CLI Tool 'v-system-report' for Comprehensive Server Health Check

ISSUE_TEMPLATE.md

@@ -1,23 +1,19 @@
-### Operating System (OS/VERSION):
+### Describe the problem:
 
-Type here, e.g. CentOS 6
+Type here what is the problem
 
-### VestaCP Version:
-
-Type here, e.g. 3.14159
-
-### Installed Software (what you got with the installer):
+### Steps to Reproduce:
 
-Type here, e.g. php-fpm, apache, nginx, mysql
+Type here what we should do in order to see the bug on our test server
 
-### Steps to Reproduce:
+### Debian version:
 
-Type here, e.g. install vesta and type rm -rf / --no-preserve-root
+Type here, example: Debian 10
 
-### Related Issues/Forum Threads:
+### VestaCP Version:
 
-Found anything that might be related to this? It might help us find the cause.
+Type here, example: 0.9.8.26-29
 
-### Other Notes:
+### Installed Software (what you got with the installer):
 
-Anything else?
+Copy here first 22 lines of file /usr/local/vesta/conf/vesta.conf

README.md

@@ -1,42 +1,95 @@
-[Vesta Control Panel](http://vestacp.com/)
-==================================================
 
-[![Join the chat at https://gitter.im/vesta-cp/Lobby](https://badges.gitter.im/vesta-cp/Lobby.svg)](https://gitter.im/vesta-cp/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+<h1 align="center"><a href="https://myvestacp.com">myVesta</a></h1>
 
-* Vesta is an open source hosting control panel.
-* Vesta has a clean and focused interface without the clutter.
-* Vesta has the latest of very innovative technologies.
+<div style="text-align:center">
 
-How to install (2 step)
-----------------------------
-Connect to your server as root via SSH
-```bash
-ssh root@your.server
-```
+[![Screenshot of myVesta](https://www.myvestacp.com/screenshot1.png)](https://www.myvestacp.com/)
 
-Download the installation script, and run it:
-```bash
-curl http://vestacp.com/pub/vst-install.sh | bash
-```
+</div>
 
-How to install (3 step)
-----------------------------
-If the above example does not work, try this 3 step method:
-Connect to your server as root via SSH
-```bash
-ssh root@your.server
-```
+<h1 align="center">About</h1>
+
+<p align="center">myVesta is a security and stability-focused fork of VestaCP, exclusively supporting Debian in order to maintain a streamlined ecosystem. Boasting a clean, clutter-free interface and the latest innovative technologies, our project is committed to staying synchronized with official VestaCP commits. We work independently to enhance security and develop new features, driven by our passion for contributing to the open-source community rather than monetary gain. As such, we will offer all features built for myVesta to the official VestaCP project through pull requests, without interfering with their development milestones.</p>
 
