├── LICENSE.md ├── README.md ├── group_vars └── all │ └── main.yml ├── hosts ├── main.yml └── roles ├── install-cloudflare ├── defaults │ └── main.yml ├── files │ └── cloudflare_setup.sh └── tasks │ ├── install.yml │ └── main.yml ├── install-cloudlinux-alt-packages ├── defaults │ └── main.yml └── tasks │ ├── install.yml │ └── main.yml ├── install-cloudlinux-cagefs ├── defaults │ └── main.yml ├── files │ └── cagefs │ │ ├── cagefs.mp │ │ └── conf.d │ │ ├── composer.cfg │ │ ├── django.cfg │ │ └── ruby.cfg ├── handlers │ └── main.yml └── tasks │ ├── install.yml │ └── main.yml ├── install-cloudlinux ├── defaults │ └── main.yml └── tasks │ ├── install.yml │ └── main.yml ├── install-configserver-cmc ├── defaults │ └── main.yml └── tasks │ ├── install.yml │ └── main.yml ├── install-configserver-cmm ├── defaults │ └── main.yml └── tasks │ ├── install.yml │ └── main.yml ├── install-configserver-cmq ├── defaults │ └── main.yml └── tasks │ ├── install.yml │ └── main.yml ├── install-configserver-cse ├── defaults │ └── main.yml └── tasks │ ├── install.yml │ └── main.yml ├── install-configserver-csf ├── defaults │ └── main.yml ├── files │ ├── csf.allow │ ├── csf.conf │ └── csf.conf_openvz ├── handlers │ └── main.yml └── tasks │ ├── install.yml │ └── main.yml ├── install-configserver-cxs ├── defaults │ └── main.yml └── tasks │ ├── install.yml │ └── main.yml ├── install-cpanel ├── defaults │ └── main.yml ├── files │ ├── cpanel.config │ ├── cpanel.config_ea3 │ ├── features │ │ └── default │ └── pure-ftpd.conf ├── handlers │ └── main.yml ├── tasks │ ├── files.yml │ ├── folders.yml │ ├── install.yml │ ├── main.yml │ ├── os.yml │ ├── post-install.yml │ └── yum.yml └── templates │ ├── etc │ ├── cpanelacctrestore.j2 │ └── wwwacct.conf.j2 │ └── var │ └── cpanel │ ├── cpanel.config.j2 │ └── maxemailsperhour.j2 ├── install-imunify ├── defaults │ └── main.yml └── tasks │ ├── install.yml │ └── main.yml ├── install-kernelcare ├── defaults │ └── main.yml └── tasks │ ├── install.yml │ └── 
main.yml ├── install-letsencrypt ├── defaults │ └── main.yml ├── files │ ├── letsencrypt-cpanel.licence │ └── letsencrypt.repo └── tasks │ ├── install.yml │ └── main.yml ├── install-sitepad ├── defaults │ └── main.yml ├── tasks │ ├── install.yml │ └── main.yml └── templates │ └── universal.php.j2 ├── install-softaculous ├── defaults │ └── main.yml └── tasks │ ├── install.yml │ └── main.yml └── install-spamexperts └── tasks └── main.yml /LICENSE.md: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2016 Lithium Hosting 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## cPanel Server Setup Playbook 2 | 3 | Ansible Playbook for setting up cPanel/CoudLinux Server. 
Compatible with CentOS 6 and 7. Works with physical servers, KVM, and OpenVZ Containers. 4 | 5 | Included Roles: 6 | 7 | - **install-cpanel** Installs the latest cPanel version. Requires a License but defaults to Trial mode. 8 | - **install-cloudlinux** Converts a cPanel server to CloudLinux. Requires an IP or Key license or the install will fail. 9 | - **install-cloudlinux-cagefs** Installs and initiates CageFS 10 | - **install-cloudlinux-alt-packages** Installs all CloudLinux ALT packages including PHP, Ruby, and Python 11 | - **install-configserver-csf** Installs CSF and uploads the firewall configuration and allowed IPs. Can handle OpenVZ containers. 12 | - **install-configserver-cmc** 13 | - **install-configserver-cmm** 14 | - **install-configserver-cmq** 15 | - **install-configserver-cse** 16 | - **install-configserver-cxs** Installs ConfigServer eXploit Scanner 17 | - **install-softaculous** Installs Softaculous cPanel Plugin 18 | - **install-cloudflare** Installs CloudFlare cPanel Plugin 19 | - **install-letsencrypt** Installs Let's Encrypt cPanel Plugin 20 | - **install-spamexperts** Installs SpamExperts cPanel Plugin 21 | - **install-imunify** Installs Imunify360. Requires a Key License 22 | - **install-sitepad** Installs and configures SitePad Website Builder 23 | 24 | ## Variables & Settings: 25 | 26 | ### General Variables 27 | 28 | - `control_panel: 'cPanel'` (default: cPanel) Sanity check, only effective when using Tower/AWX Workflows. 29 | - `is_openvz: false` (default: false) Change to true if the target server is an OpenVZ Container 30 | 31 | ### CloudLinux Variables 32 | 33 | - `cloudlinux_key: ` (default: *Blank*) Change to use a CloudLinux key-based license. 34 | 35 | 36 | ### Imunify360 Variables 37 | 38 | - `imunify_key: ` (default: *Blank*) Change to use an Imunify360 key-based license. 39 | 40 | 41 | ### Plugin Variables 42 | 43 | Changing any of the settings below to `true` ensures the corresponding packages are installed.
44 | 45 | - `install_csf: true` (default: true) 46 | - `install_cmc: true` (default: true) 47 | - `install_cmm: true` (default: true) 48 | - `install_cmq: true` (default: true) 49 | - `install_cse: true` (default: true) 50 | - `install_cxs: false` (default: false) 51 | - `install_softaculous: false` (default: false) 52 | - `install_cloudflare: false` (default: false) 53 | - `install_cloudlinux: false` (default: false) 54 | - `install_kernelcare: true` (default: true) 55 | - `install_cloudlinux_cagefs: false` (default: false) 56 | - `install_cloudlinux_alt: false` (default: false) 57 | - `install_letsencrypt: false` (default: false) 58 | - `install_spamexperts: false` (default: false) 59 | - `install_imunify: false` (default: false) 60 | - `install_sitepad: false` (default: false) 61 | 62 | ### cPanel Settings 63 | 64 | - `cron_email_address: admin@yourdomain.ly` (default: *admin@yourdomain.ly*) 65 | - `cpanel_email_address: admin@yourdomain.ly` (default: *admin@yourdomain.ly*) 66 | - `alerts_email_address: admin@yourdomain.ly` (default: *admin@yourdomain.ly*) 67 | - `cpanel_contact_pager: admin@yourdomain.ly` (default: *admin@yourdomain.ly*) 68 | - `nameserver_primary: ns1.yourdomain.com` 69 | - `nameserver_secondary: ns2.yourdomain.com` 70 | 71 | 72 | ### Cloudflare Settings 73 | 74 | - `cloudflare_company: ` (default: *Blank*) Required to install the CloudFlare Plugin 75 | - `cloudflare_mode: extended` (default: *extended*) 76 | - `cloudflare_key: ` (default: *Blank*) Required to install the CloudFlare Plugin 77 | 78 | ## License 79 | This Ansible playbook is licensed under the MIT license; you can find a full copy of the license itself in the file /LICENSE.md 80 | 81 | This playbook is largely based on [Lithium Hosting - Ansible cPanel Bootstrap](https://github.com/LithiumHosting/ansible-cpanel-bootstrap) -------------------------------------------------------------------------------- /group_vars/all/main.yml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # cPanel Variables File 3 | 4 | control_panel: 'cPanel' 5 | is_openvz: 'false' 6 | 7 | # 8 | # CloudLinux 9 | # 10 | cloudlinux_key: 11 | 12 | # 13 | # Imunify360 14 | # 15 | imunify_key: 16 | 17 | # 18 | # Plugin Settings 19 | # 20 | 21 | install_csf: 'true' 22 | install_cmc: 'true' 23 | install_cmm: 'true' 24 | install_cmq: 'true' 25 | install_cse: 'true' 26 | install_cxs: 'false' 27 | 28 | install_softaculous: 'false' 29 | install_cloudflare: 'false' 30 | 31 | install_cloudlinux: 'false' 32 | install_kernelcare: 'true' 33 | install_cloudlinux_cagefs: 'false' 34 | install_cloudlinux_alt: 'false' 35 | install_letsencrypt: 'false' 36 | install_spamexperts: 'false' 37 | install_imunify: 'false' 38 | install_sitepad: 'false' 39 | 40 | # ########################## 41 | # #### cPanel Settings ##### 42 | # ########################## 43 | 44 | cron_email_address: admin@yoursite.ly 45 | cpanel_email_address: admin@yoursite.ly 46 | alerts_email_address: admin@yoursite.ly 47 | cpanel_contact_pager: admin@yoursite.ly 48 | 49 | nameserver_primary: ns1.yourdomain.com 50 | nameserver_secondary: ns2.yourdomain.com 51 | 52 | # 53 | # Cloudflare 54 | # 55 | 56 | cloudflare_company: 57 | cloudflare_mode: extended 58 | cloudflare_key: -------------------------------------------------------------------------------- /hosts: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: cPanel Server Setup Playbook 3 | hosts: all 4 | become: true 5 | 6 | pre_tasks: 7 | - name: Sanity Check | Fail if the Operating System is not supported 8 | fail: 9 | msg: "cPanel installation is supported only on CentOS 6/7" 10 | when: ansible_os_family != 'RedHat' 11 | 12 | roles: 13 | - { role: 
install-cpanel, tags: [cpanel] } 14 | - { role: install-cloudlinux, tags: [cloudlinux], when: install_cloudlinux == 'true' } 15 | - { role: install-cloudlinux-cagefs, tags: [cloudlinux], when: install_cloudlinux == 'true' and install_cloudlinux_cagefs == 'true' } 16 | - { role: install-cloudlinux-alt-packages, tags: [cloudlinux], when: install_cloudlinux == 'true' and install_cloudlinux_alt == 'true' } 17 | - { role: install-kernelcare, tags: [kernelcare], when: install_kernelcare == 'true' } 18 | - { role: install-configserver-csf, tags: [csf], when: install_csf == 'true' } 19 | - { role: install-configserver-cmc, tags: [cmc], when: install_cmc == 'true' } 20 | - { role: install-configserver-cmm, tags: [cmm], when: install_cmm == 'true' } 21 | - { role: install-configserver-cmq, tags: [cmq], when: install_cmq == 'true' } 22 | - { role: install-configserver-cse, tags: [cse], when: install_cse == 'true' } 23 | - { role: install-configserver-cxs, tags: [cxs], when: install_cxs == 'true' } 24 | - { role: install-softaculous, tags: [softaculous], when: install_softaculous == 'true' } 25 | - { role: install-cloudflare, tags: [cloudflare], when: install_cloudflare == 'true' } 26 | - { role: install-letsencrypt, tags: [letsencrypt], when: install_letsencrypt == 'true' } 27 | - { role: install-spamexperts, tags: [spamexperts], when: install_spamexperts == 'true' } 28 | - { role: install-imunify, tags: [imunify], when: install_imunify == 'true' } 29 | - { role: install-sitepad, tags: [sitepad], when: install_sitepad == 'true' } 30 | -------------------------------------------------------------------------------- /roles/install-cloudflare/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | install_cloudflare: 'false' 3 | -------------------------------------------------------------------------------- /roles/install-cloudflare/files/cloudflare_setup.sh: 
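--------------------------------------------------------------------------------
#!/bin/bash
# Build and enable mod_cloudflare for the cPanel-managed Apache, then
# re-distill the Apache configuration so EasyApache keeps the module.
# Invoked as root by roles/install-cloudflare/tasks/install.yml.
#
# Abort on the first failed command: a failed `cd` or download must not
# fall through to `apxs`, which would otherwise compile whatever (if
# anything) happens to be lying in /usr/local/src.
set -euo pipefail

SRC_DIR=/usr/local/src
MOD_SRC_URL=https://github.com/cloudflare/mod_cloudflare/raw/master/mod_cloudflare.c
# Optional integrity check: export MOD_CLOUDFLARE_SHA256 with the expected
# digest of mod_cloudflare.c and the download is verified before it is
# compiled. Leaving it unset keeps the previous (unverified) behaviour.
MOD_CLOUDFLARE_SHA256="${MOD_CLOUDFLARE_SHA256:-}"

echo "Grabbing Files"
cd "$SRC_DIR"
# TLS certificate verification is deliberately left on (the old
# --no-check-certificate is gone): this file is compiled and loaded into
# Apache as root, so a tampered download would go straight into the web server.
wget -O mod_cloudflare.c "$MOD_SRC_URL"
if [ -n "$MOD_CLOUDFLARE_SHA256" ]; then
    echo "${MOD_CLOUDFLARE_SHA256}  mod_cloudflare.c" | sha256sum -c -
fi

echo "Installing Cloudflare Module"
apxs -a -i -c mod_cloudflare.c

echo "Restarting Apache"
service httpd restart

echo "Distilling Apache Config for EasyApache"
/usr/local/cpanel/bin/apache_conf_distiller --update

echo "Done with Cloudflare Module Install - Goodbye"
exit 0
--------------------------------------------------------------------------------
/roles/install-cloudflare/tasks/install.yml:
--------------------------------------------------------------------------------
---
# Installs the mod_cloudflare Apache module and the CloudFlare cPanel plugin.
# Included from main.yml only when the plugin is not yet installed and
# install_cloudflare == 'true'.

# The README lists both values as required; fail up front instead of passing
# an empty key/company name to the plugin installer.
- name: Refuse to run without the CloudFlare credentials the plugin installer needs
  assert:
    that:
      - (cloudflare_key | default('', true)) | length > 0
      - (cloudflare_company | default('', true)) | length > 0
    msg: "cloudflare_key and cloudflare_company must be set (see README, Cloudflare Settings)"
  tags: install_cloudflare

- name: Copy cloudflare apache module install script
  copy:
    src: cloudflare_setup.sh
    dest: /usr/src/cloudflare_setup.sh
    owner: root
    group: root
    mode: 0755
  tags: install_cloudflare

# Not idempotent on its own: the script rebuilds and reloads the module on
# every run. It is only reached when main.yml has found the plugin absent.
- name: Cloudflare Apache Module Setup
  command: /bin/bash /usr/src/cloudflare_setup.sh
  args:
    chdir: /usr/src/
  tags: install_cloudflare

# Fetch the plugin installer to disk instead of piping `curl -s` into bash:
# a failed or truncated download is then an Ansible error rather than an
# executed error page, and a `checksum:` can be added here once one is pinned.
- name: Download CloudFlare cPanel plugin installer
  get_url:
    url: https://raw.githubusercontent.com/cloudflare/CloudFlare-CPanel/master/cloudflare.install.sh
    dest: /usr/src/cloudflare.install.sh
    owner: root
    group: root
    mode: 0700
    force: yes
  tags: install_cloudflare

- name: Install CloudFlare cPanel Plugin
  command: /bin/bash /usr/src/cloudflare.install.sh -k "{{ cloudflare_key }}" -n "{{ cloudflare_company }}"
  args:
    chdir: /usr/src
    creates: /usr/local/cpanel/etc/cloudflare.json
  # The API key is on the command line; keep it out of the Ansible log.
  no_log: true
  tags: install_cloudflare
--------------------------------------------------------------------------------
/roles/install-cloudflare/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Check if CloudFlare cPanel plugin is installed 3 | stat: 4 | path: /usr/local/cpanel/etc/cloudflare.json 5 | register: cloudflare_check 6 | changed_when: false 7 | check_mode: no 8 | tags: always 9 | 10 | - name: Create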
cloudflare_installed variable. 11 | set_fact: 12 | cloudflare_installed: "{{ cloudflare_check.stat.exists|bool }}" 13 | check_mode: no 14 | tags: always 15 | 16 | - name: Include the CloudFlare Installer Task 17 | include_tasks: install.yml 18 | when: cloudflare_installed != true and (install_cloudflare is defined and install_cloudflare == 'true') 19 | -------------------------------------------------------------------------------- /roles/install-cloudlinux-alt-packages/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | install_cloudlinux_alt: 'true' 3 | -------------------------------------------------------------------------------- /roles/install-cloudlinux-alt-packages/tasks/install.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Remove packages 3 | yum: 4 | name: "{{ item }}" 5 | state: removed 6 | with_items: 7 | - git 8 | tags: cloudlinux_alt 9 | 10 | - name: Ensure CloudLinux Alt-Packages Installed and updated 11 | yum: 12 | name: "{{ item }}" 13 | state: installed 14 | update_cache: yes 15 | enablerepo: "cloudlinux-{{ ansible_architecture }}-server-{{ ansible_distribution_major_version }}" 16 | with_items: 17 | - "@alt-php" 18 | - alt-python-virtualenv 19 | - alt-mod-passenger 20 | - "@alt-python" 21 | - "@alt-ruby" 22 | - alt-python27-devel 23 | - lve-stats 24 | tags: cloudlinux_alt 25 | 26 | - name: Maintain Aliases for 3rd party git in /etc/bashrc 27 | lineinfile: 28 | dest: /etc/bashrc 29 | regexp: "{{ item.regexp }}" 30 | line: "{{ item.line }}" 31 | state: present 32 | with_items: 33 | - { regexp: 'alias git=', line: 'alias git="/usr/local/cpanel/3rdparty/bin/git"' } 34 | - { regexp: 'alias git-cvsserver=', line: 'alias git-cvsserver="/usr/local/cpanel/3rdparty/bin/git-cvsserver"' } 35 | - { regexp: 'alias gitk=', line: 'alias gitk="/usr/local/cpanel/3rdparty/bin/gitk"' } 36 | - { regexp: 'alias git-receive-pack=', line: 'alias 
git-receive-pack="/usr/local/cpanel/3rdparty/bin/git-receive-pack"' } 37 | - { regexp: 'alias git-shell=', line: 'alias git-shell="/usr/local/cpanel/3rdparty/bin/git-shell"' } 38 | - { regexp: 'alias git-upload-archive=', line: 'alias git-upload-archive="/usr/local/cpanel/3rdparty/bin/git-upload-archive"' } 39 | - { regexp: 'alias git-upload-pack=', line: 'alias git-upload-pack="/usr/local/cpanel/3rdparty/bin/git-upload-pack"' } 40 | tags: cloudlinux_alt 41 | -------------------------------------------------------------------------------- /roles/install-cloudlinux-alt-packages/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include the CloudLinux Alt-Packages Installer Task 3 | include_tasks: install.yml 4 | when: cloudlinux_installed == true and (install_cloudlinux_alt is defined and install_cloudlinux_alt == 'true') 5 | -------------------------------------------------------------------------------- /roles/install-cloudlinux-cagefs/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | install_cloudlinux_cagefs: 'false' 3 | -------------------------------------------------------------------------------- /roles/install-cloudlinux-cagefs/files/cagefs/cagefs.mp: -------------------------------------------------------------------------------- 1 | # Lines, which start with "/", specify mounts, that are common for all users: 2 | /var/lib/mysql 3 | /dev/shm 4 | /var/run/postgres 5 | /dev/pts 6 | /usr/local/apache/domlogs 7 | /proc 8 | /var/run/proxyexec/cagefs.sock 9 | /opt 10 | # You can add personal (individual) mounts for users, like below. 11 | # Please, start line with "@" symbol, and then specify path and permissions (comma separated). 12 | # These directories will be virtualized for each user. 
13 | @/var/spool/cron,700 14 | @/var/run/screen,777 15 | @/var/cache/php-eaccelerator,777 16 | # Please add exclamation sign at the beginning of the line if you want to mount path read-only, like below. 17 | !/lib 18 | !/usr/lib 19 | !/lib64 20 | !/usr/lib64 21 | !/usr/include 22 | !/usr/share/locale 23 | !/usr/share/terminfo 24 | !/usr/share/zoneinfo 25 | /opt/alt 26 | #!/usr/local/lib/perl5 27 | !/usr/local/lib/php 28 | !/usr/local/cpanel/Cpanel 29 | !/usr/local/cpanel/3rdparty/perl 30 | !/usr/local/cpanel/3rdparty/lib 31 | !/usr/local/cpanel/3rdparty/share 32 | !/usr/local/cpanel/3rdparty/php 33 | !/var/run/postgres/ 34 | !/usr/share/vim 35 | /var/spool/at 36 | %/var/cpanel/userdata 37 | !/usr/local/cpanel/3rdparty/bin 38 | !/var/lib/spamassassin 39 | # next line is added by alt-mod-passenger 40 | /var/passenger 41 | !/var/run/postgres/ 42 | 43 | /usr/local/cpanel/whostmgr/docroot/cgi/softaculous 44 | -------------------------------------------------------------------------------- /roles/install-cloudlinux-cagefs/files/cagefs/conf.d/composer.cfg: -------------------------------------------------------------------------------- 1 | [COMPOSER] 2 | comment = COMPOSER 3 | paths=/usr/local/bin/composer -------------------------------------------------------------------------------- /roles/install-cloudlinux-cagefs/files/cagefs/conf.d/django.cfg: -------------------------------------------------------------------------------- 1 | [DJANGO] 2 | comment = DJANGO 3 | paths=/usr/bin/django-admin, /usr/bin/django-admin.py -------------------------------------------------------------------------------- /roles/install-cloudlinux-cagefs/files/cagefs/conf.d/ruby.cfg: -------------------------------------------------------------------------------- 1 | [ruby] 2 | comment=Ruby 3 | paths=/usr/lib/ruby,/usr/share/rails,/usr/bin/ruby,/usr/bin/rails,/usr/bin/gem,/usr/bin/rake 4 | -------------------------------------------------------------------------------- 
/roles/install-cloudlinux-cagefs/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: cagefs init 3 | command: /usr/sbin/cagefsctl --init 4 | 5 | - name: cagefs rebuild 6 | command: /usr/sbin/cagefsctl --force-update 7 | -------------------------------------------------------------------------------- /roles/install-cloudlinux-cagefs/tasks/install.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Ensure CageFS Installed and updated 3 | yum: 4 | name: cagefs 5 | state: installed 6 | update_cache: yes 7 | enablerepo: "cloudlinux-{{ ansible_architecture }}-server-{{ ansible_distribution_major_version }}" 8 | notify: cagefs init 9 | tags: cloudlinux_cagefs 10 | 11 | - name: Ensure files exist 12 | copy: 13 | src: "{{ item.src }}" 14 | dest: "{{ item.dest }}" 15 | backup: yes 16 | mode: 0600 17 | with_items: 18 | - { src: 'cagefs/cagefs.mp', dest: '/etc/cagefs/cagefs.mp' } 19 | - { src: 'cagefs/conf.d/django.cfg', dest: '/etc/cagefs/conf.d/django.cfg' } 20 | - { src: 'cagefs/conf.d/ruby.cfg', dest: '/etc/cagefs/conf.d/ruby.cfg' } 21 | - { src: 'cagefs/conf.d/composer.cfg', dest: '/etc/cagefs/conf.d/composer.cfg' } 22 | notify: cagefs rebuild 23 | tags: cloudlinux_cagefs 24 | -------------------------------------------------------------------------------- /roles/install-cloudlinux-cagefs/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include the CloudLinux CageFS Installer Task 3 | include_tasks: install.yml 4 | when: cloudlinux_installed == true and (install_cloudlinux_cagefs is defined and install_cloudlinux_cagefs == 'true') 5 | -------------------------------------------------------------------------------- /roles/install-cloudlinux/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | install_cloudlinux: 'false' 3 | 
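--------------------------------------------------------------------------------
/roles/install-cloudlinux/tasks/install.yml:
--------------------------------------------------------------------------------
---
# Converts a cPanel server to CloudLinux with cldeploy and reboots into the
# CloudLinux kernel. Included from main.yml only when /usr/bin/cldetect is
# absent and install_cloudlinux == 'true'.
#
# Licence selection: group_vars/all/main.yml declares `cloudlinux_key:` with
# no value, so the variable is always *defined*; testing `is defined` picked
# the key-based path with an empty key on every run and never reached the
# IP-licence path. Both install tasks therefore test whether the key is
# non-empty instead.

# The installer is fetched over HTTPS and then executed as root; with plain
# HTTP anyone on the network path could substitute the script.
- name: Download CloudLinux installer
  get_url:
    url: https://repo.cloudlinux.com/cloudlinux/sources/cln/cldeploy
    dest: /usr/src
    force: yes
  register: cloudlinux_downloaded
  when: cloudlinux_installed == false
  tags: install_cloudlinux

- name: Install CloudLinux - Using IP License
  command: /bin/bash /usr/src/cldeploy -i
  args:
    chdir: /usr/src
  async: 5400 # wait up to 90 minutes
  poll: 300   # check every 5 minutes
  when: (cloudlinux_key | default('', true)) | length == 0
  tags: install_cloudlinux

- name: Install CloudLinux - Using Key License
  command: /bin/bash /usr/src/cldeploy -k "{{ cloudlinux_key }}"
  args:
    chdir: /usr/src
  async: 5400 # wait up to 90 minutes
  poll: 60    # check every minute
  # The licence key is on the command line; keep it out of the Ansible log.
  no_log: true
  when: (cloudlinux_key | default('', true)) | length > 0
  tags: install_cloudlinux

# Fire-and-forget reboot (async 1 / poll 0): the SSH session dies with the
# host, which is why errors from this task are ignored. Tagged like the
# install tasks so a `--tags install_cloudlinux` run does not skip it.
- name: Reboot the server
  shell: sleep 2 && shutdown -r now "Ansible updates triggered"
  async: 1
  poll: 0
  ignore_errors: true
  tags: install_cloudlinux

# Poll from the controller until SSH answers again. ansible_host/ansible_port
# are preferred over inventory_hostname/22 so inventory aliases and
# non-default SSH ports still work; both fall back to the old values.
- name: Wait for server come back
  wait_for:
    host: "{{ ansible_host | default(inventory_hostname) }}"
    port: "{{ ansible_port | default(22) }}"
    delay: 15
    timeout: 600
  delegate_to: localhost
  become: false
  tags: install_cloudlinux

# Adds the `l` (nosymlinks) flag so the daily tmpwatch run leaves symbolic
# links alone.
- name: Fix tmpwatch cron to not delete links
  lineinfile:
    regexp: "flags=-umc"
    line: "flags=-umcl"
    dest: /etc/cron.daily/tmpwatch
  tags: install_cloudlinux
--------------------------------------------------------------------------------
/roles/install-cloudlinux/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Check if CloudLinux is installed 3 | stat: 4 | path: /usr/bin/cldetect 5 | register: cldetect_check 6 | changed_when: false 7 | check_mode: no 8 | tags: always 9 | 10 | - name: Create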
cloudlinux_installed variable. 11 | set_fact: 12 | cloudlinux_installed: "{{ cldetect_check.stat.exists|bool }}" 13 | tags: always 14 | 15 | - name: Include the CloudLinux Installer Task 16 | include_tasks: install.yml 17 | when: cloudlinux_installed != true and (install_cloudlinux is defined and install_cloudlinux == 'true') 18 | -------------------------------------------------------------------------------- /roles/install-configserver-cmc/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | install_cmc: 'false' 3 | -------------------------------------------------------------------------------- /roles/install-configserver-cmc/tasks/install.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Download CMC gzipped tarball 3 | get_url: 4 | url: https://download.configserver.com/cmc.tgz 5 | dest: /usr/src 6 | force: yes 7 | register: cmc_downloaded 8 | when: cmc_installed == false 9 | tags: configserver_cmc 10 | 11 | - name: Unarchive CMC source 12 | unarchive: 13 | src: /usr/src/cmc.tgz 14 | dest: /usr/src/ 15 | copy: no 16 | register: cmc_unarchived 17 | when: cmc_downloaded|changed and cmc_installed == false 18 | tags: configserver_cmc 19 | 20 | - name: Install CMC 21 | shell: bash /usr/src/cmc/install.sh 22 | args: 23 | chdir: /usr/src/cmc 24 | creates: /usr/local/cpanel/whostmgr/docroot/cgi/configserver/cmc/cmc.conf 25 | when: cmc_unarchived|changed and cmc_installed == false 26 | register: cmc_install_completed 27 | tags: configserver_cmc 28 | 29 | -------------------------------------------------------------------------------- /roles/install-configserver-cmc/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Check if CMC is installed 3 | stat: 4 | path: /usr/local/cpanel/whostmgr/docroot/cgi/configserver/cmc/cmc.conf 5 | register: cmc_check 6 | changed_when: false 7 | check_mode: no 8 
| tags: always 9 | 10 | - name: Create cmc_installed variable. 11 | set_fact: 12 | cmc_installed: "{{ cmc_check.stat.exists|bool }}" 13 | check_mode: no 14 | tags: always 15 | 16 | - name: Include the CMC Installer Task 17 | include_tasks: install.yml 18 | when: cmc_installed != true and (install_cmc is defined and install_cmc == 'true') 19 | 20 | -------------------------------------------------------------------------------- /roles/install-configserver-cmm/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | install_cmm: 'false' 3 | -------------------------------------------------------------------------------- /roles/install-configserver-cmm/tasks/install.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Download CMM gzipped tarball 3 | get_url: 4 | url: https://download.configserver.com/cmm.tgz 5 | dest: /usr/src 6 | force: yes 7 | register: cmm_downloaded 8 | when: cmm_installed == false 9 | tags: configserver_cmm 10 | 11 | - name: Unarchive CMM source 12 | unarchive: 13 | src: /usr/src/cmm.tgz 14 | dest: /usr/src/ 15 | copy: no 16 | register: cmm_unarchived 17 | when: cmm_downloaded|changed and cmm_installed == false 18 | tags: configserver_cmm 19 | 20 | - name: Install CMM 21 | shell: bash /usr/src/cmm/install.sh 22 | args: 23 | chdir: /usr/src/cmm 24 | creates: /usr/local/cpanel/whostmgr/docroot/cgi/configserver/cmm/cmm.conf 25 | when: cmm_unarchived|changed and cmm_installed == false 26 | register: cmm_install_completed 27 | tags: configserver_cmm -------------------------------------------------------------------------------- /roles/install-configserver-cmm/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Check if CMM is installed 3 | stat: 4 | path: /usr/local/cpanel/whostmgr/docroot/cgi/configserver/cmm/cmm.conf 5 | register: cmm_check 6 | changed_when: false 7 | 
check_mode: no 8 | tags: always 9 | 10 | - name: Create cmm_installed variable. 11 | set_fact: 12 | cmm_installed: "{{ cmm_check.stat.exists|bool }}" 13 | check_mode: no 14 | tags: always 15 | 16 | - name: Include the CMM Installer Task 17 | include_tasks: install.yml 18 | when: cmm_installed != true and (install_cmm is defined and install_cmm == 'true') 19 | 20 | -------------------------------------------------------------------------------- /roles/install-configserver-cmq/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | install_cmq: 'false' 3 | -------------------------------------------------------------------------------- /roles/install-configserver-cmq/tasks/install.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Download CMQ gzipped tarball 3 | get_url: 4 | url: https://download.configserver.com/cmq.tgz 5 | dest: /usr/src 6 | force: yes 7 | register: cmq_downloaded 8 | when: cmq_installed == false 9 | tags: configserver_cmq 10 | 11 | - name: Unarchive CMQ source 12 | unarchive: 13 | src: /usr/src/cmq.tgz 14 | dest: /usr/src/ 15 | copy: no 16 | register: cmq_unarchived 17 | when: cmq_downloaded|changed and cmq_installed == false 18 | tags: configserver_cmq 19 | 20 | - name: Install CMQ 21 | shell: bash /usr/src/cmq/install.sh 22 | args: 23 | chdir: /usr/src/cmq 24 | creates: /usr/local/cpanel/whostmgr/docroot/cgi/configserver/cmq/cmq.conf 25 | when: cmq_unarchived|changed and cmq_installed == false 26 | register: cmq_install_completed 27 | tags: configserver_cmq 28 | -------------------------------------------------------------------------------- /roles/install-configserver-cmq/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Check if CMQ is installed 3 | stat: 4 | path: /usr/local/cpanel/whostmgr/docroot/cgi/configserver/cmq/cmq.conf 5 | register: cmq_check 6 | 
changed_when: false 7 | check_mode: no 8 | tags: always 9 | 10 | - name: Create cmq_installed variable. 11 | set_fact: 12 | cmq_installed: "{{ cmq_check.stat.exists|bool }}" 13 | check_mode: no 14 | tags: always 15 | 16 | - name: Include the CMQ Installer Task 17 | include_tasks: install.yml 18 | when: cmq_installed != true and (install_cmq is defined and install_cmq == 'true') 19 | -------------------------------------------------------------------------------- /roles/install-configserver-cse/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | install_cse: 'false' -------------------------------------------------------------------------------- /roles/install-configserver-cse/tasks/install.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Download CSE gzipped tarball 3 | get_url: 4 | url: https://download.configserver.com/cse.tgz 5 | dest: /usr/src 6 | force: yes 7 | register: cse_downloaded 8 | when: cse_installed == false 9 | tags: configserver_cse 10 | 11 | - name: Unarchive CSE source 12 | unarchive: 13 | src: /usr/src/cse.tgz 14 | dest: /usr/src/ 15 | copy: no 16 | register: cse_unarchived 17 | when: cse_downloaded|changed and cse_installed == false 18 | tags: configserver_cse 19 | 20 | - name: Install CSE 21 | shell: bash /usr/src/cse/install.sh 22 | args: 23 | chdir: /usr/src/cse 24 | creates: /usr/local/cpanel/whostmgr/docroot/cgi/configserver/cse/cse.conf 25 | when: cse_unarchived|changed and cse_installed == false 26 | register: cse_install_completed 27 | tags: configserver_cse 28 | -------------------------------------------------------------------------------- /roles/install-configserver-cse/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Check if CSE is installed 3 | stat: 4 | path: /usr/local/cpanel/whostmgr/docroot/cgi/configserver/cse/cse.conf 5 | register: cse_check 
6 | changed_when: false 7 | check_mode: no 8 | tags: always 9 | 10 | - name: Create cse_installed variable. 11 | set_fact: 12 | cse_installed: "{{ cse_check.stat.exists|bool }}" 13 | check_mode: no 14 | tags: always 15 | 16 | - name: Include the CSE Installer Task 17 | include_tasks: install.yml 18 | when: cse_installed != true and (install_cse is defined and install_cse == 'true') 19 | -------------------------------------------------------------------------------- /roles/install-configserver-csf/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | install_csf: 'false' 3 | -------------------------------------------------------------------------------- /roles/install-configserver-csf/files/csf.allow: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Copyright 2006-2016, Way to the Web Limited 3 | # URL: http://www.configserver.com 4 | # Email: sales@waytotheweb.com 5 | ############################################################################### 6 | # The following IP addresses will be allowed through iptables. 7 | # One IP address per line. 8 | # CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24). 9 | # Only list IP addresses, not domain names (they will be ignored) 10 | # 11 | # Advanced port+ip filtering allowed with the following format 12 | # tcp/udp|in/out|s/d=port|s/d=ip 13 | # See readme.txt for more information 14 | # 15 | # Note: IP addressess listed in this file will NOT be ignored by lfd, so they 16 | # can still be blocked. 
If you do not want lfd to block an IP address you must 17 | # add it to csf.ignore 18 | 19 | Include /etc/csf/cpanel.comodo.allow 20 | -------------------------------------------------------------------------------- /roles/install-configserver-csf/files/csf.conf: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # SECTION:Initial Settings 3 | ############################################################################### 4 | # Testing flag - enables a CRON job that clears iptables in case of 5 | # configuration problems when you start csf. This should be enabled until you 6 | # are sure that the firewall works - i.e. in case you get locked out of your 7 | # server! Then do remember to set it to 0 and restart csf when you're sure 8 | # everything is OK. Stopping csf will remove the line from /etc/crontab 9 | # 10 | # lfd will not start while this is enabled 11 | TESTING = "0" 12 | 13 | # The interval for the crontab in minutes. Since this uses the system clock the 14 | # CRON job will run at the interval past the hour and not from when you issue 15 | # the start command. Therefore an interval of 5 minutes means the firewall 16 | # will be cleared in 0-5 minutes from the firewall start 17 | TESTING_INTERVAL = "5" 18 | 19 | # SECURITY WARNING 20 | # ================ 21 | # 22 | # Unfortunately, syslog and rsyslog allow end-users to log messages to some 23 | # system logs via the same unix socket that other local services use. This 24 | # means that any log line shown in these system logs that syslog or rsyslog 25 | # maintain can be spoofed (they are exactly the same as real log lines). 26 | # 27 | # Since some of the features of lfd rely on such log lines, spoofed messages 28 | # can cause false-positive matches which can lead to confusion at best, or 29 | # blocking of any innocent IP address or making the server inaccessible at 30 | # worst. 
31 | # 32 | # Any option that relies on the log entries in the files listed in 33 | # /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered 34 | # vulnerable to exploitation by end-users and scripts run by end-users. 35 | # 36 | # NOTE: Not all log files are affected as they may not use syslog/rsyslog 37 | # 38 | # The option RESTRICT_SYSLOG disables all these features that rely on affected 39 | # logs. These options are: 40 | # LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT 41 | # LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP 42 | # LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT 43 | # PORTKNOCKING_ALERT 44 | # 45 | # This list of options use the logs but are not disabled by RESTRICT_SYSLOG: 46 | # ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG 47 | # 48 | # The following options are still enabled by default on new installations so 49 | # that, on balance, csf/lfd still provides expected levels of security: 50 | # LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT 51 | # 52 | # If you set RESTRICT_SYSLOG to "0" or "2" and enable any of the options listed 53 | # above, it should be done with the knowledge that any of those options 54 | # that are enabled could be triggered by spoofed log lines and lead to the 55 | # server being inaccessible in the worst case. If you do not want to take that 56 | # risk you should set RESTRICT_SYSLOG to "1" and those features will not work 57 | # but you will not be protected from the exploits that they normally help block 58 | # 59 | # The recommended setting for RESTRICT_SYSLOG is "3" to restrict who can access 60 | # the syslog/rsyslog unix socket. 
61 | # 62 | # For further advice on how to help mitigate these issues, see 63 | # /etc/csf/readme.txt 64 | # 65 | # 0 = Allow those options listed above to be used and configured 66 | # 1 = Disable all the options listed above and prevent them from being used 67 | # 2 = Disable only alerts about this feature and do nothing else 68 | # 3 = Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP ** RECOMMENDED ** 69 | RESTRICT_SYSLOG = "0" 70 | 71 | # The following setting is used if RESTRICT_SYSLOG is set to 3. It restricts 72 | # write access to the syslog/rsyslog unix socket(s). The group must not already 73 | # exist in /etc/group before setting RESTRICT_SYSLOG to 3, so set the option 74 | # to a unique name for the server 75 | # 76 | # You can add users to this group by changing /etc/csf/csf.syslogusers and then 77 | # restarting lfd afterwards. This will create the system group and add the 78 | # users from csf.syslogusers if they exist to that group and will change the 79 | # permissions on the syslog/rsyslog unix socket(s). The socket(s) will be 80 | # monitored and the permissions re-applied should syslog/rsyslog be restarted 81 | # 82 | # Using this option will prevent some legitimate logging, e.g. end-user cron 83 | # job logs 84 | # 85 | # If you want to revert RESTRICT_SYSLOG to another option and disable this 86 | # feature, change the setting of RESTRICT_SYSLOG and then restart lfd and then 87 | # syslog/rsyslog and the unix sockets will be reset 88 | RESTRICT_SYSLOG_GROUP = "mysyslog" 89 | 90 | # This option restricts the ability to modify settings within this file from 91 | # the csf UI. Should the parent control panel be compromised, these restricted 92 | # options could be used to further compromise the server. 
For this reason we 93 | # recommend leaving this option set to at least "1" and if any of the 94 | # restricted items need to be changed, they are done so from the root shell 95 | # 96 | # 0 = Unrestricted UI 97 | # 1 = Restricted UI 98 | # 2 = Disabled UI 99 | RESTRICT_UI = "1" 100 | 101 | # Enabling auto updates creates a cron job called /etc/cron.d/csf_update which 102 | # runs once per day to see if there is an update to csf+lfd and upgrades if 103 | # available and restarts csf and lfd 104 | # 105 | # You should check for new version announcements at http://blog.configserver.com 106 | AUTO_UPDATES = "1" 107 | 108 | ############################################################################### 109 | # SECTION:IPv4 Port Settings 110 | ############################################################################### 111 | # Lists of ports in the following comma separated lists can be added using a 112 | # colon (e.g. 30000:35000). 113 | 114 | # Some kernel/iptables setups do not perform stateful connection tracking 115 | # correctly (typically some virtual servers or custom compiled kernels), so a 116 | # SPI firewall will not function correctly. If this happens, LF_SPI can be set 117 | # to 0 to reconfigure csf as a static firewall. 118 | # 119 | # As connection tracking will not be configured, applications that rely on it 120 | # will not function unless all outgoing ports are opened. Therefore, all 121 | # outgoing connections will be allowed once all other tests have completed. So 122 | # TCP_OUT, UDP_OUT and ICMP_OUT will not have any effect. 123 | # 124 | # If you allow incoming DNS lookups you may need to use the following 125 | # directive in the options{} section of your named.conf: 126 | # 127 | # query-source port 53; 128 | # 129 | # This will force incoming DNS traffic only through port 53 130 | # 131 | # Disabling this option will break firewall functionality that relies on 132 | # stateful packet inspection (e.g. 
DNAT, PACKET_FILTER) and makes the firewall 133 | # less secure 134 | # 135 | # This option should be set to "1" in all other circumstances 136 | LF_SPI = "1" 137 | 138 | # Allow incoming TCP ports 139 | TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,30000:50000" 140 | 141 | # Allow outgoing TCP ports 142 | TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,2087,2089,2703" 143 | 144 | # Allow incoming UDP ports 145 | UDP_IN = "20,21,53,161,5666,1311,1514" 146 | 147 | # Allow outgoing UDP ports 148 | # To allow outgoing traceroute add 33434:33523 to this list 149 | UDP_OUT = "20,21,53,113,123,873,6277,161,5666,1311,1514" 150 | 151 | # Allow incoming PING 152 | ICMP_IN = "1" 153 | 154 | # Set the per IP address incoming ICMP packet rate 155 | # To disable rate limiting set to "0" 156 | ICMP_IN_RATE = "1/s" 157 | 158 | # Allow outgoing PING 159 | ICMP_OUT = "1" 160 | 161 | # Set the per IP address outgoing ICMP packet rate (hits per second allowed), 162 | # e.g. 
"1/s" 163 | # 164 | # Recommend disabling on cPanel servers as cPanel uses ping test to determine 165 | # fastest mirrors for various functions 166 | # 167 | # To disable rate limiting set to "0" 168 | ICMP_OUT_RATE = "0" 169 | 170 | ############################################################################### 171 | # SECTION:IPv6 Port Settings 172 | ############################################################################### 173 | # IPv6: (Requires ip6tables) 174 | # 175 | # Pre v2.6.20 kernels do not perform stateful connection tracking, so a static 176 | # firewall is configured as a fallback instead if IPV6_SPI is set to 0 below 177 | # 178 | # Supported: 179 | # Temporary ACCEPT/DENY, GLOBAL_DENY, GLOBAL_ALLOW, SMTP_BLOCK, LF_PERMBLOCK, 180 | # PACKET_FILTER, WATCH_MODE, Advanced Allow/Deny Filters, RELAY_*, CLUSTER_*, 181 | # CC6_LOOKUPS, SYNFLOOD, LF_NETBLOCK 182 | # 183 | # Supported if CC6_LOOKUPS and CC_LOOKUPS are enabled 184 | # CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, CC_IGNORE, CC_ALLOW_PORTS, CC_DENY_PORTS, 185 | # CC_ALLOW_SMTPAUTH 186 | # 187 | # Supported if ip6tables >= 1.4.3: 188 | # PORTFLOOD, CONNLIMIT 189 | # 190 | # Supported if ip6tables >= 1.4.17 and perl module IO::Socket::INET6 is 191 | # installed: 192 | # MESSENGER 193 | # 194 | # Not supported: 195 | # ICMP_IN, ICMP_OUT 196 | # 197 | IPV6 = "1" 198 | 199 | # IPv6 uses icmpv6 packets very heavily. By default, csf will allow all icmpv6 200 | # traffic in the INPUT and OUTPUT chains. However, this could increase the risk 201 | # of icmpv6 attacks. 
To restrict incoming icmpv6, set to "1", though this may break some 202 | # connection types 203 | IPV6_ICMP_STRICT = "0" 204 | 205 | # Pre v2.6.20 kernel must set this option to "0" as no working state module is 206 | # present, so a static firewall is configured as a fallback 207 | # 208 | # A workaround has been added for CentOS/RedHat v5 and custom kernels that do 209 | # not support IPv6 connection tracking by opening ephemeral port range 210 | # 32768:61000. This is only applied if IPV6_SPI is not enabled. This is the 211 | # same workaround implemented by RedHat in the sample default IPv6 rules 212 | # 213 | # As connection tracking will not be configured, applications that rely on it 214 | # will not function unless all outgoing ports are opened. Therefore, all 215 | # outgoing connections will be allowed once all other tests have completed. So 216 | # TCP_OUT, UDP_OUT and ICMP_OUT will not have any effect. 217 | # 218 | # If you allow incoming ipv6 DNS lookups you may need to use the following 219 | # directive in the options{} section of your named.conf: 220 | # 221 | # query-source-v6 port 53; 222 | # 223 | # This will force ipv6 incoming DNS traffic only through port 53 224 | # 225 | # These changes are not necessary if the SPI firewall is used 226 | IPV6_SPI = "1" 227 | 228 | # Allow incoming IPv6 TCP ports 229 | TCP6_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096" 230 | 231 | # Allow outgoing IPv6 TCP ports 232 | TCP6_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703" 233 | 234 | # Allow incoming IPv6 UDP ports 235 | UDP6_IN = "20,21,53" 236 | 237 | # Allow outgoing IPv6 UDP ports 238 | # To allow outgoing traceroute add 33434:33523 to this list 239 | UDP6_OUT = "20,21,53,113,123,873,6277,24441" 240 | 241 | ############################################################################### 242 | # SECTION:General Settings 243 | 
############################################################################### 244 | # By default, csf will auto-configure iptables to filter all traffic except on 245 | # the loopback device. If you only want iptables rules applied to a specific 246 | # NIC, then list it here (e.g. eth1, or eth+) 247 | ETH_DEVICE = "" 248 | 249 | # By adding a device to this option, ip6tables can be configured only on the 250 | # specified device. Otherwise, ETH_DEVICE and then the default setting will be 251 | # used 252 | ETH6_DEVICE = "" 253 | 254 | # If you don't want iptables rules applied to specific NICs, then list them in 255 | # a comma separated list (e.g. "eth1,eth2") 256 | ETH_DEVICE_SKIP = "" 257 | 258 | # To switch from the deprecated iptables "state" module to the "conntrack" 259 | # module, change this to 1 260 | USE_CONNTRACK = "0" 261 | 262 | # Check whether syslog is running. Many of the lfd checks require syslog to be 263 | # running correctly. This test will send a coded message to syslog every 264 | # SYSLOG_CHECK seconds. lfd will check SYSLOG_LOG log lines for the coded 265 | # message. If it fails to do so within SYSLOG_CHECK seconds an alert using 266 | # syslogalert.txt is sent 267 | # 268 | # A value of between 300 and 3600 seconds is suggested. Set to 0 to disable 269 | SYSLOG_CHECK = "0" 270 | 271 | # Enable this option if you do not wish to block all IP's that have 272 | # authenticated using POP before SMTP (i.e. are valid clients). This option 273 | # checks for IP addresses in /etc/relayhosts, which last for 30 minutes in that 274 | # file after a successful POP authentication. 275 | # 276 | # Set the value to 0 to disable the feature 277 | RELAYHOSTS = "0" 278 | 279 | # Enable this option if you want lfd to ignore (i.e. don't block) IP addresses 280 | # listed in csf.allow in addition to csf.ignore (the default). 
This option 281 | # should be used with caution as it would mean that IP's allowed through the 282 | # firewall from infected PC's could launch attacks on the server that lfd 283 | # would ignore 284 | IGNORE_ALLOW = "0" 285 | 286 | # Enable the following option if you want to apply strict iptables rules to DNS 287 | # traffic (i.e. relying on iptables connection tracking). Enabling this option 288 | # could cause DNS resolution issues both to and from the server but could help 289 | # prevent abuse of the local DNS server 290 | DNS_STRICT = "0" 291 | 292 | # Enable the following option if you want to apply strict iptables rules to DNS 293 | # traffic between the server and the nameservers listed in /etc/resolv.conf 294 | # Enabling this option could cause DNS resolution issues both to and from the 295 | # server but could help prevent abuse of the local DNS server 296 | DNS_STRICT_NS = "0" 297 | 298 | # Limit the number of IP's kept in the /etc/csf/csf.deny file 299 | # 300 | # Care should be taken when increasing this value on servers with low memory 301 | # resources or hard limits (such as Virtuozzo/OpenVZ) as too many rules (in the 302 | # thousands) can sometimes cause network slowdown 303 | # 304 | # The value set here is the maximum number of IPs/CIDRs allowed 305 | # if the limit is reached, the entries will be rotated so that the oldest 306 | # entries (i.e. the ones at the top) will be removed and the latest is added. 307 | # The limit is only checked when using csf -d (which is what lfd also uses) 308 | # Set to 0 to disable limiting 309 | # 310 | # For implementations wishing to set this value significantly higher, we 311 | # recommend using the IPSET option 312 | DENY_IP_LIMIT = "200" 313 | 314 | # Limit the number of IP's kept in the temporary IP ban list. 
If the limit is 315 | # reached the oldest IP's in the ban list will be removed and allowed 316 | # regardless of the amount of time remaining for the block 317 | # Set to 0 to disable limiting 318 | DENY_TEMP_IP_LIMIT = "100" 319 | 320 | # Enable login failure detection daemon (lfd). If set to 0 none of the 321 | # following settings will have any effect as the daemon won't start. 322 | LF_DAEMON = "1" 323 | 324 | # Check whether csf appears to have been stopped and restart if necessary, 325 | # unless TESTING is enabled above. The check is done every 300 seconds 326 | LF_CSF = "1" 327 | 328 | # This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE, 329 | # IP6TABLES_RESTORE in two ways: 330 | # 331 | # 1. On a clean server reboot the entire csf iptables configuration is saved 332 | # and then restored where possible to provide a near instant firewall 333 | # startup[*] 334 | # 335 | # 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD, 336 | # BOGON, TOR are loaded using this method in a fraction of the time than if 337 | # this setting is disabled 338 | # 339 | # [*]Not supported on all OS platforms 340 | # 341 | # Set to "0" to disable this functionality 342 | FASTSTART = "1" 343 | 344 | # This option allows you to use ipset v6+ for the following csf options: 345 | # CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny, 346 | # GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER 347 | # 348 | # ipset will only be used with the above options when listing IPs and CIDRs. 349 | # Advanced Allow Filters and temporary blocks use traditional iptables 350 | # 351 | # Using ipset moves the onus of ip matching against large lists away from 352 | # iptables rules and to a purpose built and optimised database matching 353 | # utility. 
It also simplifies the switching in of updated lists 354 | # 355 | # To use this option you must have a fully functioning installation of ipset 356 | # installed either via rpm or source from http://ipset.netfilter.org/ 357 | # 358 | # Note: Using ipset has many advantages, some disadvantages are that you will 359 | # no longer see packet and byte counts against IPs and it makes identifying 360 | # blocked/allowed IPs that little bit harder 361 | # 362 | # Note: If you mainly use IP address only entries in csf.deny, you can increase 363 | # the value of DENY_IP_LIMIT significantly if you wish 364 | # 365 | # Note: It's highly unlikely that ipset will function on Virtuozzo/OpenVZ 366 | # containers even if it has been installed 367 | # 368 | # If you find any problems, please post on forums.configserver.com with full 369 | # details of the issue 370 | LF_IPSET = "0" 371 | 372 | # The following sets the hashsize for ipset sets, which must be a power of 2. 373 | # 374 | # Note: Increasing this value will consume more memory for all sets 375 | # Default: "1024" 376 | LF_IPSET_HASHSIZE = "1024" 377 | 378 | # The following sets the maxelem for ipset sets. 379 | # 380 | # Note: Increasing this value will consume more memory for all sets 381 | # Default: "65536" 382 | LF_IPSET_MAXELEM = "65536" 383 | 384 | # If you enable this option then whenever a CLI request to restart csf is used 385 | # lfd will restart csf instead within LF_PARSE seconds 386 | # 387 | # This feature can be helpful for restarting configurations that cannot use 388 | # FASTSTART 389 | LFDSTART = "0" 390 | 391 | # Enable verbose output of iptables commands 392 | VERBOSE = "1" 393 | 394 | # Drop out of order packets and packets in an INVALID state in iptables 395 | # connection tracking 396 | PACKET_FILTER = "1" 397 | 398 | # Perform reverse DNS lookups on IP addresses. 
See also CC_LOOKUPS 399 | LF_LOOKUPS = "1" 400 | 401 | ############################################################################### 402 | # SECTION:SMTP Settings 403 | ############################################################################### 404 | # Block outgoing SMTP except for root, exim and mailman (forces scripts/users 405 | # to use the exim/sendmail binary instead of sockets access). This replaces the 406 | # protection as WHM > Tweak Settings > SMTP Tweaks 407 | # 408 | # This option uses the iptables ipt_owner/xt_owner module and must be loaded 409 | # for it to work. It may not be available on some VPS platforms 410 | # 411 | # Note: Run /etc/csf/csftest.pl to check whether this option will function on 412 | # this server 413 | SMTP_BLOCK = "0" 414 | 415 | # If SMTP_BLOCK is enabled but you want to allow local connections to port 25 416 | # on the server (e.g. for webmail or web scripts) then enable this option to 417 | # allow outgoing SMTP connections to the loopback device 418 | SMTP_ALLOWLOCAL = "1" 419 | 420 | # This option redirects outgoing SMTP connections destined for remote servers 421 | # for non-bypass users to the local SMTP server to force local relaying of 422 | # email. Such email may require authentication (SMTP AUTH) 423 | SMTP_REDIRECT = "0" 424 | 425 | # This is a comma separated list of the ports to block. 
You should list all 426 | # ports that exim is configured to listen on 427 | SMTP_PORTS = "25,465,587" 428 | 429 | # Always allow the following comma separated users and groups to bypass 430 | # SMTP_BLOCK 431 | # 432 | # Note: root (UID:0) is always allowed 433 | SMTP_ALLOWUSER = "cpanel" 434 | SMTP_ALLOWGROUP = "mail,mailman" 435 | 436 | # This option will only allow SMTP AUTH to be advertised to the IP addresses 437 | # listed in /etc/csf/csf.smtpauth on EXIM mail servers 438 | # 439 | # The additional option CC_ALLOW_SMTPAUTH can be used with this option to 440 | # additionally restrict access to specific countries 441 | # 442 | # This is to help limit attempts at distributed attacks against SMTP AUTH which 443 | # are difficult to achieve since port 25 needs to be open to relay email 444 | # 445 | # The reason why this works is that if EXIM does not advertise SMTP AUTH on a 446 | # connection, then SMTP AUTH will not accept logins, defeating the attacks 447 | # without restricting mail relaying 448 | # 449 | # Note: csf and lfd must be restarted if /etc/csf/csf.smtpauth is modified so 450 | # that the lookup file in /etc/exim.smtpauth is regenerated from the 451 | # information from /etc/csf/csf.smtpauth plus any countries listed in 452 | # CC_ALLOW_SMTPAUTH 453 | # 454 | # NOTE: To make this option work you MUST make the modifications to exim.conf 455 | # as explained in "Exim SMTP AUTH Restriction" section in /etc/csf/readme.txt 456 | # after enabling the option here, otherwise this option will not work 457 | # 458 | # To enable this option, set to 1 and make the exim configuration changes 459 | # To disable this option, set to 0 and undo the exim configuration changes 460 | SMTPAUTH_RESTRICT = "0" 461 | 462 | ############################################################################### 463 | # SECTION:Port Flood Settings 464 | ############################################################################### 465 | # Enable SYN Flood Protection. 
This option configures iptables to offer some 466 | # protection from tcp SYN packet DOS attempts. You should set the RATE so that 467 | # false-positives are kept to a minimum otherwise visitors may see connection 468 | # issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables 469 | # man page for the correct --limit rate syntax 470 | # 471 | # Note: This option should ONLY be enabled if you know you are under a SYN 472 | # flood attack as it will slow down all new connections from any IP address to 473 | # the server if triggered 474 | SYNFLOOD = "0" 475 | SYNFLOOD_RATE = "100/s" 476 | SYNFLOOD_BURST = "150" 477 | 478 | # Connection Limit Protection. This option configures iptables to offer more 479 | # protection from DOS attacks against specific ports. It can also be used as a 480 | # way to simply limit resource usage by IP address to specific server services. 481 | # This option limits the number of concurrent new connections per IP address 482 | # that can be made to specific ports 483 | # 484 | # This feature does not work on servers that do not have the iptables module 485 | # xt_connlimit loaded. Typically, this will be with MONOLITHIC kernels. VPS 486 | # server admins should check with their VPS host provider that the iptables 487 | # module is included 488 | # 489 | # For further information and syntax refer to the Connection Limit Protection 490 | # section of the csf readme.txt 491 | # 492 | # Note: Run /etc/csf/csftest.pl to check whether this option will function on 493 | # this server 494 | CONNLIMIT = "" 495 | 496 | # Port Flood Protection. This option configures iptables to offer protection 497 | # from DOS attacks against specific ports. This option limits the number of 498 | # new connections per time interval that can be made to specific ports 499 | # 500 | # This feature does not work on servers that do not have the iptables module 501 | # ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. 
VPS 502 | # server admins should check with their VPS host provider that the iptables 503 | # module is included 504 | # 505 | # For further information and syntax refer to the Port Flood Protection 506 | # section of the csf readme.txt 507 | # 508 | # Note: Run /etc/csf/csftest.pl to check whether this option will function on 509 | # this server 510 | PORTFLOOD = "" 511 | 512 | # Outgoing UDP Flood Protection. This option limits outbound UDP packet floods. 513 | # These typically originate from exploit scripts uploaded through vulnerable 514 | # web scripts. Care should be taken on servers that use services that utilise 515 | # high levels of UDP outbound traffic, such as SNMP, so you may need to alter 516 | # the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment 517 | # 518 | # We recommend enabling User ID Tracking (UID_INTERVAL) with this feature 519 | UDPFLOOD = "0" 520 | UDPFLOOD_LIMIT = "100/s" 521 | UDPFLOOD_BURST = "500" 522 | 523 | # This is a list of usernames that should not be rate limited, such as "named" 524 | # to prevent bind traffic from being limited. 525 | # 526 | # Note: root (UID:0) is always allowed 527 | UDPFLOOD_ALLOWUSER = "named" 528 | 529 | ############################################################################### 530 | # SECTION:Logging Settings 531 | ############################################################################### 532 | # Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the 533 | # perl module Sys::Syslog installed to use this feature 534 | SYSLOG = "0" 535 | 536 | # Drop target for iptables rules. This can be set to either DROP or REJECT. 537 | # REJECT will send back an error packet, DROP will not respond at all. REJECT 538 | # is more polite, however it does provide extra information to a hacker and 539 | # lets them know that a firewall is blocking their attempts. DROP hangs their 540 | # connection, thereby frustrating attempts to port scan the server. 
541 | DROP = "DROP" 542 | 543 | # Enable logging of dropped connections to blocked ports to syslog, usually 544 | # /var/log/messages. This option needs to be enabled to use Port Scan Tracking 545 | DROP_LOGGING = "1" 546 | 547 | # Enable logging of dropped incoming connections from blocked IP addresses 548 | # 549 | # This option will be disabled if you enable Port Scan Tracking (PS_INTERVAL) 550 | DROP_IP_LOGGING = "0" 551 | 552 | # Enable logging of dropped outgoing connections 553 | # 554 | # Note: Only outgoing SYN packets for TCP connections are logged, other 555 | # protocols log all packets 556 | # 557 | # We recommend that you enable this option 558 | DROP_OUT_LOGGING = "1" 559 | 560 | # Together with DROP_OUT_LOGGING enabled, this option logs the UID connecting 561 | # out (where available) which can help track abuse 562 | DROP_UID_LOGGING = "1" 563 | 564 | # Only log incoming reserved port dropped connections (0:1023). This can reduce 565 | # the amount of log noise from dropped connections, but will affect options 566 | # such as Port Scan Tracking (PS_INTERVAL) 567 | DROP_ONLYRES = "0" 568 | 569 | # Commonly blocked ports that you do not want logging as they tend to just fill 570 | # up the log file. These ports are specifically blocked (applied to TCP and UDP 571 | # protocols) for incoming connections 572 | DROP_NOLOG = "67,68,111,113,135:139,445,500,513,520" 573 | 574 | # Log packets dropped by the packet filtering option PACKET_FILTER 575 | DROP_PF_LOGGING = "0" 576 | 577 | # Log packets dropped by the Connection Limit Protection option CONNLIMIT. If 578 | # this is enabled and Port Scan Tracking (PS_INTERVAL) is also enabled, IP 579 | # addresses breaking the Connection Limit Protection will be blocked 580 | CONNLIMIT_LOGGING = "0" 581 | 582 | # Enable logging of UDP floods. 
This should be enabled, especially with User ID 583 | # Tracking enabled 584 | UDPFLOOD_LOGGING = "1" 585 | 586 | # Send an alert if log file flooding is detected which causes lfd to skip log 587 | # lines to prevent lfd from looping. If this alert is sent you should check the 588 | # reported log file for the reason for the flooding 589 | LOGFLOOD_ALERT = "0" 590 | 591 | # Configure csf to watch IP addresses (with csf -w [ip]). This option will add 592 | # overhead to packet traversal through iptables and syslog logging, so should 593 | # only be enabled while actively watching IP addresses. See readme.txt for more 594 | # information on the use of this option 595 | WATCH_MODE = "0" 596 | 597 | ############################################################################### 598 | # SECTION:Reporting Settings 599 | ############################################################################### 600 | # By default, lfd will send alert emails using the relevant alert template to 601 | # the To: address configured within that template. Setting the following 602 | # option will override the configured To: field in all lfd alert emails 603 | # 604 | # Leave this option empty to use the To: field setting in each alert template 605 | LF_ALERT_TO = "" 606 | 607 | # By default, lfd will send alert emails using the relevant alert template from 608 | # the From: address configured within that template. Setting the following 609 | # option will override the configured From: field in all lfd alert emails 610 | # 611 | # Leave this option empty to use the From: field setting in each alert template 612 | LF_ALERT_FROM = "" 613 | 614 | # By default, lfd will send all alerts using the SENDMAIL binary. To send using 615 | # SMTP directly, you can set the following to a relaying SMTP server, e.g. 616 | # "127.0.0.1". Leave this setting blank to use SENDMAIL 617 | LF_ALERT_SMTP = "" 618 | 619 | # Block Reporting. 
lfd can run an external script when it performs an IP 620 | # address block following, for example, a login failure. The following setting 621 | # is the full path of the external script which must be executable. See 622 | # readme.txt for format details 623 | # 624 | # Leave this setting blank to disable 625 | BLOCK_REPORT = "" 626 | 627 | # To also run an external script when a temporary block is unblocked: the 628 | # following setting can be the full path of the external script which must be 629 | # executable. See readme.txt for format details 630 | # 631 | # Leave this setting blank to disable 632 | UNBLOCK_REPORT = "" 633 | 634 | # In addition to the standard lfd email alerts, you can additionally enable the 635 | # sending of X-ARF reports (see http://www.x-arf.org/specification.html). Only 636 | # block alert messages will be sent. The reports use our schema at: 637 | # https://download.configserver.com/abuse_login-attack_0.2.json 638 | # 639 | # These reports are in a format accepted by many Netblock owners and should 640 | # help them investigate abuse. This option is not designed to automatically 641 | # forward these reports to the Netblock owners and should be checked for 642 | # false-positive blocks before reporting 643 | # 644 | # If available, the report will also include the abuse contact for the IP from 645 | # the Abusix Contact DB: https://abusix.com/contactdb.html 646 | # 647 | # Note: The following block types are not reported through this feature: 648 | # LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT 649 | X_ARF = "0" 650 | 651 | # By default, lfd will send emails from the root forwarder. Setting the 652 | # following option will override this 653 | X_ARF_FROM = "" 654 | 655 | # By default, lfd will send emails to the root forwarder. 
Setting the following 656 | # option will override this 657 | X_ARF_TO = "" 658 | 659 | # If you want to automatically send reports to the abuse contact where found, 660 | # you can enable the following option 661 | # 662 | # Note: You MUST set X_ARF_FROM to a valid email address for this option to 663 | # work. This is so that the abuse contact can reply to the report 664 | # 665 | # However, you should be aware that without manual checking you could be 666 | # reporting innocent IP addresses, including your own clients, yourself and 667 | # your own servers 668 | # 669 | # Additionally, just because a contact address is found, does not mean that 670 | # there is anyone on the end of it reading, processing or acting on such 671 | # reports, and you could conceivably be reported for sending spam 672 | # 673 | # We do not recommend enabling this option. Abuse reports should be checked and 674 | # verified before being forwarded to the abuse contact 675 | X_ARF_ABUSE = "0" 676 | 677 | ############################################################################### 678 | # SECTION:Temp to Perm/Netblock Settings 679 | ############################################################################### 680 | # Temporary to Permanent IP blocking. The following enables this feature to 681 | # permanently block IP addresses that have been temporarily blocked more than 682 | # LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set 683 | # LF_PERMBLOCK to "1" to enable this feature 684 | # 685 | # Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be 686 | # at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting 687 | # (TTL) for blocked IPs, to be effective 688 | # 689 | # Set LF_PERMBLOCK to "0" to disable this feature 690 | LF_PERMBLOCK = "1" 691 | LF_PERMBLOCK_INTERVAL = "86400" 692 | LF_PERMBLOCK_COUNT = "4" 693 | LF_PERMBLOCK_ALERT = "1" 694 | 695 | # Permanently block IPs by network class. 
The following enables this feature 696 | # to permanently block classes of IP address where individual IP addresses 697 | # within the same class LF_NETBLOCK_CLASS have already been blocked more than 698 | # LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set 699 | # LF_NETBLOCK to "1" to enable this feature 700 | # 701 | # This can be an effective way of blocking DDOS attacks launched from within 702 | # the same network class 703 | # 704 | # Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C"; care and 705 | # consideration are required when blocking network classes A or B 706 | # 707 | # Set LF_NETBLOCK to "0" to disable this feature 708 | LF_NETBLOCK = "0" 709 | LF_NETBLOCK_INTERVAL = "86400" 710 | LF_NETBLOCK_COUNT = "4" 711 | LF_NETBLOCK_CLASS = "C" 712 | LF_NETBLOCK_ALERT = "1" 713 | 714 | # Valid settings for LF_NETBLOCK_IPV6 are "/64", "/56", "/48", "/32" and "/24" 715 | # Great care should be taken with IPV6 netblock ranges due to the large number 716 | # of addresses involved 717 | # 718 | # To disable IPv6 netblocks set to "" 719 | LF_NETBLOCK_IPV6 = "" 720 | 721 | ############################################################################### 722 | # SECTION:Global Lists/DYNDNS/Blocklists 723 | ############################################################################### 724 | # Safe Chain Update. If enabled, all dynamic update chains (GALLOW*, GDENY*, 725 | # SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN*) will create a new 726 | # chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT 727 | # chain, then flush and delete the old dynamic chain and rename the new chain. 728 | # 729 | # This prevents a small window of opportunity opening when an update occurs and 730 | # the dynamic chain is flushed for the new rules. 731 | # 732 | # This option should not be enabled on servers with long dynamic chains (e.g. 733 | # CC_DENY/CC_ALLOW lists) and low memory. 
It should also not be enabled on 734 | # Virtuozzo VPS servers with a restricted numiptent value. This is because each 735 | # chain will effectively be duplicated while the update occurs, doubling the 736 | # number of iptables rules 737 | SAFECHAINUPDATE = "0" 738 | 739 | # If you wish to allow access from dynamic DNS records (for example if your IP 740 | # address changes whenever you connect to the internet but you have a dedicated 741 | # dynamic DNS record from the likes of dyndns.org) then you can list the FQDN 742 | # records in csf.dyndns and then set the following to the number of seconds to 743 | # poll for a change in the IP address. If the IP address has changed iptables 744 | # will be updated. 745 | # 746 | # If the FQDN has multiple A records then all of the IP addresses will be 747 | # processed. If IPV6 is enabled, then all IPv6 AAAA IP address records will 748 | # also be allowed. 749 | # 750 | # A setting of 600 would check for IP updates every 10 minutes. Set the value 751 | # to 0 to disable the feature 752 | DYNDNS = "0" 753 | 754 | # To always ignore DYNDNS IP addresses in lfd blocking, set the following 755 | # option to 1 756 | DYNDNS_IGNORE = "0" 757 | 758 | # The following Global options allow you to specify a URL where csf can grab a 759 | # centralised copy of an IP allow or deny block list of your own. You need to 760 | # specify the full URL in the following options, i.e.: 761 | # http://www.somelocation.com/allow.txt 762 | # 763 | # The actual retrieval of these IP's is controlled by lfd, so you need to set 764 | # LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd 765 | # will perform the retrieval when it runs and then again at the specified 766 | # interval. A sensible interval would probably be every 3600 seconds (1 hour). 
767 | # A minimum value of 300 is enforced for LF_GLOBAL if enabled 768 | # 769 | # You do not have to specify both an allow and a deny file 770 | # 771 | # You can also configure a global ignore file for IP's that lfd should ignore 772 | LF_GLOBAL = "0" 773 | 774 | GLOBAL_ALLOW = "" 775 | GLOBAL_DENY = "" 776 | GLOBAL_IGNORE = "" 777 | 778 | # Provides the same functionality as DYNDNS but with a GLOBAL URL file. Set 779 | # this to the URL of the file containing DYNDNS entries 780 | GLOBAL_DYNDNS = "" 781 | 782 | # Set the following to the number of seconds to poll for a change in the IP 783 | # address resolved from GLOBAL_DYNDNS 784 | GLOBAL_DYNDNS_INTERVAL = "600" 785 | 786 | # To always ignore GLOBAL_DYNDNS IP addresses in lfd blocking, set the following 787 | # option to 1 788 | GLOBAL_DYNDNS_IGNORE = "0" 789 | 790 | # Blocklists are controlled by modifying /etc/csf/csf.blocklists 791 | # 792 | # If you don't want BOGON rules applied to specific NICs, then list them in 793 | # a comma separated list (e.g "eth1,eth2") 794 | LF_BOGON_SKIP = "" 795 | 796 | # The following option can be used to select either HTTP::Tiny or 797 | # LWP::UserAgent to retrieve URL data. HTTP::Tiny is much faster than 798 | # LWP::UserAgent and is included in the csf distribution. 
LWP::UserAgent may 799 | # have to be installed manually, but it can better support https:// URLs, 800 | # which also needs the LWP::Protocol::https perl module 801 | # 802 | # For example: 803 | # 804 | # On rpm based systems: 805 | # 806 | # yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch 807 | # 808 | # On APT based systems: 809 | # 810 | # apt-get install libwww-perl liblwp-protocol-https-perl 811 | # 812 | # Via cpan: 813 | # 814 | # perl -MCPAN -eshell 815 | # cpan> install LWP LWP::Protocol::https 816 | # 817 | # We recommend setting this to "2" as upgrades to csf will be performed 818 | # over SSL to https://download.configserver.com 819 | # 820 | # "1" = HTTP::Tiny 821 | # "2" = LWP::UserAgent 822 | URLGET = "2" 823 | 824 | ############################################################################### 825 | # SECTION:Country Code Lists and Settings 826 | ############################################################################### 827 | # Country Code to CIDR allow/deny. In the following two options you can allow 828 | # or deny whole country CIDR ranges. The CIDR blocks are generated from the 829 | # Maxmind GeoLite Country database http://www.maxmind.com/app/geolitecountry 830 | # and entirely rely on that service being available 831 | # 832 | # Specify the two-letter ISO Country Code(s). The iptables rules are for 833 | # incoming connections only 834 | # 835 | # Additionally, ASN numbers can also be added to the comma separated lists 836 | # below that also list Country Codes. The same WARNINGS for Country Codes apply 837 | # to the use of ASNs. More about Autonomous System Numbers (ASN): 838 | # http://www.iana.org/assignments/as-numbers/as-numbers.xhtml 839 | # 840 | # You should consider using LF_IPSET when using any of the following options 841 | # 842 | # WARNING: These lists are never 100% accurate and some ISP's (e.g. 
AOL) use 843 | # non-geographic IP address designations for their clients 844 | # 845 | # WARNING: Some of the CIDR lists are huge and each one requires a rule within 846 | # the incoming iptables chain. This can result in significant performance 847 | # overheads and could render the server inaccessible in some circumstances. For 848 | # this reason (amongst others) we do not recommend using these options 849 | # 850 | # WARNING: Due to the resource constraints on VPS servers this feature should 851 | # not be used on such systems unless you choose very small CC zones 852 | # 853 | # WARNING: CC_ALLOW allows access through all ports in the firewall. For this 854 | # reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is 855 | # preferred 856 | # 857 | # Each option is a comma separated list of CC's, e.g. "US,GB,DE" 858 | CC_DENY = "" 859 | CC_ALLOW = "" 860 | 861 | # An alternative to CC_ALLOW is to only allow access from the following 862 | # countries but still filter based on the port and packets rules. All other 863 | # connections are dropped 864 | CC_ALLOW_FILTER = "" 865 | 866 | # This option allows access from the following countries to specific ports 867 | # listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP 868 | # 869 | # Note: The rules for this feature are inserted after the allow and deny 870 | # rules to still allow blocking of IP addresses 871 | # 872 | # Each option is a comma separated list of CC's, e.g. "US,GB,DE" 873 | CC_ALLOW_PORTS = "" 874 | 875 | # All listed ports should be removed from TCP_IN/UDP_IN to block access from 876 | # elsewhere. 
This option uses the same format as TCP_IN/UDP_IN 877 | # 878 | # An example would be to list port 21 here and remove it from TCP_IN/UDP_IN; 879 | # then only countries listed in CC_ALLOW_PORTS can access FTP 880 | CC_ALLOW_PORTS_TCP = "" 881 | CC_ALLOW_PORTS_UDP = "" 882 | 883 | # This option denies access from the following countries to specific ports 884 | # listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP 885 | # 886 | # Note: The rules for this feature are inserted after the allow and deny 887 | # rules to still allow IP addresses to be explicitly allowed 888 | # 889 | # Each option is a comma separated list of CC's, e.g. "US,GB,DE" 890 | CC_DENY_PORTS = "" 891 | 892 | # This option uses the same format as TCP_IN/UDP_IN. The ports listed should 893 | # NOT be removed from TCP_IN/UDP_IN 894 | # 895 | # An example would be to list port 21 here; then countries listed in 896 | # CC_DENY_PORTS cannot access FTP 897 | CC_DENY_PORTS_TCP = "" 898 | CC_DENY_PORTS_UDP = "" 899 | 900 | # This Country Code list will prevent lfd from blocking IP address hits for the 901 | # listed CC's 902 | # 903 | # CC_LOOKUPS must be enabled to use this option 904 | CC_IGNORE = "" 905 | 906 | # This Country Code list will only allow SMTP AUTH to be advertised to the 907 | # listed countries in EXIM. 
This is to help limit attempts at distributed 908 | # attacks against SMTP AUTH, which are difficult to block otherwise since port 25 909 | # needs to be open to relay email 910 | # 911 | # The reason why this works is that if EXIM does not advertise SMTP AUTH on a 912 | # connection, then SMTP AUTH will not accept logins, defeating the attacks 913 | # without restricting mail relaying 914 | # 915 | # This option can generate a very large list of IP addresses that could easily 916 | # severely impact SMTP (mail) performance, so care must be taken when 917 | # selecting countries and if performance issues ensue 918 | # 919 | # The option SMTPAUTH_RESTRICT must be enabled to use this option 920 | CC_ALLOW_SMTPAUTH = "" 921 | 922 | # Set this option to a valid CIDR (i.e. 1 to 32) to ignore CIDR blocks smaller 923 | # than this value when implementing CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can 924 | # help reduce the number of CC entries and may improve iptables throughput. 925 | # Obviously, this will deny/allow fewer IP addresses depending on how small you 926 | # configure the option 927 | # 928 | # For example, to ignore all CIDR (and single IP) entries smaller than a /16, set 929 | # this option to "16". Set to "" to block all CC IP addresses 930 | CC_DROP_CIDR = "" 931 | 932 | # Display Country Code and Country for reported IP addresses. 
This option can 933 | # be configured to use the MaxMind Country Database or the more detailed (and 934 | # much larger and therefore slower) MaxMind City Database 935 | # 936 | # "0" - disable 937 | # "1" - Reports: Country Code and Country 938 | # "2" - Reports: Country Code and Country and Region and City 939 | # "3" - Reports: Country Code and Country and Region and City and ASN 940 | CC_LOOKUPS = "1" 941 | 942 | # Display Country Code and Country for reported IPv6 addresses using the 943 | # MaxMind Country IPv6 Database 944 | # 945 | # "0" - disable 946 | # "1" - Reports: Country Code and Country 947 | # 948 | # This option must also be enabled to allow IPv6 support to CC_*, MESSENGER and 949 | # PORTFLOOD 950 | CC6_LOOKUPS = "0" 951 | 952 | # This option tells lfd how often to retrieve the Maxmind GeoLite Country 953 | # database for CC_ALLOW, CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in 954 | # days) 955 | CC_INTERVAL = "7" 956 | 957 | ############################################################################### 958 | # SECTION:Login Failure Blocking and Alerts 959 | ############################################################################### 960 | # The following[*] triggers are application specific. 
If you set LF_TRIGGER to 961 | # "0" the value of each trigger is the number of failures against that 962 | # application that will trigger lfd to block the IP address 963 | # 964 | # If you set LF_TRIGGER to a value greater than "0" then the following[*] 965 | # application triggers are simply on or off ("0" or "1") and the value of 966 | # LF_TRIGGER is the total cumulative number of failures that will trigger lfd 967 | # to block the IP address 968 | # 969 | # Setting the application trigger to "0" disables it 970 | LF_TRIGGER = "5" 971 | 972 | # If LF_TRIGGER is > "0" then LF_TRIGGER_PERM can be set to "1" to permanently 973 | # block the IP address, or LF_TRIGGER_PERM can be set to a value greater than 974 | # "1" and the IP address will be blocked temporarily for that value in seconds. 975 | # For example: 976 | # LF_TRIGGER_PERM = "1" => the IP is blocked permanently 977 | # LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour 978 | # 979 | # If LF_TRIGGER is "0", then the application LF_[application]_PERM value works 980 | # in the same way as above and LF_TRIGGER_PERM serves no function 981 | LF_TRIGGER_PERM = "1" 982 | 983 | # To only block access to the failed application instead of a complete block 984 | # for an ip address, you can set the following to "1", but LF_TRIGGER must be 985 | # set to "0" with specific application[*] trigger levels also set appropriately 986 | # 987 | # The ports that are blocked can be configured by changing the PORTS_* options 988 | LF_SELECT = "0" 989 | 990 | # Send an email alert if an IP address is blocked by one of the [*] triggers 991 | LF_EMAIL_ALERT = "1" 992 | 993 | # [*]Enable login failure detection of sshd connections 994 | # 995 | # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. 
Read 996 | # this file about RESTRICT_SYSLOG before enabling this option: 997 | LF_SSHD = "5" 998 | LF_SSHD_PERM = "1" 999 | 1000 | # [*]Enable login failure detection of ftp connections 1001 | # 1002 | # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read 1003 | # this file about RESTRICT_SYSLOG before enabling this option: 1004 | LF_FTPD = "0" 1005 | LF_FTPD_PERM = "0" 1006 | 1007 | # [*]Enable login failure detection of SMTP AUTH connections 1008 | LF_SMTPAUTH = "0" 1009 | LF_SMTPAUTH_PERM = "0" 1010 | 1011 | # [*]Enable syntax failure detection of Exim connections 1012 | LF_EXIMSYNTAX = "0" 1013 | LF_EXIMSYNTAX_PERM = "0" 1014 | 1015 | # [*]Enable login failure detection of pop3 connections 1016 | # 1017 | # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read 1018 | # this file about RESTRICT_SYSLOG before enabling this option: 1019 | LF_POP3D = "0" 1020 | LF_POP3D_PERM = "0" 1021 | 1022 | # [*]Enable login failure detection of imap connections 1023 | # 1024 | # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. 
Read 1025 | # this file about RESTRICT_SYSLOG before enabling this option: 1026 | LF_IMAPD = "0" 1027 | LF_IMAPD_PERM = "0" 1028 | 1029 | # [*]Enable login failure detection of Apache .htpasswd connections 1030 | # Due to the often high logging rate in the Apache error log, you might want to 1031 | # enable this option only if you know you are suffering from attacks against 1032 | # password protected directories 1033 | LF_HTACCESS = "0" 1034 | LF_HTACCESS_PERM = "0" 1035 | 1036 | # [*]Enable login failure detection of cpanel, webmail and whm connections 1037 | LF_CPANEL = "0" 1038 | LF_CPANEL_PERM = "0" 1039 | 1040 | # [*]Enable failure detection of repeated Apache mod_security rule triggers 1041 | LF_MODSEC = "0" 1042 | LF_MODSEC_PERM = "0" 1043 | 1044 | # [*]Enable detection of repeated BIND denied requests 1045 | # This option should be enabled with care as it will prevent blocked IPs from 1046 | # resolving any domains on the server. You might want to set the trigger value 1047 | # reasonably high to avoid this 1048 | # Example: LF_BIND = "100" 1049 | LF_BIND = "0" 1050 | LF_BIND_PERM = "1" 1051 | 1052 | # [*]Enable detection of repeated suhosin ALERTs 1053 | # Example: LF_SUHOSIN = "5" 1054 | # 1055 | # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. 
Read 1056 | # this file about RESTRICT_SYSLOG before enabling this option: 1057 | LF_SUHOSIN = "0" 1058 | LF_SUHOSIN_PERM = "1" 1059 | 1060 | # [*]Enable detection of repeated cxs ModSecurity mod_security rule triggers 1061 | # This option will block IP addresses if cxs detects hits from the 1062 | # ModSecurity rule associated with it 1063 | # 1064 | # Note: This option takes precedence over LF_MODSEC and removes any hits 1065 | # counted towards LF_MODSEC for the cxs rule 1066 | # 1067 | # This setting should probably be set very low, perhaps to 1, if you want to 1068 | # effectively block IP addresses for this trigger option 1069 | LF_CXS = "0" 1070 | LF_CXS_PERM = "1" 1071 | 1072 | # [*]Enable detection of repeated Apache mod_qos rule triggers 1073 | LF_QOS = "0" 1074 | LF_QOS_PERM = "1" 1075 | 1076 | # [*]Enable detection of repeated Apache symlink race condition triggers from 1077 | # the Apache patch provided by: 1078 | # http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html 1079 | # This patch has also been included by cPanel via the easyapache option: 1080 | # "Symlink Race Condition Protection" 1081 | LF_SYMLINK = "0" 1082 | LF_SYMLINK_PERM = "1" 1083 | 1084 | # [*]Enable login failure detection of webmin connections 1085 | # 1086 | # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read 1087 | # this file about RESTRICT_SYSLOG before enabling this option: 1088 | LF_WEBMIN = "0" 1089 | LF_WEBMIN_PERM = "1" 1090 | 1091 | # Send an email alert if anyone logs in successfully using SSH 1092 | # 1093 | # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read 1094 | # this file about RESTRICT_SYSLOG before enabling this option: 1095 | LF_SSH_EMAIL_ALERT = "1" 1096 | 1097 | # Send an email alert if anyone uses su to access another account. 
This will 1098 | # send an email alert whether the attempt to use su was successful or not 1099 | # 1100 | # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read 1101 | # this file about RESTRICT_SYSLOG before enabling this option: 1102 | LF_SU_EMAIL_ALERT = "1" 1103 | 1104 | # Send an email alert if anyone accesses webmin 1105 | # 1106 | # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read 1107 | # this file about RESTRICT_SYSLOG before enabling this option: 1108 | LF_WEBMIN_EMAIL_ALERT = "1" 1109 | 1110 | # Send an email alert if anyone logs in successfully to root on the console 1111 | # 1112 | # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read 1113 | # this file about RESTRICT_SYSLOG before enabling this option: 1114 | LF_CONSOLE_EMAIL_ALERT = "1" 1115 | 1116 | # This option will keep track of the number of "File does not exist" errors in 1117 | # HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL 1118 | # seconds then the IP address will be blocked 1119 | # 1120 | # Care should be used with this option as it could generate many 1121 | # false-positives, especially Search Bots (use csf.rignore to ignore such bots) 1122 | # so only use this option if you know you are under this type of attack 1123 | # 1124 | # A sensible setting for this would be quite high, perhaps 200 1125 | # 1126 | # To disable set to "0" 1127 | LF_APACHE_404 = "0" 1128 | 1129 | # If this option is set to 1 the blocks will be permanent 1130 | # If this option is > 1, the blocks will be temporary for the specified number 1131 | # of seconds 1132 | LF_APACHE_404_PERM = "3600" 1133 | 1134 | # This option will keep track of the number of "client denied by server 1135 | # configuration" errors in HTACCESS_LOG. 
If the number of hits is more than 1136 | # LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked 1137 | # 1138 | # Care should be used with this option as it could generate many 1139 | # false-positives, especially Search Bots (use csf.rignore to ignore such bots) 1140 | # so only use this option if you know you are under this type of attack 1141 | # 1142 | # To disable set to "0" 1143 | LF_APACHE_403 = "0" 1144 | 1145 | # If this option is set to 1 the blocks will be permanent 1146 | # If this option is > 1, the blocks will be temporary for the specified number 1147 | # of seconds 1148 | LF_APACHE_403_PERM = "3600" 1149 | 1150 | # Send an email alert if anyone accesses WHM/cPanel via an account listed in 1151 | # LF_CPANEL_ALERT_USERS. An IP address will be reported again 1 hour after the 1152 | # last tracked access (or if lfd is restarted) 1153 | LF_CPANEL_ALERT = "1" 1154 | 1155 | # If a LF_CPANEL_ALERT event is triggered, then if the following contains the 1156 | # path to a script, it will run the script and pass the ip and username and 1157 | # the DNS IP lookup result as 3 arguments 1158 | # 1159 | # The action script must have the execute bit and interpreter (shebang) set 1160 | LF_CPANEL_ALERT_ACTION = "" 1161 | 1162 | # This is a comma separated list of accounts to send alerts for. To send an 1163 | # alert for all accounts set this to "all" 1164 | LF_CPANEL_ALERT_USERS = "root" 1165 | 1166 | # This setting re-enables the cPanel Bandwidth chains after iptables is 1167 | # configured. If bandmin is not functioning, or you don't use the bandmin stats 1168 | # you can disable this option 1169 | LF_CPANEL_BANDMIN = "1" 1170 | 1171 | # Enable scanning of the exim mainlog for repeated emails sent from scripts. 
1172 | # To use this feature the exim log_selector option must at least be set to: 1173 | # 1174 | # log_selector = +arguments +subject +received_recipients 1175 | # 1176 | # If you already use extended exim logging, then you need to either include 1177 | # +arguments +received_recipients or use +all 1178 | # 1179 | # This setting will then send an alert email if more than LF_SCRIPT_LIMIT lines 1180 | # appear with the same cwd= path in them within an hour. This can be useful in 1181 | # identifying spamming scripts on a server, especially PHP scripts running 1182 | # under the nobody account. The email that is sent includes the exim log lines 1183 | # and also attempts to find scripts that send email in the path that may be the 1184 | # culprit 1185 | LF_SCRIPT_ALERT = "1" 1186 | 1187 | # The limit after which the email alert for email scripts is sent. Care should 1188 | # be taken with this value if you allow clients to use web scripts to maintain 1189 | # pseudo-mailing lists which have large recipient lists 1190 | LF_SCRIPT_LIMIT = "100" 1191 | 1192 | # If an LF_SCRIPT_ALERT event is triggered, then if the following contains 1193 | # the path to a script, it will be run in a child process and passed the 1194 | # following information as parameters which also appears in the email alert: 1195 | # Path to the directory containing the script that is sending the email 1196 | # Count of emails sent 1197 | # Sample of the first 10 emails 1198 | # List of possible email scripts within Path 1199 | # 1200 | # The action script must have the execute bit and interpreter (shebang) set 1201 | LF_SCRIPT_ACTION = "" 1202 | 1203 | # If this option is enabled, the directory identified by LF_SCRIPT_ALERT will 1204 | # be chmod 0 and chattr +i to prevent it being accessed. Set the option to 1 1205 | # to enable. 1206 | # 1207 | # WARNING: This option could cause serious system problems if the identified 1208 | # directory is within the OS directory hierarchy. 
For this reason we do not 1209 | # recommend enabling it unless absolutely necessary. 1210 | LF_SCRIPT_PERM = "0" 1211 | 1212 | # Checks the length of the exim queue and sends an alert email if the value of 1213 | # settings is exceeded. If the ConfigServer MailScanner configuration is used 1214 | # then both the pending and delivery queues will be checked. 1215 | # 1216 | # Note: If there are problems sending out email, this alert may not be received 1217 | # To disable set to "0" 1218 | LF_QUEUE_ALERT = "2000" 1219 | 1220 | # The interval between mail queue checks in seconds. This should not be set too 1221 | # low on servers that often have long queues as the exim binary can use 1222 | # significant resources when checking its queue length 1223 | LF_QUEUE_INTERVAL = "300" 1224 | 1225 | # System Exploit Checking. This option is designed to perform a series of tests 1226 | # to send an alert in case a possible server compromise is detected 1227 | # 1228 | # To enable this feature set the following to the checking interval in seconds 1229 | # (a value of 300 would seem sensible). 1230 | # 1231 | # To disable set to "0" 1232 | LF_EXPLOIT = "300" 1233 | 1234 | # This comma separated list allows you to ignore tests LF_EXPLOIT performs 1235 | # 1236 | # For the SUPERUSER check, you can list usernames in csf.suignore to have them 1237 | # ignored for that test 1238 | # 1239 | # Valid tests are: 1240 | # SUPERUSER,SSHDSPAM 1241 | # 1242 | # If you want to ignore a test add it to this as a comma separated list, e.g. 1243 | # "SUPERUSER,SSHDSPAM" 1244 | LF_EXPLOIT_IGNORE = "" 1245 | 1246 | # Set the time interval to track login and other LF_ failures within (seconds), 1247 | # i.e. 
LF_TRIGGER failures within the last LF_INTERVAL seconds 1248 | LF_INTERVAL = "3600" 1249 | 1250 | # This is how long the lfd process sleeps (in seconds) before processing the 1251 | # log file entries and checking whether other events need to be triggered 1252 | LF_PARSE = "5" 1253 | 1254 | # This is the interval that is used to flush reports of usernames, files and 1255 | # pids so that persistent problems continue to be reported, in seconds. 1256 | # A value of 3600 seems sensible 1257 | LF_FLUSH = "3600" 1258 | 1259 | # Under some circumstances iptables can fail to include a rule instruction, 1260 | # especially if more than one request is made concurrently. In this event, a 1261 | # permanent block entry may exist in csf.deny, but not in iptables. 1262 | # 1263 | # This option instructs csf to deny an already blocked IP address the number 1264 | # of times set. The downside, is that there will be multiple entries for an IP 1265 | # address in csf.deny and possibly multiple rules for the same IP address in 1266 | # iptables. This needs to be taken into consideration when unblocking such IP 1267 | # addresses. 1268 | # 1269 | # Set to "0" to disable this feature. Do not set this too high for the reasons 1270 | # detailed above (e.g. "5" should be more than enough) 1271 | LF_REPEATBLOCK = "0" 1272 | 1273 | # By default csf will create both an inbound and outbound blocks from/to an IP 1274 | # unless otherwise specified in csf.deny and GLOBAL_DENY. This is the most 1275 | # effective way to block IP traffic. This option instructs csf to only block 1276 | # inbound traffic from those IP's and so reduces the number of iptables rules, 1277 | # but at the expense of less effectiveness. 
For this reason we recommend 1277 | # leaving this option disabled 1278 | # 1279 | # Set to "0" to disable this feature - the default 1280 | LF_BLOCKINONLY = "0" 1281 | 1282 | ############################################################################### 1283 | # SECTION:Directory Watching & Integrity 1284 | ############################################################################### 1285 | # Enable Directory Watching. This enables lfd to check /tmp and /dev/shm 1286 | # directories for suspicious files, i.e. script exploits. If a suspicious 1287 | # file is found an email alert is sent. One alert per file per LF_FLUSH 1288 | # interval is sent 1289 | # 1290 | # To enable this feature set the following to the checking interval in seconds. 1291 | # To disable set to "0" 1292 | LF_DIRWATCH = "300" 1293 | 1294 | # To remove any suspicious files found during directory watching, enable the 1295 | # following. These files will be appended to a tarball in 1296 | # /var/lib/suspicious.tar 1297 | LF_DIRWATCH_DISABLE = "0" 1298 | 1299 | # This option allows you to have lfd watch a particular file or directory for 1300 | # changes; should they change, an email alert using watchalert.txt is sent 1301 | # 1302 | # To enable this feature set the following to the checking interval in seconds 1303 | # (a value of 60 would seem sensible) and add your entries to csf.dirwatch 1304 | # 1305 | # To disable set to "0" 1306 | LF_DIRWATCH_FILE = "0" 1307 | 1308 | # System Integrity Checking. This enables lfd to compare md5sums of the 1309 | # server's OS binary application files from the time when lfd starts. If the 1310 | # md5sum of a monitored file changes an alert is sent. This option is intended 1311 | # as an IDS (Intrusion Detection System) and is the last line of detection for 1312 | # a possible root compromise. 1313 | # 1314 | # There will be constant false-positives as the server's OS is updated or 1315 | # monitored application binaries are updated. 
However, unexpected changes 1317 | # should be carefully inspected. 1318 | # 1319 | # Modified files will only be reported via email once. 1320 | # 1321 | # To enable this feature set the following to the checking interval in seconds 1322 | # (a value of 3600 would seem sensible). This option may increase server I/O 1323 | # load onto the server as it checks system binaries. 1324 | # 1325 | # To disable set to "0" 1326 | LF_INTEGRITY = "3600" 1327 | 1328 | ############################################################################### 1329 | # SECTION:Distributed Attacks 1330 | ############################################################################### 1331 | # Distributed Account Attack. This option will keep track of login failures 1332 | # from distributed IP addresses to a specific application account. If the 1333 | # number of failures matches the trigger value above, ALL of the IP addresses 1334 | # involved in the attack will be blocked according to the temp/perm rules above 1335 | # 1336 | # Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD, 1337 | # LF_HTACCESS 1338 | # 1339 | # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read 1340 | # this file about RESTRICT_SYSLOG before enabling this option: 1341 | LF_DISTATTACK = "0" 1342 | 1343 | # Set the following to the minimum number of unique IP addresses that trigger 1344 | # LF_DISTATTACK 1345 | LF_DISTATTACK_UNIQ = "2" 1346 | 1347 | # Distributed FTP Logins. This option will keep track of successful FTP logins. 
1348 | # If the number of successful logins to an individual account is at least 1349 | # LF_DISTFTP in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses, 1350 | # then all of the IP addresses will be blocked 1351 | # 1352 | # This option can help mitigate the common FTP account compromise attacks that 1353 | # use a distributed network of zombies to deface websites 1354 | # 1355 | # A sensible setting for this might be 5, depending on how many different 1356 | # IP addresses you expect to an individual FTP account within LF_DIST_INTERVAL 1357 | # 1358 | # To disable set to "0" 1359 | # 1360 | # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read 1361 | # this file about RESTRICT_SYSLOG before enabling this option: 1362 | LF_DISTFTP = "0" 1363 | 1364 | # Set the following to the minimum number of unique IP addresses that trigger 1365 | # LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work 1366 | LF_DISTFTP_UNIQ = "3" 1367 | 1368 | # If this option is set to 1 the blocks will be permanent 1369 | # If this option is > 1, the blocks will be temporary for the specified number 1370 | # of seconds 1371 | LF_DISTFTP_PERM = "1" 1372 | 1373 | # Send an email alert if LF_DISTFTP is triggered 1374 | LF_DISTFTP_ALERT = "1" 1375 | 1376 | # Distributed SMTP Logins. This option will keep track of successful SMTP 1377 | # logins. If the number of successful logins to an individual account is at 1378 | # least LF_DISTSMTP in LF_DIST_INTERVAL from at least LF_DISTSMTP_UNIQ IP 1379 | # addresses, then all of the IP addresses will be blocked. 
These options only 1380 | # apply to the exim MTA 1381 | # 1382 | # This option can help mitigate the common SMTP account compromise attacks that 1383 | # use a distributed network of zombies to send spam 1384 | # 1385 | # A sensible setting for this might be 5, depending on how many different 1386 | # IP addresses you expect to an individual SMTP account within LF_DIST_INTERVAL 1387 | # 1388 | # To disable set to "0" 1389 | LF_DISTSMTP = "0" 1390 | 1391 | # Set the following to the minimum number of unique IP addresses that trigger 1392 | # LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work 1393 | LF_DISTSMTP_UNIQ = "3" 1394 | 1395 | # If this option is set to 1 the blocks will be permanent 1396 | # If this option is > 1, the blocks will be temporary for the specified number 1397 | # of seconds 1398 | LF_DISTSMTP_PERM = "1" 1399 | 1400 | # Send an email alert if LF_DISTSMTP is triggered 1401 | LF_DISTSMTP_ALERT = "1" 1402 | 1403 | # This is the interval during which a distributed FTP or SMTP attack is 1404 | # measured 1405 | LF_DIST_INTERVAL = "300" 1406 | 1407 | # If LF_DISTFTP or LF_DISTSMTP is triggered, then if the following contains the 1408 | # path to a script, it will run the script and pass the following as arguments: 1409 | # 1410 | # LF_DISTFTP/LF_DISTSMTP 1411 | # account name 1412 | # log file text 1413 | # 1414 | # The action script must have the execute bit and interpreter (shebang) set 1415 | LF_DIST_ACTION = "" 1416 | 1417 | ############################################################################### 1418 | # SECTION:Login Tracking 1419 | ############################################################################### 1420 | # Block POP3 logins if greater than LT_POP3D times per hour per account per IP 1421 | # address (0=disabled) 1422 | # 1423 | # This is a temporary block for the rest of the hour, afterwhich the IP is 1424 | # unblocked 1425 | # 1426 | # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. 
Read 1427 | # this file about RESTRICT_SYSLOG before enabling this option: 1428 | LT_POP3D = "0" 1429 | 1430 | # Block IMAP logins if greater than LT_IMAPD times per hour per account per IP 1431 | # address (0=disabled) - not recommended for IMAP logins due to the ethos 1432 | # within which IMAP works. If you want to use this, setting it quite high is 1433 | # probably a good idea 1434 | # 1435 | # This is a temporary block for the rest of the hour, after which the IP is 1436 | # unblocked 1437 | # 1438 | # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read 1439 | # this file about RESTRICT_SYSLOG before enabling this option: 1440 | LT_IMAPD = "0" 1441 | 1442 | # Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour 1443 | # per IP 1444 | LT_EMAIL_ALERT = "1" 1445 | 1446 | # If LF_PERMBLOCK is enabled but you do not want this to apply to 1447 | # LT_POP3D/LT_IMAPD, then enable this option 1448 | LT_SKIPPERMBLOCK = "0" 1449 | 1450 | ############################################################################### 1451 | # SECTION:Relay Tracking 1452 | ############################################################################### 1453 | # Relay Tracking. This allows you to track email that is relayed through the 1454 | # server. There are also options to send alerts and block external IP addresses 1455 | # if the number of emails relayed per hour exceeds configured limits. The 1456 | # blocks can be either permanent or temporary.
1457 | # 1458 | # The following information applies to each of the following types of relay 1459 | # check: 1460 | # RT_[relay type]_ALERT: 0 = disable, 1 = enable 1461 | # RT_[relay type]_LIMIT: the limit/hour after which an email alert will be sent 1462 | # RT_[relay type]_BLOCK: 0 = no block;1 = perm block;nn=temp block for nn secs 1463 | 1464 | # This option triggers for external email 1465 | RT_RELAY_ALERT = "1" 1466 | RT_RELAY_LIMIT = "100" 1467 | RT_RELAY_BLOCK = "0" 1468 | 1469 | # This option triggers for email authenticated by SMTP AUTH 1470 | RT_AUTHRELAY_ALERT = "1" 1471 | RT_AUTHRELAY_LIMIT = "100" 1472 | RT_AUTHRELAY_BLOCK = "0" 1473 | 1474 | # This option triggers for email authenticated by POP before SMTP 1475 | RT_POPRELAY_ALERT = "1" 1476 | RT_POPRELAY_LIMIT = "100" 1477 | RT_POPRELAY_BLOCK = "0" 1478 | 1479 | # This option triggers for email sent via /usr/sbin/sendmail or /usr/sbin/exim 1480 | RT_LOCALRELAY_ALERT = "1" 1481 | RT_LOCALRELAY_LIMIT = "100" 1482 | 1483 | # This option triggers for email sent via a local IP address 1484 | RT_LOCALHOSTRELAY_ALERT = "1" 1485 | RT_LOCALHOSTRELAY_LIMIT = "100" 1486 | 1487 | # If an RT_* event is triggered, then if the following contains the path to 1488 | # a script, it will be run in a child process and passed the following 1489 | # information as parameters, which also appears in the email alert: 1490 | # IP Address 1491 | # Relay Type (RELAY/AUTHRELAY/POPRELAY/LOCALRELAY/LOCALHOSTRELAY) 1492 | # Block Message (Temporary/Permanent Block) 1493 | # Count of emails relayed 1494 | # Sample of the first 10 emails 1495 | # 1496 | # The action script must have the execute bit and interpreter (shebang) set 1497 | RT_ACTION = "" 1498 | 1499 | ############################################################################### 1500 | # SECTION:Connection Tracking 1501 | ############################################################################### 1502 | # Connection Tracking.
This option enables tracking of all connections from IP 1503 | # addresses to the server. If the total number of connections is greater than 1504 | # this value then the offending IP address is blocked. This can be used to help 1505 | # prevent some types of DOS attack. 1506 | # 1507 | # Care should be taken with this option. It's entirely possible that you will 1508 | # see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD 1509 | # and HTTP so it could be quite easy to trigger, especially with a lot of 1510 | # closed connections in TIME_WAIT. However, for a server that is prone to DOS 1511 | # attacks this may be very useful. A reasonable setting for this option might 1512 | # be around 300. 1513 | # 1514 | # To disable this feature, set this to 0 1515 | CT_LIMIT = "0" 1516 | 1517 | # Connection Tracking interval. Set this to the number of seconds between 1518 | # connection tracking scans 1519 | CT_INTERVAL = "30" 1520 | 1521 | # Send an email alert if an IP address is blocked due to connection tracking 1522 | CT_EMAIL_ALERT = "1" 1523 | 1524 | # If you want to make IP blocks permanent then set this to 1, otherwise blocks 1525 | # will be temporary and will be cleared after CT_BLOCK_TIME seconds 1526 | CT_PERMANENT = "0" 1527 | 1528 | # If you opt for temporary IP blocks for CT, then the following is the interval 1529 | # in seconds that the IP will remain blocked for (e.g. 1800 = 30 mins) 1530 | CT_BLOCK_TIME = "1800" 1531 | 1532 | # If you don't want to count the TIME_WAIT state against the connection count 1533 | # then set the following to "1" 1534 | CT_SKIP_TIME_WAIT = "0" 1535 | 1536 | # If you only want to count specific states (e.g. SYN_RECV) then add the states 1537 | # to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT" 1538 | # 1539 | # Leave this option empty to count all states against CT_LIMIT 1540 | CT_STATES = "" 1541 | 1542 | # If you only want to count specific ports (e.g.
80,443) then add the ports 1543 | # to the following as a comma separated list. E.g. "80,443" 1544 | # 1545 | # Leave this option empty to count all ports against CT_LIMIT 1546 | CT_PORTS = "" 1547 | 1548 | ############################################################################### 1549 | # SECTION:Process Tracking 1550 | ############################################################################### 1551 | # Process Tracking. This option enables tracking of user and nobody processes 1552 | # and examines them for suspicious executables or open network ports. Its 1553 | # purpose is to identify potential exploit processes that are running on the 1554 | # server, even if they are obfuscated to appear as system services. If a 1555 | # suspicious process is found an alert email is sent with relevant information. 1556 | # It is then the responsibility of the recipient to investigate the process 1557 | # further as the script takes no further action 1558 | # 1559 | # The following is the number of seconds a process has to be active before it 1560 | # is inspected. If you set this time too low, then you will likely trigger 1561 | # false-positives with CGI or PHP scripts. 1562 | # Set the value to 0 to disable this feature 1563 | PT_LIMIT = "60" 1564 | 1565 | # How frequently processes are checked in seconds 1566 | PT_INTERVAL = "60" 1567 | 1568 | # If you want process tracking to highlight php or perl scripts that are run 1569 | # through apache then disable the following, 1570 | # i.e. set it to 0 1571 | # 1572 | # While enabling this setting will reduce false-positives, having it set to 0 1573 | # does provide better checking for exploits running on the server 1574 | PT_SKIP_HTTP = "0" 1575 | 1576 | # If you want to track all linux accounts on a cPanel server, not just users 1577 | # that are part of cPanel, then enable this option. 
This is recommended to 1578 | # improve security from compromised accounts 1579 | # 1580 | # Set to 0 to disable the feature, 1 to enable it 1581 | PT_ALL_USERS = "0" 1582 | 1583 | # lfd will report processes, even if they're listed in csf.pignore, if they're 1584 | # tagged as (deleted) by Linux. This information is provided in Linux under 1585 | # /proc/PID/exe. A (deleted) process is one that is running a binary that has 1586 | # the inode for the file removed from the file system directory. This usually 1587 | # happens when the binary has been replaced due to an upgrade for it by the OS 1588 | # vendor or another third party (e.g. cPanel). You need to investigate whether 1589 | # this is indeed the case to be sure that the original binary has not been 1590 | # replaced by a rootkit or is running an exploit. 1591 | # 1592 | # Note: If a deleted executable process is detected and reported then lfd will 1593 | # not report children of the parent (or the parent itself if a child triggered 1594 | # the report) if the parent is also a deleted executable process 1595 | # 1596 | # To stop lfd reporting such process you need to restart the daemon to which it 1597 | # belongs and therefore run the process using the replacement binary (presuming 1598 | # one exists). This will normally mean running the associated startup script in 1599 | # /etc/init.d/ 1600 | # 1601 | # If you do want lfd to report deleted binary processes, set to 1 1602 | PT_DELETED = "0" 1603 | 1604 | # If a PT_DELETED event is triggered, then if the following contains the path to 1605 | # a script, it will be run in a child process and passed the executable, pid, 1606 | # account for the process, and parent pid 1607 | # 1608 | # The action script must have the execute bit and interpreter (shebang) set. 
An 1609 | # example is provided in /usr/local/csf/bin/pt_deleted_action.pl 1610 | # 1611 | # WARNING: Make sure you read and understand the potential security 1612 | # implications of such processes in PT_DELETED above before simply restarting 1613 | # such processes with a script 1614 | PT_DELETED_ACTION = "" 1615 | 1616 | # User Process Tracking. This option enables the tracking of the number of 1617 | # process any given account is running at one time. If the number of processes 1618 | # exceeds the value of the following setting an email alert is sent with 1619 | # details of those processes. If you specify a user in csf.pignore it will be 1620 | # ignored 1621 | # 1622 | # Set to 0 to disable this feature 1623 | PT_USERPROC = "10" 1624 | 1625 | # This User Process Tracking option sends an alert if any cPanel user process 1626 | # exceeds the memory usage set (MB). To ignore specific processes or users use 1627 | # csf.pignore 1628 | # 1629 | # Set to 0 to disable this feature 1630 | PT_USERMEM = "512" 1631 | 1632 | # This User Process Tracking option sends an alert if any cPanel user process 1633 | # exceeds the time usage set (seconds). To ignore specific processes or users 1634 | # use csf.pignore 1635 | # 1636 | # Set to 0 to disable this feature 1637 | PT_USERTIME = "3600" 1638 | 1639 | # If this option is set then processes detected by PT_USERMEM, PT_USERTIME or 1640 | # PT_USERPROC are killed 1641 | # 1642 | # Warning: We don't recommend enabling this option unless absolutely necessary 1643 | # as it can cause unexpected problems when processes are suddenly terminated. 1644 | # It can also lead to system processes being terminated which could cause 1645 | # stability issues. 
It is much better to leave this option disabled and to 1646 | # investigate each case as it is reported when the triggers above are breached 1647 | # 1648 | # Note: Processes that are running deleted executables (see PT_DELETED) will 1649 | # not be killed by lfd 1650 | PT_USERKILL = "0" 1651 | 1652 | # If you want to disable email alerts if PT_USERKILL is triggered, then set 1653 | # this option to 0 1654 | PT_USERKILL_ALERT = "1" 1655 | 1656 | # If a PT_* event is triggered, then if the following contains the path to 1657 | # a script, it will be run in a child process and passed the PID(s) of the 1658 | # process(es) in a comma separated list. 1659 | # 1660 | # The action script must have the execute bit and interpreter (shebang) set 1661 | PT_USER_ACTION = "" 1662 | 1663 | # Check the PT_LOAD_AVG minute Load Average (can be set to 1 5 or 15 and 1664 | # defaults to 5 if set otherwise) on the server every PT_LOAD seconds. If the 1665 | # load average is greater than or equal to PT_LOAD_LEVEL then an email alert is 1666 | # sent. lfd then does not report subsequent high load until PT_LOAD_SKIP 1667 | # seconds has passed to prevent email floods. 1668 | # 1669 | # Set PT_LOAD to "0" to disable this feature 1670 | PT_LOAD = "30" 1671 | PT_LOAD_AVG = "5" 1672 | PT_LOAD_LEVEL = "6" 1673 | PT_LOAD_SKIP = "3600" 1674 | 1675 | # This is the Apache Server Status URL used in the email alert. Requires the 1676 | # Apache mod_status module to be installed and configured correctly 1677 | PT_APACHESTATUS = "http://127.0.0.1/whm-server-status" 1678 | 1679 | # If a PT_LOAD event is triggered, then if the following contains the path to 1680 | # a script, it will be run in a child process. For example, the script could 1681 | # contain commands to terminate and restart httpd, php, exim, etc in case of 1682 | # looping processes. The action script must have the execute bit and 1683 | # interpreter (shebang) set 1684 | PT_LOAD_ACTION = "" 1685 | 1686 | # Fork Bomb Protection.
This option checks the number of processes with the 1687 | # same session id and if greater than the value set, the whole session tree is 1688 | # terminated and an alert sent 1689 | # 1690 | # You can see an example of common session id processes on most Linux systems 1691 | # using: "ps axf -O sid" 1692 | # 1693 | # On cPanel servers, PT_ALL_USERS should be enabled to use this option 1694 | # effectively 1695 | # 1696 | # This option will check root owned processes. Session id 0 and 1 will always 1697 | # be ignored as they represent kernel and init processes. csf.pignore will be 1698 | # honoured, but bear in mind that a session tree can contain a variety of users 1699 | # and executables 1700 | # 1701 | # Care needs to be taken to ensure that this option only detects runaway fork 1702 | # bombs, so should be set higher than any session tree is likely to get (e.g. 1703 | # httpd could have 100s of legitimate children on very busy systems). A 1704 | # sensible starting point on most servers might be 250 1705 | PT_FORKBOMB = "0" 1706 | 1707 | # Terminate hung SSHD sessions. When under an SSHD login attack, SSHD processes 1708 | # are often left hung after their connecting IP addresses have been blocked 1709 | # 1710 | # This option will terminate all processes with the cmdline of "sshd: unknown 1711 | # [net]" or "sshd: unknown [priv]" if they have been running for more than 60 1712 | # seconds 1713 | # 1714 | # Note: It is possible that enabling this option may have adverse effects on 1715 | # valid SSHD processes. 
If this is the case, this option should be disabled 1716 | # 1717 | # Note: Due to the nature of this type of attack, no email reports are sent 1718 | # when the processes are terminated, however the event is logged in lfd.log 1719 | # with a line prefix of "*PT_SSHDHUNG*" 1720 | PT_SSHDHUNG = "0" 1721 | 1722 | ############################################################################### 1723 | # SECTION:Port Scan Tracking 1724 | ############################################################################### 1725 | # Port Scan Tracking. This feature tracks port blocks logged by iptables to 1726 | # syslog. If an IP address generates a port block that is logged more than 1727 | # PS_LIMIT within PS_INTERVAL seconds, the IP address will be blocked. 1728 | # 1729 | # This feature could, for example, be useful for blocking hackers attempting 1730 | # to access the standard SSH port if you have moved it to a port other than 22 1731 | # and have removed 22 from the TCP_IN list so that connection attempts to the 1732 | # old port are being logged 1733 | # 1734 | # This feature blocks all iptables blocks from the iptables logs, including 1735 | # repeated attempts to one port or SYN flood blocks, etc 1736 | # 1737 | # Note: This feature will only track iptables blocks from the log file set in 1738 | # IPTABLES_LOG below and if you have DROP_LOGGING enabled. However, it will 1739 | # cause redundant blocking with DROP_IP_LOGGING enabled 1740 | # 1741 | # Warning: It's possible that an elaborate DDOS (i.e. from multiple IP's) 1742 | # could very quickly fill the iptables rule chains and cause a DOS in itself. 1743 | # The DENY_IP_LIMIT should help to mitigate such problems with permanent blocks 1744 | # and the DENY_TEMP_IP_LIMIT with temporary blocks 1745 | # 1746 | # Set PS_INTERVAL to "0" to disable this feature. 
A value of between 60 and 300 1747 | # would be sensible to enable this feature 1748 | # 1749 | # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read 1750 | # this file about RESTRICT_SYSLOG before enabling this option: 1751 | PS_INTERVAL = "0" 1752 | PS_LIMIT = "10" 1753 | 1754 | # You can specify the ports and/or port ranges that should be tracked by the 1755 | # Port Scan Tracking feature. The following setting is a comma separated list 1756 | # of those ports and uses the same format as TCP_IN. The default setting of 1757 | # 0:65535,ICMP,INVALID,OPEN covers all ports 1758 | # 1759 | # Special values are: 1760 | # ICMP - include ICMP blocks (see ICMP_*) 1761 | # INVALID - include INVALID blocks (see PACKET_FILTER) 1762 | # OPEN - include TCP_IN and UDP_IN open port blocks - *[proto]_IN Blocked* 1763 | PS_PORTS = "0:65535,ICMP" 1764 | 1765 | # To specify how many different ports qualifies as a Port Scan you can increase 1766 | # the following from the default value of 1. The risk in doing so will mean 1767 | # that persistent attempts to attack a specific closed port will not be 1768 | # detected and blocked 1769 | PS_DIVERSITY = "1" 1770 | 1771 | # You can select whether IP blocks for Port Scan Tracking should be temporary 1772 | # or permanent. Set PS_PERMANENT to "0" for temporary and "1" for permanent 1773 | # blocking. If set to "0" PS_BLOCK_TIME is the amount of time in seconds to 1774 | # temporarily block the IP address for 1775 | PS_PERMANENT = "0" 1776 | PS_BLOCK_TIME = "3600" 1777 | 1778 | # Set the following to "1" to enable Port Scan Tracking email alerts, set to 1779 | # "0" to disable them 1780 | PS_EMAIL_ALERT = "1" 1781 | 1782 | ############################################################################### 1783 | # SECTION:User ID Tracking 1784 | ############################################################################### 1785 | # User ID Tracking. This feature tracks UID blocks logged by iptables to 1786 | # syslog. 
If a UID generates a port block that is logged more than UID_LIMIT 1787 | # times within UID_INTERVAL seconds, an alert will be sent 1788 | # 1789 | # Note: This feature will only track iptables blocks from the log file set in 1790 | # IPTABLES_LOG and if DROP_OUT_LOGGING and DROP_UID_LOGGING are enabled. 1791 | # 1792 | # To ignore specific UIDs list them in csf.uidignore and then restart lfd 1793 | # 1794 | # Set UID_INTERVAL to "0" to disable this feature. A value of between 60 and 300 1795 | # would be sensible to enable this feature 1796 | # 1797 | # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read 1798 | # this file about RESTRICT_SYSLOG before enabling this option: 1799 | UID_INTERVAL = "0" 1800 | UID_LIMIT = "10" 1801 | 1802 | # You can specify the ports and/or port ranges that should be tracked by the 1803 | # User ID Tracking feature. The following setting is a comma separated list 1804 | # of those ports and uses the same format as TCP_OUT. The default setting of 1805 | # 0:65535,ICMP covers all ports 1806 | UID_PORTS = "0:65535,ICMP" 1807 | 1808 | ############################################################################### 1809 | # SECTION:Account Tracking 1810 | ############################################################################### 1811 | # Account Tracking. The following options enable the tracking of modifications 1812 | # to the accounts on a server. If any of the enabled options are triggered by 1813 | # a modification to an account, an alert email is sent. Only the modification 1814 | # is reported. The cause of the modification will have to be investigated 1815 | # manually 1816 | # 1817 | # You can set AT_ALERT to the following: 1818 | # 0 = disable this feature 1819 | # 1 = enable this feature for all accounts 1820 | # 2 = enable this feature only for superuser accounts (UID = 0, e.g.
root, etc) 1821 | # 3 = enable this feature only for the root account 1822 | AT_ALERT = "2" 1823 | 1824 | # This option is the interval between checks in seconds 1825 | AT_INTERVAL = "60" 1826 | 1827 | # Send alert if a new account is created 1828 | AT_NEW = "1" 1829 | 1830 | # Send alert if an existing account is deleted 1831 | AT_OLD = "1" 1832 | 1833 | # Send alert if an account password has changed 1834 | AT_PASSWD = "1" 1835 | 1836 | # Send alert if an account uid has changed 1837 | AT_UID = "1" 1838 | 1839 | # Send alert if an account gid has changed 1840 | AT_GID = "1" 1841 | 1842 | # Send alert if an account login directory has changed 1843 | AT_DIR = "1" 1844 | 1845 | # Send alert if an account login shell has changed 1846 | AT_SHELL = "1" 1847 | 1848 | ############################################################################### 1849 | # SECTION:Integrated User Interface 1850 | ############################################################################### 1851 | # Integrated User Interface. This feature provides an HTML UI to csf and lfd, 1852 | # without requiring a control panel or web server. The UI runs as a sub process 1853 | # to the lfd daemon 1854 | # 1855 | # As it runs under the root account and successful login provides root access 1856 | # to the server, great care should be taken when configuring and using this 1857 | # feature. There are additional restrictions to enhance secure access to the UI 1858 | # 1859 | # See readme.txt for more information about using this feature BEFORE enabling 1860 | # it for security and access reasons 1861 | # 1862 | # 1 to enable, 0 to disable 1863 | UI = "0" 1864 | 1865 | # Set this to the port that you want to bind this service to.
You should configure 1866 | # this port to be >1023 and different from any other port already being used 1867 | # 1868 | # Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's 1869 | # to the port using Advanced Allow Filters (see readme.txt) 1870 | UI_PORT = "6666" 1871 | 1872 | # Optionally set the IP address to bind to. Normally this should be left blank 1873 | # to bind to all IP addresses on the server. 1874 | # 1875 | # If the server is configured for IPv6 but the IP to bind to is IPv4, then the 1876 | # IP address MUST use the IPv6 representation. For example 1.2.3.4 must use 1877 | # ::ffff:1.2.3.4 1878 | # 1879 | # Leave blank to bind to all IP addresses on the server 1880 | UI_IP = "" 1881 | 1882 | # This should be a secure, hard to guess username 1883 | # 1884 | # This must be changed from the default 1885 | UI_USER = "username" 1886 | 1887 | # This should be a secure, hard to guess password. That is, at least 8 1888 | # characters long with a mixture of upper and lowercase characters plus 1889 | # numbers and non-alphanumeric characters 1890 | # 1891 | # This must be changed from the default 1892 | UI_PASS = "password" 1893 | 1894 | # This is the login session timeout. If there is no activity for a logged in 1895 | # session within this number of seconds, the session will timeout and a new 1896 | # login will be required 1897 | # 1898 | # For security reasons, you should always keep this option low (i.e 60-300) 1899 | UI_TIMEOUT = "300" 1900 | 1901 | # This is the maximum concurrent connections allowed to the server. The default 1902 | # value should be sufficient 1903 | UI_CHILDREN = "5" 1904 | 1905 | # The number of login retries allowed within a 24 hour period. 
A successful 1906 | # login from the IP address will clear the failures 1907 | # 1908 | # For security reasons, you should always keep this option low (i.e 0-10) 1909 | UI_RETRY = "5" 1910 | 1911 | # If enabled, this option will add the connecting IP address to the file 1912 | # /etc/csf/ui/ui.ban after UI_RETRY login failures. The IP address will not be 1913 | # able to login to the UI while it is listed in this file. The UI_BAN setting 1914 | # does not refer to any of the csf/lfd allow or ignore files, e.g. csf.allow, 1915 | # csf.ignore, etc. 1916 | # 1917 | # For security reasons, you should always enable this option 1918 | UI_BAN = "1" 1919 | 1920 | # If enabled, only IPs (or CIDR's) listed in the file /etc/csf/ui/ui.allow will 1921 | # be allowed to login to the UI. The UI_ALLOW setting does not refer to any of 1922 | # the csf/lfd allow or ignore files, e.g. csf.allow, csf.ignore, etc. 1923 | # 1924 | # For security reasons, you should always enable this option and use ui.allow 1925 | UI_ALLOW = "1" 1926 | 1927 | # If enabled, this option will trigger an iptables block through csf after 1928 | # UI_RETRY login failures 1929 | # 1930 | # 0 = no block;1 = perm block;nn=temp block for nn secs 1931 | UI_BLOCK = "1" 1932 | 1933 | # This controls what email alerts are sent with regards to logins to the UI. It 1934 | # uses the uialert.txt template 1935 | # 1936 | # 4 = login success + login failure/ban/block + login attempts 1937 | # 3 = login success + login failure/ban/block 1938 | # 2 = login failure/ban/block 1939 | # 1 = login ban/block 1940 | # 0 = disabled 1941 | UI_ALERT = "4" 1942 | 1943 | # This is the SSL cipher list that the Integrated UI will negotiate from 1944 | UI_CIPHER = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH" 1945 | 1946 | # This is the SSL protocol version used. 
See IO::Socket::SSL if you wish to 1947 | # change this and to understand the implications of changing it 1948 | UI_SSL_VERSION = "SSLv23:!SSLv3:!SSLv2" 1949 | 1950 | # If cxs is installed then enabling this option will provide a dropdown box to 1951 | # switch between applications 1952 | UI_CXS = "0" 1953 | 1954 | # There is a modified installation of ConfigServer Explorer (cse) provided with 1955 | # the csf distribution. If this option is enabled it will provide a dropdown 1956 | # box to switch between applications 1957 | UI_CSE = "0" 1958 | 1959 | ############################################################################### 1960 | # SECTION:Messenger service 1961 | ############################################################################### 1962 | # Messenger service. This feature allows the display of a message to a blocked 1963 | # connecting IP address to inform the user that they are blocked in the 1964 | # firewall. This can help when users get themselves blocked, e.g. due to 1965 | # multiple login failures. The service is provided by two daemons running on 1966 | # ports providing either an HTML or TEXT message. 1967 | # 1968 | # This feature does not work on servers that do not have the iptables module 1969 | # ipt_REDIRECT loaded. Typically, this will be with MONOLITHIC kernels. VPS 1970 | # server admins should check with their VPS host provider that the iptables 1971 | # module is included. 1972 | # 1973 | # For further information on features and limitations refer to the csf 1974 | # readme.txt 1975 | # 1976 | # Note: Run /etc/csf/csftest.pl to check whether this option will function on 1977 | # this server 1978 | # 1979 | # 1 to enable, 0 to disable 1980 | MESSENGER = "0" 1981 | 1982 | # Provide this service to temporary IP address blocks 1983 | MESSENGER_TEMP = "1" 1984 | 1985 | # Provide this service to permanent IP address blocks 1986 | MESSENGER_PERM = "1" 1987 | 1988 | # User account to run the service servers under. 
We recommend creating a 1989 | # specific non-priv, non-shell account for this purpose 1990 | MESSENGER_USER = "csf" 1991 | 1992 | # This is the maximum concurrent connections allowed to each service server 1993 | MESSENGER_CHILDREN = "10" 1994 | 1995 | # Set this to the port that will receive the HTML message. You should configure 1996 | # this port to be >1023 and different from the TEXT port. Do NOT enable access 1997 | # to this port in TCP_IN 1998 | MESSENGER_HTML = "8888" 1999 | 2000 | # This comma separated list are the HTML ports that will be redirected for the 2001 | # blocked IP address. If you are using per application blocking (LF_TRIGGER) 2002 | # then only the relevant block port will be redirected to the messenger port 2003 | MESSENGER_HTML_IN = "80,2082,2095" 2004 | 2005 | # Set this to the port that will receive the TEXT message. You should configure 2006 | # this port to be >1023 and different from the HTML port. Do NOT enable access 2007 | # to this port in TCP_IN 2008 | MESSENGER_TEXT = "8889" 2009 | 2010 | # This comma separated list are the TEXT ports that will be redirected for the 2011 | # blocked IP address. If you are using per application blocking (LF_TRIGGER) 2012 | # then only the relevant block port will be redirected to the messenger port 2013 | MESSENGER_TEXT_IN = "21" 2014 | 2015 | # These settings limit the rate at which connections can be made to the 2016 | # messenger service servers. Its intention is to provide protection from 2017 | # attacks or excessive connections to the servers. 
If the rate is exceeded then 2018 | # iptables will revert for the duration to the normal blocking activity 2019 | # 2020 | # See the iptables man page for the correct --limit rate syntax 2021 | MESSENGER_RATE = "30/m" 2022 | MESSENGER_BURST = "5" 2023 | 2024 | ############################################################################### 2025 | # SECTION:lfd Clustering 2026 | ############################################################################### 2027 | # lfd Clustering. This allows the configuration of an lfd cluster environment 2028 | # where a group of servers can share blocks and configuration option changes. 2029 | # Included are CLI and UI options to send requests to the cluster. 2030 | # 2031 | # See the readme.txt file for more information and details on setup and 2032 | # security risks. 2033 | # 2034 | # Comma separated list of cluster member IP addresses to send requests to 2035 | CLUSTER_SENDTO = "" 2036 | 2037 | # Comma separated list of cluster member IP addresses to receive requests from 2038 | CLUSTER_RECVFROM = "" 2039 | 2040 | # IP address of the master node in the cluster allowed to send CLUSTER_CONFIG 2041 | # changes 2042 | CLUSTER_MASTER = "" 2043 | 2044 | # If this is a NAT server, set this to the public IP address of this server 2045 | CLUSTER_NAT = "" 2046 | 2047 | # If a cluster member should send requests on an IP other than the default IP, 2048 | # set it here 2049 | CLUSTER_LOCALADDR = "" 2050 | 2051 | # Cluster communication port (must be the same on all member servers). There 2052 | # is no need to open this port in the firewall as csf will automatically add 2053 | # in and out bound rules to allow communication between cluster members 2054 | CLUSTER_PORT = "7777" 2055 | 2056 | # This is a secret key used to encrypt cluster communications using the 2057 | # Blowfish algorithm. 
It should be between 8 and 56 characters long, 2058 | # preferably > 20 random characters 2059 | # 56 chars: 01234567890123456789012345678901234567890123456789012345 2060 | CLUSTER_KEY = "" 2061 | 2062 | # Automatically send lfd blocks to all members of CLUSTER_SENDTO. Those 2063 | # servers must have this servers IP address listed in their CLUSTER_RECVFROM 2064 | # 2065 | # Set to 0 to disable this feature 2066 | CLUSTER_BLOCK = "1" 2067 | 2068 | # This option allows the enabling and disabling of the Cluster configuration 2069 | # changing options --cconfig, --cconfigr, --cfile, --ccfile sent from the 2070 | # CLUSTER_MASTER server 2071 | # 2072 | # Set this option to 1 to allow Cluster configurations to be received 2073 | CLUSTER_CONFIG = "0" 2074 | 2075 | # Maximum number of child processes to listen on. High blocking rates or large 2076 | # clusters may need to increase this 2077 | CLUSTER_CHILDREN = "10" 2078 | 2079 | ############################################################################### 2080 | # SECTION:Port Knocking 2081 | ############################################################################### 2082 | # Port Knocking. This feature allows port knocking to be enabled on multiple 2083 | # ports with a variable number of knocked ports and a timeout. There must be a 2084 | # minimum of 3 ports to knock for an entry to be valid 2085 | # 2086 | # See the following for information regarding Port Knocking: 2087 | # http://www.portknocking.org/ 2088 | # 2089 | # This feature does not work on servers that do not have the iptables module 2090 | # ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. 
VPS 2091 | # server admins should check with their VPS host provider that the iptables 2092 | # module is included 2093 | # 2094 | # For further information and syntax refer to the Port Knocking section of the 2095 | # csf readme.txt 2096 | # 2097 | # Note: Run /etc/csf/csftest.pl to check whether this option will function on 2098 | # this server 2099 | # 2100 | # openport;protocol;timeout;kport1;kport2;kport3[...;kportN],... 2101 | # e.g.: 22;TCP;20;100;200;300;400 2102 | PORTKNOCKING = "" 2103 | 2104 | # Enable PORTKNOCKING logging by iptables 2105 | PORTKNOCKING_LOG = "1" 2106 | 2107 | # Send an email alert if the PORTKNOCKING port is opened. PORTKNOCKING_LOG must 2108 | # also be enabled to use this option 2109 | # 2110 | # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read 2111 | # this file about RESTRICT_SYSLOG before enabling this option: 2112 | PORTKNOCKING_ALERT = "0" 2113 | 2114 | ############################################################################### 2115 | # SECTION:Log Scanner 2116 | ############################################################################### 2117 | # Log Scanner. This feature will send out an email summary of the log lines of 2118 | # each log listed in /etc/csf/csf.logfiles. All lines will be reported unless 2119 | # they match a regular expression in /etc/csf/csf.logignore 2120 | # 2121 | # File globbing is supported for logs listed in /etc/csf/csf.logfiles. However, 2122 | # be aware that the more files lfd has to track, the greater the performance 2123 | # hit. Note: File globs are only evaluated when lfd is started 2124 | # 2125 | # Note: lfd builds the report continuously from lines logged after lfd has 2126 | # started, so any lines logged when lfd is not running will not be reported 2127 | # (e.g. during reboot). 
If lfd is restarted, then the report will include any 2128 | # lines logged during the previous lfd logging period that weren't reported 2129 | # 2130 | # 1 to enable, 0 to disable 2131 | LOGSCANNER = "0" 2132 | 2133 | # This is the interval each report will be sent based on the logalert.txt 2134 | # template 2135 | # 2136 | # The interval can be set to: 2137 | # "hourly" - sent on the hour 2138 | # "daily" - sent at midnight (00:00) 2139 | # "manual" - sent whenever "csf --logrun" is run. This allows for scheduling 2140 | # via cron job 2141 | LOGSCANNER_INTERVAL = "hourly" 2142 | 2143 | # Report Style 2144 | # 1 = Separate chronological log lines per log file 2145 | # 2 = Simply chronological log of all lines 2146 | LOGSCANNER_STYLE = "1" 2147 | 2148 | # Send the report email even if no log lines reported 2149 | # 1 to enable, 0 to disable 2150 | LOGSCANNER_EMPTY = "1" 2151 | 2152 | # Maximum number of lines in the report before it is truncated. This is to 2153 | # prevent log lines flooding resulting in an excessively large report. 
This 2154 | # might need to be increased if you choose a daily report 2155 | LOGSCANNER_LINES = "5000" 2156 | 2157 | ############################################################################### 2158 | # SECTION:Statistics Settings 2159 | ############################################################################### 2160 | # Statistics 2161 | # 2162 | # Some of the Statistics output requires the gd graphics library and the 2163 | # GD::Graph perl module with all dependent modules to be installed for the UI 2164 | # for them to be displayed 2165 | # 2166 | # This option enables statistical data gathering 2167 | ST_ENABLE = "1" 2168 | 2169 | # This option determines how many iptables log lines to store for reports 2170 | ST_IPTABLES = "100" 2171 | 2172 | # This option indicates whether rDNS and CC lookups are performed at the time 2173 | # the log line is recorded (this is not performed when viewing the reports) 2174 | # 2175 | # Warning: If DROP_IP_LOGGING is enabled and there are frequent iptables hits, 2176 | # then enabling this setting could cause serious performance problems 2177 | ST_LOOKUP = "0" 2178 | 2179 | # This option will gather basic system statistics. Through the UI it displays 2180 | # various graphs for disk, cpu, memory, network, etc usage over 4 intervals: 2181 | # . Hourly (per minute) 2182 | # . 24 hours (per minute) 2183 | # . 7 days (per minute averaged over an hour) 2184 | # . 30 days (per minute averaged over an hour) - user definable 2185 | # The data is stored in /var/lib/csf/stats/system and the option requires the 2186 | # perl GD::Graph module 2187 | # 2188 | # Note: Disk graphs do not show on Virtuozzo/OpenVZ servers as the kernel on 2189 | # those systems does not store the required information in /proc/diskstats 2190 | # On new installations or when enabling this option it will take time for these 2191 | # graphs to be populated 2192 | ST_SYSTEM = "1" 2193 | 2194 | # Set the maximum days to collect statistics for. 
The default is 30 days, the 2195 | # more data that is collected the longer it will take for each of the graphs to 2196 | # be generated 2197 | ST_SYSTEM_MAXDAYS = "30" 2198 | 2199 | # If ST_SYSTEM is enabled, then these options can collect MySQL statistical 2200 | # data. To use this option the server must have the perl modules DBI and 2201 | # DBD::mysql installed. 2202 | # 2203 | # Set this option to "0" to disable MySQL data collection 2204 | ST_MYSQL = "0" 2205 | 2206 | # The following options are for authentication for MySQL data collection. If 2207 | # the password is left blank and the user set to "root" then the procedure will 2208 | # look for authentication data in /root/.my.cnf. Otherwise, you will need to 2209 | # provide a MySQL username and password to collect the data. Any MySQL user 2210 | # account can be used 2211 | ST_MYSQL_USER = "root" 2212 | ST_MYSQL_PASS = "" 2213 | ST_MYSQL_HOST = "localhost" 2214 | 2215 | # If ST_SYSTEM is enabled, then this option can collect Apache statistical data 2216 | # The value for PT_APACHESTATUS must be correctly set 2217 | ST_APACHE = "0" 2218 | 2219 | # The following options measure disk write performance using dd (location set 2220 | # via the DD setting). It creates a 64MB file called /var/lib/dd_write_test and 2221 | # the statistics will plot the MB/s response time of the disk. As this is an IO 2222 | # intensive operation, it may not be prudent to run this test too often, so by 2223 | # default it is only run every 5 minutes and the result duplicated for each 2224 | # intervening minute for the statistics 2225 | # 2226 | # This is not necessarily a good measure of disk performance, primarily because 2227 | # the measurements are for relatively small amounts of data over a small amount 2228 | # of time. To properly test disk performance there are a variety of tools 2229 | # available that should be run for extended periods of time to obtain an 2230 | # accurate measurement. 
This metric is provided to give an idea of how the disk 2231 | # is performing over time 2232 | # 2233 | # Note: There is a 15 second timeout performing the check 2234 | # 2235 | # Set to 0 to disable, 1 to enable 2236 | ST_DISKW = "0" 2237 | 2238 | # The number of minutes that elapse between tests. Default is 5, minimum is 1. 2239 | ST_DISKW_FREQ = "5" 2240 | 2241 | # This is the command line passed to dd. If you are familiar with dd, or wish 2242 | # to move the output file (of) to a different disk, then you can alter this 2243 | # command. Take great care when making any changes to this command as it is 2244 | # very easy to overwrite a disk using dd if you make a mistake 2245 | ST_DISKW_DD = "if=/dev/zero of=/var/lib/csf/dd_test bs=1MB count=64 conv=fdatasync" 2246 | 2247 | ############################################################################### 2248 | # SECTION:OS Specific Settings 2249 | ############################################################################### 2250 | # Binary locations 2251 | IPTABLES = "/sbin/iptables" 2252 | IPTABLES_SAVE = "/sbin/iptables-save" 2253 | IPTABLES_RESTORE = "/sbin/iptables-restore" 2254 | IP6TABLES = "/sbin/ip6tables" 2255 | IP6TABLES_SAVE = "/sbin/ip6tables-save" 2256 | IP6TABLES_RESTORE = "/sbin/ip6tables-restore" 2257 | MODPROBE = "/sbin/modprobe" 2258 | IFCONFIG = "/sbin/ifconfig" 2259 | SENDMAIL = "/usr/sbin/sendmail" 2260 | PS = "/bin/ps" 2261 | VMSTAT = "/usr/bin/vmstat" 2262 | NETSTAT = "/bin/netstat" 2263 | LS = "/bin/ls" 2264 | MD5SUM = "/usr/bin/md5sum" 2265 | TAR = "/bin/tar" 2266 | CHATTR = "/usr/bin/chattr" 2267 | UNZIP = "/usr/bin/unzip" 2268 | GUNZIP = "/bin/gunzip" 2269 | DD = "/bin/dd" 2270 | TAIL = "/usr/bin/tail" 2271 | GREP = "/bin/grep" 2272 | IPSET = "/usr/sbin/ipset" 2273 | SYSTEMCTL = "/usr/bin/systemctl" 2274 | HOST = "/usr/bin/host" 2275 | IP = "/sbin/ip" 2276 | 2277 | # Log file locations 2278 | # 2279 | # File globbing is allowed for the following logs. 
However, be aware that the 2280 | # more files lfd has to track, the greater the performance hit 2281 | # 2282 | # Note: File globs are only evaluated when lfd is started 2283 | # 2284 | HTACCESS_LOG = "/usr/local/apache/logs/error_log" 2285 | MODSEC_LOG = "/usr/local/apache/logs/error_log" 2286 | SSHD_LOG = "/var/log/secure" 2287 | SU_LOG = "/var/log/secure" 2288 | FTPD_LOG = "/var/log/messages" 2289 | SMTPAUTH_LOG = "/var/log/exim_mainlog" 2290 | SMTPRELAY_LOG = "/var/log/exim_mainlog" 2291 | POP3D_LOG = "/var/log/maillog" 2292 | IMAPD_LOG = "/var/log/maillog" 2293 | CPANEL_LOG = "/usr/local/cpanel/logs/login_log" 2294 | CPANEL_ACCESSLOG = "/usr/local/cpanel/logs/access_log" 2295 | SCRIPT_LOG = "/var/log/exim_mainlog" 2296 | IPTABLES_LOG = "/var/log/messages" 2297 | SUHOSIN_LOG = "/var/log/messages" 2298 | BIND_LOG = "/var/log/messages" 2299 | SYSLOG_LOG = "/var/log/messages" 2300 | WEBMIN_LOG = "/var/log/secure" 2301 | 2302 | CUSTOM1_LOG = "/var/log/customlog" 2303 | CUSTOM2_LOG = "/var/log/customlog" 2304 | CUSTOM3_LOG = "/var/log/customlog" 2305 | CUSTOM4_LOG = "/var/log/customlog" 2306 | CUSTOM5_LOG = "/var/log/customlog" 2307 | CUSTOM6_LOG = "/var/log/customlog" 2308 | CUSTOM7_LOG = "/var/log/customlog" 2309 | CUSTOM8_LOG = "/var/log/customlog" 2310 | CUSTOM9_LOG = "/var/log/customlog" 2311 | 2312 | # The following are comma separated lists used if LF_SELECT is enabled, 2313 | # otherwise they are not used. They are derived from the application returned 2314 | # from a regex match in /usr/local/csf/bin/regex.pm 2315 | # 2316 | # All ports default to tcp blocks. To specify udp or tcp use the format: 2317 | # port;protocol,port;protocol,... 
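For example, "53;udp,53;tcp"
PORTS_pop3d = "110,995"
PORTS_imapd = "143,993"
PORTS_htpasswd = "80,443"
PORTS_mod_security = "80,443"
PORTS_mod_qos = "80,443"
PORTS_symlink = "80,443"
PORTS_suhosin = "80,443"
PORTS_cxs = "80,443"
PORTS_bind = "53;udp,53;tcp"
PORTS_ftpd = "20,21"
PORTS_webmin = "10000"
PORTS_cpanel = "2077,2078,2082,2083,2086,2087,2095,2096"
# This list is extended, if present, by the ports defined by
# /etc/chkservd/exim-*
PORTS_smtpauth = "25,465,587"
PORTS_eximsyntax = "25,465,587"
# This list is replaced, if present, by "Port" definitions in
# /etc/ssh/sshd_config
PORTS_sshd = "22"

# For internal use only. You should not enable this option as it could cause
# instability in csf and lfd
DEBUG = "0"
###############################################################################
--------------------------------------------------------------------------------
/roles/install-configserver-csf/handlers/main.yml:
--------------------------------------------------------------------------------
---
- name: restart csf
  command: /usr/sbin/csf -r

- name: restart lfd
  service:
    name: lfd
    state: restarted
--------------------------------------------------------------------------------
/roles/install-configserver-csf/tasks/install.yml:
--------------------------------------------------------------------------------
---
# Installs ConfigServer Security & Firewall (csf/lfd) from the upstream
# tarball and lays down this role's csf.conf / csf.allow. Only reached when
# tasks/main.yml found no /usr/sbin/csf (csf_installed == false).
- name: Download CSF gzipped tarball
  get_url:
    url: https://download.configserver.com/csf.tgz
    dest: /usr/src
    force: yes
    # NOTE(review): the download is protected by TLS only; no checksum is
    # pinned, so a vetted copy is not enforced. If change control requires
    # it, vet the tarball and pin it:
    #   checksum: sha256:<SHA256-OF-VETTED-TARBALL>
  register: csf_downloaded
  when: csf_installed == false
  tags: configserver_csf

- name: Unarchive CSF source
  unarchive:
    src: /usr/src/csf.tgz
    dest: /usr/src
    copy: no
  register: csf_unarchived
  # "is changed" is the Jinja test form; the "|changed" filter used before
  # was deprecated in Ansible 2.5 and removed in 2.9.
  when: csf_downloaded is changed and csf_installed == false
  tags: configserver_csf

- name: Install CSF
  # The installer runs as root; "creates" keeps the task idempotent once
  # /usr/sbin/csf exists. No shell features are needed, so "command" is used.
  command: bash /usr/src/csf/install.sh
  args:
    chdir: /usr/src/csf
    creates: /usr/sbin/csf
  when: csf_unarchived is changed and csf_installed == false
  register: csf_install_completed
  tags: configserver_csf

- name: Maintain CSF Config
  copy:
    src: csf.conf
    dest: /etc/csf/csf.conf
    # csf.conf can carry secrets (CLUSTER_KEY, ST_MYSQL_PASS), so keep it
    # root-only, matching the csf.allow task below.
    owner: root
    group: root
    mode: 0600
  when: csf_install_completed is changed and is_openvz == 'false'
  notify:
    - restart csf
    - restart lfd
  tags: configserver_csf

- name: Maintain CSF OpenVZ Config
  copy:
    # Fix: this task previously copied the same csf.conf as the non-OpenVZ
    # task, leaving files/csf.conf_openvz unused.
    src: csf.conf_openvz
    dest: /etc/csf/csf.conf
    owner: root
    group: root
    mode: 0600
  when: csf_install_completed is changed and is_openvz == 'true' and ansible_venet0 is defined
  notify:
    - restart csf
    - restart lfd
  tags: configserver_csf

- name: Copy csfpre.sh
  # NOTE(review): files/csfpre.sh is not present in this role (files/ holds
  # csf.allow, csf.conf and csf.conf_openvz only), so on OpenVZ hosts this
  # task fails until the script is added to the role.
  copy:
    src: csfpre.sh
    dest: /etc/csf/csfpre.sh
  when: csf_install_completed is changed and is_openvz == 'true' and ansible_venet0 is defined
  notify:
    - restart csf
    - restart lfd
  tags: configserver_csf

- name: Maintain CSF Allow
  copy:
    src: csf.allow
    dest: /etc/csf/csf.allow
    owner: root
    group: root
    mode: 0600
  when: csf_install_completed is changed
  notify: restart csf
  tags: configserver_csf
--------------------------------------------------------------------------------
/roles/install-configserver-csf/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Detects an existing csf install and only then includes the installer;
# the stat runs in check mode too so csf_installed is always defined.
- name: Check if CSF is installed
  stat:
    path: /usr/sbin/csf
  register: csf_check
  changed_when: false
  check_mode: no
  tags: always

- name: Create csf_installed variable.
  set_fact:
    csf_installed: "{{ csf_check.stat.exists|bool }}"
  check_mode: no
  tags: always

- name: Include the CSF Installer Task
  include_tasks: install.yml
  when: csf_installed != true and (install_csf is defined and install_csf == 'true')
--------------------------------------------------------------------------------
/roles/install-configserver-cxs/defaults/main.yml:
--------------------------------------------------------------------------------
---
install_cxs: 'false'
--------------------------------------------------------------------------------
/roles/install-configserver-cxs/tasks/install.yml:
--------------------------------------------------------------------------------
---
# Installs ConfigServer eXploit Scanner (cxs) from the upstream installer
# tarball. Only reached when tasks/main.yml found no /usr/sbin/cxs.
- name: Download CXS gzipped tarball
  get_url:
    url: https://download.configserver.com/cxsinstaller.tgz
    dest: /usr/src
    force: yes
    # NOTE(review): TLS only, no pinned checksum (same as the csf role);
    # pin `checksum: sha256:<SHA256-OF-VETTED-TARBALL>` if required.
  register: cxs_downloaded
  when: cxs_installed == false
  tags: configserver_cxs

- name: Unarchive CXS source
  unarchive:
    src: /usr/src/cxsinstaller.tgz
    dest: /usr/src
    copy: no
  register: cxs_unarchived
  # "is changed" replaces the "|changed" filter removed in Ansible 2.9.
  when: cxs_downloaded is changed and cxs_installed == false
  tags: configserver_cxs

- name: Install CXS
  # Runs the unpacked installer as root; "creates" keeps the task idempotent
  # once /usr/sbin/cxs exists.
  command: perl /usr/src/cxsinstaller.pl
  args:
    chdir: /usr/src
    creates: /usr/sbin/cxs
  when: cxs_unarchived is changed and cxs_installed == false
  register: cxs_install_completed
  tags: configserver_cxs
--------------------------------------------------------------------------------
/roles/install-configserver-cxs/tasks/main.yml:
--------------------------------------------------------------------------------
---
- name: Check if CXS is installed
  stat:
    path: /usr/sbin/cxs
  register: cxs_check
  changed_when: false
  check_mode: no
  tags: always

- name: Create cxs_installed variable.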
11 | set_fact: 12 | cxs_installed: "{{ cxs_check.stat.exists|bool }}" 13 | check_mode: no 14 | tags: always 15 | 16 | - name: Include the CXS Installer Task 17 | include_tasks: install.yml 18 | when: cxs_installed != true and (install_cxs is defined and install_cxs == 'true') 19 | -------------------------------------------------------------------------------- /roles/install-cpanel/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ## cPanel options for wwwacct.conf 3 | nameserver_primary: ns1.yourdomain.com 4 | nameserver_secondary: ns2.yourdomain.com 5 | nameserver_tertiary: #optional 6 | nameserver_quaternary: #optional 7 | 8 | cpanel_contact_pager: #optional (email address) 9 | cpanel_email_address: #optional (email address) 10 | 11 | cpanel_maxemailsperhour: 500 12 | 13 | restore_accounts: -------------------------------------------------------------------------------- /roles/install-cpanel/files/cpanel.config: -------------------------------------------------------------------------------- 1 | #### NOTICE #### 2 | # After manually editing any configuration settings in this file, 3 | # please run '/usr/local/cpanel/scripts/restartsrv_cpsrvd' or 4 | # 'service cpanel restart' to fully update your server's configuration. 
5 | 6 | RS=paper_lantern 7 | VFILTERDIR=/etc/vfilters 8 | access_log=/usr/local/cpanel/logs/access_log 9 | account_login_access=owner_root 10 | adminuser=cpanel 11 | allow_login_autocomplete=1 12 | allow_server_info_status_from= 13 | allow_weak_checksums=0 14 | allowcpsslinstall=1 15 | allowparkhostnamedomainsubdomains=0 16 | allowwhmparkonothers=0 17 | allowparkonothers=0 18 | allowremotedomains=0 19 | allowresellershostnamedomainsubdomains=0 20 | allowunregistereddomains=0 21 | alwaysredirecttossl=1 22 | anon_data_optout=0 23 | apache_port=0.0.0.0:80 24 | apache_ssl_port=0.0.0.0:443 25 | api_shell=0 26 | autocreateaentries=1 27 | autodiscover_host=cpanelemaildiscovery.cpanel.net 28 | autodiscover_mail_service=imap 29 | autodiscover_proxy_subdomains=0 30 | awstatsbrowserupdate=0 31 | awstatsreversedns=0 32 | basename=cpanel 33 | bind_deferred_restart_time=2 34 | blockcommondomains=1 35 | bwcycle=2 36 | cgiemaildisabled=0 37 | cgihidepass=1 38 | check_zone_owner=1 39 | check_zone_syntax=1 40 | chkservd_check_interval=300 41 | chkservd_hang_allowed_intervals=2 42 | chkservd_plaintext_notify=0 43 | cluster_autodisable_threshold=10 44 | cluster_failure_notifications=1 45 | conserve_memory=0 46 | cookieipvalidation=strict 47 | coredump=0 48 | cpaddons_adminemail= 49 | cpaddons_autoupdate=1 50 | cpaddons_max_moderation_req_all_mod=99 51 | cpaddons_max_moderation_req_per_mod=99 52 | cpaddons_moderation_request=0 53 | cpaddons_no_3rd_party=0 54 | cpaddons_no_modified_cpanel=1 55 | cpaddons_notify_owner=1 56 | cpaddons_notify_root=1 57 | cpaddons_notify_users=Allow users to choose 58 | cpanel_locale= 59 | cpredirect=Origin Domain Name 60 | cpredirectssl=SSL Certificate Name 61 | cpsrvd-domainlookup=0 62 | create_account_dkim=1 63 | create_account_spf=0 64 | cycle_hours=24 65 | database_prefix=1 66 | debughooks=0 67 | default_archive-logs=1 68 | default_login_theme=cpanel 69 | default_remove-old-archived-logs=1 70 | defaultmailaction=localuser 71 | 
disable-php-as-reseller-security=0 72 | disablequotacache=0 73 | discardformmailbccsubject=1 74 | disk_usage_include_mailman=1 75 | disk_usage_include_sqldbs=1 76 | dnsadmin_log=0 77 | dnsadmin_verbose_sync=0 78 | dnsadminapp 79 | dnslookuponconnect=0 80 | docroot=/usr/local/cpanel/base 81 | domainowner_mail_pass=0 82 | dormant_services=cpdavd,cphulkd,cpsrvd,dnsadmin,spamd 83 | dumplogs=1 84 | email_account_quota_default_selected=userdefined 85 | email_account_quota_userdefined_default_value=1024 86 | email_send_limits_count_mailman=0 87 | email_send_limits_defer_cutoff=125 88 | email_send_limits_max_defer_fail_percentage 89 | email_send_limits_min_defer_fail_to_trigger_protection=5 90 | emailarchive=1 91 | emailpasswords=0 92 | emailusers_diskusage_critical_contact_admin=1 93 | emailusers_diskusage_critical_percent=90 94 | emailusers_diskusage_full_contact_admin=1 95 | emailusers_diskusage_full_percent=98 96 | emailusers_diskusage_warn_contact_admin=0 97 | emailusers_diskusage_warn_percent=80 98 | emailusers_mailbox_critical_percent=90 99 | emailusers_mailbox_full_percent=98 100 | emailusers_mailbox_warn_percent=80 101 | emailusersbandwidthexceed=0 102 | emailusersbandwidthexceed70=0 103 | emailusersbandwidthexceed75=0 104 | emailusersbandwidthexceed80=1 105 | emailusersbandwidthexceed85=0 106 | emailusersbandwidthexceed90=0 107 | emailusersbandwidthexceed95=0 108 | emailusersbandwidthexceed97=0 109 | emailusersbandwidthexceed98=0 110 | emailusersbandwidthexceed99=0 111 | empty_trash_days=disabled 112 | enable_piped_logs=0 113 | enablecompileroptimizations=0 114 | engine=cpanel 115 | enginepl=cpanel.pl 116 | engineroot=/usr/local/cpanel 117 | exim-retrytime=15 118 | exim_retention_days=10 119 | eximmailtrap=1 120 | extracpus=0 121 | file_upload_max_bytes 122 | file_upload_must_leave_bytes=5 123 | file_usage=0 124 | ftppasslogs=0 125 | ftpquotacheck_expire_time=30 126 | ftpserver=pure-ftpd 127 | gzip_compression_level=6 128 | gzip_pigz_block_size=4096 129 | 
gzip_pigz_processes=1 130 | htaccess_check_recurse=2 131 | ignoredepreciated=0 132 | invite_sub=1 133 | ionice_bandwidth_processing=6 134 | ionice_cpbackup=6 135 | ionice_email_archive_maintenance=7 136 | ionice_dovecot_maintenance=7 137 | ionice_ftpquotacheck=6 138 | ionice_log_processing=7 139 | ionice_quotacheck=6 140 | ionice_userbackup=7 141 | ionice_userproc=6 142 | ipv6_control=0 143 | ipv6_listen=0 144 | jailapache=0 145 | jaildefaultshell=0 146 | jailmountbinsuid=0 147 | jailmountusrbinsuid=0 148 | jailprocmode=mount_proc_jailed_fallback_full 149 | keepftplogs=0 150 | keeplogs=0 151 | keepstatslog=0 152 | loadthreshold 153 | local_nameserver_type=bind 154 | logchmod=0640 155 | logout_redirect_url= 156 | log_successful_logins=0 157 | mailbox_storage_format=maildir 158 | mailserver=dovecot 159 | maxcpsrvdconnections=200 160 | maxemailsperhour 161 | maxmem=768 162 | minpwstrength=65 163 | modsec_keep_hits=7 164 | mycnf_auto_adjust_openfiles_limit=1 165 | mycnf_auto_adjust_maxallowedpacket=1 166 | mycnf_auto_adjust_innodb_buffer_pool_size=0 167 | myname=cpaneld 168 | mysql-host=localhost 169 | mysql-version=5.6 170 | mysqldebug=0 171 | maintenance_rpm_version_check=1 172 | maintenance_rpm_version_digest_check=1 173 | nobodyspam=1 174 | nocpbackuplogs=0 175 | nosendlangupdates=0 176 | numacctlist=30 177 | overwritecustomproxysubdomains=0 178 | overwritecustomsrvrecords=0 179 | permit_appconfig_entries_without_acls=0 180 | permit_appconfig_entries_without_features=0 181 | permit_unregistered_apps_as_reseller=0 182 | permit_unregistered_apps_as_root=0 183 | php_max_execution_time=90 184 | php_post_max_size=55 185 | php_upload_max_filesize=50 186 | phploader=ioncube 187 | phpopenbasedirhome=0 188 | popbeforesmtpsenders=0 189 | popbeforesmtp=0 190 | postgresdebug=0 191 | product=cPanel 192 | proxysubdomains=1 193 | proxysubdomainsfornewaccounts=1 194 | proxysubdomainsoverride=1 195 | publichtmlsubsonly=1 196 | query_apache_for_nobody_senders=1 197 | 
referrerblanksafety=1 198 | referrersafety=1 199 | remotewhmtimeout=35 200 | repquota_timeout=60 201 | requiressl=1 202 | resetpass=1 203 | resetpass_sub=1 204 | root=/usr/local/cpanel 205 | rotatelogs_size_threshhold_in_megabytes=300 206 | roundcube_db=mysql 207 | security_advice_changes_notifications=0 208 | send_error_reports=1 209 | send_server_configuration=1 210 | send_server_usage=1 211 | server_locale=en 212 | showwhmbwusageinmegs=0 213 | signature_validation=Release Keyring Only 214 | skip_chkservd_recovery_notify=0 215 | skipanalog=0 216 | skiprecentauthedmailiptracker=0 217 | skipapacheclientsoptimizer=0 218 | skipawstats=0 219 | skipboxcheck=1 220 | skipboxtrapper=1 221 | skipbwlimitcheck=0 222 | skipchkservd=0 223 | skipcpbandwd=0 224 | skipdiskcheck=0 225 | skipoomcheck=0 226 | skipdiskusage=0 227 | skipeximstats=0 228 | skipformmail=1 229 | skiphorde=0 230 | skiphttpauth=1 231 | skipjailmanager=0 232 | skipmailman=0 233 | skipmailauthoptimizer=0 234 | skipmodseclog=0 235 | skipnotifyacctbackupfailure=0 236 | skipparentcheck=0 237 | skiproundcube=0 238 | skipspamassassin=0 239 | skipspambox=1 240 | skipsqmail=0 241 | skiptailwatchd=0 242 | skipwebalizer=0 243 | smtpmailgidonly=1 244 | stats_log=/usr/local/cpanel/logs/stats_log 245 | statsloglevel=1 246 | statthreshhold=256 247 | system_diskusage_critical_percent=92.55 248 | system_diskusage_warn_percent=82.55 249 | tcp_check_failure_threshold=3 250 | transfers_timeout=1800 251 | tweak_unset_vars= 252 | upcp_log_retention_days=45 253 | update_log_analysis_retention_length=90 254 | use_apache_md5_for_htaccess=1 255 | use_information_schema=1 256 | useauthnameservers=0 257 | usemailformailmanurl=0 258 | usemysqloldpass=0 259 | userdirprotect=1 260 | verify_3rdparty_cpaddons=0 261 | version=3.4 262 | -------------------------------------------------------------------------------- /roles/install-cpanel/files/cpanel.config_ea3: -------------------------------------------------------------------------------- 
1 | #### NOTICE #### 2 | # After manually editing any configuration settings in this file, 3 | # please run '/usr/local/cpanel/scripts/restartsrv_cpsrvd' or 4 | # 'service cpanel restart' to fully update your server's configuration. 5 | 6 | RS=x3 7 | SecurityPolicy::TwoFactorAuth=1 8 | VFILTERDIR=/etc/vfilters 9 | access_log=/usr/local/cpanel/logs/access_log 10 | account_login_access=owner_root 11 | adminuser=cpanel 12 | allow_login_autocomplete=1 13 | allow_server_info_status_from= 14 | allow_weak_checksums=0 15 | allowcpsslinstall=1 16 | allowparkhostnamedomainsubdomains=0 17 | allowparkonothers=0 18 | allowremotedomains=0 19 | allowresellershostnamedomainsubdomains=0 20 | allowunregistereddomains=0 21 | allowwhmparkonothers=0 22 | alwaysredirecttossl=1 23 | anon_data_optout=0 24 | apache_port=0.0.0.0:80 25 | apache_ssl_port=0.0.0.0:443 26 | api_shell=0 27 | autocreateaentries=1 28 | autodiscover_host=cpanelemaildiscovery.cpanel.net 29 | autodiscover_mail_service=imap 30 | autodiscover_proxy_subdomains=0 31 | awstatsbrowserupdate=0 32 | awstatsreversedns=0 33 | basename=cpanel 34 | bind_deferred_restart_time=0 35 | blockcommondomains=1 36 | bwcycle=2 37 | cgiemaildisabled=0 38 | cgihidepass=1 39 | check_zone_owner=1 40 | check_zone_syntax=1 41 | chkservd_check_interval=300 42 | chkservd_hang_allowed_intervals=2 43 | chkservd_plaintext_notify=0 44 | cluster_autodisable_threshold=10 45 | cluster_failure_notifications=1 46 | conserve_memory=0 47 | cookieipvalidation=disabled 48 | coredump=0 49 | cpaddons_adminemail= 50 | cpaddons_autoupdate=1 51 | cpaddons_max_moderation_req_all_mod=99 52 | cpaddons_max_moderation_req_per_mod=99 53 | cpaddons_moderation_request=0 54 | cpaddons_no_3rd_party=0 55 | cpaddons_no_modified_cpanel=1 56 | cpaddons_notify_owner=1 57 | cpaddons_notify_root=1 58 | cpaddons_notify_users=Allow users to choose 59 | cpanel_locale= 60 | cpredirect=Origin Domain Name 61 | cpredirectssl=SSL Certificate Name 62 | cpsrvd-domainlookup=0 63 | 
create_account_dkim=1 64 | create_account_spf=0 65 | cycle_hours=24 66 | database_prefix=1 67 | debughooks=0 68 | default_archive-logs=1 69 | default_login_theme=cpanel 70 | default_remove-old-archived-logs=1 71 | defaultmailaction=localuser 72 | disable-php-as-reseller-security=0 73 | disableipnscheck=0 74 | disablequotacache=0 75 | discardformmailbccsubject=1 76 | disk_usage_include_mailman=1 77 | disk_usage_include_sqldbs=1 78 | dnsadmin_log=0 79 | dnsadmin_verbose_sync=0 80 | dnsadminapp 81 | dnslookuponconnect=0 82 | docroot=/usr/local/cpanel/base 83 | domainowner_mail_pass=0 84 | dormant_services=cpdavd,cphulkd,cpsrvd,dnsadmin,spamd 85 | dumplogs=1 86 | email_account_quota_default_selected=userdefined 87 | email_account_quota_userdefined_default_value=1024 88 | email_send_limits_count_mailman=0 89 | email_send_limits_defer_cutoff=125 90 | email_send_limits_max_defer_fail_percentage 91 | email_send_limits_min_defer_fail_to_trigger_protection=5 92 | emailarchive=1 93 | emailpasswords=0 94 | emailusers_diskusage_critical_contact_admin=1 95 | emailusers_diskusage_critical_percent=90.0000 96 | emailusers_diskusage_full_contact_admin=1 97 | emailusers_diskusage_full_percent=98.0000 98 | emailusers_diskusage_warn_contact_admin=0 99 | emailusers_diskusage_warn_percent=80.0000 100 | emailusers_mailbox_critical_percent=90.0000 101 | emailusers_mailbox_full_percent=98.0000 102 | emailusers_mailbox_warn_percent=80.0000 103 | emailusersbandwidthexceed=0 104 | emailusersbandwidthexceed70=0 105 | emailusersbandwidthexceed75=0 106 | emailusersbandwidthexceed80=1 107 | emailusersbandwidthexceed85=0 108 | emailusersbandwidthexceed90=0 109 | emailusersbandwidthexceed95=0 110 | emailusersbandwidthexceed97=0 111 | emailusersbandwidthexceed98=0 112 | emailusersbandwidthexceed99=0 113 | enable_piped_logs=0 114 | enablecompileroptimizations=0 115 | engine=cpanel 116 | enginepl=cpanel.pl 117 | engineroot=/usr/local/cpanel 118 | exim-retrytime=15 119 | exim_retention_days=10 120 | 
eximmailtrap=1 121 | extracpus=0 122 | file_upload_max_bytes 123 | file_upload_must_leave_bytes=5 124 | file_usage=0 125 | ftppasslogs=0 126 | ftpquotacheck_expire_time=30 127 | ftpserver=pure-ftpd 128 | gzip_compression_level=6 129 | gzip_pigz_block_size=4096 130 | gzip_pigz_processes=1 131 | htaccess_check_recurse=2 132 | ignoredepreciated=0 133 | ionice_bandwidth_processing=6 134 | ionice_cpbackup=6 135 | ionice_email_archive_maintenance=7 136 | ionice_ftpquotacheck=6 137 | ionice_log_processing=7 138 | ionice_quotacheck=6 139 | ionice_userbackup=7 140 | ionice_userproc=6 141 | ipv6_control=0 142 | ipv6_listen=0 143 | jailapache=0 144 | jaildefaultshell=0 145 | jailmountbinsuid=0 146 | jailmountusrbinsuid=0 147 | jailprocmode=mount_proc_jailed_fallback_full 148 | keepftplogs=0 149 | keeplogs=0 150 | keepstatslog=0 151 | loadthreshold 152 | local_nameserver_type=bind 153 | logchmod=0640 154 | logout_redirect_url= 155 | lve_enablepythonapp=0 156 | lve_enablerubyapp=0 157 | mailserver=dovecot 158 | maintenance_rpm_version_check=1 159 | maintenance_rpm_version_digest_check=1 160 | maxcpsrvdconnections=200 161 | maxemailsperhour=100 162 | maxmem=512 163 | minpwstrength=65 164 | modsec_keep_hits=7 165 | mycnf_auto_adjust_innodb_buffer_pool_size=0 166 | mycnf_auto_adjust_maxallowedpacket=1 167 | mycnf_auto_adjust_openfiles_limit=1 168 | myname=cpaneld 169 | mysql-host=localhost 170 | mysql-version=5.6 171 | mysqldebug=0 172 | nativessl=1 173 | nobodyspam=0 174 | nocpbackuplogs=0 175 | nosendlangupdates=0 176 | numacctlist=30 177 | overwritecustomproxysubdomains=0 178 | overwritecustomsrvrecords=0 179 | permit_appconfig_entries_without_acls=0 180 | permit_appconfig_entries_without_features=0 181 | permit_unregistered_apps_as_reseller=0 182 | permit_unregistered_apps_as_root=0 183 | php_max_execution_time=90 184 | php_post_max_size=55 185 | php_upload_max_filesize=50 186 | phploader=ioncube 187 | phpopenbasedirhome=1 188 | popbeforesmtp=0 189 | popbeforesmtpsenders=0 190 
| port=2082 191 | postgresdebug=0 192 | product=cPanel 193 | proxysubdomains=1 194 | proxysubdomainsfornewaccounts=1 195 | proxysubdomainsoverride=1 196 | publichtmlsubsonly=0 197 | referrerblanksafety=1 198 | referrersafety=1 199 | remotewhmtimeout=35 200 | repquota_timeout=60 201 | requiressl=1 202 | resetpass=0 203 | resetpass_sub=0 204 | root=/usr/local/cpanel 205 | rotatelogs_size_threshhold_in_megabytes=300 206 | roundcube_db=mysql 207 | send_error_reports=1 208 | send_server_configuration=1 209 | send_server_usage=1 210 | server_locale=en 211 | showwhmbwusageinmegs=0 212 | signature_validation=Release Keyring Only 213 | skip_chkservd_recovery_notify=0 214 | skipanalog=0 215 | skipapacheclientsoptimizer=0 216 | skipawstats=0 217 | skipboxcheck=1 218 | skipboxtrapper=1 219 | skipbwlimitcheck=0 220 | skipchkservd=0 221 | skipcpbandwd=0 222 | skipdiskcheck=0 223 | skipdiskusage=0 224 | skipeximstats=0 225 | skipformmail=1 226 | skiphorde=0 227 | skiphttpauth=1 228 | skipjailmanager=0 229 | skipmailauthoptimizer=0 230 | skipmailman=0 231 | skipmodseclog=0 232 | skipnotifyacctbackupfailure=0 233 | skipoomcheck=0 234 | skipparentcheck=0 235 | skiprecentauthedmailiptracker=0 236 | skiproundcube=0 237 | skipspamassassin=0 238 | skipspambox=1 239 | skipsqmail=0 240 | skiptailwatchd=0 241 | skipwebalizer=0 242 | skipwhoisns=0 243 | smtpmailgidonly=0 244 | stats_log=/usr/local/cpanel/logs/stats_log 245 | statsloglevel=1 246 | statthreshhold=256 247 | stunnel=0 248 | system_diskusage_critical_percent=92.5500 249 | system_diskusage_warn_percent=82.5500 250 | tcp_check_failure_threshold=3 251 | transfers_timeout=1800 252 | tweak_unset_vars= 253 | upcp_log_retention_days=45 254 | update_log_analysis_retention_length=90 255 | use_apache_md5_for_htaccess=1 256 | use_information_schema=1 257 | useauthnameservers=0 258 | usemailformailmanurl=0 259 | usemysqloldpass=0 260 | userdirprotect=0 261 | verify_3rdparty_cpaddons=0 262 | version=3.4 
-------------------------------------------------------------------------------- /roles/install-cpanel/files/features/default: -------------------------------------------------------------------------------- 1 | zoneedit=1 2 | api_shell=0 3 | modsecurity=1 -------------------------------------------------------------------------------- /roles/install-cpanel/files/pure-ftpd.conf: -------------------------------------------------------------------------------- 1 | 2 | ############################################################ 3 | # # 4 | # Configuration file for pure-ftpd wrappers # 5 | # # 6 | ############################################################ 7 | 8 | # If you want to run Pure-FTPd with this configuration 9 | # instead of command-line options, please run the 10 | # following command : 11 | # 12 | # /usr/sbin/pure-config.pl /usr/etc/pure-ftpd.conf 13 | # 14 | # Please don't forget to have a look at documentation at 15 | # http://www.pureftpd.org/documentation.shtml for a complete list of 16 | # options. 17 | 18 | # Cage in every user in his home directory 19 | 20 | ChrootEveryone yes 21 | 22 | 23 | 24 | # If the previous option is set to "no", members of the following group 25 | # won't be caged. Others will be. If you don't want chroot()ing anyone, 26 | # just comment out ChrootEveryone and TrustedGID. 27 | 28 | # TrustedGID 100 29 | 30 | 31 | 32 | # Turn on compatibility hacks for broken clients 33 | 34 | BrokenClientsCompatibility no 35 | 36 | 37 | 38 | # Maximum number of simultaneous users 39 | 40 | MaxClientsNumber 50 41 | 42 | 43 | 44 | # Fork in background 45 | 46 | Daemonize Yes 47 | 48 | 49 | 50 | # Maximum number of sim clients with the same IP address 51 | 52 | MaxClientsPerIP 8 53 | 54 | 55 | 56 | # If you want to log all client commands, set this to "yes". 57 | # This directive can be duplicated to also log server responses. 58 | 59 | VerboseLog no 60 | 61 | 62 | 63 | # List dot-files even when the client doesn't send "-a". 
64 | 65 | DisplayDotFiles yes 66 | 67 | 68 | 69 | # Don't allow authenticated users - have a public anonymous FTP only. 70 | 71 | AnonymousOnly no 72 | 73 | 74 | 75 | # Disallow anonymous connections. Only allow authenticated users. 76 | 77 | NoAnonymous yes 78 | 79 | 80 | 81 | # Syslog facility (auth, authpriv, daemon, ftp, security, user, local*) 82 | # The default facility is "ftp". "none" disables logging. 83 | 84 | SyslogFacility ftp 85 | 86 | 87 | 88 | # Display fortune cookies 89 | 90 | # FortunesFile /usr/share/fortune/zippy 91 | 92 | 93 | 94 | # Don't resolve host names in log files. Logs are less verbose, but 95 | # it uses less bandwidth. Set this to "yes" on very busy servers or 96 | # if you don't have a working DNS. 97 | 98 | DontResolve yes 99 | 100 | 101 | 102 | # Maximum idle time in minutes (default = 15 minutes) 103 | 104 | MaxIdleTime 15 105 | 106 | 107 | 108 | # LDAP configuration file (see README.LDAP) 109 | 110 | # LDAPConfigFile /etc/pureftpd-ldap.conf 111 | 112 | 113 | 114 | # MySQL configuration file (see README.MySQL) 115 | 116 | # MySQLConfigFile /etc/pureftpd-mysql.conf 117 | 118 | 119 | # Postgres configuration file (see README.PGSQL) 120 | 121 | # PGSQLConfigFile /etc/pureftpd-pgsql.conf 122 | 123 | 124 | # PureDB user database (see README.Virtual-Users) 125 | 126 | # PureDB /etc/pureftpd.pdb 127 | 128 | 129 | # Path to pure-authd socket (see README.Authentication-Modules) 130 | 131 | ExtAuth /var/run/ftpd.sock 132 | 133 | 134 | 135 | # If you want to enable PAM authentication, uncomment the following line 136 | 137 | # PAMAuthentication yes 138 | 139 | 140 | 141 | # If you want simple Unix (/etc/passwd) authentication, uncomment this 142 | 143 | # UnixAuthentication yes 144 | 145 | 146 | 147 | # Please note that LDAPConfigFile, MySQLConfigFile, PAMAuthentication and 148 | # UnixAuthentication can be used only once, but they can be combined 149 | # together. 
For instance, if you use MySQLConfigFile, then UnixAuthentication, 150 | # the SQL server will be asked. If the SQL authentication fails because the 151 | # user wasn't found, another try # will be done with /etc/passwd and 152 | # /etc/shadow. If the SQL authentication fails because the password was wrong, 153 | # the authentication chain stops here. Authentication methods are chained in 154 | # the order they are given. 155 | 156 | 157 | 158 | # 'ls' recursion limits. The first argument is the maximum number of 159 | # files to be displayed. The second one is the max subdirectories depth 160 | 161 | LimitRecursion 10000 8 162 | 163 | 164 | 165 | # Are anonymous users allowed to create new directories ? 166 | 167 | AnonymousCanCreateDirs no 168 | 169 | 170 | 171 | # If the system is more loaded than the following value, 172 | # anonymous users aren't allowed to download. 173 | 174 | MaxLoad 4 175 | 176 | 177 | 178 | # Port range for passive connections replies. - for firewalling. 179 | 180 | PassivePortRange 30000 50000 181 | 182 | 183 | 184 | # Force an IP address in PASV/EPSV/SPSV replies. - for NAT. 185 | # Symbolic host names are also accepted for gateways with dynamic IP 186 | # addresses. 187 | 188 | # ForcePassiveIP 192.168.0.1 189 | 190 | 191 | 192 | # Upload/download ratio for anonymous users. 193 | 194 | # AnonymousRatio 1 10 195 | 196 | 197 | 198 | # Upload/download ratio for all users. 199 | # This directive superscedes the previous one. 200 | 201 | # UserRatio 1 10 202 | 203 | 204 | 205 | # Disallow downloading of files owned by "ftp", ie. 206 | # files that were uploaded but not validated by a local admin. 207 | 208 | AntiWarez yes 209 | 210 | 211 | 212 | # IP address/port to listen to (default=all IP and port 21). 
213 | 214 | Bind 21 215 | 216 | 217 | 218 | # Maximum bandwidth for anonymous users in KB/s 219 | 220 | # AnonymousBandwidth 8 221 | 222 | 223 | 224 | # Maximum bandwidth for *all* users (including anonymous) in KB/s 225 | # Use AnonymousBandwidth *or* UserBandwidth, both makes no sense. 226 | 227 | # UserBandwidth 8 228 | 229 | 230 | 231 | # File creation mask. : . 232 | # 177:077 if you feel paranoid. 233 | 234 | Umask 133:022 235 | 236 | 237 | 238 | # Minimum UID for an authenticated user to log in. 239 | 240 | MinUID 100 241 | 242 | 243 | 244 | # Allow FXP transfers for authenticated users. 245 | 246 | AllowUserFXP no 247 | 248 | 249 | 250 | # Allow anonymous FXP for anonymous and non-anonymous users. 251 | 252 | AllowAnonymousFXP no 253 | 254 | 255 | 256 | # Users can't delete/write files beginning with a dot ('.') 257 | # even if they own them. If TrustedGID is enabled, this group 258 | # will have access to dot-files, though. 259 | 260 | ProhibitDotFilesWrite no 261 | 262 | 263 | 264 | # Prohibit *reading* of files beginning with a dot (.history, .ssh...) 265 | 266 | ProhibitDotFilesRead no 267 | 268 | 269 | 270 | # Never overwrite files. When a file whose name already exist is uploaded, 271 | # it get automatically renamed to file.1, file.2, file.3, ... 272 | 273 | AutoRename no 274 | 275 | 276 | 277 | # Disallow anonymous users to upload new files (no = upload is allowed) 278 | 279 | AnonymousCantUpload yes 280 | 281 | 282 | 283 | # Only connections to this specific IP address are allowed to be 284 | # non-anonymous. You can use this directive to open several public IPs for 285 | # anonymous FTP, and keep a private firewalled IP for remote administration. 286 | # You can also only allow a non-routable local IP (like 10.x.x.x) to 287 | # authenticate, and keep a public anon-only FTP server on another IP. 288 | 289 | #TrustedIP 10.1.1.1 290 | 291 | 292 | 293 | # If you want to add the PID to every logged line, uncomment the following 294 | # line. 
295 | 296 | #LogPID yes 297 | 298 | 299 | 300 | # Create an additional log file with transfers logged in a Apache-like format : 301 | # fw.c9x.org - jedi [13/Dec/1975:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338 302 | # This log file can then be processed by www traffic analyzers. 303 | 304 | AltLog xferlog:/etc/apache2/logs/domlogs/ftpxferlog 305 | 306 | 307 | 308 | # Create an additional log file with transfers logged in a format optimized 309 | # for statistic reports. 310 | 311 | # AltLog stats:/var/log/pureftpd.log 312 | 313 | 314 | 315 | # Create an additional log file with transfers logged in the standard W3C 316 | # format (compatible with most commercial log analyzers) 317 | 318 | # AltLog w3c:/var/log/pureftpd.log 319 | 320 | 321 | 322 | # Disallow the CHMOD command. Users can't change perms of their files. 323 | 324 | #NoChmod yes 325 | 326 | 327 | 328 | # Allow users to resume and upload files, but *NOT* to delete them. 329 | 330 | #KeepAllFiles yes 331 | 332 | 333 | 334 | # Automatically create home directories if they are missing 335 | 336 | #CreateHomeDir yes 337 | 338 | 339 | 340 | # Enable virtual quotas. The first number is the max number of files. 341 | # The second number is the max size of megabytes. 342 | # So 1000:10 limits every user to 1000 files and 10 Mb. 343 | 344 | #Quota 1000:10 345 | 346 | 347 | 348 | # If your pure-ftpd has been compiled with standalone support, you can change 349 | # the location of the pid file. The default is /var/run/pure-ftpd.pid 350 | 351 | #PIDFile /var/run/pure-ftpd.pid 352 | 353 | 354 | 355 | # If your pure-ftpd has been compiled with pure-uploadscript support, 356 | # this will make pure-ftpd write info about new uploads to 357 | # /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and 358 | # spawn a script to handle the upload. 359 | # Don't enable this option if you don't actually use pure-uploadscript. 
360 | 361 | CallUploadScript yes 362 | 363 | 364 | 365 | # This option is useful with servers where anonymous upload is 366 | # allowed. As /var/ftp is in /var, it save some space and protect 367 | # the log files. When the partition is more that X percent full, 368 | # new uploads are disallowed. 369 | 370 | MaxDiskUsage 99 371 | 372 | 373 | 374 | # Set to 'yes' if you don't want your users to rename files. 375 | 376 | #NoRename yes 377 | 378 | 379 | 380 | # Be 'customer proof' : workaround against common customer mistakes like 381 | # 'chmod 0 public_html', that are valid, but that could cause ignorant 382 | # customers to lock their files, and then keep your technical support busy 383 | # with silly issues. If you're sure all your users have some basic Unix 384 | # knowledge, this feature is useless. If you're a hosting service, enable it. 385 | 386 | CustomerProof yes 387 | 388 | 389 | 390 | # Per-user concurrency limits. It will only work if the FTP server has 391 | # been compiled with --with-peruserlimits (and this is the case on 392 | # most binary distributions) . 393 | # The format is : : 394 | # For instance, 3:20 means that the same authenticated user can have 3 active 395 | # sessions max. And there are 20 anonymous sessions max. 396 | 397 | # PerUserLimits 3:20 398 | 399 | 400 | 401 | # When a file is uploaded and there is already a previous version of the file 402 | # with the same name, the old file will neither get removed nor truncated. 403 | # Upload will take place in a temporary file and once the upload is complete, 404 | # the switch to the new version will be atomic. For instance, when a large PHP 405 | # script is being uploaded, the web server will still serve the old version and 406 | # immediatly switch to the new one as soon as the full file will have been 407 | # transfered. This option is incompatible with virtual quotas. 
408 | 409 | # NoTruncate yes 410 | 411 | 412 | 413 | # This option can accept three values : 414 | # 0 : disable SSL/TLS encryption layer (default). 415 | # 1 : accept both traditional and encrypted sessions. 416 | # 2 : refuse connections that don't use SSL/TLS security mechanisms, 417 | # including anonymous sessions. 418 | # Do _not_ uncomment this blindly. Be sure that : 419 | # 1) Your server has been compiled with SSL/TLS support (--with-tls), 420 | # 2) A valid certificate is in place, 421 | # 3) Only compatible clients will log in. 422 | 423 | TLS 1 424 | 425 | 426 | # OpenSSL ciphers suite for TLS sessions. 427 | # Prefix with -C: in order to require valid client certificates. 428 | # If -C: is used, make sure that clients' public keys are installed 429 | # on the server. 430 | # SSL is disabled by default. TLS 1.0, 1.1 and 1.2 are available by 431 | # default. 432 | 433 | TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3 434 | 435 | 436 | 437 | # Certificate file, for TLS 438 | 439 | # CertFile /etc/ssl/private/pure-ftpd.pem 440 | 441 | 442 | 443 | # Listen only to IPv4 addresses in standalone mode (ie. disable IPv6) 444 | # By default, both IPv4 and IPv6 are enabled. 445 | 446 | # IPV4Only yes 447 | 448 | 449 | 450 | # Listen only to IPv6 addresses in standalone mode (ie. disable IPv4) 451 | # By default, both IPv4 and IPv6 are enabled. 452 | 453 | # IPV6Only yes 454 | 455 | # UTF-8 support for file names (RFC 2640) 456 | # Define charset of the server filesystem and optionnally the default charset 457 | # for remote clients if they don't use UTF-8. 
458 | # Works only if pure-ftpd has been compiled with --with-rfc2640 459 | 460 | # FileSystemCharset big5 461 | # ClientCharset big5 462 | -------------------------------------------------------------------------------- /roles/install-cpanel/handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: restart exim 3 | command: /scripts/restartsrv_exim 4 | 5 | - name: restart apache 6 | command: /scripts/restartsrv_httpd 7 | 8 | - name: restart mysql 9 | command: /scripts/restartsrv_mysql 10 | 11 | - name: restart cpanel 12 | command: /scripts/restartsrv_cpsrvd 13 | 14 | - name: restart pure-ftpd 15 | command: /scripts/restartsrv_pureftpd 16 | 17 | - name: restart network 18 | service: 19 | name: network 20 | state: restarted -------------------------------------------------------------------------------- /roles/install-cpanel/tasks/files.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # file: roles/cpanel/tasks/files.yml 3 | # 4 | # cPanel Role 5 | # Task for handling custom config files for cPanel 6 | # 7 | - name: Copy cPanel custom config Files 8 | copy: 9 | src: "{{ item.src }}" 10 | dest: "{{ item.dest }}" 11 | owner: root 12 | group: root 13 | mode: "{{ item.mode }}" 14 | with_items: 15 | - { src: "cpanel.config", dest: "/root/cpanel_profile/cpanel.config", mode: "0644" } 16 | tags: cpanel 17 | 18 | - name: Copy cPanel restore acocunts file 19 | template: 20 | src: "etc/cpanelacctrestore.j2" 21 | dest: "/etc/cpanelacctrestore" 22 | owner: root 23 | group: root 24 | mode: "0644" 25 | tags: cpanel 26 | 27 | -------------------------------------------------------------------------------- /roles/install-cpanel/tasks/folders.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # file: roles/cpanel/tasks/folders.yml 3 | # 4 | # cPanel Role 5 | # Task for handling required folders for cPanel install 6 | # 7 | - 
name: Create required cPanel folder structure 8 | file: 9 | path: "{{ item.path }}" 10 | state: directory 11 | mode: "{{ item.mode }}" 12 | with_items: 13 | - { path: "/var/cpanel/easy/apache", mode: "0755" } 14 | - { path: "/root/cpanel_profile", mode: "0755" } 15 | - { path: "/etc/cpanel", mode: "0755" } 16 | - { path: "/var/cpanel/apps", mode: "0755" } 17 | - { path: "/var/cpanel/rbl_info", mode: "0755" } 18 | tags: cpanel 19 | -------------------------------------------------------------------------------- /roles/install-cpanel/tasks/install.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # file: roles/cpanel/tasks/install.yml 3 | # 4 | # cPanel Role 5 | # Task for handling cPanel install 6 | # 7 | - name: Fetch cPanel 8 | get_url: 9 | url: https://securedownloads.cpanel.net/latest 10 | dest: /home/latest 11 | mode: 0755 12 | force: yes 13 | validate_certs: false 14 | tags: cpanel 15 | 16 | - name: Install cPanel 17 | command: /bin/bash /home/latest 18 | args: 19 | chdir: /home 20 | creates: /root/installer.lock 21 | async: 5400 #wait up-to 90 minutes was 5400 22 | poll: 300 #check every 5 minutes 23 | register: cpanel_install_completed 24 | tags: cpanel 25 | 26 | ## If the install task completes before the install is actually completed 27 | ## This task serves as a backup. 28 | - name: Wait for cPanel to install... 
29 | wait_for: 30 | path: /var/log/cpanel-install.log 31 | search_regex: "Thank you for installing cPanel" 32 | tags: cpanel 33 | -------------------------------------------------------------------------------- /roles/install-cpanel/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # file: roles/cpanel/tasks/main.yml 3 | # 4 | # cpanel Role 5 | # Task for handling the cPanel config and install 6 | # 7 | 8 | - name: Check whether cPanel is installed 9 | stat: 10 | path: '/usr/local/cpanel/cpanel' 11 | register: cpanel_check 12 | check_mode: no 13 | failed_when: false 14 | changed_when: false 15 | tags: cpanel 16 | 17 | - name: Register cpanel_installed variable 18 | set_fact: 19 | cpanel_installed: true 20 | when: cpanel_check.stat.exists 21 | tags: cpanel 22 | 23 | - name: cPanel OS Pre-requisites 24 | include_tasks: os.yml 25 | when: cpanel_installed is not defined and ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7' 26 | 27 | - name: cPanel Package Pre-requisites 28 | include_tasks: yum.yml 29 | when: cpanel_installed is not defined 30 | 31 | - name: cPanel Folder Structure 32 | include_tasks: folders.yml 33 | when: cpanel_installed is not defined 34 | 35 | - name: cPanel Custom Configs 36 | include_tasks: files.yml 37 | when: cpanel_installed is not defined 38 | 39 | - name: cPanel Installer Task 40 | include_tasks: install.yml 41 | when: cpanel_installed is not defined 42 | 43 | - name: cPanel Post Install Task 44 | include_tasks: post-install.yml 45 | when: cpanel_install_completed is defined and cpanel_install_completed.changed 46 | 47 | - name: Get installed version of cPanel 48 | shell: "/usr/local/cpanel/cpanel -V" 49 | changed_when: false 50 | check_mode: no 51 | register: cpanel_version_raw 52 | tags: always 53 | 54 | - name: Create cpanel_version variable. 
55 | set_fact: 56 | cpanel_version: "{{ cpanel_version_raw.stdout.split()[0] }}" 57 | tags: always 58 | 59 | - name: Create cpanel_build_version variable. 60 | set_fact: 61 | cpanel_build_version: "{{ cpanel_version_raw.stdout.split()[2].strip(')') }}" 62 | tags: always 63 | -------------------------------------------------------------------------------- /roles/install-cpanel/tasks/os.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Unmanage Network Interfaces 3 | lineinfile: 4 | line: 'NM_CONTROLLED="no"' 5 | state: present 6 | path: /etc/sysconfig/network-scripts/ifcfg-{{item}} 7 | with_items: "{{ ansible_interfaces }}" 8 | 9 | - name: Disable NetworkManager Service 10 | service: 11 | name: NetworkManager 12 | state: stopped 13 | enabled: no 14 | 15 | - name: Enable network service 16 | service: 17 | name: network 18 | state: started 19 | enabled: yes 20 | 21 | - name: Restart network service 22 | service: 23 | name: network 24 | state: restarted 25 | 26 | - name: Remove local resolver from resolv.conf 27 | lineinfile: 28 | line: 'nameserver 127.0.0.1' 29 | state: absent 30 | path: /etc/resolv.conf 31 | 32 | - name: Add 8.8.8.8 to resolve.conf 33 | lineinfile: 34 | line: 'nameserver 8.8.8.8' 35 | state: present 36 | path: /etc/resolv.conf 37 | 38 | - name: Add 8.8.4.4 to resolve.conf 39 | lineinfile: 40 | line: 'nameserver 8.8.4.4' 41 | state: present 42 | path: /etc/resolv.conf -------------------------------------------------------------------------------- /roles/install-cpanel/tasks/post-install.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # file: roles/cpanel/tasks/post-install.yml 3 | # 4 | # cPanel Role 5 | # Task for handling custom settings after cPanel is installed 6 | # 7 | 8 | - name: Post Install | cPanel config customization 9 | template: 10 | src: "{{ item.src }}" 11 | dest: "{{ item.dest }}" 12 | owner: root 13 | group: root 14 | mode: "{{ 
item.mode }}" 15 | with_items: 16 | - { src: "etc/wwwacct.conf.j2", dest: "/etc/wwwacct.conf", mode: "0644" } 17 | - { src: "var/cpanel/maxemailsperhour.j2", dest: "/var/cpanel/maxemailsperhour", mode: "0644" } 18 | tags: cpanel 19 | 20 | - name: Post Install | disable the cPanel setup wizard 21 | file: 22 | path: /etc/.whostmgrft 23 | state: touch 24 | owner: root 25 | group: root 26 | mode: 0644 27 | changed_when: false 28 | tags: cpanel 29 | 30 | - name: Post Install | Enable IMAP Server (dovecot) 31 | shell: /scripts/setupmailserver dovecot 32 | 33 | - name: Post Install | Enable DNS Server (bind) 34 | shell: /scripts/setupnameserver bind 35 | 36 | - name: Post Install | Enable FTP Server (pure-ftpd) 37 | shell: /scripts/setupftpserver pure-ftpd 38 | 39 | - name: Post Install | Ensure hostname in /etc/localdomains 40 | lineinfile: 41 | regexp: "^{{ ansible_fqdn }}$" 42 | dest: /etc/localdomains 43 | line: "{{ ansible_fqdn }}" 44 | owner: root 45 | group: mail 46 | mode: 0640 47 | tags: cpanel 48 | 49 | - name: Post Install | traceroute protection 50 | file: 51 | path: /bin/traceroute 52 | mode: 0700 53 | tags: cpanel 54 | 55 | - name: Post Install | TMPWatch Cron 56 | cron: 57 | name: "TMPWatch" 58 | minute: "*/30" 59 | job: "/usr/sbin/tmpwatch --mtime --nosymlinks 4 /tmp" 60 | state: present 61 | tags: cpanel 62 | 63 | - name: Post Install | Generate Remote Access Key | Step 1 64 | shell: export REMOTE_USER=root 65 | 66 | - name: Post Install | Generate Remote Access Key | Step 2 67 | shell: /usr/local/cpanel/bin/mkaccesshash 68 | 69 | - name: Post Install | Configure Pure-ftpd Server 70 | file: 71 | src: pure-ftpd.conf 72 | dest: /etc/pure-ftpd.conf 73 | mode: 0755 74 | owner: root 75 | group: root 76 | notify: restart pure-ftpd 77 | 78 | - name: Post Install | Enable ModSec OWASP Vendor 79 | shell: /scripts/modsec_vendor add http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP3.yaml 80 | 81 | - name: Post Install | Enable Updates for ModSec OWASP Vendor 
82 | shell: /scripts/modsec_vendor enable-updates OWASP3 83 | 84 | - name: Post Install | Configure Default Features List 85 | copy: 86 | src: features/default 87 | dest: /var/cpanel/features/default 88 | mode: 0644 89 | owner: root 90 | group: root 91 | 92 | -------------------------------------------------------------------------------- /roles/install-cpanel/tasks/yum.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # file: roles/cpanel/tasks/yum.yml 3 | # 4 | # cPanel Role 5 | # Task for handling yum package stuff 6 | # 7 | - name: cPanel Required packages rpms 8 | yum: 9 | name: "{{ item.name }}" 10 | state: "{{ item.state }}" 11 | with_items: 12 | - { name: "curl", state: "installed" } 13 | - { name: "wget", state: "installed" } 14 | - { name: "perl", state: "installed" } 15 | - { name: "@Desktop", state: "removed" } 16 | - { name: "@Mono", state: "removed" } 17 | - { name: "@E-mail server", state: "removed" } 18 | - { name: "@FTP server", state: removed } 19 | - { name: "@GNOME Desktop Environment", state: "removed" } 20 | - { name: "@KDE Desktop", state: "removed" } 21 | - { name: "@X Window System", state: "removed" } 22 | - { name: "@Xfce", state: "removed" } 23 | - { name: "@Web Server", state: "removed" } 24 | tags: yum 25 | -------------------------------------------------------------------------------- /roles/install-cpanel/templates/etc/cpanelacctrestore.j2: -------------------------------------------------------------------------------- 1 | {% if restore_accounts %} 2 | {% for account in restore_accounts %} 3 | {{ account }} 4 | {% endfor %} 5 | {% endif %} -------------------------------------------------------------------------------- /roles/install-cpanel/templates/etc/wwwacct.conf.j2: -------------------------------------------------------------------------------- 1 | HOST {{ ansible_fqdn }} 2 | HOMEDIR /home 3 | ETHDEV {{ ansible_default_ipv4.interface }} 4 | NS {{ nameserver_primary }} 5 | NS2 {{ 
nameserver_secondary }} 6 | HOMEMATCH 7 | NSTTL 86400 8 | NS4 {{ nameserver_quaternary }} 9 | TTL 14400 10 | ADDR {{ ansible_default_ipv4.address }} 11 | DEFMOD paper_lantern 12 | SCRIPTALIAS y 13 | MINUID 500 14 | CONTACTPAGER {{ cpanel_contact_pager }} 15 | NS3 {{ nameserver_tertiary }} 16 | CONTACTEMAIL {{ cpanel_email_address }} 17 | LOGSTYLE combined 18 | DEFWEBMAILTHEME paper_lantern 19 | {% if ansible_default_ipv6.address is defined %}ADDR6 {{ ansible_default_ipv6.address }} {% endif %} -------------------------------------------------------------------------------- /roles/install-cpanel/templates/var/cpanel/cpanel.config.j2: -------------------------------------------------------------------------------- 1 | #### NOTICE #### 2 | # After manually editing any configuration settings in this file, 3 | # please run '/usr/local/cpanel/scripts/restartsrv_cpsrvd' or 4 | # 'service cpanel restart' to fully update your server's configuration. 5 | 6 | RS=paper_lantern 7 | SecurityPolicy::TwoFactorAuth=1 8 | VFILTERDIR=/etc/vfilters 9 | access_log=/usr/local/cpanel/logs/access_log 10 | account_login_access=owner_root 11 | adminuser=cpanel 12 | allow_deprecated_accesshash=1 13 | allow_login_autocomplete=1 14 | allow_server_info_status_from= 15 | allow_weak_checksums=0 16 | allowcpsslinstall=1 17 | allowparkhostnamedomainsubdomains=0 18 | allowparkonothers=0 19 | allowremotedomains=0 20 | allowresellershostnamedomainsubdomains=0 21 | allowunregistereddomains=0 22 | allowwhmparkonothers=0 23 | alwaysredirecttossl=1 24 | anon_data_optout=0 25 | apache_port=0.0.0.0:80 26 | apache_ssl_port=0.0.0.0:443 27 | api_shell=0 28 | autocreateaentries=1 29 | autodiscover_host={{ ansible_fqdn }} 30 | autodiscover_mail_service=imap 31 | autodiscover_proxy_subdomains=1 32 | autoupdate_certificate_on_hostname_mismatch=1 33 | awstatsbrowserupdate=0 34 | awstatsreversedns=0 35 | basename=cpanel 36 | bind_deferred_restart_time=2 37 | blockcommondomains=1 38 | bwcycle=2 39 | 
cgiemaildisabled=1 40 | cgihidepass=1 41 | check_zone_owner=1 42 | check_zone_syntax=1 43 | chkservd_check_interval=300 44 | chkservd_hang_allowed_intervals=2 45 | chkservd_plaintext_notify=0 46 | cluster_autodisable_threshold=10 47 | cluster_failure_notifications=1 48 | conserve_memory=0 49 | cookieipvalidation=disabled 50 | coredump=0 51 | cpaddons_adminemail= 52 | cpaddons_autoupdate=1 53 | cpaddons_max_moderation_req_all_mod=99 54 | cpaddons_max_moderation_req_per_mod=99 55 | cpaddons_moderation_request=0 56 | cpaddons_no_3rd_party=0 57 | cpaddons_no_modified_cpanel=1 58 | cpaddons_notify_owner=1 59 | cpaddons_notify_root=1 60 | cpaddons_notify_users=Allow users to choose 61 | cpanel_locale= 62 | cpredirect=Origin Domain Name 63 | cpredirectssl=SSL Certificate Name 64 | cpsrvd-domainlookup=0 65 | create_account_dkim=1 66 | create_account_spf=0 67 | cycle_hours=24 68 | database_prefix=1 69 | debughooks=0 70 | default_archive-logs=1 71 | default_login_theme=cpanel 72 | default_remove-old-archived-logs=1 73 | defaultmailaction=localuser 74 | disable-php-as-reseller-security=0 75 | disablequotacache=0 76 | disk_usage_include_mailman=1 77 | disk_usage_include_sqldbs=1 78 | dnsadmin_log=0 79 | dnsadmin_verbose_sync=0 80 | dnsadminapp 81 | dnslookuponconnect=0 82 | docroot=/usr/local/cpanel/base 83 | domainowner_mail_pass=0 84 | dormant_services=cpdavd,cphulkd,cpsrvd,dnsadmin,spamd 85 | dumplogs=1 86 | email_account_quota_default_selected=userdefined 87 | email_account_quota_userdefined_default_value=1024 88 | email_send_limits_count_mailman=0 89 | email_send_limits_defer_cutoff=125 90 | email_send_limits_max_defer_fail_percentage 91 | email_send_limits_min_defer_fail_to_trigger_protection=5 92 | emailarchive=1 93 | emailpasswords=0 94 | emailsperdaynotify 95 | emailusers_diskusage_critical_contact_admin=1 96 | emailusers_diskusage_critical_percent=90.0000 97 | emailusers_diskusage_full_contact_admin=1 98 | emailusers_diskusage_full_percent=98.0000 99 | 
emailusers_diskusage_warn_contact_admin=0 100 | emailusers_diskusage_warn_percent=80.0000 101 | emailusers_mailbox_critical_percent=90.0000 102 | emailusers_mailbox_full_percent=98.0000 103 | emailusers_mailbox_warn_percent=80.0000 104 | emailusersbandwidthexceed=0 105 | emailusersbandwidthexceed70=0 106 | emailusersbandwidthexceed75=0 107 | emailusersbandwidthexceed80=1 108 | emailusersbandwidthexceed85=0 109 | emailusersbandwidthexceed90=0 110 | emailusersbandwidthexceed95=0 111 | emailusersbandwidthexceed97=0 112 | emailusersbandwidthexceed98=0 113 | emailusersbandwidthexceed99=0 114 | empty_trash_days=disabled 115 | enable_piped_logs=0 116 | enablecompileroptimizations=0 117 | enablefileprotect=1 118 | engine=cpanel 119 | enginepl=cpanel.pl 120 | engineroot=/usr/local/cpanel 121 | exim-retrytime=15 122 | exim_retention_days=10 123 | eximmailtrap=1 124 | extracpus=0 125 | file_upload_max_bytes 126 | file_upload_must_leave_bytes=5 127 | file_usage=0 128 | ftppasslogs=0 129 | ftpquotacheck_expire_time=30 130 | ftpserver=pure-ftpd 131 | global_dcv_rewrite_exclude=1 132 | gzip_compression_level=6 133 | gzip_pigz_block_size=4096 134 | gzip_pigz_processes=1 135 | htaccess_check_recurse=2 136 | ignoredepreciated=0 137 | invite_sub=1 138 | ionice_bandwidth_processing=6 139 | ionice_cpbackup=6 140 | ionice_dovecot_maintenance=7 141 | ionice_email_archive_maintenance=7 142 | ionice_ftpquotacheck=6 143 | ionice_log_processing=7 144 | ionice_quotacheck=6 145 | ionice_userbackup=7 146 | ionice_userproc=6 147 | ipv6_control=0 148 | ipv6_listen=0 149 | jailapache=0 150 | jaildefaultshell=0 151 | jailmountbinsuid=0 152 | jailmountusrbinsuid=0 153 | jailprocmode=mount_proc_jailed_fallback_full 154 | keepftplogs=0 155 | keeplogs=0 156 | keepstatslog=0 157 | loadthreshold 158 | local_nameserver_type=bind 159 | log_successful_logins=0 160 | logchmod=0640 161 | logout_redirect_url= 162 | mailbox_storage_format=maildir 163 | mailserver=dovecot 164 | maintenance_rpm_version_check=1 
165 | maintenance_rpm_version_digest_check=1 166 | maxcpsrvdconnections=200 167 | maxemailsperhour 168 | maxmem=768 169 | minpwstrength=65 170 | minpwstrength_mysql=70 171 | minpwstrength_virtual=70 172 | modsec_keep_hits=7 173 | mycnf_auto_adjust_innodb_buffer_pool_size=0 174 | mycnf_auto_adjust_maxallowedpacket=1 175 | mycnf_auto_adjust_openfiles_limit=1 176 | myname=cpaneld 177 | mysql-host=localhost 178 | mysql-version=5.6 179 | mysqldebug=0 180 | nobodyspam=1 181 | nocpbackuplogs=0 182 | nosendlangupdates=0 183 | notify_expiring_certificates=0 184 | numacctlist=30 185 | overwritecustomproxysubdomains=0 186 | overwritecustomsrvrecords=0 187 | permit_appconfig_entries_without_acls=0 188 | permit_appconfig_entries_without_features=0 189 | permit_unregistered_apps_as_reseller=0 190 | permit_unregistered_apps_as_root=0 191 | php_max_execution_time=90 192 | php_post_max_size=55 193 | php_system_default_version=ea-php70 194 | php_upload_max_filesize=50 195 | phploader=ioncube 196 | phpopenbasedirhome=1 197 | pma_disableis=0 198 | popbeforesmtp=0 199 | popbeforesmtpsenders=0 200 | postgresdebug=0 201 | product=cPanel 202 | proxysubdomains=1 203 | proxysubdomainsfornewaccounts=1 204 | proxysubdomainsoverride=1 205 | publichtmlsubsonly=1 206 | query_apache_for_nobody_senders=1 207 | referrerblanksafety=1 208 | referrersafety=1 209 | remotewhmtimeout=35 210 | repquota_timeout=60 211 | requiressl=1 212 | resetpass=0 213 | resetpass_sub=0 214 | root=/usr/local/cpanel 215 | rotatelogs_size_threshhold_in_megabytes=300 216 | roundcube_db=mysql 217 | rpmup_allow_kernel=0 218 | selfsigned_generation_for_bestavailable_ssl_install=1 219 | send_error_reports=1 220 | send_server_configuration=1 221 | send_server_usage=1 222 | server_locale=en 223 | showwhmbwusageinmegs=0 224 | signature_validation=Release Keyring Only 225 | skip_chkservd_recovery_notify=0 226 | skipanalog=0 227 | skipapacheclientsoptimizer=0 228 | skipawstats=0 229 | skipboxcheck=1 230 | skipboxtrapper=1 231 | 
skipbwlimitcheck=0 232 | skipchkservd=0 233 | skipcpbandwd=0 234 | skipdiskcheck=0 235 | skipdiskusage=0 236 | skipeximstats=0 237 | skiphorde=0 238 | skiphttpauth=1 239 | skipjailmanager=0 240 | skipmailauthoptimizer=0 241 | skipmailman=0 242 | skipmodseclog=0 243 | skipnotifyacctbackupfailure=0 244 | skipoomcheck=0 245 | skipparentcheck=0 246 | skiprecentauthedmailiptracker=0 247 | skiproundcube=0 248 | skipspamassassin=0 249 | skipspambox=1 250 | skipsqmail=0 251 | skiptailwatchd=0 252 | skipwebalizer=0 253 | smtpmailgidonly=1 254 | stats_log=/usr/local/cpanel/logs/stats_log 255 | statsloglevel=1 256 | statthreshhold=256 257 | system_diskusage_critical_percent=92.5500 258 | system_diskusage_warn_percent=82.5500 259 | tcp_check_failure_threshold=3 260 | transfers_timeout=1800 261 | tweak_unset_vars= 262 | upcp_log_retention_days=45 263 | update_log_analysis_retention_length=90 264 | use_apache_md5_for_htaccess=1 265 | use_information_schema=1 266 | useauthnameservers=0 267 | usemailformailmanurl=0 268 | usemysqloldpass=0 269 | userdirprotect=1 270 | verify_3rdparty_cpaddons=0 271 | version=3.4 272 | xframecpsrvd=0 273 | -------------------------------------------------------------------------------- /roles/install-cpanel/templates/var/cpanel/maxemailsperhour.j2: -------------------------------------------------------------------------------- 1 | {{ cpanel_maxemailsperhour }} -------------------------------------------------------------------------------- /roles/install-imunify/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | install_imunify: 'false' 3 | imunify_key: '' -------------------------------------------------------------------------------- /roles/install-imunify/tasks/install.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Download Imunify360 Installer Package 4 | get_url: 5 | url: 
http://repo.imunify360.cloudlinux.com/defence360/i360deploy.sh 6 | dest: /usr/src 7 | force: yes 8 | register: imunify_downloaded 9 | 10 | - name: Install Imunify360 11 | shell: bash /usr/src/i360deploy.sh -k {{ imunify_key }} 12 | args: 13 | chdir: /usr/src 14 | creates: /etc/sysconfig/imunify360/imunify360.config 15 | executable: /bin/bash 16 | ignore_errors: true 17 | when: imunify_downloaded|changed and imunify_installed == false and imunify_key is defined -------------------------------------------------------------------------------- /roles/install-imunify/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Check if Imunify360 is installed 4 | stat: 5 | path: /etc/sysconfig/imunify360/imunify360.config 6 | register: imunify_check 7 | changed_when: false 8 | check_mode: no 9 | tags: always 10 | 11 | - name: Create imunify_installed variable. 12 | set_fact: 13 | imunify_installed: "{{ imunify_check.stat.exists|bool }}" 14 | check_mode: no 15 | tags: always 16 | 17 | - name: Include the Imunify360 Installer Task 18 | include_tasks: install.yml 19 | when: imunify_installed != true and (install_imunify is defined and install_imunify == 'true') 20 | -------------------------------------------------------------------------------- /roles/install-kernelcare/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | install_kernelcare: 'false' 3 | -------------------------------------------------------------------------------- /roles/install-kernelcare/tasks/install.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Install Kernelcare 3 | yum: 4 | name: https://downloads.kernelcare.com/kernelcare-latest.x86_64.rpm 5 | state: present 6 | tags: install_kernelcare 7 | -------------------------------------------------------------------------------- /roles/install-kernelcare/tasks/main.yml: 
-------------------------------------------------------------------------------- 1 | --- 2 | - name: Check if Kernelcare is installed 3 | stat: 4 | path: /usr/bin/kcarectl 5 | register: kernelcare_check 6 | changed_when: false 7 | check_mode: no 8 | tags: always 9 | 10 | - name: Create kernelcare_installed variable. 11 | set_fact: 12 | kernelcare_installed: "{{ kernelcare_check.stat.exists|bool }}" 13 | tags: always 14 | 15 | - name: Include the Kernelcare Installer Task 16 | include_tasks: install.yml 17 | when: kernelcare_installed != true and (install_kernelcare is defined and install_kernelcare == 'true') 18 | -------------------------------------------------------------------------------- /roles/install-letsencrypt/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | install_letsencrypt: 'false' -------------------------------------------------------------------------------- /roles/install-letsencrypt/files/letsencrypt-cpanel.licence: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shumbashi/cpanel-ansible/7d5b32edc77658874e2c6fe078329ed73cc0d33e/roles/install-letsencrypt/files/letsencrypt-cpanel.licence -------------------------------------------------------------------------------- /roles/install-letsencrypt/files/letsencrypt.repo: -------------------------------------------------------------------------------- 1 | [letsencrypt-cpanel] 2 | name=Let's Encrypt for cPanel 3 | baseurl=https://letsencrypt-for-cpanel.com/repo 4 | gpgcheck=0 5 | -------------------------------------------------------------------------------- /roles/install-letsencrypt/tasks/install.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # tasks file for install-letsencrypt 3 | 4 | - name: Upload License File 5 | copy: 6 | src: letsencrypt-cpanel.licence 7 | dest: /etc/letsencrypt-cpanel.licence 8 | mode: 0700 9 | 10 
| - name: Add Repository 11 | copy: 12 | src: letsencrypt.repo 13 | dest: /etc/yum.repos.d/letsencrypt.repo 14 | 15 | - name: Install Plugin 16 | yum: 17 | name: letsencrypt-cpanel 18 | state: installed 19 | update_cache: true 20 | -------------------------------------------------------------------------------- /roles/install-letsencrypt/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Check if LetsEncrypt is installed 3 | stat: 4 | path: /etc/letsencrypt-cpanel.conf 5 | register: letsencrypt_check 6 | changed_when: false 7 | check_mode: no 8 | tags: always 9 | 10 | - name: Create letsencrypt_installed variable. 11 | set_fact: 12 | letsencrypt_installed: "{{ letsencrypt_check.stat.exists|bool }}" 13 | check_mode: no 14 | tags: always 15 | 16 | - name: Include the LetsEncrypt Installer Task 17 | include_tasks: install.yml 18 | when: letsencrypt_installed != true and (install_letsencrypt is defined and install_letsencrypt == 'true') -------------------------------------------------------------------------------- /roles/install-sitepad/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | install_sitepad: 'false' -------------------------------------------------------------------------------- /roles/install-sitepad/tasks/install.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Download Sitepad Installer Package 3 | get_url: 4 | url: http://files.sitepad.com/install.sh 5 | dest: /usr/src 6 | force: yes 7 | mode: 0755 8 | register: sitepad_downloaded 9 | 10 | - name: Install Sitepad 11 | shell: /bin/bash /usr/src/install.sh 12 | args: 13 | chdir: /usr/src 14 | creates: /usr/local/sitepad/universal.php 15 | when: sitepad_downloaded|changed and sitepad_installed == false 16 | register: installation_complete 17 | 18 | - name: Generate Sitepad Customized Configuration 19 | template: 20 | src: 
universal.php.j2 21 | dest: /usr/local/sitepad/universal.php 22 | force: yes 23 | backup: yes 24 | when: installation_complete|changed 25 | 26 | - name: Protect Sitepad universal.php from Overwrite 27 | shell: chattr +i /usr/local/sitepad/universal.php 28 | args: 29 | chdir: /usr/local/sitepad/ 30 | when: installation_complete|changed 31 | -------------------------------------------------------------------------------- /roles/install-sitepad/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Check if Sitepad is installed 3 | stat: 4 | path: /usr/local/sitepad/universal.php 5 | register: sitepad_check 6 | changed_when: false 7 | check_mode: no 8 | tags: always 9 | 10 | - name: Create sitepad_installed variable. 11 | set_fact: 12 | sitepad_installed: "{{ sitepad_check.stat.exists|bool }}" 13 | check_mode: no 14 | tags: always 15 | 16 | - name: Include the Sitepad Installer Task 17 | include_tasks: install.yml 18 | when: sitepad_installed != true and (install_sitepad is defined and install_sitepad == 'true') 19 | -------------------------------------------------------------------------------- /roles/install-sitepad/templates/universal.php.j2: -------------------------------------------------------------------------------- 1 |