From: Frank Brehm Date: Sun, 14 Dec 2014 07:38:33 +0000 (+0100) Subject: Current state X-Git-Url: https://git.uhu-banane.net/?a=commitdiff_plain;h=350ebbfbfe7a1c6b9763f4d5b5702c9b405331ee;p=config%2Fuhu1%2Fetc.git Current state --- diff --git a/.etckeeper b/.etckeeper index d5ac541..3b009b6 100755 --- a/.etckeeper +++ b/.etckeeper @@ -4,8 +4,8 @@ mkdir -p './ca-certificates/update.d' mkdir -p './courier-imap/shared' mkdir -p './courier-imap/shared.tmp' mkdir -p './dpkg/dpkg.cfg.d' +mkdir -p './fail2ban/fail2ban.d' mkdir -p './gtk-2.0/x86_64-pc-linux-gnu' -mkdir -p './lvm/cache' mkdir -p './salt/pki/minions_pre' mkdir -p './salt/pki/minions_rejected' mkdir -p './security/limits.d' @@ -13,7 +13,6 @@ mkdir -p './security/namespace.d' mkdir -p './sensors.d' mkdir -p './skel/.ssh' mkdir -p './smartd_warning.d' -mkdir -p './ssh/ca' mkdir -p './ssl/CA-Brehm/certs' mkdir -p './ssl/CA-Brehm/crl' mkdir -p './ssl/CA-Brehm/newcerts' @@ -157,6 +156,7 @@ maybe chmod 0644 'conf.d/consolefont' maybe chmod 0644 'conf.d/crypto-loop' maybe chmod 0644 'conf.d/device-mapper' maybe chmod 0644 'conf.d/dmesg' +maybe chmod 0644 'conf.d/fail2ban' maybe chmod 0644 'conf.d/fsck' maybe chmod 0644 'conf.d/gem_server' maybe chmod 0644 'conf.d/git-daemon' @@ -292,6 +292,7 @@ maybe chmod 0640 'config-archive/etc/cups/snmp.conf' maybe chmod 0640 'config-archive/etc/cups/snmp.conf.dist' maybe chmod 0755 'config-archive/etc/default' maybe chmod 0644 'config-archive/etc/default/grub' +maybe chmod 0644 'config-archive/etc/default/grub.1' maybe chmod 0644 'config-archive/etc/default/grub.dist' maybe chmod 0644 'config-archive/etc/dispatch-conf.conf' maybe chmod 0644 'config-archive/etc/dispatch-conf.conf.dist.new' @@ -311,6 +312,9 @@ maybe chmod 0644 'config-archive/etc/eselect/postgresql/slots/9.1/server' maybe chmod 0644 'config-archive/etc/eselect/postgresql/slots/9.1/server.1' maybe chmod 0644 'config-archive/etc/eselect/postgresql/slots/9.1/server.2' maybe chmod 0644 'config-archive/etc/eselect/postgresql/slots/9.1/server.dist' +maybe chmod 0755 'config-archive/etc/fail2ban' +maybe chmod 0644 'config-archive/etc/fail2ban/fail2ban.conf' +maybe chmod 0644 'config-archive/etc/fail2ban/fail2ban.conf.dist' maybe chmod 0644 'config-archive/etc/hosts' maybe chmod 0644 'config-archive/etc/hosts.dist.new' maybe chmod 0755 'config-archive/etc/init.d' @@ -378,6 +382,8 @@ maybe chmod 0644 'config-archive/etc/logrotate.conf.dist' maybe chmod 0755 'config-archive/etc/logrotate.d' maybe chmod 0644 'config-archive/etc/logrotate.d/clamav' maybe chmod 0644 'config-archive/etc/logrotate.d/clamav.dist' +maybe chmod 0644 'config-archive/etc/logrotate.d/fail2ban' +maybe chmod 0644 'config-archive/etc/logrotate.d/fail2ban.dist.new' maybe chmod 0644 'config-archive/etc/logrotate.d/syslog-ng' maybe chmod 0644 'config-archive/etc/logrotate.d/syslog-ng.dist.new' maybe chmod 0644 'config-archive/etc/logrotate.d/ulogd' @@ -550,6 +556,7 @@ maybe chmod 0644 'config-archive/etc/postfix/main.cf.4' maybe chmod 0644 'config-archive/etc/postfix/main.cf.5' maybe chmod 0644 'config-archive/etc/postfix/main.cf.6' maybe chmod 0644 'config-archive/etc/postfix/main.cf.7' +maybe chmod 0644 'config-archive/etc/postfix/main.cf.8' maybe chmod 0644 'config-archive/etc/postfix/main.cf.dist' maybe chmod 0644 'config-archive/etc/profile' maybe chmod 0755 'config-archive/etc/profile.d' @@ -579,6 +586,7 @@ maybe chmod 0600 'config-archive/etc/ssh/sshd_config' maybe chmod 0600 'config-archive/etc/ssh/sshd_config.1' maybe chmod 0600 'config-archive/etc/ssh/sshd_config.2' maybe chmod 0600 'config-archive/etc/ssh/sshd_config.3' +maybe chmod 0600 'config-archive/etc/ssh/sshd_config.4' maybe chmod 0600 'config-archive/etc/ssh/sshd_config.dist' maybe chmod 0755 'config-archive/etc/stunnel' maybe chmod 0644 'config-archive/etc/stunnel/stunnel.conf' @@ -686,6 +694,7 @@ maybe chgrp 'mail' 'courier/authlib/authsqliterc.dist' maybe chmod 0660 'courier/authlib/authsqliterc.dist' maybe chmod 0755 'cron.d' maybe chmod 0644 'cron.d/.keep_sys-process_vixie-cron-0' +maybe chmod 0644 'cron.d/sysstat' maybe chmod 0750 'cron.daily' maybe chmod 0644 'cron.daily/.keep_sys-process_cronbase-0' maybe chmod 0755 'cron.daily/00-logwatch' @@ -694,7 +703,6 @@ maybe chmod 0755 'cron.daily/makewhatis' maybe chmod 0755 'cron.daily/mlocate' maybe chmod 0755 'cron.daily/rkhunter' maybe chmod 0644 'cron.daily/run_reoback.sh' -maybe chmod 0755 'cron.daily/sysstat' maybe chmod 0644 'cron.deny' maybe chmod 0750 'cron.hourly' maybe chmod 0644 'cron.hourly/.keep_sys-process_cronbase-0' @@ -854,6 +862,134 @@ maybe chmod 0755 'etckeeper/vcs.d/50vcs-cmd' maybe chmod 0755 'facter' maybe chmod 0755 'facter/facts.d' maybe chmod 0644 'facter/facts.d/.keep_dev-ruby_facter-0' +maybe chmod 0755 'fail2ban' +maybe chmod 0755 'fail2ban/action.d' +maybe chmod 0644 'fail2ban/action.d/apf.conf' +maybe chmod 0644 'fail2ban/action.d/badips.conf' +maybe chmod 0644 'fail2ban/action.d/badips.py' +maybe chmod 0644 'fail2ban/action.d/blocklist_de.conf' +maybe chmod 0644 'fail2ban/action.d/bsd-ipfw.conf' +maybe chmod 0644 'fail2ban/action.d/cloudflare.conf' +maybe chmod 0644 'fail2ban/action.d/complain.conf' +maybe chmod 0644 'fail2ban/action.d/dshield.conf' +maybe chmod 0644 'fail2ban/action.d/dummy.conf' +maybe chmod 0644 'fail2ban/action.d/firewallcmd-ipset.conf' +maybe chmod 0644 'fail2ban/action.d/firewallcmd-new.conf' +maybe chmod 0644 'fail2ban/action.d/hostsdeny.conf' +maybe chmod 0644 'fail2ban/action.d/ipfilter.conf' +maybe chmod 0644 'fail2ban/action.d/ipfw.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-allports.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-common.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-ipset-proto4.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-ipset-proto6-allports.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-ipset-proto6.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-multiport-log.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-multiport.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-new.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-xt_recent-echo.conf' +maybe chmod 0644 'fail2ban/action.d/iptables.conf' +maybe chmod 0644 'fail2ban/action.d/mail-buffered.conf' +maybe chmod 0644 'fail2ban/action.d/mail-whois-lines.conf' +maybe chmod 0644 'fail2ban/action.d/mail-whois.conf' +maybe chmod 0644 'fail2ban/action.d/mail.conf' +maybe chmod 0644 'fail2ban/action.d/mynetwatchman.conf' +maybe chmod 0644 'fail2ban/action.d/osx-afctl.conf' +maybe chmod 0644 'fail2ban/action.d/osx-ipfw.conf' +maybe chmod 0644 'fail2ban/action.d/pf.conf' +maybe chmod 0644 'fail2ban/action.d/route.conf' +maybe chmod 0644 'fail2ban/action.d/sendmail-buffered.conf' +maybe chmod 0644 'fail2ban/action.d/sendmail-common.conf' +maybe chmod 0644 'fail2ban/action.d/sendmail-whois-ipjailmatches.conf' +maybe chmod 0644 'fail2ban/action.d/sendmail-whois-ipmatches.conf' +maybe chmod 0644 'fail2ban/action.d/sendmail-whois-lines.conf' +maybe chmod 0644 'fail2ban/action.d/sendmail-whois-matches.conf' +maybe chmod 0644 'fail2ban/action.d/sendmail-whois.conf' +maybe chmod 0644 'fail2ban/action.d/sendmail.conf' +maybe chmod 0644 'fail2ban/action.d/shorewall.conf' +maybe chmod 0644 'fail2ban/action.d/smtp.py' +maybe chmod 0644 'fail2ban/action.d/symbiosis-blacklist-allports.conf' +maybe chmod 0644 'fail2ban/action.d/ufw.conf' +maybe chmod 0644 'fail2ban/action.d/xarf-login-attack.conf' +maybe chmod 0644 'fail2ban/fail2ban.conf' +maybe chmod 0755 'fail2ban/fail2ban.d' +maybe chmod 0755 'fail2ban/filter.d' +maybe chmod 0644 'fail2ban/filter.d/3proxy.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-badbots.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-botsearch.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-common.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-modsecurity.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-nohome.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-noscript.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-overflows.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-shellshock.conf' +maybe chmod 0644 'fail2ban/filter.d/assp.conf' +maybe chmod 0644 'fail2ban/filter.d/asterisk.conf' +maybe chmod 0644 'fail2ban/filter.d/common.conf' +maybe chmod 0644 'fail2ban/filter.d/counter-strike.conf' +maybe chmod 0644 'fail2ban/filter.d/courier-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/courier-smtp.conf' +maybe chmod 0644 'fail2ban/filter.d/cyrus-imap.conf' +maybe chmod 0644 'fail2ban/filter.d/directadmin.conf' +maybe chmod 0644 'fail2ban/filter.d/dovecot.conf' +maybe chmod 0644 'fail2ban/filter.d/dropbear.conf' +maybe chmod 0644 'fail2ban/filter.d/ejabberd-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/exim-common.conf' +maybe chmod 0644 'fail2ban/filter.d/exim-spam.conf' +maybe chmod 0644 'fail2ban/filter.d/exim.conf' +maybe chmod 0644 'fail2ban/filter.d/freeswitch.conf' +maybe chmod 0644 'fail2ban/filter.d/groupoffice.conf' +maybe chmod 0644 'fail2ban/filter.d/gssftpd.conf' +maybe chmod 0644 'fail2ban/filter.d/guacamole.conf' +maybe chmod 0644 'fail2ban/filter.d/horde.conf' +maybe chmod 0644 'fail2ban/filter.d/kerio.conf' +maybe chmod 0644 'fail2ban/filter.d/lighttpd-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/monit.conf' +maybe chmod 0644 'fail2ban/filter.d/mysqld-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/nagios.conf' +maybe chmod 0644 'fail2ban/filter.d/named-refused.conf' +maybe chmod 0644 'fail2ban/filter.d/nginx-http-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/nsd.conf' +maybe chmod 0644 'fail2ban/filter.d/openwebmail.conf' +maybe chmod 0644 'fail2ban/filter.d/oracleims.conf' +maybe chmod 0644 'fail2ban/filter.d/pam-generic.conf' +maybe chmod 0644 'fail2ban/filter.d/perdition.conf' +maybe chmod 0644 'fail2ban/filter.d/php-url-fopen.conf' +maybe chmod 0644 'fail2ban/filter.d/portsentry.conf' +maybe chmod 0644 'fail2ban/filter.d/postfix-sasl.conf' +maybe chmod 0644 'fail2ban/filter.d/postfix.conf' +maybe chmod 0644 'fail2ban/filter.d/proftpd.conf' +maybe chmod 0644 'fail2ban/filter.d/pure-ftpd.conf' +maybe chmod 0644 'fail2ban/filter.d/qmail.conf' +maybe chmod 0644 'fail2ban/filter.d/recidive.conf' +maybe chmod 0644 'fail2ban/filter.d/roundcube-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/selinux-common.conf' +maybe chmod 0644 'fail2ban/filter.d/selinux-ssh.conf' +maybe chmod 0644 'fail2ban/filter.d/sendmail-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/sendmail-reject.conf' +maybe chmod 0644 'fail2ban/filter.d/sieve.conf' +maybe chmod 0644 'fail2ban/filter.d/sogo-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/solid-pop3d.conf' +maybe chmod 0644 'fail2ban/filter.d/squid.conf' +maybe chmod 0644 'fail2ban/filter.d/squirrelmail.conf' +maybe chmod 0644 'fail2ban/filter.d/sshd-ddos.conf' +maybe chmod 0644 'fail2ban/filter.d/sshd.conf' +maybe chmod 0644 'fail2ban/filter.d/stunnel.conf' +maybe chmod 0644 'fail2ban/filter.d/suhosin.conf' +maybe chmod 0644 'fail2ban/filter.d/tine20.conf' +maybe chmod 0644 'fail2ban/filter.d/uwimap-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/vsftpd.conf' +maybe chmod 0644 'fail2ban/filter.d/webmin-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/wuftpd.conf' +maybe chmod 0644 'fail2ban/filter.d/xinetd-fail.conf' +maybe chmod 0644 'fail2ban/jail.conf' +maybe chmod 0755 'fail2ban/jail.d' +maybe chmod 0644 'fail2ban/jail.d/sshd.conf' +maybe chmod 0644 'fail2ban/paths-common.conf' +maybe chmod 0644 'fail2ban/paths-debian.conf' +maybe chmod 0644 'fail2ban/paths-fedora.conf' +maybe chmod 0644 'fail2ban/paths-freebsd.conf' +maybe chmod 0644 'fail2ban/paths-osx.conf' maybe chmod 0644 'filesystems' maybe chmod 0755 'fonts' maybe chmod 0755 'fonts/conf.avail' @@ -964,6 +1100,7 @@ maybe chmod 0755 'init.d/device-mapper' maybe chmod 0755 'init.d/dhcpcd' maybe chmod 0755 'init.d/dmesg' maybe chmod 0755 'init.d/dmeventd' +maybe chmod 0755 'init.d/fail2ban' maybe chmod 0755 'init.d/fancontrol' maybe chmod 0755 'init.d/fsck' maybe chmod 0755 'init.d/gem_server' @@ -1073,6 +1210,7 @@ maybe chmod 0644 'kernel-config/config-3.10.25-gentoo-00' maybe chmod 0644 'kernel-config/config-3.10.7-gentoo-00' maybe chmod 0644 'kernel-config/config-3.12.13-gentoo-00' maybe chmod 0644 'kernel-config/config-3.14.14-gentoo-00' +maybe chmod 0644 'kernel-config/config-3.16.5-gentoo-00' maybe chmod 0644 'kernel-config/config-3.2.1-gentoo-r2-00' maybe chmod 0644 'kernel-config/config-3.3.8-gentoo-00' maybe chmod 0644 'kernel-config/config-3.4.9-gentoo-00' @@ -1108,7 +1246,9 @@ maybe chmod 0644 'logrotate.d/.keep_app-admin_logrotate-0' maybe chmod 0644 'logrotate.d/apache2' maybe chmod 0644 'logrotate.d/clamav' maybe chmod 0644 'logrotate.d/elog-save-summary' +maybe chmod 0644 'logrotate.d/fail2ban' maybe chmod 0644 'logrotate.d/mysql' +maybe chmod 0644 'logrotate.d/named' maybe chmod 0644 'logrotate.d/openrc' maybe chmod 0644 'logrotate.d/rsyncd' maybe chmod 0644 'logrotate.d/syslog-ng' @@ -1123,6 +1263,7 @@ maybe chmod 0600 'lvm/archive/vg00_00001-682332803.vg' maybe chmod 0700 'lvm/backup' maybe chmod 0600 'lvm/backup/vg00' maybe chmod 0700 'lvm/cache' +maybe chmod 0600 'lvm/cache/.cache' maybe chmod 0644 'lvm/lvm.conf' maybe chmod 0755 'lvm/profile' maybe chmod 0444 'lvm/profile/command_profile_template.profile' @@ -1285,6 +1426,7 @@ maybe chmod 0444 'openldap/schema/nis.ldif' maybe chmod 0444 'openldap/schema/nis.schema' maybe chmod 0444 'openldap/schema/openldap.ldif' maybe chmod 0444 'openldap/schema/openldap.schema' +maybe chmod 0644 'openldap/schema/openssh-lpk.schema' maybe chmod 0444 'openldap/schema/pmi.ldif' maybe chmod 0444 'openldap/schema/pmi.schema' maybe chmod 0444 'openldap/schema/ppolicy.ldif' @@ -1555,7 +1697,6 @@ maybe chmod 0755 'smartd_warning.sh' maybe chmod 0755 'snmp' maybe chmod 0644 'snmp/snmpd.conf.example' maybe chmod 0755 'ssh' -maybe chmod 0755 'ssh/ca' maybe chmod 0644 'ssh/moduli' maybe chmod 0644 'ssh/ssh_config' maybe chmod 0600 'ssh/ssh_host_dsa_key' @@ -1569,6 +1710,7 @@ maybe chmod 0644 'ssh/ssh_host_key.pub' maybe chmod 0600 'ssh/ssh_host_rsa_key' maybe chmod 0644 'ssh/ssh_host_rsa_key.pub' maybe chmod 0600 'ssh/sshd_config' +maybe chmod 0600 'ssh/sshd_config.orig' maybe chmod 0755 'ssl' maybe chmod 0755 'ssl/CA-Brehm' maybe chmod 0755 'ssl/CA-Brehm/apache2' diff --git a/bind/named-log.conf b/bind/named-log.conf index 9e4de15..be00ad4 100644 --- a/bind/named-log.conf +++ b/bind/named-log.conf @@ -33,13 +33,13 @@ logging { // Kanäle - channel complete_debug { - file "/var/log/bind/complete-debug.log"; - print-category yes; - print-severity yes; - print-time yes; - severity debug 99; - }; + //channel complete_debug { + // file "/var/log/bind/complete-debug.log"; + // print-category yes; + // print-severity yes; + // print-time yes; + // severity debug 99; + //}; channel logtofile { file "/var/log/bind/named.log"; print-category yes; @@ -47,20 +47,20 @@ logging { print-time yes; severity info; }; - channel moderate_debug { - file "/var/log/bind/debug.log"; - print-category yes; - print-severity yes; - print-time yes; - severity debug 1; - }; + //channel moderate_debug { + // file "/var/log/bind/debug.log"; + // print-category yes; + // print-severity yes; + // print-time yes; + // severity debug 1; + //}; channel query_logging { file "/var/log/bind/query.log"; print-time yes; }; channel syslog-warning { syslog daemon; - severity warning; + severity info; }; }; diff --git a/bind/named.conf.orig b/bind/named.conf.orig index 5b9c1cd..39f9be2 100644 --- a/bind/named.conf.orig +++ b/bind/named.conf.orig @@ -1,8 +1,8 @@ /* * Refer to the named.conf(5) and named(8) man pages, and the documentation - * in /usr/share/doc/bind-9 for more details. + * in /usr/share/doc/bind-* for more details. * Online versions of the documentation can be found here: - * http://www.isc.org/software/bind/documentation + * https://kb.isc.org/article/AA-01031 * * If you are going to set up an authoritative server, make sure you * understand the hairy details of how DNS works. Even with simple mistakes, @@ -87,7 +87,7 @@ options { */ - //dnssec-enable yes; + dnssec-enable yes; //dnssec-validation yes; /* @@ -95,7 +95,7 @@ options { * "If the root key provided has expired, * named will log the expiration and validation will not work." */ - //dnssec-validation auto; + dnssec-validation auto; /* if you have problems and are behind a firewall: */ //query-source address * port 53; @@ -131,12 +131,6 @@ zone "localhost" IN { notify no; }; -zone "127.in-addr.arpa" IN { - type master; - file "pri/127.zone"; - notify no; -}; - /* * Briefly, a zone which has been declared delegation-only will be effectively * limited to containing NS RRs for subdomains, but no actual data beyond its diff --git a/conf.d/fail2ban b/conf.d/fail2ban new file mode 100644 index 0000000..00d19f8 --- /dev/null +++ b/conf.d/fail2ban @@ -0,0 +1,8 @@ +# Config file for /etc/init.d/fail2ban +# +# For information on options, see "/usr/bin/fail2ban-client -h". + +FAIL2BAN_OPTIONS="" + +# Force execution of the server even if the socket already exists: +#FAIL2BAN_OPTIONS="-x" diff --git a/config-archive/etc/bind/named.conf.dist.new b/config-archive/etc/bind/named.conf.dist.new index 5b9c1cd..39f9be2 100644 --- a/config-archive/etc/bind/named.conf.dist.new +++ b/config-archive/etc/bind/named.conf.dist.new @@ -1,8 +1,8 @@ /* * Refer to the named.conf(5) and named(8) man pages, and the documentation - * in /usr/share/doc/bind-9 for more details. + * in /usr/share/doc/bind-* for more details. * Online versions of the documentation can be found here: - * http://www.isc.org/software/bind/documentation + * https://kb.isc.org/article/AA-01031 * * If you are going to set up an authoritative server, make sure you * understand the hairy details of how DNS works. Even with simple mistakes, @@ -87,7 +87,7 @@ options { */ - //dnssec-enable yes; + dnssec-enable yes; //dnssec-validation yes; /* @@ -95,7 +95,7 @@ options { * "If the root key provided has expired, * named will log the expiration and validation will not work." */ - //dnssec-validation auto; + dnssec-validation auto; /* if you have problems and are behind a firewall: */ //query-source address * port 53; @@ -131,12 +131,6 @@ zone "localhost" IN { notify no; }; -zone "127.in-addr.arpa" IN { - type master; - file "pri/127.zone"; - notify no; -}; - /* * Briefly, a zone which has been declared delegation-only will be effectively * limited to containing NS RRs for subdomains, but no actual data beyond its diff --git a/config-archive/etc/default/grub b/config-archive/etc/default/grub index 1ea8691..16776f5 100644 --- a/config-archive/etc/default/grub +++ b/config-archive/etc/default/grub @@ -1,23 +1,36 @@ -# Copyright 1999-2013 Gentoo Foundation +# Copyright 1999-2014 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-2,v 1.4 2013/09/21 18:10:55 floppym Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-3,v 1.3 2014/09/10 14:38:39 floppym Exp $ # # To populate all changes in this file you need to regenerate your # grub configuration file afterwards: # 'grub2-mkconfig -o /boot/grub/grub.cfg' # # See the grub info page for documentation on possible variables and -# their associated values. +# their associated values. GRUB_DISTRIBUTOR="Gentoo" -GRUB_DEFAULT=0 -GRUB_HIDDEN_TIMEOUT=5 -GRUB_HIDDEN_TIMEOUT_QUIET=true +# Default menu entry +#GRUB_DEFAULT=0 + +# Boot the default entry this many seconds after the menu is displayed +#GRUB_HIDDEN_TIMEOUT=5 +#GRUB_HIDDEN_TIMEOUT_QUIET=true +#GRUB_TIMEOUT=5 GRUB_TIMEOUT=10 +#GRUB_TIMEOUT_STYLE=menu # Append parameters to the linux kernel command line -# GRUB_CMDLINE_LINUX="" +#GRUB_CMDLINE_LINUX="" +# +# Examples: +# +# Boot with network interface renaming disabled +# GRUB_CMDLINE_LINUX="net.ifnames=0" +# +# Boot with systemd instead of sysvinit (openrc) +# GRUB_CMDLINE_LINUX="init=/usr/lib/systemd/systemd" # Append parameters to the linux kernel command line for non-recovery entries #GRUB_CMDLINE_LINUX_DEFAULT="" diff --git a/config-archive/etc/default/grub.1 b/config-archive/etc/default/grub.1 new file mode 100644 index 0000000..1ea8691 --- /dev/null +++ b/config-archive/etc/default/grub.1 @@ -0,0 +1,47 @@ +# Copyright 1999-2013 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-2,v 1.4 2013/09/21 18:10:55 floppym Exp $ +# +# To populate all changes in this file you need to regenerate your +# grub configuration file afterwards: +# 'grub2-mkconfig -o /boot/grub/grub.cfg' +# +# See the grub info page for documentation on possible variables and +# their associated values. + +GRUB_DISTRIBUTOR="Gentoo" + +GRUB_DEFAULT=0 +GRUB_HIDDEN_TIMEOUT=5 +GRUB_HIDDEN_TIMEOUT_QUIET=true +GRUB_TIMEOUT=10 + +# Append parameters to the linux kernel command line +# GRUB_CMDLINE_LINUX="" + +# Append parameters to the linux kernel command line for non-recovery entries +#GRUB_CMDLINE_LINUX_DEFAULT="" + +# Uncomment to disable graphical terminal (grub-pc only) +#GRUB_TERMINAL=console + +# The resolution used on graphical terminal. +# Note that you can use only modes which your graphic card supports via VBE. +# You can see them in real GRUB with the command `vbeinfo'. +#GRUB_GFXMODE=640x480 +GRUB_GFXMODE=800x600 + +# Path to theme spec txt file. +# The starfield is by default provided with use truetype. +# NOTE: when enabling custom theme, ensure you have required font/etc. +#GRUB_THEME="/boot/grub/themes/starfield/theme.txt" + +# Background image used on graphical terminal. +# Can be in various bitmap formats. +#GRUB_BACKGROUND="/boot/grub/mybackground.png" + +# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to kernel +GRUB_DISABLE_LINUX_UUID=true + +# Uncomment to disable generation of recovery mode menu entries +#GRUB_DISABLE_RECOVERY=true diff --git a/config-archive/etc/default/grub.dist b/config-archive/etc/default/grub.dist index 8f0549d..f3f7e47 100644 --- a/config-archive/etc/default/grub.dist +++ b/config-archive/etc/default/grub.dist @@ -1,6 +1,6 @@ # Copyright 1999-2014 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-3,v 1.3 2014/09/10 14:38:39 floppym Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-3,v 1.4 2014/10/16 04:04:02 floppym Exp $ # # To populate all changes in this file you need to regenerate your # grub configuration file afterwards: @@ -40,6 +40,13 @@ GRUB_DISTRIBUTOR="Gentoo" # You can see them in real GRUB with the command `vbeinfo'. #GRUB_GFXMODE=640x480 +# Set to 'text' to force the Linux kernel to boot in normal text +# mode, 'keep' to preserve the graphics mode set using +# 'GRUB_GFXMODE', 'WIDTHxHEIGHT'['xDEPTH'] to set a particular +# graphics mode, or a sequence of these separated by commas or +# semicolons to try several modes in sequence. +#GRUB_GFXPAYLOAD_LINUX= + # Path to theme spec txt file. # The starfield is by default provided with use truetype. # NOTE: when enabling custom theme, ensure you have required font/etc. diff --git a/config-archive/etc/fail2ban/fail2ban.conf b/config-archive/etc/fail2ban/fail2ban.conf new file mode 100644 index 0000000..f43afad --- /dev/null +++ b/config-archive/etc/fail2ban/fail2ban.conf @@ -0,0 +1,50 @@ +# Fail2Ban main configuration file +# +# Comments: use '#' for comment lines and ';' (following a space) for inline comments +# +# Changes: in most of the cases you should not modify this +# file, but provide customizations in fail2ban.local file, e.g.: +# +# [Definition] +# loglevel = 4 +# + +[Definition] + +# Option: loglevel +# Notes.: Set the log level output. +# 1 = ERROR +# 2 = WARN +# 3 = INFO +# 4 = DEBUG +# Values: [ NUM ] Default: 1 +# +loglevel = 3 + +# Option: logtarget +# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT. +# Only one log target can be specified. +# If you change logtarget from the default value and you are +# using logrotate -- also adjust or disable rotation in the +# corresponding configuration file +# (e.g. /etc/logrotate.d/fail2ban on Debian systems) +# Values: [ STDOUT | STDERR | SYSLOG | FILE ] Default: STDERR +# +logtarget = /var/log/fail2ban.log + +# Option: socket +# Notes.: Set the socket file. This is used to communicate with the daemon. Do +# not remove this file when Fail2ban runs. It will not be possible to +# communicate with the server afterwards. +# Values: [ FILE ] Default: /run/fail2ban/fail2ban.sock +# +socket = /run/fail2ban/fail2ban.sock + +# Option: pidfile +# Notes.: Set the PID file. This is used to store the process ID of the +# fail2ban server. +# Values: [ FILE ] Default: /run/fail2ban/fail2ban.pid +# +pidfile = /run/fail2ban/fail2ban.pid + +# vim: filetype=dosini diff --git a/config-archive/etc/fail2ban/fail2ban.conf.dist b/config-archive/etc/fail2ban/fail2ban.conf.dist new file mode 100644 index 0000000..2ad9fe7 --- /dev/null +++ b/config-archive/etc/fail2ban/fail2ban.conf.dist @@ -0,0 +1,63 @@ +# Fail2Ban main configuration file +# +# Comments: use '#' for comment lines and ';' (following a space) for inline comments +# +# Changes: in most of the cases you should not modify this +# file, but provide customizations in fail2ban.local file, e.g.: +# +# [Definition] +# loglevel = DEBUG +# + +[Definition] + +# Option: loglevel +# Notes.: Set the log level output. +# CRITICAL +# ERROR +# WARNING +# NOTICE +# INFO +# DEBUG +# Values: [ LEVEL ] Default: ERROR +# +loglevel = INFO + +# Option: logtarget +# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT. +# Only one log target can be specified. +# If you change logtarget from the default value and you are +# using logrotate -- also adjust or disable rotation in the +# corresponding configuration file +# (e.g. /etc/logrotate.d/fail2ban on Debian systems) +# Values: [ STDOUT | STDERR | SYSLOG | FILE ] Default: STDERR +# +logtarget = /var/log/fail2ban.log + +# Option: socket +# Notes.: Set the socket file. This is used to communicate with the daemon. Do +# not remove this file when Fail2ban runs. It will not be possible to +# communicate with the server afterwards. +# Values: [ FILE ] Default: /run/fail2ban/fail2ban.sock +# +socket = /run/fail2ban/fail2ban.sock + +# Option: pidfile +# Notes.: Set the PID file. This is used to store the process ID of the +# fail2ban server. +# Values: [ FILE ] Default: /run/fail2ban/fail2ban.pid +# +pidfile = /run/fail2ban/fail2ban.pid + +# Options: dbfile +# Notes.: Set the file for the fail2ban persistent data to be stored. +# A value of ":memory:" means database is only stored in memory +# and data is lost when fail2ban is stopped. +# A value of "None" disables the database. +# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3 +dbfile = /var/lib/fail2ban/fail2ban.sqlite3 + +# Options: dbpurgeage +# Notes.: Sets age at which bans should be purged from the database +# Values: [ SECONDS ] Default: 86400 (24hours) +dbpurgeage = 86400 diff --git a/config-archive/etc/logrotate.d/fail2ban b/config-archive/etc/logrotate.d/fail2ban new file mode 100644 index 0000000..cd29f90 --- /dev/null +++ b/config-archive/etc/logrotate.d/fail2ban @@ -0,0 +1,22 @@ +# +# Gentoo: +# http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/fail2ban/files/fail2ban-logrotate?view=markup +# +# Debian: +# https://github.com/fail2ban/fail2ban/blob/debian/debian/fail2ban.logrotate +# +# Fedora view: +# http://pkgs.fedoraproject.org/cgit/fail2ban.git/tree/fail2ban-logrotate + +/var/log/fail2ban.log { + rotate 7 + daily + size 1024K + maxage 1y + missingok + compress + delaycompress + postrotate + /usr/bin/fail2ban-client flushlogs 1>/dev/null || true + endscript +} diff --git a/config-archive/etc/logrotate.d/fail2ban.dist.new b/config-archive/etc/logrotate.d/fail2ban.dist.new new file mode 100644 index 0000000..a09870a --- /dev/null +++ b/config-archive/etc/logrotate.d/fail2ban.dist.new @@ -0,0 +1,18 @@ +# +# Gentoo: +# http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/fail2ban/files/fail2ban-logrotate?view=markup +# +# Debian: +# https://github.com/fail2ban/fail2ban/blob/debian/debian/fail2ban.logrotate +# +# Fedora view: +# http://pkgs.fedoraproject.org/cgit/fail2ban.git/tree/fail2ban-logrotate + +/var/log/fail2ban.log { + rotate 7 + missingok + compress + postrotate + /usr/bin/fail2ban-client flushlogs 1>/dev/null || true + endscript +} diff --git a/config-archive/etc/postfix/main.cf b/config-archive/etc/postfix/main.cf index b155ad2..2c7bd57 100644 --- a/config-archive/etc/postfix/main.cf +++ b/config-archive/etc/postfix/main.cf @@ -640,7 +640,7 @@ setgid_group = postdrop # html_directory: The location of the Postfix HTML documentation. # -html_directory = /usr/share/doc/postfix-2.10.2/html +html_directory = /usr/share/doc/postfix-2.10.3/html # manpage_directory: The location of the Postfix on-line manual pages. # @@ -653,7 +653,7 @@ sample_directory = /etc/postfix # readme_directory: The location of the Postfix README files. # -readme_directory = /usr/share/doc/postfix-2.10.2/readme +readme_directory = /usr/share/doc/postfix-2.10.3/readme home_mailbox = .maildir/ broken_sasl_auth_clients = yes diff --git a/config-archive/etc/postfix/main.cf.1 b/config-archive/etc/postfix/main.cf.1 index b47d5a0..b155ad2 100644 --- a/config-archive/etc/postfix/main.cf.1 +++ b/config-archive/etc/postfix/main.cf.1 @@ -640,7 +640,7 @@ setgid_group = postdrop # html_directory: The location of the Postfix HTML documentation. # -html_directory = /usr/share/doc/postfix-2.10.1/html +html_directory = /usr/share/doc/postfix-2.10.2/html # manpage_directory: The location of the Postfix on-line manual pages. # @@ -653,7 +653,7 @@ sample_directory = /etc/postfix # readme_directory: The location of the Postfix README files. # -readme_directory = /usr/share/doc/postfix-2.10.1/readme +readme_directory = /usr/share/doc/postfix-2.10.2/readme home_mailbox = .maildir/ broken_sasl_auth_clients = yes diff --git a/config-archive/etc/postfix/main.cf.2 b/config-archive/etc/postfix/main.cf.2 index a3de299..b47d5a0 100644 --- a/config-archive/etc/postfix/main.cf.2 +++ b/config-archive/etc/postfix/main.cf.2 @@ -640,7 +640,7 @@ setgid_group = postdrop # html_directory: The location of the Postfix HTML documentation. # -html_directory = /usr/share/doc/postfix-2.10.0/html +html_directory = /usr/share/doc/postfix-2.10.1/html # manpage_directory: The location of the Postfix on-line manual pages. # @@ -653,7 +653,7 @@ sample_directory = /etc/postfix # readme_directory: The location of the Postfix README files. # -readme_directory = /usr/share/doc/postfix-2.10.0/readme +readme_directory = /usr/share/doc/postfix-2.10.1/readme home_mailbox = .maildir/ broken_sasl_auth_clients = yes diff --git a/config-archive/etc/postfix/main.cf.3 b/config-archive/etc/postfix/main.cf.3 index f0345ad..a3de299 100644 --- a/config-archive/etc/postfix/main.cf.3 +++ b/config-archive/etc/postfix/main.cf.3 @@ -640,7 +640,7 @@ setgid_group = postdrop # html_directory: The location of the Postfix HTML documentation. # -html_directory = /usr/share/doc/postfix-2.9.5/html +html_directory = /usr/share/doc/postfix-2.10.0/html # manpage_directory: The location of the Postfix on-line manual pages. # @@ -653,7 +653,7 @@ sample_directory = /etc/postfix # readme_directory: The location of the Postfix README files. # -readme_directory = /usr/share/doc/postfix-2.9.5/readme +readme_directory = /usr/share/doc/postfix-2.10.0/readme home_mailbox = .maildir/ broken_sasl_auth_clients = yes diff --git a/config-archive/etc/postfix/main.cf.4 b/config-archive/etc/postfix/main.cf.4 index d148c85..f0345ad 100644 --- a/config-archive/etc/postfix/main.cf.4 +++ b/config-archive/etc/postfix/main.cf.4 @@ -640,7 +640,7 @@ setgid_group = postdrop # html_directory: The location of the Postfix HTML documentation. # -html_directory = /usr/share/doc/postfix-2.9.4/html +html_directory = /usr/share/doc/postfix-2.9.5/html # manpage_directory: The location of the Postfix on-line manual pages. # @@ -653,7 +653,7 @@ sample_directory = /etc/postfix # readme_directory: The location of the Postfix README files. # -readme_directory = /usr/share/doc/postfix-2.9.4/readme +readme_directory = /usr/share/doc/postfix-2.9.5/readme home_mailbox = .maildir/ broken_sasl_auth_clients = yes diff --git a/config-archive/etc/postfix/main.cf.5 b/config-archive/etc/postfix/main.cf.5 index fb2117d..d148c85 100644 --- a/config-archive/etc/postfix/main.cf.5 +++ b/config-archive/etc/postfix/main.cf.5 @@ -640,7 +640,7 @@ setgid_group = postdrop # html_directory: The location of the Postfix HTML documentation. # -html_directory = /usr/share/doc/postfix-2.9.3/html +html_directory = /usr/share/doc/postfix-2.9.4/html # manpage_directory: The location of the Postfix on-line manual pages. # @@ -653,7 +653,7 @@ sample_directory = /etc/postfix # readme_directory: The location of the Postfix README files. # -readme_directory = /usr/share/doc/postfix-2.9.3/readme +readme_directory = /usr/share/doc/postfix-2.9.4/readme home_mailbox = .maildir/ broken_sasl_auth_clients = yes diff --git a/config-archive/etc/postfix/main.cf.6 b/config-archive/etc/postfix/main.cf.6 index 95061cd..fb2117d 100644 --- a/config-archive/etc/postfix/main.cf.6 +++ b/config-archive/etc/postfix/main.cf.6 @@ -39,7 +39,7 @@ command_directory = /usr/sbin # daemon programs (i.e. programs listed in the master.cf file). This # directory must be owned by root. # -daemon_directory = /usr/lib64/postfix +daemon_directory = /usr/libexec/postfix # The data_directory parameter specifies the location of Postfix-writable # data files (caches, random numbers). This directory must be owned @@ -458,7 +458,12 @@ unknown_local_recipient_reject_code = 550 # the main.cf file, otherwise the SMTP server will reject mail for # non-UNIX accounts with "User unknown in local recipient table". # -#mailbox_transport = lmtp:unix:/file/name +# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd" +# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf. +#mailbox_transport = lmtp:unix:/var/imap/socket/lmtp +# +# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and +# subsequent line in master.cf. #mailbox_transport = cyrus # The fallback_transport specifies the optional transport in master.cf @@ -635,7 +640,7 @@ setgid_group = postdrop # html_directory: The location of the Postfix HTML documentation. # -html_directory = /usr/share/doc/postfix-2.8.9/html +html_directory = /usr/share/doc/postfix-2.9.3/html # manpage_directory: The location of the Postfix on-line manual pages. # @@ -648,7 +653,7 @@ sample_directory = /etc/postfix # readme_directory: The location of the Postfix README files. # -readme_directory = /usr/share/doc/postfix-2.8.9/readme +readme_directory = /usr/share/doc/postfix-2.9.3/readme home_mailbox = .maildir/ broken_sasl_auth_clients = yes diff --git a/config-archive/etc/postfix/main.cf.7 b/config-archive/etc/postfix/main.cf.7 index 2d40235..95061cd 100644 --- a/config-archive/etc/postfix/main.cf.7 +++ b/config-archive/etc/postfix/main.cf.7 @@ -635,7 +635,7 @@ setgid_group = postdrop # html_directory: The location of the Postfix HTML documentation. # -html_directory = /usr/share/doc/postfix-2.8.7/html +html_directory = /usr/share/doc/postfix-2.8.9/html # manpage_directory: The location of the Postfix on-line manual pages. # @@ -648,7 +648,7 @@ sample_directory = /etc/postfix # readme_directory: The location of the Postfix README files. # -readme_directory = /usr/share/doc/postfix-2.8.7/readme +readme_directory = /usr/share/doc/postfix-2.8.9/readme home_mailbox = .maildir/ broken_sasl_auth_clients = yes diff --git a/config-archive/etc/postfix/main.cf.8 b/config-archive/etc/postfix/main.cf.8 new file mode 100644 index 0000000..2d40235 --- /dev/null +++ b/config-archive/etc/postfix/main.cf.8 @@ -0,0 +1,681 @@ +# Global Postfix configuration file. This file lists only a subset +# of all parameters. For the syntax, and for a complete parameter +# list, see the postconf(5) manual page (command: "man 5 postconf"). +# +# For common configuration examples, see BASIC_CONFIGURATION_README +# and STANDARD_CONFIGURATION_README. To find these documents, use +# the command "postconf html_directory readme_directory", or go to +# http://www.postfix.org/. +# +# For best results, change no more than 2-3 parameters at a time, +# and test if Postfix still works after every change. + +# SOFT BOUNCE +# +# The soft_bounce parameter provides a limited safety net for +# testing. When soft_bounce is enabled, mail will remain queued that +# would otherwise bounce. This parameter disables locally-generated +# bounces, and prevents the SMTP server from rejecting mail permanently +# (by changing 5xx replies into 4xx replies). However, soft_bounce +# is no cure for address rewriting mistakes or mail routing mistakes. +# +#soft_bounce = no + +# LOCAL PATHNAME INFORMATION +# +# The queue_directory specifies the location of the Postfix queue. +# This is also the root directory of Postfix daemons that run chrooted. +# See the files in examples/chroot-setup for setting up Postfix chroot +# environments on different UNIX systems. +# +queue_directory = /var/spool/postfix + +# The command_directory parameter specifies the location of all +# postXXX commands. +# +command_directory = /usr/sbin + +# The daemon_directory parameter specifies the location of all Postfix +# daemon programs (i.e. programs listed in the master.cf file). This +# directory must be owned by root. +# +daemon_directory = /usr/lib64/postfix + +# The data_directory parameter specifies the location of Postfix-writable +# data files (caches, random numbers). This directory must be owned +# by the mail_owner account (see below). +# +data_directory = /var/lib/postfix + +# QUEUE AND PROCESS OWNERSHIP +# +# The mail_owner parameter specifies the owner of the Postfix queue +# and of most Postfix daemon processes. Specify the name of a user +# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS +# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In +# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED +# USER. +# +mail_owner = postfix + +# The default_privs parameter specifies the default rights used by +# the local delivery agent for delivery to external file or command. +# These rights are used in the absence of a recipient user context. +# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER. +# +#default_privs = nobody + +# INTERNET HOST AND DOMAIN NAMES +# +# The myhostname parameter specifies the internet hostname of this +# mail system. The default is to use the fully-qualified domain name +# from gethostname(). $myhostname is used as a default value for many +# other configuration parameters. +# +#myhostname = host.domain.tld +#myhostname = virtual.domain.tld + +# The mydomain parameter specifies the local internet domain name. +# The default is to use $myhostname minus the first component. +# $mydomain is used as a default value for many other configuration +# parameters. +# +#mydomain = domain.tld + +# SENDING MAIL +# +# The myorigin parameter specifies the domain that locally-posted +# mail appears to come from. The default is to append $myhostname, +# which is fine for small sites. If you run a domain with multiple +# machines, you should (1) change this to $mydomain and (2) set up +# a domain-wide alias database that aliases each user to +# user@that.users.mailhost. +# +# For the sake of consistency between sender and recipient addresses, +# myorigin also specifies the default domain name that is appended +# to recipient addresses that have no @domain part. +# +#myorigin = $myhostname +#myorigin = $mydomain + +# RECEIVING MAIL + +# The inet_interfaces parameter specifies the network interface +# addresses that this mail system receives mail on. By default, +# the software claims all active interfaces on the machine. The +# parameter also controls delivery of mail to user@[ip.address]. +# +# See also the proxy_interfaces parameter, for network addresses that +# are forwarded to us via a proxy or network address translator. +# +# Note: you need to stop/start Postfix when this parameter changes. +# +#inet_interfaces = all +#inet_interfaces = $myhostname +#inet_interfaces = $myhostname, localhost + +# The proxy_interfaces parameter specifies the network interface +# addresses that this mail system receives mail on by way of a +# proxy or network address translation unit. This setting extends +# the address list specified with the inet_interfaces parameter. +# +# You must specify your proxy/NAT addresses when your system is a +# backup MX host for other domains, otherwise mail delivery loops +# will happen when the primary MX host is down. +# +#proxy_interfaces = +#proxy_interfaces = 1.2.3.4 + +# The mydestination parameter specifies the list of domains that this +# machine considers itself the final destination for. +# +# These domains are routed to the delivery agent specified with the +# local_transport parameter setting. By default, that is the UNIX +# compatible delivery agent that lookups all recipients in /etc/passwd +# and /etc/aliases or their equivalent. +# +# The default is $myhostname + localhost.$mydomain. On a mail domain +# gateway, you should also include $mydomain. +# +# Do not specify the names of virtual domains - those domains are +# specified elsewhere (see VIRTUAL_README). +# +# Do not specify the names of domains that this machine is backup MX +# host for. Specify those names via the relay_domains settings for +# the SMTP server, or use permit_mx_backup if you are lazy (see +# STANDARD_CONFIGURATION_README). +# +# The local machine is always the final destination for mail addressed +# to user@[the.net.work.address] of an interface that the mail system +# receives mail on (see the inet_interfaces parameter). +# +# Specify a list of host or domain names, /file/name or type:table +# patterns, separated by commas and/or whitespace. A /file/name +# pattern is replaced by its contents; a type:table is matched when +# a name matches a lookup key (the right-hand side is ignored). +# Continue long lines by starting the next line with whitespace. +# +# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS". +# +#mydestination = $myhostname, localhost.$mydomain, localhost +#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain +#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, +# mail.$mydomain, www.$mydomain, ftp.$mydomain + +# REJECTING MAIL FOR UNKNOWN LOCAL USERS +# +# The local_recipient_maps parameter specifies optional lookup tables +# with all names or addresses of users that are local with respect +# to $mydestination, $inet_interfaces or $proxy_interfaces. +# +# If this parameter is defined, then the SMTP server will reject +# mail for unknown local users. This parameter is defined by default. +# +# To turn off local recipient checking in the SMTP server, specify +# local_recipient_maps = (i.e. empty). +# +# The default setting assumes that you use the default Postfix local +# delivery agent for local delivery. You need to update the +# local_recipient_maps setting if: +# +# - You define $mydestination domain recipients in files other than +# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files. +# For example, you define $mydestination domain recipients in +# the $virtual_mailbox_maps files. +# +# - You redefine the local delivery agent in master.cf. +# +# - You redefine the "local_transport" setting in main.cf. +# +# - You use the "luser_relay", "mailbox_transport", or "fallback_transport" +# feature of the Postfix local delivery agent (see local(8)). +# +# Details are described in the LOCAL_RECIPIENT_README file. +# +# Beware: if the Postfix SMTP server runs chrooted, you probably have +# to access the passwd file via the proxymap service, in order to +# overcome chroot restrictions. The alternative, having a copy of +# the system passwd file in the chroot jail is just not practical. +# +# The right-hand side of the lookup tables is conveniently ignored. +# In the left-hand side, specify a bare username, an @domain.tld +# wild-card, or specify a user@domain.tld address. +# +#local_recipient_maps = unix:passwd.byname $alias_maps +#local_recipient_maps = proxy:unix:passwd.byname $alias_maps +#local_recipient_maps = + +# The unknown_local_recipient_reject_code specifies the SMTP server +# response code when a recipient domain matches $mydestination or +# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty +# and the recipient address or address local-part is not found. +# +# The default setting is 550 (reject mail) but it is safer to start +# with 450 (try again later) until you are certain that your +# local_recipient_maps settings are OK. +# +unknown_local_recipient_reject_code = 550 + +# TRUST AND RELAY CONTROL + +# The mynetworks parameter specifies the list of "trusted" SMTP +# clients that have more privileges than "strangers". +# +# In particular, "trusted" SMTP clients are allowed to relay mail +# through Postfix. See the smtpd_recipient_restrictions parameter +# in postconf(5). +# +# You can specify the list of "trusted" network addresses by hand +# or you can let Postfix do it for you (which is the default). +# +# By default (mynetworks_style = subnet), Postfix "trusts" SMTP +# clients in the same IP subnetworks as the local machine. +# On Linux, this does works correctly only with interfaces specified +# with the "ifconfig" command. +# +# Specify "mynetworks_style = class" when Postfix should "trust" SMTP +# clients in the same IP class A/B/C networks as the local machine. +# Don't do this with a dialup site - it would cause Postfix to "trust" +# your entire provider's network. Instead, specify an explicit +# mynetworks list by hand, as described below. +# +# Specify "mynetworks_style = host" when Postfix should "trust" +# only the local machine. +# +#mynetworks_style = class +#mynetworks_style = subnet +#mynetworks_style = host + +# Alternatively, you can specify the mynetworks list by hand, in +# which case Postfix ignores the mynetworks_style setting. +# +# Specify an explicit list of network/netmask patterns, where the +# mask specifies the number of bits in the network part of a host +# address. +# +# You can also specify the absolute pathname of a pattern file instead +# of listing the patterns here. Specify type:table for table-based lookups +# (the value on the table right-hand side is not used). +# +#mynetworks = 168.100.189.0/28, 127.0.0.0/8 +#mynetworks = $config_directory/mynetworks +#mynetworks = hash:/etc/postfix/network_table + +# The relay_domains parameter restricts what destinations this system will +# relay mail to. See the smtpd_recipient_restrictions description in +# postconf(5) for detailed information. +# +# By default, Postfix relays mail +# - from "trusted" clients (IP address matches $mynetworks) to any destination, +# - from "untrusted" clients to destinations that match $relay_domains or +# subdomains thereof, except addresses with sender-specified routing. +# The default relay_domains value is $mydestination. +# +# In addition to the above, the Postfix SMTP server by default accepts mail +# that Postfix is final destination for: +# - destinations that match $inet_interfaces or $proxy_interfaces, +# - destinations that match $mydestination +# - destinations that match $virtual_alias_domains, +# - destinations that match $virtual_mailbox_domains. +# These destinations do not need to be listed in $relay_domains. +# +# Specify a list of hosts or domains, /file/name patterns or type:name +# lookup tables, separated by commas and/or whitespace. Continue +# long lines by starting the next line with whitespace. A file name +# is replaced by its contents; a type:name table is matched when a +# (parent) domain appears as lookup key. +# +# NOTE: Postfix will not automatically forward mail for domains that +# list this system as their primary or backup MX host. See the +# permit_mx_backup restriction description in postconf(5). +# +#relay_domains = $mydestination + +# INTERNET OR INTRANET + +# The relayhost parameter specifies the default host to send mail to +# when no entry is matched in the optional transport(5) table. When +# no relayhost is given, mail is routed directly to the destination. +# +# On an intranet, specify the organizational domain name. If your +# internal DNS uses no MX records, specify the name of the intranet +# gateway host instead. +# +# In the case of SMTP, specify a domain, host, host:port, [host]:port, +# [address] or [address]:port; the form [host] turns off MX lookups. +# +# If you're connected via UUCP, see also the default_transport parameter. +# +#relayhost = $mydomain +#relayhost = [gateway.my.domain] +#relayhost = [mailserver.isp.tld] +#relayhost = uucphost +#relayhost = [an.ip.add.ress] + +# REJECTING UNKNOWN RELAY USERS +# +# The relay_recipient_maps parameter specifies optional lookup tables +# with all addresses in the domains that match $relay_domains. +# +# If this parameter is defined, then the SMTP server will reject +# mail for unknown relay users. This feature is off by default. +# +# The right-hand side of the lookup tables is conveniently ignored. +# In the left-hand side, specify an @domain.tld wild-card, or specify +# a user@domain.tld address. +# +#relay_recipient_maps = hash:/etc/postfix/relay_recipients + +# INPUT RATE CONTROL +# +# The in_flow_delay configuration parameter implements mail input +# flow control. This feature is turned on by default, although it +# still needs further development (it's disabled on SCO UNIX due +# to an SCO bug). +# +# A Postfix process will pause for $in_flow_delay seconds before +# accepting a new message, when the message arrival rate exceeds the +# message delivery rate. With the default 100 SMTP server process +# limit, this limits the mail inflow to 100 messages a second more +# than the number of messages delivered per second. +# +# Specify 0 to disable the feature. Valid delays are 0..10. +# +#in_flow_delay = 1s + +# ADDRESS REWRITING +# +# The ADDRESS_REWRITING_README document gives information about +# address masquerading or other forms of address rewriting including +# username->Firstname.Lastname mapping. + +# ADDRESS REDIRECTION (VIRTUAL DOMAIN) +# +# The VIRTUAL_README document gives information about the many forms +# of domain hosting that Postfix supports. + +# "USER HAS MOVED" BOUNCE MESSAGES +# +# See the discussion in the ADDRESS_REWRITING_README document. + +# TRANSPORT MAP +# +# See the discussion in the ADDRESS_REWRITING_README document. + +# ALIAS DATABASE +# +# The alias_maps parameter specifies the list of alias databases used +# by the local delivery agent. The default list is system dependent. +# +# On systems with NIS, the default is to search the local alias +# database, then the NIS alias database. See aliases(5) for syntax +# details. +# +# If you change the alias database, run "postalias /etc/aliases" (or +# wherever your system stores the mail alias file), or simply run +# "newaliases" to build the necessary DBM or DB file. +# +# It will take a minute or so before changes become visible. Use +# "postfix reload" to eliminate the delay. +# +#alias_maps = dbm:/etc/aliases +#alias_maps = hash:/etc/aliases +#alias_maps = hash:/etc/aliases, nis:mail.aliases +#alias_maps = netinfo:/aliases + +# The alias_database parameter specifies the alias database(s) that +# are built with "newaliases" or "sendmail -bi". This is a separate +# configuration parameter, because alias_maps (see above) may specify +# tables that are not necessarily all under control by Postfix. +# +#alias_database = dbm:/etc/aliases +#alias_database = dbm:/etc/mail/aliases +#alias_database = hash:/etc/aliases +#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases + +# ADDRESS EXTENSIONS (e.g., user+foo) +# +# The recipient_delimiter parameter specifies the separator between +# user names and address extensions (user+foo). See canonical(5), +# local(8), relocated(5) and virtual(5) for the effects this has on +# aliases, canonical, virtual, relocated and .forward file lookups. +# Basically, the software tries user+foo and .forward+foo before +# trying user and .forward. +# +#recipient_delimiter = + + +# DELIVERY TO MAILBOX +# +# The home_mailbox parameter specifies the optional pathname of a +# mailbox file relative to a user's home directory. The default +# mailbox file is /var/spool/mail/user or /var/mail/user. Specify +# "Maildir/" for qmail-style delivery (the / is required). +# +#home_mailbox = Mailbox +#home_mailbox = Maildir/ + +# The mail_spool_directory parameter specifies the directory where +# UNIX-style mailboxes are kept. The default setting depends on the +# system type. +# +#mail_spool_directory = /var/mail +#mail_spool_directory = /var/spool/mail + +# The mailbox_command parameter specifies the optional external +# command to use instead of mailbox delivery. The command is run as +# the recipient with proper HOME, SHELL and LOGNAME environment settings. +# Exception: delivery for root is done as $default_user. +# +# Other environment variables of interest: USER (recipient username), +# EXTENSION (address extension), DOMAIN (domain part of address), +# and LOCAL (the address localpart). +# +# Unlike other Postfix configuration parameters, the mailbox_command +# parameter is not subjected to $parameter substitutions. This is to +# make it easier to specify shell syntax (see example below). +# +# Avoid shell meta characters because they will force Postfix to run +# an expensive shell process. Procmail alone is expensive enough. +# +# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN +# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER. +# +#mailbox_command = /some/where/procmail +#mailbox_command = /some/where/procmail -a "$EXTENSION" + +# The mailbox_transport specifies the optional transport in master.cf +# to use after processing aliases and .forward files. This parameter +# has precedence over the mailbox_command, fallback_transport and +# luser_relay parameters. +# +# Specify a string of the form transport:nexthop, where transport is +# the name of a mail delivery transport defined in master.cf. The +# :nexthop part is optional. For more details see the sample transport +# configuration file. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must update the "local_recipient_maps" setting in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +#mailbox_transport = lmtp:unix:/file/name +#mailbox_transport = cyrus + +# The fallback_transport specifies the optional transport in master.cf +# to use for recipients that are not found in the UNIX passwd database. +# This parameter has precedence over the luser_relay parameter. +# +# Specify a string of the form transport:nexthop, where transport is +# the name of a mail delivery transport defined in master.cf. The +# :nexthop part is optional. For more details see the sample transport +# configuration file. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must update the "local_recipient_maps" setting in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +#fallback_transport = lmtp:unix:/file/name +#fallback_transport = cyrus +#fallback_transport = + +# The luser_relay parameter specifies an optional destination address +# for unknown recipients. By default, mail for unknown@$mydestination, +# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned +# as undeliverable. +# +# The following expansions are done on luser_relay: $user (recipient +# username), $shell (recipient shell), $home (recipient home directory), +# $recipient (full recipient address), $extension (recipient address +# extension), $domain (recipient domain), $local (entire recipient +# localpart), $recipient_delimiter. Specify ${name?value} or +# ${name:value} to expand value only when $name does (does not) exist. +# +# luser_relay works only for the default Postfix local delivery agent. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must specify "local_recipient_maps =" (i.e. empty) in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +#luser_relay = $user@other.host +#luser_relay = $local@other.host +#luser_relay = admin+$local + +# JUNK MAIL CONTROLS +# +# The controls listed here are only a very small subset. The file +# SMTPD_ACCESS_README provides an overview. + +# The header_checks parameter specifies an optional table with patterns +# that each logical message header is matched against, including +# headers that span multiple physical lines. +# +# By default, these patterns also apply to MIME headers and to the +# headers of attached messages. With older Postfix versions, MIME and +# attached message headers were treated as body text. +# +# For details, see "man header_checks". +# +#header_checks = regexp:/etc/postfix/header_checks + +# FAST ETRN SERVICE +# +# Postfix maintains per-destination logfiles with information about +# deferred mail, so that mail can be flushed quickly with the SMTP +# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld". +# See the ETRN_README document for a detailed description. +# +# The fast_flush_domains parameter controls what destinations are +# eligible for this service. By default, they are all domains that +# this server is willing to relay mail to. +# +#fast_flush_domains = $relay_domains + +# SHOW SOFTWARE VERSION OR NOT +# +# The smtpd_banner parameter specifies the text that follows the 220 +# code in the SMTP server's greeting banner. Some people like to see +# the mail version advertised. By default, Postfix shows no version. +# +# You MUST specify $myhostname at the start of the text. That is an +# RFC requirement. Postfix itself does not care. +# +#smtpd_banner = $myhostname ESMTP $mail_name +#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) + +# PARALLEL DELIVERY TO THE SAME DESTINATION +# +# How many parallel deliveries to the same user or domain? With local +# delivery, it does not make sense to do massively parallel delivery +# to the same user, because mailbox updates must happen sequentially, +# and expensive pipelines in .forward files can cause disasters when +# too many are run at the same time. With SMTP deliveries, 10 +# simultaneous connections to the same domain could be sufficient to +# raise eyebrows. +# +# Each message delivery transport has its XXX_destination_concurrency_limit +# parameter. The default is $default_destination_concurrency_limit for +# most delivery transports. For the local delivery agent the default is 2. + +#local_destination_concurrency_limit = 2 +#default_destination_concurrency_limit = 20 + +# DEBUGGING CONTROL +# +# The debug_peer_level parameter specifies the increment in verbose +# logging level when an SMTP client or server host name or address +# matches a pattern in the debug_peer_list parameter. +# +debug_peer_level = 2 + +# The debug_peer_list parameter specifies an optional list of domain +# or network patterns, /file/name patterns or type:name tables. When +# an SMTP client or server host name or address matches a pattern, +# increase the verbose logging level by the amount specified in the +# debug_peer_level parameter. +# +#debug_peer_list = 127.0.0.1 +#debug_peer_list = some.domain + +# The debugger_command specifies the external command that is executed +# when a Postfix daemon program is run with the -D option. +# +# Use "command .. & sleep 5" so that the debugger can attach before +# the process marches on. If you use an X-based debugger, be sure to +# set up your XAUTHORITY environment variable before starting Postfix. +# +debugger_command = + PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin + ddd $daemon_directory/$process_name $process_id & sleep 5 + +# If you can't use X, use this to capture the call stack when a +# daemon crashes. The result is in a file in the configuration +# directory, and is named after the process name and the process ID. +# +# debugger_command = +# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont; +# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1 +# >$config_directory/$process_name.