Скрипт идеального сервера - OpenSUSE 11.4 [ISPConfig 3]

Звезда не активнаЗвезда не активнаЗвезда не активнаЗвезда не активнаЗвезда не активна
 

OpenSUSEПредставляю Вам небольшой скрипт, который автоматизирует задачу создания Идеальный сервер - OpenSUSE 11.4 [ISPConfig 3], и в окончании, он также устанавливает ISPConfig 3. На данный урок имеется виртуальный образ готового сервера, ознакомиться с которым подробней и скачать его можно на форуме Идеальный сервер - OpenSUSE 11.4 [ISPConfig 3] + скачать.

Пожалуйста, обратите внимание, что запуск данного скрипта на уже рабочем сервере может привести к перезаписи существующих файлов конфигурации и сломать работающую систему. Он предназначен только для использования на новой установленной OpenSUSE 11.4.

Если вы устанавливаете системы OpenSUSE 11.2 или OpenSUSE 11.3, пожалуйста, не забудьте использовать другую версию этого скрипта (которые так же доступены www.mini-server.ru).

Есть несколько вещей, отсутствующих в учебнике, который я написал. Я сделал сценарий, основанный на учебнике, который устанавливает систему, и которая состоит из нескольких шагов, не выполнив который Вы оставите систему доделаной.

  • fail2ban уже сконфигурирован
  • SuSEfirewall2 включен
  • Pure-FTPD с измененой конфигурацией (разрешено переименование, изменение пассивных портов и их включение)
  • Postfix сертификат
  • Apache SSL сертификатов, и переключение ISPConfig для HTTPS
  • Fix из NameVirtualHost Apache конфигурации с OpenSUSE (важно для Apache распознавать несколько доменов с ISPConfig)
  • Настройка rdiff-резервное копирование с cron
  • Исправлена конфигурация включения SSL и поддержки совместимого courier
  • Исправлена pam_mysql работа на 64-битной системе
  • Исправлена AMaViS поиск clamd socket
  • Установлен Eaccelerator
  • Исправлены ошибки Apache пользовательских путей
  • Установка и настройка Awstats
  • Настройка Apache и Awstats использовать mod_logio для правильного измерения пропускной способности

Выполним:

  • zypper update

и произведем перезапуск системы:

  • reboot

Перед запуском этого сценария. Также лучше изменении имени хоста (файл HOSTNAME) вручную с yast2 перед запуском этого скрипта, иначе OpenSUSE поставит собственное имя в конфигурации Postfix.

Этот сценарий требует наличия двух ручных действий:

Первый - когда запустится mysql_secure_install. Второй - для обновления ISPConfig3, если SVN обновления выбран один, возможно, придется сказать: y, чтобы включить SSL, а для всех других вариантов - можно выбрать значение по умолчанию, просто нажав клавишу Enter.

Вы должны изменить следующие переменные в сценарий, прежде чем запустить его:

  1. THIS_PLATFORM : или x86_64 или i586 .
  2. MYSQLROOTPASS : пожалуйста измените, и не забудьте ввести его во время установки mysql_secure_install .
  3. MY_HOSTNAME, MY_DOMAIN : измените это имя сервера. По умолчанию программа настроена на server1.mydomain.com. Если Ваш сайт размещен на полном домене, например domain.com, впишите еще что-то для MY_HOSTNAME. server1 например.
  4. ISPCONFIG_TAR_GZ : убедитесь, что ISPCONFIG_TAR_GZ загрузил последнюю доступную версию ISPConfig 3.

Сохранить скрипта на Ваш сервер (например, /root/opensuse_ispconfig3.sh):

  • nano /root/opensuse_ispconfig3.sh
#!/bin/sh

# OpenSUSE 11.4 Perfect Server ISPConfig script by George Yohng (georgesc#oss3d.com)
# Script Version 2.1

# Do zypper update and reboot before running this script

# Also better change host name manually with yast2 before running this script.

# This script requires two manual actions.

# First - when mysql_secure_install is running. One should type a new mysql password, the same as here
# Second - for ISPConfig3 update. One should type 'svn' when the update type is asked
# For both of scripts, all other options are default, one can just press ENTER.


