QTM - Trong bài viết sau, Quản Trị Mạng sẽ hướng dẫn các bạn tạo 1 đoạn mã, có thể tự động thực thi nhiều công đoạn như thiết lập, tùy chỉnh các thông số kỹ thuật… và cuối cùng là cài đặt ứng dụng.
Lưu ý rằng tuyệt đối không được thực thi đoạn mã này trên 1 hệ thống server đang hoạt động bình thường, vì sẽ gây ra hiện tượng xung đột, không tương thích khi đoạn mã tự động khởi tạo hoặc ghi đè các file tùy chỉnh và có thể khiến cho hệ thống ngừng hoạt động. Chỉ nên áp dụng phương pháp này khi cài đặt mới hoàn toàn OpenSUSE 11.2
Những điểm cần lưu ý:
- mysql phụ thuộc hoàn toàn bên trong các đoạn mã mydns
- Thiết lập fail2ban
- Không tắt bỏ chế độ firewall
- Thay đổi các thiết lập của Pure-ftpd (cho phép đổi tên file, thay đổi cổng)
- Cơ chế xác thực thông qua Postfix
- Xác nhận quyền truy cập với Apache SSL, chuyển ISPConfig thành HTTPS
- Khắc phục và hoàn chỉnh quá trình thiết lập NameVirtualHost Apache với OpenSUSE (rất quan trọng đối với Apache để nhận biết các domain đa dạng từ ISPConfig)
- Thiết lập quá trình rdiff-backup với cron
Tuy nhiên, đoạn mã này không phù hợp với những hệ thống trong thực tế yêu cầu 2 thành tố: mysql_secure_install và ispconfig_update_svn đang hoạt động. Sử dụng câu lệnh sau:
zypper update
và
reboot
trước khi thực thi đoạn mã này. Đồng thời, các bạn cũng nên thay đổi host name (nằm trong file HOSTNAME) trước đó.
Đoạn mã này có yêu cầu 2 thao tác sau:
Đầu tiên, khi mysql_secure_install đang hoạt động.
Thứ 2, dành cho việc cập nhật ISPConfig3, hãy gõ lệnh svn hoặc stable khi hệ thống yêu cầu cung cấp dạng cập nhật (nên chọn stable).
Tất cả các lựa chọn khác giữ nguyên ở chế độ mặc định bằng cách nhấn Enter.
Bên cạnh đó, các bạn nên thay đổi những giá trị biến sau trong đoạn mã:
THIS_PLATFORM: có thể là x86_64 hoặc i586.
MYSQLROOTPASS: hãy thay đổi giá trị này, và nhớ làm việc này trong khi cài đặt module mysql_secure_install.
MY_HOSTNAME, MY_DOMAIN: thay đổi thành tên server của bạn, ở giá trị mặc định nó sẽ là server1.mydomain.com.
ISPCONFIG_TAR_GZ: hãy chắc chắn rằng ISPCONFIG_TAR_GZ có trong phiên bản ISPConfig 3 mới nhất.
Lưu đoạn mã này tại 1 nơi nào đó trên server (ví dụ /usr/local/sbin/opensuse_ispconfig3.sh):
