From b7929fd2d86e7f5121e71b91c1425bdbe16cae07 Mon Sep 17 00:00:00 2001 
From: root Date: Fri, 11 Mar 2016 10:45:04 +0100 Subject: [PATCH] saving uncommitted changes in /etc prior to emerge run --- .etckeeper | 41 +- .../._mrg0000_00_default_settings.conf | 131 +++ apache2/modules.d/00_apache_manual.conf | 9 +- apache2/modules.d/00_error_documents.conf | 3 +- apache2/modules.d/00_mod_autoindex.conf | 3 +- apache2/modules.d/00_mod_info.conf | 16 +- apache2/modules.d/00_mod_mime.conf | 9 - apache2/modules.d/00_mod_status.conf | 16 +- apache2/modules.d/00_mpm.conf | 30 +- apache2/vhosts.d/00_default_vhost.conf | 2 +- apache2/vhosts.d/default_vhost.include | 8 +- .../apache2/modules.d/00_apache_manual.conf | 4 +- .../apache2/modules.d/00_apache_manual.conf.1 | 4 +- .../apache2/modules.d/00_apache_manual.conf.2 | 8 +- .../apache2/modules.d/00_apache_manual.conf.3 | 4 +- .../apache2/modules.d/00_apache_manual.conf.4 | 4 +- .../apache2/modules.d/00_apache_manual.conf.5 | 4 +- .../apache2/modules.d/00_apache_manual.conf.6 | 6 +- .../apache2/modules.d/00_apache_manual.conf.7 | 4 +- .../apache2/modules.d/00_apache_manual.conf.8 | 13 +- .../modules.d/00_apache_manual.conf.dist | 9 +- .../modules.d/00_default_settings.conf | 3 +- .../modules.d/00_default_settings.conf.1 | 134 +++ .../00_default_settings.conf.dist.new | 131 +++ .../apache2/modules.d/00_error_documents.conf | 58 ++ .../modules.d/00_error_documents.conf.dist | 0 .../apache2/modules.d/00_mod_autoindex.conf | 3 + .../apache2/modules.d/00_mod_autoindex.conf.1 | 16 +- .../modules.d/00_mod_autoindex.conf.dist | 3 +- .../etc/apache2/modules.d/00_mod_info.conf | 18 + .../apache2/modules.d/00_mod_info.conf.dist | 0 .../etc/apache2/modules.d/00_mod_mime.conf | 55 ++ .../apache2/modules.d/00_mod_mime.conf.dist | 0 .../etc/apache2/modules.d/00_mod_status.conf | 23 + .../apache2/modules.d/00_mod_status.conf.dist | 0 .../etc/apache2/modules.d/00_mpm.conf | 99 +++ .../etc/apache2/modules.d/00_mpm.conf.dist | 0 .../apache2/vhosts.d/00_default_vhost.conf | 48 ++ 
.../vhosts.d/00_default_vhost.conf.dist | 0 .../apache2/vhosts.d/default_vhost.include | 73 ++ .../vhosts.d/default_vhost.include.dist | 0 config-archive/etc/conf.d/fail2ban | 8 + .../etc/conf.d/fail2ban.dist.new | 0 .../etc/etckeeper/etckeeper.conf.dist | 0 .../etc/etckeeper/etckeeper.conf.dist.new | 44 - config-archive/etc/fail2ban/jail.conf | 762 ++++++++++++++++++ .../etc/fail2ban/jail.conf.dist | 0 config-archive/etc/fail2ban/paths-debian.conf | 40 + .../etc/fail2ban/paths-debian.conf.dist.new | 0 .../etc/logrotate.d/fail2ban.dist.new | 2 - etckeeper/etckeeper.conf | 17 +- fail2ban/jail.conf | 30 +- logrotate.d/._cfg0000_fail2ban | 16 - 53 files changed, 1728 insertions(+), 183 deletions(-) create mode 100644 apache2/modules.d/._mrg0000_00_default_settings.conf rename apache2/modules.d/._cfg0000_00_apache_manual.conf => config-archive/etc/apache2/modules.d/00_apache_manual.conf.8 (72%) create mode 100644 config-archive/etc/apache2/modules.d/00_default_settings.conf.1 create mode 100644 config-archive/etc/apache2/modules.d/00_default_settings.conf.dist.new create mode 100644 config-archive/etc/apache2/modules.d/00_error_documents.conf rename apache2/modules.d/._cfg0000_00_error_documents.conf => config-archive/etc/apache2/modules.d/00_error_documents.conf.dist (100%) rename apache2/modules.d/._cfg0000_00_mod_autoindex.conf => config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.1 (88%) create mode 100644 config-archive/etc/apache2/modules.d/00_mod_info.conf rename apache2/modules.d/._cfg0000_00_mod_info.conf => config-archive/etc/apache2/modules.d/00_mod_info.conf.dist (100%) create mode 100644 config-archive/etc/apache2/modules.d/00_mod_mime.conf rename apache2/modules.d/._cfg0000_00_mod_mime.conf => config-archive/etc/apache2/modules.d/00_mod_mime.conf.dist (100%) create mode 100644 config-archive/etc/apache2/modules.d/00_mod_status.conf rename apache2/modules.d/._cfg0000_00_mod_status.conf => config-archive/etc/apache2/modules.d/00_mod_status.conf.dist 
(100%) create mode 100644 config-archive/etc/apache2/modules.d/00_mpm.conf rename apache2/modules.d/._cfg0000_00_mpm.conf => config-archive/etc/apache2/modules.d/00_mpm.conf.dist (100%) create mode 100644 config-archive/etc/apache2/vhosts.d/00_default_vhost.conf rename apache2/vhosts.d/._cfg0000_00_default_vhost.conf => config-archive/etc/apache2/vhosts.d/00_default_vhost.conf.dist (100%) create mode 100644 config-archive/etc/apache2/vhosts.d/default_vhost.include rename apache2/vhosts.d/._cfg0000_default_vhost.include => config-archive/etc/apache2/vhosts.d/default_vhost.include.dist (100%) create mode 100644 config-archive/etc/conf.d/fail2ban rename conf.d/._cfg0000_fail2ban => config-archive/etc/conf.d/fail2ban.dist.new (100%) rename etckeeper/._cfg0000_etckeeper.conf => config-archive/etc/etckeeper/etckeeper.conf.dist (100%) delete mode 100644 config-archive/etc/etckeeper/etckeeper.conf.dist.new create mode 100644 config-archive/etc/fail2ban/jail.conf rename fail2ban/._cfg0000_jail.conf => config-archive/etc/fail2ban/jail.conf.dist (100%) create mode 100644 config-archive/etc/fail2ban/paths-debian.conf rename fail2ban/._cfg0000_paths-debian.conf => config-archive/etc/fail2ban/paths-debian.conf.dist.new (100%) delete mode 100644 logrotate.d/._cfg0000_fail2ban diff --git a/.etckeeper b/.etckeeper index f35ee5a..78a9cc4 100755 --- a/.etckeeper +++ b/.etckeeper 
@@ -79,14 +79,8 @@ maybe chmod 0644 'apache2/httpd.conf'
 maybe chmod 0644 'apache2/info_users_passwd'
 maybe chmod 0644 'apache2/magic'
 maybe chmod 0755 'apache2/modules.d'
-maybe chmod 0644 'apache2/modules.d/._cfg0000_00_apache_manual.conf'
 maybe chmod 0644 'apache2/modules.d/._cfg0000_00_default_settings.conf'
-maybe chmod 0644 'apache2/modules.d/._cfg0000_00_error_documents.conf'
-maybe chmod 0644 'apache2/modules.d/._cfg0000_00_mod_autoindex.conf'
-maybe chmod 0644 'apache2/modules.d/._cfg0000_00_mod_info.conf'
-maybe chmod 0644 'apache2/modules.d/._cfg0000_00_mod_mime.conf'
-maybe chmod 0644 'apache2/modules.d/._cfg0000_00_mod_status.conf'
-maybe chmod 0644 'apache2/modules.d/._cfg0000_00_mpm.conf'
+maybe chmod 0644 'apache2/modules.d/._mrg0000_00_default_settings.conf'
 maybe chmod 0644 'apache2/modules.d/.keep_dev-vcs_subversion-0'
 maybe chmod 0644 'apache2/modules.d/.keep_www-servers_apache-2'
 maybe chmod 0644 'apache2/modules.d/00_apache_manual.conf'
@@ -113,8 +107,6 @@ maybe chmod 0644 'apache2/modules.d/99_nagios3.conf'
 maybe chmod 0755 'apache2/ssl'
 maybe chmod 0600 'apache2/ssl/egroupware-cert.pem'
 maybe chmod 0755 'apache2/vhosts.d'
-maybe chmod 0644 'apache2/vhosts.d/._cfg0000_00_default_vhost.conf'
-maybe chmod 0644 'apache2/vhosts.d/._cfg0000_default_vhost.include'
 maybe chmod 0644 'apache2/vhosts.d/.keep_www-servers_apache-2'
 maybe chmod 0644 'apache2/vhosts.d/00_default_ssl_vhost.conf'
 maybe chmod 0644 'apache2/vhosts.d/00_default_vhost.conf'
@@ -182,7 +174,6 @@ maybe chmod 0644 'colordiffrc'
 maybe chmod 0644 'colordiffrc-gitdiff'
 maybe chmod 0644 'colordiffrc-lightbg'
 maybe chmod 0755 'conf.d'
-maybe chmod 0644 'conf.d/._cfg0000_fail2ban'
 maybe chmod 0644 'conf.d/acpid'
 maybe chmod 0644 'conf.d/apache2'
 maybe chmod 0644 'conf.d/atd'
@@ -282,14 +273,32 @@ maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_apache_manual.conf.4'
 maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_apache_manual.conf.5'
 maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_apache_manual.conf.6'
 maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_apache_manual.conf.7'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_apache_manual.conf.8'
 maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_apache_manual.conf.dist'
 maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_default_settings.conf'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_default_settings.conf.1'
 maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_default_settings.conf.dist'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_default_settings.conf.dist.new'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_error_documents.conf'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_error_documents.conf.dist'
 maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_autoindex.conf'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.1'
 maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_info.conf'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_info.conf.dist'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_mime.conf'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_mime.conf.dist'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_status.conf'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mod_status.conf.dist'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mpm.conf'
+maybe chmod 0644 'config-archive/etc/apache2/modules.d/00_mpm.conf.dist'
 maybe chmod 0755 'config-archive/etc/apache2/vhosts.d'
 maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/00_default_ssl_vhost.conf'
 maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/00_default_ssl_vhost.conf.dist'
+maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/00_default_vhost.conf'
+maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/00_default_vhost.conf.dist'
+maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/default_vhost.include'
+maybe chmod 0644 'config-archive/etc/apache2/vhosts.d/default_vhost.include.dist'
 maybe chmod 0755 'config-archive/etc/bash'
 maybe chmod 0644 'config-archive/etc/bash/bashrc'
 maybe chmod 0644 'config-archive/etc/bash/bashrc.1'
@@ -311,6 +320,8 @@ maybe chmod 0644 'config-archive/etc/conf.d/acpid'
 maybe chmod 0644 'config-archive/etc/conf.d/acpid.dist'
 maybe chmod 0644 'config-archive/etc/conf.d/apache2'
 maybe chmod 0644 'config-archive/etc/conf.d/apache2.dist'
+maybe chmod 0644 'config-archive/etc/conf.d/fail2ban'
+maybe chmod 0644 'config-archive/etc/conf.d/fail2ban.dist.new'
 maybe chmod 0644 'config-archive/etc/conf.d/fsck'
 maybe chmod 0644 'config-archive/etc/conf.d/fsck.dist'
 maybe chmod 0644 'config-archive/etc/conf.d/keymaps'
@@ -375,11 +386,15 @@ maybe chmod 0644 'config-archive/etc/eselect/postgresql/slots/9.1/server.2'
 maybe chmod 0644 'config-archive/etc/eselect/postgresql/slots/9.1/server.dist'
 maybe chmod 0755 'config-archive/etc/etckeeper'
 maybe chmod 0644 'config-archive/etc/etckeeper/etckeeper.conf'
-maybe chmod 0644 'config-archive/etc/etckeeper/etckeeper.conf.dist.new'
+maybe chmod 0644 'config-archive/etc/etckeeper/etckeeper.conf.dist'
 maybe chmod 0755 'config-archive/etc/fail2ban'
 maybe chmod 0644 'config-archive/etc/fail2ban/fail2ban.conf'
 maybe chmod 0644 'config-archive/etc/fail2ban/fail2ban.conf.1'
 maybe chmod 0644 'config-archive/etc/fail2ban/fail2ban.conf.dist'
+maybe chmod 0644 'config-archive/etc/fail2ban/jail.conf'
+maybe chmod 0644 'config-archive/etc/fail2ban/jail.conf.dist'
+maybe chmod 0644 'config-archive/etc/fail2ban/paths-debian.conf'
+maybe chmod 0644 'config-archive/etc/fail2ban/paths-debian.conf.dist.new'
 maybe chmod 0644 'config-archive/etc/hosts'
 maybe chmod 0644 'config-archive/etc/hosts.dist.new'
 maybe chmod 0755 'config-archive/etc/init.d'
@@ -926,7 +941,6 @@ maybe chmod 0755 'eselect/postgresql/slots/9.5'
 maybe chmod 0644 'eselect/postgresql/slots/9.5/base'
 maybe chmod 0644 'etc-update.conf'
 maybe chmod 0755 'etckeeper'
-maybe chmod 0644 'etckeeper/._cfg0000_etckeeper.conf'
 maybe chmod 0755 'etckeeper/commit.d'
 maybe chmod 0755 'etckeeper/commit.d/10vcs-test'
 maybe chmod 0755 'etckeeper/commit.d/30bzr-add'
@@ -974,8 +988,6 @@ maybe chmod 0644 'etckeeper/update-ignore.d/README'
 maybe chmod 0755 'etckeeper/vcs.d'
 maybe chmod 0755 'etckeeper/vcs.d/50vcs-cmd'
 maybe chmod 0755 'fail2ban'
-maybe chmod 0644 'fail2ban/._cfg0000_jail.conf'
-maybe chmod 0644 'fail2ban/._cfg0000_paths-debian.conf'
 maybe chmod 0755 'fail2ban/action.d'
 maybe chmod 0644 'fail2ban/action.d/apf.conf'
 maybe chmod 0644 'fail2ban/action.d/badips.conf'
@@ -1380,7 +1392,6 @@ maybe chmod 0644 'login.defs'
 maybe chmod 0644 'logrotate.conf'
 maybe chmod 0644 'logrotate.conf.orig'
 maybe chmod 0755 'logrotate.d'
-maybe chmod 0644 'logrotate.d/._cfg0000_fail2ban'
 maybe chmod 0644 'logrotate.d/.keep_app-admin_logrotate-0'
 maybe chmod 0644 'logrotate.d/apache2'
 maybe chmod 0644 'logrotate.d/clamav'
diff --git a/apache2/modules.d/._mrg0000_00_default_settings.conf b/apache2/modules.d/._mrg0000_00_default_settings.conf
new file mode 100644
index 0000000..4d9ac11
--- /dev/null
+++ b/apache2/modules.d/._mrg0000_00_default_settings.conf
@@ -0,0 +1,131 @@
+# This configuration file reflects default settings for Apache HTTP Server.
+# You may change these, but chances are that you may not need to.
+
+# Timeout: The number of seconds before receives and sends time out.
+Timeout 300
+
+# KeepAlive: Whether or not to allow persistent connections (more than
+# one request per connection). Set to "Off" to deactivate.
+KeepAlive On
+
+# MaxKeepAliveRequests: The maximum number of requests to allow
+# during a persistent connection. Set to 0 to allow an unlimited amount.
+# We recommend you leave this number high, for maximum performance.
+MaxKeepAliveRequests 100
+
+# KeepAliveTimeout: Number of seconds to wait for the next request from the
+# same client on the same connection.
+KeepAliveTimeout 15
+
+# UseCanonicalName: Determines how Apache constructs self-referencing
+# URLs and the SERVER_NAME and SERVER_PORT variables.
+# When set "Off", Apache will use the Hostname and Port supplied
+# by the client. When set "On", Apache will use the value of the
+# ServerName directive.
+UseCanonicalName Off
+
+# AccessFileName: The name of the file to look for in each directory
+# for additional configuration directives. See also the AllowOverride
+# directive.
+AccessFileName .htaccess
+
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of: Full | OS | Minor | Minimal | Major | Prod
+# where Full conveys the most information, and Prod the least.
+ServerTokens Full
+
+# TraceEnable
+# This directive overrides the behavior of TRACE for both the core server and
+# mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616,
+# which disallows any request body to accompany the request. TraceEnable off
+# causes the core server and mod_proxy to return a 405 (Method not allowed)
+# error to the client.
+# For security reasons this is turned off by default. (bug #240680)
+TraceEnable off
+
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of: On | Off | EMail
+ServerSignature On
+
+# HostnameLookups: Log the names of clients or just their IP addresses
+# e.g., www.apache.org (on) or 204.62.129.132 (off).
+# The default is off because it'd be overall better for the net if people
+# had to knowingly turn this feature on, since enabling it means that
+# each client request will result in AT LEAST one lookup request to the
+# nameserver.
+HostnameLookups Off
+
+# EnableMMAP and EnableSendfile: On systems that support it,
+# memory-mapping or the sendfile syscall is used to deliver
+# files. This usually improves server performance, but must
+# be turned off when serving from networked-mounted
+# filesystems or if support for these functions is otherwise
+# broken on your system.
+EnableMMAP On
+EnableSendfile Off
+
+# FileETag: Configures the file attributes that are used to create
+# the ETag (entity tag) response header field when the document is
+# based on a static file. (The ETag value is used in cache management
+# to save network bandwidth.)
+FileETag MTime Size
+
+# ContentDigest: This directive enables the generation of Content-MD5
+# headers as defined in RFC1864 respectively RFC2616.
+# The Content-MD5 header provides an end-to-end message integrity
+# check (MIC) of the entity-body. A proxy or client may check this
+# header for detecting accidental modification of the entity-body
+# in transit.
+# Note that this can cause performance problems on your server since
+# the message digest is computed on every request (the values are
+# not cached).
+# Content-MD5 is only sent for documents served by the core, and not
+# by any module. For example, SSI documents, output from CGI scripts,
+# and byte range responses do not have this header.
+ContentDigest Off
+
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a
+# container, error messages relating to that virtual host will be
+# logged here. If you *do* define an error logfile for a
+# container, that host's errors will be logged there and not here.
+ErrorLog /var/log/apache2/error.log
+
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+LogLevel info
+
+# We configure the "default" to be a very restrictive set of features.
+
+ Options FollowSymLinks
+ AllowOverride None
+ Require all denied
+
+
+# DirectoryIndex: sets the file that Apache will serve if a directory
+# is requested.
+#
+# The index.html.var file (a type-map) is used to deliver content-
+# negotiated documents. The MultiViews Options can be used for the
+# same purpose, but it is much slower.
+#
+# Do not change this entry unless you know what you are doing.
+
+ DirectoryIndex index.html index.html.var index.shtml index.htm
+
+
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
+
+ Require all denied
+
+
+# vim: ts=4 filetype=apache
diff --git a/apache2/modules.d/00_apache_manual.conf b/apache2/modules.d/00_apache_manual.conf
index e2c1b36..7e7fa4a 100644
--- a/apache2/modules.d/00_apache_manual.conf
+++ b/apache2/modules.d/00_apache_manual.conf
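Review bot: `ServerTokens Full` and `ServerSignature On` in the new `apache2/modules.d/._mrg0000_00_default_settings.conf` make the server advertise its version, OS type and compiled-in modules in the Server header and on server-generated pages, as the file's own comments describe. If this merge candidate is accepted as `00_default_settings.conf`, I would set `ServerTokens Prod` and `ServerSignature Off` so that responses stop handing out patch-level detail. The `._mrg0000_` name suggests an unresolved config-merge artifact; it presumably should be resolved or deleted rather than left tracked next to the live configuration.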
@@ -1,17 +1,16 @@ # Provide access to the documentation on your server as # http://yourserver.example.com/manual/ # The documentation is always available at -# http://httpd.apache.org/docs/2.2/ +# http://httpd.apache.org/docs/2.4/ -AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.31/manual$1" +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.4.18/manual$1" - + Options Indexes AllowOverride None - Order allow,deny - Allow from all + Require all granted SetHandler type-map diff --git a/apache2/modules.d/00_error_documents.conf b/apache2/modules.d/00_error_documents.conf index 90c6b0a..79cf538 100644 --- a/apache2/modules.d/00_error_documents.conf +++ b/apache2/modules.d/00_error_documents.conf @@ -30,8 +30,7 @@ Alias /error/ "/usr/share/apache2/error/" Options IncludesNoExec AddOutputFilter Includes html AddHandler type-map var - Order allow,deny - Allow from all + Require all granted LanguagePriority de en cs es fr it ja ko nl pl pt-br ro sv tr ForceLanguagePriority Prefer Fallback diff --git a/apache2/modules.d/00_mod_autoindex.conf b/apache2/modules.d/00_mod_autoindex.conf index bb8ecc3..e103ccb 100644 --- a/apache2/modules.d/00_mod_autoindex.conf +++ b/apache2/modules.d/00_mod_autoindex.conf @@ -9,8 +9,7 @@ Alias /icons/ "/usr/share/apache2/icons/" Options Indexes MultiViews AllowOverride None - Order allow,deny - Allow from all + Require all granted diff --git a/apache2/modules.d/00_mod_info.conf b/apache2/modules.d/00_mod_info.conf index 35cbd2c..1d21be1 100644 --- a/apache2/modules.d/00_mod_info.conf +++ b/apache2/modules.d/00_mod_info.conf 
@@ -3,15 +3,13 @@ # http://servername/server-info SetHandler server-info - Order deny,allow - Deny from all - Allow from 127.0.0.1 - Allow from localhost - AuthName "Server Status Access" - AuthType Basic - AuthUserFile /etc/apache2/info_users_passwd - Require valid-user - Satisfy Any + Require local + Allow from localhost + AuthName "Server Status Access" + AuthType Basic + AuthUserFile /etc/apache2/info_users_passwd + Require valid-user + Satisfy Any diff --git a/apache2/modules.d/00_mod_mime.conf b/apache2/modules.d/00_mod_mime.conf index 6229e61..3940107 100644 --- a/apache2/modules.d/00_mod_mime.conf +++ b/apache2/modules.d/00_mod_mime.conf @@ -1,12 +1,3 @@ -# DefaultType: the default MIME type the server will use for a document -# if it cannot otherwise determine one, such as from filename extensions. -# If your server contains mostly text or HTML documents, "text/plain" is -# a good value. If most of your content is binary, such as applications -# or images, you may want to use "application/octet-stream" instead to -# keep browsers from trying to display binary files as though they are -# text. -DefaultType text/plain - # TypesConfig points to the file containing the list of mappings from # filename extension to MIME-type. diff --git a/apache2/modules.d/00_mod_status.conf b/apache2/modules.d/00_mod_status.conf index 615122c..74a1011 100644 --- a/apache2/modules.d/00_mod_status.conf +++ b/apache2/modules.d/00_mod_status.conf 
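Review bot: The new access block for `/server-info` mixes the 2.4 directive `Require local` with the 2.2-era `Allow from localhost` and `Satisfy Any`, which exist only in mod_access_compat; combining the two styles makes the effective policy hard to reason about, and the file would fail to load if that module is not present. For an endpoint that exposes server internals I would drop the two compat lines and keep just `Require local` and `Require valid-user`, which 2.4 already evaluates as either-or when they share a section. The same mix is added to `00_mod_status.conf` in the following file section. Separately, the `.etckeeper` metadata lists `apache2/info_users_passwd` (the `AuthUserFile` used here) as mode 0644, so the password hashes appear to be world-readable and versioned; restricting the file to root and the Apache group is worth considering. The enclosing container of these directives is not visible in the hunk.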
@@ -3,15 +3,13 @@ # with the URL of http://servername/server-status SetHandler server-status - Order deny,allow - Deny from all - Allow from 127.0.0.1 - Allow from localhost - AuthName "Server Status Access" - AuthType Basic - AuthUserFile /etc/apache2/info_users_passwd - Require valid-user - Satisfy Any + Require local + Allow from localhost + AuthName "Server Status Access" + AuthType Basic + AuthUserFile /etc/apache2/info_users_passwd + Require valid-user + Satisfy Any # ExtendedStatus controls whether Apache will generate "full" status diff --git a/apache2/modules.d/00_mpm.conf b/apache2/modules.d/00_mpm.conf index 27dc24d..23c56fa 100644 --- a/apache2/modules.d/00_mpm.conf +++ b/apache2/modules.d/00_mpm.conf @@ -4,10 +4,10 @@ # identification number when it starts. # # DO NOT CHANGE UNLESS YOU KNOW WHAT YOU ARE DOING -PidFile /var/run/apache2.pid +PidFile /run/apache2.pid # The accept serialization lock file MUST BE STORED ON A LOCAL DISK. -#LockFile /var/run/apache2.lock +# Mutex file:/run/apache_mpm_mutex # Only one of the below sections will be relevant on your # installed httpd. Use "/usr/sbin/apache2 -l" to find out the @@ -17,9 +17,9 @@ PidFile /var/run/apache2.pid # These configuration directives apply to all MPMs # # StartServers: Number of child server processes created at startup -# MaxClients: Maximum number of child processes to serve requests -# MaxRequestsPerChild: Limit on the number of requests that an individual child -# server will handle during its life +# MaxRequestWorkers: Maximum number of child processes to serve requests +# MaxConnectionsPerChild: Limit on the number of connections that an individual +# child server will handle during its life # prefork MPM @@ -31,8 +31,8 @@ PidFile /var/run/apache2.pid StartServers 2 MinSpareServers 2 MaxSpareServers 10 - MaxClients 150 - MaxRequestsPerChild 10000 + MaxRequestWorkers 150 + MaxConnectionsPerChild 10000 # worker MPM 
@@ -46,8 +46,8 @@ PidFile /var/run/apache2.pid MinSpareThreads 25 MaxSpareThreads 75 ThreadsPerChild 25 - MaxClients 150 - MaxRequestsPerChild 10000 + MaxRequestWorkers 150 + MaxConnectionsPerChild 10000 # event MPM @@ -60,8 +60,8 @@ PidFile /var/run/apache2.pid MinSpareThreads 25 MaxSpareThreads 75 ThreadsPerChild 25 - MaxClients 150 - MaxRequestsPerChild 10000 + MaxRequestWorkers 150 + MaxConnectionsPerChild 10000 # peruser MPM @@ -76,8 +76,8 @@ PidFile /var/run/apache2.pid MinSpareProcessors 2 MinProcessors 2 MaxProcessors 10 - MaxClients 150 - MaxRequestsPerChild 1000 + MaxRequestWorkers 150 + MaxConnectionsPerChild 1000 ExpireTimeout 1800 Multiplexer nobody nobody @@ -92,8 +92,8 @@ PidFile /var/run/apache2.pid StartServers 5 MinSpareServers 5 MaxSpareServers 10 - MaxClients 150 - MaxRequestsPerChild 10000 + MaxRequestWorkers 150 + MaxConnectionsPerChild 10000 # vim: ts=4 filetype=apache diff --git a/apache2/vhosts.d/00_default_vhost.conf b/apache2/vhosts.d/00_default_vhost.conf index 2b46233..a0a7312 100644 --- a/apache2/vhosts.d/00_default_vhost.conf +++ b/apache2/vhosts.d/00_default_vhost.conf @@ -6,7 +6,7 @@ # IP addresses. This is indicated by the asterisks in the directives below. # # Please see the documentation at -# +# # for further details before you try to setup virtual hosts. # # You may use the command line option '-S' to verify your virtual host diff --git a/apache2/vhosts.d/default_vhost.include b/apache2/vhosts.d/default_vhost.include index 61282a6..8032dd2 100644 --- a/apache2/vhosts.d/default_vhost.include +++ b/apache2/vhosts.d/default_vhost.include @@ -21,7 +21,7 @@ DocumentRoot "/var/www/localhost/htdocs" # doesn't give it to you. # # The Options directive is both complicated and important. Please see - # http://httpd.apache.org/docs/2.2/mod/core.html#options + # http://httpd.apache.org/docs/2.4/mod/core.html#options # for more information. Options Indexes FollowSymLinks 
@@ -31,8 +31,7 @@ DocumentRoot "/var/www/localhost/htdocs" AllowOverride All # Controls who can get stuff from this server. - Order allow,deny - Allow from all + Require all granted @@ -66,8 +65,7 @@ DocumentRoot "/var/www/localhost/htdocs" AllowOverride None Options None - Order allow,deny - Allow from all + Require all granted # vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_apache_manual.conf b/config-archive/etc/apache2/modules.d/00_apache_manual.conf index f352638..e2c1b36 100644 --- a/config-archive/etc/apache2/modules.d/00_apache_manual.conf +++ b/config-archive/etc/apache2/modules.d/00_apache_manual.conf @@ -5,9 +5,9 @@ -AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.29/manual$1" +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.31/manual$1" - + Options Indexes AllowOverride None Order allow,deny diff --git a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.1 b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.1 index 5d8ffc1..f352638 100644 --- a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.1 +++ b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.1 @@ -5,9 +5,9 @@ -AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.27-r4/manual$1" +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.29/manual$1" - + Options Indexes AllowOverride None Order allow,deny diff --git a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.2 b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.2 index 391c2e6..5d8ffc1 100644 --- a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.2 +++ b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.2 
@@ -2,10 +2,12 @@ # http://yourserver.example.com/manual/ # The documentation is always available at # http://httpd.apache.org/docs/2.2/ + + -AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.27/manual$1" +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.27-r4/manual$1" - + Options Indexes AllowOverride None Order allow,deny @@ -22,5 +24,7 @@ AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apac ForceLanguagePriority Prefer Fallback + + # vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.3 b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.3 index 33ae915..391c2e6 100644 --- a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.3 +++ b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.3 @@ -3,9 +3,9 @@ # The documentation is always available at # http://httpd.apache.org/docs/2.2/ -AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.25/manual$1" +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.27/manual$1" - + Options Indexes AllowOverride None Order allow,deny diff --git a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.4 b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.4 index f43bf59..33ae915 100644 --- a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.4 +++ b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.4 @@ -3,9 +3,9 @@ # The documentation is always available at # http://httpd.apache.org/docs/2.2/ -AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.24/manual$1" +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.25/manual$1" - + Options Indexes AllowOverride None Order allow,deny 
diff --git a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.5 b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.5 index 240d6b4..f43bf59 100644 --- a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.5 +++ b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.5 @@ -3,9 +3,9 @@ # The documentation is always available at # http://httpd.apache.org/docs/2.2/ -AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.23/manual$1" +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.24/manual$1" - + Options Indexes AllowOverride None Order allow,deny diff --git a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.6 b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.6 index 25de5d1..240d6b4 100644 --- a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.6 +++ b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.6 @@ -3,9 +3,9 @@ # The documentation is always available at # http://httpd.apache.org/docs/2.2/ -AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.22/manual$1" +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.23/manual$1" - + Options Indexes AllowOverride None Order allow,deny @@ -18,7 +18,7 @@ AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apac SetEnvIf Request_URI ^/manual/(de|en|es|fr|ja|ko|pt-br)/ prefer-language=$1 RedirectMatch 301 ^/manual(?:/(de|en|es|fr|ja|ko|pt-br)){2,}(/.*)?$ /manual/$1$2 - LanguagePriority en de es fr ja ko pt-br + LanguagePriority de en es fr ja ko pt-br ForceLanguagePriority Prefer Fallback diff --git a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.7 b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.7 index a1bfed2..25de5d1 100644 --- a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.7 +++ b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.7 
@@ -3,9 +3,9 @@ # The documentation is always available at # http://httpd.apache.org/docs/2.2/ -AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.21-r1/manual$1" +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.22/manual$1" - + Options Indexes AllowOverride None Order allow,deny diff --git a/apache2/modules.d/._cfg0000_00_apache_manual.conf b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.8 similarity index 72% rename from apache2/modules.d/._cfg0000_00_apache_manual.conf rename to config-archive/etc/apache2/modules.d/00_apache_manual.conf.8 index 5699151..a1bfed2 100644 --- a/apache2/modules.d/._cfg0000_00_apache_manual.conf +++ b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.8 @@ -1,16 +1,15 @@ # Provide access to the documentation on your server as # http://yourserver.example.com/manual/ # The documentation is always available at -# http://httpd.apache.org/docs/2.4/ - - +# http://httpd.apache.org/docs/2.2/ -AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.4.18/manual$1" +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.21-r1/manual$1" - + Options Indexes AllowOverride None - Require all granted + Order allow,deny + Allow from all SetHandler type-map @@ -23,7 +22,5 @@ AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apac ForceLanguagePriority Prefer Fallback - - # vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.dist b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.dist index f4ff100..5699151 100644 --- a/config-archive/etc/apache2/modules.d/00_apache_manual.conf.dist +++ b/config-archive/etc/apache2/modules.d/00_apache_manual.conf.dist 
@@ -1,17 +1,16 @@ # Provide access to the documentation on your server as # http://yourserver.example.com/manual/ # The documentation is always available at -# http://httpd.apache.org/docs/2.2/ +# http://httpd.apache.org/docs/2.4/ -AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.31/manual$1" +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.4.18/manual$1" - + Options Indexes AllowOverride None - Order allow,deny - Allow from all + Require all granted SetHandler type-map diff --git a/config-archive/etc/apache2/modules.d/00_default_settings.conf b/config-archive/etc/apache2/modules.d/00_default_settings.conf index 0213f2b..ac0ab07 100644 --- a/config-archive/etc/apache2/modules.d/00_default_settings.conf +++ b/config-archive/etc/apache2/modules.d/00_default_settings.conf @@ -118,8 +118,7 @@ LogLevel info # negotiated documents. The MultiViews Options can be used for the # same purpose, but it is much slower. # -# To add files to that list use AddDirectoryIndex in a custom config -# file. Do not change this entry unless you know what you are doing. +# Do not change this entry unless you know what you are doing. DirectoryIndex index.html index.html.var index.shtml index.htm diff --git a/config-archive/etc/apache2/modules.d/00_default_settings.conf.1 b/config-archive/etc/apache2/modules.d/00_default_settings.conf.1 new file mode 100644 index 0000000..0213f2b --- /dev/null +++ b/config-archive/etc/apache2/modules.d/00_default_settings.conf.1 
@@ -0,0 +1,134 @@
+# This configuration file reflects default settings for Apache HTTP Server.
+# You may change these, but chances are that you may not need to.
+
+# Timeout: The number of seconds before receives and sends time out.
+Timeout 300
+
+# KeepAlive: Whether or not to allow persistent connections (more than
+# one request per connection). Set to "Off" to deactivate.
+KeepAlive On
+
+# MaxKeepAliveRequests: The maximum number of requests to allow
+# during a persistent connection. Set to 0 to allow an unlimited amount.
+# We recommend you leave this number high, for maximum performance.
+MaxKeepAliveRequests 100
+
+# KeepAliveTimeout: Number of seconds to wait for the next request from the
+# same client on the same connection.
+KeepAliveTimeout 15
+
+# UseCanonicalName: Determines how Apache constructs self-referencing
+# URLs and the SERVER_NAME and SERVER_PORT variables.
+# When set "Off", Apache will use the Hostname and Port supplied
+# by the client. When set "On", Apache will use the value of the
+# ServerName directive.
+UseCanonicalName Off
+
+# AccessFileName: The name of the file to look for in each directory
+# for additional configuration directives. See also the AllowOverride
+# directive.
+AccessFileName .htaccess
+
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of: Full | OS | Minor | Minimal | Major | Prod
+# where Full conveys the most information, and Prod the least.
+ServerTokens Full
+
+# TraceEnable
+# This directive overrides the behavior of TRACE for both the core server and
+# mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616,
+# which disallows any request body to accompany the request. TraceEnable off
+# causes the core server and mod_proxy to return a 405 (Method not allowed)
+# error to the client.
+# For security reasons this is turned off by default. (bug #240680)
+TraceEnable off
+
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of: On | Off | EMail
+ServerSignature On
+
+# HostnameLookups: Log the names of clients or just their IP addresses
+# e.g., www.apache.org (on) or 204.62.129.132 (off).
+# The default is off because it'd be overall better for the net if people
+# had to knowingly turn this feature on, since enabling it means that
+# each client request will result in AT LEAST one lookup request to the
+# nameserver.
+HostnameLookups Off
+
+# EnableMMAP and EnableSendfile: On systems that support it,
+# memory-mapping or the sendfile syscall is used to deliver
+# files. This usually improves server performance, but must
+# be turned off when serving from networked-mounted
+# filesystems or if support for these functions is otherwise
+# broken on your system.
+EnableMMAP On
+EnableSendfile On
+
+# FileEtag: Configures the file attributes that are used to create
+# the ETag (entity tag) response header field when the document is
+# based on a static file. (The ETag value is used in cache management
+# to save network bandwidth.)
+FileEtag INode MTime Size
+
+# ContentDigest: This directive enables the generation of Content-MD5
+# headers as defined in RFC1864 respectively RFC2616.
+# The Content-MD5 header provides an end-to-end message integrity
+# check (MIC) of the entity-body. A proxy or client may check this
+# header for detecting accidental modification of the entity-body
+# in transit.
+# Note that this can cause performance problems on your server since
+# the message digest is computed on every request (the values are
+# not cached).
+# Content-MD5 is only sent for documents served by the core, and not
+# by any module. For example, SSI documents, output from CGI scripts,
+# and byte range responses do not have this header.
+ContentDigest Off
+
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a
+# container, error messages relating to that virtual host will be
+# logged here. If you *do* define an error logfile for a
+# container, that host's errors will be logged there and not here.
+ErrorLog /var/log/apache2/error.log
+
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+LogLevel info
+
+# We configure the "default" to be a very restrictive set of features.
+
+ Options FollowSymLinks
+ AllowOverride None
+ Order deny,allow
+ Deny from all
+
+
+# DirectoryIndex: sets the file that Apache will serve if a directory
+# is requested.
+#
+# The index.html.var file (a type-map) is used to deliver content-
+# negotiated documents. The MultiViews Options can be used for the
+# same purpose, but it is much slower.
+#
+# To add files to that list use AddDirectoryIndex in a custom config
+# file. Do not change this entry unless you know what you are doing.
+
+ DirectoryIndex index.html index.html.var index.shtml index.htm
+
+
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
+
+ Order allow,deny
+ Deny from all
+
+
+# vim: ts=4 filetype=apache
diff --git a/config-archive/etc/apache2/modules.d/00_default_settings.conf.dist.new b/config-archive/etc/apache2/modules.d/00_default_settings.conf.dist.new
new file mode 100644
index 0000000..38635aa
--- /dev/null
+++ b/config-archive/etc/apache2/modules.d/00_default_settings.conf.dist.new
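Review bot: `ServerTokens Full` together with `ServerSignature On` in 00_default_settings.conf.1 puts the full version string, OS type and compiled-in module list into every response header and onto server-generated pages, as the file's own comments describe. If this archived copy mirrors what the live configuration ran with, the banner settings are worth tightening to `ServerTokens Prod` and `ServerSignature Off`. The 00_default_settings.conf.dist.new section that follows already uses `ServerTokens Prod` but still keeps `ServerSignature On`.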
@@ -0,0 +1,131 @@
+# This configuration file reflects default settings for Apache HTTP Server.
+# You may change these, but chances are that you may not need to.
+
+# Timeout: The number of seconds before receives and sends time out.
+Timeout 300
+
+# KeepAlive: Whether or not to allow persistent connections (more than
+# one request per connection). Set to "Off" to deactivate.
+KeepAlive On
+
+# MaxKeepAliveRequests: The maximum number of requests to allow
+# during a persistent connection. Set to 0 to allow an unlimited amount.
+# We recommend you leave this number high, for maximum performance.
+MaxKeepAliveRequests 100
+
+# KeepAliveTimeout: Number of seconds to wait for the next request from the
+# same client on the same connection.
+KeepAliveTimeout 15
+
+# UseCanonicalName: Determines how Apache constructs self-referencing
+# URLs and the SERVER_NAME and SERVER_PORT variables.
+# When set "Off", Apache will use the Hostname and Port supplied
+# by the client. When set "On", Apache will use the value of the
+# ServerName directive.
+UseCanonicalName Off
+
+# AccessFileName: The name of the file to look for in each directory
+# for additional configuration directives. See also the AllowOverride
+# directive.
+AccessFileName .htaccess
+
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of: Full | OS | Minor | Minimal | Major | Prod
+# where Full conveys the most information, and Prod the least.
+ServerTokens Prod
+
+# TraceEnable
+# This directive overrides the behavior of TRACE for both the core server and
+# mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616,
+# which disallows any request body to accompany the request. TraceEnable off
+# causes the core server and mod_proxy to return a 405 (Method not allowed)
+# error to the client.
+# For security reasons this is turned off by default. (bug #240680)
+TraceEnable off
+
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of: On | Off | EMail
+ServerSignature On
+
+# HostnameLookups: Log the names of clients or just their IP addresses
+# e.g., www.apache.org (on) or 204.62.129.132 (off).
+# The default is off because it'd be overall better for the net if people
+# had to knowingly turn this feature on, since enabling it means that
+# each client request will result in AT LEAST one lookup request to the
+# nameserver.
+HostnameLookups Off
+
+# EnableMMAP and EnableSendfile: On systems that support it,
+# memory-mapping or the sendfile syscall is used to deliver
+# files. This usually improves server performance, but must
+# be turned off when serving from networked-mounted
+# filesystems or if support for these functions is otherwise
+# broken on your system.
+EnableMMAP On
+EnableSendfile Off
+
+# FileETag: Configures the file attributes that are used to create
+# the ETag (entity tag) response header field when the document is
+# based on a static file. (The ETag value is used in cache management
+# to save network bandwidth.)
+FileETag MTime Size
+
+# ContentDigest: This directive enables the generation of Content-MD5
+# headers as defined in RFC1864 respectively RFC2616.
+# The Content-MD5 header provides an end-to-end message integrity
+# check (MIC) of the entity-body. A proxy or client may check this
+# header for detecting accidental modification of the entity-body
+# in transit.
+# Note that this can cause performance problems on your server since
+# the message digest is computed on every request (the values are
+# not cached).
+# Content-MD5 is only sent for documents served by the core, and not
+# by any module. For example, SSI documents, output from CGI scripts,
+# and byte range responses do not have this header.
+ContentDigest Off
+
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a
+# container, error messages relating to that virtual host will be
+# logged here. If you *do* define an error logfile for a
+# container, that host's errors will be logged there and not here.
+ErrorLog /var/log/apache2/error_log
+
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+LogLevel warn
+
+# We configure the "default" to be a very restrictive set of features.
+
+ Options FollowSymLinks
+ AllowOverride None
+ Require all denied
+
+
+# DirectoryIndex: sets the file that Apache will serve if a directory
+# is requested.
+#
+# The index.html.var file (a type-map) is used to deliver content-
+# negotiated documents. The MultiViews Options can be used for the
+# same purpose, but it is much slower.
+#
+# Do not change this entry unless you know what you are doing.
+
+ DirectoryIndex index.html index.html.var
+
+
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
+
+ Require all denied
+
+
+# vim: ts=4 filetype=apache
diff --git a/config-archive/etc/apache2/modules.d/00_error_documents.conf b/config-archive/etc/apache2/modules.d/00_error_documents.conf
new file mode 100644
index 0000000..90c6b0a
--- /dev/null
+++ b/config-archive/etc/apache2/modules.d/00_error_documents.conf
@@ -0,0 +1,58 @@
+# The configuration below implements multi-language error documents through
+# content-negotiation.
+
+# Customizable error responses come in three flavors:
+# 1) plain text 2) local redirects 3) external redirects
+# Some examples:
+#ErrorDocument 500 "The server made a boo boo."
+#ErrorDocument 404 /missing.html
+#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
+#ErrorDocument 402 http://www.example.com/subscription_info.html
+
+# Required modules: mod_alias, mod_include, mod_negotiation
+# We use Alias to redirect any /error/HTTP_.html.var response to
+# our collection of by-error message multi-language collections. We use
+# includes to substitute the appropriate text.
+# You can modify the messages' appearance without changing any of the
+# default HTTP_.html.var files by adding the line:
+# Alias /error/include/ "/your/include/path/"
+# which allows you to create your own set of files by starting with the
+# /var/www/localhost/error/include/ files and copying them to /your/include/path/,
+# even on a per-VirtualHost basis. The default include files will display
+# your Apache version number and your ServerAdmin email address regardless
+# of the setting of ServerSignature.
+
+
+Alias /error/ "/usr/share/apache2/error/"
+
+
+ AllowOverride None
+ Options IncludesNoExec
+ AddOutputFilter Includes html
+ AddHandler type-map var
+ Order allow,deny
+ Allow from all
+ LanguagePriority de en cs es fr it ja ko nl pl pt-br ro sv tr
+ ForceLanguagePriority Prefer Fallback
+
+
+ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
+ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
+ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
+ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
+ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
+ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
+ErrorDocument 410 /error/HTTP_GONE.html.var
+ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
+ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
+ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
+ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
+ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
+ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
+ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
+ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
+ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
+ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
+
+
+# vim: ts=4 filetype=apache
diff --git a/apache2/modules.d/._cfg0000_00_error_documents.conf b/config-archive/etc/apache2/modules.d/00_error_documents.conf.dist
similarity index 100%
rename from apache2/modules.d/._cfg0000_00_error_documents.conf
rename to config-archive/etc/apache2/modules.d/00_error_documents.conf.dist
diff --git a/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf b/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf
index e04516d..bb8ecc3 100644
--- a/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf
+++ b/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf
@@ -1,4 +1,6 @@ + + # We include the /icons/ alias for FancyIndexed directory listings. If # you do not use FancyIndexing, you may comment this out. @@ -80,6 +82,7 @@ HeaderName HEADER.html # IndexIgnore is a set of filenames which directory indexing should ignore # and not include in the listing. Shell-style wildcarding is permitted. IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t + # vim: ts=4 filetype=apache diff --git a/apache2/modules.d/._cfg0000_00_mod_autoindex.conf b/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.1 similarity index 88% rename from apache2/modules.d/._cfg0000_00_mod_autoindex.conf rename to config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.1 index 10bf483..e04516d 100644 --- a/apache2/modules.d/._cfg0000_00_mod_autoindex.conf +++ b/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.1 @@ -1,6 +1,4 @@ - - # We include the /icons/ alias for FancyIndexed directory listings. If # you do not use FancyIndexing, you may comment this out. @@ -9,7 +7,8 @@ Alias /icons/ "/usr/share/apache2/icons/" Options Indexes MultiViews AllowOverride None - Require all granted + Order allow,deny + Allow from all @@ -21,7 +20,7 @@ Alias /icons/ "/usr/share/apache2/icons/" # IndexOptions: Controls the appearance of server-generated directory # listings. -IndexOptions FancyIndexing VersionSort +IndexOptions FancyIndexing VersionSort FoldersFirst HTMLTable IgnoreCase NameWidth=50 # AddIcon* directives tell the server which icon to show for different # files or filename extensions. These are only displayed for 
@@ -64,9 +63,11 @@ DefaultIcon /icons/unknown.gif # directories. # Format: AddDescription "description" filename -#AddDescription "GZIP compressed document" .gz -#AddDescription "tar archive" .tar -#AddDescription "GZIP compressed tar archive" .tgz +AddDescription "GZIP-komprimiertes Tar-Archiv" .tar.gz +AddDescription "GZIP-komprimiertes Dokument" .gz +AddDescription "Tar-Archive" .tar +AddDescription "GZIP-komprimiertes Tar-Archiv" .tgz +AddDescription "PDF-Dokument" .pdf # ReadmeName is the name of the README file the server will look for by # default, and append to directory listings. @@ -79,7 +80,6 @@ HeaderName HEADER.html # IndexIgnore is a set of filenames which directory indexing should ignore # and not include in the listing. Shell-style wildcarding is permitted. IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t - # vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist b/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist index 097410a..10bf483 100644 --- a/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist +++ b/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist @@ -9,8 +9,7 @@ Alias /icons/ "/usr/share/apache2/icons/" Options Indexes MultiViews AllowOverride None - Order allow,deny - Allow from all + Require all granted diff --git a/config-archive/etc/apache2/modules.d/00_mod_info.conf b/config-archive/etc/apache2/modules.d/00_mod_info.conf new file mode 100644 index 0000000..35cbd2c --- /dev/null +++ b/config-archive/etc/apache2/modules.d/00_mod_info.conf @@ -0,0 +1,18 @@ + +# Allow remote server configuration reports, with the URL of +# http://servername/server-info + + SetHandler server-info + Order deny,allow + Deny from all + Allow from 127.0.0.1 + Allow from localhost + AuthName "Server Status Access" + AuthType Basic + AuthUserFile /etc/apache2/info_users_passwd + Require valid-user + Satisfy Any + + + +# vim: ts=4 filetype=apache 
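Review bot: In 00_mod_info.conf the `Satisfy Any` line makes the host restriction and the Basic-auth requirement alternatives, so /server-info is reachable from any address by whoever can present a password from /etc/apache2/info_users_passwd, and with `AuthType Basic` that password is only base64-encoded on whatever transport the vhost uses. 00_mod_status.conf later in this commit carries the same block for /server-status. If remote access is not needed, dropping the Auth* lines and `Satisfy Any` leaves just the loopback allowance (in 2.4 syntax, `Require local`); if it is needed, `Satisfy All` on a TLS-only vhost is the safer form. `Allow from localhost` also depends on name resolution, which `Allow from 127.0.0.1` does not. The enclosing container lines are not visible in this rendering, so the exact scope of the block is inferred from the comment above it.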
diff --git a/apache2/modules.d/._cfg0000_00_mod_info.conf b/config-archive/etc/apache2/modules.d/00_mod_info.conf.dist
similarity index 100%
rename from apache2/modules.d/._cfg0000_00_mod_info.conf
rename to config-archive/etc/apache2/modules.d/00_mod_info.conf.dist
diff --git a/config-archive/etc/apache2/modules.d/00_mod_mime.conf b/config-archive/etc/apache2/modules.d/00_mod_mime.conf
new file mode 100644
index 0000000..6229e61
--- /dev/null
+++ b/config-archive/etc/apache2/modules.d/00_mod_mime.conf
@@ -0,0 +1,55 @@
+# DefaultType: the default MIME type the server will use for a document
+# if it cannot otherwise determine one, such as from filename extensions.
+# If your server contains mostly text or HTML documents, "text/plain" is
+# a good value. If most of your content is binary, such as applications
+# or images, you may want to use "application/octet-stream" instead to
+# keep browsers from trying to display binary files as though they are
+# text.
+DefaultType text/plain
+
+
+# TypesConfig points to the file containing the list of mappings from
+# filename extension to MIME-type.
+TypesConfig /etc/mime.types
+
+# AddType allows you to add to or override the MIME configuration
+# file specified in TypesConfig for specific file types.
+#AddType application/x-gzip .tgz
+
+# AddEncoding allows you to have certain browsers uncompress
+# information on the fly. Note: Not all browsers support this.
+AddEncoding x-compress .Z
+AddEncoding x-gzip .gz .tgz
+
+# If the AddEncoding directives above are commented-out, then you
+# probably should define those extensions to indicate media types:
+AddType application/x-compress .Z
+AddType application/x-gzip .gz .tgz
+
+# AddHandler allows you to map certain file extensions to "handlers":
+# actions unrelated to filetype. These can be either built into the server
+# or added with the Action directive (see below)
+
+# To use CGI scripts outside of ScriptAliased directories:
+# (You will also need to add "ExecCGI" to the "Options" directive.)
+#AddHandler cgi-script .cgi
+
+# For type maps (negotiated resources):
+AddHandler type-map var
+
+# Filters allow you to process content before it is sent to the client.
+#
+# To parse .shtml files for server-side includes (SSI):
+# (You will also need to add "Includes" to the "Options" directive.)
+#AddType text/html .shtml
+#AddOutputFilter INCLUDES .shtml
+
+
+
+# The mod_mime_magic module allows the server to use various hints from the
+# contents of the file itself to determine its type. The MIMEMagicFile
+# directive tells the module where the hint definitions are located.
+MIMEMagicFile /etc/apache2/magic
+
+
+# vim: ts=4 filetype=apache
diff --git a/apache2/modules.d/._cfg0000_00_mod_mime.conf b/config-archive/etc/apache2/modules.d/00_mod_mime.conf.dist
similarity index 100%
rename from apache2/modules.d/._cfg0000_00_mod_mime.conf
rename to config-archive/etc/apache2/modules.d/00_mod_mime.conf.dist
diff --git a/config-archive/etc/apache2/modules.d/00_mod_status.conf b/config-archive/etc/apache2/modules.d/00_mod_status.conf
new file mode 100644
index 0000000..615122c
--- /dev/null
+++ b/config-archive/etc/apache2/modules.d/00_mod_status.conf
@@ -0,0 +1,23 @@
+
+# Allow server status reports generated by mod_status,
+# with the URL of http://servername/server-status
+
+ SetHandler server-status
+ Order deny,allow
+ Deny from all
+ Allow from 127.0.0.1
+ Allow from localhost
+ AuthName "Server Status Access"
+ AuthType Basic
+ AuthUserFile /etc/apache2/info_users_passwd
+ Require valid-user
+ Satisfy Any
+
+
+# ExtendedStatus controls whether Apache will generate "full" status
+# information (ExtendedStatus On) or just basic information (ExtendedStatus
+# Off) when the "server-status" handler is called.
+ExtendedStatus On
+
+
+# vim: ts=4 filetype=apache
diff --git a/apache2/modules.d/._cfg0000_00_mod_status.conf b/config-archive/etc/apache2/modules.d/00_mod_status.conf.dist
similarity index 100%
rename from apache2/modules.d/._cfg0000_00_mod_status.conf
rename to config-archive/etc/apache2/modules.d/00_mod_status.conf.dist
diff --git a/config-archive/etc/apache2/modules.d/00_mpm.conf b/config-archive/etc/apache2/modules.d/00_mpm.conf
new file mode 100644
index 0000000..27dc24d
--- /dev/null
+++ b/config-archive/etc/apache2/modules.d/00_mpm.conf
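Review bot: `ExtendedStatus On` in 00_mod_status.conf makes the /server-status page carry per-connection detail such as client addresses and the request line being served, which can expose other users' URLs and query strings to anyone who can load the page. The access block above it admits any holder of a Basic-auth password through `Satisfy Any`, so that detail is not limited to loopback. Consider `ExtendedStatus Off` unless the extra columns are actively used, or keep it on only with the handler restricted to local access.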
@@ -0,0 +1,99 @@
+# Server-Pool Management (MPM specific)
+
+# PidFile: The file in which the server should record its process
+# identification number when it starts.
+#
+# DO NOT CHANGE UNLESS YOU KNOW WHAT YOU ARE DOING
+PidFile /var/run/apache2.pid
+
+# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
+#LockFile /var/run/apache2.lock
+
+# Only one of the below sections will be relevant on your
+# installed httpd. Use "/usr/sbin/apache2 -l" to find out the
+# active mpm.
+
+# common MPM configuration
+# These configuration directives apply to all MPMs
+#
+# StartServers: Number of child server processes created at startup
+# MaxClients: Maximum number of child processes to serve requests
+# MaxRequestsPerChild: Limit on the number of requests that an individual child
+# server will handle during its life
+
+
+# prefork MPM
+# This is the default MPM if USE=-threads
+#
+# MinSpareServers: Minimum number of idle child server processes
+# MaxSpareServers: Maximum number of idle child server processes
+
+ StartServers 2
+ MinSpareServers 2
+ MaxSpareServers 10
+ MaxClients 150
+ MaxRequestsPerChild 10000
+
+
+# worker MPM
+# This is the default MPM if USE=threads
+#
+# MinSpareThreads: Minimum number of idle threads available to handle request spikes
+# MaxSpareThreads: Maximum number of idle threads
+# ThreadsPerChild: Number of threads created by each child process
+
+ StartServers 2
+ MinSpareThreads 25
+ MaxSpareThreads 75
+ ThreadsPerChild 25
+ MaxClients 150
+ MaxRequestsPerChild 10000
+
+
+# event MPM
+#
+# MinSpareThreads: Minimum number of idle threads available to handle request spikes
+# MaxSpareThreads: Maximum number of idle threads
+# ThreadsPerChild: Number of threads created by each child process
+
+ StartServers 2
+ MinSpareThreads 25
+ MaxSpareThreads 75
+ ThreadsPerChild 25
+ MaxClients 150
+ MaxRequestsPerChild 10000
+
+
+# peruser MPM
+#
+# MinSpareProcessors: Minimum number of idle child server processes
+# MinProcessors: Minimum number of processors per virtual host
+# MaxProcessors: Maximum number of processors per virtual host
+# ExpireTimeout: Maximum idle time before a child is killed, 0 to disable
+# Multiplexer: Specify a Multiplexer child configuration.
+# Processor: Specify a user and group for a specific child process
+
+ MinSpareProcessors 2
+ MinProcessors 2
+ MaxProcessors 10
+ MaxClients 150
+ MaxRequestsPerChild 1000
+ ExpireTimeout 1800
+
+ Multiplexer nobody nobody
+ Processor apache apache
+
+
+# itk MPM
+#
+# MinSpareServers: Minimum number of idle child server processes
+# MaxSpareServers: Maximum number of idle child server processes
+
+ StartServers 5
+ MinSpareServers 5
+ MaxSpareServers 10
+ MaxClients 150
+ MaxRequestsPerChild 10000
+
+
+# vim: ts=4 filetype=apache
diff --git a/apache2/modules.d/._cfg0000_00_mpm.conf b/config-archive/etc/apache2/modules.d/00_mpm.conf.dist
similarity index 100%
rename from apache2/modules.d/._cfg0000_00_mpm.conf
rename to config-archive/etc/apache2/modules.d/00_mpm.conf.dist
diff --git a/config-archive/etc/apache2/vhosts.d/00_default_vhost.conf b/config-archive/etc/apache2/vhosts.d/00_default_vhost.conf
new file mode 100644
index 0000000..2b46233
--- /dev/null
+++ b/config-archive/etc/apache2/vhosts.d/00_default_vhost.conf
@@ -0,0 +1,48 @@
+# Virtual Hosts
+#
+# If you want to maintain multiple domains/hostnames on your
+# machine you can setup VirtualHost containers for them. Most configurations
+# use only name-based virtual hosts so the server doesn't need to worry about
+# IP addresses. This is indicated by the asterisks in the directives below.
+#
+# Please see the documentation at
+#
+# for further details before you try to setup virtual hosts.
+#
+# You may use the command line option '-S' to verify your virtual host
+# configuration.
+
+
+# see bug #178966 why this is in here
+
+# Listen: Allows you to bind Apache to specific IP addresses and/or
+# ports, instead of the default. See also the
+# directive.
+#
+# Change this to Listen on specific IP addresses as shown below to
+# prevent Apache from glomming onto all bound IP addresses.
+#
+#Listen 12.34.56.78:80
+Listen 80
+
+# Use name-based virtual hosting.
+NameVirtualHost *:80
+
+# When virtual hosts are enabled, the main host defined in the default
+# httpd.conf configuration will go away. We redefine it here so that it is
+# still available.
+#
+# If you disable this vhost by removing -D DEFAULT_VHOST from
+# /etc/conf.d/apache2, the first defined virtual host elsewhere will be
+# the default.
+
+ ServerName www.uhu-banane.de
+ Include /etc/apache2/vhosts.d/default_vhost.include
+
+
+ ServerEnvironment apache apache
+
+
+
+
+# vim: ts=4 filetype=apache
diff --git a/apache2/vhosts.d/._cfg0000_00_default_vhost.conf b/config-archive/etc/apache2/vhosts.d/00_default_vhost.conf.dist
similarity index 100%
rename from apache2/vhosts.d/._cfg0000_00_default_vhost.conf
rename to config-archive/etc/apache2/vhosts.d/00_default_vhost.conf.dist
diff --git a/config-archive/etc/apache2/vhosts.d/default_vhost.include b/config-archive/etc/apache2/vhosts.d/default_vhost.include
new file mode 100644
index 0000000..61282a6
--- /dev/null
+++ b/config-archive/etc/apache2/vhosts.d/default_vhost.include
@@ -0,0 +1,73 @@
+# ServerAdmin: Your address, where problems with the server should be
+# e-mailed. This address appears on some server-generated pages, such
+# as error documents. e.g. admin@your-domain.com
+ServerAdmin frank@brehm-online.com
+
+# DocumentRoot: The directory out of which you will serve your
+# documents. By default, all requests are taken from this directory, but
+# symbolic links and aliases may be used to point to other locations.
+#
+# If you change this to something that isn't under /var/www then suexec
+# will no longer work.
+DocumentRoot "/var/www/localhost/htdocs"
+
+# This should be changed to whatever you set DocumentRoot to.
+
+ # Possible values for the Options directive are "None", "All",
+ # or any combination of:
+ # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
+ #
+ # Note that "MultiViews" must be named *explicitly* --- "Options All"
+ # doesn't give it to you.
+ #
+ # The Options directive is both complicated and important. Please see
+ # http://httpd.apache.org/docs/2.2/mod/core.html#options
+ # for more information.
+ Options Indexes FollowSymLinks
+
+ # AllowOverride controls what directives may be placed in .htaccess files.
+ # It can be "All", "None", or any combination of the keywords:
+ # Options FileInfo AuthConfig Limit
+ AllowOverride All
+
+ # Controls who can get stuff from this server.
+ Order allow,deny
+ Allow from all
+
+
+
+ # Redirect: Allows you to tell clients about documents that used to
+ # exist in your server's namespace, but do not anymore. The client
+ # will make a new request for the document at its new location.
+ # Example:
+ # Redirect permanent /foo http://www.example.com/bar
+
+ # Alias: Maps web paths into filesystem paths and is used to
+ # access content that does not live under the DocumentRoot.
+ # Example:
+ # Alias /webpath /full/filesystem/path
+ #
+ # If you include a trailing / on /webpath then the server will
+ # require it to be present in the URL. You will also likely
+ # need to provide a section to allow access to
+ # the filesystem path.
+
+ # ScriptAlias: This controls which directories contain server scripts.
+ # ScriptAliases are essentially the same as Aliases, except that
+ # documents in the target directory are treated as applications and
+ # run by the server when requested rather than as documents sent to the
+ # client. The same rules about trailing "/" apply to ScriptAlias
+ # directives as to Alias.
+ ScriptAlias /cgi-bin/ "/var/www/localhost/cgi-bin/"
+
+
+# "/var/www/localhost/cgi-bin" should be changed to whatever your ScriptAliased
+# CGI directory exists, if you have that configured.
+
+ AllowOverride None
+ Options None
+ Order allow,deny
+ Allow from all
+
+
+# vim: ts=4 filetype=apache
diff --git a/apache2/vhosts.d/._cfg0000_default_vhost.include b/config-archive/etc/apache2/vhosts.d/default_vhost.include.dist
similarity index 100%
rename from apache2/vhosts.d/._cfg0000_default_vhost.include
rename to config-archive/etc/apache2/vhosts.d/default_vhost.include.dist
diff --git a/config-archive/etc/conf.d/fail2ban b/config-archive/etc/conf.d/fail2ban
new file mode 100644
index 0000000..50eaf41
--- /dev/null
+++ b/config-archive/etc/conf.d/fail2ban
@@ -0,0 +1,8 @@
+# Config file for /etc/init.d/fail2ban
+#
+# For information on options, see "/usr/bin/fail2ban-client -h".
+
+FAIL2BAN_OPTIONS="-v"
+
+# Force execution of the server even if the socket already exists:
+#FAIL2BAN_OPTIONS="-x"
diff --git a/conf.d/._cfg0000_fail2ban b/config-archive/etc/conf.d/fail2ban.dist.new
similarity index 100%
rename from conf.d/._cfg0000_fail2ban
rename to config-archive/etc/conf.d/fail2ban.dist.new
diff --git a/etckeeper/._cfg0000_etckeeper.conf b/config-archive/etc/etckeeper/etckeeper.conf.dist
similarity index 100%
rename from etckeeper/._cfg0000_etckeeper.conf
rename to config-archive/etc/etckeeper/etckeeper.conf.dist
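Review bot: The document-root block in default_vhost.include sets `Options Indexes FollowSymLinks` and `AllowOverride All`, so directories without an index file are listed, symlinks are followed regardless of owner, and any .htaccess under /var/www/localhost/htdocs may override every directive class. A tighter default would be `Options SymLinksIfOwnerMatch` with `AllowOverride None` (or only the classes actually needed, e.g. `AllowOverride AuthConfig`), enabling Indexes per directory where a listing is really wanted. The access lines here are still 2.2-style `Order allow,deny` / `Allow from all` while other files in this commit move to `Require all granted`, so this copy would presumably need mod_access_compat under 2.4. The enclosing container lines are not visible in this rendering, so which directory each block applies to is taken from the surrounding comments.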
diff --git a/config-archive/etc/etckeeper/etckeeper.conf.dist.new b/config-archive/etc/etckeeper/etckeeper.conf.dist.new
deleted file mode 100644
index c1da4bf..0000000
--- a/config-archive/etc/etckeeper/etckeeper.conf.dist.new
+++ /dev/null
@@ -1,44 +0,0 @@
-# The VCS to use.
-#VCS="hg"
-VCS="git"
-#VCS="bzr"
-#VCS="darcs"
-
-# Options passed to git commit when run by etckeeper.
-GIT_COMMIT_OPTIONS=""
-
-# Options passed to hg commit when run by etckeeper.
-HG_COMMIT_OPTIONS=""
-
-# Options passed to bzr commit when run by etckeeper.
-BZR_COMMIT_OPTIONS=""
-
-# Options passed to darcs record when run by etckeeper.
-DARCS_COMMIT_OPTIONS="-a"
-
-# Uncomment to avoid etckeeper committing existing changes
-# to /etc automatically once per day.
-#AVOID_DAILY_AUTOCOMMITS=1
-
-# Uncomment the following to avoid special file warning
-# (the option is enabled automatically by cronjob regardless).
-#AVOID_SPECIAL_FILE_WARNING=1
-
-# Uncomment to avoid etckeeper committing existing changes to
-# /etc before installation. It will cancel the installation,
-# so you can commit the changes by hand.
-#AVOID_COMMIT_BEFORE_INSTALL=1
-
-# The high-level package manager that's being used.
-# (apt, pacman-g2, yum, zypper etc)
-# For gentoo this is emerge
-HIGHLEVEL_PACKAGE_MANAGER=emerge
-
-# The low-level package manager that's being used.
-# (dpkg, rpm, pacman, pacman-g2, etc)
-# For gentoo this is qlist
-LOWLEVEL_PACKAGE_MANAGER=qlist
-
-# To push each commit to a remote, put the name of the remote here.
-# (eg, "origin" for git).
-PUSH_REMOTE=""
diff --git a/config-archive/etc/fail2ban/jail.conf b/config-archive/etc/fail2ban/jail.conf
new file mode 100644
index 0000000..82be8d0
--- /dev/null
+++ b/config-archive/etc/fail2ban/jail.conf
@@ -0,0 +1,762 @@ +# +# WARNING: heavily refactored in 0.9.0 release. Please review and +# customize settings for your setup. +# +# Changes: in most of the cases you should not modify this +# file, but provide customizations in jail.local file, +# or separate .conf files under jail.d/ directory, e.g.: +# +# HOW TO ACTIVATE JAILS: +# +# YOU SHOULD NOT MODIFY THIS FILE. +# +# It will probably be overwritten or improved in a distribution update. +# +# Provide customizations in a jail.local file or a jail.d/customisation.local. +# For example to change the default bantime for all jails and to enable the +# ssh-iptables jail the following (uncommented) would appear in the .local file. +# See man 5 jail.conf for details. +# +# [DEFAULT] +# bantime = 3600 +# +# [sshd] +# enabled = true +# +# See jail.conf(5) man page for more information + + + +# Comments: use '#' for comment lines and ';' (following a space) for inline comments + + +[INCLUDES] + +#before = paths-distro.conf +before = paths-debian.conf + +# The DEFAULT allows a global definition of the options. They can be overridden +# in each jail afterwards. + +[DEFAULT] + +sshd_log = /var/log/syslog.d/authpriv.log + +# +# MISCELLANEOUS OPTIONS +# + +# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not +# ban a host which matches an address in this list. Several addresses can be +# defined using space separator. +ignoreip = 127.0.0.1/8 + +# External command that will take an tagged arguments to ignore, e.g. , +# and return true if the IP is to be ignored. False otherwise. +# +# ignorecommand = /path/to/command +ignorecommand = + +# "bantime" is the number of seconds that a host is banned. +bantime = 600 + +# A host is banned if it has generated "maxretry" during the last "findtime" +# seconds. +findtime = 600 + +# "maxretry" is the number of failures before a host get banned. +maxretry = 5 + +# "backend" specifies the backend used to get files modification. 
+# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto". +# This option can be overridden in each jail as well. +# +# pyinotify: requires pyinotify (a file alteration monitor) to be installed. +# If pyinotify is not installed, Fail2ban will use auto. +# gamin: requires Gamin (a file alteration monitor) to be installed. +# If Gamin is not installed, Fail2ban will use auto. +# polling: uses a polling algorithm which does not require external libraries. +# systemd: uses systemd python library to access the systemd journal. +# Specifying "logpath" is not valid for this backend. +# See "journalmatch" in the jails associated filter config +# auto: will try to use the following backends, in order: +# pyinotify, gamin, polling. +# +# Note: if systemd backend is choses as the default but you enable a jail +# for which logs are present only in its own log files, specify some other +# backend for that jail (e.g. polling) and provide empty value for +# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200 +backend = auto + +# "usedns" specifies if jails should trust hostnames in logs, +# warn when DNS lookups are performed, or ignore all hostnames in logs +# +# yes: if a hostname is encountered, a DNS lookup will be performed. +# warn: if a hostname is encountered, a DNS lookup will be performed, +# but it will be logged as a warning. +# no: if a hostname is encountered, will not be used for banning, +# but it will be logged as info. +usedns = warn + +# "logencoding" specifies the encoding of the log files handled by the jail +# This is used to decode the lines from the log file. +# Typical examples: "ascii", "utf-8" +# +# auto: will use the system locale setting +logencoding = auto + +# "enabled" enables the jails. +# By default all jails are disabled, and it should stay this way. 
+# Enable only relevant to your setup jails in your .local or jail.d/*.conf +# +# true: jail will be enabled and log files will get monitored for changes +# false: jail is not enabled +enabled = false + + +# "filter" defines the filter to use by the jail. +# By default jails have names matching their filter name +# +filter = %(__name__)s + + +# +# ACTIONS +# + +# Some options used for actions + +# Destination email address used solely for the interpolations in +# jail.{conf,local,d/*} configuration files. +destemail = root@localhost + +# Sender email address used solely for some actions +sender = root@localhost + +# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the +# mailing. Change mta configuration parameter to mail if you want to +# revert to conventional 'mail'. +mta = sendmail + +# Default protocol +protocol = tcp + +# Specify chain where jumps would need to be added in iptables-* actions +chain = INPUT + +# Ports to be banned +# Usually should be overridden in a particular jail +port = 0:65535 + +# +# Action shortcuts. To be used to define action parameter + +# Default banning action (e.g. iptables, iptables-new, +# iptables-multiport, shorewall, etc) It is used to define +# action_* variables. Can be overridden globally or per +# section within jail.local file +banaction = iptables-multiport + +# The simplest action to take: ban only +action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + +# ban & send an e-mail with whois report to the destemail. +action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] + +# ban & send an e-mail with whois report and relevant log lines +# to the destemail. 
+action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] + +# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action +# +# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines +# to the destemail. +action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"] + + +# Report block via blocklist.de fail2ban reporting service API +# +# See the IMPORTANT note in action.d/blocklist_de.conf for when to +# use this action. Create a file jail.d/blocklist_de.local containing +# [Init] +# blocklist_de_apikey = {api key from registration] +# +action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"] + +# Report ban via badips.com, and use as blacklist +# +# See BadIPsAction docstring in config/action.d/badips.py for +# documentation for this action. +# +# NOTE: This action relies on banaction being present on start and therefore +# should be last action defined for a jail. +# +action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"] + +# Choose default action. To change, just override value of 'action' with the +# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local +# globally (section [DEFAULT]) or per specific section +action = %(action_)s + + +# +# JAILS +# + +# +# SSH servers +# + +[sshd] + +port = ssh +logpath = /var/log/syslog.d/authpriv.log + + +[sshd-ddos] +# This jail corresponds to the standard configuration in Fail2ban. +# The mail-whois action send a notification e-mail with a whois request +# in the body. 
+port = ssh +logpath = /var/log/syslog.d/authpriv.log + + +[dropbear] + +port = ssh +logpath = %(dropbear_log)s + + +[selinux-ssh] + +port = ssh +logpath = %(auditd_log)s +maxretry = 5 + + +# +# HTTP servers +# + +[apache-auth] + +port = http,https +logpath = %(apache_error_log)s + + +[apache-badbots] +# Ban hosts which agent identifies spammer robots crawling the web +# for email addresses. The mail outputs are buffered. +port = http,https +logpath = %(apache_access_log)s +bantime = 172800 +maxretry = 1 + + +[apache-noscript] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 6 + + +[apache-overflows] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 2 + + +[apache-nohome] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 2 + + +[apache-botsearch] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 2 + + +[apache-fakegooglebot] + +port = http,https +logpath = %(apache_access_log)s +maxretry = 1 +ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot + + +[apache-modsecurity] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 2 + +[apache-shellshock] + +port = http,https +logpath = %(apache_error_log)s +maxretry = 1 + +[nginx-http-auth] + +port = http,https +logpath = %(nginx_error_log)s + +[nginx-botsearch] + +port = http,https +logpath = %(nginx_error_log)s +maxretry = 2 + +# Ban attackers that try to use PHP's URL-fopen() functionality +# through GET/POST variables. - Experimental, with more than a year +# of usage in production environments. 
+ +[php-url-fopen] + +port = http,https +logpath = %(nginx_access_log)s + %(apache_access_log)s + + +[suhosin] + +port = http,https +logpath = %(suhosin_log)s + + +[lighttpd-auth] +# Same as above for Apache's mod_auth +# It catches wrong authentifications +port = http,https +logpath = %(lighttpd_error_log)s + + +# +# Webmail and groupware servers +# + +[roundcube-auth] + +port = http,https +logpath = /var/log/roundcube/userlogins + + +[openwebmail] + +port = http,https +logpath = /var/log/openwebmail.log + + +[horde] + +port = http,https +logpath = /var/log/horde/horde.log + + +[groupoffice] + +port = http,https +logpath = /home/groupoffice/log/info.log + + +[sogo-auth] +# Monitor SOGo groupware server +# without proxy this would be: +# port = 20000 +port = http,https +logpath = /var/log/sogo/sogo.log + + +[tine20] + +logpath = /var/log/tine20/tine20.log +port = http,https +maxretry = 5 + + +# +# Web Applications +# +# + +[drupal-auth] + +port = http,https +logpath = %(syslog_daemon)s + +[guacamole] + +port = http,https +logpath = /var/log/tomcat*/catalina.out + +[monit] +#Ban clients brute-forcing the monit gui login +filter = monit +port = 2812 +logpath = /var/log/monit + + +[webmin-auth] + +port = 10000 +logpath = %(syslog_authpriv)s + + +# +# HTTP Proxy servers +# +# + +[squid] + +port = 80,443,3128,8080 +logpath = /var/log/squid/access.log + + +[3proxy] + +port = 3128 +logpath = /var/log/3proxy.log + +# +# FTP servers +# + + +[proftpd] + +port = ftp,ftp-data,ftps,ftps-data +logpath = %(proftpd_log)s + + +[pure-ftpd] + +port = ftp,ftp-data,ftps,ftps-data +logpath = %(pureftpd_log)s +maxretry = 6 + + +[gssftpd] + +port = ftp,ftp-data,ftps,ftps-data +logpath = %(syslog_daemon)s +maxretry = 6 + + +[wuftpd] + +port = ftp,ftp-data,ftps,ftps-data +logpath = %(wuftpd_log)s +maxretry = 6 + + +[vsftpd] +# or overwrite it in jails.local to be +# logpath = %(syslog_authpriv)s +# if you want to rely on PAM failed login attempts +# vsftpd's failregex should match both of 
those formats +port = ftp,ftp-data,ftps,ftps-data +logpath = %(vsftpd_log)s + + +# +# Mail servers +# + +# ASSP SMTP Proxy Jail +[assp] + +port = smtp,465,submission +logpath = /root/path/to/assp/logs/maillog.txt + + +[courier-smtp] + +port = smtp,465,submission +logpath = %(syslog_mail)s + + +[postfix] + +port = smtp,465,submission +logpath = %(postfix_log)s + + +[postfix-rbl] + +port = smtp,465,submission +logpath = %(syslog_mail)s +maxretry = 1 + + +[sendmail-auth] + +port = submission,465,smtp +logpath = %(syslog_mail)s + + +[sendmail-reject] + +port = smtp,465,submission +logpath = %(syslog_mail)s + + +[qmail-rbl] + +filter = qmail +port = smtp,465,submission +logpath = /service/qmail/log/main/current + + +# dovecot defaults to logging to the mail syslog facility +# but can be set by syslog_facility in the dovecot configuration. +[dovecot] + +port = pop3,pop3s,imap,imaps,submission,465,sieve +logpath = %(dovecot_log)s + + +[sieve] + +port = smtp,465,submission +logpath = %(dovecot_log)s + + +[solid-pop3d] + +port = pop3,pop3s +logpath = %(solidpop3d_log)s + + +[exim] + +port = smtp,465,submission +logpath = %(exim_main_log)s + + +[exim-spam] + +port = smtp,465,submission +logpath = %(exim_main_log)s + + +[kerio] + +port = imap,smtp,imaps,465 +logpath = /opt/kerio/mailserver/store/logs/security.log + + +# +# Mail servers authenticators: might be used for smtp,ftp,imap servers, so +# all relevant ports get banned +# + +[courier-auth] + +port = smtp,465,submission,imap3,imaps,pop3,pop3s +logpath = %(syslog_mail)s + + +[postfix-sasl] + +port = smtp,465,submission,imap3,imaps,pop3,pop3s +# You might consider monitoring /var/log/mail.warn instead if you are +# running postfix since it would provide the same log lines at the +# "warn" level but overall at the smaller filesize. 
+logpath = %(postfix_log)s + + +[perdition] + +port = imap3,imaps,pop3,pop3s +logpath = %(syslog_mail)s + + +[squirrelmail] + +port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks +logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log + + +[cyrus-imap] + +port = imap3,imaps +logpath = %(syslog_mail)s + + +[uwimap-auth] + +port = imap3,imaps +logpath = %(syslog_mail)s + + +# +# +# DNS servers +# + + +# !!! WARNING !!! +# Since UDP is connection-less protocol, spoofing of IP and imitation +# of illegal actions is way too simple. Thus enabling of this filter +# might provide an easy way for implementing a DoS against a chosen +# victim. See +# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html +# Please DO NOT USE this jail unless you know what you are doing. +# +# IMPORTANT: see filter.d/named-refused for instructions to enable logging +# This jail blocks UDP traffic for DNS requests. +# [named-refused-udp] +# +# filter = named-refused +# port = domain,953 +# protocol = udp +# logpath = /var/log/named/security.log + +# IMPORTANT: see filter.d/named-refused for instructions to enable logging +# This jail blocks TCP traffic for DNS requests. 
+ +[named-refused] + +port = domain,953 +logpath = /var/log/named/security.log + + +[nsd] + +port = 53 +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] +logpath = /var/log/nsd.log + + +# +# Miscellaneous +# + +[asterisk] + +port = 5060,5061 +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] + %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] +logpath = /var/log/asterisk/messages +maxretry = 10 + + +[freeswitch] + +port = 5060,5061 +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] + %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] +logpath = /var/log/freeswitch.log +maxretry = 10 + + +# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or +# equivalent section: +# log-warning = 2 +# +# for syslog (daemon facility) +# [mysqld_safe] +# syslog +# +# for own logfile +# [mysqld] +# log-error=/var/log/mysqld.log +[mysqld-auth] + +port = 3306 +logpath = %(mysql_log)s +maxretry = 5 + + +# Jail for more extended banning of persistent abusers +# !!! WARNINGS !!! +# 1. Make sure that your loglevel specified in fail2ban.conf/.local +# is not at DEBUG level -- which might then cause fail2ban to fall into +# an infinite loop constantly feeding itself with non-informative lines +# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 
648000 (7.5 days) +# to maintain entries for failed logins for sufficient amount of time +[recidive] + +logpath = /var/log/fail2ban.log +banaction = iptables-allports +bantime = 604800 ; 1 week +findtime = 86400 ; 1 day +maxretry = 5 + + +# Generic filter for PAM. Has to be used with action which bans all +# ports such as iptables-allports, shorewall + +[pam-generic] +# pam-generic filter can be customized to monitor specific subset of 'tty's +banaction = iptables-allports +logpath = %(syslog_authpriv)s + + +[xinetd-fail] + +banaction = iptables-multiport-log +logpath = %(syslog_daemon)s +maxretry = 2 + + +# stunnel - need to set port for this +[stunnel] + +logpath = /var/log/stunnel4/stunnel.log + + +[ejabberd-auth] + +port = 5222 +logpath = /var/log/ejabberd/ejabberd.log + + +[counter-strike] + +logpath = /opt/cstrike/logs/L[0-9]*.log +# Firewall: http://www.cstrike-planet.com/faq/6 +tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039 +udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015 +action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] + +# consider low maxretry and a long bantime +# nobody except your own Nagios server should ever probe nrpe +[nagios] + +enabled = false +logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility +maxretry = 1 + + +[oracleims] +# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above +enabled = false +logpath = /opt/sun/comms/messaging64/log/mail.log_current +maxretry = 6 +banaction = iptables-allports + +[directadmin] +enabled = false +logpath = /var/log/directadmin/login.log +port = 2222 + +[portsentry] +enabled = false +logpath = /var/lib/portsentry/portsentry.history +maxretry = 1 + +# vim: filetype=dosini 
diff --git a/fail2ban/._cfg0000_jail.conf b/config-archive/etc/fail2ban/jail.conf.dist similarity index 100% rename from fail2ban/._cfg0000_jail.conf rename to config-archive/etc/fail2ban/jail.conf.dist diff --git a/config-archive/etc/fail2ban/paths-debian.conf b/config-archive/etc/fail2ban/paths-debian.conf new file mode 100644 index 0000000..bf7d764 --- /dev/null +++ b/config-archive/etc/fail2ban/paths-debian.conf @@ -0,0 +1,40 @@ +# Debian + +[INCLUDES] + +before = paths-common.conf + +after = paths-overrides.local + + +[DEFAULT] + +syslog_mail = /var/log/syslog.d/mail.log + +syslog_mail_warn = /var/log/mail/mail.warn.log + +syslog_authpriv = /var/log/syslog.d/authpriv.log + +syslog_auth = /var/log/syslog.d/auth.log + +syslog_user = /var/log/syslog.d/user.log + +syslog_ftp = /var/log/syslog + +syslog_daemon = /var/log/syslog.d/daemon.log + +syslog_local0 = /var/log/syslog.d/local0.log + + +apache_error_log = /var/log/apache2/*error.log + +apache_access_log = /var/log/apache2/*access.log + +exim_main_log = /var/log/exim4/mainlog + +# was in debian squeezy but not in wheezy +# /etc/proftpd/proftpd.conf (SystemLog) +proftpd_log = /var/log/proftpd/proftpd.log + + +# vim: filetype=dosini diff --git a/fail2ban/._cfg0000_paths-debian.conf b/config-archive/etc/fail2ban/paths-debian.conf.dist.new similarity index 100% rename from fail2ban/._cfg0000_paths-debian.conf rename to config-archive/etc/fail2ban/paths-debian.conf.dist.new diff --git a/config-archive/etc/logrotate.d/fail2ban.dist.new b/config-archive/etc/logrotate.d/fail2ban.dist.new index a09870a..fe4f797 100644 --- a/config-archive/etc/logrotate.d/fail2ban.dist.new +++ b/config-archive/etc/logrotate.d/fail2ban.dist.new @@ -9,9 +9,7 @@ # http://pkgs.fedoraproject.org/cgit/fail2ban.git/tree/fail2ban-logrotate /var/log/fail2ban.log { - rotate 7 missingok - compress postrotate /usr/bin/fail2ban-client flushlogs 1>/dev/null || true endscript 
diff --git a/etckeeper/etckeeper.conf b/etckeeper/etckeeper.conf index a5983d9..8134bfb 100644 --- a/etckeeper/etckeeper.conf +++ b/etckeeper/etckeeper.conf @@ -30,15 +30,24 @@ DARCS_COMMIT_OPTIONS="-a" #AVOID_COMMIT_BEFORE_INSTALL=1 # The high-level package manager that's being used. -# (apt, pacman-g2, yum, zypper etc) -# For gentoo this is emerge +# (apt, pacman-g2, yum, dnf, zypper etc) +#HIGHLEVEL_PACKAGE_MANAGER=apt + +# Gentoo specific: +# For portage this is emerge +# For paludis this is cave HIGHLEVEL_PACKAGE_MANAGER=emerge # The low-level package manager that's being used. # (dpkg, rpm, pacman, pacman-g2, etc) -# For gentoo this is qlist +#LOWLEVEL_PACKAGE_MANAGER=dpkg + +# Gentoo specific: +# For portage this is qlist +# For paludis this is cave LOWLEVEL_PACKAGE_MANAGER=qlist # To push each commit to a remote, put the name of the remote here. -# (eg, "origin" for git). +# (eg, "origin" for git). Space-separated lists of multiple remotes +# also work (eg, "origin gitlab github" for git). PUSH_REMOTE="origin" diff --git a/fail2ban/jail.conf b/fail2ban/jail.conf index 82be8d0..40bc7e2 100644 --- a/fail2ban/jail.conf +++ b/fail2ban/jail.conf @@ -176,6 +176,10 @@ action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(por action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"] +# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines +# to the destemail. +action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] + %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] # Report block via blocklist.de fail2ban reporting service API # @@ -213,7 +217,7 @@ action = %(action_)s [sshd] port = ssh -logpath = /var/log/syslog.d/authpriv.log +logpath = %(sshd_log)s [sshd-ddos] 
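Review bot: The new `action_cf_mwl` shortcut in the `@@ -176,6 +176,10 @@` hunk of fail2ban/jail.conf interpolates `%(cfemail)s` and `%(cfapikey)s`, but neither option is defined in the previous blob of this file (archived in full earlier in this patch) and no hunk here adds them, so a jail selecting this action will presumably fail interpolation until both are set in a .local file. I would add a comment above the shortcut, `# cfemail and cfapikey must be defined in jail.local; cfapikey is a credential`. Because etckeeper.conf in this same commit keeps `PUSH_REMOTE="origin"`, an API key written under /etc is committed and pushed off the host, so the file holding it should be kept out of the repository or the remote's read access restricted. The `[DEFAULT]` section this shortcut belongs to starts outside the hunk.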
@@ -221,7 +225,7 @@ logpath = /var/log/syslog.d/authpriv.log # The mail-whois action send a notification e-mail with a whois request # in the body. port = ssh -logpath = /var/log/syslog.d/authpriv.log +logpath = %(sshd_log)s [dropbear] @@ -346,7 +350,7 @@ logpath = %(lighttpd_error_log)s [roundcube-auth] port = http,https -logpath = /var/log/roundcube/userlogins +logpath = logpath = %(roundcube_errors_log)s [openwebmail] @@ -410,6 +414,12 @@ port = 10000 logpath = %(syslog_authpriv)s +[froxlor-auth] + +port = http,https +logpath = %(syslog_authpriv)s + + # # HTTP Proxy servers # @@ -426,6 +436,7 @@ logpath = /var/log/squid/access.log port = 3128 logpath = /var/log/3proxy.log + # # FTP servers # @@ -759,4 +770,17 @@ enabled = false logpath = /var/lib/portsentry/portsentry.history maxretry = 1 +[pass2allow-ftp] +# this pass2allow example allows FTP traffic after successful HTTP authentication +port = ftp,ftp-data,ftps,ftps-data +# knocking_url variable must be overridden to some secret value in filter.d/apache-pass.local +filter = apache-pass +# access log of the website with HTTP auth +logpath = %(apache_access_log)s +blocktype = RETURN +returntype = DROP +bantime = 3600 +maxretry = 1 +findtime = 1 + # vim: filetype=dosini diff --git a/logrotate.d/._cfg0000_fail2ban b/logrotate.d/._cfg0000_fail2ban deleted file mode 100644 index fe4f797..0000000 --- a/logrotate.d/._cfg0000_fail2ban +++ /dev/null @@ -1,16 +0,0 @@ -# -# Gentoo: -# http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/fail2ban/files/fail2ban-logrotate?view=markup -# -# Debian: -# https://github.com/fail2ban/fail2ban/blob/debian/debian/fail2ban.logrotate -# -# Fedora view: -# http://pkgs.fedoraproject.org/cgit/fail2ban.git/tree/fail2ban-logrotate - -/var/log/fail2ban.log { - missingok - postrotate - /usr/bin/fail2ban-client flushlogs 1>/dev/null || true - endscript -} -- 2.39.5
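Review bot: In the `[roundcube-auth]` hunk (`@@ -346,7 +350,7 @@`) the added line repeats the key, `logpath = logpath = %(roundcube_errors_log)s`, so the option's value becomes the literal text `logpath = …` rather than a path and the jail would have no usable log file if it were enabled. The line should read `logpath = %(roundcube_errors_log)s`. `roundcube_errors_log` is not defined in jail.conf or in the paths-debian.conf shown in this patch, so confirm that paths-common.conf (not visible here) provides it. A jail that monitors nothing gives a false sense of brute-force protection for the webmail login.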
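Review bot: `[pass2allow-ftp]` in the last fail2ban/jail.conf hunk (`@@ -759,4 +770,17 @@`) is, per its own comment, a jail whose match allows FTP traffic rather than blocking it, yet unlike the `[portsentry]` jail just above it (and `[nagios]`, `[oracleims]`, `[directadmin]` in the same file) it carries no explicit `enabled = false`. I would add `enabled = false` as the first option of the section and extend the existing comment to `# do not enable until knocking_url is overridden in filter.d/apache-pass.local`, since the stock value is presumably identical on every installation. The chosen URL will also be written to the Apache access log named by `logpath`, and, with etckeeper pushing /etc to a remote, the .local file holding it ends up in the repository, so both need restricted read access.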