
Chore/config updates (#4477)

* Add max connections per host for Exim, increase global limit

* Add xferlog to logrotate

* VSFTPD TLS 1.2 ciphers only

* Run NPM Format

* Apply changes to upgrade script

---------

Co-authored-by: Jaap Marcus <9754650+jaapmarcus@users.noreply.github.com>
Alexandros Ioannides 1 год назад
Родитель
Сommit
dd8f9fcd59

+ 2 - 0
install/deb/exim/exim4.conf.4.94.template

@@ -14,6 +14,8 @@ smtp_active_hostname = ${lookup dnsdb{>: defer_never,ptr=$interface_address}{${l
 add_environment = <; PATH=/bin:/usr/bin
 keep_environment =
 disable_ipv6 = true
+smtp_accept_max = 100
+smtp_accept_max_per_host = 20
 
 smtputf8_advertise_hosts =
 domainlist local_domains = dsearch;/etc/exim4/domains/
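Review bot: The new `smtp_accept_max_per_host = 20` on line 31 counts connections from 127.0.0.1 exactly like those from a remote host, so local submission (webmail, PHP mail(), cron jobs on the same box) shares a single 20-connection budget and a local burst is refused with a 421 while unrelated remote senders are unaffected; it also means five busy hosts can consume the whole `smtp_accept_max = 100`. The option is an expanded string in Exim, so the per-host ceiling can be lifted for the local address (the template already sets `disable_ipv6 = true`, so only 127.0.0.1 matters), e.g. `smtp_accept_max_per_host = ${if match_ip{$sender_host_address}{127.0.0.1}{0}{20}}`, and `smtp_accept_reserve` with `smtp_reserve_hosts` can keep a few global slots for trusted hosts; hedged, as the rest of the template is outside the hunk. Whatever is chosen, a one-line comment stating the intent (`# per-host cap limits one abusive client; 0 = unlimited`) would help, since the bare numbers read as arbitrary. The same two lines are added in exim4.conf.4.95.template (lines 43–44) and exim4.conf.template (lines 56–57).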

+ 2 - 0
install/deb/exim/exim4.conf.4.95.template

@@ -14,6 +14,8 @@ smtp_active_hostname = ${lookup dnsdb{>: defer_never,ptr=$interface_address}{${l
 add_environment = <; PATH=/bin:/usr/bin
 keep_environment =
 disable_ipv6 = true
+smtp_accept_max = 100
+smtp_accept_max_per_host = 20
 
 SRS_SECRET = ${readfile{/etc/exim4/srs.conf}}
 

+ 2 - 0
install/deb/exim/exim4.conf.template

@@ -14,6 +14,8 @@ smtp_active_hostname = ${lookup dnsdb{>: defer_never,ptr=$interface_address}{${l
 add_environment = <; PATH=/bin:/usr/bin
 keep_environment =
 disable_ipv6 = true
+smtp_accept_max = 100
+smtp_accept_max_per_host = 20
 
 smtputf8_advertise_hosts =
 domainlist local_domains = dsearch;/etc/exim4/domains/

+ 2 - 2
install/deb/vsftpd/vsftpd.conf

@@ -1,3 +1,4 @@
+listen=YES
 anonymous_enable=NO
 local_enable=YES
 write_enable=YES
@@ -10,7 +11,6 @@ connect_from_port_20=YES
 xferlog_std_format=YES
 dual_log_enable=YES
 chroot_local_user=YES
-listen=YES
 pam_service_name=vsftpd
 ftpd_banner=Welcome! Please note that all activity is logged.
 userlist_enable=NO
@@ -33,7 +33,7 @@ utf8_filesystem=YES
 ssl_enable=YES
 allow_anon_ssl=NO
 require_ssl_reuse=NO
-ssl_ciphers=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256
+ssl_ciphers=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
 ssl_sslv2=NO
 ssl_sslv3=NO
 ssl_tlsv1=NO
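Review bot: The new `ssl_ciphers` value on line 83 is an OpenSSL cipher-list string, and such a list only governs TLS 1.2-and-earlier suites; if this vsftpd is linked against OpenSSL 1.1.1 or later, TLS 1.3 sessions pick from OpenSSL's separate ciphersuites list and are untouched by this line, which is presumably fine but deserves a comment such as `# OpenSSL cipher list: applies to TLS 1.2 only; TLS 1.3 suites are negotiated separately`. Because every remaining suite is GCM or CHACHA20-POLY1305, a TLS 1.0/1.1 client has nothing left to negotiate even though only `ssl_tlsv1=NO` is visible here, so the commit title is effectively achieved by the cipher list; stating the floor explicitly with `ssl_tlsv1_1=NO` (where the vsftpd build supports it) would make that intent visible rather than implied. Dropping all CBC suites will also reject older FTPS clients that lack AEAD support, so this is a compatibility change worth a line in the release notes.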

+ 3 - 0
install/hst-install-debian.sh

@@ -1700,6 +1700,9 @@ if [ "$vsftpd" = 'yes' ]; then
 	touch /var/log/xferlog
 	chown root:adm /var/log/xferlog
 	chmod 640 /var/log/xferlog
+	if [ -s /etc/logrotate.d/vsftpd ] && ! grep -Fq "/var/log/xferlog" /etc/logrotate.d/vsftpd; then
+		sed -i 's|/var/log/vsftpd.log|/var/log/vsftpd.log /var/log/xferlog|g' /etc/logrotate.d/vsftpd
+	fi
 	update-rc.d vsftpd defaults > /dev/null 2>&1
 	systemctl start vsftpd >> $LOG
 	check_result $? "vsftpd start failed"
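Review bot: The `sed` on line 96 is a silent no-op when the distribution's `/etc/logrotate.d/vsftpd` does not contain the literal `/var/log/vsftpd.log` (the guard on line 95 only checks that the file is non-empty and does not already mention xferlog), so on such a system `/var/log/xferlog` is created but never rotated and, with `xferlog_std_format=YES` and `dual_log_enable=YES` from vsftpd.conf, grows without bound. A cheap post-check makes the failure visible in the install log: `grep -Fq "/var/log/xferlog" /etc/logrotate.d/vsftpd || echo "warning: xferlog not added to vsftpd logrotate" >> $LOG`. The identical three lines appear in install/hst-install-ubuntu.sh (lines 109–111) and install/upgrade/versions/1.9.0.sh (lines 124–126) and would benefit from the same check, or from a shared helper since the snippet is now copied three times. The enclosing `if [ "$vsftpd" = 'yes' ]` block starts before the hunk and continues after it.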

+ 3 - 0
install/hst-install-ubuntu.sh

@@ -1724,6 +1724,9 @@ if [ "$vsftpd" = 'yes' ]; then
 	touch /var/log/xferlog
 	chown root:adm /var/log/xferlog
 	chmod 640 /var/log/xferlog
+	if [ -s /etc/logrotate.d/vsftpd ] && ! grep -Fq "/var/log/xferlog" /etc/logrotate.d/vsftpd; then
+		sed -i 's|/var/log/vsftpd.log|/var/log/vsftpd.log /var/log/xferlog|g' /etc/logrotate.d/vsftpd
+	fi
 	update-rc.d vsftpd defaults > /dev/null 2>&1
 	systemctl start vsftpd >> $LOG
 	check_result $? "vsftpd start failed"

+ 15 - 0
install/upgrade/versions/1.9.0.sh

@@ -80,5 +80,20 @@ for package in $packages; do
 	done
 done
 
+# Add xferlog to vsftpd logrotate
+if [ -s /etc/logrotate.d/vsftpd ] && ! grep -Fq "/var/log/xferlog" /etc/logrotate.d/vsftpd; then
+	sed -i 's|/var/log/vsftpd.log|/var/log/vsftpd.log /var/log/xferlog|g' /etc/logrotate.d/vsftpd
+fi
+
+# Use only TLS 1.2 cipher suites for vsftpd
+if [ -s /etc/vsftpd.conf ]; then
+	sed -i "s/ssl_ciphers.*/ssl_ciphers=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305/g" /etc/vsftpd.conf
+fi
+
+# Increase max connections and limit number of connections per host for Exim
+if [ -s /etc/exim4/exim4.conf.template ] && ! grep -Fq "smtp_accept_max" /etc/exim4/exim4.conf.template; then
+	sed -i '/disable_ipv6 = true/a\smtp_accept_max = 100\nsmtp_accept_max_per_host = 20' /etc/exim4/exim4.conf.template
+fi
+
 $BIN/v-add-user-notification 'admin' 'Hestia security has been upgraded' ' A new user "hestiaweb" has been created and is used for login. Make sure other Hestia packages are updated as well otherwise the system may not work as expected.'
 add_upgrade_message 'Security has been upgraded, A new user "hestiaweb" has been created and is used for login. Make sure other Hestia packages are updated as well otherwise the system may not work as expected.'
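Review bot: The `sed` on line 130 replaces every line matching `ssl_ciphers.*` unconditionally, so an operator who tuned `ssl_ciphers` on a production server has it overwritten on upgrade with no notice, and a commented-out `#ssl_ciphers=...` line is rewritten as well; anchoring the pattern (`s/^ssl_ciphers=.*/.../`) avoids the second problem, and the first deserves at least an `add_upgrade_message` entry like the one on line 139 so the change is not silent. The Exim block on lines 134–136 only inserts the two limits when the exact text `disable_ipv6 = true` is present, so a template where that line was changed or removed gets no limit and no diagnostic; a fallback message to `$LOG` would help operators notice. Nothing in this hunk reloads exim4 or vsftpd after editing their configuration, so unless the upgrade framework restarts them elsewhere the new cipher list and connection limits take effect only after the next service restart — hedged, since the rest of the script is outside the hunk. The `for package in $packages` loop on line 119 starts before the hunk.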