Chore/config updates (hestiacp#4477)

ioannidesalex · jaapmarcus · web-flow · commit dd8f9fcd594a · 2024-08-01T08:46:44.000+02:00
* Add max connections per host for Exim, increase global limit

* Add xferlog to logrotate

* VSFTPD TLS 1.2 ciphers only

* Run NPM Format

* Apply changes to upgrade script

---------

Co-authored-by: Jaap Marcus &lt;9754650+jaapmarcus@users.noreply.github.com&gt;
diff --git a/install/deb/exim/exim4.conf.4.94.template b/install/deb/exim/exim4.conf.4.94.template
@@ -14,6 +14,8 @@ smtp_active_hostname = ${lookup dnsdb{>: defer_never,ptr=$interface_address}{${l
 add_environment = <; PATH=/bin:/usr/bin
 keep_environment =
 disable_ipv6 = true
+smtp_accept_max = 100
+smtp_accept_max_per_host = 20
 
 smtputf8_advertise_hosts =
 domainlist local_domains = dsearch;/etc/exim4/domains/
diff --git a/install/deb/exim/exim4.conf.4.95.template b/install/deb/exim/exim4.conf.4.95.template
@@ -14,6 +14,8 @@ smtp_active_hostname = ${lookup dnsdb{>: defer_never,ptr=$interface_address}{${l
 add_environment = <; PATH=/bin:/usr/bin
 keep_environment =
 disable_ipv6 = true
+smtp_accept_max = 100
+smtp_accept_max_per_host = 20
 
 SRS_SECRET = ${readfile{/etc/exim4/srs.conf}}
 
diff --git a/install/deb/exim/exim4.conf.template b/install/deb/exim/exim4.conf.template
@@ -14,6 +14,8 @@ smtp_active_hostname = ${lookup dnsdb{>: defer_never,ptr=$interface_address}{${l
 add_environment = <; PATH=/bin:/usr/bin
 keep_environment =
 disable_ipv6 = true
+smtp_accept_max = 100
+smtp_accept_max_per_host = 20
 
 smtputf8_advertise_hosts =
 domainlist local_domains = dsearch;/etc/exim4/domains/
diff --git a/install/deb/vsftpd/vsftpd.conf b/install/deb/vsftpd/vsftpd.conf
@@ -1,3 +1,4 @@
+listen=YES
 anonymous_enable=NO
 local_enable=YES
 write_enable=YES
@@ -10,7 +11,6 @@ connect_from_port_20=YES
 xferlog_std_format=YES
 dual_log_enable=YES
 chroot_local_user=YES
-listen=YES
 pam_service_name=vsftpd
 ftpd_banner=Welcome! Please note that all activity is logged.
 userlist_enable=NO
@@ -33,7 +33,7 @@ utf8_filesystem=YES
 ssl_enable=YES
 allow_anon_ssl=NO
 require_ssl_reuse=NO
-ssl_ciphers=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256
+ssl_ciphers=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
 ssl_sslv2=NO
 ssl_sslv3=NO
 ssl_tlsv1=NO
diff --git a/install/hst-install-debian.sh b/install/hst-install-debian.sh
@@ -1700,6 +1700,9 @@ if [ "$vsftpd" = 'yes' ]; then
 	touch /var/log/xferlog
 	chown root:adm /var/log/xferlog
 	chmod 640 /var/log/xferlog
+	if [ -s /etc/logrotate.d/vsftpd ] && ! grep -Fq "/var/log/xferlog" /etc/logrotate.d/vsftpd; then
+		sed -i 's|/var/log/vsftpd.log|/var/log/vsftpd.log /var/log/xferlog|g' /etc/logrotate.d/vsftpd
+	fi
 	update-rc.d vsftpd defaults > /dev/null 2>&1
 	systemctl start vsftpd >> $LOG
 	check_result $? "vsftpd start failed"
diff --git a/install/hst-install-ubuntu.sh b/install/hst-install-ubuntu.sh
@@ -1724,6 +1724,9 @@ if [ "$vsftpd" = 'yes' ]; then
 	touch /var/log/xferlog
 	chown root:adm /var/log/xferlog
 	chmod 640 /var/log/xferlog
+	if [ -s /etc/logrotate.d/vsftpd ] && ! grep -Fq "/var/log/xferlog" /etc/logrotate.d/vsftpd; then
+		sed -i 's|/var/log/vsftpd.log|/var/log/vsftpd.log /var/log/xferlog|g' /etc/logrotate.d/vsftpd
+	fi
 	update-rc.d vsftpd defaults > /dev/null 2>&1
 	systemctl start vsftpd >> $LOG
 	check_result $? "vsftpd start failed"
diff --git a/install/upgrade/versions/1.9.0.sh b/install/upgrade/versions/1.9.0.sh
@@ -80,5 +80,20 @@ for package in $packages; do
 	done
 done
 
+# Add xferlog to vsftpd logrotate
+if [ -s /etc/logrotate.d/vsftpd ] && ! grep -Fq "/var/log/xferlog" /etc/logrotate.d/vsftpd; then
+	sed -i 's|/var/log/vsftpd.log|/var/log/vsftpd.log /var/log/xferlog|g' /etc/logrotate.d/vsftpd
+fi
+
+# Use only TLS 1.2 cipher suites for vsftpd
+if [ -s /etc/vsftpd.conf ]; then
+	sed -i "s/ssl_ciphers.*/ssl_ciphers=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305/g" /etc/vsftpd.conf
+fi
+
+# Increase max connections and limit number of connections per host for Exim
+if [ -s /etc/exim4/exim4.conf.template ] && ! grep -Fq "smtp_accept_max" /etc/exim4/exim4.conf.template; then
+	sed -i '/disable_ipv6 = true/a\smtp_accept_max = 100\nsmtp_accept_max_per_host = 20' /etc/exim4/exim4.conf.template
+fi
+
 $BIN/v-add-user-notification 'admin' 'Hestia security has been upgraded' ' A new user "hestiaweb" has been created and is used for login. Make sure other Hestia packages are updated as well otherwise the system may not work as expected.'
 add_upgrade_message 'Security has been upgraded, A new user "hestiaweb" has been created and is used for login. Make sure other Hestia packages are updated as well otherwise the system may not work as expected.'