+<p align="center"><b><a href="https://github.com/myvesta/vesta/blob/master/Changelog.md">View Changelog</a>
+</b></p>
+
+<h1>Links</h1>
+<ul>
+  <li><a href="https://www.myvestacp.com/">Visit our homepage.</a></li>
+  <li><a href="https://forum.myvestacp.com/">Check out our forum for discussions and support.</a></li>
+  <li><a href="https://wiki.myvestacp.com/">For more information, take a look at our knowledge base.</a></li>
+</ul>
+
+<h1>Features of myVesta</h1>
+<ul>
+    <li>Support for Debian 11 and 12 (Debian 12 is recommended, but previous Debian releases are also supported)</li>
+    <li>Support for MySQL 8</li>
+    <li><a href="https://forum.myvestacp.com/viewtopic.php?f=20&t=51">nginx templates</a> that can prevent denial-of-service on your server</li>
+    <li><a href="https://forum.myvestacp.com/viewtopic.php?f=18&t=52">Support for multi-PHP versions</a></li>
+    <li>You can <a href="https://forum.myvestacp.com/viewtopic.php?f=20&t=350">host NodeJS apps</a></li>
+    <li>You can limit the maximum number of sent emails (per hour) <a href="https://github.com/myvesta/vesta/blob/master/install/debian/10/exim/exim4.conf.template#L112-L113">per mail account</a> and <a href="https://github.com/myvesta/vesta/blob/master/install/debian/10/exim/exim4.conf.template#L72-L73">per hosting account</a>, preventing hijacking of email accounts and preventing PHP malware scripts to send spam.</li>
+    <li>
+      You can completely "lock" myVesta so it can be accessed only via secret URL, for example https://serverhost:8083/?MY-SECRET-URL
+      <ul>
+        <li>During installation you will be asked to choose a secret URL for your hosting panel</li>
+        <li>Literally no PHP scripts will be alive on your hosting panel (won't be able to get executed), unless you access the hosting panel with secret URL parameter. Thus, when it happens that, let's say, some zero-day exploit pops up - attackers won't be able to access it without knowing your secret URL - PHP scripts from VestaCP will be simply dead - no one will be able to interact with your panel unless they have the secret URL.</li>
+        <li>You can see for yourself how this mechanism was built by looking at:</li>
+        <ul>
+          <li><a href="https://github.com/myvesta/vesta/blob/master/src/deb/for-download/php/php.ini#L496">src/deb/for-download/php/php.ini</a></li>
+          <li><a href="https://github.com/myvesta/vesta/blob/master/web/inc/secure_login.php">web/inc/secure_login.php</a></li>
+        </ul>
+        <li>If you didn't set the secret URL during installation, you can do it anytime. Just execute in shell: <code>echo "&lt;?php \$login_url='MY-SECRET-URL';" > /usr/local/vesta/web/inc/login_url.php</code></li>
+      </ul>
+    </li>
+  <li>We <a href="https://github.com/myvesta/vesta/blob/master/install/debian/10/php/php7.3-dedi.patch#L9">disabled dangerous PHP functions</a> in php.ini, so even if, for example, your customer's CMS gets compromised, hacker will not be able to execute shell scripts from within PHP.</li>
+  <li>Apache is fully switched to mpm_event mode, while PHP is running in PHP-FPM mode, which is the most stable PHP-stack solution
+    <ul><li>OPCache is turned on by default</li></ul>
+    <li>Auto-generating LetsEncrypt SSL for server hostname (signed SSL for Vesta 8083 port, for dovecot (IMAP & POP3) and for Exim (SMTP))</li>
+    <li>You can change Vesta port during installation or later using one command line: v-change-vesta-port [number]</li>
+    <li>ClamAV is configured to block zip/rar/7z archives that contains executable files (just like GMail)</li>
+    <li>Backup will run with lowest priority (to avoid load on server), and can be configured to run only by night (and to stop on the morning and continue next night) </li>
+    <ul>
+    <li>You can compile Vesta binaries by yourself - <a href="https://github.com/myvesta/vesta/blob/master/src/deb/vesta_compile.sh">src/deb/vesta_compile.sh</a></li>
+<li>You can even create your own APT repository in a minute</li>
+<li>We are using latest nginx version for vesta-nginx package</li>
+<li>With your own APT infrastructure you can take security of Vesta-installer infrastructure in your own hands. You will have full control of your Vesta code (this way you can rest assured that there's 0% chance that you'll install malicious packages from repositories that may get hacked)</li>
+<li>Binaries that you compile are 100% compatible with official VestaCP from vestacp.com, so you can run official VestaCP code with your own binaries (in case you don't want the source code from this fork)</li>
+</ul>
+
+  </li>
+  </ul>
+
+<h1>How to install</h1>
 Download the installation script:
-```bash
-curl -O http://vestacp.com/pub/vst-install.sh
+
+```shell
+curl -O http://c.myvestacp.com/vst-install-debian.sh
 ```
+
 Then run it:
-```bash
-bash vst-install.sh
+
+```shell
+bash vst-install-debian.sh
 ```
 