vi /usr/local/sbin/opensuse_ispconfig3.sh
#!/bin/sh
# Script by George Yohng (georgesc#oss3d.com)
# Do zypper update and reboot before running this script
# Also better change host name (file HOSTNAME) manually before running this script, though looks like it's not necessary
# This script requires two manual actions.
# First - when mysql_secure_install is running. One should type a new mysql password, the same as here
# Second - for ISPConfig3 update. One should type 'svn' when the update type is asked
# For both of scripts, all other options are default, one can just press ENTER.
# Also, please change MYSQLROOTPASS below, and be sure to enter it verbatim
# during the installation of mysql_secure_install.
# Important: When setting an MX entry, point it to mail.yourdomain.com rather than
# just to yourdomain.com, and create a CNAME entry for mail. Otherwise it doesn't
# seem to work somehow.
THIS_PLATFORM=x86_64
MYSQLROOTPASS=098j91r3kx
# Change this to your server name. By default it's configured to server1.mydomain.com
# If your web site hosts a complete domain, such as domain.com, still leave
# something for MY_HOSTNAME. 'server1' or 'host' is a good name.
MY_HOSTNAME=server1
MY_DOMAIN=mydomain.com
# Packages may have been updated, therefore also check the RPM and TARGZ locations below,
# and preferably use the latest versions of everything.
GETMAIL_RPM=http://download.opensuse.org/repositories/server:/mail/openSUSE_11.2/noarch/getmail-4.17.0-1.1.noarch.rpm
MAILDROP_RPM=http://download.opensuse.org/repositories/server:/mail/openSUSE_11.2/$THIS_PLATFORM/maildrop-2.4.0-1.6.$THIS_PLATFORM.rpm
PAM_MYSQL_TARGZ=http://heanet.dl.sourceforge.net/sourceforge/pam-mysql/pam_mysql-0.7RC1.tar.gz
SUPHP_RPM=http://download.opensuse.org/repositories/server:/php/openSUSE_11.2/$THIS_PLATFORM/suphp-0.7.1-3.1.$THIS_PLATFORM.rpm
#SUPHP_RPM=http://download.opensuse.org/repositories/home:/kolbma/openSUSE_11.1/$THIS_PLATFORM/suphp-0.7.1-16.1.$THIS_PLATFORM.rpm
FAIL2BAN_RPM=http://download.opensuse.org/repositories/home:/kolbma/openSUSE_11.1/$THIS_PLATFORM/fail2ban-0.8.4-2.1.$THIS_PLATFORM.rpm
SQUIRRELMAIL_RPM=http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.2/noarch/squirrelmail-1.4.20-1.1.noarch.rpm
JAILKIT_TARGZ=http://olivier.sessink.nl/jailkit/jailkit-2.11.tar.gz
PHPMYADMIN_RPM=http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.2/noarch/phpMyAdmin-3.3.3-1.1.noarch.rpm
MYDNS_RPM=http://mydns.bboy.net/download/mydns-mysql-1.1.0-1.i386.rpm
VLOGGER_TARGZ=http://n0rp.chemlab.org/vlogger/vlogger-1.3.tar.gz
RDIFF_BACKUP_TARGZ=http://savannah.nongnu.org/download/rdiff-backup/rdiff-backup-1.2.8.tar.gz
ISPCONFIG_TAR_GZ=http://downloads.sourceforge.net/ispconfig/ISPConfig-3.0.2.2.tar.gz?use_mirror=