# Also, please change MYSQLROOTPASS below, and be sure to enter it verbatim
# during the installation of mysql_secure_install.

# Important: When setting an MX entry, point it to mail.yourdomain.com rather than
# just to yourdomain.com, and create a CNAME entry for mail. Otherwise it doesn't
# seem to work somehow.

# Platform is x86_64 or i586

THIS_PLATFORM=x86_64

MYSQLROOTPASS=87h4eq2jr2

# Change this to your server name. By default it's configured to server1.mydomain.com

# If your web site hosts a complete domain, such as domain.com, still leave
# something for MY_HOSTNAME. 'server1' or 'host' is a good name.

MY_HOSTNAME=server1
MY_DOMAIN=mydomain.com

# Uncomment to use SVN-version of ISP config, and to run update once the installation is finished
#ISPCONFIG_SVN=yes

# Packages may have been updated, therefore also check the RPM and TARGZ locations below,
# and preferably use the latest versions of everything.

GETMAIL_RPM=http://download.opensuse.org/repositories/server:/mail/openSUSE_11.4/noarch/getmail-4.20.3-10.1.noarch.rpm
PAM_MYSQL_TARGZ=http://heanet.dl.sourceforge.net/sourceforge/pam-mysql/pam_mysql-0.7RC1.tar.gz
SUPHP_RPM=http://download.opensuse.org/repositories/server:/php/openSUSE_11.4/$THIS_PLATFORM/suphp-0.7.1-3.2.$THIS_PLATFORM.rpm

AWSTATS_RPM=http://download.opensuse.org/repositories/network:/utilities/openSUSE_11.4/noarch/awstats-7.0-14.1.noarch.rpm

SQUIRRELMAIL_RPM=http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.4/noarch/squirrelmail-1.4.21-1.2.noarch.rpm

JAILKIT_TARGZ=http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz

PHPMYADMIN_RPM=http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.4/noarch/phpMyAdmin-3.4.1-7.2.noarch.rpm
VLOGGER_TARGZ=http://n0rp.chemlab.org/vlogger/vlogger-1.3.tar.gz

RDIFF_BACKUP_TARGZ=http://savannah.nongnu.org/download/rdiff-backup/rdiff-backup-1.2.8.tar.gz

EACCELERATOR_TARGZ=http://bart.eaccelerator.net/source/0.9.6.1/eaccelerator-0.9.6.1.tar.bz2

ISPCONFIG_TAR_GZ=http://downloads.sourceforge.net/ispconfig/ISPConfig-3.0.3.3.tar.gz?use_mirror=

MY_FULLHOSTNAME=$MY_HOSTNAME.$MY_DOMAIN

# Disable apparmor

/etc/init.d/boot.apparmor stop
chkconfig -d boot.apparmor

# Install SuSEfirewall

zypper -n install -l SuSEfirewall2 iptables

# Allow ports through firewall

SuSEfirewall2 open EXT TCP 22
SuSEfirewall2 open EXT TCP 21 80 8080 25 143 465 585 993 30000:30500
SuSEfirewall2

# Switch off X login (check!)

chkconfig --del xdm
rcxdm stop

# Quota

zypper -n install -l quota

touch /aquota.user /aquota.group
chmod 600 /aquota.*
touch /srv/aquota.user /srv/aquota.group
chmod 600 /srv/aquota.*

# TODO: change fstab here
# Ignore errors from the below commands

mount -o remount /
mount -o remount /srv
mount -o remount /home

quotacheck -avugm
quotaon -avug

# Basic packages

zypper -n install -l mc

zypper -n install -l GeoIP libGeoIP-devel libGeoIP1

geoip-fetch

zypper -n install -l findutils libreadline6 compat-readline4 readline-devel libgcc45 glibc-devel findutils-locate gcc flex lynx compat-readline4 db-devel wget gcc-c++ subversion make vim telnet cron iptables iputils man man-pages nano pico

