-modificare default editor in ispconfig, se rulează:
update-alternatives –config editor
– și se alege ce editor se dorește default
-Adăugare reguli în fail2ban
vim /etc/fail2ban/jail.local
[ssh] enables = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 3 [ssh-ddos] enabled = true port = ssh filter = sshd-ddos logpath = /var/log/auth.log maxretry = 5
/etc/init.d/fail2ban restart
– Ștergere manuala din fail2ban:
– se rulează:
iptables –L –n
Chain fail2ban-dovecot-pop3imap (1 references)
target prot opt source destination
DROP all — 95.162.128.155 0.0.0.0/0
DROP all — 5.12.230.36 0.0.0.0/0
RETURN all — 0.0.0.0/0 0.0.0.0/0
– și dacă vrem sa ștergem sa zicem 5.12.230.36, rulam:
iptables -D fail2ban-dovecot-pop3imap -s 5.12.230.36 -j DROP
– Cum să whitelist ip-uri în fail2ban:
vi /etc/fail2ban/jail.conf
și adăugăm în el ip-urile care dorim să nu fie verificate cu spațiu între ele:
ignoreip = 192.168.0.23 192.168.23.0/24 10.10.10.10/25
după care restartăm serviciul:
service fail2ban restart
– Protecție mai buna la spam:
cp -pf /etc/postfix/main.cf /etc/postfix/main.cf.bak
postconf -e ‘smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination’
/etc/init.d/postfix restart
– Postgrey elimina foarte mult spam:
apt-get install postgrey
/etc/init.d/postgrey start
vim /etc/postfix/main.cf
-și adaugam la smtpd_recipient_restrictions:check_policy_service inet:127.0.0.1:60000
postfix reload
-Multitail
apt-get -y install multitail
mkdir /root/scripts
cd /root/scripts
vim mytail
#!/bin/bash multitail -ci yellow -e "ailed" -n 1000 /var/log/auth.log \ -ci red -e "Ban" -n 1000 -I /var/log/fail2ban.log \ -ci red -e "fw" -n 1000 -I /var/log/messages \ -ci green -e "Unban" -n 1000 -I /var/log/messages \ -ci blue -e "fail" -n 1000 -I /var/log/syslog
chmod 700 /root/scripts/mytail
– verificam ca merge: /root/scripts/mytail
– facem și shortcut sa accesam direct cu mytail :
ln -s /root/scripts/mytail /usr/bin/.
SSH pe portul 52222
– Mergem la “System – Firewall” in ISPCONFIG si adaugam la sfarsit portul 52222
vim /etc/ssh/sshd_config
– și aici modificam portul din 22 în 52222
/etc/init.d/ssh restart
– MYSQL Tuner
cd /root/scripts
wget http://www.day32.com/MySQL/tuning-primer.sh
wget http://mysqltuner.com/mysqltuner.pl
chmod 700 tuning-primer.sh mysqltuner.pl
perl /root/scripts/mysqltuner.pl
/root/scripts/tuning-primer.sh
(D)DoS Deflate
cd /tmp
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
vim /usr/local/ddos/ddos.conf
[...] APF_BAN=0 EMAIL_TO="webmaster@widehosting.net" NO_OF_CONNECTIONS=100 [...]
– suntem avertizați la 100 de conexiuni
-Tunning rkhunter:
vim /etc/rkhunter.conf
[...] MAIL-ON-WARNING=webmaster@widehosting.net webmaster@widehosting.net [...]
LM-Sensors – monitorizam temperaturi ai alte alea
apt-get -y install lm-sensors
sensors-detect
apt-get -y install smartmontools
fdisk -l
~# smartctl -a /dev/hda smartctl version 5.36 [i686-pc-linux-gnu] Copyright (C) 2002-6 Bruce Allen Home page is http://smartmontools.sourceforge.net/
-Schimbare parola de admin
mysql -u root -p[yourrootpassword]
use dbispconfig;
UPDATE sys_user SET passwort = md5(‘NEWPASSWORD’) WHERE username = ‘admin’;
quit
-Oprim flood de DNS:
vim /etc/bind/named.conf.options
[...] recursion no; [...]
vim /etc/bind/named.conf
[...] logging { channel security_file { file "/var/log/named/security.log" versions 3 size 30m; severity dynamic; print-time yes; }; category security { security_file; }; }; [...]
mkdir /var/log/named
chmod a+w /var/log/named
/etc/fail2ban/jail.conf
-și schimbam din
[named-refused-udp] enabled = false [named-refused-tcp] enabled = false
-schimbam în true la ambele
/etc/init.d/fail2ban restart
-Folderele din ispconfig
- /usr/local/ispconfig/ : ISPConfig main directory.
