cpsetup

#!/bin/bash
version="1.5.0";
cpSetup_banner() {
	echo -n "${GREEN}"
	cat <<"EOT"
                        ad88888ba
                       d8"     "8b              ,d
                       Y8,                      88
 ,adPPYba, 8b,dPPYba,  `Y8aaaaa,    ,adPPYba, MM88MMM 88       88 8b,dPPYba,
a8"     "" 88P'    "8a   `"""""8b, a8P_____88   88    88       88 88P'    "8a
8b         88       d8         `8b 8PP"""""""   88    88       88 88       d8
"8a,   ,aa 88b,   ,a8" Y8a     a8P "8b,   ,aa   88,   "8a,   ,a88 88b,   ,a8"
 `"Ybbd8"' 88`YbbdP"'   "Y88888P"   `"Ybbd8"'   "Y888  `"YbbdP'Y8 88`YbbdP"'
           88                                                     88
           88                                                     88
EOT
echo -e "${BLUE}                       Version ${version}${YELLOW}"
	cat <<"EOT"
			 _                  __  __       _
			| |__  _   _    ___|  \/  |_   _| |       ___  ___
			| '_ \| | | |  / __| |\/| | | | | |      / _ \/ __|
			| |_) | |_| |  \__ \ |  | | |_| | |  _  |  __/\__ \
			|_.__/ \__, |  |___/_|  |_|\__, |_| (_)  \___||___/
			       |___/               |___/
EOT
echo -n "${NORMAL}"
}
#                     cPanel Server Setup & Hardening Script
# ------------------------------------------------------------------------------
# @author Myles McNamara
# @date 05.22.2019
# @version 1.5.0
# @source https://github.com/tripflex/cpsetup
# ------------------------------------------------------------------------------
# @usage ./cpsetup [(-h|--help)] [(-v|--verbose)] [(-V|--version)] [(-u|--unattended)]
# ------------------------------------------------------------------------------
# @copyright Copyright (C) 2019 Myles McNamara
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# ------------------------------------------------------------------------------

# Uncomment out the code below to make the script break on error
# set -e
#
# Functions and Definitions
#
# Define help function
function help(){
    echo "cpsetup - sMyles cPanel setup script v${version}";
    echo "Usage example:";
    echo "cpsetup [(-h|--help)] [(-v|--verbose)] [(-V|--version)] [(-u|--unattended)] [(-r|--run) value] [(-R|--functions)]";
    echo "Options:";
    echo "-h or --help: Displays this information.";
    echo "-v or --verbose: Verbose mode on.";
    echo "-V or --version: Displays the current version number.";
    echo "-u or --unattended: Unattended installation ( bypasses all prompts ).";
    echo "-r or --run: Run a specific function.";
    echo "-R or --functions: Show available functions to use with -r or --run command.";
    exit 1;
}

# Declare vars. Flags initalizing to 0.
verbose="--quiet";
yumargs="";
unattended=0;
builddir=~/cpsetupbuild/
sshport=222;
rootemail="your@email.com";
functions=0;
cloudflare_api_key="YOUR_CLOUDFLARE_API_KEY_HERE";
cloudflare_company_name="YOUR CLOUDFLARE HOSTING COMPANY NAME HERE";
railgun_token="YOUR_TOKEN_HERE";
railgun_host="YOUR_PUBLIC_IP_OR_HOSTNAME";

# Debugging on OSX (due to getopt issues), so i define brew location for getopt in env variable
if [[ -z "${SMYLES_GETOPT}" ]]; then
	# ENV variable not set, so use default getopt
	GETOPT_CMD="getopt"
else
	GETOPT_CMD="${SMYLES_GETOPT}"
fi

# Execute getopt
ARGS=$("$GETOPT_CMD" -o "hvVur:R" -l "help,verbose,version,unattended,run:,functions" -n "cpsetup" -- "$@");

#Bad arguments
if [ $? -ne 0 ];
then
    help;
fi
eval set -- "$ARGS";

while true; do
    case "$1" in
        -h|--help)
            shift;
            help;
            ;;
        -v|--verbose)
            shift;
                    verbose="";
            ;;
        -V|--version)
            shift;
                    echo "$version";
                    exit 1;
            ;;
        -u|--unattended)
            shift;
                    unattended="1";
                    yumargs="-y";
            ;;
        -r|--run)
            shift;
                    if [ -n "$1" ];
                    then
                        runcalled="1";
                        run="$1";
                        shift;
                    fi
            ;;
        -R|--functions)
            shift;
            	functions=1;
            ;;

        --)
            shift;
            break;
            ;;
    esac
done

BLACK=$(tput setaf 0)
RED=$(tput setaf 1)
GREEN=$(tput setaf 2)
YELLOW=$(tput setaf 3)
LIME_YELLOW=$(tput setaf 190)
POWDER_BLUE=$(tput setaf 153)
BLUE=$(tput setaf 4)
MAGENTA=$(tput setaf 5)
CYAN=$(tput setaf 6)
WHITE=$(tput setaf 7)
BRIGHT=$(tput bold)
NORMAL=$(tput sgr0)
BLINK=$(tput blink)
REVERSE=$(tput smso)
UNDERLINE=$(tput smul)

