You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
240 lines
9.1 KiB
240 lines
9.1 KiB
#!/bin/bash
|
|
|
|
# Hestia Control Panel upgrade script for target version 1.1.0
|
|
|
|
#######################################################################################
|
|
####### Place additional commands below. #######
|
|
#######################################################################################
|
|
|
|
# Set default theme
|
|
if [ -z $THEME ]; then
|
|
echo "[ * ] Enabling support for themes..."
|
|
$BIN/v-change-sys-theme 'default'
|
|
fi
|
|
|
|
# Reduce SSH login grace time
|
|
if [ -e /etc/ssh/sshd_config ]; then
|
|
echo "[ * ] Hardening SSH daemon configuration..."
|
|
sed -i "s/LoginGraceTime 2m/LoginGraceTime 1m/g" /etc/ssh/sshd_config
|
|
sed -i "s/#LoginGraceTime 2m/LoginGraceTime 1m/g" /etc/ssh/sshd_config
|
|
fi
|
|
|
|
# Implement recidive jail for fail2ban
|
|
if [ ! -z "$FIREWALL_EXTENSION" ]; then
|
|
if ! cat /etc/fail2ban/jail.local | grep -q "\[recidive\]"; then
|
|
echo -e "\n\n[recidive]\nenabled = true\nfilter = recidive\naction = hestia[name=HESTIA]\nlogpath = /var/log/fail2ban.log\nmaxretry = 3\nfindtime = 86400\nbantime = 864000" >> /etc/fail2ban/jail.local
|
|
fi
|
|
fi
|
|
|
|
# Enable OCSP SSL stapling and harden nginx configuration for roundcube
|
|
if [ ! -z "$IMAP_SYSTEM" ]; then
|
|
echo "[ * ] Hardening security of Roundcube webmail..."
|
|
$BIN/v-update-mail-templates > /dev/null 2>&1
|
|
if [ -e /etc/nginx/conf.d/webmail.inc ]; then
|
|
cp -f /etc/nginx/conf.d/webmail.inc $HESTIA_BACKUP/conf/
|
|
sed -i "s/config|temp|logs/README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING/g" /etc/nginx/conf.d/webmail.inc
|
|
fi
|
|
fi
|
|
|
|
# Fix restart queue
|
|
if [ -z "$($BIN/v-list-cron-jobs admin | grep 'v-update-sys-queue restart')" ]; then
|
|
command="sudo $BIN/v-update-sys-queue restart"
|
|
$BIN/v-add-cron-job 'admin' '*/2' '*' '*' '*' '*' "$command"
|
|
fi
|
|
|
|
# Remove deprecated line from ClamAV configuration file
|
|
if [ -e "/etc/clamav/clamd.conf" ]; then
|
|
clamd_conf_update_check=$(grep DetectBrokenExecutables /etc/clamav/clamd.conf)
|
|
if [ ! -z "$clamd_conf_update_check" ]; then
|
|
echo "[ * ] Updating ClamAV configuration..."
|
|
sed -i '/DetectBrokenExecutables/d' /etc/clamav/clamd.conf
|
|
fi
|
|
fi
|
|
|
|
# Remove errornous history.log file created by certain builds due to bug in v-restart-system
|
|
if [ -e $HESTIA/data/users/history.log ]; then
|
|
rm -f $HESTIA/data/users/history.log
|
|
fi
|
|
|
|
# Use exim4 server hostname instead of mail domain and remove hardcoded mail prefix
|
|
if [ ! -z "$MAIL_SYSTEM" ]; then
|
|
echo "[ * ] Updating exim configuration..."
|
|
if cat /etc/exim4/exim4.conf.template | grep -q 'helo_data = mail.${sender_address_domain}'; then
|
|
sed -i 's/helo_data = mail.${sender_address_domain}/helo_data = ${primary_hostname}/g' /etc/exim4/exim4.conf.template
|
|
fi
|
|
if ! grep -q '^OUTGOING_IP = /' /etc/exim4/exim4.conf.template; then
|
|
sed -i '/^OUTGOING_IP/d' /etc/exim4/exim4.conf.template
|
|
sed -i 's|^begin acl|OUTGOING_IP = /etc/exim4/domains/$sender_address_domain/ip\nbegin acl|' /etc/exim4/exim4.conf.template
|
|
fi
|
|
if ! grep -q 'interface =' /etc/exim4/exim4.conf.template; then
|
|
sed -i '/interface =/d' /etc/exim4/exim4.conf.template
|
|
sed -i 's|dkim_strict = 0|dkim_strict = 0\n interface = ${if exists{OUTGOING_IP}{${readfile{OUTGOING_IP}}}}|' /etc/exim4/exim4.conf.template
|
|
fi
|
|
fi
|
|
|
|
# Members of admin group should be permitted to enter admin folder
|
|
if [ -d /home/admin ]; then
|
|
setfacl -m "g:admin:r-x" /home/admin
|
|
fi
|
|
|
|
# Fix sftp jail cronjob
|
|
if [ -e "/etc/cron.d/hestia-sftp" ]; then
|
|
if ! cat /etc/cron.d/hestia-sftp | grep -q 'root'; then
|
|
echo "@reboot root /usr/local/hestia/bin/v-add-sys-sftp-jail" > /etc/cron.d/hestia-sftp
|
|
fi
|
|
fi
|
|
|
|
# Create default writeable folders for all users
|
|
echo "[ * ] Updating default writable folders for all users..."
