From: root Date: Fri, 11 Mar 2016 09:45:04 +0000 (+0100) Subject: saving uncommitted changes in /etc prior to emerge run X-Git-Url: https://git.uhu-banane.net/?a=commitdiff_plain;h=b7929fd2d86e7f5121e71b91c1425bdbe16cae07;p=config%2Fuhu1%2Fetc.git saving uncommitted changes in /etc prior to emerge run --- diff --git a/.etckeeper b/.etckeeper index f35ee5a..78a9cc4 100755 --- a/.etckeeper +++ b/.etckeeper @@ -79,14 +79,8 @@ maybe chmod 0644 'apache2/httpd.conf' maybe chmod 0644 'apache2/info_users_passwd' maybe chmod 0644 'apache2/magic' maybe chmod 0755 'apache2/modules.d' -maybe chmod 0644 'apache2/modules.d/._cfg0000_00_apache_manual.conf' maybe chmod 0644 'apache2/modules.d/._cfg0000_00_default_settings.conf' -maybe chmod 0644 'apache2/modules.d/._cfg0000_00_error_documents.conf' -maybe chmod 0644 'apache2/modules.d/._cfg0000_00_mod_autoindex.conf' -maybe chmod 0644 'apache2/modules.d/._cfg0000_00_mod_info.conf' -maybe chmod 0644 'apache2/modules.d/._cfg0000_00_mod_mime.conf' -maybe chmod 0644 'apache2/modules.d/._cfg0000_00_mod_status.conf' -maybe chmod 0644 'apache2/modules.d/._cfg0000_00_mpm.conf' +maybe chmod 0644 'apache2/modules.d/._mrg0000_00_default_settings.conf' maybe chmod 0644 'apache2/modules.d/.keep_dev-vcs_subversion-0' maybe chmod 0644 'apache2/modules.d/.keep_www-servers_apache-2' maybe chmod 0644 'apache2/modules.d/00_apache_manual.conf' @@ -113,8 +107,6 @@ maybe chmod 0644 'apache2/modules.d/99_nagios3.conf' maybe chmod 0755 'apache2/ssl' maybe chmod 0600 'apache2/ssl/egroupware-cert.pem' maybe chmod 0755 'apache2/vhosts.d' -maybe chmod 0644 'apache2/vhosts.d/._cfg0000_00_default_vhost.conf' -maybe chmod 0644 'apache2/vhosts.d/._cfg0000_default_vhost.include' maybe chmod 0644 'apache2/vhosts.d/.keep_www-servers_apache-2' maybe chmod 0644 'apache2/vhosts.d/00_default_ssl_vhost.conf' maybe chmod 0644 'apache2/vhosts.d/00_default_vhost.conf' @@ -182,7 +174,6 @@ maybe chmod 0644 'colordiffrc' maybe chmod 0644 'colordiffrc-gitdiff' maybe chmod 0644 'colordiffrc-lightbg' maybe chmod 0755 'conf.d' -maybe chmod 0644 'conf.d/._cfg0000_fail2ban' maybe chmod 0644 'conf.d/acpid' maybe chmod 0644 'conf.d/apache2' maybe chmod 0644 'conf.d/atd' @@ -282,14 +273,32 @@ maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_apache_manual.conf.4' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_apache_manual.conf.5' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_apache_manual.conf.6' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_apache_manual.conf.7' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_apache_manual.conf.8' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_apache_manual.conf.dist' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_default_settings.conf' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_default_settings.conf.1' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_default_settings.conf.dist' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_default_settings.conf.dist.new' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_error_documents.conf' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_error_documents.conf.dist' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_autoindex.conf' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.1' maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_info.conf' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_info.conf.dist' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_mime.conf' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_mime.conf.dist' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_status.conf' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_status.conf.dist' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mpm.conf' +maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mpm.conf.dist' maybe chmod 0755 'config-archive/etc/apache2/vhosts.d' maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/00_default_ssl_vhost.conf' maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/00_default_ssl_vhost.conf.dist' +maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/00_default_vhost.conf' +maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/00_default_vhost.conf.dist' +maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/default_vhost.include' +maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/default_vhost.include.dist' maybe chmod 0755 'config-archive/etc/bash' maybe chmod 0644 'config-archive/etc/bash/bashrc' maybe chmod 0644 'config-archive/etc/bash/bashrc.1' @@ -311,6 +320,8 @@ maybe chmod 0644 'config-archive/etc/conf.d/acpid' maybe chmod 0644 'config-archive/etc/conf.d/acpid.dist' maybe chmod 0644 'config-archive/etc/conf.d/apache2' maybe chmod 0644 'config-archive/etc/conf.d/apache2.dist' +maybe chmod 0644 'config-archive/etc/conf.d/fail2ban' +maybe chmod 0644 'config-archive/etc/conf.d/fail2ban.dist.new' maybe chmod 0644 'config-archive/etc/conf.d/fsck' maybe chmod 0644 'config-archive/etc/conf.d/fsck.dist' maybe chmod 0644 'config-archive/etc/conf.d/keymaps' @@ -375,11 +386,15 @@ maybe chmod 0644 'config-archive/etc/eselect/postgresql/slots/9.1/server.2' maybe chmod 0644 'config-archive/etc/eselect/postgresql/slots/9.1/server.dist' maybe chmod 0755 'config-archive/etc/etckeeper' maybe chmod 0644 'config-archive/etc/etckeeper/etckeeper.conf' -maybe chmod 0644 'config-archive/etc/etckeeper/etckeeper.conf.dist.new' +maybe chmod 0644 'config-archive/etc/etckeeper/etckeeper.conf.dist' maybe chmod 0755 'config-archive/etc/fail2ban' maybe chmod 0644 'config-archive/etc/fail2ban/fail2ban.conf' maybe chmod 0644 'config-archive/etc/fail2ban/fail2ban.conf.1' maybe chmod 0644 'config-archive/etc/fail2ban/fail2ban.conf.dist' +maybe chmod 0644 'config-archive/etc/fail2ban/jail.conf' +maybe chmod 0644 'config-archive/etc/fail2ban/jail.conf.dist' +maybe chmod 0644 'config-archive/etc/fail2ban/paths-debian.conf' +maybe chmod 0644 'config-archive/etc/fail2ban/paths-debian.conf.dist.new' maybe chmod 0644 'config-archive/etc/hosts' maybe chmod 0644 'config-archive/etc/hosts.dist.new' maybe chmod 0755 'config-archive/etc/init.d' @@ -926,7 +941,6 @@ maybe chmod 0755 'eselect/postgresql/slots/9.5' maybe chmod 0644 'eselect/postgresql/slots/9.5/base' maybe chmod 0644 'etc-update.conf' maybe chmod 0755 'etckeeper' -maybe chmod 0644 'etckeeper/._cfg0000_etckeeper.conf' maybe chmod 0755 'etckeeper/commit.d' maybe chmod 0755 'etckeeper/commit.d/10vcs-test' maybe chmod 0755 'etckeeper/commit.d/30bzr-add' @@ -974,8 +988,6 @@ maybe chmod 0644 'etckeeper/update-ignore.d/README' maybe chmod 0755 'etckeeper/vcs.d' maybe chmod 0755 'etckeeper/vcs.d/50vcs-cmd' maybe chmod 0755 'fail2ban' -maybe chmod 0644 'fail2ban/._cfg0000_jail.conf' -maybe chmod 0644 'fail2ban/._cfg0000_paths-debian.conf' maybe chmod 0755 'fail2ban/action.d' maybe chmod 0644 'fail2ban/action.d/apf.conf' maybe chmod 0644 'fail2ban/action.d/badips.conf' @@ -1380,7 +1392,6 @@ maybe chmod 0644 'login.defs' maybe chmod 0644 'logrotate.conf' maybe chmod 0644 'logrotate.conf.orig' maybe chmod 0755 'logrotate.d' -maybe chmod 0644 'logrotate.d/._cfg0000_fail2ban' maybe chmod 0644 'logrotate.d/.keep_app-admin_logrotate-0' maybe chmod 0644 'logrotate.d/apache2' maybe chmod 0644 'logrotate.d/clamav' diff --git a/apache2/modules.d/._cfg0000_00_apache_manual.conf b/apache2/modules.d/._cfg0000_00_apache_manual.conf deleted file mode 100644 index 5699151..0000000 --- a/apache2/modules.d/._cfg0000_00_apache_manual.conf +++ /dev/null @@ -1,29 +0,0 @@ -# Provide access to the documentation on your server as -# http://yourserver.example.com/manual/ -# The documentation is always available at -# http://httpd.apache.org/docs/2.4/ - - - -AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.4.18/manual$1" - - - Options Indexes - AllowOverride None - Require all granted - - - SetHandler type-map - - - SetEnvIf Request_URI ^/manual/(de|en|es|fr|ja|ko|pt-br)/ prefer-language=$1 - RedirectMatch 301 ^/manual(?:/(de|en|es|fr|ja|ko|pt-br)){2,}(/.*)?$ /manual/$1$2 - - LanguagePriority en de es fr ja ko pt-br - ForceLanguagePriority Prefer Fallback - - - - - -# vim: ts=4 filetype=apache diff --git a/apache2/modules.d/._cfg0000_00_error_documents.conf b/apache2/modules.d/._cfg0000_00_error_documents.conf deleted file mode 100644 index 61479fa..0000000 --- a/apache2/modules.d/._cfg0000_00_error_documents.conf +++ /dev/null @@ -1,57 +0,0 @@ -# The configuration below implements multi-language error documents through -# content-negotiation. - -# Customizable error responses come in three flavors: -# 1) plain text 2) local redirects 3) external redirects -# Some examples: -#ErrorDocument 500 "The server made a boo boo." -#ErrorDocument 404 /missing.html -#ErrorDocument 404 "/cgi-bin/missing_handler.pl" -#ErrorDocument 402 http://www.example.com/subscription_info.html - -# Required modules: mod_alias, mod_include, mod_negotiation -# We use Alias to redirect any /error/HTTP_.html.var response to -# our collection of by-error message multi-language collections. We use -# includes to substitute the appropriate text. -# You can modify the messages' appearance without changing any of the -# default HTTP_.html.var files by adding the line: -# Alias /error/include/ "/your/include/path/" -# which allows you to create your own set of files by starting with the -# /var/www/localhost/error/include/ files and copying them to /your/include/path/, -# even on a per-VirtualHost basis. The default include files will display -# your Apache version number and your ServerAdmin email address regardless -# of the setting of ServerSignature. - - -Alias /error/ "/usr/share/apache2/error/" - - - AllowOverride None - Options IncludesNoExec - AddOutputFilter Includes html - AddHandler type-map var - Require all granted - LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr - ForceLanguagePriority Prefer Fallback - - -ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var -ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var -ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var -ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var -ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var -ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var -ErrorDocument 410 /error/HTTP_GONE.html.var -ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var -ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var -ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var -ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var -ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var -ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var -ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var -ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var -ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var -ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var - - -# vim: ts=4 filetype=apache diff --git a/apache2/modules.d/._cfg0000_00_mod_autoindex.conf b/apache2/modules.d/._cfg0000_00_mod_autoindex.conf deleted file mode 100644 index 10bf483..0000000 --- a/apache2/modules.d/._cfg0000_00_mod_autoindex.conf +++ /dev/null @@ -1,85 +0,0 @@ - - - - -# We include the /icons/ alias for FancyIndexed directory listings. If -# you do not use FancyIndexing, you may comment this out. -Alias /icons/ "/usr/share/apache2/icons/" - - - Options Indexes MultiViews - AllowOverride None - Require all granted - - - -# Directives controlling the display of server-generated directory listings. -# -# To see the listing of a directory, the Options directive for the -# directory must include "Indexes", and the directory must not contain -# a file matching those listed in the DirectoryIndex directive. - -# IndexOptions: Controls the appearance of server-generated directory -# listings. -IndexOptions FancyIndexing VersionSort - -# AddIcon* directives tell the server which icon to show for different -# files or filename extensions. These are only displayed for -# FancyIndexed directories. -AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip - -AddIconByType (TXT,/icons/text.gif) text/* -AddIconByType (IMG,/icons/image2.gif) image/* -AddIconByType (SND,/icons/sound2.gif) audio/* -AddIconByType (VID,/icons/movie.gif) video/* - -AddIcon /icons/binary.gif .bin .exe -AddIcon /icons/binhex.gif .hqx -AddIcon /icons/tar.gif .tar -AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv -AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip -AddIcon /icons/a.gif .ps .ai .eps -AddIcon /icons/layout.gif .html .shtml .htm .pdf -AddIcon /icons/text.gif .txt -AddIcon /icons/c.gif .c -AddIcon /icons/p.gif .pl .py -AddIcon /icons/f.gif .for -AddIcon /icons/dvi.gif .dvi -AddIcon /icons/uuencoded.gif .uu -AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl -AddIcon /icons/tex.gif .tex -AddIcon /icons/bomb.gif core - -AddIcon /icons/back.gif .. -AddIcon /icons/hand.right.gif README -AddIcon /icons/folder.gif ^^DIRECTORY^^ -AddIcon /icons/blank.gif ^^BLANKICON^^ - -# DefaultIcon is which icon to show for files which do not have an icon -# explicitly set. -DefaultIcon /icons/unknown.gif - -# AddDescription allows you to place a short description after a file in -# server-generated indexes. These are only displayed for FancyIndexed -# directories. -# Format: AddDescription "description" filename - -#AddDescription "GZIP compressed document" .gz -#AddDescription "tar archive" .tar -#AddDescription "GZIP compressed tar archive" .tgz - -# ReadmeName is the name of the README file the server will look for by -# default, and append to directory listings. - -# HeaderName is the name of a file which should be prepended to -# directory indexes. -ReadmeName README.html -HeaderName HEADER.html - -# IndexIgnore is a set of filenames which directory indexing should ignore -# and not include in the listing. Shell-style wildcarding is permitted. -IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t - - - -# vim: ts=4 filetype=apache diff --git a/apache2/modules.d/._cfg0000_00_mod_info.conf b/apache2/modules.d/._cfg0000_00_mod_info.conf deleted file mode 100644 index 2cd32c4..0000000 --- a/apache2/modules.d/._cfg0000_00_mod_info.conf +++ /dev/null @@ -1,10 +0,0 @@ - -# Allow remote server configuration reports, with the URL of -# http://servername/server-info - - SetHandler server-info - Require local - - - -# vim: ts=4 filetype=apache diff --git a/apache2/modules.d/._cfg0000_00_mod_mime.conf b/apache2/modules.d/._cfg0000_00_mod_mime.conf deleted file mode 100644 index fb8a9a5..0000000 --- a/apache2/modules.d/._cfg0000_00_mod_mime.conf +++ /dev/null @@ -1,46 +0,0 @@ - -# TypesConfig points to the file containing the list of mappings from -# filename extension to MIME-type. -TypesConfig /etc/mime.types - -# AddType allows you to add to or override the MIME configuration -# file specified in TypesConfig for specific file types. -#AddType application/x-gzip .tgz - -# AddEncoding allows you to have certain browsers uncompress -# information on the fly. Note: Not all browsers support this. -#AddEncoding x-compress .Z -#AddEncoding x-gzip .gz .tgz - -# If the AddEncoding directives above are commented-out, then you -# probably should define those extensions to indicate media types: -AddType application/x-compress .Z -AddType application/x-gzip .gz .tgz - -# AddHandler allows you to map certain file extensions to "handlers": -# actions unrelated to filetype. These can be either built into the server -# or added with the Action directive (see below) - -# To use CGI scripts outside of ScriptAliased directories: -# (You will also need to add "ExecCGI" to the "Options" directive.) -#AddHandler cgi-script .cgi - -# For type maps (negotiated resources): -#AddHandler type-map var - -# Filters allow you to process content before it is sent to the client. -# -# To parse .shtml files for server-side includes (SSI): -# (You will also need to add "Includes" to the "Options" directive.) -#AddType text/html .shtml -#AddOutputFilter INCLUDES .shtml - - - -# The mod_mime_magic module allows the server to use various hints from the -# contents of the file itself to determine its type. The MIMEMagicFile -# directive tells the module where the hint definitions are located. -MIMEMagicFile /etc/apache2/magic - - -# vim: ts=4 filetype=apache diff --git a/apache2/modules.d/._cfg0000_00_mod_status.conf b/apache2/modules.d/._cfg0000_00_mod_status.conf deleted file mode 100644 index ed8b3c7..0000000 --- a/apache2/modules.d/._cfg0000_00_mod_status.conf +++ /dev/null @@ -1,15 +0,0 @@ - -# Allow server status reports generated by mod_status, -# with the URL of http://servername/server-status - - SetHandler server-status - Require local - - -# ExtendedStatus controls whether Apache will generate "full" status -# information (ExtendedStatus On) or just basic information (ExtendedStatus -# Off) when the "server-status" handler is called. -ExtendedStatus On - - -# vim: ts=4 filetype=apache diff --git a/apache2/modules.d/._cfg0000_00_mpm.conf b/apache2/modules.d/._cfg0000_00_mpm.conf deleted file mode 100644 index bcb9b6b..0000000 --- a/apache2/modules.d/._cfg0000_00_mpm.conf +++ /dev/null @@ -1,99 +0,0 @@ -# Server-Pool Management (MPM specific) - -# PidFile: The file in which the server should record its process -# identification number when it starts. -# -# DO NOT CHANGE UNLESS YOU KNOW WHAT YOU ARE DOING -PidFile /run/apache2.pid - -# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. -# Mutex file:/run/apache_mpm_mutex - -# Only one of the below sections will be relevant on your -# installed httpd. Use "/usr/sbin/apache2 -l" to find out the -# active mpm. - -# common MPM configuration -# These configuration directives apply to all MPMs -# -# StartServers: Number of child server processes created at startup -# MaxRequestWorkers: Maximum number of child processes to serve requests -# MaxConnectionsPerChild: Limit on the number of connections that an individual -# child server will handle during its life - - -# prefork MPM -# This is the default MPM if USE=-threads -# -# MinSpareServers: Minimum number of idle child server processes -# MaxSpareServers: Maximum number of idle child server processes - - StartServers 5 - MinSpareServers 5 - MaxSpareServers 10 - MaxRequestWorkers 150 - MaxConnectionsPerChild 10000 - - -# worker MPM -# This is the default MPM if USE=threads -# -# MinSpareThreads: Minimum number of idle threads available to handle request spikes -# MaxSpareThreads: Maximum number of idle threads -# ThreadsPerChild: Number of threads created by each child process - - StartServers 2 - MinSpareThreads 25 - MaxSpareThreads 75 - ThreadsPerChild 25 - MaxRequestWorkers 150 - MaxConnectionsPerChild 10000 - - -# event MPM -# -# MinSpareThreads: Minimum number of idle threads available to handle request spikes -# MaxSpareThreads: Maximum number of idle threads -# ThreadsPerChild: Number of threads created by each child process - - StartServers 2 - MinSpareThreads 25 - MaxSpareThreads 75 - ThreadsPerChild 25 - MaxRequestWorkers 150 - MaxConnectionsPerChild 10000 - - -# peruser MPM -# -# MinSpareProcessors: Minimum number of idle child server processes -# MinProcessors: Minimum number of processors per virtual host -# MaxProcessors: Maximum number of processors per virtual host -# ExpireTimeout: Maximum idle time before a child is killed, 0 to disable -# Multiplexer: Specify a Multiplexer child configuration. -# Processor: Specify a user and group for a specific child process - - MinSpareProcessors 2 - MinProcessors 2 - MaxProcessors 10 - MaxRequestWorkers 150 - MaxConnectionsPerChild 1000 - ExpireTimeout 1800 - - Multiplexer nobody nobody - Processor apache apache - - -# itk MPM -# -# MinSpareServers: Minimum number of idle child server processes -# MaxSpareServers: Maximum number of idle child server processes - - StartServers 5 - MinSpareServers 5 - MaxSpareServers 10 - MaxRequestWorkers 150 - MaxConnectionsPerChild 10000 - - -# vim: ts=4 filetype=apache diff --git a/apache2/modules.d/._mrg0000_00_default_settings.conf b/apache2/modules.d/._mrg0000_00_default_settings.conf new file mode 100644 index 0000000..4d9ac11 --- /dev/null +++ b/apache2/modules.d/._mrg0000_00_default_settings.conf @@ -0,0 +1,131 @@ +# This configuration file reflects default settings for Apache HTTP Server. +# You may change these, but chances are that you may not need to. + +# Timeout: The number of seconds before receives and sends time out. +Timeout 300 + +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +KeepAlive On + +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +MaxKeepAliveRequests 100 + +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. +KeepAliveTimeout 15 + +# UseCanonicalName: Determines how Apache constructs self-referencing +# URLs and the SERVER_NAME and SERVER_PORT variables. +# When set "Off", Apache will use the Hostname and Port supplied +# by the client. When set "On", Apache will use the value of the +# ServerName directive. +UseCanonicalName Off + +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. +AccessFileName .htaccess + +# ServerTokens +# This directive configures what you return as the Server HTTP response +# Header. The default is 'Full' which sends information about the OS-Type +# and compiled in modules. +# Set to one of: Full | OS | Minor | Minimal | Major | Prod +# where Full conveys the most information, and Prod the least. +ServerTokens Full + +# TraceEnable +# This directive overrides the behavior of TRACE for both the core server and +# mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616, +# which disallows any request body to accompany the request. TraceEnable off +# causes the core server and mod_proxy to return a 405 (Method not allowed) +# error to the client. +# For security reasons this is turned off by default. (bug #240680) +TraceEnable off + +# Optionally add a line containing the server version and virtual host +# name to server-generated pages (internal error documents, FTP directory +# listings, mod_status and mod_info output etc., but not CGI generated +# documents or custom error documents). +# Set to "EMail" to also include a mailto: link to the ServerAdmin. +# Set to one of: On | Off | EMail +ServerSignature On + +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). +# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +HostnameLookups Off + +# EnableMMAP and EnableSendfile: On systems that support it, +# memory-mapping or the sendfile syscall is used to deliver +# files. This usually improves server performance, but must +# be turned off when serving from networked-mounted +# filesystems or if support for these functions is otherwise +# broken on your system. +EnableMMAP On +EnableSendfile Off + +# FileETag: Configures the file attributes that are used to create +# the ETag (entity tag) response header field when the document is +# based on a static file. (The ETag value is used in cache management +# to save network bandwidth.) +FileETag MTime Size + +# ContentDigest: This directive enables the generation of Content-MD5 +# headers as defined in RFC1864 respectively RFC2616. +# The Content-MD5 header provides an end-to-end message integrity +# check (MIC) of the entity-body. A proxy or client may check this +# header for detecting accidental modification of the entity-body +# in transit. +# Note that this can cause performance problems on your server since +# the message digest is computed on every request (the values are +# not cached). +# Content-MD5 is only sent for documents served by the core, and not +# by any module. For example, SSI documents, output from CGI scripts, +# and byte range responses do not have this header. +ContentDigest Off + +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +ErrorLog /var/log/apache2/error.log + +# LogLevel: Control the number of messages logged to the error_log. +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. +LogLevel info + +# We configure the "default" to be a very restrictive set of features. + + Options FollowSymLinks + AllowOverride None + Require all denied + + +# DirectoryIndex: sets the file that Apache will serve if a directory +# is requested. +# +# The index.html.var file (a type-map) is used to deliver content- +# negotiated documents. The MultiViews Options can be used for the +# same purpose, but it is much slower. +# +# Do not change this entry unless you know what you are doing. + + DirectoryIndex index.html index.html.var index.shtml index.htm + + +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. + + Require all denied + + +# vim: ts=4 filetype=apache diff --git a/apache2/modules.d/00_apache_manual.conf b/apache2/modules.d/00_apache_manual.conf index e2c1b36..7e7fa4a 100644 --- a/apache2/modules.d/00_apache_manual.conf +++ b/apache2/modules.d/00_apache_manual.conf @@ -1,17 +1,16 @@ # Provide access to the documentation on your server as # http://yourserver.example.com/manual/ # The documentation is always available at -# http://httpd.apache.org/docs/2.2/ +# http://httpd.apache.org/docs/2.4/ -AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.31/manual$1" +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.4.18/manual$1" - + Options Indexes AllowOverride None - Order allow,deny - Allow from all + Require all granted SetHandler type-map diff --git a/apache2/modules.d/00_error_documents.conf b/apache2/modules.d/00_error_documents.conf index 90c6b0a..79cf538 100644 --- a/apache2/modules.d/00_error_documents.conf +++ b/apache2/modules.d/00_error_documents.conf @@ -30,8 +30,7 @@ Alias /error/ "/usr/share/apache2/error/" Options IncludesNoExec AddOutputFilter Includes html AddHandler type-map var - Order allow,deny - Allow from all + Require all granted LanguagePriority de en cs es fr it ja ko nl pl pt-br ro sv tr ForceLanguagePriority Prefer Fallback diff --git a/apache2/modules.d/00_mod_autoindex.conf b/apache2/modules.d/00_mod_autoindex.conf index bb8ecc3..e103ccb 100644 --- a/apache2/modules.d/00_mod_autoindex.conf +++ b/apache2/modules.d/00_mod_autoindex.conf @@ -9,8 +9,7 @@ Alias /icons/ "/usr/share/apache2/icons/" Options Indexes MultiViews AllowOverride None - Order allow,deny - Allow from all + Require all granted diff --git a/apache2/modules.d/00_mod_info.conf b/apache2/modules.d/00_mod_info.conf index 35cbd2c..1d21be1 100644 --- a/apache2/modules.d/00_mod_info.conf +++ b/apache2/modules.d/00_mod_info.conf @@ -3,15 +3,13 @@ # http://servername/server-info SetHandler server-info - Order deny,allow - Deny from all - Allow from 127.0.0.1 - Allow from localhost - AuthName "Server Status Access" - AuthType Basic - AuthUserFile /etc/apache2/info_users_passwd - Require valid-user - Satisfy Any + Require local + Allow from localhost + AuthName "Server Status Access" + AuthType Basic + AuthUserFile /etc/apache2/info_users_passwd + Require valid-user + Satisfy Any diff --git a/apache2/modules.d/00_mod_mime.conf b/apache2/modules.d/00_mod_mime.conf index 6229e61..3940107 100644 --- a/apache2/modules.d/00_mod_mime.conf +++ b/apache2/modules.d/00_mod_mime.conf @@ -1,12 +1,3 @@ -# DefaultType: the default MIME type the server will use for a document -# if it cannot otherwise determine one, such as from filename extensions. -# If your server contains mostly text or HTML documents, "text/plain" is -# a good value. If most of your content is binary, such as applications -# or images, you may want to use "application/octet-stream" instead to -# keep browsers from trying to display binary files as though they are -# text. -DefaultType text/plain - # TypesConfig points to the file containing the list of mappings from # filename extension to MIME-type. diff --git a/apache2/modules.d/00_mod_status.conf b/apache2/modules.d/00_mod_status.conf index 615122c..74a1011 100644 --- a/apache2/modules.d/00_mod_status.conf +++ b/apache2/modules.d/00_mod_status.conf @@ -3,15 +3,13 @@ # with the URL of http://servername/server-status SetHandler server-status - Order deny,allow - Deny from all - Allow from 127.0.0.1 - Allow from localhost - AuthName "Server Status Access" - AuthType Basic - AuthUserFile /etc/apache2/info_users_passwd - Require valid-user - Satisfy Any + Require local + Allow from localhost + AuthName "Server Status Access" + AuthType Basic + AuthUserFile /etc/apache2/info_users_passwd + Require valid-user + Satisfy Any # ExtendedStatus controls whether Apache will generate "full" status diff --git a/apache2/modules.d/00_mpm.conf b/apache2/modules.d/00_mpm.conf index 27dc24d..23c56fa 100644 --- a/apache2/modules.d/00_mpm.conf +++ b/apache2/modules.d/00_mpm.conf @@ -4,10 +4,10 @@ # identification number when it starts. # # DO NOT CHANGE UNLESS YOU KNOW WHAT YOU ARE DOING -PidFile /var/run/apache2.pid +PidFile /run/apache2.pid # The accept serialization lock file MUST BE STORED ON A LOCAL DISK. -#LockFile /var/run/apache2.lock +# Mutex file:/run/apache_mpm_mutex # Only one of the below sections will be relevant on your # installed httpd. Use "/usr/sbin/apache2 -l" to find out the @@ -17,9 +17,9 @@ PidFile /var/run/apache2.pid # These configuration directives apply to all MPMs # # StartServers: Number of child server processes created at startup -# MaxClients: Maximum number of child processes to serve requests -# MaxRequestsPerChild: Limit on the number of requests that an individual child -# server will handle during its life +# MaxRequestWorkers: Maximum number of child processes to serve requests +# MaxConnectionsPerChild: Limit on the number of connections that an individual +# child server will handle during its life # prefork MPM @@ -31,8 +31,8 @@ PidFile /var/run/apache2.pid StartServers 2 MinSpareServers 2 MaxSpareServers 10 - MaxClients 150 - MaxRequestsPerChild 10000 + MaxRequestWorkers 150 + MaxConnectionsPerChild 10000 # worker MPM @@ -46,8 +46,8 @@ PidFile /var/run/apache2.pid MinSpareThreads 25 MaxSpareThreads 75 ThreadsPerChild 25 - MaxClients 150 - MaxRequestsPerChild 10000 + MaxRequestWorkers 150 + MaxConnectionsPerChild 10000 # event MPM @@ -60,8 +60,8 @@ PidFile /var/run/apache2.pid MinSpareThreads 25 MaxSpareThreads 75 ThreadsPerChild 25 - MaxClients 150 - MaxRequestsPerChild 10000 + MaxRequestWorkers 150 + MaxConnectionsPerChild 10000 # peruser MPM @@ -76,8 +76,8 @@ PidFile /var/run/apache2.pid MinSpareProcessors 2 MinProcessors 2 MaxProcessors 10 - MaxClients 150 - MaxRequestsPerChild 1000 + MaxRequestWorkers 150 + MaxConnectionsPerChild 1000 ExpireTimeout 1800 Multiplexer nobody nobody @@ -92,8 +92,8 @@ PidFile /var/run/apache2.pid StartServers 5 MinSpareServers 5 MaxSpareServers 10 - MaxClients 150 - MaxRequestsPerChild 10000 + MaxRequestWorkers 150 + MaxConnectionsPerChild 10000 # vim: ts=4 filetype=apache diff --git a/apache2/vhosts.d/._cfg0000_00_default_vhost.conf b/apache2/vhosts.d/._cfg0000_00_default_vhost.conf deleted file mode 100644 index b9766b5..0000000 --- a/apache2/vhosts.d/._cfg0000_00_default_vhost.conf +++ /dev/null @@ -1,45 +0,0 @@ -# Virtual Hosts -# -# If you want to maintain multiple domains/hostnames on your -# machine you can setup VirtualHost containers for them. Most configurations -# use only name-based virtual hosts so the server doesn't need to worry about -# IP addresses. This is indicated by the asterisks in the directives below. -# -# Please see the documentation at -# -# for further details before you try to setup virtual hosts. -# -# You may use the command line option '-S' to verify your virtual host -# configuration. - - -# see bug #178966 why this is in here - -# Listen: Allows you to bind Apache to specific IP addresses and/or -# ports, instead of the default. See also the -# directive. -# -# Change this to Listen on specific IP addresses as shown below to -# prevent Apache from glomming onto all bound IP addresses. -# -#Listen 12.34.56.78:80 -Listen 80 - -# When virtual hosts are enabled, the main host defined in the default -# httpd.conf configuration will go away. We redefine it here so that it is -# still available. -# -# If you disable this vhost by removing -D DEFAULT_VHOST from -# /etc/conf.d/apache2, the first defined virtual host elsewhere will be -# the default. - - ServerName localhost - Include /etc/apache2/vhosts.d/default_vhost.include - - - ServerEnvironment apache apache - - - - -# vim: ts=4 filetype=apache diff --git a/apache2/vhosts.d/._cfg0000_default_vhost.include b/apache2/vhosts.d/._cfg0000_default_vhost.include deleted file mode 100644 index af6ece8..0000000 --- a/apache2/vhosts.d/._cfg0000_default_vhost.include +++ /dev/null @@ -1,71 +0,0 @@ -# ServerAdmin: Your address, where problems with the server should be -# e-mailed. This address appears on some server-generated pages, such -# as error documents. e.g. admin@your-domain.com -ServerAdmin root@localhost - -# DocumentRoot: The directory out of which you will serve your -# documents. By default, all requests are taken from this directory, but -# symbolic links and aliases may be used to point to other locations. -# -# If you change this to something that isn't under /var/www then suexec -# will no longer work. -DocumentRoot "/var/www/localhost/htdocs" - -# This should be changed to whatever you set DocumentRoot to. - - # Possible values for the Options directive are "None", "All", - # or any combination of: - # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews - # - # Note that "MultiViews" must be named *explicitly* --- "Options All" - # doesn't give it to you. - # - # The Options directive is both complicated and important. Please see - # http://httpd.apache.org/docs/2.4/mod/core.html#options - # for more information. - Options Indexes FollowSymLinks - - # AllowOverride controls what directives may be placed in .htaccess files. - # It can be "All", "None", or any combination of the keywords: - # Options FileInfo AuthConfig Limit - AllowOverride All - - # Controls who can get stuff from this server. - Require all granted - - - - # Redirect: Allows you to tell clients about documents that used to - # exist in your server's namespace, but do not anymore. The client - # will make a new request for the document at its new location. - # Example: - # Redirect permanent /foo http://www.example.com/bar - - # Alias: Maps web paths into filesystem paths and is used to - # access content that does not live under the DocumentRoot. - # Example: - # Alias /webpath /full/filesystem/path - # - # If you include a trailing / on /webpath then the server will - # require it to be present in the URL. You will also likely - # need to provide a section to allow access to - # the filesystem path. - - # ScriptAlias: This controls which directories contain server scripts. - # ScriptAliases are essentially the same as Aliases, except that - # documents in the target directory are treated as applications and - # run by the server when requested rather than as documents sent to the - # client. The same rules about trailing "/" apply to ScriptAlias - # directives as to Alias. - ScriptAlias /cgi-bin/ "/var/www/localhost/cgi-bin/" - - -# "/var/www/localhost/cgi-bin" should be changed to whatever your ScriptAliased -# CGI directory exists, if you have that configured. - - AllowOverride None - Options None - Require all granted - - -# vim: ts=4 filetype=apache diff --git a/apache2/vhosts.d/00_default_vhost.conf b/apache2/vhosts.d/00_default_vhost.conf index 2b46233..a0a7312 100644 --- a/apache2/vhosts.d/00_default_vhost.conf +++ b/apache2/vhosts.d/00_default_vhost.conf @@ -6,7 +6,7 @@ # IP addresses. This is indicated by the asterisks in the directives below. # # Please see the documentation at -# +# # for further details before you try to setup virtual hosts. # # You may use the command line option '-S' to verify your virtual host diff --git a/apache2/vhosts.d/default_vhost.include b/apache2/vhosts.d/default_vhost.include index 61282a6..8032dd2 100644 --- a/apache2/vhosts.d/default_vhost.include +++ b/apache2/vhosts.d/default_vhost.include @@ -21,7 +21,7 @@ DocumentRoot "/var/www/localhost/htdocs" # doesn't give it to you. # # The Options directive is both complicated and important. Please see - # http://httpd.apache.org/docs/2.2/mod/core.html#options + # http://httpd.apache.org/docs/2.4/mod/core.html#options # for more information. Options Indexes FollowSymLinks @@ -31,8 +31,7 @@ DocumentRoot "/var/www/localhost/htdocs" AllowOverride All # Controls who can get stuff from this server. - Order allow,deny - Allow from all + Require all granted @@ -66,8 +65,7 @@ DocumentRoot "/var/www/localhost/htdocs" AllowOverride None Options None - Order allow,deny - Allow from all + Require all granted # vim: ts=4 filetype=apache diff --git a/conf.d/._cfg0000_fail2ban b/conf.d/._cfg0000_fail2ban deleted file mode 100644 index 00d19f8..0000000 --- a/conf.d/._cfg0000_fail2ban +++ /dev/null @@ -1,8 +0,0 @@ -# Config file for /etc/init.d/fail2ban -# -# For information on options, see "/usr/bin/fail2ban-client -h". - -FAIL2BAN_OPTIONS="" - -# Force execution of the server even if the socket already exists: -#FAIL2BAN_OPTIONS="-x" diff --git a/config-archive/etc/apache2/modules.d/00_apache_manual.conf b/config-archive/etc/apache2/modules.d/00_apache_manual.conf index f352638..e2c1b36 100644 --- a/config-archive/etc/apache2/modules.d/00_apache_manual.conf +++ b/config-archive/etc/apache2/modules.d/00_apache_manual.conf @@ -5,9 +5,9 @@ -AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.29/manual$1" +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.31/manual$1" - + Options Indexes AllowOverride None Order allow,deny diff --git a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.1 b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.1 index 5d8ffc1..f352638 100644 --- a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.1 +++ b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.1 @@ -5,9 +5,9 @@ -AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.27-r4/manual$1" +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.29/manual$1" - + Options Indexes AllowOverride None Order allow,deny diff --git a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.2 b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.2 index 391c2e6..5d8ffc1 100644 --- a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.2 +++ b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.2 @@ -2,10 +2,12 @@ # http://yourserver.example.com/manual/ # The documentation is always available at # http://httpd.apache.org/docs/2.2/ + + -AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.27/manual$1" +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.27-r4/manual$1" - + Options Indexes AllowOverride None Order allow,deny @@ -22,5 +24,7 @@ AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apac ForceLanguagePriority Prefer Fallback + + # vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.3 b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.3 index 33ae915..391c2e6 100644 --- a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.3 +++ b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.3 @@ -3,9 +3,9 @@ # The documentation is always available at # http://httpd.apache.org/docs/2.2/ -AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.25/manual$1" +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.27/manual$1" - + Options Indexes AllowOverride None Order allow,deny diff --git a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.4 b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.4 index f43bf59..33ae915 100644 --- a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.4 +++ b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.4 @@ -3,9 +3,9 @@ # The documentation is always available at # http://httpd.apache.org/docs/2.2/ -AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.24/manual$1" +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.25/manual$1" - + Options Indexes AllowOverride None Order allow,deny diff --git a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.5 b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.5 index 240d6b4..f43bf59 100644 --- a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.5 +++ b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.5 @@ -3,9 +3,9 @@ # The documentation is always available at # http://httpd.apache.org/docs/2.2/ -AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.23/manual$1" +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.24/manual$1" - + Options Indexes AllowOverride None Order allow,deny diff --git a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.6 b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.6 index 25de5d1..240d6b4 100644 --- a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.6 +++ b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.6 @@ -3,9 +3,9 @@ # The documentation is always available at # http://httpd.apache.org/docs/2.2/ -AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.22/manual$1" +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.23/manual$1" - + Options Indexes AllowOverride None Order allow,deny @@ -18,7 +18,7 @@ AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apac SetEnvIf Request_URI ^/manual/(de|en|es|fr|ja|ko|pt-br)/ prefer-language=$1 RedirectMatch 301 ^/manual(?:/(de|en|es|fr|ja|ko|pt-br)){2,}(/.*)?$ /manual/$1$2 - LanguagePriority en de es fr ja ko pt-br + LanguagePriority de en es fr ja ko pt-br ForceLanguagePriority Prefer Fallback diff --git a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.7 b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.7 index a1bfed2..25de5d1 100644 --- a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.7 +++ b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.7 @@ -3,9 +3,9 @@ # The documentation is always available at # http://httpd.apache.org/docs/2.2/ -AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.21-r1/manual$1" +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.22/manual$1" - + Options Indexes AllowOverride None Order allow,deny diff --git a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.8 b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.8 new file mode 100644 index 0000000..a1bfed2 --- /dev/null +++ b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.8 @@ -0,0 +1,26 @@ +# Provide access to the documentation on your server as +# http://yourserver.example.com/manual/ +# The documentation is always available at +# http://httpd.apache.org/docs/2.2/ + +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.21-r1/manual$1" + + + Options Indexes + AllowOverride None + Order allow,deny + Allow from all + + + SetHandler type-map + + + SetEnvIf Request_URI ^/manual/(de|en|es|fr|ja|ko|pt-br)/ prefer-language=$1 + RedirectMatch 301 ^/manual(?:/(de|en|es|fr|ja|ko|pt-br)){2,}(/.*)?$ /manual/$1$2 + + LanguagePriority en de es fr ja ko pt-br + ForceLanguagePriority Prefer Fallback + + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.dist b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.dist index f4ff100..5699151 100644 --- a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.dist +++ b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.dist @@ -1,17 +1,16 @@ # Provide access to the documentation on your server as # http://yourserver.example.com/manual/ # The documentation is always available at -# http://httpd.apache.org/docs/2.2/ +# http://httpd.apache.org/docs/2.4/ -AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.31/manual$1" +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.4.18/manual$1" - + Options Indexes AllowOverride None - Order allow,deny - Allow from all + Require all granted SetHandler type-map diff --git a/config-archive/etc/apache2/modules.d/00_default_settings.conf b/config-archive/etc/apache2/modules.d/00_default_settings.conf index 0213f2b..ac0ab07 100644 --- a/config-archive/etc/apache2/modules.d/00_default_settings.conf +++ b/config-archive/etc/apache2/modules.d/00_default_settings.conf @@ -118,8 +118,7 @@ LogLevel info # negotiated documents. The MultiViews Options can be used for the # same purpose, but it is much slower. # -# To add files to that list use AddDirectoryIndex in a custom config -# file. Do not change this entry unless you know what you are doing. +# Do not change this entry unless you know what you are doing. DirectoryIndex index.html index.html.var index.shtml index.htm diff --git a/config-archive/etc/apache2/modules.d/00_default_settings.conf.1 b/config-archive/etc/apache2/modules.d/00_default_settings.conf.1 new file mode 100644 index 0000000..0213f2b --- /dev/null +++ b/config-archive/etc/apache2/modules.d/00_default_settings.conf.1 @@ -0,0 +1,134 @@ +# This configuration file reflects default settings for Apache HTTP Server. +# You may change these, but chances are that you may not need to. + +# Timeout: The number of seconds before receives and sends time out. +Timeout 300 + +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +KeepAlive On + +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +MaxKeepAliveRequests 100 + +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. +KeepAliveTimeout 15 + +# UseCanonicalName: Determines how Apache constructs self-referencing +# URLs and the SERVER_NAME and SERVER_PORT variables. +# When set "Off", Apache will use the Hostname and Port supplied +# by the client. When set "On", Apache will use the value of the +# ServerName directive. +UseCanonicalName Off + +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. +AccessFileName .htaccess + +# ServerTokens +# This directive configures what you return as the Server HTTP response +# Header. The default is 'Full' which sends information about the OS-Type +# and compiled in modules. +# Set to one of: Full | OS | Minor | Minimal | Major | Prod +# where Full conveys the most information, and Prod the least. +ServerTokens Full + +# TraceEnable +# This directive overrides the behavior of TRACE for both the core server and +# mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616, +# which disallows any request body to accompany the request. TraceEnable off +# causes the core server and mod_proxy to return a 405 (Method not allowed) +# error to the client. +# For security reasons this is turned off by default. (bug #240680) +TraceEnable off + +# Optionally add a line containing the server version and virtual host +# name to server-generated pages (internal error documents, FTP directory +# listings, mod_status and mod_info output etc., but not CGI generated +# documents or custom error documents). +# Set to "EMail" to also include a mailto: link to the ServerAdmin. +# Set to one of: On | Off | EMail +ServerSignature On + +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). +# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +HostnameLookups Off + +# EnableMMAP and EnableSendfile: On systems that support it, +# memory-mapping or the sendfile syscall is used to deliver +# files. This usually improves server performance, but must +# be turned off when serving from networked-mounted +# filesystems or if support for these functions is otherwise +# broken on your system. +EnableMMAP On +EnableSendfile On + +# FileEtag: Configures the file attributes that are used to create +# the ETag (entity tag) response header field when the document is +# based on a static file. (The ETag value is used in cache management +# to save network bandwidth.) +FileEtag INode MTime Size + +# ContentDigest: This directive enables the generation of Content-MD5 +# headers as defined in RFC1864 respectively RFC2616. +# The Content-MD5 header provides an end-to-end message integrity +# check (MIC) of the entity-body. A proxy or client may check this +# header for detecting accidental modification of the entity-body +# in transit. +# Note that this can cause performance problems on your server since +# the message digest is computed on every request (the values are +# not cached). +# Content-MD5 is only sent for documents served by the core, and not +# by any module. For example, SSI documents, output from CGI scripts, +# and byte range responses do not have this header. +ContentDigest Off + +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +ErrorLog /var/log/apache2/error.log + +# LogLevel: Control the number of messages logged to the error_log. +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. +LogLevel info + +# We configure the "default" to be a very restrictive set of features. + + Options FollowSymLinks + AllowOverride None + Order deny,allow + Deny from all + + +# DirectoryIndex: sets the file that Apache will serve if a directory +# is requested. +# +# The index.html.var file (a type-map) is used to deliver content- +# negotiated documents. The MultiViews Options can be used for the +# same purpose, but it is much slower. +# +# To add files to that list use AddDirectoryIndex in a custom config +# file. Do not change this entry unless you know what you are doing. + + DirectoryIndex index.html index.html.var index.shtml index.htm + + +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. + + Order allow,deny + Deny from all + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_default_settings.conf.dist.new b/config-archive/etc/apache2/modules.d/00_default_settings.conf.dist.new new file mode 100644 index 0000000..38635aa --- /dev/null +++ b/config-archive/etc/apache2/modules.d/00_default_settings.conf.dist.new @@ -0,0 +1,131 @@ +# This configuration file reflects default settings for Apache HTTP Server. +# You may change these, but chances are that you may not need to. + +# Timeout: The number of seconds before receives and sends time out. +Timeout 300 + +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +KeepAlive On + +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +MaxKeepAliveRequests 100 + +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. +KeepAliveTimeout 15 + +# UseCanonicalName: Determines how Apache constructs self-referencing +# URLs and the SERVER_NAME and SERVER_PORT variables. +# When set "Off", Apache will use the Hostname and Port supplied +# by the client. When set "On", Apache will use the value of the +# ServerName directive. +UseCanonicalName Off + +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. +AccessFileName .htaccess + +# ServerTokens +# This directive configures what you return as the Server HTTP response +# Header. The default is 'Full' which sends information about the OS-Type +# and compiled in modules. +# Set to one of: Full | OS | Minor | Minimal | Major | Prod +# where Full conveys the most information, and Prod the least. +ServerTokens Prod + +# TraceEnable +# This directive overrides the behavior of TRACE for both the core server and +# mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616, +# which disallows any request body to accompany the request. TraceEnable off +# causes the core server and mod_proxy to return a 405 (Method not allowed) +# error to the client. +# For security reasons this is turned off by default. (bug #240680) +TraceEnable off + +# Optionally add a line containing the server version and virtual host +# name to server-generated pages (internal error documents, FTP directory +# listings, mod_status and mod_info output etc., but not CGI generated +# documents or custom error documents). +# Set to "EMail" to also include a mailto: link to the ServerAdmin. +# Set to one of: On | Off | EMail +ServerSignature On + +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). +# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +HostnameLookups Off + +# EnableMMAP and EnableSendfile: On systems that support it, +# memory-mapping or the sendfile syscall is used to deliver +# files. This usually improves server performance, but must +# be turned off when serving from networked-mounted +# filesystems or if support for these functions is otherwise +# broken on your system. +EnableMMAP On +EnableSendfile Off + +# FileETag: Configures the file attributes that are used to create +# the ETag (entity tag) response header field when the document is +# based on a static file. (The ETag value is used in cache management +# to save network bandwidth.) +FileETag MTime Size + +# ContentDigest: This directive enables the generation of Content-MD5 +# headers as defined in RFC1864 respectively RFC2616. +# The Content-MD5 header provides an end-to-end message integrity +# check (MIC) of the entity-body. A proxy or client may check this +# header for detecting accidental modification of the entity-body +# in transit. +# Note that this can cause performance problems on your server since +# the message digest is computed on every request (the values are +# not cached). +# Content-MD5 is only sent for documents served by the core, and not +# by any module. For example, SSI documents, output from CGI scripts, +# and byte range responses do not have this header. +ContentDigest Off + +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +ErrorLog /var/log/apache2/error_log + +# LogLevel: Control the number of messages logged to the error_log. +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. +LogLevel warn + +# We configure the "default" to be a very restrictive set of features. + + Options FollowSymLinks + AllowOverride None + Require all denied + + +# DirectoryIndex: sets the file that Apache will serve if a directory +# is requested. +# +# The index.html.var file (a type-map) is used to deliver content- +# negotiated documents. The MultiViews Options can be used for the +# same purpose, but it is much slower. +# +# Do not change this entry unless you know what you are doing. + + DirectoryIndex index.html index.html.var + + +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. + + Require all denied + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_error_documents.conf b/config-archive/etc/apache2/modules.d/00_error_documents.conf new file mode 100644 index 0000000..90c6b0a --- /dev/null +++ b/config-archive/etc/apache2/modules.d/00_error_documents.conf @@ -0,0 +1,58 @@ +# The configuration below implements multi-language error documents through +# content-negotiation. + +# Customizable error responses come in three flavors: +# 1) plain text 2) local redirects 3) external redirects +# Some examples: +#ErrorDocument 500 "The server made a boo boo." +#ErrorDocument 404 /missing.html +#ErrorDocument 404 "/cgi-bin/missing_handler.pl" +#ErrorDocument 402 http://www.example.com/subscription_info.html + +# Required modules: mod_alias, mod_include, mod_negotiation +# We use Alias to redirect any /error/HTTP_.html.var response to +# our collection of by-error message multi-language collections. We use +# includes to substitute the appropriate text. +# You can modify the messages' appearance without changing any of the +# default HTTP_.html.var files by adding the line: +# Alias /error/include/ "/your/include/path/" +# which allows you to create your own set of files by starting with the +# /var/www/localhost/error/include/ files and copying them to /your/include/path/, +# even on a per-VirtualHost basis. The default include files will display +# your Apache version number and your ServerAdmin email address regardless +# of the setting of ServerSignature. + + +Alias /error/ "/usr/share/apache2/error/" + + + AllowOverride None + Options IncludesNoExec + AddOutputFilter Includes html + AddHandler type-map var + Order allow,deny + Allow from all + LanguagePriority de en cs es fr it ja ko nl pl pt-br ro sv tr + ForceLanguagePriority Prefer Fallback + + +ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var +ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var +ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var +ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var +ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var +ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var +ErrorDocument 410 /error/HTTP_GONE.html.var +ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var +ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var +ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var +ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var +ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var +ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var +ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var +ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var +ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var +ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_error_documents.conf.dist b/config-archive/etc/apache2/modules.d/00_error_documents.conf.dist new file mode 100644 index 0000000..61479fa --- /dev/null +++ b/config-archive/etc/apache2/modules.d/00_error_documents.conf.dist @@ -0,0 +1,57 @@ +# The configuration below implements multi-language error documents through +# content-negotiation. + +# Customizable error responses come in three flavors: +# 1) plain text 2) local redirects 3) external redirects +# Some examples: +#ErrorDocument 500 "The server made a boo boo." +#ErrorDocument 404 /missing.html +#ErrorDocument 404 "/cgi-bin/missing_handler.pl" +#ErrorDocument 402 http://www.example.com/subscription_info.html + +# Required modules: mod_alias, mod_include, mod_negotiation +# We use Alias to redirect any /error/HTTP_.html.var response to +# our collection of by-error message multi-language collections. We use +# includes to substitute the appropriate text. +# You can modify the messages' appearance without changing any of the +# default HTTP_.html.var files by adding the line: +# Alias /error/include/ "/your/include/path/" +# which allows you to create your own set of files by starting with the +# /var/www/localhost/error/include/ files and copying them to /your/include/path/, +# even on a per-VirtualHost basis. The default include files will display +# your Apache version number and your ServerAdmin email address regardless +# of the setting of ServerSignature. + + +Alias /error/ "/usr/share/apache2/error/" + + + AllowOverride None + Options IncludesNoExec + AddOutputFilter Includes html + AddHandler type-map var + Require all granted + LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr + ForceLanguagePriority Prefer Fallback + + +ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var +ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var +ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var +ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var +ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var +ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var +ErrorDocument 410 /error/HTTP_GONE.html.var +ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var +ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var +ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var +ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var +ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var +ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var +ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var +ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var +ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var +ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf b/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf index e04516d..bb8ecc3 100644 --- a/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf +++ b/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf @@ -1,4 +1,6 @@ + + # We include the /icons/ alias for FancyIndexed directory listings. If # you do not use FancyIndexing, you may comment this out. @@ -80,6 +82,7 @@ HeaderName HEADER.html # IndexIgnore is a set of filenames which directory indexing should ignore # and not include in the listing. Shell-style wildcarding is permitted. IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t + # vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.1 b/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.1 new file mode 100644 index 0000000..e04516d --- /dev/null +++ b/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.1 @@ -0,0 +1,85 @@ + + +# We include the /icons/ alias for FancyIndexed directory listings. If +# you do not use FancyIndexing, you may comment this out. +Alias /icons/ "/usr/share/apache2/icons/" + + + Options Indexes MultiViews + AllowOverride None + Order allow,deny + Allow from all + + + +# Directives controlling the display of server-generated directory listings. +# +# To see the listing of a directory, the Options directive for the +# directory must include "Indexes", and the directory must not contain +# a file matching those listed in the DirectoryIndex directive. + +# IndexOptions: Controls the appearance of server-generated directory +# listings. +IndexOptions FancyIndexing VersionSort FoldersFirst HTMLTable IgnoreCase NameWidth=50 + +# AddIcon* directives tell the server which icon to show for different +# files or filename extensions. These are only displayed for +# FancyIndexed directories. +AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip + +AddIconByType (TXT,/icons/text.gif) text/* +AddIconByType (IMG,/icons/image2.gif) image/* +AddIconByType (SND,/icons/sound2.gif) audio/* +AddIconByType (VID,/icons/movie.gif) video/* + +AddIcon /icons/binary.gif .bin .exe +AddIcon /icons/binhex.gif .hqx +AddIcon /icons/tar.gif .tar +AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv +AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip +AddIcon /icons/a.gif .ps .ai .eps +AddIcon /icons/layout.gif .html .shtml .htm .pdf +AddIcon /icons/text.gif .txt +AddIcon /icons/c.gif .c +AddIcon /icons/p.gif .pl .py +AddIcon /icons/f.gif .for +AddIcon /icons/dvi.gif .dvi +AddIcon /icons/uuencoded.gif .uu +AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl +AddIcon /icons/tex.gif .tex +AddIcon /icons/bomb.gif core + +AddIcon /icons/back.gif .. +AddIcon /icons/hand.right.gif README +AddIcon /icons/folder.gif ^^DIRECTORY^^ +AddIcon /icons/blank.gif ^^BLANKICON^^ + +# DefaultIcon is which icon to show for files which do not have an icon +# explicitly set. +DefaultIcon /icons/unknown.gif + +# AddDescription allows you to place a short description after a file in +# server-generated indexes. These are only displayed for FancyIndexed +# directories. +# Format: AddDescription "description" filename + +AddDescription "GZIP-komprimiertes Tar-Archiv" .tar.gz +AddDescription "GZIP-komprimiertes Dokument" .gz +AddDescription "Tar-Archive" .tar +AddDescription "GZIP-komprimiertes Tar-Archiv" .tgz +AddDescription "PDF-Dokument" .pdf + +# ReadmeName is the name of the README file the server will look for by +# default, and append to directory listings. + +# HeaderName is the name of a file which should be prepended to +# directory indexes. +ReadmeName README.html +HeaderName HEADER.html + +# IndexIgnore is a set of filenames which directory indexing should ignore +# and not include in the listing. Shell-style wildcarding is permitted. +IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist b/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist index 097410a..10bf483 100644 --- a/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist +++ b/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist @@ -9,8 +9,7 @@ Alias /icons/ "/usr/share/apache2/icons/" Options Indexes MultiViews AllowOverride None - Order allow,deny - Allow from all + Require all granted diff --git a/config-archive/etc/apache2/modules.d/00_mod_info.conf b/config-archive/etc/apache2/modules.d/00_mod_info.conf new file mode 100644 index 0000000..35cbd2c --- /dev/null +++ b/config-archive/etc/apache2/modules.d/00_mod_info.conf @@ -0,0 +1,18 @@ + +# Allow remote server configuration reports, with the URL of +# http://servername/server-info + + SetHandler server-info + Order deny,allow + Deny from all + Allow from 127.0.0.1 + Allow from localhost + AuthName "Server Status Access" + AuthType Basic + AuthUserFile /etc/apache2/info_users_passwd + Require valid-user + Satisfy Any + + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_mod_info.conf.dist b/config-archive/etc/apache2/modules.d/00_mod_info.conf.dist new file mode 100644 index 0000000..2cd32c4 --- /dev/null +++ b/config-archive/etc/apache2/modules.d/00_mod_info.conf.dist @@ -0,0 +1,10 @@ + +# Allow remote server configuration reports, with the URL of +# http://servername/server-info + + SetHandler server-info + Require local + + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_mod_mime.conf b/config-archive/etc/apache2/modules.d/00_mod_mime.conf new file mode 100644 index 0000000..6229e61 --- /dev/null +++ b/config-archive/etc/apache2/modules.d/00_mod_mime.conf @@ -0,0 +1,55 @@ +# DefaultType: the default MIME type the server will use for a document +# if it cannot otherwise determine one, such as from filename extensions. +# If your server contains mostly text or HTML documents, "text/plain" is +# a good value. If most of your content is binary, such as applications +# or images, you may want to use "application/octet-stream" instead to +# keep browsers from trying to display binary files as though they are +# text. +DefaultType text/plain + + +# TypesConfig points to the file containing the list of mappings from +# filename extension to MIME-type. +TypesConfig /etc/mime.types + +# AddType allows you to add to or override the MIME configuration +# file specified in TypesConfig for specific file types. +#AddType application/x-gzip .tgz + +# AddEncoding allows you to have certain browsers uncompress +# information on the fly. Note: Not all browsers support this. +AddEncoding x-compress .Z +AddEncoding x-gzip .gz .tgz + +# If the AddEncoding directives above are commented-out, then you +# probably should define those extensions to indicate media types: +AddType application/x-compress .Z +AddType application/x-gzip .gz .tgz + +# AddHandler allows you to map certain file extensions to "handlers": +# actions unrelated to filetype. These can be either built into the server +# or added with the Action directive (see below) + +# To use CGI scripts outside of ScriptAliased directories: +# (You will also need to add "ExecCGI" to the "Options" directive.) +#AddHandler cgi-script .cgi + +# For type maps (negotiated resources): +AddHandler type-map var + +# Filters allow you to process content before it is sent to the client. +# +# To parse .shtml files for server-side includes (SSI): +# (You will also need to add "Includes" to the "Options" directive.) +#AddType text/html .shtml +#AddOutputFilter INCLUDES .shtml + + + +# The mod_mime_magic module allows the server to use various hints from the +# contents of the file itself to determine its type. The MIMEMagicFile +# directive tells the module where the hint definitions are located. +MIMEMagicFile /etc/apache2/magic + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_mod_mime.conf.dist b/config-archive/etc/apache2/modules.d/00_mod_mime.conf.dist new file mode 100644 index 0000000..fb8a9a5 --- /dev/null +++ b/config-archive/etc/apache2/modules.d/00_mod_mime.conf.dist @@ -0,0 +1,46 @@ + +# TypesConfig points to the file containing the list of mappings from +# filename extension to MIME-type. +TypesConfig /etc/mime.types + +# AddType allows you to add to or override the MIME configuration +# file specified in TypesConfig for specific file types. +#AddType application/x-gzip .tgz + +# AddEncoding allows you to have certain browsers uncompress +# information on the fly. Note: Not all browsers support this. +#AddEncoding x-compress .Z +#AddEncoding x-gzip .gz .tgz + +# If the AddEncoding directives above are commented-out, then you +# probably should define those extensions to indicate media types: +AddType application/x-compress .Z +AddType application/x-gzip .gz .tgz + +# AddHandler allows you to map certain file extensions to "handlers": +# actions unrelated to filetype. These can be either built into the server +# or added with the Action directive (see below) + +# To use CGI scripts outside of ScriptAliased directories: +# (You will also need to add "ExecCGI" to the "Options" directive.) +#AddHandler cgi-script .cgi + +# For type maps (negotiated resources): +#AddHandler type-map var + +# Filters allow you to process content before it is sent to the client. +# +# To parse .shtml files for server-side includes (SSI): +# (You will also need to add "Includes" to the "Options" directive.) +#AddType text/html .shtml +#AddOutputFilter INCLUDES .shtml + + + +# The mod_mime_magic module allows the server to use various hints from the +# contents of the file itself to determine its type. The MIMEMagicFile +# directive tells the module where the hint definitions are located. +MIMEMagicFile /etc/apache2/magic + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_mod_status.conf b/config-archive/etc/apache2/modules.d/00_mod_status.conf new file mode 100644 index 0000000..615122c --- /dev/null +++ b/config-archive/etc/apache2/modules.d/00_mod_status.conf @@ -0,0 +1,23 @@ + +# Allow server status reports generated by mod_status, +# with the URL of http://servername/server-status + + SetHandler server-status + Order deny,allow + Deny from all + Allow from 127.0.0.1 + Allow from localhost + AuthName "Server Status Access" + AuthType Basic + AuthUserFile /etc/apache2/info_users_passwd + Require valid-user + Satisfy Any + + +# ExtendedStatus controls whether Apache will generate "full" status +# information (ExtendedStatus On) or just basic information (ExtendedStatus +# Off) when the "server-status" handler is called. +ExtendedStatus On + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_mod_status.conf.dist b/config-archive/etc/apache2/modules.d/00_mod_status.conf.dist new file mode 100644 index 0000000..ed8b3c7 --- /dev/null +++ b/config-archive/etc/apache2/modules.d/00_mod_status.conf.dist @@ -0,0 +1,15 @@ + +# Allow server status reports generated by mod_status, +# with the URL of http://servername/server-status + + SetHandler server-status + Require local + + +# ExtendedStatus controls whether Apache will generate "full" status +# information (ExtendedStatus On) or just basic information (ExtendedStatus +# Off) when the "server-status" handler is called. +ExtendedStatus On + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_mpm.conf b/config-archive/etc/apache2/modules.d/00_mpm.conf new file mode 100644 index 0000000..27dc24d --- /dev/null +++ b/config-archive/etc/apache2/modules.d/00_mpm.conf @@ -0,0 +1,99 @@ +# Server-Pool Management (MPM specific) + +# PidFile: The file in which the server should record its process +# identification number when it starts. +# +# DO NOT CHANGE UNLESS YOU KNOW WHAT YOU ARE DOING +PidFile /var/run/apache2.pid + +# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. +#LockFile /var/run/apache2.lock + +# Only one of the below sections will be relevant on your +# installed httpd. Use "/usr/sbin/apache2 -l" to find out the +# active mpm. + +# common MPM configuration +# These configuration directives apply to all MPMs +# +# StartServers: Number of child server processes created at startup +# MaxClients: Maximum number of child processes to serve requests +# MaxRequestsPerChild: Limit on the number of requests that an individual child +# server will handle during its life + + +# prefork MPM +# This is the default MPM if USE=-threads +# +# MinSpareServers: Minimum number of idle child server processes +# MaxSpareServers: Maximum number of idle child server processes + + StartServers 2 + MinSpareServers 2 + MaxSpareServers 10 + MaxClients 150 + MaxRequestsPerChild 10000 + + +# worker MPM +# This is the default MPM if USE=threads +# +# MinSpareThreads: Minimum number of idle threads available to handle request spikes +# MaxSpareThreads: Maximum number of idle threads +# ThreadsPerChild: Number of threads created by each child process + + StartServers 2 + MinSpareThreads 25 + MaxSpareThreads 75 + ThreadsPerChild 25 + MaxClients 150 + MaxRequestsPerChild 10000 + + +# event MPM +# +# MinSpareThreads: Minimum number of idle threads available to handle request spikes +# MaxSpareThreads: Maximum number of idle threads +# ThreadsPerChild: Number of threads created by each child process + + StartServers 2 + MinSpareThreads 25 + MaxSpareThreads 75 + ThreadsPerChild 25 + MaxClients 150 + MaxRequestsPerChild 10000 + + +# peruser MPM +# +# MinSpareProcessors: Minimum number of idle child server processes +# MinProcessors: Minimum number of processors per virtual host +# MaxProcessors: Maximum number of processors per virtual host +# ExpireTimeout: Maximum idle time before a child is killed, 0 to disable +# Multiplexer: Specify a Multiplexer child configuration. +# Processor: Specify a user and group for a specific child process + + MinSpareProcessors 2 + MinProcessors 2 + MaxProcessors 10 + MaxClients 150 + MaxRequestsPerChild 1000 + ExpireTimeout 1800 + + Multiplexer nobody nobody + Processor apache apache + + +# itk MPM +# +# MinSpareServers: Minimum number of idle child server processes +# MaxSpareServers: Maximum number of idle child server processes + + StartServers 5 + MinSpareServers 5 + MaxSpareServers 10 + MaxClients 150 + MaxRequestsPerChild 10000 + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_mpm.conf.dist b/config-archive/etc/apache2/modules.d/00_mpm.conf.dist new file mode 100644 index 0000000..bcb9b6b --- /dev/null +++ b/config-archive/etc/apache2/modules.d/00_mpm.conf.dist @@ -0,0 +1,99 @@ +# Server-Pool Management (MPM specific) + +# PidFile: The file in which the server should record its process +# identification number when it starts. +# +# DO NOT CHANGE UNLESS YOU KNOW WHAT YOU ARE DOING +PidFile /run/apache2.pid + +# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. +# Mutex file:/run/apache_mpm_mutex + +# Only one of the below sections will be relevant on your +# installed httpd. Use "/usr/sbin/apache2 -l" to find out the +# active mpm. + +# common MPM configuration +# These configuration directives apply to all MPMs +# +# StartServers: Number of child server processes created at startup +# MaxRequestWorkers: Maximum number of child processes to serve requests +# MaxConnectionsPerChild: Limit on the number of connections that an individual +# child server will handle during its life + + +# prefork MPM +# This is the default MPM if USE=-threads +# +# MinSpareServers: Minimum number of idle child server processes +# MaxSpareServers: Maximum number of idle child server processes + + StartServers 5 + MinSpareServers 5 + MaxSpareServers 10 + MaxRequestWorkers 150 + MaxConnectionsPerChild 10000 + + +# worker MPM +# This is the default MPM if USE=threads +# +# MinSpareThreads: Minimum number of idle threads available to handle request spikes +# MaxSpareThreads: Maximum number of idle threads +# ThreadsPerChild: Number of threads created by each child process + + StartServers 2 + MinSpareThreads 25 + MaxSpareThreads 75 + ThreadsPerChild 25 + MaxRequestWorkers 150 + MaxConnectionsPerChild 10000 + + +# event MPM +# +# MinSpareThreads: Minimum number of idle threads available to handle request spikes +# MaxSpareThreads: Maximum number of idle threads +# ThreadsPerChild: Number of threads created by each child process + + StartServers 2 + MinSpareThreads 25 + MaxSpareThreads 75 + ThreadsPerChild 25 + MaxRequestWorkers 150 + MaxConnectionsPerChild 10000 + + +# peruser MPM +# +# MinSpareProcessors: Minimum number of idle child server processes +# MinProcessors: Minimum number of processors per virtual host +# MaxProcessors: Maximum number of processors per virtual host +# ExpireTimeout: Maximum idle time before a child is killed, 0 to disable +# Multiplexer: Specify a Multiplexer child configuration. +# Processor: Specify a user and group for a specific child process + + MinSpareProcessors 2 + MinProcessors 2 + MaxProcessors 10 + MaxRequestWorkers 150 + MaxConnectionsPerChild 1000 + ExpireTimeout 1800 + + Multiplexer nobody nobody + Processor apache apache + + +# itk MPM +# +# MinSpareServers: Minimum number of idle child server processes +# MaxSpareServers: Maximum number of idle child server processes + + StartServers 5 + MinSpareServers 5 + MaxSpareServers 10 + MaxRequestWorkers 150 + MaxConnectionsPerChild 10000 + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/vhosts.d/00_default_vhost.conf b/config-archive/etc/apache2/vhosts.d/00_default_vhost.conf new file mode 100644 index 0000000..2b46233 --- /dev/null +++ b/config-archive/etc/apache2/vhosts.d/00_default_vhost.conf @@ -0,0 +1,48 @@ +# Virtual Hosts +# +# If you want to maintain multiple domains/hostnames on your +# machine you can setup VirtualHost containers for them. Most configurations +# use only name-based virtual hosts so the server doesn't need to worry about +# IP addresses. This is indicated by the asterisks in the directives below. +# +# Please see the documentation at +# +# for further details before you try to setup virtual hosts. +# +# You may use the command line option '-S' to verify your virtual host +# configuration. + + +# see bug #178966 why this is in here + +# Listen: Allows you to bind Apache to specific IP addresses and/or +# ports, instead of the default. See also the +# directive. +# +# Change this to Listen on specific IP addresses as shown below to +# prevent Apache from glomming onto all bound IP addresses. +# +#Listen 12.34.56.78:80 +Listen 80 + +# Use name-based virtual hosting. +NameVirtualHost *:80 + +# When virtual hosts are enabled, the main host defined in the default +# httpd.conf configuration will go away. We redefine it here so that it is +# still available. +# +# If you disable this vhost by removing -D DEFAULT_VHOST from +# /etc/conf.d/apache2, the first defined virtual host elsewhere will be +# the default. + + ServerName www.uhu-banane.de + Include /etc/apache2/vhosts.d/default_vhost.include + + + ServerEnvironment apache apache + + + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/vhosts.d/00_default_vhost.conf.dist b/config-archive/etc/apache2/vhosts.d/00_default_vhost.conf.dist new file mode 100644 index 0000000..b9766b5 --- /dev/null +++ b/config-archive/etc/apache2/vhosts.d/00_default_vhost.conf.dist @@ -0,0 +1,45 @@ +# Virtual Hosts +# +# If you want to maintain multiple domains/hostnames on your +# machine you can setup VirtualHost containers for them. Most configurations +# use only name-based virtual hosts so the server doesn't need to worry about +# IP addresses. This is indicated by the asterisks in the directives below. +# +# Please see the documentation at +# +# for further details before you try to setup virtual hosts. +# +# You may use the command line option '-S' to verify your virtual host +# configuration. + + +# see bug #178966 why this is in here + +# Listen: Allows you to bind Apache to specific IP addresses and/or +# ports, instead of the default. See also the +# directive. +# +# Change this to Listen on specific IP addresses as shown below to +# prevent Apache from glomming onto all bound IP addresses. +# +#Listen 12.34.56.78:80 +Listen 80 + +# When virtual hosts are enabled, the main host defined in the default +# httpd.conf configuration will go away. We redefine it here so that it is +# still available. +# +# If you disable this vhost by removing -D DEFAULT_VHOST from +# /etc/conf.d/apache2, the first defined virtual host elsewhere will be +# the default. + + ServerName localhost + Include /etc/apache2/vhosts.d/default_vhost.include + + + ServerEnvironment apache apache + + + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/vhosts.d/default_vhost.include b/config-archive/etc/apache2/vhosts.d/default_vhost.include new file mode 100644 index 0000000..61282a6 --- /dev/null +++ b/config-archive/etc/apache2/vhosts.d/default_vhost.include @@ -0,0 +1,73 @@ +# ServerAdmin: Your address, where problems with the server should be +# e-mailed. This address appears on some server-generated pages, such +# as error documents. e.g. admin@your-domain.com +ServerAdmin frank@brehm-online.com + +# DocumentRoot: The directory out of which you will serve your +# documents. By default, all requests are taken from this directory, but +# symbolic links and aliases may be used to point to other locations. +# +# If you change this to something that isn't under /var/www then suexec +# will no longer work. +DocumentRoot "/var/www/localhost/htdocs" + +# This should be changed to whatever you set DocumentRoot to. + + # Possible values for the Options directive are "None", "All", + # or any combination of: + # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews + # + # Note that "MultiViews" must be named *explicitly* --- "Options All" + # doesn't give it to you. + # + # The Options directive is both complicated and important. Please see + # http://httpd.apache.org/docs/2.2/mod/core.html#options + # for more information. + Options Indexes FollowSymLinks + + # AllowOverride controls what directives may be placed in .htaccess files. + # It can be "All", "None", or any combination of the keywords: + # Options FileInfo AuthConfig Limit + AllowOverride All + + # Controls who can get stuff from this server. + Order allow,deny + Allow from all + + + + # Redirect: Allows you to tell clients about documents that used to + # exist in your server's namespace, but do not anymore. The client + # will make a new request for the document at its new location. + # Example: + # Redirect permanent /foo http://www.example.com/bar + + # Alias: Maps web paths into filesystem paths and is used to + # access content that does not live under the DocumentRoot. + # Example: + # Alias /webpath /full/filesystem/path + # + # If you include a trailing / on /webpath then the server will + # require it to be present in the URL. You will also likely + # need to provide a section to allow access to + # the filesystem path. + + # ScriptAlias: This controls which directories contain server scripts. + # ScriptAliases are essentially the same as Aliases, except that + # documents in the target directory are treated as applications and + # run by the server when requested rather than as documents sent to the + # client. The same rules about trailing "/" apply to ScriptAlias + # directives as to Alias. + ScriptAlias /cgi-bin/ "/var/www/localhost/cgi-bin/" + + +# "/var/www/localhost/cgi-bin" should be changed to whatever your ScriptAliased +# CGI directory exists, if you have that configured. + + AllowOverride None + Options None + Order allow,deny + Allow from all + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/vhosts.d/default_vhost.include.dist b/config-archive/etc/apache2/vhosts.d/default_vhost.include.dist new file mode 100644 index 0000000..af6ece8 --- /dev/null +++ b/config-archive/etc/apache2/vhosts.d/default_vhost.include.dist @@ -0,0 +1,71 @@ +# ServerAdmin: Your address, where problems with the server should be +# e-mailed. This address appears on some server-generated pages, such +# as error documents. e.g. admin@your-domain.com +ServerAdmin root@localhost + +# DocumentRoot: The directory out of which you will serve your +# documents. By default, all requests are taken from this directory, but +# symbolic links and aliases may be used to point to other locations. +# +# If you change this to something that isn't under /var/www then suexec +# will no longer work. +DocumentRoot "/var/www/localhost/htdocs" + +# This should be changed to whatever you set DocumentRoot to. + + # Possible values for the Options directive are "None", "All", + # or any combination of: + # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews + # + # Note that "MultiViews" must be named *explicitly* --- "Options All" + # doesn't give it to you. + # + # The Options directive is both complicated and important. Please see + # http://httpd.apache.org/docs/2.4/mod/core.html#options + # for more information. + Options Indexes FollowSymLinks + + # AllowOverride controls what directives may be placed in .htaccess files. + # It can be "All", "None", or any combination of the keywords: + # Options FileInfo AuthConfig Limit + AllowOverride All + + # Controls who can get stuff from this server. + Require all granted + + + + # Redirect: Allows you to tell clients about documents that used to + # exist in your server's namespace, but do not anymore. The client + # will make a new request for the document at its new location. + # Example: + # Redirect permanent /foo http://www.example.com/bar + + # Alias: Maps web paths into filesystem paths and is used to + # access content that does not live under the DocumentRoot. + # Example: + # Alias /webpath /full/filesystem/path + # + # If you include a trailing / on /webpath then the server will + # require it to be present in the URL. You will also likely + # need to provide a section to allow access to + # the filesystem path. + + # ScriptAlias: This controls which directories contain server scripts. + # ScriptAliases are essentially the same as Aliases, except that + # documents in the target directory are treated as applications and + # run by the server when requested rather than as documents sent to the + # client. The same rules about trailing "/" apply to ScriptAlias + # directives as to Alias. + ScriptAlias /cgi-bin/ "/var/www/localhost/cgi-bin/" + + +# "/var/www/localhost/cgi-bin" should be changed to whatever your ScriptAliased +# CGI directory exists, if you have that configured. + + AllowOverride None + Options None + Require all granted + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/conf.d/fail2ban b/config-archive/etc/conf.d/fail2ban new file mode 100644 index 0000000..50eaf41 --- /dev/null +++ b/config-archive/etc/conf.d/fail2ban @@ -0,0 +1,8 @@ +# Config file for /etc/init.d/fail2ban +# +# For information on options, see "/usr/bin/fail2ban-client -h". + +FAIL2BAN_OPTIONS="-v" + +# Force execution of the server even if the socket already exists: +#FAIL2BAN_OPTIONS="-x" diff --git a/config-archive/etc/conf.d/fail2ban.dist.new b/config-archive/etc/conf.d/fail2ban.dist.new new file mode 100644 index 0000000..00d19f8 --- /dev/null +++ b/config-archive/etc/conf.d/fail2ban.dist.new @@ -0,0 +1,8 @@ +# Config file for /etc/init.d/fail2ban +# +# For information on options, see "/usr/bin/fail2ban-client -h". + +FAIL2BAN_OPTIONS="" + +# Force execution of the server even if the socket already exists: +#FAIL2BAN_OPTIONS="-x" diff --git a/config-archive/etc/etckeeper/etckeeper.conf.dist b/config-archive/etc/etckeeper/etckeeper.conf.dist new file mode 100644 index 0000000..0a9c88b --- /dev/null +++ b/config-archive/etc/etckeeper/etckeeper.conf.dist @@ -0,0 +1,53 @@ +# The VCS to use. +#VCS="hg" +VCS="git" +#VCS="bzr" +#VCS="darcs" + +# Options passed to git commit when run by etckeeper. +GIT_COMMIT_OPTIONS="" + +# Options passed to hg commit when run by etckeeper. +HG_COMMIT_OPTIONS="" + +# Options passed to bzr commit when run by etckeeper. +BZR_COMMIT_OPTIONS="" + +# Options passed to darcs record when run by etckeeper. +DARCS_COMMIT_OPTIONS="-a" + +# Uncomment to avoid etckeeper committing existing changes +# to /etc automatically once per day. +#AVOID_DAILY_AUTOCOMMITS=1 + +# Uncomment the following to avoid special file warning +# (the option is enabled automatically by cronjob regardless). +#AVOID_SPECIAL_FILE_WARNING=1 + +# Uncomment to avoid etckeeper committing existing changes to +# /etc before installation. It will cancel the installation, +# so you can commit the changes by hand. +#AVOID_COMMIT_BEFORE_INSTALL=1 + +# The high-level package manager that's being used. +# (apt, pacman-g2, yum, dnf, zypper etc) +#HIGHLEVEL_PACKAGE_MANAGER=apt + +# Gentoo specific: +# For portage this is emerge +# For paludis this is cave +HIGHLEVEL_PACKAGE_MANAGER=emerge + +# The low-level package manager that's being used. +# (dpkg, rpm, pacman, pacman-g2, etc) +#LOWLEVEL_PACKAGE_MANAGER=dpkg + +# Gentoo specific: +# For portage this is qlist +# For paludis this is cave +LOWLEVEL_PACKAGE_MANAGER=qlist + +# To push each commit to a remote, put the name of the remote here. +# (eg, "origin" for git). Space-separated lists of multiple remotes +# also work (eg, "origin gitlab github" for git). +PUSH_REMOTE="" diff --git a/config-archive/etc/etckeeper/etckeeper.conf.dist.new b/config-archive/etc/etckeeper/etckeeper.conf.dist.new deleted file mode 100644 index c1da4bf..0000000 --- a/config-archive/etc/etckeeper/etckeeper.conf.dist.new +++ /dev/null @@ -1,44 +0,0 @@ -# The VCS to use. -#VCS="hg" -VCS="git" -#VCS="bzr" -#VCS="darcs" - -# Options passed to git commit when run by etckeeper. -GIT_COMMIT_OPTIONS="" - -# Options passed to hg commit when run by etckeeper. -HG_COMMIT_OPTIONS="" - -# Options passed to bzr commit when run by etckeeper. -BZR_COMMIT_OPTIONS="" - -# Options passed to darcs record when run by etckeeper. -DARCS_COMMIT_OPTIONS="-a" - -# Uncomment to avoid etckeeper committing existing changes -# to /etc automatically once per day. -#AVOID_DAILY_AUTOCOMMITS=1 - -# Uncomment the following to avoid special file warning -# (the option is enabled automatically by cronjob regardless). -#AVOID_SPECIAL_FILE_WARNING=1 - -# Uncomment to avoid etckeeper committing existing changes to -# /etc before installation. It will cancel the installation, -# so you can commit the changes by hand. -#AVOID_COMMIT_BEFORE_INSTALL=1 - -# The high-level package manager that's being used. -# (apt, pacman-g2, yum, zypper etc) -# For gentoo this is emerge -HIGHLEVEL_PACKAGE_MANAGER=emerge - -# The low-level package manager that's being used. -# (dpkg, rpm, pacman, pacman-g2, etc) -# For gentoo this is qlist -LOWLEVEL_PACKAGE_MANAGER=qlist - -# To push each commit to a remote, put the name of the remote here. -# (eg, "origin" for git). -PUSH_REMOTE="" diff --git a/config-archive/etc/fail2ban/jail.conf b/config-archive/etc/fail2ban/jail.conf new file mode 100644 index 0000000..82be8d0 --- /dev/null +++ b/config-archive/etc/fail2ban/jail.conf @@ -0,0 +1,762 @@ +# +# WARNING: heavily refactored in 0.9.0 release. Please review and +# customize settings for your setup. +# +# Changes: in most of the cases you should not modify this +# file, but provide customizations in jail.local file, +# or separate .conf files under jail.d/ directory, e.g.: +# +# HOW TO ACTIVATE JAILS: +# +# YOU SHOULD NOT MODIFY THIS FILE. +# +# It will probably be overwritten or improved in a distribution update. +# +# Provide customizations in a jail.local file or a jail.d/customisation.local. +# For example to change the default bantime for all jails and to enable the +# ssh-iptables jail the following (uncommented) would appear in the .local file. +# See man 5 jail.conf for details. +# +# [DEFAULT] +# bantime = 3600 +# +# [sshd] +# enabled = true +# +# See jail.conf(5) man page for more information + + + +# Comments: use '#' for comment lines and ';' (following a space) for inline comments + + +[INCLUDES] + +#before = paths-distro.conf +before = paths-debian.conf + +# The DEFAULT allows a global definition of the options. They can be overridden +# in each jail afterwards. + +[DEFAULT] + +sshd_log = /var/log/syslog.d/authpriv.log + +# +# MISCELLANEOUS OPTIONS +# + +# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not +# ban a host which matches an address in this list. Several addresses can be +# defined using space separator. +ignoreip = 127.0.0.1/8 + +# External command that will take an tagged arguments to ignore, e.g. , +# and return true if the IP is to be ignored. False otherwise. +# +# ignorecommand = /path/to/command +ignorecommand = + +# "bantime" is the number of seconds that a host is banned. +bantime = 600 + +# A host is banned if it has generated "maxretry" during the last "findtime" +# seconds. +findtime = 600 + +# "maxretry" is the number of failures before a host get banned. +maxretry = 5 + +# "backend" specifies the backend used to get files modification. +# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto". +# This option can be overridden in each jail as well. +# +# pyinotify: requires pyinotify (a file alteration monitor) to be installed. +# If pyinotify is not installed, Fail2ban will use auto. +# gamin: requires Gamin (a file alteration monitor) to be installed. +# If Gamin is not installed, Fail2ban will use auto. +# polling: uses a polling algorithm which does not require external libraries. +# systemd: uses systemd python library to access the systemd journal. +# Specifying "logpath" is not valid for this backend. +# See "journalmatch" in the jails associated filter config +# auto: will try to use the following backends, in order: +# pyinotify, gamin, polling. +# +# Note: if systemd backend is choses as the default but you enable a jail +# for which logs are present only in its own log files, specify some other +# backend for that jail (e.g. polling) and provide empty value for +# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200 +backend = auto + +# "usedns" specifies if jails should trust hostnames in logs, +# warn when DNS lookups are performed, or ignore all hostnames in logs +# +# yes: if a hostname is encountered, a DNS lookup will be performed. +# warn: if a hostname is encountered, a DNS lookup will be performed, +# but it will be logged as a warning. +# no: if a hostname is encountered, will not be used for banning, +# but it will be logged as info. +usedns = warn + +# "logencoding" specifies the encoding of the log files handled by the jail +# This is used to decode the lines from the log file. +# Typical examples: "ascii", "utf-8" +# +# auto: will use the system locale setting +logencoding = auto + +# "enabled" enables the jails. +# By default all jails are disabled, and it should stay this way. +# Enable only relevant to your setup jails in your .local or jail.d/*.conf +# +# true: jail will be enabled and log files will get monitored for changes +# false: jail is not enabled +enabled = false + + +# "filter" defines the filter to use by the jail. +# By default jails have names matching their filter name +# +filter = %(__name__)s + + +# +# ACTIONS +# + +# Some options used for actions + +# Destination email address used solely for the interpolations in +# jail.{conf,local,d/*} configuration files. +destemail = root@localhost + +# Sender email address used solely for some actions +sender = root@localhost + +# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the +# mailing. Change mta configuration parameter to mail if you want to +# revert to conventional 'mail'. +mta = sendmail + +# Default protocol +protocol = tcp + +# Specify chain where jumps would need to be added in iptables-* actions +chain = INPUT + +# Ports to be banned +# Usually should be overridden in a particular jail +port = 0:65535 + +# +# Action shortcuts. To be used to define action parameter + +# Default banning action (e.g. iptables, iptables-new, +# iptables-multiport, shorewall, etc) It is used to define +# action_* variables. Can be overridden globally or per +# section within jail.local file +banaction = iptables-multiport + +# The simplest action to take: ban only +action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + +# ban & send an e-mail with whois report to the destemail. +action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] + +# ban & send an e-mail with whois report and relevant log lines +# to the destemail. +action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] + +# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action +# +# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines +# to the destemail. +action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"] + + +# Report block via blocklist.de fail2ban reporting service API +# +# See the IMPORTANT note in action.d/blocklist_de.conf for when to +# use this action. Create a file jail.d/blocklist_de.local containing +# [Init] +# blocklist_de_apikey = {api key from registration] +# +action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"] + +# Report ban via badips.com, and use as blacklist +# +# See BadIPsAction docstring in config/action.d/badips.py for +# documentation for this action. +# +# NOTE: This action relies on banaction being present on start and therefore +# should be last action defined for a jail. +# +action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"] + +# Choose default action. To change, just override value of 'action' with the +# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local +# globally (section [DEFAULT]) or per specific section +action = %(action_)s + + +# +# JAILS +# + +# +# SSH servers +# + +[sshd] + +port = ssh +logpath = /var/log/syslog.d/authpriv.log + + +[sshd-ddos] +# This jail corresponds to the standard configuration in Fail2ban. +# The mail-whois action send a notification e-mail with a whois request +# in the body. +port = ssh +logpath = /var/log/syslog.d/authpriv.log + + +[dropbear] + +port = ssh +logpath = %(dropbear_log)s + + +[selinux-ssh] + +port = ssh +logpath = %(auditd_log)s +maxretry = 5 + + +# +# HTTP servers +# + +[apache-auth] + +port = http,https +logpath = %(apache_error_log)s + + +[apache-badbots] +# Ban hosts which agent identifies spammer robots crawling the web +# for email addresses. The mail outputs are buffered. +port = http,https +logpath = %(apache_access_log)s +bantime = 172800 +maxretry = 1 + + +[apache-noscript] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 6 + + +[apache-overflows] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 2 + + +[apache-nohome] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 2 + + +[apache-botsearch] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 2 + + +[apache-fakegooglebot] + +port = http,https +logpath = %(apache_access_log)s +maxretry = 1 +ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot + + +[apache-modsecurity] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 2 + +[apache-shellshock] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 1 + +[nginx-http-auth] + +port = http,https +logpath = %(nginx_error_log)s + +[nginx-botsearch] + +port = http,https +logpath = %(nginx_error_log)s +maxretry = 2 + +# Ban attackers that try to use PHP's URL-fopen() functionality +# through GET/POST variables. - Experimental, with more than a year +# of usage in production environments. + +[php-url-fopen] + +port = http,https +logpath = %(nginx_access_log)s + %(apache_access_log)s + + +[suhosin] + +port = http,https +logpath = %(suhosin_log)s + + +[lighttpd-auth] +# Same as above for Apache's mod_auth +# It catches wrong authentifications +port = http,https +logpath = %(lighttpd_error_log)s + + +# +# Webmail and groupware servers +# + +[roundcube-auth] + +port = http,https +logpath = /var/log/roundcube/userlogins + + +[openwebmail] + +port = http,https +logpath = /var/log/openwebmail.log + + +[horde] + +port = http,https +logpath = /var/log/horde/horde.log + + +[groupoffice] + +port = http,https +logpath = /home/groupoffice/log/info.log + + +[sogo-auth] +# Monitor SOGo groupware server +# without proxy this would be: +# port = 20000 +port = http,https +logpath = /var/log/sogo/sogo.log + + +[tine20] + +logpath = /var/log/tine20/tine20.log +port = http,https +maxretry = 5 + + +# +# Web Applications +# +# + +[drupal-auth] + +port = http,https +logpath = %(syslog_daemon)s + +[guacamole] + +port = http,https +logpath = /var/log/tomcat*/catalina.out + +[monit] +#Ban clients brute-forcing the monit gui login +filter = monit +port = 2812 +logpath = /var/log/monit + + +[webmin-auth] + +port = 10000 +logpath = %(syslog_authpriv)s + + +# +# HTTP Proxy servers +# +# + +[squid] + +port = 80,443,3128,8080 +logpath = /var/log/squid/access.log + + +[3proxy] + +port = 3128 +logpath = /var/log/3proxy.log + +# +# FTP servers +# + + +[proftpd] + +port = ftp,ftp-data,ftps,ftps-data +logpath = %(proftpd_log)s + + +[pure-ftpd] + +port = ftp,ftp-data,ftps,ftps-data +logpath = %(pureftpd_log)s +maxretry = 6 + + +[gssftpd] + +port = ftp,ftp-data,ftps,ftps-data +logpath = %(syslog_daemon)s +maxretry = 6 + + +[wuftpd] + +port = ftp,ftp-data,ftps,ftps-data +logpath = %(wuftpd_log)s +maxretry = 6 + + +[vsftpd] +# or overwrite it in jails.local to be +# logpath = %(syslog_authpriv)s +# if you want to rely on PAM failed login attempts +# vsftpd's failregex should match both of those formats +port = ftp,ftp-data,ftps,ftps-data +logpath = %(vsftpd_log)s + + +# +# Mail servers +# + +# ASSP SMTP Proxy Jail +[assp] + +port = smtp,465,submission +logpath = /root/path/to/assp/logs/maillog.txt + + +[courier-smtp] + +port = smtp,465,submission +logpath = %(syslog_mail)s + + +[postfix] + +port = smtp,465,submission +logpath = %(postfix_log)s + + +[postfix-rbl] + +port = smtp,465,submission +logpath = %(syslog_mail)s +maxretry = 1 + + +[sendmail-auth] + +port = submission,465,smtp +logpath = %(syslog_mail)s + + +[sendmail-reject] + +port = smtp,465,submission +logpath = %(syslog_mail)s + + +[qmail-rbl] + +filter = qmail +port = smtp,465,submission +logpath = /service/qmail/log/main/current + + +# dovecot defaults to logging to the mail syslog facility +# but can be set by syslog_facility in the dovecot configuration. +[dovecot] + +port = pop3,pop3s,imap,imaps,submission,465,sieve +logpath = %(dovecot_log)s + + +[sieve] + +port = smtp,465,submission +logpath = %(dovecot_log)s + + +[solid-pop3d] + +port = pop3,pop3s +logpath = %(solidpop3d_log)s + + +[exim] + +port = smtp,465,submission +logpath = %(exim_main_log)s + + +[exim-spam] + +port = smtp,465,submission +logpath = %(exim_main_log)s + + +[kerio] + +port = imap,smtp,imaps,465 +logpath = /opt/kerio/mailserver/store/logs/security.log + + +# +# Mail servers authenticators: might be used for smtp,ftp,imap servers, so +# all relevant ports get banned +# + +[courier-auth] + +port = smtp,465,submission,imap3,imaps,pop3,pop3s +logpath = %(syslog_mail)s + + +[postfix-sasl] + +port = smtp,465,submission,imap3,imaps,pop3,pop3s +# You might consider monitoring /var/log/mail.warn instead if you are +# running postfix since it would provide the same log lines at the +# "warn" level but overall at the smaller filesize. +logpath = %(postfix_log)s + + +[perdition] + +port = imap3,imaps,pop3,pop3s +logpath = %(syslog_mail)s + + +[squirrelmail] + +port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks +logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log + + +[cyrus-imap] + +port = imap3,imaps +logpath = %(syslog_mail)s + + +[uwimap-auth] + +port = imap3,imaps +logpath = %(syslog_mail)s + + +# +# +# DNS servers +# + + +# !!! WARNING !!! +# Since UDP is connection-less protocol, spoofing of IP and imitation +# of illegal actions is way too simple. Thus enabling of this filter +# might provide an easy way for implementing a DoS against a chosen +# victim. See +# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html +# Please DO NOT USE this jail unless you know what you are doing. +# +# IMPORTANT: see filter.d/named-refused for instructions to enable logging +# This jail blocks UDP traffic for DNS requests. +# [named-refused-udp] +# +# filter = named-refused +# port = domain,953 +# protocol = udp +# logpath = /var/log/named/security.log + +# IMPORTANT: see filter.d/named-refused for instructions to enable logging +# This jail blocks TCP traffic for DNS requests. + +[named-refused] + +port = domain,953 +logpath = /var/log/named/security.log + + +[nsd] + +port = 53 +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] +logpath = /var/log/nsd.log + + +# +# Miscellaneous +# + +[asterisk] + +port = 5060,5061 +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] + %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] +logpath = /var/log/asterisk/messages +maxretry = 10 + + +[freeswitch] + +port = 5060,5061 +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] + %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] +logpath = /var/log/freeswitch.log +maxretry = 10 + + +# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or +# equivalent section: +# log-warning = 2 +# +# for syslog (daemon facility) +# [mysqld_safe] +# syslog +# +# for own logfile +# [mysqld] +# log-error=/var/log/mysqld.log +[mysqld-auth] + +port = 3306 +logpath = %(mysql_log)s +maxretry = 5 + + +# Jail for more extended banning of persistent abusers +# !!! WARNINGS !!! +# 1. Make sure that your loglevel specified in fail2ban.conf/.local +# is not at DEBUG level -- which might then cause fail2ban to fall into +# an infinite loop constantly feeding itself with non-informative lines +# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days) +# to maintain entries for failed logins for sufficient amount of time +[recidive] + +logpath = /var/log/fail2ban.log +banaction = iptables-allports +bantime = 604800 ; 1 week +findtime = 86400 ; 1 day +maxretry = 5 + + +# Generic filter for PAM. Has to be used with action which bans all +# ports such as iptables-allports, shorewall + +[pam-generic] +# pam-generic filter can be customized to monitor specific subset of 'tty's +banaction = iptables-allports +logpath = %(syslog_authpriv)s + + +[xinetd-fail] + +banaction = iptables-multiport-log +logpath = %(syslog_daemon)s +maxretry = 2 + + +# stunnel - need to set port for this +[stunnel] + +logpath = /var/log/stunnel4/stunnel.log + + +[ejabberd-auth] + +port = 5222 +logpath = /var/log/ejabberd/ejabberd.log + + +[counter-strike] + +logpath = /opt/cstrike/logs/L[0-9]*.log +# Firewall: http://www.cstrike-planet.com/faq/6 +tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039 +udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015 +action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] + +# consider low maxretry and a long bantime +# nobody except your own Nagios server should ever probe nrpe +[nagios] + +enabled = false +logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility +maxretry = 1 + + +[oracleims] +# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above +enabled = false +logpath = /opt/sun/comms/messaging64/log/mail.log_current +maxretry = 6 +banaction = iptables-allports + +[directadmin] +enabled = false +logpath = /var/log/directadmin/login.log +port = 2222 + +[portsentry] +enabled = false +logpath = /var/lib/portsentry/portsentry.history +maxretry = 1 + +# vim: filetype=dosini diff --git a/config-archive/etc/fail2ban/jail.conf.dist b/config-archive/etc/fail2ban/jail.conf.dist new file mode 100644 index 0000000..f545ff1 --- /dev/null +++ b/config-archive/etc/fail2ban/jail.conf.dist @@ -0,0 +1,782 @@ +# +# WARNING: heavily refactored in 0.9.0 release. Please review and +# customize settings for your setup. +# +# Changes: in most of the cases you should not modify this +# file, but provide customizations in jail.local file, +# or separate .conf files under jail.d/ directory, e.g.: +# +# HOW TO ACTIVATE JAILS: +# +# YOU SHOULD NOT MODIFY THIS FILE. +# +# It will probably be overwritten or improved in a distribution update. +# +# Provide customizations in a jail.local file or a jail.d/customisation.local. +# For example to change the default bantime for all jails and to enable the +# ssh-iptables jail the following (uncommented) would appear in the .local file. +# See man 5 jail.conf for details. +# +# [DEFAULT] +# bantime = 3600 +# +# [sshd] +# enabled = true +# +# See jail.conf(5) man page for more information + + + +# Comments: use '#' for comment lines and ';' (following a space) for inline comments + + +[INCLUDES] + +#before = paths-distro.conf +before = paths-debian.conf + +# The DEFAULT allows a global definition of the options. They can be overridden +# in each jail afterwards. + +[DEFAULT] + +# +# MISCELLANEOUS OPTIONS +# + +# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not +# ban a host which matches an address in this list. Several addresses can be +# defined using space separator. +ignoreip = 127.0.0.1/8 + +# External command that will take an tagged arguments to ignore, e.g. , +# and return true if the IP is to be ignored. False otherwise. +# +# ignorecommand = /path/to/command +ignorecommand = + +# "bantime" is the number of seconds that a host is banned. +bantime = 600 + +# A host is banned if it has generated "maxretry" during the last "findtime" +# seconds. +findtime = 600 + +# "maxretry" is the number of failures before a host get banned. +maxretry = 5 + +# "backend" specifies the backend used to get files modification. +# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto". +# This option can be overridden in each jail as well. +# +# pyinotify: requires pyinotify (a file alteration monitor) to be installed. +# If pyinotify is not installed, Fail2ban will use auto. +# gamin: requires Gamin (a file alteration monitor) to be installed. +# If Gamin is not installed, Fail2ban will use auto. +# polling: uses a polling algorithm which does not require external libraries. +# systemd: uses systemd python library to access the systemd journal. +# Specifying "logpath" is not valid for this backend. +# See "journalmatch" in the jails associated filter config +# auto: will try to use the following backends, in order: +# pyinotify, gamin, polling. +# +# Note: if systemd backend is choses as the default but you enable a jail +# for which logs are present only in its own log files, specify some other +# backend for that jail (e.g. polling) and provide empty value for +# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200 +backend = auto + +# "usedns" specifies if jails should trust hostnames in logs, +# warn when DNS lookups are performed, or ignore all hostnames in logs +# +# yes: if a hostname is encountered, a DNS lookup will be performed. +# warn: if a hostname is encountered, a DNS lookup will be performed, +# but it will be logged as a warning. +# no: if a hostname is encountered, will not be used for banning, +# but it will be logged as info. +usedns = warn + +# "logencoding" specifies the encoding of the log files handled by the jail +# This is used to decode the lines from the log file. +# Typical examples: "ascii", "utf-8" +# +# auto: will use the system locale setting +logencoding = auto + +# "enabled" enables the jails. +# By default all jails are disabled, and it should stay this way. +# Enable only relevant to your setup jails in your .local or jail.d/*.conf +# +# true: jail will be enabled and log files will get monitored for changes +# false: jail is not enabled +enabled = false + + +# "filter" defines the filter to use by the jail. +# By default jails have names matching their filter name +# +filter = %(__name__)s + + +# +# ACTIONS +# + +# Some options used for actions + +# Destination email address used solely for the interpolations in +# jail.