MY_FULLHOSTNAME=$MY_HOSTNAME.$MY_DOMAIN
# Disable apparmor
/etc/init.d/boot.apparmor stop
chkconfig -d boot.apparmor
# Allow ports through firewall
SuSEfirewall2 open EXT TCP 21 80 8080 25 143 465 585 993 30000:30500
SuSEfirewall2
# Switch off X login (check!)
chkconfig --del xdm
rcxdm stop
# Quota
yast2 -i quota
touch /aquota.user /aquota.group
chmod 600 /aquota.*
touch /srv/aquota.user /srv/aquota.group
chmod 600 /srv/aquota.*
# TODO: change fstab here
mount -o remount /
mount -o remount /srv
mount -o remount /home
quotacheck -avugm
quotaon -avug
# Basic packages
yast2 -i mc
yast2 -i findutils readline libgcc glibc-devel findutils-locate gcc flex lynx compat-readline4 db-devel wget gcc-c++ subversion make vim telnet cron iptables iputils man man-pages nano pico
# Host name
echo $MY_FULLHOSTNAME > /etc/HOSTNAME
echo 127.0.0.2 $MY_FULLHOSTNAME $MY_HOSTNAME >> /etc/hosts
echo 69.46.236.210 mydns.bboy.net >> /etc/hosts
export HOST=$MY_FULLHOSTNAME
export HOSTNAME=$MY_FULLHOSTNAME
# Postfix, Courier, Saslauthd, MySQL
yast2 -i postfix postfix-mysql mysql mysql-client courier-imap courier-authlib courier-authlib-mysql python cron cyrus-sasl cyrus-sasl-crammd5 cyrus-sasl-digestmd5 cyrus-sasl-gssapi cyrus-sasl-otp cyrus-sasl-plain cyrus-sasl-saslauthd libmysqlclient-devel pwgen
chkconfig --add mysql
chkconfig --add postfix
chkconfig --add saslauthd
chkconfig --add fam
chkconfig --add courier-authdaemon
chkconfig --add courier-pop
chkconfig --add courier-imap
chkconfig --add courier-pop-ssl
chkconfig --add courier-imap-ssl
/etc/init.d/mysql start
/etc/init.d/postfix start
/etc/init.d/saslauthd start
/etc/init.d/courier-pop start
/etc/init.d/courier-imap start
/etc/init.d/courier-pop-ssl start
/etc/init.d/courier-imap-ssl start
# getmail
cd /tmp
rpm -i $GETMAIL_RPM
rpm --force -i $MAILDROP_RPM
# pam
yast2 -i pam-devel pam-32bit pam-devel-32bit pam-modules-32bit
# pam_mysql
cd /tmp
wget -c $PAM_MYSQL_TARGZ
tar xvfz pam_mysql-*.tar.gz
rm -rf pam_mysql-*.tar.gz
cd pam_mysql-*
./configure
make
make install
cd /tmp
rm -rf /tmp/pam_mysql-*
# mysql_secure_installation
mysql_secure_installation
#(echo Y; echo $MYSQLROOTPASS; echo $MYSQLROOTPASS; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; )
# amavis, spam asassin, etc
yast2 -i amavisd-new clamav clamav-db zoo unzip unrar bzip2 unarj perl-DBD-mysql
# TODO: change /etc/amavisd.conf
#$mydomain = "$MY_DOMAIN"; # a convenient default for other settings
#$myhostname = "$MY_HOSTNAME";
sed -i 's/\$mydomain = '\''example.com'\'';/\$mydomain='\'$MY_DOMAIN\'';\n\$myhostname='\'$MY_FULLHOSTNAME\'';/g' /etc/amavisd.conf
chkconfig --add amavis
chkconfig --add clamd
/etc/init.d/amavis start
/etc/init.d/clamd start
# Apache2
yast2 -i apache2 apache2-mod_fcgid
yast2 -i php5-bcmath php5-bz2 php5-calendar php5-ctype php5-curl php5-dom php5-ftp php5-gd php5-gettext php5-gmp php5-iconv php5-imap php5-ldap php5-mbstring php5-mcrypt php5-mysql php5-odbc php5-openssl php5-pcntl php5-pgsql php5-posix php5-shmop php5-snmp php5-soap php5-sockets php5-sqlite php5-sysvsem php5-tokenizer php5-wddx php5-xmlrpc php5-xsl php5-zlib php5-exif php5-fastcgi php5-pear php5-sysvmsg php5-sysvshm ImageMagick curl apache2-mod_php5
rpm -i $SUPHP_RPM
a2enmod suexec
a2enmod rewrite
a2enmod ssl
a2enmod actions
a2enmod suphp
a2enmod fcgid
chown root:www /usr/sbin/suexec2
chmod 4755 /usr/sbin/suexec2
chkconfig --add apache2
/etc/init.d/apache2 start
# PhpMyAdmin
rpm -i $PHPMYADMIN_RPM
# FTP
yast2 -i pure-ftpd quota
sed -i 's/NoRename.*yes/NoRename no/g' /etc/pure-ftpd/pure-ftpd.conf
sed -i 's/AutoRename.*yes/AutoRename no/g' /etc/pure-ftpd/pure-ftpd.conf
sed -i 's/# PassivePortRange.*30000 50000/PassivePortRange 30000 30500/g' /etc/pure-ftpd/pure-ftpd.conf
