maybe chmod 0644 'apache2/info_users_passwd'
maybe chmod 0644 'apache2/magic'
maybe chmod 0755 'apache2/modules.d'
-maybe chmod 0644 'apache2/modules.d/._cfg0000_00_apache_manual.conf'
maybe chmod 0644 'apache2/modules.d/._cfg0000_00_default_settings.conf'
-maybe chmod 0644 'apache2/modules.d/._cfg0000_00_error_documents.conf'
-maybe chmod 0644 'apache2/modules.d/._cfg0000_00_mod_autoindex.conf'
-maybe chmod 0644 'apache2/modules.d/._cfg0000_00_mod_info.conf'
-maybe chmod 0644 'apache2/modules.d/._cfg0000_00_mod_mime.conf'
-maybe chmod 0644 'apache2/modules.d/._cfg0000_00_mod_status.conf'
-maybe chmod 0644 'apache2/modules.d/._cfg0000_00_mpm.conf'
+maybe chmod 0644 'apache2/modules.d/._mrg0000_00_default_settings.conf'
maybe chmod 0644 'apache2/modules.d/.keep_dev-vcs_subversion-0'
maybe chmod 0644 'apache2/modules.d/.keep_www-servers_apache-2'
maybe chmod 0644 'apache2/modules.d/00_apache_manual.conf'
maybe chmod 0755 'apache2/ssl'
maybe chmod 0600 'apache2/ssl/egroupware-cert.pem'
maybe chmod 0755 'apache2/vhosts.d'
-maybe chmod 0644 'apache2/vhosts.d/._cfg0000_00_default_vhost.conf'
-maybe chmod 0644 'apache2/vhosts.d/._cfg0000_default_vhost.include'
maybe chmod 0644 'apache2/vhosts.d/.keep_www-servers_apache-2'
maybe chmod 0644 'apache2/vhosts.d/00_default_ssl_vhost.conf'
maybe chmod 0644 'apache2/vhosts.d/00_default_vhost.conf'
maybe chmod 0644 'colordiffrc-gitdiff'
maybe chmod 0644 'colordiffrc-lightbg'
maybe chmod 0755 'conf.d'
-maybe chmod 0644 'conf.d/._cfg0000_fail2ban'
maybe chmod 0644 'conf.d/acpid'
maybe chmod 0644 'conf.d/apache2'
maybe chmod 0644 'conf.d/atd'
maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_apache_manual.conf.5'
maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_apache_manual.conf.6'
maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_apache_manual.conf.7'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_apache_manual.conf.8'
maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_apache_manual.conf.dist'
maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_default_settings.conf'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_default_settings.conf.1'
maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_default_settings.conf.dist'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_default_settings.conf.dist.new'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_error_documents.conf'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_error_documents.conf.dist'
maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_autoindex.conf'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.1'
maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_info.conf'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_info.conf.dist'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_mime.conf'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_mime.conf.dist'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_status.conf'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_status.conf.dist'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mpm.conf'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mpm.conf.dist'
maybe chmod 0755 'config-archive/etc/apache2/vhosts.d'
maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/00_default_ssl_vhost.conf'
maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/00_default_ssl_vhost.conf.dist'
+maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/00_default_vhost.conf'
+maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/00_default_vhost.conf.dist'
+maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/default_vhost.include'
+maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/default_vhost.include.dist'
maybe chmod 0755 'config-archive/etc/bash'
maybe chmod 0644 'config-archive/etc/bash/bashrc'
maybe chmod 0644 'config-archive/etc/bash/bashrc.1'
maybe chmod 0644 'config-archive/etc/conf.d/acpid.dist'
maybe chmod 0644 'config-archive/etc/conf.d/apache2'
maybe chmod 0644 'config-archive/etc/conf.d/apache2.dist'
+maybe chmod 0644 'config-archive/etc/conf.d/fail2ban'
+maybe chmod 0644 'config-archive/etc/conf.d/fail2ban.dist.new'
maybe chmod 0644 'config-archive/etc/conf.d/fsck'
maybe chmod 0644 'config-archive/etc/conf.d/fsck.dist'
maybe chmod 0644 'config-archive/etc/conf.d/keymaps'
maybe chmod 0644 'config-archive/etc/eselect/postgresql/slots/9.1/server.dist'
maybe chmod 0755 'config-archive/etc/etckeeper'
maybe chmod 0644 'config-archive/etc/etckeeper/etckeeper.conf'
-maybe chmod 0644 'config-archive/etc/etckeeper/etckeeper.conf.dist.new'
+maybe chmod 0644 'config-archive/etc/etckeeper/etckeeper.conf.dist'
maybe chmod 0755 'config-archive/etc/fail2ban'
maybe chmod 0644 'config-archive/etc/fail2ban/fail2ban.conf'
maybe chmod 0644 'config-archive/etc/fail2ban/fail2ban.conf.1'
maybe chmod 0644 'config-archive/etc/fail2ban/fail2ban.conf.dist'
+maybe chmod 0644 'config-archive/etc/fail2ban/jail.conf'
+maybe chmod 0644 'config-archive/etc/fail2ban/jail.conf.dist'
+maybe chmod 0644 'config-archive/etc/fail2ban/paths-debian.conf'
+maybe chmod 0644 'config-archive/etc/fail2ban/paths-debian.conf.dist.new'
maybe chmod 0644 'config-archive/etc/hosts'
maybe chmod 0644 'config-archive/etc/hosts.dist.new'
maybe chmod 0755 'config-archive/etc/init.d'
maybe chmod 0644 'eselect/postgresql/slots/9.5/base'
maybe chmod 0644 'etc-update.conf'
maybe chmod 0755 'etckeeper'
-maybe chmod 0644 'etckeeper/._cfg0000_etckeeper.conf'
maybe chmod 0755 'etckeeper/commit.d'
maybe chmod 0755 'etckeeper/commit.d/10vcs-test'
maybe chmod 0755 'etckeeper/commit.d/30bzr-add'
maybe chmod 0755 'etckeeper/vcs.d'
maybe chmod 0755 'etckeeper/vcs.d/50vcs-cmd'
maybe chmod 0755 'fail2ban'
-maybe chmod 0644 'fail2ban/._cfg0000_jail.conf'
-maybe chmod 0644 'fail2ban/._cfg0000_paths-debian.conf'
maybe chmod 0755 'fail2ban/action.d'
maybe chmod 0644 'fail2ban/action.d/apf.conf'
maybe chmod 0644 'fail2ban/action.d/badips.conf'
maybe chmod 0644 'logrotate.conf'
maybe chmod 0644 'logrotate.conf.orig'
maybe chmod 0755 'logrotate.d'
-maybe chmod 0644 'logrotate.d/._cfg0000_fail2ban'
maybe chmod 0644 'logrotate.d/.keep_app-admin_logrotate-0'
maybe chmod 0644 'logrotate.d/apache2'
maybe chmod 0644 'logrotate.d/clamav'
+++ /dev/null
-# Provide access to the documentation on your server as
-# http://yourserver.example.com/manual/
-# The documentation is always available at
-# http://httpd.apache.org/docs/2.4/
-<IfModule negotiation_module>
-<IfModule setenvif_module>
-<IfDefine MANUAL>
-AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.4.18/manual$1"
-
-<Directory "/usr/share/doc/apache-2.4.18/manual">
- Options Indexes
- AllowOverride None
- Require all granted
-
- <Files *.html>
- SetHandler type-map
- </Files>
-
- SetEnvIf Request_URI ^/manual/(de|en|es|fr|ja|ko|pt-br)/ prefer-language=$1
- RedirectMatch 301 ^/manual(?:/(de|en|es|fr|ja|ko|pt-br)){2,}(/.*)?$ /manual/$1$2
-
- LanguagePriority en de es fr ja ko pt-br
- ForceLanguagePriority Prefer Fallback
-</Directory>
-</IfDefine>
-</IfModule>
-</IfModule>
-
-# vim: ts=4 filetype=apache
+++ /dev/null
-# The configuration below implements multi-language error documents through
-# content-negotiation.
-
-# Customizable error responses come in three flavors:
-# 1) plain text 2) local redirects 3) external redirects
-# Some examples:
-#ErrorDocument 500 "The server made a boo boo."
-#ErrorDocument 404 /missing.html
-#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
-#ErrorDocument 402 http://www.example.com/subscription_info.html
-
-# Required modules: mod_alias, mod_include, mod_negotiation
-# We use Alias to redirect any /error/HTTP_<error>.html.var response to
-# our collection of by-error message multi-language collections. We use
-# includes to substitute the appropriate text.
-# You can modify the messages' appearance without changing any of the
-# default HTTP_<error>.html.var files by adding the line:
-# Alias /error/include/ "/your/include/path/"
-# which allows you to create your own set of files by starting with the
-# /var/www/localhost/error/include/ files and copying them to /your/include/path/,
-# even on a per-VirtualHost basis. The default include files will display
-# your Apache version number and your ServerAdmin email address regardless
-# of the setting of ServerSignature.
-
-<IfDefine ERRORDOCS>
-Alias /error/ "/usr/share/apache2/error/"
-
-<Directory "/usr/share/apache2/error">
- AllowOverride None
- Options IncludesNoExec
- AddOutputFilter Includes html
- AddHandler type-map var
- Require all granted
- LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
- ForceLanguagePriority Prefer Fallback
-</Directory>
-
-ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
-ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
-ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
-ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
-ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
-ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
-ErrorDocument 410 /error/HTTP_GONE.html.var
-ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
-ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
-ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
-ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
-ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
-ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
-ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
-ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
-ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
-ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
-</IfDefine>
-
-# vim: ts=4 filetype=apache
+++ /dev/null
-<IfModule autoindex_module>
-<IfDefine !NO_AUTOINDEX_CONF>
-
-<IfModule alias_module>
-# We include the /icons/ alias for FancyIndexed directory listings. If
-# you do not use FancyIndexing, you may comment this out.
-Alias /icons/ "/usr/share/apache2/icons/"
-
-<Directory "/usr/share/apache2/icons">
- Options Indexes MultiViews
- AllowOverride None
- Require all granted
-</Directory>
-</IfModule>
-
-# Directives controlling the display of server-generated directory listings.
-#
-# To see the listing of a directory, the Options directive for the
-# directory must include "Indexes", and the directory must not contain
-# a file matching those listed in the DirectoryIndex directive.
-
-# IndexOptions: Controls the appearance of server-generated directory
-# listings.
-IndexOptions FancyIndexing VersionSort
-
-# AddIcon* directives tell the server which icon to show for different
-# files or filename extensions. These are only displayed for
-# FancyIndexed directories.
-AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
-
-AddIconByType (TXT,/icons/text.gif) text/*
-AddIconByType (IMG,/icons/image2.gif) image/*
-AddIconByType (SND,/icons/sound2.gif) audio/*
-AddIconByType (VID,/icons/movie.gif) video/*
-
-AddIcon /icons/binary.gif .bin .exe
-AddIcon /icons/binhex.gif .hqx
-AddIcon /icons/tar.gif .tar
-AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
-AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
-AddIcon /icons/a.gif .ps .ai .eps
-AddIcon /icons/layout.gif .html .shtml .htm .pdf
-AddIcon /icons/text.gif .txt
-AddIcon /icons/c.gif .c
-AddIcon /icons/p.gif .pl .py
-AddIcon /icons/f.gif .for
-AddIcon /icons/dvi.gif .dvi
-AddIcon /icons/uuencoded.gif .uu
-AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
-AddIcon /icons/tex.gif .tex
-AddIcon /icons/bomb.gif core
-
-AddIcon /icons/back.gif ..
-AddIcon /icons/hand.right.gif README
-AddIcon /icons/folder.gif ^^DIRECTORY^^
-AddIcon /icons/blank.gif ^^BLANKICON^^
-
-# DefaultIcon is which icon to show for files which do not have an icon
-# explicitly set.
-DefaultIcon /icons/unknown.gif
-
-# AddDescription allows you to place a short description after a file in
-# server-generated indexes. These are only displayed for FancyIndexed
-# directories.
-# Format: AddDescription "description" filename
-
-#AddDescription "GZIP compressed document" .gz
-#AddDescription "tar archive" .tar
-#AddDescription "GZIP compressed tar archive" .tgz
-
-# ReadmeName is the name of the README file the server will look for by
-# default, and append to directory listings.
-
-# HeaderName is the name of a file which should be prepended to
-# directory indexes.
-ReadmeName README.html
-HeaderName HEADER.html
-
-# IndexIgnore is a set of filenames which directory indexing should ignore
-# and not include in the listing. Shell-style wildcarding is permitted.
-IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
-</IfDefine>
-</IfModule>
-
-# vim: ts=4 filetype=apache
+++ /dev/null
-<IfDefine INFO>
-# Allow remote server configuration reports, with the URL of
-# http://servername/server-info
-<Location /server-info>
- SetHandler server-info
- Require local
-</Location>
-</IfDefine>
-
-# vim: ts=4 filetype=apache
+++ /dev/null
-<IfModule mime_module>
-# TypesConfig points to the file containing the list of mappings from
-# filename extension to MIME-type.
-TypesConfig /etc/mime.types
-
-# AddType allows you to add to or override the MIME configuration
-# file specified in TypesConfig for specific file types.
-#AddType application/x-gzip .tgz
-
-# AddEncoding allows you to have certain browsers uncompress
-# information on the fly. Note: Not all browsers support this.
-#AddEncoding x-compress .Z
-#AddEncoding x-gzip .gz .tgz
-
-# If the AddEncoding directives above are commented-out, then you
-# probably should define those extensions to indicate media types:
-AddType application/x-compress .Z
-AddType application/x-gzip .gz .tgz
-
-# AddHandler allows you to map certain file extensions to "handlers":
-# actions unrelated to filetype. These can be either built into the server
-# or added with the Action directive (see below)
-
-# To use CGI scripts outside of ScriptAliased directories:
-# (You will also need to add "ExecCGI" to the "Options" directive.)
-#AddHandler cgi-script .cgi
-
-# For type maps (negotiated resources):
-#AddHandler type-map var
-
-# Filters allow you to process content before it is sent to the client.
-#
-# To parse .shtml files for server-side includes (SSI):
-# (You will also need to add "Includes" to the "Options" directive.)
-#AddType text/html .shtml
-#AddOutputFilter INCLUDES .shtml
-</IfModule>
-
-<IfModule mime_magic_module>
-# The mod_mime_magic module allows the server to use various hints from the
-# contents of the file itself to determine its type. The MIMEMagicFile
-# directive tells the module where the hint definitions are located.
-MIMEMagicFile /etc/apache2/magic
-</IfModule>
-
-# vim: ts=4 filetype=apache
+++ /dev/null
-<IfDefine STATUS>
-# Allow server status reports generated by mod_status,
-# with the URL of http://servername/server-status
-<Location /server-status>
- SetHandler server-status
- Require local
-</Location>
-
-# ExtendedStatus controls whether Apache will generate "full" status
-# information (ExtendedStatus On) or just basic information (ExtendedStatus
-# Off) when the "server-status" handler is called.
-ExtendedStatus On
-</IfDefine>
-
-# vim: ts=4 filetype=apache
+++ /dev/null
-# Server-Pool Management (MPM specific)
-
-# PidFile: The file in which the server should record its process
-# identification number when it starts.
-#
-# DO NOT CHANGE UNLESS YOU KNOW WHAT YOU ARE DOING
-PidFile /run/apache2.pid
-
-# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
-# Mutex file:/run/apache_mpm_mutex
-
-# Only one of the below sections will be relevant on your
-# installed httpd. Use "/usr/sbin/apache2 -l" to find out the
-# active mpm.
-
-# common MPM configuration
-# These configuration directives apply to all MPMs
-#
-# StartServers: Number of child server processes created at startup
-# MaxRequestWorkers: Maximum number of child processes to serve requests
-# MaxConnectionsPerChild: Limit on the number of connections that an individual
-# child server will handle during its life
-
-
-# prefork MPM
-# This is the default MPM if USE=-threads
-#
-# MinSpareServers: Minimum number of idle child server processes
-# MaxSpareServers: Maximum number of idle child server processes
-<IfModule mpm_prefork_module>
- StartServers 5
- MinSpareServers 5
- MaxSpareServers 10
- MaxRequestWorkers 150
- MaxConnectionsPerChild 10000
-</IfModule>
-
-# worker MPM
-# This is the default MPM if USE=threads
-#
-# MinSpareThreads: Minimum number of idle threads available to handle request spikes
-# MaxSpareThreads: Maximum number of idle threads
-# ThreadsPerChild: Number of threads created by each child process
-<IfModule mpm_worker_module>
- StartServers 2
- MinSpareThreads 25
- MaxSpareThreads 75
- ThreadsPerChild 25
- MaxRequestWorkers 150
- MaxConnectionsPerChild 10000
-</IfModule>
-
-# event MPM
-#
-# MinSpareThreads: Minimum number of idle threads available to handle request spikes
-# MaxSpareThreads: Maximum number of idle threads
-# ThreadsPerChild: Number of threads created by each child process
-<IfModule mpm_event_module>
- StartServers 2
- MinSpareThreads 25
- MaxSpareThreads 75
- ThreadsPerChild 25
- MaxRequestWorkers 150
- MaxConnectionsPerChild 10000
-</IfModule>
-
-# peruser MPM
-#
-# MinSpareProcessors: Minimum number of idle child server processes
-# MinProcessors: Minimum number of processors per virtual host
-# MaxProcessors: Maximum number of processors per virtual host
-# ExpireTimeout: Maximum idle time before a child is killed, 0 to disable
-# Multiplexer: Specify a Multiplexer child configuration.