|
|
for user in $($HESTIA/bin/v-list-sys-users plain); do
|
|
mkdir -p \
|
|
$HOMEDIR/$user/.cache \
|
|
$HOMEDIR/$user/.config \
|
|
$HOMEDIR/$user/.local \
|
|
$HOMEDIR/$user/.composer \
|
|
$HOMEDIR/$user/.ssh
|
|
|
|
chown $user:$user \
|
|
$HOMEDIR/$user/.cache \
|
|
$HOMEDIR/$user/.config \
|
|
$HOMEDIR/$user/.local \
|
|
$HOMEDIR/$user/.composer \
|
|
$HOMEDIR/$user/.ssh
|
|
done
|
|
|
|
# Remove redundant fail2ban jail
|
|
if fail2ban-client status sshd > /dev/null 2>&1; then
|
|
fail2ban-client stop sshd > /dev/null 2>&1
|
|
if [ -f /etc/fail2ban/jail.d/defaults-debian.conf ]; then
|
|
mkdir -p $HESTIA_BACKUP/conf/fail2ban/jail.d
|
|
mv /etc/fail2ban/jail.d/defaults-debian.conf $HESTIA_BACKUP/conf/fail2ban/jail.d/
|
|
fi
|
|
fi
|
|
|
|
# Update Office 365/Microsoft 365 DNS template
|
|
if [ -e "$HESTIA/data/templates/dns/office365.tpl" ]; then
|
|
echo "[ * ] Updating DNS template for Office 365..."
|
|
cp -f $HESTIA/install/deb/templates/dns/office365.tpl $HESTIA/data/templates/dns/office365.tpl
|
|
fi
|
|
|
|
# Ensure that backup compression level is correctly set
|
|
GZIP_LVL_CHECK=$(cat $HESTIA/conf/hestia.conf | grep BACKUP_GZIP)
|
|
if [ -z "$GZIP_LVL_CHECK" ]; then
|
|
echo "[ * ] Updating backup compression level variable..."
|
|
$BIN/v-change-sys-config-value "BACKUP_GZIP" '9'
|
|
fi
|
|
|
|
# Randomize Roundcube des_key for better security
|
|
if [ -f "/etc/roundcube/config.inc.php" ]; then
|
|
rcDesKey="$(openssl rand -base64 30 | tr -d "/" | cut -c1-24)"
|
|
sed -i "s/vtIOjLZo9kffJoqzpSbm5r1r/$rcDesKey/g" /etc/roundcube/config.inc.php
|
|
fi
|
|
|
|
# Place robots.txt to prevent webmail crawling by search engine bots.
|
|
if [ -e "/var/lib/roundcube/" ]; then
|
|
if [ ! -f "/var/lib/roundcube/robots.txt" ]; then
|
|
echo "User-agent: *" > /var/lib/roundcube/robots.txt
|
|
echo "Disallow: /" >> /var/lib/roundcube/robots.txt
|
|
fi
|
|
fi
|
|
|
|
# Installing postgresql repo
|
|
if [ -e "/etc/postgresql" ]; then
|
|
echo "[ * ] Enabling native PostgreSQL APT repository..."
|
|
osname="$(cat /etc/os-release | grep "^ID\=" | sed "s/ID\=//g")"
|
|
if [ "$osname" = "ubuntu" ]; then
|
|
codename="$(lsb_release -s -c)"
|
|
else
|
|
codename="$(cat /etc/os-release | grep VERSION= | cut -f 2 -d \( | cut -f 1 -d \))"
|
|
fi
|
|
echo "deb http://apt.postgresql.org/pub/repos/apt/ $codename-pgdg main" > /etc/apt/sources.list.d/postgresql.list
|
|
wget --quiet https://www.postgresql.org/media/keys/ACCC4CF8.asc -O /tmp/psql_signing.key
|
|
APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key add /tmp/psql_signing.key > /dev/null 2>&1
|
|
rm /tmp/psql_signing.key
|
|
fi
|
|
|
|
# Hardening MySQL configuration, prevent local infile.
|
|
if [ -e "/etc/mysql/my.cnf" ]; then
|
|
mysql_local_infile_check=$(grep local-infile /etc/mysql/my.cnf)
|
|
if [ -z "$mysql_local_infile_check" ]; then
|
|
echo "[ * ] Hardening MySQL configuration..."