chkconfig --add pure-ftpd
/etc/init.d/pure-ftpd start
# MyDNS
rpm -ivh --force $MYDNS_RPM
# MyDNS script
cat > /etc/init.d/mydns <<EOFMARKER
#! /bin/sh
# Copyright (c) 1995-2004 SUSE Linux AG, Nuernberg, Germany.
# All rights reserved.
#
# Author: Kurt Garloff
# Please send feedback to http://www.suse.de/feedback/
#
# /etc/init.d/mydns
# and its symbolic link
# /(usr/)sbin/rcmydns
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# Template system startup script for some example service/daemon mydns
#
# LSB compatible service control script; see http://www.linuxbase.org/spec/
#
# Note: This template uses functions rc_XXX defined in /etc/rc.status on
# UnitedLinux (UL) based Linux distributions. If you want to base your
# script on this template and ensure that it works on non UL based LSB
# compliant Linux distributions, you either have to provide the rc.status
# functions from UL or change the script to work without them.
#
### BEGIN INIT INFO
# Provides: mydns
# Required-Start: \$syslog \$remote_fs mysql
# Should-Start: \$time ypbind sendmail
# Required-Stop: \$syslog \$remote_fs
# Should-Stop: \$time ypbind sendmail
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: mydns XYZ daemon providing ZYX