-# Processor: Specify a user and group for a specific child process
-<IfModule mpm_peruser_module>
- MinSpareProcessors 2
- MinProcessors 2
- MaxProcessors 10
- MaxRequestWorkers 150
- MaxConnectionsPerChild 1000
- ExpireTimeout 1800
-
- Multiplexer nobody nobody
- Processor apache apache
-</IfModule>
-
-# itk MPM
-#
-# MinSpareServers: Minimum number of idle child server processes
-# MaxSpareServers: Maximum number of idle child server processes
-<IfModule mpm_itk_module>
- StartServers 5
- MinSpareServers 5
- MaxSpareServers 10
- MaxRequestWorkers 150
- MaxConnectionsPerChild 10000
-</IfModule>
-
-# vim: ts=4 filetype=apache
--- /dev/null
+# This configuration file reflects default settings for Apache HTTP Server.
+# You may change these, but chances are that you may not need to.
+
+# Timeout: The number of seconds before receives and sends time out.
+Timeout 300
+
+# KeepAlive: Whether or not to allow persistent connections (more than
+# one request per connection). Set to "Off" to deactivate.
+KeepAlive On
+
+# MaxKeepAliveRequests: The maximum number of requests to allow
+# during a persistent connection. Set to 0 to allow an unlimited amount.
+# We recommend you leave this number high, for maximum performance.
+MaxKeepAliveRequests 100
+
+# KeepAliveTimeout: Number of seconds to wait for the next request from the
+# same client on the same connection.
+KeepAliveTimeout 15
+
+# UseCanonicalName: Determines how Apache constructs self-referencing
+# URLs and the SERVER_NAME and SERVER_PORT variables.
+# When set "Off", Apache will use the Hostname and Port supplied
+# by the client. When set "On", Apache will use the value of the
+# ServerName directive.
+UseCanonicalName Off
+
+# AccessFileName: The name of the file to look for in each directory
+# for additional configuration directives. See also the AllowOverride
+# directive.
+AccessFileName .htaccess
+
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of: Full | OS | Minor | Minimal | Major | Prod
+# where Full conveys the most information, and Prod the least.
+ServerTokens Full
+
+# TraceEnable
+# This directive overrides the behavior of TRACE for both the core server and
+# mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616,
+# which disallows any request body to accompany the request. TraceEnable off
+# causes the core server and mod_proxy to return a 405 (Method not allowed)
+# error to the client.
+# For security reasons this is turned off by default. (bug #240680)
+TraceEnable off
+
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of: On | Off | EMail
+ServerSignature On
+
+# HostnameLookups: Log the names of clients or just their IP addresses
+# e.g., www.apache.org (on) or 204.62.129.132 (off).
+# The default is off because it'd be overall better for the net if people
+# had to knowingly turn this feature on, since enabling it means that
+# each client request will result in AT LEAST one lookup request to the
+# nameserver.
+HostnameLookups Off
+
+# EnableMMAP and EnableSendfile: On systems that support it,
+# memory-mapping or the sendfile syscall is used to deliver
+# files. This usually improves server performance, but must
+# be turned off when serving from networked-mounted
+# filesystems or if support for these functions is otherwise
+# broken on your system.
+EnableMMAP On
+EnableSendfile Off
+
+# FileETag: Configures the file attributes that are used to create
+# the ETag (entity tag) response header field when the document is
+# based on a static file. (The ETag value is used in cache management
+# to save network bandwidth.)
+FileETag MTime Size
+
+# ContentDigest: This directive enables the generation of Content-MD5
+# headers as defined in RFC1864 respectively RFC2616.
+# The Content-MD5 header provides an end-to-end message integrity
+# check (MIC) of the entity-body. A proxy or client may check this
+# header for detecting accidental modification of the entity-body
+# in transit.
+# Note that this can cause performance problems on your server since
+# the message digest is computed on every request (the values are
+# not cached).
+# Content-MD5 is only sent for documents served by the core, and not
+# by any module. For example, SSI documents, output from CGI scripts,
+# and byte range responses do not have this header.
+ContentDigest Off
+
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here. If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+ErrorLog /var/log/apache2/error.log
+
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+LogLevel info
+
+# We configure the "default" to be a very restrictive set of features.
+<Directory />
+ Options FollowSymLinks
+ AllowOverride None
+ Require all denied
+</Directory>
+
+# DirectoryIndex: sets the file that Apache will serve if a directory
+# is requested.
+#
+# The index.html.var file (a type-map) is used to deliver content-
+# negotiated documents. The MultiViews Options can be used for the
+# same purpose, but it is much slower.
+#
+# Do not change this entry unless you know what you are doing.
+<IfModule dir_module>
+ DirectoryIndex index.html index.html.var index.shtml index.htm
+</IfModule>
+
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
+<FilesMatch "^\.ht">
+ Require all denied
+</FilesMatch>
+
+# vim: ts=4 filetype=apache
# Provide access to the documentation on your server as
# http://yourserver.example.com/manual/
# The documentation is always available at
-# http://httpd.apache.org/docs/2.2/
+# http://httpd.apache.org/docs/2.4/
<IfModule negotiation_module>
<IfModule setenvif_module>
<IfDefine MANUAL>
-AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.31/manual$1"
+AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.4.18/manual$1"
-<Directory "/usr/share/doc/apache-2.2.31/manual">
+<Directory "/usr/share/doc/apache-2.4.18/manual">
Options Indexes
AllowOverride None
- Order allow,deny
- Allow from all
+ Require all granted
<Files *.html>
SetHandler type-map
Options IncludesNoExec
AddOutputFilter Includes html
AddHandler type-map var
- Order allow,deny
- Allow from all
+ Require all granted
LanguagePriority de en cs es fr it ja ko nl pl pt-br ro sv tr
ForceLanguagePriority Prefer Fallback
</Directory>
<Directory "/usr/share/apache2/icons">
Options Indexes MultiViews
AllowOverride None
- Order allow,deny
- Allow from all
+ Require all granted
</Directory>
</IfModule>
# http://servername/server-info
<Location /server-info>
SetHandler server-info
- Order deny,allow
- Deny from all
- Allow from 127.0.0.1
- Allow from localhost
- AuthName "Server Status Access"
- AuthType Basic
- AuthUserFile /etc/apache2/info_users_passwd
- Require valid-user
- Satisfy Any
+ Require local
+ Allow from localhost
+ AuthName "Server Status Access"
+ AuthType Basic
+ AuthUserFile /etc/apache2/info_users_passwd
+ Require valid-user
+ Satisfy Any
</Location>
</IfDefine>
-# DefaultType: the default MIME type the server will use for a document
-# if it cannot otherwise determine one, such as from filename extensions.
-# If your server contains mostly text or HTML documents, "text/plain" is
-# a good value. If most of your content is binary, such as applications
-# or images, you may want to use "application/octet-stream" instead to
-# keep browsers from trying to display binary files as though they are
-# text.
-DefaultType text/plain
-
<IfModule mime_module>
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
# with the URL of http://servername/server-status
<Location /server-status>
SetHandler server-status
- Order deny,allow
- Deny from all
- Allow from 127.0.0.1
- Allow from localhost
- AuthName "Server Status Access"
- AuthType Basic
- AuthUserFile /etc/apache2/info_users_passwd
- Require valid-user
- Satisfy Any
+ Require local
+ Allow from localhost
+ AuthName "Server Status Access"
+ AuthType Basic
+ AuthUserFile /etc/apache2/info_users_passwd
+ Require valid-user
+ Satisfy Any
</Location>
# ExtendedStatus controls whether Apache will generate "full" status
# identification number when it starts.
#
# DO NOT CHANGE UNLESS YOU KNOW WHAT YOU ARE DOING
-PidFile /var/run/apache2.pid
+PidFile /run/apache2.pid
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
-#LockFile /var/run/apache2.lock
+# Mutex file:/run/apache_mpm_mutex
# Only one of the below sections will be relevant on your
# installed httpd. Use "/usr/sbin/apache2 -l" to find out the
# These configuration directives apply to all MPMs
#
# StartServers: Number of child server processes created at startup
-# MaxClients: Maximum number of child processes to serve requests
-# MaxRequestsPerChild: Limit on the number of requests that an individual child
-# server will handle during its life
+# MaxRequestWorkers: Maximum number of child processes to serve requests
+# MaxConnectionsPerChild: Limit on the number of connections that an individual
+# child server will handle during its life
# prefork MPM
StartServers 2
MinSpareServers 2
MaxSpareServers 10
- MaxClients 150
- MaxRequestsPerChild 10000
+ MaxRequestWorkers 150
+ MaxConnectionsPerChild 10000
</IfModule>
# worker MPM
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
- MaxClients 150
- MaxRequestsPerChild 10000
+ MaxRequestWorkers 150
+ MaxConnectionsPerChild 10000
</IfModule>
# event MPM
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
- MaxClients 150
- MaxRequestsPerChild 10000
+ MaxRequestWorkers 150
+ MaxConnectionsPerChild 10000
</IfModule>
# peruser MPM
MinSpareProcessors 2
MinProcessors 2
MaxProcessors 10
- MaxClients 150
- MaxRequestsPerChild 1000
+ MaxRequestWorkers 150
+ MaxConnectionsPerChild 1000
ExpireTimeout 1800
Multiplexer nobody nobody
StartServers 5
MinSpareServers 5
MaxSpareServers 10
- MaxClients 150
- MaxRequestsPerChild 10000
+ MaxRequestWorkers 150
+ MaxConnectionsPerChild 10000
</IfModule>
# vim: ts=4 filetype=apache
+++ /dev/null
-# Virtual Hosts
-#
-# If you want to maintain multiple domains/hostnames on your
-# machine you can setup VirtualHost containers for them. Most configurations
-# use only name-based virtual hosts so the server doesn't need to worry about
-# IP addresses. This is indicated by the asterisks in the directives below.
-#
-# Please see the documentation at
-# <URL:http://httpd.apache.org/docs/2.4/vhosts/>
-# for further details before you try to setup virtual hosts.
-#
-# You may use the command line option '-S' to verify your virtual host
-# configuration.
-
-<IfDefine DEFAULT_VHOST>
-# see bug #178966 why this is in here
-
-# Listen: Allows you to bind Apache to specific IP addresses and/or
-# ports, instead of the default. See also the <VirtualHost>
-# directive.
-#
-# Change this to Listen on specific IP addresses as shown below to
-# prevent Apache from glomming onto all bound IP addresses.
-#
-#Listen 12.34.56.78:80
-Listen 80
-
-# When virtual hosts are enabled, the main host defined in the default
-# httpd.conf configuration will go away. We redefine it here so that it is
-# still available.
-#
-# If you disable this vhost by removing -D DEFAULT_VHOST from
-# /etc/conf.d/apache2, the first defined virtual host elsewhere will be
-# the default.
-<VirtualHost *:80>
- ServerName localhost
- Include /etc/apache2/vhosts.d/default_vhost.include
-
- <IfModule mpm_peruser_module>
- ServerEnvironment apache apache
- </IfModule>
-</VirtualHost>
-</IfDefine>
-
-# vim: ts=4 filetype=apache
+++ /dev/null
-# ServerAdmin: Your address, where problems with the server should be
-# e-mailed. This address appears on some server-generated pages, such
-# as error documents. e.g. admin@your-domain.com
-ServerAdmin root@localhost
-
-# DocumentRoot: The directory out of which you will serve your
-# documents. By default, all requests are taken from this directory, but
-# symbolic links and aliases may be used to point to other locations.
-#
-# If you change this to something that isn't under /var/www then suexec
-# will no longer work.
-DocumentRoot "/var/www/localhost/htdocs"
-
-# This should be changed to whatever you set DocumentRoot to.
-<Directory "/var/www/localhost/htdocs">
- # Possible values for the Options directive are "None", "All",
- # or any combination of:
- # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
- #
- # Note that "MultiViews" must be named *explicitly* --- "Options All"
- # doesn't give it to you.
- #
- # The Options directive is both complicated and important. Please see
- # http://httpd.apache.org/docs/2.4/mod/core.html#options
- # for more information.
- Options Indexes FollowSymLinks
-
- # AllowOverride controls what directives may be placed in .htaccess files.
- # It can be "All", "None", or any combination of the keywords:
- # Options FileInfo AuthConfig Limit
- AllowOverride All
-
- # Controls who can get stuff from this server.
- Require all granted
-</Directory>
-
-<IfModule alias_module>
- # Redirect: Allows you to tell clients about documents that used to
- # exist in your server's namespace, but do not anymore. The client
- # will make a new request for the document at its new location.
- # Example:
- # Redirect permanent /foo http://www.example.com/bar
-
- # Alias: Maps web paths into filesystem paths and is used to
- # access content that does not live under the DocumentRoot.
- # Example:
- # Alias /webpath /full/filesystem/path
- #
- # If you include a trailing / on /webpath then the server will
- # require it to be present in the URL. You will also likely
- # need to provide a <Directory> section to allow access to
- # the filesystem path.
-
- # ScriptAlias: This controls which directories contain server scripts.
- # ScriptAliases are essentially the same as Aliases, except that
- # documents in the target directory are treated as applications and
- # run by the server when requested rather than as documents sent to the
- # client. The same rules about trailing "/" apply to ScriptAlias
- # directives as to Alias.
- ScriptAlias /cgi-bin/ "/var/www/localhost/cgi-bin/"
-</IfModule>
-
-# "/var/www/localhost/cgi-bin" should be changed to whatever your ScriptAliased
-# CGI directory exists, if you have that configured.
-<Directory "/var/www/localhost/cgi-bin">
- AllowOverride None
- Options None
- Require all granted
-</Directory>
-
-# vim: ts=4 filetype=apache
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
-# <URL:http://httpd.apache.org/docs/2.2/vhosts/>
+# <URL:http://httpd.apache.org/docs/2.4/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
- # http://httpd.apache.org/docs/2.2/mod/core.html#options
+ # http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
Options Indexes FollowSymLinks
AllowOverride All
# Controls who can get stuff from this server.
- Order allow,deny
- Allow from all
+ Require all granted
</Directory>
<IfModule alias_module>
<Directory "/var/www/localhost/cgi-bin">
AllowOverride None
Options None
- Order allow,deny
- Allow from all
+ Require all granted
</Directory>
# vim: ts=4 filetype=apache
+++ /dev/null
-# Config file for /etc/init.d/fail2ban
-#
-# For information on options, see "/usr/bin/fail2ban-client -h".
