[Feature] Enhanced and Optimized TLS (hestiacp#3555)

* Enhanced and Optimized TLS

* Prepare for installer and backup

* Prepare for upgrade (easy part)

* Prepare for upgrade (hell part)

* Minor changes and Prettier

* Changes for third-party compatibility

* Issue in check

---------

Co-authored-by: Jaap Marcus <9754650+jaapmarcus@users.noreply.github.com>

Author: myrevery

func/upgrade.sh

@@ -271,6 +271,9 @@ upgrade_init_backup() {
 	# Hestia Control Panel configuration files
 	mkdir -p $HESTIA_BACKUP/conf/hestia/
 
+	# OpenSSL configuration files
+	mkdir -p $HESTIA_BACKUP/conf/openssl/
+
 	# Hosting Packages
 	mkdir -p $HESTIA_BACKUP/packages/
 
@@ -352,12 +355,12 @@ upgrade_start_backup() {
 	if [ "$DEBUG_MODE" = "true" ]; then
 		echo "      - Packages"
 	fi
-	cp -rf $HESTIA/data/packages/* $HESTIA_BACKUP/packages/
+	cp -fr $HESTIA/data/packages/* $HESTIA_BACKUP/packages/
 
 	if [ "$DEBUG_MODE" = "true" ]; then
 		echo "      - Templates"
 	fi
-	cp -rf $HESTIA/data/templates/* $HESTIA_BACKUP/templates/
+	cp -fr $HESTIA/data/templates/* $HESTIA_BACKUP/templates/
 
 	if [ "$DEBUG_MODE" = "true" ]; then
 		echo "      - Configuration files:"
@@ -367,7 +370,13 @@ upgrade_start_backup() {
 	if [ "$DEBUG_MODE" = "true" ]; then
 		echo "      ---- hestia"
 	fi
-	cp -rf $HESTIA/conf/* $HESTIA_BACKUP/conf/hestia/
+	cp -fr $HESTIA/conf/* $HESTIA_BACKUP/conf/hestia/
+
+	# OpenSSL configuration files
+	if [ "$DEBUG_MODE" = "true" ]; then
+		echo "      ---- openssl"
+	fi
+	cp -f /etc/ssl/*.cnf $HESTIA_BACKUP/conf/openssl/
 
 	# System service configuration files (apache2, nginx, bind9, vsftpd, etc).
 	if [ -n "$WEB_SYSTEM" ]; then
@@ -424,7 +433,6 @@ upgrade_start_backup() {
 		if [ "$FTP_SYSTEM" = "vsftpd" ]; then
 			cp -f /etc/$FTP_SYSTEM.conf $HESTIA_BACKUP/conf/$FTP_SYSTEM/
 		fi
-
 		if [ "$FTP_SYSTEM" = "proftpd" ]; then
 			cp -f /etc/proftpd/proftpd.conf $HESTIA_BACKUP/conf/$FTP_SYSTEM/
 		fi
@@ -549,12 +557,12 @@ upgrade_b2_tool() {
 
 upgrade_cloudflare_ip() {
 	if [ "$WEB_SYSTEM" = "nginx" ] || [ "$PROXY_SYSTEM" = "nginx" ]; then
-		cf_ips="$(curl -fsLm2 --retry 1 https://api.cloudflare.com/client/v4/ips)"
+		cf_ips="$(curl -fsLm5 --retry 2 https://api.cloudflare.com/client/v4/ips)"
 
 		if [ -n "$cf_ips" ] && [ "$(echo "$cf_ips" | jq -r '.success//""')" = "true" ]; then
 			cf_inc="/etc/nginx/conf.d/cloudflare.inc"
 
-			echo "[ * ] Updating Cloudflare IP Ranges for Nginx..."
+			echo "[ * ] Updating Cloudflare IP Ranges for NGINX..."
 			echo "# Cloudflare IP Ranges" > $cf_inc
 			echo "" >> $cf_inc
 			echo "# IPv4" >> $cf_inc

install/common/dovecot/conf.d/10-ssl.conf

@@ -1,7 +1,7 @@
 ssl = yes
+ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256
 ssl_min_protocol = TLSv1.2
 ssl_prefer_server_ciphers = yes
-ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 
 ssl_cert = </usr/local/hestia/ssl/certificate.crt
 ssl_key = </usr/local/hestia/ssl/certificate.key

install/deb/exim/exim4.conf.4.94.template

@@ -63,6 +63,7 @@ tls_privatekey = \
 
 daemon_smtp_ports = 25 : 465 : 587
 tls_on_connect_ports = 465
+tls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE
 never_users = root
 host_lookup = *
 rfc1413_hosts = *