-License
-----------------------------
-Vesta is licensed under  [GPL v3 ](https://github.com/serghey-rodin/vesta/blob/master/LICENSE) license
+Or use our <a href="https://www.myvestacp.com/install_generator.html">installer generator</a>.
+
+<h1>Useful scripts</h1>
+<ul>
+  <li><a href="https://forum.myvestacp.com/viewtopic.php?f=24&t=50">How to move accounts from one (my)Vesta server to another myVesta server</a></li>
+  <li><a href="https://forum.myvestacp.com/viewtopic.php?f=17&t=386">WordPress installer in one second </a></li>(v-install-wordpress)
+  <li><a href="https://forum.myvestacp.com/viewtopic.php?f=17&t=385">Cloning script that will copy the whole site from one (sub)domain to another (sub)domain </a></li>(v-clone-website)
+  <li><a href="https://forum.myvestacp.com/viewtopic.php?f=17&t=382">Script that will migrate your site from http to https, replacing http to https URLs in database </a></li>(v-migrate-site-to-https)
+  <li><a href="https://forum.myvestacp.com/viewtopic.php?f=24&t=63">Script for importing cPanel backups to Vesta (thanks to Maks Usmanov - Skamasle) </a></li> (v-import-cpanel-backup)
+  <li><a href="https://forum.myvestacp.com/viewtopic.php?f=18&t=52">Script that will install multiple PHP versions on your server</a></li>
+  <li><a href="https://forum.myvestacp.com/viewtopic.php?f=20&t=350">How to host NodeJS apps</a></li>
+  <li><a href="https://forum.myvestacp.com/viewtopic.php?f=20&t=51">Script that will install nginx templates that can prevent denial-of-service on your server</a></li>
+  <li><a href="https://forum.myvestacp.com/viewtopic.php?f=15&t=47">Official VestaCP Softaculous installer</a></li>
+</ul>
+
+
+<h1>Licence</h1>
+myVesta is licensed under <a href="https://github.com/serghey-rodin/vesta/blob/master/LICENSE">GPL v3</a> license.
+
 

SECURITY.md

@@ -0,0 +1,5 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please report security issues to info@myvestacp.com

bin/v-activate-rocket-nginx

@@ -0,0 +1,142 @@
+#!/bin/bash
+# info: Install rocket-nginx extension for certain domain
+# options: DOMAIN 
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+whoami=$(whoami)
+if [ "$whoami" != "root" ]; then
+    echo "You must be root to execute this script"
+    exit 1
+fi
+
+# Importing system environment
+source /etc/profile
+
+# Argument definition
+domain=$1
+
+user=$(/usr/local/vesta/bin/v-search-domain-owner $domain)
+USER=$user
+
+# Includes
+source /usr/local/vesta/func/main.sh
+source /usr/local/vesta/func/domain.sh
+
+if [ -z "$user" ]; then
+    check_result $E_NOTEXIST "domain $domain doesn't exist"
+fi
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '1' "$#" 'DOMAIN'
+is_format_valid 'domain'
+is_object_valid 'user' 'USER' "$user"
+is_object_unsuspended 'user' 'USER' "$user"
+
+if [ ! -d "/home/$user" ]; then
+    echo "User doesn't exist";
+    exit 1;
+fi
+
+if [ ! -d "/home/$user/web/$domain/public_html" ]; then
+    echo "Domain doesn't exist";
+    exit 1;
+fi
+
+if [ ! -f "/home/$user/web/$domain/public_html/wp-config.php" ]; then
+    echo 'Please install WordPress first.'
+    exit 1;
+fi
+
+if [ ! -d "/etc/nginx/rocket-nginx" ]; then
+    echo "rocket-nginx is not installed";
+    echo "Do you want to install it now (y/n)?"
+    read answer
+    if [ "$answer" == "y" ]; then
+        echo "Installing rocket-nginx..."
+        curl -sL https://c.myvestacp.com/tools/install-rocket-nginx.sh | bash -
+    else
+        echo "Exiting script"
+        exit 1;
+    fi
+fi
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Changing Proxy Template
+# Check if the proxy template is already set correctly
+current_template=$(/usr/local/vesta/bin/v-list-web-domain $user $domain | grep 'PROXY:' | awk '{print $2}')
+if [ "$current_template" == "wprocket-force-https" ] || [ "$current_template" == "wprocket-hosting" ]; then
+    echo "Proxy Template is already set up correctly"
+else
+    # Prompt the user to choose whether to force HTTPS or not
+    echo "Do you want to force-https in your Proxy Template or not (y/n):"
+    read answer
+
+    # Change the proxy template based on the user's choice
+    if [ "$answer" == "y" ]; then
+        /usr/local/vesta/bin/v-change-web-domain-proxy-tpl "$user" "$domain" "wprocket-force-https"
+    else
+        /usr/local/vesta/bin/v-change-web-domain-proxy-tpl "$user" "$domain" "wprocket-hosting"
+    fi
+
+    echo "Proxy Template is ready"
+fi
+
+# Disabling wp-cron in wp-config.php
+cd /home/$user/web/$domain/public_html
+checkstring_disable="define('DISABLE_WP_CRON', true)"
+checkstring_enable="define('DISABLE_WP_CRON', false)"
+string_disable="define( 'DISABLE_WP_CRON', true );"
+line="<?php"
+file="wp-config.php"
+
+if grep -q -w -i -F "$checkstring_disable" "$file"; then
+  echo "WP-Cron is already disabled in your wp-config.php"
+elif grep -q -w -i -F "$checkstring_enable" "$file"; then
+  echo "Disabling WP-Cron in your wp-config.php..."
+  sed -i "/$checkstring_enable/d" "$file"
+  sed -i "/$line/Ia $string_disable" "$file"
+else
+  echo "Disabling WP-Cron in your wp-config.php..."
+  sed -i "/$line/Ia $string_disable" "$file"
+fi
+
+
+# Adding cron job
+# Check if a cron job already exists for any of the specified PHP-FPM versions
+existing_cron=$(crontab -l -u $user | grep -o "wp-cron.php >/home/$user/web/$domain/cron.log" | grep -v "grep")
+
+if [ ! -z "$existing_cron" ]; then
+    echo "There is already a cron job added for user $user and domain $domain."
+else
+    echo "Adding cron job..."
+    # Add the cron job
+    fpm_ver=$(/usr/local/vesta/bin/v-get-php-version-of-domain "$domain")
+    touch /home/$user/web/$domain/cron.log
+    chown $user:$user /home/$user/web/$domain/cron.log
+
+    case $fpm_ver in
+        5.6 | 7.0 | 7.1 | 7.2 | 7.3 | 7.4 | 8.0 | 8.1 | 8.2 | 8.3) 
+            /usr/local/vesta/bin/v-add-cron-job "$user" "*/15" "*" "*" "*" "*" "cd /home/$user/web/$domain/public_html; /usr/bin/php$fpm_ver wp-cron.php >/home/$user/web/$domain/cron.log 2>&1"
+            ;;
+    esac
+fi
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+echo "Installation is completed."
+echo "Checking RESPONSE HEADERS (You should see x-rocket-nginx-serving-static if the WP Rocket plugin is activated):"
+curl -I https://$domain
+
+exit