# Host name

echo $MY_FULLHOSTNAME > /etc/HOSTNAME
echo 127.0.0.2 $MY_FULLHOSTNAME $MY_HOSTNAME >> /etc/hosts

export HOST=$MY_FULLHOSTNAME
export HOSTNAME=$MY_FULLHOSTNAME

SuSEconfig

# Postfix, Dovecot, MySQL

zypper -n install -l postfix postfix-mysql mysql-community-server mysql-community-server-client mysql-community-server-tools
zypper -n install -l python cron
zypper -n install -l libmysqlclient-devel pwgen
zypper -n install -l dovecot12 dovecot12-backend-mysql
zypper -n install -l bind

chkconfig --add mysql
chkconfig --add postfix
chkconfig --add dovecot
chkconfig --add named

test -d /lib64 && ln -s /usr/lib64/dovecot/modules /usr/lib/dovecot

/etc/init.d/mysql start
/etc/init.d/postfix start
/etc/init.d/dovecot start
/etc/init.d/named start

# getmail

cd /tmp
rpm -i $GETMAIL_RPM

# pam

if [ "$THIS_PLATFORM" == "x86_64" ]; then
zypper -n install -l pam-devel pam-32bit pam-devel-32bit pam-modules-32bit
fi

if [ "$THIS_PLATFORM" == "i586" ]; then
zypper -n install -l pam-devel pam pam-modules
fi


# pam_mysql

cd /tmp
wget -c $PAM_MYSQL_TARGZ
tar xvfz pam_mysql-*.tar.gz
rm -rf pam_mysql-*.tar.gz
cd pam_mysql-*
./configure
make
make install
cd /tmp
rm -rf /tmp/pam_mysql-*

test -d /lib64 && cp /lib/security/pam_mysql* /lib64/security

# mysql_secure_installation

mysql_secure_installation

#(echo Y; echo $MYSQLROOTPASS; echo $MYSQLROOTPASS; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; )

# amavis, spam asassin, etc

zypper -n install -l spamassassin amavisd-new clamav clamav-db zoo unzip bzip2 unarj perl-DBD-mysql
zypper -n install -l unrar

sa-update

# TODO: change /etc/amavisd.conf

#$mydomain = "$MY_DOMAIN"; # a convenient default for other settings
#$myhostname = "$MY_HOSTNAME";

sed -i 's/\$mydomain = '\''example.com'\'';/\$mydomain='\'$MY_DOMAIN\'';\n\$myhostname='\'$MY_FULLHOSTNAME\'';/g' /etc/amavisd.conf

# Correct a path to clamd socket
sed -i 's,/var/run/clamav/clamd,/var/lib/clamav/clamd-socket,g' /etc/amavisd.conf

chkconfig --add amavis
chkconfig --add clamd
/etc/init.d/amavis start
/etc/init.d/clamd start

# Apache2

zypper -n install -l apache2 apache2-mod_fcgid

zypper -n install -l php5-bcmath php5-bz2 php5-calendar php5-ctype php5-curl php5-dom php5-ftp php5-gd php5-gettext php5-gmp php5-iconv php5-imap php5-ldap php5-mbstring php5-mcrypt php5-mysql php5-odbc php5-openssl php5-pcntl php5-pgsql php5-posix php5-shmop php5-snmp php5-soap php5-sockets php5-sqlite php5-sysvsem php5-tokenizer php5-wddx php5-xmlrpc php5-xsl php5-zlib php5-exif php5-fastcgi php5-pear php5-sysvmsg php5-sysvshm ImageMagick curl apache2-mod_php5

rpm -i $SUPHP_RPM

a2enmod suexec
a2enmod deflate
a2enmod rewrite
a2enmod ssl
a2enmod actions
a2enmod suphp
a2enmod fcgid
a2enmod logio
chown root:www /usr/sbin/suexec2
chmod 4755 /usr/sbin/suexec2

chkconfig --add apache2
/etc/init.d/apache2 start

# PhpMyAdmin

rpm -i $PHPMYADMIN_RPM

# FTP

zypper -n install -l pure-ftpd quota

chkconfig --add pure-ftpd
/etc/init.d/pure-ftpd start

# VLOGGER, WEBALIZER

cd /tmp
wget -c $VLOGGER_TARGZ
tar xvfz vlogger-*.tar.gz
rm -f vlogger-*.tar.gz
mv vlogger-*/vlogger /usr/sbin/
rm -rf vlogger*

zypper -n install -l webalizer perl-Date-Manip perl-TimeDate

# Fail2ban

zypper -n install -l fail2ban

chkconfig --add fail2ban
service fail2ban start

# Jailkit

cd /tmp
wget -c $JAILKIT_TARGZ
tar xvfz jailkit-*.tar.gz
rm -f jailkit-*.tar.gz
cd jailkit-*
./configure
make
make install
cd /tmp
rm -rf jailkit-*

