From e85511c26a2c79263df72d650b0b25f8c7fca14b Mon Sep 17 00:00:00 2001 
From: Frank Brehm Date: Tue, 19 Sep 2023 11:27:34 +0200 Subject: [PATCH] saving uncommitted changes in /etc prior to apt run --- .etckeeper | 18 +- apt/keyrings/salt-archive-keyring-2023.gpg | Bin 0 -> 1769 bytes apt/sources.list | 22 +- apt/sources.list.2021-10-31.bullseye.bak | 20 + apt/sources.list.d/dns-oarc.list | 2 +- .../dns-oarc.list.2022-11-30.bullseye.bak | 3 + apt/sources.list.d/fbrehm.list | 2 +- .../fbrehm.list.2021-09-16.bullseye.bak | 7 + apt/sources.list.d/salt.list | 2 +- .../salt.list.2021-10-31.bullseye.bak | 1 + apt/trusted.gpg.d/frank.brehm.asc | 98 ++ apt/trusted.gpg.d/frank.brehm.gpg | Bin 0 -> 2234 bytes apt/trusted.gpg.d/icinga.asc | 29 + chrony/chrony.conf.ucf-dist | 47 - default/grub.ucf-dist | 32 - .../action.d/sendmail-common.conf.dpkg-dist | 77 -- .../action.d/sendmail-whois.conf.dpkg-dist | 40 - fail2ban/action.d/sendmail.conf.dpkg-dist | 37 - fail2ban/fail2ban.conf.dpkg-dist | 86 -- fail2ban/jail.conf.dpkg-dist | 964 ------------------ rsyslog.conf.dpkg-dist | 92 -- skel/.bashrc.dpkg-dist | 113 -- 22 files changed, 181 insertions(+), 1511 deletions(-) create mode 100644 apt/keyrings/salt-archive-keyring-2023.gpg create mode 100644 apt/sources.list.2021-10-31.bullseye.bak create mode 100644 apt/sources.list.d/dns-oarc.list.2022-11-30.bullseye.bak create mode 100644 apt/sources.list.d/fbrehm.list.2021-09-16.bullseye.bak create mode 100644 apt/sources.list.d/salt.list.2021-10-31.bullseye.bak create mode 100644 apt/trusted.gpg.d/frank.brehm.asc create mode 100644 apt/trusted.gpg.d/frank.brehm.gpg create mode 100644 apt/trusted.gpg.d/icinga.asc delete mode 100644 chrony/chrony.conf.ucf-dist delete mode 100644 default/grub.ucf-dist delete mode 100644 fail2ban/action.d/sendmail-common.conf.dpkg-dist delete mode 100644 fail2ban/action.d/sendmail-whois.conf.dpkg-dist delete mode 100644 fail2ban/action.d/sendmail.conf.dpkg-dist delete mode 100644 fail2ban/fail2ban.conf.dpkg-dist delete mode 100644 fail2ban/jail.conf.dpkg-dist delete mode 
100644 rsyslog.conf.dpkg-dist delete mode 100644 skel/.bashrc.dpkg-dist diff --git a/.etckeeper b/.etckeeper index a94246a..9a56c36 100755 --- a/.etckeeper +++ b/.etckeeper @@ -265,6 +265,8 @@ maybe chmod 0644 'apt/apt.conf.d/20listchanges' maybe chmod 0644 'apt/apt.conf.d/70debconf' maybe chmod 0644 'apt/apt.conf.d/99needrestart' maybe chmod 0755 'apt/auth.conf.d' +maybe chmod 0755 'apt/keyrings' +maybe chmod 0644 'apt/keyrings/salt-archive-keyring-2023.gpg' maybe chmod 0644 'apt/listchanges.conf' maybe chmod 0755 'apt/listchanges.conf.d' maybe chmod 0755 'apt/preferences.d' @@ -275,13 +277,17 @@ maybe chmod 0644 'apt/sources.list.2017-03-06.jessie.bak' maybe chmod 0644 'apt/sources.list.2017-06-17.jessie.bak' maybe chmod 0644 'apt/sources.list.2018-08-25.stretch.bak' maybe chmod 0644 'apt/sources.list.2019-09-04.buster.bak' +maybe chmod 0644 'apt/sources.list.2021-10-31.bullseye.bak' maybe chmod 0755 'apt/sources.list.d' maybe chmod 0644 'apt/sources.list.d/dns-oarc.list' maybe chmod 0644 'apt/sources.list.d/dns-oarc.list.2019-09-04.buster.bak' +maybe chmod 0644 'apt/sources.list.d/dns-oarc.list.2022-11-30.bullseye.bak' maybe chmod 0644 'apt/sources.list.d/fbrehm.list' maybe chmod 0644 'apt/sources.list.d/fbrehm.list.2019-09-04.buster.bak' +maybe chmod 0644 'apt/sources.list.d/fbrehm.list.2021-09-16.bullseye.bak' maybe chmod 0644 'apt/sources.list.d/salt.list' maybe chmod 0644 'apt/sources.list.d/salt.list.2021-04-08.buster.bak' +maybe chmod 0644 'apt/sources.list.d/salt.list.2021-10-31.bullseye.bak' maybe chmod 0644 'apt/trusted.gpg' maybe chmod 0755 'apt/trusted.gpg.d' maybe chmod 0644 'apt/trusted.gpg.d/debian-archive-bookworm-automatic.gpg' 
@@ -293,6 +299,9 @@ maybe chmod 0644 'apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg' maybe chmod 0644 'apt/trusted.gpg.d/debian-archive-buster-automatic.gpg' maybe chmod 0644 'apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg' maybe chmod 0644 'apt/trusted.gpg.d/debian-archive-buster-stable.gpg' +maybe chmod 0644 'apt/trusted.gpg.d/frank.brehm.asc' +maybe chmod 0644 'apt/trusted.gpg.d/frank.brehm.gpg' +maybe chmod 0644 'apt/trusted.gpg.d/icinga.asc' maybe chmod 0755 'apticron' maybe chmod 0644 'apticron/README' maybe chmod 0644 'apticron/apticron.conf' @@ -369,7 +378,6 @@ maybe chmod 0644 'calendar/default' maybe chmod 0644 'cczerc' maybe chmod 0755 'chrony' maybe chmod 0644 'chrony/chrony.conf' -maybe chmod 0644 'chrony/chrony.conf.ucf-dist' maybe chmod 0640 'chrony/chrony.keys' maybe chmod 0755 'chrony/conf.d' maybe chmod 0644 'chrony/conf.d/README' @@ -457,7 +465,6 @@ maybe chmod 0644 'default/fail2ban' maybe chmod 0644 'default/grub' maybe chmod 0755 'default/grub.d' maybe chmod 0644 'default/grub.d/init-select.cfg' -maybe chmod 0644 'default/grub.ucf-dist' maybe chmod 0644 'default/halt' maybe chmod 0644 'default/haveged' maybe chmod 0644 'default/hwclock' 
@@ -613,16 +620,13 @@ maybe chmod 0644 'fail2ban/action.d/pf.conf' maybe chmod 0644 'fail2ban/action.d/route.conf' maybe chmod 0644 'fail2ban/action.d/sendmail-buffered.conf' maybe chmod 0644 'fail2ban/action.d/sendmail-common.conf' -maybe chmod 0644 'fail2ban/action.d/sendmail-common.conf.dpkg-dist' maybe chmod 0644 'fail2ban/action.d/sendmail-geoip-lines.conf' maybe chmod 0644 'fail2ban/action.d/sendmail-whois-ipjailmatches.conf' maybe chmod 0644 'fail2ban/action.d/sendmail-whois-ipmatches.conf' maybe chmod 0644 'fail2ban/action.d/sendmail-whois-lines.conf' maybe chmod 0644 'fail2ban/action.d/sendmail-whois-matches.conf' maybe chmod 0644 'fail2ban/action.d/sendmail-whois.conf' -maybe chmod 0644 'fail2ban/action.d/sendmail-whois.conf.dpkg-dist' maybe chmod 0644 'fail2ban/action.d/sendmail.conf' -maybe chmod 0644 'fail2ban/action.d/sendmail.conf.dpkg-dist' maybe chmod 0644 'fail2ban/action.d/shorewall-ipset-proto6.conf' maybe chmod 0644 'fail2ban/action.d/shorewall.conf' maybe chmod 0644 'fail2ban/action.d/smtp.py' @@ -630,7 +634,6 @@ maybe chmod 0644 'fail2ban/action.d/symbiosis-blacklist-allports.conf' maybe chmod 0644 'fail2ban/action.d/ufw.conf' maybe chmod 0644 'fail2ban/action.d/xarf-login-attack.conf' maybe chmod 0644 'fail2ban/fail2ban.conf' -maybe chmod 0644 'fail2ban/fail2ban.conf.dpkg-dist' maybe chmod 0755 'fail2ban/fail2ban.d' maybe chmod 0755 'fail2ban/filter.d' maybe chmod 0644 'fail2ban/filter.d/3proxy.conf' @@ -730,7 +733,6 @@ maybe chmod 0644 'fail2ban/filter.d/znc-adminlog.conf' maybe chmod 0644 'fail2ban/filter.d/zoneminder.conf' maybe chmod 0644 'fail2ban/jail.conf' maybe chmod 0644 'fail2ban/jail.conf.bak' -maybe chmod 0644 'fail2ban/jail.conf.dpkg-dist' maybe chmod 0755 'fail2ban/jail.d' maybe chmod 0644 'fail2ban/jail.d/apache-jail.conf' maybe chmod 0644 'fail2ban/jail.d/defaults-debian.conf' 
@@ -1810,7 +1812,6 @@ maybe chmod 0755 'resolvconf/update.d' maybe chmod 0755 'resolvconf/update.d/libc' maybe chmod 0644 'rpc' maybe chmod 0644 'rsyslog.conf' -maybe chmod 0644 'rsyslog.conf.dpkg-dist' maybe chmod 0755 'rsyslog.d' maybe chmod 0644 'rsyslog.d/60-default.conf' maybe chmod 0644 'rsyslog.d/70-pb.conf' @@ -1878,7 +1879,6 @@ maybe chmod 0644 'shells' maybe chmod 0755 'skel' maybe chmod 0644 'skel/.bash_logout' maybe chmod 0644 'skel/.bashrc' -maybe chmod 0644 'skel/.bashrc.dpkg-dist' maybe chmod 0644 'skel/.profile' maybe chmod 0755 'skel/bin' maybe chmod 0755 'ssh' diff --git a/apt/keyrings/salt-archive-keyring-2023.gpg b/apt/keyrings/salt-archive-keyring-2023.gpg new file mode 100644 index 0000000000000000000000000000000000000000..cf48f608f9c61bd04b15b8348ec8268cc10b74c3 GIT binary patch literal 1769 zcmajeX)qfIAIEV?MB=LZ)&#Aqj@DU6gi?2{6kSIZAr^6^2(N+EU_Ns^f~Iw$Jm-&a?0K)qmzY^MCc5&m%wxDQrP4nuQik)a1-iH4&~ z9Pr3u8SFRm!shTqTS9|?dBTW`;-M0g*wspm6ujHEN~nb*GaJ%fi+lGiHcNu@bm#e5GQ0S z>&PfIrkqXtMt36#cVS$?*H2Yd3Z?YqB?$8~O4$_H)YXBCS@H?hDZ-}s;qh6oHAcwC zie3Zgi@rSEQzq4FpGbe!gbikz6UBFd1MW0+H(?3WvRDI3fP=@+MS337p?Vs-{YY5B zi1qWFYk7tFvCB5pI86c*m|mzOMqZ`&4|JACcuS-A#<&I;5`0nvJ(oIsyX{A~#3iaJ z1cO4mMmn1SfDO>0?}!eHkU@ooVtsvnT(nOh+Ako)PX-bGqvQUU)o_1jlgQvGbeONY zPiQbQ12E1m1c0(3L}l6eQxi|){++x{(K!}kKl(#aH6<$O|NcUB5O1{wPMWe8ZWl`^6lqsnTjHr-T(JV^@l$U zQ`DkynZ}C6YIMhpGXrb|1?%Ht@OzHAJksYqWd?ozLJ!gm?>EBB-L!C; z`q0HOhJuZPnzY>bJ*+&Z5fu0}QYyoz5g6=(EVc=$%n5S~y?Sc57I~N^MZ4g& zvO&x50=a55T)4-g1{%g!WU(YT#VwAorS;kUpP&nbr_L6accNyY(df|@h}Hc|%1MT3 zZ}rS#cqQR&Lv!cW(BUW4ZB=tVY)ZB>A?~jINbm{m=S^;1k~d}ZLn<81P^-D~nd|YB zJx&?e#@Z}kx4kvOmEJ66Rram`m(9;sb7C&wv*>#cnxMvWRhi;qx}5Ljzb&VO_v|S9 zeSPNF+}gV3=*XOa*2UgSQT#efQum^n?-2Lw-@f{4x*}xefF@@kzfxh@c&+%2PfkvT zDSs;9^YrQ%Q3Al!7t+cGsHW4wKXw_q{&NI4>ZP zk`gUDfv4ow&gCWeYB5mO1$Bvuha1UpgUc=la(O% zxIM6CW3GbRyok+Yf%f$sCsJ}+x~0<)DU;`?h)HSw)|W?a>r1lmGvU4*xwheVS7l2j zQAR2v$TQKS6M_fb%5UgM8u_WkpZf&JM!QRg=1y&1rx1_PGsG{S5u>n?OwYmI%>n

X+=}L|PaXARwr{hza&9A&vL9t5?n7m)_(z-}3SwK_ zQUWWu&Gkung|*BQ3S~eWDQKtb^*|WFtQc_ztL&^jO`!Hbdw1_eg;!oKFh0^4X2bZE4WrAr zz8YhU=fuDr$N{i`D9*N6R`JqoRr(zSaO?@tUT?3oIK-F^Nd@6oP!o&YYDpO!yIPr! zwE3~w52zUwa&T{6T*xu7=71jF_k)SR4^dm$_~FS(d#WTnhf0{I?yhR=upX$;l8D{? z!(Ri1;XTUip_3>K)O!>M74I?u2LIY0@S?2D6=h1PbbRG5RT=!Kd}8g4KR=M8=sEpo z0B+MoqDb97=Xl}gaEW_?&qMHJ5Ba?yrMpHpVPcmg0JFTH1(C(kiWHdW2%IyZi!f+3 zAW55;(tX(JzdY#li>PSctQ^Skn+gX}T@3o&%j^8jx*x0P9JFeW;>rkY${z)C>Abjg zF3uw1QUYHkNS&WlMQuBDt+-^rH-8f47{dy=YfV|=qE|3=tIM)(QTPxy(04l~*%|TX zt}G*Q5?bcwTg3no0RRECJW^$FZ*ysMZ*qAcL1b-dZXjlFav(->VQy<6LULtjZ6G{w zVPk7yXJvChVsd3@Z7pwZY-w&~E@N+PK8XT11QP)W03iY!0|Fia0vCV<0#{@HZ3PPn z2nPcN6$%Lm3k4Pe0|5X43JDO0sN2@Jmfe*l;GWWkTIVidv29Rdkte_#pLE$c_|V^qtqGoXLP zl_{Ut7qa;w5br!b1*8sYSGVZ@4>DP1IC9yyiJXFBh%0o0M@h zL!HKedq`yayWVH!cDkXoWg)@?z%%Zq6Cff-3{kSm;C^hQclJh)wJ6(ZlyDX-_p-bH zx~`1cOq&}OMr|?+aweU~lF-rLs6{z;Zl`R5>I2VvyC$4I&O!_J^H)g)in@BCqn8zR z#6&JSS=BVdzpIWZsj!0!_>2q7gyveu!bf#?J^ZZfn$j%YkTxCKD9LD9GPF-N9G8=` zM>?|!N7T!2hCW`S+kK+aF>tN3>pGKI^HbwjP^NMVVvbHO&{bK3NcXVN4XB`B*I2==-vElvq zRb8FFlc>oATf6|as~euI91-TCa~lk~0u2OLWA)bo5CEwld_oDr8Rc6Qf?vX{P|SJCzd_g|oK8`(15P}0<)HRxBO(fPYRAR* z_2MNmK|UFvkRBcda*32|j#6^b*qlA1gWE-w<+&f(2E1NmH>y7U)rh&5!!BvsDaoSO z%;5DJlKDK28wfrm z`XGhYj5Ck5De4XTl=2Gd&cT(x`eF8aA3ep~bota}(gdNL;JpG8I?QbS$|%=lP&n|8 zcO_lvVWkALT!s(z1Hy&pS#FtiQWoFLYc{oUJEm?Ycv@Gu^FXP#B`FWPTY|ni`fB{K z@I*R0+*kMm@$GoT6V<&6>D>Hovl|fz0g%iHT-Wk%j22uYAR{Puux9Bhi+tv3PQ$NV#R*>yO9+BSY>EA zj9hC*y)sJkRghC+Uj-!LNEa&*4Lp|mA$tH30RRDs0v`kz0SEvI1p-%N_16L$3;+rV z5QnJS*0+}7D!2X*|52XmjM*~~1*|bTvkzcw0d1>FRf&9_erlxK;wevGX-+R%yN6Ox zDV-T72cDNAE+C6lm24&o>$!gb?3xJ{epYQNLtR6a=jBVRe!vp5 z#v(iaUMAIMZtUQlN)o;|VWB~TVr=c2@@+y#!X|h2d=qD#G}|2Dd*sem9PnIpp&>YX z{noAX`$@t$;_@Ow+2MR0%e?a$l%Ukpri9*o4KXU5j6m%*KpmVR)aaP+q|tnb9QBV2 zW&iE(eE0N^rJpM)rTdcbE0`Q;IQ#|beN^hJkIiC5M8sH8_RG$Hn9kzJ){fZY&vXlE_`qrLnT`8OkESdL?C06X z5Em>{=(B>4TNrOPGkNQcnE4p`@U z@KE1SOSj}S4!s$?ZM9q6k5vlfU=((UpYNhw-S|%h5}1wMe}CGaUg I4>f$+4~-8nrvLx| literal 0 HcmV?d00001 
diff --git a/apt/trusted.gpg.d/icinga.asc b/apt/trusted.gpg.d/icinga.asc new file mode 100644 index 0000000..3c4197d --- /dev/null +++ b/apt/trusted.gpg.d/icinga.asc @@ -0,0 +1,29 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGiBFKHzk4RBACSHMIFTtfw4ZsNKAA03Gf5t7ovsKWnS7kcMYleAidypqhOmkGg +0petiYsMPYT+MOepCJFGNzwQwJhZrdLUxxMSWay4Xj0ArgpD9vbvU+gj8Tb02l+x +SqNGP8jXMV5UnK4gZsrYGLUPvx47uNNYRIRJAGOPYTvohhnFJiG402dzlwCg4u5I +1RdFplkp9JM6vNM9VBIAmcED/2jr7UQGsPs8YOiPkskGHLh/zXgO8SvcNAxCLgbp +BjGcF4Iso/A2TAI/2KGJW6kBW/Paf722ltU6s/6mutdXJppgNAz5nfpEt4uZKZyu +oSWf77179B2B/Wl1BsX/Oc3chscAgQb2pD/qPF/VYRJU+hvdQkq1zfi6cVsxyREV +k+IwA/46nXh51CQxE29ayuy1BoIOxezvuXFUXZ8rP6aCh4KaiN9AJoy7pBieCzsq +d7rPEeGIzBjI+yhEu8p92W6KWzL0xduWfYg9I7a2GTk8CaLX2OCLuwnKd7RVDyyZ +yzRjWs0T5U7SRAWspLStYxMdKert9lLyQiRHtLwmlgBPqa0gh7Q+SWNpbmdhIE9w +ZW4gU291cmNlIE1vbml0b3JpbmcgKEJ1aWxkIHNlcnZlcikgPGluZm9AaWNpbmdh +Lm9yZz6IYAQTEQIAIAUCUofOTgIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJ +EMbjGcM0QQaCgSQAnRjXdbsyqziqhmxfAKffNJYuMPwdAKCS/IRCVyQzApFBtIBQ +1xuoym/4C7kCDQRSh85OEAgAvPwjlURCi8z6+7i60no4n16dNcSzd6AT8Kizpv2r +9BmNBff/GNYGnHyob/DMtmO2esEuVG8w62rO9m1wzzXzjbtmtU7NZ1Tg+C+reU2I +GNVu3SYtEVK/UTJHAhLcgry9yD99610tYPN2Fx33Efse94mXOreBfCvDsmFGSc7j +GVNCWXpMR3jTYyGj1igYd5ztOzG63D8gPyOucTTl+RWN/G9EoGBv6sWqk5eCd1Fs +JlWyQX4BJn3YsCZx3uj1DWL0dAl2zqcn6m1M4oj1ozW47MqM/efKOcV6VvCs9SL8 +F/NFvZcH4LKzeupCQ5jEONqcTlVlnLlIqId95Z4DI4AV9wADBQf/S6sKA4oH49tD +Yb5xAfUyEp5ben05TzUJbXs0Z7hfRQzy9+vQbWGamWLgg3QRUVPx1e4IT+W5vEm5 +dggNTMEwlLMI7izCPDcD32B5oxNVxlfj428KGllYWCFj+edY+xKTvw/PHnn+drKs +LE65Gwx4BPHm9EqWHIBX6aPzbgbJZZ06f6jWVBi/N7e/5n8lkxXqS23DBKemapyu +S1i56sH7mQSMaRZP/iiOroAJemPNxv1IQkykxw2woWMmTLKLMCD/i+4DxejE50tK +dxaOLTc4HDCsattw/RVJO6fwE414IXHMv330z4HKWJevMQ+CmQGfswvCwgeBP9n8 +PItLjBQAXIhJBBgRAgAJBQJSh85OAhsMAAoJEMbjGcM0QQaCzpAAmwUNoRyySf9p +5G3/2UD1PMueIwOtAKDVVDXEq5LJPVg4iafNu0SRMwgP0Q== +=icbY +-----END PGP PUBLIC KEY BLOCK----- 
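Review bot: `apt/trusted.gpg.d/icinga.asc` is added to the global trust directory, so apt will accept this key's signatures for every configured repository, not only the Icinga one. The same commit already creates `apt/keyrings/` for the Salt key; keeping this key there and binding it in the Icinga source entry (not visible here), e.g. `deb [signed-by=/etc/apt/keyrings/icinga.asc] <icinga-repo-url> <suite> main` with placeholders filled in, would scope its trust to that repository. The armored packet header decodes to a 1024-bit DSA primary key created in 2013, which is below current strength recommendations and which newer apt releases may warn about or refuse, so it is worth checking whether the vendor publishes a newer signing key. Because this is an automatic pre-apt etckeeper commit, the key fingerprint should be verified out of band against the vendor's published value rather than treating this commit as the review.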
diff --git a/chrony/chrony.conf.ucf-dist b/chrony/chrony.conf.ucf-dist
deleted file mode 100644
index b3a9510..0000000
--- a/chrony/chrony.conf.ucf-dist
+++ /dev/null
@@ -1,47 +0,0 @@
-# Welcome to the chrony configuration file. See chrony.conf(5) for more
-# information about usable directives.
-
-# Include configuration files found in /etc/chrony/conf.d.
-confdir /etc/chrony/conf.d
-
-# Use Debian vendor zone.
-pool 2.debian.pool.ntp.org iburst
-
-# Use time sources from DHCP.
-sourcedir /run/chrony-dhcp
-
-# Use NTP sources found in /etc/chrony/sources.d.
-sourcedir /etc/chrony/sources.d
-
-# This directive specify the location of the file containing ID/key pairs for
-# NTP authentication.
-keyfile /etc/chrony/chrony.keys
-
-# This directive specify the file into which chronyd will store the rate
-# information.
-driftfile /var/lib/chrony/chrony.drift
-
-# Save NTS keys and cookies.
-ntsdumpdir /var/lib/chrony
-
-# Uncomment the following line to turn logging on.
-#log tracking measurements statistics
-
-# Log files location.
-logdir /var/log/chrony
-
-# Stop bad estimates upsetting machine clock.
-maxupdateskew 100.0
-
-# This directive enables kernel synchronisation (every 11 minutes) of the
-# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
-rtcsync
-
-# Step the system clock instead of slewing it if the adjustment is larger than
-# one second, but only in the first three clock updates.
-makestep 1 3
-
-# Get TAI-UTC offset and leap seconds from the system tz database.
-# This directive must be commented out when using time sources serving
-# leap-smeared time.
-leapsectz right/UTC
diff --git a/default/grub.ucf-dist b/default/grub.ucf-dist
deleted file mode 100644
index 93f810b..0000000
--- a/default/grub.ucf-dist
+++ /dev/null
@@ -1,32 +0,0 @@
-# If you change this file, run 'update-grub' afterwards to update
-# /boot/grub/grub.cfg.
-# For full documentation of the options in this file, see:
-# info -f grub -n 'Simple configuration'
-
-GRUB_DEFAULT=0
-GRUB_TIMEOUT=5
-GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
-GRUB_CMDLINE_LINUX_DEFAULT=""
-GRUB_CMDLINE_LINUX=""
-
-# Uncomment to enable BadRAM filtering, modify to suit your needs
-# This works with Linux (no patch required) and with any kernel that obtains
-# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
-#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
-
-# Uncomment to disable graphical terminal (grub-pc only)
-#GRUB_TERMINAL=console
-
-# The resolution used on graphical terminal
-# note that you can use only modes which your graphic card supports via VBE
-# you can see them in real GRUB with the command `vbeinfo'
-#GRUB_GFXMODE=640x480
-
-# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
-#GRUB_DISABLE_LINUX_UUID=true
-
-# Uncomment to disable generation of recovery mode menu entries
-#GRUB_DISABLE_RECOVERY="true"
-
-# Uncomment to get a beep at grub start
-#GRUB_INIT_TUNE="480 440 1"
diff --git a/fail2ban/action.d/sendmail-common.conf.dpkg-dist b/fail2ban/action.d/sendmail-common.conf.dpkg-dist
deleted file mode 100644
index 1e31fad..0000000
--- a/fail2ban/action.d/sendmail-common.conf.dpkg-dist
+++ /dev/null
@@ -1,77 +0,0 @@
-# Fail2Ban configuration file
-#
-# Common settings for sendmail actions
-#
-# Users can override the defaults in sendmail-common.local
-
-[INCLUDES]
-
-after = sendmail-common.local
-
-[Definition]
-
-# Option: actionstart
-# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values: CMD
-#
-actionstart = printf %%b "Subject: [Fail2Ban] : started on
- Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
- From: <>
- To: \n
- Hi,\n
- The jail has been started successfully.\n
- Regards,\n
- Fail2Ban" |
-
-# Option: actionstop
-# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
-# Values: CMD
-#
-actionstop = printf %%b "Subject: [Fail2Ban] : stopped on
- Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
- From: <>
- To: \n
- Hi,\n
- The jail has been stopped.\n
- Regards,\n
- Fail2Ban" |
-
-# Option: actioncheck
-# Notes.: command executed once before each actionban command
-# Values: CMD
-#
-actioncheck =
-
-# Option: actionban
-# Notes.: command executed when banning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: See jail.conf(5) man page
-# Values: CMD
-#
-actionban =
-
-# Option: actionunban
-# Notes.: command executed when unbanning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: See jail.conf(5) man page
-# Values: CMD
-#
-actionunban =
-
-[Init]
-
-# Your system mail command
-#
-mailcmd = /usr/sbin/sendmail -f "" ""
-
-# Recipient mail address
-#
-dest = root
-
-# Sender mail address
-#
-sender = fail2ban
-
-# Sender display name
-#
-sendername = Fail2Ban
diff --git a/fail2ban/action.d/sendmail-whois.conf.dpkg-dist b/fail2ban/action.d/sendmail-whois.conf.dpkg-dist
deleted file mode 100644
index 9e93cd3..0000000
--- a/fail2ban/action.d/sendmail-whois.conf.dpkg-dist
+++ /dev/null
@@ -1,40 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-#
-#
-
-[INCLUDES]
-
-before = sendmail-common.conf
- mail-whois-common.conf
-
-[Definition]
-
-# bypass ban/unban for restored tickets
-norestored = 1
-
-# Option: actionban
-# Notes.: command executed when banning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: See jail.conf(5) man page
-# Values: CMD
-#
-actionban = printf %%b "Subject: [Fail2Ban] : banned from
- Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
- From: <>
- To: \n
- Hi,\n
- The IP has just been banned by Fail2Ban after
- attempts against .\n\n
- Here is more information about :\n
- `%(_whois_command)s`\n
- Regards,\n
- Fail2Ban" |
-
-[Init]
-
-# Default name of the chain
-#
-name = default
-
diff --git a/fail2ban/action.d/sendmail.conf.dpkg-dist b/fail2ban/action.d/sendmail.conf.dpkg-dist
deleted file mode 100644
index ad9e8d7..0000000
--- a/fail2ban/action.d/sendmail.conf.dpkg-dist
+++ /dev/null
@@ -1,37 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-#
-#
-
-[INCLUDES]
-
-before = sendmail-common.conf
-
-[Definition]
-
-# bypass ban/unban for restored tickets
-norestored = 1
-
-# Option: actionban
-# Notes.: command executed when banning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: See jail.conf(5) man page
-# Values: CMD
-#
-actionban = printf %%b "Subject: [Fail2Ban] : banned from
- Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
- From: <>
- To: \n
- Hi,\n
- The IP has just been banned by Fail2Ban after
- attempts against .\n
- Regards,\n
- Fail2Ban" |
-
-[Init]
-
-# Default name of the chain
-#
-name = default
-
diff --git a/fail2ban/fail2ban.conf.dpkg-dist b/fail2ban/fail2ban.conf.dpkg-dist
deleted file mode 100644
index f386783..0000000
--- a/fail2ban/fail2ban.conf.dpkg-dist
+++ /dev/null
@@ -1,86 +0,0 @@
-# Fail2Ban main configuration file
-#
-# Comments: use '#' for comment lines and ';' (following a space) for inline comments
-#
-# Changes: in most of the cases you should not modify this
-# file, but provide customizations in fail2ban.local file, e.g.:
-#
-# [DEFAULT]
-# loglevel = DEBUG
-#
-
-[DEFAULT]
-
-# Option: loglevel
-# Notes.: Set the log level output.
-# CRITICAL
-# ERROR
-# WARNING
-# NOTICE
-# INFO
-# DEBUG
-# Values: [ LEVEL ] Default: INFO
-#
-loglevel = INFO
-
-# Option: logtarget
-# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
-# Only one log target can be specified.
-# If you change logtarget from the default value and you are
-# using logrotate -- also adjust or disable rotation in the
-# corresponding configuration file
-# (e.g. /etc/logrotate.d/fail2ban on Debian systems)
-# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | FILE ] Default: STDERR
-#
-logtarget = /var/log/fail2ban.log
-
-# Option: syslogsocket
-# Notes: Set the syslog socket file. Only used when logtarget is SYSLOG
-# auto uses platform.system() to determine predefined paths
-# Values: [ auto | FILE ] Default: auto
-syslogsocket = auto
-
-# Option: socket
-# Notes.: Set the socket file. This is used to communicate with the daemon. Do
-# not remove this file when Fail2ban runs. It will not be possible to
-# communicate with the server afterwards.
-# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.sock
-#
-socket = /var/run/fail2ban/fail2ban.sock
-
-# Option: pidfile
-# Notes.: Set the PID file. This is used to store the process ID of the
-# fail2ban server.
-# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid
-#
-pidfile = /var/run/fail2ban/fail2ban.pid
-
-# Options: dbfile
-# Notes.: Set the file for the fail2ban persistent data to be stored.
-# A value of ":memory:" means database is only stored in memory
-# and data is lost when fail2ban is stopped.
-# A value of "None" disables the database.
-# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
-dbfile = /var/lib/fail2ban/fail2ban.sqlite3
-
-# Options: dbpurgeage
-# Notes.: Sets age at which bans should be purged from the database
-# Values: [ SECONDS ] Default: 86400 (24hours)
-dbpurgeage = 1d
-
-# Options: dbmaxmatches
-# Notes.: Number of matches stored in database per ticket (resolvable via
-# tags / in actions)
-# Values: [ INT ] Default: 10
-dbmaxmatches = 10
-
-[Definition]
-
-
-[Thread]
-
-# Options: stacksize
-# Notes.: Specifies the stack size (in KiB) to be used for subsequently created threads,
-# and must be 0 or a positive integer value of at least 32.
-# Values: [ SIZE ] Default: 0 (use platform or configured default)
-#stacksize = 0
diff --git a/fail2ban/jail.conf.dpkg-dist b/fail2ban/jail.conf.dpkg-dist
deleted file mode 100644
index e6961a1..0000000
--- a/fail2ban/jail.conf.dpkg-dist
+++ /dev/null
@@ -1,964 +0,0 @@ -# -# WARNING: heavily refactored in 0.9.0 release. Please review and -# customize settings for your setup. -# -# Changes: in most of the cases you should not modify this -# file, but provide customizations in jail.local file, -# or separate .conf files under jail.d/ directory, e.g.: -# -# HOW TO ACTIVATE JAILS: -# -# YOU SHOULD NOT MODIFY THIS FILE. -# -# It will probably be overwritten or improved in a distribution update. -# -# Provide customizations in a jail.local file or a jail.d/customisation.local. -# For example to change the default bantime for all jails and to enable the -# ssh-iptables jail the following (uncommented) would appear in the .local file. -# See man 5 jail.conf for details. -# -# [DEFAULT] -# bantime = 1h -# -# [sshd] -# enabled = true -# -# See jail.conf(5) man page for more information - - - -# Comments: use '#' for comment lines and ';' (following a space) for inline comments - - -[INCLUDES] - -#before = paths-distro.conf -before = paths-debian.conf - -# The DEFAULT allows a global definition of the options. They can be overridden -# in each jail afterwards. - -[DEFAULT] - -# -# MISCELLANEOUS OPTIONS -# - -# "bantime.increment" allows to use database for searching of previously banned ip's to increase a -# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32... -#bantime.increment = true - -# "bantime.rndtime" is the max number of seconds using for mixing with random time -# to prevent "clever" botnets calculate exact time IP can be unbanned again: -#bantime.rndtime = - -# "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further) -#bantime.maxtime = - -# "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier, -# default value of factor is 1 and with default value of formula, the ban time -# grows by 1, 2, 4, 8, 16 ... 
-#bantime.factor = 1 - -# "bantime.formula" used by default to calculate next value of ban time, default value below, -# the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32... -#bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor -# -# more aggressive example of formula has the same values only for factor "2.0 / 2.885385" : -#bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor) - -# "bantime.multipliers" used to calculate next value of ban time instead of formula, coresponding -# previously ban count and given "bantime.factor" (for multipliers default is 1); -# following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, -# always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours -#bantime.multipliers = 1 2 4 8 16 32 64 -# following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin, -# for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day -#bantime.multipliers = 1 5 30 60 300 720 1440 2880 - -# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed -# cross over all jails, if false (dafault), only current jail of the ban IP will be searched -#bantime.overalljails = false - -# -------------------- - -# "ignoreself" specifies whether the local resp. own IP addresses should be ignored -# (default is true). Fail2ban will not ban a host which matches such addresses. -#ignoreself = true - -# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban -# will not ban a host which matches an address in this list. Several addresses -# can be defined using space (and/or comma) separator. -#ignoreip = 127.0.0.1/8 ::1 - -# External command that will take an tagged arguments to ignore, e.g. , -# and return true if the IP is to be ignored. 
False otherwise. -# -# ignorecommand = /path/to/command -ignorecommand = - -# "bantime" is the number of seconds that a host is banned. -bantime = 10m - -# A host is banned if it has generated "maxretry" during the last "findtime" -# seconds. -findtime = 10m - -# "maxretry" is the number of failures before a host get banned. -maxretry = 5 - -# "maxmatches" is the number of matches stored in ticket (resolvable via tag in actions). -maxmatches = %(maxretry)s - -# "backend" specifies the backend used to get files modification. -# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto". -# This option can be overridden in each jail as well. -# -# pyinotify: requires pyinotify (a file alteration monitor) to be installed. -# If pyinotify is not installed, Fail2ban will use auto. -# gamin: requires Gamin (a file alteration monitor) to be installed. -# If Gamin is not installed, Fail2ban will use auto. -# polling: uses a polling algorithm which does not require external libraries. -# systemd: uses systemd python library to access the systemd journal. -# Specifying "logpath" is not valid for this backend. -# See "journalmatch" in the jails associated filter config -# auto: will try to use the following backends, in order: -# pyinotify, gamin, polling. -# -# Note: if systemd backend is chosen as the default but you enable a jail -# for which logs are present only in its own log files, specify some other -# backend for that jail (e.g. polling) and provide empty value for -# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200 -backend = auto - -# "usedns" specifies if jails should trust hostnames in logs, -# warn when DNS lookups are performed, or ignore all hostnames in logs -# -# yes: if a hostname is encountered, a DNS lookup will be performed. -# warn: if a hostname is encountered, a DNS lookup will be performed, -# but it will be logged as a warning. 
-# no: if a hostname is encountered, will not be used for banning, -# but it will be logged as info. -# raw: use raw value (no hostname), allow use it for no-host filters/actions (example user) -usedns = warn - -# "logencoding" specifies the encoding of the log files handled by the jail -# This is used to decode the lines from the log file. -# Typical examples: "ascii", "utf-8" -# -# auto: will use the system locale setting -logencoding = auto - -# "enabled" enables the jails. -# By default all jails are disabled, and it should stay this way. -# Enable only relevant to your setup jails in your .local or jail.d/*.conf -# -# true: jail will be enabled and log files will get monitored for changes -# false: jail is not enabled -enabled = false - - -# "mode" defines the mode of the filter (see corresponding filter implementation for more info). -mode = normal - -# "filter" defines the filter to use by the jail. -# By default jails have names matching their filter name -# -filter = %(__name__)s[mode=%(mode)s] - - -# -# ACTIONS -# - -# Some options used for actions - -# Destination email address used solely for the interpolations in -# jail.{conf,local,d/*} configuration files. -destemail = root@localhost - -# Sender email address used solely for some actions -sender = root@ - -# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the -# mailing. Change mta configuration parameter to mail if you want to -# revert to conventional 'mail'. -mta = sendmail - -# Default protocol -protocol = tcp - -# Specify chain where jumps would need to be added in ban-actions expecting parameter chain -chain = - -# Ports to be banned -# Usually should be overridden in a particular jail -port = 0:65535 - -# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3 -fail2ban_agent = Fail2Ban/%(fail2ban_version)s - -# -# Action shortcuts. To be used to define action parameter - -# Default banning action (e.g. 
iptables, iptables-new, -# iptables-multiport, shorewall, etc) It is used to define -# action_* variables. Can be overridden globally or per -# section within jail.local file -banaction = iptables-multiport -banaction_allports = iptables-allports - -# The simplest action to take: ban only -action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - -# ban & send an e-mail with whois report to the destemail. -action_mw = %(action_)s - %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] - -# ban & send an e-mail with whois report and relevant log lines -# to the destemail. -action_mwl = %(action_)s - %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"] - -# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action -# -# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines -# to the destemail. -action_xarf = %(action_)s - xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"] - -# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines -# to the destemail. -action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] - %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"] - -# Report block via blocklist.de fail2ban reporting service API -# -# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action. -# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation -# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey` -# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in -# corresponding jail.d/my-jail.local file). 
-# -action_blocklist_de = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"] - -# Report ban via badips.com, and use as blacklist -# -# See BadIPsAction docstring in config/action.d/badips.py for -# documentation for this action. -# -# NOTE: This action relies on banaction being present on start and therefore -# should be last action defined for a jail. -# -action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"] -# -# Report ban via badips.com (uses action.d/badips.conf for reporting only) -# -action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"] - -# Report ban via abuseipdb.com. -# -# See action.d/abuseipdb.conf for usage example and details. -# -action_abuseipdb = abuseipdb - -# Choose default action. To change, just override value of 'action' with the -# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local -# globally (section [DEFAULT]) or per specific section -action = %(action_)s - - -# -# JAILS -# - -# -# SSH servers -# - -[sshd] - -# To use more aggressive sshd modes set filter parameter "mode" in jail.local: -# normal (default), ddos, extra or aggressive (combines all). -# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details. -#mode = normal -port = ssh -logpath = %(sshd_log)s -backend = %(sshd_backend)s - - -[dropbear] - -port = ssh -logpath = %(dropbear_log)s -backend = %(dropbear_backend)s - - -[selinux-ssh] - -port = ssh -logpath = %(auditd_log)s - - -# -# HTTP servers -# - -[apache-auth] - -port = http,https -logpath = %(apache_error_log)s - - -[apache-badbots] -# Ban hosts which agent identifies spammer robots crawling the web -# for email addresses. The mail outputs are buffered. 
-port = http,https -logpath = %(apache_access_log)s -bantime = 48h -maxretry = 1 - - -[apache-noscript] - -port = http,https -logpath = %(apache_error_log)s - - -[apache-overflows] - -port = http,https -logpath = %(apache_error_log)s -maxretry = 2 - - -[apache-nohome] - -port = http,https -logpath = %(apache_error_log)s -maxretry = 2 - - -[apache-botsearch] - -port = http,https -logpath = %(apache_error_log)s -maxretry = 2 - - -[apache-fakegooglebot] - -port = http,https -logpath = %(apache_access_log)s -maxretry = 1 -ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot - - -[apache-modsecurity] - -port = http,https -logpath = %(apache_error_log)s -maxretry = 2 - - -[apache-shellshock] - -port = http,https -logpath = %(apache_error_log)s -maxretry = 1 - - -[openhab-auth] - -filter = openhab -banaction = %(banaction_allports)s -logpath = /opt/openhab/logs/request.log - - -[nginx-http-auth] - -port = http,https -logpath = %(nginx_error_log)s - -# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` -# and define `limit_req` and `limit_req_zone` as described in nginx documentation -# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html -# or for example see in 'config/filter.d/nginx-limit-req.conf' -[nginx-limit-req] -port = http,https -logpath = %(nginx_error_log)s - -[nginx-botsearch] - -port = http,https -logpath = %(nginx_error_log)s -maxretry = 2 - - -# Ban attackers that try to use PHP's URL-fopen() functionality -# through GET/POST variables. - Experimental, with more than a year -# of usage in production environments. 
- -[php-url-fopen] - -port = http,https -logpath = %(nginx_access_log)s - %(apache_access_log)s - - -[suhosin] - -port = http,https -logpath = %(suhosin_log)s - - -[lighttpd-auth] -# Same as above for Apache's mod_auth -# It catches wrong authentifications -port = http,https -logpath = %(lighttpd_error_log)s - - -# -# Webmail and groupware servers -# - -[roundcube-auth] - -port = http,https -logpath = %(roundcube_errors_log)s -# Use following line in your jail.local if roundcube logs to journal. -#backend = %(syslog_backend)s - - -[openwebmail] - -port = http,https -logpath = /var/log/openwebmail.log - - -[horde] - -port = http,https -logpath = /var/log/horde/horde.log - - -[groupoffice] - -port = http,https -logpath = /home/groupoffice/log/info.log - - -[sogo-auth] -# Monitor SOGo groupware server -# without proxy this would be: -# port = 20000 -port = http,https -logpath = /var/log/sogo/sogo.log - - -[tine20] - -logpath = /var/log/tine20/tine20.log -port = http,https - - -# -# Web Applications -# -# - -[drupal-auth] - -port = http,https -logpath = %(syslog_daemon)s -backend = %(syslog_backend)s - -[guacamole] - -port = http,https -logpath = /var/log/tomcat*/catalina.out -#logpath = /var/log/guacamole.log - -[monit] -#Ban clients brute-forcing the monit gui login -port = 2812 -logpath = /var/log/monit - /var/log/monit.log - - -[webmin-auth] - -port = 10000 -logpath = %(syslog_authpriv)s -backend = %(syslog_backend)s - - -[froxlor-auth] - -port = http,https -logpath = %(syslog_authpriv)s -backend = %(syslog_backend)s - - -# -# HTTP Proxy servers -# -# - -[squid] - -port = 80,443,3128,8080 -logpath = /var/log/squid/access.log - - -[3proxy] - -port = 3128 -logpath = /var/log/3proxy.log - - -# -# FTP servers -# - - -[proftpd] - -port = ftp,ftp-data,ftps,ftps-data -logpath = %(proftpd_log)s -backend = %(proftpd_backend)s - - -[pure-ftpd] - -port = ftp,ftp-data,ftps,ftps-data -logpath = %(pureftpd_log)s -backend = %(pureftpd_backend)s - - -[gssftpd] - -port = 
ftp,ftp-data,ftps,ftps-data -logpath = %(syslog_daemon)s -backend = %(syslog_backend)s - - -[wuftpd] - -port = ftp,ftp-data,ftps,ftps-data -logpath = %(wuftpd_log)s -backend = %(wuftpd_backend)s - - -[vsftpd] -# or overwrite it in jails.local to be -# logpath = %(syslog_authpriv)s -# if you want to rely on PAM failed login attempts -# vsftpd's failregex should match both of those formats -port = ftp,ftp-data,ftps,ftps-data -logpath = %(vsftpd_log)s - - -# -# Mail servers -# - -# ASSP SMTP Proxy Jail -[assp] - -port = smtp,465,submission -logpath = /root/path/to/assp/logs/maillog.txt - - -[courier-smtp] - -port = smtp,465,submission -logpath = %(syslog_mail)s -backend = %(syslog_backend)s - - -[postfix] -# To use another modes set filter parameter "mode" in jail.local: -mode = more -port = smtp,465,submission -logpath = %(postfix_log)s -backend = %(postfix_backend)s - - -[postfix-rbl] - -filter = postfix[mode=rbl] -port = smtp,465,submission -logpath = %(postfix_log)s -backend = %(postfix_backend)s -maxretry = 1 - - -[sendmail-auth] - -port = submission,465,smtp -logpath = %(syslog_mail)s -backend = %(syslog_backend)s - - -[sendmail-reject] -# To use more aggressive modes set filter parameter "mode" in jail.local: -# normal (default), extra or aggressive -# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details. -#mode = normal -port = smtp,465,submission -logpath = %(syslog_mail)s -backend = %(syslog_backend)s - - -[qmail-rbl] - -filter = qmail -port = smtp,465,submission -logpath = /service/qmail/log/main/current - - -# dovecot defaults to logging to the mail syslog facility -# but can be set by syslog_facility in the dovecot configuration. 
-[dovecot] - -port = pop3,pop3s,imap,imaps,submission,465,sieve -logpath = %(dovecot_log)s -backend = %(dovecot_backend)s - - -[sieve] - -port = smtp,465,submission -logpath = %(dovecot_log)s -backend = %(dovecot_backend)s - - -[solid-pop3d] - -port = pop3,pop3s -logpath = %(solidpop3d_log)s - - -[exim] -# see filter.d/exim.conf for further modes supported from filter: -#mode = normal -port = smtp,465,submission -logpath = %(exim_main_log)s - - -[exim-spam] - -port = smtp,465,submission -logpath = %(exim_main_log)s - - -[kerio] - -port = imap,smtp,imaps,465 -logpath = /opt/kerio/mailserver/store/logs/security.log - - -# -# Mail servers authenticators: might be used for smtp,ftp,imap servers, so -# all relevant ports get banned -# - -[courier-auth] - -port = smtp,465,submission,imap,imaps,pop3,pop3s -logpath = %(syslog_mail)s -backend = %(syslog_backend)s - - -[postfix-sasl] - -filter = postfix[mode=auth] -port = smtp,465,submission,imap,imaps,pop3,pop3s -# You might consider monitoring /var/log/mail.warn instead if you are -# running postfix since it would provide the same log lines at the -# "warn" level but overall at the smaller filesize. -logpath = %(postfix_log)s -backend = %(postfix_backend)s - - -[perdition] - -port = imap,imaps,pop3,pop3s -logpath = %(syslog_mail)s -backend = %(syslog_backend)s - - -[squirrelmail] - -port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks -logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log - - -[cyrus-imap] - -port = imap,imaps -logpath = %(syslog_mail)s -backend = %(syslog_backend)s - - -[uwimap-auth] - -port = imap,imaps -logpath = %(syslog_mail)s -backend = %(syslog_backend)s - - -# -# -# DNS servers -# - - -# !!! WARNING !!! -# Since UDP is connection-less protocol, spoofing of IP and imitation -# of illegal actions is way too simple. Thus enabling of this filter -# might provide an easy way for implementing a DoS against a chosen -# victim. 
See -# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html -# Please DO NOT USE this jail unless you know what you are doing. -# -# IMPORTANT: see filter.d/named-refused for instructions to enable logging -# This jail blocks UDP traffic for DNS requests. -# [named-refused-udp] -# -# filter = named-refused -# port = domain,953 -# protocol = udp -# logpath = /var/log/named/security.log - -# IMPORTANT: see filter.d/named-refused for instructions to enable logging -# This jail blocks TCP traffic for DNS requests. - -[named-refused] - -port = domain,953 -logpath = /var/log/named/security.log - - -[nsd] - -port = 53 -action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] - %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] -logpath = /var/log/nsd.log - - -# -# Miscellaneous -# - -[asterisk] - -port = 5060,5061 -action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] - %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] -logpath = /var/log/asterisk/messages -maxretry = 10 - - -[freeswitch] - -port = 5060,5061 -action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] - %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] -logpath = /var/log/freeswitch.log -maxretry = 10 - - -# enable adminlog; it will log to a file inside znc's directory by default. 
-[znc-adminlog] - -port = 6667 -logpath = /var/lib/znc/moddata/adminlog/znc.log - - -# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or -# equivalent section: -# log-warnings = 2 -# -# for syslog (daemon facility) -# [mysqld_safe] -# syslog -# -# for own logfile -# [mysqld] -# log-error=/var/log/mysqld.log -[mysqld-auth] - -port = 3306 -logpath = %(mysql_log)s -backend = %(mysql_backend)s - - -# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf') -[mongodb-auth] -# change port when running with "--shardsvr" or "--configsvr" runtime operation -port = 27017 -logpath = /var/log/mongodb/mongodb.log - - -# Jail for more extended banning of persistent abusers -# !!! WARNINGS !!! -# 1. Make sure that your loglevel specified in fail2ban.conf/.local -# is not at DEBUG level -- which might then cause fail2ban to fall into -# an infinite loop constantly feeding itself with non-informative lines -# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days) -# to maintain entries for failed logins for sufficient amount of time -[recidive] - -logpath = /var/log/fail2ban.log -banaction = %(banaction_allports)s -bantime = 1w -findtime = 1d - - -# Generic filter for PAM. 
Has to be used with action which bans all -# ports such as iptables-allports, shorewall - -[pam-generic] -# pam-generic filter can be customized to monitor specific subset of 'tty's -banaction = %(banaction_allports)s -logpath = %(syslog_authpriv)s -backend = %(syslog_backend)s - - -[xinetd-fail] - -banaction = iptables-multiport-log -logpath = %(syslog_daemon)s -backend = %(syslog_backend)s -maxretry = 2 - - -# stunnel - need to set port for this -[stunnel] - -logpath = /var/log/stunnel4/stunnel.log - - -[ejabberd-auth] - -port = 5222 -logpath = /var/log/ejabberd/ejabberd.log - - -[counter-strike] - -logpath = /opt/cstrike/logs/L[0-9]*.log -tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039 -udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015 -action_ = %(default/action_)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp"] - %(default/action_)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp"] - -[softethervpn] -port = 500,4500 -protocol = udp -logpath = /usr/local/vpnserver/security_log/*/sec.log - -[gitlab] -port = http,https -logpath = /var/log/gitlab/gitlab-rails/application.log - -[grafana] -port = http,https -logpath = /var/log/grafana/grafana.log - -[bitwarden] -port = http,https -logpath = /home/*/bwdata/logs/identity/Identity/log.txt - -[centreon] -port = http,https -logpath = /var/log/centreon/login.log - -# consider low maxretry and a long bantime -# nobody except your own Nagios server should ever probe nrpe -[nagios] - -logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility -backend = %(syslog_backend)s -maxretry = 1 - - -[oracleims] -# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above -logpath = /opt/sun/comms/messaging64/log/mail.log_current -banaction = %(banaction_allports)s - -[directadmin] -logpath = /var/log/directadmin/login.log -port = 2222 - -[portsentry] -logpath = 
/var/lib/portsentry/portsentry.history -maxretry = 1 - -[pass2allow-ftp] -# this pass2allow example allows FTP traffic after successful HTTP authentication -port = ftp,ftp-data,ftps,ftps-data -# knocking_url variable must be overridden to some secret value in jail.local -knocking_url = /knocking/ -filter = apache-pass[knocking_url="%(knocking_url)s"] -# access log of the website with HTTP auth -logpath = %(apache_access_log)s -blocktype = RETURN -returntype = DROP -action = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s, - actionstart_on_demand=false, actionrepair_on_unban=true] -bantime = 1h -maxretry = 1 -findtime = 1 - - -[murmur] -# AKA mumble-server -port = 64738 -action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] - %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] -logpath = /var/log/mumble-server/mumble-server.log - - -[screensharingd] -# For Mac OS Screen Sharing Service (VNC) -logpath = /var/log/system.log -logencoding = utf-8 - -[haproxy-http-auth] -# HAProxy by default doesn't log to file you'll need to set it up to forward -# logs to a syslog server which would then write them to disk. -# See "haproxy-http-auth" filter for a brief cautionary note when setting -# maxretry and findtime. -logpath = /var/log/haproxy.log - -[slapd] -port = ldap,ldaps -logpath = /var/log/slapd.log - -[domino-smtp] -port = smtp,ssmtp -logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log - -[phpmyadmin-syslog] -port = http,https -logpath = %(syslog_authpriv)s -backend = %(syslog_backend)s - - -[zoneminder] -# Zoneminder HTTP/HTTPS web interface auth -# Logs auth failures to apache2 error log -port = http,https -logpath = %(apache_error_log)s - -[traefik-auth] -# to use 'traefik-auth' filter you have to configure your Traefik instance, -# see `filter.d/traefik-auth.conf` for details and service example. -port = http,https -logpath = /var/log/traefik/access.log 
diff --git a/rsyslog.conf.dpkg-dist b/rsyslog.conf.dpkg-dist
deleted file mode 100644
index 86d3bed..0000000
--- a/rsyslog.conf.dpkg-dist
+++ /dev/null
@@ -1,92 +0,0 @@
-# /etc/rsyslog.conf configuration file for rsyslog
-#
-# For more information install rsyslog-doc and see
-# /usr/share/doc/rsyslog-doc/html/configuration/index.html
-
-
-#################
-#### MODULES ####
-#################
-
-module(load="imuxsock") # provides support for local system logging
-module(load="imklog") # provides kernel logging support
-#module(load="immark") # provides --MARK-- message capability
-
-# provides UDP syslog reception
-#module(load="imudp")
-#input(type="imudp" port="514")
-
-# provides TCP syslog reception
-#module(load="imtcp")
-#input(type="imtcp" port="514")
-
-
-###########################
-#### GLOBAL DIRECTIVES ####
-###########################
-
-#
-# Use traditional timestamp format.
-# To enable high precision timestamps, comment out the following line.
-#
-$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
-
-#
-# Set the default permissions for all log files.
-#
-$FileOwner root
-$FileGroup adm
-$FileCreateMode 0640
-$DirCreateMode 0755
-$Umask 0022
-
-#
-# Where to place spool and state files
-#
-$WorkDirectory /var/spool/rsyslog
-
-#
-# Include all config files in /etc/rsyslog.d/
-#
-$IncludeConfig /etc/rsyslog.d/*.conf
-
-
-###############
-#### RULES ####
-###############
-
-#
-# First some standard log files. Log by facility.
-#
-auth,authpriv.* /var/log/auth.log
-*.*;auth,authpriv.none -/var/log/syslog
-#cron.* /var/log/cron.log
-daemon.* -/var/log/daemon.log
-kern.* -/var/log/kern.log
-lpr.* -/var/log/lpr.log
-mail.* -/var/log/mail.log
-user.* -/var/log/user.log
-
-#
-# Logging for the mail system. Split it up so that
-# it is easy to write scripts to parse these files.
-#
-mail.info -/var/log/mail.info
-mail.warn -/var/log/mail.warn
-mail.err /var/log/mail.err
-
-#
-# Some "catch-all" log files.
-#
-*.=debug;\
- auth,authpriv.none;\
- mail.none -/var/log/debug
-*.=info;*.=notice;*.=warn;\
- auth,authpriv.none;\
- cron,daemon.none;\
- mail.none -/var/log/messages
-
-#
-# Emergencies are sent to everybody logged in.
-#
-*.emerg :omusrmsg:*
diff --git a/skel/.bashrc.dpkg-dist b/skel/.bashrc.dpkg-dist
deleted file mode 100644
index 9360f69..0000000
--- a/skel/.bashrc.dpkg-dist
+++ /dev/null
@@ -1,113 +0,0 @@
-# ~/.bashrc: executed by bash(1) for non-login shells.
-# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
-# for examples
-
-# If not running interactively, don't do anything
-case $- in
- *i*) ;;
- *) return;;
-esac
-
-# don't put duplicate lines or lines starting with space in the history.
-# See bash(1) for more options
-HISTCONTROL=ignoreboth
-
-# append to the history file, don't overwrite it
-shopt -s histappend
-
-# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
-HISTSIZE=1000
-HISTFILESIZE=2000
-
-# check the window size after each command and, if necessary,
-# update the values of LINES and COLUMNS.
-shopt -s checkwinsize
-
-# If set, the pattern "**" used in a pathname expansion context will
-# match all files and zero or more directories and subdirectories.
-#shopt -s globstar
-
-# make less more friendly for non-text input files, see lesspipe(1)
-#[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
-
-# set variable identifying the chroot you work in (used in the prompt below)
-if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
- debian_chroot=$(cat /etc/debian_chroot)
-fi
-
-# set a fancy prompt (non-color, unless we know we "want" color)
-case "$TERM" in
- xterm-color|*-256color) color_prompt=yes;;
-esac
-
-# uncomment for a colored prompt, if the terminal has the capability; turned
-# off by default to not distract the user: the focus in a terminal window
-# should be on the output of commands, not on the prompt
-#force_color_prompt=yes
-
-if [ -n "$force_color_prompt" ]; then
- if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
- # We have color support; assume it's compliant with Ecma-48
- # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
- # a case would tend to support setf rather than setaf.)
- color_prompt=yes
- else
- color_prompt=
- fi
-fi
-
-if [ "$color_prompt" = yes ]; then
- PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
-else
- PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
-fi
-unset color_prompt force_color_prompt
-
-# If this is an xterm set the title to user@host:dir
-case "$TERM" in
-xterm*|rxvt*)
- PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
- ;;
-*)
- ;;
-esac
-
-# enable color support of ls and also add handy aliases
-if [ -x /usr/bin/dircolors ]; then
- test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
- alias ls='ls --color=auto'
- #alias dir='dir --color=auto'
- #alias vdir='vdir --color=auto'
-
- #alias grep='grep --color=auto'
- #alias fgrep='fgrep --color=auto'
- #alias egrep='egrep --color=auto'
-fi
-
-# colored GCC warnings and errors
-#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
-
-# some more ls aliases
-#alias ll='ls -l'
-#alias la='ls -A'
-#alias l='ls -CF'
-
-# Alias definitions.
-# You may want to put all your additions into a separate file like
-# ~/.bash_aliases, instead of adding them here directly.
-# See /usr/share/doc/bash-doc/examples in the bash-doc package.
-
-if [ -f ~/.bash_aliases ]; then
- . ~/.bash_aliases
-fi
-
-# enable programmable completion features (you don't need to enable
-# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
-# sources /etc/bash.bashrc).
-if ! shopt -oq posix; then
- if [ -f /usr/share/bash-completion/bash_completion ]; then
- . /usr/share/bash-completion/bash_completion
- elif [ -f /etc/bash_completion ]; then
- . /etc/bash_completion
- fi
-fi
--
2.39.5