-
-FAIL2BAN_OPTIONS=""
-
-# Force execution of the server even if the socket already exists:
-#FAIL2BAN_OPTIONS="-x"
<IfModule negotiation_module>
<IfModule setenvif_module>
<IfDefine MANUAL>
-AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.29/manual$1"
+AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.31/manual$1"
-<Directory "/usr/share/doc/apache-2.2.29/manual">
+<Directory "/usr/share/doc/apache-2.2.31/manual">
Options Indexes
AllowOverride None
Order allow,deny
<IfModule negotiation_module>
<IfModule setenvif_module>
<IfDefine MANUAL>
-AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.27-r4/manual$1"
+AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.29/manual$1"
-<Directory "/usr/share/doc/apache-2.2.27-r4/manual">
+<Directory "/usr/share/doc/apache-2.2.29/manual">
Options Indexes
AllowOverride None
Order allow,deny
# http://yourserver.example.com/manual/
# The documentation is always available at
# http://httpd.apache.org/docs/2.2/
+<IfModule negotiation_module>
+<IfModule setenvif_module>
<IfDefine MANUAL>
-AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.27/manual$1"
+AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.27-r4/manual$1"
-<Directory "/usr/share/doc/apache-2.2.27/manual">
+<Directory "/usr/share/doc/apache-2.2.27-r4/manual">
Options Indexes
AllowOverride None
Order allow,deny
ForceLanguagePriority Prefer Fallback
</Directory>
</IfDefine>
+</IfModule>
+</IfModule>
# vim: ts=4 filetype=apache
# The documentation is always available at
# http://httpd.apache.org/docs/2.2/
<IfDefine MANUAL>
-AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.25/manual$1"
+AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.27/manual$1"
-<Directory "/usr/share/doc/apache-2.2.25/manual">
+<Directory "/usr/share/doc/apache-2.2.27/manual">
Options Indexes
AllowOverride None
Order allow,deny
# The documentation is always available at
# http://httpd.apache.org/docs/2.2/
<IfDefine MANUAL>
-AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.24/manual$1"
+AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.25/manual$1"
-<Directory "/usr/share/doc/apache-2.2.24/manual">
+<Directory "/usr/share/doc/apache-2.2.25/manual">
Options Indexes
AllowOverride None
Order allow,deny
# The documentation is always available at
# http://httpd.apache.org/docs/2.2/
<IfDefine MANUAL>
-AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.23/manual$1"
+AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.24/manual$1"
-<Directory "/usr/share/doc/apache-2.2.23/manual">
+<Directory "/usr/share/doc/apache-2.2.24/manual">
Options Indexes
AllowOverride None
Order allow,deny
# The documentation is always available at
# http://httpd.apache.org/docs/2.2/
<IfDefine MANUAL>
-AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.22/manual$1"
+AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.23/manual$1"
-<Directory "/usr/share/doc/apache-2.2.22/manual">
+<Directory "/usr/share/doc/apache-2.2.23/manual">
Options Indexes
AllowOverride None
Order allow,deny
SetEnvIf Request_URI ^/manual/(de|en|es|fr|ja|ko|pt-br)/ prefer-language=$1
RedirectMatch 301 ^/manual(?:/(de|en|es|fr|ja|ko|pt-br)){2,}(/.*)?$ /manual/$1$2
- LanguagePriority en de es fr ja ko pt-br
+ LanguagePriority de en es fr ja ko pt-br
ForceLanguagePriority Prefer Fallback
</Directory>
</IfDefine>
# The documentation is always available at
# http://httpd.apache.org/docs/2.2/
<IfDefine MANUAL>
-AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.21-r1/manual$1"
+AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.22/manual$1"
-<Directory "/usr/share/doc/apache-2.2.21-r1/manual">
+<Directory "/usr/share/doc/apache-2.2.22/manual">
Options Indexes
AllowOverride None
Order allow,deny
--- /dev/null
+# Provide access to the documentation on your server as
+# http://yourserver.example.com/manual/
+# The documentation is always available at
+# http://httpd.apache.org/docs/2.2/
+<IfDefine MANUAL>
+AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.21-r1/manual$1"
+
+<Directory "/usr/share/doc/apache-2.2.21-r1/manual">
+ Options Indexes
+ AllowOverride None
+ Order allow,deny
+ Allow from all
+
+ <Files *.html>
+ SetHandler type-map
+ </Files>
+
+ SetEnvIf Request_URI ^/manual/(de|en|es|fr|ja|ko|pt-br)/ prefer-language=$1
+ RedirectMatch 301 ^/manual(?:/(de|en|es|fr|ja|ko|pt-br)){2,}(/.*)?$ /manual/$1$2
+
+ LanguagePriority en de es fr ja ko pt-br
+ ForceLanguagePriority Prefer Fallback
+</Directory>
+</IfDefine>
+
+# vim: ts=4 filetype=apache
# Provide access to the documentation on your server as
# http://yourserver.example.com/manual/
# The documentation is always available at
-# http://httpd.apache.org/docs/2.2/
+# http://httpd.apache.org/docs/2.4/
<IfModule negotiation_module>
<IfModule setenvif_module>
<IfDefine MANUAL>
-AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.31/manual$1"
+AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.4.18/manual$1"
-<Directory "/usr/share/doc/apache-2.2.31/manual">
+<Directory "/usr/share/doc/apache-2.4.18/manual">
Options Indexes
AllowOverride None
- Order allow,deny
- Allow from all
+ Require all granted
<Files *.html>
SetHandler type-map
# negotiated documents. The MultiViews Options can be used for the
# same purpose, but it is much slower.
#
-# To add files to that list use AddDirectoryIndex in a custom config
-# file. Do not change this entry unless you know what you are doing.
+# Do not change this entry unless you know what you are doing.
<IfModule dir_module>
DirectoryIndex index.html index.html.var index.shtml index.htm
</IfModule>
--- /dev/null
+# This configuration file reflects default settings for Apache HTTP Server.
+# You may change these, but chances are that you may not need to.
+
+# Timeout: The number of seconds before receives and sends time out.
+Timeout 300
+
+# KeepAlive: Whether or not to allow persistent connections (more than
+# one request per connection). Set to "Off" to deactivate.
+KeepAlive On
+
+# MaxKeepAliveRequests: The maximum number of requests to allow
+# during a persistent connection. Set to 0 to allow an unlimited amount.
+# We recommend you leave this number high, for maximum performance.
+MaxKeepAliveRequests 100
+
+# KeepAliveTimeout: Number of seconds to wait for the next request from the
+# same client on the same connection.
+KeepAliveTimeout 15
+
+# UseCanonicalName: Determines how Apache constructs self-referencing
+# URLs and the SERVER_NAME and SERVER_PORT variables.
+# When set "Off", Apache will use the Hostname and Port supplied
+# by the client. When set "On", Apache will use the value of the
+# ServerName directive.
+UseCanonicalName Off
+
+# AccessFileName: The name of the file to look for in each directory
+# for additional configuration directives. See also the AllowOverride
+# directive.
+AccessFileName .htaccess
+
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of: Full | OS | Minor | Minimal | Major | Prod
+# where Full conveys the most information, and Prod the least.
+ServerTokens Full
+
+# TraceEnable
+# This directive overrides the behavior of TRACE for both the core server and
+# mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616,
+# which disallows any request body to accompany the request. TraceEnable off
+# causes the core server and mod_proxy to return a 405 (Method not allowed)
+# error to the client.
+# For security reasons this is turned off by default. (bug #240680)
+TraceEnable off
+
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of: On | Off | EMail
+ServerSignature On
+
+# HostnameLookups: Log the names of clients or just their IP addresses
+# e.g., www.apache.org (on) or 204.62.129.132 (off).
+# The default is off because it'd be overall better for the net if people
+# had to knowingly turn this feature on, since enabling it means that
+# each client request will result in AT LEAST one lookup request to the
+# nameserver.
+HostnameLookups Off
+
+# EnableMMAP and EnableSendfile: On systems that support it,
+# memory-mapping or the sendfile syscall is used to deliver
+# files. This usually improves server performance, but must
+# be turned off when serving from networked-mounted
+# filesystems or if support for these functions is otherwise
+# broken on your system.
+EnableMMAP On
+EnableSendfile On
+
+# FileEtag: Configures the file attributes that are used to create
+# the ETag (entity tag) response header field when the document is
+# based on a static file. (The ETag value is used in cache management
+# to save network bandwidth.)
+FileEtag INode MTime Size
+
+# ContentDigest: This directive enables the generation of Content-MD5
+# headers as defined in RFC1864 respectively RFC2616.
+# The Content-MD5 header provides an end-to-end message integrity
+# check (MIC) of the entity-body. A proxy or client may check this
+# header for detecting accidental modification of the entity-body
+# in transit.
+# Note that this can cause performance problems on your server since
+# the message digest is computed on every request (the values are
+# not cached).
+# Content-MD5 is only sent for documents served by the core, and not
+# by any module. For example, SSI documents, output from CGI scripts,
+# and byte range responses do not have this header.
+ContentDigest Off
+
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here. If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+ErrorLog /var/log/apache2/error.log
+
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+LogLevel info
+
+# We configure the "default" to be a very restrictive set of features.
+<Directory />
+ Options FollowSymLinks
+ AllowOverride None
+ Order deny,allow
+ Deny from all
+</Directory>
+
+# DirectoryIndex: sets the file that Apache will serve if a directory
+# is requested.
+#
+# The index.html.var file (a type-map) is used to deliver content-
+# negotiated documents. The MultiViews Options can be used for the
+# same purpose, but it is much slower.
+#
+# To add files to that list use AddDirectoryIndex in a custom config
+# file. Do not change this entry unless you know what you are doing.
+<IfModule dir_module>
+ DirectoryIndex index.html index.html.var index.shtml index.htm
+</IfModule>
+
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
+<FilesMatch "^\.ht">
+ Order allow,deny
+ Deny from all
+</FilesMatch>
+
+# vim: ts=4 filetype=apache
--- /dev/null
+# This configuration file reflects default settings for Apache HTTP Server.
+# You may change these, but chances are that you may not need to.
+
+# Timeout: The number of seconds before receives and sends time out.
+Timeout 300
+
+# KeepAlive: Whether or not to allow persistent connections (more than
+# one request per connection). Set to "Off" to deactivate.
+KeepAlive On
+
+# MaxKeepAliveRequests: The maximum number of requests to allow
+# during a persistent connection. Set to 0 to allow an unlimited amount.
+# We recommend you leave this number high, for maximum performance.
+MaxKeepAliveRequests 100
+
+# KeepAliveTimeout: Number of seconds to wait for the next request from the
+# same client on the same connection.
+KeepAliveTimeout 15
+
+# UseCanonicalName: Determines how Apache constructs self-referencing
+# URLs and the SERVER_NAME and SERVER_PORT variables.
+# When set "Off", Apache will use the Hostname and Port supplied
+# by the client. When set "On", Apache will use the value of the
+# ServerName directive.
+UseCanonicalName Off
+
+# AccessFileName: The name of the file to look for in each directory
+# for additional configuration directives. See also the AllowOverride
+# directive.
+AccessFileName .htaccess
+
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of: Full | OS | Minor | Minimal | Major | Prod
+# where Full conveys the most information, and Prod the least.
+ServerTokens Prod
+
+# TraceEnable
+# This directive overrides the behavior of TRACE for both the core server and
+# mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616,
+# which disallows any request body to accompany the request. TraceEnable off
+# causes the core server and mod_proxy to return a 405 (Method not allowed)
+# error to the client.
+# For security reasons this is turned off by default. (bug #240680)
+TraceEnable off
+
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of: On | Off | EMail
+ServerSignature On
+
+# HostnameLookups: Log the names of clients or just their IP addresses
+# e.g., www.apache.org (on) or 204.62.129.132 (off).
+# The default is off because it'd be overall better for the net if people
+# had to knowingly turn this feature on, since enabling it means that
+# each client request will result in AT LEAST one lookup request to the
+# nameserver.
+HostnameLookups Off
+
+# EnableMMAP and EnableSendfile: On systems that support it,
+# memory-mapping or the sendfile syscall is used to deliver
+# files. This usually improves server performance, but must
+# be turned off when serving from networked-mounted
+# filesystems or if support for these functions is otherwise
+# broken on your system.
+EnableMMAP On
+EnableSendfile Off
+
+# FileETag: Configures the file attributes that are used to create
+# the ETag (entity tag) response header field when the document is
+# based on a static file. (The ETag value is used in cache management
+# to save network bandwidth.)
+FileETag MTime Size
+
+# ContentDigest: This directive enables the generation of Content-MD5
+# headers as defined in RFC1864 respectively RFC2616.
+# The Content-MD5 header provides an end-to-end message integrity
+# check (MIC) of the entity-body. A proxy or client may check this
+# header for detecting accidental modification of the entity-body
+# in transit.
+# Note that this can cause performance problems on your server since
+# the message digest is computed on every request (the values are
+# not cached).
+# Content-MD5 is only sent for documents served by the core, and not
+# by any module. For example, SSI documents, output from CGI scripts,
+# and byte range responses do not have this header.
+ContentDigest Off
+
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here. If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+ErrorLog /var/log/apache2/error_log
+
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+LogLevel warn
+
+# We configure the "default" to be a very restrictive set of features.
+<Directory />
+ Options FollowSymLinks
+ AllowOverride None
+ Require all denied
+</Directory>
+
+# DirectoryIndex: sets the file that Apache will serve if a directory
+# is requested.
+#
+# The index.html.var file (a type-map) is used to deliver content-
+# negotiated documents. The MultiViews Options can be used for the
+# same purpose, but it is much slower.
+#
+# Do not change this entry unless you know what you are doing.
+<IfModule dir_module>
+ DirectoryIndex index.html index.html.var
+</IfModule>
+
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
+<FilesMatch "^\.ht">
+ Require all denied
+</FilesMatch>
+
+# vim: ts=4 filetype=apache
--- /dev/null
+# The configuration below implements multi-language error documents through
+# content-negotiation.
+
+# Customizable error responses come in three flavors:
+# 1) plain text 2) local redirects 3) external redirects
+# Some examples:
+#ErrorDocument 500 "The server made a boo boo."
+#ErrorDocument 404 /missing.html
+#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
+#ErrorDocument 402 http://www.example.com/subscription_info.html
+
+# Required modules: mod_alias, mod_include, mod_negotiation
+# We use Alias to redirect any /error/HTTP_<error>.html.var response to
+# our collection of by-error message multi-language collections. We use
+# includes to substitute the appropriate text.
+# You can modify the messages' appearance without changing any of the
+# default HTTP_<error>.html.var files by adding the line:
+# Alias /error/include/ "/your/include/path/"
+# which allows you to create your own set of files by starting with the
+# /var/www/localhost/error/include/ files and copying them to /your/include/path/,
+# even on a per-VirtualHost basis. The default include files will display
+# your Apache version number and your ServerAdmin email address regardless
+# of the setting of ServerSignature.
+
+<IfDefine ERRORDOCS>
+Alias /error/ "/usr/share/apache2/error/"
+
+<Directory "/usr/share/apache2/error">
+ AllowOverride None
+ Options IncludesNoExec
+ AddOutputFilter Includes html
+ AddHandler type-map var
+ Order allow,deny
+ Allow from all
+ LanguagePriority de en cs es fr it ja ko nl pl pt-br ro sv tr
+ ForceLanguagePriority Prefer Fallback
+</Directory>
+
+ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
+ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
+ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
+ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
+ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
+ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
+ErrorDocument 410 /error/HTTP_GONE.html.var
+ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
+ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
+ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
+ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
+ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
+ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
+ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
+ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
+ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
+ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
+</IfDefine>
+
+# vim: ts=4 filetype=apache
--- /dev/null
+# The configuration below implements multi-language error documents through
+# content-negotiation.
+
+# Customizable error responses come in three flavors:
+# 1) plain text 2) local redirects 3) external redirects
+# Some examples:
+#ErrorDocument 500 "The server made a boo boo."
+#ErrorDocument 404 /missing.html
+#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
+#ErrorDocument 402 http://www.example.com/subscription_info.html
+
+# Required modules: mod_alias, mod_include, mod_negotiation
+# We use Alias to redirect any /error/HTTP_<error>.html.var response to
+# our collection of by-error message multi-language collections. We use
+# includes to substitute the appropriate text.
+# You can modify the messages' appearance without changing any of the
+# default HTTP_<error>.html.var files by adding the line:
+# Alias /error/include/ "/your/include/path/"
+# which allows you to create your own set of files by starting with the
+# /var/www/localhost/error/include/ files and copying them to /your/include/path/,
+# even on a per-VirtualHost basis. The default include files will display
+# your Apache version number and your ServerAdmin email address regardless
+# of the setting of ServerSignature.
+
+<IfDefine ERRORDOCS>
+Alias /error/ "/usr/share/apache2/error/"
+
+<Directory "/usr/share/apache2/error">
+ AllowOverride None
+ Options IncludesNoExec
+ AddOutputFilter Includes html
+ AddHandler type-map var
+ Require all granted
+ LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
+ ForceLanguagePriority Prefer Fallback
+</Directory>
+
+ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
+ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
+ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
+ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
+ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
+ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
+ErrorDocument 410 /error/HTTP_GONE.html.var
+ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
+ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
+ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
+ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
+ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
+ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
+ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
+ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
+ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
+ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
+</IfDefine>
+
+# vim: ts=4 filetype=apache
<IfModule autoindex_module>
+<IfDefine !NO_AUTOINDEX_CONF>
+
<IfModule alias_module>
# We include the /icons/ alias for FancyIndexed directory listings. If
# you do not use FancyIndexing, you may comment this out.
# IndexIgnore is a set of filenames which directory indexing should ignore
# and not include in the listing. Shell-style wildcarding is permitted.
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
+</IfDefine>
</IfModule>
# vim: ts=4 filetype=apache
--- /dev/null
+<IfModule autoindex_module>
+<IfModule alias_module>
+# We include the /icons/ alias for FancyIndexed directory listings. If
+# you do not use FancyIndexing, you may comment this out.
+Alias /icons/ "/usr/share/apache2/icons/"
+
+<Directory "/usr/share/apache2/icons">
+ Options Indexes MultiViews
+ AllowOverride None
+ Order allow,deny
+ Allow from all
+</Directory>
+</IfModule>
+
+# Directives controlling the display of server-generated directory listings.
+#
+# To see the listing of a directory, the Options directive for the
+# directory must include "Indexes", and the directory must not contain
+# a file matching those listed in the DirectoryIndex directive.
+
+# IndexOptions: Controls the appearance of server-generated directory
+# listings.
+IndexOptions FancyIndexing VersionSort FoldersFirst HTMLTable IgnoreCase NameWidth=50
+
+# AddIcon* directives tell the server which icon to show for different
+# files or filename extensions. These are only displayed for
+# FancyIndexed directories.
+AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
+
+AddIconByType (TXT,/icons/text.gif) text/*
+AddIconByType (IMG,/icons/image2.gif) image/*
+AddIconByType (SND,/icons/sound2.gif) audio/*
+AddIconByType (VID,/icons/movie.gif) video/*
+
+AddIcon /icons/binary.gif .bin .exe
+AddIcon /icons/binhex.gif .hqx
+AddIcon /icons/tar.gif .tar
+AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
+AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
+AddIcon /icons/a.gif .ps .ai .eps
+AddIcon /icons/layout.gif .html .shtml .htm .pdf
+AddIcon /icons/text.gif .txt
+AddIcon /icons/c.gif .c
+AddIcon /icons/p.gif .pl .py
+AddIcon /icons/f.gif .for
+AddIcon /icons/dvi.gif .dvi
+AddIcon /icons/uuencoded.gif .uu
+AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
+AddIcon /icons/tex.gif .tex
+AddIcon /icons/bomb.gif core
+
+AddIcon /icons/back.gif ..