# Description: Start mydns to allow XY and provide YZ
# continued on second line by '#<TAB>'
# should contain enough info for the runlevel editor
# to give admin some idea what this service does and
# what it's needed for ...
# (The Short-Description should already be a good hint.)
### END INIT INFO
#
# Any extensions to the keywords given above should be preceeded by
# X-VendorTag- (X-UnitedLinux- X-SuSE- for us) according to LSB.
#
# Notes on Required-Start/Should-Start:
# * There are two different issues that are solved by Required-Start
# and Should-Start
# (a) Hard dependencies: This is used by the runlevel editor to determine
# which services absolutely need to be started to make the start of
# this service make sense. Example: nfsserver should have
# Required-Start: \$portmap
# Also, required services are started before the dependent ones.
# The runlevel editor will warn about such missing hard dependencies
# and suggest enabling. During system startup, you may expect an error,
# if the dependency is not fulfilled.
# (b) Specifying the init script ordering, not real (hard) dependencies.
# This is needed by insserv to determine which service should be
# started first (and at a later stage what services can be started
# in parallel). The tag Should-Start: is used for this.
# It tells, that if a service is available, it should be started
# before. If not, never mind.
# * When specifying hard dependencies or ordering requirements, you can
# use names of services (contents of their Provides: section)
# or pseudo names starting with a \$. The following ones are available
# according to LSB (1.1):
# \$local_fs all local file systems are mounted
# (most services should need this!)
# \$remote_fs all remote file systems are mounted
# (note that /usr may be remote, so
# many services should Require this!)
# \$syslog system logging facility up
# \$network low level networking (eth card, ...)
# \$named hostname resolution available
# \$netdaemons all network daemons are running
# The \$netdaemons pseudo service has been removed in LSB 1.2.
# For now, we still offer it for backward compatibility.
# These are new (LSB 1.2):
# \$time the system time has been set correctly
# \$portmap SunRPC portmapping service available
# UnitedLinux extensions:
# \$ALL indicates that a script should be inserted
# at the end
# * The services specified in the stop tags
# (Required-Stop/Should-Stop)
# specify which services need to be still running when this service
# is shut down. Often the entries there are just copies or a subset
# from the respective start tag.
# * Should-Start/Stop are now part of LSB as of 2.0,
# formerly SUSE/Unitedlinux used X-UnitedLinux-Should-Start/-Stop.
# insserv does support both variants.
# * X-UnitedLinux-Default-Enabled: yes/no is used at installation time
# (%fillup_and_insserv macro in %post of many RPMs) to specify whether
# a startup script should default to be enabled after installation.
# It's not used by insserv.
#
# Note on runlevels:
# 0 - halt/poweroff 6 - reboot
# 1 - single user 2 - multiuser without network exported
# 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm)
#
# Note on script names:
# http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB/scrptnames.html
# A registry has been set up to manage the init script namespace.
# http://www.lanana.org/
# Please use the names already registered or register one or use a
# vendor prefix.
# Check for missing binaries (stale symlinks should not happen)
# Note: Special treatment of stop for LSB conformance
MYDNS_BIN=/usr/sbin/mydns
test -x \$MYDNS_BIN || { echo "\$mydns_BIN not installed";
if [ "\$1" = "stop" ]; then exit 0;
else exit 5; fi; }
# Check for existence of needed config file and read it
#MYDNS_CONFIG=/etc/sysconfig/mydns
#test -r \$MYDNS_CONFIG || { echo "\$mydns_CONFIG not existing";
# if [ "\$1" = "stop" ]; then exit 0;
# else exit 6; fi; }
# Read config
#. \$MYDNS_CONFIG
# Source LSB init functions
# providing start_daemon, killproc, pidofproc,
# log_success_msg, log_failure_msg and log_warning_msg.
# This is currently not used by UnitedLinux based distributions and
# not needed for init scripts for UnitedLinux only. If it is used,
# the functions from rc.status should not be sourced or used.
#. /lib/lsb/init-functions
# Shell functions sourced from /etc/rc.status:
# rc_check check and set local and overall rc status
# rc_status check and set local and overall rc status
# rc_status -v be verbose in local rc status and clear it afterwards
# rc_status -v -r ditto and clear both the local and overall rc status
# rc_status -s display "skipped" and exit with status 3
# rc_status -u display "unused" and exit with status 3
# rc_failed set local and overall rc status to failed
# rc_failed <num> set local and overall rc status to <num>
# rc_reset clear both the local and overall rc status
# rc_exit exit appropriate to overall rc status
# rc_active checks whether a service is activated by symlinks
. /etc/rc.status
# Reset status of this service
rc_reset
# Return values acc. to LSB for all commands but status:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - user had insufficient privileges
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
# 8--199 - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signaling is not supported) are
# considered a success.
case "\$1" in
start)
echo -n "Starting mydns "
## Start daemon with startproc(8). If this fails
## the return value is set appropriately by startproc.
startproc \$MYDNS_BIN
# Remember status and be verbose
rc_status -v
;;
stop)
echo -n "Shutting down mydns "
## Stop daemon with killproc(8) and if this fails
## killproc sets the return value according to LSB.
killproc -TERM \$MYDNS_BIN
# Remember status and be verbose
rc_status -v
;;
try-restart|condrestart)
## Do a restart only if the service was active before.
## Note: try-restart is now part of LSB (as of 1.9).
## RH has a similar command named condrestart.
if test "\$1" = "condrestart"; then
echo "\${attn} Use try-restart \${done}(LSB)\${attn} rather than condrestart \${warn}(RH)\${norm}"
fi
\$0 status
if test \$? = 0; then
\$0 restart
else
rc_reset # Not running is not a failure.
fi
# Remember status and be quiet
rc_status
;;
restart)
## Stop the service and regardless of whether it was
## running or not, start it again.
\$0 stop
\$0 start
# Remember status and be quiet
rc_status
;;
force-reload)
## Signal the daemon to reload its config. Most daemons
## do this on signal 1 (SIGHUP).
## If it does not support it, restart.
echo -n "Reload service mydns "
## if it supports it:
killproc -HUP \$MYDNS_BIN
#touch /var/run/mydns.pid
rc_status -v
## Otherwise:
#\$0 try-restart
#rc_status
;;
reload)
