConfig
#
#mysqldump -u root -p$MYSQLROOTPASS dbispconfig server >/tmp/server.sql
#sed -i 's,\\nawstats_data_dir=[^\\]*\\n,\\nawstats_data_dir=/var/cache/awstats\\n,' /tmp/server.sql
#sed -i 's,\\nawstats_pl=[^\\]*\\n,\\nawstats_pl=/srv/www/cgi-bin/awstats.pl\\n,' /tmp/server.sql
#sed -i 's,\\nawstats_buildstaticpages_pl=[^\\]*\\n,\\nawstats_buildstaticpages_pl=/usr/share/doc/packages/awstats/examples/awstats_buildstaticpages.pl\\n,' /tmp/server.sql
#mysql -u root -p$MYSQLROOTPASS dbispconfig </tmp/server.sql
#rm -rf /tmp/server.sql

#sed -i 's,^#LoadPlugin=\"geoipfree\",LoadPlugin=\"geoipfree\",' /etc/awstats/awstats.conf
sed -i 's,^Max\([^=]*\)= 10$,Max\1= 25,' /etc/awstats/awstats.conf
sed -i 's,^StyleSheet=\"[^\"]*\",StyleSheet=\"\",' /etc/awstats/awstats.conf


# Install eAccelerator

zypper -n install -l php5-devel

cd /tmp
wget $EACCELERATOR_TARGZ
tar xvfj eaccelerator-*.bz2
rm -rf eaccelerator-*.bz2
cd eaccelerator-*
phpize
# the flag is specified to prevent openbasedir limitations with ispconfig
./configure --without-eaccelerator-use-inode
make
make install

cd ..
rm -rf eaccelerator-*

cat > /etc/php5/conf.d/eaccelerator.ini <<EOFMARKER4
extension="eaccelerator.so"
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/var/cache/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
EOFMARKER4

mkdir -p /var/cache/eaccelerator
chmod 0777 /var/cache/eaccelerator

rcapache2 restart

# adjust postfix interfaces

sed -i 's/^inet_interfaces = localhost/inet_interfaces = all/g' /etc/postfix/main.cf
sed -i 's/^#tlsmgr/tlsmgr/g' /etc/postfix/master.cf
sed -i 's/^#smtps/465/g' /etc/postfix/master.cf

rcpostfix restart

# Fix squirrelmail

sed -i 's/^\$default_folder_prefix.*/$default_folder_prefix = '\'\'';/' /srv/www/htdocs/squirrelmail/config/config.php


# ==============

if [ "$ISPCONFIG_SVN" == "yes" ]; then
# Update ISPConfig from SVN

cd /tmp
svn export svn://svn.ispconfig.org/ispconfig3/trunk/ ispconfigsvn

fix_ispconfig /tmp/ispconfigsvn

# Run update (update.php lives in the install/ subdirectory of the exported tree)
cd /tmp/ispconfigsvn/install
php -q update.php
cd /tmp
rm -rf /tmp/ispconfigsvn

fi


# =========================================================================
# Fix configuration files, overwritten by ISPConfig update
# Re-run these lines after ISP-Config update

# Pure-ftpd

fix_pureftpd /etc/pure-ftpd/pure-ftpd.conf

rcpure-ftpd restart

# Dovecot

fix_dovecot /etc/dovecot/dovecot.conf

cd /usr/share/doc/packages/dovecot

cat >./mkcert.sh <<EOFMARKER5
#!/bin/sh

# Generates a self-signed certificate.
# Edit dovecot-openssl.cnf before running this.

OPENSSL=\${OPENSSL-openssl}
SSLDIR=\${SSLDIR-/etc/ssl}
OPENSSLCONFIG=\${OPENSSLCONFIG-dovecot-openssl.cnf}

CERTDIR=\$SSLDIR/certs
KEYDIR=\$SSLDIR/private

CERTFILE=\$CERTDIR/dovecot.pem
KEYFILE=\$KEYDIR/dovecot.pem

if [ ! -d \$CERTDIR ]; then
echo "\$SSLDIR/certs directory doesn't exist"
exit 1
fi

if [ ! -d \$KEYDIR ]; then
echo "\$SSLDIR/private directory doesn't exist"
exit 1
fi

if [ -f \$CERTFILE ]; then
echo "\$CERTFILE already exists, won't overwrite"
exit 1
fi

if [ -f \$KEYFILE ]; then
echo "\$KEYFILE already exists, won't overwrite"
exit 1
fi

\$OPENSSL req -new -x509 -nodes -config \$OPENSSLCONFIG -out \$CERTFILE -keyout \$KEYFILE -days 3650 || exit 2
chmod 0600 \$KEYFILE
echo
\$OPENSSL x509 -subject -fingerprint -noout -in \$CERTFILE || exit 2

EOFMARKER5

cat >./dovecot-openssl.cnf <<EOFMARKER6
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
#C=FI

# State or Province Name (full name)
#ST=

# Locality Name (eg. city)
#L=Helsinki

# Organization (eg. company)
#O=Dovecot

# Organizational Unit Name (eg. section)
OU=IMAP server

# Common Name (*.example.com is also possible)
CN=$MY_FULLHOSTNAME

# E-mail contact
emailAddress=postmaster@example.com

[ cert_type ]
nsCertType = server

EOFMARKER6

# TODO: add this script to cron
cat >/usr/bin/dovecot-check.sh <<EOFMARKER7
#!/bin/sh
if (/usr/bin/lsof -Pni :143 | grep "143 (LISTEN)" 2>&1 >/dev/null); then
echo >/dev/null
else
/etc/init.d/dovecot restart
fi
EOFMARKER7

sh ./mkcert.sh
cd /

rcdovecot restart
rcpostfix restart

# CustomLog

fix_customlog /etc/apache2/sites-available/ispconfig.conf
fix_customlog /usr/local/ispconfig/server/conf/apache_ispconfig.conf.master
sed -i 's,^LogFormat=.*,LogFormat = "%host %other %logname %time1 %methodurl %code %other %refererquot %uaquot %other %bytesd",' /etc/awstats/awstats.conf
a2enmod logio

rcapache2 restart



You can now run it like this:

sh /root/opensuse_ispconfig3.sh
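The Dovecot fail2ban filter the script writes to /etc/fail2ban/filter.d/dovecot-pop3imap.conf, checked offline against constructed log lines. This is an added example, not part of the original script: it compiles the script's failregex with Python's re module and applies the jail's maxretry/findtime counting rule from the script's jail.conf, so you can see which source addresses the [dovecot-pop3imap] jail would ban and which lines it ignores.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex from the script's dovecot-pop3imap.conf. It already spells the host
# capture as (?P<host>...), which is the form fail2ban uses internally, so it can be
# compiled unchanged.
FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): "
    r"(?:Authentication failure|Aborted login \(auth failed"
    r"|Aborted login \(tried to use disabled|Disconnected \(auth failed)"
    r".*rip=(?P<host>\S*),.*"
)

# Syslog prefix of /var/log/mail lines ("Oct 26 03:51:12 ..."); the stamp has no year.
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample of /var/log/mail in Dovecot 1.2 wording; these are not real log lines.
SAMPLE_LOG = """\
Oct 26 03:51:12 server1 dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
Oct 26 03:51:20 server1 dovecot: pop3-login: Disconnected (auth failed, 3 attempts): user=<alice>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.2
Oct 26 03:51:35 server1 dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
Oct 26 03:52:01 server1 dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.7, lip=198.51.100.2, TLS
Oct 26 03:52:10 server1 dovecot: imap-login: Aborted login (tried to use disabled plaintext auth): rip=203.0.113.5, lip=198.51.100.2
Oct 26 03:52:44 server1 dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
Oct 26 03:53:02 server1 dovecot: pop3-login: Disconnected (auth failed, 2 attempts): user=<alice>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.2
Oct 26 03:53:30 server1 dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
Oct 26 03:54:15 server1 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<test>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
Oct 26 03:55:00 server1 dovecot: imap-login: Disconnected (no auth attempts): rip=192.0.2.7, lip=198.51.100.2, TLS
"""


def extract_failures(lines):
    """Return (timestamp, host) for every line the failregex matches, like fail2ban's
    filter stage. Lines without a syslog stamp or without a match are skipped."""
    failures = []
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue
        ts = SYSLOG_TS.match(line)
        if not ts:
            continue
        # Syslog stamps carry no year; strptime defaults to 1900, which is fine for deltas.
        when = datetime.strptime(ts.group("ts"), "%b %d %H:%M:%S")
        failures.append((when, m.group("host")))
    return failures


def hosts_to_ban(lines, maxretry=6, findtime=600):
    """Apply the jail's counting rule: a host is banned once it has maxretry matches
    inside any window of findtime seconds. Defaults mirror the [dovecot-pop3imap] jail
    (maxretry = 6) and the [DEFAULT] findtime = 600 written by the script."""
    per_host = defaultdict(list)
    for when, host in extract_failures(lines):
        per_host[host].append(when)
    banned = set()
    window = timedelta(seconds=findtime)
    for host, stamps in per_host.items():
        stamps.sort()
        # Sliding window: compare each failure with the one maxretry-1 positions earlier.
        for i in range(maxretry - 1, len(stamps)):
            if stamps[i] - stamps[i - maxretry + 1] <= window:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for when, host in extract_failures(lines):
        print(when.strftime("%b %d %H:%M:%S"), host)
    print("would ban:", sorted(hosts_to_ban(lines)))
```

The successful login and the "no auth attempts" disconnect are not counted, while 203.0.113.5 reaches six failures within three minutes and would be banned; 203.0.113.9 stays below the threshold.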