BLACKBG=$(tput setab 0)
REDBG=$(tput setab 1)
GREENBG=$(tput setab 2)
YELLOWBG=$(tput setab 3)
BLUEBG=$(tput setab 4)
MAGENTABG=$(tput setab 5)
CYANBG=$(tput setab 6)
WHITEBG=$(tput setab 7)

function headerBlock {
	l=${#1}
	printf "${BLUE}%s\n%s\n%s\n" "--${1//?/-}--" "${GREEN}- $1 -${BLUE}" "--${1//?/-}--${NORMAL}"
}

function lineBreak {
	echo -e "${MAGENTA}-=========================================================================-${NORMAL}"
}

function givemeayes {
	echo -n "$1 (y/N)"
	read answer
	    case "$answer" in
	    Y|y|yes|YES|Yes) return 0 ;;
	    *) return 1 ;;
	    esac
}

function stepcheck {
	if (($unattended > 0)); then
		return 0;
	fi

	step=$1
	lineBreak
	if givemeayes "${BRIGHT}Would you like to ${step} ?${NORMAL}"; then
		return 0;
	else
		echo -e "\n${YELLOW}Skipping ${RED}${step}${YELLOW} per user input, continuing...\n${NORMAL}"
		return 1;
	fi

	read answer
	    case "$answer" in
	    Y|y|yes|YES|Yes) return 0 ;;
	    *) echo -e "\n${RED}Skipping this step per user input, processing next step...\n${NORMAL}"; return 1 ;;
	    esac
}

function installCXS(){
	cd ~
	wget https://download.configserver.com/cxsinstaller.tgz
	tar -xzf cxsinstaller.tgz
	perl cxsinstaller.pl
	rm -fv cxsinstaller.*
}

function installClamAV(){
	/scripts/ensurerpm ${verbose} gmp gmp-devel bzip2-devel libjson-c-dev libcurl-devel
	useradd clamav
	groupadd clamav
	mkdir /usr/local/share/clamav
	chown clamav:clamav /usr/local/share/clamav
	cd ~
	wget --no-check-certificate https://github.com/Cisco-Talos/clamav-devel/archive/clamav-0.101.2.tar.gz
	tar -xzf clamav-*
	rm -rf clamav-*.tar.gz
	cd clamav*
	headerBlock "Building ClamAV from source..."
	./configure --disable-zlib-vcheck ${verbose}
	make ${verbose}
	make install ${verbose}
	headerBlock "Updating configuration files for ClamAV..."
	mv -fv /usr/local/etc/freshclam.conf.sample /usr/local/etc/freshclam.conf
	mv -fv /usr/local/etc/clamd.conf.sample /usr/local/etc/clamd.conf
	sed -i -e 's/Example/#Example/g' /usr/local/etc/freshclam.conf
	sed -i -e 's/Example/#Example/g' /usr/local/etc/clamd.conf
	sed -i -e 's/#LocalSocket/LocalSocket/g' /usr/local/etc/clamd.conf
	sed -i -e 's/LocalSocketGroup/#LocalSocketGroup/g' /usr/local/etc/clamd.conf
	sed -i -e 's/clamd.socket/clamd/g' /usr/local/etc/clamd.conf
	ldconfig
	headerBlock "Updating ClamAV definition files..."
	/usr/local/bin/freshclam ${verbose}
	rm -fv /etc/init.d/clamd
	curl https://download.configserver.com/clamd.service -o /usr/lib/systemd/system/clamd.service
	systemctl daemon-reload
	systemctl enable clamd.service
	systemctl restart clamd.service
	rm -rf /etc/chkserv.d/clamav
	echo "service[clamav]=x,x,x,service clamd restart,clamd,root" >> /etc/chkserv.d/clamav
	touch /var/log/clam-update.log
	chown clamav:clamav /var/log/clam-update.log
	echo "clamav:1" >> /etc/chkserv.d/chkservd.conf
	rm -rf ~/clamav*
	headerBlock "ClamAV installed, sock will be at /tmp/clamd"
}

function installYumColors(){
	if ! grep -q 'color_list_installed_older' /etc/yum.conf ; then
		echo 'color_list_installed_older=red' >> /etc/yum.conf
	fi
	if ! grep -q 'color_list_installed_newer' /etc/yum.conf ; then
		echo 'color_list_installed_newer=yellow' >> /etc/yum.conf
	fi
	if ! grep -q 'color_list_installed_extra' /etc/yum.conf ; then
		echo 'color_list_installed_extra=red' >> /etc/yum.conf
	fi
	if ! grep -q 'color_list_available_reinstall' /etc/yum.conf ; then
		echo 'color_list_available_reinstall=green' >> /etc/yum.conf
	fi
	if ! grep -q 'color_list_available_upgrade' /etc/yum.conf ; then
		echo 'color_list_available_upgrade=blue' >> /etc/yum.conf
	fi
	if ! grep -q 'color_list_available_install' /etc/yum.conf ; then
		echo 'color_list_available_install=cyan' >> /etc/yum.conf
	fi
}

