Extended LAMP Library

#!/bin/bash
#
#
# Copyright (c) 2012 Aspen Digital / Peter Halverson <pete@aspendigital.com>
# All rights reserved.

# Redistribution and use in source and binary forms, with or without modification, 
# are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice, this
# list of conditions and the following disclaimer in the documentation and/or
# other materials provided with the distribution.
#
# * Neither the name of Linode LLC nor the names of its contributors may be
# used to endorse or promote products derived from this software without specific prior
# written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
# DAMAGE.
#
# Code references:
#
# StackScript Bash Library
# Copyright (c) 2010 Linode LLC / Christopher S. Aker <caker@linode.com>
# All rights reserved.
#
###########################################################
# MISC functions
###########################################################

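function php_install_with_apache_extended {
	# Installs PHP 5 as an Apache module plus the CLI and the extensions the
	# rest of this library expects (mysql, curl, gd, mcrypt, pear, APC cache).
	# Apache is only flagged for restart when the install actually succeeded;
	# the original touched the sentinel unconditionally, which hid a failed
	# aptitude run behind a later restart.
	# Returns: aptitude's exit status on failure, 0 otherwise.
	local packages="php5 php5-mysql libapache2-mod-php5 php5-curl php5-gd php5-mcrypt php5-cli php-pear php-apc"

	# shellcheck disable=SC2086 -- $packages is a deliberate space-separated list
	aptitude -y install $packages || return $?
	touch /tmp/restart-apache2
}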

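function php_secure_tune {
	# Hides the Apache version/OS from the Server response header by forcing
	# "ServerTokens Prod" in Apache's security conf. Despite the name, this
	# touches Apache only; PHP's expose_php is not changed here.
	# $1 - optional - path of the security conf to edit
	#      (default: /etc/apache2/conf.d/security, the Apache 2.2 location)
	# Returns 1 if the conf file does not exist (previously sed failed silently
	# and Apache was still flagged for restart).
	# NOTE(review): ServerSignature Off is the companion setting for error-page
	# footers; it is left as-is in the file.
	local conf="${1:-/etc/apache2/conf.d/security}"

	if [ ! -f "$conf" ]; then
		echo "php_secure_tune(): $conf not found" >&2
		return 1
	fi

	# drop commented-out ServerTokens lines, rewrite any active one to Prod
	sed -i '/^#ServerTokens/d;s/^ServerTokens .*/ServerTokens Prod/' "$conf"

	# a file with no ServerTokens directive at all would otherwise keep the
	# compiled-in default (Full); make sure the directive is present
	if ! grep -q '^ServerTokens Prod' "$conf"; then
		echo "ServerTokens Prod" >> "$conf"
	fi

	touch /tmp/restart-apache2
}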

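function firewall_setup {
	# Writes a default-deny IPv4 ruleset to /etc/iptables.up.rules, loads it,
	# and installs an ifupdown pre-up hook so it is reloaded at boot.
	# $1 - optional - TCP port sshd listens on (default 22). It MUST match the
	#      Port in sshd_config, otherwise you lock yourself out of the box.
	# Returns 1 on a non-numeric port or if iptables-restore rejects the rules
	# (in which case the boot hook is not installed either, so a broken file
	# is never replayed at boot).
	#
	# Based on Jered's guide:
	# http://articles.slicehost.com/2010/4/30/ubuntu-lucid-setup-part-1
	# Inspect the live table with: /sbin/iptables -L -n -v
	#
	# NOTE(review): this filters IPv4 only. ip6tables is untouched, so any
	# service bound to :: (sshd, apache) remains reachable over IPv6 unfiltered.
	local ssh_port="${1:-22}"
	local rules=/etc/iptables.up.rules
	local hook=/etc/network/if-pre-up.d/iptables

	case "$ssh_port" in
		''|*[!0-9]*)
			echo "firewall_setup(): ssh port must be numeric, got '$ssh_port'" >&2
			return 1
			;;
	esac

	cat > "$rules" <<EOF
*filter
#  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
#  Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#  Allows all outbound traffic
#  You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
#  Allows SSH connections
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
-A INPUT -p tcp -m state --state NEW --dport ${ssh_port} -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF

	# iptables-restore replaces the *filter table atomically, so the separate
	# "iptables -F" the original ran first is not needed; it only opened a
	# window with no rules at all if the restore then failed.
	if ! /sbin/iptables-restore < "$rules"; then
		echo "firewall_setup(): iptables-restore rejected $rules; boot hook not installed" >&2
		return 1
	fi

	# reload the same file before interfaces come up on boot
	cat > "$hook" <<'EOF'
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
EOF
	chmod +x "$hook"
}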

function virtualhost_logrotate {
	# Installs /etc/logrotate.d/virtual-hosts: weekly rotation, four generations
	# kept, compressed one cycle late, for every log under /srv/www/*/logs/.
	# Rotated files are recreated 640 root:adm and Apache is reloaded once
	# (sharedscripts) if its pid file exists.
	# Courtesy of Jered:
	# http://articles.slicehost.com/2010/6/30/understanding-logrotate-on-ubuntu-part-2
	local conf=/etc/logrotate.d/virtual-hosts

	# quoted delimiter: the backticks and ${APACHE_PID_FILE:-...} below belong
	# to logrotate's postrotate shell, not to this script
	cat > "$conf" <<'EOF'
/srv/www/*/logs/*.log {
    weekly
    missingok
    rotate 4
    compress
    delaycompress
    notifempty
    create 640 root adm
    sharedscripts
    postrotate
        if [ -f "`. /etc/apache2/envvars ; echo ${APACHE_PID_FILE:-/var/run/apache2.pid}`" ]; then
            /etc/init.d/apache2 reload > /dev/null
        fi
    endscript
}
EOF

	touch /tmp/restart-apache2
}

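function fail2ban_setup {
	# Installs fail2ban and enables the apache-auth and apache-overflows jails
	# against both the stock Apache error logs and the per-vhost logs under
	# /srv/www/*/logs/.
	# $1 - optional - space-separated extra IPs/CIDRs fail2ban must never ban
	#      (your own admin address). Loopback is always whitelisted.
	#      NOTE(review): the original hard-coded 166.70.210.180 here. That was
	#      the author's address; baking it into every deployment exempted an
	#      unrelated third party from banning, so it is no longer a default.
	# Appends the jail status to /tmp/ss-log for the StackScript log.
	# Returns aptitude's status if the install fails.
	local ignore="127.0.0.1/8${1:+ $1}"
	local jail=/etc/fail2ban/jail.local

	aptitude -y install fail2ban || return $?

	cat > "$jail" <<EOF
[DEFAULT]
ignoreip = ${ignore}
[apache]
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
           /srv/www/*/logs/error.log
maxretry = 6

[apache-overflows]
enabled  = true
port     = http,https
filter   = apache-overflows
logpath  = /var/log/apache*/*error.log
           /srv/www/*/logs/error.log
maxretry = 2
EOF

	fail2ban-client reload
	{
		echo "----------------"
		fail2ban-client status
		echo "----------------"
	} >> /tmp/ss-log
}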

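function upgrade_apc {
	# Replaces the distro php-apc with the current APC from PECL, compiled
	# locally. The Debian/Ubuntu package lags upstream, hence the source build.
	# Appends the resulting pecl package list to /tmp/ss-log and flags Apache
	# for restart. Returns early (non-zero) if the toolchain install or the
	# pecl build fails, instead of restarting Apache against a half-built ext.
	# NOTE(review): nothing here pins an APC version or verifies what pecl
	# downloads; pin a release or vendor the tarball if supply-chain
	# integrity matters for this host.
	aptitude -y install apache2-dev php5-dev php-pear make || return $?

	# pecl prompts for build options; a single empty line accepts the defaults
	printf "\n" | pecl upgrade apc || return $?
	pecl list >> /tmp/ss-log
	touch /tmp/restart-apache2
}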

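function set_hostname {
	# Sets the system hostname and, when a domain is given, rewrites /etc/hosts
	# so the FQDN resolves to the primary IP.
	# $1 - required - short hostname of the server
	# $2 - optional - domain; when set, /etc/hosts gets "<ip> <host>.<domain> <host>"
	# Uses system_primary_ip from the StackScript Bash Library (only when $2 is set).
	# Returns 1 on a missing or unsafe argument, before touching anything.
	local host="$1" domain="$2" sysip
	# Both values are spliced into sed programs and into /etc/hosts below, so
	# only DNS-safe names are accepted: anything with spaces, ';', '/', or a
	# newline would be injected into the sed script or the hosts file.
	local name_re='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'

	if [ -z "$host" ]; then
		echo "set_hostname() requires the hostname as the first argument" >&2
		return 1
	fi
	if ! [[ "$host" =~ $name_re ]]; then
		echo "set_hostname(): '$host' is not a valid hostname" >&2
		return 1
	fi
	if [ -n "$domain" ] && ! [[ "$domain" =~ $name_re ]]; then
		echo "set_hostname(): '$domain' is not a valid domain" >&2
		return 1
	fi

	echo "$host" > /etc/hostname
	hostname -F /etc/hostname

	if [ -n "$domain" ]; then
		sysip=$(system_primary_ip)
		# drop the distro placeholder line, reset the loopback entry, then add
		# the FQDN right after it. GNU sed one-liner form of c/a; \t becomes a tab.
		sed -i '/ubuntu/d' /etc/hosts
		sed -i "/127.0.0.1/c 127.0.0.1\tlocalhost.localdomain\tlocalhost" /etc/hosts
		sed -i "/localhost.localdomain/a $sysip\t$host.$domain\t$host" /etc/hosts
	fi
}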

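function postfix_install_hostname_support {
	# Installs postfix listening on loopback only (no SMTP reachable from the
	# network) with local delivery enabled, and names it after the given host.
	# $1 - required - short hostname of the server
	# $2 - required - domain to masquerade; myhostname becomes $1.$2
	# Returns 1 if either argument is missing or not a DNS-safe name. The
	# original did not check them, so a missing $2 silently produced
	# "myhostname = host." in main.cf.
	local host="$1" domain="$2"
	# Both values are written verbatim into main.cf via postconf -e; a stray
	# newline or space would inject extra directives, so reject anything that
	# is not a plain hostname/domain.
	local name_re='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'

	if ! [[ "$host" =~ $name_re ]] || ! [[ "$domain" =~ $name_re ]]; then
		echo "postfix_install_hostname_support() requires a valid hostname and domain" >&2
		return 1
	fi

	# preseed debconf so the install is non-interactive
	echo "postfix postfix/main_mailer_type select Internet Site" | debconf-set-selections
	echo "postfix postfix/mailname string localhost" | debconf-set-selections
	echo "postfix postfix/destinations string localhost.localdomain, localhost" | debconf-set-selections
	aptitude -y install postfix || return $?

	# bind to loopback interfaces only: this host sends its own mail, it is not an MX
	/usr/sbin/postconf -e "inet_interfaces = loopback-only"
	# kept from the original: uncomment to refuse local delivery altogether
	#/usr/sbin/postconf -e "local_transport = error:local delivery is disabled"

	/usr/sbin/postconf -e "myhostname = $host.$domain"
	/usr/sbin/postconf -e "masquerade_domains = $domain"
	/usr/sbin/postconf -e "mydestination = localhost.localdomain, localhost, $host.$domain, localhost.$domain"

	touch /tmp/restart-postfix
}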