## Like force-reload, but if daemon does not support
## signaling, do nothing (!)
# If it supports signaling:
echo -n "Reload service mydns "
killproc -HUP \$MYDNS_BIN
#touch /var/run/mydns.pid
rc_status -v
## Otherwise if it does not support reload:
#rc_failed 3
#rc_status -v
;;
status)
echo -n "Checking for service mydns "
## Check status with checkproc(8), if process is running
## checkproc will return with exit status 0.
# Return value is slightly different for the status command:
# 0 - service up and running
# 1 - service dead, but /var/run/ pid file exists
# 2 - service dead, but /var/lock/ lock file exists
# 3 - service not running (unused)
# 4 - service status unknown :-(
# 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
# NOTE: checkproc returns LSB compliant status values.
checkproc \$MYDNS_BIN
# NOTE: rc_status knows that we called this init script with
# "status" option and adapts its messages accordingly.
rc_status -v
;;
probe)
## Optional: Probe for the necessity of a reload, print out the
## argument to this init script which is required for a reload.
## Note: probe is not (yet) part of LSB (as of 1.9)
test /etc/mydns/mydns.conf -nt /var/run/mydns.pid && echo reload
;;
*)
echo "Usage: \$0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
exit 1
;;
esac
rc_exit
EOFMARKER
chmod 755 /etc/init.d/mydns
chkconfig --add mydns
# VLOGGER and WEBALIZER
cd /tmp
wget -c $VLOGGER_TARGZ
tar xvfz vlogger-*.tar.gz
rm -f vlogger-*.tar.gz
mv vlogger-*/vlogger /usr/sbin/
rm -rf vlogger*
yast2 -i webalizer perl-DateManip
# Fail2ban
rpm -i $FAIL2BAN_RPM
chkconfig --add fail2ban
service fail2ban start
# Jailkit
cd /tmp
wget -c $JAILKIT_TARGZ
tar xvfz jailkit-*.tar.gz
rm -f jailkit-*.tar.gz
cd jailkit-*
./configure
make
make install
cd /tmp
rm -rf jailkit-*
# Synchronize system clock
yast2 -i xntp
chkconfig --add ntp
/etc/init.d/ntp start
# ISPCONFIG
cd /tmp
wget -c $ISPCONFIG_TAR_GZ
tar xvfz ISPConfig-*.tar.gz
cd ispconfig3_install/install/
(echo; echo; echo $MY_FULLHOSTNAME; echo; echo; echo $MYSQLROOTPASS; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; ) | php -q install.php
cd /tmp
rm -rf /tmp/ispconfig3_install
rm -f /tmp/ISPConfig-*.tar.gz
# Squirrelmail
rpm -i $SQUIRRELMAIL_RPM
ln -s /srv/www/htdocs/squirrelmail /usr/local/ispconfig/interface/web/webmail
# Symlink
ln -s /srv/www/htdocs/phpMyAdmin /usr/local/ispconfig/interface/web/phpmyadmin
sed -i 's/\"en_US\.UTF-8/\"en_US\.ISO-8859-1/g' /etc/sysconfig/language
sed -i 's/x\-httpd\-php\=\"php\:\/usr\/bin\/php\-cgi5\"/x-httpd-php="php:\/usr\/bin\/php-cgi5"\nx-httpd-suphp="php:\/usr\/bin\/php-cgi5"/g' /etc/suphp.conf
SuSEconfig
/usr/local/bin/ispconfig_update_from_svn.sh
openssl genrsa -passout pass:0passphrase$MYSQLROOTPASS -des3 -out /etc/apache2/ssl.key/server.key 4096
(echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;) | openssl req -passin pass:0passphrase$MYSQLROOTPASS -new -key /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.csr/server.csr
openssl x509 -passin pass:0passphrase$MYSQLROOTPASS -req -days 3650 -in /etc/apache2/ssl.csr/server.csr -signkey /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.crt/server.crt
openssl rsa -passin pass:0passphrase$MYSQLROOTPASS -in /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.key/server.key.insecure
mv /etc/apache2/ssl.key/server.key /etc/apache2/ssl.key/server.key.secure
mv /etc/apache2/ssl.key/server.key.insecure /etc/apache2/ssl.key/server.key
a2enmod ssl