function installMailManage(){
	cd /usr/src
	rm -fv /usr/src/cmm.tgz
	wget http://download.configserver.com/cmm.tgz
	tar -xzf cmm.tgz
	cd cmm
	sh install.sh
	rm -Rfv /usr/src/cmm*
}

function installExplorer(){
	cd /usr/src
	rm -fv /usr/src/cse.tgz
	wget https://download.configserver.com/cse.tgz
	tar -xzf cse.tgz
	cd cse
	sh install.sh
	rm -Rfv /usr/src/cse*
}

function installMailQueue(){
	cd $builddir
	wget http://download.configserver.com/cmq.tgz
	tar -xzf cmq.tgz
	cd cmq
	sh install.sh
}

function installModSecurityControl(){
	cd $builddir
	wget http://download.configserver.com/cmc.tgz
	tar -xzf cmc.tgz
	cd cmc
	sh install.sh
}

function installFirewall(){
	cd $builddir
	wget https://download.configserver.com/csf.tgz
	tar -xzf csf.tgz
	cd csf
	sh install.sh
	# Statistical Graphs available from the csf UI
	yum install ${yumargs} perl-GDGraph
	# Check perl modules
	perl /usr/local/csf/bin/csftest.pl
}

function installMalDetect(){
	cd $builddir
	wget https://www.rfxn.com/downloads/maldetect-current.tar.gz
	tar -xzf maldetect-*.tar.gz
	rm -rf maldetect-*.tar.gz
	cd maldetect*
	sh install.sh
}

function installMailScanner(){
	cd $builddir
	wget https://download.configserver.com/msinstall.tar.gz
	tar -xzf msinstall.tar.gz
	rm -rf msinstall.tar.gz
	cd msinstall/
	sh install.sh
	cd $builddir
	# WHM > Tweak Settings > Uncheck "SpamAssassin Spam Filter" and "SpamAssassin Spam Box"
	# WHM > Service Manager > Uncheck both boxes for spamd and click Save
	# Feature Manager > Edit the feature list "disabled" and uncheck "SpamAssassin" and "SpamAssassin Spam Box"

	sed -i -e 's/skipspamassassin=1/skipspamassassin=0/g' /var/cpanel/cpanel.config
	# Must be ran after updating tweak settings file
	/usr/local/cpanel/whostmgr/bin/whostmgr2 --updatetweaksettings > /dev/null

	echo -e "\n${WHITEBG}${BLACK}!! HEADS UP !! You now need to go to WHM > Service Manager > Uncheck both boxes for spamd and click Save ${NORMAL}\n";
	echo -e "\n${WHITEBG}${BLACK}!! HEADS UP !! You now need to Feature Manager > Edit the feature list 'disabled' and uncheck 'SpamAssassin' and 'SpamAssassin Spam Box' ${NORMAL}\n";
	read -p "Press [Enter] to confirm you have completed this..."

	echo -e "\nYou can now check the files in /usr/mailscanner/etc/rules/*.rules and modify them if desired. There are instructions and examples in the README and EXAMPLES files in that directory";
	read -p "Press [Enter] to continue..."

	# MailScanner won't be scanning for much until you configure it for the domains on your server. We have another handy script that can keep your MailScanner installation in sync with your cPanel /etc/localdomains file.
	/usr/mscpanel/mscpanel.pl -i
	rm -rf msinstall/

	if stepcheck "setup daily MailScanner cronjob to keep cPanel /etc/localdomains in sync?"; then
		headerBlock "Adding MailScanner daily cron job ..."
		installMailScannerCron
	fi
}

function installMailScannerCron(){
	(crontab -l 2>/dev/null; echo "0 0 * * * /usr/mscpanel/mscpanel.pl > /dev/null 2>&1") | crontab -
}

function installSoftaculous(){
	cd $builddir
	wget -N http://files.softaculous.com/install.sh
	chmod 755 install.sh
	./install.sh
}

function installWatchMySQL(){
	cd /usr/src
	wget http://download.ndchost.com/watchmysql/latest-watchmysql
	sh latest-watchmysql
}

function installPHPiniManager(){

	cd /usr/local/cpanel/whostmgr/docroot/cgi
	wget -O addon_phpinimgr.php http://download.how2.be/whm/phpinimgr/addon_phpinimgr.php.txt
	chmod 700 addon_phpinimgr.php

}

function installCleanBackups(){

	cd /usr/src
	wget http://download.ndchost.com/cleanbackups/latest-cleanbackups
	sh latest-cleanbackups

}

function installAccountDNSCheck(){

	cd /usr/src
	wget http://download.ndchost.com/accountdnscheck/latest-accountdnscheck
	sh latest-accountdnscheck