install/deb/exim/exim4.conf.template

@@ -63,6 +63,7 @@ tls_privatekey = \
 
 daemon_smtp_ports = 25 : 465 : 587
 tls_on_connect_ports = 465
+tls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE
 never_users = root
 host_lookup = *
 rfc1413_hosts = *

install/deb/nginx/nginx.conf

@@ -22,19 +22,19 @@ http {
 	client_body_timeout             180s;
 	client_header_buffer_size       2k;
 	client_body_buffer_size         256k;
-	client_max_body_size            256m;
+	client_max_body_size            1024m;
 	large_client_header_buffers     4 8k;
 	send_timeout                    60s;
 	keepalive_timeout               30s;
-	keepalive_requests              100000;
+	keepalive_requests              10000;
 	reset_timedout_connection       on;
 	server_tokens                   off;
 	server_name_in_redirect         off;
 	server_names_hash_max_size      512;
 	server_names_hash_bucket_size   512;
 	charset                         utf-8;
 	# FastCGI settings
-	fastcgi_buffers                 8 256k;
+	fastcgi_buffers                 512 4k;
 	fastcgi_buffer_size             256k;
 	fastcgi_busy_buffers_size       256k;
 	fastcgi_temp_file_write_size    256k;
@@ -51,14 +51,15 @@ http {
 	proxy_set_header                X-Real-IP $remote_addr;
 	proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
 	proxy_pass_header               Set-Cookie;
-	proxy_buffers                   32 4k;
-	proxy_buffer_size               8k;
+	proxy_buffers                   256 4k;
+	proxy_buffer_size               32k;
+	proxy_busy_buffers_size         32k;
+	proxy_temp_file_write_size      256k;
 	proxy_connect_timeout           30s;
 	proxy_read_timeout              300s;
 	proxy_send_timeout              180s;
 	# Log format
-	log_format                      main '$remote_addr - $remote_user [$time_local] $request '
-	  '"$status" $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"';
+	log_format                      main '$remote_addr - $remote_user [$time_local] $request "$status" $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
 	log_format                      bytes '$body_bytes_sent';
 	log_not_found                   off;
 	access_log                      off;
@@ -67,53 +68,46 @@ http {
 	default_type                    application/octet-stream;
 	# Compression
 	gzip                            on;
-	gzip_static                     on;
 	gzip_vary                       on;
+	gzip_static                     on;
 	gzip_comp_level                 6;
 	gzip_min_length                 1024;
-	gzip_buffers                    16 8k;
+	gzip_buffers                    128 4k;
 	gzip_http_version               1.1;
-	gzip_types                      text/plain text/css text/javascript text/js text/xml
-	  application/json application/javascript application/x-javascript application/xml
-	  application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
+	gzip_types                      text/css text/javascript text/js text/plain text/richtext text/shtml text/x-component text/x-java-source text/x-markdown text/x-script text/xml image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon font/otf font/ttf font/x-woff multipart/bag multipart/mixed application/eot application/font application/font-sfnt application/font-woff application/javascript application/javascript-binast application/json application/ld+json application/manifest+json application/opentype application/otf application/rss+xml application/ttf application/truetype application/vnd.api+json application/vnd.ms-fontobject application/wasm application/xhtml+xml application/xml application/xml+rss application/x-httpd-cgi application/x-javascript application/x-opentype application/x-otf application/x-perl application/x-protobuf application/x-ttf;
 	gzip_proxied                    any;
-	gzip_disable                    "MSIE [1-6]\.";
-    
-	# Cloudflare ips
+	# Cloudflare IPs
 	include                         /etc/nginx/conf.d/cloudflare.inc;
-	
-    # SSL PCI compliance
-	ssl_session_cache               shared:SSL:20m;
-	ssl_session_timeout             60m;
-	ssl_buffer_size                 1400;
-	ssl_protocols                   TLSv1.2 TLSv1.3;
-	ssl_prefer_server_ciphers       on;
-	ssl_ciphers                     "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+	# SSL PCI compliance
+	ssl_buffer_size                 1369;
+	ssl_ciphers                     "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256";
 	ssl_dhparam                     /etc/ssl/dhparam.pem;
-	ssl_ecdh_curve                  secp384r1;
-	ssl_session_tickets             off;
-	resolver                        1.1.1.1 8.8.8.8 valid=300s ipv6=off;
+	ssl_early_data                  on;
+	ssl_ecdh_curve                  auto;
+	ssl_prefer_server_ciphers       on;
+	ssl_protocols                   TLSv1.2 TLSv1.3;
+	ssl_session_cache               shared:SSL:20m;
+	ssl_session_tickets             on;
+	ssl_session_timeout             7d;
+	resolver                        1.0.0.1 8.8.4.4 1.1.1.1 8.8.8.8 valid=300s ipv6=off;
 	resolver_timeout                5s;
 	# Error pages
 	error_page                      403 /error/404.html;
 	error_page                      404 /error/404.html;
 	error_page                      410 /error/410.html;
 	error_page                      500 501 502 503 504 505 /error/50x.html;
 	# Proxy cache
-	proxy_cache_path                /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m
-	  max_size=1024m;
+	proxy_cache_path                /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
 	proxy_cache_key                 "$scheme$request_method$host$request_uri";
 	proxy_temp_path                 /var/cache/nginx/temp;
-	proxy_ignore_headers            Expires Cache-Control;
-	proxy_cache_use_stale           error timeout invalid_header http_502;
+	proxy_ignore_headers            Cache-Control Expires;
+	proxy_cache_use_stale           error timeout invalid_header updating http_502;
 	proxy_cache_valid               any 1d;
 	# FastCGI cache
-	fastcgi_cache_path              /var/cache/nginx/micro levels=1:2 keys_zone=microcache:10m
-	  max_size=1024m inactive=30m;
+	fastcgi_cache_path              /var/cache/nginx/micro levels=1:2 keys_zone=microcache:10m inactive=30m max_size=1024m;
 	fastcgi_cache_key               "$scheme$request_method$host$request_uri";
-	fastcgi_cache_methods           GET HEAD;
-	fastcgi_cache_use_stale         updating error timeout invalid_header http_500 http_503;
 	fastcgi_ignore_headers          Cache-Control Expires Set-Cookie;
+	fastcgi_cache_use_stale         error timeout invalid_header updating http_500 http_503;
 	add_header                      X-FastCGI-Cache $upstream_cache_status;
 
