Forked from ISPConfig / ISPConfig 3
Marius Burkard authored
DNSSEC-Implementation for BIND-Users (Including TLSA for DANE)

This implements DNSSEC on a fully automatic basis. Whenever a zone gets added, changed or deleted it will be signed (or, in case of deletion, the keys get deleted). This adds full DNSSEC capabilities to the system.

Hints:
- DNSKEY records are not visible within ISPConfig as they get added by a script run by the server cron.
- If there is low available entropy (<400 bits) new keys will not be generated. In this case the zone file (which was never signed before) stays unsigned until the next change of the SOA or any RR in that zone. IF a key exists, zone files will always be signed.
- I recommend installing haveged - especially on VMs - which raises available entropy by a huge amount of bits.
- Only de and en language included.
- DNSSEC can be switched on/off on a per-zone basis and is only available for primary zones (of course).
- Zone transfers will transfer the signed zone if DNSSEC is enabled for the originating zone.

The scripts have been tested on my productive 3.0 server for about 4 weeks as well as in a functional test for any scenarios I thought about in my 3.1 testing environment.

More info (older version): https://www.howtoforge.com/community/threads/bit-hacky-implementation-of-dnssec-patch-and-tlsa-dane.71829/

ANOTHER HINT: Currently the New zone Wizard is not working. This also happens in the latest ISPC master branch, so I ignored that and filed a bug report: http://bugtracker.ispconfig.org/index.php?do=details&task_id=4069

//Edit: One more note: I left the wizard/templates unchanged as it is buggy at the moment. Providing a checkbox to switch dnssec_wanted between Y and N is up to you here. Should not be too complicated though...

See merge request !269
TODO.txt
---------------------------------------
- ISPConfig 3 ToDo list
---------------------------------------
Please feel free to edit this file, add new tasks,
remove done tasks or assign yourself to a task.
Form Validators
--------------------------------------
Installer
--------------------------------------
- Add a function to let a server join an existing installation.
- Add package haveged to requirements (at least if entropy is low), as it raises available entropy significantly, which is very much needed for DNSSEC key generation.
If it is not installed and entropy is low, generating dnssec keys takes minutes (and would time out the server, thus it is not done) and new signing keys are not generated.
If there are no keys the zones cannot be signed and will only be available as an unsigned copy.
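As an added example (not code from the commit or from ISPConfig), the key/entropy policy described in the commit message and in the haveged item above, as a pair of POSIX shell functions: a zone with an existing key is always signed, a key is only generated when entropy_avail is at least 400 bits, and otherwise the zone stays unsigned. The key-directory layout, the ENTROPY_FILE override, the algorithm and the dnssec-keygen/dnssec-signzone flags are this example's assumptions.

```shell
#!/bin/sh
# Added example, not ISPConfig's own cron script: the key/entropy policy
# described in the commit message, as a POSIX shell function pair.
# Assumptions: BIND key files live in a per-zone key directory as
# K<zone>.+<alg>+<id>.key; entropy is read from ENTROPY_FILE, which defaults
# to the kernel's entropy_avail but can be pointed at a test file.
ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"
MIN_ENTROPY=400   # the "<400 bits" threshold from the commit message

# Print one of: sign      - a key already exists, so the zone is always signed
#               generate  - no key yet, but enough entropy to create one
#               unsigned  - no key and too little entropy; leave the zone as is
dnssec_decide() {
    zone="$1"; keydir="$2"
    set -- "$keydir"/K"$zone".+*.key
    if [ -e "$1" ]; then
        echo sign
        return 0
    fi
    entropy=$(cat "$ENTROPY_FILE" 2>/dev/null || echo 0)
    if [ "$entropy" -ge "$MIN_ENTROPY" ]; then
        echo generate
    else
        echo unsigned
    fi
}

# Create a ZSK/KSK pair when allowed, then sign the zone file.
# Algorithm and dnssec-* flags are the example's choice, not the commit's.
dnssec_sign_zone() {
    zone="$1"; keydir="$2"; zonefile="$3"
    case "$(dnssec_decide "$zone" "$keydir")" in
        unsigned)
            echo "entropy below $MIN_ENTROPY bits; $zone stays unsigned" >&2
            return 1 ;;
        generate)
            dnssec-keygen -a ECDSAP256SHA256 -n ZONE -K "$keydir" "$zone" >/dev/null || return 1
            dnssec-keygen -a ECDSAP256SHA256 -n ZONE -f KSK -K "$keydir" "$zone" >/dev/null || return 1 ;;
    esac
    # -S: smart signing picks up the keys in -K; -N increment bumps the SOA serial
    dnssec-signzone -S -K "$keydir" -o "$zone" -N increment "$zonefile"
}
```

Running dnssec_decide first lets a cron job log why a zone was left unsigned instead of blocking for minutes on key generation.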
Uninstaller
--------------------------------------
- Add a function to remove ispconfig user
Server
--------------------------------------
Mail module
--------------------------------------
Administration module
--------------------------------------
- Firewall Solution -- Andrew lathama Latham lathama@gmail.com
* Monitor existing IPTABLES rules is done and in the monitor page.
* Add IPTABLES rules
semi-functional and in development also functional in multiserver
* Delete IPTABLES rules
semi-functional and in development also functional in multiserver
* Merge IPTABLES rules made from the CLI with those made from ISPConfig3
Interesting topic about merging control with the GUI and the CLI
interface for a systems administrator who might add a rule during an
attack or for troubleshooting and forget to remove it.
* Fail2Ban
Add configuration for fail2ban on certain systems. Imagine an admin
wishes to use fail2ban on one service but not others. Rare but an issue
when a large number of clients use a single NAT for all users and failed
logins and traffic looks like an attack. Maybe a whitelist configuration
as an optional setting.
* Remoting
Enable remoting hooks for updating IPTABLES
* Service Checks
Adding safety checks to make sure that the admin does not lock themselves
out of the system by accident. We all make mistakes.
-- Note: I'd love a pure iptables firewall as well. I've made such a script for
my work, which uses a simple config file to open/close ports and supports
IP exclusions. I think we could use it as a base to start with; it's up on the dev forum,
url: http://www.howtoforge.com/forums/showthread.php?p=261311 (Mark_NL)
Clients module
--------------------------------------
Sites (web) module
--------------------------------------
BE-Designer module
--------------------------------------
WARNING: Please do not use the BE Designer at the moment, the serializing
function of the module editor may break some of the existing modules.
Remoting framework
--------------------------------------
- Add more connections to other data. Remoting hooks for FS and Email Quota
Interface
--------------------------------------
- Enhance the paging in lists (e.g. like this: [1 2 3 4 ... 10])
- DNS: Add Checkbox to switch dnssec_wanted between Y and N to templates and/or wizard. I recommend doing it in the wizard though.
General tasks
--------------------------------------
- Add, extend or modify comments in PEAR syntax so that they can be read with
phpdocumentor.
- Doxygen might be a good idea (phpdocumentor looks nice but has no active development)
-- http://drupal.org/node/1354 may have some good ideas.
-- http://engineeredweb.com/blog/10/9/4-reasons-consider-doxygen-over-phpdocumentor