}

function installMySQLTuner(){

	cd /usr/bin
	wget http://mysqltuner.pl/ -O mysqltuner
	chmod +x mysqltuner
}

function installModCloudFlare(){
	cd $builddir
	curl -k -L https://github.com/cloudflare/CloudFlare-CPanel/tarball/master > cloudflare.tar.gz
	tar -zxvf cloudflare.tar.gz
	cd cloudflare-*/
	./cloudflare.install.sh -k ${cloudflare_api_key} -n "${cloudflare_company_name}"
}

function addCloudFlareIPv6SubnetsToCSF(){
	# Add IPs to csf.ignore for LFD
	wget --output-document=- "https://www.cloudflare.com/ips-v6" >> /etc/csf/csf.ignore
	# Add IPs to csf.allow for Firewall
	wget --output-document=- "https://www.cloudflare.com/ips-v6" >> /etc/csf/csf.allow
}

function addCloudFlareIPv4SubnetsToCSF(){
	# Add IPs to csf.ignore for LFD
	wget --output-document=- "https://www.cloudflare.com/ips-v4" >> /etc/csf/csf.ignore
	# Add IPs to csf.allow for Firewall
	wget --output-document=- "https://www.cloudflare.com/ips-v4" >> /etc/csf/csf.allow
}

function configureMemCached(){
	if [ -f /etc/sysconfig/memcached ];then
		echo -e "\n${RED}The /etc/sysconfig/memcached file already exists, renaming to memcached.old ...\n${NORMAL}"
		mv /etc/sysconfig/memcached /etc/sysconfig/memcached.old
	fi

	echo 'PORT="22222"' >> /etc/sysconfig/memcached
	echo 'USER="memcached"' >> /etc/sysconfig/memcached
	echo 'MAXCONN="20480"' >> /etc/sysconfig/memcached
	echo 'CACHESIZE="4096"' >> /etc/sysconfig/memcached
	echo 'OPTIONS="-s /var/run/memcached/memcached.sock"' >> /etc/sysconfig/memcached
	# Add railgun user to memcached group
	usermod -a -G memcached railgun

	if [ ! -d "/var/run/memcached" ];then
		mkdir /var/run/memcached
		chown memcached.memcached /var/run/memcached
	fi

	service memcached stop
	service memcached start

	chmod 770 /var/run/memcached/memcached.sock
	echo -e "\n${NORMAL}If you want to change, review, or update memcached, use the ${YELLOW}/etc/sysconfig/memcached${NORMAL} file."
}

function installCloudFlarePackageRepo(){

	rpm --import https://pkg.cloudflare.com/pubkey.gpg
	cd $builddir
	# Get RHEL major version number
	RHEL_VERSION=$(rpm -q --qf "%{VERSION}" "$(rpm -q --whatprovides redhat-release)" | grep -Eo '^[0-9]*' );
	PACKAGE_URL="http://pkg.cloudflare.com/cloudflare-release-latest.el${RHEL_VERSION}.rpm"

	rpm -ivh $PACKAGE_URL
}

function hardenServerConfig(){

	promptForSSHPort
	promptForRootForwardEmail
	headerBlock "Securing the server with configuration tweaks, please wait..."

	# Check server startup for portreserve, use 2> /dev/null to prevent warning output (if not installed or enabled)
	service portreserve stop 2> /dev/null
	chkconfig portreserve off 2> /dev/null

	configureApache
	configureCSF
	configureSSH
	configurecPanel
	configurePureFTP
	configureTweakSettings
	configureMySQL
	configurePHP
	csf -r
	/etc/init.d/lfd restart
	/etc/init.d/httpd restart
}

function newCpanelApacheLocalConf(){
cat << 'EOF' > /var/cpanel/conf/apache/local
---
"main":
  "serversignature":
    "item":
      "serversignature": 'Off'
  "servertokens":
    "item":
      "servertokens": 'ProductOnly'
  "traceenable":
    "item":
      "traceenable": 'Off'
EOF
}

function configureApache(){

	if [ ! -f /var/cpanel/conf/apache/local ]; then
		newCpanelApacheLocalConf
		/scripts/rebuildhttpdconf
		/etc/init.d/httpd
	else
		#TODO basic sed replacement
		echo -e "cPanel Apache Local Configuration file ( /var/cpanel/conf/apache/local ) already exists, unable to update"
	fi
}

function configureCSF(){
	sed -i -e 's/RESTRICT_SYSLOG = "0"/RESTRICT_SYSLOG = "3"/g' /etc/csf/csf.conf
	sed -i -e 's/SMTP_BLOCK = "0"/SMTP_BLOCK = "1"/g' /etc/csf/csf.conf
	sed -i -e 's/LF_SCRIPT_ALERT = "0"/LF_SCRIPT_ALERT = "1"/g' /etc/csf/csf.conf
	sed -i -e 's/SYSLOG_CHECK = "0"/SYSLOG_CHECK = "1800"/g' /etc/csf/csf.conf
	sed -i -e 's/PT_ALL_USERS = "0"/PT_ALL_USERS = "1"/g' /etc/csf/csf.conf
}

function configureSSH(){
	sed -i -e "s/#Port 22/Port ${sshport}/g" /etc/ssh/sshd_config
	sed -i -e 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
	service sshd restart
}

