Vesta CP

From HS Syswiki
Revision as of 16 January 2018, 16:20


Default vhost templates

Templates can be found in the /usr/local/vesta/data/templates/ directory. Feel free to modify them or copy them to create new custom templates. After modifying an existing template you need to rebuild the user configuration. This can be done with the v-rebuild-user command or as a bulk operation in the web interface (drop-down list on the "User" page).


Apache

  • default - no additional settings, works well for most sites
  • basedir - to fight against PHP shells using the open_basedir directive
  • hosting - separate PHP limits for each domain (php_admin_value memory/safemode/etc.)
  • phpcgi - template to run PHP as CGI. Can be useful to run php4 or php5.2
  • phpfcgid - to run PHP as FastCGI (automatically installed on a server with > 1 GB of RAM)
  • wsgi - template to run Python projects (can be installed manually)

An Apache template actually consists of three files. The file with the .tpl extension is used to build the usual virtual host, the file with the .stpl extension is used to build the SSL vhost. The file with the .sh extension is optional; it can be used as a trigger to run additional shell commands on domain creation. For details see the phpfcgid.sh template.


Nginx

  • default - serves static content, works well for most sites
  • hosting - disable_symlinks directive to protect from symlink attacks
  • caching - dynamic pages are cached for 15 min to handle spontaneous traffic, aka the reddit effect
  • force-https - force users to HTTPS/SSL (can be installed manually)


DNS

  • default - general DNS records
  • gmail - predefined records for hosting mail on Google Apps
  • child-ns - template for vanity name servers

Default locations of customer data

Hosting data:

  • /home/$user/web
  • /home/$user/web/$domain1.ch
  • /home/$user/web/$domain2.ch
  • /home/$user/web/$domain1.ch/cgi-bin
  • /home/$user/web/$domain1.ch/document_errors
  • /home/$user/web/$domain1.ch/logs
  • /home/$user/web/$domain1.ch/private
  • /home/$user/web/$domain1.ch/public_html
  • /home/$user/web/$domain1.ch/public_shtml
  • /home/$user/web/$domain1.ch/stats


Mail data:

  • /home/$user/mail
  • /home/$user/mail/$domain1.ch
  • /home/$user/mail/$domain2.ch
  • /home/$user/mail/$domain1.ch/$alias
  • /home/$user/mail/$domain1.ch/$alias/cur
  • /home/$user/mail/$domain1.ch/$alias/new
  • /home/$user/mail/$domain1.ch/$alias/.Spam


Database data:

  • /var/lib/mysql/$db1


Webserver conf:

  • /home/$user/conf/web/apache2.conf
  • /home/$user/conf/web/sapache2.conf (ssl)
  • /home/$user/conf/web/nginx.conf
  • /home/$user/conf/web/snginx.conf (ssl)

Mail conf:

  • /home/$user/conf/mail/$domain/* (exim)
  • /home/$user/conf/mail/$domain/passwd (dovecot)

Config and log locations Debian / Ubuntu

https://vestacp.com/docs/#config-log-location-debian-ubuntu

API

https://vestacp.com/docs/api/

Notes

Monitoring:
http://www.librenms.org

Global dhparam:
Path: /etc/ssl/certs/dhparam.pem
openssl dhparam -out dhparam.pem 4096

mysql:
https://dev.mysql.com/doc/refman/5.7/en/user-resources.html

percona:
https://forum.vestacp.com/viewtopic.php?t=14688


CPU:
for CPUFREQ in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor; do [ -f $CPUFREQ ] || continue; echo -n performance > $CPUFREQ; done

Packages:
Start-Date: 2017-05-10  17:14:28
Commandline: apt install libclass-dbi-mysql-perl
Install: libclass-dbi-mysql-perl:amd64 (1.00-3), libsql-abstract-limit-perl:amd64 (2:0.14.1-5, automatic), libhash-merge-perl:amd64 (0.200-1, automatic), libclass-trigger-perl:amd64 (0.14-1, automatic), libmoo-perl:amd64 (2.000002-1, automatic), libb-hooks-op-check-perl:amd64 (0.19-2build2, automatic), libmodule-runtime-perl:amd64 (0.014-2, automatic), libsql-abstract-perl:amd64 (1.81-1, automatic), libuniversal-moniker-perl:amd64 (0.08-7, automatic), libdbix-contextualfetch-perl:amd64 (1.03-3, automatic), libmultidimensional-perl:amd64 (0.010-1build3, automatic), libdbi-perl:amd64 (1.634-1build1, automatic), libstrictures-perl:amd64 (2.000002-1, automatic), libclass-xsaccessor-perl:amd64 (1.19-2build4, automatic), liblingua-en-inflect-perl:amd64 (1.899-1, automatic), libtime-piece-mysql-perl:amd64 (0.06-2, automatic), libclass-dbi-abstractsearch-perl:amd64 (0.07-3, automatic), libparams-classify-perl:amd64 (0.013-5build1, automatic), libclass-method-modifiers-perl:amd64 (2.11-1, automatic), libclone-perl:amd64 (0.38-1build1, automatic), libsub-name-perl:amd64 (0.14-1build1, automatic), librole-tiny-perl:amd64 (2.000001-2, automatic), libio-stringy-perl:amd64 (2.110-5, automatic), libimport-into-perl:amd64 (1.002005-1, automatic), libdevel-globaldestruction-perl:amd64 (0.13-1, automatic), libindirect-perl:amd64 (0.36-1build1, automatic), libdbd-mysql-perl:amd64 (4.033-1ubuntu0.1, automatic), libclass-data-inheritable-perl:amd64 (0.08-2, automatic), libbareword-filehandles-perl:amd64 (0.003-1build3, automatic), libsub-exporter-progressive-perl:amd64 (0.001011-1, automatic), libclass-dbi-perl:amd64 (3.0.17-4, automatic), libclass-accessor-perl:amd64 (0.34-1, automatic), liblexical-sealrequirehints-perl:amd64 (0.009-1build1, automatic), libima-dbi-perl:amd64 (0.35-2, automatic)
End-Date: 2017-05-10  17:14:30

Start-Date: 2017-05-11  16:24:34
Commandline: apt-get install libnghttp2-14
Install: libnghttp2-14:amd64 (1.7.1-1)
End-Date: 2017-05-11  16:24:35

Start-Date: 2017-05-11  16:34:28
Commandline: apt-get install php5.6-bz2 php7.1-bz2 php7.0-bz2
Install: php7.0-bz2:amd64 (7.0.18-1+deb.sury.org~xenial+1), php7.1-bz2:amd64 (7.1.4-1+deb.sury.org~xenial+1), php5.6-bz2:amd64 (5.6.30-10+deb.sury.org~xenial+2)
End-Date: 2017-05-11  16:34:29

Start-Date: 2017-05-11  16:57:14
Commandline: apt-get install php7.1-tidy php5.6-tidy php7.0-tidy
Install: php5.6-tidy:amd64 (5.6.30-10+deb.sury.org~xenial+2), php7.1-tidy:amd64 (7.1.4-1+deb.sury.org~xenial+1), php7.0-tidy:amd64 (7.0.18-1+deb.sury.org~xenial+1), libtidy5:amd64 (1:5.2.0-1+deb.sury.org~xenial+1, automatic)
End-Date: 2017-05-11  16:57:16

Start-Date: 2017-05-12  16:28:55
Commandline: apt-get install libapache2-mod-wsgi
Install: libpython2.7:amd64 (2.7.12-1ubuntu0~16.04.1, automatic), libapache2-mod-wsgi:amd64 (4.3.0-1.1build1)
End-Date: 2017-05-12  16:28:59

Dell Perc:
Write cache >> Force write back

root@lx1:/usr/local/vesta/bin# ./v-list-user-log user1
DATE        TIME      CMD
----        ----      ---
2017-04-25  12:35:21  changed language to en
2017-04-25  12:36:52  added web domain user1.ch
2017-04-25  12:36:52  added dns domain user1.ch
2017-04-25  12:36:53  added TXT dns record _domainkey for user1.ch
2017-04-25  12:36:53  added TXT dns record mail._domainkey for user1.ch
2017-04-25  12:36:53  added mail domain user1.ch
2017-04-25  12:36:53  enabled web log analyzer for user1.ch
2017-04-25  12:36:54  added ftp account user1_user1@user1.ch
2017-04-25  12:38:32  added mysql database user1_user1
2017-04-26  12:06:52  added web domain user1-domain2.ch
2017-04-26  12:06:52  added dns domain user1-domain2.ch
2017-04-26  12:06:53  added TXT dns record _domainkey for user1-domain2.ch
2017-04-26  12:06:53  added TXT dns record mail._domainkey for user1-domain2.ch
2017-04-26  12:06:53  added mail domain user1-domain2.ch
2017-04-26  12:25:48  added mail account user1@user1.ch
root@lx1:/usr/local/vesta/bin# ./v-list-user-log user2
DATE        TIME      CMD
----        ----      ---
2017-04-27  12:57:02  changed language to en
2017-04-27  12:57:49  added web domain downtown-bern.ch
2017-04-27  12:57:49  added dns domain downtown-bern.ch
2017-04-27  12:57:49  added TXT dns record _domainkey for downtown-bern.ch
2017-04-27  12:57:49  added TXT dns record mail._domainkey for downtown-bern.ch
2017-04-27  12:57:49  added mail domain downtown-bern.ch
2017-04-27  12:57:50  enabled web log analyzer for downtown-bern.ch
2017-04-27  12:57:55  added ftp account user2_user2@downtown-bern.ch
v-add-user USER PASSWORD EMAIL [PACKAGE] [FNAME] [LNAME]
v-add-user user2 mnag2017 abuse@hoststar.ch STARENTRY fname lname

v-add-domain USER DOMAIN [IP] [RESTART]
v-add-domain user1 user1.ch

v-list-web-templates
v-change-user-template

v-add-database USER DATABASE DBUSER DBPASS [TYPE] [HOST] [CHARSET]
v-add-database user1 user1db user1db mnag2017

v-add-web-domain-ftp USER DOMAIN FTP_USER FTP_PASSWORD [FTP_PATH]
v-add-web-domain-ftp user2 user2.ch ftp mnag2017

exim/spamassassin

http://lists.merlins.org/archives/sa-exim/2003-July/000511.html

http://svn.apache.org/repos/asf/spamassassin/tags/spamassassin_current_release_3.4.x/sql/README

https://www.rosehosting.com/blog/how-to-setup-a-mailserver-with-exim4-and-dbmail-on-a-debian-7-vps/

https://spamassassin.apache.org/full/3.4.x/doc/spamd.html

https://wiki.apache.org/spamassassin/UsingSQL

https://app.assembla.com/wiki/show/file_sender/Configuring_SRS_with_Exim_(Debian_and_Ubuntu)

https://wiki.herzbube.ch/index.php/Exim#SRS_overview

https://github.com/Exim/exim/wiki/BlockCracking

https://serverfault.com/questions/636804/rate-limit-exim-per-user-basis

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-exim_utilities.html

update-exim4.conf -o /etc/exim4/exim4.conf


Exim Ratelimit:

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html

https://forum.vestacp.com/viewtopic.php?f=41&t=12623

https://www.lowendtalk.com/discussion/105885/multiple-exim-acls-to-limit-outgoing-mails

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html#useratlim


apt install libclass-dbi-mysql-perl

/etc/default/spamassassin
OPTIONS="--max-children 5 -x -q -u nobody"

/etc/exim4/exim4.conf.localmacros
log_selector = +subject

/etc/exim4/exim4.conf
# example: read the per-user score threshold from the database
#SCORE_QUERY = select value from userpref
#SPAM_SCORE = ${lookup mysql{servers=127.0.0.1/sa/root/mnag2017; SCORE_QUERY}}

acl_check_rcpt:
  # get recipient into acl_m3 (note: with several recipients in one message,
  # acl_m3 ends up holding only the last one accepted)
  warn    set acl_m3    = ${local_part}@${domain}

# in the DATA ACL: pass the user from acl_m3 to spamd instead of a fixed user,
# so spamd loads that recipient's SQL preferences
         #spam           = nobody:true/defer_ok
         spam           = $acl_m3:true/defer_ok

/etc/spamassassin/mysql.cf
allow_user_rules        1
#user_scores_dsn                DBI:mysql:sa:localhost;mysql_socket=/var/run/mysqld/mysqld.sock
user_scores_dsn         DBI:mysql:sa:127.0.0.1;mysql_socket=/var/run/mysqld/mysqld.sock
user_scores_sql_username        root
user_scores_sql_password        mnag2017
#user_scores_sql_custom_query   SELECT preference, value FROM _TABLE_ WHERE username = _USERNAME_ OR username = '$GLOBAL' OR username = CONCAT('%',_DOMAIN_) ORDER BY username ASC
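The commented custom query above is the mechanism that makes the $acl_m3 trick useful: spamd receives the recipient address as its username, and the query pulls the exact user's rows, the rows for '%domain' and the '$GLOBAL' rows in one go. The following is an added example, not code from the wiki page or from the SpamAssassin project: it rebuilds the userpref table from SpamAssassin's SQL README in an in-memory SQLite database, loads constructed sample rows, and runs the same three-way lookup to show which row wins for a given recipient. The table layout is the one the README documents; the sample preferences, the function names and the set of options treated as additive are this example's own assumptions, and MySQL's CONCAT() is written as SQLite's '||'.

```python
"""Per-user SpamAssassin preference resolution from a userpref SQL table.

Added example (not from the wiki page or the SpamAssassin project): rebuilds
the userpref table in SQLite and runs the three-way lookup of the commented
user_scores_sql_custom_query (exact username, '%domain', '$GLOBAL').
"""
import sqlite3

# Constructed sample preferences. The username column follows the conventions
# from the SpamAssassin SQL README: '$GLOBAL' for site-wide defaults,
# '%domain' for a whole domain, 'local_part@domain' for one mailbox (the value
# Exim hands over via $acl_m3 in the ACL above).
SAMPLE_PREFS = [
    ("$GLOBAL",          "required_score", "5.0"),
    ("$GLOBAL",          "rewrite_header", "Subject *****SPAM*****"),
    ("%example.ch",      "required_score", "4.0"),
    ("alice@example.ch", "required_score", "7.5"),
    ("alice@example.ch", "whitelist_from", "partner@example.org"),
]

# Table layout as documented in SpamAssassin's sql/README (SQLite syntax).
CREATE_USERPREF = """
CREATE TABLE userpref (
  username   VARCHAR(100) NOT NULL DEFAULT '',
  preference VARCHAR(50)  NOT NULL DEFAULT '',
  value      VARCHAR(100) NOT NULL DEFAULT '',
  prefid     INTEGER PRIMARY KEY AUTOINCREMENT
)
"""

# SQLite rendering of the page's custom query. ORDER BY username ASC is what
# gives the precedence: '$' (0x24) sorts before '%' (0x25), which sorts before
# any letter, so rows arrive global -> domain -> user and later rows overwrite
# earlier ones.
RESOLVE_QUERY = """
SELECT preference, value FROM userpref
 WHERE username = ?
    OR username = '$GLOBAL'
    OR username = '%' || ?
 ORDER BY username ASC
"""

# Options treated as additive across rows (assumption for this example).
MULTI_VALUED = {"whitelist_from", "blacklist_from", "whitelist_to"}


def load_sample_db() -> sqlite3.Connection:
    """Create the userpref table in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE_USERPREF)
    conn.executemany(
        "INSERT INTO userpref (username, preference, value) VALUES (?, ?, ?)",
        SAMPLE_PREFS,
    )
    conn.commit()
    return conn


def resolve_prefs(conn: sqlite3.Connection, username: str) -> dict:
    """Return the effective preferences for one mailbox.

    `username` must be the full address (local_part@domain), exactly what the
    Exim ACL stores in acl_m3; the domain part feeds the '%domain' match.
    Additive options are accumulated as lists, everything else is overwritten
    so the most specific row wins.
    """
    if "@" not in username:
        raise ValueError("expected local_part@domain, got %r" % username)
    domain = username.rsplit("@", 1)[1]
    prefs: dict = {}
    for preference, value in conn.execute(RESOLVE_QUERY, (username, domain)):
        if preference in MULTI_VALUED:
            prefs.setdefault(preference, []).append(value)
        else:
            prefs[preference] = value
    return prefs


if __name__ == "__main__":
    db = load_sample_db()
    for rcpt in ("alice@example.ch", "bob@example.ch", "carol@other.ch"):
        print(rcpt, resolve_prefs(db, rcpt))
```

Running it shows alice getting her own threshold of 7.5, bob (same domain, no own row) getting the domain value 4.0 and carol (other domain) falling back to the global 5.0. If a recipient is passed without the domain part, no '%domain' row can match, which is why the ACL stores ${local_part}@${domain} rather than the bare local part.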

FTP

- Main user vs. FTP account? Restrict the permissions of the main user.

Partitioning

/ ext4 60G 
/var xfs 55G
/tmp xfs 25G
swap 10G
/home xfs rest

https://www.beegfs.com/wiki/StorageServerTuning#hn_59ca4f8bbb_9

proftp.conf

ServerName                      "FTP"
ServerIdent                     on "FTP Server ready."
ServerAdmin                     root@localhost
DefaultServer                   on
DefaultRoot                  ~ !adm

#<IfModule mod_vroot.c>
#    VRootEngine                 on
#    VRootAlias                  /etc/security/pam_env.conf etc/security/pam_env.conf
#</IfModule>

AuthPAMConfig                   proftpd
AuthOrder                       mod_auth_pam.c* mod_auth_unix.c
UseReverseDNS                   off
User                            proftpd
Group                           nogroup
MaxInstances                    20
UseSendfile                     off
LogFormat                       default "%h %l %u %t \"%r\" %s %b"
LogFormat                       auth    "%v [%P] %h %t \"%r\" %s"
ListOptions                     -a
RequireValidShell               off
PassivePorts                    12000 12100
TransferLog                     /var/log/proftpd/xferlog
SystemLog                       /var/log/proftpd/proftpd.log

LoadModule mod_sftp.c
LoadModule mod_sftp_pam.c

<IfModule mod_sftp.c>
    <VirtualHost 85.10.232.92>
        SFTPEngine on
        Port 5544
        SFTPLog /var/log/proftpd/sftp.log

        SFTPHostKey /etc/ssh/ssh_host_rsa_key
        SFTPHostKey /etc/ssh/ssh_host_dsa_key

        SFTPCompression delayed
        DefaultRoot ~
        AllowOverwrite on
        AllowRetrieveRestart on
        AllowStoreRestart on
#       SFTPAuthMethods password
        RequireValidShell       no

    </VirtualHost>
</IfModule>

<Global>
  Umask                         002
  IdentLookups                  off
  AllowOverwrite                yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>
</Global>

#<IfModule mod_quotatab.c>
#QuotaEngine off
#</IfModule>

LoadModule mod_quotatab.c
LoadModule mod_quotatab_file.c
<IfModule mod_ctrls.c>
        ControlsEngine        on
        ControlsMaxClients    10
        ControlsLog           /var/log/proftpd/controls.log
        ControlsInterval      5
        ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>
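The security-relevant lines in the configuration above are the DefaultRoot directives: the main server chroots everyone except the adm group to their home directory and the SFTP vhost repeats the setting, because a <VirtualHost> that lacks it lets logins browse outside the home. As an added example (not code from the wiki page or from the ProFTPD project), the following script parses a proftpd.conf with its Apache-style nested blocks, records each directive with the block path it sits in, and reports every server context (main server or VirtualHost) without a DefaultRoot. The sample configuration is a constructed, shortened variant of the one above with documentation addresses and a deliberately incomplete second vhost; the function names are this example's own.

```python
"""Parse a ProFTPD configuration and check that every server context
chroots its users (DefaultRoot).

Added example, not from the wiki page or the ProFTPD project.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the main server chroots to ~ except members of 'adm',
# the SFTP vhost has DefaultRoot ~, and a second plain-FTP vhost is
# deliberately missing DefaultRoot so the checker has something to report.
SAMPLE_CONF = """\
ServerName        "FTP"
DefaultServer     on
DefaultRoot       ~ !adm
RequireValidShell off
PassivePorts      12000 12100

<IfModule mod_sftp.c>
    <VirtualHost 192.0.2.10>
        SFTPEngine on
        Port 5544
        DefaultRoot ~
        <Limit LOGIN>
            AllowAll
        </Limit>
    </VirtualHost>
</IfModule>

<VirtualHost 192.0.2.11>
    ServerName "legacy-ftp"
    Port 2121
</VirtualHost>

<Global>
  Umask 002
</Global>
"""

OPEN_TAG = re.compile(r"^<(\w+)(?:\s+(.*?))?>$")
CLOSE_TAG = re.compile(r"^</(\w+)>$")


@dataclass
class Directive:
    name: str
    args: str
    # enclosing blocks, outermost first, e.g. ('IfModule mod_sftp.c', 'VirtualHost 192.0.2.10')
    context: tuple = field(default_factory=tuple)


def parse_proftpd_conf(text: str) -> list:
    """Return the directives with their enclosing block path.

    Raises ValueError on a mismatched or unclosed block, the usual way a
    hand-edited proftpd.conf breaks. Comment stripping is naive ('#' to end
    of line) and would cut a quoted value containing '#'.
    """
    stack: list = []
    out: list = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = CLOSE_TAG.match(line)
        if m:
            if not stack or stack[-1].split(" ", 1)[0] != m.group(1):
                raise ValueError("line %d: unexpected </%s>" % (lineno, m.group(1)))
            stack.pop()
            continue
        m = OPEN_TAG.match(line)
        if m:
            stack.append(m.group(1) + (" " + m.group(2) if m.group(2) else ""))
            continue
        name, _, args = line.partition(" ")
        out.append(Directive(name, args.strip(), tuple(stack)))
    if stack:
        raise ValueError("unclosed block: <%s>" % stack[-1])
    return out


def server_contexts(directives: list) -> dict:
    """Group directives by server context: '' for the main server, otherwise the
    'VirtualHost ...' block name. <IfModule> wrappers are transparent; <Global>
    directives are left out because they apply to every server."""
    ctx: dict = {"": []}
    for d in directives:
        vhosts = [c for c in d.context if c.startswith("VirtualHost")]
        if vhosts:
            ctx.setdefault(vhosts[0], []).append(d)
        elif not any(c.startswith("Global") for c in d.context):
            ctx[""].append(d)
    return ctx


def missing_defaultroot(text: str) -> list:
    """Server contexts without a DefaultRoot directive ('' = main server)."""
    directives = parse_proftpd_conf(text)
    # A DefaultRoot inside <Global> covers the main server and every vhost.
    if any(d.name == "DefaultRoot" and any(c.startswith("Global") for c in d.context)
           for d in directives):
        return []
    return [name for name, dirs in server_contexts(directives).items()
            if not any(d.name == "DefaultRoot" for d in dirs)]


if __name__ == "__main__":
    print("contexts without DefaultRoot:", missing_defaultroot(SAMPLE_CONF))
```

On the sample it reports only the legacy vhost; run against a real /etc/proftpd/proftpd.conf (read the file instead of SAMPLE_CONF) it gives a quick regression check after edits, since an <Include> of further files is not followed by this parser.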

Mod Security

root@lx1 /etc/apache2 #  apt-get install modsecurity-crs libapache2-mod-security2

root@lx1 /etc/apache2 #  apachectl -M | grep --color security2
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using lx1.hoststar.hosting. Set the 'ServerName' directive globally to suppress this message
 security2_module (shared)

root@lx1 /usr/share/modsecurity-crs #  ln -sf ../modsecurity_crs_10_setup.conf activated_rules/

root@lx1 /usr/share/modsecurity-crs #  for f in `ls base_rules`; do sudo ln -s ../base_rules/$f activated_rules/$f; done
root@lx1 /usr/share/modsecurity-crs #  ll activated_rules/
total 20
drwxr-xr-x 2 root root 4096 Jun  8 14:43 ./
drwxr-xr-x 9 root root 4096 Jun  8 14:39 ../
lrwxrwxrwx 1 root root   44 Jun  8 14:43 modsecurity_35_bad_robots.data -> ../base_rules/modsecurity_35_bad_robots.data
lrwxrwxrwx 1 root root   42 Jun  8 14:43 modsecurity_35_scanners.data -> ../base_rules/modsecurity_35_scanners.data
lrwxrwxrwx 1 root root   49 Jun  8 14:43 modsecurity_40_generic_attacks.data -> ../base_rules/modsecurity_40_generic_attacks.data
lrwxrwxrwx 1 root root   42 Jun  8 14:43 modsecurity_50_outbound.data -> ../base_rules/modsecurity_50_outbound.data
lrwxrwxrwx 1 root root   50 Jun  8 14:43 modsecurity_50_outbound_malware.data -> ../base_rules/modsecurity_50_outbound_malware.data
lrwxrwxrwx 1 root root   32 Jun  8 14:43 modsecurity_crs_10_setup.conf -> ../modsecurity_crs_10_setup.conf
lrwxrwxrwx 1 root root   57 Jun  8 14:43 modsecurity_crs_20_protocol_violations.conf -> ../base_rules/modsecurity_crs_20_protocol_violations.conf
lrwxrwxrwx 1 root root   56 Jun  8 14:43 modsecurity_crs_21_protocol_anomalies.conf -> ../base_rules/modsecurity_crs_21_protocol_anomalies.conf
lrwxrwxrwx 1 root root   52 Jun  8 14:43 modsecurity_crs_23_request_limits.conf -> ../base_rules/modsecurity_crs_23_request_limits.conf
lrwxrwxrwx 1 root root   49 Jun  8 14:43 modsecurity_crs_30_http_policy.conf -> ../base_rules/modsecurity_crs_30_http_policy.conf
lrwxrwxrwx 1 root root   48 Jun  8 14:43 modsecurity_crs_35_bad_robots.conf -> ../base_rules/modsecurity_crs_35_bad_robots.conf
lrwxrwxrwx 1 root root   53 Jun  8 14:43 modsecurity_crs_40_generic_attacks.conf -> ../base_rules/modsecurity_crs_40_generic_attacks.conf
lrwxrwxrwx 1 root root   59 Jun  8 14:43 modsecurity_crs_41_sql_injection_attacks.conf -> ../base_rules/modsecurity_crs_41_sql_injection_attacks.conf
lrwxrwxrwx 1 root root   49 Jun  8 14:43 modsecurity_crs_41_xss_attacks.conf -> ../base_rules/modsecurity_crs_41_xss_attacks.conf
lrwxrwxrwx 1 root root   52 Jun  8 14:43 modsecurity_crs_42_tight_security.conf -> ../base_rules/modsecurity_crs_42_tight_security.conf
lrwxrwxrwx 1 root root   45 Jun  8 14:43 modsecurity_crs_45_trojans.conf -> ../base_rules/modsecurity_crs_45_trojans.conf
lrwxrwxrwx 1 root root   55 Jun  8 14:43 modsecurity_crs_47_common_exceptions.conf -> ../base_rules/modsecurity_crs_47_common_exceptions.conf
lrwxrwxrwx 1 root root   62 Jun  8 14:43 modsecurity_crs_48_local_exceptions.conf.example -> ../base_rules/modsecurity_crs_48_local_exceptions.conf.example
lrwxrwxrwx 1 root root   54 Jun  8 14:43 modsecurity_crs_49_inbound_blocking.conf -> ../base_rules/modsecurity_crs_49_inbound_blocking.conf
lrwxrwxrwx 1 root root   46 Jun  8 14:43 modsecurity_crs_50_outbound.conf -> ../base_rules/modsecurity_crs_50_outbound.conf
lrwxrwxrwx 1 root root   55 Jun  8 14:43 modsecurity_crs_59_outbound_blocking.conf -> ../base_rules/modsecurity_crs_59_outbound_blocking.conf
lrwxrwxrwx 1 root root   49 Jun  8 14:43 modsecurity_crs_60_correlation.conf -> ../base_rules/modsecurity_crs_60_correlation.conf


root@lx1 /etc/modsecurity #  cp modsecurity.conf-recommended modsecurity.conf
vi modsecurity.conf

#SecRuleEngine DetectionOnly
SecRuleEngine On


root@lx1 /etc/apache2/mods-available #  view security2.conf 

IncludeOptional /usr/share/modsecurity-crs/activated_rules/*.conf 


chmod 1733 /var/log/apache2/  << part of modsec things ;) 

https://modsecurity.org/crs/

Perl

libapache2-mod-perl2 is the package that is needed.

    ScriptAlias /p-bin/ /home/web1/web/downtown-bern.ch/pcgi-bin/
    <Directory /home/web1/web/downtown-bern.ch/pcgi-bin/>
#       Options FollowSymLinks ExecCGI
#        AddHandler cgi-script .cgi .pl
        <Files ~ "\.(pl|cgi)$">
            SetHandler perl-script
            PerlResponseHandler ModPerl::PerlRun
            Options ExecCGI SymLinksIfOwnerMatch
            PerlSendHeader On
        </Files>
    </Directory>