diff --git a/lib/os/class.ISPConfigDebianOS.inc.php b/lib/os/class.ISPConfigDebianOS.inc.php index 309971d27cbb89ca0ccfaa9955f4b7a500590496..fa10bb3a51eb8a1567ae22f8c657b3194315186a 100644 --- a/lib/os/class.ISPConfigDebianOS.inc.php +++ b/lib/os/class.ISPConfigDebianOS.inc.php @@ -943,7 +943,7 @@ set alert ' . $monitEmail . ' protected function configureSecureShell() { ISPConfigLog::info('Configuring SSHd', true); - $secureShellCustomConfig = '# Created by the ISPConfig autoinstaller on ' . date("Y-m-d"); + $secureShellCustomConfig = ''; // Set Port $sshOption = ISPConfig::getSecureShellPort(); @@ -996,6 +996,10 @@ Port ' . $sshOption; if (in_array($sshOption, $validOptions)) { $secureShellCustomConfig .= ' PermitRootLogin ' . $sshOption; + $replacements = array( + '/^(\s*ALLOW_SSH_ROOT_USER\s*=).*$/m' => '$1' . $sshOption, + ); + $this->replaceContents('/etc/rkhunter.conf.local', $replacements); } else { ISPConfigLog::warn($sshOption . ' is not a valid option for --ssh-permit-root. Allowed values: ' . implode(", ", $validOptions) . '. Ignoring option.'); } @@ -1027,11 +1031,15 @@ PermitEmptyPasswords no X11Forwarding no'; } - // Put the config file in place - file_put_contents('/etc/ssh/sshd_config.d/custom.conf', $secureShellCustomConfig); + if(!empty($secureShellCustomConfig)) { + $secureShellCustomConfig = '# Created by the ISPConfig autoinstaller on ' . date("Y-m-d") . $secureShellCustomConfig; + + // Put the config file in place + file_put_contents('/etc/ssh/sshd_config.d/custom.conf', $secureShellCustomConfig); - // It's safe to restart the SSH daemon as the existing session will be kept alive. - $this->restartService('sshd'); + // It's safe to restart the SSH daemon as the existing session will be kept alive. + $this->restartService('sshd'); + } } protected function installUnattendedUpgrades() { 
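Review bot: The `replaceContents('/etc/rkhunter.conf.local', $replacements)` call added in the PermitRootLogin branch (hunk at -996) needs that file to exist already with an `ALLOW_SSH_ROOT_USER=` line, but the file is only created by the hunk at -1545, which writes it unconditionally with `ALLOW_SSH_ROOT_USER=unset`. The call order of the two methods is not visible in this diff. If configureSecureShell() runs first, the rewrite either finds nothing to match or is overwritten later, and rkhunter then compares sshd against a value that no longer matches the `PermitRootLogin` just written. Consider writing the rkhunter file before this point, or guarding with `if (!is_file('/etc/rkhunter.conf.local')) { ISPConfigLog::warn('rkhunter.conf.local missing, ALLOW_SSH_ROOT_USER not updated'); }`. The enclosing function starts and ends outside this hunk.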
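Review bot: At the end of configureSecureShell() (hunk at -1027) the result of `file_put_contents('/etc/ssh/sshd_config.d/custom.conf', $secureShellCustomConfig)` is not checked and sshd is restarted without validating the new drop-in, so a failed write or a rejected option goes unlogged. A guard such as `if (file_put_contents('/etc/ssh/sshd_config.d/custom.conf', $secureShellCustomConfig) === false) { ISPConfigLog::warn('Could not write sshd custom.conf'); return; }` and an `sshd -t` run before `restartService('sshd')` would cover both. How `$this->exec()` reports a non-zero exit is not visible here, so that part needs confirming. The new `!empty()` guard also leaves a custom.conf from an earlier run active when no SSH options are passed, which deserves a comment. The same unchecked write applies to `/etc/rkhunter.conf.local` in the hunk at -1545.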
@@ -1545,6 +1553,12 @@ mailman-unsubscribe: "|/var/lib/mailman/mail/mailman unsubscribe mailman"'; $this->exec('systemctl daemon-reload 2>&1'); $this->restartService('mysql'); + ISPConfigLog::info('Configuring rkhunter.', true); + $contents = 'MAIL-ON-WARNING=root +ALLOW_SSH_ROOT_USER=unset +SCRIPTWHITELIST=/usr/bin/lwp-request'; + file_put_contents('/etc/rkhunter.conf.local', $contents); + $packages = $this->getPackagesToInstall('mail'); $this->installPackages($packages);
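Review bot: `file_put_contents('/etc/rkhunter.conf.local', $contents)` replaces the whole file, so local rkhunter settings an administrator already kept there are dropped on a re-run, and `SCRIPTWHITELIST=/usr/bin/lwp-request` is written whether or not that script is installed. As far as I know, rkhunter rejects a SCRIPTWHITELIST entry whose path does not exist, so scans would report a configuration error rather than real findings. Adding the line conditionally, e.g. `if (is_file('/usr/bin/lwp-request')) { $contents .= "\nSCRIPTWHITELIST=/usr/bin/lwp-request"; }`, avoids that. A comment such as `// lwp-request is a Perl script, whitelisted so the script-replacement check does not flag it` would record why the exemption exists. The enclosing function starts and ends outside the hunk.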