# Synchronize system clock
# Remove this, if you are inside XENU

zypper -n install -l ntp

chkconfig --add ntp
/etc/init.d/ntp start


# ============================
# Helper functions

function fix_pureftpd() {

sed -i 's/NoRename.*yes/NoRename no/g' "$1"
sed -i 's/AutoRename.*yes/AutoRename no/g' "$1"
sed -i 's/ProhibitDotFilesWrite.*yes/ProhibitDotFilesWrite no/g' "$1"
sed -i 's/# PassivePortRange.*30000 50000/PassivePortRange 30000 30500/g' "$1"
sed -i 's/LimitRecursion.*2000 8/LimitRecursion 20000 10/g' "$1"
sed -i 's/^Umask\ *.*$/Umask 137:027/' "$1"
sed -i 's/^MaxClientsNumber\ *10$/MaxClientsNumber 256/' "$1"
sed -i 's/^MaxClientsPerIP\ *3$/MaxClientsPerIP 16/' "$1"

}

function fix_dovecot() {

sed -i 's/^#listen =.*/listen = \*/g' "$1"
sed -i 's/^ssl = no/ssl = yes/g' "$1"
sed -i 's,#ssl_cert_file = .*,ssl_cert_file = /etc/ssl/certs/dovecot.pem,g' "$1"
sed -i 's,#ssl_key_file = .*,ssl_key_file = /etc/ssl/private/dovecot.pem,g' "$1"
sed -i 's,#mail_max_userip_connections = .*,mail_max_userip_connections = 32,g' "$1"
sed -i 's/#namespace private/namespace private {\n separator = .\n prefix =\n inbox = yes\n}\n\nnamespace private {\n separator = .\n prefix = INBOX.\n inbox = no\n hidden = yes\n list = no # for v1.1+\n}\n\n# {changed} namespace private/g' "$1"

}

function fix_customlog() {

sed -i 's/ent}i\\\"\" combined_ispconfig/ent}i\\\" %I %O" combined_ispconfig/g' "$1"
sed -i 's/LogFormat \"%v %h/LogFormat \"%v %a/g' "$1"

}

function fix_ispconfig() {

fix_dovecot "$1/install/tpl/opensuse_dovecot.conf.master"
fix_pureftpd "$1/install/tpl/opensuse_pureftpd_conf.master"

fix_customlog "$1/server/conf/apache_ispconfig.conf.master"
fix_customlog "$1/install/tpl/apache_ispconfig.conf.master"
fix_customlog "$1/install/dist/tpl/gentoo/apache_ispconfig.conf.master"


sed -i 's,^awstats_data_dir=.*$,awstats_data_dir=/var/cache/awstats,' "$1/install/tpl/server.ini.master"
sed -i 's,^awstats_pl=.*$,awstats_pl=/srv/www/cgi-bin/awstats.pl,' "$1/install/tpl/server.ini.master"
sed -i 's,^awstats_buildstaticpages_pl=.*$,awstats_buildstaticpages_pl=/usr/share/doc/packages/awstats/examples/awstats_buildstaticpages.pl,' "$1/install/tpl/server.ini.master"

}


# ============================

# ISPCONFIG

cd /tmp
wget -c $ISPCONFIG_TAR_GZ
tar xvfz ISPConfig-*.tar.gz

fix_ispconfig /tmp/ispconfig3_install

cd ispconfig3_install/install/

(echo; echo; echo $MY_FULLHOSTNAME; echo; echo; echo $MYSQLROOTPASS; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; ) | php -q install.php

cd /tmp
rm -rf /tmp/ispconfig3_install
rm -f /tmp/ISPConfig-*.tar.gz

# Squirrelmail

rpm -i $SQUIRRELMAIL_RPM
ln -s /srv/www/htdocs/squirrelmail /usr/local/ispconfig/interface/web/webmail