+AddIcon /icons/hand.right.gif README
+AddIcon /icons/folder.gif ^^DIRECTORY^^
+AddIcon /icons/blank.gif ^^BLANKICON^^
+
+# DefaultIcon is which icon to show for files which do not have an icon
+# explicitly set.
+DefaultIcon /icons/unknown.gif
+
+# AddDescription allows you to place a short description after a file in
+# server-generated indexes. These are only displayed for FancyIndexed
+# directories.
+# Format: AddDescription "description" filename
+
+AddDescription "GZIP-komprimiertes Tar-Archiv" .tar.gz
+AddDescription "GZIP-komprimiertes Dokument" .gz
+AddDescription "Tar-Archive" .tar
+AddDescription "GZIP-komprimiertes Tar-Archiv" .tgz
+AddDescription "PDF-Dokument" .pdf
+
+# ReadmeName is the name of the README file the server will look for by
+# default, and append to directory listings.
+
+# HeaderName is the name of a file which should be prepended to
+# directory indexes.
+ReadmeName README.html
+HeaderName HEADER.html
+
+# IndexIgnore is a set of filenames which directory indexing should ignore
+# and not include in the listing. Shell-style wildcarding is permitted.
+IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
+</IfModule>
+
+# vim: ts=4 filetype=apache
<Directory "/usr/share/apache2/icons">
Options Indexes MultiViews
AllowOverride None
- Order allow,deny
- Allow from all
+ Require all granted
</Directory>
</IfModule>
--- /dev/null
+<IfDefine INFO>
+# Allow remote server configuration reports, with the URL of
+# http://servername/server-info
+<Location /server-info>
+ SetHandler server-info
+ Order deny,allow
+ Deny from all
+ Allow from 127.0.0.1
+ Allow from localhost
+ AuthName "Server Status Access"
+ AuthType Basic
+ AuthUserFile /etc/apache2/info_users_passwd
+ Require valid-user
+ Satisfy Any
+</Location>
+</IfDefine>
+
+# vim: ts=4 filetype=apache
--- /dev/null
+<IfDefine INFO>
+# Allow remote server configuration reports, with the URL of
+# http://servername/server-info
+<Location /server-info>
+ SetHandler server-info
+ Require local
+</Location>
+</IfDefine>
+
+# vim: ts=4 filetype=apache
--- /dev/null
+# DefaultType: the default MIME type the server will use for a document
+# if it cannot otherwise determine one, such as from filename extensions.
+# If your server contains mostly text or HTML documents, "text/plain" is
+# a good value. If most of your content is binary, such as applications
+# or images, you may want to use "application/octet-stream" instead to
+# keep browsers from trying to display binary files as though they are
+# text.
+DefaultType text/plain
+
+<IfModule mime_module>
+# TypesConfig points to the file containing the list of mappings from
+# filename extension to MIME-type.
+TypesConfig /etc/mime.types
+
+# AddType allows you to add to or override the MIME configuration
+# file specified in TypesConfig for specific file types.
+#AddType application/x-gzip .tgz
+
+# AddEncoding allows you to have certain browsers uncompress
+# information on the fly. Note: Not all browsers support this.
+AddEncoding x-compress .Z
+AddEncoding x-gzip .gz .tgz
+
+# If the AddEncoding directives above are commented-out, then you
+# probably should define those extensions to indicate media types:
+AddType application/x-compress .Z
+AddType application/x-gzip .gz .tgz
+
+# AddHandler allows you to map certain file extensions to "handlers":
+# actions unrelated to filetype. These can be either built into the server
+# or added with the Action directive (see below)
+
+# To use CGI scripts outside of ScriptAliased directories:
+# (You will also need to add "ExecCGI" to the "Options" directive.)
+#AddHandler cgi-script .cgi
+
+# For type maps (negotiated resources):
+AddHandler type-map var
+
+# Filters allow you to process content before it is sent to the client.
+#
+# To parse .shtml files for server-side includes (SSI):
+# (You will also need to add "Includes" to the "Options" directive.)
+#AddType text/html .shtml
+#AddOutputFilter INCLUDES .shtml
+</IfModule>
+
+<IfModule mime_magic_module>
+# The mod_mime_magic module allows the server to use various hints from the
+# contents of the file itself to determine its type. The MIMEMagicFile
+# directive tells the module where the hint definitions are located.
+MIMEMagicFile /etc/apache2/magic
+</IfModule>
+
+# vim: ts=4 filetype=apache
--- /dev/null
+<IfModule mime_module>
+# TypesConfig points to the file containing the list of mappings from
+# filename extension to MIME-type.
+TypesConfig /etc/mime.types
+
+# AddType allows you to add to or override the MIME configuration
+# file specified in TypesConfig for specific file types.
+#AddType application/x-gzip .tgz
+
+# AddEncoding allows you to have certain browsers uncompress
+# information on the fly. Note: Not all browsers support this.
+#AddEncoding x-compress .Z
+#AddEncoding x-gzip .gz .tgz
+
+# If the AddEncoding directives above are commented-out, then you
+# probably should define those extensions to indicate media types:
+AddType application/x-compress .Z
+AddType application/x-gzip .gz .tgz
+
+# AddHandler allows you to map certain file extensions to "handlers":
+# actions unrelated to filetype. These can be either built into the server
+# or added with the Action directive (see below)
+
+# To use CGI scripts outside of ScriptAliased directories:
+# (You will also need to add "ExecCGI" to the "Options" directive.)
+#AddHandler cgi-script .cgi
+
+# For type maps (negotiated resources):
+#AddHandler type-map var
+
+# Filters allow you to process content before it is sent to the client.
+#
+# To parse .shtml files for server-side includes (SSI):
+# (You will also need to add "Includes" to the "Options" directive.)
+#AddType text/html .shtml
+#AddOutputFilter INCLUDES .shtml
+</IfModule>
+
+<IfModule mime_magic_module>
+# The mod_mime_magic module allows the server to use various hints from the
+# contents of the file itself to determine its type. The MIMEMagicFile
+# directive tells the module where the hint definitions are located.
+MIMEMagicFile /etc/apache2/magic
+</IfModule>
+
+# vim: ts=4 filetype=apache
--- /dev/null
+<IfDefine STATUS>
+# Allow server status reports generated by mod_status,
+# with the URL of http://servername/server-status
+<Location /server-status>
+ SetHandler server-status
+ Order deny,allow
+ Deny from all
+ Allow from 127.0.0.1
+ Allow from localhost
+ AuthName "Server Status Access"
+ AuthType Basic
+ AuthUserFile /etc/apache2/info_users_passwd
+ Require valid-user
+ Satisfy Any
+</Location>
+
+# ExtendedStatus controls whether Apache will generate "full" status
+# information (ExtendedStatus On) or just basic information (ExtendedStatus
+# Off) when the "server-status" handler is called.
+ExtendedStatus On
+</IfDefine>
+
+# vim: ts=4 filetype=apache
--- /dev/null
+<IfDefine STATUS>
+# Allow server status reports generated by mod_status,
+# with the URL of http://servername/server-status
+<Location /server-status>
+ SetHandler server-status
+ Require local
+</Location>
+
+# ExtendedStatus controls whether Apache will generate "full" status
+# information (ExtendedStatus On) or just basic information (ExtendedStatus
+# Off) when the "server-status" handler is called.
+ExtendedStatus On
+</IfDefine>
+
+# vim: ts=4 filetype=apache
--- /dev/null
+# Server-Pool Management (MPM specific)
+
+# PidFile: The file in which the server should record its process
+# identification number when it starts.
+#
+# DO NOT CHANGE UNLESS YOU KNOW WHAT YOU ARE DOING
+PidFile /var/run/apache2.pid
+
+# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
+#LockFile /var/run/apache2.lock
+
+# Only one of the below sections will be relevant on your
+# installed httpd. Use "/usr/sbin/apache2 -l" to find out the
+# active mpm.
+
+# common MPM configuration
+# These configuration directives apply to all MPMs
+#
+# StartServers: Number of child server processes created at startup
+# MaxClients: Maximum number of child processes to serve requests
+# MaxRequestsPerChild: Limit on the number of requests that an individual child
+# server will handle during its life
+
+
+# prefork MPM
+# This is the default MPM if USE=-threads
+#
+# MinSpareServers: Minimum number of idle child server processes
+# MaxSpareServers: Maximum number of idle child server processes
+<IfModule mpm_prefork_module>
+ StartServers 2
+ MinSpareServers 2
+ MaxSpareServers 10
+ MaxClients 150
+ MaxRequestsPerChild 10000
+</IfModule>
+
+# worker MPM
+# This is the default MPM if USE=threads
+#
+# MinSpareThreads: Minimum number of idle threads available to handle request spikes
+# MaxSpareThreads: Maximum number of idle threads
+# ThreadsPerChild: Number of threads created by each child process
+<IfModule mpm_worker_module>
+ StartServers 2
+ MinSpareThreads 25
+ MaxSpareThreads 75
+ ThreadsPerChild 25
+ MaxClients 150
+ MaxRequestsPerChild 10000
+</IfModule>
+
+# event MPM
+#
+# MinSpareThreads: Minimum number of idle threads available to handle request spikes
+# MaxSpareThreads: Maximum number of idle threads
+# ThreadsPerChild: Number of threads created by each child process
+<IfModule mpm_event_module>
+ StartServers 2
+ MinSpareThreads 25
+ MaxSpareThreads 75
+ ThreadsPerChild 25
+ MaxClients 150
+ MaxRequestsPerChild 10000
+</IfModule>
+
+# peruser MPM
+#
+# MinSpareProcessors: Minimum number of idle child server processes
+# MinProcessors: Minimum number of processors per virtual host
+# MaxProcessors: Maximum number of processors per virtual host
+# ExpireTimeout: Maximum idle time before a child is killed, 0 to disable
+# Multiplexer: Specify a Multiplexer child configuration.
+# Processor: Specify a user and group for a specific child process
+<IfModule mpm_peruser_module>
+ MinSpareProcessors 2
+ MinProcessors 2
+ MaxProcessors 10
+ MaxClients 150
+ MaxRequestsPerChild 1000
+ ExpireTimeout 1800
+
+ Multiplexer nobody nobody
+ Processor apache apache
+</IfModule>
+
+# itk MPM
+#
+# MinSpareServers: Minimum number of idle child server processes
+# MaxSpareServers: Maximum number of idle child server processes
+<IfModule mpm_itk_module>
+ StartServers 5
+ MinSpareServers 5
+ MaxSpareServers 10
+ MaxClients 150
+ MaxRequestsPerChild 10000
+</IfModule>
+
+# vim: ts=4 filetype=apache
--- /dev/null
+# Server-Pool Management (MPM specific)
+
+# PidFile: The file in which the server should record its process
+# identification number when it starts.
+#
+# DO NOT CHANGE UNLESS YOU KNOW WHAT YOU ARE DOING
+PidFile /run/apache2.pid
+
+# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
+# Mutex file:/run/apache_mpm_mutex
+
+# Only one of the below sections will be relevant on your
+# installed httpd. Use "/usr/sbin/apache2 -l" to find out the
+# active mpm.
+
+# common MPM configuration
+# These configuration directives apply to all MPMs
+#
+# StartServers: Number of child server processes created at startup
+# MaxRequestWorkers: Maximum number of child processes to serve requests
+# MaxConnectionsPerChild: Limit on the number of connections that an individual
+# child server will handle during its life
+
+
+# prefork MPM
+# This is the default MPM if USE=-threads
+#
+# MinSpareServers: Minimum number of idle child server processes
+# MaxSpareServers: Maximum number of idle child server processes
+<IfModule mpm_prefork_module>
+ StartServers 5
+ MinSpareServers 5
+ MaxSpareServers 10
+ MaxRequestWorkers 150
+ MaxConnectionsPerChild 10000
+</IfModule>
+
+# worker MPM
+# This is the default MPM if USE=threads
+#
+# MinSpareThreads: Minimum number of idle threads available to handle request spikes
+# MaxSpareThreads: Maximum number of idle threads
+# ThreadsPerChild: Number of threads created by each child process
+<IfModule mpm_worker_module>
+ StartServers 2
+ MinSpareThreads 25
+ MaxSpareThreads 75
+ ThreadsPerChild 25
+ MaxRequestWorkers 150
+ MaxConnectionsPerChild 10000
+</IfModule>
+
+# event MPM
+#
+# MinSpareThreads: Minimum number of idle threads available to handle request spikes
+# MaxSpareThreads: Maximum number of idle threads
+# ThreadsPerChild: Number of threads created by each child process
+<IfModule mpm_event_module>
+ StartServers 2
+ MinSpareThreads 25
+ MaxSpareThreads 75
+ ThreadsPerChild 25
+ MaxRequestWorkers 150
+ MaxConnectionsPerChild 10000
+</IfModule>
+
+# peruser MPM
+#
+# MinSpareProcessors: Minimum number of idle child server processes
+# MinProcessors: Minimum number of processors per virtual host
+# MaxProcessors: Maximum number of processors per virtual host
+# ExpireTimeout: Maximum idle time before a child is killed, 0 to disable
+# Multiplexer: Specify a Multiplexer child configuration.
+# Processor: Specify a user and group for a specific child process
+<IfModule mpm_peruser_module>
+ MinSpareProcessors 2
+ MinProcessors 2
+ MaxProcessors 10
+ MaxRequestWorkers 150
+ MaxConnectionsPerChild 1000
+ ExpireTimeout 1800
+
+ Multiplexer nobody nobody
+ Processor apache apache
+</IfModule>
+
+# itk MPM
+#
+# MinSpareServers: Minimum number of idle child server processes
+# MaxSpareServers: Maximum number of idle child server processes
+<IfModule mpm_itk_module>
+ StartServers 5
+ MinSpareServers 5
+ MaxSpareServers 10
+ MaxRequestWorkers 150
+ MaxConnectionsPerChild 10000
+</IfModule>
+
+# vim: ts=4 filetype=apache
--- /dev/null
+# Virtual Hosts
+#
+# If you want to maintain multiple domains/hostnames on your
+# machine you can setup VirtualHost containers for them. Most configurations
+# use only name-based virtual hosts so the server doesn't need to worry about
+# IP addresses. This is indicated by the asterisks in the directives below.
+#
+# Please see the documentation at
+# <URL:http://httpd.apache.org/docs/2.2/vhosts/>
+# for further details before you try to setup virtual hosts.
+#
+# You may use the command line option '-S' to verify your virtual host
+# configuration.
+
+<IfDefine DEFAULT_VHOST>
+# see bug #178966 why this is in here
+
+# Listen: Allows you to bind Apache to specific IP addresses and/or
+# ports, instead of the default. See also the <VirtualHost>
+# directive.
+#
+# Change this to Listen on specific IP addresses as shown below to
+# prevent Apache from glomming onto all bound IP addresses.
+#
+#Listen 12.34.56.78:80
+Listen 80
+
+# Use name-based virtual hosting.
+NameVirtualHost *:80
+
+# When virtual hosts are enabled, the main host defined in the default
+# httpd.conf configuration will go away. We redefine it here so that it is
+# still available.
+#
+# If you disable this vhost by removing -D DEFAULT_VHOST from
+# /etc/conf.d/apache2, the first defined virtual host elsewhere will be
+# the default.
+<VirtualHost *:80>
+ ServerName www.uhu-banane.de
+ Include /etc/apache2/vhosts.d/default_vhost.include
+
+ <IfModule mpm_peruser_module>
+ ServerEnvironment apache apache
+ </IfModule>
+</VirtualHost>
+</IfDefine>
+
+# vim: ts=4 filetype=apache
--- /dev/null
+# Virtual Hosts
+#
+# If you want to maintain multiple domains/hostnames on your
+# machine you can setup VirtualHost containers for them. Most configurations
+# use only name-based virtual hosts so the server doesn't need to worry about
+# IP addresses. This is indicated by the asterisks in the directives below.
+#
+# Please see the documentation at
+# <URL:http://httpd.apache.org/docs/2.4/vhosts/>
+# for further details before you try to setup virtual hosts.
+#
+# You may use the command line option '-S' to verify your virtual host
+# configuration.
+
+<IfDefine DEFAULT_VHOST>
+# see bug #178966 why this is in here
+
+# Listen: Allows you to bind Apache to specific IP addresses and/or
+# ports, instead of the default. See also the <VirtualHost>
+# directive.
+#
+# Change this to Listen on specific IP addresses as shown below to
+# prevent Apache from glomming onto all bound IP addresses.
+#
+#Listen 12.34.56.78:80
+Listen 80
+
+# When virtual hosts are enabled, the main host defined in the default
+# httpd.conf configuration will go away. We redefine it here so that it is
+# still available.
+#
+# If you disable this vhost by removing -D DEFAULT_VHOST from
+# /etc/conf.d/apache2, the first defined virtual host elsewhere will be
+# the default.
+<VirtualHost *:80>
+ ServerName localhost
+ Include /etc/apache2/vhosts.d/default_vhost.include
+
+ <IfModule mpm_peruser_module>
+ ServerEnvironment apache apache
+ </IfModule>
+</VirtualHost>
+</IfDefine>
+
+# vim: ts=4 filetype=apache
--- /dev/null
+# ServerAdmin: Your address, where problems with the server should be
+# e-mailed. This address appears on some server-generated pages, such
+# as error documents. e.g. admin@your-domain.com
+ServerAdmin frank@brehm-online.com
+
+# DocumentRoot: The directory out of which you will serve your
+# documents. By default, all requests are taken from this directory, but
+# symbolic links and aliases may be used to point to other locations.
