From 800b5e65f557b7b7e6b53b3c2b190fa4e3b133b8 Mon Sep 17 00:00:00 2001 From: Frank Brehm Date: Sat, 8 Sep 2018 00:05:01 +0200 Subject: [PATCH] daily autocommit --- .etckeeper | 2 ++ cron.daily/logrotate | 12 ++++++++- iptables/rules.v4 | 62 +++++++++++++++++++++++++++++--------------- iptables/rules.v6 | 24 ++++++++--------- logrotate.conf | 16 ------------ logrotate.d/btmp | 11 ++++++++ logrotate.d/wtmp | 12 +++++++++ 7 files changed, 89 insertions(+), 50 deletions(-) create mode 100644 logrotate.d/btmp create mode 100644 logrotate.d/wtmp diff --git a/.etckeeper b/.etckeeper index de7b9b0..ac3d09a 100755 --- a/.etckeeper +++ b/.etckeeper @@ -2149,6 +2149,7 @@ maybe chmod 0644 'logrotate.d/apport' maybe chmod 0644 'logrotate.d/apt' maybe chmod 0644 'logrotate.d/aptitude' maybe chmod 0644 'logrotate.d/bind' +maybe chmod 0644 'logrotate.d/btmp' maybe chmod 0644 'logrotate.d/chrony' maybe chmod 0644 'logrotate.d/ctdb' maybe chmod 0644 'logrotate.d/cups-daemon' @@ -2167,6 +2168,7 @@ maybe chmod 0644 'logrotate.d/samba' maybe chmod 0644 'logrotate.d/speech-dispatcher' maybe chmod 0644 'logrotate.d/ufw' maybe chmod 0644 'logrotate.d/winbind' +maybe chmod 0644 'logrotate.d/wtmp' maybe chmod 0644 'lsb-release' maybe chmod 0644 'ltrace.conf' maybe chmod 0755 'lvm' diff --git a/cron.daily/logrotate b/cron.daily/logrotate index 0f18864..7cd4040 100755 --- a/cron.daily/logrotate +++ b/cron.daily/logrotate @@ -11,4 +11,14 @@ done >> status.clean mv status.clean status test -x /usr/sbin/logrotate || exit 0 -/usr/sbin/logrotate /etc/logrotate.conf +LOG=/var/log/logrotate.log +echo >> ${LOG} +echo "################################################" >> ${LOG} +echo "[$(date --rfc-3339=seconds )]: Start Logrotating" >> ${LOG} +/usr/sbin/logrotate /etc/logrotate.conf >> ${LOG} 2>&1 +EXITVALUE=$? +if [ $EXITVALUE != 0 ]; then + /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]" +fi +echo "[$(date --rfc-3339=seconds )]: End Logrotating" >> ${LOG} +exit $EXITVALUE 
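Review bot: Nothing in this commit rotates or restricts the new /var/log/logrotate.log that the added lines in cron.daily/logrotate append to: no logrotate.d entry is added for it, and the file is created with whatever umask cron runs under. Unless a rule exists elsewhere, the file grows without bound; a logrotate.d stanza for it with an explicit `create` mode and owner (for example `create 0640 root adm`) would cover both. Separately, the expansions are unquoted and the status check is a string comparison; `if [ "$EXITVALUE" -ne 0 ]; then` and `>> "${LOG}"` are the conventional forms. The start of the script lies outside the hunk.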
diff --git a/iptables/rules.v4 b/iptables/rules.v4 index c5dc7b7..087e5ee 100644 --- a/iptables/rules.v4 +++ b/iptables/rules.v4 @@ -1,28 +1,18 @@ -# Generated by iptables-save v1.6.1 on Mon Jul 9 18:37:19 2018 -*nat -:PREROUTING ACCEPT [1722:94287] -:INPUT ACCEPT [587:43491] -:OUTPUT ACCEPT [999:73894] -:POSTROUTING ACCEPT [999:73894] --A POSTROUTING -o eth1 -j MASQUERADE -COMMIT -# Completed on Mon Jul 9 18:37:19 2018 -# Generated by iptables-save v1.6.1 on Mon Jul 9 18:37:19 2018 -*mangle -:PREROUTING ACCEPT [78783:21431779] -:INPUT ACCEPT [77648:21380983] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [112963:69035449] -:POSTROUTING ACCEPT [112984:69037785] -COMMIT -# Completed on Mon Jul 9 18:37:19 2018 -# Generated by iptables-save v1.6.1 on Mon Jul 9 18:37:19 2018 +# Generated by iptables-save v1.6.1 on Fri Sep 7 10:33:38 2018 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] -:OUTPUT ACCEPT [112596:68974784] +:OUTPUT ACCEPT [514:97020] +-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT +-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT +-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT +-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate RELATED -j ACCEPT +-A INPUT -s 221.232.0.0/14 -p tcp -m tcp --dport 22 -j DROP +-A INPUT -s 61.183.0.0/16 -p tcp -m tcp --dport 22 -j DROP +-A INPUT -s 61.184.0.0/16 -p tcp -m tcp --dport 22 -j DROP +-A INPUT -s 125.65.42.0/24 -p tcp -m tcp --dport 22 -j DROP -A INPUT -s 133.9.187.135/32 -p tcp -m tcp --dport 22 -j DROP -A INPUT -s 216.32.92.138/32 -p tcp -m tcp --dport 22 -j DROP -A INPUT -i lo -j ACCEPT 
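Review bot: The added `-i virbr0` INPUT accepts for ports 53 and 67 look like the rules libvirt installs at runtime when its default network starts, captured here by iptables-save. The same applies to the virbr0 FORWARD rules, the mangle CHECKSUM rule and the 192.168.122.0/24 nat rules in the two later hunks of this file. If this file is restored at boot and libvirt then inserts its own copies, the rules end up duplicated, and the saved ones stay loaded even if the libvirt network is later removed. Consider saving only the host's own rules and leaving the virbr0 ones to libvirt. The four new source-range DROPs for port 22 sit after the ESTABLISHED/RELATED accepts, so they stop new connections only, which is presumably the intent.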
@@ -49,6 +39,11 @@ COMMIT -A INPUT -i eth1 -p udp -m udp --dport 631 -j DROP -A INPUT -j NFLOG --nflog-prefix "INPUT Drop " --nflog-threshold 1 -A INPUT -j DROP +-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT +-A FORWARD -i virbr0 -o virbr0 -j ACCEPT +-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable +-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT -A FORWARD -m conntrack --ctstate RELATED -j ACCEPT -A FORWARD -p icmp -j ACCEPT @@ -58,5 +53,30 @@ COMMIT -A FORWARD -i lo -j ACCEPT -A FORWARD -j NFLOG --nflog-prefix "FORWARD Drop " --nflog-threshold 1 -A FORWARD -j DROP +-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT +COMMIT +# Completed on Fri Sep 7 10:33:38 2018 +# Generated by iptables-save v1.6.1 on Fri Sep 7 10:33:38 2018 +*mangle +:PREROUTING ACCEPT [2780971:1073916911] +:INPUT ACCEPT [2775019:1073614296] +:FORWARD ACCEPT [530:60638] +:OUTPUT ACCEPT [981171:208638362] +:POSTROUTING ACCEPT [1124728:225421903] +-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill +COMMIT +# Completed on Fri Sep 7 10:33:38 2018 +# Generated by iptables-save v1.6.1 on Fri Sep 7 10:33:38 2018 +*nat +:PREROUTING ACCEPT [175037:83596528] +:INPUT ACCEPT [169380:83319440] +:OUTPUT ACCEPT [115353:23384772] +:POSTROUTING ACCEPT [111775:22620528] +-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN +-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN +-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535 +-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535 +-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE +-A POSTROUTING -o eth1 -j MASQUERADE COMMIT -# Completed on Mon Jul 9 18:37:19 2018 +# Completed on Fri Sep 7 10:33:38 2018 
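Review bot: The five virbr0 FORWARD rules are placed ahead of the chain's existing rules, so `-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT` accepts guest traffic to any destination before the host's own FORWARD filtering applies. Neither that traffic nor the packets hit by the two virbr0 REJECT rules reach the `FORWARD Drop` NFLOG rule, so they are not logged. If guests should be limited to particular destinations, or their rejected traffic logged, that has to be expressed before this block. Otherwise a `-m comment --comment` on the accept rule stating that the guest subnet is deliberately unfiltered would document the intent. The rest of the FORWARD chain lies outside this hunk.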
diff --git a/iptables/rules.v6 b/iptables/rules.v6 index 5391572..405ca19 100644 --- a/iptables/rules.v6 +++ b/iptables/rules.v6 @@ -1,17 +1,8 @@ -# Generated by ip6tables-save v1.6.1 on Mon Jul 9 18:37:19 2018 -*mangle -:PREROUTING ACCEPT [2772:1042808] -:INPUT ACCEPT [128:18749] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [28:3099] -:POSTROUTING ACCEPT [49:5855] -COMMIT -# Completed on Mon Jul 9 18:37:19 2018 -# Generated by ip6tables-save v1.6.1 on Mon Jul 9 18:37:19 2018 +# Generated by ip6tables-save v1.6.1 on Fri Sep 7 10:33:38 2018 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] -:OUTPUT ACCEPT [28:3099] +:OUTPUT ACCEPT [705:86754] :f_mail - [0:0] -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate RELATED -j ACCEPT @@ -60,4 +51,13 @@ COMMIT -A f_mail -j NFLOG --nflog-prefix "IPv6 F_MAIL Reject " --nflog-threshold 1 -A f_mail -j REJECT --reject-with icmp6-port-unreachable COMMIT -# Completed on Mon Jul 9 18:37:19 2018 +# Completed on Fri Sep 7 10:33:38 2018 +# Generated by ip6tables-save v1.6.1 on Fri Sep 7 10:33:38 2018 +*mangle +:PREROUTING ACCEPT [13771:4996662] +:INPUT ACCEPT [1513:206900] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [705:86754] +:POSTROUTING ACCEPT [1228:161933] +COMMIT +# Completed on Fri Sep 7 10:33:38 2018 diff --git a/logrotate.conf b/logrotate.conf index 7f50acb..2e7887e 100644 --- a/logrotate.conf +++ b/logrotate.conf @@ -32,20 +32,4 @@ noolddir # packages drop log rotation information into this directory include /etc/logrotate.d -# no packages own wtmp, or btmp -- we'll rotate them here -/var/log/wtmp { - missingok - monthly - create 0664 root utmp - rotate 12 - minsize 4M -} - -/var/log/btmp { - missingok - monthly - create 0660 root utmp - rotate 1 -} - # system-specific logs may be configured here diff --git a/logrotate.d/btmp b/logrotate.d/btmp new file mode 100644 index 0000000..2e5f092 --- /dev/null +++ b/logrotate.d/btmp 
@@ -0,0 +1,11 @@ +# no packages own btmp -- we'll rotate it here +/var/log/btmp { + missingok + weekly + create 0660 root utmp + minsize 4M + rotate 12 + dateext + dateformat -%Y-%m-%d +} + diff --git a/logrotate.d/wtmp b/logrotate.d/wtmp new file mode 100644 index 0000000..9f89f5e --- /dev/null +++ b/logrotate.d/wtmp @@ -0,0 +1,12 @@ +# no packages own wtmp, or btmp -- we'll rotate them here +/var/log/wtmp { + missingok + weekly + create 0664 root utmp + rotate 12 + minsize 4M + dateext + dateformat -%Y-%m-%d +} + + -- 2.39.5
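Review bot: `minsize 4M` combined with `weekly` in logrotate.d/btmp makes rotation of /var/log/btmp depend on size as well as age, so on a host with few failed logins the file may never be rotated and the `rotate 12` bound never takes effect. The btmp stanza removed from logrotate.conf had no size condition. If time-bounded retention of failed-login records is wanted, drop `minsize 4M` from this file; if the size gate is deliberate, a comment saying so would help the next reader.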
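Review bot: The header comment in logrotate.d/wtmp was carried over unchanged from logrotate.conf and still says the file rotates both wtmp and btmp, while the stanza covers only /var/log/wtmp. `# no packages own wtmp -- we'll rotate it here` would match the wording used in the btmp file. The file also ends with two blank lines where one would do.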