From 05b59607bed162345738071be39e2c0c2b35c7a6 Mon Sep 17 00:00:00 2001 
From: Frank Brehm Date: Thu, 16 Sep 2021 14:12:30 +0200 Subject: [PATCH] committing changes in /etc made by "apt dist-upgrade -y" Packages with configuration changes: -acpi-support-base 0.142-8 all -acpid 1:2.0.31-1 amd64 +acpi-support-base 0.143-5 all +acpid 1:2.0.32-1 amd64 -apache2 2.4.38-3+deb10u5 amd64 -apt 1.8.2.3 amd64 -apt-listchanges 3.19 all +apache2 2.4.48-3.1+deb11u1 amd64 +apt 2.2.4 amd64 +apt-listchanges 3.24 all -bash-completion 1:2.8-6 all +bash-completion 1:2.11-2 all -bind9 1:9.11.5.P4+dfsg-5.1+deb10u5 amd64 +bind9 1:9.16.15-1 amd64 -chrony 3.4-4+deb10u1 amd64 +chrony 4.0-8 amd64 -dbus 1.12.20-0+deb10u1 amd64 +dbus 1.12.20-2 amd64 -dictionaries-common 1.28.1 all +dictionaries-common 1.28.4 all -fail2ban 0.10.2-2.1 all +fail2ban 0.11.2-2 all -fontconfig-config 2.13.1-2 all -fonts-dejavu-core 2.37-1 all +fontconfig-config 2.13.1-4.2 all +fonts-dejavu-core 2.37-2 all -grub-common 2.02+dfsg1-20+deb10u4 amd64 -haveged 1.9.1-7 amd64 +grub-common 2.04-20 amd64 +haveged 1.9.14-1 amd64 -icinga2-bin 2.10.3-2+deb10u1 amd64 -icinga2-common 2.10.3-2+deb10u1 all +icinga2-bin 2.12.3-1 amd64 +icinga2-common 2.12.3-1 all -iproute2 4.20.0-2+deb10u1 amd64 -iptables-persistent 1.0.11+deb10u1 all +iproute2 5.10.0-4 amd64 +iptables-persistent 1.0.15 all +libapache2-mod-php7.4 7.4.21-1+deb11u1 amd64 -libldap-common 2.4.47+dfsg-3+deb10u6 all +libldap-common 2.4.57+dfsg-3 all +libnl-3-200 3.4.0-1+b1 amd64 -libpam-modules 1.3.1-5 amd64 +libpam-modules 1.4.0-9 amd64 -lvm2 2.03.02-3 amd64 +lvm2 2.03.11-2.1 amd64 -man-db 2.8.5-2 amd64 +man-db 2.9.4-2 amd64 -mariadb-common 1:10.3.29-0+deb10u1 all +mariadb-common 1:10.5.11-1 all -mlocate 0.26-3 amd64 +mlocate 0.26-5 amd64 -nano 3.2-3 amd64 +nano 5.4-2 amd64 -needrestart 3.4-5 all -netbase 5.6 all -netfilter-persistent 1.0.11+deb10u1 all +needrestart 3.5-4 all +netbase 6.3 all +netfilter-persistent 1.0.15 all -passwd 1:4.5-1.1 amd64 +passwd 1:4.8.1-1 amd64 -procps 2:3.3.15-2 amd64 +procps 2:3.3.17-5 amd64 -rsyslog 8.1901.0-1 
amd64 +rsyslog 8.2102.0-2 amd64 -s-nail 14.9.11-2 amd64 +s-nail 14.9.22-1 amd64 -slapd 2.4.47+dfsg-3+deb10u6 amd64 +slapd 2.4.57+dfsg-3 amd64 -subversion 1.10.4-1+deb10u2 amd64 -sudo 1.8.27-1+deb10u3 amd64 +subversion 1.14.1-3 amd64 +sudo 1.9.5p2-3 amd64 -tcpdump 4.9.3-1~deb10u2 amd64 +tcpdump 4.99.0-2 amd64 -vim-common 2:8.1.0875-5 all -vim-tiny 2:8.1.0875-5 amd64 +vim-common 2:8.2.2434-3 all +vim-tiny 2:8.2.2434-3 amd64 -zsh-common 5.7.1-1 all +zsh-common 5.8-6 all Package changes: -ack 2.24-1 all +ack 3.4.0-1 all -acl 2.2.53-4 amd64 +acl 2.2.53-10 amd64 -acpi-support-base 0.142-8 all -acpid 1:2.0.31-1 amd64 +acpi-support-base 0.143-5 all +acpid 1:2.0.32-1 amd64 -apache2 2.4.38-3+deb10u5 amd64 -apache2-bin 2.4.38-3+deb10u5 amd64 -apache2-data 2.4.38-3+deb10u5 all -apache2-utils 2.4.38-3+deb10u5 amd64 -apt 1.8.2.3 amd64 -apt-listchanges 3.19 all -apt-transport-https 1.8.2.3 all -apt-utils 1.8.2.3 amd64 -apticron 1.2.1 all -aptitude 0.8.11-7 amd64 -aptitude-common 0.8.11-7 all -aptitude-doc-en 0.8.11-7 all -at 3.1.23-1 amd64 -augeas-lenses 1.11.0-3 all +apache2 2.4.48-3.1+deb11u1 amd64 +apache2-bin 2.4.48-3.1+deb11u1 amd64 +apache2-data 2.4.48-3.1+deb11u1 all +apache2-utils 2.4.48-3.1+deb11u1 amd64 +apt 2.2.4 amd64 +apt-listchanges 3.24 all +apt-transport-https 2.2.4 all +apt-utils 2.2.4 amd64 +apticron 1.2.5 all +aptitude 0.8.13-3 amd64 +aptitude-common 0.8.13-3 all +aptitude-doc-en 0.8.13-3 all +at 3.1.23-1.1 amd64 +augeas-lenses 1.12.0-2 all -base-passwd 3.5.46 amd64 +base-passwd 3.5.51 amd64 -bash-completion 1:2.8-6 all +bash-completion 1:2.11-2 all -bc 1.07.1-2+b1 amd64 -bind9 1:9.11.5.P4+dfsg-5.1+deb10u5 amd64 -bind9-host 1:9.11.5.P4+dfsg-5.1+deb10u5 amd64 -bind9utils 1:9.11.5.P4+dfsg-5.1+deb10u5 amd64 +bc 1.07.1-2+b2 amd64 +bind9 1:9.16.15-1 amd64 +bind9-dnsutils 1:9.16.15-1 amd64 +bind9-host 1:9.16.15-1 amd64 +bind9-libs 1:9.16.15-1 amd64 +bind9-utils 1:9.16.15-1 amd64 +bind9utils 1:9.16.15-1 all -bsdutils 1:2.33.1-0.1 amd64 -bubblewrap 0.3.1-4 amd64 
-build-essential 12.6 amd64 +bsdutils 1:2.36.1-8 amd64 +bubblewrap 0.4.1-3 amd64 +build-essential 12.9 amd64 -bzip2 1.0.6-9.2~deb10u1 amd64 -ca-certificates 20200601~deb10u2 all -certbot 0.31.0-1+deb10u1 all -chrony 3.4-4+deb10u1 amd64 -coinor-cbc 2.9.9+repack1-1 amd64 -coinor-libcbc3 2.9.9+repack1-1 amd64 -coinor-libcgl1 0.59.10+repack1-1 amd64 -coinor-libclp1 1.16.11+repack1-1 amd64 -coinor-libcoinutils3v5 2.10.14+repack1-1 amd64 -coinor-libosi1v5 0.107.9+repack1-1 amd64 -colordiff 1.0.18-1 all -console-data 2:1.12-6 all +bzip2 1.0.8-4 amd64 +ca-certificates 20210119 all +certbot 1.12.0-2 all +chrony 4.0-8 amd64 +coinor-cbc 2.10.5+ds1-3 amd64 +coinor-libcbc3 2.10.5+ds1-3 amd64 +coinor-libcgl1 0.60.3+repack1-2 amd64 +coinor-libclp1 1.17.5+repack1-1 amd64 +coinor-libcoinutils3v5 2.11.4+repack1-1 amd64 +coinor-libosi1v5 0.108.6+repack1-2 amd64 +colordiff 1.0.18-1.1 all +console-data 2:1.12-8 all -coreutils 8.30-3 amd64 -cpio 2.12+dfsg-9 amd64 +coreutils 8.32-4+b1 amd64 +cpio 2.13+dfsg-4 amd64 -cron 3.0pl1-134+deb10u1 amd64 -curl 7.64.0-4+deb10u2 amd64 -dash 0.5.10.2-5 amd64 -dbus 1.12.20-0+deb10u1 amd64 -dc 1.07.1-2+b1 amd64 -dctrl-tools 2.24-3 amd64 +cron 3.0pl1-137 amd64 +curl 7.74.0-1.3+b1 amd64 +dash 0.5.11+git20200708+dd9ef66-5 amd64 +dbus 1.12.20-2 amd64 +dc 1.07.1-2+b2 amd64 +dctrl-tools 2.24-3+b1 amd64 -debconf 1.5.71 all -debconf-i18n 1.5.71 all -debconf-utils 1.5.71 all -debian-archive-keyring 2019.1+deb10u1 all -debian-keyring 2019.02.25 all +debconf 1.5.77 all +debconf-i18n 1.5.77 all +debconf-utils 1.5.77 all +debian-archive-keyring 2021.1.1 all +debian-keyring 2021.07.26 all -dhcpcd5 7.1.0-2 amd64 -dialog 1.3-20190211-1 amd64 -dictionaries-common 1.28.1 all -diffutils 1:3.7-3 amd64 +dhcpcd5 7.1.0-2+b1 amd64 +dialog 1.3-20201126-1 amd64 +dictionaries-common 1.28.4 all +diffutils 1:3.7-5 amd64 -discover-data 2.2013.01.11 all -distro-info-data 0.41+deb10u3 all -dmeventd 2:1.02.155-3 amd64 -dmidecode 3.2-1 amd64 -dmsetup 2:1.02.155-3 amd64 -dns-root-data 
2019031302 all -dnsutils 1:9.11.5.P4+dfsg-5.1+deb10u5 amd64 +discover-data 2.2013.01.11+nmu1 all +distro-info-data 0.51 all +dmeventd 2:1.02.175-2.1 amd64 +dmidecode 3.3-2 amd64 +dmsetup 2:1.02.175-2.1 amd64 +dns-root-data 2021011101 all +dnsutils 1:9.16.15-1 all -dpkg-dev 1.19.7 all +dpkg-dev 1.20.9 all -eject 2.1.5+deb1+cvs20081104-13.2 amd64 -elinks 0.13~20190125-3 amd64 -elinks-data 0.13~20190125-3 all +eject 2.36.1-8 amd64 +elinks 0.13.2-1+b1 amd64 +elinks-data 0.13.2-1 all -fail2ban 0.10.2-2.1 all -fakeroot 1.23-1 amd64 +fail2ban 0.11.2-2 all +fakeroot 1.25.3-1.1 amd64 -figlet 2.2.5-3 amd64 -file 1:5.35-4+deb10u2 amd64 -findutils 4.6.0+git+20190209-2 amd64 -fontconfig-config 2.13.1-2 all -fonts-dejavu-core 2.37-1 all -fortune-mod 1:1.99.1-7+b1 amd64 -fortunes 1:1.99.1-7 all -fortunes-bofh-excuses 1.2-2 all +figlet 2.2.5-3+b1 amd64 +file 1:5.39-3 amd64 +findutils 4.8.0-1 amd64 +fontconfig-config 2.13.1-4.2 all +fonts-dejavu-core 2.37-2 all +fortune-mod 1:1.99.1-7.1 amd64 +fortunes 1:1.99.1-7.1 all +fortunes-bofh-excuses 1.2-3 all -fortunes-min 1:1.99.1-7 all -ftp 0.17-34.1 amd64 -fuse 2.9.9-1+deb10u1 amd64 +fortunes-min 1:1.99.1-7.1 all +ftp 0.17-34.1.1 amd64 +fuse 2.9.9-5 amd64 -geoip-bin 1.6.12-1 amd64 -geoip-database 20181108-1 all -gettext-base 0.19.8.1-9 amd64 +geoip-bin 1.6.12-7 amd64 +geoip-database 20191224-3 all +gettext-base 0.21-4 amd64 -gnutls-bin 3.6.7-4+deb10u7 amd64 +gnutls-bin 3.7.1-5 amd64 -grep 3.3-1 amd64 -groff-base 1.22.4-3+deb10u1 amd64 -grub-common 2.02+dfsg1-20+deb10u4 amd64 -grub-pc 2.02+dfsg1-20+deb10u4 amd64 -grub-pc-bin 2.02+dfsg1-20+deb10u4 amd64 -grub2-common 2.02+dfsg1-20+deb10u4 amd64 -guile-2.2-libs 2.2.4+1-2+deb10u1 amd64 -gzip 1.9-3 amd64 -haveged 1.9.1-7 amd64 +grep 3.6-1 amd64 +groff-base 1.22.4-6 amd64 +grub-common 2.04-20 amd64 +grub-pc 2.04-20 amd64 +grub-pc-bin 2.04-20 amd64 +grub2-common 2.04-20 amd64 +gsasl-common 1.10.0-4 all +guile-2.2-libs 2.2.7+1-6 amd64 +gzip 1.10-4 amd64 +haveged 1.9.14-1 amd64 -hostname 3.21 
amd64 -htop 2.2.0-1+b1 amd64 -iamerican 3.4.00-6 all -ibritish 3.4.00-6 all -icinga2 2.10.3-2+deb10u1 amd64 -icinga2-bin 2.10.3-2+deb10u1 amd64 -icinga2-common 2.10.3-2+deb10u1 all -ienglish-common 3.4.00-6 all +hostname 3.23 amd64 +htop 3.0.5-7 amd64 +iamerican 3.4.02-2 all +ibritish 3.4.02-2 all +icinga2 2.12.3-1 amd64 +icinga2-bin 2.12.3-1 amd64 +icinga2-common 2.12.3-1 all +ienglish-common 3.4.02-2 all -init 1.56+nmu1 amd64 +init 1.60 amd64 -install-info 6.5.0.dfsg.1-4+b1 amd64 -installation-report 2.71 all -iproute2 4.20.0-2+deb10u1 amd64 -iptables 1.8.2-4 amd64 -iptables-persistent 1.0.11+deb10u1 all -iputils-ping 3:20180629-2+deb10u2 amd64 -ipython3 5.8.0-1 all -isc-dhcp-common 4.4.1-2+deb10u1 amd64 -iso-codes 4.2-1 all -isoquery 3.2.3-1 amd64 -ispell 3.4.00-6+b1 amd64 -javascript-common 11 all -kbd 2.0.4-4 amd64 +install-info 6.7.0.dfsg.2-6 amd64 +installation-report 2.78 all +iproute2 5.10.0-4 amd64 +iptables 1.8.7-1 amd64 +iptables-persistent 1.0.15 all +iputils-ping 3:20210202-1 amd64 +ipython3 7.20.0-1 all +isc-dhcp-common 4.4.1-2.3 amd64 +iso-codes 4.6.0-1 all +isoquery 3.2.4-1 amd64 +ispell 3.4.02-2 amd64 +javascript-common 11+nmu1 all +kbd 2.3.0-3 amd64 -kmod 26-1 amd64 -krb5-locales 1.17-3+deb10u2 all +kmod 28-1 amd64 +krb5-locales 1.18.3-6 all -ldap-utils 2.4.47+dfsg-3+deb10u6 amd64 -less 487-0.1+b1 amd64 +ldap-utils 2.4.57+dfsg-3 amd64 +less 551-2 amd64 -lftp 4.8.4-2 amd64 +lftp 4.8.4-2+b1 amd64 -libacl1 2.2.53-4 amd64 -libaio1 0.3.112-3 amd64 -libalgorithm-diff-perl 1.19.03-2 all -libalgorithm-diff-xs-perl 0.04-5+b1 amd64 +libacl1 2.2.53-10 amd64 +libaio1 0.3.112-9 amd64 +libalgorithm-diff-perl 1.201-1 all +libalgorithm-diff-xs-perl 0.04-6+b1 amd64 -libapache2-mod-php 2:7.3+69 all +libamd2 1:5.8.1+dfsg-2 amd64 +libapache2-mod-php 2:7.4+76 all -libapparmor1 2.13.2-10 amd64 -libapr1 1.6.5-1+b1 amd64 -libaprutil1 1.6.1-4 amd64 -libaprutil1-dbd-sqlite3 1.6.1-4 amd64 -libaprutil1-ldap 1.6.1-4 amd64 +libapache2-mod-php7.4 7.4.21-1+deb11u1 amd64 
+libapparmor1 2.13.6-10 amd64 +libapr1 1.7.0-6 amd64 +libaprutil1 1.6.1-5 amd64 +libaprutil1-dbd-sqlite3 1.6.1-5 amd64 +libaprutil1-ldap 1.6.1-5 amd64 -libasan5 8.3.0-6 amd64 +libasan5 9.3.0-22 amd64 -libassuan0 2.5.2-1 amd64 +libassuan0 2.5.3-7.1 amd64 -libattr1 1:2.4.48-4 amd64 -libaudit-common 1:2.8.4-3 all -libaudit1 1:2.8.4-3 amd64 -libaugeas0 1.11.0-3 amd64 -libauthen-ntlm-perl 1.09-1 all -libauthen-sasl-perl 2.1600-1 all -libbind9-161 1:9.11.5.P4+dfsg-5.1+deb10u5 amd64 +libattr1 1:2.4.48-6 amd64 +libaudit-common 1:3.0-2 all +libaudit1 1:3.0-2 amd64 +libaugeas0 1.12.0-2 amd64 +libauthen-ntlm-perl 1.09-1.1 all +libauthen-sasl-perl 2.1600-1.1 all +libbind9-161 1:9.11.19+dfsg-2.1 amd64 -libblas3 3.8.0-2 amd64 +libblas3 3.9.0-3 amd64 +libboost-context1.74.0 1.74.0-9 amd64 +libboost-coroutine1.74.0 1.74.0-9 amd64 +libboost-filesystem1.74.0 1.74.0-9 amd64 +libboost-iostreams1.74.0 1.74.0-9 amd64 +libboost-program-options1.74.0 1.74.0-9 amd64 +libboost-regex1.74.0 1.74.0-9 amd64 -libbrotli1 1.0.7-2+deb10u1 amd64 -libbsd0 0.9.1-2+deb10u1 amd64 -libbz2-1.0 1.0.6-9.2~deb10u1 amd64 +libboost-thread1.74.0 1.74.0-9 amd64 +libbpf0 1:0.3-2 amd64 +libbrotli1 1.0.9-2+b2 amd64 +libbsd0 0.11.3-1 amd64 +libbz2-1.0 1.0.8-4 amd64 -libcap-ng0 0.7.9-2 amd64 -libcap2 1:2.25-2 amd64 -libcap2-bin 1:2.25-2 amd64 +libcap-ng0 0.7.9-2.2+b1 amd64 +libcap2 1:2.44-1 amd64 +libcap2-bin 1:2.44-1 amd64 -libcolamd2 1:5.4.0+dfsg-1 amd64 -libcom-err2 1.44.5-1+deb10u3 amd64 +libcolamd2 1:5.8.1+dfsg-2 amd64 +libcom-err2 1.46.2-2 amd64 -libconfig-inifiles-perl 3.000001-1 all +libconfig-inifiles-perl 3.000003-1 all -libcurl3-gnutls 7.64.0-4+deb10u2 amd64 -libcurl4 7.64.0-4+deb10u2 amd64 -libcurl4-gnutls-dev 7.64.0-4+deb10u2 amd64 +libcurl3-gnutls 7.74.0-1.3+b1 amd64 +libcurl4 7.74.0-1.3+b1 amd64 +libcurl4-gnutls-dev 7.74.0-1.3+b1 amd64 -libdb5.3 5.3.28+dfsg1-0.5 amd64 -libdbus-1-3 1.12.20-0+deb10u1 amd64 -libdebconfclient0 0.249 amd64 -libdevmapper-event1.02.1 2:1.02.155-3 amd64 -libdevmapper1.02.1 
2:1.02.155-3 amd64 -libdigest-hmac-perl 1.03+dfsg-2 all +libcwidget4 0.5.18-5 amd64 +libdb5.3 5.3.28+dfsg1-0.8 amd64 +libdbus-1-3 1.12.20-2 amd64 +libdebconfclient0 0.260 amd64 +libdeflate0 1.7-1 amd64 +libdevmapper-event1.02.1 2:1.02.175-2.1 amd64 +libdevmapper1.02.1 2:1.02.175-2.1 amd64 +libdigest-hmac-perl 1.03+dfsg-2.1 all -libdpkg-perl 1.19.7 all -libedit2 3.1-20181209-1 amd64 -libefiboot1 37-2+deb10u1 amd64 -libefivar1 37-2+deb10u1 amd64 -libelf1 0.176-1.1 amd64 +libdns1110 1:9.11.19+dfsg-2.1 amd64 +libdpkg-perl 1.20.9 all +libedit2 3.1-20191231-2+b1 amd64 +libefiboot1 37-6 amd64 +libefivar1 37-6 amd64 +libelf1 0.183-1 amd64 -liberror-perl 0.17027-2 all -libestr0 0.1.10-2.1 amd64 -libev4 1:4.25-1 amd64 +liberror-perl 0.17029-1 all +libestr0 0.1.10-2.1+b1 amd64 +libev4 1:4.33-1 amd64 -libexpat1 2.2.6-2+deb10u1 amd64 +libevent-2.1-7 2.1.12-stable-1 amd64 +libexpat1 2.2.10-2 amd64 -libfakeroot 1.23-1 amd64 -libfastjson4 0.99.8-2 amd64 -libfcgi-perl 0.78-2+b3 amd64 +libfakeroot 1.25.3-1.1 amd64 +libfastjson4 0.99.9-1 amd64 +libfcgi-perl 0.79+ds-2 amd64 +libfcgi0ldbl 2.4.2-2 amd64 -libfile-checktree-perl 4.42-1 all -libfile-fcntllock-perl 0.22-3+b5 amd64 -libfile-next-perl 1.16-2 all -libfl2 2.6.4-6.2 amd64 -libfontconfig1 2.13.1-2 amd64 -libfreetype6 2.9.1-3+deb10u2 amd64 -libfribidi0 1.0.5-3.1+deb10u1 amd64 -libfsplib0 0.11-2 amd64 -libfstrm0 0.4.0-1 amd64 -libfuse-dev 2.9.9-1+deb10u1 amd64 -libfuse2 2.9.9-1+deb10u1 amd64 -libgc1c2 1:7.6.4-0.4 amd64 +libfile-checktree-perl 4.42-1.1 all +libfile-fcntllock-perl 0.22-3+b7 amd64 +libfile-next-perl 1.18-1 all +libfl2 2.6.4-8 amd64 +libfontconfig1 2.13.1-4.2 amd64 +libfreetype6 2.10.4+dfsg-1 amd64 +libfribidi0 1.0.8-2 amd64 +libfsplib0 0.14-5 amd64 +libfstrm0 0.6.0-1+b1 amd64 +libfuse-dev 2.9.9-5 amd64 +libfuse2 2.9.9-5 amd64 +libgc1 1:8.0.4-3 amd64 -libgcrypt20 1.8.4-5+deb10u1 amd64 -libgd3 2.2.5-5.2 amd64 -libgdbm-compat4 1.18.1-4 amd64 +libgcrypt20 1.8.7-6 amd64 +libgd3 2.3.0-2 amd64 +libgdbm-compat4 1.19-2 amd64 
-libgdbm6 1.18.1-4 amd64 -libgeoip1 1.6.12-1 amd64 -libgfortran5 8.3.0-6 amd64 -libglib2.0-0 2.58.3-2+deb10u3 amd64 -libgmp-dev 2:6.1.2+dfsg-4 amd64 -libgmp-ocaml 20021123-19+b1 amd64 -libgmp-ocaml-dev 20021123-19+b1 amd64 -libgmp10 2:6.1.2+dfsg-4 amd64 -libgmp3-dev 2:6.1.2+dfsg-4 amd64 -libgmpxx4ldbl 2:6.1.2+dfsg-4 amd64 +libgdbm6 1.19-2 amd64 +libgeoip1 1.6.12-7 amd64 +libgfortran5 10.2.1-6 amd64 +libglib2.0-0 2.66.8-1 amd64 +libglpk40 5.0-1 amd64 +libgmp-dev 2:6.2.1+dfsg-1 amd64 +libgmp-ocaml 20021123-21+b1 amd64 +libgmp-ocaml-dev 20021123-21+b1 amd64 +libgmp10 2:6.2.1+dfsg-1 amd64 +libgmp3-dev 2:6.2.1+dfsg-1 amd64 +libgmpxx4ldbl 2:6.2.1+dfsg-1 amd64 -libgpm2 1.20.7-5 amd64 -libgsasl7 1.8.0-8+b2 amd64 -libgssapi-krb5-2 1.17-3+deb10u2 amd64 +libgpm2 1.20.7-8 amd64 +libgsasl7 1.10.0-4 amd64 +libgssapi-krb5-2 1.18.3-6 amd64 +libhavege2 1.9.14-1 amd64 -libhtml-parser-perl 3.72-3+b3 amd64 -libhtml-tagset-perl 3.20-3 all -libhtml-template-perl 2.97-1 all -libhttp-date-perl 6.02-1 all +libhtml-parser-perl 3.75-1+b1 amd64 +libhtml-tagset-perl 3.20-4 all +libhtml-template-perl 2.97-1.1 all +libhttp-date-perl 6.05-1 all -libidn11 1.33-2.2 amd64 -libidn2-0 2.0.5-1+deb10u1 amd64 -libintl-perl 1.26-2 all -libintl-xs-perl 1.26-2+b4 amd64 -libio-socket-inet6-perl 2.72-2 all -libio-socket-ssl-perl 2.060-3 all -libio-string-perl 1.08-3 all +libicu67 67.1-7 amd64 +libidn11 1.33-3 amd64 +libidn2-0 2.3.0-5 amd64 +libintl-perl 1.26-3 all +libintl-xs-perl 1.26-3 amd64 +libio-socket-inet6-perl 2.72-2.1 all +libio-socket-ssl-perl 2.069-1 all +libio-string-perl 1.08-3.1 all -libiptc0 1.8.2-4 amd64 -libirs161 1:9.11.5.P4+dfsg-5.1+deb10u5 amd64 +libip6tc2 1.8.7-1 amd64 +libiptc0 1.8.7-1 amd64 +libirs161 1:9.11.19+dfsg-2.1 amd64 -libisccc161 1:9.11.5.P4+dfsg-5.1+deb10u5 amd64 -libisccfg163 1:9.11.5.P4+dfsg-5.1+deb10u5 amd64 +libisc1105 1:9.11.19+dfsg-2.1 amd64 +libisccc161 1:9.11.19+dfsg-2.1 amd64 +libisccfg163 1:9.11.19+dfsg-2.1 amd64 -libjansson4 2.12-1 amd64 +libjansson4 2.13.1-1.1 
amd64 -libjpeg62-turbo 1:1.5.2-2+deb10u1 amd64 -libjs-jquery 3.3.1~dfsg-3+deb10u1 all +libjpeg62-turbo 1:2.0.6-4 amd64 +libjs-jquery 3.5.1+dfsg+~3.5.5-7 all -libjson-glib-1.0-0 1.4.4-2 amd64 -libjson-glib-1.0-common 1.4.4-2 all -libk5crypto3 1.17-3+deb10u2 amd64 -libkeyutils1 1.6-6 amd64 +libjson-glib-1.0-0 1.6.2-1 amd64 +libjson-glib-1.0-common 1.6.2-1 all +libk5crypto3 1.18.3-6 amd64 +libkeyutils1 1.6.1-2 amd64 -libkmod2 26-1 amd64 -libkrb5-3 1.17-3+deb10u2 amd64 -libkrb5support0 1.17-3+deb10u2 amd64 +libkmod2 28-1 amd64 +libkrb5-3 1.18.3-6 amd64 +libkrb5support0 1.18.3-6 amd64 -liblapack3 3.8.0-2 amd64 -libldap-2.4-2 2.4.47+dfsg-3+deb10u6 amd64 -libldap-common 2.4.47+dfsg-3+deb10u6 all +liblapack3 3.9.0-3 amd64 +libldap-2.4-2 2.4.57+dfsg-3 amd64 +libldap-common 2.4.57+dfsg-3 all -liblmdb0 0.9.22-1 amd64 -liblocale-gettext-perl 1.07-3+b4 amd64 +liblmdb0 0.9.24-1 amd64 +liblocale-gettext-perl 1.07-4+b1 amd64 -liblognorm5 2.0.5-1 amd64 +liblognorm5 2.0.5-1.1 amd64 -libltdl7 2.4.6-9 amd64 -liblua5.1-0 5.1.5-8.1+b2 amd64 -liblua5.2-0 5.2.4-1.1+b2 amd64 -liblua5.3-0 5.3.3-1.1 amd64 -liblvm2cmd2.03 2.03.02-3 amd64 -liblwres161 1:9.11.5.P4+dfsg-5.1+deb10u5 amd64 -liblz4-1 1.8.3-1+deb10u1 amd64 -liblzma5 5.2.4-1 amd64 -liblzo2-2 2.10-0.1 amd64 -libmagic-mgc 1:5.35-4+deb10u2 amd64 -libmagic1 1:5.35-4+deb10u2 amd64 -libmailtools-perl 2.18-1 all +libltdl7 2.4.6-15 amd64 +liblua5.1-0 5.1.5-8.1+b3 amd64 +liblua5.2-0 5.2.4-1.1+b3 amd64 +liblua5.3-0 5.3.3-1.1+b1 amd64 +liblvm2cmd2.03 2.03.11-2.1 amd64 +liblwres161 1:9.11.19+dfsg-2.1 amd64 +liblz4-1 1.9.3-2 amd64 +liblzma5 5.2.5-2 amd64 +liblzo2-2 2.10-2 amd64 +libmagic-mgc 1:5.39-3 amd64 +libmagic1 1:5.39-3 amd64 +libmailtools-perl 2.21-1 all -libmariadb3 1:10.3.29-0+deb10u1 amd64 -libmcrypt4 2.5.8-3.4 amd64 -libmnl0 1.0.4-2 amd64 -libmodule-find-perl 0.13-1 all -libmodule-scandeps-perl 1.27-1 all +libmariadb3 1:10.5.11-1 amd64 +libmaxminddb0 1.5.2-1 amd64 +libmcrypt4 2.5.8-3.4+b1 amd64 +libmd0 1.0.3-3 amd64 +libmnl0 1.0.4-3 
amd64 +libmodule-find-perl 0.15-1 all +libmodule-scandeps-perl 1.30-1 all -libmpc3 1.1.0-1 amd64 +libmpc3 1.2.0-1 amd64 -libmpfr6 4.0.2-1 amd64 +libmpfr6 4.1.0-3 amd64 -libncurses-dev 6.1+20181013-2+deb10u2 amd64 -libncurses5 6.1+20181013-2+deb10u2 amd64 -libncurses5-dev 6.1+20181013-2+deb10u2 amd64 -libncurses6 6.1+20181013-2+deb10u2 amd64 -libncursesw5 6.1+20181013-2+deb10u2 amd64 -libncursesw6 6.1+20181013-2+deb10u2 amd64 -libnet-dns-perl 1.19-1 all -libnet-domain-tld-perl 1.75-1 all +libncurses-dev 6.2+20201114-2 amd64 +libncurses5 6.2+20201114-2 amd64 +libncurses5-dev 6.2+20201114-2 amd64 +libncurses6 6.2+20201114-2 amd64 +libncursesw5 6.2+20201114-2 amd64 +libncursesw6 6.2+20201114-2 amd64 +libnet-dns-perl 1.29-1 all +libnet-domain-tld-perl 1.75-1.1 all -libnet-libidn-perl 0.12.ds-3+b1 amd64 +libnet-libidn-perl 0.12.ds-3+b3 amd64 -libnet-ssleay-perl 1.85-2+b1 amd64 -libnetfilter-acct1 1.0.3-2 amd64 -libnetfilter-conntrack3 1.0.7-1 amd64 -libnetfilter-log1 1.0.1-1.1+b1 amd64 +libnet-ssleay-perl 1.88-3+b1 amd64 +libnetaddr-ip-perl 4.079+dfsg-1+b5 amd64 +libnetfilter-acct1 1.0.3-3 amd64 +libnetfilter-conntrack3 1.0.8-3 amd64 +libnetfilter-log1 1.0.1-3 amd64 -libnewt0.52 0.52.20-8 amd64 +libnewt0.52 0.52.21-4+b3 amd64 -libnftnl11 1.1.2-2 amd64 -libnghttp2-14 1.36.0-2+deb10u1 amd64 -libnorm1 1.5.8+dfsg2-1 amd64 -libnpth0 1.6-1 amd64 +libnftnl11 1.1.9-1 amd64 +libnghttp2-14 1.43.0-1 amd64 +libnl-3-200 3.4.0-1+b1 amd64 +libnl-genl-3-200 3.4.0-1+b1 amd64 +libnorm1 1.5.9+dfsg-2 amd64 +libnpth0 1.6-3 amd64 -libntlm0 1.5-1+deb10u1 amd64 -libodbc1 2.3.6-0.1 amd64 -libopts25 1:5.18.12-4 amd64 +libntlm0 1.6-3 amd64 +libodbc1 2.3.6-0.1+b1 amd64 +libopts25 1:5.18.16-4 amd64 -libpam-modules 1.3.1-5 amd64 -libpam-modules-bin 1.3.1-5 amd64 -libpam-runtime 1.3.1-5 all +libpam-modules 1.4.0-9 amd64 +libpam-modules-bin 1.4.0-9 amd64 +libpam-runtime 1.4.0-9 all -libpam0g 1.3.1-5 amd64 +libpam0g 1.4.0-9 amd64 -libparted-i18n 3.2-25 all -libparted2 3.2-25 amd64 -libpcap0.8 1.8.1-6 
amd64 -libpci3 1:3.5.2-1 amd64 -libpcre16-3 2:8.39-12 amd64 +libparted-i18n 3.4-1 all +libparted2 3.4-1 amd64 +libpcap0.8 1.10.0-2 amd64 +libpci3 1:3.7.0-5 amd64 +libpcre16-3 2:8.39-13 amd64 -libpcre3 2:8.39-12 amd64 -libpcre3-dev 2:8.39-12 amd64 -libpcre32-3 2:8.39-12 amd64 -libpcrecpp0v5 2:8.39-12 amd64 +libpcre3 2:8.39-13 amd64 +libpcre3-dev 2:8.39-13 amd64 +libpcre32-3 2:8.39-13 amd64 +libpcrecpp0v5 2:8.39-13 amd64 +libperl5.32 5.32.1-4+deb11u1 amd64 -libpipeline1 1.5.1-2 amd64 -libpng16-16 1.6.36-6 amd64 -libpopt0 1.16-12 amd64 -libpq5 11.12-0+deb10u1 amd64 -libproc-processtable-perl 0.56-1 amd64 +libpgm-5.3-0 5.3.128~dfsg-2 amd64 +libpipeline1 1.5.3-1 amd64 +libpng16-16 1.6.37-3 amd64 +libpopt0 1.18-2 amd64 +libpq5 13.3-1 amd64 +libproc-processtable-perl 0.59-2+b1 amd64 -libprotobuf-c1 1.3.1-1+b1 amd64 -libpsl5 0.20.2-2 amd64 +libprocps8 2:3.3.17-5 amd64 +libprotobuf-c1 1.3.3-1+b2 amd64 +libpsl5 0.21.0-1.2 amd64 -librecode0 3.6-23 amd64 -librtmp1 2.4+20151223.gitfa8646d.1-2 amd64 +librecode0 3.6-24 amd64 +librtmp1 2.4+20151223.gitfa8646d.1-2+b2 amd64 -libsasl2-2 2.1.27+dfsg-1+deb10u1 amd64 -libsasl2-modules 2.1.27+dfsg-1+deb10u1 amd64 -libsasl2-modules-db 2.1.27+dfsg-1+deb10u1 amd64 +libruby2.7 2.7.4-1 amd64 +libsasl2-2 2.1.27+dfsg-2.1 amd64 +libsasl2-modules 2.1.27+dfsg-2.1 amd64 +libsasl2-modules-db 2.1.27+dfsg-2.1 amd64 -libsemanage-common 2.8-2 all -libsemanage1 2.8-2 amd64 +libsemanage-common 3.1-1 all +libsemanage1 3.1-1+b2 amd64 -libserf-1-1 1.3.9-7+b10 amd64 -libsigc++-2.0-0v5 2.10.1-2 amd64 -libsigsegv2 2.12-2 amd64 -libslang2 2.3.2-2 amd64 +libserf-1-1 1.3.9-10 amd64 +libsigc++-2.0-0v5 2.10.4-2 amd64 +libsigsegv2 2.13-1 amd64 +libslang2 2.3.2-5 amd64 -libsocket6-perl 0.29-1+b1 amd64 +libsocket6-perl 0.29-1+b3 amd64 -libsqlite3-0 3.27.2-3+deb10u1 amd64 -libsqlite3-dev 3.27.2-3+deb10u1 amd64 -libss2 1.44.5-1+deb10u3 amd64 -libssh2-1 1.8.0-2.1 amd64 -libssl1.1 1.1.1d-0+deb10u7 amd64 +libsqlite3-0 3.34.1-3 amd64 +libsqlite3-dev 3.34.1-3 amd64 +libss2 
1.46.2-2 amd64 +libssh2-1 1.9.0-2 amd64 +libssl1.1 1.1.1k-1+deb11u1 amd64 -libsub-name-perl 0.21-1+b3 amd64 -libsuitesparseconfig5 1:5.4.0+dfsg-1 amd64 -libsvn-perl 1.10.4-1+deb10u2 amd64 -libsvn1 1.10.4-1+deb10u2 amd64 +libsub-name-perl 0.26-1+b1 amd64 +libsuitesparseconfig5 1:5.8.1+dfsg-2 amd64 +libsvn-perl 1.14.1-3 amd64 +libsvn1 1.14.1-3 amd64 -libterm-readkey-perl 2.38-1 amd64 -libterm-readline-gnu-perl 1.36-1 amd64 -libtext-charwidth-perl 0.04-7.1+b1 amd64 -libtext-iconv-perl 1.7-5+b7 amd64 -libtext-wrapi18n-perl 0.06-7.1 all -libtiff5 4.1.0+git191117-2~deb10u2 amd64 +libterm-readkey-perl 2.38-1+b2 amd64 +libterm-readline-gnu-perl 1.37-1 amd64 +libtext-charwidth-perl 0.04-10+b1 amd64 +libtext-iconv-perl 1.7-7+b1 amd64 +libtext-wrapi18n-perl 0.06-9 all +libtiff5 4.2.0-1 amd64 -libtimedate-perl 2.3000-2+deb10u1 all -libtinfo5 6.1+20181013-2+deb10u2 amd64 -libtinfo6 6.1+20181013-2+deb10u2 amd64 +libtimedate-perl 2.3300-2 all +libtinfo5 6.2+20201114-2 amd64 +libtinfo6 6.2+20201114-2 amd64 -libtre5 0.8.0-6 amd64 +libtre5 0.8.0-6+b1 amd64 -libuchardet0 0.0.6-3 amd64 +libuchardet0 0.0.7-1 amd64 -libunbound8 1.9.0-2+deb10u2 amd64 -libunistring2 0.9.10-1 amd64 -libunwind8 1.2.1-10~deb10u1 amd64 -liburi-perl 1.76-1 all +libunbound8 1.13.1-1 amd64 +libunistring2 0.9.10-4 amd64 +libunwind8 1.3.2-2 amd64 +liburi-perl 5.08-1 all -libusb-1.0-0 2:1.0.22-2 amd64 +libusb-1.0-0 2:1.0.24-3 amd64 -libutf8proc2 2.3.0-1 amd64 -libuuid1 2.33.1-0.1 amd64 -libwebp6 0.6.1-2+deb10u1 amd64 -libwrap0 7.6.q-28 amd64 -libx11-6 2:1.6.7-1+deb10u2 amd64 -libx11-data 2:1.6.7-1+deb10u2 all -libx11-dev 2:1.6.7-1+deb10u2 amd64 +libutf8proc2 2.5.0-1 amd64 +libuuid1 2.36.1-8 amd64 +libuv1 1.40.0-2 amd64 +libwebp6 0.6.1-2.1 amd64 +libwrap0 7.6.q-31 amd64 +libx11-6 2:1.7.2-1 amd64 +libx11-data 2:1.7.2-1 all +libx11-dev 2:1.7.2-1 amd64 -libxapian30 1.4.11-1 amd64 -libxau-dev 1:1.0.8-1+b2 amd64 -libxau6 1:1.0.8-1+b2 amd64 -libxcb1 1.13.1-2 amd64 -libxcb1-dev 1.13.1-2 amd64 +libxapian30 1.4.18-3 amd64 
+libxau-dev 1:1.0.9-1 amd64 +libxau6 1:1.0.9-1 amd64 +libxcb1 1.14-3 amd64 +libxcb1-dev 1.14-3 amd64 -libxext6 2:1.3.3-1+b2 amd64 -libxml2 2.9.4+dfsg1-7+deb10u2 amd64 +libxext6 2:1.3.3-1.1 amd64 +libxml2 2.9.10+dfsg-6.7 amd64 -libxslt1.1 1.1.32-2.2~deb10u1 amd64 -libxtables12 1.8.2-4 amd64 +libxslt1.1 1.1.34-4 amd64 +libxtables12 1.8.7-1 amd64 -libyaml-0-2 0.2.1-1 amd64 -libzmq5 4.3.1-4+deb10u2 amd64 +libyaml-0-2 0.2.2-1 amd64 +libzmq5 4.3.4-1 amd64 -linux-image-amd64 4.19+105+deb10u12 amd64 -linux-libc-dev 4.19.194-3 amd64 +linux-image-5.10.0-8-amd64 5.10.46-4 amd64 +linux-image-amd64 5.10.46-4 amd64 +linux-libc-dev 5.10.46-4 amd64 -logrotate 3.14.0-4 amd64 +logrotate 3.18.0-2 amd64 -logwatch 7.5.0-1 all +logwatch 7.5.5-1 all -lsb-release 10.2019051400 all -lsof 4.91+dfsg-1 amd64 +lsb-release 11.1.0 all +lsof 4.93.2+dfsg-1.1 amd64 -lvm2 2.03.02-3 amd64 -m4 1.4.18-2 amd64 +lvm2 2.03.11-2.1 amd64 +m4 1.4.18-5 amd64 -make 4.2.1-1.2 amd64 -man-db 2.8.5-2 amd64 +make 4.3-4.1 amd64 +man-db 2.9.4-2 amd64 -mariadb-common 1:10.3.29-0+deb10u1 all -mawk 1.3.3-17+b3 amd64 -mccs 1:1.1-8 amd64 +mariadb-common 1:10.5.11-1 all +mawk 1.3.4.20200120-2 amd64 +mccs 1:1.1-9 amd64 -mlocate 0.26-3 amd64 -monitoring-plugins-basic 2.2-6 amd64 -monitoring-plugins-common 2.2-6 amd64 -monitoring-plugins-standard 2.2-6 amd64 -mount 2.33.1-0.1 amd64 +mlocate 0.26-5 amd64 +monitoring-plugins-basic 2.3.1-1 amd64 +monitoring-plugins-common 2.3.1-1 amd64 +monitoring-plugins-standard 2.3.1-1 amd64 +mount 2.36.1-8 amd64 -mysql-common 5.8+1.0.5 all -nano 3.2-3 amd64 +mysql-common 5.8+1.0.7 all +nano 5.4-2 amd64 -ncurses-base 6.1+20181013-2+deb10u2 all -ncurses-bin 6.1+20181013-2+deb10u2 amd64 -ncurses-term 6.1+20181013-2+deb10u2 all +ncurses-base 6.2+20201114-2 all +ncurses-bin 6.2+20201114-2 amd64 +ncurses-term 6.2+20201114-2 all -needrestart 3.4-5 all -net-tools 1.60+git20180626.aebd88e-1 amd64 -netbase 5.6 all -netcat-traditional 1.10-41.1 amd64 -netfilter-persistent 1.0.11+deb10u1 all -nfacct 
1.0.2-2 amd64 +needrestart 3.5-4 all +net-tools 1.60+git20181103.0eebece-1 amd64 +netbase 6.3 all +netcat-traditional 1.10-46 amd64 +netfilter-persistent 1.0.15 all +nfacct 1.0.2-3 amd64 -ocaml 4.05.0-11 amd64 -ocaml-base 4.05.0-11 amd64 -ocaml-base-nox 4.05.0-11 amd64 -ocaml-compiler-libs 4.05.0-11 amd64 -ocaml-interp 4.05.0-11 amd64 -ocaml-nox 4.05.0-11 amd64 -opam 2.0.3-1+deb10u1 amd64 -opam-doc 2.0.3-1+deb10u1 all -opam-installer 2.0.3-1+deb10u1 amd64 +ocaml 4.11.1-4 amd64 +ocaml-base 4.11.1-4 amd64 +ocaml-base-nox 4.11.1-4 amd64 +ocaml-compiler-libs 4.11.1-4 amd64 +ocaml-interp 4.11.1-4 amd64 +ocaml-nox 4.11.1-4 amd64 +opam 2.0.8-1 amd64 +opam-doc 2.0.8-1 all +opam-installer 2.0.8-1 amd64 -openssl 1.1.1d-0+deb10u7 amd64 -os-prober 1.77 amd64 -parted 3.2-25 amd64 -passwd 1:4.5-1.1 amd64 -patch 2.7.6-3+deb10u1 amd64 -pciutils 1:3.5.2-1 amd64 -perl 5.28.1-6+deb10u1 amd64 -perl-base 5.28.1-6+deb10u1 amd64 -perl-doc 5.28.1-6+deb10u1 all -perl-modules-5.24 5.24.1-3+deb9u5 all +openssl 1.1.1k-1+deb11u1 amd64 +os-prober 1.79 amd64 +parted 3.4-1 amd64 +passwd 1:4.8.1-1 amd64 +patch 2.7.6-7 amd64 +pci.ids 0.0~2021.02.08-1 all +pciutils 1:3.7.0-5 amd64 +perl 5.32.1-4+deb11u1 amd64 +perl-base 5.32.1-4+deb11u1 amd64 +perl-doc 5.32.1-4+deb11u1 all -perl-openssl-defaults 3 amd64 -php 2:7.3+69 all -php-common 2:69 all -php-gd 2:7.3+69 all -php-ldap 2:7.3+69 all -php-mcrypt 1:7.0+49 all +perl-modules-5.32 5.32.1-4+deb11u1 all +perl-openssl-defaults 5 amd64 +php 2:7.4+76 all +php-common 2:76 all +php-gd 2:7.4+76 all +php-ldap 2:7.4+76 all -php7.3 7.3.29-1~deb10u1 all -pinentry-curses 1.1.0-2 amd64 -pkg-config 0.29-6 amd64 -postfix 3.4.14-0+deb10u1 amd64 -postfix-pcre 3.4.14-0+deb10u1 amd64 -postfix-sqlite 3.4.14-0+deb10u1 amd64 +php7.4 7.4.21-1+deb11u1 all +php7.4-cli 7.4.21-1+deb11u1 amd64 +php7.4-common 7.4.21-1+deb11u1 amd64 +php7.4-gd 7.4.21-1+deb11u1 amd64 +php7.4-json 7.4.21-1+deb11u1 amd64 +php7.4-ldap 7.4.21-1+deb11u1 amd64 +php7.4-opcache 7.4.21-1+deb11u1 amd64 
+php7.4-readline 7.4.21-1+deb11u1 amd64 +pinentry-curses 1.1.0-4 amd64 +pkg-config 0.29.2-1 amd64 +postfix 3.5.6-1+b1 amd64 +postfix-pcre 3.5.6-1+b1 amd64 +postfix-sqlite 3.5.6-1+b1 amd64 -procps 2:3.3.15-2 amd64 -psmisc 23.2-1 amd64 +procps 2:3.3.17-5 amd64 +psmisc 23.4-2 amd64 -python-apt-common 1.8.4.3 all -python-babel-localedata 2.6.0+dfsg.1-1 all +python-apt-common 2.2.1 all +python-babel-localedata 2.8.0+dfsg.1-7 all -python3-acme 0.31.0-2 all +python3-acme 1.12.0-2 all -python3-asn1crypto 0.24.0-1 all -python3-augeas 0.5.0-1 all -python3-babel 2.6.0+dfsg.1-1 all -python3-bcrypt 3.1.6-1 amd64 -python3-certbot 0.31.0-1+deb10u1 all -python3-certbot-apache 0.31.0-1 all -python3-certifi 2018.8.24-1 all +python3-asn1crypto 1.4.0-1 all +python3-augeas 0.5.0-1.1 all +python3-babel 2.8.0+dfsg.1-7 all +python3-backcall 0.2.0-1 all +python3-bcrypt 3.1.7-4 amd64 +python3-certbot 1.12.0-2 all +python3-certbot-apache 1.10.1-1 all +python3-certifi 2020.6.20-1 all -python3-chardet 3.0.4-3 all -python3-configargparse 0.13.0-1 all -python3-configobj 5.0.6-3 all -python3-cryptography 2.6.1-3+deb10u2 amd64 -python3-dateutil 2.7.3-3 all -python3-debconf 1.5.71 all -python3-decorator 4.3.0-1.1 all -python3-distro 1.3.0-1 all +python3-chardet 4.0.0-1 all +python3-configargparse 1.2.3-1 all +python3-configobj 5.0.6-4 all +python3-cryptography 3.3.2-1 amd64 +python3-dateutil 2.8.1-6 all +python3-debconf 1.5.77 all +python3-decorator 4.4.2-2 all +python3-distro 1.5.0-1 all -python3-dnspython 1.16.0-1+deb10u1 all +python3-dnspython 2.0.0-1 all -python3-future 0.16.0-1 all +python3-future 0.18.2-5 all -python3-gitdb 2.0.5-1 all -python3-idna 2.6-1 all -python3-ipython 5.8.0-1 all -python3-ipython-genutils 0.2.0-1 all -python3-jinja2 2.10-2 all -python3-josepy 1.1.0-2 all +python3-gitdb 4.0.5-1 all +python3-idna 2.10-1 all +python3-ipython 7.20.0-1 all +python3-ipython-genutils 0.2.0-4 all +python3-jedi 0.18.0-1 all +python3-jinja2 2.11.3-1 all +python3-josepy 1.2.0-2 all -python3-mock 
2.0.0-4 all +python3-mock 4.0.3-1 all -python3-openssl 19.0.0-1 all -python3-paramiko 2.4.2-0.1 all -python3-parsedatetime 2.4-2 all -python3-pathspec 0.5.9-1 all -python3-pbr 4.2.0-5 all -python3-pexpect 4.6.0-1 all -python3-pickleshare 0.7.5-1 all -python3-pkg-resources 40.8.0-1 all -python3-ply 3.11-3 all -python3-prompt-toolkit 1.0.15-1 all +python3-openssl 20.0.1-1 all +python3-paramiko 2.7.2-1 all +python3-parsedatetime 2.6-1 all +python3-parso 0.8.1-1 all +python3-pathspec 0.8.1-1 all +python3-pbr 5.5.0-2 all +python3-pexpect 4.8.0-2 all +python3-pickleshare 0.7.5-3 all +python3-pkg-resources 52.0.0-4 all +python3-ply 3.11-4 all +python3-prompt-toolkit 3.0.14-1 all -python3-ptyprocess 0.6.0-1 all -python3-pyasn1 0.4.2-3 all +python3-ptyprocess 0.7.0-1 all +python3-pyasn1 0.4.8-1 all -python3-pygments 2.3.1+dfsg-1+deb10u2 all -python3-pyinotify 0.9.6-1 all -python3-requests 2.21.0-1 all -python3-requests-toolbelt 0.8.0-1 all -python3-rfc3339 1.1-1 all -python3-setuptools 40.8.0-1 all -python3-simplegeneric 0.8.1-2 all -python3-six 1.12.0-1 all -python3-smmap 2.0.5-1 all +python3-pygments 2.7.1+dfsg-2.1 all +python3-pyinotify 0.9.6-1.3 all +python3-requests 2.25.1+dfsg-2 all +python3-requests-toolbelt 0.9.1-1 all +python3-rfc3339 1.1-2 all +python3-setuptools 52.0.0-4 all +python3-simplegeneric 0.8.1-3 all +python3-six 1.16.0-2 all +python3-smmap 4.0.0-1 all -python3-traitlets 4.3.2-1 all -python3-tz 2019.1-1 all -python3-urllib3 1.24.1-1 all -python3-wcwidth 0.1.7+dfsg1-3 all +python3-traitlets 5.0.5-1 all +python3-tz 2021.1-1 all +python3-urllib3 1.26.5-1~exp1 all +python3-wcwidth 0.1.9+dfsg1-2 all -python3-zope.component 4.3.0-1 all -python3-zope.event 4.2.0-1 all +python3-zope.component 4.3.0-3 all +python3-zope.event 4.4-3 all -rake 12.3.1-3+deb10u1 all -readline-common 7.0-5 all +rake 13.0.3-1 all +readline-common 8.1-1 all -rsync 3.1.3-6 amd64 -rsyslog 8.1901.0-1 amd64 -ruby 1:2.5.1 amd64 +rsync 3.2.3-4 amd64 +rsyslog 8.2102.0-2 amd64 +ruby 1:2.7+2 
amd64 -ruby-minitest 5.11.3-1 all +ruby-minitest 5.13.0-1 all -ruby-power-assert 1.1.1-1 all -ruby-test-unit 3.2.8-1 all +ruby-power-assert 1.1.7-2 all +ruby-rubygems 3.2.5-2 all +ruby-test-unit 3.3.9-1 all -ruby2.5 2.5.5-3+deb10u3 amd64 -rubygems-integration 1.11+deb10u1 all +ruby2.7 2.7.4-1 amd64 +rubygems-integration 1.18 all -s-nail 14.9.11-2 amd64 +s-nail 14.9.22-1 amd64 -sensible-utils 0.0.12 all -shared-mime-info 1.10-1 amd64 -slapd 2.4.47+dfsg-3+deb10u6 amd64 -ssl-cert 1.0.39 all +sensible-utils 0.0.14 all +shared-mime-info 2.0-1 amd64 +slapd 2.4.57+dfsg-3 amd64 +ssl-cert 1.1.0+nmu1 all -strace 4.26-0.2 amd64 -subversion 1.10.4-1+deb10u2 amd64 -subversion-tools 1.10.4-1+deb10u2 amd64 -sudo 1.8.27-1+deb10u3 amd64 -swaks 20181104.0-2 all +strace 5.10-1 amd64 +subversion 1.14.1-3 amd64 +subversion-tools 1.14.1-3 amd64 +sudo 1.9.5p2-3 amd64 +swaks 20201014.0-1 all -systemd-sysv 241-7~deb10u8 amd64 +systemd-sysv 247.3-6 amd64 -tar 1.30+dfsg-6 amd64 -task-english 3.53 all -task-ssh-server 3.53 all -tasksel 3.53 all -tasksel-data 3.53 all -tcpdump 4.9.3-1~deb10u2 amd64 -thin-provisioning-tools 0.7.6-2.1 amd64 +tar 1.34+dfsg-1 amd64 +task-english 3.68 all +task-ssh-server 3.68 all +tasksel 3.68 all +tasksel-data 3.68 all +tcpdump 4.99.0-2 amd64 +thin-provisioning-tools 0.9.0-1 amd64 -time 1.7-25.1+b1 amd64 -traceroute 1:2.1.0-2 amd64 -tzdata 2021a-0+deb10u1 all -ucf 3.0038+nmu1 all +time 1.9-0.1 amd64 +traceroute 1:2.1.0-2+b1 amd64 +tzdata 2021a-1 all +ucf 3.0043 all -unzip 6.0-23+deb10u2 amd64 -usb.ids 2019.07.27-0+deb10u1 all -usbutils 1:010-3 amd64 +unzip 6.0-26 amd64 +usb.ids 2021.06.06-1 all +usbutils 1:013-3 amd64 -util-linux-locales 2.33.1-0.1 all -vim 2:8.1.0875-5 amd64 +util-linux-locales 2.36.1-8 all +vim 2:8.2.2434-3 amd64 -vim-common 2:8.1.0875-5 all -vim-icinga2 2.10.3-2+deb10u1 all -vim-runtime 2:8.1.0875-5 all -vim-tiny 2:8.1.0875-5 amd64 +vim-common 2:8.2.2434-3 all +vim-icinga2 2.12.3-1 all +vim-runtime 2:8.2.2434-3 all +vim-tiny 2:8.2.2434-3 amd64 
-wamerican 2018.04.16-1 all -wget 1.20.1-1.1 amd64 -whiptail 0.52.20-8 amd64 -whois 5.4.3 amd64 -x11proto-core-dev 2018.4-4 all -x11proto-dev 2018.4-4 all -xauth 1:1.0.10-1 amd64 -xkb-data 2.26-2 all -xorg-sgml-doctools 1:1.11-1 all -xtrans-dev 1.3.5-1 all -xxd 2:8.1.0875-5 amd64 -xz-utils 5.2.4-1 amd64 -yamllint 1.15.0-1 all -zip 3.0-11+b1 amd64 -zlib1g 1:1.2.11.dfsg-1 amd64 -zlib1g-dev 1:1.2.11.dfsg-1 amd64 -zsh 5.7.1-1 amd64 -zsh-common 5.7.1-1 all +wamerican 2019.10.06-1 all +wget 1.21-1+b1 amd64 +whiptail 0.52.21-4+b3 amd64 +whois 5.5.10 amd64 +x11proto-core-dev 2020.1-1 all +x11proto-dev 2020.1-1 all +xauth 1:1.1-1 amd64 +xkb-data 2.29-2 all +xorg-sgml-doctools 1:1.11-1.1 all +xtrans-dev 1.4.0-1 all +xxd 2:8.2.2434-3 amd64 +xz-utils 5.2.5-2 amd64 +yamllint 1.26.0-2 all +zip 3.0-12 amd64 +zlib1g 1:1.2.11.dfsg-2 amd64 +zlib1g-dev 1:1.2.11.dfsg-2 amd64 +zsh 5.8-6+b2 amd64 +zsh-common 5.8-6 all --- .etckeeper | 180 +- NetworkManager/dispatcher.d/20-chrony | 15 - acpi/powerbtn-acpi-support.sh | 2 +- alternatives/ip6tables.service | 1 + alternatives/iptables.service | 1 + alternatives/pager | 2 +- alternatives/phar | 2 +- alternatives/phar.1.gz | 2 +- alternatives/phar.phar | 2 +- alternatives/phar.phar.1.gz | 2 +- alternatives/php | 2 +- alternatives/php.1.gz | 2 +- alternatives/w | 1 - alternatives/w.1.gz | 1 - apache2/conf-enabled/javascript-common.conf | 1 + apache2/mods-available/dav.load | 4 +- apache2/mods-available/deflate.conf | 3 +- apache2/mods-available/mime.conf | 1 + apache2/mods-available/php7.4.conf | 25 + apache2/mods-available/php7.4.load | 3 + apache2/mods-available/socache_redis.load | 1 + apache2/mods-enabled/php7.3.conf | 1 - apache2/mods-enabled/php7.3.load | 1 - apache2/mods-enabled/php7.4.conf | 1 + apache2/mods-enabled/php7.4.load | 1 + apparmor.d/local/usr.bin.tcpdump | 0 apparmor.d/usr.bin.man | 12 + .../{usr.sbin.tcpdump => usr.bin.tcpdump} | 10 +- apparmor.d/usr.sbin.chronyd | 51 +- apparmor.d/usr.sbin.haveged | 3 + 
apparmor.d/usr.sbin.named | 2 +- apt/apt.conf.d/01autoremove | 26 +- apt/apt.conf.d/01autoremove-kernels | 62 +- apt/apt.conf.d/20listchanges | 2 + bind/bind.keys | 48 +- bind/named-acl.conf | 2 +- bind/named.conf.options | 2 +- ca-certificates.conf | 22 +- ca-certificates.conf.dpkg-old | 43 +- chrony/chrony.conf.ucf-dist | 21 +- chrony/chrony.keys | 4 +- chrony/conf.d/README | 7 + chrony/sources.d/README | 11 + cron.daily/mlocate | 5 + cron.daily/passwd | 9 - default/chrony | 2 +- default/haveged | 3 +- default/named | 6 + default/netfilter-persistent | 6 + default/rsyslog | 4 - default/useradd | 2 +- dhcp/dhclient-exit-hooks.d/chrony | 16 +- emacs/site-start.d/50dictionaries-common.el | 2 +- ethertypes | 45 + fail2ban/action.d/abuseipdb.conf | 21 +- fail2ban/action.d/badips.py | 116 +- fail2ban/action.d/blocklist_de.conf | 10 +- fail2ban/action.d/bsd-ipfw.conf | 13 +- fail2ban/action.d/cloudflare.conf | 23 +- fail2ban/action.d/complain.conf | 6 +- fail2ban/action.d/dshield.conf | 6 +- fail2ban/action.d/dummy.conf | 4 +- fail2ban/action.d/firewallcmd-ipset.conf | 26 +- fail2ban/action.d/firewallcmd-multiport.conf | 4 +- fail2ban/action.d/firewallcmd-new.conf | 4 +- .../action.d/firewallcmd-rich-logging.conf | 30 +- fail2ban/action.d/firewallcmd-rich-rules.conf | 8 +- fail2ban/action.d/helpers-common.conf | 33 +- fail2ban/action.d/hostsdeny.conf | 14 +- fail2ban/action.d/ipfilter.conf | 4 +- fail2ban/action.d/ipfw.conf | 4 +- fail2ban/action.d/iptables-allports.conf | 4 +- fail2ban/action.d/iptables-ipset-proto4.conf | 4 +- .../iptables-ipset-proto6-allports.conf | 30 +- fail2ban/action.d/iptables-ipset-proto6.conf | 30 +- fail2ban/action.d/iptables-multiport-log.conf | 4 +- fail2ban/action.d/iptables-multiport.conf | 4 +- fail2ban/action.d/iptables-new.conf | 4 +- .../action.d/iptables-xt_recent-echo.conf | 4 +- fail2ban/action.d/iptables.conf | 4 +- fail2ban/action.d/mail-buffered.conf | 12 +- fail2ban/action.d/mail-whois-common.conf | 2 +- 
fail2ban/action.d/mail-whois-lines.conf | 6 +- fail2ban/action.d/mail-whois.conf | 10 +- fail2ban/action.d/mail.conf | 10 +- fail2ban/action.d/mynetwatchman.conf | 4 +- fail2ban/action.d/nftables-allports.conf | 11 +- fail2ban/action.d/nftables-multiport.conf | 11 +- fail2ban/action.d/nftables.conf | 203 ++ fail2ban/action.d/nginx-block-map.conf | 6 +- fail2ban/action.d/npf.conf | 4 +- fail2ban/action.d/nsupdate.conf | 4 +- fail2ban/action.d/osx-afctl.conf | 4 +- fail2ban/action.d/osx-ipfw.conf | 4 +- fail2ban/action.d/pf.conf | 4 +- fail2ban/action.d/sendmail-buffered.conf | 12 +- .../action.d/sendmail-common.conf.dpkg-dist | 12 +- fail2ban/action.d/sendmail-geoip-lines.conf | 4 +- .../sendmail-whois-ipjailmatches.conf | 5 +- .../action.d/sendmail-whois-ipmatches.conf | 5 +- fail2ban/action.d/sendmail-whois-lines.conf | 9 +- fail2ban/action.d/sendmail-whois-matches.conf | 5 +- .../action.d/sendmail-whois.conf.dpkg-dist | 5 +- fail2ban/action.d/sendmail.conf.dpkg-dist | 2 +- fail2ban/action.d/shorewall-ipset-proto6.conf | 28 +- fail2ban/action.d/shorewall.conf | 6 +- fail2ban/action.d/smtp.py | 12 +- .../symbiosis-blacklist-allports.conf | 4 +- fail2ban/action.d/xarf-login-attack.conf | 28 +- fail2ban/fail2ban.conf.dpkg-dist | 23 +- fail2ban/filter.d/apache-auth.conf | 15 +- fail2ban/filter.d/apache-common.conf | 4 +- fail2ban/filter.d/apache-modsecurity.conf | 2 +- fail2ban/filter.d/apache-noscript.conf | 9 +- fail2ban/filter.d/asterisk.conf | 15 +- fail2ban/filter.d/bitwarden.conf | 13 + fail2ban/filter.d/centreon.conf | 9 + fail2ban/filter.d/common.conf | 32 +- fail2ban/filter.d/courier-smtp.conf | 2 +- fail2ban/filter.d/domino-smtp.conf | 9 +- fail2ban/filter.d/dovecot.conf | 10 +- fail2ban/filter.d/exim.conf | 2 +- fail2ban/filter.d/freeswitch.conf | 32 +- fail2ban/filter.d/gitlab.conf | 6 + fail2ban/filter.d/grafana.conf | 9 + fail2ban/filter.d/guacamole.conf | 50 +- .../ignorecommands/apache-fakegooglebot | 2 +- fail2ban/filter.d/monit.conf | 8 +- 
fail2ban/filter.d/murmur.conf | 15 +- fail2ban/filter.d/mysqld-auth.conf | 4 +- fail2ban/filter.d/named-refused.conf | 8 +- fail2ban/filter.d/pam-generic.conf | 9 +- fail2ban/filter.d/phpmyadmin-syslog.conf | 2 +- fail2ban/filter.d/postfix.conf | 23 +- fail2ban/filter.d/proftpd.conf | 13 +- fail2ban/filter.d/recidive.conf | 12 +- fail2ban/filter.d/roundcube-auth.conf | 2 +- fail2ban/filter.d/sendmail-auth.conf | 7 +- fail2ban/filter.d/sendmail-reject.conf | 18 +- fail2ban/filter.d/softethervpn.conf | 9 + fail2ban/filter.d/sogo-auth.conf | 2 +- fail2ban/filter.d/sshd.conf | 87 +- fail2ban/filter.d/traefik-auth.conf | 76 + fail2ban/filter.d/znc-adminlog.conf | 34 + fail2ban/jail.conf.dpkg-dist | 128 +- fonts/conf.avail/57-dejavu-sans-mono.conf | 14 - fonts/conf.avail/57-dejavu-sans.conf | 14 - fonts/conf.avail/57-dejavu-serif.conf | 14 - fonts/fonts.conf | 2 +- group | 1 + group- | 1 + group.org | 61 + grub.d/00_header | 18 +- grub.d/05_debian_theme | 4 +- grub.d/10_linux | 55 +- grub.d/20_linux_xen | 104 +- grub.d/30_uefi-firmware | 6 +- gshadow | 1 + gshadow- | 1 + icinga2/conf.d/hosts.conf | 2 +- icinga2/conf.d/notifications.conf | 2 +- icinga2/conf.d/services.conf | 2 +- icinga2/features-available/icingadb.conf | 5 + icinga2/features-available/opentsdb.conf | 16 + icinga2/scripts/mail-host-notification.sh | 22 +- icinga2/scripts/mail-service-notification.sh | 20 +- icinga2/zones.d/README | 4 +- init.d/chrony | 8 +- init.d/dbus | 7 + init.d/fail2ban | 145 +- init.d/icinga2 | 14 +- init.d/{bind9 => named} | 27 +- iproute2/rt_protos | 3 +- iptables/rules.v4 | 30 +- iptables/rules.v6 | 6 +- kernel/postinst.d/apt-auto-removal | 69 +- ldap/ldap.conf | 2 +- ldap/schema/README | 2 +- ldap/schema/collective.ldif | 2 +- ldap/schema/corba.ldif | 2 +- ldap/schema/cosine.ldif | 2 +- ldap/schema/duaconf.ldif | 2 +- ldap/schema/dyngroup.ldif | 2 +- ldap/schema/dyngroup.schema | 2 +- ldap/schema/inetorgperson.ldif | 2 +- ldap/schema/java.ldif | 2 +- ldap/schema/misc.ldif | 2 +- 
ldap/schema/misc.schema | 2 +- ldap/schema/nis.ldif | 2 +- ldap/schema/nis.schema | 2 +- ldap/schema/openldap.ldif | 2 +- ldap/schema/openldap.schema | 2 +- ldap/schema/pmi.ldif | 2 +- ldap/schema/ppolicy.ldif | 2 +- libnl-3/classid | 45 + libnl-3/pktloc | 76 + .../netfilter-persistent/netfilter-persistent | 1 + logcheck/ignore.d.server/rsyslog | 6 +- lvm/backup/vg00 | 8 +- lvm/lvm.conf | 223 +- lvm/profile/vdo-small.profile | 41 +- mailcap | 22 +- manpath.config | 1 + mysql/mariadb.cnf | 8 +- nagios-plugins/config/curl-http.cfg | 111 + nagios-plugins/config/snmp.cfg | 2 +- nanorc | 251 ++- needrestart/hook.d/10-dpkg | 2 +- needrestart/hook.d/20-rpm | 2 +- needrestart/hook.d/30-pacman | 80 + needrestart/hook.d/90-none | 2 +- needrestart/iucode.sh | 16 + needrestart/needrestart.conf | 48 +- needrestart/notify.conf | 14 +- needrestart/notify.d/200-write | 2 +- needrestart/notify.d/400-notify-send | 11 +- needrestart/notify.d/600-mail | 2 +- needrestart/restart.d/dbus.service | 14 +- needrestart/restart.d/systemd-manager | 12 +- needrestart/restart.d/sysv-init | 12 +- network/if-post-down.d/chrony | 2 +- network/if-up.d/chrony | 2 +- pam.d/common-auth | 2 +- pam.d/common-password | 18 +- pam.d/common-session | 3 +- passwd | 3 +- passwd- | 4 +- passwd.org | 35 + php/7.3/apache2/conf.d/10-opcache.ini | 1 - php/7.3/apache2/conf.d/10-pdo.ini | 1 - php/7.3/apache2/conf.d/20-calendar.ini | 1 - php/7.3/apache2/conf.d/20-ctype.ini | 1 - php/7.3/apache2/conf.d/20-exif.ini | 1 - php/7.3/apache2/conf.d/20-fileinfo.ini | 1 - php/7.3/apache2/conf.d/20-ftp.ini | 1 - php/7.3/apache2/conf.d/20-gd.ini | 1 - php/7.3/apache2/conf.d/20-gettext.ini | 1 - php/7.3/apache2/conf.d/20-iconv.ini | 1 - php/7.3/apache2/conf.d/20-json.ini | 1 - php/7.3/apache2/conf.d/20-ldap.ini | 1 - php/7.3/apache2/conf.d/20-phar.ini | 1 - php/7.3/apache2/conf.d/20-posix.ini | 1 - php/7.3/apache2/conf.d/20-readline.ini | 1 - php/7.3/apache2/conf.d/20-shmop.ini | 1 - php/7.3/apache2/conf.d/20-sockets.ini | 1 - 
php/7.3/apache2/conf.d/20-sysvmsg.ini | 1 - php/7.3/apache2/conf.d/20-sysvsem.ini | 1 - php/7.3/apache2/conf.d/20-sysvshm.ini | 1 - php/7.3/apache2/conf.d/20-tokenizer.ini | 1 - php/7.3/cli/conf.d/10-opcache.ini | 1 - php/7.3/cli/conf.d/10-pdo.ini | 1 - php/7.3/cli/conf.d/20-calendar.ini | 1 - php/7.3/cli/conf.d/20-ctype.ini | 1 - php/7.3/cli/conf.d/20-exif.ini | 1 - php/7.3/cli/conf.d/20-fileinfo.ini | 1 - php/7.3/cli/conf.d/20-ftp.ini | 1 - php/7.3/cli/conf.d/20-gd.ini | 1 - php/7.3/cli/conf.d/20-gettext.ini | 1 - php/7.3/cli/conf.d/20-iconv.ini | 1 - php/7.3/cli/conf.d/20-json.ini | 1 - php/7.3/cli/conf.d/20-ldap.ini | 1 - php/7.3/cli/conf.d/20-phar.ini | 1 - php/7.3/cli/conf.d/20-posix.ini | 1 - php/7.3/cli/conf.d/20-readline.ini | 1 - php/7.3/cli/conf.d/20-shmop.ini | 1 - php/7.3/cli/conf.d/20-sockets.ini | 1 - php/7.3/cli/conf.d/20-sysvmsg.ini | 1 - php/7.3/cli/conf.d/20-sysvsem.ini | 1 - php/7.3/cli/conf.d/20-sysvshm.ini | 1 - php/7.3/cli/conf.d/20-tokenizer.ini | 1 - php/7.4/apache2/conf.d/10-opcache.ini | 1 + php/7.4/apache2/conf.d/10-pdo.ini | 1 + php/7.4/apache2/conf.d/20-calendar.ini | 1 + php/7.4/apache2/conf.d/20-ctype.ini | 1 + php/7.4/apache2/conf.d/20-exif.ini | 1 + php/7.4/apache2/conf.d/20-ffi.ini | 1 + php/7.4/apache2/conf.d/20-fileinfo.ini | 1 + php/7.4/apache2/conf.d/20-ftp.ini | 1 + php/7.4/apache2/conf.d/20-gd.ini | 1 + php/7.4/apache2/conf.d/20-gettext.ini | 1 + php/7.4/apache2/conf.d/20-iconv.ini | 1 + php/7.4/apache2/conf.d/20-json.ini | 1 + php/7.4/apache2/conf.d/20-ldap.ini | 1 + php/7.4/apache2/conf.d/20-phar.ini | 1 + php/7.4/apache2/conf.d/20-posix.ini | 1 + php/7.4/apache2/conf.d/20-readline.ini | 1 + php/7.4/apache2/conf.d/20-shmop.ini | 1 + php/7.4/apache2/conf.d/20-sockets.ini | 1 + php/7.4/apache2/conf.d/20-sysvmsg.ini | 1 + php/7.4/apache2/conf.d/20-sysvsem.ini | 1 + php/7.4/apache2/conf.d/20-sysvshm.ini | 1 + php/7.4/apache2/conf.d/20-tokenizer.ini | 1 + php/7.4/apache2/php.ini | 1947 +++++++++++++++++ 
php/7.4/cli/conf.d/10-opcache.ini | 1 + php/7.4/cli/conf.d/10-pdo.ini | 1 + php/7.4/cli/conf.d/20-calendar.ini | 1 + php/7.4/cli/conf.d/20-ctype.ini | 1 + php/7.4/cli/conf.d/20-exif.ini | 1 + php/7.4/cli/conf.d/20-ffi.ini | 1 + php/7.4/cli/conf.d/20-fileinfo.ini | 1 + php/7.4/cli/conf.d/20-ftp.ini | 1 + php/7.4/cli/conf.d/20-gd.ini | 1 + php/7.4/cli/conf.d/20-gettext.ini | 1 + php/7.4/cli/conf.d/20-iconv.ini | 1 + php/7.4/cli/conf.d/20-json.ini | 1 + php/7.4/cli/conf.d/20-ldap.ini | 1 + php/7.4/cli/conf.d/20-phar.ini | 1 + php/7.4/cli/conf.d/20-posix.ini | 1 + php/7.4/cli/conf.d/20-readline.ini | 1 + php/7.4/cli/conf.d/20-shmop.ini | 1 + php/7.4/cli/conf.d/20-sockets.ini | 1 + php/7.4/cli/conf.d/20-sysvmsg.ini | 1 + php/7.4/cli/conf.d/20-sysvsem.ini | 1 + php/7.4/cli/conf.d/20-sysvshm.ini | 1 + php/7.4/cli/conf.d/20-tokenizer.ini | 1 + php/7.4/cli/php.ini | 1947 +++++++++++++++++ php/7.4/mods-available/calendar.ini | 3 + php/7.4/mods-available/ctype.ini | 3 + php/7.4/mods-available/exif.ini | 3 + php/7.4/mods-available/ffi.ini | 3 + php/7.4/mods-available/fileinfo.ini | 3 + php/7.4/mods-available/ftp.ini | 3 + php/7.4/mods-available/gd.ini | 3 + php/7.4/mods-available/gettext.ini | 3 + php/7.4/mods-available/iconv.ini | 3 + php/7.4/mods-available/json.ini | 3 + php/7.4/mods-available/ldap.ini | 3 + php/7.4/mods-available/opcache.ini | 3 + php/7.4/mods-available/pdo.ini | 3 + php/7.4/mods-available/phar.ini | 3 + php/7.4/mods-available/posix.ini | 3 + php/7.4/mods-available/readline.ini | 3 + php/7.4/mods-available/shmop.ini | 3 + php/7.4/mods-available/sockets.ini | 3 + php/7.4/mods-available/sysvmsg.ini | 3 + php/7.4/mods-available/sysvsem.ini | 3 + php/7.4/mods-available/sysvshm.ini | 3 + php/7.4/mods-available/tokenizer.ini | 3 + ppp/ip-down.d/chrony | 2 +- ppp/ip-up.d/chrony | 2 +- profile.d/bash_completion.sh | 9 +- rc0.d/K01named | 1 + rc0.d/K02bind9 | 1 - rc0.d/{K03sendsigs => K02sendsigs} | 0 rc0.d/{K04rsyslog => K03rsyslog} | 0 rc0.d/{K05hwclock.sh => 
K04hwclock.sh} | 0 rc0.d/{K05umountnfs.sh => K04umountnfs.sh} | 0 rc0.d/{K06networking => K05networking} | 0 rc0.d/{K07umountfs => K06umountfs} | 0 rc0.d/{K08umountroot => K07umountroot} | 0 rc0.d/{K09halt => K08halt} | 0 rc1.d/K01named | 1 + rc1.d/K02bind9 | 1 - rc1.d/{K04rsyslog => K03rsyslog} | 0 rc2.d/S03bind9 | 1 - rc2.d/S03named | 1 + rc3.d/S03bind9 | 1 - rc3.d/S03named | 1 + rc4.d/S03bind9 | 1 - rc4.d/S03named | 1 + rc5.d/S03bind9 | 1 - rc5.d/S03named | 1 + rc6.d/K01named | 1 + rc6.d/K02bind9 | 1 - rc6.d/{K03sendsigs => K02sendsigs} | 0 rc6.d/{K04rsyslog => K03rsyslog} | 0 rc6.d/{K05hwclock.sh => K04hwclock.sh} | 0 rc6.d/{K05umountnfs.sh => K04umountnfs.sh} | 0 rc6.d/{K06networking => K05networking} | 0 rc6.d/{K07umountfs => K06umountfs} | 0 rc6.d/{K08umountroot => K07umountroot} | 0 rc6.d/{K09reboot => K08reboot} | 0 rsyslog.conf.dpkg-dist | 4 +- runit/runsvdir/default/acpid | 1 + s-nail.rc | 158 +- security/faillock.conf | 62 + security/namespace.conf | 5 +- security/pam_env.conf | 2 +- services | 273 +-- shadow | 1 + shadow- | 2 + shadow.org | 35 + ssl/certs/128805a3.0 | 1 - ssl/certs/3fb36b73.0 | 1 + ssl/certs/5c44d531.0 | 1 - ssl/certs/5f618aec.0 | 1 + ssl/certs/6410666e.0 | 1 - ssl/certs/8867006a.0 | 1 - ssl/certs/8d89cda1.0 | 1 + ssl/certs/9b5697b0.0 | 1 + ssl/certs/EE_Certification_Centre_Root_CA.pem | 1 - ssl/certs/GeoTrust_Universal_CA_2.pem | 1 - ssl/certs/LuxTrust_Global_Root_2.pem | 1 - ...ft_ECC_Root_Certificate_Authority_2017.pem | 1 + ...ft_RSA_Root_Certificate_Authority_2017.pem | 1 + ...ER_Global_Root_Certification_Authority.pem | 1 + ssl/certs/OISTE_WISeKey_Global_Root_GA_CA.pem | 1 - .../Staat_der_Nederlanden_Root_CA_-_G2.pem | 1 - ssl/certs/Taiwan_GRCA.pem | 1 - ...ustwave_Global_Certification_Authority.pem | 1 + ...lobal_ECC_P256_Certification_Authority.pem | 1 + ...lobal_ECC_P384_Certification_Authority.pem | 1 + ...c_Primary_Certification_Authority_-_G3.pem | 1 - ssl/certs/b1b8a7f3.0 | 1 - ssl/certs/bf53fb88.0 | 1 + 
ssl/certs/c0ff1f52.0 | 1 - ssl/certs/ca-certificates.crt | 394 ++-- ssl/certs/certSIGN_Root_CA_G2.pem | 1 + ssl/certs/d887a5bb.0 | 1 + ssl/certs/def36a68.0 | 1 - ssl/certs/e-Szigno_Root_CA_2017.pem | 1 + ssl/certs/e868b802.0 | 1 + ssl/certs/f249de83.0 | 1 + subversion/servers | 57 +- sudo.conf | 124 ++ sudo_logsrvd.conf | 159 ++ sudoers | 4 +- sv/acpid/.meta/installed | 0 sv/acpid/log/run | 5 + sv/acpid/log/supervise | 1 + sv/acpid/run | 5 + sv/acpid/supervise | 1 + sysctl.conf | 2 +- sysctl.d/protect-links.conf | 8 - systemd/system/bind9.service | 1 + .../multi-user.target.wants/named.service | 1 + .../iptables.conf | 2 + .../system/timers.target.wants/mlocate.timer | 1 + vim/vimrc | 2 - vim/vimrc.tiny | 2 +- zsh/zshrc | 8 + 431 files changed, 7524 insertions(+), 1926 deletions(-) delete mode 100755 NetworkManager/dispatcher.d/20-chrony create mode 120000 alternatives/ip6tables.service create mode 120000 alternatives/iptables.service delete mode 120000 alternatives/w delete mode 120000 alternatives/w.1.gz create mode 120000 apache2/conf-enabled/javascript-common.conf create mode 100644 apache2/mods-available/php7.4.conf create mode 100644 apache2/mods-available/php7.4.load create mode 100644 apache2/mods-available/socache_redis.load delete mode 120000 apache2/mods-enabled/php7.3.conf delete mode 120000 apache2/mods-enabled/php7.3.load create mode 120000 apache2/mods-enabled/php7.4.conf create mode 120000 apache2/mods-enabled/php7.4.load create mode 100644 apparmor.d/local/usr.bin.tcpdump rename apparmor.d/{usr.sbin.tcpdump => usr.bin.tcpdump} (89%) create mode 100644 chrony/conf.d/README create mode 100644 chrony/sources.d/README delete mode 100755 cron.daily/passwd create mode 100644 default/named delete mode 100644 default/rsyslog create mode 100644 ethertypes create mode 100644 fail2ban/action.d/nftables.conf create mode 100644 fail2ban/filter.d/bitwarden.conf create mode 100644 fail2ban/filter.d/centreon.conf create mode 100644 fail2ban/filter.d/gitlab.conf 
create mode 100644 fail2ban/filter.d/grafana.conf create mode 100644 fail2ban/filter.d/softethervpn.conf create mode 100644 fail2ban/filter.d/traefik-auth.conf create mode 100644 fail2ban/filter.d/znc-adminlog.conf create mode 100644 group.org create mode 100644 icinga2/features-available/icingadb.conf rename init.d/{bind9 => named} (78%) create mode 100644 libnl-3/classid create mode 100644 libnl-3/pktloc create mode 100644 logcheck/ignore.d.server/netfilter-persistent/netfilter-persistent create mode 100644 nagios-plugins/config/curl-http.cfg create mode 100755 needrestart/hook.d/30-pacman create mode 100644 needrestart/iucode.sh create mode 100644 passwd.org delete mode 120000 php/7.3/apache2/conf.d/10-opcache.ini delete mode 120000 php/7.3/apache2/conf.d/10-pdo.ini delete mode 120000 php/7.3/apache2/conf.d/20-calendar.ini delete mode 120000 php/7.3/apache2/conf.d/20-ctype.ini delete mode 120000 php/7.3/apache2/conf.d/20-exif.ini delete mode 120000 php/7.3/apache2/conf.d/20-fileinfo.ini delete mode 120000 php/7.3/apache2/conf.d/20-ftp.ini delete mode 120000 php/7.3/apache2/conf.d/20-gd.ini delete mode 120000 php/7.3/apache2/conf.d/20-gettext.ini delete mode 120000 php/7.3/apache2/conf.d/20-iconv.ini delete mode 120000 php/7.3/apache2/conf.d/20-json.ini delete mode 120000 php/7.3/apache2/conf.d/20-ldap.ini delete mode 120000 php/7.3/apache2/conf.d/20-phar.ini delete mode 120000 php/7.3/apache2/conf.d/20-posix.ini delete mode 120000 php/7.3/apache2/conf.d/20-readline.ini delete mode 120000 php/7.3/apache2/conf.d/20-shmop.ini delete mode 120000 php/7.3/apache2/conf.d/20-sockets.ini delete mode 120000 php/7.3/apache2/conf.d/20-sysvmsg.ini delete mode 120000 php/7.3/apache2/conf.d/20-sysvsem.ini delete mode 120000 php/7.3/apache2/conf.d/20-sysvshm.ini delete mode 120000 php/7.3/apache2/conf.d/20-tokenizer.ini delete mode 120000 php/7.3/cli/conf.d/10-opcache.ini delete mode 120000 php/7.3/cli/conf.d/10-pdo.ini delete mode 120000 php/7.3/cli/conf.d/20-calendar.ini 
delete mode 120000 php/7.3/cli/conf.d/20-ctype.ini delete mode 120000 php/7.3/cli/conf.d/20-exif.ini delete mode 120000 php/7.3/cli/conf.d/20-fileinfo.ini delete mode 120000 php/7.3/cli/conf.d/20-ftp.ini delete mode 120000 php/7.3/cli/conf.d/20-gd.ini delete mode 120000 php/7.3/cli/conf.d/20-gettext.ini delete mode 120000 php/7.3/cli/conf.d/20-iconv.ini delete mode 120000 php/7.3/cli/conf.d/20-json.ini delete mode 120000 php/7.3/cli/conf.d/20-ldap.ini delete mode 120000 php/7.3/cli/conf.d/20-phar.ini delete mode 120000 php/7.3/cli/conf.d/20-posix.ini delete mode 120000 php/7.3/cli/conf.d/20-readline.ini delete mode 120000 php/7.3/cli/conf.d/20-shmop.ini delete mode 120000 php/7.3/cli/conf.d/20-sockets.ini delete mode 120000 php/7.3/cli/conf.d/20-sysvmsg.ini delete mode 120000 php/7.3/cli/conf.d/20-sysvsem.ini delete mode 120000 php/7.3/cli/conf.d/20-sysvshm.ini delete mode 120000 php/7.3/cli/conf.d/20-tokenizer.ini create mode 120000 php/7.4/apache2/conf.d/10-opcache.ini create mode 120000 php/7.4/apache2/conf.d/10-pdo.ini create mode 120000 php/7.4/apache2/conf.d/20-calendar.ini create mode 120000 php/7.4/apache2/conf.d/20-ctype.ini create mode 120000 php/7.4/apache2/conf.d/20-exif.ini create mode 120000 php/7.4/apache2/conf.d/20-ffi.ini create mode 120000 php/7.4/apache2/conf.d/20-fileinfo.ini create mode 120000 php/7.4/apache2/conf.d/20-ftp.ini create mode 120000 php/7.4/apache2/conf.d/20-gd.ini create mode 120000 php/7.4/apache2/conf.d/20-gettext.ini create mode 120000 php/7.4/apache2/conf.d/20-iconv.ini create mode 120000 php/7.4/apache2/conf.d/20-json.ini create mode 120000 php/7.4/apache2/conf.d/20-ldap.ini create mode 120000 php/7.4/apache2/conf.d/20-phar.ini create mode 120000 php/7.4/apache2/conf.d/20-posix.ini create mode 120000 php/7.4/apache2/conf.d/20-readline.ini create mode 120000 php/7.4/apache2/conf.d/20-shmop.ini create mode 120000 php/7.4/apache2/conf.d/20-sockets.ini create mode 120000 php/7.4/apache2/conf.d/20-sysvmsg.ini create mode 120000 
php/7.4/apache2/conf.d/20-sysvsem.ini create mode 120000 php/7.4/apache2/conf.d/20-sysvshm.ini create mode 120000 php/7.4/apache2/conf.d/20-tokenizer.ini create mode 100644 php/7.4/apache2/php.ini create mode 120000 php/7.4/cli/conf.d/10-opcache.ini create mode 120000 php/7.4/cli/conf.d/10-pdo.ini create mode 120000 php/7.4/cli/conf.d/20-calendar.ini create mode 120000 php/7.4/cli/conf.d/20-ctype.ini create mode 120000 php/7.4/cli/conf.d/20-exif.ini create mode 120000 php/7.4/cli/conf.d/20-ffi.ini create mode 120000 php/7.4/cli/conf.d/20-fileinfo.ini create mode 120000 php/7.4/cli/conf.d/20-ftp.ini create mode 120000 php/7.4/cli/conf.d/20-gd.ini create mode 120000 php/7.4/cli/conf.d/20-gettext.ini create mode 120000 php/7.4/cli/conf.d/20-iconv.ini create mode 120000 php/7.4/cli/conf.d/20-json.ini create mode 120000 php/7.4/cli/conf.d/20-ldap.ini create mode 120000 php/7.4/cli/conf.d/20-phar.ini create mode 120000 php/7.4/cli/conf.d/20-posix.ini create mode 120000 php/7.4/cli/conf.d/20-readline.ini create mode 120000 php/7.4/cli/conf.d/20-shmop.ini create mode 120000 php/7.4/cli/conf.d/20-sockets.ini create mode 120000 php/7.4/cli/conf.d/20-sysvmsg.ini create mode 120000 php/7.4/cli/conf.d/20-sysvsem.ini create mode 120000 php/7.4/cli/conf.d/20-sysvshm.ini create mode 120000 php/7.4/cli/conf.d/20-tokenizer.ini create mode 100644 php/7.4/cli/php.ini create mode 100644 php/7.4/mods-available/calendar.ini create mode 100644 php/7.4/mods-available/ctype.ini create mode 100644 php/7.4/mods-available/exif.ini create mode 100644 php/7.4/mods-available/ffi.ini create mode 100644 php/7.4/mods-available/fileinfo.ini create mode 100644 php/7.4/mods-available/ftp.ini create mode 100644 php/7.4/mods-available/gd.ini create mode 100644 php/7.4/mods-available/gettext.ini create mode 100644 php/7.4/mods-available/iconv.ini create mode 100644 php/7.4/mods-available/json.ini create mode 100644 php/7.4/mods-available/ldap.ini create mode 100644 php/7.4/mods-available/opcache.ini 
create mode 100644 php/7.4/mods-available/pdo.ini create mode 100644 php/7.4/mods-available/phar.ini create mode 100644 php/7.4/mods-available/posix.ini create mode 100644 php/7.4/mods-available/readline.ini create mode 100644 php/7.4/mods-available/shmop.ini create mode 100644 php/7.4/mods-available/sockets.ini create mode 100644 php/7.4/mods-available/sysvmsg.ini create mode 100644 php/7.4/mods-available/sysvsem.ini create mode 100644 php/7.4/mods-available/sysvshm.ini create mode 100644 php/7.4/mods-available/tokenizer.ini create mode 120000 rc0.d/K01named delete mode 120000 rc0.d/K02bind9 rename rc0.d/{K03sendsigs => K02sendsigs} (100%) rename rc0.d/{K04rsyslog => K03rsyslog} (100%) rename rc0.d/{K05hwclock.sh => K04hwclock.sh} (100%) rename rc0.d/{K05umountnfs.sh => K04umountnfs.sh} (100%) rename rc0.d/{K06networking => K05networking} (100%) rename rc0.d/{K07umountfs => K06umountfs} (100%) rename rc0.d/{K08umountroot => K07umountroot} (100%) rename rc0.d/{K09halt => K08halt} (100%) create mode 120000 rc1.d/K01named delete mode 120000 rc1.d/K02bind9 rename rc1.d/{K04rsyslog => K03rsyslog} (100%) delete mode 120000 rc2.d/S03bind9 create mode 120000 rc2.d/S03named delete mode 120000 rc3.d/S03bind9 create mode 120000 rc3.d/S03named delete mode 120000 rc4.d/S03bind9 create mode 120000 rc4.d/S03named delete mode 120000 rc5.d/S03bind9 create mode 120000 rc5.d/S03named create mode 120000 rc6.d/K01named delete mode 120000 rc6.d/K02bind9 rename rc6.d/{K03sendsigs => K02sendsigs} (100%) rename rc6.d/{K04rsyslog => K03rsyslog} (100%) rename rc6.d/{K05hwclock.sh => K04hwclock.sh} (100%) rename rc6.d/{K05umountnfs.sh => K04umountnfs.sh} (100%) rename rc6.d/{K06networking => K05networking} (100%) rename rc6.d/{K07umountfs => K06umountfs} (100%) rename rc6.d/{K08umountroot => K07umountroot} (100%) rename rc6.d/{K09reboot => K08reboot} (100%) create mode 120000 runit/runsvdir/default/acpid create mode 100644 security/faillock.conf create mode 100644 shadow.org delete mode 
120000 ssl/certs/128805a3.0 create mode 120000 ssl/certs/3fb36b73.0 delete mode 120000 ssl/certs/5c44d531.0 create mode 120000 ssl/certs/5f618aec.0 delete mode 120000 ssl/certs/6410666e.0 delete mode 120000 ssl/certs/8867006a.0 create mode 120000 ssl/certs/8d89cda1.0 create mode 120000 ssl/certs/9b5697b0.0 delete mode 120000 ssl/certs/EE_Certification_Centre_Root_CA.pem delete mode 120000 ssl/certs/GeoTrust_Universal_CA_2.pem delete mode 120000 ssl/certs/LuxTrust_Global_Root_2.pem create mode 120000 ssl/certs/Microsoft_ECC_Root_Certificate_Authority_2017.pem create mode 120000 ssl/certs/Microsoft_RSA_Root_Certificate_Authority_2017.pem create mode 120000 ssl/certs/NAVER_Global_Root_Certification_Authority.pem delete mode 120000 ssl/certs/OISTE_WISeKey_Global_Root_GA_CA.pem delete mode 120000 ssl/certs/Staat_der_Nederlanden_Root_CA_-_G2.pem delete mode 120000 ssl/certs/Taiwan_GRCA.pem create mode 120000 ssl/certs/Trustwave_Global_Certification_Authority.pem create mode 120000 ssl/certs/Trustwave_Global_ECC_P256_Certification_Authority.pem create mode 120000 ssl/certs/Trustwave_Global_ECC_P384_Certification_Authority.pem delete mode 120000 ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem delete mode 120000 ssl/certs/b1b8a7f3.0 create mode 120000 ssl/certs/bf53fb88.0 delete mode 120000 ssl/certs/c0ff1f52.0 create mode 120000 ssl/certs/certSIGN_Root_CA_G2.pem create mode 120000 ssl/certs/d887a5bb.0 delete mode 120000 ssl/certs/def36a68.0 create mode 120000 ssl/certs/e-Szigno_Root_CA_2017.pem create mode 120000 ssl/certs/e868b802.0 create mode 120000 ssl/certs/f249de83.0 create mode 100644 sudo.conf create mode 100644 sudo_logsrvd.conf create mode 100644 sv/acpid/.meta/installed create mode 100755 sv/acpid/log/run create mode 120000 sv/acpid/log/supervise create mode 100755 sv/acpid/run create mode 120000 sv/acpid/supervise delete mode 100644 sysctl.d/protect-links.conf create mode 120000 systemd/system/bind9.service create mode 120000 
systemd/system/multi-user.target.wants/named.service create mode 100644 systemd/system/netfilter-persistent.service.d/iptables.conf create mode 120000 systemd/system/timers.target.wants/mlocate.timer diff --git a/.etckeeper b/.etckeeper index d12c5f1..235dc3d 100755 --- a/.etckeeper +++ b/.etckeeper @@ -1,8 +1,10 @@ # Generated by etckeeper. Do not edit. +mkdir -p './NetworkManager/dispatcher.d' mkdir -p './X11/xkb' mkdir -p './apm/event.d' mkdir -p './apt/auth.conf.d' +mkdir -p './apt/listchanges.conf.d' mkdir -p './apt/preferences.d' mkdir -p './binfmt.d' mkdir -p './ca-certificates/update.d' @@ -32,7 +34,6 @@ mkdir -p './mysql/mariadb.conf.d' mkdir -p './network/if-pre-up.d' mkdir -p './network/interfaces.d' mkdir -p './opt' -mkdir -p './perl/CPAN' mkdir -p './postfix/dynamicmaps.cf.d' mkdir -p './postfix/sasl' mkdir -p './salt/pki/master/minions_autosign' @@ -52,7 +53,6 @@ maybe chmod 0700 '.etckeeper' maybe chmod 0600 '.gitignore' maybe chmod 0755 'NetworkManager' maybe chmod 0755 'NetworkManager/dispatcher.d' -maybe chmod 0755 'NetworkManager/dispatcher.d/20-chrony' maybe chmod 0755 'X11' maybe chmod 0755 'X11/Xsession.d' maybe chmod 0644 'X11/Xsession.d/90gpg-agent' @@ -174,6 +174,8 @@ maybe chmod 0644 'apache2/mods-available/negotiation.conf' maybe chmod 0644 'apache2/mods-available/negotiation.load' maybe chmod 0644 'apache2/mods-available/php7.3.conf' maybe chmod 0644 'apache2/mods-available/php7.3.load' +maybe chmod 0644 'apache2/mods-available/php7.4.conf' +maybe chmod 0644 'apache2/mods-available/php7.4.load' maybe chmod 0644 'apache2/mods-available/proxy.conf' maybe chmod 0644 'apache2/mods-available/proxy.load' maybe chmod 0644 'apache2/mods-available/proxy_ajp.load' 
@@ -211,6 +213,7 @@ maybe chmod 0644 'apache2/mods-available/slotmem_plain.load'
 maybe chmod 0644 'apache2/mods-available/slotmem_shm.load'
 maybe chmod 0644 'apache2/mods-available/socache_dbm.load'
 maybe chmod 0644 'apache2/mods-available/socache_memcache.load'
+maybe chmod 0644 'apache2/mods-available/socache_redis.load'
 maybe chmod 0644 'apache2/mods-available/socache_shmcb.load'
 maybe chmod 0644 'apache2/mods-available/speling.load'
 maybe chmod 0644 'apache2/mods-available/ssl.conf'
@@ -242,15 +245,16 @@ maybe chmod 0755 'apparmor.d'
 maybe chmod 0755 'apparmor.d/force-complain'
 maybe chmod 0755 'apparmor.d/local'
 maybe chmod 0644 'apparmor.d/local/usr.bin.man'
+maybe chmod 0644 'apparmor.d/local/usr.bin.tcpdump'
 maybe chmod 0644 'apparmor.d/local/usr.sbin.chronyd'
 maybe chmod 0644 'apparmor.d/local/usr.sbin.haveged'
 maybe chmod 0644 'apparmor.d/local/usr.sbin.named'
 maybe chmod 0644 'apparmor.d/local/usr.sbin.tcpdump'
 maybe chmod 0644 'apparmor.d/usr.bin.man'
+maybe chmod 0644 'apparmor.d/usr.bin.tcpdump'
 maybe chmod 0644 'apparmor.d/usr.sbin.chronyd'
 maybe chmod 0644 'apparmor.d/usr.sbin.haveged'
 maybe chmod 0644 'apparmor.d/usr.sbin.named'
-maybe chmod 0644 'apparmor.d/usr.sbin.tcpdump'
 maybe chmod 0755 'apt'
 maybe chmod 0644 'apt/SALTSTACK-GPG-KEY.pub'
 maybe chmod 0755 'apt/apt.conf.d'
@@ -265,6 +269,7 @@ maybe chmod 0644 'apt/apt.conf.d/70debconf'
 maybe chmod 0644 'apt/apt.conf.d/99needrestart'
 maybe chmod 0755 'apt/auth.conf.d'
 maybe chmod 0644 'apt/listchanges.conf'
+maybe chmod 0755 'apt/listchanges.conf.d'
 maybe chmod 0755 'apt/preferences.d'
 maybe chmod 0644 'apt/repo.uhu-banane.de.gpg-key.pub'
 maybe chmod 0644 'apt/repo.uhu-banane.de.gpg-key2.pub'
@@ -366,6 +371,10 @@ maybe chmod 0755 'chrony' maybe chmod 0644 'chrony/chrony.conf' maybe chmod 0644 'chrony/chrony.conf.ucf-dist' maybe chmod 0640 'chrony/chrony.keys' +maybe chmod 0755 'chrony/conf.d' +maybe chmod 0644 'chrony/conf.d/README' +maybe chmod 0755 'chrony/sources.d' +maybe chmod 0644 'chrony/sources.d/README' maybe chmod 0644 'colordiffrc' maybe chmod 0755 'console-setup' maybe chmod 0644 'console-setup/cached_Lat15-Fixed16.psf.gz' @@ -419,7 +428,6 @@ maybe chmod 0755 'cron.daily/etckeeper' maybe chmod 0755 'cron.daily/logrotate' maybe chmod 0755 'cron.daily/man-db' maybe chmod 0755 'cron.daily/mlocate' -maybe chmod 0755 'cron.daily/passwd' maybe chmod 0755 'cron.hourly' maybe chmod 0644 'cron.hourly/.placeholder' maybe chmod 0755 'cron.monthly' @@ -457,12 +465,12 @@ maybe chmod 0644 'default/icinga2' maybe chmod 0644 'default/keyboard' maybe chmod 0644 'default/locale' maybe chmod 0644 'default/locale.bak' +maybe chmod 0644 'default/named' maybe chmod 0644 'default/netfilter-persistent' maybe chmod 0644 'default/networking' maybe chmod 0644 'default/nss' maybe chmod 0644 'default/rcS' maybe chmod 0644 'default/rsync' -maybe chmod 0644 'default/rsyslog' maybe chmod 0644 'default/salt-master.environment' maybe chmod 0644 'default/salt-minion.environment' maybe chmod 0644 'default/slapd' @@ -551,6 +559,7 @@ maybe chmod 0755 'etckeeper/update-ignore.d/01update-ignore' maybe chmod 0644 'etckeeper/update-ignore.d/README' maybe chmod 0755 'etckeeper/vcs.d' maybe chmod 0755 'etckeeper/vcs.d/50vcs-cmd' +maybe chmod 0644 'ethertypes' maybe chmod 0755 'fail2ban' maybe chmod 0755 'fail2ban/action.d' maybe chmod 0644 'fail2ban/action.d/abuseipdb.conf' 
@@ -595,6 +604,7 @@ maybe chmod 0644 'fail2ban/action.d/netscaler.conf' maybe chmod 0644 'fail2ban/action.d/nftables-allports.conf' maybe chmod 0644 'fail2ban/action.d/nftables-common.conf' maybe chmod 0644 'fail2ban/action.d/nftables-multiport.conf' +maybe chmod 0644 'fail2ban/action.d/nftables.conf' maybe chmod 0644 'fail2ban/action.d/nginx-block-map.conf' maybe chmod 0644 'fail2ban/action.d/npf.conf' maybe chmod 0644 'fail2ban/action.d/nsupdate.conf' @@ -638,7 +648,9 @@ maybe chmod 0644 'fail2ban/filter.d/apache-pass.conf' maybe chmod 0644 'fail2ban/filter.d/apache-shellshock.conf' maybe chmod 0644 'fail2ban/filter.d/assp.conf' maybe chmod 0644 'fail2ban/filter.d/asterisk.conf' +maybe chmod 0644 'fail2ban/filter.d/bitwarden.conf' maybe chmod 0644 'fail2ban/filter.d/botsearch-common.conf' +maybe chmod 0644 'fail2ban/filter.d/centreon.conf' maybe chmod 0644 'fail2ban/filter.d/common.conf' maybe chmod 0644 'fail2ban/filter.d/counter-strike.conf' maybe chmod 0644 'fail2ban/filter.d/courier-auth.conf' @@ -655,6 +667,8 @@ maybe chmod 0644 'fail2ban/filter.d/exim-spam.conf' maybe chmod 0644 'fail2ban/filter.d/exim.conf' maybe chmod 0644 'fail2ban/filter.d/freeswitch.conf' maybe chmod 0644 'fail2ban/filter.d/froxlor-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/gitlab.conf' +maybe chmod 0644 'fail2ban/filter.d/grafana.conf' maybe chmod 0644 'fail2ban/filter.d/groupoffice.conf' maybe chmod 0644 'fail2ban/filter.d/gssftpd.conf' maybe chmod 0644 'fail2ban/filter.d/guacamole.conf' @@ -697,6 +711,7 @@ maybe chmod 0644 'fail2ban/filter.d/sendmail-auth.conf' maybe chmod 0644 'fail2ban/filter.d/sendmail-reject.conf' maybe chmod 0644 'fail2ban/filter.d/sieve.conf' maybe chmod 0644 'fail2ban/filter.d/slapd.conf' +maybe chmod 0644 'fail2ban/filter.d/softethervpn.conf' maybe chmod 0644 'fail2ban/filter.d/sogo-auth.conf' maybe chmod 0644 'fail2ban/filter.d/solid-pop3d.conf' maybe chmod 0644 'fail2ban/filter.d/squid.conf' 
@@ -706,11 +721,13 @@ maybe chmod 0644 'fail2ban/filter.d/sshd.conf' maybe chmod 0644 'fail2ban/filter.d/stunnel.conf' maybe chmod 0644 'fail2ban/filter.d/suhosin.conf' maybe chmod 0644 'fail2ban/filter.d/tine20.conf' +maybe chmod 0644 'fail2ban/filter.d/traefik-auth.conf' maybe chmod 0644 'fail2ban/filter.d/uwimap-auth.conf' maybe chmod 0644 'fail2ban/filter.d/vsftpd.conf' maybe chmod 0644 'fail2ban/filter.d/webmin-auth.conf' maybe chmod 0644 'fail2ban/filter.d/wuftpd.conf' maybe chmod 0644 'fail2ban/filter.d/xinetd-fail.conf' +maybe chmod 0644 'fail2ban/filter.d/znc-adminlog.conf' maybe chmod 0644 'fail2ban/filter.d/zoneminder.conf' maybe chmod 0644 'fail2ban/jail.conf' maybe chmod 0644 'fail2ban/jail.conf.bak' @@ -761,6 +778,7 @@ maybe chmod 0644 'groff/man.local' maybe chmod 0644 'groff/mdoc.local' maybe chmod 0644 'group' maybe chmod 0644 'group-' +maybe chmod 0644 'group.org' maybe chmod 0755 'grub.d' maybe chmod 0755 'grub.d/00_header' maybe chmod 0755 'grub.d/05_debian_theme' 
@@ -786,62 +804,143 @@ maybe chmod 0644 'hosts.deny' maybe chown 'nagios' 'icinga2' maybe chgrp 'nagios' 'icinga2' maybe chmod 0750 'icinga2' -maybe chmod 0755 'icinga2/conf.d' +maybe chown 'nagios' 'icinga2/conf.d' +maybe chgrp 'nagios' 'icinga2/conf.d' +maybe chmod 0750 'icinga2/conf.d' +maybe chown 'nagios' 'icinga2/conf.d/app.conf' +maybe chgrp 'nagios' 'icinga2/conf.d/app.conf' maybe chmod 0644 'icinga2/conf.d/app.conf' +maybe chown 'nagios' 'icinga2/conf.d/apt.conf' +maybe chgrp 'nagios' 'icinga2/conf.d/apt.conf' maybe chmod 0644 'icinga2/conf.d/apt.conf' +maybe chown 'nagios' 'icinga2/conf.d/commands.conf' +maybe chgrp 'nagios' 'icinga2/conf.d/commands.conf' maybe chmod 0644 'icinga2/conf.d/commands.conf' +maybe chown 'nagios' 'icinga2/conf.d/downtimes.conf' +maybe chgrp 'nagios' 'icinga2/conf.d/downtimes.conf' maybe chmod 0644 'icinga2/conf.d/downtimes.conf' +maybe chown 'nagios' 'icinga2/conf.d/groups.conf' +maybe chgrp 'nagios' 'icinga2/conf.d/groups.conf' maybe chmod 0644 'icinga2/conf.d/groups.conf' +maybe chown 'nagios' 'icinga2/conf.d/hosts.conf' +maybe chgrp 'nagios' 'icinga2/conf.d/hosts.conf' maybe chmod 0644 'icinga2/conf.d/hosts.conf' +maybe chown 'nagios' 'icinga2/conf.d/notifications.conf' +maybe chgrp 'nagios' 'icinga2/conf.d/notifications.conf' maybe chmod 0644 'icinga2/conf.d/notifications.conf' +maybe chown 'nagios' 'icinga2/conf.d/satellite.conf' +maybe chgrp 'nagios' 'icinga2/conf.d/satellite.conf' maybe chmod 0644 'icinga2/conf.d/satellite.conf' +maybe chown 'nagios' 'icinga2/conf.d/services.conf' +maybe chgrp 'nagios' 'icinga2/conf.d/services.conf' maybe chmod 0644 'icinga2/conf.d/services.conf' +maybe chown 'nagios' 'icinga2/conf.d/templates.conf' +maybe chgrp 'nagios' 'icinga2/conf.d/templates.conf' maybe chmod 0644 'icinga2/conf.d/templates.conf' +maybe chown 'nagios' 'icinga2/conf.d/timeperiods.conf' +maybe chgrp 'nagios' 'icinga2/conf.d/timeperiods.conf' maybe chmod 0644 'icinga2/conf.d/timeperiods.conf' +maybe chown 'nagios' 
'icinga2/conf.d/users.conf' +maybe chgrp 'nagios' 'icinga2/conf.d/users.conf' maybe chmod 0644 'icinga2/conf.d/users.conf' -maybe chmod 0644 'icinga2/constants.conf' +maybe chown 'nagios' 'icinga2/constants.conf' +maybe chgrp 'nagios' 'icinga2/constants.conf' +maybe chmod 0640 'icinga2/constants.conf' maybe chmod 0644 'icinga2/constants.conf.orig' -maybe chmod 0755 'icinga2/features-available' +maybe chown 'nagios' 'icinga2/features-available' +maybe chgrp 'nagios' 'icinga2/features-available' +maybe chmod 0750 'icinga2/features-available' +maybe chown 'nagios' 'icinga2/features-available/api.conf' +maybe chgrp 'nagios' 'icinga2/features-available/api.conf' maybe chmod 0644 'icinga2/features-available/api.conf' +maybe chown 'nagios' 'icinga2/features-available/api.conf.orig' +maybe chgrp 'nagios' 'icinga2/features-available/api.conf.orig' maybe chmod 0644 'icinga2/features-available/api.conf.orig' +maybe chown 'nagios' 'icinga2/features-available/checker.conf' +maybe chgrp 'nagios' 'icinga2/features-available/checker.conf' maybe chmod 0644 'icinga2/features-available/checker.conf' +maybe chown 'nagios' 'icinga2/features-available/command.conf' +maybe chgrp 'nagios' 'icinga2/features-available/command.conf' maybe chmod 0644 'icinga2/features-available/command.conf' +maybe chown 'nagios' 'icinga2/features-available/compatlog.conf' +maybe chgrp 'nagios' 'icinga2/features-available/compatlog.conf' maybe chmod 0644 'icinga2/features-available/compatlog.conf' +maybe chown 'nagios' 'icinga2/features-available/debuglog.conf' +maybe chgrp 'nagios' 'icinga2/features-available/debuglog.conf' maybe chmod 0644 'icinga2/features-available/debuglog.conf' +maybe chown 'nagios' 'icinga2/features-available/elasticsearch.conf' +maybe chgrp 'nagios' 'icinga2/features-available/elasticsearch.conf' maybe chmod 0644 'icinga2/features-available/elasticsearch.conf' +maybe chown 'nagios' 'icinga2/features-available/gelf.conf' +maybe chgrp 'nagios' 'icinga2/features-available/gelf.conf' 
maybe chmod 0644 'icinga2/features-available/gelf.conf' +maybe chown 'nagios' 'icinga2/features-available/graphite.conf' +maybe chgrp 'nagios' 'icinga2/features-available/graphite.conf' maybe chmod 0644 'icinga2/features-available/graphite.conf' +maybe chown 'nagios' 'icinga2/features-available/icingadb.conf' +maybe chgrp 'nagios' 'icinga2/features-available/icingadb.conf' +maybe chmod 0644 'icinga2/features-available/icingadb.conf' +maybe chown 'nagios' 'icinga2/features-available/influxdb.conf' +maybe chgrp 'nagios' 'icinga2/features-available/influxdb.conf' maybe chmod 0644 'icinga2/features-available/influxdb.conf' +maybe chown 'nagios' 'icinga2/features-available/livestatus.conf' +maybe chgrp 'nagios' 'icinga2/features-available/livestatus.conf' maybe chmod 0644 'icinga2/features-available/livestatus.conf' +maybe chown 'nagios' 'icinga2/features-available/mainlog.conf' +maybe chgrp 'nagios' 'icinga2/features-available/mainlog.conf' maybe chmod 0644 'icinga2/features-available/mainlog.conf' +maybe chown 'nagios' 'icinga2/features-available/notification.conf' +maybe chgrp 'nagios' 'icinga2/features-available/notification.conf' maybe chmod 0644 'icinga2/features-available/notification.conf' +maybe chown 'nagios' 'icinga2/features-available/opentsdb.conf' +maybe chgrp 'nagios' 'icinga2/features-available/opentsdb.conf' maybe chmod 0644 'icinga2/features-available/opentsdb.conf' +maybe chown 'nagios' 'icinga2/features-available/perfdata.conf' +maybe chgrp 'nagios' 'icinga2/features-available/perfdata.conf' maybe chmod 0644 'icinga2/features-available/perfdata.conf' +maybe chown 'nagios' 'icinga2/features-available/statusdata.conf' +maybe chgrp 'nagios' 'icinga2/features-available/statusdata.conf' maybe chmod 0644 'icinga2/features-available/statusdata.conf' +maybe chown 'nagios' 'icinga2/features-available/syslog.conf' +maybe chgrp 'nagios' 'icinga2/features-available/syslog.conf' maybe chmod 0644 'icinga2/features-available/syslog.conf' -maybe chmod 0755 
'icinga2/features-enabled' -maybe chmod 0644 'icinga2/icinga2.conf' +maybe chown 'nagios' 'icinga2/features-enabled' +maybe chgrp 'nagios' 'icinga2/features-enabled' +maybe chmod 0750 'icinga2/features-enabled' +maybe chown 'nagios' 'icinga2/icinga2.conf' +maybe chgrp 'nagios' 'icinga2/icinga2.conf' +maybe chmod 0640 'icinga2/icinga2.conf' maybe chmod 0644 'icinga2/init.conf' maybe chown 'nagios' 'icinga2/pki' maybe chgrp 'nagios' 'icinga2/pki' maybe chmod 0700 'icinga2/pki' +maybe chown 'nagios' 'icinga2/pki/ca.crt' +maybe chgrp 'nagios' 'icinga2/pki/ca.crt' maybe chmod 0644 'icinga2/pki/ca.crt' maybe chown 'nagios' 'icinga2/pki/ns3.uhu-banane.de.crt' maybe chgrp 'nagios' 'icinga2/pki/ns3.uhu-banane.de.crt' maybe chmod 0644 'icinga2/pki/ns3.uhu-banane.de.crt' +maybe chown 'nagios' 'icinga2/pki/ns3.uhu-banane.de.crt.orig' +maybe chgrp 'nagios' 'icinga2/pki/ns3.uhu-banane.de.crt.orig' maybe chmod 0644 'icinga2/pki/ns3.uhu-banane.de.crt.orig' maybe chown 'nagios' 'icinga2/pki/ns3.uhu-banane.de.key' maybe chgrp 'nagios' 'icinga2/pki/ns3.uhu-banane.de.key' maybe chmod 0600 'icinga2/pki/ns3.uhu-banane.de.key' +maybe chown 'nagios' 'icinga2/pki/ns3.uhu-banane.de.key.orig' +maybe chgrp 'nagios' 'icinga2/pki/ns3.uhu-banane.de.key.orig' maybe chmod 0600 'icinga2/pki/ns3.uhu-banane.de.key.orig' maybe chmod 0755 'icinga2/repository.d' maybe chmod 0644 'icinga2/repository.d/README' maybe chmod 0755 'icinga2/scripts' maybe chmod 0755 'icinga2/scripts/mail-host-notification.sh' maybe chmod 0755 'icinga2/scripts/mail-service-notification.sh' -maybe chmod 0644 'icinga2/zones.conf' +maybe chown 'nagios' 'icinga2/zones.conf' +maybe chgrp 'nagios' 'icinga2/zones.conf' +maybe chmod 0640 'icinga2/zones.conf' maybe chmod 0644 'icinga2/zones.conf.orig' -maybe chmod 0755 'icinga2/zones.d' +maybe chown 'nagios' 'icinga2/zones.d' +maybe chgrp 'nagios' 'icinga2/zones.d' +maybe chmod 0750 'icinga2/zones.d' maybe chmod 0644 'icinga2/zones.d/README' maybe chmod 0755 'init' maybe chmod 0755 
'init.d' @@ -849,7 +948,6 @@ maybe chmod 0755 'init.d/acpid' maybe chmod 0755 'init.d/apache-htcacheclean' maybe chmod 0755 'init.d/apache2' maybe chmod 0755 'init.d/atd' -maybe chmod 0755 'init.d/bind9' maybe chmod 0755 'init.d/bootlogs' maybe chmod 0755 'init.d/bootmisc.sh' maybe chmod 0755 'init.d/brightness' @@ -879,6 +977,7 @@ maybe chmod 0755 'init.d/mountdevsubfs.sh' maybe chmod 0755 'init.d/mountkernfs.sh' maybe chmod 0755 'init.d/mountnfs-bootclean.sh' maybe chmod 0755 'init.d/mountnfs.sh' +maybe chmod 0755 'init.d/named' maybe chmod 0755 'init.d/netfilter-persistent' maybe chmod 0755 'init.d/networking' maybe chmod 0755 'init.d/postfix' @@ -1274,6 +1373,9 @@ maybe chmod 0755 'letsencrypt/renewal-hooks/pre' maybe chmod 0644 'letsencrypt/renewal/git.uhu-banane.net.conf' maybe chmod 0644 'lftp.conf' maybe chmod 0644 'libaudit.conf' +maybe chmod 0755 'libnl-3' +maybe chmod 0644 'libnl-3/classid' +maybe chmod 0644 'libnl-3/pktloc' maybe chmod 0755 'lighttpd' maybe chmod 0755 'lighttpd/conf-available' maybe chmod 0644 'lighttpd/conf-available/90-javascript-alias.conf' @@ -1284,6 +1386,8 @@ maybe chmod 0755 'logcheck' maybe chmod 0755 'logcheck/ignore.d.server' maybe chmod 0644 'logcheck/ignore.d.server/gpg-agent' maybe chmod 0644 'logcheck/ignore.d.server/libsasl2-modules' +maybe chmod 0755 'logcheck/ignore.d.server/netfilter-persistent' +maybe chmod 0644 'logcheck/ignore.d.server/netfilter-persistent/netfilter-persistent' maybe chmod 0644 'logcheck/ignore.d.server/rsyslog' maybe chmod 0644 'login.defs' maybe chmod 0644 'logrotate.conf' @@ -1366,6 +1470,7 @@ maybe chmod 0755 'nagios-plugins' maybe chmod 0755 'nagios-plugins/config' maybe chmod 0644 'nagios-plugins/config/apt.cfg' maybe chmod 0644 'nagios-plugins/config/breeze.cfg' +maybe chmod 0644 'nagios-plugins/config/curl-http.cfg' maybe chmod 0644 'nagios-plugins/config/dhcp.cfg' maybe chmod 0644 'nagios-plugins/config/disk-smb.cfg' maybe chmod 0644 'nagios-plugins/config/disk.cfg' 
@@ -1407,7 +1512,9 @@ maybe chmod 0644 'needrestart/conf.d/README.needrestart' maybe chmod 0755 'needrestart/hook.d' maybe chmod 0755 'needrestart/hook.d/10-dpkg' maybe chmod 0755 'needrestart/hook.d/20-rpm' +maybe chmod 0755 'needrestart/hook.d/30-pacman' maybe chmod 0755 'needrestart/hook.d/90-none' +maybe chmod 0644 'needrestart/iucode.sh' maybe chmod 0644 'needrestart/needrestart.conf' maybe chmod 0644 'needrestart/notify.conf' maybe chmod 0755 'needrestart/notify.d' @@ -1464,8 +1571,8 @@ maybe chmod 0644 'pam.d/su-l' maybe chmod 0644 'pam.d/sudo' maybe chmod 0644 'passwd' maybe chmod 0644 'passwd-' +maybe chmod 0644 'passwd.org' maybe chmod 0755 'perl' -maybe chmod 0755 'perl/CPAN' maybe chmod 0755 'perl/Net' maybe chmod 0644 'perl/Net/libnet.cfg' maybe chmod 0755 'php' @@ -1494,10 +1601,8 @@ maybe chmod 0644 'php/7.0/mods-available/sysvshm.ini' maybe chmod 0644 'php/7.0/mods-available/tokenizer.ini' maybe chmod 0755 'php/7.3' maybe chmod 0755 'php/7.3/apache2' -maybe chmod 0755 'php/7.3/apache2/conf.d' maybe chmod 0644 'php/7.3/apache2/php.ini' maybe chmod 0755 'php/7.3/cli' -maybe chmod 0755 'php/7.3/cli/conf.d' maybe chmod 0644 'php/7.3/cli/php.ini' maybe chmod 0755 'php/7.3/mods-available' maybe chmod 0644 'php/7.3/mods-available/calendar.ini' 
@@ -1521,6 +1626,36 @@ maybe chmod 0644 'php/7.3/mods-available/sysvmsg.ini' maybe chmod 0644 'php/7.3/mods-available/sysvsem.ini' maybe chmod 0644 'php/7.3/mods-available/sysvshm.ini' maybe chmod 0644 'php/7.3/mods-available/tokenizer.ini' +maybe chmod 0755 'php/7.4' +maybe chmod 0755 'php/7.4/apache2' +maybe chmod 0755 'php/7.4/apache2/conf.d' +maybe chmod 0644 'php/7.4/apache2/php.ini' +maybe chmod 0755 'php/7.4/cli' +maybe chmod 0755 'php/7.4/cli/conf.d' +maybe chmod 0644 'php/7.4/cli/php.ini' +maybe chmod 0755 'php/7.4/mods-available' +maybe chmod 0644 'php/7.4/mods-available/calendar.ini' +maybe chmod 0644 'php/7.4/mods-available/ctype.ini' +maybe chmod 0644 'php/7.4/mods-available/exif.ini' +maybe chmod 0644 'php/7.4/mods-available/ffi.ini' +maybe chmod 0644 'php/7.4/mods-available/fileinfo.ini' +maybe chmod 0644 'php/7.4/mods-available/ftp.ini' +maybe chmod 0644 'php/7.4/mods-available/gd.ini' +maybe chmod 0644 'php/7.4/mods-available/gettext.ini' +maybe chmod 0644 'php/7.4/mods-available/iconv.ini' +maybe chmod 0644 'php/7.4/mods-available/json.ini' +maybe chmod 0644 'php/7.4/mods-available/ldap.ini' +maybe chmod 0644 'php/7.4/mods-available/opcache.ini' +maybe chmod 0644 'php/7.4/mods-available/pdo.ini' +maybe chmod 0644 'php/7.4/mods-available/phar.ini' +maybe chmod 0644 'php/7.4/mods-available/posix.ini' +maybe chmod 0644 'php/7.4/mods-available/readline.ini' +maybe chmod 0644 'php/7.4/mods-available/shmop.ini' +maybe chmod 0644 'php/7.4/mods-available/sockets.ini' +maybe chmod 0644 'php/7.4/mods-available/sysvmsg.ini' +maybe chmod 0644 'php/7.4/mods-available/sysvsem.ini' +maybe chmod 0644 'php/7.4/mods-available/sysvshm.ini' +maybe chmod 0644 'php/7.4/mods-available/tokenizer.ini' maybe chmod 0755 'postfix' maybe chmod 0644 'postfix/dynamicmaps.cf' maybe chmod 0755 'postfix/dynamicmaps.cf.d' 
@@ -1639,6 +1774,7 @@ maybe chmod 0755 'salt/proxy.d' maybe chmod 0644 'salt/roster' maybe chmod 0755 'security' maybe chmod 0644 'security/access.conf' +maybe chmod 0644 'security/faillock.conf' maybe chmod 0644 'security/group.conf' maybe chmod 0644 'security/limits.conf' maybe chmod 0755 'security/limits.d' @@ -1654,6 +1790,7 @@ maybe chmod 0644 'selinux/semanage.conf' maybe chmod 0644 'services' maybe chmod 0640 'shadow' maybe chmod 0640 'shadow-' +maybe chmod 0640 'shadow.org' maybe chmod 0644 'shells' maybe chmod 0755 'skel' maybe chmod 0644 'skel/.bash_logout' @@ -1707,10 +1844,18 @@ maybe chmod 0644 'subuid-' maybe chmod 0755 'subversion' maybe chmod 0644 'subversion/config' maybe chmod 0644 'subversion/servers' +maybe chmod 0644 'sudo.conf' +maybe chmod 0644 'sudo_logsrvd.conf' maybe chmod 0440 'sudoers' maybe chmod 0755 'sudoers.d' maybe chmod 0440 'sudoers.d/README' maybe chmod 0755 'sv' +maybe chmod 0755 'sv/acpid' +maybe chmod 0755 'sv/acpid/.meta' +maybe chmod 0644 'sv/acpid/.meta/installed' +maybe chmod 0755 'sv/acpid/log' +maybe chmod 0755 'sv/acpid/log/run' +maybe chmod 0755 'sv/acpid/run' maybe chmod 0755 'sv/ssh' maybe chmod 0755 'sv/ssh/.meta' maybe chmod 0644 'sv/ssh/.meta/installed' @@ -1721,7 +1866,6 @@ maybe chmod 0755 'sv/ssh/run' maybe chmod 0644 'sysctl.conf' maybe chmod 0755 'sysctl.d' maybe chmod 0644 'sysctl.d/README.sysctl' -maybe chmod 0644 'sysctl.d/protect-links.conf' maybe chmod 0755 'systemd' maybe chmod 0644 'systemd/journald.conf' maybe chmod 0644 'systemd/logind.conf' 
@@ -1742,6 +1886,8 @@ maybe chmod 0755 'systemd/system/getty@.service.d' maybe chmod 0644 'systemd/system/getty@.service.d/noclear.conf' maybe chmod 0644 'systemd/system/local.service' maybe chmod 0755 'systemd/system/multi-user.target.wants' +maybe chmod 0755 'systemd/system/netfilter-persistent.service.d' +maybe chmod 0644 'systemd/system/netfilter-persistent.service.d/iptables.conf' maybe chmod 0755 'systemd/system/network-online.target.wants' maybe chmod 0755 'systemd/system/paths.target.wants' maybe chmod 0755 'systemd/system/sockets.target.wants' diff --git a/NetworkManager/dispatcher.d/20-chrony b/NetworkManager/dispatcher.d/20-chrony deleted file mode 100755 index 0b0c3e7..0000000 --- a/NetworkManager/dispatcher.d/20-chrony +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/sh -# This is a NetworkManager dispatcher / networkd-dispatcher script for -# chronyd to set its NTP sources online or offline when a network interface -# is configured or removed - -export LC_ALL=C - -# For NetworkManager consider only up/down events -[ $# -ge 2 ] && [ "$2" != "up" ] && [ "$2" != "down" ] && exit 0 - -# Note: for networkd-dispatcher routable.d ~= on and off.d ~= off - -chronyc onoffline > /dev/null 2>&1 - -exit 0 diff --git a/acpi/powerbtn-acpi-support.sh b/acpi/powerbtn-acpi-support.sh index ec66597..7c8723e 100755 --- a/acpi/powerbtn-acpi-support.sh +++ b/acpi/powerbtn-acpi-support.sh @@ -15,7 +15,7 @@ fi . /usr/share/acpi-support/policy-funcs -if { CheckPolicy || HasLogindAndSystemd1Manager; }; then +if { CheckPolicy || HasDBusLogin1; }; then exit 0 fi diff --git a/alternatives/ip6tables.service b/alternatives/ip6tables.service new file mode 120000 index 0000000..8589be0 --- /dev/null +++ b/alternatives/ip6tables.service @@ -0,0 +1 @@ +/lib/systemd/system/netfilter-persistent.service \ No newline at end of file diff --git a/alternatives/iptables.service b/alternatives/iptables.service new file mode 120000 index 0000000..8589be0 --- /dev/null +++ b/alternatives/iptables.service 
@@ -0,0 +1 @@
+/lib/systemd/system/netfilter-persistent.service
\ No newline at end of file
diff --git a/alternatives/pager b/alternatives/pager
index cbce297..a967155 120000
--- a/alternatives/pager
+++ b/alternatives/pager
@@ -1 +1 @@
-/bin/less
\ No newline at end of file
+/usr/bin/less
\ No newline at end of file
diff --git a/alternatives/phar b/alternatives/phar
index b3b4ae7..0e07b6a 120000
--- a/alternatives/phar
+++ b/alternatives/phar
@@ -1 +1 @@
-/usr/bin/phar7.3
\ No newline at end of file
+/usr/bin/phar7.4
\ No newline at end of file
diff --git a/alternatives/phar.1.gz b/alternatives/phar.1.gz
index f308505..1890990 120000
--- a/alternatives/phar.1.gz
+++ b/alternatives/phar.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/phar7.3.1.gz
\ No newline at end of file
+/usr/share/man/man1/phar7.4.1.gz
\ No newline at end of file
diff --git a/alternatives/phar.phar b/alternatives/phar.phar
index a03cf84..955f488 120000
--- a/alternatives/phar.phar
+++ b/alternatives/phar.phar
@@ -1 +1 @@
-/usr/bin/phar.phar7.3
\ No newline at end of file
+/usr/bin/phar.phar7.4
\ No newline at end of file
diff --git a/alternatives/phar.phar.1.gz b/alternatives/phar.phar.1.gz
index 74ee7f3..4564897 120000
--- a/alternatives/phar.phar.1.gz
+++ b/alternatives/phar.phar.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/phar.phar7.3.1.gz
\ No newline at end of file
+/usr/share/man/man1/phar.phar7.4.1.gz
\ No newline at end of file
diff --git a/alternatives/php b/alternatives/php
index c890124..36f459d 120000
--- a/alternatives/php
+++ b/alternatives/php
@@ -1 +1 @@
-/usr/bin/php7.3
\ No newline at end of file
+/usr/bin/php7.4
\ No newline at end of file
diff --git a/alternatives/php.1.gz b/alternatives/php.1.gz
index 4338797..f5c4834 120000
--- a/alternatives/php.1.gz
+++ b/alternatives/php.1.gz
@@ -1 +1 @@
-/usr/share/man/man1/php7.3.1.gz
\ No newline at end of file
+/usr/share/man/man1/php7.4.1.gz
\ No newline at end of file
diff --git a/alternatives/w b/alternatives/w deleted file mode 120000 index 11c34c4..0000000 --- a/alternatives/w +++ /dev/null @@ -1 +0,0 @@ -/usr/bin/w.procps \ No newline at end of file diff --git a/alternatives/w.1.gz b/alternatives/w.1.gz deleted file mode 120000 index 7391b64..0000000 --- a/alternatives/w.1.gz +++ /dev/null @@ -1 +0,0 @@ -/usr/share/man/man1/w.procps.1.gz \ No newline at end of file diff --git a/apache2/conf-enabled/javascript-common.conf b/apache2/conf-enabled/javascript-common.conf new file mode 120000 index 0000000..0a4baa4 --- /dev/null +++ b/apache2/conf-enabled/javascript-common.conf @@ -0,0 +1 @@ +../conf-available/javascript-common.conf \ No newline at end of file diff --git a/apache2/mods-available/dav.load b/apache2/mods-available/dav.load index 6f6d1bb..a5867ff 100644 --- a/apache2/mods-available/dav.load +++ b/apache2/mods-available/dav.load @@ -1 +1,3 @@ -LoadModule dav_module /usr/lib/apache2/modules/mod_dav.so + + LoadModule dav_module /usr/lib/apache2/modules/mod_dav.so + diff --git a/apache2/mods-available/deflate.conf b/apache2/mods-available/deflate.conf index db48f92..e891e03 100644 --- a/apache2/mods-available/deflate.conf +++ b/apache2/mods-available/deflate.conf @@ -1,8 +1,9 @@ - AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css + AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript AddOutputFilterByType DEFLATE application/x-javascript application/javascript application/ecmascript AddOutputFilterByType DEFLATE application/rss+xml + AddOutputFilterByType DEFLATE application/wasm AddOutputFilterByType DEFLATE application/xml diff --git a/apache2/mods-available/mime.conf b/apache2/mods-available/mime.conf index 37dac86..38f8eb5 100644 --- a/apache2/mods-available/mime.conf +++ b/apache2/mods-available/mime.conf @@ -76,6 +76,7 @@ AddLanguage ca .ca AddLanguage cs .cz .cs AddLanguage cy .cy + AddLanguage da .da AddLanguage da .dk AddLanguage de .de AddLanguage dz .dz 
diff --git a/apache2/mods-available/php7.4.conf b/apache2/mods-available/php7.4.conf new file mode 100644 index 0000000..d4df3e5 --- /dev/null +++ b/apache2/mods-available/php7.4.conf @@ -0,0 +1,25 @@ + + SetHandler application/x-httpd-php + + + SetHandler application/x-httpd-php-source + # Deny access to raw php sources by default + # To re-enable it's recommended to enable access to the files + # only in specific virtual host or directory + Require all denied + +# Deny access to files without filename (e.g. '.php') + + Require all denied + + +# Running PHP scripts in user directories is disabled by default +# +# To re-enable PHP in user directories comment the following lines +# (from to .) Do NOT set it to On as it +# prevents .htaccess files from disabling it. + + + php_admin_flag engine Off + + diff --git a/apache2/mods-available/php7.4.load b/apache2/mods-available/php7.4.load new file mode 100644 index 0000000..94935a4 --- /dev/null +++ b/apache2/mods-available/php7.4.load @@ -0,0 +1,3 @@ +# Conflicts: php5 +# Depends: mpm_prefork +LoadModule php7_module /usr/lib/apache2/modules/libphp7.4.so diff --git a/apache2/mods-available/socache_redis.load b/apache2/mods-available/socache_redis.load new file mode 100644 index 0000000..b1a8de2 --- /dev/null +++ b/apache2/mods-available/socache_redis.load @@ -0,0 +1 @@ +LoadModule socache_redis_module /usr/lib/apache2/modules/mod_socache_redis.so diff --git a/apache2/mods-enabled/php7.3.conf b/apache2/mods-enabled/php7.3.conf deleted file mode 120000 index 9c8673f..0000000 --- a/apache2/mods-enabled/php7.3.conf +++ /dev/null @@ -1 +0,0 @@ -../mods-available/php7.3.conf \ No newline at end of file diff --git a/apache2/mods-enabled/php7.3.load b/apache2/mods-enabled/php7.3.load deleted file mode 120000 index ea4fee1..0000000 --- a/apache2/mods-enabled/php7.3.load +++ /dev/null @@ -1 +0,0 @@ -../mods-available/php7.3.load \ No newline at end of file 
diff --git a/apache2/mods-enabled/php7.4.conf b/apache2/mods-enabled/php7.4.conf new file mode 120000 index 0000000..7170bad --- /dev/null +++ b/apache2/mods-enabled/php7.4.conf @@ -0,0 +1 @@ +../mods-available/php7.4.conf \ No newline at end of file diff --git a/apache2/mods-enabled/php7.4.load b/apache2/mods-enabled/php7.4.load new file mode 120000 index 0000000..e223ffc --- /dev/null +++ b/apache2/mods-enabled/php7.4.load @@ -0,0 +1 @@ +../mods-available/php7.4.load \ No newline at end of file diff --git a/apparmor.d/local/usr.bin.tcpdump b/apparmor.d/local/usr.bin.tcpdump new file mode 100644 index 0000000..e69de29 diff --git a/apparmor.d/usr.bin.man b/apparmor.d/usr.bin.man index 569aec9..b6cd0be 100644 --- a/apparmor.d/usr.bin.man +++ b/apparmor.d/usr.bin.man @@ -39,6 +39,12 @@ capability setuid, capability setgid, + # Ordinary permission checks sometimes involve checking whether the + # process has this capability, which can produce audit log messages. + # Silence them. + deny capability dac_override, + deny capability dac_read_search, + signal peer=@{profile_name}, signal peer=/usr/bin/man//&man_groff, signal peer=/usr/bin/man//&man_filter, @@ -66,9 +72,12 @@ profile man_groff { /usr/bin/vgrind rm, /etc/groff/** r, + /etc/papersize r, /usr/lib/groff/site-tmac/** r, /usr/share/groff/** r, + /tmp/groff* rw, + signal peer=/usr/bin/man, # @{profile_name} doesn't seem to work here. signal peer=/usr/bin/man//&man_groff, @@ -95,6 +104,9 @@ profile man_filter { # do is feed data to the invoking man process. /** r, + # Allow writing cat pages. + /var/cache/man/** w, + signal peer=/usr/bin/man, # @{profile_name} doesn't seem to work here. signal peer=/usr/bin/man//&man_filter, diff --git a/apparmor.d/usr.sbin.tcpdump b/apparmor.d/usr.bin.tcpdump similarity index 89% rename from apparmor.d/usr.sbin.tcpdump rename to apparmor.d/usr.bin.tcpdump index 7a7da4f..38b2a35 100644 --- a/apparmor.d/usr.sbin.tcpdump +++ b/apparmor.d/usr.bin.tcpdump 
@@ -1,7 +1,7 @@ # vim:syntax=apparmor #include -/usr/sbin/tcpdump { +profile tcpdump /usr/bin/tcpdump { #include #include #include @@ -10,6 +10,7 @@ capability setuid, capability setgid, capability dac_override, + capability chown, network raw, network packet, @@ -18,10 +19,11 @@ @{PROC}/bus/usb/** r, # for finding an interface + /dev/ r, @{PROC}/[0-9]*/net/dev r, /sys/bus/usb/devices/ r, /sys/class/net/ r, - /sys/devices/**/net/* r, + /sys/devices/**/net/** r, # for -j capability net_admin, @@ -56,8 +58,8 @@ # for convenience with -r (ie, read pcap files from other sources) /var/log/snort/*log* r, - /usr/sbin/tcpdump mr, + /usr/bin/tcpdump mr, # Site-specific additions and overrides. See local/README for details. - #include + #include } diff --git a/apparmor.d/usr.sbin.chronyd b/apparmor.d/usr.sbin.chronyd index 04f9d47..89e7f34 100644 --- a/apparmor.d/usr.sbin.chronyd +++ b/apparmor.d/usr.sbin.chronyd 
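Review bot: Site-specific rules may be lost by this rename: the profile now attaches to `/usr/bin/tcpdump`, and the last hunk (`@@ -56,8 +58,8 @@`) changes the local include, whose target is not legible on this page but presumably becomes `local/usr.bin.tcpdump`. That file is created empty in this commit (blob `e69de29`), while the `.etckeeper` hunk keeps `apparmor.d/local/usr.sbin.tcpdump` listed beside it. If the old local file holds any rules, they should be moved into `apparmor.d/local/usr.bin.tcpdump` and the stale file removed, so that the confinement tcpdump actually runs under matches what was intended. After the move, confirm with `aa-status` that the `tcpdump` profile is loaded in enforce mode.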
@@ -1,30 +1,48 @@ # Last Modified: Sat Jan 20 10:45:05 2018 #include -/usr/sbin/chronyd (attach_disconnected) { +/usr/sbin/chronyd flags=(attach_disconnected) { #include #include - capability sys_time, + # For /run/chrony to be created + capability chown, + + # Give “root” the ability to read and write the PID file + capability dac_override, + capability dac_read_search, + + # Needed to support HW timestamping + capability net_admin, + + # Needed to allow NTP server sockets to be bound to a privileged port capability net_bind_service, - capability setuid, + + # Needed to allow an NTP socket to be bound to a device using the + # SO_BINDTODEVICE socket option on kernels before 5.7 + capability net_raw, + + # Needed to drop privileges capability setgid, + capability setuid, + + # Needed to set the SCHED_FIFO real-time scheduler at the specified priority + # using the '-P' option capability sys_nice, + + # Needed to lock chronyd into RAM capability sys_resource, - # for /run/chrony to be created - capability chown, - # Needed to support HW timestamping - capability net_admin, + + # Needed to set the system/real-time clock + capability sys_time, /usr/sbin/chronyd mr, /etc/chrony/{,**} r, - /{,var/}run/chronyd.pid w, - /{,var/}run/chrony/{,*} rw, - /var/lib/chrony/{,*} r, - /var/lib/chrony/* w, - /var/log/chrony/{,*} r, - /var/log/chrony/* w, + /var/lib/chrony/{,*} rw, + /var/log/chrony/{,*} rw, + @{run}/chrony/{,*} rw, + @{run}/chrony-dhcp/{,*} r, # Using the “tempcomp” directive gives chronyd the ability to improve # the stability and accuracy of the clock by compensating the temperature 
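Review bot: The rule `/{,var/}run/chronyd.pid w,` is removed in this hunk and the only run-time write path left is `@{run}/chrony/{,*} rw,`, so a locally kept `chrony.conf` that still names the old PID file through `pidfile` would be denied under enforce mode. The `.etckeeper` listing shows `chrony/chrony.conf.ucf-dist` next to `chrony/chrony.conf`, which suggests the local file differs from the packaged one; check it for a `pidfile` directive, and if the old path must stay, add `@{run}/chronyd.pid w,` to `apparmor.d/local/usr.sbin.chronyd` rather than editing the packaged profile. The hunk also grants `capability dac_override,` and `capability dac_read_search,` for PID-file handling; both bypass file permission checks for the whole daemon, so AppArmor denials logged for chronyd after the upgrade deserve a look before anything is widened further. The profile body continues past this hunk.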
@@ -36,11 +54,10 @@ # are common use cases; others should be set as local include (see below). # Configs using a 'chrony.' prefix like the tempcomp config file example /etc/chrony.* r, - # Example gpsd socket is outside /{,var/}run/chrony/ - /{,var/}run/chrony.tty{,*}.sock rw, + # Example gpsd socket is outside @{run}/chrony/ + @{run}/chrony.tty{,*}.sock rw, # To sign replies to MS-SNTP clients by the smbd daemon - /var/lib/samba/ntp_signd r, - /var/lib/samba/ntp_signd/{,*} rw, + /var/lib/samba/ntp_signd/socket rw, # rtc /etc/adjtime r, diff --git a/apparmor.d/usr.sbin.haveged b/apparmor.d/usr.sbin.haveged index 0e61138..1224d31 100644 --- a/apparmor.d/usr.sbin.haveged +++ b/apparmor.d/usr.sbin.haveged @@ -3,6 +3,7 @@ /usr/sbin/haveged { #include + #include # Required for ioctl RNDADDENTROPY capability sys_admin, @@ -19,5 +20,7 @@ /sys/devices/system/cpu/cpu*/cache/index*/{type,size,level} r, /usr/sbin/haveged mr, + /run/haveged.pid w, + #include } diff --git a/apparmor.d/usr.sbin.named b/apparmor.d/usr.sbin.named index a4622da..fe14850 100644 --- a/apparmor.d/usr.sbin.named +++ b/apparmor.d/usr.sbin.named @@ -2,7 +2,7 @@ # Last Modified: Fri Jun 1 16:43:22 2007 #include -/usr/sbin/named flags=(attach_disconnected) { +profile named /usr/sbin/named flags=(attach_disconnected) { #include #include diff --git a/apt/apt.conf.d/01autoremove b/apt/apt.conf.d/01autoremove index f9d9e85..478c571 100644 --- a/apt/apt.conf.d/01autoremove +++ b/apt/apt.conf.d/01autoremove 
@@ -10,31 +10,13 @@ APT VersionedKernelPackages { - # linux kernels - "linux-image"; - "linux-headers"; - "linux-image-extra"; - "linux-modules"; - "linux-modules-extra"; - "linux-signed-image"; - "linux-image-unsigned"; - # kfreebsd kernels - "kfreebsd-image"; - "kfreebsd-headers"; - # hurd kernels - "gnumach-image"; + # kernels + "linux-.*"; + "kfreebsd-.*"; + "gnumach-.*"; # (out-of-tree) modules ".*-modules"; ".*-kernel"; - "linux-backports-modules-.*"; - "linux-modules-.*"; - # tools - "linux-tools"; - "linux-cloud-tools"; - # build info - "linux-buildinfo"; - # source code - "linux-source"; }; Never-MarkAuto-Sections diff --git a/apt/apt.conf.d/01autoremove-kernels b/apt/apt.conf.d/01autoremove-kernels index 720a9d5..710ed07 100644 --- a/apt/apt.conf.d/01autoremove-kernels +++ b/apt/apt.conf.d/01autoremove-kernels 
@@ -1,62 +1,2 @@ // DO NOT EDIT! File autogenerated by /etc/kernel/postinst.d/apt-auto-removal -APT::NeverAutoRemove -{ - "^linux-image-4\.19\.0-16-amd64$"; - "^linux-image-4\.19\.0-17-amd64$"; - "^linux-headers-4\.19\.0-16-amd64$"; - "^linux-headers-4\.19\.0-17-amd64$"; - "^linux-image-extra-4\.19\.0-16-amd64$"; - "^linux-image-extra-4\.19\.0-17-amd64$"; - "^linux-modules-4\.19\.0-16-amd64$"; - "^linux-modules-4\.19\.0-17-amd64$"; - "^linux-modules-extra-4\.19\.0-16-amd64$"; - "^linux-modules-extra-4\.19\.0-17-amd64$"; - "^linux-signed-image-4\.19\.0-16-amd64$"; - "^linux-signed-image-4\.19\.0-17-amd64$"; - "^linux-image-unsigned-4\.19\.0-16-amd64$"; - "^linux-image-unsigned-4\.19\.0-17-amd64$"; - "^kfreebsd-image-4\.19\.0-16-amd64$"; - "^kfreebsd-image-4\.19\.0-17-amd64$"; - "^kfreebsd-headers-4\.19\.0-16-amd64$"; - "^kfreebsd-headers-4\.19\.0-17-amd64$"; - "^gnumach-image-4\.19\.0-16-amd64$"; - "^gnumach-image-4\.19\.0-17-amd64$"; - "^.*-modules-4\.19\.0-16-amd64$"; - "^.*-modules-4\.19\.0-17-amd64$"; - "^.*-kernel-4\.19\.0-16-amd64$"; - "^.*-kernel-4\.19\.0-17-amd64$"; - "^linux-backports-modules-.*-4\.19\.0-16-amd64$"; - "^linux-backports-modules-.*-4\.19\.0-17-amd64$"; - "^linux-modules-.*-4\.19\.0-16-amd64$"; - "^linux-modules-.*-4\.19\.0-17-amd64$"; - "^linux-tools-4\.19\.0-16-amd64$"; - "^linux-tools-4\.19\.0-17-amd64$"; - "^linux-cloud-tools-4\.19\.0-16-amd64$"; - "^linux-cloud-tools-4\.19\.0-17-amd64$"; - "^linux-buildinfo-4\.19\.0-16-amd64$"; - "^linux-buildinfo-4\.19\.0-17-amd64$"; - "^linux-source-4\.19\.0-16-amd64$"; - "^linux-source-4\.19\.0-17-amd64$"; -}; -/* Debug information: -# dpkg list: -ii linux-image-4.19.0-16-amd64 4.19.181-1 amd64 Linux 4.19 for 64-bit PCs (signed) -iF linux-image-4.19.0-17-amd64 4.19.194-3 amd64 Linux 4.19 for 64-bit PCs (signed) -ii linux-image-amd64 4.19+105+deb10u12 amd64 Linux for 64-bit PCs (meta-package) -# list of installed kernel packages: -4.19.0-16-amd64 4.19.181-1 -4.19.0-17-amd64 4.19.194-3 -# list of 
different kernel versions: -4.19.194-3 -4.19.181-1 -# Installing kernel: 4.19.194-3 (4.19.0-17-amd64) -# Running kernel: 4.19.194-3 (4.19.0-17-amd64) -# Last kernel: 4.19.194-3 -# Previous kernel: 4.19.181-1 -# Kernel versions list to keep: -4.19.181-1 -4.19.194-3 -# Kernel packages (version part) to protect: -4\.19\.0-16-amd64 -4\.19\.0-17-amd64 -*/ +APT::LastInstalledKernel "5.10.0-8-amd64"; diff --git a/apt/apt.conf.d/20listchanges b/apt/apt.conf.d/20listchanges index 1768735..4af5989 100644 --- a/apt/apt.conf.d/20listchanges +++ b/apt/apt.conf.d/20listchanges @@ -1,3 +1,5 @@ DPkg::Pre-Install-Pkgs { "/usr/bin/apt-listchanges --apt || test $? -lt 10"; }; DPkg::Tools::Options::/usr/bin/apt-listchanges::Version "2"; DPkg::Tools::Options::/usr/bin/apt-listchanges::InfoFD "20"; +Dir::Etc::apt-listchanges-main "listchanges.conf"; +Dir::Etc::apt-listchanges-parts "listchanges.conf.d"; diff --git a/bind/bind.keys b/bind/bind.keys index 5e5a32b..6d4217f 100644 --- a/bind/bind.keys +++ b/bind/bind.keys 
@@ -4,42 +4,30 @@ # be configured elsewhere; if they are configured here, they will not be # recognized or used by named. # -# The built-in trust anchors are provided for convenience of configuration. -# They are not activated within named.conf unless specifically switched on. -# To use the built-in key, use "dnssec-validation auto;" in the -# named.conf options. Without this option being set, the keys in this -# file are ignored. +# To use the built-in root key, set "dnssec-validation auto;" in the +# named.conf options, or else leave "dnssec-validation" unset. If +# "dnssec-validation" is set to "yes", then the keys in this file are +# ignored; keys will need to be explicitly configured in named.conf for +# validation to work. "auto" is the default setting, unless named is +# built with "configure --disable-auto-validation", in which case the +# default is "yes". # # This file is NOT expected to be user-configured. # -# These keys are current as of October 2017. If any key fails to -# initialize correctly, it may have expired. In that event you should -# replace this file with a current version. The latest version of -# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys. +# Servers being set up for the first time can use the contents of this file +# as initializing keys; thereafter, the keys in the managed key database +# will be trusted and maintained automatically. # -# See https://data.iana.org/root-anchors/root-anchors.xml -# for current trust anchor information for the root zone. - -managed-keys { - # This key (19036) is to be phased out starting in 2017. It will - # remain in the root zone for some time after its successor key - # has been added. It will remain this file until it is removed from - # the root zone. - . 
initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF - FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX - bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD - X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz - W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS - Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq - QxA+Uk1ihz0="; +# These keys are current as of Mar 2019. If any key fails to initialize +# correctly, it may have expired. In that event you should replace this +# file with a current version. The latest version of bind.keys can always +# be obtained from ISC at https://www.isc.org/bind-keys. +# +# See https://data.iana.org/root-anchors/root-anchors.xml for current trust +# anchor information for the root zone. +trust-anchors { # This key (20326) was published in the root zone in 2017. - # Servers which were already using the old key (19036) should - # roll seamlessly to this new one via RFC 5011 rollover. Servers - # being set up for the first time can use the contents of this - # file as initializing keys; thereafter, the keys in the - # managed key database will be trusted and maintained - # automatically. . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF diff --git a/bind/named-acl.conf b/bind/named-acl.conf index 5675512..4f643bb 100644 --- a/bind/named-acl.conf +++ b/bind/named-acl.conf @@ -116,7 +116,7 @@ acl common-allow-transfer { #---------------------------------------- acl local-host-ips { - 127.0.0.1/8; + 127.0.0.0/8; ::1/128; }; diff --git a/bind/named.conf.options b/bind/named.conf.options index 44af16c..1250674 100644 --- a/bind/named.conf.options +++ b/bind/named.conf.options 
@@ -47,7 +47,7 @@ options { //======================================================================== //dnssec-enable yes; dnssec-validation auto; - dnssec-lookaside auto; + # dnssec-lookaside auto; /* * As of bind 9.8.0: diff --git a/ca-certificates.conf b/ca-certificates.conf index 786d9c7..6f21a87 100644 --- a/ca-certificates.conf +++ b/ca-certificates.conf @@ -71,7 +71,7 @@ mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt !mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt mozilla/EC-ACC.crt -mozilla/EE_Certification_Centre_Root_CA.crt +!mozilla/EE_Certification_Centre_Root_CA.crt !mozilla/E-Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.crt mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt mozilla/Entrust_Root_Certification_Authority.crt @@ -85,7 +85,7 @@ mozilla/E-Tugra_Certification_Authority.crt !mozilla/GeoTrust_Primary_Certification_Authority.crt !mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt !mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt -mozilla/GeoTrust_Universal_CA_2.crt +!mozilla/GeoTrust_Universal_CA_2.crt !mozilla/GeoTrust_Universal_CA.crt mozilla/Global_Chambersign_Root_-_2008.crt mozilla/GlobalSign_Root_CA.crt @@ -107,7 +107,7 @@ mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt !mozilla/NetLock_Notary_=Class_A=_Root.crt !mozilla/NetLock_Qualified_=Class_QA=_Root.crt mozilla/Network_Solutions_Certificate_Authority.crt -mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt +!mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt !mozilla/PSCProcert.crt mozilla/QuoVadis_Root_CA_1_G3.crt mozilla/QuoVadis_Root_CA_2.crt 
@@ -127,7 +127,7 @@ mozilla/Security_Communication_Root_CA.crt !mozilla/Sonera_Class_1_Root_CA.crt mozilla/Sonera_Class_2_Root_CA.crt !mozilla/Staat_der_Nederlanden_Root_CA.crt -mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt +!mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt mozilla/Starfield_Class_2_CA.crt mozilla/Starfield_Root_Certificate_Authority_-_G2.crt mozilla/Starfield_Services_Root_Certificate_Authority_-_G2.crt @@ -141,7 +141,7 @@ mozilla/Starfield_Services_Root_Certificate_Authority_-_G2.crt mozilla/SwissSign_Gold_CA_-_G2.crt !mozilla/SwissSign_Platinum_CA_-_G2.crt mozilla/SwissSign_Silver_CA_-_G2.crt -mozilla/Taiwan_GRCA.crt +!mozilla/Taiwan_GRCA.crt !mozilla/TC_TrustCenter_Class_2_CA_II.crt !mozilla/TC_TrustCenter_Class_3_CA_II.crt !mozilla/TC_TrustCenter_Universal_CA_I.crt @@ -171,7 +171,7 @@ mozilla/TWCA_Root_Certification_Authority.crt !mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_2.crt !mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt !mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt -mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt +!mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt !mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt !mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt !mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.crt @@ -218,7 +218,7 @@ mozilla/Amazon_Root_CA_3.crt mozilla/Amazon_Root_CA_4.crt !mozilla/D-TRUST_Root_CA_3_2013.crt mozilla/GDCA_TrustAUTH_R5_ROOT.crt -mozilla/LuxTrust_Global_Root_2.crt +!mozilla/LuxTrust_Global_Root_2.crt mozilla/SSL.com_EV_Root_Certification_Authority_ECC.crt mozilla/SSL.com_EV_Root_Certification_Authority_RSA_R2.crt mozilla/SSL.com_Root_Certification_Authority_ECC.crt 
@@ -246,3 +246,11 @@ mozilla/GTS_Root_R4.crt mozilla/Hongkong_Post_Root_CA_3.crt mozilla/UCA_Extended_Validation_Root.crt mozilla/UCA_Global_G2_Root.crt +mozilla/certSIGN_Root_CA_G2.crt +mozilla/e-Szigno_Root_CA_2017.crt +mozilla/Microsoft_ECC_Root_Certificate_Authority_2017.crt +mozilla/Microsoft_RSA_Root_Certificate_Authority_2017.crt +mozilla/NAVER_Global_Root_Certification_Authority.crt +mozilla/Trustwave_Global_Certification_Authority.crt +mozilla/Trustwave_Global_ECC_P256_Certification_Authority.crt +mozilla/Trustwave_Global_ECC_P384_Certification_Authority.crt diff --git a/ca-certificates.conf.dpkg-old b/ca-certificates.conf.dpkg-old index f7e63e5..786d9c7 100644 --- a/ca-certificates.conf.dpkg-old +++ b/ca-certificates.conf.dpkg-old @@ -13,7 +13,7 @@ mozilla/ACCVRAIZ1.crt !mozilla/ACEDICOM_Root.crt !mozilla/AC_Raíz_Certicámara_S.A..crt mozilla/Actalis_Authentication_Root_CA.crt -mozilla/AddTrust_External_Root.crt +!mozilla/AddTrust_External_Root.crt !mozilla/AddTrust_Low-Value_Services_Root.crt !mozilla/AddTrust_Public_Services_Root.crt !mozilla/AddTrust_Qualified_Certificates_Root.crt @@ -39,7 +39,7 @@ mozilla/CA_Disig_Root_R2.crt !mozilla/Camerfirma_Global_Chambersign_Root.crt mozilla/Certigna.crt !mozilla/Certinomis_-_Autorité_Racine.crt -mozilla/Certplus_Class_2_Primary_CA.crt +!mozilla/Certplus_Class_2_Primary_CA.crt mozilla/certSIGN_ROOT_CA.crt !mozilla/Certum_Root_CA.crt mozilla/Certum_Trusted_Network_CA.crt @@ -54,7 +54,7 @@ mozilla/COMODO_ECC_Certification_Authority.crt !mozilla/ComSign_CA.crt !mozilla/ComSign_Secured_CA.crt mozilla/Cybertrust_Global_Root.crt -mozilla/Deutsche_Telekom_Root_CA_2.crt +!mozilla/Deutsche_Telekom_Root_CA_2.crt mozilla/DigiCert_Assured_ID_Root_CA.crt mozilla/DigiCert_Assured_ID_Root_G2.crt mozilla/DigiCert_Assured_ID_Root_G3.crt 
@@ -81,12 +81,12 @@ mozilla/ePKI_Root_Certification_Authority.crt !mozilla/Equifax_Secure_Global_eBusiness_CA.crt mozilla/E-Tugra_Certification_Authority.crt !mozilla/GeoTrust_Global_CA_2.crt -mozilla/GeoTrust_Global_CA.crt -mozilla/GeoTrust_Primary_Certification_Authority.crt -mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt -mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt +!mozilla/GeoTrust_Global_CA.crt +!mozilla/GeoTrust_Primary_Certification_Authority.crt +!mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt +!mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt mozilla/GeoTrust_Universal_CA_2.crt -mozilla/GeoTrust_Universal_CA.crt +!mozilla/GeoTrust_Universal_CA.crt mozilla/Global_Chambersign_Root_-_2008.crt mozilla/GlobalSign_Root_CA.crt mozilla/GlobalSign_Root_CA_-_R2.crt @@ -147,9 +147,9 @@ mozilla/Taiwan_GRCA.crt !mozilla/TC_TrustCenter_Universal_CA_I.crt mozilla/TeliaSonera_Root_CA_v1.crt !mozilla/Thawte_Premium_Server_CA.crt -mozilla/thawte_Primary_Root_CA.crt -mozilla/thawte_Primary_Root_CA_-_G2.crt -mozilla/thawte_Primary_Root_CA_-_G3.crt +!mozilla/thawte_Primary_Root_CA.crt +!mozilla/thawte_Primary_Root_CA_-_G2.crt +!mozilla/thawte_Primary_Root_CA_-_G3.crt !mozilla/Thawte_Server_CA.crt mozilla/Trustis_FPS_Root_CA.crt mozilla/T-TeleSec_GlobalRoot_Class_2.crt 
@@ -172,10 +172,10 @@ mozilla/TWCA_Root_Certification_Authority.crt !mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt !mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt -mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt -mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt +!mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt +!mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt !mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.crt -mozilla/VeriSign_Universal_Root_Certification_Authority.crt +!mozilla/VeriSign_Universal_Root_Certification_Authority.crt !mozilla/Visa_eCommerce_Root.crt !mozilla/WellsSecure_Public_Root_Certificate_Authority.crt !mozilla/WoSign_China.crt @@ -184,7 +184,7 @@ mozilla/XRamp_Global_CA_Root.crt !spi-inc.org/spi-cacert-2008.crt !mozilla/CA_WoSign_ECC_Root.crt !mozilla/Certification_Authority_of_WoSign_G2.crt -mozilla/Certinomis_-_Root_CA.crt +!mozilla/Certinomis_-_Root_CA.crt mozilla/CFCA_EV_ROOT.crt mozilla/COMODO_RSA_Certification_Authority.crt mozilla/Entrust_Root_Certification_Authority_-_EC1.crt @@ -233,3 +233,16 @@ mozilla/TrustCor_RootCert_CA-2.crt mozilla/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt mozilla/GlobalSign_Root_CA_-_R6.crt mozilla/OISTE_WISeKey_Global_Root_GC_CA.crt +mozilla/Certigna_Root_CA.crt +mozilla/emSign_ECC_Root_CA_-_C3.crt +mozilla/emSign_ECC_Root_CA_-_G3.crt +mozilla/emSign_Root_CA_-_C1.crt +mozilla/emSign_Root_CA_-_G1.crt +mozilla/Entrust_Root_Certification_Authority_-_G4.crt +mozilla/GTS_Root_R1.crt +mozilla/GTS_Root_R2.crt +mozilla/GTS_Root_R3.crt +mozilla/GTS_Root_R4.crt +mozilla/Hongkong_Post_Root_CA_3.crt +mozilla/UCA_Extended_Validation_Root.crt +mozilla/UCA_Global_G2_Root.crt diff --git a/chrony/chrony.conf.ucf-dist b/chrony/chrony.conf.ucf-dist index 6c19767..b3a9510 100644 
--- a/chrony/chrony.conf.ucf-dist +++ b/chrony/chrony.conf.ucf-dist @@ -1,7 +1,18 @@ # Welcome to the chrony configuration file. See chrony.conf(5) for more -# information about usuable directives. +# information about usable directives. + +# Include configuration files found in /etc/chrony/conf.d. +confdir /etc/chrony/conf.d + +# Use Debian vendor zone. pool 2.debian.pool.ntp.org iburst +# Use time sources from DHCP. +sourcedir /run/chrony-dhcp + +# Use NTP sources found in /etc/chrony/sources.d. +sourcedir /etc/chrony/sources.d + # This directive specify the location of the file containing ID/key pairs for # NTP authentication. keyfile /etc/chrony/chrony.keys @@ -10,6 +21,9 @@ keyfile /etc/chrony/chrony.keys # information. driftfile /var/lib/chrony/chrony.drift +# Save NTS keys and cookies. +ntsdumpdir /var/lib/chrony + # Uncomment the following line to turn logging on. #log tracking measurements statistics @@ -26,3 +40,8 @@ rtcsync # Step the system clock instead of slewing it if the adjustment is larger than # one second, but only in the first three clock updates. makestep 1 3 + +# Get TAI-UTC offset and leap seconds from the system tz database. +# This directive must be commented out when using time sources serving +# leap-smeared time. +leapsectz right/UTC diff --git a/chrony/chrony.keys b/chrony/chrony.keys index cee70b3..a2d655d 100644 --- a/chrony/chrony.keys +++ b/chrony/chrony.keys @@ -6,5 +6,5 @@ # chronyc keygen 1 SHA256 256 >> /etc/chrony/chrony.keys # would generate a 256-bit SHA-256 key using ID 1. # -# A list of supported hash functions and output encoding can be found in -# the "keyfile" section from the "/usr/share/doc/chrony/chrony.txt.gz" file. +# A list of supported hash functions and output encoding is available by +# consulting the "keyfile" directive in the chrony.conf(5) man page. diff --git a/chrony/conf.d/README b/chrony/conf.d/README new file mode 100644 index 0000000..de1fa8e --- /dev/null +++ b/chrony/conf.d/README 
@@ -0,0 +1,7 @@ +Files found under the /etc/chrony/conf.d directory with the .conf suffix are +parsed in the lexicographical order of the file names when chronyd starts up. +This enables a fragmented configuration of chronyd. + +Although those files can contain any directives listed in chrony.conf(5), +it would be wiser to add NTP sources in the /etc/chrony/sources.d +directory. Please read /etc/chrony/sources.d/README for more information. diff --git a/chrony/sources.d/README b/chrony/sources.d/README new file mode 100644 index 0000000..268544d --- /dev/null +++ b/chrony/sources.d/README @@ -0,0 +1,11 @@ +Only NTP sources can be specified in the /etc/chrony/sources.d directory. +Files in this directory must end with the ".sources" suffix, and can only +contain the "peer", "pool" and "server" directives. + +There is no need to restart chronyd for these time sources to be usable, +running 'chronyc reload sources' is sufficient. + +Example: + +# echo 'server 192.0.2.1 iburst' > /etc/chrony/sources.d/local-ntp-server.sources +# chronyc reload sources diff --git a/cron.daily/mlocate b/cron.daily/mlocate index bc69541..9104f3b 100755 --- a/cron.daily/mlocate +++ b/cron.daily/mlocate @@ -2,6 +2,11 @@ set -e +# skip in favour of systemd timer +if [ -d /run/systemd/system ]; then + exit 0 +fi + [ -x /usr/bin/updatedb.mlocate ] || exit 0 if which on_ac_power >/dev/null 2>&1; then diff --git a/cron.daily/passwd b/cron.daily/passwd deleted file mode 100755 index 4778bf0..0000000 --- a/cron.daily/passwd +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh - -cd /var/backups || exit 0 - -for FILE in passwd group shadow gshadow; do - test -f /etc/$FILE || continue - cmp -s $FILE.bak /etc/$FILE && continue - cp -p /etc/$FILE $FILE.bak && chmod 600 $FILE.bak -done diff --git a/default/chrony b/default/chrony index eead3e6..028f63d 100644 --- a/default/chrony +++ b/default/chrony 
@@ -3,4 +3,4 @@ # the chrony daemon without editing the init script or service file. # Options to pass to chrony. -DAEMON_OPTS="-F -1" +DAEMON_OPTS="-F 1" diff --git a/default/haveged b/default/haveged index 77b6941..679e989 100644 --- a/default/haveged +++ b/default/haveged @@ -1,5 +1,4 @@ # Configuration file for haveged # Options to pass to haveged: -# -w sets low entropy watermark (in bits) -DAEMON_ARGS="-w 1024" +#DAEMON_ARGS="" diff --git a/default/named b/default/named new file mode 100644 index 0000000..66352f0 --- /dev/null +++ b/default/named @@ -0,0 +1,6 @@ +# +# run resolvconf? +RESOLVCONF=no + +# startup options for the server +OPTIONS="-u bind" diff --git a/default/netfilter-persistent b/default/netfilter-persistent index 7b31799..661c678 100644 --- a/default/netfilter-persistent +++ b/default/netfilter-persistent @@ -2,3 +2,9 @@ # Plugins may extend this file or have their own FLUSH_ON_STOP=0 + +# Set to yes to skip saving rules/sets when netfilter-persistent is called with +# the save parameter +# IPTABLES_SKIP_SAVE=yes +# IP6TABLES_SKIP_SAVE=yes +# IPSET_SKIP_SAVE=yes diff --git a/default/rsyslog b/default/rsyslog deleted file mode 100644 index 8ec3ea0..0000000 --- a/default/rsyslog +++ /dev/null @@ -1,4 +0,0 @@ -# Options for rsyslogd -# -x disables DNS lookups for remote messages -# See rsyslogd(8) for more details -RSYSLOGD_OPTIONS="" diff --git a/default/useradd b/default/useradd index a834fef..e32955a 100644 --- a/default/useradd +++ b/default/useradd @@ -2,7 +2,7 @@ # # The SHELL variable specifies the default login shell on your # system. -# Similar to DHSELL in adduser. However, we use "sh" here because +# Similar to DSHELL in adduser. However, we use "sh" here because # useradd is a low level utility and should be as general # as possible SHELL=/bin/sh diff --git a/dhcp/dhclient-exit-hooks.d/chrony b/dhcp/dhclient-exit-hooks.d/chrony index 690f3ab..f3dacd7 100644 --- a/dhcp/dhclient-exit-hooks.d/chrony 
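Review bot: `DAEMON_OPTS="-F 1"` in default/chrony changes how the seccomp filter fails, and the file's only comment is still "Options to pass to chrony". With `-F -1` a blocked system call raised SIGSYS; with `-F 1` chronyd is killed, so a filter gap in the new version shows up as a stopped time service. I would add a comment above the assignment such as `# -F 1: enable the seccomp system call filter; chronyd is killed on a blocked call (use -F -1 to debug)`. It is also worth making sure service monitoring alerts when chronyd exits.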
+++ b/dhcp/dhclient-exit-hooks.d/chrony @@ -1,17 +1,19 @@ -SERVERFILE=/var/lib/dhcp/chrony.servers.$interface +CHRONY_SOURCEDIR=/run/chrony-dhcp +SERVERFILE=$CHRONY_SOURCEDIR/$interface.sources chrony_config() { - rm -f $SERVERFILE + rm -f "$SERVERFILE" + mkdir -p "$CHRONY_SOURCEDIR" for server in $new_ntp_servers; do - echo "$server iburst" >> $SERVERFILE + echo "server $server iburst" >> "$SERVERFILE" done - /usr/lib/chrony/chrony-helper update-daemon || : + /usr/bin/chronyc reload sources > /dev/null 2>&1 || : } chrony_restore() { - if [ -f $SERVERFILE ]; then - rm -f $SERVERFILE - /usr/lib/chrony/chrony-helper update-daemon || : + if [ -f "$SERVERFILE" ]; then + rm -f "$SERVERFILE" + /usr/bin/chronyc reload sources > /dev/null 2>&1 || : fi } diff --git a/emacs/site-start.d/50dictionaries-common.el b/emacs/site-start.d/50dictionaries-common.el index 0719f65..fc254f7 100644 --- a/emacs/site-start.d/50dictionaries-common.el +++ b/emacs/site-start.d/50dictionaries-common.el @@ -1,6 +1,6 @@ ;; File: startup.el.in ;; Description: Emacsen startup for dictionaries-common in Debian -;; Authors: Rafael Laboissière +;; Authors: Rafael Laboissière ;; Agustin Martin ;; Created on: Fri Oct 22 09:48:21 CEST 1999 diff --git a/ethertypes b/ethertypes new file mode 100644 index 0000000..caa9f56 --- /dev/null +++ b/ethertypes 
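Review bot: Both `chrony_config` and `chrony_restore` now end in `/usr/bin/chronyc reload sources > /dev/null 2>&1 || :`, which throws away the output and the exit status. If the reload fails, chronyd keeps its previous source list and nothing is logged, including after `chrony_restore` has removed a lease's servers. Since the servers in `$new_ntp_servers` come from the DHCP reply and are written out as time sources unchecked, a record of reload failures is useful. I would keep the hook non-fatal but log, e.g. `/usr/bin/chronyc reload sources > /dev/null 2>&1 || logger -t chrony-dhcp "reload sources failed for $interface"` (the tag is only a suggestion). The rest of the hook script lies outside this hunk.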
@@ -0,0 +1,45 @@ +# Ethernet frame types +# +# The EtherType is a two-octet field of Ethernet frames used to indicate +# which protocol is contained in their payload. +# +# More entries, mostly historical, can be found on: +# https://www.iana.org/assignments/ieee-802-numbers/ +# http://standards-oui.ieee.org/ethertype/eth.txt +# +# ... # Comment +# +IPv4 0800 ip ip4 # IP (IPv4) +X25 0805 +ARP 0806 ether-arp # Address Resolution Protocol +FR_ARP 0808 # Frame Relay ARP [RFC1701] +BPQ 08FF # G8BPQ AX.25 over Ethernet +TRILL 22F3 # TRILL [RFC6325] +L2-IS-IS 22F4 # TRILL IS-IS [RFC6325] +TEB 6558 # Transparent Ethernet Bridging [RFC1701] +RAW_FR 6559 # Raw Frame Relay [RFC1701] +RARP 8035 # Reverse ARP [RFC903] +ATALK 809B # Appletalk +AARP 80F3 # Appletalk Address Resolution Protocol +802_1Q 8100 8021q 1q 802.1q dot1q # VLAN tagged frame [802.1q] +IPX 8137 # Novell IPX +NetBEUI 8191 # NetBEUI +IPv6 86DD ip6 # IP version 6 +PPP 880B # Point-to-Point Protocol +MPLS 8847 # MPLS [RFC5332] +MPLS_MULTI 8848 # MPLS with upstream-assigned label [RFC5332] +ATMMPOA 884C # MultiProtocol over ATM +PPP_DISC 8863 # PPP over Ethernet discovery stage +PPP_SES 8864 # PPP over Ethernet session stage +ATMFATE 8884 # Frame-based ATM Transport over Ethernet +EAPOL 888E # EAP over LAN [802.1x] +S-TAG 88A8 # QinQ Service VLAN tag identifier [802.1q] +EAP_PREAUTH 88C7 # EAPOL Pre-Authentication [802.11i] +LLDP 88CC # Link Layer Discovery Protocol [802.1ab] +MACSEC 88E5 # Media Access Control Security [802.1ae] +PBB 88E7 macinmac # Provider Backbone Bridging [802.1ah] +MVRP 88F5 # Multiple VLAN Registration Protocol [802.1q] +PTP 88F7 # Precision Time Protocol +FCOE 8906 # Fibre Channel over Ethernet +FIP 8914 # FCoE Initialization Protocol +ROCE 8915 # RDMA over Converged Ethernet diff --git a/fail2ban/action.d/abuseipdb.conf b/fail2ban/action.d/abuseipdb.conf index 15e41fb..ed958c8 100644 --- a/fail2ban/action.d/abuseipdb.conf +++ b/fail2ban/action.d/abuseipdb.conf 
@@ -21,14 +21,13 @@ # # Example, for ssh bruteforce (in section [sshd] of `jail.local`): # action = %(known/action)s -# %(action_abuseipdb)s[abuseipdb_apikey="my-api-key", abuseipdb_category="18,22"] +# abuseipdb[abuseipdb_apikey="my-api-key", abuseipdb_category="18,22"] # -# See below for catagories. +# See below for categories. # -# Original Ref: https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban # Added to fail2ban by Andrew James Collett (ajcollett) -## abuseIPDB Catagories, `the abuseipdb_category` MUST be set in the jail.conf action call. +## abuseIPDB Categories, `the abuseipdb_category` MUST be set in the jail.conf action call. # Example, for ssh bruteforce: action = %(action_abuseipdb)s[abuseipdb_category="18,22"] # ID Title Description # 3 Fraud Orders @@ -47,14 +46,17 @@ [Definition] +# bypass action for restored tickets +norestored = 1 + # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = 
@@ -80,13 +82,10 @@ actioncheck = # wherever you install the helper script. For the PHP helper script, see # # -# --ciphers ecdhe_ecdsa_aes_256_sha is used to workaround a -# "NSS error -12286" from curl as it attempts to connect using -# SSLv3. See https://www.centos.org/forums/viewtopic.php?t=52732 # Tags: See jail.conf(5) man page # Values: CMD # -actionban = curl --fail --ciphers ecdhe_ecdsa_aes_256_sha --data 'key=' --data-urlencode 'comment=' --data 'ip=' --data 'category=' "https://www.abuseipdb.com/report/json" +actionban = lgm=$(printf '%%.1000s\n...' ""); curl -sSf "https://api.abuseipdb.com/api/v2/report" -H "Accept: application/json" -H "Key: " --data-urlencode "comment=$lgm" --data-urlencode "ip=" --data "categories=" # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -101,5 +100,5 @@ actionunban = # Notes Your API key from abuseipdb.com # Values: STRING Default: None # Register for abuseipdb [https://www.abuseipdb.com], get api key and set below. -# You will need to set the catagory in the action call. +# You will need to set the category in the action call. abuseipdb_apikey = diff --git a/fail2ban/action.d/badips.py b/fail2ban/action.d/badips.py index 473fbf3..805120e 100644 --- a/fail2ban/action.d/badips.py +++ b/fail2ban/action.d/badips.py 
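Review bot: The new `actionban` still expands the API key into the curl command line (`-H "Key: ..."`), as the old `--data 'key=...'` form did, so any local user who can list processes can read it while curl runs. curl can read a header from a file, so on curl 7.55.0 or later I would use `-H @/path/to/abuseipdb-key-header` (placeholder path, file readable by root only) instead of interpolating `abuseipdb_apikey`. Separately, `--data-urlencode "comment=$lgm"` sends up to 1000 characters of matched log lines to a third party. A comment above `actionban` should say that, so operators can check whether those lines contain usernames or other data they do not want to publish. The tag placeholders appear to have been stripped in this rendering, so this is read from the surrounding option names.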
@@ -18,20 +18,22 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. import sys -if sys.version_info < (2, 7): +if sys.version_info < (2, 7): # pragma: no cover raise ImportError("badips.py action requires Python >= 2.7") import json import threading import logging -if sys.version_info >= (3, ): +if sys.version_info >= (3, ): # pragma: 2.x no cover from urllib.request import Request, urlopen from urllib.parse import urlencode from urllib.error import HTTPError -else: +else: # pragma: 3.x no cover from urllib2 import Request, urlopen, HTTPError from urllib import urlencode -from fail2ban.server.actions import ActionBase +from fail2ban.server.actions import Actions, ActionBase, BanTicket +from fail2ban.helpers import splitwords, str2LogLevel + class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable @@ -52,9 +54,6 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable age : str, optional Age of last report for bad IPs, per badips.com syntax. Default "24h" (24 hours) - key : str, optional - Key issued by badips.com to report bans, for later retrieval - of personalised content. banaction : str, optional Name of banaction to use for blacklisting bad IPs. If `None`, no blacklist of IPs will take place. 
@@ -65,11 +64,17 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable "postfix", but want to use whole "mail" category for blacklist. Default `category`. bankey : str, optional - Key issued by badips.com to blacklist IPs reported with the - associated key. + Key issued by badips.com to retrieve personal list + of blacklist IPs. updateperiod : int, optional Time in seconds between updating bad IPs blacklist. Default 900 (15 minutes) + loglevel : int/str, optional + Log level of the message when an IP is (un)banned. + Default `DEBUG`. + Can be also supplied as two-value list (comma- or space separated) to + provide level of the summary message when a group of IPs is (un)banned. + Example `DEBUG,INFO`. agent : str, optional User agent transmitted to server. Default `Fail2Ban/ver.` @@ -81,13 +86,13 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable """ TIMEOUT = 10 - _badips = "http://www.badips.com" + _badips = "https://www.badips.com" def _Request(self, url, **argv): return Request(url, headers={'User-Agent': self.agent}, **argv) - def __init__(self, jail, name, category, score=3, age="24h", key=None, - banaction=None, bancategory=None, bankey=None, updateperiod=900, agent="Fail2Ban", - timeout=TIMEOUT): + def __init__(self, jail, name, category, score=3, age="24h", + banaction=None, bancategory=None, bankey=None, updateperiod=900, + loglevel='DEBUG', agent="Fail2Ban", timeout=TIMEOUT): super(BadIPsAction, self).__init__(jail, name) self.timeout = timeout @@ -95,10 +100,12 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable self.category = category self.score = score self.age = age - self.key = key self.banaction = banaction self.bancategory = bancategory or category self.bankey = bankey + loglevel = splitwords(loglevel) + self.sumloglevel = str2LogLevel(loglevel[-1]) + self.loglevel = str2LogLevel(loglevel[0]) self.updateperiod = updateperiod self._bannedips = set() 
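Review bot: The docstring documents `loglevel : int/str`, but `__init__` passes the value to `splitwords(loglevel)` before `str2LogLevel` sees it. `splitwords` is not visible here; if it only handles strings, an integer level will fail, and an empty string would leave nothing for `loglevel[-1]` and `loglevel[0]` to index. I would normalise first, `loglevel = splitwords(str(loglevel)) or ['DEBUG']`, or else drop `int` from the docstring. The body of `__init__` continues outside this hunk.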
@@ -114,6 +121,15 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable except Exception as e: # pragma: no cover return False, e + def logError(self, response, what=''): # pragma: no cover - sporadical (502: Bad Gateway, etc) + messages = {} + try: + messages = json.loads(response.read().decode('utf-8')) + except: + pass + self._logSys.error( + "%s. badips.com response: '%s'", what, + messages.get('err', 'Unknown')) def getCategories(self, incParents=False): """Get badips.com categories. @@ -133,11 +149,8 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable try: response = urlopen( self._Request("/".join([self._badips, "get", "categories"])), timeout=self.timeout) - except HTTPError as response: - messages = json.loads(response.read().decode('utf-8')) - self._logSys.error( - "Failed to fetch categories. badips.com response: '%s'", - messages['err']) + except HTTPError as response: # pragma: no cover + self.logError(response, "Failed to fetch categories") raise else: response_json = json.loads(response.read().decode('utf-8')) @@ -186,12 +199,10 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable urlencode({'age': age})]) if key: url = "&".join([url, urlencode({'key': key})]) + self._logSys.debug('badips.com: get list, url: %r', url) response = urlopen(self._Request(url), timeout=self.timeout) - except HTTPError as response: - messages = json.loads(response.read().decode('utf-8')) - self._logSys.error( - "Failed to fetch bad IP list. badips.com response: '%s'", - messages['err']) + except HTTPError as response: # pragma: no cover + self.logError(response, "Failed to fetch bad IP list") raise else: return set(response.read().decode('utf-8').split()) 
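Review bot: The bare `except:` in the new `logError` also catches `KeyboardInterrupt` and `SystemExit`, and the following `messages.get('err', 'Unknown')` assumes the decoded body is a dict. A gateway error page that happens to be a JSON list or string would raise `AttributeError` inside the error handler and replace the `HTTPError` that the callers re-raise. I would narrow it to `except Exception:` and add `if not isinstance(messages, dict): messages = {}` before the log call.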
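Review bot: In the `getList` hunk, the added `self._logSys.debug('badips.com: get list, url: %r', url)` runs after `key` has been appended to the query string, so the `bankey` secret is written to the fail2ban log whenever DEBUG logging is on. I would move the debug call above the `if key:` line so it logs the URL without the key, or log only `category`, `score` and `age`. The start of `getList` is outside this hunk.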
@@ -219,7 +230,7 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable @bancategory.setter def bancategory(self, bancategory): - if bancategory not in self.getCategories(incParents=True): + if bancategory != "any" and bancategory not in self.getCategories(incParents=True): self._logSys.error("Category name '%s' not valid. " "see badips.com for list of valid categories", bancategory) @@ -271,13 +282,8 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable def _banIPs(self, ips): for ip in ips: try: - self._jail.actions[self.banaction].ban({ - 'ip': ip, - 'failures': 0, - 'matches': "", - 'ipmatches': "", - 'ipjailmatches': "", - }) + ai = Actions.ActionInfo(BanTicket(ip), self._jail) + self._jail.actions[self.banaction].ban(ai) except Exception as e: self._logSys.error( "Error banning IP %s for jail '%s' with action '%s': %s", @@ -285,27 +291,22 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG) else: self._bannedips.add(ip) - self._logSys.info( + self._logSys.log(self.loglevel, "Banned IP %s for jail '%s' with action '%s'", ip, self._jail.name, self.banaction) def _unbanIPs(self, ips): for ip in ips: try: - self._jail.actions[self.banaction].unban({ - 'ip': ip, - 'failures': 0, - 'matches': "", - 'ipmatches': "", - 'ipjailmatches': "", - }) + ai = Actions.ActionInfo(BanTicket(ip), self._jail) + self._jail.actions[self.banaction].unban(ai) except Exception as e: - self._logSys.info( + self._logSys.error( "Error unbanning IP %s for jail '%s' with action '%s': %s", ip, self._jail.name, self.banaction, e, exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG) else: - self._logSys.info( + self._logSys.log(self.loglevel, "Unbanned IP %s for jail '%s' with action '%s'", ip, self._jail.name, self.banaction) finally: 
@@ -333,12 +334,19 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable ips = self.getList( self.bancategory, self.score, self.age, self.bankey) # Remove old IPs no longer listed - self._unbanIPs(self._bannedips - ips) + s = self._bannedips - ips + m = len(s) + self._unbanIPs(s) # Add new IPs which are now listed - self._banIPs(ips - self._bannedips) - - self._logSys.info( - "Updated IPs for jail '%s'. Update again in %i seconds", + s = ips - self._bannedips + p = len(s) + self._banIPs(s) + if m != 0 or p != 0: + self._logSys.log(self.sumloglevel, + "Updated IPs for jail '%s' (-%d/+%d)", + self._jail.name, m, p) + self._logSys.debug( + "Next update for jail '%' in %i seconds", self._jail.name, self.updateperiod) finally: self._timer = threading.Timer(self.updateperiod, self.update) @@ -368,19 +376,15 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable Any issues with badips.com request. """ try: - url = "/".join([self._badips, "add", self.category, aInfo['ip']]) - if self.key: - url = "?".join([url, urlencode({'key': self.key})]) + url = "/".join([self._badips, "add", self.category, str(aInfo['ip'])]) + self._logSys.debug('badips.com: ban, url: %r', url) response = urlopen(self._Request(url), timeout=self.timeout) - except HTTPError as response: - messages = json.loads(response.read().decode('utf-8')) - self._logSys.error( - "Response from badips.com report: '%s'", - messages['err']) + except HTTPError as response: # pragma: no cover + self.logError(response, "Failed to ban") raise else: messages = json.loads(response.read().decode('utf-8')) - self._logSys.info( + self._logSys.debug( "Response from badips.com report: '%s'", messages['suc']) diff --git a/fail2ban/action.d/blocklist_de.conf b/fail2ban/action.d/blocklist_de.conf index 2f31d8b..ba6d427 100644 --- a/fail2ban/action.d/blocklist_de.conf +++ b/fail2ban/action.d/blocklist_de.conf 
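Review bot: The new debug message `"Next update for jail '%' in %i seconds"` has a bare `%'` where `%s` was intended, so formatting it with `(self._jail.name, self.updateperiod)` fails with an unsupported-format-character error whenever the record is actually emitted, i.e. when debug logging is on. Depending on the logging configuration that shows up as a logging error on stderr instead of the message. The line should read `"Next update for jail '%s' in %i seconds"`. The enclosing update method starts before this hunk.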
@@ -31,13 +31,13 @@ [Definition] # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = @@ -54,7 +54,7 @@ actioncheck = # Tags: See jail.conf(5) man page # Values: CMD # -actionban = curl --fail --data-urlencode 'server=' --data 'apikey=' --data 'service=' --data 'ip=' --data-urlencode 'logs=' --data 'format=text' --user-agent "" "https://www.blocklist.de/en/httpreports.html" +actionban = curl --fail --data-urlencode "server=" --data "apikey=" --data "service=" --data "ip=" --data-urlencode "logs=
" --data 'format=text' --user-agent "" "https://www.blocklist.de/en/httpreports.html" # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -64,10 +64,8 @@ actionban = curl --fail --data-urlencode 'server=' --data 'apikey=)' > /dev/null 2>&1 || ( ipfw show | awk 'BEGIN { b = } { if ($1 < b) {} else if ($1 == b) { b = $1 + 1 } else { e = b } } END { if (e) exit e
else exit b }'; num=$?; ipfw -q add $num from table\(\) to me ; echo $num > "" ) +actionstart = ipfw show | fgrep -c -m 1 -s 'table(
)' > /dev/null 2>&1 || ( + num=$(ipfw show | awk 'BEGIN { b = } { if ($1 == b) { b = $1 + 1 } } END { print b }'); + ipfw -q add "$num" from table\(
\) to me ; echo "$num" > "" + ) # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = [ ! -f ] || ( read num < ""
ipfw -q delete $num
rm "" ) @@ -38,7 +41,7 @@ actioncheck = # Values: CMD # # requires an ipfw rule like "deny ip from table(1) to me" -actionban = e=`ipfw table
add 2>&1`; x=$?; [ $x -eq 0 -o "$e" = 'ipfw: setsockopt(IP_FW_TABLE_XADD): File exists' ] || { echo "$e" 1>&2; exit $x; } +actionban = e=`ipfw table
add 2>&1`; x=$?; [ $x -eq 0 -o "$e" = 'ipfw: setsockopt(IP_FW_TABLE_XADD): File exists' ] || echo "$e" | grep -q "record already exists" || { echo "$e" 1>&2; exit $x; } # Option: actionunban @@ -47,7 +50,7 @@ actionban = e=`ipfw table
add 2>&1`; x=$?; [ $x -eq 0 -o "$e" = 'ip # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = e=`ipfw table
delete 2>&1`; x=$?; [ $x -eq 0 -o "$e" = 'ipfw: setsockopt(IP_FW_TABLE_XDEL): No such process' ] || { echo "$e" 1>&2; exit $x; } +actionunban = e=`ipfw table
delete 2>&1`; x=$?; [ $x -eq 0 -o "$e" = 'ipfw: setsockopt(IP_FW_TABLE_XDEL): No such process' ] || echo "$e" | grep -q "record not found" || { echo "$e" 1>&2; exit $x; } [Init] # Option: table diff --git a/fail2ban/action.d/cloudflare.conf b/fail2ban/action.d/cloudflare.conf index 89df5b9..361cb17 100644 --- a/fail2ban/action.d/cloudflare.conf +++ b/fail2ban/action.d/cloudflare.conf @@ -5,7 +5,7 @@ # # Please set jail.local's permission to 640 because it contains your CF API key. # -# This action depends on curl. +# This action depends on curl (and optionally jq). # Referenced from http://www.normyee.net/blog/2012/02/02/adding-cloudflare-support-to-fail2ban by NORM YEE # # To get your CloudFlare API Key: https://www.cloudflare.com/a/account/my-account @@ -15,13 +15,13 @@ [Definition] # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = @@ -43,9 +43,9 @@ actioncheck = # API v1 #actionban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=' -d 'email=' -d 'key=' # API v4 -actionban = curl -s -o /dev/null -X POST -H 'X-Auth-Email: ' -H 'X-Auth-Key: ' \ - -H 'Content-Type: application/json' -d '{ "mode": "block", "configuration": { "target": "ip", "value": "" } }' \ - https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules +actionban = curl -s -o /dev/null -X POST <_cf_api_prms> \ + -d '{"mode":"block","configuration":{"target":"ip","value":""},"notes":"Fail2Ban "}' \ + <_cf_api_url> # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the 
@@ -58,9 +58,14 @@ actionban = curl -s -o /dev/null -X POST -H 'X-Auth-Email: ' -H 'X-Auth- # API v1 #actionunban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=nul' -d 'tkn=' -d 'email=' -d 'key=' # API v4 -actionunban = curl -s -o /dev/null -X DELETE -H 'X-Auth-Email: ' -H 'X-Auth-Key: ' \ - https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules/$(curl -s -X GET -H 'X-Auth-Email: ' -H 'X-Auth-Key: ' \ - 'https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules?mode=block&configuration_target=ip&configuration_value=&page=1&per_page=1' | cut -d'"' -f6) +actionunban = id=$(curl -s -X GET <_cf_api_prms> \ + "<_cf_api_url>?mode=block&configuration_target=ip&configuration_value=&page=1&per_page=1¬es=Fail2Ban%%20" \ + | { jq -r '.result[0].id' 2>/dev/null || tr -d '\n' | sed -nE 's/^.*"result"\s*:\s*\[\s*\{\s*"id"\s*:\s*"([^"]+)".*$/\1/p'; }) + if [ -z "$id" ]; then echo ": id for cannot be found"; exit 0; fi; + curl -s -o /dev/null -X DELETE <_cf_api_prms> "<_cf_api_url>/$id" + +_cf_api_url = https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules +_cf_api_prms = -H 'X-Auth-Email: ' -H 'X-Auth-Key: ' -H 'Content-Type: application/json' [Init] diff --git a/fail2ban/action.d/complain.conf b/fail2ban/action.d/complain.conf index 1f74d63..4d73b05 100644 --- a/fail2ban/action.d/complain.conf +++ b/fail2ban/action.d/complain.conf @@ -41,13 +41,13 @@ debug = 0 norestored = 1 # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = 
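Review bot: In the new `actionunban`, the `[ -z "$id" ]` guard does not catch the no-match case when jq is installed: `jq -r '.result[0].id'` prints the literal `null` and exits 0 for an empty `result` array, so `id` becomes `null` and the DELETE is sent to `<_cf_api_url>/null`. Using `jq -r '.result[0].id // empty'` makes the guard work for both the jq and the sed path. Separately, the not-found branch ends with `exit 0`, so an unban that removed nothing at Cloudflare is reported as success; if that is deliberate it deserves a comment, e.g. `# exit 0: rule already gone, do not fail the unban`.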
@@ -102,7 +102,7 @@ logpath = /dev/null # Notes.: Your system mail command. Is passed 2 args: subject and recipient # Values: CMD # -mailcmd = mail -s +mailcmd = mail -E 'set escape' -s # Option: mailargs # Notes.: Additional arguments to mail command. e.g. for standard Unix mail: diff --git a/fail2ban/action.d/dshield.conf b/fail2ban/action.d/dshield.conf index 4f2e09c..3d5a7a5 100644 --- a/fail2ban/action.d/dshield.conf +++ b/fail2ban/action.d/dshield.conf @@ -32,13 +32,13 @@ norestored = 1 # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = if [ -f .buffer ]; then @@ -179,7 +179,7 @@ tcpflags = # Notes.: Your system mail command. Is passed 2 args: subject and recipient # Values: CMD # -mailcmd = mail -s +mailcmd = mail -E 'set escape' -s # Option: mailargs # Notes.: Additional arguments to mail command. e.g. for standard Unix mail: diff --git a/fail2ban/action.d/dummy.conf b/fail2ban/action.d/dummy.conf index 41250c2..eb07e32 100644 --- a/fail2ban/action.d/dummy.conf +++ b/fail2ban/action.d/dummy.conf @@ -7,7 +7,7 @@ [Definition] # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = if [ ! -z '' ]; then touch ; fi; @@ -22,7 +22,7 @@ actionflush = printf %%b "-*\n" echo "%(debug)s clear all" # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = if [ ! -z '' ]; then rm -f ; fi; 
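Review bot: The `mailcmd` comment still only says the command "Is passed 2 args: subject and recipient" and gives no reason for the new `-E 'set escape'`, which appears to be there so that `mail` does not interpret `~` escape sequences in the piped message body (inferred; the body construction is outside the hunk). That should be written next to the option so a local override does not silently drop it, e.g. `# -E 'set escape': keeps "~" sequences in the message body from being processed as mail escapes; keep it when overriding mailcmd`. The meaning of `-E` differs between mail implementations, so the comment should also name the implementation this syntax is meant for. The same applies to the `mailcmd` hunk in dshield.conf and the `mail -E 'set escape'` lines in mail-buffered.conf.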
diff --git a/fail2ban/action.d/firewallcmd-ipset.conf b/fail2ban/action.d/firewallcmd-ipset.conf index dcf2037..c89a024 100644 --- a/fail2ban/action.d/firewallcmd-ipset.conf +++ b/fail2ban/action.d/firewallcmd-ipset.conf @@ -18,7 +18,7 @@ before = firewallcmd-common.conf [Definition] -actionstart = ipset create hash:ip timeout +actionstart = ipset create hash:ip timeout firewall-cmd --direct --add-rule filter 0 -m set --match-set src -j actionflush = ipset flush @@ -27,7 +27,9 @@ actionstop = firewall-cmd --direct --remove-rule filter 0 ipset destroy -actionban = ipset add timeout -exist +actionban = ipset add timeout -exist + +# actionprolong = %(actionban)s actionunban = ipset del -exist @@ -40,11 +42,19 @@ actionunban = ipset del -exist # chain = INPUT_direct -# Option: bantime -# Notes: specifies the bantime in seconds (handled internally rather than by fail2ban) -# Values: [ NUM ] Default: 600 +# Option: default-ipsettime +# Notes: specifies default timeout in seconds (handled default ipset timeout only) +# Values: [ NUM ] Default: 0 (no timeout, managed by fail2ban by unban) +default-ipsettime = 0 + +# Option: ipsettime +# Notes: specifies ticket timeout (handled ipset timeout only) +# Values: [ NUM ] Default: 0 (managed by fail2ban by unban) +ipsettime = 0 -bantime = 600 +# expresion to caclulate timeout from bantime, example: +# banaction = %(known/banaction)s[ipsettime=''] +timeout-bantime = $([ "" -le 2147483 ] && echo "" || echo 0) # Option: actiontype # Notes.: defines additions to the blocking rule @@ -61,7 +71,7 @@ allports = -p # Option: multiport # Notes.: addition to block access only to specific ports # Usage.: use in jail config: banaction = firewallcmd-ipset[actiontype=] -multiport = -p -m multiport --dports +multiport = -p -m multiport --dports "$(echo '' | sed s/:/-/g)" ipmset = f2b- familyopt = @@ -69,7 +79,7 @@ familyopt = [Init?family=inet6] ipmset = f2b-6 -familyopt = family inet6 +familyopt = family inet6 # DEV NOTES: 
diff --git a/fail2ban/action.d/firewallcmd-multiport.conf b/fail2ban/action.d/firewallcmd-multiport.conf index 81540e5..0c401f1 100644 --- a/fail2ban/action.d/firewallcmd-multiport.conf +++ b/fail2ban/action.d/firewallcmd-multiport.conf @@ -11,9 +11,9 @@ before = firewallcmd-common.conf actionstart = firewall-cmd --direct --add-chain filter f2b- firewall-cmd --direct --add-rule filter f2b- 1000 -j RETURN - firewall-cmd --direct --add-rule filter 0 -m conntrack --ctstate NEW -p -m multiport --dports -j f2b- + firewall-cmd --direct --add-rule filter 0 -m conntrack --ctstate NEW -p -m multiport --dports "$(echo '' | sed s/:/-/g)" -j f2b- -actionstop = firewall-cmd --direct --remove-rule filter 0 -m conntrack --ctstate NEW -p -m multiport --dports -j f2b- +actionstop = firewall-cmd --direct --remove-rule filter 0 -m conntrack --ctstate NEW -p -m multiport --dports "$(echo '' | sed s/:/-/g)" -j f2b- firewall-cmd --direct --remove-rules filter f2b- firewall-cmd --direct --remove-chain filter f2b- diff --git a/fail2ban/action.d/firewallcmd-new.conf b/fail2ban/action.d/firewallcmd-new.conf index b06f5cc..7b08603 100644 --- a/fail2ban/action.d/firewallcmd-new.conf +++ b/fail2ban/action.d/firewallcmd-new.conf @@ -10,9 +10,9 @@ before = firewallcmd-common.conf actionstart = firewall-cmd --direct --add-chain filter f2b- firewall-cmd --direct --add-rule filter f2b- 1000 -j RETURN - firewall-cmd --direct --add-rule filter 0 -m state --state NEW -p -m multiport --dports -j f2b- + firewall-cmd --direct --add-rule filter 0 -m state --state NEW -p -m multiport --dports "$(echo '' | sed s/:/-/g)" -j f2b- -actionstop = firewall-cmd --direct --remove-rule filter 0 -m state --state NEW -p -m multiport --dports -j f2b- +actionstop = firewall-cmd --direct --remove-rule filter 0 -m state --state NEW -p -m multiport --dports "$(echo '' | sed s/:/-/g)" -j f2b- firewall-cmd --direct --remove-rules filter f2b- firewall-cmd --direct --remove-chain filter f2b- 
diff --git a/fail2ban/action.d/firewallcmd-rich-logging.conf b/fail2ban/action.d/firewallcmd-rich-logging.conf index badfee8..21e4508 100644 --- a/fail2ban/action.d/firewallcmd-rich-logging.conf +++ b/fail2ban/action.d/firewallcmd-rich-logging.conf @@ -1,6 +1,6 @@ # Fail2Ban configuration file # -# Author: Donald Yandt +# Authors: Donald Yandt, Sergey G. Brester # # Because of the rich rule commands requires firewalld-0.3.1+ # This action uses firewalld rich-rules which gives you a cleaner iptables since it stores rules according to zones and not 
@@ -10,36 +10,15 @@ # # If you use the --permanent rule you get a xml file in /etc/firewalld/zones/.xml that can be shared and parsed easliy # -# Example commands to view rules: -# firewall-cmd [--zone=] --list-rich-rules -# firewall-cmd [--zone=] --list-all -# firewall-cmd [--zone=zone] --query-rich-rule='rule' +# This is an derivative of firewallcmd-rich-rules.conf, see there for details and other parameters. [INCLUDES] -before = firewallcmd-common.conf +before = firewallcmd-rich-rules.conf [Definition] -actionstart = - -actionstop = - -actioncheck = - -# you can also use zones and/or service names. -# -# zone example: -# firewall-cmd --zone= --add-rich-rule="rule family='' source address='' port port='' protocol='' log prefix='f2b-' level='' limit value='/m' " -# -# service name example: -# firewall-cmd --zone= --add-rich-rule="rule family='' source address='' service name='' log prefix='f2b-' level='' limit value='/m' " -# -# Because rich rules can only handle single or a range of ports we must split ports and execute the command for each port. Ports can be single and ranges separated by a comma or space for an example: http, https, 22-60, 18 smtp - -actionban = ports=""; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='' source address='' port port='$p' protocol='' log prefix='f2b-' level='' limit value='/m' "; done - -actionunban = ports=""; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='' source address='' port port='$p' protocol='' log prefix='f2b-' level='' limit value='/m' "; done +rich-suffix = log prefix='f2b-' level='' limit value='/m' [Init] @@ -48,4 +27,3 @@ level = info # log rate per minute rate = 1 - diff --git a/fail2ban/action.d/firewallcmd-rich-rules.conf b/fail2ban/action.d/firewallcmd-rich-rules.conf index bed7179..803d7d1 100644 --- a/fail2ban/action.d/firewallcmd-rich-rules.conf +++ b/fail2ban/action.d/firewallcmd-rich-rules.conf 
@@ -35,8 +35,10 @@ actioncheck = # # Because rich rules can only handle single or a range of ports we must split ports and execute the command for each port. Ports can be single and ranges separated by a comma or space for an example: http, https, 22-60, 18 smtp -actionban = ports=""; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='' source address='' port port='$p' protocol='' "; done - -actionunban = ports=""; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='' source address='' port port='$p' protocol='' "; done +fwcmd_rich_rule = rule family='' source address='' port port='$p' protocol='' %(rich-suffix)s +actionban = ports="$(echo '' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done + +actionunban = ports="$(echo '' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done +rich-suffix = \ No newline at end of file diff --git a/fail2ban/action.d/helpers-common.conf b/fail2ban/action.d/helpers-common.conf index 5799d9d..03422a8 100644 --- a/fail2ban/action.d/helpers-common.conf +++ b/fail2ban/action.d/helpers-common.conf 
@@ -1,16 +1,17 @@ -[DEFAULT] - -# Usage: -# _grep_logs_args = 'test' -# (printf %%b "Log-excerpt contains 'test':\n"; %(_grep_logs)s; printf %%b "Log-excerpt contains 'test':\n") | mail ... -# -_grep_logs = logpath=""; grep -E %(_grep_logs_args)s $logpath | -_grep_logs_args = "(^|[^0-9a-fA-F:])$(echo '' | sed 's/\./\\./g')([^0-9a-fA-F:]|$)" - -# Used for actions, that should not by executed if ticket was restored: -_bypass_if_restored = if [ '' = '1' ]; then exit 0; fi; - -[Init] -greplimit = tail -n -grepmax = 1000 -grepopts = -m +[DEFAULT] + +# Usage: +# _grep_logs_args = 'test' +# (printf %%b "Log-excerpt contains 'test':\n"; %(_grep_logs)s; printf %%b "Log-excerpt contains 'test':\n") | mail ... +# +_grep_logs = logpath=""; grep %(_grep_logs_args)s $logpath | +# options `-wF` used to match only whole words and fixed string (not as pattern) +_grep_logs_args = -wF "" + +# Used for actions, that should not by executed if ticket was restored: +_bypass_if_restored = if [ '' = '1' ]; then exit 0; fi; + +[Init] +greplimit = tail -n +grepmax = 1000 +grepopts = -m diff --git a/fail2ban/action.d/hostsdeny.conf b/fail2ban/action.d/hostsdeny.conf index 5cca652..8eebbaf 100644 --- a/fail2ban/action.d/hostsdeny.conf +++ b/fail2ban/action.d/hostsdeny.conf @@ -8,13 +8,13 @@ [Definition] # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = @@ -31,7 +31,7 @@ actioncheck = # Tags: See jail.conf(5) man page # Values: CMD # -actionban = IP= && printf %%b ": $IP\n" >> +actionban = printf %%b ": \n" >> # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the 
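Review bot: The switch to `grep -wF` in `_grep_logs_args` drops the old pattern's exclusion of adjacent `[0-9a-fA-F:]` characters, and `-w` treats `:` and `.` as word boundaries, so an IPv6 address that is a colon-delimited prefix or suffix of a longer one can still match and pull another host's lines into the mailed excerpt. The added comment about `-wF` should mention that limitation, e.g. `# note: -w treats ':' and '.' as word boundaries, so a longer address containing this one may also match`. Fixed-string matching itself is the safer choice, since the value is no longer interpreted as a pattern.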
@@ -39,7 +39,7 @@ actionban = IP= && printf %%b ": $IP\n" >> # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = IP=$(echo | sed 's/\./\\./g') && sed -i "/^: $IP$/d" +actionunban = IP=$(echo "" | sed 's/[][\.]/\\\0/g') && sed -i "/^: $IP$/d" [Init] @@ -54,3 +54,9 @@ file = /etc/hosts.deny # for hosts.deny/hosts_access. Default is all services. # Values: STR Default: ALL daemon_list = ALL + +# internal variable IP (to differentiate the IPv4 and IPv6 syntax, where it is enclosed in brackets): +ip_value = + +[Init?family=inet6] +ip_value = [] diff --git a/fail2ban/action.d/ipfilter.conf b/fail2ban/action.d/ipfilter.conf index 61420e3..02091d6 100644 --- a/fail2ban/action.d/ipfilter.conf +++ b/fail2ban/action.d/ipfilter.conf @@ -9,7 +9,7 @@ [Definition] # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # # enable IPF if not already enabled @@ -17,7 +17,7 @@ actionstart = /sbin/ipf -E # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # # don't disable IPF with "/sbin/ipf -D", there may be other filters in use diff --git a/fail2ban/action.d/ipfw.conf b/fail2ban/action.d/ipfw.conf index 3762520..956b154 100644 --- a/fail2ban/action.d/ipfw.conf +++ b/fail2ban/action.d/ipfw.conf @@ -8,14 +8,14 @@ [Definition] # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = 
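Review bot: The new escaping in `actionunban`, `sed 's/[][\.]/\\\0/g'`, relies on `\0` standing for the whole match in the replacement, which is a GNU sed extension; POSIX only defines `&` for that. On a sed without the extension the brackets and dots of the address would not be escaped as intended, and the following `sed -i` delete could then match nothing or the wrong line (inferred, not tested here). `sed 's/[][\.]/\\&/g'` is the portable spelling.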
diff --git a/fail2ban/action.d/iptables-allports.conf b/fail2ban/action.d/iptables-allports.conf index dbea598..caf9ab8 100644 --- a/fail2ban/action.d/iptables-allports.conf +++ b/fail2ban/action.d/iptables-allports.conf @@ -14,7 +14,7 @@ before = iptables-common.conf [Definition] # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = -N f2b- @@ -22,7 +22,7 @@ actionstart = -N f2b- -I -p -j f2b- # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = -D -p -j f2b- diff --git a/fail2ban/action.d/iptables-ipset-proto4.conf b/fail2ban/action.d/iptables-ipset-proto4.conf index 30353f3..99ebbf8 100644 --- a/fail2ban/action.d/iptables-ipset-proto4.conf +++ b/fail2ban/action.d/iptables-ipset-proto4.conf @@ -24,7 +24,7 @@ before = iptables-common.conf [Definition] # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = ipset --create f2b- iphash @@ -38,7 +38,7 @@ actionstart = ipset --create f2b- iphash actionflush = ipset --flush f2b- # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = -D -p -m multiport --dports -m set --match-set f2b- src -j diff --git a/fail2ban/action.d/iptables-ipset-proto6-allports.conf b/fail2ban/action.d/iptables-ipset-proto6-allports.conf index b761ad8..67d7947 100644 --- a/fail2ban/action.d/iptables-ipset-proto6-allports.conf +++ b/fail2ban/action.d/iptables-ipset-proto6-allports.conf 
@@ -23,10 +23,10 @@ before = iptables-common.conf [Definition] # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # -actionstart = ipset create hash:ip timeout +actionstart = ipset create hash:ip timeout -I -m set --match-set src -j # Option: actionflush @@ -36,7 +36,7 @@ actionstart = ipset create hash:ip timeout actionflush = ipset flush # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = -D -m set --match-set src -j @@ -49,7 +49,9 @@ actionstop = -D -m set --match-set src -j timeout -exist +actionban = ipset add timeout -exist + +# actionprolong = %(actionban)s # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -61,11 +63,19 @@ actionunban = ipset del -exist [Init] -# Option: bantime -# Notes: specifies the bantime in seconds (handled internally rather than by fail2ban) -# Values: [ NUM ] Default: 600 -# -bantime = 600 +# Option: default-ipsettime +# Notes: specifies default timeout in seconds (handled default ipset timeout only) +# Values: [ NUM ] Default: 0 (no timeout, managed by fail2ban by unban) +default-ipsettime = 0 + +# Option: ipsettime +# Notes: specifies ticket timeout (handled ipset timeout only) +# Values: [ NUM ] Default: 0 (managed by fail2ban by unban) +ipsettime = 0 + +# expresion to caclulate timeout from bantime, example: +# banaction = %(known/banaction)s[ipsettime=''] +timeout-bantime = $([ "" -le 2147483 ] && echo "" || echo 0) ipmset = f2b- familyopt = @@ -74,4 +84,4 @@ familyopt = [Init?family=inet6] ipmset = f2b-6 -familyopt = family inet6 +familyopt = family inet6 diff --git a/fail2ban/action.d/iptables-ipset-proto6.conf b/fail2ban/action.d/iptables-ipset-proto6.conf index e337eed..8760102 100644 
--- a/fail2ban/action.d/iptables-ipset-proto6.conf +++ b/fail2ban/action.d/iptables-ipset-proto6.conf @@ -23,10 +23,10 @@ before = iptables-common.conf [Definition] # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # -actionstart = ipset create hash:ip timeout +actionstart = ipset create hash:ip timeout -I -p -m multiport --dports -m set --match-set src -j # Option: actionflush @@ -36,7 +36,7 @@ actionstart = ipset create hash:ip timeout actionflush = ipset flush # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = -D -p -m multiport --dports -m set --match-set src -j @@ -49,7 +49,9 @@ actionstop = -D -p -m multiport --dports -m # Tags: See jail.conf(5) man page # Values: CMD # -actionban = ipset add timeout -exist +actionban = ipset add timeout -exist + +# actionprolong = %(actionban)s # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -61,11 +63,19 @@ actionunban = ipset del -exist [Init] -# Option: bantime -# Notes: specifies the bantime in seconds (handled internally rather than by fail2ban) -# Values: [ NUM ] Default: 600 -# -bantime = 600 +# Option: default-ipsettime +# Notes: specifies default timeout in seconds (handled default ipset timeout only) +# Values: [ NUM ] Default: 0 (no timeout, managed by fail2ban by unban) +default-ipsettime = 0 + +# Option: ipsettime +# Notes: specifies ticket timeout (handled ipset timeout only) +# Values: [ NUM ] Default: 0 (managed by fail2ban by unban) +ipsettime = 0 + +# expresion to caclulate timeout from bantime, example: +# banaction = %(known/banaction)s[ipsettime=''] +timeout-bantime = $([ "" -le 2147483 ] && echo "" || echo 0) ipmset = f2b- familyopt = 
@@ -74,4 +84,4 @@ familyopt = [Init?family=inet6] ipmset = f2b-6 -familyopt = family inet6 +familyopt = family inet6 diff --git a/fail2ban/action.d/iptables-multiport-log.conf b/fail2ban/action.d/iptables-multiport-log.conf index 62c2b4b..df126db 100644 --- a/fail2ban/action.d/iptables-multiport-log.conf +++ b/fail2ban/action.d/iptables-multiport-log.conf @@ -16,7 +16,7 @@ before = iptables-common.conf [Definition] # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = -N f2b- @@ -34,7 +34,7 @@ actionflush = -F f2b- -F f2b--log # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = -D -p -m multiport --dports -j f2b- diff --git a/fail2ban/action.d/iptables-multiport.conf b/fail2ban/action.d/iptables-multiport.conf index c05f6ff..41b00c5 100644 --- a/fail2ban/action.d/iptables-multiport.conf +++ b/fail2ban/action.d/iptables-multiport.conf @@ -11,7 +11,7 @@ before = iptables-common.conf [Definition] # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = -N f2b- @@ -19,7 +19,7 @@ actionstart = -N f2b- -I -p -m multiport --dports -j f2b- # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = -D -p -m multiport --dports -j f2b- diff --git a/fail2ban/action.d/iptables-new.conf b/fail2ban/action.d/iptables-new.conf index 5b31680..39a1709 100644 --- a/fail2ban/action.d/iptables-new.conf +++ b/fail2ban/action.d/iptables-new.conf 
@@ -13,7 +13,7 @@ before = iptables-common.conf [Definition] # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = -N f2b- @@ -21,7 +21,7 @@ actionstart = -N f2b- -I -m state --state NEW -p --dport -j f2b- # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = -D -m state --state NEW -p --dport -j f2b- diff --git a/fail2ban/action.d/iptables-xt_recent-echo.conf b/fail2ban/action.d/iptables-xt_recent-echo.conf index 1970de1..9744922 100644 --- a/fail2ban/action.d/iptables-xt_recent-echo.conf +++ b/fail2ban/action.d/iptables-xt_recent-echo.conf @@ -12,7 +12,7 @@ before = iptables-common.conf [Definition] # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # # Changing iptables rules requires root privileges. If fail2ban is @@ -42,7 +42,7 @@ actionstart = if [ `id -u` -eq 0 ];then -I -m recent --update actionflush = # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = echo / > /proc/net/xt_recent/ diff --git a/fail2ban/action.d/iptables.conf b/fail2ban/action.d/iptables.conf index bf83e24..8ed5fda 100644 --- a/fail2ban/action.d/iptables.conf +++ b/fail2ban/action.d/iptables.conf 
@@ -11,7 +11,7 @@ before = iptables-common.conf [Definition] # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = -N f2b- @@ -19,7 +19,7 @@ actionstart = -N f2b- -I -p --dport -j f2b- # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = -D -p --dport -j f2b- diff --git a/fail2ban/action.d/mail-buffered.conf b/fail2ban/action.d/mail-buffered.conf index 88cd623..79b8410 100644 --- a/fail2ban/action.d/mail-buffered.conf +++ b/fail2ban/action.d/mail-buffered.conf @@ -10,17 +10,17 @@ norestored = 1 # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = printf %%b "Hi,\n The jail has been started successfully.\n Output will be buffered until lines are available.\n Regards,\n - Fail2Ban"|mail -s "[Fail2Ban] : started on " + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : started on " # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = if [ -f ]; then @@ -28,13 +28,13 @@ actionstop = if [ -f ]; then These hosts have been banned by Fail2Ban.\n `cat ` Regards,\n - Fail2Ban"|mail -s "[Fail2Ban] : Summary from " + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : Summary from " rm fi printf %%b "Hi,\n The jail has been stopped.\n Regards,\n - Fail2Ban"|mail -s "[Fail2Ban] : stopped on " + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : stopped on " # Option: actioncheck # Notes.: command executed once before each actionban command 
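Review bot: The `-E 'set escape'` added to the `mail` calls in actionstart and actionstop of mail-buffered.conf depends on which mail(1) is installed. Some implementations take `-E` with a command argument, while in others `-E` is an argument-less switch for skipping empty-body messages, in which case `'set escape'` is parsed as something else and tilde escapes in the piped body stay enabled. The option is presumably there to stop the mailer from interpreting `~` lines in text that fail2ban pipes in, so confirm on this host that the installed `mail` accepts it and that the jail's start mail still arrives. A comment above the first use would help, e.g. `# -E 'set escape': disable tilde escapes in the piped body; needs a mail(1) that accepts -E CMD`. The same applies to the `mail -E 'set escape'` lines in the `@@ -55,7 +55,7 @@` hunk of this file and in mail-whois-lines.conf (`mailcmd`), mail-whois.conf and mail.conf.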
@@ -55,7 +55,7 @@ actionban = printf %%b "`date`: ( failures)\n" >> These hosts have been banned by Fail2Ban.\n `cat ` \nRegards,\n - Fail2Ban"|mail -s "[Fail2Ban] : Summary" + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : Summary" rm fi diff --git a/fail2ban/action.d/mail-whois-common.conf b/fail2ban/action.d/mail-whois-common.conf index b0d27af..ecf3a5d 100644 --- a/fail2ban/action.d/mail-whois-common.conf +++ b/fail2ban/action.d/mail-whois-common.conf @@ -17,7 +17,7 @@ _whois = whois || echo "missing whois program" # character set before sending it to a mail program # make sure you have 'file' and 'iconv' commands installed when opting for that _whois_target_charset = UTF-8 -_whois_convert_charset = whois | +_whois_convert_charset = (%(_whois)s) | { WHOIS_OUTPUT=$(cat) ; WHOIS_CHARSET=$(printf %%b "$WHOIS_OUTPUT" | file -b --mime-encoding -) ; printf %%b "$WHOIS_OUTPUT" | iconv -f $WHOIS_CHARSET -t %(_whois_target_charset)s//TRANSLIT - ; } # choose between _whois and _whois_convert_charset in mail-whois-common.local diff --git a/fail2ban/action.d/mail-whois-lines.conf b/fail2ban/action.d/mail-whois-lines.conf index 37e2d9b..d2818cb 100644 --- a/fail2ban/action.d/mail-whois-lines.conf +++ b/fail2ban/action.d/mail-whois-lines.conf @@ -15,7 +15,7 @@ before = mail-whois-common.conf norestored = 1 # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = printf %%b "Hi,\n @@ -24,7 +24,7 @@ actionstart = printf %%b "Hi,\n Fail2Ban" | "[Fail2Ban] : started on " # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = printf %%b "Hi,\n 
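Review bot: `_whois_convert_charset` still replays the captured whois text with `printf %%b "$WHOIS_OUTPUT"`, so backslash sequences in data returned by a remote whois server are interpreted, and `$WHOIS_CHARSET` reaches `iconv -f` unquoted. The changed line only switches the pipeline's input to `(%(_whois)s)`; the rest of the option is unchanged context. I would print the text verbatim with `printf %%s "$WHOIS_OUTPUT"` in both places and quote the charset as `iconv -f "$WHOIS_CHARSET"`.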
@@ -72,7 +72,7 @@ actionunban = # Notes.: Your system mail command. Is passed 2 args: subject and recipient # Values: CMD # -mailcmd = mail -s +mailcmd = mail -E 'set escape' -s # Default name of the chain # diff --git a/fail2ban/action.d/mail-whois.conf b/fail2ban/action.d/mail-whois.conf index 1f69f4c..ab33b61 100644 --- a/fail2ban/action.d/mail-whois.conf +++ b/fail2ban/action.d/mail-whois.conf @@ -14,22 +14,22 @@ before = mail-whois-common.conf norestored = 1 # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = printf %%b "Hi,\n The jail has been started successfully.\n Regards,\n - Fail2Ban"|mail -s "[Fail2Ban] : started on " + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : started on " # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = printf %%b "Hi,\n The jail has been stopped.\n Regards,\n - Fail2Ban"|mail -s "[Fail2Ban] : stopped on " + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : stopped on " # Option: actioncheck # Notes.: command executed once before each actionban command @@ -49,7 +49,7 @@ actionban = printf %%b "Hi,\n Here is more information about :\n `%(_whois_command)s`\n Regards,\n - Fail2Ban"|mail -s "[Fail2Ban] : banned from " + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : banned from " # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the diff --git a/fail2ban/action.d/mail.conf b/fail2ban/action.d/mail.conf index cfc1cf6..f4838dd 100644 --- a/fail2ban/action.d/mail.conf +++ b/fail2ban/action.d/mail.conf 
@@ -10,22 +10,22 @@ norestored = 1 # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = printf %%b "Hi,\n The jail has been started successfully.\n Regards,\n - Fail2Ban"|mail -s "[Fail2Ban] : started on " + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : started on " # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = printf %%b "Hi,\n The jail has been stopped.\n Regards,\n - Fail2Ban"|mail -s "[Fail2Ban] : stopped on " + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : stopped on " # Option: actioncheck # Notes.: command executed once before each actionban command @@ -43,7 +43,7 @@ actionban = printf %%b "Hi,\n The IP has just been banned by Fail2Ban after attempts against .\n Regards,\n - Fail2Ban"|mail -s "[Fail2Ban] : banned from " + Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : banned from " # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the diff --git a/fail2ban/action.d/mynetwatchman.conf b/fail2ban/action.d/mynetwatchman.conf index 8f3edf9..b0ab2cc 100644 --- a/fail2ban/action.d/mynetwatchman.conf +++ b/fail2ban/action.d/mynetwatchman.conf @@ -28,13 +28,13 @@ [Definition] # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = 
diff --git a/fail2ban/action.d/nftables-allports.conf b/fail2ban/action.d/nftables-allports.conf index 6c69da3..908abe4 100644 --- a/fail2ban/action.d/nftables-allports.conf +++ b/fail2ban/action.d/nftables-allports.conf @@ -6,17 +6,12 @@ # Modified: Alexander Belykh # adapted for nftables # +# Obsolete: superseded by nftables[type=allports] [INCLUDES] -before = nftables-common.conf +before = nftables.conf [Definition] -# Option: nftables_mode -# Notes.: additional expressions for nftables filter rule -# Values: nftables expressions -# -nftables_mode = meta l4proto - -[Init] +type = allports diff --git a/fail2ban/action.d/nftables-multiport.conf b/fail2ban/action.d/nftables-multiport.conf index d1afafb..ba3ec92 100644 --- a/fail2ban/action.d/nftables-multiport.conf +++ b/fail2ban/action.d/nftables-multiport.conf @@ -6,17 +6,12 @@ # Modified: Alexander Belykh # adapted for nftables # +# Obsolete: superseded by nftables[type=multiport] [INCLUDES] -before = nftables-common.conf +before = nftables.conf [Definition] -# Option: nftables_mode -# Notes.: additional expressions for nftables filter rule -# Values: nftables expressions -# -nftables_mode = dport \{ \} - -[Init] +type = multiport \ No newline at end of file diff --git a/fail2ban/action.d/nftables.conf b/fail2ban/action.d/nftables.conf new file mode 100644 index 0000000..77cf366 --- /dev/null +++ b/fail2ban/action.d/nftables.conf 
@@ -0,0 +1,203 @@ +# Fail2Ban configuration file +# +# Author: Daniel Black +# Author: Cyril Jaquier +# Modified: Yaroslav O. Halchenko +# made active on all ports from original iptables.conf +# Modified: Alexander Belykh +# adapted for nftables +# +# This is a included configuration file and includes the definitions for the nftables +# used in all nftables based actions by default. +# +# The user can override the defaults in nftables-common.local +# Example: redirect flow to honeypot +# +# [Init] +# table_family = ip +# chain_type = nat +# chain_hook = prerouting +# chain_priority = -50 +# blocktype = counter redirect to 2222 + +[INCLUDES] + +after = nftables-common.local + +[Definition] + +# Option: type +# Notes.: type of the action. +# Values: [ multiport | allports ] Default: multiport +# +type = multiport + +rule_match-custom = +rule_match-allports = meta l4proto \{ \} +rule_match-multiport = $proto dport \{ $(echo '' | sed s/:/-/g) \} +match = > + +# Option: rule_stat +# Notes.: statement for nftables filter rule. +# leaving it empty will block all (include udp and icmp) +# Values: nftables statement +# +rule_stat = %(match)s saddr @ + +# optional interator over protocol's: +_nft_for_proto-custom-iter = +_nft_for_proto-custom-done = +_nft_for_proto-allports-iter = +_nft_for_proto-allports-done = +_nft_for_proto-multiport-iter = for proto in $(echo '' | sed 's/,/ /g'); do +_nft_for_proto-multiport-done = done + +_nft_list = -a list chain
+_nft_get_handle_id = grep -oP '@\s+.*\s+\Khandle\s+(\d+)$' + +_nft_add_set = add set
\{ type \; \} + <_nft_for_proto--iter> + add rule
%(rule_stat)s + <_nft_for_proto--done> +_nft_del_set = { %(_nft_list)s | %(_nft_get_handle_id)s; } | while read -r hdl; do + delete rule
$hdl; done + delete set
+ +# Option: _nft_shutdown_table +# Notes.: command executed after the stop in order to delete table (it checks that no sets are available): +# Values: CMD +# +_nft_shutdown_table = { list table
| grep -qP '^\s+set\s+'; } || { + delete table
+ } + +# Option: actionstart +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). +# Values: CMD +# +actionstart = add table
+ -- add chain
\{ type hook priority \; \} + %(_nft_add_set)s + +# Option: actionflush +# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action); +# uses `nft flush set ...` and as fallback (e. g. unsupported) recreates the set (with references) +# Values: CMD +# +actionflush = { flush set
2> /dev/null; } || { + %(_nft_del_set)s + %(_nft_add_set)s + } + +# Option: actionstop +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +# Values: CMD +# +actionstop = %(_nft_del_set)s + <_nft_shutdown_table> + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = list chain
| grep -q '@[ \t]' + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionban = add element
\{ \} + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = delete element
\{ \} + +[Init] + +# Option: table +# Notes.: main table to store chain and sets (automatically created on demand) +# Values: STRING Default: f2b-table +table = f2b-table + +# Option: table_family +# Notes.: address family to work in +# Values: [ip | ip6 | inet] Default: inet +table_family = inet + +# Option: chain +# Notes.: main chain to store rules +# Values: STRING Default: f2b-chain +chain = f2b-chain + +# Option: chain_type +# Notes.: refers to the kind of chain to be created +# Values: [filter | route | nat] Default: filter +# +chain_type = filter + +# Option: chain_hook +# Notes.: refers to the kind of chain to be created +# Values: [ prerouting | input | forward | output | postrouting ] Default: input +# +chain_hook = input + +# Option: chain_priority +# Notes.: priority in the chain. +# Values: NUMBER Default: -1 +# +chain_priority = -1 + +# Option: addr_type +# Notes.: address type to work with +# Values: [ipv4_addr | ipv6_addr] Default: ipv4_addr +# +addr_type = ipv4_addr + +# Default name of the filtering set +# +name = default + +# Option: port +# Notes.: specifies port to monitor +# Values: [ NUM | STRING ] Default: +# +port = ssh + +# Option: protocol +# Notes.: internally used by config reader for interpolations. +# Values: [ tcp | udp ] Default: tcp +# +protocol = tcp + +# Option: blocktype +# Note: This is what the action does with rules. This can be any jump target +# as per the nftables man page (section 8). 
Common values are drop, +# reject, reject with icmpx type host-unreachable, redirect to 2222 +# Values: STRING +blocktype = reject + +# Option: nftables +# Notes.: Actual command to be executed, including common to all calls options +# Values: STRING +nftables = nft + +# Option: addr_set +# Notes.: The name of the nft set used to store banned addresses +# Values: STRING +addr_set = addr-set- + +# Option: addr_family +# Notes.: The family of the banned addresses +# Values: [ ip | ip6 ] +addr_family = ip + +[Init?family=inet6] +addr_family = ip6 +addr_type = ipv6_addr +addr_set = addr6-set- diff --git a/fail2ban/action.d/nginx-block-map.conf b/fail2ban/action.d/nginx-block-map.conf index 33c15f9..ee70290 100644 --- a/fail2ban/action.d/nginx-block-map.conf +++ b/fail2ban/action.d/nginx-block-map.conf @@ -103,6 +103,8 @@ actionstop = %(actionflush)s actioncheck = -actionban = echo "\\\\ 1;" >> '%(blck_lst_file)s'; %(blck_lst_reload)s +_echo_blck_row = printf '\%%s 1;\n' "" -actionunban = id=$(echo "" | sed -e 's/[]\/$*.^|[]/\\&/g'); sed -i "/$id 1;/d" %(blck_lst_file)s; %(blck_lst_reload)s +actionban = %(_echo_blck_row)s >> '%(blck_lst_file)s'; %(blck_lst_reload)s + +actionunban = id=$(%(_echo_blck_row)s | sed -e 's/[]\/$*.^|[]/\\&/g'); sed -i "/^$id$/d" %(blck_lst_file)s; %(blck_lst_reload)s diff --git a/fail2ban/action.d/npf.conf b/fail2ban/action.d/npf.conf index 8b00d17..3bbb2f5 100644 --- a/fail2ban/action.d/npf.conf +++ b/fail2ban/action.d/npf.conf @@ -9,7 +9,7 @@ [Definition] # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # # we don't enable NPF automatically, as it will be enabled elsewhere 
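Review bot: The `type` option in the new nftables.conf documents only `[ multiport | allports ]`, but the file also defines `rule_match-custom` and `_nft_for_proto-custom-iter`/`-done`, all empty, so `custom` appears to be a third accepted value. Per the `rule_stat` note an empty match blocks every protocol from a banned address, which an administrator should know before selecting it. I would extend the comment to `# Values: [ multiport | allports | custom ] Default: multiport` and add one line saying that `custom` uses `rule_match-custom`, empty by default. Separately, the nftables-allports.conf and nftables-multiport.conf hunks earlier in this patch drop `nftables_mode`, so an override of that option left in nftables-common.local would presumably no longer take effect and is worth checking on this host.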
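Review bot: In the new `actionunban` of nginx-block-map.conf, `sed -i` receives `%(blck_lst_file)s` unquoted, while `actionban` in the same hunk appends to `'%(blck_lst_file)s'` in single quotes. With a configured path that contains a space or a glob character, the unban would not edit the file the ban wrote to and the blocked entry would stay in the list; I would write `sed -i "/^$id$/d" '%(blck_lst_file)s'`. The argument passed to `_echo_blck_row` is not legible on this page, so its quoting is not covered by this note.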
@@ -17,7 +17,7 @@ actionstart = # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # # we don't disable NPF automatically either diff --git a/fail2ban/action.d/nsupdate.conf b/fail2ban/action.d/nsupdate.conf index 7886825..ef56c6b 100644 --- a/fail2ban/action.d/nsupdate.conf +++ b/fail2ban/action.d/nsupdate.conf @@ -42,14 +42,14 @@ [Definition] # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = diff --git a/fail2ban/action.d/osx-afctl.conf b/fail2ban/action.d/osx-afctl.conf index a319fc6..a75e572 100644 --- a/fail2ban/action.d/osx-afctl.conf +++ b/fail2ban/action.d/osx-afctl.conf @@ -12,5 +12,5 @@ actioncheck = actionban = /usr/libexec/afctl -a -t actionunban = /usr/libexec/afctl -r -[Init] -bantime = 2880 +actionprolong = %(actionunban)s && %(actionban)s + diff --git a/fail2ban/action.d/osx-ipfw.conf b/fail2ban/action.d/osx-ipfw.conf index abe4009..6ff6afd 100644 --- a/fail2ban/action.d/osx-ipfw.conf +++ b/fail2ban/action.d/osx-ipfw.conf @@ -9,14 +9,14 @@ [Definition] # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = diff --git a/fail2ban/action.d/pf.conf b/fail2ban/action.d/pf.conf index 905312c..933b4de 100644 
--- a/fail2ban/action.d/pf.conf +++ b/fail2ban/action.d/pf.conf @@ -10,7 +10,7 @@ [Definition] # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # # we don't enable PF automatically; to enable run pfctl -e @@ -35,7 +35,7 @@ actionstart = echo "table <-> persist counters" | -f- actionstart_on_demand = false # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # # we only disable PF rules we've installed prior diff --git a/fail2ban/action.d/sendmail-buffered.conf b/fail2ban/action.d/sendmail-buffered.conf index 37bc642..13803f8 100644 --- a/fail2ban/action.d/sendmail-buffered.conf +++ b/fail2ban/action.d/sendmail-buffered.conf @@ -14,7 +14,7 @@ before = sendmail-common.conf norestored = 1 # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = printf %%b "Subject: [Fail2Ban] : started on @@ -24,10 +24,10 @@ actionstart = printf %%b "Subject: [Fail2Ban] : started on The jail has been started successfully.\n Output will be buffered until lines are available.\n Regards,\n - Fail2Ban" | /usr/sbin/sendmail -f + Fail2Ban" | # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = if [ -f ]; then @@ -38,7 +38,7 @@ actionstop = if [ -f ]; then These hosts have been banned by Fail2Ban.\n `cat ` Regards,\n - Fail2Ban" | /usr/sbin/sendmail -f + Fail2Ban" | rm fi printf %%b "Subject: [Fail2Ban] : stopped on 
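Review bot: The mail pipe in actionstart of sendmail-buffered.conf (and in its actionstop and actionban hunks) may end up without a command, because the only definition of `mailcmd` in this patch lands in sendmail-common.conf.dpkg-dist. The text that replaces `/usr/sbin/sendmail -f …` after the pipe is not legible here and is presumably a reference to that option. A `.dpkg-dist` file is the packaged version dpkg sets aside when the locally modified file is kept, and fail2ban reads only `.conf` and `.local` files, so the live sendmail-common.conf may still lack `mailcmd`. Before restarting fail2ban, merge the `mailcmd = /usr/sbin/sendmail -f …` line into the live file or a sendmail-common.local, and compare sendmail-whois.conf.dpkg-dist and sendmail.conf.dpkg-dist against their live counterparts in the same way. The same reference is used by sendmail-geoip-lines.conf and the sendmail-whois-* actions later in the patch.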
@@ -47,7 +47,7 @@ actionstop = if [ -f ]; then Hi,\n The jail has been stopped.\n Regards,\n - Fail2Ban" | /usr/sbin/sendmail -f + Fail2Ban" | # Option: actioncheck # Notes.: command executed once before each actionban command @@ -71,7 +71,7 @@ actionban = printf %%b "`date`: ( failures)\n" >> These hosts have been banned by Fail2Ban.\n `cat ` Regards,\n - Fail2Ban" | /usr/sbin/sendmail -f + Fail2Ban" | rm fi diff --git a/fail2ban/action.d/sendmail-common.conf.dpkg-dist b/fail2ban/action.d/sendmail-common.conf.dpkg-dist index 46eca9c..1e31fad 100644 --- a/fail2ban/action.d/sendmail-common.conf.dpkg-dist +++ b/fail2ban/action.d/sendmail-common.conf.dpkg-dist @@ -11,7 +11,7 @@ after = sendmail-common.local [Definition] # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = printf %%b "Subject: [Fail2Ban] : started on @@ -21,10 +21,10 @@ actionstart = printf %%b "Subject: [Fail2Ban] : started on Hi,\n The jail has been started successfully.\n Regards,\n - Fail2Ban" | /usr/sbin/sendmail -f + Fail2Ban" | # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = printf %%b "Subject: [Fail2Ban] : stopped on @@ -34,7 +34,7 @@ actionstop = printf %%b "Subject: [Fail2Ban] : stopped on Hi,\n The jail has been stopped.\n Regards,\n - Fail2Ban" | /usr/sbin/sendmail -f + Fail2Ban" | # Option: actioncheck # Notes.: command executed once before each actionban command @@ -60,6 +60,10 @@ actionunban = [Init] +# Your system mail command +# +mailcmd = /usr/sbin/sendmail -f "" "" + # Recipient mail address # dest = root diff --git a/fail2ban/action.d/sendmail-geoip-lines.conf b/fail2ban/action.d/sendmail-geoip-lines.conf index b7c1bf3..b36e49a 100644 
--- a/fail2ban/action.d/sendmail-geoip-lines.conf +++ b/fail2ban/action.d/sendmail-geoip-lines.conf @@ -37,11 +37,11 @@ actionban = ( printf %%b "Subject: [Fail2Ban] : banned from " | cut -d':' -f2-` AS:`geoiplookup -f /usr/share/GeoIP/GeoIPASNum.dat "" | cut -d':' -f2-` hostname: \n\n - Lines containing failures of \n"; + Lines containing failures of (max )\n"; %(_grep_logs)s; printf %%b "\n Regards,\n - Fail2Ban" ) | /usr/sbin/sendmail -f + Fail2Ban" ) | [Init] diff --git a/fail2ban/action.d/sendmail-whois-ipjailmatches.conf b/fail2ban/action.d/sendmail-whois-ipjailmatches.conf index 06ea3a3..7790ec5 100644 --- a/fail2ban/action.d/sendmail-whois-ipjailmatches.conf +++ b/fail2ban/action.d/sendmail-whois-ipjailmatches.conf @@ -7,6 +7,7 @@ [INCLUDES] before = sendmail-common.conf + mail-whois-common.conf [Definition] @@ -27,11 +28,11 @@ actionban = printf %%b "Subject: [Fail2Ban] : banned from has just been banned by Fail2Ban after attempts against .\n\n Here is more information about :\n - `/usr/bin/whois `\n\n + `%(_whois_command)s`\n\n Matches for with failures IP:\n \n\n Regards,\n - Fail2Ban" | /usr/sbin/sendmail -f + Fail2Ban" | [Init] diff --git a/fail2ban/action.d/sendmail-whois-ipmatches.conf b/fail2ban/action.d/sendmail-whois-ipmatches.conf index 83bff1b..e4717ca 100644 --- a/fail2ban/action.d/sendmail-whois-ipmatches.conf +++ b/fail2ban/action.d/sendmail-whois-ipmatches.conf @@ -7,6 +7,7 @@ [INCLUDES] before = sendmail-common.conf + mail-whois-common.conf [Definition] @@ -27,11 +28,11 @@ actionban = printf %%b "Subject: [Fail2Ban] : banned from has just been banned by Fail2Ban after attempts against .\n\n Here is more information about :\n - `/usr/bin/whois `\n\n + `%(_whois_command)s`\n\n Matches with failures IP:\n \n\n Regards,\n - Fail2Ban" | /usr/sbin/sendmail -f + Fail2Ban" | [Init] diff --git a/fail2ban/action.d/sendmail-whois-lines.conf b/fail2ban/action.d/sendmail-whois-lines.conf index 4b947cb..47ec6ed 100644 
--- a/fail2ban/action.d/sendmail-whois-lines.conf +++ b/fail2ban/action.d/sendmail-whois-lines.conf @@ -7,6 +7,7 @@ [INCLUDES] before = sendmail-common.conf + mail-whois-common.conf helpers-common.conf [Definition] @@ -27,13 +28,13 @@ actionban = ( printf %%b "Subject: [Fail2Ban] : banned from has just been banned by Fail2Ban after attempts against .\n\n - Here is more information about :\n - `/usr/bin/whois || echo missing whois program`\n\n - Lines containing failures of \n"; + Here is more information about :\n" + %(_whois_command)s; + printf %%b "\nLines containing failures of (max )\n"; %(_grep_logs)s; printf %%b "\n Regards,\n - Fail2Ban" ) | /usr/sbin/sendmail -f + Fail2Ban" ) | [Init] diff --git a/fail2ban/action.d/sendmail-whois-matches.conf b/fail2ban/action.d/sendmail-whois-matches.conf index 0152013..08215ea 100644 --- a/fail2ban/action.d/sendmail-whois-matches.conf +++ b/fail2ban/action.d/sendmail-whois-matches.conf @@ -7,6 +7,7 @@ [INCLUDES] before = sendmail-common.conf + mail-whois-common.conf [Definition] @@ -27,11 +28,11 @@ actionban = printf %%b "Subject: [Fail2Ban] : banned from has just been banned by Fail2Ban after attempts against .\n\n Here is more information about :\n - `/usr/bin/whois `\n\n + `%(_whois_command)s`\n\n Matches:\n \n\n Regards,\n - Fail2Ban" | /usr/sbin/sendmail -f + Fail2Ban" | [Init] diff --git a/fail2ban/action.d/sendmail-whois.conf.dpkg-dist b/fail2ban/action.d/sendmail-whois.conf.dpkg-dist index 2fb01ed..9e93cd3 100644 --- a/fail2ban/action.d/sendmail-whois.conf.dpkg-dist +++ b/fail2ban/action.d/sendmail-whois.conf.dpkg-dist @@ -7,6 +7,7 @@ [INCLUDES] before = sendmail-common.conf + mail-whois-common.conf [Definition] 
@@ -27,9 +28,9 @@ actionban = printf %%b "Subject: [Fail2Ban] : banned from has just been banned by Fail2Ban after attempts against .\n\n Here is more information about :\n - `/usr/bin/whois || echo missing whois program`\n + `%(_whois_command)s`\n Regards,\n - Fail2Ban" | /usr/sbin/sendmail -f + Fail2Ban" | [Init] diff --git a/fail2ban/action.d/sendmail.conf.dpkg-dist b/fail2ban/action.d/sendmail.conf.dpkg-dist index cf42091..ad9e8d7 100644 --- a/fail2ban/action.d/sendmail.conf.dpkg-dist +++ b/fail2ban/action.d/sendmail.conf.dpkg-dist @@ -27,7 +27,7 @@ actionban = printf %%b "Subject: [Fail2Ban] : banned from has just been banned by Fail2Ban after attempts against .\n Regards,\n - Fail2Ban" | /usr/sbin/sendmail -f + Fail2Ban" | [Init] diff --git a/fail2ban/action.d/shorewall-ipset-proto6.conf b/fail2ban/action.d/shorewall-ipset-proto6.conf index 1ebcfb0..eacb53d 100644 --- a/fail2ban/action.d/shorewall-ipset-proto6.conf +++ b/fail2ban/action.d/shorewall-ipset-proto6.conf @@ -47,15 +47,15 @@ [Definition] # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = if ! ipset -quiet -name list f2b- >/dev/null; - then ipset -quiet -exist create f2b- hash:ip timeout ; + then ipset -quiet -exist create f2b- hash:ip timeout ; fi # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = ipset flush f2b- @@ -66,7 +66,9 @@ actionstop = ipset flush f2b- # Tags: See jail.conf(5) man page # Values: CMD # -actionban = ipset add f2b- timeout -exist +actionban = ipset add f2b- timeout -exist + +# actionprolong = %(actionban)s # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the 
@@ -76,10 +78,16 @@ actionban = ipset add f2b- timeout -exist # actionunban = ipset del f2b- -exist -[Init] +# Option: default-ipsettime +# Notes: specifies default timeout in seconds (handled default ipset timeout only) +# Values: [ NUM ] Default: 0 (no timeout, managed by fail2ban by unban) +default-ipsettime = 0 -# Option: bantime -# Notes: specifies the bantime in seconds (handled internally rather than by fail2ban) -# Values: [ NUM ] Default: 600 -# -bantime = 600 +# Option: ipsettime +# Notes: specifies ticket timeout (handled ipset timeout only) +# Values: [ NUM ] Default: 0 (managed by fail2ban by unban) +ipsettime = 0 + +# expresion to caclulate timeout from bantime, example: +# banaction = %(known/banaction)s[ipsettime=''] +timeout-bantime = $([ "" -le 2147483 ] && echo "" || echo 0) diff --git a/fail2ban/action.d/shorewall.conf b/fail2ban/action.d/shorewall.conf index 282b95a..83d08d9 100644 --- a/fail2ban/action.d/shorewall.conf +++ b/fail2ban/action.d/shorewall.conf @@ -9,7 +9,7 @@ # connections. So if the attempter goes on trying using the same connection # he could even log in. In order to get the same behavior of the iptable # action (so that the ban is immediate) the /etc/shorewall/shorewall.conf -# file should me modified with "BLACKLISTNEWONLY=No". Note that as of +# file should be modified with "BLACKLISTNEWONLY=No". Note that as of # Shorewall 4.5.13 BLACKLISTNEWONLY is deprecated; however the equivalent # of BLACKLISTNEWONLY=No can now be achieved by setting BLACKLIST="ALL". # @@ -17,13 +17,13 @@ [Definition] # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = 
diff --git a/fail2ban/action.d/smtp.py b/fail2ban/action.d/smtp.py index 9cdfe32..5c27d0f 100644 --- a/fail2ban/action.d/smtp.py +++ b/fail2ban/action.d/smtp.py @@ -159,25 +159,25 @@ class SMTPAction(ActionBase): try: self._logSys.debug("Connected to SMTP '%s', response: %i: %s", self.host, *smtp.connect(self.host)) - if self.user and self.password: + if self.user and self.password: # pragma: no cover (ATM no tests covering that) smtp.login(self.user, self.password) failed_recipients = smtp.sendmail( self.fromaddr, self.toaddr.split(", "), msg.as_string()) - except smtplib.SMTPConnectError: + except smtplib.SMTPConnectError: # pragma: no cover self._logSys.error("Error connecting to host '%s'", self.host) raise - except smtplib.SMTPAuthenticationError: + except smtplib.SMTPAuthenticationError: # pragma: no cover self._logSys.error( "Failed to authenticate with host '%s' user '%s'", self.host, self.user) raise - except smtplib.SMTPException: + except smtplib.SMTPException: # pragma: no cover self._logSys.error( "Error sending mail to host '%s' from '%s' to '%s'", self.host, self.fromaddr, self.toaddr) raise else: - if failed_recipients: + if failed_recipients: # pragma: no cover self._logSys.warning( "Email to '%s' failed to following recipients: %r", self.toaddr, failed_recipients) @@ -186,7 +186,7 @@ class SMTPAction(ActionBase): try: self._logSys.debug("Disconnected from '%s', response %i: %s", self.host, *smtp.quit()) - except smtplib.SMTPServerDisconnected: + except smtplib.SMTPServerDisconnected: # pragma: no cover pass # Not connected def start(self): diff --git a/fail2ban/action.d/symbiosis-blacklist-allports.conf b/fail2ban/action.d/symbiosis-blacklist-allports.conf index c24a8e0..6fb7d0a 100644 --- a/fail2ban/action.d/symbiosis-blacklist-allports.conf +++ b/fail2ban/action.d/symbiosis-blacklist-allports.conf 
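Review bot: `smtp.login(self.user, self.password)` follows `smtp.connect(self.host)` with no TLS negotiation in between, so if `smtp` is a plain `smtplib.SMTP` object (it is created outside this hunk) the credentials and the ban report cross the network unencrypted. I would add `smtp.starttls()` as the first statement of the `if self.user and self.password:` branch; a server that does not offer STARTTLS then raises an `smtplib.SMTPException` subclass, which the existing handler already logs and re-raises. Marking that branch `# pragma: no cover` also leaves the authentication path untested, so a test against a stub SMTP server would be a useful follow-up. The enclosing method starts above the hunk.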
@@ -10,13 +10,13 @@ before = iptables-common.conf [Definition] # Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = diff --git a/fail2ban/action.d/xarf-login-attack.conf b/fail2ban/action.d/xarf-login-attack.conf index 2b135c4..f348b2c 100644 --- a/fail2ban/action.d/xarf-login-attack.conf +++ b/fail2ban/action.d/xarf-login-attack.conf @@ -41,7 +41,12 @@ actionstop = actioncheck = -actionban = oifs=${IFS}; IFS=.;SEP_IP=( ); set -- ${SEP_IP}; ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs} +actionban = oifs=${IFS}; + RESOLVER_ADDR="%(addr_resolver)s" + if [ "" -gt 0 ]; then echo "try to resolve $RESOLVER_ADDR"; fi + ADDRESSES=$(dig +short -t txt -q $RESOLVER_ADDR | tr -d '"') + IFS=,; ADDRESSES=$(echo $ADDRESSES) + IFS=${oifs} IP= FROM= SERVICE= @@ -51,26 +56,37 @@ actionban = oifs=${IFS}; IFS=.;SEP_IP=( ); set -- ${SEP_IP}; ADDRESSES=$(di PORT= DATE=`LC_ALL=C date --date=@