+#
+# If you change this to something that isn't under /var/www then suexec
+# will no longer work.
+DocumentRoot "/var/www/localhost/htdocs"
+
+# This should be changed to whatever you set DocumentRoot to.
+<Directory "/var/www/localhost/htdocs">
+ # Possible values for the Options directive are "None", "All",
+ # or any combination of:
+ # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
+ #
+ # Note that "MultiViews" must be named *explicitly* --- "Options All"
+ # doesn't give it to you.
+ #
+ # The Options directive is both complicated and important. Please see
+ # http://httpd.apache.org/docs/2.2/mod/core.html#options
+ # for more information.
+ Options Indexes FollowSymLinks
+
+ # AllowOverride controls what directives may be placed in .htaccess files.
+ # It can be "All", "None", or any combination of the keywords:
+ # Options FileInfo AuthConfig Limit
+ AllowOverride All
+
+ # Controls who can get stuff from this server.
+ Order allow,deny
+ Allow from all
+</Directory>
+
+<IfModule alias_module>
+ # Redirect: Allows you to tell clients about documents that used to
+ # exist in your server's namespace, but do not anymore. The client
+ # will make a new request for the document at its new location.
+ # Example:
+ # Redirect permanent /foo http://www.example.com/bar
+
+ # Alias: Maps web paths into filesystem paths and is used to
+ # access content that does not live under the DocumentRoot.
+ # Example:
+ # Alias /webpath /full/filesystem/path
+ #
+ # If you include a trailing / on /webpath then the server will
+ # require it to be present in the URL. You will also likely
+ # need to provide a <Directory> section to allow access to
+ # the filesystem path.
+
+ # ScriptAlias: This controls which directories contain server scripts.
+ # ScriptAliases are essentially the same as Aliases, except that
+ # documents in the target directory are treated as applications and
+ # run by the server when requested rather than as documents sent to the
+ # client. The same rules about trailing "/" apply to ScriptAlias
+ # directives as to Alias.
+ ScriptAlias /cgi-bin/ "/var/www/localhost/cgi-bin/"
+</IfModule>
+
+# "/var/www/localhost/cgi-bin" should be changed to whatever your ScriptAliased
+# CGI directory exists, if you have that configured.
+<Directory "/var/www/localhost/cgi-bin">
+ AllowOverride None
+ Options None
+ Order allow,deny
+ Allow from all
+</Directory>
+
+# vim: ts=4 filetype=apache
--- /dev/null
+# ServerAdmin: Your address, where problems with the server should be
+# e-mailed. This address appears on some server-generated pages, such
+# as error documents. e.g. admin@your-domain.com
+ServerAdmin root@localhost
+
+# DocumentRoot: The directory out of which you will serve your
+# documents. By default, all requests are taken from this directory, but
+# symbolic links and aliases may be used to point to other locations.
+#
+# If you change this to something that isn't under /var/www then suexec
+# will no longer work.
+DocumentRoot "/var/www/localhost/htdocs"
+
+# This should be changed to whatever you set DocumentRoot to.
+<Directory "/var/www/localhost/htdocs">
+ # Possible values for the Options directive are "None", "All",
+ # or any combination of:
+ # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
+ #
+ # Note that "MultiViews" must be named *explicitly* --- "Options All"
+ # doesn't give it to you.
+ #
+ # The Options directive is both complicated and important. Please see
+ # http://httpd.apache.org/docs/2.4/mod/core.html#options
+ # for more information.
+ Options Indexes FollowSymLinks
+
+ # AllowOverride controls what directives may be placed in .htaccess files.
+ # It can be "All", "None", or any combination of the keywords:
+ # Options FileInfo AuthConfig Limit
+ AllowOverride All
+
+ # Controls who can get stuff from this server.
+ Require all granted
+</Directory>
+
+<IfModule alias_module>
+ # Redirect: Allows you to tell clients about documents that used to
+ # exist in your server's namespace, but do not anymore. The client
+ # will make a new request for the document at its new location.
+ # Example:
+ # Redirect permanent /foo http://www.example.com/bar
+
+ # Alias: Maps web paths into filesystem paths and is used to
+ # access content that does not live under the DocumentRoot.
+ # Example:
+ # Alias /webpath /full/filesystem/path
+ #
+ # If you include a trailing / on /webpath then the server will
+ # require it to be present in the URL. You will also likely
+ # need to provide a <Directory> section to allow access to
+ # the filesystem path.
+
+ # ScriptAlias: This controls which directories contain server scripts.
+ # ScriptAliases are essentially the same as Aliases, except that
+ # documents in the target directory are treated as applications and
+ # run by the server when requested rather than as documents sent to the
+ # client. The same rules about trailing "/" apply to ScriptAlias
+ # directives as to Alias.
+ ScriptAlias /cgi-bin/ "/var/www/localhost/cgi-bin/"
+</IfModule>
+
+# "/var/www/localhost/cgi-bin" should be changed to whatever your ScriptAliased
+# CGI directory exists, if you have that configured.
+<Directory "/var/www/localhost/cgi-bin">
+ AllowOverride None
+ Options None
+ Require all granted
+</Directory>
+
+# vim: ts=4 filetype=apache
--- /dev/null
+# Config file for /etc/init.d/fail2ban
+#
+# For information on options, see "/usr/bin/fail2ban-client -h".
+
+FAIL2BAN_OPTIONS="-v"
+
+# Force execution of the server even if the socket already exists:
+#FAIL2BAN_OPTIONS="-x"
--- /dev/null
+# Config file for /etc/init.d/fail2ban
+#
+# For information on options, see "/usr/bin/fail2ban-client -h".
+
+FAIL2BAN_OPTIONS=""
+
+# Force execution of the server even if the socket already exists:
+#FAIL2BAN_OPTIONS="-x"
--- /dev/null
+# The VCS to use.
+#VCS="hg"
+VCS="git"
+#VCS="bzr"
+#VCS="darcs"
+
+# Options passed to git commit when run by etckeeper.
+GIT_COMMIT_OPTIONS=""
+
+# Options passed to hg commit when run by etckeeper.
+HG_COMMIT_OPTIONS=""
+
+# Options passed to bzr commit when run by etckeeper.
+BZR_COMMIT_OPTIONS=""
+
+# Options passed to darcs record when run by etckeeper.
+DARCS_COMMIT_OPTIONS="-a"
+
+# Uncomment to avoid etckeeper committing existing changes
+# to /etc automatically once per day.
+#AVOID_DAILY_AUTOCOMMITS=1
+
+# Uncomment the following to avoid special file warning
+# (the option is enabled automatically by cronjob regardless).
+#AVOID_SPECIAL_FILE_WARNING=1
+
+# Uncomment to avoid etckeeper committing existing changes to
+# /etc before installation. It will cancel the installation,
+# so you can commit the changes by hand.
+#AVOID_COMMIT_BEFORE_INSTALL=1
+
+# The high-level package manager that's being used.
+# (apt, pacman-g2, yum, dnf, zypper etc)
+#HIGHLEVEL_PACKAGE_MANAGER=apt
+
+# Gentoo specific:
+# For portage this is emerge
+# For paludis this is cave
+HIGHLEVEL_PACKAGE_MANAGER=emerge
+
+# The low-level package manager that's being used.
+# (dpkg, rpm, pacman, pacman-g2, etc)
+#LOWLEVEL_PACKAGE_MANAGER=dpkg
+
+# Gentoo specific:
+# For portage this is qlist
+# For paludis this is cave
+LOWLEVEL_PACKAGE_MANAGER=qlist
+
+# To push each commit to a remote, put the name of the remote here.
+# (eg, "origin" for git). Space-separated lists of multiple remotes
+# also work (eg, "origin gitlab github" for git).
+PUSH_REMOTE=""
+++ /dev/null
-# The VCS to use.
-#VCS="hg"
-VCS="git"
-#VCS="bzr"
-#VCS="darcs"
-
-# Options passed to git commit when run by etckeeper.
-GIT_COMMIT_OPTIONS=""
-
-# Options passed to hg commit when run by etckeeper.
-HG_COMMIT_OPTIONS=""
-
-# Options passed to bzr commit when run by etckeeper.
-BZR_COMMIT_OPTIONS=""
-
-# Options passed to darcs record when run by etckeeper.
-DARCS_COMMIT_OPTIONS="-a"
-
-# Uncomment to avoid etckeeper committing existing changes
-# to /etc automatically once per day.
-#AVOID_DAILY_AUTOCOMMITS=1
-
-# Uncomment the following to avoid special file warning
-# (the option is enabled automatically by cronjob regardless).
-#AVOID_SPECIAL_FILE_WARNING=1
-
-# Uncomment to avoid etckeeper committing existing changes to
-# /etc before installation. It will cancel the installation,
-# so you can commit the changes by hand.
-#AVOID_COMMIT_BEFORE_INSTALL=1
-
-# The high-level package manager that's being used.
-# (apt, pacman-g2, yum, zypper etc)
-# For gentoo this is emerge
-HIGHLEVEL_PACKAGE_MANAGER=emerge
-
-# The low-level package manager that's being used.
-# (dpkg, rpm, pacman, pacman-g2, etc)
-# For gentoo this is qlist
-LOWLEVEL_PACKAGE_MANAGER=qlist
-
-# To push each commit to a remote, put the name of the remote here.
-# (eg, "origin" for git).
-PUSH_REMOTE=""
--- /dev/null
+#
+# WARNING: heavily refactored in 0.9.0 release. Please review and
+# customize settings for your setup.
+#
+# Changes: in most of the cases you should not modify this
+# file, but provide customizations in jail.local file,
+# or separate .conf files under jail.d/ directory, e.g.:
+#
+# HOW TO ACTIVATE JAILS:
+#
+# YOU SHOULD NOT MODIFY THIS FILE.
+#
+# It will probably be overwritten or improved in a distribution update.
+#
+# Provide customizations in a jail.local file or a jail.d/customisation.local.
+# For example to change the default bantime for all jails and to enable the
+# ssh-iptables jail the following (uncommented) would appear in the .local file.
+# See man 5 jail.conf for details.
+#
+# [DEFAULT]
+# bantime = 3600
+#
+# [sshd]
+# enabled = true
+#
+# See jail.conf(5) man page for more information
+
+
+
+# Comments: use '#' for comment lines and ';' (following a space) for inline comments
+
+
+[INCLUDES]
+
+#before = paths-distro.conf
+before = paths-debian.conf
+
+# The DEFAULT allows a global definition of the options. They can be overridden
+# in each jail afterwards.
+
+[DEFAULT]
+
+sshd_log = /var/log/syslog.d/authpriv.log
+
+#
+# MISCELLANEOUS OPTIONS
+#
+
+# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
+# ban a host which matches an address in this list. Several addresses can be
+# defined using space separator.
+ignoreip = 127.0.0.1/8
+
+# External command that will take an tagged arguments to ignore, e.g. <ip>,
+# and return true if the IP is to be ignored. False otherwise.
+#
+# ignorecommand = /path/to/command <ip>
+ignorecommand =
+
+# "bantime" is the number of seconds that a host is banned.
+bantime = 600
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime = 600
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 5
+
+# "backend" specifies the backend used to get files modification.
+# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
+# This option can be overridden in each jail as well.
+#
+# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
+# If pyinotify is not installed, Fail2ban will use auto.
+# gamin: requires Gamin (a file alteration monitor) to be installed.
+# If Gamin is not installed, Fail2ban will use auto.
+# polling: uses a polling algorithm which does not require external libraries.
+# systemd: uses systemd python library to access the systemd journal.
+# Specifying "logpath" is not valid for this backend.
+# See "journalmatch" in the jails associated filter config
+# auto: will try to use the following backends, in order:
+# pyinotify, gamin, polling.
+#
+# Note: if systemd backend is choses as the default but you enable a jail
+# for which logs are present only in its own log files, specify some other
+# backend for that jail (e.g. polling) and provide empty value for
+# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
+backend = auto
+
+# "usedns" specifies if jails should trust hostnames in logs,
+# warn when DNS lookups are performed, or ignore all hostnames in logs
+#
+# yes: if a hostname is encountered, a DNS lookup will be performed.
+# warn: if a hostname is encountered, a DNS lookup will be performed,
+# but it will be logged as a warning.
+# no: if a hostname is encountered, will not be used for banning,
+# but it will be logged as info.
+usedns = warn
+
+# "logencoding" specifies the encoding of the log files handled by the jail
+# This is used to decode the lines from the log file.
+# Typical examples: "ascii", "utf-8"
+#
+# auto: will use the system locale setting
+logencoding = auto
+
+# "enabled" enables the jails.
+# By default all jails are disabled, and it should stay this way.
+# Enable only relevant to your setup jails in your .local or jail.d/*.conf
+#
+# true: jail will be enabled and log files will get monitored for changes
+# false: jail is not enabled
+enabled = false
+
+
+# "filter" defines the filter to use by the jail.
+# By default jails have names matching their filter name
+#
+filter = %(__name__)s
+
+
+#
+# ACTIONS
+#
+
+# Some options used for actions
+
+# Destination email address used solely for the interpolations in
+# jail.{conf,local,d/*} configuration files.
+destemail = root@localhost
+
+# Sender email address used solely for some actions
+sender = root@localhost
+
+# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
+# mailing. Change mta configuration parameter to mail if you want to
+# revert to conventional 'mail'.
+mta = sendmail
+
+# Default protocol
+protocol = tcp
+
+# Specify chain where jumps would need to be added in iptables-* actions
+chain = INPUT
+
+# Ports to be banned
+# Usually should be overridden in a particular jail
+port = 0:65535
+
+#
+# Action shortcuts. To be used to define action parameter
+
+# Default banning action (e.g. iptables, iptables-new,
+# iptables-multiport, shorewall, etc) It is used to define
+# action_* variables. Can be overridden globally or per
+# section within jail.local file
+banaction = iptables-multiport
+
+# The simplest action to take: ban only
+action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report to the destemail.
+action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+ %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+ %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
+
+# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
+#
+# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
+# to the destemail.
+action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+ xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
+
+
+# Report block via blocklist.de fail2ban reporting service API
+#
+# See the IMPORTANT note in action.d/blocklist_de.conf for when to
+# use this action. Create a file jail.d/blocklist_de.local containing
+# [Init]
+# blocklist_de_apikey = {api key from registration]
+#
+action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]
+
+# Report ban via badips.com, and use as blacklist
+#
+# See BadIPsAction docstring in config/action.d/badips.py for
+# documentation for this action.
+#
+# NOTE: This action relies on banaction being present on start and therefore
+# should be last action defined for a jail.
+#
+action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]
+
+# Choose default action. To change, just override value of 'action' with the
+# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
+# globally (section [DEFAULT]) or per specific section
+action = %(action_)s
+
+
+#
+# JAILS
+#
+
+#
+# SSH servers
+#
+
+[sshd]
+
+port = ssh
+logpath = /var/log/syslog.d/authpriv.log
+
+
+[sshd-ddos]
+# This jail corresponds to the standard configuration in Fail2ban.
+# The mail-whois action send a notification e-mail with a whois request
+# in the body.
+port = ssh
+logpath = /var/log/syslog.d/authpriv.log
+
+
+[dropbear]
+
+port = ssh
+logpath = %(dropbear_log)s
+
+
+[selinux-ssh]
+
+port = ssh
+logpath = %(auditd_log)s
+maxretry = 5
+
+
+#
+# HTTP servers
+#
+
+[apache-auth]
+
+port = http,https
+logpath = %(apache_error_log)s
+
+
+[apache-badbots]
+# Ban hosts which agent identifies spammer robots crawling the web
+# for email addresses. The mail outputs are buffered.
+port = http,https
+logpath = %(apache_access_log)s
+bantime = 172800
+maxretry = 1
+
+
+[apache-noscript]
+
+port = http,https
+logpath = %(apache_error_log)s
+maxretry = 6
+
+
+[apache-overflows]
+
+port = http,https
+logpath = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-nohome]
+
+port = http,https
+logpath = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-botsearch]
+
+port = http,https
+logpath = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-fakegooglebot]
+
+port = http,https
+logpath = %(apache_access_log)s
+maxretry = 1
+ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
+
+
+[apache-modsecurity]
+
+port = http,https
+logpath = %(apache_error_log)s
+maxretry = 2
+
+[apache-shellshock]
+
+port = http,https
+logpath = %(apache_error_log)s
+maxretry = 1
+
+[nginx-http-auth]
+
+port = http,https
+logpath = %(nginx_error_log)s
+
+[nginx-botsearch]
+
+port = http,https
+logpath = %(nginx_error_log)s
+maxretry = 2
+
+# Ban attackers that try to use PHP's URL-fopen() functionality
+# through GET/POST variables. - Experimental, with more than a year
+# of usage in production environments.