 	# Cache bypass
@@ -131,4 +125,4 @@ http {
 	# Wildcard include
 	include                         /etc/nginx/conf.d/*.conf;
 	include                         /etc/nginx/conf.d/domains/*.conf;
-}
+}

install/deb/proftpd/tls.conf

@@ -13,7 +13,9 @@
 TLSEngine                               on
 TLSLog                                  /var/log/proftpd/tls.log
 # this is an example of protocols, proftp works witl all, but use only the most secure ones like TLSv1.1 and TLSv1.2
-TLSProtocol                             TLSv1.2
+TLSCipherSuite                          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256
+TLSProtocol                             TLSv1.2 TLSv1.3
+TLSServerCipherPreference               on
 #
 # Server SSL certificate. You can generate a self-signed certificate using
 # a command like:
@@ -42,9 +44,9 @@ TLSRSACertificateKeyFile                /usr/local/hestia/ssl/certificate.key
 # Per default drop connection if client tries to start a renegotiate
 # This is a fix for CVE-2009-3555 but could break some clients.
 #
-#TLSOptions                                                     AllowClientRenegotiations
+#TLSOptions                      AllowClientRenegotiations
 #
-TLSOptions                       NoSessionReuseRequired AllowClientRenegotiations
+TLSOptions                      NoSessionReuseRequired AllowClientRenegotiations
 # Authenticate clients that want to use FTP over TLS?
 #
 #TLSVerifyClient                         off

install/deb/vsftpd/vsftpd.conf

@@ -31,7 +31,7 @@ utf8_filesystem=YES
 ssl_enable=YES
 allow_anon_ssl=NO
 require_ssl_reuse=NO
-ssl_ciphers=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
+ssl_ciphers=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256
 ssl_sslv2=NO
 ssl_sslv3=NO
 ssl_tlsv1=NO

install/hst-install-debian.sh

@@ -49,7 +49,7 @@ software="acl apache2 apache2-suexec-custom apache2-suexec-pristine apache2-util
   php$fpm_v-pgsql php$fpm_v-pspell php$fpm_v-readline php$fpm_v-xml php$fpm_v-zip postgresql postgresql-contrib
   proftpd-basic quota rrdtool rsyslog spamassassin sudo sysstat unrar-free unzip util-linux vim-common vsftpd whois zip zstd"
 
-installer_dependencies="apt-transport-https ca-certificates curl dirmngr gnupg wget"
+installer_dependencies="apt-transport-https ca-certificates curl dirmngr gnupg openssl wget"
 
 # Defining help function
 help() {
@@ -685,7 +685,7 @@ if [ -z "$(swapon -s)" ] && [ "$memory" -lt 1000000 ]; then
 	chmod 600 /swapfile
 	mkswap /swapfile
 	swapon /swapfile
-	echo "/swapfile   none    swap    sw    0   0" >> /etc/fstab
+	echo "/swapfile	none	swap	sw	0	0" >> /etc/fstab
 fi
 