bin/v-activate-vesta-license

@@ -27,15 +27,15 @@ source $VESTA/conf/vesta.conf
 
 # Checking arg number
 check_args '2' "$#" 'MODULE LICENSE'
-
+is_user_format_valid "$license" "license"
 
 #----------------------------------------------------------#
 #                       Action                             #
 #----------------------------------------------------------#
 
 # Activating license
 v_host='https://vestacp.com/checkout'
-answer=$(curl -s $v_host/activate.php?licence_key=$license&module=$module)
+answer=$(curl --max-time 60 -s $v_host/activate.php?licence_key=$license&module=$module)
 check_result $? "cant' connect to vestacp.com " $E_CONNECT
 
 # Checking server answer

bin/v-add-firewall-ban

@@ -72,6 +72,13 @@ $iptables -I fail2ban-$chain 1 -s $ip \
 # Changing permissions
 chmod 660 $conf
 
+# nginx deny rules conf
+if [ "$chain" = "WEB" ] && [ -f "/etc/nginx/conf.d/block.conf" ]; then
+    if ! grep -q  "deny $ip;" /etc/nginx/conf.d/block.conf; then
+        echo "deny $ip;" >> /etc/nginx/conf.d/block.conf
+        systemctl reload nginx
+   fi
+fi
 
 #----------------------------------------------------------#
 #                       Vesta                              #

bin/v-add-firewall-rule

@@ -83,6 +83,16 @@ sort_fw_rules
 # Updating system firewall
 $BIN/v-update-firewall
 
+if [ "$WEB_SYSTEM" == 'nginx' ] || [ "$PROXY_SYSTEM" == 'nginx' ]; then
+    if [ "$port_ext" == "80,443" ] && [ "$action" == "DROP" ]; then
+        touch /etc/nginx/conf.d/block-firewall.conf
+        if ! grep -q "deny $ip;" /etc/nginx/conf.d/block-firewall.conf; then
+            echo "deny $ip;" >> /etc/nginx/conf.d/block-firewall.conf
+            systemctl restart nginx
+        fi
+    fi
+fi
+
 
 #----------------------------------------------------------#
 #                       Vesta                              #