ISPConfig Tuning

- Change the default editor; run:

update-alternatives --config editor

- and pick the editor you want as the default


- Adding rules to fail2ban

vim /etc/fail2ban/jail.local

[ssh]
enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 3

[ssh-ddos]
enabled = true
port    = ssh
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 5

/etc/init.d/fail2ban restart

- The key must be spelled exactly "enabled": fail2ban ignores keys it does not know, so a typo leaves the jail at whatever jail.conf says. Check that both jails are really running with:

fail2ban-client status


- Manually removing a ban from fail2ban:

- run:

iptables -L -n

Chain fail2ban-dovecot-pop3imap (1 references)
target     prot opt source               destination
DROP       all  --  95.162.128.155       0.0.0.0/0
DROP       all  --  5.12.230.36          0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

- and if we want to remove, say, 5.12.230.36, we run:

iptables -D fail2ban-dovecot-pop3imap -s 5.12.230.36 -j DROP

- Deleting the rule by hand leaves fail2ban's own ban list out of sync: it still records the IP as banned, so it will not ban it again until that ban expires, even if the attacks resume. With fail2ban 0.8.8 or newer, unban through fail2ban instead and let it remove the iptables rule itself (the chain name is fail2ban- followed by the jail name):

fail2ban-client set dovecot-pop3imap unbanip 5.12.230.36

- How to whitelist IPs in fail2ban:

vi /etc/fail2ban/jail.local

- (jail.conf works too, but it is overwritten on package upgrades; jail.local overrides it and survives them.) In the [DEFAULT] section add the IPs that should never be checked, separated by spaces. Single addresses and CIDR prefixes are both accepted; the value replaces the default rather than extending it, so keep 127.0.0.1 in the list if jail.conf had it:

ignoreip = 192.168.0.23 192.168.23.0/24 10.10.10.10/25

then restart the service:

service fail2ban restart
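As an added example (not part of the original notes), the POSIX shell script below ties the two previous steps together: it reads an `iptables -L -n` listing, pulls the banned sources out of a fail2ban chain, tests each one against an ignoreip value the way fail2ban does (each entry is either a single address or a CIDR prefix) and prints the fail2ban-client command that undoes any ban the whitelist should have prevented. The listing embedded in it is constructed for the demonstration (the two extra bans in whitelisted ranges are invented); chain names follow fail2ban's fail2ban-<jail> convention, and only IPv4 is handled.

```shell
#!/bin/sh
# Added example: reconcile fail2ban bans against an ignoreip whitelist.
# The sample listing below is constructed; only IPv4 is handled.

# Dotted quad -> 32-bit integer (subshell body so the IFS change stays local).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# ip_in_cidr IP ENTRY  -> true if IP is inside ENTRY ("a.b.c.d" or "a.b.c.d/N").
ip_in_cidr() {
    net=${2%%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32          # no prefix length given: exact host
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# is_ignored IP "IGNOREIP VALUE"  -> true if any whitelist entry covers IP.
is_ignored() {
    for entry in $2; do
        ip_in_cidr "$1" "$entry" && return 0
    done
    return 1
}

# banned_ips CHAIN  (stdin: output of "iptables -L -n")
# prints the source address of every DROP rule inside that chain only.
banned_ips() {
    awk -v chain="$1" '
        /^Chain /               { inchain = ($2 == chain); next }
        inchain && $1 == "DROP" { print $4 }
    '
}

# whitelisted_bans JAIL "IGNOREIP VALUE"  (stdin: output of "iptables -L -n")
# prints an unban command for each banned IP that ignoreip should have protected.
whitelisted_bans() {
    banned_ips "fail2ban-$1" | while read -r ip; do
        if is_ignored "$ip" "$2"; then
            echo "fail2ban-client set $1 unbanip $ip"
        fi
    done
}

# Constructed sample, modelled on the listing above plus two bans inside
# whitelisted ranges (192.168.23.77 and 10.10.10.50 are invented).
SAMPLE_IPTABLES='Chain fail2ban-dovecot-pop3imap (1 references)
target     prot opt source               destination
DROP       all  --  95.162.128.155       0.0.0.0/0
DROP       all  --  5.12.230.36          0.0.0.0/0
DROP       all  --  192.168.23.77        0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  10.10.10.50          0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# The ignoreip value from jail.local above.
IGNOREIP='192.168.0.23 192.168.23.0/24 10.10.10.10/25'

printf '%s\n' "$SAMPLE_IPTABLES" | whitelisted_bans dovecot-pop3imap "$IGNOREIP"
printf '%s\n' "$SAMPLE_IPTABLES" | whitelisted_bans ssh "$IGNOREIP"
# On a live server: iptables -L -n | whitelisted_bans ssh "$IGNOREIP" | sh
```

The prefix test is the same arithmetic fail2ban applies: mask both addresses with the prefix length and compare. A ban that shows up here means the whitelist was edited after the ban, or lives in jail.conf and was lost on an upgrade.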

 

- Better spam protection:

cp -pf /etc/postfix/main.cf /etc/postfix/main.cf.bak
postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf'
/etc/init.d/postfix restart

- The order matters: permit_mynetworks and permit_sasl_authenticated first, then reject_unauth_destination before the RBL checks, so the server never relays for strangers and does not spend DNS lookups on mail it would reject anyway (repeating an entry, which is easy to do when pasting, changes nothing but clutters the list). Keep the ISPConfig check_recipient_access map, otherwise per-mailbox rules set in the panel stop working. Before copying the RBL list, confirm that each zone is still in service: a dead zone either silently stops blocking or, as has happened with some retired lists, starts answering positively for everything.
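Added example, not from the original notes: a small linter for an smtpd_recipient_restrictions value, to run before handing it to postconf -e. It flags the conditions a reviewer looks for first: no reject_unauth_destination at all (an open relay), a bare permit or an RBL lookup placed before the relay check, and repeated entries. The first sample is a list like the one above but with reject_unknown_recipient_domain and reject_unauth_destination repeated; the other two are deliberately broken lists constructed for the demonstration (zen.spamhaus.org there is just an illustrative zone name).

```shell
#!/bin/sh
# Added example: lint an smtpd_recipient_restrictions value before applying it.
# Prints one finding per line; exit status 0 means nothing was found.
check_restrictions() {
    printf '%s\n' "$1" | tr ',' '\n' | awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        $0 == "" { next }
        {
            n++
            item[n] = $0      # full entry, e.g. "reject_rbl_client cbl.abuseat.org"
            name[n] = $1      # restriction keyword without its argument
            if (!relay && (name[n] == "reject_unauth_destination" || name[n] == "defer_unauth_destination"))
                relay = n     # position of the relay check
        }
        END {
            bad = 0
            if (!relay) { print "OPEN RELAY: no reject_unauth_destination in the list"; bad++ }
            for (i = 1; i <= n; i++) {
                if (relay && i < relay && name[i] == "permit") {
                    print "OPEN RELAY: bare permit at position " i " comes before reject_unauth_destination"; bad++
                }
                if (relay && i < relay && name[i] == "reject_rbl_client") {
                    print "order: " item[i] " runs before the relay check; move reject_unauth_destination up"; bad++
                }
                if (seen[item[i]]++) { print "duplicate: " item[i]; bad++ }
            }
            exit (bad > 0)
        }'
}

# Restriction list as above, but with two entries repeated (a common paste result).
PAGE_VALUE='permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination'
# Constructed: a bare "permit" and an RBL lookup precede the relay check.
WEAK_VALUE='permit_mynetworks, reject_rbl_client zen.spamhaus.org, permit, reject_unauth_destination'
# Constructed: no relay control at all.
NO_RELAY_CHECK='permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org'

for v in "$PAGE_VALUE" "$WEAK_VALUE" "$NO_RELAY_CHECK"; do
    echo "== $v"
    check_restrictions "$v" || echo "-> fix before running postconf -e"
done
# Live check of the running configuration:
#   check_restrictions "$(postconf -h smtpd_recipient_restrictions)"
```

The check only looks at the restriction keywords, not at what access maps such as check_recipient_access return; a map that answers OK before reject_unauth_destination can still open the relay, so review those maps separately.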

 

- Postgrey removes a lot of spam:

apt-get install postgrey
/etc/init.d/postgrey start

vim /etc/postfix/main.cf

- and add to smtpd_recipient_restrictions (after reject_unauth_destination): check_policy_service inet:127.0.0.1:60000

postfix reload

- Check the port first: upstream postgrey listens on 60000, but the Debian/Ubuntu package takes its options from /etc/default/postgrey and defaults to 10023. If the port in main.cf does not match, Postfix cannot reach the policy server and answers every recipient with a temporary 450 rejection until it is fixed.


- Multitail

apt-get -y install multitail
mkdir -p /root/scripts
cd /root/scripts
vim mytail

#!/bin/bash
multitail -ci yellow -e "ailed" -n 1000 /var/log/auth.log  \
-ci red -e "Ban" -n 1000 -I /var/log/fail2ban.log \
-ci red -e "fw" -n 1000 -I /var/log/messages \
-ci green -e "Unban" -n 1000 -I /var/log/messages \
-ci blue -e "fail" -n 1000 -I /var/log/syslog
chmod 700 /root/scripts/mytail

- check that it works: /root/scripts/mytail
- and make a shortcut so it can be run directly as mytail:
ln -s /root/scripts/mytail /usr/bin/mytail


SSH on port 52222
- First go to "System - Firewall" in ISPConfig and add port 52222 at the end of the open TCP ports list; ISPConfig regenerates the firewall rules from that list, so a port that is not in it gets blocked.

vim /etc/ssh/sshd_config

- and change the port from 22 to 52222:

Port 52222

/etc/init.d/ssh restart

- Do this from a session you keep open, and log in on the new port from a second terminal before closing it. A safer cutover is to list both ports for a while (sshd accepts several Port lines), run sshd -t, restart, confirm the new port works, and only then remove Port 22.
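An added example (not from the original notes) of that two-step cutover in POSIX shell: add_sshd_port puts the new Port line next to the existing one so both are served, list_sshd_ports shows what sshd will bind, and drop_sshd_port removes the old port once a login on the new one has been verified from a second session. The demo works on a constructed temporary copy of sshd_config so it can be run without touching the live file; on the real server point the functions at /etc/ssh/sshd_config, run sshd -t between the steps and restart as above (the ISPConfig firewall entry for the new port is assumed to be in place).

```shell
#!/bin/sh
# Added example: change the sshd port without locking yourself out.
# Works on any file path; the demo below uses a constructed temporary config.

# list_sshd_ports CONFIG -> active (uncommented) Port values, space separated.
list_sshd_ports() {
    awk 'tolower($1) == "port" { printf "%s%s", sep, $2; sep = " " } END { print "" }' "$1"
}

# add_sshd_port CONFIG PORT -> add "Port PORT" while keeping every existing Port.
add_sshd_port() {
    cfg=$1; port=$2
    if list_sshd_ports "$cfg" | tr ' ' '\n' | grep -qx "$port"; then
        return 0                                    # already listed
    fi
    if grep -qi '^[[:space:]]*Port[[:space:]]' "$cfg"; then
        # Insert right after the first live Port line so the old port keeps working.
        awk -v p="$port" '
            tolower($1) == "port" && !added { print; print "Port " p; added = 1; next }
            { print }' "$cfg" > "$cfg.tmp"
    else
        # No explicit Port means sshd listens on 22; spell that out before adding ours.
        { printf 'Port 22\nPort %s\n' "$port"; cat "$cfg"; } > "$cfg.tmp"
    fi
    mv "$cfg.tmp" "$cfg"
}

# drop_sshd_port CONFIG PORT -> remove that Port line. Only do this after a
# successful login on the new port from a second terminal.
drop_sshd_port() {
    awk -v p="$2" '!(tolower($1) == "port" && $2 == p)' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demo on a constructed config (not the live /etc/ssh/sshd_config).
CFG=$(mktemp)
printf '%s\n' '# constructed sample sshd_config' 'Port 22' 'PermitRootLogin no' 'PasswordAuthentication no' > "$CFG"
add_sshd_port "$CFG" 52222
echo "step 1, both ports active: $(list_sshd_ports "$CFG")"
# ... restart sshd here, then log in on 52222 from a second terminal ...
drop_sshd_port "$CFG" 22
echo "step 2, after cutover:     $(list_sshd_ports "$CFG")"
rm -f "$CFG"
```

Debian ships sshd_config with the port commented out (#Port 22), which the functions treat as "22 implied" and make explicit, so the intermediate state is always visible in the file rather than assumed.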


- MySQL tuner

cd /root/scripts
wget http://www.day32.com/MySQL/tuning-primer.sh
wget http://mysqltuner.com/mysqltuner.pl
chmod 700 tuning-primer.sh mysqltuner.pl
perl /root/scripts/mysqltuner.pl
/root/scripts/tuning-primer.sh

- Both scripts are fetched over plain HTTP and then run as root with the MySQL root password, so read them before running them and prefer an HTTPS source where the project offers one. Treat the output as suggestions: let MySQL run under real load for at least a day first, otherwise the statistics they reason from are meaningless (mysqltuner itself warns when uptime is under 24 hours).


(D)DoS Deflate

cd /tmp
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
vim /usr/local/ddos/ddos.conf

[...]
APF_BAN=0
EMAIL_TO="webmaster@widehosting.net"
NO_OF_CONNECTIONS=100
[...]

- we get an alert at 100 connections from a single IP (APF_BAN=0 makes it use iptables rather than APF). The threshold counts connections per source address, so a NAT gateway or proxy with many users behind one IP can trip it; add such addresses to /usr/local/ddos/ignore.ip.list. As with the MySQL scripts, this is an installer pulled over plain HTTP and run as root: inspect it first.


- Tuning rkhunter:

vim /etc/rkhunter.conf

[...]
MAIL-ON-WARNING=webmaster@widehosting.net
[...]

- Several recipients can be listed, separated by spaces. After intentional package updates run rkhunter --propupd, otherwise every changed binary is reported as a warning and the real ones drown in the noise.

LM-Sensors: monitoring temperatures and the like

apt-get -y install lm-sensors
sensors-detect

apt-get -y install smartmontools
fdisk -l

- fdisk -l shows which disk devices to query; then for each one:

~# smartctl -a /dev/hda
smartctl version 5.36 [i686-pc-linux-gnu] Copyright (C) 2002-6 Bruce Allen
Home page is http://smartmontools.sourceforge.net/

- Changing the admin password

mysql -u root -p
use dbispconfig;
UPDATE sys_user SET passwort = md5('NEWPASSWORD') WHERE username = 'admin';
quit

- The column really is called passwort. The md5() form only applies to old ISPConfig 3.0 installs; newer releases store salted crypt hashes (values starting with $), so look at the existing value before overwriting it, or the admin login stops working. Type the MySQL root password at the prompt rather than passing it on the command line, where it would land in ~/.bash_history and in ps output.


- Stopping DNS floods:

vim /etc/bind/named.conf.options

[...]
recursion no;
[...]

- This is the right setting for an authoritative server, which is what an ISPConfig DNS server is. If the same machine is also the resolver for its own services or for local clients, do not turn recursion off globally; restrict it with allow-recursion { localhost; }; (or your LAN) instead, otherwise local name resolution breaks.

vim /etc/bind/named.conf

[...]
logging {
channel security_file {
file "/var/log/named/security.log" versions 3 size 30m;
severity dynamic;
print-time yes;
};
category security {
security_file;
};
};
[...]

mkdir /var/log/named
chown bind:bind /var/log/named
chmod 750 /var/log/named

- bind only needs write access for itself; a world-writable log directory would let any local user plant or truncate the files that fail2ban reads next.

vim /etc/fail2ban/jail.conf

- and change

[named-refused-udp]
enabled = false
[named-refused-tcp]
enabled = false

- to true for both (better: put the two stanzas with enabled = true in jail.local, as above, so the change survives package upgrades)

/etc/init.d/fail2ban restart


- ISPConfig directories

  • /usr/local/ispconfig/ : ISPConfig main directory.
    • (/usr/local/ispconfig/)interface/web/ : ISPConfig web interface (also symlinked as /var/www/ispconfig).
    • (/usr/local/ispconfig/)server/lib/config.inc.php : ISPConfig server config file.
    • (/usr/local/ispconfig/)interface/lib/config.inc.php : ISPConfig interface config file. Both config.inc.php files contain the database credentials; keep their permissions as the installer set them.
  • /var/www/clients/ : the base web directory on a web server.
    • client1/ : folder that contains all webs of the client with ID 1.
    • client2/ : folder that contains all webs of the client with ID 2.
      • rummel.com -> /var/www/clients/client2/web4 : a symlink to the folder that contains the web for rummel.com (domain_id = 4).
      • web4/ : folder that contains the website with domain_id 4, rummel.com (panel server > MySQL > dbispconfig.web_domain.domain_id).
        • web/ : the site's document root, served over both http and https.
        • ssl/ : the site's SSL certificate and key.

Other directories & files :

  • /etc/postfix/smtpd.key : private key.
  • /etc/postfix/smtpd.cert : certificate containing the public key.
  • /var/log/ispconfig/httpd/rummel.com : access & error logs for rummel.com.

- Roundcube performance tuning:

$rcmail_config['imap_cache'] = 'db';
$rcmail_config['messages_cache'] = true;

http://trac.roundcube.net/wiki/Howto_Performance


- The welcome message is edited in:
vim /usr/local/ispconfig/server/conf/mail/


- Enabling port 587 (submission):
vim /etc/postfix/master.cf
#submission inet n       -       n       -       -       smtpd
- must become:
submission inet n       -       n       -       -       smtpd
- and uncomment the -o smtpd_tls_security_level=encrypt and -o smtpd_sasl_auth_enable=yes lines below it, so that the submission port requires TLS and authentication; then:
postfix reload


- keeping SpamAssassin up to date:
crontab -e
23 4 */2 * * /usr/bin/sa-update > /dev/null 2>&1 && /etc/init.d/amavis restart

- Three things to watch in this job. Do not add --nogpg: it disables signature verification of the downloaded rules, so the job would install whatever a tampered mirror serves (sa-update verifies against its built-in key by default). New rules are only read when the daemon that uses them restarts, amavisd-new on an ISPConfig mail server; sa-update exits 0 only when it actually installed an update, so chaining the restart with && restarts amavis exactly when needed. And &> is bash syntax: cron runs /bin/sh, where "cmd &> /dev/null" means "run cmd in the background", so write > /dev/null 2>&1.


- Postfix utilities:

- Show the mails in the queue:

postqueue -p

- Delete a mail by queue ID:

postsuper -d MessageID

- Delete the messages from one sender:

mailq | grep senderhostname | awk '{ print $1 }' | postsuper -d -

- Careful with that one-liner: it hands postsuper the first word of every mailq line that mentions the name, which includes recipient lines and "(connect to ...)" error lines, and the IDs of active or held messages carry a trailing * or ! that is not a valid queue ID. The form adapted from the example in postsuper(1) works record by record (one message per paragraph), looks only at the sender field and strips the markers:

mailq | tail -n +2 | grep -v '^ *(' | awk 'BEGIN { RS = "" } $7 ~ /@senderhostname$/ { print $1 }' | tr -d '*!' | postsuper -d -

- If the server is swamped with mail, the current queue can be moved to hold:

postsuper -h ALL

- To put them back into the outgoing queue:

postsuper -r ALL
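Added example, not from the original notes: the sender-based selection above as a shell function that parses mailq output record by record, next to the naive grep version for comparison. The queue listing embedded below is constructed in the format mailq prints (the IDs, addresses and the 192.0.2.1 host are invented); run against it, the naive version yields four tokens, two of which are not queue IDs at all and one of which carries a trailing *, while the record-based version returns exactly the two messages from the spammer's domain.

```shell
#!/bin/sh
# Added example: pick queue IDs out of mailq output by sender, the way the
# grep one-liner above intends but without its false matches.

# queue_ids_from_sender WHO  (stdin: mailq / postqueue -p output)
# WHO is a full address or just a domain; prints one clean queue ID per line.
queue_ids_from_sender() {
    tail -n +2 | awk -v want="$1" '
        BEGIN { RS = "" }                # blank-line separated: one record per message
        /^-- /      { next }             # trailing "-- N Kbytes in M Requests." summary
        {
            id = $1; sub(/[*!]$/, "", id)        # "*" = active, "!" = on hold
            sender = $7                          # ID size Day Mon DD HH:MM:SS sender
            split(sender, part, "@")
            if (sender == want || part[2] == want) print id
        }'
}

# naive_ids WHO: the grep/awk one-liner from above, kept for comparison.
naive_ids() {
    grep "$1" | awk '{ print $1 }'
}

# Constructed sample in the format mailq prints (not a real queue).
SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
7A3B012345*    1234 Mon Jan  1 10:00:00  bounce@spammer.example
                                         victim@rummel.com

9C4D567890!    5678 Mon Jan  1 10:01:00  alice@rummel.com
(connect to mx.spammer.example[192.0.2.1]:25: Connection timed out)
                                         bob@spammer.example

1E2F000001     4321 Mon Jan  1 10:02:00  bounce@spammer.example
                                         carol@rummel.com

-- 11 Kbytes in 3 Requests.'

echo "what the naive one-liner would feed to postsuper:"
printf '%s\n' "$SAMPLE_MAILQ" | naive_ids spammer.example
echo "record-based match on the sender field:"
printf '%s\n' "$SAMPLE_MAILQ" | queue_ids_from_sender spammer.example
# Live use: mailq | queue_ids_from_sender spammer.example | postsuper -d -
```

Message 9C4D567890 is legitimate outbound mail from alice@rummel.com to the spammer's domain; the naive version would have tried to delete it (via the recipient line) and also passed "(connect" to postsuper, while the record-based version leaves it alone because only the sender is compared.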


- Disabling SSL on the panel:

vim /etc/nginx/sites-available/ispconfig.vhost

- the first lines must look like this:

ssl off;
# ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;
# ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;

- then:

/etc/init.d/nginx restart

- After this the admin login, every client password and the session cookie travel in clear text on port 8080. Only do it for a panel reachable exclusively from a trusted network; if the problem is a broken or expired certificate, replace the ispserver.crt/ispserver.key pair instead of switching TLS off.

- Enabling verbose logging for PureFTPd

echo 'yes' > /etc/pure-ftpd/conf/VerboseLog

- then restart:

/etc/init.d/pure-ftpd-mysql restart
tail -n 100 /var/log/syslog | grep ftpd

- to turn it off again:

rm -f /etc/pure-ftpd/conf/VerboseLog
/etc/init.d/pure-ftpd-mysql restart


Installing the ionCube loader on 64-bit

wget http://downloads2.ioncube.com/loader_downloads/ioncube_loaders_lin_x86-64.tar.gz

tar xfvz ioncube_loaders_lin_x86-64.tar.gz

ls /usr/lib/php5/

20100525/    libexec/     maxlifetime

- the directory name is the PHP extension API version; copy the loader that matches the installed PHP (5.4 here, so ioncube_loader_lin_5.4.so):

cp ioncube/ioncube_loader_lin_5.4.so /usr/lib/php5/20100525/ioncube.so

vim /etc/php5/conf.d/ioncube.ini

zend_extension = /usr/lib/php5/20100525/ioncube.so

Voila:

# php -v
PHP 5.4.4-14+deb7u3 (cli) (built: Jul 17 2013 14:54:08)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
    with the ionCube PHP Loader v4.4.1, Copyright (c) 2002-2013, by ionCube Ltd.

- The loader is a binary extension that runs inside every PHP process on the server, and the download above is over plain HTTP: fetch it over HTTPS from the vendor instead. Restart Apache or php-fpm afterwards; php -v only proves that the CLI picked it up.