$process_id.log & sleep 5 +# +# Another possibility is to run gdb under a detached screen session. +# To attach to the screen sesssion, su root and run "screen -r +# " where uniquely matches one of the detached +# sessions (from "screen -list"). +# +# debugger_command = +# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen +# -dmS $process_name gdb $daemon_directory/$process_name +# $process_id & sleep 1 + +# INSTALL-TIME CONFIGURATION INFORMATION +# +# The following parameters are used when installing a new Postfix version. +# +# sendmail_path: The full pathname of the Postfix sendmail command. +# This is the Sendmail-compatible mail posting interface. +# +sendmail_path = /usr/sbin/sendmail + +# newaliases_path: The full pathname of the Postfix newaliases command. +# This is the Sendmail-compatible command to build alias databases. +# +newaliases_path = /usr/bin/newaliases + +# mailq_path: The full pathname of the Postfix mailq command. This +# is the Sendmail-compatible mail queue listing command. +# +mailq_path = /usr/bin/mailq + +# setgid_group: The group for mail submission and queue management +# commands. This must be a group name with a numerical group ID that +# is not shared with other accounts, not even with the Postfix account. +# +setgid_group = postdrop + +# html_directory: The location of the Postfix HTML documentation. +# +html_directory = /usr/share/doc/postfix-2.8.7/html + +# manpage_directory: The location of the Postfix on-line manual pages. +# +manpage_directory = /usr/share/man + +# sample_directory: The location of the Postfix sample configuration files. +# This parameter is obsolete as of Postfix 2.1. +# +sample_directory = /etc/postfix + +# readme_directory: The location of the Postfix README files. +# +readme_directory = /usr/share/doc/postfix-2.8.7/readme +home_mailbox = .maildir/ +broken_sasl_auth_clients = yes + +inet_protocols = all + +mydomain = uhu-banane.de + +# default: mynetworks = 127.0.0.0/8 46.16.73.175/32 [::1]/128 [fe80::%eth0]/64 +mynetworks = 127.0.0.0/8 46.16.73.175/32 [::1]/128 + +myorigin = $mydomain +recipient_delimiter = + +relayhost = [mail.brehm-online.com] +smtp_sasl_auth_enable = yes +smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth +smtp_sasl_security_options = noanonymous +smtp_tls_cert_file = /etc/postfix/postfix.pem +smtp_tls_enforce_peername = no +smtp_tls_key_file = /etc/postfix/postfix.pem +smtp_use_tls = yes +smtpd_sasl_auth_enable = yes +smtpd_sasl_local_domain = $myhostname +smtpd_sasl_security_options = noanonymous +smtpd_tls_cert_file = /etc/postfix/postfix.pem +smtpd_tls_key_file = /etc/postfix/postfix.pem +smtpd_tls_loglevel = 1 +smtpd_tls_received_header = yes +smtpd_tls_session_cache_timeout = 3600s +smtpd_use_tls = yes +tls_random_source = dev:/dev/urandom diff --git a/config-archive/etc/postfix/main.cf.dist b/config-archive/etc/postfix/main.cf.dist index f08724a..85273d8 100644 --- a/config-archive/etc/postfix/main.cf.dist +++ b/config-archive/etc/postfix/main.cf.dist @@ -5,7 +5,7 @@ # For common configuration examples, see BASIC_CONFIGURATION_README # and STANDARD_CONFIGURATION_README. To find these documents, use # the command "postconf html_directory readme_directory", or go to -# http://www.postfix.org/. +# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc. # # For best results, change no more than 2-3 parameters at a time, # and test if Postfix still works after every change. @@ -640,7 +640,7 @@ setgid_group = postdrop # html_directory: The location of the Postfix HTML documentation. # -html_directory = /usr/share/doc/postfix-2.10.3/html +html_directory = /usr/share/doc/postfix-2.11.3/html # manpage_directory: The location of the Postfix on-line manual pages. # @@ -653,5 +653,5 @@ sample_directory = /etc/postfix # readme_directory: The location of the Postfix README files. # -readme_directory = /usr/share/doc/postfix-2.10.3/readme +readme_directory = /usr/share/doc/postfix-2.11.3/readme home_mailbox = .maildir/ diff --git a/config-archive/etc/ssh/sshd_config b/config-archive/etc/ssh/sshd_config index 6401926..c7c3f62 100644 --- a/config-archive/etc/ssh/sshd_config +++ b/config-archive/etc/ssh/sshd_config @@ -24,6 +24,7 @@ #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key # "key type names" for X.509 certificates with RSA key # Note first defined is used in signature operations! @@ -153,8 +154,8 @@ PasswordAuthentication no #GSSAPICleanupCredentials yes #GSSAPIStrictAcceptorCheck yes -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass @@ -170,6 +171,7 @@ UsePAM yes #X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes +#PermitTTY yes PrintMotd no PrintLastLog no #TCPKeepAlive yes @@ -213,6 +215,7 @@ Subsystem sftp /usr/lib64/misc/sftp-server #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no +# PermitTTY no # ForceCommand cvs server # Allow client to pass locale environment variables #367017 diff --git a/config-archive/etc/ssh/sshd_config.1 b/config-archive/etc/ssh/sshd_config.1 index e8168d6..6401926 100644 --- a/config-archive/etc/ssh/sshd_config.1 +++ b/config-archive/etc/ssh/sshd_config.1 @@ -27,8 +27,8 @@ # "key type names" for X.509 certificates with RSA key # Note first defined is used in signature operations! -#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 #X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1 +#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 # "key type names" for X.509 certificates with DSA key # Note first defined is used in signature operations! @@ -95,6 +95,9 @@ #KeyRegenerationInterval 1h #ServerKeyBits 1024 +# Ciphers and keying +#RekeyLimit default none + # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH @@ -116,6 +119,11 @@ PermitRootLogin yes # but this is overridden so installations will only check .ssh/authorized_keys #AuthorizedKeysFile .ssh/authorized_keys +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 @@ -166,16 +174,17 @@ PrintMotd no PrintLastLog no #TCPKeepAlive yes #UseLogin no -#UsePrivilegeSeparation yes +UsePrivilegeSeparation sandbox # Default for new installations. #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS yes #PidFile /var/run/sshd.pid -#MaxStartups 10 +#MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none +#VersionAddendum none # no default banner path #Banner none @@ -190,18 +199,21 @@ Subsystem sftp /usr/lib64/misc/sftp-server # tcp receive buffer polling. disable in non autotuning kernels #TcpRcvBufPoll yes -# allow the use of the none cipher -#NoneEnabled no - -# disable hpn performance boosts. +# disable hpn performance boosts #HPNDisabled no # buffer size for hpn to non-hpn connections #HPNBufferSize 2048 +# allow the use of the none cipher +#NoneEnabled no + # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # ForceCommand cvs server + +# Allow client to pass locale environment variables #367017 +AcceptEnv LANG LC_* diff --git a/config-archive/etc/ssh/sshd_config.2 b/config-archive/etc/ssh/sshd_config.2 index e686e9f..e8168d6 100644 --- a/config-archive/etc/ssh/sshd_config.2 +++ b/config-archive/etc/ssh/sshd_config.2 @@ -7,7 +7,7 @@ # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a +# possible, but leave them commented. Uncommented options override the # default value. #Port 22 @@ -103,14 +103,17 @@ # Authentication: #LoginGraceTime 2m -#PermitRootLogin yes -PermitRootLogin no +PermitRootLogin yes +#PermitRootLogin no #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 #RSAAuthentication yes #PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts @@ -140,6 +143,7 @@ PasswordAuthentication no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will @@ -176,6 +180,9 @@ PrintLastLog no # no default banner path #Banner none +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + # override default of no subsystems Subsystem sftp /usr/lib64/misc/sftp-server diff --git a/config-archive/etc/ssh/sshd_config.3 b/config-archive/etc/ssh/sshd_config.3 index ca72979..e686e9f 100644 --- a/config-archive/etc/ssh/sshd_config.3 +++ b/config-archive/etc/ssh/sshd_config.3 @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $ +# $OpenBSD$ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -25,6 +25,72 @@ #HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key +# "key type names" for X.509 certificates with RSA key +# Note first defined is used in signature operations! +#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 +#X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1 + +# "key type names" for X.509 certificates with DSA key +# Note first defined is used in signature operations! +#X509KeyAlgorithm x509v3-sign-dss,dss-asn1 +#X509KeyAlgorithm x509v3-sign-dss,dss-raw + +# The intended use for the X509 client certificate. Without this option +# no chain verification will be done. Currently accepted uses are case +# insensitive: +# - "sslclient", "SSL client", "SSL_client" or "client" +# - "any", "Any Purpose", "Any_Purpose" or "AnyPurpose" +# - "skip" or ""(empty): don`t check purpose. +#AllowedCertPurpose sslclient + +# Specifies whether self-issued(self-signed) X.509 certificate can be +# allowed only by entry in AutorizedKeysFile that contain matching +# public key or certificate blob. +#KeyAllowSelfIssued no + +# Specifies whether CRL must present in store for all certificates in +# certificate chain with atribute "cRLDistributionPoints" +#MandatoryCRL no + +# A file with multiple certificates of certificate signers +# in PEM format concatenated together. +#CACertificateFile /etc/ssh/ca/ca-bundle.crt + +# A directory with certificates of certificate signers. +# The certificates should have name of the form: [HASH].