ISPConfig Tuning
- Changing the default editor in ISPConfig; run:
update-alternatives --config editor
- and pick the editor you want as the default
- Adding rules to fail2ban
vim /etc/fail2ban/jail.local
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

[ssh-ddos]
enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 5
/etc/init.d/fail2ban restart
- Manual removal from fail2ban:
- run:
iptables -L -n
Chain fail2ban-dovecot-pop3imap (1 references)
target prot opt source destination
DROP all -- 95.162.128.155 0.0.0.0/0
DROP all -- 5.12.230.36 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
- and if we want to remove, say, 5.12.230.36, run:
iptables -D fail2ban-dovecot-pop3imap -s 5.12.230.36 -j DROP
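An added helper, not from the original post, that wraps the two commands above: it reads an iptables -L -n listing (a constructed one here, built from the chain shown above), confirms the IP really has a DROP rule in the named fail2ban chain, and only then prints the delete command.

```shell
# Added example (not from the original post). The listing is constructed to
# look like "iptables -L -n" output with the chain from the post.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-dovecot-pop3imap  tcp  --  0.0.0.0/0  0.0.0.0/0  multiport dports 110,995,143,993

Chain fail2ban-dovecot-pop3imap (1 references)
target     prot opt source               destination
DROP       all  --  95.162.128.155       0.0.0.0/0
DROP       all  --  5.12.230.36          0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# unban_cmd CHAIN IP LISTING: prints "iptables -D CHAIN -s IP -j DROP" when
# IP has a DROP rule in CHAIN; otherwise says why on stderr and fails.
unban_cmd() {
    chain="$1"; ip="$2"; listing="$3"
    state=$(printf '%s\n' "$listing" | awk -v chain="$chain" -v ip="$ip" '
        /^Chain / { cur = $2; if (cur == chain) seen = 1; next }
        # field 4 is the source column; exact match, so 5.12.230.3 never matches 5.12.230.36
        cur == chain && $1 == "DROP" && $4 == ip { found = 1 }
        END { print (!seen ? "nochain" : (found ? "ok" : "notbanned")) }')
    case "$state" in
        ok)      printf 'iptables -D %s -s %s -j DROP\n' "$chain" "$ip" ;;
        nochain) echo "chain $chain not found in listing" >&2; return 1 ;;
        *)       echo "$ip has no DROP rule in $chain" >&2; return 1 ;;
    esac
}

# Live use: unban_cmd fail2ban-dovecot-pop3imap 5.12.230.36 "$(iptables -L -n)"
# Here the constructed listing stands in for the live one.
unban_cmd fail2ban-dovecot-pop3imap 5.12.230.36 "$SAMPLE_LISTING"
```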
- How to whitelist IPs in fail2ban:
vi /etc/fail2ban/jail.conf
and add to it the IPs you don't want checked, separated by spaces:
ignoreip = 192.168.0.23 192.168.23.0/24 10.10.10.10/25
then restart the service:
service fail2ban restart
- Better spam protection:
cp -pf /etc/postfix/main.cf /etc/postfix/main.cf.bak
postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination'
/etc/init.d/postfix restart
- Postgrey eliminates a lot of spam:
apt-get install postgrey
/etc/init.d/postgrey start
vim /etc/postfix/main.cf
- and add to smtpd_recipient_restrictions: check_policy_service inet:127.0.0.1:60000
postfix reload
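An added check, not from the original post, for the restriction list built in the two steps above: it fails if reject_unauth_destination is missing (open relay) or if a bare permit or the Postgrey check_policy_service entry comes before it, so relaying or greylisting would happen before the relay check. The sample values are constructed from the post's list.

```shell
# Added example (not from the original post). check_restrictions VALUE prints
# "ok" or one line per problem and returns non-zero when something is wrong.
check_restrictions() {
    printf '%s\n' "$1" | tr ',' '\n' | awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); if ($0 == "") next; r[++n] = $0 }
        END {
            rud = policy = permit = 0
            for (i = 1; i <= n; i++) {
                if (r[i] == "reject_unauth_destination" && !rud) rud = i
                if (r[i] ~ /^check_policy_service/ && !policy) policy = i
                if (r[i] == "permit" && !permit) permit = i
            }
            bad = 0
            if (!rud) { print "missing reject_unauth_destination (open relay)"; bad = 1 }
            if (policy && (!rud || policy < rud)) { print "check_policy_service runs before reject_unauth_destination"; bad = 1 }
            if (permit && (!rud || permit < rud)) { print "bare permit runs before reject_unauth_destination"; bad = 1 }
            if (!bad) print "ok"
            exit bad
        }'
}

# Constructed from the post: its restriction list with the Postgrey entry appended.
PAGE_VALUE='permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname,
reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient,
reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain,
reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net,
check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
reject_unauth_destination, check_policy_service inet:127.0.0.1:60000'
# Constructed counter-example: greylisting first, then a bare permit, no relay check at all.
BAD_VALUE='permit_mynetworks, check_policy_service inet:127.0.0.1:60000, permit'

check_restrictions "$PAGE_VALUE"          # prints: ok
check_restrictions "$BAD_VALUE" || true   # lists the problems
# Live: check_restrictions "$(postconf -h smtpd_recipient_restrictions)"
```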
- Multitail
apt-get -y install multitail
mkdir /root/scripts
cd /root/scripts
vim mytail
#!/bin/bash
multitail -ci yellow -e "ailed" -n 1000 /var/log/auth.log \
-ci red -e "Ban" -n 1000 -I /var/log/fail2ban.log \
-ci red -e "fw" -n 1000 -I /var/log/messages \
-ci green -e "Unban" -n 1000 -I /var/log/messages \
-ci blue -e "fail" -n 1000 -I /var/log/syslog
chmod 700 /root/scripts/mytail
- check that it works: /root/scripts/mytail
- and make a shortcut so it can be run directly as mytail:
ln -s /root/scripts/mytail /usr/bin/.
SSH on port 52222
- Go to "System - Firewall" in ISPConfig and add port 52222 at the end
vim /etc/ssh/sshd_config
- and here change the port from 22 to 52222
/etc/init.d/ssh restart
- MySQL Tuner
cd /root/scripts
wget http://www.day32.com/MySQL/tuning-primer.sh
wget http://mysqltuner.com/mysqltuner.pl
chmod 700 tuning-primer.sh mysqltuner.pl
perl /root/scripts/mysqltuner.pl
/root/scripts/tuning-primer.sh
(D)DoS Deflate
cd /tmp
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
vim /usr/local/ddos/ddos.conf
[...]
APF_BAN=0
EMAIL_TO="webmaster@widehosting.net"
NO_OF_CONNECTIONS=100
[...]
- we are alerted at 100 connections
- Tuning rkhunter:
vim /etc/rkhunter.conf
[...]
MAIL-ON-WARNING=webmaster@widehosting.net webmaster@widehosting.net
[...]
LM-Sensors - monitoring temperatures and the like
apt-get -y install lm-sensors
sensors-detect
apt-get -y install smartmontools
fdisk -l
~# smartctl -a /dev/hda
smartctl version 5.36 [i686-pc-linux-gnu] Copyright (C) 2002-6 Bruce Allen
Home page is http://smartmontools.sourceforge.net/
- Changing the admin password
mysql -u root -p[yourrootpassword]
use dbispconfig;
UPDATE sys_user SET passwort = md5('NEWPASSWORD') WHERE username = 'admin';
quit
- Stopping DNS floods:
vim /etc/bind/named.conf.options
[...]
recursion no;
[...]
vim /etc/bind/named.conf
[...]
logging {
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 30m;
        severity dynamic;
        print-time yes;
    };
    category security { security_file; };
};
[...]
mkdir /var/log/named
chmod a+w /var/log/named
/etc/fail2ban/jail.conf
- and change
[named-refused-udp]
enabled = false

[named-refused-tcp]
enabled = false
- to true for both
/etc/init.d/fail2ban restart
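An added example, not from the original post, of the detection the named-refused jails enabled above perform: it counts "query ... denied" events per client in the security log configured above and reports clients at or above a threshold, the way maxretry works per jail. The log lines are constructed in the format the security_file channel writes with print-time yes.

```shell
# Added example (not from the original post). Constructed security.log lines;
# the last one is a refused zone transfer, not a refused query, and must not count.
SAMPLE_SECURITY_LOG=$(cat <<'EOF'
06-Mar-2014 10:15:01.123 client 198.51.100.7#41234: query (cache) 'isc.org/ANY/IN' denied
06-Mar-2014 10:15:01.130 client 198.51.100.7#41235: query (cache) 'isc.org/ANY/IN' denied
06-Mar-2014 10:15:01.140 client 198.51.100.7#41236: query (cache) 'isc.org/ANY/IN' denied
06-Mar-2014 10:15:02.001 client 203.0.113.9#5353: query (cache) 'example.com/A/IN' denied
06-Mar-2014 10:15:03.500 client 192.0.2.40#33000: zone transfer 'example.com/AXFR/IN' denied
EOF
)

# refused_by_client THRESHOLD < log: prints "count ip" for each client with
# at least THRESHOLD refused queries, highest count first.
refused_by_client() {
    awk -v thr="$1" '
        /client [0-9a-fA-F.:]+#[0-9]+: query.* denied$/ {
            split($0, a, "client ")   # a[2] = "198.51.100.7#41234: query ..."
            split(a[2], b, "#")       # b[1] = the client address (v4 or v6)
            n[b[1]]++
        }
        END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }' | sort -rn
}

# Live: refused_by_client 20 < /var/log/named/security.log
printf '%s\n' "$SAMPLE_SECURITY_LOG" | refused_by_client 3   # prints: 3 198.51.100.7
```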
- ISPConfig folders
- /usr/local/ispconfig/ : ISPConfig main directory.
- (/usr/local/ispconfig/)interface/web/ : ISPConfig web interface (also symlinked as /var/www/ispconfig).
- (/usr/local/ispconfig/)server/lib/config.inc.php : ISPConfig server config file.
- (/usr/local/ispconfig/)interface/lib/config.inc.php : ISPConfig interface config file.
- /var/www/clients/ : the base web directory on a web server.
- client1/ : folder that contains all web for client with ID 1.
- client2/ : folder that contains all web for client with ID 2.
- rummel.com -> /var/www/clients/client2/web4 : a symlink to the folder that contains the web for rummel.com (domain_id = 4).
- web4/ : folder that contains the website with domain_id 4, rummel.com, (panel server > MySQL > dbispconfig.web_domain.domain_id).
- web/ : http web files.
- ssl/ : https web files.
Other directories & files :
- /etc/postfix/smtpd.key : private key.
- /etc/postfix/smtpd.cert : certificate containing the public key.
- /var/log/ispconfig/httpd/rummel.com : access & error logs for rummel.com.
- Roundcube performance tuning:
$rcmail_config['imap_cache'] = 'db';
$rcmail_config['messages_cache'] = true;
http://trac.roundcube.net/wiki/Howto_Performance
- The welcome message is edited in:
vim /usr/local/ispconfig/server/conf/mail/
- Enabling port 587:
vim /etc/postfix/master.cf
#submission inet n - n - - smtpd
- must become:
submission inet n - n - - smtpd
- keeping SpamAssassin up to date with its rule updates:
crontab -e
23 4 */2 * * /usr/bin/sa-update --nogpg > /dev/null 2>&1
- Postfix utilities:
- Show the mails in the queue:
postqueue -p
- Delete a mail by queue ID:
postsuper -d MessageID
- Delete messages from a sender:
mailq | grep senderhostname | awk '{ print $1 }' | tr -d '*!' | postsuper -d -
- If the server is overloaded with mail, the current mails can be moved to hold:
postsuper -h ALL
- To bring them back into the delivery queue:
postsuper -r ALL
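An added example, not from the original post, of the "delete by sender" pipe above done with an exact field match instead of grep, so a sender like user@example.com cannot also match user@example.com.evil, and with the "*" (active) and "!" (hold) markers that mailq appends to queue IDs stripped, since postsuper -d does not accept them as part of a queue ID. The queue listing is constructed.

```shell
# Added example (not from the original post). Constructed mailq output.
SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*    2345 Thu Mar  6 10:15:01  bounce@spammer.example
                                         victim@example.com
F6E7D8C9B0!    1024 Thu Mar  6 10:16:22  bounce@spammer.example
                                         other@example.org
0123456789      512 Thu Mar  6 10:17:00  user@legit.example
                                         friend@example.com

-- 3 Kbytes in 3 Requests.'

# queue_ids_for_sender SENDER < mailq-output: prints bare queue IDs whose
# envelope sender is exactly SENDER. An entry line starts with the queue ID
# (optionally marked * or !) and ends with the sender; recipient lines start
# with an address, and the header/footer never look like a queue ID.
queue_ids_for_sender() {
    awk -v sender="$1" '
        $1 ~ /^[0-9A-Za-z]+[*!]?$/ && $NF == sender { sub(/[*!]$/, "", $1); print $1 }'
}

# Live: mailq | queue_ids_for_sender bounce@spammer.example | postsuper -d -
printf '%s\n' "$SAMPLE_MAILQ" | queue_ids_for_sender bounce@spammer.example
```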
- Disabling SSL:
vim /etc/nginx/sites-available/ispconfig.vhost
- the first lines must look like this:
ssl off;
# ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;
# ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;
- after which:
/etc/init.d/nginx restart
- Enabling verbose logging for Pure-FTPd
echo 'yes' > /etc/pure-ftpd/conf/VerboseLog
- then restart:
/etc/init.d/pure-ftpd-mysql restart
tail -n 100 /var/log/syslog | grep ftpd
- to undo:
rm -f /etc/pure-ftpd/conf/VerboseLog
/etc/init.d/pure-ftpd-mysql restart
Installing the ionCube loader on 64-bit
wget http://downloads2.ioncube.com/loader_downloads/ioncube_loaders_lin_x86-64.tar.gz
tar xfvz ioncube_loaders_lin_x86-64.tar.gz
ls /usr/lib/php5/
20100525/ libexec/ maxlifetime
cp ioncube/ioncube_loader_lin_5.4.so /usr/lib/php5/20100525/ioncube.so
vim /etc/php5/conf.d/ioncube.ini
zend_extension = /usr/lib/php5/20100525/ioncube.so
Voila:
# php -v
PHP 5.4.4-14+deb7u3 (cli) (built: Jul 17 2013 14:54:08)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
    with the ionCube PHP Loader v4.4.1, Copyright (c) 2002-2013, by ionCube Ltd.