updated sshd config

assets/drupal-ssl-decoupled.nginxconf

@@ -89,7 +89,7 @@ server {
       #fastcgi_param DOCUMENT_ROOT /var/www/enfrancais.fr/api;
       # fastcgi_buffer_size 16k;
       # fastcgi_buffers 4 16k;
-      fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+      fastcgi_pass unix:/run/php/php8.2-fpm.sock;
     }
 
     location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {

assets/drupal-ssl.nginxconf

@@ -116,7 +116,7 @@ server {
     fastcgi_intercept_errors on;
     # fastcgi_buffer_size 16k;
     # fastcgi_buffers 4 16k;
-    fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+    fastcgi_pass unix:/run/php/php8.2-fpm.sock;
   }
   # Fighting with Styles? This little gem is amazing.
   # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6

assets/drupal.nginxconf

@@ -92,7 +92,7 @@ server {
     fastcgi_intercept_errors on;
     # fastcgi_buffer_size 16k;
     # fastcgi_buffers 4 16k;
-    fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+    fastcgi_pass unix:/run/php/php8.2-fpm.sock;
   }
   # Fighting with Styles? This little gem is amazing.
   # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6

assets/fail2ban/filter.d/nginx-badbots.conf

@@ -0,0 +1,5 @@
+[Definition]
+
+failregex = FastCGI sent in stderr: "Primary script unknown" .*, client: <HOST>, server: .*
+
+ignoreregex =

assets/fail2ban/jail.d/nginx-badbots.conf

@@ -0,0 +1,7 @@
+[nginx-badbots]
+
+enabled  = true
+port     = http,https
+filter   = <FILTER>
+logpath  = <LOGPATH>
+maxretry = 2

assets/nginx-phpmyadmin.conf

@@ -22,7 +22,7 @@ server {
     }
 
     location ~ \.php$ {
-      fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+      fastcgi_pass unix:/run/php/php8.2-fpm.sock;
       fastcgi_index index.php;
       include fastcgi_params;
       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

assets/simple-phpfpm-ssl.nginxconf

@@ -48,7 +48,7 @@ server {
 
   location ~ \.php$ {
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
     fastcgi_index index.php;
     include fastcgi_params;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

assets/simple-phpfpm.nginxconf

@@ -24,7 +24,7 @@ server {
 
   location ~ \.php$ {
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
     fastcgi_index index.php;
     include fastcgi_params;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

assets/urbackup.service

@@ -5,7 +5,7 @@ ConditionPathExists=/usr/local/sbin/urbackupclientbackend
 [Service]
 Type=forking
 ExecStart=/usr/local/sbin/urbackupclientbackend -d
-PIDFile = /var/run/urbackup_srv.pid
+PIDFile = /run/urbackup_srv.pid
 TimeoutSec=0
 
 [Install]

bin/gitbarrerepos.sh

@@ -111,12 +111,12 @@ if [ "$vh" = "yes" ]; then
   chmod +x post-receive # pre-receive
 
   # setup git repo on site folder
-  cd /home/"$user"/www/"$_domain"/app
+  chown -R "$user":"$user" /home/"$user"/www/"$_domain"/public_html
+  cd /home/"$user"/www/"$_domain"/public_html
   git init
   # link to the bare repo
   git remote add origin /home/"$user"/git-repositories/"$_domain".git
 
-  chown -R "$user":"$user" /home/"$user"/www/"$_domain"/app
 
   cd "$_cwd"
   # done

bin/lemp.sh

@@ -36,20 +36,34 @@ echo -e '\033[35m
  / ____/ __  / ____/
 /_/   /_/ /_/_/
 \033[0m'
-echo -e "\033[35;1mInstalling PHP 7.3 \033[0m"
+
+echo -e "\033[35;1mInstalling SURY \033[0m"
 sleep 3
 
+apt-get --yes install ca-certificates apt-transport-https software-properties-common curl lsb-release
+curl -sSL https://packages.sury.org/php/README.txt | bash -x
+apt-get update && apt-get upgrade
+
+echo -e "\033[35;1mInstalling PHP \033[0m"
+sleep 3
+
+
+
 # mv: cannot stat '/etc/php/7.0/fpm/php.ini': No such file or directory
 # cp: cannot create regular file '/etc/php/7.0/fpm/php.ini': No such file or directory
 # Configuring PHP
 # Failed to enable unit: Unit file php7.0-fpm.service does not exist.
 # Failed to start php7.0-fpm.service: Unit php7.0-fpm.service not found.
 
-apt-get --yes install php7.3-fpm php7.3-mysql php7.3-opcache php7.3-curl php7.3-mbstring php7.3-zip php7.3-xml php7.3-gd php-memcached php7.3-imagick php7.3-apcu
-# php7.3-mcrypt  ??
+# apt-get --yes install php7.4-fpm php7.4-mysql php7.4-opcache php7.4-curl php7.4-mbstring php7.4-zip php7.4-xml php7.4-gd php-memcached php7.4-imagick php7.4-apcu
+# php7.4-mcrypt  ??
 