[NUMBER] +# or have symbolic links to them of this form. +#CACertificatePath /etc/ssh/ca/crt + +# A file with multiple CRL of certificate signers +# in PEM format concatenated together. +#CARevocationFile /etc/ssh/ca/ca-bundle.crl + +# A directory with CRL of certificate signers. +# The CRL should have name of the form: [HASH].r[NUMBER] +# or have symbolic links to them of this form. +#CARevocationPath /etc/ssh/ca/crl + +# LDAP protocol version. +# Example: +# CAldapVersion 2 + +# Note because of OpenSSH options parser limitation +# use %3D instead of = ! +# LDAP initialization may require URL to be escaped, i.e. +# use %2C instead of ,(comma). Escaped URL don't depend from +# LDAP initialization method. +# Example: +# CAldapURL ldap://localhost:389/dc%3Dexample%2Cdc%3Dcom + +# SSH can use "Online Certificate Status Protocol"(OCSP) +# to validate certificate. Set VAType to +# - none : do not use OCSP to validate certificates; +# - ocspcert: validate only certificates that specify `OCSP +# Service Locator' URL; +# - ocspspec: use specified in the configuration 'OCSP Responder' +# to validate all certificates. +#VAType none + # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 1024 diff --git a/config-archive/etc/ssh/sshd_config.4 b/config-archive/etc/ssh/sshd_config.4 new file mode 100644 index 0000000..ca72979 --- /dev/null +++ b/config-archive/etc/ssh/sshd_config.4 @@ -0,0 +1,134 @@ +# $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +# The default requires explicit activation of protocol 1 +#Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +#PermitRootLogin yes +PermitRootLogin no +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#RSAAuthentication yes +#PubkeyAuthentication yes +#AuthorizedKeysFile .ssh/authorized_keys + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#RhostsRSAAuthentication no +# similar for protocol version 2 +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +#PasswordAuthentication no +PasswordAuthentication no +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding no +#X11DisplayOffset 10 +#X11UseLocalhost yes +PrintMotd no +PrintLastLog no +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10 +#PermitTunnel no +#ChrootDirectory none + +# no default banner path +#Banner none + +# override default of no subsystems +Subsystem sftp /usr/lib64/misc/sftp-server + +# the following are HPN related configuration options +# tcp receive buffer polling. disable in non autotuning kernels +#TcpRcvBufPoll yes + +# allow the use of the none cipher +#NoneEnabled no + +# disable hpn performance boosts. +#HPNDisabled no + +# buffer size for hpn to non-hpn connections +#HPNBufferSize 2048 + + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# ForceCommand cvs server diff --git a/config-archive/etc/ssh/sshd_config.dist b/config-archive/etc/ssh/sshd_config.dist index c76351a..5683e16 100644 --- a/config-archive/etc/ssh/sshd_config.dist +++ b/config-archive/etc/ssh/sshd_config.dist @@ -1,4 +1,4 @@ -# $OpenBSD$ +# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -26,72 +26,6 @@ #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key -# "key type names" for X.509 certificates with RSA key -# Note first defined is used in signature operations! -#X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1 -#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 - -# "key type names" for X.509 certificates with DSA key -# Note first defined is used in signature operations! -#X509KeyAlgorithm x509v3-sign-dss,dss-asn1 -#X509KeyAlgorithm x509v3-sign-dss,dss-raw - -# The intended use for the X509 client certificate. Without this option -# no chain verification will be done. Currently accepted uses are case -# insensitive: -# - "sslclient", "SSL client", "SSL_client" or "client" -# - "any", "Any Purpose", "Any_Purpose" or "AnyPurpose" -# - "skip" or ""(empty): don`t check purpose. -#AllowedCertPurpose sslclient - -# Specifies whether self-issued(self-signed) X.509 certificate can be -# allowed only by entry in AutorizedKeysFile that contain matching -# public key or certificate blob. -#KeyAllowSelfIssued no - -# Specifies whether CRL must present in store for all certificates in -# certificate chain with atribute "cRLDistributionPoints" -#MandatoryCRL no - -# A file with multiple certificates of certificate signers -# in PEM format concatenated together. -#CACertificateFile /etc/ssh/ca/ca-bundle.crt - -# A directory with certificates of certificate signers. -# The certificates should have name of the form: [HASH].[NUMBER] -# or have symbolic links to them of this form. -#CACertificatePath /etc/ssh/ca/crt - -# A file with multiple CRL of certificate signers -# in PEM format concatenated together. -#CARevocationFile /etc/ssh/ca/ca-bundle.crl - -# A directory with CRL of certificate signers. -# The CRL should have name of the form: [HASH].r[NUMBER] -# or have symbolic links to them of this form. -#CARevocationPath /etc/ssh/ca/crl - -# LDAP protocol version. -# Example: -# CAldapVersion 2 - -# Note because of OpenSSH options parser limitation -# use %3D instead of = ! -# LDAP initialization may require URL to be escaped, i.e. -# use %2C instead of ,(comma). Escaped URL don't depend from -# LDAP initialization method. -# Example: -# CAldapURL ldap://localhost:389/dc%3Dexample%2Cdc%3Dcom - -# SSH can use "Online Certificate Status Protocol"(OCSP) -# to validate certificate. Set VAType to -# - none : do not use OCSP to validate certificates; -# - ocspcert: validate only certificates that specify `OCSP -# Service Locator' URL; -# - ocspspec: use specified in the configuration 'OCSP Responder' -# to validate all certificates. -#VAType none - # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 1024 @@ -189,13 +123,29 @@ UsePrivilegeSeparation sandbox # Default for new installations. # no default banner path #Banner none +# here are the new patched ldap related tokens +# entries in your LDAP must have posixAccount & ldapPublicKey objectclass +#UseLPK yes +#LpkLdapConf /etc/ldap.conf +#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/ +#LpkUserDN ou=users,dc=phear,dc=org +#LpkGroupDN ou=groups,dc=phear,dc=org +#LpkBindDN cn=Manager,dc=phear,dc=org +#LpkBindPw secret +#LpkServerGroup mail +#LpkFilter (hostAccess=master.phear.org) +#LpkForceTLS no +#LpkSearchTimelimit 3 +#LpkBindTimelimit 3 +#LpkPubKeyAttr sshPublicKey + # override default of no subsystems Subsystem sftp /usr/lib64/misc/sftp-server # the following are HPN related configuration options # tcp receive buffer polling. disable in non autotuning kernels #TcpRcvBufPoll yes - + # disable hpn performance boosts #HPNDisabled no diff --git a/cron.d/sysstat b/cron.d/sysstat new file mode 100644 index 0000000..1edaa67 --- /dev/null +++ b/cron.d/sysstat @@ -0,0 +1,6 @@ +# Run system activity accounting tool every 10 minutes +*/10 * * * * root /usr/lib64/sa/sa1 1 1 +# 0 * * * * root /usr/lib64/sa/sa1 600 6 & +# Generate a daily summary of process accounting at 23:53 +53 23 * * * root /usr/lib64/sa/sa2 -A + diff --git a/cron.daily/sysstat b/cron.daily/sysstat deleted file mode 100755 index 11211b5..0000000 --- a/cron.daily/sysstat +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/sh -# Generate a daily summary of process accounting. Since this will probably -# get kicked off in the morning, it would probably be better to run against -# the previous days data. -/usr/lib64/sa/sa2 -A & diff --git a/default/grub b/default/grub index 16776f5..027df60 100644 --- a/default/grub +++ b/default/grub @@ -1,6 +1,6 @@ # Copyright 1999-2014 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-3,v 1.3 2014/09/10 14:38:39 floppym Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-3,v 1.4 2014/10/16 04:04:02 floppym Exp $ # # To populate all changes in this file you need to regenerate your # grub configuration file afterwards: @@ -44,6 +44,13 @@ GRUB_TIMEOUT=10 #GRUB_GFXMODE=640x480 GRUB_GFXMODE=800x600 +# Set to 'text' to force the Linux kernel to boot in normal text +# mode, 'keep' to preserve the graphics mode set using +# 'GRUB_GFXMODE', 'WIDTHxHEIGHT'['xDEPTH'] to set a particular +# graphics mode, or a sequence of these separated by commas or +# semicolons to try several modes in sequence. +#GRUB_GFXPAYLOAD_LINUX= + # Path to theme spec txt file. # The starfield is by default provided with use truetype. # NOTE: when enabling custom theme, ensure you have required font/etc. diff --git a/eixrc/00-eixrc b/eixrc/00-eixrc index be2cdea..8e63813 100644 --- a/eixrc/00-eixrc +++ b/eixrc/00-eixrc @@ -1,4 +1,4 @@ -# /etc/eixrc/00-eirc +# /etc/eixrc/00-eixrc # # All non-hidden files in /etc/eixrc # (or a subdirectory thereof) are read in alphabetical order. diff --git a/fail2ban/action.d/apf.conf b/fail2ban/action.d/apf.conf new file mode 100644 index 0000000..5c4a261 --- /dev/null +++ b/fail2ban/action.d/apf.conf @@ -0,0 +1,25 @@ +# Fail2Ban configuration file +# https://www.rfxn.com/projects/advanced-policy-firewall/ +# +# Note: APF doesn't play nicely with other actions. It has been observed to +# remove bans created by other iptables based actions. If you are going to use +# this action, use it for all of your jails. +# +# DON'T MIX APF and other IPTABLES based actions +[Definition] + +actionstart = +actionstop = +actioncheck = +actionban = apf --deny "banned by Fail2Ban " +actionunban = apf --remove + +[Init] + +# Name used in APF configuration +# +name = default + +# DEV NOTES: +# +# Author: Mark McKinstry diff --git a/fail2ban/action.d/badips.conf b/fail2ban/action.d/badips.conf new file mode 100644 index 0000000..4a5c0f9 --- /dev/null +++ b/fail2ban/action.d/badips.conf @@ -0,0 +1,19 @@ +# Fail2ban reporting to badips.com +# +# Note: This reports and IP only and does not actually ban traffic. Use +# another action in the same jail if you want bans to occur. +# +# Set the category to the appropriate value before use. +# +# To get see register and optional key to get personalised graphs see: +# http://www.badips.com/blog/personalized-statistics-track-the-attackers-of-all-your-servers-with-one-key + +[Definition] + +actionban = curl --fail --user-agent "fail2ban v0.8.12" http://www.badips.com/add// + +[Init] + +# Option: category +# Notes.: Values are from the list here: http://www.badips.com/get/categories +category = diff --git a/fail2ban/action.d/badips.py b/fail2ban/action.d/badips.py new file mode 100644 index 0000000..250b1dc --- /dev/null +++ b/fail2ban/action.d/badips.py @@ -0,0 +1,363 @@ +# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*- +# vi: set ft=python sts=4 ts=4 sw=4 noet : + +# This file is part of Fail2Ban. +# +# Fail2Ban is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# Fail2Ban is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Fail2Ban; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +import sys +if sys.version_info < (2, 7): + raise ImportError("badips.py action requires Python >= 2.7") +import json +from functools import partial +import threading +import logging +if sys.version_info >= (3, ): + from urllib.request import Request, urlopen + from urllib.parse import urlencode + from urllib.error import HTTPError +else: + from urllib2 import Request, urlopen, HTTPError + from urllib import urlencode + +from fail2ban.server.actions import ActionBase +from fail2ban.version import version as f2bVersion + +class BadIPsAction(ActionBase): + """Fail2Ban action which reports bans to badips.com, and also + blacklist bad IPs listed on badips.com by using another action's + ban method. + + Parameters + ---------- + jail : Jail + The jail which the action belongs to. + name : str + Name assigned to the action. + category : str + Valid badips.com category for reporting failures. + score : int, optional + Minimum score for bad IPs. Default 3. + age : str, optional + Age of last report for bad IPs, per badips.com syntax. + Default "24h" (24 hours) + key : str, optional + Key issued by badips.com to report bans, for later retrieval + of personalised content. + banaction : str, optional + Name of banaction to use for blacklisting bad IPs. If `None`, + no blacklist of IPs will take place. + Default `None`. + bancategory : str, optional + Name of category to use for blacklisting, which can differ + from category used for reporting. e.g. may want to report + "postfix", but want to use whole "mail" category for blacklist. + Default `category`. + bankey : str, optional + Key issued by badips.com to blacklist IPs reported with the + associated key. + updateperiod : int, optional + Time in seconds between updating bad IPs blacklist. + Default 900 (15 minutes) + + Raises + ------ + ValueError + If invalid `category`, `score`, `banaction` or `updateperiod`. + """ + + _badips = "http://www.badips.com" + _Request = partial( + Request, headers={'User-Agent': "Fail2Ban %s" % f2bVersion}) + + def __init__(self, jail, name, category, score=3, age="24h", key=None, + banaction=None, bancategory=None, bankey=None, updateperiod=900): + super(BadIPsAction, self).