|
|
@@ -12,68 +12,11 @@ if [ -z $THEME ]; then
|
|
|
$BIN/v-change-sys-theme default
|
|
|
fi
|
|
|
|
|
|
-# Replace dhparam 1024 with dhparam 4096
|
|
|
-echo "(*) Increasing Diffie-Hellman Parameter strength to 4096-bit..."
|
|
|
-if [ -e /etc/ssl/dhparam.pem ]; then
|
|
|
- mv /etc/ssl/dhparam.pem $HESTIA_BACKUP/conf/
|
|
|
-fi
|
|
|
-cp -f $HESTIA_INSTALL_DIR/ssl/dhparam.pem /etc/ssl/
|
|
|
-chmod 600 /etc/ssl/dhparam.pem
|
|
|
-
|
|
|
# Reduce SSH login grace time
|
|
|
echo "(*) Hardening SSH daemon configuration..."
|
|
|
sed -i "s/LoginGraceTime 2m/LoginGraceTime 1m/g" /etc/ssh/sshd_config
|
|
|
sed -i "s/#LoginGraceTime 2m/LoginGraceTime 1m/g" /etc/ssh/sshd_config
|
|
|
|
|
|
-# Enhance Vsftpd security
|
|
|
-if [ "$FTP_SYSTEM" = "vsftpd" ]; then
|
|
|
- echo "(*) Hardening Vsftpd SSL configuration..."
|
|
|
- cp -f /etc/vsftpd.conf $HESTIA_BACKUP/conf/
|
|
|
- sed -i "s|ssl_tlsv1=YES|ssl_tlsv1=NO|g" /etc/vsftpd.conf
|
|
|
-fi
|
|
|
-
|
|
|
-# Enhance Dovecot security
|
|
|
-if [ "$IMAP_SYSTEM" = "dovecot" ]; then
|
|
|
- echo "(*) Hardening Dovecot SSL configuration..."
|
|
|
- mv /etc/dovecot/conf.d/10-ssl.conf $HESTIA_BACKUP/conf/
|
|
|
- cp -f $HESTIA_INSTALL_DIR/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/
|
|
|
-fi
|
|
|
-# Update DNS resolvers in hestia-nginx's configuration
|
|
|
-echo "(*) Updating DNS resolvers for Hestia Internal Web Server..."
|
|
|
-dns_resolver=$(cat /etc/resolv.conf | grep -i '^nameserver' | cut -d ' ' -f2 | tr '\r\n' ' ' | xargs)
|
|
|
-for ip in $dns_resolver; do
|
|
|
- if [[ $ip =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
|
|
|
- resolver="$ip $resolver"
|
|
|
- fi
|
|
|
-done
|
|
|
-if [ ! -z "$resolver" ]; then
|
|
|
- sed -i "s/1.0.0.1 1.1.1.1/$resolver/g" /usr/local/hestia/nginx/conf/nginx.conf
|
|
|
-fi
|
|
|
-
|
|
|
-# Remove Webalizer and set AWStats as default
|
|
|
-WEBALIZER_CHECK=$(cat $HESTIA/conf/hestia.conf | grep webalizer)
|
|
|
-if [ ! -z "$WEBALIZER_CHECK" ]; then
|
|
|
- echo "(*) Removing Webalizer and setting AWStats as default web statistics backend..."
|
|
|
- apt purge webalizer -y > /dev/null 2>&1
|
|
|
- if [ -d "$HESTIA/data/templates/web/webalizer" ]; then
|
|
|
- rm -rf $HESTIA/data/templates/web/webalizer
|
|
|
- fi
|
|
|
- if [ -d "/var/www/webalizer" ]; then
|
|
|
- rm -rf /var/www/webalizer
|
|
|
- fi
|
|
|
- $HESTIA/bin/v-change-sys-config-value 'STATS_SYSTEM' 'awstats'
|
|
|
-fi
|
|
|
-
|
|
|
-# Remove old hestia.conf files from Apache & NGINX if they exist
|
|
|
-if [ -f "/etc/apache2/conf.d/hestia.conf" ]; then
|
|
|
- echo "(*) Removing old Apache configuration file from previous version of Hestia Control Panel..."
|
|
|
- rm -f /etc/apache2/conf.d/hestia.conf
|
|
|
-fi
|
|
|
-if [ -f "/etc/nginx/conf.d/hestia.conf" ]; then
|
|
|
- echo "(*) Removing old NGINX configuration file from previous version of Hestia Control Panel..."
|
|
|
- rm -f /etc/nginx/conf.d/hestia.conf
|
|
|
-fi
|
|
|
-
|
|
|
# Implement recidive jail for fail2ban
|
|
|
if [ ! -z "$FIREWALL_EXTENSION" ]; then
|
|
|
if ! cat /etc/fail2ban/jail.local | grep -q "recidive"; then
|
|
|
@@ -81,8 +24,12 @@ if [ ! -z "$FIREWALL_EXTENSION" ]; then
|
|
|
fi
|
|
|
fi
|
|
|
|
|
|
-# Update webmail templates to enable OCSP/SSL stapling
|
|
|
+# Enable OCSP SSL stapling and harden nginx configuration for roundcube
|
|
|
if [ ! -z "$IMAP_SYSTEM" ]; then
|
|
|
- echo "(*) Improving SSL security of Roundcube webmail..."
|
|
|
+ echo "(*) Hardening security of Roundcube webmail..."
|
|
|
$BIN/v-update-mail-templates > /dev/null 2>&1
|
|
|
+ if [ -e /etc/nginx/conf.d/webmail.inc ]; then
|
|
|
+ cp -f /etc/nginx/conf.d/webmail.inc $HESTIA_BACKUP/conf/
|
|
|
+ sed -i "s/config|temp|logs/README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING/g" /etc/nginx/conf.d/webmail.inc
|
|
|
+ fi
|
|
|
fi
|
Kristan Kenney