Vesta CP
Hja (talk | contributions)
Current version as of 16 January 2018, 16:22
Default vhost templates
Templates can be found in the /usr/local/vesta/data/templates/ directory. Feel free to modify them or copy them to create new custom templates. After modifying an existing template you need to rebuild the user configuration. This can be done with the v-rebuild-user command or as a bulk operation in the web interface (drop-down list on the "User" page).
Apache
- default - no additional settings, works well for most sites
- basedir - uses the open_basedir directive to fight PHP shells
- hosting - separate PHP limits for each domain (php_admin_value memory/safemode/etc)
- phpcgi - template to run PHP as CGI; can be useful to run php4 or php5.2
- phpfcgid - template to run PHP as FastCGI (automatically installed on a server with > 1Gb of RAM)
- wsgi - template to run Python projects (can be installed manually)
An Apache template actually consists of three files. The file with the tpl extension is used to build the usual virtual host. The file with the stpl extension is used to build the SSL vhost. The file with the sh extension is optional; it can be used as a trigger to run additional shell commands on domain creation. For details see the phpfcgid.sh template.
Nginx
- default - serves static content, works well for most sites
- hosting - disable_symlinks directive to protect from symlink attacks
- caching - dynamic pages are cached for 15 min to handle spontaneous traffic, aka the reddit effect
- force-https - force users to https/SSL (can be installed manually)
DNS
- default - general DNS records
- gmail - predefined records to host mail on Google Apps
- child-ns - template for vanity name servers
Default locations for customer data
Hosting data:
- /home/$user/web
- /home/$user/web/$domain1.ch
- /home/$user/web/$domain2.ch
- /home/$user/web/$domain1.ch/cgi-bin
- /home/$user/web/$domain1.ch/document_errors
- /home/$user/web/$domain1.ch/logs
- /home/$user/web/$domain1.ch/private
- /home/$user/web/$domain1.ch/public_html
- /home/$user/web/$domain1.ch/public_shtml
- /home/$user/web/$domain1.ch/stats
Mail data:
- /home/$user/mail
- /home/$user/mail/$domain1.ch
- /home/$user/mail/$domain2.ch
- /home/$user/mail/$domain1.ch/$alias
- /home/$user/mail/$domain1.ch/$alias/cur
- /home/$user/mail/$domain1.ch/$alias/new
- /home/$user/mail/$domain1.ch/$alias/.Spam
Database data:
- /var/lib/mysql/$db1
Webserver conf:
- /home/$user/conf/web/apache2.conf
- /home/$user/conf/web/sapache2.conf (ssl)
- /home/$user/conf/web/nginx.conf
- /home/$user/conf/web/snginx.conf (ssl)
Mail conf:
- /home/$user/conf/mail/$domain/* (exim)
- /home/$user/conf/mail/$domain/passwd (dovecot)
Config and log locations (Debian / Ubuntu)
https://vestacp.com/docs/#config-log-location-debian-ubuntu
API
Notes
Monitoring: http://www.librenms.org

Global dhparam:
Path: /etc/ssl/certs/dhparam.pem
openssl dhparam -out dhparam.pem 4096

mysql:
https://dev.mysql.com/doc/refman/5.7/en/user-resources.html

percona:
https://forum.vestacp.com/viewtopic.php?t=14688

CPU:
for CPUFREQ in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor; do [ -f $CPUFREQ ] || continue; echo -n performance > $CPUFREQ; done

Packages:
Start-Date: 2017-05-10 17:14:28
Commandline: apt install libclass-dbi-mysql-perl
Install: libclass-dbi-mysql-perl:amd64 (1.00-3), libsql-abstract-limit-perl:amd64 (2:0.14.1-5, automatic), libhash-merge-perl:amd64 (0.200-1, automatic), libclass-trigger-perl:amd64 (0.14-1, automatic), libmoo-perl:amd64 (2.000002-1, automatic), libb-hooks-op-check-perl:amd64 (0.19-2build2, automatic), libmodule-runtime-perl:amd64 (0.014-2, automatic), libsql-abstract-perl:amd64 (1.81-1, automatic), libuniversal-moniker-perl:amd64 (0.08-7, automatic), libdbix-contextualfetch-perl:amd64 (1.03-3, automatic), libmultidimensional-perl:amd64 (0.010-1build3, automatic), libdbi-perl:amd64 (1.634-1build1, automatic), libstrictures-perl:amd64 (2.000002-1, automatic), libclass-xsaccessor-perl:amd64 (1.19-2build4, automatic), liblingua-en-inflect-perl:amd64 (1.899-1, automatic), libtime-piece-mysql-perl:amd64 (0.06-2, automatic), libclass-dbi-abstractsearch-perl:amd64 (0.07-3, automatic), libparams-classify-perl:amd64 (0.013-5build1, automatic), libclass-method-modifiers-perl:amd64 (2.11-1, automatic), libclone-perl:amd64 (0.38-1build1, automatic), libsub-name-perl:amd64 (0.14-1build1, automatic), librole-tiny-perl:amd64 (2.000001-2, automatic), libio-stringy-perl:amd64 (2.110-5, automatic), libimport-into-perl:amd64 (1.002005-1, automatic), libdevel-globaldestruction-perl:amd64 (0.13-1, automatic), libindirect-perl:amd64 (0.36-1build1, automatic), libdbd-mysql-perl:amd64 (4.033-1ubuntu0.1, automatic), libclass-data-inheritable-perl:amd64 (0.08-2, automatic), libbareword-filehandles-perl:amd64 (0.003-1build3, automatic), libsub-exporter-progressive-perl:amd64 (0.001011-1, automatic), libclass-dbi-perl:amd64 (3.0.17-4, automatic), libclass-accessor-perl:amd64 (0.34-1, automatic), liblexical-sealrequirehints-perl:amd64 (0.009-1build1, automatic), libima-dbi-perl:amd64 (0.35-2, automatic)
End-Date: 2017-05-10 17:14:30

Start-Date: 2017-05-11 16:24:34
Commandline: apt-get install libnghttp2-14
Install: libnghttp2-14:amd64 (1.7.1-1)
End-Date: 2017-05-11 16:24:35

Start-Date: 2017-05-11 16:34:28
Commandline: apt-get install php5.6-bz2 php7.1-bz2 php7.0-bz2
Install: php7.0-bz2:amd64 (7.0.18-1+deb.sury.org~xenial+1), php7.1-bz2:amd64 (7.1.4-1+deb.sury.org~xenial+1), php5.6-bz2:amd64 (5.6.30-10+deb.sury.org~xenial+2)
End-Date: 2017-05-11 16:34:29

Start-Date: 2017-05-11 16:57:14
Commandline: apt-get install php7.1-tidy php5.6-tidy php7.0-tidy
Install: php5.6-tidy:amd64 (5.6.30-10+deb.sury.org~xenial+2), php7.1-tidy:amd64 (7.1.4-1+deb.sury.org~xenial+1), php7.0-tidy:amd64 (7.0.18-1+deb.sury.org~xenial+1), libtidy5:amd64 (1:5.2.0-1+deb.sury.org~xenial+1, automatic)
End-Date: 2017-05-11 16:57:16

Start-Date: 2017-05-12 16:28:55
Commandline: apt-get install libapache2-mod-wsgi
Install: libpython2.7:amd64 (2.7.12-1ubuntu0~16.04.1, automatic), libapache2-mod-wsgi:amd64 (4.3.0-1.1build1)
End-Date: 2017-05-12 16:28:59

Dell Perc:
Write cache >> Force write back
root@lx1:/usr/local/vesta/bin# ./v-list-user-log user1
DATE        TIME      CMD
----        ----      ---
2017-04-25  12:35:21  changed language to en
2017-04-25  12:36:52  added web domain user1.ch
2017-04-25  12:36:52  added dns domain user1.ch
2017-04-25  12:36:53  added TXT dns record _domainkey for user1.ch
2017-04-25  12:36:53  added TXT dns record mail._domainkey for user1.ch
2017-04-25  12:36:53  added mail domain user1.ch
2017-04-25  12:36:53  enabled web log analyzer for user1.ch
2017-04-25  12:36:54  added ftp account user1_user1@user1.ch
2017-04-25  12:38:32  added mysql database user1_user1
2017-04-26  12:06:52  added web domain user1-domain2.ch
2017-04-26  12:06:52  added dns domain user1-domain2.ch
2017-04-26  12:06:53  added TXT dns record _domainkey for user1-domain2.ch
2017-04-26  12:06:53  added TXT dns record mail._domainkey for user1-domain2.ch
2017-04-26  12:06:53  added mail domain user1-domain2.ch
2017-04-26  12:25:48  added mail account user1@user1.ch

root@lx1:/usr/local/vesta/bin# ./v-list-user-log user2
DATE        TIME      CMD
----        ----      ---
2017-04-27  12:57:02  changed language to en
2017-04-27  12:57:49  added web domain downtown-bern.ch
2017-04-27  12:57:49  added dns domain downtown-bern.ch
2017-04-27  12:57:49  added TXT dns record _domainkey for downtown-bern.ch
2017-04-27  12:57:49  added TXT dns record mail._domainkey for downtown-bern.ch
2017-04-27  12:57:49  added mail domain downtown-bern.ch
2017-04-27  12:57:50  enabled web log analyzer for downtown-bern.ch
2017-04-27  12:57:55  added ftp account user2_user2@downtown-bern.ch
v-add-user USER PASSWORD EMAIL [PACKAGE] [FNAME] [LNAME]
v-add-user user2 mnag2017 abuse@hoststar.ch STARENTRY fname lname

v-add-domain USER DOMAIN [IP] [RESTART]
v-add-domain user1 user1.ch

v-list-web-templates
v-change-user-template

v-add-database USER DATABASE DBUSER DBPASS [TYPE] [HOST] [CHARSET]
v-add-database user1 user1db user1db mnag2017

v-add-web-domain-ftp USER DOMAIN FTP_USER FTP_PASSWORD [FTP_PATH]
v-add-web-domain-ftp user2 user2.ch ftp mnag2017
exim/spamassassin
http://lists.merlins.org/archives/sa-exim/2003-July/000511.html
http://svn.apache.org/repos/asf/spamassassin/tags/spamassassin_current_release_3.4.x/sql/README
https://www.rosehosting.com/blog/how-to-setup-a-mailserver-with-exim4-and-dbmail-on-a-debian-7-vps/
https://spamassassin.apache.org/full/3.4.x/doc/spamd.html
https://wiki.apache.org/spamassassin/UsingSQL
https://app.assembla.com/wiki/show/file_sender/Configuring_SRS_with_Exim_(Debian_and_Ubuntu)
https://wiki.herzbube.ch/index.php/Exim#SRS_overview
https://github.com/Exim/exim/wiki/BlockCracking
https://serverfault.com/questions/636804/rate-limit-exim-per-user-basis
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-exim_utilities.html
update-exim4.conf -o /etc/exim4/exim4.conf
Exim Ratelimit:
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html
https://forum.vestacp.com/viewtopic.php?f=41&t=12623
https://www.lowendtalk.com/discussion/105885/multiple-exim-acls-to-limit-outgoing-mails
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html#useratlim
https://serverfault.com/questions/851021/add-x-spam-flag-using-exim4
apt install libclass-dbi-mysql-perl

/etc/default/spamassassin
OPTIONS="--max-children 5 -x -q -u nobody"

/etc/exim4/exim4.conf.localmacros
log_selector = +subject

/etc/exim4/exim4.conf
# example read from db
#SCORE_QUERY = select value from userpref
#SPAM_SCORE = ${lookup mysql{servers=127.0.0.1/sa/root/mnag2017; SCORE_QUERY}}

acl_check_rcpt:
  # get recipient into acl_m3
  warn set acl_m3 = ${local_part}@${domain}

  #pass user to spamd from acl_m3
  #spam = nobody:true/defer_ok
  spam = $acl_m3:true/defer_ok

/etc/spamassassin/mysql.cf
allow_user_rules 1
#user_scores_dsn DBI:mysql:sa:localhost;mysql_socket=/var/run/mysqld/mysqld.sock
user_scores_dsn DBI:mysql:sa:127.0.0.1;mysql_socket=/var/run/mysqld/mysqld.sock
user_scores_sql_username root
user_scores_sql_password mnag2017
#user_scores_sql_custom_query SELECT preference, value FROM _TABLE_ WHERE username = _USERNAME_ OR username = '$GLOBAL' OR username = CONCAT('%',_DOMAIN_) ORDER BY username ASC
FTP
- Main user / FTP account? Restrict the permissions of the main user.
Partitioning
/      ext4  60G
/var   xfs   55G
/tmp   xfs   25G
swap         10G
/home  xfs   rest
https://www.beegfs.com/wiki/StorageServerTuning#hn_59ca4f8bbb_9
proftpd.conf
ServerName "FTP"
ServerIdent on "FTP Server ready."
ServerAdmin root@localhost
DefaultServer on
DefaultRoot ~ !adm

#<IfModule mod_vroot.c>
# VRootEngine on
# VRootAlias /etc/security/pam_env.conf etc/security/pam_env.conf
#</IfModule>

AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c
UseReverseDNS off
User proftpd
Group nogroup
MaxInstances 20
UseSendfile off
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
ListOptions -a
RequireValidShell off
PassivePorts 12000 12100
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log

LoadModule mod_sftp.c
LoadModule mod_sftp_pam.c
<IfModule mod_sftp.c>
<VirtualHost 85.10.232.92>
SFTPEngine on
Port 5544
SFTPLog /var/log/proftpd/sftp.log
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key
SFTPCompression delayed
DefaultRoot ~
AllowOverwrite on
AllowRetrieveRestart on
AllowStoreRestart on
# SFTPAuthMethods password
RequireValidShell no
</VirtualHost>
</IfModule>

<Global>
Umask 002
IdentLookups off
AllowOverwrite yes
<Limit ALL SITE_CHMOD>
AllowAll
</Limit>
</Global>

#<IfModule mod_quotatab.c>
#QuotaEngine off
#</IfModule>
LoadModule mod_quotatab.c
LoadModule mod_quotatab_file.c

<IfModule mod_ctrls.c>
ControlsEngine on
ControlsMaxClients 10
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
Mod Security
root@lx1 /etc/apache2 # apt-get install modsecurity-crs libapache2-mod-security2

root@lx1 /etc/apache2 # apachectl -M | grep --color security2
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using lx1.hoststar.hosting. Set the 'ServerName' directive globally to suppress this message
 security2_module (shared)

root@lx1 /usr/share/modsecurity-crs # ln -sf ../modsecurity_crs_10_setup.conf activated_rules/

root@lx1 /usr/share/modsecurity-crs # for f in `ls base_rules`; do sudo ln -s ../base_rules/$f activated_rules/$f; done
root@lx1 /usr/share/modsecurity-crs # ll activated_rules/
total 20
drwxr-xr-x 2 root root 4096 Jun  8 14:43 ./
drwxr-xr-x 9 root root 4096 Jun  8 14:39 ../
lrwxrwxrwx 1 root root   44 Jun  8 14:43 modsecurity_35_bad_robots.data -> ../base_rules/modsecurity_35_bad_robots.data
lrwxrwxrwx 1 root root   42 Jun  8 14:43 modsecurity_35_scanners.data -> ../base_rules/modsecurity_35_scanners.data
lrwxrwxrwx 1 root root   49 Jun  8 14:43 modsecurity_40_generic_attacks.data -> ../base_rules/modsecurity_40_generic_attacks.data
lrwxrwxrwx 1 root root   42 Jun  8 14:43 modsecurity_50_outbound.data -> ../base_rules/modsecurity_50_outbound.data
lrwxrwxrwx 1 root root   50 Jun  8 14:43 modsecurity_50_outbound_malware.data -> ../base_rules/modsecurity_50_outbound_malware.data
lrwxrwxrwx 1 root root   32 Jun  8 14:43 modsecurity_crs_10_setup.conf -> ../modsecurity_crs_10_setup.conf
lrwxrwxrwx 1 root root   57 Jun  8 14:43 modsecurity_crs_20_protocol_violations.conf -> ../base_rules/modsecurity_crs_20_protocol_violations.conf
lrwxrwxrwx 1 root root   56 Jun  8 14:43 modsecurity_crs_21_protocol_anomalies.conf -> ../base_rules/modsecurity_crs_21_protocol_anomalies.conf
lrwxrwxrwx 1 root root   52 Jun  8 14:43 modsecurity_crs_23_request_limits.conf -> ../base_rules/modsecurity_crs_23_request_limits.conf
lrwxrwxrwx 1 root root   49 Jun  8 14:43 modsecurity_crs_30_http_policy.conf -> ../base_rules/modsecurity_crs_30_http_policy.conf
lrwxrwxrwx 1 root root   48 Jun  8 14:43 modsecurity_crs_35_bad_robots.conf -> ../base_rules/modsecurity_crs_35_bad_robots.conf
lrwxrwxrwx 1 root root   53 Jun  8 14:43 modsecurity_crs_40_generic_attacks.conf -> ../base_rules/modsecurity_crs_40_generic_attacks.conf
lrwxrwxrwx 1 root root   59 Jun  8 14:43 modsecurity_crs_41_sql_injection_attacks.conf -> ../base_rules/modsecurity_crs_41_sql_injection_attacks.conf
lrwxrwxrwx 1 root root   49 Jun  8 14:43 modsecurity_crs_41_xss_attacks.conf -> ../base_rules/modsecurity_crs_41_xss_attacks.conf
lrwxrwxrwx 1 root root   52 Jun  8 14:43 modsecurity_crs_42_tight_security.conf -> ../base_rules/modsecurity_crs_42_tight_security.conf
lrwxrwxrwx 1 root root   45 Jun  8 14:43 modsecurity_crs_45_trojans.conf -> ../base_rules/modsecurity_crs_45_trojans.conf
lrwxrwxrwx 1 root root   55 Jun  8 14:43 modsecurity_crs_47_common_exceptions.conf -> ../base_rules/modsecurity_crs_47_common_exceptions.conf
lrwxrwxrwx 1 root root   62 Jun  8 14:43 modsecurity_crs_48_local_exceptions.conf.example -> ../base_rules/modsecurity_crs_48_local_exceptions.conf.example
lrwxrwxrwx 1 root root   54 Jun  8 14:43 modsecurity_crs_49_inbound_blocking.conf -> ../base_rules/modsecurity_crs_49_inbound_blocking.conf
lrwxrwxrwx 1 root root   46 Jun  8 14:43 modsecurity_crs_50_outbound.conf -> ../base_rules/modsecurity_crs_50_outbound.conf
lrwxrwxrwx 1 root root   55 Jun  8 14:43 modsecurity_crs_59_outbound_blocking.conf -> ../base_rules/modsecurity_crs_59_outbound_blocking.conf
lrwxrwxrwx 1 root root   49 Jun  8 14:43 modsecurity_crs_60_correlation.conf -> ../base_rules/modsecurity_crs_60_correlation.conf

root@lx1 /etc/modsecurity # cp modsecurity.conf-recommended modsecurity.conf
vi modsecurity.conf

#SecRuleEngine DetectionOnly
SecRuleEngine On

root@lx1 /etc/apache2/mods-available # view security2.conf

IncludeOptional /usr/share/modsecurity-crs/activated_rules/*.conf

chmod 1733 /var/log/apache2/ << part of modsec things ;)

https://modsecurity.org/crs/
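The activation steps from the transcript above, as an added shell example that is not from the wiki page or the ModSecurity project: it links the CRS setup file and base rules into activated_rules with relative symlinks (globbing the directory rather than parsing ls output, so odd file names cannot break the loop), counts the rule files that actually resolve (a dangling link is silently skipped by IncludeOptional, which is easy to miss), and reads back the effective SecRuleEngine value so the switch from DetectionOnly to On can be confirmed before Apache is reloaded. The default paths are the Debian/Ubuntu layout shown on the page; the function names and the --run switch are my own.

```shell
#!/bin/sh
# Added example, not the wiki page's or ModSecurity's own code.
# Default paths follow the Debian/Ubuntu layout from the transcript;
# function names and the --run switch are assumptions of this example.

# activate_crs_rules [CRS_DIR]
#   Links CRS_DIR/modsecurity_crs_10_setup.conf and every regular file in
#   CRS_DIR/base_rules into CRS_DIR/activated_rules with relative targets,
#   exactly as the manual ln -s commands on the page do. Idempotent:
#   ln -sf replaces existing links and touches nothing else.
activate_crs_rules() {
    crs_dir="${1:-/usr/share/modsecurity-crs}"
    act="$crs_dir/activated_rules"
    mkdir -p "$act"
    ln -sf ../modsecurity_crs_10_setup.conf "$act/modsecurity_crs_10_setup.conf"
    # shell glob instead of `ls`: file names are never word-split
    for f in "$crs_dir"/base_rules/*; do
        [ -f "$f" ] || continue
        ln -sf "../base_rules/$(basename "$f")" "$act/$(basename "$f")"
    done
}

# count_activated [CRS_DIR]
#   Prints how many activated_rules/*.conf entries resolve to a real file.
#   .data files and *.conf.example are not counted; a dangling link would
#   be ignored by IncludeOptional, so it is not counted either.
count_activated() {
    n=0
    for f in "${1:-/usr/share/modsecurity-crs}"/activated_rules/*.conf; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# rule_engine_mode [MODSEC_CONF]
#   Prints the effective SecRuleEngine value (On, Off or DetectionOnly).
#   Commented-out lines are ignored; the last active directive wins, which
#   is how Apache reads the file. Prints "unset" if the directive is absent.
rule_engine_mode() {
    conf="${1:-/etc/modsecurity/modsecurity.conf}"
    mode=$(sed -n 's/^[[:space:]]*SecRuleEngine[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' "$conf" | tail -n 1)
    echo "${mode:-unset}"
}

# Run as root to activate the default CRS directory and report the result:
#   sh crs-activate.sh --run
if [ "${1:-}" = "--run" ]; then
    activate_crs_rules
    echo "activated rule files: $(count_activated)"
    echo "SecRuleEngine: $(rule_engine_mode)"
    apachectl configtest
fi
```

When run without --run the file only defines the functions, so it can be sourced from a provisioning script; the configtest at the end is the step to do before the `service apache2 reload` that puts the rules live.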
Perl
libapache2-mod-perl2 is the needed package.

ScriptAlias /p-bin/ /home/web1/web/downtown-bern.ch/pcgi-bin/
<Directory /home/web1/web/downtown-bern.ch/pcgi-bin/>
#    Options FollowSymLinks ExecCGI
#    AddHandler cgi-script .cgi .pl
    <Files ~ "\.(pl|cgi)$">
        SetHandler perl-script
        PerlResponseHandler ModPerl::PerlRun
        Options ExecCGI SymLinksIfOwnerMatch
        PerlSendHeader On
    </Files>
</Directory>