#!/bin/sh
# OpenSUSE 11.4 Perfect Server ISPConfig script by George Yohng (georgesc#oss3d.com)
# Script Version 2.2
# Do zypper update and reboot before running this script
# Also better change host name manually with yast2 before running this script.
# This script requires two manual actions.
# First - when mysql_secure_install is running. One should type a new mysql password, the same as here.
# Second - for ISPConfig3 update. One should type 'svn' when the update type is asked.
# For both scripts, all other options are defaults; one can just press ENTER.
# Also, please change MYSQLROOTPASS below, and be sure to enter it verbatim
# during the installation of mysql_secure_install.
# Important: When setting an MX entry, point it to mail.yourdomain.com rather than
# just to yourdomain.com, and create a CNAME entry for mail. Otherwise it doesn't
# seem to work somehow.
# Platform is x86_64 or i586
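# ---------------------------------------------------------------------------
# Configuration - edit before running.
# ---------------------------------------------------------------------------
# Platform is x86_64 or i586
THIS_PLATFORM=x86_64
# MySQL root password.  It may be supplied through the environment instead of
# being edited into this file (MYSQLROOTPASS=... sh thisscript); whatever value
# is used must be typed verbatim when mysql_secure_installation prompts for it.
# NOTE(review): later steps pass this value on command lines (-p...) and write
# it into the generated backup script, so keep this file unreadable to others
# once a real password is set.
MYSQLROOTPASS=${MYSQLROOTPASS:-87h4eq2jr2}
# Change this to your server name. By default it's configured to server1.mydomain.com
# If your web site hosts a complete domain, such as domain.com, still leave
# something for MY_HOSTNAME. 'server1' or 'host' is a good name.
MY_HOSTNAME=server1
MY_DOMAIN=mydomain.com
# Uncomment to use SVN-version of ISP config, and to run update once the installation is finished
#ISPCONFIG_SVN=yes
# Packages may have been updated, therefore also check the RPM and TARGZ locations below,
# and preferably use the latest versions of everything.
# NOTE(review): every artifact below is fetched over plain http and installed
# without a checksum or signature check (rpm -i / tar of a wget download);
# verify the downloads against the publisher's checksums before trusting a
# server built this way.
GETMAIL_RPM=http://download.opensuse.org/repositories/server:/mail/openSUSE_11.4/noarch/getmail-4.20.4-11.1.noarch.rpm
PAM_MYSQL_TARGZ=http://heanet.dl.sourceforge.net/sourceforge/pam-mysql/pam_mysql-0.7RC1.tar.gz
SUPHP_RPM=http://download.opensuse.org/repositories/server:/php/openSUSE_11.4/$THIS_PLATFORM/suphp-0.7.1-3.2.$THIS_PLATFORM.rpm
AWSTATS_RPM=http://download.opensuse.org/repositories/network:/utilities/openSUSE_11.4/noarch/awstats-7.0-14.1.noarch.rpm
SQUIRRELMAIL_RPM=http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.4/noarch/squirrelmail-1.4.22-1.1.noarch.rpm
JAILKIT_TARGZ=http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz
PHPMYADMIN_RPM=http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.4/noarch/phpMyAdmin-3.4.3.2-15.1.noarch.rpm
VLOGGER_TARGZ=http://n0rp.chemlab.org/vlogger/vlogger-1.3.tar.gz
RDIFF_BACKUP_TARGZ=http://savannah.nongnu.org/download/rdiff-backup/rdiff-backup-1.2.8.tar.gz
EACCELERATOR_TARGZ=http://bart.eaccelerator.net/source/0.9.6.1/eaccelerator-0.9.6.1.tar.bz2
#EACCELERATOR_TARGZ=http://www.debiantutorials.com/static/eaccelerator-0.9.6.1.tar.bz2
ISPCONFIG_TAR_GZ=http://downloads.sourceforge.net/ispconfig/ISPConfig-3.0.3.3.tar.gz?use_mirror=
# Fully qualified host name used for /etc/HOSTNAME, certificates and ISPConfig.
MY_FULLHOSTNAME=$MY_HOSTNAME.$MY_DOMAIN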
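# Disable apparmor
/etc/init.d/boot.apparmor stop
chkconfig -d boot.apparmor
# Install SuSEfirewall
zypper -n install -l SuSEfirewall2 iptables
# Allow ports through firewall.  30000:30500 is the pure-ftpd passive range
# configured by fix_pureftpd below.
# NOTE(review): confirm every port in this list is still needed on your host;
# each one is exposed on the external zone.
SuSEfirewall2 open EXT TCP 22
SuSEfirewall2 open EXT TCP 21 80 8080 25 143 465 585 993 30000:30500
# Activate the firewall with the rules just added.
SuSEfirewall2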
# Switch off X login (check!)
chkconfig --del xdm
rcxdm stop
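# Quota
zypper -n install -l quota
# Quota files on / and /srv; readable by root only.
touch /aquota.user /aquota.group
chmod 600 /aquota.*
touch /srv/aquota.user /srv/aquota.group
chmod 600 /srv/aquota.*
# TODO: change fstab here
# Ignore errors from the below commands (they fail harmlessly until fstab
# carries the quota options).
mount -o remount /
mount -o remount /srv
mount -o remount /home
quotacheck -avugm
quotaon -avug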
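# Basic packages (duplicate package names from the original list dropped;
# the set installed is unchanged).
zypper -n install -l mc
zypper -n install -l GeoIP libGeoIP-devel libGeoIP1
geoip-fetch
zypper -n install -l findutils libreadline6 compat-readline4 readline-devel libgcc45 glibc-devel \
  findutils-locate gcc flex lynx db-devel wget gcc-c++ subversion make vim telnet cron iptables \
  iputils man man-pages nano pico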
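# Host name: persist it, add a loopback alias, and export it for the rest of
# this run (SuSEconfig and the installers below read HOSTNAME).
echo "$MY_FULLHOSTNAME" > /etc/HOSTNAME
echo "127.0.0.2 $MY_FULLHOSTNAME $MY_HOSTNAME" >> /etc/hosts
export HOST="$MY_FULLHOSTNAME"
export HOSTNAME="$MY_FULLHOSTNAME"
SuSEconfig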
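# Postfix, Dovecot, MySQL, BIND
zypper -n install -l postfix postfix-mysql mysql-community-server mysql-community-server-client mysql-community-server-tools
zypper -n install -l python cron
zypper -n install -l libmysqlclient-devel pwgen
zypper -n install -l dovecot12 dovecot12-backend-mysql
zypper -n install -l bind
chkconfig --add mysql
chkconfig --add postfix
chkconfig --add dovecot
chkconfig --add named
# On 64-bit hosts expose the dovecot modules under /usr/lib as well
# (presumably so the 32-bit path used elsewhere resolves - verify on upgrade).
test -d /lib64 && ln -s /usr/lib64/dovecot/modules /usr/lib/dovecot
/etc/init.d/mysql start
/etc/init.d/postfix start
/etc/init.d/dovecot start
/etc/init.d/named start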
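# getmail (rpm fetches the URL itself; no signature is checked here)
cd /tmp
rpm -i "$GETMAIL_RPM"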
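# pam - the 32-bit compatibility packages are only needed on x86_64.
# (`case` replaces two `[ == ]` tests, which are not valid under #!/bin/sh.)
case "$THIS_PLATFORM" in
  x86_64) zypper -n install -l pam-devel pam-32bit pam-devel-32bit pam-modules-32bit ;;
  i586)   zypper -n install -l pam-devel pam pam-modules ;;
esac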
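# pam_mysql - built from source in /tmp and removed afterwards.
cd /tmp
wget -c "$PAM_MYSQL_TARGZ"
tar xvfz pam_mysql-*.tar.gz
rm -rf pam_mysql-*.tar.gz
cd pam_mysql-*
./configure
make
make install
cd /tmp
rm -rf /tmp/pam_mysql-*
# The module installs into /lib/security; 64-bit PAM looks in /lib64/security.
test -d /lib64 && cp /lib/security/pam_mysql* /lib64/security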
# mysql_secure_installation - interactive: enter MYSQLROOTPASS verbatim when
# asked for the new root password, defaults for everything else.
mysql_secure_installation
# Scripted answers kept for reference; left disabled because the prompt order
# differs between versions.
#(echo Y; echo $MYSQLROOTPASS; echo $MYSQLROOTPASS; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; )
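# amavis, spamassassin, clamav etc
zypper -n install -l spamassassin amavisd-new clamav clamav-db zoo unzip bzip2 unarj perl-DBD-mysql
zypper -n install -l unrar
sa-update
# TODO: change /etc/amavisd.conf
#$mydomain = "$MY_DOMAIN";   # a convenient default for other settings
#$myhostname = "$MY_HOSTNAME";
# Replace the example $mydomain line with the real domain and add a
# $myhostname line right after it (the \n in the replacement is GNU sed).
sed -i 's/\$mydomain = '\''example.com'\'';/\$mydomain='\'"$MY_DOMAIN"\'';\n\$myhostname='\'"$MY_FULLHOSTNAME"\'';/g' /etc/amavisd.conf
# Correct a path to clamd socket
sed -i 's,/var/run/clamav/clamd,/var/lib/clamav/clamd-socket,g' /etc/amavisd.conf
chkconfig --add amavis
chkconfig --add clamd
/etc/init.d/amavis start
/etc/init.d/clamd start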
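# Apache2
zypper -n install -l apache2 apache2-mod_fcgid
zypper -n install -l php5-bcmath php5-bz2 php5-calendar php5-ctype php5-curl php5-dom php5-ftp \
  php5-gd php5-gettext php5-gmp php5-iconv php5-imap php5-ldap php5-mbstring php5-mcrypt \
  php5-mysql php5-odbc php5-openssl php5-pcntl php5-pgsql php5-posix php5-shmop php5-snmp \
  php5-soap php5-sockets php5-sqlite php5-sysvsem php5-tokenizer php5-wddx php5-xmlrpc php5-xsl \
  php5-zlib php5-exif php5-fastcgi php5-pear php5-sysvmsg php5-sysvshm ImageMagick curl \
  apache2-mod_php5
rpm -i "$SUPHP_RPM"
a2enmod suexec
a2enmod deflate
a2enmod rewrite
a2enmod ssl
a2enmod actions
a2enmod suphp
a2enmod fcgid
a2enmod logio
# suexec2 must be setuid root and owned by root:www to be usable by apache;
# 4755 (not 4750) lets other users execute it too - the suexec binary itself
# enforces its caller checks.
chown root:www /usr/sbin/suexec2
chmod 4755 /usr/sbin/suexec2
chkconfig --add apache2
/etc/init.d/apache2 start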
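# PhpMyAdmin
rpm -i "$PHPMYADMIN_RPM"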
# FTP
zypper -n install -l pure-ftpd quota
chkconfig --add pure-ftpd
/etc/init.d/pure-ftpd start
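# VLOGGER, WEBALIZER - vlogger is a single perl script copied into /usr/sbin.
cd /tmp
wget -c "$VLOGGER_TARGZ"
tar xvfz vlogger-*.tar.gz
rm -f vlogger-*.tar.gz
mv vlogger-*/vlogger /usr/sbin/
rm -rf vlogger*
zypper -n install -l webalizer perl-Date-Manip perl-TimeDate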
# Fail2ban (configured further down, after ISPConfig is installed)
zypper -n install -l fail2ban
chkconfig --add fail2ban
service fail2ban start
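# Jailkit - built from source in /tmp and removed afterwards.
cd /tmp
wget -c "$JAILKIT_TARGZ"
tar xvfz jailkit-*.tar.gz
rm -f jailkit-*.tar.gz
cd jailkit-*
./configure
make
make install
cd /tmp
rm -rf jailkit-*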
# Synchronize system clock
# Remove this, if you are inside XENU
zypper -n install -l ntp
chkconfig --add ntp
/etc/init.d/ntp start
# ============================
# Helper functions
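#######################################
# Rewrite a pure-ftpd.conf style file in place: allow renames and dotfile
# writes, pin the passive port range to 30000-30500 (matching the firewall
# rule above), raise recursion and client limits and set a stricter umask.
# Arguments: $1 - path to the config file (edited in place)
# Returns:   sed's exit status
#######################################
fix_pureftpd() {
  # One sed pass with all expressions; every substitution is line-local, so
  # this is equivalent to the original one-sed-per-setting sequence.
  sed -i \
    -e 's/NoRename.*yes/NoRename no/g' \
    -e 's/AutoRename.*yes/AutoRename no/g' \
    -e 's/ProhibitDotFilesWrite.*yes/ProhibitDotFilesWrite no/g' \
    -e 's/# PassivePortRange.*30000 50000/PassivePortRange 30000 30500/g' \
    -e 's/LimitRecursion.*2000 8/LimitRecursion 20000 10/g' \
    -e 's/^Umask\ *.*$/Umask 137:027/' \
    -e 's/^MaxClientsNumber\ *10$/MaxClientsNumber 256/' \
    -e 's/^MaxClientsPerIP\ *3$/MaxClientsPerIP 16/' \
    -- "$1"
}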
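#######################################
# Rewrite a dovecot.conf style file in place: listen on all interfaces,
# enable SSL with /etc/ssl/{certs,private}/dovecot.pem, raise the per-IP
# connection limit and expand the "#namespace private" placeholder into the
# two namespaces ISPConfig expects.
# Arguments: $1 - path to the config file (edited in place)
# Returns:   sed's exit status
#######################################
fix_dovecot() {
  # The namespace expression is kept last: it is the only one that inserts
  # newlines into the pattern space.
  sed -i \
    -e 's/^#listen =.*/listen = \*/g' \
    -e 's/^ssl = no/ssl = yes/g' \
    -e 's,#ssl_cert_file = .*,ssl_cert_file = /etc/ssl/certs/dovecot.pem,g' \
    -e 's,#ssl_key_file = .*,ssl_key_file = /etc/ssl/private/dovecot.pem,g' \
    -e 's,#mail_max_userip_connections = .*,mail_max_userip_connections = 32,g' \
    -e 's/#namespace private/namespace private {\n separator = .\n prefix =\n inbox = yes\n}\n\nnamespace private {\n separator = .\n prefix = INBOX.\n inbox = no\n hidden = yes\n list = no # for v1.1+\n}\n\n# {changed} namespace private/g' \
    -- "$1"
}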
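#######################################
# Adjust the combined_ispconfig LogFormat in an apache config: append the
# mod_logio byte counters (%I %O) and log the client address (%a) instead
# of the host (%h).  mod_logio is enabled with a2enmod logio elsewhere.
# Arguments: $1 - path to the config file (edited in place)
# Returns:   sed's exit status
#######################################
fix_customlog() {
  sed -i \
    -e 's/ent}i\\\"\" combined_ispconfig/ent}i\\\" %I %O" combined_ispconfig/g' \
    -e 's/LogFormat \"%v %h/LogFormat \"%v %a/g' \
    -- "$1"
}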
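#######################################
# Patch an unpacked ISPConfig source tree so the templates it installs
# already carry the local dovecot, pure-ftpd, apache log and awstats
# settings.
# Arguments: $1 - root of the extracted ISPConfig tree
# Returns:   exit status of the last sed
#######################################
fix_ispconfig() {
  fix_dovecot "$1/install/tpl/opensuse_dovecot.conf.master"
  fix_pureftpd "$1/install/tpl/opensuse_pureftpd_conf.master"
  fix_customlog "$1/server/conf/apache_ispconfig.conf.master"
  fix_customlog "$1/install/tpl/apache_ispconfig.conf.master"
  fix_customlog "$1/install/dist/tpl/gentoo/apache_ispconfig.conf.master"
  # awstats paths as laid out by the openSUSE awstats package
  sed -i \
    -e 's,^awstats_data_dir=.*$,awstats_data_dir=/var/cache/awstats,' \
    -e 's,^awstats_pl=.*$,awstats_pl=/srv/www/cgi-bin/awstats.pl,' \
    -e 's,^awstats_buildstaticpages_pl=.*$,awstats_buildstaticpages_pl=/usr/share/doc/packages/awstats/examples/awstats_buildstaticpages.pl,' \
    -- "$1/install/tpl/server.ini.master"
}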
# ============================
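# ISPCONFIG
cd /tmp
wget -c "$ISPCONFIG_TAR_GZ"
# NOTE(review): the URL ends in "?use_mirror="; depending on the wget version
# that suffix can end up in the saved file name, in which case the glob below
# matches nothing - pass -O with an explicit file name if that happens.
tar xvfz ISPConfig-*.tar.gz
fix_ispconfig /tmp/ispconfig3_install
cd ispconfig3_install/install/
# Scripted answers for install.php: defaults everywhere except the host name
# and the MySQL root password.  The password is fed on stdin rather than argv.
(echo; echo; echo "$MY_FULLHOSTNAME"; echo; echo; echo "$MYSQLROOTPASS"; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; ) | php -q install.php
cd /tmp
rm -rf /tmp/ispconfig3_install
rm -f /tmp/ISPConfig-*.tar.gz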
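# Squirrelmail, reachable through the ISPConfig interface as /webmail
rpm -i "$SQUIRRELMAIL_RPM"
ln -s /srv/www/htdocs/squirrelmail /usr/local/ispconfig/interface/web/webmail
# Symlink phpMyAdmin into the ISPConfig interface as well
ln -s /srv/www/htdocs/phpMyAdmin /usr/local/ispconfig/interface/web/phpmyadmin
# Switch the system locale encoding to ISO-8859-1
sed -i 's/\"en_US\.UTF-8/\"en_US\.ISO-8859-1/g' /etc/sysconfig/language
# Register the x-httpd-suphp handler next to x-httpd-php in suphp.conf
sed -i 's/x\-httpd\-php\=\"php\:\/usr\/bin\/php\-cgi5\"/x-httpd-php="php:\/usr\/bin\/php-cgi5"\nx-httpd-suphp="php:\/usr\/bin\/php-cgi5"/g' /etc/suphp.conf
SuSEconfig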
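# Generate certificates for the ISPConfig interface (self-signed, 10 years).
# The key is first created with a passphrase, then re-written without one so
# apache can start unattended; the passphrased copy stays as server.key.secure.
# NOTE(review): the passphrase is derived from MYSQLROOTPASS and passed on the
# openssl command line, so it is visible in process listings while each
# openssl call runs.
openssl genrsa -passout "pass:0passphrase$MYSQLROOTPASS" -des3 -out /etc/apache2/ssl.key/server.key 4096
(echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;) | openssl req -passin "pass:0passphrase$MYSQLROOTPASS" -new -key /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.csr/server.csr
openssl x509 -passin "pass:0passphrase$MYSQLROOTPASS" -req -days 3650 -in /etc/apache2/ssl.csr/server.csr -signkey /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.crt/server.crt
openssl rsa -passin "pass:0passphrase$MYSQLROOTPASS" -in /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.key/server.key.insecure
mv /etc/apache2/ssl.key/server.key /etc/apache2/ssl.key/server.key.secure
mv /etc/apache2/ssl.key/server.key.insecure /etc/apache2/ssl.key/server.key
a2enmod ssl
# Turn the :8080 ISPConfig vhost into an SSL vhost using the certificate above
sed -i 's/.VirtualHost _default_\:8080./\<VirtualHost _default_\:8080\>\nSSLEngine On\nSSLCertificateFile \/etc\/apache2\/ssl.crt\/server.crt\nSSLCertificateKeyFile \/etc\/apache2\/ssl.key\/server.key/g' /etc/apache2/sites-available/ispconfig.vhost
sed -i 's/DirectoryIndex index.html index.html.var/DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php5 index.php4 index.php3 index.pl index.html.var index.aspx default.aspx/g' /etc/apache2/httpd.conf
# enable named hosts
sed -i 's/^#NameVirtualHost \*\:80$/NameVirtualHost *:80/g' /etc/apache2/listen.conf
sed -i 's,^Alias /error/,#Alias /error/,' /etc/apache2/errors.conf
# php.ini tuning, applied identically to the apache2, cli and fastcgi SAPIs
for ini in /etc/php5/apache2/php.ini /etc/php5/cli/php.ini /etc/php5/fastcgi/php.ini; do
  sed -i \
    -e 's/max_execution_time = 30/max_execution_time = 120/' \
    -e 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' \
    -e 's/post_max_size = 8M/post_max_size = 32M/' \
    -e 's/^error_reporting = .*/error_reporting = E_ALL \& ~E_DEPRECATED \& ~E_NOTICE/' \
    "$ini"
done
rcapache2 restart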
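# postfix certificate - self-signed from the existing smtpd.key.
# NOTE(review): /etc/postfix/smtpd.key is not created anywhere in this script;
# it is assumed to exist already (presumably from the ISPConfig installer).
(echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;) | openssl req -new -key /etc/postfix/smtpd.key -out /etc/postfix/smtpd.csr
openssl x509 -req -days 3650 -in /etc/postfix/smtpd.csr -signkey /etc/postfix/smtpd.key -out /etc/postfix/smtpd.cert
chmod o-rwx /etc/postfix/smtpd.csr
chmod o-rwx /etc/postfix/smtpd.cert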
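# rdiff-backup - built from source.  (The original did `cd tmp`, a relative
# path that only works by accident; /tmp is intended.)
zypper -n install -l python-devel librsync
cd /tmp
wget -c "$RDIFF_BACKUP_TARGZ"
tar xfz rdiff-backup-*.tar.gz
rm -f rdiff-backup-*.tar.gz
cd rdiff-backup-*
./setup.py install
cd /tmp
rm -rf rdiff-backup-*
zypper -n install -l iptraf iftop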
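# create backup script
# /backup holds the rdiff-backup repository; /srvbackup_do holds the script
# and the per-database SQL dumps and is readable by root only.
mkdir /backup
chown root:root /backup
mkdir /srvbackup_do
chown root:root /srvbackup_do
chmod og-rwx /srvbackup_do
# The heredoc is intentionally unquoted: $MYSQLROOTPASS and $MY_FULLHOSTNAME
# are expanded now, everything escaped with a backslash is left for the
# generated script.  The generated script therefore contains the MySQL root
# password in clear text; it is protected only by the og-rwx mode set below.
# MYSQL_PWD keeps the password off the argv of the mysql clients (it would
# otherwise be visible in process listings every night).
cat > /srvbackup_do/dobackup.sh <<EOFMARKER2
#!/bin/bash
cd /srvbackup_do
sync
export MYSQL_PWD='$MYSQLROOTPASS'
mysqladmin refresh
mysqlcheck -A --auto-repair
# backup into a single file
# mysqldump --all-databases >mysqldump.sql
# chmod og-rw mysqldump.sql
# backup into multiple files
rm -rf mysql
mkdir mysql
chown root:root mysql
chmod og-rwx mysql
for i in /var/lib/mysql/*/; do
  dbname=\$(basename "\$i")
  echo >mysql/\$dbname.sql
  chown root:root mysql/\$dbname.sql
  chmod og-rwx mysql/\$dbname.sql
  mysqldump "\$dbname" >mysql/\$dbname.sql
  chown root:root mysql/\$dbname.sql
  chmod og-rwx mysql/\$dbname.sql
done
/usr/local/bin/rdiff-backup --preserve-numerical-ids --exclude /tmp --exclude /backup --exclude /mnt --exclude /proc --exclude /dev --exclude /sys --exclude /var/lib/ntp/proc --exclude /media --exclude /var/tmp --exclude /var/lib/named --exclude /var/lib/nfs/rpc_pipefs / /backup/$MY_FULLHOSTNAME
#/usr/local/bin/duplicity \\
#--include /etc \\
#--include /srv \\
#--include /srvbackup_do \\
#--include /var/vmail \\
#--include /var/lib/mysql \\
#--include /var/log \\
#--include /usr/local \\
#--include /var/spool/amavis \\
#--include /var/spool/cron \\
#--include /home \\
#--exclude '**' \\
#--no-encryption \\
#--ssh-options="-oProtocol=2 -oIdentityFile=/etc/ssh/ssh_host_dsa_key" \\
#/ scp://user@backuphost/my.server.com
EOFMARKER2
chown root:root /srvbackup_do/dobackup.sh
chmod og-rwx /srvbackup_do/dobackup.sh
chmod u+x /srvbackup_do/dobackup.sh
# Nightly run at 03:51.  The crontab is appended directly; cron notices the
# changed mtime, but `crontab -e`-style editing would be the safer route.
echo '51 3 * * * /srvbackup_do/dobackup.sh >> /var/log/backuplog 2>&1' >>/var/spool/cron/tabs/root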
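# Fail2ban config
# TODO: patch fail2ban to include delays into iptables script,
# as otherwise it frequently fails
# Dovecot login-failure filter.  The delimiter is quoted so the regex
# backslashes reach the file unchanged.
cat > /etc/fail2ban/filter.d/dovecot-pop3imap.conf <<'EOFMARKER4'
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
EOFMARKER4
# Replace the packaged jail.conf (kept as jail.conf.def) with our own.
# NOTE(review): the courier-imap-iptables jail bans port=ftp although it
# watches IMAP logins - this looks copied from the ftp jails; confirm it is
# intended.  Both the iptables and the tcpwrapper ssh jails are enabled, so
# ssh failures are blocked twice.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.def
cat > /etc/fail2ban/jail.conf <<'EOFMARKER3'
# Fail2Ban configuration file

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto

# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/messages
maxretry = 5

[ssh-ddos-iptables]
enabled = true
filter = sshd-ddos
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/messages
maxretry = 5

[proftpd-iptables]
enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
logpath = /var/log/messages
maxretry = 6

[pure-ftpd-iptables]
enabled = true
filter = pure-ftpd
action = iptables[name=PureFTPD, port=ftp, protocol=tcp]
logpath = /var/log/messages
maxretry = 6

[courier-imap-iptables]
enabled = true
filter = courierlogin
action = iptables[name=CourierIMAP, port=ftp, protocol=tcp]
logpath = /var/log/messages
maxretry = 6

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap,pop3s,imaps", protocol=tcp]
logpath = /var/log/mail
maxretry = 6

# This jail forces the backend to "polling".

[sasl-iptables]
enabled = true
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
logpath = /var/log/mail

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".

[ssh-tcpwrapper]
enabled = true
filter = sshd
action = hostsdeny
ignoreregex = for myuser from
logpath = /var/log/messages

[ssh-ddos-tcpwrapper]
enabled = true
filter = sshd-ddos
action = hostsdeny
ignoreregex = for myuser from
logpath = /var/log/messages

# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]
enabled = true
filter = apache-auth
action = hostsdeny
logpath = /var/log/apache2/error_log
maxretry = 6

# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.

[postfix-tcpwrapper]
enabled = true
filter = postfix
action = hostsdeny
logpath = /var/log/mail
bantime = 300

# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.

[apache-badbots]
enabled = true
filter = apache-badbots
action = iptables[name=BadBots1, port=http, protocol=tcp]
         iptables[name=BadBots2, port=https, protocol=tcp]
logpath = /var/log/apache2/access_log
bantime = 172800
maxretry = 1

[php-url-fopen]
enabled = false
port = http,https
filter = php-url-fopen
logpath = /var/log/apache2/access_log
maxretry = 1
EOFMARKER3
# Ensure fail2ban recreates a socket file
# Because otherwise after a server crash, fail2ban won't restart
sed -i 's/-q start/-x -q start/' /etc/init.d/fail2ban
# Fix pure-ftpd regexp
sed -i 's/[)][?]: [(][.][+][?]@<HOST>[)] \\\[/)\?: \\(.+?@<HOST>\\) \\[/' /etc/fail2ban/filter.d/pure-ftpd.conf
service fail2ban restart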
# Fix getmail user to allow running from cron: turn the locked ("!") password
# field into "*".  Note this edits /etc/shadow directly with sed -i, i.e.
# without the shadow file lock that passwd/usermod would take.
sed -i 's/getmail:[!]:/getmail:*:/' /etc/shadow
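# Install AWSTATS
rpm -ivh "$AWSTATS_RPM"
# NOTE(review): this makes the awstats cache world-writable; any local user
# can then alter or plant statistics data.  A group-writable directory shared
# with the web server user would be the tighter choice.
chmod og+w /var/cache/awstats
cp /etc/awstats/awstats.web.conf /etc/awstats/awstats.conf
# Drop the <IfDefine> guard so the apache snippet is always active
sed -i 's,^<IfDefine,#<IfDefine,' /etc/apache2/conf.d/awstats.conf
sed -i 's,^</IfDefine,#</IfDefine,' /etc/apache2/conf.d/awstats.conf
rcapache2 restart
MYSQL_PWD="$MYSQLROOTPASS" mysqladmin refresh
# Old code for fixing awstats path directly in the database
# Now it's fixed in server.ini.master before the installation of ISPConfig
#
#mysqldump -u root -p$MYSQLROOTPASS dbispconfig server >/tmp/server.sql
#sed -i 's,\\nawstats_data_dir=[^\\]*\\n,\\nawstats_data_dir=/var/cache/awstats\\n,' /tmp/server.sql
#sed -i 's,\\nawstats_pl=[^\\]*\\n,\\nawstats_pl=/srv/www/cgi-bin/awstats.pl\\n,' /tmp/server.sql
#sed -i 's,\\nawstats_buildstaticpages_pl=[^\\]*\\n,\\nawstats_buildstaticpages_pl=/usr/share/doc/packages/awstats/examples/awstats_buildstaticpages.pl\\n,' /tmp/server.sql
#mysql -u root -p$MYSQLROOTPASS dbispconfig </tmp/server.sql
#rm -rf /tmp/server.sql
#sed -i 's,^#LoadPlugin=\"geoipfree\",LoadPlugin=\"geoipfree\",' /etc/awstats/awstats.conf
# Raise the Max* limits from 10 to 25 and drop the external stylesheet
sed -i 's,^Max\([^=]*\)= 10$,Max\1= 25,' /etc/awstats/awstats.conf
sed -i 's,^StyleSheet=\"[^\"]*\",StyleSheet=\"\",' /etc/awstats/awstats.conf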
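# Install eAccelerator
zypper -n install -l php5-devel
cd /tmp
wget "$EACCELERATOR_TARGZ"
tar xvfj eaccelerator-*.bz2
rm -rf eaccelerator-*.bz2
cd eaccelerator-*
phpize
# the flag is specified to prevent openbasedir limitations with ispconfig
./configure --without-eaccelerator-use-inode
make
make install
cd ..
rm -rf eaccelerator-*
cat > /etc/php5/conf.d/eaccelerator.ini <<'EOFMARKER4'
extension="eaccelerator.so"
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/var/cache/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
EOFMARKER4
# NOTE(review): a 0777 cache directory lets any local user write into the
# opcode cache consumed by every PHP process; restrict it to the users that
# actually run PHP (the apache user and the suphp/fcgi site users) if possible.
mkdir -p /var/cache/eaccelerator
chmod 0777 /var/cache/eaccelerator
rcapache2 restart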
# adjust postfix interfaces: listen on all addresses, enable tlsmgr and the
# smtps (465) service in master.cf
sed -i 's/^inet_interfaces = localhost/inet_interfaces = all/g' /etc/postfix/main.cf
sed -i 's/^#tlsmgr/tlsmgr/g' /etc/postfix/master.cf
sed -i 's/^#smtps/465/g' /etc/postfix/master.cf
rcpostfix restart
# Fix squirrelmail: empty folder prefix to match the dovecot namespaces
sed -i 's/^\$default_folder_prefix.*/$default_folder_prefix = '\'\'';/' /srv/www/htdocs/squirrelmail/config/config.php
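# ==============
# Optional: update ISPConfig from SVN trunk (set ISPCONFIG_SVN=yes above).
# NOTE(review): svn:// is an unauthenticated transport, so trunk is pulled
# with no integrity check; prefer an https checkout or a verified release.
if [ "$ISPCONFIG_SVN" = "yes" ]; then
  # Update ISPConfig from SVN
  cd /tmp
  svn export svn://svn.ispconfig.org/ispconfig3/trunk/ ispconfigsvn
  fix_ispconfig /tmp/ispconfigsvn
  # Run update (interactive: answer 'svn' when asked for the update type).
  # update.php lives in install/, like install.php above; the original ran
  # it from /tmp.
  cd /tmp/ispconfigsvn/install
  php -q update.php
  cd /tmp
  rm -rf /tmp/ispconfigsvn
fi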
# =========================================================================
# Fix configuration files, overwritten by ISPConfig update
# Re-run these lines after ISP-Config update
# Pure-ftpd
fix_pureftpd /etc/pure-ftpd/pure-ftpd.conf
rcpure-ftpd restart
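# Dovecot
fix_dovecot /etc/dovecot/dovecot.conf
# Generate the dovecot certificate with a copy of dovecot's own mkcert.sh,
# written next to its config template in the doc directory.
cd /usr/share/doc/packages/dovecot
# Quoted delimiter: the script is written verbatim, no expansion at write time.
cat >./mkcert.sh <<'EOFMARKER5'
#!/bin/sh
# Generates a self-signed certificate.
# Edit dovecot-openssl.cnf before running this.
OPENSSL=${OPENSSL-openssl}
SSLDIR=${SSLDIR-/etc/ssl}
OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}
CERTDIR=$SSLDIR/certs
KEYDIR=$SSLDIR/private
CERTFILE=$CERTDIR/dovecot.pem
KEYFILE=$KEYDIR/dovecot.pem
if [ ! -d "$CERTDIR" ]; then
  echo "$SSLDIR/certs directory doesn't exist"
  exit 1
fi
if [ ! -d "$KEYDIR" ]; then
  echo "$SSLDIR/private directory doesn't exist"
  exit 1
fi
if [ -f "$CERTFILE" ]; then
  echo "$CERTFILE already exists, won't overwrite"
  exit 1
fi
if [ -f "$KEYFILE" ]; then
  echo "$KEYFILE already exists, won't overwrite"
  exit 1
fi
$OPENSSL req -new -x509 -nodes -config "$OPENSSLCONFIG" -out "$CERTFILE" -keyout "$KEYFILE" -days 3650 || exit 2
chmod 0600 "$KEYFILE"
echo
$OPENSSL x509 -subject -fingerprint -noout -in "$CERTFILE" || exit 2
EOFMARKER5
# Unquoted delimiter on purpose: CN and the contact address take the values
# configured at the top of this script.
# NOTE(review): default_bits = 1024 is below current minimum recommendations
# for RSA; raise it (2048 or more) unless old clients require otherwise.
cat >./dovecot-openssl.cnf <<EOFMARKER6
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
#C=FI

# State or Province Name (full name)
#ST=

# Locality Name (eg. city)
#L=Helsinki

# Organization (eg. company)
#O=Dovecot

# Organizational Unit Name (eg. section)
OU=IMAP server

# Common Name (*.example.com is also possible)
CN=$MY_FULLHOSTNAME

# E-mail contact (constructed default - the address in the source copy was
# not recoverable; set a real mailbox)
emailAddress=postmaster@$MY_DOMAIN

[ cert_type ]
nsCertType = server
EOFMARKER6
# TODO: add this script to cron
# Restarts dovecot when nothing is listening on IMAP (143).
cat >/usr/bin/dovecot-check.sh <<'EOFMARKER7'
#!/bin/sh
if /usr/bin/lsof -Pni :143 | grep -q "143 (LISTEN)"; then
  :
else
  /etc/init.d/dovecot restart
fi
EOFMARKER7
# The original left the check script without an execute bit.
chmod 0755 /usr/bin/dovecot-check.sh
# mkcert.sh refuses to overwrite an existing /etc/ssl/{certs,private}/dovecot.pem,
# so on a re-run this step is a no-op.
sh ./mkcert.sh
cd /
rcdovecot restart
rcpostfix restart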
# CustomLog: apply the %a / %I %O log format to the live apache configs and
# teach awstats the matching layout; %I/%O need mod_logio.
fix_customlog /etc/apache2/sites-available/ispconfig.conf
fix_customlog /usr/local/ispconfig/server/conf/apache_ispconfig.conf.master
sed -i 's,^LogFormat=.*,LogFormat = "%host %other %logname %time1 %methodurl %code %other %refererquot %uaquot %other %bytesd",' /etc/awstats/awstats.conf
a2enmod logio
rcapache2 restart