Current state
authorFrank Brehm <frank@brehm-online.com>
Tue, 23 Feb 2016 16:49:18 +0000 (17:49 +0100)
committerFrank Brehm <frank@brehm-online.com>
Tue, 23 Feb 2016 16:49:18 +0000 (17:49 +0100)
254 files changed:
alternatives/lzcat [new symlink]
alternatives/lzcat.1.gz [new symlink]
alternatives/lzcmp [new symlink]
alternatives/lzcmp.1.gz [new symlink]
alternatives/lzdiff [new symlink]
alternatives/lzdiff.1.gz [new symlink]
alternatives/lzegrep [new symlink]
alternatives/lzegrep.1.gz [new symlink]
alternatives/lzfgrep [new symlink]
alternatives/lzfgrep.1.gz [new symlink]
alternatives/lzgrep [new symlink]
alternatives/lzgrep.1.gz [new symlink]
alternatives/lzless [new symlink]
alternatives/lzless.1.gz [new symlink]
alternatives/lzma [new symlink]
alternatives/lzma.1.gz [new symlink]
alternatives/lzmore [new symlink]
alternatives/lzmore.1.gz [new symlink]
alternatives/unlzma [new symlink]
alternatives/unlzma.1.gz [new symlink]
apt/apt.conf.d/00recommends [new file with mode: 0644]
apt/apt.conf.d/01autoremove-kernels
apt/repo.uhu-deb8-1.PublicKey [new file with mode: 0644]
apt/sources.list.d/fbrehm.list [new file with mode: 0644]
apt/trusted.gpg [new file with mode: 0644]
apticron/apticron.conf [new file with mode: 0644]
bash_completion.d/fail2ban [new file with mode: 0644]
bash_completion.d/isoquery [new file with mode: 0644]
ca-certificates.conf
ca-certificates.conf.dpkg-old [new file with mode: 0644]
cron.d/apticron [new file with mode: 0644]
debian_version
default/fail2ban [new file with mode: 0644]
fail2ban/action.d/apf.conf [new file with mode: 0644]
fail2ban/action.d/badips.conf [new file with mode: 0644]
fail2ban/action.d/blocklist_de.conf [new file with mode: 0644]
fail2ban/action.d/bsd-ipfw.conf [new file with mode: 0644]
fail2ban/action.d/complain.conf [new file with mode: 0644]
fail2ban/action.d/dshield.conf [new file with mode: 0644]
fail2ban/action.d/dummy.conf [new file with mode: 0644]
fail2ban/action.d/firewallcmd-ipset.conf [new file with mode: 0644]
fail2ban/action.d/firewallcmd-new.conf [new file with mode: 0644]
fail2ban/action.d/hostsdeny.conf [new file with mode: 0644]
fail2ban/action.d/ipfilter.conf [new file with mode: 0644]
fail2ban/action.d/ipfw.conf [new file with mode: 0644]
fail2ban/action.d/iptables-allports.conf [new file with mode: 0644]
fail2ban/action.d/iptables-blocktype.conf [new file with mode: 0644]
fail2ban/action.d/iptables-ipset-proto4.conf [new file with mode: 0644]
fail2ban/action.d/iptables-ipset-proto6-allports.conf [new file with mode: 0644]
fail2ban/action.d/iptables-ipset-proto6.conf [new file with mode: 0644]
fail2ban/action.d/iptables-multiport-log.conf [new file with mode: 0644]
fail2ban/action.d/iptables-multiport.conf [new file with mode: 0644]
fail2ban/action.d/iptables-new.conf [new file with mode: 0644]
fail2ban/action.d/iptables-xt_recent-echo.conf [new file with mode: 0644]
fail2ban/action.d/iptables.conf [new file with mode: 0644]
fail2ban/action.d/mail-buffered.conf [new file with mode: 0644]
fail2ban/action.d/mail-whois-lines.conf [new file with mode: 0644]
fail2ban/action.d/mail-whois.conf [new file with mode: 0644]
fail2ban/action.d/mail.conf [new file with mode: 0644]
fail2ban/action.d/mynetwatchman.conf [new file with mode: 0644]
fail2ban/action.d/osx-afctl.conf [new file with mode: 0644]
fail2ban/action.d/osx-ipfw.conf [new file with mode: 0644]
fail2ban/action.d/pf.conf [new file with mode: 0644]
fail2ban/action.d/route.conf [new file with mode: 0644]
fail2ban/action.d/sendmail-buffered.conf [new file with mode: 0644]
fail2ban/action.d/sendmail-common.conf [new file with mode: 0644]
fail2ban/action.d/sendmail-whois-lines.conf [new file with mode: 0644]
fail2ban/action.d/sendmail-whois.conf [new file with mode: 0644]
fail2ban/action.d/sendmail.conf [new file with mode: 0644]
fail2ban/action.d/shorewall.conf [new file with mode: 0644]
fail2ban/action.d/ufw.conf [new file with mode: 0644]
fail2ban/fail2ban.conf [new file with mode: 0644]
fail2ban/filter.d/3proxy.conf [new file with mode: 0644]
fail2ban/filter.d/apache-auth.conf [new file with mode: 0644]
fail2ban/filter.d/apache-badbots.conf [new file with mode: 0644]
fail2ban/filter.d/apache-common.conf [new file with mode: 0644]
fail2ban/filter.d/apache-modsecurity.conf [new file with mode: 0644]
fail2ban/filter.d/apache-nohome.conf [new file with mode: 0644]
fail2ban/filter.d/apache-noscript.conf [new file with mode: 0644]
fail2ban/filter.d/apache-overflows.conf [new file with mode: 0644]
fail2ban/filter.d/assp.conf [new file with mode: 0644]
fail2ban/filter.d/asterisk.conf [new file with mode: 0644]
fail2ban/filter.d/common.conf [new file with mode: 0644]
fail2ban/filter.d/courierlogin.conf [new file with mode: 0644]
fail2ban/filter.d/couriersmtp.conf [new file with mode: 0644]
fail2ban/filter.d/cyrus-imap.conf [new file with mode: 0644]
fail2ban/filter.d/dovecot.conf [new file with mode: 0644]
fail2ban/filter.d/dropbear.conf [new file with mode: 0644]
fail2ban/filter.d/ejabberd-auth.conf [new file with mode: 0644]
fail2ban/filter.d/exim-common.conf [new file with mode: 0644]
fail2ban/filter.d/exim-spam.conf [new file with mode: 0644]
fail2ban/filter.d/exim.conf [new file with mode: 0644]
fail2ban/filter.d/freeswitch.conf [new file with mode: 0644]
fail2ban/filter.d/groupoffice.conf [new file with mode: 0644]
fail2ban/filter.d/gssftpd.conf [new file with mode: 0644]
fail2ban/filter.d/horde.conf [new file with mode: 0644]
fail2ban/filter.d/lighttpd-auth.conf [new file with mode: 0644]
fail2ban/filter.d/mysqld-auth.conf [new file with mode: 0644]
fail2ban/filter.d/nagios.conf [new file with mode: 0644]
fail2ban/filter.d/named-refused.conf [new file with mode: 0644]
fail2ban/filter.d/nginx-http-auth.conf [new file with mode: 0644]
fail2ban/filter.d/nsd.conf [new file with mode: 0644]
fail2ban/filter.d/openwebmail.conf [new file with mode: 0644]
fail2ban/filter.d/pam-generic.conf [new file with mode: 0644]
fail2ban/filter.d/perdition.conf [new file with mode: 0644]
fail2ban/filter.d/php-url-fopen.conf [new file with mode: 0644]
fail2ban/filter.d/postfix-sasl.conf [new file with mode: 0644]
fail2ban/filter.d/postfix.conf [new file with mode: 0644]
fail2ban/filter.d/proftpd.conf [new file with mode: 0644]
fail2ban/filter.d/pure-ftpd.conf [new file with mode: 0644]
fail2ban/filter.d/qmail.conf [new file with mode: 0644]
fail2ban/filter.d/recidive.conf [new file with mode: 0644]
fail2ban/filter.d/roundcube-auth.conf [new file with mode: 0644]
fail2ban/filter.d/selinux-common.conf [new file with mode: 0644]
fail2ban/filter.d/selinux-ssh.conf [new file with mode: 0644]
fail2ban/filter.d/sendmail-auth.conf [new file with mode: 0644]
fail2ban/filter.d/sendmail-reject.conf [new file with mode: 0644]
fail2ban/filter.d/sieve.conf [new file with mode: 0644]
fail2ban/filter.d/sogo-auth.conf [new file with mode: 0644]
fail2ban/filter.d/solid-pop3d.conf [new file with mode: 0644]
fail2ban/filter.d/squid.conf [new file with mode: 0644]
fail2ban/filter.d/sshd-ddos.conf [new file with mode: 0644]
fail2ban/filter.d/sshd.conf [new file with mode: 0644]
fail2ban/filter.d/suhosin.conf [new file with mode: 0644]
fail2ban/filter.d/uwimap-auth.conf [new file with mode: 0644]
fail2ban/filter.d/vsftpd.conf [new file with mode: 0644]
fail2ban/filter.d/webmin-auth.conf [new file with mode: 0644]
fail2ban/filter.d/wuftpd.conf [new file with mode: 0644]
fail2ban/filter.d/xinetd-fail.conf [new file with mode: 0644]
fail2ban/jail.conf [new file with mode: 0644]
init.d/fail2ban [new file with mode: 0755]
logrotate.d/fail2ban [new file with mode: 0644]
nail.rc
rc0.d/K01fail2ban [new symlink]
rc1.d/K01fail2ban [new symlink]
rc2.d/S02fail2ban [new symlink]
rc3.d/S02fail2ban [new symlink]
rc4.d/S02fail2ban [new symlink]
rc5.d/S02fail2ban [new symlink]
rc6.d/K01fail2ban [new symlink]
ssl/certs/02265526.0 [new symlink]
ssl/certs/03179a64.0 [new symlink]
ssl/certs/039c618a.0 [deleted symlink]
ssl/certs/04f60c28.0 [new symlink]
ssl/certs/0b1b94ef.0 [new symlink]
ssl/certs/0b759015.0 [deleted symlink]
ssl/certs/0ba01d19.0 [deleted symlink]
ssl/certs/0d188d89.0 [deleted symlink]
ssl/certs/0d5a4e1c.0 [new symlink]
ssl/certs/0d69c7e1.0 [new symlink]
ssl/certs/0dad9736.0 [deleted symlink]
ssl/certs/106f3e4d.0 [new symlink]
ssl/certs/13ea5b5f.0 [new symlink]
ssl/certs/19c1fa33.0 [new symlink]
ssl/certs/1d3472b9.0 [new symlink]
ssl/certs/1e08bfd1.0 [new symlink]
ssl/certs/201cada0.0 [deleted symlink]
ssl/certs/2251b13a.0 [deleted symlink]
ssl/certs/262ba90f.0 [new symlink]
ssl/certs/26eaad2f.0 [new symlink]
ssl/certs/2add47b6.0 [new symlink]
ssl/certs/2afc57aa.0 [deleted symlink]
ssl/certs/2fb1850a.0 [deleted symlink]
ssl/certs/35105088.0 [new symlink]
ssl/certs/3c6676aa.0 [new symlink]
ssl/certs/455f1b52.0 [new symlink]
ssl/certs/4be590e0.0 [new symlink]
ssl/certs/4d654d1d.0 [deleted symlink]
ssl/certs/4fbd6bfa.0 [deleted symlink]
ssl/certs/5021a0a2.0 [deleted symlink]
ssl/certs/553c356e.0 [new symlink]
ssl/certs/56b8a0b6.0 [deleted symlink]
ssl/certs/5a250ea7.0 [new symlink]
ssl/certs/5a4d6896.0 [new symlink]
ssl/certs/631c779f.0 [new symlink]
ssl/certs/6645de82.0 [new symlink]
ssl/certs/6cc3c4c3.0 [deleted symlink]
ssl/certs/778e3cb0.0 [deleted symlink]
ssl/certs/7992b8bb.0 [new symlink]
ssl/certs/84cba82f.0 [deleted symlink]
ssl/certs/88f89ea7.0 [deleted symlink]
ssl/certs/8e52d3cd.0 [deleted symlink]
ssl/certs/9282e51c.0 [new symlink]
ssl/certs/98ec67f0.0 [deleted symlink]
ssl/certs/9c472bf7.0 [deleted symlink]
ssl/certs/9f0f5fd6.0 [new symlink]
ssl/certs/9f541fb4.0 [deleted symlink]
ssl/certs/A-Trust-nQual-03.pem [deleted symlink]
ssl/certs/America_Online_Root_Certification_Authority_1.pem [deleted symlink]
ssl/certs/America_Online_Root_Certification_Authority_2.pem [deleted symlink]
ssl/certs/Buypass_Class_3_CA_1.pem [deleted symlink]
ssl/certs/CA_WoSign_ECC_Root.pem [new symlink]
ssl/certs/CFCA_EV_ROOT.pem [new symlink]
ssl/certs/COMODO_RSA_Certification_Authority.pem [new symlink]
ssl/certs/Certification_Authority_of_WoSign_G2.pem [new symlink]
ssl/certs/Certinomis_-_Root_CA.pem [new symlink]
ssl/certs/ComSign_Secured_CA.pem [deleted symlink]
ssl/certs/Digital_Signature_Trust_Co._Global_CA_1.pem [deleted symlink]
ssl/certs/Digital_Signature_Trust_Co._Global_CA_3.pem [deleted symlink]
ssl/certs/E-Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.pem [deleted symlink]
ssl/certs/Entrust_Root_Certification_Authority_-_EC1.pem [new symlink]
ssl/certs/Entrust_Root_Certification_Authority_-_G2.pem [new symlink]
ssl/certs/GTE_CyberTrust_Global_Root.pem [deleted symlink]
ssl/certs/GlobalSign_ECC_Root_CA_-_R4.pem [new symlink]
ssl/certs/GlobalSign_ECC_Root_CA_-_R5.pem [new symlink]
ssl/certs/IdenTrust_Commercial_Root_CA_1.pem [new symlink]
ssl/certs/IdenTrust_Public_Sector_Root_CA_1.pem [new symlink]
ssl/certs/OISTE_WISeKey_Global_Root_GB_CA.pem [new symlink]
ssl/certs/S-TRUST_Universal_Root_CA.pem [new symlink]
ssl/certs/SG_TRUST_SERVICES_RACINE.pem [deleted symlink]
ssl/certs/Staat_der_Nederlanden_EV_Root_CA.pem [new symlink]
ssl/certs/Staat_der_Nederlanden_Root_CA_-_G3.pem [new symlink]
ssl/certs/TC_TrustCenter_Class_2_CA_II.pem [deleted symlink]
ssl/certs/TC_TrustCenter_Universal_CA_I.pem [deleted symlink]
ssl/certs/TURKTRUST_Certificate_Services_Provider_Root_1.pem [deleted symlink]
ssl/certs/TURKTRUST_Certificate_Services_Provider_Root_2.pem [deleted symlink]
ssl/certs/Thawte_Premium_Server_CA.pem [deleted symlink]
ssl/certs/Thawte_Server_CA.pem [deleted symlink]
ssl/certs/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5.pem [new symlink]
ssl/certs/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H6.pem [new symlink]
ssl/certs/USERTrust_ECC_Certification_Authority.pem [new symlink]
ssl/certs/USERTrust_RSA_Certification_Authority.pem [new symlink]
ssl/certs/UTN_DATACorp_SGC_Root_CA.pem [deleted symlink]
ssl/certs/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.pem [deleted symlink]
ssl/certs/a15b3b6b.0 [deleted symlink]
ssl/certs/a5fd78f0.0 [deleted symlink]
ssl/certs/a6a593ba.0 [deleted symlink]
ssl/certs/b0e59380.0 [new symlink]
ssl/certs/b3fb433b.0 [new symlink]
ssl/certs/bad35b78.0 [deleted symlink]
ssl/certs/bda4cc84.0 [deleted symlink]
ssl/certs/c215bc69.0 [deleted symlink]
ssl/certs/c33a80d4.0 [deleted symlink]
ssl/certs/c3a6a9ad.0 [deleted symlink]
ssl/certs/c527e4ab.0 [deleted symlink]
ssl/certs/c679bc3f.0 [new symlink]
ssl/certs/c692a373.0 [deleted symlink]
ssl/certs/c8841d13.0 [deleted symlink]
ssl/certs/ca-certificates.crt
ssl/certs/d18e9066.0 [new symlink]
ssl/certs/d4c339cb.0 [new symlink]
ssl/certs/d5727d6a.0 [new symlink]
ssl/certs/d6325660.0 [new symlink]
ssl/certs/d6e6eab9.0 [new symlink]
ssl/certs/ddc328ff.0 [deleted symlink]
ssl/certs/dfc0fe80.0 [new symlink]
ssl/certs/e73d606e.0 [new symlink]
ssl/certs/eacdeb40.0 [deleted symlink]
ssl/certs/eb375c3e.0 [deleted symlink]
ssl/certs/ef954a4e.0 [new symlink]
ssl/certs/f30dd6ad.0 [new symlink]
ssl/certs/f38a011e.0 [new symlink]
ssl/certs/f58a60fe.0 [deleted symlink]
ssl/certs/fc5a8f99.0 [new symlink]

diff --git a/alternatives/lzcat b/alternatives/lzcat
new file mode 120000 (symlink)
index 0000000..1482e0d
--- /dev/null
@@ -0,0 +1 @@
+/usr/bin/xzcat
\ No newline at end of file
diff --git a/alternatives/lzcat.1.gz b/alternatives/lzcat.1.gz
new file mode 120000 (symlink)
index 0000000..c078545
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/man/man1/xzcat.1.gz
\ No newline at end of file
diff --git a/alternatives/lzcmp b/alternatives/lzcmp
new file mode 120000 (symlink)
index 0000000..5cdef99
--- /dev/null
@@ -0,0 +1 @@
+/usr/bin/xzcmp
\ No newline at end of file
diff --git a/alternatives/lzcmp.1.gz b/alternatives/lzcmp.1.gz
new file mode 120000 (symlink)
index 0000000..f0bafbe
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/man/man1/xzcmp.1.gz
\ No newline at end of file
diff --git a/alternatives/lzdiff b/alternatives/lzdiff
new file mode 120000 (symlink)
index 0000000..0e42921
--- /dev/null
@@ -0,0 +1 @@
+/usr/bin/xzdiff
\ No newline at end of file
diff --git a/alternatives/lzdiff.1.gz b/alternatives/lzdiff.1.gz
new file mode 120000 (symlink)
index 0000000..5687b0a
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/man/man1/xzdiff.1.gz
\ No newline at end of file
diff --git a/alternatives/lzegrep b/alternatives/lzegrep
new file mode 120000 (symlink)
index 0000000..5fee024
--- /dev/null
@@ -0,0 +1 @@
+/usr/bin/xzegrep
\ No newline at end of file
diff --git a/alternatives/lzegrep.1.gz b/alternatives/lzegrep.1.gz
new file mode 120000 (symlink)
index 0000000..c9ad6de
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/man/man1/xzegrep.1.gz
\ No newline at end of file
diff --git a/alternatives/lzfgrep b/alternatives/lzfgrep
new file mode 120000 (symlink)
index 0000000..1b64c1b
--- /dev/null
@@ -0,0 +1 @@
+/usr/bin/xzfgrep
\ No newline at end of file
diff --git a/alternatives/lzfgrep.1.gz b/alternatives/lzfgrep.1.gz
new file mode 120000 (symlink)
index 0000000..b292ba9
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/man/man1/xzfgrep.1.gz
\ No newline at end of file
diff --git a/alternatives/lzgrep b/alternatives/lzgrep
new file mode 120000 (symlink)
index 0000000..05ef59b
--- /dev/null
@@ -0,0 +1 @@
+/usr/bin/xzgrep
\ No newline at end of file
diff --git a/alternatives/lzgrep.1.gz b/alternatives/lzgrep.1.gz
new file mode 120000 (symlink)
index 0000000..8ccd2c5
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/man/man1/xzgrep.1.gz
\ No newline at end of file
diff --git a/alternatives/lzless b/alternatives/lzless
new file mode 120000 (symlink)
index 0000000..5415736
--- /dev/null
@@ -0,0 +1 @@
+/usr/bin/xzless
\ No newline at end of file
diff --git a/alternatives/lzless.1.gz b/alternatives/lzless.1.gz
new file mode 120000 (symlink)
index 0000000..bc81750
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/man/man1/xzless.1.gz
\ No newline at end of file
diff --git a/alternatives/lzma b/alternatives/lzma
new file mode 120000 (symlink)
index 0000000..cdc9bb5
--- /dev/null
@@ -0,0 +1 @@
+/usr/bin/xz
\ No newline at end of file
diff --git a/alternatives/lzma.1.gz b/alternatives/lzma.1.gz
new file mode 120000 (symlink)
index 0000000..16e4bcc
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/man/man1/xz.1.gz
\ No newline at end of file
diff --git a/alternatives/lzmore b/alternatives/lzmore
new file mode 120000 (symlink)
index 0000000..1fad361
--- /dev/null
@@ -0,0 +1 @@
+/usr/bin/xzmore
\ No newline at end of file
diff --git a/alternatives/lzmore.1.gz b/alternatives/lzmore.1.gz
new file mode 120000 (symlink)
index 0000000..e79dfa4
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/man/man1/xzmore.1.gz
\ No newline at end of file
diff --git a/alternatives/unlzma b/alternatives/unlzma
new file mode 120000 (symlink)
index 0000000..c730a4a
--- /dev/null
@@ -0,0 +1 @@
+/usr/bin/unxz
\ No newline at end of file
diff --git a/alternatives/unlzma.1.gz b/alternatives/unlzma.1.gz
new file mode 120000 (symlink)
index 0000000..c772f41
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/man/man1/unxz.1.gz
\ No newline at end of file
diff --git a/apt/apt.conf.d/00recommends b/apt/apt.conf.d/00recommends
new file mode 100644 (file)
index 0000000..7fecedc
--- /dev/null
@@ -0,0 +1,2 @@
+APT::Install-Recommends "false";
+Aptitude::Recommends-Important "false";
index 3fb87d3a394b88f25085195a709d00665b57f863..3555efb479e879d7633d58bffd0ac0db89d9b43a 100644 (file)
@@ -1,37 +1,26 @@
 // DO NOT EDIT! File autogenerated by /etc/kernel/postinst.d/apt-auto-removal
 APT::NeverAutoRemove
 {
-   "^linux-image-3\.16\.0-30-generic$";
    "^linux-image-3\.16\.0-4-amd64$";
    "^linux-image-4\.1\.6-gridscale$";
-   "^linux-headers-3\.16\.0-30-generic$";
    "^linux-headers-3\.16\.0-4-amd64$";
    "^linux-headers-4\.1\.6-gridscale$";
-   "^linux-image-extra-3\.16\.0-30-generic$";
    "^linux-image-extra-3\.16\.0-4-amd64$";
    "^linux-image-extra-4\.1\.6-gridscale$";
-   "^linux-signed-image-3\.16\.0-30-generic$";
    "^linux-signed-image-3\.16\.0-4-amd64$";
    "^linux-signed-image-4\.1\.6-gridscale$";
-   "^kfreebsd-image-3\.16\.0-30-generic$";
    "^kfreebsd-image-3\.16\.0-4-amd64$";
    "^kfreebsd-image-4\.1\.6-gridscale$";
-   "^kfreebsd-headers-3\.16\.0-30-generic$";
    "^kfreebsd-headers-3\.16\.0-4-amd64$";
    "^kfreebsd-headers-4\.1\.6-gridscale$";
-   "^gnumach-image-3\.16\.0-30-generic$";
    "^gnumach-image-3\.16\.0-4-amd64$";
    "^gnumach-image-4\.1\.6-gridscale$";
-   "^.*-modules-3\.16\.0-30-generic$";
    "^.*-modules-3\.16\.0-4-amd64$";
    "^.*-modules-4\.1\.6-gridscale$";
-   "^.*-kernel-3\.16\.0-30-generic$";
    "^.*-kernel-3\.16\.0-4-amd64$";
    "^.*-kernel-4\.1\.6-gridscale$";
-   "^linux-backports-modules-.*-3\.16\.0-30-generic$";
    "^linux-backports-modules-.*-3\.16\.0-4-amd64$";
    "^linux-backports-modules-.*-4\.1\.6-gridscale$";
-   "^linux-tools-3\.16\.0-30-generic$";
    "^linux-tools-3\.16\.0-4-amd64$";
    "^linux-tools-4\.1\.6-gridscale$";
 };
diff --git a/apt/repo.uhu-deb8-1.PublicKey b/apt/repo.uhu-deb8-1.PublicKey
new file mode 100644 (file)
index 0000000..02152c5
--- /dev/null
@@ -0,0 +1,52 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+
+mQINBFavlWMBEAC+YKENyf64sRtMCDUmbe14mY+35YHaXDLZfM73DXf/ueQawY2U
+hUEcG9adiGP/n7f5E2UMckWc21TqwM5ALXhUcdnFbkpayyPTMLrp3/2SsBVVTOO5
+j+RVrAEuVl7dBwcrcN51n3Q5E1rsBnVX+5kZ+B1wCSpk7kY8j2T7Ou+79HjBwEfQ
+X04nFIvpPZnM1Hq4ZYpomynADarWLu16WS86LkumC9Fs35bDmtQGEifDuEG8yr9k
+E0ocmNZMLfOS6OaHQMN6RYBsnF8nSrGznXvp0KQYs86YPdbjoZKpRUq3zqSsaJqv
+HgJzonZuadHI6A5Yj5CBsTwneMR3X5RPXtGmiHO/PG+G0c9ZtC5T0pTMvEx5q/o1
+HW8HilGboFxIz01Lf783F82GLA2rwGdeig4hrtgkdBddZCm5GOev7PvhTgnQ5Koc
+llUhxiyh0YlrkM1Mv7Q76lWRX3z0UtzrMDdMNt52DnO8vkm0RMYvRWeebTA74N7j
+n0/Oh8LjVh8lTdTdxruviV6+8hxDHcUy3T2Nc2knasxRdxcJ5hlwuKJ9YCeb5Pya
+LFW6e+KrdxlYnsnYBnpmbi2fFZtLEXv1q7L9wfC37BT6AQNFgjgd8lgVsnQJOTsm
+oexUinvzpuc5m/N9z9Pt6Wr4KYZ/Kh4l39Lzjlssn+I+VlXrp3ql/DRK6QARAQAB
+tDxSZXBvc2l0b3J5IEFkbWluIGZvciBGcmFuayBCcmVobSA8cGFja2FnZXNAYnJl
+aG0tb25saW5lLmNvbT6JAj4EEwECACgFAlavlWMCGwMFCRLMAwAGCwkIBwMCBhUI
+AgkKCwQWAgMBAh4BAheAAAoJELqtpQR6P8vU0GIQAKp/pJ4ArqnHoaP2OGG14B8P
+ivh7YaeZRx5HmZyJdsXLbdMJ8FM/dLvx0wqNM7HtzN11zEqroLeULPJcURiwavF0
+RndFkS9+0QIxCCYZrgpSyR+2UJgGeSzbOipND71elZQ3U6QlDJT/90XsZQwfJNUh
+Ibd3SeT1iW6ARvvZucFmcqgla67IG88Hq80RyZGoepqb73jGDsgw9/3c+Qtv7VBt
+lOZ+pgQksZHMhTWOpQ/JqOocDk6vfqzHOs+0QwbdaBxdBmRtLkBf0/uvkFvqC/R8
+JANdWvoCJqFnnI8QskbtvcnPiSLjqLtxcL+VGn5PjLD6cU8L+WyXfHMiBRZMetuw
+PFlo+Apz9o6Nh7Pg6N875zVSoJFko/w5hTqUBVIFGKCypLJEhOXfFMbTTx/b1/Gi
+yP6vp3V+n3QoxMt99THXSGOrzMu3TfDyNZGDgcq8N6T0MvOM0H0iMIZga6gbqgIm
+qPz2pSpAvZxe5/T48JpYOKiLqTd+Abx6I2scx5VqKrS9tINJWXEwAL0/oR8hcEzO
+QFgFwjwaj7RD3WSLWKy+dwhGVguLKGdPqkOuHj0yl/S6Wcfc3tNZZIm2kauvLI1l
+qp7qk+qMqeJVD0zqL1SyGSNT9YCndCewuso5VMKHyvTVL62X/xGhwAFgsK7qLFj/
+7sftZtXBk8CMv6UvxF0ouQINBFavlWMBEAC4P5+Miz+VbsFss0RHKiSs/+PgusQg
+85lk4J7zQj2S2MseJ35sJSqNX0MUSQ6BCoem+nQSwa1P4enCVonBRyWGRSbUurG/
+ip+WfrsFzHMZmr0JXw8gh/a3Zt9qwz5irERX0p6EDvwPwY411aCm4o+vdj0dPV/T
+CUX6s2dbrl2E2SAsjTzNi7bvKrPPUlufPHVp9o/LZolW40BL4C3r+1PwQFJN/0Np
+DMoKKIVdpmQcz/Ndz7+vFg4YlaeGfIOBt3kzcjt+AiSv+8L0XmtkM/W498VwkSzv
+rqUafJYPK+JtnWxgA7VyGj2fG9BncLONSAs+L1bSKKVQAt8G0H92MWIIUGDNry0b
+fM33xspNmB/7a3Bb9Cfq9eH3FWcMnBjZTGuPbKUEgVRUjyXCqIaDVvrGZBp8MLzZ
+Rg8qybxXMe9liwGdbytf34LMczO1rJN/zDkGf4mIx9LbaNFgcYCRXcb2SIpoW9F6
+hjKPf0+pRQmrelh8KMIevR1MJka3mV0tTN26gG+NBVkR8JjR766VOr5N/ebOAkcP
+GB/oBvmR4TEcqVZnYcDxmhr3Wvv4JjzbwNf0B+TYemq/9w1/IxCsNmx6WoJrdldO
+vk/iZrcF0qCTPeY0i8p+TorZfXkE6lzBqOg6YlTERPdbF1erXPkloRe7fp2iiHTF
+HVTe+0SOhSYUDwARAQABiQIlBBgBAgAPBQJWr5VjAhsMBQkSzAMAAAoJELqtpQR6
+P8vUwLsP+wcduVskRjvL5GzFoYv1fvq/V63x66s3ujWYkxYL0l5VVkcoavNl9BN8
+Ob8G1tfbSazODO8BQchqDxoD0RjZuR3E1AM8Qxx9UEP6jqhGYVAuutesRHeotkua
+QZOcpnVZ5E9SrBTt9xNu6IN8aOMN5TSwqvJsnCLQYUJtluM9luawO7d7ByGWWCpT
+oVjZ2hs4tqZXYz44pCj+TKfRZ1trYdEiQmv3hTY/LhZN3OszZZ/U7ED7UGPxdZ/D
+yCfNRIwhsTeGhB/JnxgamMShcV6p6VJWO3d2ST5wmTV+hgc12EDonAcOaL1W4gM+
+agmxoSg4utzNRK5yxBdIG/cwSeaGhvVK/PVAnfyeckm4esdgvFX0+lYbq58g/c0n
+VmVsy8sTCK7bWzw83CqQ8a4AydjGKQ5Y8aV87IyDsKnxM57l5+/bjL/eCOAolzFO
+hdoNuTkC94vB6WmIqN1FlvL9aSYpUtu+UxiF301t7WmBkuMatCvlqk4gikkY55dh
+oNAuJQCnlv5eqTJzHm41Xc0mPxVuy9shCXY3okuCPoub1pZOGtpDYaoEha34sHLl
+Iqnb4/+OaY2g4pJzevoQzRDPlPI0knUk0LRtjTyt1JpMgfr2+3EF/oFEyd4nPpgx
+EbsYN/rGbaX6tQzDFkFrUA61rjn9C2vr+LYoGcHmWX1oeyVV2OS5
+=1kpZ
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/apt/sources.list.d/fbrehm.list b/apt/sources.list.d/fbrehm.list
new file mode 100644 (file)
index 0000000..59d6e17
--- /dev/null
@@ -0,0 +1,6 @@
+# Packages Frank Brehm
+# ---------------------
+
+#deb   http://www.brehm-online.com/debian/jessie       ./
+deb    http://uhu8.uhu-banane.de/Debian/jessie         ./
+deb-src        http://uhu8.uhu-banane.de/Sources               ./
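Review bot: The active `deb` and `deb-src` entries fetch over plain HTTP, so the APT signature check is the only integrity protection for these packages, and nothing in this file says which key is expected. The same commit adds apt/repo.uhu-deb8-1.PublicKey and a binary apt/trusted.gpg, which suggests the key was imported into the global keyring; if so, it is trusted for every configured source, not just this repository. I would record the expected key beside the entries, e.g. `# signed by apt/repo.uhu-deb8-1.PublicKey, fingerprint <KEY-FINGERPRINT>`, and add an apt preferences stanza pinning `origin "uhu8.uhu-banane.de"` at a low priority so this repository cannot silently supersede packages from the Debian archive. Whether the flat `./` repository actually ships a signed Release file is not visible from this hunk and is worth confirming.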
diff --git a/apt/trusted.gpg b/apt/trusted.gpg
new file mode 100644 (file)
index 0000000..c907e57
Binary files /dev/null and b/apt/trusted.gpg differ
diff --git a/apticron/apticron.conf b/apticron/apticron.conf
new file mode 100644 (file)
index 0000000..07b3bcc
--- /dev/null
@@ -0,0 +1,100 @@
+# apticron.conf
+#
+# set EMAIL to a space separated list of addresses which will be notified of
+# impending updates
+#
+EMAIL="root"
+
+#
+# Set DIFF_ONLY to "1" to only output the difference of the current run
+# compared to the last run (ie. only new upgrades since the last run). If there
+# are no differences, no output/email will be generated. By default, apticron
+# will output everything that needs to be upgraded.
+#
+# DIFF_ONLY="1"
+
+#
+# Set LISTCHANGES_PROFILE if you would like apticron to invoke apt-listchanges
+# with the --profile option. You should add a corresponding profile to
+# /etc/apt/listchanges.conf
+#
+# LISTCHANGES_PROFILE="apticron"
+
+#
+# From hostname manpage: "Displays  all FQDNs of the machine. This option
+# enumerates all configured network addresses on all configured network inter‐
+# faces, and translates them to DNS domain names. Addresses that cannot be
+# translated (i.e. because they do not have an appro‐ priate  reverse DNS
+# entry) are skipped. Note that different addresses may resolve to the same
+# name, therefore the output may contain duplicate entries. Do not make any
+# assumptions about the order of the output."
+#
+# ALL_FQDNS="1"
+
+#
+# Set SYSTEM if you would like apticron to use something other than the output
+# of "hostname -f" for the system name in the mails it generates. This option
+# overrides the ALL_FQDNS above.
+#
+# SYSTEM="foobar.example.com"
+
+#
+# Set IPADDRESSNUM if you would like to configure the maximal number of IP
+# addresses apticron displays. The default is to display 1 address of each
+# family type (inet, inet6), if available.
+#
+# IPADDRESSNUM="1"
+
+#
+# Set IPADDRESSES to a whitespace separated list of reachable addresses for
+# this system. By default, apticron will try to work these out using the
+# "ip" command
+#
+# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
+
+#
+# Set NOTIFY_HOLDS="0" if you don't want to be notified about new versions of
+# packages on hold in your system. The default behavior is downloading and
+# listing them as any other package.
+#
+# NOTIFY_HOLDS="0"
+
+#
+# Set NOTIFY_NEW="0" if you don't want to be notified about packages which
+# are not installed in your system. Yes, it's possible! There are some issues
+# related to systems which have mixed stable/unstable sources. In these cases
+# apt-get will consider for example that packages with "Priority:
+# required"/"Essential: yes" in unstable but not in stable should be installed,
+# so they will be listed in dist-upgrade output. Please take a look at
+# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=531002#44
+#
+# NOTIFY_NEW="0"
+
+#
+# Set NOTIFY_NO_UPDATES="0" if you don't want to be notified when there is no
+# new versions. Set to 1 could assure you that apticron works well.
+#
+# NOTIFY_NO_UPDATES="0"
+
+#
+# Set CUSTOM_SUBJECT if you want to replace the default subject used in
+# the notification e-mails. This may help filtering/sorting client-side e-mail.
+# If you want to use internal vars please use single quotes here. Ex:
+# $CUSTOM_SUBJECT='[apticron] $SYSTEM: $NUM_PACKAGES package update(s)'
+#
+# CUSTOM_SUBJECT=""
+
+# Set CUSTOM_NO_UPDATES_SUBJECT if you want to replace the default subject used
+# in the no update notification e-mails. This may help filtering/sorting
+# client-side e-mail.
+# If you want to use internal vars please use single quotes here. Ex:
+# $CUSTOM_NO_UPDATES_SUBJECT='[apticron] $SYSTEM: no updates'
+#
+# CUSTOM_NO_UPDATES_SUBJECT=""
+
+#
+# Set CUSTOM_FROM if you want to replace the default sender by changing the
+# 'From:' field used in the notification e-mails. Your default sender will
+# be something like root@ns3.uhu-banane.de.
+#
+# CUSTOM_FROM=""
diff --git a/bash_completion.d/fail2ban b/bash_completion.d/fail2ban
new file mode 100644 (file)
index 0000000..7a42bd1
--- /dev/null
@@ -0,0 +1,149 @@
+# fail2ban bash-completion                                 -*- shell-script -*-
+#
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+__fail2ban_jails () {
+    "$1" status 2>/dev/null | awk -F"\t+" '/Jail list/{print $2}' | sed 's/, / /g'
+}
+
+_fail2ban () {
+    local cur prev words cword
+    _init_completion || return 
+
+    case $prev in
+        -V|--version|-h|--help)
+            return 0 # No further completion valid
+            ;;
+        -c)
+            _filedir -d # Directories
+            return 0
+            ;;
+        -s|-p)
+            _filedir # Files
+            return 0
+            ;;
+        *)
+            if [[ "$cur" == "-"* ]];then
+                COMPREPLY=( $( compgen -W \
+                    "$( _parse_help "$1" --help 2>/dev/null) -V" \
+                     -- "$cur") )
+                return 0
+            fi
+            ;;
+    esac
+
+    if [[ "$1" == *"fail2ban-regex" ]];then
+        _filedir
+        return 0
+    elif [[ "$1" == *"fail2ban-client" ]];then
+        local cmd jail
+        case $prev in
+            "$1")
+                COMPREPLY=( $( compgen -W \
+                    "$( "$1" --help 2>/dev/null | awk '/^    [a-z]+/{print $1}')" \
+                    -- "$cur") )
+                return 0
+                ;;
+            start|reload|stop|status)
+                COMPREPLY=( $(compgen -W "$(__fail2ban_jails "$1")" -- "$cur" ) )
+                return 0
+                ;;
+            set|get)
+                COMPREPLY=( $( compgen -W \
+                    "$( "$1" --help 2>/dev/null | awk '/^    '$prev' [^<]/{print $2}')" \
+                    -- "$cur") )
+                COMPREPLY+=( $(compgen -W "$(__fail2ban_jails "$1")" -- "$cur" ) )
+                return 0
+                ;;
+            *)
+                if [[ "${words[$cword-2]}" == "add" ]];then
+                    COMPREPLY=( $( compgen -W "auto polling gamin pyinotify" -- "$cur" ) )
+                    return 0
+                elif [[ "${words[$cword-2]}" == "set" ||  "${words[$cword-2]}" == "get" ]];then
+                    cmd="${words[cword-2]}"
+                    # Handle in section below
+                elif [[ "${words[$cword-3]}" == "set" || "${words[$cword-3]}" == "get" ]];then
+                    cmd="${words[$cword-3]}"
+                    jail="${words[$cword-2]}"
+                    # Handle in section below
+                fi
+            ;;
+        esac
+
+        if [[ -z "$jail" && -n "$cmd" ]];then
+            case $prev in
+                loglevel)
+                    if [[ "$cmd" == "set" ]];then
+                        COMPREPLY=( $( compgen -W "0 1 2 3 4" -- "$cur" ) )
+                    fi
+                    return 0
+                    ;;
+                logtarget)
+                    if [[ "$cmd" == "set" ]];then
+                        COMPREPLY=( $( compgen -W "STDOUT STDERR SYSLOG" -- "$cur" ) )
+                        _filedir # And files
+                    fi
+                    return 0
+                    ;;
+                *) # Jail name
+                    COMPREPLY=( $( compgen -W \
+                        "$( "$1" --help 2>/dev/null | awk '/^    '${cmd}' <JAIL>/{print $3}')" \
+                        -- "$cur") )
+                    return 0
+                    ;;
+            esac
+        elif [[ -n "$jail" && "$cmd" == "set" ]];then
+            case $prev in
+                addlogpath)
+                    _filedir
+                    return 0
+                    ;;
+                dellogpath|delignoreip)
+                    COMPREPLY=( $( compgen -W \
+                        "$( "$1" get "$jail" "${prev/del/}" 2>/dev/null | awk -F- '{print $2}')" \
+                    -- "$cur" ) )
+                    if [[ -z "$COMPREPLY" && "$prev" == "dellogpath" ]];then
+                        _filedir
+                    fi
+                    return 0
+                    ;;
+                delfailregex|delignoregex)
+                    COMPREPLY=( $( compgen -W \
+                        "$( "$1" get "$jail" "${prev/del/}" 2>/dev/null | awk -F"[][]" '{print $2}')" \
+                    -- "$cur" ) )
+                    return 0
+                    ;;
+                unbanip)
+                    COMPREPLY=( $( compgen -W \
+                        "$( "$1" status "$jail" 2>/dev/null | awk -F"\t+" '/IP list:/{print $2}')" \
+                    -- "$cur" ) )
+                    return 0
+                    ;;
+                idle)
+                    COMPREPLY=( $( compgen -W "on off" -- "$cur" ) )
+                    return 0
+                    ;;
+                usedns)
+                    COMPREPLY=( $( compgen -W "yes no warn" -- "$cur" ) )
+                    return 0
+                    ;;
+            esac
+        fi
+
+    fi # fail2ban-client
+} &&
+complete -F _fail2ban fail2ban-client fail2ban-server fail2ban-regex
diff --git a/bash_completion.d/isoquery b/bash_completion.d/isoquery
new file mode 100644 (file)
index 0000000..c27ed05
--- /dev/null
@@ -0,0 +1,45 @@
+# /etc/bash_completion.d/isoquery
+# Programmable Bash command completion for the ‘isoquery’ command.
+
+shopt -s progcomp
+
+_isoquery_completion () {
+    local cur prev opts
+
+    COMPREPLY=()
+    cur="${COMP_WORDS[COMP_CWORD]}"
+    prev="${COMP_WORDS[COMP_CWORD-1]}"
+
+    opts="-h --help -v --version"
+    opts="${opts} -i --iso -x --xmlfile -l --locale -0 --null"
+    opts="${opts} -n --name -o --official_name -c --common_name"
+
+    case "${prev}" in
+        -i|--iso)
+            local standards=(639 639-3 639-5 3166 3166-2 4217 15924)
+            COMPREPLY=( $(compgen -W "${standards[*]}" -- ${cur}) )
+            ;;
+
+        -x|--xmlfile)
+            COMPREPLY=( $(compgen -A file -- ${cur}) )
+            ;;
+
+        -l|--locale)
+            local locale_names=$(locale --all-locales)
+            COMPREPLY=( $(compgen -W "${locale_names}" -- ${cur}) )
+            ;;
+
+        *)
+            COMPREPLY=($(compgen -W "${opts}" -- ${cur}))  
+            ;;
+    esac
+}
+
+complete -F _isoquery_completion isoquery
+
+
+# Local variables:
+# coding: utf-8
+# mode: shell-script
+# End:
+# vim: fileencoding=utf-8 filetype=bash :
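Review bot: All four `compgen` calls in `_isoquery_completion` pass `${cur}` unquoted, so a partially typed word that contains whitespace or glob characters is split or pathname-expanded before compgen sees it. Writing `-- "${cur}"` in each call avoids that and matches the quoting of the fail2ban completion added in the same commit. The `-x|--xmlfile` branch also word-splits the output of `compgen -A file`, so file names with spaces come back as several candidates. If bash-completion's `_filedir` helper is available, as the fail2ban script assumes, it is the safer choice there.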
index 9e08541c76c8f6958be3682c9b171ee3fb7f832d..8bad138d5cf64cbb49a81e7d751a81fb10abb0b4 100644 (file)
@@ -21,16 +21,16 @@ mozilla/AffirmTrust_Commercial.crt
 mozilla/AffirmTrust_Networking.crt
 mozilla/AffirmTrust_Premium.crt
 mozilla/AffirmTrust_Premium_ECC.crt
-mozilla/America_Online_Root_Certification_Authority_1.crt
-mozilla/America_Online_Root_Certification_Authority_2.crt
+!mozilla/America_Online_Root_Certification_Authority_1.crt
+!mozilla/America_Online_Root_Certification_Authority_2.crt
 mozilla/ApplicationCA_-_Japanese_Government.crt
 mozilla/Atos_TrustedRoot_2011.crt
-mozilla/A-Trust-nQual-03.crt
+!mozilla/A-Trust-nQual-03.crt
 mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt
 mozilla/Baltimore_CyberTrust_Root.crt
 mozilla/Buypass_Class_2_CA_1.crt
 mozilla/Buypass_Class_2_Root_CA.crt
-mozilla/Buypass_Class_3_CA_1.crt
+!mozilla/Buypass_Class_3_CA_1.crt
 mozilla/Buypass_Class_3_Root_CA.crt
 mozilla/CA_Disig.crt
 mozilla/CA_Disig_Root_R1.crt
@@ -52,7 +52,7 @@ mozilla/COMODO_ECC_Certification_Authority.crt
 mozilla/Comodo_Secure_Services_root.crt
 mozilla/Comodo_Trusted_Services_root.crt
 mozilla/ComSign_CA.crt
-mozilla/ComSign_Secured_CA.crt
+!mozilla/ComSign_Secured_CA.crt
 mozilla/Cybertrust_Global_Root.crt
 mozilla/Deutsche_Telekom_Root_CA_2.crt
 mozilla/DigiCert_Assured_ID_Root_CA.crt
@@ -63,8 +63,8 @@ mozilla/DigiCert_Global_Root_G2.crt
 mozilla/DigiCert_Global_Root_G3.crt
 mozilla/DigiCert_High_Assurance_EV_Root_CA.crt
 mozilla/DigiCert_Trusted_Root_G4.crt
-mozilla/Digital_Signature_Trust_Co._Global_CA_1.crt
-mozilla/Digital_Signature_Trust_Co._Global_CA_3.crt
+!mozilla/Digital_Signature_Trust_Co._Global_CA_1.crt
+!mozilla/Digital_Signature_Trust_Co._Global_CA_3.crt
 mozilla/DST_ACES_CA_X6.crt
 mozilla/DST_Root_CA_X3.crt
 mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt
@@ -72,7 +72,7 @@ mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt
 mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
 mozilla/EC-ACC.crt
 mozilla/EE_Certification_Centre_Root_CA.crt
-mozilla/E-Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.crt
+!mozilla/E-Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.crt
 mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt
 mozilla/Entrust_Root_Certification_Authority.crt
 mozilla/ePKI_Root_Certification_Authority.crt
@@ -93,7 +93,7 @@ mozilla/GlobalSign_Root_CA_-_R2.crt
 mozilla/GlobalSign_Root_CA_-_R3.crt
 mozilla/Go_Daddy_Class_2_CA.crt
 mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt
-mozilla/GTE_CyberTrust_Global_Root.crt
+!mozilla/GTE_CyberTrust_Global_Root.crt
 mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt
 mozilla/Hongkong_Post_Root_CA_1.crt
 mozilla/IGC_A.crt
@@ -123,7 +123,7 @@ mozilla/SecureTrust_CA.crt
 mozilla/Security_Communication_EV_RootCA1.crt
 mozilla/Security_Communication_RootCA2.crt
 mozilla/Security_Communication_Root_CA.crt
-mozilla/SG_TRUST_SERVICES_RACINE.crt
+!mozilla/SG_TRUST_SERVICES_RACINE.crt
 mozilla/Sonera_Class_1_Root_CA.crt
 mozilla/Sonera_Class_2_Root_CA.crt
 mozilla/Staat_der_Nederlanden_Root_CA.crt
@@ -142,25 +142,25 @@ mozilla/SwissSign_Gold_CA_-_G2.crt
 mozilla/SwissSign_Platinum_CA_-_G2.crt
 mozilla/SwissSign_Silver_CA_-_G2.crt
 mozilla/Taiwan_GRCA.crt
-mozilla/TC_TrustCenter_Class_2_CA_II.crt
+!mozilla/TC_TrustCenter_Class_2_CA_II.crt
 mozilla/TC_TrustCenter_Class_3_CA_II.crt
-mozilla/TC_TrustCenter_Universal_CA_I.crt
+!mozilla/TC_TrustCenter_Universal_CA_I.crt
 mozilla/TeliaSonera_Root_CA_v1.crt
-mozilla/Thawte_Premium_Server_CA.crt
+!mozilla/Thawte_Premium_Server_CA.crt
 mozilla/thawte_Primary_Root_CA.crt
 mozilla/thawte_Primary_Root_CA_-_G2.crt
 mozilla/thawte_Primary_Root_CA_-_G3.crt
-mozilla/Thawte_Server_CA.crt
+!mozilla/Thawte_Server_CA.crt
 mozilla/Trustis_FPS_Root_CA.crt
 mozilla/T-TeleSec_GlobalRoot_Class_2.crt
 mozilla/T-TeleSec_GlobalRoot_Class_3.crt
 mozilla/TÜBİTAK_UEKAE_Kök_Sertifika_Hizmet_Sağlayıcısı_-_Sürüm_3.crt
-mozilla/TURKTRUST_Certificate_Services_Provider_Root_1.crt
+!mozilla/TURKTRUST_Certificate_Services_Provider_Root_1.crt
 mozilla/TURKTRUST_Certificate_Services_Provider_Root_2007.crt
-mozilla/TURKTRUST_Certificate_Services_Provider_Root_2.crt
+!mozilla/TURKTRUST_Certificate_Services_Provider_Root_2.crt
 mozilla/TWCA_Global_Root_CA.crt
 mozilla/TWCA_Root_Certification_Authority.crt
-mozilla/UTN_DATACorp_SGC_Root_CA.crt
+!mozilla/UTN_DATACorp_SGC_Root_CA.crt
 mozilla/UTN_USERFirst_Email_Root_CA.crt
 mozilla/UTN_USERFirst_Hardware_Root_CA.crt
 mozilla/Verisign_Class_1_Public_Primary_Certification_Authority.crt
@@ -174,7 +174,7 @@ mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt
 mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
 mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt
 mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
-mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.crt
+!mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.crt
 mozilla/VeriSign_Universal_Root_Certification_Authority.crt
 mozilla/Visa_eCommerce_Root.crt
 mozilla/WellsSecure_Public_Root_Certificate_Authority.crt
@@ -182,3 +182,22 @@ mozilla/WoSign_China.crt
 mozilla/WoSign.crt
 mozilla/XRamp_Global_CA_Root.crt
 spi-inc.org/spi-cacert-2008.crt
+mozilla/CA_WoSign_ECC_Root.crt
+mozilla/Certification_Authority_of_WoSign_G2.crt
+mozilla/Certinomis_-_Root_CA.crt
+mozilla/CFCA_EV_ROOT.crt
+mozilla/COMODO_RSA_Certification_Authority.crt
+mozilla/Entrust_Root_Certification_Authority_-_EC1.crt
+mozilla/Entrust_Root_Certification_Authority_-_G2.crt
+mozilla/GlobalSign_ECC_Root_CA_-_R4.crt
+mozilla/GlobalSign_ECC_Root_CA_-_R5.crt
+mozilla/IdenTrust_Commercial_Root_CA_1.crt
+mozilla/IdenTrust_Public_Sector_Root_CA_1.crt
+mozilla/OISTE_WISeKey_Global_Root_GB_CA.crt
+mozilla/Staat_der_Nederlanden_EV_Root_CA.crt
+mozilla/Staat_der_Nederlanden_Root_CA_-_G3.crt
+mozilla/S-TRUST_Universal_Root_CA.crt
+mozilla/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5.crt
+mozilla/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H6.crt
+mozilla/USERTrust_ECC_Certification_Authority.crt
+mozilla/USERTrust_RSA_Certification_Authority.crt
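Review bot: The last hunk appends 19 root certificates without a leading `!`, so each becomes trusted system-wide the next time update-ca-certificates rebuilds /etc/ssl/certs. Nothing in the commit shows whether the roots were accepted deliberately or enabled automatically during a package upgrade; the message says only "Current state", so that part is an inference. If adding a trust anchor should be an explicit decision on this host, set the debconf question `ca-certificates/trust_new_crts` to `ask`. Trust-store changes are also easier to audit in a commit of their own than among 254 files.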
diff --git a/ca-certificates.conf.dpkg-old b/ca-certificates.conf.dpkg-old
new file mode 100644 (file)
index 0000000..9e08541
--- /dev/null
@@ -0,0 +1,184 @@
+# This file lists certificates that you wish to use or to ignore to be
+# installed in /etc/ssl/certs.
+# update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
+#
+# This is autogenerated by dpkg-reconfigure ca-certificates.
+# Certificates should be installed under /usr/share/ca-certificates
+# and files with extension '.crt' is recognized as available certs.
+#
+# line begins with # is comment.
+# line begins with ! is certificate filename to be deselected.
+#
+mozilla/ACCVRAIZ1.crt
+mozilla/ACEDICOM_Root.crt
+mozilla/AC_Raíz_Certicámara_S.A..crt
+mozilla/Actalis_Authentication_Root_CA.crt
+mozilla/AddTrust_External_Root.crt
+mozilla/AddTrust_Low-Value_Services_Root.crt
+mozilla/AddTrust_Public_Services_Root.crt
+mozilla/AddTrust_Qualified_Certificates_Root.crt
+mozilla/AffirmTrust_Commercial.crt
+mozilla/AffirmTrust_Networking.crt
+mozilla/AffirmTrust_Premium.crt
+mozilla/AffirmTrust_Premium_ECC.crt
+mozilla/America_Online_Root_Certification_Authority_1.crt
+mozilla/America_Online_Root_Certification_Authority_2.crt
+mozilla/ApplicationCA_-_Japanese_Government.crt
+mozilla/Atos_TrustedRoot_2011.crt
+mozilla/A-Trust-nQual-03.crt
+mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt
+mozilla/Baltimore_CyberTrust_Root.crt
+mozilla/Buypass_Class_2_CA_1.crt
+mozilla/Buypass_Class_2_Root_CA.crt
+mozilla/Buypass_Class_3_CA_1.crt
+mozilla/Buypass_Class_3_Root_CA.crt
+mozilla/CA_Disig.crt
+mozilla/CA_Disig_Root_R1.crt
+mozilla/CA_Disig_Root_R2.crt
+mozilla/Camerfirma_Chambers_of_Commerce_Root.crt
+mozilla/Camerfirma_Global_Chambersign_Root.crt
+mozilla/Certigna.crt
+mozilla/Certinomis_-_Autorité_Racine.crt
+mozilla/Certplus_Class_2_Primary_CA.crt
+mozilla/certSIGN_ROOT_CA.crt
+mozilla/Certum_Root_CA.crt
+mozilla/Certum_Trusted_Network_CA.crt
+mozilla/Chambers_of_Commerce_Root_-_2008.crt
+mozilla/China_Internet_Network_Information_Center_EV_Certificates_Root.crt
+mozilla/CNNIC_ROOT.crt
+mozilla/Comodo_AAA_Services_root.crt
+mozilla/COMODO_Certification_Authority.crt
+mozilla/COMODO_ECC_Certification_Authority.crt
+mozilla/Comodo_Secure_Services_root.crt
+mozilla/Comodo_Trusted_Services_root.crt
+mozilla/ComSign_CA.crt
+mozilla/ComSign_Secured_CA.crt
+mozilla/Cybertrust_Global_Root.crt
+mozilla/Deutsche_Telekom_Root_CA_2.crt
+mozilla/DigiCert_Assured_ID_Root_CA.crt
+mozilla/DigiCert_Assured_ID_Root_G2.crt
+mozilla/DigiCert_Assured_ID_Root_G3.crt
+mozilla/DigiCert_Global_Root_CA.crt
+mozilla/DigiCert_Global_Root_G2.crt
+mozilla/DigiCert_Global_Root_G3.crt
+mozilla/DigiCert_High_Assurance_EV_Root_CA.crt
+mozilla/DigiCert_Trusted_Root_G4.crt
+mozilla/Digital_Signature_Trust_Co._Global_CA_1.crt
+mozilla/Digital_Signature_Trust_Co._Global_CA_3.crt
+mozilla/DST_ACES_CA_X6.crt
+mozilla/DST_Root_CA_X3.crt
+mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt
+mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt
+mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
+mozilla/EC-ACC.crt
+mozilla/EE_Certification_Centre_Root_CA.crt
+mozilla/E-Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.crt
+mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt
+mozilla/Entrust_Root_Certification_Authority.crt
+mozilla/ePKI_Root_Certification_Authority.crt
+mozilla/Equifax_Secure_CA.crt
+mozilla/Equifax_Secure_eBusiness_CA_1.crt
+mozilla/Equifax_Secure_Global_eBusiness_CA.crt
+mozilla/E-Tugra_Certification_Authority.crt
+mozilla/GeoTrust_Global_CA_2.crt
+mozilla/GeoTrust_Global_CA.crt
+mozilla/GeoTrust_Primary_Certification_Authority.crt
+mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt
+mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt
+mozilla/GeoTrust_Universal_CA_2.crt
+mozilla/GeoTrust_Universal_CA.crt
+mozilla/Global_Chambersign_Root_-_2008.crt
+mozilla/GlobalSign_Root_CA.crt
+mozilla/GlobalSign_Root_CA_-_R2.crt
+mozilla/GlobalSign_Root_CA_-_R3.crt
+mozilla/Go_Daddy_Class_2_CA.crt
+mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt
+mozilla/GTE_CyberTrust_Global_Root.crt
+mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt
+mozilla/Hongkong_Post_Root_CA_1.crt
+mozilla/IGC_A.crt
+mozilla/Izenpe.com.crt
+mozilla/Juur-SK.crt
+mozilla/Microsec_e-Szigno_Root_CA_2009.crt
+mozilla/Microsec_e-Szigno_Root_CA.crt
+mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt
+mozilla/NetLock_Business_=Class_B=_Root.crt
+mozilla/NetLock_Express_=Class_C=_Root.crt
+mozilla/NetLock_Notary_=Class_A=_Root.crt
+mozilla/NetLock_Qualified_=Class_QA=_Root.crt
+mozilla/Network_Solutions_Certificate_Authority.crt
+mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt
+mozilla/PSCProcert.crt
+mozilla/QuoVadis_Root_CA_1_G3.crt
+mozilla/QuoVadis_Root_CA_2.crt
+mozilla/QuoVadis_Root_CA_2_G3.crt
+mozilla/QuoVadis_Root_CA_3.crt
+mozilla/QuoVadis_Root_CA_3_G3.crt
+mozilla/QuoVadis_Root_CA.crt
+mozilla/Root_CA_Generalitat_Valenciana.crt
+mozilla/RSA_Security_2048_v3.crt
+mozilla/Secure_Global_CA.crt
+mozilla/SecureSign_RootCA11.crt
+mozilla/SecureTrust_CA.crt
+mozilla/Security_Communication_EV_RootCA1.crt
+mozilla/Security_Communication_RootCA2.crt
+mozilla/Security_Communication_Root_CA.crt
+mozilla/SG_TRUST_SERVICES_RACINE.crt
+mozilla/Sonera_Class_1_Root_CA.crt
+mozilla/Sonera_Class_2_Root_CA.crt
+mozilla/Staat_der_Nederlanden_Root_CA.crt
+mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt
+mozilla/Starfield_Class_2_CA.crt
+mozilla/Starfield_Root_Certificate_Authority_-_G2.crt
+mozilla/Starfield_Services_Root_Certificate_Authority_-_G2.crt
+mozilla/StartCom_Certification_Authority_2.crt
+mozilla/StartCom_Certification_Authority.crt
+mozilla/StartCom_Certification_Authority_G2.crt
+mozilla/S-TRUST_Authentication_and_Encryption_Root_CA_2005_PN.crt
+mozilla/Swisscom_Root_CA_1.crt
+mozilla/Swisscom_Root_CA_2.crt
+mozilla/Swisscom_Root_EV_CA_2.crt
+mozilla/SwissSign_Gold_CA_-_G2.crt
+mozilla/SwissSign_Platinum_CA_-_G2.crt
+mozilla/SwissSign_Silver_CA_-_G2.crt
+mozilla/Taiwan_GRCA.crt
+mozilla/TC_TrustCenter_Class_2_CA_II.crt
+mozilla/TC_TrustCenter_Class_3_CA_II.crt
+mozilla/TC_TrustCenter_Universal_CA_I.crt
+mozilla/TeliaSonera_Root_CA_v1.crt
+mozilla/Thawte_Premium_Server_CA.crt
+mozilla/thawte_Primary_Root_CA.crt
+mozilla/thawte_Primary_Root_CA_-_G2.crt
+mozilla/thawte_Primary_Root_CA_-_G3.crt
+mozilla/Thawte_Server_CA.crt
+mozilla/Trustis_FPS_Root_CA.crt
+mozilla/T-TeleSec_GlobalRoot_Class_2.crt
+mozilla/T-TeleSec_GlobalRoot_Class_3.crt
+mozilla/TÜBİTAK_UEKAE_Kök_Sertifika_Hizmet_Sağlayıcısı_-_Sürüm_3.crt
+mozilla/TURKTRUST_Certificate_Services_Provider_Root_1.crt
+mozilla/TURKTRUST_Certificate_Services_Provider_Root_2007.crt
+mozilla/TURKTRUST_Certificate_Services_Provider_Root_2.crt
+mozilla/TWCA_Global_Root_CA.crt
+mozilla/TWCA_Root_Certification_Authority.crt
+mozilla/UTN_DATACorp_SGC_Root_CA.crt
+mozilla/UTN_USERFirst_Email_Root_CA.crt
+mozilla/UTN_USERFirst_Hardware_Root_CA.crt
+mozilla/Verisign_Class_1_Public_Primary_Certification_Authority.crt
+mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.crt
+mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt
+mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt
+mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt
+mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_2.crt
+mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt
+mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt
+mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
+mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt
+mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
+mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.crt
+mozilla/VeriSign_Universal_Root_Certification_Authority.crt
+mozilla/Visa_eCommerce_Root.crt
+mozilla/WellsSecure_Public_Root_Certificate_Authority.crt
+mozilla/WoSign_China.crt
+mozilla/WoSign.crt
+mozilla/XRamp_Global_CA_Root.crt
+spi-inc.org/spi-cacert-2008.crt
diff --git a/cron.d/apticron b/cron.d/apticron
new file mode 100644 (file)
index 0000000..09d7072
--- /dev/null
@@ -0,0 +1,3 @@
+# cron entry for apticron
+
+49 * * * * root if test -x /usr/sbin/apticron; then /usr/sbin/apticron --cron; else true; fi
index 2983cad049515b2f3cdad093170575baac65ee19..cf022018d84dff72b77a8f74904e8e46964c7175 100644 (file)
@@ -1 +1 @@
-8.2
+8.3
diff --git a/default/fail2ban b/default/fail2ban
new file mode 100644 (file)
index 0000000..35bb377
--- /dev/null
@@ -0,0 +1,39 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#
+# Author: Cyril Jaquier
+# 
+# $Revision$
+
+# Command line options for Fail2Ban. Refer to "fail2ban-client -h" for
+# valid options.
+FAIL2BAN_OPTS=""
+
+# Run fail2ban as a different user. If not set, fail2ban
+# will run as root.
+#
+# The user is not created automatically.
+# The user can be created e.g. with
+#    useradd --system --no-create-home --home-dir / --groups adm fail2ban
+# Log files are readable by group adm by default. Adding the fail2ban
+# user to this group allows it to read the logfiles.
+#
+# Another manual step that needs to be taken is to allow write access
+# for fail2ban user to fail2ban log files. The /etc/init.d/fail2ban
+# script will change the ownership when starting fail2ban. Logrotate
+# needs to be configured separately, see /etc/logrotate.d/fail2ban.
+#
+# FAIL2BAN_USER="fail2ban"
diff --git a/fail2ban/action.d/apf.conf b/fail2ban/action.d/apf.conf
new file mode 100644 (file)
index 0000000..5c4a261
--- /dev/null
@@ -0,0 +1,25 @@
+# Fail2Ban configuration file
+# https://www.rfxn.com/projects/advanced-policy-firewall/
+#
+# Note: APF doesn't play nicely with other actions. It has been observed to
+# remove bans created by other iptables based actions. If you are going to use
+# this action, use it for all of your jails.
+#
+# DON'T MIX APF and other IPTABLES based actions
+[Definition]
+
+actionstart = 
+actionstop = 
+actioncheck = 
+actionban = apf --deny <ip> "banned by Fail2Ban <name>"
+actionunban = apf --remove <ip>
+
+[Init]
+
+# Name used in APF configuration
+#
+name = default
+
+# DEV NOTES:
+#
+# Author: Mark McKinstry
diff --git a/fail2ban/action.d/badips.conf b/fail2ban/action.d/badips.conf
new file mode 100644 (file)
index 0000000..4a5c0f9
--- /dev/null
@@ -0,0 +1,19 @@
+# Fail2ban reporting to badips.com
+#
+# Note: This reports and IP only and does not actually ban traffic. Use 
+# another action in the same jail if you want bans to occur.
+#
+# Set the category to the appropriate value before use.
+#
+# To get see register and optional key to get personalised graphs see:
+# http://www.badips.com/blog/personalized-statistics-track-the-attackers-of-all-your-servers-with-one-key
+
+[Definition]
+
+actionban = curl --fail  --user-agent "fail2ban v0.8.12" http://www.badips.com/add/<category>/<ip>
+
+[Init]
+
+# Option: category
+# Notes.: Values are from the list here: http://www.badips.com/get/categories
+category = 
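Review bot: `actionban` reports over plain `http://`, so the reported address and category cross the network without integrity protection or confidentiality. If the service accepts TLS (not visible from this file), the line should read `actionban = curl --fail --user-agent "fail2ban v0.8.12" https://www.badips.com/add/<category>/<ip>`. With `category =` left empty, as it is here, the request path becomes `/add//<ip>`. A jail that enables this action must therefore override `category`, and a comment next to the option saying `# must be set; an empty value produces an invalid report URL` would make that explicit.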
diff --git a/fail2ban/action.d/blocklist_de.conf b/fail2ban/action.d/blocklist_de.conf
new file mode 100644 (file)
index 0000000..d4170ca
--- /dev/null
@@ -0,0 +1,86 @@
+# Fail2Ban configuration file
+#
+# Author: Steven Hiscocks
+#
+#
+
+# Action to report IP address to blocklist.de
+# Blocklist.de must be signed up to at www.blocklist.de
+# Once registered, one or more servers can be added.
+# This action requires the server 'email address' and the assoicate apikey.
+#
+# From blocklist.de:
+#   www.blocklist.de is a free and voluntary service provided by a
+#   Fraud/Abuse-specialist, whose servers are often attacked on SSH-,
+#   Mail-Login-, FTP-, Webserver- and other services.
+#   The mission is to report all attacks to the abuse deparments of the
+#   infected PCs/servers to ensure that the responsible provider can inform
+#   the customer about the infection and disable them
+#
+# IMPORTANT: 
+# 
+# Reporting an IP of abuse is a serious complaint. Make sure that it is
+# serious. Fail2ban developers and network owners recommend you only use this
+# action for:
+#   * The recidive where the IP has been banned multiple times
+#   * Where maxretry has been set quite high, beyond the normal user typing
+#     password incorrectly.
+#   * For filters that have a low likelyhood of receiving human errors
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = 
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop =
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = curl --fail --data-urlencode 'server=<email>' --data 'apikey=<apikey>' --data 'service=<service>' --data 'ip=<ip>' --data-urlencode 'logs=<matches>' --data 'format=text' --user-agent "fail2ban v0.8.12" "https://www.blocklist.de/en/httpreports.html"
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban =
+
+[Init]
+
+# Option:  email
+# Notes    server email address, as per blocklise.de account
+# Values:  STRING  Default: None
+#
+#email =
+
+# Option:  apikey
+# Notes    your user blocklist.de user account apikey
+# Values:  STRING  Default: None
+#
+#apikey =
+
+# Option:  service
+# Notes    service name you are reporting on, typically aligns with filter name
+#          see http://www.blocklist.de/en/httpreports.html for full list
+# Values:  STRING  Default: None
+#
+#service =
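Review bot: `actionban` passes the account secret as `--data 'apikey=<apikey>'`, so the key appears in curl's argument list and can be read from the process table by any local user while the report is sent. curl can read options from a file instead: put the `data = "apikey=..."` line in a root-only file and replace that argument with `--config <PATH_TO_ROOT_ONLY_CURLRC>` (placeholder path). Separately, `<matches>` carries log lines whose content remote clients influence, and it is substituted inside a single-quoted shell argument. Whether fail2ban's tag escaping is sufficient there cannot be judged from this file and should be confirmed before the action is enabled.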
diff --git a/fail2ban/action.d/bsd-ipfw.conf b/fail2ban/action.d/bsd-ipfw.conf
new file mode 100644 (file)
index 0000000..1285361
--- /dev/null
@@ -0,0 +1,83 @@
+# Fail2Ban configuration file
+#
+# Author: Nick Munger
+# Modified by: Ken Menzel
+#              Daniel Black (start/stop)
+#              Fabian Wenk (many ideas as per fail2ban users list)
+#
+# Ensure firewall_enable="YES" in the top of /etc/rc.conf
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = ipfw show | fgrep -q 'table(<table>)' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e <br> else exit b }'; num=$?; ipfw -q add $num <blocktype> <block> from table\(<table>\) to me <port>; echo $num > "<startstatefile>" )
+
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop =  [ ! -f <startstatefile> ] || ( read num < "<startstatefile>" <br> ipfw -q delete $num <br> rm "<startstatefile>" )
+
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+# requires an ipfw rule like "deny ip from table(1) to me"
+actionban = ipfw table <table> add <ip>
+
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = ipfw table <table> delete <ip>
+
+[Init]
+# Option:  table
+# Notes:   The ipfw table to use. If a ipfw rule using this table already exists,
+#          this action will not create a ipfw rule to block it and the following
+#          options will have no effect.
+# Values:  NUM
+table = 1
+
+# Option:  port
+# Notes.:  Specifies port to monitor. Blank indicate block all ports.
+# Values:  [ NUM | STRING ]
+#
+port = 
+
+# Option:  startstatefile
+# Notes:   A file to indicate that the table rule that was added. Ensure it is unique per table.
+# Values:  STRING
+startstatefile = /var/run/fail2ban/ipfw-started-table_<table>
+
+# Option: block
+# Notes:  This is how much to block.
+#         Can be "ip", "tcp", "udp" or various other options.
+# Values: STRING
+block = ip
+
+# Option:  blocktype
+# Notes.:  How to block the traffic. Use a action from man 5 ipfw
+#          Common values: deny, unreach port, reset
+#          ACTION defination at the top of man ipfw for allowed values.
+# Values:  STRING
+#
+blocktype = unreach port
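Review bot: `actionstart` returns the chosen rule number through awk's exit status (`exit e` / `exit b`, then `num=$?`), but an exit status is only 8 bits wide. Once the first free rule number is 256 or higher, `$num` no longer matches what awk computed, and the rule is added, and later deleted by `actionstop`, under the wrong number. Printing the value and capturing it avoids the truncation: `num=$(ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { print (e ? e : b) }')`. A smaller point: `actionstop` tests `[ ! -f <startstatefile> ]` unquoted while every other use of the path is quoted.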
diff --git a/fail2ban/action.d/complain.conf b/fail2ban/action.d/complain.conf
new file mode 100644 (file)
index 0000000..c017583
--- /dev/null
@@ -0,0 +1,94 @@
+# Fail2Ban configuration file
+#
+# Author: Russell Odom <russ@gloomytrousers.co.uk>, Daniel Black
+# Sends a complaint e-mail to addresses listed in the whois record for an
+# offending IP address.
+# This uses the https://abusix.com/contactdb.html to lookup abuse contacts.
+#
+# DEPENDANCIES:
+# This requires the dig command from bind-utils
+#
+# You should provide the <logpath> in the jail config - lines from the log
+# matching the given IP address will be provided in the complaint as evidence.
+#
+# WARNING
+# -------
+#
+# Please do not use this action unless you are certain that fail2ban
+# does not result in "false positives" for your deployment.  False
+# positive reports could serve a mis-favor to the original cause by
+# flooding corresponding contact addresses, and complicating the work
+# of administration personnel responsible for handling (verified) legit
+# complains.
+#
+# Please consider using e.g. sendmail-whois-lines.conf action which
+# would send the reports with relevant information to you, so the
+# report could be first reviewed and then forwarded to a corresponding
+# contact if legit.
+#
+
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop =
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = oifs=${IFS}; IFS=.;SEP_IP=( <ip> ); set -- ${SEP_IP}; ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs}
+           IP=<ip>
+            if [ ! -z "$ADDRESSES" ]; then
+                (printf %%b "<message>\n"; date '+Note: Local timezone is %%z (%%Z)'; grep -E '(^|[^0-9])<ip>([^0-9]|$)' <logpath>) | <mailcmd> "Abuse from <ip>" <mailargs> ${ADDRESSES//,/\" \"}
+            fi
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban =
+
+[Init]
+message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a abusix.com is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n This mail was generated by Fail2Ban.\nThe recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email (info@abusix.com). Information about the Abuse Contact Database can be found here: https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is neither responsible nor liable for the content or accuracy of this message.\n
+
+# Path to the log files which contain relevant lines for the abuser IP
+#
+logpath = /dev/null
+
+# Option:  mailcmd
+# Notes.:  Your system mail command. Is passed 2 args: subject and recipient
+# Values:  CMD
+#
+mailcmd = mail -s
+
+# Option:  mailargs
+# Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
+#          CC reports to another address:
+#              -c me@example.com
+#          Appear to come from a different address - the '--' indicates
+#          arguments to be passed to Sendmail:
+#              -- -f me@example.com
+# Values:  [ STRING ]
+#
+mailargs =
+
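Review bot: In `actionban` the recipient list is whatever the TXT answer of the `dig` lookup contains, and it is expanded unquoted as `${ADDRESSES//,/\" \"}` into the `<mailcmd>` arguments. An external DNS response therefore decides which words the mailer receives, including any token that begins with `-`. Only address-shaped tokens should reach the mail command, for example (untested sketch) `ADDRESSES=$(echo "$ADDRESSES" | tr -d '"' | tr ',' '\n' | grep -E '^[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9.-]+$')` after the lookup, with the later expansion reduced to `$ADDRESSES`. The array assignment `SEP_IP=( <ip> )` and the `${var//…}` substitution are bash syntax, so the action presumably fails if fail2ban runs it under a POSIX `/bin/sh`; that is worth confirming on this host.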
diff --git a/fail2ban/action.d/dshield.conf b/fail2ban/action.d/dshield.conf
new file mode 100644 (file)
index 0000000..a004198
--- /dev/null
@@ -0,0 +1,204 @@
+# Fail2Ban configuration file
+#
+# Author: Russell Odom <russ@gloomytrousers.co.uk>
+# Submits attack reports to DShield (http://www.dshield.org/)
+#
+# You MUST configure at least:
+# <port> (the port that's being attacked - use number not name).
+#
+# You SHOULD also provide:
+# <myip> (your public IP address, if it's not the address of eth0)
+# <userid> (your DShield userID, if you have one - recommended, but reports will
+# be used anonymously if not)
+# <protocol> (the protocol in use - defaults to tcp)
+#
+# Best practice is to provide <port> and <protocol> in jail.conf like this:
+# action = dshield[port=1234,protocol=tcp]
+#
+# ...and create "dshield.local" with contents something like this:
+# [Init]
+# myip = 10.0.0.1
+# userid = 12345
+#
+# Other useful configuration values are <mailargs> (you can use for specifying
+# a different sender address for the report e-mails, which should match what is
+# configured at DShield), and <lines>/<minreportinterval>/<maxbufferage> (to
+# configure how often the buffer is flushed).
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = if [ -f <tmpfile>.buffer ]; then
+                 cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest>
+                 date +%%s > <tmpfile>.lastsent
+             fi
+             rm -f <tmpfile>.buffer <tmpfile>.first
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+# See http://www.dshield.org/specs.html for more on report format/notes
+#
+# Note: We are currently using <time> for the timestamp because no tag is
+# available to indicate the timestamp of the log message(s) which triggered the
+# ban. Therefore the timestamps we are using in the report, whilst often only a
+# few seconds out, are incorrect. See
+# http://sourceforge.net/tracker/index.php?func=detail&aid=2017795&group_id=121032&atid=689047
+#
+actionban = TZONE=`date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'`
+            DATETIME="`perl -e '@t=localtime(<time>);printf "%%4d-%%02d-%%02d %%02d:%%02d:%%02d",1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0]'` $TZONE"
+           PROTOCOL=`awk '{IGNORECASE=1;if($1=="<protocol>"){print $2;exit}}' /etc/protocols`
+           if [ -z "$PROTOCOL" ]; then PROTOCOL=<protocol>; fi
+            printf %%b "$DATETIME\t<userid>\t<failures>\t<ip>\t<srcport>\t<myip>\t<port>\t$PROTOCOL\t<tcpflags>\n" >> <tmpfile>.buffer
+            NOW=`date +%%s`
+            if [ ! -f <tmpfile>.first ]; then
+                echo <time> | cut -d. -f1 > <tmpfile>.first
+            fi
+            if [ ! -f <tmpfile>.lastsent ]; then
+                echo 0 > <tmpfile>.lastsent
+            fi
+            LOGAGE=$(($NOW - `cat <tmpfile>.first`))
+            LASTREPORT=$(($NOW - `cat <tmpfile>.lastsent`))
+            LINES=$( wc -l <tmpfile>.buffer | awk '{ print $1 }' )
+            if [ $LINES -ge <lines> && $LASTREPORT -gt <minreportinterval> ] || [ $LOGAGE -gt <maxbufferage> ]; then
+                cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ $TZONE Fail2Ban" <mailargs> <dest>
+                rm -f <tmpfile>.buffer <tmpfile>.first
+                echo $NOW > <tmpfile>.lastsent
+            fi
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = if [ -f <tmpfile>.first ]; then
+                  NOW=`date +%%s`
+                  LOGAGE=$(($NOW - `cat <tmpfile>.first`))
+                  if [ $LOGAGE -gt <maxbufferage> ]; then
+                      cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest>
+                      rm -f <tmpfile>.buffer <tmpfile>.first
+                      echo $NOW > <tmpfile>.lastsent
+                  fi
+              fi
+
+
+[Init]
+# Option:  port
+# Notes.:  The target port for the attack (numerical). MUST be provided in the
+#          jail config, as it cannot be detected here.
+# Values:  [ NUM ]
+#
+port = ???
+
+# Option:  userid
+# Notes.:  Your DShield user ID. Should be provided either in the jail config or
+#          in a .local file.
+#          Register at https://secure.dshield.org/register.html
+# Values:  [ NUM ]
+#
+userid = 0
+
+# Option:  myip
+# Notes.:  The target IP for the attack (your public IP). Should be provided
+#          either in the jail config or in a .local file unless your PUBLIC IP
+#          is the first IP assigned to eth0
+# Values:  [ an IP address ]  Default: Tries to find the IP address of eth0,
+#          which in most cases will be a private IP, and therefore incorrect
+#
+myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'`
+
+# Option:  protocol
+# Notes.:  The protocol over which the attack is happening
+# Values:  [ tcp | udp | icmp | (any other protocol name from /etc/protocols) | NUM ] Default: tcp
+#
+protocol = tcp
+
+# Option:  lines
+# Notes.:  How many lines to buffer before making a report. Regardless of this,
+#          reports are sent a minimum of <minreportinterval> apart, or if the
+#          buffer contains an event over <maxbufferage> old, or on shutdown
+# Values:  [ NUM ]
+#
+lines = 50
+
+# Option:  minreportinterval
+# Notes.:  Minimum period (in seconds) that must elapse before we submit another
+#          batch of reports. DShield request a minimum of 1 hour (3600 secs)
+#          between reports.
+# Values:  [ NUM ]
+#
+minreportinterval = 3600
+
+# Option:  maxbufferage
+# Notes.:  Maximum age (in seconds) of the oldest report in the buffer before we
+#          submit the batch, even if we haven't reached <lines> yet. Note that
+#          this is only checked on each ban/unban, and that we always send
+#          anything in the buffer on shutdown. Must be greater than
+# Values:  [ NUM ]
+#
+maxbufferage = 21600
+
+# Option:  srcport
+# Notes.:  The source port of the attack. You're unlikely to have this info, so
+#          you can leave the default
+# Values:  [ NUM ]
+#
+srcport = ???
+
+# Option:  tcpflags
+# Notes.:  TCP flags on attack. You're unlikely to have this info, so you can
+#          leave empty
+# Values:  [ STRING ]
+#
+tcpflags =
+
+# Option:  mailcmd
+# Notes.:  Your system mail command. Is passed 2 args: subject and recipient
+# Values:  CMD
+#
+mailcmd = mail -s
+
+# Option:  mailargs
+# Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
+#          CC reports to another address:
+#              -c me@example.com
+#          Appear to come from a different address (the From address must match
+#          the one configured at DShield - the '--' indicates arguments to be
+#          passed to Sendmail):
+#              -- -f me@example.com
+# Values:  [ STRING ]
+#
+mailargs =
+
+# Option:  dest
+# Notes.:  Destination e-mail address for reports
+# Values:  [ STRING ]
+#
+dest = reports@dshield.org
+
+# Option:  tmpfile
+# Notes.:  Base name of temporary files used for buffering
+# Values:  [ STRING ]
+#
+tmpfile = /var/run/fail2ban/tmp-dshield
+
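Review bot: The flush test in `actionban` puts `&&` inside a single `[ ... ]`, so the shell runs `[ $LINES -ge <lines>` without its closing bracket and the line-count branch never succeeds. Reports are then only sent once `<maxbufferage>` is exceeded or on shutdown. Each comparison needs its own test: `if [ $LINES -ge <lines> ] && [ $LASTREPORT -gt <minreportinterval> ] || [ $LOGAGE -gt <maxbufferage> ]; then`. The `maxbufferage` comment in `[Init]` also stops mid-sentence at "Must be greater than" and should name the value it is compared with (presumably `<minreportinterval>`).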
diff --git a/fail2ban/action.d/dummy.conf b/fail2ban/action.d/dummy.conf
new file mode 100644 (file)
index 0000000..dc4e1db
--- /dev/null
@@ -0,0 +1,47 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = touch /var/run/fail2ban/fail2ban.dummy
+              printf %%b "<init>\n" >> /var/run/fail2ban/fail2ban.dummy
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = rm -f /var/run/fail2ban/fail2ban.dummy
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = printf %%b "+<ip>\n" >> /var/run/fail2ban/fail2ban.dummy
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = printf %%b "-<ip>\n" >> /var/run/fail2ban/fail2ban.dummy
+
+[Init]
+
+init = 123
+
diff --git a/fail2ban/action.d/firewallcmd-ipset.conf b/fail2ban/action.d/firewallcmd-ipset.conf
new file mode 100644 (file)
index 0000000..03e30c3
--- /dev/null
@@ -0,0 +1,67 @@
+# Fail2Ban action file for firewall-cmd/ipset
+#
+# This requires:
+# ipset (package: ipset)
+# firewall-cmd (package: firewalld)
+#
+# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
+# Use ipset -V to see the protocol and version.
+#
+# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
+#
+# If you are running on an older kernel you make need to patch in external
+# modules.
+
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+[Definition]
+
+actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
+              firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
+
+actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
+             ipset flush fail2ban-<name>
+             ipset destroy fail2ban-<name>
+
+actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
+
+actionunban = ipset del fail2ban-<name> <ip> -exist
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Option:  port
+# Notes.:  specifies port to monitor
+# Values:  [ NUM | STRING ]
+#
+port = ssh
+
+# Option:  protocol
+# Notes.:  internally used by config reader for interpolations.
+# Values:  [ tcp | udp | icmp | all ]
+#
+protocol = tcp
+
+# Option:  chain
+# Notes    specifies the iptables chain to which the fail2ban rules should be
+#          added
+# Values:  [ STRING ]
+#
+chain = INPUT_direct
+
+# Option: bantime
+# Notes:  specifies the bantime in seconds (handled internally rather than by fail2ban)
+# Values:  [ NUM ]  Default: 600
+
+bantime = 600
+
+
+# DEV NOTES:
+#
+# Author: Edgar Hoch and Daniel Black
+# firewallcmd-new / iptables-ipset-proto6 combined for maximium goodness
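Review bot: The ipset entry lifetime comes from this file's own `bantime = 600` in `[Init]`, so unless the jail passes `bantime` as an action parameter, a jail with a longer ban has its entries expire from the set after ten minutes while fail2ban still counts the address as banned. The comment "handled internally rather than by fail2ban" should say so, for example `# Must be kept equal to the jail's bantime: action = firewallcmd-ipset[bantime=...]`. The same default appears in iptables-ipset-proto6-allports.conf and iptables-ipset-proto6.conf. This file also defines no `actioncheck`, so a set or rule removed behind fail2ban's back is not noticed before the next ban.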
diff --git a/fail2ban/action.d/firewallcmd-new.conf b/fail2ban/action.d/firewallcmd-new.conf
new file mode 100644 (file)
index 0000000..bae72ca
--- /dev/null
@@ -0,0 +1,72 @@
+# Fail2Ban configuration file
+#
+# Because of the --remove-rules in stop this action requires firewalld-0.3.8+
+
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+[Definition]
+
+actionstart = firewall-cmd --direct --add-chain ipv4 filter fail2ban-<name>
+              firewall-cmd --direct --add-rule ipv4 filter fail2ban-<name> 1000 -j RETURN
+              firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+
+actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+             firewall-cmd --direct --remove-rules ipv4 filter fail2ban-<name>
+             firewall-cmd --direct --remove-chain ipv4 filter fail2ban-<name>
+
+actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q '^fail2ban-<name>$'
+
+actionban = firewall-cmd --direct --add-rule ipv4 filter fail2ban-<name> 0 -s <ip> -j <blocktype>
+
+actionunban = firewall-cmd --direct --remove-rule ipv4 filter fail2ban-<name> 0 -s <ip> -j <blocktype>
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Option:  port
+# Notes.:  specifies port to monitor
+# Values:  [ NUM | STRING ]
+#
+port = ssh
+
+# Option:  protocol
+# Notes.:  internally used by config reader for interpolations.
+# Values:  [ tcp | udp | icmp | all ]
+#
+protocol = tcp
+
+# Option:  chain
+# Notes    specifies the iptables chain to which the fail2ban rules should be
+#          added
+# Values:  [ STRING ]
+#
+chain = INPUT_direct
+
+# DEV NOTES:
+#
+# Author: Edgar Hoch
+# Copied from iptables-new.conf and modified for use with firewalld by Edgar Hoch.
+#  It uses "firewall-cmd" instead of "iptables".
+#
+# Output:
+# 
+# $ firewall-cmd --direct --add-chain ipv4 filter fail2ban-name
+# success
+# $ firewall-cmd --direct --add-rule ipv4 filter fail2ban-name 1000 -j RETURN
+# success
+# $ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -m state --state NEW -p tcp --dport 22 -j fail2ban-name
+# success
+# $ firewall-cmd --direct --get-chains ipv4 filter
+# fail2ban-name
+# $ firewall-cmd --direct --get-chains ipv4 filter  | od -h
+# 0000000 6166 6c69 6232 6e61 6e2d 6d61 0a65
+# $ firewall-cmd --direct --get-chains ipv4 filter | grep -Eq 'fail2ban-name( |$)' ; echo $?
+# 0
+# $ firewall-cmd -V
+# 0.3.8
+
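Review bot: `actioncheck` anchors the chain name with `^...$`, which only matches when `--get-chains` prints the chain on a line of its own. The dev notes at the end of the file test with `grep -Eq 'fail2ban-name( |$)'`, which suggests several chains may be printed space-separated on one line. If so, the check fails as soon as a second direct chain exists, and the ban is not applied. Splitting the output first keeps the exact match: `actioncheck = firewall-cmd --direct --get-chains ipv4 filter | tr ' ' '\n' | grep -qxF 'fail2ban-<name>'`.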
diff --git a/fail2ban/action.d/hostsdeny.conf b/fail2ban/action.d/hostsdeny.conf
new file mode 100644 (file)
index 0000000..d74f498
--- /dev/null
@@ -0,0 +1,57 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Edited for cross platform by: James Stout, Yaroslav Halchenko and Daniel Black
+#
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = 
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = 
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = IP=<ip> &&
+            printf %%b "<daemon_list>: $IP\n" >> <file>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = echo "/^<daemon_list>: <ip>$/<br>d<br>w<br>q" | ed <file>
+
+[Init]
+
+# Option:  file
+# Notes.:  hosts.deny file path.
+# Values:  STR  Default:  /etc/hosts.deny
+#
+file = /etc/hosts.deny
+
+# Option:  daemon_list
+# Notes:   The list of services that this action will deny. See the man page
+#          for hosts.deny/hosts_access. Default is all services.
+# Values:  STR  Default: ALL
+daemon_list = ALL
diff --git a/fail2ban/action.d/ipfilter.conf b/fail2ban/action.d/ipfilter.conf
new file mode 100644 (file)
index 0000000..61420e3
--- /dev/null
@@ -0,0 +1,58 @@
+# Fail2Ban configuration file
+#
+# NetBSD ipfilter (ipf command) ban/unban
+#
+# Author: Ed Ravin <eravin@panix.com>
+#
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+# enable IPF if not already enabled
+actionstart = /sbin/ipf -E
+
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+# don't disable IPF with "/sbin/ipf -D", there may be other filters in use
+actionstop = 
+
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = echo block <blocktype> in quick from <ip>/32 | /sbin/ipf -f -
+
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+# note -r option used to remove matching rule
+actionunban = echo block <blocktype> in quick from <ip>/32 | /sbin/ipf -r -f -
+
+[Init]
+
+# Option: Blocktype
+# Notes : This is the return-icmp[return-code] mentioned in the ipf man page section 5. Keep this quoted to prevent
+#         Shell expansion. This should be blank (unquoted) to drop the packet.
+# Values: STRING
+blocktype = "return-icmp(port-unr)"
diff --git a/fail2ban/action.d/ipfw.conf b/fail2ban/action.d/ipfw.conf
new file mode 100644 (file)
index 0000000..3762520
--- /dev/null
@@ -0,0 +1,68 @@
+# Fail2Ban configuration file
+#
+# Author: Nick Munger
+# Modified by: Cyril Jaquier
+#
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = 
+
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = 
+
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = ipfw add <blocktype> tcp from <ip> to <localhost> <port>
+
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = ipfw delete `ipfw list | grep -i "[^0-9]<ip>[^0-9]" | awk '{print $1;}'`
+
+[Init]
+
+# Option:  port
+# Notes.:  specifies port to monitor
+# Values:  [ NUM | STRING ]
+#
+port = ssh
+
+# Option:  localhost
+# Notes.:  the local IP address of the network interface
+# Values:  IP
+#
+localhost = 127.0.0.1
+
+
+# Option:  blocktype
+# Notes.:  How to block the traffic. Use a action from man 5 ipfw
+#          Common values: deny, unreach port, reset
+# Values:  STRING
+#
+blocktype = unreach port
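Review bot: `actionunban` deletes every rule number whose `ipfw list` line matches `[^0-9]<ip>[^0-9]`, and the dots in `<ip>` are unescaped regex wildcards. Unbanning one address can therefore also remove rules for other addresses, and any hand-written rule that mentions the banned IP. Narrowing the match to the rule shape `actionban` creates would limit that, e.g. `grep -F ' from <ip> to <localhost> '` (check it against the local `ipfw list` output first). Separately, the default `localhost = 127.0.0.1` makes the ban rule match only traffic addressed to loopback, so the option's comment should say it must be set to the address the service listens on.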
diff --git a/fail2ban/action.d/iptables-allports.conf b/fail2ban/action.d/iptables-allports.conf
new file mode 100644 (file)
index 0000000..91d4071
--- /dev/null
@@ -0,0 +1,70 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
+#                      made active on all ports from original iptables.conf
+#
+#
+
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = iptables -N fail2ban-<name>
+              iptables -A fail2ban-<name> -j RETURN
+              iptables -I <chain> -p <protocol> -j fail2ban-<name>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
+             iptables -F fail2ban-<name>
+             iptables -X fail2ban-<name>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Option:  protocol
+# Notes.:  internally used by config reader for interpolations.
+# Values:  [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
+# Option:  chain
+# Notes    specifies the iptables chain to which the fail2ban rules should be
+#          added
+# Values:  STRING  Default: INPUT
+chain = INPUT
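Review bot: None of the `iptables` calls here wait for the xtables lock, so when several jails start or ban at the same moment a call can fail with a lock error, leaving a jail without its chain or a ban without its rule. If the installed iptables supports it, add `-w` to every invocation, e.g. `actionban = iptables -w -I fail2ban-<name> 1 -s <ip> -j <blocktype>`. The same applies to iptables-multiport.conf, iptables-multiport-log.conf and the `iptables` lines in the iptables-ipset-* action files.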
diff --git a/fail2ban/action.d/iptables-blocktype.conf b/fail2ban/action.d/iptables-blocktype.conf
new file mode 100644 (file)
index 0000000..c505e49
--- /dev/null
@@ -0,0 +1,22 @@
+# Fail2Ban configuration file
+#
+# Author: Daniel Black
+#
+# This is a included configuration file and includes the defination for the blocktype
+# used in all iptables based actions by default.
+#
+# The user can override the default in iptables-blocktype.local
+
+[INCLUDES]
+
+after = iptables-blocktype.local
+
+[Init]
+
+# Option:  blocktype
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the iptables man page (section 8). Common values are DROP
+#          REJECT, REJECT --reject-with icmp-port-unreachable
+# Values:  STRING
+blocktype = REJECT --reject-with icmp-port-unreachable
+
diff --git a/fail2ban/action.d/iptables-ipset-proto4.conf b/fail2ban/action.d/iptables-ipset-proto4.conf
new file mode 100644 (file)
index 0000000..9a44530
--- /dev/null
@@ -0,0 +1,73 @@
+# Fail2Ban configuration file
+#
+# Author: Daniel Black
+#
+# This is for ipset protocol 4 (ipset v4.2). If you have a later version
+# of ipset try to use the iptables-ipset-proto6.conf as it does some things
+# nicer.
+# 
+# This requires the program ipset which is normally in package called ipset.
+#
+# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
+#
+# If you are running on an older kernel you make need to patch in external
+# modules. Debian squeeze can do this with:
+#   apt-get install xtables-addons-source 
+#   module-assistant auto-install xtables-addons
+#
+# Debian wheezy and above uses protocol 6
+
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = ipset --create fail2ban-<name> iphash
+              iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
+             ipset --flush fail2ban-<name>
+             ipset --destroy fail2ban-<name>
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = ipset --test fail2ban-<name> <ip> ||  ipset --add fail2ban-<name> <ip>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = ipset --test fail2ban-<name> <ip> && ipset --del fail2ban-<name> <ip>
+
+[Init]
+
+# Default name of the ipset
+#
+name = default
+
+# Option:  port
+# Notes.:  specifies port to monitor
+# Values:  [ NUM | STRING ]  Default: ssh
+#
+port = ssh
+
+# Option:  protocol
+# Notes.:  internally used by config reader for interpolations.
+# Values:  [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
diff --git a/fail2ban/action.d/iptables-ipset-proto6-allports.conf b/fail2ban/action.d/iptables-ipset-proto6-allports.conf
new file mode 100644 (file)
index 0000000..933926e
--- /dev/null
@@ -0,0 +1,64 @@
+# Fail2Ban configuration file
+#
+# Author: Daniel Black
+#
+# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
+# Use ipset -V to see the protocol and version. Version 4 should use
+# iptables-ipset-proto4.conf.
+#
+# This requires the program ipset which is normally in package called ipset.
+#
+# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
+#
+# If you are running on an older kernel you make need to patch in external
+# modules which probably won't be protocol version 6.
+
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
+              iptables -I INPUT -m set --match-set fail2ban-<name> src -j <blocktype>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = iptables -D INPUT -m set --match-set fail2ban-<name> src -j <blocktype>
+             ipset flush fail2ban-<name>
+             ipset destroy fail2ban-<name>
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = ipset del fail2ban-<name> <ip> -exist
+
+[Init]
+
+# Default name of the ipset
+#
+name = default
+
+# Option: bantime
+# Notes:  specifies the bantime in seconds (handled internally rather than by fail2ban)
+# Values:  [ NUM ]  Default: 600
+
+bantime = 600
diff --git a/fail2ban/action.d/iptables-ipset-proto6.conf b/fail2ban/action.d/iptables-ipset-proto6.conf
new file mode 100644 (file)
index 0000000..4dfb1a6
--- /dev/null
@@ -0,0 +1,76 @@
+# Fail2Ban configuration file
+#
+# Author: Daniel Black
+#
+# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
+# Use ipset -V to see the protocol and version. Version 4 should use
+# iptables-ipset-proto4.conf.
+#
+# This requires the program ipset which is normally in package called ipset.
+#
+# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
+#
+# If you are running on an older kernel you make need to patch in external
+# modules.
+
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
+              iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
+             ipset flush fail2ban-<name>
+             ipset destroy fail2ban-<name>
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = ipset del fail2ban-<name> <ip> -exist
+
+[Init]
+
+# Default name of the ipset
+#
+name = default
+
+# Option:  port
+# Notes.:  specifies port to monitor
+# Values:  [ NUM | STRING ]  Default: ssh
+#
+port = ssh
+
+# Option:  protocol
+# Notes.:  internally used by config reader for interpolations.
+# Values:  [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
+# Option: bantime
+# Notes:  specifies the bantime in seconds (handled internally rather than by fail2ban)
+# Values:  [ NUM ]  Default: 600
+
+bantime = 600
diff --git a/fail2ban/action.d/iptables-multiport-log.conf b/fail2ban/action.d/iptables-multiport-log.conf
new file mode 100644 (file)
index 0000000..6084cb6
--- /dev/null
@@ -0,0 +1,83 @@
+# Fail2Ban configuration file
+#
+# Author: Guido Bozzetto
+# Modified: Cyril Jaquier
+#
+# make "fail2ban-<name>" chain to match drop IP
+# make "fail2ban-<name>-log" chain to log and drop
+# insert a jump to fail2ban-<name> from -I <chain> if proto/port match
+#
+#
+
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = iptables -N fail2ban-<name>
+              iptables -A fail2ban-<name> -j RETURN
+              iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+              iptables -N fail2ban-<name>-log
+              iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
+              iptables -A fail2ban-<name>-log -j <blocktype>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+             iptables -F fail2ban-<name>
+             iptables -F fail2ban-<name>-log
+             iptables -X fail2ban-<name>
+             iptables -X fail2ban-<name>-log
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = iptables -n -L fail2ban-<name>-log >/dev/null
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = iptables -D fail2ban-<name> -s <ip> -j fail2ban-<name>-log
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Option:  port
+# Notes.:  specifies port to monitor
+# Values:  [ NUM | STRING ]  Default:
+#
+port = ssh
+
+# Option:  protocol
+# Notes.:  internally used by config reader for interpolations.
+# Values:  [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
+# Option:  chain
+# Notes    specifies the iptables chain to which the fail2ban rules should be
+#          added
+# Values:  STRING  Default: INPUT
+chain = INPUT
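Review bot: `actioncheck` only tests that the `fail2ban-<name>-log` chain exists, whereas iptables-multiport.conf greps `<chain>` for the jump. If the jump in `<chain>` is flushed while the helper chains survive, the check passes and bans go into a chain no traffic reaches. Using the sibling form keeps the two consistent: `actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'`. The LOG prefix also hard-codes `:DROP ` although the verdict is `<blocktype>`, which defaults to REJECT in iptables-blocktype.conf, so the logged text can mislead whoever triages these entries.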
diff --git a/fail2ban/action.d/iptables-multiport.conf b/fail2ban/action.d/iptables-multiport.conf
new file mode 100644 (file)
index 0000000..daa3114
--- /dev/null
@@ -0,0 +1,73 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Modified by Yaroslav Halchenko for multiport banning
+#
+
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = iptables -N fail2ban-<name>
+              iptables -A fail2ban-<name> -j RETURN
+              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+             iptables -F fail2ban-<name>
+             iptables -X fail2ban-<name>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Option:  port
+# Notes.:  specifies port to monitor
+# Values:  [ NUM | STRING ]  Default:
+#
+port = ssh
+
+# Option:  protocol
+# Notes.:  internally used by config reader for interpolations.
+# Values:  [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
+# Option:  chain
+# Notes    specifies the iptables chain to which the fail2ban rules should be
+#          added
+# Values:  STRING  Default: INPUT
+chain = INPUT
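Review bot: The `actioncheck` pattern `'fail2ban-<name>[ \t]'` does not test for a tab: inside single quotes grep receives the two characters `\t`, and in a bracket expression those are a literal backslash and a literal `t`. The check therefore also succeeds on a jump target whose name merely continues with `t` after `<name>`, which is rare but can hide a missing rule. A POSIX class keeps the intent without the ambiguity: `actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[[:space:]]'`. The same pattern is used in iptables-new.conf and iptables.conf in this commit.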
diff --git a/fail2ban/action.d/iptables-new.conf b/fail2ban/action.d/iptables-new.conf
new file mode 100644 (file)
index 0000000..f35f387
--- /dev/null
@@ -0,0 +1,76 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Copied from iptables.conf and modified by Yaroslav Halchenko 
+#  to fulfill the needs of bugreporter dbts#350746.
+#
+#
+
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = iptables -N fail2ban-<name>
+              iptables -A fail2ban-<name> -j RETURN
+              iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+             iptables -F fail2ban-<name>
+             iptables -X fail2ban-<name>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Option:  port
+# Notes.:  specifies port to monitor
+# Values:  [ NUM | STRING ]  Default:
+#
+port = ssh
+
+# Option:  protocol
+# Notes.:  internally used by config reader for interpolations.
+# Values:  [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
+# Option:  chain
+# Notes    specifies the iptables chain to which the fail2ban rules should be
+#          added
+# Values:  STRING  Default: INPUT
+chain = INPUT
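Review bot: The header comment does not say how this action differs from iptables.conf, and the difference matters when choosing it. The jump rule in `actionstart` matches only `-m state --state NEW`, so packets belonging to connections a banned address has already established never reach `fail2ban-<name>`, and those sessions keep running after the ban. I would add a line under the author block such as `# Only NEW connections are filtered; sessions already established by a banned IP are not interrupted.`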
diff --git a/fail2ban/action.d/iptables-xt_recent-echo.conf b/fail2ban/action.d/iptables-xt_recent-echo.conf
new file mode 100644 (file)
index 0000000..bc2e897
--- /dev/null
@@ -0,0 +1,77 @@
+# Fail2Ban configuration file
+#
+# Author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
+#
+#
+
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+# Changing iptables rules requires root privileges. If fail2ban is
+# configured to run as root, firewall setup can be performed by
+# fail2ban automatically. However, if fail2ban is configured to run as
+# a normal user, the configuration must be done by some other means
+# (e.g. using static firewall configuration with the
+# iptables-persistent package).
+# 
+# Explanation of the rule below:
+#    Check if any packets coming from an IP on the fail2ban-<name>
+#    list have been seen in the last 3600 seconds. If yes, update the
+#    timestamp for this IP and drop the packet. If not, let the packet
+#    through.
+#
+#    Fail2ban inserts blacklisted hosts into the fail2ban-<name> list
+#    and removes them from the list after some time, according to its
+#    own rules. The 3600 second timeout is independent and acts as a
+#    safeguard in case the fail2ban process dies unexpectedly. The
+#    shorter of the two timeouts actually matters.
+actionstart = if [ `id -u` -eq 0 ];then iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j <blocktype>;fi
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = echo / > /proc/net/xt_recent/fail2ban-<name>
+             if [ `id -u` -eq 0 ];then iptables -D INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j <blocktype>;fi
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = test -e /proc/net/xt_recent/fail2ban-<name>
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = echo +<ip> > /proc/net/xt_recent/fail2ban-<name>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = echo -<ip> > /proc/net/xt_recent/fail2ban-<name>
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Option:  protocol
+# Notes.:  internally used by config reader for interpolations.
+# Values:  [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
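Review bot: `protocol = tcp` under `[Init]` is not referenced by any command in this file, and `actionstart`/`actionstop` hard-code `INPUT` with no port or protocol match. A ban from this action therefore drops all traffic from the address, not only traffic to the jailed service, and a jail-level `chain` setting has no effect. Either remove the unused option or state the scope in the header, for example `# Bans apply to every port and protocol on INPUT; <chain>, <port> and <protocol> are not used.` It is also worth noting next to `actionban` that a non-root fail2ban needs write access to `/proc/net/xt_recent/fail2ban-<name>`, since only the iptables calls are guarded by the `id -u` test.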
diff --git a/fail2ban/action.d/iptables.conf b/fail2ban/action.d/iptables.conf
new file mode 100644 (file)
index 0000000..370e473
--- /dev/null
@@ -0,0 +1,73 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[INCLUDES]
+
+before = iptables-blocktype.conf
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = iptables -N fail2ban-<name>
+              iptables -A fail2ban-<name> -j RETURN
+              iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
+             iptables -F fail2ban-<name>
+             iptables -X fail2ban-<name>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Option:  port
+# Notes.:  specifies port to monitor
+# Values:  [ NUM | STRING ]  Default:
+#
+port = ssh
+
+# Option:  protocol
+# Notes.:  internally used by config reader for interpolations.
+# Values:  [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
+# Option:  chain
+# Notes    specifies the iptables chain to which the fail2ban rules should be
+#          added
+# Values:  STRING  Default: INPUT
+chain = INPUT
diff --git a/fail2ban/action.d/mail-buffered.conf b/fail2ban/action.d/mail-buffered.conf
new file mode 100644 (file)
index 0000000..914d4a5
--- /dev/null
@@ -0,0 +1,83 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = printf %%b "Hi,\n
+              The jail <name> has been started successfully.\n
+              Output will be buffered until <lines> lines are available.\n
+              Regards,\n
+              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = if [ -f <tmpfile> ]; then
+                 printf %%b "Hi,\n
+                 These hosts have been banned by Fail2Ban.\n
+                 `cat <tmpfile>`
+                 Regards,\n
+                 Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from `uname -n`" <dest>
+                 rm <tmpfile>
+             fi
+             printf %%b "Hi,\n
+             The jail <name> has been stopped.\n
+             Regards,\n
+             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+            LINE=$( wc -l <tmpfile> | awk '{ print $1 }' )
+            if [ $LINE -ge <lines> ]; then
+                printf %%b "Hi,\n
+                These hosts have been banned by Fail2Ban.\n
+                `cat <tmpfile>`
+                \nRegards,\n
+                Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
+                rm <tmpfile>
+            fi
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = 
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Default number of lines that are buffered
+#
+lines = 5
+
+# Default temporary file
+#
+tmpfile = /var/run/fail2ban/tmp-mail.txt
+
+# Destination/Addressee of the mail
+#
+dest = root
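Review bot: The default `tmpfile = /var/run/fail2ban/tmp-mail.txt` is one fixed path, so every jail using this action appends to and counts lines in the same buffer. Whichever jail reaches `<lines>` first mails the other jails' entries under its own `<name>` and then removes the file. sendmail-buffered.conf in this commit defaults to the same path. Setting the path where the action is referenced keeps the buffers apart, e.g. `action = mail-buffered[name=ssh, tmpfile=/var/run/fail2ban/tmp-mail-ssh.txt]` (jail name and path are illustrative). The unquoted `[ $LINE -ge <lines> ]` in `actionban` would also be safer as `[ "$LINE" -ge <lines> ]`.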
diff --git a/fail2ban/action.d/mail-whois-lines.conf b/fail2ban/action.d/mail-whois-lines.conf
new file mode 100644 (file)
index 0000000..aa7d095
--- /dev/null
@@ -0,0 +1,69 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Modified-By: Yaroslav Halchenko to include grepping on IP over log files
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = printf %%b "Hi,\n
+              The jail <name> has been started successfully.\n
+              Regards,\n
+              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = printf %%b "Hi,\n
+             The jail <name> has been stopped.\n
+             Regards,\n
+             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = printf %%b "Hi,\n
+            The IP <ip> has just been banned by Fail2Ban after
+            <failures> attempts against <name>.\n\n
+            Here is more information about <ip>:\n
+            `whois <ip> || echo missing whois program`\n\n
+            Lines containing IP:<ip> in <logpath>\n
+            `grep '[^0-9]<ip>[^0-9]' <logpath>`\n\n
+            Regards,\n
+            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from  `uname -n`" <dest>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = 
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Destinataire of the mail
+#
+dest = root
+
+# Path to the log files which contain relevant lines for the abuser IP
+#
+logpath = /dev/null
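Review bot: The `grep '[^0-9]<ip>[^0-9]' <logpath>` in `actionban` has no upper bound on the lines it returns, and the content of those lines is shaped by the banned client. A noisy source can therefore make each ban notification arbitrarily large. Capping the match count keeps the mail bounded: `grep -m 1000 '[^0-9]<ip>[^0-9]' <logpath>` (the limit is an example value). Two smaller points on the same line: the dots in `<ip>` act as regex wildcards, and the `[^0-9]` guards miss an address at the very start or end of a log line.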
diff --git a/fail2ban/action.d/mail-whois.conf b/fail2ban/action.d/mail-whois.conf
new file mode 100644 (file)
index 0000000..e4c8450
--- /dev/null
@@ -0,0 +1,64 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = printf %%b "Hi,\n
+              The jail <name> has been started successfully.\n
+              Regards,\n
+              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = printf %%b "Hi,\n
+             The jail <name> has been stopped.\n
+             Regards,\n
+             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = printf %%b "Hi,\n
+            The IP <ip> has just been banned by Fail2Ban after
+            <failures> attempts against <name>.\n\n
+            Here is more information about <ip>:\n
+            `whois <ip> || echo missing whois program`\n
+            Regards,\n
+            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = 
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Destination/Addressee of the mail
+#
+dest = root
+
diff --git a/fail2ban/action.d/mail.conf b/fail2ban/action.d/mail.conf
new file mode 100644 (file)
index 0000000..7bf51a1
--- /dev/null
@@ -0,0 +1,62 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = printf %%b "Hi,\n
+              The jail <name> has been started successfully.\n
+              Regards,\n
+              Fail2Ban"|mail -s "[Fail2Ban] <name>: started  on `uname -n`" <dest>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = printf %%b "Hi,\n
+             The jail <name> has been stopped.\n
+             Regards,\n
+             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = printf %%b "Hi,\n
+            The IP <ip> has just been banned by Fail2Ban after
+            <failures> attempts against <name>.\n
+            Regards,\n
+            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = 
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Destination/Addressee of the mail
+#
+dest = root
+
diff --git a/fail2ban/action.d/mynetwatchman.conf b/fail2ban/action.d/mynetwatchman.conf
new file mode 100644 (file)
index 0000000..5245a4e
--- /dev/null
@@ -0,0 +1,139 @@
+# Fail2Ban configuration file
+#
+# Author: Russell Odom <russ@gloomytrousers.co.uk>
+# Submits attack reports to myNetWatchman (http://www.mynetwatchman.com/)
+#
+# You MUST configure at least:
+# <port> (the port that's being attacked - use number not name).
+# <mnwlogin> (your mNW login).
+# <mnwpass> (your mNW password).
+#
+# You SHOULD also provide:
+# <myip> (your public IP address, if it's not the address of eth0)
+# <protocol> (the protocol in use - defaults to tcp)
+#
+# Best practice is to provide <port> and <protocol> in jail.conf like this:
+# action = mynetwatchman[port=1234,protocol=udp]
+#
+# ...and create "mynetwatchman.local" with contents something like this:
+# [Init]
+# mnwlogin = me@example.com
+# mnwpass = SECRET
+# myip = 10.0.0.1
+#
+# Another useful configuration value is <getcmd>, if you don't have wget
+# installed (an example config for curl is given below)
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop =
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+#
+# Note: We are currently using <time> for the timestamp because no tag is
+# available to indicate the timestamp of the log message(s) which triggered the
+# ban. Therefore the timestamps we are using in the report, whilst often only a
+# few seconds out, are incorrect. See
+# http://sourceforge.net/tracker/index.php?func=detail&aid=2017795&group_id=121032&atid=689047
+#
+actionban = MNWLOGIN=`perl -e '$s=shift;$s=~s/([\W])/"%%".uc(sprintf("%%2.2x",ord($1)))/eg;print $s' '<mnwlogin>'`
+            MNWPASS=`perl -e '$s=shift;$s=~s/([\W])/"%%".uc(sprintf("%%2.2x",ord($1)))/eg;print $s' '<mnwpass>'`
+           PROTOCOL=`awk '{IGNORECASE=1;if($1=="<protocol>"){print $2;exit}}' /etc/protocols`
+           if [ -z "$PROTOCOL" ]; then PROTOCOL=<protocol>; fi
+           DATETIME=`perl -e '@t=gmtime(<time>);printf "%%4d-%%02d-%%02d+%%02d:%%02d:%%02d",1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0]'`
+            <getcmd> "<mnwurl>?AT=2&AV=0&AgentEmail=$MNWLOGIN&AgentPassword=$MNWPASS&AttackerIP=<ip>&SrcPort=<srcport>&ProtocolID=$PROTOCOL&DestPort=<port>&AttackCount=<failures>&VictimIP=<myip>&AttackDateTime=$DATETIME" 2>&1 >> <tmpfile>.out && grep -q 'Attack Report Insert Successful' <tmpfile>.out && rm -f <tmpfile>.out
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban =
+
+[Init]
+# Option:  port
+# Notes.:  The target port for the attack (numerical). MUST be provided in
+#          the jail config, as it cannot be detected here.
+# Values:  [ NUM ]  Default: ???
+#
+port = 0
+
+# Option:  mnwlogin
+# Notes.:  Your mNW login e-mail address. MUST be provided either in the jail
+#          config or in a .local file.
+#          Register at http://www.mynetwatchman.com/reg.asp
+# Values:  [ STRING ]  Default: (empty)
+#
+mnwlogin =
+
+# Option:  mnwpass
+# Notes.:  The password corresponding to your mNW login e-mail address. MUST be
+#          provided either in the jail config or in a .local file.
+# Values:  [ STRING ]  Default: (empty)
+#
+mnwpass =
+
+# Option:  myip
+# Notes.:  The target IP for the attack (your public IP). Should be overridden
+#          either in the jail config or in a .local file unless your PUBLIC IP
+#          is the first IP assigned to eth0
+# Values:  [ an IP address ]  Default: Tries to find the IP address of eth0,
+#          which in most cases will be a private IP, and therefore incorrect
+#
+myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'`
+
+# Option:  protocol
+# Notes.:  The protocol over which the attack is happening
+# Values:  [ tcp | udp | icmp | (any other protocol name from /etc/protocols) | NUM ] Default: tcp
+#
+protocol = tcp
+
+# Option:  getcmd
+# Notes.:  A command to fetch a URL. Should output page to STDOUT
+# Values:  CMD  Default: wget
+#
+getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 --read-timeout=60 --retry-connrefused --output-document=- --user-agent=Fail2Ban
+# Alternative value:
+# getcmd = curl --silent --show-error --retry 3 --connect-timeout 10 --max-time 60 --user-agent Fail2Ban
+
+# Option:  srcport
+# Notes.:  The source port of the attack. You're unlikely to have this info, so
+#          you can leave the default
+# Values:  [ NUM ]  Default: 0
+#
+srcport = 0
+
+# Option:  mnwurl
+# Notes.:  The report service URL on the mNW site
+# Values:  STRING  Default: http://mynetwatchman.com/insertwebreport.asp
+#
+mnwurl = http://mynetwatchman.com/insertwebreport.asp
+
+# Option:  tmpfile
+# Notes.:  Base name of temporary files
+# Values:  [ STRING ]  Default: /var/run/fail2ban/tmp-mynetwatchman
+#
+tmpfile = /var/run/fail2ban/tmp-mynetwatchman
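Review bot: `actionban` sends the mNW account password as the `AgentPassword=` query parameter to `mnwurl`, whose default is a plain `http://` URL, so the credential crosses the network unencrypted and is likely to be recorded in proxy and server logs. It is also passed as a command-line argument to `perl` and to `<getcmd>`, where other local users can read it from the process list while the command runs. If the service accepts TLS (not verifiable from this page), override `mnwurl` with the `https://` form in `mynetwatchman.local`, and keep that file readable by root only. Separately, `2>&1 >> <tmpfile>.out` leaves stderr on the original stdout; `>> <tmpfile>.out 2>&1` is needed if errors are meant to land in the file that the following `grep` inspects.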
diff --git a/fail2ban/action.d/osx-afctl.conf b/fail2ban/action.d/osx-afctl.conf
new file mode 100644 (file)
index 0000000..a319fc6
--- /dev/null
@@ -0,0 +1,16 @@
+# Fail2Ban configuration file for using afctl on Mac OS X Server 10.5
+#
+# Anonymous author
+# http://www.fail2ban.org/wiki/index.php?title=HOWTO_Mac_OS_X_Server_(10.5)&diff=prev&oldid=4081
+#
+# Ref: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/afctl.8.html
+
+[Definition]
+actionstart = 
+actionstop = 
+actioncheck = 
+actionban = /usr/libexec/afctl -a <ip> -t <bantime>
+actionunban = /usr/libexec/afctl -r <ip>
+
+[Init]
+bantime = 2880
diff --git a/fail2ban/action.d/osx-ipfw.conf b/fail2ban/action.d/osx-ipfw.conf
new file mode 100644 (file)
index 0000000..abe4009
--- /dev/null
@@ -0,0 +1,87 @@
+# Fail2Ban configuration file
+#
+# Author: Nick Munger
+# Modified by: Andy Fragen and Daniel Black
+#
+# Mod for OS X, using random rulenum as OSX ipfw doesn't include tables
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = 
+
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = 
+
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+# Values:  CMD
+#
+actionban = ipfw add <rulenum> set <setnum> <blocktype> log <block> from <ip> to <dst> <port>
+
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+# Values:  CMD
+#
+actionunban = ipfw delete `ipfw -S list | grep -i 'set <setnum> <blocktype> log <block> from <ip> to <dst>' | awk '{print $1;}'`
+
+[Init]
+
+# Option:  port
+# Notes.:  specifies port to block. Can be blank however may require block="ip"
+# Values:  [ NUM | STRING ]
+#
+port = ssh
+
+# Option:  dst
+# Notes.:  the local IP address of the network interface
+# Values:  IP, any, me or anything support by ipfw as a dst
+#
+dst = me
+
+# Option: block
+# Notes:  This is how much to block.
+#         Can be "ip", "tcp", "udp" or various other options.
+# Values: STRING
+block = tcp
+
+# Option:  blocktype
+# Notes.:  How to block the traffic. Use a action from man 8 ipfw
+#          Common values: deny, unreach port, reset
+# Values:  STRING
+#
+blocktype = unreach port
+
+# Option:  set number
+# Notes.:  The ipset number this is added to.
+# Values:  0-31
+setnum = 10
+
+# Option:  number for ipfw rule
+# Notes:   This is meant to be automatically generated and not overwritten
+# Values:  Random value between 10000 and 12000
+rulenum="`echo $((RANDOM%%2000+10000))`"
+
+# Duplicate prevention mechanism
+#rulenum = "`a=$((RANDOM%%2000+10000)); while ipfw show | grep -q ^$a\ ; do a=$((RANDOM%%2000+10000)); done; echo $a`"
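Review bot: `rulenum` draws from only 2000 values while the duplicate check on the last line is commented out, and `actionunban` removes rules by number. Since ipfw lets several rules share a number, two bans that land on the same value are presumably lifted together when the first one expires. Enabling the commented `while ipfw show | grep -q ^$a\ ` variant closes that gap. `actionunban` also runs `ipfw delete` with no argument when the inner `grep` finds nothing. The `setnum` comment calls it an "ipset number" although the value is passed as ipfw's `set <setnum>`.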
diff --git a/fail2ban/action.d/pf.conf b/fail2ban/action.d/pf.conf
new file mode 100644 (file)
index 0000000..edcaa17
--- /dev/null
@@ -0,0 +1,62 @@
+# Fail2Ban configuration file
+#
+# OpenBSD pf ban/unban
+#
+# Author: Nick Hilliard <nick@foobar.org>
+#
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+# we don't enable PF automatically, as it will be enabled elsewhere
+actionstart = 
+
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+# we don't disable PF automatically either
+actionstop = 
+
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionban = /sbin/pfctl -t <tablename> -T add <ip>/32
+
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+# note -r option used to remove matching rule
+actionunban = /sbin/pfctl -t <tablename> -T delete <ip>/32
+
+[Init]
+# Option:  tablename
+# Notes.:  The pf table name.
+# Values:  [ STRING ]
+#
+tablename = fail2ban
+
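Review bot: The comment above `actionunban`, `# note -r option used to remove matching rule`, does not match the command, which uses `-T delete` and has no `-r`; I would replace it with `# removes the address from the table`. Nothing in this file creates the table or a rule that uses it (`actionstart` is empty), so the header should say that the ruleset must already contain a table named `<tablename>` and a block rule referencing it, otherwise `actionban` adds addresses that nothing filters on. The fixed `/32` suffix in both commands also limits the action to IPv4 addresses.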
diff --git a/fail2ban/action.d/route.conf b/fail2ban/action.d/route.conf
new file mode 100644 (file)
index 0000000..123245e
--- /dev/null
@@ -0,0 +1,26 @@
+# Fail2Ban configuration file
+#
+# Author: Michael Gebetsroither
+#
+# This is for blocking whole hosts through blackhole routes.
+#
+# PRO:
+#   - Works on all kernel versions and as no compatibility problems (back to debian lenny and WAY further).
+#   - It's FAST for very large numbers of blocked ips.
+#   - It's FAST because it Blocks traffic before it enters common iptables chains used for filtering.
+#   - It's per host, ideal as action against ssh password bruteforcing to block further attack attempts.
+#   - No additional software required beside iproute/iproute2
+#
+# CON:
+#   - Blocking is per IP and NOT per service, but ideal as action against ssh password bruteforcing hosts
+
+[Definition]
+actionban   = ip route add <blocktype> <ip>
+actionunban = ip route del <blocktype> <ip>
+
+[Init]
+
+# Option:  blocktype
+# Note:    Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages.
+# Values:  STRING
+blocktype = unreachable
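Review bot: The PRO list says the action "Blocks traffic before it enters common iptables chains", but `ip route add <blocktype> <ip>` installs a route towards the banned address, which acts on replies leaving the host. Whether inbound packets from that address are dropped appears to depend on reverse-path filtering being enabled; without it, single-packet requests (UDP services, for instance) would still be delivered. I would add a CON line such as `#   - Inbound packets are only dropped when rp_filter is active; otherwise only the replies are blocked`. The file also defines no `actionstart`, `actionstop` or `actioncheck`, unlike the other actions in this commit, so routes added by `actionban` have no cleanup path of their own if fail2ban stops without unbanning.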
diff --git a/fail2ban/action.d/sendmail-buffered.conf b/fail2ban/action.d/sendmail-buffered.conf
new file mode 100644 (file)
index 0000000..80eb20a
--- /dev/null
@@ -0,0 +1,96 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[INCLUDES]
+
+before = sendmail-common.conf
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
+              From: <sendername> <<sender>>
+              To: <dest>\n
+              Hi,\n
+              The jail <name> has been started successfully.\n
+              Output will be buffered until <lines> lines are available.\n
+              Regards,\n
+              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = if [ -f <tmpfile> ]; then
+                 printf %%b "Subject: [Fail2Ban] <name>: summary from `uname -n`
+                 From: <sendername> <<sender>>
+                 To: <dest>\n
+                 Hi,\n
+                 These hosts have been banned by Fail2Ban.\n
+                 `cat <tmpfile>`
+                 Regards,\n
+                 Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+                 rm <tmpfile>
+             fi
+             printf %%b "Subject: [Fail2Ban] <name>: stopped  on `uname -n`
+             From: Fail2Ban <<sender>>
+             To: <dest>\n
+             Hi,\n
+             The jail <name> has been stopped.\n
+             Regards,\n
+             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+            LINE=$( wc -l <tmpfile> | awk '{ print $1 }' )
+            if [ $LINE -ge <lines> ]; then
+                printf %%b "Subject: [Fail2Ban] <name>: summary from `uname -n`
+                From: <sendername> <<sender>>
+                To: <dest>\n
+                Hi,\n
+                These hosts have been banned by Fail2Ban.\n
+                `cat <tmpfile>`
+                Regards,\n
+                Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+                rm <tmpfile>
+            fi
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = 
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Default number of lines that are buffered
+#
+lines = 5
+
+# Default temporary file
+#
+tmpfile = /var/run/fail2ban/tmp-mail.txt
+
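Review bot: The "stopped" message in `actionstop` uses `From: Fail2Ban <<sender>>` while every other message in the file uses `From: <sendername> <<sender>>`, so a `sendername` override in sendmail-common.local is ignored for that one mail. Changing the line to `From: <sendername> <<sender>>` makes them agree. None of the messages here set a `Date:` header, whereas sendmail-whois-lines.conf in this commit adds one with `LC_TIME=C date -u`; adding the same line keeps the generated mails consistent across the sendmail actions.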
diff --git a/fail2ban/action.d/sendmail-common.conf b/fail2ban/action.d/sendmail-common.conf
new file mode 100644 (file)
index 0000000..e282047
--- /dev/null
@@ -0,0 +1,23 @@
+# Fail2Ban configuration file
+#
+# Common settings for sendmail actions
+#
+# Users can override the defaults in sendmail-common.local
+
+[INCLUDES]
+
+after = sendmail-common.local
+
+[Init]
+
+# Recipient mail address
+#
+dest = root
+
+# Sender mail address
+#
+sender = fail2ban
+
+# Sender display name
+#
+sendername = Fail2Ban
diff --git a/fail2ban/action.d/sendmail-whois-lines.conf b/fail2ban/action.d/sendmail-whois-lines.conf
new file mode 100644 (file)
index 0000000..e97868b
--- /dev/null
@@ -0,0 +1,82 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[INCLUDES]
+
+before = sendmail-common.conf
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
+              Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+              From: <sendername> <<sender>>
+              To: <dest>\n
+              Hi,\n
+              The jail <name> has been started successfully.\n
+              Regards,\n
+              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n`
+             Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+             From: <sendername> <<sender>>
+             To: <dest>\n
+             Hi,\n
+             The jail <name> has been stopped.\n
+             Regards,\n
+             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
+            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+            From: <sendername> <<sender>>
+            To: <dest>\n
+            Hi,\n
+            The IP <ip> has just been banned by Fail2Ban after
+            <failures> attempts against <name>.\n\n
+            Here is more information about <ip>:\n
+            `/usr/bin/whois <ip> || echo missing whois program`\n\n
+            Lines containing IP:<ip> in <logpath>\n
+            `grep '[^0-9]<ip>[^0-9]' <logpath>`\n\n
+            Regards,\n
+            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = 
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Path to the log files which contain relevant lines for the abuser IP
+#
+logpath = /dev/null
+
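Review bot: In `actionban` the log excerpt is selected with `grep '[^0-9]<ip>[^0-9]' <logpath>`, where the dots of the substituted address act as regex wildcards and a character is required on both sides, so unrelated lines can be included and a line that begins or ends with the address is missed. The output is also unbounded, so a noisy source can make each ban mail arbitrarily large, and whatever the client caused to be logged (user names, request strings) is mailed in clear to `<dest>`. A fixed-string, bounded match such as `grep -wF -m 1000 -- '<ip>' <logpath>` (the limit is an example value) would be tighter. The matched lines are expanded inside the `printf %%b` argument, so backslash sequences in them are interpreted rather than reproduced verbatim.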
diff --git a/fail2ban/action.d/sendmail-whois.conf b/fail2ban/action.d/sendmail-whois.conf
new file mode 100644 (file)
index 0000000..e428c44
--- /dev/null
@@ -0,0 +1,76 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[INCLUDES]
+
+before = sendmail-common.conf
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
+              Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+              From: <sendername> <<sender>>
+              To: <dest>\n
+              Hi,\n
+              The jail <name> has been started successfully.\n
+              Regards,\n
+              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n`
+             Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+             From: <sendername> <<sender>>
+             To: <dest>\n
+             Hi,\n
+             The jail <name> has been stopped.\n
+             Regards,\n
+             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
+            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+            From: <sendername> <<sender>>
+            To: <dest>\n
+            Hi,\n
+            The IP <ip> has just been banned by Fail2Ban after
+            <failures> attempts against <name>.\n\n
+            Here is more information about <ip>:\n
+            `/usr/bin/whois <ip> || echo missing whois program`\n
+            Regards,\n
+            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = 
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
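Review bot: The `actionban` command runs `/usr/bin/whois <ip>` inline with no time limit, so a slow or unreachable whois server appears able to hold up the ban command itself, and every ban sends an outbound query that discloses the banned address to a third party. The reply is remote-controlled text expanded inside the `printf %%b` argument, where backslash sequences are interpreted. Bounding the lookup, e.g. `timeout 10 /usr/bin/whois <ip> || echo whois lookup failed or timed out` (10 s is an example value), keeps the notification from delaying enforcement; the same construct is in sendmail-whois-lines.conf. Where ban latency matters, the plain sendmail.conf action avoids the lookup entirely.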
diff --git a/fail2ban/action.d/sendmail.conf b/fail2ban/action.d/sendmail.conf
new file mode 100644 (file)
index 0000000..70f3832
--- /dev/null
@@ -0,0 +1,74 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[INCLUDES]
+
+before = sendmail-common.conf
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
+              Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+              From: <sendername> <<sender>>
+              To: <dest>\n
+              Hi,\n
+              The jail <name> has been started successfully.\n
+              Regards,\n
+              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n`
+             Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+             From: <sendername> <<sender>>
+             To: <dest>\n
+             Hi,\n
+             The jail <name> has been stopped.\n
+             Regards,\n
+             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
+            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+            From: <sendername> <<sender>>
+            To: <dest>\n
+            Hi,\n
+            The IP <ip> has just been banned by Fail2Ban after
+            <failures> attempts against <name>.\n
+            Regards,\n
+            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = 
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
diff --git a/fail2ban/action.d/shorewall.conf b/fail2ban/action.d/shorewall.conf
new file mode 100644 (file)
index 0000000..81ac051
--- /dev/null
@@ -0,0 +1,57 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+# The default Shorewall configuration is with "BLACKLISTNEWONLY=Yes" (see
+# file /etc/shorewall/shorewall.conf). This means that when Fail2ban adds a
+# new shorewall rule to ban an IP address, that rule will affect only new
+# connections. So if the attempter goes on trying using the same connection
+# he could even log in. In order to get the same behavior of the iptable
+# action (so that the ban is immediate) the /etc/shorewall/shorewall.conf
+# file should me modified with "BLACKLISTNEWONLY=No".
+# 
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = 
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = 
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = shorewall <blocktype> <ip>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = shorewall allow <ip>
+
+[Init]
+
+# Option:  blocktype
+# Note:    This is what the action does with rules.
+#          See man page of shorewall for options that include drop, logdrop, reject, or logreject
+# Values:  STRING
+blocktype = reject
diff --git a/fail2ban/action.d/ufw.conf b/fail2ban/action.d/ufw.conf
new file mode 100644 (file)
index 0000000..c826729
--- /dev/null
@@ -0,0 +1,40 @@
+# Fail2Ban action configuration file for ufw
+#
+# You are required to run "ufw enable" before this will have an effect.
+#
+# The insert position should be approprate to block the required traffic.
+# A number after an allow rule to the application won't be much use.
+
+[Definition]
+
+actionstart = 
+
+actionstop = 
+
+actioncheck = 
+
+actionban = [ -n "<application>" ] && app="app <application>" ; ufw insert <insertpos> <blocktype> from <ip> to <destination> $app
+
+actionunban = [ -n "<application>" ] && app="app <application>" ; ufw delete <blocktype> from <ip> to <destination> $app
+
+[Init]
+# Option: insertpos
+# Notes.:  The postition number in the firewall list to insert the block rule
+insertpos = 1
+
+# Option: blocktype
+# Notes.: reject or deny
+blocktype = reject
+
+# Option: destination
+# Notes.: The destination address to block in the ufw rule
+destination = any
+
+# Option: application
+# Notes.: application from sudo ufw app list
+application = 
+
+# DEV NOTES:
+# 
+# Author: Guilhem Lettron
+# Enhancements: Daniel Black
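Review bot: `actionstart` and `actioncheck` are empty, so nothing verifies the precondition stated in the header comment (ufw must be enabled); with ufw inactive the `ufw insert` in `actionban` may still exit successfully, and the jail would then report bans that filter no traffic. A check such as `actioncheck = ufw status | grep -q 'Status: active'` would surface that state in the Fail2Ban log instead. Separately, `$app` is assigned only when `<application>` is non-empty and is never reset, which is harmless only if each command runs in a fresh shell; a comment next to `actionban` saying so would help.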
diff --git a/fail2ban/fail2ban.conf b/fail2ban/fail2ban.conf
new file mode 100644 (file)
index 0000000..8300179
--- /dev/null
@@ -0,0 +1,50 @@
+# Fail2Ban main configuration file
+#
+# Comments: use '#' for comment lines and ';' (following a space) for inline comments
+#
+# Changes:  in most of the cases you should not modify this
+#           file, but provide customizations in fail2ban.local file, e.g.:
+#
+# [Definition]
+# loglevel = 4
+#
+
+[Definition]
+
+# Option: loglevel
+# Notes.: Set the log level output.
+#         1 = ERROR
+#         2 = WARN
+#         3 = INFO
+#         4 = DEBUG
+# Values: [ NUM ]  Default: 1
+#
+loglevel = 3
+
+# Option: logtarget
+# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
+#         Only one log target can be specified.
+#         If you change logtarget from the default value and you are
+#         using logrotate -- also adjust or disable rotation in the
+#         corresponding configuration file
+#         (e.g. /etc/logrotate.d/fail2ban on Debian systems)
+# Values: [ STDOUT | STDERR | SYSLOG | FILE ]  Default: STDERR
+#
+logtarget = /var/log/fail2ban.log
+
+# Option: socket
+# Notes.: Set the socket file. This is used to communicate with the daemon. Do
+#         not remove this file when Fail2ban runs. It will not be possible to
+#         communicate with the server afterwards.
+# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.sock
+#
+socket = /var/run/fail2ban/fail2ban.sock
+
+# Option: pidfile
+# Notes.: Set the PID file. This is used to store the process ID of the
+#         fail2ban server.
+# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.pid
+#
+pidfile = /var/run/fail2ban/fail2ban.pid
+
+# vim: filetype=dosini
diff --git a/fail2ban/filter.d/3proxy.conf b/fail2ban/filter.d/3proxy.conf
new file mode 100644 (file)
index 0000000..299c3a2
--- /dev/null
@@ -0,0 +1,18 @@
+# Fail2Ban filter for 3proxy
+#
+#
+
+[Definition]
+
+
+failregex = ^\s[+-]\d{4} \S+ \d{3}0[1-9] \S+ <HOST>:\d+ [\d.]+:\d+ \d+ \d+ \d+\s
+
+ignoreregex = 
+
+# DEV Notes:
+# http://www.3proxy.ru/howtoe.asp#ERRORS indicates that 01-09 are
+# all authentication problems (%E field)
+# Log format is: "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
+#
+# Requested by ykimon in https://github.com/fail2ban/fail2ban/issues/246
+# Author: Daniel Black
diff --git a/fail2ban/filter.d/apache-auth.conf b/fail2ban/filter.d/apache-auth.conf
new file mode 100644 (file)
index 0000000..f421348
--- /dev/null
@@ -0,0 +1,56 @@
+# Fail2Ban apache-auth filter
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# apache-common.local
+before = apache-common.conf
+
+[Definition]
+
+
+failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$
+            ^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
+            ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*?: password mismatch: \S*(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*?' in realm `.+' (not found|denied by provider): \S*(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s (AH01631: )?user .*?: authorization failure for "\S*":(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*?' but expected `.+'(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*?' received: \S*(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s (AH01793: )?invalid qop `.*?' received: \S*(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .*? received - user attempted time travel(, referer: \S+)?\s*$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# This filter matches the authorization failures of Apache. It takes the log messages
+# from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or
+# HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR.
+#
+# An unauthorized response 401 is the first step for a browser to instigate authentication
+# however apache doesn't log this as an error. Only subsequent errors are logged in the 
+# error log.
+#
+# Source:
+#
+# By searching the code in http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/*
+# for ap_log_rerror(APLOG_MARK, APLOG_ERR and examining resulting return code should get
+# all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core
+# to return the actual failure.
+#
+# See also: http://wiki.apache.org/httpd/ListOfErrors
+# Expressions that don't have tests and aren't common.
+# more be added with  https://issues.apache.org/bugzilla/show_bug.cgi?id=55284 
+#     ^%(_apache_error_client)s (AH01778: )?user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
+#     ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$
+#     ^%(_apache_error_client)s (AH02486: )?realm mismatch - got `.*' but no realm specified\s*$
+#
+# referer is always in error log messages if it exists added as per the log_error_core function in server/log.c
+# 
+# Author: Cyril Jaquier
+# Major edits by Daniel Black
diff --git a/fail2ban/filter.d/apache-badbots.conf b/fail2ban/filter.d/apache-badbots.conf
new file mode 100644 (file)
index 0000000..b2ac962
--- /dev/null
@@ -0,0 +1,21 @@
+# Fail2Ban configuration file
+#
+# Regexp to catch known spambots and software alike. Please verify
+# that it is your intent to block IPs which were driven by
+# above mentioned bots.
+
+
+[Definition]
+
+badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
+badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots&#44; +http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 
11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
+
+failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
+
+ignoreregex =
+
+# DEV Notes:
+# List of bad bots fetched from http://www.user-agents.org
+# Generated on Thu Nov  7 14:23:35 PST 2013 by files/gen_badbots.
+#
+# Author: Yaroslav Halchenko
diff --git a/fail2ban/filter.d/apache-common.conf b/fail2ban/filter.d/apache-common.conf
new file mode 100644 (file)
index 0000000..6059148
--- /dev/null
@@ -0,0 +1,21 @@
+# Generic configuration items (to be used as interpolations) in other
+# apache filters.
+
+[INCLUDES]
+
+# Load customizations if any available
+after = apache-common.local
+
+[DEFAULT]
+
+_apache_error_client = \[[^]]*\] \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\]
+
+# Common prefix for [error] apache messages which also would include <HOST>
+# Depending on the version it could be
+# 2.2: [Sat Jun 01 11:23:08 2013] [error] [client 1.2.3.4]
+# 2.4: [Thu Jun 27 11:55:44.569531 2013] [core:info] [pid 4101:tid 2992634688] [client 1.2.3.4:46652]
+# 2.4 (perfork): [Mon Dec 23 07:49:01.981912 2013] [:error] [pid 3790] [client 204.232.202.107:46301] script '/var/www/timthumb.php' not found or unable to 
+#
+# Reference: https://github.com/fail2ban/fail2ban/issues/268
+#
+# Author: Yaroslav Halchenko
diff --git a/fail2ban/filter.d/apache-modsecurity.conf b/fail2ban/filter.d/apache-modsecurity.conf
new file mode 100644 (file)
index 0000000..ad7e9b2
--- /dev/null
@@ -0,0 +1,18 @@
+# Fail2Ban apache-modsec filter
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# apache-common.local
+before = apache-common.conf
+
+[Definition]
+
+
+failregex = ^%(_apache_error_client)s ModSecurity:  (\[.*?\] )*Access denied with code [45]\d\d.*$
+
+ignoreregex = 
+
+# https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats
+# Author: Daniel Black
diff --git a/fail2ban/filter.d/apache-nohome.conf b/fail2ban/filter.d/apache-nohome.conf
new file mode 100644 (file)
index 0000000..358d6d3
--- /dev/null
@@ -0,0 +1,20 @@
+# Fail2Ban filter to web requests for home directories on Apache servers
+#
+# Regex to match failures to find a home directory on a server, which
+# became popular last days. Most often attacker just uses IP instead of
+# domain name -- so expect to see them in generic error.log if you have
+# per-domain log files.
+
+[INCLUDES]
+
+# overwrite with apache-common.local if _apache_error_client is incorrect.
+before = apache-common.conf
+
+[Definition]
+
+
+failregex = ^%(_apache_error_client)s (AH00128: )?File does not exist: .*/~.*
+
+ignoreregex = 
+
+# Author: Yaroslav O. Halchenko <debian@onerussian.com>
diff --git a/fail2ban/filter.d/apache-noscript.conf b/fail2ban/filter.d/apache-noscript.conf
new file mode 100644 (file)
index 0000000..9a591ca
--- /dev/null
@@ -0,0 +1,24 @@
+# Fail2Ban filter to block web requests for scripts (on non scripted websites)
+#
+#
+
+[INCLUDES]
+
+# overwrite with apache-common.local if _apache_error_client is incorrect.
+before = apache-common.conf
+
+[Definition]
+
+failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): /\S*(php([45]|[.-]cgi)?|\.asp|\.exe|\.pl)(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s script '/\S*(php([45]|[.-]cgi)?|\.asp|\.exe|\.pl)\S*' not found or unable to stat(, referer: \S+)?\s*$
+
+ignoreregex = 
+
+
+# DEV Notes:
+#
+# https://wiki.apache.org/httpd/ListOfErrors for apache error IDs
+#
+# Second regex, script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$ is Before http-2.2
+#
+# Author: Cyril Jaquier
diff --git a/fail2ban/filter.d/apache-overflows.conf b/fail2ban/filter.d/apache-overflows.conf
new file mode 100644 (file)
index 0000000..74e44b8
--- /dev/null
@@ -0,0 +1,36 @@
+# Fail2Ban filter to block web requests on a long or suspicious nature
+#
+
+[INCLUDES]
+
+# overwrite with apache-common.local if _apache_error_client is incorrect.
+before = apache-common.conf
+
+[Definition]
+
+failregex = ^%(_apache_error_client)s ((AH0013[456]: )?Invalid (method|URI) in request .*( - possible attempt to establish SSL connection on non-SSL port)?|(AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string: .*|AH00566: request failed: invalid characters in URI)(, referer: \S+)?$
+
+ignoreregex =
+
+# DEV Notes:
+# 
+# fgrep -r 'URI too long' httpd-2.*
+#   httpd-2.2.25/server/protocol.c:                          "request failed: URI too long (longer than %d)", r->server->limit_req_line);
+#   httpd-2.4.4/server/protocol.c:                              "request failed: URI too long (longer than %d)",
+#
+# fgrep -r 'in request' ../httpd-2.* | fgrep Invalid
+#   httpd-2.2.25/server/core.c:                     "Invalid URI in request %s", r->the_request);
+#   httpd-2.2.25/server/core.c:                          "Invalid method in request %s", r->the_request);
+#   httpd-2.2.25/docs/manual/rewrite/flags.html.fr:avertissements 'Invalid URI in request'.
+#   httpd-2.4.4/server/core.c:                     "Invalid URI in request %s", r->the_request);
+#   httpd-2.4.4/server/core.c:                              "Invalid method in request %s - possible attempt to establish SSL connection on non-SSL port", r->the_request);
+#   httpd-2.4.4/server/core.c:                              "Invalid method in request %s", r->the_request);
+#
+# fgrep -r 'invalid characters in URI' httpd-2.*
+#   httpd-2.4.4/server/protocol.c:                              "request failed: invalid characters in URI");
+#
+# http://svn.apache.org/viewvc/httpd/httpd/trunk/server/core.c?r1=739382&r2=739620&pathrev=739620
+#   ...possible attempt to establish SSL connection on non-SSL port
+#
+# https://wiki.apache.org/httpd/ListOfErrors
+# Author: Tim Connors
diff --git a/fail2ban/filter.d/assp.conf b/fail2ban/filter.d/assp.conf
new file mode 100644 (file)
index 0000000..2aa8958
--- /dev/null
@@ -0,0 +1,24 @@
+# Fail2Ban filter for Anti-Spam SMTP Proxy Server also known as ASSP
+# 
+#    Honmepage:   http://www.magicvillage.de/~Fritz_Borgstedt/assp/0003D91C-8000001C/
+#    ProjektSite: http://sourceforge.net/projects/assp/?source=directory
+#
+#
+
+[Definition] 
+
+__assp_actions = (?:dropping|refusing)
+
+failregex = ^(:? \[SSL-out\])? <HOST> max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: \w+;$
+                       ^(?: \[SSL-out\])? <HOST> SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$
+                       ^ Blocking <HOST> - too much AUTH errors \(\d{,3}\);$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
+#           Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
+#           Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded 
+#
+# Author: Enrico Labedzki (enrico.labedzki@deiwos.de)
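Review bot: The first `failregex` line opens with `(:? \[SSL-out\])?`, which looks like a transposition of the non-capturing `(?:` used on the second line; as written it is a capturing group that accepts an optional literal colon. The same line has an unescaped dot in `\d{1}\.\d{1}.\d{1}`, which matches any character where a literal separator is meant. Suggested: start the line with `^(?: \[SSL-out\])? <HOST> max sender authentication errors` and write the three-part code as `\d\.\d\.\d`. Neither slip changes which address is captured, but both make the pattern looser than its neighbours.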
diff --git a/fail2ban/filter.d/asterisk.conf b/fail2ban/filter.d/asterisk.conf
new file mode 100644 (file)
index 0000000..54b2db7
--- /dev/null
@@ -0,0 +1,39 @@
+# Fail2Ban filter for asterisk authentication failures
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = asterisk
+
+__pid_re = (?:\[\d+\])
+
+# All Asterisk log messages begin like this:
+log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?
+
+failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
+            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
+            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
+            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
+            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
+            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
+            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
+            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
+            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
+
+ignoreregex =
+
+
+# Author: Xavier Devlamynck / Daniel Black
+#
+# General log format - main/logger.c:ast_log
+# Address format - ast_sockaddr_stringify
+#
+# First regex: channels/chan_sip.c
+#
+# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog
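Review bot: Two `failregex` lines take `<HOST>` from the host part of a SIP URI in the message text (`Failed to authenticate (user|device) [^@]+@<HOST>\S*$` and the `Sending fake auth rejection ... <sip:[^@]+@<HOST>>` line) rather than from a transport-level address. If that URI is copied from what the client sent, which cannot be confirmed from this file, the banned address is one the sender chose and a legitimate peer could be locked out. The `SecurityEvent=... RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"` line is the safer source; consider dropping the two URI-based lines in a local override, or protecting known peers with `ignoreip` in the jail. The first regex also lists `Not a local domain` twice in its alternation.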
diff --git a/fail2ban/filter.d/common.conf b/fail2ban/filter.d/common.conf
new file mode 100644 (file)
index 0000000..ae8e8b7
--- /dev/null
@@ -0,0 +1,56 @@
+# Generic configuration items (to be used as interpolations) in other
+# filters  or actions configurations
+#
+
+[INCLUDES]
+
+# Load customizations if any available
+after = common.local
+
+
+[DEFAULT]
+
+# Daemon definition is to be specialized (if needed) in .conf file
+_daemon = \S*
+
+#
+# Shortcuts for easier comprehension of the failregex
+#
+# PID.
+# EXAMPLES: [123]
+__pid_re = (?:\[\d+\])
+
+# Daemon name (with optional source_file:line or whatever)
+# EXAMPLES: pam_rhosts_auth, [sshd], pop(pam_unix)
+__daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?
+
+# extra daemon info
+# EXAMPLE: [ID 800047 auth.info]
+__daemon_extra_re = (?:\[ID \d+ \S+\])
+
+# Combinations of daemon name and PID
+# EXAMPLES: sshd[31607], pop(pam_unix)[4920]
+__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:?)
+
+# Some messages have a kernel prefix with a timestamp
+# EXAMPLES: kernel: [769570.846956]
+__kernel_prefix = kernel: \[ *\d+\.\d+\]
+
+__hostname = \S+
+
+# A MD5 hex
+# EXAMPLES: 07:06:27:55:b0:e3:0c:3c:5a:28:2d:7c:7e:4c:77:5f
+__md5hex = (?:[\da-f]{2}:){15}[\da-f]{2}
+
+# bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or
+# <auth.info> appearing before the host as per testcases/files/logs/bsd/*.
+__bsd_syslog_verbose = (<[^.]+\.[^.]+>)
+
+# Common line prefixes (beginnings) which could be used in filters
+#
+#      [bsdverbose]? [hostname] [vserver tag] daemon_id spaces
+#
+# This can be optional (for instance if we match named native log files)
+__prefix_line = \s*%(__bsd_syslog_verbose)s?\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s%(__daemon_extra_re)s?\s*
+
+# Author: Yaroslav Halchenko
diff --git a/fail2ban/filter.d/courierlogin.conf b/fail2ban/filter.d/courierlogin.conf
new file mode 100644 (file)
index 0000000..1170a63
--- /dev/null
@@ -0,0 +1,19 @@
+# Fail2Ban filter for courier authentication failures
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)?
+
+failregex = ^%(__prefix_line)sLOGIN FAILED, user=.*, ip=\[<HOST>\]$
+
+ignoreregex = 
+
+# Author: Christoph Haas
+# Modified by: Cyril Jaquier
diff --git a/fail2ban/filter.d/couriersmtp.conf b/fail2ban/filter.d/couriersmtp.conf
new file mode 100644 (file)
index 0000000..2b9a13f
--- /dev/null
@@ -0,0 +1,19 @@
+# Fail2Ban filter to block relay attempts though a Courier smtp server
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = courieresmtpd
+
+failregex = ^%(__prefix_line)serror,relay=<HOST>,.*: 550 User unknown\.$
+
+ignoreregex = 
+
+# Author: Cyril Jaquier
diff --git a/fail2ban/filter.d/cyrus-imap.conf b/fail2ban/filter.d/cyrus-imap.conf
new file mode 100644 (file)
index 0000000..3560234
--- /dev/null
@@ -0,0 +1,20 @@
+# Fail2Ban filter for authentication failures on Cyrus imap server
+#
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = (?:cyrus/)?(?:imapd?|pop3d?)
+
+failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ .*?\[?SASL\(-13\): authentication failure: .*\]?$
+
+ignoreregex = 
+
+# Author: Jan Wagner <waja@cyconet.org>
diff --git a/fail2ban/filter.d/dovecot.conf b/fail2ban/filter.d/dovecot.conf
new file mode 100644 (file)
index 0000000..864e9f8
--- /dev/null
@@ -0,0 +1,25 @@
+# Fail2Ban filter Dovecot authentication and pop3/imap server
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (auth|dovecot(-auth)?|auth-worker)
+
+failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
+            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
+            ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
+
+ignoreregex = 
+
+# DEV Notes:
+# * the first regex is essentially a copy of pam-generic.conf
+# * Probably doesn't do dovecot sql/ldap backends properly
+# * Removed the 'no auth attempts' log lines from the matches because produces
+#    lots of false positives on misconfigured MTAs making regexp unuseable
+#
+# Author: Martin Waschbuesch
+#         Daniel Black (rewrote with begin and end anchors)
diff --git a/fail2ban/filter.d/dropbear.conf b/fail2ban/filter.d/dropbear.conf
new file mode 100644 (file)
index 0000000..288b088
--- /dev/null
@@ -0,0 +1,48 @@
+# Fail2Ban filter for dropbear
+#
+# NOTE: The regex below is ONLY intended to work with a patched
+# version of Dropbear as described here:
+# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
+#            ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
+#
+# The standard Dropbear output doesn't provide enough information to
+# ban all types of attack.  The Dropbear patch adds IP address
+# information to the 'exit before auth' message which is always
+# produced for any form of non-successful login. It is that message
+# which this file matches.
+#
+# More information: http://bugs.debian.org/546913
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = dropbear
+
+failregex = ^%(__prefix_line)s[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
+            ^%(__prefix_line)s[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
+            ^%(__prefix_line)s[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# The first two regexs here match the unmodified dropbear messages. It isn't
+# possible to match the source of the 'exit before auth' messages from dropbear
+# as they don't include the "from <HOST>" bit.
+#
+# The second last failregex line we need to match with the modified dropbear.
+#
+# For the second regex the following apply:
+#
+# http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c
+# http://svn.dd-wrt.com/changeset/16642#file64
+#
+# http://svn.dd-wrt.com/changeset/16642/src/router/dropbear/svr-authpasswd.c
+#
+# Author: Francis Russell
+#         Zak B. Elep
diff --git a/fail2ban/filter.d/ejabberd-auth.conf b/fail2ban/filter.d/ejabberd-auth.conf
new file mode 100644 (file)
index 0000000..1e15ebc
--- /dev/null
@@ -0,0 +1,19 @@
+# Fail2Ban configuration file
+#
+# Author: Steven Hiscocks
+#
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+#          Multiline regexs should use tag "<SKIPLINES>" to separate lines.
+#          This allows lines between the matching lines to continue to be
+#          searched for other failures. This tag can be used multiple times.
+# Values:  TEXT
+#
+failregex = ^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:wait_for_feature_request:\d+ \([^\)]+\) Failed authentication for \S+ from IP <HOST>$
diff --git a/fail2ban/filter.d/exim-common.conf b/fail2ban/filter.d/exim-common.conf
new file mode 100644 (file)
index 0000000..1c0a0a2
--- /dev/null
@@ -0,0 +1,18 @@
+# Fail2Ban filter file for common exim expressions
+#
+# This is to be used by other exim filters
+
+[INCLUDES]
+
+# Load customizations if any available
+after = exim-common.local
+
+[Definition]
+
+host_info = H=([\w.-]+ )?(\(\S+\) )?\[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?(U=\S+ )?(P=e?smtp )?
+pid = ( \[\d+\])?
+
+# DEV Notes:
+# From exim source code: ./src/receive.c:add_host_info_for_log
+#
+# Author:  Daniel Black
diff --git a/fail2ban/filter.d/exim-spam.conf b/fail2ban/filter.d/exim-spam.conf
new file mode 100644 (file)
index 0000000..7c02215
--- /dev/null
@@ -0,0 +1,24 @@
+# Fail2Ban filter for exim the spam rejection messages
+#
+## For the SA: Action: silently tossed message... to be logged exim's SAdevnull option needs to be used.
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# exim-common.local
+before = exim-common.conf
+
+[Definition]
+
+failregex =  ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$
+             ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: .*dnsbl.*\s*$
+             ^%(pid)s \S+ %(host_info)sF=(<>|[^@]+@\S+) rejected after DATA: This message contains a virus \(\S+\)\.\s*$
+             ^%(pid)s \S+ SA: Action: silently tossed message: score=\d+\.\d+ required=\d+\.\d+ trigger=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=(\S+ )?\[<HOST>\]\) for \S+$
+
+ignoreregex = 
+
+# DEV Notes:
+# The %(host_info) defination contains a <HOST> match
+#
+# Author: Cyril Jaquier
+#         Daniel Black (rewrote with strong regexs)
diff --git a/fail2ban/filter.d/exim.conf b/fail2ban/filter.d/exim.conf
new file mode 100644 (file)
index 0000000..b5028f0
--- /dev/null
@@ -0,0 +1,32 @@
+# Fail2Ban filter for exim
+#
+# This includes the rejection messages of exim. For spam and filter
+# related bans use the exim-spam.conf
+#
+
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# exim-common.local
+before = exim-common.conf
+
+[Definition]
+
+failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
+             ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
+             ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
+             ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
+             ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
+
+ignoreregex = 
+
+# DEV Notes:
+# The %(host_info) defination contains a <HOST> match
+#
+# SMTP protocol synchronization error \([^)]*\)  <- This needs to be non-greedy
+# to void capture beyond ")" to avoid a DoS Injection vulnerabilty as input= is
+# user injectable data.
+#
+# Author: Cyril Jaquier
+#         Daniel Black (rewrote with strong regexs)
diff --git a/fail2ban/filter.d/freeswitch.conf b/fail2ban/filter.d/freeswitch.conf
new file mode 100644 (file)
index 0000000..ecc4a8b
--- /dev/null
@@ -0,0 +1,23 @@
+# Fail2Ban configuration file
+#
+# Enable "log-auth-failures" on each Sofia profile to monitor
+# <param name="log-auth-failures" value="true"/>
+# -- this requires a high enough loglevel on your logs to save these messages.
+#
+# In the fail2ban jail.local file for this filter set ignoreip to the internal
+# IP addresses on your LAN.
+#
+
+[Definition]
+
+failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
+            ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$
+
+ignoreregex =
+
+# Author: Rupa SChomaker, soapee01, Daniel Black
+# http://wiki.freeswitch.org/wiki/Fail2ban
+# Thanks to Jim on mailing list of samples and guidance
+#
+# No need to match the following. Its a duplicate of the SIP auth regex.
+#  ^\.\d+ \[DEBUG\] sofia\.c:\d+ IP <HOST> Rejected by acl "\S+"\. Falling back to Digest auth\.$
diff --git a/fail2ban/filter.d/groupoffice.conf b/fail2ban/filter.d/groupoffice.conf
new file mode 100644 (file)
index 0000000..d5a4e4d
--- /dev/null
@@ -0,0 +1,14 @@
+# Fail2Ban filter for Group-Office
+#
+# Enable logging with:
+# $config['info_log']='/home/groupoffice/log/info.log';
+#
+
+[Definition]
+
+failregex = ^\[\]LOGIN FAILED for user: "\S+" from IP: <HOST>$
+
+
+
+# Author: Daniel Black
+
diff --git a/fail2ban/filter.d/gssftpd.conf b/fail2ban/filter.d/gssftpd.conf
new file mode 100644 (file)
index 0000000..5f9fb6a
--- /dev/null
@@ -0,0 +1,18 @@
+# Fail2Ban filter file for gssftp
+#
+# Note: gssftp is part of the krb5-appl-servers in Fedora
+#
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = ftpd
+
+failregex = ^%(__prefix_line)srepeated login failures from <HOST> \(\S+\)$
+
+ignoreregex = 
+
+# Author: Kevin Zembower
+# Edited: Daniel Black - syslog based daemon
diff --git a/fail2ban/filter.d/horde.conf b/fail2ban/filter.d/horde.conf
new file mode 100644 (file)
index 0000000..b94ebf6
--- /dev/null
@@ -0,0 +1,16 @@
+# fail2ban filter configuration for horde
+
+
+[Definition]
+
+
+failregex = ^ HORDE \[error\] \[(horde|imp)\] FAILED LOGIN for \S+ \[<HOST>\](\(forwarded for \[\S+\]\))? to (Horde|{[^}]+}) \[(pid \d+ )?on line \d+ of \S+\]$
+
+
+ignoreregex = 
+
+# DEV NOTES:
+# https://github.com/horde/horde/blob/master/imp/lib/Auth.php#L132
+# https://github.com/horde/horde/blob/master/horde/login.php
+# 
+# Author: Daniel Black
diff --git a/fail2ban/filter.d/lighttpd-auth.conf b/fail2ban/filter.d/lighttpd-auth.conf
new file mode 100644 (file)
index 0000000..3bd01f2
--- /dev/null
@@ -0,0 +1,10 @@
+# Fail2Ban filter to match wrong passwords as notified by lighttpd's auth Module
+#
+
+[Definition]
+
+failregex = ^: \(http_auth\.c\.\d+\) (password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: <HOST>\s*$
+
+ignoreregex = 
+
+# Author: Francois Boulogne <fboulogne@april.org>
diff --git a/fail2ban/filter.d/mysqld-auth.conf b/fail2ban/filter.d/mysqld-auth.conf
new file mode 100644 (file)
index 0000000..92dc9a9
--- /dev/null
@@ -0,0 +1,32 @@
+# Fail2Ban filter for unsuccesfull MySQL authentication attempts
+#
+#
+# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld]:
+# log-error=/var/log/mysqld.log
+# log-warning = 2
+#
+# If using mysql syslog [mysql_safe] has syslog in /etc/my.cnf
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = mysqld
+
+failregex = ^%(__prefix_line)s(\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[Warning\] Access denied for user '\w+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# Technically __prefix_line can equate to an empty string hence it can support
+# syslog and non-syslog at once.
+# Example:
+# 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
+#
+# Authors: Artur Penttinen
+#          Yaroslav O. Halchenko
diff --git a/fail2ban/filter.d/nagios.conf b/fail2ban/filter.d/nagios.conf
new file mode 100644 (file)
index 0000000..0429d3f
--- /dev/null
@@ -0,0 +1,17 @@
+# Fail2Ban filter for Nagios Remote Plugin Executor (nrpe2)
+# Detecting unauthorized access to the nrpe2 daemon 
+# typically logged in /var/log/messages syslog
+#
+
+[INCLUDES]
+# Read syslog common prefixes
+before = common.conf
+
+[Definition]
+_daemon     = nrpe
+failregex   = ^%(__prefix_line)sHost <HOST> is not allowed to talk to us!\s*$
+ignoreregex =
+
+# DEV Notes:
+# 
+# Author: Ivo Truxa - 2014/02/03
diff --git a/fail2ban/filter.d/named-refused.conf b/fail2ban/filter.d/named-refused.conf
new file mode 100644 (file)
index 0000000..be997bd
--- /dev/null
@@ -0,0 +1,48 @@
+# Fail2Ban filter file for named (bind9).
+#
+
+# This filter blocks attacks against named (bind9) however it requires special
+# configuration on bind.
+#
+# By default, logging is off with bind9 installation.
+#
+# You will need something like this in your named.conf to provide proper logging.
+#
+# logging {
+#     channel security_file {
+#         file "/var/log/named/security.log" versions 3 size 30m;
+#         severity dynamic;
+#         print-time yes;
+#     };
+#     category security {
+#         security_file;
+#     };
+# };
+
+[Definition]
+
+# Daemon name
+_daemon=named
+
+# Shortcuts for easier comprehension of the failregex
+
+__pid_re=(?:\[\d+\])
+__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
+__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
+
+#       hostname       daemon_id         spaces
+# this can be optional (for instance if we match named native log files)
+__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
+
+failregex = ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
+            ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$
+            ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
+
+# DEV Notes:
+# Trying to generalize the
+#          structure which is general to capture general patterns in log
+#          lines to cover different configurations/distributions
+#          
+# (\.\d+)? is a really ugly catch of the microseconds not captured in the date detector
+#
+# Author: Yaroslav Halchenko
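Review bot: The header comment explains the bind logging setup but does not warn that the `client <HOST>#...` address in these lines is taken from the DNS query, which over UDP can be forged. A ban driven by it can therefore land on an uninvolved host, such as a legitimate resolver. I would add a comment above `[Definition]` along the lines of `# NOTE: UDP source addresses can be spoofed; list trusted resolvers in ignoreip before enabling this filter`. The same caveat applies to the `ratelimit block` and `refused, no acl matches` patterns in fail2ban/filter.d/nsd.conf.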
diff --git a/fail2ban/filter.d/nginx-http-auth.conf b/fail2ban/filter.d/nginx-http-auth.conf
new file mode 100644 (file)
index 0000000..79dda30
--- /dev/null
@@ -0,0 +1,15 @@
+# fail2ban filter configuration for nginx
+
+
+[Definition]
+
+
+failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
+
+ignoreregex = 
+
+# DEV NOTES:
+# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files
+# Extensive search of all nginx auth failures not done yet.
+# 
+# Author: Daniel Black
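Review bot: The failregex ends at `host: "\S+"\s*$`, so an nginx error-log line with a trailing `, referrer: "..."` field will not match and those failed logins go uncounted. The DEV notes already say the survey of nginx auth failures is incomplete. Making the field optional keeps the end anchor: `host: "\S+"(, referrer: "\S+")?\s*$`.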
diff --git a/fail2ban/filter.d/nsd.conf b/fail2ban/filter.d/nsd.conf
new file mode 100644 (file)
index 0000000..cd4ce35
--- /dev/null
@@ -0,0 +1,26 @@
+# Fail2Ban configuration file
+#
+# Author: Bas van den Dikkenberg
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = nsd
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+
+failregex =  ^\[\]%(__prefix_line)sinfo: ratelimit block .* query <HOST> TYPE255$
+              ^\[\]%(__prefix_line)sinfo: .* <HOST> refused, no acl matches\.$
diff --git a/fail2ban/filter.d/openwebmail.conf b/fail2ban/filter.d/openwebmail.conf
new file mode 100644 (file)
index 0000000..ef51031
--- /dev/null
@@ -0,0 +1,15 @@
+# Fail2Ban filter for Openwebmail
+# banning hosts with authentication errors in /var/log/openwebmail.log
+# OpenWebMail http://openwebmail.org
+#
+
+[Definition]
+
+failregex = ^ - \[\d+\] \(<HOST>\) (?P<USER>\S+) - login error - (no such user - loginname=(?P=USER)|auth_unix.pl, ret -4, Password incorrect)$
+            ^ - \[\d+\] \(<HOST>\) (?P<USER>\S+) - userinfo error - auth_unix.pl, ret -4, User (?P=USER) doesn't exist$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# Author: Ivo Truxa (c) 2013 truXoft.com
diff --git a/fail2ban/filter.d/pam-generic.conf b/fail2ban/filter.d/pam-generic.conf
new file mode 100644 (file)
index 0000000..aea4752
--- /dev/null
@@ -0,0 +1,29 @@
+# Fail2Ban configuration file for generic PAM authentication errors
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+# if you want to catch only login errors from specific daemons, use something like
+#_ttys_re=(?:ssh|pure-ftpd|ftp)
+#
+# Default: catch all failed logins
+_ttys_re=\S*
+
+__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
+_daemon = \S+
+
+failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# for linux-pam before 0.99.2.0 (late 2005) (removed before 0.8.11 release)
+# _daemon = \S*\(?pam_unix\)?
+# failregex = ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+#
+# Author: Yaroslav Halchenko
diff --git a/fail2ban/filter.d/perdition.conf b/fail2ban/filter.d/perdition.conf
new file mode 100644 (file)
index 0000000..c47dcac
--- /dev/null
@@ -0,0 +1,18 @@
+# Fail2Ban filter for perdition
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon=perdition.\S+
+
+failregex = ^%(__prefix_line)sAuth: <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+ client-secure=\S+ authorisation_id=NONE authentication_id=".+" server="\S+" protocol=\S+ server-secure=\S+ status="failed: (local authentication failure|Re-Authentication Failure)"$
+            ^%(__prefix_line)sFatal Error reading authentication information from client <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+: Exiting child$
+
+ignoreregex =
+
+# Author: Christophe Carles and Daniel Black
diff --git a/fail2ban/filter.d/php-url-fopen.conf b/fail2ban/filter.d/php-url-fopen.conf
new file mode 100644 (file)
index 0000000..87bd04c
--- /dev/null
@@ -0,0 +1,20 @@
+# Fail2Ban filter for URLs with a URL as a script parameters
+# which can be an indication of a fopen url php injection
+#
+# Example of web requests in Apache access log:
+# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
+
+[Definition]
+
+failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# Version 2
+# fixes the failregex so REFERERS that contain =http:// don't get blocked
+# (mentioned by "fasuto" (no real email provided... blog comment) in this entry:
+# http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489
+#
+# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
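Review bot: The `.*` runs in the failregex are not confined to the quoted request field, so `\?.*\=http\:\/\/` and ` HTTP\/` can be satisfied by text in later fields such as the referer or user agent. That is the kind of false positive the "Version 2" note says it fixed. Using `[^"]*` inside the request keeps the match in that field, e.g. `^<HOST> -.*"(GET|POST)[^"]*\?[^"]*\=http\:\/\/[^"]* HTTP\/.*$`, which should be checked against real access-log samples first. The pattern also looks only for `http://`, so `https?` is worth considering.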
diff --git a/fail2ban/filter.d/postfix-sasl.conf b/fail2ban/filter.d/postfix-sasl.conf
new file mode 100644 (file)
index 0000000..d232f86
--- /dev/null
@@ -0,0 +1,14 @@
+# Fail2Ban filter for postfix authentication failures
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = postfix/smtpd
+
+failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
+
+# Author: Yaroslav Halchenko
diff --git a/fail2ban/filter.d/postfix.conf b/fail2ban/filter.d/postfix.conf
new file mode 100644 (file)
index 0000000..7330f10
--- /dev/null
@@ -0,0 +1,22 @@
+# Fail2Ban filter for selected Postfix SMTP rejections
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = postfix/smtpd
+
+failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
+            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
+            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
+            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
+
+ignoreregex = 
+
+# Author: Cyril Jaquier
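Review bot: The second failregex line only matches a rejection with nothing between `450 4\.7\.1 ` and the colon, a literal `from=<> to=<>`, and a blank `helo=`. It looks as if the bracketed placeholders were lost, so it will rarely if ever match a real "Helo command rejected" line. Something like `450 4\.7\.1 \S+: Helo command rejected: Host not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>\s*$` is probably what was intended, to be confirmed against real log samples.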
diff --git a/fail2ban/filter.d/proftpd.conf b/fail2ban/filter.d/proftpd.conf
new file mode 100644 (file)
index 0000000..ac714cc
--- /dev/null
@@ -0,0 +1,24 @@
+# Fail2Ban fitler for the Proftpd FTP daemon
+#
+# Set "UseReverseDNS off" in proftpd.conf to avoid the need for DNS.
+# See: http://www.proftpd.org/docs/howto/DNS.html
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = proftpd
+
+__suffix_failed_login = (User not authorized for login|No such user found|Incorrect password|Password expired|Account disabled|Invalid shell: '\S+'|User in \S+|Limit (access|configuration) denies login|Not a UserAlias|maximum login length exceeded).?
+
+failregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$
+            ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .* \(Login failed\): %(__suffix_failed_login)s\s*$
+            ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: .* login attempted\. *$
+            ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$
+
+ignoreregex = 
+
+# Author: Yaroslav Halchenko
+#         Daniel Black - hardening of regex
diff --git a/fail2ban/filter.d/pure-ftpd.conf b/fail2ban/filter.d/pure-ftpd.conf
new file mode 100644 (file)
index 0000000..b6d3660
--- /dev/null
@@ -0,0 +1,30 @@
+# Fail2Ban filter for pureftp
+#
+# Disable hostname based logging by:
+#
+# Start pure-ftpd with the -H switch or on Ubuntu 'echo yes > /etc/pure-ftpd/conf/DontResolve'
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = pure-ftpd
+
+# Error message specified in multiple languages
+__errmsg = (?:�ϥΪ�\[.*\]���ҥ���|ʹ����\[.*\]��֤ʧ��|\[.*\] kullan�c�s� i�in giri� hatal�|����������� �� ������� ������������ \[.*\]|Godkjennelse mislyktes for \[.*\]|Beh�righetskontroll misslyckas f�r anv�ndare \[.*\]|Autentifikacia uzivatela zlyhala \[.*\]|Autentificare esuata pentru utilizatorul \[.*\]|Autentica��o falhou para usu�rio \[.*\]|Autentyfikacja nie powiod�a si� dla u�ytkownika \[.*\]|Autorisatie faalde voor gebruiker \[.*\]|\[.*\] ��� ���� ����|Autenticazione falita per l'utente \[.*\]|Azonos�t�s sikertelen \[.*\] felhaszn�l�nak|\[.*\] c'est un batard, il connait pas son code|Erreur d'authentification pour l'utilisateur \[.*\]|Autentificaci�n fallida para el usuario \[.*\]|Authentication failed for user \[.*\]|Authentifizierung fehlgeschlagen f�r Benutzer \[.*\].|Godkendelse mislykkedes for \[.*\]|Autentifikace u�ivatele selhala \[.*\])
+
+failregex = ^%(__prefix_line)s\(.+?@<HOST>\) \[WARNING\] %(__errmsg)s\s*$
+
+ignoreregex = 
+
+# Author: Cyril Jaquier
+# Modified: Yaroslav Halchenko for pure-ftpd
+# Documentation thanks to Blake on http://www.fail2ban.org/wiki/index.php?title=Fail2ban:Community_Portal
+#
+# Only logs to syslog though facility can be changed configuration file/command line
+#
+# fgrep -r MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src
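Review bot: Most alternatives in `__errmsg` contain raw non-ASCII bytes in what look like several legacy encodings; they show as replacement characters here. Whether they match therefore depends on the encoding fail2ban reads the log with, and only the pure-ASCII messages can be relied on. Replacing each non-ASCII character with `.` would make the alternatives encoding-independent, e.g. `Authentifizierung fehlgeschlagen f.r Benutzer \[.*\].`.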
diff --git a/fail2ban/filter.d/qmail.conf b/fail2ban/filter.d/qmail.conf
new file mode 100644 (file)
index 0000000..62d499c
--- /dev/null
@@ -0,0 +1,31 @@
+# Fail2Ban filters for qmail RBL patches/fake proxies
+#
+# the default djb RBL implementation doesn't log any rejections 
+# so is useless with this filter.
+#
+# One patch is here:
+#
+# http://www.tjsi.com/rblsmtpd/faq/ patch to rblsmtpd
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:qmail|rblsmtpd)
+
+failregex = ^%(__prefix_line)s\d+\.\d+ rblsmtpd: <HOST> pid \d+ \S+ 4\d\d \S+\s*$
+            ^%(__prefix_line)s\d+\.\d+ qmail-smtpd: 4\d\d badiprbl: ip <HOST> rbl: \S+\s*$
+            ^%(__prefix_line)s\S+ blocked <HOST> \S+ -\s*$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# These seem to be for two or 3 different patches to qmail or rblsmtpd
+# so you'll probably only ever see one of these regex's that match.
+#
+# ref: https://github.com/fail2ban/fail2ban/pull/386
+#
+# Author: Daniel Black
diff --git a/fail2ban/filter.d/recidive.conf b/fail2ban/filter.d/recidive.conf
new file mode 100644 (file)
index 0000000..13d2f53
--- /dev/null
@@ -0,0 +1,32 @@
+# Fail2Ban filter for repeat bans
+#
+# This filter monitors the fail2ban log file, and enables you to add long 
+# time bans for ip addresses that get banned by fail2ban multiple times.
+#
+# Reasons to use this: block very persistent attackers for a longer time, 
+# stop receiving email notifications about the same attacker over and 
+# over again.
+#
+# This jail is only useful if you set the 'findtime' and 'bantime' parameters 
+# in jail.conf to a higher value than the other jails. Also, this jail has its
+# drawbacks, namely in that it works only with iptables, or if you use a 
+# different blocking mechanism for this jail versus others (e.g. hostsdeny 
+# for most jails, and shorewall for this one).
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = fail2ban\.actions
+
+# The name of the jail that this filter is used for. In jail.conf, name the 
+# jail using this filter 'recidive', or change this line!
+_jailname = recidive
+
+failregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions%(__pid_re)s?:\s+)WARNING\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
+
+# Author: Tom Hendrikx, modifications by Amir Caspi 
diff --git a/fail2ban/filter.d/roundcube-auth.conf b/fail2ban/filter.d/roundcube-auth.conf
new file mode 100644 (file)
index 0000000..e3e7858
--- /dev/null
@@ -0,0 +1,29 @@
+# Fail2Ban configuration file for roundcube web server
+#
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+failregex = ^\s*(\[(\s[+-][0-9]{4})?\])?(%(__hostname)s roundcube: IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$
+
+ignoreregex = 
+# DEV Notes:
+#
+# Source: https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_imap.php#L180
+#
+# Part after <HOST> comes straight from IMAP server up until the " in ....."
+# Earlier versions didn't log the IMAP response hence optional.
+#
+# DoS resistance:
+#
+# Assume that the user can inject "from <HOST>" into the imap response
+# somehow. Write test cases around this to ensure that the combination of
+# arbitrary user input and IMAP response doesn't inject the wrong IP for
+# fail2ban
+#
+# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge & Daniel Black
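Review bot: The DEV notes ask for test cases proving that user-supplied text cannot steer `<HOST>`, but the failregex itself gives no such guarantee. It matches the login name with `.*?` and the optional tail with `.*`, and both accept the literal ` from ` separator. Until those tests exist I would say so next to the failregex, e.g. `# NOTE: user field is unconstrained; verify with fail2ban-regex before enabling, and set ignoreip for trusted hosts`.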
diff --git a/fail2ban/filter.d/selinux-common.conf b/fail2ban/filter.d/selinux-common.conf
new file mode 100644 (file)
index 0000000..7269e8f
--- /dev/null
@@ -0,0 +1,21 @@
+# Fail2Ban configuration file for generic SELinux audit messages
+#
+# This file is not intended to be used directly, and should be included into a
+# filter file which would define following variables. See selinux-ssh.conf as
+# and example.
+#
+# _type
+# _uid
+# _auid 
+# _subj
+# _msg
+#
+# Also one of these variables must include <HOST>.
+
+[Definition]
+
+failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$
+
+ignoreregex =
+
+# Author: Daniel Black
diff --git a/fail2ban/filter.d/selinux-ssh.conf b/fail2ban/filter.d/selinux-ssh.conf
new file mode 100644 (file)
index 0000000..6955094
--- /dev/null
@@ -0,0 +1,25 @@
+# Fail2Ban configuration file for SELinux ssh authentication errors
+#
+
+[INCLUDES]
+
+after = selinux-common.conf
+
+[Definition]
+
+_type = USER_(ERR|AUTH)
+_uid  = 0
+_auid = \d+
+_subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023
+
+_exe  =/usr/sbin/sshd
+_terminal = ssh
+
+_msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr=<HOST> terminal=%(_terminal)s res=failed
+
+# DEV Notes:
+#
+# Note: USER_LOGIN is ignored as this is the duplicate messsage
+# ssh logs after 3 USER_AUTH failures.
+# 
+# Author: Daniel Black
diff --git a/fail2ban/filter.d/sendmail-auth.conf b/fail2ban/filter.d/sendmail-auth.conf
new file mode 100644 (file)
index 0000000..138fbb8
--- /dev/null
@@ -0,0 +1,18 @@
+# Fail2Ban filter for sendmail authentication failures
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:sm-(mta|acceptingconnections))
+
+failregex = ^%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# Author: Daniel Black
diff --git a/fail2ban/filter.d/sendmail-reject.conf b/fail2ban/filter.d/sendmail-reject.conf
new file mode 100644 (file)
index 0000000..3a89731
--- /dev/null
@@ -0,0 +1,34 @@
+# Fail2Ban filter for sendmail spam/relay type failures
+#
+# Some of the below failregex will only work properly, when the following
+# options are set in the .mc file (see your Sendmail documentation on how
+# to modify it and generate the corresponding .cf file):
+#
+# FEATURE(`delay_checks')
+# FEATURE(`greet_pause', `500')
+# FEATURE(`ratecontrol', `nodelay', `terminate')
+# FEATURE(`conncontrol', `nodelay', `terminate')
+#
+# ratecontrol and conncontrol also need corresponding options ClientRate:
+# and ClientConn: in the access file, see documentation for ratecontrol and
+# conncontrol in the sendmail/cf/README file.
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:sm-(mta|acceptingconnections))
+
+failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[<HOST>\]( \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\])|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
+            ^%(__prefix_line)sruleset=check_relay, arg1=(?P<dom>\S+), arg2=<HOST>, relay=((?P=dom) )?\[(\d+\.){3}\d+\]( \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
+            ^%(__prefix_line)s\w{14}: rejecting commands from  (\S+ )?\[<HOST>\] due to pre-greeting traffic after \d+ seconds$
+            ^%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]: ((?i)expn|vrfy) \S+ \[rejected\]$
+
+
+ignoreregex =
+
+# DEV Notes:
+#
+# Author: Daniel Black and Fabian Wenk
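Review bot: The `(?i)` inside `((?i)expn|vrfy)` on the last failregex line is a global flag in Python's `re`, so it makes that whole expression case-insensitive rather than just the command name. Recent Python versions also reject a global flag that is not at the start of the pattern, and here it follows `%(__prefix_line)s`. Spelling the cases out avoids both problems: `([Ee][Xx][Pp][Nn]|[Vv][Rr][Ff][Yy])`.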
diff --git a/fail2ban/filter.d/sieve.conf b/fail2ban/filter.d/sieve.conf
new file mode 100644 (file)
index 0000000..999b68a
--- /dev/null
@@ -0,0 +1,18 @@
+# Fail2Ban filter for sieve authentication failures
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_deamon = (?:cyrus/)?(?:tim)?sieved?
+
+failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ authentication failure$
+
+ignoreregex = 
+
+# Author: Jan Wagner <waja@cyconet.org>
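Review bot: The variable on the `_deamon = (?:cyrus/)?(?:tim)?sieved?` line is misspelled; every other filter in this commit that includes common.conf sets `_daemon`. The sieve pattern is therefore never interpolated into `__prefix_line`, and the filter presumably falls back to whatever default `_daemon` common.conf defines. That would let `badlogin:` lines from other daemons match. Rename it to `_daemon = (?:cyrus/)?(?:tim)?sieved?`.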
diff --git a/fail2ban/filter.d/sogo-auth.conf b/fail2ban/filter.d/sogo-auth.conf
new file mode 100644 (file)
index 0000000..d56c94f
--- /dev/null
@@ -0,0 +1,17 @@
+# Fail2ban filter for SOGo authentcation
+#
+# Log file usually in /var/log/sogo/sogo.log
+
+[Definition]
+
+failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '<HOST>' for user '.*' might not have worked( - password policy: \d*  grace: -?\d*  expire: -?\d*  bound: -?\d*)?\s*$
+
+ignoreregex = 
+
+# 
+# DEV Notes:
+#
+# The error log may contain multiple hosts, whereas the first one 
+# is the client and all others are poxys. We match the first one, only
+#
+# Author: Arnd Brandes
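Review bot: The DEV note and the failregex disagree. The note says a line may carry several hosts (client first, then proxies), but the pattern `Login from '<HOST>' for user` requires the closing quote directly after the first host. If SOGo writes the proxy chain inside the same quotes, such lines would not match at all; check this against a real proxied log line. When the first entry comes from a forwarded-for style header it is client-supplied, so the comment should say that bans are only trustworthy if the front proxy overwrites that header. Typos to fix in the comments: `authentcation` and `poxys`.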
diff --git a/fail2ban/filter.d/solid-pop3d.conf b/fail2ban/filter.d/solid-pop3d.conf
new file mode 100644 (file)
index 0000000..d97cc13
--- /dev/null
@@ -0,0 +1,32 @@
+# Fail2Ban filter for unsuccesful solid-pop3 authentication attempts
+#
+# Doesn't currently provide PAM support as PAM log messages don't include rhost as
+# remote IP.
+#
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = solid-pop3d
+
+failregex = ^%(__prefix_line)sauthentication failed: (no such user|can't map user name): .*? - <HOST>$
+            ^%(__prefix_line)s(APOP )?authentication failed for (mapped )?user .*? - <HOST>$
+            ^%(__prefix_line)sroot login not allowed - <HOST>$
+            ^%(__prefix_line)scan't find APOP secret for user .*? - <HOST>$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# solid-pop3d needs to be compiled with --enable-logextend to support
+# IP addresses in log messages.
+#
+# solid-pop3d-0.15/src/main.c contains all authentication errors
+# except for PAM authentication messages ( src/authenticate.c )
+#
+# A pam authentication failure message (note no IP for rhost).
+# Nov 17 23:17:50 emf1pt2-2-35-70 solid-pop3d[17176]: pam_unix(solid-pop3d:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=jacques
+# 
+# Authors: Daniel Black
diff --git a/fail2ban/filter.d/squid.conf b/fail2ban/filter.d/squid.conf
new file mode 100644 (file)
index 0000000..da28269
--- /dev/null
@@ -0,0 +1,13 @@
+# Fail2Ban filter for Squid attempted proxy bypasses
+#
+#
+
+[Definition]
+
+failregex = ^\s+\d\s<HOST>\s+[A-Z_]+_DENIED/403 .*$
+            ^\s+\d\s<HOST>\s+NONE/405 .*$
+
+
+
+# Author: Daniel Black
+
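Review bot: This filter defines no `ignoreregex`, unlike every other filter added in this commit; add an empty `ignoreregex =` after the failregex for consistency. Both patterns start with `^\s+\d\s<HOST>`, so the field before the client address has to be a single digit. If that is the elapsed-time column of the access log, denied requests that took 10 ms or longer would appear not to match; a comment with one sample log line would make the intent checkable.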
diff --git a/fail2ban/filter.d/sshd-ddos.conf b/fail2ban/filter.d/sshd-ddos.conf
new file mode 100644 (file)
index 0000000..1fa8723
--- /dev/null
@@ -0,0 +1,25 @@
+# Fail2Ban ssh filter for at attempted exploit
+#
+# The regex here also relates to a exploit:
+#
+#  http://www.securityfocus.com/bid/17958/exploit
+#  The example code here shows the pushing of the exploit straight after
+#  reading the server version. This is where the client version string normally
+#  pushed. As such the server will read this unparsible information as
+#  "Did not receive identification string".
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = sshd
+
+failregex = ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
+
+ignoreregex = 
+
+# Author: Yaroslav Halchenko
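Review bot: The header comment ties `Did not receive identification string from <HOST>` to one exploit, but does not say that sshd logs the same line for any connection that closes before sending a client banner. Port-check monitoring and load-balancer health probes produce it too, so a jail built on this filter can ban your own monitoring hosts. I would add a comment above the failregex such as `# Also matches banner-less TCP probes (monitoring, health checks); list those hosts in ignoreip.`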
diff --git a/fail2ban/filter.d/sshd.conf b/fail2ban/filter.d/sshd.conf
new file mode 100644 (file)
index 0000000..9d289e8
--- /dev/null
@@ -0,0 +1,37 @@
+# Fail2Ban filter for openssh
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = sshd
+
+failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
+            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
+            ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
+            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
+            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
+            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
+            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
+            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
+            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
+            ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
+            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
+            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+#   "Failed \S+ for .*? from <HOST>..." failregex uses non-greedy catch-all because
+#   it is coming before use of <HOST> which is not hard-anchored at the end as well,
+#   and later catch-all's could contain user-provided input, which need to be greedily
+#   matched away first.
+#
+# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black
diff --git a/fail2ban/filter.d/suhosin.conf b/fail2ban/filter.d/suhosin.conf
new file mode 100644 (file)
index 0000000..f125ead
--- /dev/null
@@ -0,0 +1,28 @@
+# Fail2Ban filter for suhosian PHP hardening
+#
+# This occurs with lighttpd or directly from the plugin
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = (?:lighttpd|suhosin)
+
+
+_lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s)
+
+failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .* \(attacker '<HOST>', file '.*'(?:, line \d+)?\)$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161
+#
+# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
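Review bot: The comments do not say where the address in `(attacker '<HOST>', ...` comes from, which matters because fail2ban bans whatever suhosin logs there. If suhosin is configured to take the address from a forwarded-for header (its `suhosin.log.use-x-forwarded-for` setting), the value is client-supplied unless a trusted front proxy overwrites it. A one-line comment stating that this filter assumes the logged address is the real peer address would cover it. The header also misspells the product as `suhosian`.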
diff --git a/fail2ban/filter.d/uwimap-auth.conf b/fail2ban/filter.d/uwimap-auth.conf
new file mode 100644 (file)
index 0000000..f734eb7
--- /dev/null
@@ -0,0 +1,17 @@
+# Fail2Ban filter for uwimap
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:ipop3d|imapd)
+
+failregex = ^%(__prefix_line)sLogin (?:failed|excessive login failures|disabled|SYSTEM BREAK-IN ATTEMPT) user=\S* auth=\S* host=.*\[<HOST>\]\s*$ 
+            ^%(__prefix_line)sFailed .* override of user=.* host=.*\[<HOST>\]\s*$
+
+ignoreregex = 
+
+# Author: Amir Caspi
diff --git a/fail2ban/filter.d/vsftpd.conf b/fail2ban/filter.d/vsftpd.conf
new file mode 100644 (file)
index 0000000..4de2bef
--- /dev/null
@@ -0,0 +1,22 @@
+# Fail2Ban filter for vsftp
+#
+# Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch
+# /var/log/vsftpd.log instead of /var/log/secure. vsftpd.log file shows the
+# incoming ip address rather than domain names.
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
+_daemon =  vsftpd
+
+failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+            ^ \[pid \d+\] \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
+
+ignoreregex = 
+
+# Author: Cyril Jaquier
+# Documentation from fail2ban wiki
diff --git a/fail2ban/filter.d/webmin-auth.conf b/fail2ban/filter.d/webmin-auth.conf
new file mode 100644 (file)
index 0000000..a0f014c
--- /dev/null
@@ -0,0 +1,22 @@
+# Fail2Ban filter for webmin
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = webmin
+
+failregex = ^%(__prefix_line)sNon-existent login as .+ from <HOST>\s*$
+            ^%(__prefix_line)sInvalid login as .+ from <HOST>\s*$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# pattern :     webmin[15673]: Non-existent login as toto from 86.0.6.217
+#               webmin[29544]: Invalid login as root from 86.0.6.217
+#
+# Rule Author: Delvit Guillaume
diff --git a/fail2ban/filter.d/wuftpd.conf b/fail2ban/filter.d/wuftpd.conf
new file mode 100644 (file)
index 0000000..45149f6
--- /dev/null
@@ -0,0 +1,22 @@
+# Fail2Ban configuration file for wuftpd
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = wu-ftpd
+__pam_re=\(?pam_unix(?:\(wu-ftpd:auth\))?\)?:?
+
+failregex = ^%(__prefix_line)sfailed login from \S+ \[<HOST>\]\s*$
+            ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+
+
+ignoreregex = 
+
+# Author: Yaroslav Halchenko
diff --git a/fail2ban/filter.d/xinetd-fail.conf b/fail2ban/filter.d/xinetd-fail.conf
new file mode 100644 (file)
index 0000000..d75e3d6
--- /dev/null
@@ -0,0 +1,27 @@
+# Fail2Ban filter for xinetd failures
+#
+# Cfr.: /var/log/(daemon\.|sys)log
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = xinetd
+
+failregex = ^%(__prefix_line)sFAIL: \S+ address from=<HOST>$
+            ^%(__prefix_line)sFAIL: \S+ libwrap from=<HOST>$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# libwrap => tcp wrappers: hosts.(allow|deny)
+# address => xinetd: deny_from|only_from
+#
+# Author: Guido Bozzetto
diff --git a/fail2ban/jail.conf b/fail2ban/jail.conf
new file mode 100644 (file)
index 0000000..89f56ca
--- /dev/null
@@ -0,0 +1,552 @@
+# Fail2Ban configuration file.
+#
+# This file was composed for Debian systems from the original one
+# provided now under /usr/share/doc/fail2ban/examples/jail.conf
+# for additional examples.
+#
+# Comments: use '#' for comment lines and ';' for inline comments
+#
+# To avoid merges during upgrades DO NOT MODIFY THIS FILE
+# and rather provide your changes in /etc/fail2ban/jail.local
+#
+
+# The DEFAULT allows a global definition of the options. They can be overridden
+# in each jail afterwards.
+
+[DEFAULT]
+
+# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
+# ban a host which matches an address in this list. Several addresses can be
+# defined using space separator.
+ignoreip = 127.0.0.1/8
+
+# External command that will take an tagged arguments to ignore, e.g. <ip>,
+# and return true if the IP is to be ignored. False otherwise.
+#
+# ignorecommand = /path/to/command <ip>
+ignorecommand =
+
+# "bantime" is the number of seconds that a host is banned.
+bantime  = 600
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime = 600
+maxretry = 3
+
+# "backend" specifies the backend used to get files modification.
+# Available options are "pyinotify", "gamin", "polling" and "auto".
+# This option can be overridden in each jail as well.
+#
+# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
+#            If pyinotify is not installed, Fail2ban will use auto.
+# gamin:     requires Gamin (a file alteration monitor) to be installed.
+#            If Gamin is not installed, Fail2ban will use auto.
+# polling:   uses a polling algorithm which does not require external libraries.
+# auto:      will try to use the following backends, in order:
+#            pyinotify, gamin, polling.
+backend = auto
+
+# "usedns" specifies if jails should trust hostnames in logs,
+#   warn when reverse DNS lookups are performed, or ignore all hostnames in logs
+#
+# yes:   if a hostname is encountered, a reverse DNS lookup will be performed.
+# warn:  if a hostname is encountered, a reverse DNS lookup will be performed,
+#        but it will be logged as a warning.
+# no:    if a hostname is encountered, will not be used for banning,
+#        but it will be logged as info.
+usedns = warn
+
+#
+# Destination email address used solely for the interpolations in
+# jail.{conf,local} configuration files.
+destemail = root@localhost
+
+#
+# Name of the sender for mta actions
+sendername = Fail2Ban
+
+# Email address of the sender
+sender = fail2ban@localhost
+
+#
+# ACTIONS
+#
+
+# Default banning action (e.g. iptables, iptables-new,
+# iptables-multiport, shorewall, etc) It is used to define
+# action_* variables. Can be overridden globally or per
+# section within jail.local file
+banaction = iptables-multiport
+
+# email action. Since 0.8.1 upstream fail2ban uses sendmail
+# MTA for the mailing. Change mta configuration parameter to mail
+# if you want to revert to conventional 'mail'.
+mta = sendmail
+
+# Default protocol
+protocol = tcp
+
+# Specify chain where jumps would need to be added in iptables-* actions
+chain = INPUT
+
+#
+# Action shortcuts. To be used to define action parameter
+
+# The simplest action to take: ban only
+action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report to the destemail.
+action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
+
+# ban & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
+
+# Choose default action.  To change, just override value of 'action' with the
+# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
+# globally (section [DEFAULT]) or per specific section
+action = %(action_)s
+
+#
+# JAILS
+#
+
+# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
+# was shipped in Debian. Enable any defined here jail by including
+#
+# [SECTION_NAME]
+# enabled = true
+
+#
+# in /etc/fail2ban/jail.local.
+#
+# Optionally you may override any other parameter (e.g. banaction,
+# action, port, logpath, etc) in that section within jail.local
+
+[ssh]
+
+enabled  = true
+port     = ssh
+filter   = sshd
+logpath  = /var/log/auth.log
+maxretry = 6
+
+[dropbear]
+
+enabled  = false
+port     = ssh
+filter   = dropbear
+logpath  = /var/log/auth.log
+maxretry = 6
+
+# Generic filter for pam. Has to be used with action which bans all ports
+# such as iptables-allports, shorewall
+[pam-generic]
+
+enabled  = false
+# pam-generic filter can be customized to monitor specific subset of 'tty's
+filter   = pam-generic
+# port actually must be irrelevant but lets leave it all for some possible uses
+port     = all
+banaction = iptables-allports
+port     = anyport
+logpath  = /var/log/auth.log
+maxretry = 6
+
+[xinetd-fail]
+
+enabled   = false
+filter    = xinetd-fail
+port      = all
+banaction = iptables-multiport-log
+logpath   = /var/log/daemon.log
+maxretry  = 2
+
+
+[ssh-ddos]
+
+enabled  = false
+port     = ssh
+filter   = sshd-ddos
+logpath  = /var/log/auth.log
+maxretry = 6
+
+
+# Here we use blackhole routes for not requiring any additional kernel support
+# to store large volumes of banned IPs
+
+[ssh-route]
+
+enabled = false
+filter = sshd
+action = route
+logpath = /var/log/sshd.log
+maxretry = 6
+
+# Here we use a combination of Netfilter/Iptables and IPsets
+# for storing large volumes of banned IPs
+#
+# IPset comes in two versions. See ipset -V for which one to use
+# requires the ipset package and kernel support.
+[ssh-iptables-ipset4]
+
+enabled  = false
+port     = ssh
+filter   = sshd
+banaction = iptables-ipset-proto4
+logpath  = /var/log/sshd.log
+maxretry = 6
+
+[ssh-iptables-ipset6]
+
+enabled  = false
+port     = ssh
+filter   = sshd
+banaction = iptables-ipset-proto6
+logpath  = /var/log/sshd.log
+maxretry = 6
+
+
+#
+# HTTP servers
+#
+
+[apache]
+
+enabled  = false
+port     = http,https
+filter   = apache-auth
+logpath  = /var/log/apache*/*error.log
+maxretry = 6
+
+# default action is now multiport, so apache-multiport jail was left
+# for compatibility with previous (<0.7.6-2) releases
+[apache-multiport]
+
+enabled   = false
+port      = http,https
+filter    = apache-auth
+logpath   = /var/log/apache*/*error.log
+maxretry  = 6
+
+[apache-noscript]
+
+enabled  = false
+port     = http,https
+filter   = apache-noscript
+logpath  = /var/log/apache*/*error.log
+maxretry = 6
+
+[apache-overflows]
+
+enabled  = false
+port     = http,https
+filter   = apache-overflows
+logpath  = /var/log/apache*/*error.log
+maxretry = 2
+
+[apache-modsecurity]
+
+enabled  = false
+filter   = apache-modsecurity
+port     = http,https
+logpath  = /var/log/apache*/*error.log
+maxretry = 2
+
+[apache-nohome]
+
+enabled  = false
+filter   = apache-nohome
+port     = http,https
+logpath  = /var/log/apache*/*error.log
+maxretry = 2
+
+# Ban attackers that try to use PHP's URL-fopen() functionality
+# through GET/POST variables. - Experimental, with more than a year
+# of usage in production environments.
+
+[php-url-fopen]
+
+enabled = false
+port    = http,https
+filter  = php-url-fopen
+logpath = /var/www/*/logs/access_log
+
+# A simple PHP-fastcgi jail which works with lighttpd.
+# If you run a lighttpd server, then you probably will
+# find these kinds of messages in your error_log:
+#   ALERT – tried to register forbidden variable ‘GLOBALS’
+#   through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
+
+[lighttpd-fastcgi]
+
+enabled = false
+port    = http,https
+filter  = lighttpd-fastcgi
+logpath = /var/log/lighttpd/error.log
+
+# Same as above for mod_auth
+# It catches wrong authentifications
+
+[lighttpd-auth]
+
+enabled = false
+port    = http,https
+filter  = suhosin
+logpath = /var/log/lighttpd/error.log
+
+[nginx-http-auth]
+
+enabled = false
+filter  = nginx-http-auth
+port    = http,https
+logpath = /var/log/nginx/error.log
+
+# Monitor roundcube server
+
+[roundcube-auth]
+
+enabled  = false
+filter   = roundcube-auth
+port     = http,https
+logpath  = /var/log/roundcube/userlogins
+
+
+[sogo-auth]
+
+enabled  = false
+filter   = sogo-auth
+port     = http, https
+# without proxy this would be:
+# port    = 20000
+logpath  = /var/log/sogo/sogo.log
+
+
+#
+# FTP servers
+#
+
+[vsftpd]
+
+enabled  = false
+port     = ftp,ftp-data,ftps,ftps-data
+filter   = vsftpd
+logpath  = /var/log/vsftpd.log
+# or overwrite it in jails.local to be
+# logpath = /var/log/auth.log
+# if you want to rely on PAM failed login attempts
+# vsftpd's failregex should match both of those formats
+maxretry = 6
+
+
+[proftpd]
+
+enabled  = false
+port     = ftp,ftp-data,ftps,ftps-data
+filter   = proftpd
+logpath  = /var/log/proftpd/proftpd.log
+maxretry = 6
+
+
+[pure-ftpd]
+
+enabled  = false
+port     = ftp,ftp-data,ftps,ftps-data
+filter   = pure-ftpd
+logpath  = /var/log/syslog
+maxretry = 6
+
+
+[wuftpd]
+
+enabled  = false
+port     = ftp,ftp-data,ftps,ftps-data
+filter   = wuftpd
+logpath  = /var/log/syslog
+maxretry = 6
+
+
+#
+# Mail servers
+#
+
+[postfix]
+
+enabled  = false
+port     = smtp,ssmtp,submission
+filter   = postfix
+logpath  = /var/log/mail.log
+
+
+[couriersmtp]
+
+enabled  = false
+port     = smtp,ssmtp,submission
+filter   = couriersmtp
+logpath  = /var/log/mail.log
+
+
+#
+# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
+# all relevant ports get banned
+#
+
+[courierauth]
+
+enabled  = false
+port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
+filter   = courierlogin
+logpath  = /var/log/mail.log
+
+
+[sasl]
+
+enabled  = false
+port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
+filter   = postfix-sasl
+# You might consider monitoring /var/log/mail.warn instead if you are
+# running postfix since it would provide the same log lines at the
+# "warn" level but overall at the smaller filesize.
+logpath  = /var/log/mail.log
+
+[dovecot]
+
+enabled = false
+port    = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
+filter  = dovecot
+logpath = /var/log/mail.log
+
+# To log wrong MySQL access attempts add to /etc/my.cnf:
+# log-error=/var/log/mysqld.log
+# log-warning = 2
+[mysqld-auth]
+
+enabled  = false
+filter   = mysqld-auth
+port     = 3306
+logpath  = /var/log/mysqld.log
+
+
+# DNS Servers
+
+
+# These jails block attacks against named (bind9). By default, logging is off
+# with bind9 installation. You will need something like this:
+#
+# logging {
+#     channel security_file {
+#         file "/var/log/named/security.log" versions 3 size 30m;
+#         severity dynamic;
+#         print-time yes;
+#     };
+#     category security {
+#         security_file;
+#     };
+# };
+#
+# in your named.conf to provide proper logging
+
+# !!! WARNING !!!
+#   Since UDP is connection-less protocol, spoofing of IP and imitation
+#   of illegal actions is way too simple.  Thus enabling of this filter
+#   might provide an easy way for implementing a DoS against a chosen
+#   victim. See
+#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
+#   Please DO NOT USE this jail unless you know what you are doing.
+#[named-refused-udp]
+#
+#enabled  = false
+#port     = domain,953
+#protocol = udp
+#filter   = named-refused
+#logpath  = /var/log/named/security.log
+
+[named-refused-tcp]
+
+enabled  = false
+port     = domain,953
+protocol = tcp
+filter   = named-refused
+logpath  = /var/log/named/security.log
+
+[freeswitch]
+
+enabled  = false
+filter   = freeswitch
+logpath  = /var/log/freeswitch.log
+maxretry = 10
+action   = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", protocol=tcp]
+           iptables-multiport[name=freeswitch-udp, port="5060,5061,5080,5081", protocol=udp]
+
+[ejabberd-auth]
+
+enabled  = false
+filter   = ejabberd-auth
+port     = xmpp-client
+protocol = tcp
+logpath  = /var/log/ejabberd/ejabberd.log
+
+
+# Multiple jails, 1 per protocol, are necessary ATM:
+# see https://github.com/fail2ban/fail2ban/issues/37
+[asterisk-tcp]
+
+enabled  = false
+filter   = asterisk
+port     = 5060,5061
+protocol = tcp
+logpath  = /var/log/asterisk/messages
+
+[asterisk-udp]
+
+enabled  = false
+filter  = asterisk
+port     = 5060,5061
+protocol = udp
+logpath  = /var/log/asterisk/messages
+
+
+# Jail for more extended banning of persistent abusers
+# !!! WARNING !!!
+#   Make sure that your loglevel specified in fail2ban.conf/.local
+#   is not at DEBUG level -- which might then cause fail2ban to fall into
+#   an infinite loop constantly feeding itself with non-informative lines
+[recidive]
+
+enabled  = false
+filter   = recidive
+logpath  = /var/log/fail2ban.log
+action   = iptables-allports[name=recidive]
+           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
+bantime  = 604800  ; 1 week
+findtime = 86400   ; 1 day
+maxretry = 5
+
+# See the IMPORTANT note in action.d/blocklist_de.conf for when to
+# use this action
+#
+# Report block via blocklist.de fail2ban reporting service API
+# See action.d/blocklist_de.conf for more information
+[ssh-blocklist]
+
+enabled  = false
+filter   = sshd
+action   = iptables[name=SSH, port=ssh, protocol=tcp]
+           sendmail-whois[name=SSH, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"]
+           blocklist_de[email="%(sender)s", apikey="xxxxxx", service="%(filter)s"]
+logpath  = /var/log/sshd.log
+maxretry = 20
+
+
+# consider low maxretry and a long bantime
+# nobody except your own Nagios server should ever probe nrpe
+[nagios]
+enabled  = false
+filter   = nagios
+action   = iptables[name=Nagios, port=5666, protocol=tcp]
+           sendmail-whois[name=Nagios, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"]
+logpath  = /var/log/messages     ; nrpe.cfg may define a different log_facility
+maxretry = 1
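Review bot: In `[lighttpd-auth]` the line `filter  = suhosin` contradicts the section's own comment ("Same as above for mod_auth ... catches wrong authentifications"). The suhosin filter added in this commit matches `ALERT - ... (attacker '<HOST>', file ...` lines, so enabling this jail as written would likely never ban on failed HTTP auth. Point it at a mod_auth filter instead (upstream fail2ban ships one named `lighttpd-auth`; confirm it is present in filter.d here). `[pam-generic]` also sets `port` twice (`all`, then `anyport`); keep one, because whether the last value wins or the duplicate is rejected depends on the config parser. For `[ssh-blocklist]`, put the real `apikey` in a root-only jail.local override, not in this tracked 0644 file.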
diff --git a/init.d/fail2ban b/init.d/fail2ban
new file mode 100755 (executable)
index 0000000..98e7216
--- /dev/null
@@ -0,0 +1,244 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          fail2ban
+# Required-Start:    $local_fs $remote_fs
+# Required-Stop:     $local_fs $remote_fs
+# Should-Start:      $time $network $syslog iptables firehol shorewall ipmasq arno-iptables-firewall iptables-persistent ferm
+# Should-Stop:       $network $syslog iptables firehol shorewall ipmasq arno-iptables-firewall iptables-persistent ferm
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Start/stop fail2ban
+# Description:       Start/stop fail2ban, a daemon scanning the log files and
+#                    banning potential attackers.
+### END INIT INFO
+
+# Author: Aaron Isotton <aaron@isotton.com>
+# Modified: by Yaroslav Halchenko <debian@onerussian.com>
+#  reindented + minor corrections + to work on sarge without modifications
+# Modified: by Glenn Aaldering <glenn@openvideo.nl>
+#  added exit codes for status command
+#
+PATH=/usr/sbin:/usr/bin:/sbin:/bin
+DESC="authentication failure monitor"
+NAME=fail2ban
+
+# fail2ban-client is not a daemon itself but starts a daemon and
+# loads its with configuration
+DAEMON=/usr/bin/$NAME-client
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Ad-hoc way to parse out socket file name
+SOCKFILE=`grep -h '^[^#]*socket *=' /etc/$NAME/$NAME.conf /etc/$NAME/$NAME.local 2>/dev/null \
+          | tail -n 1 | sed -e 's/.*socket *= *//g' -e 's/ *$//g'`
+[ -z "$SOCKFILE" ] && SOCKFILE='/tmp/fail2ban.sock'
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Run as root by default.
+FAIL2BAN_USER=root
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+DAEMON_ARGS="$FAIL2BAN_OPTS"
+
+# Load the VERBOSE setting and other rcS variables
+[ -f /etc/default/rcS ] && . /etc/default/rcS
+
+# Predefine what can be missing from lsb source later on -- necessary to run
+# on sarge. Just present it in a bit more compact way from what was shipped
+log_daemon_msg () {
+       [ -z "$1" ] && return 1
+       echo -n "$1:"
+       [ -z "$2" ] || echo -n " $2"
+}
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
+# Actually has to (>=2.0-7) present in sarge. log_daemon_msg is predefined
+#  so we must be ok
+. /lib/lsb/init-functions
+
+#
+# Shortcut function for abnormal init script interruption
+#
+report_bug()
+{
+       echo $*
+       echo "Please submit a bug report to Debian BTS (reportbug fail2ban)"
+       exit 1
+}
+
+#
+# Helper function to check if socket is present, which is often left after
+# abnormal exit of fail2ban and needs to be removed
+#
+check_socket()
+{
+       # Return
+       #       0 if socket is present and readable
+       #       1 if socket file is not present
+       #       2 if socket file is present but not readable
+       #       3 if socket file is present but is not a socket
+       [ -e "$SOCKFILE" ] || return 1
+       [ -r "$SOCKFILE" ] || return 2
+       [ -S "$SOCKFILE" ] || return 3
+       return 0
+}
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+       # Return
+       #       0 if daemon has been started
+       #       1 if daemon was already running
+       #       2 if daemon could not be started
+       do_status && return 1
+
+       if [ -e "$SOCKFILE" ]; then
+               log_failure_msg "Socket file $SOCKFILE is present"
+               [ "$1" = "force-start" ] \
+                       && log_success_msg "Starting anyway as requested" \
+                       || return 2
+               DAEMON_ARGS="$DAEMON_ARGS -x"
+       fi
+
+       # Assure that /var/run/fail2ban exists
+       [ -d /var/run/fail2ban ] || mkdir -p /var/run/fail2ban
+
+       if [ "$FAIL2BAN_USER" != "root" ]; then
+               # Make the socket directory, IP lists and fail2ban log
+               # files writable by fail2ban
+               chown "$FAIL2BAN_USER" /var/run/fail2ban
+               # Create the logfile if it doesn't exist
+               touch /var/log/fail2ban.log
+               chown "$FAIL2BAN_USER" /var/log/fail2ban.log
+               find /proc/net/xt_recent -name 'fail2ban-*' -exec chown "$FAIL2BAN_USER" {} \;
+       fi
+
+       start-stop-daemon --start --quiet --chuid "$FAIL2BAN_USER" --exec $DAEMON -- \
+               $DAEMON_ARGS start > /dev/null\
+               || return 2
+
+       return 0
+}
+
+
+#
+# Function that checks the status of fail2ban and returns
+# corresponding code
+#
+do_status()
+{
+       $DAEMON ping > /dev/null 2>&1
+       return $?
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+       # Return
+       #       0 if daemon has been stopped
+       #       1 if daemon was already stopped
+       #       2 if daemon could not be stopped
+       #       other if a failure occurred
+       $DAEMON status > /dev/null 2>&1 || return 1
+       $DAEMON stop > /dev/null || return 2
+
+       # now we need actually to wait a bit since it might take time
+       # for server to react on client's stop request. Especially
+       # important for restart command on slow boxes
+       count=1
+       while do_status && [ $count -lt 60 ]; do
+               sleep 1
+               count=$(($count+1))
+       done
+       [ $count -lt 60 ] || return 3 # failed to stop
+
+       return 0
+}
+
+#
+# Function to reload configuration
+#
+do_reload() {
+       $DAEMON reload > /dev/null && return 0 || return 1
+       return 0
+}
+
+# yoh:
+# shortcut function to don't duplicate case statements and to don't use
+# bashisms (arrays). Fixes #368218
+#
+log_end_msg_wrapper()
+{
+       if [ "$3" != "no" ]; then
+               [ $1 -lt $2 ] && value=0 || value=1
+               log_end_msg $value
+       fi
+}
+
+command="$1"
+case "$command" in
+       start|force-start)
+               [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+               do_start "$command"
+               log_end_msg_wrapper $? 2 "$VERBOSE"
+               ;;
+
+       stop)
+               [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+               do_stop
+               log_end_msg_wrapper $? 2 "$VERBOSE"
+               ;;
+
+       restart|force-reload)
+               log_daemon_msg "Restarting $DESC" "$NAME"
+               do_stop
+               case "$?" in
+                       0|1)
+                               do_start
+                               log_end_msg_wrapper $? 1 "always"
+                               ;;
+                       *)
+                               # Failed to stop
+                               log_end_msg 1
+                               ;;
+               esac
+               ;;
+
+       reload|force-reload)
+        log_daemon_msg "Reloading $DESC" "$NAME"
+        do_reload
+        log_end_msg $?
+        ;;
+
+       status)
+               log_daemon_msg "Status of $DESC"
+               do_status
+               case $? in
+                       0)  log_success_msg " $NAME is running" ;;
+                       255)
+                               check_socket
+                               case $? in
+                                       1)  log_failure_msg " $NAME is not running" && exit 3 ;;
+                                       0)  log_failure_msg " $NAME is not running but $SOCKFILE exists" && exit 3 ;;
+                                       2)  log_failure_msg " $SOCKFILE not readable, status of $NAME is unknown" && exit 3 ;;
+                                       3)  log_failure_msg " $SOCKFILE exists but not a socket, status of $NAME is unknown" && exit 3 ;;
+                                       *)  report_bug "Unknown return code from $NAME:check_socket." && exit 4 ;;
+                               esac
+                               ;;
+                       *)  report_bug "Unknown $NAME status code" && exit 4
+               esac
+               ;;
+       *)
+               echo "Usage: $SCRIPTNAME {start|force-start|stop|restart|force-reload|status}" >&2
+               exit 3
+               ;;
+esac
+
+:
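Review bot: The fallback `SOCKFILE='/tmp/fail2ban.sock'` points the socket check at a world-writable directory. When no `socket =` line is found in fail2ban.conf/.local, any local user can create that path, and `do_start` then logs "Socket file ... is present" and returns 2, so fail2ban does not start. The script already creates /var/run/fail2ban as the socket directory, so the fallback belongs there: `[ -z "$SOCKFILE" ] && SOCKFILE='/var/run/fail2ban/fail2ban.sock'`. Separately, `force-reload` appears in both the `restart|force-reload)` and `reload|force-reload)` arms, so its second listing is dead, and the usage string omits `reload`.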
diff --git a/logrotate.d/fail2ban b/logrotate.d/fail2ban
new file mode 100644 (file)
index 0000000..ea46428
--- /dev/null
@@ -0,0 +1,17 @@
+/var/log/fail2ban.log {
+   
+    weekly
+    rotate 4
+    compress
+
+    delaycompress
+    missingok
+    postrotate
+       fail2ban-client flushlogs 1>/dev/null
+    endscript
+
+    # If fail2ban runs as non-root it still needs to have write access
+    # to logfiles.
+    # create 640 fail2ban adm
+    create 640 root adm
+}
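Review bot: The `postrotate` line runs `fail2ban-client flushlogs` unconditionally and discards only stdout, so there is no handling for the server being unreachable at rotation time. With the service stopped, the client presumably exits non-zero (worth confirming on this version), and logrotate would then report a failed script on every weekly run. A guard such as `if fail2ban-client ping >/dev/null 2>&1; then fail2ban-client flushlogs >/dev/null; fi` skips the flush cleanly when the server is down, assuming `ping` fails in that case. Unlike `|| true`, it still surfaces a real flush failure, which matters because a daemon that never reopens its log leaves the new `/var/log/fail2ban.log` empty and the ban history in the rotated file. The line after the opening brace also carries trailing whitespace.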
diff --git a/nail.rc b/nail.rc
index c74862c2eb642e2c2c8e8cb566f73ce89aa2ab65..85d474bf096c142f2dd4610a90c1dac50e3fdda0 100644 (file)
--- a/nail.rc
+++ b/nail.rc
@@ -39,7 +39,8 @@ set quote
 
 # Outgoing messages are sent in ISO-8859-1 if all their characters are
 # representable in it, otherwise in UTF-8.
-set sendcharsets=iso-8859-1,utf-8
+# set sendcharsets=iso-8859-1,utf-8
+set sendcharsets=utf-8
 
 # Display sender's real names in header summaries.
 set showname
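Review bot: The comment above the changed setting is now stale. It still says outgoing messages are sent in ISO-8859-1 when representable, but the new `set sendcharsets=utf-8` removes ISO-8859-1 from the list. Reword it to something like `# Outgoing messages are sent in UTF-8; ISO-8859-1 is no longer tried first.` and drop the commented-out `# set sendcharsets=iso-8859-1,utf-8` line, since the previous value is already preserved in the history.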
diff --git a/rc0.d/K01fail2ban b/rc0.d/K01fail2ban
new file mode 120000 (symlink)
index 0000000..625bcdc
--- /dev/null
@@ -0,0 +1 @@
+../init.d/fail2ban
\ No newline at end of file
diff --git a/rc1.d/K01fail2ban b/rc1.d/K01fail2ban
new file mode 120000 (symlink)
index 0000000..625bcdc
--- /dev/null
@@ -0,0 +1 @@
+../init.d/fail2ban
\ No newline at end of file
diff --git a/rc2.d/S02fail2ban b/rc2.d/S02fail2ban
new file mode 120000 (symlink)
index 0000000..625bcdc
--- /dev/null
@@ -0,0 +1 @@
+../init.d/fail2ban
\ No newline at end of file
diff --git a/rc3.d/S02fail2ban b/rc3.d/S02fail2ban
new file mode 120000 (symlink)
index 0000000..625bcdc
--- /dev/null
@@ -0,0 +1 @@
+../init.d/fail2ban
\ No newline at end of file
diff --git a/rc4.d/S02fail2ban b/rc4.d/S02fail2ban
new file mode 120000 (symlink)
index 0000000..625bcdc
--- /dev/null
@@ -0,0 +1 @@
+../init.d/fail2ban
\ No newline at end of file
diff --git a/rc5.d/S02fail2ban b/rc5.d/S02fail2ban
new file mode 120000 (symlink)
index 0000000..625bcdc
--- /dev/null
@@ -0,0 +1 @@
+../init.d/fail2ban
\ No newline at end of file
diff --git a/rc6.d/K01fail2ban b/rc6.d/K01fail2ban
new file mode 120000 (symlink)
index 0000000..625bcdc
--- /dev/null
@@ -0,0 +1 @@
+../init.d/fail2ban
\ No newline at end of file
diff --git a/ssl/certs/02265526.0 b/ssl/certs/02265526.0
new file mode 120000 (symlink)
index 0000000..8f7ad29
--- /dev/null
@@ -0,0 +1 @@
+Entrust_Root_Certification_Authority_-_G2.pem
\ No newline at end of file
diff --git a/ssl/certs/03179a64.0 b/ssl/certs/03179a64.0
new file mode 120000 (symlink)
index 0000000..5167cdf
--- /dev/null
@@ -0,0 +1 @@
+Staat_der_Nederlanden_EV_Root_CA.pem
\ No newline at end of file
diff --git a/ssl/certs/039c618a.0 b/ssl/certs/039c618a.0
deleted file mode 120000 (symlink)
index d743974..0000000
+++ /dev/null
@@ -1 +0,0 @@
-TURKTRUST_Certificate_Services_Provider_Root_2.pem
\ No newline at end of file
diff --git a/ssl/certs/04f60c28.0 b/ssl/certs/04f60c28.0
new file mode 120000 (symlink)
index 0000000..e08a770
--- /dev/null
@@ -0,0 +1 @@
+USERTrust_ECC_Certification_Authority.pem
\ No newline at end of file
diff --git a/ssl/certs/0b1b94ef.0 b/ssl/certs/0b1b94ef.0
new file mode 120000 (symlink)
index 0000000..69ff81e
--- /dev/null
@@ -0,0 +1 @@
+CFCA_EV_ROOT.pem
\ No newline at end of file
diff --git a/ssl/certs/0b759015.0 b/ssl/certs/0b759015.0
deleted file mode 120000 (symlink)
index d77a6c4..0000000
+++ /dev/null
@@ -1 +0,0 @@
-E-Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.pem
\ No newline at end of file
diff --git a/ssl/certs/0ba01d19.0 b/ssl/certs/0ba01d19.0
deleted file mode 120000 (symlink)
index 4cf7655..0000000
+++ /dev/null
@@ -1 +0,0 @@
-SG_TRUST_SERVICES_RACINE.pem
\ No newline at end of file
diff --git a/ssl/certs/0d188d89.0 b/ssl/certs/0d188d89.0
deleted file mode 120000 (symlink)
index d77a6c4..0000000
+++ /dev/null
@@ -1 +0,0 @@
-E-Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.pem
\ No newline at end of file
diff --git a/ssl/certs/0d5a4e1c.0 b/ssl/certs/0d5a4e1c.0
new file mode 120000 (symlink)
index 0000000..6f6df9e
--- /dev/null
@@ -0,0 +1 @@
+TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5.pem
\ No newline at end of file
diff --git a/ssl/certs/0d69c7e1.0 b/ssl/certs/0d69c7e1.0
new file mode 120000 (symlink)
index 0000000..6ab0a22
--- /dev/null
@@ -0,0 +1 @@
+GlobalSign_ECC_Root_CA_-_R4.pem
\ No newline at end of file
diff --git a/ssl/certs/0dad9736.0 b/ssl/certs/0dad9736.0
deleted file mode 120000 (symlink)
index 4cf7655..0000000
+++ /dev/null
@@ -1 +0,0 @@
-SG_TRUST_SERVICES_RACINE.pem
\ No newline at end of file
diff --git a/ssl/certs/106f3e4d.0 b/ssl/certs/106f3e4d.0
new file mode 120000 (symlink)
index 0000000..433d7b1
--- /dev/null
@@ -0,0 +1 @@
+Entrust_Root_Certification_Authority_-_EC1.pem
\ No newline at end of file
diff --git a/ssl/certs/13ea5b5f.0 b/ssl/certs/13ea5b5f.0
new file mode 120000 (symlink)
index 0000000..e78b135
--- /dev/null
@@ -0,0 +1 @@
+ssl-cert-snakeoil.pem
\ No newline at end of file
diff --git a/ssl/certs/19c1fa33.0 b/ssl/certs/19c1fa33.0
new file mode 120000 (symlink)
index 0000000..691724a
--- /dev/null
@@ -0,0 +1 @@
+S-TRUST_Universal_Root_CA.pem
\ No newline at end of file
diff --git a/ssl/certs/1d3472b9.0 b/ssl/certs/1d3472b9.0
new file mode 120000 (symlink)
index 0000000..b76c9bc
--- /dev/null
@@ -0,0 +1 @@
+GlobalSign_ECC_Root_CA_-_R5.pem
\ No newline at end of file
diff --git a/ssl/certs/1e08bfd1.0 b/ssl/certs/1e08bfd1.0
new file mode 120000 (symlink)
index 0000000..8445bf8
--- /dev/null
@@ -0,0 +1 @@
+IdenTrust_Public_Sector_Root_CA_1.pem
\ No newline at end of file
diff --git a/ssl/certs/201cada0.0 b/ssl/certs/201cada0.0
deleted file mode 120000 (symlink)
index ce3441c..0000000
+++ /dev/null
@@ -1 +0,0 @@
-America_Online_Root_Certification_Authority_2.pem
\ No newline at end of file
diff --git a/ssl/certs/2251b13a.0 b/ssl/certs/2251b13a.0
deleted file mode 120000 (symlink)
index a818c21..0000000
+++ /dev/null
@@ -1 +0,0 @@
-ComSign_Secured_CA.pem
\ No newline at end of file
diff --git a/ssl/certs/262ba90f.0 b/ssl/certs/262ba90f.0
new file mode 120000 (symlink)
index 0000000..c1e72f7
--- /dev/null
@@ -0,0 +1 @@
+Certification_Authority_of_WoSign_G2.pem
\ No newline at end of file
diff --git a/ssl/certs/26eaad2f.0 b/ssl/certs/26eaad2f.0
new file mode 120000 (symlink)
index 0000000..628c97d
--- /dev/null
@@ -0,0 +1 @@
+CA_WoSign_ECC_Root.pem
\ No newline at end of file
diff --git a/ssl/certs/2add47b6.0 b/ssl/certs/2add47b6.0
new file mode 120000 (symlink)
index 0000000..b76c9bc
--- /dev/null
@@ -0,0 +1 @@
+GlobalSign_ECC_Root_CA_-_R5.pem
\ No newline at end of file
diff --git a/ssl/certs/2afc57aa.0 b/ssl/certs/2afc57aa.0
deleted file mode 120000 (symlink)
index 8ff7099..0000000
+++ /dev/null
@@ -1 +0,0 @@
-TC_TrustCenter_Class_2_CA_II.pem
\ No newline at end of file
diff --git a/ssl/certs/2fb1850a.0 b/ssl/certs/2fb1850a.0
deleted file mode 120000 (symlink)
index ce3441c..0000000
+++ /dev/null
@@ -1 +0,0 @@
-America_Online_Root_Certification_Authority_2.pem
\ No newline at end of file
diff --git a/ssl/certs/35105088.0 b/ssl/certs/35105088.0
new file mode 120000 (symlink)
index 0000000..e29daca
--- /dev/null
@@ -0,0 +1 @@
+USERTrust_RSA_Certification_Authority.pem
\ No newline at end of file
diff --git a/ssl/certs/3c6676aa.0 b/ssl/certs/3c6676aa.0
new file mode 120000 (symlink)
index 0000000..5167cdf
--- /dev/null
@@ -0,0 +1 @@
+Staat_der_Nederlanden_EV_Root_CA.pem
\ No newline at end of file
diff --git a/ssl/certs/455f1b52.0 b/ssl/certs/455f1b52.0
new file mode 120000 (symlink)
index 0000000..8f7ad29
--- /dev/null
@@ -0,0 +1 @@
+Entrust_Root_Certification_Authority_-_G2.pem
\ No newline at end of file
diff --git a/ssl/certs/4be590e0.0 b/ssl/certs/4be590e0.0
new file mode 120000 (symlink)
index 0000000..8445bf8
--- /dev/null
@@ -0,0 +1 @@
+IdenTrust_Public_Sector_Root_CA_1.pem
\ No newline at end of file
diff --git a/ssl/certs/4d654d1d.0 b/ssl/certs/4d654d1d.0
deleted file mode 120000 (symlink)
index a6320be..0000000
+++ /dev/null
@@ -1 +0,0 @@
-GTE_CyberTrust_Global_Root.pem
\ No newline at end of file
diff --git a/ssl/certs/4fbd6bfa.0 b/ssl/certs/4fbd6bfa.0
deleted file mode 120000 (symlink)
index 08d92a2..0000000
+++ /dev/null
@@ -1 +0,0 @@
-UTN_DATACorp_SGC_Root_CA.pem
\ No newline at end of file
diff --git a/ssl/certs/5021a0a2.0 b/ssl/certs/5021a0a2.0
deleted file mode 120000 (symlink)
index 83c343e..0000000
+++ /dev/null
@@ -1 +0,0 @@
-TC_TrustCenter_Universal_CA_I.pem
\ No newline at end of file
diff --git a/ssl/certs/553c356e.0 b/ssl/certs/553c356e.0
new file mode 120000 (symlink)
index 0000000..e78b135
--- /dev/null
@@ -0,0 +1 @@
+ssl-cert-snakeoil.pem
\ No newline at end of file
diff --git a/ssl/certs/56b8a0b6.0 b/ssl/certs/56b8a0b6.0
deleted file mode 120000 (symlink)
index d743974..0000000
+++ /dev/null
@@ -1 +0,0 @@
-TURKTRUST_Certificate_Services_Provider_Root_2.pem
\ No newline at end of file
diff --git a/ssl/certs/5a250ea7.0 b/ssl/certs/5a250ea7.0
new file mode 120000 (symlink)
index 0000000..bbad2cb
--- /dev/null
@@ -0,0 +1 @@
+Staat_der_Nederlanden_Root_CA_-_G3.pem
\ No newline at end of file
diff --git a/ssl/certs/5a4d6896.0 b/ssl/certs/5a4d6896.0
new file mode 120000 (symlink)
index 0000000..bbad2cb
--- /dev/null
@@ -0,0 +1 @@
+Staat_der_Nederlanden_Root_CA_-_G3.pem
\ No newline at end of file
diff --git a/ssl/certs/631c779f.0 b/ssl/certs/631c779f.0
new file mode 120000 (symlink)
index 0000000..691724a
--- /dev/null
@@ -0,0 +1 @@
+S-TRUST_Universal_Root_CA.pem
\ No newline at end of file
diff --git a/ssl/certs/6645de82.0 b/ssl/certs/6645de82.0
new file mode 120000 (symlink)
index 0000000..c07d435
--- /dev/null
@@ -0,0 +1 @@
+TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H6.pem
\ No newline at end of file
diff --git a/ssl/certs/6cc3c4c3.0 b/ssl/certs/6cc3c4c3.0
deleted file mode 120000 (symlink)
index d9b56b9..0000000
+++ /dev/null
@@ -1 +0,0 @@
-Thawte_Server_CA.pem
\ No newline at end of file
diff --git a/ssl/certs/778e3cb0.0 b/ssl/certs/778e3cb0.0
deleted file mode 120000 (symlink)
index 08d92a2..0000000
+++ /dev/null
@@ -1 +0,0 @@
-UTN_DATACorp_SGC_Root_CA.pem
\ No newline at end of file
diff --git a/ssl/certs/7992b8bb.0 b/ssl/certs/7992b8bb.0
new file mode 120000 (symlink)
index 0000000..6f6df9e
--- /dev/null
@@ -0,0 +1 @@
+TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5.pem
\ No newline at end of file
diff --git a/ssl/certs/84cba82f.0 b/ssl/certs/84cba82f.0
deleted file mode 120000 (symlink)
index 43a1892..0000000
+++ /dev/null
@@ -1 +0,0 @@
-TURKTRUST_Certificate_Services_Provider_Root_1.pem
\ No newline at end of file
diff --git a/ssl/certs/88f89ea7.0 b/ssl/certs/88f89ea7.0
deleted file mode 120000 (symlink)
index 43a1892..0000000
+++ /dev/null
@@ -1 +0,0 @@
-TURKTRUST_Certificate_Services_Provider_Root_1.pem
\ No newline at end of file
diff --git a/ssl/certs/8e52d3cd.0 b/ssl/certs/8e52d3cd.0
deleted file mode 120000 (symlink)
index 80f08aa..0000000
+++ /dev/null
@@ -1 +0,0 @@
-Buypass_Class_3_CA_1.pem
\ No newline at end of file
diff --git a/ssl/certs/9282e51c.0 b/ssl/certs/9282e51c.0
new file mode 120000 (symlink)
index 0000000..69ff81e
--- /dev/null
@@ -0,0 +1 @@
+CFCA_EV_ROOT.pem
\ No newline at end of file
diff --git a/ssl/certs/98ec67f0.0 b/ssl/certs/98ec67f0.0
deleted file mode 120000 (symlink)
index 96360b2..0000000
+++ /dev/null
@@ -1 +0,0 @@
-Thawte_Premium_Server_CA.pem
\ No newline at end of file
diff --git a/ssl/certs/9c472bf7.0 b/ssl/certs/9c472bf7.0
deleted file mode 120000 (symlink)
index 6d9e3ae..0000000
+++ /dev/null
@@ -1 +0,0 @@
-A-Trust-nQual-03.pem
\ No newline at end of file
diff --git a/ssl/certs/9f0f5fd6.0 b/ssl/certs/9f0f5fd6.0
new file mode 120000 (symlink)
index 0000000..bcbbc5f
--- /dev/null
@@ -0,0 +1 @@
+Certinomis_-_Root_CA.pem
\ No newline at end of file
diff --git a/ssl/certs/9f541fb4.0 b/ssl/certs/9f541fb4.0
deleted file mode 120000 (symlink)
index 9982aa5..0000000
+++ /dev/null
@@ -1 +0,0 @@
-Digital_Signature_Trust_Co._Global_CA_3.pem
\ No newline at end of file
diff --git a/ssl/certs/A-Trust-nQual-03.pem b/ssl/certs/A-Trust-nQual-03.pem
deleted file mode 120000 (symlink)
index 537bc59..0000000
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/ca-certificates/mozilla/A-Trust-nQual-03.crt
\ No newline at end of file
diff --git a/ssl/certs/America_Online_Root_Certification_Authority_1.pem b/ssl/certs/America_Online_Root_Certification_Authority_1.pem
deleted file mode 120000 (symlink)
index 7bc40e2..0000000
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/ca-certificates/mozilla/America_Online_Root_Certification_Authority_1.crt
\ No newline at end of file
diff --git a/ssl/certs/America_Online_Root_Certification_Authority_2.pem b/ssl/certs/America_Online_Root_Certification_Authority_2.pem
deleted file mode 120000 (symlink)
index cfb37b2..0000000
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/ca-certificates/mozilla/America_Online_Root_Certification_Authority_2.crt
\ No newline at end of file
diff --git a/ssl/certs/Buypass_Class_3_CA_1.pem b/ssl/certs/Buypass_Class_3_CA_1.pem
deleted file mode 120000 (symlink)
index 1a26bd9..0000000
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/ca-certificates/mozilla/Buypass_Class_3_CA_1.crt
\ No newline at end of file
diff --git a/ssl/certs/CA_WoSign_ECC_Root.pem b/ssl/certs/CA_WoSign_ECC_Root.pem
new file mode 120000 (symlink)
index 0000000..a5e3632
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/ca-certificates/mozilla/CA_WoSign_ECC_Root.crt
\ No newline at end of file
diff --git a/ssl/certs/CFCA_EV_ROOT.pem b/ssl/certs/CFCA_EV_ROOT.pem
new file mode 120000 (symlink)
index 0000000..5c79296
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/ca-certificates/mozilla/CFCA_EV_ROOT.crt
\ No newline at end of file
diff --git a/ssl/certs/COMODO_RSA_Certification_Authority.pem b/ssl/certs/COMODO_RSA_Certification_Authority.pem
new file mode 120000 (symlink)
index 0000000..ffb0fae
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/ca-certificates/mozilla/COMODO_RSA_Certification_Authority.crt
\ No newline at end of file
diff --git a/ssl/certs/Certification_Authority_of_WoSign_G2.pem b/ssl/certs/Certification_Authority_of_WoSign_G2.pem
new file mode 120000 (symlink)
index 0000000..ffec4ca
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/ca-certificates/mozilla/Certification_Authority_of_WoSign_G2.crt
\ No newline at end of file
diff --git a/ssl/certs/Certinomis_-_Root_CA.pem b/ssl/certs/Certinomis_-_Root_CA.pem
new file mode 120000 (symlink)
index 0000000..3aa9877
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/ca-certificates/mozilla/Certinomis_-_Root_CA.crt
\ No newline at end of file
diff --git a/ssl/certs/ComSign_Secured_CA.pem b/ssl/certs/ComSign_Secured_CA.pem
deleted file mode 120000 (symlink)
index 19064d4..0000000
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/ca-certificates/mozilla/ComSign_Secured_CA.crt
\ No newline at end of file
diff --git a/ssl/certs/Digital_Signature_Trust_Co._Global_CA_1.pem b/ssl/certs/Digital_Signature_Trust_Co._Global_CA_1.pem
deleted file mode 120000 (symlink)
index 03ac639..0000000
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/ca-certificates/mozilla/Digital_Signature_Trust_Co._Global_CA_1.crt
\ No newline at end of file
diff --git a/ssl/certs/Digital_Signature_Trust_Co._Global_CA_3.pem b/ssl/certs/Digital_Signature_Trust_Co._Global_CA_3.pem
deleted file mode 120000 (symlink)
index 9af8b34..0000000
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/ca-certificates/mozilla/Digital_Signature_Trust_Co._Global_CA_3.crt
\ No newline at end of file
diff --git a/ssl/certs/E-Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.pem b/ssl/certs/E-Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.pem
deleted file mode 120000 (symlink)
index d78bf05..0000000
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/ca-certificates/mozilla/E-Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.crt
\ No newline at end of file
diff --git a/ssl/certs/Entrust_Root_Certification_Authority_-_EC1.pem b/ssl/certs/Entrust_Root_Certification_Authority_-_EC1.pem
new file mode 120000 (symlink)
index 0000000..0981741
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_EC1.crt
\ No newline at end of file
diff --git a/ssl/certs/Entrust_Root_Certification_Authority_-_G2.pem b/ssl/certs/Entrust_Root_Certification_Authority_-_G2.pem
new file mode 120000 (symlink)
index 0000000..ad49a19
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_G2.crt
\ No newline at end of file
diff --git a/ssl/certs/GTE_CyberTrust_Global_Root.pem b/ssl/certs/GTE_CyberTrust_Global_Root.pem
deleted file mode 120000 (symlink)
index a7f2ed1..0000000
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/ca-certificates/mozilla/GTE_CyberTrust_Global_Root.crt
\ No newline at end of file
diff --git a/ssl/certs/GlobalSign_ECC_Root_CA_-_R4.pem b/ssl/certs/GlobalSign_ECC_Root_CA_-_R4.pem
new file mode 120000 (symlink)
index 0000000..51ce324
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R4.crt
\ No newline at end of file
diff --git a/ssl/certs/GlobalSign_ECC_Root_CA_-_R5.pem b/ssl/certs/GlobalSign_ECC_Root_CA_-_R5.pem
new file mode 120000 (symlink)
index 0000000..4a26990
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R5.crt
\ No newline at end of file
diff --git a/ssl/certs/IdenTrust_Commercial_Root_CA_1.pem b/ssl/certs/IdenTrust_Commercial_Root_CA_1.pem
new file mode 120000 (symlink)
index 0000000..02d40ff
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/ca-certificates/mozilla/IdenTrust_Commercial_Root_CA_1.crt
\ No newline at end of file
diff --git a/ssl/certs/IdenTrust_Public_Sector_Root_CA_1.pem b/ssl/certs/IdenTrust_Public_Sector_Root_CA_1.pem
new file mode 120000 (symlink)
index 0000000..25f7c77
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/ca-certificates/mozilla/IdenTrust_Public_Sector_Root_CA_1.crt
\ No newline at end of file
diff --git a/ssl/certs/OISTE_WISeKey_Global_Root_GB_CA.pem b/ssl/certs/OISTE_WISeKey_Global_Root_GB_CA.pem
new file mode 120000 (symlink)
index 0000000..3dbaca4
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/ca-certificates/mozilla/OISTE_WISeKey_Global_Root_GB_CA.crt
\ No newline at end of file
diff --git a/ssl/certs/S-TRUST_Universal_Root_CA.pem b/ssl/certs/S-TRUST_Universal_Root_CA.pem
new file mode 120000 (symlink)
index 0000000..27025c2
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/ca-certificates/mozilla/S-TRUST_Universal_Root_CA.crt
\ No newline at end of file
diff --git a/ssl/certs/SG_TRUST_SERVICES_RACINE.pem b/ssl/certs/SG_TRUST_SERVICES_RACINE.pem
deleted file mode 120000 (symlink)
index a0e03ab..0000000
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/ca-certificates/mozilla/SG_TRUST_SERVICES_RACINE.crt
\ No newline at end of file
diff --git a/ssl/certs/Staat_der_Nederlanden_EV_Root_CA.pem b/ssl/certs/Staat_der_Nederlanden_EV_Root_CA.pem
new file mode 120000 (symlink)
index 0000000..e1d64aa
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/ca-certificates/mozilla/Staat_der_Nederlanden_EV_Root_CA.crt
\ No newline at end of file
diff --git a/ssl/certs/Staat_der_Nederlanden_Root_CA_-_G3.pem b/ssl/certs/Staat_der_Nederlanden_Root_CA_-_G3.pem
new file mode 120000 (symlink)
index 0000000..37ac9b3
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/ca-certificates/mozilla/Staat_der_Nederlanden_Root_CA_-_G3.crt
\ No newline at end of file
diff --git a/ssl/certs/TC_TrustCenter_Class_2_CA_II.pem b/ssl/certs/TC_TrustCenter_Class_2_CA_II.pem
deleted file mode 120000 (symlink)
index 90e59bd..0000000
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/ca-certificates/mozilla/TC_TrustCenter_Class_2_CA_II.crt
\ No newline at end of file
diff --git a/ssl/certs/TC_TrustCenter_Universal_CA_I.pem b/ssl/certs/TC_TrustCenter_Universal_CA_I.pem
deleted file mode 120000 (symlink)
index bd4176c..0000000
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/ca-certificates/mozilla/TC_TrustCenter_Universal_CA_I.crt
\ No newline at end of file
diff --git a/ssl/certs/TURKTRUST_Certificate_Services_Provider_Root_1.pem b/ssl/certs/TURKTRUST_Certificate_Services_Provider_Root_1.pem
deleted file mode 120000 (symlink)
index e8576c8..0000000
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/ca-certificates/mozilla/TURKTRUST_Certificate_Services_Provider_Root_1.crt
\ No newline at end of file
diff --git a/ssl/certs/TURKTRUST_Certificate_Services_Provider_Root_2.pem b/ssl/certs/TURKTRUST_Certificate_Services_Provider_Root_2.pem
deleted file mode 120000 (symlink)
index 25681e0..0000000
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/ca-certificates/mozilla/TURKTRUST_Certificate_Services_Provider_Root_2.crt
\ No newline at end of file
diff --git a/ssl/certs/Thawte_Premium_Server_CA.pem b/ssl/certs/Thawte_Premium_Server_CA.pem
deleted file mode 120000 (symlink)
index c3d7894..0000000
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/ca-certificates/mozilla/Thawte_Premium_Server_CA.crt
\ No newline at end of file
diff --git a/ssl/certs/Thawte_Server_CA.pem b/ssl/certs/Thawte_Server_CA.pem
deleted file mode 120000 (symlink)
index 0e664ea..0000000
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/ca-certificates/mozilla/Thawte_Server_CA.crt
\ No newline at end of file
diff --git a/ssl/certs/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5.pem b/ssl/certs/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5.pem
new file mode 120000 (symlink)
index 0000000..f1f0dfe
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/ca-certificates/mozilla/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5.crt
\ No newline at end of file
diff --git a/ssl/certs/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H6.pem b/ssl/certs/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H6.pem
new file mode 120000 (symlink)
index 0000000..181c0c7
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/ca-certificates/mozilla/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H6.crt
\ No newline at end of file
diff --git a/ssl/certs/USERTrust_ECC_Certification_Authority.pem b/ssl/certs/USERTrust_ECC_Certification_Authority.pem
new file mode 120000 (symlink)
index 0000000..2d72c32
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/ca-certificates/mozilla/USERTrust_ECC_Certification_Authority.crt
\ No newline at end of file
diff --git a/ssl/certs/USERTrust_RSA_Certification_Authority.pem b/ssl/certs/USERTrust_RSA_Certification_Authority.pem
new file mode 120000 (symlink)
index 0000000..dbdd940
--- /dev/null
@@ -0,0 +1 @@
+/usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt
\ No newline at end of file
diff --git a/ssl/certs/UTN_DATACorp_SGC_Root_CA.pem b/ssl/certs/UTN_DATACorp_SGC_Root_CA.pem
deleted file mode 120000 (symlink)
index 8bee682..0000000
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/ca-certificates/mozilla/UTN_DATACorp_SGC_Root_CA.crt
\ No newline at end of file
diff --git a/ssl/certs/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.pem b/ssl/certs/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.pem
deleted file mode 120000 (symlink)
index 8c2ff85..0000000
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/ca-certificates/mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.crt
\ No newline at end of file
diff --git a/ssl/certs/a15b3b6b.0 b/ssl/certs/a15b3b6b.0
deleted file mode 120000 (symlink)
index 9982aa5..0000000
+++ /dev/null
@@ -1 +0,0 @@
-Digital_Signature_Trust_Co._Global_CA_3.pem
\ No newline at end of file
diff --git a/ssl/certs/a5fd78f0.0 b/ssl/certs/a5fd78f0.0
deleted file mode 120000 (symlink)
index 8ff7099..0000000
+++ /dev/null
@@ -1 +0,0 @@
-TC_TrustCenter_Class_2_CA_II.pem
\ No newline at end of file
diff --git a/ssl/certs/a6a593ba.0 b/ssl/certs/a6a593ba.0
deleted file mode 120000 (symlink)
index 181058d..0000000
+++ /dev/null
@@ -1 +0,0 @@
-Digital_Signature_Trust_Co._Global_CA_1.pem
\ No newline at end of file
diff --git a/ssl/certs/b0e59380.0 b/ssl/certs/b0e59380.0
new file mode 120000 (symlink)
index 0000000..6ab0a22
--- /dev/null
@@ -0,0 +1 @@
+GlobalSign_ECC_Root_CA_-_R4.pem
\ No newline at end of file
diff --git a/ssl/certs/b3fb433b.0 b/ssl/certs/b3fb433b.0
new file mode 120000 (symlink)
index 0000000..433d7b1
--- /dev/null
@@ -0,0 +1 @@
+Entrust_Root_Certification_Authority_-_EC1.pem
\ No newline at end of file
diff --git a/ssl/certs/bad35b78.0 b/ssl/certs/bad35b78.0
deleted file mode 120000 (symlink)
index 885f4ff..0000000
+++ /dev/null
@@ -1 +0,0 @@
-Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.pem
\ No newline at end of file
diff --git a/ssl/certs/bda4cc84.0 b/ssl/certs/bda4cc84.0
deleted file mode 120000 (symlink)
index 11e6482..0000000
+++ /dev/null
@@ -1 +0,0 @@
-America_Online_Root_Certification_Authority_1.pem
\ No newline at end of file
diff --git a/ssl/certs/c215bc69.0 b/ssl/certs/c215bc69.0
deleted file mode 120000 (symlink)
index 181058d..0000000
+++ /dev/null
@@ -1 +0,0 @@
-Digital_Signature_Trust_Co._Global_CA_1.pem
\ No newline at end of file
diff --git a/ssl/certs/c33a80d4.0 b/ssl/certs/c33a80d4.0
deleted file mode 120000 (symlink)
index 96360b2..0000000
+++ /dev/null
@@ -1 +0,0 @@
-Thawte_Premium_Server_CA.pem
\ No newline at end of file
diff --git a/ssl/certs/c3a6a9ad.0 b/ssl/certs/c3a6a9ad.0
deleted file mode 120000 (symlink)
index 6d9e3ae..0000000
+++ /dev/null
@@ -1 +0,0 @@
-A-Trust-nQual-03.pem
\ No newline at end of file
diff --git a/ssl/certs/c527e4ab.0 b/ssl/certs/c527e4ab.0
deleted file mode 120000 (symlink)
index 885f4ff..0000000
+++ /dev/null
@@ -1 +0,0 @@
-Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.pem
\ No newline at end of file
diff --git a/ssl/certs/c679bc3f.0 b/ssl/certs/c679bc3f.0
new file mode 120000 (symlink)
index 0000000..c07d435
--- /dev/null
@@ -0,0 +1 @@
+TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H6.pem
\ No newline at end of file
diff --git a/ssl/certs/c692a373.0 b/ssl/certs/c692a373.0
deleted file mode 120000 (symlink)
index a6320be..0000000
+++ /dev/null
@@ -1 +0,0 @@
-GTE_CyberTrust_Global_Root.pem
\ No newline at end of file
diff --git a/ssl/certs/c8841d13.0 b/ssl/certs/c8841d13.0
deleted file mode 120000 (symlink)
index 83c343e..0000000
+++ /dev/null
@@ -1 +0,0 @@
-TC_TrustCenter_Universal_CA_I.pem
\ No newline at end of file
index 3a43b642816630bf49a810b76deaba35df3ea077..92de1ba617ee13f72c44f2640f47c85b45c99822 100644 (file)
@@ -328,61 +328,6 @@ aobgxCd05DhT1wV/GzTjxi+zygk8N53X57hG8f2h4nECMEJZh0PUUd+60wkyWs6I
 flc9nF9Ca/UHLbXwgpP5WW+uZPpY5Yse42O+tYHNbwKMeQ==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIDpDCCAoygAwIBAgIBATANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEc
-MBoGA1UEChMTQW1lcmljYSBPbmxpbmUgSW5jLjE2MDQGA1UEAxMtQW1lcmljYSBP
-bmxpbmUgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAxMB4XDTAyMDUyODA2
-MDAwMFoXDTM3MTExOTIwNDMwMFowYzELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE0Ft
-ZXJpY2EgT25saW5lIEluYy4xNjA0BgNVBAMTLUFtZXJpY2EgT25saW5lIFJvb3Qg
-Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKgv6KRpBgNHw+kqmP8ZonCaxlCyfqXfaE0bfA+2l2h9LaaLl+lk
-hsmj76CGv2BlnEtUiMJIxUo5vxTjWVXlGbR0yLQFOVwWpeKVBeASrlmLojNoWBym
-1BW32J/X3HGrfpq/m44zDyL9Hy7nBzbvYjnF3cu6JRQj3gzGPTzOggjmZj7aUTsW
-OqMFf6Dch9Wc/HKpoH145LcxVR5lu9RhsCFg7RAycsWSJR74kEoYeEfffjA3PlAb
-2xzTa5qGUwew76wGePiEmf4hjUyAtgyC9mZweRrTT6PP8c9GsEsPPt2IYriMqQko
-O3rHl+Ee5fSfwMCuJKDIodkP1nsmgmkyPacCAwEAAaNjMGEwDwYDVR0TAQH/BAUw
-AwEB/zAdBgNVHQ4EFgQUAK3Zo/Z59m50qX8zPYEX10zPM94wHwYDVR0jBBgwFoAU
-AK3Zo/Z59m50qX8zPYEX10zPM94wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB
-BQUAA4IBAQB8itEfGDeC4Liwo+1WlchiYZwFos3CYiZhzRAW18y0ZTTQEYqtqKkF
-Zu90821fnZmv9ov761KyBZiibyrFVL0lvV+uyIbqRizBs73B6UlwGBaXCBOMIOAb
-LjpHyx7kADCVW/RFo8AasAFOq73AI25jP4BKxQft3OJvx8Fi8eNy1gTIdGcL+oir
-oQHIb/AUr9KZzVGTfu0uOMe9zkZQPXLjeSWdm4grECDdpbgyn43gKd8hdIaC2y+C
-MMbHNYaz+ZZfRtsMRf3zUMNvxsNIrUam4SdHCh0Om7bCd39j8uB9Gr784N/Xx6ds
-sPmuujz9dLQR6FgNgLzTqIA6me11zEZ7
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIFpDCCA4ygAwIBAgIBATANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEc
-MBoGA1UEChMTQW1lcmljYSBPbmxpbmUgSW5jLjE2MDQGA1UEAxMtQW1lcmljYSBP
-bmxpbmUgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAyMB4XDTAyMDUyODA2
-MDAwMFoXDTM3MDkyOTE0MDgwMFowYzELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE0Ft
-ZXJpY2EgT25saW5lIEluYy4xNjA0BgNVBAMTLUFtZXJpY2EgT25saW5lIFJvb3Qg
-Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkgMjCCAiIwDQYJKoZIhvcNAQEBBQADggIP
-ADCCAgoCggIBAMxBRR3pPU0Q9oyxQcngXssNt79Hc9PwVU3dxgz6sWYFas14tNwC
-206B89enfHG8dWOgXeMHDEjsJcQDIPT/DjsS/5uN4cbVG7RtIuOx238hZK+GvFci
-KtZHgVdEglZTvYYUAQv8f3SkWq7xuhG1m1hagLQ3eAkzfDJHA1zEpYNI9FdWboE2
-JxhP7JsowtS013wMPgwr38oE18aO6lhOqKSlGBxsRZijQdEt0sdtjRnxrXm3gT+9
-BoInLRBYBbV4Bbkv2wxrkJB+FFk4u5QkE+XRnRTf04JNRvCAOVIyD+OEsnpD8l7e
-Xz8d3eOyG6ChKiMDbi4BFYdcpnV1x5dhvt6G3NRI270qv0pV2uh9UPu0gBe4lL8B
-PeraunzgWGcXuVjgiIZGZ2ydEEdYMtA1fHkqkKJaEBEjNa0vzORKW6fIJ/KD3l67
-Xnfn6KVuY8INXWHQjNJsWiEOyiijzirplcdIz5ZvHZIlyMbGwcEMBawmxNJ10uEq
-Z8A9W6Wa6897GqidFEXlD6CaZd4vKL3Ob5Rmg0gp2OpljK+T2WSfVVcmv2/LNzGZ
-o2C7HK2JNDJiuEMhBnIMoVxtRsX6Kc8w3onccVvdtjc+31D1uAclJuW8tf48ArO3
-+L5DwYcRlJ4jbBeKuIonDFRH8KmzwICMoCfrHRnjB453cMor9H124HhnAgMBAAGj
-YzBhMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFE1FwWg4u3OpaaEg5+31IqEj
-FNeeMB8GA1UdIwQYMBaAFE1FwWg4u3OpaaEg5+31IqEjFNeeMA4GA1UdDwEB/wQE
-AwIBhjANBgkqhkiG9w0BAQUFAAOCAgEAZ2sGuV9FOypLM7PmG2tZTiLMubekJcmn
-xPBUlgtk87FYT15R/LKXeydlwuXK5w0MJXti4/qftIe3RUavg6WXSIylvfEWK5t2
-LHo1YGwRgJfMqZJS5ivmae2p+DYtLHe/YUjRYwu5W1LtGLBDQiKmsXeu3mnFzccc
-obGlHBD7GL4acN3Bkku+KVqdPzW+5X1R+FXgJXUjhx5c3LqdsKyzadsXg8n33gy8
-CNyRnqjQ1xU3c6U1uPx+xURABsPr+CKAXEfOAuMRn0T//ZoyzH1kUQ7rVyZ2OuMe
-IjzCpjbdGe+n/BLzJsBZMYVMnNjP36TMzCmT/5RtdlwTCJfy7aULTd3oyWgOZtMA
-DjMSW7yV5TKQqLPGbIOtd+6Lfn6xqavT4fG2wLHqiMDn05DpKJKUe2h7lyoKZy2F
-AjgQ5ANh1NolNscIWC2hp1GvMApJ9aZphwctREZ2jirlmjvXGKL8nDgQzMY70rUX
-Om/9riW99XJZZLF0KjhfGEzfz3EEWjbUvy+ZnOjZurGV5gJLIaFb1cFPj65pbVPb
-AZO1XB4Y3WRayhgoPmMEEf0cjQAPuDffZ4qdZqkCapH/E8ovXYO8h5Ns3CRRFgQl
-Zvqz2cK6Kb6aSDiCmfS/O0oxGfm/jiEzFMpPVF/7zvuPcX/9XhmgD0uRuMRUvAaw
-RY8mkaKO/qk=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
 MIIDoDCCAoigAwIBAgIBMTANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJKUDEc
 MBoGA1UEChMTSmFwYW5lc2UgR292ZXJubWVudDEWMBQGA1UECxMNQXBwbGljYXRp
 b25DQTAeFw0wNzEyMTIxNTAwMDBaFw0xNzEyMTIxNTAwMDBaMEMxCzAJBgNVBAYT
@@ -426,29 +371,6 @@ lmh6cYGJ4Qvh6hEbaAjMaZ7snkGeRDImeuKHCnE96+RapNLbxc3G3mB/ufNPRJLv
 KrcYPqcZ2Qt9sTdBQrC6YB3y/gkRsPCHe6ed
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIDzzCCAregAwIBAgIDAWweMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYDVQQGEwJB
-VDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hlcmhlaXRzc3lzdGVtZSBp
-bSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMRkwFwYDVQQLDBBBLVRydXN0LW5R
-dWFsLTAzMRkwFwYDVQQDDBBBLVRydXN0LW5RdWFsLTAzMB4XDTA1MDgxNzIyMDAw
-MFoXDTE1MDgxNzIyMDAwMFowgY0xCzAJBgNVBAYTAkFUMUgwRgYDVQQKDD9BLVRy
-dXN0IEdlcy4gZi4gU2ljaGVyaGVpdHNzeXN0ZW1lIGltIGVsZWt0ci4gRGF0ZW52
-ZXJrZWhyIEdtYkgxGTAXBgNVBAsMEEEtVHJ1c3QtblF1YWwtMDMxGTAXBgNVBAMM
-EEEtVHJ1c3QtblF1YWwtMDMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-AQCtPWFuA/OQO8BBC4SAzewqo51ru27CQoT3URThoKgtUaNR8t4j8DRE/5TrzAUj
-lUC5B3ilJfYKvUWG6Nm9wASOhURh73+nyfrBJcyFLGM/BWBzSQXgYHiVEEvc+RFZ
-znF/QJuKqiTfC0Li21a8StKlDJu3Qz7dg9MmEALP6iPESU7l0+m0iKsMrmKS1GWH
-2WrX9IWf5DMiJaXlyDO6w8dB3F/GaswADm0yqLaHNgBid5seHzTLkDx4iHQF63n1
-k3Flyp3HaxgtPVxO59X4PzF9j4fsCiIvI+n+u33J4PTs63zEsMMtYrWacdaxaujs
-2e3Vcuy+VwHOBVWf3tFgiBCzAgMBAAGjNjA0MA8GA1UdEwEB/wQFMAMBAf8wEQYD
-VR0OBAoECERqlWdVeRFPMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOC
-AQEAVdRU0VlIXLOThaq/Yy/kgM40ozRiPvbY7meIMQQDbwvUB/tOdQ/TLtPAF8fG
-KOwGDREkDg6lXb+MshOWcdzUzg4NCmgybLlBMRmrsQd7TZjTXLDR8KdCoLXEjq/+
-8T/0709GAHbrAvv5ndJAlseIOrifEXnzgGWovR/TeIGgUUw3tKZdJXDRZslo+S4R
-FGjxVJgIrCaSD96JntT6s3kr0qN51OyLrIdTaEJMUVF0HhsnLuP1Hyl0Te2v9+GS
-mYHovjrHF1D2t8b8m7CKa9aIA5GPBnc6hQLdmNVDeD/GMBWsm2vLV7eJUYs66MmE
-DNuxUCAKGkq6ahq97BvIxYSazQ==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
 MIIGFDCCA/ygAwIBAgIIU+w77vuySF8wDQYJKoZIhvcNAQEFBQAwUTELMAkGA1UE
 BhMCRVMxQjBABgNVBAMMOUF1dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uIEZpcm1h
 cHJvZmVzaW9uYWwgQ0lGIEE2MjYzNDA2ODAeFw0wOTA1MjAwODM4MTVaFw0zMDEy
@@ -556,26 +478,6 @@ I+uUWnpp3Q+/QFesa1lQ2aOZ4W7+jQF5JyMV3pKdewlNWudLSDBaGOYKbeaP4NK7
 Y11aWOIv4x3kqdbQCtCev9eBCfHJxyYNrJgWVqA=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIDUzCCAjugAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJOTzEd
-MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxHTAbBgNVBAMMFEJ1eXBhc3Mg
-Q2xhc3MgMyBDQSAxMB4XDTA1MDUwOTE0MTMwM1oXDTE1MDUwOTE0MTMwM1owSzEL
-MAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MR0wGwYD
-VQQDDBRCdXlwYXNzIENsYXNzIDMgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKSO13TZKWTeXx+HgJHqTjnmGcZEC4DVC69TB4sSveZn8AKxifZg
-isRbsELRwCGoy+Gb72RRtqfPFfV0gGgEkKBYouZ0plNTVUhjP5JW3SROjvi6K//z
-NIqeKNc0n6wv1g/xpC+9UrJJhW05NfBEMJNGJPO251P7vGGvqaMU+8IXF4Rs4HyI
-+MkcVyzwPX6UvCWThOiaAJpFBUJXgPROztmuOfbIUxAMZTpHe2DC1vqRycZxbL2R
-hzyRhkmr8w+gbCZ2Xhysm3HljbybIR6c1jh+JIAVMYKWsUnTYjdbiAwKYjT+p0h+
-mbEwi5A3lRyoH6UsjfRVyNvdWQrCrXig9IsCAwEAAaNCMEAwDwYDVR0TAQH/BAUw
-AwEB/zAdBgNVHQ4EFgQUOBTmyPCppAP0Tj4io1vy1uCtQHQwDgYDVR0PAQH/BAQD
-AgEGMA0GCSqGSIb3DQEBBQUAA4IBAQABZ6OMySU9E2NdFm/soT4JXJEVKirZgCFP
-Bdy7pYmrEzMqnji3jG8CcmPHc3ceCQa6Oyh7pEfJYWsICCD8igWKH7y6xsL+z27s
-EzNxZy5p+qksP2bAEllNC1QCkoS72xLvg3BweMhT+t/Gxv/ciC8HwEmdMldg0/L2
-mSlf56oBzKwzqBwKu5HEA6BvtjT5htOzdlSY9EqBs1OdTUDs5XcTRa9bqh/YL0yC
-e/4qxFi7T/ye/QNlGioOw6UgFpRreaaiErS7GqQjel/wroQk5PMr+4okoyeYZdow
-dXb8GZHo2+ubPzK/QJcHJrrM85SFSnonk8+QQtS4Wxam58tAA915
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
 MIIFWTCCA0GgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJOTzEd
 MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxIDAeBgNVBAMMF0J1eXBhc3Mg
 Q2xhc3MgMyBSb290IENBMB4XDTEwMTAyNjA4Mjg1OFoXDTQwMTAyNjA4Mjg1OFow
@@ -1110,28 +1012,6 @@ Res3x+F2T3I5GN9+dHLHcy056mDmrRGiVod7w2ia/viMcKjfZTL0pECMocJEAw6U
 AGegcQCCSA==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIDqzCCApOgAwIBAgIRAMcoRwmzuGxFjB36JPU2TukwDQYJKoZIhvcNAQEFBQAw
-PDEbMBkGA1UEAxMSQ29tU2lnbiBTZWN1cmVkIENBMRAwDgYDVQQKEwdDb21TaWdu
-MQswCQYDVQQGEwJJTDAeFw0wNDAzMjQxMTM3MjBaFw0yOTAzMTYxNTA0NTZaMDwx
-GzAZBgNVBAMTEkNvbVNpZ24gU2VjdXJlZCBDQTEQMA4GA1UEChMHQ29tU2lnbjEL
-MAkGA1UEBhMCSUwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGtWhf
-HZQVw6QIVS3joFd67+l0Kru5fFdJGhFeTymHDEjWaueP1H5XJLkGieQcPOqs49oh
-gHMhCu95mGwfCP+hUH3ymBvJVG8+pSjsIQQPRbsHPaHA+iqYHU4Gk/v1iDurX8sW
-v+bznkqH7Rnqwp9D5PGBpX8QTz7RSmKtUxvLg/8HZaWSLWapW7ha9B20IZFKF3ue
-Mv5WJDmyVIRD9YTC2LxBkMyd1mja6YJQqTtoz7VdApRgFrFD2UNd3V2Hbuq7s8lr
-9gOUCXDeFhF6K+h2j0kQmHe5Y1yLM5d19guMsqtb3nQgJT/j8xH5h2iGNXHDHYwt
-6+UarA9z1YJZQIDTAgMBAAGjgacwgaQwDAYDVR0TBAUwAwEB/zBEBgNVHR8EPTA7
-MDmgN6A1hjNodHRwOi8vZmVkaXIuY29tc2lnbi5jby5pbC9jcmwvQ29tU2lnblNl
-Y3VyZWRDQS5jcmwwDgYDVR0PAQH/BAQDAgGGMB8GA1UdIwQYMBaAFMFL7XC29z58
-ADsAj8c+DkWfHl3sMB0GA1UdDgQWBBTBS+1wtvc+fAA7AI/HPg5Fnx5d7DANBgkq
-hkiG9w0BAQUFAAOCAQEAFs/ukhNQq3sUnjO2QiBq1BW9Cav8cujvR3qQrFHBZE7p
-iL1DRYHjZiM/EoZNGeQFsOY3wo3aBijJD4mkU6l1P7CW+6tMM1X5eCZGbxs2mPtC
-dsGCuY7e+0X5YxtiOzkGynd6qDwJz2w2PQ8KRUtpFhpFfTMDZflScZAmlaxMDPWL
-kz/MdXSFmLr/YnpNH4n+rr2UAJm/EaXc4HnFFgt9AmEd6oX5AhVP51qJThRv4zdL
-hfXBPGHg/QVBspJ/wx2g0K5SZGBrGMYmnNj1ZOQ2GmKfig8+/21OGVZOIJFsnzQz
-OjRXUDpvgV4GxvU+fE6OK85lBi5d0ipTdF7Tbieejw==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
 MIIDoTCCAomgAwIBAgILBAAAAAABD4WqLUgwDQYJKoZIhvcNAQEFBQAwOzEYMBYG
 A1UEChMPQ3liZXJ0cnVzdCwgSW5jMR8wHQYDVQQDExZDeWJlcnRydXN0IEdsb2Jh
 bCBSb290MB4XDTA2MTIxNTA4MDAwMFoXDTIxMTIxNTA4MDAwMFowOzEYMBYGA1UE
@@ -1349,44 +1229,6 @@ r/OSmbaz5mEP0oUA51Aa5BuVnRmhuZyxm7EAHu/QD09CbMkKvO5D+jpxpchNJqU1
 gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIDKTCCApKgAwIBAgIENnAVljANBgkqhkiG9w0BAQUFADBGMQswCQYDVQQGEwJV
-UzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMREwDwYDVQQL
-EwhEU1RDQSBFMTAeFw05ODEyMTAxODEwMjNaFw0xODEyMTAxODQwMjNaMEYxCzAJ
-BgNVBAYTAlVTMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4x
-ETAPBgNVBAsTCERTVENBIEUxMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQCg
-bIGpzzQeJN3+hijM3oMv+V7UQtLodGBmE5gGHKlREmlvMVW5SXIACH7TpWJENySZ
-j9mDSI+ZbZUTu0M7LklOiDfBu1h//uG9+LthzfNHwJmm8fOR6Hh8AMthyUQncWlV
-Sn5JTe2io74CTADKAqjuAQIxZA9SLRN0dja1erQtcQIBA6OCASQwggEgMBEGCWCG
-SAGG+EIBAQQEAwIABzBoBgNVHR8EYTBfMF2gW6BZpFcwVTELMAkGA1UEBhMCVVMx
-JDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0IENvLjERMA8GA1UECxMI
-RFNUQ0EgRTExDTALBgNVBAMTBENSTDEwKwYDVR0QBCQwIoAPMTk5ODEyMTAxODEw
-MjNagQ8yMDE4MTIxMDE4MTAyM1owCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFGp5
-fpFpRhgTCgJ3pVlbYJglDqL4MB0GA1UdDgQWBBRqeX6RaUYYEwoCd6VZW2CYJQ6i
-+DAMBgNVHRMEBTADAQH/MBkGCSqGSIb2fQdBAAQMMAobBFY0LjADAgSQMA0GCSqG
-SIb3DQEBBQUAA4GBACIS2Hod3IEGtgllsofIH160L+nEHvI8wbsEkBFKg05+k7lN
-QseSJqBcNJo4cvj9axY+IO6CizEqkzaFI4iKPANo08kJD038bKTaKHKTDomAsH3+
-gG9lbRgzl4vCa4nuYD3Im+9/KzJic5PLPON74nZ4RbyhkwS7hp86W0N6w4pl
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIDKTCCApKgAwIBAgIENm7TzjANBgkqhkiG9w0BAQUFADBGMQswCQYDVQQGEwJV
-UzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMREwDwYDVQQL
-EwhEU1RDQSBFMjAeFw05ODEyMDkxOTE3MjZaFw0xODEyMDkxOTQ3MjZaMEYxCzAJ
-BgNVBAYTAlVTMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4x
-ETAPBgNVBAsTCERTVENBIEUyMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQC/
-k48Xku8zExjrEH9OFr//Bo8qhbxe+SSmJIi2A7fBw18DW9Fvrn5C6mYjuGODVvso
-LeE4i7TuqAHhzhy2iCoiRoX7n6dwqUcUP87eZfCocfdPJmyMvMa1795JJ/9IKn3o
-TQPMx7JSxhcxEzu1TdvIxPbDDyQq2gyd55FbgM2UnQIBA6OCASQwggEgMBEGCWCG
-SAGG+EIBAQQEAwIABzBoBgNVHR8EYTBfMF2gW6BZpFcwVTELMAkGA1UEBhMCVVMx
-JDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0IENvLjERMA8GA1UECxMI
-RFNUQ0EgRTIxDTALBgNVBAMTBENSTDEwKwYDVR0QBCQwIoAPMTk5ODEyMDkxOTE3
-MjZagQ8yMDE4MTIwOTE5MTcyNlowCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFB6C
-TShlgDzJQW6sNS5ay97u+DlbMB0GA1UdDgQWBBQegk0oZYA8yUFurDUuWsve7vg5
-WzAMBgNVHRMEBTADAQH/MBkGCSqGSIb2fQdBAAQMMAobBFY0LjADAgSQMA0GCSqG
-SIb3DQEBBQUAA4GBAEeNg61i8tuwnkUiBbmi1gMOOHLnnvx75pO2mqWilMg0HZHR
-xdf0CiUPPXiBng+xZ8SQTGPdXqfiup/1902lMXucKS1M/mQ+7LZT/uqb7YLbdHVL
-B3luHtgZg3Pe9T7Qtd7nS2h9Qy4qIOF+oHhEngj1mPnHfxsb1gYgAlihw6ID
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
 MIIECTCCAvGgAwIBAgIQDV6ZCtadt3js2AdWO4YV2TANBgkqhkiG9w0BAQUFADBb
 MQswCQYDVQQGEwJVUzEgMB4GA1UEChMXRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3Qx
 ETAPBgNVBAsTCERTVCBBQ0VTMRcwFQYDVQQDEw5EU1QgQUNFUyBDQSBYNjAeFw0w
@@ -1570,28 +1412,6 @@ iAYLtqZLICjU3j2LrTcFU3T+bsy8QxdxXvnFzBqpYe73dgzzcvRyrc9yAjYHR8/v
 GVCJYMzpJJUPwssd8m92kMfMdcGWxZ0=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIDtjCCAp6gAwIBAgIQRJmNPMADJ72cdpW56tustTANBgkqhkiG9w0BAQUFADB1
-MQswCQYDVQQGEwJUUjEoMCYGA1UEChMfRWxla3Ryb25payBCaWxnaSBHdXZlbmxp
-Z2kgQS5TLjE8MDoGA1UEAxMzZS1HdXZlbiBLb2sgRWxla3Ryb25payBTZXJ0aWZp
-a2EgSGl6bWV0IFNhZ2xheWljaXNpMB4XDTA3MDEwNDExMzI0OFoXDTE3MDEwNDEx
-MzI0OFowdTELMAkGA1UEBhMCVFIxKDAmBgNVBAoTH0VsZWt0cm9uaWsgQmlsZ2kg
-R3V2ZW5saWdpIEEuUy4xPDA6BgNVBAMTM2UtR3V2ZW4gS29rIEVsZWt0cm9uaWsg
-U2VydGlmaWthIEhpem1ldCBTYWdsYXlpY2lzaTCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBAMMSIJ6wXgBljU5Gu4Bc6SwGl9XzcslwuedLZYDBS75+PNdU
-MZTe1RK6UxYC6lhj71vY8+0qGqpxSKPcEC1fX+tcS5yWCEIlKBHMilpiAVDV6wlT
-L/jDj/6z/P2douNffb7tC+Bg62nsM+3YjfsSSYMAyYuXjDtzKjKzEve5TfL0TW3H
-5tYmNwjy2f1rXKPlSFxYvEK+A1qBuhw1DADT9SN+cTAIJjjcJRFHLfO6IxClv7wC
-90Nex/6wN1CZew+TzuZDLMN+DfIcQ2Zgy2ExR4ejT669VmxMvLz4Bcpk9Ok0oSy1
-c+HCPujIyTQlCFzz7abHlJ+tiEMl1+E5YP6sOVkCAwEAAaNCMEAwDgYDVR0PAQH/
-BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJ/uRLOU1fqRTy7ZVZoE
-VtstxNulMA0GCSqGSIb3DQEBBQUAA4IBAQB/X7lTW2M9dTLn+sR0GstG30ZpHFLP
-qk/CaOv/gKlR6D1id4k9CnU58W5dF4dvaAXBlGzZXd/aslnLpRCKysw5zZ/rTt5S
-/wzw9JKp8mxTq5vSR6AfdPebmvEvFZ96ZDAYBzwqD2fK/A+JYZ1lpTzlvBNbCNvj
-/+27BrtqBrF6T2XGgv0enIu1De5Iu7i9qgi0+6N8y5/NkHZchpZ4Vwpm+Vganf2X
-KWDeEaaQHBkc7gGWIjQ0LpH5t8Qn0Xvmv/uARFoW5evg1Ao4vOSR49XrXMGs3xtq
-fJ7lddK2l4fbzIcrQzqECK+rPNv3PGYxhrCdU3nt+CPeQuMtgvEP5fqX
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
 MIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML
 RW50cnVzdC5uZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBp
 bmNvcnAuIGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5
@@ -2081,21 +1901,6 @@ LPAvTK33sefOT6jEm0pUBsV/fdUID+Ic/n4XuKxe9tQWskMJDE32p2u0mYRlynqI
 4uJEvlz36hz1
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIICWjCCAcMCAgGlMA0GCSqGSIb3DQEBBAUAMHUxCzAJBgNVBAYTAlVTMRgwFgYD
-VQQKEw9HVEUgQ29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNv
-bHV0aW9ucywgSW5jLjEjMCEGA1UEAxMaR1RFIEN5YmVyVHJ1c3QgR2xvYmFsIFJv
-b3QwHhcNOTgwODEzMDAyOTAwWhcNMTgwODEzMjM1OTAwWjB1MQswCQYDVQQGEwJV
-UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU
-cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds
-b2JhbCBSb290MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVD6C28FCc6HrH
-iM3dFw4usJTQGz0O9pTAipTHBsiQl8i4ZBp6fmw8U+E3KHNgf7KXUwefU/ltWJTS
-r41tiGeA5u2ylc9yMcqlHHK6XALnZELn+aks1joNrI1CqiQBOeacPwGFVw1Yh0X4
-04Wqk2kmhXBIgD8SFcd5tB8FLztimQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAG3r
-GwnpXtlR22ciYaQqPEh346B8pt5zohQDhT37qw4wxYMWM4ETCJ57NE7fQMh017l9
-3PR2VX2bY1QY6fDq81yx2YtCHrnAlU66+tXifPVoYb+O7AWXX1uw16OFNMQkpw0P
-lZPvy5TYnh+dXIVtx6quTx8itc2VrbqnzPmrC3p/
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
 MIIEMTCCAxmgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBlTELMAkGA1UEBhMCR1Ix
 RDBCBgNVBAoTO0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1
 dGlvbnMgQ2VydC4gQXV0aG9yaXR5MUAwPgYDVQQDEzdIZWxsZW5pYyBBY2FkZW1p
@@ -2940,41 +2745,6 @@ JRDL8Try2frbSVa7pv6nQTXD4IhhyYjH3zYQIphZ6rBK+1YWc26sTfcioU+tHXot
 RSflMMFe8toTyyVCUZVHA4xsIcx0Qu1T/zOLjw9XARYvz6buyXAiFL39vmwLAw==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIGGTCCBAGgAwIBAgIIPtVRGeZNzn4wDQYJKoZIhvcNAQELBQAwajEhMB8GA1UE
-AxMYU0cgVFJVU1QgU0VSVklDRVMgUkFDSU5FMRwwGgYDVQQLExMwMDAyIDQzNTI1
-Mjg5NTAwMDIyMRowGAYDVQQKExFTRyBUUlVTVCBTRVJWSUNFUzELMAkGA1UEBhMC
-RlIwHhcNMTAwOTA2MTI1MzQyWhcNMzAwOTA1MTI1MzQyWjBqMSEwHwYDVQQDExhT
-RyBUUlVTVCBTRVJWSUNFUyBSQUNJTkUxHDAaBgNVBAsTEzAwMDIgNDM1MjUyODk1
-MDAwMjIxGjAYBgNVBAoTEVNHIFRSVVNUIFNFUlZJQ0VTMQswCQYDVQQGEwJGUjCC
-AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANqoVgLsfJXwTukK0rcHoyKL
-ULO5Lhk9V9sZqtIr5M5C4myh5F0lHjMdtkXRtPpZilZwyW0IdmlwmubHnAgwE/7m
-0ZJoYT5MEfJu8rF7V1ZLCb3cD9lxDOiaN94iEByZXtaxFwfTpDktwhpz/cpLKQfC
-eSnIyCauLMT8I8hL4oZWDyj9tocbaF85ZEX9aINsdSQePHWZYfrSFPipS7HYfad4
-0hNiZbXWvn5qA7y1svxkMMPQwpk9maTTzdGxxFOHe0wTE2Z/v9VlU2j5XB7ltP82
-mUWjn2LAfxGCAVTeD2WlOa6dSEyJoxA74OaD9bDaLB56HFwfAKzMq6dgZLPGxXvH
-VUZ0PJCBDkqOWZ1UsEixUkw7mO6r2jS3U81J2i/rlb4MVxH2lkwEeVyZ1eXkvm/q
-R+5RS+8iJq612BGqQ7t4vwt+tN3PdB0lqYljseI0gcSINTjiAg0PE8nVKoIV8IrE
-QzJW5FMdHay2z32bll0eZOl0c8RW5BZKUm2SOdPhTQ4/YrnerbUdZbldUv5dCamc
-tKQM2S9FdqXPjmqanqqwEaHrYcbrPx78ZrQSnUZ/MhaJvnFFr5Eh2f2Tv7QCkUL/
-SR/tixVo3R+OrJvdggWcRGkWZBdWX0EPSk8ED2VQhpOX7EW/XcIc3M/E2DrmeAXQ
-xVVVqV7+qzohu+VyFPcLAgMBAAGjgcIwgb8wHQYDVR0OBBYEFCkgy/HDD9oGjhOT
-h/5fYBopu/O2MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUKSDL8cMP2gaO
-E5OH/l9gGim787YwEQYDVR0gBAowCDAGBgRVHSAAMEkGA1UdHwRCMEAwPqA8oDqG
-OGh0dHA6Ly9jcmwuc2d0cnVzdHNlcnZpY2VzLmNvbS9yYWNpbmUtR3JvdXBlU0cv
-TGF0ZXN0Q1JMMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEATEZn
-4ERQ9cW2urJRCiUTHbfHiC4fuStkoMuTiFJZqmD1zClSF/8E5ze0MRFGfisebKeL
-PEeaXvSqXZA7RT2fSsmKe47A7j55i5KjyJRKuCgRa6YlX129x8j7g09VMeZc8BN8
-471/Kiw3N5RJr4QfFCeiWBCPCjk3GhIgQY8Z9qkfGe2yNLKtfTNEi18KB0PydkVF
-La3kjQ4A/QQIqudr+xe9sAhWDjUqcvCz5006Tw3c82ASszhkjNv54SaNL+9O6CRH
-PjY0imkPKGuLh8a9hSb50+tpIVZgkdb34GLCqHGuLt5mI7VSRqakSDcsfwEWVxH3
-Jw0O5Q/WkEXhHj8h3NL8FhgTPk1qsiZqQF4leP049KxYejcbmEAEx47J1MRnYbGY
-rvDNDty5r2WDewoEij9hqvddQYbmxkzCTzpcVuooO6dEz8hKZPVyYC3jQ7hK4HU8
-MuSqFtcRucFF2ZtmY2blIrc07rrVdC8lZPOBVMt33lfUk+OsBzE6PlwDg1dTx/D+
-aNglUE0SyObhlY1nqzyTPxcCujjXnvcwpT09RAEzGpqfjtCf8e4wiHPvriQZupdz
-FcHscQyEZLV77LxpPqRtCRY2yko5isune8YdfucziMm+MG2chZUh6Uc7Bn6B4upG
-5nBYgOao8p0LadEziVkw82TTC/bOKwn7fRB2LhA=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
 MIIDIDCCAgigAwIBAgIBJDANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJGSTEP
 MA0GA1UEChMGU29uZXJhMRkwFwYDVQQDExBTb25lcmEgQ2xhc3MxIENBMB4XDTAx
 MDQwNjEwNDkxM1oXDTIxMDQwNjEwNDkxM1owOTELMAkGA1UEBhMCRkkxDzANBgNV
@@ -3516,33 +3286,6 @@ LMDDav7v3Aun+kbfYNucpllQdSNpc5Oy+fwC00fmcc4QAu4njIT/rEUNE1yDMuAl
 pYYsfPQS
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIEqjCCA5KgAwIBAgIOLmoAAQACH9dSISwRXDswDQYJKoZIhvcNAQEFBQAwdjEL
-MAkGA1UEBhMCREUxHDAaBgNVBAoTE1RDIFRydXN0Q2VudGVyIEdtYkgxIjAgBgNV
-BAsTGVRDIFRydXN0Q2VudGVyIENsYXNzIDIgQ0ExJTAjBgNVBAMTHFRDIFRydXN0
-Q2VudGVyIENsYXNzIDIgQ0EgSUkwHhcNMDYwMTEyMTQzODQzWhcNMjUxMjMxMjI1
-OTU5WjB2MQswCQYDVQQGEwJERTEcMBoGA1UEChMTVEMgVHJ1c3RDZW50ZXIgR21i
-SDEiMCAGA1UECxMZVEMgVHJ1c3RDZW50ZXIgQ2xhc3MgMiBDQTElMCMGA1UEAxMc
-VEMgVHJ1c3RDZW50ZXIgQ2xhc3MgMiBDQSBJSTCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBAKuAh5uO8MN8h9foJIIRszzdQ2Lu+MNF2ujhoF/RKrLqk2jf
-tMjWQ+nEdVl//OEd+DFwIxuInie5e/060smp6RQvkL4DUsFJzfb95AhmC1eKokKg
-uNV/aVyQMrKXDcpK3EY+AlWJU+MaWss2xgdW94zPEfRMuzBwBJWl9jmM/XOBCH2J
-XjIeIqkiRUuwZi4wzJ9l/fzLganx4Duvo4bRierERXlQXa7pIXSSTYtZgo+U4+lK
-8edJsBTj9WLL1XK9H7nSn6DNqPoByNkN39r8R52zyFTfSUrxIan+GE7uSNQZu+99
-5OKdy1u2bv/jzVrndIIFuoAlOMvkaZ6vQaoahPUCAwEAAaOCATQwggEwMA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTjq1RMgKHbVkO3
-kUrL84J6E1wIqzCB7QYDVR0fBIHlMIHiMIHfoIHcoIHZhjVodHRwOi8vd3d3LnRy
-dXN0Y2VudGVyLmRlL2NybC92Mi90Y19jbGFzc18yX2NhX0lJLmNybIaBn2xkYXA6
-Ly93d3cudHJ1c3RjZW50ZXIuZGUvQ049VEMlMjBUcnVzdENlbnRlciUyMENsYXNz
-JTIwMiUyMENBJTIwSUksTz1UQyUyMFRydXN0Q2VudGVyJTIwR21iSCxPVT1yb290
-Y2VydHMsREM9dHJ1c3RjZW50ZXIsREM9ZGU/Y2VydGlmaWNhdGVSZXZvY2F0aW9u
-TGlzdD9iYXNlPzANBgkqhkiG9w0BAQUFAAOCAQEAjNfffu4bgBCzg/XbEeprS6iS
-GNn3Bzn1LL4GdXpoUxUc6krtXvwjshOg0wn/9vYua0Fxec3ibf2uWWuFHbhOIprt
-ZjluS5TmVfwLG4t3wVMTZonZKNaL80VKY7f9ewthXbhtvsPcW3nS7Yblok2+XnR8
-au0WOB9/WIFaGusyiC2y8zl3gK9etmF1KdsjTYjKUCjLhdLTEKJZbtOTVAB6okaV
-hgWcqRmY5TFyDADiZ9lA4CQze28suVyrZZ0srHbqNZn1l7kPJOzHdiEoZa5X6AeI
-dUpWoNIFOqTmjZKILPPy4cHGYdtBxceb9w4aUUXCYWvcZCcXjFq32nQozZfkvQ==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
 MIIEqjCCA5KgAwIBAgIOSkcAAQAC5aBd1j8AUb8wDQYJKoZIhvcNAQEFBQAwdjEL
 MAkGA1UEBhMCREUxHDAaBgNVBAoTE1RDIFRydXN0Q2VudGVyIEdtYkgxIjAgBgNV
 BAsTGVRDIFRydXN0Q2VudGVyIENsYXNzIDMgQ0ExJTAjBgNVBAMTHFRDIFRydXN0
@@ -3570,29 +3313,6 @@ g0bsyEa1+K+XwDsJHI/OcpY9M1ZwvJbL2NV9IJqDnxrcOfHFcqMRA/07QlIp2+gB
 S+opvaqCZh77gaqnN60TGOaSw4HBM7uIHqHn4rS9MWwOUT1v+5ZWgOI2F9Hc5A==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIID3TCCAsWgAwIBAgIOHaIAAQAC7LdggHiNtgYwDQYJKoZIhvcNAQEFBQAweTEL
-MAkGA1UEBhMCREUxHDAaBgNVBAoTE1RDIFRydXN0Q2VudGVyIEdtYkgxJDAiBgNV
-BAsTG1RDIFRydXN0Q2VudGVyIFVuaXZlcnNhbCBDQTEmMCQGA1UEAxMdVEMgVHJ1
-c3RDZW50ZXIgVW5pdmVyc2FsIENBIEkwHhcNMDYwMzIyMTU1NDI4WhcNMjUxMjMx
-MjI1OTU5WjB5MQswCQYDVQQGEwJERTEcMBoGA1UEChMTVEMgVHJ1c3RDZW50ZXIg
-R21iSDEkMCIGA1UECxMbVEMgVHJ1c3RDZW50ZXIgVW5pdmVyc2FsIENBMSYwJAYD
-VQQDEx1UQyBUcnVzdENlbnRlciBVbml2ZXJzYWwgQ0EgSTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAKR3I5ZEr5D0MacQ9CaHnPM42Q9e3s9B6DGtxnSR
-JJZ4Hgmgm5qVSkr1YnwCqMqs+1oEdjneX/H5s7/zA1hV0qq34wQi0fiU2iIIAI3T
-fCZdzHd55yx4Oagmcw6iXSVphU9VDprvxrlE4Vc93x9UIuVvZaozhDrzznq+VZeu
-jRIPFDPiUHDDSYcTvFHe15gSWu86gzOSBnWLknwSaHtwag+1m7Z3W0hZneTvWq3z
-wZ7U10VOylY0Ibw+F1tvdwxIAUMpsN0/lm7mlaoMwCC2/T42J5zjXM9OgdwZu5GQ
-fezmlwQek8wiSdeXhrYTCjxDI3d+8NzmzSQfO4ObNDqDNOMCAwEAAaNjMGEwHwYD
-VR0jBBgwFoAUkqR1LKSevoFE63n8isWVpesQdXMwDwYDVR0TAQH/BAUwAwEB/zAO
-BgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFJKkdSyknr6BROt5/IrFlaXrEHVzMA0G
-CSqGSIb3DQEBBQUAA4IBAQAo0uCG1eb4e/CX3CJrO5UUVg8RMKWaTzqwOuAGy2X1
-7caXJ/4l8lfmXpWMPmRgFVp/Lw0BxbFg/UU1z/CyvwbZ71q+s2IhtNerNXxTPqYn
-8aEt2hojnczd7Dwtnic0XQ/CNnm8yUpiLe1r2X1BQ3y2qsrtYbE3ghUJGooWMNjs
-ydZHcnhLEEYUjl8Or+zHL6sQ17bxbuyGssLoDZJz3KL0Dzq/YSMQiZxIQG5wALPT
-ujdEWBF6AmqI8Dc08BnprNRlc/ZpjGSUOnmFKbAWKwyCPwacx/0QK54PLLae4xW/
-2TYcuiUaUj0a7CIMHOCkoj3w6DnPgcB77V0fb8XQC9eY
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
 MIIFODCCAyCgAwIBAgIRAJW+FqD3LkbxezmCcvqLzZYwDQYJKoZIhvcNAQEFBQAw
 NzEUMBIGA1UECgwLVGVsaWFTb25lcmExHzAdBgNVBAMMFlRlbGlhU29uZXJhIFJv
 b3QgQ0EgdjEwHhcNMDcxMDE4MTIwMDUwWhcNMzIxMDE4MTIwMDUwWjA3MRQwEgYD
@@ -3623,25 +3343,6 @@ HL/EVlP6Y2XQ8xwOFvVrhlhNGNTkDY6lnVuR3HYkUD/GKvvZt5y11ubQ2egZixVx
 SK236thZiNSQvxaz2emsWWFUyBy6ysHK4bkgTI86k4mloMy/0/Z1pHWWbVY=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIDJzCCApCgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBzjELMAkGA1UEBhMCWkEx
-FTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYD
-VQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlv
-biBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhhd3RlIFByZW1pdW0gU2Vy
-dmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNlcnZlckB0aGF3dGUuY29t
-MB4XDTk2MDgwMTAwMDAwMFoXDTIwMTIzMTIzNTk1OVowgc4xCzAJBgNVBAYTAlpB
-MRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsG
-A1UEChMUVGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRp
-b24gU2VydmljZXMgRGl2aXNpb24xITAfBgNVBAMTGFRoYXd0ZSBQcmVtaXVtIFNl
-cnZlciBDQTEoMCYGCSqGSIb3DQEJARYZcHJlbWl1bS1zZXJ2ZXJAdGhhd3RlLmNv
-bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0jY2aovXwlue2oFBYo847kkE
-VdbQ7xwblRZH7xhINTpS9CtqBo87L+pW46+GjZ4X9560ZXUCTe/LCaIhUdib0GfQ
-ug2SBhRz1JPLlyoAnFxODLz6FVL88kRu2hFKbgifLy3j+ao6hnO2RlNYyIkFvYMR
-uHM/qgeN9EJN50CdHDcCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
-9w0BAQQFAAOBgQAmSCwWwlj66BZ0DKqqX1Q/8tfJeGBeXm43YyJ3Nn6yF8Q0ufUI
-hfzJATj/Tb7yFkJD57taRvvBxhEf8UqwKEbJw8RCfbz6q1lu1bdRiBHjpIUZa4JM
-pAwSremkrj/xw0llmozFyD4lt5SZu5IycQfwhl7tUCemDaYj+bvLpgcUQg==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
 MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCB
 qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
 Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
@@ -3708,25 +3409,6 @@ m7v/OeZWYdMKp8RcTGB7BXcmer/YB1IsYvdwY9k5vG8cwnncdimvzsUsZAReiDZu
 MdRAGmI0Nj81Aa6sY6A=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIDEzCCAnygAwIBAgIBATANBgkqhkiG9w0BAQQFADCBxDELMAkGA1UEBhMCWkEx
-FTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYD
-VQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlv
-biBTZXJ2aWNlcyBEaXZpc2lvbjEZMBcGA1UEAxMQVGhhd3RlIFNlcnZlciBDQTEm
-MCQGCSqGSIb3DQEJARYXc2VydmVyLWNlcnRzQHRoYXd0ZS5jb20wHhcNOTYwODAx
-MDAwMDAwWhcNMjAxMjMxMjM1OTU5WjCBxDELMAkGA1UEBhMCWkExFTATBgNVBAgT
-DFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYDVQQKExRUaGF3
-dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNl
-cyBEaXZpc2lvbjEZMBcGA1UEAxMQVGhhd3RlIFNlcnZlciBDQTEmMCQGCSqGSIb3
-DQEJARYXc2VydmVyLWNlcnRzQHRoYXd0ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
-gY0AMIGJAoGBANOkUG7I/1Zr5s9dtuoMaHVHoqrC2oQl/Kj0R1HahbUgdJSGHg91
-yekIYfUGbTBuFRkC6VLAYttNmZ7iagxEOM3+vuNkCXDF/rFrKbYvScg71CcEJRCX
-L+eQbcAoQpnXTEPew/UhbVSfXcNY4cDk2VuwuNy0e982OsK1ZiIS1ocNAgMBAAGj
-EzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAB/pMaVz7lcxG
-7oWDTSEwjsrZqG9JGubaUeNgcGyEYRGhGshIPllDfU+VPaGLtwtimHp1it2ITk6e
-QNuozDJ0uW8NxuOzRAvZim+aKZuZGCg70eNAKJpaPNW15yAbi8qkq43pUdniTCxZ
-qdq5snUb9kLy78fyGPmJvKP/iiMucEc=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
 MIIDZzCCAk+gAwIBAgIQGx+ttiD5JNM2a/fH8YygWTANBgkqhkiG9w0BAQUFADBF
 MQswCQYDVQQGEwJHQjEYMBYGA1UEChMPVHJ1c3RpcyBMaW1pdGVkMRwwGgYDVQQL
 ExNUcnVzdGlzIEZQUyBSb290IENBMB4XDTAzMTIyMzEyMTQwNloXDTI0MDEyMTEx
@@ -3824,30 +3506,6 @@ oN+J1q2MdqMTw5RhK2vZbMEHCiIHhWyFJEapvj+LeISCfiQMnf2BN+MlqO02TpUs
 yZyQ2uypQjyttgI=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIID+zCCAuOgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBtzE/MD0GA1UEAww2VMOc
-UktUUlVTVCBFbGVrdHJvbmlrIFNlcnRpZmlrYSBIaXptZXQgU2HEn2xhecSxY8Sx
-c8SxMQswCQYDVQQGDAJUUjEPMA0GA1UEBwwGQU5LQVJBMVYwVAYDVQQKDE0oYykg
-MjAwNSBUw5xSS1RSVVNUIEJpbGdpIMSwbGV0acWfaW0gdmUgQmlsacWfaW0gR8O8
-dmVubGnEn2kgSGl6bWV0bGVyaSBBLsWeLjAeFw0wNTA1MTMxMDI3MTdaFw0xNTAz
-MjIxMDI3MTdaMIG3MT8wPQYDVQQDDDZUw5xSS1RSVVNUIEVsZWt0cm9uaWsgU2Vy
-dGlmaWthIEhpem1ldCBTYcSfbGF5xLFjxLFzxLExCzAJBgNVBAYMAlRSMQ8wDQYD
-VQQHDAZBTktBUkExVjBUBgNVBAoMTShjKSAyMDA1IFTDnFJLVFJVU1QgQmlsZ2kg
-xLBsZXRpxZ9pbSB2ZSBCaWxpxZ9pbSBHw7x2ZW5sacSfaSBIaXptZXRsZXJpIEEu
-xZ4uMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAylIF1mMD2Bxf3dJ7
-XfIMYGFbazt0K3gNfUW9InTojAPBxhEqPZW8qZSwu5GXyGl8hMW0kWxsE2qkVa2k
-heiVfrMArwDCBRj1cJ02i67L5BuBf5OI+2pVu32Fks66WJ/bMsW9Xe8iSi9BB35J
-YbOG7E6mQW6EvAPs9TscyB/C7qju6hJKjRTP8wrgUDn5CDX4EVmt5yLqS8oUBt5C
-urKZ8y1UiBAG6uEaPj1nH/vO+3yC6BFdSsG5FOpU2WabfIl9BJpiyelSPJ6c79L1
-JuTm5Rh8i27fbMx4W09ysstcP4wFjdFMjK2Sx+F4f2VsSQZQLJ4ywtdKxnWKWU51
-b0dewQIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQAV
-9VX/N5aAWSGk/KEVTCD21F/aAyT8z5Aa9CEKmu46sWrv7/hg0Uw2ZkUd82YCdAR7
-kjCo3gp2D++Vbr3JN+YaDayJSFvMgzbC9UZcWYJWtNX+I7TYVBxEq8Sn5RTOPEFh
-fEPmzcSBCYsk+1Ql1haolgxnB2+zUEfjHCQo3SqYpGH+2+oSN7wBGjSFvW5P55Fy
-B0SFHljKVETd96y5y4khctuPwGkplyqjrhgjlxxBKot8KsF8kOipKMDTkcatKIdA
-aLX/7KfS0zgYnNN9aV3wxqUeJBujR/xpB2jn5Jq07Q+hh4cCzofSSE7hvP/L8XKS
-RGQDJereW26fyfJOrN3H
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
 MIIEPTCCAyWgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBvzE/MD0GA1UEAww2VMOc
 UktUUlVTVCBFbGVrdHJvbmlrIFNlcnRpZmlrYSBIaXptZXQgU2HEn2xhecSxY8Sx
 c8SxMQswCQYDVQQGEwJUUjEPMA0GA1UEBwwGQW5rYXJhMV4wXAYDVQQKDFVUw5xS
@@ -3873,31 +3531,6 @@ XRik7r4EW5nVcV9VZWRi1aKbBFmGyGJ353yCRWo9F7/snXUMrqNvWtMvmDb08PUZ
 qxFdyKbjKlhqQgnDvZImZjINXQhVdP+MmNAKpoRq0Tl9
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIEPDCCAySgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBvjE/MD0GA1UEAww2VMOc
-UktUUlVTVCBFbGVrdHJvbmlrIFNlcnRpZmlrYSBIaXptZXQgU2HEn2xhecSxY8Sx
-c8SxMQswCQYDVQQGEwJUUjEPMA0GA1UEBwwGQW5rYXJhMV0wWwYDVQQKDFRUw5xS
-S1RSVVNUIEJpbGdpIMSwbGV0acWfaW0gdmUgQmlsacWfaW0gR8O8dmVubGnEn2kg
-SGl6bWV0bGVyaSBBLsWeLiAoYykgS2FzxLFtIDIwMDUwHhcNMDUxMTA3MTAwNzU3
-WhcNMTUwOTE2MTAwNzU3WjCBvjE/MD0GA1UEAww2VMOcUktUUlVTVCBFbGVrdHJv
-bmlrIFNlcnRpZmlrYSBIaXptZXQgU2HEn2xhecSxY8Sxc8SxMQswCQYDVQQGEwJU
-UjEPMA0GA1UEBwwGQW5rYXJhMV0wWwYDVQQKDFRUw5xSS1RSVVNUIEJpbGdpIMSw
-bGV0acWfaW0gdmUgQmlsacWfaW0gR8O8dmVubGnEn2kgSGl6bWV0bGVyaSBBLsWe
-LiAoYykgS2FzxLFtIDIwMDUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-AQCpNn7DkUNMwxmYCMjHWHtPFoylzkkBH3MOrHUTpvqeLCDe2JAOCtFp0if7qnef
-J1Il4std2NiDUBd9irWCPwSOtNXwSadktx4uXyCcUHVPr+G1QRT0mJKIx+XlZEdh
-R3n9wFHxwZnn3M5q+6+1ATDcRhzviuyV79z/rxAc653YsKpqhRgNF8k+v/Gb0AmJ
-Qv2gQrSdiVFVKc8bcLyEVK3BEx+Y9C52YItdP5qtygy/p1Zbj3e41Z55SZI/4PGX
-JHpsmxcPbe9TmJEr5A++WXkHeLuXlfSfadRYhwqp48y2WBmfJiGxxFmNskF1wK1p
-zpwACPI2/z7woQ8arBT9pmAPAgMBAAGjQzBBMB0GA1UdDgQWBBTZN7NOBf3Zz58S
-Fq62iS/rJTqIHDAPBgNVHQ8BAf8EBQMDBwYAMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
-KoZIhvcNAQEFBQADggEBAHJglrfJ3NgpXiOFX7KzLXb7iNcX/nttRbj2hWyfIvwq
-ECLsqrkw9qtY1jkQMZkpAL2JZkH7dN6RwRgLn7Vhy506vvWolKMiVW4XSf/SKfE4
-Jl3vpao6+XF75tpYHdN0wgH6PmlYX63LaL4ULptswLbcoCb6dxriJNoaN+BnrdFz
-gw2lGh1uEpJ+hGIAF728JRhX8tepb1mIvDS3LoV4nZbcFMMsilKbloxSZj2GFotH
-uFEJjOp9zYhys2AzsfAKRO8P9Qk3iCQOLGsgOqL6EfJANZxEaGM7rDNvY7wsu/LS
-y3Z9fYjYHcgFHW68lKlmjHdxx/qR+i9Rnuk5UrbnBEI=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
 MIIFQTCCAymgAwIBAgICDL4wDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCVFcx
 EjAQBgNVBAoTCVRBSVdBTi1DQTEQMA4GA1UECxMHUm9vdCBDQTEcMBoGA1UEAxMT
 VFdDQSBHbG9iYWwgUm9vdCBDQTAeFw0xMjA2MjcwNjI4MzNaFw0zMDEyMzExNTU5
@@ -3950,32 +3583,6 @@ aspHYcN6+NOSBB+4IIThNlQWx0DeO4pz3N/GCUzf7Nr/1FNCocnyYh0igzyXxfkZ
 YiesZSLX0zzG5Y6yU8xJzrww/nsOM5D77dIUkR8Hrw==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIEXjCCA0agAwIBAgIQRL4Mi1AAIbQR0ypoBqmtaTANBgkqhkiG9w0BAQUFADCB
-kzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2Ug
-Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExho
-dHRwOi8vd3d3LnVzZXJ0cnVzdC5jb20xGzAZBgNVBAMTElVUTiAtIERBVEFDb3Jw
-IFNHQzAeFw05OTA2MjQxODU3MjFaFw0xOTA2MjQxOTA2MzBaMIGTMQswCQYDVQQG
-EwJVUzELMAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYD
-VQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cu
-dXNlcnRydXN0LmNvbTEbMBkGA1UEAxMSVVROIC0gREFUQUNvcnAgU0dDMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3+5YEKIrblXEjr8uRgnn4AgPLit6
-E5Qbvfa2gI5lBZMAHryv4g+OGQ0SR+ysraP6LnD43m77VkIVni5c7yPeIbkFdicZ
-D0/Ww5y0vpQZY/KmEQrrU0icvvIpOxboGqBMpsn0GFlowHDyUwDAXlCCpVZvNvlK
-4ESGoE1O1kduSUrLZ9emxAW5jh70/P/N5zbgnAVssjMiFdC04MwXwLLA9P4yPykq
-lXvY8qdOD1R8oQ2AswkDwf9c3V6aPryuvEeKaq5xyh+xKrhfQgUL7EYw0XILyulW
-bfXv33i+Ybqypa4ETLyorGkVl73v67SMvzX41MPRKA5cOp9wGDMgd8SirwIDAQAB
-o4GrMIGoMAsGA1UdDwQEAwIBxjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRT
-MtGzz3/64PGgXYVOktKeRR20TzA9BgNVHR8ENjA0MDKgMKAuhixodHRwOi8vY3Js
-LnVzZXJ0cnVzdC5jb20vVVROLURBVEFDb3JwU0dDLmNybDAqBgNVHSUEIzAhBggr
-BgEFBQcDAQYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBMA0GCSqGSIb3DQEBBQUAA4IB
-AQAnNZcAiosovcYzMB4p/OL31ZjUQLtgyr+rFywJNn9Q+kHcrpY6CiM+iVnJowft
-Gzet/Hy+UUla3joKVAgWRcKZsYfNjGjgaQPpxE6YsjuMFrMOoAyYUJuTqXAJyCyj
-j98C5OBxOvG0I3KgqgHf35g+FFCgMSa9KOlaMCZ1+XtgHI3zzVAmbQQnmt/VDUVH
-KWss5nbZqSl9Mt3JNjy9rjXxEZ4du5A/EkdOjtd+D2JzHVImOBwYSf0wdJrE5SIv
-2MCN7ZF6TACPcn9d2t0bi0Vr591pl6jFVkwPDPafepE39peC4N1xaf92P2BNPM/3
-mfnGV/TJVTl4uix5yaaIK/QI
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
 MIIEojCCA4qgAwIBAgIQRL4Mi1AAJLQR0zYlJWfJiTANBgkqhkiG9w0BAQUFADCB
 rjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2Ug
 Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExho
@@ -4249,30 +3856,6 @@ WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ
 hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIEGjCCAwICEQDsoKeLbnVqAc/EfMwvlF7XMA0GCSqGSIb3DQEBBQUAMIHKMQsw
-CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZl
-cmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWdu
-LCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlT
-aWduIENsYXNzIDQgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3Jp
-dHkgLSBHMzAeFw05OTEwMDEwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMIHKMQswCQYD
-VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlT
-aWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWduLCBJ
-bmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlTaWdu
-IENsYXNzIDQgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg
-LSBHMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK3LpRFpxlmr8Y+1
-GQ9Wzsy1HyDkniYlS+BzZYlZ3tCD5PUPtbut8XzoIfzk6AzufEUiGXaStBO3IFsJ
-+mGuqPKljYXCKtbeZjbSmwL0qJJgfJxptI8kHtCGUvYynEFYHiK9zUVilQhu0Gbd
-U6LM8BDcVHOLBKFGMzNcF0C5nk3T875Vg+ixiY5afJqWIpA7iCXy0lOIAgwLePLm
-NxdLMEYH5IBtptiWLugs+BGzOA1mppvqySNb247i8xOOGlktqgLw7KSHZtzBP/XY
-ufTsgsbSPZUd5cBPhMnZo0QoBmrXRazwa2rvTl/4EYIeOGM0ZlDUPpNz+jDDZq3/
-ky2X7wMCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAj/ola09b5KROJ1WrIhVZPMq1
-CtRK26vdoV9TxaBXOcLORyu+OshWv8LZJxA6sQU8wHcxuzrTBXttmhwwjIDLk5Mq
-g6sFUYICABFna/OIYUdfA5PVWw3g8dShMjWFsjrbsIKr0csKvE+MW8VLADsfKoKm
-fjaF3H48ZwC15DtS4KjrXRX5xm3wrR0OhbepmnMUWluPQSjA1egtTaRezarZ7c7c
-2NU8Qh0XwRJdRTjDOPP8hS6DRkiy1yBfkjaP53kPmF6Z6PDQpLv1U70qzlmwr25/
-bLvSHgCwIe34QWKCudiyxLtGUPMxxY8BqHTr9Xgn2uf3ZkPznoM+IKrDNWCRzg==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
 MIIEuTCCA6GgAwIBAgIQQBrEZCGzEyEDDrvkEhrFHTANBgkqhkiG9w0BAQsFADCB
 vTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
 ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwOCBWZXJp
@@ -4484,3 +4067,476 @@ T7jYhkalMwIsJWE3KpLIrIF0aGOHM3a9BX9e1dUCbb2v/ypaqknsmHlHU5H2DjRa
 yaXG67Ljxay2oHA1u8hRadDytaIybrw/oDc5fHE2pgXfDBLkFqfF1stjo5VwP+YE
 o2A=
 -----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDfDCCAmSgAwIBAgIQayXaioidfLwPBbOxemFFRDANBgkqhkiG9w0BAQsFADBY
+MQswCQYDVQQGEwJDTjEaMBgGA1UEChMRV29TaWduIENBIExpbWl0ZWQxLTArBgNV
+BAMTJENlcnRpZmljYXRpb24gQXV0aG9yaXR5IG9mIFdvU2lnbiBHMjAeFw0xNDEx
+MDgwMDU4NThaFw00NDExMDgwMDU4NThaMFgxCzAJBgNVBAYTAkNOMRowGAYDVQQK
+ExFXb1NpZ24gQ0EgTGltaXRlZDEtMCsGA1UEAxMkQ2VydGlmaWNhdGlvbiBBdXRo
+b3JpdHkgb2YgV29TaWduIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAvsXEoCKASU+/2YcRxlPhuw+9YH+v9oIOH9ywjj2X4FA8jzrvZjtFB5sg+OPX
+JYY1kBaiXW8wGQiHC38Gsp1ij96vkqVg1CuAmlI/9ZqD6TRay9nVYlzmDuDfBpgO
+gHzKtB0TiGsOqCR3A9DuW/PKaZE1OVbFbeP3PU9ekzgkyhjpJMuSA93MHD0JcOQg
+5PGurLtzaaNjOg9FD6FKmsLRY6zLEPg95k4ot+vElbGs/V6r+kHLXZ1L3PR8du9n
+fwB6jdKgGlxNIuG12t12s9R23164i5jIFFTMaxeSt+BKv0mUYQs4kI9dJGwlezt5
+2eJ+na2fmKEG/HgUYFf47oB3sQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYD
+VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU+mCp62XF3RYUCE4MD42b4Pdkr2cwDQYJ
+KoZIhvcNAQELBQADggEBAFfDejaCnI2Y4qtAqkePx6db7XznPWZaOzG73/MWM5H8
+fHulwqZm46qwtyeYP0nXYGdnPzZPSsvxFPpahygc7Y9BMsaV+X3avXtbwrAh449G
+3CE4Q3RM+zD4F3LBMvzIkRfEzFg3TgvMWvchNSiDbGAtROtSjFA9tWwS1/oJu2yy
+SrHFieT801LYYRf+epSEj3m2M1m6D8QL4nCgS3gu+sif/a+RZQp4OBXllxcU3fng
+LDT4ONCEIgDAFFEYKwLcMFrw6AF8NTojrwjkr6qOKEJJLvD1mTS+7Q9LGOHSJDy7
+XUe3IfKN0QqZjuNuPq1w4I+5ysxugTH2e5x6eeRncRg=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFkjCCA3qgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJGUjET
+MBEGA1UEChMKQ2VydGlub21pczEXMBUGA1UECxMOMDAwMiA0MzM5OTg5MDMxHTAb
+BgNVBAMTFENlcnRpbm9taXMgLSBSb290IENBMB4XDTEzMTAyMTA5MTcxOFoXDTMz
+MTAyMTA5MTcxOFowWjELMAkGA1UEBhMCRlIxEzARBgNVBAoTCkNlcnRpbm9taXMx
+FzAVBgNVBAsTDjAwMDIgNDMzOTk4OTAzMR0wGwYDVQQDExRDZXJ0aW5vbWlzIC0g
+Um9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANTMCQosP5L2
+fxSeC5yaah1AMGT9qt8OHgZbn1CF6s2Nq0Nn3rD6foCWnoR4kkjW4znuzuRZWJfl
+LieY6pOod5tK8O90gC3rMB+12ceAnGInkYjwSond3IjmFPnVAy//ldu9n+ws+hQV
+WZUKxkd8aRi5pwP5ynapz8dvtF4F/u7BUrJ1Mofs7SlmO/NKFoL21prbcpjp3vDF
+TKWrteoB4owuZH9kb/2jJZOLyKIOSY008B/sWEUuNKqEUL3nskoTuLAPrjhdsKkb
+5nPJWqHZZkCqqU2mNAKthH6yI8H7KsZn9DS2sJVqM09xRLWtwHkziOC/7aOgFLSc
+CbAK42C++PhmiM1b8XcF4LVzbsF9Ri6OSyemzTUK/eVNfaoqoynHWmgE6OXWk6Ri
+wsXm9E/G+Z8ajYJJGYrKWUM66A0ywfRMEwNvbqY/kXPLynNvEiCL7sCCeN5LLsJJ
+wx3tFvYk9CcbXFcx3FXuqB5vbKziRcxXV4p1VxngtViZSTYxPDMBbRZKzbgqg4SG
+m/lg0h9tkQPTYKbVPZrdd5A9NaSfD171UkRpucC63M9933zZxKyGIjK8e2uR73r4
+F2iw4lNVYC2vPsKD2NkJK/DAZNuHi5HMkesE/Xa0lZrmFAYb1TQdvtj/dBxThZng
+WVJKYe2InmtJiUZ+IFrZ50rlau7SZRFDAgMBAAGjYzBhMA4GA1UdDwEB/wQEAwIB
+BjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTvkUz1pcMw6C8I6tNxIqSSaHh0
+2TAfBgNVHSMEGDAWgBTvkUz1pcMw6C8I6tNxIqSSaHh02TANBgkqhkiG9w0BAQsF
+AAOCAgEAfj1U2iJdGlg+O1QnurrMyOMaauo++RLrVl89UM7g6kgmJs95Vn6RHJk/
+0KGRHCwPT5iVWVO90CLYiF2cN/z7ZMF4jIuaYAnq1fohX9B0ZedQxb8uuQsLrbWw
+F6YSjNRieOpWauwK0kDDPAUwPk2Ut59KA9N9J0u2/kTO+hkzGm2kQtHdzMjI1xZS
+g081lLMSVX3l4kLr5JyTCcBMWwerx20RoFAXlCOotQqSD7J6wWAsOMwaplv/8gzj
+qh8c3LigkyfeY+N/IZ865Z764BNqdeuWXGKRlI5nU7aJ+BIJy29SWwNyhlCVCNSN
+h4YVH5Uk2KRvms6knZtt0rJ2BobGVgjF6wnaNsIbW0G+YSrjcOa4pvi2WsS9Iff/
+ql+hbHY5ZtbqTFXhADObE5hjyW/QASAJN1LnDE8+zbz1X5YnpyACleAu6AdBBR8V
+btaw5BngDwKTACdyxYvRVB9dSsNAl35VpnzBMwQUAR1JIGkLGZOdblgi90AMRgwj
+Y/M50n92Uaf0yKHxDHYiI0ZSKS3io0EHVmmY0gUJvGnHWmHNj4FgFU2A3ZDifcRQ
+8ow7bkrHxuaAKzyBvBGAFhAn1/DNP3nMcyrDflOR1m749fPH0FFNjkulW+YZFzvW
+gQncItzujrnEj1PhZ7szuIgVRs/taTX/dQ1G885x4cVrhkIGuUE=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIF2DCCA8CgAwIBAgIQTKr5yttjb+Af907YWwOGnTANBgkqhkiG9w0BAQwFADCB
+hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
+A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV
+BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAwMTE5
+MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
+EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR
+Q09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNh
+dGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCR
+6FSS0gpWsawNJN3Fz0RndJkrN6N9I3AAcbxT38T6KhKPS38QVr2fcHK3YX/JSw8X
+pz3jsARh7v8Rl8f0hj4K+j5c+ZPmNHrZFGvnnLOFoIJ6dq9xkNfs/Q36nGz637CC
+9BR++b7Epi9Pf5l/tfxnQ3K9DADWietrLNPtj5gcFKt+5eNu/Nio5JIk2kNrYrhV
+/erBvGy2i/MOjZrkm2xpmfh4SDBF1a3hDTxFYPwyllEnvGfDyi62a+pGx8cgoLEf
+Zd5ICLqkTqnyg0Y3hOvozIFIQ2dOciqbXL1MGyiKXCJ7tKuY2e7gUYPDCUZObT6Z
++pUX2nwzV0E8jVHtC7ZcryxjGt9XyD+86V3Em69FmeKjWiS0uqlWPc9vqv9JWL7w
+qP/0uK3pN/u6uPQLOvnoQ0IeidiEyxPx2bvhiWC4jChWrBQdnArncevPDt09qZah
+SL0896+1DSJMwBGB7FY79tOi4lu3sgQiUpWAk2nojkxl8ZEDLXB0AuqLZxUpaVIC
+u9ffUGpVRr+goyhhf3DQw6KqLCGqR84onAZFdr+CGCe01a60y1Dma/RMhnEw6abf
+Fobg2P9A3fvQQoh/ozM6LlweQRGBY84YcWsr7KaKtzFcOmpH4MN5WdYgGq/yapiq
+crxXStJLnbsQ/LBMQeXtHT1eKJ2czL+zUdqnR+WEUwIDAQABo0IwQDAdBgNVHQ4E
+FgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB
+/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAArx1UaEt65Ru2yyTUEUAJNMnMvl
+wFTPoCWOAvn9sKIN9SCYPBMtrFaisNZ+EZLpLrqeLppysb0ZRGxhNaKatBYSaVqM
+4dc+pBroLwP0rmEdEBsqpIt6xf4FpuHA1sj+nq6PK7o9mfjYcwlYRm6mnPTXJ9OV
+2jeDchzTc+CiR5kDOF3VSXkAKRzH7JsgHAckaVd4sjn8OoSgtZx8jb8uk2Intzna
+FxiuvTwJaP+EmzzV1gsD41eeFPfR60/IvYcjt7ZJQ3mFXLrrkguhxuhoqEwWsRqZ
+CuhTLJK7oQkYdQxlqHvLI7cawiiFwxv/0Cti76R7CZGYZ4wUAc1oBmpjIXUDgIiK
+boHGhfKppC3n9KUkEEeDys30jXlYsQab5xoq2Z0B15R97QNKyvDb6KkBPvVWmcke
+jkk9u+UJueBPSZI9FoJAzMxZxuY67RIuaTxslbH9qh17f4a+Hg4yRvv7E491f0yL
+S0Zj/gA0QHDBw7mh3aZw4gSzQbzpgJHqZJx64SIDqZxubw5lT2yHh17zbqD5daWb
+QOhTsiedSrnAdyGN/4fy3ryM7xfft0kL0fJuMAsaDk527RH89elWsn2/x20Kk4yl
+0MC2Hb46TpSi125sC8KKfPog88Tk5c0NqMuRkrF8hey1FGlmDoLnzc7ILaZRfyHB
+NVOFBkpdn627G190
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK
+MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVu
+VHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQw
+MTE2MTgxMjIzWjBKMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScw
+JQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwggIiMA0GCSqG
+SIb3DQEBAQUAA4ICDwAwggIKAoICAQCnUBneP5k91DNG8W9RYYKyqU+PZ4ldhNlT
+3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZshq0PirK1ehm7zCYofWjK9ouuU
++ehcCuz/mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN2WIrvyQfYo3fw7gp
+S0l4PJNgiCL8mdo2yMKi1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9t++uP0D1
+bVoE/c40yiTcdCMbXTMTEl3EASX2MN0CXZ/g1Ue9tOsbobtJSdifWwLziuQkkORi
+T0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl3ZBWzvurpWCdxJ35UrCL
+vYf5jysjCiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzyNeVJSQjK
+Vsk9+w8YfYs7wRPCTY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZK
+dHzVWYfCP04MXFL0PfdSgvHqo6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHT
+c+XvvqDtMwt0viAgxGds8AgDelWAf0ZOlqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hv
+l7yTmvmcEpB4eoCHFddydJxVdHixuuFucAS6T6C6aMN7/zHwcz09lCqxC0EOoP5N
+iGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB
+/zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZIhvcNAQELBQAD
+ggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH
+6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwt
+LRvM7Kqas6pgghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93
+nAbowacYXVKV7cndJZ5t+qntozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3
++wYQ+nVZZjFHKdp2mhzpgq7vmrlR94gjmmmVYjzlVYA211QC//G5Xc7UI2/YRYRK
+W2XviQzdFKcgyxilJbQN+QHwotL0AMh0jqEqSI5l2xPE4iUXfeu+h1sXIFRRk0pT
+AwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpCdNTDd1lzzY9GvlU47/rokTLq
+l1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyqorkqG5w2gXjtw+hG
+4iZZRHUe2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0K+l+J6fZ
+mUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A
+7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6H
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
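Review bot: One of the roots this hunk adds to the bundle has a subject that decodes to "Certification Authority of WoSign G2" (O=WoSign CA Limited), and the same commit adds a symlink to `CA_WoSign_ECC_Root.pem` further down. The major root programs (Mozilla, Apple, Google, Microsoft) later withdrew trust from WoSign's roots over misissuance, so a host still carrying this state should not keep them as trust anchors. The bundle looks like concatenated output of the distribution's CA tooling rather than a hand-edited file, so the fix belongs in its input: presumably a deselecting entry such as `!mozilla/CA_WoSign_ECC_Root.crt` in `ca-certificates.conf`, with matching lines for the other WoSign roots, followed by `update-ca-certificates`. Several certificates added in this hunk are not visible in this view, so the full set of affected roots should be confirmed by listing the subjects and fingerprints in the installed bundle.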
diff --git a/ssl/certs/d18e9066.0 b/ssl/certs/d18e9066.0
new file mode 120000 (symlink)
index 0000000..6d43d0a
--- /dev/null
@@ -0,0 +1 @@
+IdenTrust_Commercial_Root_CA_1.pem
\ No newline at end of file
diff --git a/ssl/certs/d4c339cb.0 b/ssl/certs/d4c339cb.0
new file mode 120000 (symlink)
index 0000000..e5b24aa
--- /dev/null
@@ -0,0 +1 @@
+COMODO_RSA_Certification_Authority.pem
\ No newline at end of file
diff --git a/ssl/certs/d5727d6a.0 b/ssl/certs/d5727d6a.0
new file mode 120000 (symlink)
index 0000000..628c97d
--- /dev/null
@@ -0,0 +1 @@
+CA_WoSign_ECC_Root.pem
\ No newline at end of file
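Review bot: The new link `d5727d6a.0` -> `CA_WoSign_ECC_Root.pem` puts a WoSign root into the system trust store, and `f38a011e.0` -> `Certification_Authority_of_WoSign_G2.pem` further down does the same. WoSign roots were distrusted by the major browser and OS root programs from late 2016 onward after mis-issuance findings, so any host still at this state should be checked against a current `ca-certificates` package. These hash links appear to be generated by `update-ca-certificates` rather than written by hand, so the change belongs at the source and not in the links themselves. To do that, prefix the corresponding entry in `ca-certificates.conf` with `!` and re-run `update-ca-certificates`.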
diff --git a/ssl/certs/d6325660.0 b/ssl/certs/d6325660.0
new file mode 120000 (symlink)
index 0000000..e5b24aa
--- /dev/null
@@ -0,0 +1 @@
+COMODO_RSA_Certification_Authority.pem
\ No newline at end of file
diff --git a/ssl/certs/d6e6eab9.0 b/ssl/certs/d6e6eab9.0
new file mode 120000 (symlink)
index 0000000..bcbbc5f
--- /dev/null
@@ -0,0 +1 @@
+Certinomis_-_Root_CA.pem
\ No newline at end of file
diff --git a/ssl/certs/ddc328ff.0 b/ssl/certs/ddc328ff.0
deleted file mode 120000 (symlink)
index d9b56b9..0000000
+++ /dev/null
@@ -1 +0,0 @@
-Thawte_Server_CA.pem
\ No newline at end of file
diff --git a/ssl/certs/dfc0fe80.0 b/ssl/certs/dfc0fe80.0
new file mode 120000 (symlink)
index 0000000..99ec072
--- /dev/null
@@ -0,0 +1 @@
+OISTE_WISeKey_Global_Root_GB_CA.pem
\ No newline at end of file
diff --git a/ssl/certs/e73d606e.0 b/ssl/certs/e73d606e.0
new file mode 120000 (symlink)
index 0000000..99ec072
--- /dev/null
@@ -0,0 +1 @@
+OISTE_WISeKey_Global_Root_GB_CA.pem
\ No newline at end of file
diff --git a/ssl/certs/eacdeb40.0 b/ssl/certs/eacdeb40.0
deleted file mode 120000 (symlink)
index 11e6482..0000000
+++ /dev/null
@@ -1 +0,0 @@
-America_Online_Root_Certification_Authority_1.pem
\ No newline at end of file
diff --git a/ssl/certs/eb375c3e.0 b/ssl/certs/eb375c3e.0
deleted file mode 120000 (symlink)
index 80f08aa..0000000
+++ /dev/null
@@ -1 +0,0 @@
-Buypass_Class_3_CA_1.pem
\ No newline at end of file
diff --git a/ssl/certs/ef954a4e.0 b/ssl/certs/ef954a4e.0
new file mode 120000 (symlink)
index 0000000..6d43d0a
--- /dev/null
@@ -0,0 +1 @@
+IdenTrust_Commercial_Root_CA_1.pem
\ No newline at end of file
diff --git a/ssl/certs/f30dd6ad.0 b/ssl/certs/f30dd6ad.0
new file mode 120000 (symlink)
index 0000000..e08a770
--- /dev/null
@@ -0,0 +1 @@
+USERTrust_ECC_Certification_Authority.pem
\ No newline at end of file
diff --git a/ssl/certs/f38a011e.0 b/ssl/certs/f38a011e.0
new file mode 120000 (symlink)
index 0000000..c1e72f7
--- /dev/null
@@ -0,0 +1 @@
+Certification_Authority_of_WoSign_G2.pem
\ No newline at end of file
diff --git a/ssl/certs/f58a60fe.0 b/ssl/certs/f58a60fe.0
deleted file mode 120000 (symlink)
index a818c21..0000000
+++ /dev/null
@@ -1 +0,0 @@
-ComSign_Secured_CA.pem
\ No newline at end of file
diff --git a/ssl/certs/fc5a8f99.0 b/ssl/certs/fc5a8f99.0
new file mode 120000 (symlink)
index 0000000..e29daca
--- /dev/null
@@ -0,0 +1 @@
+USERTrust_RSA_Certification_Authority.pem
\ No newline at end of file