# Symlink

ln -s /srv/www/htdocs/phpMyAdmin /usr/local/ispconfig/interface/web/phpmyadmin

sed -i 's/\"en_US\.UTF-8/\"en_US\.ISO-8859-1/g' /etc/sysconfig/language

sed -i 's/x\-httpd\-php\=\"php\:\/usr\/bin\/php\-cgi5\"/x-httpd-php="php:\/usr\/bin\/php-cgi5"\nx-httpd-suphp="php:\/usr\/bin\/php-cgi5"/g' /etc/suphp.conf

SuSEconfig

# Generate certificates

openssl genrsa -passout pass:0passphrase$MYSQLROOTPASS -des3 -out /etc/apache2/ssl.key/server.key 4096
(echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;) | openssl req -passin pass:0passphrase$MYSQLROOTPASS -new -key /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.csr/server.csr
openssl x509 -passin pass:0passphrase$MYSQLROOTPASS -req -days 3650 -in /etc/apache2/ssl.csr/server.csr -signkey /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.crt/server.crt
openssl rsa -passin pass:0passphrase$MYSQLROOTPASS -in /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.key/server.key.insecure
mv /etc/apache2/ssl.key/server.key /etc/apache2/ssl.key/server.key.secure
mv /etc/apache2/ssl.key/server.key.insecure /etc/apache2/ssl.key/server.key
a2enmod ssl

sed -i 's/.VirtualHost _default_\:8080./\<VirtualHost _default_\:8080\>\nSSLEngine On\nSSLCertificateFile \/etc\/apache2\/ssl.crt\/server.crt\nSSLCertificateKeyFile \/etc\/apache2\/ssl.key\/server.key/g' /etc/apache2/sites-available/ispconfig.vhost

sed -i 's/DirectoryIndex index.html index.html.var/DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php5 index.php4 index.php3 index.pl index.html.var index.aspx default.aspx/g' /etc/apache2/httpd.conf

# enable named hosts
sed -i 's/^#NameVirtualHost \*\:80$/NameVirtualHost *:80/g' /etc/apache2/listen.conf

sed -i 's,^Alias /error/,#Alias /error/,' /etc/apache2/errors.conf

sed -i 's/max_execution_time = 30/max_execution_time = 120/' /etc/php5/apache2/php.ini
sed -i 's/max_execution_time = 30/max_execution_time = 120/' /etc/php5/cli/php.ini
sed -i 's/max_execution_time = 30/max_execution_time = 120/' /etc/php5/fastcgi/php.ini

sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' /etc/php5/apache2/php.ini
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' /etc/php5/cli/php.ini
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' /etc/php5/fastcgi/php.ini

sed -i 's/post_max_size = 8M/post_max_size = 32M/' /etc/php5/apache2/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 32M/' /etc/php5/cli/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 32M/' /etc/php5/fastcgi/php.ini

sed -i 's/^error_reporting = .*/error_reporting = E_ALL \& ~E_DEPRECATED \& ~E_NOTICE/' /etc/php5/apache2/php.ini
sed -i 's/^error_reporting = .*/error_reporting = E_ALL \& ~E_DEPRECATED \& ~E_NOTICE/' /etc/php5/cli/php.ini
sed -i 's/^error_reporting = .*/error_reporting = E_ALL \& ~E_DEPRECATED \& ~E_NOTICE/' /etc/php5/fastcgi/php.ini

rcapache2 restart

# postfix certificate

(echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;) | openssl req -new -key /etc/postfix/smtpd.key -out /etc/postfix/smtpd.csr
openssl x509 -req -days 3650 -in /etc/postfix/smtpd.csr -signkey /etc/postfix/smtpd.key -out /etc/postfix/smtpd.cert

