From: Frank Brehm
Date: Mon, 12 Apr 2021 16:06:49 +0000 (+0200)
Subject: daily autocommit
X-Git-Url: https://git.uhu-banane.net/?a=commitdiff_plain;h=c1b048c18292806d31200dfd045a18f73486345a;p=config%2Fhelga-hetzner%2Fetc.git
daily autocommit
---
diff --git a/iptables/rules.v4 b/iptables/rules.v4
index 870a494..e9554ec 100644
--- a/iptables/rules.v4
+++ b/iptables/rules.v4
@@ -1,7 +1,58 @@
-# Generated by xtables-save v1.8.2 on Mon Apr 12 15:21:35 2021
+# Generated by xtables-save v1.8.2 on Mon Apr 12 16:21:35 2021
 *filter
-:INPUT ACCEPT [0:0]
+:INPUT DROP [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
+:icinga2 - [0:0]
+:rejects - [0:0]
+:mysql - [0:0]
+:portrejects - [0:0]
+-A INPUT -j rejects
+-A INPUT -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -m state --state RELATED -j ACCEPT
+-A INPUT -i lo -m comment --comment myself -j ACCEPT
+-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment echo-request -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -p udp -m udp --dport 68 -m comment --comment "bootp / dhcp" -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 22 -m comment --comment SSH -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -m comment --comment HTTP -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 443 -m comment --comment HTTPS -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 25 -m comment --comment SMTP -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 587 -m comment --comment Submission -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 110 -m comment --comment POP3 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 995 -m comment --comment POP3S -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 143 -m comment --comment IMAP -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 993 -m comment --comment IMAPS -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 4190 -m comment --comment Sieve -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 25565 -m comment --comment Minecraft -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 3306 -j mysql
+-A INPUT -p tcp -m tcp --dport 5665 -j icinga2
+-A INPUT -j portrejects
+-A INPUT -j NFLOG --nflog-prefix "IPv4 INPUT Reject " --nflog-threshold 1
+-A INPUT -j REJECT --reject-with icmp-port-unreachable
+-A icinga2 -s 185.48.118.128/32 -m comment --comment ns1 -j ACCEPT
+-A icinga2 -s 162.254.24.33/32 -m comment --comment ns2 -j ACCEPT
+-A icinga2 -s 185.102.95.107/32 -m comment --comment ns3 -j ACCEPT
+-A icinga2 -j NFLOG --nflog-prefix "IPv4 icinga2 Reject " --nflog-threshold 1
+-A icinga2 -j REJECT --reject-with icmp-port-unreachable
+-A rejects -j RETURN
+-A mysql -s 185.48.118.128/32 -m comment --comment ns1 -j ACCEPT
+-A mysql -s 162.254.24.33/32 -m comment --comment ns2 -j ACCEPT
+-A mysql -s 185.102.95.107/32 -m comment --comment ns3 -j ACCEPT
+-A mysql -s 185.48.118.130/32 -m comment --comment sarah -j ACCEPT
+-A mysql -j NFLOG --nflog-prefix "IPv4 mysql Reject " --nflog-threshold 1
+-A mysql -j REJECT --reject-with icmp-port-unreachable
+-A portrejects -p tcp -m tcp --dport 23 -m comment --comment Telnet -j REJECT --reject-with icmp-port-unreachable
+-A portrejects -p tcp -m tcp --dport 445 -m comment --comment "Microsoft DS" -j REJECT --reject-with icmp-port-unreachable
+-A portrejects -p udp -m udp --dport 137 -m comment --comment "Netbios NS" -j REJECT --reject-with icmp-port-unreachable
+-A portrejects -p tcp -m tcp --dport 137 -m comment --comment "Netbios NS" -j REJECT --reject-with icmp-port-unreachable
+-A portrejects -p tcp -m tcp --dport 1433 -m comment --comment "MS SQL" -j REJECT --reject-with icmp-port-unreachable
+-A portrejects -p udp -m udp --dport 5060 -m comment --comment SIP -j REJECT --reject-with icmp-port-unreachable
+-A portrejects -p tcp -m tcp --dport 5060 -m comment --comment SIP -j REJECT --reject-with icmp-port-unreachable
+-A portrejects -p tcp -m tcp --dport 8080 -m comment --comment "HTTP alternativ" -j REJECT --reject-with icmp-port-unreachable
+-A portrejects -p tcp -m tcp --dport 1900 -j REJECT --reject-with icmp-port-unreachable
+-A portrejects -p tcp -m tcp --dport 2323 -j REJECT --reject-with icmp-port-unreachable
+-A portrejects -p tcp -m tcp --dport 3389 -j REJECT --reject-with icmp-port-unreachable
+-A portrejects -j RETURN
 COMMIT
-# Completed on Mon Apr 12 15:21:35 2021
+# Completed on Mon Apr 12 16:21:35 2021
diff --git a/iptables/rules.v6 b/iptables/rules.v6
index fc613d4..aad94c2 100644
--- a/iptables/rules.v6
+++ b/iptables/rules.v6
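Review bot: In iptables/rules.v4, `-A INPUT -p icmp -j ACCEPT` accepts every ICMP type, which makes the `--icmp-type 8` echo-request rule directly above it redundant and widens the policy beyond what that rule's comment suggests. ICMP errors belonging to tracked connections are already admitted by the `--state RELATED` rule, so the catch-all line can be dropped if echo-request is the only unsolicited type wanted. The same hunk keeps `:FORWARD ACCEPT [0:0]` while INPUT moves to DROP; unless this host routes traffic, `:FORWARD DROP [0:0]` would make the default-deny consistent. In `portrejects`, the port-1900 rule matches `-p tcp`, but SSDP traffic on 1900 is UDP, so that noise probably still reaches the NFLOG rule; a `-p udp -m udp --dport 1900` line may be what was meant.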
@@ -1,9 +1,10 @@
-# Generated by xtables-save v1.8.2 on Mon Apr 12 15:21:35 2021
+# Generated by xtables-save v1.8.2 on Mon Apr 12 16:21:35 2021
 *filter
 :INPUT DROP [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :mysql - [0:0]
+:icinga2 - [0:0]
 -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A INPUT -m conntrack --ctstate RELATED -j ACCEPT
 -A INPUT -p ipv6-icmp -j ACCEPT
@@ -15,6 +16,7 @@
 -A INPUT -p tcp -m multiport --dports 110,995 -m comment --comment "POP3 + POP3S" -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 4190 -m comment --comment Sieve -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 3306 -j mysql
+-A INPUT -p tcp -m tcp --dport 5665 -m comment --comment Icinga -j icinga2
 -A INPUT -j NFLOG --nflog-prefix "IPv6 INPUT Reject " --nflog-threshold 1
 -A INPUT -j REJECT --reject-with icmp6-port-unreachable
 -A mysql -s ::1/128 -j ACCEPT
@@ -23,5 +25,8 @@
 -A mysql -s 2a06:2380:0:1::3a/128 -m comment --comment ns3 -j ACCEPT
 -A mysql -j NFLOG --nflog-prefix "IPv6 MySQL Reject " --nflog-threshold 1
 -A mysql -j REJECT --reject-with icmp6-port-unreachable
+-A icinga2 -s 2a06:2380:0:1::3a/128 -m comment --comment ns3 -j ACCEPT
+-A icinga2 -j NFLOG --nflog-prefix "IPv6 icinga2 Reject " --nflog-threshold 1
+-A icinga2 -j REJECT --reject-with icmp6-port-unreachable
 COMMIT
-# Completed on Mon Apr 12 15:21:35 2021
+# Completed on Mon Apr 12 16:21:35 2021
diff --git a/logrotate.d/ulogd2 b/logrotate.d/ulogd2
index 4d03ba9..adff026 100644
--- a/logrotate.d/ulogd2
+++ b/logrotate.d/ulogd2
@@ -2,8 +2,9 @@
 missingok
 compress
 delaycompress
- sharedscripts
 create 640 ulog adm
+ minsize 4M
+ sharedscripts
 postrotate
 if [ -d /run/systemd/system ] && command systemctl >/dev/null 2>&1 && systemctl is-active --quiet ulogd2.service; then
 systemctl kill --kill-who main --signal=SIGHUP ulogd2.service
@@ -12,3 +13,5 @@
 fi
 endscript
 }
+
+# vim: ts=4 filetype=conf noet
diff --git a/motd b/motd
index 9e22bd9..02e55fd 100644
--- a/motd
+++ b/motd
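Review bot: In iptables/rules.v6 the new `icinga2` chain accepts only ns3 (`2a06:2380:0:1::3a/128`), whereas the IPv4 chain of the same name in this commit accepts ns1, ns2 and ns3. If ns1 or ns2 reach port 5665 over IPv6 they will be logged and rejected, so either add their addresses, e.g. `-A icinga2 -s <ns1-ipv6-address>/128 -m comment --comment ns1 -j ACCEPT`, or confirm that only ns3 connects over IPv6. The jump rule here carries `--comment Icinga` while its rules.v4 counterpart has no comment; using the same comment in both files keeps the two rule sets easy to compare.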
@@ -6,9 +6,8 @@ Debian GNU/Linux 10 (buster) |_| |_|\___|_|\__, |\__,_| |___/ -Eine Kunstrichtung hat sich erst dann durchgesetzt, wenn sie auch von -den Schaufensterdekorateuren praktiziert wird. - -- Pablo Picasso +Eigentümlichkeit ruft Eigentümlichkeit hervor. + -- Goethe, Maximen und Reflektionen, Nr. 59 Today is Boomtime, the 29th day of Discord in the YOLD 3187 diff --git a/ulogd.conf b/ulogd.conf index 285cf9b..6a19f6a 100644 --- a/ulogd.conf +++ b/ulogd.conf 
@@ -25,30 +25,30 @@ loglevel=3
 # 1. load the plugins _first_ from the global section
 # 2. options for each plugin in seperate section below
-#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_NFLOG.so"
-#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_ULOG.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_NFLOG.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_ULOG.so"
 #plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_UNIXSOCK.so"
-#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFCT.so"
-#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IFINDEX.so"
-#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2STR.so"
-#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2BIN.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFCT.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IFINDEX.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2STR.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2BIN.so"
 #plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2HBIN.so"
-#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTPKT.so"
-#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_HWHDR.so"
-#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTFLOW.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTPKT.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_HWHDR.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTFLOW.so"
 #plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_MARK.so"
-#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_LOGEMU.so"
-#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_SYSLOG.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_LOGEMU.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_SYSLOG.so"
 #plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_XML.so"
 #plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_SQLITE3.so"
-#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_GPRINT.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_GPRINT.so"
 #plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_NACCT.so"
 #plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_PCAP.so"
 #plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_PGSQL.so"
 #plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_MYSQL.so"
 #plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_DBI.so"
-#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_raw2packet_BASE.so"
-#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFACCT.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_raw2packet_BASE.so"
+plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFACCT.so"
 #plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_GRAPHITE.so"
 #plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_JSON.so"
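Review bot: The plugin list in ulogd.conf now loads `ulogd_inppkt_ULOG.so`, `ulogd_inpflow_NFCT.so`, `ulogd_inpflow_NFACCT.so` and `ulogd_output_GPRINT.so`, although the firewall rules in this commit only log through the NFLOG target. Which plugins are actually needed depends on the `stack=` lines, which lie outside this hunk; loading only those used by the active stack keeps the daemon's loaded code small, e.g. leave `#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_ULOG.so"` commented. The NFLOG rules set no `--nflog-group`, so packets go to group 0, and the NFLOG input section used by the stack has to listen on that group for the reject log to be written.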