+
+[php-url-fopen]
+
+port = http,https
+logpath = %(nginx_access_log)s
+ %(apache_access_log)s
+
+
+[suhosin]
+
+port = http,https
+logpath = %(suhosin_log)s
+
+
+[lighttpd-auth]
+# Same as above for Apache's mod_auth
+# It catches wrong authentifications
+port = http,https
+logpath = %(lighttpd_error_log)s
+
+
+#
+# Webmail and groupware servers
+#
+
+[roundcube-auth]
+
+port = http,https
+logpath = /var/log/roundcube/userlogins
+
+
+[openwebmail]
+
+port = http,https
+logpath = /var/log/openwebmail.log
+
+
+[horde]
+
+port = http,https
+logpath = /var/log/horde/horde.log
+
+
+[groupoffice]
+
+port = http,https
+logpath = /home/groupoffice/log/info.log
+
+
+[sogo-auth]
+# Monitor SOGo groupware server
+# without proxy this would be:
+# port = 20000
+port = http,https
+logpath = /var/log/sogo/sogo.log
+
+
+[tine20]
+
+logpath = /var/log/tine20/tine20.log
+port = http,https
+maxretry = 5
+
+
+#
+# Web Applications
+#
+#
+
+[drupal-auth]
+
+port = http,https
+logpath = %(syslog_daemon)s
+
+[guacamole]
+
+port = http,https
+logpath = /var/log/tomcat*/catalina.out
+
+[monit]
+#Ban clients brute-forcing the monit gui login
+filter = monit
+port = 2812
+logpath = /var/log/monit
+
+
+[webmin-auth]
+
+port = 10000
+logpath = %(syslog_authpriv)s
+
+
+#
+# HTTP Proxy servers
+#
+#
+
+[squid]
+
+port = 80,443,3128,8080
+logpath = /var/log/squid/access.log
+
+
+[3proxy]
+
+port = 3128
+logpath = /var/log/3proxy.log
+
+#
+# FTP servers
+#
+
+
+[proftpd]
+
+port = ftp,ftp-data,ftps,ftps-data
+logpath = %(proftpd_log)s
+
+
+[pure-ftpd]
+
+port = ftp,ftp-data,ftps,ftps-data
+logpath = %(pureftpd_log)s
+maxretry = 6
+
+
+[gssftpd]
+
+port = ftp,ftp-data,ftps,ftps-data
+logpath = %(syslog_daemon)s
+maxretry = 6
+
+
+[wuftpd]
+
+port = ftp,ftp-data,ftps,ftps-data
+logpath = %(wuftpd_log)s
+maxretry = 6
+
+
+[vsftpd]
+# or overwrite it in jails.local to be
+# logpath = %(syslog_authpriv)s
+# if you want to rely on PAM failed login attempts
+# vsftpd's failregex should match both of those formats
+port = ftp,ftp-data,ftps,ftps-data
+logpath = %(vsftpd_log)s
+
+
+#
+# Mail servers
+#
+
+# ASSP SMTP Proxy Jail
+[assp]
+
+port = smtp,465,submission
+logpath = /root/path/to/assp/logs/maillog.txt
+
+
+[courier-smtp]
+
+port = smtp,465,submission
+logpath = %(syslog_mail)s
+
+
+[postfix]
+
+port = smtp,465,submission
+logpath = %(postfix_log)s
+
+
+[postfix-rbl]
+
+port = smtp,465,submission
+logpath = %(syslog_mail)s
+maxretry = 1
+
+
+[sendmail-auth]
+
+port = submission,465,smtp
+logpath = %(syslog_mail)s
+
+
+[sendmail-reject]
+
+port = smtp,465,submission
+logpath = %(syslog_mail)s
+
+
+[qmail-rbl]
+
+filter = qmail
+port = smtp,465,submission
+logpath = /service/qmail/log/main/current
+
+
+# dovecot defaults to logging to the mail syslog facility
+# but can be set by syslog_facility in the dovecot configuration.
+[dovecot]
+
+port = pop3,pop3s,imap,imaps,submission,465,sieve
+logpath = %(dovecot_log)s
+
+
+[sieve]
+
+port = smtp,465,submission
+logpath = %(dovecot_log)s
+
+
+[solid-pop3d]
+
+port = pop3,pop3s
+logpath = %(solidpop3d_log)s
+
+
+[exim]
+
+port = smtp,465,submission
+logpath = %(exim_main_log)s
+
+
+[exim-spam]
+
+port = smtp,465,submission
+logpath = %(exim_main_log)s
+
+
+[kerio]
+
+port = imap,smtp,imaps,465
+logpath = /opt/kerio/mailserver/store/logs/security.log
+
+
+#
+# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
+# all relevant ports get banned
+#
+
+[courier-auth]
+
+port = smtp,465,submission,imap3,imaps,pop3,pop3s
+logpath = %(syslog_mail)s
+
+
+[postfix-sasl]
+
+port = smtp,465,submission,imap3,imaps,pop3,pop3s
+# You might consider monitoring /var/log/mail.warn instead if you are
+# running postfix since it would provide the same log lines at the
+# "warn" level but overall at the smaller filesize.
+logpath = %(postfix_log)s
+
+
+[perdition]
+
+port = imap3,imaps,pop3,pop3s
+logpath = %(syslog_mail)s
+
+
+[squirrelmail]
+
+port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks
+logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
+
+
+[cyrus-imap]
+
+port = imap3,imaps
+logpath = %(syslog_mail)s
+
+
+[uwimap-auth]
+
+port = imap3,imaps
+logpath = %(syslog_mail)s
+
+
+#
+#
+# DNS servers
+#
+
+
+# !!! WARNING !!!
+# Since UDP is connection-less protocol, spoofing of IP and imitation
+# of illegal actions is way too simple. Thus enabling of this filter
+# might provide an easy way for implementing a DoS against a chosen
+# victim. See
+# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
+# Please DO NOT USE this jail unless you know what you are doing.
+#
+# IMPORTANT: see filter.d/named-refused for instructions to enable logging
+# This jail blocks UDP traffic for DNS requests.
+# [named-refused-udp]
+#
+# filter = named-refused
+# port = domain,953
+# protocol = udp
+# logpath = /var/log/named/security.log
+
+# IMPORTANT: see filter.d/named-refused for instructions to enable logging
+# This jail blocks TCP traffic for DNS requests.
+
+[named-refused]
+
+port = domain,953
+logpath = /var/log/named/security.log
+
+
+[nsd]
+
+port = 53
+action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+ %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+logpath = /var/log/nsd.log
+
+
+#
+# Miscellaneous
+#
+
+[asterisk]
+
+port = 5060,5061
+action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+ %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+ %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
+logpath = /var/log/asterisk/messages
+maxretry = 10
+
+
+[freeswitch]
+
+port = 5060,5061
+action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+ %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+ %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
+logpath = /var/log/freeswitch.log
+maxretry = 10
+
+
+# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
+# equivalent section:
+# log-warning = 2
+#
+# for syslog (daemon facility)
+# [mysqld_safe]
+# syslog
+#
+# for own logfile
+# [mysqld]
+# log-error=/var/log/mysqld.log
+[mysqld-auth]
+
+port = 3306
+logpath = %(mysql_log)s
+maxretry = 5
+
+
+# Jail for more extended banning of persistent abusers
+# !!! WARNINGS !!!
+# 1. Make sure that your loglevel specified in fail2ban.conf/.local
+# is not at DEBUG level -- which might then cause fail2ban to fall into
+# an infinite loop constantly feeding itself with non-informative lines
+# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
+# to maintain entries for failed logins for sufficient amount of time
+[recidive]
+
+logpath = /var/log/fail2ban.log
+banaction = iptables-allports
+bantime = 604800 ; 1 week
+findtime = 86400 ; 1 day
+maxretry = 5
+
+
+# Generic filter for PAM. Has to be used with action which bans all
+# ports such as iptables-allports, shorewall
+
+[pam-generic]
+# pam-generic filter can be customized to monitor specific subset of 'tty's
+banaction = iptables-allports
+logpath = %(syslog_authpriv)s
+
+
+[xinetd-fail]
+
+banaction = iptables-multiport-log
+logpath = %(syslog_daemon)s
+maxretry = 2
+
+
+# stunnel - need to set port for this
+[stunnel]
+
+logpath = /var/log/stunnel4/stunnel.log
+
+
+[ejabberd-auth]
+
+port = 5222
+logpath = /var/log/ejabberd/ejabberd.log
+
+
+[counter-strike]
+
+logpath = /opt/cstrike/logs/L[0-9]*.log
+# Firewall: http://www.cstrike-planet.com/faq/6
+tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
+udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
+action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+ %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+
+# consider low maxretry and a long bantime
+# nobody except your own Nagios server should ever probe nrpe
+[nagios]
+
+enabled = false
+logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility
+maxretry = 1
+
+
+[oracleims]
+# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
+enabled = false
+logpath = /opt/sun/comms/messaging64/log/mail.log_current
+maxretry = 6
+banaction = iptables-allports
+
+[directadmin]
+enabled = false
+logpath = /var/log/directadmin/login.log
+port = 2222
+
+[portsentry]
+enabled = false
+logpath = /var/lib/portsentry/portsentry.history
+maxretry = 1
+
+# vim: filetype=dosini
--- /dev/null
+#
+# WARNING: heavily refactored in 0.9.0 release. Please review and
+# customize settings for your setup.
+#
+# Changes: in most of the cases you should not modify this
+# file, but provide customizations in jail.local file,
+# or separate .conf files under jail.d/ directory, e.g.:
+#
+# HOW TO ACTIVATE JAILS:
+#
+# YOU SHOULD NOT MODIFY THIS FILE.
+#
+# It will probably be overwritten or improved in a distribution update.
+#
+# Provide customizations in a jail.local file or a jail.d/customisation.local.
+# For example to change the default bantime for all jails and to enable the
+# ssh-iptables jail the following (uncommented) would appear in the .local file.
+# See man 5 jail.conf for details.
+#
+# [DEFAULT]
+# bantime = 3600
+#
+# [sshd]
+# enabled = true
+#
+# See jail.conf(5) man page for more information
+
+
+
+# Comments: use '#' for comment lines and ';' (following a space) for inline comments
+
+
+[INCLUDES]
+
+#before = paths-distro.conf
+before = paths-debian.conf
+
+# The DEFAULT allows a global definition of the options. They can be overridden
+# in each jail afterwards.
+
+[DEFAULT]
+
+#
+# MISCELLANEOUS OPTIONS
+#
+
+# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
+# ban a host which matches an address in this list. Several addresses can be
+# defined using space separator.
+ignoreip = 127.0.0.1/8
+
+# External command that will take an tagged arguments to ignore, e.g. <ip>,
+# and return true if the IP is to be ignored. False otherwise.
+#
+# ignorecommand = /path/to/command <ip>
+ignorecommand =
+
+# "bantime" is the number of seconds that a host is banned.
+bantime = 600
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime = 600
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 5
+
+# "backend" specifies the backend used to get files modification.
+# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
+# This option can be overridden in each jail as well.
+#
+# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
+# If pyinotify is not installed, Fail2ban will use auto.
+# gamin: requires Gamin (a file alteration monitor) to be installed.
+# If Gamin is not installed, Fail2ban will use auto.
+# polling: uses a polling algorithm which does not require external libraries.
+# systemd: uses systemd python library to access the systemd journal.
+# Specifying "logpath" is not valid for this backend.
+# See "journalmatch" in the jails associated filter config
+# auto: will try to use the following backends, in order:
+# pyinotify, gamin, polling.
+#
+# Note: if systemd backend is choses as the default but you enable a jail
+# for which logs are present only in its own log files, specify some other
+# backend for that jail (e.g. polling) and provide empty value for
+# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
+backend = auto
+
+# "usedns" specifies if jails should trust hostnames in logs,
+# warn when DNS lookups are performed, or ignore all hostnames in logs
+#
+# yes: if a hostname is encountered, a DNS lookup will be performed.
+# warn: if a hostname is encountered, a DNS lookup will be performed,
+# but it will be logged as a warning.
+# no: if a hostname is encountered, will not be used for banning,
+# but it will be logged as info.
+usedns = warn
+
+# "logencoding" specifies the encoding of the log files handled by the jail
+# This is used to decode the lines from the log file.
+# Typical examples: "ascii", "utf-8"
+#
+# auto: will use the system locale setting
+logencoding = auto
+
+# "enabled" enables the jails.
+# By default all jails are disabled, and it should stay this way.
+# Enable only relevant to your setup jails in your .local or jail.d/*.conf
+#
+# true: jail will be enabled and log files will get monitored for changes
+# false: jail is not enabled
+enabled = false
+
+
+# "filter" defines the filter to use by the jail.
+# By default jails have names matching their filter name
+#
+filter = %(__name__)s
+
+
+#
+# ACTIONS
+#
+
+# Some options used for actions
+
+# Destination email address used solely for the interpolations in
+# jail.{conf,local,d/*} configuration files.
+destemail = root@localhost
+
+# Sender email address used solely for some actions
+sender = root@localhost
+
+# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
+# mailing. Change mta configuration parameter to mail if you want to
+# revert to conventional 'mail'.
+mta = sendmail
+
+# Default protocol
+protocol = tcp
+
+# Specify chain where jumps would need to be added in iptables-* actions
+chain = INPUT
+
+# Ports to be banned
+# Usually should be overridden in a particular jail
+port = 0:65535
+
+#
+# Action shortcuts. To be used to define action parameter
+
+# Default banning action (e.g. iptables, iptables-new,
+# iptables-multiport, shorewall, etc) It is used to define
+# action_* variables. Can be overridden globally or per
+# section within jail.local file
+banaction = iptables-multiport
+
+# The simplest action to take: ban only
+action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report to the destemail.
+action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+ %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+ %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
+
+# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
+#
+# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
+# to the destemail.
+action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+ xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
+
+# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
+ %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
+
+# Report block via blocklist.de fail2ban reporting service API
+#
+# See the IMPORTANT note in action.d/blocklist_de.conf for when to
+# use this action. Create a file jail.d/blocklist_de.local containing
+# [Init]
+# blocklist_de_apikey = {api key from registration]
+#
+action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]
+
+# Report ban via badips.com, and use as blacklist
+#
+# See BadIPsAction docstring in config/action.d/badips.py for
+# documentation for this action.
+#
+# NOTE: This action relies on banaction being present on start and therefore
+# should be last action defined for a jail.
+#
+action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]
+
+# Choose default action. To change, just override value of 'action' with the
+# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
+# globally (section [DEFAULT]) or per specific section
+action = %(action_)s
+
+
+#
+# JAILS
+#
+
+#
+# SSH servers
+#
+
+[sshd]
+
+port = ssh
+logpath = %(sshd_log)s
+
+
+[sshd-ddos]
+# This jail corresponds to the standard configuration in Fail2ban.
+# The mail-whois action send a notification e-mail with a whois request
+# in the body.
+port = ssh
+logpath = %(sshd_log)s
+
+
+[dropbear]
+
+port = ssh
+logpath = %(dropbear_log)s
+
+
+[selinux-ssh]
+
+port = ssh
+logpath = %(auditd_log)s
+maxretry = 5
+
+
+#
+# HTTP servers
+#
+
+[apache-auth]
+
+port = http,https
+logpath = %(apache_error_log)s
+
+
+[apache-badbots]
+# Ban hosts which agent identifies spammer robots crawling the web
+# for email addresses. The mail outputs are buffered.
+port = http,https
+logpath = %(apache_access_log)s
+bantime = 172800
+maxretry = 1
+
+
+[apache-noscript]
+
+port = http,https
+logpath = %(apache_error_log)s
+maxretry = 6
+
+
+[apache-overflows]
+
+port = http,https
+logpath = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-nohome]
+
+port = http,https
+logpath = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-botsearch]
+
+port = http,https
+logpath = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-fakegooglebot]
+
+port = http,https
+logpath = %(apache_access_log)s
+maxretry = 1
+ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
+
+
+[apache-modsecurity]
+
+port = http,https
+logpath = %(apache_error_log)s
+maxretry = 2
+
+[apache-shellshock]
+
+port = http,https
+logpath = %(apache_error_log)s
+maxretry = 1
+
+[nginx-http-auth]
+
+port = http,https
+logpath = %(nginx_error_log)s
+
+[nginx-botsearch]
+
+port = http,https
+logpath = %(nginx_error_log)s
+maxretry = 2
+
+# Ban attackers that try to use PHP's URL-fopen() functionality
+# through GET/POST variables. - Experimental, with more than a year
+# of usage in production environments.