 #----------------------------------------------------------#
@@ -786,7 +786,10 @@ check_result $? 'apt-get upgrade failed'
 mkdir -p $hst_backups
 cd $hst_backups
 mkdir nginx apache2 php vsftpd proftpd bind exim4 dovecot clamd
-mkdir spamassassin mysql postgresql hestia
+mkdir spamassassin mysql postgresql openssl hestia
+
+# Backup OpenSSL configuration
+cp /etc/ssl/openssl.cnf $hst_backups/openssl > /dev/null 2>&1
 
 # Backup nginx configuration
 systemctl stop nginx > /dev/null 2>&1
@@ -799,7 +802,7 @@ rm -f /etc/apache2/conf.d/* > /dev/null 2>&1
 
 # Backup PHP-FPM configuration
 systemctl stop php*-fpm > /dev/null 2>&1
-cp -r /etc/php/* $hst_backups/php/ > /dev/null 2>&1
+cp -r /etc/php/* $hst_backups/php > /dev/null 2>&1
 
 # Backup Bind configuration
 systemctl stop bind9 > /dev/null 2>&1
@@ -1261,6 +1264,22 @@ cp -rf $HESTIA_COMMON_DIR/api $HESTIA/data/
 # Configuring server hostname
 $HESTIA/bin/v-change-sys-hostname $servername > /dev/null 2>&1
 
+# Configuring global OpenSSL options
+echo "[ * ] Configuring OpenSSL to improve TLS performance..."
+tls13_ciphers="TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384"
+if [ "$release" = "10" ] || [ "$release" = "11" ]; then
+	sed -i '/^system_default = system_default_sect$/a system_default = hestia_openssl_sect\n\n[hestia_openssl_sect]\nCiphersuites = '"$tls13_ciphers"'\nOptions = PrioritizeChaCha' /etc/ssl/openssl.cnf
+elif [ "$release" = "12" ]; then
+	if ! grep -qw "^ssl_conf = ssl_sect$" /etc/ssl/openssl.cnf 2> /dev/null; then
+		sed -i '/providers = provider_sect$/a ssl_conf = ssl_sect' /etc/ssl/openssl.cnf
+	fi
+	if ! grep -qw "^[ssl_sect]$" /etc/ssl/openssl.cnf 2> /dev/null; then
+		sed -i '$a \\n[ssl_sect]\nsystem_default = hestia_openssl_sect\n\n[hestia_openssl_sect]\nCiphersuites = '"$tls13_ciphers"'\nOptions = PrioritizeChaCha' /etc/ssl/openssl.cnf
+	elif grep -qw "^system_default = system_default_sect$" /etc/ssl/openssl.cnf 2> /dev/null; then
+		sed -i '/^system_default = system_default_sect$/a system_default = hestia_openssl_sect\n\n[hestia_openssl_sect]\nCiphersuites = '"$tls13_ciphers"'\nOptions = PrioritizeChaCha' /etc/ssl/openssl.cnf
+	fi
+fi
+
 # Generating SSL certificate
 echo "[ * ] Generating default self-signed SSL certificate..."
 $HESTIA/bin/v-generate-ssl-cert $(hostname) '' 'US' 'California' \
@@ -1335,12 +1354,12 @@ for ip in $dns_resolver; do
 	fi
 done
 if [ -n "$resolver" ]; then
-	sed -i "s/1.1.1.1 8.8.8.8/$resolver/g" /etc/nginx/nginx.conf
-	sed -i "s/1.1.1.1 8.8.8.8/$resolver/g" /usr/local/hestia/nginx/conf/nginx.conf
+	sed -i "s/1.0.0.1 8.8.4.4 1.1.1.1 8.8.8.8/$resolver/g" /etc/nginx/nginx.conf
+	sed -i "s/1.0.0.1 8.8.4.4 1.1.1.1 8.8.8.8/$resolver/g" /usr/local/hestia/nginx/conf/nginx.conf
 fi
 
 # https://github.com/ergin/nginx-cloudflare-real-ip/
-cf_ips="$(curl -fsLm2 --retry 1 https://api.cloudflare.com/client/v4/ips)"
+cf_ips="$(curl -fsLm5 --retry 2 https://api.cloudflare.com/client/v4/ips)"
 
 if [ -n "$cf_ips" ] && [ "$(echo "$cf_ips" | jq -r '.success//""')" = "true" ]; then
 	cf_inc="/etc/nginx/conf.d/cloudflare.inc"
@@ -1479,7 +1498,7 @@ if [ "$vsftpd" = 'yes' ]; then
 	touch /var/log/xferlog
 	chown root:adm /var/log/xferlog
 	chmod 640 /var/log/xferlog
-	update-rc.d vsftpd defaults
+	update-rc.d vsftpd defaults > /dev/null 2>&1
 	systemctl start vsftpd >> $LOG
 	check_result $? "vsftpd start failed"
 fi