chmod o-rwx /etc/postfix/smtpd.csr
chmod o-rwx /etc/postfix/smtpd.cert

# rdiff-backup

zypper -n install -l python-devel librsync

cd tmp
wget -c $RDIFF_BACKUP_TARGZ
tar xfz rdiff-backup-*.tar.gz
rm -f rdiff-backup-*.tar.gz
cd rdiff-backup-*
./setup.py install
cd /tmp
rm -rf rdiff-backup-*

zypper -n install -l iptraf iftop

# create backup script

mkdir /backup
chown root:root /backup

mkdir /srvbackup_do
chown root:root /srvbackup_do
chmod og-rwx /srvbackup_do

cat > /srvbackup_do/dobackup.sh <<EOFMARKER2
#!/bin/bash

cd /srvbackup_do
sync
mysqladmin -p$MYSQLROOTPASS refresh
mysqlcheck -p$MYSQLROOTPASS -A --auto-repair

# backup into a single file
# mysqldump -p$MYSQLROOTPASS --all-databases >mysqldump.sql
# chmod og-rw mysqldump.sql

# backup into multiple files
rm -rf mysql
mkdir mysql
chown root:root mysql
chmod og-rwx mysql

for i in /var/lib/mysql/*/; do
dbname=\`basename \$i\`

echo >mysql/\$dbname.sql
chown root:root mysql/\$dbname.sql
chmod og-rwx mysql/\$dbname.sql

mysqldump -p$MYSQLROOTPASS \$dbname >mysql/\$dbname.sql
chown root:root mysql/\$dbname.sql
chmod og-rwx mysql/\$dbname.sql
done

/usr/local/bin/rdiff-backup --preserve-numerical-ids --exclude /tmp --exclude /backup --exclude /mnt --exclude /proc --exclude /dev --exclude /sys --exclude /var/lib/ntp/proc --exclude /media --exclude /var/tmp / /backup/$MY_FULLHOSTNAME
EOFMARKER2

chown root:root /srvbackup_do/dobackup.sh
chmod og-rwx /srvbackup_do/dobackup.sh
chmod u+x /srvbackup_do/dobackup.sh

echo '51 3 * * * /srvbackup_do/dobackup.sh >> /var/log/backuplog 2>&1' >>/var/spool/cron/tabs/root

# Fail2ban config

cat > /etc/fail2ban/filter.d/dovecot-pop3imap.conf <<EOFMARKER4
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
EOFMARKER4


cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.def
cat > /etc/fail2ban/jail.conf <<EOFMARKER3
# Fail2Ban configuration file

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto


# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/messages
maxretry = 5

[ssh-ddos-iptables]

enabled = true
filter = sshd-ddos
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/messages
maxretry = 5


[proftpd-iptables]

enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
logpath = /var/log/messages
maxretry = 6

[pure-ftpd-iptables]

enabled = true
filter = pure-ftpd
action = iptables[name=PureFTPD, port=ftp, protocol=tcp]
logpath = /var/log/messages
maxretry = 6

[courier-imap-iptables]

enabled = true
filter = courierlogin
action = iptables[name=CourierIMAP, port=ftp, protocol=tcp]
logpath = /var/log/messages
maxretry = 6

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap,pop3s,imaps", protocol=tcp]
logpath = /var/log/mail
maxretry = 6


# This jail forces the backend to "polling".

[sasl-iptables]

enabled = true
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
logpath = /var/log/mail

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled = true
filter = sshd
action = hostsdeny
ignoreregex = for myuser from
logpath = /var/log/messages

[ssh-ddos-tcpwrapper]

enabled = true
filter = sshd-ddos
action = hostsdeny
ignoreregex = for myuser from
logpath = /var/log/messages


# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]

enabled = true
filter = apache-auth
action = hostsdeny
logpath = /var/log/apache2/error_log
maxretry = 6

# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.

[postfix-tcpwrapper]

enabled = true
filter = postfix
action = hostsdeny
logpath = /var/log/mail
bantime = 300

# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.