function configurecPanel(){
	# Enable Shell Fork Bomb Protection
	perl -I/usr/local/cpanel -MCpanel::LoginProfile -le 'print [Cpanel::LoginProfile::install_profile('limits')]->[1];'
	# Compiler access
	chmod 750 /usr/bin/gcc
	# Enable PHP-FPM Service for cPanel
	whmapi1 configureservice service=cpanel_php_fpm enabled=1 monitored=1
	# Check Background Process Killer
	whmapi1 configurebackgroundprocesskiller processes_to_kill=BitchX processes_to_kill-0=bnc processes_to_kill-1=eggdrop processes_to_kill-2=generic-sniffers processes_to_kill-3=guardservices processes_to_kill-4=ircd processes_to_kill-5=psyBNC processes_to_kill-6=ptlink processes_to_kill-7=services
	# Root Forwarder
	if [ ! -f /root/.forward ]; then
    	echo $rootemail > /root/.forward
	fi
}

function configurePureFTP(){
	sed -i -e "s/RootPassLogins: 'yes'/RootPassLogins: 'no'/g" /var/cpanel/conf/pureftpd/main
	sed -i -e "s/AnonymousCantUpload: 'no'/AnonymousCantUpload: 'yes'/g" /var/cpanel/conf/pureftpd/main
	sed -i -e "s/NoAnonymous: 'no'/NoAnonymous: 'yes'/g" /var/cpanel/conf/pureftpd/main
	# Build configuration from cPanel FTP config
	/usr/local/cpanel/whostmgr/bin/whostmgr2 doftpconfiguration > /dev/null
}

function configureTweakSettings(){
	sed -i -e 's/skipboxtrapper=0/skipboxtrapper=1/g' /var/cpanel/cpanel.config
	sed -i -e 's/referrerblanksafety=0/referrerblanksafety=1/g' /var/cpanel/cpanel.config
	sed -i -e 's/referrersafety=0/referrersafety=1/g' /var/cpanel/cpanel.config
	sed -i -e 's/cgihidepass=0/cgihidepass=1/g' /var/cpanel/cpanel.config
	sed -i -e 's/proxysubdomains=1/proxysubdomains=0/g' /var/cpanel/cpanel.config
	sed -i -e 's/smtpmailgidonly=1/smtpmailgidonly=0/g' /var/cpanel/cpanel.config
	echo "maxemailsperhour=199" >> /var/cpanel/cpanel.config
	# Must be ran after updating tweak settings file
	/usr/local/cpanel/whostmgr/bin/whostmgr2 --updatetweaksettings > /dev/null
}

function configureMySQL(){
	if ! grep -q 'local-infile=0' /etc/yum.conf ; then
		echo 'local-infile=0' >> /etc/my.cnf
		/scripts/restartsrv_mysql
	fi
}

function configurePHP(){
	# Example ea-phpXX file location
	# /opt/cpanel/ea-php72/root/etc/php.ini
	EA_PHP_FILES=( /opt/cpanel/ea-php*/root/etc/php.ini )
	# Replace is default /usr/local/lib/php.ini files
	sed -i -e 's/enable_dl = On/enable_dl = Off/g' /usr/local/lib/php.ini
	sed -i -e 's/disable_functions =.*/disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen, ini_set/g' /usr/local/lib/php.ini
	# Replace in any /opt/cpanel/ea-phpXX/root/etc/php.ini files
	sed -i -e 's/enable_dl = On/enable_dl = Off/g' "${EA_PHP_FILES[@]}"
	sed -i -e 's/disable_functions =.*/disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen, ini_set/g' "${EA_PHP_FILES[@]}"
}

function promptForSSHPort(){
	# Configuration Prompts ( only shown when -u is NOT specified )
	if (($unattended < 1)); then
		echo -n "${MAGENTA}Enter SSH port to change from ${BLUE}${sshport}${MAGENTA}:${NORMAL} "
		read customsshport
		if [ $customsshport ]; then
			sshport=$customsshport
		fi
	fi
}

function promptForRootForwardEmail(){
	# Configuration Prompts ( only shown when -u is NOT specified )
	if (($unattended < 1)); then

		echo -n "${MAGENTA}Enter root forwarding email to change from ${BLUE}${rootemail}${MAGENTA}:${NORMAL} "
		read customrootemail
		if [ $customrootemail ]; then rootemail=$customrootemail
		fi

	fi
}

function promptForCloudFlareConfig(){
	# Configuration Prompts ( only shown when -u is NOT specified )
	if (($unattended < 1)); then

		echo -e "\n${WHITEBG}${BLACK}!! HEADS UP !! The mod_cloudflare module will be installed, but you need to recompile Apache with EasyApache in WHM to enable mod_cloudflare!${NORMAL}\n";
		read -p "Press [Enter] key when you are ready to continue..."