-mv /etc/php/7.3/fpm/php.ini /etc/php/7.3/fpm/php.ini.back
-cp "$_assets"/php-fpm.ini /etc/php/7.3/fpm/php.ini
+apt-get --yes install php8.1-fpm php8.1-mysql php8.1-opcache php8.1-curl php8.1-mbstring php8.1-zip php8.1-xml php8.1-gd php-memcached php8.1-imagick php8.1-apcu php8.1-redis php8.1-bz2 php8.1-bcmath
+
+# apt-get --yes install php8.2-fpm php8.2-mysql php8.2-opcache php8.2-curl php8.2-mbstring php8.2-zip php8.2-xml php8.2-gd php-memcached php8.2-imagick php8.2-apcu php8.2-redis php8.2-bz2 php8.2-bcmath
+
+mv /etc/php/8.1/fpm/php.ini /etc/php/8.1/fpm/php.ini.back
+cp "$_assets"/php8.1-fpm.ini /etc/php/8.1/fpm/php.ini
 
 echo "Configuring PHP"
 
@@ -57,8 +71,8 @@ mkdir /var/log/php
 chown www-data /var/log/php
 cp "$_assets"/logrotate-php /etc/logrotate.d/php
 
-systemctl enable php7.3-fpm
-systemctl start php7.3-fpm
+systemctl enable php8.1-fpm
+systemctl start php8.1-fpm
 
 # echo "Installing memecached"
 # replaced by redis
@@ -136,24 +150,24 @@ if [ "$installmysql" = "yes" ]; then
   ##### Try 'cp --help' for more information.
 
   # TODO no pma package available :(
-  # apt-get --yes install phpmyadmin
-  # ln -s /usr/share/phpmyadmin /var/www/html/
-  # cp "$_assets"/nginx-phpmyadmin.conf > /etc/nginx/sites-available/phpmyadmin.conf
-  # ln -s /etc/nginx/sites-available/phpmyadmin.conf /etc/nginx/sites-enabled/phpmyadmin.conf
-  # echo -e "\033[92;1mphpMyAdmin installed\033[Om"
-  # echo -e "\033[92;1mYou can access it at yourip/phpmyadmin\033[Om"
+  apt-get --yes install phpmyadmin
+  ln -s /usr/share/phpmyadmin /var/www/html/
+  cp "$_assets"/nginx-phpmyadmin.conf /etc/nginx/sites-available/phpmyadmin.conf
+    
+  echo -e "\033[92;1mphpMyAdmin installed\033[Om"
+  echo -e "\033[92;1mYou can access it at yourip/phpmyadmin\033[Om"
 
   # install from source
-  apt-get --yes install php-{mbstring,zip,gd,xml,pear,gettext,cgi}
-  cd /var/www/html/
-  wget https://www.phpmyadmin.net/downloads/phpMyAdmin-latest-all-languages.zip
-  unzip phpMyAdmin-latest-all-languages.zip
-  mv phpMyAdmin-*-all-languages pma
-  rm phpMyAdmin-latest-all-languages.zip
-  # cp "$_assets"/nginx-phpmyadmin.conf > /etc/nginx/sites-available/phpmyadmin.conf
-  # ln -s /etc/nginx/sites-available/phpmyadmin.conf /etc/nginx/sites-enabled/phpmyadmin.conf
-  echo -e "\033[92;1mphpMyAdmin installed\033[Om"
-  echo -e "\033[92;1mYou can access it at yourip/pma\033[Om"
+  # apt-get --yes install php-{mbstring,zip,gd,xml,pear,gettext,cgi}
+  # cd /var/www/html/
+  # wget https://www.phpmyadmin.net/downloads/phpMyAdmin-latest-all-languages.zip
+  # unzip phpMyAdmin-latest-all-languages.zip
+  # mv phpMyAdmin-*-all-languages pma
+  # rm phpMyAdmin-latest-all-languages.zip
+  # # cp "$_assets"/nginx-phpmyadmin.conf > /etc/nginx/sites-available/phpmyadmin.conf
+  # # ln -s /etc/nginx/sites-available/phpmyadmin.conf /etc/nginx/sites-enabled/phpmyadmin.conf
+  # echo -e "\033[92;1mphpMyAdmin installed\033[Om"
+  # echo -e "\033[92;1mYou can access it at yourip/pma\033[Om"
 fi
 
 
@@ -168,7 +182,7 @@ echo -e '\033[35m
 \033[0m'
 echo -e "\033[35;1mInstalling Redis \033[0m"
 sleep 3
-apt-get --yes install redis-server php-redis
+apt-get --yes install redis-server php8.1-redis
 
