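#!/bin/sh
#######################################################################
#Script Name: da_setup_bsd.sh
#Version: 1.6
#Description: Wrapper for installing Da server
#Last Modify Date: 03102021
#Author:Brent Dacus
#Email:brent[at]thedacus[dot]net
#######################################################################
# Banner #
#######################################################################
export COLUMNS=100

# Print the ASCII banner and the author line.
# NOTE(review): the banner art was flattened onto one line in the reviewed
# copy; the original layout is not recoverable from here, so it is kept as found.
dasetup_banner() {
  cat <<"eot"
ad88888ba d8" "8b ,d DdadPPYba, Y8, 88 HH 8b ,dPPYba, `Y8aaaaa, ,adPPYba, MM88MMM 88 88 8b,dPPYba, a8 44 88P' "8a `"""""8b, a8P_____88 88 88 88 88P' "8a 8b 55 88 d8 `8b 8PP""""""" 88 88 88 88 d8 D8 aa 88 'b8 Y8a a8P "8b, ,aa 88, "8a, ,a88 88b, ,a8" TTTYbbd8"' `lLYbbdP''ag "Y88888P" `"Ybbd8"' "Y888 `"YbbdP'Y8 88`YbbdP"' 88 88
eot
  cat <<"eot"
Author: Brent Dacus
eot
}

#######################################################################
# Variables #
#######################################################################
cur_hostname="$(hostname)"
# First non-loopback IPv4 address reported by ifconfig.
serverip="$(ifconfig | grep -E 'inet.[0-9]' | grep -v '127.0.0.1' | awk 'NR==1{ print $2}')"
servername="$(hostname -s)"
svrdomainname="$(hostname -d)"
os=$(uname)
# Major release number, e.g. "12" from "FreeBSD 12.2-RELEASE ...".
vn=$(uname -v | tr -dc '0-9.' | cut -d \. -f1)
rootemail="tech@delainhosting.com"
# Core count feeds "pigz" below; fall back to 1 if sysctl gives nothing.
cpu_cores=$(/sbin/sysctl -n hw.ncpu)
[ -n "$cpu_cores" ] || cpu_cores=1
logfile=/root/install.log
builddir=~/dasetupbuild/
dadir=/usr/local/directadmin
datpldir=/usr/local/directadmin/data/templates/custom
datadmdir=/usr/local/directadmin/data/admin
cbblddir=/usr/local/directadmin/custombuild
daconfile=/usr/local/directadmin/conf/directadmin.conf
da=/usr/local/directadmin/directadmin
cb=/usr/local/directadmin/custombuild/build
export DA_EMAIL="tech@delainhosting.com"

#######################################################################
# Main #
#######################################################################
mkdir -p ~/dasetupbuild/
trap '' 2 # ignore ctrl+c
##set PS3 prompt##
PS3="Number selection? "

# Print a full-width rule of dashes.
linebreak() {
  printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' -
}

# Print a random alphanumeric password of $1 characters (default: a random
# length between 10 and 16, chosen by perl).
# NOTE(review): the input redirection on the tr line was missing in the
# reviewed text (only "/dev/null" survived); /dev/urandom is the usual source
# for this idiom -- confirm against the original.
random_pass() {
  rpc=${1:-$(perl -le 'print int rand(7) + 10')}
  tr -cd 'a-za-z0-9' </dev/urandom 2>/dev/null | head -c"${rpc}"
}

# Ask whether to reboot now; default answer is "n".
doreboot() {
  printf "Need to reboot? (y/n)? "
  read -r yn
  yn=${yn:-n}
  case "$yn" in
  [Yy]*) reboot ;;
  [Nn]*) ;;
  esac
}

# ------------------------------------------------------------------------------#
# Install Functions #
# ------------------------------------------------------------------------------#

# Install base packages, create a wheel-group admin user and set up the csh
# profiles for that user and for root.
addadminuser() {
  printf "Installing Standard packages.\n"
  printf "Please Wait.\n"
  pkg install -y perl5 wget curl nano bash >/dev/null
  printf "Add an admin user? Enter username [bdacus01]:"
  read -r admuser
  admuser=${admuser:-bdacus01}
  # "user:" anchors on the passwd field separator (portable across grep flavours).
  if grep -q "^${admuser}:" /etc/passwd; then
    printf "User found: %s\n" "$admuser"
  else
    # Draw the password once so the account, the console message and
    # pass.txt all hold the same value (calling random_pass three times
    # produced three different passwords).
    newpass=$(random_pass)
    printf '%s\n' "$newpass" | pw user add "$admuser" -m -s /bin/tcsh -G wheel -h 0
    echo "Created admin user" "$admuser" "with" "$newpass" "."
    printf '%s\n' "$newpass" >/home/"${admuser}"/pass.txt
    # Plaintext credential on disk: keep it readable by the owner only.
    chmod 600 /home/"${admuser}"/pass.txt
  fi
  printf "Done.\n"
  # The heredoc below is quoted, so its first line is written literally as
  # "#User $admuser Config"; test for that exact text so reruns do not append
  # the block a second time.
  if ! grep -qF -- '#User $admuser Config' /home/"$admuser"/.cshrc; then
    printf 'C shell profile not set up. adding...\n'
    #-----------------------------------------------------------------------------#
    # Set your hostfile info inside the eol #
    #----------------------------------------------------------------------------
    # BSD sed needs an explicit (empty) backup suffix; "-i -e" would take
    # "-e" as the suffix and leave a ".cshrc-e" copy behind.
    sed -i '' -e 's/.*EDITOR.*/setenv EDITOR nano/g' /home/"$admuser"/.cshrc
    cat <<"eol" >>/home/"$admuser"/.cshrc
#User $admuser Config
alias rm rm -i
alias cp cp -i
alias mv mv -i
alias df df -achT
set daconf = /usr/local/directadmin/conf/directadmin.conf
set cbconf = /usr/local/directadmin/custombuild/options.conf
alias da /usr/local/directadmin/directadmin
alias dadir cd /usr/local/directadmin/
alias dashdir cd /usr/local/directadmin/scripts
alias cbdir cd /usr/local/directadmin/custombuild
alias cb /usr/local/directadmin/custombuild/build
alias cbconfig /usr/local/directadmin/custombuild/build used_configs
alias cbopts /usr/local/directadmin/custombuild/build options
alias cbhelp /usr/local/directadmin/custombuild/build opt_help full
alias cbvers /usr/local/directadmin/custombuild/build versions
alias mysqladmin mysqladmin --defaults-extra-file=/usr/local/directadmin/conf/my.cnf
alias mysqldump mysqldump --defaults-extra-file=/usr/local/directadmin/conf/my.cnf
alias mysql mysql --defaults-extra-file=/usr/local/directadmin/conf/my.cnf
alias lh 'history |grep '
alias la ls -abFG
alias lc ls -bCG
alias ll ls -abhlG
alias lr ls -bRG
alias doserver 'curl -o da_setup_bsd.sh -L https://files.delaintech.com/da_setup_bsd.sh && bash da_setup_bsd.sh'
eol
    printf "Print Profile File.\n"
    cat /home/"$admuser"/.cshrc
    printf "Done."
  else
    printf "Profile already setup.\n"
  fi
  # Only append the EDITOR lines once per profile.
  if ! grep -q '^EDITOR=nano' /home/"$admuser"/.profile 2>/dev/null; then
    printf 'Shell profile not set up. adding Editor...\n'
    printf "EDITOR=nano\nexport EDITOR\n" | tee -a /home/"$admuser"/.profile
  fi
  # "daconf" is set by the heredoc below, so its presence marks a done profile.
  if ! grep -q daconf /root/.cshrc; then
    printf 'C shell profile not set up. adding...\n'
    #-----------------------------------------------------------------------------#
    # Set your hostfile info inside the eol #
    #----------------------------------------------------------------------------
    sed -i '' -e 's/.*EDITOR.*/setenv EDITOR nano/g' /root/.cshrc
    cat <<"eol" >>/root/.cshrc
alias rm rm -i
alias cp cp -i
alias mv mv -i
alias df df -achT
set daconf = /usr/local/directadmin/conf/directadmin.conf
set cbconf = /usr/local/directadmin/custombuild/options.conf
alias da /usr/local/directadmin/directadmin
alias dadir cd /usr/local/directadmin/
alias dashdir cd /usr/local/directadmin/scripts
alias cbdir cd /usr/local/directadmin/custombuild
alias cb /usr/local/directadmin/custombuild/build
alias cbconfig /usr/local/directadmin/custombuild/build used_configs
alias cbopts /usr/local/directadmin/custombuild/build options
alias cbhelp /usr/local/directadmin/custombuild/build opt_help full
alias cbvers /usr/local/directadmin/custombuild/build versions
alias mysqladmin mysqladmin --defaults-extra-file=/usr/local/directadmin/conf/my.cnf
alias mysqldump mysqldump --defaults-extra-file=/usr/local/directadmin/conf/my.cnf
alias mysql mysql --defaults-extra-file=/usr/local/directadmin/conf/my.cnf
alias lh 'history |grep '
alias la ls -abFG
alias lc ls -bCG
alias ll ls -abhlG
alias lr ls -bRG
alias doserver 'curl -o da_setup_bsd.sh -L https://files.delaintech.com/da_setup_bsd.sh && bash da_setup_bsd.sh'
eol
    printf "Print Profile File.\n"
    cat /root/.cshrc
    printf "Done.\n"
  else
    printf "Profile already setup. See Below.\n"
    cat /root/.cshrc
  fi
  if ! grep -q '^EDITOR=nano' /root/.profile 2>/dev/null; then
    printf 'Shell profile not set up. adding Editor...\n'
    printf "EDITOR=nano\nexport EDITOR\n" | tee -a /root/.profile
  fi
  # The command sets csh (the old message said "sh").
  printf "Set shell as csh for Root. See Below.\n"
  pw user mod root -s /bin/csh
  linebreak
  pw user show root
}

# Set the system timezone unless /var/db/zoneinfo already names it.
settimezone() {
  printf "What TimeZone are you in? [America/Chicago]: "
  read -r tmzone
  tmzone=${tmzone:-America/Chicago}
  if grep -E "^$tmzone" /var/db/zoneinfo >/dev/null; then
    printf "%s found\n" "$tmzone"
  else
    tzsetup "$tmzone"
  fi
  printf "We set timezone as: "
  cat /var/db/zoneinfo
  printf "Done.\n"
}

# Append the fixed set of host entries below unless this host's domain is
# already present in /etc/hosts.
creathostfile() {
  # does the Host already exist?
  # Quoted and fixed-string: an empty or dotted domain must not become a regex
  # (unquoted and empty it would have made grep read stdin).
  if ! grep -qF -- "${svrdomainname}" /etc/hosts; then
    printf 'Hostfile not found. adding...\n'
    #-----------------------------------------------------------------------------#
    # Set your hostfile info inside the eol #
    #----------------------------------------------------------------------------
    cat <<"eol" >>/etc/hosts
209.126.81.64 apollo.delainhosting.com apollo
209.145.52.110 athena.delainhosting.com athena
144.91.108.77 thor.delainhosting.com thor
116.202.102.0 saturn.delainhosting.com saturn
eol
    printf "Print Host File.\n"
    cat /etc/hosts
    printf "Done.\n"
  else
    printf "Hostfile exsits.\nSee Below.\n"
    cat /etc/hosts
  fi
}

#-----------------------------------------------------------------------------#
# Set hostname for Server fdqn.server.net #
#-----------------------------------------------------------------------------#
# Ask for a new FQDN, store it in rc.conf and add an /etc/hosts line for it.
creathostname() {
  # does the Host alreadry exist?
  unset new_hostname
  printf "Please enter a Hostname to add: "
  read -r new_hostname
  if ! grep -qF -- "$new_hostname" /etc/rc.conf; then
    printf 'Hostname not found. adding...\n'
    printf "Changing hostname %s from to %s...\n" "$cur_hostname" "$new_hostname"
    sysrc hostname="$new_hostname"
    serverip="$(ifconfig | grep -E 'inet.[0-9]' | grep -v '127.0.0.1' | awk 'NR==1{ print $2}')"
    # Short name = everything before the first dot. (The original piped the
    # assignment into cut, which ran in a subshell and never set servername.)
    servername=${new_hostname%%.*}
    echo "${servername}"
    echo "${serverip} ${new_hostname} ${servername}" >>/etc/hosts
    printf "Print Host File.\n"
    cat /etc/hosts
    printf "Done.\n"
  else
    printf "Hostname exsits.\nAll good.\n"
  fi
}

#-----------------------------------------------------------------------------#
# create extra host enties for other servers fdqn.server.net #
#-----------------------------------------------------------------------------#
# Read "IP FQDN short" from the operator and append it to /etc/hosts;
# repeats until the operator answers "n".
# Note: this overwrites the global serverip/servername with the typed values.
creathostentry() {
  # does the Host already exist?
  unset serverip add_hostname servername
  printf "Enter Hostname to add:[ IP FDQN Hostname ]: "
  read -r serverip add_hostname servername
  if ! grep -qF -- "$add_hostname" /etc/hosts; then
    printf 'Hostname not found. adding...\n'
    echo "${serverip} ${add_hostname} ${servername}" >>/etc/hosts
    printf "Print Host File.\n"
    cat /etc/hosts
    printf "Done.\n"
  else
    printf "Hostname exsits.\nAll good.\n"
  fi
  while true; do
    printf "Continue adding? (y/n)?"
    read -r yn
    yn=${yn:-n}
    case "$yn" in
    [Yy]*)
      creathostentry
      break
      ;;
    [Nn]*) break ;;
    esac
  done
}

# Delete every /etc/hosts line matching the operator's text (a backup is
# kept as /etc/hosts.bkp); repeats until the operator answers "n".
removehosts() {
  printf "Here is the Host file.\n"
  cat /etc/hosts
  printf "What is the server name or ip to remove?"
  read -r removehosts
  # An empty pattern would be an invalid "//d" script; skip it.
  if [ -n "$removehosts" ]; then
    sed -i.bkp "/${removehosts}/d" /etc/hosts
  else
    printf 'Nothing entered. No changes made.\n' >&2
  fi
  printf "Print Host.\n"
  cat /etc/hosts
  printf "Done.\n"
  while true; do
    printf "Continue removing? (y/n)?"
    read -r yn
    yn=${yn:-n}
    case "$yn" in
    [Yy]*)
      removehosts
      break
      ;;
    [Nn]*) break ;;
    esac
  done
}

#-----------------------------------------------------------------------------#
# Create Swap file #
#-----------------------------------------------------------------------------#
# Create /swapfile of the requested size (GB, default 2) and register it in
# /etc/fstab if no swap entry exists yet.
creatswapfile() {
  printf 'Enter Swapfile size in GB: '
  read -r swapsize
  swapsize=${swapsize:-2}
  printf "You choose %s GB for swap.\n" "$swapsize"
  # does the swap file already exist?
  cp /etc/fstab /etc/fstab.bak
  # if not then create it
  if ! grep -q "swap" /etc/fstab; then
    printf 'Swap file not found.\nCreating Swap file.\n'
    truncate -s "${swapsize}G" /swapfile
    chmod 0600 /swapfile
    swapon -aq
    # The entry must end with a newline; without it the next fstab append
    # (e.g. the fdescfs line added by installfirewall) lands on the same line.
    printf "md99 none swap sw,file=/swapfile,late 0 0\n" | tee -a /etc/fstab
    swapon -aqL
    swapinfo -g
    printf "Done Swap should be active.\nIf not reboot.\n"
  else
    printf 'Swap file found.\nNo changes made.\n'
  fi
}

# Optional release upgrade, then package cleanup, freebsd-update and a
# switch of the pkg repository from "quarterly" to "latest".
serverupdate() {
  printf "Do we need to do a release update? (y/n)? "
  read -r yn
  yn=${yn:-n}
  case "$yn" in
  [Yy]*)
    printf "Release to move to? 12.2-RELEASE: "
    read -r bsdrelease
    freebsd-update upgrade -r "$bsdrelease"
    printf "Updating FreeBSD.\nHold Please.\n"
    freebsd-update install
    doreboot
    ;;
  [Nn]*) ;;
  esac
  printf "FreeBSD Cleaning and Updating.\n"
  pkg autoremove -y >/dev/null
  pkg clean -a -y >/dev/null
  printf "Done.\n"
  printf "Updating FreeBSD.\nHold Please.\n"
  freebsd-update fetch install
  doreboot
  printf "Updating All Packages.\n"
  mkdir -p /usr/local/etc/pkg/repos
  cp /etc/pkg/FreeBSD.conf /usr/local/etc/pkg/repos/FreeBSD.conf
  sed -i '' -e 's/quarterly/latest/g' /usr/local/etc/pkg/repos/FreeBSD.conf
  pkg update -f && pkg upgrade -y >/dev/null
  printf "Done.\n"
}

#-----------------------------------------------------------------------------#
# Start configuring and hardening here #
#-----------------------------------------------------------------------------#
# Interactive hardening: sshd settings, tmpfs-backed /tmp and /var/tmp
# (ZFS or UFS layout), optional maldetect install.
hardenserver() {
  printf "Do we need to Secure sshd? (y/n)? "
  read -r yn
  yn=${yn:-n}
  case "$yn" in
  [Yy]*)
    # First "Port ..." line, commented or not; it is the text replaced below.
    cursshport="$(grep -m1 -E "Port .*" /etc/ssh/sshd_config)"
    printf "Enter SSH port to change to:"
    read -r sshport
    sshport=${sshport:-14}
    printf "Set to Port: %s\n" "$sshport"
    printf "Securing the server, please wait...\n"
    # NOTE(review): the settings below disable password logins (and root
    # password logins) and then restart sshd; the admin user created earlier
    # only has a password, so confirm key-based access exists before running
    # this or the operator can be locked out.
    if [ -n "$cursshport" ]; then
      sed -i '' -e "s/$cursshport/Port ${sshport}/g" /etc/ssh/sshd_config
    else
      # An empty search pattern would be an invalid "s//.../" script.
      printf 'No Port line found in sshd_config; port left unchanged.\n' >&2
    fi
    sed -i '' -e 's/.*UseDNS .*/UseDNS no/g' /etc/ssh/sshd_config
    sed -i '' -e 's/#AddressFamily any/AddressFamily inet/g' /etc/ssh/sshd_config
    sed -i '' -e 's/#LoginGraceTime 2m/LoginGraceTime 2m/g' /etc/ssh/sshd_config
    sed -i '' -e 's/#MaxAuthTries 6/MaxAuthTries 5/g' /etc/ssh/sshd_config
    sed -i '' -e 's/#MaxStartups 10:30:100/MaxStartups 10:30:100/g' /etc/ssh/sshd_config
    sed -i '' -e 's/.*PermitRootLogin yes/PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config
    sed -i '' -e 's/.*PasswordAuthentication .*/PasswordAuthentication no/g' /etc/ssh/sshd_config
    sed -i '' -e 's/#ClientAliveInterval .*/ClientAliveInterval 120/g' /etc/ssh/sshd_config
    sed -i '' -e 's/#ClientAliveCountMax .*/ClientAliveCountMax 15/g' /etc/ssh/sshd_config
    sed -i '' -e 's/.*UseBlacklist no/UseBlacklist yes/g' /etc/ssh/sshd_config
    # remove or disable services
    sysrc rpcbind_enable="NO"
    service rpcbind onestop
    service rpcbind onedisable
    service sshd restart
    ;;
  [Nn]*) ;;
  esac
  printf "Do we need to Secure TMP? (y/n)? "
  read -r yn
  yn=${yn:-n}
  case "$yn" in
  [Yy]*)
    # zfs_enable in rc.conf is the only signal used to pick the layout.
    if ! grep -q 'zfs_enable="YES"' /etc/rc.conf; then
      printf 'Filesystem UFS.\n'
      filesys="ufs"
    else
      printf 'Filesystem ZFS.\n'
      filesys="zfs"
    fi
    case "$filesys" in
    "zfs")
      if ! grep -q "tmpfs" /etc/fstab; then
        printf 'tmpfs file not found.\nCreating tmp file.\n'
        sysrc tmpfs_load="YES"
        # Assumes the default "zroot" pool naming; the datasets are destroyed
        # at the end once the tmpfs mounts are in fstab.
        umount -f zroot/tmp
        zfs set mountpoint=none zroot/tmp
        umount -f zroot/var/tmp
        zfs set mountpoint=none zroot/var/tmp
        rm -rf /tmp
        mkdir /tmp
        rm -rf /var/tmp
        mkdir /var/tmp
        mount -t tmpfs -o rw,nosuid,noexec,mode=01777 tmpfs /tmp
        mount -t tmpfs -o rw,nosuid,noexec,mode=01777 tmpfs /var/tmp
        echo "tmpfs /tmp tmpfs rw,nosuid,noexec,mode=01777 0 0" | tee -a /etc/fstab
        echo "tmpfs /var/tmp tmpfs rw,nosuid,noexec,mode=01777 0 0" | tee -a /etc/fstab
        zfs destroy zroot/tmp
        zfs destroy zroot/var/tmp
        printf "Done tmp and /var/tmp should be active and secure. ZFS filesystem removed.\nIf not reboot.\n"
      else
        printf 'tmp file found.\nNo changes made.\n'
      fi
      ;;
    "ufs")
      if ! grep -q "tmpfs" /etc/fstab; then
        printf 'tmpfs file not found.\nCreating tmp file.\n'
        sysrc tmpfs_load="YES"
        umount -f /tmp
        umount -f /var/tmp
        rm -rf /tmp
        mkdir /tmp
        rm -rf /var/tmp
        mkdir /var/tmp
        mount -t tmpfs -o rw,nosuid,noexec,mode=01777 tmpfs /tmp
        mount -t tmpfs -o rw,nosuid,noexec,mode=01777 tmpfs /var/tmp
        echo "tmpfs /tmp tmpfs rw,nosuid,noexec,mode=01777 0 0" | tee -a /etc/fstab
        echo "tmpfs /var/tmp tmpfs rw,nosuid,noexec,mode=01777 0 0" | tee -a /etc/fstab
        printf "Done tmp and /var.tmp should be active and secure. UFS filesystem removed.\nIf not reboot.\n"
      else
        printf 'tmp file found.\nNo changes made.\n'
      fi
      ;;
    *) printf 'Not sure of filesystem.\nNo changes made.\n' ;;
    esac
    ;;
  [Nn]*) ;;
  esac
  printf "Do we need to intall Maldetect? (y/n)? "
  read -r yn
  yn=${yn:-n}
  case "$yn" in
  [Yy]*) installmaldetect ;;
  [Nn]*) ;;
  esac
}

# Install pf, spamd and blacklistd: fetch pf.conf and the helper scripts,
# register cron jobs, configure spamd and enable the services.
# NOTE(review): pf.conf and the scripts executed from cron/DA hooks are
# fetched over plain http with no integrity check, so the rules this host
# enforces depend on an unauthenticated download; serving them over https
# or verifying a checksum after download would close that gap.
installfirewall() {
  pkg install -y pftop spamd
  touch /usr/local/etc/whitelist_ips
  # Fixed management address, loopback and this host are never blocked.
  echo "99.34.232.208" >/usr/local/etc/whitelist_ips
  echo "127.0.0.1" >>/usr/local/etc/whitelist_ips
  echo "$serverip" >>/usr/local/etc/whitelist_ips
  touch /usr/local/etc/blocked_ips
  ${da} set ip_blacklist /usr/local/etc/blocked_ips
  ${da} set ip_whitelist /usr/local/etc/whitelist_ips
  printf "Securing the server, please wait...\n"
  #clear DA brute lists
  : >/usr/local/directadmin/data/admin/brute_ip.data
  : >/usr/local/directadmin/data/admin/brute_log_entries.list
  wget -rnH --cut-dirs=2 http://files.delaintech.com/bsd/pf/pf.conf -P /etc/ >>"${logfile}"
  wget -rnH --cut-dirs=2 http://files.delaintech.com/bsd/pf/pfloadtable.sh -P /usr/local/bin/ >>"${logfile}"
  chmod 755 /usr/local/bin/pfloadtable.sh
  wget -rnH --cut-dirs=2 http://files.delaintech.com/bsd/pf/pfloadabipdb.sh -P /usr/local/bin/ >>"${logfile}"
  chmod 755 /usr/local/bin/pfloadabipdb.sh
  wget -rnH --cut-dirs=2 http://files.delaintech.com/bsd/pf/pfloadcountry.sh -P /usr/local/bin/ >>"${logfile}"
  chmod 755 /usr/local/bin/pfloadcountry.sh
  # Each cron line is inserted after the "#pf jobs" marker; sort|uniq keeps
  # reruns from duplicating entries.
  cronline0="#pf jobs"
  (
    crontab -l 2>/dev/null
    echo "$cronline0"
  ) | sort - | uniq - | crontab -
  cronline1="@reboot /usr/local/bin/pfloadtable.sh"
  cronline2="@reboot /usr/local/bin/pfloadabipdb.sh"
  cronline3="@reboot /usr/local/bin/pfloadcountry.sh"
  cronline4="0 0 * * * /sbin/pfctl -t bruteforce -T expire 432000"
  cronline5="0 1 * * * /usr/local/bin/pfloadabipdb.sh"
  cronline6="0 1 * * * /usr/local/bin/pfloadcountry.sh"
  crontab -l | sed -e '/^#pf jobs/a\ '"$cronline1" | sort - | uniq - | crontab -
  crontab -l | sed -e '/^#pf jobs/a\ '"$cronline2" | sort - | uniq - | crontab -
  crontab -l | sed -e '/^#pf jobs/a\ '"$cronline3" | sort - | uniq - | crontab -
  crontab -l | sed -e '/^#pf jobs/a\ '"$cronline4" | sort - | uniq - | crontab -
  crontab -l | sed -e '/^#pf jobs/a\ '"$cronline5" | sort - | uniq - | crontab -
  crontab -l | sed -e '/^#pf jobs/a\ '"$cronline6" | sort - | uniq - | crontab -
  service cron restart
  wget -rnH --cut-dirs=2 http://files.delaintech.com/bsd/pf/block_ip.sh -P "${dadir}"/scripts/custom >>"${logfile}"
  wget -rnH --cut-dirs=2 http://files.delaintech.com/bsd/pf/unblock_ip.sh -P "${dadir}"/scripts/custom >>"${logfile}"
  wget -rnH --cut-dirs=2 http://files.delaintech.com/bsd/pf/show_blocked_ips.sh -P "${dadir}"/scripts/custom >>"${logfile}"
  wget -rnH --cut-dirs=2 http://files.delaintech.com/bsd/pf/brute_force_notice_ip.sh -P "${dadir}"/scripts/custom >>"${logfile}"
  cd "${dadir}"/scripts/custom || return
  chmod 755 block_ip.sh unblock_ip.sh brute_force_notice_ip.sh show_blocked_ips.sh
  chown diradmin:diradmin block_ip.sh unblock_ip.sh brute_force_notice_ip.sh show_blocked_ips.sh
  wget -rnH --cut-dirs=2 http://files.delaintech.com/bsd/pf/blacklistd.conf -P /etc/ >>"${logfile}"
  ###Spamd setup
  sh /usr/local/sbin/add-spamd-to-etc-service
  if ! grep -q "## For Spamd" /etc/rc.conf.local; then
    cat <<"eol" >>/etc/rc.conf.local
## For Spamd
spamd_flags="-4 -G20:4:864 -h notyourserver.org -l127.0.0.1 -n \"Not your mail Server.\" -S10 -s1 -v -w1"
spamd_black=NO
spamlogd_flags="-I -i lo0"
eol
  else
    printf 'RC local setup already. No changes made.\n'
  fi
  if ! grep -q "all:" /usr/local/etc/spamd/spamd.conf; then
    touch /usr/local/etc/spamd/spamd.conf
    cat <<"eol" >/usr/local/etc/spamd/spamd.conf
all:\
::
eol
  else
    printf 'Spamd.conf setup already. No changes made.\n'
  fi
  cp /etc/fstab /etc/fstab.bak.obsp
  # if not then create it
  if ! grep -q "fdescfs" /etc/fstab; then
    printf 'fdescfs file not found. Creating fdescfs file.\n'
    echo "fdescfs /dev/fd fdescfs rw 0 0" | tee -a /etc/fstab
    printf "Done fdescfs should be active. If not reboot.\n"
  else
    printf 'fdescfs file found. No changes made.\n'
  fi
  # syslogd reads /etc/syslog.conf; the original checked that file but
  # appended to /etc/syslogd.conf, which is never read, so the rule never
  # took effect and was re-appended on every run.
  if ! grep -q "## For Spamd" /etc/syslog.conf; then
    touch /var/log/spamd
    cat <<"eol" >>/etc/syslog.conf
## For Spamd
!spamd
daemon.err;daemon.warn;daemon.info /var/log/spamd
eol
    service syslogd restart
  else
    printf 'Syslogd setup alread -ry. No changes made.\n'
  fi
  sysrc blacklistd_enable="YES"
  sysrc obspamd_enable="YES"
  sysrc obspamlogd_enable="YES"
  sysrc pf_enable="YES"
  sysrc pf_rules="/etc/pf.conf"
  sysrc pflog_enable="YES"
  sysrc pflog_logfile="/var/log/pflog"
  sysrc sendmail_enable="NO"
  sysrc sendmail_submit_enable="NO"
  sysrc sendmail_outbound_enable="NO"
  sysrc sendmail_msp_queue_enable="NO"
  # Syntax-check the ruleset before the module is loaded.
  pfctl -nf /etc/pf.conf
  kldload -n pf
  kldstat -h
  service obspamd enable
  service obspamd start
  doreboot
}

# Install build prerequisites, fetch the CustomBuild options and prepare the
# MySQL/MariaDB cmake options file.
installpreq() {
  pkg install -y gcc gmake perl5 wget bison flex cyrus-sasl cmake python autoconf pkgconf libtool libarchive iconv mailx webalizer gettext udns sudo psmisc openssl krb5 htop screen nano curl zip unzip mysqltuner rsync pigz pcre2 jq bind-tools >/dev/null
  printf "Installing required DirectAdmin Config!\n"
  mkdir -p "${cbblddir}"
  cp "${cbblddir}"/options.conf "${cbblddir}"/options.conf.bak
  wget -rnH --cut-dirs=1 http://files.delaintech.com/bsd/options.conf -P "${cbblddir}" >>"${logfile}"
  wget -rnH --cut-dirs=1 http://files.delaintech.com/bsd/php_extensions.conf -P "${cbblddir}" >>"${logfile}"
  printf "Here is what you have set for DA setup configs.\n"
  printf "Email set to:"
  cat /root/.email.txt
  printf "Nameservers set to:\n"
  cat /root/.ns1.txt
  cat /root/.ns2.txt
  echo "${rootemail}" >/root/.forward
  printf "Email set to:"
  cat /root/.forward
  printf "Are we using ([mysql57] mysql8 or mariadb): "
  read -r custdatabase
  CMAKE_APPEND=""
  if [ "${custdatabase}" = "mysql8" ]; then
    CMAKE_APPEND=" -DFORCE_INSOURCE_BUILD=1 -DDOWNLOAD_BOOST=1 -DWITH_BOOST=/usr/local/boost_mysql -DWITH_PROTOBUF=system"
    pkg install -y boost-libs
    ${cb} set mysql 8.0
    rm -Rf "${cbblddir}"/mysql-8*
  elif [ "${custdatabase}" = "mariadb" ]; then
    #Otherwise compilation fails with unknown ld option -plugin
    # NOTE(review): confmysql uses different boost flags for mariadb and
    # does not install boost-libs; the two should probably agree.
    CMAKE_APPEND=" -DWITH_BOOST=system -DPLUGIN_AUTH_GSSAPI=NO -DPLUGIN_TOKUDB=NO -DPLUGIN_ROCKSDB=NO -DPLUGIN_MROONGA=NO"
    pkg install -y boost-libs
    ${cb} set mysql_inst mariadb
  else
    CMAKE_APPEND=" -DFORCE_INSOURCE_BUILD=1 -DDOWNLOAD_BOOST=1 -DWITH_BOOST=/usr/local/boost_mysql -DWITH_PROTOBUF=system"
    pkg delete -y boost-libs
    ${cb} set mysql 5.7
    rm -Rf "${cbblddir}"/mysql-5*
  fi
  # Same steps either way; mkdir -p is a no-op when the directory exists.
  mkdir -p "${cbblddir}"/custom/mysql
  wget -rnH --cut-dirs=1 http://files.delaintech.com/bsd/cmake.mysql -P "${cbblddir}"/custom/mysql >>"${logfile}"
  chmod 755 "${cbblddir}"/custom/mysql/cmake.mysql
  echo "${CMAKE_APPEND}" >>"${cbblddir}"/custom/mysql/cmake.mysql
  printf "Make sure your cmake file is set correctly..\n"
  cat /usr/local/directadmin/custombuild/custom/mysql/cmake.mysql
}

# Run the vendor setup.sh unless directadmin.conf already exists.
installdirectadmin() {
  if [ ! -f "$daconfile" ]; then
    printf "Make sure your hostfile is set correctly..\n"
    printf "No problem, let's get DirectAdmin installed first ... this could take a minute ... or two ... or thirty .. please wait ...\n"
    cd /root || return
    # NOTE(review): the installer is fetched over plain http and executed as
    # root without verification.
    wget -O setup.sh http://www.directadmin.com/setup.sh
    chmod 755 setup.sh
    export DA_EMAIL="tech@delainhosting.com"
    export DA_NS1="dns3.${svrdomainname}"
    export DA_NS2="dns2.${svrdomainname}"
    ./setup.sh auto
    chown -R diradmin:diradmin "${dadir}"
  else
    printf "Script killed, Directadmin installed.\n"
    exit
  fi
  ${cb} set_fastest_quiet
}

# Enable SNI/Let's Encrypt in DA and request a certificate for the hostname,
# but only if the hostname resolves in DNS.
installletsencrypt() {
  # The original assigned the dig command as a literal string, so the
  # "-n" test below was always true; run it instead.
  resolvedip=$(dig "${cur_hostname}" | awk '/^;; ANSWER SECTION:$/ { getline ; print $5 }')
  if [ -n "$resolvedip" ]; then
    printf 'Creating add sni. adding...\n'
    ${da} set enable_ssl_sni 1
    ${da} set mail_sni 1
    printf "Installing Lets encrypt.\n"
    ${da} set letsencrypt 1
    echo "action=directadmin&value=restart" >>/usr/local/directadmin/data/task.queue
    /usr/local/directadmin/dataskq d2000
    # "set" takes the option and the value as two arguments.
    ${cb} set redirect_host "${cur_hostname}"
    ${cb} set redirect_host_https yes
    ${cb} clean
    ${cb} update
    ${cb} rewrite_confs
    ${cb} update
    ${cb} letsencrypt
    #set ssl on server
    printf "Installing SSL to server.\n"
    cd "${dadir}"/scripts || return
    ./letsencrypt.sh request_single "${cur_hostname}" 4096
    ${da} set ssl 1
    ${da} set force_hostname "${cur_hostname}"
    ${da} set ssl_redirect_host "${cur_hostname}"
    service directadmin restart
    ${da} set letsencrypt_list www:webmail:mail:ftp
    ${da} set letsencrypt_list_selected www:webmail:mail:ftp
    ${da} set letsencrypt_renewal_notice_to_admins 0
    service directadmin restart
    printf "Fingers crossed..if your server resolves to the name it should have worked.\n"
  else
    printf "Nope..if your server does not resolve. Check DNS.. \n"
  fi
}

# Download and install Linux Malware Detect, then apply conf.maldet.
installmaldetect() {
  cd "$builddir" || return
  wget https://www.rfxn.com/downloads/maldetect-current.tar.gz
  tar -xzf maldetect-*.tar.gz
  rm -rf maldetect-*.tar.gz
  cd maldetect* || return
  sh install.sh
  #------------------------------------------------------------------------------#
  # Pull in your conf.maldet here. Change the links.
  #------------------------------------------------------------------------------#
  wget https://files.delaintech.com/conf.maldet -O conf.maldet
  \cp -f conf.maldet /usr/local/maldetect/
  maldet -u
}

# Download and run the Installatron plugin installer.
installinstallatron() {
  cd "$builddir" || return
  wget https://data.installatron.com/installatron-plugin.sh
  chmod +x installatron-plugin.sh
  ./installatron-plugin.sh -f
}

# Fetch custom templates and hook scripts, build apache, and apply the
# DirectAdmin settings (including the brute-force/hardening options).
confdirectadmin() {
  mkdir -p "${datpldir}"
  wget -rnH http://files.delaintech.com/nginx_server.conf -P "${datpldir}" >>"${logfile}"
  wget -rnH http://files.delaintech.com/nginx_server_secure.conf -P "${datpldir}" >>"${logfile}"
  wget -rnH http://files.delaintech.com/virtual_host2_secure.conf.CUSTOM.4.post -P "${datpldir}" >>"${logfile}"
  wget -rnH http://files.delaintech.com/virtual_host2.conf.CUSTOM.4.post -P "${datpldir}" >>"${logfile}"
  wget -rnH http://files.delaintech.com/php-fpm.conf -P "${datpldir}" >>"${logfile}"
  ${cb} apache
  ${cb} mod_htscanner2
  #------------------------------------------------------------------------------#
  # Pull in your custom conf here. Change the links. #
  #------------------------------------------------------------------------------#
  service directadmin enable
  cp /usr/local/directadmin/scripts/setup.txt /usr/local/directadmin/scripts/setupdh.txt
  wget -rnH http://files.delaintech.com/dns_a.conf -P "${datpldir}" >>"${logfile}"
  wget -rnH http://files.delaintech.com/dns_ns.conf -P "${datpldir}" >>"${logfile}"
  wget -rnH http://files.delaintech.com/dns_txt.conf -P "${datpldir}" >>"${logfile}"
  wget -rnH http://files.delaintech.com/user_create_post.sh -P "${dadir}"/scripts/custom >>"${logfile}"
  chmod 755 "${dadir}"/scripts/custom/user_create_post.sh
  wget -rnH --cut-dirs=1 http://files.delaintech.com/bsd/all_backups_post.sh -P "${dadir}"/scripts/custom >>"${logfile}"
  chmod 755 "${dadir}"/scripts/custom/all_backups_post.sh
  wget -rnH http://files.delaintech.com/backup.conf -P "${datadmdir}" >>"${logfile}"
  wget -rnH http://files.delaintech.com/backup_crons.list -P "${datadmdir}" >>"${logfile}"
  cp "$daconfile" "$daconfile".bak
  cd "${cbblddir}" || return
  mkdir -p custom
  touch custom/php_disable_functions
  echo "exec, system, passthru, shell_exec, proc_close, proc_open, show_source" >custom/php_disable_functions
  ${cb} secure_php
  ${da} set zstd 1
  ${da} set backup_gzip 1
  ${da} set zip 1
  ${da} set pigz "${cpu_cores}"
  ${da} set enforce_difficult_passwords 1
  ${da} set difficult_password_length_min 8
  ${da} set check_subdomain_owner 1
  ${da} set admin_helper clients.delainhosting.com
  ${da} set cluster 1
  ${da} set enable_threads 1
  ${da} set cpu_in_system_info 1
  ${da} set delete_messages_days 1
  ${da} set delete_tickets_days 1
  ${da} set msg_sys "Delain Hosting"
  # DA hardening
  ${da} set brutecount 5
  ${da} set brute_dos_count 3
  ${da} set ip_brutecount 3
  ${da} set unblock_brute_ip_time 0 #Never
  ${da} set clear_blacklist_ip_time 0 #Never
  ${da} set user_brutecount 3
  ${da} set brute_force_time_limit 3600
  ${da} set hide_brute_force_notifications 1
  ${da} set clear_brute_log_entry_time 1
  ${da} set show_info_in_header 0
  ${da} set exempt_local_block 1
  ${da} set brute_force_log_scanner 1
  ${da} set brute_force_scan_apache_logs 2
  ${da} set brute_force_apache_log_list_update_interval 10
  #disable certain librarys we dont need CB to take care of.
  echo libpng_current:0: >"${cbblddir}"/custom/custom_versions.txt
  echo libsodium_current:0: >>"${cbblddir}"/custom/custom_versions.txt
  echo nghttp2_current:0: >>"${cbblddir}"/custom/custom_versions.txt
  echo pigz_current:0: >>"${cbblddir}"/custom/custom_versions.txt
  echo icu_current:0: >>"${cbblddir}"/custom/custom_versions.txt
  echo pcre_current:0: >>"${cbblddir}"/custom/custom_versions.txt
  echo pcre2_current:0: >>"${cbblddir}"/custom/custom_versions.txt
  echo libxml2_current:0: >>"${cbblddir}"/custom/custom_versions.txt
  echo libxslt_current:0: >>"${cbblddir}"/custom/custom_versions.txt
  service directadmin restart
  ${cb} rewrite_confs
  chown -R diradmin:diradmin "${datpldir}"
}

# Interactive mail setup: optional full rebuild, root alias, relay hosts,
# standard exim/dovecot/roundcube settings and the roundcube identity step.
# NOTE(review): the reviewed text is truncated inside the last case arm (see
# the comment there); the end of this function, and whatever functions sat
# between it and the proftpd steps, are missing and cannot be restored here.
confmail() {
  printf "Rebuild all of email? (y/n)? "
  read -r yn
  yn=${yn:-n}
  case "$yn" in
  [Yy]*)
    echo "purgestat /usr/bin/true" >>/etc/mail/mailer.conf
    printf 'Creating add sni. adding...\n'
    ${da} set enable_ssl_sni 1
    ${da} set mail_sni 1
    ${da} set dkim 1
    ${da} set spam_inbox_prefix 0
    ${da} set purge_spam_days 30
    ${cb} set webapps_inbox_prefix no
    echo "EASY_NO_REVERSE_IP==50" >/etc/exim.easy_spam_fighter/variables.conf.custom
    echo "EASY_SPF_FAIL==50" >>/etc/exim.easy_spam_fighter/variables.conf.custom
    echo "EASY_DKIM_FAIL==10" >>/etc/exim.easy_spam_fighter/variables.conf.custom
    echo "ssl=required" >/etc/dovecot/conf.d/force_ssl.conf
    #mail quota warning
    cd /etc/dovecot/conf.d || return
    wget -O 91-quota-warning.conf http://files1.directadmin.com/services/all/91-quota-warning.conf
    wget -O /usr/local/bin/quota-warning.sh http://files1.directadmin.com/services/all/quota-warning.sh
    chmod 755 /usr/local/bin/quota-warning.sh
    #end mail quota warning
    #Webmail client choice
    ${da} set webmail_link roundcube
    ${cb} set roundcube yes
    ${cb} set squirrelmail no
    printf 'Creating add sni. adding...\n'
    ${da} set enable_ssl_sni 1
    ${da} set mail_sni 1
    ${cb} clean
    ${cb} update
    ${cb} dovecot
    ${cb} exim
    ${cb} pigeonhole
    ${cb} exim_conf
    ${cb} dovecot_conf
    ${cb} blockcracking
    ${cb} roundcube
    ;;
  [Nn]*) ;;
  esac
  printf "Set Root mail? (y/n)? "
  read -r yn
  yn=${yn:-n}
  case "$yn" in
  [Yy]*)
    printf "Where should root email go: "
    read -r rootemail
    rootemail=${rootemail:-tech@delainhosting.com}
    # Fixed-string match: the address contains regex-significant dots.
    if grep -F -- "$rootemail" /etc/mail/aliases >/dev/null; then
      printf "%s found already set in Aliases file.\n" "$rootemail"
    else
      sed -i '' -e "s|.*[[:blank:]]*root:[[:blank:]].*|root: ${rootemail}|g" /etc/mail/aliases
      newaliases
      printf "Email set to:"
      grep -F -- "$rootemail" /etc/mail/aliases
    fi
    ;;
  [Nn]*) ;;
  esac
  # NOTE(review): the prompt says POP, but the action only clears exim's
  # relay_hosts list -- confirm which was intended.
  printf "Disable POP mail? (y/n)? "
  read -r yn
  yn=${yn:-y}
  case "$yn" in
  [Yy]*)
    touch /etc/exim.variables.conf.custom
    grep -qxF 'hostlist relay_hosts=' /etc/exim.variables.conf.custom || echo 'hostlist relay_hosts=' >>/etc/exim.variables.conf.custom
    ;;
  [Nn]*) ;;
  esac
  printf "Setup standard mail settings? (y/n)? "
  read -r yn
  yn=${yn:-n}
  case "$yn" in
  [Yy]*)
    #update mailer.conf
    echo "purgestat /usr/bin/true" >>/etc/mail/mailer.conf
    printf 'Creating add sni. adding...\n'
    ${da} set enable_ssl_sni 1
    ${da} set mail_sni 1
    ${da} set dkim 1
    ${da} set spam_inbox_prefix 0
    ${da} set purge_spam_days 30
    ${cb} set webapps_inbox_prefix no
    echo "EASY_NO_REVERSE_IP==50" >/etc/exim.easy_spam_fighter/variables.conf.custom
    echo "EASY_SPF_FAIL==50" >>/etc/exim.easy_spam_fighter/variables.conf.custom
    echo "EASY_DKIM_FAIL==10" >>/etc/exim.easy_spam_fighter/variables.conf.custom
    echo "ssl=required" >/etc/dovecot/conf.d/force_ssl.conf
    #mail quota warning
    cd /etc/dovecot/conf.d || return
    wget -O 91-quota-warning.conf http://files1.directadmin.com/services/all/91-quota-warning.conf
    wget -O /usr/local/bin/quota-warning.sh http://files1.directadmin.com/services/all/quota-warning.sh
    chmod 755 /usr/local/bin/quota-warning.sh
    #end mail quota warning
    #Webmail client choice
    ${da} set webmail_link roundcube
    ${cb} set roundcube yes
    ${cb} set squirrelmail no
    ${cb} roundcube
    cat >/etc/dovecot/conf.d/90-special-folders.conf <<"eol"
namespace inbox {
type = private
separator = .
subscriptions = yes
inbox = yes
}
namespace inbox {
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Archive {
auto = subscribe
special_use = \Archive
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
}
eol
    ;;
  [Nn]*) ;;
  esac
  printf "Need identity switch in Roundcube? (yn)"
  read -r yn
  yn=${yn:-n}
  case "$yn" in
  [Yy]*)
    cat /usr/local/directadmin/scripts/setup.txt
    mysqldump -uroot -p da_roundcube >da_roundcube.bk.sql
    wget -rnH http://files.delaintech.com/mysql.initial.sql -P /tmp
    # NOTE(review): the reviewed text loses everything between this mysql
    # command and "/etc/resolv.conf" (the rest of this arm, the closing
    # esac/brace and the start of the proftpd function). The residue below
    # is kept as found; it does not parse and must be restored from the
    # original file.
    mysql -uroot -p da_roundcube /etc/resolv.conf <>${logfile}
    wget -rnH --cut-dirs=2 http://files.delaintech.com/bsd/proftpd/proftpd.conf -P "${cbblddir}"/custom/proftpd/conf >>"${logfile}"
    chmod 755 custom/proftpd/configure.proftpd
    wget -rnH --cut-dirs=2 http://files.delaintech.com/bsd/proftpd/proftpd.sftp.conf -P /usr/local/etc >>"${logfile}"
    sed -i -e "s|||g" /usr/local/etc/proftpd.sftp.conf
    ${cb} proftpd
    printf "Setting up Proftp.\n"
    service proftpd enable
    service proftpd restart
    printf "Done.\n"
}

# Choose the database flavour, prepare the cmake options file and bind
# the server to loopback.
confmysql() {
  printf "Are we using ([mysql57] mysql8 or mariadb): "
  read -r custdatabase
  CMAKE_APPEND=""
  if [ "${custdatabase}" = "mysql8" ]; then
    CMAKE_APPEND=" -DFORCE_INSOURCE_BUILD=1 -DDOWNLOAD_BOOST=1 -DWITH_BOOST=/usr/local/boost_mysql -DWITH_PROTOBUF=system"
    pkg install -y boost-libs
    ${cb} set mysql 8.0
    rm -Rf "${cbblddir}"/mysql-8*
  elif [ "${custdatabase}" = "mariadb" ]; then
    #Otherwise compilation fails with unknown ld option -plugin
    CMAKE_APPEND=" -DDOWNLOAD_BOOST=1 -DWITH_BOOST=/usr/local/boost_mysql -DPLUGIN_AUTH_GSSAPI=NO -DPLUGIN_TOKUDB=NO -DPLUGIN_ROCKSDB=NO -DPLUGIN_MROONGA=NO"
    ${cb} set mysql_inst mariadb
  else
    CMAKE_APPEND=" -DFORCE_INSOURCE_BUILD=1 -DDOWNLOAD_BOOST=1 -DWITH_BOOST=/usr/local/boost_mysql -DWITH_PROTOBUF=system"
    pkg delete -y boost-libs
    ${cb} set mysql 5.7
    rm -Rf "${cbblddir}"/mysql-5*
  fi
  mkdir -p "${cbblddir}"/custom/mysql
  wget -rnH --cut-dirs=1 http://files.delaintech.com/bsd/cmake.mysql -P "${cbblddir}"/custom/mysql >>"${logfile}"
  chmod 755 "${cbblddir}"/custom/mysql/cmake.mysql
  echo "${CMAKE_APPEND}" >>"${cbblddir}"/custom/mysql/cmake.mysql
  printf "Make sure your cmake file is set correctly..\n"
  cat /usr/local/directadmin/custombuild/custom/mysql/cmake.mysql
  # Listen on loopback only; remote clients go through DA/phpMyAdmin.
  if ! grep -q 'bind-address = 127.0.0.1' /etc/my.cnf; then
    echo 'bind-address = 127.0.0.1' >>/etc/my.cnf
    service mysqld enable
    service mysqld restart
  fi
  ${da} set one_click_pma_login 1
}

# Print the status of every service this script manages.
serverstatus() {
  printf "Checking Directadmin.\n"
  service pf status
  service directadmin status
  service sshd status
  service obspamd status
  service httpd status
  service nginx status
  service php-fpm74 status
  service named status
  service exim status
  service dovecot status
  service mysqld status
  service proftpd status
  printf "Done.\n"
}

# Run CustomBuild "all d" after removing stale MySQL source trees.
buildalld() {
  printf 'Running Build All D...Go sleep or get Coffee!\n'
  rm -Rf "${cbblddir}"/mysql-5*
  rm -Rf "${cbblddir}"/mysql-8*
  ${cb} update
  ${cb} all d
  ${cb} rewrite_confs
  printf "Build ALL done.\n"
}

# Optionally install rclone, then archive DA config, custom scripts and
# /etc into /sys_backup/backup.tgz and run the all_backups_post hook.
backupall() {
  printf "Install Rclone for file backup.(yn)"
  read -r yn
  yn=${yn:-n}
  case "$yn" in
  [Yy]*)
    printf 'Installing Rclone for file backup.\n'
    pkg install -y rclone pidof
    mkdir -p /var/log/rclone
    touch /var/log/rclone/aws.log
    printf "Setup Rclone.\n"
    rclone config
    ;;
  [Nn]*) ;;
  esac
  printf 'Running Server file backup.\n'
  ${cb} mysql_backup
  # Both branches of the original did the same work; mkdir -p makes the
  # "directories already exist" case identical.
  mkdir -p /admin_backups
  mkdir -p /sys_backup
  chmod 755 /admin_backups
  chmod 755 /sys_backup
  chown admin:admin /admin_backups
  chown admin:admin /sys_backup
  cd / || return
  # The root/*c* exclude is a tar pattern and must not be expanded by the shell.
  tar -czvf /sys_backup/backup.tgz --exclude sys_backup/backup.tar.gz --exclude home/admin/admin_backup --exclude admin_backups --exclude 'root/*c*' usr/local/directadmin/conf usr/local/directadmin/scripts/custom usr/local/directadmin/custombuild/custom usr/local/directadmin/data/templates/custom usr/local/directadmin/data/templates/mx usr/local/directadmin/data/admin/packages/ usr/local/directadmin/data/admin/packages.list usr/local/directadmin/data/users/admin/packages/ usr/local/directadmin/data/users/admin/packages.list /usr/local/directadmin/data/admin/backup* sys_backup/mysql_backups usr/local/etc etc root
  printf "Server Backup done.\n"
  /usr/local/directadmin/scripts/custom/all_backups_post.sh
}

#-------------------------------------------------------------------------------#
# Main Direct Admin Functions #
# ------------------------------------------------------------------------------#
clear
dasetup_banner
linebreak
#Check that user is root.
if [ "$(id -u)" = "0" ]; then
  printf "We are root. Continuing on....\n"
else
  printf "This script must be run as root. Exiting.\n"
  exit 1
fi
#What Distro are you on?
printf "This installer is for FreeBSD 11+.\n" 2>&1
if [ "$os" = "FreeBSD" ]; then
  printf "System runs on %s version %s. Great! Continuing on....\n" "$os" "$vn"
else
  printf "System runs on unsupported os. Exiting...\n"
  exit
fi
#Menus Starts here
linebreak
# NOTE(review): the menu (a heredoc followed by the select/case loop that
# sets "run") is missing from the reviewed text; only the fragment below
# survived. It does not parse and must be restored from the original file.
cat <&2 ;; esac done done
if [ -d "$builddir" ]; then
  rm -rf -- "${builddir:?}"
fi
mkdir "$builddir"
# "run" is the menu selection (a function name); it is only set by the menu.
if [ -n "$run" ]; then
  "${run}"
  exit
fi
printf "Cleaning up build files, please wait...\n"
cd ~ || exit
rm -rf -- "${builddir:?}"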