[apache-badbots]

enabled = true
filter = apache-badbots
action = iptables[name=BadBots1, port=http, protocol=tcp]
iptables[name=BadBots2, port=https, protocol=tcp]
logpath = /var/log/apache2/access_log
bantime = 172800
maxretry = 1

[php-url-fopen]

enabled = false
port = http,https
filter = php-url-fopen
logpath = /var/log/apache2/access_log
maxretry = 1

EOFMARKER3

# Ensure fail2ban recreates a socket file
# Because otherwise after a server crash, fail2ban won't restart

sed -i 's/-q start/-x -q start/' /etc/init.d/fail2ban

# Fix pure-ftpd regexp

sed -i 's/[)][?]: [(][.][+][?]@<HOST>[)] \\\[/)\?: \\(.+?@<HOST>\\) \\[/' /etc/fail2ban/filter.d/pure-ftpd.conf

service fail2ban restart

# Fix getmail user to allow running from cron

sed -i 's/getmail:[!]:/getmail:*:/' /etc/shadow

# Install AWSTATS

rpm -ivh $AWSTATS_RPM

chmod og+w /var/cache/awstats

cp /etc/awstats/awstats.web.conf /etc/awstats/awstats.conf
sed -i 's,^<IfDefine,#<IfDefine,' /etc/apache2/conf.d/awstats.conf
sed -i 's,^</IfDefine,#</IfDefine,' /etc/apache2/conf.d/awstats.conf

rcapache2 restart

mysqladmin -p$MYSQLROOTPASS refresh

# Old code for fixing awstats path directly in the database
# Now it's fixed in server.ini.master before the installation of ISPConfig
#
#mysqldump -u root -p$MYSQLROOTPASS dbispconfig server >/tmp/server.sql
#sed -i 's,\\nawstats_data_dir=[^\\]*\\n,\\nawstats_data_dir=/var/cache/awstats\\n,' /tmp/server.sql
#sed -i 's,\\nawstats_pl=[^\\]*\\n,\\nawstats_pl=/srv/www/cgi-bin/awstats.pl\\n,' /tmp/server.sql
#sed -i 's,\\nawstats_buildstaticpages_pl=[^\\]*\\n,\\nawstats_buildstaticpages_pl=/usr/share/doc/packages/awstats/examples/awstats_buildstaticpages.pl\\n,' /tmp/server.sql
#mysql -u root -p$MYSQLROOTPASS dbispconfig </tmp/server.sql
#rm -rf /tmp/server.sql

#sed -i 's,^#LoadPlugin=\"geoipfree\",LoadPlugin=\"geoipfree\",' /etc/awstats/awstats.conf
sed -i 's,^Max\([^=]*\)= 10$,Max\1= 25,' /etc/awstats/awstats.conf
sed -i 's,^StyleSheet=\"[^\"]*\",StyleSheet=\"\",' /etc/awstats/awstats.conf


# Install eAccelerator

zypper -n install -l php5-devel

cd /tmp
wget $EACCELERATOR_TARGZ
tar xvfj eaccelerator-*.bz2
rm -rf eaccelerator-*.bz2
cd eaccelerator-*
phpize
# the flag is specified to prevent openbasedir limitations with ispconfig
./configure --without-eaccelerator-use-inode
make
make install

cd ..
rm -rf eaccelerator-*

cat > /etc/php5/conf.d/eaccelerator.ini <<EOFMARKER4
extension="eaccelerator.so"
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/var/cache/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
EOFMARKER4

mkdir -p /var/cache/eaccelerator
chmod 0777 /var/cache/eaccelerator

rcapache2 restart

# adjust postfix interfaces

sed -i 's/^inet_interfaces = localhost/inet_interfaces = all/g' /etc/postfix/main.cf
sed -i 's/^#tlsmgr/tlsmgr/g' /etc/postfix/master.cf

rcpostfix restart

# Fix squirrelmail

sed -i 's/^\$default_folder_prefix.*/$default_folder_prefix = '\'\'';/' /srv/www/htdocs/squirrelmail/config/config.php


# ==============

if [ "$ISPCONFIG_SVN" == "yes" ]; then
# Update ISPConfig from SVN

cd /tmp
svn export svn://svn.ispconfig.org/ispconfig3/trunk/ ispconfigsvn

fix_ispconfig /tmp/ispconfigsvn

# Run update
php -q update.php
cd /tmp
rm -rf /tmp/ispconfigsvn

fi


# =========================================================================
# Fix configuration files, overwritten by ISPConfig update
# Re-run these lines after ISP-Config update