sed -i 's/.VirtualHost _default_\:8080./\<VirtualHost _default_\:8080\>\nSSLEngine On\nSSLCertificateFile \/etc\/apache2\/ssl.crt\/server.crt\nSSLCertificateKeyFile \/etc\/apache2\/ssl.key\/server.key/g' /etc/apache2/sites-available/ispconfig.vhost
sed -i 's/DirectoryIndex index.html index.html.var/DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php5 index.php4 index.php3 index.pl index.html.var index.aspx default.aspx/g' /etc/apache2/httpd.conf
# enable named hosts
sed -i 's/^#NameVirtualHost \*\:80$/NameVirtualHost *:80/g' /etc/apache2/listen.conf
sed -i 's/max_execution_time = 30/max_execution_time = 120/' /etc/php5/apache2/php.ini
sed -i 's/max_execution_time = 30/max_execution_time = 120/' /etc/php5/cli/php.ini
sed -i 's/max_execution_time = 30/max_execution_time = 120/' /etc/php5/fastcgi/php.ini
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' /etc/php5/apache2/php.ini
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' /etc/php5/cli/php.ini
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' /etc/php5/fastcgi/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 32M/' /etc/php5/apache2/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 32M/' /etc/php5/cli/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 32M/' /etc/php5/fastcgi/php.ini
rcapache2 restart
# postfix certificate
(echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;) | openssl req -new -key /etc/postfix/smtpd.key -out /etc/postfix/smtpd.csr
openssl x509 -req -days 3650 -in /etc/postfix/smtpd.csr -signkey /etc/postfix/smtpd.key -out /etc/postfix/smtpd.cert
chmod o-rwx /etc/postfix/smtpd.csr
chmod o-rwx /etc/postfix/smtpd.cert
# rdiff-backup
yast2 -i python-devel librsync
cd tmp
wget -c $RDIFF_BACKUP_TARGZ
wget -c http://savannah.nongnu.org/download/rdiff-backup/rdiff-backup-1.2.8.tar.gz
tar xfz rdiff-backup-*.tar.gz
rm -f rdiff-backup-*.tar.gz
cd rdiff-backup-*
./setup.py install
cd /tmp
rm -rf rdiff-backup-*
yast -i iptraf
# create backup script
mkdir /backup
chown root:root /backup
mkdir /srvbackup_do
chown root:root /srvbackup_do
chmod og-rwx /srvbackup_do
cat > /srvbackup_do/dobackup.sh <<EOFMARKER2
#!/bin/bash
cd /srvbackup_do
sync
mysqladmin -p$MYSQLROOTPASS refresh
mysqldump -p$MYSQLROOTPASS --all-databases >mysqldump.sql
chmod og-rw mysqldump.sql
/usr/local/bin/rdiff-backup --preserve-numerical-ids --exclude /tmp --exclude /backup --exclude /mnt --exclude /proc --exclude /dev --exclude /sys --exclude /var/lib/ntp/proc --exclude /media --exclude /var/tmp / /backup/$MY_FULLHOSTNAME
EOFMARKER2
chown root:root /srvbackup_do/dobackup.sh
chmod og-rwx /srvbackup_do/dobackup.sh
chmod u+x /srvbackup_do/dobackup.sh
echo '51 3 * * * /srvbackup_do/dobackup.sh >> /var/log/backuplog 2>&1' >>/var/spool/cron/tabs/root
# Fail2ban config
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.def
cat > /etc/fail2ban/jail.conf <<EOFMARKER3
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# \$Revision: 747 \$
#
# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto
# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
# sendmail-whois[name=SSH, dest=georgef2b@oss3d.com, sender=fail2ban@mail.com]
logpath = /var/log/messages
maxretry = 5
[proftpd-iptables]
enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
# sendmail-whois[name=ProFTPD, dest=georgef2b@oss3d.com]
logpath = /var/log/messages
maxretry = 6
# This jail forces the backend to "polling".
[sasl-iptables]
enabled = true
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
# sendmail-whois[name=sasl, dest=georgef2b@oss3d.com]
logpath = /var/log/mail
# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".