		echo -e "\nExisting value: ${BLUE}${cloudflare_api_key}${NORMAL} \n"
		echo -e "${MAGENTA}Enter your CloudFlare API Key if different from existing${MAGENTA}:${NORMAL} "
		read custom_cloudflare_api_key
		if [ $custom_cloudflare_api_key ]; then
			cloudflare_api_key=$custom_cloudflare_api_key
		fi

		echo -e "\nUsing ${BLUE}${cloudflare_api_key}${NORMAL} as CloudFlare API Key\n"

		echo -e "\nExisting value: ${BLUE}${cloudflare_company_name}${NORMAL} \n"
		echo -e "${MAGENTA}Enter your Hosting Company Name if different from existing${MAGENTA}:${NORMAL} "
		read custom_cloudflare_company_name
		if [ $custom_cloudflare_company_name ]; then
			cloudflare_company_name="${custom_cloudflare_company_name}"
		fi

		echo -e "\nUsing ${BLUE}${cloudflare_company_name}${NORMAL} as CloudFlare Company Name\n"
	fi
}

function promptForRailGunConfig(){
	# Configuration Prompts ( only shown when -u is NOT specified )
	if (($unattended < 1)); then

		server_hostname=$(hostname);
		server_ip=$(curl -4 icanhazip.com);

		echo -e "\nExisting value: ${BLUE}${railgun_token}${NORMAL} \n"
		echo -e "${MAGENTA}Enter your CloudFlare RailGun Token if different from existing (find this at https://partners.cloudflare.com)${MAGENTA}:${NORMAL} "
		read custom_railgun_token
		if [ $custom_railgun_token ]; then
			railgun_token=$custom_railgun_token
		fi

		echo -e "\nUsing ${BLUE}${railgun_token}${NORMAL} as CloudFlare RailGun Token\n"

		echo -e "\nExisting value: ${BLUE}${railgun_host}${NORMAL}"
		echo -e "\nFor reference, your hostname is ${BLUE}${server_hostname}${NORMAL}, your IP is ${BLUE}${server_ip}${NORMAL}\n"
		echo -e "${MAGENTA}Enter your CloudFlare RailGun Host if different from existing (should be servers IP or hostname)${MAGENTA}:${NORMAL} "
		read custom_railgun_host
		if [ $custom_railgun_host ]; then
			railgun_host=$custom_railgun_host
		fi

		# Set to host if nothing set
		if [ $railgun_host = 'YOUR_PUBLIC_IP_OR_HOSTNAME' ]; then
			railgun_host=$(hostname);
		fi

		echo -e "\nUsing ${BLUE}${railgun_host}${NORMAL} as CloudFlare RailGun Host\n"
	fi
}

function configureCloudFlareRailGun(){
	promptForRailGunConfig
	headerBlock "Configuring CloudFlare RailGun, please wait ..."
	sed -i -e 's/memcached.servers/#memcached.servers/g' /etc/railgun/railgun.conf
	sed -i -e 's/activation.token/#activation.token/g' /etc/railgun/railgun.conf
	sed -i -e 's/activation.railgun_host/#activation.railgun_host/g' /etc/railgun/railgun.conf
	echo "memcached.servers = /var/run/memcached/memcached.sock" >> /etc/railgun/railgun.conf
	echo "activation.token = ${railgun_token}" >> /etc/railgun/railgun.conf
	echo "activation.railgun_host = ${railgun_host}" >> /etc/railgun/railgun.conf
	headerBlock "Restarting RailGun service..."
	/etc/init.d/railgun restart
}

function configureMemCachedRailGunSockets(){
	headerBlock "Creating /etc/sysconfig/memcached configuration file, please wait ..."
	configureMemCached
	headerBlock "Restarting memcached service ..."
	service memcached restart
	headerBlock "Setting permissions on /var/run/memcached/memcached.sock to 770"
	chmod 770 /var/run/memcached/memcached.sock
	headerBlock "Adding RailGun user to memcached group"
	usermod -a -G memcached railgun
}

function installJetBackup(){
	headerBlock "Installing Jet Backup, please wait..."
	yum install http://repo.jetlicense.com/centOS/jetapps-repo-latest.rpm
	yum clean all --enablerepo=jetapps*
	yum install jetapps-cpanel --disablerepo=* --enablerepo=jetapps
	jetapps --install jetbackup stable
}

function installAfterLogicWebmailLite(){
	# Make sure 3rd party perl modules is installed
	cpan YAML::Syck
	cd $builddir;
	wget http://www.afterlogic.com/download/webmail-panel-installer.tar.gz
	tar -xzvf webmail-panel-installer.tar.gz
	cd webmail-panel*
	chmod a+x installer
	bash installer -t lite -a install

	server_hostname=$(hostname);