 # TODO set maxmemory=2gb
 # TODO set maxmemory-policy=volatile-lru
@@ -182,7 +196,7 @@ apt-get --yes install redis-server php-redis
 
 systemctl enable redis-server
 systemctl restart redis-server
-systemctl restart php7.3-fpm
+systemctl restart php8.1-fpm
 echo -e "\033[92;1mRedis installed\033[Om"
 
 echo -e '\033[35m

bin/ssh.sh

@@ -14,8 +14,13 @@ if [ "$EUID" -ne 0 ]; then
   exit
 fi
 
-sed -i 's/PermitRootLogin\ yes/PermitRootLogin no/g' /etc/ssh/sshd_config
-sed -i 's/PermitEmptyPasswords\ yes/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
-sed -i 's/Protocol\ [0-9]/Protocol 2/g' /etc/ssh/sshd_config
+# sed -i 's/PermitRootLogin\ yes/PermitRootLogin no/g' /etc/ssh/sshd_config
+# sed -i 's/PermitEmptyPasswords\ yes/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
+# sed -i 's/Protocol\ [0-9]/Protocol 2/g' /etc/ssh/sshd_config
+
+touch /etc/ssh/sshd_config.d/custom.conf
+echo "PermitRootLogin no" >> /etc/ssh/sshd_config.d/custom.conf
+echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config.d/custom.conf
+
 systemctl reload ssh
 echo -e "\033[92;1mSSH secured\033[Om"

bin/urbackup.sh

@@ -39,15 +39,18 @@ apt install build-essential "g++" "libcrypto++-dev" libz-dev -y
 
 # Download the UrBackup client source files and extract them
 # wget -P /tmp/ https://hndl.urbackup.org/Client/latest/urbackup-client-2.3.4.0.tar.gz
-wget -P /tmp/ https://hndl.urbackup.org/Client/2.4.11/urbackup-client-2.4.11.0.tar.gz
+# wget -P /tmp/ https://hndl.urbackup.org/Client/2.4.11/urbackup-client-2.4.11.0.tar.gz
+# wget -P /tmp/ https://hndl.urbackup.org/Client/2.5.20/urbackup-client-2.5.20.0.tar.gz
+wget -P /tmp/ https://hndl.urbackup.org/Client/2.5.20/urbackup-client-2.5.24.0.tar.gz
 
 cd /tmp
 # tar xzf /tmp/urbackup-client-2.3.4.0.tar.gz
-tar xzf /tmp/urbackup-client-2.4.11.0.tar.gz
+# tar xzf /tmp/urbackup-client-2.5.20.0.tar.gz
+tar xzf /tmp/urbackup-client-2.5.24.0.tar.gz
 
 # Build the UrBackup client and install it
 # cd /tmp/urbackup-client-2.3.4.0
-cd /tmp/urbackup-client-2.4.11.0
+cd /tmp/urbackup-client-2.5.24.0
 ./configure --enable-headless
 make -j4
 make install
@@ -70,7 +73,8 @@ internet_mode_enabled=true
 internet_image_backups_def=false
 default_dirs_def=/etc;var/www;/var/backups/mysql
 startup_backup_delay_def=3
-computername=$_computername" > /usr/local/var/urbackup/data/settings.cfg
+computername=$_computername" > /etc/default/urbackupclient
+# /usr/local/var/urbackup/data/settings.cfg
 
 # firewall
 ufw allow from "$_ip" to any port 35621
@@ -78,7 +82,8 @@ ufw allow from "$_ip" to any port 35622
 ufw allow from "$_ip" to any port 35623
 
 # install and enable systemd service
-cp "$_assets"/urbackup.service /etc/systemd/system/
+# cp "$_assets"/urbackup.service /etc/systemd/system/
+cp urbackupclientbackend-debian.service /etc/systemd/system/urbackup.service
 chmod a+x /etc/systemd/system/urbackup.service
 
 systemctl --system daemon-reload

bin/vhost.sh

@@ -106,6 +106,16 @@ if [ "$vh" = "y" ]; then
   chmod -R g+w /var/www/"$_domain"/
   chmod -R g+r /var/www/"$_domain"/
 
