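#!/bin/bash
# Hestia Control Panel upgrade script for target version 1.1.0
#
# Runs the one-off migration steps that bring an installation to 1.1.0. The
# steps are written to be idempotent: most probe for the pre-1.1.0 state before
# changing anything, the rest are safe to repeat. Nothing in this file defines
# THEME, BIN, HESTIA, HESTIA_BACKUP, HOMEDIR, WEB_SYSTEM, WEB_BACKEND,
# WEBMAIL_ALIAS, IMAP_SYSTEM, MAIL_SYSTEM or FIREWALL_EXTENSION; the upgrade
# framework is expected to have them in scope (presumably by sourcing this
# file, which is why there is no `set -e` and no `exit` here -- a failing
# optional step must not abort the steps after it).
#######################################################################################
####### Place additional commands below. #######
#######################################################################################

# Set default theme
if [ -z "$THEME" ]; then
  echo "[ * ] Enabling support for themes..."
  "$BIN"/v-change-sys-theme 'default'
fi

# Reduce SSH login grace time
if [ -e /etc/ssh/sshd_config ]; then
  echo "[ * ] Hardening SSH daemon configuration..."
  # Covers both an explicit `LoginGraceTime 2m` and the commented-out stock
  # default `#LoginGraceTime 2m`, uncommenting the latter. (Rewriting the
  # explicit form first and the commented form second, as earlier builds
  # did, turned the commented line into `#LoginGraceTime 1m`, so the
  # effective value stayed at the 2m default.) sshd is not reloaded here;
  # presumably the framework restarts services after the upgrade.
  sed -i -E 's/^[[:space:]]*#?[[:space:]]*LoginGraceTime 2m/LoginGraceTime 1m/' /etc/ssh/sshd_config
fi

# Implement recidive jail for fail2ban
if [ -n "$FIREWALL_EXTENSION" ]; then
  # A missing jail.local makes grep fail, which correctly counts as "jail
  # absent" and lets the append create the file.
  if ! grep -q '\[recidive\]' /etc/fail2ban/jail.local; then
    cat >> /etc/fail2ban/jail.local <<'EOF'


[recidive]
enabled = true
filter = recidive
action = hestia[name=HESTIA]
logpath = /var/log/fail2ban.log
maxretry = 3
findtime = 86400
bantime = 864000
EOF
  fi
fi

# Enable OCSP SSL stapling and harden nginx configuration for roundcube
if [ -n "$IMAP_SYSTEM" ]; then
  echo "[ * ] Hardening security of Roundcube webmail..."
  "$BIN"/v-update-mail-templates > /dev/null 2>&1
  if [ -e /etc/nginx/conf.d/webmail.inc ]; then
    # Widen the deny-list of Roundcube paths that must not be web-reachable.
    # Note that webmail.inc is deleted again at the end of this script (the
    # subfolder alias gives way to the subdomain), so this only matters while
    # the include is still in use.
    cp -f /etc/nginx/conf.d/webmail.inc "$HESTIA_BACKUP/conf/"
    sed -i "s/config|temp|logs/README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING/g" /etc/nginx/conf.d/webmail.inc
  fi
fi

# Fix restart queue
if ! "$BIN"/v-list-cron-jobs admin | grep -q 'v-update-sys-queue restart'; then
  command="sudo $BIN/v-update-sys-queue restart"
  "$BIN"/v-add-cron-job 'admin' '*/2' '*' '*' '*' '*' "$command"
fi

# Remove deprecated line from ClamAV configuration file
if [ -e /etc/clamav/clamd.conf ]; then
  if grep -q DetectBrokenExecutables /etc/clamav/clamd.conf; then
    echo "[ * ] Updating ClamAV configuration..."
    sed -i '/DetectBrokenExecutables/d' /etc/clamav/clamd.conf
  fi
fi

# Remove erroneous history.log file created by certain builds due to bug in v-restart-system
if [ -e "$HESTIA/data/users/history.log" ]; then
  rm -f "$HESTIA/data/users/history.log"
fi

# Use exim4 server hostname instead of mail domain and remove hardcoded mail prefix
if [ -n "$MAIL_SYSTEM" ]; then
  echo "[ * ] Updating exim configuration..."
  exim_template=/etc/exim4/exim4.conf.template
  # Single quotes below are deliberate: the ${...} expressions belong to Exim
  # and must reach sed/grep literally.
  if grep -q 'helo_data = mail.${sender_address_domain}' "$exim_template"; then
    sed -i 's/helo_data = mail.${sender_address_domain}/helo_data = ${primary_hostname}/g' "$exim_template"
  fi
  if ! grep -q '^OUTGOING_IP = /' "$exim_template"; then
    # Drop any older OUTGOING_IP definition, then re-add it just before the ACL section.
    sed -i '/^OUTGOING_IP/d' "$exim_template"
    sed -i 's|^begin acl|OUTGOING_IP = /etc/exim4/domains/$sender_address_domain/ip\nbegin acl|' "$exim_template"
  fi
  if ! grep -q 'interface =' "$exim_template"; then
    sed -i '/interface =/d' "$exim_template"
    sed -i 's|dkim_strict = 0|dkim_strict = 0\n interface = ${if exists{OUTGOING_IP}{${readfile{OUTGOING_IP}}}}|' "$exim_template"
  fi
fi

# Members of admin group should be permitted to enter admin folder
if [ -d /home/admin ]; then
  setfacl -m "g:admin:r-x" /home/admin
fi

# Fix sftp jail cronjob
if [ -e /etc/cron.d/hestia-sftp ]; then
  # Entries under /etc/cron.d need a user field; earlier builds wrote the
  # line without one, so the jail was never re-created at boot.
  if ! grep -q 'root' /etc/cron.d/hestia-sftp; then
    echo "@reboot root /usr/local/hestia/bin/v-add-sys-sftp-jail" > /etc/cron.d/hestia-sftp
  fi
fi

# Create default writeable folders for all users
echo "[ * ] Updating default writable folders for all users..."
for user in $("$HESTIA"/bin/v-list-sys-users plain); do
  user_dirs=(
    "$HOMEDIR/$user/.cache"
    "$HOMEDIR/$user/.config"
    "$HOMEDIR/$user/.local"
    "$HOMEDIR/$user/.composer"
    "$HOMEDIR/$user/.ssh"
  )
  mkdir -p "${user_dirs[@]}"
  # These paths live inside a directory the user controls. `-h` changes the
  # ownership of the entry itself and never follows a symlink the user may
  # have placed there, so root cannot be tricked into chowning a file
  # elsewhere on the system. For a freshly created real directory the
  # result is the same as a plain chown.
  chown -h "$user:$user" "${user_dirs[@]}"
done

# Remove redundant fail2ban jail
if fail2ban-client status sshd > /dev/null 2>&1; then
  fail2ban-client stop sshd > /dev/null 2>&1
  # The Debian-packaged jail definition is moved into the upgrade backup
  # rather than deleted, so it can be restored by hand if needed.
  if [ -f /etc/fail2ban/jail.d/defaults-debian.conf ]; then
    mkdir -p "$HESTIA_BACKUP/conf/fail2ban/jail.d"
    mv /etc/fail2ban/jail.d/defaults-debian.conf "$HESTIA_BACKUP/conf/fail2ban/jail.d/"
  fi
fi

# Update Office 365/Microsoft 365 DNS template
if [ -e "$HESTIA/data/templates/dns/office365.tpl" ]; then
  echo "[ * ] Updating DNS template for Office 365..."
  cp -f "$HESTIA/install/deb/templates/dns/office365.tpl" "$HESTIA/data/templates/dns/office365.tpl"
fi

# Ensure that backup compression level is correctly set
if ! grep -q BACKUP_GZIP "$HESTIA/conf/hestia.conf"; then
  echo "[ * ] Updating backup compression level variable..."
  "$BIN"/v-change-sys-config-value "BACKUP_GZIP" '9'
fi

# Randomize Roundcube des_key for better security
if [ -f /etc/roundcube/config.inc.php ]; then
  # Replace the fixed key literal below (apparently shipped as-is by earlier
  # builds) with a per-installation random value. '/' is stripped because it
  # is the sed delimiter; the remaining base64 alphabet ([A-Za-z0-9+=]) has
  # no characters that are special in a sed replacement.
  rcDesKey="$(openssl rand -base64 30 | tr -d "/" | cut -c1-24)"
  # Only substitute when a full 24-character key was produced; an empty or
  # short value (openssl missing, failed pipeline) must not be written into
  # the config.
  if [ "${#rcDesKey}" -eq 24 ]; then
    sed -i "s/vtIOjLZo9kffJoqzpSbm5r1r/$rcDesKey/g" /etc/roundcube/config.inc.php
  else
    echo "[ ! ] Could not generate a new Roundcube des_key; leaving config.inc.php unchanged" >&2
  fi
fi

# Place robots.txt to prevent webmail crawling by search engine bots.
if [ -e /var/lib/roundcube/ ]; then
  if [ ! -f /var/lib/roundcube/robots.txt ]; then
    printf 'User-agent: *\nDisallow: /\n' > /var/lib/roundcube/robots.txt
  fi
fi

# Installing postgresql repo
if [ -e /etc/postgresql ]; then
  echo "[ * ] Enabling native PostgreSQL APT repository..."
  osname="$(sed -n 's/^ID=//p' /etc/os-release)"
  if [ "$osname" = "ubuntu" ]; then
    codename="$(lsb_release -s -c)"
  else
    # Debian's VERSION field looks like `10 (buster)`; take the text in parentheses.
    codename="$(grep VERSION= /etc/os-release | cut -f 2 -d '(' | cut -f 1 -d ')')"
  fi
  # Plain http here is integrity-protected by apt's signature check on the
  # Release file, not confidential.
  echo "deb http://apt.postgresql.org/pub/repos/apt/ $codename-pgdg main" > /etc/apt/sources.list.d/postgresql.list
  # The signing key is fetched into a private temporary file rather than a
  # fixed name under /tmp: a fixed name in a world-writable directory can be
  # pre-created by any local user, and this script runs as root. The key is
  # only handed to apt-key when the download actually succeeded.
  # NOTE(review): apt-key is deprecated on current Debian/Ubuntu releases in
  # favour of a per-repository keyring with `signed-by=`; kept as-is for the
  # platforms this 1.1.0 upgrade targets.
  pg_key_file="$(mktemp)"
  if [ -n "$pg_key_file" ] && wget --quiet https://www.postgresql.org/media/keys/ACCC4CF8.asc -O "$pg_key_file"; then
    APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key add "$pg_key_file" > /dev/null 2>&1
  else
    echo "[ ! ] Could not download the PostgreSQL repository signing key" >&2
  fi
  [ -n "$pg_key_file" ] && rm -f -- "$pg_key_file"
fi

# Hardening MySQL configuration, prevent local infile.
if [ -e /etc/mysql/my.cnf ]; then
  if ! grep -q local-infile /etc/mysql/my.cnf; then
    echo "[ * ] Hardening MySQL configuration..."
    # `local-infile=0` disables LOAD DATA LOCAL from clients. It is appended
    # right after the `symbolic-links=0` line so it lands in the same
    # section; if that line is absent nothing is added and the hardening
    # silently does not apply.
    sed -i '/symbolic-links\=0/a\local-infile=0' /etc/mysql/my.cnf
  fi
fi

# Hardening nginx configuration, drop TLSv1.1 support.
if [ -e /etc/nginx/nginx.conf ]; then
  if grep -qF 'TLSv1.1' /etc/nginx/nginx.conf; then
    echo "[ * ] Updating nginx security settings - disabling TLS v1.1..."
    # Removes the token (and its trailing space) from the ssl_protocols list.
    sed -i 's/TLSv1\.1 //g' /etc/nginx/nginx.conf
  fi
fi

# Fix logrotate permission bug for nginx
# (Earlier builds tested /etc/logrotate/nginx, a path that never exists, so
# the rewrite below was never applied; the config lives in /etc/logrotate.d.)
if [ -e /etc/logrotate.d/nginx ]; then
  sed -i "s/create 640 nginx adm/create 640/g" /etc/logrotate.d/nginx
fi

# Fix logrotate permission bug for apache
if [ -e /etc/logrotate.d/apache2 ]; then
  sed -i "s/create 640 root adm/create 640/g" /etc/logrotate.d/apache2
fi

# Repair messed up user log permissions from the logrotate bug. Ignoring errors
for user in $("$HESTIA"/bin/v-list-users plain | cut -f1); do
  for domain in $("$HESTIA"/bin/v-list-web-domains "$user" plain | cut -f1); do
    chown "root:$user" /var/log/"$WEB_SYSTEM"/domains/"$domain".* > /dev/null 2>&1
    # Field 7 of the plain listing is taken to be the comma-separated alias list.
    for sub_domain in $("$HESTIA"/bin/v-list-web-domain "$user" "$domain" plain | cut -f7 | tr ',' '\n'); do
      chown "root:$user" /var/log/"$WEB_SYSTEM"/domains/"$sub_domain".* > /dev/null 2>&1
    done
  done
done
# Guarded so that an unset WEBMAIL_ALIAS cannot expand to `domains/*` and
# undo the per-user ownership restored just above.
if [ -n "$WEBMAIL_ALIAS" ]; then
  chown root:root /var/log/"$WEB_SYSTEM"/domains/"$WEBMAIL_ALIAS"* > /dev/null 2>&1
fi

# Enable IMAP/POP3 quota information
if [ "$IMAP_SYSTEM" = "dovecot" ]; then
  echo "[ * ] Enabling IMAP quota information reporting..."
  # The shipped templates replace the installed files wholesale; unlike
  # webmail.inc above, no backup copy is taken first.
  for dovecot_conf in 20-pop3.conf 20-imap.conf 90-quota.conf; do
    if [ -e "/etc/dovecot/conf.d/$dovecot_conf" ]; then
      cp -f "$HESTIA/install/deb/dovecot/conf.d/$dovecot_conf" "/etc/dovecot/conf.d/$dovecot_conf"
    fi
  done
fi

# Trigger multiphp legacy migration script
# Count installed PHP-FPM versions by their pool directories (an unmatched
# glob stays literal and fails the -e test, giving 0).
num_php_versions=0
for php_pool_dir in /etc/php/*/fpm/pool.d; do
  [ -e "$php_pool_dir" ] && num_php_versions=$((num_php_versions + 1))
done
if [ "$num_php_versions" -gt 1 ] && [ -z "$WEB_BACKEND" ]; then
  echo "[ * ] Enabling modular Multi-PHP backend..."
  cp -rf "$HESTIA/data/templates/web" "$HESTIA_BACKUP/templates/web"
  bash "$HESTIA/install/upgrade/manual/migrate_multiphp.sh" > /dev/null 2>&1
fi

# Disable global subfolder alias for webmail in favor of subdomain
# (`rm -f` is already silent when the file is absent.)
rm -f /etc/nginx/conf.d/webmail.inc
rm -f /etc/apache2/conf.d/roundcube.conf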