#!/bin/bash
# Hestia Control Panel upgrade script for target version 1.1.0
#######################################################################################
####### Place additional commands below. #######
#######################################################################################
# Set default theme
if [ -z $THEME ]; then
echo "[ * ] Enabling support for themes..."
$BIN/v-change-sys-theme 'default'
fi
# Reduce SSH login grace time
if [ -e /etc/ssh/sshd_config ]; then
echo "[ * ] Hardening SSH daemon configuration..."
sed -i "s/LoginGraceTime 2m/LoginGraceTime 1m/g" /etc/ssh/sshd_config
sed -i "s/#LoginGraceTime 2m/LoginGraceTime 1m/g" /etc/ssh/sshd_config
fi
# Implement recidive jail for fail2ban
if [ ! -z "$FIREWALL_EXTENSION" ]; then
if ! cat /etc/fail2ban/jail.local | grep -q "\[recidive\]"; then
echo -e "\n\n[recidive]\nenabled = true\nfilter = recidive\naction = hestia[name=HESTIA]\nlogpath = /var/log/fail2ban.log\nmaxretry = 3\nfindtime = 86400\nbantime = 864000" >> /etc/fail2ban/jail.local
fi
fi
# Enable OCSP SSL stapling and harden nginx configuration for roundcube
if [ ! -z "$IMAP_SYSTEM" ]; then
echo "[ * ] Hardening security of Roundcube webmail..."
$BIN/v-update-mail-templates > /dev/null 2>&1
if [ -e /etc/nginx/conf.d/webmail.inc ]; then
cp -f /etc/nginx/conf.d/webmail.inc $HESTIA_BACKUP/conf/
sed -i "s/config|temp|logs/README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING/g" /etc/nginx/conf.d/webmail.inc
fi
fi
# Fix restart queue
if [ -z "$($BIN/v-list-cron-jobs admin | grep 'v-update-sys-queue restart')" ]; then
command="sudo $BIN/v-update-sys-queue restart"
$BIN/v-add-cron-job 'admin' '*/2' '*' '*' '*' '*' "$command"
fi
# Remove deprecated line from ClamAV configuration file
if [ -e "/etc/clamav/clamd.conf" ]; then
clamd_conf_update_check=$(grep DetectBrokenExecutables /etc/clamav/clamd.conf)
if [ ! -z "$clamd_conf_update_check" ]; then
echo "[ * ] Updating ClamAV configuration..."
sed -i '/DetectBrokenExecutables/d' /etc/clamav/clamd.conf
fi
fi
# Remove errornous history.log file created by certain builds due to bug in v-restart-system
if [ -e $HESTIA/data/users/history.log ]; then
rm -f $HESTIA/data/users/history.log
fi
# Use exim4 server hostname instead of mail domain and remove hardcoded mail prefix
if [ ! -z "$MAIL_SYSTEM" ]; then
echo "[ * ] Updating exim configuration..."
if cat /etc/exim4/exim4.conf.template | grep -q 'helo_data = mail.${sender_address_domain}'; then
sed -i 's/helo_data = mail.${sender_address_domain}/helo_data = ${primary_hostname}/g' /etc/exim4/exim4.conf.template
fi
if ! grep -q '^OUTGOING_IP = /' /etc/exim4/exim4.conf.template; then
sed -i '/^OUTGOING_IP/d' /etc/exim4/exim4.conf.template
sed -i 's|^begin acl|OUTGOING_IP = /etc/exim4/domains/$sender_address_domain/ip\nbegin acl|' /etc/exim4/exim4.conf.template
fi
if ! grep -q 'interface =' /etc/exim4/exim4.conf.template; then
sed -i '/interface =/d' /etc/exim4/exim4.conf.template
sed -i 's|dkim_strict = 0|dkim_strict = 0\n interface = ${if exists{OUTGOING_IP}{${readfile{OUTGOING_IP}}}}|' /etc/exim4/exim4.conf.template
fi
fi
# Members of admin group should be permitted to enter admin folder
if [ -d /home/admin ]; then
setfacl -m "g:admin:r-x" /home/admin
fi
# Fix sftp jail cronjob
if [ -e "/etc/cron.d/hestia-sftp" ]; then
if ! cat /etc/cron.d/hestia-sftp | grep -q 'root'; then
echo "@reboot root /usr/local/hestia/bin/v-add-sys-sftp-jail" > /etc/cron.d/hestia-sftp
fi
fi
# Create default writeable folders for all users
echo "[ * ] Updating default writable folders for all users..."
for user in $($HESTIA/bin/v-list-sys-users plain); do
mkdir -p \
$HOMEDIR/$user/.cache \
$HOMEDIR/$user/.config \
$HOMEDIR/$user/.local \
$HOMEDIR/$user/.composer \
$HOMEDIR/$user/.ssh
chown $user:$user \
$HOMEDIR/$user/.cache \
$HOMEDIR/$user/.config \
$HOMEDIR/$user/.local \
$HOMEDIR/$user/.composer \
$HOMEDIR/$user/.ssh
done
# Remove redundant fail2ban jail
if fail2ban-client status sshd > /dev/null 2>&1; then
fail2ban-client stop sshd > /dev/null 2>&1
if [ -f /etc/fail2ban/jail.d/defaults-debian.conf ]; then
mkdir -p $HESTIA_BACKUP/conf/fail2ban/jail.d
mv /etc/fail2ban/jail.d/defaults-debian.conf $HESTIA_BACKUP/conf/fail2ban/jail.d/
fi
fi
# Update Office 365/Microsoft 365 DNS template
if [ -e "$HESTIA/data/templates/dns/office365.tpl" ]; then
echo "[ * ] Updating DNS template for Office 365..."
cp -f $HESTIA/install/deb/templates/dns/office365.tpl $HESTIA/data/templates/dns/office365.tpl
fi
# Ensure that backup compression level is correctly set
GZIP_LVL_CHECK=$(cat $HESTIA/conf/hestia.conf | grep BACKUP_GZIP)
if [ -z "$GZIP_LVL_CHECK" ]; then
echo "[ * ] Updating backup compression level variable..."
