diff --git a/AppendCMS.sh b/AppendCMS.sh
index 33745cd..aa0fcac 100644
--- a/AppendCMS.sh
+++ b/AppendCMS.sh
@@ -8,7 +8,7 @@ if [ ! -f "/etc/ICTM/phpvar.list" ] ; then echo 'Php var list missing,Please run
 source /etc/ICTM/selopts.list
 source /etc/ICTM/mainvar.list
 source /etc/ICTM/phpvar.list
-if [ ! -f "/etc/ICTM/apachevar.list" ] ; then source /etc/ICTM/apachevar.list; fi
+if [ -f "/etc/ICTM/apachevar.list" ] ; then source /etc/ICTM/apachevar.list; fi
 rm /tmp/pkg.list > $OUTPUT 2>&1
 source <(curl --retry 7 --retry-delay 5 -s "$repo"/raw/"$branchtype"/"$branch"/ModulesMenu.list)
diff --git a/AppendModule.sh b/AppendModule.sh
index 455dcd3..b4f44de 100644
--- a/AppendModule.sh
+++ b/AppendModule.sh
@@ -12,6 +12,7 @@ if [ ! -f "/etc/ICTM/phpvar.list" ] ; then echo 'Php var list missing,Please run
 source /etc/ICTM/selopts.list
 source /etc/ICTM/mainvar.list
 source /etc/ICTM/phpvar.list
+if [ -f "/etc/ICTM/apachevar.list" ] ; then source /etc/ICTM/apachevar.list; fi
 rm /tmp/pkg.list
 source <(curl --retry 7 --retry-delay 5 -s "$repo"/raw/"$branchtype"/"$branch"/ModulesMenu.list)
diff --git a/CMS/nextcloud/conf.sh b/CMS/nextcloud/conf.sh
index d6e78d5..25db50e 100644
--- a/CMS/nextcloud/conf.sh
+++ b/CMS/nextcloud/conf.sh
@@ -54,13 +54,8 @@ sed -i -e 's/SITEname/'$sitename'/' /etc/update-motd.d/51-nextnotice-"${sitename
 chmod +x /etc/update-motd.d/51-nextnotice-"${sitename//_}"
-#Nextcloud logging location
-mkdir /var/log/nextcloud
-chmod 774 -R /var/log/nextcloud
-ln -s /var/www/"$domain"/html/data/nextcloud.log /var/log/nextcloud/"$sitename"
-
 #fail2ban
 curl --retry 7 --retry-delay 5 -s "$repo"/raw/"$branchtype"/"$branch"/config/fail2ban/Jails/nextcloud_unconfigured -o /etc/fail2ban/jail.d/"$sitename"-nextcloud.local
-sed -i 's/SITEname/'$sitename'/' /etc/fail2ban/jail.d/"$sitename"-nextcloud.local
+sed -i 's/DOMain/'$domain'/' /etc/fail2ban/jail.d/"$sitename"-nextcloud.local
 systemctl reload "$phpFPMService"
\ No newline at end of file
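Review bot: The new guard in AppendCMS.sh only tests `-f`, so a file that exists but cannot be read makes `source` fail and the script carries on without any Apache variables and without a message; AppendModule.sh adds the identical line. The phpvar.list check just above prints a diagnostic when that list is absent, so the optional list deserves at least a visible warning on the unreadable case: `if [ -f /etc/ICTM/apachevar.list ]; then source /etc/ICTM/apachevar.list || echo 'apachevar.list present but could not be sourced' >&2; fi`. The path is quoted in the test but not in the `source`; pick one style for both.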
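Review bot: On the new `sed -i 's/DOMain/'$domain'/'` line `$domain` is spliced unquoted into the sed replacement, so a value containing `/`, `&`, `\` or whitespace either breaks the expression or rewrites the jail's logpath to something unintended; the removed `$sitename` line had the same shape. Use a delimiter that cannot occur in a hostname and quote the expansion: `sed -i "s|DOMain|${domain}|" /etc/fail2ban/jail.d/"$sitename"-nextcloud.local`. Where `$domain` is set is outside this hunk, so whether it is validated before reaching here cannot be seen; if it is user-entered, a hostname sanity check before the substitution is the safer place to fail. With the /var/log/nextcloud symlink gone, the jail now reads the log directly from the site's data directory, so fail2ban needs read access there (the SELinux module added in CoreModules/generic/conf.sh covers el8; on other distributions the data directory's mode and ownership decide).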
diff --git a/CMS/wordpress/conf.sh b/CMS/wordpress/conf.sh
index de03905..7860d73 100644
--- a/CMS/wordpress/conf.sh
+++ b/CMS/wordpress/conf.sh
@@ -44,7 +44,7 @@ systemctl reload $phpFPMService
 if [ ! -f /etc/fail2ban/jail.d/wordpress-syslog.local ]; then
 curl --retry 7 --retry-delay 5 -s "$repo"/raw/"$branchtype"/"$branch"/config/fail2ban/Jails/wordpress-syslog.jail -o /etc/fail2ban/jail.d/wordpress-syslog.local
 if [ "$shortdist" = "el8" ]; then
- sed -i '/logpath/c\logpath = /var/log/secure' /etc/fail2ban/jail.d/wordpress-syslog.local
+ sed -i '/logpath/c\logpath = /var/log/messages' /etc/fail2ban/jail.d/wordpress-syslog.local
 fi
 fi
diff --git a/CoreModules/generic/conf.sh b/CoreModules/generic/conf.sh
index 9afb831..e4a84ab 100644
--- a/CoreModules/generic/conf.sh
+++ b/CoreModules/generic/conf.sh
@@ -44,6 +44,10 @@ curl --retry 7 --retry-delay 5 -s https://plugins.svn.wordpress.org/wp-fail2ban/
 if [ "$shortdist" = "el8" ]; then
 curl --retry 7 --retry-delay 5 -s "$repo"/raw/"$branchtype"/"$branch"/config/fail2ban/action.d/ufw.conf -o /etc/fail2ban/action.d/ufw.conf
+ curl --retry 7 --retry-delay 5 -s "$repo"/raw/"$branchtype"/"$branch"/config/selinux/policies/fail2ban-allowhttpd.te -o /tmp/fail2ban-allowhttpd.te
+ checkmodule -M -m -o /tmp/fail2ban-allowhttpd.mod /tmp/fail2ban-allowhttpd.te
+ semodule_package -o /tmp/fail2ban-allowhttpd.pp -m /tmp/fail2ban-allowhttpd.mod
+ semodule -i /tmp/fail2ban-allowhttpd.pp
 fi
 #Start fail2ban service
diff --git a/SubModules/php-fpm/conf.sh b/SubModules/php-fpm/conf.sh
index 204ab22..32f44be 100644
--- a/SubModules/php-fpm/conf.sh
+++ b/SubModules/php-fpm/conf.sh
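Review bot: The four new lines in the el8 branch of CoreModules/generic/conf.sh fetch a policy source with `curl -s` and no `--fail`, so a 404 or HTML error page is saved silently, and then compile and load it from fixed paths in the world-writable /tmp with no status check between the steps: a failed download or a `checkmodule` error leaves nothing installed while the script carries on, and a pre-existing /tmp/fail2ban-allowhttpd.* (including a symlink placed by another local user) is followed by `-o` and overwritten. Because this runs as root and ends in `semodule -i`, build the module in a `mktemp -d` directory, make the download fail explicitly with `-fsS`, chain the steps with `&&`, and remove the directory afterwards; the intermediate .mod/.pp files are also never cleaned up at present. The enclosing `if` is inside the hunk, but the script's error-handling mode (`set -e` or not) is not visible, so the explicit `||` report below does not rely on it.
```shell
if [ "$shortdist" = "el8" ]; then
    # … unchanged: ufw.conf download …
    # Build the fail2ban SELinux module in a private directory so nothing under /tmp can be pre-placed or clobbered.
    semod_dir=$(mktemp -d) || exit 1
    curl --retry 7 --retry-delay 5 -fsS "$repo"/raw/"$branchtype"/"$branch"/config/selinux/policies/fail2ban-allowhttpd.te -o "$semod_dir"/fail2ban-allowhttpd.te \
      && checkmodule -M -m -o "$semod_dir"/fail2ban-allowhttpd.mod "$semod_dir"/fail2ban-allowhttpd.te \
      && semodule_package -o "$semod_dir"/fail2ban-allowhttpd.pp -m "$semod_dir"/fail2ban-allowhttpd.mod \
      && semodule -i "$semod_dir"/fail2ban-allowhttpd.pp \
      || echo "fail2ban-allowhttpd SELinux module was not installed" >&2
    rm -rf -- "${semod_dir:?}"
fi
```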
@@ -20,6 +20,7 @@ if [ "$shortdist" = "el8" ]; then
 echo "pdo_mysql.default_socket = '/var/run/mysqld/mysqld.sock'" >> /etc/opt/remi/php${phpver//.}/php.d/60-mysql_sock.ini
 echo "mysql.default_socket = '/var/run/mysqld/mysqld.sock'" >> /etc/opt/remi/php${phpver//.}/php.d/60-mysql_sock.ini
 echo "mysqli.default_socket = '/var/run/mysqld/mysqld.sock'" >> /etc/opt/remi/php${phpver//.}/php.d/60-mysql_sock.ini
+echo "d /run/php 0755 www-data www-data - -" > /usr/lib/tmpfiles.d/php-custom.conf
 #Centos php Bin
 sudo ln -s /usr/bin/php${phpver//.} /usr/bin/php
 #Centos SeLinux
diff --git a/SubModules/postfix/conf.sh b/SubModules/postfix/conf.sh
index 4e10837..f7c847c 100644
--- a/SubModules/postfix/conf.sh
+++ b/SubModules/postfix/conf.sh
@@ -13,4 +13,6 @@ root: $email
 EOF
 newaliases
-systemctl reload postfix postfix@-
\ No newline at end of file
+systemctl start postfix
+systemctl enable postfix
+systemctl reload postfix
\ No newline at end of file
diff --git a/SubModules/postfix/preconf.sh b/SubModules/postfix/preconf.sh
index 3dae6a3..44f531b 100644
--- a/SubModules/postfix/preconf.sh
+++ b/SubModules/postfix/preconf.sh
@@ -7,5 +7,7 @@ if [ -z "${domain}" ]; then
 fi
 fi
-debconf-set-selections <<< "postfix postfix/mailname string $domain"
-debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Internet Site'"
\ No newline at end of file
+if [ "$shortdist" = "ubu1804" ] || [ "$osrel" = "ubu2004" ] || [ "$osrel" = "deb10" ] ; then
+ debconf-set-selections <<< "postfix postfix/mailname string $domain"
+ debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Internet Site'"
+fi
\ No newline at end of file
diff --git a/config/fail2ban/Jails/nextcloud_unconfigured b/config/fail2ban/Jails/nextcloud_unconfigured
index 1d0cce5..6965831 100644
--- a/config/fail2ban/Jails/nextcloud_unconfigured
+++ b/config/fail2ban/Jails/nextcloud_unconfigured
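Review bot: The new tmpfiles entry in SubModules/php-fpm/conf.sh is written to /usr/lib/tmpfiles.d, the package-owned tree; a locally generated drop-in belongs in /etc/tmpfiles.d (tmpfiles.d(5) gives /etc precedence, so a package update cannot overwrite or shadow it), and nothing runs `systemd-tmpfiles --create` afterwards, so /run/php does not exist until the next boot even though php-fpm is configured during this same run. The line also sits in the el8 branch yet names `www-data`; unless the installer creates that account on el8 (not visible in this hunk) systemd-tmpfiles will refuse the entry because the user cannot be resolved, and as far as I know the remi php-fpm packages do not use /run/php by default, so confirm the path matches the pool's `listen` socket. Suggested: `echo "d /run/php 0755 www-data www-data - -" > /etc/tmpfiles.d/php-custom.conf` followed by `systemd-tmpfiles --create /etc/tmpfiles.d/php-custom.conf`.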
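Review bot: The three new `systemctl` calls in SubModules/postfix/conf.sh can be collapsed and made checkable: `systemctl enable --now postfix || echo 'postfix did not start' >&2`. The `reload` immediately after a fresh `start` does nothing useful unless main.cf was edited earlier in the file (outside this hunk), and none of the three report failure, so a postfix that refuses to start (for example because of a bad mailname preseed) goes unnoticed and the script continues. The file still ends without a trailing newline.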
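Review bot: The new condition in SubModules/postfix/preconf.sh compares `$shortdist` with `ubu1804` but `$osrel` with `ubu2004` and `deb10`; elsewhere in this commit (CMS/wordpress/conf.sh, CoreModules/generic/conf.sh, SubModules/php-fpm/conf.sh) the distribution id is read from `$shortdist`, so the second and third tests presumably look at the wrong variable and the preseed would be skipped on Ubuntu 20.04 and Debian 10 unless `$osrel` happens to hold the same string. If `$shortdist` is the intended variable, a `case` keeps the list in one place: `case "$shortdist" in ubu1804|ubu2004|deb10) …;; esac`, or at minimum `[ "$shortdist" = "ubu2004" ] || [ "$shortdist" = "deb10" ]`. Without the preseed the postfix package configuration on those releases would presumably prompt interactively or take the package default, which is the failure the block exists to avoid.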
@@ -6,4 +6,4 @@ filter = nextcloud
 maxretry = 15
 bantime = 900
 findtime = 900
-logpath = /var/log/nextcloud/SITEname
+logpath = /var/www/DOMain/html/data/nextcloud.log
diff --git a/config/selinux/policies/fail2ban-allowhttpd.te b/config/selinux/policies/fail2ban-allowhttpd.te
new file mode 100644
index 0000000..1d59595
--- /dev/null
+++ b/config/selinux/policies/fail2ban-allowhttpd.te
@@ -0,0 +1,21 @@
+module fail2ban-allowhttpd 1.1;
+
+require {
+ type httpd_sys_rw_content_t;
+ type fail2ban_t;
+ type syslogd_var_run_t;
+ type fail2ban_client_t;
+ class capability dac_override;
+ class dir { read getattr search ioctl };
+ class file { getattr read open search ioctl };
+}
+
+#============= fail2ban_client_t ==============
+allow fail2ban_client_t httpd_sys_rw_content_t:file getattr;
+allow fail2ban_client_t self:capability dac_override;
+
+#============= fail2ban_t ==============
+allow fail2ban_t httpd_sys_rw_content_t:dir { read getattr search ioctl };
+allow fail2ban_t httpd_sys_rw_content_t:file { read getattr open search ioctl };
+allow fail2ban_t syslogd_var_run_t:dir read;
+allow fail2ban_t syslogd_var_run_t:file { read getattr open };
\ No newline at end of file
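Review bot: `allow fail2ban_client_t self:capability dac_override;` lets the client bypass DAC permission checks on every file on the system, not only the Nextcloud log it evidently failed to stat; this is the usual audit2allow artefact for a root process reading a file whose mode or owner excludes it, and the narrower fixes are to make the log readable to fail2ban through ownership or group, or, if a capability is genuinely needed for read-only access, `dac_read_search` instead of `dac_override`. Separately, `class file { getattr read open search ioctl }` lists `search`, which as far as I recall is a directory-class permission not defined for `file`; if checkmodule rejects the declaration on el8 the module never loads, and because CoreModules/generic/conf.sh does not check checkmodule's status that failure would be silent, so build it once by hand and, if confirmed, drop `search` from both the `class file` require and the `fail2ban_t … :file` rule. The syslogd_var_run_t grants are not explained by the jails touched in this commit; a one-line comment naming the log under /run that needs them, e.g. `# fail2ban_t: reads <log path under /run> — TODO confirm`, would help the next reviewer. The file also ends without a newline.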