{conf,local,d/*} configuration files. +destemail = root@localhost + +# Sender email address used solely for some actions +sender = root@localhost + +# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the +# mailing. Change mta configuration parameter to mail if you want to +# revert to conventional 'mail'. +mta = sendmail + +# Default protocol +protocol = tcp + +# Specify chain where jumps would need to be added in iptables-* actions +chain = INPUT + +# Ports to be banned +# Usually should be overridden in a particular jail +port = 0:65535 + +# +# Action shortcuts. To be used to define action parameter + +# Default banning action (e.g. iptables, iptables-new, +# iptables-multiport, shorewall, etc) It is used to define +# action_* variables. Can be overridden globally or per +# section within jail.local file +banaction = iptables-multiport + +# The simplest action to take: ban only +action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + +# ban & send an e-mail with whois report to the destemail. +action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] + +# ban & send an e-mail with whois report and relevant log lines +# to the destemail. +action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] + +# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action +# +# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines +# to the destemail. +action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"] + +# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines +# to the destemail. +action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] + %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] + +# Report block via blocklist.de fail2ban reporting service API +# +# See the IMPORTANT note in action.d/blocklist_de.conf for when to +# use this action. Create a file jail.d/blocklist_de.local containing +# [Init] +# blocklist_de_apikey = {api key from registration] +# +action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"] + +# Report ban via badips.com, and use as blacklist +# +# See BadIPsAction docstring in config/action.d/badips.py for +# documentation for this action. +# +# NOTE: This action relies on banaction being present on start and therefore +# should be last action defined for a jail. +# +action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"] + +# Choose default action. To change, just override value of 'action' with the +# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local +# globally (section [DEFAULT]) or per specific section +action = %(action_)s + + +# +# JAILS +# + +# +# SSH servers +# + +[sshd] + +port = ssh +logpath = %(sshd_log)s + + +[sshd-ddos] +# This jail corresponds to the standard configuration in Fail2ban. +# The mail-whois action send a notification e-mail with a whois request +# in the body. +port = ssh +logpath = %(sshd_log)s + + +[dropbear] + +port = ssh +logpath = %(dropbear_log)s + + +[selinux-ssh] + +port = ssh +logpath = %(auditd_log)s +maxretry = 5 + + +# +# HTTP servers +# + +[apache-auth] + +port = http,https +logpath = %(apache_error_log)s + + +[apache-badbots] +# Ban hosts which agent identifies spammer robots crawling the web +# for email addresses. The mail outputs are buffered. +port = http,https +logpath = %(apache_access_log)s +bantime = 172800 +maxretry = 1 + + +[apache-noscript] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 6 + + +[apache-overflows] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 2 + + +[apache-nohome] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 2 + + +[apache-botsearch] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 2 + + +[apache-fakegooglebot] + +port = http,https +logpath = %(apache_access_log)s +maxretry = 1 +ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot + + +[apache-modsecurity] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 2 + +[apache-shellshock] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 1 + +[nginx-http-auth] + +port = http,https +logpath = %(nginx_error_log)s + +[nginx-botsearch] + +port = http,https +logpath = %(nginx_error_log)s +maxretry = 2 + +# Ban attackers that try to use PHP's URL-fopen() functionality +# through GET/POST variables. - Experimental, with more than a year +# of usage in production environments. + +[php-url-fopen] + +port = http,https +logpath = %(nginx_access_log)s + %(apache_access_log)s + + +[suhosin] + +port = http,https +logpath = %(suhosin_log)s + + +[lighttpd-auth] +# Same as above for Apache's mod_auth +# It catches wrong authentifications +port = http,https +logpath = %(lighttpd_error_log)s + + +# +# Webmail and groupware servers +# + +[roundcube-auth] + +port = http,https +logpath = logpath = %(roundcube_errors_log)s + + +[openwebmail] + +port = http,https +logpath = /var/log/openwebmail.log + + +[horde] + +port = http,https +logpath = /var/log/horde/horde.log + + +[groupoffice] + +port = http,https +logpath = /home/groupoffice/log/info.log + + +[sogo-auth] +# Monitor SOGo groupware server +# without proxy this would be: +# port = 20000 +port = http,https +logpath = /var/log/sogo/sogo.log + + +[tine20] + +logpath = /var/log/tine20/tine20.log +port = http,https +maxretry = 5 + + +# +# Web Applications +# +# + +[drupal-auth] + +port = http,https +logpath = %(syslog_daemon)s + +[guacamole] + +port = http,https +logpath = /var/log/tomcat*/catalina.out + +[monit] +#Ban clients brute-forcing the monit gui login +filter = monit +port = 2812 +logpath = /var/log/monit + + +[webmin-auth] + +port = 10000 +logpath = %(syslog_authpriv)s + + +[froxlor-auth] + +port = http,https +logpath = %(syslog_authpriv)s + + +# +# HTTP Proxy servers +# +# + +[squid] + +port = 80,443,3128,8080 +logpath = /var/log/squid/access.log + + +[3proxy] + +port = 3128 +logpath = /var/log/3proxy.log + + +# +# FTP servers +# + + +[proftpd] + +port = ftp,ftp-data,ftps,ftps-data +logpath = %(proftpd_log)s + + +[pure-ftpd] + +port = ftp,ftp-data,ftps,ftps-data +logpath = %(pureftpd_log)s +maxretry = 6 + + +[gssftpd] + +port = ftp,ftp-data,ftps,ftps-data +logpath = %(syslog_daemon)s +maxretry = 6 + + +[wuftpd] + +port = ftp,ftp-data,ftps,ftps-data +logpath = %(wuftpd_log)s +maxretry = 6 + + +[vsftpd] +# or overwrite it in jails.local to be +# logpath = %(syslog_authpriv)s +# if you want to rely on PAM failed login attempts +# vsftpd's failregex should match both of those formats +port = ftp,ftp-data,ftps,ftps-data +logpath = %(vsftpd_log)s + + +# +# Mail servers +# + +# ASSP SMTP Proxy Jail +[assp] + +port = smtp,465,submission +logpath = /root/path/to/assp/logs/maillog.txt + + +[courier-smtp] + +port = smtp,465,submission +logpath = %(syslog_mail)s + + +[postfix] + +port = smtp,465,submission +logpath = %(postfix_log)s + + +[postfix-rbl] + +port = smtp,465,submission +logpath = %(syslog_mail)s +maxretry = 1 + + +[sendmail-auth] + +port = submission,465,smtp +logpath = %(syslog_mail)s + + +[sendmail-reject] + +port = smtp,465,submission +logpath = %(syslog_mail)s + + +[qmail-rbl] + +filter = qmail +port = smtp,465,submission +logpath = /service/qmail/log/main/current + + +# dovecot defaults to logging to the mail syslog facility +# but can be set by syslog_facility in the dovecot configuration. +[dovecot] + +port = pop3,pop3s,imap,imaps,submission,465,sieve +logpath = %(dovecot_log)s + + +[sieve] + +port = smtp,465,submission +logpath = %(dovecot_log)s + + +[solid-pop3d] + +port = pop3,pop3s +logpath = %(solidpop3d_log)s + + +[exim] + +port = smtp,465,submission +logpath = %(exim_main_log)s + + +[exim-spam] + +port = smtp,465,submission +logpath = %(exim_main_log)s + + +[kerio] + +port = imap,smtp,imaps,465 +logpath = /opt/kerio/mailserver/store/logs/security.log + + +# +# Mail servers authenticators: might be used for smtp,ftp,imap servers, so +# all relevant ports get banned +# + +[courier-auth] + +port = smtp,465,submission,imap3,imaps,pop3,pop3s +logpath = %(syslog_mail)s + + +[postfix-sasl] + +port = smtp,465,submission,imap3,imaps,pop3,pop3s +# You might consider monitoring /var/log/mail.warn instead if you are +# running postfix since it would provide the same log lines at the +# "warn" level but overall at the smaller filesize. +logpath = %(postfix_log)s + + +[perdition] + +port = imap3,imaps,pop3,pop3s +logpath = %(syslog_mail)s + + +[squirrelmail] + +port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks +logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log + + +[cyrus-imap] + +port = imap3,imaps +logpath = %(syslog_mail)s + + +[uwimap-auth] + +port = imap3,imaps +logpath = %(syslog_mail)s + + +# +# +# DNS servers +# + + +# !!! WARNING !!! +# Since UDP is connection-less protocol, spoofing of IP and imitation +# of illegal actions is way too simple. Thus enabling of this filter +# might provide an easy way for implementing a DoS against a chosen +# victim. See +# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html +# Please DO NOT USE this jail unless you know what you are doing. +# +# IMPORTANT: see filter.d/named-refused for instructions to enable logging +# This jail blocks UDP traffic for DNS requests. +# [named-refused-udp] +# +# filter = named-refused +# port = domain,953 +# protocol = udp +# logpath = /var/log/named/security.log + +# IMPORTANT: see filter.d/named-refused for instructions to enable logging +# This jail blocks TCP traffic for DNS requests. + +[named-refused] + +port = domain,953 +logpath = /var/log/named/security.log + + +[nsd] + +port = 53 +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] +logpath = /var/log/nsd.log + + +# +# Miscellaneous +# + +[asterisk] + +port = 5060,5061 +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] + %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] +logpath = /var/log/asterisk/messages +maxretry = 10 + + +[freeswitch] + +port = 5060,5061 +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] + %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] +logpath = /var/log/freeswitch.log +maxretry = 10 + + +# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or +# equivalent section: +# log-warning = 2 +# +# for syslog (daemon facility) +# [mysqld_safe] +# syslog +# +# for own logfile +# [mysqld] +# log-error=/var/log/mysqld.log +[mysqld-auth] + +port = 3306 +logpath = %(mysql_log)s +maxretry = 5 + + +# Jail for more extended banning of persistent abusers +# !!! WARNINGS !!! +# 1. Make sure that your loglevel specified in fail2ban.conf/.local +# is not at DEBUG level -- which might then cause fail2ban to fall into +# an infinite loop constantly feeding itself with non-informative lines +# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days) +# to maintain entries for failed logins for sufficient amount of time +[recidive] + +logpath = /var/log/fail2ban.log +banaction = iptables-allports +bantime = 604800 ; 1 week +findtime = 86400 ; 1 day +maxretry = 5 + + +# Generic filter for PAM. Has to be used with action which bans all +# ports such as iptables-allports, shorewall + +[pam-generic] +# pam-generic filter can be customized to monitor specific subset of 'tty's +banaction = iptables-allports +logpath = %(syslog_authpriv)s + + +[xinetd-fail] + +banaction = iptables-multiport-log +logpath = %(syslog_daemon)s +maxretry = 2 + + +# stunnel - need to set port for this +[stunnel] + +logpath = /var/log/stunnel4/stunnel.log + + +[ejabberd-auth] + +port = 5222 +logpath = /var/log/ejabberd/ejabberd.log + + +[counter-strike] + +logpath = /opt/cstrike/logs/L[0-9]*.log +# Firewall: http://www.cstrike-planet.com/faq/6 +tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039 +udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015 +action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] + +# consider low maxretry and a long bantime +# nobody except your own Nagios server should ever probe nrpe +[nagios] + +enabled = false +logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility +maxretry = 1 + + +[oracleims] +# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above +enabled = false +logpath = /opt/sun/comms/messaging64/log/mail.log_current +maxretry = 6 +banaction = iptables-allports + +[directadmin] +enabled = false +logpath = /var/log/directadmin/login.log +port = 2222 + +[portsentry] +enabled = false +logpath = /var/lib/portsentry/portsentry.history +maxretry = 1 + +[pass2allow-ftp] +# this pass2allow example allows FTP traffic after successful HTTP authentication +port = ftp,ftp-data,ftps,ftps-data +# knocking_url variable must be overridden to some secret value in filter.d/apache-pass.local +filter = apache-pass +# access log of the website with HTTP auth +logpath = %(apache_access_log)s +blocktype = RETURN +returntype = DROP +bantime = 3600 +maxretry = 1 +findtime = 1 diff --git a/config-archive/etc/fail2ban/paths-debian.conf b/config-archive/etc/fail2ban/paths-debian.conf new file mode 100644 index 0000000..bf7d764 --- /dev/null +++ b/config-archive/etc/fail2ban/paths-debian.conf @@ -0,0 +1,40 @@ +# Debian + +[INCLUDES] + +before = paths-common.conf + +after = paths-overrides.local + + +[DEFAULT] + +syslog_mail = /var/log/syslog.d/mail.log + +syslog_mail_warn = /var/log/mail/mail.warn.log + +syslog_authpriv = /var/log/syslog.d/authpriv.log + +syslog_auth = /var/log/syslog.d/auth.log + +syslog_user = /var/log/syslog.d/user.log + +syslog_ftp = /var/log/syslog + +syslog_daemon = /var/log/syslog.d/daemon.log + +syslog_local0 = /var/log/syslog.d/local0.log + + +apache_error_log = /var/log/apache2/*error.log + +apache_access_log = /var/log/apache2/*access.log + +exim_main_log = /var/log/exim4/mainlog + +# was in debian squeezy but not in wheezy +# /etc/proftpd/proftpd.conf (SystemLog) +proftpd_log = /var/log/proftpd/proftpd.log + + +# vim: filetype=dosini diff --git a/config-archive/etc/fail2ban/paths-debian.conf.dist.new b/config-archive/etc/fail2ban/paths-debian.conf.dist.new new file mode 100644 index 0000000..4c27dac --- /dev/null +++ b/config-archive/etc/fail2ban/paths-debian.conf.dist.new @@ -0,0 +1,37 @@ +# Debian + +[INCLUDES] + +before = paths-common.conf + +after = paths-overrides.local + + +[DEFAULT] + +syslog_mail = /var/log/mail.log + +syslog_mail_warn = /var/log/mail.warn + +syslog_authpriv = /var/log/auth.log + +# syslog_auth = /var/log/auth.log +# +syslog_user = /var/log/user.log + +syslog_ftp = /var/log/syslog + +syslog_daemon = /var/log/daemon.log + +syslog_local0 = /var/log/messages + + +apache_error_log = /var/log/apache2/*error.log + +apache_access_log = /var/log/apache2/*access.log + +exim_main_log = /var/log/exim4/mainlog + +# was in debian squeezy but not in wheezy +# /etc/proftpd/proftpd.conf (SystemLog) +proftpd_log = /var/log/proftpd/proftpd.log diff --git a/config-archive/etc/logrotate.d/fail2ban.dist.new b/config-archive/etc/logrotate.d/fail2ban.dist.new index a09870a..fe4f797 100644 --- a/config-archive/etc/logrotate.d/fail2ban.dist.new +++ b/config-archive/etc/logrotate.d/fail2ban.dist.new @@ -9,9 +9,7 @@ # http://pkgs.fedoraproject.org/cgit/fail2ban.git/tree/fail2ban-logrotate /var/log/fail2ban.log { - rotate 7 missingok - compress postrotate /usr/bin/fail2ban-client flushlogs 1>/dev/null || true endscript diff --git a/etckeeper/._cfg0000_etckeeper.conf b/etckeeper/._cfg0000_etckeeper.conf deleted file mode 100644 index 0a9c88b..0000000 --- a/etckeeper/._cfg0000_etckeeper.conf +++ /dev/null @@ -1,53 +0,0 @@ -# The VCS to use. -#VCS="hg" -VCS="git" -#VCS="bzr" -#VCS="darcs" - -# Options passed to git commit when run by etckeeper. -GIT_COMMIT_OPTIONS="" - -# Options passed to hg commit when run by etckeeper. -HG_COMMIT_OPTIONS="" - -# Options passed to bzr commit when run by etckeeper. -BZR_COMMIT_OPTIONS="" - -# Options passed to darcs record when run by etckeeper. -DARCS_COMMIT_OPTIONS="-a" - -# Uncomment to avoid etckeeper committing existing changes -# to /etc automatically once per day. -#AVOID_DAILY_AUTOCOMMITS=1 - -# Uncomment the following to avoid special file warning -# (the option is enabled automatically by cronjob regardless). -#AVOID_SPECIAL_FILE_WARNING=1 - -# Uncomment to avoid etckeeper committing existing changes to -# /etc before installation. It will cancel the installation, -# so you can commit the changes by hand. -#AVOID_COMMIT_BEFORE_INSTALL=1 - -# The high-level package manager that's being used. -# (apt, pacman-g2, yum, dnf, zypper etc) -#HIGHLEVEL_PACKAGE_MANAGER=apt - -# Gentoo specific: -# For portage this is emerge -# For paludis this is cave -HIGHLEVEL_PACKAGE_MANAGER=emerge - -# The low-level package manager that's being used. -# (dpkg, rpm, pacman, pacman-g2, etc) -#LOWLEVEL_PACKAGE_MANAGER=dpkg - -# Gentoo specific: -# For portage this is qlist -# For paludis this is cave -LOWLEVEL_PACKAGE_MANAGER=qlist - -# To push each commit to a remote, put the name of the remote here. -# (eg, "origin" for git). Space-separated lists of multiple remotes -# also work (eg, "origin gitlab github" for git). -PUSH_REMOTE="" diff --git a/etckeeper/etckeeper.conf b/etckeeper/etckeeper.conf index a5983d9..8134bfb 100644 --- a/etckeeper/etckeeper.conf +++ b/etckeeper/etckeeper.conf @@ -30,15 +30,24 @@ DARCS_COMMIT_OPTIONS="-a" #AVOID_COMMIT_BEFORE_INSTALL=1 # The high-level package manager that's being used. -# (apt, pacman-g2, yum, zypper etc) -# For gentoo this is emerge +# (apt, pacman-g2, yum, dnf, zypper etc) +#HIGHLEVEL_PACKAGE_MANAGER=apt + +# Gentoo specific: +# For portage this is emerge +# For paludis this is cave HIGHLEVEL_PACKAGE_MANAGER=emerge # The low-level package manager that's being used. # (dpkg, rpm, pacman, pacman-g2, etc) -# For gentoo this is qlist +#LOWLEVEL_PACKAGE_MANAGER=dpkg + +# Gentoo specific: +# For portage this is qlist +# For paludis this is cave LOWLEVEL_PACKAGE_MANAGER=qlist # To push each commit to a remote, put the name of the remote here. -# (eg, "origin" for git). +# (eg, "origin" for git). Space-separated lists of multiple remotes +# also work (eg, "origin gitlab github" for git). PUSH_REMOTE="origin" diff --git a/fail2ban/._cfg0000_jail.conf b/fail2ban/._cfg0000_jail.conf deleted file mode 100644 index f545ff1..0000000 --- a/fail2ban/._cfg0000_jail.conf +++ /dev/null @@ -1,782 +0,0 @@ -# -# WARNING: heavily refactored in 0.9.0 release. Please review and -# customize settings for your setup. -# -# Changes: in most of the cases you should not modify this -# file, but provide customizations in jail.local file, -# or separate .conf files under jail.d/ directory, e.g.: -# -# HOW TO ACTIVATE JAILS: -# -# YOU SHOULD NOT MODIFY THIS FILE. -# -# It will probably be overwritten or improved in a distribution update. -# -# Provide customizations in a jail.local file or a jail.d/customisation.local. -# For example to change the default bantime for all jails and to enable the -# ssh-iptables jail the following (uncommented) would appear in the .local file. -# See man 5 jail.conf for details. -# -# [DEFAULT] -# bantime = 3600 -# -# [sshd] -# enabled = true -# -# See jail.conf(5) man page for more information - - - -# Comments: use '#' for comment lines and ';' (following a space) for inline comments - - -[INCLUDES] - -#before = paths-distro.conf -before = paths-debian.conf - -# The DEFAULT allows a global definition of the options. They can be overridden -# in each jail afterwards. - -[DEFAULT] - -# -# MISCELLANEOUS OPTIONS -# - -# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not -# ban a host which matches an address in this list. Several addresses can be -# defined using space separator. -ignoreip = 127.0.0.1/8 - -# External command that will take an tagged arguments to ignore, e.g. , -# and return true if the IP is to be ignored. False otherwise. -# -# ignorecommand = /path/to/command -ignorecommand = - -# "bantime" is the number of seconds that a host is banned. -bantime = 600 - -# A host is banned if it has generated "maxretry" during the last "findtime" -# seconds. -findtime = 600 - -# "maxretry" is the number of failures before a host get banned. -maxretry = 5 - -# "backend" specifies the backend used to get files modification. -# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto". -# This option can be overridden in each jail as well. -# -# pyinotify: requires pyinotify (a file alteration monitor) to be installed. -# If pyinotify is not installed, Fail2ban will use auto. -# gamin: requires Gamin (a file alteration monitor) to be installed. -# If Gamin is not installed, Fail2ban will use auto. -# polling: uses a polling algorithm which does not require external libraries. -# systemd: uses systemd python library to access the systemd journal. -# Specifying "logpath" is not valid for this backend. -# See "journalmatch" in the jails associated filter config -# auto: will try to use the following backends, in order: -# pyinotify, gamin, polling. -# -# Note: if systemd backend is choses as the default but you enable a jail -# for which logs are present only in its own log files, specify some other -# backend for that jail (e.g. polling) and provide empty value for -# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200 -backend = auto - -# "usedns" specifies if jails should trust hostnames in logs, -# warn when DNS lookups are performed, or ignore all hostnames in logs -# -# yes: if a hostname is encountered, a DNS lookup will be performed. -# warn: if a hostname is encountered, a DNS lookup will be performed, -# but it will be logged as a warning. -# no: if a hostname is encountered, will not be used for banning, -# but it will be logged as info. -usedns = warn - -# "logencoding" specifies the encoding of the log files handled by the jail -# This is used to decode the lines from the log file. -# Typical examples: "ascii", "utf-8" -# -# auto: will use the system locale setting -logencoding = auto - -# "enabled" enables the jails. -# By default all jails are disabled, and it should stay this way. -# Enable only relevant to your setup jails in your .local or jail.d/*.conf -# -# true: jail will be enabled and log files will get monitored for changes -# false: jail is not enabled -enabled = false - - -# "filter" defines the filter to use by the jail. -# By default jails have names matching their filter name -# -filter = %(__name__)s - - -# -# ACTIONS -# - -# Some options used for actions - -# Destination email address used solely for the interpolations in -# jail.