#!/bin/sh

# OpenSUSE 11.2 Perfect Server ISPConfig script by George Yohng (georgesc#oss3d.com)
# Script Version 1.4

# Do zypper update and reboot before running this script

# Also better change host name (file HOSTNAME) manually before running this script, though looks like it's not necessary

# This script requires two manual actions. 

#    First - when mysql_secure_installation is running. One should type a new MySQL root password, the same as MYSQLROOTPASS below
#    Second - for ISPConfig3 update. One should type 'svn' when the update type is asked
#    For both scripts, all other options are defaults; one can just press ENTER.


# Also, please change MYSQLROOTPASS below, and be sure to enter it verbatim
# when mysql_secure_installation asks for the new root password.

# Important: When setting an MX entry, point it to mail.yourdomain.com rather than
# just to yourdomain.com, and create a CNAME entry for mail. Otherwise it doesn't
# seem to work somehow.

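THIS_PLATFORM=x86_64

# MySQL root password. The value below is only a default: export MYSQLROOTPASS
# in the environment before running the script so the real secret does not
# have to be stored in this file. Whatever value is used here must also be
# typed into mysql_secure_installation when it prompts for the new password.
MYSQLROOTPASS=${MYSQLROOTPASS:-098j91r3kx}

# Change this to your server name. By default it's configured to server1.mydomain.com

# If your web site hosts a complete domain, such as domain.com, still leave
# something for MY_HOSTNAME. 'server1' or 'host' is a good name.

MY_HOSTNAME=server1
MY_DOMAIN=mydomain.com

# Packages may have been updated, therefore also check the RPM and TARGZ locations below,
# and preferably use the latest versions of everything.
# Everything below is fetched over plain http, and this script performs no
# checksum or signature verification of what it downloads.

GETMAIL_RPM=http://download.opensuse.org/repositories/server:/mail/openSUSE_11.2/noarch/getmail-4.17.0-1.1.noarch.rpm
MAILDROP_RPM=http://download.opensuse.org/repositories/server:/mail/openSUSE_11.2/$THIS_PLATFORM/maildrop-2.4.0-1.6.$THIS_PLATFORM.rpm
PAM_MYSQL_TARGZ=http://heanet.dl.sourceforge.net/sourceforge/pam-mysql/pam_mysql-0.7RC1.tar.gz
SUPHP_RPM=http://download.opensuse.org/repositories/server:/php/openSUSE_11.2/$THIS_PLATFORM/suphp-0.7.1-3.1.$THIS_PLATFORM.rpm
# home: project built for openSUSE 11.1, i.e. a personal repository, not an official 11.2 package
FAIL2BAN_RPM=http://download.opensuse.org/repositories/home:/kolbma/openSUSE_11.1/$THIS_PLATFORM/fail2ban-0.8.4-2.1.$THIS_PLATFORM.rpm

AWSTATS_RPM=http://download.opensuse.org/repositories/network:/utilities/openSUSE_11.2/noarch/awstats-6.95-3.1.noarch.rpm

SQUIRRELMAIL_RPM=http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.2/noarch/squirrelmail-1.4.20-1.1.noarch.rpm

JAILKIT_TARGZ=http://olivier.sessink.nl/jailkit/jailkit-2.11.tar.gz

PHPMYADMIN_RPM=http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_11.2/noarch/phpMyAdmin-3.3.3-1.1.noarch.rpm
# i386 build regardless of THIS_PLATFORM; it is installed with --force further down
MYDNS_RPM=http://mydns.bboy.net/download/mydns-mysql-1.1.0-1.i386.rpm
VLOGGER_TARGZ=http://n0rp.chemlab.org/vlogger/vlogger-1.3.tar.gz

RDIFF_BACKUP_TARGZ=http://savannah.nongnu.org/download/rdiff-backup/rdiff-backup-1.2.8.tar.gz

EACCELERATOR_TARGZ=http://bart.eaccelerator.net/source/0.9.6.1/eaccelerator-0.9.6.1.tar.bz2

ISPCONFIG_TAR_GZ=http://downloads.sourceforge.net/ispconfig/ISPConfig-3.0.2.1.tar.gz

# Fully qualified host name used for /etc/HOSTNAME, /etc/hosts, amavis,
# the ISPConfig installer and the backup target directory.
MY_FULLHOSTNAME=$MY_HOSTNAME.$MY_DOMAIN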

# Disable apparmor

/etc/init.d/boot.apparmor stop
chkconfig -d boot.apparmor

# Allow ports through firewall
# 21 ftp, 80 http, 8080 ISPConfig interface, 25 smtp, 143 imap, 465 smtps,
# 585 (legacy imap over ssl), 993 imaps, 30000:30500 pure-ftpd passive range
# (must match PassivePortRange set below). 21, 25 and 143 are cleartext
# services and are opened deliberately. The second call, with no arguments,
# presumably re-applies the rules.

SuSEfirewall2 open EXT TCP 21 80 8080 25 143 465 585 993 30000:30500
SuSEfirewall2

# Switch off X login (check!)

chkconfig --del xdm
rcxdm stop

# Quota

yast2 -i quota

# Quota files for / and /srv; keep them unreadable by other users.
touch /aquota.user /aquota.group
chmod 600 /aquota.*
touch /srv/aquota.user /srv/aquota.group
chmod 600 /srv/aquota.*

# TODO: change fstab here
# quotacheck/quotaon only take effect on filesystems mounted with the
# usrquota/grpquota options, which this script does not add to /etc/fstab.
# The remounts presumably exist to pick up those options once fstab has
# been edited by hand.

mount -o remount /
mount -o remount /srv
mount -o remount /home

quotacheck -avugm
quotaon -avug

# Basic packages

yast2 -i mc

# Toolchain and utilities needed by the source builds further down
# (pam_mysql, jailkit, rdiff-backup, eAccelerator) plus general admin tools.
yast2 -i findutils readline libgcc glibc-devel findutils-locate gcc flex lynx compat-readline4 db-devel wget gcc-c++ subversion make vim telnet cron iptables iputils man man-pages nano pico

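# Host name

printf '%s\n' "$MY_FULLHOSTNAME" > /etc/HOSTNAME
# Append each hosts entry only once, so re-running the script does not
# accumulate duplicates.
grep -qF "$MY_FULLHOSTNAME" /etc/hosts || printf '127.0.0.2 %s %s\n' "$MY_FULLHOSTNAME" "$MY_HOSTNAME" >> /etc/hosts
# Pins the MyDNS download host to a fixed address (presumably for the rpm
# fetch below). The pin is permanent: if that address is ever reassigned,
# every later lookup of mydns.bboy.net on this machine still goes there.
# Remove the line from /etc/hosts once the install is done.
grep -qF 'mydns.bboy.net' /etc/hosts || printf '69.46.236.210 mydns.bboy.net\n' >> /etc/hosts

export HOST=$MY_FULLHOSTNAME
export HOSTNAME=$MY_FULLHOSTNAME

SuSEconfig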

# Postfix, Courier, Saslauthd, MySQL

yast2 -i postfix postfix-mysql mysql mysql-client
yast2 -i courier-imap courier-authlib courier-authlib-mysql python cron cyrus-sasl cyrus-sasl-crammd5
yast2 -i cyrus-sasl-digestmd5 cyrus-sasl-gssapi cyrus-sasl-otp cyrus-sasl-plain cyrus-sasl-saslauthd libmysqlclient-devel pwgen

# Register the whole mail stack with the init system. fam and
# courier-authdaemon are registered but not started explicitly below.
for svc in mysql postfix saslauthd fam courier-authdaemon courier-pop courier-imap courier-pop-ssl courier-imap-ssl; do
  chkconfig --add "$svc"
done

# Bring the services up now, MySQL first since the others depend on it.
for svc in mysql postfix saslauthd courier-pop courier-imap courier-pop-ssl courier-imap-ssl; do
  /etc/init.d/"$svc" start
done

# getmail

cd /tmp
# Installed straight from the http URLs defined above; this script does no
# checksum or signature verification of them.
rpm -i $GETMAIL_RPM
# --force: overrides any maildrop package already present
rpm --force -i $MAILDROP_RPM

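# pam

yast2 -i pam-devel pam-32bit pam-devel-32bit pam-modules-32bit

# pam_mysql
# Built from an unverified http tarball (PAM_MYSQL_TARGZ). The build steps are
# chained so that a failed cd or configure cannot run "make install" from the
# wrong directory; the script has no "set -e", so it continues either way.

cd /tmp
wget -c "$PAM_MYSQL_TARGZ"
tar xvfz pam_mysql-*.tar.gz
rm -f pam_mysql-*.tar.gz
if cd pam_mysql-*; then
  ./configure && make && make install || echo "pam_mysql build failed" >&2
else
  echo "pam_mysql source directory not found in /tmp" >&2
fi
cd /tmp
rm -rf /tmp/pam_mysql-*

# On 64-bit systems PAM loads modules from /lib64/security, so mirror the
# freshly built module there (the build above left it in /lib/security).
test -d /lib64 && cp /lib/security/pam_mysql* /lib64/security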

# mysql_secure_installation
# Interactive step: type MYSQLROOTPASS as the new root password when asked;
# everything after this point authenticates with that value.

mysql_secure_installation

# Presumably an abandoned attempt to feed the prompts non-interactively;
# left disabled.
#(echo Y; echo $MYSQLROOTPASS; echo $MYSQLROOTPASS; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; ) 

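# amavis, spamassassin, clamav, etc

yast2 -i spamassassin amavisd-new clamav clamav-db zoo unzip unrar bzip2 unarj perl-DBD-mysql

sa-update

# Set $mydomain and $myhostname in /etc/amavisd.conf, i.e. turn
#   $mydomain = 'example.com';
# into
#   $mydomain='<MY_DOMAIN>';
#   $myhostname='<MY_FULLHOSTNAME>';
# The values are interpolated into the sed script, so MY_DOMAIN and
# MY_FULLHOSTNAME must not contain sed metacharacters (/ & \).

sed -i "s/\\\$mydomain = 'example.com';/\\\$mydomain='$MY_DOMAIN';\\n\\\$myhostname='$MY_FULLHOSTNAME';/g" /etc/amavisd.conf

# Correct a path to clamd socket
sed -i 's,/var/run/clamav/clamd,/var/lib/clamav/clamd-socket,g' /etc/amavisd.conf

chkconfig --add amavis
chkconfig --add clamd
/etc/init.d/amavis start
/etc/init.d/clamd start

# Courier IMAP, listen on external ports
# (cleartext IMAP on 143 was opened in the firewall above on purpose)

sed -i 's/^ADDRESS=127.0.0.1/ADDRESS=0/g' /etc/courier/imapd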

# Apache2

yast2 -i apache2 apache2-mod_fcgid

yast2 -i php5-bcmath php5-bz2 php5-calendar php5-ctype php5-curl php5-dom php5-ftp php5-gd php5-gettext php5-gmp php5-iconv php5-imap php5-ldap php5-mbstring php5-mcrypt php5-mysql php5-odbc php5-openssl php5-pcntl php5-pgsql php5-posix php5-shmop php5-snmp php5-soap php5-sockets php5-sqlite php5-sysvsem php5-tokenizer php5-wddx php5-xmlrpc php5-xsl php5-zlib php5-exif php5-fastcgi php5-pear php5-sysvmsg php5-sysvshm ImageMagick curl apache2-mod_php5

rpm -i "$SUPHP_RPM"

# Apache modules used by the ISPConfig setup below.
for mod in suexec deflate rewrite ssl actions suphp fcgid; do
  a2enmod "$mod"
done

# suexec2 has to be setuid root (and owned root:www) for mod_suexec to work.
chown root:www /usr/sbin/suexec2
chmod 4755 /usr/sbin/suexec2

chkconfig --add apache2
/etc/init.d/apache2 start

# PhpMyAdmin
# Installed from PHPMYADMIN_RPM; it is linked into the ISPConfig interface further down.

rpm -i $PHPMYADMIN_RPM

# FTP

yast2 -i pure-ftpd quota


# Loosen the default pure-ftpd restrictions and raise its limits.
sed -i 's/NoRename.*yes/NoRename no/g' /etc/pure-ftpd/pure-ftpd.conf
sed -i 's/AutoRename.*yes/AutoRename no/g' /etc/pure-ftpd/pure-ftpd.conf
# allow users to write dotfiles
sed -i 's/ProhibitDotFilesWrite.*yes/ProhibitDotFilesWrite no/g' /etc/pure-ftpd/pure-ftpd.conf
# passive range must match the 30000:30500 opened in the firewall above
sed -i 's/# PassivePortRange.*30000 50000/PassivePortRange 30000 30500/g' /etc/pure-ftpd/pure-ftpd.conf
sed -i 's/LimitRecursion.*2000 8/LimitRecursion 20000 10/g' /etc/pure-ftpd/pure-ftpd.conf
# uploaded files 640, directories 750: not readable by other users
sed -i 's/^Umask\ *.*$/Umask 137:027/' /etc/pure-ftpd/pure-ftpd.conf
sed -i 's/^MaxClientsNumber\ *10$/MaxClientsNumber 256/' /etc/pure-ftpd/pure-ftpd.conf
sed -i 's/^MaxClientsPerIP\ *3$/MaxClientsPerIP 16/' /etc/pure-ftpd/pure-ftpd.conf


chkconfig --add pure-ftpd
/etc/init.d/pure-ftpd start

# MyDNS
# MYDNS_RPM is an i386 build installed with --force; the mydns.bboy.net
# entry added to /etc/hosts earlier was presumably needed for this download.

rpm -ivh --force $MYDNS_RPM


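# MyDNS script
# Writes a SUSE/LSB init script for mydns based on the stock SUSE template.
# The here-document is unquoted, so every "$" that must reach the file is
# written as "\$"; only MYDNS_BIN and the rc_* helpers from /etc/rc.status
# are referenced inside.

cat > /etc/init.d/mydns <<EOFMARKER
#! /bin/sh
# Copyright (c) 1995-2004 SUSE Linux AG, Nuernberg, Germany.
# All rights reserved.
#
# Author: Kurt Garloff
# Please send feedback to http://www.suse.de/feedback/
#
# /etc/init.d/mydns
#   and its symbolic link
# /(usr/)sbin/rcmydns
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, write to the Free Software
#    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# Template system startup script for some example service/daemon mydns
#
# LSB compatible service control script; see http://www.linuxbase.org/spec/
#
# Note: This template uses functions rc_XXX defined in /etc/rc.status on
# UnitedLinux (UL) based Linux distributions. If you want to base your
# script on this template and ensure that it works on non UL based LSB
# compliant Linux distributions, you either have to provide the rc.status
# functions from UL or change the script to work without them.
#
### BEGIN INIT INFO
# Provides:          mydns
# Required-Start:    \$syslog \$remote_fs mysql
# Should-Start: \$time ypbind sendmail
# Required-Stop:     \$syslog \$remote_fs
# Should-Stop: \$time ypbind sendmail
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: MyDNS name server
# Description:       Start mydns, the MySQL-backed DNS server
### END INIT INFO
#
# Any extensions to the keywords given above should be preceeded by
# X-VendorTag- (X-UnitedLinux- X-SuSE- for us) according to LSB.
#
# Notes on Required-Start/Should-Start:
# * There are two different issues that are solved by Required-Start
#    and Should-Start
# (a) Hard dependencies: This is used by the runlevel editor to determine
#     which services absolutely need to be started to make the start of
#     this service make sense. Example: nfsserver should have
#     Required-Start: \$portmap
#     Also, required services are started before the dependent ones.
#     The runlevel editor will warn about such missing hard dependencies
#     and suggest enabling. During system startup, you may expect an error,
#     if the dependency is not fulfilled.
# (b) Specifying the init script ordering, not real (hard) dependencies.
#     This is needed by insserv to determine which service should be
#     started first (and at a later stage what services can be started
#     in parallel). The tag Should-Start: is used for this.
#     It tells, that if a service is available, it should be started
#     before. If not, never mind.
# * When specifying hard dependencies or ordering requirements, you can
#   use names of services (contents of their Provides: section)
#   or pseudo names starting with a \$. The following ones are available
#   according to LSB (1.1):
#       \$local_fs               all local file systems are mounted
#                               (most services should need this!)
#       \$remote_fs              all remote file systems are mounted
#                               (note that /usr may be remote, so
#                                many services should Require this!)
#       \$syslog                 system logging facility up
#       \$network                low level networking (eth card, ...)
#       \$named                  hostname resolution available
#       \$netdaemons             all network daemons are running
#   The \$netdaemons pseudo service has been removed in LSB 1.2.
#   For now, we still offer it for backward compatibility.
#   These are new (LSB 1.2):
#       \$time                   the system time has been set correctly
#       \$portmap                SunRPC portmapping service available
#   UnitedLinux extensions:
#       \$ALL                    indicates that a script should be inserted
#                               at the end
# * The services specified in the stop tags
#   (Required-Stop/Should-Stop)
#   specify which services need to be still running when this service
#   is shut down. Often the entries there are just copies or a subset
#   from the respective start tag.
# * Should-Start/Stop are now part of LSB as of 2.0,
#   formerly SUSE/Unitedlinux used X-UnitedLinux-Should-Start/-Stop.
#   insserv does support both variants.
# * X-UnitedLinux-Default-Enabled: yes/no is used at installation time
#   (%fillup_and_insserv macro in %post of many RPMs) to specify whether
#   a startup script should default to be enabled after installation.
#   It's not used by insserv.
#
# Note on runlevels:
# 0 - halt/poweroff                     6 - reboot
# 1 - single user                       2 - multiuser without network exported
# 3 - multiuser w/ network (text mode)  5 - multiuser w/ network and X11 (xdm)
#
# Note on script names:
# http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB/scrptnames.html
# A registry has been set up to manage the init script namespace.
# http://www.lanana.org/
# Please use the names already registered or register one or use a
# vendor prefix.


# Check for missing binaries (stale symlinks should not happen)
# Note: Special treatment of stop for LSB conformance
MYDNS_BIN=/usr/sbin/mydns
test -x \$MYDNS_BIN || { echo "\$MYDNS_BIN not installed";
        if [ "\$1" = "stop" ]; then exit 0;
        else exit 5; fi; }

# Check for existence of needed config file and read it
#MYDNS_CONFIG=/etc/sysconfig/mydns
#test -r \$MYDNS_CONFIG || { echo "\$MYDNS_CONFIG not existing";
#       if [ "\$1" = "stop" ]; then exit 0;
#       else exit 6; fi; }


# Read config
#. \$MYDNS_CONFIG

# Source LSB init functions
# providing start_daemon, killproc, pidofproc,
# log_success_msg, log_failure_msg and log_warning_msg.
# This is currently not used by UnitedLinux based distributions and
# not needed for init scripts for UnitedLinux only. If it is used,
# the functions from rc.status should not be sourced or used.
#. /lib/lsb/init-functions

# Shell functions sourced from /etc/rc.status:
#      rc_check         check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v     be verbose in local rc status and clear it afterwards
#      rc_status -v -r  ditto and clear both the local and overall rc status
#      rc_status -s     display "skipped" and exit with status 3
#      rc_status -u     display "unused" and exit with status 3
#      rc_failed        set local and overall rc status to failed
#      rc_failed <num>  set local and overall rc status to <num>
#      rc_reset         clear both the local and overall rc status
#      rc_exit          exit appropriate to overall rc status
#      rc_active        checks whether a service is activated by symlinks
. /etc/rc.status

# Reset status of this service
rc_reset

# Return values acc. to LSB for all commands but status:
# 0       - success
# 1       - generic or unspecified error
# 2       - invalid or excess argument(s)
# 3       - unimplemented feature (e.g. "reload")
# 4       - user had insufficient privileges
# 5       - program is not installed
# 6       - program is not configured
# 7       - program is not running
# 8--199  - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signaling is not supported) are
# considered a success.

case "\$1" in
    start)
        echo -n "Starting mydns "
        ## Start daemon with startproc(8). If this fails
        ## the return value is set appropriately by startproc.
        startproc \$MYDNS_BIN

        # Remember status and be verbose
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down mydns "
        ## Stop daemon with killproc(8) and if this fails
        ## killproc sets the return value according to LSB.

        killproc -TERM \$MYDNS_BIN

        # Remember status and be verbose
        rc_status -v
        ;;
    try-restart|condrestart)
        ## Do a restart only if the service was active before.
        ## Note: try-restart is now part of LSB (as of 1.9).
        ## RH has a similar command named condrestart.
        if test "\$1" = "condrestart"; then
                echo "\${attn} Use try-restart \${done}(LSB)\${attn} rather than condrestart \${warn}(RH)\${norm}"
        fi
        \$0 status
        if test \$? = 0; then
                \$0 restart
        else
                rc_reset        # Not running is not a failure.
        fi
        # Remember status and be quiet
        rc_status
        ;;
    restart)
        ## Stop the service and regardless of whether it was
        ## running or not, start it again.
        \$0 stop
        \$0 start

        # Remember status and be quiet
        rc_status
        ;;
    force-reload)
        ## Signal the daemon to reload its config. Most daemons
        ## do this on signal 1 (SIGHUP).
        ## If it does not support it, restart.

        echo -n "Reload service mydns "
        ## if it supports it:
        killproc -HUP \$MYDNS_BIN
        #touch /var/run/mydns.pid
        rc_status -v

        ## Otherwise:
        #\$0 try-restart
        #rc_status
        ;;
    reload)
        ## Like force-reload, but if daemon does not support
        ## signaling, do nothing (!)

        # If it supports signaling:
        echo -n "Reload service mydns "
        killproc -HUP \$MYDNS_BIN
        #touch /var/run/mydns.pid
        rc_status -v

        ## Otherwise if it does not support reload:
        #rc_failed 3
        #rc_status -v
        ;;
    status)
        echo -n "Checking for service mydns "
        ## Check status with checkproc(8), if process is running
        ## checkproc will return with exit status 0.

        # Return value is slightly different for the status command:
        # 0 - service up and running
        # 1 - service dead, but /var/run/  pid  file exists
        # 2 - service dead, but /var/lock/ lock file exists
        # 3 - service not running (unused)
        # 4 - service status unknown :-(
        # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)

        # NOTE: checkproc returns LSB compliant status values.
        checkproc \$MYDNS_BIN
        # NOTE: rc_status knows that we called this init script with
        # "status" option and adapts its messages accordingly.
        rc_status -v
        ;;
    probe)
        ## Optional: Probe for the necessity of a reload, print out the
        ## argument to this init script which is required for a reload.
        ## Note: probe is not (yet) part of LSB (as of 1.9)

        test /etc/mydns/mydns.conf -nt /var/run/mydns.pid && echo reload
        ;;
    *)
        echo "Usage: \$0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
        exit 1
        ;;
esac
rc_exit
EOFMARKER

chmod 755 /etc/init.d/mydns
chkconfig --add mydns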

# VLOGGER and WEBALIZER
# vlogger is dropped into /usr/sbin straight out of an unverified http tarball.

cd /tmp
wget -c $VLOGGER_TARGZ
tar xvfz vlogger-*.tar.gz
rm -f vlogger-*.tar.gz
mv vlogger-*/vlogger /usr/sbin/
rm -rf vlogger*

yast2 -i webalizer perl-DateManip

# Fail2ban
# FAIL2BAN_RPM comes from a personal (home:) OBS repository built for
# openSUSE 11.1, not from an official 11.2 package.

rpm -i $FAIL2BAN_RPM

chkconfig --add fail2ban
service fail2ban start

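# Jailkit
# Built from an unverified http tarball (JAILKIT_TARGZ). As with pam_mysql,
# the build steps are chained so a failed cd or configure cannot run
# "make install" from the wrong directory; the script continues regardless.

cd /tmp
wget -c "$JAILKIT_TARGZ"
tar xvfz jailkit-*.tar.gz
rm -f jailkit-*.tar.gz
if cd jailkit-*; then
  ./configure && make && make install || echo "jailkit build failed" >&2
else
  echo "jailkit source directory not found in /tmp" >&2
fi
cd /tmp
rm -rf jailkit-*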

# Synchronize system clock
# Remove this, if you are inside XENU
# (presumably because a Xen domU gets its clock from dom0)

yast2 -i xntp

chkconfig --add ntp
/etc/init.d/ntp start

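# ISPCONFIG
# The installer is driven non-interactively: blank lines accept the defaults,
# the third answer is the fully qualified host name and the sixth the MySQL
# root password. The order presumably matches the 3.0.2.1 installer; re-check
# it whenever ISPCONFIG_TAR_GZ is changed. The password travels through a
# pipe, not argv, so it is not visible in the process list.

cd /tmp
wget -c "$ISPCONFIG_TAR_GZ"
tar xvfz ISPConfig-*.tar.gz
if cd ispconfig3_install/install/; then
  (echo; echo; echo "$MY_FULLHOSTNAME"; echo; echo; echo "$MYSQLROOTPASS"; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; ) | php -q install.php
else
  echo "ISPConfig installer directory not found in /tmp" >&2
fi

cd /tmp
rm -rf /tmp/ispconfig3_install
rm -f /tmp/ISPConfig-*.tar.gz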

# Squirrelmail 

rpm -i $SQUIRRELMAIL_RPM
# Expose webmail under the ISPConfig interface
ln -s /srv/www/htdocs/squirrelmail /usr/local/ispconfig/interface/web/webmail

# Symlink
# Same for phpMyAdmin

ln -s /srv/www/htdocs/phpMyAdmin /usr/local/ispconfig/interface/web/phpmyadmin

# Switch the system locale from UTF-8 to ISO-8859-1 (reason not recorded)
sed -i 's/\"en_US\.UTF-8/\"en_US\.ISO-8859-1/g' /etc/sysconfig/language

# Add an x-httpd-suphp handler next to the existing x-httpd-php one in suphp.conf,
# both pointing at the same php-cgi5 binary
sed -i 's/x\-httpd\-php\=\"php\:\/usr\/bin\/php\-cgi5\"/x-httpd-php="php:\/usr\/bin\/php-cgi5"\nx-httpd-suphp="php:\/usr\/bin\/php-cgi5"/g' /etc/suphp.conf

SuSEconfig

# Updates ISPConfig from svn; answer 'svn' when asked for the update type
# (see the header of this script).
/usr/local/bin/ispconfig_update_from_svn.sh

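# Apache certificate for the ISPConfig interface: a 4096-bit key and a
# self-signed certificate valid for 3650 days. The key is generated encrypted,
# a decrypted copy is installed as server.key, and the encrypted original is
# kept as server.key.secure. The throwaway passphrase is handed to openssl via
# the environment (env:KEYPASS) rather than argv, so it does not appear in
# the process list; it is derived from MYSQLROOTPASS as before.
KEYPASS="0passphrase$MYSQLROOTPASS"
export KEYPASS
openssl genrsa -passout env:KEYPASS -des3 -out /etc/apache2/ssl.key/server.key 4096
# 15 blank answers accept the openssl req defaults for the CSR subject
(echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;) | openssl req -passin env:KEYPASS -new -key /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.csr/server.csr
openssl x509 -passin env:KEYPASS -req -days 3650 -in /etc/apache2/ssl.csr/server.csr -signkey /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.crt/server.crt
openssl rsa -passin env:KEYPASS -in /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.key/server.key.insecure
unset KEYPASS
mv /etc/apache2/ssl.key/server.key /etc/apache2/ssl.key/server.key.secure
mv /etc/apache2/ssl.key/server.key.insecure /etc/apache2/ssl.key/server.key
a2enmod ssl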

# Enable SSL on the ISPConfig interface vhost (port 8080) with the
# certificate and key generated above.
sed -i 's/.VirtualHost _default_\:8080./\<VirtualHost _default_\:8080\>\nSSLEngine On\nSSLCertificateFile \/etc\/apache2\/ssl.crt\/server.crt\nSSLCertificateKeyFile \/etc\/apache2\/ssl.key\/server.key/g' /etc/apache2/sites-available/ispconfig.vhost

# Wider DirectoryIndex list for hosted sites
sed -i 's/DirectoryIndex index.html index.html.var/DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php5 index.php4 index.php3 index.pl index.html.var index.aspx default.aspx/g' /etc/apache2/httpd.conf

# enable named hosts
sed -i 's/^#NameVirtualHost \*\:80$/NameVirtualHost *:80/g' /etc/apache2/listen.conf

# Disable the global /error/ alias (reason not recorded)
sed -i 's,^Alias /error/,#Alias /error/,' /etc/apache2/errors.conf

# Raise the PHP execution time and upload limits in every SAPI's php.ini
# (apache2, cli and fastcgi get identical changes).
for sapi in apache2 cli fastcgi; do
  ini=/etc/php5/$sapi/php.ini
  sed -i 's/max_execution_time = 30/max_execution_time = 120/' "$ini"
  sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 32M/' "$ini"
  sed -i 's/post_max_size = 8M/post_max_size = 32M/' "$ini"
done

rcapache2 restart

# postfix certificate
# Self-signed certificate (3650 days) for the SMTP service. It reuses
# /etc/postfix/smtpd.key, which is assumed to exist already — no key is
# generated here. The 15 blank answers accept the openssl req defaults.

(echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;echo;) | openssl req -new -key /etc/postfix/smtpd.key -out /etc/postfix/smtpd.csr
openssl x509 -req -days 3650 -in /etc/postfix/smtpd.csr -signkey /etc/postfix/smtpd.key -out /etc/postfix/smtpd.cert

# Keep the csr/cert from other users; smtpd.key's permissions are left as found.
chmod o-rwx /etc/postfix/smtpd.csr
chmod o-rwx /etc/postfix/smtpd.cert

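# rdiff-backup
# Built from an unverified http tarball (RDIFF_BACKUP_TARGZ). Note the
# absolute "cd /tmp": the relative "tmp" does not exist under /tmp, where the
# previous section leaves the shell.

yast2 -i python-devel librsync

cd /tmp
wget -c "$RDIFF_BACKUP_TARGZ"
tar xfz rdiff-backup-*.tar.gz
rm -f rdiff-backup-*.tar.gz
if cd rdiff-backup-*; then
  ./setup.py install || echo "rdiff-backup install failed" >&2
else
  echo "rdiff-backup source directory not found in /tmp" >&2
fi
cd /tmp
rm -rf rdiff-backup-*

yast2 -i iptraf iftop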

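# create backup script

mkdir /backup
chown root:root /backup

mkdir /srvbackup_do
chown root:root /srvbackup_do
chmod og-rwx /srvbackup_do

# MySQL credentials for the nightly job live in a root-only option file that
# is passed with --defaults-extra-file, so the password is neither baked into
# the backup script nor visible in the process list while the job runs.
# A password containing '#' or quotes must be quoted in this file.
cat > /srvbackup_do/.my.cnf <<EOFMARKER5
[client]
user=root
password=$MYSQLROOTPASS
EOFMARKER5
chown root:root /srvbackup_do/.my.cnf
chmod 600 /srvbackup_do/.my.cnf

# Nightly job: flush and repair MySQL, dump all databases next to the script,
# then rdiff-backup the whole system (minus volatile trees) into /backup.
# The here-document is unquoted so MY_FULLHOSTNAME is expanded at write time.
cat > /srvbackup_do/dobackup.sh <<EOFMARKER2
#!/bin/bash

cd /srvbackup_do || exit 1
sync
mysqladmin --defaults-extra-file=/srvbackup_do/.my.cnf refresh
mysqlcheck --defaults-extra-file=/srvbackup_do/.my.cnf -A --auto-repair
mysqldump --defaults-extra-file=/srvbackup_do/.my.cnf --all-databases >mysqldump.sql
chmod og-rw mysqldump.sql
/usr/local/bin/rdiff-backup --preserve-numerical-ids --exclude /tmp --exclude /backup --exclude /mnt --exclude /proc --exclude /dev --exclude /sys --exclude /var/lib/ntp/proc --exclude /media --exclude /var/tmp / /backup/$MY_FULLHOSTNAME
EOFMARKER2

chown root:root /srvbackup_do/dobackup.sh
chmod og-rwx /srvbackup_do/dobackup.sh
chmod u+x /srvbackup_do/dobackup.sh

# Register the cron entry only once so re-running the script does not
# schedule the job several times.
grep -qF '/srvbackup_do/dobackup.sh' /var/spool/cron/tabs/root 2>/dev/null || echo '51 3 * * * /srvbackup_do/dobackup.sh >> /var/log/backuplog 2>&1' >>/var/spool/cron/tabs/root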

# Fail2ban config
# Filter for POP3/IMAP login failures, used by the dovecot-pop3imap jail
# below. NOTE(review): the regex matches dovecot's "pop3-login|imap-login"
# log format, while this script installs courier-imap; confirm the filter
# ever matches anything on this server.

cat > /etc/fail2ban/filter.d/dovecot-pop3imap.conf <<EOFMARKER4
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
EOFMARKER4


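# Replace the packaged jail.conf with our own (the original is kept as
# jail.conf.def). All jails read from /var/log/messages, /var/log/mail or the
# Apache logs. The courier-imap jail blocks the POP3/IMAP ports, like the
# dovecot-pop3imap jail next to it; it previously banned on port ftp only.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.def
cat > /etc/fail2ban/jail.conf <<EOFMARKER3
# Fail2Ban configuration file

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto


# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/messages
maxretry = 5

[ssh-ddos-iptables]

enabled  = true
filter   = sshd-ddos
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/messages
maxretry = 5


[proftpd-iptables]

enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
logpath  = /var/log/messages
maxretry = 6

[pure-ftpd-iptables]

enabled  = true
filter   = pure-ftpd
action   = iptables[name=PureFTPD, port=ftp, protocol=tcp]
logpath  = /var/log/messages
maxretry = 6

[courier-imap-iptables]

enabled  = true
filter   = courierlogin
action   = iptables-multiport[name=CourierIMAP, port="pop3,imap,pop3s,imaps", protocol=tcp]
logpath  = /var/log/messages
maxretry = 6

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap,pop3s,imaps", protocol=tcp]
logpath = /var/log/mail
maxretry = 6


# This jail forces the backend to "polling".

[sasl-iptables]

enabled  = true
filter   = sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
logpath  = /var/log/mail

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled     = true
filter      = sshd
action      = hostsdeny
ignoreregex = for myuser from
logpath     = /var/log/messages

[ssh-ddos-tcpwrapper]

enabled     = true
filter      = sshd-ddos
action      = hostsdeny
ignoreregex = for myuser from
logpath     = /var/log/messages


# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]

enabled  = true
filter	 = apache-auth
action   = hostsdeny
logpath  = /var/log/apache2/error_log
maxretry = 6

# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.

[postfix-tcpwrapper]

enabled  = true
filter   = postfix
action   = hostsdeny
logpath  = /var/log/mail
bantime  = 300

# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.

[apache-badbots]

enabled  = true
filter   = apache-badbots
action   = iptables[name=BadBots1, port=http,  protocol=tcp]
           iptables[name=BadBots2, port=https, protocol=tcp]
logpath  = /var/log/apache2/access_log
bantime  = 172800
maxretry = 1

[php-url-fopen]

enabled = false
port    = http,https
filter  = php-url-fopen
logpath = /var/log/apache2/access_log
maxretry = 1

EOFMARKER3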

# Ensure fail2ban recreates a socket file
# Because otherwise after a server crash, fail2ban won't restart
# (-x makes fail2ban-client remove a stale server socket before starting)

sed -i 's/-q start/-x -q start/' /etc/init.d/fail2ban

# Fix pure-ftpd regexp
# Rewrites the <HOST> part of the packaged pure-ftpd filter so the
# parentheses and "?" are matched literally, presumably to fit the
# "(?@host)" form of this pure-ftpd's log lines.

sed -i 's/[)][?]: [(][.][+][?]@<HOST>[)] \\\[/)\?: \\(.+?@<HOST>\\) \\[/' /etc/fail2ban/filter.d/pure-ftpd.conf

service fail2ban restart

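# Install AWSTATS

rpm -ivh "$AWSTATS_RPM"

cp /etc/awstats/awstats.web.conf /etc/awstats/awstats.conf
# Comment out the <IfDefine> guard so the awstats Apache config is always active
sed -i 's,^<IfDefine,#<IfDefine,'  /etc/apache2/conf.d/awstats.conf
sed -i 's,^</IfDefine,#</IfDefine,'  /etc/apache2/conf.d/awstats.conf

rcapache2 restart

# Point the ISPConfig "server" record at the awstats paths: dump the table,
# patch the serialized config in the dump, load it back. The root password is
# passed through MYSQL_PWD instead of -p on the command line, so it is not
# visible in the process list, and the dump goes to a mktemp file (created
# mode 600) rather than a fixed, world-readable /tmp/server.sql — the server
# record may hold configuration values other local users should not read.
MYSQL_PWD=$MYSQLROOTPASS
export MYSQL_PWD

mysqladmin refresh

if SERVER_SQL=$(mktemp /tmp/server.XXXXXX); then
  mysqldump -u root dbispconfig server >"$SERVER_SQL"

  sed -i 's,\\nawstats_data_dir=[^\\]*\\n,\\nawstats_data_dir=/var/cache/awstats\\n,' "$SERVER_SQL"
  sed -i 's,\\nawstats_pl=[^\\]*\\n,\\nawstats_pl=/srv/www/cgi-bin/awstats.pl\\n,' "$SERVER_SQL"
  sed -i 's,\\nawstats_buildstaticpages_pl=[^\\]*\\n,\\nawstats_buildstaticpages_pl=/usr/share/doc/packages/awstats/examples/awstats_buildstaticpages.pl\\n,' "$SERVER_SQL"

  mysql -u root dbispconfig <"$SERVER_SQL"

  rm -f "$SERVER_SQL"
else
  echo "could not create a temporary file for the ISPConfig server dump" >&2
fi
unset MYSQL_PWD

#sed -i 's,^#LoadPlugin=\"geoipfree\",LoadPlugin=\"geoipfree\",' /etc/awstats/awstats.conf
# Raise every "Max... = 10" setting to 25 and drop the external stylesheet
sed -i 's,^Max\([^=]*\)= 10$,Max\1= 25,' /etc/awstats/awstats.conf
sed -i 's,^StyleSheet=\"[^\"]*\",StyleSheet=\"\",' /etc/awstats/awstats.conf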

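# Install eAccelerator
# Built from an unverified http tarball (EACCELERATOR_TARGZ). The build steps
# are chained so a failed cd or configure cannot run "make install" from the
# wrong directory; the script continues regardless.

yast2 -i php5-devel

cd /tmp
wget "$EACCELERATOR_TARGZ"
tar xvfj eaccelerator-*.bz2
rm -f eaccelerator-*.bz2
if cd eaccelerator-*; then
  phpize
  # the flag is specified to prevent openbasedir limitations with ispconfig
  ./configure --without-eaccelerator-use-inode && make && make install || echo "eaccelerator build failed" >&2
else
  echo "eaccelerator source directory not found in /tmp" >&2
fi

# back to /tmp explicitly rather than "cd .." so the cleanup below runs in
# the right place even if the cd above failed
cd /tmp
rm -rf eaccelerator-*

cat > /etc/php5/conf.d/eaccelerator.ini <<EOFMARKER4
extension="eaccelerator.so"
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/var/cache/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
EOFMARKER4

# The cache directory is made world-writable, presumably because PHP runs
# as different per-site users under suphp/fcgid and each must write here.
# NOTE(review): 1777 (sticky bit) would stop users removing each other's
# cache files — confirm eAccelerator works with it before changing.
mkdir -p /var/cache/eaccelerator
chmod 0777 /var/cache/eaccelerator

rcapache2 restart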

# adjust postfix interfaces
# Accept SMTP on all interfaces instead of only localhost (port 25 was
# opened in the firewall above).

sed -i 's/^inet_interfaces = localhost/inet_interfaces = all/g' /etc/postfix/main.cf

rcpostfix restart

# enable maildrop filters
# Activates ISPConfig's maildrop plugin by linking it into plugins-enabled

ln -s /usr/local/ispconfig/server/plugins-available/maildrop_plugin.inc.php /usr/local/ispconfig/server/plugins-enabled/maildrop_plugin.inc.php