[ssh-tcpwrapper]
enabled = true
filter = sshd
action = hostsdeny
# sendmail-whois[name=SSH, dest=georgef2b@oss3d.com]
ignoreregex = for myuser from
logpath = /var/log/messages
# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.
[apache-tcpwrapper]
enabled = true
filter = apache-auth
action = hostsdeny
logpath = /var/log/apache2/error_log
maxretry = 6
# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.
[postfix-tcpwrapper]
enabled = true
filter = postfix
action = hostsdeny[file=/not/a/standard/path/hosts.deny]
# sendmail[name=Postfix, dest=georgef2b@oss3d.com]
logpath = /var/log/mail
bantime = 300
# Do not ban anybody. Just report information about the remote host.
# A notification is sent at most every 600 seconds (bantime).
[vsftpd-notification]
enabled = false
filter = vsftpd
action = sendmail-whois[name=VSFTPD, dest=georgef2b@oss3d.com]
logpath = /var/log/messages
maxretry = 5
bantime = 1800
# Same as above but with banning the IP address.
[vsftpd-iptables]
enabled = false
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
# sendmail-whois[name=VSFTPD, dest=georgef2b@oss3d.com]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
[apache-badbots]
enabled = true
filter = apache-badbots
action = iptables[name=BadBots1, port=http, protocol=tcp]
iptables[name=BadBots2, port=https, protocol=tcp]
# sendmail-buffered[name=BadBots, lines=5, dest=georgef2b@oss3d.com]
logpath = /var/log/apache2/access_log
bantime = 172800
maxretry = 1
# Use shorewall instead of iptables.
[apache-shorewall]
enabled = false
filter = apache-noscript
action = shorewall
# sendmail[name=Postfix, dest=georgef2b@oss3d.com]
logpath = /var/log/apache2/error_log
# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
[php-url-fopen]
enabled = false
port = http,https
filter = php-url-fopen
logpath = /var/log/apache2/access_log
maxretry = 1
# A simple PHP-fastcgi jail which works with lighttpd.
# If you run a lighttpd server, then you probably will
# find these kinds of messages in your error_log:
# ALERT – tried to register forbidden variable ‘GLOBALS’
# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
# This jail would block the IP 1.2.3.4.
[lighttpd-fastcgi]
enabled = false
port = http,https
filter = lighttpd-fastcgi
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 2
# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.
[ssh-ipfw]
enabled = false
filter = sshd
action = ipfw[localhost=192.168.0.1]
sendmail-whois[name="SSH,IPFW", dest=georgef2b@oss3d.com]
logpath = /var/log/auth.log
ignoreip = 168.192.0.1
# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
# channel security_file {
# file "/var/log/named/security.log" versions 3 size 30m;
# severity dynamic;
# print-time yes;
# };
# category security {
# security_file;
# };
# };
#
# in your named.conf to provide proper logging.
# This jail blocks UDP traffic for DNS requests.
[named-refused-udp]
enabled = false
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
sendmail-whois[name=Named, dest=georgef2b@oss3d.com]
logpath = /var/log/named/security.log
ignoreip = 168.192.0.1
# This jail blocks TCP traffic for DNS requests.
[named-refused-tcp]
enabled = false
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
sendmail-whois[name=Named, dest=georgef2b@oss3d.com]
logpath = /var/log/named/security.log
ignoreip = 168.192.0.1
EOFMARKER3
service fail2ban restart
Gán thuộc tính thực thi cho đoạn mã:
chmod 755 /usr/local/sbin/opensuse_ispconfig3.sh
Và các bạn có thể chạy đoạn mã này bằng câu lệnh sau:
/usr/local/sbin/opensuse_ispconfig3.sh
Chúc các bạn thành công!