	echo -e "\n${WHITEBG}${BLACK}!! HEADS UP !! You MUST login to webmail using an active email account on your server, and then go to this URL: ${NORMAL}\n";
	echo -e "\n${WHITEBG}${BLACK} http://${server_hostname}:2095/3rdparty/afterlogic/adminpanel/index.php: ${NORMAL}\n";
	echo -e "\n${WHITEBG}${BLACK} And login with these credentials: ${NORMAL}\n";
	echo -e "\n${BLUE}Username: ${NORMAL}mailadm\n";
	echo -e "\n${BLUE}Password: ${NORMAL}12345\n";
	echo -e "\n${WHITEBG}${BLACK} !!! Once you login to admin webmail interface make SURE you change the password!!!! ${NORMAL}\n";
	echo -e "\n${WHITEBG}${BLACK} !!! If you do not ANYBODY will be able to login to the webmail admin interface!!!! ${NORMAL}\n";
	read -p "Press [Enter] key to confirm you understand and continue..."
}

function installLetsEncryptAutoSSL(){
	/scripts/install_lets_encrypt_autossl_provider
}

function installCloudFlareRailGun(){
	headerBlock "Attempting to install MemCached, please wait..."
	yum install memcached -y

	headerBlock "Adding CloudFlare RailGun package repository, please wait..."
	installCloudFlarePackageRepo

	headerBlock "Installing CloudFlare Railgun, please wait..."
	yum install railgun-stable -y

	headerBlock "Adding ... CloudFlareRemoteIPTrustedProxy 127.0.0.1 ... to apache user conf file ..."
	if grep -q "CloudFlareRemoteIPTrustedProxy" /usr/local/apache/conf/includes/post_virtualhost_global.conf ; then
		echo -e "\n${RED}CloudFlareRemoteIPTrustedProxy already found in /usr/local/apache/conf/includes/post_virtualhost_global.conf file!\n${NORMAL}"
	else
		echo "<IfModule mod_cloudflare.c>" >> /usr/local/apache/conf/includes/post_virtualhost_global.conf
		echo "CloudFlareRemoteIPHeader CF-Connecting-IP" >> /usr/local/apache/conf/includes/post_virtualhost_global.conf
		echo "CloudFlareRemoteIPTrustedProxy 127.0.0.1" >> /usr/local/apache/conf/includes/post_virtualhost_global.conf
		echo "</IfModule>" >> /usr/local/apache/conf/includes/post_virtualhost_global.conf

		headerBlock "Rebuilding apache configuration ..."
		/scripts/rebuildhttpdconf
		headerBlock "Restarting apache ..."
		/scripts/restartsrv_apache
	fi

	headerBlock "Adding memcached and rg-listener to CSF process ignore list..."
	if grep -q "exe:/usr/bin/memcached" /etc/csf/csf.pignore ; then
		echo "exe:/usr/bin/memcached" >> /etc/csf/csf.pignore
	fi
	if grep -q "exe:/usr/bin/rg-listener" /etc/csf/csf.pignore ; then
		echo "exe:/usr/bin/rg-listener" >> /etc/csf/csf.pignore
	fi
	headerBlock "Restarting ConfigServer Firewall, please wait..."
	csf -r
}

cpanel_installed=$(/usr/local/cpanel/cpanel -V 2>/dev/null)

clear
cpSetup_banner
echo -e "\n";
if (($functions > 0 )); then
	echo -e "${RED}Here's a list of available functions to call when using the -r or --run command:${NORMAL}"
	echo -e "\n";
	compgen -A function | egrep -vw 'givemeayes|help|headerBlock|lineBreak|stepcheck|promptForSSHPort|promptForRootForwardEmail|cpSetup_banner';
	echo -e "\n";
	exit;
fi

if [ -z "$cpanel_installed" ]; then
	echo -e "${WHITEBG}${RED}${BRIGHT}${BLINK}Whoa Nelly!${NORMAL}${WHITEBG}${BLACK}It looks like cPanel is not installed on this server!${NORMAL}"
	if givemeayes "${RED}Would you like to install cPanel before running this script?${NORMAL}"; then
		headerBlock "No problem, let's get cPanel installed first ... this could take a minute ... or two ... or thirty .. please wait ..."
		echo -e "\n";
		read -p "Press [Enter] key when you are ready..."
		cd /home && curl -o latest -L http://httpupdate.cpanel.net/latest && sh latest
	else
		if ! givemeayes "${RED}Okay no problem, do you want to continue to this script (without installing cPanel)?${NORMAL}"; then
			echo -e "\n${RED}Script killed, nothing has been changed or installed.\n${NORMAL}"
			exit;
		fi
	fi
fi

echo -e "${WHITEBG}${RED}${BRIGHT}${BLINK}Heads Up!${NORMAL}${WHITEBG}${BLACK}A couple things you should know about this script:${NORMAL}"
echo -e "* You must have ${YELLOW}ioncube${NORMAL} enabled in ${YELLOW}WHM${NORMAL} under ${BLUE}Tweak Settings${NORMAL} > ${MAGENTA}cPanel PHP Loader${NORMAL} to install Softaculous"
echo -e "* You must go through the initial setup in ${YELLOW}WHM${NORMAL}, selecting dns and ftp server type (when you first login to WHM) before running this script."
echo -e "${BLUE}Like the script?  Contribute to the open source community and this project at http://github.com/tripflex/cpsetup ... surfs up!${NORMAL}"
echo -e "\n";

