From 82f8aa98c1209a430562a09f111824f432965565 Mon Sep 17 00:00:00 2001 From: "Dr. Yves Kreis" Date: Tue, 29 Aug 2023 22:45:29 +0300 Subject: [PATCH] monit --- lib/os/class.ISPConfigDebianOS.inc.php | 307 ++++++++++++++----------- 1 file changed, 167 insertions(+), 140 deletions(-) diff --git a/lib/os/class.ISPConfigDebianOS.inc.php b/lib/os/class.ISPConfigDebianOS.inc.php index 309971d..b9f8eba 100644 --- a/lib/os/class.ISPConfigDebianOS.inc.php +++ b/lib/os/class.ISPConfigDebianOS.inc.php @@ -5,6 +5,8 @@ * @author croydon */ class ISPConfigDebianOS extends ISPConfigBaseOS { + protected $sshPort = '22'; + public function getPackageVersion($package) { $cmd = 'dpkg --list ' . $package . ' 2>&1'; $result = $this->exec($cmd); @@ -492,10 +494,8 @@ Alias /phpmyadmin /usr/share/phpmyadmin ISPConfigLog::info('Configuring Monit.', true); // Set up main config - $replacements = array( - 'set daemon 120' => 'set daemon 60' - ); - $this->replaceContents('/etc/monit/monitrc', $replacements, true); + $conf='set daemon 60'; + file_put_contents('/etc/monit/conf.d/config', $conf); // Set up config files for each service that shall be monitored $servicesInstalled = array( @@ -539,11 +539,10 @@ Alias /phpmyadmin /usr/share/phpmyadmin } if (ISPConfig::shallInstall('mail')) { - array_push($servicesInstalled, "postfix", "dovecot", "rspamd"); - } - - if(!ISPConfig::wantsAmavis()) { - array_push($servicesInstalled, "redis-server"); + array_push($servicesInstalled, "postfix", "dovecot"); + if(!ISPConfig::wantsAmavis()) { + array_push($servicesInstalled, "rspamd", "redis-server"); + } } $services = array_unique($servicesInstalled); 
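Review bot: The new `protected $sshPort = '22';` is only a correct default as long as `configureSecureShell()` (which overwrites it further down in this patch) runs before `installMonit()` reads it for the sshd check, and nothing at the declaration says so. A docblock on the property would make the dependency visible to the next person who reorders the install steps, e.g. `/** Port the SSH daemon listens on. Overwritten by configureSecureShell() when a custom port is chosen; that must run before installMonit(). */`. The class body continues well beyond this hunk.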
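Review bot: `file_put_contents('/etc/monit/conf.d/config', $conf)` in the main-config hunk ignores its return value, so a failed write (missing `conf.d`, read-only filesystem) is silent, whereas the `exec` calls in this method throw `ISPConfigOSException` on failure; check it the same way: `if (file_put_contents('/etc/monit/conf.d/config', $conf) === false) { throw new ISPConfigOSException('Could not write /etc/monit/conf.d/config.'); }`. The old `set daemon 120` in `/etc/monit/monitrc` is no longer rewritten, so the loaded configuration now carries two `set daemon` statements; I am not certain which one monit applies when the include comes later in the file, so verify on a target host that the 60-second cycle actually takes effect. A one-line comment saying why a drop-in file is used instead of editing monitrc would help too. The enclosing method starts and ends outside this hunk.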
@@ -557,18 +556,13 @@ Alias /phpmyadmin /usr/share/phpmyadmin $conf='check process apache with pidfile /var/run/apache2/apache2.pid group apache start program = "/usr/bin/systemctl start apache2" with timeout 60 seconds - stop program = "/usr/bin/systemctl stop apache2" + stop program = "/usr/bin/systemctl stop apache2" if failed port 80 protocol http then restart if failed port 443 then restart if 5 restarts within 5 cycles then timeout depend apache_bin - depend apache_rc - + check file apache_bin with path /usr/sbin/apache2 - group apache - include /etc/monit/templates/rootbin - -check file apache_rc with path /etc/init.d/apache2 group apache include /etc/monit/templates/rootbin'; } 
@@ -577,68 +571,51 @@ check file apache_rc with path /etc/init.d/apache2 $conf='check process nginx with pidfile /var/run/nginx.pid group nginx start program = "/usr/bin/systemctl start nginx" with timeout 60 seconds - stop program = "/usr/bin/systemctl stop nginx" + stop program = "/usr/bin/systemctl stop nginx" if failed port 80 protocol http then restart if failed port 443 then restart if 5 restarts within 5 cycles then timeout depend nginx_bin - depend nginx_rc check file nginx_bin with path /usr/sbin/nginx - group nginx - include /etc/monit/templates/rootbin - -check file nginx_rc with path /etc/init.d/nginx group nginx include /etc/monit/templates/rootbin'; } - + if ($service == 'mariadb') { if (file_exists('/etc/init.d/mariadb') && file_exists('/usr/sbin/mariadbd')) { $conf='check process mariadb with pidfile /var/run/mysqld/mysqld.pid - group mysql + group mariadb start program = "/usr/bin/systemctl start mariadb" with timeout 60 seconds - stop program = "/usr/bin/systemctl stop mariadb" + stop program = "/usr/bin/systemctl stop mariadb" if failed host 127.0.0.1 port 3306 protocol mysql then restart if failed unixsocket /var/run/mysqld/mysqld.sock protocol mysql for 3 times within 4 cycles then restart if 5 restarts within 5 cycles then timeout - - depend mysql_bin - depend mysql_rc - -check file mysql_bin with path /usr/sbin/mariadbd - group mysql - include /etc/monit/templates/rootbin - -check file mysql_rc with path /etc/init.d/mariadb - group mysql + depend mariadb_bin + +check file mariadb_bin with path /usr/sbin/mariadbd + group mariadb include /etc/monit/templates/rootbin'; } elseif (file_exists('/etc/init.d/mysql') && file_exists('/usr/sbin/mysqld')) { $conf='check process mariadb with pidfile /var/run/mysqld/mysqld.pid group mysql start program = "/usr/bin/systemctl start mariadb" with timeout 60 seconds - stop program = "/usr/bin/systemctl stop mariadb" + stop program = "/usr/bin/systemctl stop mariadb" if failed host 127.0.0.1 port 3306 protocol 
mysql then restart - if failed unixsocket /var/run/mysqld/mysqld.sock protocol mysql for 3 times within 2 cycles then restart + if failed unixsocket /var/run/mysqld/mysqld.sock protocol mysql for 3 times within 4 cycles then restart if 5 restarts within 5 cycles then timeout - depend mysql_bin - depend mysql_rc - + check file mysql_bin with path /usr/sbin/mysqld - group mysql - include /etc/monit/templates/rootbin - -check file mysql_rc with path /etc/init.d/mysql group mysql include /etc/monit/templates/rootbin'; } else { $conf='check process mariadb with pidfile /var/run/mysqld/mysqld.pid - group mysql + group mariadb start program = "/usr/bin/systemctl start mariadb" with timeout 60 seconds - stop program = "/usr/bin/systemctl stop mariadb" + stop program = "/usr/bin/systemctl stop mariadb" if failed host 127.0.0.1 port 3306 protocol mysql then restart - if failed unixsocket /var/run/mysqld/mysqld.sock protocol mysql for 3 times within 2 cycles then restart + if failed unixsocket /var/run/mysqld/mysqld.sock protocol mysql for 3 times within 4 cycles then restart if 5 restarts within 5 cycles then timeout'; } } 
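Review bot: Branch selection for the mariadb check still keys on `/etc/init.d/mariadb` and `/etc/init.d/mysql` existing, even though this commit drops every `*_rc` init-script check in favour of systemctl; on a host without those init scripts the third branch is chosen, and that branch has no `depend`/`check file` lines at all, so the binary goes unmonitored. If the init scripts are no longer a reliable discriminator, select on the binaries alone: `if (file_exists('/usr/sbin/mariadbd')) {` and `} elseif (file_exists('/usr/sbin/mysqld')) {`. The middle branch also keeps `group mysql`/`mysql_bin` while the other two were renamed to `mariadb`; if that is deliberate, a short comment saying so would save the next reader a question. The `if ($service == 'mariadb')` block is complete in this hunk, but the loop around it starts and ends outside it.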
@@ -648,66 +625,81 @@ check file mysql_rc with path /etc/init.d/mysql if ($service == $phpfpm) { $conf='check process ' . $phpfpm . ' with pidfile /var/run/php/' . $phpfpm . '.pid group php-fpm - start program = "/usr/bin/systemctl start ' . $phpfpm .'" with timeout 60 seconds - stop program = "/usr/bin/systemctl stop ' . $phpfpm . '" + start program = "/usr/bin/systemctl start ' . $phpfpm . '" with timeout 60 seconds + stop program = "/usr/bin/systemctl stop ' . $phpfpm . '" if failed unixsocket /var/run/php/' . $phpfpm . '.sock then restart - if 5 restarts within 5 cycles then timeout'; + if 5 restarts within 5 cycles then timeout + depend ' . $phpfpm . '_bin + +check file ' . $phpfpm . '_bin with path /usr/sbin/php-fpm' . $curver . ' + group php-fpm + include /etc/monit/templates/rootbin'; } } if ($service == 'memcached') { $conf='check process memcached with pidfile /var/run/memcached/memcached.pid group memcached - start program = "/usr/bin/systemctl start memcached" - stop program = "/usr/bin/systemctl stop memcached" + start program = "/usr/bin/systemctl start memcached" with timeout 60 seconds + stop program = "/usr/bin/systemctl stop memcached" if failed host 127.0.0.1 port 11211 protocol memcache then restart if 5 restarts within 5 cycles then timeout - depend memcache_bin - depend memcache_rc - + check file memcache_bin with path /usr/bin/memcached - group memcached - include /etc/monit/templates/rootbin - -check file memcache_rc with path /etc/init.d/memcached group memcached include /etc/monit/templates/rootbin'; } - + if ($service == 'pure-ftpd-mysql') { $conf='check process pure-ftpd-mysql with pidfile /var/run/pure-ftpd/pure-ftpd.pid + group pure-ftpd start program = "/usr/bin/systemctl start pure-ftpd-mysql" with timeout 60 seconds - stop program = "/usr/bin/systemctl stop pure-ftpd-mysql" + stop program = "/usr/bin/systemctl stop pure-ftpd-mysql" if failed port 21 protocol ftp then restart - if 5 restarts within 5 cycles then timeout'; + if 5 
restarts within 5 cycles then timeout + depend pure-ftpd_bin + +check file pure-ftpd_bin with path /usr/sbin/pure-ftpd-mysql + group pure-ftpd + include /etc/monit/templates/rootbin'; } if ($service == 'fail2ban') { $conf='check process fail2ban with pidfile /var/run/fail2ban/fail2ban.pid + group fail2ban start program = "/usr/bin/systemctl start fail2ban" with timeout 60 seconds - stop program = "/usr/bin/systemctl stop fail2ban" - if failed unixsocket /var/run/fail2ban/fail2ban.sock then restart - if 5 restarts within 5 cycles then timeout + stop program = "/usr/bin/systemctl stop fail2ban" + if failed unixsocket /var/run/fail2ban/fail2ban.sock then restart + if 5 restarts within 5 cycles then timeout check file fail2ban_log with path /var/log/fail2ban.log + group fail2ban if match "ERROR|WARNING" then alert'; } - if ($service == 'sshd') { $conf='check process sshd with pidfile /var/run/sshd.pid group sshd - start program = "/etc/init.d/ssh start" - stop program = "/etc/init.d/ssh stop" - if failed host localhost port 22 with proto ssh then restart + start program = "/usr/bin/systemctl start ssh" with timeout 60 seconds + stop program = "/usr/bin/systemctl stop ssh" + if failed host localhost port ' . $this->sshPort . ' with proto ssh then restart if 5 restarts with 5 cycles then timeout depend on sshd_bin depend on sftp_bin - depend on sshd_rc - depend on sshd_rsa_key - depend on sshd_dsa_key - +'; + if (!ISPConfig::wantsSecureShellHardened()) { + $conf.=' depend on sshd_rsa_key +'; + if (file_exists('/etc/ssh/ssh_host_dsa_key')) { + $conf.=' depend on sshd_dsa_key +'; + } + $conf.=' depend on sshd_ecdsa_key +'; + } + $conf.=' depend on sshd_ed25519_key + check file sshd_bin with path /usr/sbin/sshd group sshd include /etc/monit/templates/rootbin 
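Review bot: In the sshd block, `depend on sshd_rsa_key` and `depend on sshd_ecdsa_key` are appended unconditionally inside the non-hardened branch, while the dsa dependency is guarded by `file_exists('/etc/ssh/ssh_host_dsa_key')`; on a host that has no RSA or ECDSA host key the matching `check file` in the next hunk points at a missing path, and I would expect monit to report that dependency as failed rather than ignore it — worth confirming on such a host. Guard both like the dsa case, e.g. `if (file_exists('/etc/ssh/ssh_host_rsa_key')) { $conf.=' depend on sshd_rsa_key' . "\n"; }` and the same for ecdsa, and mirror the guard around the corresponding `check file` entries in the following hunk. The php-fpm `check file` path uses `$curver`, which is defined outside this hunk; the `foreach` over `$services` enclosing all of these blocks also starts and ends outside it.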
@@ -715,39 +707,45 @@ check file sshd_bin with path /usr/sbin/sshd check file sftp_bin with path /usr/lib/openssh/sftp-server group sshd include /etc/monit/templates/rootbin - -check file sshd_rsa_key with path /etc/ssh/ssh_host_rsa_key + +'; + if (!ISPConfig::wantsSecureShellHardened()) { + $conf.='check file sshd_rsa_key with path /etc/ssh/ssh_host_rsa_key group sshd include /etc/monit/templates/rootstrict -check file sshd_dsa_key with path /etc/ssh/ssh_host_dsa_key +'; + if (file_exists('/etc/ssh/ssh_host_dsa_key')) { + $conf.='check file sshd_rsa_key with path /etc/ssh/ssh_host_dsa_key group sshd include /etc/monit/templates/rootstrict - -check file sshd_rc with path /etc/ssh/sshd_config + +'; + } + $conf.='check file sshd_ecdsa_key with path /etc/ssh/ssh_host_ecdsa_key group sshd - include /etc/monit/templates/rootrc'; + include /etc/monit/templates/rootstrict + +'; + } + $conf.='check file sshd_ed25519_key with path /etc/ssh/ssh_host_ed25519_key + group sshd + include /etc/monit/templates/rootstrict'; } if ($service == 'crond') { $conf='check process crond with pidfile /var/run/crond.pid - group system group crond start program = "/usr/bin/systemctl start cron" with timeout 60 seconds - stop program = "/usr/bin/systemctl stop cron" + stop program = "/usr/bin/systemctl stop cron" if 5 restarts with 5 cycles then timeout depend cron_bin - depend cron_rc depend cron_spool - + check file cron_bin with path /usr/sbin/cron group crond include /etc/monit/templates/rootbin - -check file cron_rc with path "/etc/init.d/cron" - group crond - include /etc/monit/templates/rootbin - + check directory cron_spool with path /var/spool/cron/crontabs group crond if failed permission 1730 then unmonitor 
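Review bot: The DSA branch names its check `sshd_rsa_key` while pointing at `/etc/ssh/ssh_host_dsa_key`, so the generated file contains two `check file sshd_rsa_key` entries and the `depend on sshd_dsa_key` added to the sshd process in the previous hunk refers to a service that is never defined; monit's parser rejects duplicate service names and unresolved dependencies, so on hosts that still carry a DSA host key the sshd config file would fail to load. The line should read `$conf.='check file sshd_dsa_key with path /etc/ssh/ssh_host_dsa_key`. The `$service == 'sshd'` block begins in the previous hunk.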
@@ -757,110 +755,136 @@ check directory cron_spool with path /var/spool/cron/crontabs if ($service == 'named') { $conf='check process named with pidfile /var/run/named/named.pid + group named start program = "/usr/bin/systemctl start named" with timeout 60 seconds - stop program = "/usr/bin/systemctl stop named" - if failed port 53 use type udp protocol dns then restart - if 5 restarts within 5 cycles then timeout'; + stop program = "/usr/bin/systemctl stop named" + if failed host localhost port 53 type udp protocol dns then restart + if 5 restarts within 5 cycles then timeout + depend named_bin + depend named_rndc + +check file named_bin with path /usr/sbin/named + group named + include /etc/monit/templates/rootbin + +check file named_rndc with path /etc/bind/rndc.key + group named + if failed checksum then unmonitor + if failed permission 640 then unmonitor + if failed uid bind then unmonitor + if failed gid bind then unmonitor'; } - + if ($service == 'postfix') { $conf='check process postfix with pidfile /var/spool/postfix/pid/master.pid - group mail group postfix start program = "/usr/bin/systemctl start postfix" with timeout 60 seconds - stop program = "/usr/bin/systemctl stop postfix" + stop program = "/usr/bin/systemctl stop postfix" if failed host localhost port 25 with protocol smtp for 2 times within 2 cycles then restart if 5 restarts with 5 cycles then timeout depend master_bin - depend postfix_rc depend postdrop_bin depend postqueue_bin depend master_cf depend main_cf - + check file master_bin with path /usr/lib/postfix/sbin/master group postfix include /etc/monit/templates/rootbin - + check file postdrop_bin with path /usr/sbin/postdrop group postfix if failed checksum then unmonitor if failed permission 2555 then unmonitor if failed uid root then unmonitor if failed gid postdrop then unmonitor - + check file postqueue_bin with path /usr/sbin/postqueue group postfix if failed checksum then unmonitor if failed permission 2555 then unmonitor if failed 
uid root then unmonitor if failed gid postdrop then unmonitor - + check file master_cf with path /etc/postfix/master.cf group postfix include /etc/monit/templates/rootrc - + check file main_cf with path /etc/postfix/main.cf group postfix - include /etc/monit/templates/rootrc - -check file postfix_rc with path /etc/init.d/postfix - group postfix - include /etc/monit/templates/rootbin'; + include /etc/monit/templates/rootrc'; + } if ($service == 'dovecot') { $conf='check process dovecot with pidfile /var/run/dovecot/master.pid - group mail + group dovecot start program = "/usr/bin/systemctl start dovecot" with timeout 60 seconds - stop program = "/usr/bin/systemctl stop dovecot" + stop program = "/usr/bin/systemctl stop dovecot" #if failed host mail.yourdomain.tld port 993 type tcpssl sslauto protocol imap then restart if failed port 143 protocol imap then restart - if 5 restarts within 5 cycles then timeout'; + if 5 restarts within 5 cycles then timeout + depend dovecot_bin + +check file dovecot_bin with path /usr/sbin/dovecot + group dovecot + include /etc/monit/templates/rootbin'; } - + if ($service == 'rspamd') { $conf='check process rspamd matching \'rspamd: main process\' start program = "/usr/bin/systemctl start rspamd" with timeout 60 seconds - stop program = "/usr/bin/systemctl start rspamd" - + stop program = "/usr/bin/systemctl stop rspamd" if cpu is greater than 40% then alert if cpu > 60% for 4 cycles then alert if memory > 80% for 4 cycles then alert - if totalmem > 1024 MB for 4 cycles then alert'; + if totalmem > 1024 MB for 4 cycles then alert + depend rspamd_bin + +check file rspamd_bin with path /usr/bin/rspamd + group rspamd + include /etc/monit/templates/rootbin'; } if ($service == 'redis-server') { - $conf='check process redis-server with pidfile "/var/run/redis/redis-server.pid" - start program = "/usr/bin/systemctl start redis-server" - stop program = "/usr/bin/systemctl stop redis-server" - if failed host 127.0.0.1 port 6379 protocol redis 
then restart - if 5 restarts within 5 cycles then timeout'; + $conf='check process redis-server with pidfile /var/run/redis/redis-server.pid + group redis-server + start program = "/usr/bin/systemctl start redis-server" + stop program = "/usr/bin/systemctl stop redis-server" + if failed host 127.0.0.1 port 6379 protocol redis then restart + if 5 restarts within 5 cycles then timeout + depend redis-server_bin + +check file redis-server_bin with path /usr/bin/redis-server + group redis-server + include /etc/monit/templates/rootbin'; } - + if ($service == 'filesystem') { $conf='check filesystem rootfs with path / + group server if space usage > 90% then alert if inode usage > 80% then alert'; } - + if ($service == 'resources') { $conf='check system $HOST + group server if loadavg (5min) > 3 then alert - if loadavg (15min) > 1 then alert - if memory usage > 80% for 4 cycles then alert - if swap usage > 20% for 6 cycles then alert - # Test the user part of CPU usage - if cpu usage (user) > 80% for 6 cycles then alert - # Test the system part of CPU usage - if cpu usage (system) > 20% for 6 cycles then alert - # Test the i/o wait part of CPU usage - if cpu usage (wait) > 80% for 4 cycles then alert - # Test CPU usage including user, system and wait. Note that - # multi-core systems can generate 100% per core - # so total CPU usage can be more than 100% - if cpu usage > 200% for 4 cycles then alert'; + if loadavg (15min) > 1 then alert + if memory usage > 80% for 4 cycles then alert + if swap usage > 20% for 6 cycles then alert + # Test the user part of CPU usage + if cpu usage (user) > 80% for 6 cycles then alert + # Test the system part of CPU usage + if cpu usage (system) > 20% for 6 cycles then alert + # Test the i/o wait part of CPU usage + if cpu usage (wait) > 80% for 4 cycles then alert + # Test CPU usage including user, system and wait. 
Note that + # multi-core systems can generate 100% per core + # so total CPU usage can be more than 100% + if cpu usage > 200% for 4 cycles then alert'; } file_put_contents($confAvailableDir . $service, $conf); @@ -872,6 +896,7 @@ check file postfix_rc with path /etc/init.d/postfix $conf = '#set mailserver localhost #set mailserver smtp.example.com port 587 #username "user@example.com" password "welcome" + #using tls #set alert admin@example.com @@ -916,7 +941,7 @@ set alert ' . $monitEmail . ' } file_put_contents($confAvailableDir . $service, $conf); $services[] = $service; - + // Configure main config with UI and admin + pass $service = "webui"; $monitpw = ''; @@ -925,15 +950,16 @@ set alert ' . $monitEmail . ' #SSL ENABLE #PEMFILE /usr/local/ispconfig/interface/ssl/ispserver.pem allow admin:' . $monitpw; - file_put_contents($confAvailableDir . $service, $conf); $services[] = $service; foreach ($services as $confFile) { - $cmd = 'ln -s ' . $confAvailableDir . $confFile . ' ' . $confEnabledDir; - $result = $this->exec($cmd); - if($result === false) { - throw new ISPConfigOSException('Command ' . $cmd . ' failed.'); + if(!is_link($confEnabledDir . $confFile) && !is_file($confEnabledDir . $confFile)) { + $cmd = 'ln -s ' . $confAvailableDir . $confFile . ' ' . $confEnabledDir; + $result = $this->exec($cmd); + if($result === false) { + throw new ISPConfigOSException('Command ' . $cmd . ' failed.'); + } } } @@ -977,6 +1003,7 @@ set alert ' . $monitEmail . ' '8081' // ISPConfig apps vhost ); if (!in_array($sshOption, $invalidOptions)) { + $this->sshPort = $sshOption; $secureShellCustomConfig .= ' Port ' . $sshOption; ISPConfigLog::info('Configuring custom port for the SSH daemon. After install, you can login through SSH on port ' . $sshOption); 
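Review bot: The new `named_rndc` check answers a failed permission/uid/gid test on `/etc/bind/rndc.key` with `unmonitor`, which switches that check off until someone runs `monit monitor` again — so a key file whose ownership or mode has drifted is flagged once and then silently ignored, the opposite of what you want for the secret that authorises rndc. For the three ownership/mode tests use `alert` instead: `if failed permission 640 then alert`, `if failed uid bind then alert`, `if failed gid bind then alert` (keeping `checksum ... then unmonitor` if churn on legitimate key regeneration is the concern). The `640`/`bind:bind` values assumed here should be confirmed against the bind9 package on the target release. The `foreach` over `$services` enclosing these blocks starts and ends outside the hunk.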
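Review bot: The new guard in the `foreach ($services as $confFile)` loop skips an existing link without checking where it points, so a stale symlink left by an earlier run, or a plain file someone dropped into `$confEnabledDir`, is kept and the freshly written config in `$confAvailableDir` is never enabled, with no log line to say so. At minimum log the skip in an `else` branch, e.g. `ISPConfigLog::info('Monit config ' . $confEnabledDir . $confFile . ' already exists, not replacing it.', true);`, and consider comparing `readlink($confEnabledDir . $confFile)` with `$confAvailableDir . $confFile` before deciding to skip. `installMonit` continues beyond this hunk.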
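Review bot: `$this->sshPort = $sshOption;` stores the option after only a blacklist check (`in_array` against `$invalidOptions`, non-strict), and the value is later spliced verbatim into both the sshd `Port` directive and the monit `if failed host localhost port ... with proto ssh` line; anything non-numeric or out of range (a typo, an empty string) yields an sshd_config that fails to load and a monit entry that cannot parse. Validate before assigning, e.g. `if (!ctype_digit((string) $sshOption) || (int) $sshOption < 1 || (int) $sshOption > 65535) { throw new ISPConfigOSException('Invalid SSH port: ' . $sshOption); }`, and pass `true` as the third `in_array` argument. The enclosing method and its surrounding `if` start outside the hunk.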
@@ -1897,13 +1924,13 @@ mailman-unsubscribe: "|/var/lib/mailman/mail/mailman unsubscribe mailman"'; $this->fixDbconfigCommon(); + $this->configureSecureShell(); + $monit_password = ''; if(ISPConfig::wantsMonit()) { $monit_password = $this->installMonit(); } - $this->configureSecureShell(); - if(ISPConfig::wantsUnattendedUpgrades()) { $this->installUnattendedUpgrades(); } -- GitLab
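Review bot: The reorder is load-bearing — `installMonit()` reads `$this->sshPort`, which `configureSecureShell()` sets — but nothing in the code says so, and a later tidy-up could swap the two calls back and silently monitor port 22 on hosts with a custom port. Add a comment above the moved call: `// Must run before installMonit(): it sets $this->sshPort, which the sshd monit check uses.` The enclosing install method starts and ends outside the hunk.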