|
|
sed -i '/symbolic-links\=0/a\local-infile=0' /etc/mysql/my.cnf
|
|
fi
|
|
fi
|
|
|
|
# Hardening nginx configuration, drop TLSv1.1 support.
|
|
if [ -e "/etc/nginx/nginx.conf" ]; then
|
|
nginx_tls_check=$(grep TLSv1.1 /etc/nginx/nginx.conf)
|
|
if [ ! -z "$nginx_tls_check" ]; then
|
|
echo "[ * ] Updating nginx security settings - disabling TLS v1.1..."
|
|
sed -i 's/TLSv1.1 //g' /etc/nginx/nginx.conf
|
|
fi
|
|
fi
|
|
|
|
# Fix logrotate permission bug for nginx
|
|
if [ -e "/etc/logrotate/nginx" ]; then
|
|
sed -i "s/create 640 nginx adm/create 640/g" /etc/logrotate.d/nginx
|
|
fi
|
|
|
|
# Fix logrotate permission bug for apache
|
|
if [ -e "/etc/logrotate/apache2" ]; then
|
|
sed -i "s/create 640 root adm/create 640/g" /etc/logrotate.d/apache2
|
|
fi
|
|
|
|
# Repair messed up user log permissions from the logrotate bug. Ignoring errors
|
|
for user in $($HESTIA/bin/v-list-users plain | cut -f1); do
|
|
for domain in $($HESTIA/bin/v-list-web-domains $user plain | cut -f1); do
|
|
chown root:$user /var/log/$WEB_SYSTEM/domains/$domain.* > /dev/null 2>&1
|
|
for sub_domain in $($HESTIA/bin/v-list-web-domain $user $domain plain | cut -f7 | tr ',' '\n'); do
|
|
chown root:$user /var/log/$WEB_SYSTEM/domains/$sub_domain.* > /dev/null 2>&1
|
|
done
|
|
done
|
|
done
|
|
|
|
chown root:root /var/log/$WEB_SYSTEM/domains/$WEBMAIL_ALIAS* > /dev/null 2>&1
|
|
|
|
# Enable IMAP/POP3 quota information
|
|
if [ "$IMAP_SYSTEM" = "dovecot" ]; then
|
|
echo "[ * ] Enabling IMAP quota information reporting..."
|
|
if [ -e /etc/dovecot/conf.d/20-pop3.conf ]; then
|
|
if [ -e /etc/redhat-release ]; then
|
|
cp -f $HESTIA/install/rpm/dovecot/conf.d/20-pop3.conf /etc/dovecot/conf.d/20-pop3.conf
|
|
else
|
|
cp -f $HESTIA/install/deb/dovecot/conf.d/20-pop3.conf /etc/dovecot/conf.d/20-pop3.conf
|
|
fi
|
|
fi
|
|
if [ -e /etc/dovecot/conf.d/20-imap.conf ]; then
|
|
if [ -e /etc/redhat-release ]; then
|
|
cp -f $HESTIA/install/rpm/dovecot/conf.d/20-imap.conf /etc/dovecot/conf.d/20-imap.conf
|
|
else
|
|
cp -f $HESTIA/install/deb/dovecot/conf.d/20-imap.conf /etc/dovecot/conf.d/20-imap.conf
|
|
fi
|
|
fi
|
|
if [ -e /etc/dovecot/conf.d/90-quota.conf ]; then
|
|
if [ -e /etc/redhat-release ]; then
|
|
cp -f $HESTIA/install/deb/dovecot/conf.d/90-quota.conf /etc/dovecot/conf.d/90-quota.conf
|
|
else
|
|
cp -f $HESTIA/install/deb/dovecot/conf.d/90-quota.conf /etc/dovecot/conf.d/90-quota.conf
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
# Trigger multiphp legacy migration script
|
|
num_php_versions=$(ls -d /etc/php/*/fpm/pool.d 2> /dev/null | wc -l)
|
|
if [ "$num_php_versions" -gt 1 ] && [ -z "$WEB_BACKEND" ]; then
|
|
echo "[ * ] Enabling modular Multi-PHP backend..."
|
|
cp -rf $HESTIA/data/templates/web $HESTIA_BACKUP/templates/web
|
|
bash $HESTIA/install/upgrade/manual/migrate_multiphp.sh > /dev/null 2>&1
|
|
fi
|
|
|
|
# Disable global subfolder alias for webmail in favor of subdomain
|
|
if [ -e /etc/nginx/conf.d/webmail.inc ]; then
|
|
rm -f /etc/nginx/conf.d/webmail.inc
|
|
fi
|
|
if [ -e /etc/apache2/conf.d/roundcube.conf ]; then
|
|
rm -f /etc/apache2/conf.d/roundcube.conf
|
|
fi
|
|
if [ -e /etc/httpd/conf.h.d/roundcube.conf ]; then
|
|
rm -f /etc/httpd/conf.h.d/roundcube.conf
|
|
fi
|