131 changed files with 7713 additions and 0 deletions
-
61Install_Scripts/debian/install.sh
-
13Install_Scripts/debian/pre-install.sh
-
48Install_Scripts/debian/resources/arguments.sh
-
27Install_Scripts/debian/resources/backup/fusionpbx-backup
-
137Install_Scripts/debian/resources/backup/fusionpbx-maintenance
-
25Install_Scripts/debian/resources/colors.sh
-
29Install_Scripts/debian/resources/config.sh
-
103Install_Scripts/debian/resources/environment.sh
-
37Install_Scripts/debian/resources/fail2ban.sh
-
21Install_Scripts/debian/resources/fail2ban/auth-challenge-ip.conf
-
20Install_Scripts/debian/resources/fail2ban/freeswitch-acl.conf
-
20Install_Scripts/debian/resources/fail2ban/freeswitch-ip.conf
-
18Install_Scripts/debian/resources/fail2ban/freeswitch.conf
-
27Install_Scripts/debian/resources/fail2ban/fusionpbx-404.conf
-
20Install_Scripts/debian/resources/fail2ban/fusionpbx-mac.conf
-
25Install_Scripts/debian/resources/fail2ban/fusionpbx.conf
-
143Install_Scripts/debian/resources/fail2ban/jail.local
-
5Install_Scripts/debian/resources/fail2ban/nginx-404.conf
-
14Install_Scripts/debian/resources/fail2ban/nginx-dos.conf
-
21Install_Scripts/debian/resources/fail2ban/sip-auth-challenge.conf
-
21Install_Scripts/debian/resources/fail2ban/sip-auth-failure.conf
-
145Install_Scripts/debian/resources/finish.sh
-
35Install_Scripts/debian/resources/fusionpbx.sh
-
47Install_Scripts/debian/resources/fusionpbx/config.php
-
126Install_Scripts/debian/resources/ioncube.sh
-
68Install_Scripts/debian/resources/iptables.sh
-
130Install_Scripts/debian/resources/letsencrypt.sh
-
22Install_Scripts/debian/resources/letsencrypt/domain_name.conf
-
19Install_Scripts/debian/resources/monit.sh
-
3Install_Scripts/debian/resources/monit/freeswitch
-
5Install_Scripts/debian/resources/monit/shell.sh
-
30Install_Scripts/debian/resources/nftables.sh
-
84Install_Scripts/debian/resources/nginx.sh
-
305Install_Scripts/debian/resources/nginx/fusionpbx
-
139Install_Scripts/debian/resources/php.sh
-
116Install_Scripts/debian/resources/postgresql.sh
-
31Install_Scripts/debian/resources/postgresql/create.sh
-
70Install_Scripts/debian/resources/postgresql/dsn.sh
-
27Install_Scripts/debian/resources/postgresql/empty.sh
-
54Install_Scripts/debian/resources/postgresql/iptables.sh
-
177Install_Scripts/debian/resources/postgresql/node.sh
-
97Install_Scripts/debian/resources/postgresql/pg_hba.conf
-
62Install_Scripts/debian/resources/postgresql/pg_hba.sh
-
618Install_Scripts/debian/resources/postgresql/postgresql.conf
-
4Install_Scripts/debian/resources/random.sh
-
37Install_Scripts/debian/resources/reboot_phones.sh
-
32Install_Scripts/debian/resources/reset_admin_password.sh
-
27Install_Scripts/debian/resources/sngrep.sh
-
52Install_Scripts/debian/resources/switch.sh
-
3Install_Scripts/debian/resources/switch/conf-copy.sh
-
57Install_Scripts/debian/resources/switch/dsn.sh
-
27Install_Scripts/debian/resources/switch/package-all.sh
-
9Install_Scripts/debian/resources/switch/package-master-all.sh
-
31Install_Scripts/debian/resources/switch/package-master.sh
-
13Install_Scripts/debian/resources/switch/package-permissions.sh
-
56Install_Scripts/debian/resources/switch/package-release.sh
-
13Install_Scripts/debian/resources/switch/package-systemd.sh
-
25Install_Scripts/debian/resources/switch/repo.sh
-
41Install_Scripts/debian/resources/switch/source-master.sh
-
5Install_Scripts/debian/resources/switch/source-permissions.sh
-
143Install_Scripts/debian/resources/switch/source-release.sh
-
15Install_Scripts/debian/resources/switch/source-systemd.sh
-
24Install_Scripts/debian/resources/switch/source-to-package.sh
-
2Install_Scripts/debian/resources/switch/source/etc.default.freeswitch.package
-
4Install_Scripts/debian/resources/switch/source/etc.default.freeswitch.source
-
62Install_Scripts/debian/resources/switch/source/freeswitch.service.package
-
57Install_Scripts/debian/resources/switch/source/freeswitch.service.source
-
53Install_Scripts/debian/resources/switch/source/mod_pgsql.patch
-
44Install_Scripts/debian/resources/upgrade/php.sh
-
60Install_Scripts/ubuntu/install.sh
-
13Install_Scripts/ubuntu/pre-install.sh
-
48Install_Scripts/ubuntu/resources/arguments.sh
-
27Install_Scripts/ubuntu/resources/backup/fusionpbx-backup
-
119Install_Scripts/ubuntu/resources/backup/fusionpbx-maintenance
-
25Install_Scripts/ubuntu/resources/colors.sh
-
28Install_Scripts/ubuntu/resources/config.sh
-
95Install_Scripts/ubuntu/resources/environment.sh
-
35Install_Scripts/ubuntu/resources/fail2ban.sh
-
21Install_Scripts/ubuntu/resources/fail2ban/auth-challenge-ip.conf
-
20Install_Scripts/ubuntu/resources/fail2ban/freeswitch-ip.conf
-
18Install_Scripts/ubuntu/resources/fail2ban/freeswitch.conf
-
27Install_Scripts/ubuntu/resources/fail2ban/fusionpbx-404.conf
-
20Install_Scripts/ubuntu/resources/fail2ban/fusionpbx-mac.conf
-
25Install_Scripts/ubuntu/resources/fail2ban/fusionpbx.conf
-
131Install_Scripts/ubuntu/resources/fail2ban/jail.local
-
5Install_Scripts/ubuntu/resources/fail2ban/nginx-404.conf
-
14Install_Scripts/ubuntu/resources/fail2ban/nginx-dos.conf
-
21Install_Scripts/ubuntu/resources/fail2ban/sip-auth-challenge.conf
-
21Install_Scripts/ubuntu/resources/fail2ban/sip-auth-failure.conf
-
145Install_Scripts/ubuntu/resources/finish.sh
-
35Install_Scripts/ubuntu/resources/fusionpbx.sh
-
47Install_Scripts/ubuntu/resources/fusionpbx/config.php
-
94Install_Scripts/ubuntu/resources/ioncube.sh
-
48Install_Scripts/ubuntu/resources/iptables.sh
-
127Install_Scripts/ubuntu/resources/letsencrypt.sh
-
22Install_Scripts/ubuntu/resources/letsencrypt/domain_name.conf
-
67Install_Scripts/ubuntu/resources/nginx.sh
-
268Install_Scripts/ubuntu/resources/nginx/fusionpbx
-
106Install_Scripts/ubuntu/resources/php.sh
-
90Install_Scripts/ubuntu/resources/postgresql.sh
@ -0,0 +1,61 @@ |
|||
#!/bin/sh |
|||
|
|||
#move to script directory so all relative paths work |
|||
cd "$(dirname "$0")" |
|||
|
|||
#includes |
|||
. ./resources/config.sh |
|||
. ./resources/colors.sh |
|||
. ./resources/environment.sh |
|||
|
|||
# removes the cd img from the /etc/apt/sources.list file (not needed after base install) |
|||
sed -i '/cdrom:/d' /etc/apt/sources.list |
|||
|
|||
#Update to latest packages |
|||
verbose "Update installed packages" |
|||
apt-get update && apt-get upgrade -y |
|||
|
|||
#Add dependencies |
|||
apt-get install -y wget |
|||
apt-get install -y lsb-release |
|||
apt-get install -y systemd |
|||
apt-get install -y systemd-sysv |
|||
apt-get install -y ca-certificates |
|||
apt-get install -y dialog |
|||
apt-get install -y nano |
|||
apt-get install -y net-tools |
|||
|
|||
#SNMP |
|||
apt-get install -y snmpd |
|||
echo "rocommunity public" > /etc/snmp/snmpd.conf |
|||
service snmpd restart |
|||
|
|||
#IPTables |
|||
resources/iptables.sh |
|||
|
|||
#sngrep |
|||
resources/sngrep.sh |
|||
|
|||
#FusionPBX |
|||
resources/fusionpbx.sh |
|||
|
|||
#PHP |
|||
resources/php.sh |
|||
|
|||
#NGINX web server |
|||
resources/nginx.sh |
|||
|
|||
#FreeSWITCH |
|||
resources/switch.sh |
|||
|
|||
#Fail2ban |
|||
resources/fail2ban.sh |
|||
|
|||
#Postgres |
|||
resources/postgresql.sh |
|||
|
|||
#set the ip address |
|||
server_address=$(hostname -I) |
|||
|
|||
#add the database schema, user and groups |
|||
resources/finish.sh |
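Review bot: The SNMP step replaces /etc/snmp/snmpd.conf with the single line `rocommunity public`, which grants read access under the well-known default community string with no source restriction. Because the file is overwritten rather than edited, any agent-address or view limits in the packaged configuration are dropped too; whether resources/iptables.sh filters UDP 161 is not visible in this section. I would take the community string from config.sh and bind it to a source, for example `echo "rocommunity $snmp_community 127.0.0.1" > /etc/snmp/snmpd.conf` (`snmp_community` is a constructed name for a new config.sh setting), or install snmpd only when it is asked for. Separately, `cd "$(dirname "$0")"` is unchecked, so a failed cd leaves every relative `resources/...` call running from the wrong directory; `cd "$(dirname "$0")" || exit 1` closes that.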
@ -0,0 +1,13 @@ |
|||
#!/bin/sh |
|||
|
|||
#upgrade the packages |
|||
apt-get update && apt-get upgrade -y |
|||
|
|||
#install packages |
|||
apt-get install -y git lsb-release |
|||
|
|||
#get the install script |
|||
cd /usr/src && git clone https://github.com/fusionpbx/fusionpbx-install.sh.git |
|||
|
|||
#change the working directory |
|||
cd /usr/src/fusionpbx-install.sh/debian |
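Review bot: The `git clone` under "get the install script" pulls whatever the default branch holds at install time, and that code is then run as root, so an install is not tied to any reviewed revision. Cloning a release tag or checking out a known commit would make installs reproducible, e.g. `git clone --branch <RELEASE_TAG> https://github.com/fusionpbx/fusionpbx-install.sh.git` (the tag is a placeholder, none is named on this page). The final `cd` is a separate command, so it still runs after a failed clone, and it only changes the caller's directory when the script is sourced rather than executed; a comment saying which is intended would help.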
@ -0,0 +1,48 @@ |
|||
#!/bin/sh |
|||
|
|||
#Process command line options only if we haven't been processed once |
|||
if [ -z "$CPU_CHECK" ]; then |
|||
export script_name=`basename "$0"` |
|||
ARGS=$(getopt -n '$script_name' -o h -l help,use-switch-source,use-switch-package-all,use-switch-master,use-switch-package-unofficial-arm,use-php5-package,use-system-master,no-cpu-check -- "$@") |
|||
|
|||
if [ $? -ne 0 ]; then |
|||
error "Failed parsing options." |
|||
exit 1 |
|||
fi |
|||
|
|||
export USE_SWITCH_SOURCE=false |
|||
export USE_SWITCH_PACKAGE_ALL=false |
|||
export USE_SWITCH_PACKAGE_UNOFFICIAL_ARM=false |
|||
export USE_PHP5_PACKAGE=false |
|||
export USE_SWITCH_MASTER=false |
|||
export USE_SYSTEM_MASTER=false |
|||
export CPU_CHECK=true |
|||
HELP=false |
|||
|
|||
while true; do |
|||
case "$1" in |
|||
--use-switch-source ) export USE_SWITCH_SOURCE=true; shift ;; |
|||
--use-switch-package-all ) export USE_SWITCH_PACKAGE_ALL=true; shift ;; |
|||
--use-switch-master ) export USE_SWITCH_MASTER=true; shift ;; |
|||
--use-system-master ) export USE_SYSTEM_MASTER=true; shift ;; |
|||
--use-php5-package ) export USE_PHP5_PACKAGE=true; shift ;; |
|||
--use-switch-package-unofficial-arm ) export USE_SWITCH_PACKAGE_UNOFFICIAL_ARM=true; export USE_PHP5_PACKAGE=true; shift ;; |
|||
--no-cpu-check ) export CPU_CHECK=false; shift ;; |
|||
-h | --help ) HELP=true; shift ;; |
|||
-- ) shift; break ;; |
|||
* ) break ;; |
|||
esac |
|||
done |
|||
|
|||
if [ .$HELP = .true ]; then |
|||
warning "Debian installer script" |
|||
warning " --use-switch-source will use freeswitch from source rather than ${green}(default:packages)" |
|||
warning " --use-switch-package-all if using packages use the meta-all package" |
|||
warning " --use-switch-package-unofficial-arm if your system is arm and you are using packages, use the unofficial arm repo and force php5* packages" |
|||
warning " --use-php5-package use php5* packages instead of ${green}(default:php7.0)" |
|||
warning " --use-switch-master will use master branch/packages for the switch instead of ${green}(default:stable)" |
|||
warning " --use-system-master will use master branch/packages for the system instead of ${green}(default:stable)" |
|||
warning " --no-cpu-check disable the cpu check ${green}(default:check)" |
|||
exit; |
|||
fi |
|||
fi |
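Review bot: The `getopt` result stored in `ARGS` is never applied, so the `while`/`case` loop still walks the raw `"$1"` arguments and the normalisation getopt performed is lost; the usual idiom after the `$?` check is `eval set -- "$ARGS"`. In the same call `-n '$script_name'` is single-quoted, so getopt's own error messages print the literal text `$script_name`; it should be `-n "$script_name"`. The `$?` test only holds while nothing is inserted between the assignment and the `if`, so `ARGS=$(getopt ...) || { error "Failed parsing options."; exit 1; }` is sturdier. The file also depends on `error` and `warning` from colors.sh having been sourced first, which deserves a comment at the top.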
@ -0,0 +1,27 @@ |
|||
#!/bin/sh |
|||
|
|||
export PGPASSWORD="zzz" |
|||
db_host=127.0.0.1 |
|||
db_port=5432 |
|||
|
|||
now=$(date +%Y-%m-%d) |
|||
mkdir -p /var/backups/fusionpbx/postgresql |
|||
|
|||
echo "Backup Started" |
|||
|
|||
#delete postgres backups |
|||
find /var/backups/fusionpbx/postgresql/fusionpbx_pgsql* -mtime +4 -exec rm -f {} \; |
|||
|
|||
#delete the main backup |
|||
find /var/backups/fusionpbx/*.tgz -mtime +2 -exec rm -f {} \; |
|||
|
|||
#backup the database |
|||
pg_dump --verbose -Fc --host=$db_host --port=$db_port -U fusionpbx fusionpbx --schema=public -f /var/backups/fusionpbx/postgresql/fusionpbx_pgsql_$now.sql |
|||
|
|||
#package |
|||
#tar --exclude='/var/lib/freeswitch/recordings/*/archive' -zvcf /var/backups/fusionpbx/backup_$now.tgz /var/backups/fusionpbx/postgresql/fusionpbx_pgsql_$now.sql /var/www/fusionpbx /usr/share/freeswitch/scripts /var/lib/freeswitch/storage /var/lib/freeswitch/recordings /etc/fusionpbx /etc/freeswitch /usr/share/freeswitch/sounds/music/ |
|||
|
|||
#source |
|||
#tar -zvcf /var/backups/fusionpbx/backup_$now.tgz /var/backups/fusionpbx/postgresql/fusionpbx_pgsql_$now.sql /var/www/fusionpbx /usr/local/freeswitch/scripts /usr/local/freeswitch/storage /usr/local/freeswitch/recordings /etc/fusionpbx /usr/local/freeswitch/conf /usr/local/freeswitch/sounds/music/ |
|||
|
|||
echo "Backup Completed" |
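Review bot: `export PGPASSWORD="zzz"` means the real database password has to be written into this script, and the same line opens fusionpbx-maintenance; neither script sets its own file mode, so the secret is as readable as the location the file is installed to. A `~/.pgpass` entry with mode 0600 for the account that runs the job (or at least mode 0700 on the installed script) keeps it out of a readable file and out of the environment exported to every child process. `-Fc` writes pg_dump's custom archive format, so the `.sql` suffix on the output file is misleading for whoever has to restore it, and `$db_host`, `$db_port` and `$now` are expanded unquoted. The two `find` calls use a shell glob as the start path, which reports an error on a first run when nothing matches; `find /var/backups/fusionpbx -maxdepth 1 -name '*.tgz' -mtime +2 -delete` avoids that.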
@ -0,0 +1,137 @@ |
|||
#!/bin/sh |
|||
|
|||
#settings |
|||
export PGPASSWORD="zzz" |
|||
db_host=127.0.0.1 |
|||
db_port=5432 |
|||
switch_package=true # true or false |
|||
|
|||
purge_voicemail=false |
|||
purge_call_recordings=false |
|||
purge_cdrs=false |
|||
purge_fax=false |
|||
purge_switch_logs=true |
|||
purge_php_sessions=true |
|||
purge_database_transactions=true |
|||
purge_email_queue=false |
|||
purge_fax_queue=true |
|||
|
|||
days_keep_voicemail=90 |
|||
days_keep_call_recordings=90 |
|||
days_keep_cdrs=90 |
|||
days_keep_fax=90 |
|||
days_keep_switch_logs=7 |
|||
days_keep_php_sessions=8 |
|||
days_keep_database_transactions=30 |
|||
days_keep_email_queue=30 |
|||
days_keep_fax_queue=30 |
|||
|
|||
#set the date |
|||
now=$(date +%Y-%m-%d) |
|||
|
|||
#make sure the directory exists |
|||
if [ -e /var/backups/fusionpbx/postgresql ]; then |
|||
echo "postgres backup directory exists" |
|||
else |
|||
mkdir -p /var/backups/fusionpbx/postgresql |
|||
fi |
|||
|
|||
#show message to the console |
|||
echo "Maintenance Started" |
|||
|
|||
if [ .$purge_switch_logs = .true ]; then |
|||
#delete freeswitch logs older 7 days |
|||
if [ .$switch_package = .true ]; then |
|||
find /var/log/freeswitch/freeswitch.log.* -mtime +$days_keep_switch_logs -exec rm {} \; |
|||
else |
|||
find /usr/local/freeswitch/log/freeswitch.log.* -mtime +$days_keep_switch_logs -exec rm {} \; |
|||
fi |
|||
else |
|||
echo "not purging Freeswitch logs" |
|||
fi |
|||
|
|||
if [ .$purge_fax = .true ]; then |
|||
#delete fax older than 90 days |
|||
if [ .$switch_package = .true ]; then |
|||
echo "."; |
|||
find /var/lib/freeswitch/storage/fax/* -name '*.tif' -mtime +$days_keep_fax -exec rm {} \; |
|||
find /var/lib/freeswitch/storage/fax/* -name '*.pdf' -mtime +$days_keep_fax -exec rm {} \; |
|||
else |
|||
echo "."; |
|||
find /usr/local/freeswitch/storage/fax/* -name '*.tif' -mtime +$days_keep_fax -exec rm {} \; |
|||
find /usr/local/freeswitch/storage/fax/* -name '*.pdf' -mtime +$days_keep_fax -exec rm {} \; |
|||
fi |
|||
#delete from the database |
|||
psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_fax_files WHERE fax_date < NOW() - INTERVAL '$days_keep_fax days'" |
|||
psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_fax_logs WHERE fax_date < NOW() - INTERVAL '$days_keep_fax days'" |
|||
else |
|||
echo "not purging Faxes" |
|||
fi |
|||
|
|||
if [ .$purge_call_recordings = .true ]; then |
|||
#delete call recordings older than 90 days |
|||
if [ .$switch_package = .true ]; then |
|||
find /var/lib/freeswitch/recordings/*/archive/* -name '*.wav' -mtime +$days_keep_call_recordings -exec rm {} \; |
|||
find /var/lib/freeswitch/recordings/*/archive/* -name '*.mp3' -mtime +$days_keep_call_recordings -exec rm {} \; |
|||
else |
|||
find /usr/local/freeswitch/recordings/*/archive/* -name '*.wav' -mtime +$days_keep_call_recordings -exec rm {} \; |
|||
find /usr/local/freeswitch/recordings/*/archive/* -name '*.mp3' -mtime +$days_keep_call_recordings -exec rm {} \; |
|||
fi |
|||
psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_call_recordings WHERE call_recording_date < NOW() - INTERVAL '90 days'" |
|||
else |
|||
echo "not purging Recordings." |
|||
fi |
|||
|
|||
if [ .$purge_voicemail = .true ]; then |
|||
#delete voicemail older than 90 days |
|||
if [ .$switch_package = .true ]; then |
|||
echo "."; |
|||
find /var/lib/freeswitch/storage/voicemail/default/* -name 'msg_*.wav' -mtime +$days_keep_voicemail -exec rm {} \; |
|||
find /var/lib/freeswitch/storage/voicemail/default/* -name 'msg_*.mp3' -mtime +$days_keep_voicemail -exec rm {} \; |
|||
else |
|||
echo "."; |
|||
find /usr/local/freeswitch/storage/voicemail/* -name 'msg_*.wav' -mtime +$days_keep_voicemail -exec rm {} \; |
|||
find /usr/local/freeswitch/storage/voicemail/* -name 'msg_*.mp3' -mtime +$days_keep_voicemail -exec rm {} \; |
|||
fi |
|||
psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_voicemail_messages WHERE to_timestamp(created_epoch) < NOW() - INTERVAL '$days_keep_voicemail days'" |
|||
else |
|||
echo "not purging voicemails." |
|||
fi |
|||
|
|||
if [ .$purge_cdrs = .true ]; then |
|||
#delete call detail records older 90 days |
|||
psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_xml_cdr WHERE start_stamp < NOW() - INTERVAL '$days_keep_cdrs days'" |
|||
else |
|||
echo "not purging CDRs." |
|||
fi |
|||
|
|||
#delete php sessions |
|||
if [ .$purge_php_sessions = .true ]; then |
|||
find /var/lib/php/sessions/* -name 'sess_*' -mtime +$days_keep_php_sessions -exec rm {} \; |
|||
else |
|||
echo "not purging PHP Sessions." |
|||
fi |
|||
|
|||
#delete database_transactions older 90 days |
|||
if [ .$purge_database_transactions = .true ]; then |
|||
psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_database_transactions where transaction_date < NOW() - INTERVAL '$days_keep_database_transactions days'" |
|||
else |
|||
echo "not purging database_transactions." |
|||
fi |
|||
|
|||
#delete email_queue older 30 days |
|||
if [ .$purge_email_queue = .true ]; then |
|||
psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_email_queue where email_status = 'sent' and email_date < NOW() - INTERVAL '$days_keep_email_queue days'" |
|||
else |
|||
echo "not purging email_queue." |
|||
fi |
|||
|
|||
#delete fax_queue older 30 days |
|||
if [ .$purge_fax_queue = .true ]; then |
|||
psql --host=127.0.0.1 --username=fusionpbx -c "delete from v_fax_queue where fax_status = 'sent' and fax_date < NOW() - INTERVAL '$days_keep_fax_queue days'" |
|||
else |
|||
echo "not purging fax_queue." |
|||
fi |
|||
|
|||
#completed message |
|||
echo "Maintenance Completed"; |
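Review bot: The call-recording purge removes files older than `$days_keep_call_recordings`, but the matching `psql` delete hard-codes `INTERVAL '90 days'`, so changing the setting leaves database rows and files on disk out of step; it should read `INTERVAL '$days_keep_call_recordings days'` like the other purges. Every `psql` call passes `--host=127.0.0.1` and no port, so the `db_host` and `db_port` settings at the top are never used; `--host="$db_host" --port="$db_port"` would honour them. The `days_keep_*` values are interpolated directly into SQL and into `-mtime +N`; they are local settings rather than outside input, but a one-line check that each is a plain integer would stop a typo from becoming a malformed delete. Several comments ("older 7 days", "database_transactions older 90 days") no longer describe the configured defaults and should name the variable instead.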
@ -0,0 +1,25 @@ |
|||
#!/bin/sh |
|||
|
|||
verbose () { |
|||
echo "${green}$1${normal}" |
|||
} |
|||
error () { |
|||
echo "${red}$1${normal}" |
|||
} |
|||
warning () { |
|||
echo "${yellow}$1${normal}" |
|||
} |
|||
|
|||
# check for color support |
|||
if test -t 1; then |
|||
|
|||
# see if it supports colors... |
|||
ncolors=$(tput colors) |
|||
|
|||
if test -n "$ncolors" && test $ncolors -ge 8; then |
|||
normal="$(tput sgr0)" |
|||
red="$(tput setaf 1)" |
|||
green="$(tput setaf 2)" |
|||
yellow="$(tput setaf 3)" |
|||
fi |
|||
fi |
@ -0,0 +1,29 @@ |
|||
|
|||
# FusionPBX Settings |
|||
domain_name=ip_address # hostname, ip_address or a custom value |
|||
system_username=admin # default username admin |
|||
system_password=random # random or a custom value |
|||
system_branch=master # master, stable |
|||
|
|||
# FreeSWITCH Settings |
|||
switch_branch=stable # master, stable |
|||
switch_source=true # true (source compile) or false (binary package) |
|||
switch_package=false # true (binary package) or false (source compile) |
|||
switch_version=1.10.7 # which source code to download, only for source |
|||
switch_tls=true # true or false |
|||
switch_token= # Get the auth token from https://signalwire.com |
|||
# Signup or Login -> Profile -> Personal Auth Token |
|||
# Sofia-Sip Settings |
|||
sofia_version=1.13.8 # release-version for sofia-sip to use |
|||
|
|||
# Database Settings |
|||
database_password=random # random or a custom value (safe characters A-Z, a-z, 0-9) |
|||
database_repo=official # PostgreSQL official, system, 2ndquadrant |
|||
database_version=latest # requires repo official |
|||
database_host=127.0.0.1 # hostname or IP address |
|||
database_port=5432 # port number |
|||
database_backup=false # true or false |
|||
|
|||
# General Settings |
|||
php_version=7.4 # PHP version 7.1, 7.3, 7.4 |
|||
letsencrypt_folder=true # true or false |
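Review bot: This file is where `system_password`, `database_password` and the SignalWire `switch_token` end up once an operator replaces the defaults, yet nothing in it says how the file should be protected. A header comment such as `# holds credentials once edited: keep mode 0600 and do not commit local changes` would help, and the installer could tighten the mode before sourcing it. `switch_source` and `switch_package` describe one choice with opposite booleans and can be set to contradictory values; a single setting, or a check that exactly one is true, would remove that ambiguity.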
@ -0,0 +1,103 @@ |
|||
#!/bin/sh |
|||
|
|||
#make sure lsb release is installed |
|||
apt-get install lsb-release |
|||
|
|||
#operating system details |
|||
os_name=$(lsb_release -is) |
|||
os_codename=$(lsb_release -cs) |
|||
os_mode='unknown' |
|||
|
|||
#cpu details |
|||
cpu_name=$(uname -m) |
|||
cpu_architecture='unknown' |
|||
cpu_mode='unknown' |
|||
|
|||
#set the environment path |
|||
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin |
|||
|
|||
#check what the CPU and OS are |
|||
if [ .$cpu_name = .'armv6l' ]; then |
|||
# RaspberryPi Zero |
|||
os_mode='32' |
|||
cpu_mode='32' |
|||
cpu_architecture='arm' |
|||
elif [ .$cpu_name = .'armv7l' ]; then |
|||
# RaspberryPi 3 is actually armv8l but current Raspbian reports the cpu as armv7l and no Raspbian 64Bit has been released at this time |
|||
os_mode='32' |
|||
cpu_mode='32' |
|||
cpu_architecture='arm' |
|||
elif [ .$cpu_name = .'armv8l' ]; then |
|||
# No test case for armv8l |
|||
os_mode='unknown' |
|||
cpu_mode='64' |
|||
cpu_architecture='arm' |
|||
elif [ .$cpu_name = .'aarch64' ]; then |
|||
os_mode='64' |
|||
cpu_mode='64' |
|||
cpu_architecture='arm' |
|||
elif [ .$cpu_name = .'i386' ]; then |
|||
os_mode='32' |
|||
if [ .$(grep -o -w 'lm' /proc/cpuinfo | head -n 1) = .'lm' ]; then |
|||
cpu_mode='64' |
|||
else |
|||
cpu_mode='32' |
|||
fi |
|||
cpu_architecture='x86' |
|||
elif [ .$cpu_name = .'i686' ]; then |
|||
os_mode='32' |
|||
if [ .$(grep -o -w 'lm' /proc/cpuinfo | head -n 1) = .'lm' ]; then |
|||
cpu_mode='64' |
|||
else |
|||
cpu_mode='32' |
|||
fi |
|||
cpu_architecture='x86' |
|||
elif [ .$cpu_name = .'x86_64' ]; then |
|||
os_mode='64' |
|||
if [ .$(grep -o -w 'lm' /proc/cpuinfo | head -n 1) = .'lm' ]; then |
|||
cpu_mode='64' |
|||
else |
|||
cpu_mode='32' |
|||
fi |
|||
cpu_architecture='x86' |
|||
else |
|||
error "You are using an unsupported cpu '$cpu_name'" |
|||
exit 3 |
|||
fi |
|||
|
|||
if [ .$cpu_architecture = .'arm' ]; then |
|||
if [ .$os_mode = .'32' ]; then |
|||
verbose "Correct CPU and Operating System detected, using the ARM repo" |
|||
elif [ .$os_mode = .'64' ]; then |
|||
error "You are using a 64bit arm OS this is unsupported" |
|||
switch_source=true |
|||
switch_package=false |
|||
else |
|||
error "Unknown OS mode $os_mode this is unsupported" |
|||
switch_source=true |
|||
switch_package=false |
|||
fi |
|||
elif [ .$cpu_architecture = .'x86' ]; then |
|||
if [ .$os_mode = .'32' ]; then |
|||
error "You are using a 32bit OS this is unsupported" |
|||
if [ .$cpu_mode = .'64' ]; then |
|||
warning " Your CPU is 64bit you should consider reinstalling with a 64bit OS" |
|||
fi |
|||
switch_source=true |
|||
switch_package=false |
|||
elif [ .$os_mode = .'64' ]; then |
|||
verbose "Correct CPU and Operating System detected" |
|||
else |
|||
error "Unknown Operating System mode '$os_mode' is unsupported" |
|||
switch_source=true |
|||
switch_package=false |
|||
fi |
|||
else |
|||
error "You are using an unsupported architecture '$cpu_architecture'" |
|||
warning "Detected environment was :-" |
|||
warning "os_name:'$os_name'" |
|||
warning "os_codename:'$os_codename'" |
|||
warning "os_mode:'$os_mode'" |
|||
warning "cpu_name:'$cpu_name'" |
|||
exit 3 |
|||
fi |
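Review bot: `apt-get install lsb-release` in the first step lacks `-y`, unlike every other install in this commit, so an unattended run can stop at the confirmation prompt; it should be `apt-get install -y lsb-release`. The i386, i686 and x86_64 branches repeat the same `/proc/cpuinfo` `lm` probe, which could be computed once before the `if` chain. In the 64-bit ARM and unknown-mode branches `error` reports the platform as unsupported while the script continues with `switch_source=true`; if continuing is intended, a `warning` that says it is falling back to a source build would describe the behaviour better. The `[ .$var = .'x' ]` tests rely on the values containing no whitespace; `[ "$cpu_name" = 'armv6l' ]` is the safer spelling.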
@ -0,0 +1,37 @@ |
|||
#!/bin/sh |
|||
|
|||
#move to script directory so all relative paths work |
|||
cd "$(dirname "$0")" |
|||
|
|||
#includes |
|||
. ./config.sh |
|||
. ./colors.sh |
|||
. ./environment.sh |
|||
|
|||
#send a message |
|||
verbose "Installing Fail2ban" |
|||
|
|||
#add the dependencies |
|||
apt-get install -y fail2ban |
|||
|
|||
#move the filters |
|||
cp fail2ban/freeswitch.conf /etc/fail2ban/filter.d/freeswitch.conf |
|||
cp fail2ban/freeswitch-acl.conf /etc/fail2ban/filter.d/freeswitch-acl.conf |
|||
cp fail2ban/sip-auth-failure.conf /etc/fail2ban/filter.d/sip-auth-failure.conf |
|||
cp fail2ban/sip-auth-challenge.conf /etc/fail2ban/filter.d/sip-auth-challenge.conf |
|||
cp fail2ban/auth-challenge-ip.conf /etc/fail2ban/filter.d/auth-challenge-ip.conf |
|||
cp fail2ban/freeswitch-ip.conf /etc/fail2ban/filter.d/freeswitch-ip.conf |
|||
cp fail2ban/fusionpbx.conf /etc/fail2ban/filter.d/fusionpbx.conf |
|||
cp fail2ban/fusionpbx-mac.conf /etc/fail2ban/filter.d/fusionpbx-mac.conf |
|||
cp fail2ban/fusionpbx-404.conf /etc/fail2ban/filter.d/fusionpbx-404.conf |
|||
cp fail2ban/nginx-404.conf /etc/fail2ban/filter.d/nginx-404.conf |
|||
cp fail2ban/nginx-dos.conf /etc/fail2ban/filter.d/nginx-dos.conf |
|||
cp fail2ban/jail.local /etc/fail2ban/jail.local |
|||
|
|||
#update config if source is being used |
|||
#if [ .$switch_source = .true ]; then |
|||
# sed 's#var/log/freeswitch#usr/local/freeswitch/log#g' -i /etc/fail2ban/jail.local |
|||
#fi |
|||
|
|||
#restart fail2ban |
|||
/usr/sbin/service fail2ban restart |
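Review bot: The last `cp` overwrites `/etc/fail2ban/jail.local` unconditionally, so re-running the installer discards local jail tuning (ignore lists, ban times) without a backup; `cp --backup=numbered fail2ban/jail.local /etc/fail2ban/jail.local` or a check for an existing file would preserve it. Neither the `cp` calls nor the leading `cd "$(dirname "$0")"` is checked, so a failed copy still ends in a fail2ban restart with a partial filter set; `cd "$(dirname "$0")" || exit 1` plus `|| exit 1` on the copies makes the failure visible. With the source-build `sed` commented out and `switch_source=true` as the shipped default in config.sh, the `/var/log/freeswitch` paths in jail.local will presumably not exist on a default install; that should be confirmed before the FreeSWITCH jails are enabled.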
@ -0,0 +1,21 @@ |
|||
# Fail2Ban configuration file |
|||
# |
|||
|
|||
[Definition] |
|||
|
|||
# Option: failregex |
|||
# Notes.: regex to match the password failures messages in the logfile. The |
|||
# host must be matched by a group named "host". The tag "<HOST>" can |
|||
# be used for standard IP/hostname matching and is only an alias for |
|||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
|||
# Values: TEXT |
|||
# |
|||
#[WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'internal' for [+972592277524@xxx.xxx.xxx.xxx] from ip 209.160.120.12 |
|||
failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth challenge \((INVITE|REGISTER)\) on sofia profile \'.*\' for \[.*@\d+.\d+.\d+.\d+\] from ip <HOST> |
|||
|
|||
|
|||
# Option: ignoreregex |
|||
# Notes.: regex to ignore. If this regex matches, the line is ignored. |
|||
# Values: TEXT |
|||
# |
|||
ignoreregex = |
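Review bot: The `failregex` is unanchored and uses `.*` inside `for \[.*@...\]`, a field whose content comes from the SIP request, so text supplied by the remote side sits in front of `<HOST>` and can influence which address the filter captures. fail2ban's filter guidance is to anchor such patterns and stop wildcards from spanning delimiters: `[^\]@]*` in place of `.*`, `\.` for the literal dots in `sofia_reg.c` and in the IPv4 part, and a trailing `\s*$`. The same pattern shape appears in freeswitch-ip.conf and in both lines of freeswitch.conf. The copied header still speaks of "password failures" while this filter matches auth challenges, which are a normal step of SIP authentication; together with `maxretry = 1` in jail.local it would, if enabled, ban any client that addresses the server by IP on its first challenge, and a comment stating that intent would help.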
@ -0,0 +1,20 @@ |
|||
# Fail2Ban configuration file |
|||
# |
|||
|
|||
[Definition] |
|||
|
|||
# Option: failregex |
|||
# Notes.: regex to match the password failures messages in the logfile. The |
|||
# host must be matched by a group named "host". The tag "<HOST>" can |
|||
# be used for standard IP/hostname matching and is only an alias for |
|||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
|||
# Values: TEXT |
|||
# |
|||
#2021-02-03 16:27:57.292697 [WARNING] sofia_reg.c:2353 IP 62.210.78.91 Rejected by register acl "domains" |
|||
failregex = \[WARNING\] sofia_reg.c:\d+ IP <HOST> Rejected by register acl |
|||
|
|||
# Option: ignoreregex |
|||
# Notes.: regex to ignore. If this regex matches, the line is ignored. |
|||
# Values: TEXT |
|||
# |
|||
ignoreregex = |
@ -0,0 +1,20 @@ |
|||
# Fail2Ban configuration file |
|||
# |
|||
|
|||
[Definition] |
|||
|
|||
# Option: failregex |
|||
# Notes.: regex to match the password failures messages in the logfile. The |
|||
# host must be matched by a group named "host". The tag "<HOST>" can |
|||
# be used for standard IP/hostname matching and is only an alias for |
|||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
|||
# Values: TEXT |
|||
# |
|||
#2014-12-01 00:47:54.331821 [WARNING] sofia_reg.c:2752 Can't find user [1000@xxx.xxx.xxx.xxx] from 62.210.151.162 |
|||
failregex = \[WARNING\] sofia_reg.c:\d+ Can't find user \[.*@\d+.\d+.\d+.\d+\] from <HOST> |
|||
|
|||
# Option: ignoreregex |
|||
# Notes.: regex to ignore. If this regex matches, the line is ignored. |
|||
# Values: TEXT |
|||
# |
|||
ignoreregex = |
@ -0,0 +1,18 @@ |
|||
[Definition] |
|||
|
|||
# Option: failregex |
|||
# Notes.: regex to match the password failures messages in the logfile. The |
|||
# host must be matched by a group named "host". The tag "<HOST>" can |
|||
# be used for standard IP/hostname matching and is only an alias for |
|||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
|||
# Values: TEXT |
|||
# |
|||
failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'.*\' for \[.*\] from ip <HOST> |
|||
\[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on sofia profile \'.*\' for \[.*\] from ip <HOST> |
|||
|
|||
# Option: ignoreregex |
|||
# Notes.: regex to ignore. If this regex matches, the line is ignored. |
|||
# Values: TEXT |
|||
# |
|||
ignoreregex = |
|||
|
@ -0,0 +1,27 @@ |
|||
# Fail2Ban configuration file |
|||
# inbound route - 404 not found |
|||
|
|||
|
|||
[Definition] |
|||
|
|||
|
|||
# Option: failregex |
|||
# Notes.: regex to match the password failures messages in the logfile. The |
|||
# host must be matched by a group named "host". The tag "<HOST>" can |
|||
# be used for standard IP/hostname matching and is only an alias for |
|||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
|||
# Values: TEXT |
|||
# |
|||
#failregex = [hostname] FusionPBX: \[<HOST>\] authentication failed |
|||
#[hostname] variable doesn't seem to work in every case. Do this instead: |
|||
failregex = 404 not found <HOST> |
|||
|
|||
|
|||
#EXECUTE sofia/external/8888888888888@example.fusionpbx.com log([inbound routes] 404 not found 82.68.115.62) |
|||
|
|||
|
|||
# Option: ignoreregex |
|||
# Notes.: regex to ignore. If this regex matches, the line is ignored. |
|||
# Values: TEXT |
|||
# |
|||
ignoreregex = |
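Review bot: `failregex = 404 not found <HOST>` matches that phrase anywhere in a line of freeswitch.log, a log that also records values taken from SIP requests, so the pattern is looser than the sample line requires. Tying it to the dialplan text shown in the sample, e.g. `failregex = \[inbound routes\] 404 not found <HOST>\)?\s*$`, keeps the match on the line the dialplan writes; check it with `fail2ban-regex` against a real log before relying on it. The commented-out FusionPBX authentication regex and the "password failures" wording are left over from another filter and should be replaced by a sentence saying this filter bans sources that hit the inbound-route 404.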
@ -0,0 +1,20 @@ |
|||
# Fail2Ban configuration file |
|||
# |
|||
|
|||
[Definition] |
|||
|
|||
# Option: failregex |
|||
# Notes.: regex to match the password failures messages in the logfile. The |
|||
# host must be matched by a group named "host". The tag "<HOST>" can |
|||
# be used for standard IP/hostname matching and is only an alias for |
|||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
|||
# Values: TEXT |
|||
# |
|||
#Oct 9 02:56:16 m1 fusionpbx-provision[28628]: [10.0.0.1] invalid mac address 000000000000 |
|||
failregex = \[<HOST>\] invalid mac address |
|||
|
|||
# Option: ignoreregex |
|||
# Notes.: regex to ignore. If this regex matches, the line is ignored. |
|||
# Values: TEXT |
|||
# |
|||
ignoreregex = |
@ -0,0 +1,25 @@ |
|||
# Fail2Ban configuration file |
|||
# |
|||
# Author: soapee01 |
|||
# |
|||
|
|||
[Definition] |
|||
|
|||
# Option: failregex |
|||
# Notes.: regex to match the password failures messages in the logfile. The |
|||
# host must be matched by a group named "host". The tag "<HOST>" can |
|||
# be used for standard IP/hostname matching and is only an alias for |
|||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
|||
# Values: TEXT |
|||
# |
|||
#failregex = [hostname] FusionPBX: \[<HOST>\] authentication failed |
|||
#[hostname] variable doesn't seem to work in every case. Do this instead: |
|||
failregex = .* FusionPBX: \[<HOST>\] authentication failed for |
|||
= .* FusionPBX: \[<HOST>\] provision attempt bad password for |
|||
|
|||
# Option: ignoreregex |
|||
# Notes.: regex to ignore. If this regex matches, the line is ignored. |
|||
# Values: TEXT |
|||
# |
|||
ignoreregex = |
|||
|
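Review bot: The second `failregex` line begins with `=`, so as far as this rendering shows the continuation value is `= .* FusionPBX: \[<HOST>\] provision attempt bad password for` and the pattern demands a literal `= ` in the log line; provisioning password failures would then never match. A continuation line in a fail2ban filter is just the indented regex, so the line should be whitespace followed by `.* FusionPBX: \[<HOST>\] provision attempt bad password for` with no `=`. Indentation is not preserved on this page, so confirm against the file and run `fail2ban-regex` with a sample provisioning failure.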
@ -0,0 +1,143 @@ |
|||
[ssh] |
|||
enabled = true |
|||
port = 22 |
|||
protocol = ssh |
|||
filter = sshd |
|||
logpath = /var/log/auth.log |
|||
action = iptables-allports[name=sshd, protocol=all] |
|||
maxretry = 6 |
|||
findtime = 60 |
|||
bantime = 86400 |
|||
|
|||
[freeswitch] |
|||
enabled = false |
|||
port = 5060:5091 |
|||
protocol = all |
|||
filter = freeswitch |
|||
logpath = /var/log/freeswitch/freeswitch.log |
|||
#logpath = /usr/local/freeswitch/log/freeswitch.log |
|||
action = iptables-allports[name=freeswitch, protocol=all] |
|||
maxretry = 10 |
|||
findtime = 60 |
|||
bantime = 3600 |
|||
# sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed |
|||
|
|||
[freeswitch-acl] |
|||
enabled = false |
|||
port = 5060:5091 |
|||
protocol = all |
|||
filter = freeswitch-acl |
|||
logpath = /var/log/freeswitch/freeswitch.log |
|||
#logpath = /usr/local/freeswitch/log/freeswitch.log |
|||
action = iptables-allports[name=freeswitch-acl, protocol=all] |
|||
maxretry = 900 |
|||
findtime = 60 |
|||
bantime = 86400 |
|||
|
|||
[freeswitch-ip] |
|||
enabled = false |
|||
port = 5060:5091 |
|||
protocol = all |
|||
filter = freeswitch-ip |
|||
logpath = /var/log/freeswitch/freeswitch.log |
|||
#logpath = /usr/local/freeswitch/log/freeswitch.log |
|||
action = iptables-allports[name=freeswitch-ip, protocol=all] |
|||
maxretry = 1 |
|||
findtime = 60 |
|||
bantime = 86400 |
|||
|
|||
[auth-challenge-ip] |
|||
enabled = false |
|||
port = 5060:5091 |
|||
protocol = all |
|||
filter = auth-challenge-ip |
|||
logpath = /var/log/freeswitch/freeswitch.log |
|||
#logpath = /usr/local/freeswitch/log/freeswitch.log |
|||
action = iptables-allports[name=auth-challenge-ip, protocol=all] |
|||
maxretry = 1 |
|||
findtime = 60 |
|||
bantime = 86400 |
|||
|
|||
[sip-auth-challenge] |
|||
enabled = false |
|||
port = 5060:5091 |
|||
protocol = all |
|||
filter = sip-auth-challenge |
|||
logpath = /var/log/freeswitch/freeswitch.log |
|||
#logpath = /usr/local/freeswitch/log/freeswitch.log |
|||
action = iptables-allports[name=sip-auth-challenge, protocol=all] |
|||
maxretry = 100 |
|||
findtime = 60 |
|||
bantime = 7200 |
|||
|
|||
[sip-auth-failure] |
|||
enabled = false |
|||
port = 5060:5091 |
|||
protocol = all |
|||
filter = sip-auth-failure |
|||
logpath = /var/log/freeswitch/freeswitch.log |
|||
#logpath = /usr/local/freeswitch/log/freeswitch.log |
|||
action = iptables-allports[name=sip-auth-failure, protocol=all] |
|||
maxretry = 6 |
|||
findtime = 60 |
|||
bantime = 7200 |
|||
|
|||
[fusionpbx-404] |
|||
enabled = false |
|||
port = 5060:5091 |
|||
protocol = all |
|||
filter = fusionpbx-404 |
|||
logpath = /var/log/freeswitch/freeswitch.log |
|||
#logpath = /usr/local/freeswitch/log/freeswitch.log |
|||
action = iptables-allports[name=fusionpbx-404, protocol=all] |
|||
maxretry = 6 |
|||
findtime = 60 |
|||
bantime = 86400 |
|||
|
|||
[fusionpbx] |
|||
enabled = true |
|||
port = 80,443 |
|||
protocol = tcp |
|||
filter = fusionpbx |
|||
logpath = /var/log/auth.log |
|||
action = iptables-allports[name=fusionpbx, protocol=all] |
|||
# sendmail-whois[name=fusionpbx, dest=root, sender=fail2ban@example.org] #no smtp server installed |
|||
maxretry = 20 |
|||
findtime = 60 |
|||
bantime = 3600 |
|||
|
|||
[fusionpbx-mac] |
|||
enabled = true |
|||
port = 80,443 |
|||
protocol = tcp |
|||
filter = fusionpbx-mac |
|||
logpath = /var/log/syslog |
|||
action = iptables-allports[name=fusionpbx-mac, protocol=all] |
|||
# sendmail-whois[name=fusionpbx-mac, dest=root, sender=fail2ban@example.org] #no smtp server installed |
|||
maxretry = 10 |
|||
findtime = 60 |
|||
bantime = 86400 |
|||
|
|||
[nginx-404] |
|||
enabled = true |
|||
port = 80,443 |
|||
protocol = tcp |
|||
filter = nginx-404 |
|||
logpath = /var/log/nginx/access*.log |
|||
action = iptables-allports[name=nginx-404, protocol=all] |
|||
bantime = 3600 |
|||
findtime = 60 |
|||
maxretry = 300 |
|||
|
|||
[nginx-dos] |
|||
# Based on apache-badbots but a simple IP check (any IP requesting more than |
|||
# 300 pages in 60 seconds, or 5p/s average, is suspicious) |
|||
enabled = true |
|||
port = 80,443 |
|||
protocol = tcp |
|||
filter = nginx-dos |
|||
logpath = /var/log/nginx/access*.log |
|||
action = iptables-allports[name=nginx-dos, protocol=all] |
|||
findtime = 60 |
|||
bantime = 86400 |
|||
maxretry = 800 |
@ -0,0 +1,5 @@ |
|||
# Fail2Ban configuration file |
|||
# |
|||
[Definition] |
|||
failregex = <HOST> - - \[.*\] "(GET|POST).*HTTP[^ ]* 404 |
|||
ignoreregex = |
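Review bot: The `failregex` is not anchored to the start of the line, so `<HOST>` can match an address that appears later in the log line (the request and header fields are client-supplied text) instead of the connecting client in nginx's first field, which could ban the wrong address. Anchor it: `failregex = ^<HOST> - - \[.*\] "(GET|POST).*HTTP[^ ]* 404`. The pattern also assumes the remote-user field is always `-` and counts only GET and POST, so 404s from authenticated users or from other methods such as HEAD never reach the threshold. A header comment stating the expected access-log format would make that assumption visible.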
@ -0,0 +1,14 @@ |
|||
# Fail2Ban configuration file |
|||
|
|||
[Definition] |
|||
# Option: failregex |
|||
# Notes.: Regexp to catch a generic call from an IP address. |
|||
# Values: TEXT |
|||
# |
|||
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"$ |
|||
|
|||
# Option: ignoreregex |
|||
# Notes.: regex to ignore. If this regex matches, the line is ignored. |
|||
# Values: TEXT |
|||
# |
|||
ignoreregex = |
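Review bot: This filter counts only GET and POST lines, so requests using HEAD, OPTIONS or any other method are never counted toward the `nginx-dos` threshold. If request volume is the intent, match the method generically, e.g. `failregex = ^<HOST> -.*"[A-Z]+ .*HTTP.*"$`. The header comment should also say that every successful request is counted, so clients behind a shared NAT or a reverse proxy appear as one address and need an `ignoreip` entry in the jail.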
@ -0,0 +1,21 @@ |
|||
# Fail2Ban configuration file |
|||
# |
|||
# Author: soapee01 |
|||
# |
|||
|
|||
[Definition] |
|||
|
|||
# Option: failregex |
|||
# Notes.: regex to match the password failures messages in the logfile. The |
|||
# host must be matched by a group named "host". The tag "<HOST>" can |
|||
# be used for standard IP/hostname matching and is only an alias for |
|||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
|||
# Values: TEXT |
|||
# |
|||
failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth challenge \(REGISTER\) on sofia profile \'.*\' for \[.*\] from ip <HOST> |
|||
|
|||
# Option: ignoreregex |
|||
# Notes.: regex to ignore. If this regex matches, the line is ignored. |
|||
# Values: TEXT |
|||
# |
|||
ignoreregex = |
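Review bot: The header comment says the pattern matches password failures, but the `failregex` matches `SIP auth challenge` lines, which FreeSWITCH presumably also logs for ordinary digest registrations; the comment should say so, so nobody enables this jail with a low `maxretry`. The pattern is also open at the end while the text inside `\[.*\]` comes from the SIP request, so, assuming the log line ends with the address, close it with `$`: `... for \[.*\] from ip <HOST>$`. The missing end anchor applies equally to sip-auth-failure.conf, the next file in this commit.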
@ -0,0 +1,21 @@ |
|||
# Fail2Ban configuration file |
|||
# |
|||
# Author: soapee01 |
|||
# |
|||
|
|||
[Definition] |
|||
|
|||
# Option: failregex |
|||
# Notes.: regex to match the password failures messages in the logfile. The |
|||
# host must be matched by a group named "host". The tag "<HOST>" can |
|||
# be used for standard IP/hostname matching and is only an alias for |
|||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
|||
# Values: TEXT |
|||
# |
|||
failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'.*\' for \[.*\] from ip <HOST> |
|||
|
|||
# Option: ignoreregex |
|||
# Notes.: regex to ignore. If this regex matches, the line is ignored. |
|||
# Values: TEXT |
|||
# |
|||
ignoreregex = |
@ -0,0 +1,145 @@ |
|||
#!/bin/sh |
|||
|
|||
#move to script directory so all relative paths work |
|||
cd "$(dirname "$0")" |
|||
|
|||
#includes |
|||
. ./config.sh |
|||
. ./colors.sh |
|||
|
|||
#database details |
|||
database_username=fusionpbx |
|||
if [ .$database_password = .'random' ]; then |
|||
database_password=$(dd if=/dev/urandom bs=1 count=20 2>/dev/null | base64 | sed 's/[=\+//]//g') |
|||
fi |
|||
|
|||
#allow the script to use the new password |
|||
export PGPASSWORD=$database_password |
|||
|
|||
#update the database password |
|||
#sudo -u postgres psql --host=$database_host --port=$database_port --username=$database_username -c "ALTER USER fusionpbx WITH PASSWORD '$database_password';" |
|||
#sudo -u postgres psql --host=$database_host --port=$database_port --username=$database_username -c "ALTER USER freeswitch WITH PASSWORD '$database_password';" |
|||
sudo -u postgres psql -c "ALTER USER fusionpbx WITH PASSWORD '$database_password';" |
|||
sudo -u postgres psql -c "ALTER USER freeswitch WITH PASSWORD '$database_password';" |
|||
|
|||
#install the database backup |
|||
cp backup/fusionpbx-backup /etc/cron.daily |
|||
cp backup/fusionpbx-maintenance /etc/cron.daily |
|||
chmod 755 /etc/cron.daily/fusionpbx-backup |
|||
chmod 755 /etc/cron.daily/fusionpbx-maintenance |
|||
sed -i "s/zzz/$database_password/g" /etc/cron.daily/fusionpbx-backup |
|||
sed -i "s/zzz/$database_password/g" /etc/cron.daily/fusionpbx-maintenance |
|||
|
|||
#add the config.php |
|||
mkdir -p /etc/fusionpbx |
|||
chown -R www-data:www-data /etc/fusionpbx |
|||
cp fusionpbx/config.php /etc/fusionpbx |
|||
sed -i /etc/fusionpbx/config.php -e s:"{database_host}:$database_host:" |
|||
sed -i /etc/fusionpbx/config.php -e s:'{database_username}:fusionpbx:' |
|||
sed -i /etc/fusionpbx/config.php -e s:"{database_password}:$database_password:" |
|||
|
|||
#add the database schema |
|||
cd /var/www/fusionpbx && php /var/www/fusionpbx/core/upgrade/upgrade_schema.php > /dev/null 2>&1 |
|||
|
|||
#get the server hostname |
|||
if [ .$domain_name = .'hostname' ]; then |
|||
domain_name=$(hostname -f) |
|||
fi |
|||
|
|||
#get the ip address |
|||
if [ .$domain_name = .'ip_address' ]; then |
|||
domain_name=$(hostname -I | cut -d ' ' -f1) |
|||
fi |
|||
|
|||
#get the domain_uuid |
|||
domain_uuid=$(/usr/bin/php /var/www/fusionpbx/resources/uuid.php); |
|||
|
|||
#add the domain name |
|||
psql --host=$database_host --port=$database_port --username=$database_username -c "insert into v_domains (domain_uuid, domain_name, domain_enabled) values('$domain_uuid', '$domain_name', 'true');" |
|||
|
|||
#app defaults |
|||
cd /var/www/fusionpbx && php /var/www/fusionpbx/core/upgrade/upgrade_domains.php |
|||
|
|||
#add the user |
|||
user_uuid=$(/usr/bin/php /var/www/fusionpbx/resources/uuid.php); |
|||
user_salt=$(/usr/bin/php /var/www/fusionpbx/resources/uuid.php); |
|||
user_name=$system_username |
|||
if [ .$system_password = .'random' ]; then |
|||
user_password=$(dd if=/dev/urandom bs=1 count=20 2>/dev/null | base64 | sed 's/[=\+//]//g') |
|||
else |
|||
user_password=$system_password |
|||
fi |
|||
password_hash=$(php -r "echo md5('$user_salt$user_password');"); |
|||
psql --host=$database_host --port=$database_port --username=$database_username -t -c "insert into v_users (user_uuid, domain_uuid, username, password, salt, user_enabled) values('$user_uuid', '$domain_uuid', '$user_name', '$password_hash', '$user_salt', 'true');" |
|||
|
|||
#get the superadmin group_uuid |
|||
#echo "psql --host=$database_host --port=$database_port --username=$database_username -qtAX -c \"select group_uuid from v_groups where group_name = 'superadmin';\"" |
|||
group_uuid=$(psql --host=$database_host --port=$database_port --username=$database_username -qtAX -c "select group_uuid from v_groups where group_name = 'superadmin';"); |
|||
|
|||
#add the user to the group |
|||
user_group_uuid=$(/usr/bin/php /var/www/fusionpbx/resources/uuid.php); |
|||
group_name=superadmin |
|||
#echo "insert into v_user_groups (user_group_uuid, domain_uuid, group_name, group_uuid, user_uuid) values('$user_group_uuid', '$domain_uuid', '$group_name', '$group_uuid', '$user_uuid');" |
|||
psql --host=$database_host --port=$database_port --username=$database_username -c "insert into v_user_groups (user_group_uuid, domain_uuid, group_name, group_uuid, user_uuid) values('$user_group_uuid', '$domain_uuid', '$group_name', '$group_uuid', '$user_uuid');" |
|||
|
|||
#update xml_cdr url, user and password |
|||
xml_cdr_username=$(dd if=/dev/urandom bs=1 count=20 2>/dev/null | base64 | sed 's/[=\+//]//g') |
|||
xml_cdr_password=$(dd if=/dev/urandom bs=1 count=20 2>/dev/null | base64 | sed 's/[=\+//]//g') |
|||
sed -i /etc/freeswitch/autoload_configs/xml_cdr.conf.xml -e s:"{v_http_protocol}:http:" |
|||
sed -i /etc/freeswitch/autoload_configs/xml_cdr.conf.xml -e s:"{domain_name}:$database_host:" |
|||
sed -i /etc/freeswitch/autoload_configs/xml_cdr.conf.xml -e s:"{v_project_path}::" |
|||
sed -i /etc/freeswitch/autoload_configs/xml_cdr.conf.xml -e s:"{v_user}:$xml_cdr_username:" |
|||
sed -i /etc/freeswitch/autoload_configs/xml_cdr.conf.xml -e s:"{v_pass}:$xml_cdr_password:" |
|||
|
|||
#app defaults |
|||
cd /var/www/fusionpbx && php /var/www/fusionpbx/core/upgrade/upgrade.php |
|||
|
|||
#restart freeswitch |
|||
/bin/systemctl daemon-reload |
|||
/bin/systemctl restart freeswitch |
|||
|
|||
#install the email_queue service |
|||
cp /var/www/fusionpbx/app/email_queue/resources/service/debian.service /etc/systemd/system/email_queue.service |
|||
systemctl enable email_queue |
|||
systemctl start email_queue |
|||
systemctl daemon-reload |
|||
|
|||
#install the event_guard service |
|||
cp /var/www/fusionpbx/app/event_guard/resources/service/debian.service /etc/systemd/system/event_guard.service |
|||
/bin/systemctl enable event_guard |
|||
/bin/systemctl start event_guard |
|||
/bin/systemctl daemon-reload |
|||
|
|||
#welcome message |
|||
echo "" |
|||
echo "" |
|||
verbose "Installation Notes. " |
|||
echo "" |
|||
echo " Please save the this information and reboot this system to complete the install. " |
|||
echo "" |
|||
echo " Use a web browser to login." |
|||
echo " domain name: https://$domain_name" |
|||
echo " username: $user_name" |
|||
echo " password: $user_password" |
|||
echo "" |
|||
echo " The domain name in the browser is used by default as part of the authentication." |
|||
echo " If you need to login to a different domain then use username@domain." |
|||
echo " username: $user_name@$domain_name"; |
|||
echo "" |
|||
echo " Official FusionPBX Training" |
|||
echo " Fastest way to learn FusionPBX. For more information https://www.fusionpbx.com." |
|||
echo " Available online and in person. Includes documentation and recording." |
|||
echo "" |
|||
echo " Location: Online" |
|||
echo " Admin Training: TBA" |
|||
echo " Advanced Training: TBA" |
|||
echo " Continuing Education: https://www.fusionpbx.com/training" |
|||
echo " Timezone: https://www.timeanddate.com/weather/usa/idaho" |
|||
echo "" |
|||
echo " Additional information." |
|||
echo " https://fusionpbx.com/members.php" |
|||
echo " https://fusionpbx.com/training.php" |
|||
echo " https://fusionpbx.com/support.php" |
|||
echo " https://www.fusionpbx.com" |
|||
echo " http://docs.fusionpbx.com" |
|||
echo "" |
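Review bot: The database password is written into two scripts that were just made world-readable: `chmod 755` on `/etc/cron.daily/fusionpbx-backup` and `fusionpbx-maintenance` is followed by `sed -i "s/zzz/$database_password/g"`, so any local user can read it. Use `chmod 700 /etc/cron.daily/fusionpbx-backup /etc/cron.daily/fusionpbx-maintenance` instead. `/etc/fusionpbx/config.php` has the same exposure, because `chown -R www-data:www-data /etc/fusionpbx` runs before the `cp` and the copied file stays root-owned with the default mode; move the `chown` after the `cp` and add `chmod 640 /etc/fusionpbx/config.php`. Separately, a password set by hand in config.sh that contains `/`, `:`, `&` or `'` breaks the `sed` and `psql -c` lines, since only the randomly generated value avoids those characters.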
@ -0,0 +1,35 @@ |
|||
#!/bin/sh |
|||
|
|||
#move to script directory so all relative paths work |
|||
cd "$(dirname "$0")" |
|||
|
|||
#includes |
|||
. ./config.sh |
|||
. ./colors.sh |
|||
|
|||
#send a message |
|||
verbose "Installing FusionPBX" |
|||
|
|||
#install dependencies |
|||
apt-get install -y vim git dbus haveged ssl-cert qrencode |
|||
apt-get install -y ghostscript libtiff5-dev libtiff-tools at |
|||
|
|||
#get the branch |
|||
if [ .$system_branch = .'master' ]; then |
|||
verbose "Using master" |
|||
branch="" |
|||
else |
|||
system_major=$(git ls-remote --heads https://github.com/fusionpbx/fusionpbx.git | cut -d/ -f 3 | grep -P '^\d+\.\d+' | sort | tail -n 1 | cut -d. -f1) |
|||
system_minor=$(git ls-remote --tags https://github.com/fusionpbx/fusionpbx.git $system_major.* | cut -d/ -f3 | grep -P '^\d+\.\d+' | sort | tail -n 1 | cut -d. -f2) |
|||
system_version=$system_major.$system_minor |
|||
verbose "Using version $system_version" |
|||
branch="-b $system_version" |
|||
fi |
|||
|
|||
#add the cache directory |
|||
mkdir -p /var/cache/fusionpbx |
|||
chown -R www-data:www-data /var/cache/fusionpbx |
|||
|
|||
#get the source code |
|||
git clone $branch https://github.com/fusionpbx/fusionpbx.git /var/www/fusionpbx |
|||
chown -R www-data:www-data /var/www/fusionpbx |
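Review bot: The release detection sorts version strings lexically (`sort | tail -n 1`), so `4.4` sorts after `4.10` and the installer can select an older release branch than the newest one, which may lack later security fixes. Use `sort -V` in both pipelines, and quote the tag pattern as `"$system_major.*"` so the shell cannot expand it against files in the current directory. If either `git ls-remote` call fails, `system_version` becomes `.` and the error only surfaces at `git clone`; checking that both parts are non-empty first would give a clearer failure.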
@ -0,0 +1,47 @@ |
|||
<?php |
|||
/* |
|||
FusionPBX |
|||
Version: MPL 1.1 |
|||
|
|||
The contents of this file are subject to the Mozilla Public License Version |
|||
1.1 (the "License"); you may not use this file except in compliance with |
|||
the License. You may obtain a copy of the License at |
|||
http://www.mozilla.org/MPL/ |
|||
|
|||
Software distributed under the License is distributed on an "AS IS" basis, |
|||
WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License |
|||
for the specific language governing rights and limitations under the |
|||
License. |
|||
|
|||
The Original Code is FusionPBX |
|||
|
|||
The Initial Developer of the Original Code is |
|||
Mark J Crane <markjcrane@fusionpbx.com> |
|||
Portions created by the Initial Developer are Copyright (C) 2008-2016 |
|||
the Initial Developer. All Rights Reserved. |
|||
|
|||
Contributor(s): |
|||
Mark J Crane <markjcrane@fusionpbx.com> |
|||
*/ |
|||
|
|||
//set the database type
|
|||
$db_type = 'pgsql'; //sqlite, mysql, pgsql, others with a manually created PDO connection
|
|||
|
|||
//sqlite: the db_name and db_path are automatically assigned however the values can be overidden by setting the values here.
|
|||
//$db_name = 'fusionpbx.db'; //host name/ip address + '.db' is the default database filename
|
|||
//$db_path = '/var/www/fusionpbx/secure'; //the path is determined by a php variable
|
|||
|
|||
//pgsql: database connection information
|
|||
$db_host = '{database_host}'; |
|||
$db_port = '5432'; |
|||
$db_name = 'fusionpbx'; |
|||
$db_username = '{database_username}'; |
|||
$db_password = '{database_password}'; |
|||
|
|||
//show errors
|
|||
ini_set('display_errors', '1'); |
|||
//error_reporting (E_ALL); // Report everything
|
|||
//error_reporting (E_ALL ^ E_NOTICE); // hide notices
|
|||
error_reporting(E_ALL ^ E_NOTICE ^ E_WARNING ); //hide notices and warnings
|
|||
|
|||
?>
|
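Review bot: `ini_set('display_errors', '1');` ships in the installed production config, so PHP errors, which can include file paths and SQL fragments, are rendered to any visitor. For an installer default prefer `ini_set('display_errors', '0');` together with `ini_set('log_errors', '1');`. The display setting can stay as a commented-out debugging option, like the `error_reporting` alternatives next to it.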
@ -0,0 +1,126 @@ |
|||
#!/bin/sh |
|||
|
|||
#move to script directory so all relative paths work |
|||
cd "$(dirname "$0")" |
|||
|
|||
#includes |
|||
. ./config.sh |
|||
. ./colors.sh |
|||
. ./environment.sh |
|||
|
|||
#show cpu details |
|||
echo "cpu architecture: $cpu_architecture" |
|||
echo "cpu name: $cpu_name" |
|||
|
|||
#make sure unzip is install |
|||
apt-get install -y unzip |
|||
|
|||
#remove the ioncube directory if it exists |
|||
if [ -d "ioncube" ]; then |
|||
rm -Rf ioncube; |
|||
fi |
|||
|
|||
#get the ioncube load and unzip it |
|||
if [ .$cpu_architecture = .'x86' ]; then |
|||
#get the ioncube 64 bit loader |
|||
wget --no-check-certificate https://downloads.ioncube.com/loader_downloads/ioncube_loaders_lin_x86-64.zip |
|||
|
|||
#uncompress the file |
|||
unzip ioncube_loaders_lin_x86-64.zip |
|||
|
|||
#remove the zip file |
|||
rm ioncube_loaders_lin_x86-64.zip |
|||
elif [ .$cpu_architecture = ."arm" ]; then |
|||
if [ .$cpu_name = .'armv7l' ]; then |
|||
#get the ioncube 64 bit loader |
|||
wget --no-check-certificate https://downloads.ioncube.com/loader_downloads/ioncube_loaders_lin_armv7l.zip |
|||
|
|||
#uncompress the file |
|||
unzip ioncube_loaders_lin_armv7l.zip |
|||
|
|||
#remove the zip file |
|||
rm ioncube_loaders_lin_armv7l.zip |
|||
fi |
|||
fi |
|||
|
|||
#set the version of php |
|||
if [ ."$os_codename" = ."bullseye" ]; then |
|||
php_version=7.4 |
|||
fi |
|||
if [ ."$os_codename" = ."buster" ]; then |
|||
php_version=7.3 |
|||
fi |
|||
if [ ."$os_codename" = ."stretch" ]; then |
|||
php_version=7.1 |
|||
fi |
|||
if [ ."$os_codename" = ."jessie" ]; then |
|||
php_version=7.1 |
|||
fi |
|||
|
|||
#copy the loader to the correct directory |
|||
if [ ."$php_version" = ."5.6" ]; then |
|||
#copy the php extension .so into the php lib directory |
|||
cp ioncube/ioncube_loader_lin_5.6.so /usr/lib/php5/20131226 |
|||
|
|||
#add the 00-ioncube.ini file |
|||
echo "zend_extension = /usr/lib/php5/20131226/ioncube_loader_lin_5.6.so" > /etc/php5/fpm/conf.d/00-ioncube.ini |
|||
echo "zend_extension = /usr/lib/php5/20131226/ioncube_loader_lin_5.6.so" > /etc/php5/cli/conf.d/00-ioncube.ini |
|||
|
|||
#restart the service |
|||
service php5-fpm restart |
|||
fi |
|||
if [ ."$php_version" = ."7.0" ]; then |
|||
#copy the php extension .so into the php lib directory |
|||
cp ioncube/ioncube_loader_lin_7.0.so /usr/lib/php/20151012 |
|||
|
|||
#add the 00-ioncube.ini file |
|||
echo "zend_extension = /usr/lib/php/20151012/ioncube_loader_lin_7.0.so" > /etc/php/7.0/fpm/conf.d/00-ioncube.ini |
|||
echo "zend_extension = /usr/lib/php/20151012/ioncube_loader_lin_7.0.so" > /etc/php/7.0/cli/conf.d/00-ioncube.ini |
|||
|
|||
#restart the service |
|||
service php7.0-fpm restart |
|||
fi |
|||
if [ ."$php_version" = ."7.1" ]; then |
|||
#copy the php extension .so into the php lib directory |
|||
cp ioncube/ioncube_loader_lin_7.1.so /usr/lib/php/20160303 |
|||
|
|||
#add the 00-ioncube.ini file |
|||
echo "zend_extension = /usr/lib/php/20160303/ioncube_loader_lin_7.1.so" > /etc/php/7.1/fpm/conf.d/00-ioncube.ini |
|||
echo "zend_extension = /usr/lib/php/20160303/ioncube_loader_lin_7.1.so" > /etc/php/7.1/cli/conf.d/00-ioncube.ini |
|||
|
|||
#restart the service |
|||
service php7.1-fpm restart |
|||
fi |
|||
if [ ."$php_version" = ."7.2" ]; then |
|||
#copy the php extension .so into the php lib directory |
|||
cp ioncube/ioncube_loader_lin_7.2.so /usr/lib/php/20170718 |
|||
|
|||
#add the 00-ioncube.ini file |
|||
echo "zend_extension = /usr/lib/php/20170718/ioncube_loader_lin_7.2.so" > /etc/php/7.2/fpm/conf.d/00-ioncube.ini |
|||
echo "zend_extension = /usr/lib/php/20170718/ioncube_loader_lin_7.2.so" > /etc/php/7.2/cli/conf.d/00-ioncube.ini |
|||
|
|||
#restart the service |
|||
service php7.2-fpm restart |
|||
fi |
|||
if [ ."$php_version" = ."7.3" ]; then |
|||
#copy the php extension .so into the php lib directory |
|||
cp ioncube/ioncube_loader_lin_7.3.so /usr/lib/php/20180731 |
|||
|
|||
#add the 00-ioncube.ini file |
|||
echo "zend_extension = /usr/lib/php/20180731/ioncube_loader_lin_7.3.so" > /etc/php/7.3/fpm/conf.d/00-ioncube.ini |
|||
echo "zend_extension = /usr/lib/php/20180731/ioncube_loader_lin_7.3.so" > /etc/php/7.3/cli/conf.d/00-ioncube.ini |
|||
|
|||
#restart the service |
|||
service php7.3-fpm restart |
|||
fi |
|||
if [ ."$php_version" = ."7.4" ]; then |
|||
#copy the php extension .so into the php lib directory |
|||
cp ioncube/ioncube_loader_lin_7.4.so /usr/lib/php/20190902 |
|||
|
|||
#add the 00-ioncube.ini file |
|||
echo "zend_extension = /usr/lib/php/20190902/ioncube_loader_lin_7.4.so" > /etc/php/7.4/fpm/conf.d/00-ioncube.ini |
|||
echo "zend_extension = /usr/lib/php/20190902/ioncube_loader_lin_7.4.so" > /etc/php/7.4/cli/conf.d/00-ioncube.ini |
|||
|
|||
#restart the service |
|||
service php7.4-fpm restart |
|||
fi |
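Review bot: Both `wget` calls pass `--no-check-certificate`, which turns off TLS verification for an archive whose `.so` is then loaded into PHP as a `zend_extension`, so nothing authenticates the binary that ends up running inside every PHP process. Drop the flag (`wget https://downloads.ioncube.com/loader_downloads/ioncube_loaders_lin_x86-64.zip`, and the same for the armv7l line), install `ca-certificates` if that was the reason for it, and compare the download against a checksum recorded in the repository before `unzip`. The script also carries on when nothing was fetched (unsupported architecture or failed download), so the later `cp` fails without stopping the install. The comment on the armv7l branch still says "64 bit loader".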
@ -0,0 +1,68 @@ |
|||
#!/bin/sh |
|||
|
|||
#move to script directory so all relative paths work |
|||
cd "$(dirname "$0")" |
|||
|
|||
|
|||
#add the includes |
|||
. ./config.sh |
|||
. ./colors.sh |
|||
. ./environment.sh |
|||
|
|||
#send a message |
|||
verbose "Configuring IPTables" |
|||
|
|||
#defaults to nftables by default this enables iptables |
|||
if [ ."$os_codename" = ."buster" ]; then |
|||
update-alternatives --set iptables /usr/sbin/iptables-legacy |
|||
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy |
|||
fi |
|||
if [ ."$os_codename" = ."bullseye" ]; then |
|||
apt-get install -y iptables |
|||
update-alternatives --set iptables /usr/sbin/iptables-legacy |
|||
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy |
|||
fi |
|||
|
|||
#remove ufw |
|||
ufw reset |
|||
ufw disable |
|||
apt-get remove -y ufw |
|||
#apt-get purge ufw |
|||
|
|||
#run iptables commands |
|||
iptables -A INPUT -i lo -j ACCEPT |
|||
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
|||
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --icase |
|||
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --icase |
|||
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "sipcli/" --algo bm --icase |
|||
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "sipcli/" --algo bm --icase |
|||
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --icase |
|||
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --icase |
|||
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "pplsip" --algo bm --icase |
|||
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "pplsip" --algo bm --icase |
|||
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "system " --algo bm --icase |
|||
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "system " --algo bm --icase |
|||
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "exec." --algo bm --icase |
|||
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "exec." --algo bm --icase |
|||
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --icase |
|||
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --icase |
|||
iptables -A INPUT -p tcp --dport 22 -j ACCEPT |
|||
iptables -A INPUT -p tcp --dport 80 -j ACCEPT |
|||
iptables -A INPUT -p tcp --dport 443 -j ACCEPT |
|||
iptables -A INPUT -p tcp --dport 7443 -j ACCEPT |
|||
iptables -A INPUT -p tcp --dport 5060:5091 -j ACCEPT |
|||
iptables -A INPUT -p udp --dport 5060:5091 -j ACCEPT |
|||
iptables -A INPUT -p udp --dport 16384:32768 -j ACCEPT |
|||
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT |
|||
iptables -A INPUT -p udp --dport 1194 -j ACCEPT |
|||
iptables -t mangle -A OUTPUT -p udp -m udp --sport 16384:32768 -j DSCP --set-dscp 46 |
|||
iptables -t mangle -A OUTPUT -p udp -m udp --sport 5060:5091 -j DSCP --set-dscp 26 |
|||
iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 5060:5091 -j DSCP --set-dscp 26 |
|||
iptables -P INPUT DROP |
|||
iptables -P FORWARD DROP |
|||
iptables -P OUTPUT ACCEPT |
|||
|
|||
#answer the questions for iptables persistent |
|||
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections |
|||
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections |
|||
apt-get install -y iptables-persistent |
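Review bot: Only IPv4 is filtered: every rule and the `DROP` policies use `iptables`, while `ip6tables` is switched to legacy and `autosave_v6` is enabled but no IPv6 rule is added, so on a host with a routable IPv6 address the services are reachable unfiltered over IPv6 and that open state is what gets persisted. Mirror the INPUT rules with `ip6tables` before `iptables-persistent` is installed, keeping ICMPv6 allowed for neighbour discovery; the string-match drops would need the same treatment. The rules are also appended with `-A`, so re-running the script duplicates them, and `ufw reset` prompts for confirmation unless called as `ufw --force reset`.

```shell
# … unchanged: IPv4 rules and policies …
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -p tcp -m multiport --dports 22,80,443,7443,5060:5091 -j ACCEPT
ip6tables -A INPUT -p udp -m multiport --dports 1194,5060:5091,16384:32768 -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
# … unchanged: iptables-persistent selections and install …
```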
@ -0,0 +1,130 @@ |
|||
#!/bin/sh |
|||
|
|||
# FusionPBX - Install |
|||
# Mark J Crane <markjcrane@fusionpbx.com> |
|||
# Copyright (C) 2018 |
|||
# All Rights Reserved. |
|||
|
|||
#move to script directory so all relative paths work |
|||
cd "$(dirname "$0")" |
|||
|
|||
#includes |
|||
. ./config.sh |
|||
|
|||
#Add dependencies |
|||
apt-get install -y curl |
|||
|
|||
#remove dehyrdated letsencrypt script |
|||
rm /usr/local/sbin/dehydrated |
|||
rm -R /usr/src/dehydrated |
|||
#rm -R /etc/dehydrated/ |
|||
#rm -R /usr/src/dns-01-manual |
|||
#rm -R /var/www/dehydrated |
|||
|
|||
#request the domain name, email address and wild card domain |
|||
read -p 'Domain Name: ' domain_name |
|||
read -p 'Email Address: ' email_address |
|||
|
|||
#get and install dehydrated |
|||
cd /usr/src && git clone https://github.com/lukas2511/dehydrated.git |
|||
cd /usr/src/dehydrated |
|||
cp dehydrated /usr/local/sbin |
|||
mkdir -p /var/www/dehydrated |
|||
mkdir -p /etc/dehydrated/certs |
|||
|
|||
#wildcard detection |
|||
wildcard_domain=$(echo $domain_name | cut -c1-1) |
|||
if [ "$wildcard_domain" = "*" ]; then |
|||
wildcard_domain="true" |
|||
else |
|||
wildcard_domain="false" |
|||
fi |
|||
|
|||
#remove the wildcard and period |
|||
if [ .$wildcard_domain = ."true" ]; then |
|||
domain_name=$(echo "$domain_name" | cut -c3-255) |
|||
fi |
|||
|
|||
#manual dns hook |
|||
if [ .$wildcard_domain = ."true" ]; then |
|||
cd /usr/src |
|||
git clone https://github.com/gheja/dns-01-manual.git |
|||
cd /usr/src/dns-01-manual/ |
|||
cp hook.sh /etc/dehydrated/hook.sh |
|||
chmod 755 /etc/dehydrated/hook.sh |
|||
fi |
|||
|
|||
#copy config and hook.sh into /etc/dehydrated |
|||
cd /usr/src/dehydrated |
|||
cp docs/examples/config /etc/dehydrated |
|||
#cp docs/examples/hook.sh /etc/dehydrated |
|||
|
|||
#update the dehydrated config |
|||
#sed "s#CONTACT_EMAIL=#CONTACT_EMAIL=$email_address" -i /etc/dehydrated/config |
|||
sed -i 's/#CONTACT_EMAIL=/CONTACT_EMAIL="'"$email_address"'"/g' /etc/dehydrated/config |
|||
sed -i 's/#WELLKNOWN=/WELLKNOWN=/g' /etc/dehydrated/config |
|||
|
|||
#accept the terms |
|||
./dehydrated --register --accept-terms --config /etc/dehydrated/config |
|||
|
|||
#set the domain alias |
|||
domain_alias=$(echo "$domain_name" | head -n1 | cut -d " " -f1) |
|||
|
|||
#create an alias when using wildcard dns |
|||
if [ .$wildcard_domain = ."true" ]; then |
|||
echo "*.$domain_name > $domain_name" > /etc/dehydrated/domains.txt |
|||
fi |
|||
|
|||
#add the domain name to domains.txt |
|||
if [ .$wildcard_domain = ."false" ]; then |
|||
echo "$domain_name" > /etc/dehydrated/domains.txt |
|||
fi |
|||
|
|||
#request the certificates |
|||
if [ .$wildcard_domain = ."true" ]; then |
|||
./dehydrated --cron --domain *.$domain_name --preferred-chain "ISRG Root X1" --algo rsa --alias $domain_alias --config /etc/dehydrated/config --out /etc/dehydrated/certs --challenge dns-01 --hook /etc/dehydrated/hook.sh |
|||
fi |
|||
if [ .$wildcard_domain = ."false" ]; then |
|||
./dehydrated --cron --alias $domain_alias --preferred-chain "ISRG Root X1" --algo rsa --config /etc/dehydrated/config --config /etc/dehydrated/config --out /etc/dehydrated/certs --challenge http-01 |
|||
fi |
|||
|
|||
#make sure the nginx ssl directory exists |
|||
mkdir -p /etc/nginx/ssl |
|||
|
|||
#update nginx config |
|||
sed "s@ssl_certificate[ \t]*/etc/ssl/certs/nginx.crt;@ssl_certificate /etc/dehydrated/certs/$domain_alias/fullchain.pem;@g" -i /etc/nginx/sites-available/fusionpbx |
|||
sed "s@ssl_certificate_key[ \t]*/etc/ssl/private/nginx.key;@ssl_certificate_key /etc/dehydrated/certs/$domain_alias/privkey.pem;@g" -i /etc/nginx/sites-available/fusionpbx |
|||
|
|||
#read the config |
|||
/usr/sbin/nginx -t && /usr/sbin/nginx -s reload |
|||
|
|||
#setup freeswitch tls |
|||
if [ .$switch_tls = ."true" ]; then |
|||
|
|||
#make sure the freeswitch directory exists |
|||
mkdir -p /etc/freeswitch/tls |
|||
|
|||
#make sure the freeswitch certificate directory is empty |
|||
rm /etc/freeswitch/tls/* |
|||
|
|||
#combine the certs into all.pem |
|||
cat /etc/dehydrated/certs/$domain_alias/fullchain.pem > /etc/freeswitch/tls/all.pem |
|||
cat /etc/dehydrated/certs/$domain_alias/privkey.pem >> /etc/freeswitch/tls/all.pem |
|||
#cat /etc/dehydrated/certs/$domain_alias/chain.pem >> /etc/freeswitch/tls/all.pem |
|||
|
|||
#copy the certificates |
|||
cp /etc/dehydrated/certs/$domain_alias/cert.pem /etc/freeswitch/tls |
|||
cp /etc/dehydrated/certs/$domain_alias/chain.pem /etc/freeswitch/tls |
|||
cp /etc/dehydrated/certs/$domain_alias/fullchain.pem /etc/freeswitch/tls |
|||
cp /etc/dehydrated/certs/$domain_alias/privkey.pem /etc/freeswitch/tls |
|||
|
|||
#add symbolic links |
|||
ln -s /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/agent.pem |
|||
ln -s /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/tls.pem |
|||
ln -s /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/wss.pem |
|||
ln -s /etc/freeswitch/tls/all.pem /etc/freeswitch/tls/dtls-srtp.pem |
|||
|
|||
#set the permissions |
|||
chown -R www-data:www-data /etc/freeswitch/tls |
|||
|
|||
fi |
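Review bot: `all.pem` is created by shell redirection (`cat … > /etc/freeswitch/tls/all.pem`), so under the usual 022 umask the file holding the private key is world-readable, and the `chown -R www-data:www-data` at the end does not change its mode. Add `chmod 600 /etc/freeswitch/tls/*.pem` after the `chown`, or set `umask 077` before the TLS block. Two further points in this file: `dehydrated` and the `dns-01-manual` hook are cloned from the default branch and then run as root, so pinning each clone to a reviewed tag or commit would make the install reproducible and auditable. `--domain *.$domain_name` is unquoted and may be globbed by the shell; write `--domain "*.$domain_name"`.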
@ -0,0 +1,22 @@ |
|||
# the domain we want to get the cert for; |
|||
# technically it's possible to have multiple of this lines, but it only worked |
|||
# with one domain for me, another one only got one cert, so I would recommend |
|||
# separate config files per domain. |
|||
domains = {domain_name} |
|||
|
|||
# increase key size |
|||
rsa-key-size = 2048 # Or 4096 |
|||
|
|||
# the current closed beta (as of 2015-Nov-07) is using this server |
|||
server = https://acme-v01.api.letsencrypt.org/directory |
|||
|
|||
# this address will receive renewal reminders |
|||
email = {email_address} |
|||
|
|||
# turn off the ncurses UI, we want this to be run as a cronjob |
|||
text = True |
|||
|
|||
# authenticate by placing a file in the webroot (under .well-known/acme-challenge/) |
|||
# and then letting LE fetch it |
|||
authenticator = webroot |
|||
webroot-path = /var/www/letsencrypt/ |
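Review bot: `server` points at the ACME v1 endpoint (`acme-v01.api.letsencrypt.org`), which Let's Encrypt has retired, and the comment above it still describes the 2015 closed beta. If this template is still used (letsencrypt.sh in this commit drives dehydrated and does not appear to read it), set `server = https://acme-v02.api.letsencrypt.org/directory` and update the comment. Otherwise consider dropping the file so nobody copies a dead endpoint.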
@ -0,0 +1,19 @@ |
|||
#!/bin/sh |
|||
|
|||
#move to script directory so all relative paths work |
|||
cd "$(dirname "$0")" |
|||
|
|||
#includes |
|||
. ./config.sh |
|||
|
|||
#install monit |
|||
apt-get install -y monit |
|||
|
|||
#make the monit shell script executable |
|||
chmod 755 monit/shell.sh |
|||
|
|||
#copy the freeswitch monit config |
|||
cp monit/freeswitch /etc/monit/conf.d |
|||
|
|||
#restart monit |
|||
service monit restart |
@ -0,0 +1,3 @@ |
|||
check process freeswitch with pidfile /run/freeswitch/freeswitch.pid |
|||
start program = "/usr/src/fusionpbx-install.sh/debian/resources/monit/./shell.sh" |
|||
stop program = "/usr/bin/freeswitch -stop" |
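Review bot: `start program` points at a script inside a source checkout, `/usr/src/fusionpbx-install.sh/debian/resources/monit/./shell.sh`, which monit will run as root; that only works if the installer was cloned to exactly that path, and this commit adds the files under `Install_Scripts/debian/`. Have monit.sh copy `shell.sh` to a root-owned location and reference that instead, e.g. `start program = "/usr/local/sbin/freeswitch-monit-start.sh"` (the file name is only a suggestion). That way the root-run script neither depends on nor lives in a working tree that someone may later edit or delete.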
@ -0,0 +1,5 @@ |
|||
#!/bin/sh |
|||
|
|||
mkdir -p /var/run/freeswitch |
|||
chown -R www-data:www-data /var/run/freeswitch |
|||
/usr/bin/freeswitch -nc -u www-data -g www-data -nonat |
@ -0,0 +1,30 @@ |
|||
#!/bin/sh |
|||
|
|||
#move to script directory so all relative paths work |
|||
cd "$(dirname "$0")" |
|||
|
|||
#add the includes |
|||
. ./config.sh |
|||
. ./colors.sh |
|||
. ./environment.sh |
|||
|
|||
#send a message |
|||
verbose "Configuring nftables" |
|||
|
|||
#run iptables commands |
|||
nft add rule ip filter INPUT iifname "lo" counter accept |
|||
nft add rule ip filter INPUT ct state related,established counter accept |
|||
nft add rule ip filter INPUT tcp dport 22 counter accept |
|||
nft add rule ip filter INPUT tcp dport 80 counter accept |
|||
nft add rule ip filter INPUT tcp dport 443 counter accept |
|||
nft add rule ip filter INPUT tcp dport 7443 counter accept |
|||
nft add rule ip filter INPUT tcp dport 5060-5091 counter accept |
|||
nft add rule ip filter INPUT udp dport 5060-5091 counter accept |
|||
nft add rule ip filter INPUT udp dport 16384-32768 counter accept |
|||
nft add rule ip filter INPUT icmp type echo-request counter accept |
|||
nft add rule ip filter INPUT udp dport 1194 counter accept |
|||
nft add rule ip mangle OUTPUT udp sport 16384-32768 counter ip dscp set 0x2e |
|||
nft add rule ip mangle OUTPUT tcp sport 5060-5091 counter ip dscp set 0x1a |
|||
nft add rule ip mangle OUTPUT udp sport 5060-5091 counter ip dscp set 0x1a |
|||
|
|||
|
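Review bot: This script only adds accept rules: it never creates the `ip filter` table or the `INPUT` base chain and never sets a drop policy, so on a fresh nftables host the `nft add rule` calls fail, and where the chain already exists with policy accept the rules filter nothing. iptables.sh ends with `iptables -P INPUT DROP`; the equivalent here is to create the table and chain first, e.g. `nft add table ip filter` and `nft add chain ip filter INPUT '{ type filter hook input priority 0; policy drop; }'`, and likewise for the `ip mangle` `OUTPUT` chain. Loading the whole ruleset from one file with `nft -f` applies it atomically and avoids cutting off the SSH session part-way through. The SIP scanner drops from iptables.sh and rule persistence are also missing, and the comment "run iptables commands" should say nftables.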
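--- a/Install_Scripts/debian/resources/nginx.sh
+++ b/Install_Scripts/debian/resources/nginx.sh
@@ -0,0 +1,84 @@
+#!/bin/sh
+
+#move to script directory so all relative paths work
+cd "$(dirname "$0")"
+
+#includes
+. ./config.sh
+. ./colors.sh
+. ./environment.sh
+
+#send a message
+verbose "Installing the web server"
+
+#change the version of php for arm
+if [ ."$cpu_architecture" = ."arm" ]; then
+#Pi2 and Pi3 Raspbian
+#Odroid
+if [ ."$os_codename" = ."stretch" ]; then
+php_version=7.2
+else
+php_version=5.6
+fi
+fi
+
+#set the version of php
+if [ ."$os_codename" = ."bullseye" ]; then
+php_version=7.4
+fi
+if [ ."$os_codename" = ."buster" ]; then
+php_version=7.3
+fi
+if [ ."$os_codename" = ."stretch" ]; then
+php_version=7.1
+fi
+if [ ."$os_codename" = ."jessie" ]; then
+php_version=7.1
+fi
+
+#enable fusionpbx nginx config
+cp nginx/fusionpbx /etc/nginx/sites-available/fusionpbx
+
+#prepare socket name
+if [ ."$php_version" = ."5.6" ]; then
+sed -i /etc/nginx/sites-available/fusionpbx -e 's#unix:.*;#unix:/var/run/php5-fpm.sock;#g'
+fi
+if [ ."$php_version" = ."7.0" ]; then
+sed -i /etc/nginx/sites-available/fusionpbx -e 's#unix:.*;#unix:/var/run/php/php7.0-fpm.sock;#g'
+fi
+if [ ."$php_version" = ."7.1" ]; then
+sed -i /etc/nginx/sites-available/fusionpbx -e 's#unix:.*;#unix:/var/run/php/php7.1-fpm.sock;#g'
+fi
+if [ ."$php_version" = ."7.2" ]; then
+sed -i /etc/nginx/sites-available/fusionpbx -e 's#unix:.*;#unix:/var/run/php/php7.2-fpm.sock;#g'
+fi
+if [ ."$php_version" = ."7.3" ]; then
+sed -i /etc/nginx/sites-available/fusionpbx -e 's#unix:.*;#unix:/var/run/php/php7.3-fpm.sock;#g'
+fi
+if [ ."$php_version" = ."7.4" ]; then
+sed -i /etc/nginx/sites-available/fusionpbx -e 's#unix:.*;#unix:/var/run/php/php7.4-fpm.sock;#g'
+fi
+ln -s /etc/nginx/sites-available/fusionpbx /etc/nginx/sites-enabled/fusionpbx
+
+#self signed certificate
+ln -s /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/nginx.key
+ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/nginx.crt
+
+#remove the default site
+rm /etc/nginx/sites-enabled/default
+
+#update config if LetsEncrypt folder is unwanted
+# if [ .$letsencrypt_folder = .false ]; then
+# sed -i '151,155d' /etc/nginx/sites-available/fusionpbx
+# fi
+
+#add the letsencrypt directory
+if [ .$letsencrypt_folder = .true ]; then
+mkdir -p /var/www/letsencrypt/
+fi
+
+#flush systemd cache
+systemctl daemon-reload
+
+#restart nginx
+service nginx restart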
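Review bot: The ARM override at the top is overwritten by the codename checks that follow it: on ARM with `stretch` the script sets `php_version=7.2` and the later `stretch` test resets it to 7.1, and on ARM with `jessie` the 5.6 choice is likewise replaced by 7.1, so the socket path sed writes may not match the PHP-FPM that was installed (php.sh is not visible here, so confirm which version it installs). Moving the ARM block after the codename blocks, or folding both into one `case "$os_codename"` statement, would make the intended precedence explicit. Separately, `cd "$(dirname "$0")"` is unchecked before three relative `.` includes in a script that writes under /etc; `cd "$(dirname "$0")" || exit 1` keeps it from sourcing files out of an unexpected working directory. The `ln -s` and `rm` calls fail when the script is run a second time; `ln -sf` and `rm -f` would make it re-runnable, and `.$letsencrypt_folder` should be quoted like the other tests.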
@ -0,0 +1,305 @@ |
|||
|
|||
server { |
|||
listen 127.0.0.1:80; |
|||
server_name 127.0.0.1; |
|||
access_log /var/log/nginx/access.log; |
|||
error_log /var/log/nginx/error.log; |
|||
|
|||
client_max_body_size 80M; |
|||
client_body_buffer_size 128k; |
|||
|
|||
location / { |
|||
root /var/www/fusionpbx; |
|||
index index.php; |
|||
} |
|||
|
|||
location ~ \.php$ { |
|||
fastcgi_pass unix:/var/run/php/php7.1-fpm.sock; |
|||
#fastcgi_pass 127.0.0.1:9000; |
|||
fastcgi_index index.php; |
|||
include fastcgi_params; |
|||
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; |
|||
} |
|||
|
|||
# Allow the upgrade routines to run longer than normal |
|||
location = /core/upgrade/index.php { |
|||
fastcgi_pass unix:/var/run/php/php7.1-fpm.sock; |
|||
#fastcgi_pass 127.0.0.1:9000; |
|||
fastcgi_index index.php; |
|||
include fastcgi_params; |
|||
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name; |
|||
fastcgi_read_timeout 15m; |
|||
} |
|||
|
|||
# Disable viewing .htaccess & .htpassword & .db & .git |
|||
location ~ .htaccess { |
|||
deny all; |
|||
} |
|||
location ~ .htpassword { |
|||
deny all; |
|||
} |
|||
location ~^.+.(db)$ { |
|||
deny all; |
|||
} |
|||
location ~ /\.git { |
|||
deny all; |
|||
} |
|||
location ~ /\.lua { |
|||
deny all; |
|||
} |
|||
location ~ /\. { |
|||
deny all; |
|||
} |
|||
} |
|||
|
|||
server { |
|||
listen 80; |
|||
server_name fusionpbx; |
|||
|
|||
#redirect letsencrypt to dehydrated |
|||
location ^~ /.well-known/acme-challenge { |
|||
default_type "text/plain"; |
|||
auth_basic "off"; |
|||
alias /var/www/dehydrated; |
|||
} |
|||
|
|||
#rewrite rule - send to https with an exception for provisioning |
|||
if ($uri !~* ^.*(provision|xml_cdr|firmware).*$) { |
|||
rewrite ^(.*) https://$host$1 permanent; |
|||
break; |
|||
} |
|||
|
|||
#REST api |
|||
if ($uri ~* ^.*/api/.*$) { |
|||
rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last; |
|||
break; |
|||
} |
|||
|
|||
#algo |
|||
rewrite "^.*/provision/algom([A-Fa-f0-9]{12})\.conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last; |
|||
|
|||
#mitel |
|||
rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last; |
|||
rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last; |
|||
|
|||
#grandstream |
|||
rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1; |
|||
rewrite "^.*/provision/([A-Fa-f0-9]{12})/phonebook\.xml$" /app/provision/?mac=$1&file=phonebook.xml; |
|||
rewrite "^.*/provision/(phonebook\.xml)?$" /app/provision/index.php?file=$1 last; |
|||
#grandstream-wave softphone by ext because Android doesn't pass MAC. |
|||
rewrite "^.*/provision/([0-9]{5})/cfg([A-Fa-f0-9]{12}).xml$" /app/provision/?ext=$1; |
|||
|
|||
#aastra |
|||
rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg; |
|||
#rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last; |
|||
|
|||
#yealink |
|||
#rewrite "^.*/provision/(y[0-9]{12})(\.cfg|\.boot)?$" /app/provision/index.php?file=$1$2; |
|||
rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg; |
|||
rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last; |
|||
|
|||
#polycom |
|||
rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg"; |
|||
#rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2; |
|||
rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg; |
|||
rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg; |
|||
rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1; |
|||
rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg"; |
|||
rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml"; |
|||
|
|||
#cisco |
|||
rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last; |
|||
rewrite "^.*/provision/directory\.xml$" /app/provision/?file=directory.xml; |
|||
|
|||
#Escene |
|||
rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$" "/app/provision/?ext=$1&file={%24mac}_extern.xml" last; |
|||
rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$" "/app/provision/?ext=$1&file={%24mac}_phonebo |