+
+[php-url-fopen]
+
+port = http,https
+logpath = %(nginx_access_log)s
+ %(apache_access_log)s
+
+
+[suhosin]
+
+port = http,https
+logpath = %(suhosin_log)s
+
+
+[lighttpd-auth]
+# Same as above for Apache's mod_auth
+# It catches wrong authentifications
+port = http,https
+logpath = %(lighttpd_error_log)s
+
+
+#
+# Webmail and groupware servers
+#
+
+[roundcube-auth]
+
+port = http,https
+logpath = logpath = %(roundcube_errors_log)s
+
+
+[openwebmail]
+
+port = http,https
+logpath = /var/log/openwebmail.log
+
+
+[horde]
+
+port = http,https
+logpath = /var/log/horde/horde.log
+
+
+[groupoffice]
+
+port = http,https
+logpath = /home/groupoffice/log/info.log
+
+
+[sogo-auth]
+# Monitor SOGo groupware server
+# without proxy this would be:
+# port = 20000
+port = http,https
+logpath = /var/log/sogo/sogo.log
+
+
+[tine20]
+
+logpath = /var/log/tine20/tine20.log
+port = http,https
+maxretry = 5
+
+
+#
+# Web Applications
+#
+#
+
+[drupal-auth]
+
+port = http,https
+logpath = %(syslog_daemon)s
+
+[guacamole]
+
+port = http,https
+logpath = /var/log/tomcat*/catalina.out
+
+[monit]
+#Ban clients brute-forcing the monit gui login
+filter = monit
+port = 2812
+logpath = /var/log/monit
+
+
+[webmin-auth]
+
+port = 10000
+logpath = %(syslog_authpriv)s
+
+
+[froxlor-auth]
+
+port = http,https
+logpath = %(syslog_authpriv)s
+
+
+#
+# HTTP Proxy servers
+#
+#
+
+[squid]
+
+port = 80,443,3128,8080
+logpath = /var/log/squid/access.log
+
+
+[3proxy]
+
+port = 3128
+logpath = /var/log/3proxy.log
+
+
+#
+# FTP servers
+#
+
+
+[proftpd]
+
+port = ftp,ftp-data,ftps,ftps-data
+logpath = %(proftpd_log)s
+
+
+[pure-ftpd]
+
+port = ftp,ftp-data,ftps,ftps-data
+logpath = %(pureftpd_log)s
+maxretry = 6
+
+
+[gssftpd]
+
+port = ftp,ftp-data,ftps,ftps-data
+logpath = %(syslog_daemon)s
+maxretry = 6
+
+
+[wuftpd]
+
+port = ftp,ftp-data,ftps,ftps-data
+logpath = %(wuftpd_log)s
+maxretry = 6
+
+
+[vsftpd]
+# or overwrite it in jails.local to be
+# logpath = %(syslog_authpriv)s
+# if you want to rely on PAM failed login attempts
+# vsftpd's failregex should match both of those formats
+port = ftp,ftp-data,ftps,ftps-data
+logpath = %(vsftpd_log)s
+
+
+#
+# Mail servers
+#
+
+# ASSP SMTP Proxy Jail
+[assp]
+
+port = smtp,465,submission
+logpath = /root/path/to/assp/logs/maillog.txt
+
+
+[courier-smtp]
+
+port = smtp,465,submission
+logpath = %(syslog_mail)s
+
+
+[postfix]
+
+port = smtp,465,submission
+logpath = %(postfix_log)s
+
+
+[postfix-rbl]
+
+port = smtp,465,submission
+logpath = %(syslog_mail)s
+maxretry = 1
+
+
+[sendmail-auth]
+
+port = submission,465,smtp
+logpath = %(syslog_mail)s
+
+
+[sendmail-reject]
+
+port = smtp,465,submission
+logpath = %(syslog_mail)s
+
+
+[qmail-rbl]
+
+filter = qmail
+port = smtp,465,submission
+logpath = /service/qmail/log/main/current
+
+
+# dovecot defaults to logging to the mail syslog facility
+# but can be set by syslog_facility in the dovecot configuration.
+[dovecot]
+
+port = pop3,pop3s,imap,imaps,submission,465,sieve
+logpath = %(dovecot_log)s
+
+
+[sieve]
+
+port = smtp,465,submission
+logpath = %(dovecot_log)s
+
+
+[solid-pop3d]
+
+port = pop3,pop3s
+logpath = %(solidpop3d_log)s
+
+
+[exim]
+
+port = smtp,465,submission
+logpath = %(exim_main_log)s
+
+
+[exim-spam]
+
+port = smtp,465,submission
+logpath = %(exim_main_log)s
+
+
+[kerio]
+
+port = imap,smtp,imaps,465
+logpath = /opt/kerio/mailserver/store/logs/security.log
+
+
+#
+# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
+# all relevant ports get banned
+#
+
+[courier-auth]
+
+port = smtp,465,submission,imap3,imaps,pop3,pop3s
+logpath = %(syslog_mail)s
+
+
+[postfix-sasl]
+
+port = smtp,465,submission,imap3,imaps,pop3,pop3s
+# You might consider monitoring /var/log/mail.warn instead if you are
+# running postfix since it would provide the same log lines at the
+# "warn" level but overall at the smaller filesize.
+logpath = %(postfix_log)s
+
+
+[perdition]
+
+port = imap3,imaps,pop3,pop3s
+logpath = %(syslog_mail)s
+
+
+[squirrelmail]
+
+port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks
+logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
+
+
+[cyrus-imap]
+
+port = imap3,imaps
+logpath = %(syslog_mail)s
+
+
+[uwimap-auth]
+
+port = imap3,imaps
+logpath = %(syslog_mail)s
+
+
+#
+#
+# DNS servers
+#
+
+
+# !!! WARNING !!!
+# Since UDP is connection-less protocol, spoofing of IP and imitation
+# of illegal actions is way too simple. Thus enabling of this filter
+# might provide an easy way for implementing a DoS against a chosen
+# victim. See
+# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
+# Please DO NOT USE this jail unless you know what you are doing.
+#
+# IMPORTANT: see filter.d/named-refused for instructions to enable logging
+# This jail blocks UDP traffic for DNS requests.
+# [named-refused-udp]
+#
+# filter = named-refused
+# port = domain,953
+# protocol = udp
+# logpath = /var/log/named/security.log
+
+# IMPORTANT: see filter.d/named-refused for instructions to enable logging
+# This jail blocks TCP traffic for DNS requests.
+
+[named-refused]
+
+port = domain,953
+logpath = /var/log/named/security.log
+
+
+[nsd]
+
+port = 53
+action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+ %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+logpath = /var/log/nsd.log
+
+
+#
+# Miscellaneous
+#
+
+[asterisk]
+
+port = 5060,5061
+action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+ %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+ %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
+logpath = /var/log/asterisk/messages
+maxretry = 10
+
+
+[freeswitch]
+
+port = 5060,5061
+action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+ %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+ %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
+logpath = /var/log/freeswitch.log
+maxretry = 10
+
+
+# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
+# equivalent section:
+# log-warning = 2
+#
+# for syslog (daemon facility)
+# [mysqld_safe]
+# syslog
+#
+# for own logfile
+# [mysqld]
+# log-error=/var/log/mysqld.log
+[mysqld-auth]
+
+port = 3306
+logpath = %(mysql_log)s
+maxretry = 5
+
+
+# Jail for more extended banning of persistent abusers
+# !!! WARNINGS !!!
+# 1. Make sure that your loglevel specified in fail2ban.conf/.local
+# is not at DEBUG level -- which might then cause fail2ban to fall into
+# an infinite loop constantly feeding itself with non-informative lines
+# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
+# to maintain entries for failed logins for sufficient amount of time
+[recidive]
+
+logpath = /var/log/fail2ban.log
+banaction = iptables-allports
+bantime = 604800 ; 1 week
+findtime = 86400 ; 1 day
+maxretry = 5
+
+
+# Generic filter for PAM. Has to be used with action which bans all
+# ports such as iptables-allports, shorewall
+
+[pam-generic]
+# pam-generic filter can be customized to monitor specific subset of 'tty's
+banaction = iptables-allports
+logpath = %(syslog_authpriv)s
+
+
+[xinetd-fail]
+
+banaction = iptables-multiport-log
+logpath = %(syslog_daemon)s
+maxretry = 2
+
+
+# stunnel - need to set port for this
+[stunnel]
+
+logpath = /var/log/stunnel4/stunnel.log
+
+
+[ejabberd-auth]
+
+port = 5222
+logpath = /var/log/ejabberd/ejabberd.log
+
+
+[counter-strike]
+
+logpath = /opt/cstrike/logs/L[0-9]*.log
+# Firewall: http://www.cstrike-planet.com/faq/6
+tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
+udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
+action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+ %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+
+# consider low maxretry and a long bantime
+# nobody except your own Nagios server should ever probe nrpe
+[nagios]
+
+enabled = false
+logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility
+maxretry = 1
+
+
+[oracleims]
+# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
+enabled = false
+logpath = /opt/sun/comms/messaging64/log/mail.log_current
+maxretry = 6
+banaction = iptables-allports
+
+[directadmin]
+enabled = false
+logpath = /var/log/directadmin/login.log
+port = 2222
+
+[portsentry]
+enabled = false
+logpath = /var/lib/portsentry/portsentry.history
+maxretry = 1
+
+[pass2allow-ftp]
+# this pass2allow example allows FTP traffic after successful HTTP authentication
+port = ftp,ftp-data,ftps,ftps-data
+# knocking_url variable must be overridden to some secret value in filter.d/apache-pass.local
+filter = apache-pass
+# access log of the website with HTTP auth
+logpath = %(apache_access_log)s
+blocktype = RETURN
+returntype = DROP
+bantime = 3600
+maxretry = 1
+findtime = 1
--- /dev/null
+# Debian
+
+[INCLUDES]
+
+before = paths-common.conf
+
+after = paths-overrides.local
+
+
+[DEFAULT]
+
+syslog_mail = /var/log/syslog.d/mail.log
+
+syslog_mail_warn = /var/log/mail/mail.warn.log
+
+syslog_authpriv = /var/log/syslog.d/authpriv.log
+
+syslog_auth = /var/log/syslog.d/auth.log
+
+syslog_user = /var/log/syslog.d/user.log
+
+syslog_ftp = /var/log/syslog
+
+syslog_daemon = /var/log/syslog.d/daemon.log
+
+syslog_local0 = /var/log/syslog.d/local0.log
+
+
+apache_error_log = /var/log/apache2/*error.log
+
+apache_access_log = /var/log/apache2/*access.log
+
+exim_main_log = /var/log/exim4/mainlog
+
+# was in debian squeezy but not in wheezy
+# /etc/proftpd/proftpd.conf (SystemLog)
+proftpd_log = /var/log/proftpd/proftpd.log
+
+
+# vim: filetype=dosini
--- /dev/null
+# Debian
+
+[INCLUDES]
+
+before = paths-common.conf
+
+after = paths-overrides.local
+
+
+[DEFAULT]
+
+syslog_mail = /var/log/mail.log
+
+syslog_mail_warn = /var/log/mail.warn
+
+syslog_authpriv = /var/log/auth.log
+
+# syslog_auth = /var/log/auth.log
+#
+syslog_user = /var/log/user.log
+
+syslog_ftp = /var/log/syslog
+
+syslog_daemon = /var/log/daemon.log
+
+syslog_local0 = /var/log/messages
+
+
+apache_error_log = /var/log/apache2/*error.log
+
+apache_access_log = /var/log/apache2/*access.log
+
+exim_main_log = /var/log/exim4/mainlog
+
+# was in debian squeezy but not in wheezy
+# /etc/proftpd/proftpd.conf (SystemLog)
+proftpd_log = /var/log/proftpd/proftpd.log
# http://pkgs.fedoraproject.org/cgit/fail2ban.git/tree/fail2ban-logrotate
/var/log/fail2ban.log {
- rotate 7
missingok
- compress
postrotate
/usr/bin/fail2ban-client flushlogs 1>/dev/null || true
endscript
+++ /dev/null
-# The VCS to use.
-#VCS="hg"
-VCS="git"
-#VCS="bzr"
-#VCS="darcs"
-
-# Options passed to git commit when run by etckeeper.
-GIT_COMMIT_OPTIONS=""
-
-# Options passed to hg commit when run by etckeeper.
-HG_COMMIT_OPTIONS=""
-
-# Options passed to bzr commit when run by etckeeper.
-BZR_COMMIT_OPTIONS=""
-
-# Options passed to darcs record when run by etckeeper.
-DARCS_COMMIT_OPTIONS="-a"
-
-# Uncomment to avoid etckeeper committing existing changes
-# to /etc automatically once per day.
-#AVOID_DAILY_AUTOCOMMITS=1
-
-# Uncomment the following to avoid special file warning
-# (the option is enabled automatically by cronjob regardless).
-#AVOID_SPECIAL_FILE_WARNING=1
-
-# Uncomment to avoid etckeeper committing existing changes to
-# /etc before installation. It will cancel the installation,
-# so you can commit the changes by hand.
-#AVOID_COMMIT_BEFORE_INSTALL=1
-
-# The high-level package manager that's being used.
-# (apt, pacman-g2, yum, dnf, zypper etc)
-#HIGHLEVEL_PACKAGE_MANAGER=apt
-
-# Gentoo specific:
-# For portage this is emerge
-# For paludis this is cave
-HIGHLEVEL_PACKAGE_MANAGER=emerge
-
-# The low-level package manager that's being used.
-# (dpkg, rpm, pacman, pacman-g2, etc)
-#LOWLEVEL_PACKAGE_MANAGER=dpkg
-
-# Gentoo specific:
-# For portage this is qlist
-# For paludis this is cave
-LOWLEVEL_PACKAGE_MANAGER=qlist
-
-# To push each commit to a remote, put the name of the remote here.
-# (eg, "origin" for git). Space-separated lists of multiple remotes
-# also work (eg, "origin gitlab github" for git).
-PUSH_REMOTE=""
#AVOID_COMMIT_BEFORE_INSTALL=1
# The high-level package manager that's being used.
-# (apt, pacman-g2, yum, zypper etc)
-# For gentoo this is emerge
+# (apt, pacman-g2, yum, dnf, zypper etc)
+#HIGHLEVEL_PACKAGE_MANAGER=apt
+
+# Gentoo specific:
+# For portage this is emerge
+# For paludis this is cave
HIGHLEVEL_PACKAGE_MANAGER=emerge
# The low-level package manager that's being used.
# (dpkg, rpm, pacman, pacman-g2, etc)
-# For gentoo this is qlist
+#LOWLEVEL_PACKAGE_MANAGER=dpkg
+
+# Gentoo specific:
+# For portage this is qlist
+# For paludis this is cave
LOWLEVEL_PACKAGE_MANAGER=qlist
# To push each commit to a remote, put the name of the remote here.
-# (eg, "origin" for git).
+# (eg, "origin" for git). Space-separated lists of multiple remotes
+# also work (eg, "origin gitlab github" for git).
PUSH_REMOTE="origin"
+++ /dev/null
-#
-# WARNING: heavily refactored in 0.9.0 release. Please review and
-# customize settings for your setup.
-#
-# Changes: in most of the cases you should not modify this
-# file, but provide customizations in jail.local file,
-# or separate .conf files under jail.d/ directory, e.g.:
-#
-# HOW TO ACTIVATE JAILS:
-#
-# YOU SHOULD NOT MODIFY THIS FILE.
-#
-# It will probably be overwritten or improved in a distribution update.
-#
-# Provide customizations in a jail.local file or a jail.d/customisation.local.
-# For example to change the default bantime for all jails and to enable the
-# ssh-iptables jail the following (uncommented) would appear in the .local file.
-# See man 5 jail.conf for details.
-#
-# [DEFAULT]
-# bantime = 3600
-#
-# [sshd]
-# enabled = true
-#
-# See jail.conf(5) man page for more information
-
-
-
-# Comments: use '#' for comment lines and ';' (following a space) for inline comments
-
-
-[INCLUDES]
-
-#before = paths-distro.conf
-before = paths-debian.conf
-
-# The DEFAULT allows a global definition of the options. They can be overridden
-# in each jail afterwards.
-
-[DEFAULT]
-
-#
-# MISCELLANEOUS OPTIONS
-#
-
-# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
-# ban a host which matches an address in this list. Several addresses can be
-# defined using space separator.
-ignoreip = 127.0.0.1/8
-
-# External command that will take an tagged arguments to ignore, e.g. <ip>,
-# and return true if the IP is to be ignored. False otherwise.
-#
-# ignorecommand = /path/to/command <ip>
-ignorecommand =
-
-# "bantime" is the number of seconds that a host is banned.
-bantime = 600
-
-# A host is banned if it has generated "maxretry" during the last "findtime"
-# seconds.
-findtime = 600
-
-# "maxretry" is the number of failures before a host get banned.
-maxretry = 5
-
-# "backend" specifies the backend used to get files modification.
-# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
-# This option can be overridden in each jail as well.
-#
-# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
-# If pyinotify is not installed, Fail2ban will use auto.
-# gamin: requires Gamin (a file alteration monitor) to be installed.
-# If Gamin is not installed, Fail2ban will use auto.
-# polling: uses a polling algorithm which does not require external libraries.
-# systemd: uses systemd python library to access the systemd journal.
-# Specifying "logpath" is not valid for this backend.
-# See "journalmatch" in the jails associated filter config
-# auto: will try to use the following backends, in order:
-# pyinotify, gamin, polling.
-#
-# Note: if systemd backend is choses as the default but you enable a jail
-# for which logs are present only in its own log files, specify some other
-# backend for that jail (e.g. polling) and provide empty value for
-# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
-backend = auto
-
-# "usedns" specifies if jails should trust hostnames in logs,
-# warn when DNS lookups are performed, or ignore all hostnames in logs
-#
-# yes: if a hostname is encountered, a DNS lookup will be performed.
-# warn: if a hostname is encountered, a DNS lookup will be performed,
-# but it will be logged as a warning.
-# no: if a hostname is encountered, will not be used for banning,
-# but it will be logged as info.
-usedns = warn
-
-# "logencoding" specifies the encoding of the log files handled by the jail
-# This is used to decode the lines from the log file.