# Pure-ftpd

fix_pureftpd /etc/pure-ftpd/pure-ftpd.conf

rcpure-ftpd restart

# Dovecot

fix_dovecot /etc/dovecot/dovecot.conf

cd /usr/share/doc/packages/dovecot

cat >./mkcert.sh <<EOFMARKER5
#!/bin/sh

# Generates a self-signed certificate.
# Edit dovecot-openssl.cnf before running this.

OPENSSL=\${OPENSSL-openssl}
SSLDIR=\${SSLDIR-/etc/ssl}
OPENSSLCONFIG=\${OPENSSLCONFIG-dovecot-openssl.cnf}

CERTDIR=\$SSLDIR/certs
KEYDIR=\$SSLDIR/private

CERTFILE=\$CERTDIR/dovecot.pem
KEYFILE=\$KEYDIR/dovecot.pem

if [ ! -d \$CERTDIR ]; then
echo "\$SSLDIR/certs directory doesn't exist"
exit 1
fi

if [ ! -d \$KEYDIR ]; then
echo "\$SSLDIR/private directory doesn't exist"
exit 1
fi

if [ -f \$CERTFILE ]; then
echo "\$CERTFILE already exists, won't overwrite"
exit 1
fi

if [ -f \$KEYFILE ]; then
echo "\$KEYFILE already exists, won't overwrite"
exit 1
fi

\$OPENSSL req -new -x509 -nodes -config \$OPENSSLCONFIG -out \$CERTFILE -keyout \$KEYFILE -days 365 || exit 2
chmod 0600 \$KEYFILE
echo
\$OPENSSL x509 -subject -fingerprint -noout -in \$CERTFILE || exit 2

EOFMARKER5

cat >./dovecot-openssl.cnf <<EOFMARKER6
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
#C=FI

# State or Province Name (full name)
#ST=

# Locality Name (eg. city)
#L=Helsinki

# Organization (eg. company)
#O=Dovecot

# Organizational Unit Name (eg. section)
OU=IMAP server

# Common Name (*.example.com is also possible)
CN=imap.example.com

# E-mail contact
emailAddress=Этот адрес электронной почты защищён от спам-ботов. У вас должен быть включен JavaScript для просмотра.

[ cert_type ]
nsCertType = server

EOFMARKER6


sh ./mkcert.sh
cd /

rcdovecot restart
rcpostfix restart

# CustomLog

fix_customlog /etc/apache2/sites-available/ispconfig.conf
fix_customlog /usr/local/ispconfig/server/conf/apache_ispconfig.conf.master
sed -i 's,^LogFormat=.*,LogFormat = "%host %other %logname %time1 %methodurl %code %other %refererquot %uaquot %other %bytesd",' /etc/awstats/awstats.conf
a2enmod logio

rcapache2 restart

Теперь Вы можете запустить его следующим образом:

  • sh /root/opensuse_ispconfig3.sh

На данный урок имеется виртуальный образ готового сервера, ознакомиться с которым подробней и скачать его можно на форуме Идеальный сервер - OpenSUSE 11.4 [ISPConfig 3] + скачать.


Обмениваться, хранить, передавать Ваши файлы стало просто как никогда.
yandex-disk

Читать подробнее: для чего Yandex-Диск проекту Mini-Server. Практика установки, настройки и использования сетевого хранилища на Ubuntu server LTS 12.04 в статье Резервное копирование сервера Ubuntu на Яндекс Диск.

>> Ubuntu 12.04 + Nginx Скачать сервер
>> Fedora 15 Скачать сервер
>> Простой Debian 6.0.6 Скачать сервер
>> CentOS 6.0 и
+ (5.6) другой
Скачать сервер
>> OpenSUSE 11.4
MAX
Скачать сервер

Вход на сайт

ВНИМАНИЕ!

Регистрация на сайте только по согласованию с администратором ресурса. Обращаться через форму обратной связи.