+  #set fail2ban for vhost
+  # https://stackoverflow.com/a/65552146
+  cp "$_assets/fail2ban/jail.d/nginx-badbots.conf" "/etc/fail2ban/jail.d/nginx-badbots-$_domain.conf"
+  sed -i -r "s/\[nginx-badbots\]/\[nginx-badbots-$_domain\]/g" "/etc/fail2ban/jail.d/nginx-badbots-$_domain.conf"
+  sed -i -r "s/<FILTER>/\[nginx-badbots-$_domain\]/g" "/etc/fail2ban/jail.d/nginx-badbots-$_domain.conf"
+  sed -i -r "s/<LOGPATH>/\/var\/www\/$_domain\/log\/error.log/g" "/etc/fail2ban/jail.d/nginx-badbots-$_domain.conf"
+
+  cp "$_assets/fail2ban/filter.d/nginx-badbots.conf" "/etc/fail2ban/filter.d/nginx-badbots-$_domain.conf"
+  sed -i -r "s/<HOST>/$_domain/g" "/etc/fail2ban/filter.d/nginx-badbots-$_domain.conf"
+
 
 
   # create a shortcut to the site

bin/webhook.sh

@@ -91,7 +91,7 @@ git --git-dir=/home/"$user"/git-repositories/"$_domain.git" remote add origin "$
 
 # hook deploy script
 cp -f "$_assets"/webhook-deploy.sh /home/"$user"/webhook_deploy_"$_id".sh
-sed -i -r "s/DOMAIN/$_domain/g" /home/"$user"/webhook_deploy_"$_domain".sh
+sed -i -r "s/DOMAIN/$_domain/g" /home/"$user"/webhook_deploy_"$_id".sh
 chowm $user:$user /home/"$user"/webhook_deploy_"$_id".sh
 chmod +x /home/"$user"/webhook_deploy_"$_id".sh
 

bin/zabbix.sh

@@ -26,12 +26,9 @@ if [ ! -d "$_assets" ]; then
   fi
 fi
 
-# not necessary anymore zabbix-agent 4 is in apt
-# https://packages.debian.org/fr/buster/zabbix-agent
-# TODO downgrade zabbix-agent to 3.4
 
-wget -P /tmp/ http://repo.zabbix.com/zabbix/3.4/debian/pool/main/z/zabbix-release/zabbix-release_3.4-1+stretch_all.deb
-dpkg -i /tmp/zabbix-release_3.4-1+stretch_all.deb
+wget -P /tmp/ wget https://repo.zabbix.com/zabbix/6.4/debian/pool/main/z/zabbix-release/zabbix-release_6.4-1+debian12_all.deb
+dpkg -i /tmp/zabbix-release_6.4-1+debian12_all.deb
 
 apt-get update -y
 
@@ -57,6 +54,10 @@ sed -i "s#Server=127.0.0.1#Server=$_ip#g" /etc/zabbix/zabbix_agentd.conf
 sed -i "s#ServerActive=127.0.0.1#ServerActive=$_ip#g" /etc/zabbix/zabbix_agentd.conf
 sed -i "s#Hostname=Zabbix server#Hostname=$_host_name#g" /etc/zabbix/zabbix_agentd.conf
 
+
+# todo ask if LXC container, if yes install this script
+# https://github.com/kvaps/zabbix-linux-container-template
+
 # APT
 # check for debian security updates
 # not working : https://www.osso.nl/blog/zabbix-counting-security-updates

install.sh

@@ -78,6 +78,7 @@ do
   read _install_vhost
 done
 if [ "$_install_vhost" = "yes" ]; then
+  # TODO bug vhost.sh file does not exists ...
   . bin/vhost.sh
 else
   echo 'no vhost installed'

raw.githubusercontent.com_kvaps_zabbix-linux-container-template_master_zabbix_container.conf.txt

@@ -0,0 +1,4 @@
+UserParameter=ct.memory.size[*],free -b | awk 'NR==2 {total=$ 2; used=($ 3+$ 5); pused=(($ 3+$ 5)*100/$ 2); free=$ 4; pfree=($ 4*100/$ 2); shared=$ 5; buffers=$ 6; cached=$ 6; available=$ 7; pavailable=($ 7*100/$ 2); if("$1" == "") {printf("%.0f", total )} else {printf("%.0f", $1 "" )} }'
+UserParameter=ct.swap.size[*],free -b | awk 'NR==3 {total=$ 2; used=$ 3; free=$ 4; pfree=($ 4*100/$ 2); pused=($ 3*100/$ 2); if("$1" == "") {printf("%.0f", free )} else {printf("%.0f", $1 "" )} }'
+UserParameter=ct.cpu.load[*],cut -d" " -f1-3 /proc/loadavg | awk -F'[, ]+' '{avg1=$(NF-2); avg5=$(NF-1); avg15=$(NF)}{print $2/'$(nproc)'}'
+UserParameter=ct.uptime,cut -d"." -f1 /proc/uptime

readme.md

@@ -1,4 +1,4 @@
-# Install LEMP web server and secure it on debian 10
+# Install LEMP web server and secure it on debian 12
 
 Fail2ban, Ufw, Proftpd, Knockd, Nginx, Mariadb, php7.0-fpm, redis, vhosts, git barre repos, zabbix-agent, dotfiles and more