Script For Automatically Setting Up A Perfect Server On OpenSUSE 11.4 And Installing ISPConfig 3

Submitted by george_yohng (Contact Author) (Forums) on Mon, 2011-06-20 18:43. :: ISPConfig | SuSE


Author: George Yohng (georgesc#oss3d.com)
Script version: 2.2
Last updated: 26 October 2011

Here is a script that automates the steps of the Perfect Server - OpenSUSE 11.4 x86_64 [ISPConfig 3] tutorial and, at the end, also installs ISPConfig 3.

Please note: do not run this script on a server that is already in use. It overwrites configuration files and will break a running system. It is only meant for a fresh installation of OpenSUSE 11.4, and it has to be run as root.

If you are installing on OpenSUSE 11.2 or OpenSUSE 11.3, please be sure to use another version of this script (also available on www.howtoforge.com).

There are a few things missing from the tutorial as I found it. The script below follows the tutorial but adds several steps which, if skipped, leave the system unfinished in some way.

Notable additions:

  • fail2ban configuration
  • SuSEfirewall2 enabled
  • Pure-ftpd configuration change (allow renames, change the passive port range and permissions)
  • Postfix certificate generation
  • Apache SSL certificate generation, and switching ISPConfig to HTTPS
  • Fix of NameVirtualHost apache config with OpenSUSE (important for Apache to recognize multiple domains from ISPConfig)
  • Setup of rdiff-backup with cron
  • Fixed dovecot configuration to enable SSL and add Courier-compatible namespaces
  • Fixed pam_mysql to work on 64-bit systems
  • Fixed amavis to find clamd socket
  • Installed eAccelerator
  • Fixed apache custom errors path
  • Install and configure awstats
  • Configure apache and awstats to use mod_logio for correct bandwidth measurement
  • and more...

The script is imperfect in that it needs manual input twice: when mysql_secure_installation runs, and when the ISPConfig update (update.php) runs if the SVN version is chosen. (I use SVN because the latest ISPConfig SVN looks much nicer, but you can type stable as well; on production systems you should use stable!)

Do

zypper update

and

reboot

before running this script.

It is also better to set the host name (file /etc/HOSTNAME) manually with yast2 before running this script, so that OpenSUSE puts the proper name into the Postfix configuration.

This script requires two manual actions:

First, when mysql_secure_installation runs: type the new MySQL root password, the same value as MYSQLROOTPASS in the script.
Second, during the ISPConfig 3 update, if the SVN update is chosen: you may need to answer 'y' to enable SSL; for all other questions the default is fine, so just press ENTER.

You should change the following variables in the script before you run it:

THIS_PLATFORM: Either x86_64 or i586.

MYSQLROOTPASS: Change MYSQLROOTPASS, and enter it verbatim when mysql_secure_installation prompts for the new root password. Be aware that the script keeps this password in clear text: in the script file itself, in the generated backup script /srvbackup_do/dobackup.sh (which the script makes readable by root only), and on the command line of the mysqladmin, mysqlcheck and mysqldump calls (-p$MYSQLROOTPASS), where it is briefly visible to other local users in the process list. Keep the script file readable by root only and delete it once the installation is done.

MY_HOSTNAME, MY_DOMAIN: Change these to your server name. By default it is configured to server1.mydomain.com. If your server hosts a complete domain, such as domain.com, still use something for MY_HOSTNAME; server1 or host are good names.

ISPCONFIG_TAR_GZ: Make sure that ISPCONFIG_TAR_GZ points to the latest available ISPConfig 3 release. Beware that the automatic piping of answers to install.php is set up for ISPConfig 3.0.3.3; if a later version asks different questions, you will need to adjust that part of the script.

Save the script on your server (e.g. /root/opensuse_ispconfig3.sh); since it contains the MySQL root password, keep it readable by root only (chmod 600):

vi /root/opensuse_ispconfig3.sh

#!/bin/bash
# bash, not plain sh: the script uses the 'function' keyword and other bash syntax

# OpenSUSE 11.4 Perfect Server ISPConfig script by George Yohng (georgesc#oss3d.com)
# Script Version 2.2

# Do zypper update and reboot before running this script

# Also better change host name manually with yast2 before running this script.

# This script requires two manual actions.

# First - when mysql_secure_installation is running. Type the new MySQL root
# password, the same as MYSQLROOTPASS below.
# Second - for the ISPConfig3 update (only if ISPCONFIG_SVN=yes below). Type 'svn'
# when the update type is asked.
# For both, all other questions take the default; just press ENTER.

# Also, please change MYSQLROOTPASS below, and be sure to enter it verbatim
# when mysql_secure_installation asks for it.

# Important: when setting an MX entry, point it to mail.yourdomain.com rather than
# just to yourdomain.com, and create a CNAME entry for mail. Otherwise it does not
# seem to work.

# Platform is x86_64 or i586

THIS_PLATFORM=x86_64

# Change this! It is stored in clear text in this file and in /srvbackup_do/dobackup.sh
MYSQLROOTPASS=87h4eq2jr2

# Change this to your server name. By default it's configured to server1.mydomain.com

# If your web site hosts a complete domain, such as domain.com, still leave
# something for MY_HOSTNAME. 'server1' or 'host' is a good name.

MY_HOSTNAME=server1
MY_DOMAIN=mydomain.com

# Uncomment to use SVN-version of ISP config, and to run update once the installation is finished
#ISPCONFIG_SVN=yes

# Packages may have been updated, therefore also check the RPM and TARGZ locations below,
# and preferably use the latest versions of everything.

GETMAIL_RPM=http://download.opensuse.org/repositories/server:/mail/openSUSE_11.4/noarch/getmail-4.20.4-11.1.noarch.rpm
PAM_MYSQL_TARGZ=http://heanet.dl.sourceforge.net/sourceforge/pam-mysql/pam_mysql-0.7RC1.tar.gz
SUPHP_RPM=http://download.opensuse.org/repositories/server:/php/openSUSE_11.4/$THIS_PLATFORM/suphp-0.7.1-3.2.$THIS_PLATFORM.rpm

AWSTATS_RPM=http://download.opensuse.org/repositories/network:/utilities/openSUSE_11.4/noarch/awstats-7.0-14.1.noarch.rpm

SQUIRRELMAIL_RPM=http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.4/noarch/squirrelmail-1.4.22-1.1.noarch.rpm

JAILKIT_TARGZ=http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz

PHPMYADMIN_RPM=http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.4/noarch/phpMyAdmin-3.4.3.2-15.1.noarch.rpm
VLOGGER_TARGZ=http://n0rp.chemlab.org/vlogger/vlogger-1.3.tar.gz

RDIFF_BACKUP_TARGZ=http://savannah.nongnu.org/download/rdiff-backup/rdiff-backup-1.2.8.tar.gz

EACCELERATOR_TARGZ=http://bart.eaccelerator.net/source/0.9.6.1/eaccelerator-0.9.6.1.tar.bz2
#EACCELERATOR_TARGZ=http://www.debiantutorials.com/static/eaccelerator-0.9.6.1.tar.bz2

ISPCONFIG_TAR_GZ=http://downloads.sourceforge.net/ispconfig/ISPConfig-3.0.3.3.tar.gz?use_mirror=

MY_FULLHOSTNAME=$MY_HOSTNAME.$MY_DOMAIN

# Disable apparmor (as in the Perfect Server tutorial; note that this removes
# the AppArmor mandatory access control layer from the whole system)

/etc/init.d/boot.apparmor stop
chkconfig -d boot.apparmor

# Install SuSEfirewall

zypper -n install -l SuSEfirewall2 iptables

# Allow ports through the firewall: SSH, FTP plus the passive range set below,
# HTTP/HTTPS, ISPConfig on 8080, SMTP/SMTPS, POP3/POP3S, IMAP/IMAPS (585 is the
# legacy IMAP4-SSL port) and DNS for the bind server installed further down.

SuSEfirewall2 open EXT TCP 22
SuSEfirewall2 open EXT TCP 21 80 443 8080 25 465 110 995 143 585 993 30000:30500
SuSEfirewall2 open EXT TCP 53
SuSEfirewall2 open EXT UDP 53
SuSEfirewall2

# Start the firewall at boot as well
chkconfig SuSEfirewall2_init on
chkconfig SuSEfirewall2_setup on

# Switch off X login (check!)

chkconfig --del xdm
rcxdm stop

# Quota

zypper -n install -l quota

touch /aquota.user /aquota.group
chmod 600 /aquota.*
touch /srv/aquota.user /srv/aquota.group
chmod 600 /srv/aquota.*

# The files above are only used once the matching mount options are in /etc/fstab
# (for the / and /srv entries, as in the Perfect Server tutorial):
#   usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0
# This script does not edit fstab; add the options (yast2 or an editor) and then
# re-run the remount/quotacheck/quotaon lines. Until then the commands below
# report errors that can be ignored.

mount -o remount /
mount -o remount /srv
mount -o remount /home

quotacheck -avugm
quotaon -avug

# Basic packages

zypper -n install -l mc

zypper -n install -l GeoIP libGeoIP-devel libGeoIP1

geoip-fetch

zypper -n install -l findutils libreadline6 compat-readline4 readline-devel libgcc45 glibc-devel findutils-locate gcc flex lynx compat-readline4 db-devel wget gcc-c++ subversion make vim telnet cron iptables iputils man man-pages nano pico

# Host name

echo $MY_FULLHOSTNAME > /etc/HOSTNAME
echo 127.0.0.2 $MY_FULLHOSTNAME $MY_HOSTNAME >> /etc/hosts

export HOST=$MY_FULLHOSTNAME
export HOSTNAME=$MY_FULLHOSTNAME

SuSEconfig

# Postfix, Dovecot, MySQL

zypper -n install -l postfix postfix-mysql mysql-community-server mysql-community-server-client mysql-community-server-tools
zypper -n install -l python cron
zypper -n install -l libmysqlclient-devel pwgen
zypper -n install -l dovecot12 dovecot12-backend-mysql
zypper -n install -l bind

chkconfig --add mysql
chkconfig --add postfix
chkconfig --add dovecot
chkconfig --add named

test -d /lib64 && ln -s /usr/lib64/dovecot/modules /usr/lib/dovecot

/etc/init.d/mysql start
/etc/init.d/postfix start
/etc/init.d/dovecot start
/etc/init.d/named start

# getmail

cd /tmp
rpm -i $GETMAIL_RPM

# pam

if [ "$THIS_PLATFORM" = "x86_64" ]; then
zypper -n install -l pam-devel pam-32bit pam-devel-32bit pam-modules-32bit
fi

if [ "$THIS_PLATFORM" = "i586" ]; then
zypper -n install -l pam-devel pam pam-modules
fi


# pam_mysql

cd /tmp
wget -c $PAM_MYSQL_TARGZ
tar xvfz pam_mysql-*.tar.gz
rm -rf pam_mysql-*.tar.gz
cd pam_mysql-*
./configure
make
make install
cd /tmp
rm -rf /tmp/pam_mysql-*

test -d /lib64 && cp /lib/security/pam_mysql* /lib64/security

# mysql_secure_installation (interactive): when asked for the new root password,
# enter MYSQLROOTPASS exactly as set above; for the remaining questions the
# default answer (ENTER) is fine.

mysql_secure_installation

# Unfinished non-interactive variant, kept for reference only:
#(echo Y; echo $MYSQLROOTPASS; echo $MYSQLROOTPASS; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; )

# amavis, spam asassin, etc

zypper -n install -l spamassassin amavisd-new clamav clamav-db zoo unzip bzip2 unarj perl-DBD-mysql
zypper -n install -l unrar

sa-update

# TODO: change /etc/amavisd.conf

#$mydomain = "$MY_DOMAIN"; # a convenient default for other settings
#$myhostname = "$MY_HOSTNAME";

sed -i 's/\$mydomain = '\''example.com'\'';/\$mydomain='\'$MY_DOMAIN\'';\n\$myhostname='\'$MY_FULLHOSTNAME\'';/g' /etc/amavisd.conf

# Correct a path to clamd socket
sed -i 's,/var/run/clamav/clamd,/var/lib/clamav/clamd-socket,g' /etc/amavisd.conf

chkconfig --add amavis
chkconfig --add clamd
/etc/init.d/amavis start
/etc/init.d/clamd start

# Apache2

zypper -n install -l apache2 apache2-mod_fcgid

zypper -n install -l php5-bcmath php5-bz2 php5-calendar php5-ctype php5-curl php5-dom php5-ftp php5-gd php5-gettext php5-gmp php5-iconv php5-imap php5-ldap php5-mbstring php5-mcrypt php5-mysql php5-odbc php5-openssl php5-pcntl php5-pgsql php5-posix php5-shmop php5-snmp php5-soap php5-sockets php5-sqlite php5-sysvsem php5-tokenizer php5-wddx php5-xmlrpc php5-xsl php5-zlib php5-exif php5-fastcgi php5-pear php5-sysvmsg php5-sysvshm ImageMagick curl apache2-mod_php5

rpm -i $SUPHP_RPM

a2enmod suexec
a2enmod deflate
a2enmod rewrite
a2enmod ssl
a2enmod actions
a2enmod suphp
a2enmod fcgid
a2enmod logio
chown root:www /usr/sbin/suexec2
chmod 4755 /usr/sbin/suexec2

chkconfig --add apache2
/etc/init.d/apache2 start

# PhpMyAdmin

rpm -i $PHPMYADMIN_RPM

# FTP

zypper -n install -l pure-ftpd quota

chkconfig --add pure-ftpd
/etc/init.d/pure-ftpd start

# VLOGGER, WEBALIZER

cd /tmp
wget -c $VLOGGER_TARGZ
tar xvfz vlogger-*.tar.gz
rm -f vlogger-*.tar.gz
mv vlogger-*/vlogger /usr/sbin/
rm -rf vlogger*

zypper -n install -l webalizer perl-Date-Manip perl-TimeDate

# Fail2ban

zypper -n install -l fail2ban

chkconfig --add fail2ban
service fail2ban start

# Jailkit

cd /tmp
wget -c $JAILKIT_TARGZ
tar xvfz jailkit-*.tar.gz
rm -f jailkit-*.tar.gz
cd jailkit-*
./configure
make
make install
cd /tmp
rm -rf jailkit-*

# Synchronize system clock
# Remove this, if you are inside XENU

zypper -n install -l ntp

chkconfig --add ntp
/etc/init.d/ntp start


# ============================
# Helper functions

function fix_pureftpd() {

sed -i 's/NoRename.*yes/NoRename no/g' "$1"
sed -i 's/AutoRename.*yes/AutoRename no/g' "$1"
sed -i 's/ProhibitDotFilesWrite.*yes/ProhibitDotFilesWrite no/g' "$1"
sed -i 's/# PassivePortRange.*30000 50000/PassivePortRange 30000 30500/g' "$1"
sed -i 's/LimitRecursion.*2000 8/LimitRecursion 20000 10/g' "$1"
sed -i 's/^Umask\ *.*$/Umask 137:027/' "$1"
sed -i 's/^MaxClientsNumber\ *10$/MaxClientsNumber 256/' "$1"
sed -i 's/^MaxClientsPerIP\ *3$/MaxClientsPerIP 16/' "$1"

}

function fix_dovecot() {

sed -i 's/^#listen =.*/listen = \*/g' "$1"
sed -i 's/^ssl = no/ssl = yes/g' "$1"
sed -i 's,#ssl_cert_file = .*,ssl_cert_file = /etc/ssl/certs/dovecot.pem,g' "$1"
sed -i 's,#ssl_key_file = .*,ssl_key_file = /etc/ssl/private/dovecot.pem,g' "$1"
sed -i 's,#mail_max_userip_connections = .*,mail_max_userip_connections = 32,g' "$1"
sed -i 's/#namespace private/namespace private {\n separator = .\n prefix =\n inbox = yes\n}\n\nnamespace private {\n separator = .\n prefix = INBOX.\n inbox = no\n hidden = yes\n list = no # for v1.1+\n}\n\n# {changed} namespace private/g' "$1"

}

function fix_customlog() {

sed -i 's/ent}i\\\"\" combined_ispconfig/ent}i\\\" %I %O" combined_ispconfig/g' "$1"
sed -i 's/LogFormat \"%v %h/LogFormat \"%v %a/g' "$1"

}

function fix_ispconfig() {

fix_dovecot "$1/install/tpl/opensuse_dovecot.conf.master"
fix_pureftpd "$1/install/tpl/opensuse_pureftpd_conf.master"

fix_customlog "$1/server/conf/apache_ispconfig.conf.master"
fix_customlog "$1/install/tpl/apache_ispconfig.conf.master"
fix_customlog "$1/install/dist/tpl/gentoo/apache_ispconfig.conf.master"


sed -i 's,^awstats_data_dir=.*$,awstats_data_dir=/var/cache/awstats,' "$1/install/tpl/server.ini.master"
sed -i 's,^awstats_pl=.*$,awstats_pl=/srv/www/cgi-bin/awstats.pl,' "$1/install/tpl/server.ini.master"
sed -i 's,^awstats_buildstaticpages_pl=.*$,awstats_buildstaticpages_pl=/usr/share/doc/packages/awstats/examples/awstats_buildstaticpages.pl,' "$1/install/tpl/server.ini.master"

}


# ============================

# ISPCONFIG

cd /tmp
wget -c $ISPCONFIG_TAR_GZ
tar xvfz ISPConfig-*.tar.gz

fix_ispconfig /tmp/ispconfig3_install

cd ispconfig3_install/install/

(echo; echo; echo $MY_FULLHOSTNAME; echo; echo; echo $MYSQLROOTPASS; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; ) | php -q install.php

cd /tmp
rm -rf /tmp/ispconfig3_install
rm -f /tmp/ISPConfig-*.tar.gz

# Squirrelmail

rpm -i $SQUIRRELMAIL_RPM
ln -s /srv/www/htdocs/squirrelmail /usr/local/ispconfig/interface/web/webmail

# Symlink

ln -s /srv/www/htdocs/phpMyAdmin /usr/local/ispconfig/interface/web/phpmyadmin

sed -i 's/\"en_US\.UTF-8/\"en_US\.ISO-8859-1/g' /etc/sysconfig/language

sed -i 's/x\-httpd\-php\=\"php\:\/usr\/bin\/php\-cgi5\"/x-httpd-php="php:\/usr\/bin\/php-cgi5"\nx-httpd-suphp="php:\/usr\/bin\/php-cgi5"/g' /etc/suphp.conf

SuSEconfig

# Generate a self-signed Apache certificate for the ISPConfig interface (port 8080).
# The key is created without a passphrase: Apache has to read it unattended at boot,
# and a passphrase given on the command line (pass:...) would be visible in the
# process list anyway. The CN must be the host name browsers will connect to.

openssl genrsa -out /etc/apache2/ssl.key/server.key 4096
chmod 600 /etc/apache2/ssl.key/server.key
openssl req -new -key /etc/apache2/ssl.key/server.key -subj "/CN=$MY_FULLHOSTNAME" -out /etc/apache2/ssl.csr/server.csr
openssl x509 -req -days 3650 -in /etc/apache2/ssl.csr/server.csr -signkey /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.crt/server.crt
a2enmod ssl

sed -i 's/.VirtualHost _default_\:8080./\<VirtualHost _default_\:8080\>\nSSLEngine On\nSSLCertificateFile \/etc\/apache2\/ssl.crt\/server.crt\nSSLCertificateKeyFile \/etc\/apache2\/ssl.key\/server.key/g' /etc/apache2/sites-available/ispconfig.vhost

sed -i 's/DirectoryIndex index.html index.html.var/DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php5 index.php4 index.php3 index.pl index.html.var index.aspx default.aspx/g' /etc/apache2/httpd.conf

# enable named hosts
sed -i 's/^#NameVirtualHost \*\:80$/NameVirtualHost *:80/g' /etc/apache2/listen.conf

sed -i 's,^Alias /error/,#Alias /error/,' /etc/apache2/errors.conf

sed -i 's/max_execution_time = 30/max_execution_time = 120/' /etc/php5/apache2/php.ini
sed -i 's/max_execution_time = 30/max_execution_time = 120/' /etc/php5/cli/php.ini
sed -i 's/max_execution_time = 30/max_execution_time = 120/' /etc/php5/fastcgi/php.ini

sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' /etc/php5/apache2/php.ini
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' /etc/php5/cli/php.ini
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' /etc/php5/fastcgi/php.ini

sed -i 's/post_max_size = 8M/post_max_size = 32M/' /etc/php5/apache2/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 32M/' /etc/php5/cli/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 32M/' /etc/php5/fastcgi/php.ini

sed -i 's/^error_reporting = .*/error_reporting = E_ALL \& ~E_DEPRECATED \& ~E_NOTICE/' /etc/php5/apache2/php.ini
sed -i 's/^error_reporting = .*/error_reporting = E_ALL \& ~E_DEPRECATED \& ~E_NOTICE/' /etc/php5/cli/php.ini
sed -i 's/^error_reporting = .*/error_reporting = E_ALL \& ~E_DEPRECATED \& ~E_NOTICE/' /etc/php5/fastcgi/php.ini

rcapache2 restart

# postfix certificate: self-signed, for the existing /etc/postfix/smtpd.key,
# with the CN set to the mail host name

openssl req -new -key /etc/postfix/smtpd.key -subj "/CN=$MY_FULLHOSTNAME" -out /etc/postfix/smtpd.csr
openssl x509 -req -days 3650 -in /etc/postfix/smtpd.csr -signkey /etc/postfix/smtpd.key -out /etc/postfix/smtpd.cert

chmod 600 /etc/postfix/smtpd.key
chmod o-rwx /etc/postfix/smtpd.csr
chmod o-rwx /etc/postfix/smtpd.cert

# rdiff-backup

zypper -n install -l python-devel librsync

cd /tmp
wget -c $RDIFF_BACKUP_TARGZ
tar xfz rdiff-backup-*.tar.gz
rm -f rdiff-backup-*.tar.gz
cd rdiff-backup-*
python setup.py install
cd /tmp
rm -rf rdiff-backup-*

zypper -n install -l iptraf iftop

# create backup script

mkdir /backup
chown root:root /backup

mkdir /srvbackup_do
chown root:root /srvbackup_do
chmod og-rwx /srvbackup_do

cat > /srvbackup_do/dobackup.sh <<EOFMARKER2
#!/bin/bash

cd /srvbackup_do
sync
mysqladmin -p$MYSQLROOTPASS refresh
mysqlcheck -p$MYSQLROOTPASS -A --auto-repair

# backup into a single file
# mysqldump -p$MYSQLROOTPASS --all-databases >mysqldump.sql
# chmod og-rw mysqldump.sql

# backup into multiple files
rm -rf mysql
mkdir mysql
chown root:root mysql
chmod og-rwx mysql

for i in /var/lib/mysql/*/; do
dbname=\`basename \$i\`

echo >mysql/\$dbname.sql
chown root:root mysql/\$dbname.sql
chmod og-rwx mysql/\$dbname.sql

mysqldump -p$MYSQLROOTPASS \$dbname >mysql/\$dbname.sql
chown root:root mysql/\$dbname.sql
chmod og-rwx mysql/\$dbname.sql
done

/usr/local/bin/rdiff-backup --preserve-numerical-ids --exclude /tmp --exclude /backup --exclude /mnt --exclude /proc --exclude /dev --exclude /sys --exclude /var/lib/ntp/proc --exclude /media --exclude /var/tmp --exclude /var/lib/named --exclude /var/lib/nfs/rpc_pipefs / /backup/$MY_FULLHOSTNAME

#/usr/local/bin/duplicity \
#--include /etc \
#--include /srv \
#--include /srvbackup_do \
#--include /var/vmail \
#--include /var/lib/mysql \
#--include /var/log \
#--include /usr/local \
#--include /var/spool/amavis \
#--include /var/spool/cron \
#--include /home \
#--exclude '**' \
#--no-encryption \
#--ssh-options="-oProtocol=2 -oIdentityFile=/etc/ssh/ssh_host_dsa_key" \
#/ scp://user@backuphost/my.server.com


EOFMARKER2

chown root:root /srvbackup_do/dobackup.sh
chmod og-rwx /srvbackup_do/dobackup.sh
chmod u+x /srvbackup_do/dobackup.sh

echo '51 3 * * * /srvbackup_do/dobackup.sh >> /var/log/backuplog 2>&1' >>/var/spool/cron/tabs/root

# Fail2ban config
# TODO: patch fail2ban to include delays into iptables script,
# as otherwise it frequently fails

cat > /etc/fail2ban/filter.d/dovecot-pop3imap.conf <<EOFMARKER4
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
EOFMARKER4


cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.def
cat > /etc/fail2ban/jail.conf <<EOFMARKER3
# Fail2Ban configuration file

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto


# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/messages
maxretry = 5

[ssh-ddos-iptables]

enabled = true
filter = sshd-ddos
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/messages
maxretry = 5


[proftpd-iptables]

enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
logpath = /var/log/messages
maxretry = 6

[pure-ftpd-iptables]

enabled = true
filter = pure-ftpd
action = iptables[name=PureFTPD, port=ftp, protocol=tcp]
logpath = /var/log/messages
maxretry = 6

[courier-imap-iptables]

enabled = true
filter = courierlogin
action = iptables[name=CourierIMAP, port=ftp, protocol=tcp]
logpath = /var/log/messages
maxretry = 6

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap,pop3s,imaps", protocol=tcp]
logpath = /var/log/mail
maxretry = 6


# This jail forces the backend to "polling".

[sasl-iptables]

enabled = true
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
logpath = /var/log/mail

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled = true
filter = sshd
action = hostsdeny
ignoreregex = for myuser from
logpath = /var/log/messages

[ssh-ddos-tcpwrapper]

enabled = true
filter = sshd-ddos
action = hostsdeny
ignoreregex = for myuser from
logpath = /var/log/messages


# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]

enabled = true
filter = apache-auth
action = hostsdeny
logpath = /var/log/apache2/error_log
maxretry = 6

# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.

[postfix-tcpwrapper]

enabled = true
filter = postfix
action = hostsdeny
logpath = /var/log/mail
bantime = 300

# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.

[apache-badbots]

enabled = true
filter = apache-badbots
action = iptables[name=BadBots1, port=http, protocol=tcp]
iptables[name=BadBots2, port=https, protocol=tcp]
logpath = /var/log/apache2/access_log
bantime = 172800
maxretry = 1

[php-url-fopen]

enabled = false
port = http,https
filter = php-url-fopen
logpath = /var/log/apache2/access_log
maxretry = 1

EOFMARKER3

# Ensure fail2ban recreates a socket file
# Because otherwise after a server crash, fail2ban won't restart

sed -i 's/-q start/-x -q start/' /etc/init.d/fail2ban

# Fix pure-ftpd regexp

sed -i 's/[)][?]: [(][.][+][?]@<HOST>[)] \\\[/)\?: \\(.+?@<HOST>\\) \\[/' /etc/fail2ban/filter.d/pure-ftpd.conf

service fail2ban restart

# Fix getmail user to allow running from cron

# cron refuses to run jobs for an account whose password field is locked ('!');
# '*' keeps the account without a password but usable by cron
sed -i 's/getmail:[!]:/getmail:*:/' /etc/shadow

# Install AWSTATS

rpm -ivh $AWSTATS_RPM

# /var/cache/awstats is written by ISPConfig's cron job (root) and by awstats.pl
# when it runs under Apache (user wwwrun, group www); group write is enough,
# there is no need to make it world-writable.
chgrp www /var/cache/awstats
chmod 2775 /var/cache/awstats

cp /etc/awstats/awstats.web.conf /etc/awstats/awstats.conf
sed -i 's,^<IfDefine,#<IfDefine,' /etc/apache2/conf.d/awstats.conf
sed -i 's,^</IfDefine,#</IfDefine,' /etc/apache2/conf.d/awstats.conf

rcapache2 restart

mysqladmin -p$MYSQLROOTPASS refresh

# Old code for fixing awstats path directly in the database
# Now it's fixed in server.ini.master before the installation of ISPConfig
#
#mysqldump -u root -p$MYSQLROOTPASS dbispconfig server >/tmp/server.sql
#sed -i 's,\\nawstats_data_dir=[^\\]*\\n,\\nawstats_data_dir=/var/cache/awstats\\n,' /tmp/server.sql
#sed -i 's,\\nawstats_pl=[^\\]*\\n,\\nawstats_pl=/srv/www/cgi-bin/awstats.pl\\n,' /tmp/server.sql
#sed -i 's,\\nawstats_buildstaticpages_pl=[^\\]*\\n,\\nawstats_buildstaticpages_pl=/usr/share/doc/packages/awstats/examples/awstats_buildstaticpages.pl\\n,' /tmp/server.sql
#mysql -u root -p$MYSQLROOTPASS dbispconfig </tmp/server.sql
#rm -rf /tmp/server.sql

#sed -i 's,^#LoadPlugin=\"geoipfree\",LoadPlugin=\"geoipfree\",' /etc/awstats/awstats.conf
sed -i 's,^Max\([^=]*\)= 10$,Max\1= 25,' /etc/awstats/awstats.conf
sed -i 's,^StyleSheet=\"[^\"]*\",StyleSheet=\"\",' /etc/awstats/awstats.conf


# Install eAccelerator

zypper -n install -l php5-devel

cd /tmp
wget $EACCELERATOR_TARGZ
tar xvfj eaccelerator-*.bz2
rm -rf eaccelerator-*.bz2
cd eaccelerator-*
phpize
# the flag is specified to prevent openbasedir limitations with ispconfig
./configure --without-eaccelerator-use-inode
make
make install

cd ..
rm -rf eaccelerator-*

cat > /etc/php5/conf.d/eaccelerator.ini <<EOFMARKER4
extension="eaccelerator.so"
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/var/cache/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
EOFMARKER4

# The cache must be writable by every PHP process user (wwwrun for mod_php and
# each web user under suPHP), hence world-writable; the sticky bit at least
# stops users from deleting each other's cache files.
mkdir -p /var/cache/eaccelerator
chmod 1777 /var/cache/eaccelerator

rcapache2 restart

# adjust postfix: listen on all interfaces, enable tlsmgr and the smtps (465) listener.
# In the stock master.cf the smtps line is followed by a commented
# "-o smtpd_tls_wrappermode=yes"; without it port 465 speaks plain SMTP instead of
# SMTP over TLS, so that option is uncommented too (check master.cf after the edit).

sed -i 's/^inet_interfaces = localhost/inet_interfaces = all/g' /etc/postfix/main.cf
sed -i 's/^#tlsmgr/tlsmgr/g' /etc/postfix/master.cf
sed -i 's/^#smtps/465/g' /etc/postfix/master.cf
sed -i 's/^#  -o smtpd_tls_wrappermode=yes/  -o smtpd_tls_wrappermode=yes/' /etc/postfix/master.cf

rcpostfix restart

# Fix squirrelmail

sed -i 's/^\$default_folder_prefix.*/$default_folder_prefix = '\'\'';/' /srv/www/htdocs/squirrelmail/config/config.php


# ==============

if [ "$ISPCONFIG_SVN" = "yes" ]; then
# Update ISPConfig from SVN (interactive, see the notes at the top)

cd /tmp
svn export svn://svn.ispconfig.org/ispconfig3/trunk/ ispconfigsvn

fix_ispconfig /tmp/ispconfigsvn

# Run update (update.php lives in the install/ directory of the export)
cd /tmp/ispconfigsvn/install
php -q update.php
cd /tmp
rm -rf /tmp/ispconfigsvn

fi


# =========================================================================
# Fix configuration files, overwritten by ISPConfig update
# Re-run these lines after ISP-Config update

# Pure-ftpd

fix_pureftpd /etc/pure-ftpd/pure-ftpd.conf

rcpure-ftpd restart

# Dovecot

fix_dovecot /etc/dovecot/dovecot.conf

cd /usr/share/doc/packages/dovecot

cat >./mkcert.sh <<EOFMARKER5
#!/bin/sh

# Generates a self-signed certificate.
# Edit dovecot-openssl.cnf before running this.

OPENSSL=\${OPENSSL-openssl}
SSLDIR=\${SSLDIR-/etc/ssl}
OPENSSLCONFIG=\${OPENSSLCONFIG-dovecot-openssl.cnf}

CERTDIR=\$SSLDIR/certs
KEYDIR=\$SSLDIR/private

CERTFILE=\$CERTDIR/dovecot.pem
KEYFILE=\$KEYDIR/dovecot.pem

if [ ! -d \$CERTDIR ]; then
echo "\$SSLDIR/certs directory doesn't exist"
exit 1
fi

if [ ! -d \$KEYDIR ]; then
echo "\$SSLDIR/private directory doesn't exist"
exit 1
fi

if [ -f \$CERTFILE ]; then
echo "\$CERTFILE already exists, won't overwrite"
exit 1
fi

if [ -f \$KEYFILE ]; then
echo "\$KEYFILE already exists, won't overwrite"
exit 1
fi

\$OPENSSL req -new -x509 -nodes -config \$OPENSSLCONFIG -out \$CERTFILE -keyout \$KEYFILE -days 3650 || exit 2
chmod 0600 \$KEYFILE
echo
\$OPENSSL x509 -subject -fingerprint -noout -in \$CERTFILE || exit 2

EOFMARKER5

cat >./dovecot-openssl.cnf <<EOFMARKER6
[ req ]
# 1024-bit RSA keys are too weak; use 2048
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
#C=FI

# State or Province Name (full name)
#ST=

# Locality Name (eg. city)
#L=Helsinki

# Organization (eg. company)
#O=Dovecot

# Organizational Unit Name (eg. section)
OU=IMAP server

# Common Name (*.example.com is also possible)
CN=$MY_FULLHOSTNAME

# E-mail contact
emailAddress=postmaster@$MY_DOMAIN

[ cert_type ]
nsCertType = server

EOFMARKER6

# Watchdog: restart dovecot if nothing listens on IMAP port 143 (needs lsof).
# Not yet in cron; to run it every 5 minutes add e.g.
#   */5 * * * * /usr/bin/dovecot-check.sh
# to root's crontab.
zypper -n install -l lsof
cat >/usr/bin/dovecot-check.sh <<EOFMARKER7
#!/bin/sh
if ! /usr/bin/lsof -Pni :143 | grep -q "143 (LISTEN)"; then
/etc/init.d/dovecot restart
fi
EOFMARKER7
chmod 755 /usr/bin/dovecot-check.sh

sh ./mkcert.sh
cd /

rcdovecot restart
rcpostfix restart

# CustomLog

fix_customlog /etc/apache2/sites-available/ispconfig.conf
fix_customlog /usr/local/ispconfig/server/conf/apache_ispconfig.conf.master
sed -i 's,^LogFormat=.*,LogFormat = "%host %other %logname %time1 %methodurl %code %other %refererquot %uaquot %other %bytesd",' /etc/awstats/awstats.conf
a2enmod logio

rcapache2 restart



You can now run it as root like this:

bash /root/opensuse_ispconfig3.sh
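The dovecot-pop3imap filter the script writes to /etc/fail2ban/filter.d/dovecot-pop3imap.conf, and the [dovecot-pop3imap] jail that uses it, can be checked against real logs with fail2ban-regex (fail2ban-regex /var/log/mail /etc/fail2ban/filter.d/dovecot-pop3imap.conf). As an added example that is not part of the original script, the shell snippet below emulates what that jail does: it applies a POSIX ERE translation of the failregex to a constructed sample of /var/log/mail lines, extracts rip= from every matching line, and reports the client addresses that reach a given maxretry count. The sample lines, the addresses 203.0.113.5 and 198.51.100.7, and the function names are constructed for this example; the jail's findtime window is not modelled.

```shell
#!/bin/sh
# Added example: emulate the dovecot-pop3imap jail over constructed log lines.
# Constructed sample of /var/log/mail (not real log data): four failure
# messages the filter is meant to catch, one successful login, and one
# further failure from a second client.
SAMPLE_LOG='Oct 26 10:00:01 server1 dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Oct 26 10:00:02 server1 dovecot: pop3-login: Disconnected (auth failed, 3 attempts): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Oct 26 10:00:03 server1 dovecot: imap-login: Aborted login (tried to use disabled plaintext auth): user=<bob>, rip=203.0.113.5, lip=192.0.2.10
Oct 26 10:00:04 server1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Oct 26 10:00:05 server1 dovecot: imap-login: Authentication failure: user=<eve>, rip=198.51.100.7, lip=192.0.2.10
Oct 26 10:00:06 server1 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10'

# dovecot_failures: stdin = log lines, stdout = the rip= address of every line
# the filter matches. This is the page's failregex rewritten as a POSIX ERE:
# fail2ban's (?P<host>\S*) becomes the third capture group, [^,]*.
dovecot_failures() {
    sed -En 's/.*(pop3-login|imap-login): (Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=([^,]*),.*/\3/p'
}

# ban_candidates MAXRETRY: stdin = addresses (one per line), stdout = addresses
# seen MAXRETRY times or more, i.e. what the jail would hand to its iptables
# action. The jail's findtime window is not modelled.
ban_candidates() {
    sort | uniq -c | awk -v max="$1" '$1 >= max { print $2 }'
}

# count_failures: number of lines on stdin that the filter matches.
count_failures() {
    dovecot_failures | wc -l | tr -d ' '
}

# Demo: with the page's maxretry = 6 nobody is banned yet; with 3 the
# repeat offender 203.0.113.5 is.
printf '%s\n' "$SAMPLE_LOG" | dovecot_failures
printf '%s\n' "$SAMPLE_LOG" | dovecot_failures | ban_candidates 3
```

Lowering maxretry in the demo is only there to show the threshold effect; the jail in the script keeps maxretry = 6 because Dovecot's "Disconnected (auth failed, N attempts)" line already summarises several attempts per connection.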
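The script changes php.ini, pure-ftpd.conf and dovecot.conf with sed substitutions that match the distribution's exact default value (for example 's/max_execution_time = 30/max_execution_time = 120/'). Such a substitution silently does nothing when the default changes between package versions, when the option is commented out, or when the script is run a second time after the value is already set, and nothing in the script checks that an edit took effect. As an added example that is not part of the original script, the two shell functions below set and read a key in either the 'key = value' style of php.ini or the 'Key value' style of pure-ftpd.conf: an active line is rewritten, otherwise the first commented-out line is uncommented, otherwise the key is appended, so the result is the same however many times it runs. The file is rewritten through a temporary file and copied back so its mode and ownership are preserved. The function names set_opt and get_opt and the sample files are constructed for this example.

```shell
#!/bin/sh
# Added example: idempotent setter/getter for the "key = value" and "Key value"
# config files the script edits. Not part of the original script.

# set_opt FILE KEY VALUE [SEP]
#   SEP is what goes between key and value in an appended line; default " = "
#   (php.ini style), use " " for pure-ftpd.conf style. Rewrites the first
#   active line for KEY, else uncomments the first commented one, else appends.
#   VALUE is passed with awk -v, so backslashes in it are interpreted by awk.
set_opt() {
    file=$1; key=$2; value=$3; sep=${4:-" = "}
    tmp="$file.tmp.$$"
    # Pass 1 (NR == FNR) finds the line to rewrite; pass 2 rewrites it.
    awk -v key="$key" -v value="$value" -v sep="$sep" '
        function is_key(s,   rest) {      # s starts with key, followed by space, = or EOL?
            if (substr(s, 1, length(key)) != key) return 0
            rest = substr(s, length(key) + 1)
            return rest == "" || rest ~ /^[[:space:]=]/
        }
        NR == FNR {
            s = $0; sub(/^[[:space:]]*/, "", s)
            if (s ~ /^[;#]/) {
                sub(/^[;#][[:space:]]*/, "", s)
                if (!cmt && is_key(s)) cmt = FNR
            } else if (!act && is_key(s)) act = FNR
            next
        }
        FNR == 1 { target = act ? act : cmt }          # active line wins over a commented one
        FNR == target { print key sep value; done = 1; next }
        { print }
        END { if (!done) print key sep value }
    ' "$file" "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_opt FILE KEY: print the value of the first active KEY line (nothing if unset).
get_opt() {
    awk -v key="$2" '
        {
            s = $0; sub(/^[[:space:]]*/, "", s)
            if (s ~ /^[;#]/) next
            if (substr(s, 1, length(key)) != key) next
            rest = substr(s, length(key) + 1)
            if (rest != "" && rest !~ /^[[:space:]=]/) next
            sub(/^[[:space:]]*=?[[:space:]]*/, "", rest)
            sub(/[[:space:]]+$/, "", rest)
            print rest; exit
        }' "$1"
}

# Demo on a constructed php.ini excerpt: one active key, one commented-out key,
# one key that is absent. The same call a second time changes nothing.
demo=$(mktemp)
printf '%s\n' '; constructed php.ini excerpt' 'max_execution_time = 30' ';date.timezone =' > "$demo"
set_opt "$demo" max_execution_time 120
set_opt "$demo" max_execution_time 120
set_opt "$demo" date.timezone UTC
set_opt "$demo" post_max_size 32M
cat "$demo"
rm -f "$demo"
```

In the script this would replace, for instance, the three max_execution_time lines with set_opt /etc/php5/apache2/php.ini max_execution_time 120 (and the same for the cli and fastcgi copies), and the fix_pureftpd lines with set_opt "$1" PassivePortRange "30000 30500" " "; a get_opt call afterwards gives a check the original sed lines never had.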

 