if (($unattended > 0)); then
	echo -e "${YELLOW}!!! WARNING: Unattended mode ENABLED, MAKE SURE YOU SET ALL CONFIG VALUES IN THIS SCRIPT !! YOU HAVE BEEN WARNED !!${NORMAL}"
fi

if [ $run ]; then
	echo -e "${YELLOW}RUN command specified, only the${RED} $run ${YELLOW}function will be executed. ${NORMAL}"
fi

echo -e "\n";

if ! givemeayes "${RED}Would you like to continue with the install?${NORMAL}"; then
	echo -e "\n${RED}Script killed, nothing has been changed or installed.\n${NORMAL}"
	exit;
fi

if [ -d "$builddir" ]; then
	rm -rf $builddir
fi

mkdir $builddir

if [ $run ]; then
	${run}
	exit;
fi

if stepcheck "install yum colors"; then
	headerBlock "Adding yum colors if does not exist..."
	installYumColors
fi

if stepcheck "update all server packages"; then
	headerBlock "Updating all system packages, please wait this may take a minute..."
	yum clean all ${verbose}
	yum update ${yumargs} ${verbose}
fi

if stepcheck "install ConfigServer MailManage"; then
	headerBlock "Installing ConfigServer MailManage, please wait..."
	installMailManage
fi

if stepcheck "install ConfigServer MailQueue"; then
	headerBlock "Installing ConfigServer MailQueue, please wait..."
	installMailQueue
fi

if stepcheck "install ConfigServer Firewall"; then
	headerBlock "Installing ConfigServer Firewall, please wait..."
	installFirewall
fi

if stepcheck "install ConfigServer ModSecurity Control (WHM already has this builtin)"; then
	headerBlock "Installing ConfigServer ModSecurity Control, please wait..."
	installModSecurityControl
fi

if stepcheck "install ConfigServer Explorer"; then
	headerBlock "Installing ConfigServer Explorer, please wait..."
	installExplorer
fi

if stepcheck "install R-fx Malware Detect"; then
	headerBlock "Installing R-fx Malware Detect, please wait..."
	installMalDetect
fi

if stepcheck "install ConfigServer Exploit Scanner (requires license)"; then
	headerBlock "Installing ConfigServer Exploit Scanner, please wait..."
	installCXS
fi

echo -e "\n";
echo -n "${YELLOW}!! HEADS UP !!${RED}( You SHOULD do this NOW ): ${NORMAL}You must have ${YELLOW}ioncube${NORMAL} enabled in ${YELLOW}WHM${NORMAL} under ${BLUE}Tweak Settings${NORMAL} > ${MAGENTA}cPanel PHP Loader${NORMAL} or Softaculous will not install"
echo -e "\n";
if stepcheck "install Softaculous"; then
	headerBlock "Installing Softaculous, please wait..."
	installSoftaculous
fi

if stepcheck "install Account DNS Check"; then
	headerBlock "Installing Account DNS Check, please wait..."
	installAccountDNSCheck
fi

if stepcheck "install WatchMySQL"; then
	headerBlock "Installing WatchMySQL, please wait..."
	installWatchMySQL
fi

if stepcheck "install MySQL Tuner"; then
	headerBlock "Installing MySQL Tuner, please wait..."
	installMySQLTuner
fi

if stepcheck "harden server configuration"; then
	hardenServerConfig
fi

if stepcheck "install ClamAV from source"; then
	headerBlock "Installing ClamAV from source, please wait..."
	installClamAV
fi

if stepcheck "install CloudFlare mod_cloudflare"; then
	promptForCloudFlareConfig
	headerBlock "Downloading and installing mod_cloudflare, please wait..."
	installModCloudFlare
fi

if stepcheck "add CloudFlare IPv4 and IPv6 subnets to ConfigServer Firewall allow list"; then
	headerBlock "Adding IPv4 subnets to CSF allow list, please wait..."
	addCloudFlareIPv4SubnetsToCSF
	headerBlock "Adding IPv6 subnets to CSF allow list, please wait..."
	addCloudFlareIPv4SubnetsToCSF
	headerBlock "Restarting ConfigServer Firewall, please wait..."
	csf -r
fi

if stepcheck "install CloudFlare RailGun (includes memcached)"; then
	installCloudFlareRailGun
fi

if stepcheck "configure memcached for RailGun using sockets"; then
	configureMemCachedRailGunSockets
fi

if stepcheck "configure CloudFlare RailGun"; then
	configureCloudFlareRailGun
fi

if stepcheck "install AfterLogic WebMail Lite"; then
	installAfterLogicWebmailLite
fi

if stepcheck "install Lets Encrypt for AutoSSL"; then
	installLetsEncryptAutoSSL
fi

headerBlock "Cleaning up build files, please wait..."
cd ~
rm -rf $builddir
echo -e "\n${CYAN}Script Complete! Profit!\n${NORMAL}"
echo -e "\n${WHITEBG}${RED}!!! If you installed mod_cloudflare DONT FORGET to login to WHM and recompile Apache with mod_cloudflare (using EasyApache) !!! \n${NORMAL}"