{conf,local,d/*} configuration files. -destemail = root@localhost - -# Sender email address used solely for some actions -sender = root@localhost - -# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the -# mailing. Change mta configuration parameter to mail if you want to -# revert to conventional 'mail'. -mta = sendmail - -# Default protocol -protocol = tcp - -# Specify chain where jumps would need to be added in iptables-* actions -chain = INPUT - -# Ports to be banned -# Usually should be overridden in a particular jail -port = 0:65535 - -# -# Action shortcuts. To be used to define action parameter - -# Default banning action (e.g. iptables, iptables-new, -# iptables-multiport, shorewall, etc) It is used to define -# action_* variables. Can be overridden globally or per -# section within jail.local file -banaction = iptables-multiport - -# The simplest action to take: ban only -action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - -# ban & send an e-mail with whois report to the destemail. -action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] - -# ban & send an e-mail with whois report and relevant log lines -# to the destemail. -action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] - -# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action -# -# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines -# to the destemail. -action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"] - -# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines -# to the destemail. -action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] - %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] - -# Report block via blocklist.de fail2ban reporting service API -# -# See the IMPORTANT note in action.d/blocklist_de.conf for when to -# use this action. Create a file jail.d/blocklist_de.local containing -# [Init] -# blocklist_de_apikey = {api key from registration] -# -action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"] - -# Report ban via badips.com, and use as blacklist -# -# See BadIPsAction docstring in config/action.d/badips.py for -# documentation for this action. -# -# NOTE: This action relies on banaction being present on start and therefore -# should be last action defined for a jail. -# -action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"] - -# Choose default action. To change, just override value of 'action' with the -# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local -# globally (section [DEFAULT]) or per specific section -action = %(action_)s - - -# -# JAILS -# - -# -# SSH servers -# - -[sshd] - -port = ssh -logpath = %(sshd_log)s - - -[sshd-ddos] -# This jail corresponds to the standard configuration in Fail2ban. -# The mail-whois action send a notification e-mail with a whois request -# in the body. -port = ssh -logpath = %(sshd_log)s - - -[dropbear] - -port = ssh -logpath = %(dropbear_log)s - - -[selinux-ssh] - -port = ssh -logpath = %(auditd_log)s -maxretry = 5 - - -# -# HTTP servers -# - -[apache-auth] - -port = http,https -logpath = %(apache_error_log)s - - -[apache-badbots] -# Ban hosts which agent identifies spammer robots crawling the web -# for email addresses. The mail outputs are buffered. -port = http,https -logpath = %(apache_access_log)s -bantime = 172800 -maxretry = 1 - - -[apache-noscript] - -port = http,https -logpath = %(apache_error_log)s -maxretry = 6 - - -[apache-overflows] - -port = http,https -logpath = %(apache_error_log)s -maxretry = 2 - - -[apache-nohome] - -port = http,https -logpath = %(apache_error_log)s -maxretry = 2 - - -[apache-botsearch] - -port = http,https -logpath = %(apache_error_log)s -maxretry = 2 - - -[apache-fakegooglebot] - -port = http,https -logpath = %(apache_access_log)s -maxretry = 1 -ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot - - -[apache-modsecurity] - -port = http,https -logpath = %(apache_error_log)s -maxretry = 2 - -[apache-shellshock] - -port = http,https -logpath = %(apache_error_log)s -maxretry = 1 - -[nginx-http-auth] - -port = http,https -logpath = %(nginx_error_log)s - -[nginx-botsearch] - -port = http,https -logpath = %(nginx_error_log)s -maxretry = 2 - -# Ban attackers that try to use PHP's URL-fopen() functionality -# through GET/POST variables. - Experimental, with more than a year -# of usage in production environments. - -[php-url-fopen] - -port = http,https -logpath = %(nginx_access_log)s - %(apache_access_log)s - - -[suhosin] - -port = http,https -logpath = %(suhosin_log)s - - -[lighttpd-auth] -# Same as above for Apache's mod_auth -# It catches wrong authentifications -port = http,https -logpath = %(lighttpd_error_log)s - - -# -# Webmail and groupware servers -# - -[roundcube-auth] - -port = http,https -logpath = logpath = %(roundcube_errors_log)s - - -[openwebmail] - -port = http,https -logpath = /var/log/openwebmail.log - - -[horde] - -port = http,https -logpath = /var/log/horde/horde.log - - -[groupoffice] - -port = http,https -logpath = /home/groupoffice/log/info.log - - -[sogo-auth] -# Monitor SOGo groupware server -# without proxy this would be: -# port = 20000 -port = http,https -logpath = /var/log/sogo/sogo.log - - -[tine20] - -logpath = /var/log/tine20/tine20.log -port = http,https -maxretry = 5 - - -# -# Web Applications -# -# - -[drupal-auth] - -port = http,https -logpath = %(syslog_daemon)s - -[guacamole] - -port = http,https -logpath = /var/log/tomcat*/catalina.out - -[monit] -#Ban clients brute-forcing the monit gui login -filter = monit -port = 2812 -logpath = /var/log/monit - - -[webmin-auth] - -port = 10000 -logpath = %(syslog_authpriv)s - - -[froxlor-auth] - -port = http,https -logpath = %(syslog_authpriv)s - - -# -# HTTP Proxy servers -# -# - -[squid] - -port = 80,443,3128,8080 -logpath = /var/log/squid/access.log - - -[3proxy] - -port = 3128 -logpath = /var/log/3proxy.log - - -# -# FTP servers -# - - -[proftpd] - -port = ftp,ftp-data,ftps,ftps-data -logpath = %(proftpd_log)s - - -[pure-ftpd] - -port = ftp,ftp-data,ftps,ftps-data -logpath = %(pureftpd_log)s -maxretry = 6 - - -[gssftpd] - -port = ftp,ftp-data,ftps,ftps-data -logpath = %(syslog_daemon)s -maxretry = 6 - - -[wuftpd] - -port = ftp,ftp-data,ftps,ftps-data -logpath = %(wuftpd_log)s -maxretry = 6 - - -[vsftpd] -# or overwrite it in jails.local to be -# logpath = %(syslog_authpriv)s -# if you want to rely on PAM failed login attempts -# vsftpd's failregex should match both of those formats -port = ftp,ftp-data,ftps,ftps-data -logpath = %(vsftpd_log)s - - -# -# Mail servers -# - -# ASSP SMTP Proxy Jail -[assp] - -port = smtp,465,submission -logpath = /root/path/to/assp/logs/maillog.txt - - -[courier-smtp] - -port = smtp,465,submission -logpath = %(syslog_mail)s - - -[postfix] - -port = smtp,465,submission -logpath = %(postfix_log)s - - -[postfix-rbl] - -port = smtp,465,submission -logpath = %(syslog_mail)s -maxretry = 1 - - -[sendmail-auth] - -port = submission,465,smtp -logpath = %(syslog_mail)s - - -[sendmail-reject] - -port = smtp,465,submission -logpath = %(syslog_mail)s - - -[qmail-rbl] - -filter = qmail -port = smtp,465,submission -logpath = /service/qmail/log/main/current - - -# dovecot defaults to logging to the mail syslog facility -# but can be set by syslog_facility in the dovecot configuration. -[dovecot] - -port = pop3,pop3s,imap,imaps,submission,465,sieve -logpath = %(dovecot_log)s - - -[sieve] - -port = smtp,465,submission -logpath = %(dovecot_log)s - - -[solid-pop3d] - -port = pop3,pop3s -logpath = %(solidpop3d_log)s - - -[exim] - -port = smtp,465,submission -logpath = %(exim_main_log)s - - -[exim-spam] - -port = smtp,465,submission -logpath = %(exim_main_log)s - - -[kerio] - -port = imap,smtp,imaps,465 -logpath = /opt/kerio/mailserver/store/logs/security.log - - -# -# Mail servers authenticators: might be used for smtp,ftp,imap servers, so -# all relevant ports get banned -# - -[courier-auth] - -port = smtp,465,submission,imap3,imaps,pop3,pop3s -logpath = %(syslog_mail)s - - -[postfix-sasl] - -port = smtp,465,submission,imap3,imaps,pop3,pop3s -# You might consider monitoring /var/log/mail.warn instead if you are -# running postfix since it would provide the same log lines at the -# "warn" level but overall at the smaller filesize. -logpath = %(postfix_log)s - - -[perdition] - -port = imap3,imaps,pop3,pop3s -logpath = %(syslog_mail)s - - -[squirrelmail] - -port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks -logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log - - -[cyrus-imap] - -port = imap3,imaps -logpath = %(syslog_mail)s - - -[uwimap-auth] - -port = imap3,imaps -logpath = %(syslog_mail)s - - -# -# -# DNS servers -# - - -# !!! WARNING !!! -# Since UDP is connection-less protocol, spoofing of IP and imitation -# of illegal actions is way too simple. Thus enabling of this filter -# might provide an easy way for implementing a DoS against a chosen -# victim. See -# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html -# Please DO NOT USE this jail unless you know what you are doing. -# -# IMPORTANT: see filter.d/named-refused for instructions to enable logging -# This jail blocks UDP traffic for DNS requests. -# [named-refused-udp] -# -# filter = named-refused -# port = domain,953 -# protocol = udp -# logpath = /var/log/named/security.log - -# IMPORTANT: see filter.d/named-refused for instructions to enable logging -# This jail blocks TCP traffic for DNS requests. - -[named-refused] - -port = domain,953 -logpath = /var/log/named/security.log - - -[nsd] - -port = 53 -action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] - %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] -logpath = /var/log/nsd.log - - -# -# Miscellaneous -# - -[asterisk] - -port = 5060,5061 -action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] - %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] - %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] -logpath = /var/log/asterisk/messages -maxretry = 10 - - -[freeswitch] - -port = 5060,5061 -action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] - %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] - %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] -logpath = /var/log/freeswitch.log -maxretry = 10 - - -# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or -# equivalent section: -# log-warning = 2 -# -# for syslog (daemon facility) -# [mysqld_safe] -# syslog -# -# for own logfile -# [mysqld] -# log-error=/var/log/mysqld.log -[mysqld-auth] - -port = 3306 -logpath = %(mysql_log)s -maxretry = 5 - - -# Jail for more extended banning of persistent abusers -# !!! WARNINGS !!! -# 1. Make sure that your loglevel specified in fail2ban.conf/.local -# is not at DEBUG level -- which might then cause fail2ban to fall into -# an infinite loop constantly feeding itself with non-informative lines -# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days) -# to maintain entries for failed logins for sufficient amount of time -[recidive] - -logpath = /var/log/fail2ban.log -banaction = iptables-allports -bantime = 604800 ; 1 week -findtime = 86400 ; 1 day -maxretry = 5 - - -# Generic filter for PAM. Has to be used with action which bans all -# ports such as iptables-allports, shorewall - -[pam-generic] -# pam-generic filter can be customized to monitor specific subset of 'tty's -banaction = iptables-allports -logpath = %(syslog_authpriv)s - - -[xinetd-fail] - -banaction = iptables-multiport-log -logpath = %(syslog_daemon)s -maxretry = 2 - - -# stunnel - need to set port for this -[stunnel] - -logpath = /var/log/stunnel4/stunnel.log - - -[ejabberd-auth] - -port = 5222 -logpath = /var/log/ejabberd/ejabberd.log - - -[counter-strike] - -logpath = /opt/cstrike/logs/L[0-9]*.log -# Firewall: http://www.cstrike-planet.com/faq/6 -tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039 -udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015 -action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] - %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] - -# consider low maxretry and a long bantime -# nobody except your own Nagios server should ever probe nrpe -[nagios] - -enabled = false -logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility -maxretry = 1 - - -[oracleims] -# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above -enabled = false -logpath = /opt/sun/comms/messaging64/log/mail.log_current -maxretry = 6 -banaction = iptables-allports - -[directadmin] -enabled = false -logpath = /var/log/directadmin/login.log -port = 2222 - -[portsentry] -enabled = false -logpath = /var/lib/portsentry/portsentry.history -maxretry = 1 - -[pass2allow-ftp] -# this pass2allow example allows FTP traffic after successful HTTP authentication -port = ftp,ftp-data,ftps,ftps-data -# knocking_url variable must be overridden to some secret value in filter.d/apache-pass.local -filter = apache-pass -# access log of the website with HTTP auth -logpath = %(apache_access_log)s -blocktype = RETURN -returntype = DROP -bantime = 3600 -maxretry = 1 -findtime = 1 diff --git a/fail2ban/._cfg0000_paths-debian.conf b/fail2ban/._cfg0000_paths-debian.conf deleted file mode 100644 index 4c27dac..0000000 --- a/fail2ban/._cfg0000_paths-debian.conf +++ /dev/null @@ -1,37 +0,0 @@ -# Debian - -[INCLUDES] - -before = paths-common.conf - -after = paths-overrides.local - - -[DEFAULT] - -syslog_mail = /var/log/mail.log - -syslog_mail_warn = /var/log/mail.warn - -syslog_authpriv = /var/log/auth.log - -# syslog_auth = /var/log/auth.log -# -syslog_user = /var/log/user.log - -syslog_ftp = /var/log/syslog - -syslog_daemon = /var/log/daemon.log - -syslog_local0 = /var/log/messages - - -apache_error_log = /var/log/apache2/*error.log - -apache_access_log = /var/log/apache2/*access.log - -exim_main_log = /var/log/exim4/mainlog - -# was in debian squeezy but not in wheezy -# /etc/proftpd/proftpd.conf (SystemLog) -proftpd_log = /var/log/proftpd/proftpd.log diff --git a/fail2ban/jail.conf b/fail2ban/jail.conf index 82be8d0..40bc7e2 100644 --- a/fail2ban/jail.conf +++ b/fail2ban/jail.conf @@ -176,6 +176,10 @@ action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(por action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"] +# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines +# to the destemail. +action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] + %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] # Report block via blocklist.de fail2ban reporting service API # @@ -213,7 +217,7 @@ action = %(action_)s [sshd] port = ssh -logpath = /var/log/syslog.d/authpriv.log +logpath = %(sshd_log)s [sshd-ddos] @@ -221,7 +225,7 @@ logpath = /var/log/syslog.d/authpriv.log # The mail-whois action send a notification e-mail with a whois request # in the body. port = ssh -logpath = /var/log/syslog.d/authpriv.log +logpath = %(sshd_log)s [dropbear] @@ -346,7 +350,7 @@ logpath = %(lighttpd_error_log)s [roundcube-auth] port = http,https -logpath = /var/log/roundcube/userlogins +logpath = logpath = %(roundcube_errors_log)s [openwebmail] @@ -410,6 +414,12 @@ port = 10000 logpath = %(syslog_authpriv)s +[froxlor-auth] + +port = http,https +logpath = %(syslog_authpriv)s + + # # HTTP Proxy servers # @@ -426,6 +436,7 @@ logpath = /var/log/squid/access.log port = 3128 logpath = /var/log/3proxy.log + # # FTP servers # @@ -759,4 +770,17 @@ enabled = false logpath = /var/lib/portsentry/portsentry.history maxretry = 1 +[pass2allow-ftp] +# this pass2allow example allows FTP traffic after successful HTTP authentication +port = ftp,ftp-data,ftps,ftps-data +# knocking_url variable must be overridden to some secret value in filter.d/apache-pass.local +filter = apache-pass +# access log of the website with HTTP auth +logpath = %(apache_access_log)s +blocktype = RETURN +returntype = DROP +bantime = 3600 +maxretry = 1 +findtime = 1 + # vim: filetype=dosini diff --git a/logrotate.d/._cfg0000_fail2ban b/logrotate.d/._cfg0000_fail2ban deleted file mode 100644 index fe4f797..0000000 --- a/logrotate.d/._cfg0000_fail2ban +++ /dev/null @@ -1,16 +0,0 @@ -# -# Gentoo: -# http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/fail2ban/files/fail2ban-logrotate?view=markup -# -# Debian: -# https://github.com/fail2ban/fail2ban/blob/debian/debian/fail2ban.logrotate -# -# Fedora view: -# http://pkgs.fedoraproject.org/cgit/fail2ban.git/tree/fail2ban-logrotate - -/var/log/fail2ban.log { - missingok - postrotate - /usr/bin/fail2ban-client flushlogs 1>/dev/null || true - endscript -}