-# Typical examples: "ascii", "utf-8"
-#
-# auto: will use the system locale setting
-logencoding = auto
-
-# "enabled" enables the jails.
-# By default all jails are disabled, and it should stay this way.
-# Enable only relevant to your setup jails in your .local or jail.d/*.conf
-#
-# true: jail will be enabled and log files will get monitored for changes
-# false: jail is not enabled
-enabled = false
-
-
-# "filter" defines the filter to use by the jail.
-# By default jails have names matching their filter name
-#
-filter = %(__name__)s
-
-
-#
-# ACTIONS
-#
-
-# Some options used for actions
-
-# Destination email address used solely for the interpolations in
-# jail.{conf,local,d/*} configuration files.
-destemail = root@localhost
-
-# Sender email address used solely for some actions
-sender = root@localhost
-
-# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
-# mailing. Change mta configuration parameter to mail if you want to
-# revert to conventional 'mail'.
-mta = sendmail
-
-# Default protocol
-protocol = tcp
-
-# Specify chain where jumps would need to be added in iptables-* actions
-chain = INPUT
-
-# Ports to be banned
-# Usually should be overridden in a particular jail
-port = 0:65535
-
-#
-# Action shortcuts. To be used to define action parameter
-
-# Default banning action (e.g. iptables, iptables-new,
-# iptables-multiport, shorewall, etc) It is used to define
-# action_* variables. Can be overridden globally or per
-# section within jail.local file
-banaction = iptables-multiport
-
-# The simplest action to take: ban only
-action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
-
-# ban & send an e-mail with whois report to the destemail.
-action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
- %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
-
-# ban & send an e-mail with whois report and relevant log lines
-# to the destemail.
-action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
- %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
-
-# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
-#
-# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
-# to the destemail.
-action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
- xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
-
-# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
-# to the destemail.
-action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
- %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
-
-# Report block via blocklist.de fail2ban reporting service API
-#
-# See the IMPORTANT note in action.d/blocklist_de.conf for when to
-# use this action. Create a file jail.d/blocklist_de.local containing
-# [Init]
-# blocklist_de_apikey = {api key from registration]
-#
-action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]
-
-# Report ban via badips.com, and use as blacklist
-#
-# See BadIPsAction docstring in config/action.d/badips.py for
-# documentation for this action.
-#
-# NOTE: This action relies on banaction being present on start and therefore
-# should be last action defined for a jail.
-#
-action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]
-
-# Choose default action. To change, just override value of 'action' with the
-# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
-# globally (section [DEFAULT]) or per specific section
-action = %(action_)s
-
-
-#
-# JAILS
-#
-
-#
-# SSH servers
-#
-
-[sshd]
-
-port = ssh
-logpath = %(sshd_log)s
-
-
-[sshd-ddos]
-# This jail corresponds to the standard configuration in Fail2ban.
-# The mail-whois action send a notification e-mail with a whois request
-# in the body.
-port = ssh
-logpath = %(sshd_log)s
-
-
-[dropbear]
-
-port = ssh
-logpath = %(dropbear_log)s
-
-
-[selinux-ssh]
-
-port = ssh
-logpath = %(auditd_log)s
-maxretry = 5
-
-
-#
-# HTTP servers
-#
-
-[apache-auth]
-
-port = http,https
-logpath = %(apache_error_log)s
-
-
-[apache-badbots]
-# Ban hosts which agent identifies spammer robots crawling the web
-# for email addresses. The mail outputs are buffered.
-port = http,https
-logpath = %(apache_access_log)s
-bantime = 172800
-maxretry = 1
-
-
-[apache-noscript]
-
-port = http,https
-logpath = %(apache_error_log)s
-maxretry = 6
-
-
-[apache-overflows]
-
-port = http,https
-logpath = %(apache_error_log)s
-maxretry = 2
-
-
-[apache-nohome]
-
-port = http,https
-logpath = %(apache_error_log)s
-maxretry = 2
-
-
-[apache-botsearch]
-
-port = http,https
-logpath = %(apache_error_log)s
-maxretry = 2
-
-
-[apache-fakegooglebot]
-
-port = http,https
-logpath = %(apache_access_log)s
-maxretry = 1
-ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
-
-
-[apache-modsecurity]
-
-port = http,https
-logpath = %(apache_error_log)s
-maxretry = 2
-
-[apache-shellshock]
-
-port = http,https
-logpath = %(apache_error_log)s
-maxretry = 1
-
-[nginx-http-auth]
-
-port = http,https
-logpath = %(nginx_error_log)s
-
-[nginx-botsearch]
-
-port = http,https
-logpath = %(nginx_error_log)s
-maxretry = 2
-
-# Ban attackers that try to use PHP's URL-fopen() functionality
-# through GET/POST variables. - Experimental, with more than a year
-# of usage in production environments.
-
-[php-url-fopen]
-
-port = http,https
-logpath = %(nginx_access_log)s
- %(apache_access_log)s
-
-
-[suhosin]
-
-port = http,https
-logpath = %(suhosin_log)s
-
-
-[lighttpd-auth]
-# Same as above for Apache's mod_auth
-# It catches wrong authentifications
-port = http,https
-logpath = %(lighttpd_error_log)s
-
-
-#
-# Webmail and groupware servers
-#
-
-[roundcube-auth]
-
-port = http,https
-logpath = logpath = %(roundcube_errors_log)s
-
-
-[openwebmail]
-
-port = http,https
-logpath = /var/log/openwebmail.log
-
-
-[horde]
-
-port = http,https
-logpath = /var/log/horde/horde.log
-
-
-[groupoffice]
-
-port = http,https
-logpath = /home/groupoffice/log/info.log
-
-
-[sogo-auth]
-# Monitor SOGo groupware server
-# without proxy this would be:
-# port = 20000
-port = http,https
-logpath = /var/log/sogo/sogo.log
-
-
-[tine20]
-
-logpath = /var/log/tine20/tine20.log
-port = http,https
-maxretry = 5
-
-
-#
-# Web Applications
-#
-#
-
-[drupal-auth]
-
-port = http,https
-logpath = %(syslog_daemon)s
-
-[guacamole]
-
-port = http,https
-logpath = /var/log/tomcat*/catalina.out
-
-[monit]
-#Ban clients brute-forcing the monit gui login
-filter = monit
-port = 2812
-logpath = /var/log/monit
-
-
-[webmin-auth]
-
-port = 10000
-logpath = %(syslog_authpriv)s
-
-
-[froxlor-auth]
-
-port = http,https
-logpath = %(syslog_authpriv)s
-
-
-#
-# HTTP Proxy servers
-#
-#
-
-[squid]
-
-port = 80,443,3128,8080
-logpath = /var/log/squid/access.log
-
-
-[3proxy]
-
-port = 3128
-logpath = /var/log/3proxy.log
-
-
-#
-# FTP servers
-#
-
-
-[proftpd]
-
-port = ftp,ftp-data,ftps,ftps-data
-logpath = %(proftpd_log)s
-
-
-[pure-ftpd]
-
-port = ftp,ftp-data,ftps,ftps-data
-logpath = %(pureftpd_log)s
-maxretry = 6
-
-
-[gssftpd]
-
-port = ftp,ftp-data,ftps,ftps-data
-logpath = %(syslog_daemon)s
-maxretry = 6
-
-
-[wuftpd]
-
-port = ftp,ftp-data,ftps,ftps-data
-logpath = %(wuftpd_log)s
-maxretry = 6
-
-
-[vsftpd]
-# or overwrite it in jails.local to be
-# logpath = %(syslog_authpriv)s
-# if you want to rely on PAM failed login attempts
-# vsftpd's failregex should match both of those formats
-port = ftp,ftp-data,ftps,ftps-data
-logpath = %(vsftpd_log)s
-
-
-#
-# Mail servers
-#
-
-# ASSP SMTP Proxy Jail
-[assp]
-
-port = smtp,465,submission
-logpath = /root/path/to/assp/logs/maillog.txt
-
-
-[courier-smtp]
-
-port = smtp,465,submission
-logpath = %(syslog_mail)s
-
-
-[postfix]
-
-port = smtp,465,submission
-logpath = %(postfix_log)s
-
-
-[postfix-rbl]
-
-port = smtp,465,submission
-logpath = %(syslog_mail)s
-maxretry = 1
-
-
-[sendmail-auth]
-
-port = submission,465,smtp
-logpath = %(syslog_mail)s
-
-
-[sendmail-reject]
-
-port = smtp,465,submission
-logpath = %(syslog_mail)s
-
-
-[qmail-rbl]
-
-filter = qmail
-port = smtp,465,submission
-logpath = /service/qmail/log/main/current
-
-
-# dovecot defaults to logging to the mail syslog facility
-# but can be set by syslog_facility in the dovecot configuration.
-[dovecot]
-
-port = pop3,pop3s,imap,imaps,submission,465,sieve
-logpath = %(dovecot_log)s
-
-
-[sieve]
-
-port = smtp,465,submission
-logpath = %(dovecot_log)s
-
-
-[solid-pop3d]
-
-port = pop3,pop3s
-logpath = %(solidpop3d_log)s
-
-
-[exim]
-
-port = smtp,465,submission
-logpath = %(exim_main_log)s
-
-
-[exim-spam]
-
-port = smtp,465,submission
-logpath = %(exim_main_log)s
-
-
-[kerio]
-
-port = imap,smtp,imaps,465
-logpath = /opt/kerio/mailserver/store/logs/security.log
-
-
-#
-# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
-# all relevant ports get banned
-#
-
-[courier-auth]
-
-port = smtp,465,submission,imap3,imaps,pop3,pop3s
-logpath = %(syslog_mail)s
-
-
-[postfix-sasl]
-
-port = smtp,465,submission,imap3,imaps,pop3,pop3s
-# You might consider monitoring /var/log/mail.warn instead if you are
-# running postfix since it would provide the same log lines at the
-# "warn" level but overall at the smaller filesize.
-logpath = %(postfix_log)s
-
-
-[perdition]
-
-port = imap3,imaps,pop3,pop3s
-logpath = %(syslog_mail)s
-
-
-[squirrelmail]
-
-port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks
-logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
-
-
-[cyrus-imap]
-
-port = imap3,imaps
-logpath = %(syslog_mail)s
-
-
-[uwimap-auth]
-
-port = imap3,imaps
-logpath = %(syslog_mail)s
-
-
-#
-#
-# DNS servers
-#
-
-
-# !!! WARNING !!!
-# Since UDP is connection-less protocol, spoofing of IP and imitation
-# of illegal actions is way too simple. Thus enabling of this filter
-# might provide an easy way for implementing a DoS against a chosen
-# victim. See
-# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
-# Please DO NOT USE this jail unless you know what you are doing.
-#
-# IMPORTANT: see filter.d/named-refused for instructions to enable logging
-# This jail blocks UDP traffic for DNS requests.
-# [named-refused-udp]
-#
-# filter = named-refused
-# port = domain,953
-# protocol = udp
-# logpath = /var/log/named/security.log
-
-# IMPORTANT: see filter.d/named-refused for instructions to enable logging
-# This jail blocks TCP traffic for DNS requests.
-
-[named-refused]
-
-port = domain,953
-logpath = /var/log/named/security.log
-
-
-[nsd]
-
-port = 53
-action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
- %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
-logpath = /var/log/nsd.log
-
-
-#
-# Miscellaneous
-#
-
-[asterisk]
-
-port = 5060,5061
-action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
- %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
- %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
-logpath = /var/log/asterisk/messages
-maxretry = 10
-
-
-[freeswitch]
-
-port = 5060,5061
-action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
- %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
- %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
-logpath = /var/log/freeswitch.log
-maxretry = 10
-
-
-# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
-# equivalent section:
-# log-warning = 2
-#
-# for syslog (daemon facility)
-# [mysqld_safe]
-# syslog
-#
-# for own logfile
-# [mysqld]
-# log-error=/var/log/mysqld.log
-[mysqld-auth]
-
-port = 3306
-logpath = %(mysql_log)s
-maxretry = 5
-
-
-# Jail for more extended banning of persistent abusers
-# !!! WARNINGS !!!
-# 1. Make sure that your loglevel specified in fail2ban.conf/.local
-# is not at DEBUG level -- which might then cause fail2ban to fall into
-# an infinite loop constantly feeding itself with non-informative lines
-# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
-# to maintain entries for failed logins for sufficient amount of time
-[recidive]
-
-logpath = /var/log/fail2ban.log
-banaction = iptables-allports
-bantime = 604800 ; 1 week
-findtime = 86400 ; 1 day
-maxretry = 5
-
-
-# Generic filter for PAM. Has to be used with action which bans all
-# ports such as iptables-allports, shorewall
-
-[pam-generic]
-# pam-generic filter can be customized to monitor specific subset of 'tty's
-banaction = iptables-allports
-logpath = %(syslog_authpriv)s
-
-
-[xinetd-fail]
-
-banaction = iptables-multiport-log
-logpath = %(syslog_daemon)s
-maxretry = 2
-
-
-# stunnel - need to set port for this
-[stunnel]
-
-logpath = /var/log/stunnel4/stunnel.log
-
-
-[ejabberd-auth]
-
-port = 5222
-logpath = /var/log/ejabberd/ejabberd.log
-
-
-[counter-strike]
-
-logpath = /opt/cstrike/logs/L[0-9]*.log
-# Firewall: http://www.cstrike-planet.com/faq/6
-tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
-udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
-action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
- %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
-
-# consider low maxretry and a long bantime
-# nobody except your own Nagios server should ever probe nrpe
-[nagios]
-
-enabled = false
-logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility
-maxretry = 1
-
-
-[oracleims]
-# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
-enabled = false
-logpath = /opt/sun/comms/messaging64/log/mail.log_current
-maxretry = 6
-banaction = iptables-allports
-
-[directadmin]
-enabled = false
-logpath = /var/log/directadmin/login.log
-port = 2222
-
-[portsentry]
-enabled = false
-logpath = /var/lib/portsentry/portsentry.history
-maxretry = 1
-
-[pass2allow-ftp]
-# this pass2allow example allows FTP traffic after successful HTTP authentication
-port = ftp,ftp-data,ftps,ftps-data
-# knocking_url variable must be overridden to some secret value in filter.d/apache-pass.local
-filter = apache-pass
-# access log of the website with HTTP auth
-logpath = %(apache_access_log)s
-blocktype = RETURN
-returntype = DROP
-bantime = 3600
-maxretry = 1
-findtime = 1
+++ /dev/null
-# Debian
-
-[INCLUDES]
-
-before = paths-common.conf
-
-after = paths-overrides.local
-
-
-[DEFAULT]
-
-syslog_mail = /var/log/mail.log
-
-syslog_mail_warn = /var/log/mail.warn
-
-syslog_authpriv = /var/log/auth.log
-
-# syslog_auth = /var/log/auth.log
-#
-syslog_user = /var/log/user.log
-
-syslog_ftp = /var/log/syslog
-
-syslog_daemon = /var/log/daemon.log
-
-syslog_local0 = /var/log/messages
-
-
-apache_error_log = /var/log/apache2/*error.log
-
-apache_access_log = /var/log/apache2/*access.log
-
-exim_main_log = /var/log/exim4/mainlog
-
-# was in debian squeezy but not in wheezy
-# /etc/proftpd/proftpd.conf (SystemLog)
-proftpd_log = /var/log/proftpd/proftpd.log
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
+# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
+ %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# Report block via blocklist.de fail2ban reporting service API
#
[sshd]
port = ssh
-logpath = /var/log/syslog.d/authpriv.log
+logpath = %(sshd_log)s
[sshd-ddos]
# The mail-whois action send a notification e-mail with a whois request
# in the body.
port = ssh
-logpath = /var/log/syslog.d/authpriv.log
+logpath = %(sshd_log)s
[dropbear]
[roundcube-auth]
port = http,https
-logpath = /var/log/roundcube/userlogins
+logpath = logpath = %(roundcube_errors_log)s
[openwebmail]
logpath = %(syslog_authpriv)s
+[froxlor-auth]
+
+port = http,https
+logpath = %(syslog_authpriv)s
+
+
#
# HTTP Proxy servers
#
port = 3128
logpath = /var/log/3proxy.log
+
#
# FTP servers
#
logpath = /var/lib/portsentry/portsentry.history
maxretry = 1
+[pass2allow-ftp]
+# this pass2allow example allows FTP traffic after successful HTTP authentication
+port = ftp,ftp-data,ftps,ftps-data
+# knocking_url variable must be overridden to some secret value in filter.d/apache-pass.local
+filter = apache-pass
+# access log of the website with HTTP auth
+logpath = %(apache_access_log)s
+blocktype = RETURN
+returntype = DROP
+bantime = 3600
+maxretry = 1
+findtime = 1
+
# vim: filetype=dosini
+++ /dev/null
-#
-# Gentoo:
-# http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/fail2ban/files/fail2ban-logrotate?view=markup
-#
-# Debian:
-# https://github.com/fail2ban/fail2ban/blob/debian/debian/fail2ban.logrotate
-#
-# Fedora view:
-# http://pkgs.fedoraproject.org/cgit/fail2ban.git/tree/fail2ban-logrotate
-
-/var/log/fail2ban.log {
- missingok
- postrotate
- /usr/bin/fail2ban-client flushlogs 1>/dev/null || true
- endscript
-}
projects / config / uhu1 / etc.git / commitdiff