- /usr/local/ispconfig/)interface/web/ : ISPConfig web interface (also symlinked as /var/www/ispconfig).
- (/usr/local/ispconfig/)server/lib/config.inc.php : ISPConfig server config file.
- (/usr/local/ispconfig/)interface/lib/config.inc.php : ISPConfig server config file.
- /var/www/clients/ : the base web directory on a web server.
- client1/ : folder that contains all web for client with ID 1.
- client2/ : folder that contains all web for client with ID 2.
- rummel.com –> /var/www/clients/client2/web4 : a symlink to the folder that contains the web for rummel.com (domain_id = 4).
- web4/ : folder that contains the website with domain_id 4, rummel.com, (panel server > MySQL > dbispconfig.web_domain.domain_id).
- web/ : http web files.
- ssl/ : https web files.
Other directories & files :
- /etc/postfix/smtpd.key : private key.
- /etc/postfix/smtpd.cert : certificate containing the public key.
- /var/log/ispconfig/httpd/rummel.com : access & error logs for rummel.com.
-Roundcube performance tunning:
$rcmail_config['imap_cache'] = 'db'; $rcmail_config['messages_cache'] = true;
http://trac.roundcube.net/wiki/Howto_Performance
-Mesajul de welcome, se editeaza in:
vim /usr/local/ispconfig/server/conf/mail/
-Pornire port 587:
vim /etc/postfix/master.cf
#submission inet n – n – – smtpd
-trebuie sa devina:
submission inet n – n – – smtpd
-tinere spamassassin la cuent cu actualizarile:
crontab -e
23 4 */2 * * /usr/bin/sa-update –nogpg &> /dev/null
-utilitare de postfix:
-Afișează mailurile din coada:
postqueue -p
-Șterge un mail după IP:
postsuper -d MessageID
-Șterge mesajele de la un expeditor:
mailq | grep senderhostname | awk ‘{ print $1′} | postsuper -d –
-Daca serverul este prea încărcat de mailuri se pot muta mailurile curente în hold:
postsuper -h ALL
-Pentru a le readuce în coada de trimitere:
postsuper -r ALL
-Disable la ssl:
vim /etc/nginx/sites-available/ispconfig.vhost
-primele linii trebuie sa arate asa:
ssl off;
# ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;
# ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;
-după care:
/etc/init.d/nginx restart
-activare log detaliat pentru PureFTP
echo ‘yes’ > /etc/pure-ftpd/conf/VerboseLog
-apoi restart:
/etc/init.d/pure-ftpd-mysql restart
tail -n 100 /var/log/syslog |grep ftpd
-pentru a anula:
rm -f /etc/pure-ftpd/conf/VerboseLog
/etc/init.d/pure-ftpd-mysql restart
Instalare ioncube loader pe 64bit
wget http://downloads2.ioncube.com/loader_downloads/ioncube_loaders_lin_x86-64.tar.gz
tar xfvz ioncube_loaders_lin_x86-64.tar.gz
ls /usr/lib/php5/
20100525/ libexec/ maxlifetime
cp ioncube/ioncube_loader_lin_5.4.so /usr/lib/php5/20100525/ioncube.so
vim /etc/php5/conf.d/ioncube.ini
zend_extension = /usr/lib/php5/20100525/ioncube.so
Voila:
# php -v PHP 5.4.4-14+deb7u3 (cli) (built: Jul 17 2013 14:54:08) Copyright (c) 1997-2012 The PHP Group Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies with the ionCube PHP Loader v4.4.1, Copyright (c) 2002-2013, by ionCube Ltd.
Ultimele știri ispconfig: