Here is a small script that automates building The Perfect Server - OpenSUSE 11.4 [ISPConfig 3], and at the end it also installs ISPConfig 3. A virtual machine image of the finished server is available for this tutorial; you can read more about it and download it in the forum thread "The Perfect Server - OpenSUSE 11.4 [ISPConfig 3] + download".
Please note that running this script on a server that is already in use may overwrite existing configuration files and break a working system. It is intended only for a freshly installed OpenSUSE 11.4.
If you are setting up OpenSUSE 11.2 or OpenSUSE 11.3, please be sure to use the other version of this script (also available at www.mini-server.ru).
A few things are missing from the tutorial I wrote. I made a script based on the tutorial that sets up the system; it also covers the following steps, without which the system would be left unfinished:
- fail2ban is preconfigured
- SuSEfirewall2 is enabled
- Pure-FTPd with a modified configuration (renaming allowed, passive port range changed and enabled)
- Postfix certificate
- Apache SSL certificate, and ISPConfig switched to HTTPS
- Fix for the NameVirtualHost Apache configuration on OpenSUSE (important for Apache to recognise multiple domains with ISPConfig)
- rdiff-backup set up with cron
- Fixed the configuration for enabling SSL and Courier-compatible support
- Fixed pam_mysql on 64-bit systems
- Fixed AMaViS lookup of the clamd socket
- eAccelerator installed
- Fixed Apache user-path errors
- Awstats installed and configured
- Apache and Awstats configured to use mod_logio for correct bandwidth measurement
Update the system and reboot it before running this script. It is also better to change the hostname (the HOSTNAME file) manually with yast2 before running the script; otherwise OpenSUSE will put its own name into the Postfix configuration.
This script requires two manual actions:
The first is when mysql_secure_installation runs. The second is for the ISPConfig 3 update: if the SVN update is selected, you may have to answer y to enable SSL; for all other prompts you can accept the default by simply pressing Enter.
You must change the following variables in the script before running it:
- THIS_PLATFORM: either x86_64 or i586.
- MYSQLROOTPASS: please change it, and do not forget to enter it during the mysql_secure_installation run.
- MY_HOSTNAME, MY_DOMAIN: change these to your server name. By default the script is configured for server1.mydomain.com. If your site is hosted on a bare domain such as domain.com, still put something into MY_HOSTNAME, for example server1.
- ISPCONFIG_TAR_GZ: make sure ISPCONFIG_TAR_GZ points to the latest available version of ISPConfig 3.
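Because the script pastes these values unquoted into command lines, openssl arguments and heredocs, it is worth validating them before launching it. The following pre-flight check is an added example and not part of the original script or of ISPConfig; it assumes the script's variable names (THIS_PLATFORM, MYSQLROOTPASS, MY_HOSTNAME, MY_DOMAIN, ISPCONFIG_TAR_GZ), and the 12-character minimum and the character restriction on the password are the check's own assumptions. It refuses the password that ships in the published script, the placeholder domain mydomain.com, a hostname that is not a single DNS label, and a tarball URL that does not point at an ISPConfig 3 archive.

```shell
#!/bin/sh
# Pre-flight check for the variables that must be edited at the top of
# opensuse_ispconfig3.sh. Added example, not part of the original script;
# the variable names match the script, while the 12-character minimum and
# the character restriction on the password are this check's own assumptions.

# The value that ships in the published script; it must never be used as-is.
PUBLISHED_PASS=87h4eq2jr2

# preflight_check PLATFORM PASSWORD HOSTNAME DOMAIN TARBALL_URL
# Returns 0 when every value is usable, 1 otherwise; each problem goes to stderr.
preflight_check() {
    platform=$1 pass=$2 host=$3 domain=$4 tarball=$5
    ok=0
    case "$platform" in
        x86_64|i586) ;;
        *) echo "THIS_PLATFORM must be x86_64 or i586, got '$platform'" >&2; ok=1 ;;
    esac
    if [ "$pass" = "$PUBLISHED_PASS" ]; then
        echo "MYSQLROOTPASS is still the value from the published script" >&2; ok=1
    elif [ "${#pass}" -lt 12 ]; then
        echo "MYSQLROOTPASS is shorter than 12 characters" >&2; ok=1
    fi
    # The script pastes the password unquoted into command lines, an openssl
    # pass: argument and heredocs, so shell metacharacters would corrupt them.
    case "$pass" in
        *[!A-Za-z0-9_]*) echo "MYSQLROOTPASS may contain only letters, digits and _" >&2; ok=1 ;;
    esac
    # MY_HOSTNAME is joined with MY_DOMAIN, so it must be a single DNS label.
    printf '%s\n' "$host" | grep -Eq '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$' \
        || { echo "MY_HOSTNAME must be a single lowercase DNS label, got '$host'" >&2; ok=1; }
    if [ "$domain" = "mydomain.com" ]; then
        echo "MY_DOMAIN is still the placeholder mydomain.com" >&2; ok=1
    elif ! printf '%s\n' "$domain" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$'; then
        echo "MY_DOMAIN must be a fully qualified domain name, got '$domain'" >&2; ok=1
    fi
    # The script only knows how to unpack an ISPConfig 3 tarball.
    case "$tarball" in
        http://*/ISPConfig-3*.tar.gz*|https://*/ISPConfig-3*.tar.gz*) ;;
        *) echo "ISPCONFIG_TAR_GZ does not look like an ISPConfig 3 tarball URL, got '$tarball'" >&2; ok=1 ;;
    esac
    return "$ok"
}

# Stand-alone use: checking the script's own defaults must fail.
preflight_check x86_64 "$PUBLISHED_PASS" server1 mydomain.com \
    'http://downloads.sourceforge.net/ispconfig/ISPConfig-3.0.3.3.tar.gz?use_mirror=' \
    && echo "variables OK" || echo "fix the variables listed above before running the script"
```

Run it with the five values you intend to put into the script; a non-zero exit status and the messages on stderr tell you what to fix. Checking that the tarball URL is actually reachable is deliberately left out so that the check runs offline.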
Save the script on your server (for example as /root/opensuse_ispconfig3.sh):
#!/bin/sh
# OpenSUSE 11.4 Perfect Server ISPConfig script by George Yohng (georgesc#oss3d.com)
# Script Version 2.1
# Do zypper update and reboot before running this script
# Also better change host name manually with yast2 before running this script.
# This script requires two manual actions.
# First - when mysql_secure_install is running. One should type a new mysql password, the same as here
# Second - for ISPConfig3 update. One should type 'svn' when the update type is asked
# For both of scripts, all other options are default, one can just press ENTER.
# Also, please change MYSQLROOTPASS below, and be sure to enter it verbatim
# during the installation of mysql_secure_install.
# Important: When setting an MX entry, point it to mail.yourdomain.com rather than
# just to yourdomain.com, and create a CNAME entry for mail. Otherwise it doesn't
# seem to work somehow.
# Platform is x86_64 or i586
THIS_PLATFORM=x86_64
MYSQLROOTPASS=87h4eq2jr2
# Change this to your server name. By default it's configured to server1.mydomain.com
# If your web site hosts a complete domain, such as domain.com, still leave
# something for MY_HOSTNAME. 'server1' or 'host' is a good name.
MY_HOSTNAME=server1
MY_DOMAIN=mydomain.com
# Uncomment to use SVN-version of ISP config, and to run update once the installation is finished
#ISPCONFIG_SVN=yes
# Packages may have been updated, therefore also check the RPM and TARGZ locations below,
# and preferably use the latest versions of everything.
GETMAIL_RPM=http://download.opensuse.org/repositories/server:/mail/openSUSE_11.4/noarch/getmail-4.20.3-10.1.noarch.rpm
PAM_MYSQL_TARGZ=http://heanet.dl.sourceforge.net/sourceforge/pam-mysql/pam_mysql-0.7RC1.tar.gz
SUPHP_RPM=http://download.opensuse.org/repositories/server:/php/openSUSE_11.4/$THIS_PLATFORM/suphp-0.7.1-3.2.$THIS_PLATFORM.rpm
AWSTATS_RPM=http://download.opensuse.org/repositories/network:/utilities/openSUSE_11.4/noarch/awstats-7.0-14.1.noarch.rpm
SQUIRRELMAIL_RPM=http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.4/noarch/squirrelmail-1.4.21-1.2.noarch.rpm
JAILKIT_TARGZ=http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz
PHPMYADMIN_RPM=http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.4/noarch/phpMyAdmin-3.4.1-7.2.noarch.rpm
VLOGGER_TARGZ=http://n0rp.chemlab.org/vlogger/vlogger-1.3.tar.gz
RDIFF_BACKUP_TARGZ=http://savannah.nongnu.org/download/rdiff-backup/rdiff-backup-1.2.8.tar.gz
EACCELERATOR_TARGZ=http://bart.eaccelerator.net/source/0.9.6.1/eaccelerator-0.9.6.1.tar.bz2
ISPCONFIG_TAR_GZ=http://downloads.sourceforge.net/ispconfig/ISPConfig-3.0.3.3.tar.gz?use_mirror=
MY_FULLHOSTNAME=$MY_HOSTNAME.$MY_DOMAIN
# Disable apparmor
/etc/init.d/boot.apparmor stop
chkconfig -d boot.apparmor
# Install SuSEfirewall
zypper -n install -l SuSEfirewall2 iptables
# Allow ports through firewall
SuSEfirewall2 open EXT TCP 22
SuSEfirewall2 open EXT TCP 21 80 8080 25 143 465 585 993 30000:30500
SuSEfirewall2
# Switch off X login (check!)
chkconfig --del xdm
rcxdm stop
# Quota
zypper -n install -l quota
touch /aquota.user /aquota.group
chmod 600 /aquota.*
touch /srv/aquota.user /srv/aquota.group
chmod 600 /srv/aquota.*
# TODO: change fstab here
# Ignore errors from the below commands
mount -o remount /
mount -o remount /srv
mount -o remount /home
quotacheck -avugm
quotaon -avug
# Basic packages
zypper -n install -l mc
zypper -n install -l GeoIP libGeoIP-devel libGeoIP1
geoip-fetch
zypper -n install -l findutils libreadline6 compat-readline4 readline-devel libgcc45 glibc-devel findutils-locate gcc flex lynx compat-readline4 db-devel wget gcc-c++ subversion make vim telnet cron iptables iputils man man-pages nano pico
# Host name
echo $MY_FULLHOSTNAME > /etc/HOSTNAME
echo 127.0.0.2 $MY_FULLHOSTNAME $MY_HOSTNAME >> /etc/hosts
export HOST=$MY_FULLHOSTNAME
export HOSTNAME=$MY_FULLHOSTNAME
SuSEconfig
# Postfix, Dovecot, MySQL
zypper -n install -l postfix postfix-mysql mysql-community-server mysql-community-server-client mysql-community-server-tools
zypper -n install -l python cron
zypper -n install -l libmysqlclient-devel pwgen
zypper -n install -l dovecot12 dovecot12-backend-mysql
zypper -n install -l bind
chkconfig --add mysql
chkconfig --add postfix
chkconfig --add dovecot
chkconfig --add named
test -d /lib64 && ln -s /usr/lib64/dovecot/modules /usr/lib/dovecot
/etc/init.d/mysql start
/etc/init.d/postfix start
/etc/init.d/dovecot start
/etc/init.d/named start
# getmail
cd /tmp
rpm -i $GETMAIL_RPM
# pam
if [ "$THIS_PLATFORM" == "x86_64" ]; then
zypper -n install -l pam-devel pam-32bit pam-devel-32bit pam-modules-32bit
fi
if [ "$THIS_PLATFORM" == "i586" ]; then
zypper -n install -l pam-devel pam pam-modules
fi
# pam_mysql
cd /tmp
wget -c $PAM_MYSQL_TARGZ
tar xvfz pam_mysql-*.tar.gz
rm -rf pam_mysql-*.tar.gz
cd pam_mysql-*
./configure
make
make install
cd /tmp
rm -rf /tmp/pam_mysql-*
test -d /lib64 && cp /lib/security/pam_mysql* /lib64/security
# mysql_secure_installation
mysql_secure_installation
#(echo Y; echo $MYSQLROOTPASS; echo $MYSQLROOTPASS; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; )
# amavis, spam asassin, etc
zypper -n install -l spamassassin amavisd-new clamav clamav-db zoo unzip bzip2 unarj perl-DBD-mysql
zypper -n install -l unrar
sa-update
# TODO: change /etc/amavisd.conf
#$mydomain = "$MY_DOMAIN"; # a convenient default for other settings
#$myhostname = "$MY_HOSTNAME";
sed -i 's/\$mydomain = '\''example.com'\'';/\$mydomain='\'$MY_DOMAIN\'';\n\$myhostname='\'$MY_FULLHOSTNAME\'';/g' /etc/amavisd.conf
# Correct a path to clamd socket
sed -i 's,/var/run/clamav/clamd,/var/lib/clamav/clamd-socket,g' /etc/amavisd.conf
chkconfig --add amavis
chkconfig --add clamd
/etc/init.d/amavis start
/etc/init.d/clamd start
# Apache2
zypper -n install -l apache2 apache2-mod_fcgid
zypper -n install -l php5-bcmath php5-bz2 php5-calendar php5-ctype php5-curl php5-dom php5-ftp php5-gd php5-gettext php5-gmp php5-iconv php5-imap php5-ldap php5-mbstring php5-mcrypt php5-mysql php5-odbc php5-openssl php5-pcntl php5-pgsql php5-posix php5-shmop php5-snmp php5-soap php5-sockets php5-sqlite php5-sysvsem php5-tokenizer php5-wddx php5-xmlrpc php5-xsl php5-zlib php5-exif php5-fastcgi php5-pear php5-sysvmsg php5-sysvshm ImageMagick curl apache2-mod_php5
rpm -i $SUPHP_RPM
a2enmod suexec
a2enmod deflate
a2enmod rewrite
a2enmod ssl
a2enmod actions
a2enmod suphp
a2enmod fcgid
a2enmod logio
chown root:www /usr/sbin/suexec2
chmod 4755 /usr/sbin/suexec2
chkconfig --add apache2
/etc/init.d/apache2 start
# PhpMyAdmin
rpm -i $PHPMYADMIN_RPM
# FTP
zypper -n install -l pure-ftpd quota
chkconfig --add pure-ftpd
/etc/init.d/pure-ftpd start
# VLOGGER, WEBALIZER
cd /tmp
wget -c $VLOGGER_TARGZ
tar xvfz vlogger-*.tar.gz
rm -f vlogger-*.tar.gz
mv vlogger-*/vlogger /usr/sbin/
rm -rf vlogger*
zypper -n install -l webalizer perl-Date-Manip perl-TimeDate
# Fail2ban
zypper -n install -l fail2ban
chkconfig --add fail2ban
service fail2ban start
# Jailkit
cd /tmp
wget -c $JAILKIT_TARGZ
tar xvfz jailkit-*.tar.gz
rm -f jailkit-*.tar.gz
cd jailkit-*
./configure
make
make install
cd /tmp
rm -rf jailkit-*
# Synchronize system clock
# Remove this, if you are inside XENU
zypper -n install -l ntp
chkconfig --add ntp
/etc/init.d/ntp start
# ============================
# Helper functions
function fix_pureftpd() {
sed -i 's/NoRename.*yes/NoRename no/g' "$1"
sed -i 's/AutoRename.*yes/AutoRename no/g' "$1"
sed -i 's/ProhibitDotFilesWrite.*yes/ProhibitDotFilesWrite no/g' "$1"
sed -i 's/# PassivePortRange.*30000 50000/PassivePortRange 30000 30500/g' "$1"
sed -i 's/LimitRecursion.*2000 8/LimitRecursion 20000 10/g' "$1"
sed -i 's/^Umask\ *.*$/Umask 137:027/' "$1"
sed -i 's/^MaxClientsNumber\ *10$/MaxClientsNumber 256/' "$1"
sed -i 's/^MaxClientsPerIP\ *3$/MaxClientsPerIP 16/' "$1"
}
function fix_dovecot() {
sed -i 's/^#listen =.*/listen = \*/g' "$1"
sed -i 's/^ssl = no/ssl = yes/g' "$1"
sed -i 's,#ssl_cert_file = .*,ssl_cert_file = /etc/ssl/certs/dovecot.pem,g' "$1"
sed -i 's,#ssl_key_file = .*,ssl_key_file = /etc/ssl/private/dovecot.pem,g' "$1"
sed -i 's,#mail_max_userip_connections = .*,mail_max_userip_connections = 32,g' "$1"
sed -i 's/#namespace private/namespace private {\n separator = .\n prefix =\n inbox = yes\n}\n\nnamespace private {\n separator = .\n prefix = INBOX.\n inbox = no\n hidden = yes\n list = no # for v1.1+\n}\n\n# {changed} namespace private/g' "$1"
}
function fix_customlog() {
sed -i 's/ent}i\\\"\" combined_ispconfig/ent}i\\\" %I %O" combined_ispconfig/g' "$1"
sed -i 's/LogFormat \"%v %h/LogFormat \"%v %a/g' "$1"
}
function fix_ispconfig() {
fix_dovecot "$1/install/tpl/opensuse_dovecot.conf.master"
fix_pureftpd "$1/install/tpl/opensuse_pureftpd_conf.master"
fix_customlog "$1/server/conf/apache_ispconfig.conf.master"
fix_customlog "$1/install/tpl/apache_ispconfig.conf.master"
fix_customlog "$1/install/dist/tpl/gentoo/apache_ispconfig.conf.master"
sed -i 's,^awstats_data_dir=.*$,awstats_data_dir=/var/cache/awstats,' "$1/install/tpl/server.ini.master"
sed -i 's,^awstats_pl=.*$,awstats_pl=/srv/www/cgi-bin/awstats.pl,' "$1/install/tpl/server.ini.master"
sed -i 's,^awstats_buildstaticpages_pl=.*$,awstats_buildstaticpages_pl=/usr/share/doc/packages/awstats/examples/awstats_buildstaticpages.pl,' "$1/install/tpl/server.ini.master"
}
# ============================
# ISPCONFIG
cd /tmp
wget -c $ISPCONFIG_TAR_GZ
tar xvfz ISPConfig-*.tar.gz
fix_ispconfig /tmp/ispconfig3_install
cd ispconfig3_install/install/
(echo; echo; echo $MY_FULLHOSTNAME; echo; echo; echo $MYSQLROOTPASS; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; ) | php -q install.php
cd /tmp
rm -rf /tmp/ispconfig3_install
rm -f /tmp/ISPConfig-*.tar.gz
# Squirrelmail
rpm -i $SQUIRRELMAIL_RPM
ln -s /srv/www/htdocs/squirrelmail /usr/local/ispconfig/interface/web/webmail
# Symlink
ln -s /srv/www/htdocs/phpMyAdmin /usr/local/ispconfig/interface/web/phpmyadmin
sed -i 's/\"en_US\.UTF-8/\"en_US\.ISO-8859-1/g' /etc/sysconfig/language
sed -i 's/x\-httpd\-php\=\"php\:\/usr\/bin\/php\-cgi5\"/x-httpd-php="php:\/usr\/bin\/php-cgi5"\nx-httpd-suphp="php:\/usr\/bin\/php-cgi5"/g' /etc/suphp.conf
SuSEconfig
# Generate certificates
openssl genrsa -passout pass:0passphrase$MYSQLROOTPASS -des3 -out /etc/apache2/ssl.key/server.key 4096
(echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;) | openssl req -passin pass:0passphrase$MYSQLROOTPASS -new -key /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.csr/server.csr
openssl x509 -passin pass:0passphrase$MYSQLROOTPASS -req -days 3650 -in /etc/apache2/ssl.csr/server.csr -signkey /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.crt/server.crt
openssl rsa -passin pass:0passphrase$MYSQLROOTPASS -in /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.key/server.key.insecure
mv /etc/apache2/ssl.key/server.key /etc/apache2/ssl.key/server.key.secure
mv /etc/apache2/ssl.key/server.key.insecure /etc/apache2/ssl.key/server.key
a2enmod ssl
sed -i 's/.VirtualHost _default_\:8080./\<VirtualHost _default_\:8080\>\nSSLEngine On\nSSLCertificateFile \/etc\/apache2\/ssl.crt\/server.crt\nSSLCertificateKeyFile \/etc\/apache2\/ssl.key\/server.key/g' /etc/apache2/sites-available/ispconfig.vhost
sed -i 's/DirectoryIndex index.html index.html.var/DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php5 index.php4 index.php3 index.pl index.html.var index.aspx default.aspx/g' /etc/apache2/httpd.conf
# enable named hosts
sed -i 's/^#NameVirtualHost \*\:80$/NameVirtualHost *:80/g' /etc/apache2/listen.conf
sed -i 's,^Alias /error/,#Alias /error/,' /etc/apache2/errors.conf
sed -i 's/max_execution_time = 30/max_execution_time = 120/' /etc/php5/apache2/php.ini
sed -i 's/max_execution_time = 30/max_execution_time = 120/' /etc/php5/cli/php.ini
sed -i 's/max_execution_time = 30/max_execution_time = 120/' /etc/php5/fastcgi/php.ini
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' /etc/php5/apache2/php.ini
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' /etc/php5/cli/php.ini
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' /etc/php5/fastcgi/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 32M/' /etc/php5/apache2/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 32M/' /etc/php5/cli/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 32M/' /etc/php5/fastcgi/php.ini
sed -i 's/^error_reporting = .*/error_reporting = E_ALL \& ~E_DEPRECATED \& ~E_NOTICE/' /etc/php5/apache2/php.ini
sed -i 's/^error_reporting = .*/error_reporting = E_ALL \& ~E_DEPRECATED \& ~E_NOTICE/' /etc/php5/cli/php.ini
sed -i 's/^error_reporting = .*/error_reporting = E_ALL \& ~E_DEPRECATED \& ~E_NOTICE/' /etc/php5/fastcgi/php.ini
rcapache2 restart
# postfix certificate
(echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;) | openssl req -new -key /etc/postfix/smtpd.key -out /etc/postfix/smtpd.csr
openssl x509 -req -days 3650 -in /etc/postfix/smtpd.csr -signkey /etc/postfix/smtpd.key -out /etc/postfix/smtpd.cert
chmod o-rwx /etc/postfix/smtpd.csr
chmod o-rwx /etc/postfix/smtpd.cert
# rdiff-backup
zypper -n install -l python-devel librsync
cd /tmp
wget -c $RDIFF_BACKUP_TARGZ
tar xfz rdiff-backup-*.tar.gz
rm -f rdiff-backup-*.tar.gz
cd rdiff-backup-*
./setup.py install
cd /tmp
rm -rf rdiff-backup-*
zypper -n install -l iptraf iftop
# create backup script
mkdir /backup
chown root:root /backup
mkdir /srvbackup_do
chown root:root /srvbackup_do
chmod og-rwx /srvbackup_do
cat > /srvbackup_do/dobackup.sh <<EOFMARKER2
#!/bin/bash
cd /srvbackup_do
sync
mysqladmin -p$MYSQLROOTPASS refresh
mysqlcheck -p$MYSQLROOTPASS -A --auto-repair
# backup into a single file
# mysqldump -p$MYSQLROOTPASS --all-databases >mysqldump.sql
# chmod og-rw mysqldump.sql
# backup into multiple files
rm -rf mysql
mkdir mysql
chown root:root mysql
chmod og-rwx mysql
for i in /var/lib/mysql/*/; do
dbname=\`basename \$i\`
echo >mysql/\$dbname.sql
chown root:root mysql/\$dbname.sql
chmod og-rwx mysql/\$dbname.sql
mysqldump -p$MYSQLROOTPASS \$dbname >mysql/\$dbname.sql
chown root:root mysql/\$dbname.sql
chmod og-rwx mysql/\$dbname.sql
done
/usr/local/bin/rdiff-backup --preserve-numerical-ids --exclude /tmp --exclude /backup --exclude /mnt --exclude /proc --exclude /dev --exclude /sys --exclude /var/lib/ntp/proc --exclude /media --exclude /var/tmp / /backup/$MY_FULLHOSTNAME
EOFMARKER2
chown root:root /srvbackup_do/dobackup.sh
chmod og-rwx /srvbackup_do/dobackup.sh
chmod u+x /srvbackup_do/dobackup.sh
echo '51 3 * * * /srvbackup_do/dobackup.sh >> /var/log/backuplog 2>&1' >>/var/spool/cron/tabs/root
# Fail2ban config
cat > /etc/fail2ban/filter.d/dovecot-pop3imap.conf <<EOFMARKER4
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
EOFMARKER4
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.def
cat > /etc/fail2ban/jail.conf <<EOFMARKER3
# Fail2Ban configuration file
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto
# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/messages
maxretry = 5
[ssh-ddos-iptables]
enabled = true
filter = sshd-ddos
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/messages
maxretry = 5
[proftpd-iptables]
enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
logpath = /var/log/messages
maxretry = 6
[pure-ftpd-iptables]
enabled = true
filter = pure-ftpd
action = iptables[name=PureFTPD, port=ftp, protocol=tcp]
logpath = /var/log/messages
maxretry = 6
[courier-imap-iptables]
enabled = true
filter = courierlogin
action = iptables[name=CourierIMAP, port=ftp, protocol=tcp]
logpath = /var/log/messages
maxretry = 6
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap,pop3s,imaps", protocol=tcp]
logpath = /var/log/mail
maxretry = 6
# This jail forces the backend to "polling".
[sasl-iptables]
enabled = true
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
logpath = /var/log/mail
# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".
[ssh-tcpwrapper]
enabled = true
filter = sshd
action = hostsdeny
ignoreregex = for myuser from
logpath = /var/log/messages
[ssh-ddos-tcpwrapper]
enabled = true
filter = sshd-ddos
action = hostsdeny
ignoreregex = for myuser from
logpath = /var/log/messages
# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.
[apache-tcpwrapper]
enabled = true
filter = apache-auth
action = hostsdeny
logpath = /var/log/apache2/error_log
maxretry = 6
# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.
[postfix-tcpwrapper]
enabled = true
filter = postfix
action = hostsdeny
logpath = /var/log/mail
bantime = 300
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
[apache-badbots]
enabled = true
filter = apache-badbots
action = iptables[name=BadBots1, port=http, protocol=tcp]
         iptables[name=BadBots2, port=https, protocol=tcp]
logpath = /var/log/apache2/access_log
bantime = 172800
maxretry = 1
[php-url-fopen]
enabled = false
port = http,https
filter = php-url-fopen
logpath = /var/log/apache2/access_log
maxretry = 1
EOFMARKER3
# Ensure fail2ban recreates a socket file
# Because otherwise after a server crash, fail2ban won't restart
sed -i 's/-q start/-x -q start/' /etc/init.d/fail2ban
# Fix pure-ftpd regexp
sed -i 's/[)][?]: [(][.][+][?]@<HOST>[)] \\\[/)\?: \\(.+?@<HOST>\\) \\[/' /etc/fail2ban/filter.d/pure-ftpd.conf
service fail2ban restart
# Fix getmail user to allow running from cron
sed -i 's/getmail:[!]:/getmail:*:/' /etc/shadow
# Install AWSTATS
rpm -ivh $AWSTATS_RPM
chmod og+w /var/cache/awstats
cp /etc/awstats/awstats.web.conf /etc/awstats/awstats.conf
sed -i 's,^<IfDefine,#<IfDefine,' /etc/apache2/conf.d/awstats.conf
sed -i 's,^</IfDefine,#</IfDefine,' /etc/apache2/conf.d/awstats.conf
rcapache2 restart
mysqladmin -p$MYSQLROOTPASS refresh
# Old code for fixing awstats path directly in the database
# Now it's fixed in server.ini.master before the installation of ISPConfig
#
#mysqldump -u root -p$MYSQLROOTPASS dbispconfig server >/tmp/server.sql
#sed -i 's,\\nawstats_data_dir=[^\\]*\\n,\\nawstats_data_dir=/var/cache/awstats\\n,' /tmp/server.sql
#sed -i 's,\\nawstats_pl=[^\\]*\\n,\\nawstats_pl=/srv/www/cgi-bin/awstats.pl\\n,' /tmp/server.sql
#sed -i 's,\\nawstats_buildstaticpages_pl=[^\\]*\\n,\\nawstats_buildstaticpages_pl=/usr/share/doc/packages/awstats/examples/awstats_buildstaticpages.pl\\n,' /tmp/server.sql
#mysql -u root -p$MYSQLROOTPASS dbispconfig </tmp/server.sql
#rm -rf /tmp/server.sql
#sed -i 's,^#LoadPlugin=\"geoipfree\",LoadPlugin=\"geoipfree\",' /etc/awstats/awstats.conf
sed -i 's,^Max\([^=]*\)= 10$,Max\1= 25,' /etc/awstats/awstats.conf
sed -i 's,^StyleSheet=\"[^\"]*\",StyleSheet=\"\",' /etc/awstats/awstats.conf
# Install eAccelerator
zypper -n install -l php5-devel
cd /tmp
wget $EACCELERATOR_TARGZ
tar xvfj eaccelerator-*.bz2
rm -rf eaccelerator-*.bz2
cd eaccelerator-*
phpize
# the flag is specified to prevent openbasedir limitations with ispconfig
./configure --without-eaccelerator-use-inode
make
make install
cd ..
rm -rf eaccelerator-*
cat > /etc/php5/conf.d/eaccelerator.ini <<EOFMARKER4
extension="eaccelerator.so"
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/var/cache/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
EOFMARKER4
mkdir -p /var/cache/eaccelerator
chmod 0777 /var/cache/eaccelerator
rcapache2 restart
# adjust postfix interfaces
sed -i 's/^inet_interfaces = localhost/inet_interfaces = all/g' /etc/postfix/main.cf
sed -i 's/^#tlsmgr/tlsmgr/g' /etc/postfix/master.cf
rcpostfix restart
# Fix squirrelmail
sed -i 's/^\$default_folder_prefix.*/$default_folder_prefix = '\'\'';/' /srv/www/htdocs/squirrelmail/config/config.php
# ==============
if [ "$ISPCONFIG_SVN" == "yes" ]; then
    # Update ISPConfig from SVN
    cd /tmp
    svn export svn://svn.ispconfig.org/ispconfig3/trunk/ ispconfigsvn
    fix_ispconfig /tmp/ispconfigsvn
    # Run update (update.php lives in the install/ directory of the export)
    cd /tmp/ispconfigsvn/install/
    php -q update.php
    cd /tmp
    rm -rf /tmp/ispconfigsvn
fi
# =========================================================================
# Fix configuration files, overwritten by ISPConfig update
# Re-run these lines after ISP-Config update
# Pure-ftpd
fix_pureftpd /etc/pure-ftpd/pure-ftpd.conf
rcpure-ftpd restart
# Dovecot
fix_dovecot /etc/dovecot/dovecot.conf
cd /usr/share/doc/packages/dovecot
cat >./mkcert.sh <<EOFMARKER5
#!/bin/sh
# Generates a self-signed certificate.
# Edit dovecot-openssl.cnf before running this.
OPENSSL=\${OPENSSL-openssl}
SSLDIR=\${SSLDIR-/etc/ssl}
OPENSSLCONFIG=\${OPENSSLCONFIG-dovecot-openssl.cnf}
CERTDIR=\$SSLDIR/certs
KEYDIR=\$SSLDIR/private
CERTFILE=\$CERTDIR/dovecot.pem
KEYFILE=\$KEYDIR/dovecot.pem
if [ ! -d \$CERTDIR ]; then
echo "\$SSLDIR/certs directory doesn't exist"
exit 1
fi
if [ ! -d \$KEYDIR ]; then
echo "\$SSLDIR/private directory doesn't exist"
exit 1
fi
if [ -f \$CERTFILE ]; then
echo "\$CERTFILE already exists, won't overwrite"
exit 1
fi
if [ -f \$KEYFILE ]; then
echo "\$KEYFILE already exists, won't overwrite"
exit 1
fi
\$OPENSSL req -new -x509 -nodes -config \$OPENSSLCONFIG -out \$CERTFILE -keyout \$KEYFILE -days 365 || exit 2
chmod 0600 \$KEYFILE
echo
\$OPENSSL x509 -subject -fingerprint -noout -in \$CERTFILE || exit 2
EOFMARKER5
cat >./dovecot-openssl.cnf <<EOFMARKER6
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
# country (2 letter code)
#C=FI
# State or Province Name (full name)
#ST=
# Locality Name (eg. city)
#L=Helsinki
# Organization (eg. company)
#O=Dovecot
# Organizational Unit Name (eg. section)
OU=IMAP server
# Common Name (*.example.com is also possible)
CN=imap.example.com
# E-mail contact
# (the address on the original page was mangled by e-mail cloaking; example.com is a placeholder, put your own postmaster address here)
emailAddress=postmaster@example.com
[ cert_type ]
nsCertType = server
EOFMARKER6
sh ./mkcert.sh
cd /
rcdovecot restart
rcpostfix restart
# CustomLog
fix_customlog /etc/apache2/sites-available/ispconfig.conf
fix_customlog /usr/local/ispconfig/server/conf/apache_ispconfig.conf.master
sed -i 's,^LogFormat=.*,LogFormat = "%host %other %logname %time1 %methodurl %code %other %refererquot %uaquot %other %bytesd",' /etc/awstats/awstats.conf
a2enmod logio
rcapache2 restart
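The jail.conf above enables a dovecot-pop3imap jail with maxretry = 6 over the filter the script writes to /etc/fail2ban/filter.d/dovecot-pop3imap.conf. The following is an added example, not part of the original script: it runs a POSIX ERE translation of that failregex over constructed Dovecot log lines with sed and lists the hosts that reached the jail's maxretry, which shows which log messages count as failures and which (a successful login, an inactivity disconnect, a Postfix SASL failure) do not. The findtime window is not modelled, and the translation replaces the Python-only (?:...) and (?P<host>...) groups with plain groups; on the server itself the filter is checked against the real log with fail2ban-regex /var/log/mail /etc/fail2ban/filter.d/dovecot-pop3imap.conf.

```shell
#!/bin/sh
# Offline check of the dovecot-pop3imap fail2ban filter written by the script.
# Added example, not part of the original script. The sample log lines below
# are constructed to mimic Dovecot 1.2 messages in /var/log/mail; the
# addresses come from the RFC 5737 documentation ranges.

# Constructed sample log: six failures from 203.0.113.5, two from 198.51.100.7,
# one from 192.0.2.44, plus three lines that the filter must ignore.
SAMPLE_LOG=$(cat <<'EOF'
Jun  5 10:12:01 server1 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Jun  5 10:12:03 server1 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Jun  5 10:12:05 server1 dovecot: pop3-login: Aborted login (auth failed, 3 attempts): user=<root>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Jun  5 10:12:07 server1 dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=<info>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Jun  5 10:12:09 server1 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<test>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10
Jun  5 10:12:11 server1 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<webmaster>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Jun  5 10:13:00 server1 dovecot: imap-login: Aborted login (tried to use disabled plaintext auth): user=<bob>, rip=198.51.100.7, lip=192.0.2.10
Jun  5 10:13:20 server1 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Jun  5 10:14:00 server1 dovecot: imap-login: Authentication failure: user=<eve>, method=PLAIN, rip=192.0.2.44, lip=192.0.2.10
Jun  5 10:14:30 server1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS
Jun  5 10:14:40 server1 dovecot: imap-login: Disconnected: Inactivity (no auth attempts): rip=198.51.100.7, lip=192.0.2.10
Jun  5 10:15:00 server1 postfix/smtpd[2140]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed
EOF
)

# POSIX ERE translation of the filter's failregex: prints the rip= address
# of every line the filter would match, one per line.
dovecot_failed_hosts() {
    sed -nE 's/.*( pop3-login|imap-login): (Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=([^[:space:]]*),.*/\3/p'
}

# Hosts that produced at least $1 matching lines (the jail's maxretry).
hosts_to_ban() {
    dovecot_failed_hosts | sort | uniq -c | awk -v max="$1" '$1 >= max { print $2 }'
}

# Stand-alone use: the script's jail sets maxretry = 6.
printf '%s\n' "$SAMPLE_LOG" | hosts_to_ban 6
```

On the sample log only 203.0.113.5 reaches six matching lines; its one successful login and the Postfix SASL warning are not counted because they belong to other filters. Pipe the real /var/log/mail into hosts_to_ban to compare with what fail2ban actually banned.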
Now you can run it as follows: