#!/usr/bin/bash

# Hardening parameters shared by every service section below.

# OpenSSL cipher string: ephemeral ECDH/DH with AES-GCM preferred, RC4/DES/3DES/IDEA excluded.
cipher_list='EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!RC4:!DES:!3DES:!IDEA'
# Protocol list handed to the cPanel TLS tool and to Apache.
tls_versions='TLSv1.2'
# Exim and pure-ftpd take one combined string. "+TLSv1.2" is an OpenSSL
# cipher-string keyword and is kept literal here rather than derived from
# tls_versions, which uses a different syntax.
combined_ciphers="${cipher_list}:+TLSv1.2"
# Value written to pure-ftpd's "TLS:" directive.
force_ssl_ftp='2'
# Exim openssl_options: turn off SSLv2, SSLv3, TLS 1.0 and TLS 1.1.
exim_tls='+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1'

# Feature flags, 1 = apply the change.
# tcp_timestamps is a kernel setting and will not work on a VPS, hence off by default.
disable_tcp_timestamps=0
block_3306=1
userdir_protection=1

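#######################################
# Set a configuration directive in a file: replace it when a line already
# matches, otherwise add it. A missing file is reported on stderr and created.
# Arguments:
#   $1 - regex (ERE) matching the whole existing directive line
#   $2 - replacement directive, written literally
#   $3 - path of the file to edit in place
# Outputs: progress messages on stdout, the missing-file warning on stderr
# Notes: $1 and $2 are spliced into a sed 's%...%...%' expression, so
#   neither may contain '%', and $2 must not contain '&' or '\'. Callers in
#   this script pass fixed strings, never user input.
#######################################
add_if(){
    local pattern=$1 directive=$2 conf=$3
    if [[ ! -f "$conf" ]]; then
        echo "Error: file not found $conf" >&2
        touch "$conf"
    fi
    # grep and sed now use the same ERE dialect, so a line that grep finds is
    # the line sed rewrites (the original tested with -P but edited with -r).
    if grep -Eq "$pattern" "$conf"; then
        echo "Changing existing directive in $conf"
        sed -ri "s%$pattern%$directive%" "$conf"
        return
    fi
    case "$conf" in
        '/etc/exim.conf.local')
            # cPanel exim template: insert on the line after the @CONFIG@ marker
            sed -ri "s%(\@CONFIG\@)%\1\n$directive%" "$conf"
            echo "adding to exim conf $conf"
            ;;
        '/var/cpanel/templates/dovecot2.2/main.local')
            # dovecot template: prepend as the first line
            sed -i "1s/^/$directive\n/" "$conf"
            # the original lacked the echo here, so the message string itself
            # was executed as a command
            echo "modifying dovecot conf $conf"
            ;;
        *)
            echo "Creating new directive in $conf"
            # printf, not echo: a directive starting with '-' is not an option
            printf '%s\n' "$directive" >> "$conf"
            ;;
    esac
}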

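# Kernel: disable TCP timestamps. The sysctl is not settable inside a VPS, so a
# runtime failure is reported rather than silently ignored. The persistent
# entry goes through add_if so re-running the script replaces an existing
# (uncommented) line instead of appending a duplicate to /etc/sysctl.conf.
if [[ $disable_tcp_timestamps == 1 ]]; then
    sysctl net.ipv4.tcp_timestamps=0 \
        || echo 'Warning: could not set net.ipv4.tcp_timestamps at runtime' >&2
    add_if '^net\.ipv4\.tcp_timestamps *=.*' 'net.ipv4.tcp_timestamps = 0' /etc/sysctl.conf
fi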

# Update everything: OS packages first, then cPanel itself
yum -y update
/scripts/upcp

# Dovecot and cPanel services: one call pins both cipher suites and protocols
tls_settings_args=(
    --all
    --cipher-suites="${cipher_list}"
    --protocols="${tls_versions}"
)
/usr/local/cpanel/bin/set-tls-settings "${tls_settings_args[@]}"

# mod_userdir protection: turns off the /~user temporary URLs
if [[ "$userdir_protection" == 1 ]]; then
    echo 'enabling mod_userdir protection (disabled temp urls)'
    # NOTE(review): this only flips an existing userdirprotect=0 entry; if the
    # key is absent nothing is written — confirm cpanel.config always has it.
    sed -i 's%userdirprotect=0%userdirprotect=1%' /var/cpanel/cpanel.config
fi

# Dovecot: require TLS by editing cPanel's local template override
file='/var/cpanel/templates/dovecot2.2/main.local'

# seed the local override from the shipped default when it does not exist yet
[[ -f "$file" ]] || cp -arf '/var/cpanel/templates/dovecot2.2/main.default' "$file"

find='ssl *= *.*'
replace='ssl = required'
add_if "$find" "$replace" "$file"

/scripts/builddovecotconf
service dovecot restart

# Apache: pin the cipher suite and the protocol list in cPanel's local Apache config
file='/var/cpanel/conf/apache/local'

find='sslciphersuite: *[^ ]+.*'; replace="sslciphersuite: ${cipher_list}"
add_if "$find" "$replace" "$file"

find='sslprotocol: *[^ ]+.*'; replace="sslprotocol: ${tls_versions}"
add_if "$find" "$replace" "$file"

# the cached copy of this file is removed before the rebuild
rm -f "${file}.cache"
/scripts/rebuildhttpdconf
service httpd restart


# pure-ftpd: cipher string plus the "TLS:" level from force_ssl_ftp
file='/var/cpanel/conf/pureftpd/local'

find='TLSCipherSuite *: *.*'; replace="TLSCipherSuite: ${combined_ciphers}"
add_if "$find" "$replace" "$file"

# the pattern stops at "TLS *:" so it cannot match the TLSCipherSuite line above
find='TLS *: *[0-2]'; replace="TLS: ${force_ssl_ftp}"
add_if "$find" "$replace" "$file"

# the cached copy of this file is removed before the rebuild
rm -f "${file}.cache"
/scripts/setupftpserver pure-ftpd --force

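# Exim: cipher list, protocol options and no plaintext authentication.
# openssl_options is written to both exim.conf.local and exim.conf.localopts;
# both now take the value from $exim_tls (the original repeated the literal in
# the first file), so the two files cannot drift apart.
file='/etc/exim.conf.local'

find='tls_require_ciphers *= *.*'
replace="tls_require_ciphers = $combined_ciphers"
add_if "$find" "$replace" "$file"

find='openssl_options *=.*'
replace="openssl_options = $exim_tls"
add_if "$find" "$replace" "$file"

file='/etc/exim.conf.localopts'

find='require_secure_auth *=.*'
replace='require_secure_auth = 1'
add_if "$find" "$replace" "$file"

find='openssl_options *=.*'
replace="openssl_options = $exim_tls"
add_if "$find" "$replace" "$file"

rm -f /etc/exim.conf.local.cache
/scripts/buildeximconf
service exim restart

service cpanel restart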

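#Firewall config

#######################################
# Remove one port from a comma-separated, double-quoted port list such as
# TCP_IN = "20,21,22,3306,80" in a firewall config file. Works for the port in
# first, middle, last or sole position, and leaves other keys and ports that
# merely contain the digits (e.g. 13306) untouched. The original pattern only
# removed "3306," and so missed a 3306 at the end of the list or preceded by
# a port range.
# Arguments:
#   $1 - port number, digits only
#   $2 - config key whose value is the list (TCP_IN, IG_TCP_CPORTS, ...)
#   $3 - config file to edit in place
#######################################
remove_port_from_list() {
    local port=$1 key=$2 conf=$3
    sed -ri \
        -e "s%^(${key} *= *\"([^\"]*,)?)${port},%\1%" \
        -e "s%^(${key} *= *\"[^\"]*),${port}\"%\1\"%" \
        -e "s%^(${key} *= *\")${port}\"%\1\"%" \
        "$conf"
}

if [[ $block_3306 == 1 ]]; then
    echo 'Closing port 3306 in the firewall'
    # NOTE(review): csf also keeps a TCP6_IN list; it is left alone here, as
    # in the original — confirm whether the IPv6 list needs the same change.
    if [[ -f /etc/csf/csf.conf ]]; then
        remove_port_from_list 3306 TCP_IN /etc/csf/csf.conf
        service csf restart
    fi
    if [[ -f /etc/apf/conf.apf ]]; then
        remove_port_from_list 3306 IG_TCP_CPORTS /etc/apf/conf.apf
        service apf restart
    fi
fi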

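#######################################
# Print one summary line, terminated by a literal "\n" (expanded when the
# final summary is printed with backslash-escape processing), for each
# hardening flag that is enabled.
# Globals: block_3306, disable_tcp_timestamps, userdir_protection (read)
# Outputs: the lines on stdout; always returns 0
#######################################
summary_lines() {
    [[ $block_3306 == 1 ]] && printf '%s' '-Blocked port 3306 in the Firewall\n'
    [[ $disable_tcp_timestamps == 1 ]] && printf '%s' '-Disabled TCP Timestamps\n'
    # "vulnerabiliy" typo in the user-facing text fixed
    [[ $userdir_protection == 1 ]] && printf '%s' '-Disabled temp URLs (user enumeration vulnerability)\n'
    return 0
}
output=$(summary_lines)

# The original re-assigned the three flags to their initial values at this
# point; nothing later in the script reads them, so those dead stores are gone.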

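#######################################
# Print the completion summary. printf '%b' expands the literal "\n" sequences
# accumulated in $output, like echo -e did; bash's echo has no "--" option
# terminator, so the original printed a literal "-- " in front of the banner.
# Globals: tls_versions, cipher_list, output (read)
#######################################
print_summary() {
    printf '%b\n' "-Configuration Complete-
Changes:
-All system packages updated to the current version
-Apache, Dovecot, Exim, cPanel Services, and FTP all restricted to:
  TLS Versions Supported : $tls_versions
  Cipher Suites Supported : $cipher_list

-Exim plain text login disabled
-Dovecot Encryption is required
-FTP set to require SSL
$output
"
}
print_summary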