$BIN/v-change-sys-config-value "BACKUP_GZIP" '9'
fi
# Randomize Roundcube des_key for better security
if [ -f "/etc/roundcube/config.inc.php" ]; then
rcDesKey="$(openssl rand -base64 30 | tr -d "/" | cut -c1-24)"
sed -i "s/vtIOjLZo9kffJoqzpSbm5r1r/$rcDesKey/g" /etc/roundcube/config.inc.php
fi
# Place robots.txt to prevent webmail crawling by search engine bots.
if [ -e "/var/lib/roundcube/" ]; then
if [ ! -f "/var/lib/roundcube/robots.txt" ]; then
echo "User-agent: *" > /var/lib/roundcube/robots.txt
echo "Disallow: /" >> /var/lib/roundcube/robots.txt
fi
fi
# Installing postgresql repo
if [ -e "/etc/postgresql" ]; then
echo "[ * ] Enabling native PostgreSQL APT repository..."
osname="$(cat /etc/os-release | grep "^ID\=" | sed "s/ID\=//g")"
if [ "$osname" = "ubuntu" ]; then
codename="$(lsb_release -s -c)"
else
codename="$(cat /etc/os-release | grep VERSION= | cut -f 2 -d \( | cut -f 1 -d \))"
fi
echo "deb http://apt.postgresql.org/pub/repos/apt/ $codename-pgdg main" > /etc/apt/sources.list.d/postgresql.list
wget --quiet https://www.postgresql.org/media/keys/ACCC4CF8.asc -O /tmp/psql_signing.key
APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key add /tmp/psql_signing.key > /dev/null 2>&1
rm /tmp/psql_signing.key
fi
# Hardening MySQL configuration, prevent local infile.
if [ -e "/etc/mysql/my.cnf" ]; then
mysql_local_infile_check=$(grep local-infile /etc/mysql/my.cnf)
if [ -z "$mysql_local_infile_check" ]; then
echo "[ * ] Hardening MySQL configuration..."
sed -i '/symbolic-links\=0/a\local-infile=0' /etc/mysql/my.cnf
fi
fi
# Hardening nginx configuration, drop TLSv1.1 support.
if [ -e "/etc/nginx/nginx.conf" ]; then
nginx_tls_check=$(grep TLSv1.1 /etc/nginx/nginx.conf)
if [ ! -z "$nginx_tls_check" ]; then
echo "[ * ] Updating nginx security settings - disabling TLS v1.1..."
sed -i 's/TLSv1.1 //g' /etc/nginx/nginx.conf
fi
fi
# Fix logrotate permission bug for nginx
if [ -e "/etc/logrotate/nginx" ]; then
sed -i "s/create 640 nginx adm/create 640/g" /etc/logrotate.d/nginx
fi
# Fix logrotate permission bug for apache
if [ -e "/etc/logrotate/apache2" ]; then
sed -i "s/create 640 root adm/create 640/g" /etc/logrotate.d/apache2
fi
# Repair messed up user log permissions from the logrotate bug. Ignoring errors
for user in $($HESTIA/bin/v-list-users plain | cut -f1); do
for domain in $($HESTIA/bin/v-list-web-domains $user plain | cut -f1); do
chown root:$user /var/log/$WEB_SYSTEM/domains/$domain.* > /dev/null 2>&1
for sub_domain in $($HESTIA/bin/v-list-web-domain $user $domain plain | cut -f7 | tr ',' '\n'); do
chown root:$user /var/log/$WEB_SYSTEM/domains/$sub_domain.* > /dev/null 2>&1
done
done
done
chown root:root /var/log/$WEB_SYSTEM/domains/$WEBMAIL_ALIAS* > /dev/null 2>&1
# Enable IMAP/POP3 quota information
if [ "$IMAP_SYSTEM" = "dovecot" ]; then
echo "[ * ] Enabling IMAP quota information reporting..."
if [ -e /etc/dovecot/conf.d/20-pop3.conf ]; then
cp -f $HESTIA/install/deb/dovecot/conf.d/20-pop3.conf /etc/dovecot/conf.d/20-pop3.conf
fi
if [ -e /etc/dovecot/conf.d/20-imap.conf ]; then
cp -f $HESTIA/install/deb/dovecot/conf.d/20-imap.conf /etc/dovecot/conf.d/20-imap.conf
fi
if [ -e /etc/dovecot/conf.d/90-quota.conf ]; then
cp -f $HESTIA/install/deb/dovecot/conf.d/90-quota.conf /etc/dovecot/conf.d/90-quota.conf
fi
fi
# Trigger multiphp legacy migration script
num_php_versions=$(ls -d /etc/php/*/fpm/pool.d 2> /dev/null | wc -l)
if [ "$num_php_versions" -gt 1 ] && [ -z "$WEB_BACKEND" ]; then
echo "[ * ] Enabling modular Multi-PHP backend..."
cp -rf $HESTIA/data/templates/web $HESTIA_BACKUP/templates/web
bash $HESTIA/install/upgrade/manual/migrate_multiphp.sh > /dev/null 2>&1
fi
# Disable global subfolder alias for webmail in favor of subdomain
if [ -e /etc/nginx/conf.d/webmail.inc ]; then
rm -f /etc/nginx/conf.d/webmail.inc
fi
if [ -e /etc/apache2/conf.d/roundcube.conf ]; then
rm -f /etc/apache2/conf.d/roundcube.conf
fi