__init__(jail, name) + + self.category = category + self.score = score + self.age = age + self.key = key + self.banaction = banaction + self.bancategory = bancategory or category + self.bankey = bankey + self.updateperiod = updateperiod + + self._bannedips = set() + # Used later for threading.Timer for updating badips + self._timer = None + + def getCategories(self, incParents=False): + """Get badips.com categories. + + Returns + ------- + set + Set of categories. + + Raises + ------ + HTTPError + Any issues with badips.com request. + """ + try: + response = urlopen( + self._Request("/".join([self._badips, "get", "categories"]))) + except HTTPError as response: + messages = json.loads(response.read().decode('utf-8')) + self._logSys.error( + "Failed to fetch categories. badips.com response: '%s'", + messages['err']) + raise + else: + categories = json.loads(response.read().decode('utf-8'))['categories'] + categories_names = set( + value['Name'] for value in categories) + if incParents: + categories_names.update(set( + value['Parent'] for value in categories + if "Parent" in value)) + return categories_names + + def getList(self, category, score, age, key=None): + """Get badips.com list of bad IPs. + + Parameters + ---------- + category : str + Valid badips.com category. + score : int + Minimum score for bad IPs. + age : str + Age of last report for bad IPs, per badips.com syntax. + key : str, optional + Key issued by badips.com to fetch IPs reported with the + associated key. + + Returns + ------- + set + Set of bad IPs. + + Raises + ------ + HTTPError + Any issues with badips.com request. + """ + try: + url = "?".join([ + "/".join([self._badips, "get", "list", category, str(score)]), + urlencode({'age': age})]) + if key: + url = "&".join([url, urlencode({'key': key})]) + response = urlopen(self._Request(url)) + except HTTPError as response: + messages = json.loads(response.read().decode('utf-8')) + self._logSys.error( + "Failed to fetch bad IP list. badips.com response: '%s'", + messages['err']) + raise + else: + return set(response.read().decode('utf-8').split()) + + @property + def category(self): + """badips.com category for reporting IPs. + """ + return self._category + + @category.setter + def category(self, category): + if category not in self.getCategories(): + self._logSys.error("Category name '%s' not valid. " + "see badips.com for list of valid categories", + category) + raise ValueError("Invalid category: %s" % category) + self._category = category + + @property + def bancategory(self): + """badips.com bancategory for fetching IPs. + """ + return self._bancategory + + @bancategory.setter + def bancategory(self, bancategory): + if bancategory not in self.getCategories(incParents=True): + self._logSys.error("Category name '%s' not valid. " + "see badips.com for list of valid categories", + bancategory) + raise ValueError("Invalid bancategory: %s" % bancategory) + self._bancategory = bancategory + + @property + def score(self): + """badips.com minimum score for fetching IPs. + """ + return self._score + + @score.setter + def score(self, score): + score = int(score) + if 0 <= score <= 5: + self._score = score + else: + raise ValueError("Score must be 0-5") + + @property + def banaction(self): + """Jail action to use for banning/unbanning. + """ + return self._banaction + + @banaction.setter + def banaction(self, banaction): + if banaction is not None and banaction not in self._jail.actions: + self._logSys.error("Action name '%s' not in jail '%s'", + banaction, self._jail.name) + raise ValueError("Invalid banaction") + self._banaction = banaction + + @property + def updateperiod(self): + """Period in seconds between banned bad IPs will be updated. + """ + return self._updateperiod + + @updateperiod.setter + def updateperiod(self, updateperiod): + updateperiod = int(updateperiod) + if updateperiod > 0: + self._updateperiod = updateperiod + else: + raise ValueError("Update period must be integer greater than 0") + + def _banIPs(self, ips): + for ip in ips: + try: + self._jail.actions[self.banaction].ban({ + 'ip': ip, + 'failures': 0, + 'matches': "", + 'ipmatches': "", + 'ipjailmatches': "", + }) + except Exception as e: + self._logSys.error( + "Error banning IP %s for jail '%s' with action '%s': %s", + ip, self._jail.name, self.banaction, e, + exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG) + else: + self._bannedips.add(ip) + self._logSys.info( + "Banned IP %s for jail '%s' with action '%s'", + ip, self._jail.name, self.banaction) + + def _unbanIPs(self, ips): + for ip in ips: + try: + self._jail.actions[self.banaction].unban({ + 'ip': ip, + 'failures': 0, + 'matches': "", + 'ipmatches': "", + 'ipjailmatches': "", + }) + except Exception as e: + self._logSys.info( + "Error unbanning IP %s for jail '%s' with action '%s': %s", + ip, self._jail.name, self.banaction, e, + exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG) + else: + self._logSys.info( + "Unbanned IP %s for jail '%s' with action '%s'", + ip, self._jail.name, self.banaction) + finally: + self._bannedips.remove(ip) + + def start(self): + """If `banaction` set, blacklists bad IPs. + """ + if self.banaction is not None: + self.update() + + def update(self): + """If `banaction` set, updates blacklisted IPs. + + Queries badips.com for list of bad IPs, removing IPs from the + blacklist if no longer present, and adds new bad IPs to the + blacklist. + """ + if self.banaction is not None: + if self._timer: + self._timer.cancel() + self._timer = None + + try: + ips = self.getList( + self.bancategory, self.score, self.age, self.bankey) + # Remove old IPs no longer listed + self._unbanIPs(self._bannedips - ips) + # Add new IPs which are now listed + self._banIPs(ips - self._bannedips) + + self._logSys.info( + "Updated IPs for jail '%s'. Update again in %i seconds", + self._jail.name, self.updateperiod) + finally: + self._timer = threading.Timer(self.updateperiod, self.update) + self._timer.start() + + def stop(self): + """If `banaction` set, clears blacklisted IPs. + """ + if self.banaction is not None: + if self._timer: + self._timer.cancel() + self._timer = None + self._unbanIPs(self._bannedips.copy()) + + def ban(self, aInfo): + """Reports banned IP to badips.com. + + Parameters + ---------- + aInfo : dict + Dictionary which includes information in relation to + the ban. + + Raises + ------ + HTTPError + Any issues with badips.com request. + """ + try: + url = "/".join([self._badips, "add", self.category, aInfo['ip']]) + if self.key: + url = "?".join([url, urlencode({'key': self.key})]) + response = urlopen(self._Request(url)) + except HTTPError as response: + messages = json.loads(response.read().decode('utf-8')) + self._logSys.error( + "Response from badips.com report: '%s'", + messages['err']) + raise + else: + messages = json.loads(response.read().decode('utf-8')) + self._logSys.info( + "Response from badips.com report: '%s'", + messages['suc']) + +Action = BadIPsAction diff --git a/fail2ban/action.d/blocklist_de.conf b/fail2ban/action.d/blocklist_de.conf new file mode 100644 index 0000000..6d52069 --- /dev/null +++ b/fail2ban/action.d/blocklist_de.conf @@ -0,0 +1,86 @@ +# Fail2Ban configuration file +# +# Author: Steven Hiscocks +# +# + +# Action to report IP address to blocklist.de +# Blocklist.de must be signed up to at www.blocklist.de +# Once registered, one or more servers can be added. +# This action requires the server 'email address' and the associated apikey. +# +# From blocklist.de: +# www.blocklist.de is a free and voluntary service provided by a +# Fraud/Abuse-specialist, whose servers are often attacked on SSH-, +# Mail-Login-, FTP-, Webserver- and other services. +# The mission is to report all attacks to the abuse departments of the +# infected PCs/servers to ensure that the responsible provider can inform +# the customer about the infection and disable them +# +# IMPORTANT: +# +# Reporting an IP of abuse is a serious complaint. Make sure that it is +# serious. Fail2ban developers and network owners recommend you only use this +# action for: +# * The recidive where the IP has been banned multiple times +# * Where maxretry has been set quite high, beyond the normal user typing +# password incorrectly. +# * For filters that have a low likelihood of receiving human errors +# + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionban = curl --fail --data-urlencode 'server=' --data 'apikey=' --data 'service=' --data 'ip=' --data-urlencode 'logs=' --data 'format=text' --user-agent "fail2ban v0.8.12" "https://www.blocklist.de/en/httpreports.html" + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = + +[Init] + +# Option: email +# Notes server email address, as per blocklise.de account +# Values: STRING Default: None +# +#email = + +# Option: apikey +# Notes your user blocklist.de user account apikey +# Values: STRING Default: None +# +#apikey = + +# Option: service +# Notes service name you are reporting on, typically aligns with filter name +# see http://www.blocklist.de/en/httpreports.html for full list +# Values: STRING Default: None +# +#service = diff --git a/fail2ban/action.d/bsd-ipfw.conf b/fail2ban/action.d/bsd-ipfw.conf new file mode 100644 index 0000000..475d247 --- /dev/null +++ b/fail2ban/action.d/bsd-ipfw.conf @@ -0,0 +1,83 @@ +# Fail2Ban configuration file +# +# Author: Nick Munger +# Modified by: Ken Menzel +# Daniel Black (start/stop) +# Fabian Wenk (many ideas as per fail2ban users list) +# +# Ensure firewall_enable="YES" in the top of /etc/rc.conf +# + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = ipfw show | fgrep -q 'table()' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e
else exit b }'; num=$?; ipfw -q add $num from table\(
\) to me ; echo $num > "" ) + + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = [ ! -f ] || ( read num < ""
ipfw -q delete $num
rm "" ) + + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +# requires an ipfw rule like "deny ip from table(1) to me" +actionban = ipfw table
add + + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = ipfw table
delete + +[Init] +# Option: table +# Notes: The ipfw table to use. If a ipfw rule using this table already exists, +# this action will not create a ipfw rule to block it and the following +# options will have no effect. +# Values: NUM +table = 1 + +# Option: port +# Notes.: Specifies port to monitor. Blank indicate block all ports. +# Values: [ NUM | STRING ] +# +port = + +# Option: startstatefile +# Notes: A file to indicate that the table rule that was added. Ensure it is unique per table. +# Values: STRING +startstatefile = /run/fail2ban/ipfw-started-table_
+ +# Option: block +# Notes: This is how much to block. +# Can be "ip", "tcp", "udp" or various other options. +# Values: STRING +block = ip + +# Option: blocktype +# Notes.: How to block the traffic. Use a action from man 5 ipfw +# Common values: deny, unreach port, reset +# ACTION defination at the top of man ipfw for allowed values. +# Values: STRING +# +blocktype = unreach port diff --git a/fail2ban/action.d/cloudflare.conf b/fail2ban/action.d/cloudflare.conf new file mode 100644 index 0000000..4d5e2dc --- /dev/null +++ b/fail2ban/action.d/cloudflare.conf @@ -0,0 +1,55 @@ +# +# Author: Mike Rushton +# +# Referenced from from http://www.normyee.net/blog/2012/02/02/adding-cloudflare-support-to-fail2ban by NORM YEE +# +# To get your Cloudflare API key: https://www.cloudflare.com/my-account +# + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: IP address +# number of failures +#