Frank Brehm's Git Trees - config/uhu1/etc.git/commitdiff
Current state
authorFrank Brehm <frank@brehm-online.com>
Sun, 14 Dec 2014 07:38:33 +0000 (08:38 +0100)
committerFrank Brehm <frank@brehm-online.com>
Sun, 14 Dec 2014 07:38:33 +0000 (08:38 +0100)
172 files changed:
.etckeeper
bind/named-log.conf
bind/named.conf.orig
conf.d/fail2ban [new file with mode: 0644]
config-archive/etc/bind/named.conf.dist.new
config-archive/etc/default/grub
config-archive/etc/default/grub.1 [new file with mode: 0644]
config-archive/etc/default/grub.dist
config-archive/etc/fail2ban/fail2ban.conf [new file with mode: 0644]
config-archive/etc/fail2ban/fail2ban.conf.dist [new file with mode: 0644]
config-archive/etc/logrotate.d/fail2ban [new file with mode: 0644]
config-archive/etc/logrotate.d/fail2ban.dist.new [new file with mode: 0644]
config-archive/etc/postfix/main.cf
config-archive/etc/postfix/main.cf.1
config-archive/etc/postfix/main.cf.2
config-archive/etc/postfix/main.cf.3
config-archive/etc/postfix/main.cf.4
config-archive/etc/postfix/main.cf.5
config-archive/etc/postfix/main.cf.6
config-archive/etc/postfix/main.cf.7
config-archive/etc/postfix/main.cf.8 [new file with mode: 0644]
config-archive/etc/postfix/main.cf.dist
config-archive/etc/ssh/sshd_config
config-archive/etc/ssh/sshd_config.1
config-archive/etc/ssh/sshd_config.2
config-archive/etc/ssh/sshd_config.3
config-archive/etc/ssh/sshd_config.4 [new file with mode: 0644]
config-archive/etc/ssh/sshd_config.dist
cron.d/sysstat [new file with mode: 0644]
cron.daily/sysstat [deleted file]
default/grub
eixrc/00-eixrc
fail2ban/action.d/apf.conf [new file with mode: 0644]
fail2ban/action.d/badips.conf [new file with mode: 0644]
fail2ban/action.d/badips.py [new file with mode: 0644]
fail2ban/action.d/blocklist_de.conf [new file with mode: 0644]
fail2ban/action.d/bsd-ipfw.conf [new file with mode: 0644]
fail2ban/action.d/cloudflare.conf [new file with mode: 0644]
fail2ban/action.d/complain.conf [new file with mode: 0644]
fail2ban/action.d/dshield.conf [new file with mode: 0644]
fail2ban/action.d/dummy.conf [new file with mode: 0644]
fail2ban/action.d/firewallcmd-ipset.conf [new file with mode: 0644]
fail2ban/action.d/firewallcmd-new.conf [new file with mode: 0644]
fail2ban/action.d/hostsdeny.conf [new file with mode: 0644]
fail2ban/action.d/ipfilter.conf [new file with mode: 0644]
fail2ban/action.d/ipfw.conf [new file with mode: 0644]
fail2ban/action.d/iptables-allports.conf [new file with mode: 0644]
fail2ban/action.d/iptables-common.conf [new file with mode: 0644]
fail2ban/action.d/iptables-ipset-proto4.conf [new file with mode: 0644]
fail2ban/action.d/iptables-ipset-proto6-allports.conf [new file with mode: 0644]
fail2ban/action.d/iptables-ipset-proto6.conf [new file with mode: 0644]
fail2ban/action.d/iptables-multiport-log.conf [new file with mode: 0644]
fail2ban/action.d/iptables-multiport.conf [new file with mode: 0644]
fail2ban/action.d/iptables-new.conf [new file with mode: 0644]
fail2ban/action.d/iptables-xt_recent-echo.conf [new file with mode: 0644]
fail2ban/action.d/iptables.conf [new file with mode: 0644]
fail2ban/action.d/mail-buffered.conf [new file with mode: 0644]
fail2ban/action.d/mail-whois-lines.conf [new file with mode: 0644]
fail2ban/action.d/mail-whois.conf [new file with mode: 0644]
fail2ban/action.d/mail.conf [new file with mode: 0644]
fail2ban/action.d/mynetwatchman.conf [new file with mode: 0644]
fail2ban/action.d/osx-afctl.conf [new file with mode: 0644]
fail2ban/action.d/osx-ipfw.conf [new file with mode: 0644]
fail2ban/action.d/pf.conf [new file with mode: 0644]
fail2ban/action.d/route.conf [new file with mode: 0644]
fail2ban/action.d/sendmail-buffered.conf [new file with mode: 0644]
fail2ban/action.d/sendmail-common.conf [new file with mode: 0644]
fail2ban/action.d/sendmail-whois-ipjailmatches.conf [new file with mode: 0644]
fail2ban/action.d/sendmail-whois-ipmatches.conf [new file with mode: 0644]
fail2ban/action.d/sendmail-whois-lines.conf [new file with mode: 0644]
fail2ban/action.d/sendmail-whois-matches.conf [new file with mode: 0644]
fail2ban/action.d/sendmail-whois.conf [new file with mode: 0644]
fail2ban/action.d/sendmail.conf [new file with mode: 0644]
fail2ban/action.d/shorewall.conf [new file with mode: 0644]
fail2ban/action.d/smtp.py [new file with mode: 0644]
fail2ban/action.d/symbiosis-blacklist-allports.conf [new file with mode: 0644]
fail2ban/action.d/ufw.conf [new file with mode: 0644]
fail2ban/action.d/xarf-login-attack.conf [new file with mode: 0644]
fail2ban/fail2ban.conf [new file with mode: 0644]
fail2ban/filter.d/3proxy.conf [new file with mode: 0644]
fail2ban/filter.d/apache-auth.conf [new file with mode: 0644]
fail2ban/filter.d/apache-badbots.conf [new file with mode: 0644]
fail2ban/filter.d/apache-botsearch.conf [new file with mode: 0644]
fail2ban/filter.d/apache-common.conf [new file with mode: 0644]
fail2ban/filter.d/apache-modsecurity.conf [new file with mode: 0644]
fail2ban/filter.d/apache-nohome.conf [new file with mode: 0644]
fail2ban/filter.d/apache-noscript.conf [new file with mode: 0644]
fail2ban/filter.d/apache-overflows.conf [new file with mode: 0644]
fail2ban/filter.d/apache-shellshock.conf [new file with mode: 0644]
fail2ban/filter.d/assp.conf [new file with mode: 0644]
fail2ban/filter.d/asterisk.conf [new file with mode: 0644]
fail2ban/filter.d/common.conf [new file with mode: 0644]
fail2ban/filter.d/counter-strike.conf [new file with mode: 0644]
fail2ban/filter.d/courier-auth.conf [new file with mode: 0644]
fail2ban/filter.d/courier-smtp.conf [new file with mode: 0644]
fail2ban/filter.d/cyrus-imap.conf [new file with mode: 0644]
fail2ban/filter.d/directadmin.conf [new file with mode: 0644]
fail2ban/filter.d/dovecot.conf [new file with mode: 0644]
fail2ban/filter.d/dropbear.conf [new file with mode: 0644]
fail2ban/filter.d/ejabberd-auth.conf [new file with mode: 0644]
fail2ban/filter.d/exim-common.conf [new file with mode: 0644]
fail2ban/filter.d/exim-spam.conf [new file with mode: 0644]
fail2ban/filter.d/exim.conf [new file with mode: 0644]
fail2ban/filter.d/freeswitch.conf [new file with mode: 0644]
fail2ban/filter.d/groupoffice.conf [new file with mode: 0644]
fail2ban/filter.d/gssftpd.conf [new file with mode: 0644]
fail2ban/filter.d/guacamole.conf [new file with mode: 0644]
fail2ban/filter.d/horde.conf [new file with mode: 0644]
fail2ban/filter.d/kerio.conf [new file with mode: 0644]
fail2ban/filter.d/lighttpd-auth.conf [new file with mode: 0644]
fail2ban/filter.d/monit.conf [new file with mode: 0644]
fail2ban/filter.d/mysqld-auth.conf [new file with mode: 0644]
fail2ban/filter.d/nagios.conf [new file with mode: 0644]
fail2ban/filter.d/named-refused.conf [new file with mode: 0644]
fail2ban/filter.d/nginx-http-auth.conf [new file with mode: 0644]
fail2ban/filter.d/nsd.conf [new file with mode: 0644]
fail2ban/filter.d/openwebmail.conf [new file with mode: 0644]
fail2ban/filter.d/oracleims.conf [new file with mode: 0644]
fail2ban/filter.d/pam-generic.conf [new file with mode: 0644]
fail2ban/filter.d/perdition.conf [new file with mode: 0644]
fail2ban/filter.d/php-url-fopen.conf [new file with mode: 0644]
fail2ban/filter.d/portsentry.conf [new file with mode: 0644]
fail2ban/filter.d/postfix-sasl.conf [new file with mode: 0644]
fail2ban/filter.d/postfix.conf [new file with mode: 0644]
fail2ban/filter.d/proftpd.conf [new file with mode: 0644]
fail2ban/filter.d/pure-ftpd.conf [new file with mode: 0644]
fail2ban/filter.d/qmail.conf [new file with mode: 0644]
fail2ban/filter.d/recidive.conf [new file with mode: 0644]
fail2ban/filter.d/roundcube-auth.conf [new file with mode: 0644]
fail2ban/filter.d/selinux-common.conf [new file with mode: 0644]
fail2ban/filter.d/selinux-ssh.conf [new file with mode: 0644]
fail2ban/filter.d/sendmail-auth.conf [new file with mode: 0644]
fail2ban/filter.d/sendmail-reject.conf [new file with mode: 0644]
fail2ban/filter.d/sieve.conf [new file with mode: 0644]
fail2ban/filter.d/sogo-auth.conf [new file with mode: 0644]
fail2ban/filter.d/solid-pop3d.conf [new file with mode: 0644]
fail2ban/filter.d/squid.conf [new file with mode: 0644]
fail2ban/filter.d/squirrelmail.conf [new file with mode: 0644]
fail2ban/filter.d/sshd-ddos.conf [new file with mode: 0644]
fail2ban/filter.d/sshd.conf [new file with mode: 0644]
fail2ban/filter.d/stunnel.conf [new file with mode: 0644]
fail2ban/filter.d/suhosin.conf [new file with mode: 0644]
fail2ban/filter.d/tine20.conf [new file with mode: 0644]
fail2ban/filter.d/uwimap-auth.conf [new file with mode: 0644]
fail2ban/filter.d/vsftpd.conf [new file with mode: 0644]
fail2ban/filter.d/webmin-auth.conf [new file with mode: 0644]
fail2ban/filter.d/wuftpd.conf [new file with mode: 0644]
fail2ban/filter.d/xinetd-fail.conf [new file with mode: 0644]
fail2ban/jail.conf [new file with mode: 0644]
fail2ban/jail.d/sshd.conf [new file with mode: 0644]
fail2ban/paths-common.conf [new file with mode: 0644]
fail2ban/paths-debian.conf [new file with mode: 0644]
fail2ban/paths-fedora.conf [new file with mode: 0644]
fail2ban/paths-freebsd.conf [new file with mode: 0644]
fail2ban/paths-osx.conf [new file with mode: 0644]
freshclam.conf
grub.d/10_linux
init.d/fail2ban [new file with mode: 0755]
kernel-config/config-3.16.5-gentoo-00 [new file with mode: 0644]
logrotate.d/fail2ban [new file with mode: 0644]
logrotate.d/named [new file with mode: 0644]
logrotate.d/syslog-ng
openldap/schema/openssh-lpk.schema [new file with mode: 0644]
portage/package.use
postfix/main.cf
postfix/master.cf
revdep-rebuild/61-icedtea-bin-6
runlevels/default/fail2ban [new symlink]
ssh/ssh_config
ssh/sshd_config
ssh/sshd_config.orig [new file with mode: 0644]
sysstat

index d5ac541d485811b36a8937c35f20679c7950cd17..3b009b6d0528d54692040b91d1eb49e183535b8a 100755 (executable)
@@ -4,8 +4,8 @@ mkdir -p './ca-certificates/update.d'
 mkdir -p './courier-imap/shared'
 mkdir -p './courier-imap/shared.tmp'
 mkdir -p './dpkg/dpkg.cfg.d'
+mkdir -p './fail2ban/fail2ban.d'
 mkdir -p './gtk-2.0/x86_64-pc-linux-gnu'
-mkdir -p './lvm/cache'
 mkdir -p './salt/pki/minions_pre'
 mkdir -p './salt/pki/minions_rejected'
 mkdir -p './security/limits.d'
@@ -13,7 +13,6 @@ mkdir -p './security/namespace.d'
 mkdir -p './sensors.d'
 mkdir -p './skel/.ssh'
 mkdir -p './smartd_warning.d'
-mkdir -p './ssh/ca'
 mkdir -p './ssl/CA-Brehm/certs'
 mkdir -p './ssl/CA-Brehm/crl'
 mkdir -p './ssl/CA-Brehm/newcerts'
@@ -157,6 +156,7 @@ maybe chmod 0644 'conf.d/consolefont'
 maybe chmod 0644 'conf.d/crypto-loop'
 maybe chmod 0644 'conf.d/device-mapper'
 maybe chmod 0644 'conf.d/dmesg'
+maybe chmod 0644 'conf.d/fail2ban'
 maybe chmod 0644 'conf.d/fsck'
 maybe chmod 0644 'conf.d/gem_server'
 maybe chmod 0644 'conf.d/git-daemon'
@@ -292,6 +292,7 @@ maybe chmod 0640 'config-archive/etc/cups/snmp.conf'
 maybe chmod 0640 'config-archive/etc/cups/snmp.conf.dist'
 maybe chmod 0755 'config-archive/etc/default'
 maybe chmod 0644 'config-archive/etc/default/grub'
+maybe chmod 0644 'config-archive/etc/default/grub.1'
 maybe chmod 0644 'config-archive/etc/default/grub.dist'
 maybe chmod 0644 'config-archive/etc/dispatch-conf.conf'
 maybe chmod 0644 'config-archive/etc/dispatch-conf.conf.dist.new'
@@ -311,6 +312,9 @@ maybe chmod 0644 'config-archive/etc/eselect/postgresql/slots/9.1/server'
 maybe chmod 0644 'config-archive/etc/eselect/postgresql/slots/9.1/server.1'
 maybe chmod 0644 'config-archive/etc/eselect/postgresql/slots/9.1/server.2'
 maybe chmod 0644 'config-archive/etc/eselect/postgresql/slots/9.1/server.dist'
+maybe chmod 0755 'config-archive/etc/fail2ban'
+maybe chmod 0644 'config-archive/etc/fail2ban/fail2ban.conf'
+maybe chmod 0644 'config-archive/etc/fail2ban/fail2ban.conf.dist'
 maybe chmod 0644 'config-archive/etc/hosts'
 maybe chmod 0644 'config-archive/etc/hosts.dist.new'
 maybe chmod 0755 'config-archive/etc/init.d'
@@ -378,6 +382,8 @@ maybe chmod 0644 'config-archive/etc/logrotate.conf.dist'
 maybe chmod 0755 'config-archive/etc/logrotate.d'
 maybe chmod 0644 'config-archive/etc/logrotate.d/clamav'
 maybe chmod 0644 'config-archive/etc/logrotate.d/clamav.dist'
+maybe chmod 0644 'config-archive/etc/logrotate.d/fail2ban'
+maybe chmod 0644 'config-archive/etc/logrotate.d/fail2ban.dist.new'
 maybe chmod 0644 'config-archive/etc/logrotate.d/syslog-ng'
 maybe chmod 0644 'config-archive/etc/logrotate.d/syslog-ng.dist.new'
 maybe chmod 0644 'config-archive/etc/logrotate.d/ulogd'
@@ -550,6 +556,7 @@ maybe chmod 0644 'config-archive/etc/postfix/main.cf.4'
 maybe chmod 0644 'config-archive/etc/postfix/main.cf.5'
 maybe chmod 0644 'config-archive/etc/postfix/main.cf.6'
 maybe chmod 0644 'config-archive/etc/postfix/main.cf.7'
+maybe chmod 0644 'config-archive/etc/postfix/main.cf.8'
 maybe chmod 0644 'config-archive/etc/postfix/main.cf.dist'
 maybe chmod 0644 'config-archive/etc/profile'
 maybe chmod 0755 'config-archive/etc/profile.d'
@@ -579,6 +586,7 @@ maybe chmod 0600 'config-archive/etc/ssh/sshd_config'
 maybe chmod 0600 'config-archive/etc/ssh/sshd_config.1'
 maybe chmod 0600 'config-archive/etc/ssh/sshd_config.2'
 maybe chmod 0600 'config-archive/etc/ssh/sshd_config.3'
+maybe chmod 0600 'config-archive/etc/ssh/sshd_config.4'
 maybe chmod 0600 'config-archive/etc/ssh/sshd_config.dist'
 maybe chmod 0755 'config-archive/etc/stunnel'
 maybe chmod 0644 'config-archive/etc/stunnel/stunnel.conf'
@@ -686,6 +694,7 @@ maybe chgrp 'mail' 'courier/authlib/authsqliterc.dist'
 maybe chmod 0660 'courier/authlib/authsqliterc.dist'
 maybe chmod 0755 'cron.d'
 maybe chmod 0644 'cron.d/.keep_sys-process_vixie-cron-0'
+maybe chmod 0644 'cron.d/sysstat'
 maybe chmod 0750 'cron.daily'
 maybe chmod 0644 'cron.daily/.keep_sys-process_cronbase-0'
 maybe chmod 0755 'cron.daily/00-logwatch'
@@ -694,7 +703,6 @@ maybe chmod 0755 'cron.daily/makewhatis'
 maybe chmod 0755 'cron.daily/mlocate'
 maybe chmod 0755 'cron.daily/rkhunter'
 maybe chmod 0644 'cron.daily/run_reoback.sh'
-maybe chmod 0755 'cron.daily/sysstat'
 maybe chmod 0644 'cron.deny'
 maybe chmod 0750 'cron.hourly'
 maybe chmod 0644 'cron.hourly/.keep_sys-process_cronbase-0'
@@ -854,6 +862,134 @@ maybe chmod 0755 'etckeeper/vcs.d/50vcs-cmd'
 maybe chmod 0755 'facter'
 maybe chmod 0755 'facter/facts.d'
 maybe chmod 0644 'facter/facts.d/.keep_dev-ruby_facter-0'
+maybe chmod 0755 'fail2ban'
+maybe chmod 0755 'fail2ban/action.d'
+maybe chmod 0644 'fail2ban/action.d/apf.conf'
+maybe chmod 0644 'fail2ban/action.d/badips.conf'
+maybe chmod 0644 'fail2ban/action.d/badips.py'
+maybe chmod 0644 'fail2ban/action.d/blocklist_de.conf'
+maybe chmod 0644 'fail2ban/action.d/bsd-ipfw.conf'
+maybe chmod 0644 'fail2ban/action.d/cloudflare.conf'
+maybe chmod 0644 'fail2ban/action.d/complain.conf'
+maybe chmod 0644 'fail2ban/action.d/dshield.conf'
+maybe chmod 0644 'fail2ban/action.d/dummy.conf'
+maybe chmod 0644 'fail2ban/action.d/firewallcmd-ipset.conf'
+maybe chmod 0644 'fail2ban/action.d/firewallcmd-new.conf'
+maybe chmod 0644 'fail2ban/action.d/hostsdeny.conf'
+maybe chmod 0644 'fail2ban/action.d/ipfilter.conf'
+maybe chmod 0644 'fail2ban/action.d/ipfw.conf'
+maybe chmod 0644 'fail2ban/action.d/iptables-allports.conf'
+maybe chmod 0644 'fail2ban/action.d/iptables-common.conf'
+maybe chmod 0644 'fail2ban/action.d/iptables-ipset-proto4.conf'
+maybe chmod 0644 'fail2ban/action.d/iptables-ipset-proto6-allports.conf'
+maybe chmod 0644 'fail2ban/action.d/iptables-ipset-proto6.conf'
+maybe chmod 0644 'fail2ban/action.d/iptables-multiport-log.conf'
+maybe chmod 0644 'fail2ban/action.d/iptables-multiport.conf'
+maybe chmod 0644 'fail2ban/action.d/iptables-new.conf'
+maybe chmod 0644 'fail2ban/action.d/iptables-xt_recent-echo.conf'
+maybe chmod 0644 'fail2ban/action.d/iptables.conf'
+maybe chmod 0644 'fail2ban/action.d/mail-buffered.conf'
+maybe chmod 0644 'fail2ban/action.d/mail-whois-lines.conf'
+maybe chmod 0644 'fail2ban/action.d/mail-whois.conf'
+maybe chmod 0644 'fail2ban/action.d/mail.conf'
+maybe chmod 0644 'fail2ban/action.d/mynetwatchman.conf'
+maybe chmod 0644 'fail2ban/action.d/osx-afctl.conf'
+maybe chmod 0644 'fail2ban/action.d/osx-ipfw.conf'
+maybe chmod 0644 'fail2ban/action.d/pf.conf'
+maybe chmod 0644 'fail2ban/action.d/route.conf'
+maybe chmod 0644 'fail2ban/action.d/sendmail-buffered.conf'
+maybe chmod 0644 'fail2ban/action.d/sendmail-common.conf'
+maybe chmod 0644 'fail2ban/action.d/sendmail-whois-ipjailmatches.conf'
+maybe chmod 0644 'fail2ban/action.d/sendmail-whois-ipmatches.conf'
+maybe chmod 0644 'fail2ban/action.d/sendmail-whois-lines.conf'
+maybe chmod 0644 'fail2ban/action.d/sendmail-whois-matches.conf'
+maybe chmod 0644 'fail2ban/action.d/sendmail-whois.conf'
+maybe chmod 0644 'fail2ban/action.d/sendmail.conf'
+maybe chmod 0644 'fail2ban/action.d/shorewall.conf'
+maybe chmod 0644 'fail2ban/action.d/smtp.py'
+maybe chmod 0644 'fail2ban/action.d/symbiosis-blacklist-allports.conf'
+maybe chmod 0644 'fail2ban/action.d/ufw.conf'
+maybe chmod 0644 'fail2ban/action.d/xarf-login-attack.conf'
+maybe chmod 0644 'fail2ban/fail2ban.conf'
+maybe chmod 0755 'fail2ban/fail2ban.d'
+maybe chmod 0755 'fail2ban/filter.d'
+maybe chmod 0644 'fail2ban/filter.d/3proxy.conf'
+maybe chmod 0644 'fail2ban/filter.d/apache-auth.conf'
+maybe chmod 0644 'fail2ban/filter.d/apache-badbots.conf'
+maybe chmod 0644 'fail2ban/filter.d/apache-botsearch.conf'
+maybe chmod 0644 'fail2ban/filter.d/apache-common.conf'
+maybe chmod 0644 'fail2ban/filter.d/apache-modsecurity.conf'
+maybe chmod 0644 'fail2ban/filter.d/apache-nohome.conf'
+maybe chmod 0644 'fail2ban/filter.d/apache-noscript.conf'
+maybe chmod 0644 'fail2ban/filter.d/apache-overflows.conf'
+maybe chmod 0644 'fail2ban/filter.d/apache-shellshock.conf'
+maybe chmod 0644 'fail2ban/filter.d/assp.conf'
+maybe chmod 0644 'fail2ban/filter.d/asterisk.conf'
+maybe chmod 0644 'fail2ban/filter.d/common.conf'
+maybe chmod 0644 'fail2ban/filter.d/counter-strike.conf'
+maybe chmod 0644 'fail2ban/filter.d/courier-auth.conf'
+maybe chmod 0644 'fail2ban/filter.d/courier-smtp.conf'
+maybe chmod 0644 'fail2ban/filter.d/cyrus-imap.conf'
+maybe chmod 0644 'fail2ban/filter.d/directadmin.conf'
+maybe chmod 0644 'fail2ban/filter.d/dovecot.conf'
+maybe chmod 0644 'fail2ban/filter.d/dropbear.conf'
+maybe chmod 0644 'fail2ban/filter.d/ejabberd-auth.conf'
+maybe chmod 0644 'fail2ban/filter.d/exim-common.conf'
+maybe chmod 0644 'fail2ban/filter.d/exim-spam.conf'
+maybe chmod 0644 'fail2ban/filter.d/exim.conf'
+maybe chmod 0644 'fail2ban/filter.d/freeswitch.conf'
+maybe chmod 0644 'fail2ban/filter.d/groupoffice.conf'
+maybe chmod 0644 'fail2ban/filter.d/gssftpd.conf'
+maybe chmod 0644 'fail2ban/filter.d/guacamole.conf'
+maybe chmod 0644 'fail2ban/filter.d/horde.conf'
+maybe chmod 0644 'fail2ban/filter.d/kerio.conf'
+maybe chmod 0644 'fail2ban/filter.d/lighttpd-auth.conf'
+maybe chmod 0644 'fail2ban/filter.d/monit.conf'
+maybe chmod 0644 'fail2ban/filter.d/mysqld-auth.conf'
+maybe chmod 0644 'fail2ban/filter.d/nagios.conf'
+maybe chmod 0644 'fail2ban/filter.d/named-refused.conf'
+maybe chmod 0644 'fail2ban/filter.d/nginx-http-auth.conf'
+maybe chmod 0644 'fail2ban/filter.d/nsd.conf'
+maybe chmod 0644 'fail2ban/filter.d/openwebmail.conf'
+maybe chmod 0644 'fail2ban/filter.d/oracleims.conf'
+maybe chmod 0644 'fail2ban/filter.d/pam-generic.conf'
+maybe chmod 0644 'fail2ban/filter.d/perdition.conf'
+maybe chmod 0644 'fail2ban/filter.d/php-url-fopen.conf'
+maybe chmod 0644 'fail2ban/filter.d/portsentry.conf'
+maybe chmod 0644 'fail2ban/filter.d/postfix-sasl.conf'
+maybe chmod 0644 'fail2ban/filter.d/postfix.conf'
+maybe chmod 0644 'fail2ban/filter.d/proftpd.conf'
+maybe chmod 0644 'fail2ban/filter.d/pure-ftpd.conf'
+maybe chmod 0644 'fail2ban/filter.d/qmail.conf'
+maybe chmod 0644 'fail2ban/filter.d/recidive.conf'
+maybe chmod 0644 'fail2ban/filter.d/roundcube-auth.conf'
+maybe chmod 0644 'fail2ban/filter.d/selinux-common.conf'
+maybe chmod 0644 'fail2ban/filter.d/selinux-ssh.conf'
+maybe chmod 0644 'fail2ban/filter.d/sendmail-auth.conf'
+maybe chmod 0644 'fail2ban/filter.d/sendmail-reject.conf'
+maybe chmod 0644 'fail2ban/filter.d/sieve.conf'
+maybe chmod 0644 'fail2ban/filter.d/sogo-auth.conf'
+maybe chmod 0644 'fail2ban/filter.d/solid-pop3d.conf'
+maybe chmod 0644 'fail2ban/filter.d/squid.conf'
+maybe chmod 0644 'fail2ban/filter.d/squirrelmail.conf'
+maybe chmod 0644 'fail2ban/filter.d/sshd-ddos.conf'
+maybe chmod 0644 'fail2ban/filter.d/sshd.conf'
+maybe chmod 0644 'fail2ban/filter.d/stunnel.conf'
+maybe chmod 0644 'fail2ban/filter.d/suhosin.conf'
+maybe chmod 0644 'fail2ban/filter.d/tine20.conf'
+maybe chmod 0644 'fail2ban/filter.d/uwimap-auth.conf'
+maybe chmod 0644 'fail2ban/filter.d/vsftpd.conf'
+maybe chmod 0644 'fail2ban/filter.d/webmin-auth.conf'
+maybe chmod 0644 'fail2ban/filter.d/wuftpd.conf'
+maybe chmod 0644 'fail2ban/filter.d/xinetd-fail.conf'
+maybe chmod 0644 'fail2ban/jail.conf'
+maybe chmod 0755 'fail2ban/jail.d'
+maybe chmod 0644 'fail2ban/jail.d/sshd.conf'
+maybe chmod 0644 'fail2ban/paths-common.conf'
+maybe chmod 0644 'fail2ban/paths-debian.conf'
+maybe chmod 0644 'fail2ban/paths-fedora.conf'
+maybe chmod 0644 'fail2ban/paths-freebsd.conf'
+maybe chmod 0644 'fail2ban/paths-osx.conf'
 maybe chmod 0644 'filesystems'
 maybe chmod 0755 'fonts'
 maybe chmod 0755 'fonts/conf.avail'
@@ -964,6 +1100,7 @@ maybe chmod 0755 'init.d/device-mapper'
 maybe chmod 0755 'init.d/dhcpcd'
 maybe chmod 0755 'init.d/dmesg'
 maybe chmod 0755 'init.d/dmeventd'
+maybe chmod 0755 'init.d/fail2ban'
 maybe chmod 0755 'init.d/fancontrol'
 maybe chmod 0755 'init.d/fsck'
 maybe chmod 0755 'init.d/gem_server'
@@ -1073,6 +1210,7 @@ maybe chmod 0644 'kernel-config/config-3.10.25-gentoo-00'
 maybe chmod 0644 'kernel-config/config-3.10.7-gentoo-00'
 maybe chmod 0644 'kernel-config/config-3.12.13-gentoo-00'
 maybe chmod 0644 'kernel-config/config-3.14.14-gentoo-00'
+maybe chmod 0644 'kernel-config/config-3.16.5-gentoo-00'
 maybe chmod 0644 'kernel-config/config-3.2.1-gentoo-r2-00'
 maybe chmod 0644 'kernel-config/config-3.3.8-gentoo-00'
 maybe chmod 0644 'kernel-config/config-3.4.9-gentoo-00'
@@ -1108,7 +1246,9 @@ maybe chmod 0644 'logrotate.d/.keep_app-admin_logrotate-0'
 maybe chmod 0644 'logrotate.d/apache2'
 maybe chmod 0644 'logrotate.d/clamav'
 maybe chmod 0644 'logrotate.d/elog-save-summary'
+maybe chmod 0644 'logrotate.d/fail2ban'
 maybe chmod 0644 'logrotate.d/mysql'
+maybe chmod 0644 'logrotate.d/named'
 maybe chmod 0644 'logrotate.d/openrc'
 maybe chmod 0644 'logrotate.d/rsyncd'
 maybe chmod 0644 'logrotate.d/syslog-ng'
@@ -1123,6 +1263,7 @@ maybe chmod 0600 'lvm/archive/vg00_00001-682332803.vg'
 maybe chmod 0700 'lvm/backup'
 maybe chmod 0600 'lvm/backup/vg00'
 maybe chmod 0700 'lvm/cache'
+maybe chmod 0600 'lvm/cache/.cache'
 maybe chmod 0644 'lvm/lvm.conf'
 maybe chmod 0755 'lvm/profile'
 maybe chmod 0444 'lvm/profile/command_profile_template.profile'
@@ -1285,6 +1426,7 @@ maybe chmod 0444 'openldap/schema/nis.ldif'
 maybe chmod 0444 'openldap/schema/nis.schema'
 maybe chmod 0444 'openldap/schema/openldap.ldif'
 maybe chmod 0444 'openldap/schema/openldap.schema'
+maybe chmod 0644 'openldap/schema/openssh-lpk.schema'
 maybe chmod 0444 'openldap/schema/pmi.ldif'
 maybe chmod 0444 'openldap/schema/pmi.schema'
 maybe chmod 0444 'openldap/schema/ppolicy.ldif'
@@ -1555,7 +1697,6 @@ maybe chmod 0755 'smartd_warning.sh'
 maybe chmod 0755 'snmp'
 maybe chmod 0644 'snmp/snmpd.conf.example'
 maybe chmod 0755 'ssh'
-maybe chmod 0755 'ssh/ca'
 maybe chmod 0644 'ssh/moduli'
 maybe chmod 0644 'ssh/ssh_config'
 maybe chmod 0600 'ssh/ssh_host_dsa_key'
@@ -1569,6 +1710,7 @@ maybe chmod 0644 'ssh/ssh_host_key.pub'
 maybe chmod 0600 'ssh/ssh_host_rsa_key'
 maybe chmod 0644 'ssh/ssh_host_rsa_key.pub'
 maybe chmod 0600 'ssh/sshd_config'
+maybe chmod 0600 'ssh/sshd_config.orig'
 maybe chmod 0755 'ssl'
 maybe chmod 0755 'ssl/CA-Brehm'
 maybe chmod 0755 'ssl/CA-Brehm/apache2'
index 9e4de15ad68e1c51e40fb4c675af527d38aee7dd..be00ad4c3f2c60cfe42892d73e7d37a23fd22820 100644 (file)
@@ -33,13 +33,13 @@ logging {
 
     // Kanäle
 
-    channel complete_debug {
-        file "/var/log/bind/complete-debug.log";
-        print-category yes;
-        print-severity yes;
-        print-time yes;
-        severity debug 99;
-    };
+    //channel complete_debug {
+    //    file "/var/log/bind/complete-debug.log";
+    //    print-category yes;
+    //    print-severity yes;
+    //    print-time yes;
+    //    severity debug 99;
+    //};
     channel logtofile {
         file "/var/log/bind/named.log";
         print-category yes;
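Review bot: Commenting out `complete_debug` here, and `moderate_debug` in the next hunk, is only safe if no `category` clause still names either channel. The category section is outside the visible hunks, so the diff cannot confirm that. A logging statement that references an undefined channel is rejected when the configuration is parsed, so run `named-checkconf` before the next reload. A one-line comment above each disabled block, for example `// debug channel disabled; re-enable together with its category entries`, would record why the block is off. The `logging` block starts before this hunk and continues after it.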
@@ -47,20 +47,20 @@ logging {
         print-time yes;
         severity info;
     };
-    channel moderate_debug {
-        file "/var/log/bind/debug.log";
-        print-category yes;
-        print-severity yes;
-        print-time yes;
-        severity debug 1;
-    };
+    //channel moderate_debug {
+    //    file "/var/log/bind/debug.log";
+    //    print-category yes;
+    //    print-severity yes;
+    //    print-time yes;
+    //    severity debug 1;
+    //};
     channel query_logging {
         file "/var/log/bind/query.log";
         print-time yes;
     };
     channel syslog-warning {
         syslog daemon;
-        severity warning;
+        severity info;
     };
 
 };
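Review bot: The channel is still named `syslog-warning` but now has `severity info;`, so the name no longer says what reaches the `daemon` facility. Either rename it together with the category entries that reference it (those are outside this hunk), or add a comment next to the changed line such as `// threshold lowered to info on purpose; name kept for existing category references`. If the lower threshold is meant to give log-based tooling something to match, which is only a guess from the fail2ban files added in this commit, say so in that comment. Expect more syslog volume from named and check that rotation covers it.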
index 5b9c1cdc209a347bb4d39b16da5f98ff09fff837..39f9be267f37b30f86f0d67a8af2db7e4b667769 100644 (file)
@@ -1,8 +1,8 @@
 /*
  * Refer to the named.conf(5) and named(8) man pages, and the documentation
- * in /usr/share/doc/bind-9 for more details.
+ * in /usr/share/doc/bind-* for more details.
  * Online versions of the documentation can be found here:
- * http://www.isc.org/software/bind/documentation
+ * https://kb.isc.org/article/AA-01031
  *
  * If you are going to set up an authoritative server, make sure you
  * understand the hairy details of how DNS works. Even with simple mistakes,
@@ -87,7 +87,7 @@ options {
 
 */
 
-       //dnssec-enable yes;
+       dnssec-enable yes;
        //dnssec-validation yes;
 
        /*
@@ -95,7 +95,7 @@ options {
         * "If the root key provided has expired,
         * named will log the expiration and validation will not work."
         */
-       //dnssec-validation auto;
+       dnssec-validation auto;
 
        /* if you have problems and are behind a firewall: */
        //query-source address * port 53;
@@ -131,12 +131,6 @@ zone "localhost" IN {
        notify no;
 };
 
-zone "127.in-addr.arpa" IN {
-       type master;
-       file "pri/127.zone";
-       notify no;
-};
-
 /*
  * Briefly, a zone which has been declared delegation-only will be effectively
  * limited to containing NS RRs for subdomains, but no actual data beyond its
diff --git a/conf.d/fail2ban b/conf.d/fail2ban
new file mode 100644 (file)
index 0000000..00d19f8
--- /dev/null
@@ -0,0 +1,8 @@
+# Config file for /etc/init.d/fail2ban
+#
+# For information on options, see "/usr/bin/fail2ban-client -h".
+
+FAIL2BAN_OPTIONS=""
+
+# Force execution of the server even if the socket already exists:
+#FAIL2BAN_OPTIONS="-x"
index 5b9c1cdc209a347bb4d39b16da5f98ff09fff837..39f9be267f37b30f86f0d67a8af2db7e4b667769 100644 (file)
@@ -1,8 +1,8 @@
 /*
  * Refer to the named.conf(5) and named(8) man pages, and the documentation
- * in /usr/share/doc/bind-9 for more details.
+ * in /usr/share/doc/bind-* for more details.
  * Online versions of the documentation can be found here:
- * http://www.isc.org/software/bind/documentation
+ * https://kb.isc.org/article/AA-01031
  *
  * If you are going to set up an authoritative server, make sure you
  * understand the hairy details of how DNS works. Even with simple mistakes,
@@ -87,7 +87,7 @@ options {
 
 */
 
-       //dnssec-enable yes;
+       dnssec-enable yes;
        //dnssec-validation yes;
 
        /*
@@ -95,7 +95,7 @@ options {
         * "If the root key provided has expired,
         * named will log the expiration and validation will not work."
         */
-       //dnssec-validation auto;
+       dnssec-validation auto;
 
        /* if you have problems and are behind a firewall: */
        //query-source address * port 53;
@@ -131,12 +131,6 @@ zone "localhost" IN {
        notify no;
 };
 
-zone "127.in-addr.arpa" IN {
-       type master;
-       file "pri/127.zone";
-       notify no;
-};
-
 /*
  * Briefly, a zone which has been declared delegation-only will be effectively
  * limited to containing NS RRs for subdomains, but no actual data beyond its
index 1ea8691bc1109094574647a4ba4e69b1693a39b5..16776f5927598806457420423afd23bd5a330a05 100644 (file)
@@ -1,23 +1,36 @@
-# Copyright 1999-2013 Gentoo Foundation
+# Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-2,v 1.4 2013/09/21 18:10:55 floppym Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-3,v 1.3 2014/09/10 14:38:39 floppym Exp $
 #
 # To populate all changes in this file you need to regenerate your
 # grub configuration file afterwards:
 #     'grub2-mkconfig -o /boot/grub/grub.cfg'
 #
 # See the grub info page for documentation on possible variables and
-# their associated values. 
+# their associated values.
 
 GRUB_DISTRIBUTOR="Gentoo"
 
-GRUB_DEFAULT=0
-GRUB_HIDDEN_TIMEOUT=5
-GRUB_HIDDEN_TIMEOUT_QUIET=true
+# Default menu entry
+#GRUB_DEFAULT=0
+
+# Boot the default entry this many seconds after the menu is displayed
+#GRUB_HIDDEN_TIMEOUT=5
+#GRUB_HIDDEN_TIMEOUT_QUIET=true
+#GRUB_TIMEOUT=5
 GRUB_TIMEOUT=10
+#GRUB_TIMEOUT_STYLE=menu
 
 # Append parameters to the linux kernel command line
-# GRUB_CMDLINE_LINUX=""
+#GRUB_CMDLINE_LINUX=""
+#
+# Examples:
+#
+# Boot with network interface renaming disabled
+# GRUB_CMDLINE_LINUX="net.ifnames=0"
+#
+# Boot with systemd instead of sysvinit (openrc)
+# GRUB_CMDLINE_LINUX="init=/usr/lib/systemd/systemd"
 
 # Append parameters to the linux kernel command line for non-recovery entries
 #GRUB_CMDLINE_LINUX_DEFAULT=""
diff --git a/config-archive/etc/default/grub.1 b/config-archive/etc/default/grub.1
new file mode 100644 (file)
index 0000000..1ea8691
--- /dev/null
@@ -0,0 +1,47 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-2,v 1.4 2013/09/21 18:10:55 floppym Exp $
+#
+# To populate all changes in this file you need to regenerate your
+# grub configuration file afterwards:
+#     'grub2-mkconfig -o /boot/grub/grub.cfg'
+#
+# See the grub info page for documentation on possible variables and
+# their associated values. 
+
+GRUB_DISTRIBUTOR="Gentoo"
+
+GRUB_DEFAULT=0
+GRUB_HIDDEN_TIMEOUT=5
+GRUB_HIDDEN_TIMEOUT_QUIET=true
+GRUB_TIMEOUT=10
+
+# Append parameters to the linux kernel command line
+# GRUB_CMDLINE_LINUX=""
+
+# Append parameters to the linux kernel command line for non-recovery entries
+#GRUB_CMDLINE_LINUX_DEFAULT=""
+
+# Uncomment to disable graphical terminal (grub-pc only)
+#GRUB_TERMINAL=console
+
+# The resolution used on graphical terminal.
+# Note that you can use only modes which your graphic card supports via VBE.
+# You can see them in real GRUB with the command `vbeinfo'.
+#GRUB_GFXMODE=640x480
+GRUB_GFXMODE=800x600
+
+# Path to theme spec txt file.
+# The starfield is by default provided with use truetype.
+# NOTE: when enabling custom theme, ensure you have required font/etc.
+#GRUB_THEME="/boot/grub/themes/starfield/theme.txt"
+
+# Background image used on graphical terminal.
+# Can be in various bitmap formats.
+#GRUB_BACKGROUND="/boot/grub/mybackground.png"
+
+# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to kernel
+GRUB_DISABLE_LINUX_UUID=true
+
+# Uncomment to disable generation of recovery mode menu entries
+#GRUB_DISABLE_RECOVERY=true
index 8f0549d1c27e6367522aa5f4b9c38d199eec749f..f3f7e4764c95f4920de18221dab010a71868ee7a 100644 (file)
@@ -1,6 +1,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-3,v 1.3 2014/09/10 14:38:39 floppym Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-3,v 1.4 2014/10/16 04:04:02 floppym Exp $
 #
 # To populate all changes in this file you need to regenerate your
 # grub configuration file afterwards:
@@ -40,6 +40,13 @@ GRUB_DISTRIBUTOR="Gentoo"
 # You can see them in real GRUB with the command `vbeinfo'.
 #GRUB_GFXMODE=640x480
 
+# Set to 'text' to force the Linux kernel to boot in normal text
+# mode, 'keep' to preserve the graphics mode set using
+# 'GRUB_GFXMODE', 'WIDTHxHEIGHT'['xDEPTH'] to set a particular
+# graphics mode, or a sequence of these separated by commas or
+# semicolons to try several modes in sequence.
+#GRUB_GFXPAYLOAD_LINUX=
+
 # Path to theme spec txt file.
 # The starfield is by default provided with use truetype.
 # NOTE: when enabling custom theme, ensure you have required font/etc.
diff --git a/config-archive/etc/fail2ban/fail2ban.conf b/config-archive/etc/fail2ban/fail2ban.conf
new file mode 100644 (file)
index 0000000..f43afad
--- /dev/null
@@ -0,0 +1,50 @@
+# Fail2Ban main configuration file
+#
+# Comments: use '#' for comment lines and ';' (following a space) for inline comments
+#
+# Changes:  in most of the cases you should not modify this
+#           file, but provide customizations in fail2ban.local file, e.g.:
+#
+# [Definition]
+# loglevel = 4
+#
+
+[Definition]
+
+# Option: loglevel
+# Notes.: Set the log level output.
+#         1 = ERROR
+#         2 = WARN
+#         3 = INFO
+#         4 = DEBUG
+# Values: [ NUM ]  Default: 1
+#
+loglevel = 3
+
+# Option: logtarget
+# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
+#         Only one log target can be specified.
+#         If you change logtarget from the default value and you are
+#         using logrotate -- also adjust or disable rotation in the
+#         corresponding configuration file
+#         (e.g. /etc/logrotate.d/fail2ban on Debian systems)
+# Values: [ STDOUT | STDERR | SYSLOG | FILE ]  Default: STDERR
+#
+logtarget = /var/log/fail2ban.log
+
+# Option: socket
+# Notes.: Set the socket file. This is used to communicate with the daemon. Do
+#         not remove this file when Fail2ban runs. It will not be possible to
+#         communicate with the server afterwards.
+# Values: [ FILE ]  Default: /run/fail2ban/fail2ban.sock
+#
+socket = /run/fail2ban/fail2ban.sock
+
+# Option: pidfile
+# Notes.: Set the PID file. This is used to store the process ID of the
+#         fail2ban server.
+# Values: [ FILE ]  Default: /run/fail2ban/fail2ban.pid
+#
+pidfile = /run/fail2ban/fail2ban.pid
+
+# vim: filetype=dosini
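Review bot: `loglevel = 3` in `[Definition]` is a numeric level, while the `fail2ban.conf.dist` added next in this commit documents only named levels and sets `loglevel = INFO`. If this archived copy mirrors the live configuration, the value should be converted to a named level when the two files are merged, for example `loglevel = INFO`. Whether the installed fail2ban still accepts numbers is not visible here, but a daemon that rejects its configuration at start leaves the host without ban enforcement. The same merge should carry over `dbfile` and `dbpurgeage`, which this file does not define.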
diff --git a/config-archive/etc/fail2ban/fail2ban.conf.dist b/config-archive/etc/fail2ban/fail2ban.conf.dist
new file mode 100644 (file)
index 0000000..2ad9fe7
--- /dev/null
@@ -0,0 +1,63 @@
+# Fail2Ban main configuration file
+#
+# Comments: use '#' for comment lines and ';' (following a space) for inline comments
+#
+# Changes:  in most of the cases you should not modify this
+#           file, but provide customizations in fail2ban.local file, e.g.:
+#
+# [Definition]
+# loglevel = DEBUG
+#
+
+[Definition]
+
+# Option: loglevel
+# Notes.: Set the log level output.
+#         CRITICAL
+#         ERROR
+#         WARNING
+#         NOTICE
+#         INFO
+#         DEBUG
+# Values: [ LEVEL ]  Default: ERROR
+#
+loglevel = INFO
+
+# Option: logtarget
+# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
+#         Only one log target can be specified.
+#         If you change logtarget from the default value and you are
+#         using logrotate -- also adjust or disable rotation in the
+#         corresponding configuration file
+#         (e.g. /etc/logrotate.d/fail2ban on Debian systems)
+# Values: [ STDOUT | STDERR | SYSLOG | FILE ]  Default: STDERR
+#
+logtarget = /var/log/fail2ban.log
+
+# Option: socket
+# Notes.: Set the socket file. This is used to communicate with the daemon. Do
+#         not remove this file when Fail2ban runs. It will not be possible to
+#         communicate with the server afterwards.
+# Values: [ FILE ]  Default: /run/fail2ban/fail2ban.sock
+#
+socket = /run/fail2ban/fail2ban.sock
+
+# Option: pidfile
+# Notes.: Set the PID file. This is used to store the process ID of the
+#         fail2ban server.
+# Values: [ FILE ]  Default: /run/fail2ban/fail2ban.pid
+#
+pidfile = /run/fail2ban/fail2ban.pid
+
+# Options: dbfile
+# Notes.: Set the file for the fail2ban persistent data to be stored.
+#         A value of ":memory:" means database is only stored in memory 
+#         and data is lost when fail2ban is stopped.
+#         A value of "None" disables the database.
+# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
+dbfile = /var/lib/fail2ban/fail2ban.sqlite3
+
+# Options: dbpurgeage
+# Notes.: Sets age at which bans should be purged from the database
+# Values: [ SECONDS ] Default: 86400 (24hours)
+dbpurgeage = 86400
diff --git a/config-archive/etc/logrotate.d/fail2ban b/config-archive/etc/logrotate.d/fail2ban
new file mode 100644 (file)
index 0000000..cd29f90
--- /dev/null
@@ -0,0 +1,22 @@
+#
+# Gentoo:
+# http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/fail2ban/files/fail2ban-logrotate?view=markup
+#
+# Debian:
+# https://github.com/fail2ban/fail2ban/blob/debian/debian/fail2ban.logrotate
+#
+# Fedora view:
+#  http://pkgs.fedoraproject.org/cgit/fail2ban.git/tree/fail2ban-logrotate
+
+/var/log/fail2ban.log {
+    rotate 7
+    daily
+    size 1024K
+    maxage 1y
+    missingok
+    compress
+    delaycompress
+    postrotate
+      /usr/bin/fail2ban-client flushlogs  1>/dev/null || true
+    endscript
+}
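Review bot: `maxage 1y` is unlikely to behave as written, because logrotate's `maxage` takes a plain count of days and the `y` suffix should be rejected or misread; `maxage 365` expresses one year. Separately, `size 1024K` placed after `daily` makes rotation depend on size alone, as far as I know, so a quiet `/var/log/fail2ban.log` is not rotated daily and `rotate 7` no longer corresponds to seven days of ban history. If the intent is daily rotation, or sooner when the file grows large, `maxsize 1024K` in place of `size 1024K` keeps the schedule. Running `logrotate -d` against this file shows how the stanza is actually parsed before it is relied on for log retention.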
diff --git a/config-archive/etc/logrotate.d/fail2ban.dist.new b/config-archive/etc/logrotate.d/fail2ban.dist.new
new file mode 100644 (file)
index 0000000..a09870a
--- /dev/null
@@ -0,0 +1,18 @@
+#
+# Gentoo:
+# http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/fail2ban/files/fail2ban-logrotate?view=markup
+#
+# Debian:
+# https://github.com/fail2ban/fail2ban/blob/debian/debian/fail2ban.logrotate
+#
+# Fedora view:
+#  http://pkgs.fedoraproject.org/cgit/fail2ban.git/tree/fail2ban-logrotate
+
+/var/log/fail2ban.log {
+    rotate 7
+    missingok
+    compress
+    postrotate
+      /usr/bin/fail2ban-client flushlogs  1>/dev/null || true
+    endscript
+}
index b155ad201f6f90b0695d8c178b3e395a768e0ccb..2c7bd573804508e0d05619523ef2fb94b4d92cc4 100644 (file)
@@ -640,7 +640,7 @@ setgid_group = postdrop
 
 # html_directory: The location of the Postfix HTML documentation.
 #
-html_directory = /usr/share/doc/postfix-2.10.2/html
+html_directory = /usr/share/doc/postfix-2.10.3/html
 
 # manpage_directory: The location of the Postfix on-line manual pages.
 #
@@ -653,7 +653,7 @@ sample_directory = /etc/postfix
 
 # readme_directory: The location of the Postfix README files.
 #
-readme_directory = /usr/share/doc/postfix-2.10.2/readme
+readme_directory = /usr/share/doc/postfix-2.10.3/readme
 home_mailbox = .maildir/
 broken_sasl_auth_clients = yes
 
index b47d5a0749e2246469307ddb484f7932276db7a0..b155ad201f6f90b0695d8c178b3e395a768e0ccb 100644 (file)
@@ -640,7 +640,7 @@ setgid_group = postdrop
 
 # html_directory: The location of the Postfix HTML documentation.
 #
-html_directory = /usr/share/doc/postfix-2.10.1/html
+html_directory = /usr/share/doc/postfix-2.10.2/html
 
 # manpage_directory: The location of the Postfix on-line manual pages.
 #
@@ -653,7 +653,7 @@ sample_directory = /etc/postfix
 
 # readme_directory: The location of the Postfix README files.
 #
-readme_directory = /usr/share/doc/postfix-2.10.1/readme
+readme_directory = /usr/share/doc/postfix-2.10.2/readme
 home_mailbox = .maildir/
 broken_sasl_auth_clients = yes
 
index a3de299afae35b7fba4129194c7c90c177801899..b47d5a0749e2246469307ddb484f7932276db7a0 100644 (file)
@@ -640,7 +640,7 @@ setgid_group = postdrop
 
 # html_directory: The location of the Postfix HTML documentation.
 #
-html_directory = /usr/share/doc/postfix-2.10.0/html
+html_directory = /usr/share/doc/postfix-2.10.1/html
 
 # manpage_directory: The location of the Postfix on-line manual pages.
 #
@@ -653,7 +653,7 @@ sample_directory = /etc/postfix
 
 # readme_directory: The location of the Postfix README files.
 #
-readme_directory = /usr/share/doc/postfix-2.10.0/readme
+readme_directory = /usr/share/doc/postfix-2.10.1/readme
 home_mailbox = .maildir/
 broken_sasl_auth_clients = yes
 
index f0345ad0f4c867185c901e216ba2c7e5539a2cc1..a3de299afae35b7fba4129194c7c90c177801899 100644 (file)
@@ -640,7 +640,7 @@ setgid_group = postdrop
 
 # html_directory: The location of the Postfix HTML documentation.
 #
-html_directory = /usr/share/doc/postfix-2.9.5/html
+html_directory = /usr/share/doc/postfix-2.10.0/html
 
 # manpage_directory: The location of the Postfix on-line manual pages.
 #
@@ -653,7 +653,7 @@ sample_directory = /etc/postfix
 
 # readme_directory: The location of the Postfix README files.
 #
-readme_directory = /usr/share/doc/postfix-2.9.5/readme
+readme_directory = /usr/share/doc/postfix-2.10.0/readme
 home_mailbox = .maildir/
 broken_sasl_auth_clients = yes
 
index d148c8577d181a2dfb798294795a91a30fa7444a..f0345ad0f4c867185c901e216ba2c7e5539a2cc1 100644 (file)
@@ -640,7 +640,7 @@ setgid_group = postdrop
 
 # html_directory: The location of the Postfix HTML documentation.
 #
-html_directory = /usr/share/doc/postfix-2.9.4/html
+html_directory = /usr/share/doc/postfix-2.9.5/html
 
 # manpage_directory: The location of the Postfix on-line manual pages.
 #
@@ -653,7 +653,7 @@ sample_directory = /etc/postfix
 
 # readme_directory: The location of the Postfix README files.
 #
-readme_directory = /usr/share/doc/postfix-2.9.4/readme
+readme_directory = /usr/share/doc/postfix-2.9.5/readme
 home_mailbox = .maildir/
 broken_sasl_auth_clients = yes
 
index fb2117d591ecd31ade0716afac4219eb04a1e4bc..d148c8577d181a2dfb798294795a91a30fa7444a 100644 (file)
@@ -640,7 +640,7 @@ setgid_group = postdrop
 
 # html_directory: The location of the Postfix HTML documentation.
 #
-html_directory = /usr/share/doc/postfix-2.9.3/html
+html_directory = /usr/share/doc/postfix-2.9.4/html
 
 # manpage_directory: The location of the Postfix on-line manual pages.
 #
@@ -653,7 +653,7 @@ sample_directory = /etc/postfix
 
 # readme_directory: The location of the Postfix README files.
 #
-readme_directory = /usr/share/doc/postfix-2.9.3/readme
+readme_directory = /usr/share/doc/postfix-2.9.4/readme
 home_mailbox = .maildir/
 broken_sasl_auth_clients = yes
 
index 95061cddc30c534ac390f1c5ea8692a1673eacc2..fb2117d591ecd31ade0716afac4219eb04a1e4bc 100644 (file)
@@ -39,7 +39,7 @@ command_directory = /usr/sbin
 # daemon programs (i.e. programs listed in the master.cf file). This
 # directory must be owned by root.
 #
-daemon_directory = /usr/lib64/postfix
+daemon_directory = /usr/libexec/postfix
 
 # The data_directory parameter specifies the location of Postfix-writable
 # data files (caches, random numbers). This directory must be owned
@@ -458,7 +458,12 @@ unknown_local_recipient_reject_code = 550
 # the main.cf file, otherwise the SMTP server will reject mail for    
 # non-UNIX accounts with "User unknown in local recipient table".
 #
-#mailbox_transport = lmtp:unix:/file/name
+# Cyrus IMAP over LMTP. Specify ``lmtpunix      cmd="lmtpd"
+# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf.
+#mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
+#
+# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and
+# subsequent line in master.cf.
 #mailbox_transport = cyrus
 
 # The fallback_transport specifies the optional transport in master.cf
@@ -635,7 +640,7 @@ setgid_group = postdrop
 
 # html_directory: The location of the Postfix HTML documentation.
 #
-html_directory = /usr/share/doc/postfix-2.8.9/html
+html_directory = /usr/share/doc/postfix-2.9.3/html
 
 # manpage_directory: The location of the Postfix on-line manual pages.
 #
@@ -648,7 +653,7 @@ sample_directory = /etc/postfix
 
 # readme_directory: The location of the Postfix README files.
 #
-readme_directory = /usr/share/doc/postfix-2.8.9/readme
+readme_directory = /usr/share/doc/postfix-2.9.3/readme
 home_mailbox = .maildir/
 broken_sasl_auth_clients = yes
 
index 2d4023571a7927d4b15900d9e6d7d3830835e10d..95061cddc30c534ac390f1c5ea8692a1673eacc2 100644 (file)
@@ -635,7 +635,7 @@ setgid_group = postdrop
 
 # html_directory: The location of the Postfix HTML documentation.
 #
-html_directory = /usr/share/doc/postfix-2.8.7/html
+html_directory = /usr/share/doc/postfix-2.8.9/html
 
 # manpage_directory: The location of the Postfix on-line manual pages.
 #
@@ -648,7 +648,7 @@ sample_directory = /etc/postfix
 
 # readme_directory: The location of the Postfix README files.
 #
-readme_directory = /usr/share/doc/postfix-2.8.7/readme
+readme_directory = /usr/share/doc/postfix-2.8.9/readme
 home_mailbox = .maildir/
 broken_sasl_auth_clients = yes
 
diff --git a/config-archive/etc/postfix/main.cf.8 b/config-archive/etc/postfix/main.cf.8
new file mode 100644 (file)
index 0000000..2d40235
--- /dev/null
@@ -0,0 +1,681 @@
+# Global Postfix configuration file. This file lists only a subset
+# of all parameters. For the syntax, and for a complete parameter
+# list, see the postconf(5) manual page (command: "man 5 postconf").
+#
+# For common configuration examples, see BASIC_CONFIGURATION_README
+# and STANDARD_CONFIGURATION_README. To find these documents, use
+# the command "postconf html_directory readme_directory", or go to
+# http://www.postfix.org/.
+#
+# For best results, change no more than 2-3 parameters at a time,
+# and test if Postfix still works after every change.
+
+# SOFT BOUNCE
+#
+# The soft_bounce parameter provides a limited safety net for
+# testing.  When soft_bounce is enabled, mail will remain queued that
+# would otherwise bounce. This parameter disables locally-generated
+# bounces, and prevents the SMTP server from rejecting mail permanently
+# (by changing 5xx replies into 4xx replies). However, soft_bounce
+# is no cure for address rewriting mistakes or mail routing mistakes.
+#
+#soft_bounce = no
+
+# LOCAL PATHNAME INFORMATION
+#
+# The queue_directory specifies the location of the Postfix queue.
+# This is also the root directory of Postfix daemons that run chrooted.
+# See the files in examples/chroot-setup for setting up Postfix chroot
+# environments on different UNIX systems.
+#
+queue_directory = /var/spool/postfix
+
+# The command_directory parameter specifies the location of all
+# postXXX commands.
+#
+command_directory = /usr/sbin
+
+# The daemon_directory parameter specifies the location of all Postfix
+# daemon programs (i.e. programs listed in the master.cf file). This
+# directory must be owned by root.
+#
+daemon_directory = /usr/lib64/postfix
+
+# The data_directory parameter specifies the location of Postfix-writable
+# data files (caches, random numbers). This directory must be owned
+# by the mail_owner account (see below).
+#
+data_directory = /var/lib/postfix
+
+# QUEUE AND PROCESS OWNERSHIP
+#
+# The mail_owner parameter specifies the owner of the Postfix queue
+# and of most Postfix daemon processes.  Specify the name of a user
+# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
+# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.  In
+# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
+# USER.
+#
+mail_owner = postfix
+
+# The default_privs parameter specifies the default rights used by
+# the local delivery agent for delivery to external file or command.
+# These rights are used in the absence of a recipient user context.
+# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
+#
+#default_privs = nobody
+
+# INTERNET HOST AND DOMAIN NAMES
+# 
+# The myhostname parameter specifies the internet hostname of this
+# mail system. The default is to use the fully-qualified domain name
+# from gethostname(). $myhostname is used as a default value for many
+# other configuration parameters.
+#
+#myhostname = host.domain.tld
+#myhostname = virtual.domain.tld
+
+# The mydomain parameter specifies the local internet domain name.
+# The default is to use $myhostname minus the first component.
+# $mydomain is used as a default value for many other configuration
+# parameters.
+#
+#mydomain = domain.tld
+
+# SENDING MAIL
+# 
+# The myorigin parameter specifies the domain that locally-posted
+# mail appears to come from. The default is to append $myhostname,
+# which is fine for small sites.  If you run a domain with multiple
+# machines, you should (1) change this to $mydomain and (2) set up
+# a domain-wide alias database that aliases each user to
+# user@that.users.mailhost.
+#
+# For the sake of consistency between sender and recipient addresses,
+# myorigin also specifies the default domain name that is appended
+# to recipient addresses that have no @domain part.
+#
+#myorigin = $myhostname
+#myorigin = $mydomain
+
+# RECEIVING MAIL
+
+# The inet_interfaces parameter specifies the network interface
+# addresses that this mail system receives mail on.  By default,
+# the software claims all active interfaces on the machine. The
+# parameter also controls delivery of mail to user@[ip.address].
+#
+# See also the proxy_interfaces parameter, for network addresses that
+# are forwarded to us via a proxy or network address translator.
+#
+# Note: you need to stop/start Postfix when this parameter changes.
+#
+#inet_interfaces = all
+#inet_interfaces = $myhostname
+#inet_interfaces = $myhostname, localhost
+
+# The proxy_interfaces parameter specifies the network interface
+# addresses that this mail system receives mail on by way of a
+# proxy or network address translation unit. This setting extends
+# the address list specified with the inet_interfaces parameter.
+#
+# You must specify your proxy/NAT addresses when your system is a
+# backup MX host for other domains, otherwise mail delivery loops
+# will happen when the primary MX host is down.
+#
+#proxy_interfaces =
+#proxy_interfaces = 1.2.3.4
+
+# The mydestination parameter specifies the list of domains that this
+# machine considers itself the final destination for.
+#
+# These domains are routed to the delivery agent specified with the
+# local_transport parameter setting. By default, that is the UNIX
+# compatible delivery agent that lookups all recipients in /etc/passwd
+# and /etc/aliases or their equivalent.
+#
+# The default is $myhostname + localhost.$mydomain.  On a mail domain
+# gateway, you should also include $mydomain.
+#
+# Do not specify the names of virtual domains - those domains are
+# specified elsewhere (see VIRTUAL_README).
+#
+# Do not specify the names of domains that this machine is backup MX
+# host for. Specify those names via the relay_domains settings for
+# the SMTP server, or use permit_mx_backup if you are lazy (see
+# STANDARD_CONFIGURATION_README).
+#
+# The local machine is always the final destination for mail addressed
+# to user@[the.net.work.address] of an interface that the mail system
+# receives mail on (see the inet_interfaces parameter).
+#
+# Specify a list of host or domain names, /file/name or type:table
+# patterns, separated by commas and/or whitespace. A /file/name
+# pattern is replaced by its contents; a type:table is matched when
+# a name matches a lookup key (the right-hand side is ignored).
+# Continue long lines by starting the next line with whitespace.
+#
+# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
+#
+#mydestination = $myhostname, localhost.$mydomain, localhost
+#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
+#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
+#      mail.$mydomain, www.$mydomain, ftp.$mydomain
+
+# REJECTING MAIL FOR UNKNOWN LOCAL USERS
+#
+# The local_recipient_maps parameter specifies optional lookup tables
+# with all names or addresses of users that are local with respect
+# to $mydestination, $inet_interfaces or $proxy_interfaces.
+#
+# If this parameter is defined, then the SMTP server will reject
+# mail for unknown local users. This parameter is defined by default.
+#
+# To turn off local recipient checking in the SMTP server, specify
+# local_recipient_maps = (i.e. empty).
+#
+# The default setting assumes that you use the default Postfix local
+# delivery agent for local delivery. You need to update the
+# local_recipient_maps setting if:
+#
+# - You define $mydestination domain recipients in files other than
+#   /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
+#   For example, you define $mydestination domain recipients in    
+#   the $virtual_mailbox_maps files.
+#
+# - You redefine the local delivery agent in master.cf.
+#
+# - You redefine the "local_transport" setting in main.cf.
+#
+# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
+#   feature of the Postfix local delivery agent (see local(8)).
+#
+# Details are described in the LOCAL_RECIPIENT_README file.
+#
+# Beware: if the Postfix SMTP server runs chrooted, you probably have
+# to access the passwd file via the proxymap service, in order to
+# overcome chroot restrictions. The alternative, having a copy of
+# the system passwd file in the chroot jail is just not practical.
+#
+# The right-hand side of the lookup tables is conveniently ignored.
+# In the left-hand side, specify a bare username, an @domain.tld
+# wild-card, or specify a user@domain.tld address.
+# 
+#local_recipient_maps = unix:passwd.byname $alias_maps
+#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
+#local_recipient_maps =
+
+# The unknown_local_recipient_reject_code specifies the SMTP server
+# response code when a recipient domain matches $mydestination or
+# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty
+# and the recipient address or address local-part is not found.
+#
+# The default setting is 550 (reject mail) but it is safer to start
+# with 450 (try again later) until you are certain that your
+# local_recipient_maps settings are OK.
+#
+unknown_local_recipient_reject_code = 550
+
+# TRUST AND RELAY CONTROL
+
+# The mynetworks parameter specifies the list of "trusted" SMTP
+# clients that have more privileges than "strangers".
+#
+# In particular, "trusted" SMTP clients are allowed to relay mail
+# through Postfix.  See the smtpd_recipient_restrictions parameter
+# in postconf(5).
+#
+# You can specify the list of "trusted" network addresses by hand
+# or you can let Postfix do it for you (which is the default).
+#
+# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
+# clients in the same IP subnetworks as the local machine.
+# On Linux, this does works correctly only with interfaces specified
+# with the "ifconfig" command.
+# 
+# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
+# clients in the same IP class A/B/C networks as the local machine.
+# Don't do this with a dialup site - it would cause Postfix to "trust"
+# your entire provider's network.  Instead, specify an explicit
+# mynetworks list by hand, as described below.
+#  
+# Specify "mynetworks_style = host" when Postfix should "trust"
+# only the local machine.
+# 
+#mynetworks_style = class
+#mynetworks_style = subnet
+#mynetworks_style = host
+
+# Alternatively, you can specify the mynetworks list by hand, in
+# which case Postfix ignores the mynetworks_style setting.
+#
+# Specify an explicit list of network/netmask patterns, where the
+# mask specifies the number of bits in the network part of a host
+# address.
+#
+# You can also specify the absolute pathname of a pattern file instead
+# of listing the patterns here. Specify type:table for table-based lookups
+# (the value on the table right-hand side is not used).
+#
+#mynetworks = 168.100.189.0/28, 127.0.0.0/8
+#mynetworks = $config_directory/mynetworks
+#mynetworks = hash:/etc/postfix/network_table
+
+# The relay_domains parameter restricts what destinations this system will
+# relay mail to.  See the smtpd_recipient_restrictions description in
+# postconf(5) for detailed information.
+#
+# By default, Postfix relays mail
+# - from "trusted" clients (IP address matches $mynetworks) to any destination,
+# - from "untrusted" clients to destinations that match $relay_domains or
+#   subdomains thereof, except addresses with sender-specified routing.
+# The default relay_domains value is $mydestination.
+# 
+# In addition to the above, the Postfix SMTP server by default accepts mail
+# that Postfix is final destination for:
+# - destinations that match $inet_interfaces or $proxy_interfaces,
+# - destinations that match $mydestination
+# - destinations that match $virtual_alias_domains,
+# - destinations that match $virtual_mailbox_domains.
+# These destinations do not need to be listed in $relay_domains.
+# 
+# Specify a list of hosts or domains, /file/name patterns or type:name
+# lookup tables, separated by commas and/or whitespace.  Continue
+# long lines by starting the next line with whitespace. A file name
+# is replaced by its contents; a type:name table is matched when a
+# (parent) domain appears as lookup key.
+#
+# NOTE: Postfix will not automatically forward mail for domains that
+# list this system as their primary or backup MX host. See the
+# permit_mx_backup restriction description in postconf(5).
+#
+#relay_domains = $mydestination
+
+# INTERNET OR INTRANET
+
+# The relayhost parameter specifies the default host to send mail to
+# when no entry is matched in the optional transport(5) table. When
+# no relayhost is given, mail is routed directly to the destination.
+#
+# On an intranet, specify the organizational domain name. If your
+# internal DNS uses no MX records, specify the name of the intranet
+# gateway host instead.
+#
+# In the case of SMTP, specify a domain, host, host:port, [host]:port,
+# [address] or [address]:port; the form [host] turns off MX lookups.
+#
+# If you're connected via UUCP, see also the default_transport parameter.
+#
+#relayhost = $mydomain
+#relayhost = [gateway.my.domain]
+#relayhost = [mailserver.isp.tld]
+#relayhost = uucphost
+#relayhost = [an.ip.add.ress]
+
+# REJECTING UNKNOWN RELAY USERS
+#
+# The relay_recipient_maps parameter specifies optional lookup tables
+# with all addresses in the domains that match $relay_domains.
+#
+# If this parameter is defined, then the SMTP server will reject
+# mail for unknown relay users. This feature is off by default.
+#
+# The right-hand side of the lookup tables is conveniently ignored.
+# In the left-hand side, specify an @domain.tld wild-card, or specify
+# a user@domain.tld address.
+# 
+#relay_recipient_maps = hash:/etc/postfix/relay_recipients
+
+# INPUT RATE CONTROL
+#
+# The in_flow_delay configuration parameter implements mail input
+# flow control. This feature is turned on by default, although it
+# still needs further development (it's disabled on SCO UNIX due
+# to an SCO bug).
+# 
+# A Postfix process will pause for $in_flow_delay seconds before
+# accepting a new message, when the message arrival rate exceeds the
+# message delivery rate. With the default 100 SMTP server process
+# limit, this limits the mail inflow to 100 messages a second more
+# than the number of messages delivered per second.
+# 
+# Specify 0 to disable the feature. Valid delays are 0..10.
+# 
+#in_flow_delay = 1s
+
+# ADDRESS REWRITING
+#
+# The ADDRESS_REWRITING_README document gives information about
+# address masquerading or other forms of address rewriting including
+# username->Firstname.Lastname mapping.
+
+# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
+#
+# The VIRTUAL_README document gives information about the many forms
+# of domain hosting that Postfix supports.
+
+# "USER HAS MOVED" BOUNCE MESSAGES
+#
+# See the discussion in the ADDRESS_REWRITING_README document.
+
+# TRANSPORT MAP
+#
+# See the discussion in the ADDRESS_REWRITING_README document.
+
+# ALIAS DATABASE
+#
+# The alias_maps parameter specifies the list of alias databases used
+# by the local delivery agent. The default list is system dependent.
+#
+# On systems with NIS, the default is to search the local alias
+# database, then the NIS alias database. See aliases(5) for syntax
+# details.
+# 
+# If you change the alias database, run "postalias /etc/aliases" (or
+# wherever your system stores the mail alias file), or simply run
+# "newaliases" to build the necessary DBM or DB file.
+#
+# It will take a minute or so before changes become visible.  Use
+# "postfix reload" to eliminate the delay.
+#
+#alias_maps = dbm:/etc/aliases
+#alias_maps = hash:/etc/aliases
+#alias_maps = hash:/etc/aliases, nis:mail.aliases
+#alias_maps = netinfo:/aliases
+
+# The alias_database parameter specifies the alias database(s) that
+# are built with "newaliases" or "sendmail -bi".  This is a separate
+# configuration parameter, because alias_maps (see above) may specify
+# tables that are not necessarily all under control by Postfix.
+#
+#alias_database = dbm:/etc/aliases
+#alias_database = dbm:/etc/mail/aliases
+#alias_database = hash:/etc/aliases
+#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
+
+# ADDRESS EXTENSIONS (e.g., user+foo)
+#
+# The recipient_delimiter parameter specifies the separator between
+# user names and address extensions (user+foo). See canonical(5),
+# local(8), relocated(5) and virtual(5) for the effects this has on
+# aliases, canonical, virtual, relocated and .forward file lookups.
+# Basically, the software tries user+foo and .forward+foo before
+# trying user and .forward.
+#
+#recipient_delimiter = +
+
+# DELIVERY TO MAILBOX
+#
+# The home_mailbox parameter specifies the optional pathname of a
+# mailbox file relative to a user's home directory. The default
+# mailbox file is /var/spool/mail/user or /var/mail/user.  Specify
+# "Maildir/" for qmail-style delivery (the / is required).
+#
+#home_mailbox = Mailbox
+#home_mailbox = Maildir/
+# The mail_spool_directory parameter specifies the directory where
+# UNIX-style mailboxes are kept. The default setting depends on the
+# system type.
+#
+#mail_spool_directory = /var/mail
+#mail_spool_directory = /var/spool/mail
+
+# The mailbox_command parameter specifies the optional external
+# command to use instead of mailbox delivery. The command is run as
+# the recipient with proper HOME, SHELL and LOGNAME environment settings.
+# Exception:  delivery for root is done as $default_user.
+#
+# Other environment variables of interest: USER (recipient username),
+# EXTENSION (address extension), DOMAIN (domain part of address),
+# and LOCAL (the address localpart).
+#
+# Unlike other Postfix configuration parameters, the mailbox_command
+# parameter is not subjected to $parameter substitutions. This is to
+# make it easier to specify shell syntax (see example below).
+#
+# Avoid shell meta characters because they will force Postfix to run
+# an expensive shell process. Procmail alone is expensive enough.
+#
+# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
+# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
+#
+#mailbox_command = /some/where/procmail
+#mailbox_command = /some/where/procmail -a "$EXTENSION"
+
+# The mailbox_transport specifies the optional transport in master.cf
+# to use after processing aliases and .forward files. This parameter
+# has precedence over the mailbox_command, fallback_transport and
+# luser_relay parameters.
+#
+# Specify a string of the form transport:nexthop, where transport is
+# the name of a mail delivery transport defined in master.cf.  The
+# :nexthop part is optional. For more details see the sample transport
+# configuration file.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must update the "local_recipient_maps" setting in
+# the main.cf file, otherwise the SMTP server will reject mail for    
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+#mailbox_transport = lmtp:unix:/file/name
+#mailbox_transport = cyrus
+
+# The fallback_transport specifies the optional transport in master.cf
+# to use for recipients that are not found in the UNIX passwd database.
+# This parameter has precedence over the luser_relay parameter.
+#
+# Specify a string of the form transport:nexthop, where transport is
+# the name of a mail delivery transport defined in master.cf.  The
+# :nexthop part is optional. For more details see the sample transport
+# configuration file.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must update the "local_recipient_maps" setting in
+# the main.cf file, otherwise the SMTP server will reject mail for    
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+#fallback_transport = lmtp:unix:/file/name
+#fallback_transport = cyrus
+#fallback_transport =
+
+# The luser_relay parameter specifies an optional destination address
+# for unknown recipients.  By default, mail for unknown@$mydestination,
+# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
+# as undeliverable.
+#
+# The following expansions are done on luser_relay: $user (recipient
+# username), $shell (recipient shell), $home (recipient home directory),
+# $recipient (full recipient address), $extension (recipient address
+# extension), $domain (recipient domain), $local (entire recipient
+# localpart), $recipient_delimiter. Specify ${name?value} or
+# ${name:value} to expand value only when $name does (does not) exist.
+#
+# luser_relay works only for the default Postfix local delivery agent.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must specify "local_recipient_maps =" (i.e. empty) in
+# the main.cf file, otherwise the SMTP server will reject mail for    
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+#luser_relay = $user@other.host
+#luser_relay = $local@other.host
+#luser_relay = admin+$local
+  
+# JUNK MAIL CONTROLS
+# 
+# The controls listed here are only a very small subset. The file
+# SMTPD_ACCESS_README provides an overview.
+
+# The header_checks parameter specifies an optional table with patterns
+# that each logical message header is matched against, including
+# headers that span multiple physical lines.
+#
+# By default, these patterns also apply to MIME headers and to the
+# headers of attached messages. With older Postfix versions, MIME and
+# attached message headers were treated as body text.
+#
+# For details, see "man header_checks".
+#
+#header_checks = regexp:/etc/postfix/header_checks
+
+# FAST ETRN SERVICE
+#
+# Postfix maintains per-destination logfiles with information about
+# deferred mail, so that mail can be flushed quickly with the SMTP
+# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
+# See the ETRN_README document for a detailed description.
+# 
+# The fast_flush_domains parameter controls what destinations are
+# eligible for this service. By default, they are all domains that
+# this server is willing to relay mail to.
+# 
+#fast_flush_domains = $relay_domains
+
+# SHOW SOFTWARE VERSION OR NOT
+#
+# The smtpd_banner parameter specifies the text that follows the 220
+# code in the SMTP server's greeting banner. Some people like to see
+# the mail version advertised. By default, Postfix shows no version.
+#
+# You MUST specify $myhostname at the start of the text. That is an
+# RFC requirement. Postfix itself does not care.
+#
+#smtpd_banner = $myhostname ESMTP $mail_name
+#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
+
+# PARALLEL DELIVERY TO THE SAME DESTINATION
+#
+# How many parallel deliveries to the same user or domain? With local
+# delivery, it does not make sense to do massively parallel delivery
+# to the same user, because mailbox updates must happen sequentially,
+# and expensive pipelines in .forward files can cause disasters when
+# too many are run at the same time. With SMTP deliveries, 10
+# simultaneous connections to the same domain could be sufficient to
+# raise eyebrows.
+# 
+# Each message delivery transport has its XXX_destination_concurrency_limit
+# parameter.  The default is $default_destination_concurrency_limit for
+# most delivery transports. For the local delivery agent the default is 2.
+
+#local_destination_concurrency_limit = 2
+#default_destination_concurrency_limit = 20
+
+# DEBUGGING CONTROL
+#
+# The debug_peer_level parameter specifies the increment in verbose
+# logging level when an SMTP client or server host name or address
+# matches a pattern in the debug_peer_list parameter.
+#
+debug_peer_level = 2
+
+# The debug_peer_list parameter specifies an optional list of domain
+# or network patterns, /file/name patterns or type:name tables. When
+# an SMTP client or server host name or address matches a pattern,
+# increase the verbose logging level by the amount specified in the
+# debug_peer_level parameter.
+#
+#debug_peer_list = 127.0.0.1
+#debug_peer_list = some.domain
+
+# The debugger_command specifies the external command that is executed
+# when a Postfix daemon program is run with the -D option.
+#
+# Use "command .. & sleep 5" so that the debugger can attach before
+# the process marches on. If you use an X-based debugger, be sure to
+# set up your XAUTHORITY environment variable before starting Postfix.
+#
+debugger_command =
+        PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
+        ddd $daemon_directory/$process_name $process_id & sleep 5
+
+# If you can't use X, use this to capture the call stack when a
+# daemon crashes. The result is in a file in the configuration
+# directory, and is named after the process name and the process ID.
+#
+# debugger_command =
+#      PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
+#      echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
+#      >$config_directory/$process_name.$process_id.log & sleep 5
+#
+# Another possibility is to run gdb under a detached screen session.
+# To attach to the screen sesssion, su root and run "screen -r
+# <id_string>" where <id_string> uniquely matches one of the detached
+# sessions (from "screen -list").
+#
+# debugger_command =
+#      PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
+#      -dmS $process_name gdb $daemon_directory/$process_name
+#      $process_id & sleep 1
+
+# INSTALL-TIME CONFIGURATION INFORMATION
+#
+# The following parameters are used when installing a new Postfix version.
+# 
+# sendmail_path: The full pathname of the Postfix sendmail command.
+# This is the Sendmail-compatible mail posting interface.
+# 
+sendmail_path = /usr/sbin/sendmail
+
+# newaliases_path: The full pathname of the Postfix newaliases command.
+# This is the Sendmail-compatible command to build alias databases.
+#
+newaliases_path = /usr/bin/newaliases
+
+# mailq_path: The full pathname of the Postfix mailq command.  This
+# is the Sendmail-compatible mail queue listing command.
+# 
+mailq_path = /usr/bin/mailq
+
+# setgid_group: The group for mail submission and queue management
+# commands.  This must be a group name with a numerical group ID that
+# is not shared with other accounts, not even with the Postfix account.
+#
+setgid_group = postdrop
+
+# html_directory: The location of the Postfix HTML documentation.
+#
+html_directory = /usr/share/doc/postfix-2.8.7/html
+
+# manpage_directory: The location of the Postfix on-line manual pages.
+#
+manpage_directory = /usr/share/man
+
+# sample_directory: The location of the Postfix sample configuration files.
+# This parameter is obsolete as of Postfix 2.1.
+#
+sample_directory = /etc/postfix
+
+# readme_directory: The location of the Postfix README files.
+#
+readme_directory = /usr/share/doc/postfix-2.8.7/readme
+home_mailbox = .maildir/
+broken_sasl_auth_clients = yes
+
+inet_protocols = all
+
+mydomain = uhu-banane.de
+
+# default: mynetworks = 127.0.0.0/8 46.16.73.175/32 [::1]/128 [fe80::%eth0]/64
+mynetworks = 127.0.0.0/8 46.16.73.175/32 [::1]/128
+
+myorigin = $mydomain
+recipient_delimiter = +
+relayhost = [mail.brehm-online.com]
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth
+smtp_sasl_security_options = noanonymous
+smtp_tls_cert_file = /etc/postfix/postfix.pem
+smtp_tls_enforce_peername = no
+smtp_tls_key_file = /etc/postfix/postfix.pem
+smtp_use_tls = yes
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_local_domain = $myhostname
+smtpd_sasl_security_options = noanonymous
+smtpd_tls_cert_file = /etc/postfix/postfix.pem
+smtpd_tls_key_file = /etc/postfix/postfix.pem
+smtpd_tls_loglevel = 1
+smtpd_tls_received_header = yes
+smtpd_tls_session_cache_timeout = 3600s
+smtpd_use_tls = yes
+tls_random_source = dev:/dev/urandom
index f08724a0c3431dad3393fdaad8b20b61f608cc54..85273d811c2f554314673224351c20781174ac0f 100644 (file)
@@ -5,7 +5,7 @@
 # For common configuration examples, see BASIC_CONFIGURATION_README
 # and STANDARD_CONFIGURATION_README. To find these documents, use
 # the command "postconf html_directory readme_directory", or go to
-# http://www.postfix.org/.
+# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc.
 #
 # For best results, change no more than 2-3 parameters at a time,
 # and test if Postfix still works after every change.
@@ -640,7 +640,7 @@ setgid_group = postdrop
 
 # html_directory: The location of the Postfix HTML documentation.
 #
-html_directory = /usr/share/doc/postfix-2.10.3/html
+html_directory = /usr/share/doc/postfix-2.11.3/html
 
 # manpage_directory: The location of the Postfix on-line manual pages.
 #
@@ -653,5 +653,5 @@ sample_directory = /etc/postfix
 
 # readme_directory: The location of the Postfix README files.
 #
-readme_directory = /usr/share/doc/postfix-2.10.3/readme
+readme_directory = /usr/share/doc/postfix-2.11.3/readme
 home_mailbox = .maildir/
index 6401926782cd0817fc7940776c0cf1826fbceec9..c7c3f62a74ac9eaf92588253fb8283a35cf99ea7 100644 (file)
@@ -24,6 +24,7 @@
 #HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
 
 # "key type names" for X.509 certificates with RSA key
 # Note first defined is used in signature operations!
@@ -153,8 +154,8 @@ PasswordAuthentication no
 #GSSAPICleanupCredentials yes
 #GSSAPIStrictAcceptorCheck yes
 
-# Set this to 'yes' to enable PAM authentication, account processing, 
-# and session processing. If this is enabled, PAM authentication will 
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via ChallengeResponseAuthentication may bypass
@@ -170,6 +171,7 @@ UsePAM yes
 #X11Forwarding no
 #X11DisplayOffset 10
 #X11UseLocalhost yes
+#PermitTTY yes
 PrintMotd no
 PrintLastLog no
 #TCPKeepAlive yes
@@ -213,6 +215,7 @@ Subsystem   sftp    /usr/lib64/misc/sftp-server
 #Match User anoncvs
 #      X11Forwarding no
 #      AllowTcpForwarding no
+#      PermitTTY no
 #      ForceCommand cvs server
 
 # Allow client to pass locale environment variables #367017
index e8168d6cc6ceeefdf3a430dc0f35632c5bc56b35..6401926782cd0817fc7940776c0cf1826fbceec9 100644 (file)
@@ -27,8 +27,8 @@
 
 # "key type names" for X.509 certificates with RSA key
 # Note first defined is used in signature operations!
-#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
 #X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
+#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
 
 # "key type names" for X.509 certificates with DSA key
 # Note first defined is used in signature operations!
@@ -95,6 +95,9 @@
 #KeyRegenerationInterval 1h
 #ServerKeyBits 1024
 
+# Ciphers and keying
+#RekeyLimit default none
+
 # Logging
 # obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
@@ -116,6 +119,11 @@ PermitRootLogin yes
 # but this is overridden so installations will only check .ssh/authorized_keys
 #AuthorizedKeysFile    .ssh/authorized_keys
 
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no
 # similar for protocol version 2
@@ -166,16 +174,17 @@ PrintMotd no
 PrintLastLog no
 #TCPKeepAlive yes
 #UseLogin no
-#UsePrivilegeSeparation yes
+UsePrivilegeSeparation sandbox         # Default for new installations.
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
 #UseDNS yes
 #PidFile /var/run/sshd.pid
-#MaxStartups 10
+#MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
+#VersionAddendum none
 
 # no default banner path
 #Banner none
@@ -190,18 +199,21 @@ Subsystem sftp    /usr/lib64/misc/sftp-server
 # tcp receive buffer polling. disable in non autotuning kernels
 #TcpRcvBufPoll yes
  
-# allow the use of the none cipher
-#NoneEnabled no
-
-# disable hpn performance boosts. 
+# disable hpn performance boosts
 #HPNDisabled no
 
 # buffer size for hpn to non-hpn connections
 #HPNBufferSize 2048
 
 
+# allow the use of the none cipher
+#NoneEnabled no
+
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #      X11Forwarding no
 #      AllowTcpForwarding no
 #      ForceCommand cvs server
+
+# Allow client to pass locale environment variables #367017
+AcceptEnv LANG LC_*
index e686e9febdb47e014e1638e2232687b62a8db9d9..e8168d6cc6ceeefdf3a430dc0f35632c5bc56b35 100644 (file)
@@ -7,7 +7,7 @@
 
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options change a
+# possible, but leave them commented.  Uncommented options override the
 # default value.
 
 #Port 22
 # Authentication:
 
 #LoginGraceTime 2m
-#PermitRootLogin yes
-PermitRootLogin no
+PermitRootLogin yes
+#PermitRootLogin no
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10
 
 #RSAAuthentication yes
 #PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
 #AuthorizedKeysFile    .ssh/authorized_keys
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
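Review bot: `PermitRootLogin yes` replaces `PermitRootLogin no` in the Authentication block, so root can log in directly with any method the server accepts. The next hunk header shows `PasswordAuthentication no`, so this is presumably meant for key-based root access only. `PermitRootLogin without-password` would state that restriction in the option itself and keep it in force if password authentication is re-enabled later. This hunk's `@@` header is missing from the page, so the surrounding lines are only partly visible.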
@@ -140,6 +143,7 @@ PasswordAuthentication no
 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
 
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 
@@ -176,6 +180,9 @@ PrintLastLog no
 # no default banner path
 #Banner none
 
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
 # override default of no subsystems
 Subsystem      sftp    /usr/lib64/misc/sftp-server
 
index ca729797f0c4f211f74551bd277a81c081dfe6ac..e686e9febdb47e014e1638e2232687b62a8db9d9 100644 (file)
@@ -1,4 +1,4 @@
-#      $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $
+#      $OpenBSD$
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
 #HostKey /etc/ssh/ssh_host_dsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
 
+# "key type names" for X.509 certificates with RSA key
+# Note first defined is used in signature operations!
+#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
+#X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
+
+# "key type names" for X.509 certificates with DSA key
+# Note first defined is used in signature operations!
+#X509KeyAlgorithm x509v3-sign-dss,dss-asn1
+#X509KeyAlgorithm x509v3-sign-dss,dss-raw
+
+# The intended use for the X509 client certificate. Without this option
+# no chain verification will be done. Currently accepted uses are case
+# insensitive:
+#  - "sslclient", "SSL client", "SSL_client" or "client"
+#  - "any", "Any Purpose", "Any_Purpose" or "AnyPurpose"
+#  - "skip" or ""(empty): don`t check purpose.
+#AllowedCertPurpose sslclient
+
+# Specifies whether self-issued(self-signed) X.509 certificate can be
+# allowed only by entry in AutorizedKeysFile that contain matching
+# public key or certificate blob.
+#KeyAllowSelfIssued no
+
+# Specifies whether CRL must present in store for all certificates in
+# certificate chain with atribute "cRLDistributionPoints"
+#MandatoryCRL no
+
+# A file with multiple certificates of certificate signers
+# in PEM format concatenated together.
+#CACertificateFile /etc/ssh/ca/ca-bundle.crt
+
+# A directory with certificates of certificate signers.
+# The certificates should have name of the form: [HASH].[NUMBER]
+# or have symbolic links to them of this form.
+#CACertificatePath /etc/ssh/ca/crt
+
+# A file with multiple CRL of certificate signers
+# in PEM format concatenated together.
+#CARevocationFile /etc/ssh/ca/ca-bundle.crl
+
+# A directory with CRL of certificate signers. 
+# The CRL should have name of the form: [HASH].r[NUMBER]
+# or have symbolic links to them of this form.
+#CARevocationPath /etc/ssh/ca/crl
+
+# LDAP protocol version.
+# Example:
+# CAldapVersion 2
+
+# Note because of OpenSSH options parser limitation
+# use %3D instead of = !
+# LDAP initialization may require URL to be escaped, i.e.
+# use %2C instead of ,(comma). Escaped URL don't depend from
+# LDAP initialization method.
+# Example:
+# CAldapURL ldap://localhost:389/dc%3Dexample%2Cdc%3Dcom
+
+# SSH can use "Online Certificate Status Protocol"(OCSP)
+# to validate certificate. Set VAType to
+#  - none    : do not use OCSP to validate certificates;
+#  - ocspcert: validate only certificates that specify `OCSP
+#      Service Locator' URL;
+#  - ocspspec: use specified in the configuration 'OCSP Responder'
+#      to validate all certificates.
+#VAType none
+
 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 1h
 #ServerKeyBits 1024
diff --git a/config-archive/etc/ssh/sshd_config.4 b/config-archive/etc/ssh/sshd_config.4
new file mode 100644 (file)
index 0000000..ca72979
--- /dev/null
@@ -0,0 +1,134 @@
+#      $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options change a
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin yes
+PermitRootLogin no
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+#AuthorizedKeysFile    .ssh/authorized_keys
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication no
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing, 
+# and session processing. If this is enabled, PAM authentication will 
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+PrintMotd no
+PrintLastLog no
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10
+#PermitTunnel no
+#ChrootDirectory none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem      sftp    /usr/lib64/misc/sftp-server
+
+# the following are HPN related configuration options
+# tcp receive buffer polling. disable in non autotuning kernels
+#TcpRcvBufPoll yes
+# allow the use of the none cipher
+#NoneEnabled no
+
+# disable hpn performance boosts. 
+#HPNDisabled no
+
+# buffer size for hpn to non-hpn connections
+#HPNBufferSize 2048
+
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#      X11Forwarding no
+#      AllowTcpForwarding no
+#      ForceCommand cvs server
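Review bot: `ChallengeResponseAuthentication` is left at its commented default (`yes`) while `PasswordAuthentication no` and `UsePAM yes` are both set, so depending on the PAM configuration a keyboard-interactive login can still accept a password. The file's own comment above `UsePAM yes` says to set both options to 'no' when only the PAM account and session checks are wanted. If key-only login is the intent, add `ChallengeResponseAuthentication no` next to `PasswordAuthentication no`.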
index c76351aa27284cec47b0db73ce6d7507ee293059..5683e16714643cfdd0205f3c24ae0d78dfaaba92 100644 (file)
@@ -1,4 +1,4 @@
-#      $OpenBSD$
+#      $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
 #HostKey /etc/ssh/ssh_host_ecdsa_key
 #HostKey /etc/ssh/ssh_host_ed25519_key
 
-# "key type names" for X.509 certificates with RSA key
-# Note first defined is used in signature operations!
-#X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1
-#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5
-
-# "key type names" for X.509 certificates with DSA key
-# Note first defined is used in signature operations!
-#X509KeyAlgorithm x509v3-sign-dss,dss-asn1
-#X509KeyAlgorithm x509v3-sign-dss,dss-raw
-
-# The intended use for the X509 client certificate. Without this option
-# no chain verification will be done. Currently accepted uses are case
-# insensitive:
-#  - "sslclient", "SSL client", "SSL_client" or "client"
-#  - "any", "Any Purpose", "Any_Purpose" or "AnyPurpose"
-#  - "skip" or ""(empty): don`t check purpose.
-#AllowedCertPurpose sslclient
-
-# Specifies whether self-issued(self-signed) X.509 certificate can be
-# allowed only by entry in AutorizedKeysFile that contain matching
-# public key or certificate blob.
-#KeyAllowSelfIssued no
-
-# Specifies whether CRL must present in store for all certificates in
-# certificate chain with atribute "cRLDistributionPoints"
-#MandatoryCRL no
-
-# A file with multiple certificates of certificate signers
-# in PEM format concatenated together.
-#CACertificateFile /etc/ssh/ca/ca-bundle.crt
-
-# A directory with certificates of certificate signers.
-# The certificates should have name of the form: [HASH].[NUMBER]
-# or have symbolic links to them of this form.
-#CACertificatePath /etc/ssh/ca/crt
-
-# A file with multiple CRL of certificate signers
-# in PEM format concatenated together.
-#CARevocationFile /etc/ssh/ca/ca-bundle.crl
-
-# A directory with CRL of certificate signers. 
-# The CRL should have name of the form: [HASH].r[NUMBER]
-# or have symbolic links to them of this form.
-#CARevocationPath /etc/ssh/ca/crl
-
-# LDAP protocol version.
-# Example:
-# CAldapVersion 2
-
-# Note because of OpenSSH options parser limitation
-# use %3D instead of = !
-# LDAP initialization may require URL to be escaped, i.e.
-# use %2C instead of ,(comma). Escaped URL don't depend from
-# LDAP initialization method.
-# Example:
-# CAldapURL ldap://localhost:389/dc%3Dexample%2Cdc%3Dcom
-
-# SSH can use "Online Certificate Status Protocol"(OCSP)
-# to validate certificate. Set VAType to
-#  - none    : do not use OCSP to validate certificates;
-#  - ocspcert: validate only certificates that specify `OCSP
-#      Service Locator' URL;
-#  - ocspspec: use specified in the configuration 'OCSP Responder'
-#      to validate all certificates.
-#VAType none
-
 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 1h
 #ServerKeyBits 1024
@@ -189,13 +123,29 @@ UsePrivilegeSeparation sandbox            # Default for new installations.
 # no default banner path
 #Banner none
 
+# here are the new patched ldap related tokens
+# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
+#UseLPK yes
+#LpkLdapConf /etc/ldap.conf
+#LpkServers  ldap://10.1.7.1/ ldap://10.1.7.2/
+#LpkUserDN   ou=users,dc=phear,dc=org
+#LpkGroupDN  ou=groups,dc=phear,dc=org
+#LpkBindDN cn=Manager,dc=phear,dc=org
+#LpkBindPw secret
+#LpkServerGroup mail
+#LpkFilter (hostAccess=master.phear.org)
+#LpkForceTLS no
+#LpkSearchTimelimit 3
+#LpkBindTimelimit 3
+#LpkPubKeyAttr sshPublicKey
+
 # override default of no subsystems
 Subsystem      sftp    /usr/lib64/misc/sftp-server
 
 # the following are HPN related configuration options
 # tcp receive buffer polling. disable in non autotuning kernels
 #TcpRcvBufPoll yes
+
 # disable hpn performance boosts
 #HPNDisabled no
 
diff --git a/cron.d/sysstat b/cron.d/sysstat
new file mode 100644 (file)
index 0000000..1edaa67
--- /dev/null
@@ -0,0 +1,6 @@
+# Run system activity accounting tool every 10 minutes
+*/10 * * * * root /usr/lib64/sa/sa1 1 1
+# 0 * * * * root /usr/lib64/sa/sa1 600 6 &
+# Generate a daily summary of process accounting at 23:53
+53 23 * * * root /usr/lib64/sa/sa2 -A
+
diff --git a/cron.daily/sysstat b/cron.daily/sysstat
deleted file mode 100755 (executable)
index 11211b5..0000000
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-# Generate a daily summary of process accounting.  Since this will probably
-# get kicked off in the morning, it would probably be better to run against
-# the previous days data.
-/usr/lib64/sa/sa2 -A &
index 16776f5927598806457420423afd23bd5a330a05..027df6051f23d8703e643bf80c3e5b55ce312e59 100644 (file)
@@ -1,6 +1,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-3,v 1.3 2014/09/10 14:38:39 floppym Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-3,v 1.4 2014/10/16 04:04:02 floppym Exp $
 #
 # To populate all changes in this file you need to regenerate your
 # grub configuration file afterwards:
@@ -44,6 +44,13 @@ GRUB_TIMEOUT=10
 #GRUB_GFXMODE=640x480
 GRUB_GFXMODE=800x600
 
+# Set to 'text' to force the Linux kernel to boot in normal text
+# mode, 'keep' to preserve the graphics mode set using
+# 'GRUB_GFXMODE', 'WIDTHxHEIGHT'['xDEPTH'] to set a particular
+# graphics mode, or a sequence of these separated by commas or
+# semicolons to try several modes in sequence.
+#GRUB_GFXPAYLOAD_LINUX=
+
 # Path to theme spec txt file.
 # The starfield is by default provided with use truetype.
 # NOTE: when enabling custom theme, ensure you have required font/etc.
index be2cdea0f8a0fad51c8550d9b6fed94d5f7e26f1..8e63813992bc75666c505ba303547430061fafa4 100644 (file)
@@ -1,4 +1,4 @@
-# /etc/eixrc/00-eirc
+# /etc/eixrc/00-eixrc
 #
 # All non-hidden files in /etc/eixrc
 # (or a subdirectory thereof) are read in alphabetical order.
diff --git a/fail2ban/action.d/apf.conf b/fail2ban/action.d/apf.conf
new file mode 100644 (file)
index 0000000..5c4a261
--- /dev/null
@@ -0,0 +1,25 @@
+# Fail2Ban configuration file
+# https://www.rfxn.com/projects/advanced-policy-firewall/
+#
+# Note: APF doesn't play nicely with other actions. It has been observed to
+# remove bans created by other iptables based actions. If you are going to use
+# this action, use it for all of your jails.
+#
+# DON'T MIX APF and other IPTABLES based actions
+[Definition]
+
+actionstart = 
+actionstop = 
+actioncheck = 
+actionban = apf --deny <ip> "banned by Fail2Ban <name>"
+actionunban = apf --remove <ip>
+
+[Init]
+
+# Name used in APF configuration
+#
+name = default
+
+# DEV NOTES:
+#
+# Author: Mark McKinstry
diff --git a/fail2ban/action.d/badips.conf b/fail2ban/action.d/badips.conf
new file mode 100644 (file)
index 0000000..4a5c0f9
--- /dev/null
@@ -0,0 +1,19 @@
+# Fail2ban reporting to badips.com
+#
+# Note: This reports and IP only and does not actually ban traffic. Use 
+# another action in the same jail if you want bans to occur.
+#
+# Set the category to the appropriate value before use.
+#
+# To get see register and optional key to get personalised graphs see:
+# http://www.badips.com/blog/personalized-statistics-track-the-attackers-of-all-your-servers-with-one-key
+
+[Definition]
+
+actionban = curl --fail  --user-agent "fail2ban v0.8.12" http://www.badips.com/add/<category>/<ip>
+
+[Init]
+
+# Option: category
+# Notes.: Values are from the list here: http://www.badips.com/get/categories
+category = 
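Review bot: `category =` is empty at the end of `[Init]`, so a jail that enables this action as shipped would build `http://www.badips.com/add//<ip>` in `actionban`. The category should be set in the jail's action parameters or a `.local` override before any jail references this action. The report is also sent over plain `http://`, so the reported address can be read or altered in transit; if the service accepts HTTPS, changing the scheme in `actionban` would be preferable.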
diff --git a/fail2ban/action.d/badips.py b/fail2ban/action.d/badips.py
new file mode 100644 (file)
index 0000000..250b1dc
--- /dev/null
@@ -0,0 +1,363 @@
+# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
+# vi: set ft=python sts=4 ts=4 sw=4 noet :
+
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+import sys
+if sys.version_info < (2, 7):
+       raise ImportError("badips.py action requires Python >= 2.7")
+import json
+from functools import partial
+import threading
+import logging
+if sys.version_info >= (3, ):
+       from urllib.request import Request, urlopen
+       from urllib.parse import urlencode
+       from urllib.error import HTTPError
+else:
+       from urllib2 import Request, urlopen, HTTPError
+       from urllib import urlencode
+
+from fail2ban.server.actions import ActionBase
+from fail2ban.version import version as f2bVersion
+
+class BadIPsAction(ActionBase):
+       """Fail2Ban action which reports bans to badips.com, and also
+       blacklist bad IPs listed on badips.com by using another action's
+       ban method.
+
+       Parameters
+       ----------
+       jail : Jail
+               The jail which the action belongs to.
+       name : str
+               Name assigned to the action.
+       category : str
+               Valid badips.com category for reporting failures.
+       score : int, optional
+               Minimum score for bad IPs. Default 3.
+       age : str, optional
+               Age of last report for bad IPs, per badips.com syntax.
+               Default "24h" (24 hours)
+       key : str, optional
+               Key issued by badips.com to report bans, for later retrieval
+               of personalised content.
+       banaction : str, optional
+               Name of banaction to use for blacklisting bad IPs. If `None`,
+               no blacklist of IPs will take place.
+               Default `None`.
+       bancategory : str, optional
+               Name of category to use for blacklisting, which can differ
+               from category used for reporting. e.g. may want to report
+               "postfix", but want to use whole "mail" category for blacklist.
+               Default `category`.
+       bankey : str, optional
+               Key issued by badips.com to blacklist IPs reported with the
+               associated key.
+       updateperiod : int, optional
+               Time in seconds between updating bad IPs blacklist.
+               Default 900 (15 minutes)
+
+       Raises
+       ------
+       ValueError
+               If invalid `category`, `score`, `banaction` or `updateperiod`.
+       """
+
+       _badips = "http://www.badips.com"
+       _Request = partial(
+               Request, headers={'User-Agent': "Fail2Ban %s" % f2bVersion})
+
+       def __init__(self, jail, name, category, score=3, age="24h", key=None,
+               banaction=None, bancategory=None, bankey=None, updateperiod=900):
+               super(BadIPsAction, self).__init__(jail, name)
+
+               self.category = category
+               self.score = score
+               self.age = age
+               self.key = key
+               self.banaction = banaction
+               self.bancategory = bancategory or category
+               self.bankey = bankey
+               self.updateperiod = updateperiod
+
+               self._bannedips = set()
+               # Used later for threading.Timer for updating badips
+               self._timer = None
+
+       def getCategories(self, incParents=False):
+               """Get badips.com categories.
+
+               Returns
+               -------
+               set
+                       Set of categories.
+
+               Raises
+               ------
+               HTTPError
+                       Any issues with badips.com request.
+               """
+               try:
+                       response = urlopen(
+                               self._Request("/".join([self._badips, "get", "categories"])))
+               except HTTPError as response:
+                       messages = json.loads(response.read().decode('utf-8'))
+                       self._logSys.error(
+                               "Failed to fetch categories. badips.com response: '%s'",
+                               messages['err'])
+                       raise
+               else:
+                       categories = json.loads(response.read().decode('utf-8'))['categories']
+                       categories_names = set(
+                               value['Name'] for value in categories)
+                       if incParents:
+                               categories_names.update(set(
+                                       value['Parent'] for value in categories
+                                       if "Parent" in value))
+                       return categories_names
+
+       def getList(self, category, score, age, key=None):
+               """Get badips.com list of bad IPs.
+
+               Parameters
+               ----------
+               category : str
+                       Valid badips.com category.
+               score : int
+                       Minimum score for bad IPs.
+               age : str
+                       Age of last report for bad IPs, per badips.com syntax.
+               key : str, optional
+                       Key issued by badips.com to fetch IPs reported with the
+                       associated key.
+
+               Returns
+               -------
+               set
+                       Set of bad IPs.
+
+               Raises
+               ------
+               HTTPError
+                       Any issues with badips.com request.
+               """
+               try:
+                       url = "?".join([
+                               "/".join([self._badips, "get", "list", category, str(score)]),
+                               urlencode({'age': age})])
+                       if key:
+                               url = "&".join([url, urlencode({'key': key})])
+                       response = urlopen(self._Request(url))
+               except HTTPError as response:
+                       messages = json.loads(response.read().decode('utf-8'))
+                       self._logSys.error(
+                               "Failed to fetch bad IP list. badips.com response: '%s'",
+                               messages['err'])
+                       raise
+               else:
+                       return set(response.read().decode('utf-8').split())
+
+       @property
+       def category(self):
+               """badips.com category for reporting IPs.
+               """
+               return self._category
+
+       @category.setter
+       def category(self, category):
+               if category not in self.getCategories():
+                       self._logSys.error("Category name '%s' not valid. "
+                               "see badips.com for list of valid categories",
+                               category)
+                       raise ValueError("Invalid category: %s" % category)
+               self._category = category
+
+       @property
+       def bancategory(self):
+               """badips.com bancategory for fetching IPs.
+               """
+               return self._bancategory
+
+       @bancategory.setter
+       def bancategory(self, bancategory):
+               if bancategory not in self.getCategories(incParents=True):
+                       self._logSys.error("Category name '%s' not valid. "
+                               "see badips.com for list of valid categories",
+                               bancategory)
+                       raise ValueError("Invalid bancategory: %s" % bancategory)
+               self._bancategory = bancategory
+
+       @property
+       def score(self):
+               """badips.com minimum score for fetching IPs.
+               """
+               return self._score
+
+       @score.setter
+       def score(self, score):
+               score = int(score)
+               if 0 <= score <= 5:
+                       self._score = score
+               else:
+                       raise ValueError("Score must be 0-5")
+
+       @property
+       def banaction(self):
+               """Jail action to use for banning/unbanning.
+               """
+               return self._banaction
+
+       @banaction.setter
+       def banaction(self, banaction):
+               if banaction is not None and banaction not in self._jail.actions:
+                       self._logSys.error("Action name '%s' not in jail '%s'",
+                               banaction, self._jail.name)
+                       raise ValueError("Invalid banaction")
+               self._banaction = banaction
+
+       @property
+       def updateperiod(self):
+               """Period in seconds between banned bad IPs will be updated.
+               """
+               return self._updateperiod
+
+       @updateperiod.setter
+       def updateperiod(self, updateperiod):
+               updateperiod = int(updateperiod)
+               if updateperiod > 0:
+                       self._updateperiod = updateperiod
+               else:
+                       raise ValueError("Update period must be integer greater than 0")
+
+       def _banIPs(self, ips):
+               for ip in ips:
+                       try:
+                               self._jail.actions[self.banaction].ban({
+                                       'ip': ip,
+                                       'failures': 0,
+                                       'matches': "",
+                                       'ipmatches': "",
+                                       'ipjailmatches': "",
+                               })
+                       except Exception as e:
+                               self._logSys.error(
+                                       "Error banning IP %s for jail '%s' with action '%s': %s",
+                                       ip, self._jail.name, self.banaction, e,
+                                       exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG)
+                       else:
+                               self._bannedips.add(ip)
+                               self._logSys.info(
+                                       "Banned IP %s for jail '%s' with action '%s'",
+                                       ip, self._jail.name, self.banaction)
+
+       def _unbanIPs(self, ips):
+               for ip in ips:
+                       try:
+                               self._jail.actions[self.banaction].unban({
+                                       'ip': ip,
+                                       'failures': 0,
+                                       'matches': "",
+                                       'ipmatches': "",
+                                       'ipjailmatches': "",
+                               })
+                       except Exception as e:
+                               self._logSys.info(
+                                       "Error unbanning IP %s for jail '%s' with action '%s': %s",
+                                       ip, self._jail.name, self.banaction, e,
+                                       exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG)
+                       else:
+                               self._logSys.info(
+                                       "Unbanned IP %s for jail '%s' with action '%s'",
+                                       ip, self._jail.name, self.banaction)
+                       finally:
+                               self._bannedips.remove(ip)
+
+       def start(self):
+               """If `banaction` set, blacklists bad IPs.
+               """
+               if self.banaction is not None:
+                       self.update()
+
+       def update(self):
+               """If `banaction` set, updates blacklisted IPs.
+
+               Queries badips.com for list of bad IPs, removing IPs from the
+               blacklist if no longer present, and adds new bad IPs to the
+               blacklist.
+               """
+               if self.banaction is not None:
+                       if self._timer:
+                               self._timer.cancel()
+                               self._timer = None
+
+                       try:
+                               ips = self.getList(
+                                       self.bancategory, self.score, self.age, self.bankey)
+                               # Remove old IPs no longer listed
+                               self._unbanIPs(self._bannedips - ips)
+                               # Add new IPs which are now listed
+                               self._banIPs(ips - self._bannedips)
+
+                               self._logSys.info(
+                                       "Updated IPs for jail '%s'. Update again in %i seconds",
+                                       self._jail.name, self.updateperiod)
+                       finally:
+                               self._timer = threading.Timer(self.updateperiod, self.update)
+                               self._timer.start()
+
+       def stop(self):
+               """If `banaction` set, clears blacklisted IPs.
+               """
+               if self.banaction is not None:
+                       if self._timer:
+                               self._timer.cancel()
+                               self._timer = None
+                       self._unbanIPs(self._bannedips.copy())
+
+       def ban(self, aInfo):
+               """Reports banned IP to badips.com.
+
+               Parameters
+               ----------
+               aInfo : dict
+                       Dictionary which includes information in relation to
+                       the ban.
+
+               Raises
+               ------
+               HTTPError
+                       Any issues with badips.com request.
+               """
+               try:
+                       url = "/".join([self._badips, "add", self.category, aInfo['ip']])
+                       if self.key:
+                               url = "?".join([url, urlencode({'key': self.key})])
+                       response = urlopen(self._Request(url))
+               except HTTPError as response:
+                       messages = json.loads(response.read().decode('utf-8'))
+                       self._logSys.error(
+                               "Response from badips.com report: '%s'",
+                               messages['err'])
+                       raise
+               else:
+                       messages = json.loads(response.read().decode('utf-8'))
+                       self._logSys.info(
+                               "Response from badips.com report: '%s'",
+                               messages['suc'])
+
+Action = BadIPsAction
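Review bot: `getList()` returns `set(response.read().decode('utf-8').split())`, and `update()` hands every token to the configured `banaction`'s `ban()` as `'ip'` without checking that it is an IP address. The list is remote content, and what the ban action does with the value is outside this hunk (the .conf actions in this commit interpolate `<ip>` into command lines), so each entry should be validated before `_banIPs()` sees it, with anything else logged and dropped. Every `urlopen()` call here also has no timeout, and `start()` and the `category` setter call it synchronously, so an unresponsive server can stall the jail; `urlopen(self._Request(url), timeout=30)` would bound that. In the `except HTTPError` branches, `json.loads()` on a non-JSON error body raises ValueError and hides the original HTTP error.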
diff --git a/fail2ban/action.d/blocklist_de.conf b/fail2ban/action.d/blocklist_de.conf
new file mode 100644 (file)
index 0000000..6d52069
--- /dev/null
@@ -0,0 +1,86 @@
+# Fail2Ban configuration file
+#
+# Author: Steven Hiscocks
+#
+#
+
+# Action to report IP address to blocklist.de
+# Blocklist.de must be signed up to at www.blocklist.de
+# Once registered, one or more servers can be added.
+# This action requires the server 'email address' and the associated apikey.
+#
+# From blocklist.de:
+#   www.blocklist.de is a free and voluntary service provided by a
+#   Fraud/Abuse-specialist, whose servers are often attacked on SSH-,
+#   Mail-Login-, FTP-, Webserver- and other services.
+#   The mission is to report all attacks to the abuse departments of the
+#   infected PCs/servers to ensure that the responsible provider can inform
+#   the customer about the infection and disable them
+#
+# IMPORTANT: 
+# 
+# Reporting an IP of abuse is a serious complaint. Make sure that it is
+# serious. Fail2ban developers and network owners recommend you only use this
+# action for:
+#   * The recidive where the IP has been banned multiple times
+#   * Where maxretry has been set quite high, beyond the normal user typing
+#     password incorrectly.
+#   * For filters that have a low likelihood of receiving human errors
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = 
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop =
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = curl --fail --data-urlencode 'server=<email>' --data 'apikey=<apikey>' --data 'service=<service>' --data 'ip=<ip>' --data-urlencode 'logs=<matches>' --data 'format=text' --user-agent "fail2ban v0.8.12" "https://www.blocklist.de/en/httpreports.html"
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban =
+
+[Init]
+
+# Option:  email
+# Notes    server email address, as per blocklise.de account
+# Values:  STRING  Default: None
+#
+#email =
+
+# Option:  apikey
+# Notes    your user blocklist.de user account apikey
+# Values:  STRING  Default: None
+#
+#apikey =
+
+# Option:  service
+# Notes    service name you are reporting on, typically aligns with filter name
+#          see http://www.blocklist.de/en/httpreports.html for full list
+# Values:  STRING  Default: None
+#
+#service =
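Review bot: `actionban` places `<matches>` inside a single-quoted shell argument (`--data-urlencode 'logs=<matches>'`), and that tag carries log lines whose content remote clients influence. Whether this fail2ban version escapes the tag safely for use inside single quotes is not visible here and should be confirmed before enabling the action; dropping the `logs` field or feeding it to curl from a file avoids the question. The line also passes `apikey=<apikey>` as a command-line argument, which other local users can read from the process list while curl runs. curl can take the value from a root-only file instead (`--data @FILE`), and `tkn=<cftoken>` in fail2ban/action.d/cloudflare.conf has the same exposure.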
diff --git a/fail2ban/action.d/bsd-ipfw.conf b/fail2ban/action.d/bsd-ipfw.conf
new file mode 100644 (file)
index 0000000..475d247
--- /dev/null
@@ -0,0 +1,83 @@
+# Fail2Ban configuration file
+#
+# Author: Nick Munger
+# Modified by: Ken Menzel
+#              Daniel Black (start/stop)
+#              Fabian Wenk (many ideas as per fail2ban users list)
+#
+# Ensure firewall_enable="YES" in the top of /etc/rc.conf
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = ipfw show | fgrep -q 'table(<table>)' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e <br> else exit b }'; num=$?; ipfw -q add $num <blocktype> <block> from table\(<table>\) to me <port>; echo $num > "<startstatefile>" )
+
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop =  [ ! -f <startstatefile> ] || ( read num < "<startstatefile>" <br> ipfw -q delete $num <br> rm "<startstatefile>" )
+
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+# requires an ipfw rule like "deny ip from table(1) to me"
+actionban = ipfw table <table> add <ip>
+
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = ipfw table <table> delete <ip>
+
+[Init]
+# Option:  table
+# Notes:   The ipfw table to use. If a ipfw rule using this table already exists,
+#          this action will not create a ipfw rule to block it and the following
+#          options will have no effect.
+# Values:  NUM
+table = 1
+
+# Option:  port
+# Notes.:  Specifies port to monitor. Blank indicate block all ports.
+# Values:  [ NUM | STRING ]
+#
+port = 
+
+# Option:  startstatefile
+# Notes:   A file to indicate that the table rule that was added. Ensure it is unique per table.
+# Values:  STRING
+startstatefile = /run/fail2ban/ipfw-started-table_<table>
+
+# Option: block
+# Notes:  This is how much to block.
+#         Can be "ip", "tcp", "udp" or various other options.
+# Values: STRING
+block = ip
+
+# Option:  blocktype
+# Notes.:  How to block the traffic. Use a action from man 5 ipfw
+#          Common values: deny, unreach port, reset
+#          ACTION defination at the top of man ipfw for allowed values.
+# Values:  STRING
+#
+blocktype = unreach port
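Review bot: `actionstart` returns the chosen rule number through the awk exit status (`exit e` / `exit b`, then `num=$?`), and an exit status holds only 0–255. When the first free rule number is larger than that, `$?` is the value modulo 256, so the rule is added, recorded in `<startstatefile>` and later deleted under the wrong number. Have awk print the number and capture it instead, e.g. `num=$(ipfw show | awk '... END { print (e ? e : b) }')`. A comment that `actionstop` deletes whatever rule number the state file holds, so the file must be writable only by the fail2ban user, would also be useful.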
diff --git a/fail2ban/action.d/cloudflare.conf b/fail2ban/action.d/cloudflare.conf
new file mode 100644 (file)
index 0000000..4d5e2dc
--- /dev/null
@@ -0,0 +1,55 @@
+#
+# Author: Mike Rushton
+#
+# Referenced from from http://www.normyee.net/blog/2012/02/02/adding-cloudflare-support-to-fail2ban by NORM YEE
+#
+# To get your Cloudflare API key: https://www.cloudflare.com/my-account
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop =
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionban = curl https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionunban = curl https://www.cloudflare.com/api_json.html -d 'a=nul' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'
+
+
+[Init]
+
+# Default Cloudflare API token 
+cftoken = 
+
+# Default Cloudflare username
+cfuser = 
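Review bot: Both `curl` calls omit `--fail` and any timeout, so an HTTP error from the API still exits 0 and fail2ban records the ban as done although nothing was blocked. The other curl-based actions added in this commit (badips.conf, blocklist_de.conf) use `curl --fail`; doing the same here, plus `--silent --show-error --max-time 30`, makes failures visible in the fail2ban log. `cftoken` and `cfuser` are better set in a `.local` file with restrictive permissions than in this tracked file, since this /etc tree is committed to a repository.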
diff --git a/fail2ban/action.d/complain.conf b/fail2ban/action.d/complain.conf
new file mode 100644 (file)
index 0000000..9247803
--- /dev/null
@@ -0,0 +1,94 @@
+# Fail2Ban configuration file
+#
+# Author: Russell Odom <russ@gloomytrousers.co.uk>, Daniel Black
+# Sends a complaint e-mail to addresses listed in the whois record for an
+# offending IP address.
+# This uses the https://abusix.com/contactdb.html to lookup abuse contacts.
+#
+# DEPENDENCIES:
+# This requires the dig command from bind-utils
+#
+# You should provide the <logpath> in the jail config - lines from the log
+# matching the given IP address will be provided in the complaint as evidence.
+#
+# WARNING
+# -------
+#
+# Please do not use this action unless you are certain that fail2ban
+# does not result in "false positives" for your deployment.  False
+# positive reports could serve a mis-favor to the original cause by
+# flooding corresponding contact addresses, and complicating the work
+# of administration personnel responsible for handling (verified) legit
+# complains.
+#
+# Please consider using e.g. sendmail-whois-lines.conf action which
+# would send the reports with relevant information to you, so the
+# report could be first reviewed and then forwarded to a corresponding
+# contact if legit.
+#
+
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop =
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = oifs=${IFS}; IFS=.;SEP_IP=( <ip> ); set -- ${SEP_IP}; ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs}
+           IP=<ip>
+            if [ ! -z "$ADDRESSES" ]; then
+                (printf %%b "<message>\n"; date '+Note: Local timezone is %%z (%%Z)'; grep -E '(^|[^0-9])<ip>([^0-9]|$)' <logpath>) | <mailcmd> "Abuse from <ip>" <mailargs> ${ADDRESSES//,/\" \"}
+            fi
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban =
+
+[Init]
+message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a abusix.com is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n This mail was generated by Fail2Ban.\nThe recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email (info@abusix.com). Information about the Abuse Contact Database can be found here: https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is neither responsible nor liable for the content or accuracy of this message.\n
+
+# Path to the log files which contain relevant lines for the abuser IP
+#
+logpath = /dev/null
+
+# Option:  mailcmd
+# Notes.:  Your system mail command. Is passed 2 args: subject and recipient
+# Values:  CMD
+#
+mailcmd = mail -s
+
+# Option:  mailargs
+# Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
+#          CC reports to another address:
+#              -c me@example.com
+#          Appear to come from a different address - the '--' indicates
+#          arguments to be passed to Sendmail:
+#              -- -f me@example.com
+# Values:  [ STRING ]
+#
+mailargs =
+
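Review bot: In `actionban`, `ADDRESSES` is filled from a DNS TXT answer (`dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org`) and then expanded unquoted as arguments to `<mailcmd>` via `${ADDRESSES//,/\" \"}`. That answer is remote data, so it should be checked to contain only mail addresses before it reaches the mail command, and empty or malformed answers skipped with a log line. The command also relies on bash features (`SEP_IP=( <ip> )`, `${ADDRESSES//,/...}`), which fail where actions run through a POSIX `/bin/sh`; a comment stating the bash requirement belongs next to `actionban`. The `grep -E` pattern uses `<ip>` with unescaped dots, so it can also pick up lines for other addresses in `<logpath>`.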
diff --git a/fail2ban/action.d/dshield.conf b/fail2ban/action.d/dshield.conf
new file mode 100644 (file)
index 0000000..1ac0535
--- /dev/null
@@ -0,0 +1,204 @@
+# Fail2Ban configuration file
+#
+# Author: Russell Odom <russ@gloomytrousers.co.uk>
+# Submits attack reports to DShield (http://www.dshield.org/)
+#
+# You MUST configure at least:
+# <port> (the port that's being attacked - use number not name).
+#
+# You SHOULD also provide:
+# <myip> (your public IP address, if it's not the address of eth0)
+# <userid> (your DShield userID, if you have one - recommended, but reports will
+# be used anonymously if not)
+# <protocol> (the protocol in use - defaults to tcp)
+#
+# Best practice is to provide <port> and <protocol> in jail.conf like this:
+# action = dshield[port=1234,protocol=tcp]
+#
+# ...and create "dshield.local" with contents something like this:
+# [Init]
+# myip = 10.0.0.1
+# userid = 12345
+#
+# Other useful configuration values are <mailargs> (you can use for specifying
+# a different sender address for the report e-mails, which should match what is
+# configured at DShield), and <lines>/<minreportinterval>/<maxbufferage> (to
+# configure how often the buffer is flushed).
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = if [ -f <tmpfile>.buffer ]; then
+                 cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest>
+                 date +%%s > <tmpfile>.lastsent
+             fi
+             rm -f <tmpfile>.buffer <tmpfile>.first
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+# See http://www.dshield.org/specs.html for more on report format/notes
+#
+# Note: We are currently using <time> for the timestamp because no tag is
+# available to indicate the timestamp of the log message(s) which triggered the
+# ban. Therefore the timestamps we are using in the report, whilst often only a
+# few seconds out, are incorrect. See
+# http://sourceforge.net/tracker/index.php?func=detail&aid=2017795&group_id=121032&atid=689047
+#
+actionban = TZONE=`date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'`
+            DATETIME="`perl -e '@t=localtime(<time>);printf "%%4d-%%02d-%%02d %%02d:%%02d:%%02d",1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0]'` $TZONE"
+           PROTOCOL=`awk '{IGNORECASE=1;if($1=="<protocol>"){print $2;exit}}' /etc/protocols`
+           if [ -z "$PROTOCOL" ]; then PROTOCOL=<protocol>; fi
+            printf %%b "$DATETIME\t<userid>\t<failures>\t<ip>\t<srcport>\t<myip>\t<port>\t$PROTOCOL\t<tcpflags>\n" >> <tmpfile>.buffer
+            NOW=`date +%%s`
+            if [ ! -f <tmpfile>.first ]; then
+                echo <time> | cut -d. -f1 > <tmpfile>.first
+            fi
+            if [ ! -f <tmpfile>.lastsent ]; then
+                echo 0 > <tmpfile>.lastsent
+            fi
+            LOGAGE=$(($NOW - `cat <tmpfile>.first`))
+            LASTREPORT=$(($NOW - `cat <tmpfile>.lastsent`))
+            LINES=$( wc -l <tmpfile>.buffer | awk '{ print $1 }' )
+            if [ $LINES -ge <lines> && $LASTREPORT -gt <minreportinterval> ] || [ $LOGAGE -gt <maxbufferage> ]; then
+                cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ $TZONE Fail2Ban" <mailargs> <dest>
+                rm -f <tmpfile>.buffer <tmpfile>.first
+                echo $NOW > <tmpfile>.lastsent
+            fi
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = if [ -f <tmpfile>.first ]; then
+                  NOW=`date +%%s`
+                  LOGAGE=$(($NOW - `cat <tmpfile>.first`))
+                  if [ $LOGAGE -gt <maxbufferage> ]; then
+                      cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest>
+                      rm -f <tmpfile>.buffer <tmpfile>.first
+                      echo $NOW > <tmpfile>.lastsent
+                  fi
+              fi
+
+
+[Init]
+# Option:  port
+# Notes.:  The target port for the attack (numerical). MUST be provided in the
+#          jail config, as it cannot be detected here.
+# Values:  [ NUM ]
+#
+port = ???
+
+# Option:  userid
+# Notes.:  Your DShield user ID. Should be provided either in the jail config or
+#          in a .local file.
+#          Register at https://secure.dshield.org/register.html
+# Values:  [ NUM ]
+#
+userid = 0
+
+# Option:  myip
+# Notes.:  The target IP for the attack (your public IP). Should be provided
+#          either in the jail config or in a .local file unless your PUBLIC IP
+#          is the first IP assigned to eth0
+# Values:  [ an IP address ]  Default: Tries to find the IP address of eth0,
+#          which in most cases will be a private IP, and therefore incorrect
+#
+myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'`
+
+# Option:  protocol
+# Notes.:  The protocol over which the attack is happening
+# Values:  [ tcp | udp | icmp | (any other protocol name from /etc/protocols) | NUM ] Default: tcp
+#
+protocol = tcp
+
+# Option:  lines
+# Notes.:  How many lines to buffer before making a report. Regardless of this,
+#          reports are sent a minimum of <minreportinterval> apart, or if the
+#          buffer contains an event over <maxbufferage> old, or on shutdown
+# Values:  [ NUM ]
+#
+lines = 50
+
+# Option:  minreportinterval
+# Notes.:  Minimum period (in seconds) that must elapse before we submit another
+#          batch of reports. DShield request a minimum of 1 hour (3600 secs)
+#          between reports.
+# Values:  [ NUM ]
+#
+minreportinterval = 3600
+
+# Option:  maxbufferage
+# Notes.:  Maximum age (in seconds) of the oldest report in the buffer before we
+#          submit the batch, even if we haven't reached <lines> yet. Note that
+#          this is only checked on each ban/unban, and that we always send
+#          anything in the buffer on shutdown. Must be greater than
+# Values:  [ NUM ]
+#
+maxbufferage = 21600
+
+# Option:  srcport
+# Notes.:  The source port of the attack. You're unlikely to have this info, so
+#          you can leave the default
+# Values:  [ NUM ]
+#
+srcport = ???
+
+# Option:  tcpflags
+# Notes.:  TCP flags on attack. You're unlikely to have this info, so you can
+#          leave empty
+# Values:  [ STRING ]
+#
+tcpflags =
+
+# Option:  mailcmd
+# Notes.:  Your system mail command. Is passed 2 args: subject and recipient
+# Values:  CMD
+#
+mailcmd = mail -s
+
+# Option:  mailargs
+# Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
+#          CC reports to another address:
+#              -c me@example.com
+#          Appear to come from a different address (the From address must match
+#          the one configured at DShield - the '--' indicates arguments to be
+#          passed to Sendmail):
+#              -- -f me@example.com
+# Values:  [ STRING ]
+#
+mailargs =
+
+# Option:  dest
+# Notes.:  Destination e-mail address for reports
+# Values:  [ STRING ]
+#
+dest = reports@dshield.org
+
+# Option:  tmpfile
+# Notes.:  Base name of temporary files used for buffering
+# Values:  [ STRING ]
+#
+tmpfile = /run/fail2ban/tmp-dshield
+
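Review bot: The flush condition in `actionban`, `if [ $LINES -ge <lines> && $LASTREPORT -gt <minreportinterval> ] || [ $LOGAGE -gt <maxbufferage> ]`, puts `&&` inside a single `[ ]`. The shell splits that into `[ $LINES -ge <lines>` (missing `]`, an error) and a second command named after the value of `$LASTREPORT`, so the line-count branch never succeeds and reports go out only once the buffer is older than `<maxbufferage>`. Use two tests: `if [ $LINES -ge <lines> ] && [ $LASTREPORT -gt <minreportinterval> ] || [ $LOGAGE -gt <maxbufferage> ]; then`. The `maxbufferage` option comment also ends mid-sentence (`Must be greater than`) and should name what the value must exceed.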
diff --git a/fail2ban/action.d/dummy.conf b/fail2ban/action.d/dummy.conf
new file mode 100644 (file)
index 0000000..1070232
--- /dev/null
@@ -0,0 +1,47 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = touch /run/fail2ban/fail2ban.dummy
+              printf %%b "<init>\n" >> /run/fail2ban/fail2ban.dummy
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = rm -f /run/fail2ban/fail2ban.dummy
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = printf %%b "+<ip>\n" >> /run/fail2ban/fail2ban.dummy
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = printf %%b "-<ip>\n" >> /run/fail2ban/fail2ban.dummy
+
+[Init]
+
+init = 123
+
diff --git a/fail2ban/action.d/firewallcmd-ipset.conf b/fail2ban/action.d/firewallcmd-ipset.conf
new file mode 100644 (file)
index 0000000..38b0f3d
--- /dev/null
@@ -0,0 +1,51 @@
+# Fail2Ban action file for firewall-cmd/ipset
+#
+# This requires:
+# ipset (package: ipset)
+# firewall-cmd (package: firewalld)
+#
+# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
+# Use ipset -V to see the protocol and version.
+#
+# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
+#
+# If you are running on an older kernel you make need to patch in external
+# modules.
+
+[INCLUDES]
+
+before = iptables-common.conf
+
+[Definition]
+
+actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
+              firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
+
+actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
+             ipset flush fail2ban-<name>
+             ipset destroy fail2ban-<name>
+
+actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
+
+actionunban = ipset del fail2ban-<name> <ip> -exist
+
+[Init]
+
+# Option:  chain
+# Notes    specifies the iptables chain to which the fail2ban rules should be
+#          added
+# Values:  [ STRING ]
+#
+chain = INPUT_direct
+
+# Option: bantime
+# Notes:  specifies the bantime in seconds (handled internally rather than by fail2ban)
+# Values:  [ NUM ]  Default: 600
+
+bantime = 600
+
+
+# DEV NOTES:
+#
+# Author: Edgar Hoch and Daniel Black
+# firewallcmd-new / iptables-ipset-proto6 combined for maximium goodness
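Review bot: The `bantime = 600` default in `[Init]` feeds the `timeout <bantime>` on the `actionstart` and `actionban` lines, so the kernel set drops an address after 600 seconds whatever ban time the jail uses, unless the jail passes its own value to the action. A jail with a longer ban would then stop blocking early while fail2ban still lists the address as banned. The option comment should say so, e.g. `# NOTE: pass the jail's ban time (firewallcmd-ipset[bantime=...]); otherwise set entries expire after 600 s`. The same default is in iptables-ipset-proto6.conf and iptables-ipset-proto6-allports.conf later in this commit.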
diff --git a/fail2ban/action.d/firewallcmd-new.conf b/fail2ban/action.d/firewallcmd-new.conf
new file mode 100644 (file)
index 0000000..9754e3f
--- /dev/null
@@ -0,0 +1,56 @@
+# Fail2Ban configuration file
+#
+# Because of the --remove-rules in stop this action requires firewalld-0.3.8+
+
+[INCLUDES]
+
+before = iptables-common.conf
+
+[Definition]
+
+actionstart = firewall-cmd --direct --add-chain ipv4 filter f2b-<name>
+              firewall-cmd --direct --add-rule ipv4 filter f2b-<name> 1000 -j RETURN
+              firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
+
+actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
+             firewall-cmd --direct --remove-rules ipv4 filter f2b-<name>
+             firewall-cmd --direct --remove-chain ipv4 filter f2b-<name>
+
+actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q 'f2b-<name>$'
+
+actionban = firewall-cmd --direct --add-rule ipv4 filter f2b-<name> 0 -s <ip> -j <blocktype>
+
+actionunban = firewall-cmd --direct --remove-rule ipv4 filter f2b-<name> 0 -s <ip> -j <blocktype>
+
+[Init]
+
+# Option:  chain
+# Notes    specifies the iptables chain to which the fail2ban rules should be
+#          added
+# Values:  [ STRING ]
+#
+chain = INPUT_direct
+
+# DEV NOTES:
+#
+# Author: Edgar Hoch
+# Copied from iptables-new.conf and modified for use with firewalld by Edgar Hoch.
+#  It uses "firewall-cmd" instead of "iptables".
+#
+# Output:
+# 
+# $ firewall-cmd --direct --add-chain ipv4 filter fail2ban-name
+# success
+# $ firewall-cmd --direct --add-rule ipv4 filter fail2ban-name 1000 -j RETURN
+# success
+# $ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -m state --state NEW -p tcp --dport 22 -j fail2ban-name
+# success
+# $ firewall-cmd --direct --get-chains ipv4 filter
+# fail2ban-name
+# $ firewall-cmd --direct --get-chains ipv4 filter  | od -h
+# 0000000 6166 6c69 6232 6e61 6e2d 6d61 0a65
+# $ firewall-cmd --direct --get-chains ipv4 filter | grep -Eq 'fail2ban-name( |$)' ; echo $?
+# 0
+# $ firewall-cmd -V
+# 0.3.8
+
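Review bot: The `actioncheck` pattern `'f2b-<name>$'` is not the one exercised in the DEV NOTES at the end of this file (`grep -Eq 'fail2ban-name( |$)'`). With only the `$` anchor the check fails whenever firewall-cmd prints several chains on one line and this chain is not the last, and without a left anchor a chain such as `xf2b-<name>` also satisfies it. If the output is space-separated, as the notes imply, fail2ban would treat an intact chain as missing. Suggest `actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -Eq '(^| )f2b-<name>( |$)'`, and the notes still show the old `fail2ban-name` prefix.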
diff --git a/fail2ban/action.d/hostsdeny.conf b/fail2ban/action.d/hostsdeny.conf
new file mode 100644 (file)
index 0000000..d74f498
--- /dev/null
@@ -0,0 +1,57 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Edited for cross platform by: James Stout, Yaroslav Halchenko and Daniel Black
+#
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = 
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = 
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = IP=<ip> &&
+            printf %%b "<daemon_list>: $IP\n" >> <file>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = echo "/^<daemon_list>: <ip>$/<br>d<br>w<br>q" | ed <file>
+
+[Init]
+
+# Option:  file
+# Notes.:  hosts.deny file path.
+# Values:  STR  Default:  /etc/hosts.deny
+#
+file = /etc/hosts.deny
+
+# Option:  daemon_list
+# Notes:   The list of services that this action will deny. See the man page
+#          for hosts.deny/hosts_access. Default is all services.
+# Values:  STR  Default: ALL
+daemon_list = ALL
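Review bot: `actionunban` deletes only the first line that matches the `ed` address, while `actionban` appends unconditionally, so an address that was written twice (for instance re-banned after a restart) would still have a `hosts.deny` entry after its unban. Guarding the append keeps the two symmetric: `grep -qxF "<daemon_list>: <ip>" <file> || printf %%b "<daemon_list>: $IP\n" >> <file>`. The `<ip>` in the `ed` pattern is also used as a regular expression with its dots unescaped. Both commands rewrite `<file>` without a lock, which matters if several jails share this action.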
diff --git a/fail2ban/action.d/ipfilter.conf b/fail2ban/action.d/ipfilter.conf
new file mode 100644 (file)
index 0000000..61420e3
--- /dev/null
@@ -0,0 +1,58 @@
+# Fail2Ban configuration file
+#
+# NetBSD ipfilter (ipf command) ban/unban
+#
+# Author: Ed Ravin <eravin@panix.com>
+#
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+# enable IPF if not already enabled
+actionstart = /sbin/ipf -E
+
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+# don't disable IPF with "/sbin/ipf -D", there may be other filters in use
+actionstop = 
+
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = echo block <blocktype> in quick from <ip>/32 | /sbin/ipf -f -
+
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+# note -r option used to remove matching rule
+actionunban = echo block <blocktype> in quick from <ip>/32 | /sbin/ipf -r -f -
+
+[Init]
+
+# Option: Blocktype
+# Notes : This is the return-icmp[return-code] mentioned in the ipf man page section 5. Keep this quoted to prevent
+#         Shell expansion. This should be blank (unquoted) to drop the packet.
+# Values: STRING
+blocktype = "return-icmp(port-unr)"
diff --git a/fail2ban/action.d/ipfw.conf b/fail2ban/action.d/ipfw.conf
new file mode 100644 (file)
index 0000000..3762520
--- /dev/null
@@ -0,0 +1,68 @@
+# Fail2Ban configuration file
+#
+# Author: Nick Munger
+# Modified by: Cyril Jaquier
+#
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = 
+
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = 
+
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = ipfw add <blocktype> tcp from <ip> to <localhost> <port>
+
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = ipfw delete `ipfw list | grep -i "[^0-9]<ip>[^0-9]" | awk '{print $1;}'`
+
+[Init]
+
+# Option:  port
+# Notes.:  specifies port to monitor
+# Values:  [ NUM | STRING ]
+#
+port = ssh
+
+# Option:  localhost
+# Notes.:  the local IP address of the network interface
+# Values:  IP
+#
+localhost = 127.0.0.1
+
+
+# Option:  blocktype
+# Notes.:  How to block the traffic. Use a action from man 5 ipfw
+#          Common values: deny, unreach port, reset
+# Values:  STRING
+#
+blocktype = unreach port
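Review bot: The rule built on the `actionban` line matches only packets addressed to `<localhost>`, and `[Init]` defaults that to `127.0.0.1`, so unless a jail overrides it the ban would not cover traffic arriving on the host's external address. The option comment should state this, e.g. `# NOTE: must be set to the address the service listens on; the 127.0.0.1 default does not match external traffic`. Separately, `actionunban` deletes every rule whose listing contains the address, not only the one fail2ban added, and it runs `ipfw delete` with no argument when nothing matches.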
diff --git a/fail2ban/action.d/iptables-allports.conf b/fail2ban/action.d/iptables-allports.conf
new file mode 100644 (file)
index 0000000..b30404d
--- /dev/null
@@ -0,0 +1,55 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
+#                      made active on all ports from original iptables.conf
+#
+#
+
+[INCLUDES]
+
+before = iptables-common.conf
+
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = iptables -N f2b-<name>
+              iptables -A f2b-<name> -j RETURN
+              iptables -I <chain> -p <protocol> -j f2b-<name>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = iptables -D <chain> -p <protocol> -j f2b-<name>
+             iptables -F f2b-<name>
+             iptables -X f2b-<name>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]'
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = iptables -I f2b-<name> 1 -s <ip> -j <blocktype>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = iptables -D f2b-<name> -s <ip> -j <blocktype>
+
+[Init]
+
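Review bot: In the `actioncheck` pattern `'f2b-<name>[ \t]'`, grep does not read `\t` inside a bracket expression as a tab; the class matches a space, a backslash or the letter `t`. The check can therefore succeed on a different chain whose name continues with `t` after this jail's name, which hides a missing jump rule. Suggest `actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[[:space:]]'`. The same line is in iptables-multiport.conf, iptables-new.conf and iptables.conf later in this commit.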
diff --git a/fail2ban/action.d/iptables-common.conf b/fail2ban/action.d/iptables-common.conf
new file mode 100644 (file)
index 0000000..c191c5a
--- /dev/null
@@ -0,0 +1,45 @@
+# Fail2Ban configuration file
+#
+# Author: Daniel Black
+#
+# This is a included configuration file and includes the definitions for the iptables
+# used in all iptables based actions by default.
+#
+# The user can override the defaults in iptables-common.local
+
+[INCLUDES]
+
+after = iptables-blocktype.local
+        iptables-common.local
+# iptables-blocktype.local is obsolete
+
+[Init]
+
+# Option:  chain
+# Notes    specifies the iptables chain to which the Fail2Ban rules should be
+#          added
+# Values:  STRING  Default: INPUT
+chain = INPUT
+
+# Default name of the chain
+#
+name = default
+
+# Option:  port
+# Notes.:  specifies port to monitor
+# Values:  [ NUM | STRING ]  Default:
+#
+port = ssh
+
+# Option:  protocol
+# Notes.:  internally used by config reader for interpolations.
+# Values:  [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
+# Option:  blocktype
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the iptables man page (section 8). Common values are DROP
+#          REJECT, REJECT --reject-with icmp-port-unreachable
+# Values:  STRING
+blocktype = REJECT --reject-with icmp-port-unreachable
diff --git a/fail2ban/action.d/iptables-ipset-proto4.conf b/fail2ban/action.d/iptables-ipset-proto4.conf
new file mode 100644 (file)
index 0000000..c72b1a8
--- /dev/null
@@ -0,0 +1,58 @@
+# Fail2Ban configuration file
+#
+# Author: Daniel Black
+#
+# This is for ipset protocol 4 (ipset v4.2). If you have a later version
+# of ipset try to use the iptables-ipset-proto6.conf as it does some things
+# nicer.
+# 
+# This requires the program ipset which is normally in package called ipset.
+#
+# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
+#
+# If you are running on an older kernel you make need to patch in external
+# modules. Debian squeeze can do this with:
+#   apt-get install xtables-addons-source 
+#   module-assistant auto-install xtables-addons
+#
+# Debian wheezy and above uses protocol 6
+
+[INCLUDES]
+
+before = iptables-common.conf
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = ipset --create f2b-<name> iphash
+              iptables -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
+             ipset --flush f2b-<name>
+             ipset --destroy f2b-<name>
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = ipset --test f2b-<name> <ip> ||  ipset --add f2b-<name> <ip>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = ipset --test f2b-<name> <ip> && ipset --del f2b-<name> <ip>
+
+[Init]
+
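Review bot: This action defines no `actioncheck`, unlike the chain-based iptables actions in this commit, so nothing verifies before a ban that the `--match-set f2b-<name>` rule is still in `<chain>`. If that rule is removed by a firewall reload, `ipset --add` would presumably keep succeeding while the bans have no effect. A check along the lines of `actioncheck = iptables -n -L <chain> | grep -q 'match-set f2b-<name> '` would surface that. `ipset --create` on the `actionstart` line also fails when the set is left over from an unclean stop. iptables-ipset-proto6.conf, iptables-ipset-proto6-allports.conf and firewallcmd-ipset.conf have the same gap.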
diff --git a/fail2ban/action.d/iptables-ipset-proto6-allports.conf b/fail2ban/action.d/iptables-ipset-proto6-allports.conf
new file mode 100644 (file)
index 0000000..aaeee46
--- /dev/null
@@ -0,0 +1,59 @@
+# Fail2Ban configuration file
+#
+# Author: Daniel Black
+#
+# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
+# Use ipset -V to see the protocol and version. Version 4 should use
+# iptables-ipset-proto4.conf.
+#
+# This requires the program ipset which is normally in package called ipset.
+#
+# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
+#
+# If you are running on an older kernel you make need to patch in external
+# modules which probably won't be protocol version 6.
+
+[INCLUDES]
+
+before = iptables-common.conf
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = ipset create f2b-<name> hash:ip timeout <bantime>
+              iptables -I <chain> -m set --match-set f2b-<name> src -j <blocktype>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = iptables -D <chain> -m set --match-set f2b-<name> src -j <blocktype>
+             ipset flush f2b-<name>
+             ipset destroy f2b-<name>
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = ipset del f2b-<name> <ip> -exist
+
+[Init]
+
+# Option: bantime
+# Notes:  specifies the bantime in seconds (handled internally rather than by fail2ban)
+# Values:  [ NUM ]  Default: 600
+#
+bantime = 600
diff --git a/fail2ban/action.d/iptables-ipset-proto6.conf b/fail2ban/action.d/iptables-ipset-proto6.conf
new file mode 100644 (file)
index 0000000..bd36c49
--- /dev/null
@@ -0,0 +1,59 @@
+# Fail2Ban configuration file
+#
+# Author: Daniel Black
+#
+# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
+# Use ipset -V to see the protocol and version. Version 4 should use
+# iptables-ipset-proto4.conf.
+#
+# This requires the program ipset which is normally in package called ipset.
+#
+# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
+#
+# If you are running on an older kernel you make need to patch in external
+# modules.
+
+[INCLUDES]
+
+before = iptables-common.conf
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = ipset create f2b-<name> hash:ip timeout <bantime>
+              iptables -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
+             ipset flush f2b-<name>
+             ipset destroy f2b-<name>
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = ipset del f2b-<name> <ip> -exist
+
+[Init]
+
+# Option: bantime
+# Notes:  specifies the bantime in seconds (handled internally rather than by fail2ban)
+# Values:  [ NUM ]  Default: 600
+#
+bantime = 600
diff --git a/fail2ban/action.d/iptables-multiport-log.conf b/fail2ban/action.d/iptables-multiport-log.conf
new file mode 100644 (file)
index 0000000..f4d80d6
--- /dev/null
@@ -0,0 +1,62 @@
+# Fail2Ban configuration file
+#
+# Author: Guido Bozzetto
+# Modified: Cyril Jaquier
+#
+# make "f2b-<name>" chain to match drop IP
+# make "f2b-<name>-log" chain to log and drop
+# insert a jump to f2b-<name> from -I <chain> if proto/port match
+#
+#
+
+[INCLUDES]
+
+before = iptables-common.conf
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = iptables -N f2b-<name>
+              iptables -A f2b-<name> -j RETURN
+              iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j f2b-<name>
+              iptables -N f2b-<name>-log
+              iptables -I f2b-<name>-log -j LOG --log-prefix "$(expr f2b-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
+              iptables -A f2b-<name>-log -j <blocktype>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
+             iptables -F f2b-<name>
+             iptables -F f2b-<name>-log
+             iptables -X f2b-<name>
+             iptables -X f2b-<name>-log
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = iptables -n -L f2b-<name>-log >/dev/null
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = iptables -I f2b-<name> 1 -s <ip> -j f2b-<name>-log
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = iptables -D f2b-<name> -s <ip> -j f2b-<name>-log
+
+[Init]
+
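Review bot: `actioncheck` here only tests that the `f2b-<name>-log` chain exists, whereas the sibling iptables actions test that `<chain>` still jumps to `f2b-<name>`; if the jump is flushed, bans would be inserted into a chain no packet reaches and the check would still pass. Suggest `actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name> ' && iptables -n -L f2b-<name>-log >/dev/null`. The log prefix on the `actionstart` line is also fixed to `:DROP` although the verdict is `<blocktype>`, which defaults to a REJECT in iptables-common.conf, so log-based detections should not rely on the prefix to tell the verdict.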
diff --git a/fail2ban/action.d/iptables-multiport.conf b/fail2ban/action.d/iptables-multiport.conf
new file mode 100644 (file)
index 0000000..b70baf9
--- /dev/null
@@ -0,0 +1,52 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Modified by Yaroslav Halchenko for multiport banning
+#
+
+[INCLUDES]
+
+before = iptables-common.conf
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = iptables -N f2b-<name>
+              iptables -A f2b-<name> -j RETURN
+              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
+             iptables -F f2b-<name>
+             iptables -X f2b-<name>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]'
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = iptables -I f2b-<name> 1 -s <ip> -j <blocktype>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = iptables -D f2b-<name> -s <ip> -j <blocktype>
+
+[Init]
+
diff --git a/fail2ban/action.d/iptables-new.conf b/fail2ban/action.d/iptables-new.conf
new file mode 100644 (file)
index 0000000..3c6657d
--- /dev/null
@@ -0,0 +1,54 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Copied from iptables.conf and modified by Yaroslav Halchenko 
+#  to fulfill the needs of bugreporter dbts#350746.
+#
+#
+
+[INCLUDES]
+
+before = iptables-common.conf
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = iptables -N f2b-<name>
+              iptables -A f2b-<name> -j RETURN
+              iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
+             iptables -F f2b-<name>
+             iptables -X f2b-<name>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]'
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = iptables -I f2b-<name> 1 -s <ip> -j <blocktype>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = iptables -D f2b-<name> -s <ip> -j <blocktype>
+
+[Init]
+
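Review bot: The header does not say what separates this action from iptables.conf beyond the bug reference, and the difference matters for response: the jump on the `actionstart` line carries `-m state --state NEW`, so only new connections reach `f2b-<name>`. Suggest adding a header comment such as `# Only NEW connections are checked; sessions already established when an address is banned are not interrupted.` The `actioncheck` bracket issue noted for iptables-allports.conf applies here as well.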
diff --git a/fail2ban/action.d/iptables-xt_recent-echo.conf b/fail2ban/action.d/iptables-xt_recent-echo.conf
new file mode 100644 (file)
index 0000000..1a72968
--- /dev/null
@@ -0,0 +1,67 @@
+# Fail2Ban configuration file
+#
+# Author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
+#
+#
+
+[INCLUDES]
+
+before = iptables-common.conf
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+# Changing iptables rules requires root privileges. If fail2ban is
+# configured to run as root, firewall setup can be performed by
+# fail2ban automatically. However, if fail2ban is configured to run as
+# a normal user, the configuration must be done by some other means
+# (e.g. using static firewall configuration with the
+# iptables-persistent package).
+# 
+# Explanation of the rule below:
+#    Check if any packets coming from an IP on the f2b-<name>
+#    list have been seen in the last 3600 seconds. If yes, update the
+#    timestamp for this IP and drop the packet. If not, let the packet
+#    through.
+#
+#    Fail2ban inserts blacklisted hosts into the f2b-<name> list
+#    and removes them from the list after some time, according to its
+#    own rules. The 3600 second timeout is independent and acts as a
+#    safeguard in case the fail2ban process dies unexpectedly. The
+#    shorter of the two timeouts actually matters.
+actionstart = if [ `id -u` -eq 0 ];then iptables -I <chain> -m recent --update --seconds 3600 --name f2b-<name> -j <blocktype>;fi
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = echo / > /proc/net/xt_recent/f2b-<name>
+             if [ `id -u` -eq 0 ];then iptables -D <chain> -m recent --update --seconds 3600 --name f2b-<name> -j <blocktype>;fi
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = test -e /proc/net/xt_recent/f2b-<name>
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = echo +<ip> > /proc/net/xt_recent/f2b-<name>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = echo -<ip> > /proc/net/xt_recent/f2b-<name>
+
+[Init]
+
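Review bot: The explanation above `actionstart` covers the 3600-second safeguard but not the list size limit of the recent match: by default the module keeps 100 addresses per list (module parameter `ip_list_tot`), and older entries are evicted once it is full. A jail that bans more addresses than that would lose its oldest bans without any error from the `echo +<ip>` on the `actionban` line. Suggest documenting it next to the rule, e.g. `# NOTE: xt_recent keeps ip_list_tot addresses per list (default 100); raise it if more concurrent bans are expected.`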
diff --git a/fail2ban/action.d/iptables.conf b/fail2ban/action.d/iptables.conf
new file mode 100644 (file)
index 0000000..a956fc5
--- /dev/null
@@ -0,0 +1,52 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[INCLUDES]
+
+before = iptables-common.conf
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = iptables -N f2b-<name>
+              iptables -A f2b-<name> -j RETURN
+              iptables -I <chain> -p <protocol> --dport <port> -j f2b-<name>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = iptables -D <chain> -p <protocol> --dport <port> -j f2b-<name>
+             iptables -F f2b-<name>
+             iptables -X f2b-<name>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]'
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = iptables -I f2b-<name> 1 -s <ip> -j <blocktype>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = iptables -D f2b-<name> -s <ip> -j <blocktype>
+
+[Init]
+
diff --git a/fail2ban/action.d/mail-buffered.conf b/fail2ban/action.d/mail-buffered.conf
new file mode 100644 (file)
index 0000000..4e23d3e
--- /dev/null
@@ -0,0 +1,83 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = printf %%b "Hi,\n
+              The jail <name> has been started successfully.\n
+              Output will be buffered until <lines> lines are available.\n
+              Regards,\n
+              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = if [ -f <tmpfile> ]; then
+                 printf %%b "Hi,\n
+                 These hosts have been banned by Fail2Ban.\n
+                 `cat <tmpfile>`
+                 Regards,\n
+                 Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from `uname -n`" <dest>
+                 rm <tmpfile>
+             fi
+             printf %%b "Hi,\n
+             The jail <name> has been stopped.\n
+             Regards,\n
+             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+            LINE=$( wc -l <tmpfile> | awk '{ print $1 }' )
+            if [ $LINE -ge <lines> ]; then
+                printf %%b "Hi,\n
+                These hosts have been banned by Fail2Ban.\n
+                `cat <tmpfile>`
+                \nRegards,\n
+                Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
+                rm <tmpfile>
+            fi
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = 
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Default number of lines that are buffered
+#
+lines = 5
+
+# Default temporary file
+#
+tmpfile = /run/fail2ban/tmp-mail.txt
+
+# Destination/Addressee of the mail
+#
+dest = root
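Review bot: The `tmpfile` default is a single fixed path, so every jail that uses this action without overriding it appends to the same buffer. The summary mail is then sent under whichever jail's `<name>` reaches `<lines>` first, and one jail's `rm <tmpfile>` discards entries another jail has just written. If tag substitution in `[Init]` values is available in this fail2ban version, `tmpfile = /run/fail2ban/tmp-mail-<name>.txt` avoids this; otherwise the comment should tell the admin to set a per-jail file.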
diff --git a/fail2ban/action.d/mail-whois-lines.conf b/fail2ban/action.d/mail-whois-lines.conf
new file mode 100644 (file)
index 0000000..aa7d095
--- /dev/null
@@ -0,0 +1,69 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Modified-By: Yaroslav Halchenko to include grepping on IP over log files
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = printf %%b "Hi,\n
+              The jail <name> has been started successfully.\n
+              Regards,\n
+              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = printf %%b "Hi,\n
+             The jail <name> has been stopped.\n
+             Regards,\n
+             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = printf %%b "Hi,\n
+            The IP <ip> has just been banned by Fail2Ban after
+            <failures> attempts against <name>.\n\n
+            Here is more information about <ip>:\n
+            `whois <ip> || echo missing whois program`\n\n
+            Lines containing IP:<ip> in <logpath>\n
+            `grep '[^0-9]<ip>[^0-9]' <logpath>`\n\n
+            Regards,\n
+            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from  `uname -n`" <dest>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = 
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Destinataire of the mail
+#
+dest = root
+
+# Path to the log files which contain relevant lines for the abuser IP
+#
+logpath = /dev/null
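Review bot: In `actionban`, the output of `whois <ip>` and the lines returned by `grep ... <logpath>` are text that a remote party can influence, and both are piped to `mail` as the message body. Depending on which `mail` implementation is installed, tilde escape sequences at the start of a body line may be processed even when input comes from a pipe. The mail client should therefore have escape processing disabled, or the `sendmail-whois-lines` action should be used instead, since it hands the message to `/usr/sbin/sendmail`. The `whois` call in `mail-whois.conf` has the same exposure. I would add a comment above `actionban` such as `# whois/grep output is untrusted; make sure the mail client does not process ~ escapes`.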
diff --git a/fail2ban/action.d/mail-whois.conf b/fail2ban/action.d/mail-whois.conf
new file mode 100644 (file)
index 0000000..e4c8450
--- /dev/null
@@ -0,0 +1,64 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = printf %%b "Hi,\n
+              The jail <name> has been started successfully.\n
+              Regards,\n
+              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = printf %%b "Hi,\n
+             The jail <name> has been stopped.\n
+             Regards,\n
+             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = printf %%b "Hi,\n
+            The IP <ip> has just been banned by Fail2Ban after
+            <failures> attempts against <name>.\n\n
+            Here is more information about <ip>:\n
+            `whois <ip> || echo missing whois program`\n
+            Regards,\n
+            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = 
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Destination/Addressee of the mail
+#
+dest = root
+
diff --git a/fail2ban/action.d/mail.conf b/fail2ban/action.d/mail.conf
new file mode 100644 (file)
index 0000000..7bf51a1
--- /dev/null
@@ -0,0 +1,62 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = printf %%b "Hi,\n
+              The jail <name> has been started successfully.\n
+              Regards,\n
+              Fail2Ban"|mail -s "[Fail2Ban] <name>: started  on `uname -n`" <dest>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = printf %%b "Hi,\n
+             The jail <name> has been stopped.\n
+             Regards,\n
+             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = printf %%b "Hi,\n
+            The IP <ip> has just been banned by Fail2Ban after
+            <failures> attempts against <name>.\n
+            Regards,\n
+            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = 
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Destination/Addressee of the mail
+#
+dest = root
+
diff --git a/fail2ban/action.d/mynetwatchman.conf b/fail2ban/action.d/mynetwatchman.conf
new file mode 100644 (file)
index 0000000..fbb8a8f
--- /dev/null
@@ -0,0 +1,139 @@
+# Fail2Ban configuration file
+#
+# Author: Russell Odom <russ@gloomytrousers.co.uk>
+# Submits attack reports to myNetWatchman (http://www.mynetwatchman.com/)
+#
+# You MUST configure at least:
+# <port> (the port that's being attacked - use number not name).
+# <mnwlogin> (your mNW login).
+# <mnwpass> (your mNW password).
+#
+# You SHOULD also provide:
+# <myip> (your public IP address, if it's not the address of eth0)
+# <protocol> (the protocol in use - defaults to tcp)
+#
+# Best practice is to provide <port> and <protocol> in jail.conf like this:
+# action = mynetwatchman[port=1234,protocol=udp]
+#
+# ...and create "mynetwatchman.local" with contents something like this:
+# [Init]
+# mnwlogin = me@example.com
+# mnwpass = SECRET
+# myip = 10.0.0.1
+#
+# Another useful configuration value is <getcmd>, if you don't have wget
+# installed (an example config for curl is given below)
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop =
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+#
+# Note: We are currently using <time> for the timestamp because no tag is
+# available to indicate the timestamp of the log message(s) which triggered the
+# ban. Therefore the timestamps we are using in the report, whilst often only a
+# few seconds out, are incorrect. See
+# http://sourceforge.net/tracker/index.php?func=detail&aid=2017795&group_id=121032&atid=689047
+#
+actionban = MNWLOGIN=`perl -e '$s=shift;$s=~s/([\W])/"%%".uc(sprintf("%%2.2x",ord($1)))/eg;print $s' '<mnwlogin>'`
+            MNWPASS=`perl -e '$s=shift;$s=~s/([\W])/"%%".uc(sprintf("%%2.2x",ord($1)))/eg;print $s' '<mnwpass>'`
+           PROTOCOL=`awk '{IGNORECASE=1;if($1=="<protocol>"){print $2;exit}}' /etc/protocols`
+           if [ -z "$PROTOCOL" ]; then PROTOCOL=<protocol>; fi
+           DATETIME=`perl -e '@t=gmtime(<time>);printf "%%4d-%%02d-%%02d+%%02d:%%02d:%%02d",1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0]'`
+            <getcmd> "<mnwurl>?AT=2&AV=0&AgentEmail=$MNWLOGIN&AgentPassword=$MNWPASS&AttackerIP=<ip>&SrcPort=<srcport>&ProtocolID=$PROTOCOL&DestPort=<port>&AttackCount=<failures>&VictimIP=<myip>&AttackDateTime=$DATETIME" 2>&1 >> <tmpfile>.out && grep -q 'Attack Report Insert Successful' <tmpfile>.out && rm -f <tmpfile>.out
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban =
+
+[Init]
+# Option:  port
+# Notes.:  The target port for the attack (numerical). MUST be provided in
+#          the jail config, as it cannot be detected here.
+# Values:  [ NUM ]  Default: ???
+#
+port = 0
+
+# Option:  mnwlogin
+# Notes.:  Your mNW login e-mail address. MUST be provided either in the jail
+#          config or in a .local file.
+#          Register at http://www.mynetwatchman.com/reg.asp
+# Values:  [ STRING ]  Default: (empty)
+#
+mnwlogin =
+
+# Option:  mnwpass
+# Notes.:  The password corresponding to your mNW login e-mail address. MUST be
+#          provided either in the jail config or in a .local file.
+# Values:  [ STRING ]  Default: (empty)
+#
+mnwpass =
+
+# Option:  myip
+# Notes.:  The target IP for the attack (your public IP). Should be overridden
+#          either in the jail config or in a .local file unless your PUBLIC IP
+#          is the first IP assigned to eth0
+# Values:  [ an IP address ]  Default: Tries to find the IP address of eth0,
+#          which in most cases will be a private IP, and therefore incorrect
+#
+myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'`
+
+# Option:  protocol
+# Notes.:  The protocol over which the attack is happening
+# Values:  [ tcp | udp | icmp | (any other protocol name from /etc/protocols) | NUM ] Default: tcp
+#
+protocol = tcp
+
+# Option:  getcmd
+# Notes.:  A command to fetch a URL. Should output page to STDOUT
+# Values:  CMD  Default: wget
+#
+getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 --read-timeout=60 --retry-connrefused --output-document=- --user-agent=Fail2Ban
+# Alternative value:
+# getcmd = curl --silent --show-error --retry 3 --connect-timeout 10 --max-time 60 --user-agent Fail2Ban
+
+# Option:  srcport
+# Notes.:  The source port of the attack. You're unlikely to have this info, so
+#          you can leave the default
+# Values:  [ NUM ]  Default: 0
+#
+srcport = 0
+
+# Option:  mnwurl
+# Notes.:  The report service URL on the mNW site
+# Values:  STRING  Default: http://mynetwatchman.com/insertwebreport.asp
+#
+mnwurl = http://mynetwatchman.com/insertwebreport.asp
+
+# Option:  tmpfile
+# Notes.:  Base name of temporary files
+# Values:  [ STRING ]  Default: /run/fail2ban/tmp-mynetwatchman
+#
+tmpfile = /run/fail2ban/tmp-mynetwatchman
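Review bot: The `actionban` command puts the mNW login and password in the query string of `<mnwurl>`, whose default is a plain `http://` address, and passes that URL as a command-line argument to `<getcmd>`. The password therefore travels unencrypted and is visible in the process list while the fetch runs. If the service accepts TLS (not verifiable from this page), override `mnwurl` with an `https://` value in the `.local` file and keep that file readable by root only; since this tree is tracked in git, a committed `mnwpass` would also remain in history. Separately, `2>&1 >> <tmpfile>.out` sends only stdout to the file because of the redirection order; `>> <tmpfile>.out 2>&1` looks like what was intended. The `'<mnwlogin>'` and `'<mnwpass>'` arguments are single-quoted, so a value containing a single quote would break the command.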
diff --git a/fail2ban/action.d/osx-afctl.conf b/fail2ban/action.d/osx-afctl.conf
new file mode 100644 (file)
index 0000000..a319fc6
--- /dev/null
@@ -0,0 +1,16 @@
+# Fail2Ban configuration file for using afctl on Mac OS X Server 10.5
+#
+# Anonymous author
+# http://www.fail2ban.org/wiki/index.php?title=HOWTO_Mac_OS_X_Server_(10.5)&diff=prev&oldid=4081
+#
+# Ref: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/afctl.8.html
+
+[Definition]
+actionstart = 
+actionstop = 
+actioncheck = 
+actionban = /usr/libexec/afctl -a <ip> -t <bantime>
+actionunban = /usr/libexec/afctl -r <ip>
+
+[Init]
+bantime = 2880
diff --git a/fail2ban/action.d/osx-ipfw.conf b/fail2ban/action.d/osx-ipfw.conf
new file mode 100644 (file)
index 0000000..abe4009
--- /dev/null
@@ -0,0 +1,87 @@
+# Fail2Ban configuration file
+#
+# Author: Nick Munger
+# Modified by: Andy Fragen and Daniel Black
+#
+# Mod for OS X, using random rulenum as OSX ipfw doesn't include tables
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = 
+
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = 
+
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+# Values:  CMD
+#
+actionban = ipfw add <rulenum> set <setnum> <blocktype> log <block> from <ip> to <dst> <port>
+
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+# Values:  CMD
+#
+actionunban = ipfw delete `ipfw -S list | grep -i 'set <setnum> <blocktype> log <block> from <ip> to <dst>' | awk '{print $1;}'`
+
+[Init]
+
+# Option:  port
+# Notes.:  specifies port to block. Can be blank however may require block="ip"
+# Values:  [ NUM | STRING ]
+#
+port = ssh
+
+# Option:  dst
+# Notes.:  the local IP address of the network interface
+# Values:  IP, any, me or anything support by ipfw as a dst
+#
+dst = me
+
+# Option: block
+# Notes:  This is how much to block.
+#         Can be "ip", "tcp", "udp" or various other options.
+# Values: STRING
+block = tcp
+
+# Option:  blocktype
+# Notes.:  How to block the traffic. Use a action from man 8 ipfw
+#          Common values: deny, unreach port, reset
+# Values:  STRING
+#
+blocktype = unreach port
+
+# Option:  set number
+# Notes.:  The ipset number this is added to.
+# Values:  0-31
+setnum = 10
+
+# Option:  number for ipfw rule
+# Notes:   This is meant to be automatically generated and not overwritten
+# Values:  Random value between 10000 and 12000
+rulenum="`echo $((RANDOM%%2000+10000))`"
+
+# Duplicate prevention mechanism
+#rulenum = "`a=$((RANDOM%%2000+10000)); while ipfw show | grep -q ^$a\ ; do a=$((RANDOM%%2000+10000)); done; echo $a`"
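Review bot: `actionunban` deletes by rule number, but `rulenum` is drawn from only 2000 values with no uniqueness check, because the duplicate-prevention variant on the last line is commented out. If two bans land on the same number, unbanning one address would presumably remove the rule for the other as well, ending that ban early. `$RANDOM` is also a bash feature, so under a `/bin/sh` that lacks it the expression would presumably evaluate to 10000 every time. I would enable the looped variant in a `.local` override and add `# requires a shell that provides $RANDOM` above it. When the `grep` in `actionunban` finds nothing, `ipfw delete` runs with no argument, which is worth guarding too.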
diff --git a/fail2ban/action.d/pf.conf b/fail2ban/action.d/pf.conf
new file mode 100644 (file)
index 0000000..edcaa17
--- /dev/null
@@ -0,0 +1,62 @@
+# Fail2Ban configuration file
+#
+# OpenBSD pf ban/unban
+#
+# Author: Nick Hilliard <nick@foobar.org>
+#
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+# we don't enable PF automatically, as it will be enabled elsewhere
+actionstart = 
+
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+# we don't disable PF automatically either
+actionstop = 
+
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionban = /sbin/pfctl -t <tablename> -T add <ip>/32
+
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+# note -r option used to remove matching rule
+actionunban = /sbin/pfctl -t <tablename> -T delete <ip>/32
+
+[Init]
+# Option:  tablename
+# Notes.:  The pf table name.
+# Values:  [ STRING ]
+#
+tablename = fail2ban
+
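Review bot: The comment above `actionunban` refers to a `-r` option, but the command uses `-T delete`, so the comment is stale and should read something like `# -T delete removes the address from the table`. Nothing in this file says that the action only maintains the table: a ban takes effect only if the loaded pf ruleset has a rule that blocks on `<tablename>`, and the empty `actioncheck` does not verify that. I would document the requirement in the header, for example `# pf.conf must contain: table <fail2ban> persist` and `# block quick from <fail2ban>`. The `<ip>/32` suffix also means only IPv4 addresses are handled.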
diff --git a/fail2ban/action.d/route.conf b/fail2ban/action.d/route.conf
new file mode 100644 (file)
index 0000000..123245e
--- /dev/null
@@ -0,0 +1,26 @@
+# Fail2Ban configuration file
+#
+# Author: Michael Gebetsroither
+#
+# This is for blocking whole hosts through blackhole routes.
+#
+# PRO:
+#   - Works on all kernel versions and as no compatibility problems (back to debian lenny and WAY further).
+#   - It's FAST for very large numbers of blocked ips.
+#   - It's FAST because it Blocks traffic before it enters common iptables chains used for filtering.
+#   - It's per host, ideal as action against ssh password bruteforcing to block further attack attempts.
+#   - No additional software required beside iproute/iproute2
+#
+# CON:
+#   - Blocking is per IP and NOT per service, but ideal as action against ssh password bruteforcing hosts
+
+[Definition]
+actionban   = ip route add <blocktype> <ip>
+actionunban = ip route del <blocktype> <ip>
+
+[Init]
+
+# Option:  blocktype
+# Note:    Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages.
+# Values:  STRING
+blocktype = unreachable
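Review bot: The header's claim that this "Blocks traffic before it enters common iptables chains" needs a caveat. `ip route add <blocktype> <ip>` installs a route for packets sent to `<ip>`, so what it reliably stops is this host's replies. As far as I know, inbound packets from the banned address are dropped only when reverse-path filtering is enabled, which this file neither sets nor checks, so a service that acts on a single inbound packet may still see traffic. I would add `# inbound packets are only dropped when rp_filter is active; replies are always blocked` to the CON list. There is also no `actioncheck`, so a route removed by a network restart goes unnoticed until the unban fails.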
diff --git a/fail2ban/action.d/sendmail-buffered.conf b/fail2ban/action.d/sendmail-buffered.conf
new file mode 100644 (file)
index 0000000..0e80cb6
--- /dev/null
@@ -0,0 +1,96 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[INCLUDES]
+
+before = sendmail-common.conf
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
+              From: <sendername> <<sender>>
+              To: <dest>\n
+              Hi,\n
+              The jail <name> has been started successfully.\n
+              Output will be buffered until <lines> lines are available.\n
+              Regards,\n
+              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = if [ -f <tmpfile> ]; then
+                 printf %%b "Subject: [Fail2Ban] <name>: summary from `uname -n`
+                 From: <sendername> <<sender>>
+                 To: <dest>\n
+                 Hi,\n
+                 These hosts have been banned by Fail2Ban.\n
+                 `cat <tmpfile>`
+                 Regards,\n
+                 Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+                 rm <tmpfile>
+             fi
+             printf %%b "Subject: [Fail2Ban] <name>: stopped  on `uname -n`
+             From: Fail2Ban <<sender>>
+             To: <dest>\n
+             Hi,\n
+             The jail <name> has been stopped.\n
+             Regards,\n
+             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
+            LINE=$( wc -l <tmpfile> | awk '{ print $1 }' )
+            if [ $LINE -ge <lines> ]; then
+                printf %%b "Subject: [Fail2Ban] <name>: summary from `uname -n`
+                From: <sendername> <<sender>>
+                To: <dest>\n
+                Hi,\n
+                These hosts have been banned by Fail2Ban.\n
+                `cat <tmpfile>`
+                Regards,\n
+                Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+                rm <tmpfile>
+            fi
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = 
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Default number of lines that are buffered
+#
+lines = 5
+
+# Default temporary file
+#
+tmpfile = /run/fail2ban/tmp-mail.txt
+
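Review bot: The default `tmpfile = /run/fail2ban/tmp-mail.txt` does not include the jail name, so every jail that uses this action with defaults appends to and removes the same buffer file. Summaries then mix jails, and the append, `wc -l` and `rm` sequence in `actionban` can race between them; `mail-buffered.conf` uses the same default path. Give each jail its own file in the jail definition, e.g. `action = sendmail-buffered[name=ssh, tmpfile=/run/fail2ban/tmp-mail-ssh.txt]` (constructed example). The mails built here also lack the `Date:` header that `sendmail-common.conf` adds, and the "stopped" mail hardcodes `From: Fail2Ban <<sender>>` instead of using `<sendername>`.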
diff --git a/fail2ban/action.d/sendmail-common.conf b/fail2ban/action.d/sendmail-common.conf
new file mode 100644 (file)
index 0000000..26dcb4c
--- /dev/null
@@ -0,0 +1,73 @@
+# Fail2Ban configuration file
+#
+# Common settings for sendmail actions
+#
+# Users can override the defaults in sendmail-common.local
+
+[INCLUDES]
+
+after = sendmail-common.local
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
+              Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+              From: <sendername> <<sender>>
+              To: <dest>\n
+              Hi,\n
+              The jail <name> has been started successfully.\n
+              Regards,\n
+              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n`
+             Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+             From: <sendername> <<sender>>
+             To: <dest>\n
+             Hi,\n
+             The jail <name> has been stopped.\n
+             Regards,\n
+             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = 
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = 
+
+[Init]
+
+# Recipient mail address
+#
+dest = root
+
+# Sender mail address
+#
+sender = fail2ban
+
+# Sender display name
+#
+sendername = Fail2Ban
diff --git a/fail2ban/action.d/sendmail-whois-ipjailmatches.conf b/fail2ban/action.d/sendmail-whois-ipjailmatches.conf
new file mode 100644 (file)
index 0000000..45b1f31
--- /dev/null
@@ -0,0 +1,37 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[INCLUDES]
+
+before = sendmail-common.conf
+
+[Definition]
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
+            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+            From: <sendername> <<sender>>
+            To: <dest>\n
+            Hi,\n
+            The IP <ip> has just been banned by Fail2Ban after
+            <failures> attempts against <name>.\n\n
+            Here are more information about <ip>:\n
+            `/usr/bin/whois <ip>`\n\n
+            Matches for <name> with <ipjailfailures> failures IP:<ip>\n
+            <ipjailmatches>\n\n
+            Regards,\n
+            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+[Init]
+
+# Default name of the chain
+#
+name = default
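Review bot: This `actionban` calls `/usr/bin/whois <ip>` without the `|| echo missing whois program` fallback that `sendmail-whois.conf` and `sendmail-whois-lines.conf` use, so a missing binary leaves that part of the mail empty with no explanation. `sendmail-whois-ipmatches.conf` and `sendmail-whois-matches.conf` have the same gap. The wording differs as well: "Here are more information" here, "Here is more information" in the other two. `<ipjailmatches>` expands to log lines inside a double-quoted shell string passed to `printf %%b`, so the command's safety rests on Fail2Ban escaping tag values before substitution. That code is not on this page and is worth confirming for the installed version.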
diff --git a/fail2ban/action.d/sendmail-whois-ipmatches.conf b/fail2ban/action.d/sendmail-whois-ipmatches.conf
new file mode 100644 (file)
index 0000000..8193fb0
--- /dev/null
@@ -0,0 +1,37 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[INCLUDES]
+
+before = sendmail-common.conf
+
+[Definition]
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
+            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+            From: <sendername> <<sender>>
+            To: <dest>\n
+            Hi,\n
+            The IP <ip> has just been banned by Fail2Ban after
+            <failures> attempts against <name>.\n\n
+            Here are more information about <ip>:\n
+            `/usr/bin/whois <ip>`\n\n
+            Matches with <ipfailures> failures IP:<ip>\n
+            <ipmatches>\n\n
+            Regards,\n
+            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+[Init]
+
+# Default name of the chain
+#
+name = default
diff --git a/fail2ban/action.d/sendmail-whois-lines.conf b/fail2ban/action.d/sendmail-whois-lines.conf
new file mode 100644 (file)
index 0000000..270373e
--- /dev/null
@@ -0,0 +1,42 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[INCLUDES]
+
+before = sendmail-common.conf
+
+[Definition]
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
+            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+            From: <sendername> <<sender>>
+            To: <dest>\n
+            Hi,\n
+            The IP <ip> has just been banned by Fail2Ban after
+            <failures> attempts against <name>.\n\n
+            Here is more information about <ip>:\n
+            `/usr/bin/whois <ip> || echo missing whois program`\n\n
+            Lines containing IP:<ip> in <logpath>\n
+            `grep '[^0-9]<ip>[^0-9]' <logpath>`\n\n
+            Regards,\n
+            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
+# Path to the log files which contain relevant lines for the abuser IP
+#
+logpath = /dev/null
+
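Review bot: The `grep '[^0-9]<ip>[^0-9]' <logpath>` substitution in `actionban` has no upper bound on its output, so an address with many entries in a large log produces a correspondingly large mail. The pattern also requires a non-digit character on both sides, so a line that begins or ends with the address is not matched. I would cap and anchor it, for example `grep -m 1000 -E '(^|[^0-9])<ip>([^0-9]|$)' <logpath>` (the limit is a suggested value). A comment should also say that the default `logpath = /dev/null` yields an empty section unless the jail passes its own log path. `mail-whois-lines.conf` contains the same `grep`.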
diff --git a/fail2ban/action.d/sendmail-whois-matches.conf b/fail2ban/action.d/sendmail-whois-matches.conf
new file mode 100644 (file)
index 0000000..ed66476
--- /dev/null
@@ -0,0 +1,37 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[INCLUDES]
+
+before = sendmail-common.conf
+
+[Definition]
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
+            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+            From: <sendername> <<sender>>
+            To: <dest>\n
+            Hi,\n
+            The IP <ip> has just been banned by Fail2Ban after
+            <failures> attempts against <name>.\n\n
+            Here are more information about <ip>:\n
+            `/usr/bin/whois <ip>`\n\n
+            Matches:\n
+            <matches>\n\n
+            Regards,\n
+            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+[Init]
+
+# Default name of the chain
+#
+name = default
diff --git a/fail2ban/action.d/sendmail-whois.conf b/fail2ban/action.d/sendmail-whois.conf
new file mode 100644 (file)
index 0000000..fc60127
--- /dev/null
@@ -0,0 +1,36 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[INCLUDES]
+
+before = sendmail-common.conf
+
+[Definition]
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
+            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+            From: <sendername> <<sender>>
+            To: <dest>\n
+            Hi,\n
+            The IP <ip> has just been banned by Fail2Ban after
+            <failures> attempts against <name>.\n\n
+            Here is more information about <ip>:\n
+            `/usr/bin/whois <ip> || echo missing whois program`\n
+            Regards,\n
+            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
diff --git a/fail2ban/action.d/sendmail.conf b/fail2ban/action.d/sendmail.conf
new file mode 100644 (file)
index 0000000..46050e1
--- /dev/null
@@ -0,0 +1,34 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[INCLUDES]
+
+before = sendmail-common.conf
+
+[Definition]
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
+            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+            From: <sendername> <<sender>>
+            To: <dest>\n
+            Hi,\n
+            The IP <ip> has just been banned by Fail2Ban after
+            <failures> attempts against <name>.\n
+            Regards,\n
+            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+[Init]
+
+# Default name of the chain
+#
+name = default
+
diff --git a/fail2ban/action.d/shorewall.conf b/fail2ban/action.d/shorewall.conf
new file mode 100644 (file)
index 0000000..f5f2c77
--- /dev/null
@@ -0,0 +1,59 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+# The default Shorewall configuration is with "BLACKLISTNEWONLY=Yes" (see
+# file /etc/shorewall/shorewall.conf). This means that when Fail2ban adds a
+# new shorewall rule to ban an IP address, that rule will affect only new
+# connections. So if the attempter goes on trying using the same connection
+# he could even log in. In order to get the same behavior of the iptable
+# action (so that the ban is immediate) the /etc/shorewall/shorewall.conf
+# file should me modified with "BLACKLISTNEWONLY=No". Note that as of
+# Shorewall 4.5.13 BLACKLISTNEWONLY is deprecated; however the equivalent
+# of BLACKLISTNEWONLY=No can now be achieved by setting BLACKLIST="ALL".
+# 
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = 
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = 
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = shorewall <blocktype> <ip>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = shorewall allow <ip>
+
+[Init]
+
+# Option:  blocktype
+# Note:    This is what the action does with rules.
+#          See man page of shorewall for options that include drop, logdrop, reject, or logreject
+# Values:  STRING
+blocktype = reject
diff --git a/fail2ban/action.d/smtp.py b/fail2ban/action.d/smtp.py
new file mode 100644 (file)
index 0000000..8685761
--- /dev/null
@@ -0,0 +1,224 @@
+# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
+# vi: set ft=python sts=4 ts=4 sw=4 noet :
+
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+import socket
+import smtplib
+from email.mime.text import MIMEText
+from email.utils import formatdate, formataddr
+
+from fail2ban.server.actions import ActionBase, CallingMap
+
+messages = {}
+messages['start'] = \
+"""Hi,
+
+The jail %(jailname)s has been started successfully.
+
+Regards,
+Fail2Ban"""
+
+messages['stop'] = \
+"""Hi,
+
+The jail %(jailname)s has been stopped.
+
+Regards,
+Fail2Ban"""
+
+messages['ban'] = {}
+messages['ban']['head'] = \
+"""Hi,
+
+The IP %(ip)s has just been banned for %(bantime)i seconds
+by Fail2Ban after %(failures)i attempts against %(jailname)s.
+"""
+messages['ban']['tail'] = \
+"""
+Regards,
+Fail2Ban"""
+messages['ban']['matches'] = \
+"""
+Matches for this ban:
+%(matches)s
+"""
+messages['ban']['ipmatches'] = \
+"""
+Matches for %(ip)s:
+%(ipmatches)s
+"""
+messages['ban']['ipjailmatches'] = \
+"""
+Matches for %(ip)s for jail %(jailname)s:
+%(ipjailmatches)s
+"""
+
+class SMTPAction(ActionBase):
+       """Fail2Ban action which sends emails to inform on jail starting,
+       stopping and bans.
+       """
+
+       def __init__(
+               self, jail, name, host="localhost", user=None, password=None,
+               sendername="Fail2Ban", sender="fail2ban", dest="root", matches=None):
+               """Initialise action.
+
+               Parameters
+               ----------
+               jail : Jail
+                       The jail which the action belongs to.
+               name : str
+                       Named assigned to the action.
+               host : str, optional
+                       SMTP host, of host:port format. Default host "localhost" and
+                       port "25"
+               user : str, optional
+                       Username used for authentication with SMTP server.
+               password : str, optional
+                       Password used for authentication with SMTP server.
+               sendername : str, optional
+                       Name to use for from address in email. Default "Fail2Ban".
+               sender : str, optional
+                       Email address to use for from address in email.
+                       Default "fail2ban".
+               dest : str, optional
+                       Email addresses of intended recipient(s) in comma space ", "
+                       delimited format. Default "root".
+               matches : str, optional
+                       Type of matches to be included from ban in email. Can be one
+                       of "matches", "ipmatches" or "ipjailmatches". Default None
+                       (see man jail.conf.5).
+               """
+
+               super(SMTPAction, self).__init__(jail, name)
+
+               self.host = host
+               #TODO: self.ssl = ssl
+
+               self.user = user
+               self.password =password
+
+               self.fromname = sendername
+               self.fromaddr = sender
+               self.toaddr = dest
+
+               self.matches = matches
+
+               self.message_values = CallingMap(
+                       jailname = self._jail.name,
+                       hostname = socket.gethostname,
+                       bantime = self._jail.actions.getBanTime,
+                       )
+
+       def _sendMessage(self, subject, text):
+               """Sends message based on arguments and instance's properties.
+
+               Parameters
+               ----------
+               subject : str
+                       Subject of the email.
+               text : str
+                       Body of the email.
+
+               Raises
+               ------
+               SMTPConnectionError
+                       Error on connecting to host.
+               SMTPAuthenticationError
+                       Error authenticating with SMTP server.
+               SMTPException
+                       See Python `smtplib` for full list of other possible
+                       exceptions.
+               """
+               msg = MIMEText(text)
+               msg['Subject'] = subject
+               msg['From'] = formataddr((self.fromname, self.fromaddr))
+               msg['To'] = self.toaddr
+               msg['Date'] = formatdate()
+
+               smtp = smtplib.SMTP()
+               try:
+                       self._logSys.debug("Connected to SMTP '%s', response: %i: %s",
+                               self.host, *smtp.connect(self.host))
+                       if self.user and self.password:
+                               smtp.login(self.user, self.password)
+                       failed_recipients = smtp.sendmail(
+                               self.fromaddr, self.toaddr.split(", "), msg.as_string())
+               except smtplib.SMTPConnectError:
+                       self._logSys.error("Error connecting to host '%s'", self.host)
+                       raise
+               except smtplib.SMTPAuthenticationError:
+                       self._logSys.error(
+                               "Failed to authenticate with host '%s' user '%s'",
+                               self.host, self.user)
+                       raise
+               except smtplib.SMTPException:
+                       self._logSys.error(
+                               "Error sending mail to host '%s' from '%s' to '%s'",
+                               self.host, self.fromaddr, self.toaddr)
+                       raise
+               else:
+                       if failed_recipients:
+                               self._logSys.warning(
+                                       "Email to '%s' failed to following recipients: %r",
+                                       self.toaddr, failed_recipients)
+                       self._logSys.debug("Email '%s' successfully sent", subject)
+               finally:
+                       try:
+                               self._logSys.debug("Disconnected from '%s', response %i: %s",
+                                       self.host, *smtp.quit())
+                       except smtplib.SMTPServerDisconnected:
+                               pass # Not connected
+
+       def start(self):
+               """Sends email to recipients informing that the jail has started.
+               """
+               self._sendMessage(
+                       "[Fail2Ban] %(jailname)s: started on %(hostname)s" %
+                               self.message_values,
+                       messages['start'] % self.message_values)
+
+       def stop(self):
+               """Sends email to recipients informing that the jail has stopped.
+               """
+               self._sendMessage(
+                       "[Fail2Ban] %(jailname)s: stopped on %(hostname)s" %
+                               self.message_values,
+                       messages['stop'] % self.message_values)
+
+       def ban(self, aInfo):
+               """Sends email to recipients informing that ban has occurred.
+
+               Parameters
+               ----------
+               aInfo : dict
+                       Dictionary which includes information in relation to
+                       the ban.
+               """
+               aInfo.update(self.message_values)
+               message = "".join([
+                       messages['ban']['head'],
+                       messages['ban'].get(self.matches, ""),
+                       messages['ban']['tail']
+                       ])
+               self._sendMessage(
+                       "[Fail2Ban] %(jailname)s: banned %(ip)s from %(hostname)s" %
+                               aInfo,
+                       message % aInfo)
+
+Action = SMTPAction
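Review bot: In `_sendMessage`, `smtp.login(self.user, self.password)` runs on the plain connection opened by `smtp.connect(self.host)`, so when `host` is not the local machine the SMTP credentials and the ban report cross the network unencrypted. The `#TODO: self.ssl = ssl` in `__init__` suggests TLS was planned but never wired in. I would upgrade the session before authenticating by calling `smtp.starttls()` immediately before `smtp.login(...)`, and let the existing `except smtplib.SMTPException` branch report a server that does not offer STARTTLS. Separately, `smtplib.SMTP()` is created without a timeout, so an unresponsive mail host can stall the action; `smtplib.SMTP(timeout=30)` would bound that (the value is only a suggestion).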
diff --git a/fail2ban/action.d/symbiosis-blacklist-allports.conf b/fail2ban/action.d/symbiosis-blacklist-allports.conf
new file mode 100644 (file)
index 0000000..c497930
--- /dev/null
@@ -0,0 +1,52 @@
+# Fail2Ban configuration file for Bytemark Symbiosis firewall
+#
+# Author: Yaroslav Halchenko
+#
+
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop =
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = iptables -n -L <chain>
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP.
+# Values:  CMD
+#
+actionban = echo 'all' >| /etc/symbiosis/firewall/blacklist.d/<ip>.auto
+            iptables -I <chain> 1 -s <ip> -j <blocktype>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP.
+# Values:  CMD
+#
+actionunban = rm -f /etc/symbiosis/firewall/blacklist.d/<ip>.auto
+              iptables -D <chain> -s <ip> -j <blocktype> || :
+
+[Init]
+
+# Option:  chain
+# Notes    specifies the iptables chain to which the fail2ban rules should be
+#          added to.  blacklist is a chain initiated by symbiosis firewall.
+# Values:  STRING  Default: blacklist
+chain = blacklist
+
+# Option:  blocktype
+# Note:    This is to match default symbiosis firewall type for blacklisted IPs
+# Values:  STRING
+blocktype = DROP
diff --git a/fail2ban/action.d/ufw.conf b/fail2ban/action.d/ufw.conf
new file mode 100644 (file)
index 0000000..04b8b32
--- /dev/null
@@ -0,0 +1,40 @@
+# Fail2Ban action configuration file for ufw
+#
+# You are required to run "ufw enable" before this will have any effect.
+#
+# The insert position should be appropriate to block the required traffic.
+# A number after an allow rule to the application won't be of much use.
+
+[Definition]
+
+actionstart = 
+
+actionstop = 
+
+actioncheck = 
+
+actionban = [ -n "<application>" ] && app="app <application>" ; ufw insert <insertpos> <blocktype> from <ip> to <destination> $app
+
+actionunban = [ -n "<application>" ] && app="app <application>" ; ufw delete <blocktype> from <ip> to <destination> $app
+
+[Init]
+# Option: insertpos
+# Notes.:  The position number in the firewall list to insert the block rule
+insertpos = 1
+
+# Option: blocktype
+# Notes.: reject or deny
+blocktype = reject
+
+# Option: destination
+# Notes.: The destination address to block in the ufw rule
+destination = any
+
+# Option: application
+# Notes.: application from sudo ufw app list
+application = 
+
+# DEV NOTES:
+# 
+# Author: Guilhem Lettron
+# Enhancements: Daniel Black
diff --git a/fail2ban/action.d/xarf-login-attack.conf b/fail2ban/action.d/xarf-login-attack.conf
new file mode 100644 (file)
index 0000000..6d6a74f
--- /dev/null
@@ -0,0 +1,124 @@
+# Fail2Ban action for sending xarf Login-Attack messages to IP owner
+#
+# IMPORTANT: 
+# 
+# Emailing a IP owner of abuse is a serious complain. Make sure that it is
+# serious. Fail2ban developers and network owners recommend you only use this
+# action for:
+#   * The recidive where the IP has been banned multiple times
+#   * Where maxretry has been set quite high, beyond the normal user typing
+#     password incorrectly.
+#   * For filters that have a low likelihood of receiving human errors
+#
+# DEPENDENCIES:
+#
+# This requires the dig command from bind-utils
+#
+# This uses the https://abusix.com/contactdb.html to lookup abuse contacts.
+#
+# XARF is a specification for sending a formatted response
+# for non-messaging based abuse including:
+#
+# Login-Attack, Malware-Attack, Fraud (Phishing, etc.), Info DNSBL
+#
+# For details see:
+# https://github.com/abusix/xarf-specification
+# http://www.x-arf.org/schemata.html
+#
+# Author: Daniel Black
+# Based on complain written by Russell Odom <russ@gloomytrousers.co.uk>
+#
+#
+
+[Definition]
+
+actionstart =
+
+actionstop =
+
+actioncheck =
+
+actionban = oifs=${IFS}; IFS=.;SEP_IP=( <ip> ); set -- ${SEP_IP}; ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs}
+            IP=<ip>
+            FROM=<sender>
+            SERVICE=<service>
+            FAILURES=<failures>
+            REPORTID=<time>@`uname -n`
+            TLP=<tlp>
+            PORT=<port>
+            DATE=`LC_TIME=C date -u --date=@<time> +"%%a, %%d %%h %%Y %%T +0000"`
+            if [ ! -z "$ADDRESSES" ]; then
+                (printf -- %%b "<header>\n<message>\n<report>\n";
+                 date '+Note: Local timezone is %%z (%%Z)';
+                 printf -- %%b "<ipmatches>\n\n<footer>") | <mailcmd> <mailargs> ${ADDRESSES//,/\" \"}
+            fi
+
+actionunban =
+
+[Init]
+# Option: header
+# Notes:  This is really a fixed value
+header  = Subject: abuse report about $IP - $DATE\nAuto-Submitted: auto-generated\nX-XARF: PLAIN\nContent-Transfer-Encoding: 7bit\nContent-Type: multipart/mixed; charset=utf8;\n  boundary=Abuse-bfbb0f920793ac03cb8634bde14d8a1e;\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8;\n
+
+# Option: footer
+# Notes:  This is really a fixed value and needs to match the report and header
+#         mime delimiters
+footer = \n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e--
+
+# Option: report
+# Notes:  Intended to be fixed
+report =  --Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8; name=\"report.txt\";\n\n---\nReported-From: $FROM\nCategory: abuse\nReport-ID: $REPORTID\nReport-Type: login-attack\nService: $SERVICE\nVersion: 0.2\nUser-Agent: Fail2ban v0.9\nDate: $DATE\nSource-Type: ip-address\nSource: $IP\nPort: $PORT\nSchema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment: text/plain\nOccurances: $FAILURES\nTLP: $TLP\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf8; name=\"logfile.log\";
+
+# Option: Message
+# Notes:  This can be modified by the users 
+message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to abusix.com is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n This mail was generated by Fail2Ban in a X-ARF format! You can find more information about x-arf at http://www.x-arf.org/specification.html.\n\nThe recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email (info@abusix.com). Information about the Abuse Contact Database can be found here: https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is neither responsible nor liable for the content or accuracy of this message.\n
+
+# Option:  loglines
+# Notes.:  The number of log lines to search for the IP for the report
+loglines = 9000
+
+# Option:  mailcmd
+# Notes.:  Your system mail command. It is passed the recipient
+# Values:  CMD
+#
+mailcmd =  /usr/sbin/sendmail
+
+# Option:  mailargs
+# Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
+#          CC reports to another address:
+#              -c me@example.com
+#          Appear to come from a different address - the '--' indicates
+#          arguments to be passed to Sendmail:
+#              -- -f me@example.com
+# Values:  [ STRING ]
+#
+mailargs = -f <sender>
+
+# Option:  tlp
+# Notes.:  Traffic light protocol defining the sharing of this information.
+#          http://www.trusted-introducer.org/ISTLPv11.pdf
+#          green is share to those involved in network security but it is not 
+#          to be released to the public.
+tlp = green
+
+# ALL of the following parameters should be set so the report contains
+# meaningful information
+
+# Option: service
+# Notes.: This is the service type that was attacked. e.g. ssh, pop3
+service = unspecified
+
+# Option:  logpath
+# Notes:   Path to the log files which contain relevant lines for the abuser IP
+# Values:  Filename(s) space separated and can contain wildcards (these are
+#          greped for the IP so make sure these aren't too long
+logpath = /dev/null
+
+# Option:  sender
+# Notes.:  This is the sender that is included in the XARF report
+sender = fail2ban@`uname -n`
+
+# Option:  port
+# Notes.:  This is the port number that received the login-attack
+port = 0
+
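Review bot: In `actionban`, `ADDRESSES` is whatever the `dig +short -t txt` lookup returns, and it is expanded unquoted as trailing arguments to `<mailcmd> <mailargs>` without any check that it looks like an e-mail address. I would end option parsing before it, `| <mailcmd> <mailargs> -- ${ADDRESSES//,/\" \"}` where the configured mail command honours `--`, and skip the send when the answer contains anything other than address characters. The same line relies on bash-only syntax (`SEP_IP=( <ip> )`, `${ADDRESSES//,/...}`), which deserves a comment if the action may be run by a plain `/bin/sh`. In `[Init]`, `loglines` and `logpath` are described as being searched for the report, but nothing in `actionban` references them (the log excerpt comes from `<ipmatches>`); a comment such as `# not used by actionban; the report body is built from <ipmatches>` would keep whoever tunes them from being misled.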
diff --git a/fail2ban/fail2ban.conf b/fail2ban/fail2ban.conf
new file mode 100644 (file)
index 0000000..550b404
--- /dev/null
@@ -0,0 +1,65 @@
+# Fail2Ban main configuration file
+#
+# Comments: use '#' for comment lines and ';' (following a space) for inline comments
+#
+# Changes:  in most of the cases you should not modify this
+#           file, but provide customizations in fail2ban.local file, e.g.:
+#
+# [Definition]
+# loglevel = DEBUG
+#
+
+[Definition]
+
+# Option: loglevel
+# Notes.: Set the log level output.
+#         CRITICAL
+#         ERROR
+#         WARNING
+#         NOTICE
+#         INFO
+#         DEBUG
+# Values: [ LEVEL ]  Default: ERROR
+#
+loglevel = INFO
+
+# Option: logtarget
+# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
+#         Only one log target can be specified.
+#         If you change logtarget from the default value and you are
+#         using logrotate -- also adjust or disable rotation in the
+#         corresponding configuration file
+#         (e.g. /etc/logrotate.d/fail2ban on Debian systems)
+# Values: [ STDOUT | STDERR | SYSLOG | FILE ]  Default: STDERR
+#
+logtarget = /var/log/fail2ban.log
+
+# Option: socket
+# Notes.: Set the socket file. This is used to communicate with the daemon. Do
+#         not remove this file when Fail2ban runs. It will not be possible to
+#         communicate with the server afterwards.
+# Values: [ FILE ]  Default: /run/fail2ban/fail2ban.sock
+#
+socket = /run/fail2ban/fail2ban.sock
+
+# Option: pidfile
+# Notes.: Set the PID file. This is used to store the process ID of the
+#         fail2ban server.
+# Values: [ FILE ]  Default: /run/fail2ban/fail2ban.pid
+#
+pidfile = /run/fail2ban/fail2ban.pid
+
+# Options: dbfile
+# Notes.: Set the file for the fail2ban persistent data to be stored.
+#         A value of ":memory:" means database is only stored in memory 
+#         and data is lost when fail2ban is stopped.
+#         A value of "None" disables the database.
+# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
+dbfile = /var/lib/fail2ban/fail2ban.sqlite3
+
+# Options: dbpurgeage
+# Notes.: Sets age at which bans should be purged from the database
+# Values: [ SECONDS ] Default: 86400 (24hours)
+dbpurgeage = 86400
+
+# vim: filetype=dosini
diff --git a/fail2ban/filter.d/3proxy.conf b/fail2ban/filter.d/3proxy.conf
new file mode 100644 (file)
index 0000000..299c3a2
--- /dev/null
@@ -0,0 +1,18 @@
+# Fail2Ban filter for 3proxy
+#
+#
+
+[Definition]
+
+
+failregex = ^\s[+-]\d{4} \S+ \d{3}0[1-9] \S+ <HOST>:\d+ [\d.]+:\d+ \d+ \d+ \d+\s
+
+ignoreregex = 
+
+# DEV Notes:
+# http://www.3proxy.ru/howtoe.asp#ERRORS indicates that 01-09 are
+# all authentication problems (%E field)
+# Log format is: "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
+#
+# Requested by ykimon in https://github.com/fail2ban/fail2ban/issues/246
+# Author: Daniel Black
diff --git a/fail2ban/filter.d/apache-auth.conf b/fail2ban/filter.d/apache-auth.conf
new file mode 100644 (file)
index 0000000..8a63858
--- /dev/null
@@ -0,0 +1,56 @@
+# Fail2Ban apache-auth filter
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# apache-common.local
+before = apache-common.conf
+
+[Definition]
+
+
+failregex = ^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$
+            ^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
+            ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*?: password mismatch: \S*(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*?' in realm `.+' (not found|denied by provider): \S*(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s (AH01631: )?user .*?: authorization failure for "\S*":(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*?' but expected `.+'(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*?' received: \S*(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s (AH01793: )?invalid qop `.*?' received: \S*(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .*? received - user attempted time travel(, referer: \S+)?\s*$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# This filter matches the authorization failures of Apache. It takes the log messages
+# from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or
+# HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR.
+#
+# An unauthorized response 401 is the first step for a browser to instigate authentication
+# however apache doesn't log this as an error. Only subsequent errors are logged in the 
+# error log.
+#
+# Source:
+#
+# By searching the code in http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/*
+# for ap_log_rerror(APLOG_MARK, APLOG_ERR and examining resulting return code should get
+# all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core
+# to return the actual failure.
+#
+# See also: http://wiki.apache.org/httpd/ListOfErrors
+# Expressions that don't have tests and aren't common.
+# more be added with  https://issues.apache.org/bugzilla/show_bug.cgi?id=55284 
+#     ^%(_apache_error_client)s (AH01778: )?user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
+#     ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$
+#     ^%(_apache_error_client)s (AH02486: )?realm mismatch - got `.*' but no realm specified\s*$
+#
+# referer is always in error log messages if it exists added as per the log_error_core function in server/log.c
+# 
+# Author: Cyril Jaquier
+# Major edits by Daniel Black
diff --git a/fail2ban/filter.d/apache-badbots.conf b/fail2ban/filter.d/apache-badbots.conf
new file mode 100644 (file)
index 0000000..b2ac962
--- /dev/null
@@ -0,0 +1,21 @@
+# Fail2Ban configuration file
+#
+# Regexp to catch known spambots and software alike. Please verify
+# that it is your intent to block IPs which were driven by
+# above mentioned bots.
+
+
+[Definition]
+
+badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
+badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots&#44; +http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 
11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
+
+failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
+
+ignoreregex =
+
+# DEV Notes:
+# List of bad bots fetched from http://www.user-agents.org
+# Generated on Thu Nov  7 14:23:35 PST 2013 by files/gen_badbots.
+#
+# Author: Yaroslav Halchenko
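Review bot: Several `badbots` alternatives contain unescaped regex metacharacters, so they do not match the user-agent strings they were generated from. In `LetsCrawl\.com/1\.0 +http\://letscrawl\.com/` the ` +` means one or more spaces, in `Sogou web spider/3\.0\(+http...` the `\(+` means one or more `(`, and in `/?scan4mail` the `?` only makes the slash optional. Clients sending those exact strings therefore pass the filter unbanned. The generator named in the DEV notes should escape them, e.g. `LetsCrawl\.com/1\.0 \+http\://letscrawl\.com/` and `/\?scan4mail`. The `&#44;` in the Snapbot entry also looks like an HTML entity carried over from the source list rather than the comma a real header would contain; that is worth confirming against a logged request.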
diff --git a/fail2ban/filter.d/apache-botsearch.conf b/fail2ban/filter.d/apache-botsearch.conf
new file mode 100644 (file)
index 0000000..f7f5488
--- /dev/null
@@ -0,0 +1,48 @@
+# Fail2Ban filter to match web requests for selected URLs that don't exist
+#
+# This filter is aimed at blocking specific URLs that don't exist. This
+# could be a set of URLs places in a Disallow: directive in robots.txt or
+# just some web services that don't exist caused bots are searching for
+# exploitable content. This filter is designed to have a low false postitive
+# rate due.
+#
+# An alternative to this is the apache-noscript filter which blocks all
+# types of scripts that don't exist.
+#
+#
+# This is normally a predefined list of exploitable or valuable web services
+# that are hidden or aren't actually installed.
+#
+
+[INCLUDES]
+
+# overwrite with apache-common.local if _apache_error_client is incorrect.
+before = apache-common.conf
+
+[Definition]
+
+failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): <webroot><block>(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s script '<webroot><block>' not found or unable to stat(, referer: \S+)?\s*$
+
+ignoreregex = 
+
+
+[Init]
+
+# Webroot represents the webroot on which all other files are based
+webroot = /var/www/
+# Block is the actual non-found directories to block
+block = (<webmail>|<phpmyadmin>|<wordpress>)[^,]*
+
+# These are just convient definitions that assist the blocking of stuff that 
+# isn't installed
+webmail = roundcube|(ext)?mail|horde|(v-?)?webmail
+
+phpmyadmin = (typo3/|xampp/|admin/|)(pma|(php)?[Mm]y[Aa]dmin)
+
+wordpress = wp-(login|signup)\.php
+
+
+# DEV Notes:
+#
+# Author: Daniel Black
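Review bot: `webroot = /var/www/` is placed directly in front of `<block>` in both `failregex` lines, so a request is only counted when the logged path starts with exactly `/var/www/` followed by one of the blocked names. On a host whose DocumentRoot is deeper or elsewhere the filter matches nothing and gives no sign of it. I would document that next to the option, e.g. `# webroot must equal the DocumentRoot (with trailing slash) exactly as it appears in the error log; override it in a .local file`, and verify the shipped value against this server's vhosts before enabling the jail.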
diff --git a/fail2ban/filter.d/apache-common.conf b/fail2ban/filter.d/apache-common.conf
new file mode 100644 (file)
index 0000000..c843c92
--- /dev/null
@@ -0,0 +1,21 @@
+# Generic configuration items (to be used as interpolations) in other
+# apache filters.
+
+[INCLUDES]
+
+# Load customizations if any available
+after = apache-common.local
+
+[DEFAULT]
+
+_apache_error_client = \[\] \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\]
+
+# Common prefix for [error] apache messages which also would include <HOST>
+# Depending on the version it could be
+# 2.2: [Sat Jun 01 11:23:08 2013] [error] [client 1.2.3.4]
+# 2.4: [Thu Jun 27 11:55:44.569531 2013] [core:info] [pid 4101:tid 2992634688] [client 1.2.3.4:46652]
+# 2.4 (perfork): [Mon Dec 23 07:49:01.981912 2013] [:error] [pid 3790] [client 204.232.202.107:46301] script '/var/www/timthumb.php' not found or unable to 
+#
+# Reference: https://github.com/fail2ban/fail2ban/issues/268
+#
+# Author: Yaroslav Halchenko
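Review bot: `_apache_error_client` has two constructs that read like mistakes and are not explained, which invites a well-meaning "fix" that would break every Apache filter including this file. The leading `\[\]` matches a literal empty bracket pair, presumably what is left once fail2ban has removed the timestamp from the line. `(:?error|\S+:\S+)` is an optional colon before `error`, not a mistyped `(?:`, and it is what lets the `[:error]` form in the 2.4 prefork example match. A short comment above the definition would make this clear, e.g. `# \[\] = bracket pair left after the timestamp is stripped; (:?error) also accepts "[:error]"`, with the first half confirmed against the fail2ban version in use.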
diff --git a/fail2ban/filter.d/apache-modsecurity.conf b/fail2ban/filter.d/apache-modsecurity.conf
new file mode 100644 (file)
index 0000000..ad7e9b2
--- /dev/null
@@ -0,0 +1,18 @@
+# Fail2Ban apache-modsec filter
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# apache-common.local
+before = apache-common.conf
+
+[Definition]
+
+
+failregex = ^%(_apache_error_client)s ModSecurity:  (\[.*?\] )*Access denied with code [45]\d\d.*$
+
+ignoreregex = 
+
+# https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats
+# Author: Daniel Black
diff --git a/fail2ban/filter.d/apache-nohome.conf b/fail2ban/filter.d/apache-nohome.conf
new file mode 100644 (file)
index 0000000..358d6d3
--- /dev/null
@@ -0,0 +1,20 @@
+# Fail2Ban filter to web requests for home directories on Apache servers
+#
+# Regex to match failures to find a home directory on a server, which
+# became popular last days. Most often attacker just uses IP instead of
+# domain name -- so expect to see them in generic error.log if you have
+# per-domain log files.
+
+[INCLUDES]
+
+# overwrite with apache-common.local if _apache_error_client is incorrect.
+before = apache-common.conf
+
+[Definition]
+
+
+failregex = ^%(_apache_error_client)s (AH00128: )?File does not exist: .*/~.*
+
+ignoreregex = 
+
+# Author: Yaroslav O. Halchenko <debian@onerussian.com>
diff --git a/fail2ban/filter.d/apache-noscript.conf b/fail2ban/filter.d/apache-noscript.conf
new file mode 100644 (file)
index 0000000..fbc1af6
--- /dev/null
@@ -0,0 +1,32 @@
+# Fail2Ban filter to block web requests for scripts (on non scripted websites)
+#
+# This matches many types of scripts that don't exist. This could generate a
+# lot of false positive matches in cases like wikis and forums where users
+# no affiliated with the website can insert links to missing files/scripts into
+# pages and cause non-malicious browsers of the site to trigger against this
+# filter.
+#
+# If you'd like to match specific URLs that don't exist see the
+# apache-botsearch filter.
+#
+
+[INCLUDES]
+
+# overwrite with apache-common.local if _apache_error_client is incorrect.
+before = apache-common.conf
+
+[Definition]
+
+failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): /\S*(php([45]|[.-]cgi)?|\.asp|\.exe|\.pl)(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s script '/\S*(php([45]|[.-]cgi)?|\.asp|\.exe|\.pl)\S*' not found or unable to stat(, referer: \S+)?\s*$
+
+ignoreregex = 
+
+
+# DEV Notes:
+#
+# https://wiki.apache.org/httpd/ListOfErrors for apache error IDs
+#
+# Second regex, script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$ is in httpd-2.2
+#
+# Author: Cyril Jaquier
diff --git a/fail2ban/filter.d/apache-overflows.conf b/fail2ban/filter.d/apache-overflows.conf
new file mode 100644 (file)
index 0000000..74e44b8
--- /dev/null
@@ -0,0 +1,36 @@
+# Fail2Ban filter to block web requests on a long or suspicious nature
+#
+
+[INCLUDES]
+
+# overwrite with apache-common.local if _apache_error_client is incorrect.
+before = apache-common.conf
+
+[Definition]
+
+failregex = ^%(_apache_error_client)s ((AH0013[456]: )?Invalid (method|URI) in request .*( - possible attempt to establish SSL connection on non-SSL port)?|(AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string: .*|AH00566: request failed: invalid characters in URI)(, referer: \S+)?$
+
+ignoreregex =
+
+# DEV Notes:
+# 
+# fgrep -r 'URI too long' httpd-2.*
+#   httpd-2.2.25/server/protocol.c:                          "request failed: URI too long (longer than %d)", r->server->limit_req_line);
+#   httpd-2.4.4/server/protocol.c:                              "request failed: URI too long (longer than %d)",
+#
+# fgrep -r 'in request' ../httpd-2.* | fgrep Invalid
+#   httpd-2.2.25/server/core.c:                     "Invalid URI in request %s", r->the_request);
+#   httpd-2.2.25/server/core.c:                          "Invalid method in request %s", r->the_request);
+#   httpd-2.2.25/docs/manual/rewrite/flags.html.fr:avertissements 'Invalid URI in request'.
+#   httpd-2.4.4/server/core.c:                     "Invalid URI in request %s", r->the_request);
+#   httpd-2.4.4/server/core.c:                              "Invalid method in request %s - possible attempt to establish SSL connection on non-SSL port", r->the_request);
+#   httpd-2.4.4/server/core.c:                              "Invalid method in request %s", r->the_request);
+#
+# fgrep -r 'invalid characters in URI' httpd-2.*
+#   httpd-2.4.4/server/protocol.c:                              "request failed: invalid characters in URI");
+#
+# http://svn.apache.org/viewvc/httpd/httpd/trunk/server/core.c?r1=739382&r2=739620&pathrev=739620
+#   ...possible attempt to establish SSL connection on non-SSL port
+#
+# https://wiki.apache.org/httpd/ListOfErrors
+# Author: Tim Connors
diff --git a/fail2ban/filter.d/apache-shellshock.conf b/fail2ban/filter.d/apache-shellshock.conf
new file mode 100644 (file)
index 0000000..39df170
--- /dev/null
@@ -0,0 +1,26 @@
+# Fail2Ban filter to block web requests containing custom headers attempting to exploit the shellshock bug
+#
+#
+
+[INCLUDES]
+
+# overwrite with apache-common.local if _apache_error_client is incorrect.
+before = apache-common.conf
+
+[Definition]
+
+failregex = ^%(_apache_error_client)s (AH01215: )?/bin/(ba)?sh: warning: HTTP_.*?: ignoring function definition attempt(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s (AH01215: )?/bin/(ba)?sh: error importing function definition for `HTTP_.*?'(, referer: \S+)?\s*$
+
+ignoreregex = 
+
+
+# DEV Notes:
+#
+# https://wiki.apache.org/httpd/ListOfErrors for apache error IDs
+#
+# example log lines: 
+# [Thu Sep 25 09:27:18.813902 2014] [cgi:error] [pid 16860] [client 89.207.132.76:59635] AH01215: /bin/bash: warning: HTTP_TEST: ignoring function definition attempt
+# [Thu Sep 25 09:29:56.141832 2014] [cgi:error] [pid 16864] [client 162.247.73.206:41273] AH01215: /bin/bash: error importing function definition for `HTTP_TEST'
+#
+# Author: Eugene Hopkinson (riot@riot.so)
diff --git a/fail2ban/filter.d/assp.conf b/fail2ban/filter.d/assp.conf
new file mode 100644 (file)
index 0000000..2aa8958
--- /dev/null
@@ -0,0 +1,24 @@
+# Fail2Ban filter for Anti-Spam SMTP Proxy Server also known as ASSP
+# 
+#    Honmepage:   http://www.magicvillage.de/~Fritz_Borgstedt/assp/0003D91C-8000001C/
+#    ProjektSite: http://sourceforge.net/projects/assp/?source=directory
+#
+#
+
+[Definition] 
+
+__assp_actions = (?:dropping|refusing)
+
+failregex = ^(:? \[SSL-out\])? <HOST> max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: \w+;$
+                       ^(?: \[SSL-out\])? <HOST> SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$
+                       ^ Blocking <HOST> - too much AUTH errors \(\d{,3}\);$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
+#           Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
+#           Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded 
+#
+# Author: Enrico Labedzki (enrico.labedzki@deiwos.de)
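Review bot: The first failregex opens with `^(:? \[SSL-out\])?`, which is a capturing group starting with an optional literal colon rather than the non-capturing `(?:` used on the next line. It still matches lines without the colon, but it reads as a typo and should be `^(?: \[SSL-out\])?`. On the same line the status code is written `\d{1}\.\d{1}.\d{1}` with the last dot unescaped, so any character is accepted there; `\d\.\d\.\d` says what is meant. The same unescaped-dot slip appears in directadmin.conf (`attempt(s)?. `), openwebmail.conf (`auth_unix.pl`) and oracleims.conf (`535 5.7.8`) in this commit.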
diff --git a/fail2ban/filter.d/asterisk.conf b/fail2ban/filter.d/asterisk.conf
new file mode 100644 (file)
index 0000000..54b2db7
--- /dev/null
@@ -0,0 +1,39 @@
+# Fail2Ban filter for asterisk authentication failures
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = asterisk
+
+__pid_re = (?:\[\d+\])
+
+# All Asterisk log messages begin like this:
+log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?
+
+failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
+            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
+            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
+            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
+            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
+            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
+            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
+            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
+            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
+
+ignoreregex =
+
+
+# Author: Xavier Devlamynck / Daniel Black
+#
+# General log format - main/logger.c:ast_log
+# Address format - ast_sockaddr_stringify
+#
+# First regex: channels/chan_sip.c
+#
+# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog
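Review bot: The second failregex only counts rejected calls when the extension is all digits and the context is literally `default` (`to extension '\d+' rejected because extension not found in context 'default'\.$`). If this host's dialplan puts unauthenticated calls in a differently named context, or a non-numeric extension is dialled, those lines would not be counted, assuming asterisk logs them in the same form. `to extension '[^']*' rejected because extension not found in context '[^']*'\.$` keeps the end anchor while dropping both assumptions. Separately, `Not a local domain` is listed twice in the alternation of the first failregex; the second occurrence can go.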
diff --git a/fail2ban/filter.d/common.conf b/fail2ban/filter.d/common.conf
new file mode 100644 (file)
index 0000000..ae8e8b7
--- /dev/null
@@ -0,0 +1,56 @@
+# Generic configuration items (to be used as interpolations) in other
+# filters  or actions configurations
+#
+
+[INCLUDES]
+
+# Load customizations if any available
+after = common.local
+
+
+[DEFAULT]
+
+# Daemon definition is to be specialized (if needed) in .conf file
+_daemon = \S*
+
+#
+# Shortcuts for easier comprehension of the failregex
+#
+# PID.
+# EXAMPLES: [123]
+__pid_re = (?:\[\d+\])
+
+# Daemon name (with optional source_file:line or whatever)
+# EXAMPLES: pam_rhosts_auth, [sshd], pop(pam_unix)
+__daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?
+
+# extra daemon info
+# EXAMPLE: [ID 800047 auth.info]
+__daemon_extra_re = (?:\[ID \d+ \S+\])
+
+# Combinations of daemon name and PID
+# EXAMPLES: sshd[31607], pop(pam_unix)[4920]
+__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:?)
+
+# Some messages have a kernel prefix with a timestamp
+# EXAMPLES: kernel: [769570.846956]
+__kernel_prefix = kernel: \[ *\d+\.\d+\]
+
+__hostname = \S+
+
+# A MD5 hex
+# EXAMPLES: 07:06:27:55:b0:e3:0c:3c:5a:28:2d:7c:7e:4c:77:5f
+__md5hex = (?:[\da-f]{2}:){15}[\da-f]{2}
+
+# bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or
+# <auth.info> appearing before the host as per testcases/files/logs/bsd/*.
+__bsd_syslog_verbose = (<[^.]+\.[^.]+>)
+
+# Common line prefixes (beginnings) which could be used in filters
+#
+#      [bsdverbose]? [hostname] [vserver tag] daemon_id spaces
+#
+# This can be optional (for instance if we match named native log files)
+__prefix_line = \s*%(__bsd_syslog_verbose)s?\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s%(__daemon_extra_re)s?\s*
+
+# Author: Yaroslav Halchenko
diff --git a/fail2ban/filter.d/counter-strike.conf b/fail2ban/filter.d/counter-strike.conf
new file mode 100644 (file)
index 0000000..ef42db2
--- /dev/null
@@ -0,0 +1,16 @@
+# Fail2Ban filter for failure attempts in Counter Strike-1.6
+#
+#
+
+[Definition]
+
+failregex = ^: Bad Rcon: "rcon \d+ "\S+"  sv_contact ".*?"" from "<HOST>:\d+"$
+
+
+[Init]
+
+datepattern = ^L %%d/%%m/%%Y - %%H:%%M:%%S
+
+
+# Author: Daniel Black
+
diff --git a/fail2ban/filter.d/courier-auth.conf b/fail2ban/filter.d/courier-auth.conf
new file mode 100644 (file)
index 0000000..1170a63
--- /dev/null
@@ -0,0 +1,19 @@
+# Fail2Ban filter for courier authentication failures
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)?
+
+failregex = ^%(__prefix_line)sLOGIN FAILED, user=.*, ip=\[<HOST>\]$
+
+ignoreregex = 
+
+# Author: Christoph Haas
+# Modified by: Cyril Jaquier
diff --git a/fail2ban/filter.d/courier-smtp.conf b/fail2ban/filter.d/courier-smtp.conf
new file mode 100644 (file)
index 0000000..7df385b
--- /dev/null
@@ -0,0 +1,20 @@
+# Fail2Ban filter to block relay attempts though a Courier smtp server
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = courieresmtpd
+
+failregex = ^%(__prefix_line)serror,relay=<HOST>,.*: 550 User (<.*> )?unknown\.?$
+            ^%(__prefix_line)serror,relay=<HOST>,msg="535 Authentication failed\.",cmd:( AUTH \S+)?( [0-9a-zA-Z\+/=]+)?$
+
+ignoreregex = 
+
+# Author: Cyril Jaquier
diff --git a/fail2ban/filter.d/cyrus-imap.conf b/fail2ban/filter.d/cyrus-imap.conf
new file mode 100644 (file)
index 0000000..73764d9
--- /dev/null
@@ -0,0 +1,20 @@
+# Fail2Ban filter for authentication failures on Cyrus imap server
+#
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = (?:cyrus/)?(?:imap(d|s)?|pop3(d|s)?)
+
+failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ .*?\[?SASL\(-13\): (authentication failure|user not found): .*\]?$
+
+ignoreregex = 
+
+# Author: Jan Wagner <waja@cyconet.org>
diff --git a/fail2ban/filter.d/directadmin.conf b/fail2ban/filter.d/directadmin.conf
new file mode 100644 (file)
index 0000000..7622e54
--- /dev/null
@@ -0,0 +1,23 @@
+# Fail2Ban configuration file for Directadmin
+#
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+failregex = ^: \'<HOST>\' \d{1,3} failed login attempt(s)?. \s*
+
+ignoreregex = 
+
+[Init]
+datepattern = ^%%Y:%%m:%%d-%%H:%%M:%%S
+
+#
+# Requires Directadmin v1.45.3 or higher. http://www.directadmin.com/features.php?id=1590
+#
+# Author: Cyril Roos
+
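Review bot: The failregex ends in `. \s*` with no `$`, so the trailing `\s*` has no effect and anything may follow the matched text; most other filters in this commit are anchored at both ends. If the DirectAdmin line ends there, `attempt(s)?\. \s*$` would be the anchored form. If more text follows, a sample log line in the comments (as mysqld-auth.conf has) would show a reader what is being skipped. kerio.conf also has two patterns without an end anchor.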
diff --git a/fail2ban/filter.d/dovecot.conf b/fail2ban/filter.d/dovecot.conf
new file mode 100644 (file)
index 0000000..0b154ff
--- /dev/null
@@ -0,0 +1,29 @@
+# Fail2Ban filter Dovecot authentication and pop3/imap server
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (auth|dovecot(-auth)?|auth-worker)
+
+failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
+            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
+            ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
+
+ignoreregex = 
+
+[Init]
+
+journalmatch = _SYSTEMD_UNIT=dovecot.service
+
+# DEV Notes:
+# * the first regex is essentially a copy of pam-generic.conf
+# * Probably doesn't do dovecot sql/ldap backends properly
+# * Removed the 'no auth attempts' log lines from the matches because produces
+#    lots of false positives on misconfigured MTAs making regexp unusable
+#
+# Author: Martin Waschbuesch
+#         Daniel Black (rewrote with begin and end anchors)
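Review bot: In the second failregex, `( user=<\S*>,)?` only matches a user name without whitespace, so a failed login that dovecot logs with a space inside `user=<...>` would not be counted at all. Whether such names reach the log depends on the dovecot configuration. `( user=<[^>]*>,)?` would accept them, and the existing `\s*$` anchor should stay so the wider class cannot shift where `rip=<HOST>` is taken from. The same whitespace-free user pattern is used in ejabberd-auth.conf (second regex), groupoffice.conf, horde.conf and nginx-http-auth.conf in this commit.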
diff --git a/fail2ban/filter.d/dropbear.conf b/fail2ban/filter.d/dropbear.conf
new file mode 100644 (file)
index 0000000..288b088
--- /dev/null
@@ -0,0 +1,48 @@
+# Fail2Ban filter for dropbear
+#
+# NOTE: The regex below is ONLY intended to work with a patched
+# version of Dropbear as described here:
+# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
+#            ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
+#
+# The standard Dropbear output doesn't provide enough information to
+# ban all types of attack.  The Dropbear patch adds IP address
+# information to the 'exit before auth' message which is always
+# produced for any form of non-successful login. It is that message
+# which this file matches.
+#
+# More information: http://bugs.debian.org/546913
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = dropbear
+
+failregex = ^%(__prefix_line)s[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
+            ^%(__prefix_line)s[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
+            ^%(__prefix_line)s[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# The first two regexs here match the unmodified dropbear messages. It isn't
+# possible to match the source of the 'exit before auth' messages from dropbear
+# as they don't include the "from <HOST>" bit.
+#
+# The second last failregex line we need to match with the modified dropbear.
+#
+# For the second regex the following apply:
+#
+# http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c
+# http://svn.dd-wrt.com/changeset/16642#file64
+#
+# http://svn.dd-wrt.com/changeset/16642/src/router/dropbear/svr-authpasswd.c
+#
+# Author: Francis Russell
+#         Zak B. Elep
diff --git a/fail2ban/filter.d/ejabberd-auth.conf b/fail2ban/filter.d/ejabberd-auth.conf
new file mode 100644 (file)
index 0000000..512fdb7
--- /dev/null
@@ -0,0 +1,37 @@
+# Fail2Ban configuration file
+#
+# Author: Steven Hiscocks
+#
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+#          Multiline regexs should use tag "<SKIPLINES>" to separate lines.
+#          This allows lines between the matching lines to continue to be
+#          searched for other failures. This tag can be used multiple times.
+# Values:  TEXT
+#
+failregex = ^=INFO REPORT====  ===\nI\(<0\.\d+\.0>:ejabberd_c2s:\d+\) : \([^)]+\) Failed authentication for .+ from IP <HOST> \({{(?:\d+,){3}\d+},\d+}\)$
+            ^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:wait_for_feature_request:\d+ \([^\)]+\) Failed authentication for \S+ from IP <HOST>$
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 
+
+[Init]
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 2
+
+# Option:  journalmatch
+# Notes.:  systemd journalctl style match filter for journal based backend
+# Values:  TEXT
+#
+journalmatch = 
diff --git a/fail2ban/filter.d/exim-common.conf b/fail2ban/filter.d/exim-common.conf
new file mode 100644 (file)
index 0000000..1c0a0a2
--- /dev/null
@@ -0,0 +1,18 @@
+# Fail2Ban filter file for common exim expressions
+#
+# This is to be used by other exim filters
+
+[INCLUDES]
+
+# Load customizations if any available
+after = exim-common.local
+
+[Definition]
+
+host_info = H=([\w.-]+ )?(\(\S+\) )?\[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?(U=\S+ )?(P=e?smtp )?
+pid = ( \[\d+\])?
+
+# DEV Notes:
+# From exim source code: ./src/receive.c:add_host_info_for_log
+#
+# Author:  Daniel Black
diff --git a/fail2ban/filter.d/exim-spam.conf b/fail2ban/filter.d/exim-spam.conf
new file mode 100644 (file)
index 0000000..733c884
--- /dev/null
@@ -0,0 +1,50 @@
+# Fail2Ban filter for exim the spam rejection messages
+#
+# Honeypot traps are very useful for fighting spam. You just activate an email
+# address on your domain that you do not intend to use at all, and that normal
+# people do not risk to try for contacting you. It may be something that 
+# spammers often test. You can also hide the address on a web page to be picked
+# by spam spiders. Or simply parse your mail logs for an invalid address 
+# already being frequently targeted by spammers. Enable the address and 
+# redirect it to the blackhole. In Exim's alias file, you would add the 
+# following line (assuming the address is honeypot@yourdomain.com):
+#
+# honeypot:  :blackhole:
+#
+# For the SA: Action: silently tossed message... to be logged exim's SAdevnull option needs to be used.
+#
+# To this filter use the jail.local should contain in the right jail:
+#
+# filter = exim-spam[honeypot=honeypot@yourdomain.com]
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# exim-common.local
+before = exim-common.conf
+
+[Definition]
+
+failregex =  ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$
+             ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: .*dnsbl.*\s*$
+             ^%(pid)s \S+ %(host_info)sF=(<>|[^@]+@\S+) rejected after DATA: This message contains a virus \(\S+\)\.\s*$
+             ^%(pid)s \S+ SA: Action: flagged as Spam but accepted: score=\d+\.\d+ required=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=\S+ \[<HOST>\]\) for <honeypot>$
+             ^%(pid)s \S+ SA: Action: silently tossed message: score=\d+\.\d+ required=\d+\.\d+ trigger=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=(\S+ )?\[<HOST>\]\) for \S+$
+
+ignoreregex = 
+
+[Init]
+
+# Option:  honeypot
+# Notes.:  honeypot is an email address that isn't published anywhere that a
+#          legitimate email sender would send email too.
+# Values:  email address
+
+honeypot = trap@example.com
+
+# DEV Notes:
+# The %(host_info) defination contains a <HOST> match
+#
+# Author: Cyril Jaquier
+#         Daniel Black (rewrote with strong regexs)
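Review bot: The fourth failregex ends in `for <honeypot>$`, and the `[Init]` default is `honeypot = trap@example.com`. Unless the jail passes `exim-spam[honeypot=...]` as the header comment describes, that pattern can only match mail addressed to the placeholder. The value also appears to be substituted into the regex as written, which would make the dots in the address match any character. A comment next to the option would make both points visible, e.g. `# placeholder: override per jail; the value is used inside a regex, so escape dots (trap@example\.com)`.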
diff --git a/fail2ban/filter.d/exim.conf b/fail2ban/filter.d/exim.conf
new file mode 100644 (file)
index 0000000..b5028f0
--- /dev/null
@@ -0,0 +1,32 @@
+# Fail2Ban filter for exim
+#
+# This includes the rejection messages of exim. For spam and filter
+# related bans use the exim-spam.conf
+#
+
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# exim-common.local
+before = exim-common.conf
+
+[Definition]
+
+failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
+             ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
+             ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
+             ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
+             ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
+
+ignoreregex = 
+
+# DEV Notes:
+# The %(host_info) defination contains a <HOST> match
+#
+# SMTP protocol synchronization error \([^)]*\)  <- This needs to be non-greedy
+# to void capture beyond ")" to avoid a DoS Injection vulnerabilty as input= is
+# user injectable data.
+#
+# Author: Cyril Jaquier
+#         Daniel Black (rewrote with strong regexs)
diff --git a/fail2ban/filter.d/freeswitch.conf b/fail2ban/filter.d/freeswitch.conf
new file mode 100644 (file)
index 0000000..ecc4a8b
--- /dev/null
@@ -0,0 +1,23 @@
+# Fail2Ban configuration file
+#
+# Enable "log-auth-failures" on each Sofia profile to monitor
+# <param name="log-auth-failures" value="true"/>
+# -- this requires a high enough loglevel on your logs to save these messages.
+#
+# In the fail2ban jail.local file for this filter set ignoreip to the internal
+# IP addresses on your LAN.
+#
+
+[Definition]
+
+failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
+            ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$
+
+ignoreregex =
+
+# Author: Rupa SChomaker, soapee01, Daniel Black
+# http://wiki.freeswitch.org/wiki/Fail2ban
+# Thanks to Jim on mailing list of samples and guidance
+#
+# No need to match the following. Its a duplicate of the SIP auth regex.
+#  ^\.\d+ \[DEBUG\] sofia\.c:\d+ IP <HOST> Rejected by acl "\S+"\. Falling back to Digest auth\.$
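Review bot: The second failregex, `Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$`, only matches when the requested user is all digits and the domain part is a dotted IPv4 address. Lookups for an alphanumeric user or a host-name domain would not be counted, assuming FreeSWITCH logs them in the same form. The first regex already uses `\[.*\]` for the bracketed field, with the `$` anchor keeping `<HOST>` at the end of the line. `Can't find user \[[^\]]*\] from <HOST>$` would cover the other cases the same way.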
diff --git a/fail2ban/filter.d/groupoffice.conf b/fail2ban/filter.d/groupoffice.conf
new file mode 100644 (file)
index 0000000..d5a4e4d
--- /dev/null
@@ -0,0 +1,14 @@
+# Fail2Ban filter for Group-Office
+#
+# Enable logging with:
+# $config['info_log']='/home/groupoffice/log/info.log';
+#
+
+[Definition]
+
+failregex = ^\[\]LOGIN FAILED for user: "\S+" from IP: <HOST>$
+
+
+
+# Author: Daniel Black
+
diff --git a/fail2ban/filter.d/gssftpd.conf b/fail2ban/filter.d/gssftpd.conf
new file mode 100644 (file)
index 0000000..5f9fb6a
--- /dev/null
@@ -0,0 +1,18 @@
+# Fail2Ban filter file for gssftp
+#
+# Note: gssftp is part of the krb5-appl-servers in Fedora
+#
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = ftpd
+
+failregex = ^%(__prefix_line)srepeated login failures from <HOST> \(\S+\)$
+
+ignoreregex = 
+
+# Author: Kevin Zembower
+# Edited: Daniel Black - syslog based daemon
diff --git a/fail2ban/filter.d/guacamole.conf b/fail2ban/filter.d/guacamole.conf
new file mode 100644 (file)
index 0000000..49cecc5
--- /dev/null
@@ -0,0 +1,22 @@
+# Fail2Ban configuration file for guacamole
+#
+# Author: Steven Hiscocks
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile.
+# Values: TEXT
+#
+failregex = ^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 
+
+[Init]
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 2
diff --git a/fail2ban/filter.d/horde.conf b/fail2ban/filter.d/horde.conf
new file mode 100644 (file)
index 0000000..b94ebf6
--- /dev/null
@@ -0,0 +1,16 @@
+# fail2ban filter configuration for horde
+
+
+[Definition]
+
+
+failregex = ^ HORDE \[error\] \[(horde|imp)\] FAILED LOGIN for \S+ \[<HOST>\](\(forwarded for \[\S+\]\))? to (Horde|{[^}]+}) \[(pid \d+ )?on line \d+ of \S+\]$
+
+
+ignoreregex = 
+
+# DEV NOTES:
+# https://github.com/horde/horde/blob/master/imp/lib/Auth.php#L132
+# https://github.com/horde/horde/blob/master/horde/login.php
+# 
+# Author: Daniel Black
diff --git a/fail2ban/filter.d/kerio.conf b/fail2ban/filter.d/kerio.conf
new file mode 100644 (file)
index 0000000..3377995
--- /dev/null
@@ -0,0 +1,17 @@
+# Fail2ban filter for kerio
+
+[Definition]
+
+failregex = ^ SMTP Spam attack detected from <HOST>,
+            ^ IP address <HOST> found in DNS blacklist \S+, mail from \S+ to \S+$
+            ^ Relay attempt from IP address <HOST>
+            ^ Attempt to deliver to unknown recipient \S+, from \S+, IP address <HOST>$
+[Init]
+
+datepattern = ^\[%%d/%%b/%%Y %%H:%%M:%%S\]
+
+# DEV NOTES:
+# 
+# Author: A.P. Lawrence
+#
+# Based off: http://aplawrence.com/Kerio/fail2ban.html
diff --git a/fail2ban/filter.d/lighttpd-auth.conf b/fail2ban/filter.d/lighttpd-auth.conf
new file mode 100644 (file)
index 0000000..3bd01f2
--- /dev/null
@@ -0,0 +1,10 @@
+# Fail2Ban filter to match wrong passwords as notified by lighttpd's auth Module
+#
+
+[Definition]
+
+failregex = ^: \(http_auth\.c\.\d+\) (password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: <HOST>\s*$
+
+ignoreregex = 
+
+# Author: Francois Boulogne <fboulogne@april.org>
diff --git a/fail2ban/filter.d/monit.conf b/fail2ban/filter.d/monit.conf
new file mode 100644 (file)
index 0000000..1fcd980
--- /dev/null
@@ -0,0 +1,9 @@
+# Fail2Ban filter for monit.conf, looks for failed access attempts
+#
+#
+
+[Definition]
+
+failregex = ^\[[A-Z]+\s+\]\s*error\s*:\s*Warning:\s+Client '<HOST>' supplied unknown user '\w+' accessing monit httpd$
+            ^\[[A-Z]+\s+\]\s*error\s*:\s*Warning:\s+Client '<HOST>' supplied wrong password for user '\w+' accessing monit httpd$
+
diff --git a/fail2ban/filter.d/mysqld-auth.conf b/fail2ban/filter.d/mysqld-auth.conf
new file mode 100644 (file)
index 0000000..92dc9a9
--- /dev/null
@@ -0,0 +1,32 @@
+# Fail2Ban filter for unsuccesfull MySQL authentication attempts
+#
+#
+# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld]:
+# log-error=/var/log/mysqld.log
+# log-warning = 2
+#
+# If using mysql syslog [mysql_safe] has syslog in /etc/my.cnf
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = mysqld
+
+failregex = ^%(__prefix_line)s(\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[Warning\] Access denied for user '\w+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# Technically __prefix_line can equate to an empty string hence it can support
+# syslog and non-syslog at once.
+# Example:
+# 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
+#
+# Authors: Artur Penttinen
+#          Yaroslav O. Halchenko
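Review bot: `Access denied for user '\w+'@'<HOST>'` in the failregex requires a non-empty user name made only of word characters. A denied login for an empty user, or for a name containing `-` or `.`, would not be counted, assuming the server logs it in the same form as the example in the DEV notes. `'[^']*'@'<HOST>'` would accept those while the trailing `\s*$` still pins the rest of the line.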
diff --git a/fail2ban/filter.d/nagios.conf b/fail2ban/filter.d/nagios.conf
new file mode 100644 (file)
index 0000000..0429d3f
--- /dev/null
@@ -0,0 +1,17 @@
+# Fail2Ban filter for Nagios Remote Plugin Executor (nrpe2)
+# Detecting unauthorized access to the nrpe2 daemon 
+# typically logged in /var/log/messages syslog
+#
+
+[INCLUDES]
+# Read syslog common prefixes
+before = common.conf
+
+[Definition]
+_daemon     = nrpe
+failregex   = ^%(__prefix_line)sHost <HOST> is not allowed to talk to us!\s*$
+ignoreregex =
+
+# DEV Notes:
+# 
+# Author: Ivo Truxa - 2014/02/03
diff --git a/fail2ban/filter.d/named-refused.conf b/fail2ban/filter.d/named-refused.conf
new file mode 100644 (file)
index 0000000..15eeedc
--- /dev/null
@@ -0,0 +1,46 @@
+# Fail2Ban filter file for named (bind9).
+#
+
+# This filter blocks attacks against named (bind9) however it requires special
+# configuration on bind.
+#
+# By default, logging is off with bind9 installation.
+#
+# You will need something like this in your named.conf to provide proper logging.
+#
+# logging {
+#     channel security_file {
+#         file "/var/log/named/security.log" versions 3 size 30m;
+#         severity dynamic;
+#         print-time yes;
+#     };
+#     category security {
+#         security_file;
+#     };
+# };
+
+[Definition]
+
+# Daemon name
+_daemon=named
+
+# Shortcuts for easier comprehension of the failregex
+
+__pid_re=(?:\[\d+\])
+__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
+__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
+
+#       hostname       daemon_id         spaces
+# this can be optional (for instance if we match named native log files)
+__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
+
+failregex = ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
+            ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$
+            ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
+
+# DEV Notes:
+# Trying to generalize the
+#          structure which is general to capture general patterns in log
+#          lines to cover different configurations/distributions
+#          
+# Author: Yaroslav Halchenko
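Review bot: The first failregex hard-codes the view names in `(view (internal|external): )?`. On a bind configuration whose views are named differently, denied-query lines carrying a `view NAME:` prefix would not match and those clients would never be banned. This repository also tracks the bind configuration, so it is worth comparing with the view names used there; `(view \S+: )?` removes the assumption. The two zone-transfer patterns below it have no view group at all, which may need the same treatment if bind prefixes those lines too.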
diff --git a/fail2ban/filter.d/nginx-http-auth.conf b/fail2ban/filter.d/nginx-http-auth.conf
new file mode 100644 (file)
index 0000000..a689f66
--- /dev/null
@@ -0,0 +1,15 @@
+# fail2ban filter configuration for nginx
+
+
+[Definition]
+
+
+failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$
+
+ignoreregex = 
+
+# DEV NOTES:
+# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files
+# Extensive search of all nginx auth failures not done yet.
+# 
+# Author: Daniel Black
diff --git a/fail2ban/filter.d/nsd.conf b/fail2ban/filter.d/nsd.conf
new file mode 100644 (file)
index 0000000..cd4ce35
--- /dev/null
@@ -0,0 +1,26 @@
+# Fail2Ban configuration file
+#
+# Author: Bas van den Dikkenberg
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = nsd
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+
+failregex =  ^\[\]%(__prefix_line)sinfo: ratelimit block .* query <HOST> TYPE255$
+              ^\[\]%(__prefix_line)sinfo: .* <HOST> refused, no acl matches\.$
diff --git a/fail2ban/filter.d/openwebmail.conf b/fail2ban/filter.d/openwebmail.conf
new file mode 100644 (file)
index 0000000..ef51031
--- /dev/null
@@ -0,0 +1,15 @@
+# Fail2Ban filter for Openwebmail
+# banning hosts with authentication errors in /var/log/openwebmail.log
+# OpenWebMail http://openwebmail.org
+#
+
+[Definition]
+
+failregex = ^ - \[\d+\] \(<HOST>\) (?P<USER>\S+) - login error - (no such user - loginname=(?P=USER)|auth_unix.pl, ret -4, Password incorrect)$
+            ^ - \[\d+\] \(<HOST>\) (?P<USER>\S+) - userinfo error - auth_unix.pl, ret -4, User (?P=USER) doesn't exist$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# Author: Ivo Truxa (c) 2013 truXoft.com
diff --git a/fail2ban/filter.d/oracleims.conf b/fail2ban/filter.d/oracleims.conf
new file mode 100644 (file)
index 0000000..e951ff5
--- /dev/null
@@ -0,0 +1,61 @@
+# Fail2Ban configuration file
+# for Oracle IMS with XML logging
+#
+# Author: Joel Snyder/jms@opus1.com/2014-June-01
+#
+#
+
+
+[INCLUDES]
+
+# Read common prefixes.
+# If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages
+# in the logfile. The host must be matched by a
+# group named "host". The tag "<HOST>" can
+# be used for standard IP/hostname matching and is
+# only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+#
+# CONFIGURATION REQUIREMENTS FOR ORACLE IMS v6 and ABOVE:
+#
+# In OPTION.DAT you must have LOG_FORMAT=4 and
+#  bit 5 of LOG_CONNECTION must be set. 
+#
+# Many of these sub-fields are optional and can be turned on and off
+# by the system manager.  We need the "tr" field
+#  (transport information (present if bit 5 of LOG_CONNECTION is
+# set and transport information is available)).
+# "di" should be there by default if you have LOG_FORMAT=4.
+# Do not use "mi" as this is not included by default.
+#
+# Typical line IF YOU ARE USING TAGGING ! ! ! is:
+# <co ts="2014-06-02T09:45:50.29" pi="123f.3f8.4397"
+# sc="tcp_local" dr="+" ac="U"
+# tr="TCP|192.245.12.223|25|151.1.71.144|59762" ap="SMTP"
+# mi="Bad password"
+# us="01ko8hqnoif09qx0np@imap.opus1.com"
+# di="535 5.7.8 Bad username or password (Authentication failed)."/>
+# Format is generally documented in the PORT_ACCESS mapping 
+# at http://docs.oracle.com/cd/E19563-01/819-4428/bgaur/index.html
+#
+# All that would be on one line.
+# Note that you MUST have LOG_FORMAT=4 for this to work!
+#
+
+failregex = ^.*tr="[A-Z]+\|[0-9.]+\|\d+\|<HOST>\|\d+" ap="[^"]*" mi="Bad password" us="[^"]*" di="535 5.7.8 Bad username or password( \(Authentication failed\))?\."/>$
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
diff --git a/fail2ban/filter.d/pam-generic.conf b/fail2ban/filter.d/pam-generic.conf
new file mode 100644 (file)
index 0000000..aea4752
--- /dev/null
@@ -0,0 +1,29 @@
+# Fail2Ban configuration file for generic PAM authentication errors
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+# if you want to catch only login errors from specific daemons, use something like
+#_ttys_re=(?:ssh|pure-ftpd|ftp)
+#
+# Default: catch all failed logins
+_ttys_re=\S*
+
+__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
+_daemon = \S+
+
+failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# for linux-pam before 0.99.2.0 (late 2005) (removed before 0.8.11 release)
+# _daemon = \S*\(?pam_unix\)?
+# failregex = ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+#
+# Author: Yaroslav Halchenko
diff --git a/fail2ban/filter.d/perdition.conf b/fail2ban/filter.d/perdition.conf
new file mode 100644 (file)
index 0000000..c47dcac
--- /dev/null
@@ -0,0 +1,18 @@
+# Fail2Ban filter for perdition
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon=perdition.\S+
+
+failregex = ^%(__prefix_line)sAuth: <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+ client-secure=\S+ authorisation_id=NONE authentication_id=".+" server="\S+" protocol=\S+ server-secure=\S+ status="failed: (local authentication failure|Re-Authentication Failure)"$
+            ^%(__prefix_line)sFatal Error reading authentication information from client <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+: Exiting child$
+
+ignoreregex =
+
+# Author: Christophe Carles and Daniel Black
diff --git a/fail2ban/filter.d/php-url-fopen.conf b/fail2ban/filter.d/php-url-fopen.conf
new file mode 100644 (file)
index 0000000..87bd04c
--- /dev/null
@@ -0,0 +1,20 @@
+# Fail2Ban filter for URLs with a URL as a script parameters
+# which can be an indication of a fopen url php injection
+#
+# Example of web requests in Apache access log:
+# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
+
+[Definition]
+
+failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# Version 2
+# fixes the failregex so REFERERS that contain =http:// don't get blocked
+# (mentioned by "fasuto" (no real email provided... blog comment) in this entry:
+# http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489
+#
+# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
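Review bot: The failregex treats every GET or POST whose query string contains `=http://` as an attack, which also covers ordinary requests that carry a URL parameter, such as login redirects or link previews. Enabling the jail as written can therefore ban legitimate clients of any application that passes URLs in the query string. I would say so in the header and leave a commented template under `ignoreregex`, e.g. `# ignoreregex = ^<HOST> -.*"(GET|POST) /PLACEHOLDER/path/that/takes/urls\?`, so site-specific exemptions are added before the jail is switched on. Because the pattern is built from greedy `.*` runs, it is worth checking with fail2ban-regex against a sample of the real access log first.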
diff --git a/fail2ban/filter.d/portsentry.conf b/fail2ban/filter.d/portsentry.conf
new file mode 100644 (file)
index 0000000..1ee9531
--- /dev/null
@@ -0,0 +1,10 @@
+# Fail2Ban filter for failure attempts in Counter Strike-1.6
+#
+#
+
+[Definition]
+
+failregex = \/<HOST> Port\: [0-9]+ (TCP|UDP) Blocked$
+
+# Author: Pacop <pacoparu@gmail.com>
+
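Review bot: The header comment describes this file as a filter for "failure attempts in Counter Strike-1.6", but the failregex matches PortSentry block entries (`Port: N (TCP|UDP) Blocked`). The first line should read something like `# Fail2Ban filter for hosts blocked by PortSentry`. Unlike the other filters in this commit, the pattern has no `^` anchor and the file defines no `ignoreregex =` line. Since UDP entries are matched as well, a comment that UDP source addresses can be forged would help whoever enables the jail choose a sensible `ignoreip`.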
diff --git a/fail2ban/filter.d/postfix-sasl.conf b/fail2ban/filter.d/postfix-sasl.conf
new file mode 100644 (file)
index 0000000..35b064d
--- /dev/null
@@ -0,0 +1,21 @@
+# Fail2Ban filter for postfix authentication failures
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = postfix/(submission/)?smtp(d|s)
+
+failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
+
+ignoreregex = 
+
+[Init]
+
+journalmatch = _SYSTEMD_UNIT=postfix.service
+
+
+# Author: Yaroslav Halchenko
diff --git a/fail2ban/filter.d/postfix.conf b/fail2ban/filter.d/postfix.conf
new file mode 100644 (file)
index 0000000..a7a05e4
--- /dev/null
@@ -0,0 +1,26 @@
+# Fail2Ban filter for selected Postfix SMTP rejections
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = postfix/(submission/)?smtp(d|s)
+
+failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
+            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
+            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
+            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
+
+ignoreregex = 
+
+[Init]
+
+journalmatch = _SYSTEMD_UNIT=postfix.service
+
+# Author: Cyril Jaquier
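Review bot: The second failregex (the `450 4\.7\.1` line) only matches when the rejected name, `from=<>`, `to=<>` and `helo=` are all empty, so it will match almost no real Helo rejections. It looks as if the angle-bracketed fields were stripped from the sample it was derived from, since `4\.7\.1 : Helo` has a bare space where the HELO name would appear, but that is an inference from the pattern alone. If Helo rejections are meant to count, the fields need wildcards, e.g. `450 4\.7\.1 \S+: Helo command rejected: Host not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$`, verified with fail2ban-regex against a real log line. The first pattern (`554 5\.7\.1 .*$`) is broad as well, so every policy rejection with that code counts towards a ban.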
diff --git a/fail2ban/filter.d/proftpd.conf b/fail2ban/filter.d/proftpd.conf
new file mode 100644 (file)
index 0000000..ac714cc
--- /dev/null
@@ -0,0 +1,24 @@
+# Fail2Ban fitler for the Proftpd FTP daemon
+#
+# Set "UseReverseDNS off" in proftpd.conf to avoid the need for DNS.
+# See: http://www.proftpd.org/docs/howto/DNS.html
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = proftpd
+
+__suffix_failed_login = (User not authorized for login|No such user found|Incorrect password|Password expired|Account disabled|Invalid shell: '\S+'|User in \S+|Limit (access|configuration) denies login|Not a UserAlias|maximum login length exceeded).?
+
+failregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$
+            ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .* \(Login failed\): %(__suffix_failed_login)s\s*$
+            ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: .* login attempted\. *$
+            ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$
+
+ignoreregex = 
+
+# Author: Yaroslav Halchenko
+#         Daniel Black - hardening of regex
diff --git a/fail2ban/filter.d/pure-ftpd.conf b/fail2ban/filter.d/pure-ftpd.conf
new file mode 100644 (file)
index 0000000..be3d0ae
--- /dev/null
@@ -0,0 +1,36 @@
+# Fail2Ban filter for pureftp
+#
+# Disable hostname based logging by:
+#
+# Start pure-ftpd with the -H switch or on Ubuntu 'echo yes > /etc/pure-ftpd/conf/DontResolve'
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = pure-ftpd
+
+# Error message specified in multiple languages
+__errmsg = (?:Godkendelse mislykkedes for \[.*\]|Authentifizierung fehlgeschlagen für Benutzer \[.*\].|Authentication failed for user \[.*\]|Autentificación fallida para el usuario \[.*\]|\[.*\] c'est un batard, il connait pas son code|Erreur d'authentification pour l'utilisateur \[.*\]|Azonosítás sikertelen \[.*\] felhasználónak|Autenticazione falita per l'utente \[.*\]|Autorisatie faalde voor gebruiker \[.*\]|Godkjennelse mislyktes for \[.*\]|\[.*\] kullanýcýsý için giriþ hatalý|Autenticação falhou para usuário \[.*\]|Autentificare esuata pentru utilizatorul \[.*\]|Autentifikace uživatele selhala \[.*\]|Autentyfikacja nie powiodła się dla użytkownika \[.*\]|Autentifikacia uzivatela zlyhala \[.*\]|Behörighetskontroll misslyckas för användare \[.*\]|Авторизация не удалась пользователю \[.*\]|\[.*\] 嶸盪 檣隸 褒ぬ|妏蚚氪\[.*\]桄痐囮啖|使用者\[.*\]驗證失敗)
+
+failregex = ^%(__prefix_line)s\(.+?@<HOST>\) \[WARNING\] %(__errmsg)s\s*$
+
+ignoreregex = 
+
+# Author: Cyril Jaquier
+# Modified: Yaroslav Halchenko for pure-ftpd
+# Documentation thanks to Blake on http://www.fail2ban.org/wiki/index.php?title=Fail2ban:Community_Portal
+# UTF-8 editing and mechanism thanks to Johannes Weberhofer
+#
+# Only logs to syslog though facility can be changed configuration file/command line
+#
+# To get messages in the right encoding:
+# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[defhint]* | grep -Po '".?"' | recode latin1..utf-8 | tr -d '"' > messages
+# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[pr][to] | grep -Po '".?"' | recode latin1..utf-8 | tr -d '"' >> messages
+# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[cps][slkv] | grep -Po '".?"' | recode latin2..utf-8 | tr -d '"' >> messages
+# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_ru | grep -Po '".?"' | recode KOI8-R..utf-8 | tr -d '"' >> messages
+# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[kz] | grep -Po '".*?"' | tr -d '"' | recode big5..utf-8 >> messages
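Review bot: Several alternatives in `__errmsg` appear mis-encoded and cannot match what pure-ftpd writes: the Turkish entry (`kullanýcýsý için giriþ hatalý`) and the two CJK entries before the final Traditional Chinese one read like text decoded with the wrong source charset. The recode commands in the notes are consistent with that, since latin1 is applied to every `messages_[defhint]*` file and big5 to all of `messages_[kz]`, though the original message files are not visible here. On a server logging in one of those languages, authentication failures would go unbanned without any error. I would add a comment next to `__errmsg` such as `# NOTE: only alternatives verified against a real log line are reliable; the tr and two of the CJK entries are suspected to be mis-encoded`.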
diff --git a/fail2ban/filter.d/qmail.conf b/fail2ban/filter.d/qmail.conf
new file mode 100644 (file)
index 0000000..62d499c
--- /dev/null
@@ -0,0 +1,31 @@
+# Fail2Ban filters for qmail RBL patches/fake proxies
+#
+# the default djb RBL implementation doesn't log any rejections 
+# so is useless with this filter.
+#
+# One patch is here:
+#
+# http://www.tjsi.com/rblsmtpd/faq/ patch to rblsmtpd
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:qmail|rblsmtpd)
+
+failregex = ^%(__prefix_line)s\d+\.\d+ rblsmtpd: <HOST> pid \d+ \S+ 4\d\d \S+\s*$
+            ^%(__prefix_line)s\d+\.\d+ qmail-smtpd: 4\d\d badiprbl: ip <HOST> rbl: \S+\s*$
+            ^%(__prefix_line)s\S+ blocked <HOST> \S+ -\s*$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# These seem to be for two or 3 different patches to qmail or rblsmtpd
+# so you'll probably only ever see one of these regex's that match.
+#
+# ref: https://github.com/fail2ban/fail2ban/pull/386
+#
+# Author: Daniel Black
diff --git a/fail2ban/filter.d/recidive.conf b/fail2ban/filter.d/recidive.conf
new file mode 100644 (file)
index 0000000..b38735a
--- /dev/null
@@ -0,0 +1,36 @@
+# Fail2Ban filter for repeat bans
+#
+# This filter monitors the fail2ban log file, and enables you to add long 
+# time bans for ip addresses that get banned by fail2ban multiple times.
+#
+# Reasons to use this: block very persistent attackers for a longer time, 
+# stop receiving email notifications about the same attacker over and 
+# over again.
+#
+# This jail is only useful if you set the 'findtime' and 'bantime' parameters 
+# in jail.conf to a higher value than the other jails. Also, this jail has its
+# drawbacks, namely in that it works only with iptables, or if you use a 
+# different blocking mechanism for this jail versus others (e.g. hostsdeny 
+# for most jails, and shorewall for this one).
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = fail2ban\.actions\s*
+
+# The name of the jail that this filter is used for. In jail.conf, name the 
+# jail using this filter 'recidive', or change this line!
+_jailname = recidive
+
+failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
+
+[Init]
+
+journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5
+
+# Author: Tom Hendrikx, modifications by Amir Caspi 
diff --git a/fail2ban/filter.d/roundcube-auth.conf b/fail2ban/filter.d/roundcube-auth.conf
new file mode 100644 (file)
index 0000000..19e921e
--- /dev/null
@@ -0,0 +1,29 @@
+# Fail2Ban configuration file for roundcube web server
+#
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+failregex = ^\s*(\[\])?(%(__hostname)s roundcube: IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$
+
+ignoreregex = 
+# DEV Notes:
+#
+# Source: https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_imap.php#L180
+#
+# Part after <HOST> comes straight from IMAP server up until the " in ....."
+# Earlier versions didn't log the IMAP response hence optional.
+#
+# DoS resistance:
+#
+# Assume that the user can inject "from <HOST>" into the imap response
+# somehow. Write test cases around this to ensure that the combination of
+# arbitrary user input and IMAP response doesn't inject the wrong IP for
+# fail2ban
+#
+# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge & Daniel Black
diff --git a/fail2ban/filter.d/selinux-common.conf b/fail2ban/filter.d/selinux-common.conf
new file mode 100644 (file)
index 0000000..7269e8f
--- /dev/null
@@ -0,0 +1,21 @@
+# Fail2Ban configuration file for generic SELinux audit messages
+#
+# This file is not intended to be used directly, and should be included into a
+# filter file which would define following variables. See selinux-ssh.conf as
+# and example.
+#
+# _type
+# _uid
+# _auid 
+# _subj
+# _msg
+#
+# Also one of these variables must include <HOST>.
+
+[Definition]
+
+failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$
+
+ignoreregex =
+
+# Author: Daniel Black
diff --git a/fail2ban/filter.d/selinux-ssh.conf b/fail2ban/filter.d/selinux-ssh.conf
new file mode 100644 (file)
index 0000000..6955094
--- /dev/null
@@ -0,0 +1,25 @@
+# Fail2Ban configuration file for SELinux ssh authentication errors
+#
+
+[INCLUDES]
+
+after = selinux-common.conf
+
+[Definition]
+
+_type = USER_(ERR|AUTH)
+_uid  = 0
+_auid = \d+
+_subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023
+
+_exe  =/usr/sbin/sshd
+_terminal = ssh
+
+_msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr=<HOST> terminal=%(_terminal)s res=failed
+
+# DEV Notes:
+#
+# Note: USER_LOGIN is ignored as this is the duplicate messsage
+# ssh logs after 3 USER_AUTH failures.
+# 
+# Author: Daniel Black
diff --git a/fail2ban/filter.d/sendmail-auth.conf b/fail2ban/filter.d/sendmail-auth.conf
new file mode 100644 (file)
index 0000000..138fbb8
--- /dev/null
@@ -0,0 +1,18 @@
+# Fail2Ban filter for sendmail authentication failures
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:sm-(mta|acceptingconnections))
+
+failregex = ^%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# Author: Daniel Black
diff --git a/fail2ban/filter.d/sendmail-reject.conf b/fail2ban/filter.d/sendmail-reject.conf
new file mode 100644 (file)
index 0000000..93b8343
--- /dev/null
@@ -0,0 +1,50 @@
+# Fail2Ban filter for sendmail spam/relay type failures
+#
+# Some of the below failregex will only work properly, when the following
+# options are set in the .mc file (see your Sendmail documentation on how
+# to modify it and generate the corresponding .cf file):
+#
+# FEATURE(`delay_checks')
+# FEATURE(`greet_pause', `500')
+# FEATURE(`ratecontrol', `nodelay', `terminate')
+# FEATURE(`conncontrol', `nodelay', `terminate')
+#
+# ratecontrol and conncontrol also need corresponding options ClientRate:
+# and ClientConn: in the access file, see documentation for ratecontrol and
+# conncontrol in the sendmail/cf/README file.
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:(sm-(mta|acceptingconnections)|sendmail))
+
+failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[<HOST>\]( \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\])|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
+            ^%(__prefix_line)sruleset=check_relay, arg1=(?P<dom>\S+), arg2=<HOST>, relay=((?P=dom) )?\[(\d+\.){3}\d+\]( \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
+            ^%(__prefix_line)s\w{14}: rejecting commands from  (\S+ )?\[<HOST>\] due to pre-greeting traffic after \d+ seconds$
+            ^%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]: ((?i)expn|vrfy) \S+ \[rejected\]$
+            ^(?P<__prefix>%(__prefix_line)s\w+: )<[^@]+@[^>]+>\.\.\. No such user here<SKIPLINES>(?P=__prefix)from=<[^@]+@[^>]+>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[<HOST>\]$
+
+
+ignoreregex =
+
+
+[Init]
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 10
+
+# DEV NOTES:
+# 
+# Regarding the last multiline regex:
+#
+# There can be a nunber of non-related lines between the first and second part
+# of this regex maxlines of 10 is quite generious. Only one of the 
+# "No such user" lines needs to be matched before the line with the HOST.
+#
+# Note the capture __prefix, includes both the __prefix_lines (which includes
+# the sendmail PID), but also the \w+ which the the sendmail assigned mail ID.
+#
+# Author: Daniel Black and Fabian Wenk
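Review bot: The fourth failregex embeds `(?i)` in the middle of the pattern, in `((?i)expn|vrfy)`. In Python's re module that is a global flag, so it makes the whole expression case-insensitive rather than just this group, and recent Python versions reject a global flag that is not at the start of the pattern. Spelling the case variants out keeps the filter loadable on any interpreter: `\[<HOST>\]: ([Ee][Xx][Pp][Nn]|[Vv][Rr][Ff][Yy]) \S+ \[rejected\]$`. The DEV notes also contain typos (`nunber`, `generious`, `the the`) worth fixing in the same pass.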
diff --git a/fail2ban/filter.d/sieve.conf b/fail2ban/filter.d/sieve.conf
new file mode 100644 (file)
index 0000000..4ec9c45
--- /dev/null
@@ -0,0 +1,18 @@
+# Fail2Ban filter for sieve authentication failures
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = (?:cyrus/)?(?:tim)?sieved?
+
+failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ authentication failure$
+
+ignoreregex = 
+
+# Author: Jan Wagner <waja@cyconet.org>
diff --git a/fail2ban/filter.d/sogo-auth.conf b/fail2ban/filter.d/sogo-auth.conf
new file mode 100644 (file)
index 0000000..d56c94f
--- /dev/null
@@ -0,0 +1,17 @@
+# Fail2ban filter for SOGo authentcation
+#
+# Log file usually in /var/log/sogo/sogo.log
+
+[Definition]
+
+failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '<HOST>' for user '.*' might not have worked( - password policy: \d*  grace: -?\d*  expire: -?\d*  bound: -?\d*)?\s*$
+
+ignoreregex = 
+
+# 
+# DEV Notes:
+#
+# The error log may contain multiple hosts, whereas the first one 
+# is the client and all others are poxys. We match the first one, only
+#
+# Author: Arnd Brandes
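Review bot: The DEV note says a log line may list several hosts and that the filter matches the first, but the failregex requires the closing quote directly after `<HOST>` (`Login from '<HOST>' for user`), so a line listing more than one address will not match at all. Behind a reverse proxy that would leave failed logins uncounted. If the first address is meant to be used, the pattern has to allow the rest of the list, e.g. `Login from '<HOST>(?:,[^']*)?' for user`, assuming the addresses are comma-separated (the log format is not shown here). A comment should also state that a leading address taken from a forwarding header is client-supplied and only trustworthy when the proxy overwrites it.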
diff --git a/fail2ban/filter.d/solid-pop3d.conf b/fail2ban/filter.d/solid-pop3d.conf
new file mode 100644 (file)
index 0000000..ba19d66
--- /dev/null
@@ -0,0 +1,32 @@
+# Fail2Ban filter for unsuccessful solid-pop3 authentication attempts
+#
+# Doesn't currently provide PAM support as PAM log messages don't include rhost as
+# remote IP.
+#
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = solid-pop3d
+
+failregex = ^%(__prefix_line)sauthentication failed: (no such user|can't map user name): .*? - <HOST>$
+            ^%(__prefix_line)s(APOP )?authentication failed for (mapped )?user .*? - <HOST>$
+            ^%(__prefix_line)sroot login not allowed - <HOST>$
+            ^%(__prefix_line)scan't find APOP secret for user .*? - <HOST>$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# solid-pop3d needs to be compiled with --enable-logextend to support
+# IP addresses in log messages.
+#
+# solid-pop3d-0.15/src/main.c contains all authentication errors
+# except for PAM authentication messages ( src/authenticate.c )
+#
+# A pam authentication failure message (note no IP for rhost).
+# Nov 17 23:17:50 emf1pt2-2-35-70 solid-pop3d[17176]: pam_unix(solid-pop3d:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=jacques
+# 
+# Authors: Daniel Black
diff --git a/fail2ban/filter.d/squid.conf b/fail2ban/filter.d/squid.conf
new file mode 100644 (file)
index 0000000..da28269
--- /dev/null
@@ -0,0 +1,13 @@
+# Fail2Ban filter for Squid attempted proxy bypasses
+#
+#
+
+[Definition]
+
+failregex = ^\s+\d\s<HOST>\s+[A-Z_]+_DENIED/403 .*$
+            ^\s+\d\s<HOST>\s+NONE/405 .*$
+
+
+
+# Author: Daniel Black
+
diff --git a/fail2ban/filter.d/squirrelmail.conf b/fail2ban/filter.d/squirrelmail.conf
new file mode 100644 (file)
index 0000000..9defd8d
--- /dev/null
@@ -0,0 +1,13 @@
+
+[Definition]
+
+failregex = ^ \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect\.$
+
+
+[Init]
+
+datepattern = ^%%m/%%d/%%Y %%H:%%M:%%S
+
+# DEV NOTES:
+#
+# Author: Daniel Black
diff --git a/fail2ban/filter.d/sshd-ddos.conf b/fail2ban/filter.d/sshd-ddos.conf
new file mode 100644 (file)
index 0000000..4f71c7f
--- /dev/null
@@ -0,0 +1,29 @@
+# Fail2Ban ssh filter for at attempted exploit
+#
+# The regex here also relates to a exploit:
+#
+#  http://www.securityfocus.com/bid/17958/exploit
+#  The example code here shows the pushing of the exploit straight after
+#  reading the server version. This is where the client version string normally
+#  pushed. As such the server will read this unparsible information as
+#  "Did not receive identification string".
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = sshd
+
+failregex = ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
+
+ignoreregex = 
+
+[Init]
+
+journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
+
+# Author: Yaroslav Halchenko
diff --git a/fail2ban/filter.d/sshd.conf b/fail2ban/filter.d/sshd.conf
new file mode 100644 (file)
index 0000000..6589e21
--- /dev/null
@@ -0,0 +1,54 @@
+# Fail2Ban filter for openssh
+#
+# If you want to protect OpenSSH from being bruteforced by password
+# authentication then get public key authentication working before disabling
+# PasswordAuthentication in sshd_config.
+#
+#
+# "Connection from <HOST> port \d+" requires LogLevel VERBOSE in sshd_config
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = sshd
+
+failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
+            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
+            ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
+            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
+            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
+            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
+            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
+            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
+            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
+            ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
+            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
+            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
+            ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
+            ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
+            ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
+
+ignoreregex = 
+
+[Init]
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 10
+
+journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
+
+# DEV Notes:
+#
+#   "Failed \S+ for .*? from <HOST>..." failregex uses non-greedy catch-all because
+#   it is coming before use of <HOST> which is not hard-anchored at the end as well,
+#   and later catch-all's could contain user-provided input, which need to be greedily
+#   matched away first.
+#
+# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black
+
diff --git a/fail2ban/filter.d/stunnel.conf b/fail2ban/filter.d/stunnel.conf
new file mode 100644 (file)
index 0000000..c49bab4
--- /dev/null
@@ -0,0 +1,11 @@
+# Fail2ban filter for stunnel
+
+[Definition]
+
+failregex = ^ LOG\d\[\d+:\d+\]:\ SSL_accept from <HOST>:\d+ : (?P<CODE>[\dA-F]+): error:(?P=CODE):SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate$
+
+# DEV NOTES:
+# 
+# Author: Daniel Black
+#
+# Based off: http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#stunnel4
diff --git a/fail2ban/filter.d/suhosin.conf b/fail2ban/filter.d/suhosin.conf
new file mode 100644 (file)
index 0000000..f125ead
--- /dev/null
@@ -0,0 +1,28 @@
+# Fail2Ban filter for suhosian PHP hardening
+#
+# This occurs with lighttpd or directly from the plugin
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = (?:lighttpd|suhosin)
+
+
+_lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s)
+
+failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .* \(attacker '<HOST>', file '.*'(?:, line \d+)?\)$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161
+#
+# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
diff --git a/fail2ban/filter.d/tine20.conf b/fail2ban/filter.d/tine20.conf
new file mode 100644 (file)
index 0000000..0fa6ecc
--- /dev/null
@@ -0,0 +1,21 @@
+# Fail2Ban filter for Tine 2.0 authentication
+#
+# Enable logging with:
+# $config['info_log']='/var/log/tine20/tine20.log';
+#
+
+[Definition]
+
+failregex =  ^[\da-f]{5,} [\da-f]{5,} (-- none --|.*?)( \d+(\.\d+)?(h|m|s|ms)){0,2} -  WARN \(\d+\): Tinebase_Controller::login::\d+ Login with username .*? from <HOST> failed \(-[13]\)!$
+
+ignoreregex = 
+
+# Author: Mika (mkl) from Tine20.org forum: https://www.tine20.org/forum/viewtopic.php?f=2&t=15688&p=54766
+# Editor: Daniel Black
+# Advisor: Lars Kneschke
+#
+# Usernames can contain spaces.
+#
+# Authentication: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Controller.php#l105
+# Logger: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Log/Formatter.php
+# formatMicrotimeDiff: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Helper.php#l276
diff --git a/fail2ban/filter.d/uwimap-auth.conf b/fail2ban/filter.d/uwimap-auth.conf
new file mode 100644 (file)
index 0000000..f734eb7
--- /dev/null
@@ -0,0 +1,17 @@
+# Fail2Ban filter for uwimap
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:ipop3d|imapd)
+
+failregex = ^%(__prefix_line)sLogin (?:failed|excessive login failures|disabled|SYSTEM BREAK-IN ATTEMPT) user=\S* auth=\S* host=.*\[<HOST>\]\s*$ 
+            ^%(__prefix_line)sFailed .* override of user=.* host=.*\[<HOST>\]\s*$
+
+ignoreregex = 
+
+# Author: Amir Caspi
diff --git a/fail2ban/filter.d/vsftpd.conf b/fail2ban/filter.d/vsftpd.conf
new file mode 100644 (file)
index 0000000..4de2bef
--- /dev/null
@@ -0,0 +1,22 @@
+# Fail2Ban filter for vsftp
+#
+# Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch
+# /var/log/vsftpd.log instead of /var/log/secure. vsftpd.log file shows the
+# incoming ip address rather than domain names.
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
+_daemon =  vsftpd
+
+failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+            ^ \[pid \d+\] \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
+
+ignoreregex = 
+
+# Author: Cyril Jaquier
+# Documentation from fail2ban wiki
diff --git a/fail2ban/filter.d/webmin-auth.conf b/fail2ban/filter.d/webmin-auth.conf
new file mode 100644 (file)
index 0000000..a0f014c
--- /dev/null
@@ -0,0 +1,22 @@
+# Fail2Ban filter for webmin
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = webmin
+
+failregex = ^%(__prefix_line)sNon-existent login as .+ from <HOST>\s*$
+            ^%(__prefix_line)sInvalid login as .+ from <HOST>\s*$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# pattern :     webmin[15673]: Non-existent login as toto from 86.0.6.217
+#               webmin[29544]: Invalid login as root from 86.0.6.217
+#
+# Rule Author: Delvit Guillaume
diff --git a/fail2ban/filter.d/wuftpd.conf b/fail2ban/filter.d/wuftpd.conf
new file mode 100644 (file)
index 0000000..45149f6
--- /dev/null
@@ -0,0 +1,22 @@
+# Fail2Ban configuration file for wuftpd
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = wu-ftpd
+__pam_re=\(?pam_unix(?:\(wu-ftpd:auth\))?\)?:?
+
+failregex = ^%(__prefix_line)sfailed login from \S+ \[<HOST>\]\s*$
+            ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+
+
+ignoreregex = 
+
+# Author: Yaroslav Halchenko
diff --git a/fail2ban/filter.d/xinetd-fail.conf b/fail2ban/filter.d/xinetd-fail.conf
new file mode 100644 (file)
index 0000000..d75e3d6
--- /dev/null
@@ -0,0 +1,27 @@
+# Fail2Ban filter for xinetd failures
+#
+# Cfr.: /var/log/(daemon\.|sys)log
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = xinetd
+
+failregex = ^%(__prefix_line)sFAIL: \S+ address from=<HOST>$
+            ^%(__prefix_line)sFAIL: \S+ libwrap from=<HOST>$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# libwrap => tcp wrappers: hosts.(allow|deny)
+# address => xinetd: deny_from|only_from
+#
+# Author: Guido Bozzetto
diff --git a/fail2ban/jail.conf b/fail2ban/jail.conf
new file mode 100644 (file)
index 0000000..d31e70d
--- /dev/null
@@ -0,0 +1,726 @@
+#
+# WARNING: heavily refactored in 0.9.0 release.  Please review and
+#          customize settings for your setup.
+#
+# Changes:  in most of the cases you should not modify this
+#           file, but provide customizations in jail.local file,
+#           or separate .conf files under jail.d/ directory, e.g.:
+#
+# HOW TO ACTIVATE JAILS:
+#
+# YOU SHOULD NOT MODIFY THIS FILE.
+#
+# It will probably be overwritten or improved in a distribution update.
+#
+# Provide customizations in a jail.local file or a jail.d/customisation.local.
+# For example to change the default bantime for all jails and to enable the
+# ssh-iptables jail the following (uncommented) would appear in the .local file.
+# See man 5 jail.conf for details.
+#
+# [DEFAULT]
+# bantime = 3600
+#
+# [sshd]
+# enabled = true
+#
+# See jail.conf(5) man page for more information
+
+
+
+# Comments: use '#' for comment lines and ';' (following a space) for inline comments
+
+
+[INCLUDES]
+
+#before = paths-distro.conf
+before = paths-debian.conf
+
+# The DEFAULT allows a global definition of the options. They can be overridden
+# in each jail afterwards.
+
+[DEFAULT]
+
+#
+# MISCELLANEOUS OPTIONS
+#
+
+# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
+# ban a host which matches an address in this list. Several addresses can be
+# defined using space separator.
+ignoreip = 127.0.0.1/8
+
+# External command that will take an tagged arguments to ignore, e.g. <ip>,
+# and return true if the IP is to be ignored. False otherwise.
+#
+# ignorecommand = /path/to/command <ip>
+ignorecommand =
+
+# "bantime" is the number of seconds that a host is banned.
+bantime  = 600
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime  = 600
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 5
+
+# "backend" specifies the backend used to get files modification.
+# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
+# This option can be overridden in each jail as well.
+#
+# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
+#              If pyinotify is not installed, Fail2ban will use auto.
+# gamin:     requires Gamin (a file alteration monitor) to be installed.
+#              If Gamin is not installed, Fail2ban will use auto.
+# polling:   uses a polling algorithm which does not require external libraries.
+# systemd:   uses systemd python library to access the systemd journal.
+#              Specifying "logpath" is not valid for this backend.
+#              See "journalmatch" in the jails associated filter config
+# auto:      will try to use the following backends, in order:
+#              pyinotify, gamin, polling.
+backend = auto
+
+# "usedns" specifies if jails should trust hostnames in logs,
+#   warn when DNS lookups are performed, or ignore all hostnames in logs
+#
+# yes:   if a hostname is encountered, a DNS lookup will be performed.
+# warn:  if a hostname is encountered, a DNS lookup will be performed,
+#        but it will be logged as a warning.
+# no:    if a hostname is encountered, will not be used for banning,
+#        but it will be logged as info.
+usedns = warn
+
+# "logencoding" specifies the encoding of the log files handled by the jail
+#   This is used to decode the lines from the log file.
+#   Typical examples:  "ascii", "utf-8"
+#
+#   auto:   will use the system locale setting
+logencoding = auto
+
+# "enabled" enables the jails.
+#  By default all jails are disabled, and it should stay this way.
+#  Enable only relevant to your setup jails in your .local or jail.d/*.conf
+#
+# true:  jail will be enabled and log files will get monitored for changes
+# false: jail is not enabled
+enabled = false
+
+
+# "filter" defines the filter to use by the jail.
+#  By default jails have names matching their filter name
+#
+filter = %(__name__)s
+
+
+#
+# ACTIONS
+#
+
+# Some options used for actions
+
+# Destination email address used solely for the interpolations in
+# jail.{conf,local,d/*} configuration files.
+destemail = root@localhost
+
+# Sender email address used solely for some actions
+sender = root@localhost
+
+# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
+# mailing. Change mta configuration parameter to mail if you want to
+# revert to conventional 'mail'.
+mta = sendmail
+
+# Default protocol
+protocol = tcp
+
+# Specify chain where jumps would need to be added in iptables-* actions
+chain = INPUT
+
+# Ports to be banned
+# Usually should be overridden in a particular jail
+port = 0:65535
+
+#
+# Action shortcuts. To be used to define action parameter
+
+# Default banning action (e.g. iptables, iptables-new,
+# iptables-multiport, shorewall, etc) It is used to define
+# action_* variables. Can be overridden globally or per
+# section within jail.local file
+banaction = iptables-multiport
+
+# The simplest action to take: ban only
+action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report to the destemail.
+action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
+
+# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
+#
+# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
+# to the destemail.
+action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
+
+
+# Report block via blocklist.de fail2ban reporting service API
+# 
+# See the IMPORTANT note in action.d/blocklist_de.conf for when to
+# use this action. Create a file jail.d/blocklist_de.local containing
+# [Init]
+# blocklist_de_apikey = {api key from registration]
+#
+action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]
+
+# Report ban via badips.com, and use as blacklist
+#
+# See BadIPsAction docstring in config/action.d/badips.py for
+# documentation for this action.
+#
+# NOTE: This action relies on banaction being present on start and therefore
+# should be last action defined for a jail.
+#
+action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]
+
+# Choose default action.  To change, just override value of 'action' with the
+# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
+# globally (section [DEFAULT]) or per specific section
+action = %(action_)s
+
+
+#
+# JAILS
+#
+
+#
+# SSH servers
+#
+
+[sshd]
+
+port    = ssh
+logpath = %(sshd_log)s
+
+
+[sshd-ddos]
+# This jail corresponds to the standard configuration in Fail2ban.
+# The mail-whois action send a notification e-mail with a whois request
+# in the body.
+port    = ssh
+logpath = %(sshd_log)s
+
+
+[dropbear]
+
+port     = ssh
+logpath  = %(dropbear_log)s
+
+
+[selinux-ssh]
+
+port     = ssh
+logpath  = %(auditd_log)s
+maxretry = 5
+
+
+#
+# HTTP servers
+#
+
+[apache-auth]
+
+port     = http,https
+logpath  = %(apache_error_log)s
+
+
+[apache-badbots]
+# Ban hosts which agent identifies spammer robots crawling the web
+# for email addresses. The mail outputs are buffered.
+port     = http,https
+logpath  = %(apache_access_log)s
+bantime  = 172800
+maxretry = 1
+
+
+[apache-noscript]
+
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 6
+
+
+[apache-overflows]
+
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-nohome]
+
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-botsearch]
+
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-modsecurity]
+
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 2
+
+[apache-shellshock]
+
+port    = http,https
+logpath = $(apache_error_log)s
+maxretry = 1
+
+[nginx-http-auth]
+
+ports   = http,https
+logpath = %(nginx_error_log)s
+
+
+# Ban attackers that try to use PHP's URL-fopen() functionality
+# through GET/POST variables. - Experimental, with more than a year
+# of usage in production environments.
+
+[php-url-fopen]
+
+port    = http,https
+logpath = %(nginx_access_log)s %(apache_access_log)s
+
+
+[suhosin]
+
+port    = http,https
+logpath = %(suhosin_log)s
+
+
+[lighttpd-auth]
+# Same as above for Apache's mod_auth
+# It catches wrong authentifications
+port    = http,https
+logpath = %(lighttpd_error_log)s
+
+
+#
+# Webmail and groupware servers
+#
+
+[roundcube-auth]
+
+port     = http,https
+logpath  = /var/log/roundcube/userlogins
+
+
+[openwebmail]
+
+port     = http,https
+logpath  = /var/log/openwebmail.log
+
+
+[horde]
+
+port     = http,https
+logpath  = /var/log/horde/horde.log
+
+
+[groupoffice]
+
+port     = http,https
+logpath  = /home/groupoffice/log/info.log
+
+
+[sogo-auth]
+# Monitor SOGo groupware server
+# without proxy this would be:
+# port    = 20000
+port     = http,https
+logpath  = /var/log/sogo/sogo.log
+
+
+[tine20]
+
+logpath  = /var/log/tine20/tine20.log
+port     = http,https
+maxretry = 5
+
+
+#
+# Web Applications
+#
+#
+
+[guacamole]
+
+port     = http,https
+logpath  = /var/log/tomcat*/catalina.out
+
+[monit]
+#Ban clients brute-forcing the monit gui login
+filter   = monit
+port = 2812
+logpath  = /var/log/monit
+
+
+[webmin-auth]
+
+port    = 10000
+logpath = %(syslog_authpriv)s
+
+
+#
+# HTTP Proxy servers
+#
+#
+
+[squid]
+
+port     =  80,443,3128,8080
+logpath = /var/log/squid/access.log
+
+
+[3proxy]
+
+port    = 3128
+logpath = /var/log/3proxy.log
+
+#
+# FTP servers
+#
+
+
+[proftpd]
+
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(proftpd_log)s
+
+
+[pure-ftpd]
+
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(pureftpd_log)s
+maxretry = 6
+
+
+[gssftpd]
+
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(syslog_daemon)s
+maxretry = 6
+
+
+[wuftpd]
+
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(wuftpd_log)s
+maxretry = 6
+
+
+[vsftpd]
+# or overwrite it in jails.local to be
+# logpath = %(syslog_authpriv)s
+# if you want to rely on PAM failed login attempts
+# vsftpd's failregex should match both of those formats
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(vsftpd_log)s
+
+
+#
+# Mail servers
+#
+
+# ASSP SMTP Proxy Jail
+[assp]
+
+port     = smtp,465,submission
+logpath  = /root/path/to/assp/logs/maillog.txt
+
+
+[courier-smtp]
+
+port     = smtp,465,submission
+logpath  = %(syslog_mail)s
+
+
+[postfix]
+
+port     = smtp,465,submission
+logpath  = %(postfix_log)s
+
+
+[sendmail-auth]
+
+port    = submission,465,smtp
+logpath = %(syslog_mail)s
+
+
+[sendmail-reject]
+
+port     = smtp,465,submission
+logpath  = %(syslog_mail)s
+
+
+[qmail-rbl]
+
+filter  = qmail
+port    = smtp,465,submission
+logpath = /service/qmail/log/main/current
+
+
+# dovecot defaults to logging to the mail syslog facility
+# but can be set by syslog_facility in the dovecot configuration.
+[dovecot]
+
+port    = pop3,pop3s,imap,imaps,submission,465,sieve
+logpath = %(dovecot_log)s
+
+
+[sieve]
+
+port   = smtp,465,submission
+logpath = %(dovecot_log)s
+
+
+[solid-pop3d]
+
+port    = pop3,pop3s
+logpath = %(solidpop3d_log)s
+
+
+[exim]
+
+port   = smtp,465,submission
+logpath = %(exim_main_log)s
+
+
+[exim-spam]
+
+port   = smtp,465,submission
+logpath = %(exim_main_log)s
+
+
+[kerio]
+
+port    = imap,smtp,imaps,465
+logpath = /opt/kerio/mailserver/store/logs/security.log
+
+
+#
+# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
+# all relevant ports get banned
+#
+
+[courier-auth]
+
+port     = smtp,465,submission,imap3,imaps,pop3,pop3s
+logpath  = %(syslog_mail)s
+
+
+[postfix-sasl]
+
+port     = smtp,465,submission,imap3,imaps,pop3,pop3s
+# You might consider monitoring /var/log/mail.warn instead if you are
+# running postfix since it would provide the same log lines at the
+# "warn" level but overall at the smaller filesize.
+logpath  = %(postfix_log)s
+
+
+[perdition]
+
+port   = imap3,imaps,pop3,pop3s
+logpath = %(syslog_mail)s
+
+
+[squirrelmail]
+
+port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks
+logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
+
+
+[cyrus-imap]
+
+port   = imap3,imaps
+logpath = %(syslog_mail)s
+
+
+[uwimap-auth]
+
+port   = imap3,imaps
+logpath = %(syslog_mail)s
+
+
+#
+#
+# DNS servers
+#
+
+
+# !!! WARNING !!!
+#   Since UDP is connection-less protocol, spoofing of IP and imitation
+#   of illegal actions is way too simple.  Thus enabling of this filter
+#   might provide an easy way for implementing a DoS against a chosen
+#   victim. See
+#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
+#   Please DO NOT USE this jail unless you know what you are doing.
+#
+# IMPORTANT: see filter.d/named-refused for instructions to enable logging
+# This jail blocks UDP traffic for DNS requests.
+# [named-refused-udp]
+#
+# filter   = named-refused
+# port     = domain,953
+# protocol = udp
+# logpath  = /var/log/named/security.log
+
+# IMPORTANT: see filter.d/named-refused for instructions to enable logging
+# This jail blocks TCP traffic for DNS requests.
+
+[named-refused]
+
+port     = domain,953
+logpath  = /var/log/named/security.log
+
+
+[nsd]
+
+port     = 53
+action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+logpath = /var/log/nsd.log
+
+
+#
+# Miscellaneous
+#
+
+[asterisk]
+
+port     = 5060,5061
+action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
+logpath  = /var/log/asterisk/messages
+maxretry = 10
+
+
+[freeswitch]
+
+port     = 5060,5061
+action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
+logpath  = /var/log/freeswitch.log
+maxretry = 10
+
+
+# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
+# equivalent section:
+# log-warning = 2
+#
+# for syslog (daemon facility)
+# [mysqld_safe]
+# syslog
+#
+# for own logfile
+# [mysqld]
+# log-error=/var/log/mysqld.log
+[mysqld-auth]
+
+port     = 3306
+logpath  = %(mysql_log)s
+maxretry = 5
+
+
+# Jail for more extended banning of persistent abusers
+# !!! WARNING !!!
+#   Make sure that your loglevel specified in fail2ban.conf/.local
+#   is not at DEBUG level -- which might then cause fail2ban to fall into
+#   an infinite loop constantly feeding itself with non-informative lines
+[recidive]
+
+logpath  = /var/log/fail2ban.log
+port     = all
+protocol = all
+bantime  = 604800  ; 1 week
+findtime = 86400   ; 1 day
+maxretry = 5
+
+
+# Generic filter for PAM. Has to be used with action which bans all
+# ports such as iptables-allports, shorewall
+
+[pam-generic]
+# pam-generic filter can be customized to monitor specific subset of 'tty's
+banaction = iptables-allports
+logpath  = %(syslog_authpriv)s
+
+
+[xinetd-fail]
+
+banaction = iptables-multiport-log
+logpath   = %(syslog_daemon)s
+maxretry  = 2
+
+
+# stunnel - need to set port for this
+[stunnel]
+
+logpath = /var/log/stunnel4/stunnel.log
+
+
+[ejabberd-auth]
+
+port    = 5222
+logpath = /var/log/ejabberd/ejabberd.log
+
+
+[counter-strike]
+
+logpath = /opt/cstrike/logs/L[0-9]*.log
+# Firewall: http://www.cstrike-planet.com/faq/6
+tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
+udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
+action  = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+           %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+
+# consider low maxretry and a long bantime
+# nobody except your own Nagios server should ever probe nrpe
+[nagios]
+
+enabled  = false
+logpath  = %(syslog_daemon)s     ; nrpe.cfg may define a different log_facility
+maxretry = 1
+
+
+[oracleims]
+# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
+enabled = false
+logpath = /opt/sun/comms/messaging64/log/mail.log_current
+maxretry = 6
+banaction = iptables-allports
+
+[directadmin]
+enabled = false
+logpath = /var/log/directadmin/login.log
+port = 2222
+
+[portsentry]
+enabled  = false
+logpath  = /var/lib/portsentry/portsentry.history
+maxretry = 1
\ No newline at end of file
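Review bot: `[apache-shellshock]` sets `logpath = $(apache_error_log)s`, with `$` where every other jail writes `%(...)s`, so the value is not interpolated and the jail would point at a literal, non-existent path once it is enabled. `[nginx-http-auth]` sets `ports = http,https` while all other jails use `port`, so that jail presumably keeps the `[DEFAULT]` value `port = 0:65535`. Both jails are off by default (`enabled = false`), and the file header asks for changes to go into jail.local, so the overrides there would be `logpath = %(apache_error_log)s` and `port = http,https`. `before = paths-debian.conf` is also worth checking against this host's real log locations, since the OpenRC init script and Gentoo kernel config in the same commit suggest the machine is not Debian.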
diff --git a/fail2ban/jail.d/sshd.conf b/fail2ban/jail.d/sshd.conf
new file mode 100644 (file)
index 0000000..0f835f7
--- /dev/null
@@ -0,0 +1,23 @@
+# Fail2Ban jail specification file for SSHD
+
+[ssh-iptables]
+
+enabled  = true
+filter   = sshd
+action   = iptables[name=SSH, port=ssh, protocol=tcp]
+           sendmail-whois[name=SSH, dest=frank@brehm-online.com, sender=fail2ban@brehm-online.com, sendername="Fail2Ban"]
+logpath  = /var/log/syslog
+maxretry = 5
+
+
+[ssh-ddos]
+
+enabled  = false
+filter   = sshd-ddos
+action   = iptables[name=SSHDDOS, port=ssh, protocol=tcp]
+logpath  = /var/log/syslog
+maxretry = 3
+
+
+
+# vim: filetype=dosini
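Review bot: `[ssh-iptables]` reads `logpath = /var/log/syslog`, whereas the stock `[sshd]` jail in jail.conf resolves `sshd_log` to `syslog_authpriv` (`/var/log/auth.log` via paths-debian.conf). If the local syslog daemon routes sshd's authentication messages anywhere other than /var/log/syslog, this jail matches nothing and bans nobody, without raising an error. Running `fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/sshd.conf` after a deliberate failed login confirms the path. Once it is confirmed, a comment above the line such as `# sshd auth messages land in /var/log/syslog on this host, not auth.log` would record why it differs from the distribution default.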
diff --git a/fail2ban/paths-common.conf b/fail2ban/paths-common.conf
new file mode 100644 (file)
index 0000000..c634e73
--- /dev/null
@@ -0,0 +1,63 @@
+# Common
+#
+
+[INCLUDES]
+
+after  = paths-overrides.local
+
+[DEFAULT]
+
+sshd_log = %(syslog_authpriv)s
+
+dropbear_log = %(syslog_authpriv)s
+
+# There is no sensible generic defaults for syslog log targets, thus
+# leaving them empty here so that no errors while parsing/interpolating configs
+syslog_daemon =
+syslog_ftp =
+syslog_local0 =
+syslog_mail_warn =
+syslog_user =
+
+# from /etc/audit/auditd.conf
+auditd_log = /var/log/audit/audit.log
+
+exim_main_log = /var/log/exim/mainlog
+
+nginx_error_log = /var/log/nginx/error.log
+
+nginx_access_log = /var/log/nginx/access.log
+
+
+lighttpd_error_log = /var/log/lighttpd/error.log
+
+# http://www.hardened-php.net/suhosin/configuration.html#suhosin.log.syslog.facility
+# syslog_user is the default. Lighttpd also hooks errors into its log.
+
+suhosin_log = %(syslog_user)s %(lighttpd_error_log)s
+
+# defaults to ftp or local2 if ftp doesn't exist
+proftpd_log = %(syslog_ftp)s
+
+# http://svnweb.freebsd.org/ports/head/ftp/proftpd/files/patch-src_proftpd.8.in?view=markup
+# defaults to ftp but can be overwritten.
+pureftpd_log = %(syslog_ftp)s
+
+# ftp, daemon and then local7 are tried at configure time however it is overwriteable at configure time
+#
+wuftpd_log = %(syslog_ftp)s
+
+# syslog_enable defaults to no. so it defaults to vsftpd_log_file setting of /var/log/vsftpd.log
+# No distro seems to set it to syslog by default
+# If syslog set it defaults to ftp facility if exists at compile time otherwise falls back to daemonlog.
+vsftpd_log = /var/log/vsftpd.log
+
+# Technically syslog_facility in main.cf can overwrite but no-one sane does this.
+postfix_log = %(syslog_mail_warn)s
+
+dovecot_log = %(syslog_mail_warn)s
+
+# Seems to be set at compile time only to LOG_LOCAL0 (src/const.h) at Notice level
+solidpop3d_log = %(syslog_local0)s
+
+mysql_log = %(syslog_daemon)s
diff --git a/fail2ban/paths-debian.conf b/fail2ban/paths-debian.conf
new file mode 100644 (file)
index 0000000..eff4fda
--- /dev/null
@@ -0,0 +1,40 @@
+# Debian
+
+[INCLUDES]
+
+before = paths-common.conf
+
+after  = paths-overrides.local
+
+
+[DEFAULT]
+
+syslog_mail = /var/log/mail.log
+
+syslog_mail_warn = /var/log/mail.warn
+
+syslog_authpriv = /var/log/auth.log
+
+# syslog_auth = /var/log/auth.log
+#
+syslog_user  =  /var/log/user.log
+
+syslog_ftp = /var/log/syslog
+
+syslog_daemon =  /var/log/daemon.log
+
+syslog_local0 =  /var/log/messages
+
+
+apache_error_log = /var/log/apache2/*error.log
+
+apache_access_log = /var/log/apache2/*access.log
+
+exim_main_log = /var/log/exim4/mainlog
+
+# was in debian squeezy but not in wheezy
+# /etc/proftpd/proftpd.conf (SystemLog)
+proftpd_log = /var/log/proftpd/proftpd.log
+
+
+
diff --git a/fail2ban/paths-fedora.conf b/fail2ban/paths-fedora.conf
new file mode 100644 (file)
index 0000000..cc574b3
--- /dev/null
@@ -0,0 +1,37 @@
+# Fedora
+
+[INCLUDES]
+
+before = paths-common.conf
+
+after  = paths-overrides.local
+
+
+[DEFAULT]
+
+syslog_mail = /var/log/maillog
+
+syslog_mail_warn = /var/log/maillog
+
+syslog_authpriv = /var/log/secure
+
+syslog_user =  /var/log/messages
+
+syslog_ftp  = /var/log/messages
+
+syslog_daemon  = /var/log/messages
+
+syslog_local0  = /var/log/messages
+
+
+apache_error_log = /var/log/httpd/*error_log
+
+apache_access_log = /var/log/httpd/*access_log
+
+# /etc/proftpd/proftpd.conf (ExtendedLog for Anonymous)
+# proftpd_log = /var/log/proftpd/auth.log
+# Tested and it worked out in /var/log/messages so assuming syslog_ftp for now.
+
+exim_main_log = /var/log/exim/main.log
+
+mysql_log = /var/lib/mysql/mysqld.log
diff --git a/fail2ban/paths-freebsd.conf b/fail2ban/paths-freebsd.conf
new file mode 100644 (file)
index 0000000..fd788ab
--- /dev/null
@@ -0,0 +1,46 @@
+# FreeBSD
+
+[INCLUDES]
+
+before = paths-common.conf
+
+after  = paths-overrides.local
+
+
+[DEFAULT]
+
+# http://www.freebsd.org/doc/handbook/configtuning-syslog.html
+#
+syslog_mail = /var/log/maillog
+
+syslog_mail_warn = /var/log/maillog
+
+syslog_authpriv = /var/log/auth.log
+
+# note - is only ftp.info - if notice /var/log/messages may be needed
+syslog_ftp = /var/log/xferlog
+
+syslog_daemon = /var/log/messages
+
+syslog_local0 = /var/log/messages
+
+# Linux things
+# we fake to avoid parse error in startups
+
+auditd_log = /dev/null
+
+# http://svnweb.freebsd.org/ports/head/www/apache24/files/patch-docs__conf__extra__httpd-ssl.conf.in?view=markup
+# http://svnweb.freebsd.org/ports/head/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in?view=markup
+# http://svnweb.freebsd.org/ports/head/www/apache24/files/patch-config.layout
+# http://svnweb.freebsd.org/ports/head/www/apache22/files/patch-config.layout
+
+apache_error_log = /usr/local/www/logs/*error[_.]log
+
+apache_access_log = /usr/local/www/logs/*access[_.]log
+
+# http://svnweb.freebsd.org/ports/head/www/nginx/Makefile?view=markup
+
+nginx_error_log = /var/log/nginx-error.log
+
+nginx_access_log = /var/log/nginx-access.log
+
diff --git a/fail2ban/paths-osx.conf b/fail2ban/paths-osx.conf
new file mode 100644 (file)
index 0000000..d1b99b3
--- /dev/null
@@ -0,0 +1,27 @@
+# OSX
+#
+
+[INCLUDES]
+
+before = paths-common.conf
+
+after  = paths-overrides.local
+
+
+[DEFAULT]
+
+syslog_mail = /var/log/mail.log
+
+syslog_mail_warn = /var/log/mail.warn
+
+syslog_authpriv = /var/log/secure.log
+#syslog_auth = 
+
+#syslog_user = 
+
+#syslog_ftp = 
+
+#syslog_daemon = 
+
+#syslog_local0 =
+
index 62284fed7efc53d3e03d087d965b7e8f168b4a9a..16b734add394a8129bc33051dc2d61f7f16ffec4 100644 (file)
@@ -201,7 +201,7 @@ NotifyClamd /etc/clamd.conf
 # the statistics of this clamd installation by logging into
 # http://www.stats.clamav.net with the same credentials you used to
 # generate the HostID. For more information refer to:
-# http://www.clamav.net/support/faq/faq-cctts/
+# http://www.clamav.net/documentation.html#cctts 
 # This feature requires SubmitDetectionStats to be enabled.
 # Default: disabled
 #DetectionStatsHostID unique-id
@@ -216,7 +216,7 @@ NotifyClamd /etc/clamd.conf
 # Freshclam uses the ClamAV's mirror infrastructure to distribute the
 # database and its updates but all the contents are provided under Google's
 # terms of use. See http://www.google.com/transparencyreport/safebrowsing
-# and https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-safebrowsing.md
+# and http://www.clamav.net/documentation.html#safebrowsing 
 # for more information.
 # Default: disabled
 #SafeBrowsing yes
@@ -227,8 +227,7 @@ NotifyClamd /etc/clamd.conf
 #Bytecode yes
 
 # Download an additional 3rd party signature database distributed through
-# the ClamAV mirrors. Here you can find a list of available databases:
-# http://www.clamav.net/download/cvd/3rdparty
+# the ClamAV mirrors. 
 # This option can be used multiple times.
 #ExtraDatabase dbname1
 #ExtraDatabase dbname2
index 8c0b5b37616b729dcddf17752e31037eddd6b8fd..d03b3eb4ea73fafb788626dd5bdbb4ae23e2c345 100755 (executable)
@@ -104,7 +104,9 @@ linux_entry ()
       echo "   load_video" | sed "s/^/$submenu_indentation/"
       if grep -qx "CONFIG_FB_EFI=y" "${config}" 2> /dev/null \
          && grep -qx "CONFIG_VT_HW_CONSOLE_BINDING=y" "${config}" 2> /dev/null; then
-         echo "        set gfxpayload=keep" | sed "s/^/$submenu_indentation/"
+         echo '        if [ "x$grub_platform" = xefi ]; then' | sed "s/^/$submenu_indentation/"
+         echo "                set gfxpayload=keep" | sed "s/^/$submenu_indentation/"
+         echo '        fi' | sed "s/^/$submenu_indentation/"
       fi
   else
       if [ "x$GRUB_GFXPAYLOAD_LINUX" != xtext ]; then
diff --git a/init.d/fail2ban b/init.d/fail2ban
new file mode 100755 (executable)
index 0000000..8b0f0c1
--- /dev/null
@@ -0,0 +1,59 @@
+#!/sbin/runscript
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# Author: Sireyessire, Cyril Jaquier
+#
+
+extra_started_commands="reload showlog"
+
+FAIL2BAN="/usr/bin/fail2ban-client ${FAIL2BAN_OPTIONS}"
+
+depend() {
+       need net
+       need logger
+       after iptables
+}
+
+start() {
+       ebegin "Starting fail2ban"
+       if [ ! -d /run/fail2ban ]; then
+               mkdir /run/fail2ban || return 1
+       fi
+       if [ -e /run/fail2ban/fail2ban.sock ]; then
+               # remove stalled sock file after system crash
+               # bug 347477
+               rm -rf /run/fail2ban/fail2ban.sock || return 1
+       fi
+       ${FAIL2BAN} start &> /dev/null
+       eend $? "Failed to start fail2ban"
+}
+
+stop() {
+       ebegin "Stopping fail2ban"
+       ${FAIL2BAN} stop &> /dev/null
+       eend $? "Failed to stop fail2ban"
+}
+
+reload() {
+       ebegin "Reloading fail2ban"
+       ${FAIL2BAN} reload > /dev/null
+       eend $? "Failed to reload fail2ban"
+}
+
+showlog(){
+       less /var/log/fail2ban.log
+}
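Review bot: `${FAIL2BAN} start &> /dev/null` in start(), and the same redirect in stop(), relies on the bash-only `&>` operator. Under a strictly POSIX /bin/sh it parses as a background job followed by an empty redirect, so `$?` is always 0 and `eend` reports success even when the ban daemon failed to come up. reload() already uses a plain `> /dev/null`. The portable form is `${FAIL2BAN} start > /dev/null 2>&1` and `${FAIL2BAN} stop > /dev/null 2>&1`. Whether this bites depends on which shell runscript uses on this host.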
diff --git a/kernel-config/config-3.16.5-gentoo-00 b/kernel-config/config-3.16.5-gentoo-00
new file mode 100644 (file)
index 0000000..e872741
--- /dev/null
@@ -0,0 +1,3363 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86 3.16.5-gentoo Kernel Configuration
+#
+
+#
+# Gentoo Linux
+#
+CONFIG_GENTOO_LINUX=y
+CONFIG_GENTOO_LINUX_UDEV=y
+
+#
+# Support for init systems, system and service managers
+#
+CONFIG_GENTOO_LINUX_INIT_SCRIPT=y
+CONFIG_GENTOO_LINUX_INIT_SYSTEMD=y
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_LATENCYTOP_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
+CONFIG_ARCH_WANT_GENERAL_HUGETLB=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_HAVE_INTEL_TXT=y
+CONFIG_X86_64_SMP=y
+CONFIG_X86_HT=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_FIX_EARLYCON_MEM=y
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+# CONFIG_COMPILE_TEST is not set
+CONFIG_LOCALVERSION=""
+# CONFIG_LOCALVERSION_AUTO is not set
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_HAVE_KERNEL_LZ4=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+# CONFIG_KERNEL_LZ4 is not set
+CONFIG_DEFAULT_HOSTNAME="uhu1"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_FHANDLE=y
+CONFIG_USELIB=y
+CONFIG_AUDIT=y
+CONFIG_HAVE_ARCH_AUDITSYSCALL=y
+CONFIG_AUDITSYSCALL=y
+CONFIG_AUDIT_WATCH=y
+CONFIG_AUDIT_TREE=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_GENERIC_IRQ_LEGACY_ALLOC_HWIRQ=y
+CONFIG_GENERIC_PENDING_IRQ=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ_COMMON=y
+# CONFIG_HZ_PERIODIC is not set
+CONFIG_NO_HZ_IDLE=y
+# CONFIG_NO_HZ_FULL is not set
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+CONFIG_BSD_PROCESS_ACCT_V3=y
+CONFIG_TASKSTATS=y
+CONFIG_TASK_DELAY_ACCT=y
+CONFIG_TASK_XACCT=y
+CONFIG_TASK_IO_ACCOUNTING=y
+
+#
+# RCU Subsystem
+#
+CONFIG_TREE_RCU=y
+# CONFIG_PREEMPT_RCU is not set
+CONFIG_RCU_STALL_COMMON=y
+# CONFIG_RCU_USER_QS is not set
+CONFIG_RCU_FANOUT=64
+CONFIG_RCU_FANOUT_LEAF=16
+# CONFIG_RCU_FANOUT_EXACT is not set
+# CONFIG_RCU_FAST_NO_HZ is not set
+# CONFIG_TREE_RCU_TRACE is not set
+# CONFIG_RCU_NOCB_CPU is not set
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=21
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_SUPPORTS_INT128=y
+CONFIG_ARCH_WANTS_PROT_NUMA_PROT_NONE=y
+# CONFIG_NUMA_BALANCING is not set
+CONFIG_CGROUPS=y
+# CONFIG_CGROUP_DEBUG is not set
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CGROUP_DEVICE=y
+CONFIG_CPUSETS=y
+CONFIG_PROC_PID_CPUSET=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_RESOURCE_COUNTERS=y
+CONFIG_MEMCG=y
+CONFIG_MEMCG_SWAP=y
+CONFIG_MEMCG_SWAP_ENABLED=y
+CONFIG_MEMCG_KMEM=y
+CONFIG_CGROUP_HUGETLB=y
+CONFIG_CGROUP_PERF=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_FAIR_GROUP_SCHED=y
+CONFIG_CFS_BANDWIDTH=y
+CONFIG_RT_GROUP_SCHED=y
+CONFIG_BLK_CGROUP=y
+# CONFIG_DEBUG_BLK_CGROUP is not set
+CONFIG_CHECKPOINT_RESTORE=y
+# CONFIG_NAMESPACES is not set
+CONFIG_NET_NS=y
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+CONFIG_RELAY=y
+CONFIG_BLK_DEV_INITRD=y
+CONFIG_INITRAMFS_SOURCE=""
+CONFIG_RD_GZIP=y
+CONFIG_RD_BZIP2=y
+CONFIG_RD_LZMA=y
+CONFIG_RD_XZ=y
+CONFIG_RD_LZO=y
+CONFIG_RD_LZ4=y
+# CONFIG_CC_OPTIMIZE_FOR_SIZE is not set
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+CONFIG_HAVE_UID16=y
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_EXPERT=y
+CONFIG_UID16=y
+CONFIG_SGETMASK_SYSCALL=y
+CONFIG_SYSFS_SYSCALL=y
+CONFIG_SYSCTL_SYSCALL=y
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+CONFIG_PCI_QUIRKS=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_SLUB_DEBUG=y
+# CONFIG_COMPAT_BRK is not set
+# CONFIG_SLAB is not set
+CONFIG_SLUB=y
+# CONFIG_SLOB is not set
+CONFIG_SLUB_CPU_PARTIAL=y
+# CONFIG_SYSTEM_TRUSTED_KEYRING is not set
+CONFIG_PROFILING=y
+CONFIG_TRACEPOINTS=y
+# CONFIG_OPROFILE is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+CONFIG_KPROBES=y
+# CONFIG_JUMP_LABEL is not set
+CONFIG_OPTPROBES=y
+# CONFIG_UPROBES is not set
+# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_KRETPROBES=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_KPROBES_ON_FTRACE=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_ATTRS=y
+CONFIG_HAVE_DMA_CONTIGUOUS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_ALIGNED_STRUCT_PAGE=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y
+CONFIG_ARCH_WANT_OLD_COMPAT_IPC=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_CC_STACKPROTECTOR=y
+# CONFIG_CC_STACKPROTECTOR is not set
+CONFIG_CC_STACKPROTECTOR_NONE=y
+# CONFIG_CC_STACKPROTECTOR_REGULAR is not set
+# CONFIG_CC_STACKPROTECTOR_STRONG is not set
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_HAVE_ARCH_SOFT_DIRTY=y
+CONFIG_MODULES_USE_ELF_RELA=y
+CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
+CONFIG_OLD_SIGSUSPEND3=y
+CONFIG_COMPAT_OLD_SIGACTION=y
+
+#
+# GCOV-based kernel profiling
+#
+# CONFIG_GCOV_KERNEL is not set
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+CONFIG_MODULES=y
+# CONFIG_MODULE_FORCE_LOAD is not set
+CONFIG_MODULE_UNLOAD=y
+CONFIG_MODULE_FORCE_UNLOAD=y
+# CONFIG_MODVERSIONS is not set
+# CONFIG_MODULE_SRCVERSION_ALL is not set
+# CONFIG_MODULE_SIG is not set
+CONFIG_STOP_MACHINE=y
+CONFIG_BLOCK=y
+CONFIG_BLK_DEV_BSG=y
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+# CONFIG_BLK_DEV_THROTTLING is not set
+CONFIG_BLK_CMDLINE_PARSER=y
+
+#
+# Partition Types
+#
+CONFIG_PARTITION_ADVANCED=y
+CONFIG_ACORN_PARTITION=y
+CONFIG_ACORN_PARTITION_CUMANA=y
+CONFIG_ACORN_PARTITION_EESOX=y
+CONFIG_ACORN_PARTITION_ICS=y
+CONFIG_ACORN_PARTITION_ADFS=y
+CONFIG_ACORN_PARTITION_POWERTEC=y
+CONFIG_ACORN_PARTITION_RISCIX=y
+CONFIG_AIX_PARTITION=y
+CONFIG_OSF_PARTITION=y
+CONFIG_AMIGA_PARTITION=y
+CONFIG_ATARI_PARTITION=y
+CONFIG_MAC_PARTITION=y
+CONFIG_MSDOS_PARTITION=y
+CONFIG_BSD_DISKLABEL=y
+CONFIG_MINIX_SUBPARTITION=y
+CONFIG_SOLARIS_X86_PARTITION=y
+CONFIG_UNIXWARE_DISKLABEL=y
+CONFIG_LDM_PARTITION=y
+CONFIG_LDM_DEBUG=y
+CONFIG_SGI_PARTITION=y
+CONFIG_ULTRIX_PARTITION=y
+CONFIG_SUN_PARTITION=y
+CONFIG_KARMA_PARTITION=y
+CONFIG_EFI_PARTITION=y
+CONFIG_SYSV68_PARTITION=y
+CONFIG_CMDLINE_PARTITION=y
+CONFIG_BLOCK_COMPAT=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+CONFIG_CFQ_GROUP_IOSCHED=y
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_PADATA=y
+CONFIG_ASN1=m
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y
+CONFIG_MUTEX_SPIN_ON_OWNER=y
+CONFIG_RWSEM_SPIN_ON_OWNER=y
+CONFIG_ARCH_USE_QUEUE_RWLOCK=y
+CONFIG_QUEUE_RWLOCK=y
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+CONFIG_SMP=y
+CONFIG_X86_X2APIC=y
+CONFIG_X86_MPPARSE=y
+CONFIG_X86_EXTENDED_PLATFORM=y
+# CONFIG_X86_NUMACHIP is not set
+# CONFIG_X86_VSMP is not set
+# CONFIG_X86_UV is not set
+# CONFIG_X86_GOLDFISH is not set
+# CONFIG_X86_INTEL_LPSS is not set
+CONFIG_X86_SUPPORTS_MEMORY_FAILURE=y
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+CONFIG_HYPERVISOR_GUEST=y
+CONFIG_PARAVIRT=y
+# CONFIG_PARAVIRT_DEBUG is not set
+# CONFIG_PARAVIRT_SPINLOCKS is not set
+# CONFIG_XEN is not set
+CONFIG_KVM_GUEST=y
+# CONFIG_KVM_DEBUG_FS is not set
+# CONFIG_PARAVIRT_TIME_ACCOUNTING is not set
+CONFIG_PARAVIRT_CLOCK=y
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MEMTEST is not set
+CONFIG_MK8=y
+# CONFIG_MPSC is not set
+# CONFIG_MCORE2 is not set
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_PROCESSOR_SELECT=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+# CONFIG_CPU_SUP_CENTAUR is not set
+CONFIG_HPET_TIMER=y
+CONFIG_HPET_EMULATE_RTC=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+CONFIG_CALGARY_IOMMU=y
+CONFIG_CALGARY_IOMMU_ENABLED_BY_DEFAULT=y
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+# CONFIG_MAXSMP is not set
+CONFIG_NR_CPUS=64
+CONFIG_SCHED_SMT=y
+CONFIG_SCHED_MC=y
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y
+CONFIG_X86_MCE=y
+CONFIG_X86_MCE_INTEL=y
+CONFIG_X86_MCE_AMD=y
+CONFIG_X86_MCE_THRESHOLD=y
+# CONFIG_X86_MCE_INJECT is not set
+CONFIG_X86_THERMAL_VECTOR=y
+CONFIG_X86_16BIT=y
+CONFIG_X86_ESPFIX64=y
+# CONFIG_I8K is not set
+CONFIG_MICROCODE=y
+CONFIG_MICROCODE_INTEL=y
+CONFIG_MICROCODE_AMD=y
+CONFIG_MICROCODE_OLD_INTERFACE=y
+CONFIG_MICROCODE_INTEL_EARLY=y
+CONFIG_MICROCODE_AMD_EARLY=y
+CONFIG_MICROCODE_EARLY=y
+CONFIG_X86_MSR=y
+CONFIG_X86_CPUID=y
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DIRECT_GBPAGES=y
+CONFIG_NUMA=y
+CONFIG_AMD_NUMA=y
+CONFIG_X86_64_ACPI_NUMA=y
+CONFIG_NODES_SPAN_OTHER_NODES=y
+# CONFIG_NUMA_EMU is not set
+CONFIG_NODES_SHIFT=6
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_NEED_MULTIPLE_NODES=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+# CONFIG_MOVABLE_NODE is not set
+# CONFIG_HAVE_BOOTMEM_INFO_NODE is not set
+# CONFIG_MEMORY_HOTPLUG is not set
+CONFIG_PAGEFLAGS_EXTENDED=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_ZONE_DMA_FLAG=1
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+CONFIG_MMU_NOTIFIER=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y
+# CONFIG_MEMORY_FAILURE is not set
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+# CONFIG_CLEANCACHE is not set
+CONFIG_FRONTSWAP=y
+CONFIG_CMA=y
+# CONFIG_CMA_DEBUG is not set
+# CONFIG_ZBUD is not set
+# CONFIG_ZSWAP is not set
+# CONFIG_MEM_SOFT_DIRTY is not set
+CONFIG_ZSMALLOC=y
+# CONFIG_PGTABLE_MAPPING is not set
+CONFIG_GENERIC_EARLY_IOREMAP=y
+CONFIG_X86_CHECK_BIOS_CORRUPTION=y
+CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+# CONFIG_MTRR_SANITIZER is not set
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+CONFIG_EFI=y
+CONFIG_EFI_STUB=y
+CONFIG_EFI_MIXED=y
+CONFIG_SECCOMP=y
+# CONFIG_HZ_100 is not set
+# CONFIG_HZ_250 is not set
+# CONFIG_HZ_300 is not set
+CONFIG_HZ_1000=y
+CONFIG_HZ=1000
+CONFIG_SCHED_HRTICK=y
+CONFIG_KEXEC=y
+CONFIG_CRASH_DUMP=y
+# CONFIG_KEXEC_JUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+# CONFIG_RANDOMIZE_BASE is not set
+CONFIG_PHYSICAL_ALIGN=0x1000000
+CONFIG_HOTPLUG_CPU=y
+# CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set
+# CONFIG_DEBUG_HOTPLUG_CPU0 is not set
+# CONFIG_COMPAT_VDSO is not set
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_USE_PERCPU_NUMA_NODE_ID=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_ARCH_HIBERNATION_HEADER=y
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+CONFIG_HIBERNATE_CALLBACKS=y
+CONFIG_HIBERNATION=y
+CONFIG_PM_STD_PARTITION=""
+CONFIG_PM_SLEEP=y
+CONFIG_PM_SLEEP_SMP=y
+# CONFIG_PM_AUTOSLEEP is not set
+CONFIG_PM_WAKELOCKS=y
+CONFIG_PM_WAKELOCKS_LIMIT=100
+CONFIG_PM_WAKELOCKS_GC=y
+# CONFIG_PM_RUNTIME is not set
+CONFIG_PM=y
+CONFIG_PM_DEBUG=y
+# CONFIG_PM_ADVANCED_DEBUG is not set
+# CONFIG_PM_TEST_SUSPEND is not set
+CONFIG_PM_SLEEP_DEBUG=y
+CONFIG_PM_TRACE=y
+CONFIG_PM_TRACE_RTC=y
+# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS_POWER is not set
+CONFIG_ACPI_EC_DEBUGFS=m
+CONFIG_ACPI_AC=m
+CONFIG_ACPI_BATTERY=m
+CONFIG_ACPI_BUTTON=m
+CONFIG_ACPI_VIDEO=m
+CONFIG_ACPI_FAN=m
+CONFIG_ACPI_DOCK=y
+CONFIG_ACPI_PROCESSOR=m
+CONFIG_ACPI_HOTPLUG_CPU=y
+CONFIG_ACPI_PROCESSOR_AGGREGATOR=m
+CONFIG_ACPI_THERMAL=m
+CONFIG_ACPI_NUMA=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+CONFIG_ACPI_INITRD_TABLE_OVERRIDE=y
+# CONFIG_ACPI_DEBUG is not set
+CONFIG_ACPI_PCI_SLOT=y
+CONFIG_X86_PM_TIMER=y
+CONFIG_ACPI_CONTAINER=y
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_CUSTOM_METHOD is not set
+CONFIG_ACPI_BGRT=y
+# CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set
+# CONFIG_ACPI_APEI is not set
+CONFIG_ACPI_EXTLOG=m
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+CONFIG_CPU_FREQ=y
+CONFIG_CPU_FREQ_GOV_COMMON=y
+CONFIG_CPU_FREQ_STAT=m
+CONFIG_CPU_FREQ_STAT_DETAILS=y
+# CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE is not set
+# CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE is not set
+CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE=y
+# CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND is not set
+# CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE is not set
+CONFIG_CPU_FREQ_GOV_PERFORMANCE=m
+CONFIG_CPU_FREQ_GOV_POWERSAVE=m
+CONFIG_CPU_FREQ_GOV_USERSPACE=y
+CONFIG_CPU_FREQ_GOV_ONDEMAND=m
+CONFIG_CPU_FREQ_GOV_CONSERVATIVE=m
+
+#
+# x86 CPU frequency scaling drivers
+#
+# CONFIG_X86_INTEL_PSTATE is not set
+CONFIG_X86_PCC_CPUFREQ=m
+CONFIG_X86_ACPI_CPUFREQ=m
+CONFIG_X86_ACPI_CPUFREQ_CPB=y
+CONFIG_X86_POWERNOW_K8=m
+CONFIG_X86_AMD_FREQ_SENSITIVITY=m
+# CONFIG_X86_SPEEDSTEP_CENTRINO is not set
+# CONFIG_X86_P4_CLOCKMOD is not set
+
+#
+# shared options
+#
+# CONFIG_X86_SPEEDSTEP_LIB is not set
+
+#
+# CPU Idle
+#
+CONFIG_CPU_IDLE=y
+CONFIG_CPU_IDLE_MULTIPLE_DRIVERS=y
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+CONFIG_PCI_MMCONFIG=y
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCI_CNB20LE_QUIRK is not set
+CONFIG_PCIEPORTBUS=y
+# CONFIG_HOTPLUG_PCI_PCIE is not set
+CONFIG_PCIEAER=y
+# CONFIG_PCIE_ECRC is not set
+# CONFIG_PCIEAER_INJECT is not set
+CONFIG_PCIEASPM=y
+# CONFIG_PCIEASPM_DEBUG is not set
+CONFIG_PCIEASPM_DEFAULT=y
+# CONFIG_PCIEASPM_POWERSAVE is not set
+# CONFIG_PCIEASPM_PERFORMANCE is not set
+CONFIG_PCI_MSI=y
+# CONFIG_PCI_DEBUG is not set
+CONFIG_PCI_REALLOC_ENABLE_AUTO=y
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+CONFIG_PCI_ATS=y
+CONFIG_PCI_IOV=y
+CONFIG_PCI_PRI=y
+CONFIG_PCI_PASID=y
+CONFIG_PCI_IOAPIC=y
+CONFIG_PCI_LABEL=y
+
+#
+# PCI host controller drivers
+#
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+CONFIG_HOTPLUG_PCI=y
+CONFIG_HOTPLUG_PCI_ACPI=y
+# CONFIG_HOTPLUG_PCI_ACPI_IBM is not set
+# CONFIG_HOTPLUG_PCI_CPCI is not set
+CONFIG_HOTPLUG_PCI_SHPC=m
+# CONFIG_RAPIDIO is not set
+# CONFIG_X86_SYSFB is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_COMPAT_BINFMT_ELF=y
+CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
+CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y
+CONFIG_BINFMT_SCRIPT=y
+# CONFIG_HAVE_AOUT is not set
+CONFIG_BINFMT_MISC=m
+CONFIG_COREDUMP=y
+CONFIG_IA32_EMULATION=y
+CONFIG_IA32_AOUT=m
+# CONFIG_X86_X32 is not set
+CONFIG_COMPAT=y
+CONFIG_COMPAT_FOR_U64_ALIGNMENT=y
+CONFIG_SYSVIPC_COMPAT=y
+CONFIG_KEYS_COMPAT=y
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_IOSF_MBI=m
+CONFIG_NET=y
+CONFIG_COMPAT_NETLINK_MESSAGES=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+CONFIG_PACKET_DIAG=m
+CONFIG_UNIX=y
+CONFIG_UNIX_DIAG=m
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+# CONFIG_XFRM_SUB_POLICY is not set
+# CONFIG_XFRM_MIGRATE is not set
+# CONFIG_XFRM_STATISTICS is not set
+CONFIG_XFRM_IPCOMP=m
+CONFIG_NET_KEY=m
+# CONFIG_NET_KEY_MIGRATE is not set
+CONFIG_INET=y
+CONFIG_IP_MULTICAST=y
+CONFIG_IP_ADVANCED_ROUTER=y
+CONFIG_IP_FIB_TRIE_STATS=y
+CONFIG_IP_MULTIPLE_TABLES=y
+CONFIG_IP_ROUTE_MULTIPATH=y
+CONFIG_IP_ROUTE_VERBOSE=y
+CONFIG_IP_ROUTE_CLASSID=y
+CONFIG_IP_PNP=y
+CONFIG_IP_PNP_DHCP=y
+CONFIG_IP_PNP_BOOTP=y
+CONFIG_IP_PNP_RARP=y
+CONFIG_NET_IPIP=m
+CONFIG_NET_IPGRE_DEMUX=m
+CONFIG_NET_IP_TUNNEL=m
+CONFIG_NET_IPGRE=m
+CONFIG_NET_IPGRE_BROADCAST=y
+CONFIG_IP_MROUTE=y
+CONFIG_IP_MROUTE_MULTIPLE_TABLES=y
+CONFIG_IP_PIMSM_V1=y
+CONFIG_IP_PIMSM_V2=y
+CONFIG_SYN_COOKIES=y
+CONFIG_NET_IPVTI=m
+CONFIG_INET_AH=m
+CONFIG_INET_ESP=m
+CONFIG_INET_IPCOMP=m
+CONFIG_INET_XFRM_TUNNEL=m
+CONFIG_INET_TUNNEL=m
+CONFIG_INET_XFRM_MODE_TRANSPORT=m
+CONFIG_INET_XFRM_MODE_TUNNEL=m
+CONFIG_INET_XFRM_MODE_BEET=m
+CONFIG_INET_LRO=y
+CONFIG_INET_DIAG=m
+CONFIG_INET_TCP_DIAG=m
+CONFIG_INET_UDP_DIAG=m
+CONFIG_TCP_CONG_ADVANCED=y
+CONFIG_TCP_CONG_BIC=m
+CONFIG_TCP_CONG_CUBIC=m
+CONFIG_TCP_CONG_WESTWOOD=m
+CONFIG_TCP_CONG_HTCP=m
+CONFIG_TCP_CONG_HSTCP=m
+CONFIG_TCP_CONG_HYBLA=m
+CONFIG_TCP_CONG_VEGAS=m
+CONFIG_TCP_CONG_SCALABLE=m
+CONFIG_TCP_CONG_LP=m
+CONFIG_TCP_CONG_VENO=m
+CONFIG_TCP_CONG_YEAH=m
+CONFIG_TCP_CONG_ILLINOIS=m
+CONFIG_DEFAULT_RENO=y
+CONFIG_DEFAULT_TCP_CONG="reno"
+CONFIG_TCP_MD5SIG=y
+CONFIG_IPV6=y
+CONFIG_IPV6_ROUTER_PREF=y
+CONFIG_IPV6_ROUTE_INFO=y
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=m
+CONFIG_INET6_ESP=m
+CONFIG_INET6_IPCOMP=m
+CONFIG_IPV6_MIP6=m
+CONFIG_INET6_XFRM_TUNNEL=m
+CONFIG_INET6_TUNNEL=m
+CONFIG_INET6_XFRM_MODE_TRANSPORT=m
+CONFIG_INET6_XFRM_MODE_TUNNEL=m
+CONFIG_INET6_XFRM_MODE_BEET=m
+CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
+CONFIG_IPV6_VTI=m
+CONFIG_IPV6_SIT=m
+# CONFIG_IPV6_SIT_6RD is not set
+CONFIG_IPV6_NDISC_NODETYPE=y
+CONFIG_IPV6_TUNNEL=m
+CONFIG_IPV6_GRE=m
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+CONFIG_IPV6_MROUTE=y
+CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y
+CONFIG_IPV6_PIMSM_V2=y
+CONFIG_NETLABEL=y
+CONFIG_NETWORK_SECMARK=y
+CONFIG_NET_PTP_CLASSIFY=y
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+CONFIG_BRIDGE_NETFILTER=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+CONFIG_NETFILTER_NETLINK_ACCT=m
+CONFIG_NETFILTER_NETLINK_QUEUE=m
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=m
+CONFIG_NF_CONNTRACK_MARK=y
+CONFIG_NF_CONNTRACK_SECMARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+CONFIG_NF_CONNTRACK_TIMEOUT=y
+CONFIG_NF_CONNTRACK_TIMESTAMP=y
+CONFIG_NF_CONNTRACK_LABELS=y
+CONFIG_NF_CT_PROTO_DCCP=m
+CONFIG_NF_CT_PROTO_GRE=m
+CONFIG_NF_CT_PROTO_SCTP=m
+CONFIG_NF_CT_PROTO_UDPLITE=m
+CONFIG_NF_CONNTRACK_AMANDA=m
+CONFIG_NF_CONNTRACK_FTP=m
+CONFIG_NF_CONNTRACK_H323=m
+CONFIG_NF_CONNTRACK_IRC=m
+CONFIG_NF_CONNTRACK_BROADCAST=m
+CONFIG_NF_CONNTRACK_NETBIOS_NS=m
+CONFIG_NF_CONNTRACK_SNMP=m
+CONFIG_NF_CONNTRACK_PPTP=m
+CONFIG_NF_CONNTRACK_SANE=m
+CONFIG_NF_CONNTRACK_SIP=m
+CONFIG_NF_CONNTRACK_TFTP=m
+CONFIG_NF_CT_NETLINK=m
+CONFIG_NF_CT_NETLINK_TIMEOUT=m
+CONFIG_NF_CT_NETLINK_HELPER=m
+CONFIG_NETFILTER_NETLINK_QUEUE_CT=y
+CONFIG_NF_NAT=m
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_DCCP=m
+CONFIG_NF_NAT_PROTO_UDPLITE=m
+CONFIG_NF_NAT_PROTO_SCTP=m
+CONFIG_NF_NAT_AMANDA=m
+CONFIG_NF_NAT_FTP=m
+CONFIG_NF_NAT_IRC=m
+CONFIG_NF_NAT_SIP=m
+CONFIG_NF_NAT_TFTP=m
+CONFIG_NETFILTER_SYNPROXY=m
+CONFIG_NF_TABLES=m
+CONFIG_NF_TABLES_INET=m
+CONFIG_NFT_EXTHDR=m
+CONFIG_NFT_META=m
+CONFIG_NFT_CT=m
+CONFIG_NFT_RBTREE=m
+CONFIG_NFT_HASH=m
+CONFIG_NFT_COUNTER=m
+CONFIG_NFT_LOG=m
+CONFIG_NFT_LIMIT=m
+CONFIG_NFT_NAT=m
+CONFIG_NFT_QUEUE=m
+CONFIG_NFT_REJECT=m
+CONFIG_NFT_REJECT_INET=m
+CONFIG_NFT_COMPAT=m
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=m
+CONFIG_NETFILTER_XT_CONNMARK=m
+CONFIG_NETFILTER_XT_SET=m
+
+#
+# Xtables targets
+#
+CONFIG_NETFILTER_XT_TARGET_AUDIT=m
+CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
+CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
+CONFIG_NETFILTER_XT_TARGET_CT=m
+CONFIG_NETFILTER_XT_TARGET_DSCP=m
+CONFIG_NETFILTER_XT_TARGET_HL=m
+CONFIG_NETFILTER_XT_TARGET_HMARK=m
+CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
+CONFIG_NETFILTER_XT_TARGET_LED=m
+CONFIG_NETFILTER_XT_TARGET_LOG=m
+CONFIG_NETFILTER_XT_TARGET_MARK=m
+CONFIG_NETFILTER_XT_TARGET_NETMAP=m
+CONFIG_NETFILTER_XT_TARGET_NFLOG=m
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
+CONFIG_NETFILTER_XT_TARGET_RATEEST=m
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
+CONFIG_NETFILTER_XT_TARGET_TEE=m
+CONFIG_NETFILTER_XT_TARGET_TPROXY=m
+CONFIG_NETFILTER_XT_TARGET_TRACE=m
+CONFIG_NETFILTER_XT_TARGET_SECMARK=m
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
+CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
+CONFIG_NETFILTER_XT_MATCH_BPF=m
+CONFIG_NETFILTER_XT_MATCH_CGROUP=m
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
+CONFIG_NETFILTER_XT_MATCH_COMMENT=m
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
+CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
+CONFIG_NETFILTER_XT_MATCH_CPU=m
+CONFIG_NETFILTER_XT_MATCH_DCCP=m
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
+CONFIG_NETFILTER_XT_MATCH_DSCP=m
+CONFIG_NETFILTER_XT_MATCH_ECN=m
+CONFIG_NETFILTER_XT_MATCH_ESP=m
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
+CONFIG_NETFILTER_XT_MATCH_HELPER=m
+CONFIG_NETFILTER_XT_MATCH_HL=m
+CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
+CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
+CONFIG_NETFILTER_XT_MATCH_L2TP=m
+CONFIG_NETFILTER_XT_MATCH_LENGTH=m
+CONFIG_NETFILTER_XT_MATCH_LIMIT=m
+CONFIG_NETFILTER_XT_MATCH_MAC=m
+CONFIG_NETFILTER_XT_MATCH_MARK=m
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
+CONFIG_NETFILTER_XT_MATCH_NFACCT=m
+CONFIG_NETFILTER_XT_MATCH_OSF=m
+CONFIG_NETFILTER_XT_MATCH_OWNER=m
+CONFIG_NETFILTER_XT_MATCH_POLICY=m
+CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
+CONFIG_NETFILTER_XT_MATCH_QUOTA=m
+CONFIG_NETFILTER_XT_MATCH_RATEEST=m
+CONFIG_NETFILTER_XT_MATCH_REALM=m
+CONFIG_NETFILTER_XT_MATCH_RECENT=m
+CONFIG_NETFILTER_XT_MATCH_SCTP=m
+CONFIG_NETFILTER_XT_MATCH_SOCKET=m
+CONFIG_NETFILTER_XT_MATCH_STATE=m
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
+CONFIG_NETFILTER_XT_MATCH_STRING=m
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
+CONFIG_NETFILTER_XT_MATCH_TIME=m
+CONFIG_NETFILTER_XT_MATCH_U32=m
+CONFIG_IP_SET=m
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=m
+CONFIG_IP_SET_BITMAP_IPMAC=m
+CONFIG_IP_SET_BITMAP_PORT=m
+CONFIG_IP_SET_HASH_IP=m
+CONFIG_IP_SET_HASH_IPMARK=m
+CONFIG_IP_SET_HASH_IPPORT=m
+CONFIG_IP_SET_HASH_IPPORTIP=m
+CONFIG_IP_SET_HASH_IPPORTNET=m
+CONFIG_IP_SET_HASH_NETPORTNET=m
+CONFIG_IP_SET_HASH_NET=m
+CONFIG_IP_SET_HASH_NETNET=m
+CONFIG_IP_SET_HASH_NETPORT=m
+CONFIG_IP_SET_HASH_NETIFACE=m
+CONFIG_IP_SET_LIST_SET=m
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=m
+CONFIG_NF_CONNTRACK_IPV4=m
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+CONFIG_NF_TABLES_IPV4=m
+CONFIG_NFT_CHAIN_ROUTE_IPV4=m
+CONFIG_NFT_CHAIN_NAT_IPV4=m
+CONFIG_NFT_REJECT_IPV4=m
+CONFIG_NF_TABLES_ARP=m
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=m
+CONFIG_IP_NF_MATCH_ECN=m
+CONFIG_IP_NF_MATCH_RPFILTER=m
+CONFIG_IP_NF_MATCH_TTL=m
+CONFIG_IP_NF_FILTER=m
+CONFIG_IP_NF_TARGET_REJECT=m
+CONFIG_IP_NF_TARGET_SYNPROXY=m
+CONFIG_IP_NF_TARGET_ULOG=m
+CONFIG_NF_NAT_IPV4=m
+CONFIG_IP_NF_TARGET_MASQUERADE=m
+CONFIG_IP_NF_TARGET_NETMAP=m
+CONFIG_IP_NF_TARGET_REDIRECT=m
+CONFIG_NF_NAT_SNMP_BASIC=m
+CONFIG_NF_NAT_PROTO_GRE=m
+CONFIG_NF_NAT_PPTP=m
+CONFIG_NF_NAT_H323=m
+CONFIG_IP_NF_MANGLE=m
+CONFIG_IP_NF_TARGET_CLUSTERIP=m
+CONFIG_IP_NF_TARGET_ECN=m
+CONFIG_IP_NF_TARGET_TTL=m
+CONFIG_IP_NF_RAW=m
+CONFIG_IP_NF_SECURITY=m
+CONFIG_IP_NF_ARPTABLES=m
+CONFIG_IP_NF_ARPFILTER=m
+CONFIG_IP_NF_ARP_MANGLE=m
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=m
+CONFIG_NF_CONNTRACK_IPV6=m
+CONFIG_NF_TABLES_IPV6=m
+CONFIG_NFT_CHAIN_ROUTE_IPV6=m
+CONFIG_NFT_CHAIN_NAT_IPV6=m
+CONFIG_NFT_REJECT_IPV6=m
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=m
+CONFIG_IP6_NF_MATCH_EUI64=m
+CONFIG_IP6_NF_MATCH_FRAG=m
+CONFIG_IP6_NF_MATCH_OPTS=m
+CONFIG_IP6_NF_MATCH_HL=m
+CONFIG_IP6_NF_MATCH_IPV6HEADER=m
+CONFIG_IP6_NF_MATCH_MH=m
+CONFIG_IP6_NF_MATCH_RPFILTER=m
+CONFIG_IP6_NF_MATCH_RT=m
+CONFIG_IP6_NF_TARGET_HL=m
+CONFIG_IP6_NF_FILTER=m
+CONFIG_IP6_NF_TARGET_REJECT=m
+CONFIG_IP6_NF_TARGET_SYNPROXY=m
+CONFIG_IP6_NF_MANGLE=m
+CONFIG_IP6_NF_RAW=m
+CONFIG_IP6_NF_SECURITY=m
+CONFIG_NF_NAT_IPV6=m
+CONFIG_IP6_NF_TARGET_MASQUERADE=m
+CONFIG_IP6_NF_TARGET_NPT=m
+CONFIG_NF_TABLES_BRIDGE=m
+CONFIG_NFT_BRIDGE_META=m
+CONFIG_BRIDGE_NF_EBTABLES=m
+CONFIG_BRIDGE_EBT_BROUTE=m
+CONFIG_BRIDGE_EBT_T_FILTER=m
+CONFIG_BRIDGE_EBT_T_NAT=m
+CONFIG_BRIDGE_EBT_802_3=m
+CONFIG_BRIDGE_EBT_AMONG=m
+CONFIG_BRIDGE_EBT_ARP=m
+CONFIG_BRIDGE_EBT_IP=m
+CONFIG_BRIDGE_EBT_IP6=m
+CONFIG_BRIDGE_EBT_LIMIT=m
+CONFIG_BRIDGE_EBT_MARK=m
+CONFIG_BRIDGE_EBT_PKTTYPE=m
+CONFIG_BRIDGE_EBT_STP=m
+CONFIG_BRIDGE_EBT_VLAN=m
+CONFIG_BRIDGE_EBT_ARPREPLY=m
+CONFIG_BRIDGE_EBT_DNAT=m
+CONFIG_BRIDGE_EBT_MARK_T=m
+CONFIG_BRIDGE_EBT_REDIRECT=m
+CONFIG_BRIDGE_EBT_SNAT=m
+CONFIG_BRIDGE_EBT_LOG=m
+CONFIG_BRIDGE_EBT_ULOG=m
+CONFIG_BRIDGE_EBT_NFLOG=m
+CONFIG_IP_DCCP=m
+CONFIG_INET_DCCP_DIAG=m
+
+#
+# DCCP CCIDs Configuration
+#
+# CONFIG_IP_DCCP_CCID2_DEBUG is not set
+CONFIG_IP_DCCP_CCID3=y
+# CONFIG_IP_DCCP_CCID3_DEBUG is not set
+CONFIG_IP_DCCP_TFRC_LIB=y
+
+#
+# DCCP Kernel Hacking
+#
+# CONFIG_IP_DCCP_DEBUG is not set
+# CONFIG_NET_DCCPPROBE is not set
+CONFIG_IP_SCTP=m
+# CONFIG_NET_SCTPPROBE is not set
+# CONFIG_SCTP_DBG_OBJCNT is not set
+CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y
+# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1 is not set
+# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE is not set
+CONFIG_SCTP_COOKIE_HMAC_MD5=y
+CONFIG_SCTP_COOKIE_HMAC_SHA1=y
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+# CONFIG_L2TP is not set
+CONFIG_STP=m
+CONFIG_MRP=m
+CONFIG_BRIDGE=m
+CONFIG_BRIDGE_IGMP_SNOOPING=y
+CONFIG_BRIDGE_VLAN_FILTERING=y
+CONFIG_HAVE_NET_DSA=y
+CONFIG_NET_DSA=m
+CONFIG_NET_DSA_TAG_TRAILER=y
+CONFIG_VLAN_8021Q=m
+# CONFIG_VLAN_8021Q_GVRP is not set
+CONFIG_VLAN_8021Q_MVRP=y
+# CONFIG_DECNET is not set
+CONFIG_LLC=m
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+# CONFIG_IEEE802154 is not set
+CONFIG_NET_SCHED=y
+
+#
+# Queueing/Scheduling
+#
+CONFIG_NET_SCH_CBQ=m
+CONFIG_NET_SCH_HTB=m
+CONFIG_NET_SCH_HFSC=m
+CONFIG_NET_SCH_PRIO=m
+CONFIG_NET_SCH_MULTIQ=m
+CONFIG_NET_SCH_RED=m
+CONFIG_NET_SCH_SFB=m
+CONFIG_NET_SCH_SFQ=m
+CONFIG_NET_SCH_TEQL=m
+CONFIG_NET_SCH_TBF=m
+CONFIG_NET_SCH_GRED=m
+CONFIG_NET_SCH_DSMARK=m
+CONFIG_NET_SCH_NETEM=m
+CONFIG_NET_SCH_DRR=m
+CONFIG_NET_SCH_MQPRIO=m
+CONFIG_NET_SCH_CHOKE=m
+CONFIG_NET_SCH_QFQ=m
+CONFIG_NET_SCH_CODEL=m
+CONFIG_NET_SCH_FQ_CODEL=m
+CONFIG_NET_SCH_FQ=m
+CONFIG_NET_SCH_HHF=m
+CONFIG_NET_SCH_PIE=m
+CONFIG_NET_SCH_INGRESS=m
+CONFIG_NET_SCH_PLUG=m
+
+#
+# Classification
+#
+CONFIG_NET_CLS=y
+CONFIG_NET_CLS_BASIC=m
+CONFIG_NET_CLS_TCINDEX=m
+CONFIG_NET_CLS_ROUTE4=m
+CONFIG_NET_CLS_FW=m
+CONFIG_NET_CLS_U32=m
+CONFIG_CLS_U32_PERF=y
+CONFIG_CLS_U32_MARK=y
+CONFIG_NET_CLS_RSVP=m
+CONFIG_NET_CLS_RSVP6=m
+CONFIG_NET_CLS_FLOW=m
+CONFIG_NET_CLS_CGROUP=m
+CONFIG_NET_CLS_BPF=m
+CONFIG_NET_EMATCH=y
+CONFIG_NET_EMATCH_STACK=32
+CONFIG_NET_EMATCH_CMP=m
+CONFIG_NET_EMATCH_NBYTE=m
+CONFIG_NET_EMATCH_U32=m
+CONFIG_NET_EMATCH_META=m
+CONFIG_NET_EMATCH_TEXT=m
+CONFIG_NET_EMATCH_IPSET=m
+CONFIG_NET_CLS_ACT=y
+CONFIG_NET_ACT_POLICE=m
+CONFIG_NET_ACT_GACT=m
+CONFIG_GACT_PROB=y
+CONFIG_NET_ACT_MIRRED=m
+CONFIG_NET_ACT_IPT=m
+CONFIG_NET_ACT_NAT=m
+CONFIG_NET_ACT_PEDIT=m
+CONFIG_NET_ACT_SIMP=m
+CONFIG_NET_ACT_SKBEDIT=m
+CONFIG_NET_ACT_CSUM=m
+CONFIG_NET_CLS_IND=y
+CONFIG_NET_SCH_FIFO=y
+# CONFIG_DCB is not set
+CONFIG_DNS_RESOLVER=y
+# CONFIG_BATMAN_ADV is not set
+CONFIG_OPENVSWITCH=m
+CONFIG_OPENVSWITCH_GRE=y
+CONFIG_OPENVSWITCH_VXLAN=y
+CONFIG_VSOCKETS=m
+CONFIG_NETLINK_MMAP=y
+CONFIG_NETLINK_DIAG=m
+CONFIG_NET_MPLS_GSO=m
+# CONFIG_HSR is not set
+CONFIG_RPS=y
+CONFIG_RFS_ACCEL=y
+CONFIG_XPS=y
+CONFIG_CGROUP_NET_PRIO=y
+CONFIG_CGROUP_NET_CLASSID=y
+CONFIG_NET_RX_BUSY_POLL=y
+CONFIG_BQL=y
+# CONFIG_BPF_JIT is not set
+CONFIG_NET_FLOW_LIMIT=y
+
+#
+# Network testing
+#
+CONFIG_NET_PKTGEN=m
+CONFIG_NET_TCPPROBE=m
+CONFIG_NET_DROP_MONITOR=m
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+CONFIG_WEXT_CORE=y
+CONFIG_WEXT_PROC=y
+CONFIG_CFG80211=y
+# CONFIG_NL80211_TESTMODE is not set
+# CONFIG_CFG80211_DEVELOPER_WARNINGS is not set
+# CONFIG_CFG80211_REG_DEBUG is not set
+# CONFIG_CFG80211_CERTIFICATION_ONUS is not set
+CONFIG_CFG80211_DEFAULT_PS=y
+# CONFIG_CFG80211_DEBUGFS is not set
+# CONFIG_CFG80211_INTERNAL_REGDB is not set
+CONFIG_CFG80211_WEXT=y
+# CONFIG_LIB80211 is not set
+CONFIG_MAC80211=y
+CONFIG_MAC80211_HAS_RC=y
+# CONFIG_MAC80211_RC_PID is not set
+CONFIG_MAC80211_RC_MINSTREL=y
+CONFIG_MAC80211_RC_MINSTREL_HT=y
+CONFIG_MAC80211_RC_DEFAULT_MINSTREL=y
+CONFIG_MAC80211_RC_DEFAULT="minstrel_ht"
+# CONFIG_MAC80211_MESH is not set
+CONFIG_MAC80211_LEDS=y
+# CONFIG_MAC80211_DEBUGFS is not set
+# CONFIG_MAC80211_MESSAGE_TRACING is not set
+# CONFIG_MAC80211_DEBUG_MENU is not set
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+# CONFIG_NET_9P is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+CONFIG_HAVE_BPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER=y
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+CONFIG_FW_LOADER_USER_HELPER=y
+# CONFIG_DEBUG_DRIVER is not set
+CONFIG_DEBUG_DEVRES=y
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+CONFIG_GENERIC_CPU_AUTOPROBE=y
+# CONFIG_DMA_SHARED_BUFFER is not set
+# CONFIG_DMA_CMA is not set
+
+#
+# Bus devices
+#
+CONFIG_CONNECTOR=y
+CONFIG_PROC_EVENTS=y
+# CONFIG_MTD is not set
+CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+CONFIG_BLK_DEV_NULL_BLK=m
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+CONFIG_ZRAM=m
+CONFIG_ZRAM_LZ4_COMPRESS=y
+# CONFIG_ZRAM_DEBUG is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+CONFIG_BLK_DEV_DRBD=m
+# CONFIG_DRBD_FAULT_INJECTION is not set
+CONFIG_BLK_DEV_NBD=m
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_BLK_DEV_SKD is not set
+# CONFIG_BLK_DEV_SX8 is not set
+CONFIG_BLK_DEV_RAM=y
+CONFIG_BLK_DEV_RAM_COUNT=16
+CONFIG_BLK_DEV_RAM_SIZE=16384
+# CONFIG_BLK_DEV_XIP is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+# CONFIG_BLK_DEV_RSXX is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+CONFIG_DUMMY_IRQ=m
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+CONFIG_VMWARE_BALLOON=m
+# CONFIG_SRAM is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+CONFIG_EEPROM_93CX6=m
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+# CONFIG_INTEL_MEI is not set
+# CONFIG_INTEL_MEI_ME is not set
+# CONFIG_INTEL_MEI_TXE is not set
+# CONFIG_VMWARE_VMCI is not set
+
+#
+# Intel MIC Host Driver
+#
+# CONFIG_INTEL_MIC_HOST is not set
+
+#
+# Intel MIC Card Driver
+#
+# CONFIG_INTEL_MIC_CARD is not set
+# CONFIG_GENWQE is not set
+# CONFIG_ECHO is not set
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+CONFIG_RAID_ATTRS=m
+CONFIG_SCSI=y
+CONFIG_SCSI_DMA=y
+# CONFIG_SCSI_TGT is not set
+# CONFIG_SCSI_NETLINK is not set
+CONFIG_SCSI_PROC_FS=y
+
+#
+# SCSI support type (disk, tape, CD-ROM)
+#
+CONFIG_BLK_DEV_SD=y
+# CONFIG_CHR_DEV_ST is not set
+# CONFIG_CHR_DEV_OSST is not set
+CONFIG_BLK_DEV_SR=y
+CONFIG_BLK_DEV_SR_VENDOR=y
+CONFIG_CHR_DEV_SG=y
+# CONFIG_CHR_DEV_SCH is not set
+# CONFIG_SCSI_MULTI_LUN is not set
+CONFIG_SCSI_CONSTANTS=y
+# CONFIG_SCSI_LOGGING is not set
+# CONFIG_SCSI_SCAN_ASYNC is not set
+
+#
+# SCSI Transports
+#
+CONFIG_SCSI_SPI_ATTRS=y
+# CONFIG_SCSI_FC_ATTRS is not set
+# CONFIG_SCSI_ISCSI_ATTRS is not set
+# CONFIG_SCSI_SAS_ATTRS is not set
+# CONFIG_SCSI_SAS_LIBSAS is not set
+# CONFIG_SCSI_SRP_ATTRS is not set
+# CONFIG_SCSI_LOWLEVEL is not set
+# CONFIG_SCSI_DH is not set
+# CONFIG_SCSI_OSD_INITIATOR is not set
+CONFIG_ATA=y
+# CONFIG_ATA_NONSTANDARD is not set
+CONFIG_ATA_VERBOSE_ERROR=y
+CONFIG_ATA_ACPI=y
+CONFIG_SATA_PMP=y
+
+#
+# Controllers with non-SFF native interface
+#
+CONFIG_SATA_AHCI=y
+# CONFIG_SATA_AHCI_PLATFORM is not set
+# CONFIG_SATA_INIC162X is not set
+# CONFIG_SATA_ACARD_AHCI is not set
+# CONFIG_SATA_SIL24 is not set
+CONFIG_ATA_SFF=y
+
+#
+# SFF controllers with custom DMA interface
+#
+# CONFIG_PDC_ADMA is not set
+# CONFIG_SATA_QSTOR is not set
+# CONFIG_SATA_SX4 is not set
+CONFIG_ATA_BMDMA=y
+
+#
+# SATA SFF controllers with BMDMA
+#
+CONFIG_ATA_PIIX=y
+# CONFIG_SATA_MV is not set
+# CONFIG_SATA_NV is not set
+# CONFIG_SATA_PROMISE is not set
+# CONFIG_SATA_SIL is not set
+# CONFIG_SATA_SIS is not set
+# CONFIG_SATA_SVW is not set
+# CONFIG_SATA_ULI is not set
+# CONFIG_SATA_VIA is not set
+# CONFIG_SATA_VITESSE is not set
+
+#
+# PATA SFF controllers with BMDMA
+#
+# CONFIG_PATA_ALI is not set
+CONFIG_PATA_AMD=y
+# CONFIG_PATA_ARTOP is not set
+# CONFIG_PATA_ATIIXP is not set
+# CONFIG_PATA_ATP867X is not set
+# CONFIG_PATA_CMD64X is not set
+# CONFIG_PATA_CYPRESS is not set
+# CONFIG_PATA_EFAR is not set
+# CONFIG_PATA_HPT366 is not set
+# CONFIG_PATA_HPT37X is not set
+# CONFIG_PATA_HPT3X2N is not set
+# CONFIG_PATA_HPT3X3 is not set
+# CONFIG_PATA_IT8213 is not set
+# CONFIG_PATA_IT821X is not set
+# CONFIG_PATA_JMICRON is not set
+# CONFIG_PATA_MARVELL is not set
+# CONFIG_PATA_NETCELL is not set
+# CONFIG_PATA_NINJA32 is not set
+# CONFIG_PATA_NS87415 is not set
+CONFIG_PATA_OLDPIIX=y
+# CONFIG_PATA_OPTIDMA is not set
+# CONFIG_PATA_PDC2027X is not set
+# CONFIG_PATA_PDC_OLD is not set
+# CONFIG_PATA_RADISYS is not set
+# CONFIG_PATA_RDC is not set
+CONFIG_PATA_SCH=y
+# CONFIG_PATA_SERVERWORKS is not set
+# CONFIG_PATA_SIL680 is not set
+# CONFIG_PATA_SIS is not set
+# CONFIG_PATA_TOSHIBA is not set
+# CONFIG_PATA_TRIFLEX is not set
+# CONFIG_PATA_VIA is not set
+# CONFIG_PATA_WINBOND is not set
+
+#
+# PIO-only SFF controllers
+#
+# CONFIG_PATA_CMD640_PCI is not set
+# CONFIG_PATA_MPIIX is not set
+# CONFIG_PATA_NS87410 is not set
+# CONFIG_PATA_OPTI is not set
+# CONFIG_PATA_PLATFORM is not set
+# CONFIG_PATA_RZ1000 is not set
+
+#
+# Generic fallback / legacy drivers
+#
+# CONFIG_PATA_ACPI is not set
+# CONFIG_ATA_GENERIC is not set
+# CONFIG_PATA_LEGACY is not set
+CONFIG_MD=y
+CONFIG_BLK_DEV_MD=y
+CONFIG_MD_AUTODETECT=y
+CONFIG_MD_LINEAR=m
+CONFIG_MD_RAID0=m
+CONFIG_MD_RAID1=m
+CONFIG_MD_RAID10=m
+CONFIG_MD_RAID456=m
+CONFIG_MD_MULTIPATH=m
+CONFIG_MD_FAULTY=m
+CONFIG_BCACHE=m
+# CONFIG_BCACHE_DEBUG is not set
+# CONFIG_BCACHE_CLOSURES_DEBUG is not set
+CONFIG_BLK_DEV_DM_BUILTIN=y
+CONFIG_BLK_DEV_DM=y
+# CONFIG_DM_DEBUG is not set
+CONFIG_DM_BUFIO=m
+CONFIG_DM_BIO_PRISON=m
+CONFIG_DM_PERSISTENT_DATA=m
+CONFIG_DM_DEBUG_BLOCK_STACK_TRACING=y
+CONFIG_DM_CRYPT=m
+CONFIG_DM_SNAPSHOT=m
+CONFIG_DM_THIN_PROVISIONING=m
+CONFIG_DM_CACHE=m
+CONFIG_DM_CACHE_MQ=m
+CONFIG_DM_CACHE_CLEANER=m
+CONFIG_DM_ERA=m
+CONFIG_DM_MIRROR=y
+CONFIG_DM_LOG_USERSPACE=m
+CONFIG_DM_RAID=m
+CONFIG_DM_ZERO=m
+CONFIG_DM_MULTIPATH=m
+CONFIG_DM_MULTIPATH_QL=m
+CONFIG_DM_MULTIPATH_ST=m
+CONFIG_DM_DELAY=m
+# CONFIG_DM_UEVENT is not set
+CONFIG_DM_FLAKEY=m
+CONFIG_DM_VERITY=m
+CONFIG_DM_SWITCH=m
+# CONFIG_TARGET_CORE is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_I2O is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_MII=y
+CONFIG_NET_CORE=y
+CONFIG_BONDING=m
+CONFIG_DUMMY=m
+# CONFIG_EQUALIZER is not set
+# CONFIG_NET_FC is not set
+# CONFIG_IFB is not set
+CONFIG_NET_TEAM=m
+CONFIG_NET_TEAM_MODE_BROADCAST=m
+CONFIG_NET_TEAM_MODE_ROUNDROBIN=m
+CONFIG_NET_TEAM_MODE_RANDOM=m
+CONFIG_NET_TEAM_MODE_ACTIVEBACKUP=m
+CONFIG_NET_TEAM_MODE_LOADBALANCE=m
+CONFIG_MACVLAN=m
+# CONFIG_MACVTAP is not set
+CONFIG_VXLAN=m
+CONFIG_NETCONSOLE=y
+CONFIG_NETPOLL=y
+CONFIG_NET_POLL_CONTROLLER=y
+CONFIG_NTB_NETDEV=m
+CONFIG_TUN=m
+CONFIG_VETH=m
+CONFIG_VIRTIO_NET=y
+CONFIG_NLMON=m
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+# CONFIG_VHOST_NET is not set
+
+#
+# Distributed Switch Architecture drivers
+#
+# CONFIG_NET_DSA_MV88E6XXX is not set
+CONFIG_NET_DSA_MV88E6060=m
+# CONFIG_NET_DSA_MV88E6XXX_NEED_PPU is not set
+# CONFIG_NET_DSA_MV88E6131 is not set
+# CONFIG_NET_DSA_MV88E6123_61_65 is not set
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+# CONFIG_ALTERA_TSE is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+CONFIG_NET_VENDOR_ARC=y
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+# CONFIG_ALX is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+CONFIG_TIGON3=y
+# CONFIG_BNX2X is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+CONFIG_NET_CALXEDA_XGMAC=m
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_CX_ECAT is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+CONFIG_NET_TULIP=y
+# CONFIG_DE2104X is not set
+# CONFIG_TULIP is not set
+# CONFIG_DE4X5 is not set
+# CONFIG_WINBOND_840 is not set
+# CONFIG_DM9102 is not set
+# CONFIG_ULI526X is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+CONFIG_E100=y
+CONFIG_E1000=y
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+# CONFIG_I40E is not set
+# CONFIG_I40EVF is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_IP1000 is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_SKGE is not set
+CONFIG_SKY2=y
+# CONFIG_SKY2_DEBUG is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+# CONFIG_MLX5_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+CONFIG_FORCEDETH=y
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+CONFIG_8139TOO=y
+CONFIG_8139TOO_PIO=y
+# CONFIG_8139TOO_TUNE_TWISTER is not set
+# CONFIG_8139TOO_8129 is not set
+# CONFIG_8139_OLD_RX_RESET is not set
+# CONFIG_R8169 is not set
+# CONFIG_SH_ETH is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_SAMSUNG=y
+# CONFIG_SXGBE_ETH is not set
+CONFIG_NET_VENDOR_SEEQ=y
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC911X is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+CONFIG_WIZNET_W5100=m
+CONFIG_WIZNET_W5300=m
+# CONFIG_WIZNET_BUS_DIRECT is not set
+# CONFIG_WIZNET_BUS_INDIRECT is not set
+CONFIG_WIZNET_BUS_ANY=y
+CONFIG_FDDI=y
+# CONFIG_DEFXX is not set
+# CONFIG_SKFP is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+CONFIG_PHYLIB=y
+
+#
+# MII PHY device drivers
+#
+# CONFIG_AT803X_PHY is not set
+CONFIG_AMD_PHY=m
+# CONFIG_MARVELL_PHY is not set
+# CONFIG_DAVICOM_PHY is not set
+# CONFIG_QSEMI_PHY is not set
+# CONFIG_LXT_PHY is not set
+# CONFIG_CICADA_PHY is not set
+# CONFIG_VITESSE_PHY is not set
+# CONFIG_SMSC_PHY is not set
+# CONFIG_BROADCOM_PHY is not set
+# CONFIG_BCM7XXX_PHY is not set
+# CONFIG_BCM87XX_PHY is not set
+# CONFIG_ICPLUS_PHY is not set
+# CONFIG_REALTEK_PHY is not set
+# CONFIG_NATIONAL_PHY is not set
+# CONFIG_STE10XP is not set
+# CONFIG_LSI_ET1011C_PHY is not set
+# CONFIG_MICREL_PHY is not set
+# CONFIG_FIXED_PHY is not set
+# CONFIG_MDIO_BITBANG is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+
+#
+# USB Network Adapters
+#
+# CONFIG_USB_CATC is not set
+# CONFIG_USB_KAWETH is not set
+# CONFIG_USB_PEGASUS is not set
+# CONFIG_USB_RTL8150 is not set
+# CONFIG_USB_RTL8152 is not set
+# CONFIG_USB_USBNET is not set
+# CONFIG_USB_IPHETH is not set
+CONFIG_WLAN=y
+# CONFIG_LIBERTAS_THINFIRM is not set
+# CONFIG_AIRO is not set
+# CONFIG_ATMEL is not set
+# CONFIG_AT76C50X_USB is not set
+# CONFIG_PRISM54 is not set
+# CONFIG_USB_ZD1201 is not set
+# CONFIG_USB_NET_RNDIS_WLAN is not set
+# CONFIG_RTL8180 is not set
+# CONFIG_RTL8187 is not set
+# CONFIG_ADM8211 is not set
+# CONFIG_MAC80211_HWSIM is not set
+# CONFIG_MWL8K is not set
+# CONFIG_ATH_CARDS is not set
+# CONFIG_B43 is not set
+# CONFIG_B43LEGACY is not set
+# CONFIG_BRCMSMAC is not set
+# CONFIG_BRCMFMAC is not set
+# CONFIG_HOSTAP is not set
+# CONFIG_IPW2100 is not set
+# CONFIG_IPW2200 is not set
+# CONFIG_IWLWIFI is not set
+# CONFIG_IWL4965 is not set
+# CONFIG_IWL3945 is not set
+# CONFIG_LIBERTAS is not set
+# CONFIG_HERMES is not set
+# CONFIG_P54_COMMON is not set
+# CONFIG_RT2X00 is not set
+CONFIG_RTL_CARDS=y
+# CONFIG_RTL8192CE is not set
+# CONFIG_RTL8192SE is not set
+# CONFIG_RTL8192DE is not set
+# CONFIG_RTL8723AE is not set
+# CONFIG_RTL8723BE is not set
+# CONFIG_RTL8188EE is not set
+# CONFIG_RTL8192CU is not set
+# CONFIG_WL_TI is not set
+# CONFIG_ZD1211RW is not set
+# CONFIG_MWIFIEX is not set
+# CONFIG_CW1200 is not set
+# CONFIG_RSI_91X is not set
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+CONFIG_VMXNET3=m
+# CONFIG_ISDN is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+CONFIG_INPUT_POLLDEV=y
+CONFIG_INPUT_SPARSEKMAP=y
+CONFIG_INPUT_MATRIXKMAP=m
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+# CONFIG_INPUT_MOUSEDEV_PSAUX is not set
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+CONFIG_INPUT_EVDEV=y
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_CYPRESS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+CONFIG_VT_HW_CONSOLE_BINDING=y
+CONFIG_UNIX98_PTYS=y
+# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
+# CONFIG_LEGACY_PTYS is not set
+CONFIG_SERIAL_NONSTANDARD=y
+# CONFIG_ROCKETPORT is not set
+# CONFIG_CYCLADES is not set
+# CONFIG_MOXA_INTELLIO is not set
+# CONFIG_MOXA_SMARTIO is not set
+# CONFIG_SYNCLINK is not set
+# CONFIG_SYNCLINKMP is not set
+# CONFIG_SYNCLINK_GT is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_ISI is not set
+# CONFIG_N_HDLC is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+
+#
+# KCopy
+#
+CONFIG_KCOPY=m
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+CONFIG_SERIAL_EARLYCON=y
+CONFIG_SERIAL_8250=y
+CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y
+CONFIG_SERIAL_8250_PNP=y
+CONFIG_SERIAL_8250_CONSOLE=y
+CONFIG_SERIAL_8250_DMA=y
+CONFIG_SERIAL_8250_PCI=y
+CONFIG_SERIAL_8250_NR_UARTS=32
+CONFIG_SERIAL_8250_RUNTIME_UARTS=4
+CONFIG_SERIAL_8250_EXTENDED=y
+CONFIG_SERIAL_8250_MANY_PORTS=y
+CONFIG_SERIAL_8250_SHARE_IRQ=y
+CONFIG_SERIAL_8250_DETECT_IRQ=y
+CONFIG_SERIAL_8250_RSA=y
+# CONFIG_SERIAL_8250_DW is not set
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_MFD_HSU is not set
+CONFIG_SERIAL_CORE=y
+CONFIG_SERIAL_CORE_CONSOLE=y
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_ARC is not set
+# CONFIG_SERIAL_RP2 is not set
+# CONFIG_SERIAL_FSL_LPUART is not set
+# CONFIG_TTY_PRINTK is not set
+# CONFIG_VIRTIO_CONSOLE is not set
+# CONFIG_IPMI_HANDLER is not set
+CONFIG_HW_RANDOM=y
+CONFIG_HW_RANDOM_TIMERIOMEM=m
+CONFIG_HW_RANDOM_INTEL=m
+CONFIG_HW_RANDOM_AMD=m
+CONFIG_HW_RANDOM_VIA=m
+CONFIG_HW_RANDOM_VIRTIO=y
+CONFIG_NVRAM=y
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+CONFIG_HPET=y
+# CONFIG_HPET_MMAP is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+CONFIG_SPMI=m
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+CONFIG_PPS=y
+# CONFIG_PPS_DEBUG is not set
+
+#
+# PPS clients support
+#
+CONFIG_PPS_CLIENT_KTIMER=m
+CONFIG_PPS_CLIENT_LDISC=m
+CONFIG_PPS_CLIENT_GPIO=m
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+CONFIG_PTP_1588_CLOCK=y
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27x00 is not set
+# CONFIG_CHARGER_MAX8903 is not set
+# CONFIG_POWER_RESET is not set
+# CONFIG_POWER_AVS is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_APPLESMC is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_MAX197 is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_NCT6683 is not set
+# CONFIG_SENSORS_NCT6775 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_SCH5627 is not set
+# CONFIG_SENSORS_SCH5636 is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+CONFIG_THERMAL_GOV_FAIR_SHARE=y
+CONFIG_THERMAL_GOV_STEP_WISE=y
+CONFIG_THERMAL_GOV_USER_SPACE=y
+CONFIG_THERMAL_EMULATION=y
+CONFIG_INTEL_POWERCLAMP=m
+CONFIG_X86_PKG_TEMP_THERMAL=m
+CONFIG_ACPI_INT3403_THERMAL=m
+CONFIG_INTEL_SOC_DTS_THERMAL=m
+
+#
+# Texas Instruments thermal drivers
+#
+CONFIG_WATCHDOG=y
+CONFIG_WATCHDOG_CORE=y
+# CONFIG_WATCHDOG_NOWAYOUT is not set
+
+#
+# Watchdog Device Drivers
+#
+# CONFIG_SOFT_WATCHDOG is not set
+# CONFIG_XILINX_WATCHDOG is not set
+# CONFIG_DW_WATCHDOG is not set
+# CONFIG_ACQUIRE_WDT is not set
+# CONFIG_ADVANTECH_WDT is not set
+# CONFIG_ALIM1535_WDT is not set
+# CONFIG_ALIM7101_WDT is not set
+# CONFIG_F71808E_WDT is not set
+# CONFIG_SP5100_TCO is not set
+# CONFIG_SBC_FITPC2_WATCHDOG is not set
+# CONFIG_EUROTECH_WDT is not set
+# CONFIG_IB700_WDT is not set
+# CONFIG_IBMASR is not set
+# CONFIG_WAFER_WDT is not set
+# CONFIG_I6300ESB_WDT is not set
+# CONFIG_IE6XX_WDT is not set
+# CONFIG_ITCO_WDT is not set
+# CONFIG_IT8712F_WDT is not set
+# CONFIG_IT87_WDT is not set
+# CONFIG_HP_WATCHDOG is not set
+# CONFIG_SC1200_WDT is not set
+# CONFIG_PC87413_WDT is not set
+# CONFIG_NV_TCO is not set
+# CONFIG_60XX_WDT is not set
+# CONFIG_CPU5_WDT is not set
+# CONFIG_SMSC_SCH311X_WDT is not set
+# CONFIG_SMSC37B787_WDT is not set
+CONFIG_VIA_WDT=m
+# CONFIG_W83627HF_WDT is not set
+# CONFIG_W83877F_WDT is not set
+# CONFIG_W83977F_WDT is not set
+# CONFIG_MACHZ_WDT is not set
+# CONFIG_SBC_EPX_C3_WATCHDOG is not set
+
+#
+# PCI-based Watchdog Cards
+#
+# CONFIG_PCIPCWATCHDOG is not set
+# CONFIG_WDTPCI is not set
+
+#
+# USB-based Watchdog Cards
+#
+# CONFIG_USBPCWATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_CS5535 is not set
+# CONFIG_MFD_CROS_EC is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_KEMPLD is not set
+# CONFIG_MFD_VIPERBOARD is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_RTSX_PCI is not set
+# CONFIG_MFD_RTSX_USB is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_SYSCON is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+
+#
+# Direct Rendering Manager
+#
+# CONFIG_DRM is not set
+
+#
+# Frame buffer Devices
+#
+# CONFIG_FB is not set
+CONFIG_BACKLIGHT_LCD_SUPPORT=y
+# CONFIG_LCD_CLASS_DEVICE is not set
+CONFIG_BACKLIGHT_CLASS_DEVICE=y
+CONFIG_BACKLIGHT_GENERIC=y
+# CONFIG_BACKLIGHT_APPLE is not set
+# CONFIG_BACKLIGHT_SAHARA is not set
+# CONFIG_VGASTATE is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+CONFIG_VGACON_SOFT_SCROLLBACK=y
+CONFIG_VGACON_SOFT_SCROLLBACK_SIZE=64
+CONFIG_DUMMY_CONSOLE=y
+# CONFIG_SOUND is not set
+
+#
+# HID support
+#
+CONFIG_HID=m
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=m
+
+#
+# Special HID drivers
+#
+# CONFIG_HID_A4TECH is not set
+# CONFIG_HID_ACRUX is not set
+# CONFIG_HID_APPLE is not set
+# CONFIG_HID_APPLEIR is not set
+# CONFIG_HID_AUREAL is not set
+# CONFIG_HID_BELKIN is not set
+# CONFIG_HID_CHERRY is not set
+# CONFIG_HID_CHICONY is not set
+# CONFIG_HID_CYPRESS is not set
+# CONFIG_HID_DRAGONRISE is not set
+# CONFIG_HID_EMS_FF is not set
+# CONFIG_HID_ELECOM is not set
+# CONFIG_HID_ELO is not set
+# CONFIG_HID_EZKEY is not set
+# CONFIG_HID_HOLTEK is not set
+# CONFIG_HID_HUION is not set
+# CONFIG_HID_KEYTOUCH is not set
+# CONFIG_HID_KYE is not set
+# CONFIG_HID_UCLOGIC is not set
+# CONFIG_HID_WALTOP is not set
+# CONFIG_HID_GYRATION is not set
+# CONFIG_HID_ICADE is not set
+# CONFIG_HID_TWINHAN is not set
+# CONFIG_HID_KENSINGTON is not set
+# CONFIG_HID_LCPOWER is not set
+# CONFIG_HID_LENOVO_TPKBD is not set
+# CONFIG_HID_LOGITECH is not set
+# CONFIG_HID_MAGICMOUSE is not set
+# CONFIG_HID_MICROSOFT is not set
+# CONFIG_HID_MONTEREY is not set
+# CONFIG_HID_MULTITOUCH is not set
+# CONFIG_HID_NTRIG is not set
+# CONFIG_HID_ORTEK is not set
+# CONFIG_HID_PANTHERLORD is not set
+# CONFIG_HID_PETALYNX is not set
+# CONFIG_HID_PICOLCD is not set
+# CONFIG_HID_PRIMAX is not set
+# CONFIG_HID_ROCCAT is not set
+# CONFIG_HID_SAITEK is not set
+# CONFIG_HID_SAMSUNG is not set
+# CONFIG_HID_SONY is not set
+# CONFIG_HID_SPEEDLINK is not set
+# CONFIG_HID_STEELSERIES is not set
+# CONFIG_HID_SUNPLUS is not set
+# CONFIG_HID_RMI is not set
+# CONFIG_HID_GREENASIA is not set
+# CONFIG_HID_SMARTJOYPLUS is not set
+# CONFIG_HID_TIVO is not set
+# CONFIG_HID_TOPSEED is not set
+# CONFIG_HID_THINGM is not set
+# CONFIG_HID_THRUSTMASTER is not set
+# CONFIG_HID_WACOM is not set
+# CONFIG_HID_WIIMOTE is not set
+# CONFIG_HID_XINMO is not set
+# CONFIG_HID_ZEROPLUS is not set
+# CONFIG_HID_ZYDACRON is not set
+# CONFIG_HID_SENSOR_HUB is not set
+
+#
+# USB HID support
+#
+CONFIG_USB_HID=m
+# CONFIG_HID_PID is not set
+# CONFIG_USB_HIDDEV is not set
+
+#
+# USB HID Boot Protocol drivers
+#
+# CONFIG_USB_KBD is not set
+# CONFIG_USB_MOUSE is not set
+CONFIG_USB_OHCI_LITTLE_ENDIAN=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_COMMON=y
+CONFIG_USB_ARCH_HAS_HCD=y
+CONFIG_USB=y
+CONFIG_USB_ANNOUNCE_NEW_DEVICES=y
+
+#
+# Miscellaneous USB options
+#
+CONFIG_USB_DEFAULT_PERSIST=y
+# CONFIG_USB_DYNAMIC_MINORS is not set
+# CONFIG_USB_OTG_WHITELIST is not set
+# CONFIG_USB_OTG_BLACKLIST_HUB is not set
+# CONFIG_USB_OTG_FSM is not set
+CONFIG_USB_MON=y
+# CONFIG_USB_WUSB_CBAF is not set
+
+#
+# USB Host Controller Drivers
+#
+# CONFIG_USB_C67X00_HCD is not set
+# CONFIG_USB_XHCI_HCD is not set
+CONFIG_USB_EHCI_HCD=y
+# CONFIG_USB_EHCI_ROOT_HUB_TT is not set
+# CONFIG_USB_EHCI_TT_NEWSCHED is not set
+CONFIG_USB_EHCI_PCI=y
+# CONFIG_USB_EHCI_HCD_PLATFORM is not set
+# CONFIG_USB_OXU210HP_HCD is not set
+# CONFIG_USB_ISP116X_HCD is not set
+# CONFIG_USB_ISP1760_HCD is not set
+# CONFIG_USB_ISP1362_HCD is not set
+# CONFIG_USB_FUSBH200_HCD is not set
+# CONFIG_USB_FOTG210_HCD is not set
+CONFIG_USB_OHCI_HCD=y
+CONFIG_USB_OHCI_HCD_PCI=y
+# CONFIG_USB_OHCI_HCD_PLATFORM is not set
+CONFIG_USB_UHCI_HCD=y
+# CONFIG_USB_SL811_HCD is not set
+# CONFIG_USB_R8A66597_HCD is not set
+# CONFIG_USB_HCD_TEST_MODE is not set
+
+#
+# USB Device Class drivers
+#
+# CONFIG_USB_ACM is not set
+CONFIG_USB_PRINTER=y
+# CONFIG_USB_WDM is not set
+# CONFIG_USB_TMC is not set
+
+#
+# NOTE: USB_STORAGE depends on SCSI but BLK_DEV_SD may
+#
+
+#
+# also be needed; see USB_STORAGE Help for more info
+#
+CONFIG_USB_STORAGE=y
+# CONFIG_USB_STORAGE_DEBUG is not set
+# CONFIG_USB_STORAGE_REALTEK is not set
+# CONFIG_USB_STORAGE_DATAFAB is not set
+# CONFIG_USB_STORAGE_FREECOM is not set
+# CONFIG_USB_STORAGE_ISD200 is not set
+# CONFIG_USB_STORAGE_USBAT is not set
+# CONFIG_USB_STORAGE_SDDR09 is not set
+# CONFIG_USB_STORAGE_SDDR55 is not set
+# CONFIG_USB_STORAGE_JUMPSHOT is not set
+# CONFIG_USB_STORAGE_ALAUDA is not set
+# CONFIG_USB_STORAGE_ONETOUCH is not set
+# CONFIG_USB_STORAGE_KARMA is not set
+# CONFIG_USB_STORAGE_CYPRESS_ATACB is not set
+# CONFIG_USB_STORAGE_ENE_UB6250 is not set
+# CONFIG_USB_UAS is not set
+
+#
+# USB Imaging devices
+#
+# CONFIG_USB_MDC800 is not set
+# CONFIG_USB_MICROTEK is not set
+# CONFIG_USB_MUSB_HDRC is not set
+# CONFIG_USB_DWC3 is not set
+# CONFIG_USB_DWC2 is not set
+# CONFIG_USB_CHIPIDEA is not set
+
+#
+# USB port drivers
+#
+# CONFIG_USB_SERIAL is not set
+
+#
+# USB Miscellaneous drivers
+#
+# CONFIG_USB_EMI62 is not set
+# CONFIG_USB_EMI26 is not set
+# CONFIG_USB_ADUTUX is not set
+# CONFIG_USB_SEVSEG is not set
+# CONFIG_USB_RIO500 is not set
+# CONFIG_USB_LEGOTOWER is not set
+# CONFIG_USB_LCD is not set
+# CONFIG_USB_LED is not set
+# CONFIG_USB_CYPRESS_CY7C63 is not set
+# CONFIG_USB_CYTHERM is not set
+# CONFIG_USB_IDMOUSE is not set
+# CONFIG_USB_FTDI_ELAN is not set
+# CONFIG_USB_APPLEDISPLAY is not set
+# CONFIG_USB_SISUSBVGA is not set
+# CONFIG_USB_LD is not set
+# CONFIG_USB_TRANCEVIBRATOR is not set
+# CONFIG_USB_IOWARRIOR is not set
+# CONFIG_USB_TEST is not set
+# CONFIG_USB_EHSET_TEST_FIXTURE is not set
+# CONFIG_USB_ISIGHTFW is not set
+# CONFIG_USB_YUREX is not set
+# CONFIG_USB_EZUSB_FX2 is not set
+
+#
+# USB Physical Layer drivers
+#
+# CONFIG_USB_PHY is not set
+# CONFIG_NOP_USB_XCEIV is not set
+# CONFIG_SAMSUNG_USB2PHY is not set
+# CONFIG_SAMSUNG_USB3PHY is not set
+# CONFIG_USB_GADGET is not set
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+CONFIG_NEW_LEDS=y
+CONFIG_LEDS_CLASS=y
+
+#
+# LED drivers
+#
+# CONFIG_LEDS_CLEVO_MAIL is not set
+# CONFIG_LEDS_INTEL_SS4200 is not set
+
+#
+# LED driver for blink(1) USB RGB LED is under Special HID drivers (HID_THINGM)
+#
+
+#
+# LED Triggers
+#
+CONFIG_LEDS_TRIGGERS=y
+# CONFIG_LEDS_TRIGGER_TIMER is not set
+# CONFIG_LEDS_TRIGGER_ONESHOT is not set
+# CONFIG_LEDS_TRIGGER_HEARTBEAT is not set
+# CONFIG_LEDS_TRIGGER_BACKLIGHT is not set
+# CONFIG_LEDS_TRIGGER_CPU is not set
+# CONFIG_LEDS_TRIGGER_DEFAULT_ON is not set
+
+#
+# iptables trigger is under Netfilter config (LED target)
+#
+# CONFIG_LEDS_TRIGGER_TRANSIENT is not set
+# CONFIG_LEDS_TRIGGER_CAMERA is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+CONFIG_EDAC=y
+CONFIG_EDAC_LEGACY_SYSFS=y
+# CONFIG_EDAC_DEBUG is not set
+CONFIG_EDAC_DECODE_MCE=y
+# CONFIG_EDAC_MCE_INJ is not set
+# CONFIG_EDAC_MM_EDAC is not set
+CONFIG_RTC_LIB=y
+CONFIG_RTC_CLASS=y
+# CONFIG_RTC_HCTOSYS is not set
+CONFIG_RTC_SYSTOHC=y
+CONFIG_RTC_HCTOSYS_DEVICE="rtc0"
+# CONFIG_RTC_DEBUG is not set
+
+#
+# RTC interfaces
+#
+CONFIG_RTC_INTF_SYSFS=y
+CONFIG_RTC_INTF_PROC=y
+CONFIG_RTC_INTF_DEV=y
+# CONFIG_RTC_INTF_DEV_UIE_EMUL is not set
+# CONFIG_RTC_DRV_TEST is not set
+
+#
+# SPI RTC drivers
+#
+
+#
+# Platform RTC drivers
+#
+CONFIG_RTC_DRV_CMOS=y
+# CONFIG_RTC_DRV_DS1286 is not set
+# CONFIG_RTC_DRV_DS1511 is not set
+# CONFIG_RTC_DRV_DS1553 is not set
+# CONFIG_RTC_DRV_DS1742 is not set
+# CONFIG_RTC_DRV_STK17TA8 is not set
+# CONFIG_RTC_DRV_M48T86 is not set
+# CONFIG_RTC_DRV_M48T35 is not set
+# CONFIG_RTC_DRV_M48T59 is not set
+# CONFIG_RTC_DRV_MSM6242 is not set
+# CONFIG_RTC_DRV_BQ4802 is not set
+# CONFIG_RTC_DRV_RP5C01 is not set
+# CONFIG_RTC_DRV_V3020 is not set
+# CONFIG_RTC_DRV_DS2404 is not set
+
+#
+# on-CPU RTC drivers
+#
+# CONFIG_RTC_DRV_MOXART is not set
+# CONFIG_RTC_DRV_XGENE is not set
+
+#
+# HID Sensor RTC drivers
+#
+# CONFIG_RTC_DRV_HID_SENSOR_TIME is not set
+CONFIG_DMADEVICES=y
+# CONFIG_DMADEVICES_DEBUG is not set
+
+#
+# DMA Devices
+#
+# CONFIG_INTEL_MID_DMAC is not set
+# CONFIG_INTEL_IOATDMA is not set
+# CONFIG_DW_DMAC_CORE is not set
+# CONFIG_DW_DMAC is not set
+# CONFIG_DW_DMAC_PCI is not set
+CONFIG_DMA_ACPI=y
+# CONFIG_AUXDISPLAY is not set
+CONFIG_UIO=m
+CONFIG_UIO_CIF=m
+CONFIG_UIO_PDRV_GENIRQ=m
+CONFIG_UIO_DMEM_GENIRQ=m
+CONFIG_UIO_AEC=m
+CONFIG_UIO_SERCOS3=m
+CONFIG_UIO_PCI_GENERIC=m
+CONFIG_UIO_NETX=m
+# CONFIG_UIO_MF624 is not set
+CONFIG_VFIO_IOMMU_TYPE1=m
+CONFIG_VFIO=m
+CONFIG_VFIO_PCI=m
+# CONFIG_VFIO_PCI_VGA is not set
+CONFIG_VIRT_DRIVERS=y
+CONFIG_VIRTIO=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_HYPERV is not set
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_ASUS_LAPTOP is not set
+# CONFIG_DELL_SMO8800 is not set
+# CONFIG_FUJITSU_LAPTOP is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_HP_WIRELESS is not set
+# CONFIG_PANASONIC_LAPTOP is not set
+# CONFIG_THINKPAD_ACPI is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+CONFIG_EEEPC_LAPTOP=y
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_SAMSUNG_LAPTOP is not set
+# CONFIG_SAMSUNG_Q10 is not set
+# CONFIG_APPLE_GMUX is not set
+CONFIG_INTEL_RST=m
+CONFIG_INTEL_SMARTCONNECT=m
+# CONFIG_PVPANIC is not set
+# CONFIG_CHROME_PLATFORMS is not set
+
+#
+# SOC (System On Chip) specific Drivers
+#
+
+#
+# Hardware Spinlock drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+# CONFIG_SH_TIMER_CMT is not set
+# CONFIG_SH_TIMER_MTU2 is not set
+# CONFIG_SH_TIMER_TMU is not set
+# CONFIG_EM_TIMER_STI is not set
+# CONFIG_MAILBOX is not set
+CONFIG_IOMMU_API=y
+CONFIG_IOMMU_SUPPORT=y
+CONFIG_AMD_IOMMU=y
+CONFIG_AMD_IOMMU_STATS=y
+CONFIG_AMD_IOMMU_V2=m
+CONFIG_DMAR_TABLE=y
+CONFIG_INTEL_IOMMU=y
+CONFIG_INTEL_IOMMU_DEFAULT_ON=y
+CONFIG_INTEL_IOMMU_FLOPPY_WA=y
+CONFIG_IRQ_REMAP=y
+
+#
+# Remoteproc drivers
+#
+# CONFIG_STE_MODEM_RPROC is not set
+
+#
+# Rpmsg drivers
+#
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+CONFIG_NTB=m
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+# CONFIG_IPACK_BUS is not set
+# CONFIG_RESET_CONTROLLER is not set
+# CONFIG_FMC is not set
+
+#
+# PHY Subsystem
+#
+CONFIG_GENERIC_PHY=y
+CONFIG_BCM_KONA_USB2_PHY=m
+# CONFIG_PHY_SAMSUNG_USB2 is not set
+CONFIG_POWERCAP=y
+CONFIG_INTEL_RAPL=m
+# CONFIG_MCB is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# EFI (Extensible Firmware Interface) Support
+#
+CONFIG_EFI_VARS=y
+CONFIG_EFI_RUNTIME_MAP=y
+CONFIG_UEFI_CPER=y
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+CONFIG_EXT2_FS_XATTR=y
+CONFIG_EXT2_FS_POSIX_ACL=y
+CONFIG_EXT2_FS_SECURITY=y
+# CONFIG_EXT2_FS_XIP is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+CONFIG_EXT3_FS_XATTR=y
+CONFIG_EXT3_FS_POSIX_ACL=y
+CONFIG_EXT3_FS_SECURITY=y
+CONFIG_EXT4_FS=y
+CONFIG_EXT4_FS_POSIX_ACL=y
+CONFIG_EXT4_FS_SECURITY=y
+# CONFIG_EXT4_DEBUG is not set
+CONFIG_JBD=y
+CONFIG_JBD_DEBUG=y
+CONFIG_JBD2=y
+CONFIG_JBD2_DEBUG=y
+CONFIG_FS_MBCACHE=y
+CONFIG_REISERFS_FS=m
+# CONFIG_REISERFS_CHECK is not set
+CONFIG_REISERFS_PROC_INFO=y
+CONFIG_REISERFS_FS_XATTR=y
+CONFIG_REISERFS_FS_POSIX_ACL=y
+CONFIG_REISERFS_FS_SECURITY=y
+CONFIG_JFS_FS=m
+CONFIG_JFS_POSIX_ACL=y
+CONFIG_JFS_SECURITY=y
+# CONFIG_JFS_DEBUG is not set
+CONFIG_JFS_STATISTICS=y
+CONFIG_XFS_FS=m
+CONFIG_XFS_QUOTA=y
+CONFIG_XFS_POSIX_ACL=y
+CONFIG_XFS_RT=y
+CONFIG_XFS_WARN=y
+# CONFIG_XFS_DEBUG is not set
+CONFIG_GFS2_FS=m
+# CONFIG_GFS2_FS_LOCKING_DLM is not set
+CONFIG_OCFS2_FS=m
+CONFIG_OCFS2_FS_O2CB=m
+CONFIG_OCFS2_FS_USERSPACE_CLUSTER=m
+CONFIG_OCFS2_FS_STATS=y
+CONFIG_OCFS2_DEBUG_MASKLOG=y
+CONFIG_OCFS2_DEBUG_FS=y
+CONFIG_BTRFS_FS=m
+CONFIG_BTRFS_FS_POSIX_ACL=y
+# CONFIG_BTRFS_FS_CHECK_INTEGRITY is not set
+CONFIG_BTRFS_FS_RUN_SANITY_TESTS=y
+# CONFIG_BTRFS_DEBUG is not set
+CONFIG_BTRFS_ASSERT=y
+CONFIG_NILFS2_FS=m
+CONFIG_FS_POSIX_ACL=y
+CONFIG_EXPORTFS=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+CONFIG_FANOTIFY=y
+CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
+CONFIG_QUOTA=y
+CONFIG_QUOTA_NETLINK_INTERFACE=y
+# CONFIG_PRINT_QUOTA_WARNING is not set
+# CONFIG_QUOTA_DEBUG is not set
+CONFIG_QUOTA_TREE=m
+# CONFIG_QFMT_V1 is not set
+CONFIG_QFMT_V2=m
+CONFIG_QUOTACTL=y
+CONFIG_QUOTACTL_COMPAT=y
+CONFIG_AUTOFS4_FS=y
+CONFIG_FUSE_FS=m
+CONFIG_CUSE=m
+
+#
+# Caches
+#
+CONFIG_FSCACHE=m
+CONFIG_FSCACHE_STATS=y
+CONFIG_FSCACHE_HISTOGRAM=y
+# CONFIG_FSCACHE_DEBUG is not set
+# CONFIG_FSCACHE_OBJECT_LIST is not set
+# CONFIG_CACHEFILES is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=m
+CONFIG_JOLIET=y
+CONFIG_ZISOFS=y
+CONFIG_UDF_FS=m
+CONFIG_UDF_NLS=y
+
+#
+# DOS/FAT/NT Filesystems
+#
+CONFIG_FAT_FS=m
+CONFIG_MSDOS_FS=m
+CONFIG_VFAT_FS=m
+CONFIG_FAT_DEFAULT_CODEPAGE=437
+CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1"
+CONFIG_NTFS_FS=m
+# CONFIG_NTFS_DEBUG is not set
+CONFIG_NTFS_RW=y
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_VMCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_KERNFS=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+CONFIG_TMPFS_POSIX_ACL=y
+CONFIG_TMPFS_XATTR=y
+CONFIG_HUGETLBFS=y
+CONFIG_HUGETLB_PAGE=y
+CONFIG_CONFIGFS_FS=m
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_ECRYPT_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+CONFIG_LOGFS=m
+CONFIG_CRAMFS=m
+CONFIG_SQUASHFS=m
+CONFIG_SQUASHFS_FILE_CACHE=y
+# CONFIG_SQUASHFS_FILE_DIRECT is not set
+CONFIG_SQUASHFS_DECOMP_SINGLE=y
+# CONFIG_SQUASHFS_DECOMP_MULTI is not set
+# CONFIG_SQUASHFS_DECOMP_MULTI_PERCPU is not set
+CONFIG_SQUASHFS_XATTR=y
+CONFIG_SQUASHFS_ZLIB=y
+CONFIG_SQUASHFS_LZO=y
+CONFIG_SQUASHFS_XZ=y
+CONFIG_SQUASHFS_4K_DEVBLK_SIZE=y
+CONFIG_SQUASHFS_EMBEDDED=y
+CONFIG_SQUASHFS_FRAGMENT_CACHE_SIZE=3
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+CONFIG_ROMFS_FS=m
+CONFIG_ROMFS_BACKED_BY_BLOCK=y
+CONFIG_ROMFS_ON_BLOCK=y
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+CONFIG_UFS_FS=m
+# CONFIG_UFS_FS_WRITE is not set
+# CONFIG_UFS_DEBUG is not set
+CONFIG_F2FS_FS=m
+CONFIG_F2FS_STAT_FS=y
+CONFIG_F2FS_FS_XATTR=y
+CONFIG_F2FS_FS_POSIX_ACL=y
+CONFIG_F2FS_FS_SECURITY=y
+CONFIG_F2FS_CHECK_FS=y
+CONFIG_EFIVAR_FS=m
+CONFIG_NETWORK_FILESYSTEMS=y
+CONFIG_NFS_FS=m
+CONFIG_NFS_V2=m
+CONFIG_NFS_V3=m
+CONFIG_NFS_V3_ACL=y
+CONFIG_NFS_V4=m
+# CONFIG_NFS_SWAP is not set
+CONFIG_NFS_V4_1=y
+CONFIG_NFS_V4_2=y
+CONFIG_PNFS_FILE_LAYOUT=m
+CONFIG_PNFS_BLOCK=m
+CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
+# CONFIG_NFS_V4_1_MIGRATION is not set
+CONFIG_NFS_V4_SECURITY_LABEL=y
+# CONFIG_NFS_FSCACHE is not set
+# CONFIG_NFS_USE_LEGACY_DNS is not set
+CONFIG_NFS_USE_KERNEL_DNS=y
+CONFIG_NFS_DEBUG=y
+# CONFIG_NFSD is not set
+CONFIG_LOCKD=m
+CONFIG_LOCKD_V4=y
+CONFIG_NFS_ACL_SUPPORT=m
+CONFIG_NFS_COMMON=y
+CONFIG_SUNRPC=m
+CONFIG_SUNRPC_GSS=m
+CONFIG_SUNRPC_BACKCHANNEL=y
+CONFIG_RPCSEC_GSS_KRB5=m
+CONFIG_SUNRPC_DEBUG=y
+# CONFIG_CEPH_FS is not set
+CONFIG_CIFS=m
+CONFIG_CIFS_STATS=y
+CONFIG_CIFS_STATS2=y
+# CONFIG_CIFS_WEAK_PW_HASH is not set
+# CONFIG_CIFS_UPCALL is not set
+CONFIG_CIFS_XATTR=y
+CONFIG_CIFS_POSIX=y
+CONFIG_CIFS_ACL=y
+CONFIG_CIFS_DEBUG=y
+# CONFIG_CIFS_DEBUG2 is not set
+# CONFIG_CIFS_DFS_UPCALL is not set
+CONFIG_CIFS_SMB2=y
+CONFIG_CIFS_FSCACHE=y
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="utf8"
+CONFIG_NLS_CODEPAGE_437=y
+CONFIG_NLS_CODEPAGE_737=m
+CONFIG_NLS_CODEPAGE_775=m
+CONFIG_NLS_CODEPAGE_850=m
+CONFIG_NLS_CODEPAGE_852=m
+CONFIG_NLS_CODEPAGE_855=m
+CONFIG_NLS_CODEPAGE_857=m
+CONFIG_NLS_CODEPAGE_860=m
+CONFIG_NLS_CODEPAGE_861=m
+CONFIG_NLS_CODEPAGE_862=m
+CONFIG_NLS_CODEPAGE_863=m
+CONFIG_NLS_CODEPAGE_864=m
+CONFIG_NLS_CODEPAGE_865=m
+CONFIG_NLS_CODEPAGE_866=m
+CONFIG_NLS_CODEPAGE_869=m
+CONFIG_NLS_CODEPAGE_936=m
+CONFIG_NLS_CODEPAGE_950=m
+CONFIG_NLS_CODEPAGE_932=m
+CONFIG_NLS_CODEPAGE_949=m
+CONFIG_NLS_CODEPAGE_874=m
+CONFIG_NLS_ISO8859_8=m
+CONFIG_NLS_CODEPAGE_1250=m
+CONFIG_NLS_CODEPAGE_1251=m
+CONFIG_NLS_ASCII=y
+CONFIG_NLS_ISO8859_1=y
+CONFIG_NLS_ISO8859_2=m
+CONFIG_NLS_ISO8859_3=m
+CONFIG_NLS_ISO8859_4=m
+CONFIG_NLS_ISO8859_5=m
+CONFIG_NLS_ISO8859_6=m
+CONFIG_NLS_ISO8859_7=m
+CONFIG_NLS_ISO8859_9=m
+CONFIG_NLS_ISO8859_13=m
+CONFIG_NLS_ISO8859_14=m
+CONFIG_NLS_ISO8859_15=y
+CONFIG_NLS_KOI8_R=m
+CONFIG_NLS_KOI8_U=m
+CONFIG_NLS_MAC_ROMAN=m
+CONFIG_NLS_MAC_CELTIC=m
+CONFIG_NLS_MAC_CENTEURO=m
+CONFIG_NLS_MAC_CROATIAN=m
+CONFIG_NLS_MAC_CYRILLIC=m
+CONFIG_NLS_MAC_GAELIC=m
+CONFIG_NLS_MAC_GREEK=m
+CONFIG_NLS_MAC_ICELAND=m
+CONFIG_NLS_MAC_INUIT=m
+CONFIG_NLS_MAC_ROMANIAN=m
+CONFIG_NLS_MAC_TURKISH=m
+CONFIG_NLS_UTF8=y
+CONFIG_DLM=m
+# CONFIG_DLM_DEBUG is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+
+#
+# printk and dmesg options
+#
+CONFIG_PRINTK_TIME=y
+CONFIG_DEFAULT_MESSAGE_LOGLEVEL=4
+# CONFIG_BOOT_PRINTK_DELAY is not set
+# CONFIG_DYNAMIC_DEBUG is not set
+
+#
+# Compile-time checks and compiler options
+#
+# CONFIG_DEBUG_INFO is not set
+# CONFIG_ENABLE_WARN_DEPRECATED is not set
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=2048
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+CONFIG_DEBUG_FS=y
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+CONFIG_MAGIC_SYSRQ=y
+CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x1
+CONFIG_DEBUG_KERNEL=y
+
+#
+# Memory Debugging
+#
+# CONFIG_DEBUG_PAGEALLOC is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_SLUB_DEBUG_ON is not set
+# CONFIG_SLUB_STATS is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
+CONFIG_DEBUG_STACK_USAGE=y
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+# CONFIG_DEBUG_MEMORY_INIT is not set
+# CONFIG_DEBUG_PER_CPU_MAPS is not set
+CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
+CONFIG_DEBUG_STACKOVERFLOW=y
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+# CONFIG_KMEMCHECK is not set
+# CONFIG_DEBUG_SHIRQ is not set
+
+#
+# Debug Lockups and Hangs
+#
+# CONFIG_LOCKUP_DETECTOR is not set
+# CONFIG_DETECT_HUNG_TASK is not set
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_PANIC_TIMEOUT=0
+# CONFIG_SCHED_DEBUG is not set
+CONFIG_SCHEDSTATS=y
+CONFIG_TIMER_STATS=y
+
+#
+# Lock Debugging (spinlocks, mutexes, etc...)
+#
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_RT_MUTEX_TESTER is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_LOCK_TORTURE_TEST is not set
+CONFIG_STACKTRACE=y
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_DEBUG_PI_LIST is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+
+#
+# RCU Debugging
+#
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_TORTURE_TEST is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+CONFIG_RCU_CPU_STALL_TIMEOUT=60
+# CONFIG_RCU_CPU_STALL_INFO is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y
+# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_NOP_TRACER=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_FUNCTION_TRACE_MCOUNT_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACE_CLOCK=y
+CONFIG_RING_BUFFER=y
+CONFIG_EVENT_TRACING=y
+CONFIG_CONTEXT_SWITCH_TRACER=y
+CONFIG_TRACING=y
+CONFIG_GENERIC_TRACER=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+# CONFIG_TRACER_SNAPSHOT is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+CONFIG_BLK_DEV_IO_TRACE=y
+CONFIG_KPROBE_EVENT=y
+# CONFIG_UPROBE_EVENT is not set
+CONFIG_PROBE_EVENTS=y
+# CONFIG_FTRACE_STARTUP_TEST is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_TRACEPOINT_BENCHMARK is not set
+# CONFIG_RING_BUFFER_BENCHMARK is not set
+# CONFIG_RING_BUFFER_STARTUP_TEST is not set
+
+#
+# Runtime Testing
+#
+# CONFIG_LKDTM is not set
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_KPROBES_SANITY_TEST is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_RBTREE_TEST is not set
+# CONFIG_INTERVAL_TREE_TEST is not set
+CONFIG_PERCPU_TEST=m
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_ASYNC_RAID6_TEST is not set
+CONFIG_TEST_STRING_HELPERS=m
+# CONFIG_TEST_KSTRTOX is not set
+CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
+# CONFIG_DMA_API_DEBUG is not set
+CONFIG_TEST_MODULE=m
+CONFIG_TEST_USER_COPY=m
+CONFIG_TEST_BPF=m
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+CONFIG_EARLY_PRINTK_DBGP=y
+# CONFIG_EARLY_PRINTK_EFI is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA=y
+# CONFIG_DEBUG_RODATA_TEST is not set
+# CONFIG_DEBUG_SET_MODULE_RONX is not set
+CONFIG_DEBUG_NX_TEST=m
+CONFIG_DOUBLEFAULT=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+# CONFIG_X86_DECODER_SELFTEST is not set
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+CONFIG_DEBUG_BOOT_PARAMS=y
+# CONFIG_CPA_DEBUG is not set
+CONFIG_OPTIMIZE_INLINING=y
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set
+
+#
+# Security options
+#
+CONFIG_KEYS=y
+# CONFIG_PERSISTENT_KEYRINGS is not set
+# CONFIG_BIG_KEYS is not set
+CONFIG_ENCRYPTED_KEYS=y
+CONFIG_KEYS_DEBUG_PROC_KEYS=y
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+CONFIG_SECURITY=y
+CONFIG_SECURITYFS=y
+CONFIG_SECURITY_NETWORK=y
+# CONFIG_SECURITY_NETWORK_XFRM is not set
+CONFIG_SECURITY_PATH=y
+# CONFIG_INTEL_TXT is not set
+CONFIG_LSM_MMAP_MIN_ADDR=65536
+CONFIG_SECURITY_SELINUX=y
+CONFIG_SECURITY_SELINUX_BOOTPARAM=y
+CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
+CONFIG_SECURITY_SELINUX_DISABLE=y
+CONFIG_SECURITY_SELINUX_DEVELOP=y
+CONFIG_SECURITY_SELINUX_AVC_STATS=y
+CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
+# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
+# CONFIG_SECURITY_SMACK is not set
+# CONFIG_SECURITY_TOMOYO is not set
+# CONFIG_SECURITY_APPARMOR is not set
+CONFIG_SECURITY_YAMA=y
+# CONFIG_SECURITY_YAMA_STACKED is not set
+CONFIG_INTEGRITY=y
+# CONFIG_INTEGRITY_SIGNATURE is not set
+CONFIG_INTEGRITY_AUDIT=y
+# CONFIG_IMA is not set
+CONFIG_EVM=y
+
+#
+# EVM options
+#
+CONFIG_EVM_ATTR_FSUUID=y
+CONFIG_DEFAULT_SECURITY_SELINUX=y
+# CONFIG_DEFAULT_SECURITY_YAMA is not set
+# CONFIG_DEFAULT_SECURITY_DAC is not set
+CONFIG_DEFAULT_SECURITY="selinux"
+CONFIG_XOR_BLOCKS=m
+CONFIG_ASYNC_CORE=m
+CONFIG_ASYNC_MEMCPY=m
+CONFIG_ASYNC_XOR=m
+CONFIG_ASYNC_PQ=m
+CONFIG_ASYNC_RAID6_RECOV=m
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_PCOMP=m
+CONFIG_CRYPTO_PCOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=m
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=m
+CONFIG_CRYPTO_NULL=m
+CONFIG_CRYPTO_PCRYPT=m
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=m
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_TEST=m
+CONFIG_CRYPTO_ABLK_HELPER=m
+CONFIG_CRYPTO_GLUE_HELPER_X86=m
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=m
+CONFIG_CRYPTO_SEQIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+CONFIG_CRYPTO_CTS=m
+CONFIG_CRYPTO_ECB=m
+CONFIG_CRYPTO_LRW=m
+CONFIG_CRYPTO_PCBC=m
+CONFIG_CRYPTO_XTS=m
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_CMAC=m
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=m
+CONFIG_CRYPTO_VMAC=m
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+CONFIG_CRYPTO_CRC32=m
+CONFIG_CRYPTO_CRC32_PCLMUL=m
+CONFIG_CRYPTO_CRCT10DIF=y
+CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m
+CONFIG_CRYPTO_GHASH=m
+CONFIG_CRYPTO_MD4=m
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=m
+CONFIG_CRYPTO_RMD128=m
+CONFIG_CRYPTO_RMD160=m
+CONFIG_CRYPTO_RMD256=m
+CONFIG_CRYPTO_RMD320=m
+CONFIG_CRYPTO_SHA1=y
+CONFIG_CRYPTO_SHA1_SSSE3=m
+CONFIG_CRYPTO_SHA256_SSSE3=m
+CONFIG_CRYPTO_SHA512_SSSE3=m
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=m
+CONFIG_CRYPTO_TGR192=m
+CONFIG_CRYPTO_WP512=m
+CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_AES_X86_64=m
+CONFIG_CRYPTO_AES_NI_INTEL=m
+CONFIG_CRYPTO_ANUBIS=m
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=m
+CONFIG_CRYPTO_BLOWFISH_COMMON=m
+CONFIG_CRYPTO_BLOWFISH_X86_64=m
+CONFIG_CRYPTO_CAMELLIA=m
+CONFIG_CRYPTO_CAMELLIA_X86_64=m
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=m
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m
+CONFIG_CRYPTO_CAST_COMMON=m
+CONFIG_CRYPTO_CAST5=m
+CONFIG_CRYPTO_CAST5_AVX_X86_64=m
+CONFIG_CRYPTO_CAST6=m
+CONFIG_CRYPTO_CAST6_AVX_X86_64=m
+CONFIG_CRYPTO_DES=y
+CONFIG_CRYPTO_FCRYPT=m
+CONFIG_CRYPTO_KHAZAD=m
+CONFIG_CRYPTO_SALSA20=m
+CONFIG_CRYPTO_SALSA20_X86_64=m
+CONFIG_CRYPTO_SEED=m
+CONFIG_CRYPTO_SERPENT=m
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=m
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=m
+CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m
+CONFIG_CRYPTO_TEA=m
+CONFIG_CRYPTO_TWOFISH=m
+CONFIG_CRYPTO_TWOFISH_COMMON=m
+CONFIG_CRYPTO_TWOFISH_X86_64=m
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=m
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=m
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=m
+CONFIG_CRYPTO_ZLIB=m
+CONFIG_CRYPTO_LZO=m
+CONFIG_CRYPTO_LZ4=m
+CONFIG_CRYPTO_LZ4HC=m
+
+#
+# Random Number Generation
+#
+CONFIG_CRYPTO_ANSI_CPRNG=m
+CONFIG_CRYPTO_USER_API=m
+CONFIG_CRYPTO_USER_API_HASH=m
+CONFIG_CRYPTO_USER_API_SKCIPHER=m
+CONFIG_CRYPTO_HASH_INFO=y
+CONFIG_CRYPTO_HW=y
+# CONFIG_CRYPTO_DEV_PADLOCK is not set
+# CONFIG_CRYPTO_DEV_CCP is not set
+CONFIG_ASYMMETRIC_KEY_TYPE=m
+CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=m
+CONFIG_PUBLIC_KEY_ALGO_RSA=m
+CONFIG_X509_CERTIFICATE_PARSER=m
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+CONFIG_BINARY_PRINTF=y
+
+#
+# Library routines
+#
+CONFIG_RAID6_PQ=m
+CONFIG_BITREVERSE=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_NET_UTILS=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
+CONFIG_CRC_CCITT=m
+CONFIG_CRC16=y
+CONFIG_CRC_T10DIF=m
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+CONFIG_CRC32_SELFTEST=y
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=m
+CONFIG_LIBCRC32C=m
+CONFIG_CRC8=m
+# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
+# CONFIG_RANDOM32_SELFTEST is not set
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=m
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+CONFIG_LZ4_COMPRESS=m
+CONFIG_LZ4HC_COMPRESS=m
+CONFIG_LZ4_DECOMPRESS=y
+CONFIG_XZ_DEC=y
+CONFIG_XZ_DEC_X86=y
+CONFIG_XZ_DEC_POWERPC=y
+CONFIG_XZ_DEC_IA64=y
+CONFIG_XZ_DEC_ARM=y
+CONFIG_XZ_DEC_ARMTHUMB=y
+CONFIG_XZ_DEC_SPARC=y
+CONFIG_XZ_DEC_BCJ=y
+CONFIG_XZ_DEC_TEST=m
+CONFIG_DECOMPRESS_GZIP=y
+CONFIG_DECOMPRESS_BZIP2=y
+CONFIG_DECOMPRESS_LZMA=y
+CONFIG_DECOMPRESS_XZ=y
+CONFIG_DECOMPRESS_LZO=y
+CONFIG_DECOMPRESS_LZ4=y
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=m
+CONFIG_TEXTSEARCH_BM=m
+CONFIG_TEXTSEARCH_FSM=m
+CONFIG_BTREE=y
+CONFIG_ASSOCIATIVE_ARRAY=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT_MAP=y
+CONFIG_HAS_DMA=y
+CONFIG_CPU_RMAP=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
+CONFIG_LRU_CACHE=m
+CONFIG_AVERAGE=y
+CONFIG_CLZ_TAB=y
+CONFIG_CORDIC=m
+# CONFIG_DDR is not set
+CONFIG_MPILIB=m
+CONFIG_OID_REGISTRY=m
+CONFIG_UCS2_STRING=y
diff --git a/logrotate.d/fail2ban b/logrotate.d/fail2ban
new file mode 100644 (file)
index 0000000..cd29f90
--- /dev/null
@@ -0,0 +1,22 @@
+#
+# Gentoo:
+# http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/fail2ban/files/fail2ban-logrotate?view=markup
+#
+# Debian:
+# https://github.com/fail2ban/fail2ban/blob/debian/debian/fail2ban.logrotate
+#
+# Fedora view:
+#  http://pkgs.fedoraproject.org/cgit/fail2ban.git/tree/fail2ban-logrotate
+
+/var/log/fail2ban.log {
+    rotate 7
+    daily
+    size 1024K
+    maxage 1y
+    missingok
+    compress
+    delaycompress
+    postrotate
+      /usr/bin/fail2ban-client flushlogs  1>/dev/null || true
+    endscript
+}
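Review bot: The postrotate line `/usr/bin/fail2ban-client flushlogs  1>/dev/null || true` throws away the exit status, so a failed flush leaves fail2ban writing to the already-rotated file with nothing recording that it happened. This log is the record of bans, so the failure is worth surfacing rather than swallowing, for example `/usr/bin/fail2ban-client flushlogs >/dev/null || logger -t logrotate "fail2ban flushlogs failed"`, which still lets the rotation finish. The stanza also has no `notifempty`, unlike the named stanzas added in the same commit; that may be intentional.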
diff --git a/logrotate.d/named b/logrotate.d/named
new file mode 100644 (file)
index 0000000..87f1183
--- /dev/null
@@ -0,0 +1,26 @@
+script named-reload
+    /etc/init.d/named restart >/dev/null || true
+endscript
+
+/var/log/named/complete-debug.log /var/log/named/debug.log /var/log/named/query.log {
+    daily
+    olddir /var/log/named/%Y-%m
+    size 4M
+    maxage 6m
+    notifempty
+    missingok
+    postrotate named-reload
+}
+
+/var/log/named/named.log {
+    weekly
+    olddir /var/log/named/%Y-%m
+    size 1M
+    maxage 2y
+    notifempty
+    missingok
+    postrotate named-reload
+}
+
+
+# vim: ts=4 filetype=conf
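Review bot: The shared script is named `named-reload` but runs `/etc/init.d/named restart`, so each rotation stops and starts the name server, while the syslog-ng script in the next file uses `reload`. A full restart drops the resolver cache and briefly interrupts DNS service. The first stanza lists three files on a `daily` schedule, so this may happen more often than expected, depending on how the rotation tool batches scripts. If the init script offers it, `/etc/init.d/named reload >/dev/null || true` would match the name; it should make named reopen its log channels, which is worth confirming. Otherwise, rename the script to `named-restart` so the name says what it does.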
index 5c94da4a876aecdd6f71aa5fcb1e14c153e2c519..b68987e976452125e74ce14b4cfb12b72bbc7091 100644 (file)
@@ -16,7 +16,7 @@ script syslog-reload
     /etc/init.d/syslog-ng reload >/dev/null || true
 endscript
 
-/var/log/messages {
+/var/log/messages /var/log/syslog {
     daily
     olddir /var/log/.old/%Y-%m
     size 1024K
@@ -31,7 +31,7 @@ endscript
     maxage 1y
 }
 
-/var/log/debug.log {
+/var/log/debug.log /var/log/debug /var/log/all {
     daily
     olddir /var/log/.old/%Y-%m
     size 4M
diff --git a/openldap/schema/openssh-lpk.schema b/openldap/schema/openssh-lpk.schema
new file mode 100644 (file)
index 0000000..5f5512a
--- /dev/null
@@ -0,0 +1,19 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
+# Author: Eric AUGE <eau@phear.org>
+# 
+# Based on the proposal of : Mark Ruijter
+#
+
+
+# octetString SYNTAX
+attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
+       DESC 'MANDATORY: OpenSSH Public key' 
+       EQUALITY octetStringMatch
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+
+# printableString SYNTAX yes|no
+objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
+       DESC 'MANDATORY: OpenSSH LPK objectclass'
+       MUST ( sshPublicKey $ uid ) 
+       )
index afcad1fa4f5a77bb5111807a41cf955d652b1306..370167df388fe400d5569fe932424c04d2166c48 100644 (file)
@@ -138,7 +138,7 @@ net-analyzer/wireshark                  adns gcrypt geoip profile smi
 
 # ODBC-Header not found ...
 #net-dns/bind                            dlz geoip gssapi -odbc pkcs11 sdb-ldap urandom
-net-dns/bind                            dlz geoip gssapi -odbc -pkcs11 -sdb-ldap urandom
+net-dns/bind                            dlz geoip gssapi nslint -odbc -pkcs11 -sdb-ldap -seccomp -threads urandom
 net-dns/bind-tools                     gssapi pkcs11 urandom
 net-dns/libidn                          -java
 
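Review bot: The new `net-dns/bind` line adds `-seccomp` and `-threads` without giving a reason, whereas the `-odbc` setting is explained by the comment `# ODBC-Header not found ...` just above. If the seccomp flag would otherwise be enabled by the profile or ebuild defaults, turning it off removes the syscall filter from a network-facing daemon. The motive (build failure, runtime crash) should be recorded next to the line, e.g. `# seccomp/threads off: <reason, bug reference>`. The rest of the file is outside the hunk, so an explanation elsewhere cannot be ruled out.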
@@ -157,7 +157,7 @@ net-mail/courier-imap                   -gnutls trashquota
 
 net-misc/curl                           libssh2
 net-misc/iputils                        -doc caps gnutls
-net-misc/openssh                        X509
+net-misc/openssh                        sctp -X509
 net-misc/openvpn                       down-root iproute2
 
 net-nds/openldap                        experimental -kerberos overlays
index 2c7bd573804508e0d05619523ef2fb94b4d92cc4..2d985237f544e0ae49599f06cd9158ba2b6c26fc 100644 (file)
@@ -5,7 +5,7 @@
 # For common configuration examples, see BASIC_CONFIGURATION_README
 # and STANDARD_CONFIGURATION_README. To find these documents, use
 # the command "postconf html_directory readme_directory", or go to
-# http://www.postfix.org/.
+# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc.
 #
 # For best results, change no more than 2-3 parameters at a time,
 # and test if Postfix still works after every change.
@@ -640,7 +640,7 @@ setgid_group = postdrop
 
 # html_directory: The location of the Postfix HTML documentation.
 #
-html_directory = /usr/share/doc/postfix-2.10.3/html
+html_directory = /usr/share/doc/postfix-2.11.3/html
 
 # manpage_directory: The location of the Postfix on-line manual pages.
 #
@@ -653,7 +653,7 @@ sample_directory = /etc/postfix
 
 # readme_directory: The location of the Postfix README files.
 #
-readme_directory = /usr/share/doc/postfix-2.10.3/readme
+readme_directory = /usr/share/doc/postfix-2.11.3/readme
 home_mailbox = .maildir/
 broken_sasl_auth_clients = yes
 
index ec708eb87c47415db75345728203cd370f052a8c..79ca4bb6c4764f45c1852176b0593514cdf35b25 100644 (file)
@@ -1,6 +1,7 @@
 #
 # Postfix master process configuration file.  For details on the format
-# of the file, see the master(5) manual page (command: "man 5 master").
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
 #
 # Do not forget to execute "postfix reload" after editing this file.
 #
@@ -21,7 +22,8 @@ smtp      inet  n       -       n       -       -       smtpd
 #  -o smtpd_client_restrictions=$mua_client_restrictions
 #  -o smtpd_helo_restrictions=$mua_helo_restrictions
 #  -o smtpd_sender_restrictions=$mua_sender_restrictions
-#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 #  -o milter_macro_daemon_name=ORIGINATING
 #smtps     inet  n       -       n       -       -       smtpd
 #  -o syslog_name=postfix/smtps
@@ -31,7 +33,8 @@ smtp      inet  n       -       n       -       -       smtpd
 #  -o smtpd_client_restrictions=$mua_client_restrictions
 #  -o smtpd_helo_restrictions=$mua_helo_restrictions
 #  -o smtpd_sender_restrictions=$mua_sender_restrictions
-#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 #  -o milter_macro_daemon_name=ORIGINATING
 #628       inet  n       -       n       -       -       qmqpd
 pickup    unix  n       -       n       60      1       pickup
index 59221b2b1cbb77aff37192c765f70f2600eb0b65..134ce4f40d00bce4913c5dc408bac8427f9d759e 100644 (file)
@@ -1 +1 @@
-SEARCH_DIRS_MASK="/opt/icedtea-bin-6.1.13.3"
+SEARCH_DIRS_MASK="/opt/icedtea-bin-6.1.13.5"
diff --git a/runlevels/default/fail2ban b/runlevels/default/fail2ban
new file mode 120000 (symlink)
index 0000000..a866c2b
--- /dev/null
@@ -0,0 +1 @@
+/etc/init.d/fail2ban
\ No newline at end of file
index fde6a76499e54a8394de4555185341f57da179ca..42874fe9bd2e033fd8d14c1a9d4b494966ace67e 100644 (file)
@@ -1,4 +1,4 @@
-#      $OpenBSD$
+#      $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $
 
 # This is the ssh client system-wide configuration file.  See
 # ssh_config(5) for more information.  This file provides defaults for
 #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
 #   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
 #   EscapeChar ~
-#   AllowedCertPurpose sslserver
-#   MandatoryCRL no
-#   CACertificateFile /etc/ssh/ca/ca-bundle.crt
-#   CACertificatePath /etc/ssh/ca/crt
-#   CARevocationFile /etc/ssh/ca/ca-bundle.crl
-#   CARevocationPath /etc/ssh/ca/crl
-#   UserCACertificateFile ~/.ssh/ca-bundle.crt
-#   UserCACertificatePath ~/.ssh/crt
-#   UserCARevocationFile ~/.ssh/ca-bundle.crl
-#   UserCARevocationPath ~/.ssh/crl
-#   VAType none
 #   Tunnel no
 #   TunnelDevice any:any
 #   PermitLocalCommand no
index c7c3f62a74ac9eaf92588253fb8283a35cf99ea7..5eb8312b2bd8688cc5e231d066b5efd7e88929e5 100644 (file)
@@ -1,4 +1,4 @@
-#      $OpenBSD$
+#      $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -194,13 +194,29 @@ UsePrivilegeSeparation sandbox            # Default for new installations.
 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
 
+# here are the new patched ldap related tokens
+# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
+#UseLPK yes
+#LpkLdapConf /etc/ldap.conf
+#LpkServers  ldap://10.1.7.1/ ldap://10.1.7.2/
+#LpkUserDN   ou=users,dc=phear,dc=org
+#LpkGroupDN  ou=groups,dc=phear,dc=org
+#LpkBindDN cn=Manager,dc=phear,dc=org
+#LpkBindPw secret
+#LpkServerGroup mail
+#LpkFilter (hostAccess=master.phear.org)
+#LpkForceTLS no
+#LpkSearchTimelimit 3
+#LpkBindTimelimit 3
+#LpkPubKeyAttr sshPublicKey
+
 # override default of no subsystems
 Subsystem      sftp    /usr/lib64/misc/sftp-server
 
 # the following are HPN related configuration options
 # tcp receive buffer polling. disable in non autotuning kernels
 #TcpRcvBufPoll yes
+
 # disable hpn performance boosts
 #HPNDisabled no
 
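Review bot: The commented LPK template added before the `Subsystem sftp` line shows `#LpkBindPw secret`, `#LpkForceTLS no` and plain `ldap://` servers. Anyone who enables it by uncommenting would presumably fetch authorized keys over an unprotected channel and store a bind password in sshd_config. This /etc tree is kept in git, so a real bind password written here would also land in the repository history. I would change the sample to `#LpkForceTLS yes` and add a line such as `# LpkBindPw: use a read-only bind account and keep the real value out of version control` above it. The block looks like it comes from the distribution's LPK patch, so the edit may need re-applying after the next config merge.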
diff --git a/ssh/sshd_config.orig b/ssh/sshd_config.orig
new file mode 100644 (file)
index 0000000..5683e16
--- /dev/null
@@ -0,0 +1,167 @@
+#      $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+#AuthorizedKeysFile    .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+PrintLastLog no
+#TCPKeepAlive yes
+#UseLogin no
+UsePrivilegeSeparation sandbox         # Default for new installations.
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# here are the new patched ldap related tokens
+# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
+#UseLPK yes
+#LpkLdapConf /etc/ldap.conf
+#LpkServers  ldap://10.1.7.1/ ldap://10.1.7.2/
+#LpkUserDN   ou=users,dc=phear,dc=org
+#LpkGroupDN  ou=groups,dc=phear,dc=org
+#LpkBindDN cn=Manager,dc=phear,dc=org
+#LpkBindPw secret
+#LpkServerGroup mail
+#LpkFilter (hostAccess=master.phear.org)
+#LpkForceTLS no
+#LpkSearchTimelimit 3
+#LpkBindTimelimit 3
+#LpkPubKeyAttr sshPublicKey
+
+# override default of no subsystems
+Subsystem      sftp    /usr/lib64/misc/sftp-server
+
+# the following are HPN related configuration options
+# tcp receive buffer polling. disable in non autotuning kernels
+#TcpRcvBufPoll yes
+
+# disable hpn performance boosts
+#HPNDisabled no
+
+# buffer size for hpn to non-hpn connections
+#HPNBufferSize 2048
+
+
+# allow the use of the none cipher
+#NoneEnabled no
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#      X11Forwarding no
+#      AllowTcpForwarding no
+#      PermitTTY no
+#      ForceCommand cvs server
+
+# Allow client to pass locale environment variables #367017
+AcceptEnv LANG LC_*
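Review bot: `PasswordAuthentication no` combined with `UsePAM yes` does not by itself disable password-style logins in this file, because `#ChallengeResponseAuthentication yes` is left at its default. The file's own comment above `UsePAM yes` says PAM authentication stays reachable through challenge-response. If key-only login is the intent, set `ChallengeResponseAuthentication no` explicitly. `#PermitRootLogin yes` is also left at the default, so consider `PermitRootLogin without-password` or `no`. This is the `.orig` copy, and the corresponding lines of the live ssh/sshd_config are not visible in this part of the diff, so the same check should be made there.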
diff --git a/sysstat b/sysstat
index a39172ca3b5eb8195fe638a38e941f7c41c0df76..c18f2de5f1ea48b8ff312572dd1bb16a7ef52498 100644 (file)
--- a/sysstat
+++ b/sysstat
@@ -1,4 +1,4 @@
-# sysstat-11.0.0 configuration file.
+# sysstat-11.0.2 configuration file.
 
 # How long to keep log files (in days).
 # If value is greater than 28, then log files are kept in