# Generated by etckeeper. Do not edit.
+mkdir -p './NetworkManager/dispatcher.d'
mkdir -p './X11/xkb'
mkdir -p './apm/event.d'
mkdir -p './apt/auth.conf.d'
+mkdir -p './apt/listchanges.conf.d'
mkdir -p './apt/preferences.d'
mkdir -p './binfmt.d'
mkdir -p './ca-certificates/update.d'
mkdir -p './network/if-pre-up.d'
mkdir -p './network/interfaces.d'
mkdir -p './opt'
-mkdir -p './perl/CPAN'
mkdir -p './postfix/dynamicmaps.cf.d'
mkdir -p './postfix/sasl'
mkdir -p './salt/pki/master/minions_autosign'
maybe chmod 0600 '.gitignore'
maybe chmod 0755 'NetworkManager'
maybe chmod 0755 'NetworkManager/dispatcher.d'
-maybe chmod 0755 'NetworkManager/dispatcher.d/20-chrony'
maybe chmod 0755 'X11'
maybe chmod 0755 'X11/Xsession.d'
maybe chmod 0644 'X11/Xsession.d/90gpg-agent'
maybe chmod 0644 'apache2/mods-available/negotiation.load'
maybe chmod 0644 'apache2/mods-available/php7.3.conf'
maybe chmod 0644 'apache2/mods-available/php7.3.load'
+maybe chmod 0644 'apache2/mods-available/php7.4.conf'
+maybe chmod 0644 'apache2/mods-available/php7.4.load'
maybe chmod 0644 'apache2/mods-available/proxy.conf'
maybe chmod 0644 'apache2/mods-available/proxy.load'
maybe chmod 0644 'apache2/mods-available/proxy_ajp.load'
maybe chmod 0644 'apache2/mods-available/slotmem_shm.load'
maybe chmod 0644 'apache2/mods-available/socache_dbm.load'
maybe chmod 0644 'apache2/mods-available/socache_memcache.load'
+maybe chmod 0644 'apache2/mods-available/socache_redis.load'
maybe chmod 0644 'apache2/mods-available/socache_shmcb.load'
maybe chmod 0644 'apache2/mods-available/speling.load'
maybe chmod 0644 'apache2/mods-available/ssl.conf'
maybe chmod 0755 'apparmor.d/force-complain'
maybe chmod 0755 'apparmor.d/local'
maybe chmod 0644 'apparmor.d/local/usr.bin.man'
+maybe chmod 0644 'apparmor.d/local/usr.bin.tcpdump'
maybe chmod 0644 'apparmor.d/local/usr.sbin.chronyd'
maybe chmod 0644 'apparmor.d/local/usr.sbin.haveged'
maybe chmod 0644 'apparmor.d/local/usr.sbin.named'
maybe chmod 0644 'apparmor.d/local/usr.sbin.tcpdump'
maybe chmod 0644 'apparmor.d/usr.bin.man'
+maybe chmod 0644 'apparmor.d/usr.bin.tcpdump'
maybe chmod 0644 'apparmor.d/usr.sbin.chronyd'
maybe chmod 0644 'apparmor.d/usr.sbin.haveged'
maybe chmod 0644 'apparmor.d/usr.sbin.named'
-maybe chmod 0644 'apparmor.d/usr.sbin.tcpdump'
maybe chmod 0755 'apt'
maybe chmod 0644 'apt/SALTSTACK-GPG-KEY.pub'
maybe chmod 0755 'apt/apt.conf.d'
maybe chmod 0644 'apt/apt.conf.d/99needrestart'
maybe chmod 0755 'apt/auth.conf.d'
maybe chmod 0644 'apt/listchanges.conf'
+maybe chmod 0755 'apt/listchanges.conf.d'
maybe chmod 0755 'apt/preferences.d'
maybe chmod 0644 'apt/repo.uhu-banane.de.gpg-key.pub'
maybe chmod 0644 'apt/repo.uhu-banane.de.gpg-key2.pub'
maybe chmod 0644 'chrony/chrony.conf'
maybe chmod 0644 'chrony/chrony.conf.ucf-dist'
maybe chmod 0640 'chrony/chrony.keys'
+maybe chmod 0755 'chrony/conf.d'
+maybe chmod 0644 'chrony/conf.d/README'
+maybe chmod 0755 'chrony/sources.d'
+maybe chmod 0644 'chrony/sources.d/README'
maybe chmod 0644 'colordiffrc'
maybe chmod 0755 'console-setup'
maybe chmod 0644 'console-setup/cached_Lat15-Fixed16.psf.gz'
maybe chmod 0755 'cron.daily/logrotate'
maybe chmod 0755 'cron.daily/man-db'
maybe chmod 0755 'cron.daily/mlocate'
-maybe chmod 0755 'cron.daily/passwd'
maybe chmod 0755 'cron.hourly'
maybe chmod 0644 'cron.hourly/.placeholder'
maybe chmod 0755 'cron.monthly'
maybe chmod 0644 'default/keyboard'
maybe chmod 0644 'default/locale'
maybe chmod 0644 'default/locale.bak'
+maybe chmod 0644 'default/named'
maybe chmod 0644 'default/netfilter-persistent'
maybe chmod 0644 'default/networking'
maybe chmod 0644 'default/nss'
maybe chmod 0644 'default/rcS'
maybe chmod 0644 'default/rsync'
-maybe chmod 0644 'default/rsyslog'
maybe chmod 0644 'default/salt-master.environment'
maybe chmod 0644 'default/salt-minion.environment'
maybe chmod 0644 'default/slapd'
maybe chmod 0644 'etckeeper/update-ignore.d/README'
maybe chmod 0755 'etckeeper/vcs.d'
maybe chmod 0755 'etckeeper/vcs.d/50vcs-cmd'
+maybe chmod 0644 'ethertypes'
maybe chmod 0755 'fail2ban'
maybe chmod 0755 'fail2ban/action.d'
maybe chmod 0644 'fail2ban/action.d/abuseipdb.conf'
maybe chmod 0644 'fail2ban/action.d/nftables-allports.conf'
maybe chmod 0644 'fail2ban/action.d/nftables-common.conf'
maybe chmod 0644 'fail2ban/action.d/nftables-multiport.conf'
+maybe chmod 0644 'fail2ban/action.d/nftables.conf'
maybe chmod 0644 'fail2ban/action.d/nginx-block-map.conf'
maybe chmod 0644 'fail2ban/action.d/npf.conf'
maybe chmod 0644 'fail2ban/action.d/nsupdate.conf'
maybe chmod 0644 'fail2ban/filter.d/apache-shellshock.conf'
maybe chmod 0644 'fail2ban/filter.d/assp.conf'
maybe chmod 0644 'fail2ban/filter.d/asterisk.conf'
+maybe chmod 0644 'fail2ban/filter.d/bitwarden.conf'
maybe chmod 0644 'fail2ban/filter.d/botsearch-common.conf'
+maybe chmod 0644 'fail2ban/filter.d/centreon.conf'
maybe chmod 0644 'fail2ban/filter.d/common.conf'
maybe chmod 0644 'fail2ban/filter.d/counter-strike.conf'
maybe chmod 0644 'fail2ban/filter.d/courier-auth.conf'
maybe chmod 0644 'fail2ban/filter.d/exim.conf'
maybe chmod 0644 'fail2ban/filter.d/freeswitch.conf'
maybe chmod 0644 'fail2ban/filter.d/froxlor-auth.conf'
+maybe chmod 0644 'fail2ban/filter.d/gitlab.conf'
+maybe chmod 0644 'fail2ban/filter.d/grafana.conf'
maybe chmod 0644 'fail2ban/filter.d/groupoffice.conf'
maybe chmod 0644 'fail2ban/filter.d/gssftpd.conf'
maybe chmod 0644 'fail2ban/filter.d/guacamole.conf'
maybe chmod 0644 'fail2ban/filter.d/sendmail-reject.conf'
maybe chmod 0644 'fail2ban/filter.d/sieve.conf'
maybe chmod 0644 'fail2ban/filter.d/slapd.conf'
+maybe chmod 0644 'fail2ban/filter.d/softethervpn.conf'
maybe chmod 0644 'fail2ban/filter.d/sogo-auth.conf'
maybe chmod 0644 'fail2ban/filter.d/solid-pop3d.conf'
maybe chmod 0644 'fail2ban/filter.d/squid.conf'
maybe chmod 0644 'fail2ban/filter.d/stunnel.conf'
maybe chmod 0644 'fail2ban/filter.d/suhosin.conf'
maybe chmod 0644 'fail2ban/filter.d/tine20.conf'
+maybe chmod 0644 'fail2ban/filter.d/traefik-auth.conf'
maybe chmod 0644 'fail2ban/filter.d/uwimap-auth.conf'
maybe chmod 0644 'fail2ban/filter.d/vsftpd.conf'
maybe chmod 0644 'fail2ban/filter.d/webmin-auth.conf'
maybe chmod 0644 'fail2ban/filter.d/wuftpd.conf'
maybe chmod 0644 'fail2ban/filter.d/xinetd-fail.conf'
+maybe chmod 0644 'fail2ban/filter.d/znc-adminlog.conf'
maybe chmod 0644 'fail2ban/filter.d/zoneminder.conf'
maybe chmod 0644 'fail2ban/jail.conf'
maybe chmod 0644 'fail2ban/jail.conf.bak'
maybe chmod 0644 'groff/mdoc.local'
maybe chmod 0644 'group'
maybe chmod 0644 'group-'
+maybe chmod 0644 'group.org'
maybe chmod 0755 'grub.d'
maybe chmod 0755 'grub.d/00_header'
maybe chmod 0755 'grub.d/05_debian_theme'
maybe chown 'nagios' 'icinga2'
maybe chgrp 'nagios' 'icinga2'
maybe chmod 0750 'icinga2'
-maybe chmod 0755 'icinga2/conf.d'
+maybe chown 'nagios' 'icinga2/conf.d'
+maybe chgrp 'nagios' 'icinga2/conf.d'
+maybe chmod 0750 'icinga2/conf.d'
+maybe chown 'nagios' 'icinga2/conf.d/app.conf'
+maybe chgrp 'nagios' 'icinga2/conf.d/app.conf'
maybe chmod 0644 'icinga2/conf.d/app.conf'
+maybe chown 'nagios' 'icinga2/conf.d/apt.conf'
+maybe chgrp 'nagios' 'icinga2/conf.d/apt.conf'
maybe chmod 0644 'icinga2/conf.d/apt.conf'
+maybe chown 'nagios' 'icinga2/conf.d/commands.conf'
+maybe chgrp 'nagios' 'icinga2/conf.d/commands.conf'
maybe chmod 0644 'icinga2/conf.d/commands.conf'
+maybe chown 'nagios' 'icinga2/conf.d/downtimes.conf'
+maybe chgrp 'nagios' 'icinga2/conf.d/downtimes.conf'
maybe chmod 0644 'icinga2/conf.d/downtimes.conf'
+maybe chown 'nagios' 'icinga2/conf.d/groups.conf'
+maybe chgrp 'nagios' 'icinga2/conf.d/groups.conf'
maybe chmod 0644 'icinga2/conf.d/groups.conf'
+maybe chown 'nagios' 'icinga2/conf.d/hosts.conf'
+maybe chgrp 'nagios' 'icinga2/conf.d/hosts.conf'
maybe chmod 0644 'icinga2/conf.d/hosts.conf'
+maybe chown 'nagios' 'icinga2/conf.d/notifications.conf'
+maybe chgrp 'nagios' 'icinga2/conf.d/notifications.conf'
maybe chmod 0644 'icinga2/conf.d/notifications.conf'
+maybe chown 'nagios' 'icinga2/conf.d/satellite.conf'
+maybe chgrp 'nagios' 'icinga2/conf.d/satellite.conf'
maybe chmod 0644 'icinga2/conf.d/satellite.conf'
+maybe chown 'nagios' 'icinga2/conf.d/services.conf'
+maybe chgrp 'nagios' 'icinga2/conf.d/services.conf'
maybe chmod 0644 'icinga2/conf.d/services.conf'
+maybe chown 'nagios' 'icinga2/conf.d/templates.conf'
+maybe chgrp 'nagios' 'icinga2/conf.d/templates.conf'
maybe chmod 0644 'icinga2/conf.d/templates.conf'
+maybe chown 'nagios' 'icinga2/conf.d/timeperiods.conf'
+maybe chgrp 'nagios' 'icinga2/conf.d/timeperiods.conf'
maybe chmod 0644 'icinga2/conf.d/timeperiods.conf'
+maybe chown 'nagios' 'icinga2/conf.d/users.conf'
+maybe chgrp 'nagios' 'icinga2/conf.d/users.conf'
maybe chmod 0644 'icinga2/conf.d/users.conf'
-maybe chmod 0644 'icinga2/constants.conf'
+maybe chown 'nagios' 'icinga2/constants.conf'
+maybe chgrp 'nagios' 'icinga2/constants.conf'
+maybe chmod 0640 'icinga2/constants.conf'
maybe chmod 0644 'icinga2/constants.conf.orig'
-maybe chmod 0755 'icinga2/features-available'
+maybe chown 'nagios' 'icinga2/features-available'
+maybe chgrp 'nagios' 'icinga2/features-available'
+maybe chmod 0750 'icinga2/features-available'
+maybe chown 'nagios' 'icinga2/features-available/api.conf'
+maybe chgrp 'nagios' 'icinga2/features-available/api.conf'
maybe chmod 0644 'icinga2/features-available/api.conf'
+maybe chown 'nagios' 'icinga2/features-available/api.conf.orig'
+maybe chgrp 'nagios' 'icinga2/features-available/api.conf.orig'
maybe chmod 0644 'icinga2/features-available/api.conf.orig'
+maybe chown 'nagios' 'icinga2/features-available/checker.conf'
+maybe chgrp 'nagios' 'icinga2/features-available/checker.conf'
maybe chmod 0644 'icinga2/features-available/checker.conf'
+maybe chown 'nagios' 'icinga2/features-available/command.conf'
+maybe chgrp 'nagios' 'icinga2/features-available/command.conf'
maybe chmod 0644 'icinga2/features-available/command.conf'
+maybe chown 'nagios' 'icinga2/features-available/compatlog.conf'
+maybe chgrp 'nagios' 'icinga2/features-available/compatlog.conf'
maybe chmod 0644 'icinga2/features-available/compatlog.conf'
+maybe chown 'nagios' 'icinga2/features-available/debuglog.conf'
+maybe chgrp 'nagios' 'icinga2/features-available/debuglog.conf'
maybe chmod 0644 'icinga2/features-available/debuglog.conf'
+maybe chown 'nagios' 'icinga2/features-available/elasticsearch.conf'
+maybe chgrp 'nagios' 'icinga2/features-available/elasticsearch.conf'
maybe chmod 0644 'icinga2/features-available/elasticsearch.conf'
+maybe chown 'nagios' 'icinga2/features-available/gelf.conf'
+maybe chgrp 'nagios' 'icinga2/features-available/gelf.conf'
maybe chmod 0644 'icinga2/features-available/gelf.conf'
+maybe chown 'nagios' 'icinga2/features-available/graphite.conf'
+maybe chgrp 'nagios' 'icinga2/features-available/graphite.conf'
maybe chmod 0644 'icinga2/features-available/graphite.conf'
+maybe chown 'nagios' 'icinga2/features-available/icingadb.conf'
+maybe chgrp 'nagios' 'icinga2/features-available/icingadb.conf'
+maybe chmod 0644 'icinga2/features-available/icingadb.conf'
+maybe chown 'nagios' 'icinga2/features-available/influxdb.conf'
+maybe chgrp 'nagios' 'icinga2/features-available/influxdb.conf'
maybe chmod 0644 'icinga2/features-available/influxdb.conf'
+maybe chown 'nagios' 'icinga2/features-available/livestatus.conf'
+maybe chgrp 'nagios' 'icinga2/features-available/livestatus.conf'
maybe chmod 0644 'icinga2/features-available/livestatus.conf'
+maybe chown 'nagios' 'icinga2/features-available/mainlog.conf'
+maybe chgrp 'nagios' 'icinga2/features-available/mainlog.conf'
maybe chmod 0644 'icinga2/features-available/mainlog.conf'
+maybe chown 'nagios' 'icinga2/features-available/notification.conf'
+maybe chgrp 'nagios' 'icinga2/features-available/notification.conf'
maybe chmod 0644 'icinga2/features-available/notification.conf'
+maybe chown 'nagios' 'icinga2/features-available/opentsdb.conf'
+maybe chgrp 'nagios' 'icinga2/features-available/opentsdb.conf'
maybe chmod 0644 'icinga2/features-available/opentsdb.conf'
+maybe chown 'nagios' 'icinga2/features-available/perfdata.conf'
+maybe chgrp 'nagios' 'icinga2/features-available/perfdata.conf'
maybe chmod 0644 'icinga2/features-available/perfdata.conf'
+maybe chown 'nagios' 'icinga2/features-available/statusdata.conf'
+maybe chgrp 'nagios' 'icinga2/features-available/statusdata.conf'
maybe chmod 0644 'icinga2/features-available/statusdata.conf'
+maybe chown 'nagios' 'icinga2/features-available/syslog.conf'
+maybe chgrp 'nagios' 'icinga2/features-available/syslog.conf'
maybe chmod 0644 'icinga2/features-available/syslog.conf'
-maybe chmod 0755 'icinga2/features-enabled'
-maybe chmod 0644 'icinga2/icinga2.conf'
+maybe chown 'nagios' 'icinga2/features-enabled'
+maybe chgrp 'nagios' 'icinga2/features-enabled'
+maybe chmod 0750 'icinga2/features-enabled'
+maybe chown 'nagios' 'icinga2/icinga2.conf'
+maybe chgrp 'nagios' 'icinga2/icinga2.conf'
+maybe chmod 0640 'icinga2/icinga2.conf'
maybe chmod 0644 'icinga2/init.conf'
maybe chown 'nagios' 'icinga2/pki'
maybe chgrp 'nagios' 'icinga2/pki'
maybe chmod 0700 'icinga2/pki'
+maybe chown 'nagios' 'icinga2/pki/ca.crt'
+maybe chgrp 'nagios' 'icinga2/pki/ca.crt'
maybe chmod 0644 'icinga2/pki/ca.crt'
maybe chown 'nagios' 'icinga2/pki/ns3.uhu-banane.de.crt'
maybe chgrp 'nagios' 'icinga2/pki/ns3.uhu-banane.de.crt'
maybe chmod 0644 'icinga2/pki/ns3.uhu-banane.de.crt'
+maybe chown 'nagios' 'icinga2/pki/ns3.uhu-banane.de.crt.orig'
+maybe chgrp 'nagios' 'icinga2/pki/ns3.uhu-banane.de.crt.orig'
maybe chmod 0644 'icinga2/pki/ns3.uhu-banane.de.crt.orig'
maybe chown 'nagios' 'icinga2/pki/ns3.uhu-banane.de.key'
maybe chgrp 'nagios' 'icinga2/pki/ns3.uhu-banane.de.key'
maybe chmod 0600 'icinga2/pki/ns3.uhu-banane.de.key'
+maybe chown 'nagios' 'icinga2/pki/ns3.uhu-banane.de.key.orig'
+maybe chgrp 'nagios' 'icinga2/pki/ns3.uhu-banane.de.key.orig'
maybe chmod 0600 'icinga2/pki/ns3.uhu-banane.de.key.orig'
maybe chmod 0755 'icinga2/repository.d'
maybe chmod 0644 'icinga2/repository.d/README'
maybe chmod 0755 'icinga2/scripts'
maybe chmod 0755 'icinga2/scripts/mail-host-notification.sh'
maybe chmod 0755 'icinga2/scripts/mail-service-notification.sh'
-maybe chmod 0644 'icinga2/zones.conf'
+maybe chown 'nagios' 'icinga2/zones.conf'
+maybe chgrp 'nagios' 'icinga2/zones.conf'
+maybe chmod 0640 'icinga2/zones.conf'
maybe chmod 0644 'icinga2/zones.conf.orig'
-maybe chmod 0755 'icinga2/zones.d'
+maybe chown 'nagios' 'icinga2/zones.d'
+maybe chgrp 'nagios' 'icinga2/zones.d'
+maybe chmod 0750 'icinga2/zones.d'
maybe chmod 0644 'icinga2/zones.d/README'
maybe chmod 0755 'init'
maybe chmod 0755 'init.d'
maybe chmod 0755 'init.d/apache-htcacheclean'
maybe chmod 0755 'init.d/apache2'
maybe chmod 0755 'init.d/atd'
-maybe chmod 0755 'init.d/bind9'
maybe chmod 0755 'init.d/bootlogs'
maybe chmod 0755 'init.d/bootmisc.sh'
maybe chmod 0755 'init.d/brightness'
maybe chmod 0755 'init.d/mountkernfs.sh'
maybe chmod 0755 'init.d/mountnfs-bootclean.sh'
maybe chmod 0755 'init.d/mountnfs.sh'
+maybe chmod 0755 'init.d/named'
maybe chmod 0755 'init.d/netfilter-persistent'
maybe chmod 0755 'init.d/networking'
maybe chmod 0755 'init.d/postfix'
maybe chmod 0644 'letsencrypt/renewal/git.uhu-banane.net.conf'
maybe chmod 0644 'lftp.conf'
maybe chmod 0644 'libaudit.conf'
+maybe chmod 0755 'libnl-3'
+maybe chmod 0644 'libnl-3/classid'
+maybe chmod 0644 'libnl-3/pktloc'
maybe chmod 0755 'lighttpd'
maybe chmod 0755 'lighttpd/conf-available'
maybe chmod 0644 'lighttpd/conf-available/90-javascript-alias.conf'
maybe chmod 0755 'logcheck/ignore.d.server'
maybe chmod 0644 'logcheck/ignore.d.server/gpg-agent'
maybe chmod 0644 'logcheck/ignore.d.server/libsasl2-modules'
+maybe chmod 0755 'logcheck/ignore.d.server/netfilter-persistent'
+maybe chmod 0644 'logcheck/ignore.d.server/netfilter-persistent/netfilter-persistent'
maybe chmod 0644 'logcheck/ignore.d.server/rsyslog'
maybe chmod 0644 'login.defs'
maybe chmod 0644 'logrotate.conf'
maybe chmod 0755 'nagios-plugins/config'
maybe chmod 0644 'nagios-plugins/config/apt.cfg'
maybe chmod 0644 'nagios-plugins/config/breeze.cfg'
+maybe chmod 0644 'nagios-plugins/config/curl-http.cfg'
maybe chmod 0644 'nagios-plugins/config/dhcp.cfg'
maybe chmod 0644 'nagios-plugins/config/disk-smb.cfg'
maybe chmod 0644 'nagios-plugins/config/disk.cfg'
maybe chmod 0755 'needrestart/hook.d'
maybe chmod 0755 'needrestart/hook.d/10-dpkg'
maybe chmod 0755 'needrestart/hook.d/20-rpm'
+maybe chmod 0755 'needrestart/hook.d/30-pacman'
maybe chmod 0755 'needrestart/hook.d/90-none'
+maybe chmod 0644 'needrestart/iucode.sh'
maybe chmod 0644 'needrestart/needrestart.conf'
maybe chmod 0644 'needrestart/notify.conf'
maybe chmod 0755 'needrestart/notify.d'
maybe chmod 0644 'pam.d/sudo'
maybe chmod 0644 'passwd'
maybe chmod 0644 'passwd-'
+maybe chmod 0644 'passwd.org'
maybe chmod 0755 'perl'
-maybe chmod 0755 'perl/CPAN'
maybe chmod 0755 'perl/Net'
maybe chmod 0644 'perl/Net/libnet.cfg'
maybe chmod 0755 'php'
maybe chmod 0644 'php/7.0/mods-available/tokenizer.ini'
maybe chmod 0755 'php/7.3'
maybe chmod 0755 'php/7.3/apache2'
-maybe chmod 0755 'php/7.3/apache2/conf.d'
maybe chmod 0644 'php/7.3/apache2/php.ini'
maybe chmod 0755 'php/7.3/cli'
-maybe chmod 0755 'php/7.3/cli/conf.d'
maybe chmod 0644 'php/7.3/cli/php.ini'
maybe chmod 0755 'php/7.3/mods-available'
maybe chmod 0644 'php/7.3/mods-available/calendar.ini'
maybe chmod 0644 'php/7.3/mods-available/sysvsem.ini'
maybe chmod 0644 'php/7.3/mods-available/sysvshm.ini'
maybe chmod 0644 'php/7.3/mods-available/tokenizer.ini'
+maybe chmod 0755 'php/7.4'
+maybe chmod 0755 'php/7.4/apache2'
+maybe chmod 0755 'php/7.4/apache2/conf.d'
+maybe chmod 0644 'php/7.4/apache2/php.ini'
+maybe chmod 0755 'php/7.4/cli'
+maybe chmod 0755 'php/7.4/cli/conf.d'
+maybe chmod 0644 'php/7.4/cli/php.ini'
+maybe chmod 0755 'php/7.4/mods-available'
+maybe chmod 0644 'php/7.4/mods-available/calendar.ini'
+maybe chmod 0644 'php/7.4/mods-available/ctype.ini'
+maybe chmod 0644 'php/7.4/mods-available/exif.ini'
+maybe chmod 0644 'php/7.4/mods-available/ffi.ini'
+maybe chmod 0644 'php/7.4/mods-available/fileinfo.ini'
+maybe chmod 0644 'php/7.4/mods-available/ftp.ini'
+maybe chmod 0644 'php/7.4/mods-available/gd.ini'
+maybe chmod 0644 'php/7.4/mods-available/gettext.ini'
+maybe chmod 0644 'php/7.4/mods-available/iconv.ini'
+maybe chmod 0644 'php/7.4/mods-available/json.ini'
+maybe chmod 0644 'php/7.4/mods-available/ldap.ini'
+maybe chmod 0644 'php/7.4/mods-available/opcache.ini'
+maybe chmod 0644 'php/7.4/mods-available/pdo.ini'
+maybe chmod 0644 'php/7.4/mods-available/phar.ini'
+maybe chmod 0644 'php/7.4/mods-available/posix.ini'
+maybe chmod 0644 'php/7.4/mods-available/readline.ini'
+maybe chmod 0644 'php/7.4/mods-available/shmop.ini'
+maybe chmod 0644 'php/7.4/mods-available/sockets.ini'
+maybe chmod 0644 'php/7.4/mods-available/sysvmsg.ini'
+maybe chmod 0644 'php/7.4/mods-available/sysvsem.ini'
+maybe chmod 0644 'php/7.4/mods-available/sysvshm.ini'
+maybe chmod 0644 'php/7.4/mods-available/tokenizer.ini'
maybe chmod 0755 'postfix'
maybe chmod 0644 'postfix/dynamicmaps.cf'
maybe chmod 0755 'postfix/dynamicmaps.cf.d'
maybe chmod 0644 'salt/roster'
maybe chmod 0755 'security'
maybe chmod 0644 'security/access.conf'
+maybe chmod 0644 'security/faillock.conf'
maybe chmod 0644 'security/group.conf'
maybe chmod 0644 'security/limits.conf'
maybe chmod 0755 'security/limits.d'
maybe chmod 0644 'services'
maybe chmod 0640 'shadow'
maybe chmod 0640 'shadow-'
+maybe chmod 0640 'shadow.org'
maybe chmod 0644 'shells'
maybe chmod 0755 'skel'
maybe chmod 0644 'skel/.bash_logout'
maybe chmod 0755 'subversion'
maybe chmod 0644 'subversion/config'
maybe chmod 0644 'subversion/servers'
+maybe chmod 0644 'sudo.conf'
+maybe chmod 0644 'sudo_logsrvd.conf'
maybe chmod 0440 'sudoers'
maybe chmod 0755 'sudoers.d'
maybe chmod 0440 'sudoers.d/README'
maybe chmod 0755 'sv'
+maybe chmod 0755 'sv/acpid'
+maybe chmod 0755 'sv/acpid/.meta'
+maybe chmod 0644 'sv/acpid/.meta/installed'
+maybe chmod 0755 'sv/acpid/log'
+maybe chmod 0755 'sv/acpid/log/run'
+maybe chmod 0755 'sv/acpid/run'
maybe chmod 0755 'sv/ssh'
maybe chmod 0755 'sv/ssh/.meta'
maybe chmod 0644 'sv/ssh/.meta/installed'
maybe chmod 0644 'sysctl.conf'
maybe chmod 0755 'sysctl.d'
maybe chmod 0644 'sysctl.d/README.sysctl'
-maybe chmod 0644 'sysctl.d/protect-links.conf'
maybe chmod 0755 'systemd'
maybe chmod 0644 'systemd/journald.conf'
maybe chmod 0644 'systemd/logind.conf'
maybe chmod 0644 'systemd/system/getty@.service.d/noclear.conf'
maybe chmod 0644 'systemd/system/local.service'
maybe chmod 0755 'systemd/system/multi-user.target.wants'
+maybe chmod 0755 'systemd/system/netfilter-persistent.service.d'
+maybe chmod 0644 'systemd/system/netfilter-persistent.service.d/iptables.conf'
maybe chmod 0755 'systemd/system/network-online.target.wants'
maybe chmod 0755 'systemd/system/paths.target.wants'
maybe chmod 0755 'systemd/system/sockets.target.wants'
+++ /dev/null
-#!/bin/sh
-# This is a NetworkManager dispatcher / networkd-dispatcher script for
-# chronyd to set its NTP sources online or offline when a network interface
-# is configured or removed
-
-export LC_ALL=C
-
-# For NetworkManager consider only up/down events
-[ $# -ge 2 ] && [ "$2" != "up" ] && [ "$2" != "down" ] && exit 0
-
-# Note: for networkd-dispatcher routable.d ~= on and off.d ~= off
-
-chronyc onoffline > /dev/null 2>&1
-
-exit 0
. /usr/share/acpi-support/policy-funcs
-if { CheckPolicy || HasLogindAndSystemd1Manager; }; then
+if { CheckPolicy || HasDBusLogin1; }; then
exit 0
fi
--- /dev/null
+/lib/systemd/system/netfilter-persistent.service
\ No newline at end of file
--- /dev/null
+/lib/systemd/system/netfilter-persistent.service
\ No newline at end of file
-/bin/less
\ No newline at end of file
+/usr/bin/less
\ No newline at end of file
-/usr/bin/phar7.3
\ No newline at end of file
+/usr/bin/phar7.4
\ No newline at end of file
-/usr/share/man/man1/phar7.3.1.gz
\ No newline at end of file
+/usr/share/man/man1/phar7.4.1.gz
\ No newline at end of file
-/usr/bin/phar.phar7.3
\ No newline at end of file
+/usr/bin/phar.phar7.4
\ No newline at end of file
-/usr/share/man/man1/phar.phar7.3.1.gz
\ No newline at end of file
+/usr/share/man/man1/phar.phar7.4.1.gz
\ No newline at end of file
-/usr/bin/php7.3
\ No newline at end of file
+/usr/bin/php7.4
\ No newline at end of file
-/usr/share/man/man1/php7.3.1.gz
\ No newline at end of file
+/usr/share/man/man1/php7.4.1.gz
\ No newline at end of file
+++ /dev/null
-/usr/bin/w.procps
\ No newline at end of file
+++ /dev/null
-/usr/share/man/man1/w.procps.1.gz
\ No newline at end of file
--- /dev/null
+../conf-available/javascript-common.conf
\ No newline at end of file
-LoadModule dav_module /usr/lib/apache2/modules/mod_dav.so
+<IfModule !mod_dav.c>
+ LoadModule dav_module /usr/lib/apache2/modules/mod_dav.so
+</IfModule>
<IfModule mod_deflate.c>
<IfModule mod_filter.c>
- AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
+ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript
AddOutputFilterByType DEFLATE application/x-javascript application/javascript application/ecmascript
AddOutputFilterByType DEFLATE application/rss+xml
+ AddOutputFilterByType DEFLATE application/wasm
AddOutputFilterByType DEFLATE application/xml
</IfModule>
</IfModule>
AddLanguage ca .ca
AddLanguage cs .cz .cs
AddLanguage cy .cy
+ AddLanguage da .da
AddLanguage da .dk
AddLanguage de .de
AddLanguage dz .dz
--- /dev/null
+<FilesMatch ".+\.ph(ar|p|tml)$">
+ SetHandler application/x-httpd-php
+</FilesMatch>
+<FilesMatch ".+\.phps$">
+ SetHandler application/x-httpd-php-source
+ # Deny access to raw php sources by default
+ # To re-enable it's recommended to enable access to the files
+ # only in specific virtual host or directory
+ Require all denied
+</FilesMatch>
+# Deny access to files without filename (e.g. '.php')
+<FilesMatch "^\.ph(ar|p|ps|tml)$">
+ Require all denied
+</FilesMatch>
+
+# Running PHP scripts in user directories is disabled by default
+#
+# To re-enable PHP in user directories comment the following lines
+# (from <IfModule ...> to </IfModule>.) Do NOT set it to On as it
+# prevents .htaccess files from disabling it.
+<IfModule mod_userdir.c>
+ <Directory /home/*/public_html>
+ php_admin_flag engine Off
+ </Directory>
+</IfModule>
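Review bot: The first block, `<FilesMatch ".+\.ph(ar|p|tml)$">`, hands `.phar` and `.phtml` files to the PHP handler as well as `.php`, so any upload filter or vhost rule on this host that only blocks `.php` no longer covers every extension that executes. Nothing in this file scopes the handler to a directory, so it presumably applies server-wide once the `mods-enabled` symlink added elsewhere in this commit is in place. For upload or cache directories served from this machine, a per-directory `php_admin_flag engine Off` would close that off; it is the same directive this file already uses for `/home/*/public_html`. A comment above the first block, such as `# .php, .phar and .phtml are all executed by PHP`, would make the scope obvious to whoever maintains the vhost rules.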
--- /dev/null
+# Conflicts: php5
+# Depends: mpm_prefork
+LoadModule php7_module /usr/lib/apache2/modules/libphp7.4.so
--- /dev/null
+LoadModule socache_redis_module /usr/lib/apache2/modules/mod_socache_redis.so
+++ /dev/null
-../mods-available/php7.3.conf
\ No newline at end of file
+++ /dev/null
-../mods-available/php7.3.load
\ No newline at end of file
--- /dev/null
+../mods-available/php7.4.conf
\ No newline at end of file
--- /dev/null
+../mods-available/php7.4.load
\ No newline at end of file
capability setuid,
capability setgid,
+ # Ordinary permission checks sometimes involve checking whether the
+ # process has this capability, which can produce audit log messages.
+ # Silence them.
+ deny capability dac_override,
+ deny capability dac_read_search,
+
signal peer=@{profile_name},
signal peer=/usr/bin/man//&man_groff,
signal peer=/usr/bin/man//&man_filter,
/usr/bin/vgrind rm,
/etc/groff/** r,
+ /etc/papersize r,
/usr/lib/groff/site-tmac/** r,
/usr/share/groff/** r,
+ /tmp/groff* rw,
+
signal peer=/usr/bin/man,
# @{profile_name} doesn't seem to work here.
signal peer=/usr/bin/man//&man_groff,
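Review bot: The added `/tmp/groff* rw,` matches every path in `/tmp` whose name begins with `groff`, regardless of who owns it. Neither this rule nor `/etc/papersize r,` carries a comment, unlike the rules added in the neighbouring hunks. If a local change to the packaged profile is acceptable, `owner /tmp/groff* rw,` would limit the access to files the confined process owns; this should be tested against man's privilege dropping before it is relied on. The rule is presumably for groff's temporary files, and a one-line comment saying so would help. The enclosing sub-profile starts and ends outside this hunk.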
# do is feed data to the invoking man process.
/** r,
+ # Allow writing cat pages.
+ /var/cache/man/** w,
+
signal peer=/usr/bin/man,
# @{profile_name} doesn't seem to work here.
signal peer=/usr/bin/man//&man_filter,
--- /dev/null
+# vim:syntax=apparmor
+#include <tunables/global>
+
+profile tcpdump /usr/bin/tcpdump {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+
+ capability net_raw,
+ capability setuid,
+ capability setgid,
+ capability dac_override,
+ capability chown,
+ network raw,
+ network packet,
+
+ # for -D
+ @{PROC}/bus/usb/ r,
+ @{PROC}/bus/usb/** r,
+
+ # for finding an interface
+ /dev/ r,
+ @{PROC}/[0-9]*/net/dev r,
+ /sys/bus/usb/devices/ r,
+ /sys/class/net/ r,
+ /sys/devices/**/net/** r,
+
+ # for -j
+ capability net_admin,
+
+ # for tracing USB bus, which libpcap supports
+ /dev/usbmon* r,
+ /dev/bus/usb/ r,
+ /dev/bus/usb/** r,
+
+ # for init_etherarray(), with -e
+ /etc/ethers r,
+
+ # for USB probing (see libpcap-1.1.x/pcap-usb-linux.c:probe_devices())
+ /dev/bus/usb/**/[0-9]* w,
+
+ # for -z
+ /{usr/,}bin/gzip ixr,
+ /{usr/,}bin/bzip2 ixr,
+
+ # for -F and -w
+ audit deny @{HOME}/.* mrwkl,
+ audit deny @{HOME}/.*/ rw,
+ audit deny @{HOME}/.*/** mrwkl,
+ audit deny @{HOME}/bin/ rw,
+ audit deny @{HOME}/bin/** mrwkl,
+ owner @{HOME}/ r,
+ owner @{HOME}/** rw,
+
+ # for -r, -F and -w
+ /**.[pP][cC][aA][pP] rw,
+
+ # for convenience with -r (ie, read pcap files from other sources)
+ /var/log/snort/*log* r,
+
+ /usr/bin/tcpdump mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.bin.tcpdump>
+}
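Review bot: The new profile ends with `#include <local/usr.bin.tcpdump>`, but the `.etckeeper` list in this commit still carries `apparmor.d/local/usr.sbin.tcpdump` as an unchanged entry, so site-specific rules kept in the old local file are no longer pulled into any profile. If that file holds overrides, they need to move to `local/usr.bin.tcpdump`, and the old file should be removed so it does not look active. Separately, `capability chown,` is new compared with the removed `usr.sbin.tcpdump` profile and has no comment saying which tcpdump option needs it; a short `# for ...` comment in the style of the others would document the grant.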
# Last Modified: Sat Jan 20 10:45:05 2018
#include <tunables/global>
-/usr/sbin/chronyd (attach_disconnected) {
+/usr/sbin/chronyd flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/nameservice>
- capability sys_time,
+ # For /run/chrony to be created
+ capability chown,
+
+ # Give “root” the ability to read and write the PID file
+ capability dac_override,
+ capability dac_read_search,
+
+ # Needed to support HW timestamping
+ capability net_admin,
+
+ # Needed to allow NTP server sockets to be bound to a privileged port
capability net_bind_service,
- capability setuid,
+
+ # Needed to allow an NTP socket to be bound to a device using the
+ # SO_BINDTODEVICE socket option on kernels before 5.7
+ capability net_raw,
+
+ # Needed to drop privileges
capability setgid,
+ capability setuid,
+
+ # Needed to set the SCHED_FIFO real-time scheduler at the specified priority
+ # using the '-P' option
capability sys_nice,
+
+ # Needed to lock chronyd into RAM
capability sys_resource,
- # for /run/chrony to be created
- capability chown,
- # Needed to support HW timestamping
- capability net_admin,
+
+ # Needed to set the system/real-time clock
+ capability sys_time,
/usr/sbin/chronyd mr,
/etc/chrony/{,**} r,
- /{,var/}run/chronyd.pid w,
- /{,var/}run/chrony/{,*} rw,
- /var/lib/chrony/{,*} r,
- /var/lib/chrony/* w,
- /var/log/chrony/{,*} r,
- /var/log/chrony/* w,
+ /var/lib/chrony/{,*} rw,
+ /var/log/chrony/{,*} rw,
+ @{run}/chrony/{,*} rw,
+ @{run}/chrony-dhcp/{,*} r,
# Using the “tempcomp” directive gives chronyd the ability to improve
# the stability and accuracy of the clock by compensating the temperature
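Review bot: The rewritten capability block grants `dac_override`, `dac_read_search` and `net_raw`, none of which the previous profile allowed. The comment on `net_raw` says it is only needed for `SO_BINDTODEVICE` on kernels before 5.7. If this host now runs a newer kernel (the page does not show the running version), `deny capability net_raw,` in `local/usr.sbin.chronyd` would withdraw it without editing the packaged file. The two DAC capabilities are justified only by the PID file, yet they let the daemon bypass permission bits on every path the profile allows, including `/etc/chrony/{,**} r`, where `chrony.keys` is kept at 0640. Adding `audit deny capability dac_override,` to the local include on a test host would show whether chronyd needs it in this configuration. The profile body continues past this hunk.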
# are common use cases; others should be set as local include (see below).
# Configs using a 'chrony.' prefix like the tempcomp config file example
/etc/chrony.* r,
- # Example gpsd socket is outside /{,var/}run/chrony/
- /{,var/}run/chrony.tty{,*}.sock rw,
+ # Example gpsd socket is outside @{run}/chrony/
+ @{run}/chrony.tty{,*}.sock rw,
# To sign replies to MS-SNTP clients by the smbd daemon
- /var/lib/samba/ntp_signd r,
- /var/lib/samba/ntp_signd/{,*} rw,
+ /var/lib/samba/ntp_signd/socket rw,
# rtc
/etc/adjtime r,
/usr/sbin/haveged {
#include <abstractions/base>
+ #include <abstractions/consoles>
# Required for ioctl RNDADDENTROPY
capability sys_admin,
/sys/devices/system/cpu/cpu*/cache/index*/{type,size,level} r,
/usr/sbin/haveged mr,
+ /run/haveged.pid w,
+
#include <local/usr.sbin.haveged>
}
# Last Modified: Fri Jun 1 16:43:22 2007
#include <tunables/global>
-/usr/sbin/named flags=(attach_disconnected) {
+profile named /usr/sbin/named flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/nameservice>
+++ /dev/null
-# vim:syntax=apparmor
-#include <tunables/global>
-
-/usr/sbin/tcpdump {
- #include <abstractions/base>
- #include <abstractions/nameservice>
- #include <abstractions/user-tmp>
-
- capability net_raw,
- capability setuid,
- capability setgid,
- capability dac_override,
- network raw,
- network packet,
-
- # for -D
- @{PROC}/bus/usb/ r,
- @{PROC}/bus/usb/** r,
-
- # for finding an interface
- @{PROC}/[0-9]*/net/dev r,
- /sys/bus/usb/devices/ r,
- /sys/class/net/ r,
- /sys/devices/**/net/* r,
-
- # for -j
- capability net_admin,
-
- # for tracing USB bus, which libpcap supports
- /dev/usbmon* r,
- /dev/bus/usb/ r,
- /dev/bus/usb/** r,
-
- # for init_etherarray(), with -e
- /etc/ethers r,
-
- # for USB probing (see libpcap-1.1.x/pcap-usb-linux.c:probe_devices())
- /dev/bus/usb/**/[0-9]* w,
-
- # for -z
- /{usr/,}bin/gzip ixr,
- /{usr/,}bin/bzip2 ixr,
-
- # for -F and -w
- audit deny @{HOME}/.* mrwkl,
- audit deny @{HOME}/.*/ rw,
- audit deny @{HOME}/.*/** mrwkl,
- audit deny @{HOME}/bin/ rw,
- audit deny @{HOME}/bin/** mrwkl,
- owner @{HOME}/ r,
- owner @{HOME}/** rw,
-
- # for -r, -F and -w
- /**.[pP][cC][aA][pP] rw,
-
- # for convenience with -r (ie, read pcap files from other sources)
- /var/log/snort/*log* r,
-
- /usr/sbin/tcpdump mr,
-
- # Site-specific additions and overrides. See local/README for details.
- #include <local/usr.sbin.tcpdump>
-}
VersionedKernelPackages
{
- # linux kernels
- "linux-image";
- "linux-headers";
- "linux-image-extra";
- "linux-modules";
- "linux-modules-extra";
- "linux-signed-image";
- "linux-image-unsigned";
- # kfreebsd kernels
- "kfreebsd-image";
- "kfreebsd-headers";
- # hurd kernels
- "gnumach-image";
+ # kernels
+ "linux-.*";
+ "kfreebsd-.*";
+ "gnumach-.*";
# (out-of-tree) modules
".*-modules";
".*-kernel";
- "linux-backports-modules-.*";
- "linux-modules-.*";
- # tools
- "linux-tools";
- "linux-cloud-tools";
- # build info
- "linux-buildinfo";
- # source code
- "linux-source";
};
Never-MarkAuto-Sections
// DO NOT EDIT! File autogenerated by /etc/kernel/postinst.d/apt-auto-removal
-APT::NeverAutoRemove
-{
- "^linux-image-4\.19\.0-16-amd64$";
- "^linux-image-4\.19\.0-17-amd64$";
- "^linux-headers-4\.19\.0-16-amd64$";
- "^linux-headers-4\.19\.0-17-amd64$";
- "^linux-image-extra-4\.19\.0-16-amd64$";
- "^linux-image-extra-4\.19\.0-17-amd64$";
- "^linux-modules-4\.19\.0-16-amd64$";
- "^linux-modules-4\.19\.0-17-amd64$";
- "^linux-modules-extra-4\.19\.0-16-amd64$";
- "^linux-modules-extra-4\.19\.0-17-amd64$";
- "^linux-signed-image-4\.19\.0-16-amd64$";
- "^linux-signed-image-4\.19\.0-17-amd64$";
- "^linux-image-unsigned-4\.19\.0-16-amd64$";
- "^linux-image-unsigned-4\.19\.0-17-amd64$";
- "^kfreebsd-image-4\.19\.0-16-amd64$";
- "^kfreebsd-image-4\.19\.0-17-amd64$";
- "^kfreebsd-headers-4\.19\.0-16-amd64$";
- "^kfreebsd-headers-4\.19\.0-17-amd64$";
- "^gnumach-image-4\.19\.0-16-amd64$";
- "^gnumach-image-4\.19\.0-17-amd64$";
- "^.*-modules-4\.19\.0-16-amd64$";
- "^.*-modules-4\.19\.0-17-amd64$";
- "^.*-kernel-4\.19\.0-16-amd64$";
- "^.*-kernel-4\.19\.0-17-amd64$";
- "^linux-backports-modules-.*-4\.19\.0-16-amd64$";
- "^linux-backports-modules-.*-4\.19\.0-17-amd64$";
- "^linux-modules-.*-4\.19\.0-16-amd64$";
- "^linux-modules-.*-4\.19\.0-17-amd64$";
- "^linux-tools-4\.19\.0-16-amd64$";
- "^linux-tools-4\.19\.0-17-amd64$";
- "^linux-cloud-tools-4\.19\.0-16-amd64$";
- "^linux-cloud-tools-4\.19\.0-17-amd64$";
- "^linux-buildinfo-4\.19\.0-16-amd64$";
- "^linux-buildinfo-4\.19\.0-17-amd64$";
- "^linux-source-4\.19\.0-16-amd64$";
- "^linux-source-4\.19\.0-17-amd64$";
-};
-/* Debug information:
-# dpkg list:
-ii linux-image-4.19.0-16-amd64 4.19.181-1 amd64 Linux 4.19 for 64-bit PCs (signed)
-iF linux-image-4.19.0-17-amd64 4.19.194-3 amd64 Linux 4.19 for 64-bit PCs (signed)
-ii linux-image-amd64 4.19+105+deb10u12 amd64 Linux for 64-bit PCs (meta-package)
-# list of installed kernel packages:
-4.19.0-16-amd64 4.19.181-1
-4.19.0-17-amd64 4.19.194-3
-# list of different kernel versions:
-4.19.194-3
-4.19.181-1
-# Installing kernel: 4.19.194-3 (4.19.0-17-amd64)
-# Running kernel: 4.19.194-3 (4.19.0-17-amd64)
-# Last kernel: 4.19.194-3
-# Previous kernel: 4.19.181-1
-# Kernel versions list to keep:
-4.19.181-1
-4.19.194-3
-# Kernel packages (version part) to protect:
-4\.19\.0-16-amd64
-4\.19\.0-17-amd64
-*/
+APT::LastInstalledKernel "5.10.0-8-amd64";
DPkg::Pre-Install-Pkgs { "/usr/bin/apt-listchanges --apt || test $? -lt 10"; };
DPkg::Tools::Options::/usr/bin/apt-listchanges::Version "2";
DPkg::Tools::Options::/usr/bin/apt-listchanges::InfoFD "20";
+Dir::Etc::apt-listchanges-main "listchanges.conf";
+Dir::Etc::apt-listchanges-parts "listchanges.conf.d";
# be configured elsewhere; if they are configured here, they will not be
# recognized or used by named.
#
-# The built-in trust anchors are provided for convenience of configuration.
-# They are not activated within named.conf unless specifically switched on.
-# To use the built-in key, use "dnssec-validation auto;" in the
-# named.conf options. Without this option being set, the keys in this
-# file are ignored.
+# To use the built-in root key, set "dnssec-validation auto;" in the
+# named.conf options, or else leave "dnssec-validation" unset. If
+# "dnssec-validation" is set to "yes", then the keys in this file are
+# ignored; keys will need to be explicitly configured in named.conf for
+# validation to work. "auto" is the default setting, unless named is
+# built with "configure --disable-auto-validation", in which case the
+# default is "yes".
#
# This file is NOT expected to be user-configured.
#
-# These keys are current as of October 2017. If any key fails to
-# initialize correctly, it may have expired. In that event you should
-# replace this file with a current version. The latest version of
-# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
+# Servers being set up for the first time can use the contents of this file
+# as initializing keys; thereafter, the keys in the managed key database
+# will be trusted and maintained automatically.
#
-# See https://data.iana.org/root-anchors/root-anchors.xml
-# for current trust anchor information for the root zone.
-
-managed-keys {
- # This key (19036) is to be phased out starting in 2017. It will
- # remain in the root zone for some time after its successor key
- # has been added. It will remain this file until it is removed from
- # the root zone.
- . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
- FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
- bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
- X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
- W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
- Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
- QxA+Uk1ihz0=";
+# These keys are current as of Mar 2019. If any key fails to initialize
+# correctly, it may have expired. In that event you should replace this
+# file with a current version. The latest version of bind.keys can always
+# be obtained from ISC at https://www.isc.org/bind-keys.
+#
+# See https://data.iana.org/root-anchors/root-anchors.xml for current trust
+# anchor information for the root zone.
+trust-anchors {
# This key (20326) was published in the root zone in 2017.
- # Servers which were already using the old key (19036) should
- # roll seamlessly to this new one via RFC 5011 rollover. Servers
- # being set up for the first time can use the contents of this
- # file as initializing keys; thereafter, the keys in the
- # managed key database will be trusted and maintained
- # automatically.
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
#----------------------------------------
acl local-host-ips {
- 127.0.0.1/8;
+ 127.0.0.0/8;
::1/128;
};
//========================================================================
//dnssec-enable yes;
dnssec-validation auto;
- dnssec-lookaside auto;
+ # dnssec-lookaside auto;
/*
* As of bind 9.8.0:
mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt
!mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
mozilla/EC-ACC.crt
-mozilla/EE_Certification_Centre_Root_CA.crt
+!mozilla/EE_Certification_Centre_Root_CA.crt
!mozilla/E-Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.crt
mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt
mozilla/Entrust_Root_Certification_Authority.crt
!mozilla/GeoTrust_Primary_Certification_Authority.crt
!mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt
!mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt
-mozilla/GeoTrust_Universal_CA_2.crt
+!mozilla/GeoTrust_Universal_CA_2.crt
!mozilla/GeoTrust_Universal_CA.crt
mozilla/Global_Chambersign_Root_-_2008.crt
mozilla/GlobalSign_Root_CA.crt
!mozilla/NetLock_Notary_=Class_A=_Root.crt
!mozilla/NetLock_Qualified_=Class_QA=_Root.crt
mozilla/Network_Solutions_Certificate_Authority.crt
-mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt
+!mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt
!mozilla/PSCProcert.crt
mozilla/QuoVadis_Root_CA_1_G3.crt
mozilla/QuoVadis_Root_CA_2.crt
!mozilla/Sonera_Class_1_Root_CA.crt
mozilla/Sonera_Class_2_Root_CA.crt
!mozilla/Staat_der_Nederlanden_Root_CA.crt
-mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt
+!mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt
mozilla/Starfield_Class_2_CA.crt
mozilla/Starfield_Root_Certificate_Authority_-_G2.crt
mozilla/Starfield_Services_Root_Certificate_Authority_-_G2.crt
mozilla/SwissSign_Gold_CA_-_G2.crt
!mozilla/SwissSign_Platinum_CA_-_G2.crt
mozilla/SwissSign_Silver_CA_-_G2.crt
-mozilla/Taiwan_GRCA.crt
+!mozilla/Taiwan_GRCA.crt
!mozilla/TC_TrustCenter_Class_2_CA_II.crt
!mozilla/TC_TrustCenter_Class_3_CA_II.crt
!mozilla/TC_TrustCenter_Universal_CA_I.crt
!mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_2.crt
!mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt
!mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt
-mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
+!mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
!mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt
!mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
!mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.crt
mozilla/Amazon_Root_CA_4.crt
!mozilla/D-TRUST_Root_CA_3_2013.crt
mozilla/GDCA_TrustAUTH_R5_ROOT.crt
-mozilla/LuxTrust_Global_Root_2.crt
+!mozilla/LuxTrust_Global_Root_2.crt
mozilla/SSL.com_EV_Root_Certification_Authority_ECC.crt
mozilla/SSL.com_EV_Root_Certification_Authority_RSA_R2.crt
mozilla/SSL.com_Root_Certification_Authority_ECC.crt
mozilla/Hongkong_Post_Root_CA_3.crt
mozilla/UCA_Extended_Validation_Root.crt
mozilla/UCA_Global_G2_Root.crt
+mozilla/certSIGN_Root_CA_G2.crt
+mozilla/e-Szigno_Root_CA_2017.crt
+mozilla/Microsoft_ECC_Root_Certificate_Authority_2017.crt
+mozilla/Microsoft_RSA_Root_Certificate_Authority_2017.crt
+mozilla/NAVER_Global_Root_Certification_Authority.crt
+mozilla/Trustwave_Global_Certification_Authority.crt
+mozilla/Trustwave_Global_ECC_P256_Certification_Authority.crt
+mozilla/Trustwave_Global_ECC_P384_Certification_Authority.crt
!mozilla/ACEDICOM_Root.crt
!mozilla/AC_Raíz_Certicámara_S.A..crt
mozilla/Actalis_Authentication_Root_CA.crt
-mozilla/AddTrust_External_Root.crt
+!mozilla/AddTrust_External_Root.crt
!mozilla/AddTrust_Low-Value_Services_Root.crt
!mozilla/AddTrust_Public_Services_Root.crt
!mozilla/AddTrust_Qualified_Certificates_Root.crt
!mozilla/Camerfirma_Global_Chambersign_Root.crt
mozilla/Certigna.crt
!mozilla/Certinomis_-_Autorité_Racine.crt
-mozilla/Certplus_Class_2_Primary_CA.crt
+!mozilla/Certplus_Class_2_Primary_CA.crt
mozilla/certSIGN_ROOT_CA.crt
!mozilla/Certum_Root_CA.crt
mozilla/Certum_Trusted_Network_CA.crt
!mozilla/ComSign_CA.crt
!mozilla/ComSign_Secured_CA.crt
mozilla/Cybertrust_Global_Root.crt
-mozilla/Deutsche_Telekom_Root_CA_2.crt
+!mozilla/Deutsche_Telekom_Root_CA_2.crt
mozilla/DigiCert_Assured_ID_Root_CA.crt
mozilla/DigiCert_Assured_ID_Root_G2.crt
mozilla/DigiCert_Assured_ID_Root_G3.crt
!mozilla/Equifax_Secure_Global_eBusiness_CA.crt
mozilla/E-Tugra_Certification_Authority.crt
!mozilla/GeoTrust_Global_CA_2.crt
-mozilla/GeoTrust_Global_CA.crt
-mozilla/GeoTrust_Primary_Certification_Authority.crt
-mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt
-mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt
+!mozilla/GeoTrust_Global_CA.crt
+!mozilla/GeoTrust_Primary_Certification_Authority.crt
+!mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt
+!mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt
mozilla/GeoTrust_Universal_CA_2.crt
-mozilla/GeoTrust_Universal_CA.crt
+!mozilla/GeoTrust_Universal_CA.crt
mozilla/Global_Chambersign_Root_-_2008.crt
mozilla/GlobalSign_Root_CA.crt
mozilla/GlobalSign_Root_CA_-_R2.crt
!mozilla/TC_TrustCenter_Universal_CA_I.crt
mozilla/TeliaSonera_Root_CA_v1.crt
!mozilla/Thawte_Premium_Server_CA.crt
-mozilla/thawte_Primary_Root_CA.crt
-mozilla/thawte_Primary_Root_CA_-_G2.crt
-mozilla/thawte_Primary_Root_CA_-_G3.crt
+!mozilla/thawte_Primary_Root_CA.crt
+!mozilla/thawte_Primary_Root_CA_-_G2.crt
+!mozilla/thawte_Primary_Root_CA_-_G3.crt
!mozilla/Thawte_Server_CA.crt
mozilla/Trustis_FPS_Root_CA.crt
mozilla/T-TeleSec_GlobalRoot_Class_2.crt
!mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt
!mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt
mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
-mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt
-mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
+!mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt
+!mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
!mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.crt
-mozilla/VeriSign_Universal_Root_Certification_Authority.crt
+!mozilla/VeriSign_Universal_Root_Certification_Authority.crt
!mozilla/Visa_eCommerce_Root.crt
!mozilla/WellsSecure_Public_Root_Certificate_Authority.crt
!mozilla/WoSign_China.crt
!spi-inc.org/spi-cacert-2008.crt
!mozilla/CA_WoSign_ECC_Root.crt
!mozilla/Certification_Authority_of_WoSign_G2.crt
-mozilla/Certinomis_-_Root_CA.crt
+!mozilla/Certinomis_-_Root_CA.crt
mozilla/CFCA_EV_ROOT.crt
mozilla/COMODO_RSA_Certification_Authority.crt
mozilla/Entrust_Root_Certification_Authority_-_EC1.crt
mozilla/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt
mozilla/GlobalSign_Root_CA_-_R6.crt
mozilla/OISTE_WISeKey_Global_Root_GC_CA.crt
+mozilla/Certigna_Root_CA.crt
+mozilla/emSign_ECC_Root_CA_-_C3.crt
+mozilla/emSign_ECC_Root_CA_-_G3.crt
+mozilla/emSign_Root_CA_-_C1.crt
+mozilla/emSign_Root_CA_-_G1.crt
+mozilla/Entrust_Root_Certification_Authority_-_G4.crt
+mozilla/GTS_Root_R1.crt
+mozilla/GTS_Root_R2.crt
+mozilla/GTS_Root_R3.crt
+mozilla/GTS_Root_R4.crt
+mozilla/Hongkong_Post_Root_CA_3.crt
+mozilla/UCA_Extended_Validation_Root.crt
+mozilla/UCA_Global_G2_Root.crt
# Welcome to the chrony configuration file. See chrony.conf(5) for more
-# information about usuable directives.
+# information about usable directives.
+
+# Include configuration files found in /etc/chrony/conf.d.
+confdir /etc/chrony/conf.d
+
+# Use Debian vendor zone.
pool 2.debian.pool.ntp.org iburst
+# Use time sources from DHCP.
+sourcedir /run/chrony-dhcp
+
+# Use NTP sources found in /etc/chrony/sources.d.
+sourcedir /etc/chrony/sources.d
+
# This directive specify the location of the file containing ID/key pairs for
# NTP authentication.
keyfile /etc/chrony/chrony.keys
# information.
driftfile /var/lib/chrony/chrony.drift
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+
# Uncomment the following line to turn logging on.
#log tracking measurements statistics
# Step the system clock instead of slewing it if the adjustment is larger than
# one second, but only in the first three clock updates.
makestep 1 3
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+# This directive must be commented out when using time sources serving
+# leap-smeared time.
+leapsectz right/UTC
# chronyc keygen 1 SHA256 256 >> /etc/chrony/chrony.keys
# would generate a 256-bit SHA-256 key using ID 1.
#
-# A list of supported hash functions and output encoding can be found in
-# the "keyfile" section from the "/usr/share/doc/chrony/chrony.txt.gz" file.
+# A list of supported hash functions and output encoding is available by
+# consulting the "keyfile" directive in the chrony.conf(5) man page.
--- /dev/null
+Files found under the /etc/chrony/conf.d directory with the .conf suffix are
+parsed in the lexicographical order of the file names when chronyd starts up.
+This enables a fragmented configuration of chronyd.
+
+Although those files can contain any directives listed in chrony.conf(5),
+it would be wiser to add NTP sources in the /etc/chrony/sources.d
+directory. Please read /etc/chrony/sources.d/README for more information.
--- /dev/null
+Only NTP sources can be specified in the /etc/chrony/sources.d directory.
+Files in this directory must end with the ".sources" suffix, and can only
+contain the "peer", "pool" and "server" directives.
+
+There is no need to restart chronyd for these time sources to be usable,
+running 'chronyc reload sources' is sufficient.
+
+Example:
+
+# echo 'server 192.0.2.1 iburst' > /etc/chrony/sources.d/local-ntp-server.sources
+# chronyc reload sources
set -e
+# skip in favour of systemd timer
+if [ -d /run/systemd/system ]; then
+ exit 0
+fi
+
[ -x /usr/bin/updatedb.mlocate ] || exit 0
if which on_ac_power >/dev/null 2>&1; then
+++ /dev/null
-#!/bin/sh
-
-cd /var/backups || exit 0
-
-for FILE in passwd group shadow gshadow; do
- test -f /etc/$FILE || continue
- cmp -s $FILE.bak /etc/$FILE && continue
- cp -p /etc/$FILE $FILE.bak && chmod 600 $FILE.bak
-done
# the chrony daemon without editing the init script or service file.
# Options to pass to chrony.
-DAEMON_OPTS="-F -1"
+DAEMON_OPTS="-F 1"
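Review bot: The new `DAEMON_OPTS="-F 1"` line has no comment, so the change of chronyd's seccomp filter level from `-1` to `1` is easy to miss when reading this file. Per chronyd(8), level 1 kills the process on a forbidden system call, while level -1 raises a signal instead, so this moves the filter from a debugging setting to enforcement. I would add a line such as `# -F 1: seccomp filter on; chronyd is killed if it makes a blocked system call` above the assignment.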
# Configuration file for haveged
# Options to pass to haveged:
-# -w sets low entropy watermark (in bits)
-DAEMON_ARGS="-w 1024"
+#DAEMON_ARGS=""
--- /dev/null
+#
+# run resolvconf?
+RESOLVCONF=no
+
+# startup options for the server
+OPTIONS="-u bind"
# Plugins may extend this file or have their own
FLUSH_ON_STOP=0
+
+# Set to yes to skip saving rules/sets when netfilter-persistent is called with
+# the save parameter
+# IPTABLES_SKIP_SAVE=yes
+# IP6TABLES_SKIP_SAVE=yes
+# IPSET_SKIP_SAVE=yes
+++ /dev/null
-# Options for rsyslogd
-# -x disables DNS lookups for remote messages
-# See rsyslogd(8) for more details
-RSYSLOGD_OPTIONS=""
#
# The SHELL variable specifies the default login shell on your
# system.
-# Similar to DHSELL in adduser. However, we use "sh" here because
+# Similar to DSHELL in adduser. However, we use "sh" here because
# useradd is a low level utility and should be as general
# as possible
SHELL=/bin/sh
-SERVERFILE=/var/lib/dhcp/chrony.servers.$interface
+CHRONY_SOURCEDIR=/run/chrony-dhcp
+SERVERFILE=$CHRONY_SOURCEDIR/$interface.sources
chrony_config() {
- rm -f $SERVERFILE
+ rm -f "$SERVERFILE"
+ mkdir -p "$CHRONY_SOURCEDIR"
for server in $new_ntp_servers; do
- echo "$server iburst" >> $SERVERFILE
+ echo "server $server iburst" >> "$SERVERFILE"
done
- /usr/lib/chrony/chrony-helper update-daemon || :
+ /usr/bin/chronyc reload sources > /dev/null 2>&1 || :
}
chrony_restore() {
- if [ -f $SERVERFILE ]; then
- rm -f $SERVERFILE
- /usr/lib/chrony/chrony-helper update-daemon || :
+ if [ -f "$SERVERFILE" ]; then
+ rm -f "$SERVERFILE"
+ /usr/bin/chronyc reload sources > /dev/null 2>&1 || :
fi
}
;; File: startup.el.in
;; Description: Emacsen startup for dictionaries-common in Debian
-;; Authors: Rafael Laboissière <rafael@debian.org>
+;; Authors: Rafael Laboissière <rafael@debian.org>
;; Agustin Martin <agmartin@debian.org>
;; Created on: Fri Oct 22 09:48:21 CEST 1999
--- /dev/null
+# Ethernet frame types
+#
+# The EtherType is a two-octet field of Ethernet frames used to indicate
+# which protocol is contained in their payload.
+#
+# More entries, mostly historical, can be found on:
+# https://www.iana.org/assignments/ieee-802-numbers/
+# http://standards-oui.ieee.org/ethertype/eth.txt
+#
+# <name> <hexnumber> <alias1>...<alias35> # Comment
+#
+IPv4 0800 ip ip4 # IP (IPv4)
+X25 0805
+ARP 0806 ether-arp # Address Resolution Protocol
+FR_ARP 0808 # Frame Relay ARP [RFC1701]
+BPQ 08FF # G8BPQ AX.25 over Ethernet
+TRILL 22F3 # TRILL [RFC6325]
+L2-IS-IS 22F4 # TRILL IS-IS [RFC6325]
+TEB 6558 # Transparent Ethernet Bridging [RFC1701]
+RAW_FR 6559 # Raw Frame Relay [RFC1701]
+RARP 8035 # Reverse ARP [RFC903]
+ATALK 809B # Appletalk
+AARP 80F3 # Appletalk Address Resolution Protocol
+802_1Q 8100 8021q 1q 802.1q dot1q # VLAN tagged frame [802.1q]
+IPX 8137 # Novell IPX
+NetBEUI 8191 # NetBEUI
+IPv6 86DD ip6 # IP version 6
+PPP 880B # Point-to-Point Protocol
+MPLS 8847 # MPLS [RFC5332]
+MPLS_MULTI 8848 # MPLS with upstream-assigned label [RFC5332]
+ATMMPOA 884C # MultiProtocol over ATM
+PPP_DISC 8863 # PPP over Ethernet discovery stage
+PPP_SES 8864 # PPP over Ethernet session stage
+ATMFATE 8884 # Frame-based ATM Transport over Ethernet
+EAPOL 888E # EAP over LAN [802.1x]
+S-TAG 88A8 # QinQ Service VLAN tag identifier [802.1q]
+EAP_PREAUTH 88C7 # EAPOL Pre-Authentication [802.11i]
+LLDP 88CC # Link Layer Discovery Protocol [802.1ab]
+MACSEC 88E5 # Media Access Control Security [802.1ae]
+PBB 88E7 macinmac # Provider Backbone Bridging [802.1ah]
+MVRP 88F5 # Multiple VLAN Registration Protocol [802.1q]
+PTP 88F7 # Precision Time Protocol
+FCOE 8906 # Fibre Channel over Ethernet
+FIP 8914 # FCoE Initialization Protocol
+ROCE 8915 # RDMA over Converged Ethernet
#
# Example, for ssh bruteforce (in section [sshd] of `jail.local`):
# action = %(known/action)s
-# %(action_abuseipdb)s[abuseipdb_apikey="my-api-key", abuseipdb_category="18,22"]
+# abuseipdb[abuseipdb_apikey="my-api-key", abuseipdb_category="18,22"]
#
-# See below for catagories.
+# See below for categories.
#
-# Original Ref: https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban
# Added to fail2ban by Andrew James Collett (ajcollett)
-## abuseIPDB Catagories, `the abuseipdb_category` MUST be set in the jail.conf action call.
+## abuseIPDB Categories, `the abuseipdb_category` MUST be set in the jail.conf action call.
# Example, for ssh bruteforce: action = %(action_abuseipdb)s[abuseipdb_category="18,22"]
# ID Title Description
# 3 Fraud Orders
[Definition]
+# bypass action for restored tickets
+norestored = 1
+
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =
# wherever you install the helper script. For the PHP helper script, see
# <https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban>
#
-# --ciphers ecdhe_ecdsa_aes_256_sha is used to workaround a
-# "NSS error -12286" from curl as it attempts to connect using
-# SSLv3. See https://www.centos.org/forums/viewtopic.php?t=52732
# Tags: See jail.conf(5) man page
# Values: CMD
#
-actionban = curl --fail --ciphers ecdhe_ecdsa_aes_256_sha --data 'key=<abuseipdb_apikey>' --data-urlencode 'comment=<matches>' --data 'ip=<ip>' --data 'category=<abuseipdb_category>' "https://www.abuseipdb.com/report/json"
+actionban = lgm=$(printf '%%.1000s\n...' "<matches>"); curl -sSf "https://api.abuseipdb.com/api/v2/report" -H "Accept: application/json" -H "Key: <abuseipdb_apikey>" --data-urlencode "comment=$lgm" --data-urlencode "ip=<ip>" --data "categories=<abuseipdb_category>"
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
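Review bot: The rewritten `actionban` still puts the API key on curl's command line (`-H "Key: <abuseipdb_apikey>"`), where other local users can read it from the process list while the report is being sent. curl can take a header from a file, so `-H @/path/to/abuseipdb-key-header` (placeholder path, file readable by root only) would keep the key out of argv. The blocklist.de `actionban` further down has the same exposure with `--data "apikey=<apikey>"`. Separately, the `printf '%%.1000s\n...'` format appends `...` even when `<matches>` is shorter than 1000 characters.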
# Notes Your API key from abuseipdb.com
# Values: STRING Default: None
# Register for abuseipdb [https://www.abuseipdb.com], get api key and set below.
-# You will need to set the catagory in the action call.
+# You will need to set the category in the action call.
abuseipdb_apikey =
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
import sys
-if sys.version_info < (2, 7):
+if sys.version_info < (2, 7): # pragma: no cover
raise ImportError("badips.py action requires Python >= 2.7")
import json
import threading
import logging
-if sys.version_info >= (3, ):
+if sys.version_info >= (3, ): # pragma: 2.x no cover
from urllib.request import Request, urlopen
from urllib.parse import urlencode
from urllib.error import HTTPError
-else:
+else: # pragma: 3.x no cover
from urllib2 import Request, urlopen, HTTPError
from urllib import urlencode
-from fail2ban.server.actions import ActionBase
+from fail2ban.server.actions import Actions, ActionBase, BanTicket
+from fail2ban.helpers import splitwords, str2LogLevel
+
class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable
age : str, optional
Age of last report for bad IPs, per badips.com syntax.
Default "24h" (24 hours)
- key : str, optional
- Key issued by badips.com to report bans, for later retrieval
- of personalised content.
banaction : str, optional
Name of banaction to use for blacklisting bad IPs. If `None`,
no blacklist of IPs will take place.
"postfix", but want to use whole "mail" category for blacklist.
Default `category`.
bankey : str, optional
- Key issued by badips.com to blacklist IPs reported with the
- associated key.
+ Key issued by badips.com to retrieve personal list
+ of blacklist IPs.
updateperiod : int, optional
Time in seconds between updating bad IPs blacklist.
Default 900 (15 minutes)
+ loglevel : int/str, optional
+ Log level of the message when an IP is (un)banned.
+ Default `DEBUG`.
+ Can be also supplied as two-value list (comma- or space separated) to
+ provide level of the summary message when a group of IPs is (un)banned.
+ Example `DEBUG,INFO`.
agent : str, optional
User agent transmitted to server.
Default `Fail2Ban/ver.`
"""
TIMEOUT = 10
- _badips = "http://www.badips.com"
+ _badips = "https://www.badips.com"
def _Request(self, url, **argv):
return Request(url, headers={'User-Agent': self.agent}, **argv)
- def __init__(self, jail, name, category, score=3, age="24h", key=None,
- banaction=None, bancategory=None, bankey=None, updateperiod=900, agent="Fail2Ban",
- timeout=TIMEOUT):
+ def __init__(self, jail, name, category, score=3, age="24h",
+ banaction=None, bancategory=None, bankey=None, updateperiod=900,
+ loglevel='DEBUG', agent="Fail2Ban", timeout=TIMEOUT):
super(BadIPsAction, self).__init__(jail, name)
self.timeout = timeout
self.category = category
self.score = score
self.age = age
- self.key = key
self.banaction = banaction
self.bancategory = bancategory or category
self.bankey = bankey
+ loglevel = splitwords(loglevel)
+ self.sumloglevel = str2LogLevel(loglevel[-1])
+ self.loglevel = str2LogLevel(loglevel[0])
self.updateperiod = updateperiod
self._bannedips = set()
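Review bot: Dropping `key` from `__init__` with no fallback means any caller that still passes `key=...` now gets a `TypeError` at construction. If action options are forwarded from the jail configuration as keyword arguments (not visible here), an existing configuration would stop loading after the upgrade. `loglevel` is also inserted ahead of `agent` and `timeout`, which shifts those two for positional callers. In addition, `loglevel[-1]` and `loglevel[0]` would raise `IndexError` if `splitwords` returns an empty list for an empty option, which a guard such as `loglevel = splitwords(loglevel) or ['DEBUG']` avoids.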
except Exception as e: # pragma: no cover
return False, e
+ def logError(self, response, what=''): # pragma: no cover - sporadical (502: Bad Gateway, etc)
+ messages = {}
+ try:
+ messages = json.loads(response.read().decode('utf-8'))
+ except:
+ pass
+ self._logSys.error(
+ "%s. badips.com response: '%s'", what,
+ messages.get('err', 'Unknown'))
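Review bot: The bare `except:` in `logError` also catches `KeyboardInterrupt` and `SystemExit`, and the code after it assumes the decoded body is a dict. A response whose JSON is a list or a string passes `json.loads` and then fails on `messages.get`, so the callers' `raise` is never reached and an `AttributeError` replaces the original `HTTPError`. I would narrow the handler to `except Exception:` and guard the lookup, for example `err = messages.get('err', 'Unknown') if isinstance(messages, dict) else 'Unknown'`.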
def getCategories(self, incParents=False):
"""Get badips.com categories.
try:
response = urlopen(
self._Request("/".join([self._badips, "get", "categories"])), timeout=self.timeout)
- except HTTPError as response:
- messages = json.loads(response.read().decode('utf-8'))
- self._logSys.error(
- "Failed to fetch categories. badips.com response: '%s'",
- messages['err'])
+ except HTTPError as response: # pragma: no cover
+ self.logError(response, "Failed to fetch categories")
raise
else:
response_json = json.loads(response.read().decode('utf-8'))
urlencode({'age': age})])
if key:
url = "&".join([url, urlencode({'key': key})])
+ self._logSys.debug('badips.com: get list, url: %r', url)
response = urlopen(self._Request(url), timeout=self.timeout)
- except HTTPError as response:
- messages = json.loads(response.read().decode('utf-8'))
- self._logSys.error(
- "Failed to fetch bad IP list. badips.com response: '%s'",
- messages['err'])
+ except HTTPError as response: # pragma: no cover
+ self.logError(response, "Failed to fetch bad IP list")
raise
else:
return set(response.read().decode('utf-8').split())
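Review bot: The added debug line logs the full request URL, which at that point already contains the `key=` query parameter whenever `key` is set, so the badips.com key is written to the fail2ban log at debug level. Moving `self._logSys.debug('badips.com: get list, url: %r', url)` above the `if key:` line keeps the useful part of the URL in the log without the credential. The start of this method is outside the hunk.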
@bancategory.setter
def bancategory(self, bancategory):
- if bancategory not in self.getCategories(incParents=True):
+ if bancategory != "any" and bancategory not in self.getCategories(incParents=True):
self._logSys.error("Category name '%s' not valid. "
"see badips.com for list of valid categories",
bancategory)
def _banIPs(self, ips):
for ip in ips:
try:
- self._jail.actions[self.banaction].ban({
- 'ip': ip,
- 'failures': 0,
- 'matches': "",
- 'ipmatches': "",
- 'ipjailmatches': "",
- })
+ ai = Actions.ActionInfo(BanTicket(ip), self._jail)
+ self._jail.actions[self.banaction].ban(ai)
except Exception as e:
self._logSys.error(
"Error banning IP %s for jail '%s' with action '%s': %s",
exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG)
else:
self._bannedips.add(ip)
- self._logSys.info(
+ self._logSys.log(self.loglevel,
"Banned IP %s for jail '%s' with action '%s'",
ip, self._jail.name, self.banaction)
def _unbanIPs(self, ips):
for ip in ips:
try:
- self._jail.actions[self.banaction].unban({
- 'ip': ip,
- 'failures': 0,
- 'matches': "",
- 'ipmatches': "",
- 'ipjailmatches': "",
- })
+ ai = Actions.ActionInfo(BanTicket(ip), self._jail)
+ self._jail.actions[self.banaction].unban(ai)
except Exception as e:
- self._logSys.info(
+ self._logSys.error(
"Error unbanning IP %s for jail '%s' with action '%s': %s",
ip, self._jail.name, self.banaction, e,
exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG)
else:
- self._logSys.info(
+ self._logSys.log(self.loglevel,
"Unbanned IP %s for jail '%s' with action '%s'",
ip, self._jail.name, self.banaction)
finally:
ips = self.getList(
self.bancategory, self.score, self.age, self.bankey)
# Remove old IPs no longer listed
- self._unbanIPs(self._bannedips - ips)
+ s = self._bannedips - ips
+ m = len(s)
+ self._unbanIPs(s)
# Add new IPs which are now listed
- self._banIPs(ips - self._bannedips)
-
- self._logSys.info(
- "Updated IPs for jail '%s'. Update again in %i seconds",
+ s = ips - self._bannedips
+ p = len(s)
+ self._banIPs(s)
+ if m != 0 or p != 0:
+ self._logSys.log(self.sumloglevel,
+ "Updated IPs for jail '%s' (-%d/+%d)",
+ self._jail.name, m, p)
+ self._logSys.debug(
+ "Next update for jail '%' in %i seconds",
self._jail.name, self.updateperiod)
finally:
self._timer = threading.Timer(self.updateperiod, self.update)
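Review bot: The new debug message `"Next update for jail '%' in %i seconds"` has a broken placeholder, `'%'` where `'%s'` is meant. With two arguments passed, formatting the record fails on an unsupported format character whenever debug logging is enabled, so the message is never written and the logging module reports a formatting error instead. The line should read `"Next update for jail '%s' in %i seconds",`. The enclosing method starts outside the hunk.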
Any issues with badips.com request.
"""
try:
- url = "/".join([self._badips, "add", self.category, aInfo['ip']])
- if self.key:
- url = "?".join([url, urlencode({'key': self.key})])
+ url = "/".join([self._badips, "add", self.category, str(aInfo['ip'])])
+ self._logSys.debug('badips.com: ban, url: %r', url)
response = urlopen(self._Request(url), timeout=self.timeout)
- except HTTPError as response:
- messages = json.loads(response.read().decode('utf-8'))
- self._logSys.error(
- "Response from badips.com report: '%s'",
- messages['err'])
+ except HTTPError as response: # pragma: no cover
+ self.logError(response, "Failed to ban")
raise
else:
messages = json.loads(response.read().decode('utf-8'))
- self._logSys.info(
+ self._logSys.debug(
"Response from badips.com report: '%s'",
messages['suc'])
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =
# Tags: See jail.conf(5) man page
# Values: CMD
#
-actionban = curl --fail --data-urlencode 'server=<email>' --data 'apikey=<apikey>' --data 'service=<service>' --data 'ip=<ip>' --data-urlencode 'logs=<matches>' --data 'format=text' --user-agent "<agent>" "https://www.blocklist.de/en/httpreports.html"
+actionban = curl --fail --data-urlencode "server=<email>" --data "apikey=<apikey>" --data "service=<service>" --data "ip=<ip>" --data-urlencode "logs=<matches><br>" --data 'format=text' --user-agent "<agent>" "https://www.blocklist.de/en/httpreports.html"
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
#
actionunban =
-[Init]
-
# Option: email
-# Notes server email address, as per blocklise.de account
+# Notes server email address, as per blocklist.de account
# Values: STRING Default: None
#
#email =
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
-actionstart = ipfw show | fgrep -c -m 1 -s 'table(<table>)' > /dev/null 2>&1 || ( ipfw show | awk 'BEGIN { b = <lowest_rule_num> } { if ($1 < b) {} else if ($1 == b) { b = $1 + 1 } else { e = b } } END { if (e) exit e <br> else exit b }'; num=$?; ipfw -q add $num <blocktype> <block> from table\(<table>\) to me <port>; echo $num > "<startstatefile>" )
+actionstart = ipfw show | fgrep -c -m 1 -s 'table(<table>)' > /dev/null 2>&1 || (
+ num=$(ipfw show | awk 'BEGIN { b = <lowest_rule_num> } { if ($1 == b) { b = $1 + 1 } } END { print b }');
+ ipfw -q add "$num" <blocktype> <block> from table\(<table>\) to me <port>; echo "$num" > "<startstatefile>"
+ )
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = [ ! -f <startstatefile> ] || ( read num < "<startstatefile>" <br> ipfw -q delete $num <br> rm "<startstatefile>" )
# Values: CMD
#
# requires an ipfw rule like "deny ip from table(1) to me"
-actionban = e=`ipfw table <table> add <ip> 2>&1`; x=$?; [ $x -eq 0 -o "$e" = 'ipfw: setsockopt(IP_FW_TABLE_XADD): File exists' ] || { echo "$e" 1>&2; exit $x; }
+actionban = e=`ipfw table <table> add <ip> 2>&1`; x=$?; [ $x -eq 0 -o "$e" = 'ipfw: setsockopt(IP_FW_TABLE_XADD): File exists' ] || echo "$e" | grep -q "record already exists" || { echo "$e" 1>&2; exit $x; }
# Option: actionunban
# Tags: See jail.conf(5) man page
# Values: CMD
#
-actionunban = e=`ipfw table <table> delete <ip> 2>&1`; x=$?; [ $x -eq 0 -o "$e" = 'ipfw: setsockopt(IP_FW_TABLE_XDEL): No such process' ] || { echo "$e" 1>&2; exit $x; }
+actionunban = e=`ipfw table <table> delete <ip> 2>&1`; x=$?; [ $x -eq 0 -o "$e" = 'ipfw: setsockopt(IP_FW_TABLE_XDEL): No such process' ] || echo "$e" | grep -q "record not found" || { echo "$e" 1>&2; exit $x; }
[Init]
# Option: table
#
# Please set jail.local's permission to 640 because it contains your CF API key.
#
-# This action depends on curl.
+# This action depends on curl (and optionally jq).
# Referenced from http://www.normyee.net/blog/2012/02/02/adding-cloudflare-support-to-fail2ban by NORM YEE
#
# To get your CloudFlare API Key: https://www.cloudflare.com/a/account/my-account
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =
# API v1
#actionban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'
# API v4
-actionban = curl -s -o /dev/null -X POST -H 'X-Auth-Email: <cfuser>' -H 'X-Auth-Key: <cftoken>' \
- -H 'Content-Type: application/json' -d '{ "mode": "block", "configuration": { "target": "ip", "value": "<ip>" } }' \
- https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules
+actionban = curl -s -o /dev/null -X POST <_cf_api_prms> \
+ -d '{"mode":"block","configuration":{"target":"ip","value":"<ip>"},"notes":"Fail2Ban <name>"}' \
+ <_cf_api_url>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# API v1
#actionunban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=nul' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'
# API v4
-actionunban = curl -s -o /dev/null -X DELETE -H 'X-Auth-Email: <cfuser>' -H 'X-Auth-Key: <cftoken>' \
- https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules/$(curl -s -X GET -H 'X-Auth-Email: <cfuser>' -H 'X-Auth-Key: <cftoken>' \
- 'https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules?mode=block&configuration_target=ip&configuration_value=<ip>&page=1&per_page=1' | cut -d'"' -f6)
+actionunban = id=$(curl -s -X GET <_cf_api_prms> \
+ "<_cf_api_url>?mode=block&configuration_target=ip&configuration_value=<ip>&page=1&per_page=1¬es=Fail2Ban%%20<name>" \
+ | { jq -r '.result[0].id' 2>/dev/null || tr -d '\n' | sed -nE 's/^.*"result"\s*:\s*\[\s*\{\s*"id"\s*:\s*"([^"]+)".*$/\1/p'; })
+ if [ -z "$id" ]; then echo "<name>: id for <ip> cannot be found"; exit 0; fi;
+ curl -s -o /dev/null -X DELETE <_cf_api_prms> "<_cf_api_url>/$id"
+
+_cf_api_url = https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules
+_cf_api_prms = -H 'X-Auth-Email: <cfuser>' -H 'X-Auth-Key: <cftoken>' -H 'Content-Type: application/json'
[Init]
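Review bot: In the new `actionunban`, `jq -r '.result[0].id'` prints the string `null` when the lookup returns an empty `result`, so the `[ -z "$id" ]` guard passes and the DELETE is sent to `<_cf_api_url>/null`; `jq -r '.result[0].id // empty'` keeps the guard effective. The `tr`/`sed` fallback after `||` is only useful when jq is not installed, because a jq that starts and then fails may already have consumed the response. `_cf_api_prms` also puts `X-Auth-Key: <cftoken>` on curl's command line for every call, so the key is visible in the process table; a `-K`/`--config` file readable only by root would keep it out of argv. The `¬es=` in the query string looks like `&notes=` mangled by the page's entity decoding rather than part of the commit.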
norestored = 1
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
# Values: CMD
#
-mailcmd = mail -s
+mailcmd = mail -E 'set escape' -s
# Option: mailargs
# Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
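Review bot: `mailcmd = mail -E 'set escape' -s` depends on which `mail` implementation the host has: the option is written for a mailer where `-E` takes a command to execute (GNU mailutils), whereas in bsd-mailx and s-nail style mailers `-E` is a flag without an argument (discard messages with an empty body), so `'set escape'` would presumably be parsed as something else, such as a recipient. The intent appears to be to stop tilde escapes in the piped body from being interpreted, which matters because these actions place whois output and log lines in the body. A comment next to the setting, e.g. `# -E 'set escape' assumes GNU mailutils mail; other mailx variants parse -E differently`, would make the requirement explicit. The same applies to the other `mailcmd` and inline `|mail -E 'set escape' -s` lines added further down this diff.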
norestored = 1
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = if [ -f <tmpfile>.buffer ]; then
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
# Values: CMD
#
-mailcmd = mail -s
+mailcmd = mail -E 'set escape' -s
# Option: mailargs
# Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = if [ ! -z '<target>' ]; then touch <target>; fi;
echo "%(debug)s clear all"
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = if [ ! -z '<target>' ]; then rm -f <target>; fi;
[Definition]
-actionstart = ipset create <ipmset> hash:ip timeout <bantime><familyopt>
+actionstart = ipset create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
firewall-cmd --direct --add-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
actionflush = ipset flush <ipmset>
<actionflush>
ipset destroy <ipmset>
-actionban = ipset add <ipmset> <ip> timeout <bantime> -exist
+actionban = ipset add <ipmset> <ip> timeout <ipsettime> -exist
+
+# actionprolong = %(actionban)s
actionunban = ipset del <ipmset> <ip> -exist
#
chain = INPUT_direct
-# Option: bantime
-# Notes: specifies the bantime in seconds (handled internally rather than by fail2ban)
-# Values: [ NUM ] Default: 600
+# Option: default-ipsettime
+# Notes: specifies default timeout in seconds (handled default ipset timeout only)
+# Values: [ NUM ] Default: 0 (no timeout, managed by fail2ban by unban)
+default-ipsettime = 0
+
+# Option: ipsettime
+# Notes: specifies ticket timeout (handled ipset timeout only)
+# Values: [ NUM ] Default: 0 (managed by fail2ban by unban)
+ipsettime = 0
-bantime = 600
+# expresion to caclulate timeout from bantime, example:
+# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
+timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
# Option: actiontype
# Notes.: defines additions to the blocking rule
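Review bot: `timeout-bantime` guards only the upper bound: a negative `<bantime>` (used for permanent bans, if this installation follows that convention) passes `-le 2147483` and is echoed unchanged into `ipset add <ipmset> <ip> timeout <ipsettime>`, which ipset would presumably reject, so the ban would not be applied. Checking the lower bound too, `$([ "<bantime>" -ge 0 ] && [ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)`, falls back to 0 (no ipset timeout, unban handled by fail2ban) in that case as well. The same expression is added twice more later in this diff. The new comment also has typos: `expresion to caclulate` should read `expression to calculate`.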
# Option: multiport
# Notes.: addition to block access only to specific ports
# Usage.: use in jail config: banaction = firewallcmd-ipset[actiontype=<multiport>]
-multiport = -p <protocol> -m multiport --dports <port>
+multiport = -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)"
ipmset = f2b-<name>
familyopt =
[Init?family=inet6]
ipmset = f2b-<name>6
-familyopt = <sp>family inet6
+familyopt = family inet6
# DEV NOTES:
actionstart = firewall-cmd --direct --add-chain <family> filter f2b-<name>
firewall-cmd --direct --add-rule <family> filter f2b-<name> 1000 -j RETURN
- firewall-cmd --direct --add-rule <family> filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
+ firewall-cmd --direct --add-rule <family> filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)" -j f2b-<name>
-actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
+actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)" -j f2b-<name>
firewall-cmd --direct --remove-rules <family> filter f2b-<name>
firewall-cmd --direct --remove-chain <family> filter f2b-<name>
actionstart = firewall-cmd --direct --add-chain <family> filter f2b-<name>
firewall-cmd --direct --add-rule <family> filter f2b-<name> 1000 -j RETURN
- firewall-cmd --direct --add-rule <family> filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
+ firewall-cmd --direct --add-rule <family> filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)" -j f2b-<name>
-actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
+actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)" -j f2b-<name>
firewall-cmd --direct --remove-rules <family> filter f2b-<name>
firewall-cmd --direct --remove-chain <family> filter f2b-<name>
# Fail2Ban configuration file
#
-# Author: Donald Yandt
+# Authors: Donald Yandt, Sergey G. Brester
#
# Because of the rich rule commands requires firewalld-0.3.1+
# This action uses firewalld rich-rules which gives you a cleaner iptables since it stores rules according to zones and not
#
# If you use the --permanent rule you get a xml file in /etc/firewalld/zones/<zone>.xml that can be shared and parsed easliy
#
-# Example commands to view rules:
-# firewall-cmd [--zone=<zone>] --list-rich-rules
-# firewall-cmd [--zone=<zone>] --list-all
-# firewall-cmd [--zone=zone] --query-rich-rule='rule'
+# This is an derivative of firewallcmd-rich-rules.conf, see there for details and other parameters.
[INCLUDES]
-before = firewallcmd-common.conf
+before = firewallcmd-rich-rules.conf
[Definition]
-actionstart =
-
-actionstop =
-
-actioncheck =
-
-# you can also use zones and/or service names.
-#
-# zone example:
-# firewall-cmd --zone=<zone> --add-rich-rule="rule family='<family>' source address='<ip>' port port='<port>' protocol='<protocol>' log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <rich-blocktype>"
-#
-# service name example:
-# firewall-cmd --zone=<zone> --add-rich-rule="rule family='<family>' source address='<ip>' service name='<service>' log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <rich-blocktype>"
-#
-# Because rich rules can only handle single or a range of ports we must split ports and execute the command for each port. Ports can be single and ranges separated by a comma or space for an example: http, https, 22-60, 18 smtp
-
-actionban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='<family>' source address='<ip>' port port='$p' protocol='<protocol>' log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <rich-blocktype>"; done
-
-actionunban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='<family>' source address='<ip>' port port='$p' protocol='<protocol>' log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <rich-blocktype>"; done
+rich-suffix = log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <rich-blocktype>
[Init]
# log rate per minute
rate = 1
-
#
# Because rich rules can only handle single or a range of ports we must split ports and execute the command for each port. Ports can be single and ranges separated by a comma or space for an example: http, https, 22-60, 18 smtp
-actionban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='<family>' source address='<ip>' port port='$p' protocol='<protocol>' <rich-blocktype>"; done
-
-actionunban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='<family>' source address='<ip>' port port='$p' protocol='<protocol>' <rich-blocktype>"; done
+fwcmd_rich_rule = rule family='<family>' source address='<ip>' port port='$p' protocol='<protocol>' %(rich-suffix)s
+actionban = ports="$(echo '<port>' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done
+
+actionunban = ports="$(echo '<port>' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done
+rich-suffix = <rich-blocktype>
\ No newline at end of file
-[DEFAULT]\r
-\r
-# Usage:\r
-# _grep_logs_args = 'test'\r
-# (printf %%b "Log-excerpt contains 'test':\n"; %(_grep_logs)s; printf %%b "Log-excerpt contains 'test':\n") | mail ...\r
-#\r
-_grep_logs = logpath="<logpath>"; grep <grepopts> -E %(_grep_logs_args)s $logpath | <greplimit>\r
-_grep_logs_args = "(^|[^0-9a-fA-F:])$(echo '<ip>' | sed 's/\./\\./g')([^0-9a-fA-F:]|$)"\r
-\r
-# Used for actions, that should not by executed if ticket was restored:\r
-_bypass_if_restored = if [ '<restored>' = '1' ]; then exit 0; fi;\r
-\r
-[Init]\r
-greplimit = tail -n <grepmax>\r
-grepmax = 1000\r
-grepopts = -m <grepmax>\r
+[DEFAULT]
+
+# Usage:
+# _grep_logs_args = 'test'
+# (printf %%b "Log-excerpt contains 'test':\n"; %(_grep_logs)s; printf %%b "Log-excerpt contains 'test':\n") | mail ...
+#
+_grep_logs = logpath="<logpath>"; grep <grepopts> %(_grep_logs_args)s $logpath | <greplimit>
+# options `-wF` used to match only whole words and fixed string (not as pattern)
+_grep_logs_args = -wF "<ip>"
+
+# Used for actions, that should not by executed if ticket was restored:
+_bypass_if_restored = if [ '<restored>' = '1' ]; then exit 0; fi;
+
+[Init]
+greplimit = tail -n <grepmax>
+grepmax = 1000
+grepopts = -m <grepmax>
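Review bot: `_grep_logs_args = -wF "<ip>"` is looser than the removed pattern for IPv6, because `-w` treats `:` and `.` as word boundaries while the old expression rejected a neighbouring hex digit or `:`. A banned address that is a textual prefix of a longer one (for example `2001:db8::1` against `2001:db8::1:2`, constructed sample) now also matches, so log lines of unrelated hosts can end up in the mailed or reported excerpt. If the fixed-string match is kept, a comment such as `# -w treats ':' and '.' as boundaries, so lines for longer addresses sharing this prefix may also match` would document the limitation. `$logpath` stays unquoted in `_grep_logs`, presumably on purpose so that several log files split into separate arguments; that is worth a comment as well.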
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =
# Tags: See jail.conf(5) man page
# Values: CMD
#
-actionban = IP=<ip> && printf %%b "<daemon_list>: $IP\n" >> <file>
+actionban = printf %%b "<daemon_list>: <ip_value>\n" >> <file>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# Tags: See jail.conf(5) man page
# Values: CMD
#
-actionunban = IP=$(echo <ip> | sed 's/\./\\./g') && sed -i "/^<daemon_list>: $IP$/d" <file>
+actionunban = IP=$(echo "<ip_value>" | sed 's/[][\.]/\\\0/g') && sed -i "/^<daemon_list>: $IP$/d" <file>
[Init]
# for hosts.deny/hosts_access. Default is all services.
# Values: STR Default: ALL
daemon_list = ALL
+
+# internal variable IP (to differentiate the IPv4 and IPv6 syntax, where it is enclosed in brackets):
+ip_value = <ip>
+
+[Init?family=inet6]
+ip_value = [<ip>]
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
# enable IPF if not already enabled
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
# don't disable IPF with "/sbin/ipf -D", there may be other filters in use
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = <iptables> -N f2b-<name>
<iptables> -I <chain> -p <protocol> -j f2b-<name>
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -j f2b-<name>
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = ipset --create f2b-<name> iphash
actionflush = ipset --flush f2b-<name>
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
-actionstart = ipset create <ipmset> hash:ip timeout <bantime><familyopt>
+actionstart = ipset create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
<iptables> -I <chain> -m set --match-set <ipmset> src -j <blocktype>
# Option: actionflush
actionflush = ipset flush <ipmset>
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = <iptables> -D <chain> -m set --match-set <ipmset> src -j <blocktype>
# Tags: See jail.conf(5) man page
# Values: CMD
#
-actionban = ipset add <ipmset> <ip> timeout <bantime> -exist
+actionban = ipset add <ipmset> <ip> timeout <ipsettime> -exist
+
+# actionprolong = %(actionban)s
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
[Init]
-# Option: bantime
-# Notes: specifies the bantime in seconds (handled internally rather than by fail2ban)
-# Values: [ NUM ] Default: 600
-#
-bantime = 600
+# Option: default-ipsettime
+# Notes: specifies default timeout in seconds (handled default ipset timeout only)
+# Values: [ NUM ] Default: 0 (no timeout, managed by fail2ban by unban)
+default-ipsettime = 0
+
+# Option: ipsettime
+# Notes: specifies ticket timeout (handled ipset timeout only)
+# Values: [ NUM ] Default: 0 (managed by fail2ban by unban)
+ipsettime = 0
+
+# expresion to caclulate timeout from bantime, example:
+# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
+timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
ipmset = f2b-<name>
familyopt =
[Init?family=inet6]
ipmset = f2b-<name>6
-familyopt = <sp>family inet6
+familyopt = family inet6
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
-actionstart = ipset create <ipmset> hash:ip timeout <bantime><familyopt>
+actionstart = ipset create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set <ipmset> src -j <blocktype>
# Option: actionflush
actionflush = ipset flush <ipmset>
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set <ipmset> src -j <blocktype>
# Tags: See jail.conf(5) man page
# Values: CMD
#
-actionban = ipset add <ipmset> <ip> timeout <bantime> -exist
+actionban = ipset add <ipmset> <ip> timeout <ipsettime> -exist
+
+# actionprolong = %(actionban)s
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
[Init]
-# Option: bantime
-# Notes: specifies the bantime in seconds (handled internally rather than by fail2ban)
-# Values: [ NUM ] Default: 600
-#
-bantime = 600
+# Option: default-ipsettime
+# Notes: specifies default timeout in seconds (handled default ipset timeout only)
+# Values: [ NUM ] Default: 0 (no timeout, managed by fail2ban by unban)
+default-ipsettime = 0
+
+# Option: ipsettime
+# Notes: specifies ticket timeout (handled ipset timeout only)
+# Values: [ NUM ] Default: 0 (managed by fail2ban by unban)
+ipsettime = 0
+
+# expresion to caclulate timeout from bantime, example:
+# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
+timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
ipmset = f2b-<name>
familyopt =
[Init?family=inet6]
ipmset = f2b-<name>6
-familyopt = <sp>family inet6
+familyopt = family inet6
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = <iptables> -N f2b-<name>
<iptables> -F f2b-<name>-log
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = <iptables> -N f2b-<name>
<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = <iptables> -N f2b-<name>
<iptables> -I <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = <iptables> -D <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
# Changing iptables rules requires root privileges. If fail2ban is
actionflush =
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = echo / > /proc/net/xt_recent/<iptname>
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = <iptables> -N f2b-<name>
<iptables> -I <chain> -p <protocol> --dport <port> -j f2b-<name>
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = <iptables> -D <chain> -p <protocol> --dport <port> -j f2b-<name>
norestored = 1
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = printf %%b "Hi,\n
The jail <name> has been started successfully.\n
Output will be buffered until <lines> lines are available.\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = if [ -f <tmpfile> ]; then
These hosts have been banned by Fail2Ban.\n
`cat <tmpfile>`
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
rm <tmpfile>
fi
printf %%b "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
These hosts have been banned by Fail2Ban.\n
`cat <tmpfile>`
\nRegards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
rm <tmpfile>
fi
# character set before sending it to a mail program
# make sure you have 'file' and 'iconv' commands installed when opting for that
_whois_target_charset = UTF-8
-_whois_convert_charset = whois <ip> |
+_whois_convert_charset = (%(_whois)s) |
{ WHOIS_OUTPUT=$(cat) ; WHOIS_CHARSET=$(printf %%b "$WHOIS_OUTPUT" | file -b --mime-encoding -) ; printf %%b "$WHOIS_OUTPUT" | iconv -f $WHOIS_CHARSET -t %(_whois_target_charset)s//TRANSLIT - ; }
# choose between _whois and _whois_convert_charset in mail-whois-common.local
norestored = 1
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = printf %%b "Hi,\n
Fail2Ban" | <mailcmd> "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = printf %%b "Hi,\n
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
# Values: CMD
#
-mailcmd = mail -s
+mailcmd = mail -E 'set escape' -s
# Default name of the chain
#
norestored = 1
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = printf %%b "Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = printf %%b "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
Here is more information about <ip> :\n
`%(_whois_command)s`\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
norestored = 1
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = printf %%b "Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = printf %%b "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n
Regards,\n
- Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
+ Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =
# Modified: Alexander Belykh <albel727@ngs.ru>
# adapted for nftables
#
+# Obsolete: superseded by nftables[type=allports]
[INCLUDES]
-before = nftables-common.conf
+before = nftables.conf
[Definition]
-# Option: nftables_mode
-# Notes.: additional expressions for nftables filter rule
-# Values: nftables expressions
-#
-nftables_mode = meta l4proto <protocol>
-
-[Init]
+type = allports
# Modified: Alexander Belykh <albel727@ngs.ru>
# adapted for nftables
#
+# Obsolete: superseded by nftables[type=multiport]
[INCLUDES]
-before = nftables-common.conf
+before = nftables.conf
[Definition]
-# Option: nftables_mode
-# Notes.: additional expressions for nftables filter rule
-# Values: nftables expressions
-#
-nftables_mode = <protocol> dport \{ <port> \}
-
-[Init]
+type = multiport
\ No newline at end of file
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Daniel Black
+# Author: Cyril Jaquier
+# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
+# made active on all ports from original iptables.conf
+# Modified: Alexander Belykh <albel727@ngs.ru>
+# adapted for nftables
+#
+# This is a included configuration file and includes the definitions for the nftables
+# used in all nftables based actions by default.
+#
+# The user can override the defaults in nftables-common.local
+# Example: redirect flow to honeypot
+#
+# [Init]
+# table_family = ip
+# chain_type = nat
+# chain_hook = prerouting
+# chain_priority = -50
+# blocktype = counter redirect to 2222
+
+[INCLUDES]
+
+after = nftables-common.local
+
+[Definition]
+
+# Option: type
+# Notes.: type of the action.
+# Values: [ multiport | allports ] Default: multiport
+#
+type = multiport
+
+rule_match-custom =
+rule_match-allports = meta l4proto \{ <protocol> \}
+rule_match-multiport = $proto dport \{ $(echo '<port>' | sed s/:/-/g) \}
+match = <rule_match-<type>>
+
+# Option: rule_stat
+# Notes.: statement for nftables filter rule.
+# leaving it empty will block all (include udp and icmp)
+# Values: nftables statement
+#
+rule_stat = %(match)s <addr_family> saddr @<addr_set> <blocktype>
+
+# optional interator over protocol's:
+_nft_for_proto-custom-iter =
+_nft_for_proto-custom-done =
+_nft_for_proto-allports-iter =
+_nft_for_proto-allports-done =
+_nft_for_proto-multiport-iter = for proto in $(echo '<protocol>' | sed 's/,/ /g'); do
+_nft_for_proto-multiport-done = done
+
+_nft_list = <nftables> -a list chain <table_family> <table> <chain>
+_nft_get_handle_id = grep -oP '@<addr_set>\s+.*\s+\Khandle\s+(\d+)$'
+
+_nft_add_set = <nftables> add set <table_family> <table> <addr_set> \{ type <addr_type>\; \}
+ <_nft_for_proto-<type>-iter>
+ <nftables> add rule <table_family> <table> <chain> %(rule_stat)s
+ <_nft_for_proto-<type>-done>
+_nft_del_set = { %(_nft_list)s | %(_nft_get_handle_id)s; } | while read -r hdl; do
+ <nftables> delete rule <table_family> <table> <chain> $hdl; done
+ <nftables> delete set <table_family> <table> <addr_set>
+
+# Option: _nft_shutdown_table
+# Notes.: command executed after the stop in order to delete table (it checks that no sets are available):
+# Values: CMD
+#
+_nft_shutdown_table = { <nftables> list table <table_family> <table> | grep -qP '^\s+set\s+'; } || {
+ <nftables> delete table <table_family> <table>
+ }
+
+# Option: actionstart
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
+# Values: CMD
+#
+actionstart = <nftables> add table <table_family> <table>
+ <nftables> -- add chain <table_family> <table> <chain> \{ type <chain_type> hook <chain_hook> priority <chain_priority> \; \}
+ %(_nft_add_set)s
+
+# Option: actionflush
+# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action);
+# uses `nft flush set ...` and as fallback (e. g. unsupported) recreates the set (with references)
+# Values: CMD
+#
+actionflush = { <nftables> flush set <table_family> <table> <addr_set> 2> /dev/null; } || {
+ %(_nft_del_set)s
+ %(_nft_add_set)s
+ }
+
+# Option: actionstop
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+# Values: CMD
+#
+actionstop = %(_nft_del_set)s
+ <_nft_shutdown_table>
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck = <nftables> list chain <table_family> <table> <chain> | grep -q '@<addr_set>[ \t]'
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = <nftables> add element <table_family> <table> <addr_set> \{ <ip> \}
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = <nftables> delete element <table_family> <table> <addr_set> \{ <ip> \}
+
+[Init]
+
+# Option: table
+# Notes.: main table to store chain and sets (automatically created on demand)
+# Values: STRING Default: f2b-table
+table = f2b-table
+
+# Option: table_family
+# Notes.: address family to work in
+# Values: [ip | ip6 | inet] Default: inet
+table_family = inet
+
+# Option: chain
+# Notes.: main chain to store rules
+# Values: STRING Default: f2b-chain
+chain = f2b-chain
+
+# Option: chain_type
+# Notes.: refers to the kind of chain to be created
+# Values: [filter | route | nat] Default: filter
+#
+chain_type = filter
+
+# Option: chain_hook
+# Notes.: refers to the kind of chain to be created
+# Values: [ prerouting | input | forward | output | postrouting ] Default: input
+#
+chain_hook = input
+
+# Option: chain_priority
+# Notes.: priority in the chain.
+# Values: NUMBER Default: -1
+#
+chain_priority = -1
+
+# Option: addr_type
+# Notes.: address type to work with
+# Values: [ipv4_addr | ipv6_addr] Default: ipv4_addr
+#
+addr_type = ipv4_addr
+
+# Default name of the filtering set
+#
+name = default
+
+# Option: port
+# Notes.: specifies port to monitor
+# Values: [ NUM | STRING ] Default:
+#
+port = ssh
+
+# Option: protocol
+# Notes.: internally used by config reader for interpolations.
+# Values: [ tcp | udp ] Default: tcp
+#
+protocol = tcp
+
+# Option: blocktype
+# Note: This is what the action does with rules. This can be any jump target
+# as per the nftables man page (section 8). Common values are drop,
+# reject, reject with icmpx type host-unreachable, redirect to 2222
+# Values: STRING
+blocktype = reject
+
+# Option: nftables
+# Notes.: Actual command to be executed, including common to all calls options
+# Values: STRING
+nftables = nft
+
+# Option: addr_set
+# Notes.: The name of the nft set used to store banned addresses
+# Values: STRING
+addr_set = addr-set-<name>
+
+# Option: addr_family
+# Notes.: The family of the banned addresses
+# Values: [ ip | ip6 ]
+addr_family = ip
+
+[Init?family=inet6]
+addr_family = ip6
+addr_type = ipv6_addr
+addr_set = addr6-set-<name>
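Review bot: The `actioncheck` pattern `'@<addr_set>[ \t]'` is passed to plain `grep -q`, where a backslash inside a bracket expression is literal, so the class matches a space, a backslash or the letter `t` rather than a space or a tab. A jail whose set name is followed by `t` in another jail's set name can therefore pass the consistency check while its own rule is missing from the chain, and the missing rule would go unnoticed. `actioncheck = <nftables> list chain <table_family> <table> <chain> | grep -q '@<addr_set>[[:space:]]'` keeps the intent without needing `-P`. `_nft_get_handle_id` already uses `\s` under `grep -oP`, so the two lookups would then agree on what ends a set name.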
actioncheck =
-actionban = echo "\\\\<fid> 1;" >> '%(blck_lst_file)s'; %(blck_lst_reload)s
+_echo_blck_row = printf '\%%s 1;\n' "<fid>"
-actionunban = id=$(echo "<fid>" | sed -e 's/[]\/$*.^|[]/\\&/g'); sed -i "/$id 1;/d" %(blck_lst_file)s; %(blck_lst_reload)s
+actionban = %(_echo_blck_row)s >> '%(blck_lst_file)s'; %(blck_lst_reload)s
+
+actionunban = id=$(%(_echo_blck_row)s | sed -e 's/[]\/$*.^|[]/\\&/g'); sed -i "/^$id$/d" %(blck_lst_file)s; %(blck_lst_reload)s
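Review bot: In the new `actionunban` the block-list path is still passed to `sed -i` unquoted, while the new `actionban` writes to `'%(blck_lst_file)s'` in single quotes. A path containing spaces or glob characters would be split or expanded on unban only, leaving entries in the list that the ban side wrote. Quoting it the same way keeps both actions on the same file: `sed -i "/^$id$/d" '%(blck_lst_file)s'`. The definitions of `blck_lst_file` and `blck_lst_reload` are outside the lines shown here.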
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
# we don't enable NPF automatically, as it will be enabled elsewhere
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
# we don't disable NPF automatically either
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =
actionban = /usr/libexec/afctl -a <ip> -t <bantime>
actionunban = /usr/libexec/afctl -r <ip>
-[Init]
-bantime = 2880
+actionprolong = %(actionunban)s && %(actionban)s
+
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
# we don't enable PF automatically; to enable run pfctl -e
actionstart_on_demand = false
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
# we only disable PF rules we've installed prior
norestored = 1
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on <fq-hostname>
The jail <name> has been started successfully.\n
Output will be buffered until <lines> lines are available.\n
Regards,\n
- Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+ Fail2Ban" | <mailcmd>
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = if [ -f <tmpfile> ]; then
These hosts have been banned by Fail2Ban.\n
`cat <tmpfile>`
Regards,\n
- Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+ Fail2Ban" | <mailcmd>
rm <tmpfile>
fi
printf %%b "Subject: [Fail2Ban] <name>: stopped on <fq-hostname>
Hi,\n
The jail <name> has been stopped.\n
Regards,\n
- Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+ Fail2Ban" | <mailcmd>
# Option: actioncheck
# Notes.: command executed once before each actionban command
These hosts have been banned by Fail2Ban.\n
`cat <tmpfile>`
Regards,\n
- Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+ Fail2Ban" | <mailcmd>
rm <tmpfile>
fi
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on <fq-hostname>
Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
- Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+ Fail2Ban" | <mailcmd>
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on <fq-hostname>
Hi,\n
The jail <name> has been stopped.\n
Regards,\n
- Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+ Fail2Ban" | <mailcmd>
# Option: actioncheck
# Notes.: command executed once before each actionban command
[Init]
+# Your system mail command
+#
+mailcmd = /usr/sbin/sendmail -f "<sender>" "<dest>"
+
# Recipient mail address
#
dest = root
Country:`geoiplookup -f /usr/share/GeoIP/GeoIP.dat "<ip>" | cut -d':' -f2-`
AS:`geoiplookup -f /usr/share/GeoIP/GeoIPASNum.dat "<ip>" | cut -d':' -f2-`
hostname: <ip-host>\n\n
- Lines containing failures of <ip>\n";
+ Lines containing failures of <ip> (max <grepmax>)\n";
%(_grep_logs)s;
printf %%b "\n
Regards,\n
- Fail2Ban" ) | /usr/sbin/sendmail -f <sender> <dest>
+ Fail2Ban" ) | <mailcmd>
[Init]
[INCLUDES]
before = sendmail-common.conf
+ mail-whois-common.conf
[Definition]
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
Here is more information about <ip> :\n
- `/usr/bin/whois <ip>`\n\n
+ `%(_whois_command)s`\n\n
Matches for <name> with <ipjailfailures> failures IP:<ip>\n
<ipjailmatches>\n\n
Regards,\n
- Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+ Fail2Ban" | <mailcmd>
[Init]
[INCLUDES]
before = sendmail-common.conf
+ mail-whois-common.conf
[Definition]
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
Here is more information about <ip> :\n
- `/usr/bin/whois <ip>`\n\n
+ `%(_whois_command)s`\n\n
Matches with <ipfailures> failures IP:<ip>\n
<ipmatches>\n\n
Regards,\n
- Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+ Fail2Ban" | <mailcmd>
[Init]
[INCLUDES]
before = sendmail-common.conf
+ mail-whois-common.conf
helpers-common.conf
[Definition]
Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
- Here is more information about <ip> :\n
- `/usr/bin/whois <ip> || echo missing whois program`\n\n
- Lines containing failures of <ip>\n";
+ Here is more information about <ip> :\n"
+ %(_whois_command)s;
+ printf %%b "\nLines containing failures of <ip> (max <grepmax>)\n";
%(_grep_logs)s;
printf %%b "\n
Regards,\n
- Fail2Ban" ) | /usr/sbin/sendmail -f <sender> <dest>
+ Fail2Ban" ) | <mailcmd>
[Init]
[INCLUDES]
before = sendmail-common.conf
+ mail-whois-common.conf
[Definition]
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
Here is more information about <ip> :\n
- `/usr/bin/whois <ip>`\n\n
+ `%(_whois_command)s`\n\n
Matches:\n
<matches>\n\n
Regards,\n
- Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+ Fail2Ban" | <mailcmd>
[Init]
[INCLUDES]
before = sendmail-common.conf
+ mail-whois-common.conf
[Definition]
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
Here is more information about <ip> :\n
- `/usr/bin/whois <ip> || echo missing whois program`\n
+ `%(_whois_command)s`\n
Regards,\n
- Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+ Fail2Ban" | <mailcmd>
[Init]
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n
Regards,\n
- Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+ Fail2Ban" | <mailcmd>
[Init]
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = if ! ipset -quiet -name list f2b-<name> >/dev/null;
- then ipset -quiet -exist create f2b-<name> hash:ip timeout <bantime>;
+ then ipset -quiet -exist create f2b-<name> hash:ip timeout <default-ipsettime>;
fi
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = ipset flush f2b-<name>
# Tags: See jail.conf(5) man page
# Values: CMD
#
-actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist
+actionban = ipset add f2b-<name> <ip> timeout <ipsettime> -exist
+
+# actionprolong = %(actionban)s
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
#
actionunban = ipset del f2b-<name> <ip> -exist
-[Init]
+# Option: default-ipsettime
+# Notes: specifies default timeout in seconds (handled default ipset timeout only)
+# Values: [ NUM ] Default: 0 (no timeout, managed by fail2ban by unban)
+default-ipsettime = 0
-# Option: bantime
-# Notes: specifies the bantime in seconds (handled internally rather than by fail2ban)
-# Values: [ NUM ] Default: 600
-#
-bantime = 600
+# Option: ipsettime
+# Notes: specifies ticket timeout (handled ipset timeout only)
+# Values: [ NUM ] Default: 0 (managed by fail2ban by unban)
+ipsettime = 0
+
+# expresion to caclulate timeout from bantime, example:
+# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
+timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
# connections. So if the attempter goes on trying using the same connection
# he could even log in. In order to get the same behavior of the iptable
# action (so that the ban is immediate) the /etc/shorewall/shorewall.conf
-# file should me modified with "BLACKLISTNEWONLY=No". Note that as of
+# file should be modified with "BLACKLISTNEWONLY=No". Note that as of
# Shorewall 4.5.13 BLACKLISTNEWONLY is deprecated; however the equivalent
# of BLACKLISTNEWONLY=No can now be achieved by setting BLACKLIST="ALL".
#
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =
try:
self._logSys.debug("Connected to SMTP '%s', response: %i: %s",
self.host, *smtp.connect(self.host))
- if self.user and self.password:
+ if self.user and self.password: # pragma: no cover (ATM no tests covering that)
smtp.login(self.user, self.password)
failed_recipients = smtp.sendmail(
self.fromaddr, self.toaddr.split(", "), msg.as_string())
- except smtplib.SMTPConnectError:
+ except smtplib.SMTPConnectError: # pragma: no cover
self._logSys.error("Error connecting to host '%s'", self.host)
raise
- except smtplib.SMTPAuthenticationError:
+ except smtplib.SMTPAuthenticationError: # pragma: no cover
self._logSys.error(
"Failed to authenticate with host '%s' user '%s'",
self.host, self.user)
raise
- except smtplib.SMTPException:
+ except smtplib.SMTPException: # pragma: no cover
self._logSys.error(
"Error sending mail to host '%s' from '%s' to '%s'",
self.host, self.fromaddr, self.toaddr)
raise
else:
- if failed_recipients:
+ if failed_recipients: # pragma: no cover
self._logSys.warning(
"Email to '%s' failed to following recipients: %r",
self.toaddr, failed_recipients)
try:
self._logSys.debug("Disconnected from '%s', response %i: %s",
self.host, *smtp.quit())
- except smtplib.SMTPServerDisconnected:
+ except smtplib.SMTPServerDisconnected: # pragma: no cover
pass # Not connected
def start(self):
[Definition]
# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =
actioncheck =
-actionban = oifs=${IFS}; IFS=.;SEP_IP=( <ip> ); set -- ${SEP_IP}; ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs}
+actionban = oifs=${IFS};
+ RESOLVER_ADDR="%(addr_resolver)s"
+ if [ "<debug>" -gt 0 ]; then echo "try to resolve $RESOLVER_ADDR"; fi
+ ADDRESSES=$(dig +short -t txt -q $RESOLVER_ADDR | tr -d '"')
+ IFS=,; ADDRESSES=$(echo $ADDRESSES)
+ IFS=${oifs}
IP=<ip>
FROM=<sender>
SERVICE=<service>
PORT=<port>
DATE=`LC_ALL=C date --date=@<time> +"%%a, %%d %%h %%Y %%T %%z"`
if [ ! -z "$ADDRESSES" ]; then
+ oifs=${IFS}; IFS=,; ADDRESSES=$(echo $ADDRESSES)
+ IFS=${oifs}
(printf -- %%b "<header>\n<message>\n<report>\n\n";
date '+Note: Local timezone is %%z (%%Z)';
- printf -- %%b "\n<ipmatches>\n\n<footer>") | <mailcmd> <mailargs> ${ADDRESSES//,/\" \"}
+ printf -- %%b "\n<ipmatches>\n\n<footer>") | <mailcmd> <mailargs> $ADDRESSES
fi
actionunban =
-[Init]
+# Server as resolver used in dig command
+#
+addr_resolver = <ip-rev>abuse-contacts.abusix.org
+
+# Option: boundary
+# Notes: This can be overwritten to be safe for possible predictions
+boundary = bfbb0f920793ac03cb8634bde14d8a1e
+
+_boundary = Abuse<time>-<boundary>
+
# Option: header
# Notes: This is really a fixed value
-header = Subject: abuse report about $IP - $DATE\nAuto-Submitted: auto-generated\nX-XARF: PLAIN\nContent-Transfer-Encoding: 7bit\nContent-Type: multipart/mixed; charset=utf8;\n boundary=Abuse-bfbb0f920793ac03cb8634bde14d8a1e;\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8;\n
+header = Subject: abuse report about $IP - $DATE\nAuto-Submitted: auto-generated\nX-XARF: PLAIN\nContent-Transfer-Encoding: 7bit\nContent-Type: multipart/mixed; charset=utf8;\n boundary=%(_boundary)s;\n\n--%(_boundary)s\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8;\n
# Option: footer
# Notes: This is really a fixed value and needs to match the report and header
# mime delimiters
-footer = \n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e--
+footer = \n\n--%(_boundary)s--
# Option: report
# Notes: Intended to be fixed
-report = --Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8; name=\"report.txt\";\n\n---\nReported-From: $FROM\nCategory: abuse\nReport-ID: $REPORTID\nReport-Type: login-attack\nService: $SERVICE\nVersion: 0.2\nUser-Agent: Fail2ban v0.9\nDate: $DATE\nSource-Type: ip-address\nSource: $IP\nPort: $PORT\nSchema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment: text/plain\nOccurances: $FAILURES\nTLP: $TLP\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf8; name=\"logfile.log\";
+report = --%(_boundary)s\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8; name=\"report.txt\";\n\n---\nReported-From: $FROM\nCategory: abuse\nReport-ID: $REPORTID\nReport-Type: login-attack\nService: $SERVICE\nVersion: 0.2\nUser-Agent: Fail2ban v0.9\nDate: $DATE\nSource-Type: ip-address\nSource: $IP\nPort: $PORT\nSchema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment: text/plain\nOccurances: $FAILURES\nTLP: $TLP\n\n\n--%(_boundary)s\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf8; name=\"logfile.log\";
# Option: Message
# Notes: This can be modified by the users
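Review bot: `ADDRESSES` is filled from a DNS TXT answer (`dig +short -t txt -q $RESOLVER_ADDR | tr -d '"'`) and then placed unquoted on the `<mailcmd> <mailargs> $ADDRESSES` command line, so remotely supplied text is word-split and glob-expanded after only the double quotes have been stripped. Each entry should be checked to look like a mail address, and not to begin with `-`, before it reaches the mail command. Appending `| tr -cd 'A-Za-z0-9@._+,\n-'` to the `dig` pipeline and skipping entries without an `@` would do that, and `set -f` around the expansion would stop pathname expansion. `$RESOLVER_ADDR` should be quoted in the `dig` call as well. The comma split `IFS=,; ADDRESSES=$(echo $ADDRESSES)` now appears twice, once before `IP=<ip>` and again inside the `if`, and one copy can be dropped.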
# Changes: in most of the cases you should not modify this
# file, but provide customizations in fail2ban.local file, e.g.:
#
-# [Definition]
+# [DEFAULT]
# loglevel = DEBUG
#
-[Definition]
+[DEFAULT]
# Option: loglevel
# Notes.: Set the log level output.
# NOTICE
# INFO
# DEBUG
-# Values: [ LEVEL ] Default: ERROR
+# Values: [ LEVEL ] Default: INFO
#
loglevel = INFO
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = 1d
+
+# Options: dbmaxmatches
+# Notes.: Number of matches stored in database per ticket (resolvable via
+# tags <ipmatches>/<ipjailmatches> in actions)
+# Values: [ INT ] Default: 10
+dbmaxmatches = 10
+
+[Definition]
+
+
+[Thread]
+
+# Options: stacksize
+# Notes.: Specifies the stack size (in KiB) to be used for subsequently created threads,
+# and must be 0 or a positive integer value of at least 32.
+# Values: [ SIZE ] Default: 0 (use platform or configured default)
+#stacksize = 0
[Definition]
+# Mode for filter: normal (default) and aggressive (allows DDoS & brute force detection of mod_evasive)
+mode = normal
+
+# ignore messages of mod_evasive module:
+apache-pref-ign-normal = (?!evasive)
+# allow "denied by server configuration" from all modules:
+apache-pref-ign-aggressive =
+# mode related ignore prefix for common _apache_error_client substitution:
+apache-pref-ignore = <apache-pref-ign-<mode>>
+
prefregex = ^%(_apache_error_client)s (?:AH\d+: )?<F-CONTENT>.+</F-CONTENT>$
# auth_type = ((?:Digest|Basic): )?
auth_type = ([A-Z]\w+: )?
failregex = ^client (?:denied by server configuration|used wrong authentication scheme)\b
- ^user <F-USER>(?:\S*|.*?)</F-USER> (?:auth(?:oriz|entic)ation failure|not found|denied by provider)\b
+ ^user (?!`)<F-USER>(?:\S*|.*?)</F-USER> (?:auth(?:oriz|entic)ation failure|not found|denied by provider)\b
^Authorization of user <F-USER>(?:\S*|.*?)</F-USER> to access .*? failed\b
^%(auth_type)suser <F-USER>(?:\S*|.*?)</F-USER>: password mismatch\b
- ^%(auth_type)suser `<F-USER>(?:[^']*|.*?)</F-USER>' in realm `.+' (not found|denied by provider)\b
+ ^%(auth_type)suser `<F-USER>(?:[^']*|.*?)</F-USER>' in realm `.+' (auth(?:oriz|entic)ation failure|not found|denied by provider)\b
^%(auth_type)sinvalid nonce .* received - length is not\b
^%(auth_type)srealm mismatch - got `(?:[^']*|.*?)' but expected\b
^%(auth_type)sunknown algorithm `(?:[^']*|.*?)' received\b
^invalid qop `(?:[^']*|.*?)' received\b
^%(auth_type)sinvalid nonce .*? received - user attempted time travel\b
+ ^(?:No h|H)ostname \S+ provided via SNI(?:, but no hostname provided| and hostname \S+ provided| for a name based virtual host)\b
ignoreregex =
apache-prefix = <apache-prefix-<logging>>
-_apache_error_client = <apache-prefix>\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\]
+apache-pref-ignore =
+
+_apache_error_client = <apache-prefix>\[(:?error|<apache-pref-ignore>\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\]
datepattern = {^LN-BEG}
[Definition]
-failregex = ^%(_apache_error_client)s ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d
+failregex = ^%(_apache_error_client)s(?: \[client [^\]]+\])? ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d
ignoreregex =
[Definition]
-failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): /\S*(php([45]|[.-]cgi)?|\.asp|\.exe|\.pl)(, referer: \S+)?\s*$
- ^%(_apache_error_client)s script '/\S*(php([45]|[.-]cgi)?|\.asp|\.exe|\.pl)\S*' not found or unable to stat(, referer: \S+)?\s*$
+script = /\S*(?:php(?:[45]|[.-]cgi)?|\.asp|\.exe|\.pl|\bcgi-bin/)
+
+prefregex = ^%(_apache_error_client)s (?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?(?:(?:[Ff]ile|script|[Gg]ot) )<F-CONTENT>.+</F-CONTENT>$
+
+failregex = ^(?:does not exist|not found or unable to stat): <script>\b
+ ^'<script>\S*' not found or unable to stat
+ ^error '[Pp]rimary script unknown(?:\\n)?'
ignoreregex =
iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}
# All Asterisk log messages begin like this:
-log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?
+log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])?:? [^:]+:\d*(?:(?: in)? [^:]+:)?
prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$
^(?:Host )?<HOST> (?:failed (?:to authenticate\b|MD5 authentication\b)|tried to authenticate with nonexistent user\b)
^No registration for peer '[^']*' \(from <HOST>\)$
^hacking attempt detected '<HOST>'$
- ^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$
- ^"Rejecting unknown SIP connection from <HOST>"$
+ ^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/[^/"]+/<HOST>/\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$
+ ^"Rejecting unknown SIP connection from <HOST>(?::\d+)?"$
^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$
# FreePBX (todo: make optional in v.0.10):
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog
+
+journalmatch = _SYSTEMD_UNIT=asterisk.service
+
+
+[lt_journal]
+
+# asterisk can log timestamp if logs into systemd-journal (optional part matching this timestamp, gh-2383):
+__extra_timestamp = (?:\[[^\]]+\]\s+)?
+__prefix_line = %(known/__prefix_line)s%(__extra_timestamp)s
--- /dev/null
+# Fail2Ban filter for Bitwarden
+# Detecting failed login attempts
+# Logged in bwdata/logs/identity/Identity/log.txt
+
+[INCLUDES]
+before = common.conf
+
+[Definition]
+_daemon = Bitwarden-Identity
+failregex = ^%(__prefix_line)s\s*\[(?:W(?:RN|arning)|Bit\.Core\.[^\]]+)\]\s+Failed login attempt(?:, 2FA invalid)?\. <ADDR>$
+
+# DEV Notes:
+# __prefix_line can result to an empty string, so it can support syslog and non-syslog at once.
--- /dev/null
+# Fail2Ban filter for Centreon Web
+# Detecting unauthorized access to the Centreon Web portal
+# typically logged in /var/log/centreon/login.log
+
+[Init]
+datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
+
+[Definition]
+failregex = ^(?:\|-?\d+){3}\|\[[^\]]*\] \[<HOST>\] Authentication failed for '<F-USER>[^']+</F-USER>'
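Review bot: The new `failregex` captures the client with `<HOST>`, which also accepts host names, whereas the Bitwarden filter added in the same change uses `<ADDR>`. If the bracketed field in login.log always holds an IP address (not verifiable from this hunk), `\[<ADDR>\]` would keep logged text from being treated as a name to resolve under the jail's `usedns` setting. The file also defines no `ignoreregex =` line, which the other filters on this page carry even when empty; adding it keeps the filter consistent with them.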
[DEFAULT]
+# Type of log-file resp. log-format (file, short, journal, rfc542):
+logtype = file
+
# Daemon definition is to be specialized (if needed) in .conf file
_daemon = \S*
# Daemon name (with optional source_file:line or whatever)
# EXAMPLES: pam_rhosts_auth, [sshd], pop(pam_unix)
-__daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?
+__daemon_re = [\[\(]?<_daemon>(?:\(\S+\))?[\]\)]?:?
# extra daemon info
# EXAMPLE: [ID 800047 auth.info]
# Combinations of daemon name and PID
# EXAMPLES: sshd[31607], pop(pam_unix)[4920]
-__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:?)
+__daemon_combs_re = (?:<__pid_re>?:\s+<__daemon_re>|<__daemon_re><__pid_re>?:?)
# Some messages have a kernel prefix with a timestamp
# EXAMPLES: kernel: [769570.846956]
-__kernel_prefix = kernel: \[ *\d+\.\d+\]
+__kernel_prefix = kernel:\s?\[ *\d+\.\d+\]:?
__hostname = \S+
# [bsdverbose]? [hostname] [vserver tag] daemon_id spaces
#
# This can be optional (for instance if we match named native log files)
-__prefix_line = %(__date_ambit)s?\s*(?:%(__bsd_syslog_verbose)s\s+)?(?:%(__hostname)s\s+)?(?:%(__kernel_prefix)s\s+)?(?:%(__vserver)s\s+)?(?:%(__daemon_combs_re)s\s+)?(?:%(__daemon_extra_re)s\s+)?
+__prefix_line = <lt_<logtype>/__prefix_line>
# PAM authentication mechanism check for failures, e.g.: pam_unix, pam_sss,
# pam_ldap
__pam_auth = pam_unix
# standardly all formats using prefix have line-begin anchored date:
+datepattern = <lt_<logtype>/datepattern>
+
+[lt_file]
+# Common line prefixes for logtype "file":
+__prefix_line = <__date_ambit>?\s*(?:<__bsd_syslog_verbose>\s+)?(?:<__hostname>\s+)?(?:<__kernel_prefix>\s+)?(?:<__vserver>\s+)?(?:<__daemon_combs_re>\s+)?(?:<__daemon_extra_re>\s+)?
datepattern = {^LN-BEG}
-# Author: Yaroslav Halchenko
+[lt_short]
+# Common (short) line prefix for logtype "journal" (corresponds output of formatJournalEntry):
+__prefix_line = \s*(?:<__hostname>\s+)?(?:<_daemon><__pid_re>?:?\s+)?(?:<__kernel_prefix>\s+)?
+datepattern = %(lt_file/datepattern)s
+[lt_journal]
+__prefix_line = %(lt_short/__prefix_line)s
+datepattern = %(lt_short/datepattern)s
+
+[lt_rfc5424]
+# RFC 5424 log-format, see gh-2309:
+#__prefix_line = \s*<__hostname> <__daemon_re> \d+ \S+ \S+\s+
+__prefix_line = \s*<__hostname> <__daemon_re> \d+ \S+ (?:[^\[\]\s]+|(?:\[(?:[^\]"]*|"[^"]*")*\])+)\s+
+datepattern = ^<\d+>\d+\s+{DATE}
+
+# Author: Yaroslav Halchenko, Sergey G. Brester (aka sebres)
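Review bot: The comment added above `logtype = file` lists the accepted values as `(file, short, journal, rfc542)`, but the section introduced further down is `[lt_rfc5424]`. Since `__prefix_line` and `datepattern` are now resolved through `<lt_<logtype>/...>`, a value copied from that comment would point at a section that does not exist. The comment should read `# Type of log-file resp. log-format (file, short, journal, rfc5424):`. In the same file the `[lt_short]` comment describes the prefix as being for logtype "journal"; wording such as `# Common (short) line prefix, also used by logtype "journal"` would match the section names.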
_daemon = courieresmtpd
-prefregex = ^%(__prefix_line)serror,relay=<HOST>,<F-CONTENT>.+</F-CONTENT>$
+prefregex = ^%(__prefix_line)serror,relay=<HOST>,(?:port=\d+,)?<F-CONTENT>.+</F-CONTENT>$
failregex = ^[^:]*: 550 User (<.*> )?unknown\.?$
^msg="535 Authentication failed\.",cmd:( AUTH \S+)?( [0-9a-zA-Z\+/=]+)?(?: \S+)$
# 08-09-2014 06:14:27 smtp: postmaster [1.2.3.4] authentication failure using internet password
# 08-09-2014 06:14:27 SMTP Server: Authentication failed for user postmaster ; connecting host 1.2.3.4
-__prefix = (?:\[[^\]]+\])?\s+
-failregex = ^%(__prefix)sSMTP Server: Authentication failed for user .*? \; connecting host <HOST>$
- ^%(__prefix)ssmtp: (?:[^\[]+ )*\[<HOST>\] authentication failure using internet password\s*$
+__prefix = (?:\[[^\]]+\])?\s*
+__opt_data = (?::|\s+\[[^\]]+\])
+failregex = ^%(__prefix)sSMTP Server%(__opt_data)s Authentication failed for user .*? \; connecting host \[?<HOST>\]?$
+ ^%(__prefix)ssmtp: (?:[^\[]+ )*\[?<HOST>\]? authentication failure using internet password\s*$
+ ^%(__prefix)sSMTP Server%(__opt_data)s Connection from \[?<HOST>\]? rejected for policy reasons\.
+
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
_auth_worker = (?:dovecot: )?auth(?:-worker)?
_daemon = (?:dovecot(?:-auth)?|auth)
-prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap)-login: )?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$
+prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$
-failregex = ^authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
- ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
+failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
+ ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$
- ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials)\s*$
+ ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials|Password mismatch)
<mdre-<mode>>
-mdre-aggressive = ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
+mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
mdre-normal =
^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$
^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
- ^%(pid)s SMTP call from \S+ %(host_info)sdropped: too many nonmail commands \(last was "\S+"\)\s*$
+ ^%(pid)s SMTP call from (?:[^\[\( ]* )?%(host_info)sdropped: too many (?:nonmail commands|syntax or protocol errors) \(last (?:command )?was "[^"]*"\)\s*$
^%(pid)s SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?" %(host_info)sAUTH command used when not advertised\s*$
^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S*s(?: C=\S*)?\s*$
^%(pid)s (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$
_daemon = freeswitch
+# Parameter "mode": normal, ddos or extra (default, combines all)
+# Usage example (for jail.local):
+# [freeswitch]
+# mode = normal
+# # or with rewrite filter parameters of jail:
+# [freeswitch-ddos]
+# filter = freeswitch[mode=ddos]
+#
+mode = extra
+
# Prefix contains common prefix line (server, daemon, etc.) and 2 datetimes if used systemd backend
-_pref_line = ^%(__prefix_line)s(?:\d+-\d+-\d+ \d+:\d+:\d+\.\d+)?
+_pref_line = ^%(__prefix_line)s(?:(?:\d+-)?\d+-\d+ \d+:\d+:\d+\.\d+)?
+
+prefregex = ^%(_pref_line)s \[WARN(?:ING)?\](?: \[SOFIA\])? \[?sofia_reg\.c:\d+\]? <F-CONTENT>.+</F-CONTENT>$
+
+cmnfailre = ^Can't find user \[[^@]+@[^\]]+\] from <HOST>$
+
+mdre-normal = %(cmnfailre)s
+ ^SIP auth failure \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$
+
+mdre-ddos = ^SIP auth (?:failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$
+
+mdre-extra = %(cmnfailre)s
+ <mdre-ddos>
-failregex = %(_pref_line)s \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$
- %(_pref_line)s \[WARNING\] sofia_reg\.c:\d+ Can't find user \[[^@]+@[^\]]+\] from <HOST>$
+failregex = <mdre-<mode>>
ignoreregex =
-datepattern = {^LN-BEG}
+datepattern = ^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?
+ {^LN-BEG}
-# Author: Rupa SChomaker, soapee01, Daniel Black
+# Author: Rupa SChomaker, soapee01, Daniel Black, Sergey Brester aka sebres
# https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban
# Thanks to Jim on mailing list of samples and guidance
#
--- /dev/null
+# Fail2Ban filter for Gitlab
+# Detecting unauthorized access to the Gitlab Web portal
+# typically logged in /var/log/gitlab/gitlab-rails/application.log
+
+[Definition]
+failregex = ^: Failed Login: username=<F-USER>.+</F-USER> ip=<HOST>$
--- /dev/null
+# Fail2Ban filter for Grafana
+# Detecting unauthorized access
+# Typically logged in /var/log/grafana/grafana.log
+
+[Init]
+datepattern = ^t=%%Y-%%m-%%dT%%H:%%M:%%S%%z
+
+[Definition]
+failregex = ^(?: lvl=err?or)? msg="Invalid username or password"(?: uname=(?:"<F-ALT_USER>[^"]+</F-ALT_USER>"|<F-USER>\S+</F-USER>)| error="<F-ERROR>[^"]+</F-ERROR>"| \S+=(?:\S*|"[^"]+"))* remote_addr=<ADDR>$
[Definition]
-# Option: failregex
-# Notes.: regex to match the password failures messages in the logfile.
-# Values: TEXT
-#
-failregex = ^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$
+logging = catalina
+failregex = <L_<logging>/failregex>
+maxlines = <L_<logging>/maxlines>
+datepattern = <L_<logging>/datepattern>
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
-ignoreregex =
+[L_catalina]
+
+failregex = ^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$
-# "maxlines" is number of log lines to buffer for multi-line regex searches
maxlines = 2
datepattern = ^%%b %%d, %%ExY %%I:%%M:%%S %%p
^WARNING:()**
- {^LN-BEG}
\ No newline at end of file
+ {^LN-BEG}
+
+[L_webapp]
+
+failregex = ^ \[\S+\] WARN \S+ - Authentication attempt from <HOST> for user "<F-USER>[^"]+</F-USER>" failed.
+
+maxlines = 1
+
+datepattern = ^%%H:%%M:%%S.%%f
+
+# DEV Notes:
+#
+# failregex is based on the default pattern given in Guacamole documentation :
+# https://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging
+#
+# The following logback.xml Guacamole configuration file can then be used accordingly :
+# <configuration>
+# <appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
+# <file>/var/log/guacamole.log</file>
+# <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+# <fileNamePattern>/var/log/guacamole.%d.log.gz</fileNamePattern>
+# <maxHistory>32</maxHistory>
+# </rollingPolicy>
+# <encoder>
+# <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
+# </encoder>
+# </appender>
+# <root level="info">
+# <appender-ref ref="FILE" />
+# </root>
+# </configuration>
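Review bot: The `[L_webapp]` section's `datepattern = ^%%H:%%M:%%S.%%f` and the logback pattern suggested in the DEV notes, `%d{HH:mm:ss.SSS}`, carry a time of day but no calendar date. fail2ban then has to infer the day for every entry, which is likely to misplace failures around midnight or when an older log file is re-read, so findtime windows can be wrong. A dated encoder pattern such as `%d{yyyy-MM-dd HH:mm:ss.SSS}` paired with `datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S\.%%f` would avoid that. The `.` in that datepattern and in the trailing `failed.` of the failregex is also unescaped and matches any character.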
import re
host = DNSUtils.ipToName(ip)
- if not host or not re.match('.*\.google(bot)?\.com$', host):
+ if not host or not re.match(r'.*\.google(bot)?\.com$', host):
return False
host_ips = DNSUtils.dnsToIp(host)
return (ip in host_ips)
# common.local
before = common.conf
+# [DEFAULT]
+# logtype = short
+
[Definition]
_daemon = monit
+_prefix = Warning|HttpRequest
+
# Regexp for previous (accessing monit httpd) and new (access denied) versions
-failregex = ^\[\s*\]\s*error\s*:\s*Warning:\s+Client '<HOST>' supplied (?:unknown user '[^']+'|wrong password for user '[^']*') accessing monit httpd$
- ^%(__prefix_line)s\w+: access denied -- client <HOST>: (?:unknown user '[^']+'|wrong password for user '[^']*'|empty password)$
+failregex = ^%(__prefix_line)s(?:error\s*:\s+)?(?:%(_prefix)s):\s+(?:access denied\s+--\s+)?[Cc]lient '?<HOST>'?(?:\s+supplied|\s*:)\s+(?:unknown user '<F-ALT_USER>[^']+</F-ALT_USER>'|wrong password for user '<F-USER>[^']*</F-USER>'|empty password)
# Ignore login with empty user (first connect, no user specified)
# ignoreregex = %(__prefix_line)s\w+: access denied -- client <HOST>: (?:unknown user '')
# Fail2Ban filter for murmur/mumble-server
#
-[INCLUDES]
-
-before = common.conf
-
-
[Definition]
_daemon = murmurd
# variable in your server config file (murmur.ini / mumble-server.ini).
_usernameregex = [^>]+
-_prefix = \s+\d+ => <\d+:%(_usernameregex)s\(-1\)> Rejected connection from <HOST>:\d+:
+# Prefix for systemd-journal (with second date-pattern as optional match):
+#
+__prefix_journal = (?:\S+\s+%(_daemon)s\[\d+\]:(?:\s+\<W\>[\d\-]+ [\d:]+.\d+)?)
+
+__prefix_line = %(__prefix_journal)s?
+
+_prefix = %(__prefix_line)s\s+\d+ => <\d+:%(_usernameregex)s\(-1\)> Rejected connection from <HOST>:\d+:
prefregex = ^%(_prefix)s <F-CONTENT>.+</F-CONTENT>$
datepattern = ^<W>{DATE}
+journalmatch = _SYSTEMD_UNIT=murmurd.service + _COMM=murmurd
+
# DEV Notes:
#
# Author: Ross Brown
#
# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld]:
# log-error=/var/log/mysqld.log
-# log-warning = 2
+# log-warnings = 2
#
# If using mysql syslog [mysql_safe] has syslog in /etc/my.cnf
_daemon = mysqld
-failregex = ^%(__prefix_line)s(?:\d+ |\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[\w+\] Access denied for user '[^']+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
+failregex = ^%(__prefix_line)s(?:(?:\d{6}|\d{4}-\d{2}-\d{2})[ T]\s?\d{1,2}:\d{2}:\d{2} )?(?:\d+ )?\[\w+\] (?:\[[^\]]+\] )*Access denied for user '<F-USER>[^']+</F-USER>'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
ignoreregex =
# this can be optional (for instance if we match named native log files)
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
-prefregex = ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>$
+prefregex = ^%(__line_prefix)s(?: error:)?\s*client(?: @\S*)? <HOST>#\S+(?: \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>\s(?:denied|\(NOTAUTH\))\s*$
-failregex = ^(view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
- ^zone transfer '\S+/AXFR/\w+' denied\s*$
- ^bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
+failregex = ^(?:view (?:internal|external): )?query(?: \(cache\))?
+ ^zone transfer
+ ^bad zone transfer request: '\S+/IN': non-authoritative zone
ignoreregex =
__pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:?
_daemon = \S+
-prefregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s <F-CONTENT>.+</F-CONTENT>$
+prefregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure;(?:\s+(?:(?:logname|e?uid)=\S*)){0,3} tty=%(_ttys_re)s <F-CONTENT>.+</F-CONTENT>$
-failregex = ^ruser=<F-USER>\S*</F-USER> rhost=<HOST>\s*$
- ^ruser= rhost=<HOST>\s+user=<F-USER>\S*</F-USER>\s*$
- ^ruser= rhost=<HOST>\s+user=<F-USER>.*?</F-USER>\s*$
- ^ruser=<F-USER>.*?</F-USER> rhost=<HOST>\s*$
+failregex = ^ruser=<F-ALT_USER>(?:\S*|.*?)</F-ALT_USER> rhost=<HOST>(?:\s+user=<F-USER>(?:\S*|.*?)</F-USER>)?\s*$
ignoreregex =
+datepattern = {^LN-BEG}
+
# DEV Notes:
#
# for linux-pam before 0.99.2.0 (late 2005) (removed before 0.8.11 release)
-# Fail2Ban fitler for the phpMyAdmin-syslog
+# Fail2Ban filter for the phpMyAdmin-syslog
#
[INCLUDES]
prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$
-mdpr-normal = (?:NOQUEUE: reject:|improper command pipelining after \S+)
+mdpr-normal = (?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+)
mdre-normal=^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
- ^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.1 (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
- ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.1 (<[^>]*>)?: Helo command rejected: Host not found\b
- ^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.2 (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
- ^VRFY from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
- ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.8 (<[^>]*>)?: Sender address rejected: Domain not found\b
+ ^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.\d+ (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
+ ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.\d+ (<[^>]*>)?: Helo command rejected: Host not found\b
+ ^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.\d+ (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
+ ^(RCPT|VRFY) from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
+ ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.\d+ (<[^>]*>)?: Sender address rejected: Domain not found\b
^from [^[]*\[<HOST>\]%(_port)s:?
mdpr-auth = warning:
mdpr-more = %(mdpr-normal)s
mdre-more = %(mdre-normal)s
-mdpr-ddos = lost connection after(?! DATA) [A-Z]+
+mdpr-ddos = (?:lost connection after(?! DATA) [A-Z]+|disconnect(?= from \S+(?: \S+=\d+)* auth=0/(?:[1-9]|\d\d+)))
mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?
mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
mdre-aggressive = %(mdre-auth2)s
%(mdre-normal)s
+mdpr-errors = too many errors after \S+
+mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$
failregex = <mdre-<mode>>
# Usage example (for jail.local):
# [postfix]
# mode = aggressive
+#
# # or another jail (rewrite filter parameters of jail):
# [postfix-rbl]
# filter = postfix[mode=rbl]
#
+# # jail to match "too many errors", related postconf `smtpd_hard_error_limit`:
+# # (normally included in other modes (normal, more, extra, aggressive), but this jail'd allow to ban on the first message)
+# [postfix-many-errors]
+# filter = postfix[mode=errors]
+# maxretry = 1
+#
mode = more
ignoreregex =
-# Fail2Ban fitler for the Proftpd FTP daemon
+# Fail2Ban filter for the Proftpd FTP daemon
#
# Set "UseReverseDNS off" in proftpd.conf to avoid the need for DNS.
# See: http://www.proftpd.org/docs/howto/DNS.html
_daemon = proftpd
-__suffix_failed_login = (User not authorized for login|No such user found|Incorrect password|Password expired|Account disabled|Invalid shell: '\S+'|User in \S+|Limit (access|configuration) denies login|Not a UserAlias|maximum login length exceeded).?
+__suffix_failed_login = ([uU]ser not authorized for login|[nN]o such user found|[iI]ncorrect password|[pP]assword expired|[aA]ccount disabled|[iI]nvalid shell: '\S+'|[uU]ser in \S+|[lL]imit (access|configuration) denies login|[nN]ot a UserAlias|[mM]aximum login length exceeded)
-prefregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ <F-CONTENT>(?:USER|SECURITY|Maximum).+</F-CONTENT>$
+prefregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ <F-CONTENT>(?:USER|SECURITY|Maximum) .+</F-CONTENT>$
-failregex = ^USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$
- ^USER .* \(Login failed\): %(__suffix_failed_login)s\s*$
- ^SECURITY VIOLATION: .* login attempted\. *$
- ^Maximum login attempts \(\d+\) exceeded *$
+failregex = ^USER <F-USER>\S+|.*?</F-USER>(?: \(Login failed\))?: %(__suffix_failed_login)s
+ ^SECURITY VIOLATION: <F-USER>\S+|.*?</F-USER> login attempted
+ ^Maximum login attempts \(\d+\) exceeded
ignoreregex =
[Definition]
-_daemon = fail2ban\.actions\s*
+_daemon = (?:fail2ban(?:-server|\.actions)\s*)
-# The name of the jail that this filter is used for. In jail.conf, name the
-# jail using this filter 'recidive', or change this line!
+# The name of the jail that this filter is used for. In jail.conf, name the jail using
+# this filter 'recidive', or supply another name with `filter = recidive[_jailname="jail"]`
_jailname = recidive
-failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
+failregex = ^%(__prefix_line)s(?:\s*fail2ban\.actions\s*%(__pid_re)s?:\s+)?NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
-ignoreregex =
+datepattern = ^{DATE}
-[Init]
+ignoreregex =
journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5
failregex = ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> from <HOST>(?:(?:\([^\)]*\))?\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$
^(?:<[\w]+> )?Failed login for <F-USER>.*</F-USER> from <HOST> in session \w+( \(error: \d\))?$
-ignoreregex =
+ignoreregex = Could not connect to .* Connection refused
journalmatch = SYSLOG_IDENTIFIER=roundcube
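Review bot: The new `ignoreregex = Could not connect to .* Connection refused` is unanchored, so it discards any line containing that text anywhere. That includes the `<F-USER>.*</F-USER>` field of the two failregex lines above it, which is supplied by the client. If roundcube logs the user name verbatim (not visible in this hunk), such a failed login would never be counted toward a ban. Binding the ignore pattern to where the backend error is printed, after `from <HOST>`, would keep the exemption for mail-store outages without that gap. A comment such as `# ignore failures caused by an unreachable backend, not by the client` would record the intent.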
[Definition]
_daemon = (?:sendmail|sm-(?:mta|acceptingconnections))
+# "\w{14,20}" will give support for IDs from 14 up to 20 characters long
+__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?
+addr = (?:IPv6:<IP6>|<IP4>)
-failregex = ^%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
+prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
+failregex = ^(\S+ )?\[%(addr)s\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
+ ^AUTH failure \(LOGIN\):(?: [^:]+:)? authentication failure: checkpass failed, user=<F-USER>(?:\S+|.*?)</F-USER>, relay=(?:\S+ )?\[%(addr)s\](?: \(may be forged\))?$
ignoreregex =
journalmatch = _SYSTEMD_UNIT=sendmail.service
[Definition]
_daemon = (?:(sm-(mta|acceptingconnections)|sendmail))
+__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?
+addr = (?:IPv6:<IP6>|<IP4>)
-prefregex = ^<F-MLFID>%(__prefix_line)s(?:\w{14}: )?</F-MLFID><F-CONTENT>.+</F-CONTENT>$
+prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
-cmnfailre = ^ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[<HOST>\](?: \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\])|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
- ^ruleset=check_relay, arg1=(?P<dom>\S+), arg2=<HOST>, relay=((?P=dom) )?\[(\d+\.){3}\d+\](?: \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
- ^rejecting commands from (\S* )?\[<HOST>\] due to pre-greeting traffic after \d+ seconds$
- ^(?:\S+ )?\[<HOST>\]: (?:(?i)expn|vrfy) \S+ \[rejected\]$
+cmnfailre = ^ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[%(addr)s\](?: \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\])|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
+ ^ruleset=check_relay, arg1=(?P<dom>\S+), arg2=%(addr)s, relay=((?P=dom) )?\[(\d+\.){3}\d+\](?: \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
+ ^rejecting commands from (\S* )?\[%(addr)s\] due to pre-greeting traffic after \d+ seconds$
+ ^(?:\S+ )?\[%(addr)s\]: (?:(?i)expn|vrfy) \S+ \[rejected\]$
^<[^@]+@[^>]+>\.\.\. No such user here$
- ^<F-NOFAIL>from=<[^@]+@[^>]+></F-NOFAIL>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[<HOST>\]$
+ ^<F-NOFAIL>from=<[^@]+@[^>]+></F-NOFAIL>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[%(addr)s\]$
mdre-normal =
-mdre-extra = ^(?:\S+ )?\[<HOST>\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to M(?:TA|SP)(?:-\w+)?$
+mdre-extra = ^(?:\S+ )?\[%(addr)s\](?: \(may be forged\))? did not issue \S+ during connection
mdre-aggressive = %(mdre-extra)s
ignoreregex =
-journalmatch = _SYSTEMD_UNIT=sendmail.service
+journalmatch = SYSLOG_IDENTIFIER=sm-mta + _SYSTEMD_UNIT=sendmail.service
# DEV NOTES:
#
--- /dev/null
+# Fail2Ban filter for SoftEtherVPN
+# Detecting unauthorized access to SoftEtherVPN
+# typically logged in /usr/local/vpnserver/security_log/*/sec.log, or in syslog, depending on configuration
+
+[INCLUDES]
+before = common.conf
+
+[Definition]
+failregex = ^%(__prefix_line)s(?:(?:\([\d\-]+ [\d:.]+\) )?<SECURITY_LOG>: )?Connection "[^"]+": User authentication failed. The user name that has been provided was "<F-USER>(?:[^"]+|.+)</F-USER>", from <ADDR>\.$
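Review bot: In the added `failregex` the period in `User authentication failed. The user name` is unescaped, so it matches any character, whereas the closing `<ADDR>\.$` escapes its full stop. Writing `failed\. The user name` keeps the pattern tied to the exact message. The end anchor after `<ADDR>\.` is what keeps the captured address independent of the quoted, client-supplied user name. A one-line comment such as `# keep the $ anchor: the user name is client-supplied` would stop it from being relaxed later.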
[Definition]
-failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '<HOST>' for user '.*' might not have worked( - password policy: \d* grace: -?\d* expire: -?\d* bound: -?\d*)?\s*$
+failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '<HOST>(?:,[^']*)?' for user '[^']*' might not have worked( - password policy: \d* grace: -?\d* expire: -?\d* bound: -?\d*)?\s*$
ignoreregex = "^<ADDR>"
# optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
__pref = (?:(?:error|fatal): (?:PAM: )?)?
# optional suffix (logged from several ssh versions) like " [preauth]"
-__suff = (?: \[preauth\])?\s*
-__on_port_opt = (?: port \d+)?(?: on \S+(?: port \d+)?)?
+#__suff = (?: port \d+)?(?: \[preauth\])?\s*
+__suff = (?: (?:port \d+|on \S+|\[preauth\])){0,3}\s*
+__on_port_opt = (?: (?:port \d+|on \S+)){0,2}
+# close by authenticating user:
+__authng_user = (?: (?:invalid|authenticating) user <F-USER>\S+|.*?</F-USER>)?
# for all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found",
# see ssherr.c for all possible SSH_ERR_..._ALG_MATCH errors.
__alg_match = (?:(?:\w+ (?!found\b)){0,2}\w+)
+# PAM authentication mechanism, can be overridden, e. g. `filter = sshd[__pam_auth='pam_ldap']`:
+__pam_auth = pam_[a-z]+
+
[Definition]
prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID>%(__pref)s<F-CONTENT>.+</F-CONTENT>$
-cmnfailre = ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \S+)?\s*%(__suff)s$
- ^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>\s*%(__suff)s$
- ^Failed \S+ for invalid user <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
- ^Failed \b(?!publickey)\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
- ^<F-USER>ROOT</F-USER> LOGIN REFUSED.* FROM <HOST>\s*%(__suff)s$
- ^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>%(__on_port_opt)s\s*$
- ^User <F-USER>.+</F-USER> from <HOST> not allowed because not listed in AllowUsers\s*%(__suff)s$
- ^User <F-USER>.+</F-USER> from <HOST> not allowed because listed in DenyUsers\s*%(__suff)s$
- ^User <F-USER>.+</F-USER> from <HOST> not allowed because not in any group\s*%(__suff)s$
- ^refused connect from \S+ \(<HOST>\)\s*%(__suff)s$
+cmnfailre = ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \S+)?%(__suff)s$
+ ^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>%(__suff)s$
+ <cmnfailre-failed-pub-<publickey>>
+ ^Failed <cmnfailed> for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
+ ^<F-USER>ROOT</F-USER> LOGIN REFUSED FROM <HOST>
+ ^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>%(__suff)s$
+ ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because not listed in AllowUsers%(__suff)s$
+ ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because listed in DenyUsers%(__suff)s$
+ ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because not in any group%(__suff)s$
+ ^refused connect from \S+ \(<HOST>\)
^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$
- ^User <F-USER>.+</F-USER> from <HOST> not allowed because a group is listed in DenyGroups\s*%(__suff)s$
- ^User <F-USER>.+</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*%(__suff)s$
- ^pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=<F-USER>\S*</F-USER>\s*rhost=<HOST>\s.*%(__suff)s$
- ^(error: )?maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
- ^User <F-USER>.+</F-USER> not allowed because account is locked%(__suff)s
- ^<F-MLFFORGET>Disconnecting</F-MLFFORGET>: Too many authentication failures(?: for <F-USER>.+?</F-USER>)?%(__suff)s
- ^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>: 11:
- ^<F-NOFAIL>Connection <F-MLFFORGET>closed</F-MLFFORGET></F-NOFAIL> by <HOST>%(__suff)s$
- ^<F-MLFFORGET><F-NOFAIL>Accepted publickey</F-NOFAIL></F-MLFFORGET> for \S+ from <HOST>(?:\s|$)
+ ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because a group is listed in DenyGroups%(__suff)s$
+ ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups%(__suff)s$
+ ^<F-NOFAIL>%(__pam_auth)s\(sshd:auth\):\s+authentication failure;</F-NOFAIL>(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}\s+ruser=<F-ALT_USER>\S*</F-ALT_USER>\s+rhost=<HOST>(?:\s+user=<F-USER>\S*</F-USER>)?%(__suff)s$
+ ^maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
+ ^User <F-USER>\S+|.*?</F-USER> not allowed because account is locked%(__suff)s
+ ^<F-MLFFORGET>Disconnecting</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\S+</F-USER> <HOST>%(__on_port_opt)s:\s*Change of username or service not allowed:\s*.*\[preauth\]\s*$
+ ^Disconnecting: Too many authentication failures(?: for <F-USER>\S+|.*?</F-USER>)?%(__suff)s$
+ ^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>%(__on_port_opt)s:\s*11:
+ <mdre-<mode>-other>
+ ^<F-MLFFORGET><F-MLFGAINED>Accepted \w+</F-MLFGAINED></F-MLFFORGET> for <F-USER>\S+</F-USER> from <HOST>(?:\s|$)
+
+cmnfailed-any = \S+
+cmnfailed-ignore = \b(?!publickey)\S+
+cmnfailed-invalid = <cmnfailed-ignore>
+cmnfailed-nofail = (?:<F-NOFAIL>publickey</F-NOFAIL>|\S+)
+cmnfailed = <cmnfailed-<publickey>>
mdre-normal =
+# used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode)
+mdre-normal-other = ^<F-NOFAIL><F-MLFFORGET>(Connection closed|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s <HOST>(?:%(__suff)s|\s*)$
-mdre-ddos = ^Did not receive identification string from <HOST>%(__suff)s$
- ^Connection <F-MLFFORGET>reset</F-MLFFORGET> by <HOST>%(__on_port_opt)s%(__suff)s
+mdre-ddos = ^Did not receive identification string from <HOST>
+ ^kex_exchange_identification: (?:[Cc]lient sent invalid protocol identifier|[Cc]onnection closed by remote host)
+ ^Bad protocol version identification '.*' from <HOST>
^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL> (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:
- ^Read from socket failed: Connection <F-MLFFORGET>reset</F-MLFFORGET> by peer%(__suff)s
+ ^Read from socket failed: Connection <F-MLFFORGET>reset</F-MLFFORGET> by peer
+# same as mdre-normal-other, but as failure (without <F-NOFAIL>) and [preauth] only:
+mdre-ddos-other = ^<F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET> (?:by|from)%(__authng_user)s <HOST>%(__on_port_opt)s\s+\[preauth\]\s*$
-mdre-extra = ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*14: No supported authentication methods available%(__suff)s$
+mdre-extra = ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*14: No(?: supported)? authentication methods available
^Unable to negotiate with <HOST>%(__on_port_opt)s: no matching <__alg_match> found.
- ^Unable to negotiate a <__alg_match>%(__suff)s$
+ ^Unable to negotiate a <__alg_match>
^no matching <__alg_match> found:
+# part of mdre-ddos-other, but user name is supplied (invalid/authenticating) on [preauth] phase only:
+mdre-extra-other = ^<F-MLFFORGET>Disconnected</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\S+|.*?</F-USER> <HOST>%(__on_port_opt)s \[preauth\]\s*$
mdre-aggressive = %(mdre-ddos)s
%(mdre-extra)s
+# mdre-extra-other is fully included within mdre-ddos-other:
+mdre-aggressive-other = %(mdre-ddos-other)s
+
+# Parameter "publickey": nofail (default), invalid, any, ignore
+publickey = nofail
+# consider failed publickey for invalid users only:
+cmnfailre-failed-pub-invalid = ^Failed publickey for invalid user <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
+# consider failed publickey for valid users too (don't need RE, see cmnfailed):
+cmnfailre-failed-pub-any =
+# same as invalid, but consider failed publickey for valid users too, just as no failure (helper to get IP and user-name only, see cmnfailed):
+cmnfailre-failed-pub-nofail = <cmnfailre-failed-pub-invalid>
+# don't consider failed publickey as failures (don't need RE, see cmnfailed):
+cmnfailre-failed-pub-ignore =
cfooterre = ^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
-datepattern = {^LN-BEG}
-
# DEV Notes:
#
# "Failed \S+ for .*? from <HOST>..." failregex uses non-greedy catch-all because
--- /dev/null
+# Fail2ban filter configuration for traefik :: auth
+# used to ban hosts, that were failed through traefik
+#
+# Author: CrazyMax
+#
+# To use 'traefik-auth' filter you have to configure your Traefik instance to write
+# the access logs as describe in https://docs.traefik.io/configuration/logs/#access-logs
+# into a log file on host and specifiy users for Basic Authentication
+# https://docs.traefik.io/configuration/entrypoints/#basic-authentication
+#
+# Example:
+#
+# version: "3.2"
+#
+# services:
+# traefik:
+# image: traefik:latest
+# command:
+# - "--loglevel=INFO"
+# - "--accesslog=true"
+# - "--accessLog.filePath=/var/log/access.log"
+# # - "--accessLog.filters.statusCodes=400-499"
+# - "--defaultentrypoints=http,https"
+# - "--entryPoints=Name:http Address::80"
+# - "--entryPoints=Name:https Address::443 TLS"
+# - "--docker.domain=example.com"
+# - "--docker.watch=true"
+# - "--docker.exposedbydefault=false"
+# - "--api=true"
+# - "--api.dashboard=true"
+# ports:
+# - target: 80
+# published: 80
+# protocol: tcp
+# mode: host
+# - target: 443
+# published: 443
+# protocol: tcp
+# mode: host
+# labels:
+# - "traefik.enable=true"
+# - "traefik.port=8080"
+# - "traefik.backend=traefik"
+# - "traefik.frontend.rule=Host:traefik.example.com"
+# - "traefik.frontend.auth.basic.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/"
+# volumes:
+# - "/var/log/traefik:/var/log"
+# - "/var/run/docker.sock:/var/run/docker.sock"
+# restart: always
+#
+
+[Definition]
+
+# Parameter "method" can be used to specifiy request method
+req-method = \S+
+# Usage example (for jail.local):
+# filter = traefik-auth[req-method="GET|POST|HEAD"]
+
+failregex = ^<HOST> \- <usrre-<mode>> \[\] \"(?:<req-method>) [^\"]+\" 401\b
+
+ignoreregex =
+
+# Parameter "mode": normal (default), ddos or aggressive
+# Usage example (for jail.local):
+# [traefik-auth]
+# mode = aggressive
+# # or another jail (rewrite filter parameters of jail):
+# [traefik-auth-ddos]
+# filter = traefik-auth[mode=ddos]
+#
+mode = normal
+
+# part of failregex matches user name (must be available in normal mode, must be empty in ddos mode, and both for aggressive mode):
+usrre-normal = (?!- )<F-USER>\S+</F-USER>
+usrre-ddos = -
+usrre-aggressive = <F-USER>\S+</F-USER>
\ No newline at end of file
--- /dev/null
+# Fail2Ban filter for ZNC (requires adminlog module)
+#
+# to use this module, enable the adminlog module from within ZNC and point
+# logpath to its logfile (e.g. /var/lib/znc/moddata/adminlog/znc.log).
+
+[DEFAULT]
+
+logtype = file
+
+[Definition]
+
+_daemon = znc
+
+# Prefix for different logtype (file, journal):
+#
+__prefix_file = (?:\[\]\s+)?
+__prefix_short = (?:\S+\s+%(_daemon)s\[\d+\]:)\s+
+__prefix_journal = %(__prefix_short)s
+
+__prefix_line = <__prefix_<logtype>>
+
+failregex = ^%(__prefix_line)s\[[^]]+\] failed to login from <ADDR>
+
+ignoreregex =
+
+journalmatch = _SYSTEMD_UNIT=znc.service + _COMM=znc
+
+# DEV Notes:
+# Log format is: [<DATE+TIME>] [<USERNAME>] <ACTION> from <ADDR>
+# [2018-10-27 01:40:17] [girst] connected to ZNC from 1.2.3.4
+# [2018-10-27 01:40:21] [girst] disconnected from ZNC from 1.2.3.4
+# [2018-10-27 01:40:55] [girst] failed to login from 1.2.3.4
+#
+# Author: Tobias Girstmair (//gir.st/)
# MISCELLANEOUS OPTIONS
#
-# "ignorself" specifies whether the local resp. own IP addresses should be ignored
+# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
+# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
+#bantime.increment = true
+
+# "bantime.rndtime" is the max number of seconds using for mixing with random time
+# to prevent "clever" botnets calculate exact time IP can be unbanned again:
+#bantime.rndtime =
+
+# "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further)
+#bantime.maxtime =
+
+# "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
+# default value of factor is 1 and with default value of formula, the ban time
+# grows by 1, 2, 4, 8, 16 ...
+#bantime.factor = 1
+
+# "bantime.formula" used by default to calculate next value of ban time, default value below,
+# the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32...
+#bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
+#
+# more aggressive example of formula has the same values only for factor "2.0 / 2.885385" :
+#bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)
+
+# "bantime.multipliers" used to calculate next value of ban time instead of formula, coresponding
+# previously ban count and given "bantime.factor" (for multipliers default is 1);
+# following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count,
+# always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours
+#bantime.multipliers = 1 2 4 8 16 32 64
+# following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin,
+# for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day
+#bantime.multipliers = 1 5 30 60 300 720 1440 2880
+
+# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed
+# cross over all jails, if false (dafault), only current jail of the ban IP will be searched
+#bantime.overalljails = false
+
+# --------------------
+
+# "ignoreself" specifies whether the local resp. own IP addresses should be ignored
# (default is true). Fail2ban will not ban a host which matches such addresses.
-#ignorself = true
+#ignoreself = true
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
+# "maxmatches" is the number of matches stored in ticket (resolvable via tag <matches> in actions).
+maxmatches = %(maxretry)s
+
# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
banaction_allports = iptables-allports
# The simplest action to take: ban only
-action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
-action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
- %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
+action_mw = %(action_)s
+ %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
-action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
- %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
+action_mwl = %(action_)s
+ %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
-action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
- xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
+action_xarf = %(action_)s
+ xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
# to the destemail.
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
- %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
+ %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
# Report block via blocklist.de fail2ban reporting service API
#
# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in
# corresponding jail.d/my-jail.local file).
#
-action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
+action_blocklist_de = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
# Report ban via badips.com, and use as blacklist
#
[openhab-auth]
filter = openhab
-action = iptables-allports[name=NoAuthFailures]
+banaction = %(banaction_allports)s
logpath = /opt/openhab/logs/request.log
port = http,https
logpath = /var/log/tomcat*/catalina.out
+#logpath = /var/log/guacamole.log
[monit]
#Ban clients brute-forcing the monit gui login
port = 2812
logpath = /var/log/monit
+ /var/log/monit.log
[webmin-auth]
[nsd]
port = 53
-action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
- %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
+ %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
logpath = /var/log/nsd.log
[asterisk]
port = 5060,5061
-action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
- %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
- %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
+action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
+ %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
logpath = /var/log/asterisk/messages
maxretry = 10
[freeswitch]
port = 5060,5061
-action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
- %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
- %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
+action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
+ %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
logpath = /var/log/freeswitch.log
maxretry = 10
+# enable adminlog; it will log to a file inside znc's directory by default.
+[znc-adminlog]
+
+port = 6667
+logpath = /var/lib/znc/moddata/adminlog/znc.log
+
+
# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
# equivalent section:
-# log-warning = 2
+# log-warnings = 2
#
# for syslog (daemon facility)
# [mysqld_safe]
[counter-strike]
logpath = /opt/cstrike/logs/L[0-9]*.log
-# Firewall: http://www.cstrike-planet.com/faq/6
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
-action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
- %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+action_ = %(default/action_)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp"]
+ %(default/action_)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp"]
+
+[softethervpn]
+port = 500,4500
+protocol = udp
+logpath = /usr/local/vpnserver/security_log/*/sec.log
+
+[gitlab]
+port = http,https
+logpath = /var/log/gitlab/gitlab-rails/application.log
+
+[grafana]
+port = http,https
+logpath = /var/log/grafana/grafana.log
+
+[bitwarden]
+port = http,https
+logpath = /home/*/bwdata/logs/identity/Identity/log.txt
+
+[centreon]
+port = http,https
+logpath = /var/log/centreon/login.log
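Review bot: The `[bitwarden]` logpath `/home/*/bwdata/logs/identity/Identity/log.txt` is a glob over every home directory. On a multi-user host, any local account that creates that path in its own home can feed lines to this jail and, depending on the filter, get arbitrary addresses banned. The other jails added in this hunk read from locations that are typically root-owned (`/var/log/...`, `/usr/local/vpnserver/...`). When enabling the jail, pin the path in `jail.local` to the one account that runs Bitwarden, e.g. `logpath = /home/<bitwarden-user>/bwdata/logs/identity/Identity/log.txt` (placeholder user name).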
# consider low maxretry and a long bantime
# nobody except your own Nagios server should ever probe nrpe
logpath = %(apache_access_log)s
blocktype = RETURN
returntype = DROP
-action = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s]
+action = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s,
+ actionstart_on_demand=false, actionrepair_on_unban=true]
bantime = 1h
maxretry = 1
findtime = 1
[murmur]
# AKA mumble-server
port = 64738
-action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
- %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
+action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
+ %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
logpath = /var/log/mumble-server/mumble-server.log
port = http,https
logpath = %(apache_error_log)s
+[traefik-auth]
+# to use 'traefik-auth' filter you have to configure your Traefik instance,
+# see `filter.d/traefik-auth.conf` for details and service example.
+port = http,https
+logpath = /var/log/traefik/access.log
<family>DejaVu Sans Mono</family>
</accept>
</alias>
- <!-- Generic name assignment -->
- <alias>
- <family>DejaVu Sans Mono</family>
- <default>
- <family>monospace</family>
- </default>
- </alias>
- <!-- Generic name aliasing -->
- <alias>
- <family>monospace</family>
- <prefer>
- <family>DejaVu Sans Mono</family>
- </prefer>
- </alias>
</fontconfig>
<family>DejaVu Sans</family>
</accept>
</alias>
- <!-- Generic name assignment -->
- <alias>
- <family>DejaVu Sans</family>
- <default>
- <family>sans-serif</family>
- </default>
- </alias>
- <!-- Generic name aliasing -->
- <alias>
- <family>sans-serif</family>
- <prefer>
- <family>DejaVu Sans</family>
- </prefer>
- </alias>
</fontconfig>
<family>DejaVu Serif</family>
</accept>
</alias>
- <!-- Generic name assignment -->
- <alias>
- <family>DejaVu Serif</family>
- <default>
- <family>serif</family>
- </default>
- </alias>
- <!-- Generic name aliasing -->
- <alias>
- <family>serif</family>
- <prefer>
- <family>DejaVu Serif</family>
- </prefer>
- </alias>
</fontconfig>
<!-- Font directory list -->
<dir>/usr/share/fonts</dir>
- <dir>/usr/X11R6/lib/X11/fonts</dir> <dir>/usr/local/share/fonts</dir>
+ <dir>/usr/local/share/fonts</dir>
<dir prefix="xdg">fonts</dir>
<!-- the following element will be removed in the future -->
<dir>~/.fonts</dir>
kvm:x:106:
render:x:120:
systemd-coredump:x:999:
+tcpdump:x:121:
nagios:x:119:
kvm:x:106:
render:x:120:
+systemd-coredump:x:999:
--- /dev/null
+root:x:0:frank
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:frank,gitdeploy
+disk:x:6:frank
+lp:x:7:frank
+mail:x:8:frank
+news:x:9:
+uucp:x:10:
+man:x:12:
+proxy:x:13:
+kmem:x:15:
+dialout:x:20:
+fax:x:21:
+voice:x:22:
+cdrom:x:24:
+floppy:x:25:
+tape:x:26:
+sudo:x:27:
+audio:x:29:frank
+dip:x:30:
+www-data:x:33:
+backup:x:34:
+operator:x:37:frank,gitdeploy
+list:x:38:
+irc:x:39:
+src:x:40:
+gnats:x:41:
+shadow:x:42:
+utmp:x:43:
+video:x:44:frank
+sasl:x:45:
+plugdev:x:46:
+staff:x:50:frank,doris,patrick,gitdeploy
+games:x:60:frank,doris,patrick
+users:x:100:
+nogroup:x:65534:
+input:x:101:
+systemd-journal:x:102:
+systemd-timesync:x:103:
+systemd-network:x:104:
+systemd-resolve:x:105:
+crontab:x:107:frank,gitdeploy
+netdev:x:108:
+ssh:x:109:
+ssl-cert:x:110:
+postfix:x:111:
+postdrop:x:112:
+mlocate:x:113:frank,doris,patrick
+bind:x:114:
+git-commiters:x:222:frank,doris,patrick
+ulog:x:115:
+openldap:x:116:
+messagebus:x:117:
+_chrony:x:118:
+nagios:x:119:
+kvm:x:106:
+render:x:120:
+systemd-coredump:x:999:
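Review bot: `frank` is a supplementary member of `root` (gid 0) and `disk` (gid 6) in this newly added group file while `sudo` is left empty, so that account gets standing access that no sudo rule or sudo log covers. `disk` membership normally allows reading and writing the raw block devices, which bypasses file permissions altogether. If this is not deliberate, the entries should read `root:x:0:` and `disk:x:6:`, with administrative access granted through `sudo` instead. `gitdeploy` in `staff`, `operator` and `crontab` deserves the same check, since on Debian-style systems `staff` can usually write under /usr/local; confirm that a deploy account needs that.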
cat <<EOF
# GRUB lacks write support for $abstraction, so recordfail support is disabled.
EOF
- return
+ return 1
;;
esac
done
cat <<EOF
# GRUB lacks write support for $FS, so recordfail support is disabled.
EOF
- return
+ return 1
;;
esac
EOF
}
- check_writable
+ if ! check_writable; then
+ recordfail_broken=1
+ fi
cat <<EOF
}
fi
fi
EOF
+if [ "$recordfail_broken" = 1 ]; then
+ cat << EOF
+if [ \$grub_platform = efi ]; then
+ set timeout=${GRUB_RECORDFAIL_TIMEOUT:-30}
+ if [ x\$feature_timeout_style = xy ] ; then
+ set timeout_style=menu
+ fi
+fi
+EOF
+fi
}
if [ "x$GRUB_BUTTON_CMOS_ADDRESS" != "x" ]; then
if [ -e /usr/share/plymouth/themes/default.grub ]; then
sed "s/^/${1}/" /usr/share/plymouth/themes/default.grub
fi
- # For plymouth backward compatiblity. Can be removed
+ # For plymouth backward compatibility. Can be removed
# after xenial.
if [ -e /lib/plymouth/themes/default.grub ]; then
sed "s/^/${1}/" /lib/plymouth/themes/default.grub
fi
# Step #5: Check if GRUB can read the background image directly.
- # If so, we can remove the cache file (if any). Otherwise the backgound
+ # If so, we can remove the cache file (if any). Otherwise the background
# image needs to be cached under /boot/grub/.
if is_path_readable_by_grub "${1}"; then
rm --force "${BACKGROUND_CACHE}.jpeg" \
;;
esac
+# Default to disabling partition uuid support to maintian compatibility with
+# older kernels.
+GRUB_DISABLE_LINUX_PARTUUID=${GRUB_DISABLE_LINUX_PARTUUID-true}
+
# btrfs may reside on multiple devices. We cannot pass them as value of root= parameter
# and mounting btrfs requires user space scanning, so force UUID in this case.
-if [ "x${GRUB_DEVICE_UUID}" = "x" ] || [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ] \
- || ! test -e "/dev/disk/by-uuid/${GRUB_DEVICE_UUID}" \
+if ( [ "x${GRUB_DEVICE_UUID}" = "x" ] && [ "x${GRUB_DEVICE_PARTUUID}" = "x" ] ) \
+ || ( [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ] \
+ && [ "x${GRUB_DISABLE_LINUX_PARTUUID}" = "xtrue" ] ) \
+ || ( ! test -e "/dev/disk/by-uuid/${GRUB_DEVICE_UUID}" \
+ && ! test -e "/dev/disk/by-partuuid/${GRUB_DEVICE_PARTUUID}" ) \
|| ( test -e "${GRUB_DEVICE}" && uses_abstraction "${GRUB_DEVICE}" lvm ); then
LINUX_ROOT_DEVICE=${GRUB_DEVICE}
+elif [ "x${GRUB_DEVICE_UUID}" = "x" ] \
+ || [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ]; then
+ LINUX_ROOT_DEVICE=PARTUUID=${GRUB_DEVICE_PARTUUID}
else
LINUX_ROOT_DEVICE=UUID=${GRUB_DEVICE_UUID}
fi
echo '$(echo "$message" | grub_quote)'
EOF
fi
+ initrd_path=
+ for i in ${initrd}; do
+ initrd_path="${initrd_path} ${rel_dirname}/${i}"
+ done
sed "s/^/$submenu_indentation/" << EOF
- initrd ${rel_dirname}/${initrd}
+ initrd $(echo $initrd_path)
EOF
fi
sed "s/^/$submenu_indentation/" << EOF
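Review bot: The new `for i in ${initrd}` loop and `initrd $(echo $initrd_path)` depend on unquoted word splitting, and nothing in the hunk says so. An entry in `GRUB_EARLY_INITRD_LINUX_CUSTOM` that contains a space or a glob character would be split or expanded before it reaches the generated `initrd` line. I would document the contract above the loop: `# ${initrd} is a whitespace-separated list of file names relative to ${rel_dirname}; it is split on purpose, so names must not contain spaces or glob characters`. The same pattern appears in the later hunk that builds `${module_loader} --nounzip $(echo $initrd_path)`. The enclosing function starts and ends outside this hunk.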
alt_version=`echo $version | sed -e "s,\.old$,,g"`
linux_root_device_thisversion="${LINUX_ROOT_DEVICE}"
- initrd=
+ initrd_early=
+ for i in ${GRUB_EARLY_INITRD_LINUX_STOCK} \
+ ${GRUB_EARLY_INITRD_LINUX_CUSTOM}; do
+ if test -e "${dirname}/${i}" ; then
+ initrd_early="${initrd_early} ${i}"
+ fi
+ done
+
+ initrd_real=
for i in "initrd.img-${version}" "initrd-${version}.img" "initrd-${version}.gz" \
"initrd-${version}" "initramfs-${version}.img" \
"initrd.img-${alt_version}" "initrd-${alt_version}.img" \
"initramfs-genkernel-${GENKERNEL_ARCH}-${version}" \
"initramfs-genkernel-${GENKERNEL_ARCH}-${alt_version}"; do
if test -e "${dirname}/${i}" ; then
- initrd="$i"
+ initrd_real="${i}"
break
fi
done
+ initrd=
+ if test -n "${initrd_early}" || test -n "${initrd_real}"; then
+ initrd="${initrd_early} ${initrd_real}"
+
+ initrd_display=
+ for i in ${initrd}; do
+ initrd_display="${initrd_display} ${dirname}/${i}"
+ done
+ gettext_printf "Found initrd image: %s\n" "$(echo $initrd_display)" >&2
+ fi
+
config=
for i in "${dirname}/config-${version}" "${dirname}/config-${alt_version}" "/etc/kernels/kernel-config-${version}" ; do
if test -e "${i}" ; then
initramfs=`grep CONFIG_INITRAMFS_SOURCE= "${config}" | cut -f2 -d= | tr -d \"`
fi
- if test -n "${initrd}" ; then
- gettext_printf "Found initrd image: %s\n" "${dirname}/${initrd}" >&2
- elif test -z "${initramfs}" ; then
+ if test -z "${initramfs}" && test -z "${initrd_real}" ; then
# "UUID=" and "ZFS=" magic is parsed by initrd or initramfs. Since there's
# no initrd or builtin initramfs, it can't work here.
- linux_root_device_thisversion=${GRUB_DEVICE}
+ if [ "x${GRUB_DEVICE_PARTUUID}" = "x" ] \
+ || [ "x${GRUB_DISABLE_LINUX_PARTUUID}" = "xtrue" ]; then
+
+ linux_root_device_thisversion=${GRUB_DEVICE}
+ else
+ linux_root_device_thisversion=PARTUUID=${GRUB_DEVICE_PARTUUID}
+ fi
fi
if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xy ]; then
;;
esac
+# Default to disabling partition uuid support to maintian compatibility with
+# older kernels.
+GRUB_DISABLE_LINUX_PARTUUID=${GRUB_DISABLE_LINUX_PARTUUID-true}
+
# btrfs may reside on multiple devices. We cannot pass them as value of root= parameter
# and mounting btrfs requires user space scanning, so force UUID in this case.
-if [ "x${GRUB_DEVICE_UUID}" = "x" ] || [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ] \
- || ! test -e "/dev/disk/by-uuid/${GRUB_DEVICE_UUID}" \
+if ( [ "x${GRUB_DEVICE_UUID}" = "x" ] && [ "x${GRUB_DEVICE_PARTUUID}" = "x" ] ) \
+ || ( [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ] \
+ && [ "x${GRUB_DISABLE_LINUX_PARTUUID}" = "xtrue" ] ) \
+ || ( ! test -e "/dev/disk/by-uuid/${GRUB_DEVICE_UUID}" \
+ && ! test -e "/dev/disk/by-partuuid/${GRUB_DEVICE_PARTUUID}" ) \
|| ( test -e "${GRUB_DEVICE}" && uses_abstraction "${GRUB_DEVICE}" lvm ); then
LINUX_ROOT_DEVICE=${GRUB_DEVICE}
+elif [ "x${GRUB_DEVICE_UUID}" = "x" ] \
+ || [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ]; then
+ LINUX_ROOT_DEVICE=PARTUUID=${GRUB_DEVICE_PARTUUID}
else
LINUX_ROOT_DEVICE=UUID=${GRUB_DEVICE_UUID}
fi
title_correction_code=
linux_entry ()
+{
+ linux_entry_xsm "$@" false
+ linux_entry_xsm "$@" true
+}
+linux_entry_xsm ()
{
os="$1"
version="$2"
type="$4"
args="$5"
xen_args="$6"
+ xsm="$7"
+ # If user wants to enable XSM support, make sure there's
+ # corresponding policy file.
+ if ${xsm} ; then
+ xenpolicy="xenpolicy-$xen_version"
+ if test ! -e "${xen_dirname}/${xenpolicy}" ; then
+ return
+ fi
+ xen_args="$xen_args flask=enforcing"
+ xen_version="$(gettext_printf "%s (XSM enabled)" "$xen_version")"
+ # xen_version is used for messages only; actual file is xen_basename
+ fi
if [ -z "$boot_device_id" ]; then
boot_device_id="$(grub_get_device_id "${GRUB_DEVICE}")"
fi
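Review bot: `if ${xsm} ; then` runs the seventh argument as a command instead of comparing it, so an empty `$7` expands to an empty command, which succeeds and takes the XSM branch. That can happen if `linux_entry` is ever called with fewer than six arguments, because `"$@" false` then places the flag in an earlier position; the visible lines do not show the call sites, so this is a robustness point rather than a confirmed bug. An explicit string test is safer: `if [ "x${xsm}" = xtrue ] ; then`. The later line `if ${xsm} && test -n "${xenpolicy}" ; then` would become `if [ "x${xsm}" = xtrue ] && test -n "${xenpolicy}" ; then`. The body of `linux_entry_xsm` continues outside this hunk.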
if test -n "${initrd}" ; then
# TRANSLATORS: ramdisk isn't identifier. Should be translated.
message="$(gettext_printf "Loading initial ramdisk ...")"
+ initrd_path=
+ for i in ${initrd}; do
+ initrd_path="${initrd_path} ${rel_dirname}/${i}"
+ done
sed "s/^/$submenu_indentation/" << EOF
echo '$(echo "$message" | grub_quote)'
- ${module_loader} --nounzip ${rel_dirname}/${initrd}
+ ${module_loader} --nounzip $(echo $initrd_path)
+EOF
+ fi
+ if ${xsm} && test -n "${xenpolicy}" ; then
+ message="$(gettext_printf "Loading XSM policy ...")"
+ sed "s/^/$submenu_indentation/" << EOF
+ echo '$(echo "$message" | grub_quote)'
+ ${module_loader} ${rel_dirname}/${xenpolicy}
EOF
fi
sed "s/^/$submenu_indentation/" << EOF
exit 0
fi
-file_is_not_sym () {
+file_is_not_xen_garbage () {
case "$1" in
*/xen-syms-*)
return 1;;
+ */xenpolicy-*)
+ return 1;;
+ */*.config)
+ return 1;;
*)
return 0;;
esac
xen_list=
for i in /boot/xen*; do
- if grub_file_is_not_garbage "$i" && file_is_not_sym "$i" ; then xen_list="$xen_list $i" ; fi
+ if grub_file_is_not_garbage "$i" && file_is_not_xen_garbage "$i" ; then xen_list="$xen_list $i" ; fi
done
prepare_boot_cache=
boot_device_id=
if [ "x$is_top_level" != xtrue ]; then
echo " submenu '$(gettext_printf "Xen hypervisor, version %s" "${xen_version}" | grub_quote)' \$menuentry_id_option 'xen-hypervisor-$xen_version-$boot_device_id' {"
fi
- if ($grub_file --is-x86-multiboot2 $current_xen); then
- xen_loader="multiboot2"
- module_loader="module2"
+ if ($grub_file --is-arm64-efi $current_xen); then
+ xen_loader="xen_hypervisor"
+ module_loader="xen_module"
else
- xen_loader="multiboot"
- module_loader="module"
+ if ($grub_file --is-x86-multiboot2 $current_xen); then
+ xen_loader="multiboot2"
+ module_loader="module2"
+ else
+ xen_loader="multiboot"
+ module_loader="module"
+ fi
fi
+
+ initrd_early=
+ for i in ${GRUB_EARLY_INITRD_LINUX_STOCK} \
+ ${GRUB_EARLY_INITRD_LINUX_CUSTOM}; do
+ if test -e "${xen_dirname}/${i}" ; then
+ initrd_early="${initrd_early} ${i}"
+ fi
+ done
+
while [ "x$list" != "x" ] ; do
linux=`version_find_latest $list`
gettext_printf "Found linux image: %s\n" "$linux" >&2
alt_version=`echo $version | sed -e "s,\.old$,,g"`
linux_root_device_thisversion="${LINUX_ROOT_DEVICE}"
- initrd=
+ initrd_real=
for i in "initrd.img-${version}" "initrd-${version}.img" "initrd-${version}.gz" \
"initrd-${version}" "initramfs-${version}.img" \
"initrd.img-${alt_version}" "initrd-${alt_version}.img" \
"initramfs-genkernel-${GENKERNEL_ARCH}-${version}" \
"initramfs-genkernel-${GENKERNEL_ARCH}-${alt_version}" ; do
if test -e "${dirname}/${i}" ; then
- initrd="$i"
+ initrd_real="$i"
break
fi
done
- if test -n "${initrd}" ; then
- gettext_printf "Found initrd image: %s\n" "${dirname}/${initrd}" >&2
- else
+
+ initrd=
+ if test -n "${initrd_early}" || test -n "${initrd_real}"; then
+ initrd="${initrd_early} ${initrd_real}"
+
+ initrd_display=
+ for i in ${initrd}; do
+ initrd_display="${initrd_display} ${dirname}/${i}"
+ done
+ gettext_printf "Found initrd image: %s\n" "$(echo $initrd_display)" >&2
+ fi
+
+ if test -z "${initrd_real}"; then
# "UUID=" magic is parsed by initrds. Since there's no initrd, it can't work here.
- linux_root_device_thisversion=${GRUB_DEVICE}
+ if [ "x${GRUB_DEVICE_PARTUUID}" = "x" ] \
+ || [ "x${GRUB_DISABLE_LINUX_PARTUUID}" = "xtrue" ]; then
+
+ linux_root_device_thisversion=${GRUB_DEVICE}
+ else
+ linux_root_device_thisversion=PARTUUID=${GRUB_DEVICE_PARTUUID}
+ fi
fi
if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xy ]; then
. "${datarootdir}/grub/grub-mkconfig_lib"
-efi_vars_dir=/sys/firmware/efi/vars
+efi_vars_dir=/sys/firmware/efi/efivars
EFI_GLOBAL_VARIABLE=8be4df61-93ca-11d2-aa0d-00e098032b8c
-OsIndications="$efi_vars_dir/OsIndicationsSupported-$EFI_GLOBAL_VARIABLE/data"
+OsIndications="$efi_vars_dir/OsIndicationsSupported-$EFI_GLOBAL_VARIABLE"
if [ -e "$OsIndications" ] && \
- [ "$(( $(printf 0x%x \'"$(cat $OsIndications | cut -b1)") & 1 ))" = 1 ]; then
+ [ "$(( $(printf 0x%x \'"$(cat $OsIndications | cut -b5)") & 1 ))" = 1 ]; then
LABEL="System setup"
gettext_printf "Adding boot menu entry for EFI firmware configuration\n" >&2
kvm:!::
render:!::
systemd-coredump:!!::
+tcpdump:!::
nagios:!::
kvm:!::
render:!::
+systemd-coredump:!!::
address = "127.0.0.1"
address6 = "::1"
- /* Set custom attribute `os` for hostgroup assignment in `groups.conf`. */
+ /* Set custom variable `os` for hostgroup assignment in `groups.conf`. */
vars.os = "Linux"
/* Define http vhost attributes for service apply rules in `services.conf`. */
* The example notification apply rules.
*
* Only applied if host/service objects have
- * the custom attribute `notification` defined
+ * the custom variable `notification` defined
* and containing `mail` as key.
*
* Check `hosts.conf` for an example.
/*
* Apply the `ssh` service to all hosts
* with the `address` attribute defined and
- * the custom attribute `os` set to `Linux`.
+ * the custom variable `os` set to `Linux`.
*/
apply Service "ssh" {
import "generic-service"
--- /dev/null
+object IcingaDB "icingadb" {
+ //host = "127.0.0.1"
+ //port = 6380
+ //password = "xxx"
+}
object OpenTsdbWriter "opentsdb" {
//host = "127.0.0.1"
//port = 4242
+ //enable_generic_metrics = false
+
+ // Custom Tagging, refer to Icinga object type documentation for
+ // OpenTsdbWriter
+ //host_template = {
+ // metric = "icinga.host"
+ // tags = {
+ // zone = "$host.zone$"
+ // }
+ //}
+ //service_template = {
+ // metric = "icinga.service.$service.check_command$"
+ // tags = {
+ // zone = "$service.zone$"
+ // }
+ //}
}
-#!/usr/bin/env bash
-#
-# Copyright (C) 2012-2018 Icinga Development Team (https://icinga.com/)
-# Except of function urlencode which is Copyright (C) by Brian White (brian@aljex.com) used under MIT license
+#!/bin/sh
+# Icinga 2 | (c) 2012 Icinga GmbH | GPLv2+
+# Except of function urlencode which is Copyright (C) by Brian White (brian@aljex.com) used under MIT license
PROG="`basename $0`"
ICINGA2HOST="`hostname`"
}
urlencode() {
- local LANG=C i c e=''
- for ((i=0;i<${#1};i++)); do
- c=${1:$i:1}
- [[ "$c" =~ [a-zA-Z0-9\.\~\_\-] ]] || printf -v c '%%%02X' "'$c"
- e+="$c"
+ local LANG=C i=0 c e s="$1"
+
+ while [ $i -lt ${#1} ]; do
+ [ "$i" -eq 0 ] || s="${s#?}"
+ c=${s%"${s#?}"}
+ [ -z "${c#[[:alnum:].~_-]}" ] || c=$(printf '%%%02X' "'$c")
+ e="${e}${c}"
+ i=$((i + 1))
done
echo "$e"
}
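Review bot: The rewritten `urlencode` declares `e` without a value (`local LANG=C i=0 c e s="$1"`), whereas the removed bash version had `e=''`. With the shebang now `#!/bin/sh`, shells such as dash let a `local` variable without an assignment inherit the value of a same-named variable from the caller's scope. Any existing `e` would therefore be prepended to the encoded result that ends up in the URL. Initialise it explicitly: `local LANG=C i=0 c e='' s="$1"`. The identical function in the second notification script further down needs the same change.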
fi
## Check whether verbose mode was enabled and log to syslog.
-if [ "$VERBOSE" == "true" ] ; then
+if [ "$VERBOSE" = "true" ] ; then
logger "$PROG sends $SUBJECT => $USEREMAIL"
fi
-#!/usr/bin/env bash
-#
-# Copyright (C) 2012-2018 Icinga Development Team (https://icinga.com/)
+#!/bin/sh
+# Icinga 2 | (c) 2012 Icinga GmbH | GPLv2+
# Except of function urlencode which is Copyright (C) by Brian White (brian@aljex.com) used under MIT license
PROG="`basename $0`"
}
urlencode() {
- local LANG=C i c e=''
- for ((i=0;i<${#1};i++)); do
- c=${1:$i:1}
- [[ "$c" =~ [a-zA-Z0-9\.\~\_\-] ]] || printf -v c '%%%02X' "'$c"
- e+="$c"
+ local LANG=C i=0 c e s="$1"
+
+ while [ $i -lt ${#1} ]; do
+ [ "$i" -eq 0 ] || s="${s#?}"
+ c=${s%"${s#?}"}
+ [ -z "${c#[[:alnum:].~_-]}" ] || c=$(printf '%%%02X' "'$c")
+ e="${e}${c}"
+ i=$((i + 1))
done
echo "$e"
}
fi
## Check whether verbose mode was enabled and log to syslog.
-if [ "$VERBOSE" == "true" ] ; then
+if [ "$VERBOSE" = "true" ] ; then
logger "$PROG sends $SUBJECT => $USEREMAIL"
fi
-This directory contains configuration files for cluster zones. If you're not
-running a cluster you can safely ignore this directory.
+Please check the documentation for more details:
+https://icinga.com/docs/icinga2/latest/doc/06-distributed-monitoring/
+++ /dev/null
-#!/bin/sh -e
-
-### BEGIN INIT INFO
-# Provides: bind9
-# Required-Start: $remote_fs
-# Required-Stop: $remote_fs
-# Should-Start: $network $syslog
-# Should-Stop: $network $syslog
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: Start and stop bind9
-# Description: bind9 is a Domain Name Server (DNS)
-# which translates ip addresses to and from internet names
-### END INIT INFO
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin
-
-# for a chrooted server: "-u bind -t /var/lib/named"
-# Don't modify this line, change or create /etc/default/bind9.
-OPTIONS=""
-RESOLVCONF=no
-
-test -f /etc/default/bind9 && . /etc/default/bind9
-
-test -x /usr/sbin/rndc || exit 0
-
-. /lib/lsb/init-functions
-PIDFILE=/run/named/named.pid
-
-check_network() {
- if [ -x /usr/bin/uname ] && [ "X$(/usr/bin/uname -o)" = XSolaris ]; then
- IFCONFIG_OPTS="-au"
- else
- IFCONFIG_OPTS=""
- fi
- if [ -z "$(/sbin/ifconfig $IFCONFIG_OPTS)" ]; then
- #log_action_msg "No networks configured."
- return 1
- fi
- return 0
-}
-
-case "$1" in
- start)
- log_daemon_msg "Starting domain name service..." "bind9"
-
- modprobe capability >/dev/null 2>&1 || true
-
- # dirs under /run can go away on reboots.
- mkdir -p /run/named
- chmod 775 /run/named
- chown root:bind /run/named >/dev/null 2>&1 || true
-
- if [ ! -x /usr/sbin/named ]; then
- log_action_msg "named binary missing - not starting"
- log_end_msg 1
- fi
-
- if ! check_network; then
- log_action_msg "no networks configured"
- log_end_msg 1
- fi
-
- if start-stop-daemon --start --oknodo --quiet --exec /usr/sbin/named \
- --pidfile ${PIDFILE} -- $OPTIONS; then
- if [ "X$RESOLVCONF" != "Xno" ] && [ -x /sbin/resolvconf ] ; then
- echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.named
- fi
- log_end_msg 0
- else
- log_end_msg 1
- fi
- ;;
-
- stop)
- log_daemon_msg "Stopping domain name service..." "bind9"
- if ! check_network; then
- log_action_msg "no networks configured"
- log_end_msg 1
- fi
-
- if [ "X$RESOLVCONF" != "Xno" ] && [ -x /sbin/resolvconf ] ; then
- /sbin/resolvconf -d lo.named
- fi
- pid=$(/usr/sbin/rndc stop -p | awk '/^pid:/ {print $2}') || true
- if [ -z "$pid" ]; then # no pid found, so either not running, or error
- pid=$(pgrep -f ^/usr/sbin/named) || true
- start-stop-daemon --stop --oknodo --quiet --exec /usr/sbin/named \
- --pidfile ${PIDFILE} -- $OPTIONS
- fi
- if [ -n "$pid" ]; then
- sig=0
- n=1
- while kill -$sig $pid 2>/dev/null; do
- if [ $n -eq 1 ]; then
- echo "waiting for pid $pid to die"
- fi
- if [ $n -eq 11 ]; then
- echo "giving up on pid $pid with kill -0; trying -9"
- sig=9
- fi
- if [ $n -gt 20 ]; then
- echo "giving up on pid $pid"
- break
- fi
- n=$(($n+1))
- sleep 1
- done
- fi
- log_end_msg 0
- ;;
-
- reload|force-reload)
- log_daemon_msg "Reloading domain name service..." "bind9"
- if ! check_network; then
- log_action_msg "no networks configured"
- log_end_msg 1
- fi
-
- /usr/sbin/rndc reload >/dev/null && log_end_msg 0 || log_end_msg 1
- ;;
-
- restart)
- if ! check_network; then
- log_action_msg "no networks configured"
- exit 1
- fi
-
- $0 stop
- $0 start
- ;;
-
- status)
- ret=0
- status_of_proc -p ${PIDFILE} /usr/sbin/named bind9 2>/dev/null || ret=$?
- exit $ret
- ;;
-
- *)
- log_action_msg "Usage: /etc/init.d/bind9 {start|stop|reload|restart|force-reload|status}"
- exit 1
- ;;
-esac
-
-exit 0
DAEMON=/usr/sbin/chronyd
NAME="chronyd"
DESC="time daemon"
-PIDFILE=/run/chronyd.pid
-CHRONY_HELPER=/usr/lib/chrony/chrony-helper
+PIDFILE=/run/chrony/chronyd.pid
[ -x "$DAEMON" ] || exit 0
else
log_daemon_msg "Starting $DESC" "$NAME"
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
- if [ -x $CHRONY_HELPER ]; then
- $CHRONY_HELPER update-daemon
- fi
log_end_msg $?
fi
;;
stop)
log_daemon_msg "Stopping $DESC" "$NAME"
- start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE --remove-pidfile --exec $DAEMON
+ start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE --exec $DAEMON
log_end_msg $?
;;
create_machineid
+ # Force libnss-systemd to avoid trying to communicate via D-Bus, which
+ # is never going to work well from within dbus-daemon. systemd
+ # special-cases this internally, but we might need to do the same when
+ # booting with sysvinit if libnss-systemd is still installed.
+ # (Workaround for #940971)
+ export SYSTEMD_NSS_BYPASS_BUS=1
+
log_daemon_msg "Starting $DESC" "$NAME"
start-stop-daemon --start --quiet --pidfile $PIDFILE \
--exec $DAEMON -- --system $PARAMS
-#! /bin/sh
+#!/bin/sh
### BEGIN INIT INFO
# Provides: fail2ban
# Required-Start: $local_fs $remote_fs
# rename this file: (sudo) mv /etc/init.d/fail2ban.init /etc/init.d/fail2ban
# same with the logrotate file: (sudo) mv /etc/logrotate.d/fail2ban.logrotate /etc/logrotate.d/fail2ban
#
-PATH=/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin
-DESC="authentication failure monitor"
-NAME=fail2ban
+PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin"
+DESC="Authentication failure monitor"
+NAME="fail2ban"
# fail2ban-client is not a daemon itself but starts a daemon and
# loads its with configuration
-DAEMON=/usr/bin/$NAME-client
-SCRIPTNAME=/etc/init.d/$NAME
+DAEMON="/usr/bin/$NAME-client"
+SCRIPTNAME="/etc/init.d/$NAME"
# Ad-hoc way to parse out socket file name
-SOCKFILE=`grep -h '^[^#]*socket *=' /etc/$NAME/$NAME.conf /etc/$NAME/$NAME.local 2>/dev/null \
- | tail -n 1 | sed -e 's/.*socket *= *//g' -e 's/ *$//g'`
-[ -z "$SOCKFILE" ] && SOCKFILE='/var/run/fail2ban.sock'
+SOCKFILE="$(grep -h '^[^#]*socket *=' "/etc/$NAME/$NAME.conf" "/etc/$NAME/$NAME.local" 2>/dev/null \
+ | tail -n 1 | sed -e 's/.*socket *= *//g' -e 's/ *$//g')"
+[ -z "$SOCKFILE" ] && SOCKFILE="/var/run/fail2ban.sock"
# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
# Run as root by default.
-FAIL2BAN_USER=root
+FAIL2BAN_USER="root"
# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+[ -r "/etc/default/$NAME" ] && . "/etc/default/$NAME"
DAEMON_ARGS="$FAIL2BAN_OPTS"
# Load the VERBOSE setting and other rcS variables
# Predefine what can be missing from lsb source later on -- necessary to run
# on sarge. Just present it in a bit more compact way from what was shipped
-log_daemon_msg () {
+log_daemon_msg()
+{
[ -z "$1" ] && return 1
echo -n "$1:"
[ -z "$2" ] || echo -n " $2"
#
report_bug()
{
- echo $*
+ echo "$*"
echo "Please submit a bug report to Debian BTS (reportbug fail2ban)"
exit 1
}
check_socket()
{
# Return
- # 0 if socket is present and readable
- # 1 if socket file is not present
- # 2 if socket file is present but not readable
- # 3 if socket file is present but is not a socket
+ # 0 if socket is present and readable
+ # 1 if socket file is not present
+ # 2 if socket file is present but not readable
+ # 3 if socket file is present but is not a socket
[ -e "$SOCKFILE" ] || return 1
[ -r "$SOCKFILE" ] || return 2
[ -S "$SOCKFILE" ] || return 3
do_start()
{
# Return
- # 0 if daemon has been started
- # 1 if daemon was already running
- # 2 if daemon could not be started
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
do_status && return 1
if [ -e "$SOCKFILE" ]; then
log_failure_msg "Socket file $SOCKFILE is present"
- [ "$1" = "force-start" ] \
+ [ "$1" = force-start ] \
&& log_success_msg "Starting anyway as requested" \
|| return 2
DAEMON_ARGS="$DAEMON_ARGS -x"
# Assure that /var/run/fail2ban exists
[ -d /var/run/fail2ban ] || mkdir -p /var/run/fail2ban
- if [ "$FAIL2BAN_USER" != "root" ]; then
+ if [ "$FAIL2BAN_USER" != root ]; then
# Make the socket directory, IP lists and fail2ban log
# files writable by fail2ban
chown "$FAIL2BAN_USER" /var/run/fail2ban
# Create the logfile if it doesn't exist
touch /var/log/fail2ban.log
chown "$FAIL2BAN_USER" /var/log/fail2ban.log
- find /proc/net/xt_recent -name 'fail2ban-*' -exec chown "$FAIL2BAN_USER" {} \;
+ find /proc/net/xt_recent -name "fail2ban-*" -exec chown "$FAIL2BAN_USER" "{}" ";"
fi
- start-stop-daemon --start --quiet --chuid "$FAIL2BAN_USER" --exec $DAEMON -- \
- $DAEMON_ARGS start > /dev/null\
+ # $DAEMON_ARGS need to be expanded possibly with multiple or no options
+ # shellcheck disable=SC2086
+ start-stop-daemon --start --quiet --chuid "$FAIL2BAN_USER" --exec "$DAEMON" -- \
+ $DAEMON_ARGS start >/dev/null \
|| return 2
return 0
#
do_status()
{
- $DAEMON ping > /dev/null 2>&1
- return $?
+ $DAEMON ping >/dev/null 2>&1
+ return "$?"
}
#
do_stop()
{
# Return
- # 0 if daemon has been stopped
- # 1 if daemon was already stopped
- # 2 if daemon could not be stopped
- # other if a failure occurred
- $DAEMON status > /dev/null 2>&1 || return 1
- $DAEMON stop > /dev/null || return 2
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ $DAEMON status >/dev/null 2>&1 || return 1
+ $DAEMON stop >/dev/null || return 2
# now we need actually to wait a bit since it might take time
# for server to react on client's stop request. Especially
# important for restart command on slow boxes
count=1
- while do_status && [ $count -lt 60 ]; do
+ while do_status && [ "$count" -lt 60 ]; do
sleep 1
- count=$(($count+1))
+ count="$((count + 1))"
done
- [ $count -lt 60 ] || return 3 # failed to stop
+ [ "$count" -lt 60 ] || return 3 # failed to stop
return 0
}
#
# Function to reload configuration
#
-do_reload() {
- $DAEMON reload > /dev/null && return 0 || return 1
+do_reload()
+{
+ "$DAEMON" reload >/dev/null && return 0 || return 1
return 0
}
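Review bot: In do_reload the trailing `return 0` can never run, because `"$DAEMON" reload >/dev/null && return 0 || return 1` already returns on both paths. Writing the line as `"$DAEMON" reload >/dev/null || return 1` and keeping the final `return 0` says the same thing without the `&& … ||` chain. The commit quotes `"$DAEMON"` here and in do_start, but do_status and do_stop still run `$DAEMON ping`, `$DAEMON status` and `$DAEMON stop` unquoted; quoting those three calls as well would keep the script consistent.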
#
log_end_msg_wrapper()
{
- if [ "$3" != "no" ]; then
- [ $1 -lt $2 ] && value=0 || value=1
- log_end_msg $value
+ if [ "$1" != 0 ] && [ "$1" != "$2" ]; then
+ value="1"
+ else
+ value="0"
+ fi
+ if [ "$3" != no ]; then
+ log_end_msg "$value"
+ fi
+ if [ "$value" != 0 ]; then
+ exit "$1"
fi
}
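Review bot: log_end_msg_wrapper now runs `exit "$1"` for every status other than 0 and `$2`, and the start and stop arms pass 255 as `$2`. The documented return 1 of do_start (daemon was already running) and do_stop (daemon was already stopped) therefore ends the script with exit status 1. The previous test `[ $1 -lt $2 ]` with a limit of 2 reported those two cases as success. If a repeated start or stop should still succeed, the callers can pass 1 instead, `log_end_msg_wrapper "$?" 1 "$VERBOSE"`; if the stricter behaviour is intended, a comment above the function should state which codes count as failure and that the function may exit the script.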
start|force-start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
do_start "$command"
- log_end_msg_wrapper $? 2 "$VERBOSE"
+ log_end_msg_wrapper "$?" 255 "$VERBOSE"
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
- log_end_msg_wrapper $? 2 "$VERBOSE"
+ log_end_msg_wrapper "$?" 255 "$VERBOSE"
;;
restart|force-reload)
case "$?" in
0|1)
do_start
- log_end_msg_wrapper $? 1 "always"
+ log_end_msg_wrapper "$?" 0 always
;;
*)
# Failed to stop
log_end_msg 1
;;
- esac
+ esac
;;
- reload|force-reload)
- log_daemon_msg "Reloading $DESC" "$NAME"
- do_reload
- log_end_msg $?
- ;;
+ reload)
+ log_daemon_msg "Reloading $DESC" "$NAME"
+ do_reload
+ log_end_msg "$?"
+ ;;
status)
log_daemon_msg "Status of $DESC"
do_status
- case $? in
- 0) log_success_msg " $NAME is running" ;;
+ case "$?" in
+ 0)
+ log_success_msg " $NAME is running"
+ ;;
255)
check_socket
- case $? in
- 1) log_failure_msg " $NAME is not running" && exit 3 ;;
- 0) log_failure_msg " $NAME is not running but $SOCKFILE exists" && exit 3 ;;
- 2) log_failure_msg " $SOCKFILE not readable, status of $NAME is unknown" && exit 3 ;;
- 3) log_failure_msg " $SOCKFILE exists but not a socket, status of $NAME is unknown" && exit 3 ;;
- *) report_bug "Unknown return code from $NAME:check_socket." && exit 4 ;;
+ case "$?" in
+ 1)
+ log_failure_msg " $NAME is not running" && exit 3
+ ;;
+ 0)
+ log_failure_msg " $NAME is not running but $SOCKFILE exists" && exit 3
+ ;;
+ 2)
+ log_failure_msg " $SOCKFILE not readable, status of $NAME is unknown" && exit 3
+ ;;
+ 3)
+ log_failure_msg " $SOCKFILE exists but not a socket, status of $NAME is unknown" && exit 3
+ ;;
+ *)
+ report_bug "Unknown return code from $NAME:check_socket." && exit 4
+ ;;
esac
;;
- *) report_bug "Unknown $NAME status code" && exit 4
+ *)
+ report_bug "Unknown $NAME status code" && exit 4
+ ;;
esac
;;
*)
- echo "Usage: $SCRIPTNAME {start|force-start|stop|restart|force-reload|status}" >&2
+ echo "Usage: $SCRIPTNAME {start|force-start|stop|restart|force-reload|status}" 1>&2
exit 3
;;
esac
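Review bot: The usage line lists `{start|force-start|stop|restart|force-reload|status}` but the case statement above also has a `reload)` arm, so an accepted action is missing from the help text. Since this line is being touched anyway, it could read `echo "Usage: $SCRIPTNAME {start|force-start|stop|restart|reload|force-reload|status}" 1>&2`.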
DAEMON_CMDGROUP=www-data
DAEMON_ARGS="-e /var/log/icinga2/icinga2.err"
STARTUP_LOG="/var/log/icinga2/startup.log"
-PIDFILE=/var/run/icinga2/$NAME.pid
+PIDFILE=/run/icinga2/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
# Block/ignore SIGPIPE inside Icinga2
# check run directory
check_run () {
- test -d '/var/run/icinga2' || mkdir /var/run/icinga2
- test -d '/var/run/icinga2/cmd' || mkdir /var/run/icinga2/cmd
+ test -d '/run/icinga2' || mkdir /run/icinga2
+ test -d '/run/icinga2/cmd' || mkdir /run/icinga2/cmd
- chown "$DAEMON_USER":"$DAEMON_GROUP" /var/run/icinga2
- chmod 0755 /var/run/icinga2
+ chown "$DAEMON_USER":"$DAEMON_GROUP" /run/icinga2
+ chmod 0755 /run/icinga2
- chown "$DAEMON_USER":"$DAEMON_CMDGROUP" /var/run/icinga2/cmd
- chmod 2710 /var/run/icinga2/cmd
+ chown "$DAEMON_USER":"$DAEMON_CMDGROUP" /run/icinga2/cmd
+ chmod 2710 /run/icinga2/cmd
}
check_config () {
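Review bot: check_run creates `/run/icinga2/cmd` with a plain `mkdir` under the caller's umask and only afterwards applies `chown` and `chmod 2710`, so the command directory briefly exists with a wider mode than intended. A failed `chown` or `chmod` also goes unnoticed unless the script runs with errexit, which this hunk does not show. Creating each directory with owner and mode in one step avoids both: `install -d -m 2710 -o "$DAEMON_USER" -g "$DAEMON_CMDGROUP" /run/icinga2/cmd`, and likewise `install -d -m 0755 -o "$DAEMON_USER" -g "$DAEMON_GROUP" /run/icinga2`.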
--- /dev/null
+#!/bin/sh -e
+
+### BEGIN INIT INFO
+# Provides: bind bind9
+# Required-Start: $remote_fs
+# Required-Stop: $remote_fs
+# Should-Start: $network $syslog
+# Should-Stop: $network $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Start and stop BIND 9 Domain Name Server
+# Description: BIND 9 is a Domain Name Server (DNS)
+# which translates ip addresses to and from internet names
+### END INIT INFO
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+
+# for a chrooted server: "-u bind -t /var/lib/named"
+# Don't modify this line, instead change or create /etc/default/named.
+OPTIONS=""
+RESOLVCONF=no
+
+test -f /etc/default/named && . /etc/default/named
+
+test -x /usr/sbin/rndc || exit 0
+
+. /lib/lsb/init-functions
+PIDFILE=/run/named/named.pid
+
+check_network() {
+ result=0
+ if [ -x /usr/bin/uname ] && [ "X$(/usr/bin/uname -o)" = XSolaris ]; then
+ LIST_NICS_IP=$(/sbin/ifconfig -au) || result=$?
+ else
+ LIST_NICS_IP=$(/bin/ip addr) || result=$?
+ fi
+ if [ $result -ne 0 -o -z "${LIST_NICS_IP}" ]; then
+ #log_action_msg "No networks configured."
+ return 1
+ fi
+ return 0
+}
+
+case "$1" in
+ start)
+ log_daemon_msg "Starting domain name service..." "named"
+
+ modprobe capability >/dev/null 2>&1 || true
+
+ # dirs under /run can go away on reboots.
+ mkdir -p /run/named
+ chmod 775 /run/named
+ chown root:bind /run/named >/dev/null 2>&1 || true
+
+ if [ ! -x /usr/sbin/named ]; then
+ log_action_msg "named binary missing - not starting"
+ log_end_msg 1
+ fi
+
+ if ! check_network; then
+ log_action_msg "no networks configured"
+ log_end_msg 1
+ fi
+
+ if start-stop-daemon --start --oknodo --quiet --exec /usr/sbin/named \
+ --pidfile ${PIDFILE} -- $OPTIONS; then
+ if [ "X$RESOLVCONF" != "Xno" ] && [ -x /sbin/resolvconf ] ; then
+ echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.named
+ fi
+ log_end_msg 0
+ else
+ log_end_msg 1
+ fi
+ ;;
+
+ stop)
+ log_daemon_msg "Stopping domain name service..." "named"
+ if ! check_network; then
+ log_action_msg "no networks configured"
+ log_end_msg 1
+ fi
+
+ if [ "X$RESOLVCONF" != "Xno" ] && [ -x /sbin/resolvconf ] ; then
+ /sbin/resolvconf -d lo.named
+ fi
+ pid=$(/usr/sbin/rndc stop -p | awk '/^pid:/ {print $2}') || true
+ if [ -z "$pid" ]; then # no pid found, so either not running, or error
+ pid=$(pgrep -f ^/usr/sbin/named) || true
+ start-stop-daemon --stop --oknodo --quiet --exec /usr/sbin/named \
+ --pidfile ${PIDFILE} -- $OPTIONS
+ fi
+ if [ -n "$pid" ]; then
+ sig=0
+ n=1
+ while kill -$sig $pid 2>/dev/null; do
+ if [ $n -eq 1 ]; then
+ echo "waiting for pid $pid to die"
+ fi
+ if [ $n -eq 11 ]; then
+ echo "giving up on pid $pid with kill -0; trying -9"
+ sig=9
+ fi
+ if [ $n -gt 20 ]; then
+ echo "giving up on pid $pid"
+ break
+ fi
+ n=$(($n+1))
+ sleep 1
+ done
+ fi
+ log_end_msg 0
+ ;;
+
+ reload|force-reload)
+ log_daemon_msg "Reloading domain name service..." "named"
+ if ! check_network; then
+ log_action_msg "no networks configured"
+ log_end_msg 1
+ fi
+
+ /usr/sbin/rndc reload >/dev/null && log_end_msg 0 || log_end_msg 1
+ ;;
+
+ restart)
+ if ! check_network; then
+ log_action_msg "no networks configured"
+ exit 1
+ fi
+
+ $0 stop
+ $0 start
+ ;;
+
+ status)
+ ret=0
+ status_of_proc -p ${PIDFILE} /usr/sbin/named bind 2>/dev/null || ret=$?
+ exit $ret
+ ;;
+
+ *)
+ log_action_msg "Usage: /etc/init.d/named {start|stop|reload|restart|force-reload|status}"
+ exit 1
+ ;;
+esac
+
+exit 0
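Review bot: The start, stop and reload arms call `log_end_msg 1` on their error paths without an `exit`, so the script stops there only if `log_end_msg` returns non-zero and the `-e` from the `#!/bin/sh -e` line is in effect; that option is lost when the file is run as `sh /etc/init.d/named`. In that case a missing named binary or an unconfigured network falls through to the `start-stop-daemon` call. The restart arm already uses an explicit `exit 1`; the other arms should add `exit 1` after `log_end_msg 1`, and a separate `set -e` line would make errexit independent of how the script is invoked.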
13 dnrouted
14 xorp
15 ntk
-16 dhcp
+16 dhcp
+18 keepalived
42 babel
186 bgp
187 isis
-# Generated by xtables-save v1.8.2 on Thu Apr 8 19:25:18 2021
+# Generated by iptables-save v1.8.7 on Thu Sep 16 13:59:08 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [3894502:15435226157]
+:OUTPUT ACCEPT [844:109767]
+:f2b-apache-noscript - [0:0]
+:f2b-ssh - [0:0]
:icinga2 - [0:0]
:rejects - [0:0]
:salt-master - [0:0]
-:f2b-ssh - [0:0]
-:f2b-apache-noscript - [0:0]
+-A INPUT -p tcp -m multiport --dports 22 -j f2b-ssh
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-noscript
-A INPUT -p tcp -m multiport --dports 22 -j f2b-ssh
-A INPUT -s 220.192.0.0/12 -p tcp -m multiport --dports 22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j rejects
-A INPUT -j NFLOG --nflog-prefix "IPv4 INPUT Reject " --nflog-threshold 1
-A INPUT -j REJECT --reject-with icmp-port-unreachable
+-A f2b-apache-noscript -j RETURN
+-A f2b-ssh -s 221.131.165.56/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-ssh -s 180.76.60.141/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-ssh -s 107.175.33.240/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-ssh -s 221.131.165.23/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-ssh -s 128.199.99.204/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-ssh -s 49.88.112.115/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-ssh -s 42.192.249.157/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-ssh -s 212.129.248.183/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-ssh -j RETURN
+-A f2b-ssh -j RETURN
-A icinga2 -s 185.102.95.107/32 -j ACCEPT
-A icinga2 -s 162.254.24.33/32 -j ACCEPT
-A icinga2 -s 185.48.118.128/32 -j ACCEPT
-A salt-master -s 188.34.187.246/32 -j ACCEPT
-A salt-master -j NFLOG --nflog-prefix "IPv4 Salt Reject " --nflog-threshold 1
-A salt-master -j REJECT --reject-with icmp-port-unreachable
--A f2b-ssh -s 107.175.33.240/32 -j REJECT --reject-with icmp-port-unreachable
--A f2b-ssh -s 221.131.165.23/32 -j REJECT --reject-with icmp-port-unreachable
--A f2b-ssh -s 128.199.99.204/32 -j REJECT --reject-with icmp-port-unreachable
--A f2b-ssh -s 49.88.112.115/32 -j REJECT --reject-with icmp-port-unreachable
--A f2b-ssh -s 42.192.249.157/32 -j REJECT --reject-with icmp-port-unreachable
--A f2b-ssh -s 212.129.248.183/32 -j REJECT --reject-with icmp-port-unreachable
--A f2b-ssh -j RETURN
--A f2b-apache-noscript -j RETURN
COMMIT
-# Completed on Thu Apr 8 19:25:18 2021
+# Completed on Thu Sep 16 13:59:08 2021
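Review bot: The saved ruleset now jumps from INPUT to `f2b-ssh` twice (the added rule at the top and the existing one after the `f2b-apache-noscript` jump), and `f2b-ssh` ends with two `-j RETURN` rules, which suggests the dump was taken while fail2ban had its chains loaded. Persisting the `f2b-*` chains and their per-address REJECT entries means they are restored at boot as static rules, and fail2ban presumably adds its own jump and RETURN again when it starts, so the duplicates grow and old bans never expire. Consider saving the persistent ruleset without fail2ban's chains and letting fail2ban create them at start.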
-# Generated by xtables-save v1.8.2 on Thu Apr 8 19:25:18 2021
+# Generated by ip6tables-save v1.8.7 on Thu Sep 16 13:59:08 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [7925469:622635830]
+:OUTPUT ACCEPT [1061:84609]
:salt-master - [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED -j ACCEPT
-A salt-master -j NFLOG --nflog-prefix "IPv6 Salt Reject " --nflog-threshold 1
-A salt-master -j REJECT --reject-with icmp6-port-unreachable
COMMIT
-# Completed on Thu Apr 8 19:25:18 2021
+# Completed on Thu Sep 16 13:59:08 2021
#!/bin/sh
set -e
-# Mark as not-for-autoremoval those kernel packages that are:
-# - the currently booted version
-# - the kernel version we've been called for
-# - the latest kernel version (as determined by debian version number)
-# - the second-latest kernel version
-#
-# In the common case this results in two kernels saved (booted into the
-# second-latest kernel, we install the latest kernel in an upgrade), but
-# can save up to four. Kernel refers here to a distinct release, which can
-# potentially be installed in multiple flavours counting as one kernel.
eval $(apt-config shell APT_CONF_D Dir::Etc::parts/d)
test -n "${APT_CONF_D}" || APT_CONF_D="/etc/apt/apt.conf.d"
config_file="${APT_CONF_D}/01autoremove-kernels"
-eval $(apt-config shell DPKG Dir::bin::dpkg/f)
-test -n "$DPKG" || DPKG="/usr/bin/dpkg"
-
-list="$("${DPKG}" -l | awk '/^[ih][^nc][ ]+(linux|kfreebsd|gnumach)-image-[0-9]+\./ && $2 !~ /-dbg(:.*)?$/ && $2 !~ /-dbgsym(:.*)?$/ { print $2,$3; }' \
- | sed -e 's#^\(linux\|kfreebsd\|gnumach\)-image-##' -e 's#:[^:]\+ # #')"
-debverlist="$(echo "$list" | cut -d' ' -f 2 | sort --unique --reverse --version-sort)"
-
-if [ -n "$1" ]; then
- installed_version="$(echo "$list" | awk "\$1 == \"$1\" { print \$2;exit; }")"
-fi
-unamer="$(uname -r | tr '[A-Z]' '[a-z]')"
-if [ -n "$unamer" ]; then
- running_version="$(echo "$list" | awk "\$1 == \"$unamer\" { print \$2;exit; }")"
-fi
-# ignore the currently running version if attempting a reproducible build
-if [ -n "${SOURCE_DATE_EPOCH}" ]; then
- unamer=""
- running_version=""
-fi
-latest_version="$(echo "$debverlist" | sed -n 1p)"
-previous_version="$(echo "$debverlist" | sed -n 2p)"
-
-debkernels="$(echo "$latest_version
-$installed_version
-$running_version
-$previous_version" | sort -u | sed -e '/^$/ d')"
-kernels="$( (echo "$1
-$unamer"; for deb in $debkernels; do echo "$list" | awk "\$2 == \"$deb\" { print \$1; }"; done; ) \
- | sed -e 's#\([\.\+]\)#\\\1#g' -e '/^$/ d' | sort -u)"
-
generateconfig() {
cat <<EOF
// DO NOT EDIT! File autogenerated by $0
-APT::NeverAutoRemove
-{
-EOF
- for package in $(apt-config dump --no-empty --format '%v%n' 'APT::VersionedKernelPackages'); do
- for kernel in $kernels; do
- echo " \"^${package}-${kernel}$\";"
- done
- done
- echo '};'
- if [ "${APT_AUTO_REMOVAL_KERNELS_DEBUG:-true}" = 'true' ]; then
- cat <<EOF
-/* Debug information:
-# dpkg list:
-$(dpkg -l | grep '\(linux\|kfreebsd\|gnumach\)-image-')
-# list of installed kernel packages:
-$list
-# list of different kernel versions:
-$debverlist
-# Installing kernel: $installed_version ($1)
-# Running kernel: ${running_version:-ignored} (${unamer:-ignored})
-# Last kernel: $latest_version
-# Previous kernel: $previous_version
-# Kernel versions list to keep:
-$debkernels
-# Kernel packages (version part) to protect:
-$kernels
-*/
+APT::LastInstalledKernel "$1";
EOF
- fi
}
generateconfig "$@" > "${config_file}.dpkg-new"
mv -f "${config_file}.dpkg-new" "$config_file"
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
-#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
+#URI ldap://ldap.example.com ldap://ldap-provider.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
This notice applies to all files in this directory.
-Copyright 1998-2018 The OpenLDAP Foundation, Redwood City, California, USA
+Copyright 1998-2021 The OpenLDAP Foundation, Redwood City, California, USA
All rights reserved.
Redistribution and use in source and binary forms, with or without
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
-## Copyright 1998-2018 The OpenLDAP Foundation.
+## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
-## Copyright 1998-2018 The OpenLDAP Foundation.
+## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
-## Copyright 1998-2018 The OpenLDAP Foundation.
+## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
-## Copyright 1998-2018 The OpenLDAP Foundation.
+## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
-## Copyright 1998-2018 The OpenLDAP Foundation.
+## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
-## Copyright 1998-2018 The OpenLDAP Foundation.
+## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
-## Copyright 1998-2018 The OpenLDAP Foundation.
+## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
-## Copyright 1998-2018 The OpenLDAP Foundation.
+## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
-## Copyright 1998-2018 The OpenLDAP Foundation.
+## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
-## Copyright 1998-2018 The OpenLDAP Foundation.
+## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
-## Copyright 1998-2018 The OpenLDAP Foundation.
+## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
-## Copyright 1998-2018 The OpenLDAP Foundation.
+## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
-## Copyright 1998-2018 The OpenLDAP Foundation.
+## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
-## Copyright 1998-2018 The OpenLDAP Foundation.
+## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
-## Copyright 1998-2018 The OpenLDAP Foundation.
+## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
-## Copyright 2004-2018 The OpenLDAP Foundation.
+## Copyright 2004-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
--- /dev/null
+###############################################################################
+#
+# ClassID <-> Name Translation Table
+#
+# This file can be used to assign names to classids for easier reference
+# in all libnl tools.
+#
+# Format:
+# <MAJ:> <NAME> # qdisc definition
+# <MAJ:MIN> <NAME> # class deifnition
+# <NAME:MIN> <NAME> # class definition referencing an
+# existing qdisc definition.
+#
+# Example:
+# 1: top # top -> 1:0
+# top:1 interactive # interactive -> 1:1
+# top:2 www # www -> 1:2
+# top:3 bulk # bulk -> 1:3
+# 2:1 test_class # test_class -> 2:1
+#
+# Illegal Example:
+# 30:1 classD
+# classD:2 invalidClass # classD refers to a class, not a qdisc
+#
+###############################################################################
+
+# <CLASSID> <NAME>
+
+# Reserved default classids
+0:0 none
+ffff:ffff root
+ffff:fff1 ingress
+
+#
+# List your classid definitions here:
+#
+
+
+
+###############################################################################
+# List of auto-generated classids
+#
+# DO NOT ADD CLASSID DEFINITIONS BELOW THIS LINE
+#
+# <CLASSID> <NAME>
--- /dev/null
+#
+# Location definitions for packet matching
+#
+
+# name alignment offset mask shift
+ip.version u8 net+0 0xF0 4
+ip.hdrlen u8 net+0 0x0F
+ip.diffserv u8 net+1
+ip.length u16 net+2
+ip.id u16 net+4
+ip.flag.res u8 net+6 0xff 7
+ip.df u8 net+6 0x40 6
+ip.mf u8 net+6 0x20 5
+ip.offset u16 net+6 0x1FFF
+ip.ttl u8 net+8
+ip.proto u8 net+9
+ip.chksum u16 net+10
+ip.src u32 net+12
+ip.dst u32 net+16
+
+# if ip.ihl > 5
+ip.opts u32 net+20
+
+
+#
+# IP version 6
+#
+# name alignment offset mask shift
+ip6.version u8 net+0 0xF0 4
+ip6.tc u16 net+0 0xFF0 4
+ip6.flowlabel u32 net+0 0xFFFFF
+ip6.length u16 net+4
+ip6.nexthdr u8 net+6
+ip6.hoplimit u8 net+7
+ip6.src 16 net+8
+ip6.dst 16 net+24
+
+#
+# Transmission Control Protocol (TCP)
+#
+# name alignment offset mask shift
+tcp.sport u16 tcp+0
+tcp.dport u16 tcp+2
+tcp.seq u32 tcp+4
+tcp.ack u32 tcp+8
+
+# Data offset (4 bits)
+tcp.off u8 tcp+12 0xF0 4
+
+# Reserved [0 0 0] (3 bits)
+tcp.reserved u8 tcp+12 0x04 1
+
+# ECN [N C E] (3 bits)
+tcp.ecn u16 tcp+12 0x01C00 6
+
+# Individual TCP flags (0|1) (6 bits in total)
+tcp.flag.urg u8 tcp+13 0x20 5
+tcp.flag.ack u8 tcp+13 0x10 4
+tcp.flag.psh u8 tcp+13 0x08 3
+tcp.flag.rst u8 tcp+13 0x04 2
+tcp.flag.syn u8 tcp+13 0x02 1
+tcp.flag.fin u8 tcp+13 0x01
+
+tcp.win u16 tcp+14
+tcp.csum u16 tcp+16
+tcp.urg u16 tcp+18
+tcp.opts u32 tcp+20
+
+#
+# User Datagram Protocol (UDP)
+#
+# name alignment offset mask shift
+udp.sport u16 tcp+0
+udp.dport u16 tcp+2
+udp.length u16 tcp+4
+udp.csum u16 tcp+6
--- /dev/null
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: netfilter-persistent\.service: Dependency Conflict(s|edBy)=(ip(6)?tables|ipset)\.service dropped, merged into netfilter-persistent\.service$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: imklog [0-9.]+, log source = /proc/kmsg started.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging \(proc\) stopped.$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] start$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] exiting on signal [0-9]+.$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] rsyslogd was HUPed$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="https://www.rsyslog.com"\] start$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="https://www.rsyslog.com"\] exiting on signal [0-9]+.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="https://www.rsyslog.com"\] rsyslogd was HUPed$
-# Generated by LVM2 version 2.03.02(2) (2018-12-18): Wed Sep 4 23:05:49 2019
+# Generated by LVM2 version 2.03.11(2) (2021-01-08): Thu Sep 16 14:12:01 2021
contents = "Text Format Volume Group"
version = 1
-description = "Created *after* executing 'pvscan --cache --activate ay 8:17'"
+description = "Created *after* executing 'vgcfgbackup'"
-creation_host = "ns3" # Linux ns3 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u2 (2019-08-08) x86_64
-creation_time = 1567631149 # Wed Sep 4 23:05:49 2019
+creation_host = "ns3" # Linux ns3 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
+creation_time = 1631794321 # Thu Sep 16 14:12:01 2021
vg00 {
id = "JepAFT-Qvz3-A30x-OAuH-gKtZ-sybB-thTeYw"
#
external_device_info_source = "none"
+ # Configuration option devices/hints.
+ # Use a local file to remember which devices have PVs on them.
+ # Some commands will use this as an optimization to reduce device
+ # scanning, and will only scan the listed PVs. Removing the hint file
+ # will cause lvm to generate a new one. Disable hints if PVs will
+ # be copied onto devices using non-lvm commands, like dd.
+ #
+ # Accepted values:
+ # all
+ # Use all hints.
+ # none
+ # Use no hints.
+ #
+ # This configuration option has an automatic default value.
+ # hints = "all"
+
# Configuration option devices/preferred_names.
# Select which path name to display for a block device.
# If multiple path names exist for a block device, and LVM needs to
#
# Example
# Accept every block device:
- # filter = [ "a|.*/|" ]
+ # filter = [ "a|.*|" ]
# Reject the cdrom drive:
# filter = [ "r|/dev/cdrom|" ]
# Work with just loopback devices, e.g. for testing:
# Accept all loop devices and ide drives except hdc:
# filter = [ "a|loop|", "r|/dev/hdc|", "a|/dev/ide|", "r|.*|" ]
# Use anchors to be very specific:
- # filter = [ "a|^/dev/hda8$|", "r|.*/|" ]
+ # filter = [ "a|^/dev/hda8$|", "r|.*|" ]
#
# This configuration option has an automatic default value.
- # filter = [ "a|.*/|" ]
+ # filter = [ "a|.*|" ]
# Configuration option devices/global_filter.
# Limit the block devices that are used by LVM system components.
# The syntax is the same as devices/filter. Devices rejected by
# global_filter are not opened by LVM.
# This configuration option has an automatic default value.
- # global_filter = [ "a|.*/|" ]
+ # global_filter = [ "a|.*|" ]
# Configuration option devices/types.
# List of additional acceptable block device types.
sysfs_scan = 1
# Configuration option devices/scan_lvs.
- # Scan LVM LVs for layered PVs.
- scan_lvs = 1
+ # Scan LVM LVs for layered PVs, allowing LVs to be used as PVs.
+ # When 1, LVM will detect PVs layered on LVs, and caution must be
+ # taken to avoid a host accessing a layered VG that may not belong
+ # to it, e.g. from a guest image. This generally requires excluding
+ # the LVs with device filters. Also, when this setting is enabled,
+ # every LVM command will scan every active LV on the system (unless
+ # filtered), which can cause performance problems on systems with
+ # many active LVs. When this setting is 0, LVM will not detect or
+ # use PVs that exist on LVs, and will not allow a PV to be created on
+ # an LV. The LVs are ignored using a built in device filter that
+ # identifies and excludes LVs.
+ scan_lvs = 0
# Configuration option devices/multipath_component_detection.
# Ignore devices that are components of DM multipath devices.
multipath_component_detection = 1
# Configuration option devices/md_component_detection.
- # Ignore devices that are components of software RAID (md) devices.
+ # Enable detection and exclusion of MD component devices.
+ # An MD component device is a block device that MD uses as part
+ # of a software RAID virtual device. When an LVM PV is created
+ # on an MD device, LVM must only use the top level MD device as
+ # the PV, and should ignore the underlying component devices.
+ # In cases where the MD superblock is located at the end of the
+ # component devices, it is more difficult for LVM to consistently
+ # identify an MD component, see the md_component_checks setting.
md_component_detection = 1
+ # Configuration option devices/md_component_checks.
+ # The checks LVM should use to detect MD component devices.
+ # MD component devices are block devices used by MD software RAID.
+ #
+ # Accepted values:
+ # auto
+ # LVM will skip scanning the end of devices when it has other
+ # indications that the device is not an MD component.
+ # start
+ # LVM will only scan the start of devices for MD superblocks.
+ # This does not incur extra I/O by LVM.
+ # full
+ # LVM will scan the start and end of devices for MD superblocks.
+ # This requires an extra read at the end of devices.
+ #
+ # This configuration option has an automatic default value.
+ # md_component_checks = "auto"
+
# Configuration option devices/fw_raid_component_detection.
# Ignore devices that are components of firmware RAID devices.
# LVM must use an external_device_info_source other than none for this
# Enabling this setting allows the VG to be used as usual even with
# uncertain devices.
allow_changes_with_duplicate_pvs = 0
+
+ # Configuration option devices/allow_mixed_block_sizes.
+ # Allow PVs in the same VG with different logical block sizes.
+ # When allowed, the user is responsible to ensure that an LV is
+ # using PVs with matching block sizes when necessary.
+ allow_mixed_block_sizes = 0
}
# Configuration section allocation.
# Configuration option allocation/cache_pool_metadata_require_separate_pvs.
# Cache pool metadata and data will always use different PVs.
- cache_pool_metadata_require_separate_pvs = 0
+ # This configuration option has an automatic default value.
+ # cache_pool_metadata_require_separate_pvs = 0
# Configuration option allocation/cache_metadata_format.
# Sets default metadata format for new cache.
# This configuration option does not have a default value defined.
# Configuration option allocation/thin_pool_metadata_require_separate_pvs.
- # Thin pool metdata and data will always use different PVs.
- thin_pool_metadata_require_separate_pvs = 0
+ # Thin pool metadata and data will always use different PVs.
+ # This configuration option has an automatic default value.
+ # thin_pool_metadata_require_separate_pvs = 0
# Configuration option allocation/thin_pool_zero.
# Thin pool data chunks are zeroed before they are first used.
# This configuration option has an automatic default value.
# thin_pool_chunk_size_policy = "generic"
+ # Configuration option allocation/zero_metadata.
+ # Zero whole metadata area before use with thin or cache pool.
+ # This configuration option has an automatic default value.
+ # zero_metadata = 1
+
# Configuration option allocation/thin_pool_chunk_size.
# The minimal chunk size in KiB for thin pool volumes.
# Larger chunk sizes may improve performance for plain thin volumes,
# This configuration option has an automatic default value.
# vdo_use_deduplication = 1
- # Configuration option allocation/vdo_emulate_512_sectors.
- # Specifies that the VDO volume is to emulate a 512 byte block device.
+ # Configuration option allocation/vdo_use_metadata_hints.
+ # Enables or disables whether VDO volume should tag its latency-critical
+ # writes with the REQ_SYNC flag. Some device mapper targets such as dm-raid5
+ # process writes with this flag at a higher priority.
+ # Default is enabled.
# This configuration option has an automatic default value.
- # vdo_emulate_512_sectors = 0
+ # vdo_use_metadata_hints = 1
+
+ # Configuration option allocation/vdo_minimum_io_size.
+ # The minimum IO size for VDO volume to accept, in bytes.
+ # Valid values are 512 or 4096. The recommended and default value is 4096.
+ # This configuration option has an automatic default value.
+ # vdo_minimum_io_size = 4096
# Configuration option allocation/vdo_block_map_cache_size_mb.
# Specifies the amount of memory in MiB allocated for caching block map
# vdo_block_map_cache_size_mb = 128
# Configuration option allocation/vdo_block_map_period.
- # Tunes the quantity of block map updates that can accumulate
- # before cache pages are flushed to disk. The value must be
- # at least 1 and less then 16380.
- # A lower value means shorter recovery time but lower performance.
+ # The speed with which the block map cache writes out modified block map pages.
+ # A smaller era length is likely to reduce the amount time spent rebuilding,
+ # at the cost of increased block map writes during normal operation.
+ # The maximum and recommended value is 16380; the minimum value is 1.
# This configuration option has an automatic default value.
# vdo_block_map_period = 16380
# This configuration option has an automatic default value.
# vdo_index_memory_size_mb = 256
- # Configuration option allocation/vdo_use_read_cache.
- # Enables or disables the read cache within the VDO volume.
- # The cache should be enabled if write workloads are expected
- # to have high levels of deduplication, or for read intensive
- # workloads of highly compressible data.
- # This configuration option has an automatic default value.
- # vdo_use_read_cache = 0
-
- # Configuration option allocation/vdo_read_cache_size_mb.
- # Specifies the extra VDO volume read cache size in MiB.
- # This space is in addition to a system-defined minimum.
- # The value must be less then 16TiB and 1.12 MiB of memory
- # will be used per MiB of read cache specified, per bio thread.
- # This configuration option has an automatic default value.
- # vdo_read_cache_size_mb = 0
-
# Configuration option allocation/vdo_slab_size_mb.
# Specifies the size in MiB of the increment by which a VDO is grown.
# Using a smaller size constrains the total maximum physical size
# Each additional thread after the first will use an additional 18MiB of RAM,
# plus 1.12 MiB of RAM per megabyte of configured read cache size.
# This configuration option has an automatic default value.
- # vdo_bio_threads = 1
+ # vdo_bio_threads = 4
# Configuration option allocation/vdo_bio_rotation.
# Specifies the number of I/O operations to enqueue for each bio-submission
# Data which has not been flushed is not guaranteed to persist in this mode.
# This configuration option has an automatic default value.
# vdo_write_policy = "auto"
+
+ # Configuration option allocation/vdo_max_discard.
+ # Specified te maximum size of discard bio accepted, in 4096 byte blocks.
+ # I/O requests to a VDO volume are normally split into 4096-byte blocks,
+ # and processed up to 2048 at a time. However, discard requests to a VDO volume
+ # can be automatically split to a larger size, up to <max discard> 4096-byte blocks
+ # in a single bio, and are limited to 1500 at a time.
+ # Increasing this value may provide better overall performance, at the cost of
+ # increased latency for the individual discard requests.
+ # The default and minimum is 1. The maximum is UINT_MAX / 4096.
+ # This configuration option has an automatic default value.
+ # vdo_max_discard = 1
}
# Configuration section log.
# Configuration option log/indent.
# Indent messages according to their severity.
- indent = 1
+ # This configuration option has an automatic default value.
+ # indent = 0
# Configuration option log/command_names.
# Display the command name on each line of output.
# available: memory, devices, io, activation, allocation,
# metadata, cache, locking, lvmpolld. Use "all" to see everything.
debug_classes = [ "memory", "devices", "io", "activation", "allocation", "metadata", "cache", "locking", "lvmpolld", "dbus" ]
+
+ # Configuration option log/debug_file_fields.
+ # The fields included in debug output written to log file.
+ # Use "all" to include everything (the default).
+ # This configuration option is advanced.
+ # This configuration option has an automatic default value.
+ # debug_file_fields = [ "time", "command", "fileline", "message" ]
+
+ # Configuration option log/debug_output_fields.
+ # The fields included in debug output written to stderr.
+ # Use "all" to include everything (the default).
+ # This configuration option is advanced.
+ # This configuration option has an automatic default value.
+ # debug_output_fields = [ "time", "command", "fileline", "message" ]
}
# Configuration section backup.
# the error messages.
activation = 1
- # Configuration option global/segment_libraries.
- # This configuration option does not have a default value defined.
-
# Configuration option global/proc.
# Location of proc filesystem.
# This configuration option is advanced.
# a volume group's metadata, instead of always granting the read-only
# requests immediately, delay them to allow the read-write requests to
# be serviced. Without this setting, write access may be stalled by a
- # high volume of read-only requests. This option only affects
- # locking_type 1 viz. local file-based locking.
+ # high volume of read-only requests. This option only affects file locks.
prioritise_write_locks = 1
# Configuration option global/library_dir.
#
mirror_segtype_default = "raid1"
+ # Configuration option global/support_mirrored_mirror_log.
+ # Enable mirrored 'mirror' log type for testing.
+ #
+ # This type is deprecated to create or convert to but can
+ # be enabled to test that activation of existing mirrored
+ # logs and conversion to disk/core works.
+ #
+ # Not supported for regular operation!
+ # This configuration option has an automatic default value.
+ # support_mirrored_mirror_log = 0
+
# Configuration option global/raid10_segtype_default.
# The segment type used by the -i -m combination.
# The --type raid10|mirror option overrides this setting.
# activated from these events (the default is all.)
# When event_activation is disabled, the system will generally run
# a direct activation command to activate LVs in complete VGs.
- event_activation = 1
+ # This configuration option has an automatic default value.
+ # event_activation = 1
# Configuration option global/use_aio.
# Use async I/O when reading and writing devices.
# The full path to the vdoformat command.
# LVM uses this command to initial data volume for VDO type logical volume
# This configuration option has an automatic default value.
- # vdo_format_executable = "autodetect"
+ # vdo_format_executable = "/usr/bin/vdoformat"
# Configuration option global/vdo_format_options.
# List of options passed added to standard vdoformat command.
# When enabled, an LVM command that changes PVs, changes VG metadata,
# or changes the activation state of an LV will send a notification.
notify_dbus = 1
+
+ # Configuration option global/io_memory_size.
+ # The amount of memory in KiB that LVM allocates to perform disk io.
+ # LVM performance may benefit from more io memory when there are many
+ # disks or VG metadata is large. Increasing this size may be necessary
+ # when a single copy of VG metadata is larger than the current setting.
+ # This value should usually not be decreased from the default; setting
+ # it too low can result in lvm failing to read VGs.
+ # This configuration option has an automatic default value.
+ # io_memory_size = 8192
}
# Configuration section activation.
# This enables additional checks (and if necessary, repairs) on entries
# in the device directory after udev has completed processing its
# events. Useful for diagnosing problems with LVM/udev interactions.
- verify_udev_operations = 0
+ # This configuration option has an automatic default value.
+ # verify_udev_operations = 0
# Configuration option activation/retry_deactivation.
# Retry failed LV deactivation.
# When disabled, the striped target is used. The linear target is an
# optimised version of the striped target that only handles a single
# stripe.
- use_linear_target = 1
+ # This configuration option has an automatic default value.
+ # use_linear_target = 1
# Configuration option activation/reserved_stack.
# Stack size in KiB to reserve for use while devices are suspended.
# Insufficent reserve risks I/O deadlock during device suspension.
- reserved_stack = 64
+ # This configuration option has an automatic default value.
+ # reserved_stack = 64
# Configuration option activation/reserved_memory.
# Memory size in KiB to reserve for use while devices are suspended.
# Insufficent reserve risks I/O deadlock during device suspension.
- reserved_memory = 8192
+ # This configuration option has an automatic default value.
+ # reserved_memory = 8192
# Configuration option activation/process_priority.
# Nice value used while devices are suspended.
# Use a high priority so that LVs are suspended
# for the shortest possible time.
- process_priority = -18
+ # This configuration option has an automatic default value.
+ # process_priority = -18
# Configuration option activation/volume_list.
# Only LVs selected by this list are activated.
# auto
# Use default value chosen by kernel.
#
- readahead = "auto"
+ # This configuration option has an automatic default value.
+ # readahead = "auto"
# Configuration option activation/raid_fault_policy.
# Defines how a device failure in a RAID LV is handled.
# 8.4G, it is extended to 14.4G:
# vdo_pool_autoextend_threshold = 70
#
- vdo_pool_autoextend_threshold = 100
+ # This configuration option has an automatic default value.
+ # vdo_pool_autoextend_threshold = 100
# Configuration option activation/vdo_pool_autoextend_percent.
# Auto-extending a VDO pool adds this percent extra space.
# Use the old behavior of mlockall to pin all memory.
# Prior to version 2.02.62, LVM used mlockall() to pin the whole
# process's memory while activating devices.
- use_mlockall = 0
+ # This configuration option has an automatic default value.
+ # use_mlockall = 0
# Configuration option activation/monitoring.
# Monitor LVs that are activated.
# intervals of this number of seconds. If this is set to 0 and there
# is only one thing to wait for, there are no progress reports, but
# the process is awoken immediately once the operation is complete.
- polling_interval = 15
+ # This configuration option has an automatic default value.
+ # polling_interval = 15
# Configuration option activation/auto_set_activation_skip.
# Set the activation skip flag on new thin snapshot LVs.
# additional space for VG metadata. The --metadatasize option overrides
# this setting.
# This configuration option does not have a default value defined.
- # This configuration option has an automatic default value.
# Configuration option metadata/pvmetadataignore.
# Ignore metadata areas on a new PV.
# failures. It removes failed devices from a volume group and
# reconfigures a mirror as necessary. If no mirror library is
# provided, mirrors are not monitored through dmeventd.
- mirror_library = "libdevmapper-event-lvm2mirror.so"
+ # This configuration option has an automatic default value.
+ # mirror_library = "libdevmapper-event-lvm2mirror.so"
# Configuration option dmeventd/raid_library.
# This configuration option has an automatic default value.
# libdevmapper-event-lvm2snapshot.so monitors the filling of snapshots
# and emits a warning through syslog when the usage exceeds 80%. The
# warning is repeated when 85%, 90% and 95% of the snapshot is filled.
- snapshot_library = "libdevmapper-event-lvm2snapshot.so"
+ # This configuration option has an automatic default value.
+ # snapshot_library = "libdevmapper-event-lvm2snapshot.so"
# Configuration option dmeventd/thin_library.
# The library dmeventd uses when monitoring a thin device.
# libdevmapper-event-lvm2thin.so monitors the filling of a pool
# and emits a warning through syslog when the usage exceeds 80%. The
# warning is repeated when 85%, 90% and 95% of the pool is filled.
- thin_library = "libdevmapper-event-lvm2thin.so"
+ # This configuration option has an automatic default value.
+ # thin_library = "libdevmapper-event-lvm2thin.so"
# Configuration option dmeventd/thin_command.
# The plugin runs command with each 5% increment when thin-pool data volume
# Demo configuration for 'VDO' using less memory.
-#
+# ~lvmconfig --type full | grep vdo
allocation {
- vdo_use_compression = 1
- vdo_use_deduplication = 1
- vdo_emulate_512_sectors = 0
- vdo_block_map_cache_size_mb = 128
- vdo_block_map_period = 16380
- vdo_check_point_frequency = 0
- vdo_use_sparse_index = 0
- vdo_index_memory_size_mb = 256
- vdo_use_read_cache = 0
- vdo_read_cache_size_mb = 0
- vdo_slab_size_mb = 2048
-
- vdo_ack_threads = 1
- vdo_bio_threads = 1
- vdo_bio_rotation = 64
- vdo_cpu_threads = 2
- vdo_hash_zone_threads = 1
- vdo_logical_threads = 1
- vdo_physical_threads = 1
- vdo_write_policy = "auto"
+ vdo_use_compression=1
+ vdo_use_deduplication=1
+ vdo_use_metadata_hints=1
+ vdo_minimum_io_size=4096
+ vdo_block_map_cache_size_mb=128
+ vdo_block_map_period=16380
+ vdo_check_point_frequency=0
+ vdo_use_sparse_index=0
+ vdo_index_memory_size_mb=256
+ vdo_slab_size_mb=2048
+ vdo_ack_threads=1
+ vdo_bio_threads=1
+ vdo_bio_rotation=64
+ vdo_cpu_threads=2
+ vdo_hash_zone_threads=1
+ vdo_logical_threads=1
+ vdo_physical_threads=1
+ vdo_write_policy="auto"
+ vdo_max_discard=1
}
###############################################################################
-text/plain; less '%s'; needsterminal
-application/x-troff-man; /usr/bin/man -X100 -l '%s'; test=test -n "$DISPLAY" -a -e /usr/bin/gxditview; description=Man page
-text/troff; /usr/bin/man -X100 -l '%s'; test=test -n "$DISPLAY" -a -e /usr/bin/gxditview; description=Man page
-application/x-troff-man; /usr/bin/man -l '%s'; needsterminal; description=Man page
-text/troff; /usr/bin/man -l '%s'; needsterminal; description=Man page
+text/plain; less %s; needsterminal
+application/x-troff-man; /usr/bin/man -X100 -l %s; test=test -n "$DISPLAY" -a -e /usr/bin/gxditview; description=Man page
+text/troff; /usr/bin/man -X100 -l %s; test=test -n "$DISPLAY" -a -e /usr/bin/gxditview; description=Man page
+application/x-troff-man; /usr/bin/man -l %s; needsterminal; description=Man page
+text/troff; /usr/bin/man -l %s; needsterminal; description=Man page
text/html; /usr/bin/sensible-browser %s; description=HTML Text; nametemplate=%s.html
application/x-troff-man; /usr/bin/nroff -mandoc -Tutf8; copiousoutput; print=/usr/bin/nroff -mandoc -Tutf8 | print text/plain:-
text/troff; /usr/bin/nroff -mandoc -Tutf8; copiousoutput; print=/usr/bin/nroff -mandoc -Tutf8 | print text/plain:-
text/html; /usr/bin/elinks -force-html -dump %s; copiousoutput; description=HTML Text; nametemplate=%s.html
application/zip; unzip -l %s; nametemplate=%s.zip; copiousoutput
text/plain; view %s; edit=vi %s; compose=vi %s; needsterminal
-application/x-troff-man; /usr/bin/man -Tascii -l '%s' | col -b; copiousoutput; description=Man page
-text/troff; /usr/bin/man -Tascii -l '%s' | col -b; copiousoutput; description=Man page
-text/*; less '%s'; needsterminal
+application/x-troff-man; /usr/bin/man -Tascii -l %s | col -b; copiousoutput; description=Man page
+text/troff; /usr/bin/man -Tascii -l %s | col -b; copiousoutput; description=Man page
+text/*; less %s; needsterminal
text/*; view %s; edit=vim %s; compose=vim %s; test=test -x /usr/bin/vim; needsterminal
-application/x-tar; /bin/tar tvf '%s'; print=/bin/tar tvf - | print text/plain:-; copiousoutput
-application/x-gtar; /bin/tar tvf '%s'; print=/bin/tar tvf - | print text/plain:-; copiousoutput
-application/x-ustar; /bin/tar tvf '%s'; print=/bin/tar tvf - | print text/plain:-; copiousoutput
+application/x-tar; /bin/tar tvf %s; print=/bin/tar tvf - | print text/plain:-; copiousoutput
+application/x-gtar; /bin/tar tvf %s; print=/bin/tar tvf - | print text/plain:-; copiousoutput
+application/x-ustar; /bin/tar tvf %s; print=/bin/tar tvf - | print text/plain:-; copiousoutput
text/*; more %s; needsterminal
text/*; view %s; edit=vi %s; compose=vi %s; needsterminal
application/vnd.debian.binary-package; /usr/lib/mime/debian-view %s; needsterminal; description=Debian GNU/Linux Package; nametemplate=%s.deb
MANDB_MAP /usr/local/share/man /var/cache/man/local
MANDB_MAP /usr/X11R6/man /var/cache/man/X11R6
MANDB_MAP /opt/man /var/cache/man/opt
+MANDB_MAP /snap/man /var/cache/man/snap
#
#---------------------------------------------------------
# Program definitions. These are commented out by default as the value
# The MariaDB configuration file
#
# The MariaDB/MySQL tools read configuration files in the following order:
+# 0. "/etc/mysql/my.cnf" symlinks to this file, reason why all the rest is read.
# 1. "/etc/mysql/mariadb.cnf" (this file) to set global defaults,
# 2. "/etc/mysql/conf.d/*.cnf" to set global options.
# 3. "/etc/mysql/mariadb.conf.d/*.cnf" to set MariaDB-only options.
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
+#
+# If you are new to MariaDB, check out https://mariadb.com/kb/en/basic-mariadb-articles/
#
-# This group is read both both by the client and the server
+# This group is read both by the client and the server
# use it for options that affect everything
#
[client-server]
+# Port or socket location where to connect
+# port = 3306
+socket = /run/mysqld/mysqld.sock
# Import all .cnf files from configuration directory
!includedir /etc/mysql/conf.d/
--- /dev/null
+# 'check_curl_http' command definition
+define command{
+ command_name check_curl_http
+ command_line /usr/lib/nagios/plugins/check_curl -H '$HOSTADDRESS$' -I '$HOSTADDRESS$' '$ARG1$'
+ }
+
+# 'check_curl_httpname' command definition
+define command{
+ command_name check_curl_httpname
+ command_line /usr/lib/nagios/plugins/check_curl -H '$HOSTNAME$' -I '$HOSTADDRESS$' '$ARG1$'
+ }
+
+# 'check_curl_http2' command definition
+define command{
+ command_name check_curl_http2
+ command_line /usr/lib/nagios/plugins/check_curl -H '$ARG1$' -I '$HOSTADDRESS$' -w '$ARG2$' -c '$ARG3$' '$ARG4$'
+ }
+
+# 'check_curl_squid' command definition
+define command{
+ command_name check_curl_squid
+ command_line /usr/lib/nagios/plugins/check_curl -H '$HOSTADDRESS$' -p '$ARG1$' -u '$ARG2$'
+ }
+
+# 'check_curl_https' command definition
+define command{
+ command_name check_curl_https
+ command_line /usr/lib/nagios/plugins/check_curl --ssl -H '$HOSTADDRESS$' -I '$HOSTADDRESS$' '$ARG1$'
+ }
+
+# 'check_curl_https_httpname' command definition
+define command{
+ command_name check_curl_https_hostname
+ command_line /usr/lib/nagios/plugins/check_curl --ssl -H '$HOSTNAME$' -I '$HOSTADDRESS$' '$ARG1$'
+ }
+
+# 'check_curl_https_auth' command definition
+define command{
+ command_name check_curl_https_auth
+ command_line /usr/lib/nagios/plugins/check_curl --ssl -H '$HOSTADDRESS$' -I '$HOSTADDRESS$' -a '$ARG1$' '$ARG2$'
+ }
+
+# 'check_curl_https_auth_hostname' command definition
+define command{
+ command_name check_curl_https_auth_hostname
+ command_line /usr/lib/nagios/plugins/check_curl --ssl -H '$HOSTNAME$' -I '$HOSTADDRESS$' -a '$ARG1$' '$ARG2$'
+ }
+
+# 'check_curl_cups' command definition
+define command{
+ command_name check_curl_cups
+ command_line /usr/lib/nagios/plugins/check_curl -I '$HOSTADDRESS$' -p 631 '$ARG1$'
+ }
+
+####
+# use these checks, if you want to test IPv4 connectivity on IPv6 enabled systems
+####
+
+# 'check_curl_http_4' command definition
+define command{
+ command_name check_curl_http_4
+ command_line /usr/lib/nagios/plugins/check_curl -H '$HOSTADDRESS$' -I '$HOSTADDRESS$' -4 '$ARG1$'
+ }
+
+# 'check_curl_httpname_4' command definition
+define command{
+ command_name check_curl_httpname_4
+ command_line /usr/lib/nagios/plugins/check_curl -H '$HOSTNAME$' -I '$HOSTADDRESS$' -4 '$ARG1$'
+ }
+
+# 'check_curl_http2_4' command definition
+define command{
+ command_name check_curl_http2_4
+ command_line /usr/lib/nagios/plugins/check_curl -H '$ARG1$' -I '$HOSTADDRESS$' -w '$ARG2$' -c '$ARG3$' -4 '$ARG4$'
+ }
+
+# 'check_curl_squid_4' command definition
+define command{
+ command_name check_curl_squid_4
+ command_line /usr/lib/nagios/plugins/check_curl -H '$HOSTADDRESS$' -p '$ARG1$' -u '$ARG2$' -4
+ }
+
+# 'check_curl_https_4' command definition
+define command{
+ command_name check_curl_https_4
+ command_line /usr/lib/nagios/plugins/check_curl --ssl -H '$HOSTADDRESS$' -I '$HOSTADDRESS$' -4 '$ARG1$'
+ }
+
+# 'check_curls_https_hostname_4' command definition
+define command{
+ command_name check_curl_https_hostname_4
+ command_line /usr/lib/nagios/plugins/check_curl --ssl -H '$HOSTNAME$' -I '$HOSTADDRESS$' -4 '$ARG1$'
+ }
+
+# 'check_curl_https_auth_4' command definition
+define command{
+ command_name check_curl_https_auth_4
+ command_line /usr/lib/nagios/plugins/check_curl --ssl -H '$HOSTADDRESS$' -I '$HOSTADDRESS$' -a '$ARG1$' -4 '$ARG2$'
+ }
+
+# 'check_curl_https_auth_hostname_4' command definition
+define command{
+ command_name check_curl_https_auth_hostname_4
+ command_line /usr/lib/nagios/plugins/check_curl --ssl -H '$HOSTNAME' -I '$HOSTADDRESS$' -a '$ARG1$' -4 '$ARG2$'
+ }
+
+# 'check_curl_cups_4' command definition
+define command{
+ command_name check_curl_cups_4
+ command_line /usr/lib/nagios/plugins/check_curl -I '$HOSTADDRESS$' -p 631 -4 '$ARG1$'
+ }
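Review bot: The `check_curl_https_auth_hostname_4` definition writes `-H '$HOSTNAME'` without the closing `$`, unlike every other macro in this file; Nagios will presumably leave it unexpanded, and the unbalanced `$` may also disturb the macros that follow on that line. The argument should read `-H '$HOSTNAME$'`. Two header comments also disagree with the names they introduce: `'check_curl_https_httpname'` sits above `check_curl_https_hostname`, and `'check_curls_https_hostname_4'` above `check_curl_https_hostname_4`. Separately, the four `_auth` commands pass the credential pair as `-a '$ARG1$'` on the command line, where it can appear in process listings and must be stored in the service definitions that supply it. A comment such as `# -a puts user:password in argv; keep the object files that supply it readable only by the monitoring user` would be worth adding above them.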
# 'snmp_users' command definition
define command{
command_name snmp_users
- command_line /usr/lib/nagios/plugins/check_snmp -H '$HOSTADDRESS$' -C '$ARG1$' -o host.hrSystem.hrSystemNumUsers -w :'$ARG2$' -c :'$ARG3$' -l users
+ command_line /usr/lib/nagios/plugins/check_snmp -H '$HOSTADDRESS$' -C '$ARG1$' -o host.hrSystem.hrSystemNumUsers.0 -w :'$ARG2$' -c :'$ARG3$' -l users
}
## Sample initialization file for GNU nano.
##
-## Please note that you must have configured nano with --enable-nanorc
-## for this file to be read! Also note that this file should not be in
-## DOS or Mac format, and that characters specially interpreted by the
-## shell should not be escaped here.
+## For the options that take parameters, the default value is shown.
+## Other options are unset by default. To make sure that an option
+## is disabled, you can use "unset <option>".
##
-## To make sure an option is disabled, use "unset <option>".
-##
-## For the options that take parameters, the default value is given.
-## Other options are unset by default.
-##
-## Quotes inside string parameters don't have to be escaped with
-## backslashes. The last double quote in the string will be treated as
-## its end. For example, for the "brackets" option, ""')>]}" will match
-## ", ', ), >, ], and }.
+## Characters that are special in a shell should not be escaped here.
+## Inside string parameters, quotes should not be escaped -- the last
+## double quote on the line will be seen as the closing quote.
-## Make the 'nextword' function (Ctrl+Right) stop at word ends
-## instead of at beginnings.
+## Make 'nextword' (Ctrl+Right) and 'chopwordright' (Ctrl+Delete)
+## stop at word ends instead of at beginnings.
# set afterends
## When soft line wrapping is enabled, make it wrap lines at blanks
## Use bold text instead of reverse video text.
# set boldtext
+## Treat any line with leading whitespace as the beginning of a paragraph.
+# set bookstyle
+
## The characters treated as closing brackets when justifying paragraphs.
## This may not include any blank characters. Only closing punctuation,
## optionally followed by these closing brackets, can end sentences.
# set brackets ""')>]}"
+## Automatically hard-wrap the current line when it becomes overlong.
+# set breaklonglines
+
## Do case-sensitive searches by default.
# set casesensitive
## Use cut-from-cursor-to-end-of-line by default.
# set cutfromcursor
-## (The old form, 'cut', is deprecated.)
-## Set the line length for wrapping text and justifying paragraphs.
-## If the value is 0 or less, the wrapping point will be the screen
-## width less this number.
+## Do not use the line below the title bar, leaving it entirely blank.
+# set emptyline
+
+## Set the target width for automatic hard-wrapping and for justifying
+## paragraphs. If the specified value is 0 or less, the wrapping point
+## will be the terminal's width minus this number.
# set fill -8
## Remember the used search/replace strings for the next session.
set historylog
-## Display line numbers to the left of the text.
+## Display a "scrollbar" on the righthand side of the edit window.
+# set indicator
+
+## Scroll the buffer contents per half-screen instead of per line.
+# set jumpyscrolling
+
+## Display line numbers to the left (and any anchors in the margin).
# set linenumbers
## Enable vim-style lock-files. This is just to let a vim user know you
## no plans to implement vim-style undo state in these files.
set locking
+## Fall back to slow libmagic to try and determine an applicable syntax.
+# set magic
+
## The opening and closing brackets that can be found by bracket
## searches. They cannot contain blank characters. The former set must
## come before the latter set, and both must be in the same order.
# set matchbrackets "(<[{)>]}"
-## Use the blank line below the title bar as extra editing space.
-# set morespace
-
## Enable mouse support, if available for your system. When enabled,
## mouse clicks can be used to place the cursor, set the mark (with a
## double click), and execute shortcuts. The mouse will work in the X
## Don't automatically add a newline when a file does not end with one.
# set nonewlines
-## Don't pause between warnings at startup. Which means that only the
-## last one will be readable (when there are multiple ones).
-# set nopauses
-
-## Don't wrap text at all.
-set nowrap
-
## Set operating directory. nano will not read or write files outside
## this directory and its subdirectories. Also, the current directory
## is changed to here, so any files are inserted from this dir. A blank
## 1 keystroke instead of 26. Note that "constantshow" overrides this.
# set quickblank
-## The email-quote string, used to justify email-quoted paragraphs.
-## This is an extended regular expression. The default is:
-# set quotestr "^([ ]*([#:>|}]|//))+"
+## The regular expression that matches quoting characters in email
+## or line-comment introducers in source code. The default is:
+# set quotestr "^([ ]*([!#%:;>|}]|//))+"
+
+## Try to work around a mismatching terminfo terminal description.
+# set rawsequences
## Fix Backspace/Delete confusion problem.
# set rebinddelete
-## Fix numeric keypad key confusion problem.
-# set rebindkeypad
-
-## Do extended regular expression searches by default.
+## Do regular-expression searches by default.
+## Regular expressions are of the extended type (ERE).
# set regexp
-## Put the cursor on the highlighted item in the file browser;
-## useful for people who use a braille display.
+## Save a changed buffer automatically on exit; don't prompt.
+# set saveonexit
+## (The old form of this option, 'set tempfile', is deprecated.)
+
+## Put the cursor on the highlighted item in the file browser, and show
+## the cursor in the help viewer; useful for people who use a braille
+## display and people with poor vision.
# set showcursor
## Make the Home key smarter. When Home is pressed anywhere but at the
## beginning of the line.
# set smarthome
-## Use smooth scrolling as the default.
-# set smooth
-
-## Enable soft line wrapping (AKA full-line display).
+## Spread overlong lines over multiple screen lines.
# set softwrap
## Use this spelling checker instead of the internal one. This option
## does not have a default value.
# set speller "aspell -x -c"
-## Allow nano to be suspended.
-set suspend
+## Use the end of the title bar for some state flags: I = auto-indenting,
+## M = mark, L = hard-wrapping long lines, R = recording, S = soft-wrapping.
+set stateflags
+
+## Allow nano to be suspended (with ^Z by default).
+set suspendable
+## (The old form of this option, 'set suspend', is deprecated.)
## Use this tab size instead of the default; it must be greater than 0.
# set tabsize 8
## Convert typed tabs to spaces.
# set tabstospaces
-## Save automatically on exit; don't prompt.
-# set tempfile
-
## Snip whitespace at the end of lines when justifying or hard-wrapping.
# set trimblanks
-## (The old form, 'justifytrim', is deprecated.)
-
-## Disallow file modification. Why would you want this in an rcfile? ;)
-# set view
## The two single-column characters used to display the first characters
## of tabs and spaces. 187 in ISO 8859-1 (0000BB in Unicode) and 183 in
## set, it overrides option 'set wordbounds'.
# set wordchars "<_>."
+## Let an unmodified Backspace or Delete erase the marked region (instead
+## of a single character, and without affecting the cutbuffer).
+# set zap
## Paint the interface elements of nano. These are examples;
## by default there are no colors, except for errorcolor.
-# set titlecolor brightwhite,blue
-# set statuscolor brightwhite,green
-# set errorcolor brightwhite,red
-# set selectedcolor brightwhite,magenta
+# set titlecolor bold,lightwhite,blue
+# set statuscolor bold,lightwhite,green
+# set errorcolor bold,lightwhite,red
+# set selectedcolor lightwhite,magenta
+# set stripecolor ,yellow
+# set scrollercolor cyan
# set numbercolor cyan
# set keycolor cyan
# set functioncolor green
+
## In root's .nanorc you might want to use:
-# set titlecolor brightwhite,magenta
-# set statuscolor brightwhite,magenta
-# set errorcolor brightwhite,red
-# set selectedcolor brightwhite,cyan
+# set titlecolor bold,lightwhite,magenta
+# set statuscolor bold,lightwhite,magenta
+# set errorcolor bold,lightwhite,red
+# set selectedcolor lightwhite,cyan
+# set stripecolor ,yellow
+# set scrollercolor magenta
# set numbercolor magenta
-# set keycolor brightmagenta
+# set keycolor lightmagenta
# set functioncolor magenta
-## Setup of syntax coloring.
-##
-## Format:
-##
-## syntax "short description" ["filename regex" ...]
-##
-## The "none" syntax is reserved; specifying it on the command line is
-## the same as not having a syntax at all. The "default" syntax is
-## special: it takes no filename regexes, and applies to files that
-## don't match any other syntax's filename regexes.
-##
-## color foreground,background "regex" ["regex"...]
-## or
-## icolor foreground,background "regex" ["regex"...]
-##
-## "color" will do case-sensitive matches, while "icolor" will do
-## case-insensitive matches.
-##
-## Valid colors: white, black, red, blue, green, yellow, magenta, cyan.
-## For foreground colors, you may use the prefix "bright" to get a
-## stronger highlight.
-##
-## To use multi-line regexes, use the start="regex" end="regex"
-## [start="regex" end="regex"...] format.
-##
-## If your system supports transparency, not specifying a background
-## color will use a transparent color. If you don't want this, be sure
-## to set the background color to black or white.
-##
-## All regexes should be extended regular expressions.
-##
-## If you wish, you may put your syntax definitions in separate files.
-## You can make use of such files as follows:
-##
-## include "/path/to/syntax_file.nanorc"
-##
-## Unless otherwise noted, the name of the syntax file (without the
-## ".nanorc" extension) should be the same as the "short description"
-## name inside that file. These names are kept fairly short to make
-## them easier to remember and faster to type using nano's -Y option.
-##
-## To include all existing syntax definitions, you can do:
-include "/usr/share/nano/*.nanorc"
-
+## === Syntax coloring ===
+## For all details, see 'man nanorc', section SYNTAX HIGHLIGHTING.
-## Key bindings.
-## See nanorc(5) (section REBINDING KEYS) for more details on this.
-##
-## The following two functions are not bound to any key by default.
-## You may wish to choose other keys than the ones suggested here.
-# bind M-B cutwordleft main
-# bind M-N cutwordright main
+## To include most of the existing syntax definitions, you can do:
+include "/usr/share/nano/*.nanorc"
-## Set this if your Backspace key sends Del most of the time.
-# bind Del backspace all
+## Or you can select just the ones you need. For example:
+# include "/usr/share/nano/html.nanorc"
+# include "/usr/share/nano/python.nanorc"
+# include "/usr/share/nano/sh.nanorc"
+
+## In /usr/share/nano/extra/ you can find some syntaxes that are
+## specific for certain distros or for some less common languages.
+
+
+## If <Tab> should always produce four spaces when editing a Python file,
+## independent of the settings of 'tabsize' and 'tabstospaces':
+# extendsyntax python tabgives " "
+
+## If <Tab> should always produce an actual TAB when editing a Makefile:
+# extendsyntax makefile tabgives " "
+
+
+## === Key bindings ===
+## For all details, see 'man nanorc', section REBINDING KEYS.
+
+## The <Ctrl+Delete> keystroke deletes the word to the right of the cursor.
+## On some terminals the <Ctrl+Backspace> keystroke produces ^H, which is
+## the ASCII character for backspace, so it is bound by default to the
+## backspace function. The <Backspace> key itself produces a different
+## keycode, which is hard-bound to the backspace function. So, if you
+## normally use <Backspace> for backspacing and not ^H, you can make
+## <Ctrl+Backspace> delete the word to the left of the cursor with:
+# bind ^H chopwordleft main
+
+## If you would like nano to have keybindings that are more "usual",
+## such as ^O for Open, ^F for Find, ^H for Help, and ^Q for Quit,
+## then uncomment these:
+#bind ^Q exit all
+#bind ^S savefile main
+#bind ^W writeout main
+#bind ^O insert main
+#bind ^H help all
+#bind ^H exit help
+#bind ^F whereis all
+#bind ^G findnext all
+#bind ^B wherewas all
+#bind ^D findprevious all
+#bind ^R replace main
+#bind M-X flipnewbuffer all
+#bind ^X cut all
+#bind ^C copy main
+#bind ^V paste all
+#bind ^P location main
+#bind ^A mark main
+#unbind ^K main
+#unbind ^U all
+#unbind ^N main
+#unbind ^Y all
+#unbind M-J main
+#unbind M-T main
+#bind ^T gotoline main
+#bind ^T gotodir browser
+#bind ^Y speller main
+#bind M-U undo main
+#bind M-R redo main
+#bind ^U undo main
+#bind ^E redo main
+#set multibuffer
# Thomas Liske <thomas@fiasko-nw.net>
#
# Copyright Holder:
-# 2013 - 2018 (C) Thomas Liske [http://fiasko-nw.net/~thomas/]
+# 2013 - 2020 (C) Thomas Liske [http://fiasko-nw.net/~thomas/]
#
# License:
# This program is free software; you can redistribute it and/or modify
# Thomas Liske <thomas@fiasko-nw.net>
#
# Copyright Holder:
-# 2013 - 2018 (C) Thomas Liske [http://fiasko-nw.net/~thomas/]
+# 2013 - 2020 (C) Thomas Liske [http://fiasko-nw.net/~thomas/]
#
# License:
# This program is free software; you can redistribute it and/or modify
--- /dev/null
+#!/usr/bin/perl
+
+# needrestart - Restart daemons after library updates.
+#
+# Authors:
+# Thomas Liske <thomas@fiasko-nw.net>
+#
+# Copyright Holder:
+# 2013 - 2020 (C) Thomas Liske [http://fiasko-nw.net/~thomas/]
+#
+# License:
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this package; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+
+# This PacMan hook tries to find the run-level scripts of the package's binary
+# which has old libraries in use.
+
+use Getopt::Std;
+
+use strict;
+use warnings;
+
+system("type pacman 1> /dev/null 2> /dev/null");
+exit 0 if ($? != -1 && $? >> 8);
+
+our $opt_v;
+getopts('c:v');
+
+sub fork_pipe(@) {
+ my $pid = open(HPIPE, '-|');
+ defined($pid) || die "Can't fork: $!\n";
+
+ if($pid == 0) {
+ close(STDIN);
+ close(STDERR) unless($opt_v);
+
+ exec(@_);
+ exit;
+ }
+
+ \*HPIPE
+}
+
+my $FN = shift || die "Usage: $0 <filename>\n";
+my $psearch = fork_pipe(qw(pacman -Qqo), $FN);
+
+my @pkgs;
+while(<$psearch>) {
+ chomp;
+
+ push(@pkgs, $_);
+}
+close($psearch);
+
+exit(0) unless($#pkgs > -1);
+
+foreach my $pkg (@pkgs) {
+ print "PACKAGE|$pkg\n";
+
+ my $plist = fork_pipe(qw(pacman -Qql), $pkg);
+ while(<$plist>) {
+ chomp;
+ print "RC|$2\n" if(m@/etc(/rc\.d)?/init\.d/(.+)$@ && -x $_);
+ }
+ close($plist);
+}
+
+exit(1);
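Review bot: In `fork_pipe` the child runs `exec(@_); exit;`, so a failed exec ends the child with status 0, and because STDERR is closed unless `-v` is given, the reason is lost as well. The parent then reads an empty pipe and cannot tell a failed pacman call from a file that no package owns. Exiting non-zero in the child, `exec(@_) or exit(127);`, and checking the result of `close($psearch)` and `close($plist)` would make that case visible. `fork_pipe` also reuses the bareword handle `HPIPE` on every call, which works only because each pipe is closed before the next one is opened; a lexical handle, `open(my $fh, '-|')`, removes that coupling.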
# Thomas Liske <thomas@fiasko-nw.net>
#
# Copyright Holder:
-# 2013 - 2018 (C) Thomas Liske [http://fiasko-nw.net/~thomas/]
+# 2013 - 2020 (C) Thomas Liske [http://fiasko-nw.net/~thomas/]
#
# License:
# This program is free software; you can redistribute it and/or modify
--- /dev/null
+# needrestart - Restart daemons after library updates.
+#
+# This shell script is sourced in /usr/lib/needrestart/iucode-scan-versions
+# before calling iucode_tool to detect microcode updates for Intel CPUs.
+#
+# If required you may exec iucode_tool with customized parameters. You should
+# keep the `-l $filter` option and add a final exit statement in case the
+# exec call fails.
+
+# Example (generic):
+# exec iucode_tool -l $filter --ignore-broken -tb /lib/firmware/intel-ucode -ta /usr/share/misc/intel-microcode* 2>&1
+# exit $?
+
+# Example (CentOS):
+# lsinitrd -f kernel/x86/microcode/GenuineIntel.bin $(/boot/initramfs-*.img|sort -n|tail -n 1) | iucode_tool -t b -l -
+# exit $?
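Review bot: The CentOS example would not behave as intended if uncommented as written: in `$(/boot/initramfs-*.img|sort -n|tail -n 1)` the expanded image path is the first word of the pipeline, so the shell tries to execute the initramfs file instead of listing it. A listing step appears to be missing; presumably `$(ls /boot/initramfs-*.img | sort -n | tail -n 1)` was meant. Since this file is sourced by /usr/lib/needrestart/iucode-scan-versions, the example is worth correcting before anyone copies it into a live configuration.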
# needrestart - Restart daemons after library updates.
#
-# Authors:
-# Thomas Liske <thomas@fiasko-nw.net>
-#
-# Copyright Holder:
-# 2013 - 2018 (C) Thomas Liske [http://fiasko-nw.net/~thomas/]
-#
-# License:
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-
# This is the configuration file of needrestart. This is perl syntax.
-# needrstart uses reasonable default values, you might not need to
+# needrestart uses reasonable default values, you might not need to
# change anything.
+#
# Verbosity:
# 0 => quiet
# Blacklist services (list of regex) - USE WITH CARE.
# You should prefere to put services to $nrconf{override_rc} instead.
-# Any service listed in $nrconf{blacklist_rc} we be ignored completely!
+# Any service listed in $nrconf{blacklist_rc} will be ignored completely!
#$nrconf{blacklist_rc} = [
#];
# networking stuff
qr(^bird) => 0,
- qr(^networking) => 0,
- qr(^network-manager) => 0,
+ qr(^network) => 0,
qr(^NetworkManager) => 0,
qr(^ModemManager) => 0,
qr(^wpa_supplicant) => 0,
qr(^frr) => 0,
qr(^tinc) => 0,
qr(^(open|free|libre|strong)swan) => 0,
+ qr(^bluetooth) => 0,
# gettys
qr(^getty@.+\.service) => 0,
# special device paths
qr(^/(SYSV00000000( \(deleted\))?|drm(\s|$)|dev/)),
+ # ignore memfd file used by nvidia binary drivers
+ qr(^/memfd:/.glXXXXXX),
+
# aio(7) mapping
qr(^/\[aio\]),
# plasmashell (issue #65)
qr(/#\d+( \(deleted\))?$),
- # Java Native Access
- qr#/tmp/jna--#,
-
- # Java Foreign Function Interface
- qr#^/tmp/jffi#,
-
- # elasticsearch
- qr#^/tmp/elasticsearch\.#,
+ # temporary stuff
+ qr#^(/var)?/tmp/#,
+ qr#^(/var)?/run/#,
];
# Verify mapped files in fileystem:
-# 0 : enabled (default)
-# -1: ignore non-existing files, workaround for broken grsecurity kernels
+# 0 : enabled
+# -1: ignore non-existing files, workaround for chroots and broken grsecurity kernels (default)
# 1 : disable check completely, rely on content of maps file only
-$nrconf{skip_mapfiles} = (-d '/proc/sys/kernel/grsecurity' ? -1 : 0);
+$nrconf{skip_mapfiles} = -1;
# Enable/disable hints on pending kernel upgrades:
# 1: requires the user to acknowledge pending kernels
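Review bot: The new patterns `qr#^(/var)?/tmp/#` and `qr#^(/var)?/run/#` replace three narrow entries (JNA, JFFI, elasticsearch) with a blanket exclusion. Presumably a process that still maps a replaced or deleted file anywhere under those directories is then no longer reported, which is a wider blind spot than the comment `# temporary stuff` suggests. With `$nrconf{skip_mapfiles} = -1` now set unconditionally as well, it would help to state the scope next to the entries, e.g. `# NOTE: every mapping below /tmp, /var/tmp, /run and /var/run is skipped, not only the former JNA/JFFI/elasticsearch files`. The list these patterns belong to starts outside the hunk, so its name is not visible here.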
# -1: print kernel hints to stderr only
#$nrconf{kernelhints} = -1;
+# Filter kernel image filenames by regex. This is required on Raspian having
+# multiple kernel image variants installed in parallel.
+#$nrconf{kernelfilter} = qr(kernel7\.img);
+
# Enable/disable CPU microcode update hints:
# 1: requires the user to acknowledge pending updates
# 0: disable microcode checks completely
# Read additional config snippets.
if(-d q(/etc/needrestart/conf.d)) {
foreach my $fn (sort </etc/needrestart/conf.d/*.conf>) {
- print STDERR "$LOGPREF eval $fn\n" if($nrconf{verbose});
+ print STDERR "$LOGPREF eval $fn\n" if($nrconf{verbosity} > 1);
eval do { local(@ARGV, $/) = $fn; <>};
die "Error parsing $fn: $@" if($@);
}
# needrestart - Restart daemons after library updates.
#
-# Authors:
-# Thomas Liske <thomas@fiasko-nw.net>
-#
-# Copyright Holder:
-# 2013 - 2018 (C) Thomas Liske [http://fiasko-nw.net/~thomas/]
-#
-# License:
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-
# Configure notification globals (shell syntax)
+#
# Disable write to tty (notify.d/200-write)
#NR_NOTIFYD_DISABLE_WRITE='1'
# Thomas Liske <thomas@fiasko-nw.net>
#
# Copyright Holder:
-# 2013 - 2018 (C) Thomas Liske [http://fiasko-nw.net/~thomas/]
+# 2013 - 2020 (C) Thomas Liske [http://fiasko-nw.net/~thomas/]
#
# License:
# This program is free software; you can redistribute it and/or modify
# Thomas Liske <thomas@fiasko-nw.net>
#
# Copyright Holder:
-# 2013 - 2018 (C) Thomas Liske [http://fiasko-nw.net/~thomas/]
+# 2013 - 2020 (C) Thomas Liske [http://fiasko-nw.net/~thomas/]
#
# License:
# This program is free software; you can redistribute it and/or modify
case "$NR_SESSION" in
session*)
- # cleanup environment
- unset DBUS_SESSION_BUS_ADDRESS
+ DBUS_SESSION_BUS_ADDRESS=$(sed -z -n s/^DBUS_SESSION_BUS_ADDRESS=//p "/proc/$NR_SESSPPID/environ")
+ if [ -z "$DBUS_SESSION_BUS_ADDRESS" ]; then
+ unset DBUS_SESSION_BUS_ADDRESS
+ fi
+
export DISPLAY=$(sed -z -n s/^DISPLAY=//p "/proc/$NR_SESSPPID/environ")
export XAUTHORITY=$(sed -z -n s/^XAUTHORITY=//p "/proc/$NR_SESSPPID/environ")
MSGBODY=$(gettext 'Your session is running obsolete binaries or libraries as listed below.
<i><b>Please consider a relogin or restart of the affected processes!</b></i>')'\n'$(cat)
- su -p -s /bin/sh -c "$NSEND -u critical -i dialog-warning \"$MSGTITLE\" \"$MSGBODY\"" "$NR_USERNAME"
+ su -p -s /bin/sh -c "$NSEND -a needrestart -u critical -i dialog-warning \"$MSGTITLE\" \"$MSGBODY\"" "$NR_USERNAME"
;;
*)
echo "[$0] skip session '$NR_SESSION'" 1>&2
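Review bot: The `su -c` string on the changed line splices `$MSGTITLE` and `$MSGBODY` between escaped double quotes, so the inner /bin/sh parses their content a second time. `$MSGBODY` ends with `$(cat)`, and a `"`, backtick or `$(` arriving on stdin would be treated as shell syntax in the target user's session rather than displayed as text. Because `-p` already carries the environment across, the values can be passed as variables and expanded only by the inner shell: `export MSGTITLE MSGBODY`, then `su -p -s /bin/sh -c "$NSEND -a needrestart -u critical -i dialog-warning \"\$MSGTITLE\" \"\$MSGBODY\"" "$NR_USERNAME"`. Separately, the new `DBUS_SESSION_BUS_ADDRESS=` assignment is not exported the way `DISPLAY` and `XAUTHORITY` are, so it presumably reaches notify-send only when the variable was already in the environment. The `case` statement continues past the end of the hunk.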
# Thomas Liske <thomas@fiasko-nw.net>
#
# Copyright Holder:
-# 2013 - 2018 (C) Thomas Liske [http://fiasko-nw.net/~thomas/]
+# 2013 - 2020 (C) Thomas Liske [http://fiasko-nw.net/~thomas/]
#
# License:
# This program is free software; you can redistribute it and/or modify
# needrestart - Restart daemons after library updates.
#
-# Authors:
-# Thomas Liske <thomas@fiasko-nw.net>
-#
-# Copyright Holder:
-# 2013 - 2018 (C) Thomas Liske [http://fiasko-nw.net/~thomas/]
-#
-# License:
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-
# Restart dbus and affiliated services under systemd using a procedure
# suggested by @Vladimir-csp in github issue #44.
+#
# enable xtrace if we should be verbose
if [ "$NR_VERBOSE" = '1' ]; then
# needrestart - Restart daemons after library updates.
#
-# Authors:
-# Thomas Liske <thomas@fiasko-nw.net>
-#
-# Copyright Holder:
-# 2013 - 2018 (C) Thomas Liske [http://fiasko-nw.net/~thomas/]
-#
-# License:
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
+# Restarting systemd using special systemctl call.
#
# enable xtrace if we should be verbose
# needrestart - Restart daemons after library updates.
#
-# Authors:
-# Thomas Liske <thomas@fiasko-nw.net>
-#
-# Copyright Holder:
-# 2013 - 2018 (C) Thomas Liske [http://fiasko-nw.net/~thomas/]
-#
-# License:
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
+# Restart SysV's init.
#
# enable xtrace if we should be verbose
[ -x /usr/sbin/chronyd ] || exit 0
-if [ -e /run/chronyd.pid ]; then
+if [ -e /run/chrony/chronyd.pid ]; then
chronyc onoffline > /dev/null 2>&1
fi
[ -x /usr/sbin/chronyd ] || exit 0
-if [ -e /run/chronyd.pid ]; then
+if [ -e /run/chrony/chronyd.pid ]; then
chronyc onoffline > /dev/null 2>&1
fi
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
-auth [success=1 default=ignore] pam_unix.so nullok_secure
+auth [success=1 default=ignore] pam_unix.so nullok
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
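Review bot: Replacing `nullok_secure` with `nullok` on the pam_unix auth line widens where accounts with an empty password field are accepted. The old Debian-specific option limited that to logins from terminals listed in /etc/securetty, while `nullok` applies to every service that includes this stack. If no account is meant to authenticate without a password, the option can be dropped, `auth [success=1 default=ignore] pam_unix.so`. Otherwise, confirm that no shadow entry has an empty password field. The surrounding comments say the file is managed by pam-auth-update, so a local change would have to be made in a way that survives regeneration.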
# used to change user passwords. The default is pam_unix.
# Explanation of pam_unix options:
-#
-# The "sha512" option enables salted SHA512 passwords. Without this option,
-# the default is Unix crypt. Prior releases used the option "md5".
-#
-# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
-# login.defs.
-#
-# See the pam_unix manpage for other options.
+# The "yescrypt" option enables
+#hashed passwords using the yescrypt algorithm, introduced in Debian
+#11. Without this option, the default is Unix crypt. Prior releases
+#used the option "sha512"; if a shadow password hash will be shared
+#between Debian 11 and older releases replace "yescrypt" with "sha512"
+#for compatibility . The "obscure" option replaces the old
+#`OBSCURE_CHECKS_ENAB' option in login.defs. See the pam_unix manpage
+#for other options.
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
-password [success=1 default=ignore] pam_unix.so obscure sha512
+password [success=1 default=ignore] pam_unix.so obscure yescrypt
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
-# at the start and end of sessions of *any* kind (both interactive and
-# non-interactive).
+# at the start and end of interactive sessions.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
-irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
_chrony:x:111:118:Chrony daemon,,,:/var/lib/chrony:/bin/false
nagios:x:112:119::/var/lib/nagios:/bin/false
systemd-coredump:x:999:999:systemd Core Dumper:/:/sbin/nologin
+tcpdump:x:103:121::/nonexistent:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
-irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
_apt:x:110:65534::/nonexistent:/bin/false
_chrony:x:111:118:Chrony daemon,,,:/var/lib/chrony:/bin/false
nagios:x:112:119::/var/lib/nagios:/bin/false
+systemd-coredump:x:999:999:systemd Core Dumper:/:/sbin/nologin
+tcpdump:x:103:121::/nonexistent:/usr/sbin/nologin
--- /dev/null
+root:x:0:0:root Ns3:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
+systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
+systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
+sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
+postfix:x:105:111::/var/spool/postfix:/bin/false
+bind:x:106:114:Bind daemon user,,,:/var/cache/bind:/bin/false
+frank:x:1017:100:Frank Brehm:/home/frank:/bin/bash
+doris:x:1019:100:Doris Hennig:/home/doris:/bin/bash
+patrick:x:1004:100:Patrick Hennig:/home/patrick:/bin/bash
+ulog:x:107:115::/var/log/ulog:/bin/false
+openldap:x:108:116:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
+gitdeploy:x:3334:100:Git deploy user:/home/gitdeploy:/bin/sh
+messagebus:x:109:117::/var/run/dbus:/bin/false
+_apt:x:110:65534::/nonexistent:/bin/false
+_chrony:x:111:118:Chrony daemon,,,:/var/lib/chrony:/bin/false
+nagios:x:112:119::/var/lib/nagios:/bin/false
+systemd-coredump:x:999:999:systemd Core Dumper:/:/sbin/nologin
+++ /dev/null
-/etc/php/7.3/mods-available/opcache.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/pdo.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/calendar.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/ctype.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/exif.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/fileinfo.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/ftp.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/gd.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/gettext.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/iconv.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/json.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/ldap.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/phar.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/posix.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/readline.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/shmop.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/sockets.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/sysvmsg.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/sysvsem.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/sysvshm.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/tokenizer.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/opcache.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/pdo.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/calendar.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/ctype.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/exif.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/fileinfo.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/ftp.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/gd.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/gettext.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/iconv.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/json.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/ldap.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/phar.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/posix.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/readline.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/shmop.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/sockets.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/sysvmsg.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/sysvsem.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/sysvshm.ini
\ No newline at end of file
+++ /dev/null
-/etc/php/7.3/mods-available/tokenizer.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/opcache.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/pdo.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/calendar.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/ctype.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/exif.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/ffi.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/fileinfo.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/ftp.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/gd.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/gettext.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/iconv.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/json.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/ldap.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/phar.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/posix.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/readline.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/shmop.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/sockets.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/sysvmsg.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/sysvsem.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/sysvshm.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/tokenizer.ini
\ No newline at end of file
--- /dev/null
+[PHP]
+
+;;;;;;;;;;;;;;;;;;;
+; About php.ini ;
+;;;;;;;;;;;;;;;;;;;
+; PHP's initialization file, generally called php.ini, is responsible for
+; configuring many of the aspects of PHP's behavior.
+
+; PHP attempts to find and load this configuration from a number of locations.
+; The following is a summary of its search order:
+; 1. SAPI module specific location.
+; 2. The PHPRC environment variable. (As of PHP 5.2.0)
+; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0)
+; 4. Current working directory (except CLI)
+; 5. The web server's directory (for SAPI modules), or directory of PHP
+; (otherwise in Windows)
+; 6. The directory from the --with-config-file-path compile time option, or the
+; Windows directory (usually C:\windows)
+; See the PHP docs for more specific information.
+; http://php.net/configuration.file
+
+; The syntax of the file is extremely simple. Whitespace and lines
+; beginning with a semicolon are silently ignored (as you probably guessed).
+; Section headers (e.g. [Foo]) are also silently ignored, even though
+; they might mean something in the future.
+
+; Directives following the section heading [PATH=/www/mysite] only
+; apply to PHP files in the /www/mysite directory. Directives
+; following the section heading [HOST=www.example.com] only apply to
+; PHP files served from www.example.com. Directives set in these
+; special sections cannot be overridden by user-defined INI files or
+; at runtime. Currently, [PATH=] and [HOST=] sections only work under
+; CGI/FastCGI.
+; http://php.net/ini.sections
+
+; Directives are specified using the following syntax:
+; directive = value
+; Directive names are *case sensitive* - foo=bar is different from FOO=bar.
+; Directives are variables used to configure PHP or PHP extensions.
+; There is no name validation. If PHP can't find an expected
+; directive because it is not set or is mistyped, a default value will be used.
+
+; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one
+; of the INI constants (On, Off, True, False, Yes, No and None) or an expression
+; (e.g. E_ALL & ~E_NOTICE), a quoted string ("bar"), or a reference to a
+; previously set variable or directive (e.g. ${foo})
+
+; Expressions in the INI file are limited to bitwise operators and parentheses:
+; | bitwise OR
+; ^ bitwise XOR
+; & bitwise AND
+; ~ bitwise NOT
+; ! boolean NOT
+
+; Boolean flags can be turned on using the values 1, On, True or Yes.
+; They can be turned off using the values 0, Off, False or No.
+
+; An empty string can be denoted by simply not writing anything after the equal
+; sign, or by using the None keyword:
+
+; foo = ; sets foo to an empty string
+; foo = None ; sets foo to an empty string
+; foo = "None" ; sets foo to the string 'None'
+
+; If you use constants in your value, and these constants belong to a
+; dynamically loaded extension (either a PHP extension or a Zend extension),
+; you may only use these constants *after* the line that loads the extension.
+
+;;;;;;;;;;;;;;;;;;;
+; About this file ;
+;;;;;;;;;;;;;;;;;;;
+; PHP comes packaged with two INI files. One that is recommended to be used
+; in production environments and one that is recommended to be used in
+; development environments.
+
+; php.ini-production contains settings which hold security, performance and
+; best practices at its core. But please be aware, these settings may break
+; compatibility with older or less security conscience applications. We
+; recommending using the production ini in production and testing environments.
+
+; php.ini-development is very similar to its production variant, except it is
+; much more verbose when it comes to errors. We recommend using the
+; development version only in development environments, as errors shown to
+; application users can inadvertently leak otherwise secure information.
+
+; This is the php.ini-production INI file.
+
+;;;;;;;;;;;;;;;;;;;
+; Quick Reference ;
+;;;;;;;;;;;;;;;;;;;
+; The following are all the settings which are different in either the production
+; or development versions of the INIs with respect to PHP's default behavior.
+; Please see the actual settings later in the document for more details as to why
+; we recommend these changes in PHP's behavior.
+
+; display_errors
+; Default Value: On
+; Development Value: On
+; Production Value: Off
+
+; display_startup_errors
+; Default Value: Off
+; Development Value: On
+; Production Value: Off
+
+; error_reporting
+; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
+; Development Value: E_ALL
+; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
+
+; log_errors
+; Default Value: Off
+; Development Value: On
+; Production Value: On
+
+; max_input_time
+; Default Value: -1 (Unlimited)
+; Development Value: 60 (60 seconds)
+; Production Value: 60 (60 seconds)
+
+; output_buffering
+; Default Value: Off
+; Development Value: 4096
+; Production Value: 4096
+
+; register_argc_argv
+; Default Value: On
+; Development Value: Off
+; Production Value: Off
+
+; request_order
+; Default Value: None
+; Development Value: "GP"
+; Production Value: "GP"
+
+; session.gc_divisor
+; Default Value: 100
+; Development Value: 1000
+; Production Value: 1000
+
+; session.sid_bits_per_character
+; Default Value: 4
+; Development Value: 5
+; Production Value: 5
+
+; short_open_tag
+; Default Value: On
+; Development Value: Off
+; Production Value: Off
+
+; variables_order
+; Default Value: "EGPCS"
+; Development Value: "GPCS"
+; Production Value: "GPCS"
+
+;;;;;;;;;;;;;;;;;;;;
+; php.ini Options ;
+;;;;;;;;;;;;;;;;;;;;
+; Name for user-defined php.ini (.htaccess) files. Default is ".user.ini"
+;user_ini.filename = ".user.ini"
+
+; To disable this feature set this option to an empty value
+;user_ini.filename =
+
+; TTL for user-defined php.ini files (time-to-live) in seconds. Default is 300 seconds (5 minutes)
+;user_ini.cache_ttl = 300
+
+;;;;;;;;;;;;;;;;;;;;
+; Language Options ;
+;;;;;;;;;;;;;;;;;;;;
+
+; Enable the PHP scripting language engine under Apache.
+; http://php.net/engine
+engine = On
+
+; This directive determines whether or not PHP will recognize code between
+; <? and ?> tags as PHP source which should be processed as such. It is
+; generally recommended that <?php and ?> should be used and that this feature
+; should be disabled, as enabling it may result in issues when generating XML
+; documents, however this remains supported for backward compatibility reasons.
+; Note that this directive does not control the <?= shorthand tag, which can be
+; used regardless of this directive.
+; Default Value: On
+; Development Value: Off
+; Production Value: Off
+; http://php.net/short-open-tag
+short_open_tag = Off
+
+; The number of significant digits displayed in floating point numbers.
+; http://php.net/precision
+precision = 14
+
+; Output buffering is a mechanism for controlling how much output data
+; (excluding headers and cookies) PHP should keep internally before pushing that
+; data to the client. If your application's output exceeds this setting, PHP
+; will send that data in chunks of roughly the size you specify.
+; Turning on this setting and managing its maximum buffer size can yield some
+; interesting side-effects depending on your application and web server.
+; You may be able to send headers and cookies after you've already sent output
+; through print or echo. You also may see performance benefits if your server is
+; emitting less packets due to buffered output versus PHP streaming the output
+; as it gets it. On production servers, 4096 bytes is a good setting for performance
+; reasons.
+; Note: Output buffering can also be controlled via Output Buffering Control
+; functions.
+; Possible Values:
+; On = Enabled and buffer is unlimited. (Use with caution)
+; Off = Disabled
+; Integer = Enables the buffer and sets its maximum size in bytes.
+; Note: This directive is hardcoded to Off for the CLI SAPI
+; Default Value: Off
+; Development Value: 4096
+; Production Value: 4096
+; http://php.net/output-buffering
+output_buffering = 4096
+
+; You can redirect all of the output of your scripts to a function. For
+; example, if you set output_handler to "mb_output_handler", character
+; encoding will be transparently converted to the specified encoding.
+; Setting any output handler automatically turns on output buffering.
+; Note: People who wrote portable scripts should not depend on this ini
+; directive. Instead, explicitly set the output handler using ob_start().
+; Using this ini directive may cause problems unless you know what script
+; is doing.
+; Note: You cannot use both "mb_output_handler" with "ob_iconv_handler"
+; and you cannot use both "ob_gzhandler" and "zlib.output_compression".
+; Note: output_handler must be empty if this is set 'On' !!!!
+; Instead you must use zlib.output_handler.
+; http://php.net/output-handler
+;output_handler =
+
+; URL rewriter function rewrites URL on the fly by using
+; output buffer. You can set target tags by this configuration.
+; "form" tag is special tag. It will add hidden input tag to pass values.
+; Refer to session.trans_sid_tags for usage.
+; Default Value: "form="
+; Development Value: "form="
+; Production Value: "form="
+;url_rewriter.tags
+
+; URL rewriter will not rewrite absolute URL nor form by default. To enable
+; absolute URL rewrite, allowed hosts must be defined at RUNTIME.
+; Refer to session.trans_sid_hosts for more details.
+; Default Value: ""
+; Development Value: ""
+; Production Value: ""
+;url_rewriter.hosts
+
+; Transparent output compression using the zlib library
+; Valid values for this option are 'off', 'on', or a specific buffer size
+; to be used for compression (default is 4KB)
+; Note: Resulting chunk size may vary due to nature of compression. PHP
+; outputs chunks that are few hundreds bytes each as a result of
+; compression. If you prefer a larger chunk size for better
+; performance, enable output_buffering in addition.
+; Note: You need to use zlib.output_handler instead of the standard
+; output_handler, or otherwise the output will be corrupted.
+; http://php.net/zlib.output-compression
+zlib.output_compression = Off
+
+; http://php.net/zlib.output-compression-level
+;zlib.output_compression_level = -1
+
+; You cannot specify additional output handlers if zlib.output_compression
+; is activated here. This setting does the same as output_handler but in
+; a different order.
+; http://php.net/zlib.output-handler
+;zlib.output_handler =
+
+; Implicit flush tells PHP to tell the output layer to flush itself
+; automatically after every output block. This is equivalent to calling the
+; PHP function flush() after each and every call to print() or echo() and each
+; and every HTML block. Turning this option on has serious performance
+; implications and is generally recommended for debugging purposes only.
+; http://php.net/implicit-flush
+; Note: This directive is hardcoded to On for the CLI SAPI
+implicit_flush = Off
+
+; The unserialize callback function will be called (with the undefined class'
+; name as parameter), if the unserializer finds an undefined class
+; which should be instantiated. A warning appears if the specified function is
+; not defined, or if the function doesn't include/implement the missing class.
+; So only set this entry, if you really want to implement such a
+; callback-function.
+unserialize_callback_func =
+
+; The unserialize_max_depth specifies the default depth limit for unserialized
+; structures. Setting the depth limit too high may result in stack overflows
+; during unserialization. The unserialize_max_depth ini setting can be
+; overridden by the max_depth option on individual unserialize() calls.
+; A value of 0 disables the depth limit.
+;unserialize_max_depth = 4096
+
+; When floats & doubles are serialized, store serialize_precision significant
+; digits after the floating point. The default value ensures that when floats
+; are decoded with unserialize, the data will remain the same.
+; The value is also used for json_encode when encoding double values.
+; If -1 is used, then dtoa mode 0 is used which automatically select the best
+; precision.
+serialize_precision = -1
+
+; open_basedir, if set, limits all file operations to the defined directory
+; and below. This directive makes most sense if used in a per-directory
+; or per-virtualhost web server configuration file.
+; Note: disables the realpath cache
+; http://php.net/open-basedir
+;open_basedir =
+
+; This directive allows you to disable certain functions.
+; It receives a comma-delimited list of function names.
+; http://php.net/disable-functions
+disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
+
+; This directive allows you to disable certain classes.
+; It receives a comma-delimited list of class names.
+; http://php.net/disable-classes
+disable_classes =
+
+; Colors for Syntax Highlighting mode. Anything that's acceptable in
+; <span style="color: ???????"> would work.
+; http://php.net/syntax-highlighting
+;highlight.string = #DD0000
+;highlight.comment = #FF9900
+;highlight.keyword = #007700
+;highlight.default = #0000BB
+;highlight.html = #000000
+
+; If enabled, the request will be allowed to complete even if the user aborts
+; the request. Consider enabling it if executing long requests, which may end up
+; being interrupted by the user or a browser timing out. PHP's default behavior
+; is to disable this feature.
+; http://php.net/ignore-user-abort
+;ignore_user_abort = On
+
+; Determines the size of the realpath cache to be used by PHP. This value should
+; be increased on systems where PHP opens many files to reflect the quantity of
+; the file operations performed.
+; Note: if open_basedir is set, the cache is disabled
+; http://php.net/realpath-cache-size
+;realpath_cache_size = 4096k
+
+; Duration of time, in seconds for which to cache realpath information for a given
+; file or directory. For systems with rarely changing files, consider increasing this
+; value.
+; http://php.net/realpath-cache-ttl
+;realpath_cache_ttl = 120
+
+; Enables or disables the circular reference collector.
+; http://php.net/zend.enable-gc
+zend.enable_gc = On
+
+; If enabled, scripts may be written in encodings that are incompatible with
+; the scanner. CP936, Big5, CP949 and Shift_JIS are the examples of such
+; encodings. To use this feature, mbstring extension must be enabled.
+; Default: Off
+;zend.multibyte = Off
+
+; Allows to set the default encoding for the scripts. This value will be used
+; unless "declare(encoding=...)" directive appears at the top of the script.
+; Only affects if zend.multibyte is set.
+; Default: ""
+;zend.script_encoding =
+
+; Allows to include or exclude arguments from stack traces generated for exceptions.
+; In production, it is recommended to turn this setting on to prohibit the output
+; of sensitive information in stack traces
+; Default: Off
+zend.exception_ignore_args = On
+
+;;;;;;;;;;;;;;;;;
+; Miscellaneous ;
+;;;;;;;;;;;;;;;;;
+
+; Decides whether PHP may expose the fact that it is installed on the server
+; (e.g. by adding its signature to the Web server header). It is no security
+; threat in any way, but it makes it possible to determine whether you use PHP
+; on your server or not.
+; http://php.net/expose-php
+expose_php = Off
+
+;;;;;;;;;;;;;;;;;;;
+; Resource Limits ;
+;;;;;;;;;;;;;;;;;;;
+
+; Maximum execution time of each script, in seconds
+; http://php.net/max-execution-time
+; Note: This directive is hardcoded to 0 for the CLI SAPI
+max_execution_time = 30
+
+; Maximum amount of time each script may spend parsing request data. It's a good
+; idea to limit this time on productions servers in order to eliminate unexpectedly
+; long running scripts.
+; Note: This directive is hardcoded to -1 for the CLI SAPI
+; Default Value: -1 (Unlimited)
+; Development Value: 60 (60 seconds)
+; Production Value: 60 (60 seconds)
+; http://php.net/max-input-time
+max_input_time = 60
+
+; Maximum input variable nesting level
+; http://php.net/max-input-nesting-level
+;max_input_nesting_level = 64
+
+; How many GET/POST/COOKIE input variables may be accepted
+;max_input_vars = 1000
+
+; Maximum amount of memory a script may consume
+; http://php.net/memory-limit
+memory_limit = 128M
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Error handling and logging ;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; This directive informs PHP of which errors, warnings and notices you would like
+; it to take action for. The recommended way of setting values for this
+; directive is through the use of the error level constants and bitwise
+; operators. The error level constants are below here for convenience as well as
+; some common settings and their meanings.
+; By default, PHP is set to take action on all errors, notices and warnings EXCEPT
+; those related to E_NOTICE and E_STRICT, which together cover best practices and
+; recommended coding standards in PHP. For performance reasons, this is the
+; recommend error reporting setting. Your production server shouldn't be wasting
+; resources complaining about best practices and coding standards. That's what
+; development servers and development settings are for.
+; Note: The php.ini-development file has this setting as E_ALL. This
+; means it pretty much reports everything which is exactly what you want during
+; development and early testing.
+;
+; Error Level Constants:
+; E_ALL - All errors and warnings (includes E_STRICT as of PHP 5.4.0)
+; E_ERROR - fatal run-time errors
+; E_RECOVERABLE_ERROR - almost fatal run-time errors
+; E_WARNING - run-time warnings (non-fatal errors)
+; E_PARSE - compile-time parse errors
+; E_NOTICE - run-time notices (these are warnings which often result
+; from a bug in your code, but it's possible that it was
+; intentional (e.g., using an uninitialized variable and
+; relying on the fact it is automatically initialized to an
+; empty string)
+; E_STRICT - run-time notices, enable to have PHP suggest changes
+; to your code which will ensure the best interoperability
+; and forward compatibility of your code
+; E_CORE_ERROR - fatal errors that occur during PHP's initial startup
+; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's
+; initial startup
+; E_COMPILE_ERROR - fatal compile-time errors
+; E_COMPILE_WARNING - compile-time warnings (non-fatal errors)
+; E_USER_ERROR - user-generated error message
+; E_USER_WARNING - user-generated warning message
+; E_USER_NOTICE - user-generated notice message
+; E_DEPRECATED - warn about code that will not work in future versions
+; of PHP
+; E_USER_DEPRECATED - user-generated deprecation warnings
+;
+; Common Values:
+; E_ALL (Show all errors, warnings and notices including coding standards.)
+; E_ALL & ~E_NOTICE (Show all errors, except for notices)
+; E_ALL & ~E_NOTICE & ~E_STRICT (Show all errors, except for notices and coding standards warnings.)
+; E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR (Show only errors)
+; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
+; Development Value: E_ALL
+; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
+; http://php.net/error-reporting
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+
+; This directive controls whether or not and where PHP will output errors,
+; notices and warnings too. Error output is very useful during development, but
+; it could be very dangerous in production environments. Depending on the code
+; which is triggering the error, sensitive information could potentially leak
+; out of your application such as database usernames and passwords or worse.
+; For production environments, we recommend logging errors rather than
+; sending them to STDOUT.
+; Possible Values:
+; Off = Do not display any errors
+; stderr = Display errors to STDERR (affects only CGI/CLI binaries!)
+; On or stdout = Display errors to STDOUT
+; Default Value: On
+; Development Value: On
+; Production Value: Off
+; http://php.net/display-errors
+display_errors = Off
+
+; The display of errors which occur during PHP's startup sequence are handled
+; separately from display_errors. PHP's default behavior is to suppress those
+; errors from clients. Turning the display of startup errors on can be useful in
+; debugging configuration problems. We strongly recommend you
+; set this to 'off' for production servers.
+; Default Value: Off
+; Development Value: On
+; Production Value: Off
+; http://php.net/display-startup-errors
+display_startup_errors = Off
+
+; Besides displaying errors, PHP can also log errors to locations such as a
+; server-specific log, STDERR, or a location specified by the error_log
+; directive found below. While errors should not be displayed on productions
+; servers they should still be monitored and logging is a great way to do that.
+; Default Value: Off
+; Development Value: On
+; Production Value: On
+; http://php.net/log-errors
+log_errors = On
+
+; Set maximum length of log_errors. In error_log information about the source is
+; added. The default is 1024 and 0 allows to not apply any maximum length at all.
+; http://php.net/log-errors-max-len
+log_errors_max_len = 1024
+
+; Do not log repeated messages. Repeated errors must occur in same file on same
+; line unless ignore_repeated_source is set true.
+; http://php.net/ignore-repeated-errors
+ignore_repeated_errors = Off
+
+; Ignore source of message when ignoring repeated messages. When this setting
+; is On you will not log errors with repeated messages from different files or
+; source lines.
+; http://php.net/ignore-repeated-source
+ignore_repeated_source = Off
+
+; If this parameter is set to Off, then memory leaks will not be shown (on
+; stdout or in the log). This is only effective in a debug compile, and if
+; error reporting includes E_WARNING in the allowed list
+; http://php.net/report-memleaks
+report_memleaks = On
+
+; This setting is on by default.
+;report_zend_debug = 0
+
+; Store the last error/warning message in $php_errormsg (boolean). Setting this value
+; to On can assist in debugging and is appropriate for development servers. It should
+; however be disabled on production servers.
+; This directive is DEPRECATED.
+; Default Value: Off
+; Development Value: Off
+; Production Value: Off
+; http://php.net/track-errors
+;track_errors = Off
+
+; Turn off normal error reporting and emit XML-RPC error XML
+; http://php.net/xmlrpc-errors
+;xmlrpc_errors = 0
+
+; An XML-RPC faultCode
+;xmlrpc_error_number = 0
+
+; When PHP displays or logs an error, it has the capability of formatting the
+; error message as HTML for easier reading. This directive controls whether
+; the error message is formatted as HTML or not.
+; Note: This directive is hardcoded to Off for the CLI SAPI
+; http://php.net/html-errors
+;html_errors = On
+
+; If html_errors is set to On *and* docref_root is not empty, then PHP
+; produces clickable error messages that direct to a page describing the error
+; or function causing the error in detail.
+; You can download a copy of the PHP manual from http://php.net/docs
+; and change docref_root to the base URL of your local copy including the
+; leading '/'. You must also specify the file extension being used including
+; the dot. PHP's default behavior is to leave these settings empty, in which
+; case no links to documentation are generated.
+; Note: Never use this feature for production boxes.
+; http://php.net/docref-root
+; Examples
+;docref_root = "/phpmanual/"
+
+; http://php.net/docref-ext
+;docref_ext = .html
+
+; String to output before an error message. PHP's default behavior is to leave
+; this setting blank.
+; http://php.net/error-prepend-string
+; Example:
+;error_prepend_string = "<span style='color: #ff0000'>"
+
+; String to output after an error message. PHP's default behavior is to leave
+; this setting blank.
+; http://php.net/error-append-string
+; Example:
+;error_append_string = "</span>"
+
+; Log errors to specified file. PHP's default behavior is to leave this value
+; empty.
+; http://php.net/error-log
+; Example:
+;error_log = php_errors.log
+; Log errors to syslog (Event Log on Windows).
+;error_log = syslog
+
+; The syslog ident is a string which is prepended to every message logged
+; to syslog. Only used when error_log is set to syslog.
+;syslog.ident = php
+
+; The syslog facility is used to specify what type of program is logging
+; the message. Only used when error_log is set to syslog.
+;syslog.facility = user
+
+; Set this to disable filtering control characters (the default).
+; Some loggers only accept NVT-ASCII, others accept anything that's not
+; control characters. If your logger accepts everything, then no filtering
+; is needed at all.
+; Allowed values are:
+; ascii (all printable ASCII characters and NL)
+; no-ctrl (all characters except control characters)
+; all (all characters)
+; raw (like "all", but messages are not split at newlines)
+; http://php.net/syslog.filter
+;syslog.filter = ascii
+
+;windows.show_crt_warning
+; Default value: 0
+; Development value: 0
+; Production value: 0
+
+;;;;;;;;;;;;;;;;;
+; Data Handling ;
+;;;;;;;;;;;;;;;;;
+
+; The separator used in PHP generated URLs to separate arguments.
+; PHP's default setting is "&".
+; http://php.net/arg-separator.output
+; Example:
+;arg_separator.output = "&"
+
+; List of separator(s) used by PHP to parse input URLs into variables.
+; PHP's default setting is "&".
+; NOTE: Every character in this directive is considered as separator!
+; http://php.net/arg-separator.input
+; Example:
+;arg_separator.input = ";&"
+
+; This directive determines which super global arrays are registered when PHP
+; starts up. G,P,C,E & S are abbreviations for the following respective super
+; globals: GET, POST, COOKIE, ENV and SERVER. There is a performance penalty
+; paid for the registration of these arrays and because ENV is not as commonly
+; used as the others, ENV is not recommended on productions servers. You
+; can still get access to the environment variables through getenv() should you
+; need to.
+; Default Value: "EGPCS"
+; Development Value: "GPCS"
+; Production Value: "GPCS";
+; http://php.net/variables-order
+variables_order = "GPCS"
+
+; This directive determines which super global data (G,P & C) should be
+; registered into the super global array REQUEST. If so, it also determines
+; the order in which that data is registered. The values for this directive
+; are specified in the same manner as the variables_order directive,
+; EXCEPT one. Leaving this value empty will cause PHP to use the value set
+; in the variables_order directive. It does not mean it will leave the super
+; globals array REQUEST empty.
+; Default Value: None
+; Development Value: "GP"
+; Production Value: "GP"
+; http://php.net/request-order
+request_order = "GP"
+
+; This directive determines whether PHP registers $argv & $argc each time it
+; runs. $argv contains an array of all the arguments passed to PHP when a script
+; is invoked. $argc contains an integer representing the number of arguments
+; that were passed when the script was invoked. These arrays are extremely
+; useful when running scripts from the command line. When this directive is
+; enabled, registering these variables consumes CPU cycles and memory each time
+; a script is executed. For performance reasons, this feature should be disabled
+; on production servers.
+; Note: This directive is hardcoded to On for the CLI SAPI
+; Default Value: On
+; Development Value: Off
+; Production Value: Off
+; http://php.net/register-argc-argv
+register_argc_argv = Off
+
+; When enabled, the ENV, REQUEST and SERVER variables are created when they're
+; first used (Just In Time) instead of when the script starts. If these
+; variables are not used within a script, having this directive on will result
+; in a performance gain. The PHP directive register_argc_argv must be disabled
+; for this directive to have any effect.
+; http://php.net/auto-globals-jit
+auto_globals_jit = On
+
+; Whether PHP will read the POST data.
+; This option is enabled by default.
+; Most likely, you won't want to disable this option globally. It causes $_POST
+; and $_FILES to always be empty; the only way you will be able to read the
+; POST data will be through the php://input stream wrapper. This can be useful
+; to proxy requests or to process the POST data in a memory efficient fashion.
+; http://php.net/enable-post-data-reading
+;enable_post_data_reading = Off
+
+; Maximum size of POST data that PHP will accept.
+; Its value may be 0 to disable the limit. It is ignored if POST data reading
+; is disabled through enable_post_data_reading.
+; http://php.net/post-max-size
+post_max_size = 8M
+
+; Automatically add files before PHP document.
+; http://php.net/auto-prepend-file
+auto_prepend_file =
+
+; Automatically add files after PHP document.
+; http://php.net/auto-append-file
+auto_append_file =
+
+; By default, PHP will output a media type using the Content-Type header. To
+; disable this, simply set it to be empty.
+;
+; PHP's built-in default media type is set to text/html.
+; http://php.net/default-mimetype
+default_mimetype = "text/html"
+
+; PHP's default character set is set to UTF-8.
+; http://php.net/default-charset
+default_charset = "UTF-8"
+
+; PHP internal character encoding is set to empty.
+; If empty, default_charset is used.
+; http://php.net/internal-encoding
+;internal_encoding =
+
+; PHP input character encoding is set to empty.
+; If empty, default_charset is used.
+; http://php.net/input-encoding
+;input_encoding =
+
+; PHP output character encoding is set to empty.
+; If empty, default_charset is used.
+; See also output_buffer.
+; http://php.net/output-encoding
+;output_encoding =
+
+;;;;;;;;;;;;;;;;;;;;;;;;;
+; Paths and Directories ;
+;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; UNIX: "/path1:/path2"
+;include_path = ".:/usr/share/php"
+;
+; Windows: "\path1;\path2"
+;include_path = ".;c:\php\includes"
+;
+; PHP's default setting for include_path is ".;/path/to/php/pear"
+; http://php.net/include-path
+
+; The root of the PHP pages, used only if nonempty.
+; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root
+; if you are running php as a CGI under any web server (other than IIS)
+; see documentation for security issues. The alternate is to use the
+; cgi.force_redirect configuration below
+; http://php.net/doc-root
+doc_root =
+
+; The directory under which PHP opens the script using /~username used only
+; if nonempty.
+; http://php.net/user-dir
+user_dir =
+
+; Directory in which the loadable extensions (modules) reside.
+; http://php.net/extension-dir
+;extension_dir = "./"
+; On windows:
+;extension_dir = "ext"
+
+; Directory where the temporary files should be placed.
+; Defaults to the system default (see sys_get_temp_dir)
+;sys_temp_dir = "/tmp"
+
+; Whether or not to enable the dl() function. The dl() function does NOT work
+; properly in multithreaded servers, such as IIS or Zeus, and is automatically
+; disabled on them.
+; http://php.net/enable-dl
+enable_dl = Off
+
+; cgi.force_redirect is necessary to provide security running PHP as a CGI under
+; most web servers. Left undefined, PHP turns this on by default. You can
+; turn it off here AT YOUR OWN RISK
+; **You CAN safely turn this off for IIS, in fact, you MUST.**
+; http://php.net/cgi.force-redirect
+;cgi.force_redirect = 1
+
+; if cgi.nph is enabled it will force cgi to always sent Status: 200 with
+; every request. PHP's default behavior is to disable this feature.
+;cgi.nph = 1
+
+; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape
+; (iPlanet) web servers, you MAY need to set an environment variable name that PHP
+; will look for to know it is OK to continue execution. Setting this variable MAY
+; cause security issues, KNOW WHAT YOU ARE DOING FIRST.
+; http://php.net/cgi.redirect-status-env
+;cgi.redirect_status_env =
+
+; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's
+; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
+; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting
+; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting
+; of zero causes PHP to behave as before. Default is 1. You should fix your scripts
+; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
+; http://php.net/cgi.fix-pathinfo
+;cgi.fix_pathinfo=1
+
+; if cgi.discard_path is enabled, the PHP CGI binary can safely be placed outside
+; of the web tree and people will not be able to circumvent .htaccess security.
+;cgi.discard_path=1
+
+; FastCGI under IIS supports the ability to impersonate
+; security tokens of the calling client. This allows IIS to define the
+; security context that the request runs under. mod_fastcgi under Apache
+; does not currently support this feature (03/17/2002)
+; Set to 1 if running under IIS. Default is zero.
+; http://php.net/fastcgi.impersonate
+;fastcgi.impersonate = 1
+
+; Disable logging through FastCGI connection. PHP's default behavior is to enable
+; this feature.
+;fastcgi.logging = 0
+
+; cgi.rfc2616_headers configuration option tells PHP what type of headers to
+; use when sending HTTP response code. If set to 0, PHP sends Status: header that
+; is supported by Apache. When this option is set to 1, PHP will send
+; RFC2616 compliant header.
+; Default is zero.
+; http://php.net/cgi.rfc2616-headers
+;cgi.rfc2616_headers = 0
+
+; cgi.check_shebang_line controls whether CGI PHP checks for line starting with #!
+; (shebang) at the top of the running script. This line might be needed if the
+; script support running both as stand-alone script and via PHP CGI<. PHP in CGI
+; mode skips this line and ignores its content if this directive is turned on.
+; http://php.net/cgi.check-shebang-line
+;cgi.check_shebang_line=1
+
+;;;;;;;;;;;;;;;;
+; File Uploads ;
+;;;;;;;;;;;;;;;;
+
+; Whether to allow HTTP file uploads.
+; http://php.net/file-uploads
+file_uploads = On
+
+; Temporary directory for HTTP uploaded files (will use system default if not
+; specified).
+; http://php.net/upload-tmp-dir
+;upload_tmp_dir =
+
+; Maximum allowed size for uploaded files.
+; http://php.net/upload-max-filesize
+upload_max_filesize = 2M
+
+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 20
+
+;;;;;;;;;;;;;;;;;;
+; Fopen wrappers ;
+;;;;;;;;;;;;;;;;;;
+
+; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
+; http://php.net/allow-url-fopen
+allow_url_fopen = On
+
+; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
+; http://php.net/allow-url-include
+allow_url_include = Off
+
+; Define the anonymous ftp password (your email address). PHP's default setting
+; for this is empty.
+; http://php.net/from
+;from="john@doe.com"
+
+; Define the User-Agent string. PHP's default setting for this is empty.
+; http://php.net/user-agent
+;user_agent="PHP"
+
+; Default timeout for socket based streams (seconds)
+; http://php.net/default-socket-timeout
+default_socket_timeout = 60
+
+; If your scripts have to deal with files from Macintosh systems,
+; or you are running on a Mac and need to deal with files from
+; unix or win32 systems, setting this flag will cause PHP to
+; automatically detect the EOL character in those files so that
+; fgets() and file() will work regardless of the source of the file.
+; http://php.net/auto-detect-line-endings
+;auto_detect_line_endings = Off
+
+;;;;;;;;;;;;;;;;;;;;;;
+; Dynamic Extensions ;
+;;;;;;;;;;;;;;;;;;;;;;
+
+; If you wish to have an extension loaded automatically, use the following
+; syntax:
+;
+; extension=modulename
+;
+; For example:
+;
+; extension=mysqli
+;
+; When the extension library to load is not located in the default extension
+; directory, You may specify an absolute path to the library file:
+;
+; extension=/path/to/extension/mysqli.so
+;
+; Note : The syntax used in previous PHP versions ('extension=<ext>.so' and
+; 'extension='php_<ext>.dll') is supported for legacy reasons and may be
+; deprecated in a future PHP major version. So, when it is possible, please
+; move to the new ('extension=<ext>) syntax.
+;
+; Notes for Windows environments :
+;
+; - Many DLL files are located in the extensions/ (PHP 4) or ext/ (PHP 5+)
+; extension folders as well as the separate PECL DLL download (PHP 5+).
+; Be sure to appropriately set the extension_dir directive.
+;
+;extension=bz2
+;extension=curl
+;extension=ffi
+;extension=ftp
+;extension=fileinfo
+;extension=gd2
+;extension=gettext
+;extension=gmp
+;extension=intl
+;extension=imap
+;extension=ldap
+;extension=mbstring
+;extension=exif ; Must be after mbstring as it depends on it
+;extension=mysqli
+;extension=oci8_12c ; Use with Oracle Database 12c Instant Client
+;extension=odbc
+;extension=openssl
+;extension=pdo_firebird
+;extension=pdo_mysql
+;extension=pdo_oci
+;extension=pdo_odbc
+;extension=pdo_pgsql
+;extension=pdo_sqlite
+;extension=pgsql
+;extension=shmop
+
+; The MIBS data available in the PHP distribution must be installed.
+; See http://www.php.net/manual/en/snmp.installation.php
+;extension=snmp
+
+;extension=soap
+;extension=sockets
+;extension=sodium
+;extension=sqlite3
+;extension=tidy
+;extension=xmlrpc
+;extension=xsl
+
+;;;;;;;;;;;;;;;;;;;
+; Module Settings ;
+;;;;;;;;;;;;;;;;;;;
+
+[CLI Server]
+; Whether the CLI web server uses ANSI color coding in its terminal output.
+cli_server.color = On
+
+[Date]
+; Defines the default timezone used by the date functions
+; http://php.net/date.timezone
+;date.timezone =
+
+; http://php.net/date.default-latitude
+;date.default_latitude = 31.7667
+
+; http://php.net/date.default-longitude
+;date.default_longitude = 35.2333
+
+; http://php.net/date.sunrise-zenith
+;date.sunrise_zenith = 90.583333
+
+; http://php.net/date.sunset-zenith
+;date.sunset_zenith = 90.583333
+
+[filter]
+; http://php.net/filter.default
+;filter.default = unsafe_raw
+
+; http://php.net/filter.default-flags
+;filter.default_flags =
+
+[iconv]
+; Use of this INI entry is deprecated, use global input_encoding instead.
+; If empty, default_charset or input_encoding or iconv.input_encoding is used.
+; The precedence is: default_charset < input_encoding < iconv.input_encoding
+;iconv.input_encoding =
+
+; Use of this INI entry is deprecated, use global internal_encoding instead.
+; If empty, default_charset or internal_encoding or iconv.internal_encoding is used.
+; The precedence is: default_charset < internal_encoding < iconv.internal_encoding
+;iconv.internal_encoding =
+
+; Use of this INI entry is deprecated, use global output_encoding instead.
+; If empty, default_charset or output_encoding or iconv.output_encoding is used.
+; The precedence is: default_charset < output_encoding < iconv.output_encoding
+; To use an output encoding conversion, iconv's output handler must be set
+; otherwise output encoding conversion cannot be performed.
+;iconv.output_encoding =
+
+[imap]
+; rsh/ssh logins are disabled by default. Use this INI entry if you want to
+; enable them. Note that the IMAP library does not filter mailbox names before
+; passing them to rsh/ssh command, thus passing untrusted data to this function
+; with rsh/ssh enabled is insecure.
+;imap.enable_insecure_rsh=0
+
+[intl]
+;intl.default_locale =
+; This directive allows you to produce PHP errors when some error
+; happens within intl functions. The value is the level of the error produced.
+; Default is 0, which does not produce any errors.
+;intl.error_level = E_WARNING
+;intl.use_exceptions = 0
+
+[sqlite3]
+; Directory pointing to SQLite3 extensions
+; http://php.net/sqlite3.extension-dir
+;sqlite3.extension_dir =
+
+; SQLite defensive mode flag (only available from SQLite 3.26+)
+; When the defensive flag is enabled, language features that allow ordinary
+; SQL to deliberately corrupt the database file are disabled. This forbids
+; writing directly to the schema, shadow tables (eg. FTS data tables), or
+; the sqlite_dbpage virtual table.
+; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html
+; (for older SQLite versions, this flag has no use)
+;sqlite3.defensive = 1
+
+[Pcre]
+; PCRE library backtracking limit.
+; http://php.net/pcre.backtrack-limit
+;pcre.backtrack_limit=100000
+
+; PCRE library recursion limit.
+; Please note that if you set this value to a high number you may consume all
+; the available process stack and eventually crash PHP (due to reaching the
+; stack size limit imposed by the Operating System).
+; http://php.net/pcre.recursion-limit
+;pcre.recursion_limit=100000
+
+; Enables or disables JIT compilation of patterns. This requires the PCRE
+; library to be compiled with JIT support.
+;pcre.jit=1
+
+[Pdo]
+; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off"
+; http://php.net/pdo-odbc.connection-pooling
+;pdo_odbc.connection_pooling=strict
+
+;pdo_odbc.db2_instance_name
+
+[Pdo_mysql]
+; Default socket name for local MySQL connects. If empty, uses the built-in
+; MySQL defaults.
+pdo_mysql.default_socket=
+
+[Phar]
+; http://php.net/phar.readonly
+;phar.readonly = On
+
+; http://php.net/phar.require-hash
+;phar.require_hash = On
+
+;phar.cache_list =
+
+[mail function]
+; For Win32 only.
+; http://php.net/smtp
+SMTP = localhost
+; http://php.net/smtp-port
+smtp_port = 25
+
+; For Win32 only.
+; http://php.net/sendmail-from
+;sendmail_from = me@example.com
+
+; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
+; http://php.net/sendmail-path
+;sendmail_path =
+
+; Force the addition of the specified parameters to be passed as extra parameters
+; to the sendmail binary. These parameters will always replace the value of
+; the 5th parameter to mail().
+;mail.force_extra_parameters =
+
+; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
+mail.add_x_header = Off
+
+; The path to a log file that will log all mail() calls. Log entries include
+; the full path of the script, line number, To address and headers.
+;mail.log =
+; Log mail to syslog (Event Log on Windows).
+;mail.log = syslog
+
+[ODBC]
+; http://php.net/odbc.default-db
+;odbc.default_db = Not yet implemented
+
+; http://php.net/odbc.default-user
+;odbc.default_user = Not yet implemented
+
+; http://php.net/odbc.default-pw
+;odbc.default_pw = Not yet implemented
+
+; Controls the ODBC cursor model.
+; Default: SQL_CURSOR_STATIC (default).
+;odbc.default_cursortype
+
+; Allow or prevent persistent links.
+; http://php.net/odbc.allow-persistent
+odbc.allow_persistent = On
+
+; Check that a connection is still valid before reuse.
+; http://php.net/odbc.check-persistent
+odbc.check_persistent = On
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/odbc.max-persistent
+odbc.max_persistent = -1
+
+; Maximum number of links (persistent + non-persistent). -1 means no limit.
+; http://php.net/odbc.max-links
+odbc.max_links = -1
+
+; Handling of LONG fields. Returns number of bytes to variables. 0 means
+; passthru.
+; http://php.net/odbc.defaultlrl
+odbc.defaultlrl = 4096
+
+; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char.
+; See the documentation on odbc_binmode and odbc_longreadlen for an explanation
+; of odbc.defaultlrl and odbc.defaultbinmode
+; http://php.net/odbc.defaultbinmode
+odbc.defaultbinmode = 1
+
+[MySQLi]
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/mysqli.max-persistent
+mysqli.max_persistent = -1
+
+; Allow accessing, from PHP's perspective, local files with LOAD DATA statements
+; http://php.net/mysqli.allow_local_infile
+;mysqli.allow_local_infile = On
+
+; Allow or prevent persistent links.
+; http://php.net/mysqli.allow-persistent
+mysqli.allow_persistent = On
+
+; Maximum number of links. -1 means no limit.
+; http://php.net/mysqli.max-links
+mysqli.max_links = -1
+
+; Default port number for mysqli_connect(). If unset, mysqli_connect() will use
+; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
+; compile-time value defined MYSQL_PORT (in that order). Win32 will only look
+; at MYSQL_PORT.
+; http://php.net/mysqli.default-port
+mysqli.default_port = 3306
+
+; Default socket name for local MySQL connects. If empty, uses the built-in
+; MySQL defaults.
+; http://php.net/mysqli.default-socket
+mysqli.default_socket =
+
+; Default host for mysqli_connect() (doesn't apply in safe mode).
+; http://php.net/mysqli.default-host
+mysqli.default_host =
+
+; Default user for mysqli_connect() (doesn't apply in safe mode).
+; http://php.net/mysqli.default-user
+mysqli.default_user =
+
+; Default password for mysqli_connect() (doesn't apply in safe mode).
+; Note that this is generally a *bad* idea to store passwords in this file.
+; *Any* user with PHP access can run 'echo get_cfg_var("mysqli.default_pw")
+; and reveal this password! And of course, any users with read access to this
+; file will be able to reveal the password as well.
+; http://php.net/mysqli.default-pw
+mysqli.default_pw =
+
+; Allow or prevent reconnect
+mysqli.reconnect = Off
+
+[mysqlnd]
+; Enable / Disable collection of general statistics by mysqlnd which can be
+; used to tune and monitor MySQL operations.
+mysqlnd.collect_statistics = On
+
+; Enable / Disable collection of memory usage statistics by mysqlnd which can be
+; used to tune and monitor MySQL operations.
+mysqlnd.collect_memory_statistics = Off
+
+; Records communication from all extensions using mysqlnd to the specified log
+; file.
+; http://php.net/mysqlnd.debug
+;mysqlnd.debug =
+
+; Defines which queries will be logged.
+;mysqlnd.log_mask = 0
+
+; Default size of the mysqlnd memory pool, which is used by result sets.
+;mysqlnd.mempool_default_size = 16000
+
+; Size of a pre-allocated buffer used when sending commands to MySQL in bytes.
+;mysqlnd.net_cmd_buffer_size = 2048
+
+; Size of a pre-allocated buffer used for reading data sent by the server in
+; bytes.
+;mysqlnd.net_read_buffer_size = 32768
+
+; Timeout for network requests in seconds.
+;mysqlnd.net_read_timeout = 31536000
+
+; SHA-256 Authentication Plugin related. File with the MySQL server public RSA
+; key.
+;mysqlnd.sha256_server_public_key =
+
+[OCI8]
+
+; Connection: Enables privileged connections using external
+; credentials (OCI_SYSOPER, OCI_SYSDBA)
+; http://php.net/oci8.privileged-connect
+;oci8.privileged_connect = Off
+
+; Connection: The maximum number of persistent OCI8 connections per
+; process. Using -1 means no limit.
+; http://php.net/oci8.max-persistent
+;oci8.max_persistent = -1
+
+; Connection: The maximum number of seconds a process is allowed to
+; maintain an idle persistent connection. Using -1 means idle
+; persistent connections will be maintained forever.
+; http://php.net/oci8.persistent-timeout
+;oci8.persistent_timeout = -1
+
+; Connection: The number of seconds that must pass before issuing a
+; ping during oci_pconnect() to check the connection validity. When
+; set to 0, each oci_pconnect() will cause a ping. Using -1 disables
+; pings completely.
+; http://php.net/oci8.ping-interval
+;oci8.ping_interval = 60
+
+; Connection: Set this to a user chosen connection class to be used
+; for all pooled server requests with Oracle 11g Database Resident
+; Connection Pooling (DRCP). To use DRCP, this value should be set to
+; the same string for all web servers running the same application,
+; the database pool must be configured, and the connection string must
+; specify to use a pooled server.
+;oci8.connection_class =
+
+; High Availability: Using On lets PHP receive Fast Application
+; Notification (FAN) events generated when a database node fails. The
+; database must also be configured to post FAN events.
+;oci8.events = Off
+
+; Tuning: This option enables statement caching, and specifies how
+; many statements to cache. Using 0 disables statement caching.
+; http://php.net/oci8.statement-cache-size
+;oci8.statement_cache_size = 20
+
+; Tuning: Enables statement prefetching and sets the default number of
+; rows that will be fetched automatically after statement execution.
+; http://php.net/oci8.default-prefetch
+;oci8.default_prefetch = 100
+
+; Compatibility. Using On means oci_close() will not close
+; oci_connect() and oci_new_connect() connections.
+; http://php.net/oci8.old-oci-close-semantics
+;oci8.old_oci_close_semantics = Off
+
+[PostgreSQL]
+; Allow or prevent persistent links.
+; http://php.net/pgsql.allow-persistent
+pgsql.allow_persistent = On
+
+; Detect broken persistent links always with pg_pconnect().
+; Auto reset feature requires a little overheads.
+; http://php.net/pgsql.auto-reset-persistent
+pgsql.auto_reset_persistent = Off
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/pgsql.max-persistent
+pgsql.max_persistent = -1
+
+; Maximum number of links (persistent+non persistent). -1 means no limit.
+; http://php.net/pgsql.max-links
+pgsql.max_links = -1
+
+; Ignore PostgreSQL backends Notice message or not.
+; Notice message logging require a little overheads.
+; http://php.net/pgsql.ignore-notice
+pgsql.ignore_notice = 0
+
+; Log PostgreSQL backends Notice message or not.
+; Unless pgsql.ignore_notice=0, module cannot log notice message.
+; http://php.net/pgsql.log-notice
+pgsql.log_notice = 0
+
+[bcmath]
+; Number of decimal digits for all bcmath functions.
+; http://php.net/bcmath.scale
+bcmath.scale = 0
+
+[browscap]
+; http://php.net/browscap
+;browscap = extra/browscap.ini
+
+[Session]
+; Handler used to store/retrieve data.
+; http://php.net/session.save-handler
+session.save_handler = files
+
+; Argument passed to save_handler. In the case of files, this is the path
+; where data files are stored. Note: Windows users have to change this
+; variable in order to use PHP's session functions.
+;
+; The path can be defined as:
+;
+; session.save_path = "N;/path"
+;
+; where N is an integer. Instead of storing all the session files in
+; /path, what this will do is use subdirectories N-levels deep, and
+; store the session data in those directories. This is useful if
+; your OS has problems with many files in one directory, and is
+; a more efficient layout for servers that handle many sessions.
+;
+; NOTE 1: PHP will not create this directory structure automatically.
+; You can use the script in the ext/session dir for that purpose.
+; NOTE 2: See the section on garbage collection below if you choose to
+; use subdirectories for session storage
+;
+; The file storage module creates files using mode 600 by default.
+; You can change that by using
+;
+; session.save_path = "N;MODE;/path"
+;
+; where MODE is the octal representation of the mode. Note that this
+; does not overwrite the process's umask.
+; http://php.net/session.save-path
+;session.save_path = "/var/lib/php/sessions"
+
+; Whether to use strict session mode.
+; Strict session mode does not accept an uninitialized session ID, and
+; regenerates the session ID if the browser sends an uninitialized session ID.
+; Strict mode protects applications from session fixation via a session adoption
+; vulnerability. It is disabled by default for maximum compatibility, but
+; enabling it is encouraged.
+; https://wiki.php.net/rfc/strict_sessions
+session.use_strict_mode = 0
+
+; Whether to use cookies.
+; http://php.net/session.use-cookies
+session.use_cookies = 1
+
+; http://php.net/session.cookie-secure
+;session.cookie_secure =
+
+; This option forces PHP to fetch and use a cookie for storing and maintaining
+; the session id. We encourage this operation as it's very helpful in combating
+; session hijacking when not specifying and managing your own session id. It is
+; not the be-all and end-all of session hijacking defense, but it's a good start.
+; http://php.net/session.use-only-cookies
+session.use_only_cookies = 1
+
+; Name of the session (used as cookie name).
+; http://php.net/session.name
+session.name = PHPSESSID
+
+; Initialize session on request startup.
+; http://php.net/session.auto-start
+session.auto_start = 0
+
+; Lifetime in seconds of cookie or, if 0, until browser is restarted.
+; http://php.net/session.cookie-lifetime
+session.cookie_lifetime = 0
+
+; The path for which the cookie is valid.
+; http://php.net/session.cookie-path
+session.cookie_path = /
+
+; The domain for which the cookie is valid.
+; http://php.net/session.cookie-domain
+session.cookie_domain =
+
+; Whether or not to add the httpOnly flag to the cookie, which makes it
+; inaccessible to browser scripting languages such as JavaScript.
+; http://php.net/session.cookie-httponly
+session.cookie_httponly =
+
+; Add SameSite attribute to cookie to help mitigate Cross-Site Request Forgery (CSRF/XSRF)
+; Current valid values are "Strict", "Lax" or "None". When using "None",
+; make sure to include the quotes, as `none` is interpreted like `false` in ini files.
+; https://tools.ietf.org/html/draft-west-first-party-cookies-07
+session.cookie_samesite =
+
+; Handler used to serialize data. php is the standard serializer of PHP.
+; http://php.net/session.serialize-handler
+session.serialize_handler = php
+
+; Defines the probability that the 'garbage collection' process is started on every
+; session initialization. The probability is calculated by using gc_probability/gc_divisor,
+; e.g. 1/100 means there is a 1% chance that the GC process starts on each request.
+; Default Value: 1
+; Development Value: 1
+; Production Value: 1
+; http://php.net/session.gc-probability
+session.gc_probability = 0
+
+; Defines the probability that the 'garbage collection' process is started on every
+; session initialization. The probability is calculated by using gc_probability/gc_divisor,
+; e.g. 1/100 means there is a 1% chance that the GC process starts on each request.
+; For high volume production servers, using a value of 1000 is a more efficient approach.
+; Default Value: 100
+; Development Value: 1000
+; Production Value: 1000
+; http://php.net/session.gc-divisor
+session.gc_divisor = 1000
+
+; After this number of seconds, stored data will be seen as 'garbage' and
+; cleaned up by the garbage collection process.
+; http://php.net/session.gc-maxlifetime
+session.gc_maxlifetime = 1440
+
+; NOTE: If you are using the subdirectory option for storing session files
+; (see session.save_path above), then garbage collection does *not*
+; happen automatically. You will need to do your own garbage
+; collection through a shell script, cron entry, or some other method.
+; For example, the following script is the equivalent of setting
+; session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
+; find /path/to/sessions -cmin +24 -type f | xargs rm
+
+; Check HTTP Referer to invalidate externally stored URLs containing ids.
+; HTTP_REFERER has to contain this substring for the session to be
+; considered as valid.
+; http://php.net/session.referer-check
+session.referer_check =
+
+; Set to {nocache,private,public,} to determine HTTP caching aspects
+; or leave this empty to avoid sending anti-caching headers.
+; http://php.net/session.cache-limiter
+session.cache_limiter = nocache
+
+; Document expires after n minutes.
+; http://php.net/session.cache-expire
+session.cache_expire = 180
+
+; trans sid support is disabled by default.
+; Use of trans sid may risk your users' security.
+; Use this option with caution.
+; - User may send URL contains active session ID
+; to other person via. email/irc/etc.
+; - URL that contains active session ID may be stored
+; in publicly accessible computer.
+; - User may access your site with the same session ID
+; always using URL stored in browser's history or bookmarks.
+; http://php.net/session.use-trans-sid
+session.use_trans_sid = 0
+
+; Set session ID character length. This value could be between 22 to 256.
+; Shorter length than default is supported only for compatibility reason.
+; Users should use 32 or more chars.
+; http://php.net/session.sid-length
+; Default Value: 32
+; Development Value: 26
+; Production Value: 26
+session.sid_length = 26
+
+; The URL rewriter will look for URLs in a defined set of HTML tags.
+; <form> is special; if you include them here, the rewriter will
+; add a hidden <input> field with the info which is otherwise appended
+; to URLs. <form> tag's action attribute URL will not be modified
+; unless it is specified.
+; Note that all valid entries require a "=", even if no value follows.
+; Default Value: "a=href,area=href,frame=src,form="
+; Development Value: "a=href,area=href,frame=src,form="
+; Production Value: "a=href,area=href,frame=src,form="
+; http://php.net/url-rewriter.tags
+session.trans_sid_tags = "a=href,area=href,frame=src,form="
+
+; URL rewriter does not rewrite absolute URLs by default.
+; To enable rewrites for absolute paths, target hosts must be specified
+; at RUNTIME. i.e. use ini_set()
+; <form> tags is special. PHP will check action attribute's URL regardless
+; of session.trans_sid_tags setting.
+; If no host is defined, HTTP_HOST will be used for allowed host.
+; Example value: php.net,www.php.net,wiki.php.net
+; Use "," for multiple hosts. No spaces are allowed.
+; Default Value: ""
+; Development Value: ""
+; Production Value: ""
+;session.trans_sid_hosts=""
+
+; Define how many bits are stored in each character when converting
+; the binary hash data to something readable.
+; Possible values:
+; 4 (4 bits: 0-9, a-f)
+; 5 (5 bits: 0-9, a-v)
+; 6 (6 bits: 0-9, a-z, A-Z, "-", ",")
+; Default Value: 4
+; Development Value: 5
+; Production Value: 5
+; http://php.net/session.hash-bits-per-character
+session.sid_bits_per_character = 5
+
+; Enable upload progress tracking in $_SESSION
+; Default Value: On
+; Development Value: On
+; Production Value: On
+; http://php.net/session.upload-progress.enabled
+;session.upload_progress.enabled = On
+
+; Cleanup the progress information as soon as all POST data has been read
+; (i.e. upload completed).
+; Default Value: On
+; Development Value: On
+; Production Value: On
+; http://php.net/session.upload-progress.cleanup
+;session.upload_progress.cleanup = On
+
+; A prefix used for the upload progress key in $_SESSION
+; Default Value: "upload_progress_"
+; Development Value: "upload_progress_"
+; Production Value: "upload_progress_"
+; http://php.net/session.upload-progress.prefix
+;session.upload_progress.prefix = "upload_progress_"
+
+; The index name (concatenated with the prefix) in $_SESSION
+; containing the upload progress information
+; Default Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; Development Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; Production Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; http://php.net/session.upload-progress.name
+;session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS"
+
+; How frequently the upload progress should be updated.
+; Given either in percentages (per-file), or in bytes
+; Default Value: "1%"
+; Development Value: "1%"
+; Production Value: "1%"
+; http://php.net/session.upload-progress.freq
+;session.upload_progress.freq = "1%"
+
+; The minimum delay between updates, in seconds
+; Default Value: 1
+; Development Value: 1
+; Production Value: 1
+; http://php.net/session.upload-progress.min-freq
+;session.upload_progress.min_freq = "1"
+
+; Only write session data when session data is changed. Enabled by default.
+; http://php.net/session.lazy-write
+;session.lazy_write = On
+
+[Assertion]
+; Switch whether to compile assertions at all (to have no overhead at run-time)
+; -1: Do not compile at all
+; 0: Jump over assertion at run-time
+; 1: Execute assertions
+; Changing from or to a negative value is only possible in php.ini! (For turning assertions on and off at run-time, see assert.active, when zend.assertions = 1)
+; Default Value: 1
+; Development Value: 1
+; Production Value: -1
+; http://php.net/zend.assertions
+zend.assertions = -1
+
+; Assert(expr); active by default.
+; http://php.net/assert.active
+;assert.active = On
+
+; Throw an AssertionError on failed assertions
+; http://php.net/assert.exception
+;assert.exception = On
+
+; Issue a PHP warning for each failed assertion. (Overridden by assert.exception if active)
+; http://php.net/assert.warning
+;assert.warning = On
+
+; Don't bail out by default.
+; http://php.net/assert.bail
+;assert.bail = Off
+
+; User-function to be called if an assertion fails.
+; http://php.net/assert.callback
+;assert.callback = 0
+
+; Eval the expression with current error_reporting(). Set to true if you want
+; error_reporting(0) around the eval().
+; http://php.net/assert.quiet-eval
+;assert.quiet_eval = 0
+
+[COM]
+; path to a file containing GUIDs, IIDs or filenames of files with TypeLibs
+; http://php.net/com.typelib-file
+;com.typelib_file =
+
+; allow Distributed-COM calls
+; http://php.net/com.allow-dcom
+;com.allow_dcom = true
+
+; autoregister constants of a component's typlib on com_load()
+; http://php.net/com.autoregister-typelib
+;com.autoregister_typelib = true
+
+; register constants casesensitive
+; http://php.net/com.autoregister-casesensitive
+;com.autoregister_casesensitive = false
+
+; show warnings on duplicate constant registrations
+; http://php.net/com.autoregister-verbose
+;com.autoregister_verbose = true
+
+; The default character set code-page to use when passing strings to and from COM objects.
+; Default: system ANSI code page
+;com.code_page=
+
+[mbstring]
+; language for internal character representation.
+; This affects mb_send_mail() and mbstring.detect_order.
+; http://php.net/mbstring.language
+;mbstring.language = Japanese
+
+; Use of this INI entry is deprecated, use global internal_encoding instead.
+; internal/script encoding.
+; Some encoding cannot work as internal encoding. (e.g. SJIS, BIG5, ISO-2022-*)
+; If empty, default_charset or internal_encoding or iconv.internal_encoding is used.
+; The precedence is: default_charset < internal_encoding < iconv.internal_encoding
+;mbstring.internal_encoding =
+
+; Use of this INI entry is deprecated, use global input_encoding instead.
+; http input encoding.
+; mbstring.encoding_translation = On is needed to use this setting.
+; If empty, default_charset or input_encoding or mbstring.input is used.
+; The precedence is: default_charset < input_encoding < mbstring.http_input
+; http://php.net/mbstring.http-input
+;mbstring.http_input =
+
+; Use of this INI entry is deprecated, use global output_encoding instead.
+; http output encoding.
+; mb_output_handler must be registered as output buffer to function.
+; If empty, default_charset or output_encoding or mbstring.http_output is used.
+; The precedence is: default_charset < output_encoding < mbstring.http_output
+; To use an output encoding conversion, mbstring's output handler must be set
+; otherwise output encoding conversion cannot be performed.
+; http://php.net/mbstring.http-output
+;mbstring.http_output =
+
+; enable automatic encoding translation according to
+; mbstring.internal_encoding setting. Input chars are
+; converted to internal encoding by setting this to On.
+; Note: Do _not_ use automatic encoding translation for
+; portable libs/applications.
+; http://php.net/mbstring.encoding-translation
+;mbstring.encoding_translation = Off
+
+; automatic encoding detection order.
+; "auto" detect order is changed according to mbstring.language
+; http://php.net/mbstring.detect-order
+;mbstring.detect_order = auto
+
+; substitute_character used when character cannot be converted
+; one from another
+; http://php.net/mbstring.substitute-character
+;mbstring.substitute_character = none
+
+; overload(replace) single byte functions by mbstring functions.
+; mail(), ereg(), etc are overloaded by mb_send_mail(), mb_ereg(),
+; etc. Possible values are 0,1,2,4 or combination of them.
+; For example, 7 for overload everything.
+; 0: No overload
+; 1: Overload mail() function
+; 2: Overload str*() functions
+; 4: Overload ereg*() functions
+; http://php.net/mbstring.func-overload
+;mbstring.func_overload = 0
+
+; enable strict encoding detection.
+; Default: Off
+;mbstring.strict_detection = On
+
+; This directive specifies the regex pattern of content types for which mb_output_handler()
+; is activated.
+; Default: mbstring.http_output_conv_mimetype=^(text/|application/xhtml\+xml)
+;mbstring.http_output_conv_mimetype=
+
+; This directive specifies maximum stack depth for mbstring regular expressions. It is similar
+; to the pcre.recursion_limit for PCRE.
+; Default: 100000
+;mbstring.regex_stack_limit=100000
+
+; This directive specifies maximum retry count for mbstring regular expressions. It is similar
+; to the pcre.backtrack_limit for PCRE.
+; Default: 1000000
+;mbstring.regex_retry_limit=1000000
+
+[gd]
+; Tell the jpeg decode to ignore warnings and try to create
+; a gd image. The warning will then be displayed as notices
+; disabled by default
+; http://php.net/gd.jpeg-ignore-warning
+;gd.jpeg_ignore_warning = 1
+
+[exif]
+; Exif UNICODE user comments are handled as UCS-2BE/UCS-2LE and JIS as JIS.
+; With mbstring support this will automatically be converted into the encoding
+; given by corresponding encode setting. When empty mbstring.internal_encoding
+; is used. For the decode settings you can distinguish between motorola and
+; intel byte order. A decode setting cannot be empty.
+; http://php.net/exif.encode-unicode
+;exif.encode_unicode = ISO-8859-15
+
+; http://php.net/exif.decode-unicode-motorola
+;exif.decode_unicode_motorola = UCS-2BE
+
+; http://php.net/exif.decode-unicode-intel
+;exif.decode_unicode_intel = UCS-2LE
+
+; http://php.net/exif.encode-jis
+;exif.encode_jis =
+
+; http://php.net/exif.decode-jis-motorola
+;exif.decode_jis_motorola = JIS
+
+; http://php.net/exif.decode-jis-intel
+;exif.decode_jis_intel = JIS
+
+[Tidy]
+; The path to a default tidy configuration file to use when using tidy
+; http://php.net/tidy.default-config
+;tidy.default_config = /usr/local/lib/php/default.tcfg
+
+; Should tidy clean and repair output automatically?
+; WARNING: Do not use this option if you are generating non-html content
+; such as dynamic images
+; http://php.net/tidy.clean-output
+tidy.clean_output = Off
+
+[soap]
+; Enables or disables WSDL caching feature.
+; http://php.net/soap.wsdl-cache-enabled
+soap.wsdl_cache_enabled=1
+
+; Sets the directory name where SOAP extension will put cache files.
+; http://php.net/soap.wsdl-cache-dir
+soap.wsdl_cache_dir="/tmp"
+
+; (time to live) Sets the number of second while cached file will be used
+; instead of original one.
+; http://php.net/soap.wsdl-cache-ttl
+soap.wsdl_cache_ttl=86400
+
+; Sets the size of the cache limit. (Max. number of WSDL files to cache)
+soap.wsdl_cache_limit = 5
+
+[sysvshm]
+; A default size of the shared memory segment
+;sysvshm.init_mem = 10000
+
+[ldap]
+; Sets the maximum number of open links or -1 for unlimited.
+ldap.max_links = -1
+
+[dba]
+;dba.default_handler=
+
+[opcache]
+; Determines if Zend OPCache is enabled
+;opcache.enable=1
+
+; Determines if Zend OPCache is enabled for the CLI version of PHP
+;opcache.enable_cli=0
+
+; The OPcache shared memory storage size.
+;opcache.memory_consumption=128
+
+; The amount of memory for interned strings in Mbytes.
+;opcache.interned_strings_buffer=8
+
+; The maximum number of keys (scripts) in the OPcache hash table.
+; Only numbers between 200 and 1000000 are allowed.
+;opcache.max_accelerated_files=10000
+
+; The maximum percentage of "wasted" memory until a restart is scheduled.
+;opcache.max_wasted_percentage=5
+
+; When this directive is enabled, the OPcache appends the current working
+; directory to the script key, thus eliminating possible collisions between
+; files with the same name (basename). Disabling the directive improves
+; performance, but may break existing applications.
+;opcache.use_cwd=1
+
+; When disabled, you must reset the OPcache manually or restart the
+; webserver for changes to the filesystem to take effect.
+;opcache.validate_timestamps=1
+
+; How often (in seconds) to check file timestamps for changes to the shared
+; memory storage allocation. ("1" means validate once per second, but only
+; once per request. "0" means always validate)
+;opcache.revalidate_freq=2
+
+; Enables or disables file search in include_path optimization
+;opcache.revalidate_path=0
+
+; If disabled, all PHPDoc comments are dropped from the code to reduce the
+; size of the optimized code.
+;opcache.save_comments=1
+
+; Allow file existence override (file_exists, etc.) performance feature.
+;opcache.enable_file_override=0
+
+; A bitmask, where each bit enables or disables the appropriate OPcache
+; passes
+;opcache.optimization_level=0x7FFFBFFF
+
+;opcache.dups_fix=0
+
+; The location of the OPcache blacklist file (wildcards allowed).
+; Each OPcache blacklist file is a text file that holds the names of files
+; that should not be accelerated. The file format is to add each filename
+; to a new line. The filename may be a full path or just a file prefix
+; (i.e., /var/www/x blacklists all the files and directories in /var/www
+; that start with 'x'). Line starting with a ; are ignored (comments).
+;opcache.blacklist_filename=
+
+; Allows exclusion of large files from being cached. By default all files
+; are cached.
+;opcache.max_file_size=0
+
+; Check the cache checksum each N requests.
+; The default value of "0" means that the checks are disabled.
+;opcache.consistency_checks=0
+
+; How long to wait (in seconds) for a scheduled restart to begin if the cache
+; is not being accessed.
+;opcache.force_restart_timeout=180
+
+; OPcache error_log file name. Empty string assumes "stderr".
+;opcache.error_log=
+
+; All OPcache errors go to the Web server log.
+; By default, only fatal errors (level 0) or errors (level 1) are logged.
+; You can also enable warnings (level 2), info messages (level 3) or
+; debug messages (level 4).
+;opcache.log_verbosity_level=1
+
+; Preferred Shared Memory back-end. Leave empty and let the system decide.
+;opcache.preferred_memory_model=
+
+; Protect the shared memory from unexpected writing during script execution.
+; Useful for internal debugging only.
+;opcache.protect_memory=0
+
+; Allows calling OPcache API functions only from PHP scripts which path is
+; started from specified string. The default "" means no restriction
+;opcache.restrict_api=
+
+; Mapping base of shared memory segments (for Windows only). All the PHP
+; processes have to map shared memory into the same address space. This
+; directive allows to manually fix the "Unable to reattach to base address"
+; errors.
+;opcache.mmap_base=
+
+; Facilitates multiple OPcache instances per user (for Windows only). All PHP
+; processes with the same cache ID and user share an OPcache instance.
+;opcache.cache_id=
+
+; Enables and sets the second level cache directory.
+; It should improve performance when SHM memory is full, at server restart or
+; SHM reset. The default "" disables file based caching.
+;opcache.file_cache=
+
+; Enables or disables opcode caching in shared memory.
+;opcache.file_cache_only=0
+
+; Enables or disables checksum validation when script loaded from file cache.
+;opcache.file_cache_consistency_checks=1
+
+; Implies opcache.file_cache_only=1 for a certain process that failed to
+; reattach to the shared memory (for Windows only). Explicitly enabled file
+; cache is required.
+;opcache.file_cache_fallback=1
+
+; Enables or disables copying of PHP code (text segment) into HUGE PAGES.
+; This should improve performance, but requires appropriate OS configuration.
+;opcache.huge_code_pages=1
+
+; Validate cached file permissions.
+;opcache.validate_permission=0
+
+; Prevent name collisions in chroot'ed environment.
+;opcache.validate_root=0
+
+; If specified, it produces opcode dumps for debugging different stages of
+; optimizations.
+;opcache.opt_debug_level=0
+
+; Specifies a PHP script that is going to be compiled and executed at server
+; start-up.
+; http://php.net/opcache.preload
+;opcache.preload=
+
+; Preloading code as root is not allowed for security reasons. This directive
+; facilitates to let the preloading to be run as another user.
+; http://php.net/opcache.preload_user
+;opcache.preload_user=
+
+; Prevents caching files that are less than this number of seconds old. It
+; protects from caching of incompletely updated files. In case all file updates
+; on your site are atomic, you may increase performance by setting it to "0".
+;opcache.file_update_protection=2
+
+; Absolute path used to store shared lockfiles (for *nix only).
+;opcache.lockfile_path=/tmp
+
+[curl]
+; A default value for the CURLOPT_CAINFO option. This is required to be an
+; absolute path.
+;curl.cainfo =
+
+[openssl]
+; The location of a Certificate Authority (CA) file on the local filesystem
+; to use when verifying the identity of SSL/TLS peers. Most users should
+; not specify a value for this directive as PHP will attempt to use the
+; OS-managed cert stores in its absence. If specified, this value may still
+; be overridden on a per-stream basis via the "cafile" SSL stream context
+; option.
+;openssl.cafile=
+
+; If openssl.cafile is not specified or if the CA file is not found, the
+; directory pointed to by openssl.capath is searched for a suitable
+; certificate. This value must be a correctly hashed certificate directory.
+; Most users should not specify a value for this directive as PHP will
+; attempt to use the OS-managed cert stores in its absence. If specified,
+; this value may still be overridden on a per-stream basis via the "capath"
+; SSL stream context option.
+;openssl.capath=
+
+[ffi]
+; FFI API restriction. Possible values:
+; "preload" - enabled in CLI scripts and preloaded files (default)
+; "false" - always disabled
+; "true" - always enabled
+;ffi.enable=preload
+
+; List of headers files to preload, wildcard patterns allowed.
+;ffi.preload=
--- /dev/null
+/etc/php/7.4/mods-available/opcache.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/pdo.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/calendar.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/ctype.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/exif.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/ffi.ini
\ No newline at end of file
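Review bot: The FFI module is enabled by this link while the php.ini section earlier on this page leaves `;ffi.enable=preload` commented out, so FFI availability rests on the built-in default rather than an explicit choice. Only the link target is visible in this hunk, so which SAPI's conf.d directory it lands in cannot be confirmed from here. That file's own comment says the default enables FFI in CLI scripts and preloaded files, and FFI lets PHP code call native library functions directly. If nothing on this host needs it, I would drop the link (`phpdismod ffi` on Debian-style layouts) or set `ffi.enable=false` in the matching php.ini. The same least-privilege question applies to the ftp, shmop, sockets and sysv* links in the neighbouring hunks.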
--- /dev/null
+/etc/php/7.4/mods-available/fileinfo.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/ftp.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/gd.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/gettext.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/iconv.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/json.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/ldap.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/phar.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/posix.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/readline.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/shmop.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/sockets.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/sysvmsg.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/sysvsem.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/sysvshm.ini
\ No newline at end of file
--- /dev/null
+/etc/php/7.4/mods-available/tokenizer.ini
\ No newline at end of file
--- /dev/null
+[PHP]
+
+;;;;;;;;;;;;;;;;;;;
+; About php.ini ;
+;;;;;;;;;;;;;;;;;;;
+; PHP's initialization file, generally called php.ini, is responsible for
+; configuring many of the aspects of PHP's behavior.
+
+; PHP attempts to find and load this configuration from a number of locations.
+; The following is a summary of its search order:
+; 1. SAPI module specific location.
+; 2. The PHPRC environment variable. (As of PHP 5.2.0)
+; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0)
+; 4. Current working directory (except CLI)
+; 5. The web server's directory (for SAPI modules), or directory of PHP
+; (otherwise in Windows)
+; 6. The directory from the --with-config-file-path compile time option, or the
+; Windows directory (usually C:\windows)
+; See the PHP docs for more specific information.
+; http://php.net/configuration.file
+
+; The syntax of the file is extremely simple. Whitespace and lines
+; beginning with a semicolon are silently ignored (as you probably guessed).
+; Section headers (e.g. [Foo]) are also silently ignored, even though
+; they might mean something in the future.
+
+; Directives following the section heading [PATH=/www/mysite] only
+; apply to PHP files in the /www/mysite directory. Directives
+; following the section heading [HOST=www.example.com] only apply to
+; PHP files served from www.example.com. Directives set in these
+; special sections cannot be overridden by user-defined INI files or
+; at runtime. Currently, [PATH=] and [HOST=] sections only work under
+; CGI/FastCGI.
+; http://php.net/ini.sections
+
+; Directives are specified using the following syntax:
+; directive = value
+; Directive names are *case sensitive* - foo=bar is different from FOO=bar.
+; Directives are variables used to configure PHP or PHP extensions.
+; There is no name validation. If PHP can't find an expected
+; directive because it is not set or is mistyped, a default value will be used.
+
+; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one
+; of the INI constants (On, Off, True, False, Yes, No and None) or an expression
+; (e.g. E_ALL & ~E_NOTICE), a quoted string ("bar"), or a reference to a
+; previously set variable or directive (e.g. ${foo})
+
+; Expressions in the INI file are limited to bitwise operators and parentheses:
+; | bitwise OR
+; ^ bitwise XOR
+; & bitwise AND
+; ~ bitwise NOT
+; ! boolean NOT
+
+; Boolean flags can be turned on using the values 1, On, True or Yes.
+; They can be turned off using the values 0, Off, False or No.
+
+; An empty string can be denoted by simply not writing anything after the equal
+; sign, or by using the None keyword:
+
+; foo = ; sets foo to an empty string
+; foo = None ; sets foo to an empty string
+; foo = "None" ; sets foo to the string 'None'
+
+; If you use constants in your value, and these constants belong to a
+; dynamically loaded extension (either a PHP extension or a Zend extension),
+; you may only use these constants *after* the line that loads the extension.
+
+;;;;;;;;;;;;;;;;;;;
+; About this file ;
+;;;;;;;;;;;;;;;;;;;
+; PHP comes packaged with two INI files. One that is recommended to be used
+; in production environments and one that is recommended to be used in
+; development environments.
+
+; php.ini-production contains settings which hold security, performance and
+; best practices at its core. But please be aware, these settings may break
+; compatibility with older or less security conscience applications. We
+; recommending using the production ini in production and testing environments.
+
+; php.ini-development is very similar to its production variant, except it is
+; much more verbose when it comes to errors. We recommend using the
+; development version only in development environments, as errors shown to
+; application users can inadvertently leak otherwise secure information.
+
+; This is the php.ini-production INI file.
+
+;;;;;;;;;;;;;;;;;;;
+; Quick Reference ;
+;;;;;;;;;;;;;;;;;;;
+; The following are all the settings which are different in either the production
+; or development versions of the INIs with respect to PHP's default behavior.
+; Please see the actual settings later in the document for more details as to why
+; we recommend these changes in PHP's behavior.
+
+; display_errors
+; Default Value: On
+; Development Value: On
+; Production Value: Off
+
+; display_startup_errors
+; Default Value: Off
+; Development Value: On
+; Production Value: Off
+
+; error_reporting
+; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
+; Development Value: E_ALL
+; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
+
+; log_errors
+; Default Value: Off
+; Development Value: On
+; Production Value: On
+
+; max_input_time
+; Default Value: -1 (Unlimited)
+; Development Value: 60 (60 seconds)
+; Production Value: 60 (60 seconds)
+
+; output_buffering
+; Default Value: Off
+; Development Value: 4096
+; Production Value: 4096
+
+; register_argc_argv
+; Default Value: On
+; Development Value: Off
+; Production Value: Off
+
+; request_order
+; Default Value: None
+; Development Value: "GP"
+; Production Value: "GP"
+
+; session.gc_divisor
+; Default Value: 100
+; Development Value: 1000
+; Production Value: 1000
+
+; session.sid_bits_per_character
+; Default Value: 4
+; Development Value: 5
+; Production Value: 5
+
+; short_open_tag
+; Default Value: On
+; Development Value: Off
+; Production Value: Off
+
+; variables_order
+; Default Value: "EGPCS"
+; Development Value: "GPCS"
+; Production Value: "GPCS"
+
+;;;;;;;;;;;;;;;;;;;;
+; php.ini Options ;
+;;;;;;;;;;;;;;;;;;;;
+; Name for user-defined php.ini (.htaccess) files. Default is ".user.ini"
+;user_ini.filename = ".user.ini"
+
+; To disable this feature set this option to an empty value
+;user_ini.filename =
+
+; TTL for user-defined php.ini files (time-to-live) in seconds. Default is 300 seconds (5 minutes)
+;user_ini.cache_ttl = 300
+
+;;;;;;;;;;;;;;;;;;;;
+; Language Options ;
+;;;;;;;;;;;;;;;;;;;;
+
+; Enable the PHP scripting language engine under Apache.
+; http://php.net/engine
+engine = On
+
+; This directive determines whether or not PHP will recognize code between
+; <? and ?> tags as PHP source which should be processed as such. It is
+; generally recommended that <?php and ?> should be used and that this feature
+; should be disabled, as enabling it may result in issues when generating XML
+; documents, however this remains supported for backward compatibility reasons.
+; Note that this directive does not control the <?= shorthand tag, which can be
+; used regardless of this directive.
+; Default Value: On
+; Development Value: Off
+; Production Value: Off
+; http://php.net/short-open-tag
+short_open_tag = Off
+
+; The number of significant digits displayed in floating point numbers.
+; http://php.net/precision
+precision = 14
+
+; Output buffering is a mechanism for controlling how much output data
+; (excluding headers and cookies) PHP should keep internally before pushing that
+; data to the client. If your application's output exceeds this setting, PHP
+; will send that data in chunks of roughly the size you specify.
+; Turning on this setting and managing its maximum buffer size can yield some
+; interesting side-effects depending on your application and web server.
+; You may be able to send headers and cookies after you've already sent output
+; through print or echo. You also may see performance benefits if your server is
+; emitting less packets due to buffered output versus PHP streaming the output
+; as it gets it. On production servers, 4096 bytes is a good setting for performance
+; reasons.
+; Note: Output buffering can also be controlled via Output Buffering Control
+; functions.
+; Possible Values:
+; On = Enabled and buffer is unlimited. (Use with caution)
+; Off = Disabled
+; Integer = Enables the buffer and sets its maximum size in bytes.
+; Note: This directive is hardcoded to Off for the CLI SAPI
+; Default Value: Off
+; Development Value: 4096
+; Production Value: 4096
+; http://php.net/output-buffering
+output_buffering = 4096
+
+; You can redirect all of the output of your scripts to a function. For
+; example, if you set output_handler to "mb_output_handler", character
+; encoding will be transparently converted to the specified encoding.
+; Setting any output handler automatically turns on output buffering.
+; Note: People who wrote portable scripts should not depend on this ini
+; directive. Instead, explicitly set the output handler using ob_start().
+; Using this ini directive may cause problems unless you know what script
+; is doing.
+; Note: You cannot use both "mb_output_handler" with "ob_iconv_handler"
+; and you cannot use both "ob_gzhandler" and "zlib.output_compression".
+; Note: output_handler must be empty if this is set 'On' !!!!
+; Instead you must use zlib.output_handler.
+; http://php.net/output-handler
+;output_handler =
+
+; URL rewriter function rewrites URL on the fly by using
+; output buffer. You can set target tags by this configuration.
+; "form" tag is special tag. It will add hidden input tag to pass values.
+; Refer to session.trans_sid_tags for usage.
+; Default Value: "form="
+; Development Value: "form="
+; Production Value: "form="
+;url_rewriter.tags
+
+; URL rewriter will not rewrite absolute URL nor form by default. To enable
+; absolute URL rewrite, allowed hosts must be defined at RUNTIME.
+; Refer to session.trans_sid_hosts for more details.
+; Default Value: ""
+; Development Value: ""
+; Production Value: ""
+;url_rewriter.hosts
+
+; Transparent output compression using the zlib library
+; Valid values for this option are 'off', 'on', or a specific buffer size
+; to be used for compression (default is 4KB)
+; Note: Resulting chunk size may vary due to nature of compression. PHP
+; outputs chunks that are few hundreds bytes each as a result of
+; compression. If you prefer a larger chunk size for better
+; performance, enable output_buffering in addition.
+; Note: You need to use zlib.output_handler instead of the standard
+; output_handler, or otherwise the output will be corrupted.
+; http://php.net/zlib.output-compression
+zlib.output_compression = Off
+
+; http://php.net/zlib.output-compression-level
+;zlib.output_compression_level = -1
+
+; You cannot specify additional output handlers if zlib.output_compression
+; is activated here. This setting does the same as output_handler but in
+; a different order.
+; http://php.net/zlib.output-handler
+;zlib.output_handler =
+
+; Implicit flush tells PHP to tell the output layer to flush itself
+; automatically after every output block. This is equivalent to calling the
+; PHP function flush() after each and every call to print() or echo() and each
+; and every HTML block. Turning this option on has serious performance
+; implications and is generally recommended for debugging purposes only.
+; http://php.net/implicit-flush
+; Note: This directive is hardcoded to On for the CLI SAPI
+implicit_flush = Off
+
+; The unserialize callback function will be called (with the undefined class'
+; name as parameter), if the unserializer finds an undefined class
+; which should be instantiated. A warning appears if the specified function is
+; not defined, or if the function doesn't include/implement the missing class.
+; So only set this entry, if you really want to implement such a
+; callback-function.
+unserialize_callback_func =
+
+; The unserialize_max_depth specifies the default depth limit for unserialized
+; structures. Setting the depth limit too high may result in stack overflows
+; during unserialization. The unserialize_max_depth ini setting can be
+; overridden by the max_depth option on individual unserialize() calls.
+; A value of 0 disables the depth limit.
+;unserialize_max_depth = 4096
+
+; When floats & doubles are serialized, store serialize_precision significant
+; digits after the floating point. The default value ensures that when floats
+; are decoded with unserialize, the data will remain the same.
+; The value is also used for json_encode when encoding double values.
+; If -1 is used, then dtoa mode 0 is used which automatically select the best
+; precision.
+serialize_precision = -1
+
+; open_basedir, if set, limits all file operations to the defined directory
+; and below. This directive makes most sense if used in a per-directory
+; or per-virtualhost web server configuration file.
+; Note: disables the realpath cache
+; http://php.net/open-basedir
+;open_basedir =
+
+; This directive allows you to disable certain functions.
+; It receives a comma-delimited list of function names.
+; http://php.net/disable-functions
+disable_functions =
+
+; This directive allows you to disable certain classes.
+; It receives a comma-delimited list of class names.
+; http://php.net/disable-classes
+disable_classes =
+
+; Colors for Syntax Highlighting mode. Anything that's acceptable in
+; <span style="color: ???????"> would work.
+; http://php.net/syntax-highlighting
+;highlight.string = #DD0000
+;highlight.comment = #FF9900
+;highlight.keyword = #007700
+;highlight.default = #0000BB
+;highlight.html = #000000
+
+; If enabled, the request will be allowed to complete even if the user aborts
+; the request. Consider enabling it if executing long requests, which may end up
+; being interrupted by the user or a browser timing out. PHP's default behavior
+; is to disable this feature.
+; http://php.net/ignore-user-abort
+;ignore_user_abort = On
+
+; Determines the size of the realpath cache to be used by PHP. This value should
+; be increased on systems where PHP opens many files to reflect the quantity of
+; the file operations performed.
+; Note: if open_basedir is set, the cache is disabled
+; http://php.net/realpath-cache-size
+;realpath_cache_size = 4096k
+
+; Duration of time, in seconds for which to cache realpath information for a given
+; file or directory. For systems with rarely changing files, consider increasing this
+; value.
+; http://php.net/realpath-cache-ttl
+;realpath_cache_ttl = 120
+
+; Enables or disables the circular reference collector.
+; http://php.net/zend.enable-gc
+zend.enable_gc = On
+
+; If enabled, scripts may be written in encodings that are incompatible with
+; the scanner. CP936, Big5, CP949 and Shift_JIS are the examples of such
+; encodings. To use this feature, mbstring extension must be enabled.
+; Default: Off
+;zend.multibyte = Off
+
+; Allows to set the default encoding for the scripts. This value will be used
+; unless "declare(encoding=...)" directive appears at the top of the script.
+; Only affects if zend.multibyte is set.
+; Default: ""
+;zend.script_encoding =
+
+; Allows to include or exclude arguments from stack traces generated for exceptions.
+; In production, it is recommended to turn this setting on to prohibit the output
+; of sensitive information in stack traces
+; Default: Off
+zend.exception_ignore_args = On
+
+;;;;;;;;;;;;;;;;;
+; Miscellaneous ;
+;;;;;;;;;;;;;;;;;
+
+; Decides whether PHP may expose the fact that it is installed on the server
+; (e.g. by adding its signature to the Web server header). It is no security
+; threat in any way, but it makes it possible to determine whether you use PHP
+; on your server or not.
+; http://php.net/expose-php
+expose_php = On
+
+;;;;;;;;;;;;;;;;;;;
+; Resource Limits ;
+;;;;;;;;;;;;;;;;;;;
+
+; Maximum execution time of each script, in seconds
+; http://php.net/max-execution-time
+; Note: This directive is hardcoded to 0 for the CLI SAPI
+max_execution_time = 30
+
+; Maximum amount of time each script may spend parsing request data. It's a good
+; idea to limit this time on productions servers in order to eliminate unexpectedly
+; long running scripts.
+; Note: This directive is hardcoded to -1 for the CLI SAPI
+; Default Value: -1 (Unlimited)
+; Development Value: 60 (60 seconds)
+; Production Value: 60 (60 seconds)
+; http://php.net/max-input-time
+max_input_time = 60
+
+; Maximum input variable nesting level
+; http://php.net/max-input-nesting-level
+;max_input_nesting_level = 64
+
+; How many GET/POST/COOKIE input variables may be accepted
+;max_input_vars = 1000
+
+; Maximum amount of memory a script may consume
+; http://php.net/memory-limit
+memory_limit = -1
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Error handling and logging ;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; This directive informs PHP of which errors, warnings and notices you would like
+; it to take action for. The recommended way of setting values for this
+; directive is through the use of the error level constants and bitwise
+; operators. The error level constants are below here for convenience as well as
+; some common settings and their meanings.
+; By default, PHP is set to take action on all errors, notices and warnings EXCEPT
+; those related to E_NOTICE and E_STRICT, which together cover best practices and
+; recommended coding standards in PHP. For performance reasons, this is the
+; recommend error reporting setting. Your production server shouldn't be wasting
+; resources complaining about best practices and coding standards. That's what
+; development servers and development settings are for.
+; Note: The php.ini-development file has this setting as E_ALL. This
+; means it pretty much reports everything which is exactly what you want during
+; development and early testing.
+;
+; Error Level Constants:
+; E_ALL - All errors and warnings (includes E_STRICT as of PHP 5.4.0)
+; E_ERROR - fatal run-time errors
+; E_RECOVERABLE_ERROR - almost fatal run-time errors
+; E_WARNING - run-time warnings (non-fatal errors)
+; E_PARSE - compile-time parse errors
+; E_NOTICE - run-time notices (these are warnings which often result
+; from a bug in your code, but it's possible that it was
+; intentional (e.g., using an uninitialized variable and
+; relying on the fact it is automatically initialized to an
+; empty string)
+; E_STRICT - run-time notices, enable to have PHP suggest changes
+; to your code which will ensure the best interoperability
+; and forward compatibility of your code
+; E_CORE_ERROR - fatal errors that occur during PHP's initial startup
+; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's
+; initial startup
+; E_COMPILE_ERROR - fatal compile-time errors
+; E_COMPILE_WARNING - compile-time warnings (non-fatal errors)
+; E_USER_ERROR - user-generated error message
+; E_USER_WARNING - user-generated warning message
+; E_USER_NOTICE - user-generated notice message
+; E_DEPRECATED - warn about code that will not work in future versions
+; of PHP
+; E_USER_DEPRECATED - user-generated deprecation warnings
+;
+; Common Values:
+; E_ALL (Show all errors, warnings and notices including coding standards.)
+; E_ALL & ~E_NOTICE (Show all errors, except for notices)
+; E_ALL & ~E_NOTICE & ~E_STRICT (Show all errors, except for notices and coding standards warnings.)
+; E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR (Show only errors)
+; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
+; Development Value: E_ALL
+; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
+; http://php.net/error-reporting
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+
+; This directive controls whether or not and where PHP will output errors,
+; notices and warnings too. Error output is very useful during development, but
+; it could be very dangerous in production environments. Depending on the code
+; which is triggering the error, sensitive information could potentially leak
+; out of your application such as database usernames and passwords or worse.
+; For production environments, we recommend logging errors rather than
+; sending them to STDOUT.
+; Possible Values:
+; Off = Do not display any errors
+; stderr = Display errors to STDERR (affects only CGI/CLI binaries!)
+; On or stdout = Display errors to STDOUT
+; Default Value: On
+; Development Value: On
+; Production Value: Off
+; http://php.net/display-errors
+display_errors = Off
+
+; The display of errors which occur during PHP's startup sequence are handled
+; separately from display_errors. PHP's default behavior is to suppress those
+; errors from clients. Turning the display of startup errors on can be useful in
+; debugging configuration problems. We strongly recommend you
+; set this to 'off' for production servers.
+; Default Value: Off
+; Development Value: On
+; Production Value: Off
+; http://php.net/display-startup-errors
+display_startup_errors = Off
+
+; Besides displaying errors, PHP can also log errors to locations such as a
+; server-specific log, STDERR, or a location specified by the error_log
+; directive found below. While errors should not be displayed on productions
+; servers they should still be monitored and logging is a great way to do that.
+; Default Value: Off
+; Development Value: On
+; Production Value: On
+; http://php.net/log-errors
+log_errors = On
+
+; Set maximum length of log_errors. In error_log information about the source is
+; added. The default is 1024 and 0 allows to not apply any maximum length at all.
+; http://php.net/log-errors-max-len
+log_errors_max_len = 1024
+
+; Do not log repeated messages. Repeated errors must occur in same file on same
+; line unless ignore_repeated_source is set true.
+; http://php.net/ignore-repeated-errors
+ignore_repeated_errors = Off
+
+; Ignore source of message when ignoring repeated messages. When this setting
+; is On you will not log errors with repeated messages from different files or
+; source lines.
+; http://php.net/ignore-repeated-source
+ignore_repeated_source = Off
+
+; If this parameter is set to Off, then memory leaks will not be shown (on
+; stdout or in the log). This is only effective in a debug compile, and if
+; error reporting includes E_WARNING in the allowed list
+; http://php.net/report-memleaks
+report_memleaks = On
+
+; This setting is on by default.
+;report_zend_debug = 0
+
+; Store the last error/warning message in $php_errormsg (boolean). Setting this value
+; to On can assist in debugging and is appropriate for development servers. It should
+; however be disabled on production servers.
+; This directive is DEPRECATED.
+; Default Value: Off
+; Development Value: Off
+; Production Value: Off
+; http://php.net/track-errors
+;track_errors = Off
+
+; Turn off normal error reporting and emit XML-RPC error XML
+; http://php.net/xmlrpc-errors
+;xmlrpc_errors = 0
+
+; An XML-RPC faultCode
+;xmlrpc_error_number = 0
+
+; When PHP displays or logs an error, it has the capability of formatting the
+; error message as HTML for easier reading. This directive controls whether
+; the error message is formatted as HTML or not.
+; Note: This directive is hardcoded to Off for the CLI SAPI
+; http://php.net/html-errors
+;html_errors = On
+
+; If html_errors is set to On *and* docref_root is not empty, then PHP
+; produces clickable error messages that direct to a page describing the error
+; or function causing the error in detail.
+; You can download a copy of the PHP manual from http://php.net/docs
+; and change docref_root to the base URL of your local copy including the
+; leading '/'. You must also specify the file extension being used including
+; the dot. PHP's default behavior is to leave these settings empty, in which
+; case no links to documentation are generated.
+; Note: Never use this feature for production boxes.
+; http://php.net/docref-root
+; Examples
+;docref_root = "/phpmanual/"
+
+; http://php.net/docref-ext
+;docref_ext = .html
+
+; String to output before an error message. PHP's default behavior is to leave
+; this setting blank.
+; http://php.net/error-prepend-string
+; Example:
+;error_prepend_string = "<span style='color: #ff0000'>"
+
+; String to output after an error message. PHP's default behavior is to leave
+; this setting blank.
+; http://php.net/error-append-string
+; Example:
+;error_append_string = "</span>"
+
+; Log errors to specified file. PHP's default behavior is to leave this value
+; empty.
+; http://php.net/error-log
+; Example:
+;error_log = php_errors.log
+; Log errors to syslog (Event Log on Windows).
+;error_log = syslog
+
+; The syslog ident is a string which is prepended to every message logged
+; to syslog. Only used when error_log is set to syslog.
+;syslog.ident = php
+
+; The syslog facility is used to specify what type of program is logging
+; the message. Only used when error_log is set to syslog.
+;syslog.facility = user
+
+; Set this to disable filtering control characters (the default).
+; Some loggers only accept NVT-ASCII, others accept anything that's not
+; control characters. If your logger accepts everything, then no filtering
+; is needed at all.
+; Allowed values are:
+; ascii (all printable ASCII characters and NL)
+; no-ctrl (all characters except control characters)
+; all (all characters)
+; raw (like "all", but messages are not split at newlines)
+; http://php.net/syslog.filter
+;syslog.filter = ascii
+
+;windows.show_crt_warning
+; Default value: 0
+; Development value: 0
+; Production value: 0
+
+;;;;;;;;;;;;;;;;;
+; Data Handling ;
+;;;;;;;;;;;;;;;;;
+
+; The separator used in PHP generated URLs to separate arguments.
+; PHP's default setting is "&".
+; http://php.net/arg-separator.output
+; Example:
+;arg_separator.output = "&"
+
+; List of separator(s) used by PHP to parse input URLs into variables.
+; PHP's default setting is "&".
+; NOTE: Every character in this directive is considered as separator!
+; http://php.net/arg-separator.input
+; Example:
+;arg_separator.input = ";&"
+
+; This directive determines which super global arrays are registered when PHP
+; starts up. G,P,C,E & S are abbreviations for the following respective super
+; globals: GET, POST, COOKIE, ENV and SERVER. There is a performance penalty
+; paid for the registration of these arrays and because ENV is not as commonly
+; used as the others, ENV is not recommended on productions servers. You
+; can still get access to the environment variables through getenv() should you
+; need to.
+; Default Value: "EGPCS"
+; Development Value: "GPCS"
+; Production Value: "GPCS";
+; http://php.net/variables-order
+variables_order = "GPCS"
+
+; This directive determines which super global data (G,P & C) should be
+; registered into the super global array REQUEST. If so, it also determines
+; the order in which that data is registered. The values for this directive
+; are specified in the same manner as the variables_order directive,
+; EXCEPT one. Leaving this value empty will cause PHP to use the value set
+; in the variables_order directive. It does not mean it will leave the super
+; globals array REQUEST empty.
+; Default Value: None
+; Development Value: "GP"
+; Production Value: "GP"
+; http://php.net/request-order
+request_order = "GP"
+
+; This directive determines whether PHP registers $argv & $argc each time it
+; runs. $argv contains an array of all the arguments passed to PHP when a script
+; is invoked. $argc contains an integer representing the number of arguments
+; that were passed when the script was invoked. These arrays are extremely
+; useful when running scripts from the command line. When this directive is
+; enabled, registering these variables consumes CPU cycles and memory each time
+; a script is executed. For performance reasons, this feature should be disabled
+; on production servers.
+; Note: This directive is hardcoded to On for the CLI SAPI
+; Default Value: On
+; Development Value: Off
+; Production Value: Off
+; http://php.net/register-argc-argv
+register_argc_argv = Off
+
+; When enabled, the ENV, REQUEST and SERVER variables are created when they're
+; first used (Just In Time) instead of when the script starts. If these
+; variables are not used within a script, having this directive on will result
+; in a performance gain. The PHP directive register_argc_argv must be disabled
+; for this directive to have any effect.
+; http://php.net/auto-globals-jit
+auto_globals_jit = On
+
+; Whether PHP will read the POST data.
+; This option is enabled by default.
+; Most likely, you won't want to disable this option globally. It causes $_POST
+; and $_FILES to always be empty; the only way you will be able to read the
+; POST data will be through the php://input stream wrapper. This can be useful
+; to proxy requests or to process the POST data in a memory efficient fashion.
+; http://php.net/enable-post-data-reading
+;enable_post_data_reading = Off
+
+; Maximum size of POST data that PHP will accept.
+; Its value may be 0 to disable the limit. It is ignored if POST data reading
+; is disabled through enable_post_data_reading.
+; http://php.net/post-max-size
+post_max_size = 8M
+
+; Automatically add files before PHP document.
+; http://php.net/auto-prepend-file
+auto_prepend_file =
+
+; Automatically add files after PHP document.
+; http://php.net/auto-append-file
+auto_append_file =
+
+; By default, PHP will output a media type using the Content-Type header. To
+; disable this, simply set it to be empty.
+;
+; PHP's built-in default media type is set to text/html.
+; http://php.net/default-mimetype
+default_mimetype = "text/html"
+
+; PHP's default character set is set to UTF-8.
+; http://php.net/default-charset
+default_charset = "UTF-8"
+
+; PHP internal character encoding is set to empty.
+; If empty, default_charset is used.
+; http://php.net/internal-encoding
+;internal_encoding =
+
+; PHP input character encoding is set to empty.
+; If empty, default_charset is used.
+; http://php.net/input-encoding
+;input_encoding =
+
+; PHP output character encoding is set to empty.
+; If empty, default_charset is used.
+; See also output_buffer.
+; http://php.net/output-encoding
+;output_encoding =
+
+;;;;;;;;;;;;;;;;;;;;;;;;;
+; Paths and Directories ;
+;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; UNIX: "/path1:/path2"
+;include_path = ".:/usr/share/php"
+;
+; Windows: "\path1;\path2"
+;include_path = ".;c:\php\includes"
+;
+; PHP's default setting for include_path is ".;/path/to/php/pear"
+; http://php.net/include-path
+
+; The root of the PHP pages, used only if nonempty.
+; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root
+; if you are running php as a CGI under any web server (other than IIS)
+; see documentation for security issues. The alternate is to use the
+; cgi.force_redirect configuration below
+; http://php.net/doc-root
+doc_root =
+
+; The directory under which PHP opens the script using /~username used only
+; if nonempty.
+; http://php.net/user-dir
+user_dir =
+
+; Directory in which the loadable extensions (modules) reside.
+; http://php.net/extension-dir
+;extension_dir = "./"
+; On windows:
+;extension_dir = "ext"
+
+; Directory where the temporary files should be placed.
+; Defaults to the system default (see sys_get_temp_dir)
+;sys_temp_dir = "/tmp"
+
+; Whether or not to enable the dl() function. The dl() function does NOT work
+; properly in multithreaded servers, such as IIS or Zeus, and is automatically
+; disabled on them.
+; http://php.net/enable-dl
+enable_dl = Off
+
+; cgi.force_redirect is necessary to provide security running PHP as a CGI under
+; most web servers. Left undefined, PHP turns this on by default. You can
+; turn it off here AT YOUR OWN RISK
+; **You CAN safely turn this off for IIS, in fact, you MUST.**
+; http://php.net/cgi.force-redirect
+;cgi.force_redirect = 1
+
+; if cgi.nph is enabled it will force cgi to always sent Status: 200 with
+; every request. PHP's default behavior is to disable this feature.
+;cgi.nph = 1
+
+; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape
+; (iPlanet) web servers, you MAY need to set an environment variable name that PHP
+; will look for to know it is OK to continue execution. Setting this variable MAY
+; cause security issues, KNOW WHAT YOU ARE DOING FIRST.
+; http://php.net/cgi.redirect-status-env
+;cgi.redirect_status_env =
+
+; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's
+; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
+; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting
+; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting
+; of zero causes PHP to behave as before. Default is 1. You should fix your scripts
+; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
+; http://php.net/cgi.fix-pathinfo
+;cgi.fix_pathinfo=1
+
+; if cgi.discard_path is enabled, the PHP CGI binary can safely be placed outside
+; of the web tree and people will not be able to circumvent .htaccess security.
+;cgi.discard_path=1
+
+; FastCGI under IIS supports the ability to impersonate
+; security tokens of the calling client. This allows IIS to define the
+; security context that the request runs under. mod_fastcgi under Apache
+; does not currently support this feature (03/17/2002)
+; Set to 1 if running under IIS. Default is zero.
+; http://php.net/fastcgi.impersonate
+;fastcgi.impersonate = 1
+
+; Disable logging through FastCGI connection. PHP's default behavior is to enable
+; this feature.
+;fastcgi.logging = 0
+
+; cgi.rfc2616_headers configuration option tells PHP what type of headers to
+; use when sending HTTP response code. If set to 0, PHP sends Status: header that
+; is supported by Apache. When this option is set to 1, PHP will send
+; RFC2616 compliant header.
+; Default is zero.
+; http://php.net/cgi.rfc2616-headers
+;cgi.rfc2616_headers = 0
+
+; cgi.check_shebang_line controls whether CGI PHP checks for line starting with #!
+; (shebang) at the top of the running script. This line might be needed if the
+; script support running both as stand-alone script and via PHP CGI<. PHP in CGI
+; mode skips this line and ignores its content if this directive is turned on.
+; http://php.net/cgi.check-shebang-line
+;cgi.check_shebang_line=1
+
+;;;;;;;;;;;;;;;;
+; File Uploads ;
+;;;;;;;;;;;;;;;;
+
+; Whether to allow HTTP file uploads.
+; http://php.net/file-uploads
+file_uploads = On
+
+; Temporary directory for HTTP uploaded files (will use system default if not
+; specified).
+; http://php.net/upload-tmp-dir
+;upload_tmp_dir =
+
+; Maximum allowed size for uploaded files.
+; http://php.net/upload-max-filesize
+upload_max_filesize = 2M
+
+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 20
+
+;;;;;;;;;;;;;;;;;;
+; Fopen wrappers ;
+;;;;;;;;;;;;;;;;;;
+
+; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
+; http://php.net/allow-url-fopen
+allow_url_fopen = On
+
+; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
+; http://php.net/allow-url-include
+allow_url_include = Off
+
+; Define the anonymous ftp password (your email address). PHP's default setting
+; for this is empty.
+; http://php.net/from
+;from="john@doe.com"
+
+; Define the User-Agent string. PHP's default setting for this is empty.
+; http://php.net/user-agent
+;user_agent="PHP"
+
+; Default timeout for socket based streams (seconds)
+; http://php.net/default-socket-timeout
+default_socket_timeout = 60
+
+; If your scripts have to deal with files from Macintosh systems,
+; or you are running on a Mac and need to deal with files from
+; unix or win32 systems, setting this flag will cause PHP to
+; automatically detect the EOL character in those files so that
+; fgets() and file() will work regardless of the source of the file.
+; http://php.net/auto-detect-line-endings
+;auto_detect_line_endings = Off
+
+;;;;;;;;;;;;;;;;;;;;;;
+; Dynamic Extensions ;
+;;;;;;;;;;;;;;;;;;;;;;
+
+; If you wish to have an extension loaded automatically, use the following
+; syntax:
+;
+; extension=modulename
+;
+; For example:
+;
+; extension=mysqli
+;
+; When the extension library to load is not located in the default extension
+; directory, You may specify an absolute path to the library file:
+;
+; extension=/path/to/extension/mysqli.so
+;
+; Note : The syntax used in previous PHP versions ('extension=<ext>.so' and
+; 'extension='php_<ext>.dll') is supported for legacy reasons and may be
+; deprecated in a future PHP major version. So, when it is possible, please
+; move to the new ('extension=<ext>) syntax.
+;
+; Notes for Windows environments :
+;
+; - Many DLL files are located in the extensions/ (PHP 4) or ext/ (PHP 5+)
+; extension folders as well as the separate PECL DLL download (PHP 5+).
+; Be sure to appropriately set the extension_dir directive.
+;
+;extension=bz2
+;extension=curl
+;extension=ffi
+;extension=ftp
+;extension=fileinfo
+;extension=gd2
+;extension=gettext
+;extension=gmp
+;extension=intl
+;extension=imap
+;extension=ldap
+;extension=mbstring
+;extension=exif ; Must be after mbstring as it depends on it
+;extension=mysqli
+;extension=oci8_12c ; Use with Oracle Database 12c Instant Client
+;extension=odbc
+;extension=openssl
+;extension=pdo_firebird
+;extension=pdo_mysql
+;extension=pdo_oci
+;extension=pdo_odbc
+;extension=pdo_pgsql
+;extension=pdo_sqlite
+;extension=pgsql
+;extension=shmop
+
+; The MIBS data available in the PHP distribution must be installed.
+; See http://www.php.net/manual/en/snmp.installation.php
+;extension=snmp
+
+;extension=soap
+;extension=sockets
+;extension=sodium
+;extension=sqlite3
+;extension=tidy
+;extension=xmlrpc
+;extension=xsl
+
+;;;;;;;;;;;;;;;;;;;
+; Module Settings ;
+;;;;;;;;;;;;;;;;;;;
+
+[CLI Server]
+; Whether the CLI web server uses ANSI color coding in its terminal output.
+cli_server.color = On
+
+[Date]
+; Defines the default timezone used by the date functions
+; http://php.net/date.timezone
+;date.timezone =
+
+; http://php.net/date.default-latitude
+;date.default_latitude = 31.7667
+
+; http://php.net/date.default-longitude
+;date.default_longitude = 35.2333
+
+; http://php.net/date.sunrise-zenith
+;date.sunrise_zenith = 90.583333
+
+; http://php.net/date.sunset-zenith
+;date.sunset_zenith = 90.583333
+
+[filter]
+; http://php.net/filter.default
+;filter.default = unsafe_raw
+
+; http://php.net/filter.default-flags
+;filter.default_flags =
+
+[iconv]
+; Use of this INI entry is deprecated, use global input_encoding instead.
+; If empty, default_charset or input_encoding or iconv.input_encoding is used.
+; The precedence is: default_charset < input_encoding < iconv.input_encoding
+;iconv.input_encoding =
+
+; Use of this INI entry is deprecated, use global internal_encoding instead.
+; If empty, default_charset or internal_encoding or iconv.internal_encoding is used.
+; The precedence is: default_charset < internal_encoding < iconv.internal_encoding
+;iconv.internal_encoding =
+
+; Use of this INI entry is deprecated, use global output_encoding instead.
+; If empty, default_charset or output_encoding or iconv.output_encoding is used.
+; The precedence is: default_charset < output_encoding < iconv.output_encoding
+; To use an output encoding conversion, iconv's output handler must be set
+; otherwise output encoding conversion cannot be performed.
+;iconv.output_encoding =
+
+[imap]
+; rsh/ssh logins are disabled by default. Use this INI entry if you want to
+; enable them. Note that the IMAP library does not filter mailbox names before
+; passing them to rsh/ssh command, thus passing untrusted data to this function
+; with rsh/ssh enabled is insecure.
+;imap.enable_insecure_rsh=0
+
+[intl]
+;intl.default_locale =
+; This directive allows you to produce PHP errors when some error
+; happens within intl functions. The value is the level of the error produced.
+; Default is 0, which does not produce any errors.
+;intl.error_level = E_WARNING
+;intl.use_exceptions = 0
+
+[sqlite3]
+; Directory pointing to SQLite3 extensions
+; http://php.net/sqlite3.extension-dir
+;sqlite3.extension_dir =
+
+; SQLite defensive mode flag (only available from SQLite 3.26+)
+; When the defensive flag is enabled, language features that allow ordinary
+; SQL to deliberately corrupt the database file are disabled. This forbids
+; writing directly to the schema, shadow tables (eg. FTS data tables), or
+; the sqlite_dbpage virtual table.
+; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html
+; (for older SQLite versions, this flag has no use)
+;sqlite3.defensive = 1
+
+[Pcre]
+; PCRE library backtracking limit.
+; http://php.net/pcre.backtrack-limit
+;pcre.backtrack_limit=100000
+
+; PCRE library recursion limit.
+; Please note that if you set this value to a high number you may consume all
+; the available process stack and eventually crash PHP (due to reaching the
+; stack size limit imposed by the Operating System).
+; http://php.net/pcre.recursion-limit
+;pcre.recursion_limit=100000
+
+; Enables or disables JIT compilation of patterns. This requires the PCRE
+; library to be compiled with JIT support.
+;pcre.jit=1
+
+[Pdo]
+; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off"
+; http://php.net/pdo-odbc.connection-pooling
+;pdo_odbc.connection_pooling=strict
+
+;pdo_odbc.db2_instance_name
+
+[Pdo_mysql]
+; Default socket name for local MySQL connects. If empty, uses the built-in
+; MySQL defaults.
+pdo_mysql.default_socket=
+
+[Phar]
+; http://php.net/phar.readonly
+;phar.readonly = On
+
+; http://php.net/phar.require-hash
+;phar.require_hash = On
+
+;phar.cache_list =
+
+[mail function]
+; For Win32 only.
+; http://php.net/smtp
+SMTP = localhost
+; http://php.net/smtp-port
+smtp_port = 25
+
+; For Win32 only.
+; http://php.net/sendmail-from
+;sendmail_from = me@example.com
+
+; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
+; http://php.net/sendmail-path
+;sendmail_path =
+
+; Force the addition of the specified parameters to be passed as extra parameters
+; to the sendmail binary. These parameters will always replace the value of
+; the 5th parameter to mail().
+;mail.force_extra_parameters =
+
+; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
+mail.add_x_header = Off
+
+; The path to a log file that will log all mail() calls. Log entries include
+; the full path of the script, line number, To address and headers.
+;mail.log =
+; Log mail to syslog (Event Log on Windows).
+;mail.log = syslog
+
+[ODBC]
+; http://php.net/odbc.default-db
+;odbc.default_db = Not yet implemented
+
+; http://php.net/odbc.default-user
+;odbc.default_user = Not yet implemented
+
+; http://php.net/odbc.default-pw
+;odbc.default_pw = Not yet implemented
+
+; Controls the ODBC cursor model.
+; Default: SQL_CURSOR_STATIC (default).
+;odbc.default_cursortype
+
+; Allow or prevent persistent links.
+; http://php.net/odbc.allow-persistent
+odbc.allow_persistent = On
+
+; Check that a connection is still valid before reuse.
+; http://php.net/odbc.check-persistent
+odbc.check_persistent = On
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/odbc.max-persistent
+odbc.max_persistent = -1
+
+; Maximum number of links (persistent + non-persistent). -1 means no limit.
+; http://php.net/odbc.max-links
+odbc.max_links = -1
+
+; Handling of LONG fields. Returns number of bytes to variables. 0 means
+; passthru.
+; http://php.net/odbc.defaultlrl
+odbc.defaultlrl = 4096
+
+; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char.
+; See the documentation on odbc_binmode and odbc_longreadlen for an explanation
+; of odbc.defaultlrl and odbc.defaultbinmode
+; http://php.net/odbc.defaultbinmode
+odbc.defaultbinmode = 1
+
+[MySQLi]
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/mysqli.max-persistent
+mysqli.max_persistent = -1
+
+; Allow accessing, from PHP's perspective, local files with LOAD DATA statements
+; http://php.net/mysqli.allow_local_infile
+;mysqli.allow_local_infile = On
+
+; Allow or prevent persistent links.
+; http://php.net/mysqli.allow-persistent
+mysqli.allow_persistent = On
+
+; Maximum number of links. -1 means no limit.
+; http://php.net/mysqli.max-links
+mysqli.max_links = -1
+
+; Default port number for mysqli_connect(). If unset, mysqli_connect() will use
+; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
+; compile-time value defined MYSQL_PORT (in that order). Win32 will only look
+; at MYSQL_PORT.
+; http://php.net/mysqli.default-port
+mysqli.default_port = 3306
+
+; Default socket name for local MySQL connects. If empty, uses the built-in
+; MySQL defaults.
+; http://php.net/mysqli.default-socket
+mysqli.default_socket =
+
+; Default host for mysqli_connect() (doesn't apply in safe mode).
+; http://php.net/mysqli.default-host
+mysqli.default_host =
+
+; Default user for mysqli_connect() (doesn't apply in safe mode).
+; http://php.net/mysqli.default-user
+mysqli.default_user =
+
+; Default password for mysqli_connect() (doesn't apply in safe mode).
+; Note that this is generally a *bad* idea to store passwords in this file.
+; *Any* user with PHP access can run 'echo get_cfg_var("mysqli.default_pw")
+; and reveal this password! And of course, any users with read access to this
+; file will be able to reveal the password as well.
+; http://php.net/mysqli.default-pw
+mysqli.default_pw =
+
+; Allow or prevent reconnect
+mysqli.reconnect = Off
+
+[mysqlnd]
+; Enable / Disable collection of general statistics by mysqlnd which can be
+; used to tune and monitor MySQL operations.
+mysqlnd.collect_statistics = On
+
+; Enable / Disable collection of memory usage statistics by mysqlnd which can be
+; used to tune and monitor MySQL operations.
+mysqlnd.collect_memory_statistics = Off
+
+; Records communication from all extensions using mysqlnd to the specified log
+; file.
+; http://php.net/mysqlnd.debug
+;mysqlnd.debug =
+
+; Defines which queries will be logged.
+;mysqlnd.log_mask = 0
+
+; Default size of the mysqlnd memory pool, which is used by result sets.
+;mysqlnd.mempool_default_size = 16000
+
+; Size of a pre-allocated buffer used when sending commands to MySQL in bytes.
+;mysqlnd.net_cmd_buffer_size = 2048
+
+; Size of a pre-allocated buffer used for reading data sent by the server in
+; bytes.
+;mysqlnd.net_read_buffer_size = 32768
+
+; Timeout for network requests in seconds.
+;mysqlnd.net_read_timeout = 31536000
+
+; SHA-256 Authentication Plugin related. File with the MySQL server public RSA
+; key.
+;mysqlnd.sha256_server_public_key =
+
+[OCI8]
+
+; Connection: Enables privileged connections using external
+; credentials (OCI_SYSOPER, OCI_SYSDBA)
+; http://php.net/oci8.privileged-connect
+;oci8.privileged_connect = Off
+
+; Connection: The maximum number of persistent OCI8 connections per
+; process. Using -1 means no limit.
+; http://php.net/oci8.max-persistent
+;oci8.max_persistent = -1
+
+; Connection: The maximum number of seconds a process is allowed to
+; maintain an idle persistent connection. Using -1 means idle
+; persistent connections will be maintained forever.
+; http://php.net/oci8.persistent-timeout
+;oci8.persistent_timeout = -1
+
+; Connection: The number of seconds that must pass before issuing a
+; ping during oci_pconnect() to check the connection validity. When
+; set to 0, each oci_pconnect() will cause a ping. Using -1 disables
+; pings completely.
+; http://php.net/oci8.ping-interval
+;oci8.ping_interval = 60
+
+; Connection: Set this to a user chosen connection class to be used
+; for all pooled server requests with Oracle 11g Database Resident
+; Connection Pooling (DRCP). To use DRCP, this value should be set to
+; the same string for all web servers running the same application,
+; the database pool must be configured, and the connection string must
+; specify to use a pooled server.
+;oci8.connection_class =
+
+; High Availability: Using On lets PHP receive Fast Application
+; Notification (FAN) events generated when a database node fails. The
+; database must also be configured to post FAN events.
+;oci8.events = Off
+
+; Tuning: This option enables statement caching, and specifies how
+; many statements to cache. Using 0 disables statement caching.
+; http://php.net/oci8.statement-cache-size
+;oci8.statement_cache_size = 20
+
+; Tuning: Enables statement prefetching and sets the default number of
+; rows that will be fetched automatically after statement execution.
+; http://php.net/oci8.default-prefetch
+;oci8.default_prefetch = 100
+
+; Compatibility. Using On means oci_close() will not close
+; oci_connect() and oci_new_connect() connections.
+; http://php.net/oci8.old-oci-close-semantics
+;oci8.old_oci_close_semantics = Off
+
+[PostgreSQL]
+; Allow or prevent persistent links.
+; http://php.net/pgsql.allow-persistent
+pgsql.allow_persistent = On
+
+; Detect broken persistent links always with pg_pconnect().
+; Auto reset feature requires a little overheads.
+; http://php.net/pgsql.auto-reset-persistent
+pgsql.auto_reset_persistent = Off
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/pgsql.max-persistent
+pgsql.max_persistent = -1
+
+; Maximum number of links (persistent+non persistent). -1 means no limit.
+; http://php.net/pgsql.max-links
+pgsql.max_links = -1
+
+; Ignore PostgreSQL backends Notice message or not.
+; Notice message logging require a little overheads.
+; http://php.net/pgsql.ignore-notice
+pgsql.ignore_notice = 0
+
+; Log PostgreSQL backends Notice message or not.
+; Unless pgsql.ignore_notice=0, module cannot log notice message.
+; http://php.net/pgsql.log-notice
+pgsql.log_notice = 0
+
+[bcmath]
+; Number of decimal digits for all bcmath functions.
+; http://php.net/bcmath.scale
+bcmath.scale = 0
+
+[browscap]
+; http://php.net/browscap
+;browscap = extra/browscap.ini
+
+[Session]
+; Handler used to store/retrieve data.
+; http://php.net/session.save-handler
+session.save_handler = files
+
+; Argument passed to save_handler. In the case of files, this is the path
+; where data files are stored. Note: Windows users have to change this
+; variable in order to use PHP's session functions.
+;
+; The path can be defined as:
+;
+; session.save_path = "N;/path"
+;
+; where N is an integer. Instead of storing all the session files in
+; /path, what this will do is use subdirectories N-levels deep, and
+; store the session data in those directories. This is useful if
+; your OS has problems with many files in one directory, and is
+; a more efficient layout for servers that handle many sessions.
+;
+; NOTE 1: PHP will not create this directory structure automatically.
+; You can use the script in the ext/session dir for that purpose.
+; NOTE 2: See the section on garbage collection below if you choose to
+; use subdirectories for session storage
+;
+; The file storage module creates files using mode 600 by default.
+; You can change that by using
+;
+; session.save_path = "N;MODE;/path"
+;
+; where MODE is the octal representation of the mode. Note that this
+; does not overwrite the process's umask.
+; http://php.net/session.save-path
+;session.save_path = "/var/lib/php/sessions"
+
+; Whether to use strict session mode.
+; Strict session mode does not accept an uninitialized session ID, and
+; regenerates the session ID if the browser sends an uninitialized session ID.
+; Strict mode protects applications from session fixation via a session adoption
+; vulnerability. It is disabled by default for maximum compatibility, but
+; enabling it is encouraged.
+; https://wiki.php.net/rfc/strict_sessions
+session.use_strict_mode = 0
+
+; Whether to use cookies.
+; http://php.net/session.use-cookies
+session.use_cookies = 1
+
+; http://php.net/session.cookie-secure
+;session.cookie_secure =
+
+; This option forces PHP to fetch and use a cookie for storing and maintaining
+; the session id. We encourage this operation as it's very helpful in combating
+; session hijacking when not specifying and managing your own session id. It is
+; not the be-all and end-all of session hijacking defense, but it's a good start.
+; http://php.net/session.use-only-cookies
+session.use_only_cookies = 1
+
+; Name of the session (used as cookie name).
+; http://php.net/session.name
+session.name = PHPSESSID
+
+; Initialize session on request startup.
+; http://php.net/session.auto-start
+session.auto_start = 0
+
+; Lifetime in seconds of cookie or, if 0, until browser is restarted.
+; http://php.net/session.cookie-lifetime
+session.cookie_lifetime = 0
+
+; The path for which the cookie is valid.
+; http://php.net/session.cookie-path
+session.cookie_path = /
+
+; The domain for which the cookie is valid.
+; http://php.net/session.cookie-domain
+session.cookie_domain =
+
+; Whether or not to add the httpOnly flag to the cookie, which makes it
+; inaccessible to browser scripting languages such as JavaScript.
+; http://php.net/session.cookie-httponly
+session.cookie_httponly =
+
+; Add SameSite attribute to cookie to help mitigate Cross-Site Request Forgery (CSRF/XSRF)
+; Current valid values are "Strict", "Lax" or "None". When using "None",
+; make sure to include the quotes, as `none` is interpreted like `false` in ini files.
+; https://tools.ietf.org/html/draft-west-first-party-cookies-07
+session.cookie_samesite =
+
+; Handler used to serialize data. php is the standard serializer of PHP.
+; http://php.net/session.serialize-handler
+session.serialize_handler = php
+
+; Defines the probability that the 'garbage collection' process is started on every
+; session initialization. The probability is calculated by using gc_probability/gc_divisor,
+; e.g. 1/100 means there is a 1% chance that the GC process starts on each request.
+; Default Value: 1
+; Development Value: 1
+; Production Value: 1
+; http://php.net/session.gc-probability
+session.gc_probability = 0
+
+; Defines the probability that the 'garbage collection' process is started on every
+; session initialization. The probability is calculated by using gc_probability/gc_divisor,
+; e.g. 1/100 means there is a 1% chance that the GC process starts on each request.
+; For high volume production servers, using a value of 1000 is a more efficient approach.
+; Default Value: 100
+; Development Value: 1000
+; Production Value: 1000
+; http://php.net/session.gc-divisor
+session.gc_divisor = 1000
+
+; After this number of seconds, stored data will be seen as 'garbage' and
+; cleaned up by the garbage collection process.
+; http://php.net/session.gc-maxlifetime
+session.gc_maxlifetime = 1440
+
+; NOTE: If you are using the subdirectory option for storing session files
+; (see session.save_path above), then garbage collection does *not*
+; happen automatically. You will need to do your own garbage
+; collection through a shell script, cron entry, or some other method.
+; For example, the following script is the equivalent of setting
+; session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
+; find /path/to/sessions -cmin +24 -type f | xargs rm
+
+; Check HTTP Referer to invalidate externally stored URLs containing ids.
+; HTTP_REFERER has to contain this substring for the session to be
+; considered as valid.
+; http://php.net/session.referer-check
+session.referer_check =
+
+; Set to {nocache,private,public,} to determine HTTP caching aspects
+; or leave this empty to avoid sending anti-caching headers.
+; http://php.net/session.cache-limiter
+session.cache_limiter = nocache
+
+; Document expires after n minutes.
+; http://php.net/session.cache-expire
+session.cache_expire = 180
+
+; trans sid support is disabled by default.
+; Use of trans sid may risk your users' security.
+; Use this option with caution.
+; - User may send URL contains active session ID
+; to other person via. email/irc/etc.
+; - URL that contains active session ID may be stored
+; in publicly accessible computer.
+; - User may access your site with the same session ID
+; always using URL stored in browser's history or bookmarks.
+; http://php.net/session.use-trans-sid
+session.use_trans_sid = 0
+
+; Set session ID character length. This value could be between 22 to 256.
+; Shorter length than default is supported only for compatibility reason.
+; Users should use 32 or more chars.
+; http://php.net/session.sid-length
+; Default Value: 32
+; Development Value: 26
+; Production Value: 26
+session.sid_length = 26
+
+; The URL rewriter will look for URLs in a defined set of HTML tags.
+; <form> is special; if you include them here, the rewriter will
+; add a hidden <input> field with the info which is otherwise appended
+; to URLs. <form> tag's action attribute URL will not be modified
+; unless it is specified.
+; Note that all valid entries require a "=", even if no value follows.
+; Default Value: "a=href,area=href,frame=src,form="
+; Development Value: "a=href,area=href,frame=src,form="
+; Production Value: "a=href,area=href,frame=src,form="
+; http://php.net/url-rewriter.tags
+session.trans_sid_tags = "a=href,area=href,frame=src,form="
+
+; URL rewriter does not rewrite absolute URLs by default.
+; To enable rewrites for absolute paths, target hosts must be specified
+; at RUNTIME. i.e. use ini_set()
+; <form> tags is special. PHP will check action attribute's URL regardless
+; of session.trans_sid_tags setting.
+; If no host is defined, HTTP_HOST will be used for allowed host.
+; Example value: php.net,www.php.net,wiki.php.net
+; Use "," for multiple hosts. No spaces are allowed.
+; Default Value: ""
+; Development Value: ""
+; Production Value: ""
+;session.trans_sid_hosts=""
+
+; Define how many bits are stored in each character when converting
+; the binary hash data to something readable.
+; Possible values:
+; 4 (4 bits: 0-9, a-f)
+; 5 (5 bits: 0-9, a-v)
+; 6 (6 bits: 0-9, a-z, A-Z, "-", ",")
+; Default Value: 4
+; Development Value: 5
+; Production Value: 5
+; http://php.net/session.hash-bits-per-character
+session.sid_bits_per_character = 5
+
+; Enable upload progress tracking in $_SESSION
+; Default Value: On
+; Development Value: On
+; Production Value: On
+; http://php.net/session.upload-progress.enabled
+;session.upload_progress.enabled = On
+
+; Cleanup the progress information as soon as all POST data has been read
+; (i.e. upload completed).
+; Default Value: On
+; Development Value: On
+; Production Value: On
+; http://php.net/session.upload-progress.cleanup
+;session.upload_progress.cleanup = On
+
+; A prefix used for the upload progress key in $_SESSION
+; Default Value: "upload_progress_"
+; Development Value: "upload_progress_"
+; Production Value: "upload_progress_"
+; http://php.net/session.upload-progress.prefix
+;session.upload_progress.prefix = "upload_progress_"
+
+; The index name (concatenated with the prefix) in $_SESSION
+; containing the upload progress information
+; Default Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; Development Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; Production Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; http://php.net/session.upload-progress.name
+;session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS"
+
+; How frequently the upload progress should be updated.
+; Given either in percentages (per-file), or in bytes
+; Default Value: "1%"
+; Development Value: "1%"
+; Production Value: "1%"
+; http://php.net/session.upload-progress.freq
+;session.upload_progress.freq = "1%"
+
+; The minimum delay between updates, in seconds
+; Default Value: 1
+; Development Value: 1
+; Production Value: 1
+; http://php.net/session.upload-progress.min-freq
+;session.upload_progress.min_freq = "1"
+
+; Only write session data when session data is changed. Enabled by default.
+; http://php.net/session.lazy-write
+;session.lazy_write = On
+
+[Assertion]
+; Switch whether to compile assertions at all (to have no overhead at run-time)
+; -1: Do not compile at all
+; 0: Jump over assertion at run-time
+; 1: Execute assertions
+; Changing from or to a negative value is only possible in php.ini! (For turning assertions on and off at run-time, see assert.active, when zend.assertions = 1)
+; Default Value: 1
+; Development Value: 1
+; Production Value: -1
+; http://php.net/zend.assertions
+zend.assertions = -1
+
+; Assert(expr); active by default.
+; http://php.net/assert.active
+;assert.active = On
+
+; Throw an AssertionError on failed assertions
+; http://php.net/assert.exception
+;assert.exception = On
+
+; Issue a PHP warning for each failed assertion. (Overridden by assert.exception if active)
+; http://php.net/assert.warning
+;assert.warning = On
+
+; Don't bail out by default.
+; http://php.net/assert.bail
+;assert.bail = Off
+
+; User-function to be called if an assertion fails.
+; http://php.net/assert.callback
+;assert.callback = 0
+
+; Eval the expression with current error_reporting(). Set to true if you want
+; error_reporting(0) around the eval().
+; http://php.net/assert.quiet-eval
+;assert.quiet_eval = 0
+
+[COM]
+; path to a file containing GUIDs, IIDs or filenames of files with TypeLibs
+; http://php.net/com.typelib-file
+;com.typelib_file =
+
+; allow Distributed-COM calls
+; http://php.net/com.allow-dcom
+;com.allow_dcom = true
+
+; autoregister constants of a component's typlib on com_load()
+; http://php.net/com.autoregister-typelib
+;com.autoregister_typelib = true
+
+; register constants casesensitive
+; http://php.net/com.autoregister-casesensitive
+;com.autoregister_casesensitive = false
+
+; show warnings on duplicate constant registrations
+; http://php.net/com.autoregister-verbose
+;com.autoregister_verbose = true
+
+; The default character set code-page to use when passing strings to and from COM objects.
+; Default: system ANSI code page
+;com.code_page=
+
+[mbstring]
+; language for internal character representation.
+; This affects mb_send_mail() and mbstring.detect_order.
+; http://php.net/mbstring.language
+;mbstring.language = Japanese
+
+; Use of this INI entry is deprecated, use global internal_encoding instead.
+; internal/script encoding.
+; Some encoding cannot work as internal encoding. (e.g. SJIS, BIG5, ISO-2022-*)
+; If empty, default_charset or internal_encoding or iconv.internal_encoding is used.
+; The precedence is: default_charset < internal_encoding < iconv.internal_encoding
+;mbstring.internal_encoding =
+
+; Use of this INI entry is deprecated, use global input_encoding instead.
+; http input encoding.
+; mbstring.encoding_translation = On is needed to use this setting.
+; If empty, default_charset or input_encoding or mbstring.input is used.
+; The precedence is: default_charset < input_encoding < mbstring.http_input
+; http://php.net/mbstring.http-input
+;mbstring.http_input =
+
+; Use of this INI entry is deprecated, use global output_encoding instead.
+; http output encoding.
+; mb_output_handler must be registered as output buffer to function.
+; If empty, default_charset or output_encoding or mbstring.http_output is used.
+; The precedence is: default_charset < output_encoding < mbstring.http_output
+; To use an output encoding conversion, mbstring's output handler must be set
+; otherwise output encoding conversion cannot be performed.
+; http://php.net/mbstring.http-output
+;mbstring.http_output =
+
+; enable automatic encoding translation according to
+; mbstring.internal_encoding setting. Input chars are
+; converted to internal encoding by setting this to On.
+; Note: Do _not_ use automatic encoding translation for
+; portable libs/applications.
+; http://php.net/mbstring.encoding-translation
+;mbstring.encoding_translation = Off
+
+; automatic encoding detection order.
+; "auto" detect order is changed according to mbstring.language
+; http://php.net/mbstring.detect-order
+;mbstring.detect_order = auto
+
+; substitute_character used when character cannot be converted
+; one from another
+; http://php.net/mbstring.substitute-character
+;mbstring.substitute_character = none
+
+; overload(replace) single byte functions by mbstring functions.
+; mail(), ereg(), etc are overloaded by mb_send_mail(), mb_ereg(),
+; etc. Possible values are 0,1,2,4 or combination of them.
+; For example, 7 for overload everything.
+; 0: No overload
+; 1: Overload mail() function
+; 2: Overload str*() functions
+; 4: Overload ereg*() functions
+; http://php.net/mbstring.func-overload
+;mbstring.func_overload = 0
+
+; enable strict encoding detection.
+; Default: Off
+;mbstring.strict_detection = On
+
+; This directive specifies the regex pattern of content types for which mb_output_handler()
+; is activated.
+; Default: mbstring.http_output_conv_mimetype=^(text/|application/xhtml\+xml)
+;mbstring.http_output_conv_mimetype=
+
+; This directive specifies maximum stack depth for mbstring regular expressions. It is similar
+; to the pcre.recursion_limit for PCRE.
+; Default: 100000
+;mbstring.regex_stack_limit=100000
+
+; This directive specifies maximum retry count for mbstring regular expressions. It is similar
+; to the pcre.backtrack_limit for PCRE.
+; Default: 1000000
+;mbstring.regex_retry_limit=1000000
+
+[gd]
+; Tell the jpeg decode to ignore warnings and try to create
+; a gd image. The warning will then be displayed as notices
+; disabled by default
+; http://php.net/gd.jpeg-ignore-warning
+;gd.jpeg_ignore_warning = 1
+
+[exif]
+; Exif UNICODE user comments are handled as UCS-2BE/UCS-2LE and JIS as JIS.
+; With mbstring support this will automatically be converted into the encoding
+; given by corresponding encode setting. When empty mbstring.internal_encoding
+; is used. For the decode settings you can distinguish between motorola and
+; intel byte order. A decode setting cannot be empty.
+; http://php.net/exif.encode-unicode
+;exif.encode_unicode = ISO-8859-15
+
+; http://php.net/exif.decode-unicode-motorola
+;exif.decode_unicode_motorola = UCS-2BE
+
+; http://php.net/exif.decode-unicode-intel
+;exif.decode_unicode_intel = UCS-2LE
+
+; http://php.net/exif.encode-jis
+;exif.encode_jis =
+
+; http://php.net/exif.decode-jis-motorola
+;exif.decode_jis_motorola = JIS
+
+; http://php.net/exif.decode-jis-intel
+;exif.decode_jis_intel = JIS
+
+[Tidy]
+; The path to a default tidy configuration file to use when using tidy
+; http://php.net/tidy.default-config
+;tidy.default_config = /usr/local/lib/php/default.tcfg
+
+; Should tidy clean and repair output automatically?
+; WARNING: Do not use this option if you are generating non-html content
+; such as dynamic images
+; http://php.net/tidy.clean-output
+tidy.clean_output = Off
+
+[soap]
+; Enables or disables WSDL caching feature.
+; http://php.net/soap.wsdl-cache-enabled
+soap.wsdl_cache_enabled=1
+
+; Sets the directory name where SOAP extension will put cache files.
+; http://php.net/soap.wsdl-cache-dir
+soap.wsdl_cache_dir="/tmp"
+
+; (time to live) Sets the number of second while cached file will be used
+; instead of original one.
+; http://php.net/soap.wsdl-cache-ttl
+soap.wsdl_cache_ttl=86400
+
+; Sets the size of the cache limit. (Max. number of WSDL files to cache)
+soap.wsdl_cache_limit = 5
+
+[sysvshm]
+; A default size of the shared memory segment
+;sysvshm.init_mem = 10000
+
+[ldap]
+; Sets the maximum number of open links or -1 for unlimited.
+ldap.max_links = -1
+
+[dba]
+;dba.default_handler=
+
+[opcache]
+; Determines if Zend OPCache is enabled
+;opcache.enable=1
+
+; Determines if Zend OPCache is enabled for the CLI version of PHP
+;opcache.enable_cli=0
+
+; The OPcache shared memory storage size.
+;opcache.memory_consumption=128
+
+; The amount of memory for interned strings in Mbytes.
+;opcache.interned_strings_buffer=8
+
+; The maximum number of keys (scripts) in the OPcache hash table.
+; Only numbers between 200 and 1000000 are allowed.
+;opcache.max_accelerated_files=10000
+
+; The maximum percentage of "wasted" memory until a restart is scheduled.
+;opcache.max_wasted_percentage=5
+
+; When this directive is enabled, the OPcache appends the current working
+; directory to the script key, thus eliminating possible collisions between
+; files with the same name (basename). Disabling the directive improves
+; performance, but may break existing applications.
+;opcache.use_cwd=1
+
+; When disabled, you must reset the OPcache manually or restart the
+; webserver for changes to the filesystem to take effect.
+;opcache.validate_timestamps=1
+
+; How often (in seconds) to check file timestamps for changes to the shared
+; memory storage allocation. ("1" means validate once per second, but only
+; once per request. "0" means always validate)
+;opcache.revalidate_freq=2
+
+; Enables or disables file search in include_path optimization
+;opcache.revalidate_path=0
+
+; If disabled, all PHPDoc comments are dropped from the code to reduce the
+; size of the optimized code.
+;opcache.save_comments=1
+
+; Allow file existence override (file_exists, etc.) performance feature.
+;opcache.enable_file_override=0
+
+; A bitmask, where each bit enables or disables the appropriate OPcache
+; passes
+;opcache.optimization_level=0x7FFFBFFF
+
+;opcache.dups_fix=0
+
+; The location of the OPcache blacklist file (wildcards allowed).
+; Each OPcache blacklist file is a text file that holds the names of files
+; that should not be accelerated. The file format is to add each filename
+; to a new line. The filename may be a full path or just a file prefix
+; (i.e., /var/www/x blacklists all the files and directories in /var/www
+; that start with 'x'). Line starting with a ; are ignored (comments).
+;opcache.blacklist_filename=
+
+; Allows exclusion of large files from being cached. By default all files
+; are cached.
+;opcache.max_file_size=0
+
+; Check the cache checksum each N requests.
+; The default value of "0" means that the checks are disabled.
+;opcache.consistency_checks=0
+
+; How long to wait (in seconds) for a scheduled restart to begin if the cache
+; is not being accessed.
+;opcache.force_restart_timeout=180
+
+; OPcache error_log file name. Empty string assumes "stderr".
+;opcache.error_log=
+
+; All OPcache errors go to the Web server log.
+; By default, only fatal errors (level 0) or errors (level 1) are logged.
+; You can also enable warnings (level 2), info messages (level 3) or
+; debug messages (level 4).
+;opcache.log_verbosity_level=1
+
+; Preferred Shared Memory back-end. Leave empty and let the system decide.
+;opcache.preferred_memory_model=
+
+; Protect the shared memory from unexpected writing during script execution.
+; Useful for internal debugging only.
+;opcache.protect_memory=0
+
+; Allows calling OPcache API functions only from PHP scripts which path is
+; started from specified string. The default "" means no restriction
+;opcache.restrict_api=
+
+; Mapping base of shared memory segments (for Windows only). All the PHP
+; processes have to map shared memory into the same address space. This
+; directive allows to manually fix the "Unable to reattach to base address"
+; errors.
+;opcache.mmap_base=
+
+; Facilitates multiple OPcache instances per user (for Windows only). All PHP
+; processes with the same cache ID and user share an OPcache instance.
+;opcache.cache_id=
+
+; Enables and sets the second level cache directory.
+; It should improve performance when SHM memory is full, at server restart or
+; SHM reset. The default "" disables file based caching.
+;opcache.file_cache=
+
+; Enables or disables opcode caching in shared memory.
+;opcache.file_cache_only=0
+
+; Enables or disables checksum validation when script loaded from file cache.
+;opcache.file_cache_consistency_checks=1
+
+; Implies opcache.file_cache_only=1 for a certain process that failed to
+; reattach to the shared memory (for Windows only). Explicitly enabled file
+; cache is required.
+;opcache.file_cache_fallback=1
+
+; Enables or disables copying of PHP code (text segment) into HUGE PAGES.
+; This should improve performance, but requires appropriate OS configuration.
+;opcache.huge_code_pages=1
+
+; Validate cached file permissions.
+;opcache.validate_permission=0
+
+; Prevent name collisions in chroot'ed environment.
+;opcache.validate_root=0
+
+; If specified, it produces opcode dumps for debugging different stages of
+; optimizations.
+;opcache.opt_debug_level=0
+
+; Specifies a PHP script that is going to be compiled and executed at server
+; start-up.
+; http://php.net/opcache.preload
+;opcache.preload=
+
+; Preloading code as root is not allowed for security reasons. This directive
+; facilitates to let the preloading to be run as another user.
+; http://php.net/opcache.preload_user
+;opcache.preload_user=
+
+; Prevents caching files that are less than this number of seconds old. It
+; protects from caching of incompletely updated files. In case all file updates
+; on your site are atomic, you may increase performance by setting it to "0".
+;opcache.file_update_protection=2
+
+; Absolute path used to store shared lockfiles (for *nix only).
+;opcache.lockfile_path=/tmp
+
+[curl]
+; A default value for the CURLOPT_CAINFO option. This is required to be an
+; absolute path.
+;curl.cainfo =
+
+[openssl]
+; The location of a Certificate Authority (CA) file on the local filesystem
+; to use when verifying the identity of SSL/TLS peers. Most users should
+; not specify a value for this directive as PHP will attempt to use the
+; OS-managed cert stores in its absence. If specified, this value may still
+; be overridden on a per-stream basis via the "cafile" SSL stream context
+; option.
+;openssl.cafile=
+
+; If openssl.cafile is not specified or if the CA file is not found, the
+; directory pointed to by openssl.capath is searched for a suitable
+; certificate. This value must be a correctly hashed certificate directory.
+; Most users should not specify a value for this directive as PHP will
+; attempt to use the OS-managed cert stores in its absence. If specified,
+; this value may still be overridden on a per-stream basis via the "capath"
+; SSL stream context option.
+;openssl.capath=
+
+[ffi]
+; FFI API restriction. Possible values:
+; "preload" - enabled in CLI scripts and preloaded files (default)
+; "false" - always disabled
+; "true" - always enabled
+;ffi.enable=preload
+
+; List of headers files to preload, wildcard patterns allowed.
+;ffi.preload=
--- /dev/null
+; configuration for php common module
+; priority=20
+extension=calendar.so
--- /dev/null
+; configuration for php common module
+; priority=20
+extension=ctype.so
--- /dev/null
+; configuration for php common module
+; priority=20
+extension=exif.so
--- /dev/null
+; configuration for php common module
+; priority=20
+extension=ffi.so
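Review bot: Loading `ffi.so` makes the FFI extension available, and the PHP ini file added earlier in this diff leaves `;ffi.enable=preload` commented out, so the default applies: FFI is enabled for CLI scripts and preloaded files. FFI lets PHP code call native library functions directly, outside PHP-level restrictions such as `disable_functions`. If nothing on this host needs it, set `ffi.enable=false` in the ini file or leave this module out of the enabled set. Whether this three-line file sits in an "available" or an "enabled" directory is not visible here, so confirm which SAPIs actually load it.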
--- /dev/null
+; configuration for php common module
+; priority=20
+extension=fileinfo.so
--- /dev/null
+; configuration for php common module
+; priority=20
+extension=ftp.so
--- /dev/null
+; configuration for php gd module
+; priority=20
+extension=gd.so
--- /dev/null
+; configuration for php common module
+; priority=20
+extension=gettext.so
--- /dev/null
+; configuration for php common module
+; priority=20
+extension=iconv.so
--- /dev/null
+; configuration for php json module
+; priority=20
+extension=json.so
--- /dev/null
+; configuration for php ldap module
+; priority=20
+extension=ldap.so
--- /dev/null
+; configuration for php opcache module
+; priority=10
+zend_extension=opcache.so
--- /dev/null
+; configuration for php common module
+; priority=10
+extension=pdo.so
--- /dev/null
+; configuration for php common module
+; priority=20
+extension=phar.so
--- /dev/null
+; configuration for php common module
+; priority=20
+extension=posix.so
--- /dev/null
+; configuration for php readline module
+; priority=20
+extension=readline.so
--- /dev/null
+; configuration for php common module
+; priority=20
+extension=shmop.so
--- /dev/null
+; configuration for php common module
+; priority=20
+extension=sockets.so
--- /dev/null
+; configuration for php common module
+; priority=20
+extension=sysvmsg.so
--- /dev/null
+; configuration for php common module
+; priority=20
+extension=sysvsem.so
--- /dev/null
+; configuration for php common module
+; priority=20
+extension=sysvshm.so
--- /dev/null
+; configuration for php common module
+; priority=20
+extension=tokenizer.so
# were in the public domain. I waive all rights.
# Modified by Vincent Blut <vincent.debian@free.fr>
-if [ -e /run/chronyd.pid ]; then
+if [ -e /run/chrony/chronyd.pid ]; then
chronyc onoffline > /dev/null 2>&1
fi
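Review bot: The guard `[ -e /run/chrony/chronyd.pid ]` only tests that the pid file exists, so a stale file left by a crashed chronyd still triggers `chronyc onoffline`, and `> /dev/null 2>&1` hides the resulting failure. If silent best-effort behaviour is intended, a comment such as `# best effort: errors are deliberately ignored when chronyd is not reachable` would make that explicit; otherwise drop `2>&1` so the error reaches the caller's log. The same applies to the identical hunk that follows. The rest of the script lies outside the hunk.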
# were in the public domain. I waive all rights.
# Modified by Vincent Blut <vincent.debian@free.fr>
-if [ -e /run/chronyd.pid ]; then
+if [ -e /run/chrony/chronyd.pid ]; then
chronyc onoffline > /dev/null 2>&1
fi
+# shellcheck shell=sh disable=SC1091,SC2039,SC2166
# Check for interactive bash and that we haven't already been sourced.
-if [ -n "${BASH_VERSION-}" -a -n "${PS1-}" -a -z "${BASH_COMPLETION_VERSINFO-}" ]; then
+if [ "x${BASH_VERSION-}" != x -a "x${PS1-}" != x -a "x${BASH_COMPLETION_VERSINFO-}" = x ]; then
# Check for recent enough version of bash.
- if [ ${BASH_VERSINFO[0]} -gt 4 ] || \
- [ ${BASH_VERSINFO[0]} -eq 4 -a ${BASH_VERSINFO[1]} -ge 1 ]; then
- [ -r "${XDG_CONFIG_HOME:-$HOME/.config}/bash_completion" ] && \
+ if [ "${BASH_VERSINFO[0]}" -gt 4 ] ||
+ [ "${BASH_VERSINFO[0]}" -eq 4 -a "${BASH_VERSINFO[1]}" -ge 2 ]; then
+ [ -r "${XDG_CONFIG_HOME:-$HOME/.config}/bash_completion" ] &&
. "${XDG_CONFIG_HOME:-$HOME/.config}/bash_completion"
if shopt -q progcomp && [ -r /usr/share/bash-completion/bash_completion ]; then
# Source completion code.
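Review bot: The minimum bash version rises from 4.1 to 4.2 (`-ge 2`), but the comment above the test still only says "recent enough"; `# Check for recent enough version of bash (>= 4.2).` would keep the threshold visible to whoever next debugs missing completions. The `-a` conjunctions are kept and silenced with `disable=SC2166` rather than replaced. Chaining separate tests needs no suppression, e.g. `[ "x${BASH_VERSION-}" != x ] && [ "x${PS1-}" != x ] && [ "x${BASH_COMPLETION_VERSINFO-}" = x ]`, and the same goes for the `-eq 4 -a ... -ge 2` version check. The enclosing `if` block continues past the end of the hunk.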
--- /dev/null
+../init.d/named
\ No newline at end of file
+++ /dev/null
-../init.d/bind9
\ No newline at end of file
--- /dev/null
+../init.d/sendsigs
\ No newline at end of file
--- /dev/null
+../init.d/rsyslog
\ No newline at end of file
+++ /dev/null
-../init.d/sendsigs
\ No newline at end of file
--- /dev/null
+../init.d/hwclock.sh
\ No newline at end of file
+++ /dev/null
-../init.d/rsyslog
\ No newline at end of file
--- /dev/null
+../init.d/umountnfs.sh
\ No newline at end of file
+++ /dev/null
-../init.d/hwclock.sh
\ No newline at end of file
--- /dev/null
+../init.d/networking
\ No newline at end of file
+++ /dev/null
-../init.d/umountnfs.sh
\ No newline at end of file
+++ /dev/null
-../init.d/networking
\ No newline at end of file
--- /dev/null
+../init.d/umountfs
\ No newline at end of file
+++ /dev/null
-../init.d/umountfs
\ No newline at end of file
--- /dev/null
+../init.d/umountroot
\ No newline at end of file
--- /dev/null
+../init.d/halt
\ No newline at end of file
+++ /dev/null
-../init.d/umountroot
\ No newline at end of file
+++ /dev/null
-../init.d/halt
\ No newline at end of file
--- /dev/null
+../init.d/named
\ No newline at end of file
+++ /dev/null
-../init.d/bind9
\ No newline at end of file
--- /dev/null
+../init.d/rsyslog
\ No newline at end of file
+++ /dev/null
-../init.d/rsyslog
\ No newline at end of file
+++ /dev/null
-../init.d/bind9
\ No newline at end of file
--- /dev/null
+../init.d/named
\ No newline at end of file
+++ /dev/null
-../init.d/bind9
\ No newline at end of file
--- /dev/null
+../init.d/named
\ No newline at end of file
+++ /dev/null
-../init.d/bind9
\ No newline at end of file
--- /dev/null
+../init.d/named
\ No newline at end of file
+++ /dev/null
-../init.d/bind9
\ No newline at end of file
--- /dev/null
+../init.d/named
\ No newline at end of file
--- /dev/null
+../init.d/named
\ No newline at end of file
+++ /dev/null
-../init.d/bind9
\ No newline at end of file
--- /dev/null
+../init.d/sendsigs
\ No newline at end of file
--- /dev/null
+../init.d/rsyslog
\ No newline at end of file
+++ /dev/null
-../init.d/sendsigs
\ No newline at end of file
--- /dev/null
+../init.d/hwclock.sh
\ No newline at end of file
+++ /dev/null
-../init.d/rsyslog
\ No newline at end of file
--- /dev/null
+../init.d/umountnfs.sh
\ No newline at end of file
+++ /dev/null
-../init.d/hwclock.sh
\ No newline at end of file
--- /dev/null
+../init.d/networking
\ No newline at end of file
+++ /dev/null
-../init.d/umountnfs.sh
\ No newline at end of file
+++ /dev/null
-../init.d/networking
\ No newline at end of file
--- /dev/null
+../init.d/umountfs
\ No newline at end of file
+++ /dev/null
-../init.d/umountfs
\ No newline at end of file
--- /dev/null
+../init.d/umountroot
\ No newline at end of file
--- /dev/null
+../init.d/reboot
\ No newline at end of file
+++ /dev/null
-../init.d/umountroot
\ No newline at end of file
+++ /dev/null
-../init.d/reboot
\ No newline at end of file
#
*.=debug;\
auth,authpriv.none;\
- news.none;mail.none -/var/log/debug
+ mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
- mail,news.none -/var/log/messages
+ mail.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
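Review bot: With `news.none` dropped from both selectors, messages logged under the news facility at debug, info, notice or warn priority now land in /var/log/debug and /var/log/messages. That is harmless if nothing on the host uses that facility. The rules that previously routed news.* to its own files are not visible in this hunk, so it is worth confirming they were removed on purpose and that no service still logs there. A one-line comment above the selectors, e.g. `# news facility is no longer split out; it falls through to the catch-all files`, would record the intent.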
--- /dev/null
+/etc/sv/acpid
\ No newline at end of file
-#@ s-nail.rc
-#@ Configuration file for S-nail v14.9.11
+#@ /etc/s-nail.rc
+#@ Configuration file for S-nail v14.9.22.
#@ The syntax of this file is interpreted as follows:
-#@ - Leading and trailing space, tabulator, newline (" \t\n") and all members
-#@ *ifs-ws* are removed.
+#@ - Any leading and trailing whitespace (space, tabulator, newline: " \t\n"),
+#@ and all members of (the internal variable) *ifs-ws* are removed.
#@ - Empty lines are ignored.
-#@ - Any other line is a command line. Such lines can be spread over
-#@ multiple lines if the newline character is "escaped" by placing
-#@ a reverse solidus character \ as the last character of the line; any
-#@ leading whitespace of follow lines is ignored, trailing whitespace before
-#@ the escaped newline is not.
+#@ - Any other line is a command line. Such lines may spread over multiple
+#@ lines if a reverse solidus character \ is placed as the last character of
+#@ all lines except the final one; any leading whitespace of follow lines is
+#@ removed, but trailing whitespace before "escaped newlines" is not.
#@ - The number sign # is the comment-command and causes the (joined) line
#@ (content) to be ignored.
-#@ S-nail v14.9.11 / 2018-08-08
+#--MKREL-START--
+#@ S-nail v14.9.22 / 2021-02-24
+#--MKREL-END--
## Variables
-# The standard POSIX 2008/Cor 2-2016 mandates the following initial settings:
+# The standard POSIX 2008/Cor 2-2016 mandates the following initial settings
+# which are established independendly from this file:
# [a] noallnet, noappend, asksub, noaskbcc, noaskcc, noautoprint,
# [b-e] nobang, nocmd, nocrt, nodebug, nodot, escape="~",
# [f-i] noflipr, nofolder, header, nohold, noignore, noignoreeof,
# [t-z] toplines="5"
#
# Notes:
-# - *hold, *keep*, *keepsave* and *sendwait* are deliberately set below.
-# - no*onehop* doesn't exist in this implementation.
-# (To pass options through to the MTA, either add them after a "--"
-# separator on the command line or set the *mta-arguments* variable.)
-# (Keep in SYNC: ./nail.h:okeys, ./nail.rc, ./nail.1:"Initial settings"!)
-#
-# Adjust the standard-imposed default variable settings.
-# Some of the following variables are not portable and may thus have no effect
-# with other Mail(1) / mailx(1) programs.
-# Entries are marked [OPTION] if their availability is compile-time dependent.
-
-# If threaded mode is activated, automatically collapse thread
+# - In this implementation:
+# + *sendwait* is set by default (and has extended meaning).
+# + no*onehop* does not exist.
+# (To pass options through to the MTA, either add them after a "--"
+# separator on the command line or set the *mta-arguments* variable.)
+# - *hold, *keep*, and *keepsave* are deliberately set below.
+# (Keep in SYNC: mx/nail.h:okeys, ./nail.rc, ./nail.1:"Initial settings"!)
+
+# Adjustments of standard imposed default- as well as other settings follow.
+# - Some of the latter are not portable and may thus have no effect with
+# other Mail(1) / mailx(1) / mail(1) programs.
+# - "wysh" is one of the "Command modifiers" and is not portable: before v15 it
+# changes the syntax of some old-style commands to sh(1)ell style quoting,
+# also see "COMMANDS" -> "Shell-style argument quoting" in the manual.
+# - Availability of entries marked [OPTION] is a compile-time decision.
+
+# If threaded mode is activated, automatically collapse thread.
set autocollapse
-# Enter threaded mode automatically
+# Enter threaded mode automatically.
#set autosort=thread
# Append rather than prepend when writing to mbox automatically.
-# This has no effect unless *hold* is unset (it is set below), it is
-# a compile-time setting for other cases.
+# Has no effect unless *hold* is unset (it is set below).
# This is a traditional entry and should usually be set.
set append
-# Ask for a message subject.
-set ask
+# Confirm sending of messages:
+set asksend
# Uncomment this in order to get coloured output in $PAGER (if possible).
#set colour-pager
# ? wysh set PAGER=less; environ unset LESS
# ? wysh set PAGER=lv; environ unset LV
-# Assume a CRT-like terminal and invoke a $PAGER if output doesn't fit on a
+# Assume a CRT-like terminal and invoke $PAGER if output does not fit on
# the screen. (Set crt=0 to always page; value treated as number of lines.)
set crt
# When entering compose mode, directly startup into $EDITOR, as via `~e'.
-# If the value is "v", startup into $VISUAL, as via `~v' instead.
+# If the value is "v", startup into $VISUAL instead, as via `~v'.
#set editalong=v
# When spawning an editor in compose mode (`~e', `~v', *editalong*), allow
# [OPTION] Add more entries to the history as is done by default.
# The latter will cause the built-in editor to save those entries, too.
# (The *history-file* variable controls persistency of the history.)
-set history-gabby history-gabby-persist
+set history-gabby=all history-gabby-persist
# Do not move read messages of system mailboxes to MBOX by default since this
# is likely to be irritating for most users today; also see *keepsave*.
set hold
-# Quote the original message in replies by "> " as usual on the Internet.
+# Quote the original message in replies with "> " as usual on the Internet.
# POSIX mandates tabulator ("wysh set indentprefix=$'\t'") as default.
set indentprefix="> "
+# Honour Mail-Followup-To: headers when replying etc.
+set followup-to-honour=ask-yes
+
# Mark messages that have been answered.
set markanswered
set keepsave
# An informational prompt (and see "Gimmicks" below).
+# Of interest may also be \${^ERRQUEUE-EXISTS} and \${^ERRQUEUE-COUNT}.
# Note the _real_ evaluation occurs once used (see *prompt* manual entry).
#wysh set prompt='?\$?!\$!/\$^ERRNAME[\${account-name}#\${mailbox-display}]? '
# (which is subject to `charsetalias' expansion, though).
#set reply-in-same-charset
+# Honour Reply-To: headers when replying etc.
+set reply-to-honour=ask-yes
+
# [OPTION] Outgoing messages are sent in UTF-8 if possible, otherwise LATIN1.
# Note: it is highly advisable to read the section "Character sets" of the
# manual in order to understand all the possibilities that exist to fine-tune
# $LC_ALL / $LANG environment variables and react upon them).
set sendcharsets=utf-8,iso-8859-1
-# When sending a message wait until the MTA (including the built-in SMTP one)
-# exits before accepting further commands. Only with this variable set errors
-# reported by the MTA will be recognizable!
-set sendwait
-
# Display real sender names in header summaries instead of only addresses.
set showname
## Commands
-# Most commands are not portable to other Mail(1) / mailx(1) programs, which is
-# why most commands are commented out. To remain portable, place anything
-# specific in its own file, then "set mailx-extra-rc=~/.my-file" in $MAILRC
-# (usually ~/.mailrc).
+# Most commands are not portable to other Mail(1) / mailx(1) / mail(1)
+# programs, which is why most commands are commented out. To remain portable,
+# place anything specific in its own file, and then
+# set mailx-extra-rc=~/.my-file"
+# in $MAILRC (usually ~/.mailrc).
+# The below use the \ command modifier to avoid `commandalias' checks
# Map ISO-8859-1 to LATIN1, and LATIN1 to CP1252.
# (These mappings are not applied to character sets specified by other
-# variables, e.g., sendcharsets).
-#charsetalias iso-8859-1 latin1 latin1 cp1252
+# variables, e.g., *sendcharsets*).
+#\charsetalias iso-8859-1 latin1 latin1 cp1252
# Only include the selected header fields when printing messages
-# `headerpick' is not portable, so use the standard `retain'
-retain from_ date from to cc subject message-id mail-followup-to reply-to
-#headerpick type retain from_ date from to cc subject \
+# (`headerpick' is not portable, so use the standard `retain')
+retain date sender from to cc subject message-id mail-followup-to reply-to
+#\headerpick type retain from_ date sender from to cc subject \
# message-id mail-followup-to reply-to
-# ...when forwarding messages
-#headerpick forward retain subject date from to cc
-# ...and don't include these when saving message, etc.
-#if [ "$features" =@ +regex ]
-# headerpick save ignore '^Original-.*$' '^X-.*$'
-#end
+# - when forwarding messages
+#\headerpick forward retain subject date sender from to cc
+# - and do not include these when saving message, etc.
+#\if "$features" =@ ,+regex,
+# \headerpick save ignore '^Original-.*$' '^X-.*$'
+#\end
## Some pipe-TYPE/SUBTYPE entries
# HTML as text, inline display via lynx(1).
-#if [ "$features" !@ +filter-html-tagsoup ]
-# set pipe-text/html='@* lynx -stdin -dump -force_html'
-#endif
+#\if "$features" !@ ,+filter-html-tagsoup,
+# \set pipe-text/html='?* lynx -stdin -dump -force_html'
+#\endif
# "External body", URL type supported only.
-#wysh set pipe-message/external-body='@* echo $MAILX_EXTERNAL_BODY_URL'
+#\wysh set pipe-message/external-body='?* echo $MAILX_EXTERNAL_BODY_URL'
# PDF display, asynchronous display: via `mimeview' command only.
-#wysh set pipe-application/pdf='@=&@\
+#\wysh set pipe-application/pdf='?=&@\
# trap "rm -f \"${MAILX_FILENAME_TEMPORARY}\"" EXIT;\
# trap "trap \"\" INT QUIT TERM; exit 1" INT QUIT TERM;\
# mupdf "${MAILX_FILENAME_TEMPORARY}"'
## Gimmicks
# More key bindings for the Mailx-Line-Editor (when in interactive mode).
-#if terminal && [ "$features" =@ +key-bindings ]
+#\if terminal && "$features" =@ +key-bindings
# \bind base $'\e',d mle-snarf-word-fwd
# \bind base $'\e',$'\c?' mle-snarf-word-bwd
# \bind base $'\e',f mle-go-word-fwd
# \bind base $'\e',b mle-go-word-bwd
# \bind base $'\cL' mle-clear-screen
# \bind compose :kf1 ~v
-#endif
+#\endif
# Coloured prompt for the Mailx-Line-Editor (when in interactive mode).
-#if terminal && [ "$features" =@ +mle ] && [ "$features" =@ +colour ]
-# colour 256 mle-position fg=202
-# colour 256 mle-prompt fg=red
-# colour iso mle-position ft=reverse
-# colour iso mle-prompt fg=red
-# colour mono mle-position ft=reverse
-# colour mono mle-prompt ft=bold
-#endif
+#\if terminal && "$features" =@ +mle && "$features" =@ +colour
+# \colour 256 mle-position fg=202
+# \colour 256 mle-prompt fg=203
+# \colour 256 mle-error bg=124
+# \colour iso mle-position ft=bold
+# \colour iso mle-prompt fg=brown
+# \colour iso mle-error bg=red
+# \colour mono mle-position ft=reverse
+# \colour mono mle-prompt ft=bold
+# \colour mono mle-error ft=reverse
+#\endif
# Install file-extension handlers to handle MBOXes in various formats.
-#filetype \
+#\filetype \
# bz2 'bzip2 -dc' 'bzip2 -zc' \
# gpg 'gpg -d' 'gpg -e' \
# gz 'gzip -dc' 'gzip -c' \
# zst 'zstd -dc' 'zstd -19 -zc' \
# zst.pgp 'gpg -d | zstd -dc' 'zstd -19 -zc | gpg -e'
+# If mail is send from cron scripts and iconv(3) is compiled it, it could be
+# that sending fails because of invalid (according to locale) character input.
+# This undesired event can be prevented as follows, the (possibly) resulting
+# octet-stream message data can be read nonetheless via
+# *mime-counter-evidence*=0b1111:
+#\if ! terminal && "$LOGNAME" == root
+# \set mime-force-sendout
+#\endif
+
# s-it-mode
--- /dev/null
+# Configuration for locking the user after multiple failed
+# authentication attempts.
+#
+# The directory where the user files with the failure records are kept.
+# The default is /var/run/faillock.
+# dir = /var/run/faillock
+#
+# Will log the user name into the system log if the user is not found.
+# Enabled if option is present.
+# audit
+#
+# Don't print informative messages.
+# Enabled if option is present.
+# silent
+#
+# Don't log informative messages via syslog.
+# Enabled if option is present.
+# no_log_info
+#
+# Only track failed user authentications attempts for local users
+# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
+# The `faillock` command will also no longer track user failed
+# authentication attempts. Enabling this option will prevent a
+# double-lockout scenario where a user is locked out locally and
+# in the centralized mechanism.
+# Enabled if option is present.
+# local_users_only
+#
+# Deny access if the number of consecutive authentication failures
+# for this user during the recent interval exceeds n tries.
+# The default is 3.
+# deny = 3
+#
+# The length of the interval during which the consecutive
+# authentication failures must happen for the user account
+# lock out is <replaceable>n</replaceable> seconds.
+# The default is 900 (15 minutes).
+# fail_interval = 900
+#
+# The access will be re-enabled after n seconds after the lock out.
+# The value 0 has the same meaning as value `never` - the access
+# will not be re-enabled without resetting the faillock
+# entries by the `faillock` command.
+# The default is 600 (10 minutes).
+# unlock_time = 600
+#
+# Root account can become locked as well as regular accounts.
+# Enabled if option is present.
+# even_deny_root
+#
+# This option implies the `even_deny_root` option.
+# Allow access after n seconds to root account after the
+# account is locked. In case the option is not specified
+# the value is the same as of the `unlock_time` option.
+# root_unlock_time = 900
+#
+# If a group name is specified with this option, members
+# of the group will be handled by this module the same as
+# the root account (the options `even_deny_root>` and
+# `root_unlock_time` will apply to them.
+# By default, the option is not set.
+# admin_group = <admin_group_name>
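Review bot: Every option in this new faillock configuration is commented out, so the file records no lockout policy and the module's built-in defaults apply. If this host is meant to enforce lockout, set the chosen values explicitly, for example `deny = 3` and `unlock_time = 600`, and decide deliberately whether `even_deny_root` should be on. The file presumably only takes effect when pam_faillock is referenced from the PAM stack, which this section does not show, so that should be confirmed alongside it. The comment text also carries leftover markup (`<replaceable>n</replaceable>` and the stray `>` in `even_deny_root>`), which is worth reporting to the package rather than editing locally.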
# is explicitly called with an argument to ignore the mode of the
# instance parent. System administrators should use this argument with
# caution, as it will reduce security and isolation achieved by
-# polyinstantiation.
+# polyinstantiation. The parent directories (except $HOME) are created
+# at boot by pam_namespace_helper, but in a live system, system
+# administrators should create the parent directories before enabling
+# them here.
#
#/tmp /tmp-inst/ level root,adm
#/var/tmp /var/tmp/tmp-inst/ level root,adm
#
# Each line starts with the variable name, there are then two possible
# options for each variable DEFAULT and OVERRIDE.
-# DEFAULT allows and administrator to set the value of the
+# DEFAULT allows an administrator to set the value of the
# variable to some default value, if none is supplied then the empty
# string is assumed. The OVERRIDE option tells pam_env that it should
# enter in its value (overriding the default value) if there is one
# Network services, Internet style
#
-# Note that it is presently the policy of IANA to assign a single well-known
-# port number for both TCP and UDP; hence, officially ports have two entries
-# even if the protocol doesn't support UDP operations.
-#
# Updated from https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml .
#
# New ports will be added on request if they have been officially assigned
daytime 13/udp
netstat 15/tcp
qotd 17/tcp quote
-msp 18/tcp # message send protocol
-msp 18/udp
chargen 19/tcp ttytst source
chargen 19/udp ttytst source
ftp-data 20/tcp
smtp 25/tcp mail
time 37/tcp timserver
time 37/udp timserver
-rlp 39/udp resource # resource location
-nameserver 42/tcp name # IEN 116
whois 43/tcp nicname
tacacs 49/tcp # Login Host Protocol (TACACS)
tacacs 49/udp
gopher 70/tcp # Internet Gopher
finger 79/tcp
http 80/tcp www # WorldWideWeb HTTP
-link 87/tcp ttylink
kerberos 88/tcp kerberos5 krb5 kerberos-sec # Kerberos v5
kerberos 88/udp kerberos5 krb5 kerberos-sec # Kerberos v5
iso-tsap 102/tcp tsap # part of ISODE
sunrpc 111/tcp portmapper # RPC 4.0 portmapper
sunrpc 111/udp portmapper
auth 113/tcp authentication tap ident
-sftp 115/tcp
nntp 119/tcp readnews untp # USENET News Transfer Protocol
ntp 123/udp # Network Time Protocol
epmap 135/tcp loc-srv # DCE endpoint resolution
-epmap 135/udp loc-srv
-netbios-ns 137/tcp # NETBIOS Name Service
-netbios-ns 137/udp
-netbios-dgm 138/tcp # NETBIOS Datagram Service
-netbios-dgm 138/udp
+netbios-ns 137/udp # NETBIOS Name Service
+netbios-dgm 138/udp # NETBIOS Datagram Service
netbios-ssn 139/tcp # NETBIOS session service
-netbios-ssn 139/udp
imap2 143/tcp imap # Interim Mail Access P 2 and 4
snmp 161/tcp # Simple Net Mgmt Protocol
snmp 161/udp
cmip-agent 164/tcp
cmip-agent 164/udp
mailq 174/tcp # Mailer transport queue for Zmailer
-mailq 174/udp
-xdmcp 177/tcp # X Display Mgr. Control Proto
-xdmcp 177/udp
-nextstep 178/tcp NeXTStep NextStep # NeXTStep window
-nextstep 178/udp NeXTStep NextStep # server
+xdmcp 177/udp # X Display Manager Control Protocol
bgp 179/tcp # Border Gateway Protocol
-irc 194/tcp # Internet Relay Chat
-irc 194/udp
smux 199/tcp # SNMP Unix Multiplexer
-smux 199/udp
-at-rtmp 201/tcp # AppleTalk routing
-at-rtmp 201/udp
-at-nbp 202/tcp # AppleTalk name binding
-at-nbp 202/udp
-at-echo 204/tcp # AppleTalk echo
-at-echo 204/udp
-at-zis 206/tcp # AppleTalk zone information
-at-zis 206/udp
qmtp 209/tcp # Quick Mail Transfer Protocol
-qmtp 209/udp
z3950 210/tcp wais # NISO Z39.50 database
-z3950 210/udp wais
-ipx 213/tcp # IPX
-ipx 213/udp
+ipx 213/udp # IPX [RFC1234]
ptp-event 319/udp
ptp-general 320/udp
pawserv 345/tcp # Perf Analysis Workbench
-pawserv 345/udp
zserv 346/tcp # Zebra server
-zserv 346/udp
-fatserv 347/tcp # Fatmen Server
-fatserv 347/udp
rpc2portmap 369/tcp
rpc2portmap 369/udp # Coda portmapper
codaauth2 370/tcp
codaauth2 370/udp # Coda authentication server
-clearcase 371/tcp Clearcase
clearcase 371/udp Clearcase
-ulistserv 372/tcp # UNIX Listserv
-ulistserv 372/udp
ldap 389/tcp # Lightweight Directory Access Protocol
ldap 389/udp
-imsp 406/tcp # Interactive Mail Support Protocol
-imsp 406/udp
svrloc 427/tcp # Server Location
svrloc 427/udp
https 443/tcp # http protocol over TLS/SSL
+https 443/udp # HTTP/3
snpp 444/tcp # Simple Network Paging Protocol
-snpp 444/udp
microsoft-ds 445/tcp # Microsoft Naked CIFS
-microsoft-ds 445/udp
kpasswd 464/tcp
kpasswd 464/udp
submissions 465/tcp ssmtp smtps urd # Submission over TLS [RFC8314]
saft 487/tcp # Simple Asynchronous File Transfer
-saft 487/udp
-isakmp 500/tcp # IPsec - Internet Security Association
-isakmp 500/udp # and Key Management Protocol
+isakmp 500/udp # IPSEC key management
rtsp 554/tcp # Real Time Stream Control Protocol
rtsp 554/udp
nqs 607/tcp # Network Queuing system
-nqs 607/udp
-npmp-local 610/tcp dqs313_qmaster # npmp-local / DQS
-npmp-local 610/udp dqs313_qmaster
-npmp-gui 611/tcp dqs313_execd # npmp-gui / DQS
-npmp-gui 611/udp dqs313_execd
-hmmp-ind 612/tcp dqs313_intercell # HMMP Indication / DQS
-hmmp-ind 612/udp dqs313_intercell
asf-rmcp 623/udp # ASF Remote Management and Control Protocol
qmqp 628/tcp
-qmqp 628/udp
ipp 631/tcp # Internet Printing Protocol
-ipp 631/udp
+ldp 646/tcp # Label Distribution Protocol
+ldp 646/udp
#
# UNIX specific services
#
biff 512/udp comsat
login 513/tcp
who 513/udp whod
-shell 514/tcp cmd # no passwords used
+shell 514/tcp cmd syslog # no passwords used
syslog 514/udp
printer 515/tcp spooler # line printer spooler
talk 517/udp
ntalk 518/udp
route 520/udp router routed # RIP
-timed 525/udp timeserver
-tempo 526/tcp newdate
-courier 530/tcp rpc
-conference 531/tcp chat
-netnews 532/tcp readnews
-netwall 533/udp # for emergency broadcasts
gdomap 538/tcp # GNUstep distributed objects
gdomap 538/udp
uucp 540/tcp uucpd # uucp daemon
klogin 543/tcp # Kerberized `rlogin' (v5)
kshell 544/tcp krcmd # Kerberized `rsh' (v5)
-dhcpv6-client 546/tcp
dhcpv6-client 546/udp
-dhcpv6-server 547/tcp
dhcpv6-server 547/udp
afpovertcp 548/tcp # AFP over TCP
-afpovertcp 548/udp
-idfp 549/tcp
-idfp 549/udp
-remotefs 556/tcp rfs_server rfs # Brunhoff remote filesystem
nntps 563/tcp snntp # NNTP over SSL
submission 587/tcp # Submission [RFC4409]
ldaps 636/tcp # LDAP over SSL
tinc 655/tcp # tinc control port
tinc 655/udp
silc 706/tcp
-silc 706/udp
kerberos-adm 749/tcp # Kerberos `kadmin' (v5)
#
-webster 765/tcp # Network dictionary
-webster 765/udp
domain-s 853/tcp # DNS over TLS [RFC7858]
domain-s 853/udp # DNS over DTLS [RFC8094]
rsync 873/tcp
#> community.
#
socks 1080/tcp # socks proxy server
-socks 1080/udp
proofd 1093/tcp
-proofd 1093/udp
rootd 1094/tcp
-rootd 1094/udp
openvpn 1194/tcp
openvpn 1194/udp
rmiregistry 1099/tcp # Java RMI Registry
-rmiregistry 1099/udp
-kazaa 1214/tcp
-kazaa 1214/udp
-nessus 1241/tcp # Nessus vulnerability
-nessus 1241/udp # assessment scanner
lotusnote 1352/tcp lotusnotes # Lotus Note
-lotusnote 1352/udp lotusnotes
ms-sql-s 1433/tcp # Microsoft SQL Server
-ms-sql-s 1433/udp
-ms-sql-m 1434/tcp # Microsoft SQL Monitor
-ms-sql-m 1434/udp
+ms-sql-m 1434/udp # Microsoft SQL Monitor
ingreslock 1524/tcp
-ingreslock 1524/udp
datametrics 1645/tcp old-radius
datametrics 1645/udp old-radius
sa-msg-port 1646/tcp old-radacct
sa-msg-port 1646/udp old-radacct
kermit 1649/tcp
-kermit 1649/udp
groupwise 1677/tcp
-groupwise 1677/udp
-l2f 1701/tcp l2tp
l2f 1701/udp l2tp
radius 1812/tcp
radius 1812/udp
radius-acct 1813/tcp radacct # Radius Accounting
radius-acct 1813/udp radacct
-msnp 1863/tcp # MSN Messenger
-msnp 1863/udp
-unix-status 1957/tcp # remstats unix-status server
-log-server 1958/tcp # remstats log server
-remoteping 1959/tcp # remstats remoteping server
cisco-sccp 2000/tcp # Cisco SCCP
-cisco-sccp 2000/udp
-search 2010/tcp ndtp
-pipe-server 2010/tcp pipe_server
nfs 2049/tcp # Network File System
nfs 2049/udp # Network File System
gnunet 2086/tcp
rtcm-sc104 2101/tcp # RTCM SC-104 IANA 1/29/99
rtcm-sc104 2101/udp
gsigatekeeper 2119/tcp
-gsigatekeeper 2119/udp
gris 2135/tcp # Grid Resource Information Server
-gris 2135/udp
cvspserver 2401/tcp # CVS client/server operations
-cvspserver 2401/udp
venus 2430/tcp # codacon port
venus 2430/udp # Venus callback/wbc interface
venus-se 2431/tcp # tcp side effects
mon 2583/tcp # MON traps
mon 2583/udp
dict 2628/tcp # Dictionary server
-dict 2628/udp
f5-globalsite 2792/tcp
-f5-globalsite 2792/udp
gsiftp 2811/tcp
-gsiftp 2811/udp
gpsd 2947/tcp
-gpsd 2947/udp
gds-db 3050/tcp gds_db # InterBase server
-gds-db 3050/udp gds_db
-icpv2 3130/tcp icp # Internet Cache Protocol
-icpv2 3130/udp icp
+icpv2 3130/udp icp # Internet Cache Protocol
isns 3205/tcp # iSNS Server Port
isns 3205/udp # iSNS Server Port
iscsi-target 3260/tcp
mysql 3306/tcp
-mysql 3306/udp
+ms-wbt-server 3389/tcp
nut 3493/tcp # Network UPS Tools
nut 3493/udp
distcc 3632/tcp # distributed compiler
-distcc 3632/udp
daap 3689/tcp # Digital Audio Access Protocol
-daap 3689/udp
svn 3690/tcp subversion # Subversion protocol
-svn 3690/udp subversion
suucp 4031/tcp # UUCP over SSL
-suucp 4031/udp
sysrqd 4094/tcp # sysrq daemon
-sysrqd 4094/udp
sieve 4190/tcp # ManageSieve Protocol
epmd 4369/tcp # Erlang Port Mapper Daemon
-epmd 4369/udp
remctl 4373/tcp # Remote Authenticated Command Service
-remctl 4373/udp
f5-iquery 4353/tcp # F5 iQuery
-f5-iquery 4353/udp
+ntske 4460/tcp # Network Time Security Key Establishment
ipsec-nat-t 4500/udp # IPsec NAT-Traversal [RFC3947]
-iax 4569/tcp # Inter-Asterisk eXchange
-iax 4569/udp
+iax 4569/udp # Inter-Asterisk eXchange
mtn 4691/tcp # monotone Netsync Protocol
-mtn 4691/udp
radmin-port 4899/tcp # RAdmin Port
-radmin-port 4899/udp
-rfe 5002/udp # Radio Free Ethernet
-rfe 5002/tcp
-mmcc 5050/tcp # multimedia conference control tool (Yahoo IM)
-mmcc 5050/udp
sip 5060/tcp # Session Initiation Protocol
sip 5060/udp
sip-tls 5061/tcp
sip-tls 5061/udp
-aol 5190/tcp # AIM
-aol 5190/udp
xmpp-client 5222/tcp jabber-client # Jabber Client Connection
-xmpp-client 5222/udp jabber-client
xmpp-server 5269/tcp jabber-server # Jabber Server Connection
-xmpp-server 5269/udp jabber-server
cfengine 5308/tcp
-cfengine 5308/udp
-mdns 5353/tcp # Multicast DNS
-mdns 5353/udp
+mdns 5353/udp # Multicast DNS
postgresql 5432/tcp postgres # PostgreSQL Database
-postgresql 5432/udp postgres
freeciv 5556/tcp rptp # Freeciv gameplay
-freeciv 5556/udp
amqps 5671/tcp # AMQP protocol over TLS/SSL
amqp 5672/tcp
-amqp 5672/udp
amqp 5672/sctp
-ggz 5688/tcp # GGZ Gaming Zone
-ggz 5688/udp
x11 6000/tcp x11-0 # X Window System
-x11 6000/udp x11-0
x11-1 6001/tcp
-x11-1 6001/udp
x11-2 6002/tcp
-x11-2 6002/udp
x11-3 6003/tcp
-x11-3 6003/udp
x11-4 6004/tcp
-x11-4 6004/udp
x11-5 6005/tcp
-x11-5 6005/udp
x11-6 6006/tcp
-x11-6 6006/udp
x11-7 6007/tcp
-x11-7 6007/udp
gnutella-svc 6346/tcp # gnutella
gnutella-svc 6346/udp
gnutella-rtr 6347/tcp # gnutella
gnutella-rtr 6347/udp
+redis 6379/tcp
sge-qmaster 6444/tcp sge_qmaster # Grid Engine Qmaster Service
-sge-qmaster 6444/udp sge_qmaster
sge-execd 6445/tcp sge_execd # Grid Engine Execution Service
-sge-execd 6445/udp sge_execd
mysql-proxy 6446/tcp # MySQL Proxy
-mysql-proxy 6446/udp
babel 6696/udp # Babel Routing Protocol
ircs-u 6697/tcp # Internet Relay Chat via TLS/SSL
-afs3-fileserver 7000/tcp bbs # file server itself
-afs3-fileserver 7000/udp bbs
-afs3-callback 7001/tcp # callbacks to cache managers
-afs3-callback 7001/udp
-afs3-prserver 7002/tcp # users & groups database
-afs3-prserver 7002/udp
-afs3-vlserver 7003/tcp # volume location database
-afs3-vlserver 7003/udp
-afs3-kaserver 7004/tcp # AFS/Kerberos authentication
-afs3-kaserver 7004/udp
-afs3-volser 7005/tcp # volume managment server
-afs3-volser 7005/udp
-afs3-errors 7006/tcp # error interpretation service
-afs3-errors 7006/udp
-afs3-bos 7007/tcp # basic overseer process
-afs3-bos 7007/udp
-afs3-update 7008/tcp # server-to-server updater
-afs3-update 7008/udp
-afs3-rmtsys 7009/tcp # remote cache manager service
-afs3-rmtsys 7009/udp
+bbs 7000/tcp
+afs3-fileserver 7000/udp
+afs3-callback 7001/udp # callbacks to cache managers
+afs3-prserver 7002/udp # users & groups database
+afs3-vlserver 7003/udp # volume location database
+afs3-kaserver 7004/udp # AFS/Kerberos authentication
+afs3-volser 7005/udp # volume managment server
+afs3-bos 7007/udp # basic overseer process
+afs3-update 7008/udp # server-to-server updater
+afs3-rmtsys 7009/udp # remote cache manager service
font-service 7100/tcp xfs # X Font Service
-font-service 7100/udp xfs
http-alt 8080/tcp webcache # WWW caching service
-http-alt 8080/udp
puppet 8140/tcp # The Puppet master service
bacula-dir 9101/tcp # Bacula Director
-bacula-dir 9101/udp
bacula-fd 9102/tcp # Bacula File Daemon
-bacula-fd 9102/udp
bacula-sd 9103/tcp # Bacula Storage Daemon
-bacula-sd 9103/udp
xmms2 9667/tcp # Cross-platform Music Multiplexing System
-xmms2 9667/udp
nbd 10809/tcp # Linux Network Block Device
zabbix-agent 10050/tcp # Zabbix Agent
-zabbix-agent 10050/udp
zabbix-trapper 10051/tcp # Zabbix Trapper
-zabbix-trapper 10051/udp
amanda 10080/tcp # amanda backup services
-amanda 10080/udp
dicom 11112/tcp
hkp 11371/tcp # OpenPGP HTTP Keyserver
-hkp 11371/udp
-bprd 13720/tcp # VERITAS NetBackup
-bprd 13720/udp
-bpdbm 13721/tcp # VERITAS NetBackup
-bpdbm 13721/udp
-bpjava-msvc 13722/tcp # BP Java MSVC Protocol
-bpjava-msvc 13722/udp
-vnetd 13724/tcp # Veritas Network Utility
-vnetd 13724/udp
-bpcd 13782/tcp # VERITAS NetBackup
-bpcd 13782/udp
-vopied 13783/tcp # VERITAS NetBackup
-vopied 13783/udp
db-lsp 17500/tcp # Dropbox LanSync Protocol
dcap 22125/tcp # dCache Access Protocol
gsidcap 22128/tcp # GSI dCache Access Protocol
wnn6 22273/tcp # wnn6
-wnn6 22273/udp
#
# Datagram Delivery Protocol services
#=========================================================================
# Kerberos (Project Athena/MIT) services
-# Note that these are for Kerberos v4, and are unofficial. Sites running
-# v4 should uncomment these and comment out the v5 entries above.
-#
kerberos4 750/udp kerberos-iv kdc # Kerberos (server)
kerberos4 750/tcp kerberos-iv kdc
kerberos-master 751/udp kerberos_master # Kerberos authentication
kerberos-master 751/tcp
passwd-server 752/udp passwd_server # Kerberos passwd server
krb-prop 754/tcp krb_prop krb5_prop hprop # Kerberos slave propagation
-krbupdate 760/tcp kreg # Kerberos registration
-swat 901/tcp # swat
-kpop 1109/tcp # Pop with Kerberos
-knetd 2053/tcp # Kerberos de-multiplexor
zephyr-srv 2102/udp # Zephyr server
zephyr-clt 2103/udp # Zephyr serv-hm connection
zephyr-hm 2104/udp # Zephyr hostmanager
-eklogin 2105/tcp # Kerberos encrypted rlogin
-# Hmmm. Are we using Kv4 or Kv5 now? Worrying.
-# The following is probably Kerberos v5 --- ajt@debian.org (11/02/2000)
-kx 2111/tcp # X over Kerberos
iprop 2121/tcp # incremental propagation
-#
-# Unofficial but necessary (for NetBSD) services
-#
-supfilesrv 871/tcp # SUP server
-supfiledbg 1127/tcp # SUP debugging
+supfilesrv 871/tcp # Software Upgrade Protocol server
+supfiledbg 1127/tcp # Software Upgrade Protocol debugging
#
# Services added for the Debian GNU/Linux distribution
#
poppassd 106/tcp # Eudora
-poppassd 106/udp
moira-db 775/tcp moira_db # Moira database
moira-update 777/tcp moira_update # Moira update protocol
moira-ureg 779/udp moira_ureg # Moira user registration
spamd 783/tcp # spamassassin daemon
-omirr 808/tcp omirrd # online mirror
-omirr 808/udp omirrd
-customs 1001/tcp # pmake customs server
-customs 1001/udp
skkserv 1178/tcp # skk jisho server port
predict 1210/udp # predict -- satellite tracking
rmtcfg 1236/tcp # Gracilis Packeten remote config server
-wipld 1300/tcp # Wipl network monitor
xtel 1313/tcp # french minitel
xtelw 1314/tcp # french minitel
-support 1529/tcp # GNATS
-cfinger 2003/tcp # GNU Finger
-frox 2121/tcp # frox: caching ftp proxy
-ninstall 2150/tcp # ninstall service
-ninstall 2150/udp
zebrasrv 2600/tcp # zebra service
zebra 2601/tcp # zebra vty
ripd 2602/tcp # ripd vty (zebra)
ospf6d 2606/tcp # ospf6d vty (zebra)
ospfapi 2607/tcp # OSPF-API
isisd 2608/tcp # ISISd vty (zebra)
-afbackup 2988/tcp # Afbackup system
-afbackup 2988/udp
-afmbackup 2989/tcp # Afmbackup system
-afmbackup 2989/udp
-xtell 4224/tcp # xtell server
fax 4557/tcp # FAX transmission service (old)
hylafax 4559/tcp # HylaFAX client-server protocol (new)
-distmp3 4600/tcp # distmp3host daemon
munin 4949/tcp lrrd # Munin
-enbd-cstatd 5051/tcp # ENBD client statd
-enbd-sstatd 5052/tcp # ENBD server statd
-pcrd 5151/tcp # PCR-1000 Daemon
-noclog 5354/tcp # noclogd with TCP (nocol)
-noclog 5354/udp # noclogd with UDP (nocol)
-hostmon 5355/tcp # hostmon uses TCP (nocol)
-hostmon 5355/udp # hostmon uses UDP (nocol)
rplay 5555/udp # RPlay audio service
nrpe 5666/tcp # Nagios Remote Plugin Executor
nsca 5667/tcp # Nagios Agent - NSCA
-mrtd 5674/tcp # MRT Routing Daemon
-bgpsim 5675/tcp # MRT Routing Simulator
canna 5680/tcp # cannaserver
syslog-tls 6514/tcp # Syslog over TLS [RFC5425]
sane-port 6566/tcp sane saned # SANE network scanner daemon
zope-ftp 8021/tcp # zope management by ftp
tproxy 8081/tcp # Transparent Proxy
omniorb 8088/tcp # OmniORB
-omniorb 8088/udp
clc-build-daemon 8990/tcp # Common lisp build daemon
xinetd 9098/tcp
-mandelspawn 9359/udp mandelbrot # network mandelbrot
git 9418/tcp # Git Version Control System
zope 9673/tcp # zope server
webmin 10000/tcp
kamanda 10081/tcp # amanda backup services (Kerberos)
-kamanda 10081/udp
amandaidx 10082/tcp # amanda backup services
amidxtape 10083/tcp # amanda backup services
-smsqp 11201/tcp # Alamin SMS gateway
-smsqp 11201/udp
-xpilot 15345/tcp # XPilot Contact Port
-xpilot 15345/udp
sgi-cmsd 17001/udp # Cluster membership services daemon
sgi-crsd 17002/udp
sgi-gcd 17003/udp # SGI Group membership daemon
sgi-cad 17004/tcp # Cluster Admin daemon
-isdnlog 20011/tcp # isdn logging system
-isdnlog 20011/udp
-vboxd 20012/tcp # voice box system
-vboxd 20012/udp
binkp 24554/tcp # binkp fidonet protocol
asp 27374/tcp # Address Search Protocol
asp 27374/udp
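Review bot: This update removes many service names and protocol variants outright, for example `sftp 115/tcp`, `irc 194/tcp`, `nameserver 42/tcp` and the `/udp` entries for `x11`, `mysql` and `postgresql`. Anything on this host that resolves ports by name (packet-filter rules, inetd/xinetd entries, monitoring checks) should be checked against the new file before it is relied on. A filter rule that no longer resolves may fail to load, which can leave a ruleset partly applied. The change also adds `syslog` as an alias on `shell 514/tcp`, so a by-name TCP lookup of `syslog` now yields the port documented here as `# no passwords used`; rules meant for encrypted log transport should name `syslog-tls` instead. The hunk headers are not visible here, so this note covers the whole services section.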
_chrony:*:17365:0:99999:7:::
nagios:!:17449:0:99999:7:::
systemd-coredump:!!:18143::::::
+tcpdump:*:18886:0:99999:7:::
_apt:*:17365:0:99999:7:::
_chrony:*:17365:0:99999:7:::
nagios:!:17449:0:99999:7:::
+systemd-coredump:!!:18143::::::
+tcpdump:*:18886:0:99999:7:::
--- /dev/null
+root:$6$vHVlymK2rKEvbfVQ$bh5D78yiliZtUWrosEue7SlY9qgqtlb6fRNEnkc1SMEmxsJF0uIQUOFtHcJjhDt3c6/xt1IePbRMhEjcRSkA51:16625:0:99999:7:::
+daemon:*:16625:0:99999:7:::
+bin:*:16625:0:99999:7:::
+sys:*:16625:0:99999:7:::
+sync:*:16625:0:99999:7:::
+games:*:16625:0:99999:7:::
+man:*:16625:0:99999:7:::
+lp:*:16625:0:99999:7:::
+mail:*:16625:0:99999:7:::
+news:*:16625:0:99999:7:::
+uucp:*:16625:0:99999:7:::
+proxy:*:16625:0:99999:7:::
+www-data:*:16625:0:99999:7:::
+backup:*:16625:0:99999:7:::
+list:*:16625:0:99999:7:::
+irc:*:16625:0:99999:7:::
+gnats:*:16625:0:99999:7:::
+nobody:*:16625:0:99999:7:::
+systemd-timesync:*:16625:0:99999:7:::
+systemd-network:*:16625:0:99999:7:::
+systemd-resolve:*:16625:0:99999:7:::
+sshd:*:16625:0:99999:7:::
+postfix:*:16854:0:99999:7:::
+bind:*:16869:0:99999:7:::
+frank:$6$kxHuk1r2$O5jQlpc73U/ptwjZqKhIRAqEvIwbOD1vzt2nymCYpnaeFwceiPsFT7yD1bunKx2Kt7aKDLOp03et1RxsjzjpQ1:16919:0:99999:7:::
+doris:$6$ytvH/1Wr$TBx1U/JLr62XC5slXfmU3fm1qz8wDqS5Awa23RYk7yxNTYEuRukEOOyq6wGhoB32NJqBtLR/8lPW0Ed6jGnFa0:14756:0:99999:7:::
+patrick:$6$cayHKFTo$y3plIUQem6gONYo/D.VqfmcUJRgJ08lxWKzr.Q2NYw9P6BWOGLFgNi6HyWQ8sCjR9Ky7cWvBULtyxJG4xq2Bq1:14756:0:99999:7:::
+ulog:*:16920:0:99999:7:::
+openldap:!:16922:0:99999:7:::
+gitdeploy:!:16932:0:99999:7:::
+messagebus:*:17329:0:99999:7:::
+_apt:*:17365:0:99999:7:::
+_chrony:*:17365:0:99999:7:::
+nagios:!:17449:0:99999:7:::
+systemd-coredump:!!:18143::::::
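Review bot: This new file commits crypt(3) password hashes for root and three user accounts into the repository history. They stay readable to anyone who can read the repository, a clone or a backup of it, even after a later commit removes the file. The file's path is not visible in this section; if it is a backup copy of the shadow file, it should be listed in `.gitignore` and untracked. The repository should also be kept root-only and off any remote, and the affected passwords changed if the history has already been shared. Two of the user entries have a last-change field of `14756`, far older than the other entries, with a maximum age of `99999`, so those passwords appear never to have been rotated and never expire.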
+++ /dev/null
-EE_Certification_Centre_Root_CA.pem
\ No newline at end of file
--- /dev/null
+NAVER_Global_Root_Certification_Authority.pem
\ No newline at end of file
+++ /dev/null
-Staat_der_Nederlanden_Root_CA_-_G2.pem
\ No newline at end of file
--- /dev/null
+certSIGN_Root_CA_G2.pem
\ No newline at end of file
+++ /dev/null
-Taiwan_GRCA.pem
\ No newline at end of file
+++ /dev/null
-GeoTrust_Universal_CA_2.pem
\ No newline at end of file
--- /dev/null
+Microsoft_ECC_Root_Certificate_Authority_2017.pem
\ No newline at end of file
--- /dev/null
+Trustwave_Global_ECC_P256_Certification_Authority.pem
\ No newline at end of file
+++ /dev/null
-/usr/share/ca-certificates/mozilla/EE_Certification_Centre_Root_CA.crt
\ No newline at end of file
+++ /dev/null
-/usr/share/ca-certificates/mozilla/GeoTrust_Universal_CA_2.crt
\ No newline at end of file
+++ /dev/null
-/usr/share/ca-certificates/mozilla/LuxTrust_Global_Root_2.crt
\ No newline at end of file
--- /dev/null
+/usr/share/ca-certificates/mozilla/Microsoft_ECC_Root_Certificate_Authority_2017.crt
\ No newline at end of file
--- /dev/null
+/usr/share/ca-certificates/mozilla/Microsoft_RSA_Root_Certificate_Authority_2017.crt
\ No newline at end of file
--- /dev/null
+/usr/share/ca-certificates/mozilla/NAVER_Global_Root_Certification_Authority.crt
\ No newline at end of file
+++ /dev/null
-/usr/share/ca-certificates/mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt
\ No newline at end of file
+++ /dev/null
-/usr/share/ca-certificates/mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt
\ No newline at end of file
+++ /dev/null
-/usr/share/ca-certificates/mozilla/Taiwan_GRCA.crt
\ No newline at end of file
--- /dev/null
+/usr/share/ca-certificates/mozilla/Trustwave_Global_Certification_Authority.crt
\ No newline at end of file
--- /dev/null
+/usr/share/ca-certificates/mozilla/Trustwave_Global_ECC_P256_Certification_Authority.crt
\ No newline at end of file
--- /dev/null
+/usr/share/ca-certificates/mozilla/Trustwave_Global_ECC_P384_Certification_Authority.crt
\ No newline at end of file
+++ /dev/null
-/usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
\ No newline at end of file
+++ /dev/null
-OISTE_WISeKey_Global_Root_GA_CA.pem
\ No newline at end of file
--- /dev/null
+Microsoft_RSA_Root_Certificate_Authority_2017.pem
\ No newline at end of file
+++ /dev/null
-Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
\ No newline at end of file
nJ2lYJU6Un/10asIbvPuW/mIPX64b24D5EI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIEAzCCAuugAwIBAgIQVID5oHPtPwBMyonY43HmSjANBgkqhkiG9w0BAQUFADB1
-MQswCQYDVQQGEwJFRTEiMCAGA1UECgwZQVMgU2VydGlmaXRzZWVyaW1pc2tlc2t1
-czEoMCYGA1UEAwwfRUUgQ2VydGlmaWNhdGlvbiBDZW50cmUgUm9vdCBDQTEYMBYG
-CSqGSIb3DQEJARYJcGtpQHNrLmVlMCIYDzIwMTAxMDMwMTAxMDMwWhgPMjAzMDEy
-MTcyMzU5NTlaMHUxCzAJBgNVBAYTAkVFMSIwIAYDVQQKDBlBUyBTZXJ0aWZpdHNl
-ZXJpbWlza2Vza3VzMSgwJgYDVQQDDB9FRSBDZXJ0aWZpY2F0aW9uIENlbnRyZSBS
-b290IENBMRgwFgYJKoZIhvcNAQkBFglwa2lAc2suZWUwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDIIMDs4MVLqwd4lfNE7vsLDP90jmG7sWLqI9iroWUy
-euuOF0+W2Ap7kaJjbMeMTC55v6kF/GlclY1i+blw7cNRfdCT5mzrMEvhvH2/UpvO
-bntl8jixwKIy72KyaOBhU8E2lf/slLo2rpwcpzIP5Xy0xm90/XsY6KxX7QYgSzIw
-WFv9zajmofxwvI6Sc9uXp3whrj3B9UiHbCe9nyV0gVWw93X2PaRka9ZP585ArQ/d
-MtO8ihJTmMmJ+xAdTX7Nfh9WDSFwhfYggx/2uh8Ej+p3iDXE/+pOoYtNP2MbRMNE
-1CV2yreN1x5KZmTNXMWcg+HCCIia7E6j8T4cLNlsHaFLAgMBAAGjgYowgYcwDwYD
-VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBLyWj7qVhy/
-zQas8fElyalL1BSZMEUGA1UdJQQ+MDwGCCsGAQUFBwMCBggrBgEFBQcDAQYIKwYB
-BQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCAYIKwYBBQUHAwkwDQYJKoZIhvcNAQEF
-BQADggEBAHv25MANqhlHt01Xo/6tu7Fq1Q+e2+RjxY6hUFaTlrg4wCQiZrxTFGGV
-v9DHKpY5P30osxBAIWrEr7BSdxjhlthWXePdNl4dp1BUoMUq5KqMlIpPnTX/dqQG
-E5Gion0ARD9V04I8GtVbvFZMIi5GQ4okQC3zErg7cBqklrkar4dBGmoYDQZPxz5u
-uSlNDUmJEYcyW+ZLBMjkXOZ0c5RdFpgTlf7727FE5TpwrDdr5rMzcijJs1eg9gIW
-iAYLtqZLICjU3j2LrTcFU3T+bsy8QxdxXvnFzBqpYe73dgzzcvRyrc9yAjYHR8/v
-GVCJYMzpJJUPwssd8m92kMfMdcGWxZ0=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
MIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML
RW50cnVzdC5uZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBp
bmNvcnAuIGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5
NL/+I5c30jn6PQ0GC7TbO6Orb1wdtn7os4I07QZcJA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIFbDCCA1SgAwIBAgIBATANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEW
-MBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXR2VvVHJ1c3QgVW5pdmVy
-c2FsIENBIDIwHhcNMDQwMzA0MDUwMDAwWhcNMjkwMzA0MDUwMDAwWjBHMQswCQYD
-VQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXR2VvVHJ1
-c3QgVW5pdmVyc2FsIENBIDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
-AQCzVFLByT7y2dyxUxpZKeexw0Uo5dfR7cXFS6GqdHtXr0om/Nj1XqduGdt0DE81
-WzILAePb63p3NeqqWuDW6KFXlPCQo3RWlEQwAx5cTiuFJnSCegx2oG9NzkEtoBUG
-FF+3Qs17j1hhNNwqCPkuwwGmIkQcTAeC5lvO0Ep8BNMZcyfwqph/Lq9O64ceJHdq
-XbboW0W63MOhBW9Wjo8QJqVJwy7XQYci4E+GymC16qFjwAGXEHm9ADwSbSsVsaxL
-se4YuU6W3Nx2/zu+z18DwPw76L5GG//aQMJS9/7jOvdqdzXQ2o3rXhhqMcceujwb
-KNZrVMaqW9eiLBsZzKIC9ptZvTdrhrVtgrrY6slWvKk2WP0+GfPtDCapkzj4T8Fd
-IgbQl+rhrcZV4IErKIM6+vR7IVEAvlI4zs1meaj0gVbi0IMJR1FbUGrP20gaXT73
-y/Zl92zxlfgCOzJWgjl6W70viRu/obTo/3+NjN8D8WBOWBFM66M/ECuDmgFz2ZRt
-hAAnZqzwcEAJQpKtT5MNYQlRJNiS1QuUYbKHsu3/mjX/hVTK7URDrBs8FmtISgoc
-QIgfksILAAX/8sgCSqSqqcyZlpwvWOB94b67B9xfBHJcMTTD7F8t4D1kkCLm0ey4
-Lt1ZrtmhN79UNdxzMk+MBB4zsslG8dhcyFVQyWi9qLo2CQIDAQABo2MwYTAPBgNV
-HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR281Xh+qQ2+/CfXGJx7Tz0RzgQKzAfBgNV
-HSMEGDAWgBR281Xh+qQ2+/CfXGJx7Tz0RzgQKzAOBgNVHQ8BAf8EBAMCAYYwDQYJ
-KoZIhvcNAQEFBQADggIBAGbBxiPz2eAubl/oz66wsCVNK/g7WJtAJDday6sWSf+z
-dXkzoS9tcBc0kf5nfo/sm+VegqlVHy/c1FEHEv6sFj4sNcZj/NwQ6w2jqtB8zNHQ
-L1EuxBRa3ugZ4T7GzKQp5y6EqgYweHZUcyiYWTjgAA1i00J9IZ+uPTqM1fp3DRgr
-Fg5fNuH8KrUwJM/gYwx7WBr+mbpCErGR9Hxo4sjoryzqyX6uuyo9DRXcNJW2GHSo
-ag/HtPQTxORb7QrSpJdMKu0vbBKJPfEncKpqA1Ihn0CoZ1Dy81of398j9tx4TuaY
-T1U6U+Pv8vSfx3zYWK8pIpe44L2RLrB27FcRz+8pRPPphXpgY+RdM4kX2TGq2tbz
-GDVyz4crL2MjhF2EjD9XoIj8mZEoJmmZ1I+XRL6O1UixpCgp8RW04eWe3fiPpm8m
-1wk8OhwRDqZsN/etRIcsKMfYdIKz0G9KV7s1KSegi+ghp4dkNl3M2Basx7InQJJV
-OCiNUW7dFGdTbHFcJoRNdVq2fmBWqU2t+5sel/MN2dKXVHfaPRK34B7vCAas+YWH
-6aLcr34YEoP9VhdBLtUpgn2Z9DH2canPLAEnpQW5qrJITirvn5NSUZU8UnOOVkwX
-QMAJKOSLakhT2+zNVVXxxvjpoixMptEmX36vWkzaH6byHCx+rgIW0lbQL1dTR+iS
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
MIIHSTCCBTGgAwIBAgIJAMnN0+nVfSPOMA0GCSqGSIb3DQEBBQUAMIGsMQswCQYD
VQQGEwJFVTFDMEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBhZGRyZXNzIGF0
IHd3dy5jYW1lcmZpcm1hLmNvbS9hZGRyZXNzKTESMBAGA1UEBRMJQTgyNzQzMjg3
pGxlaKFJdlxDydi8NmdspZS11My5vWo1ViHe2MPr+8ukYEywVaCge1ey
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIID8TCCAtmgAwIBAgIQQT1yx/RrH4FDffHSKFTfmjANBgkqhkiG9w0BAQUFADCB
-ijELMAkGA1UEBhMCQ0gxEDAOBgNVBAoTB1dJU2VLZXkxGzAZBgNVBAsTEkNvcHly
-aWdodCAoYykgMjAwNTEiMCAGA1UECxMZT0lTVEUgRm91bmRhdGlvbiBFbmRvcnNl
-ZDEoMCYGA1UEAxMfT0lTVEUgV0lTZUtleSBHbG9iYWwgUm9vdCBHQSBDQTAeFw0w
-NTEyMTExNjAzNDRaFw0zNzEyMTExNjA5NTFaMIGKMQswCQYDVQQGEwJDSDEQMA4G
-A1UEChMHV0lTZUtleTEbMBkGA1UECxMSQ29weXJpZ2h0IChjKSAyMDA1MSIwIAYD
-VQQLExlPSVNURSBGb3VuZGF0aW9uIEVuZG9yc2VkMSgwJgYDVQQDEx9PSVNURSBX
-SVNlS2V5IEdsb2JhbCBSb290IEdBIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAy0+zAJs9Nt350UlqaxBJH+zYK7LG+DKBKUOVTJoZIyEVRd7jyBxR
-VVuuk+g3/ytr6dTqvirdqFEr12bDYVxgAsj1znJ7O7jyTmUIms2kahnBAbtzptf2
-w93NvKSLtZlhuAGio9RN1AU9ka34tAhxZK9w8RxrfvbDd50kc3vkDIzh2TbhmYsF
-mQvtRTEJysIA2/dyoJaqlYfQjse2YXMNdmaM3Bu0Y6Kff5MTMPGhJ9vZ/yxViJGg
-4E8HsChWjBgbl0SOid3gF27nKu+POQoxhILYQBRJLnpB5Kf+42TMwVlxSywhp1t9
-4B3RLoGbw9ho972WG6xwsRYUC9tguSYBBQIDAQABo1EwTzALBgNVHQ8EBAMCAYYw
-DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUswN+rja8sHnR3JQmthG+IbJphpQw
-EAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBAEuh/wuHbrP5wUOx
-SPMowB0uyQlB+pQAHKSkq0lPjz0e701vvbyk9vImMMkQyh2I+3QZH4VFvbBsUfk2
-ftv1TDI6QU9bR8/oCy22xBmddMVHxjtqD6wU2zz0c5ypBd8A3HR4+vg1YFkCExh8
-vPtNsCBtQ7tgMHpnM1zFmdH4LTlSc/uMqpclXHLZCB6rTjzjgTGfA6b7wP4piFXa
-hNVQA7bihKOmNqoROgHhGEvWRGizPflTdISzRpFGlgC3gCy24eMQ4tui5yiPAZZi
-Fj4A4xylNoEYokxSdsARo27mHbrjWr42U8U+dY+GaSlYU7Wcu2+fXMUY7N0v4ZjJ
-/L7fCg0=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
MIIFYDCCA0igAwIBAgIUeFhfLq0sGUvjNwc1NBMotZbUZZMwDQYJKoZIhvcNAQEL
BQAwSDELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAc
BgNVBAMTFVF1b1ZhZGlzIFJvb3QgQ0EgMSBHMzAeFw0xMjAxMTIxNzI3NDRaFw00
ZrUYrAqmVCY0M9IbwdR/GjqOC6oybtv8TyWf2TLHllpwrN9M
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIFyjCCA7KgAwIBAgIEAJiWjDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJO
-TDEeMBwGA1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSswKQYDVQQDDCJTdGFh
-dCBkZXIgTmVkZXJsYW5kZW4gUm9vdCBDQSAtIEcyMB4XDTA4MDMyNjExMTgxN1oX
-DTIwMDMyNTExMDMxMFowWjELMAkGA1UEBhMCTkwxHjAcBgNVBAoMFVN0YWF0IGRl
-ciBOZWRlcmxhbmRlbjErMCkGA1UEAwwiU3RhYXQgZGVyIE5lZGVybGFuZGVuIFJv
-b3QgQ0EgLSBHMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMVZ5291
-qj5LnLW4rJ4L5PnZyqtdj7U5EILXr1HgO+EASGrP2uEGQxGZqhQlEq0i6ABtQ8Sp
-uOUfiUtnvWFI7/3S4GCI5bkYYCjDdyutsDeqN95kWSpGV+RLufg3fNU254DBtvPU
-Z5uW6M7XxgpT0GtJlvOjCwV3SPcl5XCsMBQgJeN/dVrlSPhOewMHBPqCYYdu8DvE
-pMfQ9XQ+pV0aCPKbJdL2rAQmPlU6Yiile7Iwr/g3wtG61jj99O9JMDeZJiFIhQGp
-5Rbn3JBV3w/oOM2ZNyFPXfUib2rFEhZgF1XyZWampzCROME4HYYEhLoaJXhena/M
-UGDWE4dS7WMfbWV9whUYdMrhfmQpjHLYFhN9C0lK8SgbIHRrxT3dsKpICT0ugpTN
-GmXZK4iambwYfp/ufWZ8Pr2UuIHOzZgweMFvZ9C+X+Bo7d7iscksWXiSqt8rYGPy
-5V6548r6f1CGPqI0GAwJaCgRHOThuVw+R7oyPxjMW4T182t0xHJ04eOLoEq9jWYv
-6q012iDTiIJh8BIitrzQ1aTsr1SIJSQ8p22xcik/Plemf1WvbibG/ufMQFxRRIEK
-eN5KzlW/HdXZt1bv8Hb/C3m1r737qWmRRpdogBQ2HbN/uymYNqUg+oJgYjOk7Na6
-B6duxc8UpufWkjTYgfX8HV2qXB72o007uPc5AgMBAAGjgZcwgZQwDwYDVR0TAQH/
-BAUwAwEB/zBSBgNVHSAESzBJMEcGBFUdIAAwPzA9BggrBgEFBQcCARYxaHR0cDov
-L3d3dy5wa2lvdmVyaGVpZC5ubC9wb2xpY2llcy9yb290LXBvbGljeS1HMjAOBgNV
-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFJFoMocVHYnitfGsNig0jQt8YojrMA0GCSqG
-SIb3DQEBCwUAA4ICAQCoQUpnKpKBglBu4dfYszk78wIVCVBR7y29JHuIhjv5tLyS
-CZa59sCrI2AGeYwRTlHSeYAz+51IvuxBQ4EffkdAHOV6CMqqi3WtFMTC6GY8ggen
-5ieCWxjmD27ZUD6KQhgpxrRW/FYQoAUXvQwjf/ST7ZwaUb7dRUG/kSS0H4zpX897
-IZmflZ85OkYcbPnNe5yQzSipx6lVu6xiNGI1E0sUOlWDuYaNkqbG9AclVMwWVxJK
-gnjIFNkXgiYtXSAfea7+1HAWFpWD2DU5/1JddRwWxRNVz0fMdWVSSt7wsKfkCpYL
-+63C4iWEst3kvX5ZbJvw8NjnyvLplzh+ib7M+zkXYT9y2zqR2GUBGR2tUKRXCnxL
-vJxxcypFURmFzI79R6d0lR2o0a9OF7FpJsKqeFdbxU2n5Z4FF5TKsl+gSRiNNOkm
-bEgeqmiSBeGCc1qb3AdbCG19ndeNIdn8FCCqwkXfP+cAslHkwvgFuXkajDTznlvk
-N1trSt8sV4pAWja63XVECDdCcAz+3F4hoKOKwJCcaNpQ5kUQR3i2TtJlycM33+FC
-Y7BXN0Ute4qcvwXqZVUz9zkQxSgqIXobisQk+T8VyJoVIPVVYpbtbZNQvOSqeK3Z
-ywplh6ZmwcSBo3c6WB4L7oOLnR7SUqTMHW+wmG2UMbX4cQrcufx9MmDm66+KAQ==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
MIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzEl
MCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMp
U3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQw
tGMU0gYqZ4yD9c7qB9iaah7s5Aq7KkzrCWA5zspi2C5u
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIFcjCCA1qgAwIBAgIQH51ZWtcvwgZEpYAIaeNe9jANBgkqhkiG9w0BAQUFADA/
-MQswCQYDVQQGEwJUVzEwMC4GA1UECgwnR292ZXJubWVudCBSb290IENlcnRpZmlj
-YXRpb24gQXV0aG9yaXR5MB4XDTAyMTIwNTEzMjMzM1oXDTMyMTIwNTEzMjMzM1ow
-PzELMAkGA1UEBhMCVFcxMDAuBgNVBAoMJ0dvdmVybm1lbnQgUm9vdCBDZXJ0aWZp
-Y2F0aW9uIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
-AJoluOzMonWoe/fOW1mKydGGEghU7Jzy50b2iPN86aXfTEc2pBsBHH8eV4qNw8XR
-IePaJD9IK/ufLqGU5ywck9G/GwGHU5nOp/UKIXZ3/6m3xnOUT0b3EEk3+qhZSV1q
-gQdW8or5BtD3cCJNtLdBuTK4sfCxw5w/cP1T3YGq2GN49thTbqGsaoQkclSGxtKy
-yhwOeYHWtXBiCAEuTk8O1RGvqa/lmr/czIdtJuTJV6L7lvnM4T9TjGxMfptTCAts
-F/tnyMKtsc2AtJfcdgEWFelq16TheEfOhtX7MfP6Mb40qij7cEwdScevLJ1tZqa2
-jWR+tSBqnTuBto9AAGdLiYa4zGX+FVPpBMHWXx1E1wovJ5pGfaENda1UhhXcSTvx
-ls4Pm6Dso3pdvtUqdULle96ltqqvKKyskKw4t9VoNSZ63Pc78/1Fm9G7Q3hub/FC
-VGqY8A2tl+lSXunVanLeavcbYBT0peS2cWeqH+riTcFCQP5nRhc4L0c/cZyu5SHK
-YS1tB6iEfC3uUSXxY5Ce/eFXiGvviiNtsea9P63RPZYLhY3Naye7twWb7LuRqQoH
-EgKXTiCQ8P8NHuJBO9NAOueNXdpm5AKwB1KYXA6OM5zCppX7VRluTI6uSw+9wThN
-Xo+EHWbNxWCWtFJaBYmOlXqYwZE8lSOyDvR5tMl8wUohAgMBAAGjajBoMB0GA1Ud
-DgQWBBTMzO/MKWCkO7GStjz6MmKPrCUVOzAMBgNVHRMEBTADAQH/MDkGBGcqBwAE
-MTAvMC0CAQAwCQYFKw4DAhoFADAHBgVnKgMAAAQUA5vwIhP/lSg209yewDL7MTqK
-UWUwDQYJKoZIhvcNAQEFBQADggIBAECASvomyc5eMN1PhnR2WPWus4MzeKR6dBcZ
-TulStbngCnRiqmjKeKBMmo4sIy7VahIkv9Ro04rQ2JyftB8M3jh+Vzj8jeJPXgyf
-qzvS/3WXy6TjZwj/5cAWtUgBfen5Cv8b5Wppv3ghqMKnI6mGq3ZW6A4M9hPdKmaK
-ZEk9GhiHkASfQlK3T8v+R0F2Ne//AHY2RTKbxkaFXeIksB7jSJaYV0eUVXoPQbFE
-JPPB/hprv4j9wabak2BegUqZIJxIZhm1AHlUD7gsL0u8qV1bYH+Mh6XgUmMqvtg7
-hUAV/h62ZT/FS9p+tXo1KaMuephgIqP0fSdOLeq0dDzpD6QzDxARvBMB1uUO07+1
-EqLhRSPAzAhuYbeJq4PjJB7mXQfnHyA+z2fI56wwbSdLaG5LKlwCCDTb+HbkZ6Mm
-nD+iMsJKxYEYMRBWqoTvLQr/uB930r+lWKBi5NdLkXWNiYCYfm3LU05er/ayl4WX
-udpVBrkk7tfGOB5jGxI7leFYrPLfhNVfmS8NVVvmONsuP3LpSIXLuykTjx44Vbnz
-ssQwmSNOXfJIoRIM3BKQCZBUkQM8R+XVyWXgt0t97EfTsws+rZ7QdAAO671RrcDe
-LMDDav7v3Aun+kbfYNucpllQdSNpc5Oy+fwC00fmcc4QAu4njIT/rEUNE1yDMuAl
-pYYsfPQS
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
MIIFODCCAyCgAwIBAgIRAJW+FqD3LkbxezmCcvqLzZYwDQYJKoZIhvcNAQEFBQAw
NzEUMBIGA1UECgwLVGVsaWFTb25lcmExHzAdBgNVBAMMFlRlbGlhU29uZXJhIFJv
b3QgQ0EgdjEwHhcNMDcxMDE4MTIwMDUwWhcNMzIxMDE4MTIwMDUwWjA3MRQwEgYD
YiesZSLX0zzG5Y6yU8xJzrww/nsOM5D77dIUkR8Hrw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIEGjCCAwICEQCbfgZJoz5iudXukEhxKe9XMA0GCSqGSIb3DQEBBQUAMIHKMQsw
-CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZl
-cmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWdu
-LCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlT
-aWduIENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3Jp
-dHkgLSBHMzAeFw05OTEwMDEwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMIHKMQswCQYD
-VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlT
-aWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWduLCBJ
-bmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlTaWdu
-IENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg
-LSBHMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMu6nFL8eB8aHm8b
-N3O9+MlrlBIwT/A2R/XQkQr1F8ilYcEWQE37imGQ5XYgwREGfassbqb1EUGO+i2t
-KmFZpGcmTNDovFJbcCAEWNF6yaRpvIMXZK0Fi7zQWM6NjPXr8EJJC52XJ2cybuGu
-kxUccLwgTS8Y3pKI6GyFVxEa6X7jJhFUokWWVYPKMIno3Nij7SqAP395ZVc+FSBm
-CC+Vk7+qRy+oRpfwEuL+wgorUeZ25rdGt+INpsyow0xZVYnm6FNcHOqd8GIWC6fJ
-Xwzw3sJ2zq/3avL6QaaiMxTJ5Xpj055iN9WFZZ4O5lMkdBteHRJTW8cs54NJOxWu
-imi5V5cCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAERSWwauSCPc/L8my/uRan2Te
-2yFPhpk0djZX3dAVL8WtfxUfN2JzPtTnX84XA9s1+ivbrmAJXx5fj267Cz3qWhMe
-DGBvtcC1IyIuBwvLqXTLR7sdwdela8wv0kL9Sd2nic9TutoAWii/gt/4uhMdUIaC
-/Y4wjylGsB49Ndo4YhYYSq3mtlFs3q9i6wHQHiT+eo8SGhJouPtmmRQURVyu565p
-F4ErWjfJXir0xuKhXFSbplQAz/DxwceYMBo7Nhbbo27q/a2ywtrvAkcTisDxszGt
-TxzhT5yvDwyd93gN2PQ1VoDat20Xj50egWTh/sVFuq1ruQp6Tk9LhO5L8X3dEQ==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
MIIEMDCCAxigAwIBAgIQUJRs7Bjq1ZxN1ZfvdY+grTANBgkqhkiG9w0BAQUFADCB
gjELMAkGA1UEBhMCVVMxHjAcBgNVBAsTFXd3dy54cmFtcHNlY3VyaXR5LmNvbTEk
MCIGA1UEChMbWFJhbXAgU2VjdXJpdHkgU2VydmljZXMgSW5jMS0wKwYDVQQDEyRY
MTd61X8kreS8/f3MboPoDKi3QWwH3b08hpcv0g==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIFwzCCA6ugAwIBAgIUCn6m30tEntpqJIWe5rgV0xZ/u7EwDQYJKoZIhvcNAQEL
-BQAwRjELMAkGA1UEBhMCTFUxFjAUBgNVBAoMDUx1eFRydXN0IFMuQS4xHzAdBgNV
-BAMMFkx1eFRydXN0IEdsb2JhbCBSb290IDIwHhcNMTUwMzA1MTMyMTU3WhcNMzUw
-MzA1MTMyMTU3WjBGMQswCQYDVQQGEwJMVTEWMBQGA1UECgwNTHV4VHJ1c3QgUy5B
-LjEfMB0GA1UEAwwWTHV4VHJ1c3QgR2xvYmFsIFJvb3QgMjCCAiIwDQYJKoZIhvcN
-AQEBBQADggIPADCCAgoCggIBANeFl78RmOnwYoNMPIf5U2o3C/IPPIfOb9wmKb3F
-ibrJgz337spbxm1Jc7TJRqMbNBM/wYlFV/TZsfs2ZUv7COJIcRHIbjuend+JZTem
-hfY7RBi2xjcwYkSSl2l9QjAk5A0MiWtj3sXh306pFGxT4GHO9hcvHTy95iJMHZP1
-EMShduxq3sVs35a0VkBCwGKSMKEtFZSg0iAGCW5qbeXrt77U8PEVfIvmTroTzEsn
-Xpk8F12PgX8zPU/TPxvsXD/wPEx1bvKm1Z3aLQdjAsZy6ZS8TEmVT4hSyNvoaYL4
-zDRbIvCGp4m9SAptZoFtyMhk+wHh9OHe2Z7d21vUKpkmFRseTJIpgp7VkoGSQXAZ
-96Tlk0u8d2cx3Rz9MXANF5kM+Qw5GSoXtTBxVdUPrljhPS80m8+f9niFwpN6cj5m
-j5wWEWCPnolvZ77gR1o7DJpni89Gxq44o/KnvObWhWszJHAiS8sIm7vI+AIpHb4g
-DEa/a4ebsypmQjVGbKq6rfmYe+lQVRQxv7HaLe2ArWgk+2mr2HETMOZns4dA/Yl+
-8kPREd8vZS9kzl8UubG/Mb2HeFpZZYiq/FkySIbWTLkpS5XTdvN3JW1CHDiDTf2j
-X5t/Lax5Gw5CMZdjpPuKadUiDTSQMC6otOBttpSsvItO13D8xTiOZCXhTTmQzsmH
-hFhxAgMBAAGjgagwgaUwDwYDVR0TAQH/BAUwAwEB/zBCBgNVHSAEOzA5MDcGByuB
-KwEBAQowLDAqBggrBgEFBQcCARYeaHR0cHM6Ly9yZXBvc2l0b3J5Lmx1eHRydXN0
-Lmx1MA4GA1UdDwEB/wQEAwIBBjAfBgNVHSMEGDAWgBT/GCh2+UgFLKGu8SsbK7JT
-+Et8szAdBgNVHQ4EFgQU/xgodvlIBSyhrvErGyuyU/hLfLMwDQYJKoZIhvcNAQEL
-BQADggIBAGoZFO1uecEsh9QNcH7X9njJCwROxLHOk3D+sFTAMs2ZMGQXvw/l4jP9
-BzZAcg4atmpZ1gDlaCDdLnINH2pkMSCEfUmmWjfrRcmF9dTHF5kH5ptV5AzoqbTO
-jFu1EVzPig4N1qx3gf4ynCSecs5U89BvolbW7MM3LGVYvlcAGvI1+ut7MV3CwRI9
-loGIlonBWVx65n9wNOeD4rHh4bhY79SV5GCc8JaXcozrhAIuZY+kt9J/Z93I055c
-qqmkoCUUBpvsT34tC38ddfEz2O3OuHVtPlu5mB0xDVbYQw8wkbIEa91WvpWAVWe+
-2M2D2RjuLg+GLZKecBPs3lHJQ3gCpU3I+V/EkVhGFndadKpAvAefMLmx9xIX3eP/
-JEAdemrRTxgKqpAd60Ae36EeRJIQmvKN4dFLRp7oRUKX6kWZ8+xm1QL68qZKJKre
-zrnK+T+Tb/mjuuqlPpmt/f97mfVl7vBZKGfXkJWkE4SphMHozs51k2MavDzq1WQf
-LSoSOcbDWjLtR5EWDrw4wVDej8oqkDQc7kGUnF4ZLvhFSZl0kbAEb+MEWrGrKqv+
-x9CWttrhSmQGbmBNvUJO/3jaJMobtNeWOWyu8Q6qp31IiyBMz2TWuJdGsE7RKlY6
-oJO9r4Ak4Ap+58rVyuiFVdw2KuGUaJPHZnJED4AhMmwlxyOAgwrr
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
MIIClDCCAhqgAwIBAgIILCmcWxbtBZUwCgYIKoZIzj0EAwIwfzELMAkGA1UEBhMC
VVMxDjAMBgNVBAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9T
U0wgQ29ycG9yYXRpb24xNDAyBgNVBAMMK1NTTC5jb20gRVYgUm9vdCBDZXJ0aWZp
YiGqhkCyLmTTX8jjfhFnRR8F/uOi77Oos/N9j/gMHyIfLXC0uAE0djAA5SN4p1bX
UB+K+wb1whnw0A==
-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFRzCCAy+gAwIBAgIJEQA0tk7GNi02MA0GCSqGSIb3DQEBCwUAMEExCzAJBgNV
+BAYTAlJPMRQwEgYDVQQKEwtDRVJUU0lHTiBTQTEcMBoGA1UECxMTY2VydFNJR04g
+Uk9PVCBDQSBHMjAeFw0xNzAyMDYwOTI3MzVaFw00MjAyMDYwOTI3MzVaMEExCzAJ
+BgNVBAYTAlJPMRQwEgYDVQQKEwtDRVJUU0lHTiBTQTEcMBoGA1UECxMTY2VydFNJ
+R04gUk9PVCBDQSBHMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMDF
+dRmRfUR0dIf+DjuW3NgBFszuY5HnC2/OOwppGnzC46+CjobXXo9X69MhWf05N0Iw
+vlDqtg+piNguLWkh59E3GE59kdUWX2tbAMI5Qw02hVK5U2UPHULlj88F0+7cDBrZ
+uIt4ImfkabBoxTzkbFpG583H+u/E7Eu9aqSs/cwoUe+StCmrqzWaTOTECMYmzPhp
+n+Sc8CnTXPnGFiWeI8MgwT0PPzhAsP6CRDiqWhqKa2NYOLQV07YRaXseVO6MGiKs
+cpc/I1mbySKEwQdPzH/iV8oScLumZfNpdWO9lfsbl83kqK/20U6o2YpxJM02PbyW
+xPFsqa7lzw1uKA2wDrXKUXt4FMMgL3/7FFXhEZn91QqhngLjYl/rNUssuHLoPj1P
+rCy7Lobio3aP5ZMqz6WryFyNSwb/EkaseMsUBzXgqd+L6a8VTxaJW732jcZZroiF
+DsGJ6x9nxUWO/203Nit4ZoORUSs9/1F3dmKh7Gc+PoGD4FapUB8fepmrY7+EF3fx
+DTvf95xhszWYijqy7DwaNz9+j5LP2RIUZNoQAhVB/0/E6xyjyfqZ90bp4RjZsbgy
+LcsUDFDYg2WD7rlcz8sFWkz6GZdr1l0T08JcVLwyc6B49fFtHsufpaafItzRUZ6C
+eWRgKRM+o/1Pcmqr4tTluCRVLERLiohEnMqE0yo7AgMBAAGjQjBAMA8GA1UdEwEB
+/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSCIS1mxteg4BXrzkwJ
+d8RgnlRuAzANBgkqhkiG9w0BAQsFAAOCAgEAYN4auOfyYILVAzOBywaK8SJJ6ejq
+kX/GM15oGQOGO0MBzwdw5AgeZYWR5hEit/UCI46uuR59H35s5r0l1ZUa8gWmr4UC
+b6741jH/JclKyMeKqdmfS0mbEVeZkkMR3rYzpMzXjWR91M08KCy0mpbqTfXERMQl
+qiCA2ClV9+BB/AYm/7k29UMUA2Z44RGx2iBfRgB4ACGlHgAoYXhvqAEBj500mv/0
+OJD7uNGzcgbJceaBxXntC6Z58hMLnPddDnskk7RI24Zf3lCGeOdA5jGokHZwYa+c
+NywRtYK3qq4kNFtyDGkNzVmf9nGvnAvRCjj5BiKDUyUM/FHE5r7iOZULJK2v0ZXk
+ltd0ZGtxTgI8qoXzIKNDOXZbbFD+mpwUHmUUihW9o4JFWklWatKcsWMy5WHgUyIO
+pwpJ6st+H6jiYoD2EEVSmAYY3qXNL3+q1Ok+CHLsIwMCPKaq2LxndD0UF/tUSxfj
+03k9bWtJySgOLnRQvwzZRjoQhsmnP+mg7H/rpXdYaXHmgwo38oZJar55CJD2AhZk
+PuXaTH4MNMn5X7azKFGnpyuqSfqNZSlO42sTp5SjLVFteAxEy9/eCG/Oo2Sr05WE
+1LlSVHJ7liXMvGnjSG4N0MedJ5qq+BOS3R7fY581qRY27Iy4g/Q9iY/NtBde17MX
+QRBdJ3NghVdJIgc=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFqDCCA5CgAwIBAgIQHtOXCV/YtLNHcB6qvn9FszANBgkqhkiG9w0BAQwFADBl
+MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTYw
+NAYDVQQDEy1NaWNyb3NvZnQgUlNBIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
+IDIwMTcwHhcNMTkxMjE4MjI1MTIyWhcNNDIwNzE4MjMwMDIzWjBlMQswCQYDVQQG
+EwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTYwNAYDVQQDEy1N
+aWNyb3NvZnQgUlNBIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTcwggIi
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDKW76UM4wplZEWCpW9R2LBifOZ
+Nt9GkMml7Xhqb0eRaPgnZ1AzHaGm++DlQ6OEAlcBXZxIQIJTELy/xztokLaCLeX0
+ZdDMbRnMlfl7rEqUrQ7eS0MdhweSE5CAg2Q1OQT85elss7YfUJQ4ZVBcF0a5toW1
+HLUX6NZFndiyJrDKxHBKrmCk3bPZ7Pw71VdyvD/IybLeS2v4I2wDwAW9lcfNcztm
+gGTjGqwu+UcF8ga2m3P1eDNbx6H7JyqhtJqRjJHTOoI+dkC0zVJhUXAoP8XFWvLJ
+jEm7FFtNyP9nTUwSlq31/niol4fX/V4ggNyhSyL71Imtus5Hl0dVe49FyGcohJUc
+aDDv70ngNXtk55iwlNpNhTs+VcQor1fznhPbRiefHqJeRIOkpcrVE7NLP8TjwuaG
+YaRSMLl6IE9vDzhTyzMMEyuP1pq9KsgtsRx9S1HKR9FIJ3Jdh+vVReZIZZ2vUpC6
+W6IYZVcSn2i51BVrlMRpIpj0M+Dt+VGOQVDJNE92kKz8OMHY4Xu54+OU4UZpyw4K
+UGsTuqwPN1q3ErWQgR5WrlcihtnJ0tHXUeOrO8ZV/R4O03QK0dqq6mm4lyiPSMQH
++FJDOvTKVTUssKZqwJz58oHhEmrARdlns87/I6KJClTUFLkqqNfs+avNJVgyeY+Q
+W5g5xAgGwax/Dj0ApQIDAQABo1QwUjAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/
+BAUwAwEB/zAdBgNVHQ4EFgQUCctZf4aycI8awznjwNnpv7tNsiMwEAYJKwYBBAGC
+NxUBBAMCAQAwDQYJKoZIhvcNAQEMBQADggIBAKyvPl3CEZaJjqPnktaXFbgToqZC
+LgLNFgVZJ8og6Lq46BrsTaiXVq5lQ7GPAJtSzVXNUzltYkyLDVt8LkS/gxCP81OC
+gMNPOsduET/m4xaRhPtthH80dK2Jp86519efhGSSvpWhrQlTM93uCupKUY5vVau6
+tZRGrox/2KJQJWVggEbbMwSubLWYdFQl3JPk+ONVFT24bcMKpBLBaYVu32TxU5nh
+SnUgnZUP5NbcA/FZGOhHibJXWpS2qdgXKxdJ5XbLwVaZOjex/2kskZGT4d9Mozd2
+TaGf+G0eHdP67Pv0RR0Tbc/3WeUiJ3IrhvNXuzDtJE3cfVa7o7P4NHmJweDyAmH3
+pvwPuxwXC65B2Xy9J6P9LjrRk5Sxcx0ki69bIImtt2dmefU6xqaWM/5TkshGsRGR
+xpl/j8nWZjEgQRCHLQzWwa80mMpkg/sTV9HB8Dx6jKXB/ZUhoHHBk2dxEuqPiApp
+GWSZI1b7rCoucL5mxAyE7+WL85MB+GqQk2dLsmijtWKP6T+MejteD+eMuMZ87zf9
+dOLITzNy4ZQ5bb0Sr74MTnB8G2+NszKTc0QWbej09+CVgI+WXTik9KveCjCHk9hN
+AHFiRSdLOkKEW39lt2c0Ui2cFmuqqNh7o0JMcccMyj6D5KbvtwEwXlGjefVwaaZB
+RA+GsCyRxj3qrg+E
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIF2jCCA8KgAwIBAgIMBfcOhtpJ80Y1LrqyMA0GCSqGSIb3DQEBCwUAMIGIMQsw
+CQYDVQQGEwJVUzERMA8GA1UECAwISWxsaW5vaXMxEDAOBgNVBAcMB0NoaWNhZ28x
+ITAfBgNVBAoMGFRydXN0d2F2ZSBIb2xkaW5ncywgSW5jLjExMC8GA1UEAwwoVHJ1
+c3R3YXZlIEdsb2JhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xNzA4MjMx
+OTM0MTJaFw00MjA4MjMxOTM0MTJaMIGIMQswCQYDVQQGEwJVUzERMA8GA1UECAwI
+SWxsaW5vaXMxEDAOBgNVBAcMB0NoaWNhZ28xITAfBgNVBAoMGFRydXN0d2F2ZSBI
+b2xkaW5ncywgSW5jLjExMC8GA1UEAwwoVHJ1c3R3YXZlIEdsb2JhbCBDZXJ0aWZp
+Y2F0aW9uIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
+ALldUShLPDeS0YLOvR29zd24q88KPuFd5dyqCblXAj7mY2Hf8g+CY66j96xz0Xzn
+swuvCAAJWX/NKSqIk4cXGIDtiLK0thAfLdZfVaITXdHG6wZWiYj+rDKd/VzDBcdu
+7oaJuogDnXIhhpCujwOl3J+IKMujkkkP7NAP4m1ET4BqstTnoApTAbqOl5F2brz8
+1Ws25kCI1nsvXwXoLG0R8+eyvpJETNKXpP7ScoFDB5zpET71ixpZfR9oWN0EACyW
+80OzfpgZdNmcc9kYvkHHNHnZ9GLCQ7mzJ7Aiy/k9UscwR7PJPrhq4ufogXBeQotP
+JqX+OsIgbrv4Fo7NDKm0G2x2EOFYeUY+VM6AqFcJNykbmROPDMjWLBz7BegIlT1l
+RtzuzWniTY+HKE40Cz7PFNm73bZQmq131BnW2hqIyE4bJ3XYsgjxroMwuREOzYfw
+hI0Vcnyh78zyiGG69Gm7DIwLdVcEuE4qFC49DxweMqZiNu5m4iK4BUBjECLzMx10
+coos9TkpoNPnG4CELcU9402x/RpvumUHO1jsQkUm+9jaJXLE9gCxInm943xZYkqc
+BW89zubWR2OZxiRvchLIrH+QtAuRcOi35hYQcRfO3gZPSEF9NUqjifLJS3tBEW1n
+twiYTOURGa5CgNz7kAXU+FDKvuStx8KU1xad5hePrzb7AgMBAAGjQjBAMA8GA1Ud
+EwEB/wQFMAMBAf8wHQYDVR0OBBYEFJngGWcNYtt2s9o9uFvo/ULSMQ6HMA4GA1Ud
+DwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAmHNw4rDT7TnsTGDZqRKGFx6W
+0OhUKDtkLSGm+J1WE2pIPU/HPinbbViDVD2HfSMF1OQc3Og4ZYbFdada2zUFvXfe
+uyk3QAUHw5RSn8pk3fEbK9xGChACMf1KaA0HZJDmHvUqoai7PF35owgLEQzxPy0Q
+lG/+4jSHg9bP5Rs1bdID4bANqKCqRieCNqcVtgimQlRXtpla4gt5kNdXElE1GYhB
+aCXUNxeEFfsBctyV3lImIJgm4nb1J2/6ADtKYdkNy1GTKv0WBpanI5ojSP5RvbbE
+sLFUzt5sQa0WZ37b/TjNuThOssFgy50X31ieemKyJo90lZvkWx3SD92YHJtZuSPT
+MaCm/zjdzyBP6VhWOmfD0faZmZ26NraAL4hHT4a/RDqA5Dccprrql5gR0IRiR2Qe
+qu5AvzSxnI9O4fKSTx+O856X3vOmeWqJcU9LJxdI/uz0UA9PSX3MReO9ekDFQdxh
+VicGaeVyQYHTtgGJoC86cnn+OjC/QezHYj6RS8fZMXZC+fc8Y+wmjHMMfRod6qh8
+h6jCJ3zhM0EPz8/8AKAigJ5Kp28AsEFFtyLKaEjFQqKu3R3y4G5OBVixwJAWKqQ9
+EEC+j2Jjg6mcgn0tAumDMHzLJ8n9HmYAsC7TIS+OMxZsmO0QqAfWzJPP29FpHOTK
+yeC2nOnOcXHebD8WpHk=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICYDCCAgegAwIBAgIMDWpfCD8oXD5Rld9dMAoGCCqGSM49BAMCMIGRMQswCQYD
+VQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAf
+BgNVBAoTGFRydXN0d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3
+YXZlIEdsb2JhbCBFQ0MgUDI1NiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0x
+NzA4MjMxOTM1MTBaFw00MjA4MjMxOTM1MTBaMIGRMQswCQYDVQQGEwJVUzERMA8G
+A1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xITAfBgNVBAoTGFRydXN0
+d2F2ZSBIb2xkaW5ncywgSW5jLjE6MDgGA1UEAxMxVHJ1c3R3YXZlIEdsb2JhbCBF
+Q0MgUDI1NiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTBZMBMGByqGSM49AgEGCCqG
+SM49AwEHA0IABH77bOYj43MyCMpg5lOcunSNGLB4kFKA3TjASh3RqMyTpJcGOMoN
+FWLGjgEqZZ2q3zSRLoHB5DOSMcT9CTqmP62jQzBBMA8GA1UdEwEB/wQFMAMBAf8w
+DwYDVR0PAQH/BAUDAwcGADAdBgNVHQ4EFgQUo0EGrJBt0UrrdaVKEJmzsaGLSvcw
+CgYIKoZIzj0EAwIDRwAwRAIgB+ZU2g6gWrKuEZ+Hxbb/ad4lvvigtwjzRM4q3wgh
+DDcCIC0mA6AFvWvR9lz4ZcyGbbOcNEhjhAnFjXca4syc4XR7
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
--- /dev/null
+/usr/share/ca-certificates/mozilla/certSIGN_Root_CA_G2.crt
\ No newline at end of file
--- /dev/null
+Trustwave_Global_ECC_P384_Certification_Authority.pem
\ No newline at end of file
+++ /dev/null
-LuxTrust_Global_Root_2.pem
\ No newline at end of file
--- /dev/null
+/usr/share/ca-certificates/mozilla/e-Szigno_Root_CA_2017.crt
\ No newline at end of file
--- /dev/null
+e-Szigno_Root_CA_2017.pem
\ No newline at end of file
--- /dev/null
+Trustwave_Global_Certification_Authority.pem
\ No newline at end of file
### HTTP operation.
### http-chunked-requests Whether to use chunked transfer
### encoding for HTTP requests body.
+### http-auth-types List of HTTP authentication types.
### ssl-authority-files List of files, each of a trusted CA
### ssl-trust-default-ca Trust the system 'default' CAs
### ssl-client-cert-file PKCS#12 format client certificate file
### to authenticate against a
### Subversion server may be cached
### to disk in any way.
-### store-plaintext-passwords Specifies whether passwords may
-### be cached on disk unencrypted.
### store-ssl-client-cert-pp Specifies whether passphrase used
### to authenticate against a client
### certificate may be cached to disk
### in any way
-### store-ssl-client-cert-pp-plaintext
-### Specifies whether client cert
-### passphrases may be cached on disk
-### unencrypted (i.e., as plaintext).
### store-auth-creds Specifies whether any auth info
### (passwords, server certs, etc.)
### may be cached to disk.
### username Specifies the default username.
###
-### Set store-passwords to 'no' to avoid storing passwords on disk
-### in any way, including in password stores. It defaults to
+### Set store-passwords to 'no' to avoid storing new passwords on
+### disk in any way, including in password stores. It defaults to
### 'yes', but Subversion will never save your password to disk in
### plaintext unless explicitly configured to do so.
-### Note that this option only prevents saving of *new* passwords;
-### it doesn't invalidate existing passwords. (To do that, remove
-### the cache files by hand as described in the Subversion book.)
###
-### Set store-plaintext-passwords to 'no' to avoid storing
-### passwords in unencrypted form in the auth/ area of your config
-### directory. Set it to 'yes' to allow Subversion to store
-### unencrypted passwords in the auth/ area. The default is
-### 'ask', which means that Subversion will ask you before
-### saving a password to disk in unencrypted form. Note that
-### this option has no effect if either 'store-passwords' or
-### 'store-auth-creds' is set to 'no'.
-###
-### Set store-ssl-client-cert-pp to 'no' to avoid storing ssl
+### Set store-ssl-client-cert-pp to 'no' to avoid storing new ssl
### client certificate passphrases in the auth/ area of your
### config directory. It defaults to 'yes', but Subversion will
### never save your passphrase to disk in plaintext unless
### explicitly configured to do so.
###
-### Note store-ssl-client-cert-pp only prevents the saving of *new*
-### passphrases; it doesn't invalidate existing passphrases. To do
-### that, remove the cache files by hand as described in the
-### Subversion book at http://svnbook.red-bean.com/nightly/en/\
-### svn.serverconfig.netmodel.html\
-### #svn.serverconfig.netmodel.credcache
-###
-### Set store-ssl-client-cert-pp-plaintext to 'no' to avoid storing
-### passphrases in unencrypted form in the auth/ area of your
-### config directory. Set it to 'yes' to allow Subversion to
-### store unencrypted passphrases in the auth/ area. The default
-### is 'ask', which means that Subversion will prompt before
-### saving a passphrase to disk in unencrypted form. Note that
-### this option has no effect if either 'store-auth-creds' or
-### 'store-ssl-client-cert-pp' is set to 'no'.
-###
-### Set store-auth-creds to 'no' to avoid storing any Subversion
+### Set store-auth-creds to 'no' to avoid storing any new Subversion
### credentials in the auth/ area of your config directory.
### Note that this includes SSL server certificates.
-### It defaults to 'yes'. Note that this option only prevents
-### saving of *new* credentials; it doesn't invalidate existing
-### caches. (To do that, remove the cache files by hand.)
+### It defaults to 'yes'.
+###
+### Note that setting a 'store-*' option to 'no' only prevents
+### saving of *new* passwords, passphrases or other credentials.
+### It does not remove or invalidate existing stored credentials.
+### To do that, see the 'svn auth --remove' command, or remove the
+### cache files by hand as described in the Subversion book at
+### http://svnbook.red-bean.com/nightly/en/svn.serverconfig.netmodel.html#svn.tour.initial.authn-cache-purge
###
### HTTP timeouts, if given, are specified in seconds. A timeout
### of 0, i.e. zero, causes a builtin default to be used.
# http-proxy-username = blah
# http-proxy-password = doubleblah
# http-timeout = 60
-# store-plaintext-passwords = no
# username = harry
### Information for the second group:
# Password / passphrase caching parameters:
# store-passwords = no
# store-ssl-client-cert-pp = no
-# store-plaintext-passwords = no
-# store-ssl-client-cert-pp-plaintext = no
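Review bot: The retained sentence "Subversion will never save your password to disk in plaintext unless explicitly configured to do so" (and its twin under store-ssl-client-cert-pp) now refers to nothing in the file, because this section removes every description and example of `store-plaintext-passwords` and `store-ssl-client-cert-pp-plaintext`. A reader can no longer tell whether plaintext caching is still possible or how it would be enabled. Presumably the options were dropped because the packaged build no longer offers plaintext storage, but the file does not say so and this should be confirmed against the installed version. I would add a line such as `### Plaintext credential caching is not configurable from this file in this build (confirm for your package).` after the store-passwords paragraph. As the new text itself states that 'store-*' settings do not invalidate existing credentials, anything cached unencrypted under an earlier version would stay in the auth/ area until removed, for example with `svn auth --remove`.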
--- /dev/null
+#
+# Default /etc/sudo.conf file
+#
+# Sudo plugins:
+# Plugin plugin_name plugin_path plugin_options ...
+#
+# The plugin_path is relative to /usr/lib/sudo unless
+# fully qualified.
+# The plugin_name corresponds to a global symbol in the plugin
+# that contains the plugin interface structure.
+# The plugin_options are optional.
+#
+# The sudoers plugin is used by default if no Plugin lines are present.
+#Plugin sudoers_policy sudoers.so
+#Plugin sudoers_io sudoers.so
+#Plugin sudoers_audit sudoers.so
+
+#
+# Sudo askpass:
+# Path askpass /path/to/askpass
+#
+# An askpass helper program may be specified to provide a graphical
+# password prompt for "sudo -A" support. Sudo does not ship with its
+# own askpass program but can use the OpenSSH askpass.
+#
+# Use the OpenSSH askpass
+#Path askpass /usr/X11R6/bin/ssh-askpass
+#
+# Use the Gnome OpenSSH askpass
+#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
+
+#
+# Sudo device search path:
+# Path devsearch /dev/path1:/dev/path2:/dev
+#
+# A colon-separated list of paths to check when searching for a user's
+# terminal device.
+#
+#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
+
+#
+# Sudo noexec:
+# Path noexec /path/to/sudo_noexec.so
+#
+# Path to a shared library containing replacements for the execv(),
+# execve() and fexecve() library functions that just return an error.
+# This is used to implement the "noexec" functionality on systems that
+# support LD_PRELOAD or its equivalent.
+#
+# The compiled-in value is usually sufficient and should only be changed
+# if you rename or move the sudo_noexec.so file.
+#
+#Path noexec /usr/lib/sudo/sudo_noexec.so
+
+#
+# Sudo plugin directory:
+# Path plugin_dir /path/to/plugins
+#
+# The default directory to use when searching for plugins that are
+# specified without a fully qualified path name.
+#
+#Path plugin_dir /usr/lib/sudo
+
+#
+# Sudo developer mode:
+# Set developer_mode true|false
+#
+# Allow loading of plugins that are owned by non-root or are writable
+# by "group" or "other". Should only be used during plugin development.
+#Set developer_mode true
+
+#
+# Core dumps:
+# Set disable_coredump true|false
+#
+# By default, sudo disables core dumps while it is executing (they
+# are re-enabled for the command that is run).
+# To aid in debugging sudo problems, you may wish to enable core
+# dumps by setting "disable_coredump" to false.
+#
+#Set disable_coredump false
+
+#
+# User groups:
+# Set group_source static|dynamic|adaptive
+#
+# Sudo passes the user's group list to the policy plugin.
+# If the user is a member of the maximum number of groups (usually 16),
+# sudo will query the group database directly to be sure to include
+# the full list of groups.
+#
+# On some systems, this can be expensive so the behavior is configurable.
+# The "group_source" setting has three possible values:
+# static - use the user's list of groups returned by the kernel.
+# dynamic - query the group database to find the list of groups.
+# adaptive - if user is in less than the maximum number of groups.
+# use the kernel list, else query the group database.
+#
+#Set group_source static
+
+#
+# Sudo interface probing:
+# Set probe_interfaces true|false
+#
+# By default, sudo will probe the system's network interfaces and
+# pass the IP address of each enabled interface to the policy plugin.
+# On systems with a large number of virtual interfaces this may take
+# a noticeable amount of time.
+#
+#Set probe_interfaces false
+
+#
+# Sudo debug files:
+# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
+#
+# Sudo and related programs support logging debug information to a file.
+# The program is typically sudo, sudoers.so, sudoreplay or visudo.
+#
+# Subsystems vary based on the program; "all" matches all subsystems.
+# Priority may be crit, err, warn, notice, diag, info, trace or debug.
+# Multiple subsystem@priority may be specified, separated by a comma.
+#
+#Debug sudo /var/log/sudo_debug all@debug
+#Debug sudoers.so /var/log/sudoers_debug all@debug
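Review bot: The syntax line for debug files misspells its second placeholder as `subsyste@priority`; it should read `# Debug program /path/to/debug_log subsystem@priority[,subsystem@priority]`. In the group_source list, the `adaptive` entry also breaks its sentence with a full stop ("maximum number of groups. use the kernel list") where a comma is meant. Both are comment-only fixes: every directive in this new file is commented out, so neither affects how sudo behaves.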
--- /dev/null
+#
+# sudo logsrv configuration
+#
+
+[server]
+# The host name or IP address and port to listen on with an optional TLS
+# flag. If no port is specified, port 30343 will be used for plaintext
+# connections and port 30344 will be used to TLS connections.
+# The following forms are accepted:
+# listen_address = hostname(tls)
+# listen_address = hostname:port(tls)
+# listen_address = IPv4_address(tls)
+# listen_address = IPv4_address:port(tls)
+# listen_address = [IPv6_address](tls)
+# listen_address = [IPv6_address]:port(tls)
+#
+# The (tls) suffix should be omitted for plaintext connections.
+#
+# Multiple listen_address settings may be specified.
+# The default is to listen on all addresses.
+#listen_address = *:30343
+#listen_address = *:30344(tls)
+
+# The file containing the ID of the running sudo_logsrvd process.
+#pid_file = /var/run/sudo/sudo_logsrvd.pid
+
+# If set, enable the SO_KEEPALIVE socket option on the connected socket.
+#tcp_keepalive = true
+
+# The amount of time, in seconds, the server will wait for the client to
+# respond. A value of 0 will disable the timeout. The default value is 30.
+#timeout = 30
+
+# If set, server certificate will be verified at server startup and
+# also connecting clients will perform server authentication by
+# verifying the server's certificate and identity.
+#tls_verify = true
+
+# Whether to verify client certificates for TLS connections.
+# By default client certs are not checked.
+#tls_checkpeer = false
+
+# Path to the certificate authority bundle file in PEM format.
+# Required if 'tls_verify' or 'tls_checkpeer' is set.
+#tls_cacert = /etc/ssl/sudo/cacert.pem
+
+# Path to the server's certificate file in PEM format.
+# Required for TLS connections.
+#tls_cert = /etc/ssl/sudo/certs/logsrvd_cert.pem
+
+# Path to the server's private key file in PEM format.
+# Required for TLS connections.
+#tls_key = /etc/ssl/sudo/private/logsrvd_key.pem
+
+# TLS cipher list (see "CIPHER LIST FORMAT" in the openssl-ciphers manual).
+# NOTE that this setting is only effective if the negotiated protocol
+# is TLS version 1.2.
+# The default cipher list is HIGH:!aNULL.
+#tls_ciphers_v12 = HIGH:!aNULL
+
+# TLS cipher list if the negotiated protocol is TLS version 1.3.
+# The default cipher list is TLS_AES_256_GCM_SHA384.
+#tls_ciphers_v13 = TLS_AES_256_GCM_SHA384
+
+# Path to the Diffie-Hellman parameter file in PEM format.
+# If not set, the server will use the OpenSSL defaults.
+#tls_dhparams = /etc/ssl/sudo/logsrvd_dhparams.pem
+
+[iolog]
+# The top-level directory to use when constructing the path name for the
+# I/O log directory. The session sequence number, if any, is stored here.
+#iolog_dir = /var/log/sudo-io
+
+# The path name, relative to iolog_dir, in which to store I/O logs.
+# Note that iolog_file may contain directory components.
+#iolog_file = %{seq}
+
+# If set, I/O logs will be compressed using zlib. Enabling compression can
+# make it harder to view the logs in real-time as the program is executing.
+#iolog_compress = false
+
+# If set, I/O log data is flushed to disk after each write instead of
+# buffering it. This makes it possible to view the logs in real-time
+# as the program is executing but reduces the effectiveness of compression.
+#iolog_flush = true
+
+# The group to use when creating new I/O log files and directories.
+# If iolog_group is not set, the primary group-ID of the user specified
+# by iolog_user is used. If neither iolog_group nor iolog_user
+# are set, I/O log files and directories are created with group-ID 0.
+#iolog_group = wheel
+
+# The user to use when setting the user-ID and group-ID of new I/O
+# log files and directories. If iolog_group is set, it will be used
+# instead of the user's primary group-ID. By default, I/O log files
+# and directories are created with user and group-ID 0.
+#iolog_user = root
+
+# The file mode to use when creating I/O log files. The file permissions
+# will always include the owner read and write bits, even if they are
+# not present in the specified mode. When creating I/O log directories,
+# search (execute) bits are added to match the read and write bits
+# specified by iolog_mode.
+#iolog_mode = 0600
+
+# The maximum sequence number that will be substituted for the "%{seq}"
+# escape in the I/O log file. While the value substituted for "%{seq}"
+# is in base 36, maxseq itself should be expressed in decimal. Values
+# larger than 2176782336 (which corresponds to the base 36 sequence
+# number "ZZZZZZ") will be silently truncated to 2176782336.
+#maxseq = 2176782336
+
+[eventlog]
+# Where to log accept, reject and alert events.
+# Accepted values are syslog, logfile, or none.
+# Defaults to syslog
+#log_type = syslog
+
+# Event log format.
+# Supported log formats are "sudo" and "json"
+# Defaults to sudo
+#log_format = sudo
+
+[syslog]
+# The maximum length of a syslog payload.
+# On many systems, syslog(3) has a relatively small log buffer.
+# IETF RFC 5424 states that syslog servers must support messages
+# of at least 480 bytes and should support messages up to 2048 bytes.
+# Messages larger than this value will be split into multiple messages.
+#maxlen = 960
+
+# The syslog facility to use for event log messages.
+# The following syslog facilities are supported: authpriv (if your OS
+# supports it), auth, daemon, user, local0, local1, local2, local3,
+# local4, local5, local6, and local7.
+#facility = authpriv
+
+# Syslog priority to use for event log accept messages, when the command
+# is allowed by the security policy. The following syslog priorities are
+# supported: alert, crit, debug, emerg, err, info, notice, warning, none.
+#accept_priority = notice
+
+# Syslog priority to use for event log reject messages, when the command
+# is not allowed by the security policy.
+#reject_priority = alert
+
+# Syslog priority to use for event log alert messages reported by the
+# client.
+#alert_priority = alert
+
+[logfile]
+# The path to the file-based event log.
+# This path must be fully-qualified and start with a '/' character.
+#path = /var/log/sudo
+
+# The format string used when formatting the date and time for
+# file-based event logs. Formatting is performed via strftime(3) so
+# any format string supported by that function is allowed.
+#time_format = %h %e %T
%sudo ALL=(ALL:ALL) ALL
%root ALL=(ALL:ALL) NOPASSWD: ALL
-# See sudoers(5) for more information on "#include" directives:
+# See sudoers(5) for more information on "@include" directives:
-#includedir /etc/sudoers.d
+@includedir /etc/sudoers.d
--- /dev/null
+#!/bin/sh
+chown -R runit-log:adm '/var/log/runit/acpid'
+chmod 750 '/var/log/runit/acpid'
+chmod u+rw,g+r,o-rwx '/var/log/runit/acpid'/*
+exec chpst -u runit-log svlogd -tt '/var/log/runit/acpid'
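Review bot: The `chown -R` on the second line runs on every start of the log service, presumably as root since the script only drops to runit-log at the final `chpst`, and it recurses through a directory that the unprivileged runit-log account owns and writes to. A recursive ownership change by a privileged process inside a tree controlled by a less-privileged user depends on the kernel's link protections. This same diff deletes the sysctl file that set `fs.protected_hardlinks = 1` and `fs.protected_symlinks = 1`, so confirm those values are still applied by another file or by the kernel default. Using `chown -hR runit-log:adm '/var/log/runit/acpid'` stops symbolic links from being dereferenced. Separately, the `chmod u+rw,g+r,o-rwx '/var/log/runit/acpid'/*` line fails on a literal `*` when the directory is empty, and without `set -e` or an explicit check that failure, like a failed `chown`, is ignored before `exec`.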
--- /dev/null
+/var/lib/runit/log/supervise/acpid
\ No newline at end of file
--- /dev/null
+#!/usr/bin/env /lib/runit/invoke-run
+exec 2>&1
+exec /usr/bin/env -i /usr/sbin/acpid --foreground ${OPTIONS:-}
+
+# vim: ft=sh
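Review bot: `${OPTIONS:-}` on the `exec` line is expanded unquoted, so its value is word-split and glob-expanded before acpid receives it. That is presumably intended so several options can be passed, but it should be stated, e.g. `# OPTIONS is deliberately unquoted: it may hold several space-separated arguments`. Where OPTIONS is set is not visible in this hunk (presumably a defaults file read by invoke-run), so that file decides the command line of the daemon and should be owned by root and not writable by group or others. The expansion happens in the shell before `env -i` clears the environment, so the variable still reaches the command line as arguments.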
--- /dev/null
+/var/lib/runit/supervise/acpid
\ No newline at end of file
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
-##############################################################3
+###################################################################
# Functions previously found in netbase
#
+++ /dev/null
-###################################################################
-# Protected links
-#
-# Protects against creating or following links under certain conditions
-# Debian kernels have both set to 1 (restricted)
-# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
-fs.protected_hardlinks = 1
-fs.protected_symlinks = 1
--- /dev/null
+/lib/systemd/system/named.service
\ No newline at end of file
--- /dev/null
+/lib/systemd/system/named.service
\ No newline at end of file
--- /dev/null
+[Unit]
+Conflicts=iptables.service ip6tables.service
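Review bot: This drop-in has no comment saying why the unit must conflict with iptables.service and ip6tables.service; a line such as `# Conflicts with the legacy iptables services: <reason>` above `Conflicts=` would record the intent. The file header is outside this part of the diff, so which unit is being extended cannot be told from here. `Conflicts=` applies in both directions and implies no ordering, so starting either listed service later stops this unit. If this unit is the one that loads packet-filter rules, check that such a stop cannot leave the host without a ruleset.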
--- /dev/null
+/lib/systemd/system/mlocate.timer
\ No newline at end of file
" It is recommended to make changes after sourcing debian.vim since it alters
" the value of the 'compatible' option.
-" This line should not be removed as it ensures that various options are
-" properly set to work with the Vim-related packages available in Debian.
runtime! debian.vim
" Vim will load $VIMRUNTIME/defaults.vim if the user does not have a vimrc.
" _not_ sourced; /etc/vim/vimrc and/or /etc/vim/gvimrc are.
" Debian system-wide default configuration Vim
-set runtimepath=~/.vim,/var/lib/vim/addons,/usr/share/vim/vimfiles,/usr/share/vim/vim81,/usr/share/vim/vimfiles/after,/var/lib/vim/addons/after,~/.vim/after
+set runtimepath=~/.vim,/var/lib/vim/addons,/usr/share/vim/vimfiles,/usr/share/vim/vim82,/usr/share/vim/vimfiles/after,/var/lib/vim/addons/after,~/.vim/after
set compatible
(( ${+aliases[run-help]} )) && unalias run-help
autoload -Uz run-help
+
+# If you don't want compinit called here, place the line
+# skip_global_compinit=1
+# in your $ZDOTDIR/.zshenv
+if grep -q '^ID.*=.*ubuntu' /etc/os-release && [[ -z "$skip_global_compinit" ]]; then
+ autoload -U compinit
+ compinit
+fi